Objectives
Describe the role of an ethical hacker
Describe what you can do legally as an ethical hacker
Describe what you cannot do as an ethical hacker
Introduction to Ethical Hacking
Ethical hackers
Employed by companies to perform penetration tests
Penetration test
Legal attempt to break into a company’s network to find its weakest link
Tester only reports findings, does not solve problems
Security test
More than an attempt to break in; also includes analyzing company’s security policy and procedures
Tester offers solutions to secure or protect the network
The Role of Security and Penetration Testers
Hackers
• Access a computer system or network without authorization
• Break the law; can go to prison
Crackers
• Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers
Ethical hacker
• Performs most of the same activities but with owner’s permission
The Role of Security and Penetration Testers
Script kiddies or packet monkeys
• Young, inexperienced hackers
• Copy code and techniques from knowledgeable hackers
Experienced penetration testers write programs or scripts using these languages
• Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others
Script
• Set of instructions that runs in sequence
It Takes Time to Become a Hacker
• This class alone won’t make you a hacker, or an expert
It might make you a script kiddie
• It usually takes years of study and experience to earn respect in the hacker community
• It’s a hobby, a lifestyle, and an attitude
A drive to figure out how things work
The Role of Security and Penetration Testers
Tiger box
• Collection of OSs and hacking tools
• Usually on a laptop
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
Penetration-Testing Methodologies
White box model
• Tester is told everything about the network topology and technology
(Figure: a floor plan)
Penetration-Testing Methodologies
Black box model
• Company staff does not know about the test
• Tester is not given details about the network
▪ Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack
Penetration-Testing Methodologies
Gray box model
• Hybrid of the white and black box models
• Company gives tester partial information
Certification Programs for Network Security Personnel
Certification programs available in almost every area of network security
Basics:
• CompTIA Security+ (CNIT 120)
• Network+ (CNIT 106 or 201)
Objectives
Describe the TCP/IP protocol stack
Explain the basic concepts of IP addressing
Explain the binary, octal, and hexadecimal numbering systems
Overview of TCP/IP
Protocol
Common language that computers use to communicate with one another
Transmission Control Protocol/Internet Protocol (TCP/IP)
Most widely used protocol
TCP/IP stack
Contains four different layers
Network
Internet
Transport
Application
TCP Header Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Demonstration
Wireshark Packet Sniffer
TCP Handshake: SYN, SYN/ACK, ACK
TCP Ports
TCP Status
Flags
Wireshark Capture of a PING
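As an added example (not from the slides or the textbook), the following Python decodes the header fields drawn in the diagram above from raw bytes, verifies the checksum the way TCP defines it (over a pseudo-header plus the segment), and labels the three segments of a constructed handshake as SYN, SYN/ACK and ACK. The IP addresses, ports and sequence numbers are constructed for the example; nothing here is captured from a real network.

```python
import struct

# Flag bits of the 16-bit "data offset / reserved / flags" word (URG ACK PSH RST SYN FIN)
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment):
    """Decode the fixed 20-byte header shown in the diagram; options and payload follow it."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (offset is in 32-bit words)
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }

def handshake_step(flags):
    """Name the three-way-handshake step a flag set belongs to, or 'other'."""
    s = set(flags)
    if s == {"SYN"}:
        return "SYN"
    if s == {"SYN", "ACK"}:
        return "SYN/ACK"
    if s == {"ACK"}:
        return "ACK"
    return "other"

def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry, as used by the IP family of checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header (src, dst, zero, protocol 6, TCP length) plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_segment(src_port, dst_port, seq, ack, flags, src_ip, dst_ip, window=65535, payload=b""):
    """Assemble a 20-byte header plus payload with a correct checksum (used to build the constructed sample)."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)
    seg = header + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

# Constructed sample: client 10.0.0.5:40000 opens a connection to 147.144.20.1:80
CLIENT_IP = bytes([10, 0, 0, 5])
SERVER_IP = bytes([147, 144, 20, 1])
SAMPLE_HANDSHAKE = [
    build_segment(40000, 80, 1000, 0, ["SYN"], CLIENT_IP, SERVER_IP),
    build_segment(80, 40000, 5000, 1001, ["SYN", "ACK"], SERVER_IP, CLIENT_IP),
    build_segment(40000, 80, 1001, 5001, ["ACK"], CLIENT_IP, SERVER_IP),
]

def verify_handshake(segments, client_ip, server_ip):
    """Check every checksum and return the handshake steps in order (client sends the even-numbered segments)."""
    steps = []
    for i, seg in enumerate(segments):
        src, dst = (client_ip, server_ip) if i % 2 == 0 else (server_ip, client_ip)
        hdr = parse_tcp_header(seg)
        if tcp_checksum(src, dst, seg) != hdr["checksum"]:
            raise ValueError("bad checksum in segment %d" % i)
        steps.append(handshake_step(hdr["flags"]))
    return steps

if __name__ == "__main__":
    print(verify_handshake(SAMPLE_HANDSHAKE, CLIENT_IP, SERVER_IP))
```

The checksum check matters to a defender because a crafted segment with a stale or wrong checksum is dropped by the receiving stack but still shows up in a capture; Wireshark flags such segments, and this is the arithmetic behind that flag.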
IP Addressing
Consists of four bytes, like 147.144.20.1
Two components
Network address
Host address
Neither portion may be all 1s or all 0s
Classes
Class A
Class B
Class C
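As an added example (not part of the slides), this Python applies the classful scheme just listed: it reads the class from the first octet, splits an address such as 147.144.20.1 into network and host portions with the class's default mask, and checks the rule that the host portion may be neither all 0s (the network address) nor all 1s (the broadcast address). The addresses used are constructed for the example.

```python
import ipaddress

# Default prefix lengths of the classful scheme (class A /8, class B /16, class C /24)
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}

def ip_class(address):
    """Class from the first octet: 0-127 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"   # multicast: no network/host split
    return "E"       # reserved

def split_address(address):
    """Split a classful address into network and host portions and apply the all-0s / all-1s rule."""
    cls = ip_class(address)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"{address} is class {cls}, which has no network/host split")
    prefix = CLASS_PREFIX[cls]
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    host_bits = 32 - prefix
    host_id = int(ipaddress.ip_address(address)) & ((1 << host_bits) - 1)
    if host_id == 0:
        note = "host portion all 0s: this is the network address"
    elif host_id == (1 << host_bits) - 1:
        note = "host portion all 1s: this is the broadcast address"
    else:
        note = "assignable host address"
    return {
        "class": cls,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "host_id": host_id,
        "usable_host": note.startswith("assignable"),
        "note": note,
    }

if __name__ == "__main__":
    for sample in ("147.144.20.1", "10.0.0.0", "192.168.1.255"):   # constructed inputs
        print(sample, split_address(sample))
```

Classless addressing (CIDR) replaced these fixed boundaries, so in practice the mask comes from the configuration rather than the first octet; the all-0s / all-1s rule still applies to whatever host portion the mask leaves.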
Objectives
Describe the different types of malicious software
Describe methods of protecting against malware attacks
Describe the types of network attacks
Identify physical security attacks and vulnerabilities
Malicious Software (Malware)
Network attacks prevent a business from operating
Malicious software (malware) includes
• Viruses
• Worms
• Trojan horses
Goals
• Destroy data
• Corrupt data
• Shut down a network or system
Viruses
A virus attaches itself to an executable file
• Can replicate itself through an executable program
• Needs a host program to replicate
No foolproof method of preventing them
Antivirus Software
Detects and removes viruses
Detection based on virus signatures
Must update signature database periodically
Use automatic update feature
Base 64 Encoding
Used to evade anti-spam tools, and to obscure passwords
Encodes six bits at a time (values 0 – 63) with a single ASCII character
A – Z: 0 – 25
a – z: 26 – 51
0 – 9: 52 – 61
+ and /: 62 and 63
See links Ch 3a, 3b
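As an added example (not from the slides), this Python implements the six-bits-per-character scheme by hand with the standard alphabet (RFC 4648: A-Z, a-z, 0-9, then "+" and "/" for 62 and 63; the URL-safe variant substitutes "-" and "_"), cross-checks it against Python's base64 module, and shows why "obscured" is not "encrypted": anyone holding the string can decode it. The sample strings are constructed.

```python
import base64

# Standard base64 alphabet: A-Z = 0-25, a-z = 26-51, 0-9 = 52-61, "+" = 62, "/" = 63
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE = {c: i for i, c in enumerate(ALPHABET)}

def b64encode_manual(data):
    """Take six bits at a time and emit one alphabet character per group; '=' pads to a multiple of four characters."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * ((-len(bits)) % 6)            # zero-fill the last partial six-bit group
    chars = "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return chars + "=" * ((3 - len(data) % 3) % 3)

def b64decode_manual(text):
    """Reverse the process: six bits per character, regrouped into bytes, fill bits dropped."""
    stripped = text.rstrip("=")
    if any(c not in DECODE for c in stripped):
        raise ValueError("not base64")
    bits = "".join(f"{DECODE[c]:06b}" for c in stripped)
    bits = bits[: len(bits) - len(bits) % 8]      # leftover bits are padding, not data
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def matches_stdlib(data):
    """Cross-check the hand-rolled codec against the standard library for one input."""
    encoded = b64encode_manual(data)
    return encoded == base64.b64encode(data).decode() and b64decode_manual(encoded) == data

def reveal(text):
    """Base64 is an encoding, not encryption: return the original text, or None if it is not base64/UTF-8."""
    try:
        return b64decode_manual(text).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    token = b64encode_manual(b"password")       # constructed sample input
    print(token, "->", reveal(token))
```

A base64 string stands out in mail or logs by its alphabet and trailing "=" padding, which is why filters that decode attachments and headers before matching catch what a plain signature on the raw text misses.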
Viruses (continued)
Commercial base 64 decoders
Shell
Executable piece of programming code
Should not appear in an e-mail attachment
Firewalls
Identify traffic on uncommon ports
Can block this type of attack, if your firewall filters outgoing traffic
Windows XP SP2’s firewall does not filter outgoing traffic
Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
Trojan programs can use known ports to get through firewalls
HTTP (TCP 80) or DNS (UDP 53)
Trojan Demonstration
Make a file with command-line Windows commands
Save it as C:\Documents and Settings\username\cmd.bat
Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
Improved Trojan
Resets the administrator password
Almost invisible to user
Works in Win XP, but not so easy in Vista
Objectives
Footprinting
Describe DNS zone transfers
Identify the types of social engineering
Footprinting
Using Web Tools for Footprinting
“Case the joint”
• Look over the location
• Find weaknesses in security systems
• Types of locks, alarms
In computer jargon, this is called footprinting
• Discover information about
The organization
Its network
Scan Results
In Paros:
• Analyze
• Scan
Finds security risks in a site
Again, don’t scan sites without permission!
Bugnosis is gone
Objectives
Describe port scanning
Describe different types of port scans
Describe various port-scanning tools
Explain what ping sweeps are used for
Explain how shell scripting is used to automate security tasks
Introduction to Port Scanning
Port Scanning
• Finds out which services are offered by a host
• Identifies vulnerabilities
Open services can be used in attacks
• Identify a vulnerable port
• Launch an exploit
Scan all ports when testing
• Not just well-known ports
AW Security Port Scanner
A commercial tool to identify vulnerabilities
Port scanning programs report
• Open ports
• Closed ports
• Filtered ports
• Best-guess assessment of which OS is running
Is Port Scanning Legal?
The legal status of port scanning is unclear
• If you have permission, it's legal
• If you cause damage of $5,000 or more, it may be illegal
• For more, see links Ch 5a and Ch 5b
Types of Port Scans
Normal TCP Handshake
Client → Server: SYN
Client ← Server: SYN/ACK
Client → Server: ACK
• After this, you are ready to send data
SYN scan
• Open
SYN/ACK response from server
Client then sends RST
• Filtered
No response from server
Connect scan
• Completes the three-way handshake
• Not stealthy; appears in log files
• Three states
Closed
RST response from server
Open
SYN/ACK response from server
Client sends ACK
Client sends RST
Filtered
No response from server
NULL scan
• All the packet flags are turned off
• Two results:
Closed ports reply with RST
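Each scan type above leaves the same footprint on the target side: one source sending initial probes to many distinct ports in a short time. As an added example (not part of the slides), this Python runs that check over a few constructed firewall log lines using a sliding time window per source. The log format, its "flags=" field, the addresses and the thresholds are all assumptions of the example, not any real firewall's syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption of this example):
# <ISO timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport> flags=<tcp flags>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

# Constructed sample: 198.51.100.4 is an ordinary web client; 203.0.113.7 probes seven ports in three seconds
SAMPLE_LOG = """\
2024-05-01T12:00:00 ACCEPT TCP 198.51.100.4:50212 -> 10.0.0.5:80 flags=S
2024-05-01T12:00:01 DROP TCP 203.0.113.7:41000 -> 10.0.0.5:21 flags=S
2024-05-01T12:00:01 ACCEPT TCP 203.0.113.7:41001 -> 10.0.0.5:22 flags=S
2024-05-01T12:00:01 DROP TCP 203.0.113.7:41002 -> 10.0.0.5:23 flags=S
2024-05-01T12:00:02 DROP TCP 203.0.113.7:41003 -> 10.0.0.5:25 flags=S
2024-05-01T12:00:02 ACCEPT TCP 203.0.113.7:41004 -> 10.0.0.5:80 flags=S
2024-05-01T12:00:02 DROP TCP 203.0.113.7:41005 -> 10.0.0.5:110 flags=S
2024-05-01T12:00:03 ACCEPT TCP 203.0.113.7:41006 -> 10.0.0.5:443 flags=S
2024-05-01T12:00:05 ACCEPT TCP 198.51.100.4:50213 -> 10.0.0.5:443 flags=S
2024-05-01T12:00:09 ACCEPT TCP 198.51.100.4:50214 -> 10.0.0.5:80 flags=A
""".splitlines()

# Flag values that mark the first packet of a probe: a bare SYN (SYN and connect scans)
# or no flags at all (NULL scan, written as "none" in this constructed format)
PROBE_FLAGS = {"S", "none"}

def detect_scans(lines, window_seconds=60, min_ports=5):
    """Flag sources that probe at least `min_ports` distinct ports within `window_seconds`.

    One alert per source; it is updated as further probes arrive, so the final port
    list covers the whole scan rather than only the probes that first crossed the threshold.
    """
    recent = defaultdict(deque)   # src -> (timestamp, dport) events still inside the window
    alerts = {}                   # src -> alert dict
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["flags"] not in PROBE_FLAGS:
            continue              # malformed line, or not an initial probe (e.g. a later ACK)
        ts = datetime.fromisoformat(m["ts"])
        src, dport = m["src"], int(m["dport"])
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        ports = sorted({p for _, p in q})
        if len(ports) >= min_ports:
            alert = alerts.setdefault(src, {"src": src, "first": q[0][0].isoformat()})
            alert["ports"] = ports
            alert["last"] = ts.isoformat()
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Counting only initial probes (not every packet) keeps a busy but legitimate client on two ports from tripping the rule; the window and port-count thresholds are what you tune against your own baseline traffic.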
Nessus Plug-ins
Hping
Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
www.hping.org/download
Powerful tool
• All security testers must be familiar with this tool
Supports many parameters (command options)
• See links Ch 5m, Ch 5n
Broadcast Addresses
If you PING a broadcast address, that can create a lot of traffic
Normally the broadcast address ends in 255
But if your LAN is subnetted with a subnet mask like 255.255.255.192
• There are other broadcast addresses ending in 63, 127, and 191
Smurf Attack
Pinging a broadcast address on an old network resulted in a lot of ping responses
So just put the victim's IP address in the "From" field
• The victim is attacked by a flood of pings, none of them directly from you
Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks
Windows XP and Ubuntu don't respond to broadcast PINGs
See links Ch 5o, 5p
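The broadcast addresses listed above, and the amplification a smurf attack relies on, both follow from the subnet mask. As an added example (not from the slides), this Python uses the standard ipaddress module to list every directed-broadcast address of a subnetted block, estimates how many hosts could answer a single broadcast ping, and flags echo requests aimed at those addresses in a constructed capture. The 147.144.20.0/24 block, the mask and the capture records are constructed for the example.

```python
import ipaddress

def subnet_broadcasts(block, mask):
    """Directed-broadcast address of every subnet that `block` splits into under `mask`."""
    net = ipaddress.ip_network(block, strict=False)
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return [str(sub.broadcast_address) for sub in net.subnets(new_prefix=new_prefix)]

def responders_per_subnet(mask):
    """Hosts that could answer one broadcast ping in a subnet of this size (all addresses minus network and broadcast)."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return (1 << (32 - prefix)) - 2

# Constructed ICMP echo-request records (src, dst) as a capture might list them
SAMPLE_ECHO_REQUESTS = [
    ("147.144.20.10", "147.144.20.1"),     # ordinary host-to-host ping
    ("203.0.113.9", "147.144.20.63"),      # outside source to a /26 broadcast address
    ("147.144.20.77", "147.144.20.255"),   # internal source to the /24 broadcast address
    ("147.144.20.10", "147.144.20.130"),   # a host address, not a broadcast
]

def flag_broadcast_pings(requests, block, mask):
    """Return the echo requests whose destination is any directed-broadcast address of the subnetted block."""
    targets = set(subnet_broadcasts(block, mask))
    return [(src, dst) for src, dst in requests if dst in targets]

if __name__ == "__main__":
    print(subnet_broadcasts("147.144.20.0/24", "255.255.255.192"))
    print(responders_per_subnet("255.255.255.192"), "possible responders per /26")
    print(flag_broadcast_pings(SAMPLE_ECHO_REQUESTS, "147.144.20.0/24", "255.255.255.192"))
```

With a /26 mask the block has four broadcast addresses (.63, .127, .191, .255), each with up to 62 possible responders; a border router that does not forward directed broadcasts, and hosts that ignore broadcast echo requests, are what remove that multiplier.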
Objectives
Describe the enumeration step of security testing
Enumerate Microsoft OS targets
Enumerate NetWare OS targets
Enumerate *NIX OS targets
Introduction to Enumeration
Enumeration extracts information about:
• Resources or shares on the network
• User names or groups assigned on the network
• Last time user logged on
• User’s password
Before enumeration, you use port scanning and footprinting
• To determine the OS being used
Enumeration is an intrusive process
NBTscan
NBT (NetBIOS over TCP/IP)
• is the Windows networking protocol
• used for shared folders and printers
NBTscan
• Tool for enumerating Microsoft OSs
Enumerating Microsoft Operating Systems
Study OS history
• Knowing your target makes your job easier
Many attacks that work for older Windows OSs still work with newer versions
Windows 95
The first Windows version that did not start with DOS
Still used the DOS kernel to some extent
Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files
Introduced Plug and Play and ActiveX
Used FAT16 file system
Windows 98 and ME
More Stable than Win 95
Used FAT32 file system
Win ME introduced System Restore
Win 95, 98, and ME are collectively called "Win 9x"
Windows NT 3.51 Server/Workstation
No dependence on DOS kernel
Domains and Domain Controllers
NTFS File System to replace FAT16 and FAT32
Much more secure and stable than Win9x
Many companies still use Win NT Server Domain Controllers
Win NT 4.0 was an upgrade
DumpSec
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the following information
• Permissions for shares
• Permissions for printers
• Permissions for the Registry
• Users in column or table format
• Policies and rights
• Services
Objectives
Explain basic programming concepts
Write a simple C program
Explain how Web pages are created with HTML
Describe and create basic Perl programs
Explain basic object-oriented programming concepts
Introduction to Computer Programming
Computer programmers must understand the rules of programming languages
• Programmers deal with syntax errors
One minor mistake and the program will not run
• Or worse, it will produce unpredictable results
Being a good programmer takes time and patience
Computer Programming Fundamentals
Fundamental concepts
• Branching, Looping, and Testing (BLT)
• Documentation
Function
• Mini program within a main program that carries out a task
Branching, Looping, and Testing (BLT)
Branching
• Takes you from one area of the program to another area
Looping
• Act of performing a task over and over
Testing
• Verifies some condition and returns true or false
A C Program
Filename ends in .c
It's hard to read at first
A single missing semicolon can ruin a program
Comments
Comments make code easier to read
Branching and Testing
Diagram of branches
See links Ch 7b, 7c
Anatomy of a C Program
The first computer program a C student learns "Hello, World!"
Comments
Use /* and */ to comment large portions of text
Use // for one-line comments
Include
#include statement
• Loads libraries that hold the commands and functions used in your program
Functions
A function name is always followed by parentheses ( )
Curly braces { } show where a function begins and ends
main() function
• Every C program requires a main() function
• main() is where processing starts
Functions can call other functions
• Parameters or arguments are optional
\n represents a line feed
Mathematical Operators
The i++ in the example below adds one to the variable i
Logical Operators
The i<11 in the example below compares the variable i to 11
Error in textbook
C example on page 138 should be this instead
Objectives
Tools to assess Microsoft system vulnerabilities
Describe the vulnerabilities of Microsoft operating systems and services
Techniques to harden Microsoft systems against common vulnerabilities
Best practices for securing Microsoft systems
Tools to Identify Vulnerabilities on Microsoft Systems
Many tools are available for this task
• Using more than one tool is advisable
Using several tools helps you pinpoint problems more accurately
Built-in Microsoft Tools
Microsoft Baseline Security Analyzer (MBSA)
Winfingerprint
HFNetChk
MBSA Results
SQL Server
Areas of SQL Server that vulnerabilities exploit
• The SA account with a blank password
• SQL Server Agent
• Buffer overflow
• Extended stored procedures
• Default SQL port 1433
Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
The SA Account
The SA account is the master account, with full rights
SQL Server 6.5 and 7 installations do not require setting a password for this account
SQL Server 2000 supports mixed-mode authentication
• SA account is created with a blank password
• SA account cannot be disabled
SQL Server Agent
Service mainly responsible for
• Replication
• Running scheduled jobs
• Restarting the SQL service
Authorized but unprivileged user can create scheduled jobs to be run by the agent
Buffer Overflow
Database Consistency Checker in SQL Server 2000
• Contains commands with buffer overflows
SQL Server 7 and 2000 have functions that generate text messages
• They do not check that messages fit in the buffers supplied to hold them
Format string vulnerability in the C runtime functions
Extended Stored Procedures
Several of the extended stored procedures fail to perform input validation
• They are susceptible to buffer overruns
Default SQL Port 1433
SQL Server is a Winsock application
• Communicates over TCP/IP using port 1433
Spida worm
• Scans for systems listening on TCP port 1433
• Once connected, attempts to use the xp_cmdshell
Enables and sets a password for the Guest account
Changing the default port is not an easy task
Best Practices for Hardening Microsoft Systems
Penetration tester
• Finds vulnerabilities
Security tester
• Finds vulnerabilities
• Gives recommendations for correcting found vulnerabilities
Patching Systems
The number-one way to keep your system secure
• Attacks take advantage of known vulnerabilities
CNIT 123 – Bowne Page 6 of 7
Chapter 8: Microsoft Operating System Vulnerabilities
• Options for small networks
Accessing Windows Update manually
Automatic Updates
• This technique does not really ensure that all machines are patched at the same time
• Does not let you skip patches you don’t want
Some patches cause problems, so they should be tested first
Options for patch management for large networks
• Systems Management Server (SMS)
• Software Update Service (SUS)
Patches are pushed out from the network server after they have been tested
Antivirus Solutions
An antivirus solution is essential
For small networks
• Desktop antivirus tool with automatic updates
For large networks
• Corporate-level solution
An antivirus tool is almost useless if it is not updated regularly
Enable Logging and Review Logs Regularly
Important step for monitoring critical areas
• Performance
• Traffic patterns
• Possible security breaches
Logging can have negative impact on performance
Review logs regularly for signs of intrusion or other problems
• Use a log-monitoring tool
Disable Unused or Unneeded Services
Disable unneeded services
Delete unnecessary applications or scripts
Unused applications or services are an invitation for attacks
Requires careful planning
• Close unused ports but maintain functionality
Other Security Best Practices
• Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet
• Delete unused scripts and sample applications
• Delete default hidden shares
• Use different names and passwords for public interfaces
Other Security Best Practices
• Be careful of default permissions
For example, new shares are readable by all users in Win XP
• Use available tools to assess system security
Like MBSA, IIS Lockdown Wizard, etc.
• Disable the Guest account
• Rename the default Administrator account
• Enforce a good password policy
• Educate users about security
• Keep informed about current threats
Objectives
Describe the fundamentals of the Linux operating system
Describe the vulnerabilities of the Linux operating system
Describe Linux remote attacks
Explain countermeasures for protecting the Linux operating system
Review of Linux Fundamentals
Linux is a version of UNIX
• Usually available free
• Red Hat includes documentation and support for a fee
Linux creates default directories
cd /
ls -F
Note: ls -F adds:
  / to directories
  * to executables
  @ to linked files
cd /bin
ls -F
cd /dev
ls
cd /etc
ls -F
Note: hosts file with name-to-IP mapping ("cat hosts" to see it)
passwd with user names and groups ("cat passwd" to see it)
shadow file with hashed passwords ("sudo cat shadow" to see it)
cd /home
ls -l
Note: Home directory for each user, owned by the user
cd /lib
ls -F
Note: Libraries here, nothing particularly interesting
cd /mnt
ls -al
cd /proc
ls -F
cd /var/log
ls
cat boot
Getting Help
Many of these commands have multiple parameters and additional functionality
Use these commands to get help. (Replace command with the command you want help with, such as ifconfig)
command --help
man command
Linux OS Vulnerabilities
UNIX has been around for quite some time
Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Nessus Scanning a Linux Server (with Samba)
Enumeration tools can also be used against Linux systems
Nessus can be used to enumerate Linux systems
Nessus can be used to
• Discover vulnerabilities related to SMB and NetBIOS
• Discover other vulnerabilities
• Enumerate shared resources
Test Linux computer against common known vulnerabilities
• Review the CVE and CAN information
• See links Ch 9m, n, o
Remote Access Attacks
on Linux Systems
Differentiate between local attacks and remote attacks
• Remote attacks are harder to perform
Attacking a network remotely requires
• Knowing what system a remote user is operating
• The attacked system’s password and login accounts
Footprinting an Attacked System
Footprinting techniques
• Used to find out information about a target system
Determining the OS version the attacked computer is running
• Check newsgroups for details on posted messages
• Knowing a company’s e-mail address makes the search easier
Other Footprinting Tools
Whois databases
DNS zone transfers
Nessus
Chapter 9: Linux Operating System Vulnerabilities
Port scanning tools
Using Social Engineering to Attack Remote Linux Systems
Goal
• To get OS information from company employees
Common techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Train your employees about social engineering techniques
Trojans
Trojan programs spread as
• E-mail attachments
• Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
• Allow for remote administration
• Create an FTP server on the attacked machine
• Steal passwords
• Log all keys a user enters, and e-mail results to the attacker
Trojan programs can use legitimate outbound ports
• Firewalls and IDSs cannot identify this traffic as malicious
• Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
• See links Ch 9e, f, g
Rootkits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Replace legitimate commands with Trojan programs
• Hide the tools used for later attacks
• Example: LRK5
LRK5
• A famous Linux Rootkit
• See Links Ch 9h, i, j
Rootkit Detectors
Security testers should check their Linux systems for rootkits
• Rootkit Hunter (Link Ch 9l)
• Chkrootkit (Link Ch 9l)
• Rootkit Profiler (Link Ch 9k)
Demonstration of rkhunter
sudo apt-get install rkhunter
sudo rkhunter -c
Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Web Servers
The two main Web servers are Apache (Open source) and IIS (Microsoft)
Understanding Web Applications
It is nearly impossible to write a program without bugs
• Some bugs create security vulnerabilities
Web applications also have bugs
• Web applications have a larger user base than standalone applications
• Bugs are a bigger problem for Web applications
Web Application Components
Static Web pages
• Created using HTML
Dynamic Web pages
• Need special components
<form> tags
Common Gateway Interface (CGI) scripts
Active Server Pages (ASP)
PHP
ColdFusion
Scripting languages like JavaScript
ODBC (Open Database connector)
Web Forms
Use the <form> element or tag in an HTML document
• Allows a customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server
Web form example
<html><body>
<form>
  Enter your username:
  <input type="text" name="username">
  <br>
  Enter your password:
  <input type="password" name="password">
</form></body></html>
Common Gateway Interface (CGI)
Handles moving data from a Web server to a Web browser
The majority of dynamic Web pages are created with CGI and scripting languages
Describes how a Web server passes data to a Web browser
• Relies on Perl or another scripting language to create dynamic Web pages
Phfscan.c
• Written to scan Web sites looking for hosts that could be exploited by the PHF bug
• The PHF bug enables an attacker to download the victim’s /etc/passwd file
• It also allows attackers to run programs on the victim’s Web server by using a particular URL
See links Ch 10zj, 10zk
Objectives
Explain wireless technology
Describe wireless networking standards
Describe the process of authentication
Describe wardriving
Describe wireless hacking and tools used by hackers and security professionals
Understanding Wireless Technology
For a wireless network to function, you must have the right hardware and software
Wireless technology is part of our lives
• Baby monitors
• Cell and cordless phones
• Pagers
• GPS
• Remote controls
• Garage door openers
• Two-way radios
• Wireless PDAs
Components of a Wireless Network
A wireless network has only three basic components
• Access Point (AP)
• Wireless network interface card (WNIC)
• Ethernet cable
Access Points
An access point (AP) is a transceiver that connects to an Ethernet cable
• It bridges the wireless network with the wired network
Not all wireless networks connect to a wired network
• Most companies have Wireless LANs (WLANs) that connect to their wired network topology
The AP is where channels are configured
An AP enables users to connect to a LAN using wireless technology
• An AP is available only within a defined area
Wireless NICs
For wireless technology to work, each node or computer must have a wireless NIC
NIC’s main function
• Converting the radio waves it receives into digital signals the computer understands
Wireless NICs
There are many wireless NICs on the market
• Choose yours depending on how you plan to use it
• Some tools require certain specific brands of NICs
Understanding Authentication
Wireless technology brings new security risks to a network
Authentication
• Establishing that a user is authentic—authorized to use the network
• If authentication fails, anyone in radio range can use your network
The 802.1X Standard
Defines the process of authenticating and authorizing users on a WLAN
Basic concepts
• Point-to-Point Protocol (PPP)
• Extensible Authentication Protocol (EAP)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users
PPP handles authentication with a user name and password, sent with PAP or CHAP
• PAP (Password Authentication Protocol) sends passwords unencrypted
Vulnerable to trivial sniffing attacks
See link Ch 11f
CHAP Vulnerability
CHAP (Challenge-Handshake Authentication Protocol)
• Server sends a Challenge with a random value
• Client sends a Response, hashing the random value with the secret password
This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
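As an added example (not from the slides), this Python plays both sides of the two PPP authentication exchanges just described: PAP, where the client sends the password itself, and CHAP, where the client returns MD5(Identifier || secret || Challenge) as RFC 1994 specifies. A "sniffer" function then checks which exchange exposes the secret on the wire, and a replayed CHAP response is tried against a fresh challenge. The user database, secret and challenge values are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user database: the server's copy of each user's secret
USER_DB = {b"alice": b"correct horse battery"}

# --- PAP: the client sends the password itself -------------------------------
def pap_request(name, password):
    return {"type": "PAP-Authenticate-Request", "name": name, "password": password}

def pap_check(request, db):
    return db.get(request["name"]) == request["password"]

# --- CHAP (RFC 1994): the client proves knowledge of the secret with a hash ---
def chap_challenge(identifier, value=None):
    """Server side: a fresh random challenge for every authentication attempt."""
    return {"type": "CHAP-Challenge", "id": identifier, "value": value or os.urandom(16)}

def chap_response(challenge, name, secret):
    """Client side: Response value = MD5(Identifier || secret || Challenge)."""
    digest = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return {"type": "CHAP-Response", "id": challenge["id"], "name": name, "value": digest}

def chap_verify(challenge, response, db):
    """Server side: recompute the digest from its stored secret and compare in constant time."""
    secret = db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return hmac.compare_digest(expected, response["value"])

def run_pap(name, password, db):
    """Returns (authenticated, messages an on-path observer would see)."""
    req = pap_request(name, password)
    return pap_check(req, db), [req]

def run_chap(name, secret, db, identifier=1, challenge_value=None):
    """Returns (authenticated, messages an on-path observer would see)."""
    chal = chap_challenge(identifier, challenge_value)
    resp = chap_response(chal, name, secret)
    return chap_verify(chal, resp, db), [chal, resp]

def secret_on_wire(messages, secret):
    """What a sniffer learns directly: does the secret itself appear in any message field?"""
    return any(v == secret for m in messages for v in m.values())

if __name__ == "__main__":
    ok, wire = run_pap(b"alice", b"correct horse battery", USER_DB)
    print("PAP ok:", ok, "secret visible:", secret_on_wire(wire, b"correct horse battery"))
    ok, wire = run_chap(b"alice", b"correct horse battery", USER_DB)
    print("CHAP ok:", ok, "secret visible:", secret_on_wire(wire, b"correct horse battery"))
```

CHAP keeps the secret off the wire and defeats a straight replay because each challenge is new, but the sniffer still captures a (challenge, MD5 digest) pair that can be attacked offline by guessing the secret, and the server must store the secret in a recoverable form to recompute the digest; those are the costs behind the weaknesses the slide points to.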
Extensible Authentication Protocol (EAP)
EAP is an enhancement to PPP
Allows a company to select its authentication method
• Certificates
• Kerberos
Kerberos is used on LANs for authentication
Uses Tickets and Keys
Used by Windows 2000, XP, and 2003 Server by default
Not common on WLANS (I think)
X.509 Certificate
Record that authenticates network entities
Identifies
• The owner
• The certificate authority (CA)
• The owner’s public key
See link Ch 11j
Objectives
Describe the history of cryptography
Describe symmetric and asymmetric cryptography algorithms
Explain public key infrastructure (PKI)
Describe possible attacks on cryptosystems
Understanding Cryptography Basics
Cryptography is the process of converting plaintext into ciphertext
• Plaintext: readable text (also called cleartext)
• Ciphertext: unreadable or encrypted text
Cryptography is used to hide information from unauthorized users
Decryption is the process of converting ciphertext back to plaintext
History of Cryptography
Substitution cipher
• Replaces one letter with another letter based on a key
• Example: Julius Caesar’s Cipher
Used a key value of 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Cryptanalysis studies the process of breaking encryption algorithms
When a new encryption algorithm is developed, cryptanalysts study it and try to break it
• Or prove that it is impractical to break it (taking much time and many resources)
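As an added example (not from the slides), this Python implements the Caesar substitution shown above, reproduces the two alphabet rows for a key of 3, and then does the cryptanalysis the slide describes: with only 25 usable keys, trying every one and scoring the candidates against a few known words recovers the key immediately. The message and word list are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase   # 26 letters, so only 25 distinct non-trivial shifts exist

def caesar(text, key, decrypt=False):
    """Shift each letter by `key` positions (key 3 turns A into D); non-letters pass through unchanged."""
    shift = (-key if decrypt else key) % 26
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def substitution_rows(key):
    """The two rows shown on the slide: plaintext alphabet over its ciphertext alphabet."""
    return ALPHABET, caesar(ALPHABET, key)

def brute_force(ciphertext, known_words):
    """Try all 25 keys and keep the candidate containing the most known words: (key, plaintext)."""
    best = (0, None, None)
    for key in range(1, 26):
        candidate = caesar(ciphertext, key, decrypt=True)
        hits = sum(word in known_words for word in candidate.split())
        if hits > best[0]:
            best = (hits, key, candidate)
    return best[1], best[2]

# Constructed sample message encrypted with the slide's key of 3
SAMPLE_CIPHERTEXT = caesar("ATTACK AT DAWN", 3)

if __name__ == "__main__":
    print(*substitution_rows(3), sep="\n")
    print(SAMPLE_CIPHERTEXT, "->", brute_force(SAMPLE_CIPHERTEXT, {"ATTACK", "AT", "DAWN"}))
```

The keyspace is the whole point: 25 keys can be tried by hand, which is why the key-size figures later in this chapter (2^56, 2^128) matter more than the secrecy of the algorithm.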
Enigma
Used by the Germans during World War II
• Replaced letters as they were typed
• Substitutions were computed using a key and a set of switches or rotors
• Image from Wikipedia (link Ch 12a)
Steganography
The process of hiding data in plain view in pictures, graphics, or text
• Example: changing colors slightly to encode individual bits in an image
The image on the left contains the image on the right hidden in it (link Ch 12c)
Algorithms
An algorithm is a mathematical function or program that works with a key
Security comes from
• A strong algorithm—one that cannot be reversed without the key
• A key that cannot be found or guessed
Keys (not in textbook)
A sequence of random bits
• The range of allowable values is called a keyspace
The larger the keyspace, the more secure the key
• 8-bit key has 2^8 = 256 values in keyspace
• 24-bit key has 2^24 = 16 million values
• 56-bit key has 2^56 = 7 x 10^16 values
• 128-bit key has 2^128 = 3 x 10^38 values
RC5
Block cipher that can operate on different block sizes: 32, 64, and 128
The key size can reach 2048 bits
Created by Ronald L. Rivest in 1994 for RSA Data Security
Cracking RC5
56-bit and 64-bit key RC5s have already been cracked
The RC5-72 project is underway, trying to crack a 72-bit key
• At the current rate, it will take 1000 years
Links Ch 12l, 12m
Chapter 12: Cryptography
Hashing Algorithms
SHA-1 is one of the most popular hashing algorithms
• SHA-1 has been broken
• Collisions were found in 2004 and 2005 (link Ch 12p)
• As of March 15, 2005, the NIST recommends not using SHA-1 in new applications
• But there are collisions in MD5 too
• SHA-256 hasn’t been broken yet
See link Ch 12q
Hashing Algorithms
Name   Notes
MD2    Written for 8-bit machines, no longer secure
MD4    No longer secure
MD5    Security is questionable now
SHA-1  The successor to MD5, used in TLS, SSL, PGP, SSH, S/MIME, and IPsec. It has been broken, so it's no longer completely secure
SHA-2  Not yet broken, but no longer recommended. The NIST is now developing a new algorithm to replace SHA.
So there’s a 51% chance that two of them have the same birthday
See link Ch 12r
If there are N possible hash values,
• You’ll find collisions when you have calculated 1.2 x sqrt(N) values
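The 1.2 x sqrt(N) figure is the birthday bound, and it can be watched happening on a hash small enough to collide quickly. As an added example (not from the slides), this Python truncates SHA-256 to a chosen number of bits (so N = 2^bits), hashes distinct constructed messages until two share a value, and compares the trial count with the slide's estimate. The message prefixes are constructed; the full-width SHA-256 work factor it reports is the same formula with N = 2^256.

```python
import hashlib
import math

def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256: a toy hash with N = 2**bits possible values."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def expected_work(n_values):
    """The slide's rule of thumb: collisions appear after about 1.2 * sqrt(N) hashes."""
    return 1.2 * math.sqrt(n_values)

def find_collision(bits, prefix=b"msg-"):
    """Hash distinct constructed messages until two share a truncated value."""
    seen = {}
    for i in range((1 << bits) + 1):          # pigeonhole: N+1 inputs guarantee a collision
        msg = prefix + str(i).encode()
        value = truncated_hash(msg, bits)
        if value in seen:
            return {"trials": i + 1, "value": value, "pair": (seen[value], msg)}
        seen[value] = msg
    raise AssertionError("unreachable: a collision must occur within N+1 inputs")

def trials_vs_expected(bits, runs=20):
    """Average trials-to-collision over several message prefixes, next to 1.2*sqrt(N)."""
    avg = sum(find_collision(bits, b"run%d-" % r)["trials"] for r in range(runs)) / runs
    return avg, expected_work(1 << bits)

if __name__ == "__main__":
    print("16-bit hash:", trials_vs_expected(16))
    print("full SHA-256 would need about %.1e hashes" % expected_work(2 ** 256))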
Objectives
Describe network security devices
Describe firewall technology
Describe intrusion detection systems
Describe honeypots
Routers
Routers are like intersections; switches are like streets
• Image from Wikipedia (link Ch 13a)
Understanding Routers
Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model
Routing Protocols
Routers tell one another what paths are available with Routing Protocols
• Link-state routing protocol
Each router has complete information about every network link
Example: Open Shortest Path First (OSPF)
• Distance-vector routing protocol
Routers only know which direction to send packets, and how far
Example: Routing Information Protocol (RIP)
Cisco Routers
Image from cisco.com (link Ch 13b)
Understanding Basic Hardware Routers
Cisco routers are widely used in the networking community
• More than one million Cisco 2500 series routers are currently being used by companies around the world
Vulnerabilities exist in Cisco as they do in any operating system
• See link Ch 13c
Cisco Router Components
Internetwork Operating System (IOS)
Random access memory (RAM)
• Holds the router’s running configuration, routing tables, and buffers
• If you turn off the router, the contents stored in RAM are wiped out
Nonvolatile RAM (NVRAM)
• Holds the router’s configuration file, but the information is not lost if the router is turned off
Flash memory
• Holds the IOS the router is using
• Is rewritable memory, so you can upgrade the IOS
Understanding Firewalls
Firewalls are hardware devices or software installed on a system and have two purposes
• Controlling access to all traffic that enters an internal network
• Controlling all traffic that leaves an internal network
Hardware Firewalls
Advantage of hardware firewalls
• Faster than software firewalls (more throughput)
Disadvantages of hardware firewalls
• You are limited by the firewall’s hardware
Number of interfaces, etc.
• Usually filter incoming traffic only (link Ch 13i)
Chapter 13: Protecting Networks with Security Devices
Software Firewalls
Advantages of software firewalls
• Customizable: can interact with the user to provide more protection
• You can easily add NICs to the server running the firewall software
Software Firewalls
Disadvantages of software firewalls
• You might have to worry about configuration problems
• They rely on the OS on which they are running
Firewall Technologies
Network address translation (NAT)
Access control lists (Packet filtering)
Stateful packet inspection (SPI)
Understanding Honeypots
Honeypot
• Computer placed on the perimeter of a network
• Contains information intended to lure and then trap hackers
Computer is configured to have vulnerabilities
Goal
• Keep hackers connected long enough so they can be traced back
How They Work
A honeypot appears to have important data or sensitive information stored on it
• Could store fake financial data that tempts hackers to attempt browsing through the data
Hackers will spend time attacking the honeypot
• And stop looking for real vulnerabilities in the company’s network
Honeypots also enable security professionals to collect data on attackers
Virtual honeypots
• Honeypots created using software solutions instead of hardware devices
• Example: Honeyd
Project Honey Pot
Web masters install software on their websites
When spammers harvest email addresses from sites, HoneyNet's servers record the IP of the harvester
• Can help prosecute the spammers and block the spam
Link Ch 13p
Uses a Capture Server and one or more Capture Clients
• The clients run in virtual machines
• Clients connect to suspect Web servers
• If the client detects an infection, it alerts the Capture Server and restores itself to a clean state
• The server gathers data about malicious websites
See link Ch 13q
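The idea behind all of the honeypots above is the same: present something that looks worth attacking, offer no real service, and record everything the attacker does. The following is an added example, not code from the slides or from Honeyd, Project Honey Pot or the Capture tools: a minimal low-interaction TCP honeypot that advertises a fake FTP banner, logs the first command each visitor sends together with its source address, and summarizes which sources hit it most often. The banner text, hostname and the replayed "attacker" requests are all constructed; the demonstration runs entirely on the loopback interface.

```python
import socket
import threading
import time
from collections import Counter
from typing import Dict, List, Tuple

# Added example (not from the slides or any honeypot project): a low-interaction
# TCP honeypot. Constructed lure banner: pretend to be an FTP server holding finance data.
BANNER = b"220 finance-ftp.example.internal FTP server ready\r\n"

def open_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a TCP listener; port 0 lets the OS pick a free port (used by the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s

def record_probe(events: List[Dict], src_ip: str, src_port: int, payload: bytes) -> None:
    """Store what the visitor sent. Nothing on the honeypot is a real service,
    so any request at all is evidence of probing."""
    events.append({
        "ts": time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "payload": payload.decode("latin-1", "replace")[:200],
    })

def accept_probes(listener: socket.socket, events: List[Dict], count: int,
                  timeout: float = 5.0) -> None:
    """Handle `count` connections: send the lure banner, log the first request, close."""
    listener.settimeout(timeout)
    for _ in range(count):
        try:
            conn, (ip, port) = listener.accept()
        except socket.timeout:
            break
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(BANNER)
                data = conn.recv(1024)
            except (socket.timeout, OSError):
                data = b""
            record_probe(events, ip, port, data)

def top_sources(events: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses that hit the honeypot most often: candidates for blocking."""
    return Counter(e["src_ip"] for e in events).most_common(n)

def simulate_probes(payloads: List[bytes]) -> List[Dict]:
    """Run the honeypot on loopback and replay constructed attacker requests against it."""
    listener = open_listener()
    events: List[Dict] = []
    worker = threading.Thread(target=accept_probes, args=(listener, events, len(payloads)))
    worker.start()
    port = listener.getsockname()[1]
    for payload in payloads:
        with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
            c.recv(len(BANNER))     # read the lure banner, as a real client would
            c.sendall(payload)
    worker.join()
    listener.close()
    return events

if __name__ == "__main__":
    # Constructed sample requests, the kind a scanner would send to a discovered FTP port
    evts = simulate_probes([b"USER anonymous\r\n", b"USER root\r\n", b"LIST /finance\r\n"])
    for e in evts:
        print(e["src_ip"], repr(e["payload"]))
    print(top_sources(evts))
```

Because the listener never implements the protocol beyond the banner, there is no real attack surface on the honeypot itself, and every logged line is a lead the defender can follow up on; `top_sources` is the first step toward the "block the spam" outcome described for Project Honey Pot.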
Legal Concerns
Defeating security to enter a network without permission is clearly illegal
• Even if the security is weak
Sniffing unencrypted wireless traffic may also be illegal
• It could be regarded as an illegal wiretap
• The situation is unclear, and varies from state to state
• In California, privacy concerns tend to outweigh other considerations
• See links l14v, l14w
Equipment
Wireless Network Interface Cards (NICs) and Drivers
The Goal
All wireless NICs can connect to an Access Point
But hacking requires more than that, because we need to do
• Sniffing – collecting traffic addressed to other devices
• Injection – transmitting forged packets which will appear to be from other devices
Windows v. Linux
The best wireless hacking software is written in Linux
• The Windows tools are inferior, and don't support packet injection
But all the wireless NICs are designed for Windows
• And the drivers are written for Windows
• Linux drivers are hard to find and confusing to install
Wireless NIC Modes
There are four modes a NIC can use
• Master mode
• Managed mode
• Ad-hoc mode
• Monitor mode
See link l_14j
Master Mode
• Also called AP or Infrastructure mode
• Looks like an access point
• Creates a network with
A name (SSID)
A channel
Managed Mode
• Also called Client mode
• The usual mode for a Wi-Fi laptop
• Joins a network created by a master
• Automatically changes channel to match the master
• Presents credentials, and if accepted, becomes associated with the master
Ad-hoc Mode
• Peer-to-peer network
• No master or Access Point
• Nodes must agree on a channel and SSID
Monitor Mode
• Does not associate with Access Point
• Listens to traffic
• Like a wired NIC in Promiscuous Mode
Wi-Fi NICs
To connect to a Wi-Fi network, you need a Network Interface Card (NIC)
PCMCIA
The most common type is the PCMCIA card
• Designed for laptop computers
USB
• Can be used on a laptop or desktop PC
PCI
• Installs inside a desktop PC
Choosing a NIC
For penetration testing (hacking), consider these factors:
• Chipset
• Output power
• Receiving sensitivity
• External antenna connectors
• Support for 802.11i and improved WEP versions
Wi-Fi NIC Manufacturers
Each wireless card has two manufacturers
• The card itself is made by a company like
Netgear
Ubiquiti
Linksys
D-Link
many, many others
• But the chipset (control circuitry) is made by a different company
Chipsets
To find out what chipset your card uses, you must search on the Web
• Card manufacturers don't want you to know
Major chipsets
• Prism
• Cisco Aironet
• Hermes/Orinoco
• Atheros
There are others
Prism Chipset
Prism chipset is a favorite among hackers
• Completely open -- specifications available
• Has more Linux drivers than any other chipset
See link l_14d
Prism chipset is the best choice for penetration testing
HostAP Linux Drivers are highly recommended, supporting:
• NIC acting as an Access Point
• Use of the iwconfig command to configure the NIC
See link l_14h
Cisco Aironet Chipset
Cisco proprietary – not open
Based on Prism, with more features
• Regulated power output
• Hardware-based channel-hopping
Very sensitive – good for wardriving
• Cannot use HostAP drivers
• Not useful for man-in-the-middle or other complex attacks
Hermes Chipset
Lucent proprietary – not open
Lucent published some source code for WaveLAN/ORiNOCO cards
Useful for all penetration testing, but requires:
• Shmoo driver patches (link l_14l) to use monitor mode
Atheros Chipset
The most common chipset in 802.11a devices
• Best Atheros drivers are MadWIFI (link l_14m)
• Some cards work better than others
• Monitor mode is available, at least for some cards
Other Cards
If all else fails, you could use Windows drivers with a wrapper to make them work in Linux
• DriverLoader (link l_14n)
• NdisWrapper (link l_14o)
But all you'll get is basic functionality, not monitor mode or packet injection
• Not much use for hacking
Cracking WEP: Tools and Principles
A Simple WEP Crack
The Access Point and Client are using WEP encryption
The hacker device just listens
Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
• The "interesting" packets are the ones containing Initialization Vectors (IVs)
• Only about ¼ of the packets contain IVs
• So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets
Packet Injection
A second hacker machine injects packets to create more "interesting" packets
Injection is MUCH Faster
With packet injection, the listener can collect 200 IVs per second
5 – 10 minutes is usually enough to crack a 64-bit key
Cracking a 128-bit key takes an hour or so
• Link l_14r
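The "interesting" packets above are the WEP-protected data frames: each one carries its 3-byte Initialization Vector in the clear, just after the 802.11 header, which is why a listener can count them without knowing the key. As an added example, not from the slides or from the Aircrack suite, here is a small 802.11 parser that picks those frames out of a capture and counts total frames, IV-carrying frames, distinct IVs and IVs that have already repeated; the same counts are a useful audit check on a network that still runs WEP, since IV reuse is what makes the key recoverable. It assumes bare 802.11 frames (any radiotap or Prism header already stripped), and the sample capture is constructed in the code.

```python
from collections import Counter
from typing import Dict, List, Optional

# Added example (not from the slides or the Aircrack suite): pick the "interesting"
# frames out of an 802.11 capture, i.e. WEP-protected data frames, and count their IVs.
# Assumes bare 802.11 frames (radiotap/prism headers already stripped).

FC_TYPE_MGMT, FC_TYPE_CTRL, FC_TYPE_DATA = 0, 1, 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40

def build_frame(ftype: int, subtype: int, flags: int, body: bytes = b"",
                iv: Optional[bytes] = None) -> bytes:
    """Constructed helper to make sample frames; addresses are locally administered."""
    fc = bytes([(ftype << 2) | (subtype << 4), flags])
    if ftype == FC_TYPE_CTRL:                     # e.g. ACK: FC + duration + RA only
        return fc + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01"
    hdr = fc + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00"
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hdr += b"\x02\x00\x00\x00\x00\x04"       # addr4 is present on WDS frames
    if ftype == FC_TYPE_DATA and subtype & 0x8:
        hdr += b"\x00\x00"                        # QoS control field
    if iv is not None:
        hdr += iv + b"\x00"                       # 3-byte IV + key-id byte precede the ciphertext
    return hdr + body

def wep_iv(frame: bytes) -> Optional[bytes]:
    """Return the IV if this is a WEP-protected data frame, otherwise None."""
    if len(frame) < 2:
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA or not flags & FLAG_PROTECTED:
        return None                               # beacons, ACKs, plaintext data: not interesting
    hdr_len = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hdr_len += 6                              # addr4
    if (fc0 >> 4) & 0x8:
        hdr_len += 2                              # QoS control
    if len(frame) < hdr_len + 4:
        return None                               # too short to hold IV + key-id
    return frame[hdr_len:hdr_len + 3]

def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count total frames, IV-carrying frames, distinct IVs and IVs seen more than once."""
    ivs = [iv for iv in (wep_iv(f) for f in frames) if iv is not None]
    counts = Counter(ivs)
    return {"total": len(frames), "interesting": len(ivs),
            "unique_ivs": len(counts), "reused_ivs": sum(1 for c in counts.values() if c > 1)}

# Constructed sample capture: management and control frames, one plaintext data frame,
# and three WEP-protected data frames (one QoS, one WDS, one IV repeated).
SAMPLE_CAPTURE = [
    build_frame(FC_TYPE_MGMT, 8, 0, b"beacon"),                               # beacon
    build_frame(FC_TYPE_MGMT, 8, 0, b"beacon"),                               # beacon
    build_frame(FC_TYPE_CTRL, 13, 0),                                         # ACK
    build_frame(FC_TYPE_CTRL, 13, 0),                                         # ACK
    build_frame(FC_TYPE_CTRL, 13, 0),                                         # ACK
    build_frame(FC_TYPE_DATA, 0, FLAG_TO_DS, b"plain"),                       # unencrypted data
    build_frame(FC_TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, b"\xaa\xbb", iv=b"\x01\x02\x03"),
    build_frame(FC_TYPE_DATA, 8, FLAG_FROM_DS | FLAG_PROTECTED, b"\xcc\xdd", iv=b"\x04\x05\x06"),
    build_frame(FC_TYPE_DATA, 0, FLAG_TO_DS | FLAG_FROM_DS | FLAG_PROTECTED, b"\xee\xff",
                iv=b"\x01\x02\x03"),                                          # same IV again
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

The IV is only 24 bits, so on a busy network the `reused_ivs` count starts climbing within hours even without any injection; that number going above zero on a production network is the signal to retire WEP rather than to tune it.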
AP & Client Requirements
Access Point
• Any AP that supports WEP should be fine (they all do)
Client
• Any computer with any wireless card will do
• Could use Windows or Linux
Listener Requirements
NIC must support Monitor Mode
Could use Windows or Linux
• But you can't use NDISwrapper
Software
• Airodump (part of the Aircrack Suite) for Windows or Linux (see Link l_14q)
• BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools)
Link l_14n
Injector Requirements
NIC must support injection
Must use Linux
Software
• void11 and aireplay
Link l_14q
Sources
http://www.aircrack-ng.org/doku.php?id=compatible_cards (link l_14a)
http://www.wi-foo.com/ (link l_14c)
http://www.vias.org/wirelessnetw/wndw_05_04.html (link l_14j)
http://smallnetbuilder.com/content/view/24244/98/ (link l_14p)
SSL Handshake
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server
Demonstration: Sniffing SSL Handshake with Wireshark
Start Wireshark capturing packets
Open a browser and go to yahoo.com
Click the My Mail button
Hand – these three packets are the TCP Handshake, which happens before the SSL handshake
Hello – these two packets are the Hellos, which start the SSL handshake
Key – these packets perform the last two stages of the SSL handshake:
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
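What Wireshark is showing in that capture is the TLS record layer, whose framing SSL 3.0 shares: every record starts with a content type, a version and a length, and handshake records carry one or more typed handshake messages inside. The following is an added example, not code from the slides or from Wireshark: a small record parser that walks a byte stream and maps each message onto the three stages listed above. The byte stream is constructed in the code (both directions merged into one stream, message bodies are dummies), so it is not a real capture, and treating the first ChangeCipherSpec as the point after which handshake records become opaque is a simplification of the per-direction rule.

```python
import struct
from typing import List, Optional, Tuple

# Added example (not from the slides): decode TLS 1.2 record framing, which SSL 3.0
# shares, and group the messages into the three handshake stages from the lecture.
# The byte stream below is constructed, not a real capture, and merges both directions.

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}

def record(content_type: int, body: bytes, version: int = 0x0303) -> bytes:
    """TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body

def handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_records(data: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return (content type, handshake message type or None) for every message."""
    out: List[Tuple[str, Optional[str]]] = []
    off, encrypted = 0, False
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        off += 5 + length
        name = CONTENT_TYPES.get(ctype, "unknown")
        if ctype == 22 and not encrypted:
            pos = 0                      # one record may carry several handshake messages
            while pos + 4 <= len(body):
                htype = body[pos]
                hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                out.append((name, HANDSHAKE_TYPES.get(htype, f"type_{htype}")))
                pos += 4 + hlen
        elif ctype == 22:
            out.append((name, "encrypted"))   # Finished follows ChangeCipherSpec, so it is opaque
        else:
            out.append((name, None))
        if ctype == 20:
            encrypted = True   # simplification: one flag for the merged stream, not one per direction
    return out

def stages(data: bytes) -> List[str]:
    """Collapse the message list into the stage sequence seen in the Wireshark demo."""
    seq: List[str] = []
    for ctype, htype in parse_records(data):
        if ctype == "handshake" and htype in ("client_hello", "server_hello"):
            stage = "Hellos"
        elif ctype == "handshake" and htype != "encrypted":
            stage = "Certificate, Key Exchange, and Authentication"
        elif ctype in ("change_cipher_spec", "handshake"):
            stage = "Change cipher spec (handshake finished)"
        else:
            stage = ctype
        if not seq or seq[-1] != stage:
            seq.append(stage)
    return seq

# Constructed stream: the messages of one TLS 1.2 handshake with dummy bodies.
SAMPLE_STREAM = b"".join([
    record(22, handshake(1, b"\x03\x03" + bytes(32))),   # ClientHello (version + dummy random)
    record(22, handshake(2, b"\x03\x03" + bytes(32))),   # ServerHello
    record(22, handshake(11, b"\x00\x00\x00")            # Certificate (empty chain, constructed)
             + handshake(12, b"\x03\x00\x17")            # ServerKeyExchange (stub params)
             + handshake(14, b"")),                      # ServerHelloDone
    record(22, handshake(16, b"\x20" + bytes(32))),      # ClientKeyExchange
    record(20, b"\x01"),                                 # client ChangeCipherSpec
    record(22, bytes(40)),                               # client Finished (encrypted)
    record(20, b"\x01"),                                 # server ChangeCipherSpec
    record(22, bytes(40)),                               # server Finished (encrypted)
    record(23, bytes(64)),                               # application data (the web page)
])

if __name__ == "__main__":
    for msg in parse_records(SAMPLE_STREAM):
        print(msg)
    print(stages(SAMPLE_STREAM))
```

Everything up to the ChangeCipherSpec is visible in the clear to anyone on the path, the gateway included: the hostname offered by the client, the certificate the server presents and the cipher suite chosen. Only the Finished messages and the application data after them are encrypted, which is why the sniffer in the demo can label the first two stages but not read the mail page itself.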