Security+ Certification - Chapter 3: Attacks and Malicious Code (Part 2) - Athena (43 pages)
Chapter 3: Attacks and Malicious Code (Part 2)
Man in the Middle
Class of attacks in which the attacker places
himself between two communicating hosts and
listens in on their session
Both of the other hosts think they are
communicating with each other
ATHENA
Man-in-the-Middle Attacks
Man-in-the-Middle Applications
Web spoofing
TCP session hijacking
Information theft
Other attacks (denial-of-service attacks,
corruption of transmitted data, traffic analysis
to gain information about victim’s network)
Man-in-the-Middle Methods
ARP poisoning (Hunt)
ICMP redirects – Router sends redirect packet
to host, saying a better route exists for certain
traffic. See:
redirects-are-bad.pdf
DNS server cache poisoning. See:
Replay Attacks
Attempts to circumvent authentication
mechanisms by:
• Recording authentication messages from a
legitimate user
• Reissuing those messages in order to
impersonate the user and gain access to
systems
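The record-and-reissue attack above, and the standard countermeasure, as an added example that is not part of the deck: a weak scheme that accepts the same credential token every time (so a recorded copy works again) beside a challenge-response verifier whose one-time nonce makes a recorded response useless. The shared key and the class names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demonstration; not a real credential.
SHARED_KEY = b"demo-shared-key"

def static_verify(token):
    """Weak scheme: the client sends the same credential token every time, so a
    copy recorded from a legitimate session is accepted again later."""
    expected = hashlib.sha256(SHARED_KEY).hexdigest()
    return hmac.compare_digest(expected, token)

class ChallengeServer:
    """Challenge-response verifier: each login uses a fresh one-time nonce."""
    def __init__(self):
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, tag):
        if nonce not in self.outstanding:
            return False           # unknown or already used nonce: a replay
        self.outstanding.discard(nonce)   # consume it before checking the tag
        expected = hmac.new(SHARED_KEY, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

def client_response(nonce):
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(SHARED_KEY, nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    # A recorded static token is accepted twice.
    recorded = hashlib.sha256(SHARED_KEY).hexdigest()
    weak = (static_verify(recorded), static_verify(recorded))
    # A recorded challenge response is accepted once, then rejected.
    server = ChallengeServer()
    nonce = server.challenge()
    tag = client_response(nonce)
    strong = (server.verify(nonce, tag), server.verify(nonce, tag))
    return weak, strong
```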
TCP Session Hijacking
Attacker uses techniques to make the victim
believe he or she is connected to a trusted host,
when in fact the victim is communicating with
the attacker
Well-known tool
• Hunt (Linux)
Attacker Using Victim’s TCP Connection
Social Engineering
Class of attacks that uses trickery on people
instead of computers
Exploits trust between people instead of
machines
Often the first thing a blackhat will try
Can circumvent the most elaborate and
expensive security system
Social Engineering Goals
• Fraud
• Network intrusion
• Industrial espionage
• Equipment theft
• Identity theft
• Desire to disrupt the system or network
Social Engineering Examples
Calling the help desk or the IT department
and pretending to be a “boss” having trouble
with logging in
Calling the help desk or the IT department
and pretending to be a “consultant” just hired
and needing access quickly
See:
4/1062548967124.html
Social Engineering Remedies
Training/education
Have clearly defined policies and procedures
Rewards for good behavior
Fire/reprimand people who don’t follow proper
procedures
Hire penetration testers to probe your defenses
Dumpster Diving
Online Attacks
Use chat and e-mail venues to exploit trust
relationships
Users often do things before they think about it
The immediacy of the medium often leads to
quick decisions
If you must use IRC, use your own servers
Attacks Against Encrypted Data
Weak keys
Mathematical attacks
Birthday attack
Password guessing
Brute force
Dictionary
Weak Keys
Secret keys that, when used, make the cipher
exhibit regularities in its output, or even a poor
level of encryption
Some algorithms have a number (usually a
small number) of weak keys
The Wired Equivalent Privacy (WEP)
mechanism used in wireless networks suffers
from weak keys
Mathematical Attack
Attempts to decrypt encrypted data using
mathematics to find weaknesses in the
encryption algorithm
Is much faster than just guessing (brute-force
attack)
The more examples of encrypted data you have,
and the more you know about the original data,
the better your attack can be
Categories of cryptanalysis
Ciphertext-only analysis uses only the
encrypted form of the data, with no information
about the cleartext content.
Known plaintext attack uses some number of
messages in both encrypted and cleartext form.
Chosen plaintext attack uses messages chosen by
the attacker and the ciphertext generated from them.
Birthday Attack
Class of brute-force mathematical attacks that
exploits mathematical weaknesses of hash
algorithms and one-way hash functions
For a hash function with k possible output values,
two inputs with the same output are expected
after about 1.2*k^(1/2) inputs (you are trying to
“guess” an input that produces an output you
have already seen)
This is much faster than a brute force attack
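The birthday bound worked through in code, as an added example that is not part of the deck: it evaluates the 1.2*k^(1/2) figure for an n-bit hash (k = 2^n outputs), compares it with the 2^n trials a brute-force search expects, and then finds a real collision on SHA-256 truncated to n bits so the figure can be checked empirically. The truncated hash and the msg-i inputs are constructed for the demonstration.

```python
import hashlib
import math

def birthday_bound(n_bits):
    """Expected inputs before two share an n-bit output, using the deck's
    figure 1.2*k^(1/2) with k = 2**n_bits possible output values."""
    return 1.2 * math.sqrt(2 ** n_bits)

def brute_force_speedup(n_bits):
    """Ratio between the 2**n trials a brute-force search over all outputs
    needs and the birthday bound: how much faster a collision search is."""
    return (2 ** n_bits) / birthday_bound(n_bits)

def truncated_hash(data, n_bits):
    """SHA-256 truncated to its top n bits: a toy hash with 2**n_bits outputs."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits, limit=10**6):
    """Hash the constructed inputs msg-0, msg-1, ... and stop at the first pair
    with the same truncated output. Returns (inputs_tried, first, second)."""
    seen = {}
    for i in range(limit):
        data = f"msg-{i}".encode()
        h = truncated_hash(data, n_bits)
        if h in seen:
            return i + 1, seen[h], data
        seen[h] = data
    return None
```

For 16-bit outputs the bound predicts about 307 inputs; the search above usually finishes in a few hundred, while guessing a specific output would take about 65,536 on average.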
Password Guessing
Determines a user’s password using
techniques such as brute force or dictionary
attacks
A password is “guessed” by inputting a string
into the hash function. If the resulting hash is
the same as that stored by the OS, the input is
the password, or at least generates the same
hash value
Brute Force
Method of breaking passwords that involves
computation of every possible combination of
characters for a password of a given character
length
Will eventually find the correct password
Very computationally intensive
Longer passwords require longer to guess
Dictionary
Method of breaking passwords by using a
predetermined list of words as input to the
password hash
Only works against poorly chosen passwords
Dictionary lists are available on the Internet
*Use the user’s wife’s name, child’s name, dog’s
name, etc. first (if you know them)
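The three slides above (guessing against a stored hash, the cost of brute force, and dictionary words including names the attacker knows) turned into a defender's password check, as an added example that is not part of the deck: it sizes the brute-force keyspace for a length and character set, rejects passwords that a dictionary or personal-names list would find even after the usual digit suffixes and substitutions, and performs the hash-and-compare test the deck describes against a salted PBKDF2 hash (a simplified stand-in for the OS's password hash). The word list and the helper names are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for an Internet word list; personal names (the deck's
# "wife's name, child's name, dog's name") are passed in per user.
WORDLIST = {"password", "letmein", "welcome", "dragon", "summer"}

def keyspace(charset_size, length):
    """Candidates a brute-force search must cover for a fixed length."""
    return charset_size ** length

def brute_force_hours(charset_size, length, guesses_per_second):
    """Worst-case time to enumerate every candidate at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600

def normalize(password):
    """Undo the common tweaks people add to a dictionary word."""
    p = password.lower()
    p = re.sub(r"[0-9!@#$]+$", "", p)                  # trailing digits/symbols
    return p.translate(str.maketrans("@01$", "aols"))  # @->a 0->o 1->l $->s

def is_guessable(password, personal=()):
    """True when a dictionary or personal-names attack would find the password."""
    known = WORDLIST | {w.lower() for w in personal}
    return normalize(password) in known

def hash_password(password, salt=None):
    """Salted PBKDF2 as the stored form (simplified stand-in for the OS hash)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_guess(guess, stored):
    """The deck's test: hash the guess the same way, compare with the stored value."""
    salt_hex = stored.split("$")[0]
    return hmac.compare_digest(hash_password(guess, bytes.fromhex(salt_hex)), stored)
```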
Password Cracking Programs
L0phtcrack (now LC4) – costs money
John the Ripper – free
Ideally, you run these off-line against a
captured password file (or SAM file in
Windows)
Software Exploitation
Utilizes software vulnerabilities to gain access
and compromise systems
Example
• Buffer overflow attack
• SQL Injection
To stop software exploits
• Stay apprised of the latest security patches provided
by software vendors
• Filter traffic at the firewall when you can
• Disable/remove unneeded applications
Buffer Overflow Attacks
Work by inputting more characters than the
program was written to accept
Extra characters contain instructions and a
new value to be loaded into the
microprocessor’s Instruction Pointer register
The microprocessor loads in the new
Instruction Pointer value, then executes the
attack code
Buffer Overflow Attacks
The attack code typically downloads the real
exploit, or installs a backdoor program
If you need the application, you can’t filter
traffic to the TCP or UDP port at the firewall
If you don’t need the application, filter the
traffic and remove the application
SQL Injection
Many web pages are connected to back-end
databases
Databases use a language called Structured
Query Language (SQL)
SQL injection is the process of adding SQL
code to the end of a legitimate entry in a text
box
The code is then run against the backend
database, displaying database information to
the attacker
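The mechanism on this slide shown in code, as an added example that is not part of the deck: a lookup that pastes the text-box entry into the SQL string, so SQL appended to the entry becomes part of the statement and returns rows the user should not see, beside the parameterized form in which the entry is bound as data. The table, rows and the appended entry are constructed; the database is an in-memory SQLite instance.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by pasting the text-box value into the SQL, so any
    SQL appended to the entry is parsed and run as part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    """Rows returned for a normal entry and for an entry with SQL appended."""
    conn = make_db()
    normal = "alice"
    appended = "alice' OR 'x'='x"   # constructed: SQL added to the end of the entry
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_appended": len(lookup_vulnerable(conn, appended)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_appended": len(lookup_safe(conn, appended)),
    }
```

The vulnerable lookup returns every row for the appended entry; the parameterized lookup returns none, because no user is literally named that string.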
Malicious Software
Viruses
Self-replicating programs that spread by
“infecting” other programs
Require some action to trigger (run)
Damaging and costly
Virus Databases
Evolution of Virus Propagation Techniques
Protecting Against Viruses
Enterprise virus protection solutions
• Desktop antivirus programs
• Virus filters for e-mail servers
• Network appliances that detect and remove viruses
Instill good behaviors in users and system
administrators
• Keep security patches and virus signature databases up to date
• Train users to not open unsolicited attachments
• Unhide file extensions
Backdoors (Programs)
Remote access program surreptitiously installed on
user computers that allows attacker to control behavior
of victim’s computer
Also known as remote access Trojans
Examples
• Back Orifice 2000 (BO2K)
• NetBus
Detection and elimination
• Up-to-date antivirus software
• Intrusion detection systems (IDS)
Trojan Horses
Class of malware that uses social engineering to
spread
Appears to be one thing, but contains
something else
Some viruses are classified as Trojans –
example “vacation pictures.jpg.vbs”
A lot of “free” software contains other programs
– gator, etc.
Logic Bombs
Set of computer instructions that lie dormant
until triggered by a specific event
Once triggered, the logic bomb performs a
malicious task
Almost impossible to detect until after
triggered
Often the work of former employees
For example: macro virus
• Uses auto-execution feature of specific
applications
Worms
Self-contained program that uses security
flaws such as buffer overflows to remotely
compromise a victim and replicate itself to
that system
Do not infect other executable programs
Account for 80% of all malicious activity on
the Internet
Examples: Code Red, Code Red II, Nimda
Defense Against Worms
Latest security updates for all computers and
network devices
Filter all the traffic you can at the firewall
Remove unneeded services/applications
Network and host-based Intrusion Detection
Systems
Antivirus programs
Summary
Mechanisms, countermeasures, and best
practices for:
• Malicious software
• Denial-of-service attacks
• Software exploits
• Social engineering
• Attacks on encrypted data
Labs/Assignments
Do Project 3-1 on Page 90 of the textbook.
Don’t do step number 9.
Do Project 3-5 on Page 93 of the textbook.
Assignment: Pick out one of the tools we have
been using and write a short paper about
what type of tool it is, why you like it, what
you can do with it, etc. Not a step-by-step,
just a short review.