Securing Routers Against Hackers and Denial of Service Attacks
Lou Ronnau
[email protected]
© 1999, Cisco Systems, Inc. www.cisco.com

Outline
• IP Refresher
• Attack Types
• Network Layer Attacks
• Transport Layer Attacks
• Application Layer Attacks
• Reconnaissance
• Initial Access
• Questions

IP Refresher

TCP/IP Protocol Stack
OSI Reference Model layers mapped to the IP conceptual layers:
• Application, Presentation, Session → Application
• Transport → Transport
• Network → Internet
• Data Link, Physical → Network Interface (Ethernet, 802.3, 802.5, ATM, FDDI, and so on)

Internet Layer Refresher
Internet layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)
IP datagram fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data

Transport Layer Refresher
Transport layer protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
TCP segment fields: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Option, Data
UDP segment fields: Src Port, Dst Port, Length, Checksum, Data

Port Numbers
• TCP: Telnet 23, SMTP 25, DNS 53, HTTP 80, SSL 443
• UDP: DNS 53, TFTP 69

Application Layer Refresher
• Web Browsing (HTTP, SSL)
• File Transfer (FTP, TFTP, NFS, File Sharing)
• E-Mail (SMTP, POP2, POP3)
• Remote Login (Telnet, rlogin)
• Name Management (DNS)
• Microsoft Networking Services

Attack Types
Attack Types
Attacks are classified by context (header) versus content (data), and by "atomic" (single packet) versus "composite" (multiple packets). Examples: Ping of Death, Port Sweep, SYN Attack, Land Attack, MS IE Attack, TCP Hijacking, Telnet Attacks, E-mail Attacks, Character Mode Attacks.

Attack Types (cont.)
• Reconnaissance – host scan, port scan, SMTP VRFY
• Access – spoofing, session hijacking
• Denial of service – SYN attacks, ping-of-death, teardrop, WinNuke
• Privilege escalation – MS IE %2ASP, ftp cwd ~root

Demystifying Common Attacks (by layer)
• Application – Java, ActiveX, and Script Execution; E-Mail EXPN
• Transport – WinNuke, SYN Flood, UDP Bomb, Port Scan, Land.c
• Internet – Ping Flood, Ping of Death, IP Spoof, Address Scanning, Source Routing
• Network Interface – Sniffer/Decoding, MAC Address Spoofing

Network Layer Attacks

IP Layer Attacks
• IP Options
• IP Fragmentation
• Bad IP packets
• Spoofed Addresses

IP Fragmentation Attacks
IP Fragment Attack
• Offset value too small
• Indicates an unusually small packet
• May bypass some packet filter devices
IP Fragments Overlap
• Offset value indicates overlap
• Teardrop attack

IP Fragmentation
Routers and Internet gateways are stateless devices
Improperly fragmented packets are forwarded normally with other traffic
Catching them requires "stateful inspection"

Bad IP Packet Attacks
Unknown IP Protocol
• Proto = invalid or undefined
Impossible IP Packet
• Same source and destination
• Land attack
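The fragmentation and bad-packet conditions above can all be decided from the IPv4 header alone (or from the set of fragments sharing one datagram ID). The following is an added example, not code from the Cisco deck: it parses an IPv4 header and applies the deck's rules for a land packet (same source and destination), an unknown protocol, an oversized reassembly (last fragment with offset*8 plus payload beyond 65535 bytes) and a tiny first fragment, plus a composite check for overlapping fragments (teardrop). The "tiny fragment" threshold of 8 bytes (not even a full transport header in fragment 0) and the list of known protocols are this example's assumptions, and the packets are constructed with the `build` helper.

```python
import ipaddress
import struct

# Protocols the deck covers; anything else is reported as "unknown" (assumption for this example)
KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
MAX_DATAGRAM = 65535


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the checks need from a raw IPv4 datagram."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),     # "more fragments" flag
        "frag_offset": flags_frag & 0x1FFF,  # in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload_len": total_len - ihl,
    }


def check_single(h: dict) -> list:
    """Atomic checks: conditions visible in one datagram's header."""
    findings = []
    if h["src"] == h["dst"]:
        findings.append("land: same source and destination")
    if h["proto"] not in KNOWN_PROTOCOLS:
        findings.append(f"unknown IP protocol {h['proto']}")
    # Ping of death: the last fragment places data beyond the maximum datagram size.
    # The deck states the rule with the IP length field; the payload is the stricter bound.
    if not h["mf"] and h["frag_offset"] * 8 + h["payload_len"] > MAX_DATAGRAM:
        findings.append("oversized reassembly (ping of death)")
    # Tiny first fragment: fragment 0 too short to carry even an 8-byte transport header
    if h["mf"] and h["frag_offset"] == 0 and h["payload_len"] < 8:
        findings.append("tiny first fragment may evade filters")
    return findings


def check_overlap(fragments: list) -> bool:
    """Composite check over fragments of one datagram (same id/src/dst/proto):
    True when any two fragments claim overlapping byte ranges (teardrop)."""
    spans = sorted((f["frag_offset"] * 8, f["frag_offset"] * 8 + f["payload_len"])
                   for f in fragments)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            return True
    return False


def build(src, dst, proto=1, payload_len=8, mf=False, offset=0):
    """Construct a sample datagram (constructed test data, zero-filled payload)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + b"\x00" * payload_len


if __name__ == "__main__":
    land = parse_ipv4(build("10.1.1.2", "10.1.1.2", proto=6, payload_len=20))
    print(check_single(land))
    pod = parse_ipv4(build("192.0.2.1", "198.51.100.7", offset=8180, payload_len=100))
    print(check_single(pod))
```

The overlap check is the part a stateless router cannot do: it needs every fragment of the datagram, which is why the deck says catching these requires stateful inspection.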
IP Address Spoofing
Source IP address set to that of a trusted host or a nonexistent host
Access lists applied at the source are the only protection
Best applied at the connection to the Internet

Spoofing: Access by Impersonation
Diagram: a host at 172.16.42.84 on the Internet side sends IP (D=10.1.1.2, S=10.1.1.1) toward the inside host 10.1.1.2; access-list 111, applied inbound on Serial 1, denies packets that claim an inside (10.1.0.0/16) or loopback source.

interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any

IP Options
• IP Header – 20 bytes
• IP Options – adds up to 40 additional bytes – only 8 valid options

IP Options (cont.)
Option byte layout: Copy (bit 0), Class (bits 1–2), Option # (bits 3–7), then Length (if used) and Parameters...
Copy: 0 – don't include options in packet fragments; 1 – include options in packet fragments
Class: 0 – Network Control; 2 – Debugging
Option: one of eight valid options
Length: number of bytes in option (if used by option)
Parameters: parameters passed by the option
Last option is always option 0.

IP Options (cont.)
• option #2 rarely used
• option #4 rarely used
• option #7 used to record the route (gateways) that a packet has traversed
• option #8 rarely used
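The anti-spoofing access list on the spoofing slide works because Cisco wildcard masks are "don't care" bit masks evaluated top to bottom with an implicit deny at the end. The following is an added example, not part of the deck and not Cisco code: a small evaluator for extended access-list lines with wildcard masks, loaded with access-list 111 from the slide and run against the spoofed packet (S=10.1.1.1, D=10.1.1.2) and a legitimate external one. The `host` keyword and the packet values other than the slide's are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every protocol
    src: str         # base address in dotted form
    src_wild: str    # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)


def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines (ports are not modelled)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0].lower() != "access-list":
            continue
        action, proto = tok[2].lower(), tok[3].lower()
        src, src_w, rest = _addr(tok[4:])
        dst, dst_w, _rest = _addr(rest)
        entries.append(AclEntry(action, proto, src, src_w, dst, dst_w))
    return entries


def evaluate(entries, src, dst, proto="ip") -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit 'deny'."""
    for e in entries:
        if e.protocol not in ("ip", proto):
            continue
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# The access list from the deck's spoofing slide, applied inbound on the Internet interface
ACL_111 = parse_acl([
    "access-list 111 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 111 deny ip 10.1.0.0 0.0.255.255 any",
    "access-list 111 permit ip any any",
])


def inbound_decision(src: str, dst: str, proto: str = "ip") -> str:
    return evaluate(ACL_111, src, dst, proto)


if __name__ == "__main__":
    print("spoofed S=10.1.1.1  ->", inbound_decision("10.1.1.1", "10.1.1.2"))      # deny
    print("external 172.16.42.84 ->", inbound_decision("172.16.42.84", "10.1.1.2"))  # permit
```

Note that the list only stops packets that claim an inside or loopback source; a spoofed source from some other external network passes the `permit ip any any`, which is why the deck says such filtering is best applied at the source.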
IP option numbers and names:
• 0 – End of Options
• 1 – No Operation
• 2 – Security
• 3 – Loose Source Rte
• 4 – Timestamp
• 7 – Record Route
• 8 – Stream ID
• 9 – Strict Source Rte

IP Source Routing
Two options: #3 loose source routing and #9 strict source routing
Can be used to bypass filters (ACLs)
Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off
Router command: no ip source-route

ICMP Attacks
• ICMP Traffic Records
• Ping Sweeps
• ICMP Attacks

ICMP Query Message
Fields: Type, Code, Checksum, Identifier, Sequence #, Data
Type: 0 – Echo Reply; 8 – Echo Request; 13 – Timestamp Request; 14 – Timestamp Reply; 15 – Information Request; 16 – Information Reply; 17 – Address Mask Request; 18 – Address Mask Reply
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (excluding the checksum itself)

ICMP Query Message (cont.)
• Echo Reply – Type=0
• Echo Request – Type=8
• Timestamp Request – Type=13
• Timestamp Reply – Type=14

ICMP Error Message
Fields: Type, Code, Checksum, Unused, IP Header + 8 bytes of Original Datagram Data
Type: 3 – Destination Unreachable; 4 – Source Quench; 5 – Redirect; 11 – Time Exceeded; 12 – Parameter Problem
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (excluding the checksum itself)
ICMP Error Messages
• Unreachable – Type=3
• Source Quench – Type=4
• Redirect – Type=5
• Time Exceeded – Type=11
• Parameter Problem – Type=12

ICMP Attacks
Fragmented ICMP packet
• Flag = more fragments, or Offset ≠ 0
ICMP Floods
• Many ICMP packets
• To a single host

ICMP Attacks (cont.)
ICMP Smurf attack
• Type=0 (echo reply)
• Many packets
• To a single host
ICMP Ping Of Death
• Flag = last fragment
• Offset*8 + Length > 65535

Smurfs
ICMP echo request with spoofed source address
Destination address set to the network broadcast address of a network (a so-called ping amplifier)
All hosts on the pinged network reply to the spoofed address
Interface command: no ip directed-broadcast

Ping of Death
IP ping > 65535 bytes (ICMP echo request)
Transmitted in fragments
Crashes some operating systems on reassembly

Loki Attack
Loki is a tool used to hide hacker traffic inside an ICMP tunnel. It requires root access.
• Original Loki – Phrack Issue 51
• Modified Loki – ICMP tunneling

Transport Layer Attacks
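Before moving to the transport layer, here is an added example (not from the deck) of the ICMP conditions above as detection logic a sensor beside the router could run: an echo request addressed to a protected network's broadcast address (the smurf amplifier pattern the `no ip directed-broadcast` command stops), a flood of echo replies toward one host within a time window (the smurf victim's view), and one source probing many hosts with the echo, timestamp or address-mask request types (the ping-sweep variants listed later in the deck). The protected subnets, thresholds and the (src, dst, type, time) records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST, TIMESTAMP_REQ, ADDRMASK_REQ = 0, 8, 13, 17
SWEEP_TYPES = {ECHO_REQUEST, TIMESTAMP_REQ, ADDRMASK_REQ}   # the three sweep variants in the deck

# Networks this sensor protects (assumption for the example)
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]


def is_directed_broadcast(dst: str) -> bool:
    """True when dst is the broadcast address of a protected network."""
    a = ipaddress.ip_address(dst)
    return any(a == n.broadcast_address for n in INTERNAL_NETS)


class IcmpMonitor:
    def __init__(self, window=1.0, flood_threshold=100, sweep_threshold=16):
        self.window = window                    # seconds of history kept per key
        self.flood_threshold = flood_threshold  # echo replies to one host inside the window
        self.sweep_threshold = sweep_threshold  # distinct hosts probed by one source inside the window
        self.replies_to = defaultdict(deque)    # dst -> timestamps of echo replies
        self.targets_from = defaultdict(dict)   # src -> {dst: last time a sweep-type request was seen}

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, src: str, dst: str, icmp_type: int, now: float) -> list:
        """Feed one ICMP header summary; returns the alerts it triggers (usually none)."""
        alerts = []
        if icmp_type == ECHO_REQUEST and is_directed_broadcast(dst):
            alerts.append(f"smurf amplification attempt: echo request to broadcast {dst}")
        if icmp_type == ECHO_REPLY:
            dq = self.replies_to[dst]
            dq.append(now)
            self._trim(dq, now)
            if len(dq) >= self.flood_threshold:
                alerts.append(f"ICMP echo-reply flood toward {dst}: {len(dq)} in {self.window}s")
        if icmp_type in SWEEP_TYPES:
            seen = self.targets_from[src]
            seen[dst] = now
            for stale in [d for d, t in seen.items() if now - t > self.window]:
                del seen[stale]
            if len(seen) >= self.sweep_threshold:
                alerts.append(f"ICMP sweep (type {icmp_type}) from {src}: {len(seen)} hosts")
        return alerts


if __name__ == "__main__":
    m = IcmpMonitor()
    print(m.observe("203.0.113.9", "10.1.255.255", ECHO_REQUEST, 0.0))
    for i in range(100):   # constructed smurf reflection: many reflectors, one victim
        for a in m.observe(f"198.51.100.{i % 200 + 1}", "10.1.1.2", ECHO_REPLY, i * 0.005):
            print(a)
```

The flood and sweep rules deliberately key on different things: a smurf victim sees many sources and one destination, a sweep shows one source and many destinations, so the same stream cannot satisfy both by accident.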
TCP Attacks
• TCP Traffic Records
• TCP Port Scans
• TCP Host Sweeps
• Mail Attacks
• FTP Attacks
• Web Attacks
• NetBIOS Attacks
• SYN Flood & TCP Hijack Attacks
• TCP Applications

TCP Port Scans
A TCP Port Scan occurs when one host searches for multiple TCP services on a single host.
• Common scans – use normal TCP-SYN
• Stealth scans – use FIN, SYN-FIN, null, or PUSH – and/or fragmented packets

TCP Port Scan Attacks
• Port Sweep – SYNs to ports < 1024; triggers when the type of sweep can't be determined
• SYN Port Sweep – SYNs to any ports
• Frag SYN Port Sweep – fragmented SYNs to many ports
• FIN port sweep – FINs to ports < 1024
• Frag FIN port sweep – fragmented FINs to ports < 1024
• High port sweep – SYNs to ports > 1023; triggers when the type of sweep can't be determined
• FIN High port sweep – FINs to ports > 1023

TCP Port Scan Attacks (cont.)
• Frag High FIN port sweep – fragmented FINs to ports > 1023
• SYN FIN port sweep – SYN-FINs to any port
• Frag SYN/FIN port sweep – fragmented SYN/FINs to any ports
• Null port sweep – TCPs without SYN, FIN, ACK, or RST to any ports
• Frag Null port sweep – fragmented TCPs without SYN, FIN, ACK, or RST to any ports
• Queso sweep – FIN, SYN/FIN, and a PUSH

TCP Host Sweeps
A TCP Host Sweep occurs when one host searches for a single TCP service on multiple hosts.
• Common scans – use normal TCP-SYN
• Stealth scans – use FIN, SYN-FIN, and null – and/or fragmented packets

TCP Host Sweep Attacks
• SYN host sweep – SYNs to the same port
• Frag SYN host sweep – fragmented SYNs to the same port
• FIN host sweep – FINs to the same port
• Frag FIN host sweep – fragmented FINs to the same port
• NULL host sweep – TCPs without SYN, FIN, ACK, or RST to the same port
• Frag NULL host sweep – fragmented packets without SYN, FIN, ACK, or RST to the same port
• SYN/FIN host sweep – SYN-FINs to the same port
• Frag SYN/FIN host sweep – fragmented SYN-FINs to the same port

SYN Flood and TCP Hijacks
Half-Open SYN attack
• DoS – SYN flood attack
• Ports 21, 23, 25, and 80
TCP Hijacking
• Access – attempt to take over a TCP session

TCP Intercept Protects Networks Against SYN Floods
Sequence: Request Intercepted → Connection Established → Connection Transferred
TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
Can be configured to passively monitor TCP connection requests and respond if a connection fails to get established within a configurable interval
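The passive ("watch") behaviour just described is easiest to understand as a table of half-open connections with a timer and an eviction policy. The following is an added example, not Cisco's implementation: a simplified model of TCP Intercept's watch mode in which each client SYN opens an embryonic entry, the client's handshake ACK completes it, an entry older than the watch timeout is reset, and when the table is full the oldest (or a random) entry is dropped. The defaults of a 30-second watch timeout and oldest-first dropping follow the deck; the table size limit, the `(src, sport, dst, dport)` keys and the flood events are constructed for the example.

```python
import random
from collections import OrderedDict


class TcpInterceptWatch:
    """Model of the watch mode: the router only observes the handshake and intervenes
    when a connection attempt fails to complete in time or the table fills up."""

    def __init__(self, watch_timeout=30.0, max_incomplete=1100, drop_mode="oldest", rng=None):
        self.watch_timeout = watch_timeout    # deck default: 30 seconds
        self.max_incomplete = max_incomplete  # assumption: IOS has its own max-incomplete settings
        self.drop_mode = drop_mode            # deck default: oldest
        self.rng = rng or random.Random(0)
        self.half_open = OrderedDict()        # key -> time the SYN was seen (insertion order kept)
        self.established = set()
        self.resets = []                      # entries the router would reset on the server's behalf

    def _expire(self, now):
        """Reset every embryonic connection that has outlived the watch timeout."""
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.watch_timeout:
                del self.half_open[key]
                self.resets.append(key)

    def _make_room(self):
        """When the table is full, evict according to drop-mode before admitting a new SYN."""
        if len(self.half_open) < self.max_incomplete:
            return
        if self.drop_mode == "random":
            key = self.rng.choice(list(self.half_open))
        else:
            key = next(iter(self.half_open))  # oldest: first inserted
        del self.half_open[key]
        self.resets.append(key)

    def syn(self, key, now):
        """Client SYN seen (key = (src, sport, dst, dport))."""
        self._expire(now)
        if key in self.half_open or key in self.established:
            return
        self._make_room()
        self.half_open[key] = now

    def ack(self, key, now):
        """Client's handshake ACK seen: the connection is complete and left alone."""
        self._expire(now)
        if key in self.half_open:
            del self.half_open[key]
            self.established.add(key)


if __name__ == "__main__":
    w = TcpInterceptWatch(max_incomplete=1000)
    # constructed flood: 2000 SYNs from spoofed sources that will never complete the handshake
    for i in range(2000):
        w.syn((f"198.51.100.{i % 250}", 1024 + i, "10.1.1.2", 80), 0.0)
    legit = ("192.0.2.5", 40000, "10.1.1.2", 80)
    w.syn(legit, 1.0)
    w.ack(legit, 1.5)
    print(len(w.half_open), "half-open,", len(w.resets), "reset,", legit in w.established)
```

The point the simulation makes is that the server never sees more than `max_incomplete` embryonic connections at once, and a legitimate client still gets through while the flood is in progress because its entry is completed before it is old enough to be the eviction victim.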
TCP Intercept
Enable TCP Intercept (global configuration mode)
• access-list access-list-number {deny | permit} tcp any destination destination-wildcard
• ip tcp intercept list access-list-number
Set the TCP Intercept Mode (global configuration mode)
• ip tcp intercept mode {intercept | watch}
Set TCP Intercept Drop Mode
• ip tcp intercept drop-mode {oldest | random}   ;default = oldest
Change the TCP Intercept Timers
• ip tcp intercept watch-timeout seconds   ;default = 30 seconds

TCP Hijacks
TCP hijacking works by correctly guessing sequence numbers
Newer OSes and firewalls eliminate the problem by randomizing sequence numbers
TCP Hijacking Simplex Mode
• One command followed by RST

Land.c Attack
Spoofed packet with SYN flag set
Sent to an open port
SRC addr/port same as DST addr/port
Many operating systems lock up

UDP Attacks
• UDP Traffic Records
• UDP Port Scan
• UDP Attacks
• UDP Applications

UDP Port Scans
• One host searches for multiple UDP services on a single host

UDP Attacks
• UDP flood (disabled) – many UDPs to the same host
• UDP Bomb – UDP length < IP length
• Snork – Src=135, 7, or 19; Dest=135
• Chargen DoS – Src=7 & Dest=19

Reflexive Access Lists
Allows the packet filtering mechanism to remember state
Reflexive ACLs are transparent until activated by matching traffic
• Protocol support – TCP, UDP
• Alternative to the established keyword
• Available in Cisco IOS release 11.3

Reflexive Access Lists (example)
Outgoing connection: source 192.34.56.8 port 1026 → destination 200.150.50.111 port 23, initial sequence # 49091, SYN flag set
1. Router monitors the outgoing connection
2. Creates a dynamic inbound permit ACL entry using the IP addresses and port numbers: permit tcp 200.150.50.111 192.34.56.8 eq telnet

Cisco IOS Firewall Feature Set – Enhanced Security for the Intelligent Internet
Context-Based Access Control (CBAC)
• Stateful, per-application filtering
• Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Denial of Service detection and prevention
Control downloading of Java applets
Real-time alerts
TCP/UDP transaction log
Configuration and management

What Is "Context-Based Access Control" (CBAC)?
Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets authorized for a particular connection only via a temporary ACL

Cisco IOS Context-Based Access Control (CBAC) Application Support
Transparent support for common TCP/UDP Internet services, including:
• WWW, Telnet, SNMP, finger, etc.
• FTP
• TFTP
• SMTP
• Java blocking
• BSD R-cmds
• Oracle SQL Net
• Remote Procedure Call (RPC)
Multimedia applications:
• VDOnet's VDO Live
• RealNetworks' RealAudio
• Intel's Internet Video Phone (H.323)
• Microsoft's NetMeeting (H.323)
• Xing Technologies' Streamworks
• White Pine's CuSeeMe

Cisco IOS Firewall Feature Set
Per-user authentication and authorization ("authentication proxy")
Intrusion detection technology
IP fragmentation defense
Dynamic per-application port mapping
Configurable alerts and audit trail
SMTP-specific attack detection
New CBAC application support
• MS-Networking, MS NetShow

Cisco IOS Firewall: Authentication Proxy
HTTP-initiated authentication
Valid for all types of application traffic
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
Works on any interface type for inbound or outbound traffic

Cisco IOS Firewall: Authentication Proxy Operation
Topology: User – E0 – Cisco IOS Firewall (Cisco 7200 series router) – S0 – ISP and Internet; AAA Server attached to the router
1. User HTTP request
2. Get Uid/Password
3. Authenticate (AAA Server)
4. Download profile, build dynamic ACL on router
5. Refresh/reload URL

Application Layer Attacks

Mail
TCP port 25
Attacks include:
• Reconnaissance
• Access
• DOS

Mail Attacks
• smail attack
• sendmail decode alias
• sendmail invalid recipient
• sendmail SPAM
• sendmail invalid sender
• Majordomo exec bug
• sendmail reconnaissance
• MIME overflow bug
• Archaic sendmail attacks
• Qmail Length Crash
File Transfer Protocol (FTP)
TCP port 21
Attacks include:
• Reconnaissance
• Access

FTP Attacks
• FTP SITE command attempted
• FTP SYST command attempted
• FTP CWD ~root
• FTP Improper address specified
• FTP Improper port specified

Web
TCP port 80
Attacks include:
• Access

Web Attacks
• phf attack
• glimpse server attack
• General cgi-bin attack
• IIS View Source Bug
• IIS Hex View Source Bug
• NPH-TEST-CGI Bug
• TEST-CGI Bug
• IIS DOT DOT VIEW Bug
• IIS DOT DOT EXECUTE Bug
• IIS DOT DOT DENIAL Bug
• campas attack
• .url file requested
• .lnk file requested
• .bat file requested
• HTML file has .url link
• HTML file has .lnk link
• HTML file has .bat link

Web Attacks (cont.)
• php view file Bug
• Webdist Bug
• SGI wrap bug
• Htmlscript Bug
• php buffer overflow
• Performer Bug
• IIS Long URL Crash
• WebSite win-c-sample buffer overflow
• View Source CGI Bug
• MLOG/MYLOG CGI Bug
• Handler CGI Bug
• Webgais Bug
• WebSendmail Bug
• WebSite uploader
• Novell convert bug
• finger attempt
• Count Overflow

DNS Attacks
UDP port 53
Attacks include:
• Reconnaissance
• DNS HINFO Request – potential reconnaissance
• DNS Zone Transfer Request – potential reconnaissance
• DNS Zone Transfer from other port – a port different from 53
• DNS request for all records – all records requested, not just one zone
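Most of the mail, FTP, web and DNS signatures above are recognisable from the application payload plus the destination port, which is how a sensor or the IOS Firewall's SMTP-specific detection would see them. The following is an added example (not from the deck, and not Cisco's signature engine): a handful of those signatures as port-qualified payload rules, plus a minimal DNS question parser for the HINFO, zone transfer and all-records request types. Signature names follow the deck; the matching expressions, the long-URL threshold and the sample payloads are this example's constructions.

```python
import re
import struct

# (signature name from the deck, destination port, pattern applied to the payload)
TCP_SIGNATURES = [
    ("sendmail reconnaissance (VRFY/EXPN)", 25, re.compile(rb"^(VRFY|EXPN)\s", re.I | re.M)),
    ("FTP CWD ~root", 21, re.compile(rb"^CWD\s+~root\b", re.I | re.M)),
    ("FTP SITE command attempted", 21, re.compile(rb"^SITE\s", re.I | re.M)),
    ("FTP SYST command attempted", 21, re.compile(rb"^SYST\b", re.I | re.M)),
    ("phf attack", 80, re.compile(rb"^GET\s+/cgi-bin/phf\b", re.M)),
    ("IIS DOT DOT bug", 80, re.compile(rb"^GET\s+\S*\.\.[/\\]", re.M)),
    ("IIS Long URL Crash", 80, re.compile(rb"^GET\s+\S{4096,}", re.M)),  # threshold is an assumption
]


def check_tcp(dst_port: int, payload: bytes) -> list:
    """Names of every signature whose port matches and whose pattern is found in the payload."""
    return [name for name, port, rx in TCP_SIGNATURES if port == dst_port and rx.search(payload)]


DNS_HINFO, DNS_AXFR, DNS_ANY = 13, 252, 255


def dns_question(payload: bytes):
    """Return (qname, qtype) of the first question in a DNS message (no name compression needed
    in the question section of a query)."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None, None
    i, labels = 12, []
    while payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    qtype = struct.unpack("!H", payload[i + 1:i + 3])[0]
    return ".".join(labels), qtype


def check_dns(src_port: int, payload: bytes) -> list:
    """The deck's DNS reconnaissance signatures, keyed on the question type and source port."""
    _name, qtype = dns_question(payload)
    findings = []
    if qtype == DNS_HINFO:
        findings.append("DNS HINFO request")
    if qtype == DNS_AXFR:
        findings.append("DNS zone transfer request")
        if src_port != 53:
            findings.append("DNS zone transfer from other port")
    if qtype == DNS_ANY:
        findings.append("DNS request for all records")
    return findings


def build_query(name: str, qtype: int) -> bytes:
    """Construct a minimal DNS query (constructed sample data for the checks above)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print(check_tcp(25, b"HELO probe\r\nVRFY root\r\n"))
    print(check_tcp(21, b"USER anonymous\r\nCWD ~root\r\n"))
    print(check_dns(1234, build_query("example.com", DNS_AXFR)))
```

Tying each rule to a destination port is what keeps a command word such as `SITE` in an unrelated protocol from firing the FTP signature; the DNS checks show the other common sensor technique, decoding the protocol far enough to read one field rather than pattern-matching bytes.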
Application Exploit Attacks
• Sun Kill Telnet DOS – port 23
• Finger Bomb – port 79
• rlogin -froot – port 513
• Imap Authenticate Overflow – port 143
• Imap Login Overflow – port 143
• Pop Overflow – port 110

Application Exploit Attacks (cont.)
• Inn Overflow – port 119
• IOS Command History Exploit – port 25
• Inn Control Message – port 119
• Cisco IOS Identity – port 1999
• IOS Telnet buffer overflow – port 23

Server Message Blocks (SMB)
• Native NT file-sharing protocol
• Samba is the UNIX port of SMB
• Common Internet File System (CIFS) – extension of SMB

SMB TCP/UDP Ports
• 135 – Remote Procedure Call Service
• 137 – NetBIOS Name Service (UDP)
• 138 – NetBIOS Datagram Service (UDP)
• 139 – NetBIOS Session Service

NetBIOS
TCP port 139
Attacks include:
• Reconnaissance
• Access
• DOS

NetBIOS Attacks
• NETBIOS OOB data
• NETBIOS Stat
• NETBIOS Session Setup Failure
• Windows Guest login
• Windows Null Account Name
• Windows Password File Access
• Windows Registry Access
• Windows RedButton

TCP Application Attacks
TCP application attacks are attacks against various TCP applications.
Capture password file
• FTP "RETR passwd"
loadmodule Attack
• Telnet "IFS=/"
• Rlogin "IFS=/"
Planting .rhosts
• Telnet "+ +"
• Rlogin "+ +"
Accessing shadow passwd
• Telnet "/etc/shadow"
• Rlogin "/etc/shadow"

UDP Application Attacks
Back Orifice
• port 31337
Tftp passwd file attempt
• port 69

RPC Services
Applications do not use well-known ports
• Use portmapper – registers applications – TCP/UDP port 111
Exchange shown: client (port 2488) sends GET PORT # to the portmapper on port 111; the server answers USE PORT # 2049; the client then sends its NFS REQUEST to port 2049
Attacks include:
• Reconnaissance
• Access
• DOS

RPC Attacks
• RPC port registration – remotely registering a service that is not running
• RPC port unregistration – remotely unregistering a running service
• RPC dump – rpcinfo -p <host>
• Proxied RPC request – bypasses RPC authentication

RPC Attacks (cont.)
RPC Port Sweeps
• Request service on many ports on the same host
• Stealth reconnaissance
Services swept: RSTATD, RUSERSD, NFS, MOUNTD, YPPASSWD, SELECTION SVC, REXD, STATUS, TTDB

RPC Attacks (cont.)
Portmapper Requests
• Requests for services known to be exploited
• In most cases should not be used
• If needed, filter signatures
Services: ypserv, ypbind, yppasswd, ypupdated, ypxfrd, mountd, rexd

RPC Attack (cont.)
rexd attempt
• Accessing rexd
• Allows remotely running commands
• Should not be allowed
• Unknown by some administrators
RPC services with buffer overflow vulnerabilities: statd, ttdb, mountd

Ident Attacks
Ident is a protocol to prevent hostname, address, and username spoofing.
• TCP port 113
Ident buffer overflow
• IDENT reply too large
Ident newline
• IDENT reply with newline plus more data
Ident improper request
• IDENT request too long or non-existent ports

IP Servers on Routers
Router commands to turn off services:
no service tcp-small-servers
no service udp-small-servers
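The three ident signatures above map directly onto the protocol's fixed line format (RFC 1413: the client sends "port , port", the server answers "port , port : USERID : os : user" or "port , port : ERROR : code"). The following is an added example, not from the deck: a validator for ident requests and replies that reports the three conditions listed. The 512-octet limits come from RFC 1413; the sample lines are constructed.

```python
import re

MAX_REQUEST = 512   # RFC 1413: request line at most 512 characters including CRLF
MAX_REPLY = 512     # RFC 1413: response at most 512 characters including CRLF
REQUEST_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*\r?\n?$")


def check_ident_request(line: bytes) -> list:
    """Signature 'Ident improper request': too long, malformed, or impossible port numbers."""
    findings = []
    if len(line) > MAX_REQUEST:
        findings.append("Ident improper request: request too long")
    m = REQUEST_RE.match(line)
    if not m:
        findings.append("Ident improper request: not of the form 'port , port'")
        return findings
    for p in m.groups():
        if not 1 <= int(p) <= 65535:
            findings.append(f"Ident improper request: non-existent port {p.decode()}")
    return findings


def check_ident_reply(data: bytes) -> list:
    """Signatures 'Ident buffer overflow' and 'Ident newline', applied to everything the
    ident server sent back for one query."""
    findings = []
    if len(data) > MAX_REPLY:
        findings.append("Ident buffer overflow: reply too large")
    first_end = data.find(b"\n")
    if first_end != -1 and data[first_end + 1:].strip():
        findings.append("Ident newline: reply with newline plus more data")
    return findings


def parse_ident_reply(line: bytes):
    """Split a well-formed reply into its fields; None when it is neither USERID nor ERROR."""
    parts = [p.strip() for p in line.split(b":")]
    if len(parts) >= 4 and parts[1].upper() == b"USERID":
        return {"ports": parts[0], "os": parts[2], "user": b":".join(parts[3:])}
    if len(parts) >= 3 and parts[1].upper() == b"ERROR":
        return {"ports": parts[0], "error": parts[2]}
    return None


if __name__ == "__main__":
    print(check_ident_request(b"6191, 23\r\n"))
    print(check_ident_request(b"0, 70000\r\n"))
    print(check_ident_reply(b"6191, 23 : USERID : UNIX : joe\r\nextra line\r\n"))
    print(parse_ident_reply(b"6191, 23 : USERID : UNIX : joe\r\n"))
```

The same length checks are what a router-side `no ip identd` avoids having to get right at all: the deck's hardening list turns the service off rather than trusting its parser.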
Trust Exploits
• Spoofing Trusted User
• Spoofing Trusted Host
• Planting ~/.rhosts or hosts.equiv via Alternate Methods

Reconnaissance

Reconnaissance
Unauthorized discovery and mapping of systems, services, or vulnerabilities

Reconnaissance Methods
• Common commands or administrative utilities – nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl, and so on
• Hacker tools – SATAN, NMAP, custom scripts, and so on

Discovering the Targets
• Know thy target – domain name, IP address space (e.g., victim.com, 192.168.X.X) – whois, nslookup
• Ping Sweeps – network mapping – identify potential targets

Ping Sweeps
• ICMP network sweep with Echo – Type=8
• ICMP network sweep with Timestamp – Type=13
• ICMP network sweep with Address Mask – Type=17

Port Scans
• Port Scans (Probing) – determine services being offered (e.g., telnet, ftp, http, etc.)
• Post Port Scan – determine operating system information – determine other information (e.g., usernames, hostnames, etc.)

TCP Port Scans
Many OSes haven't implemented TCP/IP according to the letter of the "law" (the RFCs)
They respond differently to TCP packets with various flags set
Network Address Translation
Diagram: inside network host 10.1.1.2 – router (outside address 132.22.2.1) – INTERNET. Translation table: Inside Local IP Address 10.1.1.2 → Inside Global IP Address 132.22.2.100; 10.1.1.3 → 132.22.2.101
• Hides internal addresses
• Provides dynamic or static translation of private addresses to registered IP addresses
• Supports true NAT, Overload (same as PAT), and

Network Address Translation
Each translation consumes approximately 160 bytes of memory
PAT (overload) translations limited to 4000 entries
Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload
Application support for those that DO carry source and/or destination IP addresses in the payload:
• ICMP, FTP (including port and pasv commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS 'A' and 'PTR' records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)

Initial Access

Access
Unauthorized data manipulation, system access, or privilege escalation

Access Methods
• Exploit easily guessed passwords
– Brute force
– Cracking tools
• Exploit mis-administered services
– IP services (anonymous ftp, tftp, remote registry access, nis, and so on)
– Trust relationships (spoofing, r-services, and so on)
– File sharing (NFS, Windows File Sharing)

Access Methods (cont.)
• Exploit application holes
– Mishandled input data: access outside the application domain, buffer overflows, race conditions
– Protocol weaknesses: fragmentation, TCP session hijack
• Trojan horses
– Programs to plant a backdoor into a host

Backdoors
• BackOrifice
– Win 95/98 server only
– Windows and Unix clients
– Configurable ports (default UDP 31337)
– Encrypted communications
• BackOrifice – ButtPlugs
– Allow new features to be added easily

Backdoors (cont.)
• NetBus (Freeware)
– Remote administration tool
– Listens on TCP ports 12345, 12346
– Trojan program
– Runs on Win95/98 and NT

Denial of Service Methods
• Resource Overload
– Disk space, bandwidth, buffers, ...
– Ping flood: smurf, ...
– SYN floods: neptune, synk4, ...
– Packet storms: UDP bombs, fraggle, ...
• Out of Band Data Crash
– Oversized packets: ping of death, ...
– Overlapped packets: winnuke, ...
– Un-handled data: teardrop, ...

Other Areas to Consider
Disable:
• IP helper addresses: no ip helper-address
• IP broadcasting: no ip broadcast-address, no ip directed-broadcast
• Source routing: no ip source-route
• r-commands: no ip rcmd rcp-enable, no ip rcmd rsh-enable
• IDENT: no ip identd
• CDP: no cdp run
• Dynamic circuits: no frame-relay inverse-arp
• Other "features": no ip proxy-arp, no ip redirects

More Info
• http://www.2600.com/
• http://www.cultdeadcow.com/
• http://www.l0pht.com/
• http://www.hackernews.com/
• http://www.cert.org/
• http://www.sans.org/
• http://www.rootshell.com/
• http://www.securityfocus.com/
• http://www.cisco.com/security

In Summary ...
May You Live in Interesting Times!!
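The hardening commands in "Other Areas to Consider" and "IP Servers on Routers" are easiest to keep honest by auditing a saved configuration against them. The following is an added example, not a Cisco tool and not from the deck: it splits an IOS-style configuration into global lines and interface stanzas, then reports every hardening line from those two slides that is absent, distinguishing global commands from the per-interface ones. The rule table, the sample configuration and the scope assigned to each command are this example's constructions. One caveat a practitioner should keep in mind: where a `no ...` form is the platform default it may not be displayed in the saved configuration, so a "missing" report there means "not explicitly set", not necessarily "enabled".

```python
# (description, required configuration line, scope)
# "global" lines are checked once; "interface" lines are checked under every interface stanza.
RULES = [
    ("source routing",     "no ip source-route",           "global"),
    ("TCP small servers",  "no service tcp-small-servers", "global"),
    ("UDP small servers",  "no service udp-small-servers", "global"),
    ("CDP",                "no cdp run",                   "global"),
    ("IDENT",              "no ip identd",                 "global"),
    ("rcp",                "no ip rcmd rcp-enable",        "global"),
    ("rsh",                "no ip rcmd rsh-enable",        "global"),
    ("directed broadcast", "no ip directed-broadcast",     "interface"),
    ("proxy ARP",          "no ip proxy-arp",              "interface"),
    ("ICMP redirects",     "no ip redirects",              "interface"),
]


def parse_config(text: str):
    """Split a configuration into (global_lines, {interface_name: [lines]}).
    Indented lines belong to the preceding 'interface' stanza; '!' ends a stanza."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str) -> list:
    """Return (scope, description, required line) for every hardening line not present."""
    global_lines, interfaces = parse_config(text)
    missing = []
    for desc, required, scope in RULES:
        if scope == "global":
            if required not in global_lines:
                missing.append(("global", desc, required))
        else:
            for name, lines in interfaces.items():
                if required not in lines:
                    missing.append((name, desc, required))
    return missing


# Constructed sample configuration, loosely based on the interfaces in the spoofing slide
SAMPLE_CONFIG = """\
!
hostname edge-router
no ip source-route
no service tcp-small-servers
!
interface Serial1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface Ethernet0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
 no ip proxy-arp
!
"""

if __name__ == "__main__":
    for scope, desc, required in audit(SAMPLE_CONFIG):
        print(f"{scope:12s} missing {desc}: add '{required}'")
```

Running it on the sample reports the five global lines the config never set, `no ip proxy-arp` and `no ip redirects` on Serial1, and `no ip redirects` on Ethernet0/0; the output lines are the exact commands to add.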