Presentation on theme: "Network Security of Labnet ******". Presentation transcript:

Introduction
Test the network security of the servers on our Labnet domain
Find Potential Weaknesses
Find Security Flaws
Software
–Nmap
–SAINT

Overview: Step 1
Determine the best Nmap method for scanning
Run a port scan on one machine using all scanning methods
Select the method that returns the best results

Nmap Scan Types

| Scan Type | Description |
| --- | --- |
| TCP SYN | Send a SYN packet to each port and wait for an ACK. |
| TCP connect | Open a connection to each port. |
| FIN | Send a FIN packet and wait for a RST, which means the port is closed. |
| XMAS | Send a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed. |
| NULL | Send a packet with the FIN, URG, and PUSH flags set to zero and wait for a RST, which means the port is closed. |
| UDP | Send a 0 byte UDP packet to each port and wait for an ICMP port unreachable message. |
| IP Protocol | Send a raw IP protocol header packet without any protocol headers and wait for an ICMP protocol unavailable message. |
| Idle scan | Uses a side channel to send a TCP port scan (i.e. broadcast node). |
| ACK Scan | Send an ACK packet to the port and wait for an RST packet. |
| RPC scan | Floods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port. |

Overview: Step 2
Identify the most interesting ports
Scanning every port on every machine will take too much time.
–65k ports
–Slow network connection (10baseT)
Use the best scanning method to scan all ports on one machine.

Overview: Step 3
Scan each server using the best scanning method and most interesting ports
Analyze and compile the data
–Find a typical server with typical open connections
–Find major security holes in some servers

Final Step
Run SAINT on a typical server.
Identify vulnerabilities
Suggest a fix for the vulnerabilities

Scanning Method Results
RPC scan locked up the target machine
–Due to RPC request flood
The SYN, TCP connect, and RPC scan returned the same 6 results.
The FIN, NULL, and XMAS scans returned the same 15 results.
Arbitrarily selected the NULL scan
Need to run a TCP and UDP scan.

Best ports
Ran a full port scan on another machine
–Took too long to complete
The results of the NULL scan returned many hundreds of ports with a status of filtered.
A range of 0-2450 and a select group of other interesting ports for the NULL scan
A range of 1-3200 and a select group of other interesting ports for the UDP scan.

Results of network scan
25 hosts out of 27 up at the time the test was performed
All UDP ports filtered:
–10.10.0.1, 10.10.1.1, 10.10.16.1, 10.10.17.1, 10.10.20.1, 10.10.23.1, and 10.10.26.1.
All UDP ports left open on 10.10.13.1
Most common TCP and UDP ports

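Most common open TCP and UDP ports

| Port | Service | Port | Service |
| --- | --- | --- | --- |
| 21 | FTP | 587 | Submission |
| 22 | SSH | 1020 | Unknown |
| 25 | SMTP | 1021 | Unknown |
| 53 | Domain | 1022 | Unknown |
| 80 | HTTP | 1023 | Unknown |
| 111 | Sun RPC | 2049 | NFS |
| 515 | Printer | 8080 | HTTP-proxy |
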
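The "analyze and compile the data" step from Step 3 can be scripted. The following is an added example, not part of the original presentation: it assumes the scans were saved in Nmap's grepable format (`-oG`), uses constructed sample hosts in the 192.0.2.0/24 documentation range, and treats a port as "typical" when at least half the hosts have it open (a hypothetical threshold).

```python
from collections import Counter, defaultdict

# Constructed sample in Nmap grepable (-oG) format; not data from the presentation.
SAMPLE_OG = """\
# Nmap scan (constructed sample)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///
Host: 192.0.2.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 2049/open/udp//nfs///, 23/filtered/tcp//telnet///
Host: 192.0.2.4 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 6000/open/tcp//X11///
"""

def parse_grepable(text):
    """Return {host: set of (port, proto)} for ports reported as open."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines and anything that is not a host record
        fields = line.split("\t")
        open_ports = hosts[fields[0].split()[1]]  # also records hosts with no open ports
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(", "):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/...
                if len(parts) >= 3 and parts[1] == "open":
                    open_ports.add((int(parts[0]), parts[2]))
    return dict(hosts)

def baseline(hosts, threshold=0.5):
    """Ports open on at least `threshold` of the hosts: the 'typical server' profile."""
    counts = Counter(p for ports in hosts.values() for p in ports)
    return {p for p, n in counts.items() if n / len(hosts) >= threshold}

def outliers(hosts, typical):
    """Per host, the open ports that fall outside the typical profile."""
    return {h: sorted(ports - typical) for h, ports in hosts.items() if ports - typical}

if __name__ == "__main__":
    scanned = parse_grepable(SAMPLE_OG)
    typical = baseline(scanned)
    print("typical open ports:", sorted(typical))
    for host, extra in outliers(scanned, typical).items():
        print(f"{host}: review {extra}")
```

Hosts that appear in the outlier list are the ones to review first, since each extra open port is another service that has to be patched and configured.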
SAINT Results
Critical Problems
–Exports /usr/home to everyone
–Buffer Overflow in BIND 8.3.3
–Vulnerable Sendmail Version 8.12.6
Areas of Concern
–DNS Spoofing Vulnerability.
–Web servers allow cross-site tracing.
For purposes of length, I will not discuss the problems in detail or the potential problems.

Conclusion
The vulnerabilities reported by SAINT did not directly relate to the data collected by Nmap
Provided a good insight to other problems related to our network servers
Solution:
–Remove or restrict the global export of /usr/home
–Install the newest versions of BIND and Sendmail

Conclusion
Port scanning shows the potential vulnerability access points
Each open port has a specific piece of software running as a server for that port
A vulnerability in the software provides a hole for intruders to access your system
Port scanning is a powerful tool for determining the security of a system or network
It should only be used on systems and networks in which you are the administrator; otherwise it is seen as a malicious attack.