Hacking and its Defense

guideflannelServers

Dec 4, 2013 (3 years and 8 months ago)

86 views

GROUP MEMBERS




Chan Li

Suman Lohani


Prabhu Sundaram

Hacking and its Defense

Objective



Why this topic??

Surprising Facts on Hacking




U.S. Department of Defense

is attacked some 250,000
times each year


-

Source: The Business Journal




A Microsoft
-
operated site
was cracked and defaced
Monday by someone calling himself “flipz.” It was the first time
a Microsoft Web site has been breached successfully.



-

Dated: oct 26

Source: abc.com





Worldwide cost

of the Code Red computer worms that
were unleashed on the Internet in July and August has reached
about $2.6 billion U.S. ($1.1 billion in clean
-
up costs and $1.5
billion in lost productivity)



-

Source: www.ns2000.org





Estimated total cost for 2001
-

$15 billion



Love Bug
-

$8.7 billion




Melissa
-

$1.2 billion



Explorer
-
$1 billion



SirCam
-

$1.035 billion




Finally
, www would have been radically
different if there were no Hackers.










Cost of virus attacks on information systems
around the world



2000

-

$17.1 billion



1999

-

$12.1 billion




Here, we will Discuss the practice of
hacking in general and demonstrate a few of
the current common methods, exploits and
Preventions….



Reasons to hack !!



Curiosity



Fame



Belief in open systems



Revenge



Notoriety/Fame



Profit ($$$ or other gain)



Revolutionary


Glossary


Hacking




2 definitions



1.

Hobby/Profession of working with computers.

2. Hacking refers to acts of unauthorized access or
intrusion, in a computer, network, or telecom
system by means of computer device, gadget and or
softwares.



often referred to as the 2
nd

one who refer cyber
criminals as “Crackers”





Phreaking
-




The art and Science of Cracking the Phone Network
(for eg: free long
-

distance calls). By extension, security


cracking especially communication networks.



Back
-
Door Program
-


A feature programmers often build into programs to
allow special privileges normally denied to users of the
program. Often programmers build back doors so they
can fix bugs. If hackers or others learn about a back
door, the feature may pose a security risk.




Glossary



Smurfing


-

Popular hacking technique by which attackers can persuade
your network to perform a denial of service attack on a machine
somewhere else on the Internet. Such attacks can also generate large
quantities of traffic on your network…


Prevention:
use a line:
no ip directed
-
broadcast





Spoofing


A common technique used to attack sites is to create TCP/IP
packets which appear to be from local IP addresses.



Prevention:

The site router is in an ideal place to detect
and prevent these attacks, since it can detect when packets with
internal source addresses arrive on the external interface of the
router…


Glossary



Trojan Horse Program


A program which may be planted on your hard drive

by an email message attachment, and may be designed to send

information about your system back to the hackers which wrote it.




Spy Ware


A program which you have downloaded from a legitimate
company, but which

unbeknownst to you

has been written to
track your every move on the internet for marketing purposes and
send the information back to the company.



Glossary



Denial of Service


An attack specifically designed to prevent the normal
functioning of a system and thereby to prevent lawful access to
the system by authorized users.

Hackers can cause denial of service attacks by destroying or
modifying data or by overloading the system's servers until
service to authorized users is delayed or prevented.



Sniffing


The use of a sniffer to capture passwords as they cross
a network. The network could be a local area network, or the
Internet itself. The sniffer can be hardware or software.










Glossary





Virus

-

Vital Information Resources Under Siege


A computer virus is a specific type of malicious computer
code that replicates itself or inserts copies or new versions of itself

in other programs.



Worm


Worms are parasitic computer programs that replicate, but
unlike viruses, do not infect other computer program files. Worms
can create copies on the same computer, or can send the copies to
other computers via a network



Damages likely be Caused !!




Stealing or destroying data




Disabling protection systems




Shutting down entire networks




Disclosure of Information, such as
theft of credit card numbers




Denial of service attacks including
Smurfing…



A common methodology is the
following


1. Gather target information.


2. Identify services offered by target to the public
(whether intentional or not).


3. Research the discovered services for known
vulnerabilities.


4. Attempt to exploit the services.


5. Utilize exploited services to gain additional
privileges from the target.


Reiterate steps 1
-
5 until goals are achieved.


Steps Hackers generally follow !!


Step 1:
Gather target information..




Domain names, IP address ranges



InterNIC contact information



Physical addresses



Organizational structures



Alliances and financial information



Names of officers, managers, technical staff



Newsgroup posts



Step 2:
Indentify services !!





Web Servers



FTP Servers



DNS Servers



e
-
mail gateways



Help desks/phone support



other (gopher, LDAP, irc, etc.)


Step 3:

Research vulnerabilities



Vendor announcements.



Default configurations.



Poor configurations. (ie. Passwords, cleartext
protocols)



Gather available exploits or develop new exploit



Derived exploits



Some original work.


Step 4:

Exploit Vulnerabilities
.



Attempt to exploit vulnerabilities to gain access to the target.



Continue until Successful.

Step 5:

Utilize increased access



Exploit additional vulnerabilities to gain additional access and

information to use in penetrating further into an organization.



The hacker "becomes" a legitimate user (even an
administrator).











Only requires normal web user access to an IIS webserver
(i.e. port 80 or 443).




Using non
-
standard ports for your web server only makes
this marginally more difficult. You do publish how to access
your webserver to someone, right? (also, you would be
surprised what search engines contain about you.)




Using SSL (https protocol) will not prevent the exploit
from succeeding.




Demo on IIS Web Exploit !!



Target: Windows NT Server 4.0sp6a, IIS 4.0




Attacker: Linux 2.2.17
-
21mdk kernel, Window NT
Worstation 4.0 sp6a


Demo

: Software Levels



Target IP address is 192.168.168.125




Query whois database at ARIN.net to locate owner and
domain information.




Also try reverse DNS mappings for host/domain names.


Demo

: Target info

Use nmap to scan target for services of interest.

$ nmap
-
sS
-
p 21
-
25,80,135
-
139,443 192.168.168.125


Starting nmap V. 2.53 by fyodor@insecure.org (
www.insecure.org/nmap/ )

Interesting ports on (192.168.168.125):

(The 7 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

80/tcp open http

135/tcp open loc
-
srv

139/tcp open netbios
-
ssn

443/tcp open https

Nmap run completed
--

1 IP address (1 host up) scanned in 1 second












Demo

: Services information

Use netcat or telnet commands to determine web server information.

$ nc 198.168.168.125 80

HEAD / HTTP/1.0

<CR>

HTTP/1.1 200 OK

Server: Microsoft
-
IIS/4.0

Content
-
Location: http://192.168.168.125/Default.htm

Date: Mon, 06 Aug 2001 23:40:10 GMT

Content
-
Type: text/html

Accept
-
Ranges: bytes

Last
-
Modified: Mon, 30 Jul 2001 15:28:47 GMT

ETag: "c0bf6c53c19c11:b50"

Content
-
Length: 4325


Demo:
Research services



Unicode “dot dot” exploit to traverse filesystem



Default configuration of Inetpub
\
scripts directory is
used to upload and execute commands of our choice.



Get target to fetch useful commands.



Get target to initiate a command session.



Use target to obtain additional information
.



Demo
:
Exploit services to gain access



Stay current on patch levels for Microsoft's OS
and web server.



Implement good firewalling.



Use an IDS system (or two!).



Host security is important (Microsoft's "Securing
IIS” and “Securing Windows NT” documents).



Pattern matching intercept proxies.



Prevention on IIS

Demonstration


Ping, ifconfig, tracert(Icmp)



Hacking tools


IP


tools.exe


Wotweb.exe


Superscan.exe

Prevention




The Price of a New Web Server $ 800




The Price of the Application Firewall $ 2500



Having to tell your boss that you’ve
Just been Hacked!!



PRICELESS!!


Some Defense Arsenals for
Computer Security

!!

1.
Password Protection

2.

AntiVirus Software

3.

Encryption

4.

Audit Trails

5.

Smart Cards and Biometrics

6.
Firewalls





Here we will focus about Firewalls…



Firewall


Firewall



H/W firewall



S/W firewall




Router/internet


gateways




Application


Packet



Proxy filtering




Firewall firewall


(Squid:
-
Microsoft proxy server) (ipchains:
-
Linux)



























Proxy Server Example
There are two types of Firewall.

1.
Dual Homed

2. Demilitarized Setup.


Internet

Router

Firewall +
router +DHCP
Server

Hub

Comp

Comp

Comp

Comp

Comp

Comp

Comp

Dual Homed (Secure Network)

Internet

Firewall

Web Server

mail


DNS

Firewall

Database Server


mail


DNS


Demilitarized Setup

(More Secure
Network)

Firewall Example 1
Firewall Example 2
Firewall Products


Some Firewall Providers:


McAFEE ASAP


Trend Micro


Zone Alarm..

Single user
-

Cost $ 40 (for 1 year)

50 users

-

Cost $1500


Some Versions of it are Free to download…..


Useful security related links !!



SANS Institute (www.sans.org)


Security Focus Archives (www.securityfocus.com)


Snort IDS home (www.snort.org)


Security archives (archives.neohapsis.com)



CERT Coordination Center (
www.cert.org
)


http://www.courses.dsu.edu/ infs750


www.insecure.org


Mailing Lists




Risks Digest (
www.risks.org
)




BUGTRAQ
(
www.securityfocus.com/bugtraq/archive
)




NTBugtraq (
www.ntbugtraq.com
)




Win2KSecurity Advice (www.ntsecurity.net)



Securing Web servers


Apache project (www.apache.org)


http://httpd.apache.org/docs/misc/tutorials.html



support.microsoft.com

"Resources for Securing Internet Information Services”, Article
ID Q282060.


Conclusion


How to prevent becoming a target?



!! The only reliable solution to reduce the risk of a
successful intrusion attempt is staying current with
your security infrastructure. This is an ongoing
dynamic process. !!


Areas to be explored includes


More about Hackers


SSL, L2TP, Proxy servers (security devices and
software)



More on Server Vulnerabilities



Data Protection