Security+ All-In-One Edition Chapter 13 – Specific Attacks Brian E. Brzezicki
TRANSCRIPT
![Page 1: Security+ All-In-One Edition Chapter 13 – Specific Attacks Brian E. Brzezicki](https://reader035.vdocument.in/reader035/viewer/2022062716/56649dd05503460f94ac5f34/html5/thumbnails/1.jpg)
Security+All-In-One Edition
Chapter 13 – Specific Attacks
Brian E. Brzezicki
Attacks
Attacks Overview (391)
There are generally two reasons someone is attacked
• You are specifically targeted
– Company with money
– Company with secrets
– Revenge
– “hacktivist”
– Hard to stop..
• You are a target of opportunity
– Low hanging fruit
– Script Kiddies
– Most common, make yourself less easy
(more)
Steps in an Attack (392)
Any good hacker will take a few common steps to attack a site; these can generally be ordered from 1-4
1. Reconnaissance – learn about the company in general
2. Scanning – scan the network and learn about the network
– Ping sweeps
– Port scans
– Banner grabs
– OS fingerprinting (see later slide)
(more)
Steps in an attack (392)
3. Research Vulnerabilities – now that we know what software is running, and hopefully the version, figure out what attacks it might be vulnerable to
– Nessus is a good tool
– Security mailing lists (Bugtraq) and sites
4. Performing the attack
Minimizing Attacks (394)
Often you are going to be attacked by “script-kiddies”; the easiest way to protect against them is simply to make their job hard and they’ll move on somewhere else.
• Make sure OS and Apps are up to date with patches
• Turn off and remove unnecessary services and software
• Run a host based firewall
• Don’t display information in service banners
• Don’t provide any information about your network/systems publicly
Terms (398)
Trapdoor – a method usually put into an OS or application that allows the software developers to bypass security controls for the purpose of debugging or troubleshooting.
Backdoor – A program installed into a compromised computer to allow hackers to access the machine
• Example: Back Orifice, NetBus
(more)
Terms (413)
Root kit – a program installed on a compromised system to hide a hacker’s tracks and help them to maintain continued access to a machine
DoS
DoS (394)
What is a DoS?
Which of the CIA triad does it attempt to affect?
How does it work?
• Buffer overflows
• Protocol violations
• Brute Force
(more)
DoS Attacks
Some famous DoS attacks
• Ping of Death
– Oversized Ping Packet
– Counter Measures – Patch OS
• Tear Drop
– Specially crafted overlapping IP Fragments (next)
• SYN Flood (later)
• Smurf (2 slides away)
Tear Drop (n/b)
Smurf Attack (n/b)
Smurf Attack
How would a smurf attack someone?
1. Find site to attack, say www.ebay.com
2. Forge Ping packet from www.ebay.com to a BROADCAST network address
3. Watch as the computers on the network all start pinging back www.ebay.com
Countermeasures
• Drop forged packets at routers
• Drop directed broadcasts
Smurf Attack
SYN Flood (395)
Attack
– Forge IP SYN packet from downed system
– Server responds to fake downed address, which never responds
– Use up all the “listen queue” slots
– Stops real new connections from establishing
Countermeasures
• Stop forged packets at ingress/egress routers
• Patch OS
• Decrease 3 way handshake timeout values
• Increase 3 way handshake max connections
• Use a firewall as a middleman
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1 AND
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
SYN Flood (395)
• use regedt32
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1 AND
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
By the way the info is at http://technet.microsoft.com/en-us/library/cc938202.aspx
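Two of the countermeasures above (shorter handshake timeouts, a larger half-open queue) can be reasoned about with a small model. The following is an added example, not code from the slides or the book: a discrete-time simulation of a server's listen queue under a flood of spoofed SYNs whose sources never answer the SYN-ACK. All parameters (queue size, timeout, flood rate) are constructed for illustration.

```python
"""Discrete-time model of a TCP listen (half-open) queue under a SYN flood.

Added example, not code from the slides. It models two of the slide's
countermeasures, shorter handshake timeouts and a larger half-open queue,
and reports how many legitimate connections still get established.
All parameters are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(eq=False)
class HalfOpen:
    arrived_at: int   # tick the SYN was queued
    legit: bool       # True if the client will really answer the SYN-ACK


def simulate(ticks, queue_max, handshake_timeout, forged_per_tick, legit_rtt=1):
    """Return (legit_accepted, legit_refused) after `ticks` steps.

    Per tick: legitimate clients whose SYN got a slot `legit_rtt` ticks ago
    send their ACK (handshake done, slot freed); entries older than
    `handshake_timeout` are reaped (spoofed sources never answer, so this is
    the only way they leave); `forged_per_tick` spoofed SYNs take free slots;
    then one legitimate SYN arrives and is refused if the queue is full.
    """
    queue = []
    accepted = refused = 0
    for t in range(ticks):
        finished = [h for h in queue if h.legit and t - h.arrived_at >= legit_rtt]
        accepted += len(finished)
        queue = [h for h in queue
                 if h not in finished and t - h.arrived_at < handshake_timeout]
        for _ in range(forged_per_tick):
            if len(queue) < queue_max:
                queue.append(HalfOpen(t, legit=False))
        if len(queue) < queue_max:
            queue.append(HalfOpen(t, legit=True))
        else:
            refused += 1
    return accepted, refused


def compare(ticks=50, forged_per_tick=4):
    """Run the same flood against three server configurations.

    Steady-state spoofed occupancy is forged_per_tick * handshake_timeout;
    legitimate clients get through only while that stays below queue_max.
    """
    return {
        "baseline (queue 8, timeout 10)": simulate(ticks, 8, 10, forged_per_tick),
        "bigger queue (16, timeout 10)": simulate(ticks, 16, 10, forged_per_tick),
        "bigger queue + short timeout (16, 3)": simulate(ticks, 16, 3, forged_per_tick),
    }


if __name__ == "__main__":
    for label, (ok, dropped) in compare().items():
        print(f"{label}: {ok} legitimate connections established, {dropped} refused")
```

The model makes the slide's point concrete: enlarging the queue alone only delays starvation, while a shorter timeout reaps the spoofed entries faster than the flood refills them. Real stacks add SYN cookies and the Windows SynAttackProtect behaviour the slide cites, which the model does not represent.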
SYN Flood Example
DDoS (397)
Distributed Denial of Service – a brute force method that generally uses “zombies” and “botnets” to simply overwhelm a server.
May consist of a hierarchy of Attacker, Masters and Slaves (see image 2 slides)
It’s like Bruce Lee.. He might be able to defeat 10 people at a time… but it’s only a matter of numbers before even he is overwhelmed… could he defeat 10,000 attackers at once?
(more)
DDoS
How are zombies and botnets usually created?
DDoS
Null Session (398)
In early versions of Windows, unauthenticated users could “browse” the network to see what resources existed on the network. This browsing made use of “Null Sessions”, which were open “guest accounts”.
Hackers can use Null Sessions and browsing to learn about the network, and Null sessions should be disabled.
To fight NULL sessions on Windows:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
see http://support.microsoft.com/?kbid=246261
Sniffing
Sniffing (399)
Many Network Communications are sent in “clear text”. Someone gaining access to the physical network that they travel on can conduct a sniffing attack. (do example)
Problems
• Sniff passwords
• See confidential information
Counter measures
• Use encrypted applications (SSL)
• Use encrypted network communications (VPNs)
• Use Switches to battle sniffing
• Restrict physical access to networks
• Use 802.1x to require authorization before allowing network use
Spoofing
Spoofing (401)
Making data look like it came from somewhere that it didn’t (forging)
Spoofing Countermeasure
• Have Internet/perimeter routers drop incoming packets claiming to be from your internal network.
• Have Internet/perimeter routers drop outgoing packets claiming to be from the Internet (spoofed from an inside node)
ARP spoofing or poisoning (n/b)
• ARP poisoning is an attack against a network, where one computer sends fake ARP replies in an attempt to trick another computer on the same network into communicating with it instead of the real machine. This can be used as a man in the middle attack, or a straight “hijacking” attack
• Arpwatch and Xarp are tools to monitor ARP traffic and help detect ARP poisoning.
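What Arpwatch-style monitoring actually does is simple enough to show in a few lines. The following is an added example, not the Arpwatch or XArp code the slide names: it learns IP-to-MAC bindings from observed ARP replies, alerts when an IP's MAC changes, and flags any MAC that answers for several IPs (the pattern of a poisoner claiming both the gateway and a victim). The captured replies and the MAC addresses (documentation range 00:00:5e:00:53:xx) are constructed.

```python
"""Arpwatch-style ARP monitor: learn IP -> MAC bindings and alert on changes.

Added example, not the Arpwatch or XArp code the slide names. Input is a
constructed list of ARP replies seen on the segment as (time, sender IP,
sender MAC). MACs use the documentation range 00:00:5e:00:53:xx.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                      # ip -> mac currently claimed
        self.ips_by_mac = defaultdict(set)      # mac -> every ip it has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        self.ips_by_mac[mac].add(ip)
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac             # first sighting: learn quietly
            return None
        if known != mac:
            alert = {"time": ts, "ip": ip, "old_mac": known, "new_mac": mac,
                     "kind": "changed ethernet address"}
            self.alerts.append(alert)
            self.bindings[ip] = mac             # follow the claim so a flip back is reported too
            return alert
        return None

    def suspicious_macs(self, min_ips=2):
        """MACs answering for several IPs, as a poisoner claiming gateway and victim does."""
        return {m: sorted(ips) for m, ips in self.ips_by_mac.items() if len(ips) >= min_ips}


SAMPLE_REPLIES = [   # constructed capture
    (1, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway announces itself
    (2, "192.0.2.10", "00:00:5e:00:53:0a"),   # workstation
    (3, "192.0.2.1",  "00:00:5e:00:53:01"),   # routine repeat, no alert
    (4, "192.0.2.1",  "00:00:5e:00:53:ff"),   # another MAC now answers for the gateway IP
    (5, "192.0.2.10", "00:00:5e:00:53:ff"),   # and for the workstation: classic poisoning pattern
]


def run(replies):
    mon = ArpMonitor()
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts, mon.suspicious_macs()


if __name__ == "__main__":
    alerts, suspicious = run(SAMPLE_REPLIES)
    for a in alerts:
        print(f"t={a['time']}: {a['ip']} moved from {a['old_mac']} to {a['new_mac']}")
    print("MACs claiming multiple IPs:", suspicious)
```

A changed binding is also what a replaced NIC or a DHCP reassignment looks like, so, as with Arpwatch, the monitor reports and a person decides; the multiple-IP check is the stronger signal because ordinary hosts answer only for their own address.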
Spoofing Email
SMTP (email) has no authentication built into the protocol… therefore spoofing is trivial
Do a quick example
IP Address Spoofing (401)
IP also has no built-in authentication (IP Sec does, but not normal IP), so forging IP packets is trivial. Some systems use IP addresses as “access controls”, so you can bypass firewalls and access controls by spoofing packets (especially UDP).
Countermeasures
• Set routers to drop forged packets? (how?)
• Use IP Sec
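The "how?" of dropping forged packets is the ingress/egress rule from the Spoofing Countermeasure slide, plus the directed-broadcast drop from the Smurf slide. The following is an added example, not code from the slides, showing those three rules as a perimeter filter would apply them; the internal prefix and the packet addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

```python
"""Perimeter anti-spoofing filter: ingress/egress rules plus directed-broadcast drop.

Added example, not from the slides; it models the countermeasures on the
Smurf, Spoofing Countermeasure and IP Address Spoofing slides as a router
or firewall would apply them. The internal prefix and packet addresses are
constructed from documentation ranges.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our own address space


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """direction: 'in' (Internet -> us) or 'out' (us -> Internet).
    Returns ('forward', None) or ('drop', reason)."""
    if direction == "in":
        if is_internal(src):
            return "drop", "ingress: outside packet claims an internal source"
        if is_directed_broadcast(dst):
            return "drop", "ingress: directed broadcast (smurf amplification)"
        return "forward", None
    if direction == "out":
        if not is_internal(src):
            return "drop", "egress: inside host sending with a foreign source"
        return "forward", None
    raise ValueError("direction must be 'in' or 'out'")


SAMPLE_PACKETS = [   # constructed
    ("in",  "198.51.100.7", "192.0.2.20"),    # ordinary inbound traffic
    ("in",  "192.0.2.10",   "192.0.2.20"),    # spoofed: claims to be one of ours
    ("in",  "198.51.100.7", "192.0.2.255"),   # smurf trigger aimed at our broadcast
    ("out", "192.0.2.20",   "198.51.100.7"),  # ordinary outbound traffic
    ("out", "203.0.113.5",  "198.51.100.7"),  # inside host spoofing an outside address
]


def audit(packets):
    """Count forward/drop decisions by reason."""
    return Counter(reason or "forwarded"
                   for reason in (filter_packet(d, s, t)[1] for d, s, t in packets))


if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        print(direction, src, "->", dst, filter_packet(direction, src, dst))
```

The egress rule is the one most sites forget: it does not protect you directly, but it stops your hosts from being used as the forged-source half of a smurf or SYN flood against someone else.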
Man in the Middle Attack (403)
DNS poisoning (n/b)
Faking DNS responses in order to trick a computer into going to your site rather than a real site.
Example. If I can “poison” your DNS cache and redirect www.bankofamerica.com to my IP address, I could put up a fake site and steal your banking information! (or setup a MiM attack)
Replay Attack (404)
Replay Attack – Attacker captures a portion of communications between two parties and retransmits at a later time.
Example: an attacker might replay a series of commands in a financial transaction to cause the transaction to be replayed multiple times.
Countermeasures
• Encryption
• Authentication
• Session lifetimes
• Unique transaction keys
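Three of those countermeasures fit in one message format. The following is an added example, not code from the slides: each message carries an HMAC tag (authentication), a timestamp the receiver checks against a validity window (session lifetime), and a nonce the receiver remembers for the length of that window (a unique transaction key). The shared key and the messages are constructed; a real deployment derives the key per session.

```python
"""Replay protection with a nonce, a timestamp window and an HMAC tag.

Added example, not from the slides. It implements the slide's
countermeasures in one message format: "authentication" (HMAC over the
message), "session lifetimes" (a timestamp window), and "unique
transaction keys" (a per-message nonce the receiver remembers). The key
and messages are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-shared-session-key"   # constructed; derive per session in practice


def make_message(key, body, nonce=None, ts=None):
    """Build an authenticated message; nonce/ts may be fixed for deterministic tests."""
    envelope = {
        "body": body,
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
        "ts": ts if ts is not None else int(time.time()),
    }
    payload = json.dumps(envelope, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    def __init__(self, key, max_age=30):
        self.key = key
        self.max_age = max_age      # seconds a message stays valid (session lifetime)
        self.seen = {}              # nonce -> ts, for nonces still inside the window

    def accept(self, msg, now=None):
        """Return (True, body) or (False, reason)."""
        now = now if now is not None else int(time.time())
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"          # tampered, or not from the key holder
        data = json.loads(msg["payload"])
        if abs(now - data["ts"]) > self.max_age:
            return False, "expired"          # outside the window: rejected without a nonce lookup
        # Forget nonces that fell out of the window; keeps memory bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if data["nonce"] in self.seen:
            return False, "replay"           # same transaction key seen before
        self.seen[data["nonce"]] = data["ts"]
        return True, data["body"]


if __name__ == "__main__":
    receiver = Receiver(KEY)
    msg = make_message(KEY, "transfer 100")
    print(receiver.accept(msg))   # accepted once
    print(receiver.accept(msg))   # the retransmission is refused as a replay
```

The window and the nonce cache work together: the cache only has to remember nonces for `max_age` seconds, because anything older is already rejected by the timestamp check. Encryption (the fourth countermeasure) would wrap the payload separately; it hides the content but by itself does not stop a replay.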
TCP/IP Hijacking
TCP/IP or Session Hijacking – taking over an existing session between a client and a server. You then actually “steal” the connection and you have bypassed any authentication mechanisms.
“hunt” on Linux can be used for TCP Hijacking*
Counter Measures
• Secure networks physically
• Use IP Sec
Covert Channels (n/b)
Covert Channels are a way of people communicating in ways the system never expected (as such nothing is monitoring or protecting/restricting these communications)
Covert Channels are usually used to secretly pass secret information from people of a high clearance to a low clearance. However they can also be used by hackers to secretly communicate through network protection.
One Example is LOKI
LOKI (n/b)
Pings easily go through the firewalls undetected!
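Pings go through undetected only if nobody looks at what they carry. The following is an added example, not LOKI and not code from the slides: a detector that inspects ICMP echo payloads for the things a tunnel changes (payload size and the filler pattern a normal ping client sends) and counts echo requests per source per second. The capture is constructed, and the "normal" layout (56 bytes: an 8-byte timestamp followed by the fixed bytes 0x10..0x3f) is an assumed baseline; real ping implementations vary, so a deployment would learn its own.

```python
"""Heuristic inspection of ICMP echo payloads for covert-channel use.

Added example, not LOKI itself and not code from the slides. The records
and the "normal" payload layout are constructed: this assumes a ping
client that sends 56-byte payloads made of an 8-byte timestamp followed by
the fixed pattern 0x10..0x3f, or 32-byte payloads with the same prefix.
Real tools vary; a deployment would learn its own baseline.
"""
from collections import Counter

PATTERN = bytes(range(0x10, 0x40))          # 48 fixed filler bytes (assumed baseline)
EXPECTED_LENGTHS = {56, 32}                 # constructed baseline payload sizes


def normal_payload(timestamp_bytes=b"\x00" * 8):
    """A payload shaped like the assumed ordinary ping."""
    return timestamp_bytes + PATTERN


def inspect_echo(payload):
    """Return None if the payload looks like ordinary ping filler, else a reason."""
    if len(payload) not in EXPECTED_LENGTHS:
        return f"unexpected payload length {len(payload)}"
    if payload[8:] != PATTERN[:len(payload) - 8]:
        return "payload does not match the ping filler pattern"
    return None


def analyze(records, per_second_limit=5):
    """records: iterable of (timestamp, src, payload). Returns a list of findings."""
    findings = []
    per_src_second = Counter()
    for ts, src, payload in records:
        reason = inspect_echo(payload)
        if reason:
            findings.append((ts, src, reason))
        per_src_second[(src, int(ts))] += 1
    for (src, second), n in per_src_second.items():
        if n > per_second_limit:                # a tunnel needs far more echoes than a ping
            findings.append((float(second), src, f"{n} echo requests in one second"))
    return findings


SAMPLE = [   # constructed capture: two ordinary pings, then two echoes carrying data
    (1.0, "192.0.2.10", normal_payload(b"\x00\x00\x00\x01\x00\x00\x00\x00")),
    (2.0, "192.0.2.10", normal_payload(b"\x00\x00\x00\x02\x00\x00\x00\x00")),
    (5.1, "192.0.2.66", b"\x00" * 8 + b"block-0001:hello covert data".ljust(48, b".")),
    (5.2, "192.0.2.66", b"\x00" * 8 + b"x" * 112),
]


if __name__ == "__main__":
    for ts, src, reason in analyze(SAMPLE):
        print(f"t={ts} {src}: {reason}")
```

The third record is the interesting one for a defender: it is exactly 56 bytes, so a size-only check passes it, and only comparing the filler bytes reveals the carried data. Blocking ICMP echo outright at the perimeter, where the slide's "through the firewalls" remark points, remains the simpler control when ping is not needed.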
MAC flooding (n/b)
MAC Flooding – Putting out tons of packets with different MAC addresses in an attempt to overfill the switch’s MAC tables. If this happens a switch might simply drop into “hub mode” and start simply sending traffic down each port.
Password Attacks
Password Guessing (407)
This is pretty obvious; unfortunately people still use pretty easy to guess passwords (ex. their username or their kids’ names or birthdates)
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
Dictionary Attacks (408)
An attacker tries to go through common dictionary words and variations on words.
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
Brute Force Attacks (408)
Attacker tries every possible password
Example – if a password can be 4 characters of 0-9
Start with 0000, then 0001, then 0002 etc.. All the way to 9999
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
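Two of the countermeasures repeated on these slides, lockout times and login delays, are controls the server enforces, and their effect on the slide's 4-digit example can be measured. The following is an added example, not code from the slides: a lockout-and-delay policy applied to a constructed attacker sending one wrong guess per second for an hour. The keyspace (10 digits, length 4) is the slide's; the policy numbers are constructed.

```python
"""How lockout and login delays bound a guessing attack.

Added example, not from the slides. The 4-digit keyspace is the slide's
own; the policy numbers (5 failures, 15-minute lockout, 2-second delay)
and the one-guess-per-second attacker are constructed. Every attempt is
assumed to be wrong, the worst case for the attacker's budget.
"""


def keyspace_size(alphabet, length):
    return len(alphabet) ** length          # 10 digits, length 4 -> 10000


class LockoutPolicy:
    def __init__(self, max_failures=5, lockout_seconds=900, login_delay=0.0):
        self.max_failures = max_failures    # 0 disables lockout
        self.lockout_seconds = lockout_seconds
        self.login_delay = login_delay      # minimum gap between evaluated attempts
        self.state = {}                     # account -> counters

    def failed_attempt(self, account, now):
        """Record a wrong guess at time `now`; say whether the server even evaluated it."""
        s = self.state.setdefault(account,
                                  {"failures": 0, "locked_until": 0.0, "next_allowed": 0.0})
        if now < s["locked_until"]:
            return "locked"
        if now < s["next_allowed"]:
            return "delayed"
        s["failures"] += 1
        s["next_allowed"] = now + self.login_delay
        if self.max_failures and s["failures"] >= self.max_failures:
            s["failures"] = 0
            s["locked_until"] = now + self.lockout_seconds
        return "evaluated"


def guesses_evaluated(policy, seconds=3600, account="alice"):
    """Attacker sends one wrong guess per second; count how many the server actually checks."""
    return sum(policy.failed_attempt(account, float(t)) == "evaluated" for t in range(seconds))


def hours_to_exhaust(keyspace, guesses_per_hour):
    return keyspace / guesses_per_hour


if __name__ == "__main__":
    space = keyspace_size("0123456789", 4)
    scenarios = [
        ("no controls", LockoutPolicy(max_failures=0)),
        ("2 s login delay", LockoutPolicy(max_failures=0, login_delay=2.0)),
        ("5 failures -> 15 min lockout, 2 s delay", LockoutPolicy(5, 900, 2.0)),
    ]
    for label, policy in scenarios:
        per_hour = guesses_evaluated(policy)
        print(f"{label}: {per_hour} guesses/hour, "
              f"{hours_to_exhaust(space, per_hour):.0f} h to cover all {space}")
```

With no controls the whole 4-digit space falls in under three hours; the lockout policy cuts the attacker to 20 evaluated guesses per hour, so even this tiny keyspace takes 500 hours. Lockouts also hand an attacker a way to lock users out deliberately, which is why the delay (which slows guessing without denying the real user) is the gentler first control.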
Hybrid Attack
Use any combination of the previous password attacks
Birthday Attacks (409)
An attack against hashes, based on the “Birthday paradox” which states that in a group of 23 people or more the chance of two individuals having the same birthday is greater than 50%.
Birthday attacks work because passwords are actually often stored as hash digests of the password
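The 23-people figure can be checked directly, and the same arithmetic says how much work a collision on an n-bit hash costs. The following is an added example, not from the slides: the exact collision probability for n values drawn from a space of size N, the smallest n that passes 50% (23 for 365 days), and the closed-form approximation sqrt(2 ln 2 · N) that generalises it to hash outputs.

```python
"""Birthday-paradox arithmetic behind birthday attacks on hashes.

Added example, not from the slides. Computes the exact probability that
among n random values drawn from a space of size N at least two collide,
finds the smallest n for which that passes 50% (23 when N = 365), and
gives the approximation sqrt(2 ln 2 * N), about 1.18 * sqrt(N). For an
n-bit hash N = 2**n, so a collision costs roughly 2**(n/2) attempts.
"""
import math


def collision_probability(n, space=365):
    """Exact P(at least one collision) among n values uniform over `space`."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space   # the i-th value must avoid i used slots
    return 1.0 - p_all_distinct


def smallest_n_for(threshold=0.5, space=365):
    """Smallest group size whose collision probability reaches `threshold`."""
    n = 0
    while collision_probability(n, space) < threshold:
        n += 1
    return n


def approx_n_for_half(space):
    """Solve 1 - exp(-n^2 / (2 N)) = 1/2 for n: sqrt(2 ln 2 * N)."""
    return math.sqrt(2 * math.log(2) * space)


if __name__ == "__main__":
    print("people for >50% shared birthday:", smallest_n_for())          # 23
    print("exact P for 22 and 23:", collision_probability(22), collision_probability(23))
    for bits in (32, 64, 128):
        n = approx_n_for_half(2 ** bits)
        print(f"{bits}-bit hash: ~{n:.3g} hashes (~2^{math.log2(n):.1f}) for a 50% collision")
```

The exact search is cheap for a 365-day year or an 8-bit toy hash; for real digest sizes the approximation is what matters, and it is why a 128-bit hash offers only about 64 bits of collision resistance.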
Rainbow tables
Rainbow tables
In many Operating systems the passwords stored are actually simply hash digests of the password rather than the actual password.
Rainbow Tables are pre-computed hash values for passwords that can be used to help crack passwords.
Countermeasures
• Use password “salts”
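Why a salt defeats a precomputed table is easiest to see side by side. The following is an added example, not code from the slides: a tiny precomputed table of unsalted SHA-256 digests recovers a stolen digest in one lookup, while the same password stored with a random per-user salt through PBKDF2 (Python's `hashlib.pbkdf2_hmac`) gives every user a different record that no table built in advance can match. The candidate list and the "leaked" digest are constructed.

```python
"""Why salts defeat precomputed (rainbow) tables.

Added example, not from the slides. A tiny precomputed table of unsalted
SHA-256 digests recovers a stolen digest in one lookup; the same password
stored with a random per-user salt and PBKDF2 (hashlib.pbkdf2_hmac) gives
every user a different record, so no table built in advance applies.
Candidate passwords and the stolen digest are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed; tune the work factor to your hardware


def unsalted_digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """Precompute digest -> password, the principle behind a rainbow table."""
    return {unsalted_digest(c): c for c in candidates}


def store_salted(password, salt=None):
    """Record format 'salt_hex$digest_hex'; a fresh random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, record):
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


def demo():
    table = build_table(["password", "letmein", "123456"])     # constructed table
    stolen = unsalted_digest("letmein")                        # constructed "leaked" digest
    alice = store_salted("letmein")
    bob = store_salted("letmein")                              # same password, different salt
    return {
        "unsalted_recovered": table.get(stolen),                   # 'letmein'
        "salted_records_differ": alice != bob,                     # True
        "salted_in_table": alice.split("$")[1] in table,           # False
        "verify_right_password": verify_salted("letmein", alice),  # True
        "verify_wrong_password": verify_salted("letmein!", alice), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not have to be secret; it only has to be unique, so the attacker's precomputation would have to be redone once per user. The iteration count is a separate defence: it makes even a per-user guessing run slow.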
Software Exploits
Buffer Overflow (409)
One of the most common types of attacks, a buffer overflow takes advantage of poor input validation in software. Most servers take input from a client. A Buffer overflow tries to send MORE data than is expected in order to overwrite memory and either
• Crash the system
• Actually inject commands for the remote server to run
(more)
Buffer Overflow (409)
Counter measures –
• Patch your software!
• Secure programming techniques and input validation (for places that write software, you generally cannot fix the problem as an administrator)
Buffer Overflow
Chapter 13 - Review
Q. A SYN Flood is what type of attack?
Q. Name one way to protect against sniffing attacks
Q. What is the best protection against Buffer Overflows?
Q. What are the steps in a 3 way handshake
Chapter 13 - Review
Q. What is a smurf attack?
Q. What is MAC flooding?
Q. What is LOKI, What is Loki creating? (hint… a C_ _ _ _ _ C _ _ _ _ _ _)