How Hackers Attack Networks

- Common platforms for attacks
- Local and remote attacks
- Why worry about local attacks on workstations?
- Common local attacks
- Cracking over the network: A four-step program
- Footprinting
- Scanning and enumerating
- Scanning and enumerating: Methods and tools
- Scanning and enumerating: Methods and tools (cont.)
- Researching
- Exploits
- Countering hackers
- Countering hackers (cont.)
- Identifying attacks
- Administrative shares:
- Control the target
- Counters to brute force/dictionary attacks
- Buffer overflow
- Hacker = Man in the middle
- Sniffing on local networks
- Sniffing: Switched networks
- ARP Spoofing
- ARP spoofing steps
- Counters to ARP spoofing
- IP spoofing:
- DoS
- SYN flooding
- Smurf attack
- Distributed denial of service
- Common DDoS zombie tools:

©2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.

How Hackers Attack Networks

This presentation is based on a PowerPoint by security expert Adrian Crenshaw. You can view his original presentation here.

Common platforms for attacks

- Windows 98/Me/XP Home Edition
- Linux, OpenBSD, Trinux, and other low-cost forms of UNIX

Local and remote attacks

- Local: Attacks performed with physical access to the machine
- Remote: Attacks launched over the network

Why worry about local attacks on workstations?

- Hackers can collect more information about a network and its users.
- Hackers can obtain the administrator password on a workstation, which can lead to server access.
- Spyware can be installed to gather more sensitive information.

Common local attacks

- Getting admin/root at the local machine
  - Windows Workstation: Rename or delete c:\winnt\system32\config\SAM
  - Linux: at LILO prompt, type linux s
- Cracking local passwords
  - L0phtcrack (LC)
- Removing hard drive to install in another box
- Exploiting files or commands available upon login
  - C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  - Registry commands, such as adding users

Cracking over the network: A four-step program

1. Footprinting
2. Scanning and enumerating
3. Researching
4. Exploiting

Footprinting

Finding out what an organization owns:

- Find the network block.
- Ping the network broadcast address.

Scanning and enumerating

- What services are running?
- What accounts exist?
- How are things set up?

Scanning and enumerating: Methods and tools

- Port scanning
  - Nmap
- Sniffing
  - ngrep
- SNMP
  - Solarwinds
- Null session
  - NBTenum
  - Nbtdump

Scanning and enumerating: Methods and tools (cont.)

- Null session
  - NBTenum
  - Nbtdump
- NetBIOS browsing
  - Netview
  - Legion
- Vulnerability scanners
  - Nessus
  - Winfingerprint
  - LANGuard

Researching

- http://www.securityfocus.com/
- http://www.networkice.com/advice/Exploits/Ports
- http://www.hackingexposed.com
- http://www.ntsecurity.net/
- http://www.insecure.org/

Researching security sites and hacker sites can reveal exploits that will work on the systems discovered during scanning and enumerating.

Exploits

- Brute force/dictionary attacks
- Software bugs
- Bad input
- Buffer overflows
- Sniffing

Countering hackers

- Port scanning
  - Block all ports except those you need
  - Block ICMP if practical
  - NT: IPsec; Linux: iptables
- Sniffing
  - Use switched media
  - Use encrypted protocols
  - Use fixed ARP entries

Countering hackers (cont.)

- Null sessions
  - Set the following registry value to 2:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous]
- Use IDS
  - Snort
  - BlackICE

Identifying attacks

- On Windows, check the event log under Security.
- On Linux, check in /var/log/.
- Review IIS logs at \winnt\system32\LogFiles.
- Check Apache logs at /var/log/httpd.

Administrative shares:

- Make life easier for system admins.
- Can be exploited if a hacker knows the right passwords.
- Standard admin shares:
  - Admin$
  - IPC$
  - C$ (and any other drive in the box)

Control the target

- Establish connection with target host.
  net use \\se-x-x\ipc$ /u:se-x-x\administrator
- Use Computer Management in MMC or Regedit to change system settings.
- Start Telnet session.
  at \\se-x-x 12:08pm net start telnet
- Turning off file sharing thwarts these connections.

Counters to brute force/dictionary attacks

- Use good passwords.
  - No dictionary words
  - Combination of alpha and numeric characters
  - At least eight-character length
- Use account lockouts.
- Limit services.
  - If you don't need it, turn it off.
- Limit scope.

Buffer overflow

Cracker sends more data than the buffer can handle, at the end of which is the code he or she wants executed.

[Diagram labels: Allotted space on stack; Data sent; Code; Stack smashed; Egg may be run.]

Hacker = Man in the middle

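The port-scanning counters on the "Countering hackers" slide (block all ports except those you need, block ICMP if practical, iptables on Linux) can be written as a default-deny inbound ruleset. This is an added example, not part of the original presentation; the function name emit_ruleset and the ports passed to it are assumptions.

```sh
#!/bin/sh
# Added example: default-deny inbound policy in iptables-restore format.
# emit_ruleset and the port numbers passed to it are assumptions,
# not taken from the slides.

# emit_ruleset PORT...   prints a ruleset that admits only the listed TCP ports.
emit_ruleset() {
    # Validate every port before printing anything, so a typo never
    # yields a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "invalid port: $port" >&2; return 1
        fi
    done

    # Policy DROP on INPUT blocks every port and all unsolicited ICMP.
    # ICMP errors that belong to a tracked connection match RELATED, so
    # path-MTU discovery keeps working while echo requests are dropped.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # One explicit hole per service the host actually offers.
    for port in "$@"; do
        printf '%s\n' \
            "-A INPUT -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root, after reviewing the output):
#   emit_ruleset 22 443 | iptables-restore
```
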
Sniffing on local networks

- On Ethernet without a switch, all traffic is sent to all computers.
- Computers with their NIC set to promiscuous mode can see everything that is sent on the wire.
- Common protocols like FTP, HTTP, SMTP, and POP3 are not encrypted, so you can read the passwords as plain text.

Sniffing: Switched networks

- Switches send data only to target hosts.
- Switched networks are more secure.
- Switches speed up the network.
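
The "Identifying attacks" and "Counters to brute force/dictionary attacks" slides say to check the logs under /var/log/ and to use account lockouts; the script below does the log-side check by counting failed logins per source. It is an added example, not part of the original presentation, and it assumes OpenSSH-style "Failed password" lines; the sample log is constructed, and the function names and the threshold are assumptions.

```sh
#!/bin/sh
# Added example: report sources with repeated failed logins.
# Assumes OpenSSH-style lines: "Failed password for [invalid user] NAME from IP".

# Constructed sample log lines (not taken from a real system).
sample_log() {
cat <<'EOF'
Mar  3 12:01:10 host1 sshd[811]: Failed password for root from 192.0.2.15 port 4101 ssh2
Mar  3 12:01:12 host1 sshd[811]: Failed password for root from 192.0.2.15 port 4102 ssh2
Mar  3 12:01:14 host1 sshd[812]: Failed password for invalid user admin from 192.0.2.15 port 4103 ssh2
Mar  3 12:01:15 host1 sshd[813]: Failed password for invalid user test from 192.0.2.15 port 4104 ssh2
Mar  3 12:01:17 host1 sshd[814]: Failed password for root from 192.0.2.15 port 4105 ssh2
Mar  3 12:03:40 host1 sshd[820]: Failed password for alice from 198.51.100.7 port 5220 ssh2
Mar  3 12:03:52 host1 sshd[820]: Accepted password for alice from 198.51.100.7 port 5220 ssh2
EOF
}

# failed_login_report THRESHOLD < logfile
# Prints "SOURCE FAILURES DISTINCT_USERS" for each source with at least
# THRESHOLD failures. Many distinct users from one source suggests a
# dictionary run across accounts rather than one person mistyping.
failed_login_report() {
    awk -v min="$1" '
    /Failed password for/ {
        user = ""; src = ""
        for (i = 1; i < NF; i++) {
            if ($i == "for" && user == "")
                user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") src = $(i+1)
        }
        if (src == "") next
        fails[src]++
        if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
    }
    END {
        for (s in fails)
            if (fails[s] >= min) print s, fails[s], users[s]
    }' | sort
}

# Usage: failed_login_report 5 < /var/log/auth.log   (path is an assumption)
```
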