NETWORK SECURITY
Most computer criminals and hackers succeed not because of their own knowledge but because of the ignorance of the users and system administrators who run the systems, servers and computer networks.
1. There are open ports through which hackers may attack.
2. There are dangerous kinds of attacks on servers and administrators.
3. There are mechanisms for securing Windows NT server administrator passwords.
This project is based on practical attack techniques and tactics, and on the concepts and mechanisms behind those attacks.
Thus, to stop net criminals from intruding into systems, the system administrator should know the drawbacks and loopholes of the OS, the internet and networking.
This paper gives details of the different kinds of attacks a hacker may launch against an administrator, covering the concepts and techniques of attacks such as DoS attacks, controlling and disconnecting remote modems, Trojan attacks, mail bombing, etc.
Emphasis is given to the open ports through which hackers usually attack.
ATTACKS ON THE SERVER.
DOS ATTACKS
Denial of Service attacks (DoS attacks) are very common hacking attacks now. A DoS attack is defined as an attack on a target system by a malicious attacker to render the normal services it offers to legitimate users unavailable or disabled. It involves launching an attack that makes the services offered by the target system, or the normal services offered by the internet or a network, unavailable to legitimate users.
A DoS attack can be described as one in which the target system's memory is so clogged that it cannot serve legitimate users, or in which the target system is sent so much data that it cannot handle it and crashes or reboots.
KINDS OF DOS ATTACK
PING OF DEATH:- Ping is a part of the ICMP protocol, i.e. the Internet Control Message Protocol. It is used to troubleshoot TCP/IP networks.
Ping is a command that sends out a datagram to the specified host. The specified host, if alive, i.e. turned on, sends back a reply or echo of the same datagram. If the datagram that returns to our computer is the same datagram that was sent, then the host is alive. Therefore ping is basically a command that allows us to check whether a host is alive or not. It can also be used to determine the time taken for a datagram to reach the host.
Ping is deadly because it can be used to ping a host perpetually, which may cause the host to crash. When a host receives a ping, it allocates some of its resources to attend to or echo back the datagram. If a host is pinged perpetually, a time will come when all the resources of the host are used up and the host either hangs or restarts.
Due to ping's deadly nature, most shell account ISPs hide the ping utility.
It can be found using the command:
whereis ping
It is usually hidden in /usr/etc.
The flood ping, which pings a host perpetually, is:
ping -t hostname
ping -a can be used to resolve the address of a hostname.
We can even ping ourselves. The IP 127.0.0.1 is the local host. This means that when we connect to 127.0.0.1 we actually connect to our own machine. Therefore, to ping ourselves perpetually, we give the command:
ping -t 127.0.0.1
However, the flood ping no longer works, as most OSs have been updated.
The following ping command creates a giant datagram of size 65,510 bytes:
C:\windows>ping -l 65510
This might hang the victim's computer.
FPING UTILITY: This tool allows sending mass echo requests to a huge number of systems. The normal ping sends echoes one by one to each system on a network, whereas fping sends mass echo requests to the entire network at a single time. Hence it is more efficient.
SYN FLOOD ATTACK:- SYN flooding is flooding the target system with so many connection requests that all its memory gets hogged up trying to establish proper connections for all these requests. In effect, since all the memory of the target system is used up trying to establish connections, the target system is unable to provide services even to legitimate users. The SYN attack exploits the TCP/IP three-way handshake. Whenever a client wants to establish a connection with a host, three steps take place, known as the three-way handshake:
1. The client system sends a SYN packet to the remote host.
Client---------------SYN packet---------------Host
2. The remote host replies with a SYN/ACK packet to the client.
Host----------------SYN/ACK packet-------------Client
3. The client replies with an ACK packet, acknowledging the packet sent by the host in step 2.
Client------------------ACK----------------------Host
The above is known as the three-way handshake, and only when the above steps are completed is a complete TCP/IP connection established between the source and the destination.
In a SYN attack several SYN packets are sent to the server, but all have a bad (spoofed) source IP address. When the server receives these SYN packets with bad IP addresses, it tries to respond to each of them with a SYN/ACK. The target system then waits for an ACK to come back from the bad IP address, but as that IP does not exist, the target system never receives it. Hence these half-open requests occupy a large number of resources on the target system. As a result, due to the large number of requests, the memory of the system gets hogged up and it becomes unable to respond to legitimate users. Thus the server eventually crashes, hangs or reboots.
In accordance with the rules of TCP/IP, after a certain time has passed a timeout takes place, the connection requests queued up by the target system are discarded, and thus part of the hogged up memory is freed. Therefore in a SYN flood attack the attacker keeps sending connection requests at a faster rate than the timeouts occur. Thus the attacker keeps the target system hung.
To find out whether we have been attacked, type the command:
C:\windows>netstat -a
This will show something like:
Active Connections
Proto Local Address Foreign Address State
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya 201.xx.34.23 SYN_RECEIVED
TCP aditya *.* ESTABLISHED
If the above command shows a lot of connections in the SYN_RECEIVED state, then the system is probably under SYN attack. The connections in the ESTABLISHED state are legitimate connections.
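As an added example (not part of the original paper), the following Python script parses netstat -a output shaped like the listing above and counts half-open (SYN_RECEIVED) connections per remote host; the sample output and the alert threshold are constructed assumptions.

```python
"""Flag a possible SYN flood from `netstat -a` output (added example, not
from the original paper). The sample listing below is constructed."""
from collections import Counter

# Constructed sample of `netstat -a` output, shaped like the listing above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    aditya:80              201.xx.34.23:1034      SYN_RECEIVED
  TCP    aditya:80              201.xx.34.23:1035      SYN_RECEIVED
  TCP    aditya:80              201.xx.34.23:1036      SYN_RECEIVED
  TCP    aditya:80              201.xx.34.23:1037      SYN_RECEIVED
  TCP    aditya:80              201.xx.34.23:1038      SYN_RECEIVED
  TCP    aditya:80              201.xx.34.23:1039      SYN_RECEIVED
  TCP    aditya:139             10.0.0.7:1201          ESTABLISHED
  UDP    aditya:137             *:*
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples for each TCP/UDP line.
    UDP lines carry no state column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], parts[1], parts[2], state))
    return rows

def half_open_by_source(rows):
    """Count SYN_RECEIVED (half-open) connections per foreign host."""
    counts = Counter()
    for proto, _local, foreign, state in rows:
        if proto == "TCP" and state == "SYN_RECEIVED":
            host = foreign.rsplit(":", 1)[0]   # drop the remote port, if any
            counts[host] += 1
    return counts

def total_half_open(rows):
    """Total half-open count; useful when spoofed sources are all different."""
    return sum(half_open_by_source(rows).values())

def syn_flood_suspects(text, threshold=5):
    """Hosts with at least `threshold` half-open connections to us.
    The threshold is an assumption; tune it to the server's normal load."""
    counts = half_open_by_source(parse_netstat(text))
    return {host: n for host, n in counts.items() if n >= threshold}
```

Because a real SYN flood usually spoofs many different source addresses, compare total_half_open against a baseline as well as the per-host counts.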
CONTROLLING AND DISCONNECTING REMOTE MODEMS.
Let our IP address be xx.xx.xx.xx and the server we are connecting to have the IP yy.yy.yy.yy. If we take a single data packet and send it to yy.yy.yy.yy, the packet will take the following path to reach the destination:
Data packet at source-----------Modem of source-------------Router------------
Modem of Destination---------------Destination Server.
Thus each data packet goes VIA A MODEM, both at the source and at the destination. All data goes through modems, and this data may be a command.
A system controls a modem by issuing commands generally referred to as AT commands. The word AT precedes all modem commands, with a few exceptions.
An example of an AT command is the one issued when you dial into your ISP. When you click on the 'connect' button, the DUN software sends the following command to your modem:
the ATDT or ATDP command followed by the number you want to dial, then enter.
To issue a command to the modem, it must be in command mode.
A modem is always either in command mode or in online mode. When the system boots up, the modem is by default in command mode. When the modem is in command mode, AT commands are treated as commands, while in online mode everything sent to it is treated as data.
When we are connected to the internet the modem is in online mode and thus cannot accept any command. This means that if we know the IP address of a person and send a modem command string, the modem will only treat it as normal data and will not react to it. Thus the modem has to be switched into command mode.
When the modem is in online mode, it can be brought into command mode by sending it the escape sequence, i.e. +++. Sending the escape sequence switches the modem into command mode and it will start reacting to AT commands.
To return the modem to the online state, the ATO command is given.
Thus if we know the IP address of a person and send the +++ string followed by AT modem commands, we can practically control the remote modem. We can do anything with the modem.
H0 is the AT command that instructs the modem to hang up or disconnect.
If we want to disconnect our own modem, we issue the following command:
+++ATH0
This command switches the modem from online mode to command mode and then sends it the H0 command, which disconnects the modem.
If we send this command to a remote modem, it will disconnect that too.
NOTE: The command ATH0 does not work on all modems.
The way the ATH0 trick works is that it hides the escape/control sequence in an ICMP echo request packet (the packet contains the string +++ATH0). The string +++ sends the modem into escape mode, and if the guard time on the modem is set very low it goes into command mode instantaneously and will accept AT commands. The target system receives the echo request, builds a reply with a new timestamp and checksum and swapped source/destination hosts, and returns it to the sender. As the reply goes out, the string passes through the modem and the command is executed. There are a few conditions that must be met for this to work:
1. The target computer must not filter ICMP echo requests and must reply to them.
2. The target computer must be using a modem.
3. The target computer must have a vulnerable modem (i.e. the guard time must be set very low).
4. Spoofed (i.e. bad source IP) packets must be sent to the target computer, otherwise the target computer will know where they are coming from.
TROJAN/KEY LOGGER ATTACKS
A Trojan is a tool which, when installed on a system, can be misused for malicious purposes by the attacker. Trojans are capable of doing a lot of harm to the target computer.
Almost all Trojans are made up of:
1. THE SERVER PART: This part of the Trojan has to be installed and running on the target system.
2. THE CLIENT PART: This part of the Trojan is installed and running on the attacker's computer.
Trojans attack in the following way:
1. The attacker tries to install the server part of the Trojan on the target system by any of the following methods:
(a) Sending the Trojan disguised as a normal file through ICQ or any other instant messaging software.
(b) Installing the Trojan on the target computer manually.
(c) By trickery: in this method the attacker hides the Trojan server part inside a normal .EXE file. The file is chosen so that the victim finds it useful and installs the infected file himself.
2. Once the attacker has installed the Trojan on the target system, it binds to a particular port on the target computer and listens for connections. Each Trojan has a particular port to which it binds.
3. Once the server part is listening for connections, the attacker tries to find out the IP address of the target computer.
4. As soon as the attacker gets the IP address of the target system, he connects to it using the client part of the Trojan on his own system and thus becomes able to control the target system. Using the Trojan, the attacker enjoys full control of the target system.
DETECTION OF A TROJAN:
Almost all types of Trojans are loaded into memory each time Windows boots up. Some common locations where they are known to hide are:
(A). THE STARTUP FOLDER: c:\windows\start menu\programs\startup
The location of this folder is actually stored in the registry:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders]
Common Startup=c:\windows\start menu\programs\startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\user shell folders]
Startup=c:\windows\start menu\programs\startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders]
Startup=c:\windows\start menu\programs\startup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\user shell folders]
Common Startup=c:\windows\start menu\programs\startup
(B). SYSTEM FILES: The two system files, win.ini and system.ini, are also processed at boot.
(C). BATCH FILES: The two batch files, autoexec.bat and winstart.bat, are also executed. These batch files may contain malicious commands.
(D). THE WINDOWS REGISTRY: Trojan programs may also be started from the Windows registry; the programs listed under the following registry keys are executed when Windows boots:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RunServices]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RunOnce]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\RunOnce]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\RunServices]
Thus by monitoring these and other places, we can detect the presence of Trojans.
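As an added example (not the paper's own code), the following Python script takes a regedit .reg export and lists everything registered under the Run/RunOnce/RunServices keys and the Startup folder locations named above, so the autostart points can be reviewed offline; the export text and the temp-folder heuristic are constructed assumptions.

```python
"""Pull Windows autostart entries out of a regedit (.reg) export, using the
startup locations listed above (added example, not the paper's own code).
The export text is constructed; the temp-folder heuristic is an assumption."""
import re

HIVE = "Software\\Microsoft\\Windows\\CurrentVersion\\"
RUN_KEYS = {("HKEY_LOCAL_MACHINE\\" + HIVE + k).lower() for k in
            ("Run", "RunOnce", "RunServices", "RunServicesOnce")}
RUN_KEYS |= {("HKEY_CURRENT_USER\\" + HIVE + k).lower() for k in
             ("Run", "RunOnce", "RunServices")}
FOLDER_KEYS = {(h + HIVE + "Explorer\\" + k).lower()
               for h in ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\")
               for k in ("Shell Folders", "User Shell Folders")}

# Constructed .reg export: one normal Run entry, one that starts from a temp
# folder (a typical Trojan hiding place), and the Startup folder location.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WinSock2 Helper"="C:\\WINDOWS\\TEMP\\wsock.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
"Desktop"="C:\\WINDOWS\\Desktop"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string" or @="string"; .reg files escape \ and " with a backslash
_STR_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def autostart_entries(reg_text):
    """Return (kind, key, name, data): kind 'run' for commands under the Run*
    keys, 'folder' for the Startup folder paths. hex: values are skipped."""
    current, out = None, []
    for line in reg_text.splitlines():
        k = _KEY_RE.match(line.strip())
        if k:
            current = k.group(1)
            continue
        v = _STR_RE.match(line.strip())
        if not v or current is None:
            continue
        name = _unescape(v.group(1)) if v.group(1) is not None else "(Default)"
        data = _unescape(v.group(2))
        if current.lower() in RUN_KEYS:
            out.append(("run", current, name, data))
        elif current.lower() in FOLDER_KEYS and name.lower() in ("startup", "common startup"):
            out.append(("folder", current, name, data))
    return out

def suspicious(entries, markers=("\\temp\\", "\\tmp\\")):
    """Autostart commands launched from temporary folders (heuristic only)."""
    return [e for e in entries if e[0] == "run" and any(m in e[3].lower() for m in markers)]
```

Every 'folder' entry names a directory whose contents should be reviewed by hand, since anything placed there also runs at boot.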
MAIL BOMBING
Mail bombing means sending a huge number of emails to a single email account so that the account's space is filled up, the user cannot receive any further email, and it becomes difficult for the user to read the existing emails.
Mail bombing is of two types:
1. THE MASS MAIL BOMBING METHOD: In this kind of attack the user's account is filled with a huge number of emails. There are mail bombing programs which send a particular message over and over through an SMTP server. Such programs can be made easily in Perl.
e.g. #!/usr/bin/perl
$mprogram='/usr/lib/sendmail';
$victim='victim@hostname.com';
$var=0;
while($var<1000)
{
open(MAIL,"|$mprogram $victim")||die "can't open mail program";
print MAIL "Mail Bombing";
close(MAIL);
sleep(4);
$var++;
}
This program will send 1000 emails to the target account.
2. LIST LINKING: In this kind of mail bombing the target is subscribed to thousands of mailing lists. This kind of mail bombing is more effective, as the victim has to unsubscribe himself from every one of these mailing lists.
List linking is done with mail bombing software. This software asks for the target email address, the address of the SMTP server and the forged email address from which the mail bomb is to appear to come.
The software subscribes the victim again and again, and thus he has a lot of work to do. He may even miss his important incoming emails and existing emails.
In this type of attack, do not download all the messages and then delete them. Instead, log on to the POP port of your mail server and delete the useless messages using POP commands. By reading the headers, the mail bomber can be easily traced.
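As an added example (not from the original paper) of the clean-up just described, the Python script below inspects only message headers over POP3 (STAT, TOP n 0, DELE, QUIT), deletes the bomb messages without downloading their bodies, and collects the source addresses from the Received: headers for tracing. The mailbox contents are constructed, and FakePOP3 is a constructed stand-in that mimics the poplib.POP3 methods used, so the same function runs unchanged against a real poplib.POP3 session.

```python
"""Clean a mail-bombed mailbox over POP3 without downloading the bodies
(added example, not from the original paper). purge_bomb uses only stat(),
top(), dele() and quit(), the method names of Python's poplib.POP3;
FakePOP3 is a constructed stand-in so the example runs offline."""
import re
from email.parser import BytesHeaderParser

class FakePOP3:
    """Minimal stand-in for poplib.POP3 holding constructed messages."""
    def __init__(self, messages):
        self.msgs = messages          # raw bytes; POP3 numbers them from 1
        self.deleted = set()
    def stat(self):
        return (len(self.msgs), sum(len(m) for m in self.msgs))
    def top(self, which, howmuch):
        # TOP n 0 returns headers only; poplib gives (resp, lines, octets)
        head = self.msgs[which - 1].split(b"\r\n\r\n", 1)[0]
        return (b"+OK", head.split(b"\r\n"), len(head))
    def dele(self, which):
        self.deleted.add(which)
        return b"+OK"
    def quit(self):
        return b"+OK"

# Constructed mailbox: two bomb messages around one legitimate message.
BOMB = (b"From: <bomber@hostname.example>\r\nSubject: Mail Bombing\r\n"
        b"Received: from 203.0.113.9 by mail.example\r\n\r\nMail Bombing\r\n")
REAL = (b"From: <boss@example.org>\r\nSubject: project deadline\r\n"
        b"\r\nPlease send the report.\r\n")
SAMPLE_MAILBOX = [BOMB, REAL, BOMB]

def purge_bomb(pop, subject_pattern):
    """Delete every message whose Subject matches subject_pattern, reading
    only headers via TOP n 0. Returns (deleted_numbers, source_ips)."""
    count, _size = pop.stat()
    deleted, sources = [], set()
    for n in range(1, count + 1):
        _resp, lines, _octets = pop.top(n, 0)
        hdr = BytesHeaderParser().parsebytes(b"\r\n".join(lines))
        if re.search(subject_pattern, hdr.get("Subject", "")):
            pop.dele(n)
            deleted.append(n)
            # the Received: trail is what lets us trace the bomber
            for rcv in hdr.get_all("Received", []):
                sources.update(re.findall(r"\d+\.\d+\.\d+\.\d+", rcv))
    pop.quit()   # POP3 only commits deletions on QUIT
    return deleted, sources

def clean_sample():
    """Run the purge against the constructed mailbox."""
    return purge_bomb(FakePOP3(SAMPLE_MAILBOX), r"^Mail Bombing$")
```

For list linking, match the subscription confirmation subjects instead (for example a pattern such as "^Welcome to"), keeping one copy so the lists can be unsubscribed later.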
PORT SCANNING
There are basically two kinds of ports: physical (hardware) and virtual (software).
Hardware ports are the slots behind the CPU to which other system devices are connected. A software port is a virtual pipe through which information flows. A particular system can have a large number of ports. All ports are numbered, and on each port a particular service or piece of software is running.
Port scanning is the first step in finding a hackable server, i.e. one with a hole or other vulnerability.
If we were to hack our ISP's server, we would first have to find out the hostname of the server run by the ISP. Now each server can have a large number of open ports, and it would take days to manually search for the services running on each port. This is where port scanning utilities come in.
Tools like SATAN allow one to find out the list of open ports, the services running on them and the vulnerabilities of the target system.
Another thing we must be careful about when port scanning the ISP is that most port scanners are easily traceable. If caught port scanning a host, this is a sure sign of hacker activity.
To find out the list of open ports on our own system, we give the command:
C:\windows>netstat -a
Ports are of three kinds:
1. THE WELL KNOWN PORTS: These are the ports numbered from 0 to 1023. This range of ports is bound to the services running on them; thus each port has a specific service running on it.
Eg. FTP runs on port 21.
2. THE REGISTERED PORT NUMBERS: These ports are from 1024 to 49151. This range of ports is not bound to any specific service. Networking utilities like browsers and email clients open a random port within this region and start communicating with the remote server. A port number within this region enables us to surf the net.
These ports are simply open so that our software applications can do the desired work. They act as a buffer, transferring packets received to the application and vice versa. Once we close our application, these ports are automatically closed.
3. THE DYNAMIC/PRIVATE PORT NUMBERS: These are the ports from 49152 to 65535. This range is rarely used, and is mostly used by Trojans.
Eg. Sun starts its RPC ports at 32768.
BLOCKING THE PORTS:
This section shows what to do if the netstat command shows a couple of open ports on our system or server.
1. Check the Trojan port list and see whether the open port number matches any known Trojan. If it does, get a Trojan remover and remove the Trojan.
2. We can also remap the ports. This is an efficient method of securing our open ports. Instead of running a service on its well-known port, where it can be easily exploited, it is better to run it on a not so well known port. Thus a hacker will find it more difficult to find that service. This method is known as remapping.
3. ETHERPEEK is an excellent sniffing software which can easily trace a port scanner.
4. NUKE NABBER, a Windows freeware, claims to be an excellent port blocker.
5. There are other utilities, such as PORT DUMPER, which can fake daemons (services) like Telnet, Finger, etc.
SECURING WINDOWS NT ADMINISTRATOR PASSWORDS
(Source : www.ntbugtraq.ntadvice.com/default.asp )
The NT Security Account Manager (SAM) is the security manager for the passwords of the Windows NT Administrator. The SAM stores the list of usernames of all accounts and their respective passwords, in encrypted form, for all local users on that particular domain. Cracking the encrypted passwords stored by the SAM is all that is needed to control the entire network.
By default a backup of the SAM is stored in the file %systemroot%\repair\sam._, and by default this directory gives Everyone read access. Thus it is possible to retrieve the hashed (encrypted) passwords from the file directly. It is therefore necessary to restrict access to the root directory of the %systemroot% drive, to prevent any system file being manipulated.
Recently an algorithm for reversing the NT hashed passwords into NT user passwords was published.
This created a scary concern over the relative security of the Windows NT Administrator system.
Therefore, RECOMMENDATIONS to secure the file %systemroot%\repair\sam._ [this file stores the backup of the SAM (the SAM stores the passwords), and hence is one of the most important files]. These are:
TO SECURE THE %systemroot%\repair\sam._ FILE:
By default, the SAM._ file and the \repair directory have the following permissions:
Administrators; SYSTEM: Full Control
Everyone: Read
Power Users: Change
1. From within Explorer, highlight the SAM._ file, right click, choose Properties, Security, Permissions. Remove all privileges from this file.
2. From a DOS prompt, execute the following:
cacls %systemroot%\repair\sam._ /D Everyone
This will deny the group Everyone permission to the file, ensuring that no other permission can override the file permission.
3. Whenever you need to update your ERD (Emergency Repair Disk), first execute the following at the DOS prompt:
cacls %systemroot%\repair\sam._ /T /G Administrators:C
This will grant Administrators change permission so that the file can be updated during the ERD update. (The SAM database is backed up whenever the ERD is updated.)
4. Once the ERD has been updated, execute the following at the DOS prompt:
cacls %systemroot%\repair\sam._ /E /R Administrators
This will once again remove the permission for Administrators.
Hence the file is fully secured.