EE579S Computer Security


Summer 2003 © 2000-2003, Richard A. Stanley

EE579T Network Security 3: Vulnerability Assessment

Prof. Richard A. Stanley

WPI

EE579T/3GD #1

Overview of Today’s Class

• Projects
• Review last week’s lesson
• Logistics for next class
• Look at network security in the news
• Vulnerability assessment


Project Definitions

• Who?

• What?

• Problems, issues?


Last Time...

• IPSec is a complex security protocol, originally developed for roll-out with IP v6
• Provides authentication, integrity, and confidentiality services to IP transmission
• Improves on basic protocols like D-H
• Many implementations available for IP v4, so it is usable today
• Authentication and encapsulation services provide a basis for VPNs


Next time...

• Next class topic is SSL and SET
• I must be away next Monday. How do we proceed?
  – The class is available on videotape
  – The slides will be sent to you
  – Please meet as normally scheduled, watch the lecture and discuss the slides, and we’ll go over any questions on July 28th


Network Security Checklist

(searchSecurity.com)

• Check systems for zombie agent software
• Minimize external exposure by minimizing Internet access and connectivity [do not leave non-mission-critical Internet connections open continuously, and deny Internet access to employees who do not need it]
• Review security policies and ensure that they are current, implemented and enforced.


Security checklist - 2

• Ensure all current service-level and security patches have been installed on operating systems and software, including antivirus updates
• Enhance the review and monitoring of all critical system logs for suspect activity, and consider implementing an intrusion-detection system
• Revisit firewall configurations and rules to ensure that unnecessary ports and services are turned off and that access control is tightly managed


Security checklist - 3

• Consider curtailing remote access by employees, business partners, customers and consultants to essential business.

• Consider changing passwords for all super-user or power IDs such as Root, dbadmin, application manager IDs, etc., especially if that information has become widely shared.

(emphasis added)

• Revisit access control lists to ensure that access to critical functions and resources is limited.


Security checklist - 4

• Discuss with your ISP what measures they are taking to ensure the security and reliability of the services they are providing you.

• Regularly back up all critical systems and test actual systems recovery procedures.

• Consider an incident response plan for addressing actions to be taken should a debilitating cyber incident/event occur, affecting your business.


Security checklist - 5

• Ensure all users of your corporate computer systems (including employees, consultants, contractors and temporary workers) understand the importance of protecting the business and their role in the overall program.
• Users working from home via high-speed, broadband connections should be required to have a firewall installed on their system. In addition, they should only be allowed to connect to the corporate network through a VPN tunnel.


What do all these security issues have in common?


Thought for the Day

“The network is the computer.”
Scott McNealy, CEO, Sun Microsystems


Is this quote for real or is it for marketing?

• What is typical PC bus speed?

• What sort of network data transfer rates can be attained?

• What does this mean for the future of networked computing?


How To Rob a Bank

• Just walk in and demand the money
  – Where is the bank?

  – How do you know there is any money?
  – Where to park the getaway car?
  – Are there any guards or surveillance devices?
  – Will you need a disguise?
  – What kinds of things might go wrong?
  – What if they say “NO?”


Success Requires Planning

• Whether robbing a bank or breaching network security, you need to plan ahead
• Planning ahead is known as vulnerability assessment
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (shake the doors)


Information in Plain Sight

• Lots of valuable information is just lying around waiting to be used
  – telephone directories
  – company organization charts
  – business meeting attendee lists
  – promotional material
• The Internet has made having a company web page the measure of being “with it”


Target: FBI


You get the idea

• There is a lot of information out there, and it is readily available to anyone
• Good intelligence usually consists of open source material properly collated
• Law enforcement used to have special access to this sort of information; now it’s out on the ‘net
• Network access speeds up the rate at which good intelligence can be collected


Determine Your Scope

• Check out the target’s web page
  – physical locations
  – related companies or entities
  – merger/acquisition news
  – phone numbers, contact information
  – privacy or security policies
  – links to other related web servers
  – check the HTML source code


Refine Your Search

• Run down leads from the news, etc.
  – Search engines are a good way
    • FerretSoft
    • Dogpile
  – Check USENET postings
  – Use advanced search capabilities to find links back to target
    • Search on wpi + security gives ~2900 hits


Use the Government

• EDGAR
  – SEC site (www.sec.gov/edgarhp.htm)
  – Search for 10-Q and 10-K reports
  – Try to find subsidiary organizations with different names
• Think about what your organization has on databases available to the public


Zero In On The Networks

• InterNIC
  – Organization
  – Domain
  – Network
  – Point of contact
• www.networksolutions.com
• www.arin.net


Search for wpi.edu

Registrant:
  Worcester Polytechnic Institute (WPI-DOM)
  100 Institute Road
  Worcester, MA 01609-2280
  US

Domain Name: WPI.EDU

Administrative Contact, Billing Contact:
  Johannesen, Allan E (AEJ5) [email protected]
  The College Computer Center, Worcester Polytechnic Institute
  100 Institute Road, Worcester, MA 01609-2280

Technical Contact:
  Brandt, Joshua (JBC740) [email protected]
  Solipsist Nation, 9 Circuit Ave. E Apt 1, Worcester, MA 01603, US

Phone and FAX numbers listed for the contacts: 508 754-3964, 508-831-5512, (FAX) 508-831-5483

Record last updated on 05-Dec-2000.
Record created on 22-Mar-1988.
Database last updated on 15-Feb-2001 02:07:04 EST.

Domain servers in listed order:
  NS.WPI.EDU       130.215.24.1
  NS1.YIPES.COM    209.213.223.126
  NS2.YIPES.COM    209.50.39.102
  NS3.YIPES.COM    209.50.40.102


Other Sources

• InterNIC has 50-record limit, so…
  – ftp://rs.internic.net/domain
  – http://samspade.org/ssw/ (freeware)
  – www.nwpsw.com
    • NetScan Tools; single copy price = $32.00
  – www.ipswitch.com
    • WS_Ping ProPack = $37.50


Example: Sam Spade

Sam Spade Features

Environment

Each tool displays its output in its own window, and everything is multi-threaded, so you don't need to wait for one query to complete before starting the next one. Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again). The output from each query is hotlinked, so you can right-click on an email address, IP address, hostname or InterNIC tag to run another query on it. Appending the results of a query to the log window is a single-button function. There's a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself.

Tools

ping, dig, web browser, Usenet cancel check, Email blacklist query, nslookup, traceroute, keep-alive, website download, Abuse address query, whois, finger, DNS zone transfer, website search, S-Lang scripting, IP block whois, SMTP VRFY, SMTP relay check, email header analysis, Time


Query on Found Data

• POC
  – May be (often is) POC for other domains
• Query for email addresses; here are a few from @wpi.edu

Amiji, Murtaza (MA3608) [email protected] (508) 831-5395
Baboval, John (JBJ116) [email protected] XXX-XXXX
Ballard, Richard (RBS722) [email protected] 508-831-6731
Barnett, Glenn S (GSB14) [email protected] (315) 475-5920
Bartelson, Jon (JB12891) [email protected] (508) 831-5725 (FAX) (508) 831-5483
Berard, Keith (KB2414) [email protected] (508) 754-4502
Blank, Karin (KBJ257) [email protected] 203-762-0532
Blomberg, Adam (AB5417) [email protected] 508-755-7699


Query the DNS

• Insecure DNS configuration can reveal information that should be kept confidential
• Zone transfers are popular attack methodologies
  – nslookup often used
  – pipe output to a text file
  – review the text file at your leisure
  – select potential “good targets” based on data
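The defensive counterpart to the zone-transfer point above: an added example (not part of the lecture) that scans BIND-style query-log lines for AXFR/IXFR requests coming from anything other than the authorised secondaries. The log lines, the example.edu zone and the secondary address ranges are constructed assumptions.

```python
# Added example (not from the lecture): flag zone-transfer requests (AXFR/IXFR)
# from clients that are not an authorised secondary, using BIND-style query-log
# lines. The log lines are constructed and the secondary ranges are assumed.
import ipaddress
import re

# Secondaries permitted to pull the zone (assumed; should mirror allow-transfer).
ALLOWED_SECONDARIES = [
    ipaddress.ip_network("192.0.2.53/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Client address, queried name and query type from a BIND-style query-log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def unauthorised_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone) for each AXFR/IXFR from outside `allowed`."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None or m.group("qtype") not in ("AXFR", "IXFR"):
            continue
        client = ipaddress.ip_address(m.group("ip"))
        if not any(client in net for net in allowed):
            hits.append((str(client), m.group("name")))
    return hits


# Constructed sample: one transfer by the real secondary, one by an unknown
# host, and an ordinary A lookup that must not be reported.
SAMPLE_LOG = [
    "12-Jul-2003 10:01:02.113 client 192.0.2.53#3456 (example.edu): "
    "query: example.edu IN AXFR -TE (192.0.2.1)",
    "12-Jul-2003 10:01:05.221 client 203.0.113.77#51234 (example.edu): "
    "query: example.edu IN AXFR -TE (192.0.2.1)",
    "12-Jul-2003 10:01:07.004 client 203.0.113.77#51235 (www.example.edu): "
    "query: www.example.edu IN A -E (192.0.2.1)",
]

if __name__ == "__main__":
    for client, zone in unauthorised_transfers(SAMPLE_LOG):
        print(f"zone transfer of {zone} requested by unauthorised client {client}")
```

Restricting transfers in the server configuration is the primary control; this check is the audit that confirms nobody outside that list is still asking.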


Map the Network

• traceroute
  – Unix and Win/NT
  – tracert in NT for file name legacy reasons
  – Shows hops from router to destination
• Graphical tools exist, too
  – VisualRoute
  – www.visualroute.com


Detailed Scanning

• Network ping sweeps
  – Who is active?
  – Automated capabilities with some tools
• ICMP queries
  – Reveal lots of information on systems
    • System time
    • Network mask


Port Scanning

• Identify running services
• Identify OS
• Identify specific applications of a service
• Very popular
• Very simple
• Very dangerous


Port Scan Types

• Connect Scan: completes 3-way handshake
• SYN: should receive SYN/ACK
• FIN: should receive RST on closed ports
• Xmas tree: sends FIN, URG, PSH; should receive RST for closed ports
• Null: turns off all flags; target should send back RST for closed ports
• UDP: port probably open if no “ICMP port unreachable” message received
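Seen from the defender's side, the flag combinations listed above are exactly what a scan detector keys on. The following is an added example (not from the lecture) that maps TCP flag bits to the scan types named on the slide and reports sources whose probes of one type reach many distinct targets; the packet records, addresses and thresholds are constructed assumptions.

```python
# Added example (not from the lecture): classify TCP probes by flag combination
# and flag likely port scans. Packet records are constructed sample data.
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG

# Flag patterns for the scan types listed in the lecture. A lone SYN is also how
# every legitimate connection (and a connect scan) starts, so it is suspicious
# only in volume; FIN, Xmas and Null segments never start a connection at all.
SCAN_SIGNATURES = {0: "null", FIN: "fin", SYN: "syn", FIN | URG | PSH: "xmas"}


def classify_probe(flags):
    """Return the scan type a segment with these flags suggests, else None."""
    return SCAN_SIGNATURES.get(flags & FLAG_MASK)


def detect_scans(packets, syn_threshold=10, anomalous_threshold=3):
    """Return sorted (src_ip, scan_type, target_count) for sources whose probes
    of one type reach enough distinct (dst_ip, dst_port) targets.
    packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags)."""
    targets = defaultdict(set)  # (src_ip, scan_type) -> {(dst_ip, dst_port)}
    for src, dst, port, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            targets[(src, kind)].add((dst, port))
    alerts = []
    for (src, kind), hit in targets.items():
        limit = syn_threshold if kind == "syn" else anomalous_threshold
        if len(hit) >= limit:
            alerts.append((src, kind, len(hit)))
    return sorted(alerts)


# Constructed sample: an Xmas probe of five ports, a twelve-port SYN sweep, and
# a normal client completing a handshake to one web server (not reported).
SAMPLE_PACKETS = (
    [("198.51.100.7", "192.0.2.10", p, FIN | URG | PSH) for p in (21, 22, 23, 25, 80)]
    + [("203.0.113.9", "192.0.2.10", p, SYN) for p in range(20, 32)]
    + [("192.0.2.50", "192.0.2.10", 443, SYN),
       ("192.0.2.50", "192.0.2.10", 443, ACK),
       ("192.0.2.50", "192.0.2.10", 443, PSH | ACK)]
)

if __name__ == "__main__":
    for src, kind, count in detect_scans(SAMPLE_PACKETS):
        print(f"{src}: probable {kind} scan against {count} targets")
```

On real traffic the records would be fed from a capture or firewall log, and the SYN threshold should be tuned to the normal connection fan-out of the network being watched.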


Identify Running Services

• Strobe
• Udp_scan (from SATAN)
• netcat
• PortPro & Portscan
• nmap
• Using SYN scan is usually stealthy
• Beware of DoS results


OS Detection, etc.

• Stack fingerprinting
  – Different vendors interpret RFCs differently
• Example:
  – RFC 793 states correct response to FIN probe is none
  – Win/NT responds with FIN/ACK
• Based on responses to specific probes, possible to make very educated guesses as to what OS is running
  – Automated tools to make this easy!
    • Nmap: www.insecure.org/nmap/
    • Retina: www.eeye.com/html/Products/Retina/


Enumeration

• Try to identify valid user accounts on poorly protected resource shares
  – Windows NT
    • net view
      – lists domains on network
      – can also list shared resources
    • nltest: identifies PDC & BDC
    • SNMP
    • open a telnet connection


Automated, Graphical Tools

• Can trace network topology very accurately
  – ID machines by IP, OS, etc.
  – Makes attack much easier
• Cheops
  – www.marko.net/cheops/
• Tkined
  – wwwhome.cs.utwente.nl/~schoenw/scotty/


Summary

• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful
• There are three basic steps to planning, which is called vulnerability assessment:
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (enumeration)
• This applies if you are inside or outside the protected perimeter!


Homework - 1

1. Identify and describe how you would enumerate resources on a Unix network, similar to the discussion in class of enumeration on Windows/NT.
2. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?
