Imagine a building with 65535 closed doors. Most of these doors are locked, but some will open if you knock on them (although they may still not let you in). A scan is like trying each of these doors in turn.
Obviously, scans are done by people trying to find a way in. The reason they scan first is that some of the doors (ports) may open if knocked on, or may be opened by a program (a doorman) that identifies itself. This gives them valuable information on what kind of security (if any) they are facing, and what revisions of software components can be seen.
Finding this out is half the challenge ... the other half is exploiting the holes.
Back to the analogy: there is more than one way to try a door ... but in every single case, you must interact with the door, somehow, to determine if it may be opened. The obvious interaction is banging on the door... however, if you do not wish to alert the security guards, this is probably a bad approach. There are slightly quieter approaches (such as, moving the door handle slightly).
A port scan on a computer can be as simple as rattling the door handle of one door, or as lengthy as combinations of tapping, rattling and banging on every one of the 65535 doors, in parallel, to see which respond and how.
In the early days of scanning, tools scanned ports sequentially, and simply attempted a full connection with each port. These scans gave interesting results, but became so common that port scan detectors were quickly designed to set off alarms if the computer under attack noticed doors being accessed like this in a sequential manner. Then came random port scans ... simple randomizing of the order of doors, and intervals between door knocks. This soon became easy to detect also.
Next stage in the arms race: by looking at the protocol involved in knocking on doors, it became possible to program a so-called 'stealth' scan (the TCP SYN scan). This is more subtle than a straight knock. If your objective is to know whether the door would be answered, but you don't want it opened yet, it is possible to do a few different "half-knocks" that reveal whether the door is "alive" but do not alert higher level security or logging systems that the door was tried.
Next in port scan technology came the FIN scan. This is like an inverse half-knock(!). It happens that computer packet handlers (TCP stacks) have an interesting characteristic: a FIN packet (a type of negotiation packet) addressed to a "dead" (closed) door is answered with an RST packet, but an alive (open) door does NOT answer at all. Therefore, a FIN scan can identify all the dead doors, and leave you with a list of potentially alive ones. Because the lowest level of the operating system is handling this, most port scan alarm systems have no awareness that it is happening.
If the FIN scan is not good enough, then there is the fragmentation scan. This breaks probe packets up, to possibly get through firewalls or avoid port alarms, and then be reassembled by the victim's computer to possibly reveal an open port.
Once a port scanner has assembled a list of potentially alive port numbers (doors), it has a good chance of identifying the operating system, the machine hardware, and which alive doors may have faulty "doormen" (software) behind them.
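The detection side of the arms race described above, as an added example that is not part of the original page: a small C routine that reads constructed connection-log lines in an assumed "<src_ip> <dst_port>" format and alarms once a single address has touched a threshold of distinct ports. Because it counts distinct ports rather than looking for sequential order, randomizing the scan order does not evade it; as the page notes for FIN and similar half-knocks, anything that never reaches the connection log is invisible to it.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SOURCES 16      /* constructed limit for this example */
#define SCAN_THRESHOLD 8    /* distinct ports from one address before alarming */

/* One record per remote address: a bitmap of destination ports it has touched,
 * so a retried port counts once and the order of probing does not matter. */
struct source {
    char addr[16];
    unsigned char ports[65536 / 8];
    int distinct;
};
static struct source table[MAX_SOURCES];
static int nsources;

void reset_table(void) { nsources = 0; }
static struct source *find_or_add(const char *addr) {
    for (int i = 0; i < nsources; i++)
        if (strcmp(table[i].addr, addr) == 0) return &table[i];
    if (nsources == MAX_SOURCES) return NULL;
    struct source *s = &table[nsources++];
    memset(s, 0, sizeof *s);
    strncpy(s->addr, addr, sizeof s->addr - 1);
    return s;
}

/* Feed one connection-log line, assumed here to look like "<src_ip> <dst_port>".
 * Returns the number of distinct ports that source has now touched, or -1 if
 * the line is malformed or the table is full. */
int record_attempt(const char *line) {
    char addr[16]; unsigned port;
    if (sscanf(line, "%15s %u", addr, &port) != 2 || port > 65535) return -1;
    struct source *s = find_or_add(addr);
    if (s == NULL) return -1;
    unsigned byte = port / 8, mask = 1u << (port % 8);
    if (!(s->ports[byte] & mask)) {      /* first time this address hit this port */
        s->ports[byte] |= mask;
        s->distinct++;
    }
    return s->distinct;
}

/* Alarm once an address has touched SCAN_THRESHOLD distinct ports, whether it
 * walked them sequentially or in random order. */
int is_scanning(const char *addr) {
    for (int i = 0; i < nsources; i++)
        if (strcmp(table[i].addr, addr) == 0) return table[i].distinct >= SCAN_THRESHOLD;
    return 0;
}
```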
How systems are broken (owned in underground terminology)
1. Passwords: If your computer has passwords, it may be possible to guess them, sometimes by what is known as "brute force".
2. Exploitable flaws in gatekeeping programs: Tricking a program into doing something it should not do, usually modifying a file, deleting a file, or returning information that should not be returned, by taking advantage of a known software bug. Webservers are incredibly complex gatekeepers or guardians of information, and currently have the richest variety of exploitable flaws or insecurities that creep into their setup and administration.
3. Buffer Overflows: Many programs, even the ones that operate as gatekeepers, are written with the assumption that inputs are always shorter than some given length. This has come about mainly due to a characteristic of the C programming language, which encourages (or more strictly, does not disallow) programmers to allocate fixed-size character buffers when reading data, and then not check for the case of input data overwriting those buffers. If the input data is unexpectedly large, the data may write over into the program's stack, and cause either a crash or, worse, execution of code that the intruder plants into the input data.
4. Trojans: Tricking a computer into running something that contains code which compromises the machine is what a Trojan does. It can take almost any form, such as a screen saver or a Christmas greeting program. A Trojan usually arrives by email or by IRC file-send, or in some cases from a web page. Trojans are sophisticated and unlikely to have been written specifically for either the person using them or the target they are used against, but with binary standards and more complex home operating systems, they are becoming more common.
5. Man in the Middle: The interception of communication between two computers gives the opportunity to either listen for information, possibly leading to cracking via passwords, or to impersonate one party, therefore leading to betrayal of trust. More complex betrayal intrusions can involve three or more parties.
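The fixed-size-buffer mistake from item 3 above, with its hardened form alongside it, as an added C example that is not part of the original page (the 16-byte NAME_MAX buffer and the inputs are constructed for illustration):

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size buffer, sized on the assumption "names are short" */

/* The pattern the page describes: the input is assumed to fit and is copied
 * with no length check.  Anything 16 bytes or longer runs off the end of
 * 'name' into whatever the compiler placed next on the stack.  Kept here only
 * for contrast; main() never feeds it oversized data. */
void greet_unchecked(const char *input) {
    char name[NAME_MAX];
    strcpy(name, input);               /* overflow if strlen(input) >= NAME_MAX */
    printf("hello %s\n", name);
}

/* Hardened form: compare the input length against the real buffer size before
 * copying, and reject (rather than silently truncate) anything that will not
 * fit.  Returns 1 on success, 0 if the input would have overflowed dst. */
int copy_checked(char *dst, size_t dstsize, const char *input) {
    size_t len = strlen(input);
    if (dstsize == 0 || len >= dstsize)   /* one extra byte is needed for the NUL */
        return 0;
    memcpy(dst, input, len + 1);
    return 1;
}

int greet_checked(const char *input) {
    char name[NAME_MAX];
    if (!copy_checked(name, sizeof name, input)) {
        fprintf(stderr, "rejected: %zu-byte input exceeds %d-byte buffer\n",
                strlen(input), NAME_MAX - 1);
        return 0;
    }
    printf("hello %s\n", name);
    return 1;
}

int main(void) {
    /* Constructed inputs: a 5-byte name that fits, and a 40-byte string that
     * would overrun the 16-byte buffer inside greet_unchecked(). */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    greet_unchecked(short_input);   /* fits, so the unchecked copy looks fine */
    greet_checked(short_input);     /* accepted */
    greet_checked(long_input);      /* rejected instead of overwriting the stack */
    return 0;
}
```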
Locating Vulnerable Systems
Information is gained by:
1. Scanning: Programs can scan a domain looking for telltale fingerprints of a system running services with known flaws.
2. Social Engineering: Simply contacting an organization and asking for a password is remarkably effective for the brazen armed with a little background information about the victims.
3. Sniffing: By compromising an otherwise uninteresting host, packet sniffers can be set up to watch data passing by the host that will lead to more information. Sniffers usually just look for cleartext passwords, but can also watch sessions and figure out which machines trust which other machines, information that is invaluable for attacking corporations.
Denial of Service (DoS Attacks)
A "denial-of-service" attack is an explicit attempt by attackers to prevent legitimate use of a service by those who depend upon it. Some examples are attempting to "flood" a network, thereby preventing legitimate network traffic, attempting to disrupt connections between two machines, thereby preventing access to a service, attempting to prevent a particular individual from accessing a service, and attempting to disrupt service to a specific system or person.
Denial of Service attacks are numerous and difficult to defend against, because they exploit very low level flaws in communications protocols, protocols designed in more academic environments. However, when a machine that provides security-related information is muzzled, denial of service can possibly lead to break-ins. If a logging machine is crashed via a packet handling flaw, then because it is no longer logging activity, more ambitious attacks can be mounted.
Spoofing
Not getting caught is obviously of paramount importance to an attacker, so they go to incredible lengths to cover their tracks. Spoofed packets contain an invalid or innocent "from" address. Without access to network administrators, it is impossible to tell the origin from data at the point of reception. The trouble with this, from the attacker's point of view, is that if they are invisible, they also cannot get any return data! Therefore, they can attempt to use proxies to remain connected. Proxies are usually innocent computers previously "owned", with relay programs set up on them. Conveniently, certain service programs like FTP, Wingate or Socks, when incorrectly configured, can act as relays even without the host being cracked, so scanning for possible proxies that may be used is also a common activity.
What does Secure-Me concentrate on?
Evaluating the security of corporate networks cannot be done with anything so simple as an automated tool, so Secure-Me is aimed at auditing the security of a simple home PC or a simple small business gateway machine, in the context of the increase in the number of machines now hooked to the net fulltime. In this situation, the possible security loopholes are fewer, and the evaluation becomes easier to automate. On the other hand, however, the number of people with access to scanning tools and the amount of bandwidth they have to use them are growing, so anyone who is running an insecure service or a misconfigured computer can easily be found and "owned".
Simply put, Secure-Me gives the machine a brief scan for what open services it runs, then uses some common crack scripts and programs that are in use now by the net underground to probe for possible risks with those services. The tools Secure-Me uses are really just an automated collection of cracking scripts and programs, orchestrated to report their results in one file. In a way, it is like an online webified version of SATAN (an old cracking toolkit), but considerably more complete with newer tools.
SYN Floods
A SYN flood is a stream of packets that each initiate a new TCP session, but no follow-up packets are sent to complete the connection handshake.
Targeted at a service port, this will usually overload the server such that it cannot respond to connection requests from real clients, because the server can only keep a limited number of connection slots active at any one time.
A SYN flood is one class of attack known as a denial of service attack. The source address of SYN flood packets can be set to any address on the net, making location of the source of a SYN flood attack difficult.
NetBIOS
Windows operating systems (Win95, Win98 and NT) implement a network protocol called NetBIOS. A machine with NetBIOS running over TCP/IP usually listens on several ports for SMB packets (regular IP packets with Microsoft formats inside them).
By default, Windows machines advertise their existence and their name, domain and usernames to anything that asks, without requiring a password for this information. Your desktop configuration may not have any public shares, or all shares may be password protected, but your machine will still advertise its login name and workgroup name to anything that asks it. It may also crash if sent a NetBIOS packet designed to exploit a bug.
nbtstat is the name of a Windows command prompt program that can be used to query any machine for this information.
smbclient is the name of a Samba program that can also talk SMB.