Computer Security

The document provides an overview of network security tools and defense strategies, highlighting key security goals such as confidentiality, integrity, and availability. It discusses various security threats, tools used for attacks and auditing, and emphasizes the importance of raising security awareness and implementing best practices. Additionally, it includes survey results indicating financial losses due to computer crimes and suggests that organizations can benefit from improved security measures.

Network Security Tools and Defense – An Overview

Jeff Huberty
Business Information Technology Solutions (BITS)
www.bits-solutions.com
Has Your System Been Compromised?
OUTLINE

‹ CSI/FBI Survey Results
‹ Security Goals
‹ Security Threats
‹ Internet and Network Tools Used
‹ What Can We Do? (best practices)
‹ Access Control Overview
‹ Phases of Attacks and Defenses
‹ Small Business and Home Practices

CSI/FBI Survey Results (06/2004)
‹ The Computer Security Institute (CSI) held its ninth annual Computer Crime and Security Survey with the following results:
• Financial losses totaled $141.5 million (494 respondents); a significant decrease from the 530 respondents reporting $202 million last year.
• The most expensive computer crime was denial of service (DoS). Theft of intellectual property, the prior leading category, was the second most expensive last year.
• The vast majority of organizations in the survey do not outsource computer security activities.
‹ The survey suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments.

“Men are from Mars, Women are from Venus. Computers are from Hell!”
Four Objectives of Computer Security

"A bus station is where a bus stops. A train station is where a train stops.
On my desk I have a workstation..."
Security Goals
Confidentiality: keeps information from being read by unauthorized people.
Integrity: assures that information stored in a computer is never contaminated or changed in a way that is not appropriate.
Availability: ensures that the data can be accessed by all authorized people.

"The nice thing about standards is that there are so many to choose from."
Security Goals
‹ Availability: addresses issues from fault tolerance, to protect against denial of service, to access control, to ensure that data is available to those authorized to access it.
‹ Confidentiality: provide protection mechanisms for the data while it is stored and while it is transferred over networks between computers.
‹ Integrity: keeping data away from those who should not have it and making sure that those who should have it can get it are fairly basic ways to maintain the integrity of the data.
‹ NEW! Nonrepudiation: allows the formation of binding contracts w/o any paper being printed for written signatures (digital signatures).
"If it wasn't backed-up, then it wasn't important." — The sysadmin's motto.
Security Threats

"The problem with computers is they do what you tell them."


Security Threats – SANS Top 20
(www.sans.org)

‹ Top Vulnerabilities to Windows
• Web Servers & Services
• Workstation Service
• Windows Remote Access Services
• Microsoft SQL Server (MSSQL)
• Windows Authentication
• Web Browsers
• File-Sharing Applications
• LSAS Exposures (OSPF)
• Mail Client
• Instant Messaging
‹ Top Vulnerabilities to UNIX
• BIND Domain Name System
• Web Server
• Authentication
• Version Control Systems
• Mail Transport Service
• Simple Network Management Protocol (SNMP)
• Open Secure Sockets Layer (SSL)
• Misconfiguration of Enterprise Services NIS/NFS
• Databases
• Kernel

"A computer's attention span is only as long as its power cord."


Tools Used for Attacking and
Auditing Systems on the Net
‹ Port Scanners
‹ Windows Enumeration
‹ Web Hacking
‹ Password Cracking/Brute Force
‹ Backdoors and Remote Access
‹ Simple Source Auditing
‹ Combination Systems Auditing
‹ Port Redirection
‹ Sniffers
‹ Wireless Tools
‹ War Dialers
‹ TCP/IP Stack

"ASCII stupid question, get a stupid ANSI !"


Internet Tools
¾ Port Scanners (Nmap, SuperScan, IpEye, Fscan, WUPS, Udp_scan)
¾ Windows Enumeration (Winfingerprint, GetUserInfo, Enum, PsTools)
¾ Web Hacking
  ¾ Vulnerability Scanners (Whisker, Nikto, Stealth, Twwwscan/Arirang)
  ¾ All-Purpose (Curl, OpenSSL, Stunnel)
  ¾ Application Inspection (Achilles, WebSleuth, Wget)
¾ Password Cracking/Brute-Force
  ¾ PassFilt.dll and Windows Password Policies
  ¾ PAM and UNIX Password Policies
  ¾ OpenBSD login.conf

"ERROR: Computer possessed; Load EXOR.SYS ? [Y/N]"


Portscan Threat Example
‹ Below is a capture of a malicious port scan, seen from the administrator's side of the field (TCPDUMP capture):

...535> (DF) [tos 0x10]
20:38:27.470402 66.90.95.X.22 > 66.252.X.2.61627: P 271600:271792(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
20:38:27.470426 66.90.95.X.22 > 66.252.X.2.61627: P 271792:271984(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
20:38:27.470437 66.252.X.2.61627 > 66.90.95.X.22: . ack 260016 win 50180 <nop,nop,timestamp 1498707535 880842155> (DF)

‹ Here is the view from the attacker's side using NMAP:

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-30 21:57 EST
Interesting ports on (66.252.X.2):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https

This SHOWS us what services are running on this network. An attack could be staged on each or any of the services. A Denial of Service (DoS) attack would target open ports in an attempt to slow/halt the system's connections. An exploit attack would be directed at flaws in the service running on that port, i.e. HTTP (Web Browsers) can be buffer overrun with the right knowledge and software.

"The definition of a hacker ? Someone who, after installing a new program, goes
immediately into the [Tools][Options] menu."
What If MS Created NMap?
Web server Exploit Attempt
‹ The following is a real capture of an exploit attempt on 30-NOV-04:
Httpd access log:
66.205.59.245 (<- attacker's IP) - - [30/Nov/2004:20:18:16 -0500] "SEARCH
/\x90\
<- Buffer Overflow attempt
Basically, this is a repeated string of text that is sent to a web server in an attempt to overflow the buffer. If this attack was successful (un-patched web server) it would drop them into a UNIX/TS shell prompt and then they are in the system. Most UNIX web server administrators won't allow web servers to run as root; however, there are plenty out there that do. This attack filled about 8 megs of log space in a matter of 30 minutes. A simple solution is to stay patched and make sure you have the proper IDS/Firewalling/Filtering in place prior to rolling out a global Web server.
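A detector for the kind of request shown above, added here as an example and not taken from the original slides: it parses NCSA common-log-format lines and flags a request when the method is unusual, when the URI carries many httpd-escaped non-printable bytes, and when those bytes repeat the way overflow padding does. The log lines, IPs and thresholds are constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# NCSA common log format: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)'
)
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')   # how httpd writes a non-printable byte
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
MIN_ESCAPES = 8       # fewer than this is ordinary UTF-8 or a stray control byte
MAX_URI_LEN = 2048

def analyze_request(line: str) -> Dict:
    """Parse one access-log line and list the reasons it looks like an overflow attempt."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "reasons": ["unparseable log line"], "line": line}
    uri, method = m["uri"], m["method"]
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append(f"unexpected method {method}")
    escapes = ESCAPE_RE.findall(uri)
    if len(escapes) >= MIN_ESCAPES:
        reasons.append(f"{len(escapes)} non-printable bytes in URI")
        # Padding for an overflow repeats a short pattern; a legitimate binary
        # blob would spread its byte values out far more evenly.
        top_share = Counter(escapes).most_common(1)[0][1] / len(escapes)
        if top_share > 0.4:
            reasons.append(f"repetitive byte pattern ({top_share:.0%} one value)")
    if len(uri) > MAX_URI_LEN:
        reasons.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    return {"parsed": True, "host": m["host"], "method": method, "reasons": reasons}

def flag_suspicious(log_text: str) -> List[Dict]:
    """Return the analysis of every line that raised at least one reason."""
    return [r for r in map(analyze_request, log_text.strip().splitlines()) if r["reasons"]]

# Constructed sample log (documentation-range IPs; the payload is shortened to a
# few of the repeated \x02\xb1 pairs the slide shows).
SAMPLE_LOG = r"""
198.51.100.7 - - [30/Nov/2004:20:18:16 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 0
192.0.2.10 - - [30/Nov/2004:20:19:01 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.11 - - [30/Nov/2004:20:19:05 -0500] "POST /cgi-bin/search.cgi HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOG):
        print(finding["host"], finding["method"], "; ".join(finding["reasons"]))
```

Run against a real access log, the same three checks also surface the log-growth problem the slide mentions: a burst of flagged lines from one host in a short window is the signal to rate-limit or block at the firewall.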

"A computer program does what you tell it to do, not what you want it to do."
Greer’s Third Law.
Internet Tools, cont’d
¾ Password Cracking/Brute Force Tools
  ¾ John the Ripper
  ¾ L0phtCrack
  ¾ Grabbing Windows Password Hashes (Pwdump, Lsadump2, Winhash, Ddumper, XSCAN)
  ¾ Active Brute-Force (SMBGrind, Nbaudit, John the ripper2x)
¾ Backdoors and Remote Access (VNC, Netbus, Back Orifice, SubSeven, Loki, stcpshell, Knark, AGOBOT, Phatbot, SDBOT)
¾ Simple Source Auditing (Flawfinder, RATS)
¾ Combination System Auditing (Nessus, STAT, Retina, Internet Scanner, Tripwire)

"Before software can be reusable it first has to be usable." — Ralph Johnson.


Network Tools
¾ Port Redirection (datapipe, Fpipe)
¾ Sniffers (BUTTSniffer, Tcpdump, Windump, Ethereal, Dsniff, Snort)
¾ Wireless (Netstumbler, AiroPeek)
¾ War Dialers (ToneLoc, THC-Scan)
¾ TCP/IP Stack (ISIC, Iptest, Nemesis)

"It's 5.50 a.m.... Do you know where your stack pointer is ?"
What Can We Do?
‹ Take steps to increase security awareness
• Education, training, periodic bulletins, etc., cultivate user acceptance of the security technologies that need to be deployed.
‹ Policies need to be established and enforced
• Describe the responsibilities of individuals and groups in safeguarding organizational assets from loss or misuse.
‹ IT infrastructure needs to be security-enabled
• IT and network administrators need to keep themselves informed about security vulnerabilities and fixes, including best-of-breed technologies and methodologies for coping with security threats.
‹ On-going vigilance, in the form of vulnerability assessments, must be part of the operational routine
• Security should be seen as a work in progress and never a finished project. Hackers adapt; so should the organization.
Policies and Settings
‹ Policy: No outside Web access.
  • Firewall Setting: Drop all outgoing packets to any IP, port 80.
‹ Policy: Outside connections to the public Web server only.
  • Firewall Setting: Drop all incoming TCP SYN packets to any IP except 150.160.170.180, port 80.
‹ Policy: Prevent Web radios from eating up the available bandwidth.
  • Firewall Setting: Drop all incoming UDP packets, except DNS and router broadcasts.
‹ Policy: Prevent your network from being used for a Smurf DoS attack.
  • Firewall Setting: Drop all ICMP packets going to a "broadcast" address (150.160.255.255 or 150.160.0.0).
‹ Policy: Prevent your network from being tracerouted or scanned.
  • Firewall Setting: Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.
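The policy table above as a small stateless packet filter, added here as an example and not part of the original slides: each rule is applied in a fixed order to constructed sample packets. Treating 150.160.0.0/16 as the protected network, reading the TCP/UDP "echo-request" as the echo service on port 7, and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the slide: 150.160.170.180 is the public web server; treating
# 150.160.0.0/16 as the protected network is an assumption.
INTERNAL = ip_network("150.160.0.0/16")
WEB_SERVER = ip_address("150.160.170.180")
BROADCASTS = {ip_address("150.160.255.255"), ip_address("150.160.0.0")}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # source port (tcp/udp)
    dport: int = 0       # destination port (tcp/udp)
    syn: bool = False    # TCP SYN set, i.e. a new connection attempt
    icmp_type: str = ""  # e.g. "echo-request", "echo-reply"
    ttl: int = 64

def filter_packet(pkt: Packet) -> str:
    """Apply the slide's five policies in a fixed order; return 'ACCEPT' or 'DROP: <reason>'."""
    dst = ip_address(pkt.dst)
    incoming = ip_address(pkt.src) not in INTERNAL
    # Policy 5: prevent the network from being tracerouted or scanned. "Echo-request"
    # for TCP/UDP is read as the echo service on port 7 (assumption).
    if pkt.ttl < 5:
        return "DROP: TTL < 5 (traceroute)"
    if incoming and ((pkt.proto == "icmp" and pkt.icmp_type == "echo-request")
                     or (pkt.proto in ("tcp", "udp") and pkt.dport == 7)):
        return "DROP: incoming echo-request (ping/scan)"
    # Policy 4: never relay ICMP to a broadcast address (Smurf amplification).
    if pkt.proto == "icmp" and dst in BROADCASTS:
        return "DROP: ICMP to broadcast address (Smurf)"
    # Policy 1: no outside Web access from the inside.
    if not incoming and pkt.proto == "tcp" and pkt.dport == 80:
        return "DROP: outgoing port 80 (no outside Web access)"
    # Policy 2: outsiders may open TCP connections only to the public web server.
    # Non-SYN segments pass, so replies to inside-initiated connections still work.
    if incoming and pkt.proto == "tcp" and pkt.syn and not (dst == WEB_SERVER and pkt.dport == 80):
        return "DROP: incoming SYN not to public web server:80"
    # Policy 3: block incoming UDP except DNS and router broadcasts (web radios).
    if incoming and pkt.proto == "udp" and 53 not in (pkt.sport, pkt.dport) and dst not in BROADCASTS:
        return "DROP: incoming UDP (bandwidth protection)"
    return "ACCEPT"

# Constructed sample traffic: an inside host browsing out, outsiders probing and streaming in.
SAMPLE_TRAFFIC = [
    Packet("150.160.1.10", "203.0.113.5", "tcp", sport=40000, dport=80, syn=True),
    Packet("198.51.100.7", "150.160.170.180", "tcp", sport=51000, dport=80, syn=True),
    Packet("198.51.100.7", "150.160.1.10", "tcp", sport=51001, dport=22, syn=True),
    Packet("198.51.100.7", "150.160.1.10", "udp", sport=53, dport=40001),
    Packet("198.51.100.7", "150.160.1.10", "udp", sport=6970, dport=6970),
    Packet("198.51.100.7", "150.160.255.255", "icmp", icmp_type="echo-reply"),
    Packet("198.51.100.7", "150.160.1.10", "tcp", sport=443, dport=40002, ttl=3),
]

def filter_all(packets=SAMPLE_TRAFFIC):
    """Return the verdict for each packet, in order."""
    return [filter_packet(p) for p in packets]
```

Because the filter is stateless, the DNS exception has to trust the source port 53; a stateful firewall would instead match the reply to the outstanding query.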

"Unix is user-friendly. It's just very selective about who its friends are."
Access Control
¾ Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear. Techniques for guessing passwords:
  ¾ Try default passwords.
  ¾ Try all short words, 1 to 3 characters long.
  ¾ Try all the words in an electronic dictionary (60,000 words).
  ¾ Collect information about the user's hobbies, family names, birthday, etc.
  ¾ Try the user's phone number, social security number, street address, etc.
  ¾ Try all license plate numbers (123XYZ).
¾ Prevention: Enforce good password selection (j@1H7%!2u4rZ) with more than 10 characters.
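A policy check that enforces the prevention rule above against each listed guessing technique, added here as an example and not the slide's code; it also requires a mix of character classes, as the slide's sample password has, which goes beyond the slide's stated rule. The word lists and the user profile are constructed.

```python
import re
from datetime import date
from typing import List, Set

# Tiny constructed word lists standing in for the 60,000-word dictionary and the
# vendor default passwords named on the slide.
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon", "monkey", "summer"}
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "guest", "root"}
LICENSE_PLATE_RE = re.compile(r"^(?:[0-9]{3}[A-Za-z]{3}|[A-Za-z]{3}[0-9]{3})$")
MIN_LENGTH = 11  # the slide asks for more than 10 characters

def _alnum(s: str) -> str:
    """Lower-case and strip punctuation so 555-0142 matches 5550142 in a password."""
    return re.sub(r"[^A-Za-z0-9]", "", s).lower()

def personal_tokens(user: dict) -> Set[str]:
    """Strings an attacker could collect about the user: hobbies, family names,
    birthday, phone, SSN, street address (the slide's list)."""
    tokens = {_alnum(user.get(k, "")) for k in ("username", "hobby", "family", "street", "phone", "ssn")}
    bday = user.get("birthday")
    if isinstance(bday, date):
        tokens.update(bday.strftime(fmt) for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y"))
    return {t for t in tokens if len(t) >= 3}   # 1-2 character fragments would match everything

def check_password(password: str, user: dict) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DEFAULT_PASSWORDS:
        problems.append("is a default password")
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    if LICENSE_PLATE_RE.match(password):
        problems.append("looks like a license plate number")
    for token in sorted(personal_tokens(user)):
        if token in _alnum(password):
            problems.append(f"contains personal information ({token})")
    # Not on the slide, but its example j@1H7%!2u4rZ mixes all four classes.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems

# Constructed user profile of the kind the slide says an attacker would collect.
SAMPLE_USER = {"username": "jsmith", "hobby": "sailing", "family": "Anna", "street": "Main St",
               "phone": "555-0142", "ssn": "123-45-6789", "birthday": date(1970, 3, 14)}
```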

"The number of the beast — vi vi vi."


Password Gathering
¾ Look under keyboard, telephone, monitors, etc.
¾ Look in the Rolodex under "X" and "Z"
¾ Call up pretending to be from "micro-support," and ask for it.
¾ "Snoop" a network and watch the plaintext passwords go by.
¾ Tap a phone line - but this requires a very special modem, UI, VAMP.
¾ Use a "Trojan Horse" program to record keystrokes.

"If debugging is the process of removing software bugs, then programming must be the
process of putting them in."
Stages of a Network Intrusion
1. Scan the network to:
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are "open" (being listened to by servers).
2. Run "Exploit" scripts against open ports.
3. Get access to a shell program which is "suid" (has "root" privileges).
4. Download from a hacker Web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast, control multiple machines, or just to host warez/P2P files.

"Computers make very fast, very accurate mistakes."


Phase 1: Reconnaissance
‹ ATTACK and DEFENSE
• Attack: Social Engineering. Defense: User Awareness.
• Attack: Physical Break-In. Defense: Security Badges, Card Readers, etc.
• Attack: Dumpster Diving. Defense: Shredder, Move Bins.
• Attack: Search the Web (own Website, Usenet newsgroups). Defense: Establish policies of what info is allowed on Web Servers.
• Attack: Whois. Defense: Update registration data.
• Attack: DNS. Defense: Keep additional info to a minimum, restrict zone transfers, use "split DNS".

"To err is human, but for a real disaster you need a computer."
Phase 2: Scanning
‹ ATTACK and DEFENSE
• Attack: War Dialing. Defense: Modem Policies.
• Attack: Network Mapping. Defense: Hardening (close unused ports).
• Attack: Vulnerability. Defense: Patch, Run Tools Against Own Net.
• Attack: Intrusion. Defense: Intrusion Detection System.

"hAS aNYONE sEEN MY cAPSLOCK kEY ?"


Phase 3: Gaining Access
‹ ATTACK and DEFENSE
• Attack: Script Kiddie. Defense: Patch, Event Logs.
• Attack: Sophisticated
  ‹ Stack/Buffer Overflow. Defense: IDS, mailing lists.
  ‹ Password. Defense: Tips discussed later.
  ‹ Web Apps. Defense: DigiSign, Encrypt, dynamic session IDs, timestamps.

"If brute force doesn't solve your problems, then you aren't using enough."
Phase 3: Access via Network
‹ ATTACK and DEFENSE
• Attack: Sniffing. Defense: Secure protocols, DMZ.
• Attack: IP Address Spoof. Defense: Test via NMap, SSH for UNIX.
• Attack: Session Hijacking. Defense: Combine everything above.

"Artificial Intelligence usually beats natural stupidity."


Phase 3: DDoS
‹ ATTACK
• Stopping Local Svc
• Locally Exhausting Resources
• Remotely Stopping Svcs
• Remotely Exhausting Resources
• TFN2K (DDoS Tool)
‹ DEFENSE
• Patches, Proper Privileges (no Adm)
• Principle of Least Privilege
• Patches, static ARP

"Smith & Wesson — the original point and click interface."


Phase 4: Maintaining Access
‹ ATTACK
• Trojan Horses
• Backdoors (BD)
• BDs in Trojans
• App-Level BD (BO2K)
• Traditional Rootkits
‹ DEFENSE
• AV Tools and Education are the best form of combat to these elements
• Hard to guess passwords, security patches, closing unused ports, and defined security programs in place

"Foolproof systems don't take into account the ingenuity of fools." — Gene Brown.
Phase 5: Duck and Cover
‹ ATTACK
• Altering Log Files (Unix/Windows)
• Altering Accounting Files in UNIX
• Altering UNIX Shell History
• Create Hidden Files and Directories
‹ DEFENSE
• Activate Logging
• Set Proper Permissions
• Use Separate Logging Server
• Encrypt Log Files
• Making Log Files Append Only
• Protecting Log Files with Write-Once Media

"Dude, I hate to be the bearer of bad news, but I'm afraid you've been hacked — the
FTP server at 127.0.0.1 has all your personal files. See for yourself; just log in with your
Spyware, Viruses, Trojans (Oh, My!)

¾ Spyware - software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes; the latest purposes are more sinister.
¾ Virus - code that copies itself into other programs.
¾ Payload - harmful things it does, after it has had time to spread.
¾ Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses).
¾ Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
¾ Logic Bomb - malicious code that activates on an event (e.g., a date).
¾ Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users in.

"Enter any 11-digit prime number to continue..."


What Can I Do?
¾ Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
¾ Use a well-known firewall program (preferably a hardware and software solution).
¾ Do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents, Java, ...), if you can help it.
¾ Avoid the most common operating systems and email programs, if possible.
¾ Run legitimate anti-spyware programs (Ad-aware SE Personal and Spybot Search and Destroy 1.3 are both free and highly recommended by professionals).
¾ Conduct monthly/quarterly audits on home/business PCs incorporating:
  ¾ Deletion of temp files (sans .log files) contained in temporary internet folders and temp folders
  ¾ Set security level for macros to high (requesting your permission)
  ¾ Resetting IE security to Medium to Medium-High; shorten history settings and temporary internet files
  ¾ Check locally installed programs in Add/Remove Programs for validity
  ¾ Check Services for bogus service applications
  ¾ Check Event Viewer (security, application, system)
Great Websites
‹ Packet Storm Security (packetstorm.security.com)
‹ SANS (sans.org)
‹ Security Focus Bugtraq Archives (securityfocus.com)
‹ @stake Security News (atstake.com/security_news)
‹ Security Portal (securityportal.com)
‹ 2600 (2600.com)
‹ White Hats (whitehats.com)
‹ Attrition (attrition.org)
‹ Information Security Magazine (infosecuritymagazine.com)
‹ CERT (cert.org)
Credits
‹ Secured Enterprise: Protecting Your Information Assets; F. Byrnes/P. Proctor, Prentice-Hall PTR (5/2002)
‹ Counter Hack; E. Skoudis, Prentice-Hall PTR (2002)
‹ Information Week (various articles)
‹ Network Security: A Hacker's Perspective; Fadia, Prentice Press (2003)
‹ Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the BlackHat Community; Honeynet Project; Addison-Wesley (2002)

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect
Any Questions?