www.cnsafe.net

Contents

1. Introduction
- How do intruders get into the system?
- Why can intruders break into the system?
- How do intruders get passwords?
- What is a typical intrusion process?
- What are the common kinds of intrusion (exploits)?
- What is a vulnerability (exploit)?
- What is reconnaissance?
- What is denial of service (DoS)?
- What are the current attacks like?
- Where can I find statistics on current attack activity?

2. Intrusion detection: NIDS
- How does a NIDS tell intrusions apart from normal data?
- What happens after an attack is detected?
- What measures are similar to a NIDS?
- Where in the network should I install a NIDS?
- How does an IDS fit in with the rest of the security architecture?
- How can someone detect that I am running an IDS?

3. Countermeasures
- How do I improve intrusion detection and prevention under Windows NT?
- How do I improve intrusion detection and prevention under Windows 95/98?
- How do I improve intrusion detection and prevention under UNIX?
- How do I improve intrusion detection and prevention under Macintosh?
- How do I improve intrusion detection and prevention for an enterprise?
- How do I implement intrusion detection inside the company?
- What should I do after being attacked?
- Someone says they are being attacked from my site; what should I do?
- How do I collect enough evidence about an intruder?

4. Products
- What freeware or shareware intrusion detection systems are there?
- What commercial intrusion detection systems are there?
- What is a "network grep" system?
- What tools do intruders use to break into my system?
- What other intrusion detection systems should I care about?

6. Resources
- Where can I find updates on new system vulnerabilities?
- What other resources relate to security and intrusion detection?
- Which sites are worthless?

7. IDS and firewalls
- Why do I need an IDS when I have a firewall?
- If I have intrusion detection, do I still need a firewall?
- Where can I find more information?
- Anti-firewall?

8. Implementation guidelines
- What questions should I ask an IDS vendor?
- How do I maintain the system on an ongoing basis?
- How do I stop improper network browsing?
- How do I build my own IDS (write the code)?
- Is a NIDS legal (isn't it eavesdropping)?
- How do I protect the log files so the evidence cannot be tampered with?

9. NIDS limitations
- Switched networks (inherent limitations)
- Resource limitations
- Attacks on the NIDS
  - Simple reasons
  - Complex reasons
  - Tools

10. Miscellaneous
- What standards / interoperability work is there?

11. Honeypots and deception systems
- What are the advantages of a honeypot?
- What are the disadvantages of a honeypot?
- How do I set up my own honeypot?
- What types of honeypot are there?
- What are the positive and negative effects of building a system meant to be attacked?
- Does anyone use honeypots? Examples?
- What honeypot products are there?
- What is deception?
1. Introduction

1.1 What is a network intrusion detection system (NIDS)?

An intrusion is when someone (a 'hacker' or 'cracker') attempts to break into or misuse your system. The word 'misuse' is broad: it can cover anything from outright theft of confidential data to something minor such as abusing your e-mail system to send spam (although for many of us that is the main issue). An intrusion detection system (IDS) is a system for detecting such intrusions. For the purposes of this FAQ, an IDS falls into one of the following categories:

Network intrusion detection systems (NIDS) monitor the packets on the network wire and try to discover whether a hacker/cracker is attempting to break into a system (or to mount a denial-of-service attack, DoS). A typical example is a system that watches for a large number of TCP connection requests to many different ports on a target host and thereby discovers that someone is running a TCP port scan. A NIDS can run on the target host itself (usually integrated into the protocol stack or into the service) or on an independent host that watches all the traffic (hub, router, probe). Note that a "network" IDS monitors many hosts, whereas the other kinds monitor only the single host they are installed on.

System integrity verifiers (SIV) monitor system files to find out whether an intruder has changed them (possibly leaving a back door). The best-known system of this kind is Tripwire. A SIV should also be able to watch other components, such as the Windows registry and the cron configuration, in order to find well-known signatures, and it should detect an ordinary user acquiring root/administrator privileges. Most products in this area should be considered tools rather than systems: Tripwire, for example, detects changes to critical system components but cannot produce real-time alerts.

Log file monitors (LFM) monitor the log files produced by network services. Much like a NIDS, these systems flag intruder attacks by matching patterns in the log files.
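As an added example (not from the FAQ or from any product it names) of the SIV idea above: a minimal Tripwire-style integrity verifier in Python that fingerprints a tree, then reports added, removed and changed files and newly setuid binaries. The directory and its files are constructed inside demo() so it runs offline; the setuid check assumes a POSIX file system.

```python
import hashlib
import os
import stat
import tempfile

# Fingerprint of one file: (sha256 of contents, permission bits, size in bytes).


def fingerprint(path):
    """Hash the file contents and record its permission bits and size."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.lstat(path)
    return (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(baseline, current):
    """Compare two snapshots: report added, removed and changed files, plus any
    file that is setuid/setgid now but was not in the baseline."""
    report = {"added": [], "removed": [], "changed": [], "setuid": []}
    suid = stat.S_ISUID | stat.S_ISGID
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old != new:
            report["changed"].append(rel)
        if new is not None and new[1] & suid and (old is None or not old[1] & suid):
            report["setuid"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a tiny tree, then apply the kinds of change the
    text describes (trojaned binary, backdoor account, new setuid shell, deleted log)."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/login": b"original login binary",
            "bin/ls": b"original ls binary",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "log/messages": b"Oct 10 13:55:36 host login: session opened\n",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"trojaned login with backdoor password")
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        shell = os.path.join(root, "bin/sh")
        with open(shell, "wb") as f:
            f.write(b"copy of the shell")
        os.chmod(shell, 0o4755)
        os.remove(os.path.join(root, "log/messages"))

        return verify(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Like Tripwire, this only tells you something changed after the fact; the baseline must itself be stored where the intruder cannot rewrite it.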
A typical example is parsing HTTP server log files to find intruders trying well-known vulnerabilities (such as the PHF attack); swatch is one such tool.

There are also pseudo-services set up as deception systems (variously called decoys, lures, fly-traps and honeypots). See the Deception Toolkit for an example: http://www.all.net/dtk/. You can also build a simple one yourself by renaming the NT Administrator account and putting extensive auditing on it. Deception systems are described further later in this document. See also http://www.enteract.com/~lspitz/honeypot.html. Other: see http://www.icsa.net/idswhite/.

1.2 Who is misusing the system?

Two words are used for attackers: hackers and crackers. Hacker is a general term for people who like to break into things. Benign hackers are those who like to break into their own computers; malicious hackers are those who like to break into other people's. Benign hackers wish the media would stop harshly criticising all hackers and use 'cracker' for the malicious ones instead. Unfortunately the idea has not caught on; in any case, the word used in this FAQ is 'intruder', meaning in general anyone who wants to get into other people's systems.

Intruders fall into two categories:

External: intruders from outside your network, who may attack your externally visible presence (defacing the web server, relaying spam through the e-mail server). External intruders may come from the Internet, from dial-up lines, from physical break-ins, or from partner networks (vendors, customers, resellers, etc.) connected to your network.

Internal: intruders who are legitimate users of your internal network. These include users who abuse their privileges (such as a social-security employee who marks someone as dead because they don't like them) and users who impersonate someone with higher privileges (such as by using somebody else's terminal). A commonly cited statistic is that 80% of security problems involve insiders.
There are several kinds of intruder: joy riders break in for fun; vandals intend to do damage or deface web pages; profiteers have a purpose, such as taking control of a system or stealing data for profit.

1.3 How do intruders get into the system?

The main ways in:

Physical intrusion: if an intruder has physical access to the machine (for example, they can use the keyboard or take the system apart), they will be able to get in. Methods range from special console privileges to physically taking the system apart and removing the disk (to read/write it in another machine). Even BIOS protection is easy to bypass: in practice every BIOS has a back-door password.

System intrusion: this type of intrusion assumes the intruder already has a low-privilege user account on the system. If the system does not have the latest security patches, the intruder has a good chance of using a well-known vulnerability to gain administrator privileges.

Remote intrusion: this type of intrusion means getting into the system remotely across the network. The intruder starts with no privileges at all, and there are many variants; for example, it is much more complicated if there is a firewall between the intruder and the victim host. Note that network intrusion detection systems are mainly concerned with remote intrusion.

1.4 Why can intruders get into a system?

Software always has bugs. System administrators and developers will never discover and fix all possible vulnerabilities, and an intruder needs to find only one hole to get in.

1.4.1 Software bugs

Software bugs exist in server daemons, client programs, operating systems and the network protocol stack. They can be divided into the following classes:

Buffer overflows: almost all the security holes you read about are attributed to this. A typical example is a programmer who sets aside a 256-character buffer to hold a username. The programmer assumes nobody's name is longer than that. But a hacker thinks: what happens if I enter a very long username? Where do the extra characters go? If the hacker gets it just right, sending 300 characters that include code for the server to execute, they are in the system. Hackers find these bugs in several ways. First, the source code of many services is published on the network, and hackers routinely read it looking for programs with buffer overflow problems. Second, hackers can read the program binary itself to look for problems, although reading disassembled code is really difficult. Third, hackers examine every input to the program and try to overflow it with random data. If the program crashes, there is a good chance the hacker can carefully construct input that grants access. Note that this problem is common in programs written in C/C++, but rarely appears in Java programs.

Unexpected combinations: programs are usually built from many layers of code, with the operating system as the lowest layer. Intruders can often send input that is meaningless to one layer but meaningful to another. The most common language for handling user input on the web is Perl, and programs written in Perl tend to pass that input on to other programs for further processing. A common hacker technique is to enter the string "| mail /etc/passwd". This gets executed because the operating system starts an additional program to handle the input: the operating system interprets the pipe character "|" according to its own semantics and launches the "mail" program, and the result is sent to the intruder.

Unhandled input: many programs are written to handle valid input, and many programmers never consider what happens when somebody's input does not match the specification.

Race conditions: most systems today are multitasking/multithreaded, meaning they can run several programs at the same time.
Problems arise when two programs access the same data at the same time. Imagine two programs, A and B, that both need to modify the same file. To do so, each program reads the file into memory, changes the contents in memory, and then copies memory back to the file. The race condition arises when program A has read the file into memory and modified it, but program B runs and gets its read and write in before A writes the file back. Program A now copies its memory to the file. Because A started before B's modification, all of B's changes are lost. Because you have to get the order exactly right, race conditions are very rare.
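An added example, not from the FAQ, of the "unexpected combination" and "unhandled input" bugs of 1.4.1, written in Python rather than Perl: the vulnerable pattern hands one string to /bin/sh, so the shell rather than the program decides what the intruder's "|" or ";" means; the hardened version insists on the specification and never involves a shell. It assumes a POSIX shell and an echo binary, which stands in for the real command.

```python
import re
import subprocess

# Allowlist for the one field this handler accepts. "Unhandled input" bugs come from
# checking for a few bad characters instead of insisting on the specification.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(value):
    """True only if the whole value matches the username specification."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_vulnerable(username):
    """The pattern the text describes: build one string and hand it to the shell.
    The shell, not this program, decides what '|' and ';' mean inside the input.
    (The real command is replaced by echo so the demo is harmless and offline.)"""
    cmd = "echo user=" + username
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def lookup_no_shell(username):
    """Same command, but passed as an argv list: the input is one argument, so the
    operating-system layer never sees a pipe or command separator to interpret."""
    done = subprocess.run(["echo", "user=" + username], capture_output=True, text=True)
    return done.stdout


def lookup_hardened(username):
    """Both defences: reject anything outside the specification, then avoid the shell."""
    if not is_valid_username(username):
        raise ValueError("rejected username: %r" % username)
    return lookup_no_shell(username)


if __name__ == "__main__":
    probe = "x; echo INJECTED"  # constructed input in the spirit of "| mail /etc/passwd"
    print(repr(lookup_vulnerable(probe)))  # second command runs: 'user=x\nINJECTED\n'
    print(repr(lookup_no_shell(probe)))    # literal text only: 'user=x; echo INJECTED\n'
    try:
        lookup_hardened("| mail /etc/passwd")
    except ValueError as err:
        print(err)
```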
Intruders usually have to try thousands of times before the timing works out and they gain privileges and get into the system.

1.4.2 System configuration

System configuration bugs can be divided into the following categories:

Default configurations: many systems are delivered to customers with defaults chosen for ease of use. Unfortunately, "easy to use" means "easy to break into". Almost any UNIX or Windows NT system as delivered can be attacked easily.

Lazy administrators: an astonishing number of hosts are configured with no administrator password at all. This is because the administrator was too lazy to configure one right away; they just wanted the system up and running as soon as possible. Unfortunately they never come back to set it, and intruders walk straight in. The easiest thing for an intruder to do is to scan all the machines looking for hosts without a password.

Holes created by configuration: virtually any program can be configured in an insecure mode. Sometimes the administrator opens a hole on a host without meaning to. Most administration manuals recommend turning off every program and service that is not absolutely necessary, to avoid accidental holes. Note that security audit packages can usually find these holes and warn the administrator.

Trust relationships: intruders often attack a network through its trust relationships, using the "island hopping" method. A network of mutually trusting hosts is only as secure as its weakest link.

1.4.3 Password cracking

This is a special category of its own.

Really weak passwords: many people use their own name, their child's name, their spouse's name, their pet's name or their car model. Some users use "password" or nothing at all. That gives a list of no more than 30 possibilities that an intruder can type in by hand.

Dictionary attacks: when the above fails, the intruder turns to a "dictionary attack". In this method the intruder uses a program that tries every word in a dictionary. Dictionary attacks can work by repeatedly logging in, or by collecting the encrypted passwords and trying to match them against an encrypted dictionary. Intruders typically use an English dictionary or one for another language. They also use other dictionary-like databases, such as names and common passwords.

Brute-force attacks: similar to dictionary attacks, except that the intruder may try every combination of characters. A 4-character password of lowercase letters can be cracked in a few minutes (about 500,000 possible combinations). A longer password of mixed-case letters plus digits and punctuation (100 trillion possible combinations) can be cracked within a month if you can try a million combinations per second. (In practice a single machine can try thousands per second.)

1.4.4 Sniffing insecure traffic

Shared media: on traditional Ethernet you can see all the traffic on a segment by running a sniffer on that segment. This is getting harder now that more companies use switched Ethernet.

Server sniffing: however, even on a switched network, if you can install a sniffer on a server (especially one acting as a router), you can use the information gathered to attack client hosts and trusted hosts. For example, you may not know a user's password, but you can capture it by sniffing the Telnet session when he logs in.

Remote sniffing: a large number of hosts can be monitored remotely with RMON using a public community string. Although the bandwidth is very low (you cannot sniff all the traffic), it presents interesting possibilities.

1.4.5 Design flaws

Even when a piece of software is implemented perfectly, it may still be vulnerable because of bugs in its design.

TCP/IP protocol flaws: the TCP/IP protocol was designed before we had much experience of hacking. As a result it has many flaws that lead to security problems. Examples are smurf attacks, ICMP unreachable disconnects, IP spoofing and SYN floods. The biggest problem is that the IP protocol itself is very trusting: hackers can freely forge and alter IP data. IPsec was designed to solve many of these flaws, but it is not yet widely deployed.

UNIX design flaws: UNIX has many inherent flaws that cause UNIX systems to be broken into frequently. The main problem is its privilege control system, in which only "root" holds system administrator privileges.
1.5 How do intruders get passwords?

Intruders use the following methods to obtain passwords:

Cleartext sniffing: a number of protocols (Telnet, FTP, basic HTTP) use cleartext passwords, meaning the password is not encrypted as it travels between client and server. An intruder with a protocol analyzer can watch the wire for such passwords. No further effort is needed; the intruder can immediately use the password to log in.

Encrypted sniffing: many protocols use encrypted passwords. In that case the intruder has to run a dictionary or brute-force attack against the captured password to try to decrypt it. Note that you cannot detect the presence of such an intruder, because he or she is completely passive and sends nothing on the wire. Password cracking sends nothing on the wire either, since the intruder does it on their own machine.

Replay attacks: in many cases intruders do not need to decode the password at all. They can use the encrypted form instead to log in to the system. This usually requires re-coding the client software to use the encrypted password.

Password file stealing: the whole user database is usually stored in a single file on disk. Under UNIX this is /etc/passwd (or a mirror of it); under Windows NT it is the SAM file. Once an intruder gets hold of this file, he or she can run cracking programs (as described above) against it to find weak passwords.

Observation: a traditional password security problem is that passwords must be long and hard to guess (to defeat dictionary and brute-force attacks). However, such passwords are often hard to remember, so users write them down somewhere. Intruders frequently search a person's desk to find the password written on a sticky note (usually under the keyboard). Intruders can also train themselves to watch from behind as the password is typed.

Social engineering: a common (and successful) technique is simply to call the user and say "Hi, I'm Bob, we're tracking down some problems on the network and they seem to come from your machine. What password are you using?" Many users will give up their password in this situation. (Many companies have a policy that users must never give out their password, even to their own MIS department, but this trick still works.) A simple remedy is for the MIS group to call employees every 6 months asking for their password, then chastise those who give it, so they won't forget :-)

1.6 What is a typical intrusion process?

A typical intrusion might go like this:

Step 1. Outside reconnaissance: the intruder finds out as much as possible without actually giving themselves away. They work through public information or by posing as a normal user, which makes it really hard for you to notice them. If your network is registered under a domain name (such as foobar.com), the intruder can use a 'whois' lookup to find out about your network. The intruder may go through your DNS tables (using 'nslookup', 'dig' or other tools) to translate the names of your machines. The intruder browses other public information, such as your public web site and anonymous FTP site. The intruder may look up news articles and press releases about your company.

Step 2. Inside reconnaissance: the intruder uses more aggressive techniques to scan for information, still without damaging anything. They walk through all your web pages looking for CGI scripts (CGI scripts are often easy to attack). They may 'ping' hosts to see which exist. They may run a UDP/TCP scan (strobe) against the target host to find which services are available. They may run tools such as 'rpcinfo', 'showmount', 'snmpwalk' and so on. At this point the intruder has done only "normal" network activity and nothing that could be classified as an intrusion. A NIDS will tell you "someone is checking your door", but nobody has actually tried to open it yet.

Step 3. Exploit: the intruder crosses the line and starts exploiting possible vulnerabilities on the target host. The intruder may try to pass shell commands in an input field to compromise a CGI script. The intruder may try to pass a large amount of data to exploit a known buffer-overrun vulnerability.
The intruder may start checking for accounts with easily guessed (or even empty) passwords. A hacker may go through several stages of exploit: for example, if the hacker obtains a user's account, he will then try to get root/admin.

Step 4. Foothold: at this stage the intruder has successfully broken into a machine and has a foothold in your network. The intruder's main goals are to hide the evidence of the intrusion (audit trails and logs) and to make sure he can get back in again. He may install 'toolkits' that let him in, replace existing services with his own Trojan horses that have backdoor passwords, or create his own user accounts. System integrity verifiers (SIVs) can detect an intruder using these methods by noticing the changed files. Since most networks are hard to defend against insiders, the intruder will use this machine as an island from which to hop to the others.

Step 5. Profit: the intruder uses the advantage gained to steal confidential data, abuse system resources (such as staging attacks on other machines) or deface your web pages.

Other scenarios differ. An intrusion may target a specific site or randomly scan the whole Internet for a specific vulnerability. For example, the intruder may try to scan the entire network for the sendmail DEBUG vulnerability; he can easily break into any machine with the hole. He is not targeting you directly and does not even know who you are. (Just like a 'birthday attack'
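An added example (not from the FAQ) of the NIDS behaviour from 1.1 and of how the step-2 scanning above looks to it: a sliding-window detector that raises an alert when one source sends SYNs to many ports on one host, or to many hosts, inside a time window. The connection records, thresholds and window are constructed; the slow scanner in the sample goes beyond the text to show the threshold's blind spot.

```python
from collections import defaultdict, deque


def detect_scans(records, port_threshold=10, host_threshold=5, window=60):
    """records: iterable of (time_seconds, src_ip, dst_ip, dst_port, tcp_flags).
    Only pure SYNs (flags == "S") count as connection requests. Returns one alert
    dict per (source, target) port scan and per source host sweep, in time order."""
    alerts = []
    ports_seen = defaultdict(deque)   # (src, dst) -> recent (time, port)
    hosts_seen = defaultdict(deque)   # src -> recent (time, dst)
    fired = set()                     # alert once per scanner/target pair

    for ts, src, dst, dport, flags in sorted(records):
        if flags != "S":
            continue

        q = ports_seen[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window:      # drop requests older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold and ("portscan", src, dst) not in fired:
            fired.add(("portscan", src, dst))
            alerts.append({"type": "portscan", "src": src, "dst": dst,
                           "count": len(distinct), "time": ts})

        h = hosts_seen[src]
        h.append((ts, dst))
        while ts - h[0][0] > window:
            h.popleft()
        distinct = {d for _, d in h}
        if len(distinct) >= host_threshold and ("hostsweep", src) not in fired:
            fired.add(("hostsweep", src))
            alerts.append({"type": "hostsweep", "src": src, "dst": None,
                           "count": len(distinct), "time": ts})
    return alerts


def sample_records():
    """Constructed traffic: a normal client, a fast port scanner, a host sweep, and a
    slow scanner that never has enough ports inside one window to trip the threshold."""
    recs = [(50, "10.0.0.7", "192.168.1.10", 80, "S"),
            (300, "10.0.0.7", "192.168.1.10", 443, "S"),
            (400, "10.0.0.7", "192.168.1.10", 80, "S")]
    recs += [(100 + i, "10.0.0.5", "192.168.1.10", 20 + i, "S") for i in range(15)]
    recs += [(200 + 2 * i, "10.0.0.9", "192.168.1.%d" % (20 + i), 80, "S") for i in range(6)]
    recs += [(500 + 30 * i, "10.0.0.11", "192.168.1.10", 1000 + i, "S") for i in range(12)]
    recs += [(101, "192.168.1.10", "10.0.0.5", 40000, "SA")]   # a reply, not a request
    return recs


def demo():
    return detect_scans(sample_records())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```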
The known system vulnerabilities and the IP addresses are simply listed, and the question is whether a machine with one of those vulnerabilities turns up.

The kinds of intrusion:

Reconnaissance: e-mail reconnaissance, TCP or UDP port scans, and possibly indexing of public web servers to discover CGI vulnerabilities.

Exploits: the intruder uses hidden features or bugs to gain access to the system.

Denial-of-service (DoS) attacks: the intruder tries to crash a service (or the machine), overload the network link, overload the CPU or fill the disk. The intruder is not after information; this is simply vandalism to stop you using the machine.

1.8.1 CGI scripts

Typical holes: passing tainted input variables directly to the command shell through shell metacharacters, using hidden variables to specify any file name on the system, or otherwise revealing more about the system than is wise. The best-known CGI bug is the 'phf' library shipped with NCSA httpd. The 'phf' library was supposed to support server-parsed HTML, but it can be exploited to return any file. Other well-known CGI scripts whose holes intruders try are: TextCounter, GuestBook, EWS, info2www, count.cgi, handler, webdist.cgi, php.cgi, files.pl, nph-test-cgi, nph-publish, AnyForm, FormMail. If you see somebody trying to access the CGI scripts above (and you don't use them), it clearly indicates intrusion intent (assuming you are not running the vulnerable version of a script you do use).

1.8.2 Web servers

Besides the CGI programs they run, web servers have other vulnerabilities. A great many home-grown web servers (including IIS 1.0 and NetWare 2.x) accept a series of "../" in a file's path name, which lets the request walk to other places in the file system and retrieve any file. Another common hole is a buffer overflow in a request field or in other HTTP data. Web servers often have holes of this kind; an ancient vulnerability in Microsoft IIS arose because each file has two names, a long name and a corresponding short 8.3 name, and the short name could sometimes bypass the permission mechanism to gain access. NTFS (the New Technology File System) has a feature called "alternate data streams", similar to the data and resource forks on the Macintosh. By appending "::$DATA" as the stream name when requesting a file, you can retrieve the file itself (that is, see the script instead of executing it). Servers also have problems with URLs. For example, the "death by a thousand slashes" problem caused Apache to consume a huge amount of CPU, because it tried to process each of the thousands of "/" in the URL as a directory.

1.8.3 Web browser attacks

Microsoft's and Netscape's web browsers have security holes (although, of course, none we know of in the latest versions), including URL, HTTP, HTML, JavaScript, frames, Java and ActiveX attacks. The URL field may suffer a buffer overflow when it is parsed, when it is displayed on screen, or when it is processed in some other form (for instance saved to the cache history). In addition, an old Internet Explorer bug involved the way it executes .LNK or .URL commands. HTTP headers can be exploited by passing particular values in specific fields. HTML often has holes, such as the MIME-type buffer overflow in a Netscape Communicator command. JavaScript is a perennial favourite and often tries to exploit the "file upload" function by generating a file name and automatically hiding the "submit" button. Many different holes have been fixed, but new ways to bypass the fixes keep being found. Frames are often used as part of a JavaScript or Java hack (for instance hiding a web page in a 1-pixel frame), but they present a special problem of their own: if I can include a trusted site in a frame and then replace part of that frame with my own site, it will appear to the user to be part of the trusted remote site. Java has a robust security model, but that model has had the occasional hole (although, compared with everything else, it has proved one of the most secure components in the whole system). Furthermore, its robust security may be its undoing: normal Java applets cannot access the local system, but sometimes they would be more useful if they could, so a "trust" model was added, and that makes intrusion easier. ActiveX is even more dangerous than Java, since it works purely on a trust model and runs native code. You can even get a virus that was accidentally embedded in the manufacturer's code.

1.8.4 SMTP (sendmail) attacks

Sendmail is an extremely complex and widely used program, and consequently a frequent source of security holes. In the past (the 1988 Morris worm), hackers exploited the debug command or the hidden WIZ feature; recently they more often try buffer overflows. SMTP is also used for reconnaissance, for example using the VRFY command to find out user names.

1.8.5 Access

Failed login attempts, failed file access attempts, password cracking, misuse of administrator privileges.

1.8.6 IMAP

Users retrieve e-mail from a server through the IMAP protocol (by comparison, SMTP transfers e-mail between servers). Hackers have found holes in some popular IMAP servers.
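An added example (not from the FAQ) of the log file monitor from 1.1, applied to the CGI probes of 1.8.1 and the "../", "::$DATA" and thousand-slashes web server problems of 1.8.2: it parses Common Log Format lines and flags those patterns. The log lines, the slash threshold and the in_use set (scripts the site really runs, which the text says should not count as a probe) are constructed.

```python
import re
from urllib.parse import unquote

# Script names from the CGI list in 1.8.1 (lower case; matched against the last
# path component with and without its extension).
KNOWN_CGI = {"phf", "textcounter", "guestbook", "ews", "info2www", "count.cgi",
             "handler", "webdist.cgi", "php.cgi", "files.pl", "nph-test-cgi",
             "nph-publish", "anyform", "formmail"}

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

SLASH_LIMIT = 100   # constructed threshold for the "thousand slashes" pattern


def classify(request_path, in_use=frozenset()):
    """Return the list of rule names a request path triggers, after URL-decoding.
    in_use: CGI scripts this site legitimately runs; probes for them are not flagged
    (the text's caveat: a probe only proves intent if you don't use the script)."""
    decoded = unquote(request_path)
    path, _, query = decoded.partition("?")
    name = path.rsplit("/", 1)[-1].lower()
    stem = name.split(".", 1)[0]
    hits = []
    if (name in KNOWN_CGI or stem in KNOWN_CGI) and not ({name, stem} & set(in_use)):
        hits.append("known-cgi:" + name)
    if "../" in decoded or "..\\" in decoded:
        hits.append("traversal")
    if "::$data" in decoded.lower():
        hits.append("ntfs-stream")
    if any(ch in query for ch in "|;`"):
        hits.append("shell-meta")
    if decoded.count("/") > SLASH_LIMIT:
        hits.append("slash-flood")
    return hits


def monitor(lines, in_use=frozenset()):
    """Run classify() over log lines; return one record per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real monitor would count unparseable lines
        hits = classify(m.group("path"), in_use)
        if hits:
            findings.append({"host": m.group("host"), "path": m.group("path"),
                             "status": int(m.group("status")), "rules": hits})
    return findings


SAMPLE_LOG = [   # constructed log lines
    '10.0.0.5 - - [10/Oct/1999:13:55:36 -0700] "GET /cgi-bin/phf?Qalias=test HTTP/1.0" 404 209',
    '10.0.0.7 - - [10/Oct/1999:13:55:40 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [10/Oct/1999:13:56:01 -0700] "GET /docs/../../../etc/passwd HTTP/1.0" 403 0',
    '10.0.0.5 - - [10/Oct/1999:13:56:09 -0700] "GET /default.asp::$DATA HTTP/1.0" 200 512',
    '10.0.0.8 - - [10/Oct/1999:13:57:12 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 77',
    '10.0.0.5 - - [10/Oct/1999:13:58:30 -0700] "GET /cgi-bin/search.pl?q=a%7Cmail HTTP/1.0" 500 0',
    '10.0.0.9 - - [10/Oct/1999:13:59:02 -0700] "GET ' + "/" * 150 + 'index.html HTTP/1.0" 200 1043',
]


def demo():
    return monitor(SAMPLE_LOG, in_use={"formmail"})


if __name__ == "__main__":
    for finding in demo():
        print(finding["host"], finding["status"], finding["rules"], finding["path"][:40])
```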
1.8.7 IP spoofing

Some kinds of attack use techniques that fake (or 'spoof') your IP address. Every IP packet carries a source address, but that address is not actually used for routing. This means that when talking to a server, an intruder can pose as you. The intruder never sees the response packets (your machine does, but discards them because they don't match any request you sent). The intruder cannot obtain data this way, but can still pretend to be you and send commands to the server. IP spoofing is often used together with other attacks: smurf sends a broadcast with a forged source address, causing a large number of machines to reply, via that address, to the victim, overloading it (or its link). TCP sequence number prediction: at the start of a TCP connection you must choose a sequence number at your end, and the server must choose one at its end. Older TCP stacks choose predictable sequence numbers, which lets an intruder working from a forged IP address (who should not be able to see the reply packets) bypass the security mechanism. DNS poisoning: a DNS server can be poisoned through predictable sequence numbers when it "recursively"