An attacker gains access to a system and plants a Trojan on it. The Trojan then provides additional means of access for staging other kinds of attacks. The following are the common types of Trojans:
-Password Sending/Capturing
-FTP Trojans
-Keystroke Capture
-Destructive
-Denial of Service
-Proxy/MITM Trojans
-Remote Access
-Software Detection Killers
(MITM stands for Man-in-the-Middle)
Trojans can be introduced through various means. The following are the most common:
-Chat Clients (ICQ, IRC, MSN, AIM, Yahoo, Trillian)
-Email Attachments
-Physical Access
-Browser and E-Mail Software Bugs (e.g. Cross-Site Scripting)
-File Sharing
-Wrappers
-Bogus Freeware Sites
Tini is a low-profile Trojan that listens on TCP port 7777. The file is only about 3KB, so it leaves a very small footprint. When you connect to it, you are given a command prompt.
Netcat is a general-purpose network tool rather than a Trojan, but it can listen on any TCP or UDP port and hand whoever connects the system's command line (its -e option), so it is commonly planted as a backdoor in the same way.
SubSeven is a Trojan that gives the attacker access over the network. The infected system runs the Server component, while the attacker runs the Client. The client can perform a range of prank and destructive operations.
Back Orifice 2000 can be installed together with a rootkit so that it is hidden. Back Orifice was one of the most widely spread Trojans on Windows. The server is only about 100KB and the client about 500KB. Back Orifice 2000 gives the attacker complete control of the system.
NetBus features a similar client/server architecture.
Wrappers bundle two or more programs into one package. Typically a wrapper combines a Trojan with a legitimate program. When the package is run, the legitimate program runs as expected and the Trojan runs alongside it.
An example of a wrapper is eLiTeWrap. eLiTeWrap lets you specify which of the wrapped programs should be visible when run and which should stay hidden.
After wrapping, you may change the executable's icon with IconPlus or Restorator so the package looks like the legitimate program.
Spreading Trojans via Removable Media
If the system is set up to use AutoRun, you can create an autorun.inf on the media with the following syntax (Windows 7 and later, and older versions with Microsoft's AutoRun update applied, only honour autorun.inf on optical media, so this is limited to older or unpatched machines):
[autorun]
open=Trojan.exe
icon=Trojan.ico
When Back Orifice became popular, a program called BOSniffer was circulated as a tool that sniffs for Back Orifice and removes it. It was in fact a Trojan itself and installed Back Orifice, a reminder to verify any "cleaner" before running it.
There are programs such as FireKiller that disable all firewalls and anti-virus programs running on the host.
Trojans can also wait for legitimate outbound traffic and tunnel their data through the same channel. Reverse WWW is the technique where the infected computer initiates connections outwards to the attacker, usually over port 80 so that it looks like ordinary web browsing. Because the connection originates from the inside, it passes stateful firewalls that block inbound connections but allow outbound web traffic.
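The Reverse WWW exchange described above, as an added example (not the original Reverse WWW Shell code, and the class and function names are hypothetical). The "attacker" side is a plain HTTP server holding a task queue; the implant never listens on anything. It polls outbound with an ordinary GET, runs the task, and POSTs the result back, which is exactly what gets through a firewall that permits outbound web traffic. The tasks are a fixed whitelist here so the demo never executes arbitrary strings.

```python
import http.server
import json
import os
import socket
import threading
import urllib.request

# Constructed demo of the Reverse WWW pattern; hypothetical names, written
# for this note. Everything runs on loopback, so it works offline.

class Controller(http.server.BaseHTTPRequestHandler):
    commands = []      # attacker's task queue, set by start_controller()
    results = []       # what the implant sent back

    def do_GET(self):
        # Implant asks "anything for me?"; an empty body means "no task".
        body = (self.commands.pop(0) if self.commands else "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.results.append(json.loads(self.rfile.read(length)))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):   # silence the default access log
        pass

def start_controller(tasks):
    Controller.commands = list(tasks)
    Controller.results = []
    srv = http.server.HTTPServer(("127.0.0.1", 0), Controller)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

# The demo deliberately does not execute arbitrary strings; a real implant
# would hand the task to a shell. These two are safe to run anywhere.
TASKS = {
    "hostname": socket.gethostname,
    "cwd": os.getcwd,
}

def beacon(url):
    """One poll cycle of the implant: GET a task, run it, POST the result.
    Returns the POST status, or None when the controller had nothing queued."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        task = resp.read().decode()
    if not task:
        return None
    output = TASKS.get(task, lambda: "unknown task")()
    req = urllib.request.Request(
        url, data=json.dumps({"cmd": task, "out": output}).encode(),
        method="POST", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

def run_demo(tasks=("hostname", "cwd")):
    """Drive the implant until the queue is empty; return what the attacker got."""
    srv = start_controller(tasks)
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    while beacon(url) is not None:
        pass
    srv.shutdown()
    srv.server_close()
    return list(Controller.results)

if __name__ == "__main__":
    for r in run_demo():
        print(r["cmd"], "->", r["out"])
```

From the defender's side the same exchange is what proxy or firewall logs show: a host fetching one small URL at regular intervals, each GET followed by a POST, long after the user has stopped browsing. That beaconing rhythm, not the port, is what to hunt for.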
Fport reports all open TCP and UDP ports on a Windows system along with the process that owns each one. TCPView shows all active TCP and UDP endpoints in real time. Both are useful for spotting a listening Trojan.
There are also destructive Trojans, such as HDKP, designed specifically to destroy hard disks.
At times you will find hash strings published next to files you download. Hashing the downloaded file yourself and comparing the result with the published string tells you whether the file was altered in transit or on the mirror. This is a manual integrity check; note that a hash published on the same site as the download only detects accidental corruption or a tampered mirror, since whoever controls the site can change both the file and its hash.
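The manual integrity check above in code, as an added example (not from the original post; the file name and contents are constructed). It hashes the download in chunks so a multi-gigabyte ISO does not have to fit in memory, tolerates the case and whitespace differences you get when copying a hash off a web page, and uses a constant-time comparison.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large download does not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_digest, algorithm="sha256"):
    """True if the file matches the published hex digest.
    Case and surrounding whitespace in the copied string are ignored; the
    comparison is constant-time, which is cheap insurance in any verifier."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)

def demo():
    """Constructed stand-in for a download and its published hash: verify the
    clean file, then append one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.zip")
        content = b"pretend this is the installer\n"
        with open(path, "wb") as f:
            f.write(content)
        published = hashlib.sha256(content).hexdigest().upper()   # as copied off a web page
        ok_before = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")                                        # tampered / corrupted
        ok_after = verify_download(path, published)
    return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```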
A sniffer is designed to capture and monitor network traffic. Basic sniffers capture raw packets; more capable ones decode the protocols inside them ("protocol analyzers").
Network users often send sensitive information over insecure protocols (such as Telnet, POP3, SMTP, etc.). A popular tool for sniffing the network is Ethereal (now Wireshark). It can capture an entire TCP conversation and reassemble it: right-click a packet and choose Follow TCP Stream.
Snort can run as a packet logger and sniffer, but it was designed as a network-based IDS. It inspects traffic for signature matches and for anomalous traffic conditions. WinDump is a popular CLI packet-capture program (the Windows port of tcpdump). EtherPeek and many others do about the same thing; the main difference is how the data is presented.
Passive sniffing refers to sniffing on a shared medium such as a hub, where every port sees every frame. Active sniffing refers to sniffing on a switch, which only delivers a frame to the port of its destination MAC, so extra work is required to get the traffic to you.
One approach is to make the switch behave like a hub by exhausting its MAC address (CAM) table. EtherFlood does this by sending thousands of frames per second with random source MAC addresses (it uses gratuitous ARPs for this). After a short time the CAM table is full, the switch can no longer learn new addresses, and frames to any address it does not know are flooded out of every port, where the attacker can capture them.
dsniff is a sniffer that extracts passwords from cleartext protocols (FTP, Telnet, POP, HTTP and many others). mailsnarf, from the same suite, filters out mail traffic and saves the messages.
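What Follow TCP Stream does, and what dsniff then does with the result, as one added example (not code from the post or from either tool; the capture, addresses and credentials are constructed). The segments arrive out of order and include a retransmission, which is what a real capture looks like; the reassembler stitches each direction back together by sequence number, and the harvester runs a dsniff-style pattern over the client-to-server side of cleartext protocols.

```python
import re
from collections import defaultdict

# Constructed capture of a POP3 login, one tuple per TCP segment:
# (src_ip, src_port, dst_ip, dst_port, seq, payload). Hypothetical addresses
# and credentials, written for this note rather than taken from any tool.
SEGMENTS = [
    ("10.0.0.9", 110,   "10.0.0.5", 51000, 5000, b"+OK POP3 server ready\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 110,   1000, b"USER alice\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 110,   1020, b"ter2\r\n"),       # arrives early
    ("10.0.0.5", 51000, "10.0.0.9", 110,   1012, b"PASS hun"),       # command split in two
    ("10.0.0.5", 51000, "10.0.0.9", 110,   1012, b"PASS hun"),       # retransmitted copy
    ("10.0.0.9", 110,   "10.0.0.5", 51000, 5023, b"+OK user alice\r\n"),
]

def reassemble(segments):
    """Group segments by direction and stitch payloads in sequence order,
    dropping bytes already seen. This is what Follow TCP Stream does."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        flows[(src, sport, dst, dport)].append((seq, data))
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf = bytearray()
        next_seq = segs[0][0]
        for seq, data in segs:
            if seq + len(data) <= next_seq:
                continue                              # pure retransmission
            if seq < next_seq:
                data = data[next_seq - seq:]          # partial overlap: keep new bytes
            elif seq > next_seq:
                buf.extend(b"?" * (seq - next_seq))   # lost segment: mark the gap
            buf.extend(data)
            next_seq = seq + len(data)
        streams[key] = bytes(buf)
    return streams

# Cleartext login commands that dsniff-style tools watch for.
CLEARTEXT_PORTS = {21, 23, 25, 110, 143}
CRED_RE = re.compile(rb"^(USER|PASS|LOGIN)[ \t]+(\S+)", re.M)

def harvest_credentials(streams):
    """Scan client-to-server streams on cleartext ports for login commands."""
    found = []
    for (src, sport, dst, dport), data in streams.items():
        if dport in CLEARTEXT_PORTS:
            for m in CRED_RE.finditer(data):
                found.append((src, dst, dport, m.group(1).decode(), m.group(2).decode()))
    return found

if __name__ == "__main__":
    streams = reassemble(SEGMENTS)
    for flow, data in streams.items():
        print(flow, data)
    print(harvest_credentials(streams))
```

The retransmission handling matters: a naive "concatenate in arrival order" would print "PASS hunPASS hunter2" and miss the password, which is one reason tools built on proper reassembly outrun a grep over raw packets.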
ARP spoofing is the sending of forged ARP messages so that another host's IP address becomes associated with the attacker's MAC address. It is a different thing from MAC spoofing, which simply changes the MAC address your own NIC presents. SMAC is a tool for changing the MAC address on Windows. MAC spoofing lets you get past access lists based on MAC addresses, such as those used on wireless networks.
HTTPS and SSH Sniffing
We can capture HTTPS and SSH traffic just as easily, but it is encrypted, so passive capture yields nothing readable. To read it we have to get in the middle: convince both sides to connect to our computer (for example with ARP poisoning), present the client with a certificate or SSH host key of our own, and open a separate encrypted session to the real server. We then decrypt, log and re-encrypt in both directions, which is a MITM attack. The client will see a certificate warning (or an SSH host-key mismatch) unless the user clicks through it or our certificate is signed by a CA the client trusts.
Macof (part of the dsniff suite) is another flooding tool like EtherFlood.
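Why EtherFlood and macof work, shown with a toy model of a learning switch (an added example written for this note; hypothetical code, not any vendor's implementation or either tool's source). Before the flood, a frame from Alice to Bob goes only to Bob's port; after the table ages out and is refilled with bogus addresses, Bob's reply cannot be learned, so every frame to him is flooded out of all ports, including the attacker's.

```python
# Toy learning switch with a bounded CAM table. Hypothetical model written
# for this note; real switches differ in aging and eviction details.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports, cam_size):
        self.ports = set(ports)
        self.cam_size = cam_size
        self.cam = {}                  # MAC -> port, learned from source addresses

    def forward(self, src_mac, dst_mac, in_port):
        """Deliver one frame; return the set of ports it is sent out of."""
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = in_port          # learn where this MAC lives
        out = self.cam.get(dst_mac)
        if out is None or dst_mac == BROADCAST:
            return self.ports - {in_port}        # unknown unicast / broadcast: flood
        return {out}

    def expire_all(self):
        """The aging timer firing (300 seconds by default on many switches)."""
        self.cam.clear()

def bogus_mac(i):
    """Deterministic stand-in for the random source MACs a flooder generates."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)

def demo(cam_size=64, flood_frames=200):
    """Return (ports Alice->Bob reaches before the flood, after it, CAM entries)."""
    sw = Switch(ports={1, 2, 3}, cam_size=cam_size)   # attacker sits on port 3
    alice, bob = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(alice, bob, 1)             # bob unknown yet -> flooded once
    sw.forward(bob, alice, 2)             # switch learns bob on port 2
    before = sw.forward(alice, bob, 1)    # {2}: port 3 sees nothing

    sw.expire_all()                       # entries age out...
    for i in range(flood_frames):         # ...and the flood refills the table first
        sw.forward(bogus_mac(i), BROADCAST, 3)
    sw.forward(alice, bob, 1)             # flooded (bob aged out)...
    sw.forward(bob, alice, 2)             # ...and bob's reply cannot be learned: table full
    after = sw.forward(alice, bob, 1)     # still flooded to {2, 3}: the attacker sees it
    return before, after, len(sw.cam)

if __name__ == "__main__":
    print(demo())                         # ({2}, {2, 3}, 64)
    print(demo(cam_size=1000))            # ({2}, {2}, 202): table big enough, no effect
```

The second call shows the defence in the same model: the attack only works while the table is full, which is why port security that caps the number of MAC addresses learned per access port (a few per port is plenty for end systems) stops it at the edge.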
Ettercap is the all-purpose tool for this kind of work, for attackers and analysts alike. It is multipurpose and expandable: it performs ARP poisoning natively, and plugins provide DoS, DNS spoofing and MAC flooding. It has text and ncurses interfaces as well as a GTK front end.
DNS Sniffing and Spoofing
DNS spoofing occurs when a DNS answer points a name at an attacker-chosen IP instead of the legitimate one. When poisoning a DNS cache, an attacker uses a rogue DNS server of his own or a compromised one to plant the false entries. An attacker can also use ARP poisoning to redirect DNS requests to his rogue DNS server.
ARP poisoning is the process whereby an attacker fills the gateway's (or any host's) ARP cache with forged entries, taking over the identity of another host. All packets destined for that host are then sent to the attacker instead.
APR stands for ARP Poison Routing (the term used by Cain & Abel). APR is used in typical MITM attacks: the attacker ARP-poisons both the gateway and the victim so that traffic in both directions is routed through the attacker's machine, which forwards it on so nothing appears broken. This intercepts traffic between the victim and the gateway far more quietly than MAC flooding.
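The APR exchange on the wire, plus the arpwatch-style check that catches it, as an added example (not code from the post or from Cain & Abel; the addresses are hypothetical and the frames are constructed). The builder emits real Ethernet/ARP byte layouts, the parser decodes them, and the watcher flags the two things APR leaves behind: an IP whose MAC changes, and one MAC claiming several IPs.

```python
import socket
import struct
from collections import defaultdict

# Constructed frames and a small detector written for this note.
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def build_arp(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY):
    """Ethernet II header + 28-byte ARP body, as an injector puts it on the wire."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42])}

class ArpWatch:
    """Track IP -> MAC bindings seen in ARP replies and alert on changes."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("binding-changed", ip, old, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            self.alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(self.mac_to_ips[mac]))))

GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_MAC = "00:11:22:33:44:99"

def demo():
    w = ArpWatch()
    # Legitimate replies: gateway and victim answer each other's requests.
    w.observe(build_arp(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    # APR: attacker tells the victim "the gateway is at my MAC" and tells the
    # gateway "the victim is at my MAC", so both directions pass through him.
    w.observe(build_arp(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    return w.alerts

if __name__ == "__main__":
    for a in demo():
        print(a)
```

A watcher like this only reports; the preventive controls are static ARP entries on the hosts that matter and, on managed switches, DHCP snooping with Dynamic ARP Inspection, which drops replies whose IP/MAC pair does not match the lease table.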
In February 2000, Yahoo, Buy.com, eBay, Amazon, E*Trade and CNN all went dark within the same week. This is the classic example of a denial of service attack. A Denial of Service is an attack that keeps legitimate users or customers from accessing a service. It can target the bandwidth or the logic of the system. Often a failed attempt at "owning the box" leads an attacker to launch a DoS instead, the idea being that if they can't gain access, then no one can.
The categories of DoS attacks are:
-Bandwidth Attacks
Flood the connection so much that traffic congestion occurs.
-Protocol Attacks
Attacks like SYN floods, which exhaust the target's connection tables, CPU and memory rather than its link.
-Logic Attacks
An attack that crashes the target by triggering bad code (e.g. SMBDie).
In a Distributed Denial of Service attack, the attacker uses many compromised machines (known as Zombies) to attack a specific target or set of targets at once. The attack appears to come from multiple sources, which makes it much harder to filter at the victim.
The simplest DoS is the Ping of Death. The attacker sends an oversized ping: an ICMP echo request whose fragments reassemble to more than the 65,535-byte IP maximum. The victim's IP stack overflows its reassembly buffer, which was known to cause a BSOD on older NT machines; the damage comes from the malformed packet, not from bandwidth.
SSPing is a DoS tool of this kind. It sends overly large, fragmented ICMP ping packets to the target, which burns its resources reassembling and processing them. It was very effective against Windows 95/NT and old Mac OS.
The Land exploit sends a TCP SYN packet in which the source and destination address and port are identical (both the victim's). Older operating systems would hang because they could not handle such a packet.
Smurf forges ICMP echo requests with a directed-broadcast destination address and the victim's address as the source. Every host on that subnet replies to the victim, so one forged packet is amplified into many replies.
A SYN flood bombards a host with initial TCP SYN packets, usually from spoofed sources. The victim replies to each with a SYN/ACK and waits for the final ACK, which never comes. Each half-open connection occupies a slot in the listen backlog; once the backlog is full the victim can no longer establish new connections and stops responding to legitimate traffic.
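The three packet-shaped attacks above (Land, Smurf, SYN flood) as seen by a detector, in one added example (not code from the post or from any of the tools; the packets, addresses and thresholds are constructed for this note). Land is a single malformed packet, Smurf is a single forged echo request to a broadcast address, and a SYN flood is only visible as a rate, so the classifier counts bare SYNs per destination port over a sliding window.

```python
from collections import defaultdict

# Constructed packet records (dicts, as a capture decoder would hand them over)
# and a small classifier. Addresses are documentation ranges; thresholds are
# hypothetical values chosen for the demo.

def tcp(src, sport, dst, dport, flags, ts):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "ts": ts}

def icmp(src, dst, icmp_type, ts):
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type, "ts": ts}

def constructed_capture():
    pkts = []
    for i in range(3):                             # three normal handshakes
        t = 10.0 + i
        pkts.append(tcp("192.0.2.10", 40000 + i, "203.0.113.5", 80, "S", t))
        pkts.append(tcp("203.0.113.5", 80, "192.0.2.10", 40000 + i, "SA", t + 0.01))
        pkts.append(tcp("192.0.2.10", 40000 + i, "203.0.113.5", 80, "A", t + 0.02))
    # Land: a SYN whose source and destination are both the victim, same port.
    pkts.append(tcp("203.0.113.5", 139, "203.0.113.5", 139, "S", 20.0))
    # Smurf: echo request to the directed broadcast with the victim as source.
    pkts.append(icmp("203.0.113.5", "198.51.100.255", 8, 21.0))
    # SYN flood: 300 bare SYNs from spoofed sources inside half a second.
    for i in range(300):
        src = "10.%d.%d.%d" % (i % 250, i // 250, i % 7 + 1)
        pkts.append(tcp(src, 1024 + i, "203.0.113.5", 80, "S", 30.0 + i * 0.0015))
    return pkts

def classify(packets, broadcast, syn_threshold=100, window=1.0):
    """Return findings: ("land", dst, port), ("smurf", victim, broadcast)
    or ("syn_flood", dst, port, peak_bare_syns_in_window)."""
    findings = []
    bare_syns = defaultdict(list)      # (dst, dport) -> timestamps of SYNs without ACK
    for p in packets:
        if p["proto"] == "tcp":
            if "S" in p["flags"] and "A" not in p["flags"]:
                if p["src"] == p["dst"] and p["sport"] == p["dport"]:
                    findings.append(("land", p["dst"], p["dport"]))
                bare_syns[(p["dst"], p["dport"])].append(p["ts"])
        elif p["proto"] == "icmp" and p["type"] == 8 and p["dst"] == broadcast:
            # The forged source is the real victim; the broadcast target is the amplifier.
            findings.append(("smurf", p["src"], p["dst"]))
    for (dst, dport), stamps in bare_syns.items():
        stamps.sort()
        peak, start = 0, 0
        for i, t in enumerate(stamps):             # sliding window over the timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= syn_threshold:
            findings.append(("syn_flood", dst, dport, peak))
    return findings

if __name__ == "__main__":
    for f in classify(constructed_capture(), broadcast="198.51.100.255"):
        print(f)
```

The SYN-rate rule is deliberately crude: a busy web server legitimately sees bursts of SYNs, so production detection compares SYNs against completed handshakes (or SYN/ACKs that never get their ACK) rather than counting SYNs alone.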
WinNuke sends out-of-band (URG) data to NetBIOS port 139. Windows 95 and NT did not handle OOB data on that port correctly and would crash with a blue screen.
Jolt2 let attackers send a stream of fragmented packets across the network to the victim, with spoofed source addresses. The victim's CPU would reach near 100% utilization, slowing it down or stopping it from handling legitimate traffic.
Bubonic.c sends random TCP packets to the victim and eventually overloads it. It was designed against Windows 2000.
Targa bundles 8 different DoS attacks that can be run simultaneously. It is a dangerous tool to use against a network.
Popular DDoS Tools include:
-Stacheldraht
-TFN
-Trinoo
-mstream
-Shaft
-TFN2K
DDoS schemes follow this pattern:
1) Mass Intrusion
The attacker scans for vulnerable systems, then installs the agent software on them to turn them into Zombies.
2) Execution
The Zombies are then ordered to launch the DoS against the victim, either on a schedule or on the attacker's command.
The following can minimize the DoS attack effectiveness:
1) Robust, fault-tolerant design
2) Rate-limiting of bandwidth per source or per service
3) Keeping up with patches or hotfixes
4) Harden the system by turning off unneeded services
5) Allow only necessary traffic
6) Filter IP addresses as needed
Because we have to allow network access, DoS cannot be prevented entirely; it can only be made harder and its impact reduced.
Preventing distributed attacks:
1) Secure the network
2) Utilize signature-based IPS/IDS
3) Use probes or scanning tools
4) Use trusted Zombie detection tools
There are many IDS options, including Cisco's IDS, Juniper's NetScreen IDP and the network-based Snort. The firewall alone is not the solution to protect the network, because most attacks disguise themselves as permitted traffic.
To do a non-stop ping from a Windows command prompt, use the syntax:
ping -t 192.168.1.1
To specify the size of the ping (the data payload in bytes; 65500 is the largest Windows accepts), use the syntax:
ping -t -l 65500 192.168.1.1