
Page 1: EE579T/9 #1 Spring 2001 © 2000, 2001, Richard A. Stanley WPI EE579T Network Security 9: Yet More Network-Based Attacks Prof. Richard A. Stanley.

Spring 2001 © 2000, 2001, Richard A. Stanley

WPI EE579T/9 #1

EE579T Network Security

9: Yet More Network-Based Attacks

Prof. Richard A. Stanley

Page 2

Thought for the Day

“But in the evening he took his daughter Leah and brought her to Jacob…”

Genesis 29:23

Page 3

Overview of Tonight’s Class

• Review last week’s lesson

• Look at network security in the news

• Course project schedule in actual time

• Network attacks -- continued

Page 4

Last Week

• Windows 9x has no built-in security. This is both a blessing and a curse

• Windows NT can be a reasonably secure operating system if used properly

• There are ways to exploit NT -- these were begun last week and will be expanded this week

Page 5

Hacker of the Week

• Abraham Abdallah

– Brooklyn, NY bus boy

– Stole identity of 217 of Forbes 400 richest folk

– Used public library internet access

– Wide use of other technical means

– Impersonated, possibly stole funds -- $10M?

– 18 USC § 1028

Page 6

Network Security Last Week - 1

• Insider monitoring seen as next wave in IT security

– Fallout from the Hanssen case

– Final recognition of where the threat is?

– Your thoughts?

• Pentagon interest may give biometrics needed boost

– Testing 600 products on market for DoD use

Page 7

Network Security Last Week - 2

• Totality offers e-business insurance

– Covers against hacker attacks, damage to intellectual property and extortion

– What does this imply?

• Brinks breaks into Net security market

– Partnered with Hyperon Inc.

– Intrusion-detection and response services for companies that can't afford a full-time IT security staff

Page 8

Network Security Last Week - 3

• FBI's NIPC warns of IDS vulnerability (3/16)

Internet Security Systems (ISS) has issued an alert regarding a software tool called Stick that can be used maliciously to exploit a vulnerability in Windows NT and 2000 versions of RealSecure Network Sensor 5.0, an intrusion-detection system (IDS). According to the FBI's National Infrastructure Protection Center, Stick can disable a network's IDS by flooding it with Internet traffic from several random IP addresses simultaneously. No such attacks have been reported, however, ISS said.

Page 9

Network Security Last Week - 4

• 'Stick' causes an antihacking 'panic’ (3/19)

– Stick allegedly an IDS buster

– Experts say the technology is not new; Stick may be flawed

– Stick’s author says it was designed to test IDS’s and was given to the NSA for evaluation

– NSA & NIPC determined Stick was a threat and issued a government-wide warning

What a difference a weekend makes!

Page 10

Network Security Last Week - 5

• Privacy concerns rise

– Software tools help protect online privacy as threats mount

– New Web page shows who's tracking you

– HIPAA delayed in implementation

• Virus attacks look set to pick up pace

– Security experts warn that complexity (sic) of recent virus attacks indicate that another big wave of attacks may not be too far off.

– One expert points to peer-to-peer technology because of the massive amounts of file sharing

Page 11

Network Security Last Week - 6

• Everything old is new again: "TCP weakness may be worse than suspected”

– Guardent researcher released findings on TCP vulnerability; and came under fire from critics claiming his findings were old news

– Initial TCP session sequence numbers are predictable

– Response: adding a random sequence to the beginning of the Initial Sequence Numbers

– Scientist says sequence can still be guessed by a skilled attacker

Page 12

Network Security Last Week - 7

• Why do you suppose we do this review every week?

– Keep abreast of current events?

– Develop a seasoned eye for security problems in the real world?

– Merge the theoretical and the practical?

– Become a cynic?

YES! Learn to view with a critical eye.

Page 13

Updated Class Schedule

– 3/22: More network-based attacks

– 3/29: Law, ethics, and privacy concerns

– 4/5: Intrusion detection technology

– 4/12: Exam + 2 project presentations

– 4/19: 6 project presentations

– 4/26: Final 6 project presentations + professor evaluation

Page 14

Course Project Schedules - 1

Date      Time       Team
April 12  7:50-8:15  14
April 12  8:15-8:50  11
April 19  6:00-6:25  13
April 19  6:25-6:50  7
April 19  6:50-7:15  3
April 19  7:25-7:50  12
April 19  7:50-8:15  6

Page 15

Course Project Schedules - 2

Date      Time       Team
April 19  8:15-8:50  2
April 26  6:00-6:25  5
April 26  6:25-6:50  9
April 26  6:50-7:15  10
April 26  7:25-7:50  1
April 26  7:50-8:15  8
April 26  8:15-8:50  4

Page 16

Course Projects - 1

1. Port scanning technology – Sullivan, Toomey

2. Extensible authentication protocol – Mizar, Hirsh, Tummala

3. Honey Pot – Kaps, Gaubatz

4. Wired/Wireless security comparison – Azevedo, Nguyen, H. Tummala

Page 17

Course Projects - 2

5. SOHO network security – Davis, Syversen, Kintigh

6. Sniffing switched networks – Michaud, Lindsay, VanRandwyk

7. Broadband access security – Sumeet, Nirmit, Harsh

8. Trojan Horse security – Aparna, Subramanian

Page 18

Course Projects - 3

9. Java security – Malloy

10. Router security – Mansour,

11. DDoS Security – Gorse, Pushee

12. Network Security Processors – McLaren, Brown

Page 19

Course Projects - 4

13. Network cryptography – Lee

14. ATM Security (can’t do 26 Apr) – Fernandes, Kuppur, Venkatesh

Page 20

UDP Revisited

• UDP is used to provide low-overhead, non-guaranteed, connectionless datagram delivery

• UDP packets contain source and destination info, may contain a checksum

• Some services (e.g. NTP, DNS) depend on UDP, and cannot be shut off

• Filtering UDP packets not straightforward, and often ignored

Page 21

More Network Based Attacks

Do You Do Windows NT?

Page 22

Remember The Goal: Become Administrator

• Becoming Admin:

– Guessing passwords

– Remote exploits

– Privilege escalation

• Build on your new power

– Crack the SAM

– Exploit trust

– Remote control

• Cover your tracks

Page 23

Guessing Passwords Over the Network

• Manual guessing

– Requires knowledge of user names

• Automated guessing

– Requires knowledge of user names

• Eavesdropping

– Requires network segment access

Page 24

Automated Password Guessing

• Tools automate the manual process

– Legion

– NetBIOS Auditing Tool

• Command line use, enables scripting

• Null passwords? Use NTInfo Scan

• CyberCop Scanner is a commercial tool to do this

Page 25

Eavesdropping

• Requires access to the network segment

• L0phtcrack

– NT password-guessing tool

– Usually works offline against the PW file

– Getting the PW file not a trivial exercise

– L0phtcrack now includes SMB Packet Capture

• Listens to network segment

• Captures login sessions, strips encrypted data

• Reverse engineers NT password encryption

• Anyone who can eavesdrop can become Administrator within a very short time!

Page 26

Switched Architecture = Fix?

• Social engineering from L0phtcrack:

– Include following URL (as a file) in email to target: ////yourcomputer/sharename/message.html

– Effect is to send PW hashes to you for verification

• L0pht also has sniffer to dump PW hashes from PPTP, a variant of which provides VPN service under NT

• BUT…switched network still less vulnerable than non-switched, all else equal

Page 27

Countermeasures

• Block NetBIOS-specific ports

– Disable TCP & UDP ports 135-139 at the perimeter firewall (but what does this also do?)

– Disable TCP/IP binding for any adapter connected to public networks (but…?)

• Enforce password policies

– Use the User Manager

– Build good passwords (Passfilt DLL)

– Use the Passprop tool

Page 28

More Countermeasures

• Disable LANMAN authentication

– NT 4.0 SR 4 and later permits Registry setting to prohibit NT host from accepting LANMAN

– This denies ability to “pass the hash”

– BUT: earlier client authentications will fail, exposing the LM hash anyway

• Enable SMB signing

– Requires crypto verification of every SMB packet

– NT-only solution

– Performance degradation of 10-15%

Page 29

Prevention

• Switched networks are to be preferred

– Remember the L0pht social engineering idea

• Keep Windows 9x and Windows for Workgroups clients off the network

• Enable auditing and logging

– Analyze the logs routinely!

– Log full of Logon/Logoff failures probably indicates an automated attack
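An added example (not from the slides) of the routine log analysis the slide calls for: it parses constructed, simplified NT Security-log lines and flags a workstation that produces many logon failures (NT event 529) inside a short window, counting how many different user names were tried. The log line format, workstation names, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified NT Security-log style (not real log output).
# Event 528 is NT's successful logon, 529 a logon failure (bad user name or password).
SAMPLE_LOG = """\
03/22/2001 21:04:01 Success Audit 528 Logon/Logoff User: alice Workstation: WKS-03
03/22/2001 21:04:05 Failure Audit 529 Logon/Logoff User: administrator Workstation: WKS-07
03/22/2001 21:04:06 Failure Audit 529 Logon/Logoff User: administrator Workstation: WKS-07
03/22/2001 21:04:07 Failure Audit 529 Logon/Logoff User: admin Workstation: WKS-07
03/22/2001 21:04:09 Failure Audit 529 Logon/Logoff User: backup Workstation: WKS-07
03/22/2001 21:04:10 Failure Audit 529 Logon/Logoff User: guest Workstation: WKS-07
03/22/2001 21:04:12 Failure Audit 529 Logon/Logoff User: alice Workstation: WKS-07
03/22/2001 21:04:13 Failure Audit 529 Logon/Logoff User: bob Workstation: WKS-07
03/22/2001 21:04:15 Failure Audit 529 Logon/Logoff User: bob Workstation: WKS-07
03/22/2001 21:05:30 Failure Audit 529 Logon/Logoff User: carol Workstation: WKS-03
03/22/2001 21:05:35 Success Audit 528 Logon/Logoff User: carol Workstation: WKS-03
03/22/2001 21:09:02 Failure Audit 529 Logon/Logoff User: carol Workstation: WKS-03
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<outcome>Success|Failure) Audit "
    r"(?P<event>\d+) Logon/Logoff User: (?P<user>\S+) Workstation: (?P<ws>\S+)$"
)
LOGON_FAILURE = 529

def parse_events(text):
    """Turn log lines into dicts; lines that do not match the assumed shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "outcome": m["outcome"],
            "event": int(m["event"]),
            "user": m["user"],
            "workstation": m["ws"],
        })
    return events

def detect_guessing(events, threshold=8, window_seconds=60):
    """Flag a workstation once it produces `threshold` logon failures inside a sliding
    window. The number of distinct user names tried separates a forgotten password
    (one account, a few tries) from a tool sweeping many accounts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # workstation -> deque of (timestamp, user)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != LOGON_FAILURE:
            continue
        q = recent[ev["workstation"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["workstation"] not in alerted:
            alerted.add(ev["workstation"])          # one alert per workstation
            alerts.append({
                "workstation": ev["workstation"],
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts

if __name__ == "__main__":
    for a in detect_guessing(parse_events(SAMPLE_LOG)):
        print(f"{a['workstation']}: {a['failures']} failures against {a['distinct_users']} "
              f"accounts between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```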

Page 30

More Remote Attacks

• Remote buffer overflows

– Several published overflows in NT

– Likelihood of severe attacks using this approach growing

• Denial of service

– Known holes in NT patched -- install patches!

– Probably other holes to be found, especially in Windows 2000, which is a tabula rasa

– DoS can be used to force reboot, which then triggers execution of malicious code

Page 31

Privilege Escalation - 1

• Vacuuming up information

– From non-Admin account, need to identify info that will gain higher privilege

– Enumerate shares, search for password files, probe the Registry

Page 32

Privilege Escalation - 2

• getadmin

– Adds a user to local Administrators group

– Uses low-level kernel routine to set a flag allowing access to any running process

– Uses DLL injection to insert malicious code to a process that can add users

– Must be run locally on target system

Page 33

Privilege Escalation - 3

• sechole

– Similar functionality to getadmin

– secholed puts user in Domain Admins group

– Modifies OpenProcess API call to attach to a privileged process

– Must be run locally on target…

– UNLESS target running IIS, in which case it is possible to launch remotely

Page 34

Privilege Escalation - 4

• Trojan applications

– Exploit the path

– Executable registry values, e.g. those in:

• Run, RunOnce, RunOnceEx: any value can launch code

• AeDebug: the Debugger value can launch code

• Winlogon: the Userinit value can launch code

Page 35

Countermeasures

• Apply the patches

• Don’t allow write access to executable directories

• Block ports 135-139 (but this shuts down Windows file sharing)

• Audit execute privileges on web server filesystem

Page 36

Privilege Escalation

On balance, this is not trivially easy

Page 37

SAM’s the Man -- And the Target!

• SAM = Security Accounts Manager

• NT equivalent to Unix /etc/passwd

• Once you have Admin privileges, this is where the user names and PWs are found

– Backwards compatibility hinders crypto

– LanManager crypto has been broken

– Relatively easy to crack PWs with tools (L0phtcrack can crack all alphanumeric PWs in <24 hrs with a Pentium II @ 450 MHz)

Page 38

Getting the SAM

• Boot to another OS and copy the file

• Get the backup SAM from the repair directory

• Extract PW hashes from the SAM (e.g. with pwdump or pwdump2)

– Newer version bypasses SYSKEY

• Network eavesdropping

Page 39

NT Passwords: A Word

• Two versions of PW stored in SAM

– NT version (NT hash)

– LanMan version (LM hash): FLAWED!

• LanMan Problem

– PW split into two 7-byte halves, blank-padded to make 14 characters long

– Each half encrypted separately, then concatenated to make the LM hash

Page 40

NT Password Problems

• LM hash exposes serious crypto problem:

– No password is stronger than 7 characters

– Tools exist to crack these passwords

• L0phtcrack

• Excellent guesses of entire PW can be made by cracking the weaker half first

• So?

– Choose NT passwords of length = 7 or 14
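An added example (not the lecture's code) illustrating the 7/14 split described on the two slides above and why the slide recommends lengths of 7 or 14: it prepares a password as LanMan does, reports which half is the weak one, and compares the cost of exhausting the two independent 7-byte halves with one search over the whole password. The 36- and 62-symbol alphabets are assumptions, and DES itself is not implemented here.

```python
import string

LM_HALF = 7     # each DES key half covers at most 7 password bytes
LM_MAX = 14     # LanMan hashes only the first 14 characters
# DES-encrypting the LanMan constant under a key of 7 NUL bytes yields this well-known half
# hash; an LM hash whose second half equals it reveals a password of 7 characters or fewer.
EMPTY_HALF_HASH = "AAD3B435B51404EE"
# Assumption: alphanumeric passwords. LM upper-cases, so case adds nothing to its 36 symbols;
# the NT hash keeps case, so the same characters give it 62.
LM_ALPHABET = len(string.ascii_uppercase + string.digits)
NT_ALPHABET = len(string.ascii_letters + string.digits)

def lm_halves(password):
    """Prepare a password as LanMan does before hashing: upper-case, truncate to 14 bytes,
    pad with NUL bytes (the slide calls this blank-padding), split into two 7-byte halves."""
    p = password.upper()[:LM_MAX].ljust(LM_MAX, "\0")
    return p[:LM_HALF], p[LM_HALF:]

def lm_search_cost(length, alphabet=LM_ALPHABET):
    """Trials to exhaust an LM hash: the halves are independent DES keys attacked
    separately, so their costs add instead of multiplying."""
    n = min(length, LM_MAX)
    first = alphabet ** min(n, LM_HALF)
    second = alphabet ** max(n - LM_HALF, 0)     # 1 when the half is all padding
    return first + second

def analyze(password):
    """Report which LM half is the weak one and how far LM shrinks the search."""
    first, second = lm_halves(password)
    n = len(password)
    if n <= LM_HALF:
        weakness = "second half is pure padding; its hash is the constant " + EMPTY_HALF_HASH
    elif n < LM_MAX:
        weakness = (f"second half holds only {n - LM_HALF} character(s); cracking it first "
                    "reveals the tail of the password")
    else:
        weakness = "both halves are fully used, but each is still a separate 7-character search"
    return {
        "halves": (first, second),
        "lm_cost": lm_search_cost(n),
        # one case-sensitive search over all (up to 14) characters at once
        "whole_password_cost": NT_ALPHABET ** min(n, LM_MAX),
        "weakness": weakness,
        "slide_length_advice_met": n in (LM_HALF, LM_MAX),
    }

if __name__ == "__main__":
    for pw in ("Secret1", "Secret12", "CorrectHorse14"):
        r = analyze(pw)
        print(f"{pw!r}: LM search {r['lm_cost']:.2e} vs whole-password "
              f"{r['whole_password_cost']:.2e}; {r['weakness']}")
```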

Page 41

NT Password Crackers

• L0phtcrack

– GUI, fast

• John the Ripper

– Command-line tool, dictionary-based

– Unix, but cracks LanMan hashes

• Crack 5 with NT extensions

– Many permutations used to crack

– Not easy to use, but powerful

Page 42

Anti-Cracking Countermeasures

• Choose good NT passwords

– Above discussion on length pertains

– Include non-printable ASCII characters for key accounts (like Admin)

• ALT-255 = NUM LOCK

– Protect the SAM

• Physical security for the server

• Keep track of the Admin group

– Implement SYSKEY (NT SP2)

Page 43

Exploiting Trust

• Good account administration

– User accounts don’t have Admin privileges

– Local Admin, Domain Admin not mirrored

• Exploit data in Local Security Authority

– Passwords, hashes, dialup info, etc.

• Autologon

• Keystroke logging

– IKS costs $149, runs in kernel, logs all strokes

Page 44

Remote Control

• NT Resource Kit is first point of departure

– Remote Command Line (remote.exe)

– Remote Command Service (rcmd.exe)

– Included with server version of NT

– remote.exe easier to install and use

• Must run on target system

• With Admin access, can launch on schedule

• Remote shell via Netcat

Page 45

Back Doors - 1

• BackOrifice

– BO2k runs on NT and Win9x

– Provides remote control of machine

– Source code available, making custom modifications easy, detection harder

• Net Bus

– Remote control of Win9x and Win NT

– Keystroke logging an option

Page 46

Back Doors - 2

• How about a remote GUI with all the bells and whistles?

• Try Virtual Network Computing

– By AT&T Labs, Cambridge, UK

– Free!

– Can be installed remotely over the network

– Stealthy

– Virtually equivalent to “hands-on” access

Page 47

Countermeasures

• Look for the filenames of bad programs

• Hunt through the Registry

• Regularly check the process list

• Check the ports periodically

Page 48

Covering Up

• Disable auditing

• Clear the event log

• Hide a toolkit on the target system

Page 49

Think Creatively

• For example, suppose you could change the system clock. What might happen?

– Old Kerberos tickets could be good again

– Scheduled jobs may not run

– And…?

Page 50

Cracking Unix

• Remote access

– Exploit a listening service

– Route through a Unix system that links two or more networks securely

– Remote execution attack (e.g. Trojan email, etc.)

• Get root privileges

• Cover your tracks

Page 51

Unix vs. NT

• Unix around longer, source code available

• Very many buffer overflow attacks

• Specifics can be found in many texts

• Note, however, that the methodology of the attack follows the model used for NT. Why is this?

• Would you expect this model to have generality?

Page 52

Summary

• There is a set methodology to follow to gain network access (but this isn’t a cookie-cutter sort of approach)

• The methodology follows from the architecture and the software of the network

• The types of attacks vary widely, and new ones are constantly being developed

• Basic countermeasures and sound auditing will go a long way towards securing the network

Page 53

Homework - 1

1. You are the architect of a Unix-based corporate network. You have been asked to audit the network for security. How will you proceed? What automated tools might you use, and where would you get them? If you could only search for three top vulnerabilities, what would they be?

Page 54

Homework - 2

2. Napster allows the sharing of material that is, or may be, copyrighted. U. S. copyright law holds that the author owns the copyright to whatever he/she produces, from the moment it is expressed in a tangible form (e.g. in bits on a disk). Is Napster legal? Is it ethical? Should it be either or neither?

Page 55

Assignment for Next Week

• Next week’s topic: Legal and ethical issues in network-based security