Academic Open Internet Journal

ISSN 1311-4360

www.acadjournal.com

Volume 19, 2006


Mandatory Security Arsenal for Survival on the Internet: Techniques and Remedial Actions
(June 2006)

Maninder Singh, C|EH, Member IEEE. Seema Bawa, Member IEEE. and S.C. Saxena

Abstract—Today is the golden age of hacking. Any person with malicious intent can acquire tools and techniques from numerous freely hosted sites to launch attacks on networks. Identifying and eliminating security threats has become an arduous task for administrators, and not only large networks but also home users are becoming targets for hackers, who use these enslaved machines to build larger botnets. One way to counter this is to acquire proper know-how on how to defend against such attacks. This paper takes a typical scenario: a system that was installed afresh but, after being connected to the network, showed signs of being controlled by somebody else. A live case study is presented and a step-by-step procedure is demonstrated along with relevant screenshots and data analysis. We show how, in practice, it becomes essential to install anti-virus software, a firewall, patches, etc. for the survival of these out-of-the-box infant PCs.

Index Terms—Cyber Crime, Security Threats, Antivirus, Firewall, Patches, Botnets. 

Introduction

No matter where we work, what our job profile is, or how our company competes in the market, no organization can survive without network connectivity. The Internet has opened up progress opportunities that were only dreams a few years ago. Though the Internet delivers many benefits, at the same time it gives nightmares to system administrators throughout the world. Security vulnerabilities linger and consequently create a breeding ground for attacks, which even a novice can exploit to create a security breach, as indicated in Fig. 1. Though script kiddies launch these attacks, they can cause a lot of damage to networks.

The security research community as well as vendors identify and publish on average 40 new security vulnerabilities per week. These vulnerabilities provide a multitude of avenues for attacks. Incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches are among the most typical causes of network intrusions. Only by understanding how attacks work and what an attacker does to compromise a machine can a company position itself so that it can be properly protected. Knowing what an attacker can do to compromise a system and what that compromise looks like on a network allows administrators to build a secure system.


Fig 1. Attack sophistication vs. intruder technical knowledge.

As the saying in military doctrine goes, “Know thy enemy first”: we need to know what tools and tactics a cracker uses to compromise a system. Cyber-crime primarily focuses on Win32 systems and their users. In this paper we show how a default Windows 2000 machine is compromised using common exploits; it is not meant to be a tutorial on hacking. It is meant to help close down the vulnerabilities and patch the system so as to get better security across networks.

Passive and active reconnaissance

This is the first phase of an attack, in which the hacker tries to gather as much information as possible about the target. There are two ways of gathering information: the first is passive, where the hacker listens to network traffic using a sniffer; the second is to probe the machine or network, which is an active methodology. Whatever the method, the intent is to learn which operating system is running on the target and which ports are open, so as to tailor an attack.

One of the most popular types of passive attack is sniffing. This involves sitting on a network segment, watching and recording all traffic that passes on the segment. This provides a lot of information to the hacker. The hacker can sniff NT authentication packets and later use password cracking tools to recover user credentials. In active reconnaissance the attacker probes the system with some tool.

We will use the tool SuperScan, which not only scans the target but also enumerates it, exposing many critical details that help mould the attack accordingly. This is a typical case in an educational institute: say Mr. Cracker comes with his laptop, hooks it up to a free info-outlet port and gets an IP (Internet Protocol) address dynamically assigned by the institute's DHCP (Dynamic Host Configuration Protocol) server. He now uses SuperScan to scan the whole network so as to build an inventory of the systems running on it, finally targeting the weakest among them to launch the attack.

For this paper we have taken 192.168.1.75 (a private IP address) as the IP address of the hacker's machine and 192.168.1.76 as the address of the victim. The hacker launches SuperScan and performs scanning (i.e. active reconnaissance) as shown in Fig. 2.

Fig. 2. Scanning the target using SuperScan

From this the hacker learns that the victim machine has ports 135 and 137 open, which are used by Windows NetBIOS over TCP/IP for file sharing and related services. Next the hacker runs enumeration against this particular machine to get more details about its accounts, shares, services, etc. The following information, retrieved by enumeration (Fig. 3), is critical and gives valuable information to the hacker.
 
Attempting a NULL session connection on 192.168.1.76

NULL session successful to \\192.168.1.76\IPC$

A null session is only established when there are no credentials for a process to start under (no user name or password). Typically, only the operating system itself runs as system.

Workstation/server type on 192.168.1.76

Windows 2000

Workstation/Server Name : "192.168.1.76"
Platform ID             : 500
Version                 : 5.0
Comment                 : ""
Type                    : 00051003

It also tells the hacker that the operating system is Windows 2000, so that he can tailor the attacks accordingly.

 Fig. 3. Enumeration phase of the victim’s machine.

Other important information shown concerns the users: their names, the password aging policy, last logon, number of logons, etc.

Total Users: 2
--- 1 ---
 Admin "Administrator"
 Full Name:          ""
 System Comment:     "Built-in account for administering the computer/domain"
 User Comment:       ""
 Last logon:         Sun Jan 08 14:44:12 2006 (0 days ago)
 Password expires:   Never
 Password changed:   0 days ago
 Locked out:         No
 Disabled:           No
 Number of logons:   1
 Bad password count: 0

--- 2 ---
 User  "Guest"
 Full Name:          ""
 System Comment:     "Built-in account for guest access to the computer/domain"
 User Comment:       ""
 Last logon:         Never
 Password expires:   Never
 Password changed:   Never
 Locked out:         No
 Disabled:           Yes
 Number of logons:   0
 Bad password count: 0

Another piece of information that is very useful to the hacker is the password policy.

Password and account policies on 192.168.1.76

Account lockout threshold is 0
Minimum password length is 0
Maximum password age is 42 days

As can be seen, the account lockout threshold is set to 0 by default, which means an intruder can try credentials any number of times and will never be locked out.

Shares on 192.168.1.76

IPC:     IPC$ (Remote IPC)
Disk:    ADMIN$ (Remote Admin)
Disk:    C$ (Default share)

This shows the default shares on the victim's machine. This much information is enough for the hacker to launch an attack on the system and install a Trojan that creates a back door on the machine, so that he can later reconnect to it with greater ease.
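As an added example (not part of the original paper), the following Python script parses an enumeration dump in the format shown above and reports the findings an administrator should act on before the machine goes on the network; the sample text is constructed from the values printed on the page, and the field layout assumed is SuperScan's.

```python
import re

# Constructed sample modelled on the SuperScan enumeration output shown
# above; the values are the ones printed on the page, not a live capture.
SAMPLE = """\
NULL session successful to \\\\192.168.1.76\\IPC$
Total Users: 2
--- 1 ---
 Admin "Administrator"
 Password expires:   Never
 Disabled:           No
--- 2 ---
 User  "Guest"
 Password expires:   Never
 Disabled:           Yes
Account lockout threshold is 0
Minimum password length is 0
Maximum password age is 42 days
IPC:     IPC$ (Remote IPC)
Disk:    ADMIN$ (Remote Admin)
Disk:    C$ (Default share)
"""


def parse_enumeration(text):
    """Pull the security-relevant fields out of an enumeration dump."""
    info = {"null_session": False, "users": [], "policy": {}, "shares": []}
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NULL session successful"):
            info["null_session"] = True
        elif re.match(r'^(Admin|User)\s+"', line):
            # Account header line: privilege class followed by quoted name
            user = {"name": re.search(r'"([^"]*)"', line).group(1),
                    "admin": line.startswith("Admin"),
                    "expires": None, "disabled": None}
            info["users"].append(user)
        elif line.startswith("Password expires:") and user:
            user["expires"] = line.split(":", 1)[1].strip()
        elif line.startswith("Disabled:") and user:
            user["disabled"] = line.split(":", 1)[1].strip() == "Yes"
        elif (m := re.match(r"Account lockout threshold is (\d+)", line)):
            info["policy"]["lockout_threshold"] = int(m.group(1))
        elif (m := re.match(r"Minimum password length is (\d+)", line)):
            info["policy"]["min_password_length"] = int(m.group(1))
        elif (m := re.match(r"^(?:IPC|Disk):\s+(\S+)", line)):
            info["shares"].append(m.group(1))
    return info


def audit(info):
    """Return the findings a defender should act on, in the order found."""
    issues = []
    if info["null_session"]:
        issues.append("null session allowed: anonymous enumeration possible")
    policy = info["policy"]
    if policy.get("lockout_threshold", 1) == 0:
        issues.append("lockout threshold 0: unlimited password guessing")
    if policy.get("min_password_length", 1) == 0:
        issues.append("minimum password length 0: blank passwords allowed")
    for u in info["users"]:
        if u["admin"] and not u["disabled"] and u["expires"] == "Never":
            issues.append(f"{u['name']}: enabled admin, password never expires")
    for share in info["shares"]:
        if share in ("ADMIN$", "C$"):
            issues.append(f"administrative share {share} exposed")
    return issues
```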

Attack Phase

In the attack phase the hacker uses a tool to exploit the RPC vulnerability and then netcat to get a command prompt on the victim machine, as shown in Fig. 4.

Fig. 4. Using DCOM RPC exploit

dcomexploit  1 192.168.1.76

Now the hacker uses netcat to connect to 192.168.1.76 on port 4444. Netcat is popularly known as the "Swiss army knife" of networking for its versatility in making network connections between hosts.

netcat 192.168.1.76 4444

The next step is to gather data from the SAM database and transfer it to the hacker's machine. This is easily done with the pwdump3 tool, which dumps the database to an output file that the hacker later analyzes locally using dictionary-based and/or brute-force attacks.

Analysis of hacked data

Analysis of the data captured from the victimized machine can lead to the cracking of passwords; the hacker builds a repository of these and moves on to other machines to execute the same sequence of attack steps.

Fig. 5. Importing LM & NT hashes for password cracking

The attacker uses the “Cain & Abel” tool to crack the LM & NT hashes as shown in Fig. 5. The tool takes only a few minutes to crack weak passwords. These weak passwords can become serious security loopholes and can later be used to crack the system.

Fig. 6. Cain & Abel password analysis

As can be seen from Fig. 6, the Administrator password has been cracked as “test”. Now the hacker can deploy a Trojan on this host so that he can later log on to the machine through a backdoor. One might ask: once the hacker has the password, why doesn't he destroy the system? Actually this is not the aim of hackers these days. Hackers want to build botnets for themselves, so that later they can use these zombies to launch attacks on more critical networks.

So today, if a home user says “I don't have any confidential data on my machine, why should somebody bother to hack me?”, this is a total misconception: hackers use such machines as launching pads for more serious attacks, or use the computational power of these zombies to crack passwords by brute force.

Remedial Actions: Layered Architecture

In the near future, organizations will be even more interconnected, leading to an increase in security vulnerabilities. While maintaining firewalls and other perimeter defenses, focus on security where users access the network. Prevention and containment are essential; to achieve them precisely, careful placement of the different security components is necessary, as described below.

Firewalls are typically implemented using a dedicated or a non-dedicated firewall hardware and system platform. A must-have for any non-dedicated firewall application system is a proper installation of the operating system on which the firewall is placed. A "proper installation" means that the operating system must be suitably "hardened" (i.e. configured for security) and especially for this reason, no service going beyond the necessary minimum may be run on the operating system. The dedicated firewall hardware and software provide protection mechanisms built in by the manufacturer. Fig.7 shows the general placement layout of a firewall in a system.


Fig. 7. Placement of firewall in a system

This placement leads to a robust firewall when it works along with the following rules for the different zones, i.e. External, Internal and DMZ.

Each rule lists its name, source, destination, service and action (Accept, or Masq for masquerading).

External To DMZ

  1. External To DMZMail    External ANY (External)     w.x.y.z (DMZ)          MailServices   Accept
  2. External To DMZWeb     External ANY (External)     w.x.y.z (DMZ)          HTTP           Accept

Internal To DMZ

  1. Internal To DMZ        InternalGroup (Internal)    DMZGroup (DMZ)         HTTP           Masq

Internal To External

  1. Internal To External   192.168.1.2 (Internal)      0.0.0.0/0 (External)   All Services   Masq
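As an added example (not the paper's own configuration), the following Python policy evaluator encodes the four rules above together with the implicit default-deny and checks sample packets against them, so the effect of each rule can be verified before it is loaded; the zone networks, the DMZ host standing in for w.x.y.z and the test addresses are assumptions.

```python
import ipaddress

# Zone networks are assumptions standing in for the page's "Internal"
# and "DMZ"; anything outside both is treated as "External".
ZONES = {
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.0.0.0/24"),
}
DMZ_SERVER = ipaddress.ip_address("10.0.0.5")      # stands in for w.x.y.z
PROXY_HOST = ipaddress.ip_address("192.168.1.2")   # the page's 192.168.1.2
# Assumed port sets behind the service names used in the rule table.
SERVICES = {"MailServices": {25, 110, 143}, "HTTP": {80}}


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "External"


# (name, src zone, src host, dst zone, dst host, service, action)
# A None host means ANY / a whole group; a None service means All Services.
RULES = [
    ("External To DMZMail", "External", None, "DMZ", DMZ_SERVER, "MailServices", "Accept"),
    ("External To DMZWeb", "External", None, "DMZ", DMZ_SERVER, "HTTP", "Accept"),
    ("Internal To DMZ", "Internal", None, "DMZ", None, "HTTP", "Masq"),
    ("Internal To External", "Internal", PROXY_HOST, "External", None, None, "Masq"),
]


def evaluate(src, dst, dport):
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sz, sh, dz, dh, svc, action in RULES:
        if zone_of(src) != sz or zone_of(dst) != dz:
            continue
        if sh is not None and src != sh:
            continue
        if dh is not None and dst != dh:
            continue
        if svc is not None and dport not in SERVICES[svc]:
            continue
        return action, name
    return "Drop", "default deny"
```

Note that a perimeter firewall only sees traffic crossing zones: the laptop in the case study (192.168.1.75) sits on the same internal segment as the victim, so its scan never reaches these rules and must be caught by host hardening or an internal sensor.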

Basically, a firewall removed from its packing and installed between the network and the Internet adds little to the security of the system. Human intervention is also required to decide how to screen traffic and "instruct" the firewall to accept or deny incoming packets. This is de facto a complex and sensitive task. Just a single security policy rule established for the wrong reasons can leave a system vulnerable to outside attackers. One must also remember that a poorly configured firewall may worsen the system's effective immunity to attacks, because system administrators may believe that their systems are safe inside the firewall and become relaxed about internal day-to-day security standards once a firewall is in place. Total reliance on the firewall may therefore provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented), as it is not a panacea.

In more colloquial terms, a firewall is a device that enforces a predesignated policy across an access point to a network. Probably the most limiting factor in firewalls today is the policy. A firewall cannot protect against attacks that it does not know about, and as such the policy should take this situation into account and be as rigid as possible while still enabling work to get done. The firewall is simply one of many tools in the IT security policy toolkit. When choosing a firewall solution, the following figure can serve as a guide for selecting an open-source or commercial deployment. Commercial tools are easy to implement but incur heavy costs, whereas open-source alternatives are cheaper but the time frame to get them implemented is fairly long.

But security means more than screening out traffic via firewalls. It means guarding against illicit data access and preventing users from misusing resources.


Fig 8. Selection between open-source and commercial solutions

Thus an Intrusion Detection System (IDS) constitutes a second line of defense. Designed to watch either a system for filesystem changes or traffic on the network, this system, with the help of a human, learns what normal traffic looks like, then notes changes from the norm that would suggest an intrusion or otherwise suspicious traffic. Notification can be via e-mail, beeper and/or SMS.

Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity. IDS is a system that detects burglary attempts. Firewalls perform the role of door and window locks. These types of locks will stop the majority of burglars but sophisticated intruders may circumvent security devices that protect an intended target. Therefore, most people use a combination of sophisticated locks with alarm systems. An IDS performs the role of such an alarm system and adds the next preventive layer of security by detecting attacks that penetrate IT systems.  Network-based IDSs monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network. Network-based IDSs are mostly passive devices that monitor ongoing network activity without adding significant overhead or interfering with network operation. They are easy to secure against attack and may even be undetectable to attackers; they also require little effort to install and use on existing networks.

Network-based IDSs are not able to monitor and analyze all traffic on large, busy networks and may therefore overlook attacks launched during peak traffic periods. Network-based IDSs are not able to monitor switch-based (high-speed) networks effectively, either. Typically, network-based IDSs cannot analyze encrypted data, nor do they report whether or not attempted attacks succeed or fail. Thus, network-based IDSs require a certain amount of active, manual involvement from network administrators to gauge the effects of reported attacks.

A host-based IDS analyzes activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in malicious activities. Though they may each focus on a single host, many host-based IDS systems use an agent-console model where agents run on (and monitor) individual hosts but report to a single centralized console (so that a single console can configure, manage, and consolidate data from numerous hosts). Host-based IDSs can detect attacks undetectable to the network-based IDS and can gauge attack effects quite accurately. Host-based IDSs can use host-based encryption services to examine encrypted traffic, data, storage, and activity. Host-based IDSs have no difficulties operating on switch-based networks, either.

Data collection occurs on a per-host basis; writing to logs or reporting activity requires network traffic and can decrease network performance. Clever attackers who compromise a host can also attack and disable host-based IDSs. Host-based IDSs can be foiled by DoS attacks (since they may prevent any traffic from reaching the host where they're running or prevent reporting on such attacks to a console elsewhere on a network). Most significantly, a host-based IDS does consume processing time, storage, memory, and other resources on the hosts where such systems operate.

Compared to firewalls, IDSs are more sensitive to configuration errors, misleading design assumptions and product mix choices. So, a careful performance check of any IDS infrastructure is needed before its planned purchase and installation.
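As an added illustration of the network-based detection described above (not code from the paper), this Python detector runs over constructed flow records modelled on the case study: a SuperScan sweep of port 135 across the subnet, followed by the RPC exploit and the netcat connection to port 4444 on a host that was swept. The flow record layout, thresholds and timestamps are assumptions.

```python
from collections import defaultdict

# Constructed flow records (ts seconds, src, dst, dst port): a sweep of
# ten hosts on 135, then the exploit and the connection to port 4444.
# Addresses follow the case study; timestamps are invented.
FLOWS = [(t, "192.168.1.75", f"192.168.1.{h}", 135)
         for t, h in enumerate(range(70, 80))]
FLOWS += [(11, "192.168.1.75", "192.168.1.76", 137),
          (12, "192.168.1.76", "192.168.1.75", 139),   # ordinary share traffic
          (30, "192.168.1.75", "192.168.1.76", 135),   # exploit sent over RPC
          (31, "192.168.1.75", "192.168.1.76", 4444)]  # shell port from the paper

SCAN_PORTS = {135, 137, 139, 445}   # NetBIOS/RPC ports probed in the case study
SHELL_PORTS = {4444}                # listener the exploit opened


def detect(flows, scan_hosts=5, window=60):
    """Return (kind, ...) alerts: port sweeps, and shell connections to a swept host."""
    alerts = []
    probed = defaultdict(dict)   # src -> {dst: first time it was probed}
    flagged = set()
    for ts, src, dst, dport in sorted(flows):
        if dport in SCAN_PORTS:
            probed[src].setdefault(dst, ts)
            recent = [d for d, t0 in probed[src].items() if ts - t0 <= window]
            if len(recent) >= scan_hosts and src not in flagged:
                flagged.add(src)
                alerts.append(("SWEEP", src, len(recent), ts))
        if dport in SHELL_PORTS and dst in probed[src]:
            alerts.append(("SHELL_AFTER_SWEEP", src, dst, ts))
    return alerts
```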


Fig.9 Placement of IDS in a system

What is most important, human intervention is still required, i.e. from security-aware persons who will be responsible for IDS setup and maintenance and who will be alerted about security breach attempts. An IDS cannot do the job alone and is not a "magic wand" that makes it the only security required for our systems. It is just a tool to be used by people; for this purpose a prerequisite suite of response procedures should be prepared for users to observe strictly.

With techniques like obfuscation, fragmentation, denial of service and application hijacking, an attacker can pass traffic under the nose of an IDS to evade detection.

Prevention is invariably a better approach than treatment, for both living beings and computer networks. Just as with living beings, it is impossible to prevent all maladies from occurring on a computer network. But unlike the human body, computer networks do not have an autonomic immune system that differentiates self from non-self and neutralizes potential threats. Security engineers have to establish what behavior and attributes are "self" for networks and deploy systems that identify "non-self" activities and neutralize them. Thus the old phrase holds very true: information is power. The panacea could be a proactive approach leading to a better understanding of the threats. The knowledge gained from it helps administrators use their arsenal at full strength against black-hats. Honeynet technology uses such a proactive approach, based on military doctrine. Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends, and they allow in-depth examination of adversaries during and after exploitation of a honeypot.

Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource and its value lies in being probed, attacked, or compromised.

Honeypots are a simple concept, which gives them the following powerful strengths.

  1. Small data sets of high value: Honeypots collect small amounts of information. Instead of logging huge amounts of data they only log information of high value, as it is only the black hat community that interacts with them. This means it is much easier and cheaper to analyze the data and derive value from it.
  2. Minimal resources: Honeypots require minimal resources; any Pentium-grade machine is good enough to handle an entire class C network over 1000-megabit technology.


Fig. 10 Placement of Honeypot

Network security is not a product that you can purchase. It is a process: a long process that you continually update, improve and monitor. The networks of today often include several different operating systems, a variety of web-based and client/server applications, and other components from a potpourri of vendors. These heterogeneous networks introduce a high level of complexity when it comes to management and security issues. This complexity makes it impossible to effectively secure an entire networking environment with a single component such as a firewall.

A total information security solution includes policy and procedure, access control, user authentication, encryption, and content security. By focusing a security solution on an individual component, such as access control or an encryption method, one risks leaving holes in the security shield that can be exploited by a hacker. Approaching security as a concept and not as individual components is the best way to develop and implement secured network environments.



Technical College - Bourgas,

All rights reserved, © March, 2000