Friday, February 19, 2010

Certified Ethical Hacker 7

An IDS (Intrusion Detection System) is a sniffer that captures packets and analyzes them. An IDS typically matches packet streams against known signatures. A signature can match patterns such as "too many TCP connections", which usually results from a SYN scan.
An IDS can sit off to the side of the traffic or inline with it. If the IDS is inline, it acts as a router, and when it detects an anomaly it can block the traffic immediately. An IDS sitting inline with the traffic is known as an IPS or IDP, where the "P" stands for Prevention.

System Integrity Verifiers are host-based software that check for altered system files.

An IDS can do two things: Anomaly Detection and Signature Recognition. Signature Recognition detects attacks based on known signatures. Anomaly Detection trains the IDS on a baseline and notifies the administrator when the traffic flow deviates from the norm.
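Both detection modes on a constructed connection log, as an added example (not from the course material): a signature rule for the "too many TCP connections" pattern a SYN scan leaves behind, and an anomaly rule that compares the per-second connection count against a learned baseline. The log format, thresholds and baseline values are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log (not real traffic): "time src dst:port flags".
# Flags "S" = SYN with no handshake completion (half-open), "SA" = handshake completed.
SAMPLE_LOG = """10 10.0.0.5 10.0.0.1:22 SA
11 10.0.0.5 10.0.0.1:80 SA
12 10.0.0.9 10.0.0.1:21 S
12 10.0.0.9 10.0.0.1:22 S
12 10.0.0.9 10.0.0.1:23 S
12 10.0.0.9 10.0.0.1:25 S
12 10.0.0.9 10.0.0.1:80 S
12 10.0.0.9 10.0.0.1:110 S
13 10.0.0.7 10.0.0.1:443 SA""".splitlines()

# Baseline learned earlier: connections per second during normal operation (constructed).
BASELINE = [1, 1, 2, 1, 1, 2, 1]

def parse(lines):
    recs = []
    for line in lines:
        t, src, dst, flags = line.split()
        recs.append({"t": int(t), "src": src, "port": int(dst.rsplit(":", 1)[1]), "flags": flags})
    return recs

def syn_scan_signature(recs, max_half_open=5, window=2):
    """Signature rule: more than max_half_open distinct ports probed with bare SYNs
    by one source within `window` seconds, the "too many TCP connections" pattern."""
    alerts = set()
    half_open = defaultdict(list)
    for r in recs:
        if r["flags"] == "S":
            half_open[r["src"]].append(r)
    for src, rs in half_open.items():
        rs.sort(key=lambda r: r["t"])
        for i, first in enumerate(rs):
            ports = {x["port"] for x in rs[i:] if x["t"] - first["t"] <= window}
            if len(ports) > max_half_open:
                alerts.add(src)
    return alerts

def anomaly_seconds(recs, baseline, k=3.0):
    """Anomaly rule: flag each second whose connection count exceeds mean + k*stdev of the baseline."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline) or 1.0
    per_second = defaultdict(int)
    for r in recs:
        per_second[r["t"]] += 1
    return sorted(t for t, n in per_second.items() if n > mean + k * sd)

def detect(lines, baseline=BASELINE):
    recs = parse(lines)
    return {"signature": syn_scan_signature(recs), "anomaly": anomaly_seconds(recs, baseline)}
```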

An IDS monitors all the packets on the wire on the fly. It reassembles streams of packets to do protocol and application stack verification, and it logs events. Stealth and half-open scans are examples of attacks that can be detected through protocol stack verification.

Application stack verification refers to the IDS's ability to do deep packet inspection for application layer attacks. An example of an application layer attack is an attempt to crash NetBIOS systems by sending data to port 139 that is not Out-of-Band.

An IDS can be host-based. An example of a host-based IDS is Snort. Snort is quite difficult to configure, but it is freeware and does its job really well. One way to get past an IDS is to craft packets that do not match the signatures but still accomplish the same goals. Similar methods are used to get past firewalls.

A tool to mutate packets is Fragrouter. Fragrouter tries to get through firewalls and IDS systems by fragmenting files or packets so much that the firewall or IDS no longer recognizes them as threats. When reassembled at the target, the code becomes malicious again.
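Why an IDS must reassemble before matching, as an added example that is not from the page: a constructed content signature split across two fragments is missed by per-fragment matching and caught once the fragments are put back together. The fragments, offsets and signature are made up for the illustration.

```python
# Constructed fragments of one application-layer request (not a real capture).
# Each tuple is (byte offset, payload); they arrive out of order, as fragments often do.
FRAGMENTS = [
    (4, b"/ HTTP/1.0\r\nHost: vict"),
    (0, b"GET "),
    (26, b"im\r\n\r\n"),
]
SIGNATURE = b"Host: victim"   # made-up content signature; it straddles two fragments

def match_per_fragment(fragments, signature):
    """What an IDS that inspects each fragment on its own sees: nothing, because
    no single fragment contains the whole signature."""
    return any(signature in payload for _, payload in fragments)

def reassemble(fragments):
    """Order fragments by offset and refuse gaps or overlaps before joining, so a
    missing or duplicated fragment cannot silently change what gets inspected."""
    buf = bytearray()
    for offset, payload in sorted(fragments):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}, have {len(buf)} bytes")
        buf += payload
    return bytes(buf)

def match_after_reassembly(fragments, signature):
    """What an IDS that reassembles the stream first sees."""
    return signature in reassemble(fragments)
```

Real IP stacks differ in how they resolve overlapping fragments, so a production IDS has to mirror the target's reassembly policy; this model simply rejects gaps and overlaps.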

Another tool to evade an IDS is Engage Packet Builder. Engage Packet Builder can craft packets so that they appear to be destined for port 80 but end up at another port on the target system.

TCPReplay can capture and replay network traffic. Sidestep by Robert Graham can also be used for attacks like those of Engage Packet Builder. A social engineering trick is to flood the system with many false positives daily, to the point that the administrator no longer takes alarms seriously.

Good security comprises not only good equipment but also proper plans to carry out should an attack happen.

Httptunnel is similar to a Trojan in that an inside host establishes an HTTP tunnel with an outside host. The inside host then relays the packets to the intended victim. Many other applications make use of HTTP tunneling, such as P2P software.

Reverse Shell means to start a session outbound through a firewall towards an attacker. The attacker's replies then come back through the firewall as legitimate traffic.

Loki can create an ICMP tunnel to send covert commands and other information in the data fields. ICMP Shell (ISH) is a telnet session tunneled through an ICMP session.

To block ICMP tunnels, you can block ICMP traffic. But ACK packets are usually not filtered, so ACK packets can be used as a tunneling mechanism to send covert data. An example of an ACK tunneler is AckCmd.

Honeypots are false targets deliberately deployed to lure hackers. Honeypots let you locate and track hackers, but you cannot use them to prosecute a hacker. In law, a honeypot is an "attractive nuisance" and is not usable as evidence.

Honeypot software includes:
-Back Officer
-Bait N Switch
-Tiny Honeypot
-The Deception Toolkit

Honeypots can do several things. KFSensor, for example, makes it look as if certain ports are open. KFSensor can also make it look as if a system is filled with Trojans. Some IDPs can also be put into a honeypot mode.

Administrators usually focus on securing the perimeter of the network. However, many attacks originate from inside the network. Therefore, it is good practice to also protect internal server farms and other important targets.

These are the general steps to compile programs under Linux:
make install

Nmap is popular in Linux for port-scanning.

To do a SYN/TCP scan:
nmap -v -sS

To do a UDP scan:
nmap -v -sU

To do a Stealth Scan with no ping:
nmap -v -sS -P0

To Fingerprint a host:
nmap -v -O

Vulnerability scanners like Nessus are both offensive and defensive tools worth noting. Scanners like Nessus can perform thousands of exploit checks against a host and then report their findings in a nice HTML form. Cheops allows visual mapping of a network, which is useful when combined with other tools like Nmap or Nessus.

Scanlogd detects when port scans are going on. Abacus Portsentry can detect port scans, act as a firewall, and send alarms like an IDS.

Xcrack on Linux is used for cracking passwords. It uses dictionary attacks but doesn't offer any hybrid type of check. It is quite fast.

Auditor (now known as BackTrack) is a good platform to begin hacking on. Nessus and the Nmap front end are both available on Auditor. The most famous and fastest sniffer on Linux is Sniffit. It is a CLI tool but also has a GUI.

Session hijacking on Linux can be done with Hunt. It is very popular and is able to restore sessions after hijacking them.

Linux Rootkit v4 is a very popular rootkit. It contains bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted and z2.

IPChains is a very general packet filter. It uses three chains: Input, Output and Forward. Input refers to packets destined for the device, Output to packets sent by the device, and Forward to packets passing through the device. IPChains works like access lists in routers: the rules are processed in order until a match is made.

IPTables was made to replace IPChains. IPTables can do stateful inspection. It separates the firewall and NAT processes and can filter on TCP flags and TCP options as well as MAC addresses.
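First-match processing modelled in a few lines, as an added example (the code is not IPChains or IPTables itself): the same two INPUT rules in two orders, showing that a broad ACCEPT placed before a DENY lets traffic from the blocked network through. Addresses, rules and the chain policy are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"       # any source unless narrowed
    proto: Optional[str] = None  # None = match any protocol
    dport: Optional[int] = None  # None = match any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(chain, pkt, policy="DENY"):
    """Walk the chain in order; the first matching rule decides the packet's fate,
    and the chain policy applies only if nothing matched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Two INPUT chains built from the same rules in different order (constructed example).
CORRECT_ORDER = [
    Rule("DENY", src="192.0.2.0/24"),         # drop the blocked network first
    Rule("ACCEPT", proto="tcp", dport=22),    # then allow SSH from everyone else
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))   # broad ACCEPT now shadows the DENY

def ssh_from_blocked_net(chain):
    """Fate of an SSH connection from inside the blocked network under a given chain."""
    return evaluate(chain, Packet("192.0.2.10", "tcp", 22))
```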

Applications like Flawfinder, StackGuard and Libsafe can scan the applications you have written to find potential weaknesses like buffer overflows.

A list of common IDS software for Linux is:

A list of common scanners for Linux is:

A list of common encryption suites for Linux is:

A list of common logging and traffic monitors for Linux is:
-TCP Wrappers

Buffer overflows can be really dangerous to your systems. On Oct 19 2000, hundreds of flights were grounded because of a software glitch in the LAX air traffic control system. A Mexican air controller typed 9 instead of 5 characters into a flight-description field, which resulted in a buffer overflow.

Buffer overflows can be deliberate or accidental, like the story above. Buffer overflows are also known as buffer overruns, and they occur when an attacker sends more data than the program has allocated memory to handle. A program that runs out of buffer space pushes the data into other memory locations, which allows malicious code to be stored and run. If an attacker overflows Internet Explorer's buffer, he could take over the system through the browser.

Overflow attacks look for code that doesn't check boundaries, then look for processes that would execute arbitrary instructions. Buffer overflow attacks must be extremely carefully crafted, or else they just cause the target system to crash.

A full understanding of C, Assembly, CPU architecture, machine-level systems and exec() system calls is required to perform buffer overflows.

NOPs are No Operation instructions in Assembly. To position malicious code during a buffer overflow, attackers usually pad the front of their code with NOPs. An IDS can have signature-matching presets to match attacks like these.

Countermeasures against buffer overflows include auditing the code manually, disallowing stack execution, and using a type-safe language (like Java or C#) or safer C libraries.

Metasploit can be run as a web service. It's easier for new users to launch attacks through the web interface.

Public-key cryptography was first invented in 1976 by Whitfield Diffie and Martin Hellman. Each person gets a private key and a public key. The public key is available to anyone needing to use it, while the private key should be stored securely. The public key is known as the encryption key, while the private key is the decryption key.

The public key can be sent over the network to be used by another party to encrypt a file. Once the file is encrypted, he can send it back, where the private key can be used to decrypt it. Private keys can also encrypt files, which can then be decrypted by the public key; this is known as file signing. This type of encryption is known as asymmetric encryption.

RSA (Rivest Shamir Adleman) was developed by Ronald L. Rivest, Adi Shamir and Leonard M. Adleman in 1977. RSA uses modular arithmetic and elementary number theory to do computations on large prime numbers. RSA is widely used. RSA was supposed to be kept private, but it showed up on the internet. RSA released an open standard, but no one knows if it's the true algorithm; therefore, the open standard is known as ARSA (assumed RSA).
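The two directions of asymmetric encryption described above, worked through in textbook RSA with the classic small primes 61 and 53, as an added example that is not from the page: encrypt with the public key and decrypt with the private key, then sign a hash with the private key and verify it with the public key. There is no padding and the digest is reduced mod n, which is acceptable only for illustration; real keys use 2048-bit moduli and a padding scheme.

```python
import hashlib
from math import gcd

def keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes. Returns (public, private) as
    (n, e) and (n, d). The primes here are tiny and constructed for the example."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public, m):
    """Anyone holding the public key can encrypt; only the private key can decrypt."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def sign(private, data: bytes):
    """File signing: the private key 'encrypts' a hash of the data."""
    n, d = private
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(digest, d, n)

def verify(public, data: bytes, signature):
    """The public key 'decrypts' the signature; it must equal the hash of the data."""
    n, e = public
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == digest

def roundtrip(p=61, q=53, e=17, m=65):
    """Encrypt then decrypt one small message; returns (ciphertext, recovered plaintext)."""
    public, private = keygen(p, q, e)
    c = encrypt(public, m)
    return c, decrypt(private, c)
```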

MD5 takes any input and produces a 128-bit signature of the input. It is used for the creation and verification of a digital signature for a file before it is compressed or encrypted. It is widely adopted for integrity checks.

SHA (Secure Hash Algorithm) is slower than MD5 but much more secure, and it takes longer for brute force to crack. SSL was developed by Netscape to securely transfer documents over the internet. It uses a private key to encrypt data and is independent of the application.

RC5 is a block cipher, which breaks files into blocks before encrypting them. It has variable key sizes and can deal with large files very quickly. SSH is the standard for secure shell. It replaces telnet in secure environments.

A rainbow table is a precomputed table of hashes, similar to a dictionary. Rainbow tables can reverse NTLM hashes within days. Winrtgen can generate rainbow tables in days, which cuts the reversal time of hashes from weeks to minutes.


  1. Syraxius,
    Wow, this is a great resource. I’m enjoying it. Good article.
    Thanks for sharing it in a really nice and detailed review. I had gone through the article, and the information which you presented is very informative. The most interesting job in the field of computers is being an Ethical Hacker, so for more information check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

  2. An IDS (Intrusion Detection System) is used to know if the data on the network is tampered with or not. It involves checking of digital signatures for signed messages. Some messages are very sensitive and confidential, so they require such checking.