Network Security Tools and Defense
Network Security Tools and Defense – An Overview
Jeff Huberty
Business Information Technology Solutions (BITS)
www.bits-solutions.com

Has Your System Been Compromised?

OUTLINE
• CSI/FBI Survey Results
• Security Goals
• Security Threats
• Internet and Network Tools Used
• What Can We Do? (best practices)
• Access Control Overview
• Phases of Attacks and Defenses
• Small Business and Home Practices

CSI/FBI Survey Results (06/2004)
The Computer Security Institute (CSI) held its ninth annual Computer Crime and Security Survey with the following results:
• Financial losses totaled $141.5 million (494 respondents); a significant decrease from the 530 respondents reporting $202 million last year.
• The most expensive computer crime was denial of service (DoS). Theft of intellectual property, the prior leading category, was the second most expensive last year.
• The vast majority of organizations in the survey do not outsource computer security activities.
The survey suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments.
"Men are from Mars, Women are from Venus. Computers are from Hell!"

Four Objectives of Computer Security
"A bus station is where a bus stops. A train station is where a train stops. On my desk I have a workstation..."

Security Goals
• Confidentiality: keeps information from being read by unauthorized people.
• Integrity: assures that information stored in a computer is never contaminated or changed in a way that is not appropriate.
• Availability: ensures that the data can be accessed by all authorized people.
"The nice thing about standards is that there are so many to choose from."
Security Goals
• Availability: addresses issues ranging from fault tolerance (to protect against denial of service) to access control (to ensure that data is available to those authorized to access it).
• Confidentiality: provides protection mechanisms for the data while it is stored and while it is transferred over networks between computers.
• Integrity: keeping data away from those who should not have it, and making sure that those who should have it can get it, are fairly basic ways to maintain the integrity of the data.
• NEW! Nonrepudiation: allows the formation of binding contracts without any paper being printed for written signatures (digital signatures).
"If it wasn't backed up, then it wasn't important." — The sysadmin's motto.

Security Threats
"The problem with computers is they do what you tell them."

Security Threats – SANS Top 20 (www.sans.org)
Top Vulnerabilities to Windows:
• Web Servers & Services
• Workstation Service
• Windows Remote Access Services
• Microsoft SQL Server (MSSQL)
• Windows Authentication
• Web Browsers
• File-Sharing Applications
• LSAS Exposures (OSPF)
• Mail Client
• Instant Messaging
Top Vulnerabilities to UNIX:
• BIND Domain Name System
• Web Server
• Authentication
• Version Control Systems
• Mail Transport Service
• Simple Network Management Protocol (SNMP)
• Open Secure Sockets Layer (SSL)
• Misconfiguration of Enterprise Services NIS/NFS
• Databases
• Kernel
"A computer's attention span is only as long as its power cord."

Tools Used for Attacking and Auditing Systems on the Net
• Port Scanners
• Windows Enumeration
• Web Hacking
• Password Cracking/Brute Force
• Backdoors and Remote Access
• Simple Source Auditing
• Combination Systems Auditing
• Port Redirection
• Sniffers
• Wireless Tools
• War Dialers
• TCP/IP Stack
"ASCII stupid question, get a stupid ANSI!"
Internet Tools
• Port Scanners (Nmap, SuperScan, IpEye, Fscan, WUPS, Udp_scan)
• Windows Enumeration (Winfingerprint, GetUserInfo, Enum, PsTools)
• Web Hacking
  • Vulnerability Scanners (Whisker, Nikto, Stealth, Twwwscan/Arirang)
  • All-Purpose (Curl, OpenSSL, Stunnel)
  • Application Inspection (Achilles, WebSleuth, Wget)
• Password Cracking/Brute-Force
  • PassFilt.dll and Windows Password Policies
  • PAM and UNIX Password Policies
  • OpenBSD login.conf
"ERROR: Computer possessed; Load EXOR.SYS ? [Y/N]"

Portscan Threat Example
Below is a capture of a malicious port scan. This is seen from the administrator's side of the field (TCPDUMP capture; the first line of the capture begins mid-packet):

535> (DF) [tos 0x10]
20:38:27.470402 66.90.95.X.22 > 66.252.X.2.61627: P 271600:271792(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
20:38:27.470426 66.90.95.X.22 > 66.252.X.2.61627: P 271792:271984(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
20:38:27.470437 66.252.X.2.61627 > 66.90.95.X.22: . ack 260016 win 50180 <nop,nop,timestamp 1498707535 880842155> (DF)

Here is the view from the attacker's side, using NMAP:

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-30 21:57 EST
Interesting ports on (66.252.X.2):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https

This shows us what services are running on this network. An attack could be staged on each or any of the services. A Denial of Service (DoS) attack would target open ports in an attempt to slow or halt the system's connections. An exploit attack would be directed at the flaws in the service running on that port, i.e. HTTP (web browsers) can be buffer-overrun with the right knowledge and software.
"The definition of a hacker? Someone who, after installing a new program, goes immediately into the [Tools][Options] menu."

What If MS Created NMap?

Web Server Exploit Attempt
The following is a real capture of an exploit attempt on 30-NOV-04. Httpd access log (the first field is the attacker's IP; the request line continues with the same repeated byte pair for many more lines of the log):

66.205.59.245 - - [30/Nov/2004:20:18:16 -0500] "SEARCH /\x90\x02\xb1\x02\xb1   <- Buffer Overflow attempt

Basically, this is a repeated string of text that is sent to a web server in an attempt to overflow the buffer. If this attack was successful (un-patched web server) it would drop them into a UNIX/TS shell prompt, and then they are in the system. Most UNIX web server administrators won't allow web servers to run as root; however, there are plenty out there that do. This attack filled about 8 megs of log space in a matter of 30 minutes. A simple solution is to stay patched and make sure you have the proper IDS/firewalling/filtering in place prior to rolling out a global web server.
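As an added example (not from the presentation), a small Python scanner that reads Apache-style access-log lines and flags requests like the one above, whose target is mostly escaped raw bytes rather than a resource name; the log lines and the thresholds are constructed here, not taken from the page.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"')

# An escaped non-printable byte as Apache writes it into the log, e.g. \x90
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample lines (not the page's capture): the second mimics the SEARCH
# request described above, with the repeated byte run shortened to 40 pairs.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2004:20:17:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [30/Nov/2004:20:18:16 -0500] "SEARCH /\\x90'
    + '\\x02\\xb1' * 40 + ' HTTP/1.1" 400 0',
    '192.0.2.11 - - [30/Nov/2004:20:19:30 -0500] "POST /login HTTP/1.1" 302 0',
]

def is_overflow_attempt(request, min_escaped=64, repeat_ratio=0.4):
    """True when the request target is dominated by escaped raw bytes.
    A legitimate URL path contains none, so dozens of them mean a binary payload;
    a NOP (\\x90) or one short byte pair repeated over and over is the pattern
    the page's capture shows. Thresholds are chosen here, not taken from the page."""
    parts = request.split(' ')
    target = parts[1] if len(parts) > 1 else request
    escaped = ESCAPED_BYTE.findall(target)
    if len(escaped) < min_escaped:
        return False
    top_byte, top_count = Counter(b.lower() for b in escaped).most_common(1)[0]
    return top_byte == '\\x90' or top_count / len(escaped) > repeat_ratio

def scan_log(lines):
    """Return (host, timestamp, method) for each line that looks like an overflow attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_overflow_attempt(m.group('request')):
            method = m.group('request').split(' ')[0]
            hits.append((m.group('host'), m.group('time'), method))
    return hits

if __name__ == '__main__':
    for host, when, method in scan_log(SAMPLE_LOG):
        print(f'{host} at {when}: {method} request looks like a buffer-overflow attempt')
```

Run over a real access log, the hits give the source address and time to hand to the firewall or IDS; the page's own advice (stay patched, filter in front of the server) is still the fix.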
"A computer program does what you tell it to do, not what you want it to do." (Greer's Third Law)

Internet Tools, cont'd
• Password Cracking/Brute Force Tools
  • John the Ripper
  • L0phtCrack
  • Grabbing Windows Password Hashes (Pwdump, Lsadump2, Winhash, Ddumper, XSCAN)
  • Active Brute-Force (SMBGrind, Nbaudit, John the ripper2x)
• Backdoors and Remote Access (VNC, Netbus, Back Orifice, SubSeven, Loki, stcpshell, Knark, AGOBOT, Phatbot, SDBOT)
• Simple Source Auditing (Flawfinder, RATS)
• Combination System Auditing (Nessus, STAT, Retina, Internet Scanner, Tripwire)
"Before software can be reusable it first has to be usable." — Ralph Johnson.

Network Tools
• Port Redirection (datapipe, Fpipe)
• Sniffers (BUTTSniffer, Tcpdump, Windump, Ethereal, Dsniff, Snort)
• Wireless (Netstumbler, AiroPeek)
• War Dialers (ToneLoc, THC-Scan)
• TCP/IP Stack (ISIC, Iptest, Nemesis)
"It's 5.50 a.m.... Do you know where your stack pointer is?"

What Can We Do?
Take steps to increase security awareness
• Education, training, periodic bulletins, etc. cultivate user acceptance of the security technologies that need to be deployed.
Policies need to be established and enforced
• Describe the responsibilities of individuals and groups in safeguarding organizational assets from loss or misuse.
IT infrastructure needs to be security-enabled
• IT and network administrators need to keep themselves informed about security vulnerabilities and fixes, including best-of-breed technologies and methodologies for coping with security threats.
On-going vigilance, in the form of vulnerability assessments, must be part of the operational routine
• Security should be seen as a work in progress and never a finished project. Hackers adapt; so should the organization.
Policies and Settings

Firewall Setting                                              Policy
No outside Web access.                                        Drop all outgoing packets to any IP, port 80.
Outside connections to Public Web Server Only.                Drop all incoming TCP SYN packets to any IP except 150.160.170.180, port 80.
Prevent Web-Radios from eating up the available bandwidth.
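The two policy rows above, worked as an added example (not the presentation's code): a stateless packet filter in Python that encodes both rules using the table's web-server address, plus two constructed packets showing what the rules as written do not cover.

```python
from dataclasses import dataclass

# Public Web server address from the policy table above (example address, not a real host).
PUBLIC_WEB_SERVER = '150.160.170.180'

@dataclass
class Packet:
    direction: str     # 'in' = arriving from the Internet, 'out' = leaving for it
    proto: str         # 'tcp' or 'udp'
    dst: str           # destination IP address
    dport: int         # destination port
    syn: bool = False  # TCP SYN, i.e. a new connection attempt

def rule_no_outside_web(pkt):
    """No outside Web access: drop all outgoing packets to any IP, port 80."""
    return 'drop' if pkt.direction == 'out' and pkt.dport == 80 else None

def rule_public_web_only(pkt):
    """Public Web server only: drop incoming TCP SYN to any IP except the server, port 80."""
    if pkt.direction == 'in' and pkt.proto == 'tcp' and pkt.syn:
        if not (pkt.dst == PUBLIC_WEB_SERVER and pkt.dport == 80):
            return 'drop'
    return None

RULES = [rule_no_outside_web, rule_public_web_only]
def decide(pkt, rules=RULES):
    """First rule with a verdict wins; a packet no rule drops is accepted,
    which is what the table's two drop-only rules imply (default accept)."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict:
            return verdict
    return 'accept'

# Constructed packets exercising each row of the table plus two edge cases.
SAMPLES = {
    'workstation browsing out': Packet('out', 'tcp', '203.0.113.9', 80, syn=True),
    'outside to web server':    Packet('in', 'tcp', PUBLIC_WEB_SERVER, 80, syn=True),
    'outside to ssh on server': Packet('in', 'tcp', PUBLIC_WEB_SERVER, 22, syn=True),
    'outside to other host':    Packet('in', 'tcp', '150.160.170.181', 80, syn=True),
    # Edge case 1: the rule names port 80 only, so HTTPS browsing still gets out.
    'workstation https out':    Packet('out', 'tcp', '203.0.113.9', 443, syn=True),
    # Edge case 2: a stateless SYN rule never sees non-SYN segments, so they pass.
    'inbound non-SYN to host':  Packet('in', 'tcp', '150.160.170.181', 22, syn=False),
}

def evaluate_samples():
    """Map each sample name to the firewall's verdict."""
    return {name: decide(pkt) for name, pkt in SAMPLES.items()}
```

The two edge cases are the practitioner's check on a policy written this way: the port-80 rule leaves 443 open, and a SYN-only rule needs a stateful filter (or matching rules for established traffic) to fully enforce "public Web server only".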