CYS 7132 - Lect-5

5. Gaining Access
• Necessary step to obtain access to a valid account
– Crack or bypass the existing authentication mechanism
• Password
– Most prevalent form of authentication
– Main target of attacks
• Various types of attacks
– Social engineering
– Phishing
– Dictionary attacks
– Credential stuffing

Authentication Systems
Notion of Authentication
- External entities such as human users are represented within
computing systems by subjects, which act on their behalf.
- Authentication consists of binding the identity of an external entity
to a corresponding subject.
- The external entity is required to provide a piece of information
allowing the authentication system to confirm its identity.
- The information may come from one or more of the following
sources:
1. Secret knowledge such as a password
2. A special device such as a smart card
3. Inherent human traits or characteristics such as fingerprints
4. A specific location such as particular domains or machines
Authentication Model
- The authentication process consists of checking the authentication
information supplied by an entity against some complementary
information stored by the authentication system.
- The authentication process is carried out through an authentication
system, which can be represented as a tuple (A, C, F, L, S) where:
1. A: the set of authentication information, used by entities to prove their identities (e.g., a password)
2. C: the set of complementary information, used by the system to validate authentication information (e.g., the hash of a password, or the password itself)
3. F: the set of complementation functions f: A → C, which generate the appropriate c ∈ C given a ∈ A
4. L: the set of authentication functions l: A × C → {true, false}, which verify identity
5. S: the set of selection functions, which generate or alter A and C

• Complementation functions: used to derive complementary information from the authentication information;
• Authentication functions: used to check the authentication information;
• Selection functions: used to create or modify the authentication and complementary information.

Example: UNIX Password Mechanism
- UNIX password format:
• Consists of up to eight ASCII characters, with the NUL (0) character excluded.
• Converted using one of 4,096 hash functions (4,096 versions of a modified DES, the version
being selected by a 12-bit salt) into an 11-character string, prefixed by two
additional characters identifying the function (i.e. exactly 13-character strings).
- As an authentication system, UNIX consists of the following:
• A = {strings of 8 characters or fewer}: about 6.9 × 10^16 passwords (chosen from a set of
127 possible characters).
• C = {2-character hash id || 11-character hash}: about 3.0 × 10^23 strings (chosen from an
alphabet of 64 characters).
• F = {the 4,096 versions of modified DES}: the complementation functions.
• L = {login, su, ...}: the authentication functions.
• S = {passwd, nispasswd, passwd+, ...}: the selection functions used to create or modify
passwords.
Attacks
- Attacks on an authentication system consist of finding authentication
information a ∈ A and associating it with a particular entity.
- The association may be achieved by computing, for f ∈ F, f(a) = c ∈ C
and linking c with the entity.
- Two forms of attacks on password-based authentication systems:
1. Social engineering: tricking an unsuspecting user into revealing their
authentication information; e.g., phishing
2. Dictionary attack: finding valid authentication information
through guessing.

Phishing Attacks
[Two slides, each showing a sample e-mail message, with the question: What do you
think of this message? Is it legitimate or a scam? (slide footer: © 13-Feb-15)]
Dictionary Attacks
• A password is just a string of characters
[Chart: average user's password choices, based on analysis of 34,000
passwords from a social network]
Dictionary Attacks (ctd.)
- Consist of guessing a password by repeated trial and error; this is the
most common form of attack on passwords.
- The attack is typically based on a list of words used as password
guesses, which plays the role of a dictionary. The words may be
organized randomly or ordered by some probability of selection.
- There are two forms of dictionary attacks:
1. Dictionary attack type 1 (offline): the attacker computes for each guess p ∈ Dic the
complement f(p) for each f ∈ F, and then attempts to match it with the
complementary information of an existing entity: f(p) = c? This requires
access to C (e.g., a copy of the password file).
2. Dictionary attack type 2 (online): the attacker applies the authentication functions
l ∈ L to the guess p; if l(p) = true, then p is valid authentication information.

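Added worked example (not part of the lecture slides): the (A, C, F, L, S) model from the Authentication Model slide and the two dictionary attacks above, implemented in Python. It stands in for the UNIX mechanism rather than reproducing it: the 4,096 complementation functions are PBKDF2-HMAC-SHA256 selected by a 12-bit salt instead of modified DES, the password store is an in-memory dictionary, and the names complementation, select, authenticate, type1_attack and type2_attack are this example's own.

```python
"""Password authentication modelled as the tuple (A, C, F, L, S) from the
lecture, with the two dictionary attacks run against it.

This is an illustrative model, not the UNIX crypt(3) mechanism: the 4,096
complementation functions are PBKDF2-HMAC-SHA256 instances selected by a
12-bit salt, and the stored complement c is "salt id || hash" just as the
UNIX scheme stores "2-char hash id || 11-char hash"."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

ITERATIONS = 1_000  # deliberately low so the demo is fast; production uses far more

# F: the 4,096 complementation functions f_salt : A -> C.
def complementation(salt: int) -> Callable[[str], str]:
    if not 0 <= salt < 4096:
        raise ValueError("salt must be a 12-bit value")

    def f(password: str) -> str:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt.to_bytes(2, "big"), ITERATIONS)
        return f"{salt:03x}${digest.hex()}"   # hash id || hash

    return f

def salt_of(c: str) -> int:
    """Recover which f in F produced a stored complement c."""
    return int(c.split("$", 1)[0], 16)

# The password store holds only complementary information (C), never A.
store: Dict[str, str] = {}

# S: selection function that creates or alters a user's (a, c) pair.
def select(user: str, password: str, salt: Optional[int] = None) -> str:
    if salt is None:
        salt = int.from_bytes(os.urandom(2), "big") % 4096
    store[user] = complementation(salt)(password)
    return store[user]

# L: authentication function l : A x C -> {true, false}.
def authenticate(user: str, password: str) -> bool:
    c = store.get(user)
    if c is None:
        return False
    return hmac.compare_digest(complementation(salt_of(c))(password), c)

# Dictionary attack type 1 (offline): the attacker holds a copy of C and
# computes f(p) for each guess p, matching against each user's c.  Because
# the salt selects f, the work is repeated per user, not once per guess.
def type1_attack(dictionary: Iterable[str], leaked: Dict[str, str]) -> Dict[str, str]:
    guesses = list(dictionary)
    cracked: Dict[str, str] = {}
    for user, c in leaked.items():
        f = complementation(salt_of(c))
        for p in guesses:
            if f(p) == c:
                cracked[user] = p
                break
    return cracked

# Dictionary attack type 2 (online): the attacker can only call l.
def type2_attack(dictionary: Iterable[str], user: str) -> Optional[str]:
    for p in dictionary:
        if authenticate(user, p):
            return p
    return None

if __name__ == "__main__":
    select("alice", "letmein")
    select("bob", "letmein")                # same password, different salt
    print(store["alice"] != store["bob"])   # True: salting hides the reuse
    dic = ["123456", "password", "letmein", "qwerty"]
    print(type1_attack(dic, store))    # both users cracked offline
    print(type2_attack(dic, "alice"))  # 'letmein', after three failed calls to l
```

The two attacks differ in what they cost the attacker and what the defender can see: type 1 runs entirely on the attacker's machine, and the salt only forces the f(p) computation to be repeated for every user; type 2 consumes one call to l per guess, which is exactly what the backoff and disconnection techniques later in this lecture throttle.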
Dictionary Attack Tools
- There is a variety of free dictionary attack tools:
• Some focus on only one type of attack (i.e. type 1 or type 2), while others support
several attack methods (e.g., dictionary and scanning attacks)
• Examples of popular tools: ncrack, Hydra, John the Ripper, Brutus, Medusa, etc.

Countermeasures
- In general, protection against attacks on authentication systems
consists of:
1. Hiding information related to a, c, or f.
2. Preventing access to the authentication functions l ∈ L.
- In particular, protection against dictionary attacks consists of
maximizing the time needed to guess the password.
• The probability that a dictionary attack succeeds in a specified time period is
expressed as:
$$P = \frac{T \times G}{N}$$
where:
- P is the probability that the attack succeeds
- T is the time period during which the attack takes place
- N is the total number of possible passwords
- G is the number of guesses that can be tested in one time unit
• Exercise:
An online banking scheme requires each user to choose a sequence of
n digits as a password.
1. What should be the minimum value of n if the probability of a successful guess
over a 6-month period is 40%, assuming that 1000 guesses can
be tested each second?
2. Is this a good scheme? If not, propose a better alternative.

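Worked solution of the first question (added here; not part of the lecture slides), using the lecture's formula $P = \frac{T \times G}{N}$ with $N = 10^{n}$ for an $n$-digit password and the assumption that six months is $180$ days of $86\,400$ seconds:

$$T = 180 \times 86\,400 = 1.5552 \times 10^{7}\ \text{s}, \qquad G = 10^{3}\ \text{guesses/s}, \qquad T \times G = 1.5552 \times 10^{10}$$

$$P \le 0.4 \;\Rightarrow\; N \ge \frac{T \times G}{P} = \frac{1.5552 \times 10^{10}}{0.4} = 3.888 \times 10^{10}$$

$$10^{n} \ge 3.888 \times 10^{10} \;\Rightarrow\; n \ge \log_{10}\left(3.888 \times 10^{10}\right) \approx 10.59 \;\Rightarrow\; n = 11$$

With $n = 10$ the attacker's $T \times G = 1.5552 \times 10^{10}$ already exceeds $N = 10^{10}$, i.e. the whole space is searched before the six months are over, so eleven digits is the minimum under these assumptions. For the second question the formula itself names the two levers: reduce $G$ (the system, not the user, decides how many guesses per second it accepts, which is what the backoff and disconnection techniques later in this lecture do) or increase $N$ beyond what digit-only passwords allow. The formula also assumes passwords are chosen uniformly at random; the data on real user choices shown earlier in this lecture makes that assumption optimistic.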
Password Strength
Purpose:
- Provide objective measures of password strength
- Measure how well password selection schemes work to produce
passwords that are difficult to guess
- NIST uses the standard (Shannon) definition of entropy and defines two
additional types of entropy:
Guessing entropy: the expected amount of work to guess
the password of a selected user
Min-entropy: the expected amount of work to guess
any single password in the set (i.e., the work to guess the most likely one)
- Unfortunately, there is no way to convert Shannon entropy
into guessing entropy
- Also, some studies have shown that these metrics do not reflect
the strength of passwords in practice.
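Added example (not from the lecture): the three measures above computed for one constructed password distribution, to make the slide's point that Shannon entropy does not translate into guessing work. The definitions used are this example's own working ones: Shannon entropy $H = -\sum p \log_2 p$, guessing work as the expected number of guesses for an attacker who tries passwords in decreasing order of probability, and min-entropy $-\log_2 \max p$; the distributions (one very popular password plus many rare ones) are made up.

```python
"""Shannon entropy, guessing work and min-entropy of a password distribution.

Illustrative code with constructed distributions.  Guessing work is reported
in expected guesses rather than bits so the numbers can be read directly."""
import math
from typing import Dict

def shannon_entropy(dist: Dict[str, float]) -> float:
    """H = -sum p log2 p, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def guessing_work(dist: Dict[str, float]) -> float:
    """Expected number of guesses for an attacker who knows the distribution
    and tries the most likely password first."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(ordered, 1))

def min_entropy(dist: Dict[str, float]) -> float:
    """-log2 of the most likely password's probability, in bits."""
    return -math.log2(max(dist.values()))

def success_within(dist: Dict[str, float], k: int) -> float:
    """Probability that the optimal attacker succeeds within k guesses."""
    return sum(sorted(dist.values(), reverse=True)[:k])

def uniform(n: int) -> Dict[str, float]:
    """n passwords, all equally likely (the assumption behind P = TG/N)."""
    return {f"pw{i}": 1.0 / n for i in range(n)}

def skewed(n: int, top: float) -> Dict[str, float]:
    """One password chosen with probability `top`; the other n-1 share the rest."""
    dist = {"123456": top}
    dist.update({f"pw{i}": (1.0 - top) / (n - 1) for i in range(1, n)})
    return dist

if __name__ == "__main__":
    for name, d in (("uniform 1024", uniform(1024)), ("skewed 1024", skewed(1024, 0.5))):
        print(f"{name}: H={shannon_entropy(d):.2f} bits, "
              f"guesses={guessing_work(d):.1f}, min-entropy={min_entropy(d):.2f} bits, "
              f"P(1 guess)={success_within(d, 1):.3f}")
```

For 1,024 equally likely passwords the three measures agree (10 bits, 512.5 expected guesses, 10 bits). Give one of those passwords probability 0.5 and Shannon entropy only drops to about 6 bits, but the expected number of guesses falls to 257 and the attacker's first guess succeeds half the time, which is what min-entropy (1 bit) captures and Shannon entropy hides.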
Password Protection Techniques
- Against type 1 dictionary attacks: password hardening using salting,
which consists of randomly selecting a different complementation function
for each user, so that the attacker must recompute f(p) for every user rather
than once per guess.
- Against type 2 dictionary attacks: common protection strategies
include:
1. Backoff techniques: between consecutive failed authentication attempts,
delay access to the system by an increasing amount of time.
2. Disconnection techniques: the connection is dropped after a specified number of
failed authentication attempts. The user must re-establish the connection.
3. Disabling techniques: the account (or system) is disabled after a specified number of failed
authentication attempts. In this case only the administrator has the power to
re-enable it.

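Added example (not from the lecture): the three type-2 countermeasures above combined into one login guard placed in front of an authentication function l, with a simulated online dictionary attacker to show what they cost the attacker. The thresholds (backoff doubling from 1 s, disconnection after 3 failures per connection, disabling after 5 consecutive failures) and all names are this example's own assumptions, not values from the slides.

```python
"""The three type-2 countermeasures from the slide (backoff, disconnection,
disabling) combined into one login guard in front of an authentication
function l, with a simulated online dictionary attacker to show their effect.

Illustrative code; the thresholds and delays are assumptions chosen for
the demo, not values from the lecture."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class AccountState:
    failures: int = 0            # consecutive failures since the last success
    session_failures: int = 0    # failures on the current connection
    not_before: float = 0.0      # no attempt is examined before this time (backoff)
    disabled: bool = False       # only an administrator clears this

@dataclass
class LoginGuard:
    check_password: Callable[[str, str], bool]   # the authentication function l
    clock: Callable[[], float]                   # injected so the demo needs no sleep()
    base_delay: float = 1.0                      # backoff delay doubles per failure...
    max_delay: float = 64.0                      # ...up to this cap
    disconnect_after: int = 3                    # failures per connection before dropping it
    disable_after: int = 5                       # consecutive failures before the account is disabled
    state: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'fail', 'backoff', 'disconnect' or 'disabled'."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if st.disabled:
            return "disabled"
        if now < st.not_before:
            return "backoff"          # refused without even consulting l
        if self.check_password(user, password):
            st.failures = st.session_failures = 0
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        st.session_failures += 1
        st.not_before = now + min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        if st.failures >= self.disable_after:
            st.disabled = True
            return "disabled"
        if st.session_failures >= self.disconnect_after:
            st.session_failures = 0   # the client has to reconnect before trying again
            return "disconnect"
        return "fail"

    def admin_enable(self, user: str) -> None:
        self.state[user] = AccountState()

class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds

def simulate_guessing(guard: LoginGuard, clock: FakeClock, user: str,
                      guesses: List[str]) -> Tuple[List[str], float]:
    """An online dictionary attacker who waits out every backoff and
    reconnects after every disconnection.  Returns the verdict per guess
    and the simulated time spent; the attacker stops on 'ok' or 'disabled'."""
    verdicts: List[str] = []
    for guess in guesses:
        while True:
            verdict = guard.attempt(user, guess)
            if verdict != "backoff":
                break
            clock.advance(guard.state[user].not_before - clock())
        verdicts.append(verdict)
        if verdict in ("ok", "disabled"):
            break
    return verdicts, clock()

def demo() -> Tuple[List[str], float, str, str]:
    clock = FakeClock()
    guard = LoginGuard(check_password=lambda u, p: p == "correct-horse", clock=clock)
    dictionary = ["123456", "password", "letmein", "qwerty", "abc123", "correct-horse"]
    verdicts, elapsed = simulate_guessing(guard, clock, "alice", dictionary)
    locked_out = guard.attempt("alice", "correct-horse")   # even the right password fails now
    guard.admin_enable("alice")
    after_reset = guard.attempt("alice", "correct-horse")
    return verdicts, elapsed, locked_out, after_reset

if __name__ == "__main__":
    print(demo())
```

In the demo the attacker's five guesses take 15 simulated seconds instead of being instantaneous (G in the lecture's formula is now set by the server), the third failure drops the connection, and the fifth disables the account so that even the correct sixth guess is refused until an administrator re-enables it. The backoff check runs before l is consulted, so a guess arriving during the delay costs the attacker time without costing the server a hash computation.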
Password Protection Techniques (ctd.)
- Other password protection approaches:
• Password aging: changing passwords after a specified period of time
or on the occurrence of specific events.
• Proactive password checking: enforcing specific restrictions on the selection of new
passwords (e.g., rejecting account names, user names, dictionary words, etc.)
• One-Time Password (OTP): a variable password which can be used only once

6. Follow-up Activities

Privilege Escalation
• Consists of exploiting a bug, design flaw or configuration
oversight in an OS or application to gain elevated access to
resources
• Unlike other attack phases, privilege escalation tools are not well
defined
• Various tactics are available:
– Exploit specific vulnerabilities (e.g. buffer overflow)
– Sniff the network for sensitive data (e.g. usernames/passwords)
– Social engineering

Privilege Escalation (ctd.)
• Buffer Overflow Vulnerability
– One of the most prevalent forms of software security vulnerability
– Exploits a program that copies excessively long input values into a
fixed-size buffer without checking their length
– Recurring security problem that has been around for some time
– Cost of a successful attack can be extremely high
• may give the attacker administrative control of the system.
[Figure: stack layout of a normal program invocation (program code; activation record
with local variables, buffer and return pointer on the execution stack) beside the
same program after overflow with malicious input: the buffer grows over the local
variables, the overwritten values replace the return pointer with a modified pointer,
and execution is redirected to the malicious code]

Maintaining Access
• Access is maintained using backdoors
• Backdoors:
– Provide ways around defensive obstacles, e.g., firewalls or access
control lists
– Speed up future accesses to the target network
– Can be set up easily using tools like Netcat

Maintaining Access (ctd.)
• Using Backdoors
– Typically created as a (malicious) client or server application using
network connectivity tools, e.g. netcat or OpenSSH
• Netcat and OpenSSH are (regular) applications used by administrators to
provide connectivity between two systems
– Can work as either a server or a client, to listen for or initiate a connection
– Can be configured to spawn a shell when a connection is made
– A backdoor can be set up in bind shell mode (the target listens and the attacker
connects in) or in reverse shell mode (the target connects out to the attacker)
• A reverse shell is convenient if inbound network access to the target is
blocked or terminated for some reason.

Covering Tracks
• Important, while on the exploited system, to be stealthy
and avoid detection
• Techniques used include:
– Manipulating log data
– Hiding files
– Using rootkits

Covering Tracks (ctd.)
• Manipulating log data
– Two general types of log files are of interest: system-generated and
application-generated.
– Two options:
• Delete the entire log
– Advantage: ensures the activity is untraceable
– Drawback: easily detectable
• Modify the contents of the log file
– Beneficial when targeted at removing only the log data related to specific
steps of the attack
– Drawback: removing or modifying specific pieces of information leaves
inconsistencies (e.g., gaps or out-of-order entries) that may raise flags

Covering Tracks (ctd.)
• Hiding files
– During the attack, we may need to add files and scripts to the
exploited system, e.g., to run a backdoor
– Need to hide these files to avoid detection
– Two different ways to hide a file:
• hide it in plain sight
– E.g., in Unix, the /dev/ directory, which originally contains over 7,500
files with archaic names, can be a good hideout
• take advantage of the OS file structure
– Shadow files; use spaces (or dots) as names
• Example: hiding files in Windows by adding the hidden attribute
– > attrib +h myfile.exe

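Added example (not from the lecture): the defender's side of the two techniques above, in Python. The first function spots a log that was edited rather than deleted (out-of-order timestamps, long silences, a session that closes without ever having opened); the second spots file names chosen to hide in a directory listing. The auth-log lines and the directory listing are constructed for the demo, and the thresholds and the list of directories in which dotfiles are treated as suspicious are this example's own assumptions.

```python
"""Two checks a defender can run against the track-covering techniques on
these slides: spotting a log that has been edited rather than deleted
(out-of-order timestamps, long silences, sessions that close without ever
having opened) and spotting file names chosen to hide in a listing.

Illustrative code with constructed sample data; the auth-log lines and the
directory listing below are made up for the demo."""
import re
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed syslog-style lines.  Lines 4 and 5 show the artefacts left behind
# when the "Accepted" and "session opened" records of a root login were deleted
# and an edited line was re-inserted with a wrong timestamp.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sshd[2211]: Accepted password for deploy from 10.0.0.5 port 51234 ssh2
Mar  4 09:12:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  4 09:14:37 web01 sshd[2211]: pam_unix(sshd:session): session closed for user deploy
Mar  4 13:48:09 web01 sshd[2390]: pam_unix(sshd:session): session closed for user root
Mar  4 13:40:00 web01 CRON[2402]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_line(line: str) -> Optional[Dict[str, Any]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, Any] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return rec

def find_log_tampering(lines: Iterable[str],
                       max_gap: timedelta = timedelta(hours=3)) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, detail) for each inconsistency found."""
    findings: List[Tuple[int, str, str]] = []
    latest: Optional[datetime] = None
    open_sessions = set()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable", line))
            continue
        ts = rec["ts"]
        if latest is not None:
            if ts < latest:
                findings.append((n, "out-of-order", f"{ts:%b %d %H:%M:%S} follows {latest:%b %d %H:%M:%S}"))
            elif ts - latest > max_gap:
                findings.append((n, "gap", f"{ts - latest} of silence before this line"))
        latest = ts if latest is None else max(latest, ts)
        key = (rec["prog"], rec["pid"])
        if "session opened" in rec["msg"]:
            open_sessions.add(key)
        elif "session closed" in rec["msg"]:
            if key in open_sessions:
                open_sessions.discard(key)
            else:
                findings.append((n, "orphan-close", f"{rec['prog']}[{rec['pid']}] closed a session that never opened"))
    return findings

SAMPLE_LISTING = [                      # constructed (directory, name) pairs
    ("/dev", "null"), ("/dev", ".  "), ("/dev", "..."), ("/tmp", " "),
    ("/home/deploy", "notes.txt"), ("/dev", ".shm_cache"), ("/tmp", "script.sh\n"),
]

def suspicious_names(entries: Iterable[Tuple[str, str]],
                     no_dotfiles: Tuple[str, ...] = ("/dev",)) -> List[Tuple[str, str, List[str]]]:
    """Flag names that exploit how listings are displayed: whitespace or
    dots only, leading/trailing whitespace, control characters, and
    dotfiles in directories where nothing legitimate is hidden."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for directory, name in entries:
        if name in (".", ".."):
            continue
        reasons: List[str] = []
        stripped = name.strip()
        if not stripped:
            reasons.append("whitespace-only name")
        elif stripped != name:
            reasons.append("leading/trailing whitespace")
        if stripped and set(stripped) <= {"."}:
            reasons.append("dots-only name")
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
            reasons.append("control character in name")
        if name.startswith(".") and directory in no_dotfiles:
            reasons.append(f"dotfile in {directory}")
        if reasons:
            flagged.append((directory, name, reasons))
    return flagged

if __name__ == "__main__":
    for finding in find_log_tampering(SAMPLE_AUTH_LOG):
        print(finding)
    for directory, name, reasons in suspicious_names(SAMPLE_LISTING):
        print(directory, repr(name), reasons)
```

On the sample log the checker reports a 4.5-hour gap before line 4, a session close on line 4 for an sshd process whose open was never logged, and a timestamp on line 5 earlier than the one before it: the three fingerprints of the "modify the contents" option. Comparing the same period across independent sources (wtmp, the application's own log, a remote syslog collector) makes the deletion itself visible rather than only its side effects.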
Covering Tracks (ctd.)
• Using Rootkits
– Modify the file system by automatically installing trojaned binaries
– Allow modifying and configuring the system so that it does not return certain
data to the user
– Target basic system utilities and commands that can help in
locating misconfigurations or suspicious activities
• E.g., ls, netstat, ps, etc.

7. Denial of Service
• Occurs when an unauthorized user prevents a legitimate
one from accessing or using services delivered by the
system.
[Figure: a hacker attacks a server over the network; the legitimate user is denied service]
- Sources of DoS attacks:
• Abuse of a legitimate feature (e.g., mail service, communication protocols).
• Creation of malformed packets that confuse the TCP/IP stack of the target machine.
• Exploitation of bugs in a particular network daemon (e.g., tcpd, httpd).
• Spoofing IP Addresses
– Goal: hide the attack source
– Adequate for non-interactive attacks
[Figure: the attacker (IP 123.102.99.200) sends a request with a spoofed source
address, SrcIP: 125.132.0.100, DstIP: 142.92.0.0; the host at 142.92.0.0 sends its
reply (SrcIP: 142.92.0.0, DstIP: 125.132.0.100) to 125.132.0.100, not to the attacker]
• Reflection Attacks
– Use an intermediary to deliver the attack traffic
to the victim.
– Generic reflection attack scenario:
1. The attacker sends a packet with a spoofed source IP address to
the intermediary, with the spoofed address being the address of the target.
2. The response from the intermediary is delivered to the target instead of
the attacker.
– Targeted protocols (i.e. reflectors): DNS, NTP, SSDP, SNMP, RPC
• Amplification Attacks
– Deliver a larger response than the original query
– Targeted protocols (i.e. amplifiers): DNS, NTP, SSDP, SNMP
[Figure: generic amplification attack scenario. The attacker (bot, IP 123.102.99.200)
sends spoofed DNS queries with SRC IP 125.132.0.100 to open DNS resolvers (e.g., at
142.92.0.0); the amplified DNS responses are delivered to the victim at IP 125.132.0.100.
Amplification attack tool: Saddam]
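Added example (not from the lecture): the spoofing, reflection and amplification mechanics of the last three slides worked through on the wire in Python. It builds a DNS query in RFC 1035 format, builds the kind of oversized response an open resolver returns for it, computes the bandwidth amplification factor, and then flags DNS responses arriving at hosts that never sent a matching query, which is what the spoofed victim's network sees. The packet records are constructed for the demo, the assumed UDP/IPv4 overhead of 28 bytes per packet and the 5-second matching window are this example's choices, and the TXT-record response is a stand-in for whatever large answer a real amplifier serves.

```python
"""The reflection/amplification mechanics on these slides worked through on
the wire: build a DNS query, build the kind of oversized response an open
resolver returns for it, compute the bandwidth amplification factor, and
flag DNS responses arriving at hosts that never sent a matching query (what
the spoofed victim sees).

Illustrative code; the packet records at the bottom are constructed for the
demo and the UDP/IP overhead of 28 bytes per packet is an assumption."""
import struct
from typing import Dict, List, NamedTuple, Tuple

QTYPE_ANY, QTYPE_TXT = 255, 16

def build_dns_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Single-question DNS query in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def build_dns_response(query: bytes, txt_records: List[bytes], ttl: int = 300) -> bytes:
    """Answer `query` with one TXT RR per entry (name via a compression
    pointer to the question), as a resolver serving a large zone would."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]                       # our queries carry only the question
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(txt_records), 0, 0)
    answers = b""
    for text in txt_records:
        chunks = [text[i:i + 255] for i in range(0, len(text), 255)]   # TXT strings are <= 255 bytes
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, ttl, len(rdata)) + rdata
    return header + question + answers

def parse_header(pkt: bytes) -> Dict[str, int]:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": flags >> 15, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def amplification_factor(query: bytes, response: bytes, overhead: int = 28) -> float:
    """Bandwidth amplification factor on the wire (UDP+IPv4 headers assumed = 28 bytes)."""
    return (len(response) + overhead) / (len(query) + overhead)

class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    size: int

def unsolicited_dns_responses(packets: List[Packet], our_prefix: str,
                              window: float = 5.0) -> List[Packet]:
    """UDP/53 responses to our hosts with no matching outbound query in the
    last `window` seconds: what a reflection victim receives."""
    last_query: Dict[Tuple[str, int, str], float] = {}
    flagged: List[Packet] = []
    for p in packets:
        if p.src.startswith(our_prefix) and p.dport == 53:
            last_query[(p.src, p.sport, p.dst)] = p.ts
        elif p.dst.startswith(our_prefix) and p.sport == 53:
            sent = last_query.get((p.dst, p.dport, p.src))
            if sent is None or p.ts - sent > window:
                flagged.append(p)
    return flagged

# Constructed traffic: one legitimate lookup by 10.0.0.7, then a burst of
# amplified responses from two open resolvers aimed at 10.0.0.100.
SAMPLE_PACKETS = [Packet(0.00, "10.0.0.7", 40001, "192.0.2.53", 53, 57),
                  Packet(0.02, "192.0.2.53", 53, "10.0.0.7", 40001, 240)] + [
    Packet(1.0 + i / 100, resolver, 53, "10.0.0.100", 30000 + i, 3105)
    for i in range(20) for resolver in ("198.51.100.10", "203.0.113.77")]

def demo() -> Tuple[float, int, int]:
    q = build_dns_query("example.com")
    r = build_dns_response(q, [b"v=spf1 " + b"a" * 993] * 3)
    flagged = unsolicited_dns_responses(SAMPLE_PACKETS, "10.0.0.")
    return amplification_factor(q, r), len(flagged), sum(p.size for p in flagged)

if __name__ == "__main__":
    print(demo())
```

A 29-byte ANY query (57 bytes with headers) that draws three 1,000-byte TXT records back produces a 3,077-byte response, an amplification factor of about 54: every byte the attacker spends, with the victim's address as source, costs the victim 54. On the victim's side the matching check is the useful signal; the responses are well-formed DNS, and only the absence of a query they answer gives them away.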
• SYN Flooding attack
– Consists of sending a large number of SYN packets and
never acknowledging any of the replies.
– Creating too many partially-open connections can
quickly overflow the receiver's connection table
[Figure: a normal TCP exchange between Alice and Bob: SYN, SYN_ACK, ACK (the three-way
handshake), DATA in both directions, then a half-close: FIN, ACK, remaining DATA, FIN, ACK]
- Attack tool: hping3

• Smurfing attack
– Based on the Internet Control Message Protocol (ICMP)
• send an echo request to a remote host to check whether it is alive
Anatomy:
1. Construct a packet with the source address forged to be that of the victim
2. Send the crafted packets to a broadcast address, which is shared by
several hosts
3. The hosts systematically reply to the victim, which is then overwhelmed
[Figure: the attacker sends "Are you alive?" echo requests, apparently from the victim,
to the broadcast address; hosts H1, H2, ... Hn each answer "yes" to the victim]

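Added example (not from the lecture): detection logic for the two flooding attacks above, run over constructed packet summaries in Python. The first part counts half-open TCP connections per listener, the signature of a SYN flood; the second looks for the two signatures of a smurf attack, echo requests addressed to a broadcast address (their source is the claimed victim, almost certainly spoofed) and one host receiving echo replies from many distinct hosts. All traffic is generated by the example itself, and the thresholds, the 1-second minimum age of a half-open connection and the packet record format are its own assumptions.

```python
"""Detection logic for the two flooding attacks on these slides, run over
constructed packet summaries: half-open TCP connections per listener
(SYN flood) and the two signatures of a smurf attack (echo requests sent
to a broadcast address, and one host receiving echo replies from many
others).  Illustrative code; all traffic below is made up for the demo."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Pkt(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    kind: str           # TCP flags ("S", "SA", "A") or ICMP type ("echo-request", "echo-reply")
    sport: int = 0
    dport: int = 0

def half_open_connections(packets: List[Pkt], now: float,
                          min_age: float = 1.0) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Per (server, port): number of connections still waiting for the
    third handshake step at time `now`, and the number of distinct client
    addresses behind them (spoofed floods show many, one per SYN)."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)      # client-side 4-tuple
        if p.kind == "S":
            pending[key] = p.ts
        elif p.kind == "A":
            pending.pop(key, None)                   # handshake completed
    counts: Counter = Counter()
    clients: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for (src, _sp, dst, dp), ts in pending.items():
        if now - ts >= min_age:                      # a fresh SYN is not suspicious yet
            counts[(dst, dp)] += 1
            clients[(dst, dp)].add(src)
    return {k: (n, len(clients[k])) for k, n in counts.items()}

def syn_flood_targets(packets: List[Pkt], now: float,
                      threshold: int = 100) -> Dict[Tuple[str, int], Tuple[int, int]]:
    return {k: v for k, v in half_open_connections(packets, now).items() if v[0] >= threshold}

def smurf_indicators(packets: List[Pkt], broadcast_addrs: Set[str],
                     reply_threshold: int = 10) -> Dict[str, Dict[str, int]]:
    claimed_victims: Counter = Counter()       # source addresses of echo requests to broadcast
    repliers: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.kind == "echo-request" and p.dst in broadcast_addrs:
            claimed_victims[p.src] += 1
        elif p.kind == "echo-reply":
            repliers[p.dst].add(p.src)
    floods = {dst: len(s) for dst, s in repliers.items() if len(s) >= reply_threshold}
    return {"spoofed_requests": dict(claimed_victims), "reply_floods": floods}

def sample_syn_flood() -> List[Pkt]:
    """Three real clients completing handshakes with 10.0.0.10:80, plus 200
    SYNs from spoofed sources that never send the final ACK (hping3-style)."""
    pkts: List[Pkt] = []
    for k in range(3):
        c, sp = f"10.0.0.2{k}", 50000 + k
        pkts += [Pkt(0.5, c, "10.0.0.10", "tcp", "S", sp, 80),
                 Pkt(0.55, "10.0.0.10", c, "tcp", "SA", 80, sp),
                 Pkt(0.6, c, "10.0.0.10", "tcp", "A", sp, 80)]
    pkts += [Pkt(i / 100, f"203.0.113.{i + 1}", "10.0.0.10", "tcp", "S", 1000 + i, 80)
             for i in range(200)]
    return pkts

def sample_smurf() -> List[Pkt]:
    """Five echo requests 'from' the victim to the broadcast address, and
    every one of 20 hosts on that subnet replying to the victim each time."""
    victim, bcast = "192.0.2.50", "10.0.0.255"
    pkts = [Pkt(float(t), victim, bcast, "icmp", "echo-request") for t in range(5)]
    pkts += [Pkt(t + 0.01, f"10.0.0.{h}", victim, "icmp", "echo-reply")
             for t in range(5) for h in range(1, 21)]
    return pkts

if __name__ == "__main__":
    print(syn_flood_targets(sample_syn_flood(), now=5.0))
    print(smurf_indicators(sample_smurf(), {"10.0.0.255"}))
```

The SYN flood check reports 200 half-open connections on 10.0.0.10:80 from 200 distinct addresses while the three real clients, whose ACKs arrived, do not appear at all; the equal number of connections and addresses is itself a hint that the sources are spoofed. For the smurf sample, the five requests to 10.0.0.255 name 192.0.2.50 as their source and 20 hosts answer it: the network sending the replies is the amplifier and the named source is the victim, which is why blocking directed broadcasts at the border stops the attack at the intermediary rather than at the target.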
