Team 8 Paper

From CyberSecurity
Revision as of 02:28, 25 October 2005 by Liebling (talk | contribs)


I will edit the text and integrate it on this page. At 11:30, I will take the text we have here, PDFify it, and e-mail it, along with the source code, to the TAs.


Attack techniques

Attempt and findings

In order to discover which potentially exploitable network services were running on CSEP291B, the Red Team ran nmap to conduct a comprehensive port scan. Because firewalls generally block vulnerable network ports that are not needed by hosts outside the internal network, we downloaded and ran nmap from a machine inside the firewall, CSEP291A. Nmap showed that OpenSSH v3.9, rpcbind, status, and nlockmgr were listening on ports 22, 111, 1024 and 1025 respectively. No known buffer overruns were found for that version of OpenSSH (although previous versions had many published exploits).
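The scan described above can be turned into a repeatable audit. The following is an added example (not code from the Team 8 paper): it parses nmap's grepable (-oG) output, flags any open port that is not on an expected-service policy, and compares a scan taken inside the firewall with one taken outside it, so that services the firewall hides from the outside (rpcbind, status, nlockmgr here) are still reported to the administrator. The two scan texts, the host address 10.0.0.5 and the version strings are constructed for the example.

```python
"""Audit nmap grepable (-oG) output against an expected-service policy.

Added example; not from the Team 8 paper. The scan lines below are
constructed to mirror the services the paper reports (sshd, rpcbind,
status, nlockmgr); the address, hostname and version strings are made up.
"""
from dataclasses import dataclass

# Policy: the only service that should listen on this host is sshd on tcp/22.
EXPECTED_SERVICES = {("tcp", 22): "ssh"}

# Constructed sample: scan run from inside the firewall (CSEP291A in the paper).
INTERNAL_SCAN = (
    "# constructed sample, not a real scan\n"
    "Host: 10.0.0.5 (csep291b)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, "
    "111/open/tcp//rpcbind//2 (RPC #100000)/, "
    "1024/open/tcp//status//1 (RPC #100024)/, "
    "1025/open/tcp//nlockmgr//1-4 (RPC #100021)/"
    "\tIgnored State: closed (996)\n"
)

# Constructed sample: the same host scanned from outside the firewall.
EXTERNAL_SCAN = (
    "Host: 10.0.0.5 (csep291b)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, "
    "111/filtered/tcp//rpcbind///"
    "\tIgnored State: filtered (998)\n"
)


@dataclass(frozen=True)
class Listener:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_grepable(text):
    """Return {address: [Listener, ...]} from nmap -oG text.

    Each port entry has the form
    port/state/proto/owner/service/rpcinfo/version/ and entries are
    separated by ", ". The version field may contain spaces and
    parentheses, so split on at most six slashes and strip the trailing one.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and hosts with no ports reported
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        address = fields["Host"].split()[0]
        listeners = []
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/", 6)
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts
            listeners.append(
                Listener(int(port), proto, state, service, version.rstrip("/"))
            )
        hosts[address] = listeners
    return hosts


def unexpected_listeners(listeners):
    """Open ports that the policy in EXPECTED_SERVICES does not allow."""
    return [
        l for l in listeners
        if l.state == "open" and (l.proto, l.port) not in EXPECTED_SERVICES
    ]


def hidden_by_firewall(internal, external):
    """Ports open from inside the network but not reachable from outside.

    These are exactly the services an external-only scan would miss; they
    still need patching or disabling, since an attacker who gains a
    foothold inside the firewall can reach them.
    """
    reachable_outside = {(l.proto, l.port) for l in external if l.state == "open"}
    return [
        l for l in internal
        if l.state == "open" and (l.proto, l.port) not in reachable_outside
    ]


if __name__ == "__main__":
    inside = parse_grepable(INTERNAL_SCAN)["10.0.0.5"]
    outside = parse_grepable(EXTERNAL_SCAN)["10.0.0.5"]
    for l in unexpected_listeners(inside):
        print(f"policy violation: {l.proto}/{l.port} {l.service} {l.version}")
    for l in hidden_by_firewall(inside, outside):
        print(f"internal-only exposure: {l.proto}/{l.port} {l.service}")
```

Running the script against real scans means feeding it the files written by `nmap -sV -oG`; the policy dictionary is the place to record which services each host is meant to offer.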

There is a known vulnerability in rpcbind that allows a denial of service by flooding it with request messages. It was not clear how this attack could be used to compromise the machine, so it was not pursued. No other vulnerabilities were found in the network services. The Red Team also investigated mounting a password-cracking attack: if the hash of the root password could be obtained and the password was not sufficiently strong, a dictionary attack or other brute-force method could derive the password given enough computing time. But, as a standard security precaution, the administrator of the CSEP291B machine had placed the password hashes in a separate shadow file rather than in /etc/passwd with the other account information, and this shadow file was readable only by the root user.

On the other hand, the Red Team was aware that most (if not all) of the user accounts on the machine had been set up by the administrator with the same password as the account name. This meant that the team could have gained access to the other users' sensitive data. Malicious applications or scripts could also have been put in place of custom applications that a privileged user would execute.
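The two account-handling points made above (hashes belong in a root-only shadow file, and accounts must not be created with the username as the password) are the kind of thing an administrator should check routinely rather than rely on the Red Team to find. The following is an added example, not code from the Team 8 paper: it audits passwd- and shadow-format records for hashes or empty password fields left in the world-readable passwd file, a shadow file whose mode grants access to non-root users, accounts with no shadow entry, and, through a caller-supplied `verify` function, accounts whose password equals their name. The sample records, the hash strings and the `demo_verify` stand-in are constructed; on a real system `verify` would wrap the platform's crypt routine.

```python
"""Audit passwd/shadow-style records for the account weaknesses the paper describes.

Added example, not from the Team 8 paper or the CSEP291B machine. Both sample
files are constructed and the hash strings are placeholders, not real hashes.
"""
import stat

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchange", "min", "max", "warn",
                 "inactive", "expire", "reserved")

# Constructed sample passwd file: bob's hash was left in passwd, carol has an
# empty password field, dave has no shadow entry at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:$1$PLACEHOLDERHASH:1002:1002:Bob:/home/bob:/bin/bash
carol::1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash
"""

# Constructed sample shadow file with placeholder hash strings.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$rootroot:19000:0:99999:7:::
alice:$6$PLACEHOLDER$alice:19000:0:99999:7:::
bob:$1$PLACEHOLDERHASH:19000:0:99999:7:::
carol::19000:0:99999:7:::
"""

# Constructed: a shadow file that is world-readable (0644), the bad case.
SAMPLE_SHADOW_MODE = stat.S_IFREG | 0o644


def parse_colon_file(text, field_names):
    """Parse colon-separated records into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(":")
        records[values[0]] = dict(zip(field_names, values))
    return records


def demo_verify(name, hash_string):
    """Stand-in for a real password check, used only with the placeholder hashes
    above: treats a hash whose final '$' segment equals the username as a match.
    On a real system use crypt.crypt(name, hash_string) == hash_string instead."""
    return hash_string.endswith("$" + name)


def audit_accounts(passwd_text, shadow_text, shadow_mode, verify=None):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)

    # passwd is world-readable: anything but a shadow marker ("x" or "*")
    # either leaks a hash or lets the account in with no password at all.
    for name, rec in passwd.items():
        if rec["password"] == "":
            findings.append(f"{name}: empty password field in passwd (no password required)")
        elif rec["password"] not in ("x", "*"):
            findings.append(f"{name}: password hash stored in world-readable passwd")

    # The shadow file must not be readable by group or other (root-only, as on CSEP291B).
    if shadow_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"shadow: mode {stat.filemode(shadow_mode)} grants access to non-root users")

    # Shadow entries: an empty hash means no password; a locked hash ("!" or "*")
    # is skipped; otherwise the optional verify() tests the username-as-password pattern.
    for name, rec in shadow.items():
        h = rec["hash"]
        if h == "":
            findings.append(f"{name}: empty hash in shadow (no password required)")
        elif verify is not None and not h.startswith(("!", "*")) and verify(name, h):
            findings.append(f"{name}: password equals account name")

    # Every login account in passwd should have a matching shadow record.
    for name in sorted(passwd.keys() - shadow.keys()):
        findings.append(f"{name}: present in passwd but missing from shadow")

    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHADOW_MODE, demo_verify):
        print(finding)
```

On a live host the mode argument comes from `os.stat("/etc/shadow").st_mode`, and the audit has to run as root, which is itself the point: the check reads nothing an unprivileged user could.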

Technical discussion

The non-technical reader can skip this section and continue to #Damage estimation.

Damage estimation

Home computer

Walmart's Corporate VP

Charles Schwab NYSE

Value to terrorists

Scalability

Feasibility of acquiring knowledge

Value for achieving aims of terrorists

Defenses

Home

Developer

Corporate IT

Public policy

Summary