
NRI institute of information science and technology, Bhopal

Paper presentation on Network security

Submitted to:OGI, Bhopal Date-15 October 2008

Presented by:Firdos Khan Abhishek Rajvaidya

TOPIC: NETWORK SECURITY
AUTHORS: FIRDOS KHAN, ABHISHEK RAJVAIDYA
COLLEGE: NIIST BHOPAL

ABSTRACT: Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and the consistent and continuous monitoring and measurement of their effectiveness (or lack of it), all taken together.

NETSTAT MADE EASY: The netstat command can be used to gather information on many different aspects of your system's communication state at a given point in time, including the list of open connections, the protocols in use, the list of open ports and remote IP address details.

HIDING YOUR IP ADDRESS: This covers NAT networks and proxy servers.

FIREWALLS: Bypassing firewalls.

NETWORK RECONNAISSANCE: The most effective information-gathering technique. It includes ping sweeping and detecting a ping sweep.

OS DETECTION: It is very important for an attacker to determine the operating system running on the target host. One of the easiest techniques for operating system detection is fingerprinting, which comes in two types: active fingerprinting and passive fingerprinting.

KEYLOGGER ATTACKS: How keyloggers work; securing systems.

NETSTAT MADE EASY


Do you want to find out your friend's IP address? Do you want to find your own IP address? Do you want to get a list of the open ports currently in use? Do you want to detect the presence of a trojan on your computer?

The netstat command can be used to gather information on a variety of different aspects of your system's communication state at a given point in time, including a list of open connections, the protocols being used, the list of open ports, remote IP address details and connection states, among other useful information. netstat gets all this information by reading the kernel routing tables in memory. The RFC on the Internet Tool Catalog describes netstat in the following manner:

Netstat is a program that accesses network related data structures within the kernel, then provides an ASCII format at the terminal. netstat can provide reports on the routing tables, TCP connections, TCP and UDP listens and protocol memory management.

You should launch the command prompt in order to use the netstat command:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\firdos>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a][-b][-e][-n][-o][-p proto][-r][-s][-v][interval]

netstat -a: the -a argument displays all open connections on the local machine. It also returns information about all remote systems to which you are connected, the port numbers on those remote systems, and the type and state of the connection you have with each remote system. The typical syntax and output of the netstat -a command is as follows:

Similarly, netstat -n, netstat -p, netstat -e and netstat -r can be described.
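The trojan-hunting use of netstat that the questions above hint at, as an added example that is not part of the original paper: parse Windows-style `netstat -an` output and report listeners and established peers that are not on an administrator's expected list. The netstat output, the expected-port list and the allowed remote ports are all constructed assumptions.

```python
"""Parse Windows 'netstat -an' output and flag listeners and peers that are not expected.

Added example, not code from the original paper. The netstat output below is
constructed to look like Windows XP output; the allowlists are assumptions too.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample in the shape of 'netstat -an' on Windows XP (not a real capture).
# Port 31337 and the peer on port 6667 are planted so the checks below find something.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:1060       198.51.100.7:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One connection row: protocol, local ip:port, foreign ip:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def _port(text):
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Return a Conn for every connection row; title and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            conns.append(Conn(proto, lip, _port(lport), rip, _port(rport), state))
    return conns


def unexpected_listeners(conns, expected_ports):
    """Ports accepting connections that are not on the administrator's expected list.

    A trojan or backdoor usually shows up here: a listener you did not install.
    TCP listeners carry the LISTENING state; UDP sockets in netstat have no state.
    """
    listening = {c.local_port for c in conns
                 if c.state == "LISTENING" or c.proto == "UDP"}
    return listening - set(expected_ports)


def suspicious_peers(conns, allowed_remote_ports):
    """Established connections to remote ports outside the allowed set.

    Returns (remote_ip, remote_port) pairs, e.g. an outbound session to an
    unexpected service that a reverse-connecting trojan might use.
    """
    return [(c.remote_ip, c.remote_port) for c in conns
            if c.state == "ESTABLISHED" and c.remote_port not in allowed_remote_ports]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", sorted(unexpected_listeners(rows, {135, 137, 445})))
    print("suspicious peers:", suspicious_peers(rows, {80, 443}))
```

On a real machine, feed the script the captured text of `netstat -an` and keep the expected-port list to what you deliberately run.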

HIDING YOUR IP ADDRESS


Do you want to protect your IP address while using the Internet? Do you want to protect your privacy? Do you want to share your Internet connection? Do you want to forge your source identity?

We have already seen with the netstat command how an IP address can be found out by an attacker. Hence it has become very important for Internet users to implement techniques for hiding their IP address from malicious users. The two most common techniques for hiding IP addresses are:

Network address translation (NAT) networks
Proxy servers

NETWORK ADDRESS TRANSLATION NETWORKS


The current implementation of IP addressing provides users with a very limited number of IP addresses that can be used for connectivity purposes. To solve this shortage problem, a number of organizations have started implementing NAT addressing, which allows them to use a single public IP address for a large number of internal systems that have unique private IP addresses. This lets an organization register just a single public IP address.

In computer networking, network address translation (NAT) is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device, for the purpose of remapping a given address space into another. Most often today, NAT is used in conjunction with network masquerading (or IP masquerading), a technique that hides an entire address space, usually consisting of private network addresses (RFC 1918), behind a single IP address in another, often public, address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single address and then rewrites the outgoing Internet Protocol (IP) packets on exit so that they appear to originate from the router. In the reverse communications path, responses are mapped back to the originating IP address using the rules ("state") stored in the translation tables. The translation table rules established in this fashion are flushed after a short period without new traffic refreshing their state. As described, the method only allows transit traffic through the router when it originates in the masqueraded network, since this is what establishes the translation table entries. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding, and allows traffic originating in the 'outside' network to reach designated hosts in the masqueraded network. Because of the popularity of this technique, the term NAT has become virtually synonymous with the method of IP masquerading. Network address translation has serious consequences for the quality of Internet connectivity and requires careful attention to the details of its implementation. As a result, many methods have been devised to alleviate the issues encountered (see NAT traversal).

Different types of NAT

Network address translation is implemented in a variety of schemes for translating addresses and port numbers, each affecting application communication protocols differently. Some application protocols that use IP address information need to determine the external address which is used for masquerading, and, furthermore, often need to examine and categorize the type of mapping used in a given NAT device. For this purpose, the Simple Traversal of UDP over NATs (STUN) protocol was developed. It classified NAT implementations as full cone NAT, restricted cone NAT, port-restricted cone NAT or symmetric NAT,[1][2] and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods are being developed (cf. Session Traversal Utilities for NAT (STUN)).

Full cone NAT, also known as one-to-one NAT

Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. Any external host can send packets to iAddr:port1 by sending packets to eAddr:port2.

Address-restricted cone NAT

Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. An external host (hostAddr:any) can send packets to iAddr:port1 by sending packets to eAddr:port2 only if iAddr:port1 had previously sent a packet to hostAddr:any. "any" means the port number doesn't matter.

Port-restricted cone NAT

Like a restricted cone NAT, but the restriction includes port numbers. Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. An external host (hostAddr:port3) can send packets to iAddr:port1 by sending packets to eAddr:port2 only if iAddr:port1 had previously sent a packet to hostAddr:port3.

Symmetric NAT

Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port. If the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used.

Only an external host that receives a packet from an internal host can send a packet back.
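The four NAT behaviours just described, as an added simulation that is not part of the original paper: an internal host iAddr:port1 sends to two servers, then four external senders try to reach it through eAddr:port2, and each NAT type decides which packets get through. All addresses and ports are constructed.

```python
"""Simulate the four NAT behaviours described above and test which inbound packets
each one lets through to the internal host.

Added example, not part of the original paper. All addresses and ports are constructed;
the internal host is iAddr:port1 = 10.0.0.2:5000 and the NAT's public address is 203.0.113.1.
"""
from itertools import count

FULL_CONE = "full cone"
ADDR_RESTRICTED = "address-restricted cone"
PORT_RESTRICTED = "port-restricted cone"
SYMMETRIC = "symmetric"


class Nat:
    def __init__(self, kind, external_ip="203.0.113.1", first_port=40000):
        self.kind = kind
        self.external_ip = external_ip
        self._free_ports = count(first_port)
        self.mappings = {}   # mapping key -> external port (port2)
        self.internal = {}   # external port -> (iAddr, port1)
        self.peers = {}      # external port -> set of (hostAddr, port) already contacted

    def outbound(self, iaddr, iport, daddr, dport):
        """Internal host sends to daddr:dport; returns the (eAddr, port2) used on the wire."""
        if self.kind == SYMMETRIC:
            key = (iaddr, iport, daddr, dport)   # one mapping per destination
        else:
            key = (iaddr, iport)                 # cone NATs reuse one mapping
        eport = self.mappings.get(key)
        if eport is None:
            eport = next(self._free_ports)
            self.mappings[key] = eport
            self.internal[eport] = (iaddr, iport)
            self.peers[eport] = set()
        self.peers[eport].add((daddr, dport))
        return self.external_ip, eport

    def inbound(self, saddr, sport, eport):
        """External host saddr:sport sends to eAddr:eport; returns the internal
        destination if the NAT admits the packet, else None (dropped)."""
        if eport not in self.internal:
            return None                          # no translation state: drop
        contacted = self.peers[eport]
        if self.kind == FULL_CONE:
            admitted = True                      # any external host may send
        elif self.kind == ADDR_RESTRICTED:
            admitted = any(h == saddr for h, _ in contacted)   # host only, any port
        else:
            # Port-restricted and symmetric both need the exact host:port; a
            # symmetric mapping only ever has the one destination it was made for.
            admitted = (saddr, sport) in contacted
        return self.internal[eport] if admitted else None


def probe(kind):
    """Internal host talks to two servers, then four external senders try to reach it.
    Returns (both sends used the same external port?, [admitted? per attempt])."""
    nat = Nat(kind)
    _, p1 = nat.outbound("10.0.0.2", 5000, "198.51.100.7", 80)
    _, p2 = nat.outbound("10.0.0.2", 5000, "198.51.100.9", 80)
    attempts = [
        ("198.51.100.7", 80, p1),    # the contacted server, from the contacted port
        ("198.51.100.7", 9999, p1),  # same server, different source port
        ("192.0.2.99", 1234, p1),    # host never contacted
        ("198.51.100.9", 80, p1),    # second server, aimed at the first mapping
    ]
    return p1 == p2, [nat.inbound(s, sp, ep) is not None for s, sp, ep in attempts]


if __name__ == "__main__":
    for kind in (FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        same_port, admitted = probe(kind)
        print(f"{kind:24s} same external port: {same_port!s:5s} admitted: {admitted}")
```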

PROXY SERVERS

In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later and make everything as fast as possible. A proxy server that passes all requests and replies unmodified is usually called a gateway or sometimes a tunneling proxy. A proxy server can be placed on the user's local computer or at various points between the user and the destination servers or the Internet.

Figure: schematic representation of a proxy server, where the computer in the middle acts as the proxy server between the other two.

WINGATE

WinGate is an integrated gateway management system for Microsoft Windows, providing firewall and NAT services, along with a number of integrated proxy servers and email services (SMTP, POP3 and IMAP servers). In the mid to late 1990s, WinGate was almost ubiquitous in homes and small businesses that needed to share a single Internet connection between multiple networked computers. The introduction of Internet Connection Sharing in Windows 98, however, combined with the increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to provide more than just Internet connection sharing features. Today, the focus for WinGate users is primarily access control, reporting, bandwidth management and content filtering.

Features

WinGate runs on all versions of Microsoft Windows from Windows 95 onwards. At its core, WinGate provides all three levels of Internet access: a stateful packet-level firewall with NAT, several circuit-level proxies (SOCKS 4/5 and a proprietary Winsock redirector), and multiple proxy servers. This provides a comprehensive access framework and allows the maximum level of access control. WinGate's policy framework allows the creation of specific access rules based on user account details, request details, location of the user, authentication level and time of day. The policy framework is based on a user database and user authentication. WinGate allows use of either WinGate's built-in user database, the Windows user database, or the user database of an NT domain or Active Directory. Authentication can use integrated Windows usernames and passwords (NTLM) and other authentication schemes. WinGate can also be used without authentication, or can assume user identity based on IP address or computer name. WinGate can also authenticate individual users on a Terminal Server and maintain separate user contexts to provide user-level control, and, for applications that do not support authentication, by using the WinGate Client software.

WinGate provides a fully customizable, self-configuring DHCP server to assist with network configuration. It also supports multi-interface and multiple-topology deployment, including multiple DMZs. WinGate provides an integrated email server (POP3 server and retrieval client, SMTP server, and IMAP4 server) with message routing features and per-email restrictions. This can be used to provide company email services, or to provide protection and additional security (encryption and authentication) for an existing email system. The WWW proxy provides a transparent proxy for ease of administration, plus a shared proxy cache for improved surfing performance. It can also be used to secure access to internal web servers with either browser-based authentication or a Java-based applet. Proxy services in WinGate support SSL/TLS connections, dynamic network binding (automatic response to network events such as the addition or removal of network interfaces), and gateway pre-selection (to direct service for a particular application out of a specific Internet connection). Packet-level bandwidth management is also provided to allow control of the bandwidth associated with certain users or applications, and can be configured on a per-time-of-day basis.

WinGate comes in three versions: Standard, Professional and Enterprise. The Enterprise edition also provides an easily configured virtual private network system, which is also available separately as WinGate VPN. Licensing is tiered by the number of concurrently connected users and is available in a range of sizes to suit any budget or network size. Optional components for WinGate provide antivirus scanning for email, web and FTP, and content filtering for web traffic.

FIREWALLS

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Function

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules. A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

A firewall's function within a network is similar to that of fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay a structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections allowed are the ones that have been explicitly permitted. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce the amount, and therefore the cost, of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

BYPASSING FIREWALLS

1. Abstract

There are ambiguities in the implementations of the TCP/IP suite for various operating systems. Even though this fact has been used for a long time in different software for OS fingerprinting, no real attempt has been made to identify the security impact of the differences in TCP/IP semantics. We have done some research on the TCP/IP connection open semantics, which is of course very important for the security of networked systems. We believe that the flaws we have detected have a big impact on the design of firewalls and packet filters, since an improper implementation can easily lead to serious security problems.

2. Details

The TCP/IP protocol stack offers a three-way handshake for connection-oriented communication using the TCP protocol. Basically, a connection can be opened by sending a synchronization packet to a listening service on a particular host. The host will respond with a synchronization acknowledgment packet, which in turn must be acknowledged by the requesting host. Then the connection is considered to be open (at least at the transport layer) and the two hosts may exchange data.

The three-way handshake is an essential part of communication using the TCP protocol. Therefore many packet filter firewalls try to prevent the three-way handshake from completing in order to protect an internal/corporate network from being accessed from the outside. Of course, stateful firewalls may have more sophisticated mechanisms. We have found very ambiguous behavior in TCP/IP implementations while doing research on the connection request phase. Below you will find the findings about various OSes; however, the list should not be considered complete. We have used the NemesisTCP tool [1] to generate the traffic and tcpdump to capture the responses.

* The normal behavior (of all OSes) is like this:

14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) win 512 (DF) [tos 0x18]
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)

The first host sends a SYN packet from port 12345 to a service on port 9999 and receives a SYN,ACK.

* Linux 2.4.19

The examination of the source code of the TCP engine reveals that a TCP connection can be opened by any combination of the TCP flags having the SYN bit set and the ACK bit reset. For example, we can open a TCP connection by sending an obviously bogus SYN,RST packet:

14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR 420:420(0) win 512 (DF) [tos 0x18]
14:25:43.889143 192.168.1.111.9999 > 192.168.1.184.12345: S 2168208394:2168208394(0) ack 421 win 5840 <mss 1460> (DF)

or something called a 'Christmas packet', having almost every TCP flag set (except the ACK flag, of course):

14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 420:420(0) win 512 urg 8 (DF) [tos 0x18]
14:30:46.342444 192.168.1.111.9999 > 192.168.1.184.12345: S 2492223280:2492223280(0) ack 421 win 5840 <mss 1460> (DF)

SYN,FIN packets also work well...

* Solaris 5.8

Here we have success by sending SYN,FIN packets:

14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:33:24.549757 192.168.1.84.9999 > 192.168.1.184.12345: S 913533039:913533039(0) ack 421 win 24656 <mss 1460> (DF)

or SYN,FIN,PSH packets with no payload:

14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP 420:420(0) win 512 (DF) [tos 0x18]
14:35:14.398801 192.168.1.84.9999 > 192.168.1.184.12345: S 940377913:940377913(0) ack 421 win 24656 <mss 1460> (DF)

Other combinations don't seem to induce the SynSent state in the TCP/IP stack.

* FreeBSD 4.5

Here we also have luck with SYN,FIN packets:

14:47:21.558541 192.168.1.184.12345 > 192.168.1.104.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:47:21.558719 192.168.1.104.9999 > 192.168.1.184.12345: S 1333327436:1333327436(0) ack 421 win 65535 <mss 1460>

as well as with other combinations which don't combine the RST and/or ACK flag with SYN:

14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP 420:420(0) win 512 (DF) [tos 0x18]
14:48:11.678366 192.168.1.104.9999 > 192.168.1.184.12345: S 1714046856:1714046856(0) ack 421 win 65535 <mss 1460>

* Windows NT 4.0

As in the case of BSD, we can open connections using any combination of TCP flags as long as we do not set the RST and/or ACK flag (where did they take the code from... hm...):

14:59:46.315126 192.168.1.184.12345 > 192.168.1.17.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:59:46.315566 192.168.1.17.9999 > 192.168.1.184.12345: S 15062452:15062452(0) ack 421 win 8576 <mss 1460> (DF)

Other OSes than those tested above are expected to behave in a similar manner after obtaining such a discouraging result...

3. Impact

The ambiguities can be used to bypass/tunnel firewalls that filter TCP packets according to the TCP flags set. Especially stateless firewalls, which simply compare the flags field with some expected value(s) to distinguish between synchronization packets and packets from an already open connection, can be easily bypassed just by sending a bogus synchronization packet to a listening port. The currently deployed TCP stacks seem to be highly bogus and lazily implemented. Administrators of firewall devices should set up filtering rules to drop bogus TCP packets such as those mentioned above. For example, on systems using iptables to filter packets, bogus packets can be easily distinguished by the following rules:

iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix "bogus packet"
iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP

and so on for the other flag combinations.

NETWORK RECONNAISSANCE

It is the most common yet effective information-gathering technique. It includes:

PING SWEEPING

A ping sweep is a technique used to determine which of a range of IP addresses map to live hosts. It consists of ICMP ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply. A ping is often used to check that a network device is functioning. To disable ping sweeps on a network, administrators can block ICMP ECHO requests from outside sources. However, ICMP TIMESTAMP and Address Mask Requests can be used in a similar manner. Tools used for ping sweeps include fping, gping, and nmap for Unix systems, and the Pinger software from Rhino9. Pingers send multiple packets at the same time and allow the user to resolve host names and save output to a file.

Ping Sweep Tools

PacketTrap Ping Sweep (as part of the pt360 Tool Suite)
AdventNet Ping Sweep Utility
Northwest Performance Software
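Going back to the firewall-bypass section: the iptables rule it gives works by masking the TCP flags and comparing the result, so a rule can be checked offline against the tcpdump lines quoted there. The classifier below is an added example, not code from the paper or the quoted advisory; its sample input is the advisory's own tcpdump lines, and the rule list is an assumption modelled on the advisory's `--tcp-flags SYN,FIN SYN,FIN` rule.

```python
"""Classify TCP packets from tcpdump lines with the same mask/compare test that
the iptables --tcp-flags option performs, to spot the bogus "SYN plus something"
connection requests described in the firewall-bypass section.

Added example, not code from the paper or the quoted advisory. The sample lines are
the tcpdump lines printed in that section; the rule list is an assumption modelled
on the iptables rule the advisory gives.
"""
import re

# TCP flag bits as laid out in the TCP header's flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# Old-style tcpdump prints the flags as single letters (ACK and URG appear later as "ack N"/"urg N").
LETTER_TO_FLAG = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "U": "URG"}

# Lines taken from the advisory quoted in the paper (requests from port 12345 and one reply).
SAMPLE_LINES = [
    "14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) win 512 (DF) [tos 0x18]",
    "14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)",
    "14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR 420:420(0) win 512 (DF) [tos 0x18]",
    "14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 420:420(0) win 512 urg 8 (DF) [tos 0x18]",
    "14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) win 512 (DF) [tos 0x18]",
    "14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP 420:420(0) win 512 (DF) [tos 0x18]",
    "14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP 420:420(0) win 512 (DF) [tos 0x18]",
]

LINE_RE = re.compile(r"^\S+ (\S+) > (\S+): ([SFRPU.]+) (.*)$")


def flags_from_names(names):
    """'SYN,FIN' -> 0x03, the way iptables parses a --tcp-flags argument."""
    return sum(FLAG_BITS[n] for n in names.split(","))


def parse_tcpdump_line(line):
    """Return (src, dst, flag_letters, flags_bitmask) for an old-style tcpdump TCP line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP line: " + line)
    src, dst, letters, rest = m.groups()
    flags = sum(FLAG_BITS[LETTER_TO_FLAG[c]] for c in letters if c in LETTER_TO_FLAG)
    if re.search(r"\back \d+", rest):     # old tcpdump shows ACK as "ack N", not a letter
        flags |= FLAG_BITS["ACK"]
    if re.search(r"\burg \d+", rest):     # likewise URG as "urg N"
        flags |= FLAG_BITS["URG"]
    return src, dst, letters, flags


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP semantics: look only at the MASK bits and
    require them to equal COMP exactly."""
    return (flags & mask) == comp


# Rules in the advisory's style, each written like "--tcp-flags SYN,FIN SYN,FIN".
# The last two catch a SYN without ACK that also carries PSH or URG (the SP case).
BOGUS_RULES = [
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,ACK,PSH", "SYN,PSH"),
    ("SYN,ACK,URG", "SYN,URG"),
]


def classify(lines, rules=BOGUS_RULES):
    """Map each line's flag letters to the first rule it trips ("MASK COMP"), or None."""
    verdicts = []
    for line in lines:
        _, _, letters, flags = parse_tcpdump_line(line)
        hit = None
        for mask, comp in rules:
            if tcp_flags_match(flags, flags_from_names(mask), flags_from_names(comp)):
                hit = f"{mask} {comp}"
                break
        verdicts.append((letters, hit))
    return verdicts


if __name__ == "__main__":
    for letters, verdict in classify(SAMPLE_LINES):
        print(f"{letters:5s} -> {'bogus, rule ' + verdict if verdict else 'ok'}")
```

A plain SYN and the SYN,ACK reply pass every rule; each of the advisory's bogus requests trips one, which is the behaviour the DROP rules should produce on the firewall.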

DETECTING A PING SWEEP

Ping is a widely used technique that helps an attacker detect whether your system is active, which is often the first step an attacker takes in order to identify possible targets. Once the ping operation has identified your computer as active and connected to the Internet, the attacker will likely proceed to additional techniques in order to identify security weaknesses in your computer system that can be exploited to gain control over it.

The ping operation consists of sending a special network packet to a target computer and awaiting a response, which lets the attacker know whether the target computer is active. Other types of packets can be used as well, but the most common operation is to send an ICMP ECHO (type 8) packet to the target computer, to which the remote machine responds with an ICMP ECHO_REPLY (type 0) packet. The software on the attacker's computer usually has a ping timeout setting, which can typically be set somewhere between a few hundred milliseconds and a few seconds. The software waits for the ICMP ECHO_REPLY packet within the chosen timeout; if a reply is received, the target computer is known to be active.

Before launching an attack over a remote network, an attacker will likely start by scanning the network and gathering as much information as possible about it. One of the common operations used is the ping sweep. During a ping sweep, an attacker sends a large number of ping operations to a particular network, usually one per IP address. In order to scan hundreds or thousands of remote addresses efficiently, the attacker will probably use a multithreaded ping sweep tool, which not only allows the timeout setting to be customized to improve efficiency, but also allows many ping operations to run at the same time, maximizing the number of remote addresses scanned.

Perhaps the simplest protection measure against having your computer identified as active through the ping operation is to disable the ICMP protocol. There are two common configurations. In the first, your computer is directly connected to the Internet (for example, if you are using dial-up with a regular modem and no router, you are likely to be connected directly); in that situation you need to block the ICMP protocol by configuring the software firewall on your computer. If you are not using a software firewall in such a situation, you should get and install one as soon as possible, otherwise you are exposed to a large number of risks: it may take only minutes until an attacker or worm gets into your computer. In the second, if you are using a gateway computer or router to connect to the Internet, you can disable the ICMP protocol on the gateway/router to protect your public IP address from being tested via a ping operation.

It should be mentioned, though, that the ping operation is a useful one and there are situations where it should remain active, in which case ICMP should not be disabled. For example, many ISPs use automated ping operations to monitor their connections; if you disable ICMP, your ISP may take measures to correct what they believe to be a non-functional connection, such as disconnecting it, or in some cases they may even call to ask what happened because their monitoring software reports that the connection is down. There are also cases where certain software makes use of ping operations for its normal functioning and may conclude that your computer is no longer responding. In such cases it is advised not to disable ICMP. Alternatively, you may permit ICMP only from a given computer or IP range. For example, where your ISP needs to monitor your connection via ping, you can call them and ask for the IP addresses of the monitoring machine(s) they use, then use that IP address or range to create an allow rule for the ICMP protocol in your firewall. This solves the problem, as your computer will respond to ICMP ECHO requests from your ISP but not from everyone else.
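The detection side of the section above, as an added example that is not part of the original paper: scan firewall log lines for one source sending ICMP echo requests (type 8) to many distinct hosts in a short window, while skipping an allow-listed monitoring address such as the ISP's. The log lines are constructed in the shape of Linux iptables LOG output; the addresses, the 60-second window and the five-host threshold are assumptions.

```python
"""Detect a ping sweep in firewall logs: one source sending ICMP echo requests
(type 8) to many distinct hosts within a short window, while leaving an allow-listed
monitoring address (such as the ISP's) alone.

Added example, not code from the paper. The log lines are constructed in the shape
of Linux iptables LOG output; the addresses, the 60-second window and the
five-host threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log: a sweep of 192.168.1.1-8 from 198.51.100.7, two monitoring pings
# from the ISP's probe 203.0.113.50, one ordinary ping from 192.0.2.9 and its reply.
SAMPLE_LOG = [
    f"Oct 15 14:02:0{i} gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.{i} PROTO=ICMP TYPE=8 CODE=0"
    for i in range(1, 9)
] + [
    "Oct 15 14:02:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.168.1.12 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 15 14:03:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.168.1.12 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 15 14:02:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.3 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 15 14:02:31 gw kernel: IN=eth0 OUT= SRC=192.168.1.3 DST=192.0.2.9 PROTO=ICMP TYPE=0 CODE=0",
]

LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) DST=(\S+) .*?PROTO=ICMP TYPE=(\d+)")


def parse_echo_requests(lines, year=2008):
    """Return (timestamp, src, dst) for every ICMP echo request (type 8) in the log.
    Echo replies (type 0) and non-ICMP lines are ignored; syslog lines lack the year."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(4) == "8":
            ts, src, dst, _ = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            events.append((when, src, dst))
    return events


def detect_ping_sweeps(events, window_s=60, min_hosts=5, allowed_sources=frozenset()):
    """Return {source: most distinct hosts it pinged inside any window_s-second window}
    for sources that reach min_hosts, skipping the allow-listed monitoring sources."""
    by_src = defaultdict(list)
    for when, src, dst in events:
        if src not in allowed_sources:
            by_src[src].append((when, dst))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        lo = 0
        for hi in range(len(probes)):             # sliding window over sorted probes
            while (probes[hi][0] - probes[lo][0]).total_seconds() > window_s:
                lo += 1
            hosts = {dst for _, dst in probes[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


if __name__ == "__main__":
    requests = parse_echo_requests(SAMPLE_LOG)
    print(detect_ping_sweeps(requests, allowed_sources={"203.0.113.50"}))
```

The allow-list is the log-side counterpart of the firewall allow rule the text recommends for the ISP's monitoring machines.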

OS DETECTION

It is very important for an attacker to determine the operating system running on the target host. One of the easiest techniques for operating system detection is fingerprinting, which comes in two types: active fingerprinting and passive fingerprinting.

TCP/IP stack fingerprinting (a.k.a. OS fingerprinting) is the process of determining the operating system (OS) used by a remote target. There are two types of OS fingerprinting: active and passive.

Passive OS fingerprinting

Passive fingerprinting is undetectable by an intrusion detection system on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this it is undetectable. The downside of this method is that the client must either connect directly to the fingerprinting device, or be on the same hub as the other servers and clients, in order for the fingerprinter to capture any packets on the wire.

How passive OS fingerprinting works

Passive fingerprinting works because TCP/IP flag settings are specific to various operating systems. These settings vary from one TCP stack implementation to another and include the following:

Initial TTL (8 bits)
Window size (16 bits)
Maximum segment size (16 bits)
"Don't fragment" flag (1 bit)
sackOK option (1 bit)
nop option (1 bit)
Window scaling option (8 bits)
Initial packet size (16 bits)

These flags, when combined, provide a unique, 67-bit signature for every operating system.[1]
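The 67-bit signature arithmetic above, worked through as an added example that is not part of the original paper: the eight fields are packed with the listed widths (8+16+16+1+1+1+8+16 = 67) into one integer, unpacked again, and matched against a signature table. The two table entries are constructed, hypothetical stacks, not real operating-system fingerprints.

```python
"""Pack the eight TCP/IP stack properties listed above into the 67-bit signature
the text refers to, and look a captured signature up in a signature table.

Added example, not code from the paper. The field widths are the ones the list gives;
the table entries are constructed, hypothetical stacks, not real OS fingerprints.
"""

# (field name, width in bits), in the order the text lists them.
FIELDS = [
    ("ttl", 8), ("window", 16), ("mss", 16), ("df", 1),
    ("sackok", 1), ("nop", 1), ("wscale", 8), ("pktsize", 16),
]
SIGNATURE_BITS = sum(width for _, width in FIELDS)   # 67


def pack_signature(**values):
    """Concatenate the fields MSB-first into one integer; reject out-of-range values."""
    sig = 0
    for name, width in FIELDS:
        v = int(values[name])
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        sig = (sig << width) | v
    return sig


def unpack_signature(sig):
    """Inverse of pack_signature: split the integer back into the named fields."""
    values = {}
    for name, width in reversed(FIELDS):      # peel fields off the low end first
        values[name] = sig & ((1 << width) - 1)
        sig >>= width
    return values


# Hypothetical signature table (constructed values, not real OS fingerprints).
SIGNATURE_TABLE = {
    pack_signature(ttl=64, window=5840, mss=1460, df=1, sackok=1, nop=1,
                   wscale=0, pktsize=60): "hypothetical stack A",
    pack_signature(ttl=128, window=65535, mss=1460, df=1, sackok=1, nop=1,
                   wscale=0, pktsize=48): "hypothetical stack B",
}


def identify(observed, table=SIGNATURE_TABLE):
    """Exact-match lookup of a packed signature; None when the stack is unknown."""
    return table.get(pack_signature(**observed))


if __name__ == "__main__":
    seen = {"ttl": 128, "window": 65535, "mss": 1460, "df": 1,
            "sackok": 1, "nop": 1, "wscale": 0, "pktsize": 48}
    print(SIGNATURE_BITS, "bits;", hex(pack_signature(**seen)), "->", identify(seen))
```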

Active OS fingerprinting Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network, and with the active method you can learn more information about the target than with passive OS fingerprinting. The downside is that the fingerprinter can be identified by an intrusion detection system.

Active fingerprinting methods

TCP stack querying:
ICMP
TCP
SNMP

Banner grabbing:
FTP
TELNET
HTTP

Port probing

Protecting against and detecting fingerprinting

Block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps. Also, block any ICMP echo replies. Watch for excessive TCP SYN packets. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a black hole. Extensive knowledge of TCP/IP networking is recommended before engaging in traffic blocking.

Fingerprinting tools

A list of TCP/IP OS fingerprinting tools:

Nmap - comprehensive active stack fingerprinting.
p0f - comprehensive passive TCP/IP stack fingerprinting.
Ettercap - passive TCP/IP stack fingerprinting.
SinFP - single-port active/passive fingerprinting.
XProbe2 - active TCP/IP stack fingerprinting.

Uses of TCP/IP fingerprinting

TCP fingerprinting is a valuable tool for:

Vulnerability scanning - TCP fingerprinting is a valuable tool for scanning for vulnerabilities in a web server or enterprise defense. Knowing the operating system provides a clue as to what sort of tools or attacks a hacker can use.

Fraud detection[2] - more recently, TCP/IP stack fingerprinting has been used as an additional tool for fingerprinting a device during a transaction in order to detect anomalies.

KEYLOGGERS

Keystroke logging (often called keylogging) is a method of capturing and recording user keystrokes. The technique and the name came from before the era of the graphical user interface; loggers nowadays would be expected to capture mouse operations too. Keylogging can be useful for determining sources of errors in computer systems and for studying how users interact with and access systems, and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for both law enforcement and law-breaking, for instance by providing a means to obtain passwords or encryption keys and thus bypass other security measures. Keyloggers are widely available on the Internet. There are currently two types of keylogging methods, hardware and software based.

Application

Keystroke logging can be achieved by both hardware and software means. Hardware keyloggers are commercially available devices which come in three types: inline devices that are attached to the keyboard cable, devices which can be installed inside standard keyboards, and actual replacement keyboards that contain the keylogger already built in. The inline devices have the advantage of being able to be installed instantly on desktop computers without integrated keyboards. When used covertly, inline devices are easily detected by a glance at the keyboard connector plugged into the computer. Of the three types, the most difficult to install is also the most difficult to detect. The device that installs inside a keyboard (presumably the keyboard the target has been using all along) requires soldering skill and extended access to the keyboard to be modified. However, once in place, this type of device is virtually undetectable unless specifically looked for.

Types of keystroke loggers

1) Local machine software keyloggers are software programs that are designed to work on the target computer's operating system. From a technical perspective there are four categories:

Hypervisor-based: The keylogger resides in a malware hypervisor running underneath the operating system, which remains untouched, except that it effectively becomes a virtual machine. See Blue Pill for a conceptual example. Kernel based: This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode

applications. They are frequently implemented as rootkits that subvert the OS kernel and gain unauthorized access to the hardware which makes them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the Operating System. Hook based: Such keyloggers hook the keyboard with functions provided by the OS. The OS warns them any time a key is pressed and it records it. Passive Methods: Here the coder uses operating system APIs like GetAsyncKeyState(), GetForegroundWindow(), etc. to poll the state of the keyboard or to subscribe to keyboard events. These are the easiest to write, but where constant polling of each key is required, they can cause a noticeable increase in CPU usage and can miss the occasional key. A more recent example simply polls the BIOS for preboot authentication PINs that have not been cleared from memory.
[1]

2) Remote access software keyloggers are local software keyloggers programmed with an added feature to transmit recorded data out of the target computer and make it available to the monitor at a remote location. Remote communication is facilitated by one of four methods:

- Data is uploaded to a website or an FTP account.
- Data is periodically emailed to a pre-defined email address.
- Data is wirelessly transmitted by means of an attached hardware system.
- The software allows the monitor to log into the local machine via the Internet or Ethernet and access the logs stored on the target machine.

3) Hardware keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere between the computer keyboard and the computer. The circuit logs all keyboard activity to its internal memory, which can subsequently be accessed, for example, by typing in a secret key. A hardware keylogger has an advantage over a software solution: because it is not dependent on the computer's operating system, it will not interfere with any program running on the target machine and hence cannot be detected by any software. Its physical presence may, however, be detected.

4) Remote access hardware keyloggers, otherwise known as wireless hardware keyloggers, work in much the same way as regular hardware keyloggers, except that they can be controlled and monitored remotely by means of a wireless communication standard.

5) Wireless keylogger sniffers collect the packets of data transferred between a wireless keyboard and its receiver and then attempt to crack the encryption key used to secure the wireless communication between the two devices.

6) Acoustic keyloggers work by analysing a recording of the sound created by someone typing on a computer. Each character on the keyboard makes a subtly different acoustic signature when struck. Using statistical methods, it is then possible to identify which keystroke signature relates to which keyboard character. This is done by analysing the repetition frequency of similar acoustic keystroke signatures, the timings between different keystrokes and other context information such as the probable language in which the user is writing. A fairly long recording (1000 or more keystrokes) is required so that the statistics are meaningful.

7) Electromagnetic radiation loggers work by passively capturing the electromagnetic emissions of a keyboard, without being physically wired to it.[2]

Cracking

Writing software applications for keylogging is trivial, and like any computer program they can be distributed as a trojan horse or as part of a virus. What is not trivial, however, is installing a keystroke logger without getting caught and downloading the logged data without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper[3] (their paper from 1996 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g. Usenet). Young and Yung also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as unused. This can be done using a USB token. So the trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the trojan author can decrypt the ciphertext, because only the author knows the needed private decryption key. This attack is from the field known as cryptovirology.

Federal Bureau of Investigation

The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr., son of mob boss Nicodemo Scarfo. Scarfo Jr. pleaded guilty to running an illegal gambling operation in 2002.[4] The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.[5]

Use in surveillance software

Some surveillance software has keystroke logging abilities and is advertised as a way to monitor the Internet use of minors. Such software has been criticized on privacy grounds, and because it can be used maliciously or to gain unauthorized access to users' computer systems.

Keylogger prevention

Currently there is no easy way to prevent keylogging. In the future it is believed that software with secure I/O will be protected from keyloggers. Until then, however, the best strategy is to use common sense and a combination of several methods. It is possible to use software to monitor the connectivity of the keyboard and log its absence as a countermeasure against physical keyloggers. For a PS/2 keyboard, the timeout bit (BIT6 at port 100) has to be monitored.[6] But this only makes sense when the PC is (nearly) always on.

- Code signing: 64-bit versions of Windows Vista and Server 2008 implement mandatory digital signing of kernel-mode device drivers, thereby restricting the installation of key-logging rootkits.
- Monitoring what programs are running: a user should constantly observe the programs which are installed on his or her machine. Also, devices connected to PS/2 and USB ports (which can both be hacked) can be used by a perpetrator to secretly install a keylogger and later remove it (along with the user's data).
- Anti-spyware: anti-spyware applications are able to detect many keyloggers and remove them. Responsible vendors of monitoring software support detection by anti-spyware programs, thus preventing abuse of the software.
- Firewall: enabling a firewall does not stop keyloggers per se, but if properly configured it can prevent transmission of the logged material over the net.
- Network monitors: network monitors (also known as reverse firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information.

BIBLIOGRAPHY

Network Security - Ankit Fadia
en.wikipedia.org/wiki/Proxy_server
en.wikipedia.org/wiki/Network_address_translation
www.wingate.com
en.wikipedia.org/wiki/OS_fingerprinting
www.hackingmobilephone.com
