CSCD 434 Lecture 9a, Spring 2012: Wardriving and Vulnerability Scanning

Post on 16-Jan-2016


CSCD 434
Lecture 9a, Spring 2012
Wardriving and Vulnerability Scanning

Introduction
• Wardriving
– Reconnaissance technique used to locate wireless networks
– Determine location, encryption used
– Vulnerability to compromise
• Vulnerability scanning
– Allows network administrators to test their networks for known vulnerabilities
– Works closely with vulnerability databases

War Dialing
• What is War Dialing?
– War dialing is the practice of dialing all the phone numbers in a range in order to find those that will answer with a modem
– Modems can still be the single biggest hole that an administrator may face
– Hope of finding anything interesting. Interesting items often include test tones, computers, Voice Mail Boxes (VMB's), Private Branch Exchanges (PBX's), government offices and modems

War Dialing
• How to do it ...
– War dialing one telephone number takes approximately 35 seconds. This means that war dialing a prefix of ten thousand numbers will take just over four days
– Or, use a war dialing program, like:
• Warvox, from the Metasploit author: http://warvox.org/#Licensing
• Iwar - Intelligent War Dialer for Linux: https://www.softwink.com/iwar/

Wardriving - Background
• Wi-Fi: Wireless Networks
– Wireless Access points provide bridge to Internet
• Wireless Network Attributes
– Network access through thin air
– Wireless networks often configured without any security
– Commonly used Wi-Fi security protocols broken
– Looking for wireless access points is fun!
• You can potentially hack from comfort of your Car!!

Wardriving
• Goal
– Locate WLAN's and determine their SSID's
• SSID
• MAC Address
• Security (WEP, WPA, WPA2 etc.)
• Signal strength and Location (need GPS)
• Definition:
– Service Set ID. SSID is the identifying name of a wireless network
• SSID transmitted in clear text by access points and all wireless cards using the access points

Wardriving
• Wardriving
– Who invented it?
– Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
– Website: http://www.dis.org/shipley/
– How does it work?
• 802.11 signals are only valid for a short distance, so aren't we safe from War Drivers? Is this true?

Wardriving
• Distances in 802.11
– Normal ... signal travels 100 meters or less
– War driving: don't need to send traffic, just detect the LAN
– If using a high-gain antenna, researchers have shown signals can travel > 2 km or 1.2 miles
• Km to miles – 1 km = .62 miles
– When both ends have a high-gain antenna, signals can travel > 100 km or 62 miles!!!!
• High-gain antenna (HGA): an antenna with a focused, narrow radiowave beam
• Narrow beam allows more precise targeting of where the radio signal goes - also known as a directional antenna

Serious Wardriving rig!!

Wardriving
• Then, there's the fashion conscious
http://www.theinquirer.net/inquirer/news/1020852/kisses-renderman-brave-inq-snapperazzi

War Driving
• Techniques
– Active Scanning
– Passive Scanning
– Forcing de-authentication

War Driving
• Active Scanning
– Broadcast 802.11 probe packets with SSID of "any", check for access points in range
• Like going outside and shouting, "Who's there?"
• If probe packet is specific for an SSID, only that network responds
• Probe packet of "any" gets responses from all networks in range
• Active, because the tool sends out packets

War Driving
– Netstumbler is a free tool for doing active scanning: http://www.netstumbler.com
• Has been a popular tool for active scanning WLAN's
• Runs in Windows XP, not Windows 7 or Vista
• Istumbler99
• Similar program that runs on your iPhone: http://istumbler.net/
• inSSIDer, an alternative to NetStumbler
• Does work with Windows Vista, Windows 7, 64-bit PCs and Linux
http://www.metageek.net/products/inssider/

Netstumbler
• What does Netstumbler do?
– Gathers MAC address,
– SSIDs,
– Wireless channels and relative signal strength of each access point
– Tells if security is turned on (WEP)
– Coordinates with GPS system
• Locates access points on a map

Netstumbler

War Driving Stats
• Statistics (Ed Skoudis)
– Netstumbler
– ORiNOCO antenna
– Laptop
– Taxi cab in NY City
– Result!!
• One hour found 455 access points

War Driving Stats
http://www.theinquirer.net/inquirer/news/654/1045654/london-leads-wifi-access-points
• From survey by RSA, security firm, 2008
– London still has more wireless network access points, 12,276, than
– New York City, 9,227, or
– Paris, 4,481
• How many are unsecured or lightly secured?

War Driving Stats
• Looked at Access Point Security
– New York: 97 % of corporate access points used encryption
• Was 76 % in 2007
– Paris: 94 % of corporate access points were encrypted, 72 % had WPA or more
– London: 20 % of corporate AP's unsecured, 48 % beyond WEP

San Francisco Wi-Fi's

War Driving
• Defense Against Active Scanning
– Configure access points to ignore probes with "any" set
– Becomes invisible to Netstumbler
– Active scanning alerts security people to attacker presence, if monitoring
– Improved method is Passive Scanning

War Driving
• Passive Scanning
– Stealthier way of discovering WLAN's
– Puts wireless card into rfmon mode
• Monitor Mode
• Able to sniff all wireless traffic from the air
– All AP's periodically transmit beacons to announce their presence, every 1/10th of a second; beacons contain important network information, especially the SSID
– Tools listen for beacons to discover wireless networks
– Don't send data .. this is a passive scanning technique

War Driving
• Passive Scanning
– Kismet – by Mike Kershaw
• Does detailed packet capture and analysis
• Linux, but can run it in cygwin for Windows
• http://www.kismetwireless.net
– Wellenreiter - by Max Moser
• Optimized for war-driving
• http://www.remote-exploit.org
• Runs on Linux and supports prism2, lucent, and cisco wireless card types

War Driving
• Passive Scanning
– rfmon allows a machine to view all packets within range from multiple WLAN's
– Doesn't associate with any of them!!!
– Intercepts beacons and extracts SSID's from them
– SSID's sent in clear text!

War Driving
• Passive Scanning
– After discovering wireless AP or client, gains SSID
• Listens then for ARP or DHCP traffic to determine MAC and IP of each discovered wireless device

Defenses to War Driving
• Can set AP to omit SSID from Beacon packet
– Not broadcasting name to the world!
• Set up stronger authentication to AP's
– MAC address is not a great form of authentication
– MAC addresses can be easily reset to anything in Linux or Unix
$ ifconfig eth0 hw ether mymacaddress
• Windows a bit harder
– Use strong authentication with 802.11i, not WEP
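As an added example (not part of the lecture), the Python below parses the two 802.11 management frames the scanning slides revolve around: beacons, which a passive tool in rfmon mode reads to recover the SSID, channel, beacon interval and whether WEP or WPA2 is in use, and probe requests, whose empty SSID is the "any" probe that active scanners send and that a monitoring team can flag. A beacon from an AP configured to omit its SSID parses to an empty SSID, which is all that defense buys. The sample frames are constructed here, not real captures; field offsets follow the 802.11 management frame layout.

```python
import struct
FC_BEACON, FC_PROBE_REQ = 0x80, 0x40   # frame-control byte 0: management type, subtype 8 / 4
TAG_SSID, TAG_DS, TAG_RSN = 0, 3, 48    # information-element IDs: SSID, DS parameter set (channel), RSN

def parse_tags(body):
    """Walk the (id, length, value) information elements that follow the fixed fields."""
    tags = []
    while len(body) >= 2:
        tid, tlen = body[0], body[1]
        tags.append((tid, body[2:2 + tlen]))
        body = body[2 + tlen:]
    return tags

def parse_mgmt(frame):
    """Describe a beacon or probe request; return None for any other frame or a truncated one."""
    if len(frame) < 24 or frame[0] not in (FC_BEACON, FC_PROBE_REQ):
        return None
    info = {"src": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":"), "security": None}
    body = frame[24:]                                          # skip the 24-byte MAC header
    if frame[0] == FC_BEACON:
        if len(body) < 12:
            return None
        _ts, interval, cap = struct.unpack("<QHH", body[:12])  # timestamp, beacon interval (TU), capability
        info.update(kind="beacon", interval_ms=interval * 1.024, privacy=bool(cap & 0x0010))
        body = body[12:]
    else:
        info["kind"] = "probe-req"                             # probe requests have no fixed fields
    tags = parse_tags(body)
    ssid = next((v for t, v in tags if t == TAG_SSID), b"")
    info["ssid"] = ssid.decode("utf-8", "replace")
    info["wildcard"] = ssid == b""   # empty SSID: hidden network in a beacon, "any" in a probe request
    info["channel"] = next((v[0] for t, v in tags if t == TAG_DS and v), None)
    if info["kind"] == "beacon":     # RSN element => WPA2; privacy bit alone => WEP (WPA1 vendor IE not checked)
        info["security"] = "WPA2" if any(t == TAG_RSN for t, _ in tags) else "WEP" if info["privacy"] else "open"
    return info

def build_mgmt(fc, src, bssid, fixed, tags):
    """Assemble a management frame; used only to construct the sample data below."""
    hdr = bytes([fc, 0, 0, 0]) + b"\xff" * 6 + src + bssid + b"\x00\x00"   # FC, duration, DA, SA, BSSID, seq
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in tags)

# Constructed sample frames (not a real capture): a WPA2 AP, a hidden-SSID WEP AP, one wildcard probe
AP1, AP2, CLIENT = (bytes.fromhex(h) for h in ("0211223344aa", "0211223344bb", "0299999999ee"))
FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # interval 100 TU (~1/10 s); ESS + privacy bits
SAMPLES = [
    build_mgmt(FC_BEACON, AP1, AP1, FIXED, [(TAG_SSID, b"lab-net"), (TAG_DS, b"\x06"), (TAG_RSN, b"\x01\x00")]),
    build_mgmt(FC_BEACON, AP2, AP2, FIXED, [(TAG_SSID, b""), (TAG_DS, b"\x0b")]),
    build_mgmt(FC_PROBE_REQ, CLIENT, b"\xff" * 6, b"", [(TAG_SSID, b"")]),
]
```

Running `parse_mgmt` over `SAMPLES` gives one record per frame; a survey tool would key beacons by BSSID and count wildcard probe requests per source address.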

Defenses to War Driving
• Recommend use of Virtual Private Networks
– VPN's use encryption
– Help prevent sniffing of traffic
– VPN's typically deployed across the Internet to connect clients securely to corporate networks
– Yet, can serve similar purpose for wireless networks in home or corporate environment

War Driving
http://www.wardrive.net/wardriving/faq
• Is it illegal to War drive?
• Legality of wardriving hasn't been tested, but few people think that wardriving itself is illegal.
• What is illegal is connecting to and using networks without the network owner's permission
– Which is what most people call "breaking into a network"
• Wardriving has taken some hits by the press because network crackers will sometimes use wardriving tools to locate networks to break into.

War Driving
• Staying within legal bounds
– Adhere to a relatively strict code of ethics:
• Don't look.
• Don't touch.
• Don't play through.
In other words, 1) don't examine the contents of a network; 2) don't add, delete, or change anything on the network, and 3) don't even use the network's Internet connection for Web surfing, email, chat, FTP, or anything else.
• Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it

Resources
• URL's Wireless
http://www.wardrive.com
http://wardrive.net
http://www.netstumbler.net
http://www.remote-exploit.org
http://www.kismetwireless.net
http://sourceforge.net/projects/airjack
• T-shirt - "Wardriving is not a crime"
http://www.hackerstickers.com/products/wardriving-t-shirt.shtml
• Books
http://www.amazon.com/gp/product/0764597302

Vulnerability Assessment

Vulnerability Assessment
• All OS platforms have vulnerabilities
– Windows, Unix/Linux and yes, MAC too!
– OS drivers and utilities have vulnerabilities
– Applications that run on OS platforms have vulnerabilities
– These "holes" into your network and systems are beyond the network protocol vulnerabilities
– Lots of software vulnerabilities and some system level vulnerabilities such as weak password policies

Definitions
• What is a computer system vulnerability? A Vulnerability is
• Software flaw,
• Configuration error, or series of errors
• That allow access or expose data to attackers or users that are not authorized
– Vulnerabilities may result from
• Bugs in application code or design flaws in the system
– A vulnerability could be
• Hypothetical, or
• Have a known associated exploit

Vulnerabilities
• Who discovers them?
• Humans discover them:
• Hacker groups
• Security company or
• "Researchers"
– Discovers specific way to violate security of a software product
– Discovery may be accidental or through directed research
– Vulnerability is then released to security community

Release of Vulnerabilities
• Both security researchers and hackers publish vulnerabilities
• Publishing vulnerabilities is controversial
• Question ....
• What are the pros and cons of alerting the world to vulnerabilities?

More Definitions
• What is an exploit?
– Piece of software, or sequence of commands, that takes advantage
– Of a bug, glitch or vulnerability to get unintended or unanticipated behavior out of computer software, hardware, or other electronic devices
– Frequently includes
• Gaining control of a computer system
• Allowing privilege escalation
• Denial of service attack

Examples of Exploits
• Trojan horse Phel -- an anagram of the word help -- attacks Windows XP
• Trojan capable of remotely controlling a user's system even if the latest Windows XP Service Pack has been installed
• Trojan horse, distributed as an HTML file
– Attempts to exploit vulnerability in Internet Explorer's HTML Help Control component in all versions of Windows … 2004

Scanning
• Vulnerability Scanning
– Next stage in information gathering
• At this stage, want to identify specific vulnerabilities on target systems so that attacker can run exploit against them to gain access
– Can automate process of checking system for known vulnerabilities
• Maybe hundreds of vulnerabilities in a given year
• What are the chances they didn't get all patched?

Vulnerability Scanners
• 1992 - First one
• Internet Security Scanner (ISS)
• 1995
• SATAN - Security Admin Tool for Analyzing Networks
• Dan Farmer and Wietse Venema
• Wider checks
• 1998
• Nessus - Was Open Source, built on their ideas
• Still one of most popular, home use still free
• Now charge for its use!
• 2008
• OpenVAS was initially named GNessUs as a fork of the Nessus security scanner

Scanning
• Vulnerability Scanning
– Looks for several types of vulnerabilities
• Configuration errors
• Default configuration weaknesses
• Well-known system vulnerabilities
– Number of scanners available
• Some are free
• Some cost a lot of money
• Some of the most popular vulnerability scanners are free

Scanning
• Vulnerability Scanners
• Retina http://www.eeye.com
• IBM ISS Internet Scanner http://www.iss.net
• Nessus http://www.nessus.org/
• GFI LANguard Network Security Scanner http://www.gfi.com/lannetscan

Scanning Nessus
• Nessus
• Flexible – can write your own vulnerability checks
• Called plugins, has own scripting language
• Source code supplied
• Lots of developers – to enhance functionality
• Free for home use, corporate use - now costs money
• Uses Common Vulnerabilities and Exposures database
• Allows Nessus to cross reference with other tools that are CVE compliant

Scanning Nessus
• Nessus
• Runs on Linux, Unix and Windows
• Nessus doesn't use large Database of vulnerabilities that gets updated
• It uses Nessus Attack Scripting Language (NASL)
• Allows people to write their own scripts, plug-ins
– It provides plug-in interface
• Many free plug-ins are available from http://www.nessus.org/plugins/index.php?view=all
» Plug-ins specific to detecting a common virus or vulnerability
» Like a virus signature

Scanners Nessus
• Example Nessus Plugins - Backdoor Plugins
– Zotob Worm
– IRC bot detection
– SMTP server on a strange port
– Kibuv worm detection
– TFTP backdoor
– Xerox MicroServer Unauthorized Access Vulnerabilities
– Port TCP:0
– XAMPP Default FTP Account
– Default web account on Zyxel
– Bofra Virus Detection
– MoonLit Virus Backdoor

Scanning With Nessus
• Nessus
– What vulnerabilities can it discover?
• A few of the common ones include
– Finger – often misconfigured
– Windows Vulnerabilities – many of them
– CGI Problems – scripts often have vulnerabilities
– RPC – remote procedure call program
– Firewalls – mis-configured
– FTP – has had a lot of vulnerabilities
» Looks for unpatched FTP implementation
– Can just look at the plug-ins list for a sample

Scanning With Nessus
• Nessus
– Has a client/server architecture
– Can run it from a Server and allow many clients
– Or, can run the client and server on one machine
– From GUI Interface
• Can decide which vulnerability to run
• Can target one machine or an entire network
• Decide on encryption algorithm for client/server communication

Nessus
Configure with Respect to Plugin

Scanning With Nessus
• Nessus
– Each vulnerability is ranked with respect to risk
• Low, medium and high
• Should interpret the risk results only in view of your own system
• Same vulnerability may not be high risk for you
– Recommendations are made for fixing vulnerability

Nessus Reports
Reporting Screen

OpenVAS vs. Nessus
• As Nessus became commercialized, OpenVAS became the open source version
• OpenVAS was initially named GNessUs as a fork of the Nessus security scanner to allow future free development of the now-proprietary tool
• OpenVAS was originally proposed by pentesters at Portcullis Computer Security ... around 2005
• OpenVAS is actively being developed and supported
http://www.openvas.org/

Lab on OpenVAS Coming Up

Vulnerability Databases and Information

National Vulnerability Database
• NVD, comprehensive cyber security vulnerability database
– Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
– Based on and synchronized with the CVE vulnerability naming standard
• NVD is the CVE standard augmented with additional analysis, a database, and a fine grained search engine. NVD is a superset of CVE
• NVD is synchronized with CVE such that any updates to CVE appear immediately on NVD
http://nvd.nist.gov/

Common Vulnerabilities and Exposures (CVE)
• A list of standardized names for vulnerabilities and other information security exposures (CVE)
– CVE standardizes names for all publicly known vulnerabilities and security exposures and is a community wide effort
– Content of CVE is collaborative effort of CVE Editorial Board
• Includes representatives from over 20 security-related organizations
• Security tool vendors, academic institutions, and government
– MITRE Corporation maintains CVE and moderates Editorial Board discussions.
• CVE, http://cve.mitre.org

Common Vulnerabilities and Exposures
• Example CVE Entries
– CVE-1999-0002 Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
– CVE-1999-0003 Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)
– CVE-1999-0005 Arbitrary command execution via IMAP buffer overflow in authenticate command.

Scanners
• What should you do with a Vulnerability scanner?
– Run it against your own systems
– Do this before an attacker does
– Look at results
– Fix reported vulnerabilities if a problem for your site
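As an added example (not from the lecture), the Python below does what the Nessus, CVE and "what should you do with a scanner" slides describe together: it validates identifiers against the CVE naming format, cross-references findings from two CVE-compliant scanners on the same name, and re-ranks the scanner's low/medium/high rating for your own site before you decide what to fix. The two reports and the host addresses are constructed sample data; the CVE identifiers are the example entries quoted above.

```python
import re
from collections import defaultdict
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")      # CVE naming standard: CVE-<year>-<4+ digit sequence>
RISK_LEVEL = {"low": 1, "medium": 2, "high": 3}  # the low/medium/high ranking from the Nessus slides
LEVEL_NAME = {v: k for k, v in RISK_LEVEL.items()}

# Constructed sample findings from two CVE-compliant scanners (not real tool output);
# the CVE names are the example entries quoted in the lecture, the hosts are made up.
NESSUS = [
    {"host": "10.0.0.5", "cve": "CVE-1999-0002", "risk": "high"},
    {"host": "10.0.0.5", "cve": "CVE-1999-0005", "risk": "high"},
    {"host": "10.0.0.9", "cve": "cve-1999-0003", "risk": "medium"},
    {"host": "10.0.0.9", "cve": "NOT-A-CVE", "risk": "low"},       # tool-specific check, no CVE name
]
OPENVAS = [
    {"host": "10.0.0.5", "cve": "CVE-1999-0002", "risk": "high"},
    {"host": "10.0.0.9", "cve": "CVE-1999-0003", "risk": "high"},
]

def normalize_cve(name):
    """Canonical upper-case CVE ID, or None when the string is not a CVE name."""
    name = name.strip().upper()
    return name if CVE_RE.match(name) else None

def merge_findings(*reports):
    """Cross-reference (tool, findings) pairs by CVE ID: one entry per (host, CVE)
    recording every risk rating given and every tool that reported it."""
    merged = defaultdict(lambda: {"risks": set(), "tools": set()})
    for tool, findings in reports:
        for f in findings:
            cve = normalize_cve(f["cve"])
            if cve is None:
                continue                     # cannot be cross-referenced without a CVE name
            merged[(f["host"], cve)]["risks"].add(f["risk"].lower())
            merged[(f["host"], cve)]["tools"].add(tool)
    return dict(merged)

def prioritize(merged, exposure):
    """Order findings for your own site: take the worst scanner rating, then demote it one
    level when the host is internal-only (exposure maps host -> "internet" | "internal").
    The same vulnerability is not equally risky everywhere, which the scanner cannot know."""
    ranked = []
    for (host, cve), entry in merged.items():
        level = max(RISK_LEVEL[r] for r in entry["risks"])
        if exposure.get(host) == "internal":
            level = max(1, level - 1)
        ranked.append((host, cve, LEVEL_NAME[level], sorted(entry["tools"])))
    ranked.sort(key=lambda r: (-RISK_LEVEL[r[2]], -len(r[3]), r[0], r[1]))
    return ranked
```

Findings seen by both tools sort ahead of single-tool findings at the same level, which is the practical payoff of CVE-compliant output.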

Summary of Techniques
• So far ...
– To attack a specific system – not widespread worm or virus attack
– Attackers must do a lot of work
• Reconnaissance – Gather information
– Dumpster diving
– Whois database
– DNS queries, physical access
• IP Scanning
– Identify hosts, services and operating systems
– Host and port scanning, stack fingerprinting
– Vulnerability scanning last stage of scanning phase
• Next phase is attack

The End

Lab this Week: OpenVAS Vulnerability Scanning
See Lab page for reading on OpenVAS