Ch03 Network and Computer Attacks
1. Hands-On Ethical Hacking and Network Defense
Chapter 3
Network and Computer Attacks
2. Objectives
- Describe the different types of malicious software
- Describe methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities
3. Malicious Software (Malware)
- Network attacks prevent a business from operating
- Malicious software (Malware) includes
  - Viruses
  - Worms
  - Trojan horses
- Goals
  - Destroy data
  - Corrupt data
  - Shut down a network or system
4. Viruses
- Virus attaches itself to an executable file
- Can replicate itself through an executable program
- Needs a host program to replicate
- No foolproof method of preventing them
5. Antivirus Software
- Detects and removes viruses
- Detection based on virus signatures
- Must update signature database periodically
  - Use automatic update feature
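The signature model on this slide, as an added example (not code from the slides or the textbook). The "samples" and the signature database are constructed here: one hash signature that matches a single exact file and one byte-pattern signature that matches a whole family. A sample that differs by one byte from the hashed original still matches the pattern but no longer matches the hash, which is why the signature database has to be refreshed continuously.

```python
"""Signature-based scanning, the detection model described on the slide.

Added example, not code from the slides or the textbook. The samples and
the signature database are constructed for this example.
"""
import hashlib

# Constructed samples: SAMPLE_V2 differs from SAMPLE_V1 by a single byte.
SAMPLE_V1 = b"This constructed sample v1 stands in for a malicious file"
SAMPLE_V2 = SAMPLE_V1.replace(b"v1", b"v2")
BENIGN = b"Quarterly report, nothing to see here"

# Constructed signature database (the part an automatic update refreshes).
SIGNATURES = {
    # exact-file signature: SHA-256 of the known sample
    "hash": {hashlib.sha256(SAMPLE_V1).hexdigest(): "Constructed.Sample.A"},
    # family signature: a byte sequence shared by every variant
    "pattern": {b"constructed sample": "Constructed.Sample.Family"},
}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures["hash"]:
        hits.append(signatures["hash"][digest])
    for pattern, name in signatures["pattern"].items():
        if pattern in data:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("benign", BENIGN)):
        print(label, scan(sample))
```

Running it shows the hash signature catching only the unmodified sample, the pattern signature catching both variants, and the benign file passing clean; a brand-new family matches neither until the vendor ships a signature for it.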
7. Base 64 Encoding
- Used to evade anti-spam tools, and to obscure passwords
- Encodes six bits at a time (0 – 64) with a single ASCII character
  - A – Z: 0 – 25
  - a – z: 26 – 51
  - 1 – 9: 52 – 61
  - + and -: 62 and 63
- See links Ch 3a, 3b
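The six-bit encoding described above, written out as an added example (not code from the slides or the textbook). Six bits give the values 0 through 63; the standard alphabet of RFC 4648 maps 52–61 to the digits 0–9 and 62–63 to "+" and "/" ("-" and "_" belong to the URL-safe variant). The block also shows the defensive use of a decoder: a content filter that decodes any long base64 run in a message body so the plaintext behind it can be scanned. The sample message is constructed.

```python
"""Six-bit base64 encoder/decoder plus a helper that decodes base64 runs
found in mail text so a filter can inspect them.

Added example, not from the slides. Uses the standard RFC 4648 alphabet.
"""
import re

ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 0 - 25
    "abcdefghijklmnopqrstuvwxyz"   # 26 - 51
    "0123456789"                   # 52 - 61
    "+/"                           # 62, 63
)
REVERSE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Pack each three input bytes (24 bits) into four six-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Left-align the chunk in a 24-bit integer; missing bytes read as zero.
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        symbols = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1           # one '=' of padding per missing input byte
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Reverse of b64encode; rejects characters outside the alphabet."""
    text = text.rstrip("=")
    if len(text) % 4 == 1:
        raise ValueError("invalid base64 length")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        n = 0
        for c in chunk:
            if c not in REVERSE:
                raise ValueError(f"invalid base64 character {c!r}")
            n = (n << 6) | REVERSE[c]
        n <<= 6 * (4 - len(chunk))      # re-align a short final group to 24 bits
        out += n.to_bytes(3, "big")[: len(chunk) - 1]
    return bytes(out)


# A base64 run: 16+ alphabet characters not glued to a preceding word,
# optionally followed by padding. Real output is always a multiple of 4 long.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")


def decoded_blobs(message: str) -> list:
    """Decode every long base64 run in a message body for content inspection."""
    blobs = []
    for m in B64_RUN.finditer(message):
        run = m.group()
        if len(run) % 4 != 0:           # ordinary long words rarely pass this
            continue
        try:
            blobs.append(b64decode(run))
        except ValueError:
            continue
    return blobs


# Constructed sample message: one line of the body is base64-encoded text.
SAMPLE_MESSAGE = "\n".join([
    "Subject: re: your order",
    "Hi, see the note below.",
    b64encode(b"free pills today"),
    "Regards, characteristically yours",
])

if __name__ == "__main__":
    print(b64encode(b"Man"), b64encode(b"Ma"), b64encode(b"M"))
    print(decoded_blobs(SAMPLE_MESSAGE))
```

The same decoder applied to an HTTP Basic `Authorization` header returns `user:password` unchanged, which is the practical point of the slide's second bullet: base64 is an encoding, not encryption, and it offers no confidentiality.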
8. Viruses (continued)
- Commercial base 64 decoders
- Shell
  - Executable piece of programming code
  - Should not appear in an e-mail attachment
9. Macro Viruses
- Virus encoded as a macro
- Macro
  - Lists of commands
  - Can be used in destructive ways
- Example: Melissa
  - Appeared in 1999
  - It is very simple – see link Ch 3c for source code
10. Writing Viruses
- Even nonprogrammers can create macro viruses
  - Instructions posted on Web sites
  - Virus creation kits available for download (see link Ch 3d)
- Security professionals can learn from thinking like attackers
  - But don’t create and release a virus! People get long prison terms for that.
11. Worms
- Worm
  - Replicates and propagates without a host
- Infamous examples
  - Code Red
  - Nimda
- Can infect every computer in the world in a short time
  - At least in theory
12. ATM Machine Worms
- Cyberattacks against ATM machines
  - Slammer and Nachi worms
  - Trend produces antivirus for ATM machines
  - See links Ch 3g, 3h, 3i
- Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
  - See link Ch 3j
- Diebold was criticized for using Windows for ATM machines, which they also use on voting machines
15. Trojan Programs
- Insidious attack against networks
- Disguise themselves as useful programs
  - Hide malicious content in program
  - Backdoors
  - Rootkits
  - Allow attackers remote access
16. Firewalls
- Identify traffic on uncommon ports
- Can block this type of attack, if your firewall filters outgoing traffic
  - Windows XP SP2’s firewall does not filter outgoing traffic
  - Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
- Trojan programs can use known ports to get through firewalls
  - HTTP (TCP 80) or DNS (UDP 53)
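An egress-log review that follows both halves of this slide, as an added example (not code from the slides or the textbook): a port filter that flags outbound connections on uncommon ports, and two behavioural checks for Trojans that hide on the allowed ports 80 and 53, namely DNS sent to anything but the approved resolver, and machine-regular "beaconing" to one external address. The log format, the policy (allowed ports, approved resolver) and the log lines are all constructed for the example.

```python
"""Egress-log review: a port filter plus behavioural checks for Trojan
traffic that rides on allowed ports.

Added example, not from the slides. The log format is constructed for
this example and is not any real firewall's.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed policy: Internet access only on these ports, DNS only via 10.0.0.2.
ALLOWED_PORTS = {80, 443, 53}
APPROVED_RESOLVERS = {"10.0.0.2"}

LINE = re.compile(
    r"(?P<ts>\S+) OUT (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>TCP|UDP)"
)

# Constructed sample: 10.0.0.5 contacts the same address every 60 s on TCP 80,
# 10.0.0.8 sends DNS to an outside resolver, 10.0.0.9 opens an uncommon port.
SAMPLE_LOG = """\
2024-05-01T09:00:00 OUT 10.0.0.5:51001 -> 203.0.113.9:80 TCP
2024-05-01T09:00:03 OUT 10.0.0.7:51002 -> 10.0.0.2:53 UDP
2024-05-01T09:01:00 OUT 10.0.0.5:51003 -> 203.0.113.9:80 TCP
2024-05-01T09:01:20 OUT 10.0.0.8:51004 -> 198.51.100.4:53 UDP
2024-05-01T09:02:00 OUT 10.0.0.5:51005 -> 203.0.113.9:80 TCP
2024-05-01T09:02:41 OUT 10.0.0.9:51006 -> 198.51.100.7:6667 TCP
2024-05-01T09:03:00 OUT 10.0.0.5:51007 -> 203.0.113.9:80 TCP
2024-05-01T09:03:15 OUT 10.0.0.7:51008 -> 203.0.113.20:443 TCP
"""


def parse(log: str):
    """Yield one dict per well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"], "dst": m["dst"],
                "port": int(m["port"]), "proto": m["proto"],
            }


def review_egress(log: str, min_beacons: int = 4, jitter: float = 0.1) -> list:
    """Return one finding string per suspicious event or flow."""
    findings = []
    flows = defaultdict(list)                     # (src, dst, port) -> timestamps
    for ev in parse(log):
        flows[(ev["src"], ev["dst"], ev["port"])].append(ev["ts"])
        if ev["port"] not in ALLOWED_PORTS:
            findings.append(f"uncommon port: {ev['src']} -> {ev['dst']}:{ev['port']}")
        elif ev["port"] == 53 and ev["dst"] not in APPROVED_RESOLVERS:
            findings.append(f"DNS to unapproved resolver: {ev['src']} -> {ev['dst']}")
    # Allowed port, but near-constant spacing between connections: a beacon.
    for (src, dst, port), times in flows.items():
        if len(times) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < jitter:
            findings.append(f"regular beacon every {mean(gaps):.0f}s: {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_LOG):
        print(finding)
```

The port check alone would pass the 10.0.0.5 traffic, since TCP 80 is allowed; the timing check is what surfaces it, which is the reason egress filtering has to be paired with flow-level monitoring rather than a port list.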
18. Trojan Demonstration
- Make a file with command-line Windows commands
- Save it as C:\Documents and Settings\username\cmd.bat
- Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
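A check for the condition this demonstration relies on, as an added example (not code from the slides or the textbook): a file in a user-writable directory that is found before the genuine binary in System32. The block builds a throwaway directory layout with tempfile so it runs on any OS, then walks the search directories in order, trying each extension in the assumed PATHEXT order (.com, .exe, .bat, .cmd) the way a Windows command lookup does. The search order (user profile first, then System32) and the file names are assumptions modelled on the slide; the file contents are placeholders, not executables.

```python
"""Detect a user-writable file that shadows a system command.

Added example, not from the slides. Builds a throwaway layout with
tempfile; matching is done in lowercase for portability, since the
real Windows lookup is case-insensitive.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Assumed default Windows lookup order for a bare command name (first entries).
PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def resolve(command: str, search_dirs: List[Path]) -> Optional[Path]:
    """Return the file a Windows-style lookup would run for `command`."""
    for d in search_dirs:
        for ext in PATHEXT:
            candidate = d / (command + ext)
            if candidate.is_file():
                return candidate
    return None


def shadowed_commands(search_dirs: List[Path], system_dir: Path,
                      commands: Iterable[str]) -> Dict[str, Path]:
    """Map each command to the non-system file that would run instead of
    the copy in system_dir; commands that resolve correctly are omitted."""
    hits = {}
    for cmd in commands:
        winner = resolve(cmd, search_dirs)
        if winner is not None and winner.parent != system_dir:
            hits[cmd] = winner
    return hits


def demo() -> Dict[str, Path]:
    """Construct the slide's scenario: cmd.bat in the profile, cmd.exe in System32."""
    root = Path(tempfile.mkdtemp())
    profile = root / "Documents and Settings" / "username"
    system32 = root / "Windows" / "System32"
    profile.mkdir(parents=True)
    system32.mkdir(parents=True)
    (system32 / "cmd.exe").write_text("stand-in for the real binary")
    (system32 / "calc.exe").write_text("stand-in for the real binary")
    (profile / "cmd.bat").write_text("stand-in for the planted batch file")
    try:
        # Assumed order: the user's own directory is searched before System32.
        return shadowed_commands([profile, system32], system32, ["cmd", "calc"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for cmd, path in demo().items():
        print(f"{cmd}: would run {path} instead of the system copy")
```

On a real host the same function takes the live PATH entries and a list of commands to audit; any hit whose parent directory is writable by a standard user is the condition to fix, either by removing the file or by putting the system directory first in the search order.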
19. Improved Trojan
- Resets the administrator password
- Almost invisible to user
- Works in Win XP, but not so easy in Vista
20. Spyware
- Sends information from the infected computer to the attacker
  - Confidential financial data
  - Passwords
  - PINs
  - Any other stored data
- Can register each keystroke entered (keylogger)
- Prevalent technology
- Educate users about spyware
22. Adware
- Similar to spyware
  - Can be installed without the user being aware
- Sometimes displays a banner
- Main goal
  - Determine user’s online purchasing habits
  - Tailored advertisement
- Main problem
  - Slows down computers
23. Protecting Against Malware Attacks
- Difficult task
  - New viruses, worms, Trojan programs appear daily
- Antivirus programs offer a lot of protection
- Educate your users about these types of attacks
26. Educating Your Users
- Structural training
  - Most effective measure
  - Includes all employees and management
- E-mail monthly security updates
  - Simple but effective training method
- Update virus signature database automatically
27. Educating Your Users
- SpyBot and Ad-Aware
  - Help protect against spyware and adware
  - Windows Defender is excellent too
- Firewalls
  - Hardware (enterprise solution)
  - Software (personal solution)
  - Can be combined
- Intrusion Detection System (IDS)
  - Monitors your network 24/7
28. FUD
- Fear, Uncertainty and Doubt
- Avoid scaring users into complying with security measures
  - Sometimes used by unethical security testers
  - Against the OSSTMM’s Rules of Engagement
- Promote awareness rather than instilling fear
  - Users should be aware of potential threats
  - Build on users’ knowledge
29. Intruder Attacks on Networks and Computers
- Attack
  - Any attempt by an unauthorized person to access or use network resources
- Network security
  - Security of computers and other devices in a network
- Computer security
  - Securing a standalone computer, not part of a network infrastructure
- Computer crime
  - Fastest growing type of crime worldwide
30. Denial-of-Service Attacks
- Denial-of-Service (DoS) attack
  - Prevents legitimate users from accessing network resources
  - Some forms do not involve computers, like feeding a paper loop through a fax machine
- DoS attacks do not attempt to access information
  - Cripple the network
  - Make it vulnerable to other types of attacks
31. Testing for DoS Vulnerabilities
- Performing an attack yourself is not wise
- You only need to prove that an attack could be carried out
32. Distributed Denial-of-Service Attacks
- Attack on a host from multiple servers or workstations
  - Network could be flooded with billions of requests
  - Loss of bandwidth
  - Degradation or loss of speed
- Often participants are not aware they are part of the attack
  - Attacking computers could be controlled using Trojan programs
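The difference between the DoS and DDoS slides, shown from the detection side as an added example (not code from the slides or the textbook): a sliding-window request counter that raises one alert when a single address exceeds a per-source limit and a different alert when the aggregate limit is exceeded while no single source stands out, which is the signature of many low-rate participants. The request stream, the addresses and the thresholds are all constructed for the example.

```python
"""Sliding-window request counting that tells a single-source flood
apart from a distributed one.

Added example, not from the slides. Events, addresses and thresholds
are constructed.
"""
from collections import Counter, deque

PER_SOURCE_LIMIT = 50      # requests per window from one address (assumed)
AGGREGATE_LIMIT = 150      # requests per window across all addresses (assumed)
WINDOW = 10                # window length in seconds (assumed)


def flood_alerts(events, per_source=PER_SOURCE_LIMIT,
                 aggregate=AGGREGATE_LIMIT, window=WINDOW) -> list:
    """events: iterable of (timestamp_seconds, source_ip), in time order.
    Returns sorted (alert_type, source) tuples; source is None for the
    aggregate alert because no single address is responsible."""
    recent = deque()                 # (ts, src) pairs inside the window
    counts = Counter()               # requests per source inside the window
    alerts = set()
    for ts, src in events:
        recent.append((ts, src))
        counts[src] += 1
        while recent and recent[0][0] <= ts - window:    # expire old requests
            _, old_src = recent.popleft()
            counts[old_src] -= 1
        if counts[src] > per_source:
            alerts.add(("single-source flood", src))
        elif len(recent) > aggregate and counts.most_common(1)[0][1] <= per_source:
            alerts.add(("distributed flood", None))
    return sorted(alerts, key=str)


def make_events() -> list:
    """Constructed traffic: steady background, one loud client, then a botnet."""
    events = []
    # background: 10 legitimate clients, one request per second each, 30 s
    for t in range(30):
        for i in range(10):
            events.append((t + i / 10, f"10.1.0.{i}"))
    # single-source flood: one address sends 20 requests/s from t=10 to t=15
    for t in range(10, 15):
        for k in range(20):
            events.append((t + k / 20, "203.0.113.1"))
    # distributed flood: 200 addresses each send once at t=20 and once at t=25
    for b in range(200):
        for t in (20, 25):
            events.append((t + b / 200, f"192.0.2.{b}"))
    events.sort()
    return events


if __name__ == "__main__":
    for alert in flood_alerts(make_events()):
        print(alert)
```

The per-source rule is the one most rate limiters implement; it never fires during the botnet phase, because each bot sends two requests per window, so the aggregate rule is the one that catches the distributed case. Blocking then has to happen upstream or by request shape rather than by address.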
33. Buffer Overflow Attacks
- Vulnerability in poorly written code
  - Code does not check predefined size of input field
- Goal
  - Fill overflow buffer with executable code
  - OS executes this code
  - Can elevate attacker’s permission to Administrator or even Kernel
- Programmers need special training to write secure code
36. Ping of Death Attacks
- Type of DoS attack
  - Not as common as during the late 1990s
- How it works
  - Attacker creates a large ICMP packet
  - More than 65,535 bytes
  - Large packet is fragmented at source network
  - Destination network reassembles large packet
  - Destination point cannot handle oversize packet and crashes
- Modern systems are protected from this (Link Ch 3n)
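The reassembly step from this slide with the check that modern systems apply, as an added example (not code from the slides or the textbook). It also serves the buffer-overflow slide above: the defect in both cases is copying input into a fixed-size buffer without first checking the declared size against that buffer. Fragments are represented as constructed tuples (offset in 8-byte units, more-fragments flag, payload), modelled on the IPv4 header fields; the 65,535-byte maximum is the real 16-bit total-length limit, while the 20-byte header and 1,480-byte fragment payload are assumptions for the example.

```python
"""Fragment reassembly with the size check that rejects oversized
datagrams before anything is written past the buffer.

Added example, not from the slides. Fragments are constructed tuples
(offset_in_8_byte_units, more_fragments, payload).
"""
MAX_DATAGRAM = 65535        # IPv4 total-length field is 16 bits
IP_HEADER = 20              # assumed header size; the rest is payload budget


class OversizedDatagram(ValueError):
    """A fragment claims bytes beyond the largest legal datagram."""


def reassemble(fragments) -> bytes:
    """Return the reassembled payload; raise before copying if a fragment
    would land past the end of the buffer."""
    buf = bytearray(MAX_DATAGRAM - IP_HEADER)
    filled = bytearray(len(buf))          # 1 where a byte has been received
    total = None
    for offset_units, more, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if end > len(buf):
            # The check the vulnerable stacks lacked: validate, then copy.
            raise OversizedDatagram(f"fragment ends at byte {end}, buffer holds {len(buf)}")
        buf[start:end] = payload
        filled[start:end] = b"\x01" * (end - start)
        if not more:                      # last fragment fixes the total length
            total = end
    if total is None or not all(filled[:total]):
        raise ValueError("incomplete datagram")
    return bytes(buf[:total])


def fragments_for(payload: bytes, mtu_payload: int = 1480) -> list:
    """Constructed fragment set for `payload`; 1480 is a multiple of 8."""
    frags = []
    for start in range(0, len(payload), mtu_payload):
        chunk = payload[start:start + mtu_payload]
        more = start + len(chunk) < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def classify(fragments) -> str:
    """'ok', 'oversized' or 'incomplete' for a fragment set."""
    try:
        reassemble(fragments)
        return "ok"
    except OversizedDatagram:
        return "oversized"
    except ValueError:
        return "incomplete"


if __name__ == "__main__":
    print(classify(fragments_for(b"x" * 3000)))       # fits
    print(classify(fragments_for(b"y" * 70000)))      # the slide's oversized case
    print(classify(fragments_for(b"x" * 3000)[1:]))   # first fragment never arrived
```

The 70,000-byte case is rejected at the first fragment whose end lies beyond 65,515 bytes of payload, before any copy happens; a stack that copied first and checked afterwards is the one the slide describes crashing.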
37. Session Hijacking
- Enables attacker to join a TCP session
- Attacker makes both parties think he or she is the other party
38. Addressing Physical Security
- Protecting a network also requires physical security
- Inside attacks are more likely than attacks from outside the company
39. Keyloggers
- Used to capture keystrokes on a computer
  - Hardware
  - Software
- Software
  - Behaves like Trojan programs
- Hardware
  - Easy to install
  - Goes between the keyboard and the CPU
  - KeyKatcher and KeyGhost
43. Behind Locked Doors
- Lock up your servers
  - Physical access means they can hack in
  - Consider Ophcrack – booting to a CD-based OS will bypass almost any security
44. Lockpicking
- Average person can pick deadbolt locks in less than five minutes
  - After only a week or two of practice
- Experienced hackers can pick deadbolt locks in under 30 seconds
- Bump keys are even easier (Link Ch 3o)
45. Card Reader Locks
- Keep a log of who enters and leaves the room
- Security cards can be used instead of keys for better security
- Image from link Ch 3p