Security Monitoring

Security Training
Daniel Kouril, Ivo Nutar
Masaryk University
Bordeaux, November 2016
Agenda
Brief technical introduction
Capture-the-Flag Game
Preparation
A current browser is needed
- Chrome or Firefox, current version
Attack & Incentives
Getting (unauthorized) access to data
- Cyber espionage, money stealing
Disruption of services
- Blackmailing, demonstration of capabilities
Modification of data
- Damaging reputation
Misuse of resources
- Botnets
Typical attackers' steps
1. Get familiar with the environment
2. Select a target
3. Find a vulnerability
4. Find a way to exploit the vulnerability
5. Make the target useful to the attacker
Network examination
Getting information about
- Network topology
- Exposed services
- Purpose of servers
- Types of users, typical usage, …
May take some time, may be quite visible
- Network monitoring can detect scans, …
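The last point, that monitoring can detect the examination phase, is worth seeing in code. The following is an added example, not part of the original training material: it parses netfilter (iptables LOG target) lines for dropped inbound SYNs and flags two scan shapes, one source touching many ports on one host (vertical scan) and one source touching the same port on many hosts (horizontal sweep). The log lines, the gateway name "gw", the RFC 5737 addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed netfilter (iptables LOG target) lines for dropped inbound SYNs.
# Addresses come from the documentation ranges (RFC 5737); this is not real traffic.
def _log_line(ts, src, dst, dpt, spt=40000):
    return (f"{ts} gw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TOS=0x00 "
            f"PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")

SAMPLE_LOG = (
    # 203.0.113.5 probes ten ports on one host: a vertical scan
    [_log_line(f"Nov 14 09:00:{i:02d}", "203.0.113.5", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    # 198.51.100.9 probes port 22 on six hosts: a horizontal sweep
    + [_log_line(f"Nov 14 09:05:{i:02d}", "198.51.100.9", f"192.0.2.{10 + i}", 22)
       for i in range(6)]
    # a single dropped SYN, as happens all day on any gateway; must not alert
    + [_log_line("Nov 14 09:10:00", "198.51.100.20", "192.0.2.10", 443)]
)

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse(line):
    """Extract source, destination, protocol and destination port from one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}

def detect_scans(lines, port_threshold=8, host_threshold=5):
    """Flag sources that touch many ports on one host (vertical scan)
    or one port on many hosts (horizontal sweep). Thresholds are arbitrary demo values."""
    ports_per_target = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_per_port = defaultdict(set)     # (src, dpt) -> distinct destination hosts
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ports_per_target[(ev["src"], ev["dst"])].add(ev["dpt"])
        hosts_per_port[(ev["src"], ev["dpt"])].add(ev["dst"])

    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "vertical", "src": src, "target": dst, "count": len(ports)})
    for (src, dpt), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "horizontal", "src": src, "target": dpt, "count": len(hosts)})
    return alerts

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['type']:10s} scan from {a['src']} -> {a['target']} ({a['count']} distinct)")
```

The detector counts distinct targets rather than raw packets, so a retransmitting client does not trip it. It has no time window, which is deliberate for the demo but also its weakness: an attacker who takes the "some time" the slide mentions and spreads the probes over days stays under any per-window threshold, so a production detector keeps long-lived per-source state.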
Vulnerabilities
Different types of weaknesses
- Programming error
- Design flaw
- Misconfiguration
- Personal/social aspects
Known vs. zero-day
CVE – catalogue of publicly known vulnerabilities
- CVE-YYYY-NNNN unique identifier (year, then four or more digits)
Finding vulnerabilities
Collect information about the target
- Operating system, applications
- Exposed services, their versions
- Third-party modules
Estimate weaknesses
- Known vulnerabilities
- Often black-box-style analysis
Manual vs. automated probing
Scanners for particular services
Web vulnerabilities
- nikto
SQL databases
- sqlmap
Web CMS scanners
- WordPress, Joomla, Drupal
A lot of others (open-source, commercial, …)
Exploiting vulnerabilities
Determine the version, software, …, estimate the vulnerability and select/craft the exploit
Public databases of exploits
- https://www.exploit-db.com/
Exploit + payload (the exploit gets code onto the target, the payload is the code that then runs there)
Some exploits may crash the target
Manual vs. automated
Forensic implications (crashes and failed attempts leave traces in logs)
Metasploit Framework
Framework for developing and using exploits
- Library of exploit modules
Text-based console (msfconsole), controlled by commands
- show exploits – list of exploits
- search – look up exploits
- use <exploit> – activate a particular exploit
- show options – display variables to set
- set RHOST <IP> (RHOSTS for modules that take a target range)
- show payloads – list payloads compatible with the exploit, i.e. what will be injected
- exploit – trigger the exploitation process
Spreading activities
Often hop-by-hop
- Patterns from EGI attacks
Facilitated by weak password management, shared accounts, credentials, …
Mere knowledge of a username is already an advantage
Attack against passwords
Hashed passwords
- Internet-assisted cracking (online hash lookup), rainbow tables
- Brute-force/dictionary attacks, John the Ripper
Authentication attacks
- Repeated authentication attempts (online guessing)
- Common attacks targeting SSH, SMTP, RDP, …
- Password dictionary
- medusa
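To make the "hashed passwords" half of this slide concrete, here is an added example (not part of the training material) of a dictionary attack against a constructed user database. It shows why unsalted hashes fall to a single precomputed table (the principle behind rainbow tables and online lookup services), why a per-user salt forces the attacker to redo the wordlist for every account, and why only a deliberately slow hash such as PBKDF2 makes each of those guesses expensive. The wordlist, the user names and the passwords are invented; the iteration count is a demo value, far below what a real deployment would use.

```python
import hashlib
import os

# Constructed wordlist and user database; not real credentials.
WORDLIST = ["123456", "password", "letmein", "summer2016", "masaryk", "bordeaux"]
USER_PASSWORDS = {"sveng": "letmein", "alice": "summer2016", "bob": "Tr0ub4dor&3xyz"}  # bob's is not in the list

def fast_hash(salt: bytes, password: str) -> str:
    """Plain salted SHA-256: cheap to verify, and exactly as cheap to guess."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def slow_hash(salt: bytes, password: str, iterations: int = 20_000) -> str:
    """PBKDF2-HMAC-SHA256: same salting, but each guess now costs `iterations` HMAC operations.
    20_000 is a demo value; real deployments use far more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def unsalted_db(users):
    """What a naive application stores: sha256(password) with nothing else."""
    return {u: hashlib.sha256(pw.encode()).hexdigest() for u, pw in users.items()}

def salted_db(users, hash_fn):
    """Store one random salt per user next to the digest as '<salt hex>$<digest>'."""
    out = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        out[u] = salt.hex() + "$" + hash_fn(salt, pw)
    return out

def crack_unsalted(db, wordlist):
    """One lookup table, built once, cracks every unsalted hash at once.
    Returns (cracked, hash_ops); hash_ops does not grow with the number of users."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table.get(h) for u, h in db.items()}, len(wordlist)

def crack_salted(db, wordlist, hash_fn):
    """With per-user salts nothing can be precomputed: the wordlist is re-hashed for
    every user, and hash_fn decides how expensive each of those guesses is."""
    cracked, ops = {}, 0
    for u, stored in db.items():
        salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        cracked[u] = None
        for w in wordlist:
            ops += 1
            if hash_fn(salt, w) == digest:
                cracked[u] = w
                break
    return cracked, ops

if __name__ == "__main__":
    import time
    print("unsalted:", crack_unsalted(unsalted_db(USER_PASSWORDS), WORDLIST))
    for name, fn in (("salted sha256", fast_hash), ("salted pbkdf2", slow_hash)):
        t0 = time.perf_counter()
        result = crack_salted(salted_db(USER_PASSWORDS, fn), WORDLIST, fn)
        print(f"{name}: {result} in {time.perf_counter() - t0:.3f}s")
```

Both salted runs need the same number of guesses; what changes between them is the cost of each guess, which is the only lever the defender has once the hashes have leaked. Either way a password that is in the attacker's wordlist is found, which is the point the slide makes about weak password management.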
Useful tools
Pre-cooked components
- Malware composers
- "Shells"
Specialized Linux distributions
- Kali
Hands-on exercise
You're an attacker probing a victim network
You will exercise the techniques described earlier
The goal is to demonstrate how the tools can be used
Backup slides
(d)DoS example
Overloading the service and/or network with ordinary requests
Reflected attacks
- Hiding the origin
- IP address spoofing
Amplification
- Some protocols return significantly longer responses than requests
- NTP, SNMP, DNS
SQL injection
Insufficient sanitization of user input
Consider an application managing users
"SELECT * FROM users WHERE name = '" + userName + "';"
userName == "sveng" yields:
SELECT * FROM users WHERE name = 'sveng';
userName == "' OR 1=1 -- " yields:
SELECT * FROM users WHERE name = '' OR 1=1 -- ';
The injected quote closes the string literal, OR 1=1 makes the condition always true, and the comment swallows the application's closing quote
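The slide's concatenated query, run against a real (in-memory SQLite) database, next to the parameterized form that fixes it. This is an added example, not code from the training material: the user table, the e-mail addresses and the function names are constructed for the demonstration, and the lookup returns rows instead of the slide's SELECT *.

```python
import sqlite3

# Constructed user table; the names are placeholders, not real accounts.
USERS = [("sveng", "sveng@example.org"), ("alice", "alice@example.org"), ("bob", "bob@example.org")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, user_name):
    """The slide's pattern: the query is built by string concatenation, so a quote in
    user_name ends the literal and everything after it is parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = '" + user_name + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, user_name):
    """Fix: the SQL text is fixed and the value travels separately as a bound parameter,
    so whatever user_name contains is compared as data and never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (user_name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 -- "   # the slide's injection: closes the literal, OR 1=1, comment eats the rest
    print("vulnerable, normal input :", lookup_vulnerable(conn, "sveng"))
    print("vulnerable, injected     :", lookup_vulnerable(conn, payload))
    print("parameterized, injected  :", lookup_parameterized(conn, payload))
```

With the payload the vulnerable function returns the whole table; the parameterized one returns nothing because no user is literally named `' OR 1=1 -- `. Escaping quotes by hand is not an equivalent fix: it has to be right for every database dialect and every code path, whereas a bound parameter cannot be parsed as SQL at all.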