Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion.

Published byRoland Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion."— Presentation transcript:

1

2 Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion

3 Thinking about the concept We’re from South Africa: –Robbery on Atterbury Road in Pretoria –Electric fencing around my house From the insect world: –Acid bugs – “I don’t taste nice” –Electric eel Spy vs. spy: –Disinformation

4 Introduction Current trends in “assessment” space: –Technology is getting smarter –People are getting lazy –Good “hacker” used to be technically clever –Tool/scanner for every level of attack Perceptions: –Administrators are dumb, “hackers” are clever –Skill = size of your toolbox In many cases the mechanic’s car is always broken.

5 Types of defensive technology Robbery analogy: –Firewalls:Amour plated windows –IDS:Police –IPS:Driving away –Back Hack:Carry a gun in the car Fence analogy: –Firewalls:Walls –IDS:Police –IPS:Armed response –Back Hack:Trigger happy wife…

6 Raising the bar Raising the “cost” of an “assessment”: Attacking the technology, not the people Attacking automation; “lets move to the next target” Used to be: “Are you sure it’s not a honey pot?” Now: –Is YOUR network safe? –Are YOUR tools safe from attack? –Do YOU have all the service packs installed? –Do you measure yourself as you measure your targets?

7 Typical assessment methodology Foot printing Vitality Network level visibility Vulnerability discovery Vulnerability exploitation Web application assessment

8 Attacks Types: -Avoiding/Stopping individual attacks -Creating noise/confusion -Stopping/Killing the tool -Killing the attacker’s host/network Levels: -Network level -Network application level -Application level

9 Attacks Attack vectors: All information coming back to the attacker is under OUR control: –Packets (and all its features) –Forward & reverse DNS entries –Banners –Error codes, messages –Web pages Our data is used: Where the scanner reads the data Where the scanner stores the data Where the scanner renders the data

10 Attacks Disclaimer Legal Technical

11 Examples Foot printing: Avoiding DNS obfuscation Noise: “Eat my zone!” Stopping: Endless loop of forward entries Killing: Eeeevil named…

12 Examples Foot printing: Tools: Very basic – host, nslookup, dig Domains: not a lot we can do there.. DNS entries: forward, reverse, axfr, ns SensePost has some interesting foot printing tools…

13

14

15 Examples Network level: Avoiding Firewall Noise: honeyd & transparent reverse proxies –Random IPs alive –Random ports open –Traceroute interception/misdirection –Fake network broadcast addresses Stopping: ???..anyone? Killing: nmap with banner display?? (-sV) Where scanners deal with DNS

16 Examples Network level: Tools: Ping sweeps / vitality checkers Port scanners nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc.

17

18

19

20 Examples

21 Network application level Avoiding Patches, patches Noise: –Fake banners –Combined banners (to ^ or not to ^) –NASL (reverse) interpreter Stopping: –Chasing the time-outs using tarpits Killing: –Buffer overflows –Rendering of data – malicious code in HTML –Where data is inserted into databases –Scanners that use other scanners (e.g. using nessus,nmap)

22 Examples Network application level Tools: Shareware: Nessus, amap, httpprint, metaspoilt Commercial: ISS, Retina, Typhon, Foundscan, Qualys, Cisco

23 Examples

24

25

26 Application level & (web server assessment) Avoiding Application level firewall Noise: –On IPs not in use: Random 404,500,302,200 responses..but not enough to trigger Nikto Fooling Nessus’s no 404 plugin –Within the application Bogus forms, fields Pages with “ODBC connect error” See Saumil Shah’s PHP_Guard… Stopping: Spider traps, Human/browser detectors Killing: –“You are an idiot!” and other malicious HTML code –Bait files.. Admintool.exe and friends in /files, /admin

27 Examples Tools: Shareware: Nikto, Nessus, Whisker?, WebScarab, Exodus, Pharos, Spike, Httrack, Teleport pro Commercial: Sanctum Appscan, Cenzic Hailstorm, Kavado Scando, SPI Dynamics WebInspect, @stake webproxy

28 Examples

29

30 Armpits – defending against automation The story so far.. Operates on network level Acts as a proxy – typically on firewall Low overhead Uses Flash to create sessionIDs Uses cookies to track sessions Can be integrated with IPS

31 Examples Armpit1

32

33

34 Examples Armpit2 With IPS

35

36 Examples Content level Throwing bait to listeners Echelon type noise in email signatures Fake email addresses/conversations Traffic that bites back

37 Conclusion These techniques do not make your network safer? IPS is getting smarter –The closer to the application level they go, the more accurate they become. You should worry when administrators start thinking like hackers…

Download ppt "Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion."

Similar presentations

Intrusion Detection/Prevention Systems Charles Poff Bearing Point.

Intrusion Detection/Prevention Systems Charles Poff Bearing Point.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Forces that Have Brought the world to it’s knees over the centuries.

Forces that Have Brought the world to it’s knees over the centuries.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Rochester Institute of Technology Secure IT 2007 Security Auditing Course Development Rochester Institute of Technology Yin Pan

Rochester Institute of Technology Secure IT 2007 Security Auditing Course Development Rochester Institute of Technology Yin Pan
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Vulnerability Scanning at NU Robert Vance NUIT-Telecom & Network Services.

Vulnerability Scanning at NU Robert Vance NUIT-Telecom & Network Services.
1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.

1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.

Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

Similar presentations

Ads by Google