
NRI Institute of Information Science and Technology, Bhopal

Paper presentation on Network Security

Submitted to: OGI, Bhopal
Presented by: Firdos Khan, Abhishek Rajvaidya

Date: 15 October 2008
TOPIC: NETWORK SECURITY
AUTHORS: FIRDOS KHAN, ABHISHEK RAJVAIDYA
COLLEGE: NIIST BHOPAL

ABSTRACT:-

Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness (or lack thereof), combined together.

NETSTAT MADE EASY:- The netstat command can be used to gather information on a variety of different aspects of your system's communication state at a given point of time, including a list of open connections, protocols, a list of open ports, remote IP address details, etc.

HIDING YOUR IP ADDRESS:- It includes
• NAT networks
• Proxy servers

FIREWALLS:-
• Bypassing firewalls

NETWORK RECONNAISSANCE:- It is the most effective information gathering technique; it includes
• Ping sweeping
• Detecting a ping sweep

OS DETECTION:- It is very important for an attacker to determine the operating system running on the target host. One of the easiest techniques that you can use for operating system detection is fingerprinting. These are of two types:
• Active fingerprinting
• Passive fingerprinting

KEYLOGGERS ATTACK:-
• How keyloggers work
• Securing systems
NETSTAT MADE EASY

• Do you want to find out your friend's IP address?
• Do you want to find your own IP address?
• Do you want to get a list of open ports currently being used?
• Do you want to detect the presence of a trojan on your computer?

The netstat command can be used to gather information on a variety of different aspects of your system's communication state at a given point of time, including a list of open connections, protocols being used, a list of open ports, remote IP address details, and connection states, among other useful information. netstat gets all this information by reading the kernel routing tables in memory. The RFC on the Internet tool catalog describes netstat in the following manner:

Netstat is a program that accesses network related data structures within the kernel, then provides an ASCII format at the terminal. netstat can provide reports on the routing tables, TCP connections, TCP and UDP listens, and protocol memory management.

You should launch the command line prompt in order to use the netstat command:

Microsoft windows xp[version 5.1.2600]
© copyright 1985-2001 microsoft corp.

C:\documents and settings\firdos>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a][-b][-e][-n][-o][-p proto][-r][-s][-v][interval]

netstat -a: the netstat -a argument is used to display all open connections on the local machine. It also returns information about all remote systems to which you are connected, the port numbers of those remote systems, and the type and state of connection you have with the remote systems. The typical syntax and output of the netstat -a command is as follows.

Similarly netstat -n, netstat -p, netstat -e and netstat -r can be defined.
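The questions at the top of this section (which ports are open, which remote systems am I connected to, is something unexpected listening) are easier to answer by parsing netstat output than by reading it by eye. The following Python script is an added example and is not part of the original paper: it parses a constructed `netstat -an` listing in the Windows format shown above, lists the listening sockets, compares the TCP listeners against an administrator's allow-list of expected ports (135 and 445 here, chosen for the example) and collects the remote addresses of established connections. The listener on port 31337 is a made-up entry placed in the sample to show how an unexpected listener stands out.

```python
"""Parse Windows-style `netstat -an` output and flag listeners not on an allow-list."""
from typing import Dict, List, Set, Tuple

# Constructed sample output (not a real capture); addresses and ports are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1047       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:1052       198.51.100.7:6667      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' into (addr, port); a '*' port (UDP foreign side) becomes 0."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return one record per TCP/UDP line; UDP lines carry no State column."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # skip the banner, header and blank lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def listening_ports(rows: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    ports = [(r["proto"], r["lport"]) for r in rows
             if r["state"] == "LISTENING" or r["proto"] == "UDP"]
    return sorted(ports)


def unexpected_listeners(rows: List[Dict[str, object]], expected: Set[int]) -> Set[int]:
    """Listening TCP ports that the administrator did not expect to be open."""
    return {port for proto, port in listening_ports(rows)
            if proto == "TCP" and port not in expected}


def remote_peers(rows: List[Dict[str, object]]) -> Set[str]:
    """Remote IP addresses of established connections, i.e. what netstat reveals about peers."""
    return {r["faddr"] for r in rows if r["state"] == "ESTABLISHED"}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening sockets:", listening_ports(rows))
    print("TCP listeners not on allow-list:", unexpected_listeners(rows, {135, 445}))
    print("remote peers:", remote_peers(rows))
```

The allow-list is the important part: a list of open ports only means something when compared against what the machine is supposed to run, so keep that list per host and re-run the comparison regularly.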

HIDING YOUR IP ADDRESS

• Do you want to protect your IP address while using the Internet?
• Do you want to protect your privacy?
• Do you want to share your Internet connection?
• Do you want to forge your source identity?

We have already seen that, using the netstat command, an IP address can be found out by an attacker. Hence it has become very important for Internet users to implement techniques for hiding their IP address from malicious users. The two most common techniques for hiding IP addresses are:

• Network address translation (NAT) networks
• Proxy servers

NETWORK ADDRESS TRANSLATION NETWORKS

The current implementation of IP addressing provides users with a very limited number of IP addresses that can be used for connectivity purposes. To solve this shortage problem, a number of organizations have started implementing NAT addressing, which allows them to use a single public IP address for a large number of internal systems having unique private IP addresses. This allows an organization to register a single public IP address.

In computer networking, network address translation (NAT) is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another.

Most often today, NAT is used in conjunction with network masquerading (or IP masquerading), which is a technique that hides an entire address space, usually consisting of private network addresses (RFC 1918), behind a single IP address in another, often public, address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single address and then rewrites the outgoing Internet Protocol (IP) packets on exit so that they appear to originate from the router. In the reverse communications path, responses are mapped back to the originating IP address using the rules ("state") stored in the translation tables. The translation table rules established in this fashion are flushed after a short period without new traffic refreshing their state.

As described, the method only allows transit traffic through the router when it originates in the masqueraded network, since this is what establishes the translation table entries. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the 'outside' network to reach designated hosts in the masqueraded network.

Because of the popularity of this technique, the term NAT has become virtually synonymous with the method of IP masquerading.

Network address translation has serious consequences for the quality of Internet connectivity and requires careful attention to the details of its implementation. As a result, many methods have been devised to alleviate the issues encountered (see NAT traversal).

Different types of NAT

Network address translation is implemented in a variety of schemes for translating addresses and port numbers, each affecting application communication protocols differently. Some application protocols that use IP address information need to determine the external address which is used for masquerading and, furthermore, often need to examine and categorize the type of mapping used in a given NAT device. For this purpose, the Simple Traversal of UDP over NATs (STUN) protocol was developed. It classified NAT implementations as full cone NAT, restricted cone NAT, port restricted cone NAT or symmetric NAT [1][2] and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods are being developed (cf. Session Traversal Utilities for NAT (STUN)).

Full cone NAT, also known as one-to-one NAT

Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. Any external host can send packets to iAddr:port1 by sending packets to eAddr:port2.

Address-Restricted cone NAT

Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. An external host (hostAddr:any) can send packets to iAddr:port1 by sending packets to eAddr:port2 only if iAddr:port1 had previously sent a packet to hostAddr:any. "any" means the port number doesn't matter.

Port-Restricted cone NAT

Like a restricted cone NAT, but the restriction includes port numbers.

Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. An external host (hostAddr:port3) can send packets to iAddr:port1 by sending packets to eAddr:port2 only if iAddr:port1 had previously sent a packet to hostAddr:port3.

Symmetric NAT

• Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port. If the same internal host sends a packet, even with the same source address and port, but to a different destination, a different mapping is used.
• Only an external host that receives a packet from an internal host can send a packet back.
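To make the four behaviours above concrete, here is an added Python simulation; it is not from the paper and is not a real NAT implementation. A `Nat` class records outbound mappings the way the translation tables described above do, then decides whether an inbound packet addressed to eAddr:port2 is delivered, according to which of the four behaviours is selected. All addresses and ports are constructed. `demo()` sends the same outbound traffic and the same three inbound probes through each NAT type so the differences are visible side by side.

```python
"""Simulate the four NAT behaviours: full cone, address-restricted, port-restricted
and symmetric. Constructed model for illustration, not a real NAT implementation."""
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


class Nat:
    """A NAT with a translation table; `kind` selects the filtering behaviour."""

    def __init__(self, kind: str, external_ip: str = "203.0.113.1"):
        if kind not in ("full", "restricted", "port_restricted", "symmetric"):
            raise ValueError(kind)
        self.kind = kind
        self.external_ip = external_ip
        self._ports = count(40000)                       # constructed external port pool
        # mapping key: (internal,) for cone NATs, (internal, destination) for symmetric
        self.table: Dict[Tuple, Endpoint] = {}
        # destinations each external endpoint has been used to contact (the "state")
        self.contacted: Dict[Endpoint, Set[Endpoint]] = {}

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outgoing packet; create a mapping on first use."""
        key = (internal, dest) if self.kind == "symmetric" else (internal,)
        if key not in self.table:
            self.table[key] = (self.external_ip, next(self._ports))
        ext = self.table[key]
        self.contacted.setdefault(ext, set()).add(dest)
        return ext

    def inbound(self, src: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint a packet from `src` to `ext` reaches, or None if filtered."""
        internal = next((key[0] for key, mapped in self.table.items() if mapped == ext), None)
        if internal is None:
            return None                                  # no mapping behind this external port
        history = self.contacted.get(ext, set())
        if self.kind == "full":
            return internal                              # anyone may send to eAddr:port2
        if self.kind == "restricted":
            # only hosts previously contacted from this mapping, any port
            return internal if any(host == src[0] for host, _ in history) else None
        # port_restricted and symmetric: the exact hostAddr:port3 must have been contacted
        return internal if src in history else None


def demo(kind: str) -> Dict[str, bool]:
    """Run the same outbound traffic and three inbound probes through a NAT of the given kind."""
    nat = Nat(kind)
    internal = ("10.0.0.5", 5000)                        # iAddr:port1 (constructed)
    server = ("198.51.100.20", 3478)                     # hostAddr:port3 (constructed)
    ext1 = nat.outbound(internal, server)
    ext2 = nat.outbound(internal, ("198.51.100.21", 3478))
    return {
        "same_mapping_for_second_dest": ext1 == ext2,
        "reply_from_server": nat.inbound(server, ext1) is not None,
        "same_host_other_port": nat.inbound(("198.51.100.20", 9999), ext1) is not None,
        "unrelated_host": nat.inbound(("192.0.2.9", 3478), ext1) is not None,
    }


if __name__ == "__main__":
    for kind in ("full", "restricted", "port_restricted", "symmetric"):
        print(f"{kind:16s} {demo(kind)}")
```

Reading the output top to bottom shows the progression the text describes: a full cone NAT accepts all three probes, the address-restricted variant drops the unrelated host, the port-restricted variant also drops the known host's other port, and only the symmetric NAT hands out a different external port for the second destination.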
PROXY SERVERS

In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.

A proxy server that passes all requests and replies unmodified is usually called a gateway or sometimes a tunneling proxy.

A proxy server can be placed on the user's local computer or at various points between the user and the destination servers or the Internet.

[Figure: schematic representation of a proxy server, where the computer in the middle acts as the proxy server between the other two.]

WINGATE

WinGate is an Integrated Gateway Management system for Microsoft Windows, providing firewall and NAT services, along with a number of integrated proxy servers and email services (SMTP, POP3 and IMAP servers).

In the mid to late 1990s, WinGate was almost ubiquitous in homes and small businesses that needed to share a single Internet connection between multiple networked computers. The introduction of Internet Connection Sharing in Windows 98, however, combined with the increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to provide more than just Internet connection sharing features. Today, the focus for WinGate users is primarily access control, reporting, bandwidth management and content filtering.

Features

WinGate runs on all versions of Microsoft Windows, from Windows 95 onwards. At its core, WinGate provides all 3 levels of Internet access: a stateful packet-level firewall with NAT, several circuit-level proxies (SOCKS 4/5, and a proprietary Winsock redirector), and multiple proxy servers. This provides a comprehensive access framework, and allows the maximum level of access control.

WinGate's policy framework allows the creation of specific access rules, based on user account details, request details, location of user, authentication level and time of day. The policy framework is based on a user database and user authentication. WinGate allows use of either WinGate's built-in user database, the Windows user database, or the user database of an NT domain or Active Directory. Authentication can use integrated Windows usernames and passwords (NTLM) and other authentication schemes. WinGate can also be used without authentication, or can assume user identity based on IP address or computer name.

WinGate can also authenticate individual users on a Terminal Server, and maintain separate user contexts to provide user-level control, and for applications that do not support authentication, by using the WinGate Client software.

WinGate provides a fully customizable, self-configuring DHCP server to assist with network configuration. It also supports multi-interface and multiple topology deployment, including multiple DMZs.

WinGate provides an integrated email server (POP3 server and retrieval client, SMTP server, and IMAP4 server) with message routing features and per-email restrictions. This can be used to provide company email services, or to provide protection and additional security (encryption and authentication) for an existing email system.

The WWW Proxy provides a transparent proxy for ease of administration, plus a shared proxy cache for improved surfing performance. It can also be used to secure access to internal web servers with either browser-based authentication or a Java-based applet.

Proxy services in WinGate support SSL/TLS connections, dynamic network binding (automatic response to network events such as addition or removal of network interfaces), and gateway pre-selection (to direct service for a particular application out a specific Internet connection).

Packet-level bandwidth management is also provided to allow control of bandwidth associated with certain users or applications, and is able to be configured on a per-time-of-day basis.

WinGate comes in three versions: Standard, Professional and Enterprise. Enterprise edition also provides an easily configured virtual private network system, which is also available separately as WinGate VPN. Licensing is tiered by the number of concurrently connected users, and available in a range of sizes to suit any budget or network size.

Also available for WinGate are optional components that provide antivirus scanning for email, web and FTP, and content filtering for web traffic.

FIREWALLS

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Function

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

A firewall's function within a network is similar to that of firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay a structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce both the amount and therefore the cost of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

BYPASSING FIREWALLS

1. Abstract
-----------

There are ambiguities in the implementations of the TCP/IP suite for various operating systems. Even though this fact has been used for a long time in different software for OS fingerprinting, no real attempt has been made to identify the security impact of the differences in TCP/IP semantics. We have done some research on the TCP/IP connection open semantics, which is of course very important for the security of networked systems. We believe that the flaws we have detected have a big impact on the design of firewalls and packet filters, since an improper implementation can easily lead to serious security problems.

2. Details
----------

The TCP/IP protocol stack offers a three way handshake for connection oriented communication using the TCP protocol. Basically, a connection can be opened by sending a synchronization packet to a listening service on a particular host. The host will respond with a synchronization acknowledgment packet, which in turn must be acknowledged by the requesting host. Then the connection is considered to be open (at least at the transport layer) and the two hosts may exchange some data.

The three way handshake is an essential part of communication using the TCP protocol. Therefore many packet filter firewalls try to prevent the three way handshake from completing in order to protect an internal/corporate network from being accessed from the outside. Of course, stateful firewalls may have some more sophisticated mechanisms.

We have found very ambiguous behavior in TCP/IP implementations while doing some research on the connection request phase. Below you will find the findings about various OSes; however, the list should not be considered complete. We have used the NemesisTCP tool [1] to generate the traffic and tcpdump to capture the responses.

* The normal behavior (of all OSes) is like this:

14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) win 512 (DF) [tos 0x18]
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)

The first host sends a SYN packet from port 12345 to a service on port 9999 and receives a SYN,ACK.

* Linux 2.4.19

Examination of the source code of the TCP engine reveals that a TCP connection can be opened by any combination of the TCP flags having the SYN bit set and the ACK bit reset. For example, we can open a TCP connection by sending an obviously bogus SYN,RST packet:

14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR 420:420(0) win 512 (DF) [tos 0x18]
14:25:43.889143 192.168.1.111.9999 > 192.168.1.184.12345: S 2168208394:2168208394(0) ack 421 win 5840 <mss 1460> (DF)

or something called a 'Christmas packet', having almost every TCP flag set (except the ACK flag, of course):

14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 420:420(0) win 512 urg 8 (DF) [tos 0x18]
14:30:46.342444 192.168.1.111.9999 > 192.168.1.184.12345: S 2492223280:2492223280(0) ack 421 win 5840 <mss 1460> (DF)

SYN,FIN packets also work well...

* Solaris 5.8

Here we have success by sending SYN,FIN packets:

14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:33:24.549757 192.168.1.84.9999 > 192.168.1.184.12345: S 913533039:913533039(0) ack 421 win 24656 <mss 1460> (DF)

or SYN,FIN,PSH packets with no payload:

14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP 420:420(0) win 512 (DF) [tos 0x18]
14:35:14.398801 192.168.1.84.9999 > 192.168.1.184.12345: S 940377913:940377913(0) ack 421 win 24656 <mss 1460> (DF)

Other combinations don't seem to induce the SynSent state in the TCP/IP stack.

* FreeBSD 4.5

Here we also have luck with SYN,FIN packets:

14:47:21.558541 192.168.1.184.12345 > 192.168.1.104.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:47:21.558719 192.168.1.104.9999 > 192.168.1.184.12345: S 1333327436:1333327436(0) ack 421 win 65535 <mss 1460>

as well as with other combinations which don't combine the RST and/or ACK flag with SYN:

14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP 420:420(0) win 512 (DF) [tos 0x18]
14:48:11.678366 192.168.1.104.9999 > 192.168.1.184.12345: S 1714046856:1714046856(0) ack 421 win 65535 <mss 1460>

* Windows NT 4.0

As in the case of BSD, we can open connections using any combination of TCP flags as long as we do not set the RST and/or ACK flag (where did they take the code from... hm...):

14:59:46.315126 192.168.1.184.12345 > 192.168.1.17.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:59:46.315566 192.168.1.17.9999 > 192.168.1.184.12345: S 15062452:15062452(0) ack 421 win 8576 <mss 1460> (DF)

Other OSes than those tested above are expected to behave in a similar manner after obtaining such a discouraging result...

3. Impact
---------

The ambiguities can be used to bypass/tunnel firewalls that filter TCP packets according to the TCP flags set. Especially stateless firewalls that simply compare the flags field with some expected value(s) to distinguish between synchronization packets and packets from an already open connection can be easily bypassed just by sending a bogus synchronization packet to a listening port. The currently deployed TCP stacks seem to be highly bogus and lazily implemented.

Administrators of firewall devices should set up some filtering rules to drop bogus TCP packets as mentioned above. For example, on systems using iptables to filter packets, bogus packets can be easily distinguished by the following rules:

iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -m limit --limit 10/m -j LOG --log-level LOGLEVEL --log-prefix "bogus packet "
iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP

and so on for other flag combinations.
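As an added defensive example (not part of the findings above), the Python below decodes the tcpdump flag letters from captures like the ones shown, emulates the `--tcp-flags MASK COMP` test that the iptables rules rely on, and flags any connection request that carries FIN, RST, PSH or URG alongside SYN while ACK is clear. Run over a constructed capture assembled from the flag combinations listed above (the lab addresses are the ones in the captures), it also shows why "and so on for other flag combinations" matters: the SYN,FIN and SYN,RST rules by themselves do not catch a SYN,PSH request, so the script also applies a generic predicate that covers every such combination at once.

```python
"""Decode tcpdump flag letters and flag bogus TCP connection requests (defensive example)."""
import re
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "U": URG, ".": 0}   # tcpdump flag letters
NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG,
         "ALL": 0x3F, "NONE": 0}                                        # iptables flag names

# Constructed capture in the tcpdump format shown above: the flag combinations are the
# ones reported for the tested stacks; the addresses are the lab addresses from the captures.
SAMPLE_CAPTURE = """\
14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) win 512 (DF)
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)
14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR 420:420(0) win 512 (DF)
14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 420:420(0) win 512 urg 8 (DF)
14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) win 512 (DF)
14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP 420:420(0) win 512 (DF)
"""

LINE_RE = re.compile(r"^\S+ (\S+) > (\S+): ([SFRPU.]+) \S+\(\d+\)(.*)$")


def flags_from_tcpdump(letters: str, tail: str = "") -> int:
    """Build the 6-bit TCP flags field from tcpdump's letters; an 'ack' or 'urg'
    token in the rest of the line sets ACK or URG."""
    bits = 0
    for ch in letters:
        bits |= LETTERS[ch]
    padded = f" {tail} "
    if " ack " in padded:
        bits |= ACK
    if " urg " in padded:
        bits |= URG
    return bits


def flag_names_to_int(names: str) -> int:
    """'SYN,FIN' -> 0x03, the way iptables parses a --tcp-flags argument."""
    return sum(NAMES[n] for n in names.split(","))


def tcp_flags_match(flags: int, mask: str, comp: str) -> bool:
    """Emulate iptables --tcp-flags MASK COMP: only the MASK bits are examined
    and they must equal COMP."""
    return (flags & flag_names_to_int(mask)) == flag_names_to_int(comp)


def is_bogus_syn(flags: int) -> bool:
    """SYN set, ACK clear, plus FIN/RST/PSH/URG: no legitimate client opens a connection this way."""
    return bool(flags & SYN) and not flags & ACK and bool(flags & (FIN | RST | PSH | URG))


def audit(capture: str) -> List[Dict[str, object]]:
    """Per packet: decoded flags, whether a naive 'flags == SYN' filter would drop it,
    whether the SYN,FIN / SYN,RST iptables rules hit, and whether it is a bogus SYN."""
    findings: List[Dict[str, object]] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, letters, tail = m.groups()
        flags = flags_from_tcpdump(letters, tail)
        findings.append({
            "src": src, "dst": dst, "letters": letters, "flags": flags,
            "naive_filter_drops": flags == SYN,
            "iptables_rules_hit": tcp_flags_match(flags, "SYN,FIN", "SYN,FIN")
                                  or tcp_flags_match(flags, "SYN,RST", "SYN,RST"),
            "bogus_syn": is_bogus_syn(flags),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f"{f['letters']:5s} flags=0x{f['flags']:02x} naive_drops={f['naive_filter_drops']} "
              f"rules_hit={f['iptables_rules_hit']} bogus={f['bogus_syn']}")
```

The naive filter drops only the first packet (a plain SYN) and passes every bogus request, which is the bypass the text describes; the two iptables rules catch SR, SFRP and SF but not SP, while the generic predicate catches all four.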

NETWORK RECONNAISSANCE

It is the most common yet effective information gathering technique. It includes:

PING SWEEPING

A ping sweep is a technique used to determine which of a range of IP addresses map to live hosts. It consists of ICMP ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply.

A ping is often used to check that a network device is functioning. To disable ping sweeps on a network, administrators can block ICMP ECHO requests from outside sources. However, ICMP TIMESTAMP and Address Mask Requests can be used in a similar manner.

Tools used for ping sweeps include fping, gping, and nmap for Unix systems, and the Pinger software from Rhino9. Pingers send multiple packets at the same time and allow the user to resolve host names and save output to a file.

Ping Sweep Tools

• PacketTrap Ping Sweep (as part of the pt360 Tool Suite)
• AdventNet Ping Sweep Utility
• Northwest Performance Software

DETECTING A PING SWEEP

Ping is a widely used technique that can help an attacker in detecting whether your system is active, which is often the first step an attacker will take in order to identify possible targets. Once the ping operation has identified your computer as being active and connected to the Internet, the attacker will likely proceed to using additional techniques in order to identify security weaknesses in your computer system that can be exploited in order to gain control over your computer.

The ping operation consists of sending a special network packet to a target computer and awaiting a response that will let the attacker know if the target computer is active. It is to be mentioned that there are other types of packets that can be used as well; however, the most common operation performed is to send an ICMP ECHO (type 8) packet towards the target computer, and then the remote machine responds with an ICMP ECHO_REPLY (type 0) packet. The software residing on the attacker's computer usually has a ping timeout setting, which can usually be set somewhere from a few hundred milliseconds up to a few seconds. The software waits for the ICMP ECHO_REPLY packet to be sent within the chosen timeout, and if a reply packet is received, the target computer is now known to be active.

Before launching an attack over a remote network, an attacker will likely start by scanning the network and gathering as much information as possible about it. One of the common operations used is the ping sweep. During a ping sweep, an attacker uses a large number of ping operations which are sent to a particular network, usually one per IP address. In order to efficiently scan hundreds or thousands of remote addresses, the attacker will probably use a multithreaded ping sweep tool, which allows not only customizing the timeout setting in order to improve efficiency, but also allows multiple ping operations to be initialized and running at the same time, thereby maximizing the number of remote addresses that will be scanned.

Perhaps the simplest protection measure against identifying your computer as active through the ping operation is to disable the ICMP protocol. There are two common configurations that can be found. The first is when your computer is directly connected to the Internet (for example, if you are using dialup and a regular modem, and no routers, you are likely to be connected to the Internet directly); in such a situation you need to block the ICMP protocol by configuring the software firewall you are using on your computer. If you are not using a software firewall in such a situation, then you should absolutely get and install one as soon as possible; otherwise you are exposed to a large number of risks - it may take only minutes until an attacker or worm gets into your computer. Finally, if you are using a gateway computer or router to connect to the Internet, you can disable the ICMP protocol on the gateway/router to protect your public IP address from being tested via a ping operation.

It is to be mentioned, though, that the ping operation is a useful one and there are situations where it should remain active, and therefore ICMP should not be disabled in such cases. For example, many ISPs use automated ping operations to monitor their connections, and if you disable ICMP, your ISP may take measures to correct what they believe to be a non-functional connection, like disconnecting the connection, or in some cases they may even call to ask what happened because their monitoring software tells them that the connection is down. There are also cases where certain software makes use of ping operations for its normal functioning and may believe that your computer is no longer responding. In such cases, it is advised not to disable ICMP. Alternatively, you may permit ICMP only to a given computer or IP range. For example, in the situation where your ISP needs to monitor your connection via ping operations, you can call them and ask for the IP addresses of the monitoring machine(s) they are using, and then use the IP address or IP range provided to create an allow rule in your firewall for the ICMP protocol. This should solve the problem, as your computer will respond to ICMP ECHO requests from your ISP, but not from everyone else.
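The counterpart to the blocking advice above is noticing a sweep while it is happening. The following Python detector is an added example, not from the paper: it reads constructed ICMP request log lines of the form `<seconds> <src> <dst> icmp type <n>`, slides a time window over each source's requests and reports the sources that touched more distinct destinations than a threshold. It counts timestamp (13) and address-mask (17) requests as well as echo (8), since the text notes those can be used the same way, and it accepts a set of trusted sources (such as the ISP monitoring address from the allow-rule suggestion above) to leave out of the count.

```python
"""Flag sources that probe many distinct hosts with ICMP requests in a short window."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Tuple

# ICMP request types a sweep can use: echo (8), timestamp (13), address mask (17)
SWEEP_TYPES = {8, 13, 17}

# Constructed log lines (not a real capture): "<seconds> <src> <dst> icmp type <n>".
# 198.51.100.7 probes eleven hosts in one second; 203.0.113.50 pings one host every 5 s.
SAMPLE_LOG = """\
995.0 203.0.113.50 192.168.1.1 icmp type 8
1000.0 198.51.100.7 192.168.1.1 icmp type 8
1000.1 198.51.100.7 192.168.1.2 icmp type 8
1000.2 198.51.100.7 192.168.1.3 icmp type 8
1000.3 198.51.100.7 192.168.1.4 icmp type 8
1000.4 198.51.100.7 192.168.1.5 icmp type 8
1000.5 198.51.100.7 192.168.1.6 icmp type 8
1000.6 198.51.100.7 192.168.1.7 icmp type 8
1000.7 198.51.100.7 192.168.1.8 icmp type 8
1000.8 198.51.100.7 192.168.1.9 icmp type 8
1000.9 198.51.100.7 192.168.1.10 icmp type 8
1001.0 198.51.100.7 192.168.1.11 icmp type 13
1000.0 203.0.113.50 192.168.1.1 icmp type 8
1005.0 203.0.113.50 192.168.1.1 icmp type 8
"""

Event = Tuple[float, str, str, int]      # (timestamp, src, dst, icmp type)


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event tuple."""
    ts, src, dst, _icmp, _type, code = line.split()
    return float(ts), src, dst, int(code)


def detect_sweeps(log: str, window: float = 10.0, threshold: int = 8,
                  trusted: Iterable[str] = ()) -> Dict[str, int]:
    """Return {source: peak number of distinct destinations probed within `window`
    seconds} for every source that reaches `threshold`; `trusted` sources are skipped."""
    skip = set(trusted)
    events = sorted(parse_line(l) for l in log.splitlines() if l.strip())
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, src, dst, icmp_type in events:
        if icmp_type not in SWEEP_TYPES or src in skip:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop requests that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print("suspected sweeps:", detect_sweeps(SAMPLE_LOG))
    print("with ISP monitor trusted:", detect_sweeps(SAMPLE_LOG, trusted={"203.0.113.50"}))
```

Counting distinct destinations rather than raw packets is what separates a sweep from a monitor that pings the same host repeatedly; the threshold and window should be tuned to the size of the network being watched.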

OS DETECTION

It is very important for an attacker to determine the operating system running on the target host. One of the easiest techniques that you can use for operating system detection is fingerprinting. These are of two types:
• Active fingerprinting
• Passive fingerprinting

TCP/IP stack fingerprinting (a.k.a. OS fingerprinting) is the process of determining the operating system (OS) used by a remote target.

There are two types of OS fingerprinting: active and passive.

Passive OS fingerprinting

Passive fingerprinting is undetectable by an intrusion detection system on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this it is undetectable. The downside of this method is that the client must either connect directly to the fingerprinting device, or be on the same hub as the other servers and clients, in order to capture any packets on the wire.

How passive OS fingerprinting works

Passive fingerprinting works because TCP/IP flag settings are specific to various operating systems. These settings vary from one TCP stack implementation to another and include the following:

• Initial TTL (8 bits)
• Window size (16 bits)
• Maximum segment size (16 bits)
• "Don't fragment" flag (1 bit)
• sackOK option (1 bit)
• nop option (1 bit)
• Window scaling option (8 bits)
• Initial packet size (16 bits)

These flags, when combined, provide a unique, 67-bit signature for every operating system.[1]
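The eight fields above add up to 8+16+16+1+1+1+8+16 = 67 bits. The Python below is an added example, not from the paper or from any fingerprinting tool: it packs those fields into a single 67-bit integer, rounds an observed TTL up to its probable initial value before matching (routers decrement it on every hop), and looks the result up in a small signature table. The table is constructed for illustration only: its window sizes are taken from the captures quoted in the firewall section (5840 for Linux, 24656 for Solaris, 65535 for FreeBSD, 8576 for Windows NT), every other field value is made up, and the labels are not real fingerprints.

```python
"""Pack the eight passive-fingerprint fields into one 67-bit signature and match it."""
from typing import Dict, Optional

# (field, width in bits) in the order listed above; the widths sum to 67
FIELD_WIDTHS = [("ttl", 8), ("window", 16), ("mss", 16), ("df", 1),
                ("sackok", 1), ("nop", 1), ("wscale", 8), ("size", 16)]
SIGNATURE_BITS = sum(width for _, width in FIELD_WIDTHS)    # 67


def pack_signature(fields: Dict[str, int]) -> int:
    """Concatenate the fields MSB-first into one integer; reject out-of-range values."""
    sig = 0
    for name, width in FIELD_WIDTHS:
        value = fields[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        sig = (sig << width) | value
    return sig


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the common initial values, since each hop decrements it."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    raise ValueError("TTL above 255")


# Constructed signature table: window sizes from the captures quoted above, all other
# values made up. Labels are illustrative, not real fingerprints.
SIGNATURES: Dict[int, str] = {
    pack_signature({"ttl": 64, "window": 5840, "mss": 1460, "df": 1, "sackok": 1,
                    "nop": 1, "wscale": 0, "size": 60}): "Linux-like (constructed)",
    pack_signature({"ttl": 255, "window": 24656, "mss": 1460, "df": 1, "sackok": 0,
                    "nop": 1, "wscale": 0, "size": 48}): "Solaris-like (constructed)",
    pack_signature({"ttl": 64, "window": 65535, "mss": 1460, "df": 0, "sackok": 1,
                    "nop": 1, "wscale": 1, "size": 60}): "FreeBSD-like (constructed)",
    pack_signature({"ttl": 128, "window": 8576, "mss": 1460, "df": 1, "sackok": 0,
                    "nop": 0, "wscale": 0, "size": 44}): "Windows NT-like (constructed)",
}


def fingerprint(observed: Dict[str, int]) -> Optional[str]:
    """Normalise the TTL, then look up the packed signature; None means no match."""
    fields = dict(observed)
    fields["ttl"] = initial_ttl(observed["ttl"])
    return SIGNATURES.get(pack_signature(fields))


if __name__ == "__main__":
    # constructed observation: a SYN that arrived with TTL 52 after several hops
    seen = {"ttl": 52, "window": 5840, "mss": 1460, "df": 1, "sackok": 1,
            "nop": 1, "wscale": 0, "size": 60}
    print(f"signature bits: {SIGNATURE_BITS}")
    print(f"packed: 0x{pack_signature(dict(seen, ttl=initial_ttl(seen['ttl']))):017x}")
    print("match:", fingerprint(seen))
```

The TTL normalisation is the part a practitioner would otherwise get wrong: the value on the wire is the initial TTL minus the hop count, so matching on it directly would produce a different "signature" for the same host seen from different distances.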
Active OS fingerprinting

Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network, and with the active method you can learn more information about the target than with passive OS fingerprinting. The downside is that the fingerprinter can be identified by an intrusion detection system.

Active fingerprinting methods

TCP stack querying

• ICMP
• TCP
• SNMP

Banner grabbing

• FTP
• TELNET
• HTTP

Port probing

Protecting against and detecting fingerprinting

Block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps. Also, block any ICMP echo replies. Watch for excessive TCP SYN packets. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a black hole. Extensive knowledge of TCP/IP networking is recommended before engaging in traffic blocking.

Fingerprinting tools

A list of TCP/IP OS fingerprinting tools:

• Nmap - comprehensive active stack fingerprinting.
• p0f - comprehensive passive TCP/IP stack fingerprinting.
• Ettercap - passive TCP/IP stack fingerprinting.
• SinFP - single-port active/passive fingerprinting.
• XProbe2 - active TCP/IP stack fingerprinting.

Uses of TCP/IP Fingerprinting

TCP fingerprinting is a valuable tool for:

• Vulnerability scanning - TCP fingerprinting is a valuable tool for scanning for vulnerabilities in a webserver or enterprise defense. Knowing the operating system provides a clue as to what sort of tools or attacks a hacker can use.
• Fraud detection[2] - more recently, TCP/IP stack fingerprinting has been used as an additional tool for fingerprinting a device during a transaction in order to detect anomalies.
KEYLOGGERS

Keystroke logging (often called keylogging) is a method of capturing and recording user
keystrokes. The technique and name came from before the era of the graphical user
interface; loggers nowadays would expect to capture mouse operations too. Keylogging
can be useful to determine sources of errors in computer systems, to study how users
interact and access with systems, and is sometimes used to measure employee
productivity on certain clerical tasks. Such systems are also highly useful for both law
enforcement and law-breaking—for instance, providing a means to obtain passwords or
encryption keys and thus bypassing other security measures. Keyloggers are widely
available on the Internet.

There are currently two types of keylogging methods, hardware and software based.

Application

Keystroke logging can be achieved by both hardware and software means. Hardware key
loggers are commercially available devices which come in three types: inline devices that
are attached to the keyboard cable, devices which can be installed inside standard
keyboards, and actual replacement keyboards that contain the key logger already built-in.
The inline devices have the advantage of being able to be installed instantly on desktop
computers without integrated keyboards.

When used covertly, inline devices are easily detected by a glance at the keyboard
connector plugged into the computer. Of the three types, the most difficult to install is
also the most difficult to detect. The device that installs inside a keyboard (presumably
the keyboard the target has been using all along) requires soldering skill and extended
access to the keyboard to be modified. However, once in place, this type of device is
virtually undetectable unless specifically looked for.

Types of keystroke loggers

1) Local Machine software Keyloggers are software programs that are designed to work
on the target computer's operating system. From a technical perspective there are four
categories:

• Hypervisor-based: The keylogger resides in a malware hypervisor running
underneath the operating system, which remains untouched, except that it
effectively becomes a virtual machine. See Blue Pill for a conceptual example.
• Kernel-based: This method is difficult both to write and to combat. Such
keyloggers reside at the kernel level and are thus difficult to detect, especially for
user-mode applications. They are frequently implemented as rootkits that subvert
the OS kernel and gain unauthorized access to the hardware, which makes them
very powerful. A keylogger using this method can act as a keyboard driver, for
example, and thus gain access to any information typed on the keyboard as it goes
to the operating system.
• Hook-based: Such keyloggers hook the keyboard with functions provided by the
OS. The OS notifies them any time a key is pressed and the keylogger records it.
• Passive methods: Here the coder uses operating system APIs like
GetAsyncKeyState(), GetForegroundWindow(), etc. to poll the state of the
keyboard or to subscribe to keyboard events. These are the easiest to write, but
where constant polling of each key is required, they can cause a noticeable
increase in CPU usage and can miss the occasional key. A more recent example
simply polls the BIOS for preboot authentication PINs that have not been cleared
from memory.[1]

2) Remote Access software Keyloggers are local software keyloggers programmed with
an added feature to transmit recorded data out of the target computer and make the data
available to the monitor at a remote location. Remote communication is facilitated by one
of four methods:

• Data is uploaded to a website or an FTP account.
• Data is periodically emailed to a pre-defined email address.
• Data is wirelessly transmitted by means of an attached hardware system.
• The monitor logs into the local machine via the Internet or Ethernet and
accesses the logs stored on the target machine.

3) Hardware Keyloggers are used for keystroke logging by means of a hardware circuit that
is attached somewhere in between the computer keyboard and the computer. It logs all
keyboard activity to its internal memory, which can subsequently be accessed, for
example, by typing in a secret key. A hardware keylogger has an advantage over a
software solution: because it is not dependent on the computer's operating system, it will
not interfere with any program running on the target machine and hence cannot be
detected by any software; however, its physical presence may be detected.

4) Remote Access Hardware Keyloggers, otherwise known as Wireless Hardware
Keyloggers, work in much the same way as regular hardware keyloggers, except they
have the ability to be controlled and monitored remotely by means of a wireless
communication standard.

5) Wireless Keylogger sniffers collect packets of data being transferred between a wireless
keyboard and its receiver and then attempt to crack the encryption key being used to
secure wireless communications between the two devices.

6) Acoustic Keyloggers work by analysing a recording of the sound created by someone
typing on a computer. Each character on the keyboard makes a subtly different acoustic
signature when stroked. Using statistical methods, it is then possible to identify which
keystroke signature relates to which keyboard character. This is done by analysing the
repetition frequency of similar acoustic keystroke signatures, the timings between
different keyboard strokes and other context information such as the probable language in
which the user is writing. A fairly long recording (1000 or more keystrokes) is required
so that the statistics are meaningful.

7) Electromagnetic Radiation loggers work by passively capturing electromagnetic
emissions of a keyboard, without being physically wired to it.[2]

Cracking

Writing software applications for keylogging is trivial, and like any computer program
can be distributed as a trojan horse or as part of a virus. What is not trivial however, is
installing a keystroke logger without getting caught and downloading data that has been
logged without being traced. An attacker that manually connects to a host machine to
download logged keystrokes risks being traced. A trojan that sends keylogged data to a
fixed e-mail address or IP address risks exposing the attacker.

Trojan

Young and Yung devised several methods for solving this problem and presented them in
their 1997 IEEE Security & Privacy paper[3] (their paper from '96 touches on it as well).
They presented a deniable password snatching attack in which the keystroke logging
trojan is installed using a virus (or worm). An attacker that is caught with the virus or
worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered
login/password pairs using the public key of the trojan author and covertly broadcasts the
resulting ciphertext. They mentioned that the ciphertext can be steganographically
encoded and posted to a public bulletin board (e.g. Usenet).

Ciphertext

Young and Yung also mentioned having the cryptotrojan unconditionally write the
asymmetric ciphertexts to the last few unused sectors of every writable disk that is
inserted into the machine. The sectors remain marked as unused. This can be done using
a USB token. So, the trojan author may be one of dozens or even thousands of people that
are given the stolen information. Only the trojan author can decrypt the ciphertext
because only the author knows the needed private decryption key. This attack is from the
field known as cryptovirology.

Federal Bureau of Investigation

The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr.,
son of mob boss Nicodemo Scarfo. Scarfo Jr. pleaded guilty to running an illegal
gambling operation in 2002.[4] The FBI has also reportedly developed a trojan-horse-
delivered keylogger program known as Magic Lantern.[5]

Use in surveillance software

Some surveillance software has keystroke logging abilities and is advertised to monitor
the internet use of minors. Such software has been criticized on privacy grounds, and
because it can be used maliciously or to gain unauthorized access to users' computer
systems.

Keylogger prevention

Currently there is no easy way to prevent keylogging. In the future, it is believed that
software with secure I/O will be protected from keyloggers. Until then, however, the best
strategy is to use common sense and a combination of several methods. It is possible to
use software to monitor the connectivity of the keyboard and log its absence as a
countermeasure against physical keyloggers. For a PS/2 keyboard, the timeout bit (BIT6
at port 100) has to be monitored.[6] But this only makes sense when the PC is (nearly)
always on.

Code signing

64-bit versions of Windows Vista and Server 2008 implement mandatory digital signing
of kernel-mode device drivers, thereby restricting the installation of key-logging rootkits.

Monitoring what programs are running

A user should constantly observe the programs which are installed on his or her machine.
Also, devices connected to PS/2 and USB ports (which can both be abused) can be used
by the perpetrator to secretly install a keylogger and later remove it (along with the
user's data).

Anti-spyware

Anti-spyware applications are able to detect many keyloggers and cleanse them.
Responsible vendors of monitoring software support detection by anti-spyware programs,
thus preventing abuse of the software.

Firewall

Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission
of the logged material over the net if properly configured.

Network monitors

Network monitors (also known as reverse-firewalls) can be used to alert the user
whenever an application attempts to make a network connection. This gives the user the
chance to prevent the keylogger from "phoning home" with his or her typed information.
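
The network-monitor idea above, together with the transmission methods listed for remote access software keyloggers, can be checked over connection records. The following Python is an added example, not part of the original paper or of any monitoring product: it reads constructed outbound-connection records, flags processes that use mail or FTP ports without being on an allowlist, and flags connections that repeat at a fixed interval, the pattern of a logger that periodically mails its data. The log format, the allowlist and the executable names are assumptions.

```python
"""Reverse-firewall style check over outbound connection records: flag processes
using mail/FTP ports without being allowlisted, and flag regular (beacon-like)
repeats, which is how a remote-access keylogger typically ships its log.
Log format, allowlist and all values are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed allowlist: executables permitted to use exfiltration-capable ports.
ALLOWED = {"outlook.exe": {25, 587, 993}, "filezilla.exe": {21}}
EXFIL_PORTS = {21, 25, 465, 587}  # ftp, smtp, smtps, submission

def parse_line(line):
    """Parse 'ISO-TIME exe=NAME remote=IP:PORT' (hypothetical log format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ip, port = fields["remote"].rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "exe": fields["exe"].lower(),
            "ip": ip, "port": int(port)}

def find_alerts(lines, min_repeats=3, jitter=0.2):
    """Return sorted alerts: unexpected exfil-port use, then beacon-like repeats."""
    unexpected, seen = set(), defaultdict(list)
    for rec in map(parse_line, lines):
        seen[(rec["exe"], rec["ip"], rec["port"])].append(rec["time"])
        if rec["port"] in EXFIL_PORTS and rec["port"] not in ALLOWED.get(rec["exe"], ()):
            unexpected.add(f"unexpected {rec['exe']} -> {rec['ip']}:{rec['port']}")
    beacons = []
    for (exe, ip, port), times in seen.items():
        times.sort()
        if len(times) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Near-constant spacing between repeats is the tell-tale of a timer.
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            beacons.append(f"beacon {exe} -> {ip}:{port} every ~{mean:.0f}s")
    return sorted(unexpected) + beacons

# Constructed sample: a legitimate mail client, a browser, and an unknown
# helper.exe mailing out to the same host every five minutes.
SAMPLE_LOG = [
    "2008-10-15T09:00:00 exe=outlook.exe remote=198.51.100.4:587",
    "2008-10-15T09:05:00 exe=helper.exe remote=203.0.113.7:25",
    "2008-10-15T09:07:00 exe=firefox.exe remote=198.51.100.9:443",
    "2008-10-15T09:10:00 exe=helper.exe remote=203.0.113.7:25",
    "2008-10-15T09:15:00 exe=helper.exe remote=203.0.113.7:25",
    "2008-10-15T09:20:00 exe=helper.exe remote=203.0.113.7:25",
]
```

Calling find_alerts(SAMPLE_LOG) reports helper.exe twice, once for using SMTP without being allowlisted and once for its five-minute beacon, while the allowlisted mail client and the browser produce nothing.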

BIBLIOGRAPHY

Network Security - Ankit Fadia

en.wikipedia.org/wiki/Proxy_server

en.wikipedia.org/wiki/Network_address_translation

www.wingate.com

en.wikipedia.org/wiki/OS_fingerprinting

www.hackingmobilephone.com