final presentation

Transcript final presentation

Network Security of Labnet
****** ******
Introduction
• Test the network security of the servers on
our Labnet domain
• Find Potential Weaknesses
• Find Security Flaws
• Software
– Nmap
– SAINT
Overview: Step 1
• Determine the best NMAP method for
scanning
• Run a port scan on one machine using all
scanning methods
• Select the method that returns the best
results
Nmap Scan Types
Scan Type: Description
TCP SYN: Send a SYN packet to each port and wait for the reply. A SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered. The handshake is never completed, so most applications never log the connection.
TCP connect: Open a full connection to each port with the operating system's connect() call (complete three-way handshake). Needs no raw-socket privileges, but every connection appears in the target's logs.
FIN: Send a FIN packet and wait for a RST, which means the port is closed. No reply means open or filtered.
XMAS: Send a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed. No reply means open or filtered.
NULL: Send a packet with no TCP flags set at all and wait for a RST, which means the port is closed. No reply means open or filtered.
UDP: Send an empty UDP datagram to each port and wait for an ICMP port unreachable message, which means the port is closed. No reply means open or filtered.
IP Protocol: Send raw IP packets, one per protocol number, with no transport-layer header and wait for an ICMP protocol unreachable message, which means the protocol is not supported on the host.
Idle scan: Uses a third-party "zombie" host with a predictable IP ID counter as a side channel to carry out a TCP port scan, so the target only ever sees the zombie's address, not the scanner's.
ACK Scan: Send an ACK packet to the port and wait for a RST packet. A RST means the port is unfiltered, no reply means it is filtered; this maps firewall rules rather than open ports.
RPC scan: Sends SunRPC NULL procedure calls to every open TCP and UDP port to determine whether it is an RPC service, and if so which program and version.
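The table says what each probe waits for; the following added example (not code from the presentation, and not Nmap's own code) models how each probe type turns the target's reply into the state Nmap reports. It also makes one point visible that matters when comparing scan methods later: a SYN scan separates open ports from silently firewalled ones, while FIN/NULL/XMAS and UDP scans can only report "open|filtered" for both. The reply labels, the target model and the sample port sets are constructed assumptions, not captured traffic.

```python
"""Port-state inference for the Nmap scan types in the table above.

Added illustration, not from the presentation and not Nmap's code. The reply
labels and the sample target below are constructed assumptions.
"""
from collections import Counter

# Possible replies to a single probe (constructed labels, not Nmap terms).
SYN_ACK = "syn/ack"
RST = "rst"
ICMP_PORT_UNREACH = "icmp 3/3"       # destination unreachable, port unreachable
ICMP_ADMIN_UNREACH = "icmp 3/13"     # administratively prohibited (a filter speaking up)
UDP_DATA = "udp payload"
NO_REPLY = "none"

STEALTH = ("fin", "null", "xmas")    # probes that rely on RFC 793 closed-port behaviour


def port_state(scan, reply):
    """Return the state Nmap would report for one port, given the reply to one probe."""
    if scan in ("syn", "connect"):
        # SYN/ACK means a listener, RST means nothing listening; silence or an
        # ICMP error means something in the path dropped or rejected the probe.
        return {SYN_ACK: "open", RST: "closed"}.get(reply, "filtered")
    if scan in STEALTH:
        # RFC 793: a closed port answers an unexpected FIN/NULL/XMAS with RST, an
        # open port ignores it. A firewall that drops the probe also produces
        # silence, so open and filtered cannot be told apart.
        if reply == RST:
            return "closed"
        if reply == ICMP_ADMIN_UNREACH:
            return "filtered"
        return "open|filtered"
    if scan == "udp":
        if reply == ICMP_PORT_UNREACH:
            return "closed"
        if reply == UDP_DATA:
            return "open"
        if reply == ICMP_ADMIN_UNREACH:
            return "filtered"
        return "open|filtered"       # most UDP services ignore an empty datagram
    if scan == "ack":
        # ACK probes never say open/closed: a RST proves the packet reached the
        # host (unfiltered), silence means a stateful filter dropped it.
        return "unfiltered" if reply == RST else "filtered"
    raise ValueError(f"unsupported scan type: {scan}")


def target_reply(scan, port, open_ports, dropped_ports, rst_to_everything=False):
    """Constructed target model: an RFC 793 stack behind a firewall that silently
    drops probes to `dropped_ports`. `rst_to_everything` mimics stacks (Windows,
    Cisco IOS, ...) that answer any FIN/NULL/XMAS probe with RST, open or not."""
    if port in dropped_ports:
        return NO_REPLY
    if scan in ("syn", "connect"):
        return SYN_ACK if port in open_ports else RST
    if scan in STEALTH:
        if rst_to_everything:
            return RST
        return NO_REPLY if port in open_ports else RST
    if scan == "udp":
        return NO_REPLY if port in open_ports else ICMP_PORT_UNREACH
    if scan == "ack":
        return RST
    raise ValueError(f"unsupported scan type: {scan}")


def scan_host(scan, ports, open_ports, dropped_ports, rst_to_everything=False):
    """Probe every port once and return {port: state}."""
    return {
        p: port_state(scan, target_reply(scan, p, open_ports, dropped_ports, rst_to_everything))
        for p in ports
    }


def state_counts(results):
    """Summarise a scan result as {state: number_of_ports}."""
    return dict(Counter(results.values()))


# Constructed sample target: six listeners (the services the slides found most
# often) and a firewall dropping everything sent to nine other ports.
SAMPLE_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 443, 515, 587,
                1020, 1021, 1022, 1023, 2049, 8080]
SAMPLE_OPEN = {21, 22, 25, 53, 80, 111}
SAMPLE_DROPPED = {443, 515, 587, 1020, 1021, 1022, 1023, 2049, 8080}

if __name__ == "__main__":
    for scan in ("syn", "null", "udp", "ack"):
        print(scan, state_counts(scan_host(scan, SAMPLE_PORTS, SAMPLE_OPEN, SAMPLE_DROPPED)))
    print("null against an RST-to-everything stack:",
          state_counts(scan_host("null", SAMPLE_PORTS, SAMPLE_OPEN, SAMPLE_DROPPED, True)))
```

Against the sample target the SYN scan reports 6 open, 9 filtered and 2 closed ports, while the NULL scan reports 15 open|filtered and 2 closed: the same host, but the stealth scan lumps listeners and firewalled ports together. Against a stack that sends RST to everything, the NULL scan reports every reachable port closed, which is why Nmap's own documentation says FIN/NULL/XMAS results need a SYN or connect scan to confirm them.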
Overview: Step 2
• Identify the most interesting ports
• Scanning every port on every machine will
take too much time.
– 65k ports
– Slow network connection (10baseT)
• Use the best scanning method to scan all
ports on one machine.
Overview: Step 3
• Scan each server using the best scanning
method and most interesting ports
• Analyze and compile the data
– Find a typical server with typical open
connections
– Find major security holes in some servers
Final Step
• Run SAINT on a typical server.
• Identify Vulnerabilities
• Suggest a fix for the vulnerabilities
Scanning Method Results
• RPC scan locked up the target machine
– Due to RPC request flood
• The SYN, TCP connect, and RPC scan
returned the same 6 results.
• The FIN, NULL, and XMAS scans returned
the same 15 results.
• Arbitrarily selected the NULL scan
• Need to run a TCP and UDP scan.
Best ports
• Ran a full port scan on another machine
– Took too long to complete
• The results of the NULL scan returned many
hundreds of ports with a status of filtered.
• Settled on a range of 0-2450 plus a select group
of other interesting ports for the NULL scan
• Settled on a range of 1-3200 plus a select group
of other interesting ports for the UDP scan.
Results of Network Scan
• 25 hosts out of 27 up at the time the test was
performed
• All UDP ports filtered:
– 10.10.0.1, 10.10.1.1, 10.10.16.1, 10.10.17.1,
10.10.20.1, 10.10.23.1, and 10.10.26.1.
• All UDP ports left open on 10.10.13.1
• Most common TCP and UDP ports
Most common open TCP and UDP ports
Port   Service
21     FTP
22     SSH
25     SMTP
53     Domain (DNS)
80     HTTP
111    Sun RPC (portmapper)
515    Printer (LPD)
587    Submission
1020   Unknown
1021   Unknown
1022   Unknown
1023   Unknown
2049   NFS
8080   HTTP-proxy
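The "analyze and compile the data" step in Step 3 is what turns per-host scan output into the table above. As an added example (not part of the presentation, and not an Nmap tool), here is a parser for Nmap's grepable output format (-oG), which puts each host on one line, together with the two compilations the slides perform: ranking ports by how many hosts expose them, and picking out hosts whose UDP scan came back entirely unanswered. SAMPLE_GREPABLE is a constructed file that reuses the 10.10.x.1 addressing of the slides; the port sets in it are illustrative, not the real Labnet data.

```python
"""Compile per-host Nmap results into a 'most common open ports' picture.

Added example, not from the presentation. Parses Nmap's grepable (-oG) output.
SAMPLE_GREPABLE is constructed; its addresses follow the slides, its ports do not.
"""
import re
from collections import Counter, defaultdict

SAMPLE_GREPABLE = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 10.10.0.1 ()\tStatus: Up\n"
    "Host: 10.10.0.1 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "53/open/tcp//domain///, 111/open/tcp//rpcbind///\tIgnored State: closed (2447)\n"
    "Host: 10.10.1.1 ()\tStatus: Up\n"
    "Host: 10.10.1.1 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 2049/open/tcp//nfs///, 53/open|filtered/udp//domain///"
    "\tIgnored State: closed (2446)\n"
    "Host: 10.10.13.1 ()\tStatus: Up\n"
    "Host: 10.10.13.1 ()\tPorts: 22/open/tcp//ssh///, 53/open|filtered/udp//domain///, "
    "111/open|filtered/udp//rpcbind///, 2049/open|filtered/udp//nfs///"
    "\tIgnored State: open|filtered (3197)\n"
    "Host: 10.10.16.1 ()\tStatus: Down\n"
)

# One port entry in -oG output: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/,\s]+)/(tcp|udp)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)")
IGNORED_RE = re.compile(r"Ignored State:\s+(\S+)\s+\((\d+)\)")


def parse_grepable(text):
    """Return {address: {"up": bool,
                         "ports": [(port, state, proto, service), ...],
                         "ignored": (state, count) or None}}."""
    hosts = defaultdict(lambda: {"up": False, "ports": [], "ignored": None})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                        # comment and blank lines
        rec = hosts[m.group(1)]
        if "Status: Up" in line:
            rec["up"] = True
        if "\tPorts:" in line:
            rec["up"] = True                # only live hosts get a Ports: line
            ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
            for pm in PORT_RE.finditer(ports_field):
                rec["ports"].append((int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4)))
            im = IGNORED_RE.search(line)
            if im:
                rec["ignored"] = (im.group(1), int(im.group(2)))
    return dict(hosts)


def hosts_up(hosts):
    """Addresses that answered the host-discovery probes."""
    return sorted(a for a, r in hosts.items() if r["up"])


def most_common_open(hosts, n=10):
    """(port, proto) pairs ranked by how many hosts report them open or open|filtered."""
    counts = Counter()
    for rec in hosts.values():
        for port, state, proto, _service in rec["ports"]:
            if state.startswith("open"):
                counts[(port, proto)] += 1
    return counts.most_common(n)


def udp_unanswered(hosts):
    """Hosts whose UDP scan reached no conclusion: the majority ('ignored') state
    is open|filtered, meaning no ICMP port-unreachable came back for most ports.
    Nmap cannot tell a firewall silently dropping probes from services ignoring an
    empty datagram, so each such host needs a follow-up (rpcinfo -p, a DNS query,
    a service-specific payload) before its UDP ports are called open or filtered."""
    return sorted(a for a, r in hosts.items()
                  if r["ignored"] and r["ignored"][0] == "open|filtered")


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GREPABLE)
    print("up:", hosts_up(hosts))
    for (port, proto), n in most_common_open(hosts):
        print(f"{port}/{proto}: open on {n} host(s)")
    print("UDP scan unanswered:", udp_unanswered(hosts))
```

Run against real output, `nmap -sN -sU -p <ports> -oG labnet.gnmap 10.10.0.0/16` followed by `parse_grepable(open("labnet.gnmap").read())` gives the same three views the slides built by hand.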
SAINT Results
• Critical Problems
– Exports /usr/home to everyone
– Buffer Overflow in BIND 8.3.3
– Vulnerable Sendmail Version 8.12.6
• Areas of Concern
– DNS Spoofing Vulnerability.
– Web servers allow cross-site tracing.
• For the sake of length, I will not discuss the
problems or the potential problems in detail.
Conclusion
• The vulnerabilities reported by SAINT did
not directly relate to the data collected by
nmap
• Provided good insight into other problems
related to our network servers
• Solution:
– Remove or restrict the global export of /usr/home
– Install the newest versions of BIND and Sendmail
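The first fix above, restricting the /usr/home export, is a one-line change to the NFS exports file, and it is easy to get wrong (a stray space before the options exports to the world read-only). As an added example, not code from the presentation or from SAINT, here is a small checker that parses an exports file and flags world exports and unsquashed root on wildcard clients, with the weak line and its corrected form embedded as constructed samples. It assumes the Linux nfs-utils exports(5) syntax, `/path client(options) ...`; the slides do not name the server OS, and the BSD exports format is different.

```python
"""Check an /etc/exports file for the 'exported to everyone' problem SAINT reported.

Added example, not from the presentation or SAINT. Assumes Linux nfs-utils
exports(5) syntax. WEAK_EXPORTS and FIXED_EXPORTS are constructed samples.
"""
import re

# A client token is a host, network, netgroup or wildcard, followed by optional (options).
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, [option, ...]), ...]), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, tokens = parts[0], parts[1:]
        clients = []
        for tok in tokens:
            m = CLIENT_RE.match(tok)
            if not m:
                raise ValueError(f"unparseable client spec {tok!r} for {path}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((m.group(1), opts))
        entries.append((path, clients))
    return entries


def export_findings(entries):
    """Findings as (path, message): world-reachable exports and unsquashed root
    on wildcard clients are the conditions worth fixing."""
    findings = []
    for path, clients in entries:
        if not clients:
            findings.append((path, "no client list: nfs-utils exports this to every host"))
        for client, opts in clients:
            # A bare '(options)' token means client '' and, like '*', matches any host.
            world = client in ("", "*")
            if world:
                mode = "rw" if "rw" in opts else "ro"
                findings.append((path, f"exported {mode} to every host"))
            if "no_root_squash" in opts and (world or client.startswith("*")):
                findings.append((path, "remote root keeps root (no_root_squash) on a wildcard export"))
    return findings


# Constructed: the shape of line behind SAINT's "exports /usr/home to everyone".
WEAK_EXPORTS = """
/usr/home   *(rw,no_root_squash)
/usr/local  (ro)
/var/www    10.10.0.0/16(ro,sync)
"""

# Constructed fix: only an assumed lab workstation subnet, with root squashed.
FIXED_EXPORTS = """
/usr/home   10.10.20.0/24(rw,sync,root_squash)
/var/www    10.10.0.0/16(ro,sync)
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORTS), ("fixed", FIXED_EXPORTS)):
        print(name, export_findings(parse_exports(text)))
```

After editing the real file, `exportfs -ra` reloads it and `showmount -e <server>` from a host outside the allowed subnet should no longer list /usr/home.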
Conclusion
• Port scanning shows the potential access points
for vulnerabilities
• Each open port has a specific piece of software
running as a server for that port
• A vulnerability in that software provides a hole for
intruders to access your system
• Port scanning is a powerful tool for determining
the security of a system or network
• It should only be used on systems and networks
that you administer or have written authorization to
test; otherwise it is seen as a malicious attack.