List of tools (Updated)

- Cryptography tools
Base64 Encoder & Decoder
Multi-Digest (MD5, SHA1, SHA256, SHA384, SHA512)
Hash Password Cracker (MD5, SHA1, SHA256, SHA384, SHA512)
Secure Password Generator
Files en/decryptor Rijndael (AES) 256 bits – GOST – ARC4
- Network tools
TCP Flood DoSer
TCP Flood AutoDoSer
Spoofed SYN Flood DoSer [nmap - hping3]
Port scanner
Honeypot
PenTBox Secure Instant Messaging
Fuzzer
- Extra
L33t Sp3@k Converter

This blog will describe and detail common corporate network threats and what methods can be implemented to prevent them.  Please note that this is a semi high-level approach to the concepts discussed.  Below is a list of some common network attacks and vulnerabilities that will be discussed:

• IP Spoofing
• DoS and DDoS
• DNS Poisoning

IP Spoofing

IP spoofing is the act of disguising a computer’s IP address.  This is accomplished by forging a packet header so it contains a different IP address.  This technique makes the packet appear as if it was sent from a different address which hides its original source.  An attacker would spoof their IP address for various reasons.

Intent of IP Spoofing

An attacker may spoof his or her network address with an address of a known and trusted host in order so that the target computer would accept a packet and act upon it.  This method is used to breach security protocols and authentications that only allow specific IP address to communicate with devices on a network and hijacking connections.  Another use of IP spoofing is to attempt to hide the true source of the attacker.

How IP Spoofing is Accomplished

The IP spoofing attack is performed on a network by means of a computer tailored with IP spoofing tools.  The attacking computer then begins attempting to communicate with devices on the network with the spoofed IP address.

Defending IP Spoofing

Defending a network from an IP spoof attack is accomplished by packet filtering, as well as encryption and authentication.  Implementing encryption and authentication methods to gain access to a network requires a credentials handshake between the devices in and outside the network.  This policy creates another barrier the attacker must hurdle if at all possible depending on the encryption method used.

Implementing and access control list as well as ingress and egress packet filtering at the router will provide solid defense against IP spoofing.  This is because ingress filtering prevents an attacker outside the network to successfully spoof an IP address of a machine inside the network, and therefore denying communication to the attacker.  Egress filtering works in situations opposite from ingress.  In other words, an attacker within the network cannot successfully spoof (mimic) an IP address that is outside the network.  These means of filtering should make it very difficult for an attacker to successfully spoof an IP address.

DoS and DDoS Attack

A denial of service (DoS) attack attempts to consume network resources so that the network or its devices cannot respond to requests.  In other words, the DoS attack creates a severe bottleneck on a critical network device.  The different motivations behind this type of attack would be to hold a company’s resources ransom, or prevent specific device communication while another attack is being performed.

How DoS Exploits the OSI Model

To understand how a DoS attack functions, one must first understand how client/server communication works.  When a device contacts a server and makes a request to view a webpage or a file there must be a series (three) of “handshakes” between the device and server in order to establish a connection before the request can be carried out.  This handshake consists of synchronized and acknowledgment messages between the communicating devices.  The initiating device sends the messages to the server, the server replies with its messages and then waits for the initiating device to respond.  Once the device responds the request between the device and server will be executed.

One of Many Ways of How DoS is Accomplished

One method to execute a DoS attack would be to have the initiating attack device not respond to the server’s handshake and leaving it to hold the line open.  The attacking device then requests more handshakes and not responding to the server’s handshake, making it hold more lines open and eventually running out of resources and crashing the network.  Many DoS attacks are easily avoided by today’s current technology.  In response to the ineffectiveness of the DoS, the DDoS evolved and now is a more common attack between the two.

The DDoS Attack

A distributed denial of service (DDoS) attack is a variation of the DoS attack.  The differentiation between the two attacks is that the DDoS attack is carried out by multiple zombie computers (potentially hundreds or thousands) that flood a victim device with requests.  This style of attack makes it nearly impossible to identify and block the attack at its source because the attack is coming from various locations.

DoS Defense

As previously mentioned preventing a DoS attack can be as simple of updating or upgrading the network hardware and software with current versions.  If a DoS attack is experienced it can be terminated by configuring the router to block communication with the attacking IP address, setting firewall settings appropriately, and only having necessary ports open.

DDoS Defense

Preventing a DDoS attack is difficult because of the various incoming IP addresses.  One prevention method would be to use Cisco Internetwork Operating System (IOS) on a Cisco Router.  The IOS provides settings and configurations to help filter out flooding attacks.  Another measure would be to implement a cleaning center service offered by companies such as Prolexic.  The cleaning center works by sending all network traffic through a proxy which filters the bad traffic from the good, and then forwards the good traffic onto the designated server.  Implementing the previously mentioned features as well as staying abreast on all current DDoS attack methods should provide solid defense measures against the attacks.

DNS Poisoning

DNS poisoning is an attack on a Domain Name System (DNS) server.  The attack is often used to commit identity theft.  Simply put, DNS is a hierarchical system that provides name resolution to IP addresses, which makes human navigation more intuitive.  For example, instead of the client entering the IP address 209.85.225.99 to enter the google website, the client can enter in the URL, “google.com.”  The DNS server then resolves the URL name with the numeric IP address and the client is directed to the webpage.

How DNS Poisoning Works

DNS poisoning exploits a flaw in the DNS protocol and allows the attacker to poison an authentic DNS server , which then redirects a victim’s website request to the attackers own server.  The attacker’s server can then contaminate the victim’s computer with viruses, worms, and other malicious programs to collect information.  This information can include banking and other sensitive information.

DNS Poisoning Defense

The most effective way to prevent DNS poisoning is to implement the use of DNSSEC (Domain Name System Security Extensions).  DNSSEC was designed specifically to combat against the exploited flaw in DNS, which is accomplished by checking and resolving digital signatures from authorized DNS servers and not allowing communication from rogue DNS servers.  Another good practice is to minimize the roles and services on the DNS server because the added roles provide potential holes in security.

Internet Protection

Staying abreast on current security threats is essential for every security professional.  This is because threats are growing and evolving daily.  In order for the security professional to maintain the integrity of his or her network infrastructure he or she must stay current on the latest threats and counter measures.

The best way to assist the security professional with keeping informed in regards to current threats is utilizing security-focused websites.  With the many different “security focused” websites out on the World Wide Web, one might ask, “What websites are best to use?”  This blog helps answer this question because the author has invested hours of analyzing informative security-focused websites and has compiled a list of the top four useful security-focused websites.

The criterion used to decipher the useful websites from the useless is as follows:

• The number of current articles- Some websites, although have good information, have not provided any new articles within 10 days.  This takes away from the websites’ integrity of current information.
• Ease of navigation- Navigation of the website must be simple and intuitive because this correlates with the effectiveness of the website.  A Security professional does not have time to sift through worthless information.
• Relevant information- Let’s agree that articles such as an ESPN video peephole case is not relevant to information security threats.

The Authors top five professional security-focused websites are as follows:

1. http://www.securitypronews.com/

Security Pro News is a great resource for current security threats.  The website offers a useful “Latest 10 virus alerts” table that is easily located at the top right hand corner of the website.

2. http://www.theregister.co.uk/security/

The Register provides many articles in regards to network security and current events.  The website also encompasses useful navigable filters—crime, malware, and enterprise security.

3. http://securitynewsportal.com/

Security news portal is a website that hosts a compilation of all the latest security threats and news articles.  The website contains all of the articles as that the above three websites do, and then some.  The reasoning for security news portal coming in at number three is because it can be difficult at first to navigate through the vast amount of articles.  This is due in part because the website is a one man operation.

4. http://www.scmagazineus.com

SC magazine is a publication that caters to IT security professionals.  The website is very informational and has many current articles, but does not offer the navigability filters that the above websites have.

5. http://cyberinsecure.com/

Cyber insecure is also another favorite because it offers the most comprehensive navigable category filter.  This makes it easy for the reader to research specific security threats and articles they are interested in.  Cyber insecure was lacking relevant articles that the other websites had; as a result, the website came in fifth.

All IT security professionals should have these websites bookmarked in their web browser and frequent them regularly to help combat potential threats, risks, and vulnerabilities that may and will develop.

I remember back in the day, the 90’s, messing around with AIM…downloading password cracking programs, breaking into people’s accounts, and causing trouble. A person approached me the other day inquiring about recovering their msn email password by cracking it. Reflecting back to the 90’s, I told my client that I could do it with ease… Time’s sure have changed.

After over an hour of riddling my test machine with viruses and no results, I could see my prepubescent hacking method was a huge fail and nothing was gained. Time to change the approach. A colleague of mine had introduced me to a Linux based hybrid GUI/command line OS called, BackTrack 4. BackTrack 4 is a powerful network hacking system, although a challenge for the Linux novice to utilize. This novice is up to the challenge.

I recently installed backtrack onto my system and preparing it for battle. I hit a few bumps along the way and found some useful advice on hackforums.net. First, to launch the GUI you must enter “start x” at the command prompt. Simple enough. Next, hurdle, the network cards are disabled, meaning no network connectivity. The GUI provides no solutions, hello command line: “/etc/init.d/networking start” Now I can access the internet and see my wireless status from the GUI. Time for updates…Peter Van Eeckhoutte has a nice blog that provides a cheat sheet of useful commands including updates found here: http://www.corelan.be:8800/index.php/2009/07/04/backtrack-4-cheat-sheet/

I will practice hacking into my own network, then some nodes on the network, and sniff for passwords. Then I will provide security measures to prevent these attacks as I discover them. As a side note, it appears that all hacking commands must be performed by the “root” user. Might as well login to it from the get go to avoid hang-ups…you’ll know what I mean if you dabble with backtrack and youtube tutorials.

I’ll make updates as discoveries are made. I will also be getting an ASUS wireless router in the mail shortly where I will be putting dd-wrt firmware on it and unleashing its capabilities…just another weapon in the “hacker’s arsenal.” More on that when the time comes.

The Abominable A

On your home network your router acts as a proxy server, which stands between the network and the Internet by which it using NAT. With the middle man attack the attacker acts as the proxy, being able to read, insert and modify the data in the intercepted communication.

How does the attacker act as a proxy server? I’m glad you asked. First of all you will need to be on the network in which you are trying to intercept the packets. A good place to try this out would be your local coffee shop where internet access is free. Listening to someone aim or yahoo chat is nothing new and as far as I can tell they haven’t put anything in place to stop it since the nature of the http protocol and data transfer which are all ASCII based hasn’t changed and probably never will.

If you are a windows user there are the tools you will need. Nmap, Cain and abel, and Ethereal. Nmap is a security scanner and you will use this tool for scanning the network. The scan will give you the MAC, IP, and the computer name for all the users on the wireless network. This is the chance you take when you go to starbuck to have your coffee and decide to get on line.

Most routers IP are 192.168.1.1. Within your Nmap you will type 192.168.1.1-199, because you want to scan all open TCP sessions. After everybody’s info pops up you will take that persons IP address and do a port scan using Nmap to get an idea of what apps they are using. Most web servers use port 80 and email server use port 25. Yahoo uses TCP Port 5101 and that can change but it’s always in the 5100-99.

Next you will use cain and able to snife out the network one more time to find that person again. The reason why we used Nmap was so we could port scan them and see if the attack is worth it. Cain and abel will not let you do port scans.

After Cain finds them you will start your ARP attack. This is what tells the firewall/router that you are Jacks computer, and Jack computer thinks you are the firewall. There OS builds an table using ARP
and locates all hosts that are connected to the router. ARP uses a 3 layers address scheme and is kinda hard to understand but we can save ARP for another blog. All you’re doing with Cain and abel is switching that info around.

Last but not least you will use Ethereal to scan the network and pick up all the incoming traffic from that user. A lot easier done then typed…lol Note if you try to use Ethereal without using Cain and abel first Ethereal will not be able to pick up anything. Cain and abel is what puts you between the firewall/router and host.

I have recently been hearing alot of chatter about Amahi Home Server.  I decided to investigate. After a quick search for Amahi I was there – http://www.amahi.org/ This is what it says on their page :

The Amahi Linux Home Server makes your home networking simple. We like to call the Amahi servers HDAs, for “Home Digital Assistants.” Each HDA delivers all the functionality you would want in a home server, while being as easy to use as a web browser.

The core functionality available in the base Amahi HDA install includes:

• Protect Your Computers Backup all your networked PCs simply and easily on your home network. If one of your PCs “dies” you can easily restore it!
• Organize Your Files Access, share and search your files from any machine on your network, making it easy to share and find your photos, music and videos.
• Internet Wide Access Automatically setup your own VPN so you can access your network from anywhere: safely and securely.
• Private Internet Applications Shared applications like calendaring, private wiki and more to come, will help you manage your home and your family!

So this got me interested and I started the install of Fedora 12 right away – things didnt run as smoothly as they made it sound. First off I didnt listen to what it says and I tried the process with a live .iso – after i realized this didnt work i tried again with the dvd instalation disk but this time didnt have my HDA system settings right. So 3rd time was the charm – up and running and very cool !  I recommend Amahi + Fedora 12 to anyone that wishes to run a home server. This setup allows you to easily share files over the internal network and access then from outside the local network through OpenVpn over the internet. All your info wherever you are! !