BANGALORE, INDIA: The history of crime prevention is similar to the history of warfare: first an offense takes place, and a defense is then developed to counter it. The bandits of the modern age are malicious hackers who strategically break into a network and get away with sensitive data. The worst they can do with your data is sell it to competitors, or even blackmail you over your personal information.
The hacking business has surpassed illegal drug trafficking as a criminal money maker. Every 4 minutes a network is hacked, and covering the losses costs the organization millions. So instead of spending millions on covering losses, organizations prefer to protect their network by hiring people who penetrate the company network under a signed contract. These people are called ethical hackers or pen-testers; they try to gain access to the network without knowing any usernames or passwords, running various rigorous tests against the network and its security infrastructure.
The techniques and software used to carry out pen-tests are called pen-tools or penetration tools. These tools are also used by hackers to break into systems and networks, so the basic difference between a pen-tester and a hacker is permission. The pen-tester is permitted to actually hack into the network (only up to a certain, agreed extent), while the hacker hacks the network without permission and steals information. Pen-testing is a precautionary exercise that lets the organization know whether there is any vulnerability in its security infrastructure, so that it can be corrected as instructed by the pen-tester.
Pen-testing can be categorized as Black Box testing, where the pen-tester has no knowledge of the system he will penetrate (a simulation of the real-world situation in which a hacker works on an unknown system), and White Box penetration testing, where the pen-tester is given significant knowledge about the network; in many cases these tests are done in conjunction with the company's IT team. After the tests are conducted a well documented report is written and presented.
Benefits of pen-testing
Why do we need to pen-test our network? Who would hack our network, and what would he get in return? These obvious questions pop up in the minds of many business owners when probed about security. Small enterprises lack a dedicated team for information security; if one exists it is more or less business driven, and its experts, if any, are not well experienced. The goal of the organization is liquidity, and security is not given much attention.
Some businesses get by fine with automatic software updates, strong passwords and a firewall, whereas others need more control. For intruders it is about getting access to resources the easiest way possible, and if we go by the records there has been a sharp increase in security breaches within small enterprises. The big money is now in stealing personal identification number (PIN) information together with the associated credit and debit accounts; PIN-based fraud is directly related to withdrawing cash from a person's account. Small enterprises may be attacked opportunistically, or they may be selected at random from a large population of vulnerable organizations.
Unlike small and medium enterprises, which are quite ignorant about their security, large enterprises spend significant amounts of capital on security and privacy. Since the security of a large enterprise is directly related to its reputation, they take great pains to ensure that their networks are safe and secure. Another reason for large enterprises to protect their network is growing competition: recently we have seen a lot of large emerging companies that are ready to go to any length to capture the market.
As organizations become more and more aware they have started budgeting for IT security practices, and many small and medium businesses are also becoming savvier in making decisions about IT security concerns. Organizations are constantly striving to gain customer confidence, and so are spending huge amounts on their security practices; this is where penetration testing comes into the picture.
We launched a Brute Force attack using a tool called Cain & Abel to decrypt the encrypted passwords added to the network.
Cain & Abel was used to launch an ARP Poisoning and Sniffing attack on the target network to fetch passwords.
Cain & Abel used for retrieving passwords of duped users on the network. You can see all the passwords and names of the users who were duped on the network.

Pen-test vs vulnerability assessment
A vulnerability assessment probes the system only up to the point where it would be compromised, while a penetration test may actually compromise the system, to the extent agreed in the contract with the company. Most organizations carry out vulnerability assessments rather than penetration tests. A vulnerability assessment is only about identifying and quantifying security flaws, whereas penetration testing is an active analysis of the system for weaknesses and can involve active exploitation of the vulnerabilities found. Security issues are reported to the owner, often together with a suggested technical solution.

Penetration tools
Many penetration tools exist today and most are freeware; our focus here is on two important kinds, VoIP and firewall testing tools. To test VoIP we selected Cain & Abel, since this tool is developed for Microsoft operating systems. It is basically a password recovery tool with many useful utilities: dictionary attacks, cryptanalysis, brute-force attacks, ARP poisoning and recovery of Local Security Authority (LSA) secrets. An important property of Cain & Abel is that it works only within an established LAN; as soon as we move outside the LAN the test is of little use. We performed some interesting tests with this tool, namely a brute-force attack, ARP poisoning and recovery of the LSA secrets of a local machine. Some useful and tested features of the tool are:

Protected password recovery: Reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.
Brute force attack: The most effective technique; it generates candidate passwords from all combinations of a character set and is applied to the hash files produced by the PwDump utility.
LSA Secrets Dumper: Dumps the contents of the Local Security Authority Secrets.
Sniffer: Captures passwords, hashes and authentication information while they are transmitted on the network. It includes several filters for application-specific authentication and for routing protocols. The VoIP filter enables the capture of voice conversations transmitted with the SIP/RTP protocols, which are saved as WAV files.
ARP Poisoning Attack: This attack is based on poisoning the ARP cache of the switch: all the traffic in a LAN passes through a switch, which maintains an ARP (Address Resolution Protocol) cache. The attack poisons that cache so that all traffic moves through the attacker's machine without the user's knowledge.

Cain & Abel is user friendly and its results are 99% accurate. The newest version, v4.9.35, has added support for Windows 2008 Server in the APR-RDP sniffing filter. For more references you can visit www.oxid.it. One limitation of Cain & Abel is that you have to get into the network to use it. Another is that, since it is free and created for educational and security purposes, it can also be used by hackers to break into your network.

There are many network tools used for mapping networks, but the most popular of them is Firewalk, which gathers information about a remote network. Firewalk works on the same principle as traceroute. The limitation of traceroute, however, is that it only traces the responses of the gateways; it tells us nothing about the network behind them. If we want to map the network behind a firewall, we have to run a slightly different kind of probe, one that tells us what kind of traffic the firewall lets through. To run this traceroute-style probe we must know the IP address of the gateway. Once we have the gateway IP we can run a scan that tells us which protocol packets the firewall accepts. This is simple.
Run a scan and, if you get no response, the protocol you used is blocked by the firewall. Try sending packets for different protocols and monitor the responses. By sending packets to every host behind the firewall an accurate map of the network topology can be generated.

Firewalk
Firewalk is a popular open source reconnaissance tool used for determining which layer 4 protocols a given IP forwarding device will pass. It works by sending TCP or UDP packets with an IP TTL (Time to Live) one greater than the hop count of the targeted gateway. If the gateway passes the packet, it forwards it to the next hop, where the packet expires and an ICMP_TIME_EXCEEDED message is returned; if the gateway blocks the packet, there is no response. To find the IP TTL that expires exactly one hop beyond the gateway, Firewalk first ramps up the hop count; after this ramping phase it can start scanning the network. Firewalk can be used as a hacking tool by hackers, and it can also be used by pen-testers to verify that ACLs (access control lists, used on routers to limit the protocols allowed to reach the host systems behind the router) are doing what they are intended to do.
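From the defender's side, a Firewalk scan leaves a distinctive trace in the gateway's own logs: many different ports probed from one source, all with a TTL so small that the packet can reach no further than the hop just behind the gateway. The detector below is an added example, not part of this article or of Firewalk; the iptables-like log format, the addresses and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed gateway log lines in an iptables-like field format (not real
# captures).  TTL is the value seen on ingress: a firewalk probe is built to
# expire one hop past the gateway, so it arrives with TTL 2, while hosts using
# normal initial TTLs (64/128/255) arrive far higher.
SAMPLE_LOG = """\
ACTION=ACCEPT SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25 TTL=2
ACTION=ACCEPT SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=110 TTL=2
ACTION=DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 TTL=2
ACTION=DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445 TTL=2
ACTION=ACCEPT SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=53 TTL=2
ACTION=DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=161 TTL=2
ACTION=DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP DPT=33434 TTL=1
ACTION=ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP DPT=33435 TTL=2
ACTION=ACCEPT SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=110 TTL=117
"""
LINE_RE = re.compile(
    r"ACTION=(\w+) SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+) TTL=(\d+)")

def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, src, dst, proto, dpt, ttl = m.groups()
            yield {"action": action, "src": src, "dst": dst,
                   "proto": proto, "dpt": int(dpt), "ttl": int(ttl)}

def detect_firewalk(text, expiry_ttl=2, min_ports=4):
    """Flag sources whose packets arrive with TTL <= expiry_ttl (they can reach
    at most the hop just behind the gateway) and that touch >= min_ports
    distinct proto/port pairs; a plain traceroute also uses tiny TTLs but hits
    only a port or two, so it stays under the threshold.  The result maps
    src -> {"accepted": [...], "dropped": [...]}: the ACL picture the prober got."""
    seen = defaultdict(lambda: {"accepted": set(), "dropped": set()})
    for p in parse_log(text):
        if p["ttl"] > expiry_ttl:
            continue
        key = "accepted" if p["action"] == "ACCEPT" else "dropped"
        seen[p["src"]][key].add((p["proto"], p["dpt"]))
    return {src: {k: sorted(v) for k, v in b.items()}
            for src, b in seen.items()
            if len(b["accepted"]) + len(b["dropped"]) >= min_ports}

if __name__ == "__main__":
    for src, learned in detect_firewalk(SAMPLE_LOG).items():
        print(src, "looks like a firewalk scan; ACL revealed:", learned)
```

The "accepted" list is exactly what the scan taught the prober about the ACL, so it doubles as the list of rules to review.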
We tried a similar test to map the network behind a firewall by building a dummy network and running the test over it. The network consisted of a firewall (Endian), a mail server and a client computer. The firewall's three interfaces, WAN, internal and DMZ, were connected into one network: the WAN interface was connected to the Internet uplink, an internal network was created behind the firewall, to which a POP3 mail server was connected, and this was connected to the DMZ interface. A test machine running BackTrack was used as the attacking machine. A firewall probe was then run from that machine and the results were recorded. As the setup was very simple and had no misconfiguration in our case, Firewalk was not able to detect any configuration error in it.

NETCAT
NETCAT is a networking utility for reading from and writing to network connections using the TCP and UDP protocols. At the same time it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need. It is basically a UNIX utility, but Windows-compatible versions are also available. NETCAT can also be used as a port scanner that detects the open ports on a target machine. We used NETCAT to scan the open ports on the target machine and to gather information about the network behind the firewall. One may think that it is possible to connect to arbitrary ports even with a simple tool like Telnet, so what is the USP of this tool? The explanation lies in the fact that Telnet has the standard-input EOF problem, so one must introduce calculated delays in driving scripts to allow the network output to finish. Telnet also will not transfer arbitrary binary data, because certain characters are interpreted as Telnet options and are thus removed from the data stream.
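Looking back at the ARP poisoning attack in the Cain & Abel section: the defender's counterpart is to watch ARP replies for the bindings such poisoning produces, a known IP suddenly answered by a different MAC, and one MAC answering for several IPs at once. The arpwatch-style monitor below is an added example, not part of this article or of Cain & Abel; the addresses, MACs and reply sequence are constructed.

```python
from collections import defaultdict

# Constructed ARP replies as (sender IP, sender MAC); not real captures.
# 192.0.2.1 is the gateway and aa:bb:cc:dd:ee:ff the attacker's NIC.  In the
# poisoning described above the attacker answers for the gateway towards the
# victims and for the victims towards the gateway, so one MAC starts claiming
# several IPs and known IPs suddenly change MAC (and later flap back).
SAMPLE_REPLIES = [
    ("192.0.2.1",  "00:11:22:33:44:01"),  # gateway, legitimate
    ("192.0.2.10", "00:11:22:33:44:10"),  # victim A, legitimate
    ("192.0.2.11", "00:11:22:33:44:11"),  # victim B, legitimate
    ("192.0.2.50", "aa:bb:cc:dd:ee:ff"),  # attacker's own address
    ("192.0.2.1",  "aa:bb:cc:dd:ee:ff"),  # poison: gateway IP on attacker MAC
    ("192.0.2.10", "aa:bb:cc:dd:ee:ff"),  # poison: victim A on attacker MAC
    ("192.0.2.11", "aa:bb:cc:dd:ee:ff"),  # poison: victim B on attacker MAC
    ("192.0.2.10", "00:11:22:33:44:10"),  # victim A re-asserts itself
]

def audit(replies, max_ips_per_mac=1):
    """Replay ARP replies arpwatch-style and return the alerts raised, in order:
    ("mac-change", ip, old_mac, new_mac) when a known IP moves to another MAC,
    ("multi-ip", mac, ips) when one MAC claims more than max_ips_per_mac IPs.
    A NIC with several addresses or a DHCP reassignment trips these too, so
    treat hits as leads to verify against the switch's port/MAC table."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac-change", ip, old, mac))
        ip_to_mac[ip] = mac
        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > max_ips_per_mac:
                alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts

def suspected_attackers(alerts):
    """MACs that both took over an existing IP and answer for several IPs:
    the combination a Cain & Abel style man-in-the-middle produces."""
    took_over = {a[3] for a in alerts if a[0] == "mac-change"}
    multi = {a[1] for a in alerts if a[0] == "multi-ip"}
    return sorted(took_over & multi)

if __name__ == "__main__":
    found = audit(SAMPLE_REPLIES)
    print(len(found), "alerts; suspected attacker MACs:", suspected_attackers(found))
```

On a real segment the input would come from a passive ARP capture on a mirror port; the legitimate victim re-asserting itself in the last reply is the flapping that gives such an attack away even when the first poison was missed.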