Intrusion Detection system and Toolkit

Report
種子教師國外培訓課程
Intrusion Detection System
and Tool Kits
Bo Cheng (鄭伯炤)
Email:[email protected],tw
Tel: 05-272-0411 Ext. 33512
1
Information Networking Security and Assurance Lab
National Chung Cheng University
Agenda (03/03)
Time
Topics
8:00 - 9:20
Welcome
9:20 - 10:30
IDS Introduction
10:30 - 10:50
Coffee Break
10:50 - 12:00
Hacking (I)
12:00 - 13:00
Lunch Break
13:00 - 13:30
Nmap
13:30 - 14:00
A Real World Attack: Wu-ftp attack
14:00 - 15:00
Nessus
15:00 - 15:20
Coffee Break
15:20 - 16:40
IDS Faq
16:40 - 17:10
Tripwire
17:10 - 17:30
tcpdump, tcprelay and Swatch
Information Networking Security and Assurance Lab
National Chung Cheng University
2
Agenda (03/04)
Time
Topics
9:00 - 10:30
Hacking (II)
10:30 - 10:50
Coffee Break
10:50 - 11:20
Auditing Windows
11:20 - 12:00
SARA
12:00 - 13:00
Lunch Break
13:00 - 14:00
Snort
14:00 - 14:30
PortSentry
14:30 - 15:00
DumpSec
15:00 - 15:20
Coffee Break
15:20 - 16:20
IDS Evasion
16:20 - 16:50
Fragrouter
16:50 - 17:30
Nikto
Information Networking Security and Assurance Lab
National Chung Cheng University
3
Agenda (03/05)
Time
Topics
9:00 - 10:30
Detection Engine
10:30 - 10:50
Coffee Break
10:50 - 12:00
The Future of IDS and IPS
4
Information Networking Security and Assurance Lab
National Chung Cheng University
The Introduction of Intrusion
Detection systems
5
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Introduction
The type of IDS
Tools that Complement IDS
Deploying IDS
A Brief History of IDS
The players in IDS market
Summary
Reference
6
Information Networking Security and Assurance Lab
National Chung Cheng University
Introduction
What is Intrusion?
CIA
Confidentiality
Availability
Information
Security
Integrity
What is Intrusion Detection?
the process of monitoring the events occurring in a
computer system or network, analyzing them for
signs of security problems
7
Information Networking Security and Assurance Lab
National Chung Cheng University
Types of IDS (Information Source)
Operate on information (e.g., log or
Host (HID) OS system call) collected from
within an individual computer
system.
Uses a module, coupled with the
application, to extract the desired
information and monitor transactions
Application-Integrated (AIID)
Application (AID)
Network (NID)
Capture and analyze all
network packets
Operate on application
transactions log
e.g., Entercept Web Server Edition
Monitor packets to/from
Network-Node (NNID)
a specific node
8
Information Networking Security and Assurance Lab
National Chung Cheng University
http://www.networkintrusion.co.uk/ids.htm
The Detection Results
False Positive
• Annoy
• Crying wolf
• Tuning
• Prevention?
True Negative
True Positive
• Wire-speed performance
• Mis-configuration
• Poor detection engine
• IDS Evasion
False Negative
Information Networking Security and Assurance Lab
National Chung Cheng University
9
IDS Responses After Detection
Intrusion Detection Working Group
•IDMEF - Message Exchange Format
Alarms/
Notifications
Passive
Responses
Active
Responses
•IDXP - Exchange Protocol
Communication protocol for exchanging IDMEF messages
Generate SNMP trap
SNMP
Integration
Support SNMP Manager (e.g., HP
OV) and MIB (e.g., iss.mib trap)
Take Action Against
the Intruder
Retaliation: Information warfare
Injecting TCP reset packets
Collect additional
information
Change the
Environment
Information Networking Security and Assurance Lab
National Chung Cheng University
XML-based alert format among IDS components
Reconfiguring routers/firewalls (e.g., via FW1 OPSEC) to block packets based on IP
address, network ports, protocols, or services
10
Source: NIST
Check Point - Open Platform for Secure
Enterprise Connectivity (OPSEC)
TCP/UDP Port
Name
Short description
FW1_cvp
Check Point OPSEC Content Vectoring Protocol - Protocol used
for communication between FWM and AntiVirus Server
18182 /tcp
FW1_ufp
Check Point OPSEC URL Filtering Protocol - Protocol used for
communication between FWM and Server for Content Control
(e.g. Web Content)
18183 /tcp
FW1_sam
Check Point OPSEC Suspicious Activity Monitor API - Protocol
e.g. for Block Intruder between MM and FWM
18184 /tcp
FW1_lea
Check Point OPSEC Log Export API - Protocol for exporting
logs from MM
18185 /tcp
FW1_omi
Check Point OPSEC Objects Management Interface - Protocol
used by applications having access to the ruleset saved at MM
18187 /tcp
FW1_ela
Check Point Event Logging API - Protocol used by applications
delivering logs to MM
18207 /tcp
FW1_pslo
gon
Check Point Policy Server Logon protocol - Protocol used for
download of Desktop Security from PS to SCl
18181 /tcp
11
Information Networking Security and Assurance Lab
National Chung Cheng University
NFR and RealSecure support FW-1_sam and FW1_ela
Complement IDS Tools
Create a baseline and
apply a message digest
(cryptographic hash) to
key files and then
checking the files
periodically
When the IDS detects
attackers, it seamlessly
transfers then to a special
padded cell host
Determine whether a
network or host is vulnerable
to known attacks
File Integrity
Checkers
Vulnerability
Assessment
Honey Pot
Padded Cell
A system/resource
designed to be attractive
to potential attacker
12
Information Networking Security and Assurance Lab
National Chung Cheng University
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
NIDS Deployments
•See all outside attacks to help forensic analysis
Internet
1
•Identify DMZ related attacks
•Spot outside attacks penetrate the network's perimeter
•Avoid outside attacks to IDS itself
•Highlight external firewall problems with the policy/performance
•Pinpoint compromised server via outgoing traffic
External firewall
2
DMZ
•Increase the possibility to recognize attacks.
•Detect attacks from insider or authorized
users within the security perimeter.
Mode:
•Tap
3
4
•SPAN (Mirror)
Network Backbones
•Port Clustering
•In-Line
Critical Subnets
Information Networking Security and Assurance Lab
National Chung Cheng University
•Observe attacks on critical
systems and resources
•Provide cost effective
solutions
13
IDS Balancer
Network
Internet
•Toplayer’s IDS Balancer
•Radware FireProof
GigaBit SX Tap
Fiber Tap
IDS Balancer
•Availability
•Scalability
•ROI
•Cost-effective (reduce sensors
while increasing intrusion coverage)
14
Information Networking Security and Assurance Lab
National Chung Cheng University
A Brief History of IDS
SAIC’s
CMDS team
along
the
first
with
commercial
the
Haystack
vendor
team,
of
IDS
SAIC
ASIM
NetRanger,
Air
Force's
was
made
also
Cryptologic
the
considerable
developing
first
commercially
Support
progress
a
form
Center
of
viable
in
revealed
Stalker
the
first
was
the
visible
a
necessary
host-based,
host-based
information
pattern
intrusion
for
UC
Davis’
Lawrence
Livermore
Lab
Intrusion
Detection
Expert
System
The
security
market
leader
developed
analyze
audit
trails
from
government
audit
trails
contained
vital
information
Distributed
UC
Davis's Intrusion
Todd Heberlein
Detection
develop
System
Heberlein
tools,
with
introduced
its
Stalker
the
line
first
of
host-based
idea
of
host-based
overcoming
network
developed
intrusion
the
intrusion
scalability
Automated
detection
detection,
and
Security
portability
device.
called
matching
commercial
detection
system
company
that
detection
included
robust
system
produced
an
IDS
that
analyzed
audit
a
network
intrusion
detection
system
mainframe
computers
and
create
that
could
be valuable
trackingsolution
(DIDS)
NSM,
the
augmented
first
network
thein
intrusion
existing
hybrid
products.
intrusion
detection.
Computer
issues.
Measurement
Misuse
System
Detection
to monitor
System
search
development
capabilities
to
manually
and as
data
by
comparing
it. with
defined
called
RealSecure
profiles
of
users
upon
their
misuse
and
understanding
user
by trackingsystem
detection
clientbased
machines
as
well
(CMDS).
network
traffic
on the
Air data
Force's
automatically
theUS
audit
patterns.
activities
behavior
the
servers
it query
originally
monitored.
network.
Information Networking Security and Assurance Lab
National Chung Cheng University
15
The players in IDS market (I)
In 1999
Host-Based
RealSecure
ISS
In 1997
Network-Based
RealSecure
BlackICE
Sentry
Network ICE
BlackICE
Sentry (GigaBit)
16
Information Networking Security and Assurance Lab
National Chung Cheng University
The players in IDS market (II)
CISCO
Entercept tech
Standard Edition
Enterprise Edition
Host-Based
(Entercept tech)
Standard Edition
Enterprise Edition
Network-Based
Catalyst 6000
IDS 4230
IDS 4210
In 1997
Air Force Cryptologic
Support Center
ASIM
ASIM Development
Staff from AF CSC
$124Million
Wheel Group
NetRanger
17
Information Networking Security and Assurance Lab
National Chung Cheng University
The players in IDS market (III)
Symantec
Host-Based
Intruder Alert
Network-Based
NetProwler
Axent
Enterasys/Cabletron
Host-Based
Squire
Network-Based
Dragon
Network Security Wizards
18
Information Networking Security and Assurance Lab
National Chung Cheng University
CyberSafe
Intrusion.com
Host-based
Kane
Network-based
SecureNet Pro
Host-Based
Centrax
Network-Based
Centrax
(NNID tech.)
NetworkICE
ODS
Host-based
CMDS
Kane
MimeStar
SecureNet Pro
Centrax
Entrax
Network
Associates
Trusted
Information
Systems
CMDS
SAIC
UCAL Davis
Lawrence Livermore labs
Haystack Development staff
Haystack Labs
Stalker
19
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Government funding and corporate interest
helped Anderson, Heberlein, and Denning
spawned the evolution of IDS.
Intrusion detection has indeed come a long
way, becoming a necessary means of
monitoring, detecting, and responding to
security threats.
20
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
 NIST Special Publication on Intrusion Detection
Systems
http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
 The Evolution of Intrusion Detection Systems
http://www.tdisecurity.com/documents/IDSEvolution.pdf
 Web site
http://www.cisco.com
http://www.iss.net
http://www.enterasys.com
http://www.intrusion.com
http://www.cybersafe.com/centrax/
21
Information Networking Security and Assurance Lab
National Chung Cheng University
22
Information Networking Security and Assurance Lab
National Chung Cheng University
Hacking I
23
Information Networking Security and Assurance Lab
National Chung Cheng University
Attack Motivations, Phases and Goals
Data manipulation
System access
Elevated privileges
Deny of Service
Analyze Information & Prepare Attacks
• Service in use
• Known OS/Application vulnerability
• Known network protocol security weakness
• Network topology
• Revenge
• Political activism
• Financial gain
Actual Attack
 Network Compromise
 DoS/DDoS Attack
• Bandwidth consumption
• Host resource starvation
Collect Information
• Public data source
• Scanning and probing
24
Information Networking Security and Assurance Lab
National Chung Cheng University
Tools, Tools, Tools
Network Scanning
Reconnaissance
•Telnet
•Nmap
•Hping2
•Netcat
•ICMP: Ping and Traceroute
•Nslookup
•Whois
•ARIN
•Dig
•Target Web Site
•Others
Penetration Tool
Vulnerability Assessment
•Nessus
•SARA
25
Information Networking Security and Assurance Lab
National Chung Cheng University
Collect Information
Public data source
Scanning and probing
26
Information Networking Security and Assurance Lab
National Chung Cheng University
Whois Database
Contain data elements regarding Internet
addresses, domain names, and individual
contacts
domain name uniquely
27
Information Networking Security and Assurance Lab
National Chung Cheng University
ARIN
American Registry for Internet Numbers
Gather information about who owns particular
IP address ranges, given company or domain
names
28
Information Networking Security and Assurance Lab
National Chung Cheng University
DNS
A hierarchical database
Root DNS Servers (start point)
com DNS Servers
net DNS Servers
org DNS Servers
abc.com DNS Servers
The DNS hierarchy
29
Information Networking Security and Assurance Lab
National Chung Cheng University
DNS Resolve
ROOT
DNS SERVER
www.abc.com
referral to abc.com
LOCAL
DNS SERVER
com
DNS SERVER
www.abc.com = 10.11.12.13
CLIENT
A recursive search to resolve a domain name
Information Networking Security and Assurance Lab
National Chung Cheng University
abc.com 30
DNS SERVER
Some DNS Record Type
Record Type Name
Purpose
Example Record Format
Address
(A Record)
Maps a domain name to a
specific IP address
www 1D IN A 10.1.1.1
Host Information
(HINFO Record)
Identifies the host system type
www 1D IN HINFO
Solaris8
Mail Exchanger
(MX record)
Identifies a mail system
accepting mail for the giver
domain
@ 1D IN MX 10
mail.abc.com
Name Server
(NS Record)
Identifies the DNS servers
associated with a giver domain
@ 1D IN NS
nameserver.abc.com
Text (TXT Record)
Associates an arbitrary text
string with the domain name
System1 IN TXT “This is
a cool system”
31
Information Networking Security and Assurance Lab
National Chung Cheng University
nslookup
IP 反查 domain name
Return
fromfrom
localremote
DNS cache
Return
DNS cache
Zone Transfer
32
Information Networking Security and Assurance Lab
National Chung Cheng University
A split DNS
EXTERNAL
DNS
INTERNET
DMZ
INTERNAL
DNS
INTERNAL
NETWORK
INTERNAL
SYSTEM
33
Information Networking Security and Assurance Lab
National Chung Cheng University
DMZ
 DMZ stands for De-Militarized Zone. The DMZ
setting allows the server that provides public
resources (Ex. Web or FTP) to map public IP
addresses for Internet users to use in a Broadband
sharing router environment.
INTERNET
DMZ
Internal
Network
DMZ system
,such as Web, Mail,
DNS and FTP
Allowed
Forbidden
Information Networking Security and Assurance Lab
National Chung Cheng University
34
Collect Information
Public data source
Scanning and probing
35
Information Networking Security and Assurance Lab
National Chung Cheng University
Network Mapping
 Map out your network infrastructure
 Mapping and scanning your Internet gateway, including
DMZ systems, such as Web, mail, FTP, and DNS
 Mapping and scanning your internal network
 Techniques
 Finding live hosts
 Tracing your network topology
36
Information Networking Security and Assurance Lab
National Chung Cheng University
Finding Live Hosts
 Two methods
ICMP ping
 Ping all possible addresses to determine which ones have active
hosts
 Ping, using an ICMP Echo Request packet
• Alive, sending an ICMP Echo Reply message
• Otherwise, nothing is listening at that address
TCP/UDP packet
 If block incoming ICMP
 send a TCP or UDP packet to a port, such as TCP port 80
37
Information Networking Security and Assurance Lab
National Chung Cheng University
Traceroute
TTL = 1
Time exceeded
TTL = 2
Time exceeded
Using traceroute to discover the path from source to destination
38
Information Networking Security and Assurance Lab
National Chung Cheng University
Cheops
39
Information Networking Security and Assurance Lab
National Chung Cheng University
Defenses against Network Mapping
 Filter
IN: Firewalls and packet-filtering capabilities of your
routers
OUT: Stop ICMP Time Exceeded messages leaving your
network
 Blocking
Block incoming ICMP messages at gateway
Ping Web server? Maybe
Ping DMZ database server? Probably not
Ping internal network hosts? Definitely not
40
Information Networking Security and Assurance Lab
National Chung Cheng University
Using port scanners
Analyzing which ports are open
To know the purpose of each system
To learn potential entryways into system
TCP/IP stack has 65,535 TCP/UDP ports
“well-known” port numbers
TCP port 80
RFC 1700
Nmap @ www.insecure.org/Nmap
41
Information Networking Security and Assurance Lab
National Chung Cheng University
Nmap
What type of packets does the scanning system
send
TCP Connect, TCP SYN, TCP FIN, …
42
Information Networking Security and Assurance Lab
National Chung Cheng University
Types of Nmap Scans
 Legitimate TCP connections established using a
three-way handshake
SYN with ISNA
ACK ISNA and SYN with ISNB
ACK ISNB
Connection
ALICE
BOB
The TCP three-way handshake
43
Information Networking Security and Assurance Lab
National Chung Cheng University
TCP Header
Bit: 0
4
10
16
Source port
31
Destination port
20 octets
Sequence number
Acknowledgement number
Data
offset
Reserved
U A P R S F
R C S S Y I
G K H T N N
Checksum
Window
Urgent pointer
Options + padding
44
Information Networking Security and Assurance Lab
National Chung Cheng University
The Polite Scan: TCP Connect
Completes the three-way handshake, and then
gracefully tears down the connection using
FIN packets
If closed
No SYN-ACK returned
Receive either no response, a RESET packet, or an
ICMP Port Unreachable
Easy to detect
45
Information Networking Security and Assurance Lab
National Chung Cheng University
A Little Stealthier: TCP SYN Scan
 TCP SYN scans
Sending a SYN to each target port
If open, a SYN-ACK response
Sends a RESET packet, aborting the connection
 Referred to as “half-open” scans
 Two benefits
The end system Not record the connection, however, routers
or firewalls do
Its speed
46
Information Networking Security and Assurance Lab
National Chung Cheng University
Violate the Protocol Spec: TCP FIN,
Xmas Tree, Null Scans(1)
TCP FIN scan
A FIN packet to tear down the connection, but no
connections are set up!!
Xmas Tree scan
Sends packets with the FIN, URG, and PUSH code
bits set
Null scan
Sends packets with no code bits set
47
Information Networking Security and Assurance Lab
National Chung Cheng University
TCP ACK Scans
SYN
SYN-ACK
SYN
Packet
Filter
Device
Allow outgoing traffic
and the established
responses
Block incoming traffic
if the SYN packet is set
EXTERNAL
NETWORK
INTERNAL
NETWORK
Allowing outgoing sessions (and responses),
while blocking incoming session initiation
Information Networking Security and Assurance Lab
National Chung Cheng University
48
TCP ACK Scans (cont.)
ACK dest port 1024
ACK dest port 1025
ACK dest port 1026
Aha! I know port 1026 is
open through the firewall
EXTERNAL
NETWORK
Packet
Filter
Device
RESET
INTERNAL
NETWORK
49
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Scanning Tools
What’s vulnerability scanner
Types of vulnerabilities
Common configuration errors
Default configuration weaknesses
Well-known system vulnerabilities
50
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Scanning Tools (cont.)
User
Configuration
Tool
Scanning
Engine
Knowledge
Base of Current
Active Scan
Vulnerability
Database
Results
Repository
& Report
Generation
A generic vulnerability scanner
Information Networking Security and Assurance Lab
National Chung Cheng University
TARGETS
51
Nessus
 Nessus Plug-ins categories:
 Finger abuses
 Windows
 Backdoors
 Gain a shell remotely
 CGI abuses
 Remote file access
 RPC
 Firewalls
 FTP
 SMTP
 ……
52
Information Networking Security and Assurance Lab
National Chung Cheng University
The Nessus Architecture
 Client-server architecture
 Client: user configuration tool and a results repository/report generation
tool
 Server: vulnerabilities database, a knowledge base of the current active
scan, and a scanning engine
 Supports strong authentication, based on public key encryption
 Supports strong encryption based on the twofish and ripemd
algorithms
 The advantage of the client-server architecture
 The most common use: running on a single machine
53
Information Networking Security and Assurance Lab
National Chung Cheng University
Intrusion Detection System
Tools can be detected by a network-based
intrusion detection system (IDS)
IDSs listen for attacks and warn administrators
of the attacker’s activities
The attackers evade detection by the IDS
BlackHat versus WhiteHat
54
Information Networking Security and Assurance Lab
National Chung Cheng University
How Intrusion Detection Systems Work
Captures all data on the LAN
Sort through this data to determine if an actual
attack is underway
Have a database of attack signatures
When attacks discovered, the IDS will warn
the administrator
55
Information Networking Security and Assurance Lab
National Chung Cheng University
A Network-Based Intrusion Detection
System
Port 23!
Alert! Alert
NETWORK
IDS
PROBE
TCP port 80
NETWORK
TCP port 23
ATTACKER
PROTECTED
SERVER
56
Information Networking Security and Assurance Lab
National Chung Cheng University
Gaining Access Using Application
and Operating System Attacks
57
Information Networking Security and Assurance Lab
National Chung Cheng University
Outlines
Stack-Based Buffer Overflow Attacks
Password Attacks
Web Application Attacks
58
Information Networking Security and Assurance Lab
National Chung Cheng University
What is a Stack-Based Buffer Overflow?
59
Information Networking Security and Assurance Lab
National Chung Cheng University
The Make up of a Buffer Overflow
60
Information Networking Security and Assurance Lab
National Chung Cheng University
Application Layer IDS Evasion for Buffer
Overflow
 K2 released ADMutate
A buffer overflows
exploit
ADMutate
A news exploit
 polymorphism
For NOPs
 Substitute a bunch of functionally equivalent statements for the
NOPs
For the machine language code
 Applies the XOR to the code to combine it with a randomly
generated key
61
Information Networking Security and Assurance Lab
National Chung Cheng University
Outlines
Stack-Based Buffer Overflow Attacks
Password Attacks
Web Application Attacks
64
Information Networking Security and Assurance Lab
National Chung Cheng University
Password Attacks
Guessing Default Passwords
Password Guessing through Login Scription
Password cracking
65
Information Networking Security and Assurance Lab
National Chung Cheng University
Let’s Crack Those Passwords!
Stealing the encrypted passwords and trying to
recover the clear-text password
Dictionary
Brute-force cracking
hybrid
•Create a password guess
•Encrypt the guess
•Compare encrypted guess with
encrypted value from the stolen
password file
•If match, you’ve got the password!
Else, loop back to the top.
Password cracking is really just a loop.
66
Information Networking Security and Assurance Lab
National Chung Cheng University
Tools Cracking Passwords
Cracking Windows NT/2000 Passwords Using
L0phtCrack (LC4)
http://www.atstake.com/products/lc/
Cracking UNIX-like and Windows-based
Passwords Using John the Ripper
http://www.openwall.com/john/
67
Information Networking Security and Assurance Lab
National Chung Cheng University
Outlines
Stack-Based Buffer Overflow Attacks
Password Attacks
Web Application Attacks
68
Information Networking Security and Assurance Lab
National Chung Cheng University
Account Harvesting
Account harvesting’s concept
Different error message for an incorrect userID than
for an incorrect password
Lock out user accounts?
Yes, DoS attack
No, password guessing across the network
69
Information Networking Security and Assurance Lab
National Chung Cheng University
Yellow-orange
IAmRyan
241230
70
Information Networking Security and Assurance Lab
National Chung Cheng University
Thank YOU
71
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Essentials Toolkit
Nmap
72
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference
73
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
 Reconnaissance is key for an attacker to be successful.
 To defend against attacks, you should examine your
systems from the viewpoint of the attacker.
 Use some tools that you can see what the attackers
see, and then you can patch any vulnerabilities.
 Nmap is a classic example of a reconnaissance tool.
74
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To know:
The features and role of Nmap in auditing systems.
How to install, use, and analyze the output of Nmap.
75
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
Hacker’s attack methodology.
Why we need Scanning Tools ?
76
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Permission
Do not proceed without receiving the necessary
permissions.
Hardware
Intel-based PC
Software
Windows OS and Linux OS
Nmap
http://www.insecure.org/nmap/
77
Information Networking Security and Assurance Lab
National Chung Cheng University
Challenge Procedure
Step 1:Install Nmap (Skip)
Step 2:Review Nmap Option
Step 3:Test Nmap
78
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2:Nmap Option (1/2)
By scan type :
Hosts (-sP)
TCP Ports (-sT)
RPC servers (-sR)
SYN scan (-sS)
FIN scan (-sF), Xmas tree (-sX), null scan (-sN)
ACK scan (-sA)
Scanning for UDP Ports (-sU)
79
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2:Nmap Option (2/2)
 By other function :
Fragmentation (-f)
Decoys (-D)
OS Fingerprinting (-O)
Timing (-T option)
option
Time between Probes
Probe Response Timeout
Paranoid
5 min
5 min
Sneaky
15 sec
15 sec
Polite
0.4 sec
6 sec (10 max)
Normal
None
6 sec (10 max)
Aggressive
None
1 sec (1.5 max)
Insane
None
0.3 sec max
80
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3:Test Nmap (NMapWin v1.3.1)
81
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3:Test Nmap (Linux Nmap)
82
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Nmap is an powerful tool that allows
administrators, as well as attackers, to
determine what services and ports are open on
a particular device.
Nmap scans of your network should be run
frequently to verify that new services or ports
have not been unknowingly add your
environment.
83
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
http://www.insecure.org/nmap/
84
Information Networking Security and Assurance Lab
National Chung Cheng University
85
Information Networking Security and Assurance Lab
National Chung Cheng University
A Real World Attack: wu-ftp
86
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
87
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
There have many intrusion accident happened
in day. Do you know what technique that
crackers can intrude your web server, mail
server and ftp server.
Today, this exercise will guide you through the
process of discovering a vulnerable system,
exploiting the vulnerability, and installing
software to cover your tracks.
88
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
Located a vulnerable system
Exploit that vulnerability to gain a root shell
Installed a RootKit
Access the system via the RootKit
89
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study (I)
 CERT Advisory CA-1999-13
Multiple Vulnerabilities in WU-FTPD
1. MAPPING_CHDIR Buffer Overflow
2. Message File Buffer Overflow
3. SITE NEWER Consumes Memory

http://www.cert.org/advisories/CA-1999-13.html
90
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study (II)
 What is Buffer overflow?
2003 Top Ten Vulnerability Threat (Symantec)
2
a programmer
Microsoft
RPCSS
DCOM
Interface Long
Filename Heap
Corruption
allowing
for an
unbounded
operation
on data.
3
Microsoft Windows ntdll.dll Buffer Overflow
4
Sun Solaris Sadmin Client Credentials Remote Administrative Access
5
Sendmail Address Prescan Memory Corruption
6
Multiple Microsoft Internet Explorer Script Execution
7
Microsoft Windows Workstation Service Remote Buffer Overflow
8
Samba ‘call_trans2open” Remote Buffer Overflow
9
Microsoft Windows Locator Service Buffer Overflow
10
Cisco IOS Malicious IPV4 Packet Sequence Denial of Service
1
Microsoft
Windows
DCOM RPC Internet
BufferisOverrun
A type of
programmatic
flaw that
due to
91
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
WARNING:
This process of cracking a system is only tested in
internal network.
Do not actual exploit on unprivileve host
Hardware
PC or Workstation with UNIX-like system
Software
Wu-ftp 6.2.0
RootKits and Buffer Overflow Program
92
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): reconnaissance and scanning
Use “nmap” for
system scanning
Test the account
of anonymous
93
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): exploit the target
Decompress the buffer overflow file
and compile it
List the usage of this
tool
94
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): cracking
Execute the
buffer
overflow on
target host
Got the root
right
95
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (IV)
 Download the rootkit from outside and install it
checking the login user
Download the tool from
another victim
Decompress the rootkit
Execute the rootkit
96
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (V): auto-patch the victim
the default login password
change the system command
open the telnet port
Report the system information
close the system filewall
97
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (IV)
try the rootkit if it works
The Telnet daemon has been
replaced
Input the ID and the Password
Which predefine by us
We have got a root shell now
Now you can do anything
98
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Checking the OS and applications’
vulnerability periodically.
Catch the idea of “Defense in Depth.”
There is no security operating system or
application for a willing heart.
99
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
CERT
http://www.cert.org/
Nmap
http://incsecure.org/
Buffer Overflow and RootKits download site
http://www.flatline.org.uk/~pete/ids/
100
Information Networking Security and Assurance Lab
National Chung Cheng University
101
Information Networking Security and Assurance Lab
National Chung Cheng University
The premier open source
Vulnerability Assessment tool
102
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
103
Information Networking Security and Assurance Lab
National Chung Cheng University
Description (I)
A security scanner is a software which will
audit remotely a given network and determine
whether crackers may break into it, or misuse
it in some way.
Nessus is a free, open source vulnerability
scanner that provide a view of your networks
as seen by outsiders.
104
Information Networking Security and Assurance Lab
National Chung Cheng University
Description (II)
 Nessus also provide many kinds of detailed
report that identifies the vulnerabilities and
the critical issues that need to be corrected.
 Nessus Features:
 Plugin-based
customized security checks can be written in
C or NASL2(Nessus’s Scripting Language ver. 2)
 Exportable report
Support many kinds of export report, like
ASCII text, LaTex and HTML
105
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
Teach you how to install, configure and use
Nessus.
You will also learn how to interpret its output.
106
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
nessus client
nessusd server
FTP server
Mail server
Nessus – Client and Server architecture
nessusWX win32 client
Target network
WWW server
107
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Permission
Do not proceed without receiving the
necessary permissions
 Hardware
PC or Workstation with UNIX-based OS
 Software
Client
 GTK- the gimp toolkit, version 1.2
Server
 OpenSSL
The latest stable release is nessus 2.0.9
108
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): install nessus
 Some way to install
lynx -source http://install.nessus.org | sh
 dangerous
sh nessus-installer.sh
 Easy and less dangerous
Install the nessus tarball archives individually
 nessus-libraries
 libasl
 nessus-core
 nessus-plugins
Safe, but noisy
109
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): create nessusd account
add the client user’s account
The authentication method
by password check
Edit user’s right
110
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): create nessusd account
The authentication method by
key change
The key information of user
111
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (IV): Configure your nessusd
 Edit the file /usr/local/etc/nessus/nessus.conf












plugins_folder = /usr/local/lib/nessus/plugins
max_hosts = 30
max_checks = 10
logfile = /usr/local/var/nessus/logs/nessusd.messages
log_whole_attack = yes
rules = /usr/local/etc/nessus/nessusd.rules
users = /usr/local/etc/nessus/nessusd.users
cgi_path = /cgi-bin:/scripts
port_range = default
use_mac_addr = no
plugin_upload = no
slice_network_addresses = no
Maximum number of
simultaneous host tested
Maximum number of
simultaneous checks
Scan the range of port
found in /etc/services
Can users upload plugins?
 Execute nessusd –D
 Default listen on TCP 1241
 Execute nessus
Safely start nessusd as
root on TCP 1241
112
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (V): Nessus client configuration (UNIX)
The nessusd server’s address
The open port number of nessusd
Login user name
User password
Click on “Log in”
113
Information Networking Security and Assurance Lab
National Chung Cheng University
The test would not cause the target host crash
114
Information Networking Security and Assurance Lab
National Chung Cheng University
The scan range
You can give extra information
to some security check so that
the audit is more complete
Send the test result to
defined mail address
Avoid the detection by
IDS
Choice the scan tools
115
Information Networking Security and Assurance Lab
National Chung Cheng University
Input the target’s address
allow a user to restrict his test.
For instance, I want to test
10.163.156.1/24, except
10.163.156.5. The ruleset I
entered allows me to do that.
A single IP address: 10.163.156.1
A range of IP addresses: 10.163.156.1-254
A range of IP addresses in CIDR:
10.163.156.1/24
A hostname in Full Qualified Domain
Name notation:
hope.fr.nessus.org
116
Information Networking Security and Assurance Lab
National Chung Cheng University
The Nessus Knowledge Base Feature:
Allow user can save the Knowledge base
in client host
Nessus information
117
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (VI): the scan process
The target’s open port
Scaning
The security level
Comments of this note
The resource of this
security include
know-how and the
solution
118
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (VI): the export of the data
Report in nessus clinent format
export to XML
LaTeX format can be output to PDF
Report in Html with graphs
119
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
 PC Magazine nominated Nessus as being one of the “Best
Products of 2003", in the "open-source" category !
 Nessus is a powerful vulnerability assessment and port scanner
that allows you to see the same view of your network that an
outsider sees.
120
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
Nessus & Nessus WX website
http://www.nessus.org
NeWT website
http://www.tenablesecurity.com/newt.html
PC Manage
http://www.pcmag.com/article2/0,4149,1420870,00.
asp
121
Information Networking Security and Assurance Lab
National Chung Cheng University
122
Information Networking Security and Assurance Lab
National Chung Cheng University
Appendix A – other nessus commands
 nessus-build
 Script can be used to build a .nes nessus plugin from a .c source file.
 nessus-config
 Displays compiler/linker flags for the nessus libaries
 nessus-mkcert-client
 Create a client certificate
 Protects the communication between the client and the server by using
SSL. SSL requires the server to present a certificate to the client, and the
client can optionally present a certificate to the server.
 nessus-mkrand
 Create a file with random bytes
 nessus-adduser
 Is a simple program which will add a user in the proper nessusd
configuration files, and wil send a singal to nessusd if it is running to
notify it of the changes.
123
Information Networking Security and Assurance Lab
National Chung Cheng University
Appendix B - NessusWX
Nessus Client for Win32
http://nessuswx.nessus.org/
Current version 1.4.4
124
Information Networking Security and Assurance Lab
National Chung Cheng University
125
Information Networking Security and Assurance Lab
National Chung Cheng University
126
Information Networking Security and Assurance Lab
National Chung Cheng University
127
Information Networking Security and Assurance Lab
National Chung Cheng University
Options & port scan properties
128
Information Networking Security and Assurance Lab
National Chung Cheng University
Connection & comments
129
Information Networking Security and Assurance Lab
National Chung Cheng University
130
Information Networking Security and Assurance Lab
National Chung Cheng University
131
Information Networking Security and Assurance Lab
National Chung Cheng University
132
Information Networking Security and Assurance Lab
National Chung Cheng University
133
Information Networking Security and Assurance Lab
National Chung Cheng University
Applendix C – commercial product
NeWT 1.0
A native port of Nessus under Windows, which is
very easy to install and to use
This is a commercial product from Tenable Network
Security
134
Information Networking Security and Assurance Lab
National Chung Cheng University
Start Screen
135
Information Networking Security and Assurance Lab
National Chung Cheng University
Scan config
136
Information Networking Security and Assurance Lab
National Chung Cheng University
Scan in progress
137
Information Networking Security and Assurance Lab
National Chung Cheng University
Example report
138
Information Networking Security and Assurance Lab
National Chung Cheng University
FAQ: Network Intrusion
Detection Systems
139
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Introduction
Architecture
Policy & Resources
IDS and Firewalls
Limitations of NIDS
140
Information Networking Security and Assurance Lab
National Chung Cheng University
Introduction
What is a "network intrusion detection
system (NIDS)"?
Who is misusing the system?
Why can intruders get into systems?
What is a typical intrusion scenario?
Where can I find current statistics about
intrusions?
141
Information Networking Security and Assurance Lab
National Chung Cheng University
What is a "network intrusion detection system (NIDS)"?
 An intrusion is somebody attempting to break into or misuse
your system. The word "misuse" is broad, and can reflect
something severe as stealing confidential data to something
minor such as misusing your email system for spam.
 Network intrusion detection systems (NIDS) monitors
packets on the network wire and attempts to discover if a
hacker / cracker is attempting to break into a system (or cause
a denial of service attack).
142
Information Networking Security and Assurance Lab
National Chung Cheng University
Who is misusing the system?
 Outsiders
Outside intruders may come from the Internet, dial-up lines, physical
break-ins, or from partner (vendor, customer, reseller, etc.) network that is
linked to your corporate network.
 Insiders
Intruders that legitimately use your internal network. These include users
who misuse privileges or who impersonate higher privileged users.
 A frequently quoted statistic is that 80% of security
breaches are committed by insiders.
143
Information Networking Security and Assurance Lab
National Chung Cheng University
Why can intruders get into systems?
 Software bugs
Buffer overflows、Unexpected combinations、Unhandled input、Race
conditions…
 System configuration
Default configurations、Lazy administrators、Hole creation、Trust
relationships…
 Password cracking
Really weak passwords、Dictionary attacks、Brute force attacks…
 Sniffing unsecured traffic
Shared medium、Server sniffing、Remote sniffing…
 Design flaws
TCP/IP protocol flaws、UNIX design flaws…
144
Information Networking Security and Assurance Lab
National Chung Cheng University
What is a typical intrusion scenario?
 A typical scenario might be:
 Step 1: Outside reconnaissance
The intruder might search news articles and press releases about your company.
 Step 2: Inside reconnaissance
At this point, the intruder has done 'normal' activity on the network and has not done anything that
can be classified as an intrusion.
 Step 3: Exploit
The intruder crosses the line and starts exploiting possible holes in the target machines.
 Step 4: Foot hold
At this stage, the hacker has successfully gained a foot hold in your network by hacking
into a machine.
 Step 5: Profit
The intruder takes advantage of their status to steal confidential data, misuse system
resources, or deface web pages.
145
Information Networking Security and Assurance Lab
National Chung Cheng University
Where can I find current statistics about intrusions?
 CyberNotes by NIPC
http://www.fbi.gov/nipc/welcome.htm
 AusCERT Consolidated Statistics Project
http://www.auscert.org.au/Information/acsp/index.html
 An Analysis Of Security Incidents On The Internet 1989 –
1995
http://www.cert.org/research/JHThesis/Start.html
 CERT Reports, Articles, and Presentations
http://www.cert.org/nav/reports.html
 1999 CSI-DBI Survey
http://www.gocsi.com/summary.htm
http://www.gocsi.com/prelea990301.htm
146
Information Networking Security and Assurance Lab
National Chung Cheng University
Architecture
How are intrusions detected?
What happens after a NIDS detects an attack?
Where do I put IDS systems on my network?
147
Information Networking Security and Assurance Lab
National Chung Cheng University
How are intrusions detected?
 Anomaly detection
The most common way people approach network intrusion detection is to
detect statistical anomalies. The idea behind this approach is to measure a
"baseline" of such stats as CPU utilization, disk activity, user logins, file
activity, and so forth. Then, the system can trigger when there is a deviation
from this baseline.
 Signature recognition
The majority of commercial products are based upon examining the traffic
looking for well-known patterns of attack. This means that for every hacker
technique, the engineers code something into the system for that technique.
148
Information Networking Security and Assurance Lab
National Chung Cheng University
What happens after a NIDS detects an attack?











Reconfigure firewall
chime
SNMP Trap
NT Event
syslog
send e-mail
page
Log the attack
Save evidence
Launch program
Terminate the TCP session
149
Information Networking Security and Assurance Lab
National Chung Cheng University
Where do I put IDS systems on my network?
 Some Places suggest to put IDS:
 Network hosts
A NIDS installed like virus scanning software is the most effective way to detect such
intrusions.
 Network perimeter
IDS is most effective on the network perimeter, such as on both sides of the firewall,
near the dial-up server, and on links to partner networks.
 WAN backbone
Another high-value point is the corporate WAN backbone. A frequent problem is
hacking from "outlying" areas to the main corporate network.
 Server farms
For extremely important servers, you may be able to install dedicate IDS systems that
monitor just the individual server's link.
 LAN backbones
IDS systems are impractical for LAN backbones, because of their high traffic
requirements. Some vendors are incorporating IDS detection into switches.
150
Information Networking Security and Assurance Lab
National Chung Cheng University
Policy & Resources
How should I implement intrusion detection
my enterprise?
Where can I find updates about new security
holes?
What are some other security and intrusion
detection resources?
151
Information Networking Security and Assurance Lab
National Chung Cheng University
How should I implement intrusion detection my enterprise?
 Think about how you can configure the following systems in order to
detect intruders:
 Operating Systems
Such as WinNT and UNIX come with integrated logging/auditing features that can be
used to monitor security critical resources.
 Services
Such as web servers, e-mail servers, and databases, include logging/auditing features as
well.
 Network Intrusion Detection Systems
That watch network traffic in an attempt to discover intrusion attempts.
 Firewalls
Usually have some network intrusion detection capabilities.
 Network management platforms
Have tools to help network managers set alerts on suspicious activity.
152
Information Networking Security and Assurance Lab
National Chung Cheng University
Where can I find updates about new security holes?
 CERT (Computer Emergency Response Team)
http://www.cert.org
 AUSCERT (AUStralian Computer Emergency Response
Team)
http://www.auscert.org.au/
 CIAC (Computer Incident Advisory Capability) by US
Department of Energy
http://www.ciac.org/.
153
Information Networking Security and Assurance Lab
National Chung Cheng University
What are some other security and intrusion detection resources?
SANS Institute
http://www.sans.org/
Technical Incursion Countermeasures
http://www.ticm.com
IDS mailing list
Email questions to [email protected]
ISS database
http://www.iss.net/security_center/advice/Countermeasures/
Intrusion_Detection/default.htm
154
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS and Firewalls
Why do I need IDS if I already have a firewall?
155
Information Networking Security and Assurance Lab
National Chung Cheng University
Why do I need IDS if I already have a firewall?
 Some reasons for adding IDS to you firewall are:
 Double-checks misconfigured firewalls.
 Catches attacks that firewalls legitimate allow through (such as attacks
against web servers).
 Catches attempts that fail.
 Catches insider hacking.
 "Defense in depth, and overkill paranoia, are your
friends.“ (quote by Bennett Todd ) Hackers are much more
capable than you think; the more defenses you have, the better.
156
Information Networking Security and Assurance Lab
National Chung Cheng University
Limitations of NIDS
Switched network
Resource limitations
157
Information Networking Security and Assurance Lab
National Chung Cheng University
Switched network
 There are some solutions to this problem, but not all of them
are satisfactory.
 Embed IDS within the switch
Some vendors (Cisco, ODS) are imbedding intrusion detection directly into switches.
 Monitor/span port
Many switches have a "monitor port" for attaching network analyzers. A NIDS can
easily be added to this port as well.
 Tap into the cable (for inter-switch or switch-to-node)
A monitor can be connected directly to the cable in order to monitor the traffic.
 Host-based sensors
The only way to defeat the resource limitations of switched networks is to distribute
host-based intrusion detection.
158
Information Networking Security and Assurance Lab
National Chung Cheng University
Resource limitations
 This section lists some typical resource issues:
Network traffic loads
Current NIDS have trouble keeping up with fully loaded segments.
TCP connections
IDS must maintain connection state for a large number of TCP connections.
This requires extensive amount of memory.
Other state information
TCP is the simplest example of state information that must be kept by the IDS
in memory, but other examples include IP fragments, TCP scan information,
and ARP tables.
Long term state
A classic problem is "slow scans", where the attacker scans the system very
slowly.
159
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Organization
160
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
NIPC
CERT
AusCERT
CIAC
SANS Institute
CVE
161
Information Networking Security and Assurance Lab
National Chung Cheng University
NIPC
 National Infrastructure Protection Center
 http://www.nipc.gov
 Publication:
CYBERNOTES
 Every two weeks by Information Analysis and Infrastructure
Protection (IAIP) at the Department of Homeland Security.
•
•
•
•
Bugs, Holes & Patches
Trends
Viruses
Trojans
162
Information Networking Security and Assurance Lab
National Chung Cheng University
CERT® Coordination Center (CERT®/CC )
 Computer Emergency Response Team
 http://www.cert.org/nav/index_main.html
 CERT/CC was the first computer security incident
response team.
Vulnerabilities, Incidents & Fixes
 Incident Notes & Vulnerability Notes
Security Practices & Evaluations
Survivability Research & Analysis
Training & Education
163
Information Networking Security and Assurance Lab
National Chung Cheng University
AusCERT
 AusCERT, as Australia’s national Computer Emergency
Response Team (CERT), is an independent, not-for-profit
organization, based at The University of Queensland.
 https://www.auscert.org.au/index.html
 AusCERT has a representative on the Forum for Incident
Response and Security Teams (FIRST) steering committee.
 Publication:
 Security Bulletins
 Member Newsletters
 Checklists
 Presentations and Papers
164
Information Networking Security and Assurance Lab
National Chung Cheng University
CIAC
Computer Incident Advisory Capability
U.S. Department of Energy
http://www.ciac.org/ciac/index.html
Publication:
CIAC Bulletins and Advisories
CIAC Technical Bulletins
Computer Security Tools (Developed by CIAC)
165
Information Networking Security and Assurance Lab
National Chung Cheng University
SANS Institute
SysAdmin, Audit, Network, Security
http://www.sans.org/index.php
SANS Computer & Information Security Training
SANS Weekly Security Bulletins and Alerts
SANS Forum
SANS Top Twenty List
166
Information Networking Security and Assurance Lab
National Chung Cheng University
CVE®
 Common Vulnerabilities and Exposures
 http://cve.mitre.org/
 CVE is sponsored by U.S. Department of Homeland
Security.
 CVE aims to standardize the names for all publicly
known vulnerabilities and security exposures.
 A list of standardized names for vulnerabilities and
other information security exposures.
167
Information Networking Security and Assurance Lab
National Chung Cheng University
CVE® (cont.)
 How to Build the CVE List:
Stage 1: Submission
 Conversion、Matching、Refinement、Editing Phase
Stage 2: Candidates
 Assignment 、Proposal 、Voting 、Modification 、Final
Decision Phase
Stage 3: The Entry
 Changing the name from CAN-YYYY-NNNN to CVE-YYYYNNNN
 Modification Phase
168
Information Networking Security and Assurance Lab
National Chung Cheng University
CVE Goal
169
Information Networking Security and Assurance Lab
National Chung Cheng University
171
Information Networking Security and Assurance Lab
National Chung Cheng University
Host-Based Intrusion Detection software
TRIPWIRE
172
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
173
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
The first objective of an attacker is to obtain
access to your system. The second objective is
to retain that access, even if you close the hole
she entered. To accomplish this, an attacker
will often install a RootKit
Tripwire creates a database of advanced
mathematical checksums (MD5) to take a
snapshot of a system’s file properties and
contents.
174
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To introduce you to the installation,
configuration, and use of Tripwire as a hostbased intrusion detection system
175
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
 What is RootKit?
a collection of modified System
Binaries that are designed to hide the
attacker’s activities on your system.
 How do you know if you can trust the information
your system is giving you?
176
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Hardware:
PC or Workstation with UNIX-based OS
Software
Tripwire 2.3.1
177
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): Install on FreeBSD
 FreeBSD
Enter
local
Make
withthe
FreeBSD
passphrase
portthe
treesite
Enter
Enter
the
site
Enter
the
site
Enter
the
local key
passphrase
keyfile
passphrase
passphrase
file passphrase
The information
Generating
the
of install
database
by the
configuration
policy
file
Waitlocal
a while
Install
for creating
complete
the database
The
keyfile
passphrase
will need when initial
The site keyfile passphrase will need when initial
or modify
SignSign
the
thetripwire
the
Tripwire
Tripwire
database
configuration
policy
file.file
The
filelocal key
or modify the configuration file or the policy file
may also be used for signing integrity check reports
Accept the license
agreement178
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): Test Tripwire
Add a user name is
jared who have root
access right
compare the file system and the tripwire database
The output after check
the file system
Tripwire detect that the
file have been modified
179
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): Scheduling function
 Using “crontab” to run Tripwire check every day as 1 a.m. and the output
will be mailed to root at same time.
 Edit /etc/crontab with root and restart /usr/sbin/cron
180
Information Networking Security and Assurance Lab
National Chung Cheng University
The tripwire configure file
The tripwire policy file
181
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Using a database of calculate checksums,
tripwire is capable of detecting when a critical
system file is changed.
The database made by tripwire should be
secured in such a way that an attacker can not
alter it.
182
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
http://www.tripwire.org
RFC 1321 - The MD5 Message-Digest
Algorithm
Man page of tripwire
183
Information Networking Security and Assurance Lab
National Chung Cheng University
184
Information Networking Security and Assurance Lab
National Chung Cheng University
Appendix – install on Linux
Select the tripwire rpm for each linux
distribution and install it.
rpm –I tripwire-[version].i386.rpm
After complete the installation, create the
site keyfile password and the local keyfile
password
sh /etc/tripwire/twinstall.sh
185
Information Networking Security and Assurance Lab
National Chung Cheng University
Sign the Tripwire configuration file
Sign the Tripwire policy file
Install the default policy
/usr/sbin/twadmin –m P /etc/tripwire/twpol.txt
Generate the initial checksum database
/usr/sbin/tripwire –m I
Edit the default site policy file
vi /etc/tripwire/twpol.txt
186
Information Networking Security and Assurance Lab
National Chung Cheng University
Network-Based Intrusion Detection
TCPDUMP
187
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
188
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Packet sniffing is the heart of intrusion
detection and of understanding what is actually
occurring on your network.
TCPDUMP provides options and filters to
assist in the proper and thorough analysis of
the acquired traffic.
189
Information Networking Security and Assurance Lab
National Chung Cheng University
Propose
To demonstrate how to install and use
TCPdump and how to analyze data that is
collected.
To understand what the basic functionality of
network-based intrusion detection.
190
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
Promiscuous mode
In a network, promiscuous mode allows a network
device to intercept and read each network packet that
arrives in its entirety.
This mode of operation is sometimes given to a
network snoop server that captures and saves all
packets for analysis
191
Information Networking Security and Assurance Lab
National Chung Cheng University
Output format
ARP/RARP packets
arp who-has [A] tell [B]
arp reply [A] is-at [a]
TCP packets
src > dst: flags data-seqno ack window urgent options
 src: source ip address and port
 dst: destination ip address and port
 flags: S (SYN), F (FIN), P(PUSH), R(RST), . (no flags)
 Data-seqno: describes the portion of sequence space covered by the data in
the packet
 Ack: sequence number of the next data
 Window: the number of byte of receive buffer space
 Urg: indicates there is “urgent” data in the packet
 Options: tcp options enclosed in angle brackets
192
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Hardware:
PC or Workstation with UNIX-based OS or
Microsoft windows
Software
TCPDUMP 3.8.1
LIBCAP 0.8.1
193
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): install
 For Linux
 Download libpcap from http://www.tcpdump.org/release/libpcap0.7.2.tar.gz
tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2; ./configure;
make; make install
 Download tcpdump fom http://www.tcpdump.org/release/tcpdump3.7.2.tar.gz
tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump3.7.2; ./configure; make; make install
 For FreeBSD
bulit-in
194
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): execute
Listen on the address
is 140.123.113.86 and
don’t convert address
to names
The packets
number is count
by kernel
Listen the packet which tcp port is 80
Too many packet that the system can not process
195
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
TCPdump is powerful packet capture utilities
that allow for the extraction of particular types
of network traffic based on header information.
They can filter any field in the IP, ICMP, UDP,
or TCP header using byte offsets.
196
Information Networking Security and Assurance Lab
National Chung Cheng University
Replay packets from capture files
TCPREPLAY
197
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
TCPreplay is a tool for replaying network
traffic from files which saved by tcpdump
TCPreplay resend all packets from input files
at the speed at which they were recorded, a
specified data rate, or as fast as the hardware is
capable.
198
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Hardware:
PC or Workstation with UNIX-based OS
Software
TCPreplay 2.02
199
Information Networking Security and Assurance Lab
National Chung Cheng University
Step
200
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Originally, TCPreplay was written to test
network intrusion detection systems, however
TCPreplay has been used to test firewalls,
routers, and other network devices.
201
Information Networking Security and Assurance Lab
National Chung Cheng University
Host-based Intrusion Detection software
the Simple WATCHdog
swatch
202
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Reconnaissance is important for a successful
attack, but it can also give the attacker away
swatch monitor syslog by looking for new
entries that match specific criteria and provides
a variety of alert mechanisms
203
Information Networking Security and Assurance Lab
National Chung Cheng University
Propose
Exercise demonstrates how to install and
configure swatch
After swatch is install, an alert is triggered and
notification is sent
204
Information Networking Security and Assurance Lab
National Chung Cheng University
Requirement facilities
Hardware
pc or workstation
software
Perl 5
Time::HiRes
Date::Calc
Date::Format
File::Tail
205
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): Install
206
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): Config
 Copy the example configuration file and review it
207
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III)
execute swatch with root and put it into
background
208
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (IV)
change the swatch configuration file
Trigger an event that will cause swatch to issue
a notification
209
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (V)
check the mail
210
Information Networking Security and Assurance Lab
National Chung Cheng University
summary
Swatch provides a simple method for
notification when selected events occur on
the system
Swatch also provides variety of notification
methods, such as mail, pagers, pop-up
windows, or other custom command
Swatch reduce the need for continual
attention to log file while providing a more
timely awareness of issues as they arise.
211
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
TCPdump website
http://www.tcpdump.org
WinDump
http://windump.polito.it
TCPreplay website
http://tcpreplay.sourceforge.net
swatch website
http://swatch.sourceforge.net
212
Information Networking Security and Assurance Lab
National Chung Cheng University
213
Information Networking Security and Assurance Lab
National Chung Cheng University
Hacking II
214
Information Networking Security and Assurance Lab
National Chung Cheng University
Gaining Access Using Network
Attacks
215
Information Networking Security and Assurance Lab
National Chung Cheng University
Sniffer
A sniffer grab anything sent across the LAN
What type of data can a sniffer capture?
Anything, but encrypted
An attacker must have an account
Island hopping attack
216
Information Networking Security and Assurance Lab
National Chung Cheng University
Island hopping attack
LAN
217
Information Networking Security and Assurance Lab
National Chung Cheng University
Some of the most interesting sniffers
Passive sniffing
Snort, a freeware sniffer and network-based IDS,
available at www.snort.org
Sniffit, freeware running on a variety of UNIX
flavors, available at
reptile.rug.ac.be/~coder/sniffit/sniffit.html
Active sniffing
Dsniff, a free suite of tools built around a sniffer
running on variations of UNIX, available at
www.monkey.org/~dugsong/dsniff
218
Information Networking Security and Assurance Lab
National Chung Cheng University
Sniffing through a Hub: Passive Sniffing
Blah, blah, blah
HUB
Blah, blah, blah
BROADCAST ETHERNET
219
Information Networking Security and Assurance Lab
National Chung Cheng University
Active Sniffing: Sniffing through a Switch
and Other Cool Goodies
Switched Ethernet does not broadcast
Looks at the MAC address
Active sniffing tool: Dsniff
Blah, blah, blah
SWITCH
SWITCHED ETHERNET
220
Information Networking Security and Assurance Lab
National Chung Cheng University
Advanced sniffing attacks
Foiling Switches with Spoofed ARP Messages
Remapping DNS names to redirect network
connections
Sniffing SSL and SSH connections
221
Information Networking Security and Assurance Lab
National Chung Cheng University
Foiling Switches with Spoofed ARP
Messages(1)
Victim’s traffic
isn’t sent to
attacker
Blah, blah, blah
THE
OUTSIDE
WORLD
SWITCH
CLIENT
MACHINE
DEFAULT
ROUTER
A switched LAN prevents an attacker from passively sniffing traffic
222
Information Networking Security and Assurance Lab
National Chung Cheng University
Foiling Switches with Spoofed ARP
Messages(2)
1 Configure IP Forwarding to
send packets to the default
router for the LAN and activates
the Dsniff program
2 Send fake ARP
response to remap default
router IP address to
attacker’s MAC address.
SWITCH
CLIENT
MACHINE
Router’s IP
Attacker’s
Router’s MAC
MAC
3 Victim sends
traffic destined for
the outside world.
Based on poisoned
ARP table entry,
traffic is really sent
to the attacker’s
MAC address.
4 Sniff the traffic from the link.
5 Packets are forwarded
from attacker’s machine to
the actual default router for
delivery to the outside
world.
THE
OUTSIDE
WORLD
DEFAULT
ROUTER
Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN
223
Information Networking Security and Assurance Lab
National Chung Cheng University
Sniffing and Spoofing DNS
1 Attacker activates
dnsspoof program
Attacker quickly sends fake DNS
response with any IP address the
attacker wants the victim to use:
www.skoudisstuff.com =
10.1.1.56
Attacker sniffs DNS request
from the line.
SWITCH
CLIENT
MACHINE
Victim tries to
resolve a
name using
DNS
Victim now surfs
to attacker’s site
instead of desired
destination.
www.skoudisstuff.com
,the desired
destination at
10.22.12.41
DEFAULT
ROUTER
THE
OUTSIDE
WORLD
Attacker’s machine at 10.1.1.56
224
Information Networking Security and Assurance Lab
National Chung Cheng University
Sniffing an HTTPS connection using dsniff’s
person-in-the-middle attack
2 Dnsspoof sends fake DNS
response with the IP address
of the machine running
webmitm (10.1.2.3)
www.edsbank.com
3 Victim establishes
SSL connection, not
knowing attacker is
proxying connection
1 Attacker activates dnsspoof
and webmitm programs
IP address
= 10.1.2.3
4 Webmitm proxies the https connection,
establishing an https connection to the
server and sending the attacker’s own
certificate to the client
LAN
5 Victim now
access
the desired
server,
but all traffic is
viewable by
attacker using
webmitm as a
proxy
www.skoudisstuff.comt
he desired destination
at 10.22.12.41
DEFAULT
ROUTER
THE
OUTSIDE
WORLD
IP address 10.22.12.41
225
Information Networking Security and Assurance Lab
National Chung Cheng University
IP Address Spoofing
Changing or disguising the source IP address
Not want to have their actions traced back
Helps attackers undermine various applications
IP Address Spoofing
Flavor 1: Simply Changing the IP Address
Flavor 2: Undermining UNIX r-Commands
Flavor 3: Spoofing with Source Routing
226
Information Networking Security and Assurance Lab
National Chung Cheng University
Simply Changing the IP Address
EVE
SYN (A, ISNA)
ACK (A, ISNA) SYN (B, ISNB)
RESET !!!
ALICE
BOB
227
Information Networking Security and Assurance Lab
National Chung Cheng University
Spoofing with Source Routing 1/2
Let the attacker get responses
Allows the source machine sending a packet to
specify the path it will take on the network
Two kinds of source routing
Loose source routing
Strict source routing
Reference: RFC 791
228
Information Networking Security and Assurance Lab
National Chung Cheng University
IP Options
Class Number Length
Description
0
0
0
0
0
0
1
2
3
7
0
0
11
Var
Var
End of Options
No op
Security
Loose Source Routing
Record Route
0
0
2
8
9
4
4
Var
Var
Stream ID (obsolete)
Strict Source Routing
Internet Time-Stamp
229
Information Networking Security and Assurance Lab
National Chung Cheng University
Spoofing with Source Routing 2/2
PACKET
EVE
PACKET
Route:
1. Alice
2. Eve
3. Bob
Packet Contents
Route:
1. Alice
2. Eve
3. Bob
Packet Contents
ALICE
Spoofing attack using
source routing.
BOB
230
Information Networking Security and Assurance Lab
National Chung Cheng University
IP Spoofing Defense
Implement “anti-spoof” packet filters
Both incoming (ingress) and outgoing (egress)
Not allow source-routed packets through
network gateways
231
Information Networking Security and Assurance Lab
National Chung Cheng University
IP Spoofing Defense
NETWORK A
FILTERING
DEVICE
Dropped
NETWORK B
Packet with
IP source address
on Network A
Anti-spoof filters.
232
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking 1/3
 A marriage of sniffing
and spoofing
 Seeing packets, but also
monitoring the TCP
sequence numbers
 Sniffing, then injecting
spoofed traffic
Alice telnet
NETWORK
Alice
BOB
“Hi, I’m
Alice”
EVE
A network-based session hijacking scenario.
233
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking 2/3
 Session hijacking tools
Hunt, network-based
Dsniff’s sshmitm tool
Juggernaut, network-based
TTYWatcher, host-based
TTYSnoop, host-based
234
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking 3/3
ACK ACK ACK ACK
NETWORK
Alice
BOB
Packets with increasing
sequence numbers
EVE
An ACK storm triggered by session hijacking.
235
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking with Hunt 1/3
 Hunt
Network-based session-hijacking tool
Runs on Linux
Allows to view a bunch of sessions, and select a particular
one to hijack
Inject a command or two into the session stream, resulting in
an ACK storm
How to prevent an ACK storm?
ARP spoofing
• Sends unsolicited ARPs, known as “gratuitous packets”
• Most system devour, overwriting the IP-to-MAC address
mapping in their ARP tables
236
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking with Hunt 2/3
IP = a.b.c.d
MAC = AA.AA.AA.AA.AA.AA
IP = w.x.y.z
MAC = BB.BB.BB.BB.BB.BB
“ARP
w.x.y.z is at
DD.DD.DD.DD.DD.DD”
“ARP
a.b.c.d is at
EE.EE.EE.EE.EE.EE”
IP = Anything
MAC = CC.CC.CC.CC.CC.CC
237
Information Networking Security and Assurance Lab
National Chung Cheng University
Session Hijacking with Hunt 3/3
IP = e.f.g.h
MAC = GG.GG.GG.GG.GG.GG
IP = i.j.k.l
MAC = HH.HH.HH.HH.HH.HH
IP = w.x.y.z
MAC = BB.BB.BB.BB.BB.BB
IP = a.b.c.d
MAC = AA.AA.AA.AA.AA.AA
“ARP
i.j.k.l is at
II.II.II.II.II.II”
“ARP
e.f.g.h is at
JJ.JJ.JJ.JJ.JJ.JJ”
IP = Anything
MAC = CC.CC.CC.CC.CC.CC
238
Information Networking Security and Assurance Lab
National Chung Cheng University
Netcat: A General Purpose Network Tool
 Swiss Army knife
of network tools
 two modes
Client mode: nc
Listen mode: nc –l
Supports source
routing
SYSTEM RUNNING NETCAT
Input from
a file
NETCAT
IN CLIENT
MODE
Output sent
across the network to any
TCP or UDP port
on any system.
SYSTEM RUNNING NETCAT
Input received
from the network
on any TCP or
UDP port.
NETCAT
IN LISTEN
MODE
Input from
a file
239
Information Networking Security and Assurance Lab
National Chung Cheng University
Netcat for File Transfer
 Pushing
Destination machine receiving file
 $nc –l –p 1234 > [file]
Source machine sending file
 $nc [remote_machine] 1234 < [file]
SOURCE
Send to TCP
port X
DESTINATION
Input from NETCAT
a file
IN CLIENT
MODE
NETCAT
IN LISTEM
MODE
Output to
a file
Listen
on port X
240
Information Networking Security and Assurance Lab
National Chung Cheng University
Netcat for File Transfer
 Pulling
Source machine, offering file for transfer
 $nc –l –p 1234 < [file]
Destination machine, pulling file
 $nc [remote_machine] 1234 > [file]
SOURCE
Listen
on port X
Input from NETCAT
a file
IN LISTEN
MODE
Connect
to port X
DESTINATION
NETCAT
IN CLIENT
MODE
Dumps file
across network
Output to
a file
Receives file
from network
241
Information Networking Security and Assurance Lab
National Chung Cheng University
Netcat for Port Scanning
Supports only standard, “vanilla” port scans,
which complete the TCP three-way handshake
 $ echo QUIT | nc –v –w 3 [target_machine] [startport] - [endport]
242
Information Networking Security and Assurance Lab
National Chung Cheng University
Netcat for Vulnerability Scanning
 Used as a limited vulnerability scanning tool
 Write various scripts that implement vulnerability
checks
 The UNIX version of Netcat ships with several shell
scripts, including
RPC
NFS
Weak trust relationships
Bad passwords
 Limited compared to Nessus
243
Information Networking Security and Assurance Lab
National Chung Cheng University
Relaying Traffic with Netcat
Send
NC
output
LISTENER to input
NC
CLIENT
Send
NC
output
LISTENER to input
NC
CLIENT
244
Information Networking Security and Assurance Lab
National Chung Cheng University
Relaying Traffic with Netcat
DMZ
SYSTEM COMPROMIZED
BY ATTACKER
Listen
on UDP
port 53
NETCAT
CLIENT
OUTSIDE
Send
NC
output
LISTENER to input
NC
CLIENT
Originate
on TCP
port 25
No traffic allowed from outside to inside.
NETCAT LISTENER ON
DNS traffic (UDP 53) allowed from outside to DMZ.
INTERNAL SYSTEM
SMTP traffic (TCP 25) allowed from DMZ to inside.
INSIDE
245
Information Networking Security and Assurance Lab
National Chung Cheng University
Introduction to DoS
STOPPING SERVICES
Process killing
System reconfiguring
LOCALLY Process crashing
EXHAUSTING RESOURCES
Forking processes to fill
the process table
Filling up the whole file
system
ATTACK IS
LAUNCHED…
Malformed packet attacks Packet floods, (e.g., SYN
(e.g., Land, Teardrop, etc.) Flood, Smurf, Distributed
REMOTELY
Denial of Service
Denial-of-Service attack categories
246
Information Networking Security and Assurance Lab
National Chung Cheng University
Stopping Local Services
Using a local account, stopping valuable
processes that make up services
Shut down the inetd process
Methods for stopping local services:
Process killing
System reconfiguration
Process crashing
A nasty example: the logic bomb
Logic bomb extortion threats
247
Information Networking Security and Assurance Lab
National Chung Cheng University
Locally Exhausting Resources
When resources are exhausted, the system
grind to a halt, preventing legitimate access
Methods for exhausting local resources
Filling up the process table
Filling up the file system
Sending outbound traffic that fills up the
communications link
248
Information Networking Security and Assurance Lab
National Chung Cheng University
Remotely Stopping Services
 Remote DoS attacks more prevalent
 Exploit an error in the TCP/IP stack
Exploit Name
Overview of How It Works
Susceptible Platforms
Land
Sends a spoofed packet, where the source IP
address is the same as the destination IP address,
and the source port is the same as the destination
port, The target receives a packet that appears to be
leaving the same port that it is arriving on, at the
same time on the same machine. Older TCP/IP
stacks get confused at this unexpected event and
crash
A large number of platforms,
including Windows systems,
various UNIX types, routers,
printers, etc.
Latierra
A relative of Land, which sends multiple Land-type
packets to multiple ports simultaneously
A large number of platforms,
including Windows systems,
various UNIX types, routers,
printers, etc.
249
Information Networking Security and Assurance Lab
National Chung Cheng University
Remotely Stopping Services
Exploit Name
Overview of How It Works
Susceptible Platforms
Ping of Death
Sends an oversized ping packet. Older TCP/IP stacks
cannot properly handle a ping packet greater than 64
kilobytes, and crash when one arrives.
Numerous systems, including
Windows, many UNIX variants,
printers, etc.
Jolt2
Sends a stream of packet fragments, none of which
have a fragment offset of zero. Therefore, none of the
fragments looks like the first one in the series. As
long as the stream of fragments is being sent,
rebuilding these bogus fragments consumes all
processor capacity on the target machine.
Windows 95, 98, NT, and 2000
Teardrop, Newtear,
Bonk, Syndrop
Various tools that send overlapping IP packet
fragments. The fragment offset values in the packet
headers are set to incorrect values, so that the
fragments do not align properly when reassembled.
Some TCP/IP stacks crash when they receive such
overlapping fragments.
Windows 95, 98, and NT and
Linux machines.
Winnuke
Sends garbage data to an open file sharing port (TCP
port 139) on a Windows machine. When data arrives
on the port that is not formatted in legitimate Server
Message Block (SMB) protocol, the system crashes.
Windows 95 and NT.
250
Information Networking Security and Assurance Lab
National Chung Cheng University
Remotely Exhausting Resources
Using a flood of packets
SYN floods
Smurf attacks
Distributed DoS attacks, DDoS
251
Information Networking Security and Assurance Lab
National Chung Cheng University
SYN Flood
Three-way handshake
The TCP/IP stack allocates a small piece of
memory on its connection queue
To remember the initial sequence number
Two ways
To fill the connection queue with half-open
connections
Just fill the entire communications link
252
Information Networking Security and Assurance Lab
National Chung Cheng University
SYN Flood
EVE
SYN (ISNA)
SYN-ACK
RESET!!!
BOB
ALICE
Connection queue
freed up upon
receiving RESET
packet.
SYN(X1,ISNx)
SYN(X2,ISNx)
SYN(X3,ISNx)
EVE
BOB
SYN-ACK
253
Information Networking Security and Assurance Lab
National Chung Cheng University
SYN cookies (Linux Kernel)
ISNB is a function of the source IP address,
destination IP address, port numbers, and
a secret seed. Bob doesn’t remember
ISNB, or store any information about the
half-open connection in the queue.
SYN(A, ISNA)
SYN(B, ISNB) ACK(A, ISNA)
ACK(B, ISNB)
ALICE
BOB
When the ACK (B, ISNB) arrives, Bob
applies the same function to the ACK packet
to check if the value of ISNB is legitimate.
If this is a valid ISNB, the connection is
established.
Bob will never store information
in the connection queue for these
SYNs; Instead, Bob sends
SYN(B, ISNB) ACK(X, ISNx)
EVE sends spoofed packets from X
EVE
Information Networking Security and Assurance Lab
National Chung Cheng University
254
Smurf Attacks
Also known as directed broadcast attacks
Router converts the IP broadcast message to a
MAC broadcast message using a MAC address
of FF:FF:FF:FF:FF:FF
Every machine read the message and send a
respone
255
Information Networking Security and Assurance Lab
National Chung Cheng University
Smurf Attacks
UG
H!
Broadcast ping
spoofed from
w.x.y.z
Responses!
w.x.y.z
SMURF AMPLIFIER
256
Information Networking Security and Assurance Lab
National Chung Cheng University
DDoS Architecture
First, tack over a large number of victim
machine, referred to as “zombies”
Install the zombie software on the systems
The component of the DDoS tool
The attacker uses a special client tool to
interact with the zombies
257
Information Networking Security and Assurance Lab
National Chung Cheng University
A DDoS attack using Tribe Flood Network
2000
CLIENT
UGH!
ZOMBIE
ZOMBIE
ATTACKER
WITH NETCAT
CLIENT
ZOMBIE
VICTIM
ZOMBIE
ZOMBIE
258
Information Networking Security and Assurance Lab
National Chung Cheng University
TFN2K, a Powerful DDoS Tool
Attack types including:
Targa
UDP Flood
SYN Flood
ICMP Flood
Smurf Attack
“Mix” Attack-UDP, SYN, and ICMP Floods
259
Information Networking Security and Assurance Lab
National Chung Cheng University
TFN2K, a Powerful DDoS Tool
 Features
Authentication using an encrypted password
All packets from the client to the zombies are sent using an
ICMP Echo Reply packet
 ICMP Echo Replies allowed into many network
 No port number associated with ICMP
 Finding the attacker is very difficult
 The client machine included a encrypted file indicating the IP
addresses of all of the zombies under its control
 Allows the attacker to run a single arbitrary command
simultaneously on all zombies
260
Information Networking Security and Assurance Lab
National Chung Cheng University
Maintaining Access: Trojans,
Backdoors, and Rootkits
261
Information Networking Security and Assurance Lab
National Chung Cheng University
Backdoors
Allow an attacker to access a machine using an
alternative entry method
To bypass the front door
When Attackers Collide
Attacker closes security holes, and installs backdoor
Backdoor security controls even stronger than
standard system security controls, possibly using
SSH
262
Information Networking Security and Assurance Lab
National Chung Cheng University
Backdoors Melded into Trojan Horses
Type of Trojan
Horse Backdoor
Characteristics
Analogy
Example Tools
Application-level
Trojan Horse
Backdoor
A separate
application runs
on the system,
giving the attacker
backdoor access.
An attacker adds poison
to your soup. A foreign
entity is added into the
existing system by the
attacker.
 Back Orifice 2000
Traditional
RootKits
Critical operating
system
components are
replaced or
modified by the
attacker to create
backdoors and
hide on the system
An attacker replaces the
potatoes in your soup
with modified potatoes
that are poisonous. The
existing components of
the system are modified
by the attacker.
Linux RootKit5 for
Linux
T0rnKit for Linux,
Solaris
Other, platformspecific RootKits for
SunOS, AIX, SCO,
Solaris, etc.
(BO2K)
Sub7
Hack-a-tack
QAZ
263
Information Networking Security and Assurance Lab
National Chung Cheng University
Backdoors Melded into Trojan Horses (cont.)
Type of Trojan
Horse Backdoor
Kernel-level
RootKits
Characteristics
Analogy
Example Tools
The operating
system kernel itself
is modified to foster
backdoor access
and allow the
attacker to hide.
An attacker replaces your
tongue with a modified,
poison tongue so that you
cannot detect their
deviousness by looking at
the soup. The very organs
you eat with are modified
to poison you.
 Knark for Linux
Adore for Linux
Plasmoid’s Solaris
Kernel-Level RootKit
Windows NT
RootKit
264
Information Networking Security and Assurance Lab
National Chung Cheng University
Application-Level




Add a separate application to a system
Mostly developed for Windows platforms
RootKits are more popular in the UNIX world
EX. Back Orifice 2000 (BO2K)
Backdoor
Client
Backdoor
Server
NETWORK
(Internet, intranet, etc.)
Remote access and control
ATTACKER
VICTIM
265
Information Networking Security and Assurance Lab
National Chung Cheng University
Traditional RootKits
Replace critical operating system executables
Traditionally focused on UNIX systems
NT/2000 RootKits replace Dynamic Link
Libraries
266
Information Networking Security and Assurance Lab
National Chung Cheng University
Comparison
System
Executables
Remain
intact
Login
With
Backdoor
EVIL BACKDOOR
Good Good
Good
Login
PS
ifconfig
KERNEL
Trojan
PS
KERNEL
Trojan
ifconfig
System
Executables
Are altered to
Include
Backdoor and
Other stealth
capabilities
Comparing Application-Level Trojan horse backdoors with traditional RootKits
267
Information Networking Security and Assurance Lab
National Chung Cheng University
What Do Traditional RootKits Do?
RootKits depend on the attacker already
having root access
A RootKit is a suite of tools that allow the
attacker to maintain root-level access by
implementing a backdoor
268
Information Networking Security and Assurance Lab
National Chung Cheng University
/bin/login Replacement
Authentication
A RootKit replaces /bin/login with a
modified version that includes a backdoor
password
269
Information Networking Security and Assurance Lab
National Chung Cheng University
Traditional RootKits
Linux RootKit 5 (lrk5)
Targeting Linux systems
t0rnkit
Targeting Linux and Solaris systems
270
Information Networking Security and Assurance Lab
National Chung Cheng University
Nastiest:
Kernel-Level RootKits
The kernel is the fundamental, underlying part
of the OS
Troja
n
Logi
n
Trojan
PS
Trojan
ifconfig
Good
KERNEL
Login
Information Networking Security and Assurance Lab
National Chung Cheng University
Good
PS
KERNEL
Good
Good
Ifconfi tripwir
g
e
TROJAN
KERNEL
271
What They can Do…
 The Power of Execution Redirection
 Most Kernel-level RootKits include a capability to do execution redirection
 Bait-and-switch
 /bin/login -> /bin/backdoorlogin
 File Hiding
 Kernel-level RootKits support file hiding
 Implemented in the kernel
 Process Hiding
 Hiding processes, such as a Netcat backdoor
 Network Hiding
 netstat
 Masking particular network port usage
 Nmap
272
Information Networking Security and Assurance Lab
National Chung Cheng University
How to Implement Kernel-Level RootKits
Loadable Kernel Modules
Many kernel-level RootKits are implemented
as LKMs
 insmod knark.o
273
Information Networking Security and Assurance Lab
National Chung Cheng University
Some Examples of Kernel-Level RootKits
Knark, a Linux Kernel-Level RootKit
Remote execution
Promiscuous mode hiding
Taskhacking
Real-ttime process hiding
 Kill -31 process_id
Kernel-module hiding
Knark package includes a separate module called modhide
274
Information Networking Security and Assurance Lab
National Chung Cheng University
Some Examples of Kernel-Level RootKits
(cont.)
Adore, Another Linux Kernel-Level RootKit
Plasmoid’s Solaris Loadable Kernel Module
RootKit
Windows NT Kernel-Level RootKit by
RootKit.com
www.rootkit.com
A patch
275
Information Networking Security and Assurance Lab
National Chung Cheng University
Thank YOU
276
Information Networking Security and Assurance Lab
National Chung Cheng University
Auditing your
Microsoft Windows system
Host-Based Intrusion Detection system
277
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
278
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
After a system has been hardened, the final
step is to baseline it so that changes that are
indicative of a successful intrusion can be
detected.
The system logs are an invaluable source of
information regarding the activity on your
systems.
279
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To introduce you to simple tools that can be
used to create powerful baseline and auditing
methods for your systems
280
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
281
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
 Hardware
PC or Workstation with Microsoft Windows 2000 or XP
 Software
dumpel
 http://www.microsoft.com/windows2000/techinfo/reskit/tools/e
xisting/dumpel-o.asp
Microsoft Excel
Micorsoft Windows 2000 resource kit – netsvc.exe
Fport
 http://www.foundstone.com/resources/termsofuse.htm?file=fpor
t.zip
282
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): Analyze log files
 Download “dumpel” for analyze the log files and decompress that.
283
Information Networking Security and Assurance Lab
National Chung Cheng University
 Use dumpel.exe to output the system log file
Dumpel –f devent –l system -t
284
Information Networking Security and Assurance Lab
National Chung Cheng University
process the log file by Micorsoft Excel
285
Information Networking Security and Assurance Lab
National Chung Cheng University
The import wizard setup
286
Information Networking Security and Assurance Lab
National Chung Cheng University
Sort the data
287
Information Networking Security and Assurance Lab
National Chung Cheng University
Filter the Event ID
288
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): Baseline open ports
 Download and then uncompress Fport
 Execute fport and redirect its output to a baseline file
289
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): Baseline running services
Execute netsvc and redirect its output to a
baseline file for future reference
useage
NETSVC service_name \\computer_name /command
290
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (IV): Schedule baseline audits
 Schedule the baseline audits
 Test the baseline batch file.
291
Information Networking Security and Assurance Lab
National Chung Cheng University
Setup the scheduled task
292
Information Networking Security and Assurance Lab
National Chung Cheng University
Setup with the schedule wizard
293
Information Networking Security and Assurance Lab
National Chung Cheng University
summary
Before a hardened system is put into
production, a baseline of the system is made
for future auditing and forensic purpose
Simple tools can be scripted to easily monitor
the large system for any unexpected changes
294
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
Windows 2000 resource kits
http://www.microsoft.com/windows2000/techinfo/re
skit/tools/default.asp
FountStone website:
http://www.foundstone.com
295
Information Networking Security and Assurance Lab
National Chung Cheng University
296
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Essentials Toolkit
SARA
297
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference
298
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
 Security Auditor's Research Assistant, a derivative of
the Security Administrator Tool for Analyzing
Networks. (SATAN)
 Remotely probes systems via the network and stores
its findings in a database.
 The results can be viewed with HTML browser that
supports the http protocol.
299
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To know the SARA Tool and how to scan
you target security vulnerability.
300
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
Why should we need to audit our environment?
301
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
 Permission
Do not proceed without receiving the necessary
permissions.
 Hardware
Intel-based PC
 Software
Linux OS with Apache Web Server
SARA 5
http://www-arc.com/sara/
302
Information Networking Security and Assurance Lab
National Chung Cheng University
Challenge Procedure
 Step 1:Install SARA
 Step 2:Start SARA
 Step 3:Select Target and Scan
 Step 4:View Report
 Step 5:Report Writer
303
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 1:Install SARA
 When you want to install SARA, you must install
apache server first.
 Install SARA
./Configure
make
304
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2: Start SARA (1/2)
305
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2: Start SARA (2/2)
306
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Select Target and Scan (1/5)
307
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Select Target and Scan (2/5)
308
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Select Target and Scan (3/5)
309
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Select Target and Scan (4/5)
310
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Select Target and Scan (5/5)
311
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4: View Report (1/5)
312
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4: View Report (2/5)
313
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4: View Report (3/5)
314
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4: View Report (4/5)
315
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4: View Report (5/5)
316
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 5: Report Writer (1/3)
317
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 5: Report Writer (2/3)
318
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 5: Report Writer (3/3)
319
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
 SARA is a network scanner, not system scanner. (See
Service)
 After you use SARA to audit your network service,
you can see your network service vulnerability.
 SANS and CVE provides a common roadmap for
vulnerability definitions.
320
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
 http://www-arc.com/sara/
 http://www.secureroot.com/security/tools/966532531
5.html
 http://www.sans.org/top20/
http://cve.mitre.org/
321
Information Networking Security and Assurance Lab
National Chung Cheng University
322
Information Networking Security and Assurance Lab
National Chung Cheng University
Snort: Network-based Intrusion
Detection System
323
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Snort
A Network-based intrusion detection system
Freeware
http://www.snort.org
Principle
Listening to traffic on the network
comparing it against the patterns or signatures of
known malicious traffic
Alert if malicious
324
Information Networking Security and Assurance Lab
National Chung Cheng University
Objective
Installing and configuring Snort
Analysis Console for Intrusion Databases
325
Information Networking Security and Assurance Lab
National Chung Cheng University
Snort: Three Main Mode
Sniffer Mode
 ./snort -vde
Packet Logger Mode
 ./snort –vde –l ./log –h 192.168.1.0/24
Network Intrusion Detection Mode
 ./snort –vde –l ./log –h 192.168.1.0/24 –c snort.conf
326
Information Networking Security and Assurance Lab
National Chung Cheng University
Installing Snort from source code
 Compile Snort











#groupadd snort
#useradd –g snort snort
# tar –zxvf snort-2.1.*.tar.gz <attention!!!>
# cd snort-2.1.*
# ./configure --with-mysql=/where/you/installed
# make
# make install
#cd etc
#cp snort.conf /etc/snort
#cp *.config /etc/snort
#cp contrib/S99snort /etc/init.d/snort
 Install the latest rules
 # mkdir /etc/snort
 # cp rules/* /etc/snort
 Create the logging directory for snort
 #mkdir /var/log/snort
327
Information Networking Security and Assurance Lab
National Chung Cheng University
Attention!!!
Snort-2.1.0
cd snort-2.1.0/src
grep /var/run *
edit util.c
/var/run/ -> var/run
328
Information Networking Security and Assurance Lab
National Chung Cheng University
snort.conf
329
Information Networking Security and Assurance Lab
National Chung Cheng University
snort.conf --Set the Network variables
330
Information Networking Security and Assurance Lab
National Chung Cheng University
snort.conf --Configure preprocessors
331
Information Networking Security and Assurance Lab
National Chung Cheng University
snort.conf --Configure output plug-ins
332
Information Networking Security and Assurance Lab
National Chung Cheng University
snort.conf --Customize your rule set
333
Information Networking Security and Assurance Lab
National Chung Cheng University
Writing Snort Rules (1/3)
The Basics
Alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 86 a5|”; msg:”mount access”;)
Rule header section
Rule option section
Variables
var MY_NET [192.168.1.0/24,10.1.1.0/24]
Includes
include <include file path/name>
alert tcp any any -> $MY_NET any (flags:S; msg:”SYN packet”;)
334
Information Networking Security and Assurance Lab
National Chung Cheng University
Writing Snort Rules (2/3)
Rules Headers
Rules Actions alert log pass activate dynamic
tcp ip udp icmp
Protocols
IP Addresses CIDR ! [x.y.z.0/24,a.b.c.0/24]
Port Numbers 1:1024 :6000 500:
The Direction Operator -> <- <>
Activate/Dynamic Rules
335
Information Networking Security and Assurance Lab
National Chung Cheng University
Writing Snort Rules (3/3)
Rule Options
Skip, please reference Snort Users Manual
http://www.snort.org/docs/writing_rules/index.html
336
Information Networking Security and Assurance Lab
National Chung Cheng University
Alerts
337
Information Networking Security and Assurance Lab
National Chung Cheng University
Go deep into
Conceptual Topology
Sensor Placement Model
Snort + Apache + Mysql + ACID
338
Information Networking Security and Assurance Lab
National Chung Cheng University
339
Information Networking Security and Assurance Lab
National Chung Cheng University
340
Information Networking Security and Assurance Lab
National Chung Cheng University
Snort + Apache + Mysql + ACID
Apache Web Server
hosting the ACID web-based console
MySQL Server
storing Snort alerts
ACID (Analysis Console for Intrusion
Databases)
a web-based application for viewing firewall logs
and/or IDS alerts
Snort
341
Information Networking Security and Assurance Lab
National Chung Cheng University
342
Information Networking Security and Assurance Lab
National Chung Cheng University
343
Information Networking Security and Assurance Lab
National Chung Cheng University
344
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference Web site
Snort
http://www.snort.org
345
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Essentials Toolkit
PortSentry
346
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference
347
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
PortSentry is an example of host-based
intrusion detection software.
PortSentry monitors the TCP and UDP ports
on the system in an attempt to determine if
someone is scanning the system in anticipation
of an attack.
Another unique aspect of PortSentry is that it
will also initiate protective action
automatically. (/etc/hosts.deny)
348
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To know:
How the host-based IDS work.
How to install & configure Portsentry.
349
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
Hacker’s attack technique.
Port Scanning Tools.
Principle of the host-based IDS.
350
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Hardware
Intel-based PC running Linux OS
Software
PortSentry 1.2
 http://sourceforge.net/projects/sentrytools/
351
Information Networking Security and Assurance Lab
National Chung Cheng University
Challenge Procedure
Step 1:Install PortSentry
Step 2:Configure PortSentry
Step 3:Test PortSentry
Step 4:Kill PortSentry
352
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 1:Install PortSentry
Log in as root. Then download the PortSentry
source file.
353
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2:Configure PortSentry (1/2)
 vi /usr/local/psionic/portsentry/portsentry.ignore
354
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2:Configure PortSentry (2/2)
 /usr/local/psionic/portsentry/portsentry –tcp
 /usr/local/psionic/portsentry/portsentry –udp
 tail /var/log/messages
355
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3:Test PortSentry (1/2)
356
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3:Test PortSentry (2/2)
357
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4:Kill PortSentry (1/2)
 vi /etc/hosts.deny
358
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4:Kill PortSentry (2/2)
 killall portsentry
359
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
PortSentry is host-based intrusion detection
software.
It’s able to detect port scanning.
Protective action automatically, PortSentry can
adding scanning system’s IP address to the
hosts.deny file.
Care should be taken when using PortSentry, it
can also be used to cause a type of denial of
service (DoS).
360
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
 SANS GIAC Certification:Security Essentials Toolkit
(GSEC)
 http://www2.tw.ibm.com/developerWorks/tutorial/SelectTutori
al.do?tutorialId=268#sec7
 http://linux.cudeso.be/linuxdoc/portsentry.php
 http://linux.rice.edu/help/tips-sentry.html
 http://toget.pchome.com.tw/intro/unix_system/5095.html
361
Information Networking Security and Assurance Lab
National Chung Cheng University
362
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Essentials Toolkit
DumpSec
363
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference
364
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
 A gaping hole in Windows NT and Windows 2000 is
null sessions. Required by these operating system for
communications between servers, they are often left
open for nonauthenticated users.
 The amount information available to the attacker via
null session is so great that tools are helpful to distill
all of it. One such tools is DumpSec.
 As always, what’s valuable to attackers is valuable to
network administrator.
 DumpSec is also an excellent tool as part of an audit
toolkit.
365
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To know:
How to audit Windows NT environment.
How to install, use, and analyze the output of
DumpSec.
366
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study
What is DumpSec?
It dumps the permissions and audit settings for the
file system, registry, printer and shares in a concise,
readable listbox (text) format, so holes in system
security are readily apparent.
How does DumpSec work?
DumpSec works by connecting to the target box as
the Null user via the [net use \\server "" /user:""]
command and then call NetServerGetInfo() API to
collect information.
367
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Permission
Do not proceed without receiving the necessary
permission.
Hardware
Intel-based PC running Windows 2000 Professional.
Software
DumpSec
http://www.somarsoft.com
368
Information Networking Security and Assurance Lab
National Chung Cheng University
Challenge Procedure
Step 1:Install DumpSec (Skip)
Step 2:Select a target computer.
Step 3:Search for unprotected shares.
Step 4:Extract user information.
Step 5:Search for RAS dial-in account.
Step 6:Analyze system policies.
Step 7:Examine running service.
369
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2:Select a target computer
370
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3:Search for unprotected shares
371
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 4:Extract user information
372
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 5:Search for RAS dial-in account
373
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 6:Analyze system policies
374
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 7:Examine running service
375
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
DumpSec provides a very comprehensive view
of user account and simple management.
DumpSec is free, so it offer a cost effective
method to help evaluate user account security.
However, to complete a review of the domain,
time must be spent with the domain
administrators discussing policies and
procedures as well.
376
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
 http://www.somarsoft.com/
 http://www.mnisaca.org/dumpsec.doc
 http://www.emb.gov.hk/ited/Chinese/resources/biling
ual_glossary_on_IT_terms/D.asp
 http://www.microsoft.com/taiwan/technet/security/pr
odtech/windows/windows2000/staysecure/secops06.h
tm
377
Information Networking Security and Assurance Lab
National Chung Cheng University
378
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion Techniques
379
Information Networking Security and Assurance Lab
National Chung Cheng University
Introduction
BlackHat community vs. WhiteHat (IDS
vendors)
BlackHat exploit inherent weaknesses in
NIDSs
380
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
IDS Evasion vs. Detection Engine
IDS Evasion at the Network Level
IDS Evasion at the Application Level
Basic String Matching Weaknesses
Polymorphic Shell Code
Fragmentation Attacks
Denial of Service
Conclusion
381
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion vs. Detection Engine
Simple Pattern Matching
Traffic Anomalies
Protocol Anomalies
String Matching Weaknesses
Stateful Signatures
Backdoor Detection
382
Information Networking Security and Assurance Lab
National Chung Cheng University
383
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion at the Network Level
 Fragment packets
 Fragments captured, remembered, and analyzed by
the IDS
Requires a great deal of memory and processing power on
the IDS
 IDS must reassemble packets. However, different
target systems have various inconsistencies in the
way they handle fragments
Just use fragments
Send a flood of fragments
Fragment the packets in unexpected ways
384
Information Networking Security and Assurance Lab
National Chung Cheng University
The tiny fragment attack
Looks good
to me…
Fragment 1:
Part of TCP Header
ATTACKER
Fragment 2:
Rest of TCP Header
with port number
NETWORK
NETWORK
IDS
PROBE
PROTECTED
SERVER
385
Information Networking Security and Assurance Lab
National Chung Cheng University
Fragmentation Attacks
Fragmentation overwrite
Packet #1 GET x.idd
Packet #2 somerandomcharacters
Packet #3 a.? (buffer overflow)
Packet
GET x.ida.? (buffer overflow)
Packet
GET x.idsomerandomcharacters
Fragmentation time-out
Packet #1
Packet #2 (59 seconds later)
GET foo.id
a.? (buffer overflow)
MF bit set
386
Information Networking Security and Assurance Lab
National Chung Cheng University
A fragment overlap attack
Looks good
to me…
Fragment 1:
GET x.idd
ATTACKER
Fragment 2:
a.? (buffer overflow)
NETWORK
IDS
PROBE
NETWORK
GET x.ida.? (buffer overflow)
PROTECTED
SERVER
387
Information Networking Security and Assurance Lab
National Chung Cheng University
Fragmentation Attacks
Fragmentation combined with some other
network techniques (take TTL for example)
Packet #
1
Payload
GET foo.id
TTL
>2
Packet #
2
Payload
evasion.htm
TTL
2
Packet #
3
Payload
TTL
a?bufferoverflow > 2
Packet GET foo.idevasion.htm
Packet GET foo.ida?bufferoverflow
388
Information Networking Security and Assurance Lab
National Chung Cheng University
Using FragRouter to evade IDS detection
Looks good
to me…
NETWORK
IDS
PROBE
ATTACK
SYSTEM
Attack
packets
FRAGROUTER
Attack
fragments
VICTIM
389
Information Networking Security and Assurance Lab
National Chung Cheng University
Some of the Many Fragmentation Options
Offered by FragRouter
Name
Flag
How the packets are mangled
frag-1
-F1
Send data in ordered 8-byte IP fragments
frag-2
-F2
Send data in ordered 24-byte IP fragments
frag-3
-F3
Send data in ordered 8-byte IP fragments, with one fragment sent out
of order
tcp-1
-T1
Complete TCP handshake, send fake FIN and RST (with bad
checksums) before sending data in ordered 1-byte segments
tcp-5
-T5
Complete TCP handshake, send data in ordered 2-byte segments,
preceding each segment with a 1-byte null data segment that overlaps
the latter half of it. This amounts to the forward-overlapping 2-byte
segment rewriting the null data back to the real attack.
tcp-7
-T7
Complete TCP handshake, send data in ordered 1-byte segments
interleaved with 1-byte null segments for the same connection but
with drastically different sequence numbers.
390
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion at the Application Level
Manipulating information at the Application
Layer
Allow an attacker to modify particular
Application-level commands
IDS gets confused and will not detect the
attack
Nikto, a good example of Application-level
IDS evasion
391
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion Tactics
IDS Evasion Tactic Name
How Tactic Works
Example
URL Encoding
The request is encoded using
unicode equivalents of the
characters. Some IDSs will not
recognize the encoding as a
request for the vulnerable
script.
GET
/%63%67%69%2d%62%69
%6e/broken.cgi HTTP/1.0
TAB Separation
Instead of using spaces in the
HTTP request, use tabs. If the
IDS signature is based on
spaces, the IDS will miss the
attack
GET<tab>/cgibin/broken.cgi<tab>HTTP/1.
0
Case Sensitivity
Windows systems are case
insensitive. If the IDS is
looking for “cgi-bin” and we
send “CGI-BIN,” the IDS may
not notice
GET /CGI-BIN/broken.cgi
HTTP/1.0
392
Information Networking Security and Assurance Lab
National Chung Cheng University
Basic String Matching Weaknesses
Signature-based IDS
Breaking the string match of a poorly written
signature is trivial
Signature (Snort)
Evasion by changing string
393
Information Networking Security and Assurance Lab
National Chung Cheng University
Basic String Matching Weaknesses
more advanced techniques
Through an interactive session
Hex encoding a url
394
Information Networking Security and Assurance Lab
National Chung Cheng University
Polymorphic Shell Code
devolved by K2 and is based on virus evasion
techniques
SSH CRC32 buffer overflows
395
Information Networking Security and Assurance Lab
National Chung Cheng University
Polymorphic Shell Code
Currently there are 55 replacements used on
x86 (less on other architectures)
http://cansecwest.com/noplist-v1-1.txt
396
Information Networking Security and Assurance Lab
National Chung Cheng University
Denial of Service (DoS)
 A less civilized method of evasion
 Tools such as Stick, Snot and several testing tools
used to create a vast amount of alarms that can:
Consume the devices processing power and allow attacks to
sneak by;
Fill up disk space causing attacks to not be logged;
Cause more alarms than can be handled by management
systems
Cause personnel to not be able to investigate all the alarms;
and,
Cause the device to lock up
397
Information Networking Security and Assurance Lab
National Chung Cheng University
Conclusion
 Traditional string matching weaknesses are becoming
more difficult to evade
 Network level evasion tactics such as fragmentation
can still be successful
 Turn on or off certain processing intensive modules
depending on the environment
 Fortunately, processing power is increasing quickly,
and if vendors are willing to sacrifice bandwidth,
more prudent processing of events can be realized.
398
Information Networking Security and Assurance Lab
National Chung Cheng University
Security Essentials Toolkit
Fragrouter
399
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference
400
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
 Something is plagues many attackers is the problem
of how to bypass the intrusion detection systems.
 Network-based IDS attempts to match the traffic it
sees against known patterns.
 With the attack packets fragmented, the attacker has a
better chance of bypassing the victim’s IDS.
 Fragrouter is a prime example of a tool that can do
packets fragmentation.
401
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To know:
An example of IDS evasion.
How to install and configure Fragrouter.
402
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study (1/2)
Firewall
Network
Attacker
Target
IDS
403
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-Study (2/2)
Firewall
Fragrouter
Attacker
Target
IDS
404
Information Networking Security and Assurance Lab
National Chung Cheng University
Required Facilities
Permission
Do not proceed without receiving the necessary
permission.
Hardware
Intel-based System
Software
Linux Kernel 2.2 or higher
Fragrouter
http://online.securityfocus.com/data/tools/fragrouter1.6.tar.gz
405
Information Networking Security and Assurance Lab
National Chung Cheng University
Challenge Procedure
Step 1:Install Fragrouter
Step 2: Review Fragrouter Option
Step 3: Test Fragrouter
406
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 1:Install Fragrouter




tar zxf fragrouter-1.6.tar.gz
./configure
make
make install
407
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2: Review Fragrouter Option (1/3)
 -B1:No fragmentation.
 -F1:Fragments the packet into ordered 8-byte fragmentation.
 -F2:Fragments the packet into ordered 24-byte fragmentation.
 -F3:Like –F1, but place one of fragments out of order.
 -F4:Duplicates one of the fragmented packets.
 -F5:Fragments the packet and send out of order while also duplicating
a random packet.
 -F6:Send the data in unordered, 8-byte fragment.
 -F7:Send the data in ordered 16 byte fragments, places an 8-byte, null
data fragment in front of each fragment.
408
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2: Review Fragrouter Option (2/3)
 -T1:Complete TCP three-way hand-shake, Then Sends fake FIN and
RST datawith bad checksums before sending the real data in
ordered, 1-byte segment.






-T2:Sends the data with the sequence number wrapping back to zero.
-T3:Duplicates the penultimate segment of each segment.
-T4:Sends additional 1-byte null data of each segment.
-T5:2 byte segments, in each segments 1-byte is null data.
-T6:Sequence number jumps of 1,000 throughout the data stream.
-T7:Send data in 1-byte segment and 1-byte null data, but change the
sequence number.
 -T8:1-byte segments placing one of those segments out of data.
 -T9:Sending all of its data out of order.
409
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 2: Review Fragrouter Option (3/3)
 -C1:Not complete 3-way handshake, sends data with random sequence
number.
 -C2:Complete 3-way handshake, sends data in order 1-byte, and intermix
SYN packets for establish connection.
 -C3:Not complete 3-way handshake, sends null data as if the handshake
is complete. Then complete 3-way handshake and sends the data.
 -R1:Complete 3-way handshake and shut down with RST packet, then reconnect
and sends data.
 -I2: Complete 3-way handshake and send data, but 1-byte segment with bad
checksum.
 -I3: Complete 3-way handshake and send data, 1-byte segment’s ACK flag not set.
 -M1:Use Thomas Lopatic’s Windows NT 4.0 SP 2 fragmentation attack.
 -M2:Use John McDonald’s Linux IP chains fragmentation attack.
410
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Test Fragrouter (1/4)
 fragrouter –option
411
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Test Fragrouter (2/4)
Change Gateway
412
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Test Fragrouter (3/4)
Example 1: fragrouter –B1
413
Information Networking Security and Assurance Lab
National Chung Cheng University
Step 3: Test Fragrouter (4/4)
Example 2: fragrouter –T1
414
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Fragrouter is an example to do IDS evasion.
Both of the Fragrouter and attack machine
need to be on the same network segment, and
the victim need to be on a separate segment.
Don’t proceed without receiving the necessary
permissions.
415
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference





http://dag.wieers.com/packages/fragrouter/
http://online.securityfocus.com/data/tools/fragrouter-1.6.tar.gz
http://www.securityfocus.com/tools/176
http://www.securityfocus.com/infocus/1577
http://oldsite.linuxaid.com.cn/solution/showsol.jsp?i=413#rout
e_vs_router
 http://ouah.kernsh.org/IP_frag.htm
416
Information Networking Security and Assurance Lab
National Chung Cheng University
417
Information Networking Security and Assurance Lab
National Chung Cheng University
A Vulnerability Assessment
NIKTO
418
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
419
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Nikto is a web server scanner which performs
comprehensive tests against web server for
multiple items
2600 potentially dangerous files/CGIs
Versions on over 625 servers
Version specific problems on over 230 servers
Nikto support for LibWhisker’s anti-IDS
methods (IDS evasion)
420
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Nikto perform security or information checks
Misconfigurations
Default files and scripts
Insecure files and scripts
Outdate software
421
Information Networking Security and Assurance Lab
National Chung Cheng University
Purpose
To understand what is vulnerability scanner,
and why we need it
To family with the operation of the Nikto
vulnerability scanner.
422
Information Networking Security and Assurance Lab
National Chung Cheng University
Principle and Pre-study
A look at whisker's anti-IDS tactics
an HTTP request defined by RFC 1945
Types of IDS
Smart
Raw
423
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS evasion
Evasion type
Evasion method
1
Method matching
GET /cgi-bin/some.cgi  HEAD /cgi-bin/some.cgi
2
URL encoding
cgi-bin  %63%67%69%2d%62%69%6e
3
Double slashes
/cgi-bin/some.cgi  //cgi-bin//some.cgi
4
Reverse traversal
/cgi-bin/some.cgi 
5
Self-reference directories
cgi-bin/phf  /./cgi-bin/./phf
6
Premature request ending
GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
7
Parameter hiding
GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0
8
HTTP mis-formatting
Method<space>URI<space>HTTP/Version CRLF CRLF ->
Method<tab>URI<tab>HTTP/ Version CRLF CRLF
9
Long URLs
GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0
10
DOS/Win directory syntax
"/cgi-bin/some.cgi“  "/cgi-bin\some.cgi"
11
NULL method processing
GET%00 /cgi-bin/some.cgi HTTP/1.0
12
Case sensitivity
/cgi-bin/some.cgi  /CGI-BIN/SOME.CGI
13
Session splicing
"GET / HTTP/1.0“  "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
Information Networking Security and Assurance Lab
14
In summary
National Chung Cheng University
GET /cgi-bin/blahblah/../some.cgi HTTP/1.0
Combine multiple tactics together
424
Required Facilities
 Permission
Do not proceed without receiving the necessary
permissions
 Hardware:
PC or Workstation with UNIX-based OS
 Software
Perl 5.004
Nikto 1.32
NET::SSLeay
LibWhisker
OpenSSL
425
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): install Nikto
Install nikto with port tree
After install nikto,
patch /usr/local/bin/nikto.pl to indicate the config.txt
patch /usr/local/etc/nikto/config.txt to indicate the plugin directory
426
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS evasion
option
mutate checks
option
IDS evasion
method
427
Information Networking Security and Assurance Lab
National Chung Cheng University
Basic scan information
Web server banner and
basic function
Report some
vulnerability and
suggest the solution
Information Networking Security and Assurance Lab
National Chung Cheng University
Report the result
428
Step (II): execute nikto
Basic scan
information
Web server banner
and basic function
Report some
vulnerability and
suggest the solution
Report the result
429
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): IDS evasion
Detection with IDS
evasion method 1 2
on target
140.123.113.86
430
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
CGI exploits are everywhere. It is most
important that you scan your own site so that
you can see what attackers might see.
Nikto is a PERL, open source web server
scanner which supports SSL. It checks for
remote web server vulnerabilities and
misconfigurations.
431
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
Nikto
http://www.cirt.net/code/nikto.html
Comprehensive Perl Archive Network
http://www.cpan.org
LibWhisker
http://www.wiretrip.net/rfp/lw.asp
A look at whisker’s anti-IDS tactics
http://www.wiretrip.net/rfp/txt/whiskerids.html
432
Information Networking Security and Assurance Lab
National Chung Cheng University
433
Information Networking Security and Assurance Lab
National Chung Cheng University
Intrusion Detection System
Detection Analysis Comparison
434
Information Networking Security and Assurance Lab
National Chung Cheng University
Outline
What is IDS?
Detection Analysis Comparison
Anomaly
Misuse
Signatures-based
Commercial Intrusion Detection System
IDS challenges
435
Information Networking Security and Assurance Lab
National Chung Cheng University
What is IDS?
IDS stands for “Intrusion Detection System”
Detecting inappropriate, incorrect, or anomalous
activity on a system
Identifying network intrusion attempts
Send alert to administrators, and make response
Intrusion — attempts to compromise the
confidentiality, integrity, availability, or to bypass the
security mechanisms of a computer or network. (NIST
sp800-31)
436
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Anomaly
Anomaly detection involves defining “normal”
activity and looking for deviations from this
baseline
437
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Misuse
Predictive models are built from labeled
data sets (instances are labeled as
“normal” or “intrusive”)
These models can be more
sophisticated and precise than
manually created signatures
Unable to detect attacks whose
instances have not yet been observed
438
Information Networking Security and Assurance Lab
National Chung Cheng University
Misuse
Signatures explicitly define what activity
should be considered malicious
Simple pattern matching
Stateful pattern matching
Protocol decode-based analysis
Heuristic-based analysis
439
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Signatures
 Stateless Pattern Matching
 Looking for a fixed sequence of bytes in a single packet
 Pros
+ simple
+ direct correlation (highly specific)
+ reliable alerts (for the specified pattern)
+ applicable across all protocols
 Cons
- false positive rates (pattern not has unique as assumed)
- any attack modification lead to false negative
- does not apply well to stream based traffic (single packet inspection)
- do not scale can dramatically slow performance
- blind until new pattern is developed
- evasion is somewhat easy
440
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Signatures (cont.)
 Stateful Pattern Matching
 Matches are made in context within the state of the stream
 Pros
+ only lightly more effort than simple pattern matching
+ direct correlation (highly specific)
+ reliable alerts (for the specified pattern)
+ applicable across all protocols
+ evasion becomes more difficult
 Cons
- false positive rates (pattern not has unique as assumed)
- any attack modification lead to false negative
- may require multiple signatures to deal with a single vulnerability
- blind until new pattern is developed
441
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Signatures (cont.)
 Protocol Decode-Based Analysis
Decode protocols elements like the client or server in the
conversation would do then look for RFC violations (fields
content, header and payload size, special characters,…)
Pro
+ minimize the chance for false positive (for well defined
protocols)
+ direct correlation (highly specific)
+ reliable alerts (for the specified protocol)
Cons
- can lead to high false positive if the RFC is ambiguous (grey
area)
- longer and more complex development time
442
Information Networking Security and Assurance Lab
National Chung Cheng University
Detection Analysis Comparison:
Signatures (cont.)
Heuristic-Based Analysis
Based on algorithmic logic such as statistical
evaluations of the type of traffic being presented
Pros
+ some types of suspicious activity cannot be detected
through other means
Cons
- algorithm may require tuning or modification
443
Information Networking Security and Assurance Lab
National Chung Cheng University
Anomaly
 Look for traffic that deviates from what is seen “normally”.
Issue is to define what “normal” is. If normal is hard-coded
then it becomes heuristic-based. Learning what normal is
sounds like the panacea but it’s only been limited to academia
research so far and with limited success.
 Pros
+ can detect unknown attack (if implemented properly)
+ low overhead (no new signature to develop and install)
 Cons
- no intrusion data granularity (no pattern, unknown attacks)
- highly dependant on what has been learn as normal
444
Information Networking Security and Assurance Lab
National Chung Cheng University
Signature verbose Anomalous
Pros
Cons
Signature
Anomalous
+ Fast
+ Detect known attack
immediately
+ Can detect unknown
attacks
+ Can detect misuse within a
valid session
- Only detect attacks known
to system
- Signatures can be written
more general. (false
positives)
- Give false feeling of
security, if not up to date
- Complex, intensive
- Prone to false negatives
and positives
- Longer ramp-up time
(need to generate profiles of
users to detect deviation
from these profiles)
Information Networking Security and Assurance Lab
National Chung Cheng University
445
Commercial Intrusion Detection System
Misuse detection based commercial
 Snort – open source network IDS based on signatures.
 Network Flight Recorder (NFR) detects known attacks and their
variations
 NetRanger (CISCO) – sensors (analyze the traffic) and directors
(manage sensors)
 Shadow – collects audit data and runs tcpdump filters to catch attacks
 P-Best (SRI) – rule-based expert system that describes malicious
behavior
 NetStat (UCSB) – real time IDS using state transition analysis
446
Information Networking Security and Assurance Lab
National Chung Cheng University
Commercial Intrusion Detection System
(cont.)
Anomaly detection based commercial IDSs
 IDES, NIDES – statistical anomaly detection
 EMERAld – statistical anomaly detection
 SPADE (Statistical anomaly detection Engine) within Snort
 Computer watch (AT&T) – expert system that summarizes security
sensitive events and apply rules to detect anomalous behavior
 Wisdom & Sense – builds a set of rules that statistically describe
normal behavior
447
Information Networking Security and Assurance Lab
National Chung Cheng University
SPADE --- Snort plug-in
 SPADE: examines TCP SYN packets and maintains the count
of packets observed on (dest IP, dest Port) tuples
 SPADE checks the probability of every new packet on the (dest IP, dest Port)
tuple
 The lower the probability, the higher the anomaly score
 Drawback: raises false alarms on legitimate traffic for which (dest IP, dest Port)
combinations are infrequent
Dest Port
Dest IP
##
#
#
#
### #
#
#
**
#
448
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS challenges
Minimizing false positive
Minimizing false negative
Keeping up with performance
Handling the large amount of data generated
449
Information Networking Security and Assurance Lab
National Chung Cheng University
The Future of IDS and IPS
450
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Market Forecast (I)
451
Information Networking Security and Assurance Lab
National Chung Cheng University
Source: IDC, 2001
IDS Market Forecast (II)
452
Information Networking Security and Assurance Lab
National Chung Cheng University
Source: IDC, 2001
IDS Life Cycle
Setting up the current generation of IDSs requires a
substantial time investment to ensure they'll flag only
suspicious traffic and leave everything else alone.
www.nwfusion.com/techinsider/2002/0624security1.html
• Signature Updating
• Writing Signature
Testing
• Accuracy
• Resource Usage
• Stress
Vulnerability Assessment
Configuration
Tuning
Installation
• Information Collecting
• Filtering and Correlation
• Traffic Analysis
453
Information Networking Security and Assurance Lab
National Chung Cheng University
Testing Reality
 Eight IDSs fail to impress during the month long test on a
production network.
 Several IDSs crashed repeatedly under the burden of the
false alarms they churned out.
 When real attacks came along, some products didn't catch
them and others buried the reports so deep in false alarms
that they were easy to miss.
 Overly complex interfaces made tuning out false alarms a
challenge
http://www.nwfusion.com/techinsider/2002/0624security1.html
454
Information Networking Security and Assurance Lab
National Chung Cheng University
High Speed IDS Tests (Attacks Detected at
970 Mbps
Information Networking Security and Assurance Lab
National Chung Cheng University
http://www.nwfusion.com/reviews/2002/1104revnetr.html
455
When Firewall Meets IDS
Firewall
An gateway that restricts data
communication traffic to and from
one of the connected networks
(the one said to be "inside" the
firewall) and thus protects that
network's system resources
against threats from the other
network (the one that is said to be
"outside" the firewall).
• Access Control
• NAT
• Prevent the attacks
• Validate firewall configuration
• Detect attacks but firewalls allow them
to pass through (such as attacks against
web servers).
• Seize insider hacking
IDS
A security service that monitors
and analyzes system events for
the purpose of finding, and
providing real-time or near
real- time warning of, attempts
to access system resources in an
unauthorized manner
456
Information Networking Security and Assurance Lab
National Chung Cheng University
Gateway IDS (GIDS) and Host Intrusion
Prevention (HIP)
Company
Inadvertently block
legitimate traffic
Company
Website
Entercept Security Technologies
www.entercept.com
Harris STAT Neutralizer
www.statonline.com
Okena StormWatch and StormFront
www.okena.com
Sana Security
www.sanasecurity.com
Linux IDS
www.lids.org
Website
Captus Networks
www.captusnetworks.com
Cisco Systems IDS
www.cisco.com
ForeScout ActiveScout
www.forescout.com
RealSecure Network Protection
www.iss.net
Intruvert Networks
www.intruvert.com
NetScreen Technologies IDP
www.netscreen.com
Snort Hogwash
http://hogwash.sourceforge.net
TippingPoint Technologies
UnityOne
www.tippingpoint.com
Information Networking Security and Assurance Lab
National Chung Cheng University
Ineffective against denial-ofservice attacks
http://www.cio.com/archive/061503/et_article.html
OneSecure  Netscreen
457
Okena  Cisco
Entercept and Intruvert  Network Associates
NIDS Market Predictions: Head to Head
• Intrusion detection market jumped 29.2 per cent year on year
(firewall/virtual private network security appliance market increased 7.5
per cent).
• In contrast to statements that intrusion detection software is dead, the
growth in intrusion detection appliances show that many organizations
still see the value in monitoring their networks
• Could reached $2 billion in 2005, up from $486 million in 2000.
1000
600
400
200
0
•IDS market will grow 43 per cent to $149m by 2004
•IDS revenue will hit $1.1bn by 2006,
230
800
491
571
634
688
327
70
2002
2003
IPS Revenue
2004
2005
IDS Revenue
• IDS is dead, long live IPS
• By year end 2004, advances in non-signature based intrusion detection
technology will enable network-based intrusion prevention to replace 50%
of established IDS deployments and capture 75% of new deployments.
• By end of 2003, 90% of IDS deployments will fail when false positives are not
reduced by 50%.
Information Networking Security and Assurance Lab
National Chung Cheng University
http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
458
Security Platform Evolution
459
Information Networking Security and Assurance Lab
National Chung Cheng University
Source: Gartner Research
IDS Battle: Statements From Marcus Ranum
The IDS battle of the day after tomorrow will be applying
_relevance_ and _significance_ to the correlated results
The IDS battle of tomorrow will be data
correlation from varieties of sources
IDS battle of today is detection algorithms
Information Networking Security and Assurance Lab
National Chung Cheng University
460
http://archives.neohapsis.com/archives/sf/ids/2002-q1/0271.html
Other Suggestions From Xerox
 Detect a wide variety of intrusion types
 Very high certainty
 Real-time detection
 Develop a network-wide view rather than local views
 Analysis must work reliably with incomplete data
 Detect unanticipated attack methods
 Scale to very large heterogeneous systems
 What data to collect for maximal effectiveness; network instrumentation
 Automated response
 Discover or narrow down the source of an attack
 Integrate with network management and fault diagnosis
 Infer intent; forming the big picture
 Cooperative problem solving
http://www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt
461
Information Networking Security and Assurance Lab
National Chung Cheng University
My Opinions  MEAP
Performance
Management
Accuracy
Evasion
462
Information Networking Security and Assurance Lab
National Chung Cheng University
463
Information Networking Security and Assurance Lab
National Chung Cheng University

similar documents