Risk Management The Big Picture – Part 2

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:63

lượt xem

Risk Management The Big Picture – Part 2

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them before they do. System, network, and telephone vulnerability scanning tools are a powerful method of doing this. Lets take a look at another Internet threat. This is the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we’ll examine Gnutella, its function, and the dangers it introduces....

Chủ đề:

Nội dung Text: Risk Management The Big Picture – Part 2

  1. Risk Management The Big Picture – Part 2 Going Around the Firewall and Scanning for Vulnerabilities Information Risk Management- SANS ©2001 1 If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them before they do. System, network, and telephone vulnerability scanning tools are a powerful method of doing this. 2-1
  2. Gnutella • Designed for peer-to-peer file sharing on the Internet • Introduces security weaknesses – Hole in a firewall – Users give away network information – A possible annoyance or DDOS tool Information Risk Management - SANS ©2001 2 Lets take a look at another Internet threat. This is the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we’ll examine Gnutella, its function, and the dangers it introduces. Gnutella is an Internet file sharing utility. Described as a “servant”, Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users. The Gnutella net is peer-to-peer with interconnected servants that search and relay one another to make file sharing and storage truly distributed. When searching for a file, the Gnutella service will search hosts that you are connected to, and hosts they are connected to, and so on. Once the file is found, a download can be initiated with a TCP connection directly between the ‘client’ and ‘server’. Gnutella was designed to enhance free, easy, and anonymous exchange of information. However, there is a dark side - the distributed nature of the Gnutella net combined with the Gnutella net protocol introduces security weaknesses for Gnutella users. A prime concern is that Gnutella users situated behind firewalls open a hole in their firewall when they connect to an external Gnutella net. The way this works is covered in the next slide. Traces taken from a Gnutella user’s machine show that when searching, requesting a download, or ‘pinging’ for other Gnutella hosts, the user gives away a combination of information including an IP address within a network, a half- open connection and/or a known set of SEQ and ACK numbers, and a MAC address. Although security is not achievable merely through obscurity, it is certainly better to not openly offer this information to anyone on the Internet! In order to handle Network Address Translation (NAT), the Gnutella design incorporates the ability to spoof ports and IP addresses. Unfortunately, this means that an unwitting host may be targeted by many simultaneous SYN requests from hosts on the Gnutella net who are attempting to grab the files that the spoofed host is apparently offering. One more thing - with the current increasing use of Gnutella, and the number of Gnutella versions and downloads available, perhaps it is only a matter of time before someone discovers that there’s more to their executable than they originally thought. Is there a better way to distribute a Trojan, than to take advantage of a pool of users eager to download and run the Gnutella binary? 2-2
  3. Gnutella - Firewall Subversion 1 Gnutella Net F I B 2 F I R R E E A W A W 1 A A L 2 L 3 L C L C 1. A and B set up Gnutella Net 1. C connects to Gnutella Net 2. Firewall denies inbound 2. C’s request relayed to A TCP request 3. A connects to C through wall Information Risk Management - SANS ©2001 3 The fundamental trick Gnutella uses is to count on a firewall policy that says we trust ANY connection originated from inside the firewall. The threat vector with tools like Gnutella is inside users on your local network. They usually know they are violating policy, but they may not understand the entire risk of their actions. On the left, host A is behind a firewall and has connected to host B, forming a Gnutella net. Host A initiated the connection, which the firewall allowed. An external TCP request from host C is denied by the firewall - that is, C cannot initiate a connection to A. Gnutella provides a mechanism for host C to circumvent this firewall block and access host A. On the right, we see that host C connects to the Gnutella net previously set up by A and B. Through host B on the net, host C can now ‘see’ the files being offered by A. In order to download from A, host C needs to set up a TCP connection. Host C achieves this by sending a request to the Gnutella net which relays the request to A, telling A to initiate a connection to C. Since A is not prevented from connection initiation, a connection can be made. Indirectly, C can connect to a port on a host behind a firewall that denies inbound TCP connections to unserved ports! Combine this with the information give-away talked about earlier, and the hacker’s job is made that much easier. Thanks to Matt Scarborough for sourcing the Gnutella information. For more on Gnutella visit http://www.sans.org/y2k/gnutella.htm To summarize this section, many users place too much trust in their firewalls and firewalls are wonderful, but they, like any defensive means, have limitations. Next we will take a look at the type of attacks that are banging against your firewall on a daily basis. 2-3
  4. Firewalls, Wireless Connections, and Modems INTERNET ISP Firewall The more restrictive a site’s firewall policy, the more likely the employees will use modems. Information Risk Management - SANS ©2001 4 Suppose your house is connected to the Internet with a Cisco router running the firewall feature set. Behind that is an additional appliance firewall. Could your systems be easily reached? They could if the systems run 802.11 wireless cards! But long before wireless became popular, there were still a number of ways to penetrate or avoid firewalls. You can’t buy a system today without a 56K modem built-in and PCs with modems, however, are number one in the subvert-a-firewall hit parade. There are at least two problems with modems inside a firewall: Leaving the modem on auto- answer and having attackers scan you when you use them to connect to the Internet. The first case (auto-answer) is well-understood. If the modem is left in this mode, then an attacker may locate it with a war dialer and access the site. Perhaps the best defense for this is to sweep your site for modems periodically. Phonesweep is a commercial war dialer available at http://www.sandstorm.net. The second modem risk is exposed when a system makes a connection to an ISP: It is a fully functional, bi-directional network connection. Many sites understand some or all of the information- gathering probes and attacks that can be directed against Windows machines, and block NetBIOS with their filtering firewall or router. However, a system connected to an ISP is not protected by the firewall!! The picture on your screen represents a successful compromise of a secure facility. The firewall was a good one, with certified proxies. However, there was no proxy available for the timecard application, so they gave the administrative worker access to an ISP account. A determined hacker had studied what they were doing and since timecards are done at about the same time every other Friday, was able to scan the ISP dialups, find the administrative worker’s system, and gain access to information via an unprotected share that was later used to attack the facility. The firewall did its job just fine, but the perimeter was not sufficient to protect the facility. The threat vector here was an outside attack via a network. 2-4
  5. Finding Unprotected Shares - Legion Information Risk Management - SANS ©2001 5 Legion is available from http://www.nmrc.org/files/snt/. This tool is recommended for any system administrator or security professional responsible for a site with Windows systems. Just remember to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of your next career may be: “Would you like fries with that order?” What does Legion do? The software can detect unprotected or poorly protected shares. Poorly protected shares may allow an attacker access to files. Depending on this access, this may mean the ability to compromise the system. It certainly could mean the ability to defeat two of the primary security pillars: Confidentiality and integrity. Confidentiality would be breached if they could read the files; integrity would be compromised if they could modify the files. This simple flaw is what enables an entire class of Windows worms to function, if they find an unprotected share they can copy themselves to the hard drive and then simply need to find a way to have their code executed. Sometimes these worms aren’t that dangerous, Lance Spitzner has an interesting account of an unprotected share worm at: http://project.honeynet.org/papers/worm/. In that case the worm borders on research. NOTE, not all Windows worms propagate via unprotected shares KAK for instance, uses an ActiveX design flaw in Outlook Express so that if the user simply reads an email message, (they do not have to open an attachment like the earliest worms), KAK is able to spread by attaching itself to the outgoing signature file so that it can reach other victims. Many of you know about shares and null sessions and have figured, “So what? We have a firewall and we block NetBIOS”. This is good, but if one system that connects to the Internet via modem or wireless card gets compromised, it can be used as a springboard to run against your entire network from the inside. Again, the simplest way to subvert a firewall is with a system and a modem inside a facility. 2-5
  6. Social Engineering • Attempt to manipulate or trick a person into providing information or access • Bypass network security by exploiting human vulnerabilities • Vector is often outside attack by telephone or a visitor inside your facility Information Risk Management - SANS ©2001 6 “Social engineering” is the term used to describe an attempt to manipulate or trick a person into providing valuable information or access to that information. It is the process of attacking a network or system by exploiting the people who interact with that system. People are often the weakest link in an organization’s security. All of the technology in the world cannot protect your network from a user who willingly gives out his or her password, or innocently installs malicious software. Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear of getting in trouble, or the tendency to trust the people - and computers - with which we interact. 2-6
  7. Social Engineering (2) • Human-based – Urgency – Third-person authorization • Computer-based – Popup windows – Mail attachments Information Risk Management - SANS ©2001 7 Most social engineering is “human based.” It involves one person trying to get valuable information from another person. The most well-known techniques are the urgency, impersonation, and third- person authorization techniques. Here is a classic example. A man calls the help desk: “Hello, this is Bob Smith, the Vice President of Big Corporation. I’m on travel and I’ve forgotten my password. Can you reset it so I can retrieve an important email for a meeting in 15 minutes?” Would your help desk question this request? Most people would give out the information without thinking, either because they want to be helpful or because they are afraid of refusing the “vice president’s” request especially since he has an urgent meeting in 15 minutes. Social engineering can also be computer-based. Consider this example: A user is browsing the web when he sees a pop-up window telling him that his Internet connection has timed out and he needs to re-enter his user name and password to re-authenticate. Would the average user question this activity? This is a common means to steal password information. These examples show that “human nature” can make it trivially easy for an attacker to walk right in to your network. Why hack through someone’s security system when you can get a user to open the door for you? 2-7
  8. Social Engineering Defense • Develop appropriate security policies • Establish procedures for granting access, etc., and reporting violations • Educate users about vulnerabilities and how to report suspicious activity Information Risk Management - SANS ©2001 8 Social engineering is one of the hardest attacks against which to defend. The weakness is a human one; we want to help people. Technology, such as host perimeter defense products, can provide some protection (for example, anti-virus software to guard against users who run viruses or Trojan software). Your best defense is to establish clear security policies - and enforce them. • Security policies should establish such things as: The types of access allowed; the people authorized to grant such access; and the circumstances under which exceptions may be granted. • In addition to policy, you should define procedures for things like activating and deactivating accounts; changing or resetting passwords; and granting additional rights or privileges. • Finally, educate your users about these types of threats. In most cases, users do not maliciously create security problems - they generally do so out of ignorance. If users are aware of the threats, they can properly guard against them. Here is a final thought about social engineering. In some sense, all attacks are social engineering. Whatever technology or technique an attacker is using to attack a site, if the attack is noticed, it often has a marked effect. Many people are starting to feel that they cannot keep up, that they cannot defend against the rapidly evolving threat. This is one reason why a course like this one is important, it gives you access to a lot of up-to-date information packaged so that you can get up-to-speed and back in the game fast. 2-8
  9. Primary Threat Vectors • Outsider attack from network • Outsider attack from telephone • Insider attack from local network • Insider attack from local system • Attack from malicious code Information Risk Management - SANS ©2001 9 A threat is applied against a vulnerability and that results in a compromise or denial of service. A threat vector is the method a threat uses to get to the target. For example, mosquitoes are the vector for malaria. A countermeasure against malaria (the threat) is to locate and spray mosquito breeding ponds (detection and response) or to invest in mosquito netting (prevention). As we discuss threats, please try to keep the threat vectors firmly in mind. Once the most important and probable threat vectors have been listed, you can note which ones are handled by current measures and which ones your proposal will address. For example, insider fraud risks are often well- controlled by existing separation of duties and audit controls. 2-9
  10. Tools That May Be Visiting Your DMZ • 3 famous Windows Trojans • Windows viruses that collect info • Jackal, Queso, and SYN/FIN • Nmap and Hping • Unix Worms Information Risk Management - SANS ©2001 10 As we continue our discussion of well-known attack and scanning tools, I am going to give a bit of a historical perspective. Many of the authors that worked on this file and the entire course were involved in the Department of Defense’s Shadow Intrusion Detection team. When we mention these tools, the way we learned about them was watching patterns on the net and then asking questions. Why is this traffic behaving like this? Sometimes we were able to tie a particular pattern, or signature, to a tool. The dates and time frames we are using in this discussion represent when these patterns came to us over the net, as opposed to when the tools were written or developed. Let me give you an example. We have already discussed Gnutella, but there is a similar tool called Napster and it uses the default ports of 6699 and 6700. Recently, I was doing intrusion detection work at a U.S. military site in the Pacific and we saw a LOT of traffic. One or two packets were trying to come in from the Internet to these well known Napster ports, but they were unable to penetrate the perimeter defenses of the military base. Then, boom, a bunch of traffic to or from port 8888. We configured a Snort intrusion detection system to capture the traffic and it had the look and feel of Napster. People were downloading sound files. Apparently, the folks on the base had found a way around the traffic filtering on the firewall by using this alternate port number of 8888. It seemed to be primarily a chat channel, but they were also able to acquire sound files using it. The new port with 8888 was a new pattern to me, but because I had seen a lot of Napster before, it had the look and feel of Napster. If you have an opportunity to run TCPdump or Windump (www.tcpdump.org) and watch the traffic coming to your network, this is a valuable thing to be familiar with. When you start watching, one thing you will almost certainly see are probes for Trojans. In the next few slides, we are going to look at some of the famous Windows Trojans and discuss their signature over the network. They are: Back Orifice, Netbus, and of course, SubSeven. These are examples of one of the most prevalent threat vectors today, malicious code. 2 - 10
  11. Trojans This screenshot is from an attack called w32.leaves, vulnerable computers are being harvested. What is a Trojan, how do they work? How do Trojans work? The user often compromises their computer by clicking on an attachment in an email message or newsgroup. Sometimes they try to hide the Trojan using a file name. One famous variation of the third Trojan we are going to discuss was released in newsgroups as sexxxymovie.mpeg.exe. Imagine folks surprise when they clicked on it. At that point the computer is compromised and waiting for its master. Older Trojans like Back Orifice and NetBus waited patiently, SubSeven tries to find a master. From a risk management perspective if you are infected with a Trojan and are not protected by at least one of the following: - A firewall - A personal firewall - Anti-virus files that recognize the Trojan or Trojan attempt then your computer system is certain to be compromised and totally under the control of the attacker. The screenshot is from a famous attack called w32.leaves. In this case attackers would troll the Internet looking for infected systems. Then they would use a master password to break into the computer. An arrest was made in London in August 2001 from a combined effort of the FBI and Scotland Yard. 2 - 11
  12. Trojans “Driving the Bus”, NETBUS Information Risk Management - SANS ©2001 12 This screen shot is the result of the NetBus Trojan. Some of the commands that can be issued to the infected system are visible: Send arbitrary text, play sounds, turn on the system’s microphone to spy on what is being said, and (my personal favorite) opening the CDROM door at will. NetBus establishes a TCP connection. This can remain active for a long time during periods of low- level activity. Most of the Trojans have control panels similar to this one. The default ports for NetBus are TCP 12345 or sometimes 12346. It is highly recommended that you memorize these default ports if you do not already know them. It really helps when you know some of the more commonly probed ports and don’t have to stop to look them up. That is especially true for SubSeven, the software shown on the next slide. Before the worm traffic overtook it, this was the most commonly probed port in the year 2000, and it is still very active today. The port is 27374 TCP though it can be changed. This is the default and by far most common. 2 - 12
  13. SubSeven Client Information Risk Management - SANS ©2001 13 SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9x and NT) and is the primary Trojan being pinged for in the year 2000. The SubSeven download consists of three programs: The SubSeven server, client, and server editor. The server is the part of the Trojan that must be run on the victim’s machine for infection to occur. The client is the attacker’s device enabling connection to, and control of, those computers running the server. The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version provides more attack options than either Back Orifice or NetBus. Attack examples include: Recording signals from the victim’s microphone, logging keyboard entries, Registry editing, opening FTP sessions (as in the screen shot), starting and recording from a webcam, gathering computer information, executing applications, stealing passwords, and much more. For the client to connect to a server, the server’s IP address is needed. The attacker achieves this by using ICQ if the victim does not have IP hiding enabled, or by using the notification options available on the server. The server will notify the attacker (by e-mail, ICQ, or IRC) that the victim has connected to the Internet. 2 - 13
  14. SubSeven EditServer Information Risk Management - SANS ©2001 14 This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante when it comes to detecting SubSeven activity and cleaning SubSeven infections. An attacker can connect to a client and install a newly-configured form of the SubSeven server, and then remove the old one. The new configuration might use a different TCP port, a different autostart mechanism (e.g. Registry, win.ini, etc.), a server filename that varies in size, icon and name, and might notify the attacker that the victim is on-line in a different way. So, if the server uses varying ports and may appear in disguise, how do we deal with it? Well, typical ports are 1243, 6711, 6712, 6713, 6776, and 27374. Typical filenames are server.exe, rundll.exe, systray.dll, and Task_bar.exe. The problem is that the ports, file names, and file locations can vary. However, the SubSeven server always uses an autostart mechanism involving some combination of entries in system.ini, win.ini, and the Registry, specifically: HKLM\Software\Microsoft\Windows\CurrentVersion\(Run or RunServices) The entry “shell=ini” in system.ini, “run=“ or “load=“ in win.ini, or the registry locations above, will contain a reference to the server program. Cleaning involves removing the offending entries and keys and deleting the server program. V2.2 will be released soon. Apparently, this will include a whole new concept in infection. Beware. 2 - 14
  15. Trojans Review • Trojans can penetrate firewalls as email attachments • SubSeven was the primary Trojan being pinged for in 2000 • Protective tools include: All major anti-virus tools, firewalls, personal firewalls Information Risk Management - SANS ©2001 15 To review the material on Trojans, the most common infection vector is by email. An unwitting individual opens an attachment and then they have the active Trojan. However, the attacker still has to find the system, unless they had a way of being certain which system was infected. This is the reason there is a lot of scanning activity looking for Trojans. The two well-known Trojans, Netbus and Back Orifice, have equally famous default ports of 12345 and 31337, but they can exist at other ports, and there are a large number of Trojans, including variations of these. Most recently, we have been evaluating scans that appear to be looking for Trojans, but are using a variety of destination ports – making it more difficult to write a filter for these scans. Furthermore, examples such as SubSeven, show that destination ports may change from case to case. The good news is that with reasonable precautions you can defend your systems! The major anti- virus software packages are quite good at locating and cleaning Trojans. Also, I strongly recommend you consider the use of personal firewalls. That concludes our section on Trojans. These next tools are classified as viruses, but what they do is really interesting. If they get onto your computer, they will attempt to FTP information off of your system into the Internet. 2 - 15
  16. Caligula • The Caligula virus (also called WM97) is a Word macro virus that searches the Registry for the location of the PGP key ring. When the key ring file is found, it is uploaded to the ftp.codebreakers.org incoming directory. • Once the computer is infected, Caligula sets the Registry key: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula To a value of "1". Information Risk Management - SANS ©2001 16 The detailed information on your notes page is from http://www.securiteam.com. In both examples, FTP information from your computer is sent out onto the Internet. Even the tightest site in which I have worked allowed users inside the facility to initiate a connection to the Internet. Traffic originating from the inside is also rarely monitored; it just doesn’t seem to be worth the trouble. • Caligula can be detected by checking if the following registry value exists: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula. • Picture.exe can be detected by checking for a file called "note.exe" in the windows directory (this file is created by the Trojan). As a general rule to avoid such Trojans and viruses, never run unknown binaries. System administrators should monitor attempted FTP connections to (ftp.codebreakers.org). Also, to protect your PGP key, never store the secret passphrase on the hard drive. Make sure the passphrase is long and complicated, (some PGP front ends offer a "passphrase quality" bar that measures the strength of the passphrase). For more information about picture.exe and Caligula, read ISS X-Force's advisory: http://www.iss.net/xforce/alerts.html. Other information-gathering viruses include picture.exe and W97.Marker.A. We will discuss Marker, since it just keeps popping up. 2 - 16
  17. W97M.Marker.A • Word 97 Virus – HKEY_CURRENT_USER\Software\Microsoft \MS Setup(ACME)\User Info – What does it do? • FTP’s what appears to be “worm tracks”, a list of the previous systems it has infected • Could potentially be a valuable reconnaissance tool for developing chains of potential infection Information Risk Management - SANS ©2001 17 We first discovered this when the intrusion detection system flagged a number of outbound FTPs, all headed to two addresses. Marker was one of the culprits, the one we sorted out first as a matter of fact. It turned out the computers were sending a file out into the Internet containing a list of the Microsoft Office registration information, as well as the internet addresses of the infection chain. So what? The interesting thing is that the information could potentially be used to target a specific desktop with a virus or Trojan. If someone didn’t have good anti-virus software once, they might not again, and by knowing who sends what to whom, you actually might be able to arrange to target a virus-infected host. That would be a neat trick. On your slide you see some strange formula, starting with HKEY. What is that? It’s a Windows Registry entry. How do you examine a Registry entry? With regedit, found in your Windows explorer, just hit CTRL F and type in regedit. Important safety tip. Your Registry is very important to the operation of your computer. You should make a backup of your computer, or at least ensure you have an updated Emergency Recovery Disk handy. On the other hand, hopefully you are just going to look and not edit anything. How else can you learn? The Registry entry on your slide is for an Office97 computer running Windows98, so you might have to goof around a bit on an NT 4.0 with Office 2000. The acme stuff is under HKEY_LOCAL_MACHINE, but learning is what it is all about. Anyway, should you find your way to User Info, check and see if the value of the key is LOGFILE = True This could be an indication of compromise by the virus. Of course, you could just run an updated mainstream anti-virus software package and be done with it. Using tools like these to capture information from your disk is not going to end because it works and is fairly low risk. There are other types of reconnaissance that require scanning from the outside. These generally must operate with a fairly obvious signature, though as we will see, there are ways to stealth their activity. 2 - 17
  18. Enter the Jackal 1997 /* Jackal - Stealth/FireWall scanner. With the use of half open ports and sending SYNC (sometimes additional flags like FIN) one can scan behind a firewall. It shouldn’t let the site feel we're scanning by not doing a 3-way-handshake; we hope to avoid any tcp-logging. Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie. Alpha Tester: Walter Kopecky. Results: Some firewalls did allow SYN | FIN to pass through. No Site has been able to log the connections though.. during alpha testing.ShadowS shadows@kuwait.net Copyleft (hack it; i really don’t care). */ Opening comments - Jackal.c Information Risk Management - SANS ©2001 18 Jackal was the first software package I became aware of that was commonly used for SYN/FIN scanning. As you know, the three-way handshake begins with a packet with a SYN as the only TCP flag in the packet. However, it turns out that a number of operating systems, including Windows and many Unix systems, will respond to a SYN and also a FIN. This was a significant improvement on the half-open style scan. A SYN is used to initiate a connection; a FIN is used to tear a connection down. It isn’t logical for the two to be used together! So we have this situation where the tool gets good results and yet is easy for the analyst to find. TCPdump, the software sniffing tool used in the Shadow intrusion detection system, could detect the SYN/FIN just fine. In fact, we had been scratching our heads for weeks wondering what was generating such a strange pattern. Over the years and this dates back to late 1996, we have seen hundreds of variations of SYN/FIN. Why? One reason is that it works. In the same way that many hosts will respond to the combination even though they really shouldn’t, it turns out that many perimeters would allow these packets to pass since they were only looking for a SYN only. It may be true that SYN/FIN penetrates some firewalls and filtering routers, but it didn’t penetrate proxy-based firewalls such as TIS’s (now NAI’s), or Gauntlet for Secure Computing’s Sidewinder. When I got the scoop on Jackal, I spent a lot of hours reading sniffer logs from both sides of these firewalls. 2 - 18
  19. Sons of Jackal Continue to be Seen Source Port 0 and 65535 12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512 16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512 13:10:33 iquery.65535 > SF 111:111(0) win 1024 SF - SYN = Synchronize or Start; FIN = Finish or Stop Information Risk Management - SANS ©2001 19 The attacks shown on your screen are signatures against buffer overflows of well-known services. Again, we know the signature, if you were to pull the Snort Intrusion Detection system signatures you would find a SYN/FIN since it is that common. So, we could debate the effectiveness of Jackal and the software that followed its lead, but from an intrusion detection point of view, the key point is that source port zero and SF set are a good signature. In fact, they are a great signature. Now, if SYN /FIN isn’t logical, why do we see it on the network? Are these packets being crafted? The answer is, of course they are. Almost all software that creates crafted packets leaves an easily discovered signature. On this slide, the fixed sequence number of 111 lets us know this particular exploit script is being used. Therefore, to reiterate: The primary purpose(s) of the SF must be to avoid getting logged and to evade filtering devices. As of April, 1999, attacks have been seen, not just to IMAP (143) or NFS (2049), but also to FTP (TCP port 21) and DNS TSIG (TCP 111). 2 - 19
  20. Queso and Friends http://www.apostols.org/projectz/queso/ Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states. Queso pattern is shown on notes page Information Risk Management - SANS ©2001 20 I really do have to hand it to the attacker community; they never cease to amaze me with their creativity. When I first heard of queso, I just had to shake my head in wonderment. I found it really hard to believe that by sending a mere six packets with some odd header combinations, including our friend SYN/FIN, and by watching the responses you got back, it was possible to determine the operating system. That is brilliant! This process is called stack analysis or TCP fingerprinting and it is remarkably successful. However, because the process requires sending unexpected or illogical patterns (such as SYN/FIN together), it sometimes also serves as a denial of service for devices with TCP stacks that are ill-prepared to handle these patterns. They just crash. The exact queso pattern is shown below. From the Queso page, the Queso scan pattern: 0 SYN * THIS IS VALID, used to verify LISTEN 1 SYN+ACK 2 FIN 3 FIN+ACK 4 SYN+FIN 5 PSH 6 SYN+XXX+YYY * XXX & YYY are unused TCP flags All packets have a random seq_num and a 0x0 ack_num. 2 - 20
Đồng bộ tài khoản