Intrusion Detection Systems FAQ

Updated: Feb 01, 2005

FAQ: Part One 

What are hackers and crackers? 

An intruder is commonly referred to as a hacker or a cracker. In the original sense a hacker is someone who explores and tinkers with systems because he finds them interesting; a cracker is someone who breaks into systems he is not authorised to use. In practice both words are used for intruders, and intruders can be classified as external or internal (outsiders or insiders).
External/Outsiders
Intruders from outside your network. They attack your web servers and email servers and may also attempt to bypass the firewall to reach machines on the internal network. Outside intruders may come in from the Internet, from dial-up lines, through physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
Internal/Insiders
Intruders who have legitimate access to your internal network. These include users who misuse the privileges they have, who try to obtain higher privileges, or who use another user's credentials. Internal intruders are often overlooked, although a commonly quoted estimate attributes around 80% of security breaches to insiders.

What are whitehats and blackhats? 

Hackers are often categorised as either whitehat or blackhat. Both have the know-how to penetrate a system, but their motives differ. A whitehat's aim is to find a system's weaknesses in order to secure it; a blackhat uses the same knowledge for personal gain or other unethical purposes.
Some computer security consultants are described as whitehats, while "script kiddies" are often described as blackhats. Script kiddies are less sophisticated attackers who run tools written by others to port scan, deface websites or launch denial-of-service attacks against systems they do not understand in depth.

How do intruders get passwords? 

Intruders obtain passwords in various ways. These are some of the most popular methods in use:
Sniffing: Data passing over Ethernet or wireless networks can often be intercepted. This is done with a protocol analyser (sniffer), which puts the network card into promiscuous mode so that it passes every frame it sees to the operating system, not only those addressed to it. Passwords are typically sniffed off cleartext protocols such as POP3, FTP and Telnet, where the password crosses the network with no encryption at all. Many newer protocols encrypt the session or use challenge-response authentication. That makes sniffing harder, but it does not make it pointless: a captured challenge-response digest or password hash can still be attacked offline with dictionary and brute-force guessing.
Sniffing is very effective for an attacker because it is a passive attack: nothing is transmitted, so it is stealthy and difficult to detect.
Replay attack: In some cases the intruder does not need to recover the password at all. He can resend the captured credential in its encrypted or hashed form, or a captured session token, and be logged in. Tools exist to automate this. The attack is common against web applications, which often authenticate a user only by a cookie or token that is sent with every request.
Password file stealing: System passwords are normally stored as hashes, either in files or, on Windows, in the registry. On Windows NT, 2000 and XP the hashes are kept in the SAM database; on UNIX systems they are in /etc/passwd or, on most current systems, in the root-only /etc/shadow. Once an attacker gets hold of the password file he can run a dictionary or brute-force attack against the hashes offline, at his leisure and without generating failed-login events on the target.
Observation: A well-known and traditional method is "shoulder surfing", which is simply watching someone type a password. Observation also includes going through a victim's personal belongings: passwords are often written on small pieces of paper, sometimes on sticky notes attached to the monitor itself.
Social Engineering: Many successful attackers exploit human weaknesses rather than software; Kevin Mitnick is the best-known example. A common and successful technique is to phone the user and say, "Hi, this is Bob from Some-Company. We have problems on the network and they appear to be coming from your machine. Can you give me your password?" Many users will supply this information without thinking twice.
Default Passwords: Sometimes there is nothing to guess, because the system still has the password the vendor set at the factory. Many network devices such as switches and routers ship with well-known default passwords, and lists of them are freely available, so an attacker can walk straight in.
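The two points above about sniffing, cleartext passwords and offline attacks on captured challenge-response data, as an added worked example (not code from the original FAQ). It parses a constructed POP3 session, pulls out a USER/PASS login, and then runs a dictionary attack against an APOP digest, which is MD5(challenge + password) per RFC 1939. The session bytes, the challenge string and the wordlist are all made up for the example; a real attacker would feed the output of a sniffer and a large dictionary.

```python
"""Sniffed POP3 logins: cleartext USER/PASS, and an offline dictionary
attack on an APOP challenge-response digest."""
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed sample traffic, not a real capture: the client/server lines a
# sniffer would reassemble from two POP3 logins.
CLEARTEXT_SESSION = b"".join([
    b"+OK POP3 server ready\r\n",
    b"USER alice\r\n",
    b"+OK\r\n",
    b"PASS hunter2\r\n",          # the password crosses the wire as-is
    b"+OK Logged in.\r\n",
    b"QUIT\r\n",
])

# APOP (RFC 1939): the server puts a timestamp challenge in its greeting and
# the client answers with MD5(challenge + password) instead of sending PASS.
APOP_CHALLENGE = b"<1896.697170952@mail.example.test>"
APOP_SESSION = b"".join([
    b"+OK POP3 server ready " + APOP_CHALLENGE + b"\r\n",
    b"APOP bob " + hashlib.md5(APOP_CHALLENGE + b"letmein").hexdigest().encode() + b"\r\n",
    b"+OK Logged in.\r\n",
])

# Constructed wordlist; a real attack uses a large dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2"]


def extract_cleartext_logins(stream: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs from USER/PASS commands seen in the stream."""
    logins, user = [], None
    for line in stream.split(b"\r\n"):
        cmd, _, arg = line.partition(b" ")
        if cmd.upper() == b"USER":
            user = arg.decode("ascii", "replace")
        elif cmd.upper() == b"PASS" and user is not None:
            logins.append((user, arg.decode("ascii", "replace")))
            user = None
    return logins


GREETING_RE = re.compile(rb"^\+OK .*?(<[^>]+>)")
APOP_RE = re.compile(rb"^APOP (\S+) ([0-9a-fA-F]{32})$")


def extract_apop(stream: bytes) -> Optional[Tuple[str, bytes, str]]:
    """Return (user, challenge, digest) for an APOP login, or None if there is none."""
    challenge = None
    for line in stream.split(b"\r\n"):
        m = GREETING_RE.match(line)
        if m and challenge is None:
            challenge = m.group(1)          # the server's timestamp challenge
            continue
        m = APOP_RE.match(line)
        if m and challenge is not None:
            return m.group(1).decode(), challenge, m.group(2).decode().lower()
    return None


def crack_apop(challenge: bytes, digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: the guess whose MD5(challenge + guess) equals
    the sniffed digest is the password. Nothing is ever sent to the server."""
    for guess in wordlist:
        if hashlib.md5(challenge + guess.encode()).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    print("cleartext logins:", extract_cleartext_logins(CLEARTEXT_SESSION))
    user, chal, dig = extract_apop(APOP_SESSION)
    print("APOP user", user, "password:", crack_apop(chal, dig, WORDLIST))
```

The APOP case is the one the text calls "getting the password from the encrypted data": the server never sees the password, but because the challenge is sent in clear and the hash is unsalted beyond that challenge, every guess costs one MD5 and the attack leaves no trace in the server's logs.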

What is a typical intrusion scenario? 

A typical scenario might be:
1. Information Gathering
An attacker normally starts by finding out as much as possible about the target. At this stage he wants to be as stealthy as possible and uses indirect methods that do not touch the target's hosts: whois lookups, DNS zone transfers, and ordinary browsing of the target's websites to harvest e-mail addresses, host names and similar information.
2. Further Information Gathering
To learn more, the attacker then performs ping sweeps and port scans and checks web servers for vulnerable CGI scripts. He also identifies the versions of the applications and services running on each host, normally by banner grabbing: connecting to a service (for example SMTP on port 25) and reading its response, which usually contains the product name and version or a pattern characteristic of that product. This stage is noisy, and a good IDS will catch some of it.
3. Attack!!
With a list of possible loopholes in hand, the intruder tries different attacks against the system. For example, if he found IIS running, he will try the Unicode directory traversal attack. Apart from launching exploits for known vulnerable software, a typical attacker also looks for misconfigured services, for instance by guessing passwords for user accounts he has discovered.
4. Successful intrusion
After a successful intrusion, attackers usually install their own backdoors and delete log entries to hide their tracks. They may install rootkits that keep them in, replace existing services with trojaned versions that accept a backdoor password, or create their own user accounts. System integrity checkers such as Tripwire exist to detect exactly this kind of change and alert the administrator. From here the attacker usually launches further attacks against other hosts, especially those that trust the compromised machine.
5. Fun and profit
Different classes of intruder have different goals. Some steal confidential information such as credit card numbers or passwords, others use the compromised host to attack other sites (for example as part of a DDoS network), and a few simply deface the website.
A growing trend is a different pattern of attack. Instead of targeting one organisation, intruders scan random Internet address ranges for one specific hole or a small set of holes. For example, an intruder may scan for hosts with port 80 open that run a misconfigured or unpatched IIS server, build a list of vulnerable hosts, and then attack each one in turn.

What are some common "intrusion signatures"?  

Intrusion signatures fall into three broad classes:
Information gathering:

  • Network mapping - ping sweeps
  • DNS zone transfers
  • E-mail reconnaissance (harvesting addresses, probing the mail server)
  • TCP or UDP port scans - enumeration of listening services
  • Indexing of public web servers to find web server and CGI holes
  • OS fingerprinting

Exploits: The attacker uses a vulnerability in a target server or a misconfiguration of the system or network to gain access or privileges.
Denial-of-service (DoS) attacks: An attempt to break the system or make it unavailable to legitimate users. Intruders try to crash a service or machine, or to overload a network or hardware resource: saturate the links, peg the CPU, or fill up the disk.
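The first two information-gathering signatures above, ping sweeps and port scans, as an added detection example (not code from the original FAQ). It reads firewall log lines in a constructed, iptables-like format (the regex is the only thing to adapt for a real firewall), keeps a sliding window of events per source, and raises an alert when one source touches more distinct ports, or sends ICMP echo requests to more distinct hosts, than a threshold within the window. The sample log lines, thresholds and addresses are all made up for the example.

```python
"""Port-scan and ping-sweep detection over firewall log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Log format assumed here (constructed, iptables-like; adapt to your firewall):
# timestamp, SRC=, DST=, PROTO=, then DPT= for TCP/UDP or TYPE= for ICMP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?"
)

# Constructed sample: 10.0.0.5 walks seven ports on one host in three seconds,
# 10.0.0.9 pings ten consecutive addresses, 10.0.0.7 is an ordinary client.
SAMPLE_LOG = [
    "2005-02-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=21",
    "2005-02-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=22",
    "2005-02-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=23",
    "2005-02-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=25",
    "2005-02-01T10:00:03 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80",
    "2005-02-01T10:00:03 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=110",
    "2005-02-01T10:00:04 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=143",
]
SAMPLE_LOG += [  # ten echo requests to 192.168.1.1 .. .10 within five seconds
    f"2005-02-01T10:00:{10 + i // 2:02d} SRC=10.0.0.9 DST=192.168.1.{i + 1} PROTO=ICMP TYPE=8"
    for i in range(10)
]
SAMPLE_LOG += [
    "2005-02-01T10:00:20 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80",
    "2005-02-01T10:00:25 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=443",
]


def parse_line(line: str):
    """Return (ts, src, dst, proto, dpt, icmp_type) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            m["proto"], m["dpt"], m["type"])


def detect(lines, window=timedelta(seconds=60),
           port_threshold=6, host_threshold=8) -> List[Tuple[str, str, int]]:
    """Return sorted (kind, source, count) alerts, one per offending source.

    portscan : a source hit >= port_threshold distinct (host, port) pairs in `window`
    pingsweep: a source sent ICMP echo requests to >= host_threshold hosts in `window`
    Lines are assumed to be in time order, as they are in a log file.
    """
    recent = defaultdict(deque)   # (kind, src) -> deque of (ts, key) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt, icmp_type = rec
        if proto in ("TCP", "UDP") and dpt:
            kind, key, threshold = "portscan", (dst, int(dpt)), port_threshold
        elif proto == "ICMP" and icmp_type == "8":
            kind, key, threshold = "pingsweep", dst, host_threshold
        else:
            continue
        q = recent[(kind, src)]
        q.append((ts, key))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct >= threshold:
            alerts[(kind, src)] = max(alerts.get((kind, src), 0), distinct)
    return sorted((kind, src, n) for (kind, src), n in alerts.items())


if __name__ == "__main__":
    for kind, src, n in detect(SAMPLE_LOG):
        print(f"{kind}: {src} ({n} distinct targets)")
```

Counting distinct targets rather than raw packets is what keeps a busy but legitimate client (10.0.0.7, two ports) below the threshold; a slow scanner that spreads its probes over more than the window still slips through, which is why real sensors also keep longer-term per-source state.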

What are some common exploits? 

CGI scripts
CGI scripts are server-side programs that generate dynamic web pages. A typical example is formmail.cgi, which lets visitors send e-mail to the website administrator without an e-mail client; older versions could be abused to send mail to arbitrary addresses. Other attacks that go through CGI scripts include cross-site scripting, SQL command injection and path traversal, all of which stem from the script trusting user-supplied input.
Web server attacks
Often the web server itself has security holes. Both Apache on UNIX and IIS on Windows NT have had their share of root or SYSTEM-level vulnerabilities. An unpatched IIS 4 or 5 is vulnerable to the Unicode directory traversal attack, in which the attacker uses overlong UTF-8 encodings of "/" and "\" (such as %c0%af) in the URL to step out of the web root and execute files such as cmd.exe, gaining a remote shell. Another common bug class is a buffer overflow in the request line or in one of the other HTTP header fields.
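Why the Unicode traversal got past both IIS and simple signatures, as an added example that is not part of the original FAQ. The vulnerable decoder accepted "overlong" two-byte UTF-8 sequences, so %c0%af became "/" after the ".." check had already run; a conforming decoder (Python's included) rejects them. The code below re-implements that lenient decoding so a log scanner sees what the server saw, and compares it with a naive signature over constructed request lines. The lenient decoder is a deliberately simplified model of the bug, not IIS's actual code.

```python
"""Detecting the IIS Unicode traversal in web logs: a strict UTF-8 decoder
rejects %c0%af, while the vulnerable server decoded it as '/'."""
import re
from typing import Callable, List
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Decode like the flawed server: accept 2-byte sequences even when they are
    'overlong' (encode a code point below 0x80). RFC-conforming decoders, and
    Python's, reject these. Anything else unrecognised becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # %c0%af -> '/'
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_utf8_ok(data: bytes) -> bool:
    """True if a standards-conforming decoder accepts the bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# '..' as a whole path component, with either separator
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def naive_is_traversal(path: str) -> bool:
    """What a simple signature does: undo %XX, decode strictly, look for '../'."""
    decoded = unquote_to_bytes(path).decode("utf-8", errors="replace")
    return bool(TRAVERSAL_RE.search(decoded))


def lenient_is_traversal(path: str) -> bool:
    """Decode the way the vulnerable server did, then look for '../'."""
    return bool(TRAVERSAL_RE.search(lenient_utf8(unquote_to_bytes(path))))


def flag_requests(request_lines: List[str], check: Callable[[str], bool]) -> List[int]:
    """Indices of request lines ("METHOD path HTTP/x.y") whose path `check` flags."""
    return [i for i, line in enumerate(request_lines) if check(line.split()[1])]


# Constructed request lines of the kind found in IIS logs of the period.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]

if __name__ == "__main__":
    print("naive signature flags  :", flag_requests(SAMPLE_REQUESTS, naive_is_traversal))
    print("lenient decoding flags :", flag_requests(SAMPLE_REQUESTS, lenient_is_traversal))
```

The general lesson is the one the IDS evasion literature keeps repeating: a sensor must normalise input the same way the protected server does, otherwise the attacker picks the encoding the sensor misreads.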
Web browser attacks
Most modern web browsers have a string of security holes. Classic software vulnerabilities such as format string bugs and buffer overflows are found in HTTP clients (Internet Explorer, Netscape) just as in servers. Active content such as JavaScript, Java, ActiveX and HTML itself can also pose a security risk.

  • HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain content. A well-known exploit for IE consisted of wrapping HTTP/MIME headers in an EML file so that an executable embedded in the file was launched automatically.
  • HTML itself can often be exploited through buffer overflows. Internet Explorer 6, earlier versions of IE and Netscape have all been found vulnerable to this kind of attack, using various HTML tags with over-long strings as attribute values.
  • JavaScript is well known as a prime source of security holes in web browsers, as are VBScript and every other kind of active scripting. Scripts run inside a sandbox, but from time to time attackers find new ways to escape it and execute code, read local files and so on.
  • Frames and iframes are often used together with active scripting (JavaScript, ActiveX, VBScript) exploits. They are also used in social engineering attacks to make a page impersonate a legitimate site.
  • Java was built with a strong security model based on a sandbox. Third parties have implemented their own versions, which can introduce bugs and flaws. A normal Java applet has no access to the local system, but applets would sometimes be more useful if they did, hence the "trust" models that grant signed applets local access, and these have proved easier to subvert.
  • ActiveX is more dangerous still because it relies purely on trust and runs native code. The trust decision is binary: either the ActiveX control runs on the client machine with the user's full privileges, or it does not run at all; unlike Java there is no way to restrict it to certain functions. As a precaution ActiveX controls are generally digitally signed, but the signature only tells the user who produced the control, not that the control is safe to install.

Access Auditing
Operating systems usually support logging of failed login attempts, failed file accesses and attempts to perform administrative tasks, especially by non-administrative accounts. These audit logs are what a host-based IDS reads to spot password guessing and privilege abuse.
POP3 and IMAP
POP3 and IMAP servers contain exploitable bugs just like any other software. Apart from that, an attacker can launch a password-guessing attack against a specific mailbox, since the mail server tells him whether each guess was right.
IP spoofing
A good number of attacks rely on forging the source IP address. TCP/IP has no built-in way to check that the source address in a packet header really belongs to the machine that sent it. Some of the attacks that take advantage of IP spoofing are:

  • SMURF attack
    A ping is sent to a network's broadcast address with its source address set to the victim's IP. Every host on that network replies to the victim. Repeated at a high rate, this overloads the victim's machine or link, causing a denial of service.
  • TCP sequence number prediction
    Each side of a TCP connection chooses an initial sequence number. If a host's initial sequence numbers are predictable, an intruder can send packets with a forged source address and guess the sequence number the target will use, completing a handshake or hijacking a connection without ever seeing the target's replies.
  • DNS poisoning through sequence prediction
    DNS servers query other DNS servers to resolve names they are not authoritative for. An attacker sends the victim server a query for a name and, at the same time, forged responses that guess the transaction ID the victim will use for its outgoing query. If a forged response is accepted, the false record is cached, and clients that ask the victim server for http://www.hotmail.com/ are sent to the attacker's servers.
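The TCP sequence number prediction item above, as an added example that is not part of the original FAQ. An attacker first opens a few ordinary connections to the target to sample its initial sequence numbers; the code checks whether those samples advance by a fixed amount (the classic weakness in old stacks), predicts the next one, and builds the two packets of a blind spoofed handshake, whose final ACK must carry the predicted server ISN + 1 because the SYN/ACK goes to the spoofed host and the attacker never sees it. The ISN samples, addresses and the dictionary representation of packets are made up for illustration.

```python
"""Checking whether a host's TCP initial sequence numbers are predictable,
and what a blind spoofing attacker does with the prediction."""
from typing import Dict, List, Optional

MOD = 2 ** 32


def isn_increment(samples: List[int]) -> Optional[int]:
    """If every consecutive pair of observed ISNs differs by the same amount
    (mod 2^32), return it; otherwise None. Fixed increments per connection were
    common in old stacks and are the easiest case for an attacker."""
    if len(samples) < 3:
        return None
    deltas = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next_isn(samples: List[int]) -> Optional[int]:
    """The ISN the target will use for the next connection, if predictable."""
    inc = isn_increment(samples)
    return None if inc is None else (samples[-1] + inc) % MOD


def blind_handshake(samples: List[int], spoofed_src: str, target: str,
                    attacker_isn: int = 1000) -> Optional[List[Dict]]:
    """The two packets a blind spoofer sends to open a connection as `spoofed_src`.
    The SYN/ACK goes to the spoofed host, so the final ACK must carry the
    *predicted* server ISN + 1. Returns None when the ISNs are not predictable,
    i.e. when each guess has only a 1 in 2^32 chance of being right."""
    server_isn = predict_next_isn(samples)
    if server_isn is None:
        return None
    return [
        {"src": spoofed_src, "dst": target, "flags": "SYN",
         "seq": attacker_isn, "ack": 0},
        {"src": spoofed_src, "dst": target, "flags": "ACK",
         "seq": attacker_isn + 1, "ack": (server_isn + 1) % MOD},
    ]


# Constructed samples: four ISNs from a stack that adds 64000 per connection,
# and four from a stack with random ISNs (values made up).
PREDICTABLE_ISNS = [439091200 + 64000 * i for i in range(4)]
RANDOM_ISNS = [0x9F3E1C2A, 0x0413B7F9, 0x7AB0025E, 0xE2C4D1A3]

if __name__ == "__main__":
    print("next ISN:", predict_next_isn(PREDICTABLE_ISNS))
    print(blind_handshake(PREDICTABLE_ISNS, "10.0.0.1", "10.0.0.2"))
    print("random stack:", blind_handshake(RANDOM_ISNS, "10.0.0.1", "10.0.0.2"))
```

The same test is what an OS fingerprinting tool runs when it reports an ISN class; a modern stack that hashes the connection four-tuple with a secret into its ISN returns None here, which is the whole point of the fix.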

Buffer Overflows
Some common buffer overflow attacks are:

  • Buffer overruns in major web servers
    Both Apache and IIS have had well-known overflows. Worms such as Code Red (for IIS) and Linux.Slapper (for Apache, via the OpenSSL library used by mod_ssl) used such vulnerabilities to spread.
  • DNS overflow
    Some older DNS servers (BIND) are vulnerable to overflows. A typical attack supplies an overly long DNS name to the server. DNS names are limited to 63 bytes per label and 255 bytes overall, so a longer name is a strong sign of an attack.
  • DNS attacks
    DNS servers are trusted by services and users alike, meaning that compromising a DNS server can lead to further attacks on end users and other services. This makes DNS servers a prime target.
  • DNS cache poisoning
    This is a very typical attack on DNS servers. In simple terms it works by sending a query to resolve a given name ("Who is http://www.test.com/?") and supplying the answer to that query with false information ("www.test.com is 127.0.0.1") before the real answer arrives.
What honeypot products are available? 

Fred Cohen's Deception Toolkit
http://www.all.net/dtk/
Specter
http://www.specter.ch/

What are the disadvantages of a honeypot? 
  • If the honeypot does get compromised, it can be used as a stepping stone to compromise the rest of the network.
  • Some people believe that because honeypots lure hackers in, the legal right to prosecute them is reduced. This is a misconception: honeypots are not active lures and do not advertise themselves. A hacker only finds a honeypot by scanning the network.
  • Honeypots add complexity, and in security complexity is bad: it leads to increased exposure.
  • Honeypots must be maintained like any other networked equipment or service, which leads many people to switch them off after a while. You might think that the 486 running RedHat Linux 4.2 you set up two years ago does not need maintenance, but it does. How do you know the logging is still working? What do you do when a new network management platform or vulnerability assessment system is rolled out and the alarms start going off? What do you do when the alarms stop because a hacker has compromised the honeypot and is using it to launch attacks against you (or worse, out to the Internet)?
What are the advantages of a honeypot? 
  • An early alarm that trips only on hostile activity. Network intrusion detection systems have trouble separating hostile traffic from benign traffic. An isolated honeypot has a much easier time, because it is a system that nobody should normally access, so all traffic to it is suspect by definition. Network management discovery tools and vulnerability scanners still cause false positives, but apart from those the detection rate is far better.
  • A hostile-intent assessment system. Honeypots often present themselves as easily hacked systems. One of the most common things attackers do is scan the Internet doing "banner checks". The honeypot can be set up to present a banner that looks like a vulnerable system and to trigger if somebody actually attempts the exploit. For example, a POP3 service reports its software version in its greeting, and several versions of well-known packages have buffer-overflow holes. An attacker connects to port 110, grabs the version from the banner, and looks it up in a table that tells him which exploit script to use; the honeypot answers with a tempting banner and logs the attempt.
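The POP3 banner honeypot described in the last item, as an added example that is not part of the original FAQ or of any product listed above. It is a low-interaction honeypot: it sends a banner, plays along with USER so the attacker also sends PASS, and raises an alert on every login attempt, on any over-long argument (the signature of an overflow attempt against the banner's advertised version) and on any other command, because no legitimate user has a mailbox here. The banner string, the 256-byte limit and the port are assumptions for the example; substitute the greeting of whatever server version you want to appear to run.

```python
"""A minimal low-interaction POP3 honeypot: advertise a banner, accept the
protocol far enough to capture a login attempt, alert on everything."""
import socketserver
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed banner; replace with the greeting of the old server version you
# want to imitate so that scanners' banner tables pick it as a target.
BANNER = b"+OK ExamplePOP 1.0 server ready <42.1107252000@mail.example.test>\r\n"
MAX_ARG = 256   # a longer argument is almost certainly an overflow attempt


class Pop3Honeypot:
    """Protocol state for one connection. Anything beyond USER/QUIT/CAPA/NOOP
    is reported, because nobody has a legitimate mailbox on this host."""

    def __init__(self, peer: str):
        self.peer = peer
        self.user: Optional[str] = None
        self.alerts: List[Tuple[str, str, str]] = []   # (utc time, peer, message)

    def alert(self, message: str) -> None:
        self.alerts.append((datetime.now(timezone.utc).isoformat(), self.peer, message))

    def handle(self, line: bytes) -> Tuple[bytes, bool]:
        """Return (reply, close_connection) for one client line."""
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        cmd = cmd.upper()
        if len(arg) > MAX_ARG:
            self.alert("overlong argument (%d bytes) to %s"
                       % (len(arg), cmd.decode("ascii", "replace")))
            return b"-ERR\r\n", True
        if cmd == b"USER":
            self.user = arg.decode("ascii", "replace")
            return b"+OK\r\n", False          # play along so the attacker sends PASS
        if cmd == b"PASS":
            self.alert("login attempt user=%r password=%r"
                       % (self.user, arg.decode("ascii", "replace")))
            return b"-ERR invalid password\r\n", False
        if cmd == b"QUIT":
            return b"+OK bye\r\n", True
        if cmd in (b"CAPA", b"NOOP"):
            return b"+OK\r\n", False
        self.alert("unexpected command %r" % line.rstrip(b"\r\n"))
        return b"-ERR unknown command\r\n", False


class Handler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        hp = Pop3Honeypot(self.client_address[0])
        self.wfile.write(BANNER)
        while True:
            line = self.rfile.readline(4096)
            if not line:
                break
            reply, close = hp.handle(line)
            self.wfile.write(reply)
            if close:
                break
        for when, peer, msg in hp.alerts:
            print("ALERT", when, peer, msg)   # feed this to syslog / the IDS console


def serve(port: int = 1110) -> None:
    """Listen on an unprivileged port; redirect TCP/110 to it at the firewall."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Keeping the protocol logic in a class with no socket in it is what makes the honeypot testable offline and easy to extend with more commands; the network handler only moves bytes. The alerts list is what turns the honeypot into the "early alarm" of the previous item: every entry is hostile by construction.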
