Hacking is usually done by a "bad guy" (a.k.a. a black hat). It is not magic: it follows a methodology. There are many different techniques, and they change over time. New vulnerabilities keep being found, so new attacks keep appearing.
A white hat working from a hacker's (a.k.a. black hat's) point of view: a "simulated attack" with a predetermined goal. Telling too many people may invalidate the test, since forewarned staff will not react as they would to a real attack.
• Acquisition news
• Phone numbers
• Contact names and email addresses
• Privacy or security policies indicating the types of security mechanisms in place
• Links to other web servers related to the organization
• Specific IP addresses of systems reachable via the Internet
• TCP and UDP services running on each system identified
• System architecture (for example, SPARC vs. x86)
• Access control mechanisms and related access control lists (ACLs)
• Intrusion detection systems (IDSes)
• System enumeration (user and group names, system banners, routing tables, SNMP information)
• Internal domain names
• Network blocks
• Specific IP addresses of systems reachable via the intranet
• TCP and UDP services running on each system identified
• System architecture (for example, SPARC vs. x86)
• Access control mechanisms and related access control lists (ACLs)
• Intrusion detection systems
• System enumeration (user and group names, system banners, routing tables, SNMP information)
• Firewalls
• Operating systems running on key components
• Ports that are open
• Services that are running
• Versions of applications that are running
FIN probe: A FIN packet is sent to an open port. As mentioned previously, RFC 793 states that the correct behavior is not to respond; however, many stack implementations (such as Windows NT) respond anyway, typically with a RST.
Bogus flag probe: An undefined TCP flag is set in the TCP header of a SYN packet. Some operating systems (older Linux kernels, for example) echo the flag in their response packet.
Initial Sequence Number (ISN) sampling: The basic premise is to find a pattern in the initial sequence number chosen by the TCP implementation when responding to a connection request.
"Don't fragment" bit monitoring: Some operating systems set the "Don't fragment" (DF) bit to enhance performance. This bit can be monitored to determine which operating systems exhibit this behavior.
TCP initial window size: The initial window size on returned packets is tracked. For some stack implementations this size is unique and can greatly add to the accuracy of the fingerprint.
ACK value: IP stacks differ in the value they use for the ACK field; some implementations send back the sequence number you sent, and others send back that sequence number + 1.
ICMP error message quenching: Operating systems may follow RFC 1812 (www.ietf.org/rfc/rfc1812.txt) and limit the rate at which error messages are sent. By sending UDP packets to a random high-numbered port, it is possible to count the number of port-unreachable messages received within a given amount of time.
ICMP message quoting: Operating systems differ in how much of the offending packet is quoted back in ICMP error messages. By examining the quoted portion, you may be able to make some assumptions about the target operating system.
ICMP error message-echoing integrity: Some stack implementations alter the IP header when quoting it back in ICMP error messages. By examining the types of alterations made to the header, you may be able to make some assumptions about the target operating system.
Type of service (TOS): For ICMP port-unreachable messages, the TOS value is examined. Most stack implementations use 0, but this can vary.
Fragmentation handling: As pointed out by Thomas Ptacek and Tim Newsham in their landmark paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (http://www.clark.net/~roesch/idspaper.html), different stacks handle overlapping fragments differently. When fragments are reassembled, some stacks overwrite the old data with the new data, and others keep the old data. By noting how probe packets are reassembled, you can make some assumptions about the target operating system.
TCP options: TCP options are defined by RFC 793 and, more recently, by RFC 1323 (www.ietf.org/rfc/rfc1323.txt). The more advanced options from RFC 1323 tend to be implemented only in the most current stacks. By sending a packet with multiple options set (no operation, maximum segment size, window scale factor, timestamps) and observing which ones the target supports, it is possible to make some assumptions about the target operating system.
TTL: What does the operating system set as the time-to-live on the outbound packet?
Window size: What does the operating system set as the TCP window size?
DF: Does the operating system set the "Don't fragment" bit?
TOS: Does the operating system set the type of service, and if so, to what value?
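The four passive attributes above (plus the TCP option list, which the active-fingerprinting list also relies on) can be pulled straight out of a captured SYN and matched against a signature table. The following is an added example, not code from the slides: it parses a raw IPv4+TCP packet, infers the initial TTL from the observed one, and scores each signature by how many attributes match. The signature table is an assumption that merely resembles classic p0f-style entries (it is not authoritative for any OS version), and the packets are constructed inline so the example runs offline.

```python
"""Passive TCP/IP stack fingerprinting from a captured SYN packet.

Added example (not from the original slides). The signature table is an
assumption resembling classic p0f-style entries, not an authoritative
description of any OS version. Packets are constructed inline.
"""
import struct
from dataclasses import dataclass

# TCP option kinds that get a name; anything else is reported as optN.
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}


@dataclass(frozen=True)
class Fingerprint:
    initial_ttl: int   # inferred initial TTL (32, 64, 128 or 255)
    window: int        # TCP window size advertised in the SYN
    df: bool           # IP "Don't fragment" bit
    tos: int           # IP type-of-service byte
    options: tuple     # TCP option kinds, in the order they appear


# Illustrative signatures (assumption, see module docstring).
SIGNATURES = {
    "linux-2.6 (illustrative)": Fingerprint(64, 5840, True, 0,
                                            ("mss", "sackOK", "ts", "nop", "wscale")),
    "windows-xp (illustrative)": Fingerprint(128, 65535, True, 0,
                                             ("mss", "nop", "nop", "sackOK")),
    "bsd-like (illustrative)": Fingerprint(64, 65535, True, 0,
                                           ("mss", "nop", "wscale", "nop", "nop", "ts")),
}


def parse_tcp_options(raw: bytes) -> tuple:
    """Walk the TCP options area and return the option kinds in order."""
    kinds = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end-of-options
            break
        if kind == 1:                      # NOP carries no length byte
            kinds.append("nop")
            i += 1
            continue
        # Every other option has a length byte; stop on a malformed one.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break
        kinds.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += raw[i + 1]
    return tuple(kinds)


def infer_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return observed


def fingerprint(packet: bytes) -> Fingerprint:
    """Extract the passive-fingerprint attributes from an IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    tos = packet[1]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl = packet[8]
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    options = parse_tcp_options(tcp[20:data_offset])
    return Fingerprint(infer_initial_ttl(ttl), window,
                       bool(flags_frag & 0x4000), tos, options)


def classify(fp: Fingerprint):
    """Score each signature by matching attributes (0..5); return the best."""
    best_name, best_score = None, -1
    for name, sig in SIGNATURES.items():
        score = sum([fp.initial_ttl == sig.initial_ttl, fp.window == sig.window,
                     fp.df == sig.df, fp.tos == sig.tos, fp.options == sig.options])
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def build_syn(ttl: int, tos: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN (checksums left at 0) for testing."""
    total_len = 20 + 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed option blobs: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7
LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
# MSS 1460, NOP, NOP, SACK-permitted
WINDOWS_OPTS = bytes.fromhex("020405b4" "01" "01" "0402")

if __name__ == "__main__":
    # A SYN that crossed 6 hops from a Linux-like host (TTL 64 -> 58)
    print(classify(fingerprint(build_syn(58, 0, True, 5840, LINUX_OPTS))))
    print(classify(fingerprint(build_syn(120, 0, True, 65535, WINDOWS_OPTS))))
```

The score is deliberately a plain count: in practice window size and option order carry far more weight than TOS, and a stack behind NAT or a scrubbing firewall can have its TTL and DF bit rewritten, so treat a partial match as a hint rather than an identification.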
Port  State  Protocol  Service  Owner
22    open   tcp       ssh      root
25    open   tcp       smtp     root
80    open   tcp       http     root
110   open   tcp       pop-3    root
113   open   tcp       auth     root
6000  open   tcp       X11      root
"SELECT * FROM users WHERE name = '" + userName + "';"

Input: John Doe
Resulting query: SELECT * FROM users WHERE name = 'John Doe';

Input: John Doe'; DROP TABLE users;
Resulting query: SELECT * FROM users WHERE name = 'John Doe'; DROP TABLE users;';
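The same concatenation, run against a real database engine next to the parameterized form that defeats it, as an added example (not code from the slides). It uses Python's sqlite3 with an in-memory database so it runs offline; the `users` table and its columns are assumptions matching the slide's query. Because sqlite3's `execute()` refuses stacked statements, the vulnerable path splits the built query on `;` and runs the pieces one at a time, which is the simulation's stand-in for a driver that allows stacked queries; the dangling `';` left after the payload is a syntax error and is simply reported as such.

```python
"""String-built SQL versus a parameterized query, using the slide's payload.

Added example, not from the original slides. Uses sqlite3 in memory; the
table/column names are assumptions matching the slide's query.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a constructed `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users (name) VALUES ('John Doe'), ('Jane Roe');
    """)
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row is not None


def vulnerable_lookup(conn: sqlite3.Connection, user_name: str) -> list:
    """The slide's pattern: the query text is built by concatenation.

    sqlite3.execute() refuses stacked statements, so to reproduce what a
    driver that allows them would do, the text is split on ';' and each
    piece is run in turn (the split is part of the simulation only).
    """
    query = "SELECT * FROM users WHERE name = '" + user_name + "';"
    rows = []
    for stmt in query.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        try:
            result = conn.execute(stmt).fetchall()
        except sqlite3.Error:
            # The dangling "'" left after the payload is a syntax error.
            # Engines differ on whether earlier pieces still take effect;
            # statement-at-a-time execution (as here) has already run them.
            continue
        if stmt.upper().startswith("SELECT"):
            rows.extend(result)
    return rows


def safe_lookup(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


PAYLOAD = "John Doe'; DROP TABLE users;"   # the slide's injection string

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_lookup(conn, PAYLOAD))   # [(1, 'John Doe')]
    print(table_exists(conn, "users"))        # False: the table is gone
    conn = make_db()
    print(safe_lookup(conn, PAYLOAD))         # []: no user has that name
    print(table_exists(conn, "users"))        # True
```

Note that the vulnerable call still returns John Doe's row, so the application sees a perfectly normal-looking result while the table disappears underneath it; with the parameterized query the whole payload is compared as a name and matches nothing.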
3. Penetrating the system:
   o Gaining access through the following attacks:
     ▪ Operating system attacks
     ▪ Application-level attacks
     ▪ Script and sample program attacks
     ▪ Misconfiguration attacks
   o Elevating privileges
   o Denial of service
4. Uploading programs.
5. Downloading data.
6. Keeping access by using the following:
   o Backdoors
   o Trojan horses
7. Covering tracks
• … from the UTMP file.
• Cloak.c: Wipes away all presence of a user on a UNIX system.
• Cloak2.c: Newer version of cloak that does a better job of cleaning up the WTMP and UTMP files.
• Displant.c: Cleans up and removes all traces from a UTMP file.
• Hide.c: Cleans up and removes all traces from a UTMP file.
• Invisible.c: Hides the attacker's traces as root on a system.
• Lastlogin.c: Removes the last logon for a particular user.
• Logcloak.c: Another rewrite of cloak.
• Logutmpeditor.c: Edits entries in the UTMP file.
• Logwedit.c: Cleans up and removes all traces from the WTMP file.
• Marry.c: Removes entries and cleans up log files.
• Mme.c: Enables you to make changes and remove entries from the UTMP file.
• Remove.c: Removes entries from the UTMP, WTMP, and lastlog files.
• Stealth.c: Cleans up and removes entries from UTMP files.
• Ucloak.c: Another version of cloak that removes all presence of a user.
• Utmp: Removes UTMP entries by name or number.
• Wtmped.c: Enables you to overwrite the WTMP file with one of your choosing.
• Zap.c: Removes entries from the WTMP and UTMP files.
• Zap2.c: An updated version of zap.
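From the defender's side, the tools above all edit binary files that init and login otherwise only append to, and that leaves traces. The following is an added example, not from the slides: it parses a wtmp file using the layout of glibc's 384-byte `struct utmp` on x86-64 and applies three heuristics (an all-zero record, a timestamp that goes backwards, and a logout on a line with no preceding login). The sample file is constructed inline, and the heuristics are assumptions about what in-place editing leaves behind, not a signature of any particular tool.

```python
"""Heuristic integrity check for a wtmp file.

Added example, not from the original slides. Record layout: glibc's
384-byte `struct utmp` on x86-64. The sample file is constructed inline;
the heuristics are assumptions, not signatures of specific tools.
"""
import struct

UT_EMPTY, UT_BOOT_TIME, UT_USER_PROCESS, UT_DEAD_PROCESS = 0, 2, 7, 8
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, e_termination,
# e_exit, ut_session, tv_sec, tv_usec, ut_addr_v6[4], __unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used only to construct the sample file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_records(data: bytes) -> list:
    """Split a wtmp blob into dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]),
                        "time": f[9], "zeroed": raw == b"\0" * UTMP_SIZE})
    return records


def audit_wtmp(data: bytes) -> list:
    """Return (record_index, reason) for records that look tampered with.

    Heuristics (assumptions):
      1. wtmp is append-only, so an all-zero record means something was
         wiped in place rather than written by login/init.
      2. Timestamps should not go backwards between records.
      3. A logout (DEAD_PROCESS) on a line with no earlier login suggests
         the login record was removed.
    """
    findings = []
    open_lines = set()
    last_time = 0
    for i, r in enumerate(parse_records(data)):
        if r["zeroed"]:
            findings.append((i, "record zeroed in place"))
            continue
        if r["time"] < last_time:
            findings.append((i, "timestamp earlier than previous record"))
        last_time = max(last_time, r["time"])
        if r["type"] == UT_USER_PROCESS:
            if not r["user"] or not r["line"]:
                findings.append((i, "login record with blank user or line"))
            open_lines.add(r["line"])
        elif r["type"] == UT_DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((i, f"logout on {r['line']} with no matching login"))
            open_lines.discard(r["line"])
    return findings


# Constructed sample wtmp: a clean login/logout, then three tampered spots.
SAMPLE_WTMP = b"".join([
    pack_record(UT_BOOT_TIME, 0, "~", "reboot", "host", 900),
    pack_record(UT_USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1000),
    pack_record(UT_DEAD_PROCESS, 1001, "pts/0", "", "", 1100),
    b"\0" * UTMP_SIZE,                                          # zapped in place
    pack_record(UT_DEAD_PROCESS, 1002, "pts/1", "", "", 1200),  # login removed
    pack_record(UT_USER_PROCESS, 1003, "pts/2", "bob", "10.0.0.6", 1150),  # rewritten
])

if __name__ == "__main__":
    # On a real host: audit_wtmp(open("/var/log/wtmp", "rb").read())
    for index, reason in audit_wtmp(SAMPLE_WTMP):
        print(index, reason)
```

A clock step or a crash can trigger the timestamp rule on its own, so corroborate hits with sources the tools above do not touch, such as the auth log shipped off-host, process accounting, or a remote syslog copy; an attacker with root can rewrite anything local.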
• … all reducible threats
• Data and resources are potential targets because of bugs
• Bugs become exploits
• Assessment and mitigation aid understanding of shield strength
• Assumption: network servers in an enterprise
• … and other components for the server
• Install, configure, and secure the underlying operating system as well as the server software
• For web servers, database servers, and directory servers that host content, ensure that the content is properly secured
• Deficient planning and management controls
• Fixing security later won't help
  ▪ Cumbersome, expensive
• A detailed plan should be made and followed
• Suspicious behavior: any deviation from the plan
• Privileges, management, user authentication, protection of data
• Enforces appropriate access to information
• Application meets requirements
• Vulnerability history, functionality
• Anything not necessary should be removed
• First install the software on a dedicated host or guest OS
• Apply patches and upgrades
• Create a separate partition for server data
• Remove unnecessary services and unwanted default accounts
• … resources, devices
• Distribute access rights to users
• Server software has the same options
• Set identical permissions in both the OS and the server software
• Optimal access controls
  ▪ Limit the server application's access to resources
  ▪ Limit user access through additional controls
• … resource usage
• Ensure the integrity of server logs
• Distinctive files need access control
  ▪ Logs, audit files, security mechanisms
• Individual users or user groups: identity, restricted access
• The OS should limit file access by server software processes
• Run service processes as an unprivileged user and allow them to write to server content only where required
• Keep the software on a different partition
• Scan uploaded files before the server reads them
• Limit the size of uploaded files
• Store logging information on a logging server (and locally as well if feasible)
• Configure connection timeouts