Information Security Incident Handling MOOC03

Uploaded by joefox

Information Security Incident Handling
Webinar 3
Hacker Techniques and Countermeasures

Jeremy Koster

1
Brief Recap

• The hacking process
• Security testing
• Foot-printing
• Wireless and network scanning
• Types of network scans
• Nmap
• Password guessing and cracking
2
Malware and Viruses

• Malware
– Software designed to perform malicious activities
– Collects data (credit cards, credentials, session tokens)
• Viruses
– Spreads from system to system attaching itself to files
– Requires user interaction
– Logic bombs (triggered by an event)
– Polymorphic (change and mutate to avoid detection)
– Multipartite (many propagation vectors)
– Macro (uses macro language)
– Hoaxes (fake announcements of viruses)

3
Worms

• Worms
– Automatic spreading of infection
– No host program required
– Rapid replication
– Consumes resources
– Commonly consume bandwidth and resources

• Examples
– Morris worm
– Nimda
– Crunchy/Spybot
– Conficker/Downadup

4
Spyware and Adware
• Collect information
– Browsing habits
– Credentials
– Financial information
– Personal information
• Delivery mechanisms
– Email attachments and URLs
– Drive-by infections
– Peer to peer networks
– Instant messaging and IRC
– USB drives
• Adware
– Shows ads and pop-ups

5
Scareware and Trojan Horses

• Scareware
– FakeAV
– Ransomware (CryptoLocker)
– Disable security systems
• Trojan Horses
– Looks legitimate
– Malicious payload
• Remote access (RAT)
• Capturing or destroying data
• Denial of service
• Jump host, file server or proxy
– Uses common ports
– Games, jokes, screen savers, chat programs and media players

6
Backdoors or Trapdoors
• Included by developers
– To aid in problem solving or spying
– When the normal processes fail
– Dangerous when included, diabolical when discovered
• Installed by attackers
– After gaining access
• Bypasses logging and monitoring
• Types
– Rootkit and process hiding
– Service modification
– User account
• Command-line Remote Control Tools
– Netcat (nc, nc.exe)
– Reverse telnet
– Psexec
• Graphical remote control
– VNC

7
Web Application Security

• Importance
– Front door to organisation
– High exposure and visibility
– Often access to bulk data
• Uses of HTTP/HTTPS
– Company web sites
– SSL VPNs
– Voice and video communications
– Embedded devices (webcams, PABX)
– Administrator consoles (servers, fax machines, printers)

8
Web Application Attacks
• Defacement
– DNS attacks to redirect users to a different server
– PUT method
– Incorrect privileges
– MITM to grab admin credentials
– Brute-force attacks to gain admin credentials
• Data exfiltration or unauthorised access
– SQL Injection
– XSS and XSRF
– Authentication bypass (session hijacking)
– Erroneous application logic
• Denial of service
– Low system capacity (LOIC)
– Low network capacity
– Application vulnerabilities (SlowLoris)

9
Web Application Hacking Tools

• Google dorks
– Finding vulnerable servers that have been indexed by Google
– site:example.com
– “index of /admin”
– filetype:htaccess user
• Web crawling
– Grabbing the entire site for analysis
– wget
– HTTrack
• Web application assessment
– Browser plugins (TamperData)
– Proxies (Burp and OWASP ZAP)
– Application vulnerabilities (SlowLoris)

10
Web Application Vulnerabilities
• XSS
– Targets the users (clients) of the application
– Account and session hijacking
– Cookie theft
– Misdirection and misrepresentation
• SQL Injection
– Raw SQL queries into a field (sometimes blind)
– Bypass authentication
– Drop tables
– Getting a command shell
• CSRF
– Launches a request to a website within an active session through another website
– Password reset
– Funds transfers
– Purchases
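
The authentication bypass listed under SQL Injection, shown as an added example that is not part of the slides: the vulnerable login splices the form field into the SQL text, the hardened one binds it as a parameter. The in-memory SQLite table, the user `alice` and the function names are constructed for the example.

```python
import sqlite3

def setup_db():
    """Constructed in-memory users table standing in for the application's
    database. Passwords are kept in clear only so the query logic stays
    visible; a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The field contents are spliced into the SQL text, so quote characters
    typed into the form change the structure of the query."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None

def login_hardened(conn, username, password):
    """Parameterised query: the driver binds the values, so they are never
    parsed as SQL regardless of what they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Textbook tautology input: the leading quote closes the password literal and
# the OR clause makes the WHERE condition true for the row being checked.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, real password:", login_vulnerable(conn, "alice", "correct horse"))
    print("vulnerable, tautology:    ", login_vulnerable(conn, "alice", TAUTOLOGY))
    print("hardened,   tautology:    ", login_hardened(conn, "alice", TAUTOLOGY))
```

The same tautology that logs in through `login_vulnerable` is treated as a literal password string by `login_hardened` and fails, which is the whole of the fix.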

11
Database Attacks

• Discovery
– MS SQL port 1434
– Nmap
– MySQL, Oracle, PostgreSQL
• Weaknesses
– General software vulnerabilities (Slammer hit 75K in the first 10 minutes)
– Weak passwords
– No password guessing protection
– Misconfiguration
– Denial of service
12
Attacks on Phone Systems

• PBX Hacking
– Dial-up connections to PBXs
– Internet accessible PBXs
– Default settings
• Voicemail hacking
– Default PIN numbers
– Just need the mobile number
• Direct Inward System Access (DISA)
– Used to allow staff to make use of lower cost company calls
– Can be used to resell long distance telephone calls

13
Remote Access Attacks

• IPSec
– Site-to-site
– Client-to-site
– Split tunnelling
• Google hacking
– filetype:pcf
– Cisco VPN profile information
– UDP 500
• Citrix
– Password guessing
– Kiosk style break-out (print, help, hyperlinks, internet explorer)

14
Evading Detection
• Purpose
– Stay on a system as long as possible
– Erasing evidence, logs, errors messages, files and users
• Rootkits
– Hides malicious functions in existing system files and utilities
– Typically works with root privileges (kernel-mode)
– Allows for continued access, software installation, monitor traffic
– User-mode rootkits run alongside other applications (DLL and process injection)
• Alternate data streams
– An additional stream of data within a file
– Commonly used for metadata
– Originally implemented to allow NTFS to talk to HFS
– Difficult to identify

15
Countermeasures
• Network level
• System based
• Security Architecture
– Zoning
– Security services

16
Network Analysis Tools

• Intrusion detection and prevention
– Signatures identify malicious activity
– Dangerous in protective mode
– Excellent for post incident analysis
– NIDS, HIDS, NIPS, HIPS or IDP
• Network intrusion detection / prevention
– Network level protocol and packet analysis - much like a packet sniffer
– Send alerts or terminates activity
– Integrate with firewalls
– Cannot inspect encrypted traffic
– Collect information useful for investigations

17
System Analysis Tools

• File integrity monitoring
– Keeps an eye on critical files and settings
– Traditionally good for change control
– Excellent for post incident analysis
• Password auditing
– Good for finding the weak accounts
• Exploit tools
– Good for validating the plausibility of intrusion by vulnerability
18
Logging and Monitoring
• Purpose
– Keeps an eye on critical files and settings
– Traditionally good for change control
– Excellent for post incident analysis
• Security information and event management (SIEM)
– Notify in the case of a serious incident
– Post-incident investigation
• Events of interest
– User – login, logoff, add, disable, delete, include in group
– System – shutdown, restart, service shutdown/restart, time alteration, file deletion, privileged functions
– Application and DB – logon, logoff, backup, privileged commands
– Security equipment – suspicious behaviour, block events
• Systems of interest
– Major business applications – CRM, accounts, billing, HR, web sites (user-agent)
– Servers and workstations – AD, file shares, print servers
– Authentication systems – logon, logoff, restart, log flush, configuration changes
– Network devices and services – VPN, routers, switches, DNS servers
– Security equipment – IDS/IPS, firewalls, antivirus
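
Detection logic for the events of interest listed above, as an added example that is not from the slides: a small rule set keyed to the user and system events (login, account added, group membership, privileged commands, log deletion, service stop, time alteration), run over constructed syslog-style lines. The host name, PIDs, user names and the exact message formats are assumptions made for the example.

```python
import re
from collections import Counter

# Detection rules keyed to the events of interest in the slide. The patterns
# target the constructed lines below and would need tuning for a real source.
RULES = [
    ("user: login",                re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+")),
    ("user: account added",        re.compile(r"useradd\[\d+\]: new user")),
    ("user: added to group",       re.compile(r"usermod\[\d+\]: add '\S+' to group '\S+'")),
    ("system: privileged command", re.compile(r"sudo:\s+\S+ : .*COMMAND=")),
    ("system: log deletion",       re.compile(r"journalctl --vacuum|rm -rf? /var/log")),
    ("system: service stopped",    re.compile(r"systemd\[1\]: Stopped (Security Auditing|System Logging) Service")),
    ("system: time alteration",    re.compile(r"systemd-timedated\[\d+\]: Changed local time")),
]

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = [
    "Mar  3 02:14:07 web01 useradd[4182]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash",
    "Mar  3 02:14:09 web01 usermod[4190]: add 'svc_backup' to group 'sudo'",
    "Mar  3 02:14:30 web01 systemd[1]: Stopped Security Auditing Service.",
    "Mar  3 02:15:01 web01 sudo:  svc_backup : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl --vacuum-time=1s",
    "Mar  3 02:15:02 web01 systemd-timedated[4201]: Changed local time to Mon 2014-03-03 01:00:00 UTC",
    "Mar  3 02:16:00 web01 sshd[4210]: Accepted publickey for deploy from 10.0.0.5 port 51342 ssh2",
    "Mar  3 02:16:10 web01 CRON[4220]: (root) CMD (run-parts /etc/cron.hourly)",
]

def events_of_interest(lines):
    """Return (label, line) for every rule a line matches. One line can carry
    several labels: the sudo line is both a privileged command and a log deletion."""
    hits = []
    for line in lines:
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((label, line))
    return hits

def summarise(hits):
    """Count hits per label, the shape a SIEM alert rule or dashboard keys on."""
    return Counter(label for label, _ in hits)

if __name__ == "__main__":
    hits = events_of_interest(SAMPLE_LOG)
    for label, line in hits:
        print(f"[{label}] {line}")
    print(summarise(hits))
```

Read in sequence, the six flagged lines tell the post-incident story the slide is after (new account, sudo group, auditing stopped, journal purged, clock moved) while the routine cron entry stays unflagged.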

19
Malware Analysis
• Purpose
– Identify purpose of the malware
– Useful when malware is custom written
• Basic steps
– Update signatures
– Full scan
– Virus Total
– Second opinion – Live CD
• Advanced steps
– Run it up in a VM - benefits
– Use PS tools to identify activities
– Run a debugging tool to look at the code

20
Information Security Architecture

• Purpose
– Protect assets at a macro level
– Build technical frameworks that can be reused
– Align security with the business appetite for risk
– Centralise security services, controls and reporting
• Control classes
– Protection
– Detection
– Response

21
Security Architecture Components

• Network level
– Firewalls (deny by default)
– Zoning (DMZ, business systems, NAT, user network)
– IDS/IPS – WAF (deep packet inspection and protocol analysis)
– Denial of service protection
– Data loss prevention
– Remote access control
– Change management (security review)
• System level
– Anti-malware
– Patching (at build time, on a regular cycle, and through an emergency path)
– Access control
– Central log monitoring (WORM, syslog hashing)
– File integrity monitoring
– Hardening (unneeded services, software, default accounts)
– HIPS (heuristics, attack profiling, port scan detection)
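
The "syslog hashing" behind central log monitoring above, as an added example not taken from the slides: each stored line carries a SHA-256 digest that also covers the previous entry's digest, so altering any earlier line breaks every later link. The function names and the genesis value are assumptions of the example; the caveat it demonstrates is that a chain cut off at the end still verifies, which is why the newest digest is shipped to WORM or central storage.

```python
import hashlib

GENESIS = "0" * 64  # constructed digest that the first entry chains to

def _link(prev_digest, line):
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()

def chain_append(chain, line):
    """Append a log line with a digest covering the line and the previous
    entry's digest; returns the new digest (the value to ship off-host)."""
    prev = chain[-1][1] if chain else GENESIS
    digest = _link(prev, line)
    chain.append((line, digest))
    return digest

def chain_verify(chain):
    """Recompute every link; return the index of the first bad entry, or -1."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chain):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return -1

def tail_intact(chain, anchored_digest):
    """Truncating the chain from the end leaves it verifiable, so the most
    recent digest must be anchored in WORM/central storage. This checks that
    the anchored digest still appears in the local chain."""
    return any(digest == anchored_digest for _, digest in chain)

if __name__ == "__main__":
    chain = []
    for entry in ["sshd: Accepted publickey for deploy",
                  "useradd: new user svc_backup",
                  "systemd: Stopped Security Auditing Service"]:
        anchor = chain_append(chain, entry)          # constructed sample lines
    print("intact chain verifies:", chain_verify(chain) == -1)
    tampered = list(chain)
    tampered[1] = ("useradd: new user backup", tampered[1][1])
    print("altered entry detected at index:", chain_verify(tampered))
    truncated = chain[:-1]
    print("truncated chain still verifies:", chain_verify(truncated) == -1)
    print("anchor detects truncation:", not tail_intact(truncated, anchor))
```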

22
Discussion Questions
1. Why is it important to perform post-incident investigation?

2. What is the most effective way to bypass an IDS/IPS?

3. What is placed at risk with an XSS vulnerability?

4. Why is it important to protect internet facing web applications?

23
