Chapter 11: Vulnerability Resources


  1. Chapter 11: Vulnerability Resources A vulnerability is a weakness that could be exploited by an adversary. All software comes with bugs: ~2-5 per 1000 lines of code. See http://panko.cba.hawaii.edu/HumanErr/ Windows 2000: 35 M lines = 175,000 – 200,000 bugs. Red Hat Linux 7.1: 30 M lines = 150,000 – 600,000 bugs. Chapter 11. Vulnerability Resources

  2. Bugs and Vulnerabilities Not all bugs create vulnerabilities, but there are plenty to go around. So: bugs happen, some fraction of them are security-relevant, they are discovered, and the vendor issues a patch – hopefully before an exploit appears. Security folks must track vulnerabilities and patches. How?

  3. Security Vulnerabilities - The Big Picture - Paths

  4. The Big Picture – How Do They Get In? Every external path into a computer can be an exploit path: Physical access – hands-on attack – physical security. Social engineering – get the user to expose the system by giving up the password or executing an unsafe action – a human-behavior attack – people are helpful and may be easily duped. External attack – comes through one of the external entry points: with help from inside – witting, unwitting, half-witted; or without help from the inside – through a weakness in the external protection mechanisms.

  5. The Big Picture – How Do They Get In? Intelligence gathering: collecting information available outside the protected network to reveal mechanisms to get inside posing as a legitimate user. Examples: break into an employee's home computer that is used to access a company network; place a keyboard monitor on a system used by others (e.g., in a kiosk or at a public access point) that phones home.

  6. Physical Media What: Bad stuff introduced on floppy disks, tapes, CDs. Why: User works from home or performs work while on travel. Media may be contaminated while a system is attached to a different network. Problem: Potential to introduce viruses, Trojans, worms, bad data.

  7. Physical Media Strategy: Know the source of any information and scan media before using. Consider monitoring changes to the system. Weaknesses: Users don’t scan – it’s a bother. Scanning will only detect known malicious software. What if the hardware has been modified?

  8. Computer Systems What: A computer, whether a laptop, desktop, or server, can be compromised by either direct or indirect access (e.g., over the network). Why: The system may not be adequately protected from physical access (locked doors). It may have software vulnerabilities that allow successful network attacks. Problem: There are many paths to the machine and multiple vulnerabilities. If vulnerabilities are not patched they can be exploited by an attacker.

  9. Computer Systems Strategy: Strong local access controls, both physical and electronic, and good behavior on the part of the user! Weaknesses: User behavior, software complexity, multiple users, applications, many vulnerabilities, difficult-to-detect attacks.

  10. Dial-Up Service (also 1-800) What: Single auto-answer modem(s) to dedicated modem banks. Why: Used to serve remote users – workers from home, staff on travel, collaborators, etc. Problem: Any situation where a user connects to a computer remotely – no or weak authentication, weak passwords, clear-text passwords, re-usable passwords, etc.

  11. Dial-Up Service (also 1-800) Strategy: Prohibit modem services without strong authentication. Scan the telephone number space for answering modems (e.g., war dialers; use either a hacker tool or a commercial dialer). Weaknesses: Users enable answering modems and don’t follow policy. Weak authentication services.

  12. Digital Subscriber Lines/Cable Modems What: Always on when the system is on, and directly connected to an internal DSL/cable modem pool or through an ISP. Why: Remote access like dial-up, but much higher performance. Problem: Anyone on your cable segment sees your traffic (cable only), and both are always on unless the computer or modem is shut down.

  13. Digital Subscriber Lines/Cable Modems Strategy: Policy to shut down when unattended, use a firewall on the remote machine, and strong authentication/encryption on the link while connected to the corporate network (e.g., VPN). Weaknesses: Won’t block unknown vulnerabilities (e.g., if the home machine is compromised, it can carry a Trojan into the network). Users don’t follow policy.

  14. Internet What: The Internet can be an “always on” service – an enterprise network connected to an ISP by dedicated line, with or without a firewall – OR a “dial-up” service that is only on when you are logged onto an ISP (typical of modem access from a home system). Why: The Internet provides many external services that an enterprise finds very useful (e.g., public web pages). Problem: There are many network services (http, ftp, telnet, etc.), each with one or more vulnerabilities. If vulnerable, they can be exploited by an attacker from a remote location.

  15. Internet Strategy: Strong perimeter defenses at every entry and egress point in the enterprise network – stress the perimeter – define & protect! Weaknesses: Complexity, multiple protocols, applications, many vulnerabilities, difficult to trace the source of attacks, etc.

  16. Computer Attacks Most attacks reach a system from some form of connection (e.g., Internet, modem, network drop). Direct attacks require a physical presence: if a desktop at work, by entry to building & office; if a laptop on travel, by entry to the hotel or theft of the laptop. Physical security is the paramount concern and most organizations have physical security protection policies. If not, put them in place and follow them!

  17. Network Attacks - Equal Opportunity Attacks May be doing mischief, looking to steal resources (cycles), or finding a secondary launch point for attacks on other sites. Looking for any machine that can be compromised; often scans for one, or a few, vulnerabilities that are easy to exploit. Not usually targeting a site. Won’t devote much time – if there are barriers, go to the next site (like the car thief looking for the unlocked cars, complete with keys in the ignition or even running). From script kiddies to serious state-supported experts.

  18. Network Attacks - Targeted Attacks Targets a specific organization or class of organization – often government, military. Typically has a specific motivation – profit, revenge, ideology, etc. Willing to spend a larger amount of time breaking in. Searches a wide range of vulnerabilities looking for one to exploit and typically uses multiple methods – social engineering, dumpster diving, scanning, etc.

  19. Penetration Model – How They Get In (flow diagram): Begin → Reconnaissance → Scanning → Identification → Exploit → Expansion → Take Action → Cover Tracks → Insert Backdoor → End

  20. Network Break-ins - How Do They Do That? Reconnaissance – Identify target enterprise networks (browsing). Scanning I – Gather information on a specific network (targeting). Scanning II – Identify computers and services provided by a network (host and application targeting). Identification – Determine vulnerabilities of services identified (e.g., what OS is running). Exploit – Mount an attack on a vulnerable service.

  21. Network Break-ins - How Do They Do That? Expansion – Extend access to root and/or other systems. Take Action – Perform desired action (snoop, download, erase files, etc.). Cover Tracks – Erase logs, rename files, remove exploiting software, etc. Install Backdoor – Make re-entry possible (create remote access account).

  22. Reconnaissance - Information Gathering Determine the network address in the Domain Registry. Each domain on the Internet has a registered domain name (e.g., doe.gov, pnl.gov, or microsoft.com). InterNIC has a database (registry) of domain names. Search InterNIC database records – use the whois command. Entries: Name & address of the organization. Phone # and e-mail of administrative contact. IP address of the name servers in the domain.

  23. whois Query
      > whois -h nic.org abc.org
      ABC Corporation (ABC-DOM)
      100 Anystreet
      Anytown, Anystate Anytownzip
      Domain Name: abc.org
      Status: active
      Administrative Contact:
        Doe, John   (xxx) yyy-zzzz   john.doe@mail.abc.org

  24. whois Query (more)
      Domain name servers in listed order (from NIC database):
        apollo.abc.org   198.150.130.130
        mars.abc.net     198.148.2.10
        adonis.abc.org   198.150.130.110
      Record last updated 05-Jan-00
      ****************** END ***********
      Have confirmed: corporate identity; name & IP addresses of the Domain Name Servers (DNS); name & IP address of other hosts and mail servers.

  25. Other Sources American Registry for Internet Numbers (ARIN) – web interface http://www.arin.net/whois/arinwhois.html – searchable web page. Search for 130.20 returns:
      Battelle Pacific Northwest Laboratory (NET-PNLNET)
      PO Box 999, MSIN K7-57
      3320 Q Avenue
      Richland, WA 99352 US
      Netname: PNLNET
      Netblock: 130.20.0.0 – 130.20.255.255 (IP address range)
      Domain System inverse mapping provided by:
        NS1.NET.PNL.GOV   130.20.20.36
        NS2.NET.PNL.GOV   130.20.64.36

  26. Other Sources More web-based whois databases: http://www.cs.cf.ac.uk/Dave/Internet/node59.html http://www.internic.net/whois.html http://www.allwhois.com/home.html Note that allwhois has world-wide extent, covering multiple countries.

  27. Information Gathering – Network Structure What to learn: routes used by the network; hosts on the network; location of firewalls. Some hosts will be found in the DNS records. Sometimes all hosts are shown in DNS (if not screened by a firewall). Finding more hosts usually requires network address/port scanning.

  28. Information Gathering - DNS DNS records will reveal host addresses. How many are revealed depends on the site architecture – some sites split the DNS space into external (can be seen from the Internet) and internal (can only be seen by systems inside the network perimeter). The Unix nslookup command is designed to query DNS:
      nslookup
      > set type=any
      > ls -d target_network_name
      Type "any" will dump all available DNS records. For Windows, use Sam Spade: http://www.samspade.org

  29. Sam Spade – Integrated tool – Multiple methods Ping: Query a specific host to see if it is alive. DNS lookup: Find IP address from host name (and vice versa). Whois: As described earlier. Dig: Gets host-specific information from a DNS server. Traceroute: Traces the route packets take to a host. Finger: Finds user information about specific hosts. SMTP verify: Used to verify e-mail addresses. Web: Browse the web and reveal the raw traffic before rendering. Zone transfer: Requests a DNS dump of all information on a domain (well-managed domains do not allow this).

  30. Asking the Routers Simple Network Management Protocol (SNMP) – can be used to request routing tables.
      snmpnetstat host1 public -rn <cr>
      Routing tables
      Destination          Gateway    Interface
      default              fw1        if0
      156.80.189.49/32     lug        if0
      192.168.1            culprit    Ethernet 0
      208.208.101.32/27    culprit1   Ethernet 1
      202.208.101.64/27    culprit2   Ethernet 2
      Shows several hosts and what may be a firewall (fw1).

  31. Traceroute Uses the IP Time-To-Live (TTL) field – starts at 1 hop and increments by 1 until the destination is reached.
      traceroute 176.6.1.1   (route to 176.6.1.1 – max = 30 hops)
          Try1    Try2    Try3    Host
      1   <10ms   <10ms   <10ms   chosen1 [208.208.101.33]
      2   <10ms   <10ms   <10ms   fw1 [192.168.1.2]
      3   <10ms   <10ms   <10ms   pwset [137.120.54.32]
      ..
      9   10ms    10ms    20ms    zephr [176.6.1.1]
      Identifies routers/hosts in the path – uses a UDP packet on a port not expected to be open – gets a trace response.

  32. Network Scanning Ping: Uses Internet Control Message Protocol (ICMP) type 0 and type 8 packets. ICMP is an error-control and messaging protocol for: flow control; reporting unreachable destinations; redirecting routes; checking the status of remote hosts. Type 8 is an echo (ping) request – ping an IP address. Type 0 is the response to a ping – the host responds if it is there. A positive response defines a host present at the IP address contained in the ping packet.

  33. Locate Accessible Services - Port Scanning The objective is to find host services that are running and whether they are exploitable services. Specific interest, for a specific host: verify the port number & service running, including software name & version number (e.g., Sendmail 8.9.1b). Determine the operating system on the host & version number (e.g., Sun Solaris, Version 2.6).

  34. Locate Accessible Services - Port Scanning 2 Once identified, services can then be compared to a listing or database of vulnerabilities for the specific OS and service by version number. If the vulnerability has not been patched, it may be possible to exploit the system. This is the final prelude to an exploit attempt. There are a number of tools available for port scanning.

  35. Port Scanning – Nmap for Unix Available on the web at www.insecure.org. Sophisticated: Scans networks to identify answering IP addresses. Scans host ports to identify active ports. Attempts to detect operating system make and version. Assesses the difficulty of TCP sequence number prediction.

  36. Nmap Scanning Techniques Depends on the features of TCP; has multiple scan types: 1. TCP (-sT) – Basic, e.g., mail port 25, attempts the 3-way connect. 2. SYN (-sS) – Basic, but does not complete the connection. 3. FIN (-sF) – Sends packets with the FIN bit set – more stealthy than SYN probes. 4. Xmas (-sX) – Turns on multiple flags (FIN, URG, PSH). 5. Null (-sN) – Sends packets with no flags set (Windows does not respond to null packets). 6. Ping (-sP) – Uses TCP plus ICMP ping. 7. UDP (-sU) – Null-byte UDP packets – maps UDP ports. 8. RPC (-sR) – Identifies open Sun RPC services.

  37. Nmap Options Target port definition: Default – scans ports 1-1024 (well-known ports). Custom – set the port range to any scan range. Fast scan – scan only those ports specified in the included services file. Define source port – allows the source (scanner's) port address to be spoofed – useful to fool some firewalls by using a DNS source port so it looks like a legitimate DNS request response.

  38. Nmap Options (more) OS identification – uses TCP/IP fingerprinting to guess the OS being run by the target – observes differences in responses and attributes of specific operating systems. Spoof the IP source address – firewalls look for multiple port requests from the same IP address to detect scans – this option varies the IP address to hide the fact of scanning – also makes tracing difficult.

  39. Nmap Options (more) Fragment the scan – fragmented packets are reassembled by the final destination host. Some older firewalls did not reassemble fragments, so scans were hidden. Newer firewalls now often reassemble fragments in order to better detect scans. AT END – the attacker has a list of IP addresses and services running (i.e., open ports) on those addresses. The next task is to identify vulnerabilities on open ports.
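The flag combinations listed for the FIN, Xmas and Null scans are exactly what a defender can key on. As an added example (not from the slides), this Python snippet classifies probes by their TCP flags and flags a source that touches many ports on one host within a short window; the log format is a constructed simplification (timestamp, source, destination, port, flags), not any real firewall's format.

```python
from collections import defaultdict

# TCP flag sets for the Nmap scan types named on the slide: a probe's
# flag string (e.g. "FPU") is mapped to the scan type it implies.
SCAN_SIGNATURES = {
    frozenset("S"): "SYN (-sS) or connect (-sT) scan",
    frozenset("F"): "FIN scan (-sF)",
    frozenset("FPU"): "Xmas scan (-sX)",
    frozenset(): "Null scan (-sN)",
}


def classify_probe(flags):
    """Name the scan type implied by a TCP flag string such as "FPU"."""
    return SCAN_SIGNATURES.get(frozenset(flags), "normal or unknown")


def parse_line(line):
    """Parse one constructed log line: "<ts> <src> <dst> <dport> <flags>",
    where a "." in the flags column means no flags set (a Null probe)."""
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags.replace(".", "")


def detect_scans(lines, window=10, min_ports=5):
    """Return {src: (scan types seen, sorted ports)} for any source that
    probes at least `min_ports` distinct ports on one destination within
    `window` seconds. A client retrying one port never trips it."""
    events = defaultdict(list)           # (src, dst) -> [(ts, port, flags)]
    for line in lines:
        ts, src, dst, dport, flags = parse_line(line)
        events[(src, dst)].append((ts, dport, flags))
    alerts = {}
    for (src, dst), probes in events.items():
        probes.sort()
        for i, (t0, _, _) in enumerate(probes):
            burst = [p for p in probes[i:] if p[0] - t0 <= window]
            ports = sorted({p[1] for p in burst})
            if len(ports) >= min_ports:
                kinds = sorted({classify_probe(p[2]) for p in burst})
                alerts[src] = (kinds, ports)
                break
    return alerts


# Constructed sample log (not real traffic): one Xmas-scan burst across
# six ports from 203.0.113.7 (with one Null probe mixed in), and a
# legitimate client retrying port 443 a minute apart.
SAMPLE_LOG = """\
100 203.0.113.7 192.0.2.10 21 FPU
101 203.0.113.7 192.0.2.10 22 FPU
101 203.0.113.7 192.0.2.10 23 FPU
102 203.0.113.7 192.0.2.10 25 FPU
103 203.0.113.7 192.0.2.10 80 .
104 203.0.113.7 192.0.2.10 443 FPU
100 198.51.100.4 192.0.2.10 443 S
160 198.51.100.4 192.0.2.10 443 S
""".splitlines()

if __name__ == "__main__":
    for src, (kinds, ports) in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(kinds)} on ports {ports}")
```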

  40. Vulnerability Scanners Port scanning can be combined with vulnerability scanning, and several packages, including some commercial software, do this. A vulnerability scanner not only identifies the open ports but tests these ports for known vulnerabilities. It uses a database of known vulnerabilities – much like a virus signature database – limited only by the content of the database.
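As an added example (not from the slides or any scanner product), this Python snippet performs the service-and-version lookup against a vulnerability database that slides 34 and 40 describe, using a constructed advisory table with placeholder ids and a constructed inventory shaped like port-scan output; it also lists services the table does not cover at all, which is the "limited only by the content of the database" caveat made concrete.

```python
import re


def version_key(version):
    """Turn a version string such as "8.9.1b" into a tuple that sorts
    naturally: numeric parts compare as integers and a trailing letter
    sorts after the bare number, so "8.9.1" < "8.9.1b" < "8.9.2" < "8.10"."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok.lower()))
    return tuple(parts)


def is_vulnerable(version, first_affected, fixed_in):
    """True when version lies in the half-open range [first_affected, fixed_in)."""
    v = version_key(version)
    return version_key(first_affected) <= v < version_key(fixed_in)


# Constructed advisory table (placeholder ids, not real CVEs or vendor
# bulletins): service, first affected version, first fixed version, id.
ADVISORIES = [
    ("sendmail", "8.8.0", "8.9.3", "ADV-EXAMPLE-001"),
    ("iis", "3.0", "4.0", "ADV-EXAMPLE-002"),
    ("bind", "8.2", "8.2.3", "ADV-EXAMPLE-003"),
]

# Constructed inventory, shaped like port-scan output with version
# detection: (host, port, service, reported version).
INVENTORY = [
    ("192.0.2.10", 25, "sendmail", "8.9.1b"),
    ("192.0.2.10", 80, "iis", "4.0"),
    ("192.0.2.20", 53, "bind", "8.2.2"),
    ("192.0.2.20", 25, "sendmail", "8.9.3"),
    ("192.0.2.30", 23, "telnetd", "unknown"),
]


def find_unpatched(inventory, advisories):
    """Return (host, port, service, version, advisory id) for every service
    whose reported version falls inside an advisory's affected range."""
    findings = []
    for host, port, service, version in inventory:
        for adv_service, first, fixed, adv_id in advisories:
            if service == adv_service and is_vulnerable(version, first, fixed):
                findings.append((host, port, service, version, adv_id))
    return findings


def uncovered_services(inventory, advisories):
    """Services the advisory table says nothing about: a scanner built on
    this table cannot call them safe, only unassessed."""
    known = {adv[0] for adv in advisories}
    return sorted({service for _, _, service, _ in inventory} - known)


if __name__ == "__main__":
    for finding in find_unpatched(INVENTORY, ADVISORIES):
        print("UNPATCHED", *finding)
    print("no coverage for:", uncovered_services(INVENTORY, ADVISORIES))
```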

  41. Vulnerability Scanners - Types General – May be freeware or Commercial-Off-The-Shelf (COTS). COTS are relatively expensive. Specific – Usually custom, looking for a single vulnerability. Often constructed on the fly to deal with a specific situation. Can scan only OR scan and attempt to exploit (called penetration testing). Good practice for the “good” guys to use to detect vulnerabilities!

  42. General Vulnerability Scanners - Freebies SAINT (Security Administrator’s Integrated Network Tool) – a version of SATAN. http://www.wwdsi.com/saint SARA (Security Auditor’s Research Assistant) – http://www-arc.com/sara Nessus – X Windows for Unix. http://www.nessus.org VLAD the Scanner – http://razor.bindview.com/tools/ But beware – some sites can/do deliver Trojans – the point is, it may be hard to tell the good guys from the bad guys!

  43. General Vulnerability Scanners - COTS CyberCop Scanner by Network Associates. http://www.pgp.com/products/cybercop-scanner/default.asp Internet Scanner by Internet Security Systems (ISS), Inc. http://www.iss.net Secure Scanner by Cisco. http://www.cisco.com/warp/public/cc/pd/sqsw/nesn NetRecon by Axtent: http://www.axtent.com

  44. Other Stuff Password crackers are included in most COTS scanners. Some password crackers are available on the Internet: Crack, Version 5.0 – Unix – requires a Unix hashed password file – uses a permuted dictionary. L0phtcrack – Dictionary & brute force for NT – not as strong as Crack, but NT stores 14-char passwords as two 7-char hashes, making them much easier to crack.

  45. Case Study - From a DOE Training Session Used dig to research domain records for an organization. Ran Nmap on networks identified by dig and created a database of open ports. Used Nmap to map the structure of one network, including the location and services behind a firewall. One service was available – http on port 80 on a server. Used Telnet to request a page from the server and identified Microsoft IIS/4.0.

  46. Case Study - more Since Microsoft web servers often run FrontPage, tried to connect to FrontPage with a FrontPage client. Found FrontPage extensions and noted that the FrontPage administrator’s password was not set. So, logged in as administrator – this allows reads and writes in user space. The server also allowed programs to be executed by a browser, so loaded a program & asked the browser to execute it. The program was executed at the same privilege as the web server – this allowed a connection back to our attacking host.

  47. Case Study - more This allowed the remote host to establish a remote console connection. Using the console, captured the registry file. Used the registry file and L0phtcrack to break the administrator’s password. Took full control of the server with administrator privilege. Used this server to bypass the firewall and allow attacks on all the hosts on the network.

  48. Summary of the Intrusion Model 1: Identify target networks. 2: Gather information on a specific network (targeting). 3: Identify hosts on the target network (host targeting). 4: Identify services (port scanning). 5: Determine possible vulnerabilities of services identified. 6: Test and/or exploit vulnerabilities. 7: Hide your tracks. 8: Insert backdoor and exit.
