EE579T/8 #1 Spring 2001 © 2000, 2001, Richard A. Stanley WPI EE579T Network Security 8: More About...


Spring 2001 © 2000, 2001, Richard A. Stanley

WPI EE579T/8 #1

EE579T Network Security

8: More About Network-Based Attacks

Prof. Richard A. Stanley

WPI EE579T/8 #2

Thought for the Day

“Denial of service attacks are the last resort of a desperate mind; unfortunately, they are a reality.”

Stuart McClure, Joel Scambray, George Kurtz

WPI EE579T/8 #3

Overview of Tonight’s Class

• Review last week’s lesson

• Look at network security in the news

• Course project scheduling

• Network attacks--continued

WPI EE579T/8 #4

Last Week...

• TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited

• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources

• Never forget, the best access is hands-on

WPI EE579T/8 #5

Network Security Last Week - 1

• SubSeven updated to Version 2.2, adds

– support for proxy programs

– ability to listen to a random port

– GUI-based packet sniffer

– ability to relay information about compromised machines to Web sites via CGI

– list of infected machines can then be passed around to hackers

WPI EE579T/8 #6

Network Security Last Week - 2

• GAO faults IRS online tax filing security

– Hackers can access taxpayer data, including tax returns

– Authentication/signature requirements not upheld, but $2.1B refunds paid anyway!

• Successful hacks to government sites have increased markedly; only half are reported

– Problem attributed to OSs that are vulnerable when delivered

WPI EE579T/8 #7

Network Security Last Week - 3

• W32.Kris, the “Christmas virus,” has resurfaced bigger and badder

– Modified, renamed to W32.Magistr.24876

– Payload capable of overwriting a hard drive and destroying a computer's BIOS chip

– Virus (actually a worm) infects a random Word file on the user's hard drive, then attaches that file and 5 other files to an e-mail which it sends to everyone in the address book

WPI EE579T/8 #8

Network Security Last Week - 4

• IT leaders form Online Privacy Alliance to combat privacy legislation. Approach:

– identify expensive regulatory burdens

– question how any U.S. Internet law would apply to non-Internet industries

– assure lawmakers that privacy is best guarded by new technology, not new laws

– assert that online privacy would cost consumers billions annually

WPI EE579T/8 #9

Network Security Last Week - 5

• Largest Internet criminal attack to date:

– Eastern European hackers spent a year systematically exploiting known Windows NT vulnerabilities to steal customer data

– More than 1 million credit card numbers taken

– More than 40 sites victimized

• FBI and USSS taking unprecedented step of releasing detailed forensic information from ongoing investigations because of the importance of the attacks

WPI EE579T/8 #10

Network Security Last Week - 6

• Updated worm-generating software issued

– Brazilian hacker Kalamar has refined his software used to write the Kournikova virus

– Software encrypts the worms so they are impossible to delete

– They can also carry an executable payload

• Hacker distances himself from responsibility for wrongdoing, claiming that "worms are for learning, not for spreading”

WPI EE579T/8 #11

Network Security Last Week - 7

• Bibliofind closes its books after hack

– No more online payments for Amazon spin-off, Bibliofind

– Hacker had been sitting on the site's servers since October, downloading customer information, including credit card numbers

– Servers were taken down 2 Mar; all customer information was purged

– Customers now have to arrange payment directly with the sellers

WPI EE579T/8 #12

Network Security Last Week - 8

• Naked Wife virus: destructive but contained

• Israeli hacktivists suspected in rerouting Hamas home page to a pornographic site

• Vierika VB worm – Outlook e-mail attachment

– Lowers Internet Explorer security settings

– Changes a user's start page to an Italian site that contains the main part of the worm

• Palm passwords accessible through back door via serial syncing cable

WPI EE579T/8 #13

Revised Class Schedule Due to Snow Day

• We can go in many directions from here

– What do you want to hear about most in the 3 remaining lectures?

• Schedule

– 3/22, 3/29, 4/5: Lecture classes

– 4/12: Exam + 2 project presentations

– 4/19: 6 project presentations

– 4/26: 6 project presentations + prof. evaluation

WPI EE579T/8 #14

Course Projects - 1

1. Port scanning technology

– Sullivan, Toomey

2. Extensible authentication protocol

– Mizar, Hirsh, Tummala

3. Honey Pot

– Kaps, Gaubatz

4. Wired/Wireless security comparison

– Azevedo, Nguyen, H. Tummala

WPI EE579T/8 #15

Course Projects - 2

5. SOHO network security

– Davis, Syversen, Kintigh

6. Sniffing switched networks

– Michaud, Lindsay, VanRandwyk

7. Broadband access security

– Sumeet, Nirmit, Harsh

8. Trojan Horse security

– Aparna, Subramanian

WPI EE579T/8 #16

Course Projects - 3

9. Java security

– Malloy

10. Router security

– Mansour,

11. DDoS Security

– Gorse, Pushee

12. Network Security Processors

– McLaren, Brown

WPI EE579T/8 #17

Course Projects - 4

13. Network cryptography

– Lee

14. ATM Security (can’t do 26 Apr)

– Fernandes, Kuppur, Venkatesh

WPI EE579T/8 #18

Network Based Attacks

Do You Do Windows?

WPI EE579T/8 #19

ARP Revisited

• Bad guy on same network segment

– Sends gratuitous ARP response

– Most implementations will cache the response, even though it was not requested

– This takes over the IP address associated with the MAC address

• Bad guy on another network segment

– Only has to deal with routing between segments
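A defender on the same segment can see both symptoms the slide describes: a reply that nobody asked for, and an IP address whose MAC binding suddenly changes. The monitor below is an added example, not part of the lecture; its packet records, addresses and API are constructed for the demonstration.

```python
"""Added example (not from the lecture): a monitor that watches ARP traffic on a
segment and flags the two things the slide describes, an unsolicited ("gratuitous")
reply and an IP whose MAC binding changes. The packet records, addresses and
the monitor API are constructed for this demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    # ip -> mac first learned for it; a later, different mac is suspicious
    bindings: Dict[str, str] = field(default_factory=dict)
    # (asking host ip, ip asked about) for requests not yet answered
    pending: Set[Tuple[str, str]] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            self._learn(pkt.sender_ip, pkt.sender_mac)
            return
        # A reply is solicited only if the target asked about the sender first.
        key = (pkt.target_ip, pkt.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(
                f"unsolicited ARP reply: {pkt.sender_ip} is at {pkt.sender_mac}"
                f" (nobody asked)")
        self._learn(pkt.sender_ip, pkt.sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac        # first sighting, trust it
        elif known != mac:
            # Keep the original binding; a takeover looks exactly like this.
            self.alerts.append(
                f"binding change: {ip} was {known}, now claimed by {mac}")


def run_demo() -> List[str]:
    """Feed a constructed trace through the monitor and return its alerts."""
    trace = [
        ArpPacket("request", "10.0.0.5", "00:11:22:33:44:05", "10.0.0.1"),
        ArpPacket("reply", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),  # answer to the request
        ArpPacket("reply", "10.0.0.1", "de:ad:be:ef:00:66", "10.0.0.5"),  # nobody asked
    ]
    mon = ArpMonitor()
    for pkt in trace:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Some stacks legitimately announce themselves with a gratuitous reply when an interface comes up, so the unsolicited-reply alert alone is noisy; the binding-change alert against a previously learned address is the one that matches the takeover on the slide.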

WPI EE579T/8 #20

Hacking Windows 98

• Good news

– Very limited remote administration capability

– Impossible to execute commands remotely, except with third-party software or proxy

• BUT THESE EXIST!

• Bad news

– No real security design; “feel-good” features

WPI EE579T/8 #21

Windows 9x Remote Attacks

WPI EE579T/8 #22

Windows 98 Shares

• Printer shares fairly benign, save for free-riding (which costs money for time and supplies, so it isn’t a victimless attack)

• File shares another story

– Many scanners exist to uncover Win9x shares

– If root partition shared, Trojan Horses easy to plant that execute on next boot + other mischief

– PWL files can be downloaded for cracking

WPI EE579T/8 #23

Replay Authentication Hash

• Win9x with file sharing issues same challenge to remote computer in a given 15-minute period

• Username and challenge are hashed for authentication

– Username sent in clear

– Identically hashed authentication request could be sent in the 15-minute period to mount share

• So far, not widely exploited. But…?
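The weakness on this slide is in challenge handling, not in the hash itself: a response is only as fresh as the challenge it answers. The toy below is an added example, not from the lecture, and uses HMAC-SHA-256 as a stand-in for the Win9x share hash (an assumption; it does not reproduce the real algorithm). It models a server that reuses one challenge for the 15-minute window the slide states, beside one that issues a single-use challenge, and shows a recorded response being accepted by the first and rejected by the second.

```python
"""Added example (not from the lecture): why reusing one challenge for a fixed
window lets a recorded response be replayed, and how a one-time challenge closes
the hole. HMAC-SHA-256 stands in for the Win9x share-authentication hash; the
15-minute window is the one the slide states. Names, secrets and the clock are
constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Callable, Set, Tuple

SHARE_SECRET = b"constructed-share-password"   # constructed; shared by client and server


def compute_response(challenge: bytes, username: str, secret: bytes) -> bytes:
    """Client side: keyed hash over username || challenge (stand-in algorithm)."""
    return hmac.new(secret, username.encode() + challenge, hashlib.sha256).digest()


class ReusingServer:
    """Hands out the same challenge to every client for WINDOW seconds (Win9x behaviour)."""
    WINDOW = 15 * 60

    def __init__(self, secret: bytes, clock: Callable[[], float]) -> None:
        self.secret, self.clock = secret, clock
        self.challenge, self.issued_at = b"", float("-inf")

    def get_challenge(self) -> bytes:
        now = self.clock()
        if now - self.issued_at >= self.WINDOW:     # rotate only when the window expires
            self.challenge, self.issued_at = secrets.token_bytes(8), now
        return self.challenge

    def verify(self, username: str, response: bytes) -> bool:
        expected = compute_response(self.challenge, username, self.secret)
        return hmac.compare_digest(expected, response)


class NonceServer:
    """Fresh challenge per attempt; each one is valid for exactly one verification."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding: Set[bytes] = set()

    def get_challenge(self) -> bytes:
        c = secrets.token_bytes(8)
        self.outstanding.add(c)
        return c

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:        # unknown, expired or already used
            return False
        self.outstanding.discard(challenge)
        expected = compute_response(challenge, username, self.secret)
        return hmac.compare_digest(expected, response)


def record_and_replay(delay_seconds: int) -> bool:
    """A legitimate login at t=0 is recorded; the recording is presented again after the delay."""
    now = [0.0]
    srv = ReusingServer(SHARE_SECRET, lambda: now[0])
    c = srv.get_challenge()
    recorded: Tuple[str, bytes] = ("alice", compute_response(c, "alice", SHARE_SECRET))
    now[0] += delay_seconds
    srv.get_challenge()                           # rotates only if the window has expired
    return srv.verify(*recorded)                  # True inside the window, False after it


def replay_against_nonce_server() -> bool:
    srv = NonceServer(SHARE_SECRET)
    c = srv.get_challenge()
    recorded = ("alice", c, compute_response(c, "alice", SHARE_SECRET))
    assert srv.verify(*recorded)                  # the genuine login works once
    return srv.verify(*recorded)                  # the same bytes a second time do not
```

The fix costs nothing cryptographically: the hash is unchanged, the server simply stops accepting a challenge it has already accepted once. Note that the single-use set should also be aged out so that unanswered challenges do not accumulate.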

WPI EE579T/8 #24

Dial-Up Servers

• Can easily provide back door into LAN if dial-up used on a modem connection

• Modem allows password enumeration and guessing, just as on the broadband side

• Intruders can attack what they find

– Can’t go further because Win9x can’t route network traffic

• VPN now bundled with DUN, so...

WPI EE579T/8 #25

Remotely Hacking the Registry

• Win9x does not have built-in remote registry access

• Remote Registry Service is provided on the Win9x distribution CD, and provides this service

– found in \admin\nettools\remotreg

– Forces user-level security to be enabled

• Not the easiest hole to create or to exploit

WPI EE579T/8 #26

Back Doors - 1

• BackOrifice

– Creators bill it as a remote admin tool!

– Allows nearly complete remote control of Win9x systems, including Registry mods

– UDP-based (default port 31337)

– You want it?

• www.bo2k.com

– You want to find and kill it?

• www.ultraglobe.com/basement/backorifice/index.shtml

WPI EE579T/8 #27

Back Doors - 2

• Net Bus

– Remote control of Win9x and Win NT

– TCP based (port 12345 or 20034)

– Because of TCP basing, more likely to be caught by a firewall (most firewalls don’t worry about UDP)

– You want it?

• http://home.t-online.de/TschiTschi/netbus_pro.htm

WPI EE579T/8 #28

Back Door Catch-22

• Server software must execute on the target machine -- cannot launch from remote

• How to make this possible?

– Buffer overflow to push code into target

• “long attachment filename” bug in Outlook

– Hostile mobile code

– Trickery (e.g. Saran Wrap makes BO look like InstallShield)

WPI EE579T/8 #29

Built-in / Add-in Problems

• MS Personal Web Server

– If unpatched, reveals file contents to attackers who know file location and request via non-standard URL

• Commercial software

– PCAnywhere

– LapLink

– CarbonCopy

These are an attacker’s dreams come true!

WPI EE579T/8 #30

Win9x Console-Based Attacks

WPI EE579T/8 #31

Reboot

• Win9x has no logon security

• Windows password merely identifies the active user (try clicking “Cancel”)

• Any logon screen is cosmetic -- security doesn’t really mean much here

• If you prefer, reboot from your own floppy disk

WPI EE579T/8 #32

Defeat the Screen Saver Password

• CD-ROM Autorun runs under screen saver

– Polls for CD-ROM insertion

– If “yes”, runs programs at ‘open=’ in the Autorun.inf file, which can be anything

• Screen saver password

– Stored in registry

– Poor encryption, has been broken

– Easy break-in, somewhat stealthy

WPI EE579T/8 #33

Passwords in the Registry

• Many programs store their passwords in the Registry

– Lots are not even encrypted

– This is handy if you forget, but also a vulnerability

• Tools available to make password recovery from the Registry simple

WPI EE579T/8 #34

Crack Password Files at Leisure

• PWL file found in root partition

• Attacker can download files to a floppy and crack at his convenience

– copy C:\Windows\*.pwl a:

• Many tools exist to help this effort, e.g.

– PWL Tool, $75, one-time demo free

• www.webdon.com

WPI EE579T/8 #35

Windows NT Attacks

WPI EE579T/8 #36

NT Versus Unix

• NT perceived as insecure

– But not really more insecure than Unix

• Why?

– Running code in server processor space can be restricted

– Interactive console login restricted to a few admin accounts

– Source code access poor, so few buffer issues

• Issues

– Backwards compatibility

– Ease of use

WPI EE579T/8 #37

Goal: Become Administrator

• Guessing passwords

• Remote exploits

• Privilege escalation

WPI EE579T/8 #38

Guessing Passwords Over the Network

• Manual guessing

– Requires knowledge of user names

• Automated guessing

– Requires knowledge of user names

• Eavesdropping

– Requires network segment access

WPI EE579T/8 #39

Manual Password Guessing - 1

• Users tend towards the easiest password: none

• Failing that, passwords are chosen to be easy to remember

• Much software runs under NT user accounts, the names of which become public knowledge after a time, and are usually easily remembered

WPI EE579T/8 #40

Manual Password Guessing - 2

• Start with user list

– DumpACL

– sid2user

• Open Network Neighborhood or use Find Computer and IP address

• Start making educated guesses to log into a valid user account

• Works, but time-consuming

WPI EE579T/8 #41

Automated Password Guessing

• Tools automate the process

– Legion

– NetBIOS Auditing Tool

• Command line use, enables scripting

• Null passwords? Use NTInfo Scan

• CyberCop Scanner is a commercial tool to do this

WPI EE579T/8 #42

Eavesdropping

• Requires access to the network segment

• L0phtcrack

– NT password-guessing tool

– Usually works offline against the PW file

– Getting the PW file not a trivial exercise

– L0phtcrack now includes SMB Packet Capture

• Listens to network segment

• Captures login sessions, strips encrypted data

• Reverse engineers NT password encryption

• Anyone who can eavesdrop can become Administrator within a very short time!

WPI EE579T/8 #43

Switched Architecture?

• Social engineering from L0phtcrack:

– Include following URL in email to target: ////yourcomputer/sharename/message.html

– Effect is to send PW hashes to you for verification

• L0pht also has sniffer to dump PW hashes from PPTP, a variant of which provides VPN service under NT

WPI EE579T/8 #44

Countermeasures

• Block NetBIOS-specific ports

– Disable TCP & UDP ports 135-139 at the perimeter firewall

– Disable TCP/IP binding for any adapter connected to public networks

• Enforce password policies

– Use the User Manager

– Build good passwords (Passfilt DLL)

– Use the Passprop tool
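To make the "build good passwords" item concrete: the Passfilt DLL named on the slide rejects a new password unless it is at least six characters long, draws on at least three of the four character classes (upper case, lower case, digits, non-alphanumeric) and contains neither the user name nor any part of the user's full name. The checker below is an added example, not the lecture's or Microsoft's code; it re-implements those published rules in Python so the policy can be read and tested. The handling of very short name fragments is my assumption.

```python
"""Added example (not from the lecture): a re-implementation of the strong-password
rules enforced by the Passfilt DLL mentioned on the slide (at least six characters,
three of four character classes, no piece of the user name or full name). Rules are
as Microsoft documents them; the code and the tiny-fragment cutoff are mine."""
import re
from typing import List

MIN_LENGTH = 6
MIN_CLASSES = 3


def _class_count(pw: str) -> int:
    """How many of the four character classes the password uses."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes)


def _name_parts(username: str, full_name: str) -> List[str]:
    # The user name and every whitespace/punctuation-separated piece of the full
    # name are forbidden substrings, compared case-insensitively.
    # Assumption: fragments under 3 characters are skipped to avoid matching
    # initials against almost any password.
    parts = [username] + re.split(r"[\s,.\-]+", full_name)
    return [p.lower() for p in parts if len(p) >= 3]


def check_password(pw: str, username: str, full_name: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _class_count(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    lowered = pw.lower()
    for part in _name_parts(username, full_name):
        if part in lowered:
            problems.append(f"contains name fragment '{part}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real accounts.
    for candidate, user, name in [
        ("password", "bob", "Bob Smith"),
        ("Smith2001!", "jsmith", "John Smith"),
        ("Tr0ub4dor&3", "bob", "Bob Smith"),
    ]:
        verdict = check_password(candidate, user, name) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

A filter like this only raises the floor; it does nothing against a password that is reused elsewhere or captured in transit, which is why the slide pairs it with the LANMAN and SMB-signing countermeasures that follow.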

WPI EE579T/8 #45

More Countermeasures

• Disable LANMAN authentication

– NT 4.0 SR 4 and later permits Registry setting to prohibit NT host from accepting LANMAN

– This denies ability to “pass the hash”

– BUT: earlier client authentications will fail, exposing the LM hash anyway

• Enable SMB signing

– Requires crypto verification of every SMB packet

– NT-only solution

– Performance degradation of 10-15%

WPI EE579T/8 #46

Prevention

• Switched networks are to be preferred

– Remember the L0pht social engineering idea

• Keep Windows 9x and Windows for Workgroups clients off the network

• Enable auditing and logging

– Analyze the logs routinely!

– Log full of Logon/Logoff failures probably indicates an automated attack
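"Analyze the logs routinely" is easier to do when the analysis is written down. The script below is an added example, not from the lecture: it scans a constructed security log for the pattern the slide calls out, a burst of logon failures from one workstation within a short window, and reports which accounts were tried. The log layout (timestamp, event, account, workstation) is constructed for the demo; on NT 4.0 the equivalent Security log record is event 529. The threshold and window are illustrative.

```python
"""Added example (not from the lecture): scan a security log for the pattern the
slide describes, a burst of logon failures that usually means an automated guessing
run rather than a user mistyping. The log lines below are constructed in a simple
"timestamp event account workstation" layout; on NT 4.0 the corresponding Security
log record is event 529. Threshold and window are illustrative choices."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5                  # failures from one workstation ...
WINDOW = timedelta(minutes=2)  # ... within this span => treat as automated

# Constructed sample: one user mistypes twice, 45 minutes apart; one
# workstation runs through several accounts in under a minute.
SAMPLE_LOG = """\
2001-03-15T22:00:05 LogonFailure jdoe WS-03
2001-03-15T22:00:41 LogonSuccess jdoe WS-03
2001-03-15T22:10:00 LogonFailure administrator WS-17
2001-03-15T22:10:07 LogonFailure administrator WS-17
2001-03-15T22:10:15 LogonFailure backup WS-17
2001-03-15T22:10:22 LogonFailure guest WS-17
2001-03-15T22:10:30 LogonFailure payroll WS-17
2001-03-15T22:10:38 LogonFailure payroll WS-17
2001-03-15T22:45:12 LogonFailure jdoe WS-03
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, event, account, station = line.split()
    return datetime.fromisoformat(ts), event, account, station


def detect_bursts(lines: List[str], threshold: int = THRESHOLD,
                  window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Return {workstation: sorted accounts tried} for each station that crossed the threshold."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event, account, station = parse_line(line)
        if event != "LogonFailure":
            continue
        q = recent[station]
        q.append((ts, account))
        while q and ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and station not in flagged:
            flagged[station] = sorted({acct for _, acct in q})
    return flagged


if __name__ == "__main__":
    for station, accounts in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{station}: {len(accounts)} accounts tried: {', '.join(accounts)}")
```

Keying on the workstation rather than the account is deliberate: a guessing tool that cycles through user names never trips a per-account lockout, but it does pile up failures from one source. The same loop can be keyed on the account to catch the opposite case, one account hammered from many stations.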

WPI EE579T/8 #47

What About Intrusion Detection?

• Many tools available

• A good tool can serve as a canary in a coal mine, but

– Intrusion detection is not a mature technology

– Detection tends to be based on comparison to known attacks

– Avoiding the novel is a problem

– False alarms can raise havoc with routine ops

WPI EE579T/8 #48

More Remote Attacks

• Remote buffer overflows

– Several published overflows in NT

– Likelihood of severe attacks using this approach growing

• Denial of service

– Known holes in NT patched -- install patches!

– Probably other holes to be found, especially in Windows 2000, which is a tabula rasa

– DoS can be used to force reboot, which then triggers execution of malicious code

WPI EE579T/8 #49

Privilege Escalation - 1

• Vacuuming up information

– From non-Admin account, need to identify info that will gain higher privilege

– Enumerate shares, search for password files, probe the Registry

WPI EE579T/8 #50

Privilege Escalation - 2

• getadmin

– Adds a user to local Administrators group

– Uses low-level kernel routine to set a flag allowing access to any running process

– Uses DLL injection to insert malicious code into a process that can add users

– Must be run locally on target system

WPI EE579T/8 #51

Privilege Escalation - 3

• sechole

– Similar functionality to getadmin

– secholed puts user in Domain Admins group

– Modifies OpenProcess API call to attach to a privileged process

– Must be run locally on target…

– UNLESS target running IIS, in which case it is possible to launch remotely

WPI EE579T/8 #52

Countermeasures

• Apply the patches

• Don’t allow write access to executable directories

• Block ports 135-139 (shuts down Windows file sharing)

• Audit execute privileges on web server filesystem

WPI EE579T/8 #53

Buffer Overflows

• Sending oversize ICMP packets

• Sending IIS 3.0 a 4048 byte URL request

• Sending email with 256-character file name attachments to Netscape/MS email clients

• SMB logon to NT with incorrect data size

• Sending Pine user an email with “from” address > 256 characters

• Connect to WinGate POP3 port with user name of 256 characters

WPI EE579T/8 #54

Summary

• Windows 9x has no built-in security. This is both a blessing and a curse

• Windows NT can be a reasonably secure operating system if used properly

• There are ways to exploit NT

• Allowing Win9x clients to log onto an NT domain increases security exposure

WPI EE579T/8 #55

Homework - 1

1. You are a user on a Windows NT network segment. You want access to the payroll files, which you can obtain either as a member of the Payroll group or the Administrator group. How would you approach breaking into the network to gain access to these files?

WPI EE579T/8 #56

Homework - 2

2. Your Windows 2000 network requires that several tens of Windows 98 clients be allowed to connect to it. What security problems do you foresee? How can you mitigate these problems?

WPI EE579T/8 #57

Assignment for Next Week

• Next week’s topic: Yet More Network-Based Attacks