Sunday

MAC spoofing

MAC address filtering for wireless networking isn’t real “security”. Anyone who pays any attention to current trends in wireless security at all should know that MAC filtering is less effective than WEP — and that WEP can be cracked almost instantly these days with commonly available tools.

This doesn’t mean MAC filtering is useless. Its resource consumption is almost unmeasurable, and even if it doesn’t keep out any reasonably knowledgeable security crackers willing to spend a few moments gaining access, it does keep out a lot of automated opportunistic attacks that are aiming solely for the absolute lowest-hanging fruit on the security tree. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering can be of value as a way of turning away the majority of opportunistic attackers.

Don’t rely on MAC filtering alone, however. Please, just don’t. It’s a bad idea. People seem to think “Oh, well, sure a determined attacker can get past it, but not anyone else.” It doesn’t take much determination at all to spoof a MAC address. In fact, I’ll tell you how:

1. “Listen” in on network traffic. Pick out the MAC address. This can be done with a plethora of freely available security tools, including Nmap.
2. Change your MAC address.

You can spoof a MAC address when using Nmap with nothing more than the --spoof-mac command line option, which hides the true source of Nmap’s own probes. If you give it a MAC address argument of “0”, it will even generate a random MAC address for you.

For more general MAC address spoofing, your MAC address is trivially reset with tools available in default installs of most operating systems. Here are some examples:

* Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11
* FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11
* MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but find that and you can just edit it yourself. There are, of course, numerous free utilities you can download to make this change for you as well (such as Macshift for MS Windows XP).
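
A check worth making before trusting either the commands above or a MAC filter list (an added example, not part of the TechRepublic post; the lease table in it is constructed): the address 03:a0:04:d3:00:11 used above has the low bit of its first octet set, which in IEEE 802 marks a group (multicast) address. A host's own source address must be unicast, and Linux, for one, rejects a multicast address as an interface address; the second-lowest bit, the locally administered bit, is the one a non-vendor address is supposed to set (02:… rather than 03:…). On the defending side that same bit is a cheap signal: an address no vendor assigned, or one address appearing under two hostnames, is worth a look in the DHCP lease table.

```python
import re

# Constructed DHCP lease table (hypothetical data, not from the original post):
# one "MAC hostname" pair per line.
SAMPLE_LEASES = """\
00:1b:21:3c:4d:5e workstation-7
02:42:ac:11:00:02 docker-host
03:a0:04:d3:00:11 unknown-client
00:1b:21:3c:4d:5e laptop-3
"""

MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$", re.IGNORECASE)


def parse_mac(mac):
    """Return the six octets of a MAC address as ints; raise ValueError on bad input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(part, 16) for part in re.split(r"[:-]", mac)]


def is_multicast(mac):
    """The I/G bit (least significant bit of the first octet) marks a group/multicast
    address. A host's own source address must be unicast, so this bit should be 0."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac):
    """The U/L bit (second least significant bit of the first octet) is 0 for
    vendor-assigned (OUI) addresses and 1 for locally administered ones, which
    is what virtual NICs and manually set addresses normally carry."""
    return bool(parse_mac(mac)[0] & 0x02)


def audit_leases(text):
    """Return (mac, hostname, reasons) for leases worth a second look: locally
    administered addresses, multicast addresses used as a host address, and the
    same MAC claimed by more than one hostname."""
    seen = {}
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, hostname = line.split(None, 1)
        mac = mac.lower()
        seen.setdefault(mac, set()).add(hostname)
        rows.append((mac, hostname))
    findings = []
    for mac, hostname in rows:
        reasons = []
        if is_multicast(mac):
            reasons.append("multicast bit set")
        if is_locally_administered(mac):
            reasons.append("locally administered")
        if len(seen[mac]) > 1:
            reasons.append("shared by " + ", ".join(sorted(seen[mac])))
        if reasons:
            findings.append((mac, hostname, reasons))
    return findings


if __name__ == "__main__":
    for mac, host, reasons in audit_leases(SAMPLE_LEASES):
        print(f"{mac} {host}: {'; '.join(reasons)}")
```

Run against a real lease export, the two bit checks produce no false positives on vendor hardware, while the duplicate check needs a time window on a busy network where leases legitimately move between hostnames.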

All of these techniques can of course be automated by self-propagating malware, and the creation of the malware can even be automated to some extent by existing malware creation “kits”.

This post has been copied from: http://blogs.techrepublic.com.com/security/?p=395

IP Spoofing

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.

History

The concept of IP spoofing was initially discussed in academic circles in the 1980s. While known about for some time, it was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in depth in Security Problems in the TCP/IP Protocol Suite, a paper that addressed design problems with the TCP/IP protocol suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

Technical Discussion

To completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.

Internet Protocol – IP

Internet Protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model: no information about transaction state is kept, and its only job is to route packets across a network. Additionally, there is no mechanism in place to ensure that a packet is properly delivered to the destination.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independently of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.

Transmission Control Protocol – TCP

IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequence and acknowledgement numbers. This “conversation” ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the position of the first byte of the current packet within the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different from IP, since transaction state is closely monitored.
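
To make the byte counts in the two sections above concrete, here is a small parser for both headers (an added example, not from the Symantec article). The packet it parses is constructed in the code from RFC 5737 documentation addresses, and the parser also verifies the IPv4 header checksum, which every forwarding device recomputes and checks.

```python
import socket
import struct


def ip_checksum(header):
    """RFC 791 one's-complement sum over the header with its checksum field zeroed."""
    header = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_packet():
    """Constructed packet (hypothetical values, not captured from any host):
    a 20-byte IPv4 header followed by a 20-byte TCP header carrying a SYN."""
    src = socket.inet_aton("192.0.2.10")       # RFC 5737 documentation range
    dst = socket.inet_aton("198.51.100.20")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,      # version 4, IHL 5 (20 bytes)
                         0,         # DSCP/ECN
                         40,        # total length: 20 IP + 20 TCP
                         0x1234,    # identification
                         0x4000,    # flags (DF) + fragment offset
                         64,        # TTL
                         6,         # protocol: TCP
                         0,         # header checksum, filled in below
                         src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000,        # source port
                          80,           # destination port
                          0x1A2B3C4D,   # sequence number
                          0,            # acknowledgement number (none yet: SYN)
                          5 << 4,       # data offset 5 (20 bytes) + reserved bits
                          0x02,         # flags: SYN
                          65535,        # window
                          0,            # checksum (needs a pseudo-header; left 0 here)
                          0)            # urgent pointer
    return ip_hdr + tcp_hdr


def parse_ipv4(packet):
    """Fields the article discusses: 12 bytes of preamble, then src/dst at bytes 12..19."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _dscp, total_len, _ident, _flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ip_checksum(packet[:ihl]) == csum,
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "payload": packet[ihl:],
    }


def parse_tcp(segment):
    """Ports, sequence and acknowledgement numbers live in the first 12 bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack = struct.unpack("!HHII", segment[:12])
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    ip = parse_ipv4(build_sample_packet())
    tcp = parse_tcp(ip["payload"])
    print(f"{ip['src']} -> {ip['dst']} proto={ip['protocol']} checksum_ok={ip['checksum_ok']}")
    print(f"ports {tcp['sport']} -> {tcp['dport']} seq={tcp['seq']:#x} ack={tcp['ack']} syn={tcp['syn']}")
```

The source address sits at bytes 12-15 and the destination at 16-19, exactly where the article places them, and the TCP ports, sequence and acknowledgement numbers are the first 12 bytes of the segment. Overwriting the source address bytes without touching the rest leaves a header whose checksum no longer verifies, which is the first thing a router checks before it looks at anything else.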

Consequences of the TCP/IP Design

Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonation. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.

Spoofing Attacks

There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.

Non-Blind Spoofing

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

Blind Spoofing

This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (e.g. rlogin). A properly crafted attack could add the requisite data to a system (e.g. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.

Man In the Middle Attack

Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

Denial of Service Attack

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.

Misconceptions of IP Spoofing

While some of the attacks described above are a bit outdated, such as session hijacking for host-based authentication services, IP spoofing is still prevalent in network scanning and probes, as well as denial of service floods. However, the technique does not allow for anonymous Internet access, which is a common misconception for those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

Defending Against Spoofing

There are a few precautions that can be taken to limit IP spoofing risks on your network, such as:

Filtering at the Router - Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.
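
The two rules in the paragraph above, written out as a small packet-source classifier so the logic can be checked against sample traffic. This is an added example, not from the Symantec article; the 203.0.113.0/24 site range, the interface names "outside" and "inside" and the sample traffic are all assumptions (addresses from the RFC 5737 documentation blocks).

```python
import ipaddress

# Assumed site range (not from the article): the public block this site owns.
INTERNAL_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Source addresses that should never arrive from the Internet: RFC 1918 private
# space, loopback, link-local, and the "this network"/unspecified block.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def ingress_decision(src):
    """Packet arriving on the outside interface: deny bogon sources and any
    packet claiming to come from our own internal range."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return ("deny", "bogon source")
    if addr in INTERNAL_RANGE:
        return ("deny", "internal address arriving from outside")
    return ("permit", "")


def egress_decision(src):
    """Packet arriving on the inside interface, headed for the Internet: permit
    only sources inside our own range so nothing spoofed leaves the site."""
    addr = ipaddress.ip_address(src)
    if addr not in INTERNAL_RANGE:
        return ("deny", "source outside our range")
    return ("permit", "")


def evaluate(interface, src):
    if interface == "outside":
        return ingress_decision(src)
    if interface == "inside":
        return egress_decision(src)
    raise ValueError(f"unknown interface {interface!r}")


# Constructed sample of (interface, source address) pairs as a border router sees them.
SAMPLE_TRAFFIC = [
    ("outside", "198.51.100.7"),   # ordinary Internet host: permit
    ("outside", "10.1.2.3"),       # private source from the Internet: deny
    ("outside", "203.0.113.50"),   # our own range arriving from outside: deny
    ("inside",  "203.0.113.50"),   # our host going out: permit
    ("inside",  "198.51.100.7"),   # spoofed source leaving our LAN: deny
]


def run_sample():
    return [(iface, src, *evaluate(iface, src)) for iface, src in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for iface, src, verdict, why in run_sample():
        print(f"{iface:7} {src:15} {verdict:6} {why}")
```

On a real router the same two lists become one ACL applied inbound on each interface; the egress half is the filtering RFC 2827 (BCP 38) asks every network to deploy, and it is the half that stops your own hosts from being used in the spoofed floods described earlier.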

Encryption and Authentication - Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in IPv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are common on some networks for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.

Conclusion

IP Spoofing is a problem without an easy solution, since it’s inherent to the design of the TCP/IP suite. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

This post has been copied from: http://www.symantec.com/connect/articles/ip-spoofing-introduction

Hacking XP accounts

Step One: First, open Command Prompt (either Start->Run->type cmd.exe->OK, or double-click C:\Windows\System32\cmd.exe).

Step Two: Create an account (if you do not wish to create a new account, ignore this step). Type the following into the black box that appears (the command prompt):

net user <username> <password> /add

Example: net user max 123456 /add

This will create a password-protected account. The username will be max and the password will be 123456.

Step Three: Find all of the user groups that are available on the network

net localgroup

This will bring up a list like this (it can differ from system to system):

*Administrators
*Debugger Users
*Guests
*HelpServicesGroup
*Users
The command completed successfully.

Step Four: Input the following into Command Prompt

net localgroup <groupname> <username> /add

Example:

net localgroup administrators max /add

This would make the user “max” a member of the group “administrators”, with all privileges related to that group.

This will work on local machines, and if you are lucky enough and the admin is not very good at what he is doing, you can create your own admin account in a networked environment as well :) :) But if the command prompt is restricted or manual access rights are in place, then there is no way to make this work. You will probably get into trouble if you get caught doing this. I have only provided this as an example of what you can do with the command prompt and thus why it should always be disabled on limited accounts; I am not responsible for anything you do with this. Also note that this only works at home or in an unmanaged network.
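
From the defender's side of the procedure above: the account creation and the group change each leave a Windows Security event (4720, "A user account was created", and 4732, "A member was added to a security-enabled local group"), and the two arriving seconds apart from the same subject is the pattern to alert on. The following is an added example, not from the original post; the pipe-separated export format, the LAB domain and the events themselves are constructed.

```python
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events (not a real log):
# timestamp | event id | subject (who did it) | target account | group (4732 only)
SAMPLE_EVENTS = """\
2010-03-20T10:01:05|4720|LAB\\jsmith|max|
2010-03-20T10:01:09|4732|LAB\\jsmith|max|Administrators
2010-03-20T11:15:40|4720|LAB\\helpdesk|intern01|
2010-03-20T11:16:02|4732|LAB\\helpdesk|intern01|Users
2010-03-21T08:30:00|4732|LAB\\itadmin|svc_backup|Administrators
"""

ACCOUNT_CREATED = "4720"            # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = "4732"   # "A member was added to a security-enabled local group"


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": event_id,
                       "subject": subject, "target": target, "group": group})
    return events


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Flag (a) any addition to the local Administrators group, at medium
    severity, and (b) the stronger pattern from the post above, at high severity:
    an account created and then made a local administrator by the same subject
    within `window`."""
    created = {}   # target account -> (time, subject) of its most recent 4720
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = (ev["time"], ev["subject"])
        elif ev["id"] == LOCAL_GROUP_MEMBER_ADDED and ev["group"].lower() == "administrators":
            severity = "medium"
            detail = f"{ev['subject']} added {ev['target']} to Administrators"
            if ev["target"] in created:
                c_time, c_subject = created[ev["target"]]
                if ev["time"] - c_time <= window and c_subject == ev["subject"]:
                    severity = "high"
                    gap = int((ev["time"] - c_time).total_seconds())
                    detail += f" {gap}s after creating it"
            findings.append((severity, ev["time"].isoformat(), detail))
    return findings


if __name__ == "__main__":
    for severity, when, detail in find_new_local_admins(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {when} {detail}")
```

These events only exist if the "User Account Management" and "Security Group Management" audit subcategories are enabled on the machine; on a real export the fields come from the event XML rather than a pipe-separated line, but the correlation is the same.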

Phishing

Phishing can be seen as trying to fraudulently obtain sensitive, private information from users through fake login pages or other fake forms. This information can be anything ranging from your mail account password to your credit card PIN.
Phishing is an important hacking tool in e-mail hacking.

Phishing requires just a few steps to execute, and if you are good at writing HTML then it is perhaps the easiest approach to mail hacking. If you are not, do not lose heart: there are a variety of phish creators available on the net that can take care of the script part for you.

The first step is to create a phishing page for the site you want. This can be done by simply copying the source code of the login page and editing the "action" in the script. Other details include creating a database file for the filled-in forms to be sent to you.

The next step is to register for a free web hosting service, from which the phishing page will be served.

Take care with the domain name of your site. This can arouse suspicion, so it's better to use URL shortening services available on the net.

Next upload your page and related material on the web.

Now comes the most important and tricky task: Convince or trick your target into using that page. This would require your social engineering skills.

This technique would come into use during the 2nd round of the event.

Friday

Google Hacking

From Wikipedia, the free encyclopedia


Google hacking is a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.

Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications. It is normal for default installations of applications to include their running version in every page they serve, e.g., "Powered by XOOPS 2.2.3 Final", so a search for that exact string locates every web page that contains it.

The following search query will locate all websites that have the words "admbook" and "version" in the title of the website. It also checks to ensure that the web page being accessed is a PHP file.

intitle:admbook intitle:version filetype:php

Another technique is searching for insecure coding practices in the public code indexed by Google Code Search or other source code search engines.

One can even retrieve the username and password list from Microsoft FrontPage servers by entering the following query in the Google search field:

"#-Frontpage-" inurl:administrators.pwd

Devices connected to the Internet can be found. A search string such as inurl:"ViewerFrame?Mode=" will find public web cameras.


This technique would come into use in round 2 of Limitz.

Limitz (Hacking)

From now on I would also be providing information pertaining to the event Limitz to be held in Trisha'10 at A.I.E.T. Lucknow. This would include tips and links to useful sites, e-books. The rules for the event are:



The event is based purely on going beyond one's normal reach into forbidden territories in search of treasures unknown.

Hacking is not just getting into a system, it is about getting out of it without being caught. The competition aims to check your skills in both areas with the master of the two emerging as winner.

Rules:

1.) The event would be divided into 2 sets of rounds.

2.) The first round would be an objective quiz comprising 12 questions, with negative marking.

3.) The second round would require contestants to prove their mettle against live targets.

4.) The contestants are allowed to CHEAT :) .

5.) The contestants can use any software they deem fit.

6.) You are allowed to remotely access your rival’s system and hamper his/her progress.

7.) You are allowed to use laptops for assistance but the final solution should be working on the system provided.

8.) In case of failure of net connections, an alternate set of problems would be provided to be worked out offline.

Note: Registration closes on 31st March 2010.