Agenda
- Storing Passwords on the system
- Password Cracking on Windows and Linux
- Defenses against Password cracking
- Sniffing
- Defenses against Sniffing
- Address Resolution Protocol (ARP)
- Man in the Middle
Cracking Passwords
Passwords that can be guessed easily are a problem.
Lots of tools are available to figure out passwords:
- L0phtcrack: Windows password cracker
- John the Ripper: Unix password cracker
Default passwords remaining on a system are a typical vulnerability.
ECE 4883 - Internetwork Security
Password storage
Password files have passwords stored in a hashed or encrypted form.
- Hash algorithm example: Message Digest 4 (MD4)
- Encryption algorithm example: Data Encryption Standard (DES)
When you use your password, it is hashed or encrypted and then compared to the stored value.
Crackers use a downloaded local copy of the password file on their own machine.
Storing Passwords
Systems have a file with all hashed/encrypted passwords:
- Windows: SAM (Security Accounts Manager) database
- UNIX: /etc/passwd or /etc/shadow
Windows Passwords
The Security Accounts Manager (SAM) has two versions of each password:
- LanMan (LM) password version, for backward compatibility with Windows workgroups
- NT hash, a cryptographic hash for Windows NT/2000 (uses MD4)
The SAM file is in the \WINNT\system32\config\ directory; it is a binary file that is hard to read.
A backup copy is stored in \WINNT\repair.
Using Passwords
The system has a hashed/encrypted version of the password stored in a file. On a login attempt:
- the system hashes/encrypts the password typed in, using for example the crypt() function in Linux
- it compares the hashed/encrypted value to the stored hashed/encrypted value
The idea behind password cracking is to get a copy of the hashed/encrypted passwords and then make guesses, hash/encrypt each guess and compare.
Password Cracking
Dictionary Attack
- Hackers steal a copy of the stored password file
- Guess a password (may use a dictionary)
- Find the hash/encrypted value of the guess
- Compare the hash to entries from the stored file
- Continue this till success or out of options for password guesses
Brute Force
- Guess every possible combination of characters
Hybrid
- Use a dictionary but add characters to dictionary entries
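The guess-hash-compare loop above, worked through as an added example (not code from the lecture): a verify() function in the style of the crypt() check, and a weak-password audit an administrator runs over their own password file. It assumes SHA-256 as a stand-in for the fast hash (MD4 is often unavailable in OpenSSL builds) and a constructed three-user password file; the hash-operation count shows why a per-user salt forces the dictionary to be rehashed for every account instead of once.

```python
import hashlib
import os

# Added example, not from the lecture.  SHA-256 stands in for the fast
# unsalted hash of the slides (MD4 is often unavailable in OpenSSL builds).
def hash_unsalted(password):
    # Same input -> same output for every user, so one table serves all.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    # crypt()-style: a random per-user salt is stored beside the digest.
    salt = salt or os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"

def verify(stored, guess):
    # The login path: hash the typed guess the same way and compare.
    if "$" in stored:
        salt = stored.split("$", 1)[0]
        return hash_salted(guess, salt) == stored
    return hash_unsalted(guess) == stored

def dictionary_audit(pwfile, wordlist):
    """Weak-password audit run by an admin on their own password file (the
    same loop a cracker runs on a stolen copy).  Returns the accounts whose
    password is in the wordlist and the number of hash operations spent."""
    cracked, work = {}, 0
    # Unsalted entries: hash each word once and look every user up in it.
    table = {}
    for word in wordlist:
        table[hash_unsalted(word)] = word
        work += 1
    for user, stored in pwfile.items():
        if "$" not in stored:
            if stored in table:
                cracked[user] = table[stored]
            continue
        # Salted entries: every word has to be rehashed with this user's salt.
        for word in wordlist:
            work += 1
            if verify(stored, word):
                cracked[user] = word
                break
    return cracked, work

# Constructed sample password file: two unsalted users, one salted.
SAMPLE_PWFILE = {
    "alice": hash_unsalted("letmein"),
    "bob": hash_unsalted("Xk9#qL!2"),
    "carol": hash_salted("letmein", "deadbeef"),
}
SAMPLE_WORDLIST = ["password", "123456", "letmein", "admin"]
```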
L0phtCrack (lc4)
Some statistics (from the website)
- L0phtCrack obtained 18% of the passwords in 10 minutes
- 90% of the passwords were recovered within 48 hours on a Pentium II/300
- The Administrator and most Domain Admin passwords were cracked
Sniffing
Collect information being transmitted on the network.
The attacker must be either on the source, destination or an intermediate network.
Sniffed information can be stored/logged.
[Figure: hub-based LAN; the frame "Data A" is repeated out of every hub port, so the attacker's host receives a copy as well.]
Sniffit
Easy to use sniffer. Available at:
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
- Can be run in interactive mode
- Can be used to sniff traditional LANs
- For switched LANs, must be used with ARP cache poisoning tools
Sniffit
Conditions to use (from the Sniffit web page):
- You should be ROOT on your machine
- The machine has to be connected to a network
- You have to be allowed to sniff (ethical condition)
ethereal
From http://www.ethereal.com/:
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Source: www.ethereal.com
What is ARP?
Address Resolution Protocol
- Used to convert IP addresses to MAC addresses
- Low-level protocol
- Essential for inter-network communication
- Used in networks with broadcast capabilities; usually Ethernet
The figure shows the use of ARP when a computer is trying to contact another computer (sysa) on the same LAN using the ping program:
The ARP request includes:
- target machine (TARGET IP)
- IP address of the sender machine (SENDER IP)
- physical address of the sender (SENDER HA)
- physical address of the target machine (TARGET HA)
ARP Poisoning
Note: ARP is stateless, so a host accepts a reply it never asked for. The malicious computer (Machine C) can send an ARP Reply to A and cause A to associate B's IP with C's MAC address. This will cause all messages from A to B to go to C. Doing the same to B (associating A's IP with C's MAC) captures the other direction as well.
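An added example (not code from the lecture) that turns the two consequences of ARP being stateless into detection rules, in the spirit of arpwatch: it parses the 28-byte ARP body with the SENDER/TARGET HA and IP fields listed above, flags a reply that no request asked for, and flags a reply that rebinds an already-learned IP to a different MAC. The hosts A, B and C, their addresses and the three sample frames are constructed for the demonstration.

```python
import struct
from collections import namedtuple

# Added example, not part of the lecture: an arpwatch-style ARP monitor.
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
Arp = namedtuple("Arp", "op sender_ha sender_ip target_ha target_ip")

def build_arp(op, sender_ha, sender_ip, target_ha, target_ip):
    # 28-byte Ethernet/IPv4 ARP body (RFC 826); used to construct sample frames.
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_ha), ip(sender_ip), mac(target_ha), ip(target_ip))

def parse_arp(body):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(sha), ip(spa), mac(tha), ip(tpa))

class ArpWatch:
    """Flags unsolicited replies and replies that rebind a known IP to a new MAC."""
    def __init__(self):
        self.table = {}       # ip -> MAC learned from replies
        self.pending = set()  # ips with an outstanding request
        self.alerts = []

    def observe(self, body):
        a = parse_arp(body)
        if a.op == ARP_REQUEST:
            self.pending.add(a.target_ip)
        elif a.op == ARP_REPLY:
            if a.sender_ip in self.pending:
                self.pending.discard(a.sender_ip)
            else:   # ARP is stateless: the victim accepts this; the monitor flags it
                self.alerts.append(f"unsolicited reply: {a.sender_ip} is-at {a.sender_ha}")
            old = self.table.get(a.sender_ip)
            if old is not None and old != a.sender_ha:
                self.alerts.append(f"rebinding: {a.sender_ip} {old} -> {a.sender_ha}")
            self.table[a.sender_ip] = a.sender_ha

# Constructed sample: A asks for B, B answers, then C claims B's IP (poisoning).
A_IP, B_IP = "10.0.0.1", "10.0.0.2"
A_MAC, B_MAC, C_MAC = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP),
    build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP),
    build_arp(ARP_REPLY, C_MAC, B_IP, A_MAC, A_IP),
]
```

Feeding SAMPLE_FRAMES to ArpWatch().observe() in order produces two alerts for the third frame; a switch port that only ever sees its own host's MAC would raise the same rebinding signal from its CAM table.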
ARP Poisoning
C can now act as a middle man for all communications between A and B. C can decide which packets are forwarded and which are discarded. C can also alter the packets exchanged between A and B. This attack can act as a doorway to further attacks.
Session hijacking is useful in scenarios where one-time authentication is used (e.g. an RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is possible:
- Injection of commands to the server
- Emulation of fake replies to the client
- Insertion of malicious code into web pages or mail (JavaScript, trojans, viruses, etc.)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc.)
Attacks
The attacker can modify the payload of the packets by recalculating the checksum. The length of the payload can also be changed, but only in full-duplex (in this case the sequence number has to be adjusted).
Using Ettercap
This demonstration involves three hosts: attacker, victim, and target.
- attacker is the system used by the attacker for the hijack.
- victim is the system used by the victim for telnet client connections to the target system.
- target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running.
A simple diagram of the network shows the attacker and victim hosts are on the same network (which can be Ethernet switched and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.)
For the attack to succeed, the victim must use telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of a SecurID card, or other token based secondary authentication, is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.
The attack scenario can be as simple as:
1. Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or wide open "guest" style) accounts.
2. Attacker: Runs hunt as root on the attacking host. Waits for hunt to indicate a session has been detected (hunt will note a new session by changing its prompt from "->" to "*>").
3. Attacker: Starts the ARP relay daemon, prepares an RST daemon entry for use later, sets the option to enable host name resolution (for convenience).
4. Victim: Logs in to target using telnet. Runs pine to read/compose email.
5. Attacker: Sees new connection; lists active connections to see if this one is potentially "interesting." If it is, the attacker can either watch the session (packet sniffing) or hijack the session. Decides to hijack.
6. Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what to think. Tries web browser and notices that it still works fine (not a network problem). Not sure what to think.
7. Attacker: Finds this is a user session and decides to give it back (resynchronizes the TCP/IP stream).
8. Victim: Sees prompt for keystrokes, follows the request, gets the session back. Puzzled, decides to log in to the root account to take a closer look.
9. Attacker: Turns on the RST daemon to prevent new connections, waits to hijack the root session.
10. Victim: Runs ssu to get a SecurID protected root shell.
11. Attacker: Completes hijack after seeing root login.
12. Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before. Tries web browser again. Same thing. Tries getting a new telnet session. Fails. Tries ftp. Fails.
13. Attacker: Sets up backdoor, disables command history, resets session, turns off RST daemon.
14. Victim: Finally gets a new session. Original session is now gone. Assumes network outage or Windows TCP/IP stack corruption. Reboots system and everything is back to "normal".
15. Attacker: Waits for admin's sessions to all disappear (gone home for the night), then logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log files.
References
- http://alor.antifork.org/talks/MITMBHeu03.ppt
- http://www.csc.vill.edu/~fsalandr/netclass/cassel.ppt
- http://staff.washington.edu/dittrich/talks/qsm-sec/script.html