DMC ITSY 2430 - How Hackers Attack Networks

This preview shows page 1-2-14-15-30-31 out of 31 pages.


How Hackers Attack Networks

- Common platforms for attacks
- Local and remote attacks
- Why worry about local attacks on workstations?
- Common local attacks
- Cracking over the network: A four-step program
- Footprinting
- Scanning and enumerating
- Scanning and enumerating: Methods and tools
- Scanning and enumerating: Methods and tools (cont.)
- Researching
- Exploits
- Countering hackers
- Countering hackers (cont.)
- Identifying attacks
- Administrative shares:
- Control the target
- Counters to brute force/dictionary attacks
- Buffer overflow
- Hacker = Man in the middle
- Sniffing on local networks
- Sniffing: Switched networks
- ARP Spoofing
- ARP spoofing steps
- Counters to ARP spoofing
- IP spoofing:
- DoS
- SYN flooding
- Smurf attack
- Distributed denial of service
- Common DDoS zombie tools:

©2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.

How Hackers Attack Networks

This presentation is based on a PowerPoint by security expert Adrian Crenshaw. You can view his original presentation here.

Common platforms for attacks

- Windows 98/Me/XP Home Edition
- Linux, OpenBSD, Trinux, and other low-cost forms of UNIX

Local and remote attacks

- Local: Attacks performed with physical access to the machine
- Remote: Attacks launched over the network

Why worry about local attacks on workstations?

- Hackers can collect more information about a network and its users.
- Hackers can obtain the administrator password on a workstation, which can lead to server access.
- Spyware can be installed to gather more sensitive information.

Common local attacks

- Getting admin/root at the local machine
  - Windows Workstation: Rename or delete c:\winnt\system32\config\SAM
  - Linux: at LILO prompt, type linux s
- Cracking local passwords
  - L0phtcrack (LC)
- Removing hard drive to install in another box
- Exploiting files or commands available upon login
  - C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  - Registry commands, such as adding users

Cracking over the network: A four-step program

1. Footprinting
2. Scanning and enumerating
3. Researching
4. Exploiting

Footprinting

Finding out what an organization owns:

- Find the network block.
- Ping the network broadcast address.

Scanning and enumerating

- What services are running?
- What accounts exist?
- How are things set up?

Scanning and enumerating: Methods and tools

- Port scanning
  - Nmap
- Sniffing
  - ngrep
- SNMP
  - Solarwinds
- Null session
  - NBTenum
  - Nbtdump

Scanning and enumerating: Methods and tools (cont.)

- Null session
  - NBTenum
  - Nbtdump
- NetBIOS browsing
  - Netview
  - Legion
- Vulnerability scanners
  - Nessus
  - Winfingerprint
  - LANGuard

Researching

- http://www.securityfocus.com/
- http://www.networkice.com/advice/Exploits/Ports
- http://www.hackingexposed.com
- http://www.ntsecurity.net/
- http://www.insecure.org/

Researching security sites and hacker sites can reveal exploits that will work on the systems discovered during scanning and enumerating.

Exploits

- Brute force/dictionary attacks
- Software bugs
  - Bad input
  - Buffer overflows
- Sniffing

Countering hackers

- Port scanning
  - Block all ports except those you need
  - Block ICMP if practical
  - NT: IPsec; Linux: iptables
- Sniffing
  - Use switched media
  - Use encrypted protocols
  - Use fixed ARP entries

Countering hackers (cont.)

- Null sessions
  - Set the following registry value to 2:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous]
- Use IDS
  - Snort
  - BlackICE

Identifying attacks

- On Windows, check the event log under Security.
- On Linux, check in /var/log/.
- Review IIS logs at \winnt\system32\LogFiles.
- Check Apache logs at /var/log/httpd.

Administrative shares:

- Make life easier for system admins.
- Can be exploited if a hacker knows the right passwords.
- Standard admin shares:
  - Admin$
  - IPC$
  - C$ (and any other drive in the box)

Control the target

- Establish connection with target host.
    net use \\se-x-x\ipc$ /u:se-x-x\administrator
- Use Computer Management in MMC or Regedit to change system settings.
- Start Telnet session.
    at \\se-x-x 12:08pm net start telnet
- Turning off file sharing thwarts these connections.

Counters to brute force/dictionary attacks

- Use good passwords.
  - No dictionary words
  - Combination of alpha and numeric characters
  - At least eight-character length
- Use account lockouts.
- Limit services.
  - If you don’t need it, turn it off.
- Limit scope.

Buffer overflow

Cracker sends more data than the buffer can handle, at the end of which is the code he or she wants executed.

[Diagram: allotted space on stack; data sent, followed by code. Stack smashed; egg may be run.]

Hacker = Man in the middle

Sniffing on local networks

- On Ethernet without a switch, all traffic is sent to all computers.
- Computers with their NIC set to promiscuous mode can see everything that is sent on the wire.
- Common protocols like FTP, HTTP, SMTP, and POP3 are not encrypted, so you can read the passwords as plain text.

Sniffing: Switched networks

- Switches send data only to target hosts.
- Switched networks are more secure.
- Switches speed up the network.
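
The "Identifying attacks" and "Counters to brute force/dictionary attacks" slides point to /var/log/ and to account lockouts. As an added example (not part of the original presentation), the Python below applies a lockout threshold to failed logins found in a log; the sshd-style sample lines, the threshold of five failures and the ten-minute window are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual sshd syslog format (not from the deck).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[311]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:03 host sshd[311]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 10:00:05 host sshd[311]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:06 host sshd[312]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:08 host sshd[312]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:09 host sshd[311]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar  3 10:00:11 host sshd[313]: Failed password for root from 198.51.100.4 port 40116 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2002):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    failures = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            stamp = " ".join(m["ts"].split())
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["user"], m["ip"]))
    return failures

def accounts_to_lock(failures, threshold=5, window=timedelta(minutes=10)):
    """Map each account with >= threshold failures inside window to its source IPs."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(failures):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[user] = {ip for _, ip in events[start:end + 1]}
                break
    return flagged
```

Counting per account rather than per source address means guessing spread across several hosts still trips the threshold, as the two source IPs recorded for root in the sample show.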
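
The "Countering hackers" slide lists fixed ARP entries as a counter to sniffing. As an added example (not part of the original presentation), this Python check compares an ARP table against pinned IP-to-MAC bindings and flags one MAC answering for several IPs; the Linux /proc/net/arp layout, the PINNED table and every address in it are assumptions constructed for the illustration.

```python
# Pinned ("fixed") IP-to-MAC bindings for hosts that matter.
# All addresses are constructed, taken from documentation ranges.
PINNED = {
    "192.0.2.1": "00:00:5e:00:53:01",   # gateway
    "192.0.2.10": "00:00:5e:00:53:10",  # file server
}

# Constructed sample in the layout of Linux /proc/net/arp.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:66     *        eth0
192.0.2.10       0x1         0x2         00:00:5e:00:53:10     *        eth0
192.0.2.23       0x1         0x2         00:00:5e:00:53:66     *        eth0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp_table(text):
    """Parse /proc/net/arp-style text into {ip: mac}, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        # 0x2 is ATF_COM: the kernel has a resolved address for this entry
        if flags & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def audit(table, pinned):
    """Return findings: pinned IPs with an unexpected MAC, and MACs shared by several IPs."""
    findings = []
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(("pinned-mismatch", ip, seen))
    owners = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(("mac-shared", mac, sorted(ips)))
    return findings
```

A shared MAC is not always hostile (multi-homed hosts and proxy ARP produce it too), so the pinned-mismatch finding on the gateway is the stronger signal.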

