ee579t network security 6: vulnerability assessment

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #1

EE579TNetwork Security

6: Vulnerability Assessment

Prof. Richard A. Stanley

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #2

Overview of Tonight’s Class

• Review last week’s lesson

• Look at network security in the news

• Vulnerability assessment

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #3

Last time...• SSL provides a means for secure transport layer

communications in TCP/IP networks

• SSL is a commonly used protocol, developed by Netscape, but ubiquitously used in browsers, etc.

• The key element of SSL is the handshake protocol

• SET not widely used for credit transactions, but the dual signature it introduced is useful

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #4

Security in the News

• T-Mobile security

• ChoicePoint

• DNS spoofing attacks

• Online banking--$90K sent to Latvia?

• Mydoom (again!)

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #5

What do all these security issues have in common?

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #6

Thought for the Day

“When computers (people) are networked, their power multiplies geometrically. Not only can people share all that information inside their machines, but they can reach out and instantly tap the power of other machines (people), essentially making the entire network their computer.”

Scott McNeely, CEO Sun Microsystems

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #7

Is this quote for real or is it for marketing?

• What is typical PC bus speed?

• What sort of network data transfer rates can be attained?

• What does this mean for the future of networked computing?

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #8

Risks and Vulnerabilities

• Risks are “just there”

• Vulnerabilities occur due to design choices we make along the way

• They are not the same thing!

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #9

Vulnerability Assessment

• What is it?

• Why do we care?

• Whose job is it?

• How good a job do we have to do?

• How can we describe vulnerabilities?– OVAL

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #10

Warning!

• In this lecture, we will discuss techniques for enumerating and attacking networks. This discussion is intended to help you understand how to protect networks, and is not a recommendation for or approval of this sort of activity.

• Under no circumstances should you scan or otherwise probe a network without the explicit authorization of its management. Doing so could violate U. S. Federal law (18 USC § 1030).

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #11

How To Rob a Bank

• Just walk in and demand the money– Where is the bank?– How do you know there is any money?– Where to park the getaway car?– Are there any guards or surveillance devices?– Will you need a disguise?– What kinds of things might go wrong?– What if they say “NO?”

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #12

Success Requires Planning

• Whether robbing a bank or breaching network security, you need to plan ahead

• Planning ahead is known as vulnerability assessment– Acquire the target (case the joint)– Scan for vulnerabilities (find the entry points)– Identify poorly protected data (shake the doors)

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #13

Information in Plain Sight

• Lots of valuable information is just lying around waiting to be used– telephone directories– company organization charts– business meeting attendee lists– promotional material

• The Internet has made having a company web page the measure of being “with it”

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #14

Target: FBI

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #15

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #16

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #17

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #18

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #19

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #20

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #21

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #22

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #23

?

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #24

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #25

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #26

You get the idea• There is a lot of information out there, and it is

readily available to anyone• Good intelligence usually consists of open

source material properly collated• Law enforcement used to have special access to

this sort of information--now it’s out on the ‘net• Network access speeds up the rate at which

good intelligence can be collected

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #27

Determine Your Scope

• Check out the target’s web page– physical locations– related companies or entities– merger/acquisition news– phone numbers, contact information– privacy or security policies– links to other related web servers– check the HTML source code

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #28

Refine Your Search

• Run down leads from the news, etc.– Search engines are a good way

• FerretSoft

• Dogpile

• Google

– Check USENET postings

– Use advance search capabilities to find links back to target

• Search on “worcester polytechnic security” gives ~ 32,400 hits

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #29

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #30

Use the Government

• EDGAR– SEC site (www.sec.gov/edgarhp.htm)– Search for 10-Q and 10-K reports– Try to find subsidiary organizations with

different names

• Think about what your organization has on databases available to the public

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #31

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #32

Zero In On The Networks

• InterNIC – http://www.internic.net/– Organization– Domain– Network– Point of contact

• www.networksolutions.com

• www.arin.net

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #33

Other Sources

• Sam Spade for Windows– freeware

• Netscan Tools – Single copy price = $249

• Ipswitch.com– WhatsUp Pro = $1,495

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #34

Query on Found Data

• POC– May be (often is) POC for other domains

• Query for email addresses -- here are a few from @wpi.edu (harder to do than earlier)

Amiji, Murtaza (MA3608) murti@WPI.EDU (508) 831-5395 Baboval, John (JBJ116) jbaboval@WPI.EDU XXX-XXXX Ballard, Richard (RBS722) rick@WPI.EDU 508-831-6731 Barnett, Glenn S (GSB14) rhythm@WPI.EDU (315)475-5920 Bartelson, Jon (JB12891) jonb@WPI.EDU (508) 831-5725 (FAX) (508) 831-5483 Berard, Keith (KB2414) keithb@WPI.EDU (508)754-4502 Blank, Karin (KBJ257) blankk@WPI.EDU 203-762-0532 Blomberg, Adam (AB5417) scarpa@WPI.EDU 508-755-7699

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #35

Query the DNS

• Insecure DNS configuration can reveal information that should be kept confidential

• Zone transfers are popular attack methodologies– nslookup often used– pipe output to a text file– review the text file at your leisure– select potential “good targets” based on data

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #36

Map Network Connectivity

• traceroute– Unix and Win/NT– tracert in NT for file name legacy reasons– Shows hops from router to destination

• Graphical tools exist, too– VisualRoute– www.visualroute.com

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #37

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #38

Detailed Scanning

• Network ping sweeps– Who is active?– Automated capabilities with some tools

• ICMP queries– Reveal lots of information on systems

• System time

• Network mask

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #39

Port Scanning

• Identify running services

• Identify OS

• Identify specific applications of a service

• Very popular

• Very simple

• Very dangerous

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #40

Port Scan Types• Connect Scan--completes 3-way handshake• SYN--should receive SYN/ACK• FIN--should receive RST on closed ports• Xmas tree--sends FIN, URG, PSH; should receive

RST for closed ports• Null--turns off all flags; target should send back

RST for closed ports

• UDP--port probably open if no “ICMP port unreachable” message received

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #41

Identify Running Services

• nmap

• netcat

• Udp_scan (and others from SATAN)

• Using SYN scan is usually stealthy

• Beware of DoS results

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #42

OS Detection

• Stack fingerprinting– Vendors interpret RFCs differently

• Example:– RFC 793 states correct response to FIN probe is none

– Win/NT responds with FIN/ACK

• Based on responses to specific probes, possible to make very educated guesses as to what OS running

– Nmap database so accurate, it is used in commerical products (e.g. eEye Retina scanner)

– Automated tools to make this easy!• Nmap (www.insecure.ord/nmap/)

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #43

Enumeration

• Try to identify valid user accounts on poorly protected resource shares, e.g. on Windows-based systems– net view

• lists domains on network

• can also list shared resources

– nltest -- identifies primary & backup domain controllers

– SNMP

– open a telnet connection

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #44

Automated, Graphical Tools

• Can trace network topology very accurately– ID machines by IP, OS, etc.– Makes attack much easier

• No shortage of possible tools– Frequent additions to list– One source:

http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #45

Actual Scan Results--Win2K

• Performed using Internet Security Scanner

• Part of the IIS suite of programs– Can scan NT/2000/XP and Unix systems– Runs only on NT/2000– Scan range (i.e., addresses) user settable– Sample vulnerability report

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #46

Many Other Scanners

• eEye Retina Scanner – http://www.eeye.com/html/resources/tours/retina/index.html

• Nessus– Unix-based system and network scanner

• NeWT– Windows port of Nessus with graphical front-

end– http://www.tenablesecurity.com/products/newt.shtml

• …and lots more. Google is your friend.

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #47

Summary

• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful

• There are three basic steps to planning, which is called vulnerability assessment:– Acquire the target (case the joint)

– Scan for vulnerabilities (find the entry points)

– Identify poorly protected data (enumeration)

• This applies if you are inside or outside the protected perimeter!

Spring 2005© 2000-2005, Richard A. Stanley

EE579T/6 #48

Homework - 1

1. Identify and describe how you would enumerate resources on a Unix network, similar to the discussion in class of enumeration on Windows/NT/2000/XP

2. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?