Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hackers and Scanners Antti Palokangas. Hackers & scanners Most of scanners are easy to use and widely distributed It is no longer a question of if, but.

Published byIris Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Hackers and Scanners Antti Palokangas. Hackers & scanners Most of scanners are easy to use and widely distributed It is no longer a question of if, but."— Presentation transcript:

1 Hackers and Scanners Antti Palokangas

2 Hackers & scanners Most of scanners are easy to use and widely distributed It is no longer a question of if, but when you will be probed You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? But these kind of unprotected systems are easy to exploit for example to DDoS- attacks

3 What is a ”script kiddie”? Script kiddies can be advanced users or just kids who have found a nice application and bugs from Internet Script kiddies look for an easy kill They do this by focusing on a small number of exploits, and then searching randomly the entire Internet for that exploit Scanners are important tools for searching the exploitable systems

4 Example of script kiddie using scanners Step 1: Script kiddie finds a bug nobody else knows about or uses a common exploit from e.g. www.cert.org or bugtraq (archived at www.securityfocus.com), hoping that administrator of a system hasn’t fixed the bug Step 2: Uses tools (e.g. z0ne) to scan random networks for IP-addresses. Tool builds an IP- database which can be used also later (databases may contain over 2 million addresses)

5 Example of script kiddie using scanners Step 3: Scans IP-addresses for information: e.g. operating system type, running services, system architecture (x86, Alpha, Sparc) Step 4: Breaks into exploitable systems where bug hasn’t been fixed

6 Usefulness of a scanner for a hacker It’s important to fix bugs immediately to prevent above- mentioned attacks and run only needed services The way bug fixes are updated now would mean that a hacker who tries to take advantage of a known bug before the bug is fixed would have a small time margin from an unpredictable time when a bug is found to an uncertain time when a bug is fixed This type of attack may not be suitable for a hacker who wants to break into certain well-administered system. But there is always somewhere a system that hasn’t been updated

7 Usefulness of a scanner for a hacker We may say that finding holes with a publicly known vulnerability scanner is probably most useful if the goal of the hacker is - just to break in somewhere - terrorist action or vandalism - make a computer crime anywhere If the target is a specific system which is known to have high security, the hacker should: – find new holes, not the ones in the bulletin boards, – or plant holes using viruses or other distribution methods A scanner can be useful, but it should be not detected easily. Therefore it may be not necessary for the attacker to find all information he can get. After all, he may have rather few new holes that can be used.

8 Reverse engineering security patches Currently security patches in software releases are reverse engineered and their security implications are sought for and similar holes in other pieces of software are looked for. This is relatively slow work (though not very slow – reverse engineering a security patch may be done in a day), but it will find new holes. Being too certain of security after having successfully scanned a system without any vulnerabilities found is quite wrong. Security scanner can be compared to an anti-virus program: it only checks for known holes and it must be updated to remain functional

9 Detecting scanning It may be possible to monitor the network for odd behaviour and detect scanning One way is to find scanning patterns in our log files after scan has occured (manually or automatically by Intrusion Detection Systems)

10 Detecting a scanner There are programs which detect a scanner: Courtney, Gabriel, scan_detector, TCP Wrapper, scanlogd, Argus. Some of them have a sniffer, like tcpdump, and look for a rapid sequence of short connection attempts to TCP and UDP ports. Some use proxies and make logs There has not been any raise in the number of attacks made with SATAN or other scanners. We may assume it is because real attackers modify the scanners so, that scanning goes undetected. It is for instance possible to slow down scanning below the level which causes a scanner detector to alarm.

11 Detecting a scanner There are also stealth scanners which do not leave traces of the scan. Jakal and Nmap are stealth scanners using half scan (start SYN/ACK but never complete it). ”Half scanning” won’t fool e.g. PortSentry, tcplogd or Intrusion Detection Systems (IDS) but it will prevent applications logging suspiciously closed connections

12 Detecting scanning Courtney detects if the system has been scanned by SATAN, or any other similar port scanner and notifies this to the administrator. Courtney is a short PERL script, which uses tcpdump sniffer. tcpdump is a sniffer, which puts a LAN interface to a promiscuous mode so, that all IP packets can be read by the sniffer. tcpdump is one of the more popular programs for traffic measurement also. The Courtney program notices port scanning from a rapid sequence of connection attempts to many UDP and TCP ports. Gabriel is similar to Courtney, but it is a binarycreated from C and does not use tcpdump. It only runs on Sun. Either of these are not very useful nowadays

13 Other ways to improve security Scanning a system and finding no bad holes (most systems cannot protect against DoS-attacks, so this vulnerability there is) may give a wrong feeling of security. There are bugs though they are not found. What one can do is to replace the services by something more simple ones which hopefully have much fewer bugs or none at all (if they are very simple, this is possible) Usually services are not replaceable, they can only be patched and updated TCP ports need not have the real daemon listening them (or have the inetd daemon start the service, which is another common way). One can also make a proxy service using TCP Port Wrappers developed by Wietse Venema.

14 Other ways to improve security SOCKS is a proxy technique which is used to build circuit level firewalls. Socksifying all ports is one way to stop an intruder from using them. There are tools (IP Personality, Fingerprint fucker, Stealth patch, IPlog) to fake your operating system so that Nmap will be fooled and guesses wrong. Exploits are often OS-specific, so faking makes hacking more difficult

15 Other ways to improve security The defender could offer some traps to see if the attacker tries them These traps are called honeypots Honeypots should be implemented so that attacker can’t do anything harmful, but honeypot administrator gains valuable information on attacker’s methods More on honeypots: http://project.honeynet.org/http://project.honeynet.org/

16 How to test your own vulnerabilities? If you have only one computer, you could use an Internet-service to scan your vulnerabilities. Several sites do it for free usually after registering. How much do you trust these kind of services?

Download ppt "Hackers and Scanners Antti Palokangas. Hackers & scanners Most of scanners are easy to use and widely distributed It is no longer a question of if, but."

Similar presentations

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.

Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
CS682- Network Management and Security Prof. Katz.

CS682- Network Management and Security Prof. Katz.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google