Network Securityby: Mark Lachniet (mark@lachniet.com)

Introductions

Mark Lachniet Director of Information Data Systems

at Holt Public Schools Novell MasterCNE Freeware Disc Golf <yay!>

Mark Lachniet Director of Information Data Systems

at Holt Public Schools Novell MasterCNE Freeware Disc Golf <yay!>

And the VictimA.K.A. “Fred”

“White Hats” and “Black Hats”

• The good guys versus the bad guys• Some developers of “hacking” programs

do so to educate others and point out flaws for the betterment of computer security

• A wide variety of “white hat” help, advisories, and lists are available

• Also an ever-growing group of “black hats” armed with easy-to-use scripts known as “script kiddies.”

Networks & Servers

• Requirement to do business

• Time and knowledge intensive to manage

• Many connected to the Internet

• Easy availability of hacking tools

=DANGER

Security Risks• Physical, Logical, and policy security• User habits - passwords, logging in & out• Software bugs, Viruses & Trojans• Network attacks• Disgruntled employees• Competitors• Bored K12 students :)

Focusing on the Net

• Focus on networks and the Internet• Most school districts are connected to the

Internet• The threat of a remote compromise • If a hacker can “own” your net, he can get

access to virtually all of your important data• Developments in security happen in

“Internet Time” (quick!)• Takes a lot of time to research and

implement good security

Running on Internet time• This presentation represents *my*

knowledge at this time (10/98)• I don’t really consider myself a security

expert, just a network Administrator• There is undoubtably a great deal I do

*not* know and should be telling you• The technology changes quickly - assume

that it already has• Nonetheless, hopefully this will help you

in your own IT work

Types of Risks• DoS - Denial of Service• Exploits - getting administrator access• Password cracking - brute force • Network mapping - host/port scans• Sniffers - intercept passwords on the net• Trojans and backdoors - getting back

into the system• Misc - networked printers, routers, etc.• And more...

Denial of Service• Through some mechanism, services on

the network or server are disabled• Often due to poor programming (for

example buffer overflows)• What is a buffer overflow?• DoS attacks exist for virtually every

computer type from UNIX to PC• Windows NT is vulnerable to some DoS

attacks, even with current service packs• TCP/IP stacks often vulnerable as well• Used for destructive purposes (why else?)

Exploits• Generally used to obtain administrator

privileges on a server

• Most often for UNIX operating systems, but sometimes for NT/Novell as well

• Usually distributed as source code or shell scripts (hence “script kiddies”)

• Usually involves a server program with administrator privileges that is misconfigured or has a bug in it

• Exploits are easy to obtain and run!

Network scanners• Useful for getting the “lay of the land”• Determining what computers are

connected to the net and the services they offer

• Often used in coordination with exploits to scan a LARGE number of IP addresses for hosts which are vulnerable

• This is happening right NOW! Take a look at your web server logs and you can bet you will see their handiwork

• Some scanners can even tell what kind of computer is in use.

About those “script kiddies”• Whereas once hacking was something

done by a technical elite, now programs of mass destruction are widely available

• People with little or no actual knowledge can use powerful tools to compromise security

• If you haven’t been scanned yet, it is just a matter of time

• You NEED to know if your security is good before they find out for you

• Used to snoop on network traffic• Can obtain usernames and passwords

from plaintext transmissions such as Telnet, FTP, and mail

• Can also be used for other malicious purposes

• Assume that all traffic on the Internet is being watched by *someone*

• Encryption is protection against this kind of attack

• Telnet vs. Secure Shell [demo]

Network Sniffers

• Some sniffers can “hijack” a connection between two other hosts and take over one of the ends of the conversation.

• Some sniffers can destroy a connection as well, rendering the connection useless

• Sniffers are often used in combination with other programs such as Trojans

• Sniffers are frequently used to obtain additional passwords from an already- compromised host

Network Sniffers, cont.

Brute force attacks• Most passwords are 1-way encrypted. When you

type in your password, it is encrypted and compared to the password the system has on file for you. If the encrypted result matches, you typed the word

• Brute force engines attempt to encrypt an entire dictionary, one word at a time, in hopes of getting the password

• Can be used to obtain administrator privileges on NT, Novell, and UNIX!

• Servers respond by disabling login or slowing down drastically after a certain number of failed logins, thereby making it very time consuming to attack them

Brute force on Windows NT• Windows NT is especially vulnerable to

brute force attacks such as NAT (NetBios Audit Tool)

• Under NT, the Administrator account cannot be disabled, so it is open to unlimited (and fast) brute force attacks

• Never let your NT admin password be in the dictionary!

• Can be hacked from anywhere on the Internet if your server is connected to the net

Screen-shot of a NT hack on my home server

• [*]--- Attempting to connect with name: PUTZY

• [*]--- CONNECTED with name: PUTZY

• [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03

• [*]--- Server time is Mon Oct 5 12:08:15 1998

• [*]--- Timezone is UTC-4.0

• [*]--- Remote server wants us to encrypt, telling it not to

•

• [*]--- Attempting to connect with name: PUTZY

• [*]--- CONNECTED with name: PUTZY

• [*]--- Attempting to establish session

• [*]--- Was not able to establish session with no password

• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `10th'

• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `1st'

• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `2nd'

• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `3rd'

And so on...

Microsoft sharing shares too much information - another screen from home

• [*]--- Checking host: 10.0.0.4• [*]--- Obtaining list of remote NetBIOS names• [*]--- Remote systems name tables:

• PUTZY• LACHNIET• LACHNIET• PUTZY• LACHNIET• PUTZY• ADMINISTRATOR• LACHNIET• INet~Services• LACHNIET• IS~PUTZY• ^A^B__MSBROWSE__^B

All of this information helps the hackers...

Admin’s name

NT server name

Workgroup name

Programs running on the server

NetWare is not immune

• NetWare can also be brute force attacked• NetWare 3.x is more vulnerable than 4.x+• Pandora - designed to crack a copy of

directory services• For NetWare 4.x+, generally requires

access to the console or administrator access to acquire a copy of directory services

Brute force and UNIX• Brute force attacks originated on UNIX

to crack the /etc/passwd file

• Requires a user account or stolen password file

• Shadow passwords or other more advanced authentication systems can reduce the risk of this type of attack in UNIX environments

• Once again, just don’t ever use a password that is in the dictionary, or a place, or your mom, or your dog, etc.

Miscellaneous Attacks

• Lots of other strange bugs exist in everything from server software to routers and printers

• For example, HP Jet Direct printers can be controlled and crashed remotely

• With physical access, certain routers (e.g. Cisco) can be taken over

• “Fake Mail” is a good example of the lack of security on the Internet [demo]

Trojans and back doors• Are used to obtain or keep access to a system• Are remotely accessible, often with a simple

password• Allow full control of the host computer• For UNIX, usually provides a root shell

through a booby-trapped server program• Under Windows 95, “Back Orifice” is all the

rage in Trojan technology• Once you have one, as you will see, nothing is

safe

State of the art software“Back Orifice”

• Written by the “Cult of the Dead Cow”• Is small and powerful (only 128k bytes!)• Is similar to a virus - some program containing the

program must be run on the computer in question• Generally distributed hidden inside of other

legitimate programs (such as FTP downloads or E-Mail attachments)

• Quietly installs itself and hides the evidence, running in the background at all times

• Makes use of additional features through “Butt plug-ins”

Back Orifice Butt Plug-ins• A Butt plug-in is installed along with the

trojan and provides additional capabilities

• Butt-Trumpet sends and Email stating the IP address of the compromised computer (making you vulnerable even if you have a dialup connection)

• Butt-Sniffer allows a remote user to monitor network traffice on *your* local area network

• The potential is limitless [demo]

Are you ever going to trust an attachment again?

• Since Email can be forged to appear to be coming from just about anyone, ALL email attachments are suspect!

• Make people in your organization aware of this risk - many people will click on anything that comes their way

L0pht Crack• Multi-purpose NT hacking utility

• Performs brute force attacks on NT passwords (from the registry, from Emergency Repair discs, and from sniffed network traffic

• Integral sniffer to snatch NT passwords off the network for hacking

• http://www.l0pht.com (web site)

Nessus• Is a client/server hacking program similar to

“Satan”

• Server runs on a UNIX host (usually someone else’s who has already been hacked)

• The hacker runs a client remotely and submits requests to the Nessus server

• The nessus server scans a range of hosts for known vulnerabilities and provides a detail report back to the client

• All the activity appears to come from the hacked server host, so the hacker goes free!

• The next big thing: coordinated server attacks!

Getting help!• Okay, so now you are worried!• Research your operating systems on the net• Subscribe to Bug-Traq and other listserves• The best way to know that you are secure is to

hack your own network! it would be in your best interests to get someone to audit your security. If you don’t, someone will!

• Always keep up to date with service packs and patches

• Register your product so you will be made aware of security issues by the manufacturer

• Allow time for technical personnel to research security and improve their skills

END

mark@lachniet.com