programs can also modify application functionality, such as applying a blind carbon copy to all e-mail messages so that the attacker can read all of the organization’s e-mail.

One of the oldest forms of application layer attacks is a Trojan horse program that displays a screen, banner, or prompt that the user believes is the valid login sequence. The program then captures the information that the user enters and stores or e-mails the information to the attacker. Next, the program either forwards the information to the normal login process (normally impossible on modern systems) or simply sends an expected error to the user (for example, Bad Username or Bad Password or a combination), exits, and starts the normal login sequence. The user believes that he or she has incorrectly entered the password, reenters the information and is allowed access.

One of the newest forms of application layer attacks exploits the openness of several new technologies: the HTML specification, web browser functionality, and HTTP. These attacks, which include Java applets and ActiveX controls, involve passing harmful programs across the network and loading the programs through a user browser.

Netcat
Netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat is designed to be a reliable back-end tool that can be used directly or can easily be driven by other programs and scripts. Netcat is also a feature-rich network debugging and exploration tool because Netcat can create almost any kind of connection you would need and has several interesting built-in capabilities. The screen capture in Figure lists the options you can use from the Netcat command line. The example in Figure illustrates how to use Netcat to redirect a TCP session from port 80 on the host where Netcat is running to port 139 on the machine with the address X.X.X.X. The first example in the figure shows how a hacker who gained access to a DMZ host uses Netcat on that host to relay traffic. All TCP sessions that are destined to TCP port 80 on the local system are redirected to an inside host on TCP port 139. Redirecting sessions allows the hacker to access TCP port 139 of the inside host, although the firewall permits only HTTP traffic to the DMZ host. The second example shows that Netcat is able to execute a program when the local system accepts a network connection. Any connection that the DMZ system accepts on the local TCP port 80 will spawn a CMD.exe shell. As a result, when a hacker connects to the HTTP server running on that DMZ host, the hacker receives a command prompt, effectively allowing the attacker to perform any operations within the system. Mitigating Application Layer Attacks
Figure lists the various measures you can take to reduce your risks for application layer attacks:

• Read operating system and network log files or have the files analyzed. It is important to review all logs and take action accordingly.
• Subscribe to mailing lists that publicize vulnerabilities. Most application and operating system vulnerabilities are published on the web by various sources.
• Keep your operating system and applications current with the latest patches. Always test patches and fixes in a nonproduction environment. This practice prevents downtime and keeps errors from being generated unnecessarily.
• Use IDS, IPS, or both to scan for known attacks, monitor and log attacks, and ultimately prevent attacks. Using these systems is essential to identifying security threats and mitigating some of these threats. In most cases, mitigation can be done automatically.

Web Links Netcat
http://en.wikipedia.org/wiki/Netcat

---

Content 5.3 Network Attacks Using Intelligence 5.3.4 Management Protocols and Vulnerabilities Configuration management protocols include SSH, SSL and the more insecure Telnet. Telnet was developed in an era when security was not an issue. The network administrator should recognize that the data within a Telnet session is sent as plaintext and can be intercepted by anyone with a packet sniffer located along the data path between the managed device and the management server. The clear text may include important or sensitive information, such as the configuration of the device itself, passwords, or other sensitive data. Note
Instead of using Telnet for remote management, it is recommended that you use SSH or SSL. Configuration Management Recommendations
Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device, you should configure ACLs to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged. Configuration management is an essential component of the network availability and thus, configuration management security is of paramount importance. Figure summarizes configuration management recommendations. You should use secure management protocols when you are configuring all network devices. Some management protocols, such as SSH and SSL, have been designed with security in mind and can be used in the management solution. Other protocols, such as Telnet and Simple Network Management Protocol version 2 (SNMPv2), must be made secure by protecting the data with IPsec. IPsec provides the encryption and authentication that the system needs to combat an attacker who tries to compromise the data exchange. You should use access lists to further limit connectivity to the network devices and hosts. The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts. You should also implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts. Management Protocols
Figure lists some common management protocols. Each has security weaknesses as described below. SNMP is a network management protocol that you can use to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP versions 1 and 2 use passwords (called community strings) within each message as a simple form of security. Unfortunately, SNMPv1 and v2 devices send the community string in plaintext along with the message. Therefore, SNMPv1 and v2 messages can be intercepted by anyone with a packet sniffer located along the data path between the device and the management server. SNMPv3 overcomes these shortcomings by providing authentication and encryption to the message exchange. The syslog protocol is designed to carry messages from a device that is configured for logging to a syslog server that collects the information. The messages are sent as plaintext between the managed device and the management host. Syslog has no packet-level integrity checking that ensures that the packet contents have not been altered in transit. An attacker can alter syslog data in order to confuse a network administrator during an attack. TFTP is used for transferring configuration or system files across the network. TFTP uses UDP for the data stream between the requesting host and the TFTP server. As with other management protocols that send data in plaintext, you should recognize that data within a TFTP session might be intercepted by anyone with a packet sniffer located along the data path between the device and the management server. Whenever possible, TFTP traffic should be encrypted within an IPsec tunnel in order to reduce the chance of interception. Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a network. Synchronization of the clocks within a network is critical for digital certificates and for correct interpretation of events within syslog data. A secure method of providing clocking for the network is for network administrators to implement their own master clocks for private networks synchronized, via