Recent examples of Web Attacks, Worms and Viruses:
Recent examples of Buffer Overflows:
Network Vulnerabilities
Types of Vulnerabilities
IP Protocol weaknesses
• Improper input handling (Buffer Overflow)
• Good and Bad Passwords How-To: http://geodsoft.com/howto/password/
Default network services configurations
• Anonymous ftp (port bounce, world-writable)
• Default services enabled (e.g., chargen, echo, finger)
• DNS (buffer overflows, zone transfers – recon)
• SMTP (e-mail relaying, username enumeration)
• SNMP community names (public & private)
Trust relationships between hosts
• Windows NT/2000 Domains and Forests
• “R” services (.rhosts and hosts.equiv)
• Network device configurations – no authentication (e.g., telnet, ftp, http)
Top Ten Vulnerabilities by Cisco Secure Consulting Services
• Passwords – default accounts, easily guessable passwords, Joe accounts, null passwords
• File sharing – NFS export controls, no authentication, SMB/CIFS cleartext passwords, NFS trust relationships
Types of Exploits
Local exploits
• Used to escalate user privileges
• NT winlogon exploit (GetadmforSops.exe)
• IIS system privilege exploit (hk.exe)
• Solaris libc exploit (ex_lobc-2.c)
• Solaris dtprintinfo exploit (ex_dtprintinfo.c)
• Does not require user-level access.
• Used to gain access without an existing user-level account.
• IIS Web Server Traversal exploit (iis-zank.exe)
• Windows 9x NetBIOS exploit (client.c)
• Solaris RPC Buffer Overflow (sadmindex.c)
• WUFTPd Buffer Overflow (wuftpd2600.c)
• HTTP Tunnel via HTTP Proxy (httptunnel)
Most exploits depend on SUID or otherwise privileged programs
• Buffer overflow exploits are the most widely used
• Due to improper input checks
• Allows execution of malicious code
• “Smashing the Stack for Fun and Profit” (Aleph One)
• Trusted environment variables
• Variable values are used by most applications
• Software that does not perform proper checking on environment values can be exploited
• Internal Field Separator (IFS) and TMP
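The two weaknesses listed above, an unchecked copy into a fixed-size buffer and blind trust in environment values such as TMP, are shown below in an added C example that is not part of the slides. The vulnerable copy is kept only for contrast and is never called with untrusted input; the hardened functions (copy_checked, tmp_dir_is_safe, choose_tmp_dir) and the allowlist they apply are this example's own choices, not a routine from any program named on the slides.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable form ("improper input checks"): strcpy() copies until the NUL
 * terminator and ignores the size of `name`, so any argument longer than
 * 15 bytes overruns the stack buffer. Shown for contrast only; nothing in
 * this file calls it with untrusted data. */
void greet_unchecked(const char *arg)
{
    char name[NAME_LEN];
    strcpy(name, arg);              /* no length check */
    printf("hello %s\n", name);
}

/* Hardened form: refuse input that does not fit instead of truncating
 * silently. Returns 0 on success, -1 if `src` is too long for `dst`. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);        /* n + 1 includes the terminating NUL */
    return 0;
}

int greet_checked(const char *arg)
{
    char name[NAME_LEN];
    if (copy_checked(name, sizeof name, arg) != 0)
        return -1;
    printf("hello %s\n", name);
    return 0;
}

/* For a SUID program the environment is caller-controlled input. Accept a
 * TMP directory only if it is an absolute path built from a small allowlist
 * of characters (no spaces, IFS-style separators or shell metacharacters)
 * and contains no ".." sequence. Returns 1 if accepted, 0 if rejected. */
int tmp_dir_is_safe(const char *val)
{
    if (val == NULL || val[0] != '/' || strlen(val) >= 256)
        return 0;
    for (const char *p = val; *p; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '/' || *p == '_' ||
              *p == '-' || *p == '.'))
            return 0;
    }
    if (strstr(val, "..") != NULL)  /* conservative: reject any ".." at all */
        return 0;
    return 1;
}

/* Use the environment value only when it passes validation; otherwise fall
 * back to a fixed, known-good directory. */
const char *choose_tmp_dir(const char *env_tmp)
{
    return tmp_dir_is_safe(env_tmp) ? env_tmp : "/tmp";
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "world";   /* constructed default */
    if (greet_checked(arg) != 0)
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_LEN - 1);
    printf("tmp dir: %s\n", choose_tmp_dir(getenv("TMP")));
    return 0;
}
```

Rejecting rather than truncating matters: a silently truncated value can still pass later checks while meaning something different from what the caller supplied. The same allowlist approach applies to any environment value a privileged program consumes (PATH, IFS, LD_* variables), or the program can simply discard the inherited environment and run with a fixed one.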
• IP Address space verification
• Network mapping with ICMP queries
• Identify potential targets
WHOIS Servers:
• www.internic.net/whois.html (US web sites)
• whois.isi.edu (US educational web sites)
• whois.apnic.net/ (Asia Pacific Network Information Centre)
• whois.ripe.net/ (Réseaux IP Européens Network Coordination Centre)
• whois.aunic.net (Australia)
• www.nic.mx/cgi/whois (Mexico)
• whois.nic.uk (United Kingdom)
• whois -h whois.arin.net
or whois -h whois.arin.net
• whois -h whois.networksolutions.com
Typical “host” commands: