Introduction to Vulnerability Assessment Labs
Ge Zhang [email protected] Dvg-C03
Schedule
• 4 attacking methods
– Traffic sniffing
– ARP spoofing
– Password cracking
– Port scanning
• 1 defense method
– Firewall configuration
• 2 vulnerability assessment tools
– Nessus
– Bastille
• Summarizing report on what was learned (1-2 pages)
Environment
• 3 VM images (c:\VMware\valab-ht10\)
– Windows, Fedora (angel), Fedora (devil)
[Diagram: lab topology, the VM host machine connected to the VMs through hubs and a switch]
Sniffing
• Hub: a hub simply receives incoming packets and broadcasts them out to all devices on the network
• Adapter in promiscuous mode: the adapter receives all frames on the network, not just the frames addressed to it
[Diagram: a hub as a shared medium, like a Token Ring]
Wireshark
[Screenshot: capture options, with network interface selection, capture filters and display filters]
Wireshark
[Screenshot: stop capturing, captured datagrams, datagram analysis and datagrams in hex]
Sniffing practice
• Surf with the browser on the host machine
• Sniff the HTTP traffic using Wireshark on the VM
Hub vs. switch
• Hub: Layer 1 (physical), a shared medium (Token Ring-style)
• Switch: Layer 2 (data-link), a dedicated link per port
ARP (Address Resolution Protocol)
• MAC address (layer 2)
– Globally unique
– Unchangeable
• IP address (layer 3)
– Unique within the network
– Changeable
• ARP: IP address -> MAC address
• RARP: MAC address -> IP address
ARP spoofing (cache poisoning) on a switch
Hosts: 192.163.0.1 (AA), 192.163.0.2 (BB), 192.163.0.3 (CC), 192.163.0.4 (DD)
1. Host CC sends unsolicited replies: "I am 192.163.0.4, with mac address CC" to 192.163.0.1, and "I am 192.163.0.1, with mac address CC" to 192.163.0.4
2. 192.163.0.1 asks: "Who has the IP address 192.163.0.4? Tell 192.163.0.1 with mac: AA"
3. The poisoned caches now hold 192.163.0.4 -> CC (on 192.163.0.1) and 192.163.0.1 -> CC (on 192.163.0.4), so frames between the two hosts are delivered to CC
4. When the real host answers "I am 192.163.0.4, with mac address DD", the entry reverts to 192.163.0.4 -> DD; the poisoned entry only holds while the attacker keeps refreshing it
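The sequence above leaves two traces a defender can look for in captured ARP replies: one IP answering with two different MACs, and one MAC answering for two different IPs. The following detector is an added example, not part of the slides; it assumes replies have been extracted into lines of the form "<ip> is-at <mac>", and its sample log is constructed from the slide's scenario.

```shell
#!/bin/sh
# Added example (not from the slides): flag the two signatures the ARP
# poisoning diagram produces. Input lines are "<ip> is-at <mac>" (assumed
# format). The sample below is constructed from the slide's scenario: the
# legitimate AA entry, then CC claiming both victims, then the real DD reply.
ARP_LOG='192.163.0.1 is-at AA
192.163.0.4 is-at CC
192.163.0.1 is-at CC
192.163.0.2 is-at BB
192.163.0.4 is-at DD'

# Reads reply lines on stdin; prints one line per suspicious event.
detect_arp_conflicts() {
    awk '
    $2 == "is-at" {
        ip = $1; mac = $3
        # Signature 1: an IP that previously answered with one MAC now
        # answers with another (192.163.0.1: AA then CC; .4: CC then DD).
        if (ip in ip_mac && ip_mac[ip] != mac)
            printf "CHANGED %s %s -> %s\n", ip, ip_mac[ip], mac
        ip_mac[ip] = mac
        # Signature 2: one MAC answering for more than one IP, which is
        # what poisoning both ends of a conversation looks like (CC).
        if (mac in mac_ip && mac_ip[mac] != ip)
            printf "SHARED %s claims %s and %s\n", mac, mac_ip[mac], ip
        mac_ip[mac] = ip
    }'
}

# Runs the detector over the constructed sample; three events are reported.
scan_sample() {
    printf '%s\n' "$ARP_LOG" | detect_arp_conflicts
}
```

DHCP reassignments and hosts that legitimately answer for several addresses (routers, the VM host) trigger the same lines, so treat them as alerts to check against the known MAC list collected in the preparation step.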
Preparation
• ipconfig /all
• Let me know the last number of your IP address and your MAC address
• ping [hostname] -t
Cain
[Screenshot: scan MAC addresses, select interface, scanned results]
Cain
[Screenshot: ARP spoofing configuration, add the hosts to the list for spoofing]
• Spoof the ARP cache of these two hosts to intercept the conversation between them
Cain
[Screenshot: start ARP spoofing]
Password Cracking
• Authentication:
– Something you know
– Something you have
– Something you are
• Passwords need to be transferred
• Passwords need to be stored
Brute Force
• Attempts all possible combinations of letters and numbers
• Possible solutions
– Limit the number of unsuccessful logins
– Change passwords often
– The length should be at least 8 characters
Dictionary
• A type of brute force attack
• Only tries possibilities that are likely to succeed
• Lists are derived from dictionaries
• Possible solutions
– Mix and match numbers, letters, upper and lower case
– Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
John the Ripper
• Traditionally the account information is stored in the /etc/passwd file
• The /etc/passwd file is world-readable
• The shadow password system stores passwords in the file /etc/shadow, which is not world-readable
• unshadow /etc/passwd /etc/shadow > tmp
• less tmp (have a look)
• john tmp
• Then create your own account and password, and run "john" again to see the result
• useradd [your account]
• passwd [your account]
Port Scanning
• Attackers wish to discover services they can break into.
• Does the service exist? Send a packet to each port, one at a time.
– Based on the type of response, an attacker knows if the port is in use.
– The ports in use can be probed further for weaknesses.
• Well-known ports: tcp 21, tcp 22, tcp 23, tcp 80 …
Nmap
• -sT (scanning by TCP connections)
• -sS (SYN scanning)
• -sU (UDP scanning)
• -sV (Version detection)
• -O (OS fingerprinting)
• -T[0-5] (time interval)
• -f (fragmenting)
Nmap
• Zenmap: graphical interface
Firewall
• A set of related programs that protects the resources of a private network or a host from the external environment.
• A mechanism for filtering network packets based on information contained in the IP header.
IPtables
• 3 default chains
– INPUT: used to control packets entering the interface (packets destined for this machine)
– OUTPUT: used to control packets leaving the interface (packets originating from this machine)
– FORWARD: used to control packets being masqueraded or sent on to remote hosts
IPtables
• iptables command [match] [target]
• Command: -A, -I, -D, -F, -L
• Match: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port]
• Target: -j [ACCEPT/DROP/LOG…]
• Example:
– iptables -I INPUT -p ICMP -j DROP
– iptables -I INPUT -p ICMP --icmp-type 0 -j ACCEPT
– (-I inserts at the top of the chain, so the second rule is evaluated before the first: echo replies are accepted, all other ICMP is dropped)
• Our task: restrict all inbound traffic except SSH requests on port 22. Outgoing requests should not be affected.
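One way to solve the task, as an added example that is not part of the slides: a default DROP policy on INPUT, with connection-tracking so that replies to the host's own outgoing requests still get in. It assumes SSH listens on tcp/22 and the conntrack match is available; with DRY_RUN=1 it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example for the lab task (not from the slides): inbound SSH only,
# outbound untouched. Assumptions: SSH on tcp/22, conntrack available.
# DRY_RUN=1 prints each command instead of executing it.
IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ssh_only_inbound() {
    # 1. Start from an empty INPUT chain so old rules cannot shadow ours.
    run "$IPT" -F INPUT
    # 2. Never block loopback; local services depend on it.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # 3. Let replies to connections this host opened come back in. Without
    #    this, the host's own outgoing requests (web, DNS, updates) would be
    #    cut off by the default DROP below.
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. The single exposed service: new SSH connections on tcp/22.
    run "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # 5. Log a rate-limited sample of everything else (an Nmap scan of the
    #    host shows up here), then make DROP the chain's default policy.
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    run "$IPT" -P INPUT DROP
    # 6. Outbound stays open, as the task requires.
    run "$IPT" -P OUTPUT ACCEPT
}

# Number of rules the plan appends to INPUT (used by the self-check).
input_rule_count() {
    ( DRY_RUN=1; ssh_only_inbound ) | grep -c -- '-A INPUT'
}

# Verify afterwards with: iptables -L INPUT -n -v --line-numbers
if [ "${1:-}" = "--apply" ]; then
    ssh_only_inbound
fi
```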
Nessus
• Remote vulnerability scanner
• Nessus will
– Perform over 900 security checks
– Accept new plugins to expand the set of checks
– List security concerns and recommend actions to correct them
Nessus
• Client/server architecture
– Server (nessusd): performs the checks
– Client: front-end
• Can test an unlimited number of hosts in each scan
[Diagram: the Nessus client talks to the Nessus server (nessusd), which probes the targets' www, FTP and VoIP services]
Nessus
[Screenshots: Nessus]
Bastille
• Operating system hardening
– Remove unnecessary processes
– Set file permissions
– Patch and update
– Set network access controls
• Generate your own hardening policy
• Can be run manually to provide advice and information
Bastille
• Assessment mode: bastille -a
• Configuration mode: bastille -x