common - Scott Streit Content


Cybersecurity
Computer Science Innovations, LLC
Ethical Hacking
Course Overview
Email: [email protected]
Course Content
http://content.scottstreit.com
Rules
Address me as “Scott”.
Being able to do something is more important than memorizing. I will not ask you to memorize. My tests ask you to think and explain. I ask you to take a position.
Your grade on a test (mid-term, final) is not the final grade.
You must successfully complete all projects to pass the course.
You pick your grade – I'll explain.
Goals
Einstein said: As simple as possible, but no simpler.
If you cannot explain it simply, you do not understand it well enough.
Any fool can make things more complex; it takes genius to find the simplicity.
Great science is simple.
How did we get here?
Turing Machine
P-V Semaphore – Unix – Flat Files
1972, Dr. E. F. Codd invented the Relational Database, Linear Algebra → Data Storage.
RDBMS – Transactions – Bob Epstein
1988 -- 1995 --- Databases fault tolerant and load balanced. They were tightly coupled.
Startup and you want to do load balancing... Larger than anyone ever has..... What do you
Class Overview

It is Good to be Smart, It is better to be
funny.

90% of the Material, how?

Projects – 2 Adjudicators

Everything is negotiable

This is supposed to be fun.
Overview

Ethical Hacking

Issues in Security

Trusted Computer System Evaluation
Criteria (TCSEC) - Orange Book

Measure Security

Implementation

Assurance
5 Rules of Software Development
1. W3C specifications ahead of JSR specifications.
2. JSR ahead of defacto standards.
3. Defacto standards ahead of custom development.
4. Compositional patterns to create software systems.
5. Use design patterns when creating custom code.
LAMP vs. WAR
Where is LAMP best? Linux, Apache, MySQL, PHP.
1) Your views closely model your database design.
2) Security requirements are not excessive.
Where is WAR best?
1) Your views do not closely model your database design. In fact there probably is no RDBMS. Elastic.
2) Serious Security Requirements (Underwriting).
Issues In Security

Convenience

Adjudication

Front/End Back End

IDS

Network Security

Database Security

Insurance Companies.
The Present Situation

If I am Responsible for System, X, how do I
bring it into Production?

Someone must Approve.

Somebody must assume risk.

Who is that? Insurance company

DOD Adjudicator.

Someone who assumes the risk.
Development up to present





If your system, and you are well defined.
If your security model is simple and based
on standards.
If you speak the same language as the
decision maker?
It is easier to get someone to put their neck
on the line.
Einstein said, If I saw further than others it is
because I was standing on the shoulders of
Giants.
Science Being Simple
Computer Science – Simple seems to win.
P-V Semaphore --- Seven lines of code.
Google ---- Processing Paradigms....
Simplicity in processing.
Map/Reduce …. Solr...
Open Source......
Definitions
Levels of Security
Lowest is D... Not even discussed.
Next level up is C... C1 and C2.
C1 and C2 rely on Discretionary Access Control.
Next level up is B1, B2, B3, which are largely related.
The B level uses Mandatory Access Control.
Subjects and Objects
Access Control... Can the subject read or write the Object? That is one thing we are concerned with.
Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail?
Assurance – How can I be guaranteed that all access to the data has access control and auditing? And … does my model work?
Access Control

Access Control has some pieces....

What are the pieces? The first two are

Identity Assertion

Role Gathering

Systems do this.

We knew this in 1984.. This is not new and
pre-dates the Internet.
Identity Assertion

Eminem – I am who you say I am.

How do you find out your identity?

Google... Username and Password

Google.. Additional Security through a Token

Show Something About yourself

Biometric Devices.

Prove who you are.
How Do We Do Identity Assertion
Diagram: Browser ↔ Web Server (www.bankofamerica.com); each side asks "Do I have a session?"
How Do We Assert an Identity
Username and Password
Sitekey
Identity Asserter is username and password.
Google --- username and password.
Challenge ---> send a key to cell phone
Biometrics... cheap....
Identity Assertion

Identity Asserters must be pluggable.

What does that mean?


It means if I change the Identity Asserter, I do
not need to change the software.
Best Practice … Run the software with two
different Identity Asserters without changing,
compiling or writing Software.
Role Gathering
Diagram: Browser → Web server. The web server asserts identity, then gathers roles.
Role Gathering

Having proven who I am.... What can I do?

The Roles Dictate what you can do.

So if my role is Administrator.. I can do a lot.

If my role is Guest... I can do a little.

Show me what you mean. Ok. Let's do a
practical Example.
Where do We See Roles
Web applications.....
Web.xml
Directory ---- roles can work in the directory
Page --- useradmin ----> roles can see it are
Administrator....
Browser... look up web.xml roles..... See it.
Practical Example - Roles
id
uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers)
Groups are Synonymous with Roles... Spec says.
They say what I can do: Use Plug-in Devices, Line Printer Administrator, Share Files... etc.
What Happened?

Logged into my machine.

Asserted my identity by username password.

Gathered my roles.

Determined what I can do.

Why? It's the standard.
Impromptu Lab
Go to your linux instance. Any linux instance.
id command
then do a
sudo su then do a
adduser pedro
su - pedro
id
Common Shortcomings?


Let's say you have a machine with a web
server.
You have 5 people that are Web Server
Administrators

What are your options?

You can have a Group Account

Or you can setup the machine to allow multiple
people to update the Web Server.
What is Wrong with a Group
Account?

It Violates Discretionary Access Control.

Why? Named Subject, Named Object.

NOT

Named Group containing many Subjects and
Named Object.

Must be one to one – Person to Subject.

Now Three More Topics for C2.
Bringing Up A Web Server
Web Server ---- runs on port 80
Web Server ---- runs on port 8080
Ports < 1024 require Admin Privilege to Start
Process.
Ports >= 1024 do not require Admin
Why do we care? Least Privilege....
Have “Normal” Users Web Admin
So Let's say --- Morris Mo... he is a web admin
Cheri is a web admin.... They are going to run
As normal users... But they need to share
The web server.. and we do not want to violate
DAC.. So we need to separate them and
Keep Least Privilege...
Separate Users
Step 1
Create a group per user
And create a shared group.
Mo Al
Webguys shared group.
How To
root@companion:/opt# groupadd mo
root@companion:/opt# groupadd al
root@companion:/opt# groupadd webguys
root@companion:/opt# useradd mo -g mo -G webguys
root@companion:/opt# useradd al -g al -G webguys
How To
root@companion:/opt# mkdir /opt/share
root@companion:/opt# chown al:webguys /opt/share
root@companion:/opt# chmod 2775 /opt/share
The 2 is the set-group-ID bit. It means that all files created in the directory inherit the group from the directory, not from the user.
Three More Topics



Confidentiality

No one can listen in and gain information.

Encryption
Least Privilege

Very Very Important.

Am I doing the action with the least amount of Authority. Don't
work as Root or Admin
Non-Repudiation

How can I not deny that I sent it.
Confidentiality

https

Hyper Text Transport Protocol Secure

When you read your email are you

http or https?

Log into your mail.

Is it http or https? https
Least Privilege

I must work as a normal user

Or

I must work as an admin.

Which is better?

Why? Myself? Why? You don't mess up the
system on purpose or by accident.

Ports... https which port is that? 443

Who do you have to be to work as 443?

For ports less than 1024 you must be admin
How Do We Do Least Privilege
With https?

The browser (Source) wants to communicate
on 443.... Default

The system wants to use a normal user.

So what happens?

So your Firewall or Router maps 443 to 8443


So the Source requests 443 the System
responds with 8443 the Router maps them.
Best Practice … Always map <1024 ports to >
1024 to preserve Least Privilege.
Outside World to Inside
Https in a browser it says communicate on 443
But we want least privilege … So how do we do
that.
8443 on the local system.
We need our firewall/router administrator to set
this up for us.
Let's Look At This
Diagram: Browser → 443 → Firewall (Al, the admin, maps incoming 443 to internal 8443 on a specific server) → Web Server listening on 8443.
Apache and Least Privilege
ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache
root      3725     1  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3727  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3729  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3730  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
ubuntu    3828   865  0 14:55 pts/0    00:00:00 grep --color=auto apache
ubuntu@ip-10-204-147-104:~$ sudo su -
root@ip-10-204-147-104:~# cd /etc/
root@ip-10-204-147-104:/etc# grep www-data passwd
www-data:x:33:33:www-data:/var/www:/bin/sh
Apache is not adhering to Least Privilege
Unix Cheat Sheet


The command ls is the same thing as dir in
windows
The command ps is process status and
commonly used as ps -ef | more

Do a ps -ef | more

The command pwd is print working directory

The command chmod is change mode

The command chown is change user and
group
DAC in UNIX

In Unix we get DAC out of the box.

How do we do it.

Name Subject …. logging in

How do we protect files?

This is access control.
Unix History




How did we get to Unix?
Who created it? Brian Kernighan, Dennis Ritchie, Thompson.
They worked for AT&T in New Jersey in the
70's. They had an idea. What if an operating
systems was created that worked on any
hardware?
So they needed a hardware independent
language – they called it C.
Unix History Continued

AT&T gave it away for free.

How many run Android's. Unix kernel

How many run IPhones. Unix.

There are two flavors. System V – MIT –
Linux

BSD – Berkeley – Cal Berkeley – Mac/OS

AT&T – Created this.
Commands - Unix
Permissions
wwwxxxyyy for a file or directory.
Now let's define www: it has 3 bits, for RWE (read, write, execute).
So RWE is what … 7. Now www is for the user's permission,
xxx is for the group's permission and
yyy is for the world's permission.
So if a file is 400, like a .pem file, what is that?
400 = 100 000 000, which is r-------- : read only, for the owner.
More Permissions
So if I want a file to be Read and Write for the Owner (User) of the file, and Read for the Group, and Nothing for the world.
Let's do it together.
www xxx yyy = U G O, each a three-digit RWE:
110 100 000 = 6 4 0
Lab on Permissions
So..... A User may Read, Write and Execute.
The Group may Read and Write.
The Other may only Read.
What is the pattern?
Remember www xxx yyy RWE U G O
111 110 100 = 7 6 4
So Back to Commands
The command ls -al gives a full listing. You can see the pattern.
So we have a couple more commands and we are done.
The command chmod 3DIGITS files changes the mode. chmod 777 allows all access.
The command chgrp user:group and it lets you set the owner.
The World of Discretionary Access Control
Says I should have a way to protect my private files.......
Well, let's create two users, Chris and Dave.
Chris should see Chris's files and Dave could see Chris's files, but only Chris can update Chris's files and only Dave can update Dave's files.
Let's Do It

root@companion:/opt# groupadd class

root@companion:/opt# groupadd dave

root@companion:/opt# groupadd chris

root@companion:/opt# useradd dave -g dave -G class

root@companion:/opt# useradd chris -g chris -G class

So class is a shared group with two members dave and chris.

So, dave has a primary group …. dave

So, chris has a primary group …. chris
See DAC

Common area and it is called /opt … which is for optional software.

The command mkdir makes a directory.

root@companion:/opt# echo "hello" > chris.txt

root@companion:/opt# echo "goodbye" > dave.txt

root@companion:/opt# more chris.txt

hello

root@companion:/opt# more dave.txt

goodbye

root@companion:/opt# ls -al chris.txt dave.txt

-rw-r--r-- 1 root root 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 root root 8 Jun 25 13:40 dave.txt
Chris and Dave – Private for
Writing

Command chown user:group file

Command chown chris:chris chris.txt

Command chown dave:dave dave.txt

Command ls -al *.txt

root@companion:/opt# ls -al *.txt

-rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt

root@companion:/opt# su - dave

No directory, logging in with HOME=/

$ cd /opt
umask

The opposite of bits set on a file when created
scott@companion:~$ umask
0002
scott@companion:~$ touch zzzz
scott@companion:~$ ls -al zzzz
-rw-rw-r-- 1 scott scott 0 Dec 6 20:11 zzzz
When I create a file the only bit to NOT set is the
2 bit.
umask (continued)

The opposite of bits set on a file when created
scott@companion:~$ umask 22
scott@companion:~$ touch zzyy
scott@companion:~$ ls -al zzyy
-rw-r--r-- 1 scott scott 0 Dec 6 20:13 zzyy
umask with a value sets the umask.
setting it as 22 means not to set the write bit
for users and groups.
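Added example (my code, not from the course slides): the permission arithmetic from the Commands - Unix, Lab on Permissions and umask slides, in Python. It converts between rwx strings and octal digits, decodes the special leading digit (the 2 in chmod 2775), and applies a umask exactly as the kernel does, including creating a real file under a given umask and reading its mode back.

```python
import os
import stat
import tempfile

# Bit value of each permission letter within one three-bit group (RWE on the slides).
BITS = {"r": 4, "w": 2, "x": 1}


def rwx_to_octal(perm: str) -> str:
    """'rw-r-----' -> '640': each rwx triple (user, group, other) is one octal digit."""
    if len(perm) != 9:
        raise ValueError(f"expected nine characters, got {perm!r}")
    digits = []
    for start in range(0, 9, 3):
        value = 0
        for ch, expected in zip(perm[start:start + 3], "rwx"):
            if ch == expected:
                value |= BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {perm!r}")
        digits.append(str(value))
    return "".join(digits)


def octal_to_rwx(mode: str) -> str:
    """'640' -> 'rw-r-----' (user, group, other)."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    out = []
    for digit in mode:
        v = int(digit)
        out.append("r" if v & 4 else "-")
        out.append("w" if v & 2 else "-")
        out.append("x" if v & 1 else "-")
    return "".join(out)


def describe_mode(mode: str) -> dict:
    """'2775' -> special bits plus the rwx triples.

    In a four-digit mode the leading digit holds setuid=4, setgid=2, sticky=1;
    setgid on a directory is what makes new files inherit the directory's group.
    """
    special, perm = (int(mode[0]), mode[1:]) if len(mode) == 4 else (0, mode)
    return {
        "setuid": bool(special & 4),
        "setgid": bool(special & 2),
        "sticky": bool(special & 1),
        "perm": octal_to_rwx(perm),
    }


def apply_umask(requested: int, umask: int) -> int:
    """What the kernel does at creation time: every bit set in the umask is cleared."""
    return requested & ~umask & 0o777


def created_file_mode(umask: int) -> int:
    """Create a file under the given umask (like 'touch zzzz') and read its mode back."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "zzzz")
            with open(path, "w"):
                pass  # a plain file is requested as 0666 before the umask is applied
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


if __name__ == "__main__":
    print(rwx_to_octal("rw-r-----"), octal_to_rwx("764"), describe_mode("2775"))
    print(oct(apply_umask(0o666, 0o022)), oct(created_file_mode(0o022)))
```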
Lab




Create a private group for you and your
partner along with a shared group.
Create a user for you and your partner with the
private group as your primary group (-g) and
the shared group (-G) as your supplemental
group.
Add each user.
Put a file in opt for each user. Use chmod and
chown to make the file globally read but only
private write.
Annoying Cannot Save Backup
File



When you are working as a user... you have a
private home directory, where you can work.
The command useradd has a way to specify
the home directory, which we did not do, so it
defaulted to the root of the system which is
owned by root. So you cannot write to it.
To Consider
There is an appropriate tool for a job. This is not
Religion. We are trying to get a job done.
There are 2M LAMP developers worldwide.
Wikipedia – written in LAMP. Bugzilla, written in
LAMP.
So, what Computer Scientists say is LAMP is not
real computer science. I disagree,
We Want To Use Least Privilege
We get our web server (Tomcat) to work as a
normal users.
What does this imply?
Port # >= 1024... No privileged User.
Example of this
Google Technology
Starting out... Google ingested the entire web
and searches it.
But the technology that ingest the entire web is
called Map/Reduce and is the open source
Apache project – Hadoop.
The technology to read the entire web is called
the Apache project Solr.
Solr
Runs with Least Privilege.
Show me!
Ran Solr:
Accessed it through http://localhost:8080/solr
Did a ps -ef | grep tomcat.
Running as scott
AWS.amazon.com/amis – these
are amazon machine images.
Top Down.... A specification committee gets
together,,, they understand the need.... they
build a specification. Many are good, some are
bad.
Bottom up... The specification committees do not
know about this. A vendor starts it.... It gets
critical mass... It becomes a defacto standard.
Somethings That Came From a
Specification
TCP/IP
HTML
Web Archives.
Java.
Browsers.
Some Things not from a
Specification (defacto)
Processors on PC
Wiki's
Spring Framework
Social Networking
RESTFull
Amazon - AMI
Amazon Machine Images
https://aws.amazon.com/amis
65,000 different machine images.
Ubuntu 12.04, MySQL Apache, php, postfix
Server … Elastic... Managed in a secure way.
Why is this Popular
Speed, efficiency, cost
Shawn – I can bring up a production instance in
less than 5 minutes.
Cost – Initial costs are nominal. I pay as I go.
How Do I do This
First go to amazon EC2. (Elastic Compute
Cloud)
classic wizard gives you different ones to choose
from. Amazon gives you their own AMI default.
Can go out to community and see the ones out
there running . Choose an instance of them.
Takes the image out there running and takes a
copy of it.
Launched an Instance
I have a security key that I use to get to the
server. This is going to lead to a best practice.
scott@companion:~/Desktop$ ls -al elijah.pem
-rw-rw-r-- 1 scott scott 1696 Sep 11 11:13
elijah.pem
scott@companion:~/Desktop$ chmod 600
elijah.pem
scott@companion:~/Desktop$ ls -al elijah.pem
-rw------- 1 scott scott 1696 Sep 11 11:13
elijah.pem
Let's Get to our Server
ssh -i elijah.pem [email protected]
So if we do not use a private key
ssh [email protected]
Permission denied (publickey)
Best Practices?
No unencrypted access. Only ssh or https
443 22 80, ports that are open
DAC – Single User to account. Groups. Shared,
etc.
And Private key to get into ssh.
Lab
Go back to Amazon,
Create an instance.
Log on to the server.
Remember.... chmod 400 on the key
Do not lose the key.
[email protected]
Password redskins1992
Review
Security Levels:
D everything
C1 – DAC with group level
C2 - DAC individual users and objects.
B1 - Mandatory Access Control – Wednesday It
is what we need for Multi-level secure.
B2, B3, A1 is the same as B1 with more
Assurance.
Review - II
So, how can I prove Solr is running with Least Privilege?
Possibly – it is running on port 8080 >= 1024.
scott@companion:~$ ps -ef | grep tomcat
scott    10139 18578  0 14:55 pts/4    ...
User is scott.
Command grep scott /etc/passwd
Command su - scott
SSH
root@companion:~# groupadd jon
root@companion:~# useradd jon -g jon -d /home/jon -s /bin/bash
root@companion:~# cd /
root@companion:/# cd /home
root@companion:/home# mkdir /home/jon
root@companion:/home# chown jon:jon /home/jon
jon@companion:~$ ssh localhost
jon@localhost's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-genericpae i686)
Requires password!!!!
No Password – How?
$ ssh-keygen
Enter file in which to save the key (/home/jon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Your public key has been saved in /home/jon/.ssh/id_rsa.pub.
jon@companion:~$ ls -al .ssh
-rw------- 1 jon jon 1675 Sep 11 14:18 id_rsa
-rw-r--r-- 1 jon jon 395 Sep 11 14:18 id_rsa.pub
-rw-r--r-- 1 jon jon 222 Sep 11 14:16 known_hosts
jon@companion:~/.ssh$ mv id_rsa.pub authorized_keys
prove it: ssh localhost
We ssh now
jon@companion:~$ ssh localhost
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux
3.2.0-30-generic-pae i686)
* Documentation: https://help.ubuntu.com/
Let's us in without a password!!!
Look at this a little further
jon@companion:~/.ssh$ more id_rsa
-----BEGIN RSA PRIVATE KEY-----
jon@companion:~/.ssh$ more authorized_keys
ssh-rsa
SSH With Passphrase
jon@companion:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key
(/home/jon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
lakers
Enter same passphrase again: lakers
jon@companion:~/.ssh$ mv id_rsa.pub
authorized_keys
jon@companion:~/.ssh$ ssh localhost
Lab 3
Use ssh-keygen to create a public and private
key.
Use this to get access to your account via ssh
without a password.
Setting SSHD to only allow
Private Key
sudo su -
cd /etc/ssh/
edit sshd_config
change
#PasswordAuthentication yes
PasswordAuthentication no
Lab 4
Allow private key only access to your account.
Log out of Xwindows and see password still
works.
THIS ONLY IMPACTS SSH, WHICH SHOULD
BE YOUR ONLY EXTERNAL ACCESS.
Physical access - we do not care.
Fingerprinting
So, we have a file at the top level of a Web site.
It is called robots.txt.
It specifies where to find content and what content to avoid.
What can this tell us from a fingerprinting perspective? It tells us the stuff we wish to protect.
Fingerprinting Perspective
Www.walmart.com
Www.schwans.com
Take down the robots.txt
Take down the sitemaps
Try to take down the disallows
Use wget …
Lab Fingerprint Web Server
Use wget
Use wget www.walmart.com/robots.txt
Use more robots.txt
Use wget <sitemap files>
Use more <sitemap files>
Use www.schwans.file
Try to wget disallowed files.
What Did We Learn?
What can we do with robots.txt from a fingerprint perspective? It is part of the directory structure.
It shows you what they do not want to share.
Why does wget not pull disallowed information? Hint: man wget. It adheres to the robots.txt protocol.
How could we get disallowed information? What type of licensing is wget? Open Source. We can get the source. Change it and go after the
Web Site Fingerprinting
Best Practices:
1) Use robots.txt for things you want found by a
search engine and disallow for things you do
not want found.
2) Use a tool (if you are a penetration tester) to
work around the disallow in robots.txt.
Remember disallow is a protocol.
3) Use security in the web server to protect
sensitive files.
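Added example (my code, not from the course slides): a robots.txt parser for auditing your own site, so you can see the same list of Disallow paths the wget exercise exposes and check that each one is protected by the web server (best practice 3) rather than by robots.txt alone. The SAMPLE_ROBOTS text is constructed for the example and is not any real site's file.

```python
from dataclasses import dataclass, field

# Constructed sample, not any real site's robots.txt.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/
Allow: /cgi-bin/public/   # a comment after a directive
Sitemap: https://example.invalid/sitemap.xml

User-agent: Googlebot
User-agent: Bingbot
Disallow: /tmp/
Crawl-delay: 10
"""


@dataclass
class Group:
    """One block of rules: the User-agent lines it applies to and its paths."""
    agents: list = field(default_factory=list)
    disallow: list = field(default_factory=list)
    allow: list = field(default_factory=list)


@dataclass
class Robots:
    groups: list = field(default_factory=list)
    sitemaps: list = field(default_factory=list)


def parse_robots(text: str) -> Robots:
    """Parse robots.txt into user-agent groups plus the file-wide Sitemap lines."""
    robots = Robots()
    current = None
    agents_open = False  # True while consecutive User-agent lines are still adding to one group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a comment runs from '#' to end of line
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split at the first colon only (URLs contain colons)
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not agents_open:
                current = Group()
                robots.groups.append(current)
                agents_open = True
            current.agents.append(value)
            continue
        agents_open = False  # any other directive closes the run of User-agent lines
        if key == "sitemap":
            robots.sitemaps.append(value)     # Sitemap is not tied to a group
        elif current is None:
            continue                           # a rule before any User-agent belongs to no group
        elif key == "disallow" and value:      # an empty Disallow means nothing is disallowed
            current.disallow.append(value)
        elif key == "allow" and value:
            current.allow.append(value)
    return robots


def disallowed_paths(text: str) -> list:
    """Every path any group disallows: exactly what a reader of the file learns you want hidden."""
    paths = {path for group in parse_robots(text).groups for path in group.disallow}
    return sorted(paths)


if __name__ == "__main__":
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print("needs server-side protection:", path)
```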
Network 101
Typically three types of networks A, B, C
Differ by.... netmask
A netmask 255.0.0.0
B netmask 255.255.0.0
C netmask 255.255.255.0
So how does this work.
OSI Networking Model
Application - Applications running on top - ssh
Presentation --- Map data between
representations.
Session --- Support conversation.
Transport --- Put stuff in order, end to end
Network – communicate with routing
Data Link --- communicate without routing
Physical --- Cable
Data Link Layer
Data link – no routing
Scott
Brian
Command to See Network
Ifconfig -a
Scott
inet addr:10.10.10.234 Bcast:10.10.10.255
Mask:255.255.255.0
Brian ….. 10.10.10.231...
Netmask 255.255.255.0 What does that mean.
Netmask

255.255.255.0

Class C network.

Only route if you differ by more than the last octet.

10.10.10.234

10.10.10.231

No Routing necessary. Only differ by where the Netmask is 0
therefore resolved at the data link layer. MAC/IP. The
conversion between MAC and IP is datalink.
More Netmask

255.255.0.0 is a B network only route if differ
by left-most two octets.
192.168.1.2
192.168.2.3
Routing? No. Why? The only values that differ are where you have a
bit pattern of 1111's
255.0.0.0 is an A network
10.0.1.7 and 10.1.1.7 does it require routing.
Only differs by where it is 1.
Netmask Concluded
Class C network
Netmask 255.255.255.0
What is that in HEX?
– FFFF.FFFF.FFFF.0000
What is that in Binary?
– 11111111.11111111.11111111.00000000
So on a Class C network one computer is 192.168.1.10 and one is 192.168.1.12.
Need Routing?
Netmask Lab
Class C Network 255.255.255.0
– 192.168.1.10 and 192.168.0.11. Need routing? Yes. They differ in the third octet.
Class A Network 255.0.0.0
– 10.11.1.1 and 10.10.1.1 need routing? No.
– 11.11.1.1 and 10.10.1.2 need routing? Yes.
Question: 192.168.1.1 for a router – Cisco, who makes it. 192.168.0.1 – Dlink, Netgear, who makes it?
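Added example (my code, not from the course slides): the "route only where the netmask has a 1" rule as bit arithmetic, checked against the address pairs from the netmask slides. It also handles classless masks such as the 255.255.252.0 on Scott's kitchen network later on, which the slides do not work through, and rejects a mask whose 1 bits are not contiguous.

```python
def ip_to_int(addr: str) -> int:
    """'192.168.1.2' -> 0xC0A80102; rejects anything that is not four octets 0-255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_binary(mask: str) -> str:
    """'255.255.252.0' -> '11111111.11111111.11111100.00000000'."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def valid_mask(mask: str) -> bool:
    """A netmask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF  # the trailing 0 bits, as a number
    return (inverted + 1) & inverted == 0       # true only when inverted is 2**k - 1


def network_address(addr: str, mask: str) -> str:
    """The bits of the address under the mask's 1s: what netstat -rn lists as Destination."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def needs_routing(a: str, b: str, mask: str) -> bool:
    """True when a and b differ in any bit position where the mask is 1 (different networks)."""
    if not valid_mask(mask):
        raise ValueError(f"not a contiguous netmask: {mask!r}")
    return network_address(a, mask) != network_address(b, mask)


def mask_class(mask: str) -> str:
    """The classful name the slides use; anything else (like 255.255.252.0) is classless."""
    return {"255.0.0.0": "A", "255.255.0.0": "B", "255.255.255.0": "C"}.get(mask, "classless")


if __name__ == "__main__":
    print(mask_to_binary("255.255.255.0"))
    print(needs_routing("192.168.1.10", "192.168.0.11", "255.255.255.0"))
    print(network_address("192.168.1.2", "255.255.252.0"))
```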
A Little Further in the Network
Find the router..
– Unix
– Command netstat -rn
scott@kitchen:~$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr c8:0a:a9:b5:9d:db
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.252.0
scott@kitchen:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
What About DNS?

Domain Name Service. Maps names to IP
addresses.

It is given to us by DHCP

Unix find it? More /etc/resolv.conf
scott@kitchen:~$ more /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1
On My Network

192.168.1.1 is the DNS Server and the Router

Netmask is 255.255.252.0

It is CISCO like????

That is what we found out.

To do on Windows ipconfig /all
Lab.... Tell me what you have on your Windows
box?
Conventions

Class C 255.255.255.0
–

Generally 192.168.x.x
Class A (bigger network)
Generally 10.x.x.x.

Gateway … generally. What ever you are
working with .1 DHCP Server is generally the
Gateway.
What is DHCP?




Distributed Hosts Configuration Protocol
Turn on a computer, get the IP address, DNS
Server, Router, and any Routes.
Broadcasts for it.
In other words, comes up, says who is my
DHCP? First one wins.
What is wrong with our Network,
via Conventions?


C Network, why netmask 255.255.255.0
IP address starts with 10, which is an A
network

Should start with ???? 192.168

Router ends in .254, what does it typically do?
–
.1
Review Fingerprinting


Why do we Fingerprint? To learn about the
system. If you are an adversary, you want to
find something easy.
If you are a security professional, you want
to see how hard your systems are.

Most common tool is nmap.

Nmap can help you work around an IDS.


Inspects traffic to tell you about products and
ports.
Nmap is a TCP/IP expert, Xmas, Stealth,
etc.
Network use Netmask
Typical network --- cisco …
Ip address of the router is
192.168.1.1
255.255.255.0
C
So if I talk to 192.168.1.10 to 192.168.1.21
Do I need to route?
No?
Network Route When
Addresses differ from where there is a 1.
For 255.255.255.0
If we wish to go from 192.168.1.10 to
206.245.1.17
Do we need to route? Yes
How do we find our router? Use netstat -rn
Talk About Addresses
TCP/IP protocol
We agree to not route what addresses:
169.254 what you get when you do not get a
dhcp address.
172.
10.
192.168
127.0.0.1 127.0.0.2
192.168.1.x CISCO
192.168.0.x DLINK
Network Topology
So, I want three networks to be separate and
have one external address to the internet.
How do I do this?
206.1.17.9 external address 10.10.10.254
internal
Network1 192.168.1.x 255.255.255.0 gtw
192.168.1.1
Internal (10.10.10.1)
Network2 192.168.2.x 255.255.255.0 gtw
192.168.2.1
Internal (10.10.10.2)
What Did We Learn
1) Netmask determines your address range..
Route when difference is in the area of 1's on
netmask.
2) Router must be on same subnet as network it
is routing.
3) How do we find netmask Unix (ifconfig -a)
windows ipconfig /all
4) How do we find router – netstat -rn
5) How do we find dns server windows its
ipconfig /all
Email Tracking
Let's say I sent an email to Mo and I wanted assurance that he has read it. Email itself is a datagram.
In the email message:
<img src="www.morrisisagreatguy.com/photo.jpg">
Tools do this for you. Put a link that does not require a click and sends that to a server for recording.
Email Tracking
<img src="www.morrisisagreatguy.com/photo.jpg">
This can be a servlet that returns a graphic. When the email is read, the servlet is called (it has to show the graphic). While getting the graphic, it records the fact that the email was read.
Fingerprinting Lab
Tell me what I am running at www.scottstreit.com
By using nmap
Tell me what hosts on your subnet are running.
By using nmap
Review and Talk About Today
Discretionary Access Control
Go through nmap
DAC – Step by Step lab.
For nmap – two videos from youtube.
DAC
Why do we care how this works?
Unix paradigm is everywhere
Old people like Scott we had Unix with no
commands. So we manually modified two files
/etc/group and /etc/passwd
This impacted or effected the behavior.
Ubuntu/debian Fedora/RedHat... they have
different commands … but they all impact
/etc/group /etc/passwd
Commands
We have useradd, groupadd, umask, chmod,
chown --- five commands to do all of it.
1) Group out there. So you need private group
which means the username is the same as the
group name. So you need one of these per
user, and one shared group.
root@companion:~# groupadd dhoward
root@companion:~# groupadd snash
root@companion:~# groupadd lakers
What Happened Here?
We have two new Lakers as we move towards
our 17th NBA Championship, Dwight Howard
and Steve Nash. So if we wish to add them we
need to add the private group first. Next we
need a shared group... Lakers.
How do we check this
We can do a tail /etc/group
dhoward:x:1004:
snash:x:1005:
lakers:x:1006:
What do We do Next
Create the users
Do useradd snash -g snash -G lakers
root@companion:~# useradd snash -g snash -G
lakers
root@companion:~# useradd dhoward -g
dhoward -G lakers
What Happened
root@companion:~# tail /etc/group
dhoward:x:1004:
snash:x:1005:
lakers:x:1006:snash,dhoward
We have dhoward and snash are private. The
group lakers has two supplemental users
snash and dhoward.
What do we do Next?
Create a shared area on disk.
Going to go to /opt create a directory called
seventeen. In there I want to share files.
root@companion:~# mkdir /opt/seventeen
root@companion:~# cd /opt/seventeen
root@companion:/opt/seventeen# ls -al
total 8
drwxr-xr-x 2 root root 4096 Sep 11 09:31 .
drwxr-xr-x 4 root root 4096 Sep 11 09:31 ..
What is wrong with this? The group cannot write to it. That is wrong because we want the group to share it. Why did it default to 755 for permissions?
We have rwe rwe rwe
111 101 101
This implies a umask of 22. Umask, as the name implies (mask), is the set of bits that are cleared (made 0) at file creation.
What Do We Have Here
Posix compliant Discretionary Access Control.
It comes... out of the box..... No add on
packages, no recompiles, and it is constant
protection.
We say, linux, out of the box is C2 capable.
We say it is capable, why?
C2 Capable
Anyone can take a C2 system and make it D. If
you have a group account and multiple people
log in using the same account … you are now
at D.
PL3, PL3+ … C1, C2
PL3 = C2
PL3+ = B1
Passive Encryption vs. Active
Read the Orange Book; there are standards that say passivated data must be encrypted at B1...
We largely do not do this.... Is this good or bad, and why?
Encrypting Passivated Data is Good
Handles the case of the disk falling into the wrong hands. Could argue for encrypting a laptop hard drive.
Tiered Security.... Encryption at the transmission level and at the storage level.
Encrypting Passivated Data is Bad
1) We typically do not guard against physical access. Guns, Guards, Gates.
2) What if you lose the key?
3) None of our tools run on encrypted data. So if you have encrypted data in a MySQL table, you have to write the encryption/decryption layer..... so the cost of software development goes up dramatically.
Reasonable Compromise
Highest risk data is encrypted.. which means laptop data is encrypted. Why? No penalty. And you are much more likely to lose a laptop than to have a bad person grab control of your machine.
This is where we are today.
Fingerprinting





We want to see what is on our network.
If you are bad.... then you are looking for easy
things.
We want to make sure, we are not one of
those easy things.
So for Bad People, Fingerprinting is a way to
find easy systems to crack.
For Security Professionals, hardening our
systems.
Best Practices

Only SSH login and only through a private key.

Open Ports 22 (private key only) and 443

This is for externally facing Servers

So how do we find out?
How Do We Fingerprint

Command - telnet host port

Then send it commands

Then get what's running by parsing the results
of commands.
scott@companion:~$ telnet www.scottstreit.com 80
Trying 74.103.6.161......
HEAD
<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>
</body></html>
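Added example (my code, not from the course slides): what the HEAD-over-telnet probe above tells an outsider, parsed from a raw HTTP response so you can check your own server's answer. The SAMPLE_RESPONSE bytes are constructed to match the Apache error page shown in the telnet session; grab() is the socket-level version of the telnet step.

```python
import re
import socket

# Constructed response, patterned on the Apache error page the telnet session shows.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Tue, 11 Sep 2012 18:40:02 GMT\r\n"
    b"Server: Apache/2.2.14 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.2\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head><title>400 Bad Request</title></head><body>\n"
    b"<h1>Bad Request</h1>\n<hr>\n"
    b"<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>\n"
    b"</body></html>\n"
)

# product/version tokens such as Apache/2.2.14 or PHP/5.3.2
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")
# the Apache ServerSignature footer seen in the telnet output
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.S)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body text)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers blank line in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", "replace")


def banner_findings(raw: bytes) -> dict:
    """Everything a fingerprinter learns from one response: products with versions, and the signature."""
    status, headers, body = parse_response(raw)
    products = []
    for header in ("server", "x-powered-by"):
        for name, version in PRODUCT_RE.findall(headers.get(header, "")):
            products.append((header, name, version))
    match = SIGNATURE_RE.search(body)
    return {
        "status": status,
        "products": products,
        "signature": match.group(1).strip() if match else None,
    }


def grab(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Socket-level version of the telnet step: send a HEAD request, return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print(banner_findings(SAMPLE_RESPONSE))
```

In Apache, ServerTokens Prod and ServerSignature Off shrink what this report shows to the product name alone.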
Instead Of

Telnet to a port.

Writing a socket level program

Ping
scott@companion:~$ ping www.scottstreit.com
PING www.scottstreit.com (74.103.6.161) 56(84)
bytes of data.
64 bytes from pool-74-103-6161.bltmmd.fios.verizon.net (74.103.6.161):
icmp_req=1 ttl=52 time=24.7 ms
We Use Nmap

What is good about Nmap?

Price.... Free

Runs on every system.

Around a long time – stable.

Defacto Standard.

Does a lot of things.
nmap
We can see what systems are up on a subnet.
We can see what ports are open.
We can see what tools are running on the open ports.
We don't have to fool around with TCP/IP.
Two Movies on nmap
Let's watch two youtube videos on nmap.
Lab

Tell me what is running on my machine.

Www.scottstreit.com

Do it two ways.

First telnet port HEAD port 80.

Telnet www.scottstreit.com 80
–
HEAD

Then do an nmap on my box.

Tell me what is running.

Tell me what hosts are up on our 10. subnet.

Use your backtrack instance Google it.
Let's Simulate nmap
scott@companion:~$ telnet www.scottstreit.com
80
Trying 173.59.254.127...
Connected to www.scottstreit.com.
Escape character is '^]'.
head
<!DOCTYPE HTML PUBLIC "-//IETF//DTD
HTML 2.0//EN">
<html><head>