vulnerability scanning

Post on 22-Feb-2016



FORESEC Academy

VULNERABILITY SCANNING

FORESEC Academy Security Essentials (III)

Agenda

- Threat vectors
- Social Engineering
- Bypassing the firewall
- Tools that may be visiting your DMZ
- Network Mapping Tools and Vulnerability Scanners

Primary Threat Vectors

- Outsider attack from network
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malicious code

KaZaA

Designed for peer-to-peer file sharing on the Internet

Introduces security weaknesses
- Hole in a firewall
- Users give away network information
- A possible annoyance or DDoS tool

KaZaA - Firewall Subversion

1) A and B set up KaZaA Net

2) Firewall denies inbound TCP request

1) C connects to KaZaA Net

2) C’s request relayed to A

3) A connects to C through wall

Firewalls, Wireless Connections, and Modems

Social Engineering

Attempt to manipulate or trick a person into providing information or access

Bypass network security by exploiting human vulnerabilities

Vector is often outside attack by telephone or a visitor inside your facility

Social Engineering (2)

Human-based
- Urgency
- Third-person authorization

Computer-based
- Popup windows
- Mail attachments


Social Engineering Defense

Develop appropriate security policies

Establish procedures for granting access, etc., and reporting violations

Educate users about vulnerabilities and how to report suspicious activity

Tools that may be Visiting Your DMZ

- 3 famous Windows Trojans
- Open share scanners
- Jackal, Queso, and SYN/FIN
- Nmap and Hping
- Worms

Trojans

Trojans (2)

SubSeven Client

SubSeven EditServer

Trojans Review

Trojans can penetrate firewalls as email attachments

SubSeven is still one of the most common

Protective tools include: All major anti-virus tools, firewalls, personal firewalls

Network Mapping Tools

- Open share scanners – Legion
- Network Scanners – Jackal
- TCP Fingerprinting - Queso, and SYN/FIN
- Port Scanners - Nmap and Hping

Finding Unprotected Shares - Legion

Enter the Jackal 1997

Sons of Jackal Continue to be Seen

Source Port 0 and 65535

Queso and Friends

http://www.securityfocus.com/tools/144

Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states. Queso pattern is shown on the notes page.

Spoofed NetBIOS

06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)

TTL

In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how they cluster around 120. This is not expected behavior. This is also fixed in the Nmap 2.08 release that has a decoy function so that the decoy TTLs are random.

Analysis credit to Army Research Lab
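The TTL observation above can be turned into a detection check. The following is an added example, not part of the original slides: it parses trace lines laid out like the Spoofed NetBIOS slide and flags targets where several distinct sources arrive with nearly identical TTLs. The `(ttl N, id N)` suffix, the extra prober/host names, all sample values and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: same layout as the slide's trace, with a "(ttl N, id N)"
# suffix appended as an assumption about how the TTL would be logged.
SAMPLE = """\
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF) (ttl 120, id 4001)
06:50:02 proberB.1822 > 172.20.139.137.139: S 117300211:117300211(0) win 8192 (DF) (ttl 121, id 4002)
06:50:09 proberC.3310 > 172.20.139.137.139: S 880412007:880412007(0) win 8192 (DF) (ttl 119, id 4003)
06:50:15 proberD.2750 > 172.20.139.137.139: S 402118650:402118650(0) win 8192 (DF) (ttl 120, id 4004)
06:51:40 hostX.1045 > 172.20.139.137.80: S 51200033:51200033(0) win 16384 (DF) (ttl 52, id 9100)
06:51:44 hostY.2290 > 172.20.139.137.80: S 73100412:73100412(0) win 32120 (DF) (ttl 243, id 9101)
06:51:49 hostZ.3391 > 172.20.139.137.80: S 90044120:90044120(0) win 8760 (DF) (ttl 113, id 9102)
"""

# SYN lines only: "time src.sport > dst.dport: S ... (ttl N, ..."
LINE = re.compile(
    r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): S "
    r".*\(ttl (?P<ttl>\d+),"
)


def ttl_clusters(text, min_sources=3, max_spread=3):
    """Return {(dst, dport): (sources, ttls)} for targets hit by at least
    min_sources distinct sources whose TTLs lie within max_spread."""
    by_target = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # One TTL per source; retransmitted SYNs repeat the same value.
            target = (m["dst"], int(m["dport"]))
            by_target[target].setdefault(m["src"], int(m["ttl"]))
    findings = {}
    for target, ttls in by_target.items():
        values = sorted(ttls.values())
        # Unrelated hosts differ in initial TTL and hop count, so a tight
        # band across many "different" sources suggests a single origin.
        if len(ttls) >= min_sources and values[-1] - values[0] <= max_spread:
            findings[target] = (sorted(ttls), values)
    return findings


if __name__ == "__main__":
    for target, (sources, values) in ttl_clusters(SAMPLE).items():
        print(target, sources, values)
```

A tight TTL band can also come from real hosts that run the same OS at a similar hop distance, so a hit is a lead for correlation with other evidence rather than proof of spoofing.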

Nmap - Network Mapper

Freeware award winning network scanner.

Supports a large number of scanning techniques.

Numerous other features supported.
- Remote Operating System Detection
- Application Detection


nmapwin - Windows port

Hping - Spoofing Port Scanner

- Conceptually, a TCP version of "Ping".
- Sends custom TCP packets to a host and listens for replies
- Enables port scanning and spoofing simultaneously, by crafting packets and analyzing the return

Hping v2.0 - hping Enhanced

Uses hping crafted packets to:
- Test firewall rules
- Test net performance
- Remotely fingerprint OSes
- Audit TCP/IP stacks
- Transfer files across a firewall
- Check if a host is up

Worms

- Attack system through known holes.
- Automatically scan for more systems to attack.
- Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.