EE579T Network Security
8: Vulnerability Assessment
Prof. Richard A. Stanley
Spring 2001 © 2000, 2001, Richard A. Stanley, WPI EE579T/8

Overview of Tonight's Class
• Review last week's lesson
• Look at network security in the news
• Vulnerability assessment

Last time...
• SSL provides a means for secure transport-layer communications in TCP/IP networks
• SSL is a commonly used protocol, developed by Netscape, but ubiquitously used in browsers, etc.
• The key element of SSL is the handshake protocol
• SET is not widely used for credit transactions, but the dual signature it introduced is useful

Security in the News
• Not-so-secure Shell (SSH)
  – OpenSSH has a buffer overflow problem!
  – Fixed in Version 3.1, released last week
• The glow on your face...
  – Researcher claims to be able to recover screen content by examining reflections from the user's face at distances up to 50 meters
  – Could impact rules on classified computing

More News
• BlackBerry gets the raspberry
  – Researchers using open source software and "gadgets from Radio Shack" were able to intercept BlackBerry and Mobitex messages
  – Not a flaw in the design, but an exploitation of the specification
• MyLife worm is back
  – Attempts to delete Windows system files

And Still More News...
• Reduced standards ≠ no standards
  – NeoPoint, San Diego, CA, fined $95,000 by the Bureau of Export Administration for exporting 128-bit encryption software to South Korea without a license
  – Ten counts, in 1998-1999
  – Company acknowledged it knew a license was needed
  – "... The U.S. Government can and will enforce its export controls on encryption products..."

And Still it Overflows...
• Buffer overflow opens Windows (vnunet)
  – Windows shell buffer overflow discovered
  – If exploited, an attacker could execute malicious code with the privileges of the logged-in user
    • an outsider could add or delete files, communicate with Web sites or reformat the hard drive
  – Vulnerability results from an unchecked buffer in the part of the Windows shell that helps to locate missing programs

What do all these security issues have in common?

Thought for the Day
"The network is the computer."  (Sun Microsystems)

Is this quote for real or is it for marketing?
• What is typical PC bus speed?
• What sort of network data transfer rates can be attained?
• What does this mean for the future of networked computing?

Course Projects
• Teams
• Topics
• Schedule
Let's sort this out now.

How To Rob a Bank
• Just walk in and demand the money
  – Where is the bank?
  – How do you know there is any money?
  – Where to park the getaway car?
  – Are there any guards or surveillance devices?
  – Will you need a disguise?
  – What kinds of things might go wrong?
  – What if they say "NO?"

Success Requires Planning
• Whether robbing a bank or breaching network security, you need to plan ahead
• Planning ahead is known as vulnerability assessment
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (shake the doors)
Information in Plain Sight
• Lots of valuable information is just lying around waiting to be used
  – telephone directories
  – company organization charts
  – business meeting attendee lists
  – promotional material
• The Internet has made having a company web page the measure of being "with it"

Target: FBI
[Slides 15 to 26 carried only images; no text survives]

You get the idea
• There is a lot of information out there, and it is readily available to anyone
• Good intelligence usually consists of open source material properly collated
• Law enforcement used to have special access to this sort of information; now it's out on the 'net
• Network access speeds up the rate at which good intelligence can be collected

Determine Your Scope
• Check out the target's web page
  – physical locations
  – related companies or entities
  – merger/acquisition news
  – phone numbers, contact information
  – privacy or security policies
  – links to other related web servers
  – check the HTML source code

Refine Your Search
• Run down leads from the news, etc.
  – Search engines are a good way
    • FerretSoft
    • Dogpile
  – Check USENET postings
  – Use advanced search capabilities to find links back to the target
• Search on wpi + security gives ~2900 hits

Use the Government
• EDGAR
  – SEC site (www.sec.gov/edgarhp.htm)
  – Search for 10-Q and 10-K reports
  – Try to find subsidiary organizations with different names
• Think about what your organization has on databases available to the public

Zero In On The Networks
• InterNIC
  – Organization
  – Domain
  – Network
  – Point of contact
• www.networksolutions.com
• www.arin.net

Search for wpi.edu
Registrant:
  Worcester Polytechnic Institute (WPI-DOM)
  100 Institute Road
  Worcester, MA 01609-2280
  US

  Domain Name: WPI.EDU

  Administrative Contact, Billing Contact:
    Johannesen, Allan E (AEJ5)  [email protected]
    The College Computer Center
    Worcester Polytechnic Institute
    100 Institute Road
    Worcester, MA 01609-2280
    508 754-3964 (FAX) 508-831-5483
  Technical Contact:
    Brandt, Joshua (JBC740)  [email protected]
    Solipsist Nation
    9 Circuit Ave. E Apt 1
    Worcester, MA 01603
    US
    508-831-5512

  Record last updated on 05-Dec-2000.
  Record created on 22-Mar-1988.
  Database last updated on 15-Feb-2001 02:07:04 EST.

  Domain servers in listed order:
    NS.WPI.EDU      130.215.24.1
    NS1.YIPES.COM   209.213.223.126
    NS2.YIPES.COM   209.50.39.102
    NS3.YIPES.COM   209.50.40.102

Other Sources
• InterNIC has a 50-record limit, so...
  – ftp://rs.internic.net/domain
  – http://samspade.org/ssw/
    • freeware
  – www.nwpsw.com
    • NetScanTools
    • Single copy price = $32.00
  – www.ipswitch.com
    • WS_Ping ProPack = $37.50
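The whois record above is the raw material for the next round of queries: contact handles, name servers and the address blocks they sit in. The following is an added example (not part of the lecture or of any of the tools it names) that parses that record, copied inline exactly as it appears on the slide with the redacted e-mail addresses left redacted, and produces the follow-up queries a Sam Spade user would get by right-clicking the hotlinked output. The /24 netblocks it proposes are only a starting guess for the ARIN lookup; the real allocation boundary comes from ARIN's answer.

```python
import re
from dataclasses import dataclass, field

# Whois output for wpi.edu as shown on the slide (February 2001 record). E-mail
# addresses were redacted in the source and stay redacted here.
WHOIS_WPI = """\
Registrant:
Worcester Polytechnic Institute (WPI-DOM)
   100 Institute Road
   Worcester, MA 01609-2280
   US

   Domain Name: WPI.EDU

   Administrative Contact, Billing Contact:
      Johannesen, Allan E  (AEJ5)  [email protected]
      The College Computer Center
      Worcester Polytechnic Institute
      100 Institute Road
      Worcester, MA 01609-2280
      508 754-3964 (FAX) 508-831-5483
   Technical Contact:
      Brandt, Joshua  (JBC740)  [email protected]
      Solipsist Nation
      9 Circuit Ave. E Apt 1
      Worcester, MA 01603
      US
      508-831-5512

   Record last updated on 05-Dec-2000.
   Record created on 22-Mar-1988.
   Database last updated on 15-Feb-2001 02:07:04 EST.

   Domain servers in listed order:

   NS.WPI.EDU                   130.215.24.1
   NS1.YIPES.COM                209.213.223.126
   NS2.YIPES.COM                209.50.39.102
   NS3.YIPES.COM                209.50.40.102
"""

# "Name  (HANDLE)" on the first line after a Registrant:/... Contact: header
HANDLE_RE = re.compile(r"^\s*(?P<name>[^(]+?)\s+\((?P<handle>[A-Z0-9-]+)\)")
# "HOSTNAME   a.b.c.d" lines of the name-server list
NS_RE = re.compile(r"^\s*(?P<host>[A-Z0-9.-]+\.[A-Z]+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$", re.I)


@dataclass
class WhoisRecord:
    domain: str = ""
    registrant: str = ""
    registrant_handle: str = ""
    contacts: dict = field(default_factory=dict)     # role -> (name, handle)
    nameservers: list = field(default_factory=list)  # (host, ip) in listed order


def parse_whois(text):
    """Pull the pivot-worthy fields out of an InterNIC-style whois record."""
    rec = WhoisRecord()
    role = None  # set by a header line; consumed by the next handle line
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Registrant:"):
            role = "Registrant"
            continue
        if stripped.startswith("Domain Name:"):
            rec.domain = stripped.split(":", 1)[1].strip().lower()
            continue
        if stripped.endswith("Contact:"):
            role = stripped[:-1]           # e.g. "Technical Contact"
            continue
        m = NS_RE.match(line)
        if m:
            rec.nameservers.append((m["host"].lower(), m["ip"]))
            continue
        m = HANDLE_RE.match(line)
        if m and role:                     # only the line right after a header carries the handle
            if role == "Registrant":
                rec.registrant, rec.registrant_handle = m["name"].strip(), m["handle"]
            else:
                rec.contacts[role] = (m["name"].strip(), m["handle"])
            role = None
    return rec


def pivots(rec):
    """The next queries this record suggests: handles to look up (a POC is often
    POC for other domains), /24s to ask ARIN about, and name servers that belong
    to someone other than the registrant (here a hosting/ISP relationship)."""
    handles = sorted({h for _, h in rec.contacts.values()} | {rec.registrant_handle})
    netblocks = sorted({".".join(ip.split(".")[:3]) + ".0/24" for _, ip in rec.nameservers})
    third_party_ns = [h for h, _ in rec.nameservers if not h.endswith("." + rec.domain)]
    return {"handles": handles, "netblocks": netblocks, "third_party_ns": third_party_ns}


if __name__ == "__main__":
    record = parse_whois(WHOIS_WPI)
    print(record.domain, record.registrant, record.registrant_handle)
    for role, (name, handle) in record.contacts.items():
        print(f"  {role}: {name} [{handle}]")
    for key, values in pivots(record).items():
        print(f"{key}: {values}")
```

The same parser works on any record in this layout; what changes per target is which pivots are worth chasing first. Name servers outside the registrant's own domain are usually the most telling, because they name a second organization whose records, netblocks and contacts now also belong in scope.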
Example: Sam Spade
Sam Spade Features
Environment
• Each tool displays its output in its own window, and everything is multi-threaded so you don't need to wait for one query to complete before starting the next one
• Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
• The output from each query is hotlinked, so you can right-click on an email address, IP address, hostname or InterNIC tag to run another query on it
• Appending the results of a query to the log window is a single-button function
• There's a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself
Tools
• ping, nslookup, whois, IP block whois
• dig, traceroute, finger, SMTP VRFY
• web browser, keep-alive, DNS zone transfer, SMTP relay check
• Usenet cancel check, website download, website search, email header analysis
• Email blacklist query, Abuse address query, S-Lang scripting, Time

Query on Found Data
• POC
  – May be (often is) POC for other domains
• Query for email addresses; here are a few from @wpi.edu
  Amiji, Murtaza (MA3608)    [email protected]  (508) 831-5395
  Baboval, John (JBJ116)     [email protected]  XXX-XXXX
  Ballard, Richard (RBS722)  [email protected]  508-831-6731
  Barnett, Glenn S (GSB14)   [email protected]  (315) 475-5920
  Bartelson, Jon (JB12891)   [email protected]  (508) 831-5725 (FAX) (508) 831-5483
  Berard, Keith (KB2414)     [email protected]  (508) 754-4502
  Blank, Karin (KBJ257)      [email protected]  203-762-0532
  Blomberg, Adam (AB5417)    [email protected]  508-755-7699
Query the DNS
• Insecure DNS configuration can reveal information that should be kept confidential
• Zone transfers are a popular attack methodology
  – nslookup often used
  – pipe output to a text file
  – review the text file at your leisure
  – select potential "good targets" based on the data

Map the Network
• traceroute
  – Unix and Win/NT
  – tracert in NT for file-name legacy reasons
  – Shows hops from router to destination
• Graphical tools exist, too
  – VisualRoute
  – www.visualroute.com

Detailed Scanning
• Network ping sweeps
  – Who is active?
  – Automated capabilities with some tools
• ICMP queries
  – Reveal lots of information on systems
    • System time
    • Network mask

Port Scanning
• Identify running services
• Identify OS
• Identify specific applications of a service
• Very popular
• Very simple
• Very dangerous

Port Scan Types
• Connect scan: completes the 3-way handshake
• SYN: should receive SYN/ACK from an open port
• FIN: should receive RST from closed ports
• Xmas tree: sends FIN, URG, PSH; should receive RST from closed ports
• Null: turns off all flags; target should send back RST for closed ports
• UDP: port probably open if no "ICMP port unreachable" message is received

Identify Running Services
• Strobe
• Udp_scan (from SATAN)
• netcat
• PortPro & Portscan
• nmap
• Using SYN scan is usually stealthy (no connection is completed, so the application behind the port never sees or logs it)
• Beware of DoS results (malformed probes can crash fragile stacks)
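The "pipe the output to a text file, review it, pick good targets" step from the Query the DNS slide is worth automating, because a zone transfer of any size is too long to read by eye. The following is an added example, not from the lecture or from nslookup/dig, that takes zone-transfer output in the one-record-per-line form `dig ... axfr` prints, for a constructed, hypothetical zone example.edu (none of the hosts or addresses are real), and ranks the hosts by what the zone gives away about them: HINFO records that name the OS, RFC 1918 addresses leaking into a public zone, hosts named as MX/NS for the zone, and host-name fragments ("pdc", "backup", "old", ...) that mark likely soft targets. The label list and weights are heuristics chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed zone-transfer output for the hypothetical zone example.edu, in the
# layout `dig @ns.example.edu example.edu axfr` prints. Nothing here is real.
AXFR_OUTPUT = """\
example.edu.            3600 IN SOA   ns.example.edu. hostmaster.example.edu. 2001021501 3600 900 604800 86400
example.edu.            3600 IN NS    ns.example.edu.
example.edu.            3600 IN MX    10 mail.example.edu.
ns.example.edu.         3600 IN A     192.0.2.1
mail.example.edu.       3600 IN A     192.0.2.2
www.example.edu.        3600 IN A     192.0.2.3
backup-nt.example.edu.  3600 IN A     192.0.2.4
pdc.example.edu.        3600 IN A     192.0.2.5
pdc.example.edu.        3600 IN HINFO "Pentium III" "Windows NT 4.0"
old-sun.example.edu.    3600 IN A     192.0.2.9
router.example.edu.     3600 IN A     192.0.2.254
printer.example.edu.    3600 IN A     10.0.0.17
lab-01.example.edu.     3600 IN A     192.0.2.40
lab-02.example.edu.     3600 IN A     192.0.2.41
"""

# owner  ttl  IN  TYPE  rdata
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")

# Host-name fragments that usually mark a worthwhile first target (heuristic,
# chosen for this example; extend from experience).
INTERESTING_LABELS = {
    "pdc": "NT primary domain controller",
    "bdc": "NT backup domain controller",
    "backup": "backup host, often patched last",
    "old": "legacy system",
    "test": "test system",
    "dev": "development system",
    "router": "network gear",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (owner, type, rdata) tuples; owner lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"].strip()))
    return records


def triage(records):
    """Score every host by what the zone itself reveals about it."""
    hosts = defaultdict(lambda: {"ips": [], "flags": [], "score": 0})

    def flag(name, weight, why):
        hosts[name]["flags"].append(why)
        hosts[name]["score"] += weight

    for owner, rtype, rdata in records:
        if rtype == "A":
            hosts[owner]["ips"].append(rdata)
            if any(ipaddress.ip_address(rdata) in net for net in RFC1918):
                flag(owner, 2, "RFC 1918 address exposed in a public zone: " + rdata)
        elif rtype == "HINFO":
            flag(owner, 2, "HINFO leaks hardware/OS: " + rdata)
        elif rtype in ("MX", "NS"):
            target = rdata.split()[-1].rstrip(".").lower()
            flag(target, 1, "serves as " + rtype + " for the zone")
    for owner in list(hosts):
        label = owner.split(".")[0]
        for fragment, why in INTERESTING_LABELS.items():
            if fragment in label:
                flag(owner, 1, "name suggests " + why)
    return hosts


def rank_targets(records):
    """Flagged hosts, highest score first, name as tie-break."""
    flagged = [(name, info) for name, info in triage(records).items() if info["flags"]]
    flagged.sort(key=lambda item: (-item[1]["score"], item[0]))
    return flagged


if __name__ == "__main__":
    for name, info in rank_targets(parse_zone(AXFR_OUTPUT)):
        print(f"{info['score']:2d}  {name:24s} {', '.join(info['ips'])}")
        for why in info["flags"]:
            print("      -", why)
```

Read the flags as leads, not findings; a host named "old-sun" still has to be scanned. The same output also answers the administrator's side of the homework: a zone served to the outside should not carry HINFO records or internal addresses (split the zone if it must), and the name server should refuse transfers except to its own secondaries (in BIND, the allow-transfer option).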
OS Detection
• Stack fingerprinting
  – Different vendors interpret RFCs differently
• Example:
  – RFC 793 says the correct response to a FIN probe sent to an open port is no response at all
  – Win/NT responds with a RST
• Based on responses to specific probes, it is possible to make very educated guesses as to what OS is running
  – Automated tools make this easy!
    • nmap (www.insecure.org/nmap/)

Enumeration
• Try to identify valid user accounts on poorly protected resource shares
  – Windows NT
    • net view: lists domains on the network; can also list shared resources
    • nltest: identifies PDC & BDC
    • SNMP
    • open a telnet connection

Automated, Graphical Tools
• Can trace network topology very accurately
  – ID machines by IP, OS, etc.
  – Makes attack much easier
• Cheops
  – www.marko.net/cheops/
• Tkined
  – wwwhome.cs.utwente.nl/~schoenw/scotty/

Actual Scan Results--Win2K
• Performed using Internet Security Scanner
• Part of the ISS suite of programs
  – Can scan both NT/2000 and Unix systems
  – Runs only on NT/2000
  – Scan range (i.e., addresses) user settable
  – This scan done on a local Win 2000 host with a preconfigured heavy scan

Actual Scan Results--Linux
• Again, using ISS
• Scanned a Linux host
  – But, ISS doesn't run on Linux!
  – So, ran Win2K and ISS inside VMware, running on top of Linux
  – VMware lets you run one of several OSs from inside it, but they can "see" the underlying computer and OS
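The Port Scan Types and OS Detection slides describe the same mechanism from two sides: each scan type is a particular flag combination in the TCP header, and the port state is whatever the target's reply implies under RFC 793; a stack that replies differently from the RFC is both a fingerprint and a source of wrong scan results. The following is an added example (not nmap's code or any other tool named in the lecture) that builds the 20-byte TCP header each scan type puts on the wire, with a correct pseudo-header checksum, and classifies a port from the observed reply. Nothing is transmitted: sending these needs a raw socket and root, and the addresses used are documentation addresses. The final function is the FIN-probe check behind the OS Detection slide, which also explains why FIN, Xmas and Null scans report every port as closed on Windows NT.

```python
import socket
import struct

# TCP flag bits (byte 13 of the header, RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type from the slides sets in its probe. A connect scan is an
# ordinary SYN sent by the OS stack, so it shares the SYN probe's flags.
PROBE_FLAGS = {"connect": SYN, "syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum, as used by IP, TCP, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, scan_type, seq=0):
    """The 20-byte TCP header a scanner crafts for scan_type (no options, no payload)."""
    offset_and_flags = (5 << 12) | PROBE_FLAGS[scan_type]   # data offset = 5 words
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_and_flags, 8192, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(segment):
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def checksum_ok(src_ip, dst_ip, segment):
    """A segment carrying a correct checksum sums to zero together with its pseudo-header."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan_type, response):
    """Port state implied by the reply. response is None (nothing came back), a TCP
    flag bitmask, or an ICMP error name such as 'icmp-port-unreachable'."""
    if scan_type == "udp":
        if response == "icmp-port-unreachable":
            return "closed"
        if response is None:
            return "open|filtered"   # silence: an open service, or a firewall ate the probe
        return "open"                # an application answered with UDP data
    if isinstance(response, str):
        return "filtered"            # any ICMP error to a TCP probe means a filter is in the way
    if scan_type in ("connect", "syn"):
        if response is None:
            return "filtered"
        if response & SYN and response & ACK:
            return "open"
        if response & RST:
            return "closed"
        return "unknown"
    # fin / xmas / null: RFC 793 says an open port stays silent, a closed one sends RST
    if response is None:
        return "open|filtered"
    if response & RST:
        return "closed"
    return "unknown"


def fin_probe_verdict(syn_response, fin_response):
    """Stack-fingerprint check from the OS Detection slide. A port that answered SYN with
    SYN/ACK is open, so RFC 793 says a FIN to it must get no reply; a RST instead marks a
    non-compliant stack (Windows NT does this) on which FIN/Xmas/Null scans misreport
    every port as closed."""
    if syn_response is None or not (syn_response & SYN and syn_response & ACK):
        return "indeterminate"       # port not proven open, so the FIN result says nothing
    if fin_response is None:
        return "rfc793"
    if fin_response & RST:
        return "non-rfc793"
    return "indeterminate"


if __name__ == "__main__":
    for kind in PROBE_FLAGS:
        probe = build_tcp_probe("192.0.2.10", "192.0.2.20", 40000, 80, kind)
        print(f"{kind:8s} flags=0x{tcp_flags(probe):02x} bytes={probe.hex()}")
    print(classify("syn", SYN | ACK), classify("fin", RST | ACK), classify("udp", None))
    print(fin_probe_verdict(SYN | ACK, RST | ACK))
```

Two practical consequences follow from the classifier. First, the inverse scans (FIN, Xmas, Null) can never say "open", only "open or filtered", because silence is the expected answer from both an open port and a dropping firewall; a SYN scan is needed to confirm. Second, run the FIN check against a port the SYN scan has already shown open before trusting inverse-scan results on that host at all.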
Summary
• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful
• There are three basic steps to planning, which is called vulnerability assessment:
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (enumeration)
• This applies whether you are inside or outside the protected perimeter!

Homework - 1
1. Identify and describe how you would enumerate resources on a Unix network, similar to the discussion in class of enumeration on Windows/NT
2. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?