Network Security
by: Mark Lachniet (mark@lachniet.com)
Introductions
• Mark Lachniet
• Director of Information Data Systems at Holt Public Schools
• Novell Master CNE
• Freeware
• Disc Golf <yay!>
And the Victim
A.K.A. “Fred”
“White Hats” and “Black Hats”
• The good guys versus the bad guys
• Some developers of “hacking” programs do so to educate others and point out flaws for the betterment of computer security
• A wide variety of “white hat” help, advisories, and lists are available
• Also an ever-growing group of “black hats” armed with easy-to-use scripts, known as “script kiddies”
Networks & Servers
• Requirement to do business
• Time and knowledge intensive to manage
• Many connected to the Internet
• Easy availability of hacking tools
= DANGER
Security Risks
• Physical, logical, and policy security
• User habits - passwords, logging in & out
• Software bugs, viruses & Trojans
• Network attacks
• Disgruntled employees
• Competitors
• Bored K12 students :)
Focusing on the Net
• Focus on networks and the Internet
• Most school districts are connected to the Internet
• The threat of a remote compromise
• If a hacker can “own” your net, he can get access to virtually all of your important data
• Developments in security happen in “Internet Time” (quick!)
• Takes a lot of time to research and implement good security
Running on Internet time
• This presentation represents *my* knowledge at this time (10/98)
• I don’t really consider myself a security expert, just a network administrator
• There is undoubtedly a great deal I do *not* know and should be telling you
• The technology changes quickly - assume that it already has
• Nonetheless, hopefully this will help you in your own IT work
Types of Risks
• DoS - Denial of Service
• Exploits - getting administrator access
• Password cracking - brute force
• Network mapping - host/port scans
• Sniffers - intercept passwords on the net
• Trojans and backdoors - getting back into the system
• Misc - networked printers, routers, etc.
• And more...
Denial of Service
• Through some mechanism, services on the network or server are disabled
• Often due to poor programming (for example buffer overflows)
• What is a buffer overflow?
• DoS attacks exist for virtually every computer type from UNIX to PC
• Windows NT is vulnerable to some DoS attacks, even with current service packs
• TCP/IP stacks often vulnerable as well
• Used for destructive purposes (why else?)
Exploits
• Generally used to obtain administrator privileges on a server
• Most often for UNIX operating systems, but sometimes for NT/Novell as well
• Usually distributed as source code or shell scripts (hence “script kiddies”)
• Usually involves a server program with administrator privileges that is misconfigured or has a bug in it
• Exploits are easy to obtain and run!
Network scanners
• Useful for getting the “lay of the land”
• Determining what computers are connected to the net and the services they offer
• Often used in coordination with exploits to scan a LARGE number of IP addresses for hosts which are vulnerable
• This is happening right NOW! Take a look at your web server logs and you can bet you will see their handiwork
• Some scanners can even tell what kind of computer is in use.
About those “script kiddies”
• Whereas once hacking was something done by a technical elite, now programs of mass destruction are widely available
• People with little or no actual knowledge can use powerful tools to compromise security
• If you haven’t been scanned yet, it is just a matter of time
• You NEED to know if your security is good before they find out for you
Network Sniffers
• Used to snoop on network traffic
• Can obtain usernames and passwords from plaintext transmissions such as Telnet, FTP, and mail
• Can also be used for other malicious purposes
• Assume that all traffic on the Internet is being watched by *someone*
• Encryption is protection against this kind of attack
• Telnet vs. Secure Shell [demo]
Network Sniffers, cont.
• Some sniffers can “hijack” a connection between two other hosts and take over one of the ends of the conversation
• Some sniffers can destroy a connection as well, rendering the connection useless
• Sniffers are often used in combination with other programs such as Trojans
• Sniffers are frequently used to obtain additional passwords from an already-compromised host
Brute force attacks
• Most passwords are one-way encrypted. When you type in your password, it is encrypted and compared to the one the system has on file for you. If the encrypted results match, you typed the right word.
• Brute force engines attempt to encrypt an entire dictionary, one word at a time, in hopes of getting the password
• Can be used to obtain administrator privileges on NT, Novell, and UNIX!
• Servers respond by disabling login or slowing down drastically after a certain number of failed logins, thereby making it very time consuming to attack them
Brute force on Windows NT
• Windows NT is especially vulnerable to brute force attacks such as NAT (NetBIOS Audit Tool)
• Under NT, the Administrator account cannot be disabled, so it is open to unlimited (and fast) brute force attacks
• Never let your NT admin password be in the dictionary!
• Can be hacked from anywhere on the Internet if your server is connected to the net
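The one-way password check, the failed-login slowdown from the previous slide and the "never let the admin password be in the dictionary" rule, as an added Python example (not code from the presentation): a small login routine whose lockout applies to every account, the administrator included. The wordlist, the lockout numbers and the use of PBKDF2 are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed for this example (not from the slides): a tiny wordlist and a lockout policy.
DICTIONARY = {"password", "secret", "letmein", "holt", "fred", "10th", "1st", "2nd", "3rd"}
MAX_FAILURES = 5        # lock the account after this many consecutive bad guesses
LOCKOUT_SECONDS = 900   # and keep it locked for 15 minutes

def hash_password(password, salt=None):
    """One-way transform: the system stores (salt, digest), never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    # 100k iterations make every guess expensive, which is what slows a brute force engine
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_allowed(password):
    """The slides' rule: never let the password be a word in the dictionary."""
    return len(password) >= 8 and password.lower() not in DICTIONARY

class Account:
    def __init__(self, password):
        if not password_allowed(password):
            raise ValueError("password is a dictionary word or too short")
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = 0.0   # clock value until which logins are refused

def login(acct, guess, now):
    """Return 'ok', 'bad' or 'locked'; 'now' is the caller's clock in seconds."""
    if now < acct.locked_until:
        return "locked"           # refuse without evaluating the guess at all
    _, digest = hash_password(guess, acct.salt)
    if hmac.compare_digest(digest, acct.digest):
        acct.failures = 0         # a good login resets the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return "bad"

def guesses_evaluated(acct, wordlist, now=0.0):
    """Run a wordlist against one account and count how many guesses the server actually checked."""
    checked = 0
    for word in wordlist:
        if login(acct, word, now) == "locked":
            break
        checked += 1
    return checked
```

With the lockout in place a wordlist run stops after MAX_FAILURES guesses, which is the behaviour NT's Administrator account lacked.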
Screen-shot of a NT hack on my home server
[*]--- Attempting to connect with name: PUTZY
[*]--- CONNECTED with name: PUTZY
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Oct 5 12:08:15 1998
[*]--- Timezone is UTC-4.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: PUTZY
[*]--- CONNECTED with name: PUTZY
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `10th'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `1st'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `2nd'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `3rd'
And so on...
Microsoft sharing shares too much information - another screen from home
[*]--- Checking host: 10.0.0.4
[*]--- Obtaining list of remote NetBIOS names
[*]--- Remote systems name tables:
PUTZY
LACHNIET
LACHNIET
PUTZY
LACHNIET
PUTZY
ADMINISTRATOR
LACHNIET
INet~Services
LACHNIET
IS~PUTZY
^A^B__MSBROWSE__^B
All of this information helps the hackers...
Admin’s name
NT server name
Workgroup name
Programs running on the server
NetWare is not immune
• NetWare can also be brute force attacked
• NetWare 3.x is more vulnerable than 4.x+
• Pandora - designed to crack a copy of directory services
• For NetWare 4.x+, generally requires access to the console or administrator access to acquire a copy of directory services
Brute force and UNIX
• Brute force attacks originated on UNIX to crack the /etc/passwd file
• Requires a user account or stolen password file
• Shadow passwords or other more advanced authentication systems can reduce the risk of this type of attack in UNIX environments
• Once again, just don’t ever use a password that is in the dictionary, or a place, or your mom, or your dog, etc.
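An added example (not from the presentation) of the shadow-password point above: a Python check over a constructed /etc/passwd snippet that flags entries whose hash still sits in the world-readable passwd file instead of in shadow, entries with no password at all, and extra UID 0 accounts. The sample file, its hash string and its usernames are made up for this example.

```python
# Constructed sample of an /etc/passwd file (the hash value is made up, not a real digest):
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
fred:$1$abcdefgh$NotARealHashJustConstructed12:1001:1001:Fred:/home/fred:/bin/sh
guest::1002:1002:Guest account:/home/guest:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
"""

# Password-field markers that mean "no hash here": shadowed ('x') or locked ('*', '!', '!!').
NO_HASH_MARKERS = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (user, problem) pairs for entries that help a password cracker or an intruder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "no password set"))
        elif pw not in NO_HASH_MARKERS:
            # The hash is in the world-readable file, so any local user can copy it and crack it offline
            findings.append((user, "hash stored in world-readable passwd (no shadow)"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings
```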
Miscellaneous Attacks
• Lots of other strange bugs exist in everything from server software to routers and printers
• For example, HP Jet Direct printers can be controlled and crashed remotely
• With physical access, certain routers (e.g. Cisco) can be taken over
• “Fake Mail” is a good example of the lack of security on the Internet [demo]
Trojans and back doors
• Are used to obtain or keep access to a system
• Are remotely accessible, often with a simple password
• Allow full control of the host computer
• For UNIX, usually provides a root shell through a booby-trapped server program
• Under Windows 95, “Back Orifice” is all the rage in Trojan technology
• Once you have one, as you will see, nothing is safe
State of the art software: “Back Orifice”
• Written by the “Cult of the Dead Cow”
• Is small and powerful (only 128k bytes!)
• Is similar to a virus - some program containing the program must be run on the computer in question
• Generally distributed hidden inside of other legitimate programs (such as FTP downloads or E-Mail attachments)
• Quietly installs itself and hides the evidence, running in the background at all times
• Makes use of additional features through “Butt plug-ins”
Back Orifice Butt Plug-ins
• A Butt plug-in is installed along with the trojan and provides additional capabilities
• Butt-Trumpet sends an Email stating the IP address of the compromised computer (making you vulnerable even if you have a dialup connection)
• Butt-Sniffer allows a remote user to monitor network traffic on *your* local area network
• The potential is limitless [demo]
Are you ever going to trust an attachment again?
• Since Email can be forged to appear to be coming from just about anyone, ALL email attachments are suspect!
• Make people in your organization aware of this risk - many people will click on anything that comes their way
L0pht Crack
• Multi-purpose NT hacking utility
• Performs brute force attacks on NT passwords (from the registry, from Emergency Repair discs, and from sniffed network traffic)
• Integral sniffer to snatch NT passwords off the network for hacking
• http://www.l0pht.com (web site)
Nessus
• Is a client/server hacking program similar to “Satan”
• Server runs on a UNIX host (usually someone else’s who has already been hacked)
• The hacker runs a client remotely and submits requests to the Nessus server
• The Nessus server scans a range of hosts for known vulnerabilities and provides a detailed report back to the client
• All the activity appears to come from the hacked server host, so the hacker goes free!
• The next big thing: coordinated server attacks!
Getting help!
• Okay, so now you are worried!
• Research your operating systems on the net
• Subscribe to Bug-Traq and other listservs
• The best way to know that you are secure is to hack your own network! It would be in your best interests to get someone to audit your security. If you don’t, someone will!
• Always keep up to date with service packs and patches
• Register your product so you will be made aware of security issues by the manufacturer
• Allow time for technical personnel to research security and improve their skills