I have written this article over and over again, looking for a way to keep the depth of technical information level for the intended audience. I found it almost impossible to write this article in such a fashion that it would be interesting for more than network administrators and system engineers. Another consideration is the damage that could be done with this knowledge if it is published publicly for untrained persons. Taking this into consideration I tried to describe the baseline, leaving links and handouts for those that want to know more on the subject, and some general warnings on the tools I share in this article. But before I kick off, it might be nice to know why this article was written in the first place...
A few months back I was asked to have a look at possible studies to follow and to find out if they would benefit our company and customers. One of these studies was introduced as CEH, Certified Ethical Hacker. We almost thought it to be a joke, because these things just don’t seem to go together: Ethical and Hacker, breaking security and acquiring information based on ethical motivations. To convince us that this study might offer new insights and views on the subject, they pointed out a seminar that would be given by Laura Chappell, a packet analysis expert, and naturally we went to that seminar, which was in fact a two-day course on the subject as a kind of preview. But the items handled in this event pointed out a very clear notion: the responsibility for decent security rests on every individual within a corporation, instead of on a single individual. The problem with this is the fact that we all reside on our own known island, afraid to look into unknown territory. In this article I will try to create a bridge between these as well as possible by showing some examples and handouts. I won’t be talking a lot about computer forensics, which was also a part of this course, and will be more focused on the day-to-day stuff that is happening on our corporate network.
The OSI model, who is responsible?
In our current IT environments, the main method of communication between systems is the Ethernet network. Based on the TCP/IP protocol suite we are able to communicate between different nodes and share and provide the needed information to the systems the end-users work on. The way this communication is made possible is visualized by means of the so-called OSI model. It describes the various layers the information travels through before it is sent over the wire. This model already shows how many areas of expertise are touched to provide this communication. This is done by means of the 7 layers that make up this model. A reference to this model can be found here.
http://en.wikipedia.org/wiki/OSI_model
As you can see, the topmost layers of the model describe the GUI-based applications developers write, and the translation needed to make this information available to these applications. These are usually the layers where the information flow starts and ends.
Next a set of purely functional layers are visible, layers 2 to 5. These are the layers usually handled by the OS and network equipment, and are part of the system and network administrators’ daily work. And last is the physical layer that represents the physical hardware and wires that are usually provided by the installation companies that build networks. Finally there is one last responsibility that cannot be found in the OSI model. The one I am talking about is the education of personnel, the introduction of corporate security policies, and a block for social engineering: mainly the awareness of the employees toward security as a general thought.
As you might have noticed, securing all this and the information that is being made available using this model requires a lot of areas to cover it all. There is no point in securing the network if the application and its data are publicly accessible and unsecured, or in securing the system and its applications if the network is wide open. And there is no use in securing any of these if there is no company policy or awareness with the employees to keep their network passwords secret...
Hacking your own network...
The first step in securing your own applications and network, but more importantly your company’s information, is to know what the risks are.
The most basic question is “what is required to get this information?” In most companies the answer would be something like:
1. Network access
2. Basic Knowledge about this network
3. A Password
4. Maybe some installed program to interpret the information...
Well, each single one of these items can be “worked” around with simple solutions, for example:
1. Network access?
We are all connected to the internet, so basically we are all on the same huge network with only some firewalls preventing access. But as a consultant I might not need a workaround for this in most cases. I just plug in my laptop and there I go...
2. Knowledge?
Most corporate networks have DHCP running, so an IP is usually provided automatically. If this is not the case, I can sniff the subnet, where TCP/IP’s basic protocols like ARP, NetBIOS and NS will tell me all I need to know to set up a basic connection. From here on I just listen to what interesting stuff comes by...
3. A password?
There are a lot of network intranets, software, Samba shares and the like that are accessed over and over again by company employees, who provide their logins over and over again. Most companies don’t even encrypt their intranets on the LAN, saying it is only accessible from the “inside” of their network, using basic HTTP instead of HTTPS. In many cases like these I can sniff the internal network, and these logins will be provided automatically over time. All you need to do is know where to look.
4. Programs?
No need for those. Just look at the data that goes over the line. There might be a lot of “noise” around it, but most sniffers allow you to use filters and regular expressions to filter this out. Next to that, for most of the different protocols, the sniffer allows you to trace a single “conversation” in this mayhem of packets. This allows you to get most of the information needed; in many cases private information on how these programs work is also transmitted...
There are a lot of holes if you are aware of them. Most require zero effort to close and/or secure. Naturally I will offer you the chance to try this out for yourself, and see what you are unwillingly sharing over the line. All you need is an old-fashioned hub and a sniffer to fetch the network data.
A good sniffer can be found here, http://www.wireshark.org/, and it is the follow-up of the maybe better known sniffer called Ethereal, which is in fact a dead product because the developers continued with Wireshark. The hub is needed because it will allow you to fetch information “not” intended for you. This is because a hub is a black hole for intelligent switches, which will forward most packets to this black hole, where the hub will do the same. To understand a bit better what this program shows, there are a lot of documents and trainings here that will help you with that. http://www.packet-level.com/library.htm
Please, for all that want to “try” this: even though you might not break anything, the network administrator will notice. Be aware of the fact that there is a lot of “private” information on the wire that might make you break laws on privacy and the like. So please be sure to get approval of the responsible parties before you make an attempt. This is also one of the reasons it’s so hard to get decent security: because of the legal implications you come across when you want to detect possible leaks.
Using protocol leaks to hack?
All that IT experts do is build, support and configure systems to share information based on the OSI model. Within this OSI model the protocols that provide this basic functionality are described on a “per layer” basis. The problem with this is that “if” there is a leak or weakness in one of these protocols, all that depend on it will contain this vulnerability. The protocols considered the most important and dangerous in this suite are the ARP protocol and the ICMP protocol. But next to these, most other protocols can be and are being used to hack and gain access to the information that is being sent over the wire. To limit the brute length one could create in this document by describing all of them, I will limit myself to ARP and ICMP.
ARP
Developers are probably familiar with so-called “middleware” applications. In the so-called network world there are tools that are called “man in the middle” tools. There are some in the Linux security suite, and GNU-based Windows applications that can do this. Searching Google for these so-called “man in the middle” attacks will show a dazzling result of 13.500.000 hits. But how does this work in practice? It’s fairly simple actually, and can be executed by non-educated computer users by simply following the instructions on such a GNU tool’s website.
One of the methods used to do this is called “ARP poisoning”. To understand this technique it is nice to understand the function of the ARP protocol. ARP was designed to “find” the media access control (MAC) address belonging to a remote IP address and store it in an ARP table for later reference. This table is the instance we want to influence in such a poisoning: fill it with false data. The way this is done is simple:
Two computers are communicating over the Ethernet. Now the attacker finds the two IPs of these machines and their MAC addresses, simply by pinging these machines and looking them up in the local ARP table with the command arp -a.
Now we have three addresses: the one of target 1, the one of target 2 and our own address. Next we “tell” target 1 using ARP that my own address is that of target 2, and we “tell” target 2 that my address is that of target 1. After some bashing with the ARP protocol the clients will be forced to update their ARP tables and the “poisoning” is complete. All we need to do now is forward the data to the other target and repeat the poisoning.
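The poisoning described above leaves a visible footprint: one MAC address suddenly answering for several IP addresses, and IP-to-MAC pairs that no longer match what the network administrator registered. The following detector is an added example (not part of the original article); it runs over a constructed list of ARP replies, as a sniffer such as Wireshark would show them, against a hypothetical registered IP/MAC table.

```python
from collections import defaultdict

# Constructed "known good" IP -> MAC table, e.g. exported from a DHCP server
# or collected on a trusted day (hypothetical sample data).
REGISTERED = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway
    "192.168.1.10": "00:11:22:33:44:10",  # target 1
    "192.168.1.20": "00:11:22:33:44:20",  # target 2
}

# Constructed ARP replies as (sender IP, sender MAC). The last two are what a
# poisoning of target 1 and target 2 looks like on the wire: one unknown MAC
# claims to be both of them.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.10", "AA:BB:CC:DD:EE:FF"),  # "I am target 1"
    ("192.168.1.20", "AA:BB:CC:DD:EE:FF"),  # "I am target 2"
]


def detect_arp_poisoning(replies, registered):
    """Return alert strings for suspicious ARP replies.

    Check 1: a reply whose MAC differs from the registered MAC for that IP.
    Check 2: a single MAC claiming more than one IP, the typical footprint of
    a man in the middle sitting between two targets.
    """
    alerts = []
    claims = defaultdict(set)  # MAC -> set of IPs it has claimed
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        expected = registered.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"MAC mismatch for {ip}: expected {expected}, saw {mac}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, REGISTERED):
        print("ALERT:", alert)
```

A static table only works for statically assigned or reserved addresses; on a DHCP network the table must be fed from the DHCP lease database instead.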
Don’t be fooled into thinking that this is always an attack. Legitimate usage is also known, for instance redirecting you to a sign-in page before granting you network access within hotel networks. PacketFence is such an application. http://www.packetfence.org/. Another nice Windows tool to do actual poisoning is available here.
http://www.softahead.com/products/winarpspoof/WinARPSpoof.htm
Again, if you would like to try all this, do it with either proper clearance of the company or try this tool at home. This one might wreck the functionality of the designed network for a while. So be sure to read up on the subject if you want to have a go with it. And do consider local laws that might not allow you to do this...
ICMP
ICMP is the protocol used to control the traffic on the wire. Known usage of the ICMP protocol might be the so-called “ping”; its evil counterpart is the “Ping of Death”. Known might also be the “Time Exceeded” message. The problem with ICMP is that the remote host will ALWAYS listen to these messages and in some cases will respond “accordingly” to them. You will quickly guess what a “Redirect” could do, or how a firewall will respond to a “Destination Unreachable” on every request. Or try any of the other 29 base messages. A complete overview can be found here:
http://www.iana.org/assignments/icmp-parameters
All you will need is a packet generator, which will allow you to create these packets. And yes, they can and will trigger a denial of service attack when used in a bad manner. So be very careful while trying the next tool on some network...
http://www.tamos.com/htmlhelp/commview/pgen.htm
Please take notice of the “warning” at the bottom of the screen. You should take this to heart. This tool can and WILL produce unwanted side effects if you use it in the wrong manner. Please DON’T use this tool on the corporate network if you are not sure what you are doing! Because it can generate an immense amount of packets, you will be able to shut down computers if you flood their connection, or your own, and you can cause denial of service on the remote host, including your own naturally.
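On the receiving side the two ICMP behaviours mentioned above, Redirects that nobody but the gateway should send and floods from a packet generator, are easy to pick out of a capture. This monitor is an added example (not the article’s own code); it works on a constructed list of ICMP packets with a hypothetical gateway address and flood threshold, and uses the type numbers from the IANA registry linked above.

```python
from collections import Counter, defaultdict

GATEWAY = "192.168.1.1"   # constructed: the only host allowed to send Redirects
FLOOD_THRESHOLD = 3       # constructed: max Echo Requests per source per second

# ICMP type numbers from the IANA registry (only the ones used here).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}

# Constructed capture: (seconds, source, destination, ICMP type, ICMP code).
SAMPLE = [
    (0.1, "192.168.1.10", "192.168.1.20", 8, 0),
    (0.2, "192.168.1.20", "192.168.1.10", 0, 0),
    (0.5, "192.168.1.1", "192.168.1.10", 5, 1),   # Redirect from the gateway: normal
    (1.0, "192.168.1.99", "192.168.1.10", 5, 1),  # Redirect from a non-gateway host
    (2.0, "192.168.1.99", "192.168.1.20", 8, 0),
    (2.1, "192.168.1.99", "192.168.1.20", 8, 0),
    (2.2, "192.168.1.99", "192.168.1.20", 8, 0),
    (2.3, "192.168.1.99", "192.168.1.20", 8, 0),  # four in one second: flood
    (3.0, "192.168.1.20", "192.168.1.10", 11, 0),
]


def count_by_type(packets):
    """Summarize a capture as {ICMP type name: count}."""
    return dict(Counter(ICMP_TYPES.get(t, f"type {t}") for _, _, _, t, _ in packets))


def analyse_icmp(packets, gateway=GATEWAY, threshold=FLOOD_THRESHOLD):
    """Return alert strings for Redirects not sent by the gateway and for
    sources exceeding the Echo Request threshold in any one-second bucket."""
    alerts = []
    echo_per_second = defaultdict(int)  # (source, whole second) -> count
    for ts, src, dst, itype, code in packets:
        if itype == 5 and src != gateway:
            alerts.append(f"Redirect (code {code}) from {src} to {dst}, not from the gateway")
        if itype == 8:
            echo_per_second[(src, int(ts))] += 1
    for (src, second), count in sorted(echo_per_second.items()):
        if count > threshold:
            alerts.append(f"{count} Echo Requests from {src} in second {second}")
    return alerts


if __name__ == "__main__":
    print(count_by_type(SAMPLE))
    for alert in analyse_icmp(SAMPLE):
        print("ALERT:", alert)
```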
Hacking Applications
Applications are one of the most complex subjects when you want to “use” them to gain access. Most application leaks are also not used to gain access, but more to trigger a denial of service on the machine that hosts the application. In some cases the denial of service in one application can give access to another, and so forth.
In all cases knowledge is needed to achieve this: knowledge about the application, or the language that is used, or the “rules” an application must follow depending on the operating system and/or application server. Well-known hacking methods in the “web” world are methods like “URL injection”, connection flooding, triggering memory leaks and the like, all to gain access to that server/service or to stop it from servicing. Because of the complexity of the subject, this might be a nice resource to read up on.
http://silverstr.ufies.org/blog/msdn-webcast-application-hacking.pdf
The problem usually is that the functions and supported language on the remote machine allow a lot of host commands that will and can indirectly provide access. For instance, languages like PHP, Java, C# .NET and other server-side languages will allow code to be executed on the local machine. This will also allow people to compromise this machine. On web servers hosting web applications, all we can do is make the wall as high as possible: consider the user accounts that are used to execute scripts, apply well thought out login procedures, and watch and guard sessions and session idle times. But also things like “ARP poisoning” can be guarded against, when one also registers the MAC address bound to an IP address and checks these as part of the login/session management, and by encrypting data at application level instead of trusting 3rd parties to always lay out security correctly. A lot can be done to prevent hacking on various levels; what will always be considered is the “cost” of such a solution. Is my data worth this investment in the long term? And I must admit it is a tough question to answer.
Protecting yourself.
There are a lot of means to protect yourself against all these threats. A lot of acknowledged people have racked their brains in their quest to detect and stop all these threats. Again, the problem is that in many cases all fields need to be involved in the setup of this security plan. One must be familiar with the solutions to these problems and threats. As a handout, here are a few that in most cases will only consume time to roll out.
Honeypots
A honeypot is a machine that is acting as a potential victim. It will emulate most network services by design (don’t make them too obvious). They act as if they were wide open, but in reality they are not. The hacker will just be talking to an empty shell program that will respond correctly. A large collection of these is called a “mine field”. They can also be set up to inflict damage on the hacker’s system, but then again you are also at risk from the legal aspect.
A nice collection can be found here.
http://www.l0t3k.org/security/tools/honeypot/
IDS
IDS or Intrusion Detection Systems are designed to recognize certain signatures. Most hacking tools, packet generators and such leave their own “signature” somewhere in the packets to identify themselves. This is done to make sure network administrators are able to detect them and stop them if they are used in attempts to compromise the security of company or public services. An IDS is able to detect them and warn the administrator. An IDS is also a small program that can be installed in a network.
IDS software is also available as GNU licensed software and a nice IDS is here:
http://www.snort.org/
Signature lists are also available and most of the time free of charge. Only the “latest” lists usually have to be paid for.
Updates
A very critical item on the systems we work on is updates. Security updates, patches, firmware updates and the like usually fix holes in the applications running on a system. A little issue with these is that the information on what is being fixed is usually publicly accessible for all to read. This means that if your computer is not updated to the new version, it has now become a public target for all kinds of threats. And an easy one, because the potential “leak” is published publicly on the net. I can’t hammer enough on this fact, even though it’s easily forgotten or not being checked when it’s “automated”.
Other means.
In areas other than the network, usually a good security design is all that is needed. One might think of segmented networks, a solid security plan for operating systems and network access by means of Active Directory and the policies it provides, the usage of the domain and local security policies, keen software development, the usage of virus scanners and anti-spyware tools, and good education of the employees in the risks of the internet and social engineering. Company policies like “clear desks” and refreshing passwords and the like all contribute to the overall security of the company’s data. All in all there are a lot of means that require only a little effort.
When considering security it quickly becomes painfully visible that the complexity is enormous. This little fact makes it impossible to keep focused on one area of expertise when security matters. Only if all involved areas are aware of the risks and problems while securing public services is it possible to throw up a wall in defense without an open door right in the middle. Solutions can and should be offered on all levels of expertise, depending on the value the information represents and the costs involved. Only then can we face the dangers of the World Wide Web without too much effort.
Regards,
Chris Gralike
System Engineer
AMIS Services.