Introduction to Vulnerability
Assessment Labs
Ge Zhang
Dvg-C03
Karlstad University
Schedule
• 3 attack methods
– Password cracking
– ARP spoofing & sniffing
– Port scanning
• 1 defense method
– Firewall configuration
• 2 vulnerability assessment tools
– Nessus
– Bastille
Environment
• 3 VM images (c:\vmware\valab-ht11)
[Diagram: the host machine runs the VM images; the lab hosts are connected through hubs and a switch]
Password Cracking
• Authentication:
– Something you know
– Something you have
– Something you are
• Passwords need to be transmitted (and can be intercepted in transit)
• Passwords need to be stored (and the stored form can be attacked offline)
Brute Force
• Tries every possible combination of characters (letters, digits, symbols)
• Possible solutions
– Limit the number of unsuccessful login attempts
– Change passwords regularly
– Require a length of at least 8 characters
Dictionary
• A type of brute force
• Only tries possibilities that are likely to succeed
• The candidate list is derived from a dictionary (word list)
• Possible solutions
– Mix numbers, letters, upper and lower case
– Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
John the Ripper
• Traditionally the account information, including the password hash, was stored in the /etc/passwd file
• The /etc/passwd file is world-readable, so any local user could copy the hashes and crack them offline
• The shadow password system stores the hashes in /etc/shadow, which is not world-readable (root only)
• Have a look at
– /usr/share/doc/john-1.7.0.2/EXAMPLES
• Then create your own account and password, and run "john" again to see the result (as the EXAMPLES file shows, the passwd and shadow files are first combined with unshadow so that john can read the hashes)
• useradd [your account]
• passwd [your account]
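The following is an added example, not part of the lab material or of John the Ripper itself. It shows in code what the brute-force, dictionary and John slides describe: it parses constructed /etc/passwd and /etc/shadow lines (showing that passwd only holds an "x"), then runs a word list with a few John-style mangling rules against each hash, falling back to a short exhaustive search. The hash function toy_crypt is a simplified stand-in for the real crypt(3) sha512crypt scheme (which runs thousands of rounds precisely to slow this down); the users, salts, passwords and word list are constructed for the example.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterator, List, Optional

def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3)'s $6$ (sha512crypt) format. The real scheme runs
    thousands of SHA-512 rounds to slow guessing; this single round keeps
    only the '$id$salt$hash' shape so the parsing logic matches /etc/shadow."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$6${salt}${digest}"

def parse_hashes(text: str) -> Dict[str, str]:
    """Return {user: hash} for entries whose second field is a real hash.
    In /etc/passwd that field is just 'x' (the hash moved to /etc/shadow);
    '*' or '!' in /etc/shadow mean no usable password. Both are skipped."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        if field.startswith("$"):
            hashes[user] = field
    return hashes

def salt_of(field: str) -> str:
    return field.split("$")[2]          # "$6$<salt>$<digest>"

def mangle(word: str) -> Iterator[str]:
    """A few John-style word-list rules. Each rule multiplies the work only
    by a constant, so 'dictionary word plus a year' is still a weak password."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2011"):
        yield word + suffix
        yield word.capitalize() + suffix

def dictionary_attack(field: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary mode: try only the likely candidates."""
    salt = salt_of(field)
    for word in wordlist:
        for candidate in mangle(word):
            if toy_crypt(candidate, salt) == field:
                return candidate
    return None

def brute_force(field: str, alphabet: str, max_len: int) -> Optional[str]:
    """Incremental mode: every string up to max_len; cost grows as len(alphabet)**n."""
    salt = salt_of(field)
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if toy_crypt(candidate, salt) == field:
                return candidate
    return None

# Constructed sample files (users, salts and passwords invented for this example).
PASSWD = """root:x:0:0:root:/root:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""
SHADOW = "\n".join([
    "root:" + toy_crypt("Winter2011", "ab12") + ":15000:0:99999:7:::",
    "student:" + toy_crypt("kau", "cd34") + ":15000:0:99999:7:::",
    "nobody:*:15000:0:99999:7:::",
])
WORDLIST = ["password", "summer", "winter", "karlstad", "letmein"]

def crack_all() -> Dict[str, Optional[str]]:
    """Dictionary first (cheap), then a short lower-case brute force (expensive)."""
    results: Dict[str, Optional[str]] = {}
    for user, field in parse_hashes(SHADOW).items():
        found = dictionary_attack(field, WORDLIST)
        if found is None:
            found = brute_force(field, string.ascii_lowercase, 3)
        results[user] = found
    return results

if __name__ == "__main__":
    print("hashes visible in /etc/passwd:", parse_hashes(PASSWD))
    for user, pw in crack_all().items():
        print(f"{user}: {pw or '<not cracked>'}")
```

Both accounts fall: "Winter2011" to the dictionary rule "capitalised word plus year", "kau" to a three-letter exhaustive search. Against the real sha512crypt each guess costs thousands of hash rounds, which is why the lab slides recommend length, mixed character classes and avoiding dictionary-derived passwords rather than relying on the hash alone.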
Sniffing
[Diagram: hub (shared medium), Token Ring]
• Hub: a hub simply receives incoming frames and repeats them out to all devices on the network
• Adapter in promiscuous mode: the adapter accepts all frames on the network, not just the frames addressed to it
Wireshark
[Screenshot: capture options dialog; select the network interface; display filters; capture filters]
Wireshark
[Screenshot: stop capturing; list of captured packets; packet analysis pane; packet bytes in hex]
Hub vs. switch
• Hub: Layer 1 (physical), shared medium; every frame is repeated to every port, so a sniffer sees all traffic
• Switch: Layer 2 (data-link), dedicated; a frame is forwarded only to the port where the destination MAC address was learned, so a plain sniffer sees only its own traffic and broadcasts
[Diagram: hub (shared, Token Ring), switch (dedicated)]
ARP (Address Resolution Protocol)
• MAC address (layer 2)
– Globally unique, assigned to the adapter by the manufacturer
– Normally fixed, but can be overridden in software (which spoofing tools rely on)
• IP address (layer 3)
– Unique within the network
– Changeable
[Diagram: ARP maps an IP address to a MAC address; RARP maps a MAC address to an IP address]
ARP spoofing (cache poisoning) on a switch
Hosts: 192.163.0.1 (AA), 192.163.0.2 (BB), 192.163.0.3 (CC, the attacker), 192.163.0.4 (DD)
Normal resolution:
  AA broadcasts: "Who has the IP address 192.163.0.4? Tell 192.163.0.1 with MAC AA"
  DD replies: "I am 192.163.0.4, with MAC address DD"
  AA caches 192.163.0.4 -> DD
Poisoning by CC:
  CC sends to AA: "I am 192.163.0.4, with MAC address CC"   (AA now caches 192.163.0.4 -> CC)
  CC sends to DD: "I am 192.163.0.1, with MAC address CC"   (DD now caches 192.163.0.1 -> CC)
Traffic between 192.163.0.1 and 192.163.0.4 is now switched to CC's port, where CC can read it and forward it on.
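The exchange above, as an added example that is not part of the lab material: a small model of ARP caches on the four slide hosts, the two forged replies the attacker CC sends (the same thing Cain does for a selected pair of hosts), and a passive monitor in the style of arpwatch that flags an IP whose MAC suddenly changes. ARP itself has no authentication and accepts unsolicited replies, which is all the model needs; the monitor is assumed to see every frame (a hub, or a mirror port on the switch).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hosts from the slide diagram; CC (192.163.0.3) plays the attacker.
HOSTS = {"192.163.0.1": "AA", "192.163.0.2": "BB",
         "192.163.0.3": "CC", "192.163.0.4": "DD"}

@dataclass
class ArpReply:
    sender_ip: str    # "I am <sender_ip>, ..."
    sender_mac: str   # "... with MAC address <sender_mac>"
    target_mac: str   # frame destination: the host whose cache gets updated

@dataclass
class Host:
    ip: str
    mac: str
    cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac

    def receive(self, reply: ArpReply) -> None:
        # ARP is stateless: a reply is accepted whether or not a request was
        # sent, and it overwrites an existing entry. That is the whole attack.
        if reply.target_mac == self.mac:
            self.cache[reply.sender_ip] = reply.sender_mac

    def next_hop(self, dst_ip: str) -> str:
        return self.cache.get(dst_ip, "?")

class ArpMonitor:
    """Passive detector in the style of arpwatch: remember the first MAC seen
    for each IP and alert when a later reply claims a different one."""
    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, reply: ArpReply) -> None:
        old = self.seen.get(reply.sender_ip)
        if old is None:
            self.seen[reply.sender_ip] = reply.sender_mac
        elif old != reply.sender_mac:
            self.alerts.append(f"{reply.sender_ip} changed {old} -> {reply.sender_mac}")

def deliver(net: Dict[str, Host], mon: ArpMonitor, reply: ArpReply) -> None:
    # On a switch the unicast reply reaches only target_mac; the monitor is
    # assumed to sit on a mirror port (or a hub) and therefore sees every frame.
    mon.observe(reply)
    net[reply.target_mac].receive(reply)

def build_network() -> Dict[str, Host]:
    return {mac: Host(ip, mac) for ip, mac in HOSTS.items()}

def legitimate_exchange(net: Dict[str, Host], mon: ArpMonitor) -> None:
    """AA asks 'Who has 192.163.0.4?'; DD answers. AA's broadcast request also
    told DD where 192.163.0.1 lives (modelled here as a reply addressed to DD)."""
    deliver(net, mon, ArpReply("192.163.0.4", "DD", "AA"))
    deliver(net, mon, ArpReply("192.163.0.1", "AA", "DD"))

def poison(net: Dict[str, Host], mon: ArpMonitor, attacker: str, ip_a: str, ip_b: str) -> None:
    """What Cain does for the selected pair: tell each victim that the other
    victim's IP address belongs to the attacker's MAC."""
    mac_a, mac_b = HOSTS[ip_a], HOSTS[ip_b]
    deliver(net, mon, ArpReply(ip_b, attacker, mac_a))   # to AA: ".4 is at CC"
    deliver(net, mon, ArpReply(ip_a, attacker, mac_b))   # to DD: ".1 is at CC"

def run_scenario() -> Tuple[str, str, List[str]]:
    net, mon = build_network(), ArpMonitor()
    legitimate_exchange(net, mon)
    assert net["AA"].next_hop("192.163.0.4") == "DD"     # before poisoning
    poison(net, mon, "CC", "192.163.0.1", "192.163.0.4")
    after_a = net["AA"].next_hop("192.163.0.4")          # now CC
    after_d = net["DD"].next_hop("192.163.0.1")          # now CC
    return after_a, after_d, mon.alerts

if __name__ == "__main__":
    a, d, alerts = run_scenario()
    print("AA sends traffic for 192.163.0.4 to", a)
    print("DD sends traffic for 192.163.0.1 to", d)
    for line in alerts:
        print("ALERT:", line)
```

Both victims end up sending through CC while BB's cache is untouched, and the monitor raises one alert per poisoned mapping. In the lab, a victim host can check its own cache with arp -a; static ARP entries (arp -s) or dynamic ARP inspection on the switch are the usual defenses.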
Preparation
• ipconfig /all
• Let me know the last number of your IP address and your MAC address
• ping [IP address] -t
[Diagram: lab room seating plan (door, window); each machine continuously pings a partner machine]
Cain
[Screenshot: select interface; scan MAC addresses; scanned results; ARP spoofing configuration]
Cain
• Add the two hosts to the list for spoofing
• Spoof the ARP caches of these two hosts to intercept the conversation between them
Cain
• Start ARP spoofing
Port Scanning
• Attackers wish to discover services they can break into.
• Does the service exist?
• Send a packet to each port, one at a time.
– Based on the type of response, an attacker knows whether the port is in use.
– Ports in use can be probed further for weaknesses.
• Well-known ports: tcp 21 (FTP), tcp 22 (SSH), tcp 23 (Telnet), tcp 80 (HTTP) ...
Nmap
• -sT (TCP connect scan: completes the three-way handshake, so the service sees a connection)
• -sS (SYN scan: half-open, the handshake is never completed; needs raw sockets, i.e. root)
• -sU (UDP scan)
• -sV (version detection)
• -O (OS fingerprinting)
• -T[0-5] (timing template, 0 slowest to 5 fastest)
• -f (fragment packets)
• Zenmap: graphical interface
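As an added example (not part of the lab material or of Nmap), the following implements the -sT method in plain sockets: a connect() per port, classified as open, closed or filtered from the response. It runs against two constructed services on 127.0.0.1 that log every accepted connection, which makes the slide's point about -sT concrete: each "open" verdict leaves a trace on the target that a SYN scan would not. Ports are chosen at runtime, so nothing is assumed about the machine running it.

```python
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple

def start_listener(port: int, log: List[str]) -> socket.socket:
    """A minimal TCP service on 127.0.0.1 that records each accepted
    connection, as a real daemon would in its access log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            log.append(f"port {port}: connection from {peer[0]}:{peer[1]}")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv

def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """The nmap -sT method: one full connect() per port.
    Handshake completes -> open; RST (connection refused) -> closed;
    no answer within the timeout -> filtered, i.e. probably dropped by a firewall."""
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:              # includes the timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results

def free_ports(n: int) -> List[int]:
    """Ask the kernel for n distinct unused ports (constructed scan targets)."""
    ports: List[int] = []
    while len(ports) < n:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
        s.close()
        if port not in ports:
            ports.append(port)
    return ports

def demo() -> Tuple[Dict[int, str], List[str]]:
    """Run two services, scan them plus one closed port, and return the scan
    result together with the services' log. Every 'open' verdict left a log
    entry behind; a SYN scan (-sS) avoids that by never finishing the
    handshake, but needs raw sockets (root) and is therefore not shown."""
    a, b, closed = free_ports(3)
    log: List[str] = []
    servers = [start_listener(a, log), start_listener(b, log)]
    try:
        results = connect_scan("127.0.0.1", sorted([a, b, closed]))
        deadline = time.time() + 2.0
        while len(log) < 2 and time.time() < deadline:   # let accept() threads log
            time.sleep(0.01)
    finally:
        for srv in servers:
            srv.close()
    return results, log

if __name__ == "__main__":
    results, log = demo()
    for port, state in results.items():
        print(f"{port}/tcp {state}")
    print("service-side log:", *log, sep="\n  ")
```

The "filtered" branch is what the firewall exercise later produces: once inbound packets are dropped rather than rejected, the scanner gets no RST and has to wait for the timeout on every port, which is also why -T timing matters.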
Firewall
• A set of related programs that protects the resources of a private network or a host from the external environment.
• A mechanism for filtering network packets based on information in the IP header and, for port filtering and stateful rules, on the transport-layer headers (TCP/UDP) and connection state.
iptables
3 default chains (filter table)
• INPUT: controls packets arriving on an interface that are destined for this machine
• OUTPUT: controls packets leaving the machine that originated on this machine
• FORWARD: controls packets routed through this machine to other hosts (including masqueraded traffic)
iptables
• iptables command [match] [target]
• Commands: -A (append), -I (insert at the top), -D (delete), -F (flush), -L (list)
• Matches: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port]
• Target: -j [ACCEPT/DROP/LOG ...]
• Examples:
– iptables -I INPUT -p icmp -j DROP
– iptables -I INPUT -p icmp --icmp-type 0 -j ACCEPT
(type 0 is echo reply; because -I inserts at the top, the second rule is checked before the first, so replies to our own pings are accepted while other incoming ICMP, including echo requests, is dropped)
• Our task: restrict all inbound traffic except SSH requests on port 22. However, outgoing requests must not be affected.
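As an added example (not part of the lab material, and a teaching model rather than netfilter itself), here is a small emulation of the INPUT chain's first-match semantics used to check a candidate ruleset for the task above against constructed packets. It shows the pitfall most first attempts hit: with only "accept port 22, drop everything else", the inbound half of a connection the host itself opened (the HTTP reply to our own request, the answer to our DNS query) is dropped as well, so "outgoing requests" do break. The conntrack match -m state --state ESTABLISHED,RELATED fixes that. The iptables command each emulated rule models is kept next to it; the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    iptables: str                                   # the command this rule models
    match: Callable[[Packet, "Conntrack"], bool]
    target: str                                     # ACCEPT or DROP

class Conntrack:
    """Model of the connection tracking table. A flow this host opened
    (seen on OUTPUT) is known, so packets coming back for it are
    ESTABLISHED; anything else arriving on INPUT is NEW."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, str, int, int]] = set()

    def note_outgoing(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))

    def is_established(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows

def evaluate(chain: List[Rule], policy: str, p: Packet, ct: Conntrack) -> str:
    """iptables semantics: the first matching rule decides; if none
    matches, the chain policy (set with -P) applies."""
    for rule in chain:
        if rule.match(p, ct):
            return rule.target
    return policy

def ssh_in(p: Packet, ct: Conntrack) -> bool:
    return p.proto == "tcp" and p.dport == 22

# First attempt: only inbound SSH is allowed, the policy drops the rest.
NAIVE_INPUT = [
    Rule("iptables -A INPUT -p tcp --dport 22 -j ACCEPT", ssh_in, "ACCEPT"),
]
# Corrected ruleset: the return half of connections we opened is accepted too.
STATEFUL_INPUT = [
    Rule("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
         lambda p, ct: ct.is_established(p), "ACCEPT"),
    Rule("iptables -A INPUT -p tcp --dport 22 -j ACCEPT", ssh_in, "ACCEPT"),
]
INPUT_POLICY = "DROP"        # iptables -P INPUT DROP   (OUTPUT keeps policy ACCEPT)

# Constructed addresses: ME is the lab VM, PEER another lab host, WEB a server.
ME, PEER, WEB = "192.163.0.4", "192.163.0.1", "192.163.0.10"

def scenario(chain: List[Rule]) -> Dict[str, str]:
    ct = Conntrack()
    # Outgoing requests pass the OUTPUT chain (policy ACCEPT) and are tracked.
    ct.note_outgoing(Packet("tcp", ME, WEB, 40000, 80))     # our HTTP request
    ct.note_outgoing(Packet("udp", ME, WEB, 40001, 53))     # our DNS query
    inbound = {
        "ssh_in":     Packet("tcp", PEER, ME, 51000, 22),   # someone sshing to us
        "telnet_in":  Packet("tcp", PEER, ME, 51001, 23),   # unwanted service probe
        "ping_in":    Packet("icmp", PEER, ME),             # inbound echo request
        "http_reply": Packet("tcp", WEB, ME, 80, 40000),    # answer to our request
        "dns_reply":  Packet("udp", WEB, ME, 53, 40001),    # answer to our query
    }
    return {name: evaluate(chain, INPUT_POLICY, p, ct) for name, p in inbound.items()}

if __name__ == "__main__":
    for label, chain in (("naive", NAIVE_INPUT), ("stateful", STATEFUL_INPUT)):
        print(label, scenario(chain))
    print("\n".join(r.iptables for r in STATEFUL_INPUT))
```

On the lab VM the equivalent is the two STATEFUL_INPUT commands followed by iptables -P INPUT DROP; a rule accepting loopback traffic (-i lo) is normally added as well so local services keep working. Test with ssh from a neighbour (should connect), a port scan from the neighbour (everything but 22 shows filtered), and an outbound wget or ping from the VM (should still work).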
Nessus
• Remote vulnerability scanner
• Nessus will
– Perform over 900 security checks
– Accept new plugins that add further checks
– List security concerns and recommend actions to correct them
Nessus
• Client/server architecture
– Server (nessusd): performs the checks
– Client: front-end
• Can test an unlimited number of hosts in each scan
[Diagram: Nessus client connects to the Nessus server (nessusd), which scans the targets: www, FTP, Mail, VoIP]
Bastille
• Operating system hardening
– Remove unnecessary processes
– Set file permissions
– Patching and updating
– Set network access controls
• Generate your own hardening policy
• Can be run manually to provide advice and information
Bastille
• Assessment mode: bastille -a
Bastille
• Configuration mode: bastille -x