EE579T Network Security
8: More About Network-Based Attacks
Prof. Richard A. Stanley
Spring 2001 © 2000, 2001, Richard A. Stanley WPI EE579T/8 #1

#2 Thought for the Day
“Denial of service attacks are the last resort of a desperate mind; unfortunately, they are a reality.”
Stuart McClure, Joel Scambray, George Kurtz

#3 Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Course project scheduling
• Network attacks--continued

#4 Last Week...
• TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited
• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources
• Never forget, the best access is hands-on

#5 Network Security Last Week - 1
• SubSeven updated to Version 2.2, adds
  – support for proxy programs
  – ability to listen to a random port
  – GUI-based packet sniffer
  – ability to relay information about compromised machines to Web sites via CGI
  – list of infected machines can then be passed around to hackers

#6 Network Security Last Week - 2
• GAO faults IRS online tax filing security
  – Hackers can access taxpayer data, including tax return
  – Authentication/signature requirements not upheld, but $2.1B refunds paid anyway!
• Successful hacks to government sites have increased markedly; only half are reported
  – Problem attributed to OS’s that are vulnerable when delivered

#7 Network Security Last Week - 3
• W32.Kris, the “Christmas virus,” has resurfaced bigger and badder
  – Modified, renamed to W32.Magistr.24876
  – Payload capable of overwriting a hard drive and destroying a computer's BIOS chip
  – Virus (actually a worm) infects a random Word file on the user's hard drive, then attaches that file, and 5 other files, to an e-mail which it sends to everyone in the address book

#8 Network Security Last Week - 4
• IT leaders form Online Privacy Alliance to combat privacy legislation. Approach:
  – identify expensive regulatory burdens
  – question how any U.S. Internet law would apply to non-Internet industries
  – assure lawmakers that privacy is best guarded by new technology, not new laws
  – assert that online privacy would cost consumers billions annually

#9 Network Security Last Week - 5
• Largest Internet criminal attack to date:
  – Eastern European hackers spent a year systematically exploiting known Windows NT vulnerabilities to steal customer data
  – More than 1 million credit card numbers taken
  – More than 40 sites victimized
• FBI and USSS taking the unprecedented step of releasing detailed forensic information from ongoing investigations because of the importance of the attacks

#10 Network Security Last Week - 6
• Updated worm-generating software issued
  – Brazilian hacker Kalamar has refined the software used to write the Kournikova virus
  – Software encrypts the worms so they are impossible to delete
  – They can also carry an executable payload
• Hacker distances himself from responsibility for wrongdoing, claiming that "worms are for learning, not for spreading”

#11 Network Security Last Week - 7
• Bibliofind closes its books after hack
  – No more online payments for Amazon spin-off Bibliofind
  – Hacker had been sitting on the site's servers since October, downloading customer information, including credit card numbers
  – Servers were taken down 2 Mar; all customer information was purged
  – Customers now have to arrange payment directly with the sellers

#12 Network Security Last Week - 8
• Naked Wife virus: destructive but contained
• Israeli hacktivists suspected in rerouting Hamas home page to a pornographic site
• Vierika VB worm
  – Outlook e-mail attachment
  – Lowers Internet Explorer security settings
  – Changes a user's start page to an Italian site that contains the main part of the worm
• Palm passwords accessible through back door via serial syncing cable

#13 Revised Class Schedule Due to Snow Day
• We can go in many directions from here
  – What do you want to hear about most in the 3 remaining lectures?
• Schedule
  – 3/22, 3/29, 4/5: Lecture classes
  – 4/12: Exam + 2 project presentations
  – 4/19: 6 project presentations
  – 4/26: 6 project presentations + prof. evaluation

#14 Course Projects - 1
1. Port scanning technology – Sullivan, Toomey
2. Extensible authentication protocol – Mizar, Hirsh, Tummala
3. Honey Pot – Kaps, Gaubatz
4. Wired/Wireless security comparison – Azevedo, Nguyen, H. Tummala

#15 Course Projects - 2
5. SOHO network security – Davis, Syversen, Kintigh
6. Sniffing switched networks – Michaud, Lindsay, VanRandwyk
7. Broadband access security – Sumeet, Nirmit, Harsh
8. Trojan Horse security – Aparna, Subramanian

#16 Course Projects - 3
9. Java security – Malloy
10. Router security – Mansour,
11. DDoS Security – Gorse, Pushee
12. Network Security Processors – McLaren, Brown

#17 Projects - 4
13. Network cryptography – Lee
14. ATM Security (can’t do 26 Apr) – Fernandes, Kuppur, Venkatesh

#18 Network Based Attacks
Do You Do Windows?

#19 ARP Revisited
• Bad guy on same network segment
  – Sends gratuitous ARP response
  – Most implementations will cache the response, even though it was not requested
  – This takes over the IP address associated with the MAC address
• Bad guy on another network segment
  – Only has to deal with routing between segments

#20 Hacking Windows 98
• Good news
  – Very limited remote administration capability
  – Impossible to execute commands remotely, except with third-party software or proxy
    • BUT THESE EXIST!
• Bad news
  – No real security design; “feel-good” features

#21 Windows 9x Remote Attacks

#22 Windows 98 Shares
• Printer shares fairly benign, save for freeriding (which costs money for time and supplies, so it isn’t a victimless attack)
• File shares another story
  – Many scanners exist to uncover Win9x shares
  – If root partition shared, Trojan Horses easy to plant that execute on next boot + other mischief
  – PWL files can be downloaded for cracking

#23 Replay Authentication Hash
• Win9x with file sharing issues the same challenge to a remote computer in a given 15-minute period
• Username and challenge are hashed for authentication
  – Username sent in clear
  – Identically hashed authentication request could be sent in the 15-minute period to mount share
• So far, not widely exploited. But…?
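The gratuitous-reply problem on slide #19 from the monitoring side, as an added example that is not part of the lecture: a passive ARP auditor that flags replies nobody asked for and any change in an IP-to-MAC binding. The trace, addresses and MACs are constructed for the example.

```python
# Constructed ARP trace, one tuple per frame: (op, sender_ip, sender_mac, target_ip).
# Not captured traffic; the third frame models the unsolicited reply of slide #19.
TRACE = [
    ("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ("reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),  # answers the request above
    ("reply",   "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.5"),  # unsolicited; rebinds gateway IP
    ("request", "10.0.0.7", "aa:aa:aa:aa:aa:07", "10.0.0.1"),
    ("reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.7"),  # real gateway answers again
]


def audit_arp(trace):
    """Return a list of alert strings for unsolicited replies and binding changes.

    pending  holds (answerer_ip, requester_ip) pairs for requests not yet answered,
    bindings holds the ip -> mac mapping learned from replies so far.
    """
    pending = set()
    bindings = {}
    alerts = []
    for op, sender_ip, sender_mac, target_ip in trace:
        if op == "request":
            # The target is expected to answer the sender.
            pending.add((target_ip, sender_ip))
            continue
        # A reply: sender_ip says "I am at sender_mac" to target_ip.
        key = (sender_ip, target_ip)
        if key in pending:
            pending.discard(key)
        else:
            # A reply with no outstanding request is gratuitous/unsolicited.
            alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac} to {target_ip}")
        previous = bindings.get(sender_ip)
        if previous is not None and previous != sender_mac:
            # Same IP now claimed by a different MAC: the takeover slide #19 describes.
            alerts.append(f"binding change: {sender_ip} {previous} -> {sender_mac}")
        bindings[sender_ip] = sender_mac
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(TRACE):
        print(alert)
```

Hosts legitimately send a gratuitous ARP when they boot or change address, so the binding-change alert is the stronger signal; an unsolicited reply on its own warrants a look, not a page.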
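Why the 15-minute challenge reuse on slide #23 matters, shown as an added model rather than the lecture's own material: HMAC-SHA256 over a constructed shared secret stands in for the Win9x hash (the real construction is not modelled), and ShareServer, FakeClock and the user name are assumptions. The same server with a single-use challenge rejects the replayed response.

```python
import hashlib
import hmac
import os

# Constructed share password; in the slide's scenario it is the secret that the
# hashed response proves knowledge of. Not a real Win9x credential.
SECRET = b"constructed-share-password"


def make_response(username: str, challenge: bytes) -> bytes:
    """Client side: keyed hash of username and challenge (model, not the Win9x hash)."""
    return hmac.new(SECRET, username.encode() + challenge, hashlib.sha256).digest()


class FakeClock:
    """Deterministic clock so the example runs the same every time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ShareServer:
    """Server that hands out one challenge per reuse_window seconds.

    reuse_window=900 models the slide's 15-minute behaviour; reuse_window=0 makes
    every challenge single-use, which is the fix.
    """
    def __init__(self, reuse_window: float, clock):
        self.reuse_window = reuse_window
        self.clock = clock
        self._challenge = None
        self._issued_at = None

    def issue_challenge(self) -> bytes:
        now = self.clock()
        if self._challenge is None or now - self._issued_at >= self.reuse_window:
            self._challenge = os.urandom(8)
            self._issued_at = now
        return self._challenge

    def authenticate(self, username: str, response: bytes) -> bool:
        if self._challenge is None:
            return False
        ok = hmac.compare_digest(make_response(username, self._challenge), response)
        if self.reuse_window == 0:
            self._challenge = None  # single-use: never valid for a second connection
        return ok


def replay_accepted(reuse_window: float, delay: float) -> bool:
    """Does a response captured from a legitimate mount still work `delay` seconds later?"""
    clock = FakeClock()
    server = ShareServer(reuse_window, clock)
    response = make_response("alice", server.issue_challenge())
    assert server.authenticate("alice", response)  # the real client is accepted
    clock.advance(delay)
    server.issue_challenge()  # a second connection receives the server's current challenge
    return server.authenticate("alice", response)
```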
#24 Dial-Up Servers
• Can easily provide back door into LAN if dial-up used on a modem connection
• Modem allows password enumeration and guessing, just as on the broadband side
• Intruders can attack what they find
  – Can’t go further because Win9x can’t route network traffic
• VPN now bundled with DUN, so...

#25 Remotely Hacking the Registry
• Win9x does not have built-in remote registry access
• Remote Registry Service is provided on the Win9x distribution CD, and provides this service
  – found in \admin\nettools\remotreg
  – Forces user-level security to be enabled
• Not the easiest hole to create or to exploit

#26 Back Doors - 1
• BackOrifice
  – Creators bill it as a remote admin tool!
  – Allows nearly complete remote control of Win9x systems, including Registry mods
  – UDP-based (default port 31337)
  – You want it?
    • www.bo2k.com
  – You want to find and kill it?
    • www.ultraglobe.com/basement/backorifice/index.shtml

#27 Back Doors - 2
• Net Bus
  – Remote control of Win9x and Win NT
  – TCP based (port 12345 or 20034)
  – Because of TCP basing, more likely to be caught by a firewall (most firewalls don’t worry about UDP)
  – You want it?
    • http://home.t-online.de/TschiTschi/netbus_pro.htm

#28 Back Door Catch-22
• Server software must execute on the target machine -- cannot launch from remote
• How to make this possible?
  – Buffer overflow to push code into target
    • “long attachment filename” bug in Outlook
  – Hostile mobile code
  – Trickery (e.g. Saran Wrap makes BO look like InstallShield)

#29 Built-in / Add-in Problems
• MS Personal Web Server
  – If unpatched, reveals file contents to attackers who know file location and request via nonstandard URL
• Commercial software
  – PCAnywhere
  – LapLink
  – CarbonCopy
These are an attacker’s dreams come true!

#30 Win9x Console-Based Attacks

#31 Reboot
• Win9x has no logon security
• Windows password merely identifies the active user (try clicking “Cancel”)
• Any logon screen is cosmetic -- security doesn’t really mean much here
• If you prefer, reboot from your own floppy disk

#32 Defeat the Screen Saver Password
• CD-ROM Autorun runs under screen saver
  – Polls for CD-ROM insertion
  – If “yes”, runs programs at ‘open=’ in the Autorun.inf file, which can be anything
• Screen saver password
  – Stored in registry
  – Poor encryption, has been broken
  – Easy break-in, somewhat stealthy

#33 Passwords in the Registry
• Many programs store their passwords in the Registry
  – Lots are not even encrypted
  – This is handy if you forget, but also a vulnerability
• Tools available to make password recovery from the Registry simple

#34 Crack Password Files at Leisure
• PWL file found in root partition
• Attacker can download files to a floppy and crack at his convenience
  – copy C:\Windows\*.pwl a:
• Many tools exist to help this effort, e.g.
  – PWL Tool, $75, one-time demo free
    • www.webdon.com

#35 Windows NT Attacks

#36 NT Versus Unix
• NT perceived as insecure
  – But not really more insecure than Unix
• Why?
  – Running code in server processor space can be restricted
  – Interactive console login restricted to a few admin accounts
  – Source code access poor, so few buffer issues
• Issues
  – Backwards compatibility
  – Ease of use

#37 Goal: Become Administrator
• Guessing passwords
• Remote exploits
• Privilege escalation

#38 Guessing Passwords Over the Network
• Manual guessing
  – Requires knowledge of user names
• Automated guessing
  – Requires knowledge of user names
• Eavesdropping
  – Requires network segment access

#39 Manual Password Guessing - 1
• Users tend towards the easiest password: none
• Failing that, passwords are chosen to be easy to remember
• Much software runs under NT user accounts, the names of which become public knowledge after a time, and are usually easily remembered

#40 Manual Password Guessing - 2
• Start with user list
  – DumpACL
  – sid2user
• Open Network Neighborhood or use Find Computer and IP address
• Start making educated guesses to log into a valid user account
• Works, but time-consuming

#41 Automated Password Guessing
• Tools automate the process
  – Legion
  – NetBIOS Auditing Tool
    • Command line use, enables scripting
• Null passwords? Use NTInfo Scan
• CyberCop Scanner is a commercial tool to do this

#42 Eavesdropping
• Requires access to the network segment
• L0phtcrack
  – NT password-guessing tool
  – Usually works offline against the PW file
  – Getting the PW file not a trivial exercise
  – L0phtcrack now includes SMB Packet Capture
    • Listens to network segment
    • Captures login sessions, strips encrypted data
    • Reverse engineers NT password encryption
• Anyone who can eavesdrop can become Administrator within a very short time!

#43 Switched Architecture?
• Social engineering from L0phtcrack:
  – Include following URL in email to target: ////yourcomputer/sharename/message.html
  – Effect is to send PW hashes to you for verification
• L0pht also has sniffer to dump PW hashes from PPTP, a variant of which provides VPN service under NT

#44 Countermeasures
• Block NetBIOS-specific ports
  – Disable TCP & UDP ports 135-139 at the perimeter firewall
  – Disable TCP/IP binding for any adapter connected to public networks
• Enforce password policies
  – Use the User Manager
  – Build good passwords (Passfilt DLL)
  – Use the Passprop tool

#45 More Countermeasures
• Disable LANMAN authentication
  – NT 4.0 SR 4 and later permits a Registry setting to prohibit the NT host from accepting LANMAN
  – This denies the ability to “pass the hash”
  – BUT: earlier client authentications will fail, exposing the LM hash anyway
• Enable SMB signing
  – Requires crypto verification of every SMB packet
  – NT-only solution

#46 Prevention
• Switched networks are to be preferred
  – Remember the L0pht social engineering idea
• Keep Windows 9x and Windows for Workgroups clients off the network
• Enable auditing and logging
  – Analyze the logs routinely!
  – Log full of Logon/Logoff failures probably indicates an automated attack
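The "log full of Logon/Logoff failures" heuristic on slide #46 turned into detection logic, as an added example that is not part of the lecture: a sliding window of failures per source host, raising one alert when the count crosses a threshold and listing how many distinct accounts were tried (many accounts from one host is the automated-guessing pattern of slide #41). The simplified audit-line format, host names and user names are constructed, not real NT event-log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in a simplified Logon/Logoff format (not real NT log output).
# WS-17 produces five failures across four accounts in three seconds; WS-03 produces
# two isolated failures 25 minutes apart, which is ordinary user error.
LOG = """\
2001-03-22 21:04:01 Logon/Logoff Success user=alice from=WS-17
2001-03-22 21:04:09 Logon/Logoff Failure user=bob from=WS-17
2001-03-22 21:04:10 Logon/Logoff Failure user=bob from=WS-17
2001-03-22 21:04:10 Logon/Logoff Failure user=carol from=WS-17
2001-03-22 21:04:11 Logon/Logoff Failure user=dave from=WS-17
2001-03-22 21:04:12 Logon/Logoff Failure user=erin from=WS-17
2001-03-22 21:05:40 Logon/Logoff Failure user=alice from=WS-03
2001-03-22 21:30:00 Logon/Logoff Failure user=alice from=WS-03
"""


def parse_line(line):
    """Return (timestamp, outcome, user, source) from one constructed audit line."""
    date, clock, _category, outcome, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, outcome, kv["user"], kv["from"]


def detect_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source host whose failures inside `window` reach `threshold`.

    Returns a list of (source, failure_count, sorted distinct users) tuples.
    """
    recent = defaultdict(deque)  # source -> deque of (ts, user) failures within window
    fired = set()
    alerts = []
    for line in text.splitlines():
        ts, outcome, user, source = parse_line(line)
        if outcome != "Failure":
            continue
        q = recent[source]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and source not in fired:
            fired.add(source)
            alerts.append((source, len(q), sorted({u for _, u in q})))
    return alerts


if __name__ == "__main__":
    for source, count, users in detect_bursts(LOG):
        print(f"{source}: {count} failures in window, accounts tried: {', '.join(users)}")
```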
#47 What About Intrusion Detection?
• Many tools available
• A good tool can serve as a canary in a coal mine, but
  – Intrusion detection is not a mature technology
  – Detection tends to be based on comparison to known attacks
  – Avoiding the novel is a problem
  – False alarms can raise havoc with routine ops

#48 More Remote Attacks
• Remote buffer overflows
  – Several published overflows in NT
  – Likelihood of severe attacks using this approach growing
• Denial of service
  – Known holes in NT patched--install patches!
  – Probably other holes to be found, especially in Windows 2000, which is a tabula rasa
  – DoS can be used to force reboot, which then triggers execution of malicious code

#49 Privilege Escalation - 1
• Vacuuming up information
  – From non-Admin account, need to identify info that will gain higher privilege
  – Enumerate shares, search for password files, probe the Registry

#50 Privilege Escalation - 2
• getadmin
  – Adds a user to local Administrators group
  – Uses low-level kernel routine to set a flag allowing access to any running process
  – Uses DLL injection to insert malicious code into a process that can add users
  – Must be run locally on target system

#51 Privilege Escalation - 3
• sechole
  – Similar functionality to getadmin
  – secholed puts user in Domain Admins group
  – Modifies OpenProcess API call to attach to a privileged process
  – Must be run locally on target…
  – UNLESS target running IIS, in which case it is possible to launch remotely

#52 Countermeasures
• Apply the patches
• Don’t allow write access to executable directories
• Block ports 135-139 (shuts down Windows file sharing)
• Audit execute privileges on web server filesystem

#53 Buffer Overflows
• Sending oversize ICMP packets
• Sending IIS 3.0 a 4048 byte URL request
• Sending email with 256-character file name attachments to Netscape/MS email clients
• SMB logon to NT with incorrect data size
• Sending Pine user an email with “from” address > 256 characters
• Connect to WinGate POP3 port with user name of 256 characters

#54 Summary
• Windows 9x has no built-in security. This is both a blessing and a curse
• Windows NT can be a reasonably secure operating system if used properly
• There are ways to exploit NT
• Allowing Win9x clients to log onto an NT domain increases security exposure

#55 Homework - 1
1. You are a user on a Windows NT network segment. You want access to the payroll files, which you can obtain either as a member of the Payroll group or the Administrator group. How would you approach breaking into the network to gain access to these files?

#56 Homework - 2
2. Your Windows 2000 network requires that several tens of Windows 98 clients be allowed to connect to it. What security problems do you foresee? How can you mitigate these problems?

#57 Assignment for Next Week
• Next week’s topic: Yet More Network-Based Attacks