Firewalls, Phases of Hacking
Password cracking tools
L0phtCrack for Windows, John the Ripper
In screened host firewall system what is configuration for the packet filtering router like?
-Only packets from and to the bastion host are allowed to pass through the router -The bastion host performs authentication and proxy functions
Application-level gateway diagram
outside computer host <---> AL Gateway <---> inside host
Circuit-level gateway diagram
see slide 15
Scanning for vulnerabilities
tool available nessus.org
Phases of Hacking
1. Reconnaissance 2. Scanning 3. Gaining Access 4. Maintaining Access 5. Covering the tracks
Three common firewall configurations
1. Screened host firewall system (Single-home bastion host) 2. Screened host firewall system (dual-homed bastion host) 3. Screened-subnet firewall system
How does a screened-subnet firewall system work?
-Most secure configuration of the three -Two packet filtering routers are used -Creation of an isolated sub-network
Three common types of Firewalls
-Packet-filtering routers -Application-level gateways -Circuit-level gateways
Protocol Tunneling using Reverse WWW Shell
-Tunneling used to hide data: using one protocol to carry another, e.g. email carries HTML; Reverse WWW Shell carries commands over HTTP, so the data looks like ordinary web traffic
Defenses against Reverse WWW shell
-use IDS -use AV tools -know what should be running on each m/c: investigate strange processes
How does a screened host firewall system work?
(single-homed bastion host) -Greater security than single-system configurations for two reasons: it implements both packet-level and application-level filtering, allowing flexibility in defining security policy, and an intruder must generally penetrate two separate systems -Affords flexibility in providing direct Internet access (e.g. a public information server such as a web server)
Bastion Host
- a system identified by the firewall administrator as a critical strong point in the network's security -the bastion host serves as a platform for an application-level or circuit level gateway
Design Goals of Firewall Characteristics
-All traffic from outside to inside must pass through the firewall (physically blocking all access to the local network except via the firewall) -Only authorized traffic (defined by local security policies) will be allowed to pass -The firewall itself is immune to penetration (use of trusted system with a secure operating system)
Buffer overflows
-Allows a hacker to execute arbitrary commands -Take over the system -Based on putting more data into a buffer than the developers allocated for it
Aims of a firewall
-Establish a controlled link -Protect the premises network from Internet-based attacks -Provide a single choke point
Defenses against recon
-Keep registration records up to date -Use organization contact name rather than individual contact info -Don't use OS type and functions in domain names ex) firewall.ibm.com -Use split DNS: internal and external
How does a circuit-level gateway firewall work?
-Stand alone system or specialized function performed by an application level gateway -sets up two TCP connections -the gateway typically relays TCP segments from one connection to the other without examining contents
How to crack passwords
-Steal it from the /etc/passwd or /etc/shadow file on UNIX, or from the SAM database on Windows (WINNT or Windows\system32\config\SAM) -Crack it: guess, encrypt, compare with the stolen file; run through a dictionary of common passwords or use automated tools
What is the security function and what situation is circuit level gateway often used?
-The security function consists of determining which connections will be allowed -Typically use is a situation in which the system administrator trusts the internal users
Advantages of screened-subnet firewall system
-Three levels of defense to thwart intruders -The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) -The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
Uses/abuses of NetCat
-Transfer files: nc 21 < testfile.in and nc -l -p 21 > testfile.out -Scan ports: nc -v -w 4 -z 1-80 -Create backdoors: nc 1027 (IIS port) and nc -l -p 1027 -e cmd.exe -Create relays: bounce a connection between systems
Phase 4: Maintaining Access
-Utilize Trojan horses and backdoors -Application level trojan horses
How does a packet-filtering router work?
-Applies a set of rules to each incoming IP packet and then forwards or discards the packet -Filters packets going in both directions -The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (e.g. addresses or port numbers) -Two default policies (discard or forward)
Checksum Utility
-can confirm the fingerprints of any downloaded program -to confirm authentic program downloaded -Wireshark
Port scanning defenses
-Disable unneeded services -Use the Services control panel to disable them (in Admin Tools under Control Panel settings) -Use firewalls
Sniffing Defenses
-don't use telnet, rsh, rlogin -Use secure shell -Use VPN to encrypt all data between systems
How to use an application level trojan horse
-Fool the user into installing the s/w -Attacker can then remotely access and control the victim m/c -The same tools can be used for legitimate remote administration, e.g. Remote Desktop, VNC, Chrome Remote Desktop, NetCat
Sniffing Data
-Gather info transmitted across the LAN -Display the stolen data or log it to a file
Phase 5: Covering Tracks
-hiding files and directories -NTFS supports file streaming
Availability of info
-list of open ports -map of target network -list of vulnerabilities on target network -now gain access
Defense against Application Trojan Horses
-look for changes in the system: new registry keys and unexpected files -anti-virus tools can detect
NetCat: Swiss Knife for Hackers
-Reads and writes data across networks -Available as Netcat (nc) -Runs in client or listen mode: nc [dest] [port_number] or nc -l -p [port_number]
Password Cracking Defenses
-Strong passwords -Password filtering s/w to verify password complexity -Token-based authentication
Disadvantages of Application-level Gateway
Additional processing overhead on each connection
Phase 3: Gaining Access
Aim to 1. Analyze buffer overflows 2. Crack passwords 3. Sniff data 4. Use NetCat
Phase 3: Gaining Access
Aim: analyze buffer overflows, crack passwords, sniff data, use Netcat
Network Map
Develop using cheops-ng -Linux based, non-windows -Discovers network hosts, traces the network, and draws the network topology
Disadvantages of packet filtering router
Difficulty of setting up packet filter rules, Lack of authentication
What setting is associated with outside connections to public web server only?
Drop all incoming TCP SYN packets to any IP except 128.227.36.3, port 80
Screened host firewall system
Dual homed bastion host
Firewall Configurations
In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
Packet-Filtering Router diagram description
Internet, Packet-Filtering Router, and Private Network. The dashed security perimeter encloses half of the packet-filtering router and all of the private network
Reconnaissance
Low-tech and computer-based: search the web -Used to retrieve useful information such as names of administrators, phone numbers and addresses, Internet addresses of target machines, technologies in use, business partnerships
Network tools to gather info
Ping (is the host alive), DNS lookup (map domain names to IP addresses), Whois info, IP block registration for an organization, Traceroute
Advantages of packet filtering router
Simplicity, Transparency to users, High Speed
Low tech recon
Social engineering, physical break ins, dumpster diving
Port Scanner using Nmap
TCP and UDP ports -Each system has 65535 ports of each type -Packets leave one port on a m/c and go to another port on another m/c -When a system 'listens' on a port, it is open -Any open port is a potential entry point -Port scanners scan such ports
Shut off Telnet / FTP
Telnet / FTP have inherent security weaknesses -No encryption -Passwords easily sniffed -Shut them down
What does a screened host firewall system consist of?
Two systems - 1. A packet-filtering router 2. A bastion host
Nmap port scanner
Type of scan: intense, Ping, Quick, Traceroute -can generate packets from decoys: makes finding attacker more difficult -OS detection: based on fingerprints
Phase 2: Scanning
after recon, looks for ways to break in, relies on automated tools
How does application-level gateway work?
also called a proxy server - acts as a relay of application-level traffic
Where is the firewall inserted?
between the premises network and the internet
What setting is associated with prevent web radios from eating up the available bandwidth
drop all incoming UDP packets - except DNS and Router Broadcasts
What setting is associated with no outside web access?
drop all outgoing packets to any IP, Port 80
Advantages of Application-level Gateway
Higher security than packet filters, only need to scrutinize a few allowable applications, easy to log and audit all incoming traffic
Defenses for Buffer Overflows
-Implement a non-executable system stack -Automated code-examining tools