Hands-On Ethical Hacking And Network Defense

Hands-On Ethical Hacking and Network Defense
Chapter 3: Network and Computer Attacks
Last modified 1-11-17

Objectives
- Describe the different types of malicious software
- Describe methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities

Malicious Software (Malware)
- Network attacks prevent a business from operating
- Malicious software (malware) includes:
  - Viruses
  - Worms
  - Trojan horses
- Goals:
  - Destroy data
  - Corrupt data
  - Shut down a network or system

Viruses
- A virus attaches itself to an executable file
- Can replicate itself through an executable program
  - Needs a host program to replicate
- No foolproof method of preventing them

Antivirus Software
- Detects and removes viruses
- Detection based on virus signatures
- Must update signature database periodically
  - Use automatic update feature

Common Viruses

Ransomware
- Encrypts files, demands ransom for the key
- Doesn't need to be reported as a breach, because no data was stolen

Base 64 Encoding
- Used to evade anti-spam tools, and to obscure passwords
- Encodes six bits at a time (0 – 63) with a single ASCII character:
  - A – Z: 0 – 25
  - a – z: 26 – 51
  - 1 – 9: 52 – 61
  - two symbols (+ and / in the standard alphabet): 62 and 63
- See links Ch 3a, 3b

Base64 Example
- ORACLE → T1JBQ0xF
- Link Ch 3r
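As an added example (not from the textbook or the slides), here is a Base64 encoder and decoder in C that works six bits at a time using the standard alphabet (A–Z, a–z, 0–9, + and /), with a round-trip helper so the slide's ORACLE example can be checked. The decoder rejects malformed text instead of guessing, which is what a mail filter that decodes Base64 before scanning for spam or attachments needs. All inputs below are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard Base64 alphabet: index 0-25 = A-Z, 26-51 = a-z, 52-61 = 0-9, 62 = '+', 63 = '/' */
static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode len bytes from in into out as NUL-terminated Base64.
   out must have room for 4 * ((len + 2) / 3) + 1 bytes.
   Returns the number of characters written, not counting the NUL. */
size_t b64_encode(const uint8_t *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        /* Pack up to three input bytes into one 24-bit group; absent bytes are zero. */
        uint32_t grp = (uint32_t)in[i] << 16;
        if (i + 1 < len) grp |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) grp |= (uint32_t)in[i + 2];
        /* Emit the group as four 6-bit symbols; '=' pads for missing input bytes. */
        out[o++] = B64_ALPHABET[(grp >> 18) & 0x3F];
        out[o++] = B64_ALPHABET[(grp >> 12) & 0x3F];
        out[o++] = (i + 1 < len) ? B64_ALPHABET[(grp >> 6) & 0x3F] : '=';
        out[o++] = (i + 2 < len) ? B64_ALPHABET[grp & 0x3F] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Map one Base64 character back to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode NUL-terminated Base64 text into out (which needs 3 * strlen(in) / 4 bytes).
   Returns the decoded byte count, or -1 if the text is not well-formed Base64. */
int b64_decode(const char *in, uint8_t *out)
{
    size_t n = strlen(in);
    if (n == 0 || n % 4 != 0) return -1;
    int o = 0;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t grp = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {                    /* padding: only in the final group, at its end */
                if (i + 4 != n || k < 2) return -1;
                pad++;
                grp <<= 6;
                continue;
            }
            if (pad) return -1;                /* data after padding is malformed */
            int v = b64_value(c);
            if (v < 0) return -1;
            grp = (grp << 6) | (uint32_t)v;
        }
        out[o++] = (uint8_t)(grp >> 16);
        if (pad < 2) out[o++] = (uint8_t)(grp >> 8);
        if (pad < 1) out[o++] = (uint8_t)grp;
    }
    return o;
}

/* Round-trip check for the slide's example: returns 1 if text encodes to expected and
   expected decodes back to text, 0 otherwise. text must be shorter than 64 bytes. */
int b64_roundtrip_ok(const char *text, const char *expected)
{
    char enc[4 * ((64 + 2) / 3) + 1];
    uint8_t dec[64];
    size_t len = strlen(text);
    if (len >= 64) return 0;
    b64_encode((const uint8_t *)text, len, enc);
    if (strcmp(enc, expected) != 0) return 0;
    int dlen = b64_decode(enc, dec);
    return dlen == (int)len && memcmp(dec, text, len) == 0;
}

int main(void)
{
    printf("ORACLE -> T1JBQ0xF: %s\n", b64_roundtrip_ok("ORACLE", "T1JBQ0xF") ? "ok" : "MISMATCH");
    return 0;
}
```

The point for a defender is that Base64 hides nothing: a filter that decodes every Base64 body part and header before applying its rules sees the same text the recipient will, and a "password" stored as cGFzc3dvcmQ= is recovered by anyone with the same decoder.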

Viruses (continued)
- Commercial base 64 decoders
- Shell: executable piece of programming code
  - Should not appear in an e-mail attachment

Macro Viruses
- Virus encoded as a macro
- Macro: a list of commands
  - Can be used in destructive ways
- Example: Melissa
  - Appeared in 1999
  - It is very simple; see link Ch 3c for source code

Writing Viruses
- Even nonprogrammers can create macro viruses
  - Instructions posted on Web sites
  - Virus creation kits available for download (see link Ch 3d)
- Security professionals can learn from thinking like attackers
  - But don't create and release a virus! People get long prison terms for that.

Worms
- Worm: replicates and propagates without a host, often through email
- Infamous examples:
  - Code Red
  - Nimda
- Can infect every computer in the world in a short time
  - At least in theory

Spread of Code Red Worm
- See link Ch 3u

ATM Machine Worms
- Cyberattacks against ATM machines
  - Slammer and Nachi worms
  - Trend produces antivirus for ATM machines
  - See links Ch 3g, 3h, 3i
- Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
  - See link Ch 3j
- Diebold was criticized for using Windows for ATM machines, which they also use on voting machines

Important Worms

Trojan Programs
- Insidious attack against networks
- Disguise themselves as useful programs
  - Hide malicious content in program
    - Backdoors
    - Rootkits
  - Allow attackers remote access

Firewalls
- Identify traffic on uncommon ports
- Can block this type of attack, if your firewall filters outgoing traffic
  - Windows Firewall in XP SP2, Vista, and Win 7 does not filter outgoing traffic by default
- Trojan programs can use known ports to get through firewalls
  - HTTP (TCP 80) or DNS (UDP 53)

Windows DLL Hijacking Vulnerability
- DLL files are loaded from the incorrect directory
- Affects over 200 applications on every version of Windows
- No good patch yet (8-31-2010)
- Link Ch 3s, 3t, 3w

Spyware
- Sends information from the infected computer to the attacker
  - Confidential financial data
  - Passwords
  - PINs
  - Any other stored data
- Can register each keystroke entered (keylogger)
- Prevalent technology
- Educate users about spyware

Deceptive Dialog Box

Adware
- Similar to spyware
  - Can be installed without the user being aware
  - Sometimes displays a banner
- Main goal: determine user's online purchasing habits
  - Tailored advertisement
- Main problem: slows down computers

Protecting Against Malware Attacks
- Difficult task
  - New viruses, worms, Trojan programs appear daily
- Antivirus programs offer a lot of protection
- Educate your users about these types of attacks

Virus Alert

Educating Your Users
- Structural training
  - Includes all employees and management
- E-mail monthly security updates
- Update virus signature database automatically

Educating Your Users
- SpyBot and Ad-Aware
  - Help protect against spyware and adware
  - Windows Defender is excellent too
- Firewalls
  - Hardware (enterprise solution)
  - Software (personal solution)
  - Can be combined
- Intrusion Detection System (IDS)
  - Monitors your network 24/7

FUD
- Fear, Uncertainty and Doubt
  - Avoid scaring users into complying with security measures
  - Sometimes used by unethical security testers
  - Against the OSSTMM's Rules of Engagement
- Promote awareness rather than instilling fear
  - Users should be aware of potential threats
  - Build on users' knowledge

Link Ch 3v

Intruder Attacks on Networks and Computers
- Attack: any attempt by an unauthorized person to access or use network resources
- Network security: security of computers and other devices in a network
- Computer security: securing a standalone computer, not part of a network infrastructure
- Computer crime: fastest growing type of crime worldwide

Denial-of-Service Attacks
- Denial-of-Service (DoS) attack: prevents legitimate users from accessing network resources
- Some forms do not involve computers, like feeding a paper loop through a fax machine
- DoS attacks do not attempt to access information
  - Cripple the network
  - Make it vulnerable to other types of attacks

Testing for DoS Vulnerabilities
- Performing an attack yourself is not wise
  - You only need to prove that an attack could be carried out

Distributed Denial-of-Service Attacks
- Attack on a host from multiple servers or workstations
- Network could be flooded with billions of requests
  - Loss of bandwidth
  - Degradation or loss of speed
- Often participants are not aware they are part of the attack
  - They are remote-controlled "zombies"

Buffer Overflow Attacks
- Vulnerability in poorly written code
  - Code does not check predefined size of input field
- Goal: fill overflow buffer with executable code
  - OS executes this code
  - Can elevate attacker's permission to Administrator or even Kernel
- Programmers need special training to write secure code
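The slide's root cause ("code does not check predefined size of input field") is easiest to see side by side. The following C is an added example, not code from the textbook: `unchecked_copy` is the vulnerable pattern, kept only for comparison and never called with oversized input, and `bounded_copy` / `accept_username` are the hardened form that checks the input against the field size and refuses what does not fit. `FIELD_SIZE` and the sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_SIZE 16   /* the "predefined size of the input field" from the slide (constructed) */

/* Vulnerable pattern, shown only for comparison: nothing compares the length of input
   with the size of field, so input longer than FIELD_SIZE - 1 bytes writes past the end
   of the buffer. When field lives on the stack, that overwrites whatever follows it,
   including the saved return address, which is how the overflow turns into code execution. */
void unchecked_copy(char field[FIELD_SIZE], const char *input)
{
    strcpy(field, input);            /* no bounds check */
}

/* Hardened replacement: copy at most field_size - 1 bytes, always NUL-terminate, and
   report oversize input instead of truncating it silently. Returns 0 on success, -1 if
   the input does not fit. Scanning stops at field_size, so a missing terminator in
   input cannot cause an over-long read either. */
int bounded_copy(char *field, size_t field_size, const char *input)
{
    size_t n = 0;
    while (n < field_size && input[n] != '\0') n++;
    if (n >= field_size) {           /* no room left for the terminator: reject */
        if (field_size > 0) field[0] = '\0';
        return -1;
    }
    memcpy(field, input, n);
    field[n] = '\0';
    return 0;
}

/* Typical use: accept a user name into a fixed-size stack buffer.
   Returns the accepted length, or -1 if the name was rejected as too long for the field. */
int accept_username(const char *input)
{
    char field[FIELD_SIZE];
    if (bounded_copy(field, sizeof field, input) != 0)
        return -1;
    return (int)strlen(field);
}

int main(void)
{
    printf("alice: %d\n", accept_username("alice"));                                   /* 5  */
    printf("40-byte name: %d\n", accept_username("this_name_is_far_too_long_for_field!")); /* -1 */
    return 0;
}
```

The length check is the fix the slide asks for; compiler and platform defenses such as stack canaries (`-fstack-protector`) and non-executable stacks only make a remaining overflow harder to turn into code execution, they do not remove the bug.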

Ping of Death Attacks
- Type of DoS attack
- Not as common as during the late 1990s
- How it works:
  - Attacker creates a large ICMP packet
    - More than 65,535 bytes
  - Large packet is fragmented at source network
  - Destination network reassembles large packet
  - Destination point cannot handle oversize packet and crashes
- Modern systems are protected from this (Link Ch 3n)

Link Ch 3x

Ping Fragmentation Example

Fragrouter Demo
- Kali Linux: fragrouter -F 1
- Another VM on same network, set default route to Kali's IP address
- All network traffic will be fragmented at layer 3 into 8-byte packets
- Often bypasses IDS
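Both the Ping of Death slide and the fragrouter demo come down to how the receiver reassembles IPv4 fragments. This added example (not from the textbook, fragrouter, or any IDS) is a small reassembler in C that does the two things defensive reassembly code must do: it checks, before copying anything, that fragment offset × 8 + payload length stays within the 65,535-byte IPv4 maximum, which is the check that stops a Ping of Death datagram; and it reassembles 8-byte fragments of the kind `fragrouter -F 1` produces, in any arrival order, so inspection sees the whole datagram rather than the pieces. The `struct fragment` layout, the message, and the fragment values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u          /* IPv4 Total Length is a 16-bit field */
#define FRAG_UNIT       8u              /* fragment offsets count 8-byte units */
#define MAX_UNITS       (IP_MAX_DATAGRAM / FRAG_UNIT + 1)

/* One fragment as the reassembler sees it after IP header parsing (a constructed
   representation, not a wire format): the 13-bit fragment offset in 8-byte units,
   the More Fragments flag, and the fragment's payload. */
struct fragment {
    uint16_t offset_units;
    bool more_fragments;
    const uint8_t *payload;
    size_t payload_len;
};

struct reassembly {
    uint8_t data[IP_MAX_DATAGRAM];      /* reassembled payload */
    uint8_t have[MAX_UNITS];            /* 1 once the 8-byte unit has arrived */
    size_t total_len;                   /* set by the final fragment (MF = 0), else 0 */
};

enum { REASM_PENDING = 0, REASM_COMPLETE = 1, REASM_REJECT = -1 };

/* Ping of Death check: would this fragment end beyond the maximum datagram size? */
bool fragment_fits(const struct fragment *f)
{
    size_t end = (size_t)f->offset_units * FRAG_UNIT + f->payload_len;
    return end <= IP_MAX_DATAGRAM;
}

void reasm_init(struct reassembly *r)
{
    memset(r, 0, sizeof *r);
}

/* Add one fragment. Oversized fragments are rejected before anything is written, so a
   crafted fragment can never grow the buffer past 65,535 bytes. */
int reasm_add(struct reassembly *r, const struct fragment *f)
{
    if (!fragment_fits(f)) return REASM_REJECT;
    if (f->more_fragments && f->payload_len % FRAG_UNIT != 0)
        return REASM_REJECT;            /* non-final fragments carry whole 8-byte units */
    size_t start = (size_t)f->offset_units * FRAG_UNIT;
    memcpy(r->data + start, f->payload, f->payload_len);
    for (size_t u = start / FRAG_UNIT; u * FRAG_UNIT < start + f->payload_len; u++)
        r->have[u] = 1;
    if (!f->more_fragments) r->total_len = start + f->payload_len;
    if (r->total_len == 0) return REASM_PENDING;   /* final fragment not seen yet */
    for (size_t u = 0; u * FRAG_UNIT < r->total_len; u++)
        if (!r->have[u]) return REASM_PENDING;     /* still a hole */
    return REASM_COMPLETE;
}

/* Split msg into 8-byte fragments (the size fragrouter -F 1 emits), deliver them in
   reverse order, and reassemble. Returns the reassembled length, or -1 on failure.
   out must hold len bytes. */
int reassemble_8byte_fragments(const uint8_t *msg, size_t len, uint8_t *out)
{
    static struct reassembly r;         /* static: the 64 KiB buffer is too big for a small stack */
    reasm_init(&r);
    size_t nfrag = (len + FRAG_UNIT - 1) / FRAG_UNIT;
    int status = REASM_PENDING;
    for (size_t i = nfrag; i-- > 0;) {
        size_t start = i * FRAG_UNIT;
        size_t plen = (len - start < FRAG_UNIT) ? len - start : FRAG_UNIT;
        struct fragment f = { (uint16_t)i, i + 1 < nfrag, msg + start, plen };
        status = reasm_add(&r, &f);
        if (status == REASM_REJECT) return -1;
    }
    if (status != REASM_COMPLETE) return -1;
    memcpy(out, r.data, r.total_len);
    return (int)r.total_len;
}

int main(void)
{
    const uint8_t msg[] = "constructed sample datagram payload";   /* 35 bytes + NUL */
    uint8_t out[sizeof msg];
    int n = reassemble_8byte_fragments(msg, sizeof msg, out);
    printf("reassembled %d bytes: %s\n", n, n > 0 ? (const char *)out : "(failed)");
    struct fragment pod = { 8189, false, NULL, 1480 };   /* 8189*8 + 1480 = 66992 > 65535 */
    printf("ping of death fragment fits: %s\n", fragment_fits(&pod) ? "yes" : "no");
    return 0;
}
```

An IDS that matches signatures fragment by fragment never sees a pattern split across two 8-byte pieces, which is why the demo bypasses it; an IDS that reassembles like this before inspecting, and that enforces the same size limit the host stack does, sees exactly what the destination will see.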

Session Hijacking
- Enables attacker to interrupt a TCP session
- Taking over another user's session

Addressing Physical Security
- Protecting a network also requires physical security
- Inside attacks are more likely than attacks from outside the company

Insider Threats

CCSF's CTO

San Francisco's NetAdmin

Cyber-Bullying Accusation

Keyloggers
- Used to capture keystrokes on a computer
  - Hardware
  - Software
- Software: behaves like Trojan programs
- Hardware
  - Easy to install
  - Goes between the keyboard and the CPU
  - KeyKatcher and KeyGhost

Keyloggers (continued)
- Protection
  - Software-based: antivirus
  - Hardware-based
    - Random visual tests
    - Look for added hardware
    - Superglue keyboard connectors in

Behind Locked Doors
- Lock up your servers
  - Physical access means they can hack in
- Consider Ophcrack: booting to a CD-based OS will bypass almost any security

Lockpicking
- Average person can pick deadbolt locks in less than five minutes
  - After only a week or two of practice
- Experienced hackers can pick deadbolt locks in under 30 seconds
- Bump keys are even easier (Link Ch 3o)

Card Reader Locks
- Keep a log of who enters and leaves the room
- Security cards can be used instead of keys for better security
- Image from link Ch 3p