Abstract—Today is a golden age of hacking. Anyone with malicious intent can obtain tools and
techniques from numerous freely hosted sites and launch attacks on networks. Identifying and eliminating
security threats has become an arduous task for administrators, and not only large networks but also
home users are becoming targets; attackers use these enslaved machines to build ever larger botnets.
One defence is proper know-how about how such attacks work and how to defend against them.
This paper takes a typical scenario: a system that was installed afresh but, after being connected to the
network, showed signs of being controlled by somebody else. A live case study is walked through
step by step with relevant screenshots and data analysis. We see how essential it is in practice to
install anti-virus software, a firewall, patches, etc. for the survival of these out-of-the-box infant PCs.
Introduction
No matter where we work, what our job profile is, or how our company competes in the market, no
organization can survive without network connectivity. The Internet has opened up opportunities
that were only dreams a few years ago. But while the Internet delivers many benefits, it also gives
nightmares to system administrators throughout the world.
Security vulnerabilities linger and create a breeding ground for attacks that even a novice can
exploit to cause a security breach, as indicated in Fig. 1. Though it is script kiddies who launch these
attacks, they can still cause a lot of damage to networks.
The security research community and vendors identify and publish on average 40 new security
vulnerabilities per week. These vulnerabilities provide a multitude of avenues for attack. Incorrectly
configured systems, unchanged default passwords, product flaws and missing security patches are among
the most typical causes of network intrusions. Only by understanding how attacks work and what an
attacker does to compromise a machine can a company position itself to be properly protected.
Knowing what an attacker can do to compromise a system, and what that compromise looks like on the
network, allows administrators to build a secure system.
http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 2 of 12
As the military doctrine says, "Know thy enemy first": we need to know what tools and
tactics a cracker uses to compromise a system. Cyber-crime focuses primarily on Win32 systems and
their users. In this paper we show how to compromise a default Windows 2000 machine using common,
publicly available exploits. It is not meant to be a tutorial on hacking; it is meant to help in closing
down the vulnerabilities and patching the system so as to get better security across the network.
One of the most popular types of passive attack is sniffing: sitting on a network segment and
recording all traffic that passes on it. This provides a lot of information to the attacker, who can,
for example, capture NT authentication exchanges and later run password-cracking tools against them to
recover user credentials. In active reconnaissance the attacker probes the system directly with a scanning tool.
We will use the tool SuperScan, which not only scans the target but also enumerates it, exposing
many critical details that help to shape the attack. This is a typical case for an educational
institute: Mr. Cracker arrives with his laptop, plugs it into a free information-outlet port and
gets an IP (Internet Protocol) address assigned dynamically by the institute's DHCP (Dynamic Host
Configuration Protocol) server. He then uses SuperScan to scan the whole network, builds an inventory of
the systems on it and finally targets the weakest of them.
For this paper we have taken 192.168.1.75 (a private-range IP address) as the address of the attacker's
machine and 192.168.1.76 as the address of the victim. The attacker launches SuperScan and performs the scan (i.e.
active reconnaissance) as in Fig. 2.
From this the attacker learns that the victim machine has ports 135 and 137 open. Port 135 is the
Windows RPC endpoint mapper (used by DCOM) and 137 is the NetBIOS name service; together with the
NetBIOS session and SMB ports they carry Windows file and printer sharing. Next the attacker runs
enumeration against this particular machine to get more details about its accounts, shares, services, etc.
The information retrieved by enumeration (Fig. 3) is very critical and gives valuable information
to the attacker.
The enumeration works over a null session: an anonymous SMB connection to the IPC$ share made with an
empty user name and an empty password. A default Windows 2000 installation permits such anonymous
connections (the RestrictAnonymous setting is 0), so no credentials at all are needed to list users,
shares and the password policy.
The enumeration also reports the operating system as Windows 2000, so the attacker can tailor the attacks
accordingly.
Other important information shown concerns the users: their names, password-aging policy, last logon,
number of logons, etc.
Total Users: 2
--- 1 ---
Admin "Administrator"
Full Name: ""
System Comment: "Built-in account for administering the computer/domain"
User Comment: ""
Last logon: Sun Jan 08 14:44:12 2006 (0 days ago)
Password expires: Never
Password changed: 0 days ago
Locked out: No
Disabled: No
Number of logons: 1
Bad password count: 0
--- 2 ---
User "Guest"
Full Name: ""
System Comment: "Built-in account for guest access to the computer/domain"
User Comment: ""
Last logon: Never
Password expires: Never
Password changed: Never
Locked out: No
Disabled: Yes
Number of logons: 0
Bad password count: 0
Other information that is very useful to the attacker is the password policy.
As can be seen, the account lockout threshold is by default set to 0, which means an intruder can try
credentials any number of times and will never be locked out.
Shares on 192.168.1.76
This shows the default shares on the victim's machine. This much information is good enough for the attacker
to launch an attack on the system and install a Trojan that creates a backdoor, so that he can
later reconnect to the machine with greater ease.
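The listing above is exactly what a defender should be reading on their own machines before an attacker does. As an added example (not code from the paper or from SuperScan), the following Python script parses a dump in the text layout shown above and applies the checks that the rest of the case study relies on. The sample input is constructed from that listing; the "Account lockout threshold" line and its placement are an assumption, since the paper reports that value from a separate screen.

```python
"""Audit a null-session enumeration dump for the weaknesses the attack relies on.

Added example; the parser follows the text layout of the listing above. The
input is constructed from that listing, and the 'Account lockout threshold'
line is an assumption: the paper reports the value from a separate screen.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DUMP = """\
Account lockout threshold: 0
Total Users: 2
--- 1 ---
Admin "Administrator"
Full Name: ""
System Comment: "Built-in account for administering the computer/domain"
User Comment: ""
Last logon: Sun Jan 08 14:44:12 2006 (0 days ago)
Password expires: Never
Password changed: 0 days ago
Locked out: No
Disabled: No
Number of logons: 1
Bad password count: 0
--- 2 ---
User "Guest"
Full Name: ""
System Comment: "Built-in account for guest access to the computer/domain"
User Comment: ""
Last logon: Never
Password expires: Never
Password changed: Never
Locked out: No
Disabled: Yes
Number of logons: 0
Bad password count: 0
"""


@dataclass
class Account:
    name: str
    kind: str                          # "Admin" or "User", as the tool prints it
    props: dict = field(default_factory=dict)


def parse_dump(text):
    """Split the dump into (accounts, policy).

    A '--- n ---' line ends the current account; an 'Admin "x"' / 'User "x"'
    line opens one; 'Key: value' lines belong to the open account, or to the
    policy dict when no account is open."""
    accounts, policy, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"--- \d+ ---", line):
            current = None
            continue
        m = re.fullmatch(r'(Admin|User) "([^"]*)"', line)
        if m:
            current = Account(name=m.group(2), kind=m.group(1))
            accounts.append(current)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        target = current.props if current is not None else policy
        target[key.strip()] = value.strip().strip('"')
    return accounts, policy


def audit(accounts, policy):
    """Return (subject, finding) pairs for the settings the case study exploits."""
    findings = []
    if accounts:
        # The dump exists at all only because anonymous (null-session)
        # enumeration is permitted, which RestrictAnonymous can switch off.
        findings.append(("policy", "null-session enumeration permitted"))
    if int(policy.get("Account lockout threshold", "0")) == 0:
        findings.append(("policy", "lockout threshold 0: unlimited password guesses"))
    for acct in accounts:
        enabled = acct.props.get("Disabled") == "No"
        if acct.name == "Administrator":
            findings.append((acct.name, "built-in Administrator account not renamed"))
        if enabled and acct.props.get("Password expires") == "Never":
            findings.append((acct.name, "password never expires"))
        if acct.name == "Guest" and enabled:
            findings.append((acct.name, "Guest account enabled"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(*parse_dump(SAMPLE_DUMP)):
        print(f"{subject:14s} {finding}")
```

Run against the constructed dump it reports four findings: two policy-level ones (anonymous enumeration works, lockout threshold 0) and two on the Administrator account; the disabled Guest account produces none. The same parser can be pointed at a dump taken from any host that still answers null sessions.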
Attack Phase
In the attack phase the attacker uses an exploit for the RPC vulnerability and then netcat to obtain the
victim machine's command prompt, as shown in Fig. 4. The vulnerability is the buffer overflow in the DCOM
RPC interface that listens on port 135 (the flaw Microsoft patched in security bulletin MS03-026), which is
why an unpatched default installation with port 135 exposed is enough. The exploit takes a target-type
number that selects the Windows version/service pack, and the victim's address:
dcomexploit 1 192.168.1.76
On success it leaves a command shell bound to TCP port 4444 on the victim. The attacker now uses netcat to
connect to 192.168.1.76 on port 4444 (for example nc 192.168.1.76 4444). Netcat is popularly known as the
Swiss army knife of networking for its versatility in making connections between hosts. Because the
exploited RPC service runs as SYSTEM, so does the shell it hands over.
The next step is to gather the password hashes from the SAM database and pass them to the attacker's
machine. This is easily done with pwdump3, which dumps the hashes to an output file that the attacker later
analyses locally with dictionary-based and/or brute-force attacks.
The attacker uses the Cain & Abel tool to crack the LM and NT hashes, as shown in Fig. 5. The tool takes
only a few minutes to crack weak passwords. Two properties of these hashes make that fast: neither is
salted, so a single dictionary pass covers every account, and the LM hash is computed over the password
upper-cased and split into two independent 7-character halves. Such weak passwords become serious security
loopholes and can be used later to compromise the system.
As can be seen from Fig. 6, the Administrator password has been cracked as "test". Now the attacker can
deploy a Trojan on this host so that he can later log on to the machine through a backdoor. One may ask:
once the attacker has the password, why doesn't he destroy the system? That is not the aim of attackers
these days. They want to build botnets so that they can later use these zombies to launch attacks on
more critical networks.
So when a home user says "I don't have any confidential data on my machine, why should somebody
bother to hack me?", that is a complete misconception: attackers use such machines as launching pads for
more serious attacks, or harness the computational power of these zombies to crack passwords by brute force.
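To make concrete why the "test" password falls in minutes, here is an added example (not code from the paper, nor from pwdump3 or Cain & Abel) that performs the same offline dictionary attack on a pwdump-style line. MD4 is implemented in pure Python because hashlib's md4 is missing from many OpenSSL 3 builds; the pwdump line is constructed, with the NT field being the genuine MD4 of "test" in UTF-16LE, and the word list is a hypothetical dictionary.

```python
"""Offline dictionary attack on pwdump-style LM/NT hashes.

Added example, not code from the paper or from Cain & Abel. MD4 is
implemented in pure Python because hashlib's md4 is missing from many
OpenSSL 3 builds. The pwdump line is constructed; its NT field is the
real MD4 of "test" encoded as UTF-16LE.
"""
import struct

MASK32 = 0xFFFFFFFF
# DES("KGS!@#$%") under an all-zero key: the LM half of an empty 7-char chunk.
EMPTY_LM_HALF = "aad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, 3 rounds of 16 steps)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rot(x, s): return ((x << s) | (x >> (32 - s))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rot((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate roles: next step updates the old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str) -> dict:
    """pwdump layout: user:rid:lmhash:nthash:comment:homedir:"""
    user, rid, lm, nt = line.split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def lm_hints(lm_hex: str) -> dict:
    """What an LM hash leaks before cracking starts: the password is stored as
    two independent 7-character halves, so an empty second half means the
    password is at most 7 characters long."""
    return {
        "lm_present": lm_hex != EMPTY_LM_HALF * 2,
        "short_password": lm_hex[16:] == EMPTY_LM_HALF,
    }


def crack_nt(nt_hex: str, wordlist):
    """Unsalted: one MD4 per candidate, and the result is reusable against
    every account that has the same hash. Returns the password or None."""
    target = nt_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


def crack_line(line: str, wordlist):
    entry = parse_pwdump(line)
    hints = lm_hints(entry["lm"])
    # The LM hint prunes the candidate list before any NT work is done.
    candidates = [w for w in wordlist if len(w) <= 7] if hints["short_password"] else list(wordlist)
    return entry["user"], hints, crack_nt(entry["nt"], candidates)


# Constructed pwdump3-style line for the Administrator account (RID 500).
SAMPLE_PWDUMP = "Administrator:500:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::"
WORDLIST = ["password", "administrator", "letmein", "test", "123456"]   # hypothetical dictionary

if __name__ == "__main__":
    print(crack_line(SAMPLE_PWDUMP, WORDLIST))
```

The LM second half "aad3b435b51404ee" tells the cracker that the password has at most 7 characters before a single hash is computed, which is why Cain & Abel and similar tools crack LM first and use the recovered upper-case text to narrow the NT search. The defensive reading is the mirror image: disable LM hash storage, enforce length and complexity, and remember that an unsalted NT hash of a dictionary word is recovered instantly from a precomputed table.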
http://www.acadjournal.com/2006/v19/part6/p3/ 05-Dec-07
Mandatory Security Arsenal for Survival on the Internet Page 7 of 12
Firewalls are typically implemented on either dedicated or non-dedicated firewall hardware and system
platforms. A must-have for any non-dedicated firewall system is a proper installation of the
operating system on which the firewall runs. A "proper installation" means that the operating system
is suitably "hardened" (i.e. configured for security), and in particular that no service beyond the
necessary minimum is run on it. Dedicated firewall hardware and software provide protection mechanisms
built in by the manufacturer. Fig. 7 shows the general placement of a firewall in a system, with three
traffic paths that the policy has to cover: external to DMZ, internal to DMZ and internal to external.
A firewall taken out of its packaging and installed between the network and the Internet adds
little to the security of the system. Human intervention is required to decide how to
screen traffic and to "instruct" the firewall which packets to accept or deny. This is in fact a complex and
sensitive task. A single policy rule established for the wrong reasons can leave a system
vulnerable to outside attackers. One must also remember that a poorly configured firewall may
worsen the system's effective immunity to attacks, because administrators may believe that
their systems are safe behind the firewall and relax day-to-day internal security
standards. Total reliance on the firewall gives a false sense of security. No matter how it is
designed or implemented, the firewall will not work alone; it is not a panacea.
In more colloquial terms, a firewall is a device that enforces a predefined policy at an access point
to a network. Probably the most limiting factor in firewalls today is the policy. A firewall cannot protect
against attacks that it does not know about, so the policy should take this into account
and be as restrictive as possible while still letting work get done: deny by default and permit only the
flows that are explicitly required. The firewall is just one of many tools in the IT security toolkit.
When choosing a firewall solution, the following figure can serve as a guide for selecting an open-source
or a commercial deployment. Commercial tools are easy to implement but incur heavy costs, whereas
open-source alternatives are cheaper but take considerably longer to implement.
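The three paths of Fig. 7 and the "one wrong rule" warning above can be made concrete with a small first-match policy evaluator. This is an added example, not from the paper or any firewall product: the zone addressing is assumed (192.168.1.0/24 as the internal LAN of the case study, 10.0.0.0/24 as a DMZ, everything else external), the addresses 203.0.113.5 and 10.0.0.10 are hypothetical, and the packets evaluated are constructed rather than captured.

```python
"""First-match packet policy for the three-zone (external / DMZ / internal)
layout of Fig. 7.

Added example, not from the paper. Zone addressing is assumed: 192.168.1.0/24
is the internal LAN of the case study, 10.0.0.0/24 a DMZ, everything else
external. The packets evaluated at the bottom are constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.0.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or "any"
    dst: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty set = any destination port
    action: str         # "allow" or "deny"
    comment: str = ""

    def matches(self, src_zone, dst_zone, proto, dport):
        return (self.src in ("any", src_zone) and self.dst in ("any", dst_zone)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# The ports the reconnaissance and exploit above went through.
WINDOWS_SHARING = frozenset({135, 137, 138, 139, 445})


def decide(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; nothing matching is denied (default deny).
    Returns (action, comment of the deciding rule)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action, rule.comment
    return "deny", "default"


def risky_rules(rules):
    """Flag allow rules that accept any port from any source: the kind of
    single rule 'established for the wrong reasons' that opens a system."""
    return [r.comment for r in rules
            if r.action == "allow" and r.src == "any" and not r.dports]


GOOD_POLICY = [
    Rule("any", "any", "any", WINDOWS_SHARING, "deny", "no RPC/NetBIOS/SMB between zones"),
    Rule("external", "dmz", "tcp", frozenset({80, 443}), "allow", "public web servers"),
    Rule("internal", "dmz", "tcp", frozenset({22, 80, 443}), "allow", "LAN to DMZ admin and browse"),
    Rule("internal", "external", "any", frozenset(), "allow", "outbound from LAN"),
]

# The same policy with one careless rule put first "to make the DMZ work".
BAD_POLICY = [Rule("any", "dmz", "any", frozenset(), "allow", "temporary, fix later")] + GOOD_POLICY

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, decide(policy, "203.0.113.5", "10.0.0.10", "tcp", 445), risky_rules(policy))
```

With GOOD_POLICY an external host reaching for port 135 on 192.168.1.76 is stopped by the explicit deny, and anything else from outside to the LAN falls through to the default deny; with BAD_POLICY the "temporary" rule sitting above everything else lets external SMB straight into the DMZ, which is the single wrong rule the text warns about, and risky_rules() is the kind of lint a change-review step should run before a policy goes live.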
But security means more than screening traffic with firewalls. It also means guarding against illicit
data access and preventing users from misusing resources.
Thus an Intrusion Detection System (IDS) serves as a second line of defence. Designed to
watch either a system for filesystem changes or the traffic on a network, it learns, with the help of a
human, what normal activity looks like and then notes deviations from that norm that would suggest an
intrusion or otherwise suspicious traffic. Notification can be via e-mail, pager and/or SMS.
Intrusion detection is the art of detecting inappropriate, incorrect or anomalous activity. An IDS is a
system that detects burglary attempts, whereas firewalls play the role of door and window locks. Such locks
stop the majority of burglars, but sophisticated intruders may circumvent the devices that protect
an intended target, which is why most people combine good locks with an alarm system.
An IDS plays the role of that alarm system and adds the next layer of security by
detecting attacks that penetrate IT systems. Network-based IDSs monitor an entire large network from
only a few well-situated nodes or devices and impose little overhead on the network. They are mostly
passive devices that observe ongoing network activity without adding significant overhead or
interfering with network operation. They are easy to secure against attack and may even be undetectable
to attackers; they also require little effort to install and use on existing networks.
Network-based IDSs are not able to monitor and analyse all traffic on large, busy networks and may
therefore overlook attacks launched during peak traffic periods. Nor can they monitor switched
(high-speed) networks effectively without a mirror port or a tap, since a switch only delivers to the
sensor the traffic addressed to it. Typically, network-based IDSs cannot analyse encrypted data, nor do
they report whether attempted attacks succeeded or failed. Thus they require a certain amount of active,
manual involvement from network administrators to gauge the effects of reported attacks.
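The SuperScan sweep from the recon phase is the textbook event a network-based IDS is expected to raise. As an added example (not from the paper or any IDS product), the following threshold scan detector runs over constructed connection records in an assumed "epoch_seconds src dst dport" format, one per new TCP connection. The fast scan plays the role of SuperScan on 192.168.1.75 sweeping 192.168.1.76; the slow scan from a hypothetical second attacker host, 192.168.1.77, shows how a patient attacker stays under the threshold, which is one of the evasion limits the text describes.

```python
"""Threshold port-scan detector of the kind a network IDS runs on traffic it
observes passively.

Added example, not from the paper. The connection records are constructed
(assumed format: "epoch_seconds src dst dport", one per new TCP connection);
the fast scan plays the role of SuperScan on 192.168.1.75 sweeping
192.168.1.76, the slow scan shows a patient attacker staying under the
threshold, and 192.168.1.77 is a hypothetical second attacker host.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # how far back the detector remembers per (src, dst)
DISTINCT_PORTS = 5      # alert once a source touches this many ports on one host


def parse_record(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_scans(lines, window=WINDOW_SECONDS, threshold=DISTINCT_PORTS):
    """Return one alert per (src, dst) pair: (window_start, src, dst, ports).

    Records are processed in time order; for each pair only the last
    `window` seconds are kept, so memory is bounded by the traffic rate."""
    recent = defaultdict(deque)        # (src, dst) -> deque of (ts, dport)
    alerted, alerts = set(), []
    for ts, src, dst, dport in sorted(map(parse_record, lines)):
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)           # report each scanning pair once
            alerts.append((q[0][0], src, dst, tuple(sorted(ports))))
    return alerts


BASE = 1136731452   # Sun Jan 08 14:44:12 2006 UTC, chosen to match the logon time above
PORTS = [21, 22, 23, 25, 80, 135, 137, 139, 445]
# Constructed records: one connection per second from the attacker's laptop ...
FAST_SCAN = [f"{BASE + i} 192.168.1.75 192.168.1.76 {p}" for i, p in enumerate(PORTS)]
# ... the same sweep spread one minute apart, and two ordinary file-sharing connections.
SLOW_SCAN = [f"{BASE + 60 * i} 192.168.1.77 192.168.1.76 {p}" for i, p in enumerate(PORTS)]
NORMAL = [f"{BASE + 2} 192.168.1.10 192.168.1.76 445", f"{BASE + 5} 192.168.1.10 192.168.1.76 139"]

if __name__ == "__main__":
    for alert in detect_scans(FAST_SCAN + SLOW_SCAN + NORMAL):
        print(alert)
```

Only the fast scan is reported, at the moment its fifth distinct port is seen. Widening the window (600 seconds catches the slow scan too) trades memory and false positives against evasion, and a detector like this says nothing about whether any of the probed ports were actually open, which is exactly the "succeeded or failed" gap noted above.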
A host-based IDS analyses activity on the host it monitors at a high level of detail and can often
determine which processes and/or users are involved in malicious activity. Though each may focus on a
single host, many host-based IDS products use an agent-console model: agents run on (and monitor)
individual hosts but report to a single centralized console, which configures, manages
and consolidates data from numerous hosts. Host-based IDSs can detect attacks that are invisible to a
network-based IDS and can gauge their effects quite accurately. Because they see data after the host
has decrypted it, they can examine encrypted traffic, data, storage and activity. Host-based IDSs also
have no difficulty operating on switched networks.
Data collection occurs on a per-host basis; writing to logs or reporting activity requires network traffic
and can decrease network performance. Clever attackers who compromise a host can also attack and
disable its host-based IDS. Host-based IDSs can be foiled by DoS attacks, which may prevent any
traffic from reaching the host where they run or prevent them from reporting to a console
elsewhere on the network. Most significantly, a host-based IDS consumes processing time, storage,
memory and other resources on the hosts where it operates.
Compared to firewalls, IDSs are more sensitive to configuration errors, misleading design assumptions
and product-mix choices. So a careful performance check of any IDS infrastructure is needed before its
planned purchase and installation.
Most importantly, human intervention is still required: security-aware people must be
responsible for IDS setup and maintenance and must be the ones alerted about security breach attempts. An IDS
cannot do the job alone and is no "magic wand" that makes it the only security our
systems require. It is just a tool to be used by people, and for that purpose a suite of response
procedures should be prepared in advance that the staff observe strictly.
With techniques like obfuscation, fragmentation, denial of service and application hijacking, an attacker
can pass traffic under the nose of an IDS and avoid detection.
Prevention is invariably a better approach than treatment, for both living beings and computer networks.
And just as with living beings, it is impossible to prevent all maladies from occurring on a computer
network. But unlike the human body, computer networks do not have an autonomic immune system that
differentiates self from non-self and neutralizes potential threats. Security engineers have to establish
what behaviour and attributes are "self" for their networks and deploy systems that identify "non-self"
activity and neutralize it. Thus the old phrase holds very true: information is power. The closest thing
to a panacea is a proactive approach leading to a better understanding of the threats; the knowledge it
delivers helps administrators to use their arsenal with full strength against black hats. The honeynet is
a technology that takes this proactive approach, based on military doctrine. Honeypots are closely
monitored network decoys serving several purposes: they can distract adversaries from more valuable
machines on a network, they can provide early warning about new attack and exploitation trends, and they
allow in-depth examination of adversaries during and after the exploitation of a honeypot.
Honeypots are a highly flexible security tool with different applications. They do not fix a
single problem; instead they have multiple uses, such as prevention, detection or information gathering.
All honeypots share the same concept: a security resource that should not see any production or
authorized activity. In other words, deploying honeypots in a network should not affect critical
network services and applications. A honeypot is a security resource whose value lies in being probed,
attacked or compromised, so any connection to it is by definition suspicious.
Honeypots are a simple concept, which gives them the following strengths.
1. Small data sets of high value: honeypots collect small amounts of information. Instead of logging
huge volumes of data they log only information of high value, since only the black-hat community
interacts with them. This makes it much easier and cheaper to analyse the data and derive value
from it.
2. Minimal resources: honeypots require minimal resources; a single Pentium-class machine is
enough to monitor an entire class C network, even on gigabit links.
Network security is not a product that you can purchase. It is a process: a long process that you
continually update, improve and monitor. Today's networks often include several different
operating systems, a variety of web-based and client/server applications, and other components from a
potpourri of vendors. These heterogeneous networks introduce a high level of complexity when it comes
to management and security. This complexity makes it impossible to secure an entire
networking environment effectively with a single component such as a firewall.
For the case study above the arsenal is concrete: the patch that closes the RPC DCOM hole, a firewall
that keeps ports 135-139 and 445 away from untrusted networks, a non-trivial Administrator password
with a non-zero lockout threshold, and a RestrictAnonymous setting that makes null-session enumeration
fail. A total information security solution includes policy and procedure, access control, user
authentication, encryption and content security. By focusing a security solution on an individual
component, such as access control or an encryption method, one risks leaving holes in the security
shield that can be exploited by an attacker. Approaching security as a concept and not as individual
components is the best way to develop and implement secure network environments.