Mandatory Security Arsenal for Survival on the Internet Page 1 of 12

Academic Open Internet

Journal
www.acadjournal.com Volume 19, 2006
ISSN 1311-4360

Mandatory Security Arsenal for Survival on the Internet:

Techniques and Remedial Actions
(June 2006)
Maninder Singh, C|EH, Member IEEE. Seema Bawa, Member IEEE. and S.C. Saxena

Abstract—Today is the Golden Age of Hacking. Any person with malicious intents can acquire tools and
techniques via numerous freely hosted sites to launch attacks on Networks. Identifying and eliminating
security threats has become an arduous task for the administrators and not only big networks but also
home users are becoming target for the hackers, which use these slaved machines to create larger Botnets.
One solution to get rid of these is to acquire proper know-how on how to defend against such attacks.
This paper takes a typical scenario of a system, which was installed afresh but after connecting to the
network it showed signs of being controlled by somebody else. A live case study has been taken and step-
by-step procedure is demonstrated along with relevant screen shots and data analysis. We see how
practically it becomes essential to install anti-virus, firewall, patches etc. for the survival of these out-of-
the box infant PCs.

Index Terms—Cyber Crime, Security Threats, Antivirus, Firewall, Patches, Botnets.

Introduction
No matter where we work, what is our job profile and how your company competes in the market, no
organization can survive without network connectivity. Internet has widely opened the progress
opportunities that were only dreams few years back. As a matter of the fact though Internet delivers lots
of goodies but at the same times it gives nightmares to system administrators throughout the world.
Security vulnerabilities linger and consequently create a breeding ground for attacks, which even a novice
can exploit to create a security breach as, indicated in the Fig. 1. Though script kiddies launch these
attacks they can cause lot of damage to the networks.

The security research community as well as vendors identify and publish on an average 40 new security
vulnerabilities per week. These vulnerabilities provide a multitude of avenues for attacks. Incorrectly
configured systems, unchanged default passwords, product flaws, or missing security patches are among
the most typical causes of the network intrusions. Only by understanding how attacks work and what an
attacker does to compromise a machine can a company position itself so that it can be properly protected.
Knowing what an attacker can do to compromise a system and what that compromise looks like on a
network allows administrator to build a secure system.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 2 of 12

Fig 1. Attack sophistication vs. intruder technical knowledge.

As is the saying in the Military Doctrine “Know thy enemy first” so we need to know what tools and
tactics a cracker uses to compromise a system. Primarily cyber-crime, focuses on Win32 systems and
their users. In this paper we show how to compromise a default windows 2000 machine using common
exploits, it is not meant to be a tutorial on hacking. It is meant to help closing down the vulnerabilities
and patching the system so as to get better security across the networks.

Passive and active reconnaissance

This is the first phase of an attack hacker tries to gather as much as information possible for the target.
There are two ways of gathering information first one is passive where hacker listens to the network
traffic by using a Sniffer and secondly he can get information by probing the machine/network thus
leading to an active methodology. Whatever may be the method intent is to know which operating system
in running on the target and which all ports are open so as to tailor made an attack.

One of the most popular types of passive attacks is sniffing. This involves sitting on a network segment,
watching and recording all traffic that passes on the segment. This will provide lot of information to the
hacker. Hacker can sniff NT authentication packets and later on use some password cracking tools to get
user credentials. In active reconnaissance attacker probes the system with some tool.

We will use a tool SuperScan that helps not only to scan the target but also enumerate so as to expose
many critical details which helps to mould the attack accordingly. This is typical case of an educational
institute where say Mr. Cracker comes with his laptop, hooks on the laptop to the free Info-outlet port and
gets an IP (internet protocol) address dynamically assigned by Institute’s DHCP (Dynamic Host
Configuration Protocol). He now uses SuperScan to scan the whole network so as to build an inventory of
the systems running on the network and finally targeting the weakest among these to launch the attack.

For this paper we have taken 192.168.1.75 (private IP series address) as the IP address of the hacker’s
machine and 192.168.1.76 as address for the victim. Hacker launches SuperScan and does scanning (i.e.
active reconnaissance) as in Fig.2.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 3 of 12

Fig. 2. Scanning the target using SuperScan

From this hacker comes to know that the victim machine is having ports 135, 137 opened, which are
basically used by windows NetBIOS over TCP/IP for file sharing etc. Next hacker runs enumeration for
this particular machine so as to get more details about the accounts, shares, services etc.
The following information retrieved by enumeration Fig.3. is very critical and gives valuable information
to the hacker.

Attempting a NULL session connection on 192.168.1.76

NULL session successful to \\192.168.1.76\IPC$

A null session is only established when there are no credentials for a process to start under (no user name
or password). Typically, only the operating system itself runs as system.

Workstation/server type on 192.168.1.76

Windows 2000

Workstation/Server Name : "192.168.1.76"

Platform ID : 500
Version : 5.0
Comment : ""
Type : 00051003

It also tell the hacker that the Operating System is Windows 2000 so that he can tailor the attacks
accordingly.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 4 of 12

Fig. 3. Enumeration phase of the victim’s machine.

Another important information shown is about the users, their names, password aging policy, last logon,
number of log- ons etc.

Total Users: 2
--- 1 ---
Admin "Administrator"
Full Name: ""
System Comment: "Built-in account for administering the computer/domain"
User Comment: ""
Last logon: Sun Jan 08 14:44:12 2006 (0 days ago)
Password expires: Never
Password changed: 0 days ago
Locked out: No
Disabled: No
Number of logons: 1
Bad password count: 0

--- 2 ---
User "Guest"
Full Name: ""
System Comment: "Built-in account for guest access to the computer/domain"
User Comment: ""
Last logon: Never
Password expires: Never
Password changed: Never
Locked out: No
Disabled: Yes
Number of logons: 0
Bad password count: 0

Another information, which is very useful for the hacker, is password policy details.

Password and account policies on 192.168.1.76

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 5 of 12

Account lockout threshold is 0

Minimum password length is 0
Maximum password age is 42 days

As can be seen Account lockout threshold is by default set to 0, which means intruder can try out
credentials any number times and will never be locked out.

Shares on 192.168.1.76

IPC: IPC$ (Remote IPC)

Disk: ADMIN$ (Remote Admin)
Disk: C$ (Default share)

This shows default shares on the victim’s machine. This much information is good enough for the hacker
to launch attack on the system, install some Trojan so that he can create back door on the machine and
later on can attach to the machine with greater ease.

Attack Phase
In the attack phase hacker uses tools to exploit the RPC vulnerability and then netcat to get the victim
machine’s prompt as shown in Fig. 4.

Fig. 4. Using DCOM RPC exploit

dcomexploit 1 192.168.1.76

Now hacker uses netcat to connect to 192.168.1.76 at port number 4444. Netcat is very popularly known
as swiff army knife tool for its versatility to make net connection across hosts.

netcat 192.168.1.76 4444

Next step is to gather data from the SAM database and pass it on the hacker’s machine. This is easily
done with the help of pwdump3 tool, which dumps database as an output file, which hacker later on
analyzes locally using dictionary based and/or brute force attacks.

Analysis of hacked data

Analysis of the captured data from the victimized machine can lead to cracking of passwords and hacker
makes repository and goes to other machine for executing the same step of attacks.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 6 of 12

Fig. 5. Importing LM & NT hashes for password Cracking

Attacker uses “Cain & able” tool to crack the LM & NT hashes as shown in Fig.5. Tool takes few
minutes only to crack weak passwords. These weak passwords can become serious security loopholes and
can be used later to crack the system.

Fig. 6. Cain & able password analysis

As can be seen from Fig.6. Administrator password has been cracked as “test”. Now hacker can deploy a
trojan on this host so that later on he can log on to the machine using a backdoor. One can say once
hacker got the password why doesn’t he destroy the system. Actually this is not the aim of hackers these
days. Hackers want to create Botnets for themselves so that later on they can utilize these kinds of
zombies to launch attacks on more critical networks.

So today if a home user says “I don’t have any confidential data on machine why should somebody
bother to hack me?” This is total misconception, hackers use machines as launching pad for more serious
attacks or to utilize computational power on these zombies to crack passwords using brute force methods.

Remedial Actions: Layered Architecture

In the near future, organizations will be even more interconnected, leading to an increase in security
vulnerabilities. While maintaining firewall and other perimeter defenses, focus on security where users
access the network. Prevention and containment are essentials; precision to do this, placement of different
security components is necessary which is described below.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 7 of 12

Firewalls are typically implemented using a dedicated or a non-dedicated firewall hardware and system
platform. A must-have for any non-dedicated firewall application system is a proper installation of the
operating system on which the firewall is placed. A "proper installation" means that the operating system
must be suitably "hardened" (i.e. configured for security) and especially for this reason, no service going
beyond the necessary minimum may be run on the operating system. The dedicated firewall hardware and
software provide protection mechanisms built in by the manufacturer. Fig.7 shows the general placement
layout of a firewall in a system.

Fig.7 Placement of firewall in a system

This placement will lead to a robust firewall working along with the following rules for the different
zones i.e. External, Internal and DMZ.

External To DMZ

1. External To DMZMail External ANY (External)

w.x.y.z (DMZ) MailServices Accept

2. External To DMZWeb External ANY (External)

w.x.y.z (DMZ) HTTP Accept

Internal To DMZ

1. Internal To DMZ InternalGroup (Internal)

DMZGroup (DMZ) HTTP Masq

Internal To External

1. Internal To external 192.168.1.2 (Internal)

0.0.0.0/0 (External) All Services Masq

Basically, a firewall removed from its packing and installed between the network and the Internet adds
little improvements to the security of the system. Human intervention is also required to decide how to
screen traffic and "instruct" the firewall to accept or deny incoming packets. It is de facto a complex and

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 8 of 12

sensitive task. Just a single security policy rule established for the wrong reasons can lead to a system
being vulnerable to outside attackers. Once must also remember, that a poorly configured firewall may
worsen the system's effective immunity to attacks. This is because system administrators may believe that
their systems are safe inside the firewall and will become relax towards internal day to day security
standards, if a firewall is in place. However, total reliance on the firewall tool, may provide a false sense
of security. The firewall will not work alone (no matter how it is designed or implemented) as it is not a
panacea.

In more colloquial terms, a firewall is a device that enforces a predesignated policy across an access point
to a network. Probably the most limiting factor in firewalls today is the policy. A firewall cannot protect
against attacks that it does not know about, and as such the policy should take this situation into account
and be as rigid as possible while still enabling work to get done. The firewall is simply one of many tools
in a toolkit for IT security policy. When choosing a firewall solution following figure can act as source
for selecting Open Source or Commercial deployment. Commercial tools are easy to implement but incur
heavy costs whereas open source alternatives are cheaper but time frame to get them implemented is
fairly large.

But security means more than screening out via firewalls It means guarding against illicit data access and
preventing users from misusing resources.

Fig 8. Selection between open-source and commercial solutions

Thus an Intrusion Detection System (IDS) accounts itself to be a second line of defense. Designed to
watch either a system for filesystem changes or traffic on the network, this system, with the help of a
human, learns what normal traffic looks like, then notes changes to the norm that would suggest an
intrusion or otherwise suspicious traffic. Notification can be via e-mail, beeper, and/or a SMS.

Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity. IDS is a system
that detects burglary attempts. Firewalls perform the role of door and window locks. These types of locks
will stop the majority of burglars but sophisticated intruders may circumvent security devices that protect
an intended target. Therefore, most people use a combination of sophisticated locks with alarm systems.
An IDS performs the role of such an alarm system and adds the next preventive layer of security by
detecting attacks that penetrate IT systems. Network-based IDSs monitor an entire, large network with
only a few well-situated nodes or devices and impose little overhead on a network. Network-based IDSs
are mostly passive devices that monitor ongoing network activity without adding significant overhead or
interfering with network operation. They are easy to secure against attack and may even be undetectable
to attackers; they also require little effort to install and use on existing networks.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 9 of 12

Network-based IDSs are not able to monitor and analyze all traffic on large, busy networks and may
therefore overlook attacks launched during peak traffic periods. Network-based IDSs are not able to
monitor switch-based (high-speed) networks effectively, either. Typically, network-based IDSs cannot
analyze encrypted data, nor do they report whether or not attempted attacks succeed or fail. Thus,
network-based IDSs require a certain amount of active, manual involvement from network administrators
to gauge the effects of reported attacks.

Host-based IDS analyze activities on the host it monitors at a high level of detail. It can often determine
which processes and/or users are involved in malicious activities. Though they may each focus on a
single host, many host-based IDS systems use an agent-console model where agents run on (and monitor)
individual hosts but report to a single centralized console (so that a single console can configure, manage,
and consolidate data from numerous hosts). Host-based IDSs can detect attacks undetectable to the
network-based IDS and can gauge attack effects quite accurately. Host-based IDSs can use host-based
encryption services to examine encrypted traffic, data, storage, and activity. Host-based IDSs have no
difficulties operating on switch-based networks, either.

Data collection occurs on a per-host basis; writing to logs or reporting activity requires network traffic
and can decrease network performance. Clever attackers who compromise a host can also attack and
disable host-based IDSs. Host-based IDSs can be foiled by DoS attacks (since they may prevent any
traffic from reaching the host where they're running or prevent reporting on such attacks to a console
elsewhere on a network). Most significantly, a host-based IDS does consume processing time, storage,
memory, and other resources on the hosts where such systems operate.

Compared to firewalls, IDS are more sensitive to configuration errors and misleading design assumptions
and product mix choices. So, a careful performance check of any IDS infrastructure is needed before its
planned purchase and installation.

Fig.9 Placement of IDS in a system

What is most important - human intervention is still required i.e. from security-aware persons who will be

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 10 of 12

responsible for IDS setup and maintenance and will be alerted about security breach attempts. An IDS
cannot do the job alone and cannot be a "magic wand" to make IDS the only security required for our
systems. This is just a tool to be used by people, for this purpose a prerequisite suit of response
procedures should be prepared for the users to observe strictly.

With techniques like obfuscation, fragmentation, Denial of Service, and application hijacking the attacker
can pass traffic under the nose of an IDS to prevent their detection.

Prevention is invariably a better approach than treatment for both living beings and computer networks.
Just as it is with living beings, it is impossible to prevent all maladies from occurring on a computer
network. But unlike the human body, computer networks do not have an autonomic immune system that
differentiates self from non-self and neutralizes potential threats. Security engineers have to establish
what behavior and attributes are "self" for networks and deploy systems that identify "non-self" activities
and neutralize them. Thus the old phrase stands very true: information is the power. Panacea could be
proactive approach leading to better understanding the threats. Knowledge delivered out of this helps
administrators to use arsenal with full strength against black-hats. Honeynet is technology, which uses
proactive approach, based on military doctrine. Honeypots are closely monitored network decoys serving
several purposes: they can distract adversaries from more valuable machines on a network, they can
provide early warning about new attack and exploitation trends and they allow in-depth examination of
adversaries during and after exploitation of a honeypot.

Honeypots are a highly flexible security tool with different applications for security. They don't fix a
single problem. Instead they have multiple uses, such as prevention, detection, or information gathering.
Honeypots all share the same concept: a security resource that should not have any production or
authorized activity. In other words, deployment of honeypots in a network should not affect critical
network services and applications. A honeypot is a security resource and its value lies in being probed,
attacked, or compromised.

Honeypots are simple concept, which gives them following powerful strengths.

1. Small data sets of high value: Honeypots collect small amounts of information. Instead of logging
huge data they only log information of high value, as it is only the black hat community, which
interacts with them. This means it is much easier and cheaper to analyze the data and derive value
out of it.
2. Minimal Resources: Honeypots require a minimal resource, that is any Pentium graded machine is
good enough to handle entire class C network derived by 1000(s) of megabit technology.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 11 of 12

Fig. 10 Placement of Honeypot

Network security is not a product that you can purchase. It is a process. A long process that you
continually update, improves, and monitor. The networks of today often include several different
operating systems, a variety of web-based and client/server applications, and other components from a
potpourri of vendors. These heterogeneous networks introduce a high level of complexity when it comes
to management and security issues. This complexity makes it impossible to effectively secure an entire
networking environment with a single component such as a firewall.

A total information security solution includes policy and procedure, access control, user authentication,
encryption, and content security. By focusing a security solution on an individual component, such as
access control or an encryption method, one risks leaving holes in the security shield that can be
exploited by a hacker. Approaching security as a concept and not as individual components is the best
way to develop and implement secured network environments.

References

1. 2004 CSI/FBI Computer Crime and Security Survey, CERT

2. Yankee group research note, September 8, 2004
http://www.yankeegroup.com/public/products/research_note.jsp?ID=11932.
3. Eric Cole. Hackers Beware, Official Course Material-Certified Ethical Hacker, pp. 22-23.
4. Spitzner, Lance. Honeypots- Tracking Hackers, Indianapolis, IN: Addison-Wesley, 2003.
5. John Levine, Richard LaBella, Henry Owen, Didier Contis, Brain Culver, The use of Honeynets to
Detect Exploited Systems across Large Enterprise Networks, proceedings of the 2003 IEEE
Workshop on Information Assurance, United States Military Academy, West Point, NY June 2003.
6. Hulme, George V, “Security Developer snared in Legal tar Pit” 23 April, 2003. http://cert.uni-
stuttgart.de/archive/isn/2003/04/msg00102.html (28 November, 2003).
7. Johnson, Keith. "Hackers caught in security 'honeypot'" 19 Dec. 2000:
http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html
8. Liston, Tom. “Hack Busters” 16 April 2003 http://www.hackbusters.net/ (28 November, 2003).
9. Merkow, Mark. “Playing with Fire: Not So Sweet Honeypots” 12 January,2001
10. Messmer, Ellen. “‘Decoy nets' gain backers in battle against hackers" 3 May 2001.

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 12 of 12

http://www.nwfusion.com/news/2001/0305honeypot.html
11. Provos, Niels. “A Virtual Honeypot Framework”
http://www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf
12. Raikow, David. "Building your own honeypot” 22 Nov, 2000.
http://www.zdnetindia.com/techzone/resources/security/stories/7602.
13. Ranum, Marcus J. “Hacker Tar Pit” September 2002.
http://infosecuritymag.techtarget.com/2002/sep/cooltools.shtml
14. Schwartau, Winn. "Lying to hackers is okay by me" 7 June 1999.
http://www.nwfusion.com/newsletters/sec/0705sec2.html?nf
15. Schwartau, Winn. "Honeypots wreak sweet revenge against cyber intruders" 4 Dec 2000.
http://www.nwfusion.com/columnists/2000/00173866.html
16. Schwartz, Mathew. “Networks use ‘honeypots’ to catch online thief” 4 April 2001.
ttp://www.cnn.com/2001/TECH/internet/04/04/trap.a.thief.idg/

Technical College - Bourgas,

All rights reserved, © March, 2000

http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07