Open_Source_InfoSec - Open Source Club at Ohio State


Open Source Security Tools
Alek Rollyson
DISCLAIMER
DON'T BE STUPID...SERIOUSLY
USE OF THESE TOOLS ON MACHINES NOT LEGALLY OWNED BY YOU COULD END UP PUTTING A NASTY MARK ON YOUR CRIMINAL RECORD
Please ask questions. In the interest of time I'm going to automatically assume you're keeping up if you don't say anything.
Talk Overview
• Protocol Analyzing, Sniffers, Interceptors, Port Scanning
o Wireshark, Ettercap, Nmap
• Vulnerability Assessment
o OpenVAS (Nessus replacement)
• Pen Testing Tools
o Metasploit Framework
• Password Crackers
o John the Ripper, Ophcrack
• Wireless Security Tools
o aircrack-ng, Kismet
• Honeypots
o Kippo
• Security Focused Distributions
• Notes on Hardening
• Dispelling some bullshit
protocol analysis
• capture and analyze network traffic
o promiscuous mode
• Wireshark is extremely popular and powerful
o uses pcap to capture packets
o capture ethernet, 802.11, PPP and loopback traffic
o "knows" about different networking protocols and can display useful information about each
o use filters to find relevant data
o used to need special privileges, can run as a normal user on most platforms now
o CLI interface: TShark
Sniffing, Intercepting
• MITM - man in the middle
• Ettercap is highly regarded and very powerful
o use in promiscuous mode
o four modes (IP, MAC, ARP, PublicARP)
o can sniff encrypted traffic (SSH, HTTPS)
o Password collectors for tons of protocols
o inject into an established connection
o hijack DNS
o alter/drop packets
o can detect other poisoners on the network
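A defender-side check for the ARP poisoning that Ettercap's ARP mode relies on, added here as an example and not part of the original talk: it scans a constructed list of observed ARP replies for an IP claimed by more than one MAC, and for one MAC answering for several IPs (the gateway plus a host is the tell-tale pattern). In practice the replies would come from a pcap or an arpwatch-style listener.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment: (sender_ip, sender_mac).
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by a second MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC also answers for another host
    ("192.168.1.10", "00:11:22:33:44:0a"),
]


def find_arp_conflicts(replies):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC.

    An IP that flips between two hardware addresses is the classic symptom of
    ARP cache poisoning: a MITM tool answering ARP for a victim's address.
    """
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac.lower())          # normalise case before comparing
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_greedy_macs(replies):
    """Return {mac: sorted IP list} for MACs that answer for several IPs.

    One MAC claiming the gateway plus one or more hosts is the other side of
    the same attack: the poisoner impersonates both ends of the conversation.
    """
    owned = defaultdict(set)
    for ip, mac in replies:
        owned[mac.lower()].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in owned.items() if len(ips) > 1}


if __name__ == "__main__":
    print("IPs with conflicting MACs:", find_arp_conflicts(ARP_REPLIES))
    print("MACs claiming several IPs:", find_greedy_macs(ARP_REPLIES))
```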
port scanning
• self-descriptive, designed to probe and scan for open ports
• Nmap is THE port scanner. Just use it
o very comprehensive and smart
▪ accounts for network conditions during the scan
o turned into a swiss army knife due to excellent community
▪ OS fingerprinting
▪ names and versions of running services
▪ estimated uptime
▪ presence of firewall
▪ type of device
▪ new scripting engine (SoC project)
▪ Zenmap GUI available (also SoC project)
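Port scans of the kind Nmap performs are easy to spot on the receiving end. This is an added example, not from the talk: it counts distinct destination ports per source over a sliding time window in constructed iptables-style LOG lines (the log format is approximated from iptables' LOG target, not a real capture).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: one host touching six ports in three seconds, one normal client.
FW_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=23 SYN
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40003 DPT=25 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40004 DPT=80 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40005 DPT=443 SYN
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40006 DPT=3306 SYN
Jan 10 12:00:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 12:05:00 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")


def parse_events(text, year=2011):
    """Turn log lines into (timestamp, src_ip, dst_port); syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dport"])))
    return events


def detect_scanners(events, window_s=60, min_ports=5):
    """Return {src: max distinct ports} for sources hitting >= min_ports distinct
    destination ports inside any window_s-second sliding window."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1                       # slide the window's left edge forward
            ports = {p for _, p in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits
```

A deliberately slow scan spreads its probes over minutes or hours, so a production detector keeps a longer window (or a per-source running set) than the 60 seconds used here.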
Vulnerability Assessments
• meant to be a one-stop shop for discovering vulnerabilities in systems
o port scanning, enumeration, web app scanner, exploit checks, default accounts and passwords, misconfigurations, DoS checks, etc.
• Nessus is huge in the industry (OpenVAS is the open source implementation)
o exploits published regularly as a "feed"
o attacks are written in NASL (Nessus Attack Scripting Language)
Penetration Testing Tools
• often used in conjunction with vulnerability scans to actively attempt to penetrate a system
• very broad term
• Metasploit Framework is becoming the de facto standard for vulnerability development
o largest Ruby project in existence
o new exploits often include a Metasploit module that includes full details of the exploit
o choose exploit -> check if exploit applies -> configure payload -> configure encoding to evade IDS -> execute the exploit
o includes an extensive shellcode and opcode database with full source code
password crackers
• two main modes
o dictionary (rainbow tables)
o brute force
• John the Ripper is probably the most popular
o can auto-detect password type
▪ DES flavors, LM Hash (MD5), SHA, Blowfish, Kerberos AFS
o can be fed rainbow tables
o pretty simple to use
• Ophcrack
o cracks Windows LM hash passwords via rainbow tables
▪ some basic tables provided
o live CD available
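Added example, not from the talk, showing the precomputation idea behind rainbow tables and why a per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 here) defeats it: the lookup that instantly recovers an unsalted SHA-256 hash finds nothing for the salted one. The wordlist and password are constructed.

```python
import hashlib
import os

# Constructed tiny wordlist standing in for a dictionary or rainbow-table source.
WORDLIST = ["password", "letmein", "buckeyes", "qwerty", "ohio2011"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. Real rainbow tables compress this with
    hash chains, but the trade-off is the same: pay once, then every unsalted
    hash of a covered word is recovered with a single lookup."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, digest):
    """Return the plaintext for a digest if the precomputed table covers it."""
    return table.get(digest)


def hash_with_salt(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, slow password hash. The salt makes any precomputed table useless
    (each user would need a table of their own) and the iteration count makes
    brute force pay that cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo():
    """Unsalted hash: recovered from the table. Salted hash: not in the table."""
    table = build_lookup_table(WORDLIST)
    unsalted = sha256_hex(b"buckeyes")
    salted = hash_with_salt("buckeyes", os.urandom(16))
    return lookup(table, unsalted), lookup(table, salted)


if __name__ == "__main__":
    print(demo())
```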
Honeypots
• valuable recon tool
• set up to look like a vulnerable machine, really used to divert attacks and possibly gather information
o distraction tool
o research attack methods
o watch skiddies try and fail over and over
• sometimes turn out to be pretty entertaining
• Kippo is a simple open source honeypot with recording capabilities
security distros
• BackTrack Linux
o includes most of the tools we'll talk about tonight
o one of the best (most up to date) security live CDs
o latest release is 4r2
• Knoppix STD
o used to be an excellent security live CD
o now stagnant unfortunately
• Damn Vulnerable Linux
o pretty much exactly what it sounds like
o designed to be easy to break, good for learning about vulnerabilities
• almost all of these tools are available in distribution repositories
notes on hardening
• mandatory vs. discretionary access control
• intrusion detection systems
• reduce your attack surface
o close unneeded ports (port knocking)
o disable unneeded services
• open source vs. proprietary
o aka: security through obscurity = FAIL
• regular security auditing
• always be aware of social engineering
• use key login for ssh, disable password login
o use a password for your key and protect it!
o disable root login via ssh
• disable SMTP open relays
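The SSH hardening bullets above as a check you can run against sshd_config: an added example, not from the talk, with two constructed config fragments (the permissive one beside the hardened one) and an audit that reports every deviation from the expected values.

```python
# Constructed sshd_config fragments: permissive settings beside the hardened form.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no                  # root logs in as a user and escalates, if at all
PasswordAuthentication no           # key login only
ChallengeResponseAuthentication no  # otherwise PAM can still prompt for a password
PubkeyAuthentication yes
"""

# Directive -> value a hardened host should carry (sshd directives are case-insensitive).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive_lower: value}, keeping the first occurrence of each directive
    (sshd uses the first value it reads) and skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return [(directive, found, expected)] for each deviation. A directive that is
    absent is reported with found=None: OpenSSH's compiled-in default for
    PasswordAuthentication is 'yes', so silence is not safety."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None or got.lower() != want:
            findings.append((key, got, want))
    return findings
```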
dispelling some bullshit
• upping password change frequency is not really that helpful, false sense of security
• good idea to write down passwords?
o argument still going on about this
o Bruce Schneier seems to think it's ok
• changing default ports doesn't really do much
o auto scanners are patient b/c they're, well, machines
• hashing != encryption
• not broadcasting SSID doesn't really do much
o neither does MAC black/whitelisting
• DON'T USE DICTIONARY WORDS IN PASSWORDS
o use different passwords for sites!
• physical access = root
dispelling more bullshit
• beware of unencrypted access points
o free public wifi
• pay attention to those messages about server keys changing
• phishing can get anyone, even smart people
• Linux and OS X do have nasty attacks out there
o just a matter of time, people
o don't assume you're automatically secure
• DO NOT rely on Tor for confidentiality
o malicious nodes are not unheard of
• Don't let anyone convince you that they are omniscient just because they have a CISSP
• as mentioned before...security via obscurity == FAIL
• don't connect LOIC via hivemind, regardless of what people on the AnonOps IRC channel tell you