Dragon by Security Wizards


Dragon is based on the Award-Winning UNIX-based Intrusion Detection System from Enterasys - a Cabletron Company - (Previously Network Security Wizards) in the USA. Dragon Network based IDS is the most scalable, versatile IDS currently available. Unix based, and compatible with many of today's favored operating systems, Dragon has consistently proved itself to be the most reliable, accurate and robust IDS available. A host-based intrusion defense tool, Dragon Host Sensor monitors individual systems and applications, including today's most common operating systems, for evidence of malicious or suspicious activity in real time, and monitors key system logs for evidence of tampering. Dragon Host Sensor may be deployed on a protected host or on a dedicated analysis system where logs are forwarded from switches, firewalls, routers and other IDSs and aggregated via SNMP or syslog.

start sidebar
Snort (http://www.snort.org)
  • Snort is an Open Source Intrusion Detection System

  • It contains over thousand signatures. and can be downloaded at http://www.snort.org/cgi-bin/done.cgi

  • Checkout the following example:

    In this example of PHF attack detection, a straight text string is searched for in the app layer

     Alert tcp any any -> 192.168.1.0/24 80 (msg: "PHF attempt" ; content: "/cgi-bin/phf";) 

    It gives an alert, that a TCP connection from any IP address and any port to the 192.168.1.x subnet to port 80.

    It searches for the content "/cgi-bin/phf" any where in the content. If it find such content, it will alert the console with a message "PHF attempt"

end sidebar
 
Tools  

Snort is a software-based real-time network intrusion detection system developed by Martin Roesch that can be used to notify an administrator of a potential intrusion attempt. Snort is a "lightweight" NIDS in that it is non- intrusive , easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install. Snort currently includes the ability to detect more than 1100 potential vulnerabilities.

Among its features include the ability to:

  • Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans , CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients , and many more;

  • Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator;

  • Develop new rules quickly once the pattern (attack signature) is known for the vulnerability;

  • Record packets in their human-readable form from the offending IP address in a hierarchical directory structure.

  • Used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or Napster connections;

  • Used on an existing workstation to monitor a home DSL connection, or on a dedicated server to monitor a corporate web site

Snort uses the popular libpcap library, the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing by on the network to which it's attached by entering promiscuous mode. Based upon the content of the individual packets and the rules defined in the configuration file, an alert is generated.

start sidebar
Evading IDS Systems
  • Many simple network intrusion detection systems rely upon "pattern matching".

  • Attack scripts have well known patterns, so simply compiling a database of the output of known attack scripts provide pretty good detection, but can easily be evaded by simply changing the script.

  • IDS evasion focuses on foiling signature matching by altering an attacker' s appearance.

    For example, some POP3 servers are vulnerable to a buffer overflow when a long password is entered. It is easy to evade simply by changing the attack script.

end sidebar
 
Attack Methods  

An evasion attack is said to have occurred when an end-system accepts a packet that the IDS rejects. By erroneously rejecting the packet, an IDS misses its contents entirely. This allows the attacker to exploit a similar situation where it is possible to slip crucial information past the IDS in packets that the IDS is too strict about processing.

These attacks are the easiest to exploit and most devastating to the accuracy of the IDS. Entire sessions can be carried forth in packets that evade the IDS. Evasion attacks foil pattern matching in a manner quite similar to insertion attacks. Again, the attacker makes the IDS to see a different stream of data than the end-system - though the end-system sees more than the IDS, and the information that the IDS misses becomes critical to the detection of the attack.

Protocols like TCP allow any amount of data (within the limits of the IP protocol's maximum packet size ) to be contained in each discrete packet. A collection of data can be transmitted in one packet, or in a group of them. Because they can arrive at their destination out of order, even when transmitted in order, each packet is given a number that indicates its place within the intended order of the stream. This is commonly referred to as a "sequence number", and collections of packets marked with sequence numbers as " sequenced "'.

The recipient of stream of TCP packets has the responsibility of re-ordering and extracting the information contained in each of them, reconstructing the original collection of data that the sender transmitted. The process of taking a collection of unordered, sequenced packets and reconstructing the stream of data they contain is termed "reassembly".

Reassembly issues manifest themselves at the IP layer, as well; IP defines a mechanism, called "fragmentation"', that allows machines to break individual packets into smaller ones. Each individual fragment bears a marker that denotes where it belongs in the context of the original packet; this field is called the "offset". IP implementations must be able to accept a stream of packet fragments and, using their offsets, reassemble them into the original packet.

Evasion attacks disrupt stream reassembly by causing the IDS to miss parts of it. The packets lost by the IDS might be vital for the sequencing of the stream; the IDS might not know what to do with the packets it sees after the evasion attacks. In many situations, it's fairly simple for the attacker to create an entire stream that eludes the IDS.

start sidebar
Complex IDS Evasion
  • An intruder might send a TCP SYN packet that the IDS sees, but the victim host never sees.

  • This causes the IDS to believe the connection is closed, but when in fact it is not. Since TCP connections do not send "keep-alives", the intruder could wait hours or days after this "close"before continuing the attack.

  • The first attack is to find a way to pass packets as far as the IDS, and cause a later router to drop packets.

  • This depends upon the router configuration, but typical examples include low TTL fields, fragmentation, source routing, and other IP options.

  • If there is a slow link past the IDS, then the hacker can flood the link with high priority IP packets, and send the TCP FIN as a low priority packet - the router's queuing mechanism will likely drop the packet.

end sidebar
 
Attack Methods  

Experienced hackers can direct their attacks in ways to bypass intrusion detection systems through complex procedures. For example, an intruder might send a TCP SYN packet that the NIDS detects, but which the target system does not. This leads the NIDS to believe the connection is closed, but when in fact it is open. Since TCP connections are stateful, the intruder could wait hours or days before resuming the attack. In practice, most interesting services do kill the connection after a certain time with no activity, but the intruder still can cause a wait of several minutes before continuing.

The first such attack is to find a way to pass packets as far as the NIDS, but cause a later router to drop packets. This depends upon the router configuration, but typical examples include low TTL fields, fragmentation, source routing, and other IP options. If there is a slow link past the NIDS, then the hacker can flood the link with high priority IP packets, and send the TCP FIN as a low priority packet -- the router's queuing mechanism will likely drop the packet.

Another approach is to consider what the host will or will not accept. For example, different TCP stacks behave differently to slightly invalid input (which programs like 'nmap' and 'queso' use to fingerprint operating systems). Typical ways of causing different traffic to be accepted or rejected are:

  • Send TCP options,

  • Cause timeouts to occur for IP fragments or TCP segments,

  • Overlap fragments/segments,

  • Send slight wrong values in TCP flags or sequence numbers.

start sidebar
Hacking Tool: fragrouter
  • Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems.

  • Fragrouter allows attacks to avoid detection by network intrusion detection systems.

  • For exmple, the Fragrouter could be used to obfuscate a phf attack against a web server, a buffer overflow attack against a DNS server, or any number of other attacks.

 fragrouter [ -i interface ] [ -p ] [   ATTACK ] host 
end sidebar
 
Tools  

Fragrouter allows attacks to avoid detection by network intrusion detection systems. Conceptually, fragrouter is just a one-way fragmenting router - IP packets get sent from the attacker to the fragrouter, which transforms them into a fragmented data stream to forward to the victim. It is a program for routing network traffic in such a way as to elude most network intrusion detection systems. Fragrouter evades IDSs by fragmenting traffic at the IP or TCP layer.

Most network IDSs fall victim to this attack-hiding technique because they don't bother to reconstruct a coherent view of the network data (via IP fragmentation and TCP stream reassembly). For example, Fragrouter could be used to obfuscate a phf attack against a web server, a buffer overflow attack against a DNS server, or any number of other attacks.

 attack                  fragmented attack     +-------+        +-----------+                     +-------------+      haxOr -------& gt;  fragrouter  - -- - - - -& gt;  victim     +-------+        +-------------+                  +-----------+                                                 V                                          +------+------+                                           network IDS                                           +-------------+ 

Usage: fragrouter [-i interface] [-p] [ATTACK] host

Fragrouter enables an attacker to break the packets into smaller fragments before sending them across the network. This requires network-based IDS to gather all fragments and attempt to reassemble and interpret them to establish their signature.

For example, if overlapping fragments are sent with different data, some systems prefer the data from the first fragment (WinNT, Solaris), whereas others keep the data from the last fragment (Linux, BSD).

The NIDS has no way of knowing which the end-node will accept, and may guess wrong. By slicing and dicing packets in highly unusual and unexpected ways.

start sidebar
Hacking Tool: Tcpreplay

http:// sourceforge .net/projects/tcpreplay/

  • Tcpreplay is a set of UNIX tools which allows the replaying of captured network traffic.

  • It can be used to test a variety of network devices including routers, firewalls, and NIDS.

     tcpreplay [ -i intf ] [ -1 loop count ] [ -r rate  -m multiplier ] file ... 
end sidebar
 
Tools  

Tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.

Many NIDSs fare poorly when looking for attacks on heavily-loaded networks. Tcpreplay allows the user to recreate real network traffic from a real network for use in testing.

Tcpreplay includes the following tools:

  • tcpreplay - the tool for replaying capture files

  • tcpprep - a capture file pre-processor for creating cache files for tcpreplay

  • capinfo - the tool for printing statistics about capture files

  • pcapmerge - a tool for merging pcap files into one larger one (1.4.x only)

  • flowreplay - a tool for replaying connections (1.5.x only)

Tcpreplay was written to test network intrusion detection devices, however tcpreplay has been used to test firewalls, routers, and other in-line devices. In it's current form, tcpreplay is not very well suited for testing IP stacks or applications running on servers or clients since it is unable to synchronize TCP sequence numbers nor is able to react or use packets sent by other devices as input.

start sidebar
Hacking Tool: SideStep.exe

http://www.robertgraham.com/tmp/sidestep.html

  • Sidestep is a hacking tool which evades network IDS in a completely different manner compared to fragrouter.

     c:\>sidestep SideStep v1.0 Copyright (s) 2000 by Network ICE http://www.robertgraham.com/tmp/sidestep.html usage:   sidestep <target> [<options>] Sends attacks at the target that evades an IDS. One of the following protocols/attacks must be specified:  -rpc         RPC PortMap DUMP  -ftp         FTP CD -root  -dns         DNS version.bind query  - -snmp      SNMP lanman user enum  - http       /cgi-bin/phf  -bo         BackOrifice ping  -all One of three modes must be specified:  -norm          Does no evasion (normal attacks)  -evade         Attempts to attack target evading the IDS  -false         Does not attack the system at all (false positive) Example:  sidestep -10.0.0.1 -evade -dns  Queries DNS server for version info evading IDS 
end sidebar
 
Tools  

Sidestep is a hacking tool which evades network IDS in a completely different manner compared to fragrouter. The program generates attacks using three modes:

  • Normal - This executes the attack/scan at the level of sophistication of script kiddies. Most IDSs should pick up these attacks.

  • Evasion - Here it carries out the same attack but using sophisticated IDS evasion techniques. None of these attacks are fragmented at the IP or TCP layer.

  • False positive - Doesn't attack the target, but instead does something relatively normal. However, many IDSs falsely trigger on this.

It must be noted that sidestep does not do anything malicious and is more of a demonstration tool for evading IDS. It does this at the application layer. To list the functionality of sidestep, it does the following:

  • RPC Portmapper Dump

  • FTP CWD ~root

  • DNS version.bind Query

  • SNMP LanMAN User Enum

  • PHF Probe

  • BackOrifice Ping

start sidebar
Hacking Tool: Anzen NIDSbench

http://www.anzen.com/research/nidsbench/

  • Contains "fragrouter" that forces all traffic to fragment, which demonstrates how easy it is for hackers/crackers to do the same in order to evade intrusion detection.

  • This accepts incoming traffic then fragments it according to various rules (IP fragmentation with various sizes and overlaps, TCP segmentation again with various sizes and overlaps, TCP insertion in order to de-synchronize the connection, etc.)

end sidebar
 
Tools  

Nidsbench is a lightweight, portable toolkit for testing network intrusion detection systems. It implements several well-known attacks against passive network monitoring and allows for the instrumentation of trace-driven network attack simulations. The goal of the NIDSbench project is to provide better tools for evaluating NIDS products and to help standardize a testing methodology for the purpose of objective comparison. NIDSbench provides tools to evaluate two measurable NIDS characteristics: performance and correctness. Nidsbench includes the following programs:

Tcpreplay: Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in order to hide attacks. Tcpreplay allows the user to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically - generated artificial traffic which doesn't exercise the application/protocol inspection that a NIDS performs , and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.

Fragrouter: Fragrouter is aimed at testing the correctness of a NIDS, according to the specific TCP/IP attacks listed in the Secure Networks NIDS evasion paper. Other NIDS evasion toolkits which implement these attacks are in circulation among hackers or publically available, and it is assumed that they are currently being used to bypass NIDSs.

Idstest: Idstest is aimed at testing the correctness of a NIDS by actually performing the attacks such systems are supposed to detect. In theory, this is no different from what may commercial vulnerability scanners do, except that many of them only look for vulnerability symptoms (ex. versions reported in software banners) instead of actually attempting exploits.

start sidebar
Hacking Tool: ADMutate

http://www.ktwo.ca/security.html

  • ADMutate accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version which bypasses IDS.

  • Once a new attack is known, it usually takes the IDS vendors a number of hours or days to develop a signature. But in the case of ADMutate, it has taken months for signature-based IDS vendors to add a way to detect a polymorphic buffer overflow generated by it.

end sidebar
 
Tools  

ADMutate exploits weaknesses in purely signature-based IDS. By avoiding the patterns that the IDS look for and accomplishing the same goal, it is able to circumvent the stored patterns. It can take an attack shell code and subtly transform it. Polymorphism is the ability to exist in multiple forms. Therefore, if the application level data is put through a mutation algorithm, the user can obtain an equivalently functional, but completely unique code fragment.

This technique is quite easy to adapt to the needs of the exploit coder . The preferred exploit is the buffer overflow as buffer overflow's have sufficient non operational code that when can be altered to perform a number of other tasks . ADMutate attempts to encode the shellcode with a simple mechanism (xor) so that the shellcode will be unique to any NIDS sensor. This evades any shellcode signature analysis.

Usually when an attacker tries a buffer overflow attack, an ID system will match a string contained in the data or shellcode of the attack and generate an alert. ADMutate generates different strings or signatures every time so the ID system does not recognize the threat.

This means that attackers could gain ground on security experts because it takes time for ID system developers to update their products - a situation made more difficult because attackers can generate a possibly infinite amount of random strings.

The decrypt engine is needed to decode the XOR'ed shellcode. This is also polymorphic and works by varying the assembly instructions to accomplish the same results in different ways. It adopts out of order decoding to vary the signature even more. In addition, it can be used to encrypt the part of network traffic that IDS such as Snort examines. If ADMutate is combined with the statdx.c script, Snort's signature will be unable to detect this attack.

start sidebar
Tools to inject strangely formatted packets on to the wire
  • Libnet (http://www.packetfactory.net/libnet)

  • Rootshefl (http://www.rootshell.com)

  • IPsend (http://www.coombs.anu.edu.au/^avalon)

  • Sun Packet Shell (psh) Protocol Testing Tool (http://www.playground.sun.com/psh)

  • Net::RawIP (http://www.quake.skif.net/RawIP)

  • CyberCop Scanner's CASL (http://www.nai.com)

end sidebar
 

aicmpsend 1.10 (http://www.elxsi.de/)

AICMPSEND is an ICMP sender with many features including ICMP flooding and spoofing. All ICMP flags and codes are implemented. You can use this program for various DoS attacks, for ICMP flooding and to test firewalls. Requires perl module Net::RawIP

apsend 1.60 (http://www.elxsi.de/)

TCP/IP/UDP/ICMP packet sender with syn flood, land attack, DoS attack against tcpdump 3.4, and spoofing. It also include socket functions like netcat and you can specify a lot of other options like Time to Live(TTL), Type of service(ToS), sequence number, ack number, urgent pointer, SYN/PUSH/ACK/RST/URG/FIN flag, window size, number of packets to send and so on. This program can be used to test firewall configurations. Requires perl module Net::RawIP

blast v2.0 (http://www.foundstone.com/rdlabs/blastbeta.html)

A small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in network servers. For a detailed explanation and examples of usage of this tool, please read the .txt file included in the zip.

CASL 2.0 (http://www.pgp.com/products/casl/default.asp)

CASL is a high-level scripting language that allows you to write simple scripts to invoke complex vulnerability tests thus avoiding hundreds of lines of low-level coding. This free version of CASL is a command-line application that currently runs under Redhat Linux 5.x. The commercial release of Cybercop Scanner includes a graphic interface. This excellent software was originally authored by the fine folks at Secure Networks Inc., now absorbed into the NAI mothership. This is one of the more powerful commercial-quality toolsets to be released as freeware.

easy tcpip library 0.4 (http:// members .nbci.com/_XMCM/mgornstein/download.html)

Library to make basic tcp/ip applications in a quick and easy way.

ettercap 0.1.0 (http://ettercap.sourceforge.net/)

ettercap is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts . Data injection in an established connection is also possible keeping it alive . You can sniff connection between local and remote host through a gateway using the MAC-based sniffing mode. It has an ncurses interface.

gasp 0.92 (http://laurent.riesterer.free.fr/gasp/)

GASP (Generator and Analyzer System for Protocols) works by providing an extremely detailed packet description language. GASP is divided in two parts: a compiler which takes the specification of the protocols and generates the code to handle it, this code is a new Tcl command as GASP in build upon Tcl/Tk and extends the scripting facilities provided by Tcl. Linux version -author is working on a port to Windows NT.

hping2 beta 54 (http://www.kyuzz.org/antirez/hping/)

hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping do with ICMP replies. hping2 handles fragmentation, arbitrary packet body and size and can be used in order to transfer files under supported protocols. Using hping2 you are able at least to perform the following jobs. Test firewall rules - [spoofed] port scanning - Test net performance using differents protocols, packet size, TO S (type of service) and fragmentation. - Path MTU discovery - File trasfer even between really fascist firewall rules. - Traceroute functionality under different protocols. - Firewalk like usage. - Remote OS fingerprint. - TCP/IP stack auditing.

icmpush 2.2 (http://hispahack.ccc.de/)

ICMPush is a tool that sends ICMP packets fully customized from command line. This release supports the ICMP error types Unreach, Parameter Problem, Redirect and Source Quench and the ICMP information types Timestamp, Address Mask Request, Information Request, Router Solicitation, Router Advertisement and Echo Request. Also supports ip-spoofing, broadcasting and other useful features. It's really a powerful program for testing and debugging TCP/IP stacks and networks. (ICMP packets anyway)

ippacket 2.1 (http://w3.cpwright.com/)

Command line/ curses utility to construct IP/TCP/UDP/ICMP packets on a Linux system. This shows a lot of potential, but the interface is quite buggy .

ipsend 2.1.2.2 (http://coombs.anu.edu.au/~avalon/)

Ipsend is a test tool included with the ipfilter package. It can be used to generate arbitary IP packets on ethernet connected machines.

isic 0.05 (http://expert.cc.purdue.edu/~frantzen/)

ISIC sends randomly generated packets to a target computer. Its primary uses are to stress-test an IP stack, to find leaks in a firewall, and to test the implementation of IDSes and firewalls. The user can specify how often the packets will be frags, have IP options, TCP options, an urgent pointer, etc. Programs for TCP, UDP, ICMP, and IP w/ random protocols, and random ethernet frames are included.

Icrzo 3.11 (http://www.laurentconstantin.com/us/lcrzo/lcrzo/)

Lcrzo is a network library, for network administrators and network hackers. Its main objective is to easily create network test programs. This library provides network functionnalities for Ethernet, IP, UDP, TCP, ICMP, ARP and RARP protocols. It supports spoofing, sniffing, client and server creation. Furthermore, Icrzo contains high level functions dealing with data storage and handling. Using all these functions, you can quickly create a network test program. Lcrzo, which means "Laurent Constantin R ZO" (R ZO=network in French), is available under the GNU LGPL license. This library runs under Linux, FreeBSD and Solaris.

libnet 1.0.2a (http://www.packetfactory.net/libnet/)

Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet writing and handling. Using libnet, quick and simple packet assembly applications can be created with minimal programming effort. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and c complementary functionality. The library has matured considerably and is now supplemented by Route's excellent manual (which was actually published in full in Phrack 55). Additional functionality and stability are added with each release.

libnet NT (http://www.eeye.com/html/Databases/Software/libnetnt.html)

Win32 port of libnet by Eeye. LibnetNT has the exact same functionality and abilities as Libnet except LibnetNT can be used to develop low level packet injection programs on Windows NT4.0 and Windows NT5.0. Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet writing and handling. Using libnet, quick and simple packet assembly applications can be created with minimal programming effort. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and c complementary functionality. The library has matured considerably and is now supplemented by Route's excellent manual (which was actually published in full in Phrack 55). Additional functionality and stability are added with each release. Requires Winpcap.

MGEN Toolset 3.2 (http://manimac.itd.nrl.navy.mil/MGEN/)

The Naval Research Laboratory (NRL) "Multi-Generator" (MGEN) Toolset provides programs for sourcing/sinking real-time multicast/unicast UDP/IP traffic flows with optional support for operation with ISI's "rsvpd". It now also includes support for scripted generation of packet flows with the IP TOS field set. The MGEN tools transmit and receive (and log) time-stamped, sequence numbered packets. Post-test analyses of the log files can be performed to assess network or network component ability to support the given traffic load in terms of packet loss, delay, delay jitter, etc. MGEN has been used to evaluate the capability of networks and devices to properly provide IP Multicast and RSVP support. The binary distributions include a little documentation and some example script files.

mpac 1.01

mpac is a tool for creating Ethernet-TCP/IP packets with payload. Packets are built with plaintext configuration files representing each layer (ethernet, ip, tcp, payload).

nemesis 1.31 (http://www.packetninja.net/nemesis/)

The Nemesis Project is a libnet-based toolset designed to be a commandline-based, portable IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.

Net::RawIP 0.9d (http://quake.skif.net/RawIP/)

Net::RawIP is a perl module that allows for easy manipulation of raw IP packets, with the optional feature of manipulating Ethernet headers. This module requires perl 5.004 or later and libpcap.

netcat 1.10 (http://www.lopht.com/~weld/netcat/)

Netcat is a simple UNIX utility, which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool; since it can create almost any kind of connection, you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard UNIX tools. Netcat also allows you specify source ports for arbitrary tcp and udp connections, bind as a server, and use source routing.

netsh 0.1 (http://www.via.ecp.fr/~bbp/netsh/)

Netsh is a tool designed to debug network applications. It enables the user to dump incoming packets in ascii or hexadecimal and to send hand made custom packets (again, ascii and hexadecimal forms can also be used). It is also able to forward the dumped packets: it has been designed to be inserted between a client and a server application, even if it may easily be used differently.

PacketX v1 (http://www.ntobjectives.com/packetx.htm)

PacketX is a native Windows NT firewall-testing tool that allows for complete TCP/IP packet creation and provides businesses a method for verifying a firewall vendor's product claims. Featuring packet spoofing technology and raw packet creation techniques, this tool are essentially a packet cannon that shoots custom packets at a firewall in order to verify the approval/denial of internet domain address against firewall ACL's.

pksnd 1.02 (http://www.alberts.com/Ambry/Shareware?File_Name=pksnd102.zip&OS=DOS)

PC based packet assembly system.

Send Packet 1.5 (http://members.nbci.com/_XMCM/mgornstein/download.html)

Send Packet is a small but powerful program to test how your network responds to specific packet content. Via a config file and/or command line parameters, you can forge (modify the headers of) your own TCP/UDP/ICMP/IP packets and send them through your network. It's modular philosophy allows for the specification of which modules you want to include. --TCP/UDP/ICMP/IP packet "customizer". You can modify almost all the parameters in the headers of the tcp/udp/icmp/ip set of protocols. Can also send the contents of a file in the data section of the tcp header. Useful to test networks, firewalls, etc, educational, and simple to use for the student.

sendip 1.1 (http://www.earth.li/projectpurple/progs/ sendip .html)

SendIP is a command line tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too. Changes: This release compiles under *BSD as well as Linux, doesn't need GNU make, and includes RPMs and random header field generation. Added manpage , cleaned up source.

SING 1.1 (http://sourceforge.net/projects/sing)

SING stands for 'Send ICMP Nasty Garbage'. It is a tool that sends ICMP packets fully customized from command line. Its main purpose is to replace the ping command but adding certain enhancements (Fragmentation, spoofing,).

socket script 1.16 (http://www.linuxave.net/~drow/SocketScript/)

Socket Script is primarily for people who want to create networking-oriented programs, but don't want to learn the details of using sockets. It has multiple network commands that enable you to tell the script interpreter where you want to connect, and all you have to do is focus on the script itself, leaving the connection parts to SScript. It seems to be good for non-programmers as well as experienced. SScript has more than 100 commands. It can be be compiled as text-only or graphic using GTK.

spak 0.6b (http://freeport.xenos.net/%7Exenon/software/spak/index.html)

Spak (Send PAcKet) is a collection of programs that can be used to create and send a packet over a network. Spak is designed to be very modular and allow as much control over the design of the packet as possible. The modules included with this release are makeip, maketcp, makeudp, makearp, makeeth, sendpacket, and sendeth. Spak was developed and tested under Linux 2.0.x, SunOS 5.5.1, and BSDI 3.1 systems.

spoof 0.1 (http://www.kalug.lug.net/coding/nettools/)

Fyodor's first attempt to create a spoof library. (spoofing various sorts of TCP packets only). This newer version is the result of a few additional hours of work on previous code. Now supports IP/UDP/TCP spoofing.

TCP/IP Library v2 (http://www.komodia.com/tools.htm)

Tcpip_lib is a library for Windows 2000 which allows arbitrary packet creation. It allows you to send raw IP headers, do IP spoofing, and play with the nuts and bolts of networking protocols. Requires the recent DDK or SDK for win2k.

tcpreplay 1.01 (http://www.anzen.com/research/nidsbench/tcpreplay.html)

Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn't exercise the application/protocol inspection that a NIDS performs, and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks. Note this is not technically packet shaping, since packets are played back verbatim from recording, and cannot be altered with this program. However, this tool is potentially extremely useful, and somewhat related .

The Packet Shell 4.1 (http://playground.sun.com/psh/)

This tool is provided by Sun and was originally meant for use with Solaris 2.5.1 and above. Packet Shell is an extensible Tcl/Tk based software toolset for protocol development and testing. The Packet Shell creates Tcl commands that allow you to create, modify, send, and receive packets on networks. The Packet Shell requires the preserve of the Tcl/Tk package to execute. The new version 4.1 Beta is now distributed with Berkeley's libpcap 0.4 distributions for portability. Also many of the protocol libraries have been ported to the BSD platform.

USI++ 1.90 (http://www.cs.uni-potsdam.de/homepages/students/linuxer/libs/index.html)

Powerful low-level network library, which allows you to send modified/spoofed packets over the network. USI++ runs on Linux and FreeBSD systems and supports 10MBit, 100MBit and PPP - devices. v1.63 comes with some bug fixes; it now works properly on FreeBSD. USI++ requires libpcap. All Linux and BSD distributions should include libpcap. Version 1.90 is a new version with improved flexibility, HTML documentation, and more sample-programs including traceroute-like tools and invisible port scanners.

xipdump 1.5.4 (http://www.epita.fr/~lse/xipdump/)

Xipdump is a protocol analyzer and tester. It's a kind of graphical tcpdump which adds the possibility of changing packet values and resending them. The graphical representation of a packet is intended to offer a complete, customizable view at a glance.

start sidebar
What do I do when I have been hacked?
  • Incident response team

    Set up an "incident response team". Identify those people who should be called whenever people suspect an intrusion in progress.

  • Response procedure

    You need to decide now what your priorities are between network uptime and intrusion. Can you pull the network plug whenever you strongly suspect intrusion? Do you wantto allow continued intrusion in order to gather evidence against the intruder?

  • Lines of communication

    Do you propagate the information up the corporate food chain from your boss up to the CEO, Do you inform the FBI or police? Do you notify partners (vendors/customers)

end sidebar
 
Countermeasure  

For the most part, a good response requires that you've set up good defensive measures in the first place. These include:

  • Incident Response Team

    Set up an "incident response team". Identify those people who should be called whenever people suspect an intrusion in progress. The response team needs to be "inter - departmental", and include such people as:

  • Upper Management

    Need to identify somebody with the authority to handle escalated issues. For example, if the company has an online trading service, you need to identify somebody with enough power to "pull the plug". Going off-line on such a service will have a major impact -- but would still be better than hackers trading away people's stocks.

  • HR (Human Resources)

    Many attacks come from internal employees . This consists of both serious attacks (cracking into machines) as well as nuisance attacks, such as browsing inappropriate servers looking for files like customer lists that might be left open.

  • Technical Staff

    Security is often separate from normal MIS activity. If security personnel detect a compromised system, they need to know who in MIS they need to call.

  • Outside Members

    Identify people outside the company that may be contacted. This might be a local ISP person (for example, helping against smurf attacks), the local police, or the FBI. These aren't necessarily "formal" team members. They might not know anything about this, or they might simply be a "role" (like <support@localisp.net>). But put their names on the list so that everyone knows who to call.

  • Security Team

    Of course, the most important team members will be the security people themselves. Note that not all "team members" need to be involved with every incident. For example, you only need to ping upper management on serious attacks. They may never be called upon, but they do need to be identified, and they do need to be prepared as to the types of decisions they will have to make.

  • Response Procedure

    Figure out guidelines now for the response action. For example, you need to decide now what your priorities are between network uptime and intrusion: can you pull the network plug whenever you strongly suspect intrusion? Do you want to allow continued intrusion in order to gather evidence against the intruder? Decide now, and get the CEO's approval now, because you won't have time during the attack.

  • Lines Of Communication

    Figure out guidelines for communication. Do you propagate the information up the corporate food chain from your boss up to the CEO, or horizontally to other business units? Do you take part in incident reporting organizations such as FIRST (Forum of Incident Response and Security Teams) at http://www.first.org ? Do you inform the FBI or police? Do you notify partners (vendors/customers) that have a connection to your network (and who may be compromised, or from whom the attack originated)? Do you hide the intrusion from the press? Note that the FBI has a webpage for reporting crime at: http://www. usdoj .gov/criminal/ cybercrime /reporting.htm

  • Logging Procedures

    Set up your logging/auditing/monitoring procedures now; one of the most common thoughts after an attack is how much they wished they had adequate logging in the first place in order to figure out what happened .

  • Training/Rehearsal

    Get training on all these issues. Each person involved needs to understand the scope of what they need to do. Also carry out dry runs. Assume a massive hacker penetration into your network, and drill what happens. Most hacker penetrations succeed because companies practice at being unprepared for their attack.

    Since computer networks are growing so fast, there are not enough trained people to handle intrusions. Likewise, networks grow in an ad hoc fashion, so logging/auditing is haphazard. These conditions lead to the state that people don't know what to do when they've been attacked , and their networks aren't robust enough to recover well from the attack.

    The recommended practice outlines the following steps for incident handling.

1-1 Document Everything

1-2 Contact Primary IRC

1-3 Preserve Evidence

1-4 Verify the Incident

1-5 Notify Appropriate Personnel

1-6 Determine Incident Status

1-7 Assess Scope

1-8 Assess Risk

1-9 Establish Goals

1-10 Evaluate Options

1-11 Implement Triage Actions

1-12 Escalation and Handoff

2-1 Verify Containment

2-2 Revisit Scope, Risk, and Goals

2-3 Collect Evidence

2-4 Analyze Evidence

2-5 Build Hypotheses and Verify

2-6 Intermediate Mitigation

3-1 Finalize Analysis and Report

3-2 Archive Evidence

3-3 Implement Remediation

3-4 Execute Recovery

3-5 Conduct Post-Mortem

start sidebar
Hacking through firewalls
  • One of the easiest and most common ways for an attacker to slip by a firewall is by installing some network software on an internal system that communicates using a port address permitted by the firewall's configuration.

  • A popular port to use is port 53 TCP, normally used by DNS.

  • Many firewalls permit all traffic using port 53 by default, because it simplifies firewall configuration and reduces support calls.

end sidebar
 
Attack Methods  

When a network is protected by a firewall, attackers look for ways and means to hack through the firewall. There are various ways this can be achieved.

Insider: If the attacker can have an accomplice inside the company who installs the backdoor. This would be the easiest way. One of the easiest and most common ways for an attacker to slip by a firewall is by installing some network software on an internal system that communicates using a port address permitted by the firewall's configuration. A popular port to use is port 53 TCP, normally used by DNS. Many firewalls permit all traffic using port 53 by default, because it simplifies firewall configuration and reduces support calls.

Vulnerable Services: Nearly all networks offer some kind of services, like incoming email, WWW /DNS. These may be on the firewall host itself, a host in the DMZ or on an internal machine. If an attacker can find a hole in one of those services, he has a greater chance of getting in.

Vulnerable External Server: Sometimes external machines are accessed from within the firewall. If an attacker can compromise the external machines, he can cause serious damage later on. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, replace a gif picture on a web server with one which crashes the browser and executes a command. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get it.

Hijacking Connections: Often companies consider that allowing incoming telnet connections with secure authentication such as SecureID, to be safe. But anyone can hijack these after the authentication and get in. Another way of using hijacked connections is to modify replies in the protocol implementation to generate a buffer overflow.

start sidebar
Bypassing Firewall using Httptunnel

http://www.nocrew.org/software/httptunnel.html

  • Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy if desired so.

end sidebar
 
Tools  

httptunnel creates a bidirectional virtual data connection tunneled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls.

If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and telnet or PPP to connect to a computer outside the firewall.

start sidebar
Placing Backdoors through Firewalls

The reverse www shell

  • This backdoor should work through any firewall and allow users to surf the WWW. A program is run on the internal host, which spawns a child every day at a special time.

  • For the firewall, this child acts like a user, using his Netscape client to surf on the internet. In reality, this child executes a local shell and connects to the www server operated by the hacker on the internet via a legitimate looking http request and sends it ready signal.

  • The legitimate looking answer of the www server operated by the hacker are in reality the commands the child will execute on it's machine in the local shell.

end sidebar
 

Written by THC's van Hauser, Rwwwshell was released somewhere between October 1998, and May 1999 as a Proof-of-Concept program for the paper "Placing Backdoors through Firewalls". Building off of some of the strengths of daemon shell, it was also written in perl, making it largely portable and flexible. The key strength of rwwwshell lies in the paradigm shift it represented: here the slave/Trojan side, made the initial connection to the master rather than the reverse, a strategy designed to circumvent stateful packet inspection devices and proxies that only allow incoming traffic from pre-existing connections.

Tools  

In practice, the rwwwshell slave can be actively used real-time, or configured as a passive backdoor, to wake up and contact the pre-configured master as a timed event, via an outgoing HTTP Request. The master side then originates shell commands as HTTP Response packets, and output from commands return from the slave as cgi script HTTP GETs. Each command-response exchange is a new TCP connection initially incrementing from port 1171, and by default connecting to port 8080, thereby allowing non-root use and appearing to be a caching web server exchange.

click to expand

Commands and responses are uuencoded to further obscure the true nature of the conversation. In the passive mode, since the slave side may wake up every day and fail connection attempts to the master, by the time the true remote control session actually takes place, it may not even appear to be a new or unusual conversation. In addition, the master server responds to conventional connection attempts with 404 error messages, adding to the appearance of legitimacy . The reliable transport of TCP packets also ensures data integrity.

The only obvious drawback to the methods employed in rwwwshell relate to the credibility of the web traffic, particularly when all traffic is revealed to be calls to /cgi -bin/order. Embedding in web traffic is highly likely to be a successful strategy for covert channel establishment.

Example of a connection:

Slave

GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBqFfVYTgjFLdgxEdbiHeykrj HTTP/1.0

Master replies with

g5mAlfbknz

start sidebar
Hiding Behind Covert Channel: Loki

http://www.phrack.com/phrack/51/P51-06

  • LOKI2 is an information-tunneling program. LOKI uses Internet Control Message Protocol (ICMP) echo response packets to carry its payload. ICMP echo response packets are normally received by the Ping program, and many firewalls permit responses to pass.

  • We tunnel simple shell commands inside of ICMP_ECHO /ICMP_ECHOREPLY and DNS name lookup query / reply traffic. To the network protocol analyzer, this traffic seems like ordinary benign packets of the corresponding protocol. To correct listener (the LOKI2 daemon) however, the packets are recognized for what they really are.

end sidebar
 
Tools  

Loki was originally presented in August 1996 in the underground magazine Phrack, one of the oldest and most well-known hackzines on the net. The concept of the Loki Project is based on the fact that arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets is a possibility. Loki exploits the covert channel that exists inside of ICMP_ECHO traffic, because usually, network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them.

The attacker can send Trojan packets by masquerading them as common ICMP_ECHO traffic. He can then encapsulate any information he wants to, using this method akin to steganography. While the author states that Loki is not a compromise tool, attackers use it for various purposes including breaking into a machine. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. The reverse is also possible -as it can be used as a way of clandestinely retrieving information from a machine. In essence the channel is simply a way to secretly communicate data, while confidentiality and authenticity can be added by way of cryptography. Since both symmetric and asymmetric key exchange and blowfish encryption were available in Loki at build time, there was clearly a realization that covert was no guarantee, and the confidentiality of the commands embedded in the packets certainly reduced the risk of detection. The important point is that routers, firewalls, packet-filters, dual- homed hosts, all can serve as conduits for Loki as long as it passes ICMP_ECHO traffic. Detection can be difficult and perhaps the only indication can be a surplus of ICMP_ECHOREPLY packets with a garbled payload. However, if the attacker can keep traffic on the channel down to a minimum, and is able to hide the Loki server inside the kernel, chances of detecting Loki is much more difficult. The only countermeasure that can be taken is to disallow ICMP_ECHO traffic entirely. Restricting ICMP_ECHO traffic to be accepted from trusted hosts can be overcome by forging packets.

start sidebar
Hacking Tool: 007 Shell

http://www.softpj.org/en/docs.html

  • 007Shell is a Covert Shell ICMP Tunneling program. It works similar to Loki.

  • It works by putting data streams in the ICMP message past the usual 4 bytes (8-bit type, 8-bit code and 16-bit checksum).

end sidebar
 
Tools  

007Shell is a simple client server C program used for remotely administering a machine over a network using techniques similar to Loki, i.e., covert ICMP ECHO_REPLY packets to encapsulate command and response messages within the packet payload. The program was authored by FuSys of softpj and has client and server elements.

The 007shell distribution is split into a reusable tunneling library and a shell front end, and the same program serves as either client or server. Data is padded out to multiples of 64 bytes which virtually guarantees that it appears to be ping packets, and it also employs ping reply packets only. 007Shell is a backdoor that can be placed by an attacker after a successful intrusion or deployed as a Trojan if an unsuspecting user executes a malicious program or script. Unlike Loki, the 007Shell client sends commands in the ECHO_REPLY packet payload, which the server responds to in a new ECHO_REPLY response back. The function of ECHO_REPLY is to return the identical payload received from an ECHO (ICMP TYPE 8) back to the originator, as a connectivity test.

007Shell requires raw IP network access, which is a way to circumvent the operating system's native IP networking stack in order to listen to intercept and create its own crafted packets. As root permission is required for ICMP raw socket access, and the program makes no attempt to hide itself on the local system, and data transmission is in cleartext, making it easy to detect. A netstat command will indicate the mysterious program by a raw protocol indicator. Since there are few legitimate programs that will require raw access, and so the raw protocol indicator should always be considered suspect.

start sidebar
Hacking Tool: ICMP Shell
  • ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting a remote host to open a shell using only ICMP for input and output.

  • The ISH server runs as a daemon on the server side. When the server receives a request from the client, it will strip the header and look at the ID field, if it matches the server's ID then it will pipe the data to "/bin/sh".

  • It will then read the results from the pipe and send them back to the client, where the client then prints the data to stdout .

end sidebar
 
Tools  

ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting to a remote host to open a shell using only ICMP for input and output. ICMP Shell was written in C for the UNIX environment. It allows the administrator to access the computer remotely using ICMP. The ISHELL server is run in daemon mode on the remote server.

When the server receives a request from the client it strips the header and looks for the ID field. On finding a match the server will pipe the data to "/bin/sh". It will then read the results from the pipe and send them back to the client and the client prints the results to stdout. By default the client and server send packets with an ICMP type of o (ICMP_ECHO_REPLY), but this can be changed on both the client and server side. ISHELL does not depend on what ICMP type is sent out from the client or server end. Moreover, the types do not have to match.

ISHELL does not only pipe commands to a server and send back the output. It also works with interactive programs (ie. gdb). However, there comes a minor problem from this. ISHELL will not be able to display a shell prompt (#) as there is no way to differentiate between a command and interaction with a program. Like 007shell, ICMP shell uses raw sockets on both the client and server side; therefore root privileges are required to use this program.

Usage: ICMP Shell vo.1 (server) - by: Peter Kieltyka

Usage:/ishd [options]

Options: -h Display this screen, -d Run server in debug mode, -i <id> Set session id; range: 0-65535 (default: 1515), -t <type> Set ICMP type (default: o), -p <packetsize> Set packet size (default: 512)

Example:/ishd -i 65535 -t o -p 1024

start sidebar
ACK Tunneling
  • Trojans normally use ordinary TCP or UDP communication between their client and server parts.

  • Any firewall between the attacker and the victim that blocks incoming traffic will usually stop all trojans from working. ICMP tunneling has existed for quite sometime now, but if you block ICMP in the firewall, you will be safe from that.

  • ACK Tunneling works through firewalls that do not apply their rule sets on TCP ACK segments (ordinary packet filters belong to this class of firewalls).

end sidebar
 

The presence of a firewall between the attacker and the victim configured to block incoming traffic will usually stop a Trojan client on the outside from contacting a Trojan server on the inside. However, protocol tunneling - particularly ICMP tunneling has proved that it is possible to penetrate the firewall. If the countermeasure such as blocking all ICMP traffic is adopted, it has been thought that the firewall would be impenetrable.

Note  

The concept of ACK Tunneling as elucidated by Arne Vidstrom, takes advantage of firewalls that do not apply their rule sets on TCP ACK segments. Ordinary packet filters belong to this class of firewalls while stateful firewalls do not. It is known that TCP is a protocol that establishes virtual connections on top of IP. A session is established when the client sends a SYN (synchronize) segment, the server responds with a SYN/ACK segment, and the client confirms with an ACK ( acknowledge ) segment. This three-way handshake has been detailed in earlier modules. All traffic in the following session consists of ACK segments.

Typical packet filtering firewalls consider that a session always starts with a SYN segment from the client. Therefore, rule sets are applied on all SYN segments, and it is assumed that any ACK segments detected are part of an established session. More advanced firewalls apply their rule sets on all segments, including ACK segments. Other firewalls are configurable, regarding the two ways to handle ACK segments. Typically, a session may have thousands or millions of ACK segments, but only one SYN segment. Firewalls do not apply the rule set on ACK segments because it increases the work load and the cost of running the firewall.

In a scenario where UDP and ICMP traffic is blocked by the firewall, if an attacker sends a Trojan by mail to a user on the inside of the firewall and the user runs the Trojan, how the attacker on the outside contact the Trojan on the inside?

This is where ACK Tunneling comes into play. So how does ACK Tunneling work? The client part of the Trojan uses only ACK segments to communicate with the server part, and vice versa. Now the segments pass straight through the firewall. As long as the attacker knows the IP of the target system, it doesn't matter if his/her own IP is dynamic. And even if the target IP changes with time the attacker could use a special scanner to scan for the Trojan - straight through the firewall.

The Trojan doesn't have to contain any link to the attacker. And the person connecting to it might not even know who sent the Trojan to the user. It would be just like scanning for NetBus over a whole network hoping it's running on some of the systems. Of course the attacker might be traced through sniffing and tracing the ACK segments. On the other hand there is a great possibility that the firewall won't log these even if it's configured to log all outgoing connections, because it probably only logs the starting SYN segment.

start sidebar
Hacking Tool: AckCmd
  • http://ntsecurity.nu/papers/acktunneling

  • AckCmd is a client/server combination for Windows 2000 that lets you open a remote command prompt to another system ( running the server part of AckCmd.

  • It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through firewall in some cases.

click to expand
end sidebar
 
Tools  

Written by Arne Vidstrom, AckCmd provides a remote command shell on Windows 2000 systems. AckCmd is a backdoor client/server combination that lets you open a remote Command Prompt to another system (running the server part of AckCmd). It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through a firewall in some cases. Although it uses TCP packets for transport, like traditional remote shells , there are a number of aspects that make the program particularly covert.

Designed to exploit a weakness in many firewall and IDS rules, AckCmd communicates using only TCP ACK segments, rather than more typically examined TCP SYN packets. The data segment of each originating ACK contains buffered command line data, and elicits a TCP RESET from the remote side; the response is then presented in a new ACK back to the originator.

While an extremely fast user may produce an abnormally large rate of reset packets, nonetheless the traffic pattern looks like an already established (and torn down) connection and is unlikely to raise any flags. In addition, the choice of client side TCP port 80, and server side port 1054, increases the likelihood of successful firewall traversal, and reduces risk of detection. However, the packets are not properly formatted for HTTP, the program is plainly visible on the task list, and the command line transaction is in cleartext - easily observed , if one knows it is there.

start sidebar
Honey pots
  • Honey pots are programs that simulate one or more network services that you designate on your computer's ports.

  • An attacker assumes that you are running vulnerable services that can be used to break into the machine.

  • A honey pot can be used to log access attempts to those ports including the attacker's keystrokes.

  • This could give advanced warnings of a more concerted attack.

end sidebar
 
Note  

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. A honeypot is a security resource whose value lies in being probed, attacked, or compromised. They are a resource that has no production value, it has no authorized activity. Whenever there is any interaction with a honeypot, this is most likely malicious activity. Honeypots are unique; they don't solve a specific problem. Instead, they are a highly flexible tool with many different applications to security. Some honeypots can be used to help prevent attacks; others can be used to detect attacks, while other honeypots can be used for information gathering and research. Examples can be:

  • Installing a machine on the network with no particular purpose other than to log all attempted access.

  • Installing an older unpatched operating system on a machine. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the machine, and further track what the intruder attempts to do with the system once it is compromised.

  • Install special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing them access.

  • Any existing system can be "honeypot-ized". For example, on WinNT, it is possible to rename the default "administrator" account, then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot will track users attempting to gain administrator access and exploit that access.

Honeypots have several powerful advantages. They include:

  • Small data sets: Honeypots collect small amount of data, but almost all of this data is real attacks or unauthorized activity. Since honeypots collect only malicious activity, it makes it much easier to analyze and react to the information they collect.

  • Reduced false positives: With most detection technologies (such as IDS sensors) a large percentage of alerts are false warnings, making it very difficult to figure out what is a real attack. With honeypots, almost everything detected or captured is an attack or unauthorized activity, vastly reducing false positives.

  • False negatives : Unlike most technologies, it's very easy for honeypots to detect and records attacks or behavior never seen before in the wild.

  • Cost effective: Honeypots only interact with malicious activity; and do not need high performance resources. Most honeypots can easily run on an old Pentium computer with 128 MB of Ram.

  • Simplicity: Honeypots are very simple; there are no advance algorithms to develop, nor any rule bases to maintain.

Honeypots also have their disadvantages. This is why they do not replace any existing technologies. Instead they work with and compliment the existing infrastructure.

  • Limited View: Honeypots only see activity that interacts with them. They do not see nor capture any attacks directed against existing systems.

  • Risk: Anytime another resource is added with an IP stack, risk is a subset. While different honeypots have different levels of risk, this is always be an issue that must be addressed.

In general, there are two different types, Production and Research. Production honeypots are used to protect your organization; they are used primarily for preventing, detecting, or responding to attacks. Generally these honeypots emulate services and operating systems. Research honeypots are used to gather information. This information can be used for profiling, early warning and prediction, statistical analysis, etc. Generally these honeypots do not emulate, instead they are real operating systems for attackers to interact with.

Network intrusion detection systems have a problem distinguishing hostile traffic from benign traffic. Isolated honeypots have a much easier time because they are systems that should not normally be accessed. This means that all traffic to a honeypot system is already suspected. Network management discovery tools and vulnerability assessment tools still cause false positives, but they otherwise give a better detection rate.

start sidebar
Honeypot Software Vendors
  1. Back Officer Friendly (http://www.nfr.com)

  2. Bait N Switch Honeypot (http://violating.us)

  3. BigEye (http://violating.us)

  4. HoneyD(http://www.citi.umich.edu/u/provos/honeyd/)

  5. KFSensor for Windows (http://www.keyfocus.net/kfsensor/)

  6. LaBrea Tarpit (http://www.hackbusters.net)

  7. ManTrap (http://www. symantec .com)

  8. NetFacade (http://www.itsecure.bbn.com/NetFacade.htm)

  9. Single-Honeypot (http://www.sourceforge.net/projects/single-honeypot/)

  10. Smoke Detector (http://palisadesys.com/products/smokedetector/)

  11. Specter (http://www. specter .ch)

  12. Tiny Honeypot (http://www.alpinista.org/thp/)

  13. The Deception Toolkit (http://www.all.net/dtk/)

end sidebar
 
  • Back Officer Friendly (http://www.nfr.com)

  • Bait N Switch Honeypot (http://violating.us)

  • BigEye (http://violating.us)

  • HoneyD(http://www.citi.umich.edu/u/provos/honeyd/)

  • KFSensor for Windows (http://www.keyfocus.net/kfsensor/)

  • LaBrea Tarpit (http://www.hackbusters.net)

  • ManTrap (http://www.symantec.com)

  • NetFacade (http://www.itsecure.bbn.com/NetFacade.htm)

  • Single-Honeypot (http://www.sourceforge.net/projects/single-honeypot/)

  • Smoke Detector (http://palisadesys.com/products/smokedetector/)

  • Specter (http://www.specter.ch)

  • Tiny Honeypot (http://www.alpinista.org/thp/)

  • The Deception Toolkit (http://www.all.net/dtk/)

start sidebar
Honeypot-KFSensor
click to expand
end sidebar
 
Tools  

KFSensor is a host based Intrusion Detection System (IDS) that acts as a honeypot to attract and log potential hackers and port scanner-kiddies by simulating vulnerable system services and even Trojans. It acts as a honeypot to attract and detect hackers by simulating vulnerable system services and Trojans.

The system is highly configurable and features detailed logging, analysis of attack and security alerts. The user can create different scenarios; select which ports the program should act upon and what action to take when access is attempted. KFSensor provides detailed logging, analysis of attack and security alerts.

KFSensor lies dormant until attacked, consuming very little processor time or network resources. Sensors can be installed on users' machines without affecting their normal use, eliminating the need for additional hardware. KFSensor emulates real servers, such as FTP, POP 3 , HTTP, Telnet and SMTP, to improve deception and gain more valuable information on a hacker's motives.

Attacks are detected, analyzed and reported immediately allowing fast response to an attack while still in progress. KFSensor does not rely on signatures of known attacks and can therefore detect new or o day threats, such as new worms, viruses and elite hackers. KFSensor is just as effective at detecting internal threats.

start sidebar
Summary
  • Intrusion Detection Systems (IDS) monitors packets on the network wire and attempts to discover if a hacker/hacker is attempting to break into a system

  • System Integrity Verifiers (SIV) monitor system files to find when an intruder changes. Tripwire is one of the popular SIVs.

  • Intrusion Detection happens either by Anomaly detection or Signature recognition.

  • An IDS consists of a special TCP/IP stack that reassembles IP datagrams and TCP streams.

  • A simple Protocol verification system can flag invalid packets. This can include valid, by suspicious, behavior such as severally fragmented IP packets

  • In order to effectively detect intrusions that use invalid protocol behavior, IDS must re- implement a wide variety of application-layer protocols to detect suspicious or invalid behavior.

  • One of the easiest and most common ways for an attacker to slip by a firewall is by installing network software on an internal system that usines a port address permitted by the firewall's configuration.

  • Honey pots are programs that simulate one or more network services that you designate on your computer's ports.

end sidebar
 



Staf of EC-Council - Ethical Hacking Student Courseware. Certidied Ethical Hacker-Exam 312-50 (EC-Council E-Business Certification Series)
Staf of EC-Council - Ethical Hacking Student Courseware. Certidied Ethical Hacker-Exam 312-50 (EC-Council E-Business Certification Series)
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 109

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net