Scribd
Upload
402 views50 pages

Attack Methods: Ap/index - SHTML

The document describes various methods attackers use to penetrate targeted systems, including collecting unobtrusive information, scanning networks and hosts, fingerprinting operating systems, exploiting known vulnerabilities, and maintaining access after gaining entry. It discusses techniques like port scanning to find services, spoofing IP addresses, using chains of compromised hosts to launch attacks, and installing rootkits and backdoors. The goal is to stealthily profile the target, break in by exploiting vulnerabilities, and establish continued unauthorized access.

Uploaded by

Hina Shakir
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
402 views50 pages

Attack Methods: Ap/index - SHTML

The document describes various methods attackers use to penetrate targeted systems, including collecting unobtrusive information, scanning networks and hosts, fingerprinting operating systems, exploiting known vulnerabilities, and maintaining access after gaining entry. It discusses techniques like port scanning to find services, spoofing IP addresses, using chains of compromised hosts to launch attacks, and installing rootkits and backdoors. The goal is to stealthily profile the target, break in by exploiting vulnerabilities, and establish continued unauthorized access.

Uploaded by

Hina Shakir
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 50

Attack Methods

http://www.networkuptime.com/nm
ap/index.shtml
Targeted System Penetration (Break-
In Attacks)
 Unobtrusive Information Collection
 Do research before sending any packets into the
network
 Use in social engineering attacks

 Use as background for packet attacks

 Corporate website
 Trade press (often online and searchable)
 Securities and Exchange Commission (SEC)
web-enabled Internet financial database (Figure
4-2)
2
Figure 4-2: Securities and Exchange
Commission's Edgar Service

3
Targeted System Penetration (Break-
In Attacks)

 Unobtrusive Information Collection


 Whois database (Figure 4-3)
 Information about responsible person
 Information about IP addresses of DNS
servers, to find firm’s IP address block
 Easy if assigned a classful address block
(Figure 4-4)
 Difficult is CIDR address block or a block of
ISP addresses

4
Figure 4-3: Whois Entry for
Pukanui.Com (from www.netsol.com)
 Registrant:
 Panko, Ray (PUKANUI-DOM)
 1000 Pukanui St.
 Honolulu, HI 96821
 US

 Domain Name: PUKANUI.COM

 Administrative Contact:
 Panko, Ray (RP17477) [email protected]

 1000 Pukanui St.
 Honolulu, HI 96821
 US
 (808) 956-8111

5
Figure 4-3: Whois Entry for
Pukanui.Com (from www.netsol.com)
 Registrant:
 Technical Contact:
 VeriSign, Inc. (HOST-ORG)
[email protected]
 VeriSign, Inc.
 21355 Ridgetop Circle
Dulles, VA 20166
US
1-888-642-9675 fax: - [email protected]

Record expires on 07-Jul-2003


Record created on 07-Jul-2001 DNS
Database last updated on 7-Jun-2002 15:07:22 EDT. Servers
 Domain servers in listed order:

 NS76.WORLDNIC.COM 216.168.225.216
 NS75.WORLDNIC.COM 216.168.225.215
6
Figure 4-4: Classful IP Address
Allocations
Class Initial IP Last IP Address in Size or Addresses in
Address in Class Network Block
Class Part Allocated to
Firm
A 0.0.0.1 127.255.255.254 8 16,777,214

B 128.0.0.1 191.255.255.254 16 65,534

C 192.0.0.1 223.255.255.254 24 254

 Example
 Suppose DNS server is 128.171.17.1
 Must be a Class B address block (from table lookup)
 Therefore, the network part is 16 bits: 128.171
 Address block must be 128.171.0.1 to 128.171.255.254 7
Targeted System Penetration (Break-
In Attacks)

 IP Address Spoofing
 Put false IP addresses in outgoing attack
packets
 Attacker is blind to replies
 Use series of attack platforms (Figure 4-5)

8
Figure 4-5: Using a Chain of Attack
Hosts

Allows Reading of Replies


Without Exposing Attacker

Replies

Attacker
1.4.5.6 Victim
Attack
60.77.8.32

Compromised Compromised
Host Host
123.67.8.23 123.67.33.4

9
Figure 4-5: Using a Chain of Attack
Hosts

Attacker
1.4.5.6
Subsequent Trace Back

Successful
Connection
Broken Victim
Connection 60.77.8.32
Broken

Compromised Compromised
Host Host
123.67.8.23 123.67.33.4
10
Figure 4-1: Targeted System
Penetration (Break-In Attacks)

 Host Scanning
 To identify IP addresses of potential victims
 Ping individual hosts (Figure 4-6)
 Ping all IP addresses in block for live IP
addresses (Figure 4-7)

11
Figure 4-6: Ping at the Windows
Command Prompt

12
Figure 4-7: Ping Scanning With Ping
Sweep

13
Figure 4-1: Targeted System
Penetration (Break-In Attacks)

 Host Scanning
 Ping often is blocked by firewalls
 Send TCP SYN/ACK to generate RST segments
(Figure 4-8)
 These are carried in IP packets that reveal
the potential victim’s IP address
 Other RST-generating attacks (SYN/FIN
segments)

14
Figure 4-8: TCP SYN/ACK Host
Scanning Attack

15
Figure 4-1: Targeted System
Penetration (Break-In Attacks)
 Network Scanning
 To learn about router organization in a network
 Send Traceroute messages (Tracert in Windows
systems)
 Port Scanning
 Most break-ins exploit specific services
 For instance, IIS webservers

 Services listen for connections on specific


TCP or UDP ports (HTTP=80)

16
Targeted System Penetration (Break-
In Attacks)
 Port Scanning
 Scan servers for open ports (Figure 4-9)
 Send SYN segments to a particular port number
 Observe SYN/ACK or reset (RST) responses
 May scan for all well-known TCP ports (1024) and all well-
known UDP ports (1024)
 Or may scan more selectively
 Scan clients for Windows file sharing ports (135-139)
 Stealth scanning
 Scan fewer systems and ports and/or scan more slowly to
avoid detection
17
Targeted System Penetration (Break-
In Attacks)

 Fingerprinting
 Identify a particular operating system or
application program and (if possible) version
 For example, Microsoft Windows 2000 Server
 For example, BSD LINUX 4.2
 For example, Microsoft IIS 5.0
 Useful because most exploits are specific to
particular programs or versions

18
Targeted System Penetration (Break-
In Attacks)

 Fingerprinting
 Active fingerprinting
 Send odd messages and observe replies
 Different operating systems and application
programs respond differently
 Odd packets may set off alarms

19
Targeted System Penetration (Break-
In Attacks)

 Fingerprinting
 Passive fingerprinting
 Read packets and look at parameters (TTL,
window size, etc.)
 If TTL is 113, probably originally 128. Windows 9X,
NT 4.0, 2000, or Novell NetWare
 Window size field is 18,000. Must be Windows
2000 Server

 Less precise than active fingerprinting

20
Figure 4-9: NMAP Port Scanning and
Operating Systems Fingerprinting

21
Targeted System Penetration (Break-In
Attacks)
 The Break-In
 Password Guessing
 Seldom works because attacker is locked our after a
few guesses
 Exploits that take advantage of known vulnerabilities that
have not been patched
 Exploits are easy to use
 Frequently effective
 The most common break-in approach today
 Session hijacking (Figure 4-10)
 Take over an existing TCP communication session
 Difficult to do (must guess TCP sequence numbers),
so not commonly done
22
Figure 4-10: Session Hijacking

23
Targeted System Penetration (Break-
In Attacks)

 After the Break-In


 Install rootkit
 Usually downloaded through trivial file
transfer protocol (TFTP)
 Erase audit logs
 Create backdoors for reentry if original hacking
vulnerability is fixed
 Backdoor accounts

 Trojanized programs that permit reentry

24
Targeted System Penetration (Break-
In Attacks)

 After the Break-In


 Weaken security
 Unfettered access to steal information
 Install victimization software
 Keystroke capture programs

 Spyware

 Remote Administration Trojans (RATs)

 Attack software to use against other hosts

25
Denial-of-Service (DoS) Attacks

 Introduction
 Attack on availability
 Act of vandalism

 Single-Message DoS Attacks


 Crash a host with a single attack packet
 Examples: Ping-of-Death, Teardrop, and LAND
 Send unusual combination for which developers
did not test

26
Denial-of-Service (DoS) Attacks

 Flooding Denial-of-Service Attacks


 SYN flooding (Figure 4-12)
 Try to open many connections with SYN
segments
 Victim must prepare to work with many
connections
 Victim crashes if runs out of resources; at
least slows down
 More expensive for the victim than the
attacker
27
Figure 4-12: SYN Flooding DoS
Attack

SYN SYN SYN SYN SYN

Attacker Sends Flood of SYN Segments


Attacker Victim Sets Aside Resources for Each Victim
1.34.150.37 Victim Crashes or Victim Becomes Too 60.168.47.47
Overloaded to Respond to the SYNs
from Legitimate Uses

28
Figure 4-13: Smurf Flooding DoS
Attack
“Innocent” Firm

Echo

Attacker 4.
2.
1.34.150.37 Echo Replies
Router with
Broadcasting
1. Enabled
Single ICMP Echo Message
Source IP: 60.168.47.47
(Victim) Destination IP:
Broadcast 3.
Broadcast
Echo
Victim Message
60.168.47.47
29
Distributed Denial-of-Service (DDoS)
Attack
Handler Zombie
Attack Attack
Command Command Attack Packet

Attacker Victim
1.34.150.37 60.168.47.47
Attack Packet
Attack
Command
Attack
Command Zombie

Attack Packet
Attack
Command

Handler
Zombie
30
Figure 4-11: Denial-of-Service (DoS)
Attacks

 Stopping DoS Attacks


 Ingress filtering to stop attack packets (Figure 4-
14)
 Limited ability of ingress filtering because link to
ISP might become overloaded
 Egress filtering by attacker’s company or ISP
 Requires cooperating from attacker’s company
or ISP
 Requires a community response; victim cannot
do it alone
31
Figure 4-15: The Difficulty of Stopping
DoS Attacks
4. Attacks Must Be
3. Stopped on the Internet
Legitimate
Packets Cannot
Border Get Through
Site
Firewall
2.
Internet
Attack Attack packets ISP Backbone
Packets
Blocked
But

5. Other Companies Must


1. ISP Access Line Saturated Harden Hosts So They
by Attack Packets Are Not Compromised and
Used in Attacks

32
Figure 4-16: Malicious Software
(Malware)

 Malware: Malicious software


 Essentially an automated attack robot
capable of doing much damage
 Usually target-of-opportunity attacks

33
Figure 4-16: Malicious Software
(Malware)
 Types of malware
 Viruses: infect files or system sectors on disk
 Attach themselves to executable programs or
to disk system sectors (mostly the former)
 Infected file must be executed for virus to be
able to work
 Worms: propagate by themselves between hosts
 Payloads
 Malicious: designed to do damage

 “Benign” may do damage accidentally


34
Figure 4-16: Malicious Software
(Malware)

 Types of malware
 Active Content in Webpages, HTML E-Mail
Bodies
 HTML scripts or small programs (applets)

 Attack directly when clicked on or download a


malicious program
 User can turn off active content execution,
but webpage functionality will be reduced
 Non-mobile malware
 Trojan horses, etc.

35
Figure 4-16: Malicious Software
(Malware)

 Types of malware
 Blended threats combine attack vectors and
after-attack damage tools
 Propagate in multiple ways: as viruses,
worms and active content
 Afterward, do damage directly, and download
non-mobile attack programs

36
Figure 4-16: Malicious Software
(Malware)

 Viruses
 Executable versus macro viruses
 Executable viruses attach to executable
programs (traditional)
 Macro viruses attach as macros (series of
commands) to data file; executed when file is
opened
 Propagation vectors
 Exchange floppy disks (rare)
37
Figure 4-16: Malicious Software
(Malware)
 Viruses
 Propagation vectors
 E-mail attachments
 E-mail offers easy attachment delivery
 90% of viruses spread via e-mail
attachments today
 An epidemic: virus in every 200 to 400 e-
mail messages
 Some users open attachments from
people they trust
38
Figure 4-16: Malicious Software
(Malware)
 Viruses
 Propagation vectors
 E-mail attachments

 But good people get viruses


 Viruses send e-mail pretending to be
coming from victim
 Should open e-mail attachments only if
specifically expected and still scan with
updated virus program
 HTML bodies may execute malware
automatically
39
Figure 4-16: Malicious Software
(Malware)

 Viruses
 Propagation vectors
 IRC and instant messaging (IM)

 FTP and website downloads

40
Figure 4-16: Malicious Software
(Malware)

 Antivirus Protection
 Location for Filtering
 On clients (often disabled by users)
 On mail servers (does not require user
compliance)
 Outsourced e-mail scanning outside the firm
(advantages of scale and experience)

41
Figure 4-16: Malicious Software
(Malware)

 Antivirus Protection
 Scanning Method
 Signature scanning (characteristic sequence
of commands for a particular virus)
 Dominant scanning method today
 Behavioral scanning (what the virus tries to
do, for instance reformat the hard drive)
 Can stop new viruses and worms
 Many false alarms and misses
42
Figure 4-16: Malicious Software
(Malware)

 Antivirus Protection
 Two nightmares for antivirus professionals
 Flash viruses that spread too rapidly for
signatures to be developed
 Not a theoretical concern. In 2001, Nimda
became the most widespread Internet
virus/worm within 22 minutes!
 Behavioral scanning and outsourcing firms
that see many instances quickly will
become important
43
Figure 4-16: Malicious Software
(Malware)

 Antivirus Protection
 Two nightmares for antivirus professionals
 Metamorphic viruses
 Instead of placing their code at the end of
the infected file, they place it throughout
the file
 Might make signature detection inaccurate
 Might make signature detection too slow to
be workable
44
Figure 4-16: Malicious Software
(Malware)

 Antivirus Protection
 Recovery
 Detection and Identification
 Repair
 Go to the antivirus vendor’s website
 Malware-specific repair program or manual
procedure

45
Figure 4-16: Malicious Software
(Malware)
 Antivirus Protection
 Recovery
 Repair

 Often, infected programs must be reinstalled-


sometimes the entire operating system
 Some or all data since the last backup might be
lost
 If damage to data files took place over a period
of time, a company might not know when its last
clean backup was
 Extremely time consuming 46
Figure 4-16: Malicious Software
(Malware)

 Nimda Worm of 2001


 Highly sophisticated blended threat
 Spread by infected clients infecting other clients
 Spread by sending e-mail in client’s name
(often accepted because receivers recognize
and trust the name)
 Spread by open file shares on client

47
Figure 4-16: Malicious Software
(Malware)

 Nimda Worm of 2001


 Spread by infected clients infecting webservers
 Client scanning for IIS webservers almost
constitutes a DoS attack
 Client infects IIS webserver through
backdoors left by previous viruses and worm
 Client infects IIS webserver through
unpatched directory traversal vulnerability

48
Figure 4-16: Malicious Software
(Malware)

 Nimda Worm
 Spread by IIS webserver infecting clients with
malicious links, often executed automatically
when the page is downloaded
 Trojanizes various files so they are difficult to
find and clean out
 Multiple propagation vectors allowed Nimda to
become the Internet’s most widespread
virus/worm within 22 minutes

49
Figure 4-16: Malicious Software
(Malware)
 MyDoom Worm (2004)
 mass-mailing worm selects from a list of email subjects,
message bodies, and attachment file names for its
email messages. It spoofs the sender name of its
messages so that they appear to have been sent by
different users instead of the actual users on infected
machines.
 can also propagate through the Kazaa peer-to-peer file-
sharing network
 performs a denial of service (DoS) attack against the
software business site www.sco.com
 runs a backdoor component, which it drops as the file
SHIMGAPI.DLL. The backdoor component opens port 3127
to 3198 to allow remote users to access and manipulate
infected systems
 One in nine emails infected within the first week

50

You might also like