Friday, June 17, 2011

Hack The STACK USING SNORT ETHERIAL ALL 8 LAYERS



Introduction
“Everything old becomes new again.”The goal of this chapter is to take the well-known
Open Systems Interconnect (OSI) model and use it to present security topics in a new and
unique way. While each of the subsequent chapters focuses on one individual layer, this
chapter offers a high-level overview of the entire book.
Our Approach to This Book
This book is compiled of issues and concerns that security professionals must deal with on a
daily basis. We look at common attack patterns and how they are made possible. Many
attacks occur because of poor protocol design; others occur because of poor programming or
lack of forethought when designing code. Finally, the tools that are useful for identifying and
analyzing exploits and exposures are discussed—the tools you will return to time and time
again.

WARNING
Many of the tools discussed in this book can be used by both security profes-
sionals and hackers. Always make sure you have the network owner’s permis-
sion before using any of these tools, which will save you from many headaches
and potential legal problems.

Tools of the Trade

The following sections examine “protocol analyzers” and the Intrusion Detection Systems
(IDSes), which are the two main tools used throughout this book.
Protocol Analyzers
Protocol analyzers (or sniffers) are powerful programs that work by placing the host system’s
network card into promiscuous mode, thereby allowing it to receive all of the data it sees in
that particular collision domain. Passive sniffing is performed when a user is on a hub. When
using a hub, all traffic is sent to all ports; thus, all a security professional or attacker has to do
is start the sniffer and wait for someone on the same collision domain to begin transmitting
data. A collision domain is a network segment that is shared but not bridged or switched;
packets collide because users are sharing the same bandwidth.
Sniffing performed on a switched network is known as active sniffing, because it switches
segment traffic and knows which particular port to send traffic to. While this feature adds
much needed performance, it also raises a barrier when attempting to sniff all potential

switched ports. One way to overcome this impediment is to configure the switch to mirror a
port. Attackers may not have this capability, so their best hope of bypassing the functionality
of the switch is through poisoning and flooding (discussed in subsequent chapters).
Sniffers operate at the data link layer of the OSI model, which means they do not have
to play by the same rules as the applications and services that reside further up the stack.
Sniffers can capture everything on the wire and record it for later review.They allow user’s
to see all of the data contained in the packet. While sniffers are still a powerful tool in the
hands of an attacker, they have lost some of their mystical status as many more people are
using encryption.
The sniffer used in this book is called Ethereal, which is free and works well in both a
Windows and a Linux environment. (Chapter 3 provides a more in-depth review of how to
install and use Ethereal.) If you’re eager to start using Ethereal, more details about the pro-
gram can be found at http://www.ethereal.com. (Ethereal’s name has been changed to Wireshark.)
Intrusion Detection Systems
Intrusion detection systems (IDSes) play a critical role in protecting the Information
Technology (IT) infrastructure. Intrusion detection involves monitoring network traffic,
detecting attempts to gain unauthorized access to a system or resource, and notifying the
appropriate individuals so that counteractions can be taken.The ability to analyze vulnerabili-
ties and attacks with a sniffer and then craft a defense with an IDS is a powerful combination.
The IDS system used in this book is Snort, which can be used with both Linux and Windows
and has industry wide support.

NOTE
Intrusion detection has a short history. In 1983, Dr. Dorothy Denning began
developing the first IDS, which would be used by the U.S. government to ana-
lyze the audit trails of government mainframe systems.
Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. It’s a
lightweight, network-based IDS that can be set up on a Linux or Windows host. While the
core program uses a Command Line Interface (CLI), graphical user interfaces (GUIs) can
also be used. Snort operates as a network sniffer and logs activity that matches predefined
signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol
(IP),Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet
Control Message Protocol (ICMP).

Snort consists of two basic parts:
■ Header Where the rules “actions” are identified
■ Options Where the rules “alert messages” are identified
To learn more about Snort, go to http://www.Snort.org.

Organization of This Book
This book is arranged in the same manner as the layers of the OSI model, which was devel-
oped to provide organization and structure to the world of networking. In 1983, the
International Organization for Standardization (ISO) and the International Telegraph and
Telephone Consultative Committee (CCITT) merged documents and developed the OSI
model, which is based on a specific hierarchy where each layer builds on the output of each
adjacent layer (see ISO 7498).Today, it is widely used as a guide for describing the operation of
a networking environment, and also serves as a teaching model for hacks, attacks, and defenses.
The OSI model is a protocol stack where the lower layers deal primarily with hardware,
and the upper layers deal primarily with software.The OSI model’s seven layers are designed
so that control is passed down from layer to layer.The seven layers of the OSI model are
shown in Table 1.1

Table 1.1 The Seven-Layer OSI Model

Layer Responsibility
Application Application support such as File Transfer Protocol (FTP), Telnet, and
Hypertext Transfer Protocol (HTTP)
Presentation Encryption, Server Message Block (SMB), American Standard Code
for Information Interchange (ASCII), and formatting
Session Data flow control, startup, shutdown, and error detection/
correction
Transport End-to-end communications, UDP and TCP services
Network Routing and routable protocols such as IP and Open Shortest Path
First (OSPF). Path control and best effort at delivery
Data link Network interface cards, Media Access Control (MAC) addresses,
framing, formatting, and organizing data
Physical Transmission media such as twisted-pair cabling, wireless systems,
and fiber-optic cable
The OSI model functions as follows:
1. Information is introduced into the application layer and passed down until it ends
up at the physical layer.
2. Next, it is transmitted over the physical medium (i.e., wire, coax, or wireless) and
sent to the target device.
3. Once at the target device, it proceeds back up the stack to the application layer.
For this book, an eighth layer has been added to the OSI model that is called the
“people” layer (or “social” layer). Figure 1.1 shows the eight layers and interprets the services
of each.

NOTE
While the OSI model is officially seven layers, for the purposes of this book an
additional layer (layer 8 [the “people” layer]) has been added to better address
the different hacks and attacks that can occur in a networked environment.
Figure 1.1 Hack the Stack’s Eight Layers
The People Layer
Layer 8 is known as the people layer, and while not an official layer of the OSI model, it is an
important consideration; therefore, it has been added to the OSI model for this book. People
are often the weakest link. We can implement the best security solutions known at the lower
layers of the OSI model and still be vulnerable through people and employees. Social engi-
neering, phishing, phreaking, and dumpster diving are a few of the ways these attacks can be
carried out.

The Application Layer
Layer 7 is known as the application layer. Recognized as the official top layer of the OSI
model, this layer serves as the window for application services. Layer 7 is not the actual
application, but rather the channel through which applications communicate.
The Presentation Layer
Layer 6 is known as the presentation layer.The main purpose of the presentation layer is to
deliver and present data to the application layer.This data must be formatted so that the
application layer can understand and interpret it.The presentation layer is responsible for
items such as:
■ Encryption and decryption of messages
■ Compression and expansion of messages, format translation
■ Handling protocol conversion

The Session Layer
Layer 5 is known as the session layer. Its purpose is to allow two applications on different
computers to establish and coordinate a session. It is also responsible for managing the ses-
sion while information and data are being moved. When a data transfer is complete, the ses-
sion layer tears down the session. Session-layer protocols include:
■ Remote Procedure Call (RPC)
■ Structured Query Language (SQL)



The Transport Layer
Layer 4 is known as the transport layer. Whereas the application, presentation, and session
layers are primarily concerned with data, the transport layer is focused on segments.

Depending on the application protocol being used, the transport layer can send data either
quickly or reliably.Transport layer responsibilities include end-to-end error recovery and flow
control.The two primary protocols found on this layer include:
■ TCP A connection-oriented protocol; provides reliable communication using
handshaking, acknowledgments, error detection, and session teardown
■ UDP A connectionless protocol; offers speed and low overhead as its primary
advantage


The Network Layer
Layer 3 is known as the network layer, which is tied to software and deals with packets.The
network layer is the home of the IP, which offers best effort at delivery and seeks to find the
best route from the source to the target network. Network-layer components include:
■ Routers
■ Stateless inspection/packet filters


The Data Link Layer
Layer 2 is known as the data link layer and is focused on traffic within a single local area net-
work (LAN).The data link layer formats and organizes the data before sending it to the
physical layer. Because it is a physical scheme, hard-coded Mandatory Access Control (MAC)
addresses are typically used.The data link layer organizes the data into frames. When a frame
reaches the target device, the data link layer strips off the data frame and passes the data
packet up to the network layer. Data-link-layer components include:
■ Bridges
■ Switches
■ Network Interface Card (NIC)
■ MAC addresses


The Physical Layer
Layer 1 of the OSI model is known as the physical layer. Bit-level communication takes place
at layer 1. Bits have no defined meaning on the wire; however, the physical layer defines how
long each bit lasts and how it is transmitted and received. Physical layer components include
copper cabling, fiber cabling, wireless system components, and Ethernet hubs.The physical
layer in this book has been extended to include:

Perimeter security

■ Device Security
■ Identification and authentication
Common Stack Attacks
A range of exploits can be launched in any stack-based system. For this book, we followed
the stack-based approach of arranging the various attacks into a logical order for discussion
of the risks and potential solutions. Let’s look at some of the attacks and the layers where
they can be found.

The People Layer (SOCIAL ENGINERING)
One of the biggest threats at this layer is social engineering, because it targets people. Some
organizations spend a fortune on technical controls but next to nothing on training and edu-
cating employees on security processes and procedures. Attackers use various techniques
(e.g., trust) to trick individuals into complying with their wishes. As with other types of
attacks, the bulk of the work of a social engineering attack is doing the reconnaissance and
laying the groundwork.The attack itself usually takes on one of the following angles:
■ Diffusion of Responsibility I know the policy is not to give out passwords, but
I will take responsibility for this.
■ Identification We both work for the same company; this benefits everyone.
■ Chance for Ingratiation This is a win-win situation.The company is going to
reward you for helping me in this difficult situation.
■ Trust Relationships Although I am new here, I am sure I have seen you in the
break room.
■ Cooperation Together we can get this done.
■ Authority I know what the policy is; I drafted those policies and I have the right
to change them.
Another threat at the people layer is dumpster diving. Many companies throw out an
amazing amount of stuff (e.g., old hardware, software, post-it pads, organizational charts,
printouts of names and passwords, source code, memos and policy manuals). All of these
items offer a wealth of information to an attacker.
The Application Layer
Most of the applications listed in this section are totally insecure because they were written
for a different time. At the beginning of the networked world, most systems were mainframes

that were locked in government and business buildings.There were no Category 5 cables
interconnecting every office in the building, and no open wireless access points were being
broadcast from the apartment next door. Suppressing passwords and other critical informa-
tion on the monitor was considered robust enough to protect information and data. Here’s a
short list of some of the insecure applications and high-level protocols:

■ FTP FTP is a TCP service that operates on ports 20 and 21 and is used to move
files from one computer to another. Port 20 is used for the data stream, and trans-
fers the data between the client and the server. Port 21 is the control stream, and is
used to pass commands between the client and the FTP server. Attacks on FTP
target misconfigured directory permissions and compromised or sniffed cleartext
passwords. FTP is one of the most commonly hacked services.

■ Telnet Telnet is a TCP shell service that operates on port 23.Telnet enables a
client at one site to establish a session with a host at another site.The program
passes the information typed at the client’s keyboard to the host computer system.
While Telnet can be configured to allow anonymous connections, it should also be
configured to require usernames and passwords. Unfortunately, even then,Telnet
sends them in cleartext. When a user is logged in, he or she can perform any
allowed task.

■ Simple Mail Transfer Protocol (SMTP) This application is a TCP service that
operates on port 25, and is designed to exchange electronic mail between net-
worked systems. Messages sent through SMTP have two parts: an address header
and the message text. All types of computers can exchange messages with SMTP.
Spoofing and spamming are two of the vulnerabilities associated with SMTP.

■ Domain Name Service (DNS) This application operates on port 53, and per-
forms address translation. DNS converts fully qualified domain names (FQDNs)
into a numeric IP address and converts IP addresses into FQDNs. DNS uses UDP
for DNS queries and TCP for zone transfers. DNS is subject to poisoning and if
misconfigured, can be solicited to perform a full zone transfer.

■ Trivial File Transfer Protocol (TFTP) TFTP operates on port 69, and is a
connectionless version of FTP that uses UDP to reduce overhead and reliability. It
does so without TCP session management or authentication, which can pose a big
security risk. It is used to transfer router configuration files and to configure cable
modems. People hacking those cable modems are known as uncappers.

■ Hypertext Transfer Protocol (HTTP) HTTP is a TCP service that operates
on port 80. HTTP helped make the Web the popular service that it is today.The
HTTP connection model is known as a stateless connection. HTTP uses a request
response protocol where a client sends a request and a server sends a response.
Attacks that exploit HTTP can target the server, browser, or scripts that run on the
browser. Nimda is an example of the code that targeted a Web server.

■ Simple Network Management Protocol (SNMP) SNMP is a UDP service
that operates on ports 161 and 162, and was designed to be an efficient and inex-
pensive way to monitor networks.The SNMP protocol allows agents to gather
information (e.g., network statistics) and report back to their management stations.
Some of the security problems that plague SNMP are caused by the fact that com-
munity strings are passed as cleartext and the default community strings
(public/private) are well known. SNMP version 3 is the most current and offers
encryption for more robust security.

The Session Layer

There is a weakness in the security controls at the presentation and session layers. Let’s look at
the Windows NT LanMan (NTLM) authentication system. Originally developed for
Windows systems and then revised for Windows NT post service pack 2 systems, this secu-
rity control proved to be an example of weak encryption (i.e., many passwords encrypted
with this system could be cracked in less than 1 second because of the way Microsoft stored
the hashed passwords). An NTLM password is uppercase, padded to 14 characters, and
divided into seven character parts.The two hashed results are concatenated and stored as a
LAN Manager (LM) hash, which is stored in the SAM.The session layer is also vulnerable to
attacks such as session hijacking. Network Basic Input/Output System (NetBIOS) is another
service located in this area of the stack. (Subsequent chapters go into greater detail regarding
the various types of encryption (e.g., hashing).
NetBIOS was developed for IBM and adopted by Microsoft, and has become and
industry standard. It allows applications on different systems to communicate through the
LAN. On LANs, hosts using NetBIOS systems identify themselves using a 15-character
unique name. Since NetBIOS is non-routable, Microsoft adapted it to run over Transmission
Control Protocol/Internet Protocol (TCP/IP). NetBIOS is used in conjunction with SMB,
which allows for the remote access of shared directories and files.This key feature of
Windows makes file and print sharing and the Network Neighborhood possible. It also
introduced other potential vulnerabilities into the stack by giving attackers the ability to
enumerate systems and gather user names and accounts, and share information. Almost every
script kiddie and junior league hacker has exploited the net use command.
The Transport Layer
The transport layer is rife with vulnerabilities, because it is the home of UDP and TCP.
Because UDP is connectionless, it’s open for attackers to use for a host of denial of service
(DoS) attacks. It’s also easy to spoof and requires no confirmation.TCP is another used and
abused protocol. Port scanning and TCP make the hacker trade possible. Before a hacker can
launch an attack, he or she must know what is running and what to target.TCP makes this
possible. From illegal flag settings, NULL, and XMAS, to more common synchronous (SYN)
and reset (RST) scans,TCP helps attackers identify services and operating systems.

Extending OSI to Network Security

At the network level are services such as IP and ICMP. IPv4 has no security services
built in, which is why Secure Internet Protocol (IPSec) (a component of IPv6) was devel-
oped. Without IPSec, IP can be targeted for many types of attacks (e.g., DOS), abused
through source routing, and tricked into zombie scanning “IPID Scan.” While ICMP was
developed for diagnostics and to help with logical errors, it is also the target of misuse.
ICMP can be used to launch Smurf DoS attacks or can be subverted to become a covert
channel with programs such as Loki.

The Data Link Layer
The dangers are real at the data link layer. Conversion from logical to physical addressing
must be done between the network and data link layers. Address Resolution Protocol (ARP)
resolves logical to physical addresses. While critical for communication, it is also used by
attackers to bypass switches and monitor traffic, which is known as ARP poisoning. Even
without ARP poisoning, passive sniffing can be a powerful tool if the attacker positions him-
self or herself in the right place on the network.

The Physical Layer
An attacker gaining access to the telecommunications closet, an open port in the conference
room, or an unused office, could be the foothold needed to breach the network or, even
worse, gain physical access to a server or piece of equipment. It’s a generally accepted fact
that if someone gains physical access to an item, they can control it.The Cisco site provides a
page that explains how to reset the password and gain entry into a Cisco device
(http://www.cisco.com/warp/public/474/psw...500.html). Figure 1.2 lists each layer of the
stack and many of the common attacks and vulnerabilities found at those layers.

Any one Want Whole Book then tell me I will mail you

No comments: