© 1999, Cisco Systems, Inc.
Securing Routers Against Hackers and Denial of Service Attacks
Lou Ronnau

Outline
IP Refresher
Attack Types
Network Layer Attacks
Transport Layer Attacks
Application Layer Attacks

Outline (cont.)
Reconnaissance
Initial Access
Questions

IP Refresher

TCP/IP Protocol Stack
OSI Reference Model          IP Conceptual Layers
Application                  Application
Presentation                 Application
Session                      Application
Transport                    Transport
Network                      Internet
Data Link                    Network Interface
Physical                     Network Interface
(Network Interface: Ethernet, 802.3, 802.5, ATM, FDDI, and so on)

Internet Layer Refresher
IP datagram header:
  VERS | HLEN | Type of Service | Total Length
  ID | Flags | Frag Offset
  TTL | Protocol | Header Checksum
  Src IP Address
  Dst IP Address
  IP Options
  Data
Internet layer protocols:
  Internet Control Message Protocol (ICMP)
  Internet Protocol (IP)
  Address Resolution Protocol (ARP)
  Reverse Address Resolution Protocol (RARP)

Transport Layer Refresher
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
TCP segment format:
  Src Port | Dst Port
  Seq #
  Ack #
  HLEN | Reserved | Code Bits | Window
  Checksum | Urgent Ptr
  Options | Data
UDP segment format:
  Src Port | Dst Port
  Length | Checksum
  Data

Port Numbers
Application layer protocols are reached through transport layer port numbers:
TCP: Telnet 23, SMTP 25, DNS 53, HTTP 80, SSL 443
UDP: DNS 53, TFTP 69

Application Layer Refresher
Web Browsing (HTTP, SSL)
File Transfer (FTP, TFTP, NFS, File Sharing)
E-Mail (SMTP, POP2, POP3)
Remote Login (Telnet, rlogin)
Name Management (DNS)
Microsoft Networking Services

Attack Types

Attack Types
Signatures are classified by what they look at (context = header, content = data) and by how many packets they need ("atomic" = single packet, "composite" = multiple packets):
                    "Atomic" (single packet)      "Composite" (multiple packets)
Context (header)    Ping of Death, Land Attack    Port Sweep, SYN Attack, TCP Hijacking
Content (data)      MS IE Attack                  E-mail Attacks, Telnet Attacks, Character Mode Attacks

Attack Types (cont.)
Reconnaissance: host scan, port scan, SMTP VRFY
Access: spoofing, session hijacking
Denial of service: SYN attacks, ping-of-death, teardrop, WinNuke
Privilege escalation: MS IE%2ASP, ftp cwd ~root

Demystifying Common Attacks
[Figure: common attacks placed on the stack layers (Application, Transport, Internet, Network Interface)]
Java, ActiveX, and Script Execution
E-Mail EXPN
WinNuke
SYN Flood
UDP Bomb
Port Scan
Land.c
Ping Flood
Ping of Death
IP Spoof
Address Scanning
Source Routing
Sniffer/Decoding
MAC Address Spoofing

Network Layer Attacks

IP Layer Attacks
• IP Options
• IP Fragmentation
• Bad IP packets
• Spoofed Addresses

IP Fragmentation Attacks
IP Fragment Attack
• Offset value too small
• Indicates an unusually small fragment (too small to carry the whole transport header)
• May bypass some packet filter devices
IP Fragments Overlap
• Offset value indicates overlap with data already received
• Teardrop attack
[Figure: IP header with the Flg and Frag Offset fields highlighted]

IP Fragmentation
Routers and Internet gateways are stateless devices
Improperly fragmented packets are forwarded normally with other traffic
Detecting them requires stateful inspection

Bad IP Packet Attacks
Unknown IP Protocol
• Proto = invalid or undefined
Impossible IP Packet
• Same source and destination address
• Land attack
[Figure: IP header with the Proto, Source IP and Destination IP fields highlighted]

IP Address Spoofing
Source IP address set to that of a trusted host or a nonexistent host
Access lists that check the source address (anti-spoofing ingress filters) are the only protection
Best applied at the connection to the Internet

Spoofing: Access by Impersonation
interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
! Inbound on the Internet-facing interface: drop packets claiming a loopback
! or an internal (10.1.0.0/16) source address, then allow everything else.
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
[Figure: attacker at 172.16.42.84 sends IP (D=10.1.1.2 S=10.1.1.1) toward inside host 10.1.1.2; the spoofed packet is dropped by access-list 111 on Serial 1]

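To make the anti-spoofing access list concrete, here is an added example (written for this page, not Cisco's or the presentation's code) that applies the wildcard-mask matching of access-list 111 to sample packets. The packet addresses are constructed; anti_spoof_acl is a hypothetical helper that builds a list of the same shape for other inside prefixes.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard masks: a 1 bit means 'don't care'. 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

ANY = ("0.0.0.0", "255.255.255.255")

# access-list 111 from the slide, in configured order:
# (action, source network, source wildcard, destination network, destination wildcard)
ACL_111 = [
    ("deny",   "127.0.0.0", "0.255.255.255", *ANY),   # loopback is never a valid source on the wire
    ("deny",   "10.1.0.0",  "0.0.255.255",   *ANY),   # our own inside prefix arriving from the Internet
    ("permit", *ANY,                          *ANY),
]

def evaluate(acl, src, dst):
    """Walk the list top down; the first match decides. Every IOS ACL ends with an implicit deny."""
    for index, (action, sn, sw, dn, dw) in enumerate(acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, index
    return "deny", None

def anti_spoof_acl(inside_prefixes):
    """Hypothetical helper: build an inbound list of the same shape for any set of inside prefixes."""
    entries = [("deny", "127.0.0.0", "0.255.255.255", *ANY)]
    for prefix in inside_prefixes:
        net = ipaddress.IPv4Network(prefix)
        entries.append(("deny", str(net.network_address), str(net.hostmask), *ANY))
    entries.append(("permit", *ANY, *ANY))
    return entries

if __name__ == "__main__":
    # constructed sample: the spoofed packet from the figure and two ordinary ones
    for src, dst in [("10.1.1.1", "10.1.1.2"), ("127.0.0.1", "10.1.1.2"), ("172.16.42.84", "10.1.1.2")]:
        print(src, "->", dst, evaluate(ACL_111, src, dst))
```

The list only works where the slide puts it: inbound on the interface facing the Internet. Applied on the inside interface it would deny all legitimate traffic from 10.1.0.0/16.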
IP Options
• IP header: 20 bytes
• IP options: add up to 40 additional bytes
• Only 8 valid options
[Figure: IP header with the Options field highlighted]

IP Options (cont.)
Each option starts with a type byte (bits 0-7: CP | Class | Option #), optionally followed by a Length byte and Parameters:
Copy: 0 = don't include the option in packet fragments; 1 = include the option in packet fragments
Class: 0 = Network Control; 2 = Debugging
Option: one of eight valid options
Length: number of bytes in the option, type and length bytes included (if used by the option)
Parameters: parameters passed by the option
Last option is always option 0 (End of Options); the options area is padded with zeros to a 4-byte boundary.

IP Options (cont.)
Option #   Option Name
0          End of Options
1          No Operation
2          Security (rarely used)
3          Loose Source Route
4          Timestamp (rarely used)
7          Record Route (records the gateways a packet has traversed)
8          Stream ID (rarely used)
9          Strict Source Route

IP Source Routing
Two options: #3 loose source routing and #9 strict source routing
Can be used to bypass filters (ACLs)
Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off
Router command: no ip source-route

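The option walk the slides describe (type byte = copy, class, number; length; parameters; option 0 ends the list) is easiest to see in code. The parser below is an added example written for this page, not Cisco code. build_header constructs the sample headers, the LSRR hop addresses are made-up test data, and classify() reports the packets that `no ip source-route` would make the router drop.

```python
import struct

# Option numbers from the table above
END_OF_OPTIONS, NOP, SECURITY, LSRR, TIMESTAMP, RECORD_ROUTE, STREAM_ID, SSRR = 0, 1, 2, 3, 4, 7, 8, 9
SOURCE_ROUTING = {LSRR, SSRR}

def parse_options(header):
    """Return (copy, class, number, parameters) for each option in an IPv4 header.
    header is the whole header, 20 to 60 bytes. Inconsistent lengths raise ValueError."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts = header[20:ihl]
    out, i = [], 0
    while i < len(opts):
        b = opts[i]
        copy, cls, num = b >> 7, (b >> 5) & 0x3, b & 0x1F
        if num == END_OF_OPTIONS:            # option 0 always terminates the list
            out.append((copy, cls, num, b""))
            break
        if num == NOP:                       # single-byte option, no length field
            out.append((copy, cls, num, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]                 # counts the type and length bytes themselves
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        out.append((copy, cls, num, bytes(opts[i + 2:i + length])))
        i += length
    return out

def source_route_hops(parameters):
    """LSRR/SSRR parameters: a pointer byte followed by the list of gateway addresses."""
    pointer, addrs = parameters[0], parameters[1:]
    hops = [".".join(str(x) for x in addrs[j:j + 4]) for j in range(0, len(addrs) - len(addrs) % 4, 4)]
    return pointer, hops

def classify(header):
    """'source-routed' if LSRR or SSRR is present (what no ip source-route drops), else 'record-route' or 'plain'."""
    numbers = {opt[2] for opt in parse_options(header)}
    if numbers & SOURCE_ROUTING:
        return "source-routed"
    if RECORD_ROUTE in numbers:
        return "record-route"
    return "plain"

def build_header(src, dst, options=b""):
    """Constructed test data: a minimal IPv4 header (TTL 64, protocol TCP) carrying the given options."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # pad to a 4-byte boundary
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0, src, dst)
    return fixed + opts

if __name__ == "__main__":
    # LSRR: type 0x83 (copy=1, class 0, number 3), length 11, pointer 4, two hop addresses
    lsrr = bytes([0x83, 11, 4, 10, 0, 0, 1, 192, 168, 1, 1])
    hdr = build_header(bytes([172, 16, 42, 84]), bytes([10, 1, 1, 2]), lsrr)
    print(classify(hdr), parse_options(hdr))
```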
ICMP Attacks
• ICMP Traffic Records
• Ping Sweeps
• ICMP Attacks

ICMP Query Message
Header: Type (8 bits) | Code (8 bits) | Checksum (16 bits) | Identifier (16 bits) | Sequence # (16 bits) | Data . . .
Type: 0 = Echo Reply; 8 = Echo Request; 13 = Timestamp Request; 14 = Timestamp Reply; 15 = Information Request; 16 = Information Reply; 17 = Address Mask Request; 18 = Address Mask Reply
Code: codes associated with each ICMP type
Checksum: one's complement checksum over the whole ICMP message, computed with the checksum field set to zero

ICMP Query Message (cont.)
Echo Reply: Type=0
Echo Request: Type=8
Timestamp Request: Type=13
Timestamp Reply: Type=14
[Figure: IP header followed by the ICMP header, Type field highlighted]

ICMP Error Message
Header: Type | Code | Checksum | Unused (32 bits) | IP header + first 8 bytes of the original datagram's data
Type: 3 = Destination Unreachable; 4 = Source Quench; 5 = Redirect; 11 = Time Exceeded; 12 = Parameter Problem
Code: codes associated with each ICMP type
Checksum: one's complement checksum over the whole ICMP message, computed with the checksum field set to zero

ICMP Error Messages
Unreachable: Type=3
Source Quench: Type=4
Redirect: Type=5
Time Exceeded: Type=11
Parameter Problem: Type=12
[Figure: IP header followed by the ICMP header, Type field highlighted]

ICMP Attacks
Fragmented ICMP packet
• Flag = more fragments, or Offset != 0
ICMP Floods
• Many ICMP packets
• To a single host
[Figure: IP header (Flg, Frag Offset, Length) followed by the ICMP header]

ICMP Attacks (cont.)
ICMP Smurf attack
• Type=0 (echo reply)
• Many packets
• To a single host
ICMP Ping of Death
• Flag = last fragment
• Offset*8 + Length > 65535
[Figure: IP header (Proto, Flg, Frag Offset) followed by the ICMP header]

Smurfs
ICMP echo request with a spoofed source address (the victim's)
Destination address set to the network broadcast address of a network (a so-called ping amplifier)
All hosts on the pinged network reply to the spoofed address
Interface command: no ip directed-broadcast

Ping of Death
IP ping (ICMP echo request) larger than 65535 bytes
Transmitted in fragments
Crashes some operating systems on reassembly

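As an added example (not from the presentation), the checks below cover the fragment attacks from the IP Fragmentation Attacks slides together with the Ping of Death test above: the per-packet Offset*8 + Length test, an unusually small first fragment, and the stateful overlap check that a stateless router cannot do. The Fragment class, the 16-byte MIN_FIRST_FRAGMENT threshold and the 20-byte-header assumption are mine; ping_of_death() and teardrop() build constructed sample fragment trains.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535        # largest datagram the IP Total Length field can describe
IP_HEADER = 20              # assumption: no IP options on these fragments
MIN_FIRST_FRAGMENT = 16     # assumption: a first fragment with less data cannot hold a TCP header

@dataclass(frozen=True)
class Fragment:
    ident: int        # IP Identification; all fragments of one datagram share it
    offset: int       # Frag Offset field, in 8-byte units
    more: bool        # MF flag ("more fragments")
    total_len: int    # IP Total Length of this fragment (header + data)
    proto: int = 1    # 1 = ICMP

    @property
    def data_len(self):
        return self.total_len - IP_HEADER

def check_fragment(f):
    """Single-packet checks: Ping of Death (the slide's Offset*8 + Length > 65535),
    tiny first fragment, and the 'fragmented ICMP' signature."""
    findings = []
    if f.offset * 8 + f.total_len > MAX_DATAGRAM:
        findings.append("ping-of-death")
    if f.offset == 0 and f.more and f.data_len < MIN_FIRST_FRAGMENT:
        findings.append("tiny-fragment")
    if f.proto == 1 and (f.more or f.offset != 0):
        findings.append("fragmented-icmp")
    return findings

def check_reassembly(frags):
    """Stateful checks across all fragments sharing an IP ID: overlap (teardrop),
    a missing last fragment, and an oversized reassembled datagram."""
    findings = []
    groups = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    for ident, group in groups.items():
        group.sort(key=lambda f: f.offset)
        covered_to = 0                              # bytes of data reassembled so far
        for f in group:
            start = f.offset * 8
            if start < covered_to:                  # new data lands inside data already received
                findings.append(f"id {ident}: overlap at byte {start} (teardrop)")
            covered_to = max(covered_to, start + f.data_len)
        if group[-1].more:
            findings.append(f"id {ident}: incomplete, last fragment never seen")
        if IP_HEADER + covered_to > MAX_DATAGRAM:
            findings.append(f"id {ident}: reassembles to {IP_HEADER + covered_to} bytes (ping of death)")
    return findings

def ping_of_death(ident=7):
    """Constructed sample: 44 full-size fragments plus a tail that pushes the datagram past 65535 bytes."""
    return [Fragment(ident, k * 185, True, 1500) for k in range(44)] + [Fragment(ident, 44 * 185, False, 500)]

def teardrop(ident=9):
    """Constructed sample: the second fragment's offset lands inside the first fragment's data."""
    return [Fragment(ident, 0, True, 56, proto=17), Fragment(ident, 3, False, 40, proto=17)]

if __name__ == "__main__":
    print(check_fragment(ping_of_death()[-1]), check_reassembly(ping_of_death()), check_reassembly(teardrop()))
```

The per-packet test only fires on the final fragment; everything before it looks like an ordinary large ping, which is why a stateless filter lets the train through and the host crashes on reassembly.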
Loki Attack
Loki is a tool used to hide hacker traffic inside an ICMP tunnel (commands and replies are carried in the data field of echo request and echo reply packets). It requires root access.
Loki ICMP tunnel
• Original Loki
• Phrack Issue 51
Modified Loki ICMP tunneling
• Modified Loki version

Transport Layer Attacks

TCP Attacks
• TCP Traffic Records
• TCP Port Scans
• TCP Host Sweeps
• Mail Attacks
• FTP Attacks
• Web Attacks
• NetBIOS Attacks
• SYN Flood & TCP Hijack Attacks
• TCP Applications

TCP Port Scans
A TCP port scan occurs when one host searches for multiple TCP services on a single host.
• Common scans: use a normal TCP SYN
• Stealth scans: use FIN, SYN-FIN, null, or PUSH segments, and/or fragmented packets
[Figure: IP header followed by the TCP header, Dest Port and Flags fields highlighted]

TCP Port Scan Attacks
Port Sweep: SYNs to ports < 1024 (triggers when the type of sweep can't be determined)
SYN Port Sweep: SYNs to any ports
Frag SYN Port Sweep: fragmented SYNs to many ports
FIN port sweep: FINs to ports < 1024
Frag FIN port sweep: fragmented FINs to ports < 1024
High port sweep: SYNs to ports > 1023 (triggers when the type of sweep can't be determined)
FIN High port sweep: FINs to ports > 1023

TCP Port Scan Attacks (cont.)
Frag High FIN port sweep: fragmented FINs to ports > 1023
Null port sweep: TCP segments without SYN, FIN, ACK, or RST to any ports
Frag Null port sweep: fragmented TCP segments without SYN, FIN, ACK, or RST to any ports
SYN FIN port sweep: SYN-FINs to any port
Frag SYN/FIN port sweep: fragmented SYN/FINs to any ports
Queso sweep: FIN, SYN/FIN, and a PUSH (the probe set of the Queso OS-fingerprinting tool)

TCP Host Sweeps
A TCP host sweep occurs when one host searches for a single TCP service on multiple hosts.
• Common scans: use a normal TCP SYN
• Stealth scans: use FIN, SYN-FIN, and null segments, and/or fragmented packets
[Figure: IP header followed by the TCP header, Destination IP and Flags fields highlighted]

TCP Host Sweep Attacks
SYN host sweep: SYNs to the same port on many hosts
Frag SYN host sweep: fragmented SYNs to the same port
FIN host sweep: FINs to the same port
Frag FIN host sweep: fragmented FINs to the same port
NULL host sweep: TCP segments without SYN, FIN, ACK, or RST to the same port
Frag NULL host sweep: fragmented segments without SYN, FIN, ACK, or RST to the same port
SYN/FIN host sweep: SYN-FINs to the same port
Frag SYN/FIN host sweep: fragmented SYN-FINs to the same port

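To show how the port-sweep and host-sweep signatures above can be derived from traffic, the following classifier (an added example, not Cisco's signature engine) groups TCP segments by source and flag family, then reports one target with many ports as a port sweep and one port on many targets as a host sweep. SCAN_THRESHOLD and the record tuple layout are assumptions made for the example; sample_records() is constructed traffic.

```python
from collections import defaultdict

SCAN_THRESHOLD = 5   # assumption: distinct ports (or hosts) from one source before we report a sweep

def probe_kind(flags):
    """Map a TCP flag string (letters S, F, A, R, P, U) onto the sweep families in the slides."""
    s = set(flags)
    if not s & {"S", "F", "A", "R"}:
        return "NULL"                      # no SYN/FIN/ACK/RST: the 'null' (or PUSH-only) probe
    if {"S", "F"} <= s:
        return "SYN/FIN"
    if "S" in s and "A" not in s:
        return "SYN"                       # ordinary connect()/half-open scan
    if "F" in s and "A" not in s:
        return "FIN"                       # stealth scan: closed ports answer RST, open ports stay silent
    return "other"                         # ACK-bearing traffic from established sessions

def port_range(ports):
    """'low' (< 1024), 'high' (> 1023) or 'any', matching the slide's sweep names."""
    low, high = any(p < 1024 for p in ports), any(p > 1023 for p in ports)
    return "any" if low and high else "low" if low else "high"

def classify_probes(records):
    """records: iterable of (src, dst, dport, flags, fragmented) tuples, one per TCP segment seen.
    Returns port sweeps (one target, many ports) and host sweeps (one port, many targets)."""
    by_target = defaultdict(set)   # (src, dst, kind, frag) -> destination ports
    by_port = defaultdict(set)     # (src, dport, kind, frag) -> destination hosts
    for src, dst, dport, flags, frag in records:
        kind = probe_kind(flags)
        if kind == "other":
            continue
        by_target[(src, dst, kind, frag)].add(dport)
        by_port[(src, dport, kind, frag)].add(dst)
    findings = []
    for (src, dst, kind, frag), ports in by_target.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append({"type": "port sweep", "src": src, "target": dst, "kind": kind,
                             "frag": frag, "range": port_range(ports), "count": len(ports)})
    for (src, dport, kind, frag), hosts in by_port.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append({"type": "host sweep", "src": src, "port": dport, "kind": kind,
                             "frag": frag, "count": len(hosts)})
    return findings

def sample_records():
    """Constructed traffic: a SYN port scan of one host, a fragmented FIN host sweep for telnet,
    and some legitimate web traffic that must not be reported."""
    scan = [("172.16.42.84", "10.1.1.2", p, "S", False) for p in (21, 22, 23, 25, 80, 110, 139)]
    sweep = [("172.16.42.84", f"10.1.1.{h}", 23, "F", True) for h in range(10, 17)]
    normal = [("10.1.1.5", "10.1.1.2", 80, "PA", False)] * 10
    return scan + sweep + normal

if __name__ == "__main__":
    for finding in classify_probes(sample_records()):
        print(finding)
```

Keying on the fragmented flag separately is what gives the "Frag ..." variants in the tables above; a scanner that fragments its probes to slip past a filter still lands in a group of its own here.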
SYN Flood and TCP Hijacks
Half-Open SYN attack
• DoS: SYN flood attack
• Ports 21, 23, 25, and 80
TCP Hijacking
• Access: attempt to take over a TCP session

TCP Intercept Protects Networks Against SYN Floods
[Figure: request intercepted by the router; connection established with the client; connection transferred to the server]
TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
Can instead be configured to passively monitor TCP connection requests and respond (reset them) if a connection fails to get established within a configurable interval

TCP Intercept
Enable TCP Intercept (global configuration mode):
  access-list access-list-number {deny | permit} tcp any destination destination-wildcard
  ip tcp intercept list access-list-number
Set the TCP Intercept mode (global configuration mode):
  ip tcp intercept mode {intercept | watch}
Set the TCP Intercept drop mode:
  ip tcp intercept drop-mode {oldest | random}    ; default = oldest
Change the TCP Intercept timers:
  ip tcp intercept watch-timeout seconds           ; default = 30 seconds

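The intercept and watch modes are easier to compare with a model of what the router holds. This simulation is an added example, not IOS code: max_incomplete stands in for the router's half-open thresholds, table eviction follows drop-mode oldest|random, and expiry uses the 30-second watch-timeout default from the slide. In intercept mode the server never sees an un-acknowledged SYN; in watch mode it does, until the router resets it.

```python
import random
from collections import OrderedDict

class TcpIntercept:
    """Router-side model of the two TCP Intercept modes. max_incomplete is this example's stand-in
    for the router's half-open thresholds; watch_timeout follows the IOS default of 30 seconds."""

    def __init__(self, mode="intercept", drop_mode="oldest", watch_timeout=30, max_incomplete=8, rng=None):
        self.mode, self.drop_mode = mode, drop_mode
        self.watch_timeout, self.max_incomplete = watch_timeout, max_incomplete
        self.rng = rng or random.Random(0)
        self.half_open = OrderedDict()   # (client, port) -> time of SYN, oldest first
        self.server_half_open = set()    # embryonic connections the *server* is holding (watch mode)
        self.established = []
        self.log = []

    def _reap(self, key, reason):
        del self.half_open[key]
        if key in self.server_half_open:             # watch mode: clear the server's half-open entry too
            self.server_half_open.discard(key)
            self.log.append(("rst sent to server", key))
        self.log.append((reason, key))

    def _make_room(self):
        """drop-mode oldest|random: evict an embryonic entry when the table is full."""
        while len(self.half_open) >= self.max_incomplete:
            if self.drop_mode == "oldest":
                key = next(iter(self.half_open))
            else:
                key = self.rng.choice(list(self.half_open))
            self._reap(key, "drop")

    def on_syn(self, client, port, now):
        key = (client, port)
        self._make_room()
        self.half_open[key] = now
        if self.mode == "intercept":
            self.log.append(("syn-ack sent by router", key))   # the server never sees this SYN
            return "SYN-ACK"
        self.server_half_open.add(key)                          # watch: SYN forwarded, server holds it
        self.log.append(("syn forwarded", key))
        return "forwarded"

    def on_ack(self, client, port, now):
        """The client finished its handshake. In intercept mode the router now opens the real
        connection to the server and splices the two halves ('connection transferred')."""
        key = (client, port)
        if key not in self.half_open:
            return "reset"                      # unknown or already reaped: answered with RST
        del self.half_open[key]
        self.server_half_open.discard(key)
        self.established.append(key)
        self.log.append(("established", key))
        return "established"

    def tick(self, now):
        """Expire entries older than watch_timeout; in watch mode this resets the server's copy as well."""
        for key, t in list(self.half_open.items()):
            if now - t > self.watch_timeout:
                self._reap(key, "expired")

if __name__ == "__main__":
    r = TcpIntercept(mode="intercept", max_incomplete=4)
    for i in range(10):                          # constructed SYN flood: no client ever completes
        r.on_syn("1.2.3.4", 40000 + i, now=i)
    print(len(r.half_open), "half-open on router;", len(r.server_half_open), "on server")
```

Intercept mode moves the half-open state from the server onto the router, which is why the drop mode and thresholds matter: the router is now the thing being flooded. Watch mode leaves the first 30 seconds of exposure on the server but never answers on its behalf.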
TCP Hijacks
TCP Hijacking
Works by correctly guessing sequence numbers
Newer operating systems and firewalls reduce the problem by randomizing initial sequence numbers (this defeats blind, off-path guessing; an attacker who can sniff the session still sees the sequence numbers)
TCP Hijacking Simplex Mode: one command followed by an RST

Land.c Attack
Spoofed packet with the SYN flag set
Sent to an open port
Source address/port the same as the destination address/port
Many operating systems lock up

UDP Attacks
• UDP Traffic Records
• UDP Port Scan
• UDP Attacks
• UDP Applications

UDP Port Scans
UDP port scans: one host searches for multiple UDP services on a single host
[Figure: IP header followed by the UDP header, Dest Port field highlighted]

UDP Attacks
UDP flood (disabled): many UDP packets to the same host
UDP Bomb: UDP length field inconsistent with the IP length (UDP length < IP length)
Snork: Src=135, 7, or 19; Dest=135
Chargen DoS: Src=7 & Dest=19
[Figure: IP header followed by the UDP header, Source Port, Dest Port and Length fields highlighted]

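The single-packet signatures on the Bad IP Packet, Land.c and UDP Attacks slides all reduce to header comparisons; here they are as an added example (mine, not the presentation's). Packet, KNOWN_PROTOCOLS and the 20-byte-header assumption are constructed for the example; the UDP bomb check flags any disagreement between the UDP Length field and the IP length, which includes the slide's "UDP length < IP length" case.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_PROTOCOLS = {1, 2, 6, 17}   # assumption: ICMP, IGMP, TCP, UDP are all this site expects to see

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    total_len: int                 # IP Total Length (20-byte header assumed, no options)
    sport: Optional[int] = None
    dport: Optional[int] = None
    udp_len: Optional[int] = None  # UDP Length field
    flags: str = ""                # TCP flags as letters (S, A, F, R, P, U); "" means none set

def check_packet(p):
    """Return the single-packet ('atomic') signatures the header matches, in check order."""
    hits = []
    if p.proto not in KNOWN_PROTOCOLS:
        hits.append(f"unknown IP protocol {p.proto}")
    if p.src == p.dst:
        hits.append("impossible packet: source equals destination address")
        if p.proto == 6 and p.sport == p.dport and "S" in p.flags:
            hits.append("land.c: SYN with source addr/port equal to destination addr/port")
    if p.proto == 17:
        if p.udp_len is not None and p.udp_len != p.total_len - 20:
            hits.append("udp bomb: UDP length field disagrees with IP length")
        if p.dport == 135 and p.sport in (135, 7, 19):
            hits.append("snork")
        if p.sport == 7 and p.dport == 19:
            hits.append("chargen loop: echo source to chargen destination")
    if p.proto == 6:
        if not set(p.flags) & {"S", "F", "A", "R"}:
            hits.append("null segment: no SYN, FIN, ACK or RST")
        elif "S" in p.flags and "F" in p.flags:
            hits.append("SYN-FIN segment")
    return hits

if __name__ == "__main__":
    # constructed samples: a Land.c packet against NetBIOS and a chargen/echo loop
    print(check_packet(Packet("10.1.1.2", "10.1.1.2", 6, 40, 139, 139, flags="S")))
    print(check_packet(Packet("1.1.1.1", "2.2.2.2", 17, 48, 7, 19, udp_len=28)))
```

The Snork and Chargen cases are why the deck later says to turn off the small servers (`no service udp-small-servers`): a router that answers on echo (7) and chargen (19) is a ready-made amplifier for these loops.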
Reflexive Access Lists
Allow the packet filtering mechanism to remember state
Reflexive ACLs are transparent until activated by matching traffic
• Protocol support: TCP, UDP
• Alternative to the established keyword
• Available in Cisco IOS release 11.3

Reflexive Access Lists
Router monitors the outgoing connection
Creates a dynamic inbound permit ACL entry using the IP addresses and port numbers
[Figure: #1 outbound packet: IP header Source Addr 200.150.50.111, Destination Addr 192.34.56.8; TCP header Source Port 1026, Destination Port 23, Initial Sequence # 49091, Flag SYN]
#2: temporary inbound entry created for the reply traffic: permit tcp host 192.34.56.8 eq telnet host 200.150.50.111 eq 1026

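As an added example (mine, not IOS code), the class below reproduces what the slide's figure shows: an outbound SYN from 200.150.50.111:1026 to 192.34.56.8:23 creates a mirrored inbound entry that permits only the matching reply, and established_keyword shows why the older `established` keyword is weaker. The 300-second idle timeout is the IOS default for reflexive entries; treating any inbound FIN as ending the entry is a simplification of the real FIN/RST handling.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters; unused for udp

class ReflexiveAcl:
    """Outbound TCP/UDP packets create a mirrored temporary inbound entry; inbound packets are
    permitted only while a matching entry exists."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}   # reply 5-tuple (proto, src, sport, dst, dport) -> expiry time

    def outbound(self, p, now):
        if p.proto in ("tcp", "udp"):                           # the slide: protocol support TCP, UDP
            reply = (p.proto, p.dst, p.dport, p.src, p.sport)    # addresses and ports swapped
            self.entries[reply] = now + self.timeout
        return "permit"

    def inbound(self, p, now):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)
            return "deny"                                        # no state for this packet: implicit deny
        if p.proto == "tcp" and ("R" in p.flags or "F" in p.flags):
            del self.entries[key]                                # simplification: session over, drop the entry
        else:
            self.entries[key] = now + self.timeout               # any matching packet refreshes the idle timer
        return "permit (reflexive)"

    def entry_text(self):
        """Render the temporary entries the way IOS would show them."""
        return [f"permit {pr} host {s} eq {sp} host {d} eq {dp}" for (pr, s, sp, d, dp) in self.entries]

def established_keyword(p):
    """What 'permit tcp any any established' does: any segment with ACK or RST set passes, state or not."""
    return "permit" if p.proto == "tcp" and ("A" in p.flags or "R" in p.flags) else "deny"

if __name__ == "__main__":
    acl = ReflexiveAcl()
    acl.outbound(Pkt("tcp", "200.150.50.111", 1026, "192.34.56.8", 23, "S"), now=0)   # packet #1 from the figure
    print(acl.entry_text())
    probe = Pkt("tcp", "6.6.6.6", 23, "200.150.50.111", 1027, "A")                     # constructed ACK probe
    print("reflexive:", acl.inbound(probe, now=1), " established:", established_keyword(probe))
```

The constructed ACK probe is the point of the comparison: `established` lets it through because the ACK bit is set, while the reflexive list denies it because no inside host ever opened that session.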
Cisco IOS Firewall Feature Set
Context-Based Access Control (CBAC)
• Stateful, per-application filtering
• Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Denial of Service detection and prevention
Control downloading of Java applets
Real-time alerts
TCP/UDP transaction log
Configuration and management
Enhanced Security for the Intelligent Internet

What Is "Context-Based Access Control" (CBAC)?
Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets are authorized for the particular connection only, via a temporary ACL entry

Cisco IOS Context-Based Access Control (CBAC) Application Support
Transparent support for common TCP/UDP internet services, including:
• WWW, Telnet, SNMP, finger, etc.
FTP
TFTP
SMTP
Java blocking
BSD R-cmds
Oracle SQL Net
Remote Procedure Call (RPC)
Multimedia applications:
• VDOnet's VDO Live
• RealNetworks' RealAudio
• Intel's Internet Video Phone (H.323)
• Microsoft's NetMeeting (H.323)
• Xing Technologies' Streamworks
• White Pine's CU-SeeMe

Cisco IOS Firewall Feature Set
Per user authentication and authorization ("authentication proxy")
Intrusion detection technology
IP fragmentation defense
Dynamic per-application port mapping
Configurable alerts and audit trail
SMTP-specific attack detection
New CBAC application support
• MS-Networking, MS NetShow

Cisco IOS Firewall: Authentication Proxy
HTTP-initiated authentication
Valid for all types of application traffic
Provides dynamic, per user authentication and authorization via the TACACS+ and RADIUS protocols
Works on any interface type for inbound or outbound traffic

Cisco IOS Firewall: Authentication Proxy Operation
[Figure: user on E0 of a Cisco 7200 series router running the Cisco IOS Firewall, S0 toward the ISP and Internet, AAA server]
1. User HTTP request
2. Get Uid/Password
3. Authenticate (against the AAA server)
4. Download profile, build dynamic ACL on router
5. Refresh/reload URL

Application Layer Attacks

Mail
TCP port 25
Attacks include:
• Reconnaissance
• Access
• DoS
[Figure: IP header followed by the TCP header, Dest Port=25]

Mail Attacks
smail attack
sendmail invalid recipient
sendmail invalid sender
sendmail reconnaissance
Archaic sendmail attacks
sendmail decode alias
sendmail SPAM
Majordomo exec bug
MIME overflow bug
Qmail Length Crash

File Transfer Protocol (FTP)
TCP port 21
Attacks include:
• Reconnaissance
• Access
[Figure: IP header followed by the TCP header, Dest Port=21]

FTP Attacks
FTP SITE command attempted
FTP SYST command attempted
FTP CWD ~root
FTP Improper address specified
FTP Improper port specified

Web
TCP port 80
Attacks include:
• Access
[Figure: IP header followed by the TCP header, Dest Port=80]

Web Attacks
phf attack
General cgi-bin attack
url file requested
.lnk file requested
.bat file requested
HTML file has .url link
HTML file has .lnk link
HTML file has .bat link
campas attack
glimpse server attack
IIS View Source Bug
IIS Hex View Source Bug
NPH-TEST-CGI Bug
TEST-CGI Bug
IIS DOT DOT VIEW Bug
IIS DOT DOT EXECUTE Bug
IIS DOT DOT DENIAL Bug

Web Attacks (cont.)
php view file Bug
SGI wrap bug
php buffer overflow
IIS Long URL Crash
View Source CGI Bug
MLOG/MYLOG CGI Bug
Handler CGI Bug
Webgais Bug
WebSendmail Bug
Webdist Bug
Htmlscript Bug
Performer Bug
WebSite win-c-sample buffer overflow
WebSite uploader
Novell convert bug
finger attempt
Count Overflow

DNS Attacks
UDP port 53
Attacks include:
• Reconnaissance
DNS HINFO Request: potential reconnaissance
DNS Zone Transfer Request: potential reconnaissance
DNS Zone Transfer from other port: a port different from 53
DNS request for all records: all records requested, not just one zone

Application Exploit Attacks
Sun Kill Telnet DoS: port 23
Finger Bomb: port 79
rlogin -froot: port 513
IMAP Authenticate Overflow: port 143
IMAP Login Overflow: port 143
POP Overflow: port 110

Application Exploit Attacks (cont.)
INN Overflow: port 119
INN Control Message: port 119
IOS Telnet buffer overflow: port 23
IOS Command History Exploit: port 25
Cisco IOS Identity: port 1999

Server Message Blocks (SMB)
• Native NT file-sharing protocol
• Samba is a UNIX port of SMB
• Common Internet File System (CIFS): extension of SMB

SMB TCP/UDP Ports
• 135 - Remote Procedure Call Service
• 137 - NetBIOS Name Service (UDP)
• 138 - NetBIOS Datagram Service (UDP)
• 139 - NetBIOS Session Service (TCP)

NetBIOS
TCP port 139
Attacks include:
• Reconnaissance
• Access
• DoS
[Figure: IP header followed by the TCP header, Dest Port=139]

NetBIOS Attacks
NETBIOS OOB data
NETBIOS Stat
NETBIOS Session Setup Failure
Windows Guest login
Windows Null Account Name
Windows Password File Access
Windows Registry Access
Windows RedButton

TCP Application Attacks
TCP application attacks are attacks against various TCP applications.
Capture password file: FTP "RETR passwd"
loadmodule Attack: Telnet "IFS=/", Rlogin "IFS=/"
Planting .rhosts: Telnet "+ +", Rlogin "+ +"
Accessing shadow passwd: Telnet "/etc/shadow", Rlogin "/etc/shadow"

UDP Application Attacks
Back Orifice: port 31337
Tftp passwd file attempt: port 69
[Figure: IP header followed by the UDP header, Dest Port field highlighted]

RPC Services
Applications do not use well-known ports
• Use the portmapper
  – Registers applications
  – TCP/UDP port 111
Attacks include
• Reconnaissance
• Access
• DoS
[Figure: client (port 2488) asks the server's portmapper (port 111) for a program's port ("GET PORT #"); the portmapper answers "USE PORT # 2049"; the client then sends its NFS REQUEST to port 2049]

RPC Attacks
RPC port registration: remotely registering a service that is not running
RPC port unregistration: remotely unregistering a running service
RPC dump: rpcinfo -p <host>
Proxied RPC request: bypasses RPC authentication

RPC Attacks (cont.)
RPC Port Sweeps: request a service on many ports on the same host (stealth reconnaissance)
Services swept: RSTATD, RUSERSD, NFS, MOUNTD, YPPASSWD, SELECTION SVC, REXD, STATUS, TTDB

RPC Attacks (cont.)
Portmapper Requests: requests for services known to be exploited
• In most cases these services should not be used
• If needed, filter the signatures
ypserv, ypbind, yppasswd, ypupdated, ypxfrd, mountd, rexd

RPC Attacks (cont.)
rexd attempt: accessing rexd
• Allows remotely running commands
• Should not be allowed
• Unknown by some administrators
RPC services with buffer overflow vulnerabilities: statd, ttdb, mountd

Ident Attacks
Ident is a protocol intended to identify the user behind a TCP connection (to prevent hostname, address, and username spoofing); the answer comes from the remote host itself and cannot be trusted.
• TCP port 113
Ident buffer overflow: IDENT reply too large
Ident newline: IDENT reply with a newline plus more data
Ident improper request: IDENT request too long or for non-existent ports

IP Servers on Routers
Router commands to turn off services:
no service tcp-small-servers
no service udp-small-servers

Trust Exploits
• Spoofing Trusted User
• Spoofing Trusted Host
• Planting ~/.rhosts or hosts.equiv via Alternate Methods

Reconnaissance

Reconnaissance
Unauthorized discovery and mapping of systems, services, or vulnerabilities

Reconnaissance Methods
• Common commands or administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl, and so on
• Hacker tools: SATAN, NMAP, custom scripts, and so on

Discovering the Targets
• Know thy target
  – Domain name, IP address space (i.e. victim.com, 192.168.X.X)
  – whois, nslookup
• Ping Sweeps
  – Network mapping
  – Identify potential targets

Ping Sweeps
ICMP network sweep with Echo: Type=8
ICMP network sweep with Timestamp: Type=13
ICMP network sweep with Address Mask: Type=17
[Figure: IP header followed by the ICMP header, Type field highlighted]

Port Scans
• Port Scans (Probing): determine the services being offered (e.g. telnet, ftp, http, etc.)
• Post Port Scan: determine operating system information; determine other information (e.g. usernames, hostnames, etc.)

TCP Port Scans
Many operating systems haven't implemented TCP/IP according to the letter of the "law" (the RFCs)
They respond differently to TCP packets with various flags set, which lets a scanner fingerprint the operating system
[Figure: IP header followed by the TCP header, Flags field highlighted]

Network Address Translation
[Figure: inside network host 10.1.1.2 behind a NAT router whose outside address is 132.22.2.1, connected to the Internet]
• Hides internal addresses
• Provides dynamic or static translation of private addresses to registered IP addresses
• Supports true NAT, Overload (same as PAT), and
Inside Local IP Address   Inside Global IP Address
10.1.1.2                  132.22.2.100
10.1.1.3                  132.22.2.101

Network Address Translation
Each translation consumes approximately 160 bytes of memory
PAT (overload) translations limited to 4000 entries
Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload
Application support for those that DO carry source and/or destination IP addresses in the payload:
• ICMP, FTP (including port and pasv commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS 'A' and 'PTR' records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)

Initial Access

Access
Unauthorized data manipulation, system access, or privilege escalation

Access Methods
• Exploit easily guessed passwords
  – Brute force
  – Cracking tools
• Exploit mis-administered services
  – IP services (anonymous ftp, tftp, remote registry access, nis, and so on)
  – Trust relationships (spoofing, r-services, and so on)
  – File sharing (NFS, Windows File Sharing)

Access Methods (cont.)
• Exploit application holes
  – Mishandled input data: access outside the application domain, buffer overflows, race conditions
  – Protocol weaknesses: fragmentation, TCP session hijack
• Trojan horses: programs that plant a backdoor into a host

Backdoors
• BackOrifice
  – Win 95/98 server only
  – Windows and Unix clients
  – Configurable ports (default UDP 31337)
  – Encrypted communications
• BackOrifice "ButtPlugs": plug-ins that allow new features to be added easily

Backdoors (cont.)
• NetBus (freeware)
  – Remote administration tool
  – Listens on TCP ports 12345, 12346
  – Trojan program
  – Runs on Win95/98 and NT

Denial of Service Methods
• Resource Overload
  – Disk space, bandwidth, buffers, ...
  – Ping flood: smurf, ...
  – SYN floods: neptune, synk4, ...
  – Packet storms: UDP bombs, fraggle, ...
• Out of Band Data Crash
  – Oversized packets: ping of death, ...
  – Overlapped fragments: teardrop, ...
  – Un-handled out-of-band data: winnuke, ...

Other Areas to Consider
Disable:
• IP helper addresses: no ip helper-address
• IP broadcasting: no ip broadcast-address, no ip directed-broadcast
• Source routing: no ip source-route
• r-commands: no ip rcmd rcp-enable, no ip rcmd rsh-enable
• IDENT: no ip identd
• CDP: no cdp run
• Dynamic circuits: no frame-relay inverse-arp
• Other "features": no ip proxy-arp, no ip redirects

More Info
• http://www.2600.com/
• http://www.cultdeadcow.com/
• http://www.l0pht.com/
• http://www.hackernews.com/
• http://www.cert.org/
• http://www.sans.org/
• http://www.rootshell.com/
• http://www.securityfocus.com/
• http://www.cisco.com/security

In Summary ...
May You Live in Interesting Times!!