
FORESEC Academy

FORESEC Academy Security Essentials (III)

INTERNET SECURITY TECHNOLOGIES
Internet Security Technologies
Agenda
Chapter 13: Attack Strategies and Mitigation
Chapter 14: Firewalls and Honeypots
Chapter 15: Vulnerability Scanning
Chapter 16: Host-Based Intrusion Detection
Chapter 17: Network-Based Intrusion Detection
Chapter 18: Risk Management and Auditing
Attack Strategies and Mitigation
Chapter Outline
Mitnick-Shimomura Attack Analysis
Preventive Techniques
Methods of Attack
Chapter Summary
K. Mitnick vs. T. Shimomura

Confidentiality, integrity and availability attack
Reconnaissance probing to determine trust relationship (r utilities)
IP spoofing to act as one side of trust relationship
Lack of site or system perimeter
Two Systems, Trust Relationship

Unix, Apple Computers, and Windows all have built-in trust relationship capabilities. If one party in a two-way trust relationship is compromised or spoofed, the other party is in great danger.
Enter the BadGuy(TM)

Reconnaissance is often the first phase of an attack.
Silence B With DoS

The attacker is going to pretend he is B, so B must be silenced so it cannot signal an alarm.
A SYN flood attack on B renders B unable to reply to A.
Attacker Probes for a Weakness in A's TCP Stack

Each time A is stimulated, the SYN/ACK response is predictable.
Attacker Pretends to be B

The attacker, pretending to be B, uses the predictable response to open a connection.
Make A Defenseless

The attacker sends the expected ACK with a fake source IP address to establish a connection.
Finish the Job

"B" sends the rshell packet echo ++>/.rhosts to open A to attack.
The attacker then uses # rlogin -l root to take over A.
What Common Techniques Could Have Prevented The Attack?
What Risk Management Techniques Could Have Detected The Attack?
Patching Systems

Although not relevant to Mitnick's attack per se, patching is still very important.
Timely patching can often prevent the majority of attack vectors from being successfully executed.
Patches are often available before or very soon after exploits are announced.
Disabling Unused Services
Host-based Intrusion Detection
Network-based Intrusion Detection
Network Vulnerability Scanner

Scanner Warning:
A trusts B
A has potential rshell vulnerability
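The wildcard trust entry written in the "Finish the Job" step and the "A trusts B" scanner warning above are both findings a trust-file audit can raise. The Python script below is an added example, not FORESEC course material; it assumes the classic `.rhosts` / `hosts.equiv` line syntax of `host [user]` with `+` as the wildcard and `-host` as a deny entry, and runs on a constructed sample file embedded in the code.

```python
# Added example: audit .rhosts / hosts.equiv trust entries (not FORESEC code).
# Assumes the classic line syntax "host [user]", "+" = wildcard, "-host" = deny.
from typing import List, Tuple

# Constructed sample /.rhosts for host "A". The "+ +" line is the kind of
# entry the spoofed rsh command in the attack writes; "hostB" is the
# one-sided trust the scanner slide warns about.
SAMPLE_RHOSTS = """\
# trusted hosts for A (constructed sample)
+ +
hostB
hostC alice
"""


def parse_trust_file(text: str) -> List[Tuple[str, str]]:
    """Return (host, user) pairs; an empty user means 'same username'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries


def audit_trust_file(text: str) -> List[Tuple[str, str]]:
    """Classify every trust entry as CRITICAL, HIGH or MEDIUM with a reason."""
    findings = []
    for host, user in parse_trust_file(text):
        if host.startswith("-"):  # negative entries deny access; nothing to flag
            continue
        if host == "+" and user == "+":
            findings.append(("CRITICAL", "'+ +': any user on any host may log in without a password"))
        elif host == "+":
            findings.append(("CRITICAL", f"'+': any host may log in as {user or 'the same user'}"))
        elif user == "+":
            findings.append(("HIGH", f"any user on {host} may log in"))
        else:
            # A named host is only as strong as its source IP, which the attack
            # spoofs; it needs anti-spoofing filtering at the perimeter.
            who = f" (user {user})" if user else ""
            findings.append(("MEDIUM", f"trusts {host}{who}; host identity is IP-based and spoofable"))
    return findings


def has_rshell_exposure(text: str) -> bool:
    """True when any entry admits untrusted hosts or users (CRITICAL or HIGH)."""
    return any(sev in ("CRITICAL", "HIGH") for sev, _ in audit_trust_file(text))


if __name__ == "__main__":
    for severity, reason in audit_trust_file(SAMPLE_RHOSTS):
        print(f"[{severity}] {reason}")
```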
Firewalls

Many attack attempts fail to penetrate well-configured firewalls, especially if they have a "deny everything not specifically allowed" policy.