Risk Management: The Big Picture – Part – Going Around the Firewall and Scanning for Vulnerabilities
Information Risk Management - SANS ©2001

If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them before they do. System, network, and telephone vulnerability scanning tools are a powerful method of doing this.

2-1 Gnutella
• Designed for peer-to-peer file sharing on the Internet
• Introduces security weaknesses
  – Hole in a firewall
  – Users give away network information
  – A possible annoyance or DDoS tool

Let's take a look at another Internet threat: the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we'll examine Gnutella, its function, and the dangers it introduces.

Gnutella is an Internet file sharing utility. Described as a "servant", Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users. The Gnutella net is peer-to-peer, with interconnected servants that search and relay for one another to make file sharing and storage truly distributed. When searching for a file, the Gnutella service will search the hosts you are connected to, the hosts they are connected to, and so on. Once the file is found, a download can be initiated with a TCP connection directly between the 'client' and 'server'.

Gnutella was designed to enhance free, easy, and anonymous exchange of information. However, there is a dark side: the distributed nature of the Gnutella net combined with the Gnutella net protocol introduces security weaknesses for Gnutella users. A prime concern is that Gnutella users situated behind firewalls open a hole in their firewall when they connect to an external Gnutella net. The way this works is covered in the next slide.

Traces taken from a Gnutella user's machine show that when searching, requesting a download, or 'pinging' for other Gnutella hosts, the user gives away a combination of information including an IP address within a network, a half-open connection and/or a known set of SEQ and ACK numbers, and a MAC address. Although security is not achievable merely through obscurity, it is certainly better not to openly offer this information to anyone on the Internet!

In order to handle Network Address Translation (NAT), the Gnutella design incorporates the ability to spoof ports and IP addresses. Unfortunately, this means that an unwitting host may be targeted by many simultaneous SYN requests from hosts on the Gnutella net who are attempting to grab the files that the spoofed host is apparently offering.

One more thing: with the current increasing use of Gnutella, and the number of Gnutella versions and downloads available, perhaps it is only a matter of time before someone discovers that there's more to their executable than they originally thought. Is there a better way to distribute a Trojan than to take advantage of a pool of users eager to download and run the Gnutella binary?
2-2 Gnutella - Firewall Subversion
(Diagram: on the left, A and B set up a Gnutella net and the firewall denies an inbound TCP request from C; on the right, C connects to the Gnutella net, C's request is relayed to A, and A connects to C through the wall.)

The fundamental trick Gnutella uses is to count on a firewall policy that says we trust ANY connection originated from inside the firewall. The threat vector with tools like Gnutella is inside users on your local network. They usually know they are violating policy, but they may not understand the entire risk of their actions.

On the left, host A is behind a firewall and has connected to host B, forming a Gnutella net. Host A initiated the connection, which the firewall allowed. An external TCP request from host C is denied by the firewall - that is, C cannot initiate a connection to A. Gnutella provides a mechanism for host C to circumvent this firewall block and access host A.

On the right, we see that host C connects to the Gnutella net previously set up by A and B. Through host B on the net, host C can now 'see' the files being offered by A. In order to download from A, host C needs to set up a TCP connection. Host C achieves this by sending a request to the Gnutella net, which relays the request to A, telling A to initiate a connection to C. Since A is not prevented from initiating connections, a connection can be made. Indirectly, C can connect to a port on a host behind a firewall that denies inbound TCP connections to unserved ports!
Combine this with the information give-away discussed earlier, and the hacker's job is made that much easier. Thanks to Matt Scarborough for sourcing the Gnutella information. For more on Gnutella visit http://www.sans.org/y2k/gnutella.htm

To summarize this section, many users place too much trust in their firewalls. Firewalls are wonderful, but they, like any defensive means, have limitations. Next we will take a look at the type of attacks that are banging against your firewall on a daily basis.

2-3 Firewalls, Wireless Connections, and Modems
(Diagram: INTERNET – ISP – Firewall)
The more restrictive a site's firewall policy, the more likely the employees will use modems.

Suppose your house is connected to the Internet with a Cisco router running the firewall feature set. Behind that is an additional appliance firewall. Could your systems be easily reached? They could if the systems run 802.11 wireless cards! But long before wireless became popular, there were still a number of ways to penetrate or avoid firewalls. You can't buy a system today without a 56K modem built in, and PCs with modems are number one in the subvert-a-firewall hit parade.

There are at least two problems with modems inside a firewall: leaving the modem on auto-answer, and having attackers scan you when you use the modem to connect to the Internet. The first case (auto-answer) is well understood. If the modem is left in this mode, an attacker may locate it with a war dialer and access the site. Perhaps the best defense for this is to sweep your site for modems periodically. PhoneSweep is a commercial war dialer available at http://www.sandstorm.net

The second modem risk is exposed when a system makes a connection to an ISP: it is a fully functional, bi-directional network connection. Many sites understand some or all of the information-gathering probes and attacks that can be directed against Windows machines, and block NetBIOS with their filtering firewall or router.
However, a system connected to an ISP is not protected by the firewall!! The picture on your screen represents a successful compromise of a secure facility. The firewall was a good one, with certified proxies. However, there was no proxy available for the timecard application, so they gave the administrative worker access to an ISP account. A determined hacker had studied what they were doing, and since timecards are done at about the same time every other Friday, was able to scan the ISP dialups, find the administrative worker's system, and gain access to information via an unprotected share that was later used to attack the facility. The firewall did its job just fine, but the perimeter was not sufficient to protect the facility. The threat vector here was an outside attack via a network.

2-4 Finding Unprotected Shares
(Screen shot: Legion)

Legion is available from http://www.nmrc.org/files/snt/ This tool is recommended for any system administrator or security professional responsible for a site with Windows systems. Just remember to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of your next career may be: "Would you like fries with that order?" What does Legion do?
The software can detect unprotected or poorly protected shares. Poorly protected shares may allow an attacker access to files. Depending on this access, this may mean the ability to compromise the system. It certainly could mean the ability to defeat two of the primary security pillars: confidentiality and integrity. Confidentiality would be breached if they could read the files; integrity would be compromised if they could modify the files.

This simple flaw is what enables an entire class of Windows worms to function: if they find an unprotected share they can copy themselves to the hard drive, and then simply need to find a way to have their code executed. Sometimes these worms aren't that dangerous. Lance Spitzner has an interesting account of an unprotected share worm at http://project.honeynet.org/papers/worm/ In that case the worm borders on research. NOTE: not all Windows worms propagate via unprotected shares. KAK, for instance, uses an ActiveX design flaw in Outlook Express so that if the user simply reads an email message (they do not have to open an attachment, as with the earliest worms), KAK is able to spread by attaching itself to the outgoing signature file so that it can reach other victims.

Many of you know about shares and null sessions and have figured, "So what? We have a firewall and we block NetBIOS." This is good, but if one system that connects to the Internet via modem or wireless card gets compromised, it can be used as a springboard to run against your entire network from the inside. Again, the simplest way to subvert a firewall is with a system and a modem inside a facility.

2-5 Social Engineering
• Attempt to manipulate or trick a person into providing information or access
• Bypass network security by exploiting human vulnerabilities
• Vector is often outside attack by telephone or a visitor inside your facility

"Social engineering" is the term used to describe an attempt to manipulate or trick a person into providing valuable information or access to that information. It is the process of attacking a network or system by exploiting the people who interact with that system. People are often the weakest link in an organization's security. All of the technology in the world cannot protect your network from a user who willingly gives out his or her password, or innocently installs malicious software. Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear of getting in trouble, or the tendency to trust the people - and computers - with which we interact.

2-6 Social Engineering (2)
• Human-based
  – Urgency
  – Third-person authorization
• Computer-based
  – Popup windows
  – Mail attachments

Most social engineering is "human based." It involves one person trying to get valuable information from another person. The most well-known techniques are the urgency, impersonation, and third-person authorization techniques. Here is a classic example. A man calls the help desk: "Hello, this is Bob Smith, the Vice President of Big Corporation. I'm on travel and I've forgotten my password. Can you reset it so I can retrieve an important email for a meeting in 15 minutes?" Would your help desk question this request?
Most people would give out the information without thinking, either because they want to be helpful or because they are afraid of refusing the "vice president's" request, especially since he has an urgent meeting in 15 minutes.

Social engineering can also be computer-based. Consider this example: a user is browsing the web when he sees a pop-up window telling him that his Internet connection has timed out and he needs to re-enter his user name and password to re-authenticate. Would the average user question this activity? This is a common means to steal password information. These examples show that "human nature" can make it trivially easy for an attacker to walk right in to your network. Why hack through someone's security system when you can get a user to open the door for you?

2-7 Social Engineering Defense
• Develop appropriate security policies
• Establish procedures for granting access, etc., and reporting violations
• Educate users about vulnerabilities and how to report suspicious activity

Social engineering is one of the hardest attacks against which to defend. The weakness is a human one; we want to help people. Technology, such as host perimeter defense products, can provide some protection (for example, anti-virus software to guard against users who run viruses or Trojan software). Your best defense is to establish clear security policies - and enforce them.
• Security policies should establish such things as: the types of access allowed; the people authorized to grant such access; and the circumstances under which exceptions may be granted.
• In addition to policy, you should define procedures for things like activating and deactivating accounts; changing or resetting passwords; and granting additional rights or privileges.
• Finally, educate your users about these types of threats. In most cases, users do not maliciously create security problems - they generally do so out of ignorance. If users are aware of the threats, they can properly guard against them.

Here is a final thought about social engineering. In some sense, all attacks are social engineering. Whatever technology or technique an attacker is using to attack a site, if the attack is noticed, it often has a marked effect. Many people are starting to feel that they cannot keep up, that they cannot defend against the rapidly evolving threat. This is one reason why a course like this one is important: it gives you access to a lot of up-to-date information packaged so that you can get up to speed and back in the game fast.

2-8 Primary Threat Vectors
• Outsider attack from network
• Outsider attack from telephone
• Insider attack from local network
• Insider attack from local system
• Attack from malicious code

A threat is applied against a vulnerability, and that results in a compromise or denial of service. A threat vector is the method a threat uses to get to the target. For example, mosquitoes are the vector for malaria. A countermeasure against malaria (the threat) is to locate and spray mosquito breeding ponds (detection and response) or to invest in mosquito netting (prevention). As we discuss threats, please try to keep the threat vectors firmly in mind. Once the most important and probable threat vectors have been listed, you can note which ones are handled by current measures and which ones your proposal will address. For example, insider fraud risks are often well controlled by existing separation of duties and audit controls.

2-9 Tools That May Be Visiting Your DMZ
• Famous Windows Trojans
• Windows viruses that collect info
• Jackal, Queso, and SYN/FIN
• Nmap and Hping
• Unix worms

As we continue our discussion of well-known attack and scanning tools, I am going to give a bit of a historical perspective. Many of the authors that worked on this file and the entire course were involved in the Department of Defense's Shadow Intrusion Detection team. When we mention these tools, the way we learned about them was watching patterns on the net and then asking questions: why is this traffic behaving like this? Sometimes we were able to tie a particular pattern, or signature, to a tool. The dates and time frames we are using in this discussion represent when these patterns came to us over the net, as opposed to when the tools were written or developed.

Let me give you an example. We have already discussed Gnutella, but there is a similar tool called Napster, and it uses the default ports of 6699 and 6700. Recently, I was doing intrusion detection work at a U.S. military site in the Pacific and we saw a LOT of traffic. One or two packets were trying to come in from the Internet to these well-known Napster ports, but they were unable to penetrate the perimeter defenses of the military base. Then, boom, a bunch of traffic to or from port 8888. We configured a Snort intrusion detection system to capture the traffic, and it had the look and feel of Napster: people were downloading sound files. Apparently, the folks on the base had found a way around the traffic filtering on the firewall by using this alternate port number of 8888. It seemed to be primarily a chat channel, but they were also able to acquire sound files using it. The new port 8888 was a new pattern to me, but because I had seen a lot of Napster before, it had the look and feel of Napster. If you have an opportunity to run TCPdump or Windump (www.tcpdump.org) and watch the traffic coming to your network, this is a valuable thing to be familiar with.

When you start watching, one thing you will almost certainly see is probes for Trojans. In the next few slides, we are going to look at some of the famous Windows Trojans and discuss their signature over the network. They are: Back Orifice, Netbus, and of course, SubSeven. These are examples of one of the most prevalent threat vectors today, malicious code.

Examining Hping Options
• -F set the FIN flag
• -S set the SYN flag
• -A set the ACK flag
• -P set the PUSH flag
• -U set the URG flag
• -R set the RST flag
• -X set all flags
• -a address spoofing

Hping allows you to set any or all of the TCP flags. This capability allows you to do operating system fingerprinting or to probe through firewalls, among other things. The spoofing capability is what leads to the ability to perform stealth scans.

Scanning For Listening Services
• At a Linux command prompt enter: hping 192.168.0.79 -S -p 25

This slide demonstrates how hping can be used to determine if a service is running on a remote server. In this case we are scanning for the SMTP mail service. By setting the SYN flag with the '-S' option, we are sending packets that request that a connection be opened. The '-p 25' directs the packet to the SMTP port of the remote system. According to the TCP protocol, the remote system should respond with a SYN/ACK packet to our request if a service is listening on the port, and with a RST packet if not. Since the response packets had the SYN/ACK flags set, it can be concluded that the SMTP service is listening on this port.

Performing A Stealth Scan
• On a Windows system start up a packet sniffer to monitor traffic
• At a Linux command prompt enter the following, using the Windows system as the spoofed system: hping -a 192.168.0.11 -S -p 25 192.168.0.79

This time we are going to do a spoofed scan with hping. Before doing so, we will set up a packet sniffer that will show where the scanned system sends its response packets.

From The Spoofed System's Viewpoint
• Examine the packet capture done by the Windows system's sniffer

This is what the stealth scan looks like from the viewpoint of the spoofed system. Notice how the first packet received is a SYN/ACK packet. That's an immediate indication that something is wrong. Since the spoofed system doesn't know why the scanned system is sending a SYN/ACK packet, it sends a RST packet to tell the scanned system to drop the connection.

Phone Scanning for Vulnerability Detection
• Response for successful intrusion detection is not clear
  – Defensive posture is difficult to maintain
  – Generally not criminal to call phone numbers
• Intrusion detection may not be possible
• Scanning works - attackers use it!
• Threat of scanning acts as a deterrent

Special thanks to Simson Garfinkel and the folks at Sandstorm (www.sandstorm.net) for permission to use the PhoneSweep slides.

Firewalls are not perfect, we said, but when they fail it is more likely that they fail because of what the folks on the inside do, as opposed to the firewall having a technical problem. We already talked about users bringing up services on ports that are expected to be open for other reasons. Various multimedia programs such as Napster and Gnutella make it easy to get files through a site's defenses, and there are manuals on how to do this on the Internet. One other way that users can cause firewalls to fail is by hooking their system up to a modem. Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer electronics stores such as Circuit City and the like. Check out the computers. What do they all have?
War Dialers
• Used by attackers to find dial-up modems
• Many programs, widely available
  – ToneLoc, The Hacker's Choice, etc.

Well, what I notice about the ads (besides a price that is wrong by $400, because nobody in their right mind is going to sign a contract with Microsoft Networks or CompuServe) is that all the computers have modems. Eventually, someone, somewhere is going to hook that modem up. Modems have a "dial on demand" mode, but they also have an auto-answer mode. This would be useful if you wanted to be able to access your computer at work from your computer at home to download files. The screen shot you see is for ToneLoc, probably the most popular war dialer. It will scan a range of phone numbers looking for a modem on auto-answer. These systems can then be targeted.

Mitigating the War Dialer Threat
• Intrusion Detection Response:
  – Monitor call logs at phone switch
  – Set up monitored modems on special phone numbers (honeypot)
• Scanning Response:
  – Proactively scan your own phone numbers
  – Take action when modems are found

Your facility almost certainly has been and will be scanned. The question is, what action are you willing to take?
The logical countermeasure is to scan your own phone lines on a regular basis. Now, this is simple in theory, complex in practice. Your organization may have a person in charge of phones, and they may be able to help you. Be aware that Heating, Ventilation, and Cooling (HVAC - some folks say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system, and these numbers should be avoided. ToneLoc and most other scanners allow you to avoid number ranges.

PhoneSweep: Commercial Scanner
• A Telephone Scanner, not a War Dialer
  – modems
  – System ID
  – Penetration
  – Repeatable scans
  – 80+ page manual
  – Supported

Many organizations are uncomfortable using hacker code to attack their own sites because of the risk of embedded malicious code. Also, the documentation on some underground code is not the best. Technical support can be dicey from hacker locations. These are some of the factors that cause some organizations to prefer commercial software with phone support, printed manuals... and someone to sue if things go wrong.

Select Modems
(Screen shot: PhoneSweep modem selection)

An example of a commercial scanner is PhoneSweep, shown on this slide. Notice that it can run multiple modems in parallel; it turns out that phone scanning is really slow!

Specify Dialing Times
(PhoneSweep relies on the system clock for accurate time and day of the week.)
(Screen shot: dialing hours outside Business Hours)

With a commercial tool, you tend to get more flexibility in settings. For instance, you might want to consider scanning at night in case people leave their modems on auto-answer when they leave work. It is nice to have this capability, but scanning when you are not there can be dangerous. Another high-end feature to look for is the ability to detect fax machines.

Telephone Scanning Summary
• Any large site probably has modems that they do not know about
• Remember the "Legion" slide
• Slow, slow, slow: think seriously about the parallel modem option
• Doesn't seem to distinguish between faxes and modems as well as I had hoped

To summarize the phone scan section, this is something you should seriously consider doing. Remember that example in the firewalls section, of the facility that was compromised because of a user accessing the Internet via a modem and ISP? Unfortunately, phone scanning will only detect modems on auto-answer. Many organizations have digital phones, and so analog lines require special permission; this certainly limits how many numbers you need to test. Commercial tools have some significant advantages. On the other hand, ToneLoc is simple and very well tested!

How to Do a Vulnerability Scan
• Get permission, explain what you are doing: "finding our vulnerabilities before attackers do"
• Put out the word ahead of time, publish your phone number; people don't like surprises

We will close this section with a discussion of the general principles of scanning. Note well, vulnerability scanning can be hazardous to your career. The difference between a hacker and a penetration tester is permission!
Be certain that you have it. If you are just starting a scanning program in your organization, you probably want written permission. Things can go very wrong when you are scanning. I have crashed a number of systems - I've already mentioned the mockup of a Navy warship - and my friend John Green has a whole Navy base to his credit! We both did this with a simple vulnerability assessment tool. People will be a lot more forgiving if you warn them ahead of time and make sure it is easy for them to find you. If you are not in the office or people do not know how to contact you, then you could create a serious problem for your organization, and therefore yourself.

How to Do a Vulnerability Scan (2)
• Click target selection, choose a system, tell it to expand to the subnet
• Heavy scan, but do not allow Denial of Service scan (at least at first)
• Only scan when you are in the office by the phone
• Fix the red "priority" problems first

There is no point in configuring the scanner to hit all of your addresses unless you are in a small organization. Do a subnet at a time, a workgroup at a time, whatever makes sense. This way you don't have an overwhelming number of vulnerabilities to fix. If you scan the whole facility, you will have a huge list of problems and everyone will talk about fixing them, but it never gets past the promises stage. This is very dangerous. After you run the scan on a large scale, you get a huge printout of all the problems, and some of them are flagged as "very" serious, some "just" serious, and so forth. You present it to management and tell them it is the end of life as we know it if they aren't fixed. They agree, they task people, there are meetings, everyone agrees to get things fixed, and then you run into deadlines and emergencies and they never get fixed. Now you can't play that card again - after all, the organization is still in business!
If you run another scan, no one will take it that seriously. Therefore, scan a small section. Start with your own shop. Fix the problems, and move on. There is another approach, called the Top Ten Project. A number of scanners, including SARA and Nessus, have scanning modes that only look for the Top Ten vulnerabilities. This way, you only have to deal with the most serious problems first. For more information, please see www.sans.org/topten.htm

Warning!!! Vulnerability scanners may be hazardous to your career
• Be very sure you are authorized
• People really prefer to be warned
• Scanners sometimes crash systems
• Don't jump to conclusions about how vulnerable a system is until you know the tool very well

In the previous example, it isn't that you were wrong when you went to management and told them they were vulnerable. The problem is that attackers often leave a low footprint - you can be compromised and not realize it. Anyway, to summarize this section, a vulnerability scanner is a great way to find many of the holes that external and internal attackers would exploit, given the opportunity. However, scanners are prone to false positives and can break things. Be conservative; start the tool at low power and run it on a low number of systems until you are very familiar with its effects.

Course Revision History
v1.0 – S Northcutt – Jul 2000
v1.1 – edited by J Kolde – Aug 2000
v1.2 – edited by J Kolde, format grayscale for b/w printing – 23 Nov 2000
v1.3 – audio remastered, edited by J Kolde – 12 Dec 2000
v1.4 – slides cut out to make entire course teachable, S Northcutt May 2001; spell check and format F. Kerby 09 May
v1.5 – edited/formatted by J Kolde – May 2001
v1.5a – edited by D Tuttle – 24 July 2001
v1.6 – updates and added exercises by E Cole – 10 Aug 2001
v1.7 – updated E Cole – Nov 2001
v1.8 – updated and reorganized S Northcutt 21 Nov 2001
v1.9 – edited and audio recorded by C Wendt – 16 Jan 2002

[...] information

2-21 Spoofer NetBIOS
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)

This is a small sample of a massive pattern detected at several sites. All the [...]

[...] 405:405(0) ack 674 win 8192
06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192
Result
06:44:09 srn.com.113 > 192.168.162.67.2226: S 76:761(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
The initiating SYN connections were never sent, but SYN-ACKs are received.

This slide demonstrates the TCP half-open scan [...]

(Notes page for 2-22 TTL)
Destination IP Address: 172.20.204.154; TTL: 120; Traceroute Back: 12/10/11 hops; Expected Traceroute hops: 8
Destination IP Address: 192.168.212.123; TTL: 115 (one connection); Traceroute Back: 14/13/12 hops; Expected Traceroute hops: 12-13
Destination IP Address: 172.20.122.157; TTL: 120 (3 connections: 116); Traceroute Back: timeout occurred after 12/11/11 hops; Expected Traceroute hops: 8

2-23 Worms
• Attack system through known [...]
[...] was the most commonly probed port in the year 2000, and it is still very active today. The port is 27374 TCP, though it can be changed. This is the default and by far the most common.

2-12 SubSeven Client
SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9x and NT) and is the primary Trojan being pinged for in the year 2000. The SubSeven [...]

[...] if these scans were actually originating from sites all over the Internet, and possibly from different operating systems as well, we should see over thousands of these packets and some variation in the TTLs.

2-22 TTL
In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how they cluster around 120. This is not expected behavior. This is also fixed in the nmap 2.08 [...]

[...] does not have IP hiding enabled, or by using the notification options available on the server. The server will notify the attacker (by e-mail, ICQ, or IRC) that the victim has connected to the Internet.

2-13 SubSeven EditServer
This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante when it comes to detecting SubSeven [...]

[...] was the primary Trojan being pinged for in 2000
• Protective tools include: all major anti-virus tools, firewalls, personal firewalls

To review the material on Trojans, the most common infection vector is by email. An unwitting individual opens an attachment, and then they have the active Trojan. However, the attacker still has to find the system, unless they [...]
[...] programs: the SubSeven server, client, and server editor. The server is the part of the Trojan that must be run on the victim's machine for infection to occur. The client is the attacker's device enabling connection to, and control of, those computers running the server. The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version provides more attack options than either [...]

[...] signature of a TCP half-open scan. The destination site sees packets with SYN/ACKs, but there are no initiating SYNs to match them to. The lower section of the slide, shown below the result box, demonstrates how this scan works. When srn.com's packet arrives at 192.168.162.67 with the SYN/ACK set, 192.168.162.67 knows something is wrong. TCP is stateful, and so 192.168.162.67 knows it never sent a SYN or [...]
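The half-open scan trace above and the hping spoofed-scan slides both rest on the same observation: a SYN/ACK arriving at a host that never sent a SYN is a signature. As an added example (not part of the SANS course material), the Python below walks a constructed tcpdump 3.x-style trace with a small state table and flags unsolicited SYN/ACKs, the RST the spoofed host sends back, and the SYN/FIN and all-flags combinations that hping's -X option and the SYN/FIN tools listed earlier produce. The hosts, ports and sequence numbers in the sample are made up.

```python
"""Stateful check of a tcpdump-style trace for scan signatures.

Added example (not from the SANS course). Assumes tcpdump 3.x line format:
  HH:MM:SS src.port > dst.port: FLAGS seq:seq(len) [ack N] win W [(DF)]
"""
import re
from collections import Counter

# Constructed sample trace; hosts, ports and sequence numbers are made up.
SAMPLE_TRACE = """\
06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192
06:44:09 srn.com.113 > 192.168.162.67.2226: S 761:761(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
06:45:00 192.168.0.11.1025 > 192.168.0.79.25: S 1000:1000(0) win 8192 (DF)
06:45:00 192.168.0.79.25 > 192.168.0.11.1025: S 5000:5000(0) ack 1001 win 8192
06:45:00 192.168.0.11.1025 > 192.168.0.79.25: . ack 5001 win 8192
06:46:10 10.9.8.7.3333 > 192.168.0.79.25: SF 42:42(0) win 1024
06:46:11 10.9.8.7.3334 > 192.168.0.79.25: SFRPU 43:43(0) ack 0 win 1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRPUWE.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Split one tcpdump TCP line into fields; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # tcpdump prints ACK as an 'ack N' field rather than as a flag letter.
    rec["ack"] = re.search(r"\back \d+", rec["rest"]) is not None
    return rec


def analyze(trace):
    """Return a list of (timestamp, kind, detail) alerts for the trace."""
    pending = set()   # (initiator, responder) pairs that sent a genuine SYN
    flagged = set()   # (sender, receiver) of SYN/ACKs already reported
    alerts = []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, flags = rec["ts"], rec["src"], rec["dst"], rec["flags"]
        if "S" in flags and "F" in flags:
            # SYN and FIN never occur together in a legitimate handshake.
            kind = "all-flags probe" if len(flags) >= 4 else "SYN/FIN probe"
            alerts.append((ts, kind, f"{src} > {dst} flags {flags}"))
        elif flags == "S" and not rec["ack"]:
            pending.add((src, dst))
        elif flags == "S" and rec["ack"]:
            if (dst, src) in pending:
                pending.discard((dst, src))   # normal second step of the handshake
            else:
                # The receiver never sent a SYN: its address was used as a
                # spoofed source, or this is half-open scan backscatter.
                flagged.add((src, dst))
                alerts.append((ts, "unsolicited SYN/ACK",
                               f"{src} > {dst} with no SYN from {dst}"))
        elif flags == "R" and (dst, src) in flagged:
            # The spoofed host rejecting a connection it never asked for.
            alerts.append((ts, "RST to unsolicited SYN/ACK", f"{src} resets {dst}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    return Counter(kind for _, kind, _ in alerts)


if __name__ == "__main__":
    for ts, kind, detail in analyze(SAMPLE_TRACE):
        print(f"{ts}  {kind:28}  {detail}")
    print(dict(summarize(analyze(SAMPLE_TRACE))))
```

The legitimate handshake in the sample (192.168.0.11 to the SMTP port of 192.168.0.79) produces no alert, while the two srn.com SYN/ACKs, the RST that follows, and the two odd-flag probes do; on a real capture, sort the unsolicited SYN/ACKs by sender to find the scanner that is borrowing your addresses.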