Outline
- IP Refresher
- Attack Types
- Network Layer Attacks
- Transport Layer Attacks
- Application Layer Attacks
www.cisco.com
IP Refresher
OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
IP Conceptual Layers (figure: application and protocol layers of the IP stack)
Port Numbers

Application layer protocol   Port   Transport layer
Telnet                       23     TCP
SMTP                         25     TCP
DNS                          53     TCP
HTTP                         80     TCP
SSL                          443    TCP
DNS                          53     UDP
TFTP                         69     UDP
Attack Types
Attack signatures are classified along two axes:
- By what is inspected: Context (header) or Content (data)
- By how many packets are involved: Atomic (single packet) or Composite (multiple packets)
Examples: Ping of Death, Land attack, MS IE attack, E-mail attacks, Telnet attacks, character-mode attacks
- Access: spoofing, session hijacking
- Denial of service: SYN attacks, ping-of-death, teardrop, WinNuke
- Privilege escalation: MS IE%2ASP, ftp cwd ~root
1999, Cisco Systems, Inc.
IP Layer Attacks (figure: protocol stack from network interface to application, with the IP layer highlighted)
IP Fragmentation Attacks
- IP Fragment Attack: offset value too small; indicates an unusually small packet; may bypass some packet filter devices
- IP Fragments Overlap: offset value indicates overlap (Teardrop attack)
(figure: IP header fields Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum)
IP Fragmentation
- Routers and Internet gateways are stateless devices
- Improperly fragmented packets are forwarded normally with other traffic
- Detecting them requires stateful inspection
Unknown IP Protocol
- Proto = invalid or undefined
Impossible IP Packet
- Same source and destination (Land attack)
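The header checks described on the preceding slides (tiny fragment offset, overlapping fragments, undefined protocol number, source equal to destination) as an added Python example; this is not code from the slides or from Cisco. The minimum first-fragment size and the list of expected protocol numbers are assumptions chosen for the example, and the sample datagrams are constructed inline.

```python
import struct
from ipaddress import ip_address

# Assumptions, not from the slides: how many bytes a datagram's first fragment
# must carry before a later fragment may start, and the IP protocols we expect.
MIN_FIRST_FRAGMENT_BYTES = 16
KNOWN_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into a dict (options ignored)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,               # header length in bytes
        "total_len": total_len,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
    }


class FragmentTracker:
    """Remembers the byte range each fragment covers, per datagram, so that a
    later fragment that overlaps an earlier one (teardrop) can be reported."""

    def __init__(self):
        self.ranges = {}  # (src, dst, id, proto) -> [(start, end), ...]

    def check(self, hdr: dict) -> list:
        findings = []
        if not hdr["mf"] and hdr["frag_offset"] == 0:
            return findings  # an unfragmented datagram
        start = hdr["frag_offset"]
        end = start + (hdr["total_len"] - hdr["ihl"])
        if 0 < start < MIN_FIRST_FRAGMENT_BYTES:
            findings.append("fragment offset too small (tiny fragment)")
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        for seen_start, seen_end in self.ranges.get(key, []):
            if start < seen_end and seen_start < end:
                findings.append("fragment overlaps earlier fragment (teardrop)")
                break
        self.ranges.setdefault(key, []).append((start, end))
        return findings


def check_ip_header(hdr: dict, tracker: FragmentTracker) -> list:
    """Return the anomalies the slides describe for one IP header."""
    findings = []
    if hdr["version"] != 4:
        findings.append("not IPv4")
    if hdr["proto"] not in KNOWN_PROTOCOLS:
        findings.append(f"unknown IP protocol {hdr['proto']}")
    if hdr["src"] == hdr["dst"]:
        findings.append("source equals destination (land)")
    findings.extend(tracker.check(hdr))
    return findings


def build_ipv4(src, dst, proto, ident=1, mf=False, offset=0, payload_len=8) -> bytes:
    """Constructed test datagrams; the header checksum is left at zero."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    tracker = FragmentTracker()
    samples = [
        build_ipv4("10.0.0.5", "10.0.0.5", 6),                   # land
        build_ipv4("10.0.0.1", "10.0.0.2", 255),                 # undefined protocol
        build_ipv4("10.0.0.1", "10.0.0.2", 6, ident=7, mf=True, payload_len=32),
        build_ipv4("10.0.0.1", "10.0.0.2", 6, ident=7, offset=8, payload_len=16),
    ]
    for pkt in samples:
        print(check_ip_header(parse_ipv4_header(pkt), tracker))
```

The tracker keys fragments on the same (source, destination, identification, protocol) tuple a reassembler would use, which is exactly the state a stateless router lacks.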
IP Address Spoofing
- Source IP address set to that of a trusted host or a nonexistent host
- Access lists applied at the source are the only protection
- Best applied at the connection to the Internet
IP Options
- The IP header is 20 bytes; options add up to 40 additional bytes
- Only 8 valid options
(figure: IP header fields followed by the options field and the payload data)
IP Options (cont.)
Each option starts with an option-type byte made up of the copy (C) flag, the class, and the option number, optionally followed by a length byte and parameters.
- Copy: 0 = don't include options in packet fragments
- Class: 0 = Network Control, 2 = Debugging
- Length: number of bytes in the option (if used by the option)
- Parameters: parameters passed by the option
- The last option is always option 0
IP Options (cont.)

Option #   Option Name
0          End of Options
1          No Operation
2          Security (rarely used)
3          Loose Source Route
4          Timestamp (rarely used)
7          Record Route (records the route, i.e. the gateways, that a packet has traversed)
8          Stream ID (rarely used)
9          Strict Source Route
IP Source Routing
- Two options: #3 loose source routing and #9 strict source routing
- Can be used to bypass filters (ACLs)
- Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off
- Router command: no ip source-route
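An added Python example (not from the slides or from Cisco) that walks the IP options area, decodes the copy flag, class and number of each option using the option numbers from the table above, and flags the two source-routing options a filter would want to drop. The option-type byte layout (1 bit copied, 2 bits class, 5 bits number) is the RFC 791 layout; the example header and its loose-source-route option are constructed for the demonstration.

```python
import struct

# Option numbers and names from the slides' table (5-bit number field).
OPTION_NAMES = {0: "End of Options", 1: "No Operation", 2: "Security",
                3: "Loose Source Route", 4: "Timestamp", 7: "Record Route",
                8: "Stream ID", 9: "Strict Source Route"}
CLASS_NAMES = {0: "network control", 2: "debugging"}
SOURCE_ROUTE_NUMBERS = {3, 9}


def parse_ip_options(header: bytes) -> list:
    """Walk the options area (bytes 20 .. IHL*4) and decode each option's
    copy flag, class, number, length and parameters."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > 60 or len(header) < ihl:
        raise ValueError("bad IHL")
    opts = header[20:ihl]
    parsed, i = [], 0
    while i < len(opts):
        otype = opts[i]
        number = otype & 0x1F
        entry = {"number": number,
                 "name": OPTION_NAMES.get(number, "unknown"),
                 "copied": bool(otype >> 7),
                 "class": CLASS_NAMES.get((otype >> 5) & 0x3, "reserved")}
        if number in (0, 1):            # single-byte options, no length field
            parsed.append(entry)
            if number == 0:             # End of Options terminates the list
                break
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        entry["length"] = length
        data = opts[i + 2:i + length]
        if number in SOURCE_ROUTE_NUMBERS:
            if not data:
                raise ValueError("source route option without pointer")
            entry["pointer"] = data[0]
            addrs = data[1:]
            entry["route"] = [".".join(str(b) for b in addrs[j:j + 4])
                              for j in range(0, len(addrs) - len(addrs) % 4, 4)]
        entry["data"] = data
        parsed.append(entry)
        i += length
    return parsed


def has_source_route(header: bytes) -> bool:
    """True when a loose or strict source route option is present."""
    return any(o["number"] in SOURCE_ROUTE_NUMBERS for o in parse_ip_options(header))


def build_header_with_options(options: bytes) -> bytes:
    """Constructed IPv4 header (10.0.0.1 -> 10.0.0.2) carrying the given options,
    padded to a 4-byte boundary with End of Options; checksum left at zero."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl_words = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options),
                        1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options


# Loose source route via 192.0.2.1 then 192.0.2.2: type byte 0x83 means
# copied=1, class=0, number=3; length 11 = 3 + two 4-byte addresses; pointer 4.
LSRR_EXAMPLE = build_header_with_options(
    bytes([0x83, 11, 4, 192, 0, 2, 1, 192, 0, 2, 2]))

if __name__ == "__main__":
    for opt in parse_ip_options(LSRR_EXAMPLE):
        print(opt)
    print("source routed:", has_source_route(LSRR_EXAMPLE))
```

The length checks matter as much as the decoding: a malformed length that runs past the header is rejected rather than read out of bounds, which is where option parsers in real stacks have historically gone wrong.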
ICMP Attacks (figure: ICMP beside TCP and UDP, above IP)
ICMP query messages (figure: header with Type, Code, Checksum, Identifier, Sequence #, followed by Data)
Type:
- 0 Echo Reply
- 8 Echo Request
- 13 Timestamp Request
- 14 Timestamp Reply
- 15 Information Request
- 16 Information Reply
- 17 Address Mask Request
- 18 Address Mask Reply
Code: codes associated with each ICMP type
Checksum: checksum value of the header fields (excluding the checksum itself)
Examples: Echo Request (Type=8), Timestamp Request (Type=13), Timestamp Reply (Type=14)
ICMP error messages (figure: header with Type, Code, Checksum, Unused, followed by the IP header + 8 bytes of the original datagram data)
Type:
- 3 Destination Unreachable
- 4 Source Quench
- 5 Redirect
- 11 Time Exceeded
- 12 Parameter Problem
Code: codes associated with each ICMP type
Checksum: checksum value of the header fields (excluding the checksum itself)
Examples: Source Quench (Type=4), Redirect (Type=5), Time Exceeded (Type=11), Parameter Problem (Type=12)
ICMP Attacks
ICMP Floods: many ICMP packets to a single host
(figure: IP header followed by the ICMP Type, Code and Checksum fields)
Smurfs
- ICMP echo request with a spoofed source address
- Destination address set to the network broadcast address of a network (the so-called ping amplifier)
- All hosts on the pinged network reply to the spoofed address
- Interface command: no ip directed-broadcast
Ping of Death
- IP ping > 65535 bytes (ICMP echo request)
- Transmitted in fragments
- Crashes some operating systems on reassembly
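The ICMP checks from the last few slides (type decoding and checksum for the query and error headers, ICMP floods, echo requests aimed at a directed broadcast address, and a fragment that would reassemble past 65535 bytes) as an added Python inspector; this is not code from the slides or from Cisco. The protected network, the flood threshold and window, and the sample datagrams are all constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

# ICMP type numbers from the two tables in the slides.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp Request",
              14: "Timestamp Reply", 15: "Information Request",
              16: "Information Reply", 17: "Address Mask Request",
              18: "Address Mask Reply"}

# Assumptions, not from the slides: the protected network whose directed
# broadcast address a smurf would aim at, and a flood threshold per host.
PROTECTED_NET = ip_network("192.0.2.0/24")
FLOOD_THRESHOLD = 100   # echo requests to one host ...
FLOOD_WINDOW = 1.0      # ... within this many seconds


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; over a valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class IcmpInspector:
    def __init__(self):
        self.echo_times = defaultdict(list)  # destination -> recent echo request times

    def inspect(self, packet: bytes, now: float) -> dict:
        """Check one IPv4 datagram for the ICMP problems the slides list."""
        ihl = (packet[0] & 0x0F) * 4
        total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
        proto = packet[9]
        dst = ip_address(packet[16:20])
        offset = (flags_frag & 0x1FFF) * 8
        more_fragments = bool(flags_frag & 0x2000)
        result = {"dst": str(dst), "findings": []}
        if proto != 1:
            result["findings"].append("not ICMP")
            return result
        # Ping of death: this fragment would reassemble past the 65535-byte IP maximum.
        if offset + (total_len - ihl) > 65535:
            result["findings"].append("fragment reassembles beyond 65535 bytes (ping of death)")
        if offset > 0:
            return result  # only the first fragment carries the ICMP header
        icmp = packet[ihl:total_len]
        itype, code, _cksum = struct.unpack("!BBH", icmp[:4])
        result["type"] = ICMP_TYPES.get(itype, f"type {itype}")
        result["code"] = code
        if not more_fragments and internet_checksum(icmp) != 0:
            result["findings"].append("bad ICMP checksum")
        if itype == 8:
            if dst == PROTECTED_NET.broadcast_address:
                result["findings"].append("echo request to directed broadcast (smurf amplifier)")
            recent = [t for t in self.echo_times[str(dst)] if now - t <= FLOOD_WINDOW]
            recent.append(now)
            self.echo_times[str(dst)] = recent
            if len(recent) > FLOOD_THRESHOLD:
                result["findings"].append("ICMP echo flood")
        return result


def build_icmp_packet(src, dst, itype, payload=b"", ident=1, offset=0) -> bytes:
    """Constructed IPv4+ICMP datagram with a correct ICMP checksum; the IP
    header checksum is left at zero."""
    body = struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1) + payload
    body = body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident,
                         offset // 8, 64, 1, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + body


if __name__ == "__main__":
    inspector = IcmpInspector()
    print(inspector.inspect(build_icmp_packet("198.51.100.9", "192.0.2.255", 8), now=0.0))
    print(inspector.inspect(build_icmp_packet("198.51.100.9", "192.0.2.10", 8, b"A" * 1000,
                                              offset=65528), now=0.0))
```

The ping-of-death check works on the fragment that arrives, not on the reassembled datagram: offset plus fragment payload exceeding 65535 is visible in the IP header alone, so a stateless device can drop it before any host attempts reassembly.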
Loki Attack
- Loki ICMP tunnel
- Loki is a tool used to hide hacker traffic inside an ICMP tunnel. It requires root access.
- Original Loki: Phrack Issue 51
TCP Attacks
- TCP traffic records
- TCP port scans
  - Common scans use a normal TCP SYN
  - Stealth scans use FIN, SYN-FIN, null, or PUSH and/or fragmented packets
(figure: IP and TCP headers with the Source IP and Identification fields highlighted)
Port Sweep
- SYNs to ports < 1024
- Triggers when the type of sweep cannot be determined
Stealth scans: use FIN, SYN-FIN, and null packets
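An added Python example (not from the slides or from Cisco) that classifies a TCP packet by its flag combination into the common-SYN and stealth categories the slides list, and detects the port-sweep pattern of SYNs to many ports below 1024 from one source. The sweep threshold, the flag-bit constants and the sample packet records are constructed for the example.

```python
from collections import defaultdict

# TCP flag bits (low byte of the flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int, fragmented: bool = False) -> str:
    """Name the scan style a single TCP packet resembles, using the slides'
    distinction between a normal SYN and FIN / SYN-FIN / null / PUSH probes."""
    bits = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if bits & ACK:
        return "handshake or established traffic"
    if bits == SYN:
        kind = "common SYN"
    elif bits == 0:
        kind = "stealth null"
    elif bits == (SYN | FIN):
        kind = "stealth SYN-FIN"
    elif bits == FIN:
        kind = "stealth FIN"
    elif bits == PSH:
        kind = "stealth PUSH"
    else:
        kind = "unusual flag combination"
    return kind + " (fragmented)" if fragmented else kind


class SweepDetector:
    """Raises an alert once one source has sent SYNs to `threshold` distinct
    ports below 1024 on the same target (threshold is a constructed value)."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.low_ports = defaultdict(set)   # (src, dst) -> ports < 1024 probed

    def observe(self, src: str, dst: str, dport: int, flags: int,
                fragmented: bool = False) -> list:
        alerts = []
        kind = classify_probe(flags, fragmented)
        if kind.startswith("stealth"):
            alerts.append(f"{kind} probe from {src} to {dst}:{dport}")
        if dport < 1024 and kind.startswith("common SYN"):
            seen = self.low_ports[(src, dst)]
            seen.add(dport)
            if len(seen) == self.threshold:
                alerts.append(f"port sweep: {src} sent SYNs to {len(seen)} ports < 1024 on {dst}")
        return alerts


# Constructed packet records: (source, destination, destination port, flags, fragmented).
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.0.0.80", 21, SYN, False),
    ("203.0.113.5", "10.0.0.80", 22, SYN, False),
    ("203.0.113.5", "10.0.0.80", 23, SYN, False),
    ("203.0.113.5", "10.0.0.80", 25, SYN, False),
    ("203.0.113.5", "10.0.0.80", 80, SYN, False),
    ("203.0.113.9", "10.0.0.80", 139, 0, False),          # null probe
    ("203.0.113.9", "10.0.0.80", 139, SYN | FIN, True),   # fragmented SYN-FIN probe
    ("198.51.100.2", "10.0.0.80", 80, SYN | ACK, False),  # normal reply, no alert
]


def run_sample(packets=SAMPLE_PACKETS, threshold: int = 5) -> list:
    detector = SweepDetector(threshold)
    alerts = []
    for src, dst, dport, flags, frag in packets:
        alerts.extend(detector.observe(src, dst, dport, flags, frag))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Anything carrying ACK is treated as part of an existing connection and never counted, which is why a SYN-ACK reply from a server does not inflate the sweep counter.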
TCP Hijacking
- Access attack: an attempt to take over a TCP session
TCP Intercept (figure: request intercepted, connection established, connection transferred)
- TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
- TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
- Can be configured to passively monitor TCP connection requests and respond if a connection fails to get established within a configurable interval
TCP Intercept
Enable TCP Intercept (global configuration mode):
    access-list access-list-number {deny | permit} tcp any destination destination-wildcard
    ip tcp intercept list access-list-number
TCP Hijacks
- TCP hijacking works by correctly guessing sequence numbers
- Newer O/Ss and firewalls eliminate the problem by randomizing sequence numbers
- TCP hijacking, simplex mode: one command followed by RST
Land.c Attack
- Spoofed packet with the SYN flag set
- Sent to an open port
- Source addr/port same as destination addr/port
- Many operating systems lock up
UDP Attacks
- UDP traffic records
- UDP port scan
- UDP attacks
- UDP applications
(figure: protocol stack, and IP header followed by UDP)
UDP Attacks
- UDP flood (disabled): many UDPs to the same host
- UDP Bomb: UDP length < IP length
- Snork: Src=135, 7, or 19; Dest=135
- Chargen DoS: Src=7 & Dest=19
(figure: IP header followed by the UDP header)
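The four UDP signatures on the slide above as an added Python example (not code from the slides or from Cisco). The slide describes the UDP bomb as "UDP length < IP length"; the check here treats it as a UDP length field that disagrees with the IP payload length, which is an assumption about the intended comparison. The flood threshold and the sample datagrams are constructed.

```python
import struct
from collections import Counter
from ipaddress import ip_address

UDP_FLOOD_THRESHOLD = 50   # constructed: UDP datagrams to one host before alerting


def parse_ip_udp(packet: bytes) -> dict:
    """Pull the fields the UDP checks need out of an IPv4 datagram carrying UDP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len, _cksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"src": str(ip_address(packet[12:16])), "dst": str(ip_address(packet[16:20])),
            "sport": sport, "dport": dport, "udp_len": udp_len,
            "ip_payload_len": total_len - ihl}


def udp_findings(u: dict) -> list:
    """Per-datagram checks named on the slide: UDP bomb, Snork, Chargen DoS."""
    findings = []
    # The slide's "UDP length < IP length": here, a UDP length field that does
    # not match the IP payload length (or is shorter than the UDP header itself).
    if u["udp_len"] < 8 or u["udp_len"] != u["ip_payload_len"]:
        findings.append("UDP length disagrees with IP length (UDP bomb)")
    if u["sport"] in (135, 7, 19) and u["dport"] == 135:
        findings.append("Snork (src 135/7/19 -> dst 135)")
    if u["sport"] == 7 and u["dport"] == 19:
        findings.append("Chargen DoS (src 7 -> dst 19)")
    return findings


class UdpFloodCounter:
    """Counts UDP datagrams per destination host; the slide notes the flood
    signature is disabled by default, so this is an opt-in check."""

    def __init__(self):
        self.per_host = Counter()

    def observe(self, u: dict) -> bool:
        self.per_host[u["dst"]] += 1
        return self.per_host[u["dst"]] > UDP_FLOOD_THRESHOLD


def build_udp(src, dst, sport, dport, payload=b"", udp_len=None) -> bytes:
    """Constructed IPv4+UDP datagram; udp_len overrides the length field so a
    UDP bomb can be built. Checksums are left at zero."""
    length = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + udp


if __name__ == "__main__":
    samples = [
        build_udp("198.51.100.4", "10.0.0.53", 5000, 53, b"\x00" * 10),
        build_udp("198.51.100.4", "10.0.0.53", 5000, 53, b"\x00" * 10, udp_len=4),
        build_udp("198.51.100.4", "10.0.0.135", 135, 135),
        build_udp("198.51.100.4", "10.0.0.19", 7, 19),
    ]
    for pkt in samples:
        print(udp_findings(parse_ip_udp(pkt)))
```

Snork and the chargen loop are both port-pair signatures, so a filter that drops datagrams whose source port is 7, 19 or 135 when they arrive from outside covers both without parsing any payload.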
- Reflexive ACLs allow the packet filtering mechanism to remember state
- Reflexive ACLs are transparent until activated by matching traffic
- Protocol support: TCP, UDP
- Alternative to the established keyword
- Available in Cisco IOS release 11.3
(figure: outbound SYN #1 from source port 1026 to port 23)
- The router monitors the outgoing connection
- It creates a dynamic inbound permit ACL entry using the IP addresses and port numbers
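An added Python model (not code from the slides or from Cisco IOS) of the two stateful behaviours described in the TCP Intercept and Reflexive ACL slides: an outbound connection creating a temporary inbound permit for the reversed addresses and ports, and a watch on inbound connection requests that resets half-open connections which never complete the handshake within an interval while counting them to spot a SYN flood. The timeout, the half-open threshold and the sample connections are assumptions, not IOS defaults.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10


class StatefulTcpFilter:
    """Constructed model of the two behaviours the slides describe:
    - reflexive ACL: an outbound connection creates a temporary inbound permit
      for exactly the reversed addresses and ports;
    - TCP Intercept (watch mode): inbound connection requests to servers are
      tracked, those that never complete the handshake within the interval are
      reset, and the number of half-open connections reveals a SYN flood.
    Timeout and threshold values are assumptions, not Cisco defaults."""

    def __init__(self, watch_timeout: float = 30.0, max_half_open: int = 100):
        self.watch_timeout = watch_timeout
        self.max_half_open = max_half_open
        self.reflexive = set()   # (outside ip, outside port, inside ip, inside port)
        self.half_open = {}      # (client ip, client port, server ip, server port) -> first SYN time

    def outbound(self, src: str, sport: int, dst: str, dport: int, flags: int) -> str:
        """Inside-to-outside traffic is permitted; a new connection (SYN without
        ACK) opens the matching reflexive entry for the reply direction."""
        if flags & SYN and not flags & ACK:
            self.reflexive.add((dst, dport, src, sport))
        return "permit"

    def inbound(self, src: str, sport: int, dst: str, dport: int, flags: int, now: float) -> str:
        """Outside-to-inside traffic: a reflexive entry permits replies; a fresh
        SYN to a server is permitted but watched; anything else is denied."""
        key = (src, sport, dst, dport)
        if key in self.reflexive:
            if flags & RST:               # the far end tore the connection down
                self.reflexive.discard(key)
            return "permit (reflexive)"
        if flags & SYN and not flags & ACK:
            self.half_open.setdefault(key, now)
            return "permit (watched)"
        if flags & ACK and key in self.half_open:
            del self.half_open[key]       # third handshake packet: connection established
            return "permit (established)"
        return "deny"

    def watch(self, now: float) -> dict:
        """Periodic watch-mode pass: report which half-open connections would be
        reset because they exceeded the interval, and whether a flood is under way."""
        stale = [k for k, t in self.half_open.items() if now - t > self.watch_timeout]
        for key in stale:
            del self.half_open[key]
        return {"reset": stale, "half_open": len(self.half_open),
                "syn_flood": len(self.half_open) > self.max_half_open}


if __name__ == "__main__":
    fw = StatefulTcpFilter(watch_timeout=30.0, max_half_open=3)
    # Outbound telnet from 10.0.0.5:1026 opens a reflexive entry (the slides' figure).
    print(fw.outbound("10.0.0.5", 1026, "203.0.113.7", 23, SYN))
    print(fw.inbound("203.0.113.7", 23, "10.0.0.5", 1026, SYN | ACK, now=0.1))
    # Constructed burst of SYNs to the inside web server that never complete.
    for i in range(4):
        fw.inbound(f"198.51.100.{i}", 40000, "10.0.0.80", 80, SYN, now=1.0)
    print(fw.watch(now=2.0))
    print(fw.watch(now=40.0))
```

The reflexive entry is keyed on all four values, which is what distinguishes it from the `established` keyword: a packet with ACK set from an unrelated host does not match, whereas an `established` check would let it through.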
- Denial of Service detection and prevention
- Control downloading of Java applets
- Real-time alerts
- TCP/UDP transaction log
- Configuration and management
(figure: authentication proxy flow between the user, the router and the AAA server; steps shown include 3. Authenticate and 5. Refresh/reload URL)
Mail (figure: IP and TCP headers with Dest Port=25, followed by data)
Mail Attacks
- smail attack
- sendmail invalid recipient
- sendmail invalid sender
- sendmail reconnaissance
- Archaic sendmail attacks
- sendmail decode alias
- sendmail SPAM
- Majordomo exec bug
- MIME overflow bug
- Qmail Length Crash
FTP (figure: IP and TCP headers with Dest Port=21, followed by data)
- TCP port 21
- Attacks include: reconnaissance, access
FTP Attacks
- FTP SITE command attempted
- FTP SYST command attempted
- FTP CWD ~root
- FTP improper address specified
- FTP improper port specified
Web (figure: IP and TCP headers with Dest Port=80, followed by data)
Web Attacks
- phf attack
- General cgi-bin attack
- URL file requested
- glimpse server attack
- IIS View Source bug
- Webgais bug
- WebSendmail bug
DNS Attacks
- DNS HINFO request: potential reconnaissance
- Finger bomb (port 79)
- rlogin -froot (port 513)
- Pop overflow (port 110)
NetBIOS (figure: IP and TCP headers with Dest Port=139, followed by data)
NetBIOS Attacks
- NETBIOS OOB data
- NETBIOS Stat
- NETBIOS Session Setup Failure
- Windows Guest login
- Windows Null Account Name
- Windows Password File Access
- Windows Registry Access
- Windows RedButton
loadmodule Attack
- Telnet IFS=/
- Rlogin IFS=/
Planting .rhosts
- Telnet + +
- Rlogin + +
Back Orifice (figure: IP header followed by the UDP header, Dest Port 31337, then data)
- UDP port 31337
RPC Services
- Applications do not use well-known ports
- They use the portmapper, which registers applications on TCP/UDP port 111
- Attacks include: reconnaissance, access, DoS
(figure: the client, from port 2488, sends GET PORT # to the server's port 111; the client then sends its NFS REQUEST to port 2049)
RPC Attacks
- RPC port registration: remotely registering a service that is not running
- RPC dump: rpcinfo -p <host>
Portmapper Requests
- Requests for services known to be exploited
- In most cases these services should not be used
- If needed, filter the signatures
Ident Attacks
- Ident buffer overflow: IDENT reply too large
- Ident newline: IDENT reply with a newline plus more data
IP Servers on Routers
Trust Exploits
Reconnaissance
Reconnaissance Methods
- Hacker tools: SATAN, NMAP, custom scripts, and so on
Ping Sweeps
- Network mapping: identify potential targets
- ICMP network sweep with Echo (Type=8)
(figure: IP header followed by the ICMP Type, Code and Checksum fields)
Port Scans (figure: IP and TCP headers with the Source IP and Identification fields highlighted)
- Hides internal addresses
- Provides dynamic or static translation of private addresses to registered IP addresses
- Supports true NAT, Overload (same as PAT), and
Initial Access
Access Methods
- Exploit easily guessed passwords
- Brute force: cracking tools
Trojan horses: programs that plant a backdoor into a host
Backdoors
- BackOrifice: Win 95/98 server only; Windows and Unix clients; configurable ports (default UDP 31337); encrypted communications
- BackOrifice ButtPlugs: allow new features to be added easily
Backdoors (cont.)
- NetBus (freeware): remote administration tool; listens on TCP ports 12345, 12346; Trojan program; runs on Win95/98 and NT
Disable:
- IP helper addresses: no ip helper
- IP broadcasting: no ip broadcast-address, no ip directed-broadcast
- Source routing: no ip source-route
- r-commands: no ip rcmd rcp-enable, no ip rcmd rsh-enable
- IDENT: no ip identd
- CDP: no cdp run
- Dynamic circuits: no frame-relay inverse-arp
- Other features: no ip proxy-arp, no ip redirects