62 - Systems and Network Security Flashcards
Security Basics
CIA - confidentiality, integrity, availability
Security, functionality and ease of use (triangle) - we have to balance them (the most secure option is to bury the system at the bottom of the sea, but then it probably won't be very usable)
Hacker types and hacking phases
• White Hats - Ethical hackers, hired by a customer for testing, improving their security or other defensive purposes.
Well respected and don’t use their skills and knowledge without prior consent.
• Black Hats - Using their skills illegally for either personal gain or malicious intent.
Black Hats do not ask for permission or consent.
• Gray Hats - Neither good, nor bad.
They are either curious about hacking or feel it is their duty to demonstrate security flaws in systems, with or without the owner's permission.
- Hacktivist - hacker with political or ideological motivation
- Suicide Hacker
- Ethical Hacker
Hacking Stages
• Reconnaissance - Gather evidence and information on the targets before attack.
- Passive – gathering without the target's knowledge
- Active – may or may not be discovered (higher risk of discovery)
- Scanning and enumeration - Gather more in-depth information
- Gaining access - The main attack phase: bypassing security controls, abusing vulnerabilities, etc.
- Escalation of privileges - Gaining more privileges within the system (from user to root)
- Maintaining access - Ensuring there is a way back into the system using a backdoor
- Covering tracks - Hide before discovery
Types of testing
• Black Box - Method of software testing without knowledge of the internal structure and code of the application under test.
- Usually used for testing from the perspective of a real attacker.
- Black box testing is designed to simulate a real, unknown hacker from outside.
• White Box - Method of testing with access to the internal structure of the application and/or its code.
- It usually refers to a methodology where the tester has full knowledge of the application/system under test.
- Designed to simulate an internal threat – insider, disgruntled employee
• Grey Box - Combination of black-box and white-box testing,
- which benefits from the straightforward technique of black-box testing and combines it with the knowledge base of the code-oriented white-box method.
- The tester starts with some level of privileges and targets escalation within the tested application, network or system.
Reconnaissance
• Seven-Step Information-Gathering Process (CEH)
- Information gathering
- Determining the network range
- Identifying active machines
- Finding open ports and access points
- OS fingerprinting
- Fingerprinting services
- Mapping the network attack surface
• Social networks
• Social engineering
• Tools: nmap
Footprinting (Looking for any information, no matter how big or small, that might give a better insight into the target)
= Process of gathering information on systems, applications and network
• Active Footprinting - Requires taking actions against the target - scans against computers, banner grabbing
• Passive Footprinting - Without interacting or communicating with the target (Public information, web, DNS, Social Engineering, Competitive intelligence)
• Anonymous vs. Pseudonymous
DNS Footprinting - trying to access the information about the internal structure, IP addresses, systems, etc.
• DNS – mapping service for names and IP addresses
• IANA – Internet Assigned Numbers Authority
- Full of information about internal structure, IP addresses, systems
• Record Types:
SRV Service
SOA Start of Authority
PTR Pointer
NS Name Server
MX Mail Exchange
CNAME Canonical Name
A Address
• DNS poisoning and DNSSEC
• Tools: whois, nslookup, dig, tracert, traceroute
Google hacking
Vulnerabilities
- “#-Frontpage-“ inurl:administrators.pwd
- cache:”access denied for user” “using password”
Cameras
• inurl:”ViewerFrame?Mode=“
• inurl:control/userimage
Server files
• intitle:index.of
• cache:define inurl:/conf
Anonymous googling:
• Use cache, “&strip=1”
Scanning and enumeration - Gather more in-depth information
Scanning and Enumeration = Process of discovering systems on a network and their open ports, and identifying the applications behind them
Identify live systems
• Ping each IP address of the subnet to see which IP is alive
• Using ICMP protocol, TCP scanning
• Could be blocked by FW, IDS/IPS systems
Discover open ports
• Scanning ports of the systems to identify listening services
• Horizontal Scan – a scan of multiple hosts against one port
• Vertical Scan – a scan of one host across all ports
• Port ranges: 0–1023 (well-known), 1024–49151 (registered), 49152–65535 (dynamic)
Nmap - Open-source network scanning tool (determine live systems, TCP sweep, SYN scan, UDP scan, ...)
Identify operating system and services
• Fingerprinting – analyze OS and service replies to identify the operating system
• Banner grabbing – analyzing the banner of the service to identify version, OS, type of service, and more
- Commonly done with telnet, a proxy for web applications, and other tools (get server version, mail server data, version, etc.)
Scan for vulnerabilities
• Versions of services and OS with known vulnerabilities
• Specialized tools: Nessus
- Scan Types and TCP Flags with response
Hiding (proxies, anonymizers, ...)
Proxy
• Using specialized systems to hide the IP address by relaying traffic through a proxy
• TOR – onion-routed proxy service
IP spoofing
• Obscures the source IP address
• Spoofing the IP address may mean the reply packets never find their way back
Source routing
• Specifying the route of a packet regardless of route tables
• The attacker can use an IP address of another machine on the subnet and have all the return traffic sent back, regardless of which routers are in transit.
• Most firewalls and routers detect and block source-routed packets
Anonymizers
• Services to hide the identity, IP address, country of origin, etc.
• http://www.anonymouse.org
Sniffing
Sniffing = Capturing packets from wire or air to analyze and find interesting information
Promiscuous mode of the network interface captures all packets regardless of source and destination IP address
• Portable devices, phones, tablets?
Collision domains
• Sharing the transport medium
• Switched network – how to sniff?
Open protocols without encryption
• All information available for sniffer
• HTTP without SSL
• Username / Passwords
tcpdump, wireshark, ettercap
Evade Security Controls
ARP protocol
• ARP is a broadcast protocol for communication within a collision domain
• IP address translated to MAC address
• CAM table – content addressable memory, all MAC addresses
ARP Flooding
• Generating ARP packets to fill the CAM table. When the CAM table is full and the switch receives a frame with no entry in the CAM table, it broadcasts the frame to all ports, turning itself into a hub.
• In case of multiple entries in the CAM table, the last record is used.
• Port security – manually assign MAC address to a specific port
MAC spoofing
• A valid user with MAC 0A-1B-2C-3D-4E-6F is connected to port 2. An attacker connects to port 3 and spoofs the MAC address 0A-1B-2C-3D-4E-6F. The switch notices that the MAC address of the valid user, formerly on port 2, seems to have moved to port 3 and updates the CAM table. The attacker sees all communication destined for the valid user as long as this is kept up.
Intrusion Detection Systems
= Tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity
- Network system for monitoring and detecting malicious or unwanted network activity
- Alerts the administrator or other security mechanisms
- Captures and analyzes communication on the network interface
- Detects malicious code
- Provides information about illegal activity
- Passive mechanism (does not prevent the malicious behavior)
- Host, Network based IDS and IPS systems
- Evasion: IP fragmentation, Unicode characters, Slow actions
Firewalls, honeypots and password cracking
Firewalls
• Rule-based packet filters. First rule matched executes.
• Stateful inspection firewalls – tracks the entire status of the connection
• ICMP blocked with error code Type 3 Code 13
• Firewalking – determine what is opened on Firewall
• WAF – Web Application Firewall
• HTTP Tunneling – evasion technique tunneling protocols over HTTP
• ACK Tunnel – communicating with ACK messages
Honeypots
• Honey pot – Invitation for attackers as easy prey, often vulnerable to various types of attacks, full of services
• Capability of obtaining a lot of information about an attack or malware
• Can record the attack vector, characteristics and behavior, used tools, methods, exploits
• Best way to obtain new types of attacks, zero-day vulnerabilities, code and programs for further analysis
Password cracking
Bad Passwords
• Short, blank, usernames, common dictionary, default values
• Dictionary words: password, Heslo123, qwerty, asdasdasd, test, …
Password attacks
• Dictionary attack – enumerate commonly used passwords
• Bruteforce attack – all possible combinations
• Hybrid attack – dictionary attack with variable upper/lower case, numbers
• Replay attack – Don’t break hash, replay the packet/message
Kerberos
Keyloggers
• Software, Hardware
• AV software can detect?
Windows and Linux Security
Patch Management
• The most problematic security threat is an out-of-date Windows machine
• 0-day (zero-day) vulnerabilities and exploits – Microsoft has had zero days to patch the vulnerability
Passwords
• Stored in SAM file, located in c:\windows\system32\config directory.
• LAN Manager, NTLM, NTLMv2 – MD5
• Rainbow Tables
Escalating Privileges
1. Obtain administrator password
2. Take advantage of a found vulnerability
3. Use Metasploit
4. Social Engineering
Linux Security
• File-system security
• Access control through user permissions - chmod 777 file
• Dangerous SUID bits
Passwords
• Located in clear text in /etc/passwd, or in /etc/shadow if shadowed
Buffer Overflow
- The faulty code does not check whether the source buffer is too large to fit in the destination buffer.
- When the function returns, the CPU unwinds the stack frame and pops the (now modified) return address from the stack.
- Control does not return to the caller as it should. Instead, arbitrary code (chosen by the attacker when crafting the initial input) is executed.
#include <string.h>

/* Deliberately vulnerable example: strcpy copies s without a bounds check */
void f(char* s) {
    char buffer[10];
    strcpy(buffer, s);  /* overflows buffer when s holds 10 or more characters */
}
Defense:
• Code auditing
• Non-executable stacks
• Randomize virtual address space
Security Hardening
Least Privileges
• Grant only those privileges that are necessary
• Run services with non-privileged users
• Restrict remote access to privileged accounts
Minimize attack surface
• Stop and remove all unnecessary services
• Remove all unused personal and non-personal accounts
• Remove all unused libraries, tools, packages
Keep security high
• Set a policy for password strength (minimum length 8, letters, numbers, special characters, not a dictionary word)
• Set firewall with least privilege rules policy
Rootkits
= Collection of software put in place by an attacker that is designed to obscure system compromise
- a set of computer programs used to mask the presence of malicious software on a computer, for example viruses, trojan horses, spyware and the like.
- Application level - Works within the application, change application’s behavior, user rights level, and actions
- Kernel level - Attacks boot sectors and kernel level of the operating system, most dangerous and difficult to detect
- Library level - Uses system-level calls to hide its existence
Attacks - Human vs. computer based and other attacks
Human Based
Dumpster Diving
• Rifling through the dumpsters, paper-recycling bins, and office trashcans
Impersonation
• Pretending to be an employee, a valid user, or an executive (VIP)
Technical Support
• Form of impersonation aimed at technical support to solve problems such as a forgotten password
Shoulder Surfing
• Look over someone's shoulder to watch them log in or access sensitive data, even from a long distance
Tailgating and Piggybacking
• Follow an authorized person through an open door
Piggybacking – ask for help, convincingly claiming a lost or forgotten badge
Computer Based
Social networks
• Facebook, Google+, Linkedin, Twitter, …
• Plenty of personal or professional information for attack
• Friend of a friend
Phishing
• Crafting an e-mail that appears legitimate but in fact contains malware, links to fake websites, or links to download malicious content
• No security technology is able to detect
Rogue security software
• Modern implementation of malware
• Fake AV programs carrying malware
Disgruntled employee
• Easy to convince, has a lot of sensitive information
• Biggest threat to company
Reflected / Spoofed attack
• Spoofing the target's IP address and sending a huge number of SYN or SYN/ACK packets to a list of zombies. They reply with RST to the target.
Ping of Death
• RFC-unspecified behavior with a large ping payload crashing the target operating system
Smurf attack
• Send a large number of ICMP packets with the source IP address of the target to a broadcast address; all machines reply to the target, using all bandwidth and preventing legitimate traffic from reaching the destination.
SYN flood
• A large number of SYN packets sent to the target leave connections “half-open”, saturating the number of connections. The target is not able to accept more connections, denying legitimate ones.
Teardrop attack
• Using IP fragmentation with oversized payloads. After reassembling the packets, the target machine crashes due to a vulnerability in the reassembly code.