Passive attack



“The advanced exploration of computer systems is commonly referred to as hacking.” -- from ‘Hackers: a Canadian police perspective Part I’ Reference:  


Security Attacks/Threats
These are actions that compromise the security of information owned or transferred by an entity. Attacks can take one of four forms:
- Interruption
- Interception
- Modification
- Fabrication


Type of Attacks/Threats
[Figure: information flowing from a source to a destination, shown in five panels: (a) Normal Flow, (b) Interruption, (c) Modification, (d) Fabrication, (e) Interception.]


Active and Passive Attacks 


Active Attacks
A passive attack can only observe communications or data. Example: interception (also called eavesdropping or passive wiretapping).
An active attack can actively modify communications or data.
• Often difficult to perform, but very powerful
– Mail forgery/modification
– TCP session hijacking / IP spoofing
Examples: interruption, modification (also called active wiretapping), fabrication.
Types of active attacks: masquerade, replay, modification and denial of service.


Types of Intruders:
- Masquerader: one who is not authorized to use a computer system, but who penetrates it and uses a legitimate user's account.
- Misfeasor: a legitimate user who accesses data, programs or resources for which he is not authorized, or a legitimate user who misuses his access privileges.
- Clandestine User: one who seizes supervisory control and uses it to evade access and audit controls or to suppress the audit trail.
A masquerader is an outsider, a misfeasor is an insider, and the clandestine user can be either an insider or an outsider.


Why do they attack?
The attacker may attack:
- taking it as an intellectual challenge
- to get thrills from seeing reports of his exploits in the public media
- or he may be indulging in espionage for financial gain.
But a large majority of attacks are by foot-soldiers, called script kiddies, who use attacks discovered, designed and implemented by someone else. The script kiddies simply download the script and launch the attack, without understanding anything.


Survey: Type of Attacks
FBI/CSI Survey of 2002:
- 80% of respondents acknowledged financial loss due to intrusion
- Only 34% reported the intrusions to police
- 74% found misfeasors
- 40% detected DoS attacks
Reference: Annual FBI/Computer Security Institute Survey:


Hacker's Methods
1. Port scan to find, for the target:
- which ports/services are running
- the O/S
nmap:
- scans all the ports
- guesses the operating system (please refer to the paper by Fyodor to understand the methods used; they depend on the special features that each OS has)
Reference:
1. Fyodor, 'Remote OS detection via TCP/IP Stack FingerPrinting', June 2002, available at
2. Stephen Northcutt and Judy Novak, 'Network Intrusion Detection: An Analyst's Handbook', pp. 81-85


Hacker's Methods cont.
2. Toolkits provided by manufacturers so that other products can be made compatible with theirs. These may be used to discover the vulnerabilities of the product.
3. Wireless nets:
* 'AirMagnet' from AirMagnet Inc.
* 'Observer' from Network Instruments
* 'Wireless Security Analyzer' from IBM
can check whether a wireless network can be accessed by outsiders. ( contains a list of access points, by city, that can be accessed by anyone. In 2002 Chris O'Ferrel, a security consultant, was able to connect to the Pentagon wireless net from outside the building.)


Impersonation Methods
Guess the ID and password of an authorized user:
- by guessing passwords
- by using default passwords given with a system by its manufacturer (many administrators fail to disable the defaults). Example: SNMP uses a 'community string' as a password for the community of devices that can interact with one another. Many administrators forget to change the default 'community string' installed on a (new) router/switch.
- by overflow: in some ill-designed systems, authentication may be foiled by 'overflow' of the password (if the password overflows, the system may assume authentication has succeeded)


Impersonation Methods continued
- by non-existent authentication. In Unix, the file .rhosts lists the trusted hosts, and rlogin lists trusted users, who can access without authentication. A user may log in to one system as a guest, to access public information, and through this host he may connect to a trusted host.


Impersonation: A Few Definitions
Impersonation vs. Spoofing: Impersonation (mis)represents an authorized entity during communication on a net. Spoofing: a hacker spoofs when he falsely carries on one side of the exchange between two parties.
Masquerade of a site: an example: Thus bank may be the official site. A hacker registers and asks clients to visit the site. Thus passwords and PIN numbers may be collected for misuse.


Impersonation: A Few Definitions cont.
Session Hijacking: an example: a customer may select books on When it comes to taking the order and making the payment, may hijack the session.
Man-in-the-middle Attack vs. Session Hijacking: a man-in-the-middle is wire-tapping actively from the beginning, whereas a session hijacker takes over after part of the session is already over.


Examples of Attacks
- Buffer Overflow
- Dot-Dot and constrained environment
- "Server-side include" problem
- Incomplete Mediation
- Time-of-check to Time-of-use
- DoS and DDoS
- Misuse of Active Code


Buffer Overflow
All programming languages set aside a specific area in memory for every variable. For example:
char addr[10];
sets aside 10 bytes for the array. If someone were to give an input to addr which is larger, it may overflow into some other area. This area may have been allocated to:
- User data
- User's program code
- System data
- System program code


Buffer Overflow cont.
Overwriting user data: may affect the program's result, but will not affect any other program.
Overwriting the user's program:
- If an instruction that has already been executed (and is not to be executed again) is overwritten -> no effect.
- Otherwise, if the bytes that have been overwritten are not a valid instruction, the system halts (illegal instruction exception).
- Otherwise the user program gives wrong output.
Overwriting system data/program: results similar to the ones for user data/program, but it may affect all the users, since system data and programs are used by every user on the machine.


Buffer Overflow: Usual Buffer Overflow Attacks
The attacker may use a data input that is stored close to system code. Thus he may be able to get into the O.S., which has the highest privileges. He may use the stack pointer to return to a part of the hacker's code, which may have been placed earlier.
Passing parameters through a URL: consider
&parm1=(519)253-3000&parm2=2003Mar20
If, instead of the expected parm1 and parm2 values, a 500- or 100-digit value is introduced, it could cause a problem in the web system.
Reference: IIS 4.0 remote overflow exploit.


Buffer Overflow: An Example: U.S. Army Web Server Attacked
Buffer overflow attack: a web server was attacked using a URL that was 4 KB in length (reference: eWeek, March 18, 2003). The machine was compromised. It began mapping the network around it, looking for other vulnerable machines. It then started sending the results of its mapping to a remote machine through TCP port 3389, using terminal services.


Dot-Dot and Constrained Environment
To prevent an attack, external users who approach through the Internet may be put in a constrained environment. A constrained environment is one where a user is allowed to use only specified and limited system resources. Accordingly, the server may begin processing a user's program in a particular directory sub-tree which contains everything the server needs.


Dot-Dot and Constrained Environment (cont.)
But in both Unix and Windows, .. is the directory indicator for the parent directory. Cerberus discovered the following fault in MS Index Server: by passing the following URL to the web server,
http://url/null.htw?CiWebHitsFile=/../../../../../winnt/system32/autoexec.nt
a user is able to get the autoexec.bat file of the server. Now the hacker may modify it!


Dot-Dot and Constrained Environment (cont.)
Solution: the web server should have no editors, telnet programs or any other utilities. But then the code and data for web applications will have to be transferred manually to the server, or may have to be pushed as a raw image. The webmaster may not like it.
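An added check, written for this page and not taken from the slides or from Index Server, showing the test a constrained-environment server needs before it touches a requested path: decode the request, then refuse any path whose ".." segments climb above the sub-tree root, treating both the Unix and the Windows separator the slide mentions. The 1024-byte path limit is an assumption.

```c
#include <ctype.h>
#include <string.h>

/* Hex digit value, or -1 for anything else (including the terminator). */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes so an encoded "%2e%2e" is checked as "..".
 * Returns 0 when the decoded path would not fit in out. */
static int url_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%' && hexval((unsigned char)in[1]) >= 0
                     && hexval((unsigned char)in[2]) >= 0) {
            c = hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]);
            in += 2;
        }
        if (n + 1 >= outsz) return 0;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 1;
}

/* Returns 1 if the path never climbs above the constrained root, 0 if any
 * ".." segment would escape it. '/' and '\' both act as separators because
 * ".." names the parent directory on both Unix and Windows. */
int path_confined(const char *raw) {
    char path[1024];                           /* assumed maximum path length */
    int depth = 0;                             /* directories below the root */
    if (!url_decode(raw, path, sizeof path)) return 0;
    for (const char *p = path; *p; ) {
        while (*p == '/' || *p == '\\') p++;
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;         /* escaped the sub-tree */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                           /* ordinary file or directory */
        }
    }
    return 1;
}
```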


"Server-side include" problem
Example: the 'contact us' part of web pages includes commands which are supposed to be given by the server. Hence such commands may be accepted by the system without any scrutiny. These commands may be placed in HTML. A hacker may use this facility to modify the command to 'telnet', to gain access rights which he should not have.


“Good judgment is the result of experience – and experience is the result of poor judgment.”


Examples of Attacks (slide 15 again)
- Buffer Overflow
- Dot-Dot and constrained environment
- "Server-side include" problem
- Incomplete Mediation
- Time-of-check to Time-of-use
- DoS and DDoS
- Misuse of Active Code


Incomplete Mediation
Accepting data from a user in a web form: the system could put in checks for valid data to screen out erroneous data. However, after taking the values from the user, the program generates the URL line based on the validated data. But the hacker can edit the URL generated by the program and resend it. The web server cannot differentiate between an edited URL and a system-generated URL. Such a system is said to have incomplete mediation.
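An added example, written for this page and not taken from the slides or from IIS, that serves both the overlong-URL-parameter case on the buffer overflow slide and the incomplete-mediation slide above: the server copies parm1 and parm2 into fixed-size buffers only after checking their length, and re-checks each value's format itself instead of trusting the browser-side form. VALUE_MAX and the phone and date formats are assumptions.

```c
#include <ctype.h>
#include <string.h>
#define VALUE_MAX 15   /* assumed limit: "(519)253-3000" is 13 bytes */

struct form { char parm1[VALUE_MAX + 1]; char parm2[VALUE_MAX + 1]; };

/* Bounded copy: refuses (returns 0) instead of writing past dst. */
static int copy_value(char *dst, const char *src, size_t len) {
    if (len > VALUE_MAX) return 0;
    memcpy(dst, src, len); dst[len] = '\0';
    return 1;
}

/* parm1: a phone number, exactly 10 digits plus optional '(', ')' and '-'. */
static int phone_ok(const char *s) {
    int digits = 0;
    for (; *s; s++)
        if (isdigit((unsigned char)*s)) digits++;
        else if (!strchr("()-", *s)) return 0;
    return digits == 10;
}

/* parm2: a date written as YYYYMonDD, e.g. 2003Mar20 (assumed format). */
static int date_ok(const char *s) {
    if (strlen(s) != 9) return 0;
    for (int i = 0; i < 9; i++)
        if ((i >= 4 && i <= 6) ? !isalpha((unsigned char)s[i]) : !isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Parses "parm1=...&parm2=..."; returns 1 only when both values are present, fit
 * their buffers and pass the server-side checks. Edited or extra values are rejected. */
int parse_form(const char *q, struct form *f) {
    int have1 = 0, have2 = 0;
    while (*q) {
        if (*q == '&') { q++; continue; }
        const char *eq = strchr(q, '=');
        if (!eq) return 0;                           /* malformed pair */
        const char *end = strchr(eq + 1, '&');
        size_t vlen = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        char *dst = 0; int (*ok)(const char *) = 0;
        if (eq - q == 5 && !strncmp(q, "parm1", 5)) { dst = f->parm1; ok = phone_ok; have1 = 1; }
        else if (eq - q == 5 && !strncmp(q, "parm2", 5)) { dst = f->parm2; ok = date_ok; have2 = 1; }
        else return 0;                               /* unknown parameter */
        if (!copy_value(dst, eq + 1, vlen) || !ok(dst)) return 0;
        q = end ? end : eq + 1 + vlen;
    }
    return have1 && have2;
}

/* Verdict-only wrapper for callers that do not need the parsed values. */
int form_accepts(const char *q) { struct form f; return parse_form(q, &f); }
```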


Last Updated: 8th March 2018
