network security scanning tools

Post on 26-May-2015


Page 1: Network Security Scanning Tools

Science Applications International Corporation

Open-Source Network Security Tools

Scanning/Securing/Exploiting, oh my.

Page 2: Network Security Scanning Tools

Beyond Network Security…. We Build Peace of Mind 2

Disclaimer

The opinions expressed in this talk are just mine, and not the opinions of SAIC nor ESS.

I have nothing against vendors; some of my best friends are vendors.

I was asked to do a talk on Open Source Network Security Tools, and not on commercial tools, to avoid any vendor bias.

They made me do it.

I once saw a ghost cow in the road, honest.

Page 3: Network Security Scanning Tools

Agenda

• What is Open Source?
• Why should I care?
• Why no commercial tools?
• What tools are available?
• What do they do?
• Where can I get them?
• Q&A

Page 4: Network Security Scanning Tools

What's Open Source? (from opensource.org)

Open source doesn't just mean access to the source code. The distribution terms of open-source software must comply with the following criteria:

1. Free Redistribution

2. Source Code included/available

3. Derived Works allowed

4. Integrity of The Author's Source Code (patches/forks)

5. No Discrimination Against Persons or Groups

6. No Discrimination Against Fields of Endeavor

7. Distribution of License (no NDA)

8. License Must Not Be Specific to a Product

9. License Must Not Restrict Other Software

10. License Must Be Technology-Neutral

Page 5: Network Security Scanning Tools

Why does it matter?

Cost: Open Source is free. Zero acquisition cost.

Security: The source code is available for your review. Many eyes look at the code and find many bugs; patches come often.

Support: Free – Web/Mailing-Lists/SIGs; $$$ – Commercial sites / OS vendors…

Page 6: Network Security Scanning Tools

What about freeware / shareware / trialware etc.?

"Freeware" should not be confused with "free software" (roughly, software with unrestricted redistribution) or "shareware" (software distributed without charge for which users can pay voluntarily).

"Shareware": software that, like freeware, can usually be obtained (downloaded) and redistributed for free, but most often is under copyright and does legally require a payment in the EULA, at least beyond the evaluation period or for commercial applications.

Page 7: Network Security Scanning Tools

Why not use commercial products?

How much money do you have? Why not use these tools at home? At your sibling's/nephew's/parent's house? Commercial products typically have higher resource needs.

But they have much better support, better documentation, and nice shiny packaging.

Page 8: Network Security Scanning Tools

Enough license talk, where's the goods?

Categories of tools:

• Scanning – To find hosts/targets/details
• Assessing – To gauge security and baseline
• Securing – To protect the host
• Exploiting – To pants the host
• Deception – To deceive the attacker
• Detection – To detect the attacker

Page 9: Network Security Scanning Tools

Scanning (The Basics) – Nmap, Network Mapper

http://insecure.org

• OS detection
• Application detection
• High-speed TCP/UDP scans
• IPv4 & IPv6
• Supports Unix / Linux / BSD / Mac OS X, and Windows (even works with Windows XP SP2!)
• Extremely configurable and could be a talk by itself…

Page 10: Network Security Scanning Tools

Scanning for Wireless – dstumbler

http://www.dachb0den.com/projects/dstumbler.html

• AP/SSID detection
• Detection of WEP-enabled networks, beacon interval for APs, maximum supported rate
• Can crack WEP keys.

Page 11: Network Security Scanning Tools

Scanning (Advanced) – Paketto Keiretsu 1.10

http://www.doxpara.com/paketto/

• Scanrand, an unusually fast network service and topology discovery system
• Minewt, a user space NAT/MAT router
• Linkcat, which presents an Ethernet link to stdio
• Paratrace, which traces network paths without spawning new connections
• Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three-dimensional phase space.

Page 12: Network Security Scanning Tools

Assessing Web Sites – Nikto

http://www.cirt.net/code/nikto.shtml

• Web/CGI scanner
• Finds vulnerable CGI
• Can do IDS evasion
• Has over 2,600 checks.

    $ nikto.pl -host 192.168.42.27 -verbose -web -output > nikto80_192.168.42.27.html.raw

Nikto's output provides notes on reasons why a finding may be a security risk:

    Target IP:       192.168.42.27
    Target Hostname: www.victim.com
    Target Port:     80
    --------------------------------------------------------------------
    o Scan is dependent on "Server" string which can be faked, use -g to override
    o Server: WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c
    o Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
    o Server allows PUT method, may be able to store files.
    o CONNECT method is enabled, server may act as a proxy or relays.
    o Server allows DELETE method, may be able to remove files.
    o Server allows PROPFIND or PROPPATCH methods, which indicates DAV/WebDAV is installed. Both allow remote admin and have had security problems.
    o WebSTAR/4.2 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c appears to be outdated (current is at least mod_ssl/2.8.7) (may depend on server version)
    o /public/ Redirects to 'http://www.foundstone.com/public', this might be interesting...
    o robots.txt - This file tells web spiders where they can and cannot go (if they follow RFCs). You may find interesting directories listed here. (GET)
    o cgi-bin/htsearch?-c/nonexistant - The ht://Dig install may let an attacker force ht://Dig to read arbitrary config files for itself. (GET)
    885 items checked on remote host

Page 13: Network Security Scanning Tools

Assessing Websites (continued) – pavuk

http://www.idata.sk/~ondrej/pavuk/

• Not really assessment. Very efficient web spider
• Can copy content off sites
• Supports authentication
• SSL support
• FTP, HTTP, Gopher

Page 14: Network Security Scanning Tools

Assessing Passwords – hydra

http://thc.org/thc-hydra/

• Brute-force password guesser
• Can run in parallel to improve performance.
• Is able to assess passwords in… TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, Cisco AAA

Page 15: Network Security Scanning Tools

Assessing Networks, Hosts, etc. – Nessus, Security Scanner

http://nessus.org

• Uses Nmap, Nikto, Hydra
• Server supports Unix*
• Clients for Windows & Unix
• Has thousands of checks.
• Scriptable attack language

If you don't use it yet, you should.

Page 16: Network Security Scanning Tools

Assessing Wireless – kismet

http://www.kismetwireless.net/

• Manufacturer and model identification
• Runtime decoding of WEP packets for known networks
• Network IP range detection
• Finds hidden SSIDs
• Detects wireless attacks
• Finds default configs.

Page 17: Network Security Scanning Tools

Securing Hosts – p0f/pf/iptables

p0f – Passive OS fingerprinting, http://lcamtuf.coredump.cx/p0f.shtml. Can work with pf/iptables to create special rules:

• Only Windows 2000 and newer can connect out
• Restrict in-bound Windows SMTP to 1 per client.
• Only allow OpenBSD SSH to firewall

pf – Berkeley Packet Filter, http://www.openbsd.org/faq/pf/

iptables – Linux IP Firewall, http://www.netfilter.org/
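As an added example, not from the talk, the three rules above expressed as a pf.conf fragment. It assumes an OpenBSD pf whose passive OS fingerprinting is used through the "os" keyword (fingerprints come from /etc/pf.os, a database descended from p0f's); the interface names, the LAN prefix and the exact fingerprint labels are assumptions to check against the local pf.os.

```pf
# Added example, not from the talk: a pf.conf fragment for the three rules
# on the slide. Assumes OpenBSD pf with passive OS fingerprinting (the "os"
# keyword, fingerprints read from /etc/pf.os). Interface names, the LAN
# prefix and the fingerprint labels are assumptions; verify them locally.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Caveat: "os" matches only the TCP SYN that opens a connection, and a
# fingerprint can be forged, so treat these as policy filters, not identity.
# pf is last-match-wins, so the narrower pass rules override the blocks.

# Rule 1: only Windows 2000 and newer may connect out. Block every Windows
# fingerprint seen from the LAN, then allow the named versions through
# (add newer Windows labels present in /etc/pf.os as needed).
block in log on $int_if proto tcp from $lan os "Windows"
pass  in     on $int_if proto tcp from $lan os { "Windows 2000", "Windows XP" } \
      to any keep state

# Rule 2: inbound SMTP from Windows clients, one connection per source address.
pass in on $ext_if proto tcp from any os "Windows" to $ext_if port smtp \
     keep state (max-src-conn 1)

# Rule 3: only OpenBSD hosts may reach the firewall's own SSH service.
block in log on $ext_if proto tcp to $ext_if port ssh
pass  in     on $ext_if proto tcp from any os "OpenBSD" to $ext_if port ssh \
      keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f, and watch the logged blocks (pflog) for hosts whose fingerprint does not match what their operators claim.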

Page 18: Network Security Scanning Tools

Securing OS through Hardening – Bastille

http://www.bastille-linux.org/

• Tightens permissions
• Changes to secure defaults
• Removes unneeded services
• Enables better logging
• Locks down subsystems
• Is a slicer/dicer

Available for Linux, HP-UX, & Mac OS.

Page 19: Network Security Scanning Tools

Securing Passwords – John the Ripper

http://www.openwall.com/john/

• Brute-forces local password files.
• Supports most Unix password file types, Windows NT/2000/XP LanMan hashes, OpenVMS and SYSUAF.DAT, AFS/Kerberos v4 TGT, S/Key skeykeys files, Netscape LDAP server passwords, MySQL passwords

Page 20: Network Security Scanning Tools

Securing Users/Roles (Advanced) – SELinux

http://www.nsa.gov/selinux/

• Security Enhanced Linux
• Establishes MAC (Mandatory Access Controls)
• Controls based on objects, not permissions. Root is not all-powerful.
• Allows compartmentalized controls.
• Really confusing for most mortals.

Page 21: Network Security Scanning Tools

Exploiting Switched Networks – Ettercap

http://ettercap.sourceforge.net/

• Enables the sniffing and capture of switched networks.
• ARP poisoning
• Man in the Middle
• Passive OS identification
• Password capture
• Passive Portmap

Page 22: Network Security Scanning Tools

Exploiting End-User Machines – Metasploit

http://www.metasploit.com/

• Framework for exploits
• Able to execute multiple options vs. a single vulnerability.
• 32 separate exploits
• 23 separate shellcodes

Page 23: Network Security Scanning Tools

Deceptive Services – dtk, Deception ToolKit

http://www.all.net/dtk/dtk.html

• Pretend to run other services.
• Pretend to be other OS's
• Prevent the attacker from gaining knowledge

Page 24: Network Security Scanning Tools

Deceptive Networks – honeyd

http://www.honeyd.org/

• Simulates thousands of virtual hosts at the same time.
• Configuration of arbitrary services via a simple configuration file; includes proxy connects.
• Passive fingerprinting to identify remote hosts.
• Random sampling for load scaling.
• Simulates operating systems at the TCP/IP stack level: fools nmap and xprobe.
• Simulation of arbitrary routing topologies.
• Subsystem virtualization: run real UNIX applications under virtual Honeyd IP addresses (web servers, ftp servers, etc.).

Page 25: Network Security Scanning Tools

Detecting Network Attacks – Snort with ACID

Snort – Network IDS, http://www.snort.org/

• Rules-based detection of network threats.
• Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

ACID – Web front-end to Snort, http://acidlab.sourceforge.net/

• Enables rapid queries
• Displays threats graphically
• Uses back-end DB

Page 26: Network Security Scanning Tools

Detecting Network Traffic – Ethereal

http://www.ethereal.com/

• Not really detection, but a GREAT sniffer!
• Decodes over 600 protocols: FTP, SMTP, ICMP, RIP,…
• Has statistical analysis tools
• Allows deep inspection of network traffic

Page 27: Network Security Scanning Tools

Detecting Compromised Boxes – chkrootkit

http://www.chkrootkit.org/

• Detects 56 different root-kits
• Detects unknown deletions and clean-ups
• Works on Linux 2.0.x, 2.2.x and 2.4.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x, NetBSD 1.5.2, Solaris 2.5.1, 2.6 and 8.0, HP-UX 11, Tru64 and BSDI.

Page 28: Network Security Scanning Tools

So where can I get this stuff easily?

Many ISO images of bootable Linux are available:

• [P]rofessional [H]acker's [L]inux [A]ssault [K]it – http://www.phlak.org
• Local Area Security – http://www.localareasecurity.com/
• Knoppix security tools distribution – http://www.knoppix-std.org/

Page 29: Network Security Scanning Tools

What about Windows?

• Most tools have Windows versions: Nmap, pavuk, ettercap, Metasploit, etc.
• Some are not Open-Source, but are available for private use: Nessus Windows Technology, http://www.tenablesecurity.com/newt.html
• Others will work under cygwin, Linux/Unix for Windows: http://www.cygwin.com/

Page 30: Network Security Scanning Tools

Questions?

This is when you complain that I did not include your favorite tool.

Or when you tell me what a great time you had.

Page 31: Network Security Scanning Tools

Science Applications International Corporation

Scott C. Kennedy
Chief Engineer, Secure Networking Engineering
4224 Campus Point Court
San Diego, CA 92121
858.826.3035

Page 32: Network Security Scanning Tools

SANS 2003 Top 20 Vulnerabilities

Windows

1. Internet Information Server (IIS)

2. Microsoft SQL Server (MSSQL)

3. Windows Authentication (LANMAN)

4. Internet Explorer (IE)

5. Windows Remote Access Service

6. Microsoft Data Access Components (MDAC)

7. Windows Scripting Host (WSH)

8. Microsoft Outlook & Outlook Express

9. Windows Peer to Peer Sharing (P2P)

10. Simple Network Management Protocol (SNMP)

Unix/Linux

1. BIND Domain Name System (DNS)

2. Remote Procedure Call (RPC)

3. Apache Web Server

4. General Unix Authentication

5. Clear Text Services (Telnet/ftp/rsh)

6. Sendmail (SMTP)

7. Simple Network Management Protocol (SNMP)

8. Secure Shell (SSH)

9. Misconfiguration of Enterprise Services (NIS/NFS)

10. Open Secure Sockets Layer (OpenSSL)

Page 33: Network Security Scanning Tools

SANS 2004 Top 20 Vulnerabilities

Windows

1. Web Servers & Services

2. Workstation Service

3. Windows Remote Access Service

4. Microsoft SQL Server (MSSQL)

5. Windows Authentication

6. Web Browsers

7. File Sharing Applications

8. LSASS Exposures

9. Mail Client

10. Instant Messaging

Unix/Linux

1. BIND Domain Name System (DNS)

2. Web Server

3. Authentication

4. Version Control Systems

5. Mail Transport Service

6. Simple Network Management Protocol (SNMP)

7. Open Secure Sockets Layer (OpenSSL)

8. Misconfiguration of Enterprise Services (NIS/NFS)

9. Databases

10. Kernel