Wednesday, August 29, 2007

How Does Cyber Crime Work?

Unauthorised access would therefore mean any kind of access without the permission of either the rightful owner or the person in charge of a computer, computer system or computer network. Thus not only would accessing a server by cracking its password authentication system be unauthorised access, switching on a computer system without the permission of the person in charge of such a computer system would also be unauthorised access. Packet sniffing, tempest attack, password cracking and buffer overflow are common techniques used for unauthorised access.

Packet Sniffing

Packet sniffing is a technology used by crackers and forensics experts alike. To understand 'sniffing', one first needs to understand the basics of data transmission. It is a known fact that data travels over networks in the form of packets. These packets, also referred to as datagrams, are of various sizes depending on the network bandwidth as well as the amount of data (measured in bytes) being carried in the packet. Each packet has an identification label, also called a 'header'. The header carries information about the source, the destination, the protocol, the size of the packet, the total number of packets in the sequence and the unique number of this packet. The data carried by the packet is in an encrypted format, not so much for the sake of security as for the sake of convenience in transmitting the data. This cipher text (encrypted form) is also known as the hex of the data. When a person, say 'A', sends a file to 'B', the data in the file gets converted into hex and broken into many packets; finally headers are attached to all the packets and the data is ready for transmission.

When being transmitted, the packets travel through a number of layers (the Open Systems Interconnection (OSI) model). Amongst these layers, the network layer is responsible for preparing the packet for transmission. This is the level where most hackers and adversaries like to attack, knowing that the packets are usually not secured and are prone to spoofing and sniffing attacks.

Now when an adversary 'C' (a person trying to hack into a system), who is external to the whole process, wishes to intercept the transmission between 'A' and 'B', he would have to intercept the data packets and then translate them back from hex into the actual data. For doing this he would normally use a technology called "packet sniffing". With this technology he is able to intercept all or some of the packets leaving the victim (sender) computer. The same deception can also be practiced at the point of the intended recipient of the message, before it actually receives the packets.

To use the sniffing technology the adversary only needs to know the IP address, e.g. 202.13.174.171, of either of the parties involved in the communication. He would then instruct the sniffer to apply itself to the network layer of the victim IP address. From then on, all packets leaving that IP address will be 'sniffed' by the sniffer and the data being carried will be reported to the adversary in the form of logs. The sniffed data would still be in hex format; however, most sniffers nowadays provide the facility of converting the stolen hex into actual human-readable data, with varying degrees of success. The sniffer can also be instructed to report only certain types of data, for example passwords that are traveling through the network. The sniffer is the network-computing equivalent of the telephone 'tap', which does not disrupt the telephone connection but only listens in surreptitiously to the conversation being carried out, without anyone being the wiser. Similarly, the sniffer is invisible to anyone on either side of the network, since it does not steal data packets; it only screens them, copies the hex and then reformulates the hex into the original data for the adversary.
That is the reason the detection of most packet sniffers is next to impossible. Most firewalls that solely provide application-level security are unable to discover the presence of any sniffers on the external wall of the network. The sniffer attaches itself to the network devices, like the modem or the Network Interface Card (NIC), that the victim computer uses to send and receive data.

There are many commercially and conventionally available packet sniffers today, some of which can be freely downloaded from the Internet. Some of the more famous ones are ADMsniff-v08, AntiSniff-101, anti_sniff_researchv1-1-2, esniff, ethereal and Spynet. Given below is a log file created by a packet sniffer called Spynet. This freely downloadable sniffer, like most others, gives users the additional facility of converting the sniffed hex to data.
A Spynet log file:

No: 45 (Sequence number of the specific packet)
MAC source address: 12:54:35:700 (Address on the network card of the sender)
Protocol: HTTP (Hypertext Transfer Protocol)
Source IP address: 203.113.174.171 (Sender's IP address)
Destination IP address: 16.15.244.132 (Receiver's IP address)
Source port: 80 (Port number used for sending the data)
Destination port: 139 (Port number on the receiver's computer)
SEQ: 1312 (Total number of packets in the sequence)
ACK: 9918351 (Acknowledgement sent by TCP)
Packet size: 6950151 (Size of the data packet in bytes)

Packet data: (Hex) (Data)

0010: 1F B5 09 FB 00 00 00 00 01 00 6E 66 6F 72 6D 61
0020: 74 69 6F 6E 2E 20 0D 0D 50 72 6F 74 6F 63 6F 6C
0030: 73 20 6C 69 6B 65 3A 20 0D 0D 46 69 6C 65 20 54
0060: 72 61 6E 73 66 65 72 20 50 72 6F 74 6F 63 6F 6C
0070: 20 28 66 6F 72 20 75 70 6C 6F 61 64 69 6E 67 20
0080: 61 6E 64 20 64 6F 77 6E 6C 6F 61 64 69 6E 67 20
0090: 6F 66 20 69 6E 66 6F 72 6D 61 74 69 6F 6E 29 0D
00A0: 53 69 6D 70 6C 65 20 4D 61 69 6C 20 54 72 61 6E
00B0: 73 66 65 72 20 50 72 6F 74 6F 63 6F 6C 20 28 75
00C0: 73 65 64 20 66 6F 72 20 73 65 6E 64 69 6E 67 20
00D0: 2F 20 72 65 63 65 69 76 69 6E 67 20 65 6D 61 69
00E0: 6C 73 29 0D 54 65 6C 6E 65 74 20 50 72 6F 74 6F
00F0: 63 6F 6C 20 28 75 73 65 64 20 74 6F 20 63 6F 6E
0100: 6E 65 63 74 20 64 69 72 65 63 74 6C 79 20 74 6F
0110: 20 61 20 72 65 6D 6F 74 65 20 68 6F 73 74 29 0D
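The dump above, decoded, as an added example that is not part of the original post or of Spynet: a small Python routine that parses Spynet-style rows, turns the hex back into readable text, and flags where rows are missing from the capture (the offsets 0x0040 and 0x0050 are absent above, so the reconstructed text has a hole there).

```python
import re
# The Spynet hex dump from the post, embedded here as the sample input.
SPYNET_DUMP = """\
0010: 1F B5 09 FB 00 00 00 00 01 00 6E 66 6F 72 6D 61
0020: 74 69 6F 6E 2E 20 0D 0D 50 72 6F 74 6F 63 6F 6C
0030: 73 20 6C 69 6B 65 3A 20 0D 0D 46 69 6C 65 20 54
0060: 72 61 6E 73 66 65 72 20 50 72 6F 74 6F 63 6F 6C
0070: 20 28 66 6F 72 20 75 70 6C 6F 61 64 69 6E 67 20
0080: 61 6E 64 20 64 6F 77 6E 6C 6F 61 64 69 6E 67 20
0090: 6F 66 20 69 6E 66 6F 72 6D 61 74 69 6F 6E 29 0D
00A0: 53 69 6D 70 6C 65 20 4D 61 69 6C 20 54 72 61 6E
00B0: 73 66 65 72 20 50 72 6F 74 6F 63 6F 6C 20 28 75
00C0: 73 65 64 20 66 6F 72 20 73 65 6E 64 69 6E 67 20
00D0: 2F 20 72 65 63 65 69 76 69 6E 67 20 65 6D 61 69
00E0: 6C 73 29 0D 54 65 6C 6E 65 74 20 50 72 6F 74 6F
00F0: 63 6F 6C 20 28 75 73 65 64 20 74 6F 20 63 6F 6E
0100: 6E 65 63 74 20 64 69 72 65 63 74 6C 79 20 74 6F
0110: 20 61 20 72 65 6D 6F 74 65 20 68 6F 73 74 29 0D
"""

# One dump row: "0010: 1F B5 ... 61" -> (offset, raw bytes)
ROW = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_dump(text):
    """Return [(offset, bytes), ...] for every well-formed row; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return rows

def find_gaps(rows):
    """Pairs (expected, actual) where the log skips ahead; here 0x0040-0x005F are missing."""
    gaps, expected = [], None
    for offset, data in rows:
        if expected is not None and offset != expected:
            gaps.append((expected, offset))
        expected = offset + len(data)
    return gaps

def to_text(rows):
    """Render the payload as text, one '.' per byte that is not printable ASCII."""
    raw = b"".join(data for _, data in rows)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

if __name__ == "__main__":
    rows = parse_dump(SPYNET_DUMP)
    print(to_text(rows))
    print("gaps:", [f"{a:#06x}->{b:#06x}" for a, b in find_gaps(rows)])
```

The leading bytes (1F B5 09 FB 00 00 ...) are not text at all, which is why the readable part starts mid-word with "nformation"; the carriage returns (0D) that separate the lines show up as dots.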

Tempest attack

Tempest is the ability to monitor electromagnetic emissions from computers in order to reconstruct the data. This allows remote monitoring of network cables or remotely viewing monitors.

The word TEMPEST is usually understood to stand for "Transient Electromagnetic Pulse Emanation Standard". There are some fonts that remove the high-frequency information and thus severely reduce the ability to remotely view text on the screen; PGP also provides the option of using such tempest-resistant fonts. An appropriately equipped car can park near the target premises and remotely pick up all the keystrokes and messages displayed on the computer's video screen. This would compromise all the passwords, messages, and so on. This attack can be thwarted by properly shielding computer equipment and network cabling so that they do not emit these signals.

Password cracking

A password is a type of authentication. It is a secret word or phrase that a user must know in order to gain access. A pass-phrase is a correspondingly larger secret consisting of multiple words. Passwords have been used since Roman times. The Romans had some of the first large armies in which people did not recognise each other by sight, so in order to gain entry into the camp a Roman soldier would have to know the secret password. Internal to the computer, password information is constantly being checked. If you were queried for the password each and every time, you would find that the computer became unusable. Therefore, the computer attempts to "cache" the password so that internal prompts during the same session do not cause external prompts to the user.

All systems cache passwords in memory during a login session. Therefore, if a hacker can gain access to all memory on the system, he/she can likely sift the memory for passwords. Likewise, hackers can frequently sift pagefiles for passwords. To crack a password means to decrypt a password, or to bypass a protection scheme. When the UNIX operating system was first developed, passwords were stored in the file "/etc/passwd". This file was readable by everyone, but the passwords were encrypted so that a user could not figure out what another person's password was. The passwords were encrypted in such a manner that a person could test a password to see if it was valid, but couldn't decrypt the entry. However, a program called "crack" was developed that would simply test all the words in the dictionary against the passwords in "/etc/passwd". This would find all user accounts whose passwords were chosen from the dictionary. Typical dictionaries also included people's names, since a common practice is to choose a spouse's or child's name. The sources of encrypted passwords typically include the following:

- /etc/passwd from a UNIX system
- SAM or SAM._ from a Windows NT system
- .pwl from a Windows 95/98 system
- sniffed challenge hashes from the network
The "crack" program is a useful tool for system administrators. By running the program on their own systems, they can quickly find users who have chosen weak passwords. In other words, it is a policy enforcement tool.

Password crackers are utilities that try to 'guess' passwords. One way, known as a dictionary attack, involves trying out all the words contained in a predefined dictionary of words. Ready-made dictionaries of millions of commonly used passwords can be freely downloaded from the Internet.

Another form of password cracking is the 'brute force' attack. In this form of attack, all possible combinations of letters, numbers and symbols are tried out one by one until the password is found. Brute force attacks take much longer than dictionary attacks.
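The administrator's use of "crack" described above (testing candidate words against stored entries that can be verified but not decrypted), together with the dictionary-versus-brute-force comparison, as an added example that is not part of the original post. It assumes a stand-in hash ("salt$sha256(salt+password)") instead of the real crypt(3) format so that it runs anywhere, and the password file, users and word list are constructed for the example.

```python
import hashlib
import string

# Stand-in for crypt(3) (assumption for portability): stored field is "salt$hex(sha256(salt+pw))".
# As with crypt(3), an entry can be tested against a candidate but not reversed.
def make_entry(salt, password):
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def check(entry, candidate):
    """True if the candidate reproduces the stored hash: a test, not a decryption."""
    salt = entry.split("$", 1)[0]
    return make_entry(salt, candidate) == entry

# Constructed sample file in the classic "user:hash:uid:gid:gecos:home:shell" layout.
PASSWD = "\n".join([
    "alice:" + make_entry("ab", "summer") + ":1001:1001::/home/alice:/bin/sh",
    "bob:" + make_entry("cd", "Zq7#pL!v") + ":1002:1002::/home/bob:/bin/sh",
    "carol:" + make_entry("ef", "michael") + ":1003:1003::/home/carol:/bin/sh",
])

# A tiny constructed word list; real lists also carry names, as the post notes.
DICTIONARY = ["password", "summer", "letmein", "michael", "sarah"]

def audit(passwd_text, dictionary):
    """Policy-enforcement run: map each user whose password is a dictionary word to that word."""
    weak = {}
    for line in passwd_text.splitlines():
        user, entry = line.split(":")[:2]
        for word in dictionary:
            if check(entry, word):
                weak[user] = word
                break
    return weak

def brute_force_keyspace(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Candidates an exhaustive search must try for every password of 1..length characters."""
    return sum(len(alphabet) ** n for n in range(1, length + 1))

if __name__ == "__main__":
    print("users with dictionary passwords:", audit(PASSWD, DICTIONARY))
    print("dictionary size:", len(DICTIONARY), "vs 8-char brute-force keyspace:",
          brute_force_keyspace(8))
```

Only alice and carol are reported; bob's password is not in the list, and finding it exhaustively would mean walking a keyspace of roughly 6 x 10^15 candidates for eight characters, which is the gap between the two attacks the post describes.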

Buffer overflow

Also known as buffer overrun, input overflow and unchecked buffer overflow, this is probably the most common way of breaking into a computer.

It involves feeding a program more data than it expects. The excess data "overflows" into other areas of the computer's memory. This allows the hacker to insert executable code along with the input, thus enabling the hacker to break into the computer.
