Open Source Security Tools
Alek Rollyson
DISCLAIMER DON'T BE STUPID...SERIOUSLY USE OF THESE TOOLS ON MACHINES NOT LEGALLY OWNED BY YOU COULD END UP PUTTING A NASTY MARK ON YOUR CRIMINAL RECORD
Please ask questions. In the interest of time, I'm going to automatically assume you're keeping up if you don't say anything.
Talk Overview
- Protocol Analyzing, Sniffers, Interceptors, Port Scanning
  o Wireshark, Ettercap, Nmap
- Vulnerability Assessment
  o OpenVAS (Nessus replacement)
- Pen Testing Tools
  o Metasploit Framework
- Password Crackers
  o John the Ripper, Ophcrack
- Wireless Security Tools
  o aircrack-ng, Kismet
- Honeypots
  o Kippo
- Security Focused Distributions
- Notes on Hardening
- Dispelling some bullshit
Protocol Analysis
- capture and analyze network traffic
  o promiscuous mode
- Wireshark is extremely popular and powerful

Wireshark
- uses pcap to capture packets
- capture ethernet, PPP and loopback traffic
- "knows" about different networking protocols and can display useful information about each
- use filters to find relevant data
- used to need special privileges, can run as normal user on most platforms now
- CLI interface: tshark
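To make the "uses pcap" and "use filters" bullets concrete, here is an added example (not from the talk and not Wireshark's or libpcap's code) that builds a tiny three-packet capture in memory, walks the classic pcap file format (global header plus per-record headers, either byte order), decodes Ethernet/IPv4/TCP, and applies the equivalent of a `tcp.dstport == N` display filter. All addresses, ports and the frames themselves are constructed sample data.

```python
import struct
from typing import Iterator, List, Optional

# Constructed sample, not a real capture: a three-packet pcap file built in memory.
# Each frame is Ethernet + IPv4 + TCP SYN with no payload and zeroed checksums.
PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same four bytes read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP SYN frame for the sample capture."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,   # ver/ihl, tos, total len, id, frag, ttl, proto=TCP, csum
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # flags=SYN
    return eth + ip_hdr + tcp_hdr


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialize frames into the classic libpcap file format (little-endian)."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return global_hdr + b"".join(records)


SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.0.5", "10.0.0.1", 51000, 80),
    _ipv4_tcp_frame("10.0.0.5", "10.0.0.1", 51001, 443),
    _ipv4_tcp_frame("10.0.0.7", "10.0.0.1", 40022, 22),
])


def decode_frame(ts_sec: int, frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP headers; anything else is reported as 'other' or 'ip'."""
    rec = {"ts": ts_sec, "proto": "other"}
    if len(frame) < 34:
        return rec
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:             # not IPv4
        return rec
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length honours options
    rec["src"] = ".".join(str(b) for b in frame[26:30])
    rec["dst"] = ".".join(str(b) for b in frame[30:34])
    rec["proto"] = {6: "tcp", 17: "udp"}.get(frame[23], "ip")
    tcp_off = 14 + ihl
    if rec["proto"] == "tcp" and len(frame) >= tcp_off + 20:
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, tcp_off)
        rec["flags"] = frame[tcp_off + 13]
    return rec


def parse_pcap(data: bytes) -> Iterator[dict]:
    """Walk the pcap global header and per-packet records, handling both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield decode_frame(ts_sec, data[off:off + incl_len])
        off += incl_len


def filter_tcp(data: bytes, dport: Optional[int] = None) -> List[dict]:
    """Equivalent of the display filter 'tcp' or 'tcp.dstport == N'."""
    return [p for p in parse_pcap(data) if p["proto"] == "tcp" and (dport is None or p["dport"] == dport)]


if __name__ == "__main__":
    for pkt in filter_tcp(SAMPLE_PCAP):
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} flags=0x{pkt['flags']:02x}")
```

Pointing `parse_pcap` at the bytes of a file saved from Wireshark or `tshark -w` works the same way for plain Ethernet captures; pcapng, VLAN tags and IPv6 are deliberately out of scope here.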
Sniffing, Intercepting
- MITM - man in the middle
- Ettercap is highly regarded and very powerful

Ettercap
- use in promiscuous mode
- four modes (IP, MAC, ARP, PublicARP)
- can sniff encrypted traffic (SSH, HTTPS)
- password collectors for tons of protocols
- inject into an established connection
- hijack DNS
- alter/drop packets
- can detect other poisoners on the network
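The last bullet, detecting poisoners, is the defender's side of ARP-based MITM. As an added example (not Ettercap's code and not from the talk), the following keeps the IP-to-MAC table a host would learn from ARP replies and raises an alert when an IP suddenly answers from a different MAC or when one MAC claims several IPs, which is what poisoning the gateway and a victim looks like on the wire. The reply list is constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP reply observations, not a real capture: (sender IP, sender MAC).
# The first three are normal; the last two show a second MAC suddenly answering
# for the gateway and for a host.
SAMPLE_ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0A"),
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),
    ("192.168.1.10", "DE:AD:BE:EF:00:01"),
]


def detect_arp_conflicts(replies: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag IP->MAC changes and a single MAC answering for several IPs."""
    ip_to_mac: Dict[str, str] = {}
    alerts: List[Dict[str, str]] = []
    for ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"type": "ip_mac_change", "ip": ip, "old": prev, "new": mac})
        ip_to_mac[ip] = mac                    # a real tool would also record when it changed
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append({"type": "mac_multi_ip", "mac": mac, "ips": ",".join(sorted(ips))})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(alert)
```

DHCP reassignments, NIC swaps and VRRP/HSRP failover also produce an IP-to-MAC change, so treat these alerts as something to correlate with the switch's port table rather than as proof of an attack on their own.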
Port Scanning
- self descriptive: designed to probe and scan for open ports
- Nmap is THE port scanner. Just use it

Nmap
- very comprehensive and smart
  o accounts for network conditions during the scan
- turned into a swiss army knife due to excellent community
  o OS fingerprinting
  o names and versions of running services
  o estimated uptime
  o presence of firewall
  o type of device
- new scripting engine (SoC project)
- Zenmap GUI available (also SoC project)
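The flip side of a port scanner is noticing one. Added here as an example that is not part of the talk: a small detector that reads firewall drop logs, groups them by source address and flags any source that touches many distinct destination ports inside a sliding time window. The log lines are constructed in iptables/UFW style, not taken from a real host, and the threshold and window are assumed tuning values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed firewall log lines (not from a real host): one source probes ten
# different ports within a few seconds, another source only ever retries 443.
SAMPLE_FW_LOG = """\
Jan 12 10:00:01 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 12 10:00:01 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 12 10:00:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 12 10:00:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 12 10:00:03 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.4 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 12 10:00:03 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 12 10:00:03 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40006 DPT=110 SYN
Jan 12 10:00:04 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40007 DPT=143 SYN
Jan 12 10:00:04 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40008 DPT=443 SYN
Jan 12 10:00:05 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40009 DPT=3389 SYN
Jan 12 10:00:05 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP SPT=40010 DPT=8080 SYN
Jan 12 10:03:15 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.4 PROTO=TCP SPT=51235 DPT=443 SYN
Jan 12 10:07:40 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.4 PROTO=TCP SPT=51236 DPT=443 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields wherever they appear on the line
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse_fw_log(text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, destination port) events by source address."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # year-less syslog stamp
        events[m.group(2)].append((ts, int(m.group(3))))
    return events


def detect_port_scans(text: str, window_seconds: int = 60, distinct_ports: int = 8) -> Dict[str, int]:
    """Return {source: max distinct ports seen in any window} for sources over the threshold."""
    suspects: Dict[str, int] = {}
    for src, evs in parse_fw_log(text).items():
        evs.sort()
        in_window: Counter = Counter()        # port -> hits currently inside the window
        start, best = 0, 0
        for ts, port in evs:
            in_window[port] += 1
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old_port = evs[start][1]     # slide the window forward, dropping old hits
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= distinct_ports:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_FW_LOG))
```

A slow scanner that spreads probes over hours will stay under the per-minute threshold, so the same count is worth running again with a much longer window and a lower port threshold.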
Vulnerability Assessments
- meant to be a one stop shop for discovering vulnerabilities in systems
  o port scanning, enumerator, web app scanner, exploit checks, default accounts and passwords, misconfigurations, DoS checks, etc.
- Nessus is huge in the industry (OpenVAS is the open source implementation)

Nessus / OpenVAS
- exploits published regularly as a "feed"
- attacks are written in NASL (Nessus Attack Scripting Language)
Penetration Testing Tools
- often used in conjunction with vulnerability scans to actively attempt to penetrate a system
- very broad term
- Metasploit Framework is becoming the de facto standard for vulnerability development

Metasploit Framework
- largest Ruby project in existence
- often new exploits will include a Metasploit module that includes full details of the exploit
- choose exploit -> check if exploit applies -> configure payload -> configure encoding to evade IDS -> execute the exploit
- includes an extensive shellcode and opcode database with full source code
Password Crackers
- two main modes
  o dictionary (rainbow tables)
  o brute force
- John the Ripper is probably the most popular

John the Ripper
- can auto detect password type
  o DES flavors, LM hash (MD5), SHA, Blowfish, Kerberos AFS
- can be fed rainbow tables
- pretty simple to use

Ophcrack
- cracks Windows LM hash passwords via rainbow tables
  o some basic tables provided
- live CD available
Honeypots
- valuable recon tool
- set up to look like a vulnerable machine, really used to divert attacks and possibly gather information
  o distraction tool
  o research attack methods
  o watch skiddies try and fail over and over; sometimes turns out to be pretty entertaining
- Kippo is a simple open source honeypot with recording capabilities
Security Distros
- BackTrack Linux
  o includes most of the tools we'll talk about tonight
  o one of the best (most up to date) security live CDs
  o latest release is 4r2
- Knoppix STD
  o used to be an excellent security live CD
  o now stagnant, unfortunately
- Damn Vulnerable Linux
  o pretty much exactly what it sounds like
  o designed to be easy to break, good for learning about vulnerabilities
- almost all of these tools are available in distribution repositories
Notes on Hardening
- mandatory vs. discretionary access control
- intrusion detection systems
- reduce your attack surface
  o close unneeded ports (port knocking)
  o disable unneeded services
- open source vs. proprietary
  o aka: security through obscurity = FAIL
- regular security auditing
- always be aware of social engineering
- use key login for SSH, disable password login
  o use a password for your key and protect it!
  o disable root login via SSH
- disable SMTP open relays
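The SSH bullets translate into a handful of sshd_config keywords, and "regular security auditing" means checking them again later. As an added example that is not from the talk, this audits an sshd_config text the way sshd itself reads it (first matching keyword wins, keys are case-insensitive, `Key value` and `Key=value` both accepted) and reports password login, root login and disabled public-key auth. The weak and hardened config fragments are constructed; the expected values reflect current OpenSSH keyword names, with the older `ChallengeResponseAuthentication` accepted as an alias of `KbdInteractiveAuthentication`.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sshd_config fragments (not from any real host).
WEAK_SSHD_CONFIG = """\
# a fairly default-looking sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

# (accepted keyword spellings, acceptable values); keywords are compared lower-cased
EXPECTED: List[Tuple[Tuple[str, ...], Set[str]]] = [
    (("permitrootlogin",), {"no", "prohibit-password"}),
    (("passwordauthentication",), {"no"}),
    (("pubkeyauthentication",), {"yes"}),
    (("kbdinteractiveauthentication", "challengeresponseauthentication"), {"no"}),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective value per keyword: sshd uses the first occurrence it sees."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break                          # keywords after a Match block are conditional; ignored here
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def _lookup(settings: Dict[str, str], names: Tuple[str, ...]) -> Optional[Tuple[str, str]]:
    for name in names:
        if name in settings:
            return name, settings[name]
    return None


def audit_sshd_config(text: str) -> List[str]:
    """Findings for settings that are missing or outside the accepted values."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for names, allowed in EXPECTED:
        found = _lookup(settings, names)
        if found is None:
            findings.append(f"{names[0]}: not set explicitly, relying on the compiled-in default")
        elif found[1].lower() not in allowed:
            findings.append(f"{found[0]}: is '{found[1]}', expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` and, on newer OpenSSH, the drop-ins under `sshd_config.d/` as well; `sshd -T` prints the fully resolved configuration and is the authoritative source when in doubt.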
Dispelling some bullshit
- upping password change frequency
  o not really that helpful, false sense of security
- good idea to write down passwords?
  o argument still going on about this
  o Bruce Schneier seems to think it's ok
- changing default ports doesn't really do much
  o auto scanners are patient b/c they're, well, machines
- hashing != encryption
- not broadcasting SSID doesn't really do much
  o neither does MAC black/whitelisting
- DON'T USE DICTIONARY WORDS IN PASSWORDS
  o use different passwords for sites!
- physical access = root
Dispelling more bullshit
- beware of unencrypted access points
  o free public wifi
- pay attention to those messages about server keys changing
- phishing can get anyone, even smart people
- Linux and OS X do have nasty attacks out there
  o just a matter of time, people
  o don't assume you're automatically secure
- DO NOT rely on Tor for confidentiality
  o malicious nodes are not unheard of
- don't let anyone convince you that they are omniscient just because they have a CISSP
- as mentioned before... security via obscurity == FAIL
- don't connect LOIC via hivemind, regardless of what people on the anonops IRC channel tell you