Network Security
Attack Analysis
cs490ns - cotter 2
Outline
• Types of Attacks
• Vulnerabilities Exploited
• Network Attack Phases
• Attack Detection Tools
Top Cyber-security Risks
• Application vulnerabilities exceed OS vulnerabilities
– Password guessing – SQL, FTP, SSH
• Web application attacks
– Server-side and client-side attacks
– PHP remote file include
– Cross-site scripting
– SQL injection
• Windows: Conficker/Downadup
• Apple: QuickTime …
• Zero-day vulnerabilities
– File format vulnerabilities (PDF, Word, Excel, Flash, etc.)
www.sans.org – Top 20 (4/08)
Client-side Vulnerabilities in:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players
Server-side Vulnerabilities in:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software
Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media
Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs
Network Devices:
N1. VoIP Servers and Phones
Zero Day Attacks:
Z1. Zero Day Attacks
Example Description
• C4 Media Players
– C4.1 Description
– C4.2 Operating Systems Affected
– C4.3 CVE Entries
– C4.4 How to determine if you are vulnerable
– C4.5 How to protect against media player vulnerabilities
– C4.6 References
C4.3 CVE Entries
• RealPlayer: CVE-2007-2497, CVE-2007-3410, CVE-2007-5601
• Apple iTunes: CVE-2007-3752
• Adobe Flash Player: CVE-2007-3457, CVE-2007-5476
• Apple QuickTime: CVE-2007-0462, CVE-2007-0588, CVE-2007-0466, CVE-2007-0711, CVE-2007-0712, CVE-2007-0714, CVE-2007-2175, CVE-2007-2295, CVE-2007-2296, CVE-2007-0754, CVE-2007-2388, CVE-2007-2389, CVE-2007-2392, CVE-2007-2393, CVE-2007-2394, CVE-2007-2396, CVE-2007-2397, CVE-2007-5045, CVE-2007-4673
• Windows Media Player: CVE-2006-6134, CVE-2007-3035, CVE-2007-3037, CVE-2007-5095
nvd.nist.gov (National Vulnerability Database, where the CVE entries above can be looked up)
Types of Attacks
• Software vulnerabilities
– Buffer overflows
• Viruses, trojans, etc.
• System or service configuration mistakes
• Password weaknesses
• Denial-of-Service attacks
• Wireless Attacks
Buffer Overflows
• Objective:
– Send more data to an application input than it is designed to handle.
– Craft the data such that the overflow portion will be interpreted as executable code.
– Typically done by overflowing a buffer on the stack so that the copy overwrites the saved return address (the value loaded into the program counter when the function returns).
• Depends on:
– Traditional (unchecked) data handling: copy routines such as strcpy that do not know the size of the destination.
– Code that does not validate the length of its input.
Buffer Overflow Example
    #include <string.h>

    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);        /* no length check: 255 bytes copied into 16 */
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminate the string so strcpy stops at 255 bytes */
        function(large_string);
        return 0;
    }
Stack Structure for function
bottom of                                           top of
memory                                              memory
     code      buffer            sfp    ret    *str
  <------     [XXXXXXXXXXXXXXXX][XXXX][XXXX][XXXX]
top of                                              bottom of
stack                                               stack

*str    pointer to the char buffer (argument into function)
ret     return address back into main
sfp     saved frame pointer (reference into the caller’s frame)
buffer  storage allocated for the character array
code    …
Stack Overflow
bottom of                                           top of
memory                                              memory

Before strcpy:
               buffer            sfp    ret    *str
  <------     [XXXXXXXXXXXXXXXX][1F3C][1F9A][1F7C]

After strcpy:
               buffer            sfp    ret    *str
  <------     [AAAAAAAAAAAAAAAA][AAAA][AAAA][AAAA]

top of                                              bottom of
stack                                               stack
Stack Manipulation

Overflow the buffer with exactly the bytes needed to overwrite the return pointer with a desired address, one that points to an instruction of your own crafting (the filler before it lands in buffer and sfp, so their contents no longer matter):

bottom of                                           top of
memory                                              memory
               buffer            sfp    ret    *str
  <------     [AAAAAAAAAAAAAAAA][XXXX][1F94][XXXX]

               buffer            sfp    ret    *str
  <------     [AAAAAAAAAAAAAAAA][XXXX][1F41][XXXX]
top of                                              bottom of
stack                                               stack
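The frame layout on these slides, as an added worked example in C (not code from the lecture): a simulated frame with the slide’s 16-byte buffer, saved frame pointer and return address, a payload builder that places a chosen address where ret lives, the unchecked copy that lets it land there, and the bounds-checked copy that refuses the input. The 32-bit little-endian layout, the struct standing in for the real stack, and the address 0x1F41 taken from the diagram are assumptions of the example; the copy goes into the struct rather than a live stack frame so the overwrite is observable without crashing the program.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame for function() on the slides: the 16-byte buffer, then the
 * saved frame pointer (sfp), then the return address (ret). A 32-bit,
 * little-endian layout is assumed, as in the slide diagrams. Copying into
 * this struct stands in for strcpy() writing up the real stack. */
struct frame_sim {
    char     buffer[16];
    uint32_t sfp;
    uint32_t ret;
};
_Static_assert(sizeof(struct frame_sim) == 24, "frame layout assumption");

/* Build the overwrite the slide describes: fill buffer and sfp with filler,
 * then place the desired return address (least significant byte first) in
 * the four bytes where ret lives. Returns the payload length, or 0 if out
 * is too small to hold it. */
size_t build_payload(unsigned char *out, size_t outsz, uint32_t new_ret)
{
    size_t off = offsetof(struct frame_sim, ret);   /* 20 */
    size_t len = off + sizeof new_ret;              /* 24 */
    if (outsz < len) return 0;
    memset(out, 'A', off);
    for (size_t i = 0; i < sizeof new_ret; i++)
        out[off + i] = (unsigned char)(new_ret >> (8 * i));
    return len;
}

/* The vulnerable pattern: like strcpy(buffer, str), nothing stops the copy at
 * the end of buffer, so sfp and ret are overwritten. The write is bounded to
 * the simulated frame only so that the result is well defined and testable. */
void unchecked_copy(struct frame_sim *f, const unsigned char *src, size_t n)
{
    memcpy(f, src, n > sizeof *f ? sizeof *f : n);
}

/* The missing check: measure the input against the destination first and
 * reject anything that will not fit together with its terminator. Returns 0
 * on success, -1 if rejected (the frame is left untouched). */
int checked_copy(struct frame_sim *f, const char *src)
{
    size_t n = 0;
    while (n < sizeof f->buffer && src[n] != '\0') n++;
    if (n == sizeof f->buffer) return -1;          /* 16 or more bytes: overflow */
    memcpy(f->buffer, src, n + 1);
    return 0;
}

int main(void)
{
    struct frame_sim f = { "ok", 0x1F3C, 0x1F9A };  /* values from the slide */
    unsigned char payload[32];
    size_t len = build_payload(payload, sizeof payload, 0x1F41);
    payload[len] = '\0';

    unchecked_copy(&f, payload, len);
    printf("unchecked: sfp=%08" PRIx32 " ret=%08" PRIx32 "\n", f.sfp, f.ret);

    struct frame_sim g = { "ok", 0x1F3C, 0x1F9A };
    int rc = checked_copy(&g, (const char *)payload);
    printf("checked:   rc=%d ret=%08" PRIx32 "\n", rc, g.ret);
    return 0;
}
```

The unchecked copy turns sfp into 0x41414141 and ret into 0x00001F41, which is the second diagram above; the checked copy returns -1 and leaves ret at its original 0x1F9A. The 255-byte input from the earlier slide would be truncated to the 24-byte frame by unchecked_copy here, but the point is the same: everything past the sixteenth byte lands on control data.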
Viruses, trojans, etc.
• Check for evidence of programs (and versions) that are susceptible to attack.
• Test for outdated (or unchecked) virus scan software.
System or service configuration mistakes
• Default passwords left in place
– Router passwords
– Program (application) passwords
• Default (unused) services left running
– Sendmail
– Echo, time, etc.
• Default settings for firewalls and routers
Password weaknesses
• Test for standard password weaknesses
– Short passwords
– Dictionary-based passwords
– Personal-information passwords (pets, family, etc.)
• Test for passwords stored or transmitted unencrypted
• Try to download the password hash files
– /etc/passwd, /etc/shadow
• Use a dictionary, etc. as the source of candidates
– Hash each word with the entry’s salt (as crypt does) and compare to the stored hash
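The dictionary loop from the last bullet, as an added example in C that is not part of the lecture. The line format mimics /etc/shadow (user:$id$salt$hash:…), but the hash is a stand-in salted FNV-1a rather than crypt(3), chosen only so the example runs offline without libcrypt; the “$X” id, the salt “Qx”, the account names and the candidate word list are all constructed for the example. The parser also reports an empty password field, which is the “unencrypted password” case from the slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3): salted FNV-1a over salt then word, rendered as 8
 * hex digits. It is NOT a real password hash and must never be used as one;
 * it only lets the loop below run offline. The line format mimics
 * /etc/shadow, user:$X$salt$hash:..., with "$X" as a made-up hash id. */
static uint32_t fnv1a(const char *s, uint32_t h)
{
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

void stand_in_hash(const char *salt, const char *word, char out[9])
{
    snprintf(out, 9, "%08lx", (unsigned long)fnv1a(word, fnv1a(salt, 2166136261u)));
}

/* Build a constructed shadow-style line for an account with a known password. */
void make_shadow_line(const char *user, const char *salt, const char *password,
                      char *out, size_t outsz)
{
    char h[9];
    stand_in_hash(salt, password, h);
    snprintf(out, outsz, "%s:$X$%s$%s:14000:0:99999:7:::", user, salt, h);
}

/* Split "user:$X$salt$hash:rest" into user, salt and hash. Returns 1 on
 * success, 0 on a malformed line. An empty password field (user::...) is
 * accepted and reported as empty salt and hash: the account has no password. */
int parse_shadow_line(const char *line, char *user, size_t usz,
                      char *salt, size_t ssz, char *hash, size_t hsz)
{
    const char *c1 = strchr(line, ':');
    if (!c1 || (size_t)(c1 - line) >= usz) return 0;
    memcpy(user, line, (size_t)(c1 - line));
    user[c1 - line] = '\0';

    const char *field = c1 + 1;
    const char *end = strchr(field, ':');
    if (!end) end = field + strlen(field);
    if (end == field) { salt[0] = hash[0] = '\0'; return 1; }

    if (field[0] != '$') return 0;
    const char *s = strchr(field + 1, '$');          /* '$' before the salt */
    if (!s || s >= end) return 0;
    s++;
    const char *h = strchr(s, '$');                  /* '$' before the hash */
    if (!h || h >= end) return 0;
    size_t slen = (size_t)(h - s), hlen = (size_t)(end - h - 1);
    if (slen >= ssz || hlen >= hsz) return 0;
    memcpy(salt, s, slen); salt[slen] = '\0';
    memcpy(hash, h + 1, hlen); hash[hlen] = '\0';
    return 1;
}

/* The loop from the slide: hash each candidate word with the entry's salt and
 * compare with the stored hash. Returns the index of the matching word, -2 if
 * the account has no password at all, -1 if nothing matched or the line is
 * malformed. */
int dictionary_check(const char *line, const char *const *words, size_t nwords)
{
    char user[64], salt[32], hash[32], cand[9];
    if (!parse_shadow_line(line, user, sizeof user, salt, sizeof salt,
                           hash, sizeof hash)) return -1;
    if (hash[0] == '\0') return -2;
    for (size_t i = 0; i < nwords; i++) {
        stand_in_hash(salt, words[i], cand);
        if (strcmp(cand, hash) == 0) return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: three accounts, one weak, one strong, one empty. */
    const char *words[] = { "123456", "password", "letmein" };
    char lines[3][128];
    make_shadow_line("alice", "Qx", "password", lines[0], sizeof lines[0]);
    make_shadow_line("bob", "Qx", "Tr0ub4dor&3", lines[1], sizeof lines[1]);
    snprintf(lines[2], sizeof lines[2], "carol::14000:0:99999:7:::");
    for (int i = 0; i < 3; i++) {
        int r = dictionary_check(lines[i], words, 3);
        if (r >= 0)       printf("%s\n  cracked: '%s'\n", lines[i], words[r]);
        else if (r == -2) printf("%s\n  no password set\n", lines[i]);
        else              printf("%s\n  not in dictionary\n", lines[i]);
    }
    return 0;
}
```

The salt does not slow this loop down at all for one account; it only stops an attacker from hashing the dictionary once and reusing it across every entry in the file. Real password crackers replace stand_in_hash with the system’s crypt variant and the word list with a large dictionary plus mangling rules.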
Wireless Attacks
• Scan for access points (war driving)
• Look for SSID beacons
• Test for MAC address filtering (and whether a spoofed client MAC gets past it)
• Look for unencrypted access points
• If encrypted, test for WEP / WPA
– If WEP, consider the value of capturing traffic and trying to recover the secret key through the IVs (the 24-bit IV is sent in the clear and prepended to the shared key, which is what the WEP key-recovery attacks exploit)
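The WEP weakness behind the last bullet, as an added example in C that is not part of the lecture. It implements RC4 and the WEP per-packet key (24-bit IV followed by the 40-bit shared secret) and shows the consequence of the small IV space: two frames encrypted under the same IV share a keystream, so XORing the ciphertexts cancels it and any known plaintext in one frame reveals the other. This is the keystream-reuse problem, not the statistical key-recovery attack on weak IVs the slide refers to; the secret key, the IV and the two plaintexts are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC4 key scheduling plus keystream generation (the cipher WEP uses). */
static void rc4_keystream(const uint8_t *key, size_t keylen,
                          uint8_t *out, size_t outlen)
{
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t n = 0, i = 0, j = 0; n < outlen; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[n] = S[(S[i] + S[j]) & 0xff];
    }
}

/* WEP-style encryption: per-packet key = 24-bit IV || 40-bit shared secret.
 * Output is the IV (3 bytes, sent in the clear) followed by the ciphertext.
 * Returns the frame length, or 0 if the payload is longer than supported. */
size_t wep_encrypt(const uint8_t iv[3], const uint8_t secret[5],
                   const uint8_t *plain, size_t n, uint8_t *out)
{
    uint8_t key[8], ks[256];
    if (n > sizeof ks) return 0;
    memcpy(key, iv, 3);
    memcpy(key + 3, secret, 5);
    rc4_keystream(key, sizeof key, ks, n);
    memcpy(out, iv, 3);
    for (size_t i = 0; i < n; i++) out[3 + i] = plain[i] ^ ks[i];
    return 3 + n;
}

/* Attacker side: given two captured frames that carry the same IV, XOR the
 * ciphertexts. The shared keystream cancels and what is left is p1 XOR p2.
 * Returns the number of bytes produced, or 0 if the IVs differ. */
size_t xor_frames(const uint8_t *f1, size_t n1, const uint8_t *f2, size_t n2,
                  uint8_t *out)
{
    if (n1 < 3 || n2 < 3 || memcmp(f1, f2, 3) != 0) return 0;
    size_t n = (n1 < n2 ? n1 : n2) - 3;
    for (size_t i = 0; i < n; i++) out[i] = f1[3 + i] ^ f2[3 + i];
    return n;
}

/* Recover frame 2's plaintext from frame 1's known plaintext (for example a
 * fixed protocol header), since (p1 ^ p2) ^ p1 = p2. */
size_t recover_with_known(const uint8_t *f1, size_t n1, const uint8_t *known1,
                          const uint8_t *f2, size_t n2, uint8_t *out)
{
    size_t n = xor_frames(f1, n1, f2, n2, out);
    for (size_t i = 0; i < n; i++) out[i] ^= known1[i];
    return n;
}

int main(void)
{
    /* Constructed values: a 40-bit shared key and an IV reused by two frames. */
    const uint8_t secret[5] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
    const uint8_t iv[3] = { 0xAA, 0xBB, 0xCC };
    const uint8_t known[]  = "GET /index.html";   /* 15 bytes, guessable   */
    const uint8_t target[] = "SECRET-PASSWORD";   /* 15 bytes, the victim  */
    uint8_t f1[64], f2[64], out[64];

    size_t n1 = wep_encrypt(iv, secret, known, 15, f1);
    size_t n2 = wep_encrypt(iv, secret, target, 15, f2);
    size_t n = recover_with_known(f1, n1, known, f2, n2, out);
    printf("recovered %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    return 0;
}
```

With only 2^24 IVs and no rule forcing them to be unique, a busy access point repeats an IV within hours, so a passive sniffer collecting frames will find such pairs without any key at all. Recovering the key itself needs the weak-IV attack the slide alludes to; recovering traffic only needs this.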
Network Attack Phases
• Reconnaissance
• Vulnerability Identification
• Penetration
• Control
• Embedding
• Data extraction / modification
• Attack Relay
Reconnaissance
• Find out about the network topology
– What IP addresses are active?
– What operating systems do they use?
– What services / servers do they support?
– What other machines do they talk to?
• Tools
– Port scanners
– DNS queries (zone transfers)
• Defense
– Snort, Shadow (network intrusion detection that logs the scans)
Vulnerability Identification
• Once systems have been scanned, specific sweeps are made to check for specific service or system vulnerabilities
– See the SANS Top 20
– Buffer overflows, etc.
• Most popular targets
– Servers that are difficult to remove or relocate (DNS, mail, web, etc.)
• Defense
– Don’t expose vulnerabilities!
Penetration
• The most successful hack is one that is not detected
– Second best is an attack that cannot be traced.
• Systems with some security typically rely on a “hard shell”
– Firewall or proxy servers
– Perhaps an IDS
• If the firewall is secure, then use the users
– Track external site visits
– Taint DNS records to point to an attack machine
– Let the users establish the connection for you!
Control
• Typically a bootstrap process.
– Find an exploit that allows you to control a process (program).
– Use that process to start up a process of your choosing, with the permissions of the owner of the original process.
– This process will contact the attack host and download the full exploit.
– Use that process to execute another exploit that will get root privilege (if needed).
Embedding
• Once into the system, the hacker will attempt to hide several different access programs.
– If one exploit is discovered, perhaps the others will not be.
– Alter logging programs so they do not display the attacker’s packets
– Alter process display programs so they do not show the attacker’s processes
– Etc.
• Want to be sure that the attack program (bot) will survive a restart.
Embedding (continued)
• Store exploits by overwriting little-used existing files (games, etc.)
• Store most of the exploit as fragments inside other files (steganography), then use a small reassembly program to rebuild it on command
• Hide the program on unused portions of the disk
• Load portions of the bot onto unused EEPROM on the network card.
Data extraction / modification
• First order of business is to send system data back to the relay
– Windows – registry
– Linux – /proc
• Transmit data slowly – over several different sessions
• Encrypt and embed data into known (or expected) data flows – www, ftp, e-mail, etc.
– Use existing programs (RMON, arpwatch)
Attack Relay
• Use this new system as a relay to attack other systems.
– Use multiple relays – ideally in multiple countries – to link to the attacked machines.
– Use multiple machines for an attack
• A few suspicious packets from a machine once a week may not be acted upon
• Multiple machines are harder to block.
Attack Detection Tools
• Scanners
– Virus scanners
– Spyware scanners (SpyBot)
– Malware scanners
• IDS
– Network-based
– Host-based
Profile of an Advanced Cyber Intrusion
• Ongoing (since 1999) series of suspected intrusions on US commercial and military sites from PRC
• Information presented in an unclassified document that details China’s capability to conduct cyber attacks
• One element of that report is a detailed report of an intrusion into a US commercial network
Awareness of the Problem
• Information security staff at the company became aware of the intrusion when they detected large volumes of data leaving their network
– Coming from multiple machines
– Going to multiple addresses, mostly (completely?) within the US
• They were able to implement blocks to stop the flow, but an unknown volume of data had already been transmitted.
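The symptom that gave the intrusion away, as an added example in C that is not part of the lecture or of the report it summarises: flow records are aggregated per internal host and any host whose outbound volume or number of distinct external destinations is abnormal is flagged. The one-line flow format, the 10.0.0.0/8 internal range, the addresses and byte counts in the sample log and the thresholds are all constructed for the example; a real deployment would read NetFlow or firewall logs and baseline the thresholds per host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define MAX_DSTS  16

/* Outbound summary for one internal host, built from flow records. */
struct host_stat {
    char     src[16];
    uint64_t bytes_out;
    int      ndst;                 /* distinct external destinations */
    char     dst[MAX_DSTS][16];
};

/* Constructed flow log: "<src> <dst> <bytes>" per line. 10.0.0.0/8 is taken
 * as the internal range; every other address is external. */
static const char SAMPLE_FLOWS[] =
    "10.1.2.3 198.51.100.7 681574400\n"   /* ~650 MB, same size each time */
    "10.1.2.3 198.51.100.8 681574400\n"
    "10.1.2.3 203.0.113.5 681574400\n"
    "10.1.2.9 198.51.100.7 1200\n"         /* ordinary small web session */
    "10.1.2.9 10.1.5.5 900000000\n"        /* internal to internal: ignored */
    "192.0.2.4 10.1.2.3 5000\n";           /* inbound: ignored */

static int is_internal(const char *ip) { return strncmp(ip, "10.", 3) == 0; }

static struct host_stat *find_or_add(struct host_stat *t, int *n, const char *src)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].src, src) == 0) return &t[i];
    if (*n >= MAX_HOSTS) return NULL;
    struct host_stat *h = &t[(*n)++];
    memset(h, 0, sizeof *h);
    snprintf(h->src, sizeof h->src, "%s", src);
    return h;
}

static void add_dst(struct host_stat *h, const char *dst)
{
    for (int i = 0; i < h->ndst; i++)
        if (strcmp(h->dst[i], dst) == 0) return;
    if (h->ndst < MAX_DSTS)
        snprintf(h->dst[h->ndst++], sizeof h->dst[0], "%s", dst);
}

/* Aggregate internal->external flows per source host, one record per line.
 * Returns the number of distinct internal sources found (also stored in *n). */
int summarize_flows(const char *log, struct host_stat *t, int *n)
{
    *n = 0;
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128], src[16], dst[16];
        unsigned long long bytes;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%15s %15s %llu", src, dst, &bytes) == 3
                && is_internal(src) && !is_internal(dst)) {
                struct host_stat *h = find_or_add(t, n, src);
                if (h) { h->bytes_out += bytes; add_dst(h, dst); }
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return *n;
}

/* Flag hosts whose outbound volume or destination fan-out is abnormal: the
 * symptom that alerted the company in the case study. Thresholds are
 * illustrative. flags[i] is set to 1 for t[i] if flagged; returns the count. */
int flag_exfil(const struct host_stat *t, int n, uint64_t max_bytes,
               int max_dsts, int *flags)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        flags[i] = (t[i].bytes_out > max_bytes || t[i].ndst >= max_dsts) ? 1 : 0;
        count += flags[i];
    }
    return count;
}

int main(void)
{
    struct host_stat t[MAX_HOSTS];
    int n, flags[MAX_HOSTS];
    summarize_flows(SAMPLE_FLOWS, t, &n);
    flag_exfil(t, n, 500ull * 1024 * 1024, 3, flags);
    for (int i = 0; i < n; i++)
        printf("%-12s out=%llu bytes to %d external host(s)%s\n", t[i].src,
               (unsigned long long)t[i].bytes_out, t[i].ndst,
               flags[i] ? "  <-- investigate" : "");
    return 0;
}
```

A volume threshold alone catches the final transfer but not the quiet reconnaissance that preceded it; the fan-out count and, in practice, a time-of-day profile (the case study’s transfers ran at the same hour each evening) are what make the earlier staging traffic stand out.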
Two Teams
• Able to distinguish teams based on the tools and techniques used.
• Forensic profile
– Able to distinguish individuals based on “keyboard behavior” – tools, techniques, command combinations, elapsed time between keyboard entries, etc.
• Breach team
– Figure out how to get into the network and secure machines.
• Collection team
– Determine what information to extract and implement the extraction.
Data Compromised
• Information extracted was very carefully selected.
– Files picked out of directories of related information
– Files generally were not opened prior to extraction
• Suggests that the intruders had very detailed knowledge of the information in the network and had been able to search through the files to identify what they wanted.
– Took a lot of time
– Took detailed knowledge of the company
Activity prior to exfiltration
• Information Security (IS) detected low levels of intrusive activity prior to the exfiltration.
– Seemed to be focused on maintenance of their presence within the network
– When detected, IS would block the link.
– Apparently the intruders were able to open up other links undetected to continue their reconnaissance.
• Process continued for several days (at least).
Reconnaissance Phase
• Identify specific files, directories and file shares that contained desirable information
• Identify specific users who would have access to desired information and compromise their accounts.
• Uncover and use password policies
• Identify group memberships
• Construct detailed network architecture diagrams to facilitate information movement
• Process was very methodical and quiet.
Data Exfiltration Operation (diagram)
Nodes shown on the slide:
– External Command and Control (C2) host
– Compromised users (workstations)
– Staging systems (reached via RDP)
– File servers
– Exfiltration hosts (the internal sending hosts)
– External hosts (the external collection hosts)
Analysis
• Used dozens of accounts over about 150 occasions to gather information.
– Very difficult to correlate the activities prior to exfiltration.
• Group memberships were particularly important in accessing data from non-compromised accounts.
Data Staging Process
• Took place over several days
• Noticed an increase in short-duration communications
– Appeared to be used to verify resources, set up redundant channels, etc.
• Transfer done in the evening (same time each night).
• Transfer desired data from file servers to mail servers.
– 75% of the company’s several dozen mail servers were involved in the intrusion.
• Rename files to resemble legitimate Windows files on the mail servers.
• Encrypt and compress files into 650 MB RAR archives
Exfiltration
• Secure a compromised user machine for use as an internal C2 station
• Move data into staging servers
• Test all staging servers by downloading a 20 MB video file.
– Terminated the download before it completed.
• Identify local (US) external hosts to receive the data
• Used several versions of FTP (both standard and customized versions) to get a working configuration for offloading files.
• Finally got a working configuration to a US university site.
• Replicated the configuration 5 more times to increase throughput.
• Eventually detected and blocked. IS noted repeated attempts over the next 5 hours to regain access.
Summary
• There are many ways that hackers can get into systems
• Complexity of systems today makes it difficult to protect all possible attack vectors.
• Several web sites available to identify trends (SANS, etc.)
• Understand the process!
References
• Stealth Coordinated Attack HOWTO – Dragos Ruiu – 1999 (Google for a copy; it seems to move around)
• Network Intrusion Detection, 3rd ed. – Northcutt and Novak – New Riders Publishing – 2003
• Maximum Linux Security – Anonymous – Sams Publishing – 2000
• Ethical Hacking and Network Defense – Simpson – Thomson Course Technology – 2006
• Smashing the Stack for Fun and Profit – http://www.phrack.org/phrack/60/p60-0x06.txt
• PRC and Cyber Warfare – http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf