Ethical Hacking

This course focuses on teaching students about current security threats and defenses. From this point on we will learn about details of security threats and even perform some attacks ourselves in a controlled and safe setting, on DeterLab.

Why do we learn how to attack? Just as doctors must train for years treating sick patients, with an attending, before they can practice on their own, security practitioners need to practice attack detection and defense in a realistic setting, under the supervision of more experienced professionals, before they gain enough skill to handle attacks in the wild. Attacks occur in many variants and may affect different networks in different ways. Also, several types of attacks often have similar "symptoms", and only hands-on investigation of each event can help a security practitioner disambiguate among them.

Unfortunately, it is almost impossible to obtain access to a real network during an attack, unless one is that network's administrator. And it is too costly for classes to have a team of professional hackers attack a network so that students can investigate the effects and try out countermeasures. This is why in this class we learn how to perform attacks ourselves, and then how to diagnose and defend against them.

What about ethics? The attacks we learn are all performed in DeterLab, on a set of machines and network connections that are isolated from the real Internet and whose purpose is to be used for security experimentation. It is perfectly safe to crash these machines, infect them, overload the network, disturb connectivity, etc. There are established procedures to recover the initial state after any of these events, and no one is disturbed by these actions.

What if a student uses the techniques learned in class to attack someone in the real world? Many attacks that we learn about in class include sending unsolicited traffic to the victim, breaking into the victim's computer, accessing resources or information without authorization, or interfering with their network connectivity. Each of these acts is a criminal offense punishable under US law. Most are misdemeanors but some are felonies. The same rules apply to cybercrime as to stealing or physical attacks. It is never OK to attack someone, physically or in the cyber-world.

Intrusions

Why do people break into somebody's computer or network? Often the motivation is financial gain, but it could also be political reasons, personal revenge, or just bragging rights. What type of people usually perform intrusions? In the past most "hackers" were teenage computer enthusiasts who wanted the bragging rights of having broken into a big organization's network. Today, most cybercrime incidents have organized criminal or political groups behind them.

An intrusion scenario consists of five stages:

  1. Reconnaissance - learning a lot about the intended victim, such as their network range, names of DNS servers and public servers, network configuration, etc.
  2. Scanning - learning about live machines in the victim network, about services running on them, about network topology or firewall rules
  3. Gaining access - breaking into computers
  4. Maintaining access - keeping a backdoor open that is known only to the attacker, for easy access in the future
  5. Covering tracks - making sure network or computer administrators have a hard time diagnosing the intrusion or tracing the attacker

Reconnaissance

In this stage the attacker aims to find out as much information about the target as they can without actively interacting with it. One way to do this is through non-technical means, like social engineering (talking to people in the target organization), physical break-in, or looking through the target organization's trash. If the target has a wireless network that is not secure, the attacker could sniff its traffic without physically being on the premises, as wireless range may extend outside the buildings.

Another way to do reconnaissance is to search the Internet for the desired information. The organization's Web site may hold information about internal servers, their configuration, and their IPs or DNS names. Employees may post such information to Web forums, e.g., for Linux or Java troubleshooting.

When an organization acquires a domain name or a set of IP addresses, Internet bodies known as registrars collect and publicly display information about:

Domain Name System (DNS)

DNS helps humans learn the IP addresses that various DNS names map to. DNS is organized as a hierarchy, with each server maintaining some portion of the distributed information. For more information about DNS see our network primer.

An attacker can gather information about the target's IP address range, the names and IP addresses of different servers, and possibly server OS and configuration information from the target's DNS server. One way to do this is called interrogating DNS, or DNS zone transfer. This is a type of DNS query that causes the server to dump all its information in the reply. It was created to help networks perform server backup. If the target's DNS server does not have a security rule that prevents DNS zone transfers to an IP outside of the target's IP address range, the attacker can use this to obtain information about the target.

What are the defenses against DNS interrogation? One is to ensure that DNS zone transfers can be done only with internal servers. Another is to make sure that the DNS server holds no extra information - just public server IPs and domain names. The third defense is split-horizon DNS illustrated in the figure below.

Here there are two DNS servers: an external one visible to external users and an internal one visible to employees. The external server holds information only about public servers, and the internal server only about private servers. If a server needs to be accessible to both external and internal users, it receives two IP addresses, one public and one private. The internal DNS server can redirect internal users to the external DNS server if these users need information about the public addresses of the company's servers. No external user can access the internal DNS server. This can be enforced either via firewall rules or via security rules in the internal DNS server's configuration.
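The second defense (no extra information on the externally visible server) can be checked mechanically. The following is an added example, not part of the original course material: it audits a constructed external zone for records that expose internal addresses or host details. The zone contents, the list of allowed record types and the one-record-per-line format with explicit owner, TTL and class are assumptions of the example.

```python
import ipaddress

# Internal ranges (RFC 1918, loopback, link-local) that a public zone should never expose.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumption for this example: record types the external zone legitimately needs.
PUBLIC_TYPES = {"SOA", "NS", "A", "MX", "CNAME"}

# Constructed external zone; every name and address is invented for illustration.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@      3600 IN NS    ns1.example.test.
@      3600 IN MX    10 mail.example.test.
ns1    3600 IN A     192.0.2.53
www    3600 IN A     192.0.2.80
mail   3600 IN A     192.0.2.25
build  3600 IN A     10.20.0.15      ; internal build host
db1    3600 IN A     192.168.4.7
www    3600 IN HINFO "x86_64" "Linux"
ns1    3600 IN TXT   "rack 4, patched 2019"
"""


def audit_external_zone(zone_text):
    """Return (owner, type, reason) for each record that gives away extra information."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("$"):      # skip blanks and directives
            continue
        fields = line.split(None, 4)              # owner, TTL, class, type, rdata
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype not in PUBLIC_TYPES:
            findings.append((owner, rtype, "type not needed in a public zone"))
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((owner, rtype, f"internal address {addr}"))
    return findings


if __name__ == "__main__":
    for owner, rtype, reason in audit_external_zone(SAMPLE_ZONE):
        print(f"{owner:6} {rtype:6} {reason}")
```

With split-horizon DNS, the records this audit flags belong on the internal server only.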

Scanning

In the scanning phase the attacker sends probing traffic to the target to learn about live IPs (IPs that are assigned to machines in the network), services in the network, network topology, etc.

To learn about live machines the attacker can perform a ping sweep or a TCP SYN sweep. A ping sweep sends a ping (ICMP ECHO request) to each IP address in the IP range assigned to the target. If there is no reply, or an ICMP unreachable message comes back, the address is not live; if there is a ping reply (ICMP ECHO reply), the address is live. A network could defend against this with a firewall rule that forbids ICMP traffic from exiting the network, so that any ping receives no reply. A TCP SYN sweep sends a TCP SYN to all or some ports on each IP address in the IP range assigned to the target. Such traffic cannot be filtered by a firewall, since the target may offer some public services that legitimate customers access by sending TCP SYNs. But a firewall could restrict TCP SYN traffic to only those public services.
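Both sweeps leave the same trace at the network border: one source probing many different addresses in a short time. The following is an added example, not part of the original course material, showing detection logic over a constructed firewall log; the log format, addresses, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed border-firewall log: 'time_s src dst proto detail [dport]'."""
    lines = [f"{i} 203.0.113.9 192.0.2.{i} ICMP echo-request" for i in range(1, 21)]
    lines += [f"{100 + i} 198.51.100.7 192.0.2.{i} TCP SYN 22" for i in range(1, 16)]
    # A normal client: many SYNs, but all to the one public Web server.
    lines += [f"{10 * i} 198.51.100.44 192.0.2.80 TCP SYN 443" for i in range(30)]
    # A slow sweep: one probe every two minutes stays under the default window.
    lines += [f"{120 * i} 203.0.113.77 192.0.2.{i} ICMP echo-request" for i in range(1, 21)]
    return lines


def detect_sweeps(lines, window=60, threshold=10):
    """Map (source, sweep kind) to the most distinct targets probed in any
    `window`-second span, for sources that reach `threshold` targets."""
    events = defaultdict(list)
    for line in lines:
        fields = line.split()
        t, src, dst, proto, detail = int(fields[0]), *fields[1:5]
        if proto == "ICMP" and detail == "echo-request":
            events[(src, "ping sweep")].append((t, dst))
        elif proto == "TCP" and detail == "SYN":
            events[(src, "TCP SYN sweep")].append((t, dst))
    alerts = {}
    for key, evs in events.items():
        evs.sort()                                  # order each source's probes by time
        best = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] >= window:   # slide the window forward
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, kind), count in detect_sweeps(build_sample_log()).items():
        print(f"{kind} from {src}: {count} distinct targets")
```

The slow source 203.0.113.77 is not flagged with the 60-second window; calling `detect_sweeps(lines, window=3600)` catches it, at the cost of keeping more state per source.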

To learn about network topology the attacker can perform a traceroute. This program sends packets (usually ICMP ECHO, but other types can be sent as well) to some address in the target's IP range, with increasing values in the IP header's TTL (time-to-live) field. When this value reaches zero, routers usually issue an ICMP unreachable message to the sender. By looking at these replies the attacker can piece together the route from their machines to the target, as well as the target's internal network topology. One defense against network topology mapping is to have a firewall rule that forbids ICMP traffic from exiting the network. Another is network address translation (NAT).

A NAT sits on a border router of the network and rewrites IP addresses and ports in packets going in and out. When an internal host B wants to send traffic out on a new source port, the NAT creates an entry in its table that maps (IP_B, sport_B) to a currently unused port X at the NAT. It then rewrites (IP_B, sport_B) with (IP_NAT, X) in each packet sent from B to the outside. When the replies come back for (IP_NAT, X), the NAT rewrites this into (IP_B, sport_B) and passes the replies to B. This way the remote server has the impression that it is communicating only with the NAT and learns nothing about the internal topology of the network.

If B offers some public service (e.g. a Web server), the NAT will use the well-known service port (e.g. 80) for X. The situation becomes complicated if there is more than one public server within the NAT-protected network that needs the same well-known service port. In this case only one server can offer service on this port to its clients, while all other servers must use non-standard port numbers. This requires notifying clients about the non-standard port number, i.e. it is not transparent to the clients.
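The translation table and the well-known-port conflict described above, as an added example that is not part of the original course material. The class and method names, addresses and starting port are hypothetical, and the model is simplified: it keys mappings on the port alone and ignores protocol and timeouts.

```python
class Nat:
    """Toy port-translating NAT: maps (internal IP, source port) to a port X."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (ip_b, sport_b) -> X
        self.back = {}   # X -> (ip_b, sport_b)

    def publish(self, internal_ip, service_port, public_port=None):
        """Static mapping for a public service; X defaults to the well-known port."""
        x = service_port if public_port is None else public_port
        if x in self.back:
            raise ValueError(f"port {x} already maps to {self.back[x]}")
        self.out[(internal_ip, service_port)] = x
        self.back[x] = (internal_ip, service_port)
        return x

    def outbound(self, src_ip, sport, dst_ip, dport):
        """Rewrite the source of a packet leaving the network."""
        key = (src_ip, sport)
        if key not in self.out:
            while self.next_port in self.back:    # find a currently unused port X
                self.next_port += 1
            self.out[key] = self.next_port
            self.back[self.next_port] = key
        return (self.public_ip, self.out[key], dst_ip, dport)

    def inbound(self, src_ip, sport, dst_ip, dport):
        """Rewrite the destination of an arriving packet; None means no mapping."""
        if dst_ip != self.public_ip or dport not in self.back:
            return None
        ip_b, sport_b = self.back[dport]
        return (src_ip, sport, ip_b, sport_b)


def demo():
    nat = Nat("203.0.113.1")                       # constructed addresses throughout
    sent = nat.outbound("10.0.0.5", 51515, "198.51.100.20", 443)
    reply = nat.inbound("198.51.100.20", 443, sent[0], sent[1])
    nat.publish("10.0.0.80", 80)                   # first Web server gets port 80
    try:
        nat.publish("10.0.0.81", 80)               # second one cannot also have it
        clash = False
    except ValueError:
        clash = True
    alt = nat.publish("10.0.0.81", 80, public_port=8080)   # non-standard port instead
    return sent, reply, clash, alt
```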

Port scanning is usually done to detect open ports, but can also be used to find OS type and version or firewall holes. Various scans can be sent, e.g.:

The best defense against port scanning is to close unused ports. A firewall can also be used to ensure that external traffic only reaches public services.

Firewalking is a special type of scanning where the attacker sends TCP ACK packets, with specially crafted source IP and source port, to determine firewall rules. The attacker first discovers their distance from the firewall. They then send firewalk packets with TTL = distance+1. If the attacker receives an ICMP time exceeded message, they know that the packet made it past the firewall. The best defense against firewalking is to ensure that no ICMP traffic is sent to external IPs. This way the attacker cannot differentiate between a successful and a failed scan.

Vulnerability scanning is the last scanning phase. The attacker actually tries different exploits to see if any succeed.