EECS 354 Network Security Introduction
Why Learn To Hack
- Understanding how to break into computer systems allows you to better defend them
- Learn how to think like an attacker; defense then becomes second nature
- Security is an increasingly important field: there are many jobs for security specialists, and developers are expected to be aware of security concerns
Why Internet Security
- The past decade has seen an explosion in concern about information security
  - Malicious code (viruses, worms, etc.) caused over $28 billion in economic losses in 2003 and $67 billion in 2006!
  - The number of scans, probes, and attacks reported to the DHS has increased by more than 300 percent from 2006 to 2008
- Security specialist markets are expanding!
  - Salary premiums for security certifications are increasing (Computerworld 2007): up to 15% more salary
  - Demand is being driven not only by compliance and government regulation, but also by customers who are "demanding more security" from companies
- "US Struggles to recruit computer security experts" (Washington Post, Dec. 23 2009)
Overview Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability
Course Overview
- Atypical structure: this course is based on group learning and experience
- Originally developed in 2007 by grad students; material tweaked with each iteration
- This year, taught mostly by grad students (5/6) with oversight by a professor and guest lectures from a security professional
- The class will follow a theory and practice model: we will introduce the basic theory for fundamental hacking techniques, then carry out these techniques in controlled environments
Course Objectives
- Build a team for the annual UCSB International CTF Competition in December; participation in the competition is mandatory (and fun!)
- Practical knowledge of computer security: theory, attack, defense
Prerequisites and Materials
- Required: EECS 213 or ECE 205 and 231
- Highly recommended: Networking (EECS 340), Operating Systems (EECS 343), familiarity with the UNIX environment
- No textbooks; all readings will come from handouts
Course Contents
- Shellcode
- Buffer overflows
- Heap overflows
- Web attacks
- Security policy
- Layer 2 attacks
- Cryptography
- Firewalls and IDSs
- Password cracking and reverse engineering
- Wireless attacks
Communication
- Slides will be made available online prior to each class
- Web page: http://netsec.cs.northwestern.edu/
- Newsgroup: nuctf@googlegroups.com
- IRC: #netsec on acm.eecs.northwestern.edu
Grading
- No exams for this class
- Participation in CTF and practice competitions is mandatory
- Participation 20%, Homework 45%, Competition 20%, Group Project 15%
Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability
Linux Memory Layout (figure: the address space from 00 at the bottom to FF at the top, with Text, Data, Heap, DLLs, Heap and Stack stacked upward)
- Stack: runtime stack (8MB limit)
- Heap: dynamically allocated storage, used when you call malloc, calloc, new
- DLLs: dynamically linked libraries; library routines (e.g., printf, malloc) linked into object code when first executed
- Data: statically allocated data, e.g. arrays and strings declared in code
- Text: executable machine instructions, read-only
Linux Memory Allocation (figure: four snapshots of the address space, labelled Initially, Linked, Some Heap and More Heap, showing the Stack, Heap, DLLs, Data and Text regions; the DLLs appear once libraries are linked in, and the heap region grows as more storage is allocated)
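As an added illustration that is not part of the lecture slides, the C program below places one object in each region the layout describes, records its address, and checks the ordering the figure shows (text below data, data below heap, heap below stack) as well as the direction in which the stack grows. It assumes a Linux system with the usual glibc layout; with ASLR the absolute addresses change on every run, but the ordering does not. The names probe_layout, layout_is_ordered and stack_grows_downward are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example, not from the lecture slides. One object is placed in each
 * region of the layout and its address recorded, so the ordering
 * text < data < heap < stack can be checked at run time. Assumes Linux;
 * absolute values vary with ASLR, the order does not. */

static int global_counter = 1;   /* .data: statically allocated, initialised */

struct layout {
    uintptr_t text;   /* executable machine instructions (read-only) */
    uintptr_t data;   /* statically allocated data */
    uintptr_t heap;   /* storage returned by malloc */
    uintptr_t stack;  /* this call's stack frame */
};

struct layout probe_layout(void) {
    struct layout l;
    int local = 0;                         /* automatic variable: lives on the stack */
    void *dyn = malloc(64);                /* small request: served from the heap */
    l.text  = (uintptr_t)probe_layout;     /* address of this function's own code */
    l.data  = (uintptr_t)&global_counter;
    l.heap  = (uintptr_t)dyn;
    l.stack = (uintptr_t)&local;
    free(dyn);
    return l;
}

/* 1 if the regions sit in the order the figure shows, else 0. */
int layout_is_ordered(void) {
    struct layout l = probe_layout();
    return l.text < l.data && l.data < l.heap && l.heap < l.stack;
}

/* A callee's frame is pushed below its caller's: the stack grows toward
 * lower addresses, which is why it is drawn at the top of the figure. */
__attribute__((noinline)) static uintptr_t inner_frame(void) {
    volatile int inner = 0;
    return (uintptr_t)&inner;
}

int stack_grows_downward(void) {
    volatile int outer = 0;
    return inner_frame() < (uintptr_t)&outer;
}

int main(void) {
    struct layout l = probe_layout();
    printf("text  %#lx\n", (unsigned long)l.text);
    printf("data  %#lx\n", (unsigned long)l.data);
    printf("heap  %#lx\n", (unsigned long)l.heap);
    printf("stack %#lx\n", (unsigned long)l.stack);
    printf("ordered: %d, stack grows downward: %d\n",
           layout_is_ordered(), stack_grows_downward());
    return 0;
}
```

Run it twice under ASLR and compare the printed values: every address moves, yet both checks still report 1. The downward-growing stack is the property the buffer-overflow lectures rely on, since a local array that is written past its end reaches the saved frame data sitting above it.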
Exploits
- An exploit is any computer input that takes advantage of a vulnerability to cause unintended behavior, usually to gain control of a computer system (Wikipedia)
- We will craft custom exploits to remotely gain control of computer systems
Linux
- "Learning to hack on MS Windows is like trying to learn how to dance in a body cast" (anonymous)
- Linux offers low-level access to OS services as well as a powerful command line
- By the end of this class everyone will be very comfortable working and hacking in a Linux environment
Must know Linux
- Basic Linux commands (see Lab 1)
- Command-line text editor(s)
- Valuable: Linux filesystem layout (/etc, /usr, etc.)
- Downloading source code, compiling, and installing: ./configure, make, make install
- Ubuntu aptitude package management
- Come to office hours or ask on IRC for Linux help
TCP/IP
- This course assumes some knowledge of how networks work; it is not necessary to understand every detail
- TCP discussion
- Socket discussion
netcat: the TCP/IP Swiss-army knife
- Simplest usage:
    $ nc host port
- Shell shoveling using TCP (simple backdoor): you can use netcat to get a shell if there is no firewall protecting the target
    $ nc -l -p 5300 -e /bin/sh
  Then, just connect to the target:
    $ nc target_ip port
nmap: major features
- Host discovery: identifies computers on a network
- Port scanning: enumerates the open ports on one or more computers
- Version detection: determines the application name and version number of services on remote machines
- OS detection: remotely determines the operating system of network devices
- You must be root (use sudo) to use some features
- Consistently voted one of the most used security tools
Nessus
- Nessus is an open-source vulnerability scanner; its goal is to detect weaknesses on a target host
- In addition, Nessus probes the remote host for any useful information (type of OS, etc.)
netstat/ps
- Once you have access to a box, what do you do? Two useful tools are netstat and ps
- netstat: print network connections, interface statistics, etc.
- ps: report a snapshot of the currently running processes
netstat command-line options
- --inet: specifies the inet address family (only displays network sockets)
- -a/--all: show all connections (both listening and non-listening sockets)
- -p/--program: show the PID and the name of the program to which each socket belongs
- -n/--numeric: show numerical addresses instead of trying to determine symbolic hosts
- To show all network sockets:
    $ netstat --inet -apn
ps
- To see all processes you are running:
    $ ps
- To see all processes running on the machine:
    $ ps ax
    $ ps aux   (to see user information)
- To see all processes root is running:
    $ ps aux | grep root
Source Code Availability
- In general, we will always have source code available for analysis; this mirrors many real-world situations
- Even without source code, many applications have documented vulnerabilities that are easily exploited
- Things can get tricky when source code is not available: brute-forcing becomes extremely helpful, and reverse engineering is another option
Source Code
- Most buffer overflows use the same functions
  - No bounds check: gets, strcpy, scanf
  - Programmer-based bounds check: memcpy, strncpy
- Use grep to find where these functions are used
- Not all are vulnerable, but it's a quick starting point
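An added example, not code from the lecture, showing why each function on that list deserves a look when grep turns it up. Every function below fills a fixed 64-byte destination (a constructed size) from a caller-supplied string and returns a value that reports what the copy did to the buffer's bounds; long_input, strcpy_if_fits, strncpy_left_terminator, copy_bounded and scan_bounded_len are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture slides. Each function copies into a
 * fixed 64-byte buffer (a constructed size) and reports on the result. */

#define BUFSZ 64

/* Constructed over-long input: 100 'A's, longer than any BUFSZ buffer. */
const char *long_input(void) {
    static char buf[101];
    memset(buf, 'A', 100);
    buf[100] = '\0';
    return buf;
}

/* No bounds check: strcpy writes strlen(src)+1 bytes whatever the size of dst.
 * The only safe use is behind an explicit length check. Returns 1 if copied,
 * 0 if the copy was refused because it would have overflowed. */
int strcpy_if_fits(const char *src) {
    char dst[BUFSZ];
    if (strlen(src) >= sizeof dst)
        return 0;
    strcpy(dst, src);
    return 1;
}

/* Programmer-based bound: strncpy stops after n bytes, but when src is n bytes
 * or longer it writes no terminator, so a later strlen/printf runs off the end.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
int strncpy_left_terminator(const char *src) {
    char dst[BUFSZ];
    memset(dst, 'X', sizeof dst);            /* make a missing NUL visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Bounded and always terminated: copies at most BUFSZ-1 bytes with memcpy,
 * then writes the NUL itself. Returns the length of the stored string. */
size_t copy_bounded(const char *src) {
    char dst[BUFSZ];
    size_t n = strlen(src);
    if (n > sizeof dst - 1)
        n = sizeof dst - 1;                  /* truncate instead of overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return strlen(dst);
}

/* scanf("%s") has no bound at all; a field width one less than the buffer
 * size ("%63s" for 64 bytes) makes it stop. Returns the stored length. */
size_t scan_bounded_len(const char *input) {
    char dst[BUFSZ];
    if (sscanf(input, "%63s", dst) != 1)
        return 0;
    return strlen(dst);
}

int main(void) {
    printf("strcpy_if_fits(long):        %d\n", strcpy_if_fits(long_input()));
    printf("strncpy terminated (short):  %d\n", strncpy_left_terminator("hello"));
    printf("strncpy terminated (long):   %d\n", strncpy_left_terminator(long_input()));
    printf("copy_bounded(long) length:   %zu\n", copy_bounded(long_input()));
    printf("scan_bounded_len(long):      %zu\n", scan_bounded_len(long_input()));
    return 0;
}
```

The strncpy case is the one that grep alone will not settle: the call has a bound, yet the 100-byte input leaves no terminator in the buffer, so the "programmer-based" check still needs a reviewer to confirm that the size argument is correct and that a NUL is written afterwards.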
Source Code: Flawfinder (static source code analysis)
test.c:
    void func() {
        char buffer[64];
    }
Output:
    Examining test.c
    Desktop/test.c:2: [2] (buffer) char: Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
Scanning Localhost
- Try to get root through local hacks
- Find root programs:
    ps aux | grep root
- Find setuid root programs:
    find / -perm -4000 2> /dev/null
setuid
- Some programs that are run by normal users need to execute as root
- setuid programs are marked with an 's' in the permission bits
- Many setuid programs only execute as root for as little time as they need to; the setuid system call allows changing the user id back
- Example: ping
    -rwsr-xr-x 1 root root 30848 2007-03-04 22:25 ping
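As an added example that is not from the lecture slides, the C program below shows what the 's' in that listing is in terms of the file mode bits, how to test a path for it, and the drop-privileges pattern a setuid-root program such as ping follows: do the privileged step first, then give the privilege up for the rest of the run. The attempt to regain root after the drop is this example's own verification step, not something the slide describes; mode_is_setuid, file_is_setuid and drop_privileges_permanently are assumed names. It assumes a Linux/POSIX system and runs without root (an ordinary user can always setuid to their own uid).

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not from the lecture slides. Assumes Linux/POSIX. */

/* The 's' in the owner-execute position of "-rwsr-xr-x" is the S_ISUID
 * bit (octal 04000) in st_mode, which is what find -perm -4000 matches. */
int mode_is_setuid(mode_t mode) {
    return (mode & S_ISUID) != 0;
}

/* stat() a path and report whether it would run with its owner's uid.
 * Returns 1 if setuid, 0 if not, -1 if the path cannot be stat'ed. */
int file_is_setuid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return mode_is_setuid(st.st_mode);
}

/* Pattern for a setuid-root program: perform the privileged step (ping opens
 * its raw socket here), then drop the privilege for good. setuid(getuid())
 * replaces real, effective and saved uid with the caller's own, so root
 * cannot be regained afterwards. Returns 1 if the process is now running
 * only as the real user, 0 if the drop failed. */
int drop_privileges_permanently(void) {
    uid_t real = getuid();
    if (setuid(real) != 0)
        return 0;                    /* never continue as if unprivileged when unsure */
    /* Verification (this example's own): if we were not root to begin with,
     * becoming root again must now fail with EPERM. A caller whose real uid
     * is 0 stays root, which is why a setuid binary is owned by root but
     * run by an ordinary user. */
    if (real != 0 && setuid(0) == 0)
        return 0;
    return getuid() == real && geteuid() == real;
}

int main(void) {
    printf("04755 is setuid: %d, 0755 is setuid: %d\n",
           mode_is_setuid(04755), mode_is_setuid(0755));
    printf("/ is setuid: %d\n", file_is_setuid("/"));
    printf("dropped privileges: %d\n", drop_privileges_permanently());
    return 0;
}
```

The check after the drop matters in practice: a program that only calls seteuid() keeps its saved uid and can switch back to root later, so an overflow found after the supposed drop still yields root. Calling setuid() and then confirming that re-acquiring uid 0 fails is how to be sure the window has really closed.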