welcome to all participants prof nb venkateswarlu hod, it, gvpcoe visakhapatnam...
Post on 26-Dec-2015
219 Views
Preview:
TRANSCRIPT
Welcome to All Participants
Prof NB Venkateswarlu
HOD, IT, GVPCOE
Visakhapatnam
venkat_ritch@yahoo.com
Let Me first Congratulate all the Organizers
First, You may have to Excuse me!!.
May be, I am the only odd man out!.
However, I am helpless. My Talk is a last minute adjustment. Neverthless, I am sure you will Enjoy.
Penetration Testing Tools: Linux Perspective
What I am going to Cover?
• Briefing general security threats
SQL Injections
Physhing
DNS hacking
SPAMS
BOTNETS
• Linux Security Aspects
• CERT-In Initiation under Ministry of Information Technology, Govt of India.
Most Noted Reasons
• Buffer overflows
• Format String problems
• Integer Overflows
• SQL Injections
• Command Injection
• Failure to handle errors
• Cross-site scripting
Most Noted Reasons - Cont
• Failure to protect network traffic
• Use of magic URL’s and hidden forms
• Improper use of SSL
• Use of weak password based systems
• Failure to store and protect data securely
• Information leakage
• Trusting network address resolution
Most Noted Reasons - Cont
• Improper file access
• Race conditions
• Unauthorised key exchange
• Failure to use cryptographically strng random numbers
• Poor usability
Defacement Statistics, Dec 2006
Cyber Insurance – US Statistics
• Premium Paid $100 millions
• Claims Paid $14 millions
How did he do it?
Social Engineering
Ex:
Our Mumbai server is down. Please click the standby server
SQL Injections
Let us consider the following line in an ASP script
Query=“select count(*) from users where UserName=‘” &userName&” ‘ and userPass=‘ “&password&”’”
Let Username as Ram and password as ‘ or 1=1 –
Now created SQL statement becomes:
Select count(*) from users where userName=‘Ram’ and userPass=‘’ or 1=1 –’
Thus checks for empty password
Similarly let username as:
‘having 1=1 –
Dsiplays users.UserName is invalid indicating table name and attribute name
Now username is
‘or users.userName like ‘admin%’ –
Now he can login as Admin!!
May give chance to run multiple SQL statements; For example username as:
‘or 1=1; drop table users; --
‘; shutdown with nowait; --
May give chance to run extended scripts:
‘exec master .. Xp_cmdshell ‘iisreset’; --
SQL Injection through URL
Physhing & Pharming
How Physhing works?
Monitoring bounced emails, account activity, call volumes,
password eqnuiries
SPAMS
• Search engines
• Addresses posted in public areas such as USENET
• Email directories, Yellow Pages
• Readymade lists (for sale!)
• Chat rooms
• Bruteforce attacks
Botenets
DDOS Attack
DDOS Attack
Botnets
How to tackle SPAMS
• Content based filtering
Pattern Matching
Hash Matching
Bayesian filtering
• Source address based filtering
Source Address Filtering
• White lists
• Block lists
• Reputation analysis
• Real time block hole lists
• Challenge-Response
How to STOP SPAM -Cont
• SMTP server Implementing• Should not relay unauthorized mails• Separate ports for submission and relay• Implement client authentication• Disable SMTP commands like VRFY• Prevent remote mails to local groups• Define max no of receipients per message• Reject NULL sender identity• Digital signatures
Educating People
Disable cross-site scripts, stop injected scripts
Mutual Authentication, Data destination block listing
Use trusted path
Password hashing, transaction authentication
Induce delays especially in financial institutions
DNS ATTACKS
DNS
Components of DNS
• DNS Zones
• DNS Name Space
• Resource Records
• Name Servers
DNS Name Space
Types of Name Servers
• Primary
• Secondary
• Caching
DNS Zone
• Contiguous portion of name space
• A name server can serve one or more zones
• A zone may have one or more zones
• Zone files for the zone only
• Forward lookup zone
• Reverse lookup zone
Resource records
• Name server
• Host
• Mail exchange
• Start of authority
• Canonical name
DNS query type
Recursive Query
Common DNS Attacks
• Foot printing
• Redirection
• DOS
• Data Modification/IP spoofing
• DNS cache posioning
• Where to be cautious?
• Host, Transactions, query and/responser
Countering DOS
• All Name servers should not be
In a single subnet
Behind a single router
On a single leased line
• Have offsite slave name server
• Restrict zone transfer
Countering IP Spoofing
• Turnoff recursion
• Restrict the addresses which name server responds
• Restrict the addresses which name server responds to recursive queries
Transaction Security (DNSEC)
Best Practices
• Provide redundant DNS services• Use separate servers for adv/resolving• Limit DNS interface access for resolution• Restrict zone replication• Restrict dynamic updates• Prevent cache corruption• Disable recursion• Turn off glue fetching• Filter traffic to DNS name server• Run services in less priveleged mode• Source address validation
• Don’t reply personal info. Ask in person. Visit the web sites in person.
• Dear Sir/Madam is suspicious. Dear Mr Rao probably ok.
• An exciting or upsetting statements doubtful such as work from home
• They ask for username, password etc
• Never fill email forms
• Regularly check your bank a/c
• Make sure your OS is up to date
• Javascript:alert(“The actual URL of tyhis site :” + location.protocol + “//” + location.hostname + “/”);
To browser bar
Use password hashing
Penetration Testing
• Discover Vulnerabilities
• Plan the attack vector
• Launch the attack
• Gain the access
• Exploitation
• Simulating SPAM, Mail Spoofing
• Gaining the shell
• Block box – No info is given to pen tester
• White box – Info is supplied
• Attacks
• Bruteforce, malicious code, eavesdropping, phishing,DoS
Pen test results
• Identified vulnerabilities
• Sources of the same
• Impact
• risk
Pen Test Vul Ass Auditing
Initial Info Limited Limited Full
Outcome Access List of Secure
to Network Vulnerabi. System
Location Inter/Exter External On Sys
Tine Medium Short Long
Linux Tools and Practices
Finger Printing
• Knowing OS
• OS version
• Other device names
• Database names etc
• Example TCP finger printing tools: nmap, queso, cheops
• telnet, finger, strobe, netcat, SATAN
• telnet hostname ftp - displays details
Finger printing - cont
• telnet hostname http
• Results
GET /scripts/..%255c../../..cmd.exe/…
Volume in drive C has no label
Volume Serial No
Linux Commands
• netstat –ltunp //List all listening ports
• netstat –atunp //Lists active connections
• rpcinfo //Lists all services
Host based IDS
• ISS – Realsecure Server Sensor
• Check host file system Consistency-TripWire, AIDE
• Tripwire can intimate through email and can be configured as cron
• To build database tripwire –init
• To check tripwire –check>error.txt
Bastile – To harden Linux
• Many Yes/No’s
Osiris – osiris.shmoo.com
• Osirisd [Host1]
• Osiris,osirismd [Trusted Host]
• Check Host network connections – BlackICE, PortSentry
• Check host log files: LogSentry, Swatch
Snort www.snort.org
• User can specify the pattern in the packets and actions
• Additional plug-ins can be specified for example to avoid subnet flooding etc.,
How do we know it is attacked?
• CPU utilization, disk activity, users login, file activity
• Protocol validation by comparing analysed traffic with RFC’s
• DOS (crashing some applications)
Removing services from /etc/rc.d/init.d
rm –rf servicename
Access Controls
• Set BIOS password • Set GRUB boot loader password through the following
steps a. Create a password hash by issuing the command
/sbin/grub md5 crypt b. Edit /boot/grub/grub.conf to add the following line after
timeout tag • password md5 <generated md5 hash> • Avoid booting into single user mode without root
password. Edit /etc/inittab and • add the following line after id:3:initdefault:
~~:S:wait:/sbin/sulogin
• Create a custom banner message in /etc/issue and /etc/issue.net
Example banner message: UNAUTHORISED ACCESS IS PROHIBITED
• Choose passwords that are complex to guess. Set password parameters (max. days, min. days, min. length etc.,) in /etc/login.defs
• Disable CTRL+ALT+DEL by commenting the line
ca::ctrlaltdel:/sbin/shutdown t3 r now in /etc/inittab
• Edit /etc/profile file and set TMOUT=3600. This will automatically timeout bash shell after 3600 seconds
• Restrict root login to only one tty and one vc. Edit /etc/securetty to comment out the lines tty2 to tty11 and vc/2 to vc/11
• Delete unnecessary system users and groups from /etc/passwd and /etc/group\
userdel <username> groupdel <groupname> • Following are some system users and
groups that can be deleted • Users: lp, sync, shutdown, halt, news,
gopher, operator, games, mail , uucp, ftp • Groups: lp, games, uucp, x. • Change default shell for users bin,
daemon, rpm, vcsa, nobody to /dev/null
File System Security
• Set the UMASK attribute in /etc/profile to 033 • Find world writable files and change the
permission if world writable permission is not required
find / perm 2 type f --print
chmod <permissions> <filename> • Find out hidden files and directories
find / name ``..'' --print --xdev
find / name ``.*'' --print --xev | cat --v
• Carefully check the files and keep a list of default hidden files for later on regular audit reference. If any of the files are not required remove them by
rm --rf <file name>
• If any world writable file is not required, set the sticky bit
chmod +t <file name>
• Find out the executables with SUID or SGID bit set and keep track of what they are so that administrator is aware of any changes.
find / type f \( perm 04000 o perm 02000 \) exec ls l {} \;
• Removable media nosuid and nodev option
• Edit /etc/fstab to mount /boot with nodev and read only option • Label=/boot /boot ext3 nodev,ro...... • mount cdrom and floppy with nosuid and nodev
option /dev/cdrom /mnt/cdrom udf,iso9660
nosuid,nodev,noauto,....... /dev/fd0 /mnt/floppy udf,iso9660
nosuid,nodev,noauto,...... • Remove the files with no user and no group
find / nouser --o --nogroup --exec rm --rf {}\;
• Use nosuid to partitions (defined in /etc/fstab) that are writable.
• Keep track of all the SUID/SGID files
Cryptographic File Systems (CFS), Transparent Cryptographic File
Systeminsmod loop.o/etc/fstab entry/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0dd if=/dev/vrandom of=/etc/cryptfile bs=1M
count=10Losetup –e xor /dev/loop0 /etc/cryptfileMkfs –t ext2 /dev/loop0Mount –t ext2 /dev/loop0 /mnt/cryptUmount /dev/loop0Losetup –d /dev/loop0
Change the permissions for the following files
• chmod 600 /etc/passwd
• chmod 600 /etc/shadow
• chmod 100 /bin/rpm
• chmod 100 /bin/tar
• chmod 100 /bin/gzip
• chmod 100 /bin/ping
• chmod 100 /bin/gunzip
• chmod 100 /bin/mount
• chmod 100 /bin/umount
• chmod 100 /usr/bin/gzip
• chmod 100 /usr/bin/gunzip
• chmod 100/usr/bin/who
• chmod 100 /usr/bin/lastb
• chmod 100 /usr/bin/last
• chmod 100 /usr/bin/lastlog
• chmod 100 /sbin/arping
• chmod 100 /usr/sbin/arping
• chmod 100 /usr/sbin/usernetctl
• chmod 100 /usr/sbin/traceroute
• chmod 400 /etc/syslog.conf
• chmod 400 /etc/hosts.allow
• chmod 400 /etc/hosts.deny
• chmod 400 /etc/sysconfig/syslog
• chmod 644 /var/log/wtmp
• chmod 644 /var/log/utmp
Change the attributes for the following files
• chattr +i /etc/passwd
• chattr +i /etc/shadow
• chattr +i /etc/services
• chattr +i /etc/gshadow
• chattr +i /etc/group
• chattr +i /etc/login.defs
• chattr +i /etc/init.d/
• chattr +i /etc/services
• chattr +i /etc/inittab
• chattr +i /etc/fstab
• chattr +i /usr/bin/who
• chattr +i /usr/bin/lastb
• chattr +i /usr/bin/last
• chattr +i /usr/bin/lastlog
• chattr +i /etc/syslog.conf
• chattr +i /etc/sysconfig/syslog
Set file system limits instead of allowing unlimited usage. Control the per user
limits using the resource limits file
/etc/security/limits.conf and a PAM module
For example, limits for group ‘users' might look like this:
@users hard core 5000 @users hard nproc 50 @users hard rss 5000 This says to limit the creation of core files,
restrict the number of processes to 50, and restrict memory usage per user to 5 MB
Incident Handling
• # Look for change in permission • -- World writable permissions • # find / perm 2 type f --print • -- Find SUID root files • # find / type f perm 04000 ls • -- Find GUID root files • # find / type f perm 02000 ls • -- Time stamp • # Find files access for last 1 day, 1 hr etc • # Find atime • # Ls --lautR
• # Check for promiscuous mode. • -- Ifconfig a • # Check for new user existence. • -- /etc/passwd • # Find list of open ports • -- nmap scan • -- Netstat l • # Current processes • -- Ps aux • # system calls by an executable. (Trojanoid Binaries) • -- ltrace, strace, trussCheck
• # Check for traffic in out • -- Ethereal, tcpdump etc • # Examine suspicious binaries • -- strings
• Incident Handling • # Presence of malicious code • -- Chkrootkit • # Checks for presence of rootkits • -- Tripwire
The Coroners tool kit
• # TCT is a collection of tools written with the • specific goal of gathering or analyzing • forensic information on a Un*x machine... • # Four major parts of TCT: • -- graverobber • -- the C tools (ils, icat, pcat, file, etc.) • -- unrm & lazarus • -- mactime
• graverobber v / • # Automated way of collecting forensic info • # Gathers, in order • -- Memory • -- Unallocated filesystem • -- netstat, route, arp, etc. • -- ps/lsof, capture all process data • -- stat & MD5 on all files, strings on directories • -- Config, log, interesting files (cron, at, etc.)
• graverobber
• # data capturing tool at the heart of TCT
• # runs various commands and records the
• output
• # captures by order of volatility
• # most effectively used when run as root
• over an entire filesystem
• # pcat Process CAT
• # ils Inode LS
• # icat Inode CAT
• # shell commands
Incident Handling DOS
• # SYN attack • -- monitoring number of TCP Connection in a • syn_rcvd state. • -- netstat --an --f |grep SYN_RCVD |wc --l • # Watch the value of the TcpHalfOpenDrop • parameter • -- netstat s P | grep tcpHalfOpenDrop
Syslog and SyslogNG
• The advantages of SyslogNG over Syslog are : • # ability to transport syslog messages over TCP • # filtering based on message contents • # logging of complete chain of forwarding
loghosts • (unlike regular syslog which will only record the • name of last step) • # support digital signatures and encryption. • # Can be run in a chrooted environment
Kernel Security
• Set the following kernel parameters echo 0 > /proc/sys/net/ipv4/tcp_syncookies echo 0 >
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
Add the following in the /etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog =4096
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.secure_redirects=0
net.ipv4.conf.eth0.forwarding =0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.defaults.send_redirects=0
Log Security • Add an entry in /etc/hosts file for the central syslogger . The entry
could be <ip address> loghost Change the default /etc/syslog.conf file with the following *.debug /var/log/messages kern.debug /var/log/kernel.log user.debug /var/log/user.log mail.debug /var/log/mail.log daemon.error,info,alert,notice /var/log/daemon.log auth.notice,crit,info /var/log/auth.log authpriv.debug /var/log/authpriv.log local2.notice,alert /var/log/sudo.log syslog.debug /var/log/syslog.log *.* @loghost
• Create btmp file in /var/log directory
touch /var/log/btmp
• Turn on accounting of processes
accton /var/log/pacct
Firewalls
• Packet Filtering
• Proxy Firewall
• Application gateway (screened-host firewall)
IPTables command optionsThere are three built-in tables in the Linux kernel's
netfilter, and each has built-in chains. the iptables command is used to configure these tables.1. filter – A table that is used for routing network packets. This is default table, and is assumed by iptables if the t parameter is not specified.
INPUT – Network packets that are destined for the server.
OUTPUT – Network packets that originate on the server.
FORWARD – Network packets that are routed through the server.
right.
2. nat – A table that is used for NAT. NAT is a method of translating internal IP address to external IP addresses.
PREROUTINGnetwork packets that can be altered when they arrive at the server.
OUTPUTNetwork packets that originate on the server
POSTROUTING – Network packets that can be altered
3.mangle – A table that is used for altering network packets.
INPUT – Network packets that are destined for the server.
OUTPUT – Network packets that originate on the server.
FORWARD – Network packets that are routed through the server.
PREROUTINGnetwork packets that can be altered when they arrive at the server.
POSTROUTING – Network packets that can be altered right before they are sent out.
Commands tell IPTables to perform a specific action, and only one command is allowed per iptables command string. Except for the help command, all commands are written in uppercase characters
Iptables Firewall
• The Network firewall security policy defines the access or level of access to the different services and applications. The methods to implement firewall rules are given below.
• Everything not specifically denied is permitted • Everything not specifically permitted is denied • Set the firewall policy to drop all packets as
defined in second method
iptables P INPUT DROP
iptables P OUTPUT DROP
iptables P FORWARD DROP
• Now depending upon the Firewall policy, administrator can define firewall rule sets to explicitly grant access to only permitted services or applications.
Allowing www
iptables A
INPUT p
tcp –dport www j
ACCEPTThis command appends a rule to the filter table since no table is defined with t. The rule is appended to the INPUT chain in the filter table, as noted by INPUT after A. This rule looks for packets where the protocol is tcp and the destination port is www service, or port 80 as listed in /etc/services file. The target for this rule is to let the packet pass through to its destination, which is accomplished by sending the packet to the ACCEPT target
Forwardingiptables AFORWARD ippp0 oeth0 mstate \stateESTABLISHED,RELATED jACCEPT
The lines above append (A) a new rule to the filter table to the forwarding chain (FORWARD) from the outside interface out to the internal interface where the packet's state is either a previously established connection or a related connection. As long as the default policy for the FORWARD chain is to DROP packets , a new connection from the outside will not match this rule and will be dropped.
Doing masquerading (NAT)iptables t
nat APOSTROUTING o
ppp0 jMASQUERADE
Or, where x.x.x.x is a valid static IP address on the external interface.
iptables tnat A
POSTROUTING oeth1 j
SNAT tox.x.x.x
• The first example matches all traffic that is going out on the outgoing interface. The target is MASQURADE which is used to do NAT on interfaces with dynamic IP addresses, such as ppp0 (dialup) interface.
iptables is being configured to allow the firewall to send ICMP echorequests (pings) and in turn, accept the expected ICMP echoreplies.
● set rules that allow telnet inside the network, but not outside iptables AOUTPUT picmp icmptypeechorequestjACCEPTiptables AINPUT picmp icmptypeechoreplyjACCEPT
iptables AOUTPUT ptcp destinationporttelnet d198.168.0.0 jACCEPTiptables AOUTPUT ptcp destinationporttelnet d! 198.168.0.0jREJECT
Integrity Checkers -- md5sum, sha1sum and Tripwire
• Port Scanners nmap
• Vulnerability Assessment nessus and SARA
• basesystem glib libuser rpmdb redhat • bash glib2 losetup Sed • beecrypt Glibc Lvm Setup • bzip2 Glibc common Makedev Setuptool • bzip2 libs Gpm Mingetty shadow utils • chkconfig Grep Mkinitrd Slang • comps 3es Grub Mktemp Slocate • coreutils Gzip Modutils Sysklogd • cracklib hwdata Mount SysVinit • cracklib dicts Info Ncurses Tar
Important Files/commands• crontabs initscripts Netconfig Termcap • cyrus sasl iproute net tools Tmpwatch • cyrus sasl md5 iptables newt Tzdata • db4 iputils openldap Usermode • dev Kbd openssl util linux • devlabel kernel pam vim common • diffutils kernel utils passwd vim minimal • e2fsprogs krb5 libs patch Which • elfutils libelf kudzu pcre Words • ethtool less popt Zlib • file libacl procps • filesystem libattr psmisc • findutils libgcc readline • gawk libstdc3 rootfiles • gdbm libtermcap rpm
Xlock & vlockIf you wander away from your machine from time to time, it is nice to be
able to "lock" your console so that no one tampers with or looks at your work. Two programs that do this are: xlock and vlock.
Xlock is a X display locker. It should be included in any Linux distributions that support X. Check out the man page for it for more options, but in general you can run xlock from any xterm on your console and it will lock the display and require your password to unlock.
vlock is a simple little program that allows you to lock some or all of the virtual consoles on your Linux box. You can lock just the one you are working in or all of them. If you just lock one, others can come in and use the console, they will just not be able to use your virtual TTY until you unlock it. vlock ships with Red Hat Linux, but your mileage may vary.
Of course locking your console will prevent someone from tampering with your work, but does not prevent them from rebooting your machine or otherwise disrupting your work. It also does not prevent them from accessing your machine from another machine on the network and causing problems.
Some Linux Tools useful for Penetration Testing
Nessus www.nessus.org
The premier Open Source vulnerability assessment tool Nessus is a remote security scanner forWindows, Linux, BSD, Solaris, and other Unices. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems
Hping www.hping.org
A network probing utility like ping on steroids hping3 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.
Dsniff http://naughty.monkey.org/~dugson
g/dsniff/A suite of powerful network auditing and penetration-testing
tools This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here.
LANGuard
A commercial network security scanner for Windows LANguard scans networks and reports information such as service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are outputted to an HTML report, which can be customised/queried. Apparently a limited free version is available for non-commercial/trial use.
SamSpade http://www.samspade.org/ssw/
SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more. Non-Windows users can enjoy online versions of many of their tools.
SAINT http://www.saintcorporation.com/sai
nt/Security Administrator's Integrated Network
Tool Saint is another commercial vulnerability assessment tool (like ISS Internet Scanner or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on UNIX. Saint used to be free and open source, but is now a commercial product.
Firewalk http://www.packetfactory.net/project
s/firewalk/Firewalk employs traceroute-like techniques
to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 --traceroute option.
Amap http://www.thc.org/releases.php
Amap (by THC) is a new but powerful scanner (finger printing) which probes each port to identify applications and services rather than relying on static port mapping.
Fragroute: IDS systems' worst nightmare
http://www.monkey.org/~dugsong/fragroute/ Fragroute intercepts, modifies, and rewrites egress traffic,
implementing most of the attacks described in the Secure Networks IDS Evasion paper. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Like Dsniff, and Libdnet, this excellent tool was written by Dug Song.
nmap http://www.insecure.org
A popular tool used for ports scaning and OS finger printing
Kernel Based Intrusion Detecting (LIDS)
• Preventing root users
• Preventing chanding iptables, ipchains
• Preventing direct port access, memory,
Security Enhanced Linux system
CERT-IN
• Charter "The purpose of the CERT-In is, to become the nation's
most trusted referral agency of the Indian Community for responding to computer security incidents as and when they occur ; the CERT-In will also assist members of the Indian Community in implementing proactive measures to reduce the risks of computer security incidents."
• Mission "To enhance the security of India's Communications and
Information Infrastructure through proactive action and effective collaboration."
CERT-In Mission
Alert – Advise - Assurance
National Information Security Assessment Program (NISAP)
• Mandatory compliance requirement
• Mandatory compliance efforts- ISMS standards
• Mandatory compliance verification
• Mandatory compliance reporting – to CERT-In
ADVISORY COMMITTEE• S.No.NameRole1.Shri. M. Madhavan Nambiar
Additional SecretaryDepartment Of Information TechnologyChairman
• 2.Shri. Ajeer VidyaJoint Secretary & Financial AdviserDepartment Of Information TechnologyMember
• 3.Prof. N. BalakrishnanChairmanDivision Of Information SciencesIndian Institute of ScienceMember
• 4.Dr. B. K. GairolaDeputy Director GeneralNational Informatics CentreMember
• 5.Dr. Gulshan RaiDirectorIndian Computer Emergency Response TeamMember Secretary
AUTHORITY• The CERT-In operates under the auspices of,
and with authority delegated by, the Department of Information Technology, Ministry of Communications & Information Technology, Government of India.
• The CERT-In shall work cooperatively with information officers and system administrators of various sectoral and organisational networks of its constituency.
• VULNERABILITY NOTES
• CERT-In Vulnerability Note CIVN-2007-07(31 January, 2007) Microsoft Word Unspecified String Handling Memory Corruption Vulnerability
• CERT-In Vulnerability Note CIVN-2007-06(29th January, 2007) Linux-PAM Login Bypass Security Vulnerability
• CERT-In Vulnerability Note CIVN-2007-05(18th January, 2007) Sun Java JRE GIF Image Processing Buffer OverflowVulnerability
• CERT-In Vulnerability Note CIVN-2007-04(11th January, 2007) Microsoft Windows Vector Markup Language Code Execution Vulnerability
• CERT-In Vulnerability Note CIVN-2007-03(11th January, 2007) Remote Code Execution and Denial of Service Vulnerabilities in Microsoft Outlook
• CERT-In Vulnerability Note CIVN-2007-02(11th January, 2007) Microsoft Excel Malformed Column Record, Palette Record, IMDATA Record and String Vulnerabilities
• CERT-In Vulnerability Note CIVN-2007-01(5th January, 2007) OpenOffice Integer and Buffer Overflow Vulnerabilities
cert-in.org.in Indian Computer Emergency Response
Team (CERT-In) Ministry of Communications and Information Technology Electronics Niketan 6, C.G.O. Complex New Delhi-110 003
What people are using in India
• Content filtering 39%
• Keyword Monitoring 28%
• Data Leak detection and prevention 25%
• IDS 23%
• Packet Filtering 15%
• Digital Rights Management SW 9%
IT – ACT 2000
• Section III - Certifying Authorities
• Public Key Infrastructure (PKI)
• CERT-In Vulnerability Note CIVN-2007-06Linux-PAM Login Bypass Security Vulnerability
• Original Issue Date: January 29, 2007
Severity Rating: High• System Affected
Linux-PAM 0.x • Overview • A vulnerability has been reported in Linux-PAM, which could be exploited by remote
attackers to compromise a vulnerable system. • Description• A vulnerabilities has been reported in Linux-PAM due to an error within the
"_unix_verify_password()" function in modules/pam_unix/support.c while handling passwords with a hash of "!!" or similar in "/etc/shadow" or "/etc/passwd".
Solution • Upgrade to Linux-PAM version 0.99.7.1
ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library
• CERT-In Advisory CIAD-2007-05Multiple Vulnerabilities in Xorg, Xfree86 and Kerberos
• Original issue date: January 16, 2007
Severity Rating: Medium• Systems Affected• X.Org X11 version 7.1 and prior • XFree86 version 4.6.99.15 and prior • MIT Kerberos V5 versions 1.4 through 1.4.4 • MIT Kerberos V5 versions 1.5 through 1.5.1
• Overview • Multiple vulnerabilities have been reported in Linux which could be exploited by remote attackers to execute commands on the affected
system. • Description • 1. X.Org X11 Render or XFree86 and DBE Extensions Multiple
Local Privilege Escalation Vulnerabilities (CVE-2006-6101 ,CVE-2006-6102 , CVE-2006-6103)• A vulnerability has been reported in X.Org and XFree86 X server
due to a memory corruption error in the "ProcRenderAddGlyphs()","ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" functions within the DBE extension, which could be exploited by remote attackers to execute arbitrary commands with "root" privileges via a specially crafted X protocol request.
• 2. Kerberos V5 Kadmind RPC Library Remote Code ExecutionVulnerability ( CVE-2006-6143 )
• A vulnerability has been reported in server side portion of RPC library used in Kerberos administration daemon “kadmind “ due to its failure to properly initialize pointers. An remote attacker could exploit the vulnerability by sending a crafted packets on the affected system to execute arbitrary code or cause denial of service attack.
• 3. Kerberos V5 Kadmind GSS-API Library Remote CodeExecution Vulnerability ( CVE-2006-6144 )
• A vulnerability has been reported in Kerberos due to memory management error in "mechglue" abstraction interface of the GSS-API library used in Kerberos administration daemon “kadmind “. An unauthenticated remote attacker could exploit the vulnerability by freeing uninitialized pointers to execute arbitrary code on the affected system.
• Solution • Apply appropriate patches suggested by vendor• Vendor Information • http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006
-002-rpc.txt http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-003-mechglue.txt
• CERT-In Vulnerability Note CIVN-2007-05Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability
• Original Issue Date: January 18, 2007
Severity Rating: High• Systems Affected • Sun JDK version 5.0 Update 9 and prior • Sun JRE version 5.0 Update 9 and prior • Sun SDK version 1.4.2_12 and prior • Sun JRE version 1.4.2_12 and prior • Sun SDK version 1.3.1_18 and prior • Sun JRE version 1.3.1_18 and prior • Overview • A vulnerabilities has been reported in Sun Java JRE (Java Runtime Environment), which could
be exploited by remote attackers to compromise a vulnerable system. • Description• A buffer overflow error has been reported in Sun Java Runtime Environment while processing
GIF images with a “width” property set to 0 (Zero), which could be exploited by remote attackers to execute arbitrary commands or to read/write local files on a vulnerable system by enticing a user to visit a specially crafted web page containing a malicious applet.
Security Testing Standard
• Document www.osstmm.org
top related