
Fighting Zombies with FastNMAP & Npwn: A Case Study At Washington University

REN-ISAC Techburst, Thursday, April 29th, 2010. Brian Allen, CISSP [email protected]

Network Security Analyst, Washington University in St. Louis http://nso.wustl.edu/

Washington University in St. Louis, MO
• Private University Founded in 1853
• 3,000+ Full Time and Adjunct Faculty
• 13,000+ Full and Part Time Students
• 13,000+ Employees
• 4000+ Students Living on Campus
• Decentralized Campus Network

Decentralized Campus Network (diagram): Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture, Engineering School, NSS, NSO, Internet
NSS = Network Services and Support
NSO = Network Security Office

A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning

• Give Notice to Departments Before Scanning
• The Period Between Scans is Not Too Important: 1 week < X < A Couple Months
• A Switch's One Minute Heartbeat was Missed, and School's Network Engineers Were Paged
• KVM Switch Hung – It was Old and Needed to be Updated, Then it Handled the Scan Fine
• Identify Devices with Problems, Exclude Them, Work to Fix them

My Scanner: Dell PowerEdge R805

• 2x Quad-Core AMD Opteron 2.4GHz
• 16GB Memory
• 2x 146GB 10K Hard Drives
• 4x Broadcom NetXtreme II 5708 1GbE Onboard NICs
• Need to upgrade to an Intel Pro/1000 PCI Express card ($100-200)

NMAP Scripting Engine

• I kept 92 nse scripts like:
  – "dns-recursion.nse"
  – "http-headers.nse"
  – "imap-capabilities.nse"
  – "irc-info.nse"
  – "p2p-conficker.nse"
  – "smb-enum-users.nse"
  – "ssl-cert.nse"
• I removed all the brute force ones + others like:
  – "smb-check-vulns.nse"
  – "smb-brute.nse"

FastNMAP Command

# nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan' | awk '{print $5}' | ./fastnmap.pl
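The one-liner above generates the target list with nmap's list scan and hands it to fastnmap.pl, whose contents are not on this page. The following is an added illustration, not the talk's script, of what a batch driver at that stage can do: parse the 'nmap -sL -n' output, drop hosts known to misbehave (the paged switch, the old KVM), group the rest by /24 and build one rate-limited nmap job per group. The NSE script subset, the flags chosen, the documentation addresses in the sample output and the function names are this example's own assumptions.

```python
"""Batch driver in the spirit of the fastnmap.pl step of the one-liner above.
Added illustration for this page, not the talk's script: parses the
'nmap -sL -n' target list, drops excluded hosts, groups the rest by /24 and
builds one nmap job per group.  Script names, flags and sample data are this
example's own choices."""
import ipaddress
import shutil
import subprocess
from concurrent.futures import ThreadPoolExecutor

# An informational subset of the NSE scripts the talk kept: no brute-force
# or vuln-check scripts (assumed subset, not the talk's full list of 92).
NSE_SCRIPTS = "dns-recursion,http-headers,imap-capabilities,ssl-cert,p2p-conficker"

# Constructed 'nmap -sL -n' output (documentation addresses, not real hosts).
SAMPLE_LIST = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-29 09:00 CDT
Nmap scan report for 192.0.2.1
Nmap scan report for 192.0.2.2
Nmap scan report for 192.0.2.250
Nmap scan report for 198.51.100.7
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.01 seconds
"""


def parse_list_scan(text):
    """Field 5 of each 'Nmap scan report for A.B.C.D' line, exactly what the
    egrep/awk stage of the one-liner extracts.  Only correct with -n: without
    it nmap prints 'host.example (A.B.C.D)' and field 5 is the hostname."""
    return [line.split()[4] for line in text.splitlines()
            if line.startswith("Nmap scan report for ")]


def batch_targets(ips, exclude):
    """Drop excluded hosts (the fragile switch, the old KVM) and group the
    rest by /24 so each nmap process walks one contiguous block."""
    excluded = {ipaddress.ip_address(e) for e in exclude}
    by_net = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr in excluded:
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_net.setdefault(net, []).append(ip)
    return [by_net[net] for net in sorted(by_net)]


def nmap_command(batch, out_prefix, max_rate=100):
    """One nmap job: no DNS, SYN scan, version probes, the trimmed NSE set,
    a packet-rate cap so old gear is not flooded, XML output for post-processing."""
    return ["nmap", "-n", "-sS", "-sV", "--script", NSE_SCRIPTS,
            "--max-rate", str(max_rate), "-oX", f"{out_prefix}.xml", *batch]


def run_batches(batches, log_dir, workers=4, dry_run=False):
    """Run the jobs a few at a time; returns the command lines so a dry run
    (or a box without nmap, or without root for -sS) can still be inspected."""
    cmds = [nmap_command(b, f"{log_dir}/batch{i}") for i, b in enumerate(batches)]
    if not dry_run and shutil.which("nmap") is not None:
        with ThreadPoolExecutor(max_workers=workers) as pool:
            list(pool.map(lambda c: subprocess.run(c, check=False), cmds))
    return cmds


if __name__ == "__main__":
    targets = batch_targets(parse_list_scan(SAMPLE_LIST), exclude=["192.0.2.250"])
    for cmd in run_batches(targets, "./log", dry_run=True):
        print(" ".join(cmd))
```

The exclusion list is the mechanical form of the "identify devices with problems, exclude them" rule from the pitfalls slide; --max-rate is the knob that would have spared the switch whose heartbeat was missed, and -n matters twice, once so the list scan prints bare IPs for awk and once so the real scan does not hammer the resolvers.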

NPWN Command

# ./npwn.pl -x -s 7 -d ./log/


FastNMAP.pl Status Update

• Took three days to scan 128.252.0.0/16
• Much of the campus sits behind firewalls
• Can only scan the MedSchool's 93 /24 subnets once per month
• Am not scanning any of our private IP space (student subnets, wireless, etc)
• Usually find about 3000 IP addresses online

Some Interesting Npwn Tags

NPWN TAG             Severity
[VNCAUTHBYPASS]      10
[BACKDOOR]           10
[IMAPWEAKAUTHNOSSL]  7
[POP3WEAKAUTHNOSSL]  7
[NOPASSWD]           7
[OPENX11]            7
[SERV-U]             6
[OLD_MSFTP]          4
[SSLCERT_WILDCARD]   4
[NSFTP]              3
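npwn.pl reads the scan logs and attaches severity-ranked tags like the ones in the table; how it decides on each tag is not on this page. The following is an added example for this page, not npwn.pl, of the same idea: walk nmap's XML output and apply one rule per tag over the NSE script output. The two rules here, a wildcard commonName from ssl-cert.nse for SSLCERT_WILDCARD and an IMAP server that neither offers STARTTLS nor disables cleartext LOGIN for IMAPWEAKAUTHNOSSL, are this example's own interpretation of those tag names; only the tag names and severities come from the table above, and the sample XML is constructed.

```python
"""npwn-style tagger over nmap XML output.  Added illustration, not npwn.pl:
the matching rules are this example's assumptions about what two of the
talk's tags mean; the severities are the table's."""
import re
import xml.etree.ElementTree as ET

SEVERITY = {"SSLCERT_WILDCARD": 4, "IMAPWEAKAUTHNOSSL": 7}  # from the table

# Constructed nmap -oX fragment: two hosts on documentation addresses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="143"><state state="open"/><service name="imap"/>
<script id="imap-capabilities" output="IMAP4rev1 IDLE LOGIN-REFERRALS AUTH=PLAIN"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-cert" output="Subject: commonName=*.example.edu/organizationName=Example U"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="143"><state state="open"/><service name="imap"/>
<script id="imap-capabilities" output="IMAP4rev1 STARTTLS LOGINDISABLED"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host>
</nmaprun>
"""


def script_outputs(port, script_id):
    """Text of every <script id=...> element under one <port>."""
    return [s.get("output", "") for s in port.iter("script") if s.get("id") == script_id]


def rule_ssl_wildcard(port):
    """SSLCERT_WILDCARD (assumed rule): ssl-cert.nse shows a '*.' commonName."""
    for out in script_outputs(port, "ssl-cert"):
        m = re.search(r"commonName=([^/,\n]+)", out)
        if m and m.group(1).strip().startswith("*."):
            return True
    return False


def rule_imap_weak_auth(port):
    """IMAPWEAKAUTHNOSSL (assumed rule): a non-TLS IMAP port whose capability
    list has neither STARTTLS nor LOGINDISABLED, so passwords cross in clear.
    Port 993 is implicit TLS and is not the cleartext case."""
    if port.get("portid") == "993":
        return False
    for out in script_outputs(port, "imap-capabilities"):
        caps = set(out.split())
        if "STARTTLS" not in caps and "LOGINDISABLED" not in caps:
            return True
    return False


RULES = [("SSLCERT_WILDCARD", rule_ssl_wildcard),
         ("IMAPWEAKAUTHNOSSL", rule_imap_weak_auth)]


def tag_hosts(xml_text):
    """Return [(severity, tag, ip, port)] for every open port that trips a
    rule, worst severity first so the top of the report is the work queue."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            for tag, rule in RULES:
                if rule(port):
                    findings.append((SEVERITY[tag], tag, addr, int(port.get("portid"))))
    return sorted(findings, key=lambda f: (-f[0], f[2], f[3]))


if __name__ == "__main__":
    for sev, tag, ip, port in tag_hosts(SAMPLE_XML):
        print(f"{sev:>2} [{tag}] {ip}:{port}")
```

Only open ports are considered, so a closed 443 never yields a certificate finding, and each rule looks at the script output attached to its own port rather than to the host, which keeps a wildcard certificate on 443 from being blamed on 8443. Adding a tag means adding one rule function and its severity; the report order falls out of the table.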

Any Questions?