Ways to bypass firewalls.


A firewall is a set of hardware or software components that controls and filters the network packets passing through it according to specified rules.
The main task of a firewall is to protect computer networks or individual hosts from unauthorized access. Firewalls are also often called filters, since their main job is to stop (filter out) packets that do not meet the criteria defined in their configuration.
Depending on the coverage of controlled data flows, firewalls are divided into:

  • a traditional network (or internetwork) firewall: a program (or an integral part of the operating system) running on a gateway (a server that forwards traffic between networks), or a hardware appliance, that controls the incoming and outgoing data flows between the connected networks;

  • a personal firewall: a program installed on a user's computer and designed to protect only that computer from unauthorized access.
Depending on the level at which access control takes place, there is a division into firewalls operating on:

  • the network layer, where filtering is based on the sender and recipient addresses of packets, the port numbers of the OSI transport layer and static rules set by the administrator;

  • the session layer (also known as stateful), which tracks sessions between applications and does not pass packets that violate the TCP/IP specifications; such packets are often used in malicious operations: resource scanning, attacks on incorrect TCP/IP implementations, connection drops or slowdowns, data injection;

  • the application layer, where filtering is based on analysis of the application data carried within the packet. Firewalls of this type allow the transmission of unwanted and potentially harmful information to be blocked on the basis of policies and settings.
Depending on the tracking of active connections, firewalls are:

  • stateless (simple filtering), which do not track current connections (for example, TCP) but filter the data stream solely on the basis of static rules;

  • stateful (context-based filtering), which track current connections and pass only those packets that satisfy the logic and algorithms of the corresponding protocols and applications. Firewalls of this type deal more effectively with various kinds of DoS attacks and with vulnerabilities in some network protocols. In addition, they support protocols such as H.323, SIP and FTP, which use complex data-transfer schemes between the parties that are difficult to describe with static rules and are often incompatible with standard stateless firewalls.
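To make the difference between the two classes concrete, here is an added example in Python (not code from the original page): a minimal stateless rule set beside a minimal stateful connection tracker, both fed the same constructed packet sequence. The packet model, the addresses and the policy are assumptions made for the demonstration. The stateless filter approves an inbound packet merely because its ACK bit is set; the stateful filter rejects it because no connection in its table was ever opened from the inside.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


# Constructed packet model: direction "out" means LAN -> Internet, "in" the reverse.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str          # "in" or "out"


def stateless_allow(p: Packet) -> bool:
    """Static rule set: everything outbound is allowed; inbound packets are
    allowed only if they look like part of an existing connection, which a
    classic ACL approximates as 'ACK or RST bit set'."""
    if p.direction == "out":
        return True
    return bool(p.flags & {"ACK", "RST"})


class StatefulFilter:
    """Follows each TCP connection opened from the LAN through its handshake and
    accepts inbound packets only for connections the table already knows.
    Simplified: FIN is passed but connection teardown is not tracked."""

    def __init__(self) -> None:
        # key: (lan_ip, lan_port, remote_ip, remote_port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def key(p: Packet) -> Tuple[str, int, str, int]:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def allow(self, p: Packet) -> bool:
        k = self.key(p)
        state = self.table.get(k)
        if state is None:
            # Only a bare SYN from the LAN may create a new entry; flags alone
            # never earn an unknown packet a place in the table.
            if p.direction == "out" and p.flags == {"SYN"}:
                self.table[k] = "SYN_SENT"
                return True
            return False
        if "RST" in p.flags:
            del self.table[k]       # connection aborted: forget it
            return True
        if state == "SYN_SENT":
            ok = p.direction == "in" and p.flags == {"SYN", "ACK"}
            if ok:
                self.table[k] = "SYN_RECV"
            return ok
        if state == "SYN_RECV":
            ok = p.direction == "out" and p.flags == {"ACK"}
            if ok:
                self.table[k] = "ESTABLISHED"
            return ok
        # ESTABLISHED: data and FIN flow freely, a fresh SYN mid-stream does not.
        return "SYN" not in p.flags


def trace() -> Dict[str, List[bool]]:
    """Constructed packet sequence: a legitimate web session from a LAN host,
    followed by inbound probes from an unrelated Internet host that belong
    to no connection."""
    F = frozenset
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, F({"SYN"}), "out"),
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, F({"SYN", "ACK"}), "in"),
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, F({"ACK"}), "out"),
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, F({"ACK"}), "out"),   # request
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, F({"ACK"}), "in"),    # response
        Packet("198.51.100.7", 1234, "10.0.0.9", 445, F({"ACK"}), "in"),    # stray ACK
        Packet("198.51.100.7", 1234, "10.0.0.9", 445, F({"SYN"}), "in"),    # stray SYN
    ]
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [sf.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, decisions in trace().items():
        print(name, decisions)
```

Run it and the sixth decision differs: the stray ACK to port 445 passes the static rule but is dropped by the tracker. This is the mechanism behind the claim that stateful firewalls cope better with scanning and with packets that violate the TCP specification: a packet is judged by the connection it belongs to, not by its flags alone.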
How to bypass firewalls.

  1. A threat from within. Threats do not always come from outside the ITU, from the Internet. A large share of losses is associated precisely with security incidents caused by internal users (according to statistics, up to 80% of incidents originate from within). It should be clarified that the firewall only looks at traffic at the boundary between the internal network and the Internet. If the traffic exploiting the security holes never passes through the firewall, the ITU finds no problems.

    Example on the slide

  2. Tunnels. The firewall filters traffic and decides whether to allow or block network packets on the basis of information about the protocol being used. As a rule, the rules provide a check that determines whether a particular protocol is allowed or not. For example, if ports 25 and 80 are open on the ITU, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is precisely this processing principle that skilled attackers exploit. All unauthorized activity is carried out within the allowed protocol, thereby creating a tunnel through which the attacker carries out the attack. The simplest example of tunnelling is Internet worms and macro viruses that enter the corporate network as attachments to e-mail messages. If the firewall allows SMTP traffic (and I have never seen an ITU that does not), then the internal network can also catch a "viral infection".

    A common modern covert-channel attack is the Loki attack. It uses the ICMP protocol to transfer data, although this protocol was not designed to be used that way; it is intended only for sending messages about current status and errors. But someone developed a special tool (Loki) that allows an attacker to write data right after the ICMP header.
    This allows an attacker to communicate with another system through a covert channel. The attack is often very successful because most firewalls are configured to allow incoming and outgoing ICMP traffic. It is a covert channel because it uses, for communication, a protocol that was not designed for it. Detailed information about the Loki attack can be found at http://xforce.iss.net/xforce/xfdb/1452.


  3. Encryption. Very often one hears from domestic developers of VPN tools that the tool they have developed for building virtual private networks can solve many security problems. Their argument is that since the protected network communicates with its counterparts (remote offices, partners, customers, etc.) only via a VPN connection, no "infection" can penetrate it. This is partly true, but only on the condition that those counterparts do not communicate with anyone else through unsecured channels, and that is hard to imagine. Since most organizations use encryption to protect external network connections, an attacker's interest will be directed to those places on the network where the information he wants is probably not protected, that is, to hosts or networks with which a trust relationship has been established. Even when VPN connections are created between a network protected by an ITU with VPN functions and a trusted network, an attacker will be able to carry out his attacks with the same efficiency. Moreover, the effectiveness of his attacks will be even higher, since the security requirements for trusted hosts and networks are often far below those for all other hosts. The attacker will be able to penetrate the trusted network and only then, from it, carry out his unauthorized actions against the target of his attack.


  4. Vulnerabilities in firewalls. By attacking the ITU and putting it out of action, attackers can calmly, without fear of being detected, carry out their criminal plans against the resources of the protected network. For example, since the beginning of 2001, many vulnerabilities have been discovered in the implementations of various well-known firewalls.

  5. Address spoofing. This is a way of hiding the attacker's real address. However, it can also be used to bypass firewall protection mechanisms. The simplest method, replacing the source address of network packets with an address from the protected network, can no longer mislead modern firewalls; they all use various means of protection against such substitution. However, the principle of address substitution itself remains relevant. For example, an attacker can replace his real address with the address of a host that has a trust relationship with the attacked system and carry out a denial-of-service attack on it.

"Normal heroes always go around"

Why try to break into protected resources through the security features when you can try to go around them? This can be illustrated with an example from a related field. On Wednesday, February 21, 1990, Mary Pirham, a budget analyst at an American company, came to work. However, she was unable to get into her workplace even after dialling the four-digit code and saying the code word to the access control system. Still wanting to get to work, Mary went around the building and opened the back door with a nail file and a plastic comb. The brand-new protective system that Mary Pirham bypassed had been advertised as "trouble-free and reliable" and cost several tens of thousands of dollars. The same applies to firewalls, except that the role of the back door can be played by a modem. Do you know how many modems are installed on your network and what they are used for? Do not answer in the affirmative right away; think about it. During a survey of one network, the heads of the information security and automation departments swore up and down that they knew every single modem installed in their network. By running the Internet Scanner security analysis system, we did find the modems they had listed, which were used to update the databases of the accounting and legal systems. However, two unknown modems were also found. One was used by an employee of the analytics department to access work directories from home. The second modem was used to access the Internet, bypassing the firewall.

Another example concerns the possibility of bypassing the ITU. Threats do not always come from outside the ITU, from the Internet. A large share of losses is associated precisely with security incidents caused by internal users (according to statistics, up to 80% of incidents originate from within). It should be clarified that the firewall only inspects traffic at the boundary between the internal network and the Internet. If the traffic exploiting the security holes never passes through the firewall, the ITU finds no problems. In 1985, at one of the Russian shipyards, a criminal group of more than 70 (!) people was exposed which, during 1981-1985, stole more than 200 thousand rubles by entering false documents into the payroll information system. Similar cases were recorded at factories in Leningrad and Gorky. Not even the most effective firewall could have detected such activity.

Tunnels are used not only in the subway

But even inspecting traffic at the border between the external and internal networks does not guarantee complete protection. The firewall filters traffic and decides whether to allow or block network packets on the basis of information about the protocol being used. More often than not, the rules provide a check that determines whether a particular protocol is allowed or not. For example, if ports 25 and 80 are open on the ITU, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is precisely this processing principle that skilled attackers exploit. All unauthorized activity is carried out within the allowed protocol, thereby creating a tunnel through which the attacker carries out the attack. The simplest example of tunnelling is Internet worms and macro viruses that enter the corporate network as attachments to e-mail messages. If the firewall allows SMTP traffic (and I have never seen an ITU that does not), then a "viral infection" can also get into the internal network.

Here is a more complex example. Take a web server running Microsoft software (Internet Information Server), protected by a firewall that only allows port 80. At first glance, complete protection is provided. But only at first glance. If IIS version 3.0 is used, then the address http://www.domain.ru/default.asp. (with a dot at the end) allows an attacker to gain access to the contents of the .asp file, which may store sensitive data (for example, a database access password). The RealSecure intrusion detection system calls this attack "HTTP IIS 3.0 Asp Dot". And even if you have installed the very latest version, IIS 5.0, you still cannot feel completely secure. A request to the address:

http://SOMEHOST/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\

causes the command "dir C:\" to be executed. Similarly, any file can be read, including those containing confidential information:

http://SOMEHOST/scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt
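Both IIS examples above rely on a request path that looks harmless until it is decoded: a trailing dot on a script name, and a traversal written with the overlong UTF-8 sequence %C1%9C for the backslash. The following Python code is an added example, not part of the original article or of any vendor product, showing how a web-server log scanner would normalise such paths before matching: it decodes percent escapes, decodes UTF-8 while noting overlong sequences, folds backslashes into slashes, and only then looks for ".." segments or a trailing dot. The log format and the client addresses are constructed; the request paths are the ones quoted in the text.

```python
import re
from typing import Dict, List, Tuple

_HEX = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode(s: str) -> bytes:
    """Decode %XX escapes to raw bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _HEX.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out += s[i].encode("utf-8")
            i += 1
    return bytes(out)


def utf8_decode_lenient(data: bytes) -> Tuple[str, bool]:
    """Decode UTF-8 the way a lenient server might, and report whether any
    sequence was 'overlong' (a code point encoded in more bytes than needed,
    e.g. C1 9C for the backslash). Strict decoders reject such sequences."""
    text: List[str] = []
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            text.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, floor = 3, b & 0x07, 0x10000
        else:
            text.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need or any(not 0x80 <= c <= 0xBF for c in tail):
            text.append("\ufffd")      # truncated or bad continuation byte
            i += 1
            continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        overlong = overlong or cp < floor
        text.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(text), overlong


def analyze_request_path(raw_uri: str) -> Dict[str, object]:
    """Canonicalise the path part of a request URI, then look for the two
    patterns discussed in the text: directory traversal and a trailing dot."""
    path = raw_uri.split("?", 1)[0]
    decoded, overlong = utf8_decode_lenient(percent_decode(path))
    normalized = decoded.replace("\\", "/")
    segments = normalized.split("/")
    reasons: List[str] = []
    if ".." in segments:
        reasons.append("traversal")
    if overlong:
        reasons.append("overlong-utf8")
    if segments and re.search(r"\.asp\.$", segments[-1], re.IGNORECASE):
        reasons.append("trailing-dot")
    return {"normalized": normalized, "overlong": overlong, "reasons": reasons}


# Constructed log lines in an assumed "date time client method uri status" format.
SAMPLE_LOG = """\
1998-07-01 10:00:01 203.0.113.10 GET /index.html 200
1998-07-01 10:00:02 198.51.100.7 GET /scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\\ 200
1998-07-01 10:00:03 198.51.100.7 GET /default.asp. 200
1998-07-01 10:00:04 192.0.2.44 GET /docs/..%2F..%2Fprivate/config.txt 404
"""


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, raw_uri, reasons) for every request that is flagged."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri = fields[2], fields[4]
        result = analyze_request_path(uri)
        if result["reasons"]:
            flagged.append((client, uri, result["reasons"]))
    return flagged


if __name__ == "__main__":
    for client, uri, reasons in scan_log(SAMPLE_LOG):
        print(client, reasons, uri)
```

The lesson for filtering at the application layer is the order of operations: decode fully, canonicalise, then compare. A filter that inspects the raw string for "../" or "..\" never sees the %C1%9C form, which is exactly how the tunnel through port 80 described above gets past a port-only rule.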

A final example is the Loki attack, which tunnels various commands (such as a request for the /etc/passwd password file) inside ICMP Echo Request packets and returns the results in ICMP Echo Reply packets.

Encrypt, don't encrypt, it doesn't matter...

Very often one hears from domestic developers of VPN tools that the tool they have developed for building virtual private networks can solve many security problems. Their argument is that since the protected network communicates with its counterparts (remote offices, partners, customers, etc.) only via a VPN connection, no "infection" can penetrate it. This is partly true, but only on the condition that those counterparts do not communicate with anyone else through unsecured channels, and that is hard to imagine. Since most organizations use encryption to protect external network connections, an attacker's interest will be directed to those places on the network where the information he wants is probably not protected, that is, to hosts or networks with which a trust relationship has been established. Even when VPN connections are created between a network protected by an ITU with VPN functions and a trusted network, an attacker will be able to carry out his attacks with the same efficiency. Moreover, the effectiveness of his attacks will be even higher, since the security requirements for trusted hosts and networks are often much lower than for all other hosts. The attacker will be able to penetrate the trusted network and only then, from it, carry out his unauthorized actions against the actual target of the attack. In March 1995, the security administrator of the Johnson Space Center received a report that two of the center's computers had been attacked by intruders. However, the investigation showed that these computers had been compromised as early as December 1994, and programs intercepting user IDs and passwords had been installed on them. The logs of these programs contained about 1,300 user IDs and passwords from more than 130 systems connected to the compromised hosts.

And again about spoofing

Address spoofing is a way of hiding the real address of an intruder. However, it can also be used to bypass firewall protection mechanisms. Such a simple method as replacing the source address of network packets with an address from the protected network can no longer mislead modern firewalls; all of them use various methods of protection against such substitution. However, the principle of address substitution itself remains relevant. For example, an attacker can replace his real address with the address of a host that has a trust relationship with the attacked system and carry out a denial-of-service attack on it.
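What "protection against such substitution" means in practice is ingress and egress filtering on the interface a packet arrives on. The Python check below is an added illustration, not the article's own or any vendor's implementation; the network prefixes, the partner network and the packet cases are constructed assumptions. Note the last case: a packet from the Internet carrying the address of a trusted partner passes, because by address alone the filter cannot tell the partner from an impostor, which is exactly the residual risk the paragraph describes.

```python
import ipaddress
from typing import List, Tuple

IPNet = ipaddress.IPv4Network
# Constructed topology: these prefixes live behind the firewall's internal interface.
INTERNAL_NETS: List[IPNet] = [ipaddress.ip_network("10.0.0.0/8"),
                              ipaddress.ip_network("192.168.0.0/16")]
# Addresses that must never appear as a source on the external interface.
BOGON_NETS: List[IPNet] = [ipaddress.ip_network("0.0.0.0/8"),
                           ipaddress.ip_network("127.0.0.0/8"),
                           ipaddress.ip_network("169.254.0.0/16")]
# A partner network that rules elsewhere treat as trusted (constructed address).
TRUSTED_PARTNER = ipaddress.ip_network("203.0.113.0/24")


def in_any(ip: str, nets: List[IPNet]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def antispoof_check(iface: str, src: str, dst: str) -> Tuple[str, str]:
    """iface is 'ext' (packet arrived from the Internet) or 'int' (from the LAN).
    Returns ('pass', '') or ('drop', reason). Ingress filtering on the outside,
    egress filtering on the inside, in the spirit of RFC 2827."""
    if iface == "ext":
        if in_any(src, INTERNAL_NETS):
            return "drop", "internal source address arriving from the Internet"
        if in_any(src, BOGON_NETS):
            return "drop", "bogon source address"
        if not in_any(dst, INTERNAL_NETS):
            return "drop", "external packet not addressed to our network"
    elif iface == "int":
        if not in_any(src, INTERNAL_NETS):
            return "drop", "LAN host sending with a foreign source address"
    else:
        return "drop", "unknown interface"
    return "pass", ""


def is_trusted_partner(src: str) -> bool:
    """Address-based trust: true for the real partner and for anyone who
    forges the partner's address from outside. The check cannot tell them apart."""
    return ipaddress.ip_address(src) in TRUSTED_PARTNER


def demo() -> List[str]:
    cases = [
        ("ext", "10.0.0.5", "10.0.0.9"),         # LAN address from outside: spoof
        ("ext", "127.0.0.1", "10.0.0.9"),        # loopback from outside
        ("ext", "198.51.100.7", "10.0.0.9"),     # ordinary Internet host
        ("int", "198.51.100.7", "198.51.100.1"), # LAN host spoofing outbound
        ("ext", "203.0.113.5", "10.0.0.9"),      # claims to be the trusted partner
    ]
    return [antispoof_check(*c)[0] for c in cases]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Closing that last gap is not a job for address checks. A stateful firewall helps for TCP, since a blindly spoofed source never sees the SYN-ACK and cannot complete the handshake (assuming unpredictable initial sequence numbers), and the longer-term answer is to authenticate the peer cryptographically rather than by its address.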

The firewall as an attack target

Firewalls are often targets of attack themselves. By attacking the ITU and putting it out of action, attackers can calmly, without fear of being detected, carry out their criminal plans against the resources of the protected network. For example, since the beginning of 2001, many vulnerabilities have been discovered in the implementations of various well-known firewalls. Incorrect handling of TCP packets with the ECE flag in the ipfw and ip6fw firewalls allowed a remote attacker to bypass the configured rules. Another vulnerability was found in the BorderWare Firewall Server 6.1.2 firewall: exploitation of this ICMP Echo Request broadcast vulnerability resulted in a loss of availability of the BorderWare ITU. Other firewalls did not stand aside either: Cisco Secure PIX Firewall, WatchGuard Firebox, etc.

Wait, who's coming? Present your passport!

The vast majority of firewalls are built on the classic access control models developed in the 1970s and 1980s in military departments. According to these models, a subject (a user, program, process or network packet) is allowed or denied access to some object (for example, a file or a network host) upon presentation of some unique element inherent only to that subject. In 80% of cases this element is a password. In other cases the unique element is a Touch Memory tablet, a smart or proximity card, the user's biometric characteristics, etc. For a network packet, this element is the addresses or flags in the packet header, as well as some other parameters.

It is easy to see that the weakest link in this scheme is the unique element. If an intruder somehow obtains this element and presents it to the firewall, the firewall treats him as "one of its own" and lets him act within the rights of the subject whose secret element was used without authorization. At the current pace of technology development, obtaining such a secret element is not difficult. It can be "eavesdropped" while being transmitted over the network using protocol analyzers, including those built into operating systems (for example, Network Monitor in Windows NT 4.0). It can be guessed using special programs available on the Internet, such as L0phtCrack for Windows or Crack for Unix.

Thus, even the most powerful and reliable firewall will not protect a corporate network from penetration by an intruder if the latter has managed to guess or steal the password of an authorized user. Moreover, the firewall will not even detect the violation, since to it the intruder who stole the password is an authorized user. For example, on March 22, 1995, an unidentified attacker, using a stolen password and software from the Pinsk branch of BelAKB "Magnatbank", penetrated the computer network of the Belarusian Interbank Settlement Center and transferred 1 billion 700 million rubles to the settlement account of Aresa LTD LLC at the Soviet branch of BelAKB "Promstroybank".

Administrator - king and god

Every organization has users with virtually unlimited rights on the network: the network administrators. They are controlled by no one and can do almost anything on the network. As a rule, they use their unlimited rights to perform their duties. But imagine for a moment that the administrator has been offended by something, be it a low salary, underestimation of his abilities, a desire for revenge, etc. There have been cases when such offended administrators "spoiled the blood" of more than one company and caused very serious damage. In the fall of 1985, Donald Burlison, computer security director at USPA & IRA, tried through the company's management to obtain a reduction in the amount of income tax that he constantly had to pay and with which he was unhappy. However, he was fired. Three days after leaving, he came to the office and, having gained access to the company's network, deleted 168,000 records from the insurance and trade protection database. He then released several worms onto the network that were supposed to keep deleting similar records in the future. Russia did not stand aside either. In 1991, with the help of computer technology, foreign currency funds amounting to 125.5 thousand dollars were stolen from Vnesheconombank, and preparations were made for the theft of more than 500 thousand dollars more. The mechanism of the theft was very simple. A Moscow resident, together with the head of the automation department for non-trading operations at Vnesheconombank's Computing Center, opened accounts using six fake passports and deposited $50 in each. Then, by modifying the banking software, 125 thousand dollars were transferred to the accounts opened with the fake passports.

These two examples demonstrate that even the most effective firewall could not protect a corporate network if it were attacked by its administrator.

Conclusion

Firewalls do not provide a sufficient level of security for corporate networks, although in no case should they be abandoned. They help provide a necessary but clearly insufficient level of protection for corporate resources. As has been noted more than once, traditional tools, which include firewalls, were built on models developed at a time when networks were not widespread and methods of attacking them were not as developed as they are now. In order to counter these attacks at the proper level, new technologies must be used, for example intrusion detection technology, which began to be actively developed abroad and came to Russia four years ago. A prominent representative of this technology, the RealSecure family of tools from Internet Security Systems, effectively complements existing firewalls and provides a higher level of security.

Q. I am using a dynamic IP address - should I be concerned about security?

A. Although there is an opinion that you should not, in fact that is all a lie. Firstly, if the time range in which a computer may be connected to the Internet is roughly known, it is not so difficult to scan the provider's entire dynamic address space. Secondly, many attacks are made "at random", without any specific target. And thirdly, you can easily "light up" a dynamic address on IRC, WWW, etc., when using almost any network service.

Q. And what, in fact, threatens me?

A. Anything at all. Your computer can be "hung" (and sometimes your machine does not even need to accept any connections for that), and any valuable information can be stolen or replaced.

Q. What are the basic precautions needed?

A. A good place to start is to estimate what the possible consequences would cost; this will help you take _adequate_ measures. If you need to connect a small office network of a dozen or so machines to the Internet, and some of them contain confidential information, it may well make sense to buy a simple firewall, or to build one yourself if you can. To access the Internet from your home computer more or less safely, it is enough to take a few basic precautions.

First, you need to disable the sharing of computer resources over TCP/IP. This can be done in at least two ways. The first, which Microsoft recommends, is to turn off resource sharing altogether (Settings -> Control Panel -> Network -> File and Print Sharing).

Of course, this is suitable only if you are not going to use this feature actively.

The second way is to unbind the NetBIOS interface from TCP/IP (Settings -> Control Panel -> Network -> TCP/IP -> Properties -> Bindings).

Secondly, it is useful to make sure that the versions of Win95\NT and the networking software you use are the latest and that no newer updates, service packs, etc. have been released for them. That you should not use dubious software, run any file that arrives by e-mail, or do similarly stupid things is probably not worth mentioning. Let me just remind you that any Word document can contain a macro virus.

Q. What kind of software can pose an additional risk?

A. Almost any ;-). In a little more detail:

When using the most common WWW browsers, such as Netscape Navigator or MS Internet Explorer, problems are possible that are more serious than a "crash" caused by an internal error, including, for example, reading any file from your disk: for real, and not as in the stupid hoax that has been scaring novices for years. How to protect yourself from this?

Use the latest versions of browsers, in which the _known_ "holes" are more or less plugged, and if you need to protect yourself from unknown ones to some extent, I can only advise you to turn off support for ActiveX, Java and JavaScript.

In the case of e-mail, again, if you do not do stupid things and do not run incoming .exe files (and remember about macro viruses!), you will hardly face anything worse than the idiotic letters that arrive with enviable regularity offering to buy something unnecessary or to take part in yet another stupid pyramid scheme by sending money in an envelope to the devil knows where. This is called spam, and you can fight it by working out from the message headers which Internet provider tolerates such a mess and starting to complain to it. There seems to be no other way, other than automating the deletion of such e-mails (Inbox Assistant does just that). Theoretically, MIME, an extended message format often (or more often than necessary) used on the Internet, _might_ present security problems, but in practice this happens infrequently.

News is not much different from e-mail in terms of client security.

If you use IRC, then most likely the most important thing is that the IP address of your computer, the version of the IRC client and often the type and version of the operating system become known to anyone and everyone, which is clearly not good. There may turn out to be more people who like to try their own (more often not their own ;-) technical achievements on you than it seems at first glance. In addition, the script, or even the IRC client itself, can contain backdoors ("bookmarks") with almost any capabilities. The DCC protocol can cause the most trouble; by the way, you can simply turn it off in most IRC clients. If you do not understand in detail how a proposed script works, you should not install it under any circumstances, unless a knowledgeable person checks it.

ICQ has still been little studied in this respect, but two things are known about it: a) any client can be "dropped" by a stream of meaningless data sent to the port where it answers ("And this is just the beginning" (c) AO MMM), and b) it does not provide any additional features compared to IRC.
I wouldn't recommend using ICQ at all.

Q. I am using an old subscription kit with MSIE 3.01. How dangerous is this and what should be done?

A. Version 3.01 of MS Internet Explorer can bring some pretty nasty security problems: this version can run programs on the computer it is running on without the user's consent. For this reason it is better to replace it with the newer version 3.02. The version currently included in the subscription kit (3.02) is also not free of a similar error, but firstly, it concerns not MSIE itself but its interaction with PowerPoint, and secondly, only one _such_ error is known (so far). And there is a fix for it. Unfortunately, we are not yet able to replace the MSIE version inside the subscriber kit (the program that generates it is, in the "best" traditions of Microsoft, pretty closed) with the _very_ latest release of 3.02 ("Last Updated June 13, 1997"), but this difference is no longer so fundamental.

Q. What, in short, can be said about Netscape Communicator 4.0-release?

A. This version, like previous versions of Netscape's Web browsers, has a bug in the JavaScript implementation that allows (with the standard settings) any file to be read from your computer. You can either replace it with version 4.01, or change the Netscape settings so that this danger is no longer relevant (Security Advisor menu: enable confirmations before sending data over the network).

Q. Why is the provider not taking security measures?

A. The fact is that, for example, by blocking access to the ports used by Windows/Samba for resource sharing, we would deprive our clients of the opportunity to use them for completely legitimate and sometimes even necessary purposes. Therefore, we provide security on our part of the network, and your task is to ensure it on yours. Of course, I can help with this, but I am not obliged to do it for free ;-).

Q. I received an email warning about a virus spreading via email..

A. Such nonsense has been circulating on the net for more than a year; it is just another version of the "chain letter". The fact that the growth of the Internet provides a constant influx of fresh idiots ready to forward such things to everyone is truly depressing. The biggest danger this "virus" exposes its victims to is the opportunity to join the aforementioned ranks.

Q. Is a UUCP connection completely secure?

A. Practically, yes. Completely, no. Practically, because, firstly, cases of "hacking" UUCP are almost unknown; it requires a direct connection to the attacked machine using the UUCP protocol. However, in at least some versions of the most popular implementation of UUCP for *DOS, uupc/@ by Ache, I found a bug that allows you to bypass the built-in protection of the uucp command handler and read or write any file in any directory simply by using a relative path like ~/../../somewhere. Secondly, the offline way the machine interacts with the network makes it impossible to obtain information immediately and makes it easier to detect hacking attempts. Of course, what has been said about e-mail largely applies to UUCP connections as well.

Firewalls and Backdoors

Vollter, based on SecurityFocus

Can your security infrastructure protect you if you left your key under the rug?

As a modern IT professional, you've done it all: you've protected your network with firewalls and/or proxies, installed antivirus software on all computers, and protected your mobile workstations with personal firewalls. It would seem that everything was done according to the instructions, everything is correctly configured. But even with all this, are the systems really secure? Can your multiple defense systems withstand modern intrusion methods?

This article provides a brief overview of current backdoor technologies, discusses how they can be used to bypass the security infrastructure that exists in most networks, and offers food for thought to people who rely on these technologies to protect their systems and networks.

Foundation - firewall

Before discussing modern backdoor technologies, it is necessary to look first at the obstacles an attacker must pass through. A firewall is an integral part of a comprehensive security framework for your network. But if too much reliance is placed on firewalls, they can also become the weakest link in your defense strategy.

There are different varieties/combinations of "standard" firewalls to choose from depending on your circumstances:

Packet-filtering firewall - a firewall that is a router or a computer running software configured to filter certain kinds of incoming and outgoing packets. Packet filtering is based on the information contained in the TCP and IP packet headers (source and destination addresses, their port numbers, etc.)

  • Works at level 3
  • Also known as port-based firewalls
  • Each packet is compared against lists of rules (source/destination address, source/destination port)
  • Inexpensive, fast, but least secure
  • Technology that is 20 years old
  • Breaks more complex applications (like FTP)
  • Example: router access control lists (ACLs)

Circuit-level gateway (session layer) - a firewall that excludes direct interaction between an authorized client and an external host. It first receives a trusted client's request for certain services and, after verifying the validity of the requested session, establishes a connection to the external host. The gateway then simply copies packets in both directions without filtering them.

  • Works on level 4
  • Forwards TCP connections based on port
  • Inexpensive but more secure than a packet filter
  • Generally requires user action or a configuration program for full operation
  • Example: SOCKS firewall

Application-level gateway - a firewall that excludes direct communication between an authorized client and an external host by filtering all incoming and outgoing packets at the application layer of the OSI model. Application-specific proxies route the information generated by specific TCP/IP services through the gateway.

  • Works at level 5
  • Application specific
  • Moderately expensive and slow, but more secure and allows logging of user activity
  • Requires user input or a configuration program to fully function
  • Example: Web (http) proxy

Stateful inspection firewall - an expert-level firewall that inspects the contents of received packets at three levels of the OSI model: network, session and application. For this it uses special packet-filtering algorithms that compare each packet against a known pattern of authorized packets.

  • Level 3 filtering
  • Level 4 validation
  • Level 5 inspection
  • High levels of cost, protection and complexity
  • Example: CheckPoint Firewall-1

Some modern firewalls use a combination of the above methods and provide additional ways to protect both networks and systems:

"Personal"/host firewalls

This class of firewalls extends protection further by controlling which system functions or processes may access network resources. These firewalls can use different types of signatures and conditions to allow or reject traffic. Some common functions of personal firewalls:

  • Protocol driver blocking - do not allow "non-standard" protocol drivers to be loaded and used by programs
  • Application-level blocking - allow only certain applications or libraries to perform network actions or accept incoming connections
  • Signature-based blocking - continuously monitor network traffic and block traffic that matches known attack signatures

The added control increases the complexity of security management, because of the potentially large number of systems that a personal firewall has to protect. A poorly configured personal firewall also adds risk of its own.

Dynamic firewalls

Dynamic firewalls combine the standard firewalls (listed above) and intrusion detection techniques to provide on-the-fly blocking of network connections that match a particular signature, while allowing connections from other sources to the same port. For example, you can block the activity of network worms without disrupting normal traffic.

Fundamentals of Backdoor Technologies

What is a backdoor? A backdoor is "a mechanism surreptitiously inserted into a computer system to facilitate unauthorized access to the system", and backdoors can be classified into (at least) three categories:

Active

Active backdoors create connections to one or more remote computers. These can be permanent network connections (for example, tunnels) between computers, or the backdoor can actively monitor the compromised system, collect information, send it out in separate "portions" and receive acknowledgements and/or commands from the remote systems.

Passive

Passive backdoors listen on one or more ports for incoming connections from one or more remote computers. Similar to active backdoors, these programs can be used to establish a tunnel into a compromised network, or to accept commands and return the required information.

Attack-based

Typically these backdoors are the result of a buffer overflow in a poorly written program that yields some level of access (e.g. root/administrator or an ordinary user account).

The three types of backdoor share one feature: they all work by bypassing the complex, "layered" defence infrastructure that you painstakingly designed. A real hacker (i.e. not a half-educated teenager and not a user of ready-made scripts) can quickly determine whether your system is worth a frontal attack. Standard methods can be used relatively easily to discover the types and configurations of the equipment protecting your network perimeter, and some of these tools can even reveal active IDSs. Most networks are fairly well protected around the perimeter, so backdoors are the main method of infiltrating a network, for several reasons:

They will not be detected immediately, even by properly configured firewalls, NIDS and HIDS.

A frontal attack will (or at least should) make a lot of noise: every defence system will simply howl with alarms. And if you did not order a penetration test, that means you are being attacked.

Some security systems will immediately block the scanner's IP address. But even if this is not the case, by avoiding a frontal attack the hacker removes the primary cause of the alarm and is able to work freely and without interference.

They rely on specialized attack methods.

Which is harder: building the exact SYN-Frag attack needed to trigger a buffer overflow in CheckPoint firewalls (a possibility that has been discovered twice in the last 4 years) or persuading a user to open an attached file?

A frontal attack requires 4-6 specialized hacking techniques, with no guarantee that one of them will not freeze or reboot the system and render the whole attempt useless. It is difficult, as it requires certain knowledge and skills. Instead, you can hint to the user that he has received an extremely important or interesting e-mail message: a new job with an astronomical salary, an astrological forecast or nude photos of Anna Kournikova...

They exploit vulnerabilities in internal network programs.

How many Windows or *nix computers are on your network? How many users use each of these systems? How many routers, firewalls and IDSs do you have? Most likely a lot. In most organizations it is much easier for a hacker to find an unpatched Windows or *nix system inside than to find a vulnerability in a well-secured perimeter.

Insider use

Although this article considers backdoors in the context of intrusion attempts by external attackers, they are not limited to this narrow area of practice. Backdoors can be used by employees, customers or contractors to give themselves undetected remote access to your network.

Regardless of the type of backdoor, there are two primary ways to introduce them into your network. Method one: users inadvertently download and execute a program on their system. Extremely common examples are e-mail attachments that exploit an unpatched vulnerability on the client system, a web page that contains an unexpected hidden payload, and "spyware" programs. Unfortunately these methods are all too common and can lead to a serious loss of privacy and confidentiality. Spyware installs the programs it needs and sets registry keys, which lets it trace every move the user makes on the network. This tracking is not limited to Internet sites, so it can easily map all the important places on the company's internal network.

Even without downloading a "spyware" backdoor, the user may still be exposed to more legitimate forms of backdoor. The RealNetworks player stays in constant contact with its home network, and it is almost impossible to deactivate this without reinstalling it. Windows users likewise open outbound connections they do not control when they use Automatic Updates or synchronize time with Microsoft servers.

The second method is for the backdoor to live in your network from the start. A trivial example: installing a program that contains a backdoor created by the programmer himself. Such backdoors can be malicious, but they are usually written to bypass standard software development processes and save time. This may be the oldest kind of backdoor, originally used to bypass telnet/rlogin restrictions. Installation is fairly simple: the user installs a program that does not require elevated privileges to run; the program then runs and waits for connections on a port that is not blocked by the access control devices. This remote access can be to a multi-user system or to a workstation. Initially targeted at Unix, these programs have become quite common and can be quite difficult to find.

This type of backdoor is more easily understood with a specific example:

Program:

exploits/bindshell

Passive

This program is easily modified to run on any specific port (TCP 1234, for example) and does not support a password, so anyone can connect. To connect, the remote user simply opens a telnet session to the host on that port:

telnet some.insecure.host.org 1234

There are several techniques for detecting this program, none of which gives a simple or direct answer. In all cases, knowledge of the normal state of the OS is necessary.

  • 'netstat -a' - a program that ships with the UNIX operating system and is used to view the status of network connections. It can show ports that are not in their normal state (here, an unexpected listener on TCP 1234).
  • 'nmap' or 'strobe' - port scanners that can be used to identify active and listening ports from outside. Again, knowing the normal state helps.
  • 'lsof -i' - a program that lists open files, including network sockets, and the processes holding them. Look for unusual applications, launched by a user, that hold network ports.

Program:

exploits/sneakin

Active

This program requires elevated privileges and basically waits for two specially crafted ICMP packets in order to create something very similar to a reverse telnet session with the remote system. Sneakin requires Linux and netcat.

The "listening" mode is just as hard to detect as in the example above. An external port scanner will not work, because the program receives ICMP packets through a raw socket that the operating system kernel already permits; no TCP or UDP port is opened. lsof will show a process accessing the network adapter in promiscuous mode; in general, lsof may be the best tool for discovering a NIC in this mode. netstat also gives a clue to this particular backdoor, since it will show two ICMP sockets using the raw protocol. When sneakin switches to the active state, lsof and netstat will show additional processes using network ports.

Program:

/bugtraq/1999-q4/

Attack-based

GIFtpD is one of the standard examples of an attack-based backdoor. The attacker takes advantage of several poorly configured features of the FTP server, which allow them to upload and execute backdoor code, in this case bindshell.

Sneakin and bindshell are classic tools used against a weak firewall policy. Many sites deploy a very strong policy that prevents direct access to listening ports; without direct access, most backdoors cannot work. However, even the strongest policy can easily be defeated by active backdoors using the "tunneling" technique. A tunnel, in the context of a backdoor, is best described as a program that resides inside a secure part of a network and establishes a connection to an external host, resulting in bidirectional traffic flowing between those systems and/or networks. This is a serious threat to even the most modern security architecture. A popular example of such a connection is an encrypted network connection between two computers created with VPN software.

A properly configured VPN tunnel provides full and unrestricted access to the networks for which the two computers act as gateways. When legitimate remote access is provided for employees and business partners, a VPN can increase productivity, save time and reduce costs. When used for illegitimate purposes, it will only have the opposite effect.

VPN technology is still fairly new and requires more than casual familiarity with setup and support when used legitimately, and even more so when used as a backdoor tool. It is not necessary to use a VPN for the tunnel. Taking a step back, two computers can be connected using the more traditional and widely known secure shell software. Secure shell, or SSH as it is most often called, can establish a tunnel between two computers that maps a port on the client (outside the firewall) to a port on the server (behind the firewall). For example, client port 2200 can be mapped to port 23 on the server. The user goes to the client (outside the firewall), telnets to localhost on port 2200 and reaches port 23 on the remote computer (behind the firewall). A weak policy allows the connection to be initiated by the computer behind the firewall (the inside host opens the SSH session outward and asks the far end to forward its port 2200 back through the tunnel to port 23 on the inside), so the firewall sees nothing but an outbound SSH connection. This is a simple and popular trick.

It is just as easy to reach the organization's internal web sites. The user simply installs a proxy agent, for example the "squid" web proxy or an Apache httpd daemon compiled with proxy support, on some internal system. The software's default configuration will do. The user then uses an SSH port forward to connect client port 3128 to the server's port 3128. The client, again outside the firewall, now has proxy access to the organization's internal web servers through proxy port 3128.

This example can be extended so that more than one external computer can access the internal web sites: adding a simple port-forwarding system makes the tunneled proxy connection (on port 3128) available to all users on the remote network.

Normal methods cannot identify the existence of this type of tunnel. Depending on the platform you use, you can monitor network usage and look for consistent or persistent processes with established network connections to the outside. At the host level, identifying the backdoor this way requires creating and maintaining a baseline of the normal network state (possibly using the software tools mentioned earlier). It is also possible to poll the edge firewalls and watch their connection state tables for long-lived established connections.
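To make the host-level hunting described above concrete, both for bindshell (netstat/lsof output compared with a known-good baseline) and for tunnels (connections to the outside that stay established for a long time), here is an added example that is not part of the original article. It parses Linux netstat -anp output, flags listeners that are not in a baseline recorded when the host was built, and reports external connections that remain ESTABLISHED across consecutive snapshots taken a few minutes apart. The snapshots, the baseline and the internal address ranges are constructed for the example.

```python
"""Baseline-based hunting for bind shells and long-lived outbound tunnels.

Added example: parses Linux `netstat -anp` output (constructed below, not a real capture).
"""
import ipaddress

# Assumption: these are the organization's internal ranges; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the "normal state" of the host, recorded when it was built.
BASELINE_LISTENERS = {("tcp", 22), ("tcp", 25), ("udp", 123)}


def parse_netstat(text):
    """Parses `netstat -anp` lines into dicts; header and non-socket lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith(("tcp", "udp")):
            continue
        rest = f[5:]                       # [state] [pid/program | -]
        state = rest.pop(0) if rest and "/" not in rest[0] and rest[0] != "-" else None
        pid, prog = rest[0].split("/", 1) if rest and "/" in rest[0] else (None, None)
        laddr, lport = f[3].rsplit(":", 1)
        raddr, rport = f[4].rsplit(":", 1)
        conns.append({
            "proto": f[0].rstrip("6"), "laddr": laddr, "lport": int(lport) if lport.isdigit() else None,
            "raddr": raddr, "rport": int(rport) if rport.isdigit() else None,
            "state": state, "pid": pid, "prog": prog,
        })
    return conns


def unexpected_listeners(conns, baseline=BASELINE_LISTENERS):
    """Listening sockets (TCP LISTEN, or UDP with no peer) that the baseline does not know about."""
    out = []
    for c in conns:
        listening = c["state"] == "LISTEN" or (c["proto"] == "udp" and c["rport"] is None)
        if listening and (c["proto"], c["lport"]) not in baseline:
            out.append(c)
    return out


def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                     # "*", "::" and similar placeholders
        return False
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)


def persistent_outbound(snapshots, min_seen=3):
    """ESTABLISHED connections to external hosts present in `min_seen` consecutive snapshots.

    Polling netstat every few minutes and diffing is how a reverse SSH tunnel or VPN
    backdoor shows up: the same process keeps the same outbound connection for hours.
    """
    streak = {}
    for snap in snapshots:
        present = set()
        for c in parse_netstat(snap):
            if c["state"] == "ESTABLISHED" and is_external(c["raddr"]):
                key = (c["laddr"], c["lport"], c["raddr"], c["rport"], c["prog"])
                present.add(key)
                streak[key] = streak.get(key, 0) + 1
        for key in streak:
            if key not in present:
                streak[key] = 0            # a gap restarts the count
    return sorted(k for k, n in streak.items() if n >= min_seen)


# Constructed snapshots, five minutes apart: TCP 1234 is a bindshell, pid 4201 is a reverse
# SSH tunnel to an external host, and the browser connection is short-lived noise.
_HEADER = ("Active Internet connections (servers and established)\n"
           "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name\n")
_SSHD = "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd\n"
_BIND = "tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      4123/bindshell\n"
_TUNNEL = "tcp        0      0 10.1.2.3:44812          203.0.113.9:22          ESTABLISHED 4201/ssh\n"
_BROWSER = "tcp        0      0 10.1.2.3:51020          198.51.100.7:443        ESTABLISHED 3311/firefox\n"
_NTP = "udp        0      0 0.0.0.0:123             0.0.0.0:*                           1012/ntpd\n"
SNAPSHOTS = [
    _HEADER + _SSHD + _BIND + _TUNNEL + _BROWSER + _NTP,
    _HEADER + _SSHD + _BIND + _TUNNEL + _NTP,
    _HEADER + _SSHD + _BIND + _TUNNEL + _NTP,
]

if __name__ == "__main__":
    for c in unexpected_listeners(parse_netstat(SNAPSHOTS[0])):
        print("unexpected listener: %s/%s pid=%s prog=%s" % (c["proto"], c["lport"], c["pid"], c["prog"]))
    for key in persistent_outbound(SNAPSHOTS):
        print("persistent outbound connection:", key)
```

The baseline is the whole point: without it, TCP 1234 is just another socket, and the ssh process to 203.0.113.9 is just another connection. The same diffing can be fed from the edge firewall's connection table instead of netstat, which catches tunnels on hosts where you cannot run anything.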

Available protection

There is no simple way to protect a network completely against backdoors. Network IDS and host IDS are difficult to configure, deploy and use effectively, especially in large organizations. Without purpose-built programs that monitor systems and networks for the presence of backdoors, the only defence against these methods is a change of mindset. Security leaders who think they can simply hide their networks behind firewalls, sit back and stubbornly say "no one can get in, I've closed all the doors" need to change their minds. Good protection against backdoors must begin with a change in the philosophy of network access. The starting point is a strong Internet access policy and technologies that restrict access through a well-configured firewall.

At the network level, preventing backdoors means making it very hard for them to establish connections outside your infrastructure. One approach is a session-layer gateway (i.e. SOCKS/port redirection) to stop a backdoor from using arbitrary TCP ports. While this limits the external resources applications can reach, it can also create additional administrative work and may not work with some applications. With today's SOCKS gateways, administration can be a global policy with little impact on operations and almost none on applications.

An alternative is a highly restrictive access policy, which allows very few direct external connections, combined with Web and application-specific proxies that require authentication before access is granted. The goal is similar to port redirection: to stop uncontrolled access to external computers. While the most traditional forms of protection suggest closing all doors and windows, a modern business must have access to external resources in order to function. Unfortunately, almost any external access mechanism can potentially be used to carry a backdoor tunnel. A proxy-based network architecture gives you fine-grained control over what is allowed out of your network, since applications must "speak the correct language" to gain access. Tunnels can still be established through proxies (especially over SSL connections), but they are much harder to configure and deploy correctly.

Even though these methods take considerable time and resources to deploy, designing a network access architecture that makes it easier for users to do their job and harder for a backdoor to do its job is not a trivial task. Your goal should be an infrastructure that ties network connections to users as tightly as possible.

Google vs Firewalls

As reported in PCWeek/RE 21, 2001, because of a temporary firewall shutdown at South Atlanta Polytechnic University, the Google search engine indexed the university's intranet and gained access to student records such as home addresses, social security numbers, etc.

A common misunderstanding is that a firewall recognizes attacks and blocks them. It does not. A firewall is a device that first denies everything and then allows only "good" things. That is, when installing a firewall, the first thing to do is to prohibit all connections between the protected and the open network. The administrator then adds specific rules that allow particular traffic to pass. A typical configuration denies all incoming ICMP traffic and allows only outgoing traffic plus some incoming UDP and TCP traffic (e.g. HTTP, DNS, SMTP). This lets employees of the protected organization work with the Internet and prevents intruders from reaching internal resources. However, it should not be forgotten that firewalls are simply rule-based systems that allow or deny the traffic passing through them. Even a firewall that uses "stateful inspection" technology cannot say for sure whether the traffic contains an attack or not; it can only notify you when the traffic matches a rule.

There is a good analogy with the physical world: a firewall is just a fence around your network, and it cannot detect when someone is digging under it; it merely restricts access to certain points behind the fence. So as not to be unfounded, here are a few examples of situations in which a firewall will not save you from intruders [Lukatsky1-01].

Attacks through tunnels in the firewall

Tunneling is a method of encapsulating (masking) messages of one type (which would be blocked by the firewall's filters) inside messages of another type. Attacks through "tunnels" arise because many network protocols have the properties needed for this. The firewall filters network traffic and decides whether to allow or block packets based on information about the network protocol in use. Typically the rules check whether or not a particular protocol is in use: for example, if ports 25 and 80 are allowed on the firewall, then mail (SMTP) and web (HTTP) traffic is allowed into the internal network. It is exactly this principle that skilled attackers exploit. All unauthorized activity is carried out within the allowed protocol, thereby creating a tunnel through which the attacker carries out the attack. For example, this flaw in firewalls is used by the LOKI attack, which tunnels commands inside ICMP Echo Request packets and their output inside ICMP Echo Reply packets, which noticeably changes the size of the data field compared to a standard ping.

To a firewall, and to any other traditional network security tool, these steps look quite ordinary. For example, this is how the transmission of a password file through the ICMP "tunnel" appears in the tcpdump protocol analyzer.
Another example of tunneling attacks is application-layer attacks, which exploit vulnerabilities in applications by sending packets that belong to those very applications' protocols.

Fig. 1.3. Attack through tunnels in the firewall
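The detection side of sneakin and LOKI, as an added example that is not part of the article: parse IPv4/ICMP echo packets, verify the ICMP checksum, and flag echoes whose payload is oversized, does not match the fixed pattern normal ping tools send, or, for replies, differs from the request data (RFC 792 requires a reply to return the request's data unchanged, which a command-and-output channel cannot do). The packets are constructed inside the block, and both the size limit and the expected ping payload pattern are assumptions documented in the code.

```python
"""Spotting ICMP echo covert channels (sneakin / LOKI style) in captured packets.

Added example; the packets are built in sample_capture(), not taken from a real capture.
"""
import struct

MAX_ECHO_PAYLOAD = 64                                    # assumption: nobody here pings with more data
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"    # payload sent by the Windows ping tool


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(src, dst, icmp_type, ident, seq, payload):
    """Constructs an IPv4 + ICMP echo packet (IP header checksum left zero; not needed here)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def parse_echo(pkt):
    """Returns the echo request/reply fields of an IPv4 packet, or None for anything else."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    t, _code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if t not in (0, 8):
        return None
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "type": t, "id": ident, "seq": seq, "payload": icmp[8:],
            "checksum_ok": icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == csum}


def looks_like_standard_ping(payload):
    """True for the fixed payloads of common ping tools. Assumption: iputils sends an 8-byte
    timestamp followed by bytes counting up from 0x10, as seen in typical captures."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) >= 8 and payload[8:] == bytes((k + 8) & 0xFF for k in range(8, len(payload)))


def analyze(packets):
    """Returns (reason, (src, dst, id, seq)) alerts for echoes that do not behave like ping."""
    alerts, requests = [], {}
    for pkt in packets:
        p = parse_echo(pkt)
        if p is None:
            continue
        who = (p["src"], p["dst"], p["id"], p["seq"])
        if not p["checksum_ok"]:
            alerts.append(("bad ICMP checksum", who))
        if len(p["payload"]) > MAX_ECHO_PAYLOAD:
            alerts.append(("oversized payload %d bytes" % len(p["payload"]), who))
        if p["type"] == 8:
            if not looks_like_standard_ping(p["payload"]):
                alerts.append(("non-standard request payload", who))
            requests[who] = p["payload"]
        else:
            # RFC 792: an echo reply returns the request's data unchanged; LOKI replies carry output
            req = requests.get((p["dst"], p["src"], p["id"], p["seq"]))
            if req is not None and req != p["payload"]:
                alerts.append(("reply does not echo request data", who))
    return alerts


def sample_capture():
    """Constructed traffic: one normal Linux-style ping exchange, then a LOKI-style command/answer."""
    normal = b"\x00" * 8 + bytes(range(0x10, 0x40))            # 56-byte iputils-style payload
    loki_req = b"cat /etc/passwd\n".ljust(56, b"\x00")         # command hidden in a "ping"
    loki_rep = b"root:x:0:0:root:/root:/bin/bash\n" * 4        # 128 bytes of file content
    return [
        build_echo("10.1.2.3", "203.0.113.9", 8, 0x0A0B, 1, normal),
        build_echo("203.0.113.9", "10.1.2.3", 0, 0x0A0B, 1, normal),
        build_echo("10.1.2.3", "203.0.113.9", 8, 0x0A0B, 2, loki_req),
        build_echo("203.0.113.9", "10.1.2.3", 0, 0x0A0B, 2, loki_rep),
    ]


if __name__ == "__main__":
    for reason, who in analyze(sample_capture()):
        print("%-32s %s -> %s id=%#x seq=%d" % ((reason,) + who))
```

The request/reply comparison is the check that survives a careful attacker: payload size and pattern can be imitated, but a reply that carries different data than its request is not an echo, whatever the firewall rule for ICMP says.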

The simplest example of such tunnels is Internet worms and macro viruses that enter the corporate network as attachments to e-mail messages. If the firewall allows SMTP traffic (the author has yet to see a firewall that does not), then a "virus infection" can reach the internal network too. Let us take a more complex example. A web server running Microsoft software (Internet Information Server) is protected by a firewall that allows only port 80. At first glance, effective protection is provided. But only at first glance. If IIS version 3.0 is used, then the address http://www.domain.ru/default.asp. (with a period at the end) lets an attacker read the contents of the .asp file, which may contain sensitive data (for example, a database password). And even if you have installed the latest version, IIS 5.0.

Moreover, a large number of rules reduces the firewall's performance and, as a result, the throughput of the communication channels that pass through it.

Firewall bypass attacks

The words of a song from the children's film "Aibolit-66", "normal heroes always go around", perfectly illustrate the next problem inherent in firewalls. Why try to reach protected resources through the security tools when you can try to go around them?

Example from a related field

On February 21, 1990, budget analyst Mary Pirham came to work. However, she could not get into her workplace even after dialing the four-digit code and speaking the code word to the security system. Still wanting to get in, Mary opened the back door with a plastic fork and a pocket screwdriver. The state-of-the-art security system that Mary Pirham bypassed was advertised as "fail-safe and reliable" and cost $44,000 [Wakka1-97].

With firewalls it is the same, except that a modem can play the role of the back door. Do you know how many modems are installed on your network and what they are used for? Do not answer yes immediately; think. In a survey of one network, the security and automation managers swore up and down that they knew every single modem installed on their network. By running the Internet Scanner security analysis system we did indeed find the modems they had listed, used to update the databases of the accounting and legal systems. However, two unknown modems were also found. One was used by a member of the analytics department to reach work directories from home. The second modem was used to access the Internet, bypassing the firewall.

Another example relates to the possibility of bypassing the firewall altogether. Threats do not always come from outside the firewall, from the Internet. As statistics show, a large share of losses is connected precisely with security incidents caused by internal users, from the inside. It must be made clear that the firewall only inspects traffic at the boundary between the internal network and the Internet. If the traffic exploiting the security holes never passes through the firewall, the firewall finds no problem.


Although each organization will set its own requirements and priorities among the three selection criteria, it is possible to clearly state 10 must-have features for a next-generation firewall:

  1. Identification and control of applications and their sub-functions
  2. Managing unknown traffic
  3. Scanning for viruses and malware in all applications, on all ports
  4. Ensuring the same level of application visibility and control for all users and devices
  5. Simplifying, not complicating, network security when application control is added
  6. Delivering the same throughput and performance with application control fully enabled
  7. Supporting exactly the same firewall features in both hardware and virtual form factors

2. Your next-generation firewall must identify and control the tools that are used to bypass security controls.

Screenshot: TCP-over-DNS tunnel network traffic. Encrypted data is transmitted in the Text field. A normal firewall sees this traffic as DNS queries.
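As an added example (not from the original article), the kind of check that tells the DNS tunnel in the screenshot apart from ordinary resolution: a TCP-over-DNS client has to push its data through the query names, so per client and zone the labels become long, high-entropy and never repeated, and the record types lean towards TXT/NULL. The log format, client addresses, zone names and thresholds are constructed for the example; in production the registered domain should come from a public-suffix list rather than from the last two labels.

```python
"""Flagging DNS tunnels (TCP-over-DNS, iodine, dnscat style) from resolver query logs.

Added example; the log lines are constructed by constructed_log(), not taken from a resolver.
Line format assumed: "<epoch> <client-ip> <qname> <qtype>".
"""
import base64
import hashlib
import math
from collections import defaultdict

MIN_QUERIES = 20      # assumption: ignore (client, zone) pairs with fewer queries than this


def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def zone_of(qname):
    """Registered domain approximated by the last two labels (assumption; use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile(lines):
    """Accumulates per (client, zone) features from query log lines."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "label_len": 0, "entropy": 0.0, "txt": 0})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        first_label = qname.split(".")[0]
        s = stats[(client, zone_of(qname))]
        s["n"] += 1
        s["names"].add(qname)
        s["label_len"] += len(first_label)
        s["entropy"] += entropy(first_label)
        s["txt"] += qtype in ("TXT", "NULL", "CNAME")   # record types that carry bulk data downstream
    return stats


def tunnel_suspects(lines, min_queries=MIN_QUERIES):
    """Returns (client, zone, score) for pairs that look like a tunnel; score counts the tripped tests."""
    out = []
    for (client, zone), s in profile(lines).items():
        if s["n"] < min_queries:
            continue
        avg_len = s["label_len"] / s["n"]
        avg_ent = s["entropy"] / s["n"]
        uniq = len(s["names"]) / s["n"]          # tunnels never repeat a name (caching would break them)
        txt = s["txt"] / s["n"]
        score = (avg_len > 30) + (avg_ent > 3.5) + (uniq > 0.9) + (txt > 0.5)
        if score >= 3:
            out.append((client, zone, score))
    return out


def constructed_log():
    """Sample input: a normal client, and a tunnel client pushing base32-encoded chunks as labels."""
    normal = ["www.example.com A", "mail.example.com MX", "cdn.example.net A", "www.example.com AAAA"]
    lines = ["%d 10.1.2.3 %s" % (1647000000 + i * 5, normal[i % len(normal)]) for i in range(12)]
    for i in range(40):
        chunk = base64.b32encode(hashlib.sha256(b"chunk%d" % i).digest()).decode().rstrip("=").lower()
        lines.append("%d 10.1.2.4 %s.t.tunnel-host.net TXT" % (1647000000 + i, chunk))
    return lines


if __name__ == "__main__":
    for client, zone, score in tunnel_suspects(constructed_log()):
        print("possible DNS tunnel: client %s zone %s (score %d/4)" % (client, zone, score))
```

The scoring is deliberately a vote of several weak features: a single long label or a burst of TXT queries is normal for some CDN and anti-spam lookups, but a client that keeps all four features tripped over dozens of queries to one zone is almost always moving data.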

Real example. Today programmers deliberately write applications to bypass firewalls. They need this for the so-called user experience.


Programmers want you to be comfortable, so that you install Skype and it immediately "lights up green". You will enjoy not having to persuade the administrator to write firewall rules, because these applications find and use ports that are already open for other applications. Such ports are often 80, 53, 123, 25 and 110. Or the program simply takes the proxy server settings from the browser.
Modern defences are not perfect; they are also written by programmers. Twenty years ago, when the Internet was created, it was agreed that ports would identify applications: 80 for HTTP, 25 for SMTP, 21 for FTP and so on. The situation has changed: any application can run inside these ports. Have the defences changed? Can they tell that the application currently running on the standard HTTP port (80) is something other than HTTP?


Bypass firewall rules by non-standard use of standard ports.


Your network now contains enough applications that can be used to deliberately bypass the security policies protecting your organization. How do you control them?
Security bypass tools fall into two classes: applications originally designed to bypass security (for example, external proxies and encrypted tunnel applications other than VPNs), and applications that can be adapted to this task (for example, remote server/desktop management tools).
  • External proxies and encrypted (non-VPN) tunnel applications, equipped with a range of cloaking techniques, are used specifically to bypass security measures. Because these applications are built from the ground up to bypass security, and therefore introduce business and security risk, they have no business value on your network.
  • Remote server/desktop management tools such as RDP and TeamViewer are commonly used by help desk staff and IT professionals to improve efficiency. They are also often used by employees to connect to home and other computers outside the corporate network, bypassing the firewall. Attackers are well aware of these applications, and the Verizon Data Breach Investigations Report (DBIR) has reported that such remote access tools were used in one or more stages of network attacks. They still are.

Do these standard applications carry any risk on the network? After all, both remote access applications and many encrypted tunnel applications are used by administrators and employees. However, the same tools are increasingly used by attackers at various stages of their multi-step attacks; an example of such a tool in 2017 is Cobalt Strike. If organizations cannot control the use of these circumvention tools, they will not be able to enforce their security policies and will expose themselves to all the risks those controls are designed to protect against.

Requirements. There are different types of bypass applications, and the techniques each type uses vary slightly. There are public and private external proxies that can use both HTTP and HTTPS. For example, a large database of public proxies is available at proxy.org (banned in the Russian Federation, and it should be banned on your corporate network too). Private proxies are often set up on unclassified IP addresses (for example, home computers) with applications such as PHProxy or CGIProxy. Remote access applications such as RDP, TeamViewer or GoToMyPC have legitimate uses, but because of the additional risk they introduce they must be strictly controlled. Most other bypass applications (e.g. Ultrasurf, Tor, Hamachi) have no business value on your network. Whatever your security policy says, your next-generation firewall should have specific techniques to identify and control all of the listed applications without relying on a particular port, protocol, encryption method or other circumvention tactic.
One more important point: applications that bypass security are updated regularly, making them ever harder to detect and control. It is therefore very important to know how often the application control features of your firewall are updated and maintained.

Real example. Are standard protocols used on non-standard ports on your network? Can an administrator move RDP from the default port 3389 to another port? Yes. Can HTTP run on a port other than 80? Not only can it, it does. Can an FTP server on the Internet work on a port other than 21? Yes, a great many do. Do your security tools see this? If not, it is a standard move for an employee or a hacker to evade policy checks. Just move FTP to port 25 and your security tool decides it is SMTP. Do your IPS or antivirus signatures only work on port 80 or 110 (POP3)? The attacker will move the traffic to any other port, for example 10000.
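What the paragraph asks your security tools to do, as an added example (not from the original article): identify the application from the first bytes of a TCP exchange rather than from the port, then compare with what the port implies. The flows are constructed; the banner and handshake heuristics cover HTTP, a TLS ClientHello, SSH, SMTP, FTP, POP3 and an RDP (TPKT/X.224) connection request, which is what port-independent identification boils down to for these protocols.

```python
"""Port-independent application identification from the first bytes of a TCP exchange.

Added example; the flows in SAMPLE_FLOWS are constructed, not captured.
"""
import re

# What the destination port "says" (the 20-year-old convention the article describes).
EXPECTED = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 443: "tls", 3389: "rdp"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")


def identify(c2s, s2c):
    """Classifies a flow from the first client->server (c2s) and server->client (s2c) bytes."""
    if c2s.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST.match(c2s):
        return "http"
    if len(c2s) >= 6 and c2s[0] == 0x16 and c2s[1] == 0x03 and c2s[5] == 0x01:
        return "tls"                       # TLS handshake record carrying a ClientHello
    if len(c2s) >= 6 and c2s[:2] == b"\x03\x00" and c2s[5] == 0xE0:
        return "rdp"                       # TPKT header + X.224 Connection Request
    banner = s2c.split(b"\r\n")[0].upper()
    if re.match(rb"^(EHLO|HELO) ", c2s) or (banner.startswith(b"220") and b"SMTP" in banner):
        return "smtp"
    if banner.startswith(b"220") and re.match(rb"^(USER|PASS|AUTH) ", c2s):
        return "ftp"                       # FTP and SMTP share the 220 greeting; the dialogue tells them apart
    if banner.startswith(b"+OK"):
        return "pop3"
    return "unknown"


def audit(flows):
    """Reports flows whose identified application disagrees with the destination port."""
    findings = []
    for f in flows:
        app = identify(f["c2s"], f["s2c"])
        expected = EXPECTED.get(f["dport"])
        if expected is None and app != "unknown":
            findings.append((f["dst"], f["dport"], app, "known application on an unregistered port"))
        elif expected is not None and app != expected:
            findings.append((f["dst"], f["dport"], app, "port implies %s" % expected))
    return findings


SAMPLE_FLOWS = [   # constructed: legitimate web, mail and TLS traffic plus the three evasions from the text
    {"dst": "198.51.100.10", "dport": 80,
     "c2s": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "s2c": b"HTTP/1.1 200 OK\r\n"},
    {"dst": "198.51.100.13", "dport": 25,
     "c2s": b"EHLO mail.example.com\r\n", "s2c": b"220 mx.example.net ESMTP Postfix\r\n"},
    {"dst": "198.51.100.12", "dport": 443,
     "c2s": b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + b"\x00" * 32, "s2c": b""},
    {"dst": "198.51.100.11", "dport": 25,                      # FTP moved to the SMTP port
     "c2s": b"USER anonymous\r\n", "s2c": b"220 files.example.net FTP server ready\r\n"},
    {"dst": "203.0.113.5", "dport": 10000,                     # SSH on an arbitrary high port
     "c2s": b"SSH-2.0-OpenSSH_8.9\r\n", "s2c": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"dst": "203.0.113.6", "dport": 443,                       # RDP hidden behind the HTTPS port
     "c2s": b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00Cookie: mstshash=user\r\n", "s2c": b""},
]

if __name__ == "__main__":
    for dst, dport, app, why in audit(SAMPLE_FLOWS):
        print("%s:%d carries %s (%s)" % (dst, dport, app, why))
```

Two design points carry over to real deployments: the server's greeting is needed as well as the client's first bytes (FTP and SMTP both start with "220"), and a known protocol on an unregistered port is worth a finding in its own right, not only a mismatch on a registered one.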

4.13.2. Firewall bypass

A firewall cannot provide absolute security, because its operating algorithm is imperfect. Nothing in our world is perfect or absolutely reliable; otherwise life would be boring.

How does a firewall protect your computer or server? Everything is based on rules, against which the screen checks all traffic passing through the network interface and decides whether to let it through. But no filter short of an absolute ban can guarantee security, and there is no rule that cannot be bypassed.

It is very easy to mount a DoS attack against most firewalls. When we considered the technology of this attack (see sect. 1.1.6), we said that it is easily organized in two cases:

1. The power of your channel is greater than that of the enemy.

2. There is a task on the server that requires large computing resources, and the attacker can make it run.

A firewall is a complex software system that needs significant processing capacity to analyze all passing traffic, most of which is spent on packets with the SYN flag set, i.e. connection requests. The parameters of each such packet must be compared against all the configured rules.

At the same time, sending SYN packets needs neither large resources nor a fat pipe. A hacker can easily bombard an allowed port on the server with SYN packets whose sender address is randomly forged. The processor of the attacked machine may not cope with the large stream of requests that must be checked against the filters, and a queue forms that prevents connections from legitimate users from being processed.

The worst case is a firewall configured to send error messages. Then the processor load is increased further by creating and sending packets to addresses that do not exist or do not belong to the hacker.

If a client sends more data than fits in one packet, the information is split into several blocks. This process is called packet fragmentation. Most firewalls analyze only the first fragment of a session and treat all the rest as correct. The logic of such control is clear: if the first packet is correct, why check all of them and waste precious server resources? And if it is not, the rest are useless anyway, because the connection is not established and the integrity of the information is broken.

To get the hacker's data through the firewall, packets can be fragmented in a special way (for example, so that a later fragment overlaps and rewrites the header fields the firewall already checked). You can protect yourself from such an attack only if the firewall reassembles fragmented packets and inspects them as a whole. Most firewalls do not have this feature.
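A concrete instance of "fragmented in a special way", as an added example that is not from the original book: overlapping fragments. The filter below models the behaviour the text describes (only the first fragment of a datagram is judged, later fragments pass), a second offset-0 fragment rewrites the TCP destination port, and the receiving host's reassembly policy (first-wins or last-wins; real stacks have differed) decides which port the packet finally reaches. The fragments, the ports and the policy names are constructed for the example.

```python
"""Overlapping IP fragments against a firewall that judges only the first fragment.

Added example; the fragments and the filter model are constructed, not taken from a real product.
"""
import struct


def tcp_header(sport, dport, flags=0x02):
    """Constructed 20-byte TCP header (SYN by default); only the ports and flags matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def split_fragments(ident, payload, piece=8):
    """Splits a transport payload into IP-style fragments: offset in 8-byte units plus the MF flag."""
    frags = []
    for i in range(0, len(payload), piece):
        frags.append({"id": ident, "offset": i // 8, "mf": i + piece < len(payload),
                      "data": payload[i:i + piece]})
    return frags


def dport_of(datagram):
    return struct.unpack("!H", datagram[2:4])[0]


def first_fragment_filter(frags, allowed_ports):
    """Filter model from the text: the first fragment seen for an IP id decides; the rest pass unchecked."""
    verdict = {}
    for f in frags:
        if f["id"] not in verdict:
            dport = dport_of(f["data"]) if f["offset"] == 0 and len(f["data"]) >= 4 else None
            verdict[f["id"]] = dport in allowed_ports
    return verdict


def reassemble(frags, policy):
    """Rebuilds the datagram. On overlap, 'first' keeps the bytes that arrived first and 'last'
    lets later fragments overwrite; real IP stacks have used both policies (and mixtures)."""
    buf, filled = bytearray(), set()
    for f in frags:
        start = f["offset"] * 8
        if start + len(f["data"]) > len(buf):
            buf.extend(b"\x00" * (start + len(f["data"]) - len(buf)))
        for i, byte in enumerate(f["data"]):
            if policy == "last" or (start + i) not in filled:
                buf[start + i] = byte
            filled.add(start + i)
    return bytes(buf)


def reassembling_filter(frags, allowed_ports, policy):
    """The defence the text names: reassemble first, then judge the whole datagram."""
    return dport_of(reassemble(frags, policy)) in allowed_ports


def overlap_attack(ident=0x2222):
    """Constructed attack: a benign-looking SYN to port 80 in three fragments, then a second
    offset-0 fragment that carries port 23 instead."""
    frags = split_fragments(ident, tcp_header(40000, 80))
    frags.append({"id": ident, "offset": 0, "mf": True, "data": tcp_header(40000, 23)[:8]})
    return frags


if __name__ == "__main__":
    frags = overlap_attack()
    print("first-fragment filter verdict:", first_fragment_filter(frags, {80}))
    for policy in ("first", "last"):
        print("host reassembles with %s-wins policy: dport %d" % (policy, dport_of(reassemble(frags, policy))))
```

The lesson is in the last two lines of output: the filter accepted "port 80", but a host that lets later fragments win delivers the SYN to port 23. A firewall that reassembles before filtering must also reassemble with the same overlap policy as the hosts it protects, or drop overlapping fragments outright, which is what most modern stacks do.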

The firewall itself very often becomes the object of attack, and there is no guarantee the attempt will fail. If an attacker manages to take over the firewall, the network lies open, as in the palm of your hand. In that case only personal firewalls on each computer can save you from total defeat. In practice, the security policy of a personal computer is not so strict, but it may be quite sufficient to prevent the hacker from penetrating further into the network.

An attack on a firewall does not depend on its implementation. Errors occur both in Linux and in routers with filtering capabilities.

The main task a firewall solves is to forbid access to resources that are obviously closed. But there are open resources too. For example, if you want the web server to be accessible to Internet users, the firewall cannot protect against attacks through errors in the scripts on that web server.

Maximum security brings some inconvenience. As I said, it is best to forbid any connection attempts from outside: a connection may be established only on the initiative of a client on your network, never by a remote computer. In this case the hacker is kept out, but network users may also have problems, for example when trying to connect to an FTP server in active mode. We already know that this service uses two ports: ftp and ftp-data. The user connects to the server's ftp port, and when a file is requested the server itself initiates a connection back to the client, which the firewall will not allow. For FTP this problem was solved by adding passive mode, but in other programs (for example, chats) the issue remains open.

A hacker can establish a connection into the protected network through a tunnel on an open port and with a valid address within the network. You cannot get away from this, because at least something must be allowed.

In large companies there may be several servers on the same network. I have only seen at one water company, and in the movies, administrators managing each of them from several monitors and keyboards at once. In real life such specialists are too lazy, and monotonous work is tiring, so they sit at a single computer and use a remote connection to reach the servers.
