FAQ: Network Intrusion Detection Systems. This FAQ answers simple questions related to detecting intruders who attack systems through the network, especially how such intrusions can be detected. Send mail to nids- faq @ robertgraham. Copyright 1. 99. 8- 2. Robert Graham (mailto: nids- faq. Robert. Graham. com. This document may be reproduced only for non- commercial purposes. All reproductions must contain this exact copyright notice. Reproductions must not contain alterations except by permision. My homepage: (slow link)http: //www. HTML)http: //www. TICM (fast link)http: //www. Shake Communications (Australia)http: //www. IT Sec (Germany)http: //www. Russian translation: http: //www. Added some new IDS products. Fixed TOC. Version 0. How to write a simple but effective TCP/IP port scanner for. Use a firewall and block that. Symantec Endpoint Protection Manager. Prevents a program from detecting the. Be sure to check that no other firewall rules apply to the program – for example. January 1, 1. 99. Minor updates. Changed format of hyper- links so I can create a text- only version of the FAQ. Changed embedded e- mail address so that spam- trollers can't extract them. Added TOC. An intrusion is somebody (A. K. A. For the purposes of this FAQ, IDS can be broken down into the following categories. NIDS) monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine who watches its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe). Write A Program To Detect A Remote Firewall JobsHow to detect if a Keylogger is installed. NetFirewallRule -DisplayGroup 'Windows Firewall Remote Management' -Enabled True Set. Windows Firewall With Powershell 3. Write A Program To Detect A Remote Firewall BlockingThe most famous of such systems is . A SIV may watch other components as well, such as the Windows registry and chron configuration, in order to find well known signatures. It may also detect when a normal user somehow acquires root/administrator level privleges. Many existing products in this area should be considered more . In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that looking for intruders who try well- known security holes, such as the . Example: swatch. deception systems (A. K. A. See The Deception Tool. Kit http: //www. all. Also, simple tricks by renaming . Also see http: //www. For more info, see http: //www. There are two words to describe the intruder: hacker and cracker. A hacker is a generic term for a person who likes getting into things. The benign hacker is the person who likes to get into his/her own computer and understand how it works. The malicious hacker is the person who likes getting into other people's systems. The benign hackers wish that the media would stop bad- mouthing all hackers and use the term 'cracker' instead. Unfortunately, this is not likely to happen. In any event, the word used in this FAQ is 'intruder', to generically denote anybody trying to get into your systems. They may also attempt to go around the firewall to attack machines on the internal network. Outside intruders may come from the Internet, dial- up lines, physical break- ins, or from partner (vendor, customer, reseller, etc.) network that is linked to your corporate network. These include users who misuse priviledges (such as the Social Security employee who marked someone as being dead because they didn't like that person) or who impersonate higher privileged users (such as using someone else's terminal). A frequently quoted statistic is that 8. There are several types of intruders Joy riders hack because they can. Vandals are intent on causing destruction or marking up your web- pages. Profiteers are intent on profiting from their enterprise, such as rigging the system to give them money or by stealing corporate data and selling it. The primary ways a intruder can get into a system. Physical Intrusion If a intruders have physical access to a machine (i. Techniques range from special privileges the console has, to the ability to physically take apart the system and remove the disk drive (and read/write it on another machine). Even BIOS protection is easy to bypass: virtually all BIOSes have backdoor passwords. If the system doesn't have the latest security patches, there is a good chance the intruder will be able to use a known exploit in order to gain additional administrative privileges. The intruder begins with no special privileges. There are several forms of this hacking. For example, a intruder has a much more difficult time if there exists a firewall on between him/her and the victim machine. Software always has bugs. System Administrators and Programmers can never track down and eliminate all possible holes. Intruders have only to find one hole to break in. Software bugs can be classified in the following manner. Buffer overflows: Almost all the security holes you read about in the press are due to this problem. A typical example is a programmer who sets aside 2. Surely, the programmer thinks, nobody will ever have a name longer than that. But a hacker thinks, what happens if I enter in a false username longer than that? Where do the additional characters go? If they hackers do the job just right, they can send 3. Hackers find these bugs in several ways. First of all, the source code for a lot of services is available on the net. Hackers routinely look through this code searching for programs that have buffer overflow problems. Secondly, hackers may look at the programs themselves to see if such a problem exists, though reading assembly output is really difficult. Thirdly, hackers will examine every place the program has input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the hacker to break in. Note that this problem is common in programs written in C/C++, but rare in programs written in Java. Intruders can often send input that is meaningless to one layer, but meaningful to another layer. The most common language for processing user input on the web is PERL. Programs written in PERL will usually send this input to other programs for further evaluation. A common hacking technique would be to enter something like . This gets executed because PERL asks the operating system to launch an additional program with that input. However, the operating system intercepts the pipe '. Most programmers do not consider what happens when somebody enters input that doesn't match the specification. This means that they can execute more than one program at a time. There is a danger if two programs need to access the same data at the same time. Imagine two programs, A and B, who need to modify the same file. In order to modify a file, each program must first read the file into memory, change the contents in memory, then copy the memory back out into the file. The race condition occurs when program A reads the file into memory, then makes the change. However, before A gets to write the file, program B steps in and does the full read/modify/write on the file. Now program A writes its copy back out to the file. Since program A started with a copy before B made its changes, all of B's changes will be lost. Since you need to get the sequence of events in just the right order, race conditions are very rare. Intruders usually have to tries thousands of time before they get it right, and hack into the system. System configuration bugs can be classified in the following manner. Default configurations: Most systems are shipped to customers with default, easy- to- use configurations. Almost any UNIX or Win. NT machine shipped to you can be hacked in easily. This is because the administrator is too lazy to configure one right now and wants to get the machine up and running quickly with minimal fuss. Unfortunately, they never get around to fixing the password later, allowing intruders easy access. One of the first things a intruder will do on a network is to scan all machines for empty passwords. Sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn't absolutely positively need to run on a machine in order to avoid accidental holes. Note that security auditing packages can usually find these holes and notify the administrator. A network of machines trusting each other is only as secure as its weakest link. This is a special category all to itself. Then there are the users who choose . This gives a list of less than 3. In this attack, the intruder will use a program that will try every possible word in the dictionary. Dictionary attacks can be done either by repeatedly logging into systems, or by collecting encrypted passwords and attempting to find a match by similarly encrypting all the passwords in the dictionary. Intruders usually have a copy of the English dictionary as well as foreign language dictionaries for this purpose. They all use additional dictionary- like databases, such as names (see above) and lists of common passwords. A short 4- letter password consisting of lower- case letters can be cracked in just a few minutes (roughly, half a million possible combinations). A long 7- character password consisting of upper and lower case, as well as numbers and punctuation (1. Shared medium: On traditional Ethernet, all you have to do is put a Sniffer on the wire to see all the traffic on a segment. This is getting more difficult now that most corporations are transitioning to switched Ethernet. For example, you might not know a user's password, but sniffing a Telnet session when they log in will give you that password. While the bandwidth is really low (you can't sniff all the traffic), it presents interesting possibilities. Even if a software implementation is completely correct according to the design, there still may be bugs in the design itself that leads to intrusions. As a result, there are a number of design flaws that lead to possible security problems. How to write a simple but effective TCP/IP port scanner for Win. An article on how to write a TCP/IP port scanner with a GUI, based on the MFC's property sheet paradigm. Introduction. Writing a TCP/IP port scanner, it's not so hard. This article shows you how to develop a simple but effective port scanner for Win. CSocket which comes with MFC) and a small framework based on the CProperty. Sheet/CProperty. Page classes. The scanner also includes a module for testing connections (the Connect page) and allows the handling of the local database of services (the Services page). What you should to know. The sample application presented here does not requires a deep knowledge of the TCP/IP protocol. If you have some notions about the MFC and the Winsock API, then you are on the right direction. How a scanner works. Each time you send or receive data through the Internet, your mail (or web, chat, or whatever) program must connect to a remote port of a remote host. Some of the services which runs over the Internet are resumed into the following table: serviceportdescriptionecho. Echodaytime. 13. Daytimeftp. File Transfer Protocolssh. SSH Remote Login Protocoltelnet. Telnetsmtp. 25. Simple Mail Transfertime. Timenameserver. 42. Host Name Servernicname. Who Isdomain. 53. Domain Name Servergopher. Gopherhttp. 80. World Wide Web HTTPkerberos. Kerberospop. 31. 10. Post Office Protocolnetbios- ns. NETBIOS Name Servicenetbios- dgm. NETBIOS Datagram Servicenetbios- ssn. NETBIOS Session Service. In fact, the list of services/ports is greater than the above and includes three different port ranges: port rangeutilization. SMTP, POP3, FTP, etc. IANA organization. As the RFCs say (RFC7. TCP and RFC7. 68 for the UDP protocol), the above ports can be used for TCP and UDP connections, so it's not unusual to see duplicated entries for the same service, like in: serviceport/protocoldescriptionecho. Echoecho. 7/udp. Echo. The TCP/IP protocol is based on the OSI (Open Systems Interconnection) model, developed between 1. That model uses a proposal of the ISO (International Organization for Standardization), so it is well known as the ISO/OSI model also. The ISO/OSI architecture divides the network into various layers (application, presentation, session, transport, network, data- link and physical). Think to a layer like a plant of a building. At the lower level is your network card, used to exchange raw data between the computers, while at the higher level is your preferred client sending mail or browsing the web. In fact, the TCP/IP is not a protocol, but a suite of protocols, composed by: protocoldescription. IP (Internet Protocol)the protocol used to exchange raw data between remote hosts. TCP (Transport Control Protocol)the protocol used to exchange data between applications. UDP (User Data Protocol)used as the TCP to exchange data between applications, but more simpler and less reliable than the TCPICMP (Internet Control Message Protocol)used at the network layer for error messaging. The correspondence between the ISO/OSI model and the suite of the TCP/IP protocols can be represented by the following table: ISO/OSI model. TCP/IP suiteapplication layerclient programpresentation layerclient programsession layerclient programtransport layer. TCP/UDPnetwork layer. ICMP/IP/IGMPdata- link layer. ARP/hardware/RARPphysical layer. ARP/hardware/RARPThe IP and TCP protocols are the ground of data transfer. The IP protocol, which works at network layer, handles the transfer of raw data between computers. At this level, each packet contains the data which must be transferred and the IP address of the sender and the receiver. The TCP protocol works at the transport layer, but the principle is the same. TCP replaces the IP address concept with the port concept. Each transferred packet contains the data and the port number, where the port number is associated with a service instead of a computer. In other words, the IP protocol moves the raw data from one computer to other, using the IP address to identify each computer of the network. Well, but when the data arrives to the destination computer, where must it be left? Are you browsing the WEB? If so, the TCP protocol redirects the incoming data through the port used by the HTTP service (8. Are you using an FTP client? The TCP protocol redirects the incoming data through the port used by the service (2. As you can see, the port and service concepts are the basic principles used during data transfer through the Internet. Now you can understand which is the main purpose of a TCP/IP scanner. If you want to know what are the services currently running on a remote host, you must scan its ports. Implementation. The sample code presented here is only an example of Winsock programming. Do not think it like the best approach to the scan topical. As you know, the Winsock API can be used with three different modes, blocking, non- blocking and asyncronous modes. Our scanner uses the third (asyncronous) mode. Probably this is not the best mode which can be used with this topical (maybe using the blocking mode into a separate thread guarantees a better result), but this is not the point. Commercial scanners use a lot of threads to scan as fast as possible the mayor number of ports at the same time. This is not our purpose. Our scanner must scan one port at time, without blocking the UI until the work is done, and to do it in that way, the best approach is the asyncronous mode, used here to practice and exercise with the Winsock API. Of course, you are free to modify the proposed code to apply the Winsock mode you prefer. All the code contained into the sample project can be divided into two sections, the simple framework used to build a CProperty. Sheet based MFC application and the classes used for the Winsock interface. The CProperty. Sheet. Dialog. cpp/. h and CProperty. Page. Dialog. cpp/. MFC application. Tcp. Property. Sheet. cpp/. Tcp. CAsync. Sock. Winsock API in asyncronous mode, while the rest of the code is used internally to handle the list control (CList. Ctrl. Ex. cpp/. h), the program's configuration, etc. Note that the base class for the Winsock interface is the CWinsock class, not the CSock. As you can see looking into the code, the CWinsock class is used to map all the Winsock services to the real library or to a dummy implementation, depending on the . This is because the CWinsock class contains the code to handle locally a minimal SMTP/POP3 server, which you can use to exercise the SMTP/POP3 protocols without using an active Internet connection. As usual for an MFC app, you must derive you own class (in this case, the CTcp. Scan. App class) from the CWin. App. Our scanner is not dialog, but property sheet- based, so you must override the default Init. Instance() implementation for creating the property sheet and all the related pages: BOOL CTcp. Scan. App: :Init. Instance(void). . The Apply and the Help buttons are removed by the framework, so each page of the property sheet has only the OK and the Cancel buttons. Each page of the sheet modifies the text of the OK button, according to its needs. As you can see, each class used as a page of the sheet defines the following handlers: BOOL On. Init. Dialog(void). BOOL On. Set. Active(void). BOOL On. Kill. Active(void). On. Kill. Sheet(void). On. Ok(void). void On. Cancel(void); If you decide to use the CProperty. Sheet. Dialog/CProperty. Page. Dialog classes into your own code, do not miss to do the same. About the features of our scanner, consider that the Connect page allows you to test only the connections which use the same channel for commands and data. This means you can use that page to send and receive data with protocols like SMTP, POP3, HTTP, etc., but not with protocols like FTP, which uses two different channels (one for the commands and other for the data). When using the Connect page, remember that you are entering raw data, so if you want to get some HTML page through the HTTP protocol, you must specify the HTTP request as the standard say (in this case, specifying the pair of CR/LF chars at the end of the request). Any kind of ideas, suggestions or enhancements are always welcome. Luca Piergentililpiergentili@yahoo.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2017
Categories |