Vulnerability Scanning

FORESEC Academy Security Essentials (III)

Posted 22-Feb-2016 (uploaded by aric)

Page 1: Vulnerability Scanning

FORESEC Academy

Vulnerability Scanning: FORESEC Academy Security Essentials (III)

Page 2: Vulnerability Scanning

Agenda

- Threat vectors
- Social engineering
- Bypassing the firewall
- Tools that may be visiting your DMZ
- Network mapping tools and vulnerability scanners

Page 3: Vulnerability Scanning

Primary Threat Vectors

- Outsider attack from network
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malicious code

Page 4: Vulnerability Scanning

KaZaA

Designed for peer-to-peer file sharing on the Internet.

Introduces security weaknesses:
- Hole in a firewall
- Users give away network information
- A possible annoyance or DDoS tool

Page 5: Vulnerability Scanning

KaZaA - Firewall Subversion

Setup:
1) A and B set up KaZaA Net
2) Firewall denies inbound TCP request

Connection:
1) C connects to KaZaA Net
2) C’s request relayed to A
3) A connects to C through the firewall

Page 6: Vulnerability Scanning

Firewalls, Wireless Connections, and Modems

Page 7: Vulnerability Scanning

Firewalls, Wireless Connections, and Modems (continued)

Page 8: Vulnerability Scanning

Social Engineering

Attempt to manipulate or trick a person into providing information or access.

Bypass network security by exploiting human vulnerabilities.

Vector is often an outside attack by telephone or a visitor inside your facility.

Page 9: Vulnerability Scanning

Social Engineering (2)

Human-based:
- Urgency
- Third-person authorization

Computer-based:
- Popup windows
- Mail attachments

Page 10: Vulnerability Scanning

Social Engineering Defense

Develop appropriate security policies

Establish procedures for granting access, etc., and reporting violations

Educate users about vulnerabilities and how to report suspicious activity

Page 11: Vulnerability Scanning

Tools that may be Visiting Your DMZ

- 3 famous Windows Trojans
- Open share scanners
- Jackal, Queso, and SYN/FIN
- Nmap and Hping
- Worms

Page 12: Vulnerability Scanning

Trojans

Page 13: Vulnerability Scanning

Trojans (2)

Page 14: Vulnerability Scanning

SubSeven Client

Page 15: Vulnerability Scanning

SubSeven EditServer

Page 16: Vulnerability Scanning

Trojans Review

Trojans can penetrate firewalls as email attachments

SubSeven is still one of the most common

Protective tools include: all major anti-virus tools, firewalls, and personal firewalls

Page 17: Vulnerability Scanning

Network Mapping Tools

- Open share scanners – Legion
- Network scanners – Jackal
- TCP fingerprinting – Queso and SYN/FIN
- Port scanners – Nmap and Hping

Page 18: Vulnerability Scanning

Finding Unprotected Shares - Legion

Page 19: Vulnerability Scanning

Enter the Jackal (1997)

Page 20: Vulnerability Scanning

Sons of Jackal Continue to be Seen

Source Port 0 and 65535

Page 21: Vulnerability Scanning

Queso and Friends (http://www.securityfocus.com/tools/144)

Queso sends packets with unexpected code bit (TCP flag) combinations to determine the operating system of the remote computer. Currently, its authors claim to be able to distinguish over 100 OSes and OS states. The Queso pattern is shown on the notes page.

Page 22: Vulnerability Scanning

Spoofed NetBIOS

06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)

12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
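As an added defensive example (not part of the FORESEC slides), the following Python script parses tcpdump summary lines in the format of the Spoofed NetBIOS trace above and applies two checks drawn from the Jackal, Queso/SYN-FIN and NetBIOS slides: it groups SYNs that share source, destination and initial sequence number (repeats with one ISN are retransmissions of a single connection attempt rather than separate probes, and their spacing in seconds is reported), and it flags SYN/FIN and SYN/RST flag combinations together with the source ports 0 and 65535 named on the Jackal slide. The eight trace lines are copied from the slide; the two proberX lines, the host name proberX and the threshold of two repeats are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the eight tcpdump lines reproduced from the "Spoofed NetBIOS"
# slide, plus two CONSTRUCTED lines (hypothetical host proberX) added here to
# exercise the SYN/FIN and source-port checks from the Jackal/Queso slides.
TRACE = """\
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
13:02:10 proberX.0 > 172.20.216.29.139: S 1000:1000(0) win 1024
13:02:11 proberX.31337 > 172.20.216.29.139: SF 2000:2000(0) win 1024
"""

# Legacy tcpdump TCP summary format:
#   HH:MM:SS src.sport > dst.dport: FLAGS seq:seq(len) win N [(DF)]
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\w.\-]+?)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.\-]+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"
)

# Source ports called out on the "Sons of Jackal" slide.
SUSPECT_SOURCE_PORTS = {0, 65535}


def parse_trace(text):
    """Parse tcpdump summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["seq"] = int(rec["seq"]) if rec["seq"] is not None else None
        rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
        records.append(rec)
    return records


def syn_retransmit_groups(records, min_repeats=2):
    """Group pure SYNs by (src, sport, dst, dport, ISN).

    Packets that share all five values are retransmissions of one connection
    attempt. Returns {key: [seconds between successive repeats]} for groups
    with at least min_repeats packets (threshold chosen for this example).
    """
    groups = defaultdict(list)
    for r in records:
        if "S" in r["flags"] and "F" not in r["flags"] and r["seq"] is not None:
            key = (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
            groups[key].append(r["time"])
    result = {}
    for key, times in groups.items():
        if len(times) >= min_repeats:
            times.sort()
            result[key] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return result


def flag_anomalies(records):
    """Return (record, reason) pairs for illegal flag combinations and suspect source ports."""
    findings = []
    for r in records:
        f = r["flags"]
        if "S" in f and "F" in f:
            findings.append((r, "SYN and FIN set together (SYN/FIN scan signature)"))
        if "S" in f and "R" in f:
            findings.append((r, "SYN and RST set together"))
        if r["sport"] in SUSPECT_SOURCE_PORTS:
            findings.append((r, f"source port {r['sport']} (Jackal-style)"))
    return findings


if __name__ == "__main__":
    recs = parse_trace(TRACE)
    print(f"{len(recs)} packets parsed")
    for key, gaps in syn_retransmit_groups(recs).items():
        src, sport, dst, dport, seq = key
        print(f"retransmits {src}.{sport} -> {dst}.{dport} ISN {seq}: gaps {gaps}s")
    for r, reason in flag_anomalies(recs):
        print(f"anomaly {r['src']}.{r['sport']} -> {r['dst']}.{r['dport']}: {reason}")
```

Run against the slide's lines, the script shows that proberA's four packets and proberE.2038's three are two connection attempts with backoff gaps of 3, 6, 12 and 3, 6 seconds, not seven separate probes, which is the kind of grouping an analyst wants before counting scan events or correlating the TTLs discussed on the next slide.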

Page 23: Vulnerability Scanning

TTL

In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how they cluster around 120. This is not expected behavior. This is also fixed in the Nmap 2.08 release, which has a decoy function so that the decoy TTLs are random.

Analysis credit to Army Research Lab

Page 24: Vulnerability Scanning

Nmap - Network Mapper

Freeware award-winning network scanner.

Supports a large number of scanning techniques.

Numerous other features supported:
- Remote operating system detection
- Application detection

Page 25: Vulnerability Scanning

nmapwin - Windows port

Page 26: Vulnerability Scanning

Hping - Spoofing Port Scanner

Conceptually, a TCP version of Ping. Sends custom TCP packets to a host and listens for replies. Enables port scanning and spoofing simultaneously, by crafting packets and analyzing the return.

Page 27: Vulnerability Scanning

Hping v2.0 - hping Enhanced

Uses hping crafted packets to:
- Test firewall rules
- Test net performance
- Remotely fingerprint OSes
- Audit TCP/IP stacks
- Transfer files across a firewall
- Check if a host is up

Page 28: Vulnerability Scanning

Worms

Attack systems through known holes. Automatically scan for more systems to attack.

Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.