Download presentation
Presentation is loading. Please wait.
Published byLaureen Payne Modified over 8 years ago
1
S C I E N C E A P P L I C A T I O N S I N T E R N A T I O N A L C O R P O R A T I O N Open-Source Network Security Tools Scanning/Securing/Exploiting oh my.
2
Beyond Network Security…. We Build Peace of Mind 2 Disclaimer The opinions expressed in this talk are just mine, and not the opinions of SAIC, nor ESS. I have nothing against vendors, some of my best friends are vendors. I was asked to do a talk on Open Source Network Security Tools, and not on commercial tools to avoid any vendor bias. They made me do it. I once saw a ghost cow in the road, honest.
3
Beyond Network Security…. We Build Peace of Mind 3 Agenda What is Open Source? Why should I care? Why no Commercial tools? What tools are available? What do they do? Where can I get them? Q&A
4
Beyond Network Security…. We Build Peace of Mind 4 What’s OpenSource? From opensource.org Open source doesn't just mean access to the source code. The distribution terms of open-source software must comply with the following criteria: 1.Free Redistribution 2.Source Code included/available 3.Derived Works allowed 4.Integrity of The Author's Source Code (patches/forks) 5.No Discrimination Against Persons or Groups 6.No Discrimination Against Fields of Endeavor 7.Distribution of License (no NDA) 8.License Must Not Be Specific to a Product 9.License Must Not Restrict Other Software 10.License Must Be Technology-Neutral
5
Beyond Network Security…. We Build Peace of Mind 5 Why does it matter? Cost Open Source is free. Zero acquisition cost. Security The source code is available for your review. Many eyes look at code. Find many bugs. Patch Often Support Free – Web/Mailing-Lists/SIGs $$$ - Commercial sites/ OS vendors…
6
Beyond Network Security…. We Build Peace of Mind 6 What about freeware / shareware / trialware etc. "Freeware" should not be confused with "free software" (roughly, software with unrestricted redistribution) or "shareware" (software distributed without charge for which users can pay voluntarily). “Shareware” Software that, like freeware, can be usually obtained (downloaded) and redistributed for free, but most often is under copyright and does legally require a payment in the EULA, at least beyond the evaluation period or for commercial applications.
7
Beyond Network Security…. We Build Peace of Mind 7 Why not use commercial products? How much money do you have? Why not use these tools at home? At your sibling’s/nephew’s/parent’s house? Typically has higher resource needs. But, has much better support. Better documentation. Nice shiny packaging.
8
Beyond Network Security…. We Build Peace of Mind 8 Enough License talk, where’s the goods? Categories of tools. Scanning – To find hosts/targets/details Accessing – To gauge security and baseline Securing – To protect the host. Exploiting – To pants the host. Deception – To deceive the attacker. Detection – To detect the attacker
9
Beyond Network Security…. We Build Peace of Mind 9 Scanning (The Basics) Nmap – Network Mapper http://insecure.org http://insecure.org OS Detection Application Detection High-Speed TCP/UDP scans IPv4 & IPv6 Supports Unix / Linux / BSD / Mac OS X, and Windows Even works with Windows XP SP2! Extremely configurable and could be a talk by itself…
10
Beyond Network Security…. We Build Peace of Mind 10 Scanning for Wireless dstumbler http://www.dachb0den.com/projects/dstumbler.html http://www.dachb0den.com/projects/dstumbler.html AP/SSID detection Detection of weped networks beacon interval for aps maximum supported rate Can crack WEP keys.
11
Beyond Network Security…. We Build Peace of Mind 11 Scanning (Advanced) Paketto Keiretsu 1.10 http://www.doxpara.com/paketto/ http://www.doxpara.com/paketto/ Scanrand, an unusually fast network service and topology discovery system Minewt, a user space NAT/MAT router Linkcat, which presents a Ethernet link to stdio Paratrace, which traces network paths without spawning new connections Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three dimensional phase space.
12
Beyond Network Security…. We Build Peace of Mind 12 Assessing Web Sites Nikto http://www.cirt.net/code/nikto.shtml http://www.cirt.net/code/nikto.shtml Web/CGI scanner Finds vulnerable CGI Can do IDS evasion Has over 2,600 checks. $ nikto.pl –host 192.168.42.27 –verbose –web –output \ > nikto80_192.168.42.27.html.raw Nikto’s output provides notes on reasons why a finding may be a security risk: Target IP: 192.168.42.27 Target Hostname: www.victim.com Target Port: 80 -------------------------------------------------------------------- o Scan is dependent on "Server" string which can be faked, use -g to override o Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c o Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE o Server allows PUT method, may be able to store files. o CONNECT method is enabled, server may act as a proxy or relays. o Server allows DELETE method, may be able to remove files. o Server allows PROPFIND or PROPPATCH methods, which indicates DAV/WebDAV is installed. Both allow remote admin and have had security problems. o WebSTAR/4.2(Unix)mod_ssl/2.8.6OpenSSL/0.9.6c appears to be outdated (current is at least mod_ssl/2.8.7) (may depend on server version) o /public/ Redirects to 'http://www.foundstone.com/public', this might be interesting... o robots.txt - This file tells web spiders where they can and cannot go (if they follow RFCs). You may find interesting directories listed here. (GET) o cgi-bin/htsearch?-c/nonexistant - The ht::/Dig install may let an attacker force ht://Dig to read arbitrary config files for itself. (GET) 885 items checked on remote host
13
Beyond Network Security…. We Build Peace of Mind 13 Assessing Websites (continued) pavuk http://www.idata.sk/~ondrej/pavuk/ http://www.idata.sk/~ondrej/pavuk/ Not really assessment. Very effcient Web Spider Can copy content off sites Supports authentication SSL support FTP, HTTP, Gopher
14
Beyond Network Security…. We Build Peace of Mind 14 Assessing Passwords hydra http://thc.org/thc-hydra/ http://thc.org/thc-hydra/ Brute-Force Password Guesser Can run in parallel to improve performance. Is able to assess passwords in… TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, Cisco AAA
15
Beyond Network Security…. We Build Peace of Mind 15 Assessing Networks, Hosts, etc. Nessus – Security Scanner http://nessus.org http://nessus.org Uses NMap, Nikto, Hydra, Server supports Unix * Clients for Windows & Unix Has thousands of checks. Scriptable Attack language If you don’t use it yet, you should.
16
Beyond Network Security…. We Build Peace of Mind 16 Assessing Wireless kismet http://www.kismetwireless.net/ http://www.kismetwireless.net/ Manufacturer and model identification Runtime decoding of WEP packets for known networks Network IP range detection Finds hidden SSIDs Detects wireless attacks Finds defaults configs.
17
Beyond Network Security…. We Build Peace of Mind 17 Securing Hosts p0f/pf/iptables p0f – Passive OS fingerprinting http://lcamtuf.coredump.cx/p0f.shtml http://lcamtuf.coredump.cx/p0f.shtml Can work with pf/iptables to create special rules. Only Windows 2000 and newer can connect out Restrict in-bound Windows SMTP to 1 per client. Only allow OpenBSD SSH to firewall pf – Berkely Packet Filter http://www.openbsd.org/faq/pf/ http://www.openbsd.org/faq/pf/ iptables – Linux IP Firewall http://www.netfilter.org/ http://www.netfilter.org/
18
Beyond Network Security…. We Build Peace of Mind 18 Securing OS through Hardening Bastille http://www.bastille-linux.org/ http://www.bastille-linux.org/ Tightens permissions Changes to secure defaults Removes unneeded services Enables better logging Locks down subsystems Is a slicer/dicer Available for Linux, HP-UX, & Mac-OS.
19
Beyond Network Security…. We Build Peace of Mind 19 Securing Passwords John the Ripper http://www.openwall.com/john/ http://www.openwall.com/john/ Brute-forces local password files. Supports most Unix password file types. Windows NT/2000/XP LanMan Hashes OpenVMS and SYSUAF.DAT AFS/Kerberos v4 TGT S/Key skeykeys files Netscape LDAP server passwords MySQL passwords
20
Beyond Network Security…. We Build Peace of Mind 20 Securing Users/Roles (Advanced) selinux http://www.nsa.gov/selinux/ http://www.nsa.gov/selinux/ Security Enhanced Linux Establish MAC (Mandatory Access Controls) Controls based on Objects not permissions. Root is not all powerful. Allows compartmentalized controls. Really confusing for most mortals.
21
Beyond Network Security…. We Build Peace of Mind 21 Exploiting Switched Networks Ettercap http://ettercap.sourceforge.net/ http://ettercap.sourceforge.net/ Enables the sniffing and capture of switched networks. ARP poisoning Man in the Middle Passive OS identification Password capture Passive Portmap
22
Beyond Network Security…. We Build Peace of Mind 22 Exploiting EndUser Machines Metasploit http://www.metasploit.com/ http://www.metasploit.com/ Framework for exploits Able to execute multiple options vs. a single vulnerability. 32 separate exploits 23 separate shellcodes
23
Beyond Network Security…. We Build Peace of Mind 23 Deceptive Services dtk – Deception ToolKit http://www.all.net/dtk/dtk.html http://www.all.net/dtk/dtk.html Pretend to run other services. Pretend to be other OS’s Prevent the attacker for gaining knowledge
24
Beyond Network Security…. We Build Peace of Mind 24 Deceptive Networks honeyd http://www.honeyd.org/ http://www.honeyd.org/ Simulates thousands of virtual hosts at the same time. Configuration of arbitrary services via simple configuration file: Includes proxy connects. Passive fingerprinting to identify remote hosts. Random sampling for load scaling. Simulates operating systems at TCP/IP stack level: Fools nmap and xprobe, Simulation of arbitrary routing topologies: Subsystem virtualization: Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc...
25
Beyond Network Security…. We Build Peace of Mind 25 Detecting Network Attacks Snort with ACID Snort – Network IDS http://www.snort.org/ http://www.snort.org/ Rules based detection of network threats. Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. ACID – Web front-End to Snort http://acidlab.sourceforge.net/ http://acidlab.sourceforge.net/ Enables rapid queries Displays threats graphically Uses back-end DB
26
Beyond Network Security…. We Build Peace of Mind 26 Detecting Network Traffic Ethereal http://www.ethereal.com/ http://www.ethereal.com/ Not really a Detection, but a GREAT sniffer! Decodes over 600 protocols FTP, SMTP, ICMP, RIP,… Has statistical analysis tools Allows deep inspection of network traffic
27
Beyond Network Security…. We Build Peace of Mind 27 Detecting Compromised Boxes chkrootkit http://www.chkrootkit.org/ http://www.chkrootkit.org/ Detects 56 different root-kits Detects unknown deletions and clean-ups Works on Linux 2.0.x, 2.2.x and 2.4.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.5.2, Solaris 2.5.1, 2.6 and 8.0, HP-UX 11, Tru64 and BSDI.
28
Beyond Network Security…. We Build Peace of Mind 28 So where can I get this stuff easily? Many ISO images of bootable linux available. [P]rofessional [H]acker's [L]inux [A]ssault [K]it http://www.phlak.org Local Area Security http://www.localareasecurity.com/ Knoppix security tools distribution http://www.knoppix-std.org/
29
Beyond Network Security…. We Build Peace of Mind 29 What about Windows? Most tools have Windows versions Nmap, pavuk, ettercap, Metasploit, etc.. Some are not Open-Source, but are available for private use Nessus Windows Technology http://www.tenablesecurity.com/newt.html Others will work under cygwin Linux/Unix for Windows http://www.cygwin.com/ http://www.cygwin.com/
30
Beyond Network Security…. We Build Peace of Mind 30 Questions? This is when you complain that I did not include your favorite tool. Or when you tell me what a great time you had.
31
S C I E N C E A P P L I C A T I O N S I N T E R N A T I O N A L C O R P O R A T I O N Scott C. Kennedy Chief Engineer, Secure Networking Engineering 4224 Campus Point Court San Diego, CA 92121 858.826.3035
32
Beyond Network Security…. We Build Peace of Mind 32 SANS 2003 Top 20 Vulnerabilities Windows 1.Internet Information Server (IIS) 2.Microsoft SQL Server (MSSQL) 3.Windows Authentication (LANMAN) 4.Internet Explorer (IE) 5.Windows Remote Access Service 6.Microsoft Data Access Components (MDAC) 7.Windows Scripting Host (WSH) 8.Microsoft Outlook & Outlook Express 9.Windows Peer to Peer Sharing (P2P) 10.Simple Network Management Protocol (SNMP) Unix/Linux 1.BIND Domain Name System (DNS) 2.Remote Procedure Call (RPC) 3.Apache Web Server 4.General Unix Authentication 5.Clear Text Services (Telnet/ftp/rsh) 6.Sendmail (SMTP) 7.Simple Network Management Protocol (SNMP) 8.Secure Shell (SSH) 9.Misconfiguration of Enterprise Services (NIS/NFS) 10.Open Secure Sockets Layer (OpenSSL)
33
Beyond Network Security…. We Build Peace of Mind 33 SANS 2004 Top 20 Vulnerabilities Windows 1.Web Servers & Services 2.Workstation Service 3.Windows Remote Access Service 4.Microsoft SQL Server (MSSQL) 5.Windows Authentication 6.Web Browsers 7.File Sharing Applications 8.LSASS Exposures 9.Mail Client 10. Instant Messaging Unix/Linux 1.BIND Domain Name System (DNS) 2.Web Server 3.Authentication 4.Version Control Systems 5.Mail Transport Service 6.Simple Network Management Protocol (SNMP) 7.Open Secure Sockets Layer (OpenSSL) 8.Misconfiguration of Enterprise Services (NIS/NFS) 9.Databases 10. Kernel
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.