USC CSCI 530 - 2.10 - D2474059

Home> Schools> University of Southern California> Computer Science (CSCI) > CSCI 530> 2.10

DOC PREVIEW

USC CSCI 530 - 2.10

School name University of Southern California

Course Csci 530- Security Systems

Pages 65

This preview shows page 1-2-3-4-30-31-32-33-34-62-63-64-65 out of 65 pages.

Save

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

Premium Document

Do you want full access? Go Premium and unlock all 65 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

Unformatted text preview:

Phase&2:&Scanning&• Detec0ng&informa0on&useful&for&break9in&– Live&machines&– Network&topology&– Firewall&conﬁgura0on&– Applica0ons&and&OS&types&– Vulnerabili0es&Network&Mapping&• Finding&live&hosts&– Ping&sweep&– TCP&SYN&sweep&• Map&network&topology&&– Traceroute&• Sends&out&ICMP&or&UDP&packets&with&increasing&TTL&• Gets&back&ICMP_TIME_EXCEEDED&message&from&intermediate&routers&&Traceroute&A& R1& R2& R3& db&www&mail&1.&ICMP_ECHO&to&www.vic0m.com&TTL=1&1a.&ICMP_TIME_EXCEEDED&&from&R1&vic0m.com&A:&R1&is&my&ﬁrst&hop&to&www.vic0m.com!&Traceroute&A& R1& R2& R3& db&www&mail&2.&ICMP_ECHO&to&www.vic0m.com&TTL=2&2a.&ICMP_TIME_EXCEEDED&&from&R2&vic0m.com&A:&R19R2&is&my&path&to&www.vic0m.com!&Traceroute&A& R1& R2& R3& db&www&mail&3.&ICMP_ECHO&to&www.vic0m.com&TTL=3&3a.&ICMP_TIME_EXCEEDED&&from&R3&vic0m.com&A:&R19R29R3&is&my&path&to&www.vic0m.com!&Traceroute&A& R1& R2& R3& db&www&mail&4.&ICMP_ECHO&to&www.vic0m.com&TTL=4&4a.&ICMP_REPLY&&from&www.vic0m.com&vic0m.com&A:&R19R29R39www&is&my&path&to&www.vic0m.com&Traceroute&A& R1& R2& R3& db&www&mail&Repeat&for&db&and&mail&servers&vic0m.com&A:&R19R29R39www&is&my&path&to&www.vic0m.com&&&&&R19R29R39db&is&my&path&to&db.vic0m.com&&&&&R19R29R39mail&is&my&path&to&mail.vic0m.com&è Victim network is a star with R3 at the center&&&&&&&Network&Mapping&Tools&• Cheops&– Linux&applica0on&– hYp://cheops9ng.sourceforge.net/Automa0cally&performs&ping&sweep&and&network&mapping&and&displays&results&in&GUI&Dangerous*Defenses&Against&Network&Mapping&And&Scanning&• Filter&out&outgoing&ICMP&traﬃc&– Maybe&allow&for&your&ISP&only&• Use&Network&Address&Transla0on&(NAT)&NAT&box&A&B&C&D&Internal&hosts&with&192.168.0.0/16&1.2.3.4&8.9.10.11&Request&1.2.3.4&Reply&1.2.3.4&How&NATs&Work&• For&internal&hosts&to&go&out&– B&s ends&traﬃc&to&www. go o gl e.com&– NAT&modiﬁes&the&IP&header&of&this&traﬃc&• Source&IP:&B&èNAT&• Source&port:&B’s&chosen&port&Y&è&random&port&X&– NAT&remembers&that&whatever&comes&for&it&on&port&X&should&go&to&B&on&port&Y&– Go ogle&replies,&NAT&modiﬁ es&the&IP&header&• Des0na0on&IP:&NAT&èB&• Des0na0on&port:&X&è&Y&How&NATs&Work&• For&public&services&oﬀered&by&internal&hosts&– Y ou &adver0se&your&web&server&A&at&NAT’s&address&(1.2.3.4&and&port&80)&– NAT&remembers&that&whatever&comes&for&it&on&port&80&should&go&to&A&on&port&80&– External&clients&send&traﬃc&to&1.2.3.4:80&– NAT&modiﬁes&the&IP&header&of&this&traﬃc&• Des0na0on&IP:&NAT&èA&• Des0na0on&port:&NAT’s&port&80&è&A’s&service&port&80&– A&repli es,&NAT&modiﬁes&the&IP&header&• Source&IP:&AèNAT&• Source&port:&80&è&80&How&NATs&Work&• What&if&you&have&another&Web&server&C&– Y ou &adver0se&your&web&server&A&at&NAT’s&address&(1.2.3.4&and&port&55)&–&not&a&standard&Web&server&port&so&clients&must&know&to&talk&to&a&diﬀ.&port&– NAT&remembers&that&whatever&comes&for&it&on&port&55&should&go&to&C&on&port&80&– External&clients&send&traﬃc&to&1.2.3.4:55&– NAT&modiﬁes&the&IP&header&of&this&traﬃc&• Des0na0on&IP:&NAT&èC&• Des0na0on&port:&NAT’s&port&55è&C’s&service&port&80&– C &replies,&NAT&modiﬁ es&the&IP&header&• Source&IP:&CèNAT,&source&port:&80&è&55&&Port&Scanning&• Finding&applica0ons&that&listen&on&ports&• Send&various&packets:&– Establish&and&tear&down&TCP&connec0on&– Half9open&and&tear&down&TCP&connec0on&– Send&invalid&TCP&packets:&FIN,&Null,&Xmas&scan&– Send&TCP&ACK&packets&–&ﬁnd&ﬁrewall&holes&– Obscure&the&source&–&FTP&bounce&scans&– UDP&scans&– Find&RPC&applica0ons&Dangerous*Port&Scanning&• Set&source&port&and&address&– To&allow&packets&to&pass&through&the&ﬁrewall&– To&hide&your&source&address&• Use&TCP&ﬁngerprin0ng&to&ﬁnd&out&OS&type&– TCP&standard&does&not&specify&how&to&handle&invalid&packets&– Implementa0ons&diﬀer&a&lot&Port&Scanning&Tools&• Nmap&– Unix&and&Windows&NT&applica0on&and&GUI&– hYp://nmap.org/&– Various&scan&types&&– Adjustable&0ming&Dangerous*Defenses&Against&Port&Scanning&• Close&all&unused&ports&• Remove&all&unnecessary&services&• Filter&out&all&unnecessary&traﬃc&• Find&openings&before&the&aYackers&do&• Use&smart&ﬁltering,&based&on&client’s&IP&Firewalk:&Determining&Firewall&Rules&• Find&out&ﬁrewall&rules&for&new&connec0ons&• We&don’t&care&about&target&machine,&just&about&packet&types&that&can&get&through&the&ﬁrewall&– Find&out&distance&to&ﬁrewall&using&traceroute&– Ping&arbitrary&des0na0on&selng&TTL=distance+1&– If&you&receive&ICMP_TIME_EXCEEDED&&message,&the&ping&went&through&Defenses&Against&Firewalking&• Filter&out&outgoing&ICMP&traﬃc&• Use&ﬁrewall&proxies&– This&defense&works&because&a&proxy&recreates&each&packet&including&the&TTL&ﬁeld&Vulnerability&Scanning&• The&aYacker&knows&OS&and&applica0ons&installed&on&live&hosts&– He&can&now&ﬁnd&for&each&combina0on&• Vulnerability&exploits&• Common&conﬁgura0on&errors&• Default&conﬁgura0on&&• Vulnerability&scanning&tool&uses&a&database&of&known&vulnerabili0es&to&generate&packets&• Vulnerability&scanning&is&also&used&for&sysadmin&Vulnerability&Scanning&Tools&• SARA&– hYp://www9arc.com/sara&• SAINT&– hYp://www.saintcorpora0on.com&• Nessus&– hYp://www.nessus.org&Dangerous*Defenses&Against&&Vulnerability&Scanning&• Close&your&ports&and&keep&systems&patched&• Find&your&vulnerabili0es&before&the&aYackers&do&At&The&End&Of&Scanning&Phase&&• AYacker&has&a&list&of&“live”&IP&addresses&&• Open&ports&and&applica0ons&at&live&machines&• Some&informa0on&about&OS&type&and&version&of&live&machines&• Some&informa0on&about&applica0on&versions&at&open&ports&• Informa0on&about&network&topology&• Informa0on&about&ﬁrewall&conﬁgura0on&Phase&3:&Gaining&Access&• Exploit&vulnerabili0es&– Exploits&for&a&speciﬁc&vulnerability&can&be&downloaded&from&hacker&sites&– Skilled&hackers&write&new&exploits&What&is&a&vulnerability?&What&is&an&exploit?&Stack9Based&Overﬂow&AYacks&•

View Full Document