
Sécurité et Réseau

Eric Lapaille - Emmanuel Tychon - Frederic Rouyre

© Netline 96-99

Web sites

• http://www.cert.org/

• http://www.microsoft.com/security/default.asp

Most common attacks

Exploitation of weaknesses in the "cgi-bin/phf" program used on Web servers to steal system password files;

Attacks on systems running the free Linux version of UNIX, including installation of "sniffers" that can steal unencrypted passwords when people log on to the systems

Denial-of-service attacks were particularly troubling for Internet Service Providers;

Widely-available hacker kits have permitted even novices to attack systems with known vulnerabilities;

Poorly-configured anonymous FTP sites were used to exchange illegal copies of proprietary software;

Abuse of e-mail included mail-bombing, forgeries ("spoofing") and a large increase in the amount of junk e-mail ("spamming");

Viruses and hoaxes about viruses (especially wild claims about dangerous e-mail) increased in 1996.

Evaluating NT security

• C2

• Account policies

• Users accounts

• Administrator account

• Guest account

• Users Rights

C2

The system should not dual boot. Windows NT should be the only operating system installed.

The OS/2 and POSIX subsystems should not be installed.

All drives on the system must be formatted for the NT File System, not the FAT file system. To check drive status in Windows NT 4.0, right-click on the drive and choose Properties.

The Security Log should not overwrite old events. To check this, open the Event Viewer and choose Log Settings from the Log menu. The option called "Do Not Overwrite Events (Clear Log Manually)" should be enabled.

Do not allow blank passwords. To check this, open the User Manager for Domains and choose Account from the Policies menu and disable Permit Blank Passwords in the Minimum Password Length field. This will require that you choose the "At Least x Characters" field and specify a value for x.

Disable the Guest account. In the User Manager, double-click on the Guest account and put a check mark on the item called "Account Disabled."

Account policies & restrictions

Maximum Password Age: passwords should expire after x days.

Minimum Password Length: passwords should be greater than eight characters.

Minimum Password Age: set so that a password can only be changed again after x days.

Password Uniqueness: set to Remember x Passwords.

Lockout after x bad logon attempts: set x to 4.

Reset Count After x minutes: set to approximately 20 minutes to avoid unnecessary lockouts.

Lockout Duration: set according to your logon policies. If set to Forever, an administrator must re-enable the account.

Forcibly disconnect remote users from server when logon hours expire: set this option to prevent after-hours activity and to disconnect systems that were left on.

User must log on in order to change password: set this option so that users whose passwords have expired cannot log on to change them; the administrator must change the password.
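The policy table above is applied in User Manager, but the same values are what `net accounts` prints, so the check can be scripted. The following is an added example in Python, not material from the deck: it parses the command's output and reports every recommendation that is not met. The two outputs below are constructed samples, not captures, and the numeric thresholds (90 days, 5 remembered passwords, 4 bad logons, 8 characters) are this example's choices where the table only says x.

```python
import re

# Constructed sample of `net accounts` output for a weak configuration (not captured from a real host).
WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# The same host after applying the recommendations in the table (also constructed).
HARDENED = """\
Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                5
Lockout threshold:                                    4
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 20
Computer role:                                        SERVER
The command completed successfully.
"""

def parse_net_accounts(text):
    """Map each 'label:   value' line of `net accounts` output to {label: value}."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line.rstrip())
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy

def as_int(value):
    """'Never', 'None' and 'Unlimited' all mean 'not enforced'; return None for those."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def audit_net_accounts(text, min_len=8, max_age=90, history=5, lockout=4):
    """Return one finding per recommendation in the table that the policy does not meet.
    The thresholds are this example's defaults; the deck leaves most of them as x."""
    p = parse_net_accounts(text)
    findings = []
    v = as_int(p.get("Maximum password age (days)"))
    if v is None or v > max_age:
        findings.append("Maximum Password Age: passwords never expire or expire too late")
    v = as_int(p.get("Minimum password length"))
    if v is None or v < min_len:
        findings.append("Minimum Password Length: blank or short passwords are permitted")
    v = as_int(p.get("Minimum password age (days)"))
    if v is None or v < 1:
        findings.append("Minimum Password Age: a user can cycle straight back to an old password")
    v = as_int(p.get("Length of password history maintained"))
    if v is None or v < history:
        findings.append("Password Uniqueness: little or no password history is kept")
    v = as_int(p.get("Lockout threshold"))
    if v is None or v > lockout:
        findings.append("Lockout: no lockout, or only after too many bad logon attempts")
    if p.get("Force user logoff how long after time expires?") == "Never":
        findings.append("Forcibly disconnect remote users: not enforced when logon hours expire")
    return findings
```

Run it on a real host by piping `net accounts` into `parse_net_accounts`; the corresponding settings are applied with the same command's `/MINPWLEN`, `/MAXPWAGE`, `/MINPWAGE`, `/UNIQUEPW` and `/FORCELOGOFF` switches, and the lockout values in User Manager's Account Policy dialog.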

User accounts

Look for old user accounts of employees who have left the company and remove the accounts if appropriate.

Check the password options. Should the user be able to change the password? Does the password never expire? Is this account disabled? If it is disabled, has the user left the company? If so, consider removing the account.

Click the Groups button to determine which groups the user belongs to. Is membership in these groups appropriate for the user? What rights and permissions does the user obtain from the groups? What access does the group have to other domains?

Click the Profile button in the New User properties dialog box to check the location of the user's home directory. If you remove the account, also remove the specified directory. Does the user have a profile, and if so, is it mandatory? Are System Policies required?

Click the Hours button to evaluate the times that the user can access the network. Make sure no one can log on after hours if that is your policy.

Click the Logon To button to evaluate which computers the user can log on to. Make sure that no one can log on from a computer in an unsupervised area.

Click the Account button to set an account expiration date if necessary. All temporary accounts or administrator "test" accounts should expire automatically.

Click the Dialin button to evaluate dial-in capabilities. If users can dial in, enable Call Back options to a specified telephone number in the dialog box for added security.

Administrator

• If you are taking over the management of an existing system, you should change the Administrator account name and password immediately. You do not know who might have a password that would give them access to the account.

• The Administrator account is often the target of attacks because of its well-known name. You should rename the Administrator account to an obscure name and create a "decoy" account called "Administrator" with no permissions. Intruders will attempt to break in to this decoy account instead of the real account.

• Enable failed logons in the auditing system to detect attempts to log on to any account, including Administrator. Look for unnecessary accounts that have Administrator status. Perhaps an intruder has created such an account as a backdoor into the system.

• Review the membership of the Administrators group and the Domain Admins group. Remove all unnecessary users from this group. If you have a large network that consists of multiple administrators, interview these administrators on a regular basis to evaluate their activities and need for Administrator status.

• To protect against the loss of the Administrator, create a "backdoor" Administrator account with an obscure name and a three-part password. Give three people one part of this password. In the event that Administrator access is required, all three must be present to access the Administrator account

Guest account

Users who log on as guests can access any shared folder that the Everyone group has access to (i.e., if the Everyone group has Read permissions to the Private folder, guests can access it with Read permissions).

You don't know who Guest users are and there is no accountability because all guests log in to the same account.

Always disable the Guest account on networks that are connected to untrusted networks such as the Internet. It provides too many opportunities for break-ins.

Users Rights

Access this computer from the network: by default, only the Administrators and the Everyone group have this right. Remove the Everyone group (why would you want everyone to access this server from the network if you are interested in security?), then add specific groups as appropriate. For example, create a new group called "Network Users" with this right, then add users who should have network access.

Back up files and directories: users with this right can potentially carry any files off-site, because the right lets a backup program read files regardless of their permissions. Carefully evaluate which users and groups have this right. Also evaluate the Restore files and directories right.

Log on locally: for servers, only administrators should have this right. No regular user ever needs to log on directly to the server itself. By default, the administrative groups (Administrators, Server Operators, etc.) have this right. Make sure that any user who is a member of these groups has a separate management account.

Manage auditing and security log: only the Administrators group should have this right.

Take ownership of files or other objects: only the Administrators group should have this right.

Firewall/Proxy Server

Perimeter Defenses

Proxy

Screening Router

Screening Router

• Screening routers can look at information related to the hard-wired address of a computer, its IP address (Network layer), and even the types of connections (Transport layer) and then provide filtering based on that information. A screening router may be a stand-alone routing device or a computer that contains two network interface cards (dual-homed system). The router connects two networks and performs packet filtering to control traffic between the networks.

• Administrators program the device with a set of rules that define how packet filtering is done. Ports can also be blocked; for example, you can block all applications except HTTP (Web) services. However, the rules that you can define for routers may not be sufficient to protect your network resources, especially if the Internet is connected to one side of the router. Those rules may also be difficult to implement and error-prone, which could potentially open up holes in your defenses.
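To make the "error-prone rules" point concrete, here is an added example (not from the deck) of a first-match packet filter of the kind a screening router runs, with the intended "HTTP to the web server, nothing else" policy next to two rule sets that look reasonable but are wrong. The addresses, the rule fields and the three sample packets are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

def rule(action, proto=None, src=None, dst=None, dport=None):
    """A screening-router rule; None in a field means 'any'."""
    return (action, proto,
            ip_network(src) if src else None,
            ip_network(dst) if dst else None,
            dport)

def matches(r, pkt):
    action, proto, src, dst, dport = r
    return ((proto is None or proto == pkt["proto"])
            and (src is None or ip_address(pkt["src"]) in src)
            and (dst is None or ip_address(pkt["dst"]) in dst)
            and (dport is None or dport == pkt.get("dport")))

def filter_packet(rules, pkt, default="deny"):
    """First match wins, as on most packet filters; 'default' applies when nothing matches."""
    for r in rules:
        if matches(r, pkt):
            return r[0]
    return default

WEB_SERVER = "10.0.0.80/32"   # assumption: the only host the Internet may reach
INTERNAL = "10.0.0.0/8"       # assumption: the protected network behind the router

# Intended policy on the Internet-facing side: HTTP to the web server, nothing else.
CORRECT = [
    rule("permit", "tcp", dst=WEB_SERVER, dport=80),
    rule("deny"),
]
# Mistake 1: the catch-all deny was placed first, so the permit is never reached.
DENY_FIRST = [
    rule("deny"),
    rule("permit", "tcp", dst=WEB_SERVER, dport=80),
]
# Mistake 2: a "permit anything from our own network" rule meant for outbound traffic
# ended up in the same list.  It tests only the source address, so a packet arriving
# from the Internet with a forged internal source address matches it and gets through.
SPOOFABLE = [
    rule("permit", src=INTERNAL),
    rule("permit", "tcp", dst=WEB_SERVER, dport=80),
    rule("deny"),
]

# Constructed sample packets arriving from the Internet side (not captures).
WEB_REQUEST = {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.80", "dport": 80}
SMB_PROBE = {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.80", "dport": 139}
SPOOFED_SMB = {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.80", "dport": 139}

def evaluate(rules):
    """Decision for each sample packet, in the order (web request, SMB probe, spoofed SMB)."""
    return tuple(filter_packet(rules, p) for p in (WEB_REQUEST, SMB_PROBE, SPOOFED_SMB))
```

The second mistake is why real filters are tied to an interface and direction, and why an inbound rule should drop packets claiming an internal source address before any permit is considered.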

NT Security

• Local Security Authority (LSA)

• This is also known as the Security Subsystem. It is the central component of NT security. It handles local security policy and user authentication. LSA also handles generating and logging audit messages.

• Security Account Manager (SAM)

• SAM handles user and group accounts, and provides user authentication for LSA.

• Security Reference Monitor (SRM)

• SRM enforces access validation and auditing for LSA. It checks user accounts as the user tries to access various files, directories, etc, and either allows or denies access. Auditing messages are generated as a result. The SRM contains a copy of the access validation code to ensure that resources are protected uniformly throughout the system, regardless of resource type.

• User Interface (UI)

• An important part of the security model, the UI is mainly all that the end user sees, and is how most of the administration can be performed.

NT Security

• Stand Alone

• Workgroup

• Domain

NT Password

• \WINNT\SYSTEM32\CONFIG\SAM is the location of the security database. It is usually world readable by default, but locked while the system is running since it is in use by system components. There may be SAM.SAV files which could be readable. If so, these could be obtained for the purpose of getting password information.

• During the installation of NT a copy of the password database is put in \WINNT\REPAIR. Since it was just installed, only the Administrator and Guest accounts will be there, but maybe Administrator is enough.

• If the system administrator updates the repair information (rdisk /s writes a current copy of the SAM into \WINNT\REPAIR), or you get hold of a copy of the repair disks, you can get the password database. The file is SAM._ (compressed) in the ERD directory.

• If you are insane, you can go poking around in the SAM secret keys. First, set the Schedule service to log on as LocalSystem and allow it to interact with the desktop, then schedule an interactive regedt32 session. The regedt32 session will be running as LocalSystem and you can play around in the secret keys.

Vulnerabilities and attack tools

• NTFSDOS

• NeTMonitor

• GetAdmin

• BackOrifice

NetBios

NBTSTAT -A x.x.x.x (plug in the IP address of the box you're after)

Add the machine name this returns to your LMHOSTS file.

If you are not on an NT 4.x machine, type NBTSTAT -R to refresh the NetBios names.

Try NET VIEW \\machinename to see the shares

Try DIR \\machinename\share to list the contents of a share if it is open.

Try NET VIEW \\ipaddress or NET VIEW \\fully.qualified.name.com, which should get you the user names under NT 4.0.
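What NBTSTAT -A actually sends and receives, as an added example that is not part of the deck: a Python builder and parser for the NetBIOS node-status request and response on UDP/137 (RFC 1001/1002), plus a small summary of the reply in the form nbtstat prints. The name table and MAC address in the sample reply are constructed. The <03> entries are the messenger-service names, which is where a logged-on user name shows up in the listing.

```python
import socket
import struct

NBSTAT, IN_CLASS = 0x0021, 0x0001
WILDCARD = b"*" + b"\x00" * 15          # the node-status "any name" question, padded with NULs

def encode_name(raw16):
    """First-level encoding (RFC 1001 section 14.1): each nibble becomes a letter 'A'..'P'."""
    body = b"".join(bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F))) for b in raw16)
    return bytes([len(body)]) + body + b"\x00"

def build_node_status_request(tid=0x1234):
    header = struct.pack(">6H", tid, 0x0000, 1, 0, 0, 0)     # flags 0: query, no recursion
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, IN_CLASS)

def build_node_status_response(tid, names, mac):
    """What the target answers: its name table, then the adapter MAC.  Used for the offline demo."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = 0x8400 if is_group else 0x0400            # G bit (15) and ACT bit (10)
        rdata += name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                           # statistics block, zeroed here
    header = struct.pack(">6H", tid, 0x8400, 0, 1, 0, 0)  # response bit set, authoritative
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + rr + rdata

def parse_node_status_response(data):
    tid, flags, qd, an, ns, ar = struct.unpack(">6H", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node-status answer")
    off = 12
    while data[off]:                      # skip the length-prefixed encoded name
        off += 1 + data[off]
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type")
    count, off = data[off], off + 1
    names = []
    for _ in range(count):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack(">H", data[off + 16:off + 18])[0]
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"), suffix,
                      "GROUP" if nflags & 0x8000 else "UNIQUE"))
        off += 18
    return {"names": names, "mac": data[off:off + 6].hex(":")}

def summarize(table):
    """What nbtstat -A shows: machine (<00> unique), workgroup/domain (<00> group), users (<03>)."""
    machine = next(n for n, s, k in table["names"] if s == 0x00 and k == "UNIQUE")
    domain = next((n for n, s, k in table["names"] if s == 0x00 and k == "GROUP"), None)
    users = [n for n, s, k in table["names"] if s == 0x03 and k == "UNIQUE" and n != machine]
    return machine, domain, users

def query_node_status(host, timeout=2.0):
    """Live query on UDP/137, the same thing nbtstat -A does; not used by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)

# Constructed name table for the offline walk-through (not from a real host).
SAMPLE_NAMES = [("NTSRV1", 0x00, False), ("WORKGROUP", 0x00, True),
                ("NTSRV1", 0x20, False), ("NTSRV1", 0x03, False), ("ADMINISTRATOR", 0x03, False)]
SAMPLE_MAC = bytes.fromhex("00a0c9001122")

def demo():
    reply = build_node_status_response(0x1234, SAMPLE_NAMES, SAMPLE_MAC)
    return summarize(parse_node_status_response(reply))
```

The request is 50 bytes and needs no credentials; that is the reason the deck's advice to block the NetBIOS ports at the perimeter matters.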

FTP

• Anonymous

Port Scanner

• Port scanning is a technique to check TCP/IP ports to see what services are available. For example port 80 is typically a web server, port 25 is SMTP used by Internet mail and so on. By scanning and seeing what TCP/IP ports are listening at the end of a TCP/IP address, you can get an idea as to what type of box the target might be, what services are available, and possibly plan an attack if you are aware of an exploit involving a particular service.

• If ports 135, 137, 138 and 139 are open on the target of a scan, it is quite possible that the target is NT. Note that 135 and 139 are TCP ports, while 137 and 138 (NetBIOS name and datagram services) are UDP, so a TCP scan only shows the first two.
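A minimal TCP connect scanner with the deck's NT heuristic, as an added example that is not from the deck. It opens a listener on the loopback interface so it can be run and checked offline; the service labels are this example's own short table.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

WELL_KNOWN = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
              135: "msrpc", 139: "netbios-ssn", 443: "https"}

def probe(host, port, timeout=0.5):
    """TCP connect probe: True if something accepts a connection on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable
            return False

def scan_ports(host, ports, timeout=0.5, workers=16):
    """Return the sorted list of open TCP ports among 'ports'."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)

def fingerprint(open_ports):
    """Label the services and apply the deck's NT heuristic.  Only the TCP side is visible
    here: 137/udp and 138/udp would need a UDP probe such as the node-status request."""
    labels = [f"{p}/tcp {WELL_KNOWN.get(p, 'unknown')}" for p in open_ports]
    looks_like_nt = 135 in open_ports and 139 in open_ports
    return labels, looks_like_nt

def demo_local_scan():
    """Offline check: listen on one loopback port, pick another that is closed, scan both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                  # the kernel completes handshakes even without accept()
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # nothing listens there any more
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, found

if __name__ == "__main__":
    o, c, found = demo_local_scan()
    print(f"listening on {o}, closed {c}, scan found {found}")
    print(fingerprint([80, 135, 139]))
```

A connect scan completes the handshake, so it shows up in the target's logs and in any firewall's connection table; that is acceptable for an authorised audit of your own servers and is the reason the deck's "enable failed logon auditing" advice catches much of this activity.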

Denial Of Services

• Denial of Service (DOS) is simply rendering a service offered by a workstation or server unavailable to others. This is a controversial subject, since some people think that DOS is not a hack, or rather juvenile and petty. While I can't think of very many reasons why you might want to engage in DOS, I still will continue to include this type of material in Hack FAQs. What is more sad -- the fact that I include them, or the fact that there are so many of them?

• Reasons that a hacker might want to resort to DOS might include the following:

A trojan has been installed, but a reboot is required to activate it.

A hacker wishes to cover their tracks VERY DRAMATICALLY, or cover CPU activity with a random crash to make the site think it was "just a fluke".

The hacker isn't a hacker at all, but a pissed off lamer who has a poor outlook and too much free time.

The hacker is acting out of the need (or delusion) that the DOS serves a greater good, such as a DOS attack on Pro Life sites by Pro Choice believers

Ping of Death

• The Ping of Death is an oversized ICMP echo packet sent by a workstation to a target. The target receives the ping in fragments and starts reassembling the packet. However, once reassembled the packet is larger than the 65,535 bytes an IP datagram may have, so it is too big for the reassembly buffer and overflows it. This causes unpredictable results, such as reboots or hangs.

• Windows 95 and Windows NT are capable of sending such a packet. By simply typing "ping -l 65527 -s 1 <target>" you can send such a ping (-l sets the data size; 65,527 data bytes plus the 8-byte ICMP header and the 20-byte IP header exceed 65,535). There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available on the Internet.
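The reassembly bug behind the Ping of Death, as an added example in Python that is not from the deck: the unchecked reassembly beside the fixed version, driven by the fragment layout of the ping -l 65527 packet. The buffer sizes follow the IP limits; a C stack overruns adjacent memory, whereas here the bytearray silently grows, which makes the overrun measurable. The ICMP header bytes are constructed, not captured.

```python
MAX_DATAGRAM = 65535                    # largest value the 16-bit IP total-length field can hold
IP_HEADER = 20
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER  # 65515: the most data a legal datagram can carry
ICMP_HEADER = 8

class ReassemblyOverflow(Exception):
    pass

def fragment(payload, mtu=1500):
    """Split an IP payload into (offset, data) fragments as a 1500-byte link would; offsets are
    in 8-byte units and every fragment but the last is a multiple of 8 bytes long."""
    chunk = (mtu - IP_HEADER) // 8 * 8      # 1480
    return [(i // 8, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]

def reassemble_unchecked(fragments):
    """Pre-fix behaviour: each fragment is copied to offset*8 in a MAX_PAYLOAD-sized buffer
    with no check that it fits.  In C the copy runs past the end of the buffer; here the
    bytearray grows instead, so the overrun shows up as a result longer than MAX_PAYLOAD."""
    buf = bytearray(MAX_PAYLOAD)
    for offset, data in fragments:
        start = offset * 8
        buf[start:start + len(data)] = data
    return buf

def reassemble_checked(fragments):
    """Fixed behaviour: reject any fragment whose end would lie past MAX_PAYLOAD."""
    buf = bytearray(MAX_PAYLOAD)
    for offset, data in fragments:
        start = offset * 8
        if start + len(data) > MAX_PAYLOAD:
            raise ReassemblyOverflow(f"fragment at offset {start} ends at {start + len(data)}")
        buf[start:start + len(data)] = data
    return buf

def icmp_echo(data_len):
    """Constructed ICMP echo request: 8-byte header (type 8, code 0, rest zeroed) plus data."""
    return bytes([8, 0]) + bytes(6) + b"A" * data_len

def demo(data_len):
    """Reassemble an echo request carrying data_len bytes with both implementations;
    returns (length the unchecked buffer grew to, whether the checked version rejected it)."""
    frags = fragment(icmp_echo(data_len))
    grown_to = len(reassemble_unchecked(frags))
    try:
        reassemble_checked(frags)
        rejected = False
    except ReassemblyOverflow:
        rejected = True
    return grown_to, rejected
```

With 65,527 data bytes the ICMP message is exactly 65,535 bytes, so the last of the 45 fragments ends 20 bytes past the largest legal payload; a normal 56-byte ping fits with room to spare and passes both versions.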

SYN flood Attack

• In TCP/IP, a three-way handshake takes place when a service is connected to. First a SYN packet comes from the client, to which the service responds with a SYN-ACK. Finally the client acknowledges the SYN-ACK and the conversation is considered started.

• A SYN flood attack is when the client never responds to the SYN-ACK, tying up the half-open connection until the service times it out, and keeps sending SYN packets. The source address of the client is forged to a non-existent host (so no reset comes back and the entries stay half-open), and as long as the SYN packets arrive faster than the TCP stack's timeout releases them, the resources of the service (its listen backlog) will be tied up.

Telnet

• Telnetting to port 53, 135, or 1031, typing in about 10 or so characters and hitting Enter will cause problems. If DNS (port 53) is running, DNS will stop. If 135 answers, CPU utilization will increase to 100%, slowing performance. And if port 1031 is hit, IIS will get knocked down. Typically the fix is to reboot the server, as it will be hung or so slow as to be useless.

• Telnetting to port 80 and typing "GET ../.." will also crash IIS.

Registry

Hive                          File       Backup file
----------------------------  ---------  ------------
HKEY_LOCAL_MACHINE\SOFTWARE   SOFTWARE   SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SECURITY   SECURITY   SECURITY.LOG
HKEY_LOCAL_MACHINE\SYSTEM     SYSTEM     SYSTEM.LOG
HKEY_LOCAL_MACHINE\SAM        SAM        SAM.LOG
HKEY_CURRENT_USER             USERxxx    USERxxx.LOG
                              ADMINxxx   ADMINxxx.LOG
HKEY_USERS\.DEFAULT           DEFAULT    DEFAULT.LOG

Ciphers

• Used to assure data privacy

• Scrambling of cleartext data into ciphertext
  – e.g. each letter of the alphabet replaced by the letter three places on

• Ciphers use a key to "seed" the process
  – Original input may be recovered if the key is known

• How do ciphers function?

Ciphers

• Cleartext = ABCDEFGHIJKLM…

• Key = 011011010010…

• Ciphertext = @#$%!a<ms{`?%…

• What are some common types of ciphers?

[Diagram: Input → Cipher → Output, with the Key feeding the cipher.]

Ciphers

• Data Encryption Standard - DES
  – Designed by IBM (with NSA involvement) and adopted as a US federal standard in 1977
  – Widely used in banking

• RC4
  – Originally designed by RSA (Ron Rivest, RSA Data Security, 1987)
  – Mostly used on the Internet

• Others available: IDEA, SAFER, etc.

• What makes these ciphers secure?

Ciphers

• Mathematically secure functions
  – Input data cannot be recovered without the key

• Key must be a large number of bits
  – Makes it impractical to try every possible key

• DES key is 56 bits - about 72,000 trillion (2^56) keys
  – $64,000 computer - one year to try every key (a 1990s estimate; in 1998 the EFF's purpose-built "Deep Crack" machine, costing about $250,000, recovered a DES key by exhaustive search in 56 hours, which is why DES is no longer considered adequate)

• How do we securely distribute the secret key?

Diffie-Hellman Public Key

• Invented at Stanford (Diffie and Hellman, 1976) - first published public-key system
  – Used to derive secret keys
  – Avoids other, nonsecure distribution schemes

• Based on two mathematically related keys
  – Regenerated each time a session is initialized
  – One kept private, the other public (transmitted)
  – The private key cannot be derived from the public key

• Are there other public-key systems?

Public Key - RSA

• Discovered at MIT (Rivest, Shamir and Adleman, 1977), in response to the Diffie-Hellman paper
  – Used to transmit secret keys

• Based on two mathematically related keys
  – One kept private, the other public (posted)
  – Data is encrypted with the destination party's public key; he decrypts with his private key

• RSA security hole
  – The sender chooses the session key, so he can send the same session key to an eavesdropper (a property of key transport, where one party picks the key, rather than of the RSA arithmetic)

• How does RSA work?

Public Key - RSA

1. A generates a session key that it would like to use to communicate securely with B.

2. A obtains B's public key.

3. A encrypts the session key with B's public key.

4. A transmits the encrypted session key to B.

5. B decrypts the received session key using his private key.

6. A and B can now communicate securely using the same session key.

[Diagram, repeated for each step: A on the left holding the session key, B on the right holding B's private key; B's public key travels to A, then the encrypted session key travels to B, and at the end both hold the session key.]

A can send the same session key to someone else, who can then decipher data between A and B:

• A sends the same session key to C by using C's public key.

• C can now read the data transmitted between A and B that B thought was secure.

How does Diffie-Hellman work?

Ciphers And Public Keys

• Ciphers provide data privacy
  – Nobody else can read the data you transmit

• High-speed ciphers, such as DES, use the same key for encryption and decryption

• Diffie-Hellman public key gets the secret session key to both parties

• What provides authenticity and data integrity?

Digital Signatures

• More features than paper signatures
  1. Identifies sender
  2. Provides data integrity

• Data has not been modified in transit

• Requires use of a hash

• What is a hash?

Digital Signatures - Hash

• One-way function, cannot recover input

• Provides a fixed-length output for any length input, and a different output for a different input

• Secure Hash Algorithm (SHA-1) - 160-bit length (practical SHA-1 collisions have since been demonstrated, in 2017, so new signatures use SHA-2 or SHA-3)

• How is a hash used in a digital signature?

[Diagram: Data → Hash function → Message digest.]

Digital Signatures

• Sender creates hash, "signs" the hash (encrypts it with the sender's private key), and transmits data and "signed" hash.

• Receiver decrypts the "signed" hash with the sender's public key, generates a new hash of the received data, and compares both hashes: equal means Validated, different means Abort.

[Diagram, built up over several slides: Data → Hash function → Encrypt with sender's private key → "Signed" hash, sent with the Data; on the receiving side "Signed" hash → Decrypt with sender's public key, compared (=) with Hash function(Data) → Validated or Abort.]

Digital Signatures

• Certifies data has not been modified since "signed"

• A digital signature alone does not allow the receiver to prove authenticity of the sender

• Anyone could masquerade as A by proposing a public key for A and signing with the associated private key

• How can B trust that A is A?

Digital Certificate

• Certification of authenticity

• Analogies: driver's license, passport, company ID

• Digital certificate provides authentication through a digital signature of a third party

• How does a digital certificate work?

Digital Certificate

• Includes personal info, public key, and hash

• Hash is signed by certification authority's private key

• How do I get a certificate and what is the benefit?

[Sample certificate, as drawn on the slides: "John Smith", "XYZ Company", John's public key, and a hash of the above signed by a respected authority (the CA).]

Digital Certificate

• John brings his personal info and public key to a respected authority

• Certification authority creates hash of John's info and public key and then signs with CA's private key

• So what is the benefit?

Digital Certificate

• John can present his certificate as proof that he appeared in front of a CA and said "this is my public key"

• John's certificate can be validated subject to the credibility of the CA

• John is now authenticated
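The whole chain of the last slides in working code: the RSA session-key transport (steps 1 to 6 and the hole where A also hands the key to C), the sign/verify flow with the Validated/Abort comparison, the masquerade problem, the CA-signed certificate that resolves it, and the Diffie-Hellman agreement the deck asks about but never shows. This is an added example, not the deck's material. It is textbook RSA with no padding and toy key sizes, a safe prime generated at run time for DH, and SHA-1 because that is the 160-bit hash on the slide; all of these are assumptions made for readability and none is suitable as-is for production. The subject string comes from the slide; the signed message is constructed.

```python
import hashlib
import random
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demonstration, not a production library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if is_probable_prime(cand):
            return cand

def dh_group(bits=128):
    """Diffie-Hellman parameters: safe prime p = 2q + 1 and generator 2 (toy size, an assumption)."""
    while True:
        q = random_prime(bits - 1)
        if is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2

def dh_agree():
    """Both sides derive the same secret; only the public values A and B cross the wire."""
    p, g = dh_group()
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1   # fresh private values per session
    A, B = pow(g, a, p), pow(g, b, p)                                  # the transmitted public values
    return pow(B, a, p), pow(A, b, p)                                  # each side computes g^(ab) mod p

def rsa_keygen(bits=512):
    """Textbook RSA key pair (no padding, toy size: both assumptions made for readability)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)   # (public, private); pow(e, -1, m) needs Python 3.8+

def rsa_apply(key, m):
    return pow(m, key[0], key[1])                 # encrypt with a public key, decrypt/sign with a private one

def sha1_int(data):
    """The 160-bit message digest from the slides, as an integer for the RSA operation."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(priv, data):
    return rsa_apply(priv, sha1_int(data))          # "encrypt" the digest with the private key

def verify(pub, data, sig):
    return rsa_apply(pub, sig) == sha1_int(data)    # "decrypt" with the public key, compare digests

def rsa_session_key_transport():
    """Steps 1-6 from the slides, then the hole: A wraps the same key for C as well."""
    b_pub, b_priv = rsa_keygen()
    c_pub, c_priv = rsa_keygen()
    session_key = secrets.randbits(56)               # step 1 (56 bits, a DES-sized key, an assumption)
    for_b = rsa_apply(b_pub, session_key)            # steps 2-4: encrypt under B's public key and send
    for_c = rsa_apply(c_pub, session_key)            # A also sends the same key to C under C's public key
    return session_key, rsa_apply(b_priv, for_b), rsa_apply(c_priv, for_c)   # step 5 at B, and at C

def cert_tbs(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()   # the "personal info + public key" that gets hashed

def issue_certificate(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, cert_tbs(subject, pub))}

def verify_certificate(ca_pub, cert):
    return verify(ca_pub, cert_tbs(cert["subject"], cert["pub"]), cert["sig"])

def signed_message_scenario():
    """John signs a message; B checks the CA's signature on John's certificate, then John's signature."""
    ca_pub, ca_priv = rsa_keygen()
    john_pub, john_priv = rsa_keygen()
    john_cert = issue_certificate(ca_priv, "John Smith, XYZ Company", john_pub)
    data = b"Transfer 100 to account 42"              # constructed message
    sig = sign(john_priv, data)
    genuine = verify_certificate(ca_pub, john_cert) and verify(john_cert["pub"], data, sig)
    tampered = verify(john_cert["pub"], data + b"0", sig)          # modified data: digests differ, abort
    imp_pub, imp_priv = rsa_keygen()                                 # masquerade: impostor's own key "for John"
    fake_cert = issue_certificate(imp_priv, "John Smith, XYZ Company", imp_pub)
    return genuine, tampered, verify_certificate(ca_pub, fake_cert)
```

Two things the slides leave implicit are visible here: the certificate does not stop A from leaking a session key on purpose (C still recovers it in rsa_session_key_transport), and B's trust in John rests entirely on B already holding the genuine ca_pub; the impostor's self-issued certificate fails only because it was not signed with the CA's private key.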

Use Of Digital Certificates

• Secure e-mail
  – Privacy and integrity of message
  – Authentication of sender

• Corporate security officer issues address books with attached certificates
  – Recipient receives only private messages after integrity is verified and sender is authenticated

• Users can generate certificates and attach them to messages for noncompany e-mail