
ECE-6612  http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177
Office: Klaus 3362 (email or call for an office visit)
Chapter 9 - Network Intrusion, 3/4/15

Network Intruders
Masquerader: a person who is not authorized to use a computer, but gains access by appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...).
Misfeasor: a person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...).
Clandestine User: a person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.
Hacker: generic term for someone who does unauthorized things with other people's computers (also a poor golfer, tennis player, or a programmer good at writing quick-and-dirty code).

Access Control
Today many systems are protected only by a simple password that is typed in, or sent over a network in the clear.
Techniques for guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user's hobbies, family names, birthday, etc.
5. Try the user's phone number, social security number, street address, etc.
6. Try all license plate numbers (123 XYZ).
Prevention: enforce good password selection ("c0p31an6" - not great; "wdu.SR-wm.Hb365" - better). Three words, separated with punctuation, plus a number, e.g. burgla.R-666.Protect-ALL.
Length and unpredictability defeat guessing; only an encrypted session (SSH, TLS) defeats a password sent in the clear.

Password Gathering
• Look under the keyboard, telephone, etc.
• Look in the Rolodex under "X" and "Z".
• Call up pretending to be from "micro-support" and ask for it (human engineering or social engineering).
• "Snoop" a network and watch the plaintext passwords go by.
• Tap a phone line (this requires a very special modem).
• Use a "Trojan Horse" program to record keystrokes. Used by most bots.

UNIX Passwords
Stored in /etc/shadow:
• User's password (should be required to have 12 characters, some non-letters).
• Random salt, R64 (crypt base-64) encoded and stored in the clear; each R64 character carries 6 bits, so the 9-character salt in the example below is 54 bits (glibc accepts up to 16 characters for $5$ and $6$).
• Salt and password are hashed with SHA-512 (5000 rounds by default) to 86 viewable R64 characters.
[Figure: one row per account - User ID : Salt Value : Hash]
Line from /etc/shadow:
copeland:$6$Uqc.JG1si$9MQO…Wkh/3PZ1:14930:0:99999:7:::
Hash prefixes: $1$ - MD5, $2$ - Blowfish (bcrypt), $5$ - SHA-256, $6$ - SHA-512.
The remaining colon-separated fields are password aging: day of the last change, counted from 1970-01-01 (14930), minimum days between changes (0), maximum days before a change is required (99999), warning days before expiry (7), then the inactive, expire and reserved fields (empty here).

Storing UNIX Passwords
Until a few years ago, UNIX password hashes were kept in a publicly readable file, /etc/passwd. Now they are kept in a "shadow" file, /etc/shadow, readable only by root. This helps prevent a reverse-lookup dictionary attack (the attacker must first obtain the hashes).
"Salt":
• Random number shown in the clear (R64 encoded), added to the password before hashing.
• Prevents duplicate passwords from being easily seen as such (two users with the same password get different hashes).
• Prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of the salt).
• Does not "effectively increase the length of the password": an attacker who has the hash also has the salt, so each guess still costs one hash computation.
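
The two slides above describe the /etc/shadow record format and the $id$ prefixes. The following is an added example (not code from the slides): a parser for shadow records that decodes the hash prefix, salt, optional round count and the aging fields, plus a small audit that reports accounts whose hash is missing, legacy DES or MD5, or SHA-512 with a reduced round count. The sample file is constructed; its hash strings are placeholders, not real hashes.

```python
"""Parse /etc/shadow records and audit the hash algorithm in use.

Added example, not code from the slides. The sample records below are
constructed: the hash strings are placeholders, not real password hashes.
"""
from datetime import date, timedelta

# $id$ prefix of the hash field -> algorithm, as listed on the slide
ALGORITHMS = {
    "1": "MD5",
    "2": "Blowfish (bcrypt)", "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt)", "2y": "Blowfish (bcrypt)",
    "5": "SHA-256",
    "6": "SHA-512",
}
EPOCH = date(1970, 1, 1)      # shadow day counts are days since this date


def _days(field):
    return int(field) if field else None


def parse_shadow_line(line):
    """Split one record name:hash:lastchange:min:max:warn:inactive:expire:reserved."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields
    rec = {"name": name, "salt": None, "hash": None, "rounds": None}
    if pw == "":
        rec["algorithm"] = "NONE"            # empty field: no password needed to log in
    elif pw[0] in "!*":
        rec["algorithm"] = "LOCKED"          # "!", "!!" or "*": password login disabled
    elif pw.startswith("$"):
        parts = pw.split("$")[1:]            # id, [rounds=N | cost], salt, hash
        ident = parts[0]
        rec["algorithm"] = ALGORITHMS.get(ident, "unknown ($%s$)" % ident)
        if ident.startswith("2"):
            # bcrypt: $2b$cost$ then 22 salt characters and 31 hash characters run together
            rec["rounds"] = int(parts[1])
            rec["salt"], rec["hash"] = parts[2][:22], parts[2][22:]
        else:
            body = parts[1:]
            if body and body[0].startswith("rounds="):
                rec["rounds"] = int(body[0][len("rounds="):])
                body = body[1:]
            rec["salt"] = body[0] if body else ""
            rec["hash"] = body[1] if len(body) > 1 else ""
    else:
        # 13-character traditional DES crypt: 2-character salt, 11-character hash
        rec["algorithm"] = "DES (traditional crypt)"
        rec["salt"], rec["hash"] = pw[:2], pw[2:]
    rec["last_change"] = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
    rec["min_days"], rec["max_days"], rec["warn_days"] = _days(mn), _days(mx), _days(warn)
    rec["inactive_days"] = _days(inact)
    rec["expire"] = EPOCH + timedelta(days=int(expire)) if expire else None
    return rec


WEAK = {"MD5", "DES (traditional crypt)"}


def audit_shadow(text):
    """Return (account, finding) pairs for accounts a sysadmin should look at."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_shadow_line(line)
        alg = rec["algorithm"]
        if alg == "NONE":
            findings.append((rec["name"], "empty password field: login needs no password"))
        elif alg in WEAK or alg.startswith("unknown"):
            findings.append((rec["name"], "weak or unrecognised hash: " + alg))
        elif alg == "SHA-512" and rec["rounds"] is not None and rec["rounds"] < 5000:
            findings.append((rec["name"], "SHA-512 with fewer than the default 5000 rounds"))
    return findings


# Constructed sample file: the first salt is the one shown on the slide; every
# hash string is a placeholder.
SAMPLE_SHADOW = """\
copeland:$6$Uqc.JG1si$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEH:14930:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERPLACEHOLDE:12000:0:99999:7:::
oldbox:AbCdEfGhIjKlM:11000:0:99999:7:::
guest::15000:0:99999:7:::
daemon:*:14930:0:99999:7:::
"""

if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW):
        print("%-10s %s" % (account, finding))
```

Run as root against the real file with `audit_shadow(open("/etc/shadow").read())`; the parser deliberately does not verify passwords, only classifies how they are stored, which is what an auditor wants before deciding whether a leaked copy of the file is crackable in hours (DES, MD5) or months (SHA-512 at 5000 rounds, bcrypt).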

The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are "open" (being listened to by servers).
2. Run "exploit" scripts against open ports. [ACCESS]
3. Elevate privileges to "root" or "admin". [ELEVATE]
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT] (or a simple backdoor)
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its information (ID theft, warez, botnet). [UTILIZE]
For current scanning activity: http://isc.sans.org/reports.html

# nmap -sS -P0 -vv -p 21,22,25,110,443 209.162.185.100
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host jacsw (209.162.185.100) appears to be up ... good.
Initiating SYN Stealth Scan against victim (209.162.185.100)
Adding open port 22/tcp
Adding open port 443/tcp
The SYN Stealth Scan took 4 seconds to scan 5 ports.
Interesting ports on jacsw (209.162.185.100):
Port      State     Service
21/tcp    filtered  ftp       [response blocked by firewall]
22/tcp    open      ssh       [tcp port 22 open]
25/tcp    filtered  smtp
110/tcp   filtered  pop-3
443/tcp   open      https
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

# telnet 209.162.185.100 22        [telnet can connect to any port; here we specified port 22]
Trying 209.162.185.100...
Connected to 209.162.185.100.
SSH-2.0-OpenSSH_3.1p1              [the banner shows the SSH version]

(-sS is a half-open SYN scan; -P0 skips the ping sweep and is spelled -Pn in current nmap. "filtered" means neither SYN/ACK nor RST came back, usually because a firewall dropped the probe. The banner read with telnet is the "what is running" step of reconnaissance.)

# less /var/log/secure        [unless a root kit is installed, log files tell who has logged on]
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
Windows - use "Event Viewer". Mac - use "Console".
(Every "Accepted" line above is a password login as root. On a hardened host sshd would be configured with PermitRootLogin no, or prohibit-password, so that such lines could not appear at all.)
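
The log excerpt above is what an administrator reads by hand; the following is an added example (not from the slides) of turning that reading into a check: it parses sshd "Accepted" lines, counts successful logins per source address, and flags logins that break a policy. The policy values (root may only log in with a key, and only from 130.207.0.0/16) are assumptions made for the example; the sample input is the slide's own excerpt.

```python
"""Review sshd "Accepted" lines from /var/log/secure against a login policy.

Added example, not from the slides. The policy values are assumptions for the
example: root may only log in with a key, and only from 130.207.0.0/16.
"""
import ipaddress
import re
from collections import Counter

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumed policy for the example
ALLOWED_NETS = [ipaddress.ip_network("130.207.0.0/16")]
KEY_ONLY_USERS = {"root"}


def parse_accepted(line):
    """Return the fields of an 'Accepted <method> for <user> from <ip>' line, else None."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["port"] = int(ev["pid"]), int(ev["port"])
    return ev


def policy_violations(ev):
    """List the policy rules a successful login breaks (empty list = compliant)."""
    reasons = []
    if ev["user"] in KEY_ONLY_USERS and ev["method"] != "publickey":
        reasons.append("%s logged in with %s instead of a key" % (ev["user"], ev["method"]))
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in ALLOWED_NETS):
        reasons.append("login from %s, outside the allowed networks" % ev["src"])
    return reasons


def review_secure_log(lines):
    """Return (alerts, logins_per_source); alerts are (timestamp, user, src, reason)."""
    alerts, per_source = [], Counter()
    for line in lines:
        ev = parse_accepted(line)
        if ev is None:
            continue   # reverse-map failures, disconnects, failed attempts, ...
        per_source[ev["src"]] += 1
        for reason in policy_violations(ev):
            alerts.append((ev["ts"], ev["user"], ev["src"], reason))
    return alerts, per_source


# The excerpt from the slide, used here as sample input
SAMPLE_LOG = """\
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
""".splitlines()

if __name__ == "__main__":
    alerts, per_source = review_secure_log(SAMPLE_LOG)
    for a in alerts:
        print(*a)
    print(per_source.most_common())
```

Against the slide's excerpt every login is a root password login, so every one is reported, and the two from 199.77.146.103 are reported twice (wrong method and wrong network). The check only sees what sshd wrote; as the slide notes, once a rootkit is installed the log itself can no longer be trusted, which is why copies should also be shipped to a separate log host.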

Protection from a Network Intrusion
Protection
1. Use a "firewall" between the local area network and the worldwide Internet to limit access (Chapter 10).
2. On Microsoft PCs with XP and later, use the OS firewall, which limits incoming and outgoing communications by application (program), not just by port number. For Mac, buy "Little Snitch" ($35).
Detection
1. Use an IDS (Intrusion Detection System) to detect the cracker during the scanning stage (lock out the IP address, or remove malware from a local host).
2. Use a program like Tripwire* on each host to detect when system files are altered, and email an alert to the sysadmin.
Reaction
1. Have a plan and the means to implement it.
* Gene Kim and Gene Spafford (Ph.D. GT 1986), Purdue U., http://www.cerias.purdue.edu/

"Little Snitch" Firewall for MacOS [screenshot]

"Little Snitch" Firewall for MacOS - Popup [screenshot]


Anomaly-Based Intrusion Detection
A "negative" event, true or false, is one that does not trigger an alarm; a "positive" event is one that does.
High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
[Figure 9.1: distributions of normal and bad events along the measured parameter, with the detection threshold. Events above the threshold are detected as positive and raise an alarm. The tail of the normal distribution above the threshold gives the false positives (false alarms); the tail of the bad distribution below it gives the false negatives (undetected intrusions).]
#False-Positives = #Normal Events x FP-rate
#False-Negatives = #Bad Events x FN-rate
#Normal Events = #True-Negatives + #False-Positives

If the "behavior" is a connection ("positive" says it is malicious, "negative" that it is not):
For legitimate connections (total number = LC):
  True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
  Correctly handled connections (no alarms) = TNR * LC
  Incorrectly handled connections (false alarms) = FPR * LC
For malicious connections (total number = MC):
  False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
  Correctly handled connections (real alarms) = TPR * MC
  Incorrectly handled connections (no alarms) = FNR * MC
Trade-off by shifting the threshold: lowering it raises TPR but also raises FPR.
If LC >> MC then (FPR * LC) >> (TPR * MC), hence "false alarms" greatly outnumber "real alarms" whenever FPR >> MC/LC, and MC/LC is tiny (TPR is 1 - FNR, or approximately 1).

"Base-Rate" Fallacy
Suppose the accuracy of an IDS is 99% (both TPR and TNR). This means that for every 100 normal events there will be 1 false positive. Also, for every 100 intrusion events there will be 99 detects (true positives) and 1 missed detection (false negative).
If there are 300,000 normal connections a day, there will be 3000 false alarms (false positives) per day. If there is one intrusion per week, there will be a 99% chance of detecting it (if the IDS is still turned on): roughly 21,000 false alarms for each real one.
For detailed math, see Appendix 9A of the textbook (editions 2, 3).

Example Problems - "Base-Rate Fallacy*"
Q. If there are 10,000,000 connections** on a network per day, and the False Positive Rate is 0.0001:
1. How many false alarms (False Positives) will result?
   Ans. 10,000,000 x 0.0001 = 1000 false alarms per day (False Positives / day).
2. How many good connections will not cause alarms (True Negatives)?
   Ans. 10,000,000 x (1 - 0.0001) = 9,999,000 True Negatives per day.
** Unless stated (as in the next problem), assume none (or a negligible number) of the connections are "bad".
Q. If there are 100 "bad" (or "intrusion") connections per day, and the False Negative Rate is 0.1:
1. How many will be detected (True Positives)?   Ans. 100 x (1 - 0.1) = 90
2. How many will be missed (False Negatives)?    Ans. 100 x 0.1 = 10
"Negative" means there was no alarm, "Positive" means there was an alarm. "True" means the decision to issue an alarm (or not) was correct, "False" means the decision was incorrect.
* The "fallacy" comes from ignoring the fact that there are many more "good" connections (the base rate) than "bad", and thus concluding that a False Positive Rate of 0.0001, which sounds small, would lead to satisfactory operation. In the two problems above it still yields 1000 false alarms for every 90 real ones.
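
The arithmetic of the last three slides (false positives = normal events x FPR, true positives = bad events x (1 - FNR)) is small enough to be done by hand, but the quantity the analyst experiences is the alarm precision, the fraction of alarms that are real, which the slides leave implicit. The following is an added example (not the slides' own code) that works both slide problems and inverts the relation to find the FPR an IDS would need for half its alarms to be real.

```python
"""Expected IDS outcomes from base rate and error rates.

Added example (not the slides' own code): works the two problems above and
shows the alarm precision the analyst actually experiences.
"""


def ids_outcomes(normal, bad, fpr, fnr):
    """Expected counts for one day.

    normal, bad : number of legitimate and malicious events (connections) per day
    fpr         : P(alarm | normal event), the False Positive Rate
    fnr         : P(no alarm | bad event), the False Negative Rate
    """
    fp = normal * fpr            # false alarms
    tn = normal * (1 - fpr)      # good connections, no alarm
    tp = bad * (1 - fnr)         # intrusions detected
    fn = bad * fnr               # intrusions missed
    alarms = fp + tp
    precision = tp / alarms if alarms else 0.0   # fraction of alarms that are real
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "alarms": alarms, "precision": precision}


def max_fpr_for_precision(normal, bad, fnr, precision):
    """Largest FPR at which at least `precision` of the alarms are real.

    From tp / (tp + fp) >= p  ->  fp <= tp * (1 - p) / p
                               ->  fpr <= tp * (1 - p) / (p * normal).
    """
    tp = bad * (1 - fnr)
    return tp * (1 - precision) / (precision * normal)


if __name__ == "__main__":
    # "Base-Rate Fallacy" slide: 99% accurate IDS, 300,000 normal connections/day,
    # one intrusion per week
    print(ids_outcomes(300_000, 1 / 7, fpr=0.01, fnr=0.01))
    # Example problem 1: 10,000,000 connections, none bad, FPR 0.0001
    print(ids_outcomes(10_000_000, 0, fpr=0.0001, fnr=0.1))
    # Example problem 2: 100 bad connections, FNR 0.1
    print(ids_outcomes(0, 100, fpr=0.0001, fnr=0.1))
    # FPR needed so that half the alarms are real in the one-intrusion-per-week case
    print(max_fpr_for_precision(300_000, 1 / 7, fnr=0.01, precision=0.5))
```

For the one-intrusion-per-week scenario the precision comes out below 0.005%, and the FPR needed to make half the alarms real is under one in a million, which is the base-rate fallacy stated as a tuning target rather than a surprise.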

Distributed Host-Based IDS
Highly recommended for critical servers and PCs. Modules must be installed and configured on the hosts.
Examples: Okena (Cisco), ISS Proventia Desktop.

Signature-Based IDS
Data packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream. Packet streams must be reassembled and searched, which reduces the maximum possible data rate on the link being observed.

Six "Signatures" from the Snort Database, www.snort.org
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"IDS411 - RealAudio DoS"; flags:AP; content:"|ff f4 ff fd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS362 - MISC Shellcode X86 NOPS-UDP"; content:"|90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOWNOOP-HP-TCP2"; flags:PA; content:"|0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOWNOOP-Sparc-TCP"; flags:PA; content:"|13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOWNOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS291 - MISC Shellcode x86 stealth NOP"; content:"|eb 02|";)
(Bytes between | | are hex. The NOOP rules match the no-op sled that precedes shellcode in a buffer-overflow payload; a two-byte pattern such as |eb 02| (x86 "jmp +2") will also occur in legitimate binary traffic, which is one source of signature-IDS false positives.)
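
To show what "compared to a library of signatures" means mechanically, here is an added example (not code from the slides, and not Snort's engine) that parses the six rules above, converts their content strings with |hex| sections to bytes, and applies them to a few constructed packets. Only the protocol, destination port, TCP-flags and content tests are implemented; $EXTERNAL_NET and $HOME_NET are treated as matching any address.

```python
"""Match Snort-style content signatures against packets.

Added example, not code from the slides or from Snort. It parses the six rules
above (header, msg, flags, content with |hex| sections) and applies them to a
few constructed packets. Only the content, protocol, destination port and
TCP-flags checks are implemented; $EXTERNAL_NET/$HOME_NET match any address.
"""
import re

RULES_TEXT = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"IDS411 - RealAudio DoS"; flags:AP; content:"|ff f4 ff fd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS362 - MISC Shellcode X86 NOPS-UDP"; content:"|90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOWNOOP-HP-TCP2"; flags:PA; content:"|0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOWNOOP-Sparc-TCP"; flags:PA; content:"|13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOWNOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS291 - MISC Shellcode x86 stealth NOP"; content:"|eb 02|";)
"""

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_content(spec):
    """Snort content string -> bytes: text is literal, |..| holds hex byte values."""
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == "|":
            j = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:j].replace(" ", ""))
            i = j + 1
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["msg"] = opts.get("msg", "")
    rule["flags"] = opts.get("flags")          # None when the rule has no flags test
    rule["content"] = parse_content(opts["content"]) if "content" in opts else b""
    return rule


def flags_match(rule_flags, pkt_flags):
    """flags:AP without a modifier means exactly A and P set (reserved bits ignored)."""
    if rule_flags is None:
        return True
    wanted = sum(TCP_FLAG_BITS[c] for c in rule_flags if c in TCP_FLAG_BITS)
    return (pkt_flags & 0x3F) == wanted


def match_packet(rule, pkt):
    """pkt: dict with proto, dport, flags (TCP flag bitmask) and payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    if pkt["proto"] == "tcp" and not flags_match(rule["flags"], pkt.get("flags", 0)):
        return False
    return rule["content"] in pkt["payload"]


def run_rules(rules, packets):
    """Return (packet index, msg) for every rule that fires."""
    return [(i, r["msg"]) for i, p in enumerate(packets) for r in rules if match_packet(r, p)]


RULES = [parse_rule(line) for line in RULES_TEXT.splitlines()]

# Constructed packets (flag bits: A=0x10, P=0x08, S=0x02)
PACKETS = [
    {"proto": "tcp", "dport": 7070, "flags": 0x18, "payload": b"\x00\x01\xff\xf4\xff\xfd\x06"},
    {"proto": "udp", "dport": 53,   "flags": 0,    "payload": b"\x90" * 7 + b"\xcc"},
    {"proto": "tcp", "dport": 80,   "flags": 0x18, "payload": b"GET / HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dport": 7070, "flags": 0x02, "payload": b"\xff\xf4\xff\xfd\x06"},
    {"proto": "tcp", "dport": 22,   "flags": 0x18, "payload": b"SSH-2.0-\xeb\x02junk"},
]

if __name__ == "__main__":
    for idx, msg in run_rules(RULES, PACKETS):
        print("packet %d: %s" % (idx, msg))
```

Packet 3 carries the RealAudio bytes but only a SYN, so IDS411 does not fire; packet 4 fires IDS291 on two bytes that happen to sit inside an SSH banner, which is the false-positive behaviour the slide's "growing library" has to be tuned against. A real engine also reassembles the TCP stream first, so a signature split across two segments is not missed.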

Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack
[Diagram: a region of "attacks with names" (Back Orifice, Land Attack, WinNuke, IP Blob, Trinoo) for which signatures exist, surrounded by "attacks without names (not analyzed yet)". A signature IDS alarms only on activities in the named region.]

Flow-Based Technology (NBAD - Network Behavior Anomaly Detection) recognizes normal traffic in order to detect new types of intrusions.
[Diagram: the same named attacks (Back Orifice, Land Attack, WinNuke, IP Blob, Trinoo) and the unnamed ones, beside a region of normal network activities (FTP, Web, NetBIOS, Email). The flow-based system learns the normal region and alarms on activities outside it, named or not.]
Example: Lancope's "StealthWatch".

Flow-based Behavioral Analysis
A "flow" is the stream of packets from one host to another related to the same service (e.g., Web, email, telnet, ...). Only data in packet headers is used to build up counts, which is what makes this fast.
Flow statistics counters:
• Number of packets
• Number of total bytes
• Number of data bytes
• Start time of flow
• Stop time of flow
• Duration of flow
• Flag-bit true/false combinations
• Fragmentation bits
• ICMP packet responses to UDP packets
After the flow is over, the counters are analyzed and a value is derived for the probability* that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.
* Based on heuristic rules, not statistical analysis.
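
The following is an added example, not StealthWatch's code, of the two halves described above: aggregating packet headers into flows that carry the listed counters, then applying heuristic rules to the finished flows. The three rules are ones a flow-based system plausibly uses and are assumptions for the example: many distinct destination ports from one source to one host (the "Port Flood" alarm shown on the alarm-message slide later), SYN-only flows carrying no data, and tiny UDP flows answered by ICMP port-unreachable (the probe pattern of the "Mac Attack" slides). All packets are constructed.

```python
"""Build flow records from packet headers and apply heuristic verdicts.

Added example, not StealthWatch's code. Keeps the counters listed on the slide
per flow, then applies three assumed heuristics: many distinct ports from one
source to one host ("Port Flood"), SYN-only flows with no data, and small UDP
flows that provoke ICMP port-unreachable replies. All packets are constructed.
"""
from collections import defaultdict


class Flow:
    def __init__(self):
        self.packets = 0
        self.total_bytes = 0      # header + data
        self.data_bytes = 0       # payload only
        self.start = None         # time of first packet
        self.stop = None          # time of last packet
        self.flag_combos = set()  # distinct TCP flag combinations seen, e.g. {"S", "PA"}
        self.fragmented = 0       # packets with a fragmentation bit/offset set
        self.icmp_unreach = 0     # ICMP unreachable replies quoting this UDP flow

    @property
    def duration(self):
        return 0.0 if self.start is None else self.stop - self.start


def build_flows(packets):
    """Aggregate header records into flows keyed by (src, dst, proto, sport, dport)."""
    flows = defaultdict(Flow)
    for p in packets:
        if p["proto"] == "icmp" and p.get("icmp_type") == 3:
            # Destination Unreachable: the quoted inner header says which UDP flow it answers
            key = (p["orig_src"], p["orig_dst"], "udp", p["orig_sport"], p["orig_dport"])
            flows[key].icmp_unreach += 1
            continue
        key = (p["src"], p["dst"], p["proto"], p.get("sport", 0), p.get("dport", 0))
        f = flows[key]
        f.packets += 1
        f.total_bytes += p["length"]
        f.data_bytes += p.get("data_len", 0)
        f.start = p["t"] if f.start is None else min(f.start, p["t"])
        f.stop = p["t"] if f.stop is None else max(f.stop, p["t"])
        if p["proto"] == "tcp":
            f.flag_combos.add(p.get("flags", ""))
        if p.get("frag"):
            f.fragmented += 1
    return dict(flows)


def score_flows(flows, port_flood_threshold=20, syn_only_threshold=5):
    """Heuristic verdicts per (src, dst) pair: dict pair -> list of reasons."""
    ports_touched = defaultdict(set)
    syn_only = defaultdict(int)
    udp_probes = defaultdict(int)
    for (src, dst, proto, _sport, dport), f in flows.items():
        pair = (src, dst)
        if proto in ("tcp", "udp"):
            ports_touched[pair].add((proto, dport))
        if proto == "tcp" and f.flag_combos == {"S"} and f.data_bytes == 0:
            syn_only[pair] += 1                 # half-open: SYN sent, never completed
        if proto == "udp" and f.icmp_unreach and f.data_bytes > 0 and f.packets <= 2:
            udp_probes[pair] += 1               # tiny UDP flow to a closed port
    verdicts = defaultdict(list)
    for pair, ports in ports_touched.items():
        if len(ports) >= port_flood_threshold:
            verdicts[pair].append("Port Flood: %d distinct ports" % len(ports))
    for pair, n in syn_only.items():
        if n >= syn_only_threshold:
            verdicts[pair].append("%d SYN-only flows with no data (half-open scan)" % n)
    for pair, n in udp_probes.items():
        verdicts[pair].append("%d UDP probe(s) answered by ICMP port unreachable" % n)
    return dict(verdicts)


def _tcp(t, src, sport, dst, dport, flags, data_len=0):
    return {"t": t, "src": src, "dst": dst, "proto": "tcp", "sport": sport, "dport": dport,
            "flags": flags, "length": 40 + data_len, "data_len": data_len, "frag": False}


VICTIM = "130.207.125.134"
SAMPLE_PACKETS = (
    # one host sending bare SYNs to 30 different ports on the victim, one per second
    [_tcp(float(t), "200.56.54.65", 50000 + t, VICTIM, 1 + t, "S") for t in range(30)]
    # one ordinary HTTP connection: SYN, data, FIN
    + [_tcp(100.0, "130.207.1.1", 40000, VICTIM, 80, "S"),
       _tcp(100.1, "130.207.1.1", 40000, VICTIM, 80, "PA", 200),
       _tcp(100.3, "130.207.1.1", 40000, VICTIM, 80, "FA")]
    # a one-byte UDP probe (ports as on the "Mac Attack" slide) and the ICMP reply it provokes
    + [{"t": 200.0, "src": "151.21.82.251", "dst": VICTIM, "proto": "udp", "sport": 31790,
        "dport": 31789, "length": 29, "data_len": 1, "frag": False},
       {"t": 200.0, "src": VICTIM, "dst": "151.21.82.251", "proto": "icmp", "icmp_type": 3,
        "length": 56, "orig_src": "151.21.82.251", "orig_dst": VICTIM,
        "orig_sport": 31790, "orig_dport": 31789}]
)

if __name__ == "__main__":
    for pair, reasons in score_flows(build_flows(SAMPLE_PACKETS)).items():
        print("%s -> %s: %s" % (pair[0], pair[1], "; ".join(reasons)))
```

Nothing here looks at payload, which is why flow analysis keeps up with link speed and why it still works when the exploit itself is new: the scanner is caught by the shape of its traffic, not by a signature. The thresholds are the tunable part; as with any anomaly detector, the base-rate argument earlier in the chapter decides how low they can go.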

Zone Protection
One of the zones could be a dark (sinkhole*) net.
* A monitored block of IP addresses with no hosts: any packet sent there is unsolicited by definition, so it is either scanning or misconfiguration.

StealthWatch screen [screenshot]

IDS Types Should be Combined
Host-Based: can detect misuse of OS access and file permissions.
Signature-Based: can detect attacks embedded in network data, if the signature is known.
Anomaly-Based: on host or network; can detect new types, but with a high false-alarm rate.
Flow-Based (NBAD): can detect new types of attacks by their network activity. Should be used together with host-based and signature-based.
One of my three rules: multiple layers of protection are needed to optimize security for a given cost.

The Stages of a Network Intrusion [RAERU] - which detection method covers each stage
1. Scan the network to: [RECONNAISSANCE]   -> flow-based* "CI" (Concern Index), signature-based?
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are "open" (being listened to by servers).
   Vulnerability scan   -> signature?, flow-based
2. Run "exploit" scripts against open ports. [ACCESS]   -> Port Profile*
3. Elevate privileges to "root". [ELEVATE]   -> host-based
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]   -> signature?, "Port Profile*", Forbidden Zones*, host-based
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its information another way. [UTILIZE]   -> signature?, "Port Profile*", Forbidden Zones*, host-based
* StealthWatch features

Detection of the "Mac Attack" DDoS Plan
Type "A" Probes (detected by John Copeland in Dec. 1999)
The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790 -> 31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination-Unreachable (Port) packets. The Echo-Request is never answered.
Date        Time (EST)  Source IP (Place)               Destination (Place)
1999-12-28  18:40       151.21.82.251 (Italy)           24.88.47 (Atlanta, GA)
1999-12-10  18:28       152.169.145.206 (AOL)           24.88.47 (Atlanta, GA)
1999-12-16  03:34       212.24.231.131 (Saudi Arabia)   24.88.47 (Atlanta)
UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS 9 Macintosh (at least one character of data was required).
http://users.ece.gatech.edu/~copeland/jac/macattack/index.html
http://users.ece.gatech.edu/~copeland/jac/ajc_mac_hacker.html
http://users.ece.gatech.edu/~copeland/jac/macattack/fox-news.mov

2nd Generation "Mac Attack" Scanning: "Double-zero" Probes (James Bond, "00" -> "license to kill"), detected in Dec. 1999.
I had now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ASCII zeroes) and identical UDP port numbers, 60000 -> 2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination-Unreachable (Port) packets. The Echo-Request is never answered.
1999-12-20  07:04  195.229.024.212 (Arab Emirates*)    to 24.88.47 (Atlanta, GA)
1999-12-21  08:04  195.229.024.213 (Arab Emirates*)    to 24.88.47 (Atlanta, GA)       *DNS name: cwa129.emirates.net.ae
1999-12-25  09:39  212.174.198.29 (Turkey)             to 24.94.xxx (Wichita, Kansas)  *DNS: none
1999-12-31  05:35  195.99.56.179 (Manchester, UK*)     to 14.88.xx (Atlanta, GA)       *DNS name: manchester_nas11.ida.bt.net
2000-01-04  05:08  24.94.80.152 (Road Runner, Hawaii)  to 24.94.xxx (Wichita, Kansas)  *DNS name: a24b94n80client152.hawaii.rr.com
2000-01-06  04:48  195.44.201.41 (cwnet, NJ)           to 24.88.xxx (Atlanta, GA)      *DNS name: ad11-s16-201-41.cwci.net

Drawing from the Atlanta Journal-Constitution article, Dec. 1999. Full details at www.csc.gatech.edu/macattack/

Fox News - Dec. 29, 1999: http://www.csc.gatech.edu/copeland/jac/macattack/fox-news.m4v

traceroute (tracert) to find the location of an IP address
Start: 11/21/99 11:07:40 PM. Find route from 24.88.47 to www.orbicom. (196.28.160.129). Host names truncated to 32 bytes.
 1  24.88.48.1 (24.88.48.1)
 2  24.88.3.21 (24.88.3.21)
 3  24.93.64.69 (24.93.64.69)
 4  24.93.64.61 (24.93.64.61)
 5  24.93.64.57 (24.93.64.57)
 6  sgarden-sa-gsr.carolina.rr.com. (24.93.64.30)
 7  roc-gsr-greensboro-gsr.carolina. (24.93.64.17)
 8  roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6)
 9  12.127.173.205 (12.127.173.205)
10  gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30)
11  gr2-p3110.wswdc.ip.att.net. (12.123.8.246)
12  att-gw.washdc.teleglobe.net. (192.205.32.94)
13  if-7-2.core1.newyork.teleglobe.n (207.45.222.145)
14  if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69)
15  ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202)
16  196.30.121.243 (196.30.121.243)
17  fe0-0.cr3.ndf.iafrica.net. (196.31.17.26)
18  atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81)
19  196.30.200.6 (196.30.200.6)
20  196.4.162.86 (196.4.162.86)
21  www.orbicom. (196.28.160.129)
Trace completed 11/21/99 11:08:25 PM. Max 30 hops, 40-byte packets.
(Three round-trip times per hop, in ms, followed each line; they run from about 17 ms at the first hop to 40-50 ms across the AT&T and Teleglobe backbone, then jump to 630-660 ms once the path enters iafrica.net. A jump of that size is characteristic of a geostationary satellite hop, and the router names place the far end in South Africa.)

"host" (newer "nslookup") and "whois" utilities
jac:/Users/copeland root# host www.orbicom.com
www.orbicom.com has address 196.31.129.146
jac:/Users/copeland # whois www.orbicom.com        [ERROR]
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
No match for "WWW.ORBICOM.COM".
jac:/Users/copeland # whois orbicom.com
…
Registrant: Multichoice Africa, P O Box 1502, Randburg, Gauteng 2125, ZA [South Africa]
(whois is keyed by the registered domain, not by a host name: query orbicom.com, not www.orbicom.com.)

"host" and "whois" data put into the email alarm message
Alarm: Port Flood Attack
Host: 200.56.54.65 (no DNS name)
Victim: 130.207.125.134 pat.gatech.edu
Time: Mon Jan 3 19:27:31 EST 2005
Serial No. 300482
Port Flood Attack: indicates that the suspect IP has attempted to connect on an excessive number of ports on the victim IP. This may be indicative of a denial-of-service attack or an aggressive scan by the suspect IP.
--- whois 200.56.54.65 ---
[Querying whois.lacnic.net]
[whois.lacnic.net]
By submitting a whois query, you agree to use this data only for legal purposes.
% 2005-01-03 22:27:32
inetnum:     200.55.0/18
status:      allocated
owner:       Impisat Argentina
ownerid:     AR-IMAR3-LACNIC
responsible: Christian O_Flaulant
address:     Alferez Parediso, 256,
address:     1107 - Buenos Aires
country:     AR
phone:       +54 11 51701234
nslastaa:    20041230
created:     20001121
changed:     20010926
nic-hdl:     CHO
person:      Christian OFla​ulant
e-mail:      coflaulant@IMPISAT.COM.AR
address:     Alferez Pareja, 128,
address:     3207 - Buenos Aires
country:     AR
phone:       +54 11 51704600
[]

Try http://www.geektools.com