Intrusion Detection Systems FAQ

Last updated: Feb 01, 2005

FAQ: Part One (contents)

  • What are hackers and crackers?
  • What are whitehats and blackhats?
  • How do intruders get passwords?
  • What is a typical intrusion scenario?
  • What are some common “intrusion signatures”?
  • What are some common exploits?
  • What honeypot products are available?
  • What are the disadvantages of a honeypot?
  • What are the advantages of a honeypot?
  • What is a honeypot?
  • What are the limitations of a network based IDS?
  • Why do I need IDS if I already have a firewall?
  • What intrusion detection systems are available?
  • What is Snort?
  • How do I collect enough evidence about the hacker?
  • What are the main things to do to secure a Win NT/2000/XP system?
  • How are intrusions detected?
  • Where can I find some Statistics on intrusions?
  • What is a DDoS (Distributed Denial of Service) attack?
  • What are the types of DoS (Denial of Service) attacks?
  • What is a Denial of Service attack?
  • What are some host/service discovery methods?
  • How do systems get hacked?
  • What are the legal implications of honeypots?

FAQ: Part One 

What are hackers and crackers?

An intruder is also referred to as a hacker or a cracker. A hacker is basically someone who hacks a system – he could do this because he finds it interesting or because he wants to access your system. In the latter case he would be a cracker.
In any case, hackers and crackers are both intruders and can be classified as external or internal intruders (outsiders or insiders).
Outsiders: intruders from outside your network. They attack your web servers and email servers and may also attempt to bypass the firewall to attack machines on the internal network. Outside intruders may come from the Internet, dial-up lines, physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
Insiders: intruders that are using your internal network legitimately. These include users who misuse privileges or who attempt to get higher rights or use another user’s privileges. Internal intruders are often overlooked – yet most security breaches (80%) are done by insiders.

What are whitehats and blackhats?

Hackers are often categorized as either Whitehat or Blackhat. Both Whitehats and Blackhats have the know-how to penetrate a system, but their motives are different. A whitehat’s aim is to learn a system’s loopholes in order to secure the system. On the other hand, blackhats make use of this knowledge for personal gain and other selfish and unethical purposes.
Some computer security consultants are described as Whitehat, while “script kiddies” are sometimes described as Blackhat. Script kiddies are less sophisticated hackers who launch attacks against computer systems such as port scanning, defacing a website or launching a Denial of Service attack.

How do intruders get passwords?

Intruders get passwords in various ways. These are some of the most popular methods used by hackers today:
Sniffing: Data passing over Ethernet or wireless networks can usually be intercepted. This is done using a protocol analyzer, which sets the network card to promiscuous mode – meaning that it passes all data on the network to the operating system without filtering. Passwords are typically “sniffed” off clear text protocols such as POP3, FTP and Telnet. In these cases passwords flow through the network without any encryption. Many newer protocols make use of encryption. Although encryption makes the task of sniffing passwords more difficult, it is still possible to recover passwords from the encrypted data by means of dictionary and brute force attacks.
Sniffing is a very effective method for hackers and attackers since it is usually a passive attack and therefore more stealthy and more difficult to detect.
Replay attack: In some cases, intruders do not need to decrypt the password. They can use the encrypted form instead in order to login to systems. Tools are also available to make this kind of attack easier. This kind of attack is very popular against web applications.
Password file stealing: System passwords are usually stored in files or in the Windows registry. On Windows NT, 2000 and XP, the passwords are stored in encrypted form in the SAM file. On UNIX systems the passwords are usually stored in /etc/passwd or /etc/shadow. Once an attacker gets his hands on the password file he can launch a dictionary or brute force attack against the encrypted passwords.
Observation: A very well known and traditional password stealing attack is dubbed “shoulder surfing” – which is basically when an intruder watches someone type in a password. Observation can also be done by going through a victim’s personal objects. Typically passwords are written on small pieces of paper – and can also be written on sticky notes attached to the monitor itself!
Social Engineering: Many successful hackers and attackers make use of human weaknesses – one such well-known hacker is Kevin Mitnick. A common (successful) technique is to simply call the user and say, “Hi, this is Bob from Some-Company. We have problems within the network and they appear to be coming from your machine. Can you give me your password?” Many users will happily supply this sensitive information without thinking twice.
Default Passwords: Sometimes it is not even necessary to guess passwords, since the system may still have the default passwords set by the vendor. A lot of network devices such as switches and hardware routers ship with default passwords, allowing an attacker to gain access easily.

What is a typical intrusion scenario?

A typical scenario might be:

  1. Information gathering
     An attacker will normally start by finding out as much information as possible about his target. At this point the attacker will want to be as stealthy as possible and will usually make use of less direct methods. These include whois lookups and DNS zone transfers, as well as normal browsing of websites to gather e-mail addresses and similar useful information belonging to the target.
  2. Further information gathering
     In an attempt to gather more information an attacker will usually perform ping sweeps and port scans, and check web servers for vulnerable CGI scripts. The intruder will also check the versions of the applications and services running on your host – normally done using banner grabbing techniques. Typically banner grabbing consists of connecting to a service (for example SMTP on port 25) and parsing the response. The response usually contains the version of the application, or a pattern typical of that application. A good IDS will catch some of this activity.
  3. Attack!!
     Having a list of possible loopholes, the intruder will start trying out different attacks on the system. He will for example try to launch the UNICODE attack if he previously found out that the target has IIS installed. Apart from launching exploits for well known vulnerable software, a typical attacker will also try to find misconfigured running services. For example he will try to guess passwords for known users on the system.
  4. Successful intrusion
     After a successful intrusion, attackers will usually install their own backdoors in the system and delete log files in order to hide their tracks. They may install ‘toolkits’ such as rootkits that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts. System integrity checkers such as Tripwire have the task of detecting this kind of activity and alerting the administrator. From here an attacker will usually launch further attacks on other hosts, especially those that are trusted by the compromised machine.
  5. Fun and profit
     Different classes of system intruders have different goals. Some steal confidential information such as credit cards, passwords etc., while others just use the compromised host to launch further attacks on other sites (such as DDoS attacks). A few others will just deface a website.

A growing trend is a different pattern of attack. Intruders are increasingly scanning internet addresses at random, looking for one specific hole or a small number of holes. For example an intruder may scan for hosts having port 80 open and running a misconfigured / unpatched IIS server. Attackers will make a list of the vulnerable hosts and then launch attacks against each one of them.

What are some common “intrusion signatures”?

There are three types of attacks:
Information gathering:

  • Network mapping – ping sweeps
  • DNS zone transfers
  • E-mail recons
  • TCP or UDP port scans – Enumeration of services
  • Indexing of public web servers to find web server and CGI holes.
  • OS fingerprinting

Exploits: Attackers make use of vulnerabilities in target servers or misconfiguration on the system/network.
Denial-of-service (DoS) attacks: An attempt to break the system and make it inaccessible to other users. Intruders will attempt to crash a service or machine, or to overload network or hardware resources, for example by saturating the links or the CPU, or by filling up the disk.

What are some common exploits?

CGI scripts
CGI scripts are server-side programs which generate dynamic web sites. A typical CGI script is formmail.cgi, which allows users to send e-mails to the website administrator without making use of an e-mail client. Other attacks that make use of CGI scripts include cross site scripting, SQL command injection, and path traversal.
Web server attacks
Many times the web server itself has security holes. Both Apache on UNIX and IIS on Windows NT have their share of root or SYSTEM vulnerabilities. An unpatched IIS 5 is vulnerable to the UNICODE directory traversal attack, where attackers are able to execute files such as CMD.exe to gain a remote shell. Another common bug is a buffer overflow in the request field or in one of the other HTTP fields.
Web browser attacks
Most modern web browsers have a series of security loopholes. Typical software vulnerabilities like format string and buffer overflow attacks are also found in http clients (such as Internet Explorer and Netscape). Active Content such as JavaScript, Java, ActiveX and HTML itself can also pose a security risk.

  • HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information. A well-known exploit for IE consists of encapsulating HTTP headers within an EML file and launching an executable embedded within the EML file.
  • HTML can often be exploited through buffer overflows. Internet Explorer 6, as well as previous versions of IE and Netscape, were found to be vulnerable to this kind of attack using different HTML tags with long strings as attributes.
  • JavaScript is well known to be the prime cause of security loopholes within web browsers. Likewise with VBScript and any other type of active scripting. These functions are generally run in a sandbox environment; however, from time to time hackers find new ways to escape the sandbox and execute code, read sensitive files etc.
  • Frames and iframes are often used in conjunction with Active Scripting (JavaScript, ActiveX, VBScript) exploits. However they are sometimes also used as a social engineering exploit to fake legitimate sites.
  • Java was built with a strong security model by making use of sandbox technology. However third parties have implemented their own versions, which can introduce bugs and flaws. Normal Java applets have no access to the local system, but sometimes they would be more useful if they did have local access. Hence the implementations of “trust” models, which can be hacked more easily.
  • ActiveX is even more dangerous than Java as it works purely from a trust model and runs native code. The trust model consists of either allowing the ActiveX application to run on the client machine, or not. Unlike Java, the ActiveX model has no way to limit the application to certain functions only. As a security precaution ActiveX components generally have to be digitally signed. The signature assures the customer that the producer of the ActiveX component is legitimate, but not that the ActiveX component is safe to install.

Access Auditing
Operating Systems usually support logging of failed login attempts, failed file access and attempts to perform administrative tasks especially by non-administrative user accounts.
POP3 and IMAP servers are known to contain exploitable bugs just like any other software. Apart from that, an attacker can launch an attack in order to guess the password of a specific email address.
IP spoofing
A good number of attacks make use of a changed source IP address. The TCP/IP protocol has no way to check whether the source IP address in the packet header actually belongs to the machine sending it. Some of the attacks which take advantage of IP spoofing are:

  • SMURF Attack
    A broadcast ping is sent with the source IP of the ping set to the victim’s IP address. A huge number of computers will then respond and send a ping reply to the victim. When this is repeated, the victim’s machine or link will get overloaded, causing a Denial of Service.
  • TCP sequence number prediction
    A TCP connection is assigned a sequence number for the client and for the server. If the sequence number is predictable, intruders can create packets with forged IP addresses and guess the sequence number to hijack TCP connections.
  • DNS poisoning through sequence prediction
    DNS servers usually query other DNS servers to resolve names for other hosts. An attacker will send a request to the victim DNS server as well as a forged response to the same server. This way the attacker can make clients that try to resolve that name point to his servers.

Buffer Overflows
Some common buffer overflow attacks are:

  • Buffer overruns in major web servers
    Both Apache and IIS have well known vulnerabilities. Worms such as Code Red (for IIS) and Linux.Slapper (for Apache) make use of such vulnerabilities to spread.
  • DNS overflow
    Some of the older DNS servers (BIND) are vulnerable to overflows. A typical attack would be to supply an overly long DNS name to the server. DNS names are limited to 64 bytes per subcomponent and 256 bytes overall.
  • DNS attacks
    DNS servers are usually trusted by services and users – meaning that compromising a DNS server can lead to further attacks on end users and other services. This makes DNS servers a prime target for hacker attacks.
  • DNS cache poisoning
    This is a very common attack on DNS servers. In simple terms it works by sending a question to resolve a given domain (“Who is”) and providing the answer with false information (“ is”).

What honeypot products are available?

Fred Cohen’s Deception Toolkit

What are the disadvantages of a honeypot?

  • If the system does indeed get hacked, it can be used as a stepping-stone to further compromise the network.
  • Some people believe that since honeypots lure hackers in, that legal rights to prosecute hackers are reduced. This is a misconception, because honeypots are not active lures — they do not advertise themselves. A hacker can only find a honeypot in the first place by running search programs on a network.
  • Honeypots add complexity. In security, complexity is bad: it leads to increased exposure to exploits.
  • Honeypots must be maintained just like any other networking equipment/services. This leads many people to turn them off after a while. You think that a 486 running RedHat Linux 4.2 that you set up 2 years ago doesn’t require maintenance, but in reality it does. How do you know the logging is working right? What do you do when a new network management platform or vulnerability assessment system starts being used and alarms start going off? What do you do when alarms stop coming in because a hacker has compromised the system and is using it to launch other attacks against you (or worse, back out to the Internet)?

What are the advantages of a honeypot?

  • An early alarm that will trip only upon hostile activity. Network intrusion detection systems have a problem distinguishing hostile traffic from benign traffic. Isolated honeypots have a much easier time because they are systems that should not normally be accessed. This means that all traffic to a honeypot system is already suspect. Network management discovery tools and vulnerability assessment tools still cause false positives, but honeypots otherwise give a better detection rate.
  • A hostile-intent assessment system. Honeypots often present themselves as easily hacked systems. One of the most common things hackers do is scan the Internet doing “banner checks”. The honeypot can be set up to provide a banner that looks like a system that can easily be hacked, then to trigger if somebody actually attempts the hack. For example, the POP3 service reports the version of the software. Several versions of well-known packages have buffer-overflow holes. A hacker connects to port 110, grabs the version info from the banner, then looks up the version in a table that points to which exploit script can be used to break into the system.

What is a honeypot?

While not strictly sniffer-based intrusion detection systems, honeypots still process network protocols in much the same ways. Therefore, I’ve decided to add this section to my FAQ.
Deception systems (a.k.a. decoys, lures, fly-traps, honeypots) contain pseudo-services whose goal is to emulate well-known holes in order to trap hackers. See The Deception ToolKit for an example. Simple tricks can also be used, such as renaming the “administrator” account on NT and then setting up a dummy account with no rights and extensive auditing. There is more on “deception” later in this document. Also see
A honeypot is a system designed to look like something that an intruder can hack. Examples can be:

  • Installing a machine on the network with no particular purpose other than to log all attempted access.
  • Installing an older unpatched operating system on a machine. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the machine, and further track what the intruder attempts to do with the system once it is compromised.
  • Installing special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing them access.
  • Any existing system can be “honeypot-ized”. For example, on WinNT, it is possible to rename the default “administrator” account, then create a dummy account called “administrator” with no password. WinNT allows extensive logging of a person’s activities, so this honeypot will track users attempting to gain administrator access and exploit that access.

What are the limitations of a network based IDS?

A network based Intrusion Detection System has two big limitations:
Switched networks – A network based IDS must be able to see all network traffic of the network that it is protecting. If a network uses a switch (most do nowadays) a sniffer will not be able to see all the network traffic. This usually means that you would deploy a network based IDS at the gateway only, i.e. on your Internet connection. However this does not protect you from internal attacks.
High Speed – Modern networks are so fast, that an Intrusion Detection system has a hard time keeping up.

Why do I need IDS if I already have a firewall?

A common misunderstanding is that firewalls recognize attacks and block them. This is not true.
Firewalls are simply a device that shuts off everything, and then turns back on only a few well-chosen items. In a perfect world, systems would already be “locked down” and secure, and firewalls would be unneeded. The reason we have firewalls is precisely because security holes are left open accidentally.
Thus, when a firewall is installed, the first thing it does is stop ALL communication. The firewall administrator then carefully adds “rules” that allow specific types of traffic to go through the firewall. For example, a typical corporate firewall allowing access to the Internet would stop all UDP and ICMP datagram traffic, stop incoming TCP connections, but allow outgoing TCP connections. This stops all incoming connections from Internet hackers, but still allows internal users to connect in the outgoing direction.
A firewall is simply a fence around your network, with a couple of well-chosen gates. A fence has no capability of detecting somebody trying to break in (such as digging a hole underneath it), nor does a fence know if somebody coming through the gate is allowed in. It simply restricts access to the designated points.
In summary, a firewall is not the dynamic defensive system that users imagine it to be. In contrast, an IDS is much more of that dynamic system. An IDS does recognize attacks against the network that firewalls are unable to see.
For example, in April of 1999, many sites were hacked via a bug in ColdFusion. These sites all had firewalls that restricted access only to the web server at port 80. However, it was the web server that was hacked. Thus, the firewall provided no defense. On the other hand, an intrusion detection system would have discovered the attack, because it matched the signature configured in the system.
Another problem with firewalls is that they are only at the boundary to your network. Roughly 80% of all financial losses due to hacking come from inside the network. A firewall at the perimeter of the network sees nothing going on inside; it only sees that traffic which passes between the internal network and the Internet.
Some reasons for adding IDS to your firewall are:

  • Double-checks misconfigured firewalls.
  • Catches attacks that firewalls legitimately allow through (such as attacks against web servers).
  • Catches attempts that fail.
  • Catches insider hacking.

“Defense in depth, and overkill paranoia, are your friends.” (quote by Bennett Todd). Hackers are much more capable than you think; the more defenses you have, the better. And they still won’t protect you from the determined hacker. They will, however, raise the bar on determination needed by the hackers.

What intrusion detection systems are available?

A list of intrusion detection systems is provided on a separate page.

What is Snort?

Snort is a freeware network intrusion detection system. It runs on Linux and has become one of the most effective network based intrusion detection systems around. However, snort requires a fair amount of both Linux and networking knowledge.

How do I collect enough evidence about the hacker?

An interesting field of IDS is collecting enough information about the incident to identify the hacker. This can be very hard because truly elite hackers will be bouncing their attacks from another compromised system. Hackers will also often employ IP address spoofing, which may appear as if attacks are coming from machines that aren’t even turned on.
As far as I can tell, the best technique is to collect as much information as you can. For example, I’ve put a packet sniffer on our T-1 line, capturing to trace files on a 16-gigabyte disk (almost any sniffing program on most platforms can do this). You may not think it fun, but I enjoy perusing these files. It’s amazing how many TCP/UDP scans and other probes I see on a regular basis.
Likewise, you should make sure you have full auditing and logging enabled on any/all systems exposed to the Internet. These will help you figure out what happened when you were hacked.

What are the main things to do to secure a Win NT/2000/XP system?

The following list gives items that make WinNT more secure, covering detection as well as prevention. They are roughly listed in order of importance.

  1. Install the latest service packs and “hot fixes”.
  2. Use NTFS instead of FAT. NTFS allows permissions to be set on a per-file/per-directory basis and allows auditing on a per-file/per-directory basis.
  3. Rename the “administrator” account. A common attack is to use a Dictionary or brute force attack on the “administrator” account.
  4. Create a new account named “administrator” for detecting intrusion attempts.
  5. Disable the “guest” account. You may also want to rename this account (much like “administrator”). Once you’ve renamed the “guest” account, you may want to create a new account named “guest” for detecting hacking attempts.
  6. Turn on auditing for “HKEY_LOCAL_MACHINE\Security” in order to detect remote registry browsing.
  7. Enable “Password Protected” on the screensaver.
  8. Turn off automatic sharing of ADMIN$, C$, D$, etc. via the “AutoShare” parameter in the registry. This parameter is under “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters”, and is “AutoShareServer” for WinNT Server or “AutoShareWks” for WinNT Workstation. This is a DWORD, with a value of ‘1’ for enabled (default), or a value of ‘0’ for disabled. You will have to add the value yourself because it doesn’t already exist in the registry.

How are intrusions detected?

Anomaly detection
The most common way people approach network intrusion detection is to detect statistical anomalies. The idea behind this approach is to measure a “baseline” of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies.
For example, let’s say that you monitor the traffic from individual workstations. Then, the system notes that at 2am, a lot of these workstations start logging into the servers and carrying out tasks. This is something interesting to note and possibly take action on.
Signature recognition
The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack. This means that for every hacker technique, the engineers code something into the system for that technique.
This can be as simple as a pattern match. The classic example is to examine every packet on the wire for the pattern “/cgi-bin/phf?”, which might indicate somebody attempting to access this vulnerable CGI script on a web server. Some IDS systems are built from large databases that contain hundreds (or thousands) of such strings. They just plug into the wire and trigger on every packet they see that contains one of these strings.
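The two approaches above, as an added example that is not part of the original FAQ: a small signature table matched against packet payloads (the FAQ's “/cgi-bin/phf?” string plus the IIS UNICODE traversal and CMD.exe it mentions elsewhere), and a baseline-and-deviation check over per-hour login counts for the 2am login burst. The signature names, the Packet record and all traffic and login figures are constructed for the example.

```python
"""Signature recognition and statistical anomaly detection, as described in
the FAQ. All packets and login counts below are constructed sample data."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

# --- Signature recognition --------------------------------------------------
# A tiny "signature database": byte patterns the FAQ names as indicative of
# an attack, keyed by a made-up rule name.
SIGNATURES = {
    "phf-cgi-probe": b"/cgi-bin/phf?",
    "iis-unicode-traversal": b"..%c0%af",   # overlong UTF-8 "/" used in the IIS traversal
    "cmd-exe-request": b"cmd.exe",
}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def match_signatures(pkt: Packet) -> List[str]:
    """Return the names of every signature whose pattern occurs in the payload.
    Matching is case-insensitive: the Windows file system is, so CMD.EXE and
    cmd.exe reach the same binary."""
    lowered = pkt.payload.lower()
    return [name for name, pat in SIGNATURES.items() if pat.lower() in lowered]

def scan_packets(packets: List[Packet]) -> List[str]:
    """One alert line per (packet, signature) hit, in arrival order."""
    alerts = []
    for pkt in packets:
        for name in match_signatures(pkt):
            alerts.append(f"{pkt.src} -> {pkt.dst}:{pkt.dport} matched {name}")
    return alerts

# --- Anomaly detection ------------------------------------------------------
def hourly_baseline(history: Dict[int, List[int]]) -> Dict[int, tuple]:
    """history maps hour-of-day -> login counts observed on past days.
    Returns hour -> (mean, population standard deviation)."""
    return {h: (mean(c), pstdev(c)) for h, c in history.items()}

def anomalous_hours(baseline, observed: Dict[int, int],
                    min_sigma: float = 3.0, min_abs: int = 5) -> List[int]:
    """Flag hours whose observed login count exceeds the baseline mean by more
    than min_sigma standard deviations. min_abs guards the zero-variance case
    (always 0 logins at 2am), where a single login would otherwise be an
    infinite-sigma event: the excess must also be at least min_abs logins."""
    flagged = []
    for hour, count in sorted(observed.items()):
        mu, sigma = baseline.get(hour, (0.0, 0.0))
        excess = count - mu
        if excess >= min_abs and excess > min_sigma * sigma:
            flagged.append(hour)
    return flagged

# --- Constructed sample data -----------------------------------------------
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("192.0.2.7", "10.0.0.80", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    Packet("192.0.2.7", "10.0.0.80", 80,
           b"GET /scripts/..%c0%af../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
]

# Seven days of login counts for a workstation group, for three hours of the day.
SAMPLE_HISTORY = {
    2:  [0, 0, 0, 0, 0, 0, 0],          # nobody logs in at 2am
    9:  [40, 42, 38, 45, 41, 39, 44],   # normal morning logins
    14: [20, 22, 19, 25, 21, 18, 23],
}
SAMPLE_TODAY = {2: 17, 9: 43, 14: 24}   # 17 logins at 2am is the FAQ's scenario

if __name__ == "__main__":
    for line in scan_packets(SAMPLE_PACKETS):
        print("SIGNATURE:", line)
    for hour in anomalous_hours(hourly_baseline(SAMPLE_HISTORY), SAMPLE_TODAY):
        print(f"ANOMALY: unusual login volume at {hour:02d}:00")
```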

Where can I find some Statistics on intrusions?

Internet Storm Center
Reports trends in the ports and services being scanned, collecting intrusion detection log entries to detect new malicious activity.
CERT Reports, Articles, and Presentations
CERT has a number of historical statistics on intrusions, but they aren’t nearly as up-to-date as the NIPC.

What is a DDoS (Distributed Denial of Service) attack?

A Distributed Denial of Service attack consists of launching a Denial of Service attack from a good number of sites against a single host. Such an attack is generally more effective at bringing down huge corporate sites than a plain DoS attack. A typical DDoS attack consists of master, slaves and victim – the master being the attacker, the slaves being the compromised systems and the victim of course being the attacker’s target. Once the attacker sends a specific command to the slave or zombie systems, the attack is launched.

What are the types of DoS (Denial of Service) attacks?

Three generic DoS methods stand out as particularly dangerous: Smurf or Fraggle, SYN Flood, and DNS attacks.
Smurf / Fraggle
The Smurf / Fraggle attack is one of the most devastating DoS attacks. It uses bandwidth consumption to disable a system’s network resources, amplifying the attacker’s bandwidth. Three actors participate in the attack: the attacker, the victim, and the amplifying network. The attacker sends a ping request to the amplifying network with the victim’s address as the return address. If the amplifying network has 100 systems, the signal can be amplified 100 times. It is easy to see how a Smurf attack can be launched by an attacker with relatively low bandwidth to disable a system with much higher bandwidth.
SYN Flood
The SYN flood attack was considered the most devastating DoS method before the Smurf was discovered. This method uses resource starvation to achieve the DoS. During a normal TCP handshake, (1) a client sends a SYN request to the server, (2) the server responds with a SYN / ACK to the client, and (3) the client sends a final ACK back to the server. In a SYN flood attack, the attacker sends multiple SYN requests to the victim with spoofed source addresses as the return address. The spoofed addresses are for nonexistent networks. The victim’s server then responds with a SYN / ACK back to the nonexistent network. Because no network receives this SYN / ACK, the victim’s system just waits for the ACK from the client. The ACK never arrives, and the victim’s server eventually times out. If the attacker sends SYN requests often enough, the victim’s available resources for setting up connections will be consumed waiting for these bogus ACKs. These resources are usually low in number, so relatively few bogus SYN requests (as few as a dozen) can create a DoS event.
DNS Attacks
On earlier versions of BIND, attackers could effectively poison the cache on a DNS server that was using recursion to look up a zone not served by the nameserver. Once the cache was poisoned, a potential legitimate user would be directed to the attacker’s network or a nonexistent network. This problem has been corrected with later versions of BIND.
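How the two flood patterns above show up in a packet trace, as an added example rather than the FAQ's own code: the SYN flood detector replays the three handshake steps (1)-(3) and counts connections stuck at step (2) within the server's timeout, and the Smurf detector counts echo replies converging on one host from many distinct amplifier addresses. The Pkt record, the thresholds and every packet in the trace are constructed for this example.

```python
"""SYN flood and Smurf detection over a packet trace (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Pkt:
    ts: float
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""       # tcp: "S", "SA", "A"; icmp: "echo-reply"
    sport: int = 0
    dport: int = 0

def half_open_connections(trace: List[Pkt], now: float, timeout: float = 30.0) -> Dict[str, int]:
    """Replay the trace and return, per server address, how many connections
    were still waiting for the client's final ACK at time `now`. Entries older
    than `timeout` seconds are dropped, mirroring the server-side timeout the
    FAQ describes; the longer that timeout, the fewer SYNs a flood needs."""
    state: Dict[tuple, str] = {}        # connection -> "syn" | "synack"
    last_seen: Dict[tuple, float] = {}
    for p in trace:
        if p.proto != "tcp":
            continue
        if p.flags == "S":                      # (1) client -> server
            key = (p.src, p.sport, p.dst, p.dport)
            state[key], last_seen[key] = "syn", p.ts
        elif p.flags == "SA":                   # (2) server -> client: swap ends
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "syn":
                state[key], last_seen[key] = "synack", p.ts
        elif p.flags == "A":                    # (3) client -> server: complete
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "synack":
                del state[key]
                del last_seen[key]
    pending: Dict[str, int] = defaultdict(int)
    for key, st in state.items():
        if st == "synack" and now - last_seen[key] <= timeout:
            pending[key[2]] += 1                # key[2] is the server address
    return dict(pending)

def syn_flood_victims(trace: List[Pkt], now: float, backlog: int = 12) -> List[str]:
    """Servers whose half-open count reached the assumed backlog size (the FAQ
    notes that as few as a dozen bogus SYNs can be enough)."""
    return sorted(ip for ip, n in half_open_connections(trace, now).items() if n >= backlog)

def smurf_victims(trace: List[Pkt], min_sources: int = 50) -> List[str]:
    """Hosts receiving ICMP echo replies from at least `min_sources` distinct
    addresses: the footprint of a broadcast ping forged with the victim's
    address as its source."""
    repliers: Dict[str, Set[str]] = defaultdict(set)
    for p in trace:
        if p.proto == "icmp" and p.flags == "echo-reply":
            repliers[p.dst].add(p.src)
    return sorted(ip for ip, srcs in repliers.items() if len(srcs) >= min_sources)

def build_sample_trace() -> List[Pkt]:
    """Constructed trace: one legitimate handshake, 15 SYNs from spoofed
    (nonexistent) sources that never complete, and replies from 100 hosts of
    an amplifying network aimed at 198.51.100.9."""
    srv, victim = "198.51.100.5", "198.51.100.9"
    t: List[Pkt] = [
        Pkt(0.0, "tcp", "10.0.0.7", srv, "S", 40000, 80),
        Pkt(0.1, "tcp", srv, "10.0.0.7", "SA", 80, 40000),
        Pkt(0.2, "tcp", "10.0.0.7", srv, "A", 40000, 80),
    ]
    for i in range(15):
        spoofed = f"203.0.113.{i + 1}"
        t.append(Pkt(1.0 + i, "tcp", spoofed, srv, "S", 50000 + i, 80))
        t.append(Pkt(1.1 + i, "tcp", srv, spoofed, "SA", 80, 50000 + i))
    for i in range(100):
        t.append(Pkt(20.0 + i / 100, "icmp", f"192.0.2.{i + 1}", victim, "echo-reply"))
    return t

if __name__ == "__main__":
    trace = build_sample_trace()
    print("SYN flood targets:", syn_flood_victims(trace, now=25.0))
    print("Smurf targets:", smurf_victims(trace))
```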

What is a Denial of Service attack?

A Denial of Service (DoS) attack is an attempt to prevent legitimate users of a service from accessing that service. DoS attacks usually either exploit software bugs to crash or freeze a service, or exploit bandwidth limits by using a flood attack to saturate all available bandwidth.

What are some host/service discovery methods?

Ping sweeps
Attackers will usually check which IP addresses are active by sending an ICMP ping packet and waiting for a reply. Similarly, some tools make use of SNMP, TCP/IP and other protocols to “ping” a host to see if it is up.
TCP scans
Enumerating open TCP ports on a target machine is very important in an attack, since this allows hackers to find exploitable services. Attackers will most of the time make use of stealth scans to try to avoid being discovered at this early stage of the attack. Scans can cover ports sequentially, in random order, or from a configured list.
UDP scans
Due to the design of UDP, scanning this protocol is considerably slower and produces a lot of false positives. This is because UDP is a connectionless protocol – when a port is open it does not have to send a confirmation that the UDP packet was received. Most UDP implementations send an ICMP destination port unreachable message when the port is closed. Firewalls should be configured not to respond with ICMP destination port unreachable – this gives a hard time to hackers using traditional UDP scanning. Apart from this, many machines throttle ICMP messages, which means that scanning such machines is a very slow process.
OS Fingerprinting
One method to identify the target operating system is to send illegal or ambiguous packets. Although protocol definitions (RFCs) usually define how a machine should reply to data that it is expecting, these same standards do not always take illegal packets into consideration. The result is that each operating system responds uniquely to invalid inputs, and therefore hackers can guess the remote operating system without being caught by normal system logging.
Another method to discover the operating system of a target is banner grabbing – which consists of analyzing the responses of services running on the victim server.
Account scans
The attacker tries to log on with accounts such as:

  • Accounts with no password set
  • Accounts with password same as username, or “password”.
  • Default accounts that were shipped with the product
  • Accounts installed with software products
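As an added example (not part of the original FAQ), the ping sweeps and TCP/UDP port scans described above detected from connection-log lines by counting how many distinct hosts and host:port pairs one source touches inside a time window. The log format, the sample lines, the window and the limits are all constructed or assumed.

```python
# Added example (not part of the FAQ): flag ping sweeps and port scans from
# connection-log lines.  The log format and the sample lines are constructed.
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?$")

def parse(lines):
    """Yield (time, src, dst, proto, dport) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield (int(m["t"]), m["src"], m["dst"], m["proto"],
                   int(m["dport"]) if m["dport"] else None)

def detect_scans(lines, window=60, host_limit=5, port_limit=10):
    """Return {src: set(labels)} for sources that, within any `window`
    seconds, pinged more than `host_limit` distinct hosts ("sweep") or
    probed more than `port_limit` distinct host:port pairs ("portscan")."""
    recent = defaultdict(deque)          # src -> events inside the window
    alerts = defaultdict(set)
    for ev in sorted(parse(lines), key=lambda e: e[0]):
        t, src, dst, proto, dport = ev
        q = recent[src]
        q.append(ev)
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        hosts = {e[2] for e in q if e[3] == "icmp"}        # ping sweep
        ports = {(e[2], e[4]) for e in q if e[4] is not None}  # port scan
        if len(hosts) > host_limit:
            alerts[src].add("sweep")
        if len(ports) > port_limit:
            alerts[src].add("portscan")
    return dict(alerts)

# Constructed log: a sweep of a /24, then a randomized port scan of one host,
# plus a legitimate client that only ever talks to two services.
SAMPLE = [f"{100 + i} src=203.0.113.7 dst=10.0.0.{i} proto=icmp"
          for i in range(1, 9)]
SAMPLE += [f"{200 + i} src=203.0.113.7 dst=10.0.0.12 proto=tcp dport={p}"
           for i, p in enumerate([8080, 22, 443, 3389, 25, 139,
                                  80, 21, 445, 110, 53, 23])]
SAMPLE += ["300 src=10.0.0.33 dst=10.0.0.12 proto=tcp dport=443",
           "301 src=10.0.0.33 dst=10.0.0.12 proto=udp dport=53"]
```

A slow scan spread out past the window, as in the `window=3` case, slips under the limits, which is why stealth scanners space their probes out.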


How do systems get hacked?

Systems can get hacked when either of the following is compromised:

  1. Physical Security – An attacker will in this case obtain physical access to the machine. This can be done easily once the intruder gets past any physical security systems in place – for example by removing the disk drive and accessing it from home.
  2. System Security – An attacker will gain access to the system by gaining privileges on the system such as by obtaining access to a user account.

This FAQ focuses on system security rather than physical security. System security tries to prevent the following issues:

Software security issues

There are a large number of generic security vulnerabilities produced by “bad coding practices”. While some of these loopholes are already well known and may have been fixed, others are waiting to be discovered. These software bugs can be found and exploited in server software, client applications and the operating system itself. Sometimes protocols are inherently flawed, and therefore any application making use of that specific protocol will be vulnerable.
Software bugs can be classified in the following manner:
Buffer overflows: The most traditional and probably best-known security vulnerability tends to be the Buffer Overrun or Buffer overflow.
Example of how buffer overflow holes are produced:
A programmer assumes that users of his software will never supply input longer than 256 characters as a username.
A hacker will instead try to input more than 256 characters as the username and see what happens. What happens in this case is a buffer overflow – the extra characters overwrite memory beyond the buffer, and input crafted for this can end up being executed as instructions on the remote server.
Buffer overflows are normally found in C and C++ programs, and are very rare on programs written using higher-level computer languages such as Java.
Unexpected input: At design stage sometimes programmers do not think about all possible input combinations. This can result in creating major security holes. A Path Traversal attack is usually carried out via unchecked URL input parameters, cookies and HTTP request headers – this is one example of unexpected input.
Unhandled input: Sometimes programmers overlook the possibility that someone may enter input that doesn’t match what the program is expecting. This can result in denial of service, where some programs/services may crash, as well as in user privilege escalation.
Race conditions: When two or more processes/threads access a shared data item, the result depends on the order of execution. In the security world, if a privileged process can be made to write attacker-supplied content to a certain file which is then executed by another privileged process, code execution may take place, resulting in a security vulnerability.
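As an added example (not part of the original FAQ), the path traversal case from the "Unexpected input" item above: a file-serving routine that trusts a URL parameter, beside a version that confines the resolved path to the document root. The directory layout and file contents are constructed in a temporary directory so the example runs anywhere; the function names are this example's own.

```python
# Added example (not part of the FAQ): unchecked path input beside a
# hardened version.  Files are constructed in a temporary directory.
import os
import tempfile

def serve_vulnerable(docroot, name):
    """Joins the user-supplied name straight onto the document root.
    '../' sequences (or an absolute name) walk out of docroot."""
    with open(os.path.join(docroot, name), "rb") as f:
        return f.read()

def serve_hardened(docroot, name):
    """Resolves the path, then refuses anything outside docroot."""
    root = os.path.realpath(docroot)
    # realpath collapses '..' and symlinks; os.path.join with an absolute
    # name discards root, which is exactly why the containment check below
    # is done on the resolved result rather than on the raw input.
    target = os.path.realpath(os.path.join(root, name))
    # commonpath avoids the '/var/www' vs '/var/www2' prefix trap that a
    # plain startswith() check would fall into.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {name!r}")
    with open(target, "rb") as f:
        return f.read()

def blocked(docroot, name):
    """True if the hardened routine refuses `name`."""
    try:
        serve_hardened(docroot, name)
    except PermissionError:
        return True
    return False

def demo():
    """Builds a docroot with one public file and a secret beside it, then
    returns what each routine hands back for traversal requests."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db password")
    leaked = serve_vulnerable(docroot, "../secret.txt")
    return (leaked,
            blocked(docroot, "../secret.txt"),
            blocked(docroot, os.path.join(base, "secret.txt")),
            serve_hardened(docroot, "index.html"))
```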
System configuration
System configuration bugs can be classified in the following manner:
Default configurations: On installation a system will have the most common settings. Most of the time this means easy to use – and easy to abuse. In fact most Windows NT/2000 and XP systems as shipped have to be patched and configured, or else they are very easy to break into. “Script kiddies” – the less sophisticated hackers – tend to search for default installations of Windows 2000 and Linux systems to break into.
Empty or common passwords: A huge number of servers on some corporate networks do not have a password set. This can be very convenient for quick installation of a huge number of systems, but it creates a very obvious hole. Sometimes administrators will also set obvious passwords for all machines on the network. This means that once an attacker guesses the password for one machine, this password will grant him access to the other machines on the network.
Mis-configuration: Most applications and server software can be configured to allow easier access – i.e. run with no security. This can include enabling a feature – or just enabling all features within a program.
Trust relationships: Security is only as strong as your weakest link. Computers on a corporate network make use of trust relationships, so that a server allows another specific system to make use of a service on the server. If the specific system is compromised, the attacker also gets to enjoy access to the server.

Password cracking

Most security systems are based around a username/password system. This system has various attack points:
Weak passwords: It is very common for people to make use of their name as password. Other common choices for passwords include birthdays, relative’s names, car model, nicknames and other familiar things. It is also common for people to choose “password” or something such as “letmein” as password – as well as simply set a blank password. Of course if an attacker knows the person just a little he can easily guess the password.
Dictionary attacks: A very common attack is to make use of a list of well-known passwords and run it against the login system or a stolen password file. This means trying out every password in the dictionary – a task that can take just a few seconds on an NT SAM file depending on the size of the dictionary file as well as the number of users in the database.
Brute force attacks: This kind of attack is very similar to the dictionary attack, but it tries all possible combinations of characters. The advantage is that any password can be guessed using this attack. However, this attack is of course very time consuming. Hackers choose to try certain characters only, such as lower case characters, and limit the length of the password so that this attack is more feasible.

Sniffing unsecured traffic

Shared network: Traditional Ethernets allow attackers to simply set the network card to promiscuous mode and obtain all data passing through the network. The attacker would usually make use of a protocol analyzer (better known as a sniffer) to launch this attack. While this attack is very difficult to detect, most corporate networks have now turned to switched Ethernet, which does not allow passive attacks such as this one.
Sniffing on a switched network: Although switched networks prevent passive snooping, there are still a few attacks that can be launched:

  1. Server sniffing: If a router is compromised, an attacker can usually still sniff network data since a lot of packets flow through routers.
  2. Active attacks against Switched networks: ARP Spoofing, MAC flooding, MAC duplicating. These attacks allow hackers to capture unencrypted passwords and data over the network.
  3. Rogue DHCP servers. If an attacker launches a rogue DHCP server he can effectively set up his machine as a router and force computers on the network to think it is a legitimate router.

Remote sniffing: SNMP has a service called RMON that allows for remote monitoring of data. Various SNMP implementations contain security issues and make use of default public community strings.
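As an added example (not part of the original FAQ), an arpwatch-style check for the ARP spoofing and MAC flooding attacks listed above: it replays ARP replies and reports IPs that change MAC, one MAC answering for several IPs, and bursts of distinct MACs. The reply records, addresses, window and flood limit are constructed or assumed.

```python
# Added example (not part of the FAQ): detect ARP spoofing and MAC flooding
# from ARP replies given as (time, sender_ip, sender_mac) tuples.
from collections import defaultdict

def watch_arp(replies, window=60, flood_limit=50):
    """Replay ARP replies and return a set of alert tuples.

    ("changed", ip, old_mac, new_mac): a known IP now claims another MAC,
        the signature of a poisoned ARP cache.
    ("multi-ip", mac): one MAC answers for several IPs at once, as it does
        when an attacker impersonates both the gateway and a victim.
    ("flood",): more than `flood_limit` distinct sender MACs inside
        `window` seconds, the signature of flooding a switch's CAM table.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    recent = []                      # (time, mac) pairs inside the window
    alerts = set()
    for t, ip, mac in sorted(replies, key=lambda r: r[0]):
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.add(("changed", ip, old, mac))
            mac_to_ips[old].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.add(("multi-ip", mac))
        recent.append((t, mac))
        recent = [(t0, m) for t0, m in recent if t - t0 <= window]
        if len({m for _, m in recent}) > flood_limit:
            alerts.add(("flood",))
    return alerts

# Constructed replies: a quiet network, then the attacker's MAC answering
# for both the gateway and a victim so that their traffic passes through it.
GATEWAY, VICTIM, ATTACKER = "10.0.0.1", "10.0.0.20", "10.0.0.66"
GW_MAC, VIC_MAC, ATT_MAC = ("00:11:22:33:44:01", "00:11:22:33:44:20",
                            "00:11:22:33:44:66")
SAMPLE = [(0, GATEWAY, GW_MAC),
          (1, VICTIM, VIC_MAC),
          (2, ATTACKER, ATT_MAC),
          (30, GATEWAY, ATT_MAC),      # poisoned: gateway IP -> attacker MAC
          (31, VICTIM, ATT_MAC)]       # poisoned: victim IP -> attacker MAC
```

A host with several legitimate IP aliases will also trigger "multi-ip", so in practice that alert is filtered against a list of known multi-homed hosts.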

Design flaws

Many times software is not designed with security in mind from the start. This means that sometimes security issues will emerge even when software implementation is flawless. Such a problem will often require a full software redesign. However many programmers and designers choose to patch existing software to hide design flaws.
Underlying protocol flaws: Most network programs are built to make use of TCP/IP to communicate with other services across the Internet. Although TCP/IP is robust, it was not designed with security in mind and it inherits many possible problems. Examples include IP spoofing, DNS hijacking and SYN floods. IPsec, on the other hand, has been designed to fix flaws within TCP/IP – however it is not widely implemented yet.


What are the legal implications of honeypots?

Do honeypots constitute entrapment?
No. This is the most commonly asked question about honeypots, and the answer is a clear no. Entrapment has a clear legal definition whereby law enforcement officers encourage somebody to commit a crime that they were not otherwise disposed to do. This means:

  • If you are not a law enforcement officer, you cannot entrap.
  • Affording the means for somebody to commit a crime is not the same as encouraging the crime. The FBI can set up a honeypot without risk of entrapment.
  • If the FBI contacts somebody in alt.2600 and posts a bounty for cracking into a system, then it would be entrapment.

Am I aiding and abetting a crime?
Possibly. You are certainly not abetting the person breaking into your system. However, if he/she uses your system to launch attacks against other systems, you might be partially liable for the actions.

Am I liable for attacks launched from the compromised honeypot?
Very probably. This hasn’t been tested in court, but if you have a lot of money and the hacker causes lots of damage, guess who the victim is going to sue? It doesn’t matter what the law says, there is a good chance you will have to defend yourself in court. Note that this also applies when the hacker breaks into any of your systems.

