Transcript Document

Open-Source Network Security Tools
Scanning/Securing/Exploiting, oh my.
SCIENCE APPLICATIONS INTERNATIONAL CORPORATION
Disclaimer
• The opinions expressed in this talk are just mine, and not the opinions of SAIC, nor ESS.
• I have nothing against vendors; some of my best friends are vendors.
• I was asked to do a talk on Open Source Network Security Tools, and not on commercial tools, to avoid any vendor bias.
• They made me do it.
• I once saw a ghost cow in the road, honest.
Beyond Network Security…. We Build Peace of Mind
2
Agenda
• What is Open Source?
• Why should I care?
• Why no commercial tools?
• What tools are available?
• What do they do?
• Where can I get them?
• Q&A
What's Open Source?
From opensource.org
Open source doesn't just mean access to the source
code. The distribution terms of open-source software
must comply with the following criteria:
1. Free Redistribution
2. Source Code included/available
3. Derived Works allowed
4. Integrity of The Author's Source Code (patches/forks)
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License (no NDA)
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral
Why does it matter?
• Cost
  • Open source has no license fee: zero acquisition cost (the time to deploy and learn it is not free).
• Security
  • The source code is available for your review.
  • Many eyes look at the code, so many bugs get found, but only if someone actually reads it.
  • Patch often: fixes ship quickly, and applying them is up to you.
• Support
  • Free: web sites, mailing lists, SIGs
  • $$$: commercial support sites, OS vendors, ...
What about freeware / shareware / trialware etc.?
"Freeware" should not be confused with "free software" (roughly, software with unrestricted redistribution) or "shareware" (software distributed without charge for which users can pay voluntarily).
"Shareware": software that, like freeware, can usually be obtained (downloaded) and redistributed for free, but is most often under copyright and does legally require a payment under the EULA, at least beyond the evaluation period or for commercial use.
Why not use commercial products?
• How much money do you have?
• Does the license let you use these tools at home?
  • At your sibling's/nephew's/parent's house?
• Commercial tools typically have higher resource needs.
• But they have much better support.
• Better documentation.
• Nice shiny packaging.
Enough license talk, where's the goods?
• Categories of tools:
  • Scanning – To find hosts/targets/details
  • Assessing – To gauge security and establish a baseline
  • Securing – To protect the host
  • Exploiting – To pants (compromise) the host
  • Deception – To deceive the attacker
  • Detection – To detect the attacker
Scanning (The Basics)
Nmap – Network Mapper
• http://insecure.org
• OS detection
• Application (service/version) detection
• High-speed TCP/UDP scans
• IPv4 & IPv6
• Supports Unix / Linux / BSD / Mac OS X, and Windows
  • Even works with Windows XP SP2!
• Extremely configurable and could be a talk by itself...
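Nmap's grepable output (-oG) is the format people scripted against in this era, and the scanning/assessing split in this talk is exactly that pipeline: scan first, then hand the live web servers to Nikto. The following parser is an added example written for this page, not code from the talk or from the Nmap project; the scan text it parses is constructed (the hosts, versions and OS guesses are made up), and the Nikto command line it emits just mirrors the invocation shown later in the talk.

```python
"""Parse Nmap grepable (-oG) output and pick targets for follow-up tools.

Grepable host lines are tab-separated "Key: value" fields; the Ports field holds
comma-separated entries of the form port/state/proto/owner/service/rpc/version/.
Nmap writes '|' instead of '/' inside version strings so the slash layout stays parseable.
"""
import re

# Constructed sample of `nmap -sV -O -oG - 192.168.42.0/24` output; not real scan data.
SAMPLE_OG = (
    "# Nmap 3.50 scan initiated Sat Apr 10 12:00:00 2004 as: nmap -sV -O -oG - 192.168.42.0/24\n"
    "Host: 192.168.42.27 (www.victim.com)\tStatus: Up\n"
    "Host: 192.168.42.27 (www.victim.com)\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 (protocol 2.0)/, "
    "80/open/tcp//http//WebSTAR 4.2/, 443/open/tcp//https?///\tIgnored State: closed (997)\tOS: Linux 2.4.X\n"
    "Host: 192.168.42.30 ()\tStatus: Up\n"
    "Host: 192.168.42.30 ()\tPorts: 80/open/tcp//http//Apache httpd 2.0.48/, 139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 2000\n"
    "Host: 192.168.42.31 ()\tStatus: Down\n"
    "# Nmap run completed at Sat Apr 10 12:03:11 2004 -- 256 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "os", "ports": [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blank lines
        fields = line.split("\t")         # tab-separated "Key: value" fields
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, {"hostname": name, "status": None, "os": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "OS":
                host["os"] = value
            elif key == "Ports":
                for pm in PORT_RE.finditer(value):
                    port, state, proto, _owner, service, _rpc, version = pm.groups()
                    host["ports"].append({"port": int(port), "state": state, "proto": proto,
                                          "service": service, "version": version})
    return hosts


def hosts_with_service(hosts, service_prefix, state="open"):
    """(ip, port) pairs whose service name starts with service_prefix and is in the given state."""
    hits = []
    for ip in sorted(hosts, key=lambda a: tuple(int(x) for x in a.split("."))):
        for p in hosts[ip]["ports"]:
            if p["state"] == state and p["service"].startswith(service_prefix):
                hits.append((ip, p["port"]))
    return hits


def nikto_commands(hosts):
    """Feed every web server Nmap found to Nikto, in the invocation style used in the talk."""
    return ["nikto.pl -host %s -port %d -output nikto%d_%s.txt" % (ip, port, port, ip)
            for ip, port in hosts_with_service(hosts, "http")]


if __name__ == "__main__":
    for cmd in nikto_commands(parse_grepable(SAMPLE_OG)):
        print(cmd)
```

Filtering on state matters: the filtered netbios-ssn port above is not a target, and a scanner that treats every listed port as open wastes time and produces false findings. For anything more than a quick script, Nmap's XML output (-oX) is the more robust format to parse.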
Scanning for Wireless
dstumbler
• http://www.dachb0den.com/projects/dstumbler.html
• AP/SSID detection
• Detection of
  • WEP-enabled networks
  • beacon interval for APs
  • maximum supported rate
• Can crack WEP keys.
Scanning (Advanced)
Paketto Keiretsu 1.10
• http://www.doxpara.com/paketto/
• Scanrand, an unusually fast network service and topology discovery system
• Minewt, a user-space NAT/MAT router
• Linkcat, which presents an Ethernet link to stdio
• Paratrace, which traces network paths without spawning new connections
• Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three-dimensional phase space
Assessing Web Sites
Nikto
• http://www.cirt.net/code/nikto.shtml
• Web/CGI scanner
• Finds vulnerable CGIs and dangerous server configuration
• Can do IDS evasion
• Has over 2,600 checks.
$ nikto.pl -host 192.168.42.27 -verbose -web -output \
> nikto80_192.168.42.27.html.raw
Nikto's output provides notes on why a finding may be a security risk:
Target IP: 192.168.42.27
Target Hostname: www.victim.com
Target Port: 80
-------------------------------------------------------------------
o Scan is dependent on "Server" string which can be faked, use -g to override
o Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c
o Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
o Server allows PUT method, may be able to store files.
o CONNECT method is enabled, server may act as a proxy or relay.
o Server allows DELETE method, may be able to remove files.
o Server allows PROPFIND or PROPPATCH methods, which indicates DAV/WebDAV is installed. Both allow remote admin and have had security problems.
o WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c appears to be outdated (current is at least mod_ssl/2.8.7) (may depend on server version)
o /public/ Redirects to 'http://www.foundstone.com/public', this might be interesting...
o robots.txt - This file tells web spiders where they can and cannot go (if they follow RFCs). You may find interesting directories listed here. (GET)
o cgi-bin/htsearch?-c/nonexistant - The ht://Dig install may let an attacker force ht://Dig to read arbitrary config files for itself. (GET)
885 items checked on remote host
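The "Allowed HTTP Methods" block in that output is the finding most worth understanding: the scanner sends an OPTIONS request, reads the Allow header, and flags the methods that let a client write, delete, proxy or echo. What the header advertises and what the server actually honours are two different things, which is the same caveat Nikto prints about the Server string. The code below is an added example for this page, not Nikto's code: it re-creates that check, and confirms TRACE by sending one with a marker header rather than trusting Allow (TRACE is the only one of these that can be verified without changing anything on the server). The method list it is tested against is the one from the scan above; the live-request functions are not exercised by the offline test.

```python
"""Re-create Nikto's "Allowed HTTP Methods" finding: ask the server what it
advertises, flag the risky methods, and confirm TRACE for real instead of
trusting the Allow header (servers lie, just like the Server: banner)."""
import http.client

# Why each advertised method matters (the same reasons Nikto prints in the scan above).
RISKY_METHODS = {
    "PUT": "may be able to store files on the server",
    "DELETE": "may be able to remove files",
    "CONNECT": "server may act as a proxy or relay",
    "PROPFIND": "WebDAV installed; allows enumeration/remote admin",
    "PROPPATCH": "WebDAV installed; allows property changes/remote admin",
    "TRACE": "request is echoed back; enables cross-site tracing of cookies and auth headers",
}


def parse_allow(header_value):
    """Turn 'GET, HEAD, POST' into ['GET', 'HEAD', 'POST'] (None/empty -> [])."""
    if not header_value:
        return []
    return [m.strip().upper() for m in header_value.split(",") if m.strip()]


def risky_methods(methods):
    """Subset of the advertised methods that deserve a finding, with the reason."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def findings(server_header, allow_header):
    """Nikto-style report lines for one target."""
    lines = []
    if server_header:
        lines.append("Server: %s (banner can be faked; do not rely on it alone)" % server_header)
    methods = parse_allow(allow_header)
    if methods:
        lines.append("Allowed HTTP Methods: " + ", ".join(methods))
    for method, reason in risky_methods(methods).items():
        lines.append("Server allows %s method, %s." % (method, reason))
    return lines


def fetch_allowed_methods(host, port=80, path="/", timeout=10):
    """Live OPTIONS request; returns the advertised methods (not exercised by the offline test)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return parse_allow(resp.getheader("Allow") or resp.getheader("Public"))
    finally:
        conn.close()


def trace_enabled(host, port=80, timeout=10):
    """Advertised is not the same as enabled: send a TRACE with a marker header and
    see whether the server echoes it. Non-destructive, unlike probing PUT/DELETE."""
    marker = "X-Probe: nikto-style-check"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": "nikto-style-check"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status == 200 and marker in body
    finally:
        conn.close()
```

Do not "verify" PUT or DELETE the same way against a production host: a successful probe creates or removes content. Confirm those from configuration (the WebDAV and Limit directives on the server) or against a test path agreed with the owner.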
Assessing Websites (continued)
pavuk
• http://www.idata.sk/~ondrej/pavuk/
• Not really assessment.
• Very efficient web spider
• Can copy content off sites
• Supports authentication
• SSL support
• FTP, HTTP, Gopher
Assessing Passwords
hydra
• http://thc.org/thc-hydra/
• Brute-force (dictionary) password guesser for network services
• Runs many connections in parallel to improve performance.
• Is able to assess passwords in...
  • TELNET, FTP, HTTP, HTTPS, HTTP-PROXY,
  • LDAP, SMB, SMBNT, MS-SQL, MYSQL,
  • REXEC, CVS, SNMP, SMTP-AUTH, SOCKS5,
  • VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3,
  • Cisco auth, Cisco enable, Cisco AAA
Assessing Networks, Hosts, etc.
Nessus – Security Scanner
• http://nessus.org
• Can drive Nmap, Nikto and Hydra as part of a scan
• Server runs on Unix*
• Clients for Windows & Unix
• Has thousands of checks (plugins).
• Scriptable attack language (NASL)
• If you don't use it yet, you should.
Assessing Wireless
kismet
• http://www.kismetwireless.net/
• Manufacturer and model identification
• Runtime decoding of WEP packets for known networks
• Network IP range detection
• Finds hidden (non-broadcast) SSIDs
• Detects wireless attacks
• Finds default configs.
Securing Hosts
p0f/pf/iptables
• p0f – Passive OS fingerprinting
  • http://lcamtuf.coredump.cx/p0f.shtml
  • Identifies the OS from the shape of the SYN packet (TTL, window size, DF bit, option layout) without sending anything.
  • Can work with pf/iptables to create OS-aware rules, for example:
    • Only Windows 2000 and newer can connect out.
    • Restrict in-bound SMTP from Windows hosts to 1 connection per client.
    • Only allow SSH to the firewall from OpenBSD hosts.
• pf – OpenBSD Packet Filter (not BPF, the Berkeley Packet Filter)
  • http://www.openbsd.org/faq/pf/
• iptables – Linux IP firewall (netfilter)
  • http://www.netfilter.org/
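To make the OS-aware rules on this slide concrete, the following added example (written for this page, not p0f's or pf's code) implements the core of passive fingerprinting, matching a SYN's window size, TTL, DF bit, packet size and option layout against signatures in p0f 2.x's text format, and then applies two of the talk's policies to the result. The three signatures are illustrative approximations of p0f's; the real table is p0f's p0f.fp file. The SYNs in the test are constructed, not captured.

```python
"""p0f-style passive OS fingerprinting of TCP SYN packets, then an OS-aware
firewall decision of the kind the talk describes for p0f + pf/iptables."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signatures in p0f 2.x layout: wss:ttl:df:size:options:quirks:genre:details
# These three are illustrative approximations; p0f ships the real table in p0f.fp.
SIGNATURES = [
    "65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+",
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.x",
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4",
]


@dataclass
class Syn:
    src: str
    dst_port: int
    window: int         # TCP window size
    ttl: int            # IP TTL as seen on the wire (initial TTL minus hops)
    df: bool            # IP "don't fragment" bit
    size: int           # total length of the SYN packet
    options: List[str]  # TCP option layout in p0f notation, e.g. ["M1460", "N", "N", "S"]
    mss: int = 0        # MSS value, needed for window sizes expressed as a multiple of MSS


def parse_sig(line: str) -> dict:
    wss, ttl, df, size, opts, _quirks, genre, details = line.split(":", 7)
    return {"wss": wss, "ttl": int(ttl), "df": df == "1", "size": int(size),
            "opts": opts.split(","), "genre": genre, "details": details}


def _window_matches(wss: str, syn: Syn) -> bool:
    if wss.startswith("S"):            # S4: window = 4 * MSS
        return bool(syn.mss) and syn.window == int(wss[1:]) * syn.mss
    if wss.startswith("T"):            # T4: window = 4 * MTU (MSS + 40)
        return bool(syn.mss) and syn.window == int(wss[1:]) * (syn.mss + 40)
    return syn.window == int(wss)


def _ttl_matches(initial_ttl: int, observed_ttl: int) -> bool:
    # TTL decrements once per hop; accept anything within 32 hops of the initial value.
    return initial_ttl - 32 < observed_ttl <= initial_ttl


def _options_match(sig_opts: List[str], syn_opts: List[str]) -> bool:
    if len(sig_opts) != len(syn_opts):
        return False
    for want, got in zip(sig_opts, syn_opts):
        if want == "M*":               # any MSS value is acceptable
            if not got.startswith("M"):
                return False
        elif want != got:
            return False
    return True


def fingerprint(syn: Syn) -> Optional[Tuple[str, str]]:
    """(genre, details) of the first matching signature, or None if the SYN is unknown."""
    for sig in map(parse_sig, SIGNATURES):
        if (_window_matches(sig["wss"], syn) and _ttl_matches(sig["ttl"], syn.ttl)
                and sig["df"] == syn.df and sig["size"] == syn.size
                and _options_match(sig["opts"], syn.options)):
            return sig["genre"], sig["details"]
    return None


# OS-aware rules in the spirit of the talk: (direction, dst port or None for any, allowed OS genres).
# The per-client SMTP limit from the talk is a connection-state rule (pf's max-src-conn), not a
# fingerprint match, so it is not modelled here.
POLICY = [
    ("in", 22, {"OpenBSD"}),     # only OpenBSD hosts may SSH to the firewall
    ("out", None, {"Windows"}),  # only Windows (2000/XP per the signature) may connect out
]


def decide(syn: Syn, direction: str) -> str:
    """'pass' or 'block'. An unrecognised OS fails closed wherever an OS rule applies."""
    fp = fingerprint(syn)
    genre = fp[0] if fp else None
    for rule_dir, port, allowed in POLICY:
        if rule_dir == direction and (port is None or port == syn.dst_port):
            return "pass" if genre in allowed else "block"
    return "pass"  # no OS rule for this traffic; ordinary firewall rules decide
```

Two design points carry over to real deployments. First, an unknown fingerprint is blocked, not passed: the whole value of the rule is lost if anything unrecognised slips through. Second, the SYN fields are under the sender's control, so OS fingerprinting raises the bar for a casual attacker but is not authentication; keep it as one layer on top of addresses, keys and rate limits, never the only one.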
Securing OS through Hardening
Bastille
• http://www.bastille-linux.org/
• Tightens permissions
• Changes to secure defaults
• Removes unneeded services
• Enables better logging
• Locks down subsystems
• Is a slicer/dicer
• Available for Linux, HP-UX, & Mac OS.
Securing Passwords
John the Ripper
• http://www.openwall.com/john/
• Cracks hashes from local password files (wordlist with mangling rules, and brute force), so you can find weak passwords before an attacker does.
• Supports
  • most Unix password file types.
  • Windows NT/2000/XP LanMan hashes
  • OpenVMS and SYSUAF.DAT
  • AFS/Kerberos v4 TGTs
  • S/Key skeykeys files
  • Netscape LDAP server passwords
  • MySQL passwords
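The Netscape LDAP format on that list is a good one to look at, because it exists in both an unsalted ({SHA}) and a salted ({SSHA}) form and so shows what John's wordlist mode actually does and why salts matter. The following is an added example for this page, not John's code: it hashes in the LDAP format (base64 of SHA-1, with the salt appended for {SSHA}), applies a handful of transformations of the kind John's rules engine generates, and cracks a constructed set of hashes. The users, passwords and salts are made up; John's own rule language is far richer than the list here.

```python
"""Wordlist cracking with John-style mangling rules against the Netscape/OpenLDAP
{SHA} and {SSHA} password hash formats (plain and salted SHA-1, base64-encoded)."""
import base64
import hashlib
import os


def ldap_sha(password: str) -> str:
    """Unsalted LDAP hash: {SHA}base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ldap_ssha(password: str, salt: bytes = None) -> str:
    """Salted LDAP hash: {SSHA}base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, candidate: str) -> bool:
    if stored.startswith("{SHA}"):
        return ldap_sha(candidate) == stored
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    raise ValueError("unsupported hash format: " + stored[:8])


# A small subset of the kind of transformations John's rules engine applies to each wordlist entry.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.upper(),
    lambda w: w[::-1],
    *[(lambda w, d=str(i): w + d) for i in range(10)],
    lambda w: w + "!",
    lambda w: w.replace("a", "@").replace("o", "0").replace("e", "3"),
]


def crack(hashes: dict, wordlist) -> dict:
    """hashes: {user: stored hash}. Returns {user: recovered password} for every hash that fell."""
    found = {}
    unsalted = {}                          # hash -> [users]; one SHA-1 per candidate checks them all
    salted = {}
    for user, stored in hashes.items():
        if stored.startswith("{SHA}"):
            unsalted.setdefault(stored, []).append(user)
        else:
            salted[user] = stored
    for word in wordlist:
        for rule in RULES:
            cand = rule(word)
            for user in unsalted.get(ldap_sha(cand), []):
                found.setdefault(user, cand)
            for user, stored in salted.items():  # salts force a fresh SHA-1 per user per candidate
                if user not in found and verify(stored, cand):
                    found[user] = cand
    return found
```

The asymmetry in crack() is the lesson: for the unsalted hashes one SHA-1 per candidate tests every user at once, while each {SSHA} user costs a separate hash, so the salted directory takes N times longer to attack for the same wordlist. Run this kind of audit only against password files you are authorised to test.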
Securing Users/Roles (Advanced)
selinux
• http://www.nsa.gov/selinux/
• Security Enhanced Linux
• Establishes MAC (Mandatory Access Control) on top of the normal Unix permissions.
• Decisions are based on security labels on subjects and objects (processes, files, sockets), not on ownership and mode bits alone.
• Root is not all-powerful: a confined root process gets only what its policy allows.
• Allows compartmentalized controls.
• Really confusing for most mortals.
Exploiting Switched Networks
Ettercap
• http://ettercap.sourceforge.net/
• Enables the sniffing and capture of traffic on switched networks.
• ARP poisoning
• Man in the middle
• Passive OS identification
• Password capture
• Passive portmap
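ARP poisoning works because hosts accept any ARP reply that arrives, so Ettercap simply tells the victim that the gateway's IP lives at the attacker's MAC (and tells the gateway the same about the victim) and then forwards traffic between them. The same property makes it easy to spot: an IP whose MAC suddenly changes, or one MAC answering for both the gateway and a workstation. The detector below is an added example for this page, not Ettercap's code; it runs over constructed tcpdump-style ARP lines (the addresses and timestamps are made up).

```python
"""Detect the ARP poisoning that Ettercap uses for switched-network MITM by
watching ARP replies for IP-to-MAC changes and for one MAC claiming several IPs."""
import re

# Constructed lines in tcpdump's ARP output style, not a real capture:
# a gateway and a workstation answer normally, then 00:0c:29:de:ad:01 claims both.
SAMPLE_ARP = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 46
12:00:05.100000 ARP, Reply 192.168.1.50 is-at 00:0c:29:11:22:33, length 46
12:00:09.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:01, length 28
12:00:09.000100 ARP, Reply 192.168.1.50 is-at 00:0c:29:de:ad:01, length 28
12:00:10.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:01, length 28
12:00:11.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:01, length 28
"""

ARP_REPLY = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def detect_arp_poisoning(lines, gateway=None, known=None):
    """Return (alerts, table). alerts: list of dicts; table: the IP->MAC map as last seen.
    `known` seeds the table (e.g. the gateway's real MAC from switch or DHCP records),
    so the very first poisoned reply is caught instead of being learned as truth."""
    table = dict(known or {})
    claims = {}          # mac -> set of IPs that MAC has claimed
    reported = set()     # (mac, victim) MITM pairs already alerted, to avoid repeats
    alerts = []
    for line in lines.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        previous = table.get(ip)
        if previous and previous != mac:
            alerts.append({"kind": "flip", "time": ts, "ip": ip, "old": previous, "new": mac})
        table[ip] = mac
        claims.setdefault(mac, set()).add(ip)
        # One MAC answering for the gateway and for another host is the classic MITM shape.
        if gateway and gateway in claims[mac]:
            for victim in sorted(claims[mac] - {gateway}):
                if (mac, victim) not in reported:
                    reported.add((mac, victim))
                    alerts.append({"kind": "mitm", "time": ts, "mac": mac,
                                   "gateway": gateway, "victim": victim})
    return alerts, table
```

A legitimate MAC change (a replaced NIC, a failover pair) also trips the "flip" alert, so in practice the seeded table should come from an authoritative source and the alert should be correlated with change records; on managed switches, dynamic ARP inspection stops the attack rather than just reporting it.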
Exploiting End-User Machines
Metasploit
• http://www.metasploit.com/
• Framework for exploits
• Separates the exploit from the payload: one vulnerability, many options (bind shell, reverse shell, ...).
• 32 separate exploits
• 23 separate shellcodes (as of this talk)
Deceptive Services
dtk – Deception ToolKit
• http://www.all.net/dtk/dtk.html
• Pretends to run services the host does not really offer.
• Pretends to be other OSes.
• Keeps the attacker from gaining accurate knowledge of the real host.
Deceptive Networks
honeyd
• http://www.honeyd.org/
• Simulates thousands of virtual hosts at the same time.
• Configuration of arbitrary services via a simple configuration file:
  • Includes proxy connections.
  • Passive fingerprinting to identify remote hosts.
  • Random sampling for load scaling.
• Simulates operating systems at the TCP/IP stack level:
  • Fools nmap and xprobe.
• Simulation of arbitrary routing topologies.
• Subsystem virtualization:
  • Run real UNIX applications under virtual Honeyd IP addresses: web servers, FTP servers, etc.
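What "arbitrary services via a simple configuration file" looks like in practice, as an added example written for this page in the style of honeyd's sample config (it is not taken from the honeyd distribution or from the talk): two templates, one that answers OS probes like an NT 4.0 box with a fake IIS, and one that looks like Linux and proxies port 22 back to whoever connects. The personality strings must match entries in the nmap.prints file that ships with honeyd, and the script paths and addresses are assumptions to be adjusted for your install.

```text
# Assumed honeyd.conf for illustration; adjust personalities, scripts and addresses.
# Anything not bound to a template gets the blocking default below.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Fake Windows host: the personality name must exist in honeyd's nmap.prints
create windows
set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
set windows default tcp action reset
add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
add windows tcp port 139 open
add windows udp port 137 open
set windows uptime 3284460

# Fake Linux host; SSH is proxied back to the connecting host's own port 22
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
add linux tcp port 22 proxy $ipsrc:22
add linux tcp port 25 "sh scripts/smtp.sh"

# Give the templates addresses on otherwise unused IPs
bind 192.168.42.201 windows
bind 192.168.42.202 linux
```

The "reset" default is what makes the templates believable: a closed port answers with RST the way a real stack would, so a scanner sees a normal host with a few open services rather than a black hole. Honeyd must also be made the answer for those IPs on the LAN (via arpd or static routes), or the fake hosts never receive a packet.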
Detecting Network Attacks
Snort with ACID
• Snort – Network IDS
  • http://www.snort.org/
  • Rule-based detection of network threats. Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
• ACID – Web front-end to Snort
  • http://acidlab.sourceforge.net/
  • Enables rapid queries
  • Displays threats graphically
  • Uses a back-end DB
Detecting Network Traffic
Ethereal (now Wireshark)
• http://www.ethereal.com/
• Not really detection, but a GREAT sniffer!
• Decodes over 600 protocols
  • FTP, SMTP, ICMP, RIP, ...
• Has statistical analysis tools
• Allows deep inspection of network traffic
Detecting Compromised Boxes
chkrootkit
• http://www.chkrootkit.org/
• Detects 56 different rootkits
• Detects wtmp/lastlog deletions (log cleaning) and hidden processes
• Works on
  • Linux 2.0.x, 2.2.x and 2.4.x,
  • FreeBSD 2.2.x, 3.x, 4.x and 5.x,
  • OpenBSD 2.x and 3.x,
  • NetBSD 1.5.2,
  • Solaris 2.5.1, 2.6 and 8.0,
  • HP-UX 11,
  • Tru64 and BSDI.
So where can I get this stuff easily?
• Many ISO images of bootable Linux are available.
  • [P]rofessional [H]acker's [L]inux [A]ssault [K]it
    • http://www.phlak.org
  • Local Area Security
    • http://www.localareasecurity.com/
  • Knoppix security tools distribution
    • http://www.knoppix-std.org/
What about Windows?
• Most tools have Windows versions
  • Nmap, pavuk, ettercap, Metasploit, etc.
• Some are not open source, but are available for private use
  • Nessus Windows Technology (NeWT)
    • http://www.tenablesecurity.com/newt.html
• Others will work under cygwin
  • Unix-like environment for Windows
  • http://www.cygwin.com/
Questions?
• This is when you complain that I did not include your favorite tool.
• Or when you tell me what a great time you had.
Scott C. Kennedy
Chief Engineer, Secure Networking Engineering
4224 Campus Point Court
San Diego, CA 92121
858.826.3035
SANS 2003 Top 20 Vulnerabilities

Windows
1. Internet Information Server (IIS)
2. Microsoft SQL Server (MSSQL)
3. Windows Authentication (LANMAN)
4. Internet Explorer (IE)
5. Windows Remote Access Service
6. Microsoft Data Access Components (MDAC)
7. Windows Scripting Host (WSH)
8. Microsoft Outlook & Outlook Express
9. Windows Peer to Peer Sharing (P2P)
10. Simple Network Management Protocol (SNMP)

Unix/Linux
1. BIND Domain Name System (DNS)
2. Remote Procedure Call (RPC)
3. Apache Web Server
4. General Unix Authentication
5. Clear Text Services (Telnet/ftp/rsh)
6. Sendmail (SMTP)
7. Simple Network Management Protocol (SNMP)
8. Secure Shell (SSH)
9. Misconfiguration of Enterprise Services (NIS/NFS)
10. Open Secure Sockets Layer (OpenSSL)
SANS 2004 Top 20 Vulnerabilities

Windows
1. Web Servers & Services
2. Workstation Service
3. Windows Remote Access Service
4. Microsoft SQL Server (MSSQL)
5. Windows Authentication
6. Web Browsers
7. File Sharing Applications
8. LSASS Exposures
9. Mail Client
10. Instant Messaging

Unix/Linux
1. BIND Domain Name System (DNS)
2. Web Server
3. Authentication
4. Version Control Systems
5. Mail Transport Service
6. Simple Network Management Protocol (SNMP)
7. Open Secure Sockets Layer (OpenSSL)
8. Misconfiguration of Enterprise Services (NIS/NFS)
9. Databases
10. Kernel