Ch03 Network and Computer Attacks
Hands-On Ethical Hacking and Network Defense
Chapter 3: Network and Computer Attacks
Objectives
Describe the different types of malicious software
Describe methods of protecting against malware attacks
Describe the types of network attacks
Identify physical security attacks and vulnerabilities
Malicious Software (Malware)
Network attacks prevent a business from operating
Malicious software (malware) includes: viruses, worms, Trojan horses
Goals: destroy data, corrupt data, shut down a network or system
Viruses
A virus attaches itself to an executable file
Can replicate itself through an executable program
Needs a host program to replicate
No foolproof method of preventing them
Antivirus Software
Detects and removes viruses
Detection based on virus signatures
Must update the signature database periodically
Use the automatic update feature
Base 64 Encoding
Used to evade anti-spam tools, and to obscure passwords
Encodes six bits at a time (0 – 64) with a single ASCII character
A – Z: 0 – 25
a – z: 26 – 51
1 – 9: 52 – 61
+ and -: 62 and 63
See links Ch 3a, 3b
Viruses (continued)
Commercial base 64 decoders
Shell: executable piece of programming code; should not appear in an e-mail attachment
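Added example, not part of the slides: a from-scratch Base64 decoder that shows the six-bit grouping the slide describes, followed by the check a mail filter would make on the decoded attachment (does it start with an executable header?). It uses the standard RFC 4648 alphabet, in which the digits 0–9 occupy values 52–61 and "+" and "/" are 62 and 63 (the URL-safe variant substitutes "-" and "_"); the executable-header list and the sample attachment are constructed for the demonstration.

```python
# Added example, not from the slides: decode Base64 by hand (six bits per
# symbol, four symbols per three bytes) and check whether the decoded
# attachment starts with an executable header. Standard RFC 4648 alphabet.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
VALUE_OF = {ch: i for i, ch in enumerate(ALPHABET)}   # 'A' -> 0 ... '/' -> 63

# Headers that have no business in a mail attachment (assumption: this
# short list is enough for the demonstration).
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable",
                    b"\x7fELF": "ELF executable",
                    b"#!": "shell script"}

def b64decode_manual(text: str) -> bytes:
    """Pack each group of four 6-bit values into 24 bits = three bytes."""
    text = "".join(text.split())              # mail wraps lines at 76 chars
    if len(text) % 4:
        raise ValueError("Base64 length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or (pad and not group.endswith("=" * pad)):
            raise ValueError("bad padding in group %r" % group)
        bits = 0
        for ch in group:
            bits = (bits << 6) | (0 if ch == "=" else VALUE_OF[ch])
        out += bits.to_bytes(3, "big")[:3 - pad]   # drop bytes that were padding
    return bytes(out)

def executable_type(payload: bytes):
    """Name of the executable format if payload starts with a known header."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return name
    return None

def check_attachment(b64_text: str):
    """Decode an attachment and report what kind of executable, if any, it is."""
    return executable_type(b64decode_manual(b64_text))

# Constructed attachment: the first 20 bytes of a Windows PE file, the
# kind of thing a Base64 blob in a suspicious mail may turn out to be.
SAMPLE_ATTACHMENT = "TVqQAAMAAAAEAAAA//8AALgAAAA=\n"

if __name__ == "__main__":
    print(check_attachment(SAMPLE_ATTACHMENT))   # Windows PE executable
```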
Macro Viruses
Virus encoded as a macro
Macro: a list of commands; can be used in destructive ways
Example: Melissa, appeared in 1999; it is very simple – see link Ch 3c for source code
Writing Viruses
Even nonprogrammers can create macro viruses
Instructions posted on Web sites
Virus creation kits available for download (see link Ch 3d)
Security professionals can learn from thinking like attackers
But don't create and release a virus! People get long prison terms for that.
Worms
Worm: replicates and propagates without a host
Infamous examples: Code Red, Nimda
Can infect every computer in the world in a short time, at least in theory
ATM Machine Worms
Cyberattacks against ATM machines: Slammer and Nachi worms
Trend produces antivirus for ATM machines
See links Ch 3g, 3h, 3i
Nachi was written to clean up damage caused by the Blaster worm, but it got out of control (see link Ch 3j)
Diebold was criticized for using Windows for ATM machines, which they also use on voting machines
Trojan Programs
Insidious attack against networks
Disguise themselves as useful programs
Hide malicious content in program
Backdoors, rootkits: allow attackers remote access
Firewalls
Identify traffic on uncommon ports
Can block this type of attack, if your firewall filters outgoing traffic
Windows XP SP2's firewall does not filter outgoing traffic
Vista's firewall doesn't either (by default), according to links Ch 3l and 3m
Trojan programs can use known ports to get through firewalls: HTTP (TCP 80) or DNS (UDP 53)
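Added example, not part of the slides: a model of an outgoing (egress) firewall policy run over constructed connection records. It shows the slide's two points side by side: blocking uncommon outbound ports stops the obvious Trojan, while a Trojan using TCP 80 or UDP 53 only gets caught once those ports are pinned to the hosts that should serve them. The resolver and proxy addresses, the sample flows and the port numbers are assumptions.

```python
# Added example, not from the slides: an outbound firewall policy evaluated
# against constructed flows. The internal resolver and web proxy addresses
# below are made up, as are the sample flows.
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

INTERNAL_DNS = {"10.0.0.53"}     # the only host workstations may query
WEB_PROXY = {"10.0.0.8"}         # the only host that may be reached on 80/443
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def port_only_decision(flow: Flow) -> str:
    """Slide's first rule: block outbound traffic on uncommon ports."""
    return "allow" if (flow.proto, flow.dport) in ALLOWED_PORTS else "block"

def pinned_decision(flow: Flow) -> str:
    """Same rule, plus pinning the 'known' ports to the hosts that should
    serve them, so a Trojan hiding on TCP 80 or UDP 53 is still caught."""
    if port_only_decision(flow) == "block":
        return "block"
    if (flow.proto, flow.dport) == ("udp", 53) and flow.dst not in INTERNAL_DNS:
        return "block"   # DNS straight to an outside host
    if flow.proto == "tcp" and flow.dst not in WEB_PROXY:
        return "block"   # web traffic that bypasses the proxy
    return "allow"

# Constructed flows from one workstation: normal work, then a Trojan
# phoning home on an uncommon port, on TCP 80, and on UDP 53.
SAMPLE_FLOWS = [
    Flow("10.0.1.25", "10.0.0.53", "udp", 53),        # legitimate DNS lookup
    Flow("10.0.1.25", "10.0.0.8", "tcp", 443),        # browsing via the proxy
    Flow("10.0.1.25", "198.51.100.7", "tcp", 31337),  # uncommon port (constructed)
    Flow("10.0.1.25", "198.51.100.7", "tcp", 80),     # Trojan posing as HTTP
    Flow("10.0.1.25", "198.51.100.7", "udp", 53),     # Trojan posing as DNS
]

def audit(flows, decide):
    """Return the flows a given policy would let out of the network."""
    return [f for f in flows if decide(f) == "allow"]

if __name__ == "__main__":
    print(len(audit(SAMPLE_FLOWS, port_only_decision)), "flows pass port-only filtering")
    print(len(audit(SAMPLE_FLOWS, pinned_decision)), "flows pass destination-pinned filtering")
```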
Trojan Demonstration
Make a file with command-line Windows commands
Save it as C:\Documents and Settings\username\cmd.bat
Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
Improved Trojan
Resets the administrator password
Almost invisible to user
Works in Win XP, but not so easy in Vista
Spyware
Sends information from the infected computer to the attacker: confidential financial data, passwords, PINs, any other stored data
Can register each keystroke entered (keylogger)
Prevalent technology
Educate users about spyware
Deceptive Dialog Box
Adware
Similar to spyware
Can be installed without the user being aware
Sometimes displays a banner
Main goal: determine the user's online purchasing habits; tailored advertisement
Main problem: slows down computers
Protecting Against Malware Attacks
Difficult task
New viruses, worms, Trojan programs appear daily
Antivirus programs offer a lot of protection
Educate your users about these types of attacks
Educating Your Users
Structural training: most effective measure; includes all employees and management
E-mail monthly security updates: simple but effective training method
Update the virus signature database automatically
Educating Your Users
SpyBot and Ad-Aware help protect against spyware and adware; Windows Defender is excellent too
Firewalls: hardware (enterprise solution), software (personal solution); can be combined
Intrusion Detection System (IDS): monitors your network 24/7
FUD: Fear, Uncertainty and Doubt
Avoid scaring users into complying with security measures
Sometimes used by unethical security testers
Against the OSSTMM's Rules of Engagement
Promote awareness rather than instilling fear
Users should be aware of potential threats
Build on users' knowledge
Intruder Attacks on Networks and Computers
Attack: any attempt by an unauthorized person to access or use network resources
Network security: security of computers and other devices in a network
Computer security: securing a standalone computer, not part of a network infrastructure
Computer crime: fastest growing type of crime worldwide
Denial-of-Service Attacks
Denial-of-Service (DoS) attack: prevents legitimate users from accessing network resources
Some forms do not involve computers, like feeding a paper loop through a fax machine
DoS attacks do not attempt to access information
Cripple the network
Make it vulnerable to other types of attacks
Testing for DoS Vulnerabilities
Performing an attack yourself is not wise
You only need to prove that an attack could be carried out
Distributed Denial-of-Service Attacks
Attack on a host from multiple servers or workstations
Network could be flooded with billions of requests: loss of bandwidth, degradation or loss of speed
Often participants are not aware they are part of the attack
Attacking computers could be controlled using Trojan programs
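Added example, not part of the slides: detection logic for the DoS and DDoS slides, run over a constructed web-server access log. It shows why the two differ for the defender: a single-source flood stands out by its per-source rate and can be rate-limited, whereas a distributed flood keeps every participant under that limit and is only visible in the aggregate. The log format, the thresholds and the addresses are assumptions.

```python
# Added example, not from the slides: flood detection over a constructed
# access log. Format, thresholds and addresses are assumptions.
import re
from collections import Counter, defaultdict

# Constructed format: <client ip> - - [<epoch seconds>] "GET <path> HTTP/1.1" <status>
LOG_RE = re.compile(r'^(\S+) - - \[(\d+)\] "GET ')

def parse(lines):
    """Yield (client_ip, epoch_seconds) for each request line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))

def detect_floods(lines, window=10, per_source_max=50, aggregate_max=1000):
    """Bucket requests into fixed windows and flag two patterns:
    'dos'  - one source alone exceeds per_source_max (rate-limit that source);
    'ddos' - every source stays under the limit, yet the total exceeds what
             the service can absorb, so per-source limits cannot help."""
    buckets = defaultdict(Counter)
    for ip, ts in parse(lines):
        buckets[ts // window][ip] += 1
    alerts = []
    for bucket in sorted(buckets):
        counts = buckets[bucket]
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_max)
        if noisy:
            alerts.append(("dos", bucket, noisy))
        elif sum(counts.values()) > aggregate_max:
            alerts.append(("ddos", bucket, len(counts)))
    return alerts

def make_sample_log():
    """Constructed log: window 0 is a single-source flood, window 1 is
    300 hosts each sending only 5 requests, window 2 is normal traffic."""
    line = '{ip} - - [{ts}] "GET / HTTP/1.1" 200'
    lines = [line.format(ip="192.0.2.9", ts=i % 10) for i in range(200)]
    for k in range(300):
        ip = f"203.0.113.{k + 1}" if k < 250 else f"198.51.100.{k - 249}"
        lines += [line.format(ip=ip, ts=10 + (k % 10)) for _ in range(5)]
    lines += [line.format(ip="192.0.2.10", ts=20 + (i % 10)) for i in range(20)]
    return lines

if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```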
Buffer Overflow Attacks
Vulnerability in poorly written code: code does not check the predefined size of an input field
Goal: fill the overflow buffer with executable code; the OS executes this code
Can elevate the attacker's permission to Administrator or even Kernel
Programmers need special training to write secure code
Ping of Death Attacks
Type of DoS attack
Not as common as during the late 1990s
How it works:
Attacker creates a large ICMP packet, more than 65,535 bytes
Large packet is fragmented at the source network
Destination network reassembles the large packet
Destination point cannot handle the oversize packet and crashes
Modern systems are protected from this (link Ch 3n)
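Added example, not part of the slides: a model of the fragmentation and reassembly the slide describes, ending in the check a hardened IP stack makes. The sizes follow the IPv4 header (16-bit total length, so 65,535 bytes at most; 13-bit fragment offset counted in 8-byte units); the MTU and the payload sizes are assumptions. The point is that the oversize condition is visible from the fragment headers alone, before any reassembly buffer is written.

```python
# Added example, not from the slides: fragment an oversized ping the way a
# source network would, then apply the reassembly check that protects a
# modern system. MTU and payload sizes are assumptions.
MAX_DATAGRAM = 65535        # largest value the 16-bit total length can hold
IP_HEADER_LEN = 20          # header without options
MAX_OFFSET_UNITS = 0x1FFF   # 13-bit fragment offset field

def fragment_payload(payload_len, mtu=1500):
    """Split an IP payload (ICMP header + data) into fragments of
    (offset_in_8_byte_units, length, more_fragments_flag).
    Only the last fragment may be shorter than a multiple of 8 bytes."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8     # 1480 for a 1500 MTU
    frags, sent = [], 0
    while sent < payload_len:
        size = min(per_fragment, payload_len - sent)
        sent_after = sent + size
        frags.append((sent // 8, size, sent_after < payload_len))
        sent = sent_after
    return frags

def reassembled_size(fragments):
    """Total datagram length the receiver would end up with, computed from
    the fragment headers alone, i.e. before allocating any buffer."""
    end = 0
    for offset_units, length, more in fragments:
        if offset_units > MAX_OFFSET_UNITS:
            raise ValueError("fragment offset does not fit the 13-bit field")
        if more and length % 8:
            raise ValueError("non-final fragment length must be a multiple of 8")
        end = max(end, offset_units * 8 + length)
    return IP_HEADER_LEN + end

def is_ping_of_death(fragments):
    """True when reassembly would exceed 65,535 bytes; a hardened stack
    drops such fragments instead of writing past its reassembly buffer."""
    return reassembled_size(fragments) > MAX_DATAGRAM

if __name__ == "__main__":
    normal = fragment_payload(65_000)     # reassembles to 65,020 bytes: legal
    oversize = fragment_payload(66_000)   # would reassemble to 66,020 bytes
    print(len(normal), is_ping_of_death(normal))
    print(len(oversize), is_ping_of_death(oversize))
```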
Session Hijacking
Enables an attacker to join a TCP session
Attacker makes both parties think he or she is the other party
Addressing Physical Security
Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the company
Keyloggers
Used to capture keystrokes on a computer: hardware or software
Software: behaves like Trojan programs
Hardware: easy to install; goes between the keyboard and the CPU; KeyKatcher and KeyGhost
Keyloggers (continued)
Protection
Software-based: antivirus
Hardware-based: random visual tests; look for added hardware; superglue keyboard connectors in
Behind Locked Doors
Lock up your servers
Physical access means they can hack in
Consider Ophcrack – booting to a CD-based OS will bypass almost any security
Lockpicking
Average person can pick deadbolt locks in less than five minutes, after only a week or two of practice
Experienced hackers can pick deadbolt locks in under 30 seconds
Bump keys are even easier (link Ch 3o)
Card Reader Locks
Keep a log of who enters and leaves the room
Security cards can be used instead of keys for better security
Image from link Ch 3p