Security Testing Stanford CS155 Lecture

Network Security Testing
CS 155, Elie Bursztein

Why test security?
• Get a snapshot of the current security
• Evaluate the capacity to face intrusion
• Test the backup plan

[…]

Results
• Date / type
• Duration
• Auditor and analyst associated
• Test type
• Scope
• Test index
• Channel tested
• Test vector
• Verified tests and metrics calculations of the operational protection levels, loss controls, and security limitations
• Knowledge of which tests have been completed, not completed, or only partially completed, and to what extent
• Any issues regarding the test and the validity of the results
• Test error margins
• Any processes which influence the security limitations
• Any unknowns or anomalies

[…]

Security Test Type

[…]

Channel
• PHYSSEC: Human, Physical
• SPECSEC: Wireless communication
• COMSEC: Data networks, Telecommunication

OSSTMM Hacker Skill Level
• Tier 1
• Tier 2
• Tier 3

Network techniques toolbox
• Network scouting
• OS fingerprinting
• Vulnerability scanner
• Network trace analysis

Network scouting

Scouting toolbox
• Unix standard tools
• Nmap ("Network Mapper"): free and open source, the leading network scanner

Why is scouting important?
• Scouting is the first step
• You can't attack what you don't know

Scouting process overview
• Hosts, ports, services, vulnerabilities
• Topological mapping: DNS info, Ping, Traceroute, Firewalking

Whois
Domain Name: STANFORD.EDU
Registrant:
    Stanford University
    The Board of Trustees of the Leland Stanford Junior University
    241 Panama Street, Pine Hall, Room 115
    Stanford, CA 94305-4122
    UNITED STATES

Whois
Administrative Contact:
    Domain Admin
    Stanford University
    241 Panama Street, Pine Hall, Room 115
    Stanford, CA 94305-4122
    UNITED STATES
    (650) 723-4328
    [email protected]

Whois
Name Servers:
    ARGUS.STANFORD.EDU      171.64.7.115
    AVALLONE.STANFORD.EDU   171.64.7.88
    ATALANTE.STANFORD.EDU   171.64.7.61
    AERATHEA.STANFORD.EDU   152.3.104.250

Digging DNS records
• dig stanford.edu
• ;; ANSWER SECTION:
• stanford.edu.
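The whois and dig steps of the scouting process, carried one step further as an added example (this code is not from the lecture slides): it parses the name-server block of whois output and the resource records printed by dig, merges them into a host inventory, and checks every address against the engagement scope before anything is scanned. The whois block reuses the name servers shown on the slides; the dig output, the MX hosts and the scope network 171.64.0.0/14 are constructed for illustration and are not claimed to be real Stanford data. The scope check matters because the fourth name server sits in a different network from the other three, and a test authorisation for one organisation does not cover a host another organisation operates.

```python
"""Build a scouting inventory from whois and dig output and flag out-of-scope hosts.

Added example, not part of the CS155 slides. The dig records, the MX hosts and the
scope network are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Name-server block as printed by whois for STANFORD.EDU on the slides.
WHOIS_OUTPUT = """\
Name Servers:
    ARGUS.STANFORD.EDU      171.64.7.115
    AVALLONE.STANFORD.EDU   171.64.7.88
    ATALANTE.STANFORD.EDU   171.64.7.61
    AERATHEA.STANFORD.EDU   152.3.104.250
"""

# Constructed dig output (`dig stanford.edu ANY` style); record values are illustrative.
DIG_OUTPUT = """\
;; ANSWER SECTION:
stanford.edu.           3600    IN      A       171.67.215.200
stanford.edu.           3600    IN      NS      argus.stanford.edu.
stanford.edu.           3600    IN      NS      avallone.stanford.edu.
stanford.edu.           3600    IN      MX      10 mx1.stanford.edu.
stanford.edu.           3600    IN      MX      20 mx2.stanford.edu.

;; ADDITIONAL SECTION:
argus.stanford.edu.     3600    IN      A       171.64.7.115
mx1.stanford.edu.       3600    IN      A       171.67.219.25
"""

# Assumed engagement scope: the authorisation covers 171.64.0.0/14 only.
SCOPE = [ipaddress.ip_network("171.64.0.0/14")]

# "<hostname>  <IPv4>" lines inside the whois Name Servers block.
WHOIS_NS_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
# "<owner> <ttl> IN <type> <rdata>" resource-record lines printed by dig.
DIG_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|NS|MX|CNAME)\s+(.+?)\s*$", re.M)


def norm(name):
    """Canonical hostname: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_whois_nameservers(text):
    """Return {hostname: ip} from the whois 'Name Servers:' block."""
    return {norm(host): ip for host, ip in WHOIS_NS_RE.findall(text)}


def parse_dig(text):
    """Return (owner, rrtype, target) triples from dig output.

    For A/AAAA the target is an address; for NS/MX/CNAME it is the referenced
    hostname (MX rdata is "<preference> <host>", so the last token is kept).
    """
    records = []
    for owner, rrtype, rdata in DIG_RR_RE.findall(text):
        target = rdata.split()[-1]
        if rrtype not in ("A", "AAAA"):
            target = norm(target)
        records.append((norm(owner), rrtype, target))
    return records


def build_inventory(whois_text, dig_text):
    """Merge whois and dig data into {hostname: set(ip)}.

    Hosts referenced by NS/MX/CNAME records that have no address in the output
    map to an empty set, i.e. they still need to be resolved.
    """
    hosts = defaultdict(set)
    for host, ip in parse_whois_nameservers(whois_text).items():
        hosts[host].add(ip)
    for owner, rrtype, target in parse_dig(dig_text):
        hosts.setdefault(owner, set())
        if rrtype in ("A", "AAAA"):
            hosts[owner].add(target)
        else:
            hosts.setdefault(target, set())
    return dict(hosts)


def classify_scope(inventory, scope=SCOPE):
    """Split the inventory into in-scope hosts, out-of-scope hosts and unresolved names."""
    in_scope, out_of_scope, unresolved = {}, {}, []
    for host, ips in sorted(inventory.items()):
        if not ips:
            unresolved.append(host)
            continue
        for ip in sorted(ips, key=ipaddress.ip_address):
            addr = ipaddress.ip_address(ip)
            bucket = in_scope if any(addr in net for net in scope) else out_of_scope
            bucket.setdefault(host, []).append(ip)
    return in_scope, out_of_scope, unresolved


if __name__ == "__main__":
    inventory = build_inventory(WHOIS_OUTPUT, DIG_OUTPUT)
    ok, bad, todo = classify_scope(inventory)
    print("in scope (safe to scan):", ok)
    print("OUT OF SCOPE (do not scan):", bad)
    print("unresolved, resolve before scanning:", todo)
```

Only the in-scope bucket should be handed to the next steps (ping sweep, traceroute, port scan); the out-of-scope bucket is reported to the client rather than touched, and the unresolved names go back through dig before the inventory is final.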

Details: PDF, 98 pages, English.
