s c i e n c e a p p l i c a t i o n s i n t e r n a t i o n a l c o r p o r a t i o n open-source...

S C I E N C E A P P L I C A T I O N S I N T E R N A T I O N A L C O R P O R A T I O N

Open-Source Network Open-Source Network Security ToolsSecurity Tools

Scanning/Securing/ExploitiScanning/Securing/Exploiting oh my.ng oh my.

Beyond Network Security…. We Build Peace of Mind 2

DisclaimerDisclaimer

The opinions expressed in this talk are just mine, and not the opinions of SAIC, nor ESS.

I have nothing against vendors, some of my best friends are vendors.

I was asked to do a talk on Open Source Network Security Tools, and not on commercial tools to avoid any vendor bias.

They made me do it.

I once saw a ghost cow in the road, honest.


AgendaAgenda

What is Open Source? Why should I care? Why no Commercial tools? What tools are available? What do they do? Where can I get them? Q&A


What’s OpenSource? What’s OpenSource? From From opensource.orgopensource.org

Open source doesn't just mean access to the source code. The distribution terms of open-source software must comply with the following criteria:

1. Free Redistribution

2. Source Code included/available

3. Derived Works allowed

4. Integrity of The Author's Source Code (patches/forks)

5. No Discrimination Against Persons or Groups

6. No Discrimination Against Fields of Endeavor

7. Distribution of License (no NDA)

8. License Must Not Be Specific to a Product

9. License Must Not Restrict Other Software

10.License Must Be Technology-Neutral


Why does it matter?Why does it matter?

Cost Open Source is free. Zero acquisition cost.

Security The source code is available for your review. Many eyes look at code. Find many bugs. Patch Often

Support Free – Web/Mailing-Lists/SIGs $$$ - Commercial sites/ OS vendors…


What about freeware / What about freeware / shareware / trialware etc.shareware / trialware etc.

"Freeware" should not be confused with "free software" (roughly, software with unrestricted redistribution) or "shareware" (software distributed without charge for which users can pay voluntarily).

“Shareware” Software that, like freeware, can be usually obtained (downloaded) and redistributed for free, but most often is under copyright and does legally require a payment in the EULA, at least beyond the evaluation period or for commercial applications.


Why not use commercial Why not use commercial products?products?

How much money do you have? Why not use these tools at home? At your sibling’s/nephew’s/parent’s house? Typically has higher resource needs.

But, has much better support. Better documentation. Nice shiny packaging.


Enough License talk, where’s Enough License talk, where’s the goods?the goods?

Categories of tools. Scanning – To find hosts/targets/details Accessing – To gauge security and baseline Securing – To protect the host. Exploiting – To pants the host. Deception – To deceive the attacker. Detection – To detect the attacker


Scanning (The Basics)Scanning (The Basics)Nmap – Network MapperNmap – Network Mapper

http://insecure.org OS Detection Application Detection High-Speed TCP/UDP scans IPv4 & IPv6 Supports Unix / Linux / BSD /

Mac OS X, and Windows Even works with Windows XP SP2! Extremely configurable and could be a talk by itself…

http://insecure.org/


Scanning for WirelessScanning for Wirelessdstumblerdstumbler

http://www.dachb0den.com/projects/dstumbler.html AP/SSID detection Detection of

weped networks beacon interval for aps maximum supported rate

Can crack WEP keys.

http://www.dachb0den.com/projects/dstumbler.html


Scanning (Advanced)Scanning (Advanced)Paketto Keiretsu 1.10Paketto Keiretsu 1.10

http://www.doxpara.com/paketto/ Scanrand, an unusually fast

network service and topology discovery system

Minewt, a user space NAT/MAT router

Linkcat, which presents a Ethernet link to stdio

Paratrace, which traces network paths without spawning new connections

Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three dimensional phase space.

http://www.doxpara.com/paketto/


Assessing Web SitesAssessing Web SitesNiktoNikto

http://www.cirt.net/code/nikto.shtml Web/CGI scanner Finds vulnerable CGI Can do IDS evasion Has over 2,600 checks.

$ nikto.pl –host 192.168.42.27 –verbose –web –output \> nikto80_192.168.42.27.html.rawNikto’s output provides notes on reasons why a finding may be a security risk:Target IP: 192.168.42.27Target Hostname: www.victim.comTarget Port: 80--------------------------------------------------------------------o Scan is dependent on "Server" string which can be faked,use -g to overrideo Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6co Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACEo Server allows PUT method, may be able to store files.o CONNECT method is enabled, server may act as a proxy or relays.o Server allows DELETE method, may be able to remove files.o Server allows PROPFIND or PROPPATCH methods, which indicatesDAV/WebDAV is installed. Both allow remote admin and have hadsecurity problems.o WebSTAR/4.2(Unix)mod_ssl/2.8.6OpenSSL/0.9.6c appears to be outdated(current is at least mod_ssl/2.8.7) (may depend on server version)o /public/ Redirects to 'http://www.foundstone.com/public', thismight be interesting...o robots.txt - This file tells web spiders where they can and cannotgo (if they follow RFCs). You may find interesting directories listedhere. (GET)o cgi-bin/htsearch?-c/nonexistant - The ht::/Dig install may let anattacker force ht://Dig to read arbitrary config files for itself.(GET)885 items checked on remote host

http://www.cirt.net/code/nikto.shtml


Assessing Websites (continued)Assessing Websites (continued)pavukpavuk

http://www.idata.sk/~ondrej/pavuk/ Not really assessment. Very effcient Web Spider Can copy content off sites Supports authentication SSL support FTP, HTTP, Gopher


Assessing Passwords Assessing Passwords hydrahydra

http://thc.org/thc-hydra/ Brute-Force Password Guesser Can run in parallel to improve performance. Is able to assess passwords in…

TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, Cisco AAA


Assessing Networks, Hosts, etc. Assessing Networks, Hosts, etc. Nessus – Security ScannerNessus – Security Scanner

http://nessus.org Uses NMap, Nikto, Hydra, Server supports Unix * Clients for Windows & Unix Has thousands of checks. Scriptable Attack language

If you don’t use it yet, you should.

http://nessus.org/


Assessing WirelessAssessing Wirelesskismetkismet

http://www.kismetwireless.net/ Manufacturer and model identification Runtime decoding of WEP packets for

known networks Network IP range detection Finds hidden SSIDs Detects wireless attacks Finds defaults configs.


Securing HostsSecuring Hostsp0f/pf/iptablesp0f/pf/iptables

p0f – Passive OS fingerprinting http://lcamtuf.coredump.cx/p0f.shtml Can work with pf/iptables to create special rules.

• Only Windows 2000 and newer can connect out• Restrict in-bound Windows SMTP to 1 per client.• Only allow OpenBSD SSH to firewall

pf – Berkely Packet Filter http://www.openbsd.org/faq/pf/

iptables – Linux IP Firewall http://www.netfilter.org/


Securing OS through HardeningSecuring OS through HardeningBastille Bastille

http://www.bastille-linux.org/ Tightens permissions Changes to secure defaults Removes unneeded services Enables better logging Locks down subsystems Is a slicer/dicer

Available for Linux, HP-UX, & Mac-OS.


Securing PasswordsSecuring PasswordsJohn the RipperJohn the Ripper

http://www.openwall.com/john/ Brute-forces local password files. Supports

most Unix password file types. Windows NT/2000/XP LanMan Hashes OpenVMS and SYSUAF.DAT AFS/Kerberos v4 TGT S/Key skeykeys files Netscape LDAP server passwords MySQL passwords


Securing Users/Roles (Advanced)Securing Users/Roles (Advanced)selinuxselinux

http://www.nsa.gov/selinux/ Security Enhanced Linux Establish MAC (Mandatory Access Controls)

Controls based on Objects not permissions. Root is not all powerful.

Allows compartmentalized controls. Really confusing for most mortals.


Exploiting Switched NetworksExploiting Switched NetworksEttercapEttercap

http://ettercap.sourceforge.net/ Enables the sniffing and capture of switched networks. ARP poisoning Man in the Middle Passive OS identification Password capture Passive Portmap


Exploiting EndUser MachinesExploiting EndUser MachinesMetasploitMetasploit

http://www.metasploit.com/ Framework for exploits Able to execute multiple options vs. a single vulnerability. 32 separate exploits 23 separate shellcodes


Deceptive ServicesDeceptive Servicesdtk – Deception ToolKitdtk – Deception ToolKit

http://www.all.net/dtk/dtk.html Pretend to run other services. Pretend to be other OS’s Prevent the attacker for gaining knowledge


Deceptive NetworksDeceptive Networkshoneydhoneyd

http://www.honeyd.org/ Simulates thousands of virtual hosts at the same time. Configuration of arbitrary services via simple

configuration file: Includes proxy connects. Passive fingerprinting to identify remote hosts. Random sampling for load scaling.

Simulates operating systems at TCP/IP stack level: Fools nmap and xprobe,

Simulation of arbitrary routing topologies: Subsystem virtualization:

Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc...


Detecting Network AttacksDetecting Network AttacksSnort with ACIDSnort with ACID

Snort – Network IDS http://www.snort.org/ Rules based detection of network threats.

Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

ACID – Web front-End to Snort http://acidlab.sourceforge.net/ Enables rapid queries Displays threats graphically Uses back-end DB


Detecting Network TrafficDetecting Network TrafficEtherealEthereal

http://www.ethereal.com/ Not really a Detection, but a GREAT sniffer! Decodes over 600 protocols

FTP, SMTP, ICMP, RIP,… Has statistical analysis tools Allows deep inspection of

network traffic


Detecting Compromised BoxesDetecting Compromised Boxeschkrootkitchkrootkit

http://www.chkrootkit.org/ Detects 56 different root-kits Detects unknown deletions and clean-ups Works on

Linux 2.0.x, 2.2.x and 2.4.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.5.2, Solaris 2.5.1, 2.6 and 8.0, HP-UX 11, Tru64 and BSDI.


So where can I get this stuff So where can I get this stuff easily?easily?

Many ISO images of bootable linux available. [P]rofessional [H]acker's [L]inux [A]ssault [K]it

• http://www.phlak.org Local Area Security

• http://www.localareasecurity.com/ Knoppix security tools distribution

• http://www.knoppix-std.org/

http://www.phlak.org/

http://www.phlak.org/

http://www.localareasecurity.com/

http://www.knoppix-std.org/

http://www.knoppix-std.org/


What about Windows?What about Windows?

Most tools have Windows versions Nmap, pavuk, ettercap,

Metasploit, etc.. Some are not Open-Source, but are

available for private use Nessus Windows Technology

• http://www.tenablesecurity.com/newt.html

Others will work under cygwin Linux/Unix for Windows http://www.cygwin.com/

http://www.tenablesecurity.com/newt.html

http://www.cygwin.com/


Questions?Questions?

This is when you complain that I did not include your favorite tool.

Or when you tell me what a great time you had.

S C I E N C E A P P L I C A T I O N S I N T E R N A T I O N A L C O R P O R A T I O N

Scott C. Kennedy

Chief Engineer, Secure Networking Engineering

4224 Campus Point Court

San Diego, CA 92121

858.826.3035


SANS 2003 Top 20 SANS 2003 Top 20 Vulnerabilities Vulnerabilities

Windows 1. Internet Information Server (IIS)

2. Microsoft SQL Server (MSSQL)

3. Windows Authentication (LANMAN)

4. Internet Explorer (IE)

5. Windows Remote Access Service

6. Microsoft Data Access Components (MDAC)

7. Windows Scripting Host (WSH)

8. Microsoft Outlook & Outlook Express

9. Windows Peer to Peer Sharing (P2P)

10.Simple Network Management Protocol (SNMP)

Unix/Linux1. BIND Domain Name System

(DNS)

2. Remote Procedure Call (RPC)

3. Apache Web Server

4. General Unix Authentication

5. Clear Text Services (Telnet/ftp/rsh)

6. Sendmail (SMTP)

7. Simple Network Management Protocol (SNMP)

8. Secure Shell (SSH)

9. Misconfiguration of Enterprise Services (NIS/NFS)

10.Open Secure Sockets Layer (OpenSSL)


SANS 2004 Top 20 SANS 2004 Top 20 Vulnerabilities Vulnerabilities

Windows

1. Web Servers & Services

2. Workstation Service

3. Windows Remote Access Service

4. Microsoft SQL Server (MSSQL)

5. Windows Authentication

6. Web Browsers

7. File Sharing Applications

8. LSASS Exposures

9. Mail Client

10. Instant Messaging

Unix/Linux1. BIND Domain Name System

(DNS)

2. Web Server

3. Authentication

4. Version Control Systems

5. Mail Transport Service

6. Simple Network Management Protocol (SNMP)

7. Open Secure Sockets Layer (OpenSSL)

8. Misconfiguration of Enterprise Services (NIS/NFS)

9. Databases

10. Kernel

s c i e n c e a p p l i c a t i o n s i n t e r n a t i o n a l c o r p o r a t i o n open-source...

Documents

source software

peace of mind

gauge security

commercial tools

t i o n s i n t e r

open source doesnt

free software

attacker slide