Firewalls, Phases of Hacking

Password cracking tools

L0phtCrack for windows, John the ripper

In screened host firewall system what is configuration for the packet filtering router like?

only packets from and to the bastion host are allowed to pass through the router -the bastion host performs authentication and proxy functions

Application-level gateway diagram

outside computer host <---> AL Gateway <---> inside host

Circuit-level gateway diagram

see slide 15

Scanning for vulnerabilities

tool available nessus.org

Phases of Hacking

1. Reconnaissance 2. Scanning 3. Gaining Access 4. Maintaining Access 5. Covering the tracks

Three common firewall configurations

1. Screened host firewall system (Single-home bastion host) 2. Screened host firewall system (dual-homed bastion host) 3. Screened-subnet firewall system

How does a screened-subnet firewall system work?

-Most secure configuration of the three -Two packet filtering routers are used -Creation of an isolated sub-network

Three common types of Firewalls

-Packet-filtering routers -Application-level gateways -Circuit-level gateways

Protocol Tunneling using Reverse WWW Shell

-tunneling used to hide data: using one protocol to carry another-->> ex email carries html, carries commands over http, data looks like web traffic

Defenses against Reverse WWW shell

-use IDS -use AV tools -know what should be running on each m/c: investigate strange processes

How does a screened host firewall system work?

(single-homed bastion host) -Greater security than single configurations because of two reasons: implements packet and application level filtering allowing for flexibility in defining security policy -An intruder must generally penetrate two separate system -Affords flexibility in providing direct Internet access (public information server ex-web server)

Bastion Host

- a system identified by the firewall administrator as a critical strong point in the network's security -the bastion host serves as a platform for an application-level or circuit level gateway

Design Goals of FIrewall Characteristics

-All traffic from outside to inside must pass through the firewall (physically blocking all access to the local network except via the firewall) -Only authorized traffic (defined by local security policies) will be allowed to pass -The firewall itself is immune to penetration (use of trusted system with a secure operating system)

Buffer overflows

-Allows hacker to execute arbitrary commands -Take over system -Based on putting too much info that developers allocated for

Aims of a firewall

-Establish a controlled link -Protect the premises network from Internet-based attacks -Provide a single choke point

Defenses against recon

-Keep registration records up to date -Use organization contact name rather than individual contact info -Don't use OS type and functions in domain names ex) firewall.ibm.com -Use split DNS: internal and external

How does a circuit-level gateway firewall work?

-Stand alone system or specialized function performed by an application level gateway -sets up two TCP connections -the gateway typically relays TCP segments from one connection to the other without examining contents

How to crack passwords

-Steal it from /etc/passwd or /etc/shadow directory on UNIX or from SAM database on Windows or Winnt(or windows)/system32/config/SAM -Crack it: Guess, encrypt, compare with the stolen file, run through a dictionary of common passwords or use automated tools

What is the security function and what situation is circuit level gateway often used?

-The security function consists of determining which connections will be allowed -Typically use is a situation in which the system administrator trusts the internal users

Advantages of screened-subnet firewall system

-Three levels of defense to thwart intruders -The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) -The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Uses/abuses of NetCat

-Transfer files: NC 21 < testfile.in and NC -I -p 21 > testfile.out -Scan ports: Nc-v-w 4 -z 1-80 -Create backdoors: Nc 1027 (iis port) and NC -I -p 1027 -e cmd.exe -Create relays: bounce a connection between systems

Phase 4: Maintaining Access

-Utilize Trojan horses and backdoors -Application level trojan horses

How does a packet-filtering router work?

-applies a set of rules to each incoming IP packet and then forwards of discards the packet -filter packets going in both directions -the packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (ex addresses or port numbers) -two default policies (discard or forward)

Checksum Utility

-can confirm the fingerprints of any downloaded program -to confirm authentic program downloaded -Wireshark

Port scanning defenses

-disable unneeded services -use servuces control panel to disable (in admin tools under control panel settings) - use firewalls

Sniffing Defenses

-don't use telnet, rsh, rlogin -Use secure shell -Use VPN to encrypt all data between systems

How to use an application level trojan horse

-fool user into installing s/w -attacker can remotely access and control victim m/c -can be used for legitimate remote administration purposes ex) Remote Desktop, VNC, Chrome Remote Desktop, NetCat

Sniffing Data

-gather info transmitted across LAN -display stolenn data or log into file

Phase 5: Covering Tracks

-hiding files and directories -NTFS supports file streaming

Availability of info

-list of open ports -map of target network -list of vulnerabilities on target network -now gain access

Defense against Application Trojan Horses

-look for changes in the system: new registry keys and unexpected files -anti-virus tools can detect

NetCat: Swiss Knife for Hackers

-reads and writes data across networks -Available in Netcat -Runs in client or listen mode: Nc [dest] [port_number] NC-I-p [port_number]

Password Cracking Defenses

-strong password -password filtering s/w to verify complexity of s/w -token based authentication

Disadvantages of Application-level Gateway

Additional processing overhead on each connection

Phase 3: Gaining Access

Aim to 1. Analyze buffer overflows 2. Crack passwords 3. Sniff data 4. Use NetCat

Phase 3: Gaining Access

Aim: analyze buffer overflows, crack passwords, sniff data, use Netcat

Network Map

Develop using cheops-ng -Linux based, non-windows -Discovers network hosts, traces the network, and draws the network topology

Disadvantages of packet filtering router

Difficulty of setting up packet filter rules, Lack of authentication

What setting is associated with outside connections to public web server only?

Drop all incoming TCP SYN packets to any IP except 128.227.36.3, port 80

Screened host firewall system

Dual homed bastion host

Firewall Configurations

In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible

Packet-Filtering Router diagram description

Internet, Packet-Filtering Router, and Private network. The dashed security perimeter is half filter and all private network

Reconnaissance

Low tech and computer based: search the web -used to retrieve useful information like name of administrators, phone numbers and addresses, internet addresses of target machines, technologies in use, business partnerships

Network tools to gather info

Ping (is the host alive), DNS lookup (map domain names to IP addresses), Whois info, IP block registration for an organization, Traceroute

Advantages of packet filtering router

Simplicity, Transparency to users, High Speed

Low tech recon

Social engineering, physical break ins, dumpster diving

Port Scanner using Nmap

TCP and UDP ports -Each system has 65535 of each ports -Packets leave one port on a m/c and go to another port on another m/c -When a system 'listens' on a port, its open -Any open port is potential entry point -Port scanners scan such ports

Shut off Telnet / FTP

Telnet / FTP has inherent security weaknesses -no ecryption -password easily sniffed -shut it down

What does a screened host firewall system consist of?

Two systems - 1. A packet-filtering router 2. A bastion host

Nmap port scanner

Type of scan: intense, Ping, Quick, Traceroute -can generate packets from decoys: makes finding attacker more difficult -OS detection: based on fingerprints

Phase 2: Scanning

after recon, looks for ways to break in, relies on automated tools

How does application-level gateway work?

also called a proxy server - acts as a relay of application-level traffic

Where is the firewall inserted?

between the premises network and the internet

What setting is associated with prevent web radios from eating up the available bandwidth

drop all incoming UDP packets - except DNS and Router Broadcasts

What setting is associated with no outside web access?

drop all outgoing packets to any IP, Port 80

Advantages of Application-level Gateway

higher security that packet filters, only need to scrutinize a few allowable applications, easy to log and audit all incoming traffic

Defenses for Buffer Overflows

implement non-executable system stack -automated code examining tools