
The Ultimate Defense (Think Like a Hacker)

Kanika Garg, Department of Computer Science, Krishna Engineering College

Kanika Garg, Asst. Professor, Department of Computer Application - KEC

Session Prerequisites

- Hands-on experience with Windows 2000 or Windows Server 2003
- Working knowledge of networking, including basics of security
- Basic knowledge of network security-assessment strategies

This session is about

- Operational security
- The easy way is not always the secure way
- Networks are usually designed in particular ways
- In many cases, these practices simplify attacks
- In some cases, these practices enable attacks
- In order to avoid these practices, it helps to understand how an attacker can use them

This session is NOT

- A hacking tutorial
  - Hacking networks you own can be enlightening
  - HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
- A demonstration of vulnerabilities in Windows
  - Everything we show stems from operational security or custom applications
  - Knowing how Windows operates is critical to avoiding problems
- For the faint of heart

What is HACKING

Hacking is a way of thinking. A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them.

Hacking applies to all aspects of life, not just computers.

The Network

[Network diagram; labels recovered from the slide: External LAN, Access Points, ISA Server Firewall, DMZ LAN with IIS 5.0 on Windows 2000, Internal LAN with IIS 6.0 on Windows 2003]

Profiles

[Attacker profile matrix; labels recovered from the slide: motives and matching attacker types National Interest / Spy, Personal Gain / Thief, Personal Fame / Trespasser, Curiosity / Vandal, plus Author and Script-Kiddy; skill levels Undergraduate, Expert, Specialist]

SOURCE: Microsoft and Accenture

Approaches

What is the typical hacker profile?

- Spy: Slow, careful, precise, invasive
- Thieves: Fast, careful, precise, sometimes invasive
- Script Kiddies: Slow, reckless, imprecise, invasive
- Defacers: Fast, reckless, precise, mildly invasive

Hacking Methodology: Basic steps

- Information Gathering / Profiling
- Probe / Enumeration
- Attack
- Advancement
- Entrenchment
- Infiltration / Extraction

Information Gathering

Profiling involves:

- Deciding and discovering which targets to attack
- Often beginning with a specific network or a specific company
- whois, nslookup queries
- Samspade.org
- Search engines (Google scanning)

Probe

- Scan specific targets for vulnerabilities
- Search sweeping ranges of ports with a port scan (nmap)
- Grab details such as service versions from the discovered ports, aka banner grabbing (netcat)
- Windows: Connect to and enumerate information from NetBIOS (enum)
- Search the Internet for vulnerabilities based on versions of software found on targets
- Often begin with a specific network or a specific company
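The port sweeps described in the Probe step leave a distinctive trace on the firewall: one source touching many distinct ports on one host, mostly denied. The following detector is an added example, not part of the original deck; it runs over constructed sample log lines in a hypothetical "time action src dst port proto" format, so the regular expression would need adjusting for a real firewall's log layout.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original deck). The layout
# "time action src dst port proto" is hypothetical, chosen for this example.
SAMPLE_LOG = """\
10:00:01 DENY 203.0.113.7 192.0.2.10 21 TCP
10:00:01 DENY 203.0.113.7 192.0.2.10 22 TCP
10:00:01 DENY 203.0.113.7 192.0.2.10 23 TCP
10:00:02 DENY 203.0.113.7 192.0.2.10 25 TCP
10:00:02 DENY 203.0.113.7 192.0.2.10 80 TCP
10:00:02 DENY 203.0.113.7 192.0.2.10 135 TCP
10:00:02 ALLOW 203.0.113.7 192.0.2.10 139 TCP
10:00:03 DENY 203.0.113.7 192.0.2.10 443 TCP
10:00:03 DENY 203.0.113.7 192.0.2.10 445 TCP
10:00:03 DENY 203.0.113.7 192.0.2.10 3389 TCP
10:00:05 ALLOW 198.51.100.4 192.0.2.10 80 TCP
10:00:06 ALLOW 198.51.100.4 192.0.2.10 443 TCP
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Yield (time, action, src, dst, port) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, action, src, dst, port, _proto = m.groups()
            yield t, action, src, dst, int(port)

def find_port_sweeps(text, min_ports=8, max_allowed_ratio=0.3):
    """Flag (src, dst) pairs that hit many distinct ports with mostly denied connections."""
    ports = defaultdict(set)
    denied = defaultdict(int)
    total = defaultdict(int)
    for _t, action, src, dst, port in parse_log(text):
        key = (src, dst)
        ports[key].add(port)
        total[key] += 1
        if action == "DENY":
            denied[key] += 1
    hits = []
    for key, pset in ports.items():
        allowed_ratio = 1 - denied[key] / total[key]
        if len(pset) >= min_ports and allowed_ratio <= max_allowed_ratio:
            hits.append((key[0], key[1], len(pset)))
    return hits
```

The thresholds are deliberately tunable: a legitimate client rarely touches eight or more distinct ports on one host, and a high deny ratio separates a sweep from a busy but authorised user.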

Probe: Selected Tools

- NMAP
- Superscan
- Nessus
- Whisker
- Netcat
- nikto

Probe

Most often, professional ethical hackers rely on vulnerability scanners to perform their jobs:

- MBSA
- NetIQ Vulnerability Manager
- Nessus
- eTrust Vulnerability Manager
- Internet Security Systems Internet Scanner
- Retina Network Security Scanner

nmap

Nmap is used to scan the ports of the target system. Using the -O option also reports the operating system of the target.

[Screenshot: Nmap's guess at the operating system type]

Attack

- Gather compatible exploits
- Compile exploits (if required)
- Launch exploits against targets
- Modify parameters, re-launch exploits (if required)

Attack

There are many different types of attacks, which can be broken down into several classifications. The attacks are performed from one of two perspectives:

- Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
- Remote: The attacker exploits the target box without first gaining access to a command shell

Attacks: Buffer Overflow

- Aka the Boundary Condition Error: stuff more data into a buffer than it can handle. The resulting overflowed data falls into a precise location and is executed by the system
- Local overflows are executed while logged into the target system
- Remote overflows are executed by processes running on the target that the attacker connects to
- Result: Commands are executed at the privilege level of the overflowed program

Attacks: Input validation

- A process does not strip input before processing it, e.g. special shell characters such as semicolon and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters
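Both bullets above come down to untrusted data reaching an interpreter unchanged. The following is an added example, not code from the deck: a constructed in-memory SQLite table queried once by string concatenation (the "unexpected field" case) and once with a bound parameter, plus an allow-list check for the shell metacharacters the slide names. The table contents and the function names are assumptions made for the example.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory table standing in for the deck's 'SQL database'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn

def lookup_unsafe(conn, name):
    """Weak form: user input is spliced into the SQL text, so quote characters
    in the field change the meaning of the query instead of being data."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and never becomes SQL."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Shell control characters, including the semicolon and pipe named on the slide.
SHELL_META = re.compile(r"[;|&`$<>\n]")

def is_clean_for_shell(value):
    """Reject any value carrying shell control characters before it reaches a command line."""
    return SHELL_META.search(value) is None
```

Running both lookups with the same quoted input shows the difference directly: the concatenated query returns every row, the parameterised one returns nothing.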

Attacks: Weak password

- Accounts with weak passwords are guessed by a remote attacker
- Accounts with weak passwords are cracked by an attacker with access to a password database

Attacks: Exploit Sites

- SecurityFocus: http://www.securityfocus.com
- Packetstorm: http://packetstormsecurity.org
- New Order: http://neworder.box.sk/
- Hack in the Box: http://www.hackinthebox.org/
- phreak.org: http://www.phreak.org/archives/exploits/unix/

Attack Phases

The Attack is most often broken into several phases:

- Locating Exploits
- Getting Exploits
- Modification of Exploits
- Building Exploits
- Testing Exploits
- Running Exploits

Locating Exploits


Obtaining and modifying Exploits


Advancement

If needed, gain further access to targets by further exploitation:

- Trojans
- Local Exploits

The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits.

Entrenchment

Modify targets to ensure future access:

- Backdoors
- Rootkits

Infiltration/Extraction

- Install sniffers to monitor network traffic, gather usernames/passwords
- Extract data from compromised systems
- Compromise neighboring targets based on captured data or trust relationships

Script Kiddies

Named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, they generally follow a very simple non-cyclical methodology:

- Exploit Selection
- Target Selection
- Attack

Generally use search engines to locate exploits. Generally not a technically savvy lot, so exploit selection is made based on the attack platforms available (generally Windows-based) and ease of use.

Script Kiddies: Target Selection

- Most target selection involves noisy scanners, often launched from Windows platforms
- An increasing number of Script Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap

A Typical Hack

[Network diagram; labels recovered from the slide: Internet, Public DNS Server, Firewall, DMZ (Web Servers, App Servers, FTP Drop, S/W Load Balancing), Firewall 2, Trusted eC Segment (DB Server, SAN, H/W or S/W Load Balancing), Firewall 4, Corporate LAN (Employees & Other Internal Users, Web Server (Internal Users), DB Servers, SAN, Level IV Data), Extranet Firewall, Trusted Business Partners]

How To Get Your Network Hacked In 10 Easy Steps

1. Don't patch anything
2. Run unhardened applications
3. Logon everywhere as a domain admin
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Use lame passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK

The moral

- Initial entry is everything
- Most networks are designed like egg shells: hard and crunchy on the outside, soft and chewy on the inside
- Once an attacker is inside the network you can:
  - Update resume
  - Hope he does a good job running it
  - Drain the network

Questions and Answers
