CYS 7132 - Lect-5
Gaining Access
• Necessary step for gaining access to a valid account
– Crack/bypass existing authentication mechanism
• Password
– Most prevalent form of authentication
– Main target of attacks
• Various types of attacks
– Social engineering
– Phishing
– Dictionary attacks
– Credential stuffing
Authentication Systems
Notion of Authentication
-External entities such as human users are represented within
computing systems by subjects, which act on their behalf.
-Authentication consists of binding the identity of an external entity
to a corresponding subject.
2. C: the set of complementary information (used by the system to validate authentication information, e.g., the hash of a password or the password itself)
Example: UNIX Password Mechanism
-Unix Password Format:
•Consists of up to eight ASCII characters, with the NUL (0) character excluded.
•Converted using one of 4,096 hash functions into an 11-character string, plus two
additional characters identifying the function (i.e., exactly 13-character strings).
Phishing Attacks
What do you think of this message? Is it legitimate or a scam?
© 13-Feb-15
Phishing Attacks (ctd.)
What do you think of this message? Is it legitimate or a scam?
Dictionary Attacks
1. Dictionary attack type 1: the attacker computes for each guess p ∈ Dic the
complement f(p) for each f ∈ F, and then attempts to match it with the
complementary information of an existing entity: f(p) = c?
Dictionary Attack Tools
•Examples of popular tools: ncrack, Hydra, John the Ripper, Brutus, Medusa, etc.
Countermeasures
-In general, protection against attacks on authentication systems
consists of:
Password Strength
Purpose:
- Provide objective measures of password strength
- Measure how well password selection schemes work to produce
passwords that are difficult to guess
- NIST uses the standard definition of entropy and defines two
additional types of entropy:
Guessing Entropy: the expected amount of work to guess
the password of a selected user
Min-Entropy: the expected amount of work to guess
any single password in the set
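The three measures listed above (standard entropy, guessing entropy, min-entropy), computed over a constructed sample of password choices; this is an added example, not part of the lecture slides. The sample data is made up, and the conversion of expected guesses to bits assumes the uniform-space equivalence E[guesses] = (2^b + 1)/2, which the slide does not spell out.

```python
import math
from collections import Counter

# Constructed sample of passwords picked under some selection scheme
# (not real data): each string is one user's choice.
SAMPLE = ["123456"] * 4 + ["password"] * 2 + ["qwerty", "letmein"]

def distribution(samples):
    """Empirical probability of each distinct password in the sample."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {pw: n / total for pw, n in counts.items()}

def shannon_entropy(dist):
    """Standard entropy, -sum p*log2(p), in bits."""
    return -sum(p * math.log2(p) for p in dist.values())

def expected_guesses(dist):
    """Expected number of guesses for an attacker who tries passwords in
    decreasing order of probability (the optimal guessing order)."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))

def guessing_entropy_bits(dist):
    """Guessing entropy in bits: the size b of a uniform password space
    with the same expected work, i.e. E[guesses] = (2**b + 1) / 2.
    Assumption: this uniform-space equivalence is the conversion used."""
    return math.log2(2 * expected_guesses(dist) - 1)

def min_entropy_bits(dist):
    """Min-entropy, -log2(p_max): the work to guess the single most likely
    password, a lower bound that holds for any one user in the set."""
    return -math.log2(max(dist.values()))

def password_metrics(samples):
    """All four measures for a list of observed password choices."""
    dist = distribution(samples)
    return {
        "shannon_bits": shannon_entropy(dist),
        "expected_guesses": expected_guesses(dist),
        "guessing_bits": guessing_entropy_bits(dist),
        "min_entropy_bits": min_entropy_bits(dist),
    }

if __name__ == "__main__":
    # Skewed sample vs. a uniform choice of 4 passwords: the uniform case
    # gives 2 bits under every measure, the skewed one scores lower.
    for name, sample in [("skewed", SAMPLE), ("uniform", list("abcd"))]:
        print(name, {k: round(v, 3) for k, v in password_metrics(sample).items()})
```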
Password Protection Techniques (ctd.)
•Password aging: consists of changing passwords after a specified period of time
or on the occurrence of specific events.
•One-Time Password (OTP): a variable password that can be used only once
6. Follow-up Activities
Privilege Escalation
Privilege Escalation (ctd.)
Maintaining Access
Maintaining Access (ctd.)
• Using Backdoors
– Typically created as (malicious) client or server application using
network connectivity tools, e.g. netcat or OpenSSH
• Netcat and OpenSSH are (regular) applications used by administrators to
provide connectivity between two systems
– Can work as either a server or client to listen for a connection
– Can be configured to spawn a shell when a connection is made
– A backdoor can be set up in bind shell or reverse shell mode
• A reverse shell is convenient if network access to the target is
terminated for some reason.
Covering Tracks
• Important, while on the exploited system, to be stealthy
and avoid detection
• Techniques used include:
– Manipulating log data
– Hiding files
– Using Rootkits
Covering Tracks (ctd.)
Covering Tracks (ctd.)
• Hiding files
– During the attack, we may need to add files and scripts to the
exploited system, e.g., to run a backdoor
– Need to hide these files to avoid detection
– Two different ways to hide a file:
• hide it in plain sight
– E.g., in Unix, the /dev/ directory, which originally contains over 7,500
files with archaic names, can be a good hideout
• take advantage of the OS file structure
– Shadow files; use spaces as names
• Example: Hiding files in Windows by adding the hidden attribute
– >attrib +h myfile.exe
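A defender-side check for the two Unix hiding spots described above (regular files parked in a device directory such as /dev, and names made of or padded with spaces), written as an added example rather than lecture material. The sample tree is constructed in a temporary directory; the Windows hidden-attribute case is not covered here.

```python
import os
import stat
import tempfile

def suspicious_name(name):
    """Names consisting of spaces, or padded with them (' ', 'log '), are
    easy to overlook in a directory listing. Return a reason or None."""
    if name.strip() == "":
        return "whitespace-only name"
    if name != name.strip():
        return "leading/trailing whitespace in name"
    return None

def scan(root, device_dir=False):
    """Walk root (without following symlinks) and return sorted
    (path, reason) pairs. With device_dir=True, root is treated like /dev,
    where only device nodes, directories, symlinks and FIFOs belong, so
    any regular file is reported as well."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reason = suspicious_name(name)
            if reason:
                findings.append((path, reason))
            if device_dir and stat.S_ISREG(os.lstat(path).st_mode):
                findings.append((path, "regular file in device directory"))
    return sorted(findings)

def build_demo():
    """Constructed sample tree standing in for /dev: one directory and
    three regular files, two of them with space-based names."""
    root = tempfile.mkdtemp(prefix="devscan-")
    os.mkdir(os.path.join(root, "pts"))
    for name in ["tty", " ", "random "]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed payload stand-in\n")
    return root

if __name__ == "__main__":
    demo = build_demo()
    for path, reason in scan(demo, device_dir=True):
        print(f"{reason:<40} {path!r}")
```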
Covering Tracks (ctd.)
• Using Rootkits
– Modify the file system by automatically installing trojaned binaries
– Allow modifying and configuring the system to not return certain
data to the user
– Target basic system utilities and commands that can help in
locating misconfigurations or suspicious activities
• E.g., ls, netstat, ps, etc.
7. Denial of Service
• Occurs when an unauthorized user prevents a legitimate
one from accessing or using services delivered by the
system.
[Figure: a user (IP 125.132.0.100) exchanges a request (SrcIP 125.132.0.100, DstIP 142.92.0.0) and a reply (SrcIP 142.92.0.0, DstIP 125.132.0.100) with a server (IP 142.92.0.0) over the network, while a hacker (IP 123.102.99.200) attacks the server]
• Reflection Attacks
– Use an intermediary to deliver the attack traffic
to the victim.
– Generic reflection attack scenario:
[Figure: generic reflection attack scenario: an open DNS resolver (IP 142.92.0.0) delivers an amplified DNS response to the victim (IP 125.132.0.100); a second panel shows a TCP FIN/ACK/DATA/FIN/ACK exchange]
• Smurfing attack
– Based on the Internet Control Message Protocol
(ICMP)
• send an echo to a remote host to check whether it is alive
Anatomy:
1. Construct a packet with the source address forged to be that of the victim.
2. Send crafted packets to a broadcast address, which is shared by several hosts.
3. Hosts systematically reply to the victim, which is then overwhelmed.
[Figure: the attacker sends "Are you alive?" (a message appearing to come from the victim) to a broadcast host shared by H1, H2, … Hn; every host answers "yes" to the victim]
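Detection logic for step 2 of the anatomy above, run over constructed flow records: ICMP echo requests aimed at a broadcast address, whose source is the address that will be flooded with replies. This is an added example, not part of the lecture; the records, the local subnets and the record format are all assumptions made for the example, and 125.132.0.100 is reused as the victim address from the slide figures.

```python
import ipaddress
from collections import Counter

# Constructed flow records (not real traffic). 125.132.0.100 is the
# victim address from the lecture figures, here as the forged source.
LOG = """\
2015-02-13T10:00:01 ICMP type=8 src=10.0.0.7 dst=10.0.0.9
2015-02-13T10:00:02 ICMP type=8 src=125.132.0.100 dst=10.0.0.255
2015-02-13T10:00:02 ICMP type=8 src=125.132.0.100 dst=10.0.1.255
2015-02-13T10:00:03 ICMP type=0 src=10.0.0.9 dst=10.0.0.7
2015-02-13T10:00:03 ICMP type=8 src=125.132.0.100 dst=255.255.255.255
2015-02-13T10:00:04 UDP src=10.0.0.7 dst=10.0.0.255 dport=137
"""
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24"),   # subnets the site
              ipaddress.ip_network("10.0.1.0/24")]   # owns (assumed)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def parse_records(text):
    """One dict per line: timestamp, protocol, then the key=value fields."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        rec = {"ts": tokens[0], "proto": tokens[1]}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def is_broadcast(addr, nets):
    """Limited broadcast or the directed-broadcast address of a local net."""
    return addr == LIMITED_BROADCAST or any(addr == n.broadcast_address for n in nets)

def find_smurf_indicators(records, nets):
    """ICMP echo requests (type 8) sent to a broadcast address. Their source
    is the address every host will answer, i.e. the forged victim; a source
    outside the local nets strengthens the forgery suspicion."""
    flagged, sources = [], Counter()
    for rec in records:
        if rec["proto"] != "ICMP" or rec.get("type") != "8":
            continue
        if not is_broadcast(ipaddress.ip_address(rec["dst"]), nets):
            continue
        src = ipaddress.ip_address(rec["src"])
        flagged.append({**rec, "src_external": not any(src in n for n in nets)})
        sources[rec["src"]] += 1
    return flagged, sources
```

`find_smurf_indicators(parse_records(LOG), LOCAL_NETS)` returns the three broadcast-directed echo requests and a per-source count that names 125.132.0.100 as the likely victim.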