programs can also modify application
functionality, such as applying a blind carbon copy to all
e-mail messages so that the attacker can read all of the
organization’s e-mail. One of the oldest forms of
application layer attacks is a Trojan horse program that
displays a screen, banner, or prompt that the user believes is
the valid login sequence. The program then captures the
information that the user enters and stores or e-mails the
information to the attacker. Next, the program either forwards
the information to the normal login process (normally
impossible on modern systems) or simply sends an expected error
to the user (for example, Bad Username or Bad Password or a
combination), exits, and starts the normal login sequence. The
user believes that he or she has incorrectly entered the
password, reenters the information and is allowed access.
One of the newest forms of application layer attacks
exploits the openness of several new technologies: the HTML
specification, web browser functionality, and HTTP. These
attacks, which include Java applets and ActiveX controls,
involve passing harmful programs across the network and loading
the programs through a user browser.
Netcat
Netcat is a networking utility that reads and
writes data across network connections using the TCP/IP
protocol. Netcat is designed to be a reliable back-end tool
that can be used directly or can easily be driven by other
programs and scripts. Netcat is also a feature-rich network
debugging and exploration tool because Netcat can create almost
any kind of connection you would need and has several
interesting built-in capabilities. The screen capture in Figure
lists the options you can use from the Netcat command line. The
example in Figure illustrates how to use Netcat to redirect a
TCP session from port 80 on the host where Netcat is running to
port 139 on the machine with the address X.X.X.X. The first
example in the figure shows how a hacker who gained access to a
DMZ host uses Netcat on that host to relay traffic. All TCP
sessions that are destined to TCP port 80 on the local system
are redirected to an inside host on TCP port 139. Redirecting
sessions allows the hacker to access TCP port 139 of the inside
host, although the firewall permits only HTTP traffic to the
DMZ host. The second example shows that Netcat is able to
execute a program when the local system accepts a network
connection. Any connection that the DMZ system accepts on the
local TCP port 80 will spawn a CMD.exe shell. As a result, when
a hacker connects to the HTTP server running on that DMZ host,
the hacker receives a command prompt, effectively allowing the
attacker to perform any operations within the system.
Mitigating Application Layer Attacks
Figure lists
the various measures you can take to reduce your risks for
application layer attacks: - Read operating system and
network log files or have the files analyzed. It is important
to review all logs and take action accordingly.
-
Subscribe to mailing lists that publicize vulnerabilities. Most
application and operating system vulnerabilities are published
on the web by various sources.
- Keep your operating
system and applications current with the latest patches. Always
test patches and fixes in a nonproduction environment. This
practice prevents downtime and keeps errors from being
generated unnecessarily.
- Use IDS, IPS, or both to
scan for known attacks, monitor and log attacks, and ultimately
prevent attacks. Using these systems is essential to
identifying security threats and mitigating some of these
threats. In most cases, mitigation can be done
automatically.
Web Links Netcat
http://en.wikipedia.org/wiki/Netcat
Content
5.3 Network Attacks Using Intelligence
5.3.4 Management Protocols and Vulnerabilities
Configuration management protocols include SSH, SSL and the
more insecure Telnet. Telnet was developed in an era when
security was not an issue. The network administrator should
recognize that the data within a Telnet session is sent as
plaintext and can be intercepted by anyone with a packet
sniffer located along the data path between the managed device
and the management server. The clear text may include important
or sensitive information, such as the configuration of the
device itself, passwords, or other sensitive data.
Note
Instead of using Telnet for remote management,
it is recommended that you use SSH or SSL. Configuration
Management Recommendations
Regardless of whether SSH,
SSL, or Telnet is used for remote access to the managed device,
you should configure ACLs to allow only management servers to
connect to the device. All attempts from other IP addresses
should be denied and logged. Configuration management is an
essential component of the network availability and thus,
configuration management security is of paramount importance.
Figure summarizes configuration management recommendations. You
should use secure management protocols when you are configuring
all network devices. Some management protocols, such as SSH and
SSL, have been designed with security in mind and can be used
in the management solution. Other protocols, such as Telnet and
Simple Network Management Protocol version 2 (SNMPv2), must be
made secure by protecting the data with IPsec. IPsec provides
the encryption and authentication that the system needs to
combat an attacker who tries to compromise the data exchange.
You should use access lists to further limit connectivity to
the network devices and hosts. The access lists should permit
management access, such as SSH or HTTPS, only from the
legitimate management hosts. You should also implement RFC 3704
filtering at the ingress router to reduce the chance of an
attacker from outside the network spoofing the addresses of the
management hosts. Management Protocols
Figure lists
some common management protocols. Each has security weaknesses
as described below. SNMP is a network management protocol that
you can use to retrieve information from a network device
(commonly referred to as read-only access) or to remotely
configure parameters on the device (commonly referred to as
read-write access). SNMP versions 1 and 2 use passwords (called
community strings) within each message as a simple form of
security. Unfortunately, SNMPv1 and v2 devices send the
community string in plaintext along with the message.
Therefore, SNMPv1 and v2 messages can be intercepted by anyone
with a packet sniffer located along the data path between the
device and the management server. SNMPv3 overcomes these
shortcomings by providing authentication and encryption to the
message exchange. The syslog protocol is designed to carry
messages from a device that is configured for logging to a
syslog server that collects the information. The messages are
sent as plaintext between the managed device and the management
host. Syslog has no packet-level integrity checking that
ensures that the packet contents have not been altered in
transit. An attacker can alter syslog data in order to confuse
a network administrator during an attack. TFTP is used for
transferring configuration or system files across the network.
TFTP uses UDP for the data stream between the requesting host
and the TFTP server. As with other management protocols that
send data in plaintext, you should recognize that data within a
TFTP session might be intercepted by anyone with a packet
sniffer located along the data path between the device and the
management server. Whenever possible, TFTP traffic should be
encrypted within an IPsec tunnel in order to reduce the chance
of interception. Network Time Protocol (NTP) is used to
synchronize the clocks of various devices across a network.
Synchronization of the clocks within a network is critical for
digital certificates and for correct interpretation of events
within syslog data. A secure method of providing clocking for
the network is for network administrators to implement their
own master clocks for private networks synchronized, via