Network Security Solutions Ltd. · Fist Studio (fist@ns2.co.uk)
Translated by Little Gray Man

-----------------------------------------------------------
Table of Contents
-----------------------------------------------------------

1 Introduction
  1.1 Where is the vulnerability?
  1.2 The "system intruder" prototype
2 The network
  2.1 How a typical company uses networking technology
  2.2 Understanding the weak points of such a network
3 The attack
  3.1 The attacker's "stealth"
  3.2 Network reconnaissance and information gathering
  3.3 Determining trusted network nodes
  3.4 Determining weak network components
  3.5 Exploiting the "weak" network components
  3.6 Controlling the network node
4 Abuse of network resources and access
  4.1 Downloading sensitive information
  4.2 Attacking other trusted networks
  4.3 Installing back doors and Trojan software
  4.4 Paralyzing the network
5 Comprehensive network security improvement
  5.1 Reference reading
  5.2 Recommended tools and programs

-----------------------------------------------------------
1.0 Introduction
-----------------------------------------------------------

This white paper was written to help system administrators and operators understand in depth the methods and means used in typical system intrusions. It should not be read as a guide to network security, although it may well help you find vulnerabilities in your own network or point out potential incidents. We hope you enjoy it and learn something about how today's system intruders operate.

Network Security Solutions Ltd. · Fist Studio (fist@ns2.co.uk)

-----------------------------------------------------------
1.1 Where is the vulnerability?
-----------------------------------------------------------

Every day, companies and organizations of all kinds depend on a wide variety of computer networks, which let us share large amounts of data effectively.
In general, corporate networks are designed and built with function and efficiency in mind; security is rarely a primary concern. From a short-term business perspective this is not wrong, but once the network is up and growing, security problems follow, and a company running a large network may end up spending millions to solve them.

Most enterprise networks and sensitive private networks operate in client-server mode: employees work at local workstations, and servers are used to share information. In this white paper we focus on server-side security, because a system attacker will usually take a server as the target. The server is the "hub" of information transfer; if an attacker can obtain unauthorized privileges on a server, the rest of the network is much easier to reach.

Large networks that are easy for an attacker to target include:

- Banks and financial institutions
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Government agency suppliers
- Multinational groups

Although most attacks on these are carried out by insiders (users who already have some access to sensitive information within the enterprise), we concentrate here on purely external network attack techniques.

Reconnaissance and attacks on banks and financial institutions are mainly carried out for commercial fraud; many banks have been attacked for large sums of money. Banks never admit to being victims of external network attacks, because once such news gets out they lose customers and credibility.

Internet service providers are universal targets for system attackers, because ISP servers are easily reachable from the Internet.
Moreover, an ISP has large, high-speed fiber connections around the world; once an attacker succeeds, a great deal of information can be moved across the Internet. Larger ISPs also keep user databases, which typically contain data attackers are interested in, such as credit card numbers, real names and addresses.

Pharmaceutical companies are typically victims of commercial espionage. In such an attack the attacker earns a great deal of money from stolen confidential drug data. Drug data that cost these companies millions of US dollars to develop is often leaked or lost in this way.

In the past six years the US government and defense agencies have suffered a number of attacks over the Internet. Because these institutions are inadequately protected and their security systems are imperfect, they are frequently spied on and attacked, and information security has become a drawn-out war for them. Although defense contractors attach great importance to security, they still do not escape becoming targets of attackers seeking confidential or sensitive military material, because such material sells for a good price to foreign groups. Only a few cases are publicly known, but such activity calls for vigilance.

Multinational companies are the main victims of industrial espionage. They have offices in countries all over the world, so large enterprise networks are generally built for effective sharing between employees. The NSS team has performed penetration tests for several multinational companies and found that in many cases these enterprise networks could be broken into. Like pharmaceutical companies, multinational companies' daily work depends on electronic data transmission, components and computers, and they have already invested huge sums in research and development of new technology.
Therefore, for these companies' competitors, hiring a group of "system attackers" to obtain their secrets illegally is very tempting. Another attack a competing company can use is to take the other company's computer systems out of service for a while, so that it loses a great deal of income; it is usually hard to tell where such an attack came from. If the internal network is poorly segmented and configured, such an attack will have a huge impact on the company and cause huge financial losses. This "illegal behavior" is very common in today's networked society and deserves serious attention.

-----------------------------------------------------------
1.2 The "system intruder" prototype
-----------------------------------------------------------

Research shows that the typical "system attacker" is male and between 16 and 25 years old. These attackers start by breaking into other systems to improve their cracking skills, or by using networks without authorization to carry out system attacks. Most attackers are very persistent, probably because they have a lot of idle time.

Most attackers are opportunists: they run scanners across large numbers of remote hosts, hoping to find system weaknesses. When a machine is found that can be attacked remotely, the attacker tries to obtain administrator privileges, installs a back door for later use, and then patches the common system weaknesses that allow remote access, to prevent other attackers from using the same means to "conquer" the machine he has already "conquered".

These opportunists mainly use two methods: the Internet and the telephone network. To scan hosts remotely over the Internet, an attacker typically starts the scanning program from a machine he has already taken over that has a high-speed (usually fiber) Internet connection.
To scan machines reachable over the telephone network, such as terminal servers, electronic bulletin board systems or voicemail systems, attackers use an automatic dialing program that dials a large number of phone numbers in a specified range; from the "carrier signals" it detects they identify the telephone-network systems listed above and select their targets.

Only a very small proportion of system attackers have a clear target before launching an attack. These attackers are more skilled and use the latest attack techniques to conquer a network. One kind of attacker specializes in exploiting previously unknown vulnerabilities and "features" of firewalls, entering through the firewall the enterprise itself has placed on the Internet. These attackers choose networks or hosts that are usually loaded with sensitive data, such as technical research and development records, or that the attacker believes hold other valuable data. They usually have the security tools used by large network security companies or consultants, and use them to find all the various security flaws of the specific target. Such attackers, who go after specific targets, are often very patient; they may spend several months trying to break into a system.

-----------------------------------------------------------
2.1 How a typical company uses networking technology
-----------------------------------------------------------

A typical business uses the Internet for the following:

- Hosting the company's web service
- Providing email and other global communication via Internet services
- Giving employees Internet access

In the network penetration tests NSS has performed, a business network is usually separated from the Internet by a firewall and application proxy servers. In such a network the enterprise web servers and email servers are typically on the "outside" of the enterprise network, and information passes between the inside and outside of the network through a trusted channel.
When there is a trust relationship between an external mail server and internal hosts, a strict mail filtering policy should be used. Usually an enterprise should only allow the external mail server to communicate with port 25 of one particular "secure" internal mail server; this greatly reduces the possibility of unauthorized access even if the external email server has been compromised.

Among the companies NSS has examined, one had many "multi-homed host" machines. These machines have two network interfaces, one connected to the external network and one to the intranet. From a security perspective, a machine that works in two network segments at once can seriously harm network security: once such a machine is controlled, it is easily used as a "bridge" for invading the internal network.

-----------------------------------------------------------
2.2 Understanding the weak points of such a network
-----------------------------------------------------------

On the Internet, a typical company may have 5 external web servers, 2 external mail servers and 1 firewall or packet-filtering system. Generally speaking, the web server is not the primary attack target, unless the firewall is misconfigured in some respect so that the attacker can use the error to take control of the server. Even so, installing TCP wrappers on the web server and allowing only trusted machines to use the Telnet and FTP ports is always a good idea.

Attackers generally choose the email server as the target for getting into the intranet, because the mail server must have connectivity between the external network and the company's intranet in order to distribute and exchange inbound and outbound mail (translator's note: once the mail server is controlled, there will certainly be a channel into the intranet). As with an attack on the web server, this attack strategy works when the firewall or packet-filtering system is misconfigured.
Filtering routers are another frequently chosen target; they are attacked with an aggressive SNMP scanner and a community-string "brute force" attack (translator's note: trying large numbers of names and passwords). If such an attack succeeds, the router is easily reconfigured as a bridge from the external network into the intranet, making it possible to attack the intranet from outside.

In the cases above, an attacker will carefully weigh which hosts to try to attack, and find out what kind of trust relationships exist between each host and other hosts on the Internet. So you should install TCP wrappers on all external-network hosts and make sure that only specific trusted machines can connect to the host's important ports (services), usually: FTP (21), SSH (22), Telnet (23), SMTP (25), NAMED (53), POP3 (110), IMAP (143), Rlogin (513), RSH (514), LPD (515). The SMTP, NAMED and portmapper ports should be filtered appropriately according to the host's role in the network. Practice shows that implementing packet filtering greatly reduces the possibility of an attack on the enterprise intranet.

In a company without a clear "enterprise Internet" policy, "multi-homed hosts" and improperly configured routers also blur the boundary of the internal network, making it easier for a system attacker using unauthorized access to get into your corporate network.

If the company's external DNS is misconfigured, it is easy to build an "image" of the enterprise network (translator's note: obtain the configuration of the enterprise's network hosts, which prepares the next step). During NSS penetration tests we have been able to "image" enterprise networks from such improperly configured DNS servers. Therefore DNS should not be configured to resolve between the external-network machines and the intranet machines; use only IP addresses between the external network and the intranet machines.
Machines with network interfaces in multiple networks are unsafe. Using such a machine, an attacker can easily reach the corporate network, and can even use it as a compromised host. Abusing the finger forwarding service on these machines is very easy: for example, it can be used to collect information on users, hosts and networks, to confirm which machines in the enterprise are worth attacking further, and finger requests for root@host, bin@host and daemon@host can even be sent to confirm the host's operating system, making a system attack easier.

Some attackers use "automatic dialing" (translator's note: trying all the numbers in a chosen number range to find those that answer with a carrier signal; these are usually the enterprise's terminal servers). They generally choose the telephone number range of the company's location, such as its buildings or network operations. When an attacker finds a terminal server and obtains access to it, he has generally gained a degree of access to the enterprise's internal network, completely bypassing the firewalls and filters between the intranet and the Internet. So securing the terminal server is critical, and every connection to the terminal server should be logged.

When you want to understand the weaknesses of your network, you should keep track of the trust relationships between your hosts. These trust relationships may be established by TCP wrappers, the hosts.equiv file, or .rhosts or .shosts files. Large networks are usually attacked by exploiting these trust relationships.
For example: if an attacker sees your hosts.allow file through a CGI vulnerability and finds that you allow all FTP and Telnet connections from *.trusted.com, then by taking control of any host in *.trusted.com he can attack your machine. So it is necessary to ensure that all the machines you trust can resist remote attacks as well as your own machine can.

Another attack method worth mentioning is installing "back door" or "Trojan horse" programs on enterprise machines (for example some Windows 95/98 machines). If the company can access the Internet through an application proxy or firewall, employees use this convenience to visit "software warehouse" sites and download pirated software. These sites usually offer screensavers, software tools and other programs, some of which carry a "back door" or "Trojan horse", such as Cult of the Dead Cow's Back Orifice. When such a screensaver or other program is installed, the "Trojan" hooks itself into the system registry and starts at every boot. Some Back Orifice options allow the Trojan to perform actions automatically, such as connecting to IRC and joining a specific channel. This is very dangerous, because a machine hosting the Trojan is easily controlled by a remote attacker on the Internet. For an attacker with access to the enterprise's internal network, whether an insider or someone with illegally obtained host access, Back Orifice is even more effective. With an appropriate strategy, an attacker can install it on every machine in the company within a week, after which he can control each machine remotely: file operations, rebooting the machine and even reformatting the disk can all be done from afar.
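The trust files named in Sections 2.1 and 2.2 (hosts.allow for TCP wrappers, hosts.equiv and .rhosts) are exactly what an intruder maps before choosing a target, so it pays to audit them the way he would read them. The following Python script is an added example, not code from the paper or from Network Security Solutions Ltd. It parses a hosts.allow, emulates the tcpd decision order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted), and flags entries that trust everyone or a whole domain. All file contents, host names and addresses in it are constructed; the hardened hosts.allow shows the Section 2.1 policy of letting only the external relay (hypothetical name mail-relay.example.com) reach port 25 on the internal mail server.

```python
"""Audit and emulate the UNIX trust files the paper names: /etc/hosts.allow,
/etc/hosts.equiv and ~/.rhosts.  All sample file contents below are constructed."""
import ipaddress

# Constructed hosts.allow for an internal mail server that also runs telnet/ftp.
LOOSE_HOSTS_ALLOW = """\
# /etc/hosts.allow  (constructed example)
in.ftpd in.telnetd: *.trusted.com
sshd: 192.168.1.0/255.255.255.0
ALL: LOCAL
sendmail: ALL
"""
# The same host after applying the section 2.1 policy: only the external relay
# (hypothetical name mail-relay.example.com) may reach port 25.
HARDENED_HOSTS_ALLOW = """\
in.ftpd in.telnetd: admin.example.com
sshd: 192.168.1.0/255.255.255.0
sendmail: mail-relay.example.com
"""
DENY_ALL = "ALL: ALL\n"                      # the usual /etc/hosts.deny
LOOSE_HOSTS_EQUIV = "+\nmail-relay.example.com\n"
LOOSE_RHOSTS = "+ +\nadmin.example.com root\n"


def parse_access_file(text):
    """Return (daemon_list, client_list) pairs from hosts.allow/hosts.deny text.
    Comments, blank lines and any ':option' field after the client list are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, hostname, ip):
    """Subset of hosts_access(5) client patterns.  '*.domain' is accepted as a
    synonym for '.domain' because that is how the paper writes it."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostnames without a dot
        return "." not in hostname
    if pattern.startswith("*."):
        pattern = pattern[1:]
    if pattern.startswith("."):            # ".trusted.com": the whole domain
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # "192.168.": an address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # "net/mask"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (hostname, ip)


def wrapper_decision(allow_text, deny_text, daemon, hostname, ip):
    """Emulate tcpd: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matching neither file is granted."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_access_file(text):
            if daemon in daemons or "ALL" in daemons:
                if any(client_matches(c, hostname, ip) for c in clients):
                    return verdict
    return True


def audit_trust_files(hosts_allow, hosts_equiv, rhosts):
    """Flag entries that trust everyone or a whole domain: the relationships an
    intruder maps from a leaked hosts.allow and then exploits."""
    findings = []
    for daemons, clients in parse_access_file(hosts_allow):
        service = " ".join(daemons)
        for c in clients:
            if c == "ALL":
                findings.append(f"hosts.allow: {service} is open to any client")
            elif c.startswith(".") or c.startswith("*."):
                findings.append(f"hosts.allow: {service} trusts the whole domain {c}")
    for name, text in (("hosts.equiv", hosts_equiv), (".rhosts", rhosts)):
        for raw in text.splitlines():
            fields = raw.split()
            if fields and fields[0] == "+":
                scope = "any user" if fields[1:] == ["+"] else "same-named users"
                findings.append(f"{name}: '+' trusts every host for {scope}")
    return findings


if __name__ == "__main__":
    for f in audit_trust_files(LOOSE_HOSTS_ALLOW, LOOSE_HOSTS_EQUIV, LOOSE_RHOSTS):
        print("FINDING:", f)
    print("hardened:", audit_trust_files(HARDENED_HOSTS_ALLOW, "mail-relay.example.com\n", ""))
```

Run it against real files by reading /etc/hosts.allow, /etc/hosts.equiv and each user's .rhosts into the three arguments; the emulator is deliberately a subset of hosts_access(5) (no NIS netgroups, no EXCEPT, no IPv6), so treat a "granted" answer from it as a prompt to check the real tcpd with tcpdchk, not as proof.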
-----------------------------------------------------------
3.1 The attacker's "stealth"
-----------------------------------------------------------

Typical system attackers generally use the following strategies to hide their true IP address:

- Hopping via Telnet or RSH from a host they already control
- Hopping from a Windows host through WinGate and similar services
- Hopping through improperly configured proxy servers

When you find that your network has been scanned, and the scans come from a compromised host or a proxy, it is recommended that you contact its system administrator by telephone to report the problem. Do not use email, because the attacker may be intercepting all mail sent to that administrator.

Some experienced attackers use telephone-exchange techniques to break in. They may adopt the following tricks:

- Use a toll-free ("800") private telephone exchange service and a "cracked" account to hop into an ISP;
- First find and take over a host, then hop onto the Internet through that host.

Tracking attackers who use telephone-network hopping to reach the Internet is extremely difficult, because they may come from any corner of the world. If an attacker can successfully hop through "800" dial-up, he can simply dial in from anywhere in the world without worrying about long-distance telephone charges.
-----------------------------------------------------------
3.2 Network reconnaissance and information gathering
-----------------------------------------------------------

A skilled attacker first reconnoiters the target's hosts from the Internet. When trying to obtain information about internal-network and external-network hosts, the attacker uses measures such as:

- Reading relevant documents on the FTP server
- Connecting to the mail server and issuing "EXPN" queries
- Using the finger service on external hosts to find users

Attackers generally map the network itself first, then try to identify possible specific weaknesses. From the results obtained above, an attacker can easily get a list of host names and addresses in the intranet and begin to understand the relationships between them. During this pre-scanning, some typical attackers make a small mistake: when they connect to ports of the target host to obtain the operating system version or other information, they use their true IP address. So when you find your host has been attacked, a good approach is to look for such inappropriate requests in your FTP and HTTPD logs.

-----------------------------------------------------------
3.3 Determining trusted network nodes
-----------------------------------------------------------

Attackers choose trusted network nodes as attack targets; trusted nodes are usually the servers administrators consider secure. Attackers first look for NFS information exported by nfsd or mountd on your machine, because some key directories on your machine (such as /usr/bin, /etc and /home) may be mountable by trusted machines.
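Section 3.2 ends with the advice to look for the reconnaissance requests an intruder leaves in the FTP and HTTPD logs. As an added example that is not part of the paper, the Python script below parses Common Log Format lines from an httpd access log, decodes the request path, and groups requests that look like probing (path traversal, references to files under /etc/, and 404s for CGI programs that do not exist on the server) by client address, since Section 3.2 notes that such probes often come from the attacker's true address. The log lines are constructed, as are the client addresses and CGI names in them.

```python
"""Review an httpd access log for the reconnaissance requests section 3.2 says
intruders leave behind.  The log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

SAMPLE_ACCESS_LOG = """\
10.0.0.7 - - [03/Mar/1998:18:02:11 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.44 - - [03/Mar/1998:18:05:40 +0000] "GET /cgi-bin/view.cgi?file=../../../etc/hosts.allow HTTP/1.0" 200 311
192.0.2.44 - - [03/Mar/1998:18:05:52 +0000] "GET /cgi-bin/finger.cgi HTTP/1.0" 404 0
192.0.2.44 - - [03/Mar/1998:18:06:03 +0000] "GET /cgi-bin/nph-test.cgi HTTP/1.0" 404 0
10.0.0.7 - - [03/Mar/1998:18:07:30 +0000] "POST /cgi-bin/guestbook.cgi HTTP/1.0" 200 120
"""


def parse_clf(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = unquote(entry["path"])   # decode %2e%2e and friends before inspecting
    return entry


def reasons(entry):
    """Why a request looks like reconnaissance; an empty list means it looks normal."""
    found = []
    path = entry["path"]
    if "../" in path:
        found.append("path traversal")
    if "/etc/" in path:
        found.append("reference to a system file")
    if path.startswith("/cgi-bin/") and entry["status"] == 404:
        found.append("probe for a CGI program that does not exist here")
    return found


def scan_log(lines):
    """Group suspicious requests by client: {client: [(path, reasons), ...]}."""
    report = defaultdict(list)
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            report[entry["host"]].append((entry["path"], why))
    return dict(report)


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{client}: {len(hits)} suspicious request(s)")
        for path, why in hits:
            print(f"  {path}  <- {', '.join(why)}")
```

Feed it a real log with `scan_log(open("/var/log/httpd/access_log"))`; a client with several hits in a short window is the "inappropriate requests" pattern the paper describes, and the address is worth correlating with the FTP log and with the wrapper logs of the other external hosts.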
The finger daemon is often abused as a tool for determining trusted hosts or users, because in general particular users always log in from particular hosts. The attacker then tries to find other kinds of trust relationship; for example, once an attacker has successfully attacked a host through a CGI vulnerability, he can read that host's /etc/hosts.allow file. Having analyzed the data obtained above in detail, the attacker can determine the trust relationships between the target hosts; the next step is to look for vulnerabilities the trusted hosts may have, in preparation for subsequent remote attacks.

-----------------------------------------------------------
3.4 Determining weak network components
-----------------------------------------------------------

Once the attacker has built a picture of the structure of the corporate network, he uses Linux programs such as amdhack, mscan, nmap and other small scanners to scan a specific host for weaknesses that can be attacked remotely. Typically these scans are run from a machine with a fast fiber connection. amdhack requires root privileges on Linux, so an attacker usually scans from machines that have already been attacked and fitted with a "rootkit". These "rootkits" replace key system programs with versions carrying back doors or vulnerabilities, allowing unauthorized access to the system without being discovered.
The administrators of the host running the scanner usually do not know that their own machine is scanning the company's enterprise network, because seemingly normal programs such as "ps" and "netstat" have been replaced by Trojan versions that hide the process. Other programs such as mscan do not require root privileges, so they can scan effectively from any Linux machine (or any other platform, in the case of nmap), though these scans are slower and generally not well hidden (because, unlike amdhack, the attacker does not need root privileges). Both amdhack and mscan perform the following scans against a remote host:

- TCP port scan of the host
- List of RPC services registered with the portmapper
- Directory table exported by nfsd
- Samba or NetBIOS shared directory table
- Multiple finger queries to determine default accounts
- Scan for vulnerable CGI programs
- Identification of the host's operating system version and of the versions of the system daemons it runs, including sendmail, IMAP, POP3, rpc.statd and rpc.mountd

Nowadays attackers rarely use SATAN, because it is too slow and only finds outdated vulnerabilities. After scanning the enterprise's external network, the attacker knows clearly which hosts are secure and which have vulnerabilities. When the company uses routers, and those routers can be reached by SNMP, some attack masters use an aggressive SNMP scan and a community-string "brute force" attack against the router to obtain the device's public and private community names.

-----------------------------------------------------------
3.5 Exploiting the "weak" network components
-----------------------------------------------------------

An attacker will find any trust relationships between the external-network hosts and identify the "weak" ones. If he does find a vulnerability in a network node, he will try to take control of your host.
A patient attacker will not attack your machine during normal working hours; he usually attacks around 6 o'clock in the evening, which reduces the chance of discovery and gives him abundant time to install a sniffer or Trojan on the host without fear of being interrupted by the system administrator. Most attackers are also free at weekends, so attacks commonly occur then.

Attackers will try to take control of a trusted external host as a stepping stone for attacking the internal network. Whether this works depends on the network filtering installed between the enterprise's external network and its internal network. Once an attacker controls an external mail server that has access to all network segments within the company, he can begin embedding himself deeply in your network.

To control the hub components of the network, attackers use programs that scan the enterprise's external hosts remotely for weaknesses and vulnerabilities in their system daemons, such as certain versions of sendmail, IMAP and POP3, and defective RPC services such as statd, mountd and pcnfsd. Most remote attacks are launched from a machine the attacker already controls, and the attack program needs to be recompiled under the same system as the target host. When running such a program against a system daemon on your external-network host, the attacker typically tries to obtain root privileges on that host in order to access the company's internal network.
-----------------------------------------------------------
3.6 Controlling vulnerable network nodes
-----------------------------------------------------------

After successfully taking over a system daemon, the attacker "cleans up the battlefield": he modifies the host's access logs and installs a back door in the server's system services, so that he can get in again later without being noticed.

First he installs the back door so that he can come back later. Most back door programs used by attackers are precompiled. Attackers can use some tricks to change the date and permission settings of the installed back door program, and sometimes even its file length can be made to match the original file. If an attacker is worried about the FTP log file, he can use the "rcp" program to place the back door program on the host. Of course, such attackers will not repair the security vulnerabilities of the corporate network. He usually only installs back doors or Trojan programs in critical system files such as "ps" and "netstat" to hide his activity on the host. On Solaris 2.x systems, attackers usually install back doors in some of the key files below:

/usr/bin/login
/usr/sbin/ping
/usr/sbin/in.telnetd
/usr/sbin/in.rshd
/usr/sbin/in.rlogind

It is said that some attackers leave .rhosts files in the /usr/bin directory to allow remote programs to be started via rsh or an interactive csh environment. Attackers generally check the system's logging to see whether their connection and attack were recorded, and then delete all such records from the machine. If a machine is likely to be a target of attack, it is recommended that logs be sent directly to a line printer, because the attacker is almost unable to remove his access records from a printed log.
Having confirmed that his connection is not recorded by any logging system, the attacker will begin attacking the business network. Once an attacker has obtained access to the intranet, he generally will not attack other external-network hosts.

-----------------------------------------------------------
4.1 Downloading sensitive information
-----------------------------------------------------------

If the attacker's goal is to download sensitive information from the company's web server or FTP server, he can achieve it by configuring the external-network machine as a "bridge" connecting the external network and the company's intranet. If however his goal is sensitive information on a machine inside the enterprise, he may use the external-network machine he already controls to try to gain access to that machine through the trust relationships between the machines.

-----------------------------------------------------------
4.2 Attacking other trusted networks
-----------------------------------------------------------

Many attackers simply repeat the steps in Sections 3.2, 3.3, 3.4 and 3.5 to find intranet data and gain access inside the internal network. Depending on the objective the attacker wants to achieve, he may install a back door or Trojan in the intranet. If the attacker wants full access to internal-network hosts, he may install Trojans or a back door using the method introduced in Section 3.6 and delete your access records. Attackers will also install sniffers on the host, as described in detail in Section 4.3. If an attacker just wants to download data from a specific server, he may take other routes to gain access to internal hosts, such as identifying hosts trusted by that server and trying to control those hosts.
-----------------------------------------------------------
4.3 Installing a sniffer
-----------------------------------------------------------

A very fast and effective way of collecting usernames and passwords for a large number of internal-network hosts is to use an "Ethernet sniffer" program. However, since these sniffers only work when the attacker's host and the victim are on the same Ethernet segment, running a sniffer on an external-network host on the far side of a bridge is of little use. To "sniff" the data stream in the network, the attacker must obtain root privileges on an intranet host, and that host must be on the same network segment as the other hosts. The methods described in Sections 3.2, 3.3, 3.4, 3.5 and 3.6 are used during this attack, because the attacker must successfully take control of the host and install back door software to ensure that the sniffer can be installed and run properly. Only after control is obtained, the back door is installed and "ps" and "netstat" have been trojaned can the attacker install the "Ethernet sniffer" on the host.

On Solaris 2.x these sniffers are typically installed in the /usr/bin or /dev directory, and their attributes are then modified to make them look like other installed system programs. Most "Ethernet sniffers" run in the background and write their results to a log file on the local machine. It is worth mentioning that an attacker usually modifies "ps" so that the sniffing process is not seen. The Ethernet sniffer program puts the network interface card into "promiscuous" mode, allowing it to listen for usernames, passwords and other useful data and store them in the sniffer's log file. An attacker can use the data captured this way to gain access to other hosts. Because the "Ethernet sniffer" sits on the Ethernet, it can capture all the data streams in the same network segment, not just the data originating from or sent to the host it runs on.
Attackers usually return after a week to download the log file the sniffer has built up. In this way a sniffer lurking in a branch of the corporate network can be very well hidden; unless the company has implemented good network security measures, such a sniffer is difficult to find.

For system administrators who care about network security, there is a good tool called Tripwire, which can be obtained from COAST (see Section 5.2). Tripwire creates an MD5 "fingerprint" of your file system and can detect any modification of your file system by malicious users or attackers. To find network cards in "promiscuous" mode (which usually means an installed sniffer), CERT's "cpm" tool is very effective. You can find more information at http://www.cert.org/ftp/tools/cpm/.

-----------------------------------------------------------
4.4 Paralyzing the network
-----------------------------------------------------------

Some servers run very important applications, such as databases, network operating systems and other "mission-critical" programs. Once the attacker has obtained control of these servers, it is easy to take the network down for a long time. An uncommon but very cruel way of destroying the network is to run the "rm -rf / &" command on a host running a key service (translator's note: this deletes all the files on the machine).
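Sections 3.6 and 4.3 together explain why content fingerprints matter: the intruder restores the date and even the file length of the trojaned "ps", so a check based on timestamps or sizes sees nothing, while a digest of the contents still changes. The Python below is an added example of the two checks the paper recommends (a Tripwire-style baseline and a look for promiscuous interfaces); it is not Tripwire's or cpm's code. It uses MD5 because that is what the paper's Tripwire used (a new deployment should use SHA-256), and the promiscuous check reads the Linux sysfs flags file, where bit 0x100 is IFF_PROMISC; Solaris has no such file, and on a host whose "ps" is already trojaned the baseline must of course come from read-only media taken before the compromise. The directory tree in demo() is constructed in a temporary directory.

```python
"""Tripwire-style file fingerprinting and a promiscuous-interface check, as an
added illustration of the two detection tools section 4.3 recommends.
Everything under demo() is a constructed directory tree, not a real system."""
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100   # interface flag bit that is set while a sniffer has the card open


def fingerprint(path):
    """Hex digest of a file's contents.  The paper's Tripwire used MD5; a new
    deployment should use hashlib.sha256 instead."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to (digest, size, permission bits)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = (fingerprint(full), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def flags_promiscuous(flags_text):
    """True if a /sys/class/net/<if>/flags value (hex text such as '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs="/sys/class/net"):
    """Names of interfaces currently in promiscuous mode (Linux sysfs only)."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as f:
                if flags_promiscuous(f.read()):
                    found.append(name)
        except OSError:
            continue
    return found


def demo():
    """Constructed scenario: baseline a small tree, then replace 'ps' with a
    same-length file and restore its timestamps, drop in a sniffer binary and
    delete hosts.allow.  The digest comparison catches all three."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "sbin/ps": b"ELF-original-ps\n",
            "sbin/netstat": b"ELF-original-netstat\n",
            "etc/hosts.allow": b"ALL: LOCAL\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        ps = os.path.join(root, "sbin", "ps")
        st = os.stat(ps)
        with open(ps, "wb") as f:
            f.write(b"ELF-trojaned-ps\n")          # same length as the original
        os.utime(ps, (st.st_atime, st.st_mtime))   # timestamps put back, as the paper describes
        with open(os.path.join(root, "sbin", "sniffer"), "wb") as f:
            f.write(b"ELF-sniffer\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
    print("promiscuous interfaces:", promiscuous_interfaces())
```

In use, run build_baseline over /usr/bin, /usr/sbin, /etc and /dev from a clean boot, store the result off the host, and run compare from a read-only copy of Python and this script; the paper's point that the intruder trojans "ps" and "netstat" first applies equally to any checker that lives on the compromised disk.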
Depending on the system's network backup measures, this attack can take the network out for anything from a few hours to several months. If the attacker's purpose is to get into the internal network, he may exploit security vulnerabilities in existing routers, such as those found in Cisco, Bay and Ascend routers. In some cases an attacker can reboot a router remotely, or even shut it down completely until the system administrator restarts it. This causes great damage to the network, because when an attacker attacks a series of routers performing critical network functions (such as the routers forming the business backbone), he can easily take the network down for a considerable period. So routers and servers performing "mission-critical" tasks should be upgraded, and every measure taken to ensure they are secure.

-----------------------------------------------------------
5.1 Reference reading
-----------------------------------------------------------

Many good articles can help you secure your internal network, external network, hosts and servers. We recommend the following sites, and if you want a more in-depth understanding of large networks and hosts, the book below:

http://www.ndion.com/archives/documents/advanced/
http://www.rootshell.com/beta/Documentation.html
http://seclab.cs.ucdavis.edu/papers.html
http://rhino9.ml.org/textware/

'Practical UNIX & Internet Security'
------------------------------------
If you have not yet read a book on UNIX and Internet security, this one is a good start.
Simson Garfinkel and Gene Spafford
O'Reilly & Associates, Inc.
ISBN 1-56592-148-8
US $39.95, CAN $56.95 (UK around 30 pounds)

-----------------------------------------------------------
5.2 Recommended tools and programs
-----------------------------------------------------------

There are many free system security programs that run on mainstream operating systems such as Solaris, Irix, Linux, AIX, HP-UX and Windows NT. For more information on these free tools and programs we recommend the following sites:

ftp://coast.cs.purdue.edu/pub/tools/unix/
http://www.alw.nih.gov/security/prog-full.html
http://rhino9

Network Security Solutions Ltd. is currently developing network security tools for the UNIX and Windows platforms, expected to be released in the coming months.
Please visit http://www.ns2.co.uk in the meantime and take a look at our other "fine" free software!

-----------------------------------------------------------

Translator's afterword: ... and from this perspective observe and analyze this world. Although he is not perfect, even though he is covered in scars... we feel that he is a fox: passionate, alert, clever, trying to leave or to pass away. Ah...