ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities
Page 1: ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities.



White Hat Agreement

6/14ISA 3200 Summer 2010

2

Discuss applicability to this class

Will post


Learning Objectives

Name the common categories of vulnerabilities

Discuss common system and network vulnerabilities

Locate and access sources of information about emerging vulnerabilities

Identify the names and functions of the widely available scanning and analysis tools


Introduction

To maintain secure networks, information security professionals must be prepared to identify system vulnerabilities, whether by hiring system assessment experts or by conducting self-assessments using scanning and penetration tools

A network security vulnerability is a defect in a product, process, or procedure that, if exploited, may result in a violation of security policy, which in turn might lead to loss of revenue, loss of information, or loss of value to the organization


Common Vulnerabilities

Common vulnerabilities fall into two broad classes:

Defects in software or firmware

Weaknesses in processes and procedures


Defects in Software or Firmware

Buffer overruns (or buffer overflows) arise when the quantity of input data exceeds the size of the available data area (buffer)

Injection attacks can occur when a programmer does not properly validate user input; if an attacker's input is passed unchanged into a database query, the result is a SQL injection vulnerability

Network traffic is vulnerable to eavesdropping because a network medium is essentially an open channel
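The injection defect above, shown as an added example (not code from the slides): a lookup that splices user input into SQL text next to the two defenses the slide calls for, validating the input and passing it as a bound parameter. The database, table and inputs are constructed in memory for the demonstration.

```python
"""Injection defect vs. input validation and parameterized queries (added example).

Uses an in-memory SQLite database with constructed sample rows.
"""
import re
import sqlite3

# Allowlist for a user name: letters, digits, underscore, bounded length (constructed policy).
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_name(name):
    """The slide's 'validate user input' step, applied before any query is built."""
    return bool(NAME_RE.match(name))


def make_db():
    """Constructed sample data: a tiny user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Defect: the input is concatenated into the SQL text, so it can change the
    query's structure instead of only supplying a value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fix: the driver binds the value separately from the statement, so the
    input is always treated as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed inputs: a normal name and one containing SQL syntax.
BENIGN = "bob"
MALFORMED = "x' OR '1'='1"


def demo():
    """Run both lookups so the difference in behaviour can be checked."""
    conn = make_db()
    return {
        "vulnerable_benign": lookup_vulnerable(conn, BENIGN),
        "vulnerable_malformed": lookup_vulnerable(conn, MALFORMED),   # returns every row
        "safe_malformed": lookup_parameterized(conn, MALFORMED),      # matches nothing
        "validation_rejects": not is_valid_name(MALFORMED),
    }
```

The parameterized query alone closes the injection hole; the allowlist check is the slide's "validate user input" step and is worth keeping as defense in depth, because it rejects the input before it reaches any query at all.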


Defects in Software or Firmware (continued)

How can security professionals remain abreast of all the vulnerabilities?

First and perhaps foremost, they must know:

The organization’s security policies

The software and hardware the organization uses

Information security professionals should regularly consult these public disclosure lists:

Vendor announcements

Full disclosure mailing lists

CVE: the Common Vulnerabilities and Exposures database


References


M. Howard, D. LeBlanc, J. Viega, 24 Deadly Sins of Software Security: a catalog of problem areas

Anderson, Security Engineering: methodologies to incorporate security into software development


Reporting Vulnerabilities


Vendor Announcements

Full disclosure lists

Bugtraq: http://www.securityfocus.com/ (examine a page)

Internet Storm Center http://isc.sans.edu/


Vendor Announcements


BugTraq


Weaknesses in Processes and Procedures


Just as hazardous as software vulnerabilities

More difficult to detect and fix because they typically involve the human element

Often arise when policy is violated or when the processes and procedures that implement policy are inadequate or fail

To ensure security policy is implemented, organizations should hold regular security awareness training and regularly review policies and their implementation

Firewalls & Network Security, 2nd ed. - Chapter 4 Slide 12


Scanning and Analysis Tools

To truly assess risk within a computing environment, technical controls must be deployed using a strategy of defense in depth

Scanners and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network

Scanners, sniffers, and other such vulnerability analysis tools are invaluable because they enable administrators to see what attackers see


Scanning and Analysis Tools (continued)

Scanning tools are typically used as part of an attack protocol

Attack protocol is a series of steps or processes used by attacker, in logical sequence, to launch attack against target system or network

This may begin with a collection of publicly available information about a potential target, a process known as footprinting

Attacker uses public Internet data sources to perform searches to identify network addresses of the organization


Footprinting

Most important information for footprinting purposes is IP address range

Another piece of useful information is name, phone number, and e-mail address of the technical contact

This research is augmented by browsing the organization’s Web pages since Web pages usually contain information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks


Footprinting (continued)

To assist in footprint intelligence collection process, an enhanced Web scanner can be used that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses


Fingerprinting


http://ws.arin.net/whois 130.218.123.38

Note the name of the institution


Sam Spade


http://majorgeeks.com/Sam_Spade_d594.html

Sam Spade is a general-purpose Internet utility package, with some extra features to help in tracing the source of spam and other forms of Internet harassment.

Sam Spade features include: ping, nslookup, whois, IP block, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, Usenet cancel check, website download, website search, email header analysis, email blacklist query, abuse address query


Sam Spade


Shared Folders


Setting up a folder on the host to be visible in a guest

Look in Network Neighborhood or Network Places

\\vmware-host\Shared Folders


Demo


SamSpade: browse a web page; crawl a web site

Turnkey LAMP has some files in the directory build

Using FileZilla to upload to LAMP.


Fingerprinting

Next phase of attack protocol is data-gathering process called fingerprinting, a systematic survey of all of the target organization’s Internet addresses that is conducted to identify network services offered by hosts in that range

Fingerprinting reveals useful information about internal structure and operational nature of the target system or network


OS Detection


Xprobe

What does it mean that we get a .tar file?


Port Scanners

Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as ports and services active on those computers, functions and roles the machines are fulfilling, and other useful information

The more specific the scanner is, the better and more useful the information it provides is, but a generic, broad-based scanner can help locate and identify rogue nodes on the network
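The slide notes that port scanners serve defenders as well as attackers; the defender's side of the same activity is recognising a scan in the firewall log. The following is an added example (not from the slides or any product) that flags a source which touches many distinct ports on a target within a short window. The log lines are constructed in a generic key=value layout that is an assumption, not any firewall's real format.

```python
"""Port-scan detection over constructed firewall log lines (added example).

The "key=value" line layout is an assumption for the demonstration, not a
particular product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sweeps seven ports in four seconds,
# another source makes three ordinary connections spread over twenty minutes.
SAMPLE_LOG = """\
2010-06-14T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=21
2010-06-14T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2010-06-14T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=23
2010-06-14T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=25
2010-06-14T10:00:03 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2010-06-14T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2010-06-14T10:00:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=8080
2010-06-14T10:00:05 ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=TCP dport=80
2010-06-14T10:05:09 ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=TCP dport=443
2010-06-14T10:20:00 DROP src=203.0.113.4 dst=192.0.2.10 proto=TCP dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        }


def detect_scans(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: most distinct (dst, port) pairs hit inside any window}
    for every source that reaches the threshold; both limits are tunable."""
    by_src = defaultdict(list)
    for ev in parse_log(lines):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        # Slide a window forward from each event and count distinct targets in it.
        for i, start in enumerate(events):
            targets = set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                targets.add((ev["dst"], ev["dport"]))
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = best
    return alerts
```

Both DROP and ACCEPT lines count, since a scan that finds an open port still probed the closed ones around it; the window and threshold are the two knobs to tune against the organisation's own traffic so that a busy legitimate client is not flagged.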


Port Scanners (continued)

Port is a network channel or connection point in a data communications system

Within TCP/IP, TCP and UDP port numbers differentiate multiple communication channels used to connect to network services being offered on same device

In all, there are 65,536 port numbers in use for TCP and another 65,536 port numbers for UDP

Ports greater than 1023 typically referred to as ephemeral ports and may be randomly allocated to server and client processes


Port Scanners (continued)

Why secure open ports?

An open port is an open door and can be used by an attacker to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device

The general policy statement is to remove from service or secure any port not absolutely necessary to conducting business
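One way to apply that policy statement on a host you administer, as an added example (not from the slides): compare the ports a server is actually listening on against the short list the business case requires, and report everything else together with whether it is reachable from the network or only from loopback. The listener table and the allowlist are constructed for the demonstration; the line layout is an assumption, not the output of any particular tool.

```python
"""Audit listening TCP ports against a business allowlist (added example).

The listener table below is constructed sample text in a simple
"proto local_address:port process" layout, not real tool output.
"""

# Ports the (hypothetical) business case says this server must offer.
ALLOWED_PORTS = {22, 80, 443}

# Constructed listener table, including IPv6 and wildcard bind addresses.
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 telnetd
tcp 127.0.0.1:3306 mysqld
tcp *:80 apache2
tcp [::]:443 apache2
tcp 0.0.0.0:8080 java
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_listeners(text):
    """Parse 'proto addr:port process' lines, tolerating IPv6 brackets and '*'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        proto, local, proc = parts
        addr, port = local.rsplit(":", 1)   # rsplit so "[::]:443" keeps its address
        addr = addr.strip("[]")
        rows.append({"proto": proto, "addr": addr, "port": int(port), "process": proc})
    return rows


def audit_listeners(text, allowed=ALLOWED_PORTS):
    """Return every listener outside the allowlist, tagged with its exposure.

    'network' means any interface may reach it; 'loopback' means only local
    processes can, which lowers the risk but still violates the policy."""
    findings = []
    for row in parse_listeners(text):
        if row["port"] in allowed:
            continue
        exposure = "loopback" if row["addr"] in LOOPBACK else "network"
        findings.append({**row, "exposure": exposure})
    return sorted(findings, key=lambda f: f["port"])
```

Each finding names the process, so the follow-up is concrete: stop or uninstall the service (23, 8080 here), or bind it to loopback or behind a firewall rule if it is genuinely needed but not from the network.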


Some standard ports


Port        Service
20 and 21   FTP
22          SSH
23          Telnet
25          SMTP
80          HTTP
443         HTTPS
8080        Various servers


Some Standard Ports


Which would be likely to be open on different types of systems?


Demo


Install and run NMap


Firewall Analysis Tools

Understanding exactly where organization’s firewall is located and what existing rule sets do are very important steps for any security administrator

Several tools automate the remote discovery of firewall rules and assist the administrator (or attacker) in analyzing those rules to determine exactly what they allow and what they reject


Firewall Analysis Tools (continued)

Administrators wary of using the same tools attackers use should remember:

Regardless of the nature of the tool used to validate or analyze a firewall’s configuration, it is the intent of the user that dictates how the information gathered will be used

To defend a computer or network, it is necessary to understand ways it can be attacked; thus, a tool that can help close up an open or poorly configured firewall helps network defender minimize risk from attack


Operating System Detection Tools

Identifying target computer’s operating system is very valuable to attacker

Once the operating system is known, it is easy to determine all vulnerabilities to which it might be susceptible


Vulnerability Scanners

Passive vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software

Active vulnerability scanners scan networks for highly detailed information by initiating network traffic in order to identify security holes

These scanners identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers


Vulnerability Scanners (continued)


Demo


Install and run Nessus


Vulnerability Validation

Often, an organization requires proof that system is actually vulnerable to certain attacks

May require such proof to avoid having system administrators attempt to repair systems that are not broken or because they have not yet built satisfactory relationship with vulnerability assessment team

Class of scanners exists that exploit remote machine and allow vulnerability analyst (penetration tester) to create accounts, modify Web pages, or view data


Vulnerability Validation (continued)


Packet Sniffers

Network tool that collects copies of packets from network and analyzes them

Sometimes called a network protocol analyzer

Can provide network administrator with valuable information for diagnosing and resolving networking issues

In the wrong hands, sniffer can be used to eavesdrop on network traffic
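The packet sniffer slides and the earlier passive vulnerability scanner slide describe the same building blocks: copy frames off the wire, decode the protocol layers, and read what servers announce about themselves. The following added example (not code from the slides or from any sniffer product) combines both: it decodes constructed Ethernet/IPv4/TCP frames, pulls the SSH identification string or HTTP Server header out of the payload, and checks the version against a placeholder "known vulnerable" table. The product names in that table are invented for the demonstration; a real deployment would populate it from the vendor advisories and CVE feeds the chapter points to.

```python
"""Passive service-version detection from captured frames (added example).

Frames are constructed in memory with struct (checksums left zero), and the
vulnerable-version table holds placeholder products, not real vulnerability data.
"""
import re
import socket
import struct

# Placeholder table: product -> versions to flag (constructed, not real data).
VULNERABLE_VERSIONS = {
    "ExampleSSH": {"1.0", "1.1"},
    "ExampleHTTPd": {"2.1"},
}

BANNER_PATTERNS = [
    re.compile(rb"^SSH-\d\.\d-([A-Za-z]+)_([\d.]+)"),     # "SSH-2.0-ExampleSSH_1.0"
    re.compile(rb"\r\nServer: ([A-Za-z]+)/([\d.]+)"),      # "Server: ExampleHTTPd/2.1"
]


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet/IPv4/TCP frame around a payload (constructed traffic)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)          # MACs zero, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode an IPv4/TCP frame into addresses, ports and payload; None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]       # trims any Ethernet padding
    if ip[9] != 6:                                    # protocol 6 is TCP
        return None
    ip = ip[:total_len]
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_banner(payload):
    """Return (product, version) if the payload carries a recognised banner."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(payload)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None


def passive_scan(frames):
    """Listen only: sends nothing, just reports what servers reveal in their own replies."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        banner = extract_banner(pkt["payload"])
        if banner is None:
            continue
        product, version = banner
        findings.append({"host": pkt["src"], "port": pkt["sport"], "product": product,
                         "version": version,
                         "vulnerable": version in VULNERABLE_VERSIONS.get(product, set())})
    return findings


# Constructed capture: three server replies, one client request, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.7", 22, 51000, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    build_frame("198.51.100.7", "192.0.2.11", 51001, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame("192.0.2.11", "198.51.100.7", 80, 51001,
                b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.3\r\nContent-Length: 0\r\n\r\n"),
    build_frame("192.0.2.12", "198.51.100.7", 80, 51002,
                b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.1\r\n\r\n"),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),   # ARP, skipped by parse_frame
]
```

The same decoder is what a sniffer applies to frames copied off a real interface; reading version strings this way is exactly why the slide says a sniffer in the wrong hands is an eavesdropping tool, and why the legality conditions on the next slide apply to it.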


Legalities


Be on a network that the organization owns

Be under direct authorization of the owners of the network

Have knowledge and consent of the content creators

All three conditions must be obtained to legally use a packet sniffer

Ref: Whitman et al.


Packet Sniffers (continued)


Demo


http://www.ethereal.com/

Work only on the private network

Setting the network options: note that guest machines cannot access the internet

Watch some traffic while accessing turnkey lamp


Wireless Security Tools

Wireless connection, while convenient, has many potential security holes

Security professional must assess risk of wireless networks

Wireless security toolkit should include ability to sniff wireless traffic, scan wireless hosts, and assess level of privacy or confidentiality afforded on wireless network


Wireless Security Tools (continued)


Penetration Testing

Penetration test involves using all techniques and tools available to attacker in order to attempt to compromise or penetrate an organization’s defenses

Penetration testing can be performed by internal group (so called “red teams”) or outsourced to external organization

A variable of the penetration test, whether performed internally or outsourced, is amount of information provided to the red team


Penetration Testing (continued)

Three categories of testing:

Black box: red team is given no information whatsoever about the organization and approaches the organization as an external attacker

Gray box: red team is given some general information about the organization such as general structure, network address ranges, software and versions

White box: red team has full information on the organization and its structure


Chapter Summary

To maintain secure networks, information security professionals must be prepared to systematically identify system vulnerabilities

Often done by performing a self-assessment using scanning and penetration testing tools

Common vulnerabilities fall into two classes:

Defects in software or firmware

Weaknesses in processes and procedures


Chapter Summary (continued)

Information security professionals should regularly consult vendor announcements, full disclosure mailing lists, and the common vulnerabilities and exposures (CVE) database

To assess risk within a computing environment, network professionals must use tools such as intrusion detection systems (IDPS), active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (sniffers)


Chapter Summary (continued)

Many organizations use penetration test to assess their security posture on a regular basis

Penetration test team (red team) uses all techniques and tools available to attackers in order to attempt to compromise or penetrate an organization’s defenses


Demo


Install and run the NG scoring tool


Demo


Install and run Microsoft baseline security tool