How to analyze web attacks, How to check whether your own website has been attacked


  • 8/10/2019 How to analyze we attack,

    1/47

    LESSON 7

    ATTACK ANALYSIS


    WARNING

    The Hacker Highschool Project is a learning tool and as with any learning tool there are dangers. Some lessons, if abused, may result in physical injury. Some additional dangers may also exist where there is not enough research on possible effects of emanations from particular technologies. Students using these lessons should be supervised yet encouraged to learn, try and do. However ISECOM cannot accept responsibility for how any information herein is abused.

    The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM:

    All works in the Hacker Highschool Project are provided for non-commercial use with elementary school students, junior high school students and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license, including college classes, university classes, trade-school classes, summer or computer camps and similar. To purchase a license, visit the LICENSE section of the HHS web page at http://www.hackerhighschool.org/licensing.html.

    The Hacker Highschool Project is an open community effort and if you find value in this project, we ask that you support us through the purchase of a license, a donation, or sponsorship.


    Lesson 7: Attack Analysis


    Table of Contents

    Introduction ... 5
    Continued Reading ... 5
    Reasons to Attack ... 7
    Just Because (Attacking for Fun) ... 7
    Cyber-Crime (For Profit) ... 8
    State Sponsored/Cyber Warfare (Bits instead of bullets) ... 9
    Feed Your Head: Stuxnet and Worse ... 11
    Hacktivism (Is it contagious or do we need a vaccine?) ... 12
    Espionage (What's in your lunch box?) ... 13
    Feed Your Head: An Analyst Tip ... 1

    Germany, Australia and Japan. Taken at the "big picture" level, the study shows the increase in successful attacks up 30%. Add one historic theft of L


    tiny slice of ops called cyber warfare. That slice is further split into offensive and defensive operations. Cyber warfare isn't only about attacking an enemy's network, it's also about protecting your own network against attacks.

    It's well documented that nations train, prepare and practice cyber warfare on a daily basis. It is also well documented that cyber warfare is considered an Act of War by those same entities. "Act of War" means that if one nation did this particular act, like drop bombs on another country, the bombed country has an internationally recognized reason to fight back. Without the backing of the international community, that nation is just committing an unprovoked attack on another nation. Unprovoked attacks on other nations are a bad idea. Not that they don't happen a lot.

    Because of the international disgust for Acts of War, cyber warfare has morphed into clandestine operations or focused on intelligence gathering. Those nations that continue to commit cyber warfare claim the actions are beyond the control of that government or are committed by separatist groups. Overwhelming evidence suggests otherwise and is beyond the scope of this lesson. However, we still want to discuss this military action and what it means to you.

    Cyber warfare is funded in the same way all military assets are and these functions are operated as an extension of the military arsenal. Tanks and jets are expensive to build, buy, operate and maintain. The same holds true for any cyber warfare unit. Enormous amounts of money are invested into these areas by most nations. In most cases, these units are manned by the best and brightest hackers in that country.

    The premise of the units is to build an arsenal of digital weapons that can disrupt or destroy another country's ability to conduct warfare. The most effective weapons consist of zero-day exploits, which can target software, operating systems and control mechanisms. Some weapons are shock and destroy worms that move through a variety of systems to delete data. These programs do not rely on a particular operating system. They are the ultimate in cross-platform malware, are built to avoid detection yet are extremely efficient. Many of these weapons are only a few kilobytes in size.

    Cyber weapons consist of three main components. These are the delivery mechanism, the navigation system and the payload. They are the same components used in missile technology but cost a fraction of the price. Missiles require a launch pad and are easy to spot on surveillance satellites. Cyber weapons barely need any kind of launch facility and can be activated from almost any location.

    State sponsored hackers are privy to the source code of every piece of software imaginable. This enables the cyber soldiers to look deep into each program. Based on known information, almost every program has a bug every 5-10 lines of code. Being able to see the code allows these professionals to identify zero-day exploits, buffer overflows and system weaknesses in everything.

    Military objectives range from aircraft avionics to artillery control computers, radar-jamming systems and infrastructure support controls. Remember that all is fair in love and war.

    Exercises

    7.4 Research EMP. What is it?

    7.5 You are a security consultant. Your client is nervous about the potential for EMP disruption of his giant cookie factory. Find the Executive Report from the federal commission charged with studying the threat of EMP. Give it a quick scan. Now prepare your short report to your client: is his facility vulnerable? Is an attack possible, or likely?


    7.6 You are a hacker. The giant cookie factory next door is driving you crazy. How can you use EMP to knock out that factory?

    Feed Your Head


    you is traceable. That is much more dangerous than a state sponsored Stuxnet worm.

    Once upon a time, SCADA systems were considered safe from attack, working in isolation with little outside contact like true introverts. But they require administration and maintenance like all other systems. This leads to the predictable human vulnerabilities.

    So, thinks the administrator, if I don't let the techs bring in USB sticks they'll complain, and voila! Someone plants a backdoor.

    Exercise

    7.7 In your web browser, go to a search site. Search on the terms "SCADA hacked" followed by the current year. Scan a few of the results; there will be plenty.

    Now add the term "cheat sheet". How's your luck with this? We'll bet it's pretty good.

    As a side note, SCADA infrastructure security is usually not concerned with Confidentiality (because there's no valuable information to steal from SCADA networks, except maybe access credentials). However, it is very concerned with Integrity and Availability.


    on medical care they supposedly covered. Phone calls went nowhere. Letters went nowhere. The media didn't care or were paid not to report on this big corporation. What's a hacker to do?

    This hacker ran a program called Tone Loc to determine the range of pager phone numbers in the local exchange and then dialed them all with the phone number to the local corporate boss. Local calls were free after all. Then he did it again sending out the number to their claims desk. And again and again and again. He called thousands of pagers every day creating a Smurf Attack, where nearly everybody who got that number on their pager called it back to ask why they paged them. After a few days, so many people were upset with this that it made the news. Once it was in the news already, reporters were more than happy to print and report on other negative stories about that corporation.

    And as the hacker got his story out to the news about unpaid claims, many other people followed with similar stories. This led to a local investigation which found lies and tricks used by the corporation to avoid paying out legitimate claims. This led to a national investigation and criminal charges and huge fines against the corporation. Back then there was no word for hacktivism but that's what it was. It was genius! And possibly quite illegal.

    Espionage (What's in your lunch box?)

    A company that's trying to purchase another company is playing something like a game of poker. If the other player knows what cards you have, you'll have a tough time winning the game.

    In 2009, the FBI contacted the CEO of a popular soft drink company to tell them that they were victims of a massive attack. The attack took several months but it also happened when the soft drink company was conducting a major acquisition deal with an overseas drink manufacturer. The deal fell through for unknown reasons but it might be reasonable to suggest that the vast amount of internal data taken during the attack had something to do with the failure. The other overseas company knew which cards were in play.

    We call that espionage.

    Espionage is lying, cheating, stealing, hurting, maiming, killing and everything in between that involves gaining information. There are three reasons for espionage: military, political and industrial. Military and political were covered in the State Sponsored/Cyber Warfare section above. So, we turn your attention to industrial espionage. Isn't that cool of us?

    Just nod your head in agreement.

    Industrial espionage is just another fancy name for an attack that has a business purpose. The purpose is to gather intelligence, disrupt business or slow down another competing company. Research and product development are expensive and difficult to keep secret. An organization can save themselves lots of cash by stealing the work of another company.

    The same principle applies when your classmate looks over your shoulder during a test. He doesn't know the answer but you do. If you are caught, you both get in trouble even if you had nothing to do with the cheating. You could call that academic espionage.

    In a polite society, there are legal, moral and ethical issues that keep companies from spying on each other. So, they hire other companies to do that work for them. Business


    intelligence is a massive sector. This work would be considered illegal if the true customer were ever located. So, they have Non-Disclosure Agreements (NDAs). These written contracts forbid one party from saying anything about the other party if they are ever caught.

    Lots of fun, eh?

    Feed Your Head

    Getting fired from a job is a part of life. It happens.

    Once someone is fired, they usually box up their cubicle pictures, are escorted out the front door by some nice men with big sticks and then sit in their car cussing for a while. Once they are done throwing a tantrum, they build a resume and start looking for a new job. Depending on the employee, the cycle may repeat over and over again.

    Sometimes an employee (ex-employee) feels as though they were unjustly fired from their job. These people like to get revenge. Those people who work in IT love using their skills to sabotage the companies' network, plant logic bombs or destroy every account


    in the system. Yes, those ex-employees get their revenge but they also get a knock on their front door by the local law enforcement a few days later.

    These scenarios happen all the time and they never have a happy ending for anyone.

    The attacks are very successful mainly because the employee knows the inner working of the network. Sometimes they are the only people who have access to certain parts of the network or they are the only ones who know how to do a vital function on the network. Unfortunately, all these characteristics make the perpetrator very easy to identify.

    Sometimes an employee feels angry because they were passed over for a promotion or given a crappy parking space in the company lot. (You know they're trying to tell you something when they make you park next to the dumpster.) In those circumstances, the employee has time to plan the attack, place Trojans and logic bombs, set up command and control remote servers and generally plot terrible revenge.

    One recent plot included an ex-employee conducting attacks from a company domain in other countries. When the attacks were investigated, the company was found liable for the massive attacks. It took months before the reasons for the attacks could be uncovered, but they were inevitably traced to the fired employee. In the meantime, several countries were very upset with the innocent company and banned them from conducting international business. Imagine dollar signs flying out the window.

    Types of Attacks

    Now that we've looked at the reasons for attacks, we're going to explore some of the popular forms of attacks. Remember that this lesson will focus on attacks that deny, disrupt, destroy or limit computer or network capabilities. The question of what is an attack and what isn't is tricky. Malware is a perfect example of an attack, like Stuxnet. That tool seemed to have been designed to cripple the centrifuges used for making nuclear fuel. It was an attack.

    Sniffing emails and reading company data are not attacks because no real tangible damage is done (yeah, reputations vanish and lawsuits fly but there's no direct impact on the utility of the system itself). Man-in-the-middle exploits may be considered attacks only if the attacker inserts erroneous data into the packet stream that may cause some (tangible) damage along the way to routers, servers or data.

    Likewise, cross-site scripting, buffer overflows and SQL injections aren't attacks. They are exploits, a means to gain access to a network to launch an attack. Brute force is not an attack; it is a method to get passwords to obtain access through elevated privileges. What someone does next might or might not be an attack. This is like a boxer sparring. He may swing at you, but he hasn't hit you with that haymaker and knocked you out. Yet.

    It would be impossible to name all the different kinds of attacks that are available, known or being created at this very moment. Cyber-attacks take several forms, use alternate methods of executing their mission, rely on a variety of tools to make that attack successful and can morph themselves over the lifetime of the attack. To make things a bit easier to understand, we're going to cover generalities of attack structures.

    Buildings like houses and skyscrapers have unique types of structures and so do attacks. This is the best analogy we could come up with so help us out here. Each attack has


    strengths and weaknesses depending on how they are used or where they are employed.

    Spoofing (Who's at the door?)

    When you were a kid, you probably enjoyed pretending to be someone or something you weren't. It's fun to play that game when you are young but when you get older, it serves other purposes. Spoofing is pretending to be someone or something you aren't. You can spoof an email, an account, a person, a network connection or a car. Ok, maybe pretending to be a car is asking too much but that would be kinda cool. Look, I'm a VW camper.

    In the digital world, we spoof digital things. If we are setting up for an attack, we spoof to obtain information to get into a network, and to try to hide our origin. You'd think this is a no-brainer but not every hacker knows to do this. If you don't spoof then you might as well hand out a business card telling everyone what your name is and where you live. Spoofing helps to cover your tracks and obtain access.

    The Open Source Vulnerability Database (OSVDB.org) lists almost a thousand spoofing exploits in their collection. The list of spoofs includes cellphone SMS backups, spoofing in Apache servers, DNS spoofing and ways to make a lonely spoofing salad for a light lunch or snack. You might think of spoofing as a multipurpose tool that is reinvented as new technology emerges. There is even a spoof attack on an ordering application for a major fast-food chain, using Android, for the hungry hackers out there.

    There are multiple types of spoofing and as many reasons to spoof for attack purposes. One common use for spoofing is using a proxy or five to mask the location of the attacker. By routing attack commands through several servers and proxies, the attacker can evade detection and avoid capture (if they do everything perfectly). Now think of this in light of zombies, the victims of command and control (C&C) attack vectors and the unwilling slaves of botnets. The execution modules they deliver are already inside the victim's network. The controller or mothership maintains a link between itself and the attack modules inside the victim's machines.

    In these sophisticated attack structures, there will be several C&C sub-servers located throughout the world. These C&C minions communicate with each attack module to ensure data is flowing or the attack is progressing as planned. If an attack module is discovered on a computer, the best a victim can expect is to locate one of the minion C&C servers, not the main mothership. All connections are spoofed to look legitimate, all IP traffic locations are spoofed to bypass IDS and everything else is spoofed to avoid locating the main attacking servers.

    Exercise

    7.8 A popular open source tool used to conduct spoofing attacks is Ettercap. You can find your own copy at http://ettercap.sourceforge.net/downloads.html or get the Fedora Security Spin at http://fedoraproject.org/wiki/SecurityLab. Point your browser to http://www.thegeekstuff.com/2012/05/ettercap-tutorial/ to see an example of DNS Spoofing.

    A major challenge to spoofing comes from network authentication and application integrity methods. We know that there are many ways to fake our way into a restricted building but many of the primary access points have angry guards waiting on the other side. In a digital sense, those guards are control processes who may conduct a full body cavity search on anything trying to pass through that interactive point. Trust us, you don't want that type of search done if you are trying to spoof your way in.


    Another weak point in spoofing techniques is deep packet inspection. Data packets at critical (or all) network connections are screened for contents, sending location, possible modifications and potential threats. The software is fast and powerful. Deep packet inspection techniques will usually identify any type of spoofed data and either block the data or sound the alarms. Either way, those spoofed data packets will be logged and audited. Remember, spoofing is lying about your identity. It's not the power of invisibility.
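As an added illustration of the screening described above (not code from the lesson), the following Python script applies the source-address checks a border filter or DPI engine runs on every packet to a handful of constructed flow records: packets arriving on the outside interface that claim an internal or bogon source, and packets leaving with a source address the site does not own. The address ranges, the interface names and the record format are assumptions made for the example.

```python
"""Source-address spoof screening at a network edge, run over constructed
flow records. Added example; the ranges and record format are assumptions."""
import ipaddress
from collections import Counter

# Address space this site owns (constructed values for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]
# Prefixes that are never a legitimate source on the public link
# (unspecified, RFC 1918 private, loopback, link-local, multicast).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed flow records (not a capture). iface is the interface the
# packet arrived on: outside = Internet link, inside = LAN.
SAMPLE_FLOWS = """\
iface=outside src=203.0.113.7 dst=10.20.1.5 proto=tcp dport=443
iface=outside src=10.20.1.9 dst=10.20.1.5 proto=tcp dport=22
iface=outside src=127.0.0.1 dst=10.20.1.5 proto=udp dport=53
iface=inside src=10.20.1.5 dst=203.0.113.7 proto=tcp dport=443
iface=inside src=198.51.100.22 dst=203.0.113.9 proto=udp dport=53
iface=inside src=192.168.50.4 dst=198.51.100.1 proto=icmp dport=0
"""

REASON_INGRESS_INTERNAL = "ingress: our own address range used as a source from outside"
REASON_INGRESS_BOGON = "ingress: bogon or private source address on the public link"
REASON_EGRESS_FOREIGN = "egress: host sending with a source address we do not own"


def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; raises ValueError on a malformed line."""
    fields = dict(item.split("=", 1) for item in line.split())
    for key in ("iface", "src", "dst"):
        if key not in fields:
            raise ValueError(f"missing {key} in record: {line!r}")
    return fields


def in_any(ip, nets):
    return any(ip in net for net in nets)


def classify(flow):
    """Return the reason a flow looks spoofed, or None if its source is plausible."""
    src = ipaddress.ip_address(flow["src"])
    if flow["iface"] == "outside":
        # Ingress filtering: nobody on the Internet legitimately sends as us.
        if in_any(src, INTERNAL_NETS):
            return REASON_INGRESS_INTERNAL
        if in_any(src, BOGON_NETS):
            return REASON_INGRESS_BOGON
    elif flow["iface"] == "inside":
        # Egress filtering: our hosts may only send with addresses we own.
        if not in_any(src, INTERNAL_NETS):
            return REASON_EGRESS_FOREIGN
    return None


def audit(text):
    """Run the checks over a block of flow records.
    Returns (list of (line, reason) for flagged flows, Counter of reasons)."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reason = classify(parse_flow(line))
        if reason:
            flagged.append((line, reason))
    return flagged, Counter(reason for _, reason in flagged)


if __name__ == "__main__":
    hits, summary = audit(SAMPLE_FLOWS)
    for line, reason in hits:
        print(f"SPOOF? {reason}\n       {line}")
    print(dict(summary))
```

Three of the six constructed records are flagged; the first line, an ordinary inbound connection from a public address, passes.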


    Game On: Try, Tri Again

    The classroom stank and Mr. Tri's shirt was buttoned wrong as usual. His once-white dress shirt skipped a button between the second and third hole down the front. Normally, the pudgy man had some fashion mistake like his shirt being untucked, a back pocket flipped inside out, mismatched socks, a watch on backwards, some hideous mismatch of color and patterns between his pants and shirt. Six months into the school year, most of the high school students were used to the unmarried teacher attire. There was a rumor he lived with a blind mother.

    Mr. Tri did get quite a laugh any time he attempted to grow a mustache or beard, though. His facial hair grew in different colors, lengths and various stages of patchiness. Depending on the angle of sunlight or the amount of time he had spent growing his fuzz, he could look either hideous or hilarious. On this particular day Mr. Tri was growing either muttonchops, a biker beard or a ponytail beard. It was too early to tell but ugly either way.

    He stood in front of the horrified students of Technology 101 and began his unrehearsed lecture.

    "Children, today we are going to talk about computer attacks and what they mean to us as keyboard users. There are some idiots who believe that computer attacks are different from network attacks. This is very incorrectly. An attack is an attack no matter what as long as digits are used. Digits are dangerous in the wrong hands. Hackers attack computers and steal digits which are traded for money and drugs. Digits are like drugs to some hackers, they must have more and more digits to feed their hacker cravings. Isn't that right Ms. Jace," Mr. Tri announced as he pointed to Jace near the back of the class.

    Jace had tuned out the teacher even before she sat down so she was caught by surprise when he called her name, "Huh, I'm sorry. What was that?" Shanya sitting next to Jace repeated the teacher's comments in a whisper.

    Mr. Tri clearly thought he had the advantage over Jace. He sniffed through his nose, which sounded like a car backfiring, and said, "Ms. Jace did you have too many digits last night, perhaps while hacking?"

    Jace shot back, "I'm sorry Mr. Tri, from way back here it sounded like you said that you had too many donuts last night. I wouldn't know why you had too many donuts last night."

    "Digits, I said digits, not donuts," he yelled, his face expanding to twice its normal size. Its angry red glow lit the first two rows of desks. The students in those desks felt the temperature rise several degrees from the teacher's supernova head.


    Jace let the slightest smirk creep out of the left corner of her mouth as she asked, "What about digits? Digits are just characters, numbers, or symbols. Did you mean bits, or eight-bit bytes? Or four-bit numbers used in hexadecimal notation? Since we use the bits in bytes like on/off switches, there are 256 possible combinations..." she was saying when she was abruptly cut off.

    "I'm not talking about any of that gibberish. I am talking about computer attacks. Now, listen up." Mr. Tri realized that he'd made a massive mistake in telling the school's foremost hacker to listen to his unresearched, unrehearsed, uneducated banter on a topic he could barely spell.

    The small smirk on her face grew large as she replied, "Oh, I apologize. I didn't realize you were going to cover one of my favorite subjects. Please continue." Several of the students looked like they didn't know whether they should laugh or run from the room. Jace sat down and pulled out a pencil and paper for note taking. Mr. Tri felt his knees trembling as he saw her ready to take notes on his ill-prepared topic.

    "Students aren't supposed to take notes. They are just supposed to recite whatever we tell them to," Mr. Tri mumbled to himself. "If they start taking notes then they'll figure out we don't have anything to teach them. They might even go out and learn on their own and then I'd be out of a job. I can't have that, I need my job." He sweated down to the deepest levels of his tiny soul.

    Out of the thick, locker-room air, an idea fell onto Mr. Tri's thin brain. Brilliant, he thought.

    "Oh, Ms. Jace. I didn't know that this was a topic of interest for you," he said. The class was used to the fact that this adult couldn't teach, couldn't dress, didn't bathe and couldn't speak very well either.

    "Why don't you give us a quick class on your knowledge information about them computer attacks," the runt said as he offered the floor to Jace. That would get him out of a big jam and make sure Jace didn't start taking notes in his class.

    Jace nodded, stood up and went to the front of the room as Mr. Tri slithered off to one side.

    The teen began, "Cyber attacks can create different types of destruction. Cybercriminals can do more damage over a wider area using a computer than if they were using most modern weapons."

    Several of the younger guys in the group snorted with immature remarks about tanks against a mouse pad and USB drives versus a cruise missile. Jace kept talking like she couldn't hear them. "None of those military weapons could take down an entire city or country, but several cyber-attacks have crippled targets that size! In March 2011, the country of Georgia was taken over by a series of cyber attacks


    against their banks, news stations, power grid and their government. In April 2007, the country of

    everything these days needed some type of electronics.


    Application Layer Attacks

    Nothing in life is perfect. Nowhere is this statement truer than in digital technology.

    Software and hardware have bugs, backdoors, vulnerabilities and errors in them even before they reach the intended consumer. Application layer attacks target application services (server-side and client-side). These types of attacks include buffer overflows, cross-site scripting (XSS), injection (such as command injection and SQL injection), directory traversals and exploits against every other interactive point you could possibly imagine. As we saw from the OSVDB, there are entire databases dedicated to documenting vulnerabilities, daily. Duh.

    Exercises

    7.9 Look at the OSVDB website. Who maintains this database? Why? And why should you trust them?

    7.10 Look at http://exploit-db.com. Who maintains this list? Why? And you trust them why?

    7.11 Look at the NVD website. Who maintains this one? Why? And why are they trustworthy?

    7.12 Look at the CVE website, and answer the same questions.

    Don't forget to check for the hardware vulnerabilities too. We did mention that all that hardware is running applications, didn't we? If you follow the news you know that certain governments have been inserting backdoors into hardware being sent to countries they are completely friendly with, at least in theory.

    If your organization were under attack, understanding application layer attacks might be your first step to stopping the attack. There are just so many types to choose from. Applications are in everything digital and these applications interact with open connections you may never even know about. These connections include using ports that you might not expect software to send packets through. Know your ports and especially know which applications access multiple ports to communicate.
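An added example, not part of the lesson, of the "know your ports" advice: a Python check that parses listener lines in the shape of Linux `ss -ltnp` output and compares each program's bound address and port pairs against an expected baseline, flagging an unknown listener, a known program on an unexpected port or bind address, and an expected listener that has disappeared. The baseline and the listener lines are constructed for the example, not captured from a real host.

```python
"""Listening-port inventory versus an expected baseline. Added example; the
baseline and the ss-style lines are constructed, not captured."""
import re

# Expected listeners (constructed baseline): program -> {(bind address, port)}.
# postgres is only supposed to listen on loopback.
BASELINE = {
    "sshd": {("0.0.0.0", 22)},
    "nginx": {("0.0.0.0", 80), ("0.0.0.0", 443)},
    "postgres": {("127.0.0.1", 5432)},
}

# Constructed lines in the shape of `ss -ltnp` output (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("nginx",pid=1020,fd=6))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*  users:(("nginx",pid=1020,fd=7))
LISTEN 0      511    0.0.0.0:8443      0.0.0.0:*  users:(("nginx",pid=1020,fd=8))
LISTEN 0      244    0.0.0.0:5432      0.0.0.0:*  users:(("postgres",pid=933,fd=5))
LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*  users:(("helper",pid=4242,fd=3))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, then users:(("prog",pid=N,...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<prog>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text):
    """Return {program: {(addr, port), ...}}; lines that do not match are skipped."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bound = (m.group("addr"), int(m.group("port")))
        listeners.setdefault(m.group("prog"), set()).add(bound)
    return listeners


def compare(listeners, baseline):
    """Deviations from the baseline as a list of (severity, message).

    high   = a program we have no baseline for is listening at all
    medium = a known program is bound somewhere it should not be
             (extra port, or a loopback-only service now on all interfaces)
    low    = an expected listener is gone (outage, or replaced by something else)
    """
    findings = []
    for prog, bound in listeners.items():
        expected = baseline.get(prog)
        if expected is None:
            findings.append(("high", f"unknown program {prog!r} listening on {sorted(bound)}"))
            continue
        extra = bound - expected
        if extra:
            findings.append(("medium", f"{prog} bound to unexpected {sorted(extra)}"))
    for prog, expected in baseline.items():
        missing = expected - listeners.get(prog, set())
        if missing:
            findings.append(("low", f"{prog} no longer listening on {sorted(missing)}"))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, message in compare(parse_listeners(SAMPLE_SS), BASELINE):
        print(f"[{severity}] {message}")
```

On the constructed input the unknown "helper" on 4444 is the high finding, nginx on 8443 and postgres exposed on 0.0.0.0 are the medium ones, and the vanished loopback postgres listener is the low one.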

    A recently reported vulnerability is a good example of this, and a good opportunity to get familiar with the dataloss discussion boards:

    http://lists.osvdb.org/pipermail/dataloss-discuss/2012-March/003930.html

    Exercise

    7.13 Who exactly is "security curmudgeon"? Track him or her down. Does this person ever reveal their real identity?


    n reality, you should have already conducted an analysis of all access points, asrecommended by the #SST$$. The manual will take you through an intensiveexamination of every possible application interface that could yield a possible exploit.This testing should be performed before an attack, not after. To put it a better way, use

    the #SST$$ on everything under your control every chance you get.

    6ou:ll be the life of every party, trust us. (adies dig #SST$$ guys and guys love hearingabout #SST$$ from ladies.

    n the #S model, these are (ayer - attacks. Since everyone including yourgrandmother has a web page or uses the nternet, a large number of network attacksare aimed at web applications. #rganiBations may not use secure coding practices forin'house programs and many lack the resources to perform proper security auditing oftheir public web application software. This common industry practice leaves moreexploits open with every new web widget and web application. $obile applicationsare easy targets because more people have smartphones than computers. $orepeople put sensitive information on their smartphones, too. They also take their

    smartphones to work with them. It's a win-win situation for every attacker. Low-level application vulnerabilities can be chained together to run a series of commands with the privileges of the "root" user on the device. An attacker can obtain unauthorized access to the device and plant backdoors or access configuration files containing credentials for other systems (like Active Directory/LDAP credentials) that can be used in further attacks.

    Then there are the apps practically everyone uses, like Adobe Reader and Flash. Apple refuses to offer Adobe Flash in iOS because they feel Adobe has too many unsolved security issues. And that's just a video plug-in.

    Let's take a look at how many applications run on a small device. Even before you turn the device on, there is an internal clock. You turn your device on and the circus starts.

    As power is applied, it is monitored by an on-board application that checks to ensure correct voltage. If it has enough juice, then the built-in circuits check to see what sort of thing they're in. It might be a toaster, it might be a Titan supercomputer; it just needs an application to see what its initial purpose is.

    Before we have even the slightest evidence of life on the screen, we have already run three to four applications. The device's read-only memory lives in built-in chips that use a hard-coded application to tell the OS about its size, file storage capacity, whether it's bootable, whether it passed the self-test, things like that. We are running five applications and the device isn't even ready to work yet. Each one of the internal applications communicates with the others and the CPU before you see the start screen. Once that device is operational, you could easily have thirty programs running just on your smartphone. Multiply that a few hundred times for a desktop computer and a thousand times more for networks.

    Application-level attack potential changes every time a new device or program is added, updated, removed or reconfigured.

    Updates and patches are the traditional solution to application vulnerabilities. Oops, this form is vulnerable to XSS; better fix it. Dang, that input allows a buffer overflow; better fix that too. Fix that buggy code by piling on thousands more lines of buggy code! Or fail completely, as some patches do, and crash ALL your users' systems (it's happened more than once).

    Some attacks use file replacement to keep their activity hidden. Malware and other attack techniques will name their programs "calc.exe" or "notepad" to hide them in plain sight within the victim's network. As the victim updates their programs, that malicious code can be overwritten with the correct application. To combat this, an attacker will usually place a second copy of their code somewhere else in the system. This second copy will routinely check to make sure the attack package is where it was meant to be. If the malware is overwritten, the second copy just writes it there again.

    Exercises

    7.14 Mobile devices aren't exempt from malware. List the application marketplaces for the top three mobile operating systems.

    For each marketplace, do research to determine if they have ever distributed malware.

    If it has, how was it delivered?

    How did it get into the market?

    And what type of malware was it?

    7.15 What is Project un1c0rn?

    Go to their website. What are you looking at?

    How can you use this information?

    Remote Access Toolkits (RATs)

    This type of attack can be used by the very beginner script kiddie but it is still an effective method to obtain access to networks and data. (You will also see RAT expanded as Remote Access Trojan, which is what the same tool is called once it has been planted on a victim.) You don't have to know anything about scripting to launch preconfigured programs like Poison Ivy. They provide remote access that's almost identical to Windows Remote Desktop. Have you used it? It's useful for troubleshooting, training and breaking into a computer from a distance.

    Let's say that you forgot a file on your home computer but you are at the coffee shop. Remote Desktop into your home computer and transmit that file to your new location, or even work on that file as if you were sitting at the home computer. It's quite handy. It's also quite dangerous if not configured correctly.

    That is the key to security for all digital life forms: configure them correctly.

    Right out of the box, most products and applications are designed to be used by the widest possible population using the most open configuration settings. This means things are supposed to be easy for the least computer-savvy person you know, like a grandparent. It's up to the user to configure, tweak, lock down and, most importantly, read the manual. You may have heard the phrase "RTM." (Sometimes people add another initial.) Yup, that stands for "read the manual." Most people don't.

    Weak passwords are easy ways to gain access to remote connections. You could stand outside any public hotspot, sniff the packets for a few minutes and you will probably obtain several passwords for company remote servers (for any service still using a cleartext protocol such as plain FTP, POP3 or HTTP, the password crosses the air readable). We at Hacker Highschool do not recommend that you do this, but this is the kind of testing a smart security person will do, along with warning network users to stay away from public-access WiFi unless proper protection measures are taken (hint: a secure VPN).

    Exercises

    7.16 Who are the primary users of RATs, and for what purpose? This may be a tricky question to answer until you do some research on Advanced Persistent Threats (APTs). (We discussed these in Lesson 6, Malware.) APTs frequently use RATs.

    7.17 If you scanned your own computer for open ports, which port number would make you suspect it was infected with a RAT?

    DoS and DDoS

    Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are commonly associated with web sites and e-commerce. However, both of these attacks can be used against any device that communicates: an email server, a proxy, a switch, an IDS and so forth. We are just used to hearing of these being used against web servers.

    [Figure: The Codespaces.com DDoS]

    Web attacks occur so often that they don't make headlines anymore. One of the major problems with web attacks is the loss of business that happens when a company can't conduct transactions over the web. Amazon, Google, Facebook, the New York Times and every major web content provider has been the target of DoS or DDoS attacks. The basic idea behind these attacks is to keep a web server or its network too busy to handle normal IP traffic. These attacks can be as simple as sending partial header requests to a server or as complicated as having tens of thousands of zombie computers overload a network with bogus requests.

    Due to the limitations of a single computer, it is difficult for one machine to disrupt the service of a communication server. This isn't to say that there are no DoS attacks. There are, and we'll show you one in particular. But you're more likely to see large networks of computers working to distribute an attack across multiple fronts to disable networks. This is a DDoS attack. Those are much more common and it's harder to track the true attackers.

    DDoS requires a massive network of machines that are infected with command and control software that propagates across thousands of unsuspecting computers. Most of the time, the computer owner has no idea that they are part of a DDoS. These machines are controlled by higher-level control servers located throughout the area. Above the control servers is the mothership server that passes commands down to the control servers, which relay them to the individual bots/zombies.

    Locating the control servers is difficult at best and finding the mothership is rare. If the control servers are located or compromised, the mothership servers unplug and disappear. In the meantime, the individually controlled computers that unwittingly participated in the DDoS cannot be legally prosecuted since they didn't know they were part of a crime. Right? (Wrong.)

    Criminal hackers have figured out many new twists on the DDoS concept but those ideas are beyond the scope of this lesson. We'll be covering a range of DoS and DDoS attacks and how they work.

    Exercise

    7.20 Read up on Rustock.

    Is it a trojan?

    Is it a rootkit?

    Is it a proxy?

    Is it a back door?

    Find out how to remove it. Particularly note the Registry keys and the files you have to remove. And once you have, is that really the end of your problems?

    Slowdowns

    Let's start with the simple slow Denial of Service attack. A program like Slowloris sends HTTP header packets to the victim. The trick is that the packets Slowloris sends are never complete requests, or they don't contain all the information the web server needs to respond to the HTTP request. Think of it as the old joke, "How do you keep an idiot in suspense? I'll tell you tomorrow."

    The attack tries to make as many connections as possible. This is a slow attack, like you getting out of bed on a cold morning. Slowloris mainly works against older Apache servers, where the server will wait for the full header information before processing that request. The attack will send additional HTTP information but never enough to complete the request; it just tries to keep the connection open as long as possible.

    This attack can be mitigated by limiting the number of connections a single IP address can open and by giving slow connections as little time as possible. Newer Apache server software comes with a module to reduce the effectiveness of this attack called mod_reqtimeout.
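    The mitigation just described, turned into code as an added example (this is not code from the Hacker Highschool lesson or from Apache): a snapshot of a server's open connections is checked against a header-completion budget modelled on the mod_reqtimeout default (RequestReadTimeout header=20-40,MinRate=500) and against a per-IP connection cap. The timeout numbers, the cap of 20 connections and the sample connections are assumed values.

```python
"""Slowloris-style stalled-connection detection: a header budget per connection, plus a per-IP cap."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str            # client IP address
    age_s: float        # seconds since the TCP connection was accepted
    hdr_bytes: int      # request-header bytes received so far
    hdr_complete: bool  # has the blank line that terminates the request headers arrived?


# Policy modelled on Apache's mod_reqtimeout directive "header=20-40,MinRate=500":
# 20 s to finish the headers, extended by 1 s per 500 bytes received, capped at 40 s.
# The per-IP cap is the separate limit the text recommends; 20 is an assumed value.
HEADER_BUDGET_S = 20.0
HEADER_MAX_S = 40.0
HEADER_MIN_RATE = 500      # bytes per second of header data the client must sustain
MAX_CONNS_PER_IP = 20


def header_deadline(c: Conn) -> float:
    """Seconds this connection may stay open before its headers must be complete."""
    return min(HEADER_MAX_S, HEADER_BUDGET_S + c.hdr_bytes / HEADER_MIN_RATE)


def is_stalled(c: Conn) -> bool:
    """A Slowloris connection: headers still unfinished after the budget has expired."""
    return not c.hdr_complete and c.age_s > header_deadline(c)


def evaluate(conns):
    """Return (connections to drop, source IPs over the per-IP cap) for one snapshot."""
    drop = [c for c in conns if is_stalled(c)]
    per_ip = Counter(c.src for c in conns)
    over_cap = sorted(ip for ip, n in per_ip.items() if n > MAX_CONNS_PER_IP)
    return drop, over_cap


def sample_connections():
    """Constructed snapshot (not a real server state): two normal clients and one attacker
    holding 25 connections that each sent ~40 header bytes and then went quiet 30+ s ago."""
    normal = [Conn("192.168.1.10", 0.8, 310, True),
              Conn("192.168.1.11", 3.0, 96, False)]   # slow client, still inside its budget
    attacker = [Conn("10.0.0.5", 30.0 + i, 40 + i, False) for i in range(25)]
    return normal + attacker


if __name__ == "__main__":
    drop, over_cap = evaluate(sample_connections())
    print("%d stalled connections to drop; over cap: %s" % (len(drop), over_cap))
```

    In a real deployment the first rule lives inside the web server (the Apache directive above, or nginx's client_header_timeout) and the second at the firewall or load balancer. The per-IP cap alone is weak against a distributed Slowloris, which is exactly why the per-connection budget matters.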

    Unicorns

    UDP Unicorn attacks the User Datagram Protocol, which is the primeval portion of the Internet protocols. Remember way back when we talked about protocols? Yeah, we told you about the connectionless UDP that doesn't use any handshakes, unlike TCP (all that SYN, SYN-ACK, ACK stuff). It just sends data and forgets about it. This works great for streaming video, when data is being sent in large masses and missing one or five packets isn't going to be noticed by the user.

    The Unicorn attack uses Windows sockets (Winsock) to make your dreams come true. It does this by flooding a target with UDP packets from many threads at once. Similar UDP-LAG attacks just try to slow down a server, thus the name "Lag." It takes a pretty fat connection to overload another server, but this is an old-school method of attack that is still out there, lagging.

    Pay Per Service

    Imagine this: you can buy criminal Software-as-a-Service (SaaS). Usually SaaS is something like email services, but there have been, are and will be services like Blackhole where you could pay by the thousand computers for sophisticated attacks against the victim of your choice. Of course, this service business earned its creator, Paunch, many exciting adventures with the Russian legal and prison systems. Another pay-to-hack tool is TwBooter, a web service that calls itself an "Administrative Network Stresser Tool." Whatever you want to call it, it does things similar to Blackhole. You give it a target, pay your fee and clap your hands in glory as you watch some web site become the victim of a DoS. No intelligence required.

    Getting to Post

    GET and POST attacks overwhelm a victim's server by filling up its memory buffers with requests. Some of the attacks require the server to decrypt its own data in a circular process. It's kind of like that annoying game where you repeat everything the other person says. In this attack, though, the server has no idea it is repeating itself thousands of times a minute.

    ...GET requests to overwhelm the network. The GET and POST attacks work very well in SSL sessions under HTTPS. These attacks are more difficult to identify because the data requests are encrypted.

    RUDY, or the R-U-Dead-Yet attack, is a form of POST attack. It declares a very large Content-Length for a POST request and then sends the body a few bytes at a time, with long pauses in between. The server keeps waiting for the rest of the POST content, but it never arrives. It's like winning the lottery: it never happens, to you anyway.

    DDoS By the Numbers

    Distributed Denial of Service attacks require lots of data and plenty of bandwidth to overwhelm the victim's servers. To achieve this feat, most attackers will leverage other resources like botnets, using other servers (that don't belong to them), or being really creative with protocols. DDoS attacks utilize almost every layer of the OSI model (remember the OSI model from earlier lessons?) and the protocols associated with them.

    Layer 3 and 4 attacks have used Network Time Protocol (NTP) servers to flood targets with amplified data. The protocol was designed back when the Internet was young and security wasn't an issue. Many of the original Internet protocols are still used today and still lack basic security measures. With the NTP attack, an attacker spoofs a request to one of the NTP servers located throughout the world that synchronize time across networks. An ordinary NTP time request is a small unauthenticated request from one computer for a time update, and the reply is the same size (48 bytes each way), so it amplifies nothing by itself. What the attack abuses is the "monlist" debugging command (NTP mode 7, MON_GETLIST), which makes the server return its list of up to 600 recent clients: a far longer string of data than the request.

    In this attack, the data is amplified by the fact that the NTP server returns far more data than is sent to it in the first place. The NTP servers don't require verification from the requesting user, which allows an attacker to spoof the source IP address. An attacker sets up crafted packets that carry the target's address as the source address, so every reply is delivered to the target. These packets can be launched from a single server that allows IP spoofing.

    One attack on 10 February 2014 generated a peak of bps against a cloud server. Now that is some serious amplification of data directed at a target. The requests generate 206 times more data than is sent. So if the attacker sends 1,000 8-byte NTP requests (MONLIST) at 1,000 NTP servers, the results will be 16,
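    An added example (not code from the lesson or from ntpd) that decodes the 8-byte NTP mode-7 header the monlist command uses, so you can recognise the request the way an IDS signature does, and computes the amplification a fully loaded server produces. The header layout follows ntpd's ntp_request.h and the request bytes are the widely published probe; the reply size of 440 bytes with 6 entries per datagram and the 600-entry limit are assumed for the arithmetic. Nothing is sent on the network: the replies are constructed locally.

```python
"""Decode NTP mode-7 (monlist) traffic and compute the amplification it yields."""
import struct

# ntpd's mode-7 "private" header (ntp_request.h); mode 7 is ntpd-specific, not part of RFC 5905.
#   byte 0 : R(1) M(1) VN(3) MODE(3)   R = response bit, M = more packets follow
#   byte 1 : A(1) SEQ(7)               A = authenticated, SEQ = sequence number of this packet
#   byte 2 : IMPL                      3 = IMPL_XNTPD
#   byte 3 : REQ_CODE                  20 = REQ_MON_GETLIST, 42 = REQ_MON_GETLIST_1 (both "monlist")
#   bytes 4-5 : ERR(4) NITEMS(12)      bytes 6-7 : MBZ(4) ITEMSIZE(12)
MODE_PRIVATE = 7
MONLIST_CODES = {20, 42}
ENTRIES_PER_REPLY, ENTRY_BYTES = 6, 72   # assumed: one 440-byte reply datagram carries 6 entries


def parse_mode7_header(payload: bytes) -> dict:
    """Decode the 8-byte mode-7 header at the start of a UDP payload."""
    if len(payload) < 8:
        raise ValueError("payload shorter than a mode-7 header")
    b0, b1, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
        "auth": bool(b1 & 0x80), "seq": b1 & 0x7F,
        "impl": impl, "req_code": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def is_monlist_request(payload: bytes) -> bool:
    """The condition an IDS rule keys on: a mode-7 *request* carrying a MON_GETLIST code."""
    try:
        h = parse_mode7_header(payload)
    except ValueError:
        return False
    return h["mode"] == MODE_PRIVATE and not h["response"] and h["req_code"] in MONLIST_CODES


def build_monlist_reply(nitems=ENTRIES_PER_REPLY, more=True, seq=0) -> bytes:
    """One server reply datagram: header plus nitems zero-filled entries (entry fields not modelled)."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, 3, 42, nitems & 0x0FFF, ENTRY_BYTES)
    return hdr + bytes(nitems * ENTRY_BYTES)


def monlist_reply_stream(entries=600) -> list:
    """What a server with a full 600-entry monitor list sends back (assumed: 100 x 440 bytes)."""
    packets, seq = [], 0
    while entries > 0:
        n = min(ENTRIES_PER_REPLY, entries)
        packets.append(build_monlist_reply(n, more=entries > n, seq=seq))
        entries, seq = entries - n, seq + 1
    return packets


def amplification_factor(request: bytes, replies: list) -> float:
    """UDP-payload bytes delivered to the spoofed source per payload byte the attacker sent."""
    return sum(len(r) for r in replies) / len(request)


# Constructed packets (not captured traffic):
MONLIST_REQUEST = bytes.fromhex("1700032a00000000")   # v2, mode 7, impl 3, code 42: the classic probe
NORMAL_CLIENT_QUERY = bytes([0x1B]) + bytes(47)        # v3, mode 3 client time request, 48 bytes

if __name__ == "__main__":
    print(parse_mode7_header(MONLIST_REQUEST))
    print("amplification x%.0f" % amplification_factor(MONLIST_REQUEST, monlist_reply_stream()))
```

    The payload-level ratio this computes is much larger than the 206x quoted above because published figures count different bytes (usually whole frames on the wire) and most real servers had fewer than 600 entries; the shape of the problem is the same either way. Modern ntpd releases disable monlist (noquery / disable monitor), which is why the vector faded.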

    Malware began its life as a form of attacking computers and that fact hasn't changed one byte.

    Teaching a Man to Phish

    ...great new program on it wasn't there? We spent the whole night reworking it so that when you put it into your computer it loaded our software along with the game. When you are done playing with the game and your computer, we will launch our attacks, using your system, your IP and your persona. If you want to see how much you know about phishing, the OpenDNS quiz is a good place to start (http://www.opendns.com/phishing-quiz/).

    Exercises

    7.22 Put your security consultant hat on again. Your client wants to know if security training really is effective in making employees safer. There are big names on both sides of the debate.

    List two Godzilla-class security professionals who say it isn't effective, and very briefly, why.

    List two who say it is, and why.

    7.23 Now you're selling your client on SET (the Social-Engineer Toolkit). What the heck does it do? Are you selling him a product, or services?

    ...you take the network down? You didn't. You were eating a sandwich. Somebody else is taking your network down.

    Attack detection techniques rely on signature recognition and anomaly detection.

    Signature detection works great if the attacker is using known vulnerabilities, exploits, or typical tools (like script kiddies do). The problem with looking for attack signatures is that the programs need to know what those are ahead of time. Signature recognition programs don't work against zero-day exploits because there isn't any signature to detect until after the attack.

    Anomalies within a network are an everyday occurrence. If the intrusion detection system sends an alarm every time a data burst occurs, you'll be spending your entire work day resetting the system. A few bad log-on attempts and there goes your weekend. From a practical standpoint: what is an anomaly anyway? There is no easy method to distinguish normal data flow from an attack, other than a DDoS or DoS. And deep packet inspection requires additional resources and can delay data transmission.

    Network attacks that are carried out by people unfamiliar with your company will gather information ahead of time. Scanning by outside IP addresses is a normal part of any network, so you will have to look for certain patterns like:

    1. Scans that repeat at the same time each day or night (weekends and holidays are great times to recon networks)

    2. Scans that come from within the domain (because internal scans are considered "passive" traffic, the attacker may not bother with a disguise)

    3. Scans that seem to use the same technique/tool
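    An added example (not from the lesson; the log lines are constructed in an assumed format and come from no real firewall) that searches dropped-packet logs for the three patterns listed: the same source scanning at the same hour on different days, a scanner inside the private address ranges, and two sources sharing one tool fingerprint (protocol, TCP flags and the port list probed). The five-port threshold is an assumed value.

```python
"""Spot the three scan patterns in firewall drop logs: recurring hour, internal source, shared tool."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed log lines in an assumed format (not from any real firewall):
#   <ISO timestamp> DROP src=<ip> dst=<ip> dport=<port> proto=<proto> flags=<tcp flags>
SAMPLE_LOG = """\
2014-03-03T02:15:04 DROP src=203.0.113.9 dst=10.1.1.5 dport=21 proto=tcp flags=S
2014-03-03T02:15:04 DROP src=203.0.113.9 dst=10.1.1.5 dport=22 proto=tcp flags=S
2014-03-03T02:15:05 DROP src=203.0.113.9 dst=10.1.1.5 dport=23 proto=tcp flags=S
2014-03-03T02:15:05 DROP src=203.0.113.9 dst=10.1.1.5 dport=80 proto=tcp flags=S
2014-03-03T02:15:06 DROP src=203.0.113.9 dst=10.1.1.5 dport=443 proto=tcp flags=S
2014-03-03T09:41:12 DROP src=198.51.100.4 dst=10.1.1.5 dport=25 proto=tcp flags=S
2014-03-03T14:02:30 DROP src=10.1.2.77 dst=10.1.1.5 dport=21 proto=tcp flags=S
2014-03-03T14:02:30 DROP src=10.1.2.77 dst=10.1.1.5 dport=22 proto=tcp flags=S
2014-03-03T14:02:31 DROP src=10.1.2.77 dst=10.1.1.5 dport=23 proto=tcp flags=S
2014-03-03T14:02:31 DROP src=10.1.2.77 dst=10.1.1.5 dport=80 proto=tcp flags=S
2014-03-03T14:02:32 DROP src=10.1.2.77 dst=10.1.1.5 dport=443 proto=tcp flags=S
2014-03-04T02:14:58 DROP src=203.0.113.9 dst=10.1.1.5 dport=21 proto=tcp flags=S
2014-03-04T02:14:58 DROP src=203.0.113.9 dst=10.1.1.5 dport=22 proto=tcp flags=S
2014-03-04T02:14:59 DROP src=203.0.113.9 dst=10.1.1.5 dport=23 proto=tcp flags=S
2014-03-04T02:14:59 DROP src=203.0.113.9 dst=10.1.1.5 dport=80 proto=tcp flags=S
2014-03-04T02:15:00 DROP src=203.0.113.9 dst=10.1.1.5 dport=443 proto=tcp flags=S
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) flags=(?P<flags>\S*)$")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_MIN_PORTS = 5   # distinct destination ports from one source within one hour (assumed threshold)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"], e["dport"] = datetime.fromisoformat(e["ts"]), int(e["dport"])
            events.append(e)
    return events


def find_scans(events):
    """One scan per (source, day, hour) bucket that touched SCAN_MIN_PORTS or more ports."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["ts"].date(), e["ts"].hour)].append(e)
    scans = []
    for (src, day, hour), evs in buckets.items():
        ports = tuple(sorted({e["dport"] for e in evs}))
        if len(ports) >= SCAN_MIN_PORTS:
            # crude tool fingerprint: protocol, TCP flags used, and the port list probed
            scans.append({"src": src, "day": day, "hour": hour,
                          "fingerprint": (evs[0]["proto"], evs[0]["flags"], ports)})
    return scans


def classify(scans):
    """Map each scanning source to the numbered patterns above that it matches."""
    flags = defaultdict(set)
    days_by_src_hour, srcs_by_fingerprint = defaultdict(set), defaultdict(set)
    for s in scans:
        days_by_src_hour[(s["src"], s["hour"])].add(s["day"])
        srcs_by_fingerprint[s["fingerprint"]].add(s["src"])
        if any(ip_address(s["src"]) in net for net in INTERNAL_NETS):
            flags[s["src"]].add("internal-source")            # pattern 2
    for (src, _hour), days in days_by_src_hour.items():
        if len(days) >= 2:
            flags[src].add("recurs-same-hour")                 # pattern 1
    for srcs in srcs_by_fingerprint.values():
        if len(srcs) >= 2:
            for src in srcs:
                flags[src].add("shared-tool-fingerprint")      # pattern 3
    return {src: sorted(f) for src, f in flags.items()}


def analyze(text=SAMPLE_LOG):
    return classify(find_scans(parse_log(text)))


if __name__ == "__main__":
    for src, patterns in analyze().items():
        print(src, patterns)
```

    The single SMTP probe from 198.51.100.4 never becomes a scan, which is the point of the threshold: one dropped packet is background noise, a burst across five services is reconnaissance. In production the fingerprint would include timing between probes and the TCP options of the SYN, which is how tools like nmap are told apart.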

    ...and the payload is already loaded. Too bad, no video of Uncle Mika slipping in the bathroom.

    Spoofing may be used as part of an overall complex attack, such as reconnaissance or information gathering. Creating a spoofed web site might be a simple method to get network users to download a small segment of a larger attack tool. It would be like getting one foot in a network's door. Once that small script or program is inside a user's browser, the malware phones home to retrieve the rest of the program. These actions can be detected if you are looking for outbound traffic on unexpected ports to unusual URLs. A local host pushing data to an external address it has never talked to before deserves a close look; this is very often a bad thing. Too few network security professionals look at outbound activity, though, for better or worse, depending on which side you're on.

    IP packet spoof detection requires more work, since only a few of the current network protocols confirm the authenticity of inbound packet addresses. Forged certificates, man-in-the-middle intercepts and hijacked sessions can all be made to look like trusted data sources. Add to that the fact that spoofing can happen at multiple network levels: network layer spoofing, transport layer spoofing, session and application layer spoofing (discussed earlier) and data link layer (MAC address) spoofing.

    Proper identification of suspected spoofed data packets needs to work in conjunction with IDS, routers and firewalls within a network. An intruder may not even use the reply data that your network provided; they may just be looking for a connection. If she asks for DNS resolution from inside your network, she may not care if she gets a correct DNS entry back (although this could be handy); she's just probing for hosts. Usually. This is where Time to Live (TTL) becomes useful for not only detecting spoofed packets but stopping spoofed data. Basically, the TTL field of a packet tells the network how many more hops the packet may be forwarded before it is discarded: each router it passes through decrements it by one. Packets shouldn't be hanging around forever, and if they are trying to, they deserve suspicion.

    Inside intranets, packets from a given source should take roughly the same path every time, so they should arrive with roughly the same TTL every time (the sender's initial TTL minus a stable hop count). A packet that claims a familiar source address but arrives with a TTL implying a different hop count, or a different initial value, has either taken a different path or been sent by a different machine; it may be spoofed. This check, sometimes called hop-count filtering, is a basic first line of defense. Routers do not tune TTLs themselves; they only decrement them, so the initial value is whatever the sending host set.

    However, different operating systems use different initial TTLs (64 on Linux, macOS and BSD, 128 on Windows, 255 on some network equipment), and a route change also shifts the hop count, so a TTL mismatch is a signal to investigate rather than proof. This is one reason why you will need to depend on correctly configured firewalls, routers and user training. Spoofing is a constant challenge to battle.
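    Hop-count filtering as an added example (not the lesson's code): a baseline of (initial TTL, hop count) pairs per source is learned from traffic known to be genuine, such as established TCP flows, and incoming packets whose TTL fits none of the known paths for their claimed source are flagged. The initial-TTL table, the one-hop tolerance and the sample packets are assumptions.

```python
"""Hop-count filtering: flag packets whose arriving TTL does not fit the source's known path."""

# Common initial TTLs set by sending hosts: 64 (Linux, macOS, BSD), 128 (Windows), 255 (some network gear).
INITIAL_TTLS = (64, 128, 255)


def initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL the packet could have started with."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be 1..255")
    return min(t for t in INITIAL_TTLS if t >= ttl)


def path_signature(ttl: int) -> tuple:
    """(inferred initial TTL, hops travelled) for an observed TTL."""
    init = initial_ttl(ttl)
    return init, init - ttl


def build_baseline(observations):
    """observations: (src_ip, ttl) pairs taken from traffic known to be genuine, e.g. established
    TCP flows; returns src -> set of path signatures seen for it."""
    baseline = {}
    for src, ttl in observations:
        baseline.setdefault(src, set()).add(path_signature(ttl))
    return baseline


def is_suspect(baseline, src: str, ttl: int, tolerance: int = 1):
    """True if a packet claiming src arrives with a TTL that fits none of src's known paths
    (same initial TTL, hop count within tolerance); None when src has no baseline yet."""
    if src not in baseline:
        return None
    init, hops = path_signature(ttl)
    return not any(init == b_init and abs(hops - b_hops) <= tolerance
                   for b_init, b_hops in baseline[src])


def filter_packets(baseline, packets, tolerance: int = 1):
    """packets: (src_ip, ttl) pairs; returns the ones to flag (unknown sources get no verdict)."""
    return [(src, ttl) for src, ttl in packets if is_suspect(baseline, src, ttl, tolerance)]


# Constructed data: a baseline from trusted flows and a batch that includes two spoofed packets.
BASELINE = build_baseline([("203.0.113.9", 54), ("203.0.113.9", 53), ("198.51.100.4", 117)])
INCOMING = [("203.0.113.9", 54),    # genuine: initial 64, 10 hops
            ("203.0.113.9", 121),   # spoofed from a Windows box 7 hops away
            ("203.0.113.9", 118),   # spoofed: right hop count, wrong initial TTL
            ("198.51.100.4", 116),  # genuine: one hop of route change, within tolerance
            ("192.0.2.1", 60)]      # unknown source: no verdict

if __name__ == "__main__":
    print(filter_packets(BASELINE, INCOMING))
```

    The 118 case shows why the initial-TTL class is kept alongside the hop count: a spoofer who guesses the hop count but runs a different operating system still stands out. The weakness is the opposite case, an attacker on the same OS at the same distance, which is why this is a first line of defense and not the last.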

    Exercises

    7.27 Time for research: find one common command-line tool that lets you find the path to a target, using a switch that specifies the maximum number of hops (TTL), as a way to detect spoofing. (Yes, you have used this tool before, in earlier lessons.)

    7.19 And more research: find one easily-available command-line tool that lets you create spoofed packets (or heck, any kind of packets you can imagine).

    Sniffles

    Sniffing packets is not as simple as plugging your computer into the network and capturing traffic. It's often more difficult to decide where to place the sniffer than it is to analyze the traffic. The main devices that handle network traffic do so differently, so you have to be aware of the network's physical setup. So, how do you collect traffic from the network?

    First, if you're going to have to collect everyone's traffic on a wired Ethernet network, you'll need a mirror port (also called a SPAN port) on a switch, or a hardware network tap inserted into the link. Otherwise, on a switched network, the only traffic you'll see is broadcast traffic and your own. But be very clear: WiFi is not switched networking. WiFi functions like a hub: you can see everyone's frames. One caveat: on a WPA2-protected network each client's traffic is encrypted with its own session key, so to read the contents of other clients' frames you also need the network password and a capture of that client's four-way handshake.

    If you're attached to a mirror port, or have put your WiFi card into monitor mode (the wireless equivalent of promiscuous mode on a wired card), a packet sniffer application can monitor network traffic from all computers on the network.

    Packet Sniffing

    A packet sniffing program is designed to capture the traffic packets that move along the network. You get to check out the packet content and make some determinations about the validity of the packet. On Linux/Mac/Unix, the standard tcpdump command can capture traffic, save it to a pcap file that Wireshark can open later, filter by host, port or protocol, and a lot more. When you're dealing with automated processes (come on, you're a hacker, you want to automate everything), using tcpdump at the command line is the way to go.

    Enter the Shark: Wireshark

    Full-on GUI tools like Wireshark are often called network protocol analyzers. They let you capture and interactively browse the traffic running on a computer network. Wireshark is the de facto (and often de jure!) standard across many industries and educational institutions. For Windows users, you must also install the WinPcap driver, which you'll be reminded of during installation. WinPcap is also available from www.winpacap.polito.it, if you find yourself needing it separately.

    Windows Installation

    Download and install Wireshark (http://www.wireshark.org). Then follow these steps:

    1. Double-click the installer file to begin installation and then click Next in the introductory window.

    2. Accept defaults all the way through.

    3. When the dialog asks if you want to install WinPcap, make sure the Install WinPcap box is checked (indicating yes!).

    4. Click Install and the process will begin.

    Lin") Install

    The first step to installing 4ireshark on (inux is to download the correct installationpackage. )ot all versions are supported. @sually youEre going to need root privileges.

    R49base$ Syste3s

    1or P$'based distributions 0ed Hat, 1edora and S@S!2, you can download theappropriate package from the 4ireshark page. #pen a terminal window and acommand like this 0use the filename of the actual installation package you download2%

    rpm ivh wireshark-0.99.3.i386.rpm

    /ut you can usually install it without downloading it with this command%

    yum install wireshark

    This command goes out and gets a slick pre'configured package from the syste3!e*osito!iesand installs it for you. )ice, huh8

    DEB-based Systems

    On a DEB-based system (Debian, Ubuntu and many more) you can install Wireshark from the system repositories, so you don't need to download anything here either, unless you really want to. Open a terminal window and type the following:

    apt-get install wireshark

    Mac OS Install

    Different versions of Mac OS X require different procedures to install Wireshark. Check the online documentation, but generally the steps are:

    1. Download the DMG package from the Wireshark site, and the XQuartz package from http://xquartz.macosforge.org.

    2. Open the Wireshark.dmg and copy Wireshark.app to the Applications folder.

    3. Open the XQuartz.dmg and copy XQuartz to the Applications/Utilities folder.

    [Figure: Wireshark]

    Choose the interface you want to use and click Start, or simply click the interface under the Interface List section. Data should start filling the window.

    [Figure 7.2: Wireshark Interface Selection]

    This will open another window that shows the activity that Wireshark sees on your network.

    Open each of the following screens in your local copy of Wireshark.

    [Figure: Capture]

    In the packet capture window, the top pane displays a table containing all the packets in the current capture file. This includes the packet number, the relative time of the packet capture, the source and destination of the packet, the packet's protocol and some general information found in the packet.

    The middle pane contains a hierarchical display of the information about a single packet.

    The lower pane displays the packet in its raw, unprocessed form. It shows how the packet looked as it crossed the wire.

    Decoding the Packets

    Now that you can see network traffic, you have to figure out what it all means. Wireshark provides a number of charts that are valuable in establishing what normal network traffic looks like. There are a lot of different statistics to consult: click on the Statistics field in the menu bar at the top of the screen.

    [Figure 7.4: Statistics Menu]

    These statistics are compilations of data Wireshark observed. Conversations and endpoints identify sources of significant amounts of traffic. This tells you what the traffic flow of your network should look like. Some items you might consider looking at include ARP or ICMP packets. Large numbers of such packets might suggest a problem.

    Summary

    Basic global statistics are available in the summary window, such as:

    Capture file properties

    Capture time

    Capture filter information

    Display filter information

    [Figure 7.5: Summary]

    Protocol

    [Figure 7.6: Protocol Hierarchy]

    Conversations

    If you use a TCP/IP application or protocol, you should find four active tabs for Ethernet, IP, TCP and UDP conversations. A "conversation" represents the traffic between two hosts. The number in the tab after the protocol indicates the number of conversations, for example "Ethernet:6".

    Ethernet Conversations

    [Figure 7.7: Ethernet Conversations]

    IP Conversations

    [Figure 7.8: IP Conversations]

    TCP Conversations

    [Figure: TCP Conversations]

    As you review this information from your computer, which programs might be involved in these conversations, in light of information from the lesson on Ports and Protocols?

    Endpoints

    The endpoints provide statistics about received and transmitted data on a per-machine basis. The number after the protocol indicates the number of endpoints. For instance: "Ethernet:6".

    [Figure 7.10: Endpoints]

    Which endpoints are consuming the most traffic? Why might that be?

    Output

    [Figure: Output]

    In this example, the seventeen packets show activity collected by Wireshark. The easiest information to decode is the Source and Destination columns. The 192.168.1.x IPs are local network systems. The 216.69.170.193 is not local.

    The next column to look at is the Protocol column. This column tells you what protocol was being used.

    Packets two through five represent a DNS query to identify a specific website.

    The last column, Info, provides more detailed information about the packets.

    Packets six through eight identify the three-way handshake of a TCP connection:

    Packet 6: SYN packet

    Packet 7: SYN/ACK reply

    Packet 8: ACK packet

    Packet 9 represents a request to reuse a connection multiple times to download images, scripts, stylesheets et cetera after the page has been delivered (an HTTP request carrying the Connection: keep-alive header).

    Packet 10 represents an acknowledgment of the request.

    Packets 11 and 12 provide information about packet segmentation. A "PDU" is a "Protocol Data Unit." One unit of information being transferred in accordance with a given protocol will be disassembled into many packets (smaller pieces) if it's too large to fit in one packet. When the receiving side gets the packets they are then reassembled before they are sent up the stack.
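    As an added example (not code from the lesson or from Wireshark), here is the decoding behind the columns and statistics described above, written by hand: raw Ethernet II / IPv4 / TCP / UDP headers are parsed, the SYN, SYN/ACK, ACK sequence is matched, and the Conversations and Endpoints counts are rebuilt. The seven frames are constructed to mirror the walkthrough (DNS lookup, handshake, keep-alive GET, ACK); the MAC addresses, ports and sequence numbers are assumed and the checksums are left at zero.

```python
"""Decode raw Ethernet/IPv4/TCP/UDP frames and rebuild Wireshark's handshake, Conversations
and Endpoints views over a constructed seven-packet capture."""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
TCP, UDP = 6, 17
SYN, ACK, PSH = 0x02, 0x10, 0x08


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP/UDP headers, flattened like Wireshark's summary columns."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    p = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "etype": etype, "len": len(frame)}
    if etype != ETH_IPV4:
        return p
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    p.update(ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])),
             ttl=ip[8], proto=ip[9])
    l4 = ip[ihl:total_len]
    if p["proto"] == TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        p.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF,
                 payload=l4[(off_flags >> 12) * 4:])   # data offset is in 32-bit words
    elif p["proto"] == UDP:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        p.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return p


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport,
                payload=b"", flags=0, seq=0, ack=0, ttl=64) -> bytes:
    """Constructed frames for the sample; IP/TCP/UDP checksums are left at zero."""
    if proto == TCP:
        l4 = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, ttl, proto, 0, _ip(src_ip), _ip(dst_ip))
    return struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETH_IPV4) + ip + l4


def find_handshakes(pkts):
    """[(client, server)] for every SYN -> SYN/ACK -> ACK exchange seen in order."""
    pending, complete = {}, []
    for p in pkts:
        if p.get("proto") != TCP:
            continue
        fwd = (p["ip_src"], p["sport"], p["ip_dst"], p["dport"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        f = p["flags"] & (SYN | ACK)
        if f == SYN:
            pending[fwd] = "syn"
        elif f == SYN | ACK and pending.get(rev) == "syn":
            pending[rev] = "synack"
        elif f == ACK and pending.pop(fwd, None) == "synack":
            complete.append(("%s:%d" % fwd[:2], "%s:%d" % fwd[2:]))
    return complete


def conversations(pkts, src_field, dst_field):
    """Wireshark's Conversations tab: unordered address pairs with packet counts."""
    conv = Counter()
    for p in pkts:
        if src_field in p:
            conv[frozenset((p[src_field], p[dst_field]))] += 1
    return conv


def endpoints(pkts, src_field, dst_field):
    """Wireshark's Endpoints tab: bytes transmitted and received per address."""
    stats = {}
    for p in pkts:
        if src_field in p:
            stats.setdefault(p[src_field], {"tx": 0, "rx": 0})["tx"] += p["len"]
            stats.setdefault(p[dst_field], {"tx": 0, "rx": 0})["rx"] += p["len"]
    return stats


PC, GW = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"          # assumed MACs: the PC and its gateway
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n\r\n"


def sample_capture():
    """Constructed capture following the walkthrough: DNS query/answer, 3-way handshake, GET, ACK."""
    c, dns, web = "192.168.1.5", "192.168.1.1", "216.69.170.193"
    raw = [
        build_frame(PC, GW, c, dns, UDP, 51234, 53, b"\x12\x34\x01\x00" + bytes(8)),
        build_frame(GW, PC, dns, c, UDP, 53, 51234, b"\x12\x34\x81\x80" + bytes(8)),
        build_frame(PC, GW, c, web, TCP, 49152, 80, flags=SYN, seq=1000),
        build_frame(GW, PC, web, c, TCP, 80, 49152, flags=SYN | ACK, seq=5000, ack=1001, ttl=52),
        build_frame(PC, GW, c, web, TCP, 49152, 80, flags=ACK, seq=1001, ack=5001),
        build_frame(PC, GW, c, web, TCP, 49152, 80, GET, flags=PSH | ACK, seq=1001, ack=5001),
        build_frame(GW, PC, web, c, TCP, 80, 49152, flags=ACK, seq=5001, ack=1001 + len(GET), ttl=52),
    ]
    return [decode_frame(f) for f in raw]
```

    Note the difference between the two Conversations tabs that this reproduces: every frame travels between the PC and its gateway, so there is one Ethernet conversation, while the IP tab shows two (one with the DNS server, one with the web server). The remote server's TTL of 52 is also what the hop-count check earlier in this lesson would learn as that source's baseline.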

    Exercises

    7.31 By now you should be familiar with Wireshark. Can you look for a particular string of text in the packets you capture? Find out how.

    Now, start a capture.

    Go to a search engine, and search for the word "password".

    Check in Wireshark: does it see the word "password", or is your traffic encrypted and unreadable?

    Try this with at least three search engines.

    Which ones encrypt your traffic? Why do you suppose they do this?

    Be clear that this is exactly how information is leaked: when it's outbound.

    7.20 Are you getting tired of looking at individual packets? Now it's time to learn about a nice feature of Wireshark called "following TCP streams." The whole idea of TCP is taking traffic apart and putting it back together again, so why not get rid of the whole "packetizing" operation and look at the original data?

    Find out how to do this, and demonstrate this skill to your instructor.

    7.32 You are a double-top-secret agent, and you've managed to break into the Elbownian Embassy's VoIP system. You are familiar with Voice over IP, right? Basically it's telephone over the Internet. Use Wireshark to see how many VoIP calls are active.

    7.33 If you can pinpoint the TCP stream for a VoIP call, and you can follow that stream, and you can save that stream, can you play back that call? (Hint: the call signalling may run over TCP, but the audio is usually RTP over UDP; look under Wireshark's Telephony menu.)

    In a hub, incoming frames are repeated to all ports. It doesn't matter that the frame is only destined for one machine. The hub has no way of distinguishing which port a frame should be sent to. Passing it along to every port ensures that it will reach its intended destination. This puts a lot of traffic on the network and can lead to poor network response times. Since a hub repeats every frame to every machine or node on the hub, a filter in each network card discards frames not addressed to it. A packet sniffer disables this filter (promiscuous mode) to capture and analyze some or all packets traveling through the hub, depending on the sniffer's configuration.

    A switch, on the other hand, keeps a record of the Media Access Control (MAC) or physical addresses of all the devices connected to it, learned from the source address of each frame it receives. With this information, a switch can identify which system is on which port. So when a frame is received, the switch knows exactly which port to send it to, without significantly increasing network response times. That's why a switch is considered to be a much better choice than a hub. Rather than a central hub that broadcasts all traffic on the network to all machines, the switch acts like a central switchboard. It receives frames directly from the originating computer and sends them directly to the machine to which they are addressed. This makes sniffing packets on a switch much more difficult. You can only see traffic that is intended for your machine, plus broadcasts and the occasional frame to a destination the switch hasn't learned yet (which it floods to every port), unless you use more advanced techniques such as ARP poisoning (see Ettercap above, or Cain and Abel for a Windows tool). By the way, have you noticed that *all* popular sniffing/MITM tools have been developed by Italians? Including the WinPcap port. What's up with that?
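    An added simulation (not from the lesson) of the forwarding behaviour just described: a hub repeats every frame to every other port, while a learning switch builds its MAC table from source addresses and only floods broadcasts and frames to destinations it has not learned yet. The hosts, their MAC addresses and the silent sniffer on port 4 are constructed.

```python
"""Why a sniffer sees everything on a hub and almost nothing on a switch: a tiny simulation."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame(src, dst, info):
    return {"src": src, "dst": dst, "info": info}


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports, self.delivered = list(ports), defaultdict(list)

    def forward(self, in_port, f):
        out = [p for p in self.ports if p != in_port]
        for p in out:
            self.delivered[p].append(f)
        return out


class LearningSwitch:
    """Learns source MAC -> port from each frame; unicasts known destinations, floods the rest."""
    def __init__(self, ports):
        self.ports, self.cam, self.delivered = list(ports), {}, defaultdict(list)

    def forward(self, in_port, f):
        self.cam[f["src"]] = in_port                     # the MAC (CAM) table entry
        learned = self.cam.get(f["dst"])
        if f["dst"] == BROADCAST or learned is None:     # broadcast or unknown unicast: flood
            out = [p for p in self.ports if p != in_port]
        elif learned == in_port:                         # destination sits on the ingress port: drop
            out = []
        else:
            out = [learned]
        for p in out:
            self.delivered[p].append(f)
        return out


def run_traffic(device, traffic):
    """traffic: (ingress port, frame) pairs; returns what a sniffer on each port would capture."""
    for in_port, f in traffic:
        device.forward(in_port, f)
    return {p: [f["info"] for f in device.delivered[p]] for p in device.ports}


def sample_traffic():
    """Constructed traffic: hosts A, B, C on ports 1-3; the sniffer sits on port 4 and never sends."""
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    return [
        (1, frame(A, BROADCAST, "A: ARP who-has B")),   # broadcast: every port
        (2, frame(B, A, "B: ARP reply to A")),          # A already learned on port 1
        (1, frame(A, B, "A->B: GET /login")),           # both known: port 2 only
        (1, frame(A, C, "A->C: first frame to C")),     # C has not spoken yet: flooded
        (3, frame(C, A, "C->A: reply")),                # now C is learned too
    ]


if __name__ == "__main__":
    print("hub, port 4:   ", run_traffic(Hub([1, 2, 3, 4]), sample_traffic())[4])
    print("switch, port 4:", run_traffic(LearningSwitch([1, 2, 3, 4]), sample_traffic())[4])
```

    The two frames the sniffer on the switch does see (the ARP broadcast and the unknown-unicast flood) are exactly the ones ARP poisoning exploits: if the attacker answers the "who-has" with its own MAC, the switch learns a path through the attacker and the "GET /login" frame is delivered to port 4 as well.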

    Routers are completely different devices. Where a hub or switch is concerned with transmitting Ethernet frames at the local Layer 2, a router's job, as its name implies, is to route IP packets to other networks, which is a Layer 3 operation. A packet contains the source address it came from, the data, and the destination address of where it's going.

    A router is designed to join two or more networks, commonly two Local Area Networks (LANs) or Wide Area Networks (WANs), or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. Using headers and forwarding tables, routers determine the best path for forwarding the packets. Routers exchange reachability information with each other and pick the best route between any two networks using routing protocols such as OSPF or BGP (ICMP, which they also use, carries error reports such as "destination unreachable" and "time exceeded", not routes). The same packet sniffing issues apply to routers that apply to switches.

    Intrusion Detection Systems

    You've probably realized that, to use a packet sniffer to detect unauthorized activity in real time, you'll have to sit at your computer, watching the output of the packet sniffer and desperately hoping to see some kind of pattern. An intrusion detection system (IDS) does this job for you. IDSs combine the ability to record network activity with sets of rules that allow them to flag unauthorized activity and generate real-time warnings.

    E)e!cises

    -.;< #pen 4ireshark and start a live capture. )ow open your web browser and lookfor a plain text document to download. ?ownload and save the text file to yourhard drive, then close the web browser and end the capture session in 4ireshark.(ook through the packets captured by 4ireshark, paying close attention to the&S" dump in the bottom pane. 4hat do you see8 f you have access to anemail account, try checking your email while 4ireshark is performing a capture.4hat do you see there8


7.15 On the Capture Options screen, make sure that the box marked "Capture packets in promiscuous mode" is checked. This option may allow you to capture packets directed to or coming from other computers. Begin the capture and see what happens. Do you see any traffic that is intended for a computer other than yours?

7.16 What do you know about the hardware that connects your computer to the network? Does it connect to the other computers through a switch, a router or a hub? Go to a web search engine and try to find out which piece or pieces of hardware would make it most difficult to capture packets from other computers.

7.17 If you are sitting at a coffee shop, library or airport, using WiFi, and you wanted to capture traffic, could you? Could someone else be doing the same to you? What security controls could you use to prevent that?

7.18 Research intrusion detection systems. How are they different from firewalls? What do they have in common with packet sniffers? What kinds of unauthorized activity can they detect? What kinds of activity might they be unable to detect?


you wanted to study the bears then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but then you would surround that pot with movie cameras, still cameras, tape recorders and research assistants with clipboards and pith helmets.

The two types of honeypots differ primarily in their complexity. You can more easily set up and maintain a production honeypot because of its simplicity and the limited amount of information that you hope to collect. In a production honeypot, you just want to know that you've been hit; you don't care so much whether the hackers stay around. However, in a research honeypot, you want the hackers to stay, so that you can see what they are doing. This makes setting up and maintaining a research honeypot more difficult. You must make the system look like a real, working system that offers files or services that the hackers find interesting. A bear who knows what a honeypot looks like might spend a minute looking at an empty pot, but only a full pot of tasty honey is going to keep the bear hanging around long enough for you to study it.

Honeynets are harder yet; they have to have what appears to be real, live traffic on them.

Building a


firewall, but stop all outgoing traffic. This is a simple, effective solution, but intruders will quickly realize that it is not a real, working computer system. A slightly more complex honeypot might allow some outgoing traffic, but not all.

Research honeypots, which want to keep the intruders interested as long as possible, sometimes use manglers, which audit outgoing traffic and disarm potentially dangerous data by modifying it so that it is ineffective.

www.sicherheitstacho.eu has set up live feeds of cyber attacks as they happen. The data is based on 73A sensors (honeypots) located around the world. The site shows who is attacking whom and the amount of data in the attack (DDoS), and is updated every few seconds.
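A minimal production honeypot of the kind described above, as an added Python example that is not the lesson's or any project's code: it listens on a port that nothing legitimate should ever contact, answers with a bland greeting, and logs every connection attempt together with the first bytes sent, because for a production honeypot any hit at all is the alarm. The greeting, the `poke` client and its probe string are constructed for the local demonstration; the block on outgoing traffic that the text mentions belongs in the host firewall and is not modelled here.

```python
import queue
import socket
import threading
from datetime import datetime, timezone

class ProductionHoneypot:
    """Listens where no legitimate client should ever connect; any hit at all is the alarm."""
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port for the demo
        self.sock.listen(5)
        self.banner = banner                # constructed, deliberately bland greeting
        self.hits = queue.Queue()           # (utc timestamp, peer ip, peer port, first bytes)
        threading.Thread(target=self._serve, daemon=True).start()

    @property
    def address(self):
        return self.sock.getsockname()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                 # listening socket closed by stop()
                return
            with conn:
                conn.settimeout(2)
                conn.sendall(self.banner)   # look alive, but offer nothing of value
                try:
                    data = conn.recv(256)   # record only what the intruder sends first
                except OSError:
                    data = b""
                self.hits.put((datetime.now(timezone.utc).isoformat(), peer[0], peer[1], data))

    def next_hit(self, timeout=5.0):
        try:                                # block until a connection attempt is logged
            return self.hits.get(timeout=timeout)
        except queue.Empty:
            return None

    def stop(self):
        self.sock.close()

def poke(address, probe=b"USER admin\r\n"):
    """Constructed stand-in for an intruder, used only to demonstrate the honeypot locally."""
    with socket.create_connection(address, timeout=2) as c:
        greeting = c.recv(64)
        c.sendall(probe)
    return greeting
```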

Exercises

7.19 Honeypots can be useful tools for research and for spotting intruders, but using them to capture and prosecute these intruders is another question. Different jurisdictions have different definitions and standards, and judges and juries often have varying views, so there are many questions that need to be considered. Do honeypots represent an attempt at entrapment in your country?

    -.


Conclusion

The news is filled with stories on cyber attacks. Some of the attacks seem sophisticated while others seem to happen by chance. The largest and smallest organizations are being targeted on a regular basis by one form of digital crime or another. Most movie plots involving action have at least one hacker in them that uses Nmap to destroy the enemy. It's like the world has become one big series of digital wars. Expect to see some TV reality show where cyber criminals face off next. Like the next season of 24.

The reasons for entities to attack each other are as varied as the tools they use. These days most of the attacks are well funded and aimed at criminal behavior. In the old days, attacks were not. Digital crime pays, as does espionage and nation/state warfare. Criminals are using multiple layers of attack to confuse the target.

Financial sectors are being targeted for many types of cyber attacks since that is where the money is. The fastest growing sector for cyber crime is mobile platforms.

Malware plays a huge part in the increase of these crimes across the globe. It seems as though attackers are going after anything these days.

To combat and protect yourself, you need to secure your computer/network by thinking about all possible access points. One of the best ways to do this is to think like an attacker. Use the same tools they use against your own domain to see what needs to be strengthened.

Don't focus on the threats as much as your own system. Educate yourself and stay up on news about different types of attacks. The best defense is a good offense. Hacker Highschool encourages you to explore the world around you but do no harm. If you have an issue or a cause, we understand, but caution you to remember the implications of your actions.
