Looking at Vulnerabilities
Dave Dittrich, The Information School / Computing & Communications, University of Washington
Microsoft campus, 8/25/03

Overview
Background concepts
Your typical look at Vulnerabilities
Risk vs. Cost
A (real!) complex attack scenario
[Figures: one-day, one-week and one-year network traffic graphs; images not included in this extraction]
SANS Top 20 Vulnerabilities

Windows Top 10
Internet Information Server (IIS)
Microsoft Data Access Server (MDAC)
Anonymous login/null session
LAN Manager Authentication (weak LM hash)
General Windows Authentication (accounts w/o pwd, bad pwd)
Remote Registry Access
Windows Scripting Host

Unix Top 10
Remote Procedure Call (RPC) services
Apache Web Server
Secure Shell (SSH)
Simple Network Management Protocol (SNMP)
File Transfer Protocol (FTP)
Berkeley “r” utilities (trust relationships)
Line Printer Daemon (LPD)
General Unix Authentication (accounts w/o pwd, bad pwd)
[Figure: CERT/CC chart of attack sophistication over time; labels recovered from the chart: “stealth” / advanced scanning techniques, denial of service, network mgmt. diagnostics, exploiting known vulnerabilities]
Source: CERT/CC (used w/o permission & modified. “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)
Survivability Compromise: Monitor network traffic
OR: 1. Install sniffer on desktop.
        OR: 1. Use email trojan horse.
            2. Use remote exploit.
            3. Use Windows remote login service.
                OR: 1. Use passwordless Administrator account.
                    2. Brute force passwords on all listed accounts.
                    3. Brute force passwords on common accounts.
    2. Install sniffer on Unix/Windows server.
        OR: 1. Use remote exploit.
            2. Steal/sniff password to root/Administrator account.
            3. Guess password to root/Administrator account.
    3. Man-in-the-middle attack on SSL/SSH.
Survivability Compromise: Disclosure of Patient Records
OR: 1. Attack Med Center network using connections to the Internet.
        OR: 1. Compromise central patient records database (PRDB).
                AND: 1. Identify central PRDB.
                        OR: 1. Scan to identify PRDB.
                            2. Monitor network traffic to identify PRDB.
                     2. Compromise central PRDB.
                        OR: 1. Use Remote Exploit.
                            2. Monitor network traffic to sniff pwd to account.
                            3. Guess password to account.
            2. Obtain file(s) containing patient records.
                OR: 1. Monitor network traffic to capture patient records.
                    2. Compromise file server or terminal server.
                        OR: 1. Use Remote Exploit.
                            2. Monitor network traffic to sniff Administrator pwd.
                            3. Guess password to User/Administrator account.
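Both attack trees above use the same AND/OR structure, and the "Risk vs. Cost" question in the overview is really: which control removes the most paths through such a tree? The following Python is an added example, not code from the talk: it encodes the patient-records tree with the slide's leaf text kept verbatim, enumerates every leaf set that reaches the goal, and reports how many remain once a control blocks a class of leaves. The Node class, the predicate-based control model and the two candidate controls are my own constructs.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, List

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)

def attack_paths(node: Node) -> List[frozenset]:
    """Every leaf set that reaches this node: an OR node takes any one child's
    path; an AND node needs a path from each child, so those are combined."""
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    if node.kind == "OR":
        return [p for child in node.children for p in attack_paths(child)]
    return [frozenset().union(*combo)
            for combo in product(*(attack_paths(c) for c in node.children))]

def surviving_paths(node: Node, blocked: Callable[[str], bool]) -> List[frozenset]:
    """Paths left once a control blocks every leaf for which blocked() is true."""
    return [p for p in attack_paths(node) if not any(blocked(leaf) for leaf in p)]

def patient_records_tree() -> Node:
    """The 'Disclosure of Patient Records' tree from the slide, leaf text verbatim."""
    return Node("Disclosure of Patient Records", "OR", [
        Node("Attack Med Center network using connections to the Internet", "OR", [
            Node("Compromise central patient records database (PRDB)", "AND", [
                Node("Identify central PRDB", "OR", [
                    Node("Scan to identify PRDB"),
                    Node("Monitor network traffic to identify PRDB")]),
                Node("Compromise central PRDB", "OR", [
                    Node("Use Remote Exploit"),
                    Node("Monitor network traffic to sniff pwd to account"),
                    Node("Guess password to account")])]),
            Node("Obtain file(s) containing patient records", "OR", [
                Node("Monitor network traffic to capture patient records"),
                Node("Compromise file server or terminal server", "OR", [
                    Node("Use Remote Exploit"),
                    Node("Monitor network traffic to sniff Administrator pwd"),
                    Node("Guess password to User/Administrator account")])])])])

if __name__ == "__main__":
    tree = patient_records_tree()
    print("attack paths with no controls:", len(attack_paths(tree)))   # 10
    # Candidate controls, each described by the leaves it removes (constructed for illustration)
    controls = {
        "patch remote exploits": lambda leaf: leaf == "Use Remote Exploit",
        "encrypt/segment so traffic cannot be sniffed": lambda leaf: leaf.startswith("Monitor network traffic"),
    }
    for label, blocked in controls.items():
        print(f"{label}: {len(surviving_paths(tree, blocked))} paths remain")
```

Because "Monitor network traffic" leaves appear under both the identify and the compromise branches, the sniffing control removes more paths than patching alone, which is the comparison the first tree (sniffer placement) motivates.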
Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999