Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities.

Published byGeorge Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities."— Presentation transcript:

1 ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities

2 White Hat Agreement 6/14 ISA 3200 Summer 2010 2  Discuss applicability to this class  Will post

3 Learning Objectives  Name the common categories of vulnerabilities  Discuss common system and network vulnerabilities  Locate and access sources of information about emerging vulnerabilities  Identify the names and functions of the widely available scanning and analysis tools 6/14 ISA 3200 Summer 2010 3

4 Introduction  To maintain secure networks, information security professionals must be prepared to identify system vulnerabilities, whether by hiring system assessment experts or by conducting self-assessments using scanning and penetration tools  Network security vulnerability is defect in product, process, or procedure that, if exploited, may result in violation of security policy, which in turn might lead to loss of revenue, loss of information, or loss of value to the organization 6/14 ISA 3200 Summer 2010 4

5 Common Vulnerabilities Common vulnerabilities fall into two broad classes:  Defects in software or firmware  Weaknesses in processes and procedures 6/14 ISA 3200 Summer 2010 5

6 Defects in Software or Firmware  Buffer overruns (or buffer overflows) arise when quantity of input data exceeds size of available data area (buffer)  Injection attacks can occur when programmer does not properly validate user input and allows an attacker to include input that, when passed to a database, can give rise to SQL injection vulnerabilities  Network traffic is vulnerable to eavesdropping because a network medium is essentially an open channel 6/14 ISA 3200 Summer 2010 6

7 Defects in Software or Firmware (continued)  How can security professionals remain abreast of all the vulnerabilities?  First and perhaps foremost, they must know:  Organization’s security policies  Software and hardware the organization uses  Information security professionals should regularly consult these public disclosure lists:  Vendor announcements  Full disclosure mailing lists  CVE: the common vulnerabilities and exposures database 6/14 ISA 3200 Summer 2010 7

8 References 6/14 ISA 3200 Summer 2010 8  M. Howard, D. LeBlanc, J. Viega 24 deadly sins of software security  A catalog of problem areas  Anderson, Security Engineering  Methodologies to incorporate security into software development

9 Reporting Vulnerabilities 6/14 ISA 3200 Summer 2010 9  Vendor Announcements  Full disclosure lists  Bugtraq  http://www.securityfocus.com/ http://www.securityfocus.com/  Examine a page  Internet Storm Center  http://isc.sans.edu/

10 Vendor Announcements 6/14 ISA 3200 Summer 2010 10

11 BugTraq 6/14 ISA 3200 Summer 2010 11

12 Weaknesses in Processes and Procedures 6/14 ISA 3200 Summer 2010 12  Just as hazardous as software vulnerabilities  More difficult to detect and fix because they typically involve the human element  Often arise when policy is violated or processes and procedures that implement policy are inadequate or fail  To ensure security policy is implemented, organizations should hold regular security awareness training and regularly review policies and their implementation Firewalls & Network Security, 2nd ed. - Chapter 4 Slide 12

13 Scanning and Analysis Tools  To truly assess risk within computing environment, technical controls must be deployed using strategy of defense in depth  Scanners and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network  Scanners, sniffers, and other such vulnerability analysis tools are invaluable because they enable administrators to see what attackers see 6/14 ISA 3200 Summer 2010 13

14 Scanning and Analysis Tools (continued)  Scanning tools are typically used as part of an attack protocol  Attack protocol is a series of steps or processes used by attacker, in logical sequence, to launch attack against target system or network  This may begin with a collection of publicly available information about a potential target, a process known as footprinting  Attacker uses public Internet data sources to perform searches to identify network addresses of the organization 6/14 ISA 3200 Summer 2010 14

15 Footprinting  Most important information for footprinting purposes is IP address range  Another piece of useful information is name, phone number, and e-mail address of the technical contact  This research is augmented by browsing the organization’s Web pages since Web pages usually contain information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks 6/14 ISA 3200 Summer 2010 15

16 Footprinting (continued)  To assist in footprint intelligence collection process, an enhanced Web scanner can be used that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses 6/14 ISA 3200 Summer 2010 16

17 Fingerprinting 6/14 ISA 3200 Summer 2010 17  http://ws.arin.net/whois http://ws.arin.net/whois  130.218.123.38  Note the name of the institution

18 Sam Spade 6/14 ISA 3200 Summer 2010 18  http://majorgeeks.com/Sam_Spade_d594.html http://majorgeeks.com/Sam_Spade_d594.html  Sam Spade is a general-purpose Internet utility package, with some extra features to help in tracing the source of spam and other forms of Internet harassment.  Sam Spade fetures include: ping - nslookup - whois - IP block - dig - traceroute finger - SMTP VRFY - web browser keep-alive - DNS zone transfer - SMTP relay check - Usenet cancel check - website download - website search - email header analysis - Email blacklist - query Abuse address

19 Sam Spade 6/14 ISA 3200 Summer 2010 19

20 Shared Folders 6/14 ISA 3200 Summer 2010 20  Setting up a folder on the host to be visible in a guest  Look in Network Neighborhood or Network Places  \\vmware-host\Shared Folders

21 Demo 6/14 ISA 3200 Summer 2010 21  SamSpade  Browse a web page  Crawl a web site  Turnkey lamp has a some files in directory build  Using Filezilla to upload to Lamp.

22 Fingerprinting  Next phase of attack protocol is data- gathering process called fingerprinting, a systematic survey of all of the target organization’s Internet addresses that is conducted to identify network services offered by hosts in that range  Fingerprinting reveals useful information about internal structure and operational nature of the target system or network 6/14 ISA 3200 Summer 2010 22

23 OS Detection 6/14 ISA 3200 Summer 2010 23  Xprobe  What does it mean we get a.tar file?

24 Port Scanners  Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as ports and services active on those computers, functions and roles the machines are fulfilling, and other useful information  The more specific the scanner is, the better and more useful the information it provides is, but a generic, broad-based scanner can help locate and identify rogue nodes on the network 6/14 ISA 3200 Summer 2010 24

25 Port Scanners (continued)  Port is a network channel or connection point in a data communications system  Within TCP/IP, TCP and UDP port numbers differentiate multiple communication channels used to connect to network services being offered on same device  In all, there are 65,536 port numbers in use for TCP and another 65,536 port numbers for UDP  Ports greater than 1023 typically referred to as ephemeral ports and may be randomly allocated to server and client processes 6/14 ISA 3200 Summer 2010 25

26 Port Scanners (continued)  Why secure open ports?  Open port is an open door and can be used by attacker to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device  The general policy statement is to remove from service or secure any port not absolutely necessary to conducting business 6/14 ISA 3200 Summer 2010 26

27 Some standard ports 6/14 ISA 3200 Summer 2010 27 PortService 20 and 21FTP 22SSH 23Telnet 25SMTP 80HTTP 443HTTPS 8080Various servers

28 Some Standard Ports 6/14 ISA 3200 Summer 2010 28  Which would be likely to be open on different types of systems?

29 Demo 6/14 ISA 3200 Summer 2010 29  Install and run NMap

30 Firewall Analysis Tools  Understanding exactly where organization’s firewall is located and what existing rule sets do are very important steps for any security administrator  Several tools that automate remote discovery of firewall rules and assist administrator (or attacker) in analyzing rules to determine exactly what they allow and what they reject 6/14 ISA 3200 Summer 2010 30

31 Firewall Analysis Tools (continued)  Administrators wary of using same tools attackers use should remember:  Regardless of the nature of the tool used to validate or analyze firewall’s configuration, it is the intent of the user that dictates how information gathered will be used  To defend a computer or network, it is necessary to understand ways it can be attacked; thus, a tool that can help close up an open or poorly configured firewall helps network defender minimize risk from attack 6/14 ISA 3200 Summer 2010 31

32 Operating System Detection Tools  Identifying target computer’s operating system is very valuable to attacker  Once the operating system is known, it is easy to determine all vulnerabilities to which it might be susceptible 6/14 ISA 3200 Summer 2010 32

33 Vulnerability Scanners  Passive vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software  Active vulnerability scanners scan networks for highly detailed information by initiating network traffic in order to identify security holes  These scanners identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers 6/14 ISA 3200 Summer 2010 33

34 Vulnerability Scanners (continued) 6/14 ISA 3200 Summer 2010 34

35 Demo 6/14 ISA 3200 Summer 2010 35  Install and run Nessus

36 Vulnerability Validation  Often, an organization requires proof that system is actually vulnerable to certain attacks  May require such proof to avoid having system administrators attempt to repair systems that are not broken or because they have not yet built satisfactory relationship with vulnerability assessment team  Class of scanners exists that exploit remote machine and allow vulnerability analyst (penetration tester) to create accounts, modify Web pages, or view data 6/14 ISA 3200 Summer 2010 36

37 Vulnerability Validation (continued) 6/14 ISA 3200 Summer 2010 37

38 Packet Sniffers  Network tool that collects copies of packets from network and analyzes them  Sometimes called a network protocol analyzer  Can provide network administrator with valuable information for diagnosing and resolving networking issues  In the wrong hands, sniffer can be used to eavesdrop on network traffic 6/14 ISA 3200 Summer 2010 38

39 Legalities 6/14 ISA 3200 Summer 2010 39  Be on a network that the organization owns  Be under direct authorization of the owners of the network  Have knowledge and consent of the content creators  All three conditions must be obtained to legally use a packet sniffer  Ref: Whitman et al.

40 Packet Sniffers (continued) 6/14 ISA 3200 Summer 2010 40

41 Demo 6/14 ISA 3200 Summer 2010 41  http://www.ethereal.com/ http://www.ethereal.com/  Work only on the private network  Setting the network options  Note that guest machines cannot access the internet  Watch some traffic while accessing turnkey lamp

42 Wireless Security Tools  Wireless connection, while convenient, has many potential security holes  Security professional must assess risk of wireless networks  Wireless security toolkit should include ability to sniff wireless traffic, scan wireless hosts, and assess level of privacy or confidentiality afforded on wireless network 6/14 ISA 3200 Summer 2010 42

43 Wireless Security Tools (continued) 6/14 ISA 3200 Summer 2010 43

44 Penetration Testing  Penetration test involves using all techniques and tools available to attacker in order to attempt to compromise or penetrate an organization’s defenses  Penetration testing can be performed by internal group (so called “red teams”) or outsourced to external organization  A variable of the penetration test, whether performed internally or outsourced, is amount of information provided to the red team 6/14 ISA 3200 Summer 2010 44

45 Penetration Testing (continued)  Three categories of testing:  Black box: red team is given no information whatsoever about the organization and approaches the organization as external attacker  Gray box: red team is given some general information about the organization such as general structure, network address ranges, software and versions  White box: red team has full information on the organization and its structure 6/14 ISA 3200 Summer 2010 45

46 Chapter Summary  To maintain secure networks, information security professionals must be prepared to systematically identify system vulnerabilities  Often done by performing self-assessment using scanning and penetration tools testing  Common vulnerabilities fall into two classes:  Defects in software or firmware  Weaknesses in processes and procedures 6/14 ISA 3200 Summer 2010 46

47 Chapter Summary (continued)  Information security professionals should regularly consult vendor announcements, full disclosure mailing lists, and the common vulnerabilities and exposures (CVE) database  To assess risk within a computing environment, network professionals must use tools such as intrusion detection systems (IDPS), active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (sniffers) 6/14 ISA 3200 Summer 2010 47

48 Chapter Summary (continued)  Many organizations use penetration test to assess their security posture on a regular basis  Penetration test team (red team) uses all techniques and tools available to attackers in order to attempt to compromise or penetrate an organization’s defenses 6/14 ISA 3200 Summer 2010 48

49 Demo 6/14 ISA 3200 Summer 2010 49  Install and run the NG scoring tool

50 Demo 6/14 ISA 3200 Summer 2010 50  Install and run Microsoft baseline security tool

Download ppt "ISA 3200 SUMMER 2010 Chapter 4: Finding Network Vulnerabilities."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.

Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.
Finding Network Vulnerabilities. 2 Objectives Define vulnerabilities Name the common categories of vulnerabilities Discuss common system and network vulnerabilities.

Finding Network Vulnerabilities. 2 Objectives Define vulnerabilities Name the common categories of vulnerabilities Discuss common system and network vulnerabilities.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Port Scanning.

Port Scanning.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 4: Security Baselines Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 4: Security Baselines Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google