Ch03 Network and Computer Attacks

Page 1: Ch03 Network and Computer Attacks

Hands-On Ethical Hacking and Network Defense
Chapter 3
Network and Computer Attacks

Page 2: Ch03 Network and Computer Attacks

Objectives

Describe the different types of malicious software
Describe methods of protecting against malware attacks
Describe the types of network attacks
Identify physical security attacks and vulnerabilities

Page 3: Ch03 Network and Computer Attacks

Malicious Software (Malware)

Network attacks prevent a business from operating
Malicious software (malware) includes
  Viruses
  Worms
  Trojan horses
Goals
  Destroy data
  Corrupt data
  Shut down a network or system

Page 4: Ch03 Network and Computer Attacks

Viruses

Virus attaches itself to an executable file
Can replicate itself through an executable program
  Needs a host program to replicate
No foolproof method of preventing them

Page 5: Ch03 Network and Computer Attacks

Antivirus Software

Detects and removes viruses
Detection based on virus signatures
Must update signature database periodically
  Use automatic update feature

Page 6: Ch03 Network and Computer Attacks


Page 7: Ch03 Network and Computer Attacks

Base 64 Encoding

Used to evade anti-spam tools, and to obscure passwords
Encodes six bits at a time (0 – 64) with a single ASCII character
  A – Z: 0 – 25
  a – z: 26 – 51
  1 – 9: 52 – 61
  + and -: 62 and 63
See links Ch 3a, 3b
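The following is an added example, not part of the slides: a Base64 encoder and decoder written directly from the six-bit index table, with a decoder that rejects characters outside the alphabet. Two details differ from the slide's summary and are worth knowing when you read encoded mail or config files: the standard alphabet (RFC 4648) maps the digits 0–9, not 1–9, to indices 52–61, and uses `+` and `/` for 62 and 63; `-` and `_` belong to the URL-safe variant. Six bits give 64 values, numbered 0 to 63. The sample string `cGFzc3dvcmQ=` is constructed for the example (it is the encoding of the word "password") to show that Base64 only obscures data, it does not protect it.

```python
# Added example (not from the slides): a Base64 encoder/decoder built from the
# 6-bit index table, used to show how trivially an "obscured" password is recovered.
import base64  # standard library, used only to cross-check the hand-written version

# Standard Base64 alphabet (RFC 4648): 64 symbols, one per 6-bit value 0-63.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # 0-25
    "abcdefghijklmnopqrstuvwxyz"  # 26-51
    "0123456789"                  # 52-61
    "+/"                          # 62 and 63 ('-' and '_' are the URL-safe variant)
)
DECODE = {ch: idx for idx, ch in enumerate(ALPHABET)}


def b64_encode(data: bytes) -> str:
    """Encode bytes: every 3 input bytes (24 bits) become 4 six-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 missing bytes
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        syms = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(syms[:4 - pad]) + "=" * pad)
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Decode Base64, rejecting symbols outside the alphabet and bad padding."""
    stripped = text.rstrip("=")
    pad = len(text) - len(stripped)
    if pad > 2 or len(text) % 4:
        raise ValueError("malformed Base64 length or padding")
    acc, nbits, out = 0, 0, bytearray()
    for ch in stripped:
        if ch not in DECODE:
            raise ValueError(f"{ch!r} is not a Base64 symbol")
        acc = (acc << 6) | DECODE[ch]             # append six more bits
        nbits += 6
        if nbits >= 8:                            # a whole byte is available
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1               # keep only the leftover bits
    return bytes(out)


def is_valid_base64(text: str) -> bool:
    """True if `text` decodes cleanly; useful when triaging suspicious mail bodies."""
    try:
        b64_decode(text)
        return True
    except ValueError:
        return False


def reveal(encoded: str) -> str:
    """Decode a Base64 string to text: encoding is not encryption."""
    return b64_decode(encoded).decode("utf-8")


def matches_stdlib(data: bytes) -> bool:
    """Cross-check: the hand-written codec must agree with the standard library."""
    ours = b64_encode(data)
    return ours == base64.b64encode(data).decode("ascii") and b64_decode(ours) == data


if __name__ == "__main__":
    sample = "cGFzc3dvcmQ="   # constructed sample: Base64 of the word "password"
    print(b64_encode(b"Man"), reveal(sample), matches_stdlib(bytes(range(256))))
```

The decoder refuses anything outside the alphabet instead of silently skipping it; a lenient decoder is exactly what spam filters were once evaded with, because the filter and the mail client would then disagree about the decoded content.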

Page 8: Ch03 Network and Computer Attacks

Viruses (continued)

Commercial base 64 decoders
Shell
  Executable piece of programming code
  Should not appear in an e-mail attachment

Page 9: Ch03 Network and Computer Attacks

Macro Viruses

Virus encoded as a macro
Macro
  Lists of commands
  Can be used in destructive ways
Example: Melissa
  Appeared in 1999
  It is very simple – see link Ch 3c for source code

Page 10: Ch03 Network and Computer Attacks

Writing Viruses

Even nonprogrammers can create macro viruses
  Instructions posted on Web sites
  Virus creation kits available for download (see link Ch 3d)
Security professionals can learn from thinking like attackers
  But don’t create and release a virus!
  People get long prison terms for that.

Page 11: Ch03 Network and Computer Attacks

Worms

Worm
  Replicates and propagates without a host
Infamous examples
  Code Red
  Nimda
Can infect every computer in the world in a short time
  At least in theory

Page 12: Ch03 Network and Computer Attacks

ATM Machine Worms

Cyberattacks against ATM machines
  Slammer and Nachi worms
  Trend produces antivirus for ATM machines
  See links Ch 3g, 3h, 3i
Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
  See link Ch 3j
Diebold was criticized for using Windows for ATM machines, which they also use on voting machines

Page 13: Ch03 Network and Computer Attacks


Page 14: Ch03 Network and Computer Attacks


Page 15: Ch03 Network and Computer Attacks

Trojan Programs

Insidious attack against networks
Disguise themselves as useful programs
  Hide malicious content in program
Backdoors
Rootkits
  Allow attackers remote access

Page 16: Ch03 Network and Computer Attacks

Firewalls

Identify traffic on uncommon ports
Can block this type of attack, if your firewall filters outgoing traffic
  Windows XP SP2’s firewall does not filter outgoing traffic
  Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
Trojan programs can use known ports to get through firewalls
  HTTP (TCP 80) or DNS (UDP 53)
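The following is an added example, not part of the slides: an outbound (egress) policy check of the kind the slide calls for, run over a small connection log. Because a Trojan can hide on TCP 80 or UDP 53, the policy does not filter on port alone; it also records which programs are allowed to use each port and, for DNS, which resolver they may talk to. The log format, the process names (`winhelper.exe` as the suspect program, `svchost.exe` standing in for the DNS client service) and the documentation-range addresses are all constructed for the example.

```python
# Added example (not from the slides): an egress-filtering check that denies
# outbound connections by default and allows only known programs on known ports.
# The log format, process names, policy and addresses are constructed.
import re
from collections import namedtuple

Conn = namedtuple("Conn", "time process proto dport dst")

LOG_RE = re.compile(
    r"^(?P<time>\S+) proc=(?P<process>\S+) proto=(?P<proto>tcp|udp) "
    r"dport=(?P<dport>\d+) dst=(?P<dst>\S+)$"
)

# Outbound policy: which programs may use each "known" port. Everything else is denied.
EGRESS_POLICY = {
    ("tcp", 80): {"iexplore.exe", "firefox.exe"},
    ("udp", 53): {"svchost.exe"},      # assumed: the host's DNS client service
}
# DNS may only go to the configured resolver; DNS to anywhere else is a tunnelling sign.
ALLOWED_RESOLVERS = {"192.0.2.53"}

# Constructed outbound-connection log (one connection attempt per line).
SAMPLE_LOG = """\
2009-03-02T09:14:01 proc=iexplore.exe proto=tcp dport=80 dst=203.0.113.10
2009-03-02T09:14:05 proc=svchost.exe proto=udp dport=53 dst=192.0.2.53
2009-03-02T09:15:10 proc=winhelper.exe proto=tcp dport=80 dst=198.51.100.7
2009-03-02T09:15:11 proc=winhelper.exe proto=udp dport=53 dst=198.51.100.7
2009-03-02T09:16:00 proc=svchost.exe proto=udp dport=53 dst=198.51.100.9
"""


def parse_line(line: str) -> Conn:
    """Parse one constructed log line into a Conn record."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    d = m.groupdict()
    return Conn(d["time"], d["process"].lower(), d["proto"], int(d["dport"]), d["dst"])


def decide(conn: Conn):
    """Return ("allow" | "deny", reason) for one outbound connection."""
    allowed = EGRESS_POLICY.get((conn.proto, conn.dport))
    if allowed is None:
        return "deny", f"port {conn.proto}/{conn.dport} not in egress policy"
    if conn.process not in allowed:
        return "deny", f"{conn.process} may not use {conn.proto}/{conn.dport}"
    if conn.dport == 53 and conn.dst not in ALLOWED_RESOLVERS:
        return "deny", f"DNS to unapproved resolver {conn.dst}"
    return "allow", "matches egress policy"


def audit(log_text: str):
    """Return the denied connections from a log, each paired with its reason."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            conn = parse_line(line)
            verdict, reason = decide(conn)
            if verdict == "deny":
                results.append((conn, reason))
    return results


if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_LOG):
        print(f"{conn.time} {conn.process} -> {conn.dst}:{conn.dport} denied: {reason}")
```

Run against the sample log, the two `winhelper.exe` connections are denied because the program is not on the allow list for either port, and the last `svchost.exe` line is denied even though the program and port are allowed, because the destination is not the approved resolver. A firewall that only filters inbound traffic, as the slide notes for XP SP2, would see none of these.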

Page 17: Ch03 Network and Computer Attacks


Page 18: Ch03 Network and Computer Attacks

Trojan Demonstration

Make a file with command-line Windows commands
Save it as C:\Documents and Settings\username\cmd.bat
Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
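The demonstration works because of command-search order: Windows looks in the current directory (the user's profile for the Run box) before the PATH, and within each directory tries every PATHEXT extension before moving on, so a `cmd.bat` in the profile wins over `C:\Windows\System32\cmd.exe`. The following is an added example, not part of the slides, showing the defender's side: an audit that resolves each command name the way the shell would and reports any that resolve outside the trusted system directories. The file listing and the user name `alice` are constructed; on a real machine the listing would come from a disk scan.

```python
# Added example (not from the slides): a command-shadowing audit that mirrors
# the Windows search order (current directory first, then PATH; every PATHEXT
# extension tried per directory). All paths and the file listing are constructed.

DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")   # Windows' default order

# Directories whose executables we trust; anything resolved elsewhere is suspect.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows")

# Constructed file listing standing in for a real disk scan.
EXISTING_FILES = {
    r"C:\Documents and Settings\alice\cmd.bat",   # the planted batch file
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\ping.exe",
    r"C:\Windows\notepad.exe",
}


def resolve_command(name, search_dirs, existing_files, pathext=DEFAULT_PATHEXT):
    """Return the file the shell would run for `name`, or None if nothing matches."""
    lookup = {f.lower(): f for f in existing_files}       # Windows paths are case-insensitive
    for directory in search_dirs:
        for ext in pathext:
            candidate = f"{directory}\\{name}{ext}".lower()
            if candidate in lookup:
                return lookup[candidate]
    return None


def in_trusted_dir(path, trusted_dirs=TRUSTED_DIRS):
    """True if the file sits directly in one of the trusted directories."""
    parent = path.rsplit("\\", 1)[0].lower()
    return any(parent == t.lower() for t in trusted_dirs)


def audit_shadowing(names, current_dir, path_dirs, existing_files):
    """List (name, what actually runs, what should run) for shadowed commands."""
    search_dirs = [current_dir, *path_dirs]
    findings = []
    for name in names:
        resolved = resolve_command(name, search_dirs, existing_files)
        expected = resolve_command(name, list(TRUSTED_DIRS), existing_files)
        if resolved and not in_trusted_dir(resolved):
            findings.append((name, resolved, expected))
    return findings


if __name__ == "__main__":
    profile = r"C:\Documents and Settings\alice"
    for name, bad, good in audit_shadowing(["cmd", "ping", "notepad"], profile,
                                           list(TRUSTED_DIRS), EXISTING_FILES):
        print(f"{name}: runs {bad} instead of {good}")
```

The audit flags `cmd` only: `ping` and `notepad` resolve to the system directories. The same check, run periodically over user profiles and any directory that precedes the system directories in PATH, catches this class of planted file regardless of which command name it borrows.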

Page 19: Ch03 Network and Computer Attacks

Improved Trojan

Resets the administrator password
Almost invisible to user
Works in Win XP, but not so easy in Vista

Page 20: Ch03 Network and Computer Attacks

Spyware

Sends information from the infected computer to the attacker
  Confidential financial data
  Passwords
  PINs
  Any other stored data
Can register each keystroke entered (keylogger)
Prevalent technology
Educate users about spyware

Page 21: Ch03 Network and Computer Attacks

Deceptive Dialog Box

Page 22: Ch03 Network and Computer Attacks

Adware

Similar to spyware
  Can be installed without the user being aware
Sometimes displays a banner
Main goal
  Determine user’s online purchasing habits
  Tailored advertisement
Main problem
  Slows down computers

Page 23: Ch03 Network and Computer Attacks

Protecting Against Malware Attacks

Difficult task
  New viruses, worms, Trojan programs appear daily
Antivirus programs offer a lot of protection
Educate your users about these types of attacks

Page 24: Ch03 Network and Computer Attacks


Page 25: Ch03 Network and Computer Attacks


Page 26: Ch03 Network and Computer Attacks

Educating Your Users

Structural training
  Most effective measure
  Includes all employees and management
E-mail monthly security updates
  Simple but effective training method
Update virus signature database automatically

Page 27: Ch03 Network and Computer Attacks

Educating Your Users

SpyBot and Ad-Aware
  Help protect against spyware and adware
  Windows Defender is excellent too
Firewalls
  Hardware (enterprise solution)
  Software (personal solution)
  Can be combined
Intrusion Detection System (IDS)
  Monitors your network 24/7

Page 28: Ch03 Network and Computer Attacks

FUD

Fear, Uncertainty and Doubt
  Avoid scaring users into complying with security measures
  Sometimes used by unethical security testers
  Against the OSSTMM’s Rules of Engagement
Promote awareness rather than instilling fear
  Users should be aware of potential threats
  Build on users’ knowledge

Page 29: Ch03 Network and Computer Attacks

Intruder Attacks on Networks and Computers

Attack
  Any attempt by an unauthorized person to access or use network resources
Network security
  Security of computers and other devices in a network
Computer security
  Securing a standalone computer, not part of a network infrastructure
Computer crime
  Fastest growing type of crime worldwide

Page 30: Ch03 Network and Computer Attacks

Denial-of-Service Attacks

Denial-of-Service (DoS) attack
  Prevents legitimate users from accessing network resources
  Some forms do not involve computers, like feeding a paper loop through a fax machine
DoS attacks do not attempt to access information
  Cripple the network
  Make it vulnerable to other types of attacks

Page 31: Ch03 Network and Computer Attacks

Testing for DoS Vulnerabilities

Performing an attack yourself is not wise
  You only need to prove that an attack could be carried out

Page 32: Ch03 Network and Computer Attacks

Distributed Denial-of-Service Attacks

Attack on a host from multiple servers or workstations
Network could be flooded with billions of requests
  Loss of bandwidth
  Degradation or loss of speed
Often participants are not aware they are part of the attack
  Attacking computers could be controlled using Trojan programs

Page 33: Ch03 Network and Computer Attacks

Buffer Overflow Attacks

Vulnerability in poorly written code
  Code does not check predefined size of input field
Goal
  Fill overflow buffer with executable code
  OS executes this code
  Can elevate attacker’s permission to Administrator or even Kernel
Programmers need special training to write secure code

Page 34: Ch03 Network and Computer Attacks


Page 35: Ch03 Network and Computer Attacks


Page 36: Ch03 Network and Computer Attacks

Ping of Death Attacks

Type of DoS attack
Not as common as during the late 1990s
How it works
  Attacker creates a large ICMP packet
    More than 65,535 bytes
  Large packet is fragmented at source network
  Destination network reassembles large packet
  Destination point cannot handle oversize packet and crashes
  Modern systems are protected from this (Link Ch 3n)
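The following is an added example, not part of the slides: a small IPv4 fragment reassembler that applies the bound the vulnerable stacks lacked. Each fragment carries an offset (in 8-byte units) and a payload, and a receiver that trusts them can be told to write past the end of a 65,535-byte buffer. The fix that modern systems apply is to check `offset * 8 + payload length` against the maximum before buffering anything. The fragments are constructed; the example assumes a 20-byte IP header with no options, so the payload limit is 65,535 minus 20 bytes.

```python
# Added example (not from the slides): IPv4 fragment reassembly with the bound
# check that defeats the Ping of Death. The fragments below are constructed.
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # the IPv4 total-length field is 16 bits wide
IP_HEADER_LEN = 20            # assumed: header without options
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN


@dataclass
class Fragment:
    offset_units: int          # fragment offset field, in 8-byte units
    more_fragments: bool       # the MF flag; False on the last fragment
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def fragment_is_sane(frag: Fragment) -> bool:
    """Check a fragment before buffering it: it must fit inside the maximum
    datagram, and every fragment but the last must be a multiple of 8 bytes."""
    fits = frag.end <= MAX_PAYLOAD
    aligned = (not frag.more_fragments) or len(frag.payload) % 8 == 0
    return fits and aligned


def reassemble(fragments):
    """Return the reassembled payload; raise ValueError on oversize, gaps or overlaps."""
    ordered = sorted(fragments, key=lambda f: f.offset_units)
    buf = bytearray()
    for frag in ordered:
        if not fragment_is_sane(frag):
            raise ValueError(f"fragment at offset {frag.start} would exceed {MAX_PAYLOAD} bytes")
        if frag.start != len(buf):
            raise ValueError(f"gap or overlap at offset {frag.start}")
        buf += frag.payload
    if not ordered or ordered[-1].more_fragments:
        raise ValueError("last fragment missing")
    return bytes(buf)


def accepted(fragments) -> bool:
    """True if the fragment set reassembles into a valid datagram."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


def would_crash_naive_stack(fragments) -> bool:
    """True when the fragments describe more data than a fixed maximum-size buffer holds,
    which is what an unchecked reassembler would try to write."""
    return max((f.end for f in fragments), default=0) > MAX_PAYLOAD


# Constructed samples: a normal two-fragment ping and an oversize one.
NORMAL_PING = [Fragment(0, True, b"A" * 1480), Fragment(185, False, b"B" * 100)]
PING_OF_DEATH = [Fragment(0, True, b"A" * 1480), Fragment(8191, False, b"X" * 8)]

if __name__ == "__main__":
    print(len(reassemble(NORMAL_PING)), "bytes reassembled")
    print("oversize set accepted:", accepted(PING_OF_DEATH),
          "| would overflow a naive stack:", would_crash_naive_stack(PING_OF_DEATH))
```

The oversize set is rejected at `fragment_is_sane` before any copy happens, which is the property that matters: the check runs on the fragment header fields, so the receiver never allocates or writes based on an attacker-chosen length.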

Page 37: Ch03 Network and Computer Attacks

Session Hijacking

Enables attacker to join a TCP session
Attacker makes both parties think he or she is the other party

Page 38: Ch03 Network and Computer Attacks

Addressing Physical Security

Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the company

Page 39: Ch03 Network and Computer Attacks

Keyloggers

Used to capture keystrokes on a computer
  Hardware
  Software
Software
  Behaves like Trojan programs
Hardware
  Easy to install
  Goes between the keyboard and the CPU
  KeyKatcher and KeyGhost

Page 40: Ch03 Network and Computer Attacks


Page 41: Ch03 Network and Computer Attacks


Page 42: Ch03 Network and Computer Attacks

Keyloggers (continued)

Protection
  Software-based
    Antivirus
  Hardware-based
    Random visual tests
    Look for added hardware
    Superglue keyboard connectors in

Page 43: Ch03 Network and Computer Attacks

Behind Locked Doors

Lock up your servers
  Physical access means they can hack in
  Consider Ophcrack – booting to a CD-based OS will bypass almost any security

Page 44: Ch03 Network and Computer Attacks

Lockpicking

Average person can pick deadbolt locks in less than five minutes
  After only a week or two of practice
Experienced hackers can pick deadbolt locks in under 30 seconds
Bump keys are even easier (Link Ch 3o)

Page 45: Ch03 Network and Computer Attacks

Card Reader Locks

Keep a log of who enters and leaves the room
Security cards can be used instead of keys for better security
  Image from link Ch 3p