Hackers and Scanners Antti Palokangas Hackers scanners Most

  • Slides: 16
Download presentation
Hackers and Scanners Antti Palokangas

Hackers and Scanners Antti Palokangas

Hackers & scanners • Most of scanners are easy to use and widely distributed

Hackers & scanners • Most of scanners are easy to use and widely distributed • It is no longer a question of if, but when you will be probed • You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? But these kind of unprotected systems are easy to exploit for example to DDo. Sattacks

What is a ”script kiddie”? • Script kiddies can be advanced users or just

What is a ”script kiddie”? • Script kiddies can be advanced users or just kids who have found a nice application and bugs from Internet • Script kiddies look for an easy kill • They do this by focusing on a small number of exploits, and then searching randomly the entire Internet for that exploit • Scanners are important tools for searching the exploitable systems

Example of script kiddie using scanners • Step 1: Script kiddie finds a bug

Example of script kiddie using scanners • Step 1: Script kiddie finds a bug nobody else knows about or uses a common exploit from e. g. www. cert. org or bugtraq (archived at www. securityfocus. com), hoping that administrator of a system hasn’t fixed the bug • Step 2: Uses tools (e. g. z 0 ne) to scan random networks for IP-addresses. Tool builds an IPdatabase which can be used also later (databases may contain over 2 million addresses)

Example of script kiddie using scanners • Step 3: Scans IP-addresses for information: e.

Example of script kiddie using scanners • Step 3: Scans IP-addresses for information: e. g. operating system type, running services, system architecture (x 86, Alpha, Sparc) • Step 4: Breaks into exploitable systems where bug hasn’t been fixed

Usefulness of a scanner for a hacker • It’s important to fix bugs immediately

Usefulness of a scanner for a hacker • It’s important to fix bugs immediately to prevent abovementioned attacks and run only needed services • The way bug fixes are updated now would mean that a hacker who tries to take advantage of a known bug before the bug is fixed would have a small time margin from an unpredictable time when a bug is found to an uncertain time when a bug is fixed • This type of attack may not be suitable for a hacker who wants to break into certain well-administered system. But there is always somewhere a system that hasn’t been updated

Usefulness of a scanner for a hacker • We may say that finding holes

Usefulness of a scanner for a hacker • We may say that finding holes with a publicly known vulnerability scanner is probably most useful if the goal of the hacker is - just to break in somewhere - terrorist action or vandalism - make a computer crime anywhere • If the target is a specific system which is known to have high security, the hacker should: – find new holes, not the ones in the bulletin boards, – or plant holes using viruses or other distribution methods • A scanner can be useful, but it should be not detected easily. Therefore it may be not necessary for the attacker to find all information he can get. After all, he may have rather few new holes that can be used.

Reverse engineering security patches • Currently security patches in software releases are reverse engineered

Reverse engineering security patches • Currently security patches in software releases are reverse engineered and their security implications are sought for and similar holes in other pieces of software looked for. • This is relatively slow work (though not very slow – reverse engineering a security patch may be done in a day), but it will find new holes. • Being too certain of security after having successfully scanned a system without any vulnerabilities found is quite wrong. Security scanner can be compared to an anti-virus program: it only checks for known holes and it must be updated to remain functional

Detecting scanning • It may be possible to monitor the network for odd behavior

Detecting scanning • It may be possible to monitor the network for odd behavior and detect scanning • One way is to find scanning patterns in our log files after scan has occured (manually or automatically by Intrusion Detection Systems)

Detecting a scanner • There are programs which detect a scanner: Courtney, Gabriel, scan_detector,

Detecting a scanner • There are programs which detect a scanner: Courtney, Gabriel, scan_detector, TCP Wrapper, scanlogd, Argus. • Some of them have a sniffer, like tcpdump, and look for a rapid sequence of short connection attempts to TCP and UDP ports. Some use proxies and make logs • There has not been any raise in the number of attacks made with SATAN or other scanners. • We may assume it is because real attackers modify the scanners so, that scanning goes undetected. It is for instance possible to slow down scanning below the level which causes a scanner detector to alarm.

Detecting a scanner • There also stealth scanners which do not leave traces of

Detecting a scanner • There also stealth scanners which do not leave traces of the scan. Jakal and Nmap are stealth scanners using half scan (start SYN/ACK but never complete it). • ”Half scanning” won’t fool e. g. Port. Sentry, tcplogd or Intrusion Detection Systems (IDS) but it will prevent applications logging suspiciously closed connections

Detecting scanning • Courtney detects if the system has been scanned by SATAN, or

Detecting scanning • Courtney detects if the system has been scanned by SATAN, or any other similar port scanner and notifies this to the administrator. Courtney is a short PERL script, which uses tcpdump sniffer. • tcpdump is a sniffer, which puts a LAN interface to a promiscuous mode so, that all IP packets can be read by the sniffer. tcpdump is one of the more popular programs for traffic measurement also. The Courtney program notices port scanning from a rapid sequence of connection attempts to many UDP and TCP ports. • Gabriel is similar to Courtney, but it is a binarycreated from C and does not use tcpdump. It only runs on Sun. • Either of these are not very useful nowadays

Other ways to improve security • Scanning a system and finding no bad holes

Other ways to improve security • Scanning a system and finding no bad holes (most systems cannot protect against Do. S-attacks, so this vulnerability there is) may give a wrong feeling of security. There are bugs though they are not found. • What one can do is to replace the services by something more simple ones which hopefully have much fewer bugs or none at all (if they are very simple, this is possible) • Usually services are not replaceable, they can only be patched and updated • TCP ports need not have the real daemon listening them (or have the inetd daemon start the service, which is another common way). One can also make a proxy service using TCP Port Wrappers developed by Wietse Venema.

Other ways to improve security • SOCKS is a proxy technique which is used

Other ways to improve security • SOCKS is a proxy technique which is used to build circuit level firewalls. Socksifying all ports is one way to stop an intruder from using them. • There are tools (IP Personality, Fingerprint fucker, Stealth patch, IPlog) to fake your operating system so that Nmap will be fooled and guesses wrong. • Exploits are often OS-specific, so faking makes hacking more difficult

Other ways to improve security • The defender could offer some traps to see

Other ways to improve security • The defender could offer some traps to see if the attacker tries them • These traps are called honeypots • Honeypots should be implemented so that attacker can’t do anything harmful, but honeypot administrator gains valuable information on attacker’s methods • More on honeypots: http: //project. honeynet. org/

How to test your own vulnerabilities? • If you have only one computer, you

How to test your own vulnerabilities? • If you have only one computer, you could use an Internet-service to scan your vulnerabilities. Several sites do it for free usually after registering. • How much do you trust these kind of services?

Antti Timonen Olen kotona Mimosa Sihvola 014291698 AnttiAntti Timonen Olen kotona Mimosa Sihvola 014291698 Antti
Valmennuskurssi sosiaalitieteiden tutkintoohjelmaan Kevt 2012 Antti Halmetoja anttiValmennuskurssi sosiaalitieteiden tutkintoohjelmaan Kevt 2012 Antti Halmetoja antti
TIK kandiseminaarin viittausluento Antti Rousi antti m rousiaaltoTIK kandiseminaarin viittausluento Antti Rousi antti m rousiaalto
Onnistunut patentointiprosessi 22 3 2002 Antti Ivanoff AnttiOnnistunut patentointiprosessi 22 3 2002 Antti Ivanoff Antti
Tietojrjestelmt yrityksen tyvlinein Antti Ivanoff Antti Jskelinen IlonaTietojrjestelmt yrityksen tyvlinein Antti Ivanoff Antti Jskelinen Ilona
Shift to Issuing Based methodology Antti Kuronen anttiShift to Issuing Based methodology Antti Kuronen antti
Tiedonhankinnan ulkoistaminen Antti Ivanoff 158835 Antti Jskelinen 156620Tiedonhankinnan ulkoistaminen Antti Ivanoff 158835 Antti Jskelinen 156620
Reflex Dictionary Generator Antti Hahto antti hahtotut fiReflex Dictionary Generator Antti Hahto antti hahtotut fi
Scanners Flatbed Scanners A lamp is used toScanners Flatbed Scanners A lamp is used to
Scanners Flatbed Scanners A lamp is used toScanners Flatbed Scanners A lamp is used to
Crackers Vs Hackers Qu son los HACKERS HackerCrackers Vs Hackers Qu son los HACKERS Hacker
MUJERES HACKERS MUJERES HACKERS Definicin Trmino para designarMUJERES HACKERS MUJERES HACKERS Definicin Trmino para designar
Teknologiateollisuuden Suomen talousnkymt Lokakuu 2020 Jukka Palokangas JohtavaTeknologiateollisuuden Suomen talousnkymt Lokakuu 2020 Jukka Palokangas Johtava
Taloudellisen kasvun syyt Tapio Palokangas syyslukukausi 2010 TaustaaTaloudellisen kasvun syyt Tapio Palokangas syyslukukausi 2010 Taustaa
Teknologiateollisuuden Talousnkymt 7 8 2018 Pekonomisti Jukka PalokangasTeknologiateollisuuden Talousnkymt 7 8 2018 Pekonomisti Jukka Palokangas