EE579T-Class 5 - Electrical & Computer Engineering
EE579T
Network Security
5: Vulnerability Assessment
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/5 #1
Thought for the Day
“The network is the computer.”
Sun Microsystems
Is this quote for real or
is it for marketing?
• What is typical PC bus speed?
• What sort of network data transfer rates can
be attained?
• What does this mean for the future of
networked computing?
Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Course project discussions
• Vulnerability assessment
Last Week...
• Authentication is critical to achieving
network security, and is harder because the
user is at a distance from the computer
• Encryption is key to authentication
– Symmetric
– Asymmetric
• VPN’s provide a way to create a private
“tunnel” through a public network
– Not a panacea
Network Security Last Week-1
• Anna Kournikova hits the Internet
– Email worm exploits Outlook address book
– Hits millions of users, over 20 large
corporations in Australia alone
– Why?
• Is Kournikova a common name?
• Are people that curious?
• Did someone suspect the picture was off-color?
– You are a systems administrator--how do you
protect against this sort of thing?
Network Security Last Week-2
• Kournikova hacker
– Traced by Excite@Home
– Lives in Friesland, Netherlands
– 20-year-old male
– “Wanted to demonstrate how easy it was to write a virus.”
– Maximum sentence guideline in Netherlands is
4 years, prosecutor can ask for more
• How did he do it?
How He Did It
Rocket science, this is not
Network Security Last Week-3
• Tax prep site e1040 shut down Monday
– site's encryption software had been turned off during
site maintenance
– Social Security numbers and passwords of site users
were left exposed
• Hackers chip into Intel Web site
– “Smoked Crew” defaced an Intel sub-domain, leaving a
short message greeting other hackers
– Hackers got in through a well-publicized IIS4/NT4 flaw
Network Security Last Week-4
• University computers remain hacker havens
– Systems "naked," exposed without firewalls
– perfect foils for hackers (i.e. zombies)
• Iomega research asserts 25% of computer users
have lost data to viruses, hackers
• Omni Consulting Group study reveals that
network security breaches cost companies close to
6% of their annual gross revenue, on the average
Network Security Last Week-5
• Hacker fear scares EPA offline for 2 weeks
• Federal Net privacy mandate riles health
care industry
– industry unifies in opposition to HIPAA privacy
regulations, saying it will cost $22 billion to
bring systems in compliance
• Love Bug variant “Cartolina” sending
European postcards
What do all these security issues
have in common?
Course Projects
• Teams
• Topics
• Schedule
Let’s sort this out now.
How To Rob a Bank
• Just walk in and demand the money
– Where is the bank?
– How do you know there is any money?
– Where to park the getaway car?
– Are there any guards or surveillance devices?
– Will you need a disguise?
– What kinds of things might go wrong?
– What if they say “NO?”
Success Requires Planning
• Whether robbing a bank or breaching
network security, you need to plan ahead
• Planning ahead is known as vulnerability
assessment
– Acquire the target (case the joint)
– Scan for vulnerabilities (find the entry points)
– Identify poorly protected data (shake the doors)
Information in Plain Sight
• Lots of valuable information is just lying
around waiting to be used
– telephone directories
– company organization charts
– business meeting attendee lists
– promotional material
• The Internet has made having a company
web page the measure of being “with it”
Target: FBI
You get the idea
• There is a lot of information out there, and it
is readily available to anyone
• Good intelligence usually consists of open
source material properly collated
• Law enforcement used to have special
access to this sort of information--now it’s
out on the ‘net
• Network access speeds up the rate at which
good intelligence can be collected
Determine Your Scope
• Check out the target’s web page
– physical locations
– related companies or entities
– merger/acquisition news
– phone numbers, contact information
– privacy or security policies
– links to other related web servers
– check the HTML source code
Refine Your Search
• Run down leads from the news, etc.
– Search engines are a good way
• FerretSoft
• Dogpile
– Check USENET postings
– Use advanced search capabilities to find links back to the target
• Search on wpi + security gives ~ 2900 hits
Use the Government
• EDGAR
– SEC site (www.sec.gov/edgarhp.htm)
– Search for 10-Q and 10-K reports
– Try to find subsidiary organizations with
different names
• Think about what your organization has on
databases available to the public
Zero In On The Networks
• InterNIC
– Organization
– Domain
– Network
– Point of contact
• www.networksolutions.com
• www.arin.net
Search for wpi.edu
Registrant:
Worcester Polytechnic Institute (WPI-DOM)
100 Institute Road
Worcester, MA 01609-2280 US
Domain Name: WPI.EDU
Administrative Contact, Billing Contact:
Johannesen, Allan E (AEJ5) [email protected]
The College Computer Center
Worcester Polytechnic Institute
100 Institute Road
Worcester, MA 01609-2280
508 754-3964 (FAX) 508-831-5483
Technical Contact:
Brandt, Joshua (JBC740) [email protected]
Solipsist Nation
9 Circuit Ave. E Apt 1
Worcester, MA 01603 US
508-831-5512
Record last updated on 05-Dec-2000.
Record created on 22-Mar-1988.
Database last updated on 15-Feb-2001 02:07:04 EST.
Domain servers in listed order:
NS.WPI.EDU 130.215.24.1
NS1.YIPES.COM 209.213.223.126
NS2.YIPES.COM 209.50.39.102
NS3.YIPES.COM 209.50.40.102
Other Sources
• InterNIC has 50-record limit, so…
– ftp://rs.internic.net/domain
– http://samspade.org/ssw/
• freeware
– www.nwpsw.com
• Netscan tools
• Single copy price = $32.00
– www.ipswitch.com
• WS_Ping ProPack = $37.50
Example: Sam Spade
Sam Spade Features
Environment
Each tool displays its output in its own window, and everything is multi-threaded, so you don't need to wait for one query to complete before starting the next one.
Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again).
The output from each query is hotlinked, so you can right-click on an email address, IP address, hostname or InterNIC tag to run another query on it.
Appending the results of a query to the log window is a single-button function.
There's a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself.
Tools
ping
nslookup
whois
IP block whois
dig
traceroute
finger
SMTP VRFY
web browser
keep-alive
DNS zone transfer
SMTP relay check
Usenet cancel check
website download
website search
email header analysis
Email blacklist query
Abuse address query
S-Lang scripting
Time
Query on Found Data
• POC
– May be (often is) POC for other domains
• Query for email addresses -- here are a few
from @wpi.edu
Amiji, Murtaza (MA3608) [email protected] (508) 831-5395
Baboval, John (JBJ116) [email protected] XXX-XXXX
Ballard, Richard (RBS722) [email protected] 508-831-6731
Barnett, Glenn S (GSB14) [email protected] (315)475-5920
Bartelson, Jon (JB12891) [email protected] (508) 831-5725 (FAX) (508) 831-5483
Berard, Keith (KB2414) [email protected] (508)754-4502
Blank, Karin (KBJ257) [email protected] 203-762-0532
Blomberg, Adam (AB5417) [email protected] 508-755-7699
Query the DNS
• Insecure DNS configuration can reveal
information that should be kept confidential
• Zone transfers are popular attack
methodologies
– nslookup often used
– pipe output to a text file
– review the text file at your leisure
– select potential “good targets” based on data
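The defender's side of the zone-transfer point above: a zone transfer request is a normal query of type AXFR (or IXFR), so it shows up in the name server's query log and can be checked against the list of hosts that are supposed to pull the zone. This is an added example, not from the lecture; it assumes BIND 9's query-log line format, and the allow-list and log lines are constructed.

```python
"""Flag DNS zone-transfer (AXFR/IXFR) requests from hosts that are not the
zone's own secondary name servers.  Added example, not from the lecture;
the log format is assumed to be BIND 9's query log and the sample lines
and allow-list below are constructed."""
import ipaddress
import re

# Constructed allow-list: only the secondaries' networks may pull the zone.
ALLOWED_XFER = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# "client <ip>#<port>: query: <name> IN <type> ..." (BIND 9 query log, assumed)
LOG_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+.*?query: (?P<zone>\S+) IN (?P<qtype>\S+)")

def parse_query(line):
    """Return (src_ip, zone, qtype) from one query-log line, or None if the
    line is not a query record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("zone"), m.group("qtype").upper()

def suspicious_transfers(lines, allowed=ALLOWED_XFER):
    """Return [(src, zone, qtype)] for every AXFR/IXFR request whose source
    address lies outside all of the allowed networks."""
    hits = []
    for line in lines:
        parsed = parse_query(line)
        if not parsed:
            continue
        src, zone, qtype = parsed
        if qtype not in ("AXFR", "IXFR"):
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in allowed):
            hits.append((src, zone, qtype))
    return hits

# Constructed sample: a legitimate secondary, an outside host requesting
# the whole zone, and the same outside host doing an ordinary A lookup.
SAMPLE_LOG = [
    "15-Feb-2001 02:07:04.001 client 192.0.2.10#49152: query: example.edu IN AXFR -T (192.0.2.1)",
    "15-Feb-2001 02:07:05.002 client 203.0.113.5#5353: query: example.edu IN AXFR -T (192.0.2.1)",
    "15-Feb-2001 02:07:06.003 client 203.0.113.5#5354: query: www.example.edu IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    for src, zone, qtype in suspicious_transfers(SAMPLE_LOG):
        print(f"zone transfer attempt: {qtype} for {zone} from {src}")
```

Restricting transfers in the server configuration (an allow-transfer list or TSIG-signed transfers) stops the leak; this check tells you who tried.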
Map the Network
• traceroute
– Unix and Win/NT
– tracert in NT for file name legacy reasons
– Shows hops from router to destination
• Graphical tools exist, too
– VisualRoute
– www.visualroute.com
Detailed Scanning
• Network ping sweeps
– Who is active?
– Automated capabilities with some tools
• ICMP queries
– Reveal lots of information on systems
• System time
• Network mask
Port Scanning
• Identify running services
• Identify OS
• Identify specific applications of a service
• Very popular
• Very simple
• Very dangerous
Port Scan Types
• Connect scan--completes 3-way handshake
• SYN--should receive SYN/ACK
• FIN--should receive RST on closed ports
• Xmas tree--sends FIN, URG, PSH; should receive RST for closed ports
• Null--turns off all flags; target should send back RST for closed ports
• UDP--port probably open if no “ICMP port unreachable” message received
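Seen from the target's side, the TCP scan types above are distinguishable purely by the flag combination on each inbound packet: a bare FIN, a FIN+URG+PSH (Xmas) or a packet with no flags at all never occurs in a legitimate connection, while a bare SYN is also how every normal connection starts and only becomes suspicious when one source sends it to many ports. This is an added example, not from the lecture; the packet records are constructed and the sweep threshold is an assumption.

```python
"""Classify inbound TCP probes by flag combination (the scan types on the
slide) and report sources that touch many distinct ports.  Added example,
not from the lecture; the packet records below are constructed."""
from collections import defaultdict

# Flag letters as tcpdump prints them: S=SYN, F=FIN, P=PSH, U=URG, A=ACK.
SCAN_SIGNATURES = {
    frozenset({"S"}): "SYN",
    frozenset({"F"}): "FIN",
    frozenset({"F", "P", "U"}): "Xmas",
    frozenset(): "Null",
}

def classify_probe(flags):
    """Return the scan type for a flag string such as 'S', 'FPU' or ''.
    Anything carrying ACK ('A', 'SA', 'PA') belongs to an established or
    completing handshake, so it is not a probe and returns None."""
    return SCAN_SIGNATURES.get(frozenset(flags))

def summarize(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_port, flags) for inbound packets.
    Returns {src: {"types": set, "ports": int, "sweep": bool}}.  FIN, Xmas
    and Null probes are suspicious on their own; a source whose probes hit
    more than port_threshold distinct ports is reported as a port sweep,
    which is what turns a pile of ordinary-looking SYNs into a finding."""
    by_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is None:
            continue
        by_src[src]["types"].add(kind)
        by_src[src]["ports"].add(dport)
    return {
        src: {"types": v["types"], "ports": len(v["ports"]),
              "sweep": len(v["ports"]) > port_threshold}
        for src, v in by_src.items()
    }

# Constructed sample: one host Xmas-scans 12 ports, another makes a normal
# connection (SYN, then ACK) to port 80 only.
SAMPLE = [("203.0.113.5", p, "FPU") for p in range(20, 32)]
SAMPLE += [("198.51.100.7", 80, "S"), ("198.51.100.7", 80, "A")]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        tag = "SWEEP" if info["sweep"] else ""
        print(src, sorted(info["types"]), info["ports"], "ports", tag)
```

A connect scan looks like a SYN scan in this view except that the same source follows each SYN with an ACK; the UDP case needs the ICMP side of the conversation and is not covered here.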
Identify Running Services
• Strobe
• Udp_scan (from SATAN)
• netcat
• PortPro & Portscan
• nmap
• Using SYN scan is usually stealthy
• Beware of DoS results
OS Detection
• Stack fingerprinting
– Different vendors interpret RFCs differently
• Example:
– RFC 793 states correct response to FIN probe is none
– Win/NT responds with FIN/ACK
• Based on responses to specific probes, possible to
make very educated guesses as to what OS running
– Automated tools to make this easy!
• Nmap (www.insecure.org/nmap/)
Automated, Graphical Tools
• Can trace network topology very accurately
– ID machines by IP, OS, etc.
– Makes attack much easier
• Cheops
– www.marko.net/cheops/
• Tkined
– wwwhome.cs.utwente.nl/~schoenw/scotty/
Enumeration
• Try to identify valid user accounts on poorly
protected resource shares
– Windows NT
• net view
– lists domains on network
– can also list shared resources
• nltest -- identifies PDC & BDC
• SNMP
• open a telnet connection
Summary
• Attacking a network is no different from robbing a
bank; you have to plan if you expect to be
successful
• There are three basic steps to planning, which is
called vulnerability assessment:
– Acquire the target (case the joint)
– Scan for vulnerabilities (find the entry points)
– Identify poorly protected data (enumeration)
• This applies if you are inside or outside the
protected perimeter!
Homework - 1
1. Identify and describe how you would
enumerate resources on a Unix network,
similar to the discussion in class of
enumeration on Windows/NT
2. You are the network administrator. How
would you defend against the threats of
target acquisition and vulnerability
scanning?
Assignment for Next Week
• Prepare your project outline, with the members of
your team
• Next week’s topic: Hiding in Plain Sight