Welcome to All Participants Prof NB Venkateswarlu HOD, IT, GVPCOE Visakhapatnam venkat_ritch@yahoo.com

Upload: laurel-brooks

Post on 26-Dec-2015


Page 1: Welcome to All Participants Prof NB Venkateswarlu HOD, IT, GVPCOE Visakhapatnam venkat_ritch@yahoo.com

Welcome to All Participants

Prof NB Venkateswarlu

HOD, IT, GVPCOE

Visakhapatnam

venkat_ritch@yahoo.com

Page 2:

Let me first congratulate all the organizers

Page 3:

First, you may have to excuse me!

Maybe I am the only odd man out!

Page 4:

However, I am helpless. My talk is a last-minute adjustment. Nevertheless, I am sure you will enjoy it.

Page 5:

Penetration Testing Tools: Linux Perspective

Page 6:

What am I going to cover?

• Briefing on general security threats
    SQL injections
    Phishing
    DNS hacking
    Spam
    Botnets

• Linux security aspects

• CERT-In initiatives under the Ministry of Information Technology, Govt of India.

Page 7:

Most Noted Reasons

• Buffer overflows

• Format String problems

• Integer Overflows

• SQL Injections

• Command Injection

• Failure to handle errors

• Cross-site scripting

Page 8:

Most Noted Reasons - Cont

• Failure to protect network traffic

• Use of magic URLs and hidden forms

• Improper use of SSL

• Use of weak password based systems

• Failure to store and protect data securely

• Information leakage

• Trusting network address resolution

Page 9:

Most Noted Reasons - Cont

• Improper file access

• Race conditions

• Unauthenticated key exchange

• Failure to use cryptographically strong random numbers

• Poor usability

Page 10:

Defacement Statistics, Dec 2006

Page 11:
Page 12:

Cyber Insurance – US Statistics

• Premiums paid: $100 million

• Claims paid: $14 million

Page 13:
Page 14:
Page 15:

How did he do it?

Social engineering

Example: "Our Mumbai server is down. Please click the standby server."

Page 16:

SQL Injections

Let us consider the following line in an ASP script, which builds the query by concatenating the user-supplied strings directly into the SQL text:

    Query = "select count(*) from users where UserName='" & userName & "' and userPass='" & password & "'"

Page 17:

Let the username be Ram and the password be:

    ' or 1=1 --

The SQL statement that gets built is:

    select count(*) from users where userName='Ram' and userPass='' or 1=1 --'

The 1=1 clause makes the condition true for every row and the -- comments out the trailing quote, so the check for an empty password is bypassed.

Page 18:

Similarly, let the username be:

    ' having 1=1 --

The server displays an error such as "users.UserName is invalid", revealing the table name and the attribute name.

Page 19:

Now the username is:

    ' or users.userName like 'admin%' --

Now he can log in as Admin!!

Page 20:

It may also give a chance to run multiple SQL statements; for example, a username of:

    ' or 1=1; drop table users; --

    '; shutdown with nowait; --

It may also give a chance to run extended stored procedures:

    ' exec master..xp_cmdshell 'iisreset'; --
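To see the bypass concretely, here is an added Python example (not from the slides) that rebuilds the ASP query from Page 16 over an in-memory SQLite table, runs the payloads from Pages 17 and 19 through it, and contrasts it with a parameterized query; the users table and its two rows are constructed for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo (not real data).
SAMPLE_USERS = [("Ram", "s3cret"), ("admin", "hunter2")]


def make_db():
    """Create an in-memory users table shaped like the one the slides query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (UserName TEXT, userPass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_vulnerable_query(user_name, password):
    """String concatenation exactly as in the ASP line on the slide."""
    return ("select count(*) from users where UserName='" + user_name +
            "' and userPass='" + password + "'")


def login_vulnerable(con, user_name, password):
    """Login check that trusts the concatenated SQL text."""
    query = build_vulnerable_query(user_name, password)
    return con.execute(query).fetchone()[0] > 0


def login_parameterized(con, user_name, password):
    """Same check with placeholders: input is bound as data, never parsed as SQL."""
    row = con.execute(
        "select count(*) from users where UserName=? and userPass=?",
        (user_name, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run the slides' payloads through both versions and collect the outcomes."""
    con = make_db()
    tautology = "' or 1=1 --"                            # password from Page 17
    admin_pick = "' or users.UserName like 'admin%' --"  # username from Page 19
    return {
        "query_text": build_vulnerable_query("Ram", tautology),
        "vuln_real_password": login_vulnerable(con, "Ram", "s3cret"),
        "vuln_tautology": login_vulnerable(con, "Ram", tautology),
        "vuln_admin_pick": login_vulnerable(con, admin_pick, "anything"),
        "safe_tautology": login_parameterized(con, "Ram", tautology),
        "safe_admin_pick": login_parameterized(con, admin_pick, "anything"),
        "safe_real_password": login_parameterized(con, "admin", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stacked-statement payloads from Page 20 are not reproduced here because sqlite3's execute() refuses more than one statement per call, which is itself a useful property of a database API.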

Page 21:

SQL Injection through URL

Page 22:

Phishing & Pharming

Page 23:

How does phishing work?

Page 24:
Page 25:
Page 26:

Monitoring bounced emails, account activity, call volumes and password enquiries

Page 27:

SPAM – how addresses are harvested

• Search engines

• Addresses posted in public areas such as USENET

• Email directories, Yellow Pages

• Readymade lists (for sale!)

• Chat rooms

• Brute-force attacks

Page 28:

Botnets

Page 29:

DDoS Attack

Page 30:

DDoS Attack

Page 31:
Page 32:

Botnets

Page 33:
Page 34:
Page 35:
Page 36:
Page 37:
Page 38:

How to tackle SPAM

• Content-based filtering
    Pattern matching
    Hash matching
    Bayesian filtering

• Source address-based filtering

Page 39:

Source Address Filtering

• Whitelists

• Blocklists

• Reputation analysis

• Real-time blackhole lists

• Challenge-response

Page 40:

How to STOP SPAM – Cont

• SMTP server implementation:
    Should not relay unauthorized mails
    Separate ports for submission and relay
    Implement client authentication
    Disable SMTP commands like VRFY
    Prevent remote mails to local groups
    Define the max number of recipients per message
    Reject NULL sender identity
    Digital signatures

Page 41:

Educating People

Page 42:
Page 43:

Disable cross-site scripts, stop injected scripts

Page 44:

Mutual Authentication, Data destination block listing

Page 45:

Use trusted path

Page 46:
Page 47:

Password hashing, transaction authentication

Page 48:

Induce delays especially in financial institutions

Page 49:

DNS ATTACKS

Page 50:

DNS

Components of DNS

• DNS Zones

• DNS Name Space

• Resource Records

• Name Servers

Page 51:

DNS Name Space

Page 52:

Types of Name Servers

• Primary

• Secondary

• Caching

Page 53:

DNS Zone

• Contiguous portion of name space

• A name server can serve one or more zones

• A zone may have one or more zones

• Zone files for the zone only

• Forward lookup zone

• Reverse lookup zone

Page 54:

Resource records

• Name server

• Host

• Mail exchange

• Start of authority

• Canonical name

Page 55:

DNS query type

Page 56:

Recursive Query

Page 57:

Common DNS Attacks

• Footprinting

• Redirection

• DoS

• Data modification / IP spoofing

• DNS cache poisoning

• Where to be cautious? Hosts, transactions, queries and responses

Page 58:

Countering DoS

• All name servers should not be
    in a single subnet
    behind a single router
    on a single leased line

• Have an offsite slave name server

• Restrict zone transfers

Page 59:

Countering IP Spoofing

• Turn off recursion

• Restrict the addresses to which the name server responds

• Restrict the addresses for which the name server answers recursive queries

Page 60:

Transaction Security (DNSSEC)

Page 61:

Best Practices

• Provide redundant DNS services

• Use separate servers for advertising (authoritative) and resolving

• Limit DNS interface access for resolution

• Restrict zone replication

• Restrict dynamic updates

• Prevent cache corruption

• Disable recursion

• Turn off glue fetching

• Filter traffic to the DNS name server

• Run services in less privileged mode

• Source address validation

Page 62:
Page 63:
Page 64:

• Don't reply with personal info. Ask in person. Visit the web sites in person.

• "Dear Sir/Madam" is suspicious. "Dear Mr Rao" is probably OK.

• Exciting or upsetting statements, such as work-from-home offers, are doubtful

• They ask for username, password, etc.

• Never fill in email forms

Page 65:

• Regularly check your bank a/c

• Make sure your OS is up to date

• Paste the following into the browser address bar to display the actual URL of the site:

    javascript:alert("The actual URL of this site: " + location.protocol + "//" + location.hostname + "/");

• Use password hashing

Page 66:
Page 67:
Page 68:
Page 69:
Page 70:

Penetration Testing

• Discover Vulnerabilities

• Plan the attack vector

• Launch the attack

• Gain the access

• Exploitation

• Simulating SPAM, Mail Spoofing

• Gaining the shell

Page 71:
Page 72:

• Black box – no info is given to the pen tester

• White box – info is supplied

• Attacks

• Brute force, malicious code, eavesdropping, phishing, DoS

Page 73:

Pen test results

• Identified vulnerabilities

• Sources of the same

• Impact

• Risk

Page 74:
Page 75:

                  Pen Test             Vulnerability Assessment   Auditing
Initial info      Limited              Limited                    Full
Outcome           Access to network    List of vulnerabilities    Secure system
Location          Internal/External    External                   On system
Time              Medium               Short                      Long

Page 76:

Linux Tools and Practices

Page 77:

Fingerprinting

• Knowing the OS

• OS version

• Other device names

• Database names etc.

• Example TCP fingerprinting tools: nmap, queso, cheops

• telnet, finger, strobe, netcat, SATAN

• telnet hostname ftp – the service banner displays details

Page 78:

Fingerprinting – cont

• telnet hostname http

• Results:

GET /scripts/..%255c../../..cmd.exe/…

Volume in drive C has no label

Volume Serial No

Page 79:

Linux Commands

• netstat -ltunp   // list all listening ports

• netstat -atunp   // list active connections

• rpcinfo -p       // list all registered RPC services

Page 80:

Host-based IDS

• ISS – RealSecure Server Sensor

• Check host file system consistency – Tripwire, AIDE

• Tripwire can notify through email and can be run from cron

• To build the database: tripwire --init

• To check: tripwire --check > error.txt

Page 81:

Bastille – to harden Linux

• Many Yes/No questions

Page 82:

Osiris – osiris.shmoo.com

• osirisd runs on the monitored host [Host1]

• osiris and osirismd run on the trusted management host [Trusted Host]

• Check host network connections – BlackICE, PortSentry

• Check host log files: LogSentry, Swatch

Page 83:
Page 84:

Snort – www.snort.org

• The user can specify the pattern to look for in packets and the actions to take

• Additional plug-ins can be specified, for example to avoid subnet flooding

Page 85:
Page 86:

How do we know the system is under attack?

• CPU utilization, disk activity, user logins, file activity

• Protocol validation by comparing analysed traffic with the RFCs

• DoS (crashing of some applications)

Page 87:

Removing services from /etc/rc.d/init.d

    rm -rf servicename

Page 88:

Access Controls

• Set a BIOS password

• Set a GRUB boot loader password through the following steps:
    a. Create a password hash by issuing the command
        /sbin/grub-md5-crypt
    b. Edit /boot/grub/grub.conf to add the following line after the timeout tag
        password --md5 <generated md5 hash>

• Avoid booting into single user mode without the root password. Edit /etc/inittab and add the following line after id:3:initdefault:
    ~~:S:wait:/sbin/sulogin

Page 89:

• Create a custom banner message in /etc/issue and /etc/issue.net
    Example banner message: UNAUTHORISED ACCESS IS PROHIBITED

• Choose passwords that are hard to guess. Set password parameters (max. days, min. days, min. length etc.) in /etc/login.defs

• Disable CTRL+ALT+DEL by commenting out the line
    ca::ctrlaltdel:/sbin/shutdown -t3 -r now
  in /etc/inittab

Page 90:

• Edit the /etc/profile file and set TMOUT=3600. This will automatically time out the bash shell after 3600 seconds of inactivity

• Restrict root login to only one tty and one vc. Edit /etc/securetty to comment out the lines tty2 to tty11 and vc/2 to vc/11

Page 91:

• Delete unnecessary system users and groups from /etc/passwd and /etc/group
    userdel <username>
    groupdel <groupname>

• Following are some system users and groups that can be deleted
    Users: lp, sync, shutdown, halt, news, gopher, operator, games, mail, uucp, ftp
    Groups: lp, games, uucp, x

• Change the default shell for the users bin, daemon, rpm, vcsa, nobody to /dev/null

Page 92:

File System Security

• Set the UMASK attribute in /etc/profile to 033

• Find world-writable files and change the permission if world-writable permission is not required
    find / -perm -2 -type f -print
    chmod <permissions> <filename>

• Find hidden files and directories
    find / -name ".." -print -xdev
    find / -name ".*" -print -xdev | cat -v

Page 93:

• Carefully check the files and keep a list of the default hidden files for later reference in regular audits. If any of the files are not required, remove them with
    rm -rf <file name>

• If any world-writable file is not required, set the sticky bit
    chmod +t <file name>

Page 94:

• Find the executables with the SUID or SGID bit set and keep track of what they are, so that the administrator is aware of any changes.
    find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

• Mount removable media with the nosuid and nodev options

Page 95:

• Edit /etc/fstab to mount /boot with the nodev and read-only options
    LABEL=/boot  /boot  ext3  nodev,ro......

• Mount cdrom and floppy with the nosuid and nodev options
    /dev/cdrom  /mnt/cdrom   udf,iso9660  nosuid,nodev,noauto,.......
    /dev/fd0    /mnt/floppy  udf,iso9660  nosuid,nodev,noauto,......

• Remove the files with no user and no group (the parentheses are needed so that -exec applies to both conditions, not only to -nogroup)
    find / \( -nouser -o -nogroup \) -exec rm -rf {} \;

Page 96:

• Use the nosuid option on partitions (defined in /etc/fstab) that are writable.

• Keep track of all the SUID/SGID files
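The find commands on Pages 92 to 95 can be exercised against a directory tree without running them as root. The following Python is an added example, not from the slides: audit_tree reimplements the same four checks (world-writable files, SUID/SGID executables, hidden names, files with no valid owner or group) over a subtree, and build_fixture creates a constructed directory with one file per condition; both function names and the fixture file names are assumptions of this example.

```python
import grp
import os
import pwd
import stat
import tempfile


def audit_tree(root, known_uids=None, known_gids=None):
    """Walk `root` and report what the hardening slides look for with find:
    world-writable regular files, SUID and SGID executables, hidden names,
    and files whose owner or group does not exist (find -nouser / -nogroup).
    Symlinks are skipped so their mode bits are not mistaken for the target's."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    findings = {"world_writable": [], "suid": [], "sgid": [], "hidden": [], "orphaned": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: keep going, as find does
            if name.startswith("."):
                findings["hidden"].append(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid not in known_uids or st.st_gid not in known_gids:
                findings["orphaned"].append(path)
            if stat.S_ISREG(st.st_mode):
                mode = stat.S_IMODE(st.st_mode)  # permission bits incl. setuid/setgid
                if mode & stat.S_IWOTH:
                    findings["world_writable"].append(path)
                if mode & stat.S_ISUID:
                    findings["suid"].append(path)
                if mode & stat.S_ISGID:
                    findings["sgid"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def build_fixture():
    """Create a constructed directory with one file per condition; return its path."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {
        "normal.txt": 0o644,   # nothing to report
        "loose.txt": 0o666,    # world-writable
        ".hidden": 0o600,      # hidden name
        "setuid-bin": 0o4755,  # SUID
        "setgid-bin": 0o2755,  # SGID
    }
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


def names(paths):
    """Basenames of a findings list, for readable reports."""
    return [os.path.basename(p) for p in paths]


if __name__ == "__main__":
    fixture = build_fixture()
    for key, paths in audit_tree(fixture).items():
        print(f"{key}: {names(paths)}")
```

Run against a real tree, audit_tree reports rather than deletes, so the output can be compared with the previous audit's list before anything is changed.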

Page 97:

Cryptographic File Systems (CFS), Transparent Cryptographic File System

    insmod loop.o

/etc/fstab entry:
    /dev/loop0  /mnt/crypt  ext2  user,noauto,rw,loop  0 0

    dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
    losetup -e xor /dev/loop0 /etc/cryptfile
    mkfs -t ext2 /dev/loop0
    mount -t ext2 /dev/loop0 /mnt/crypt
    umount /dev/loop0
    losetup -d /dev/loop0

(The xor transfer function of the old loop driver only obscures the data; it is not real encryption.)

Page 98:

Change the permissions for the following files

• chmod 600 /etc/passwd

• chmod 600 /etc/shadow

• chmod 100 /bin/rpm

• chmod 100 /bin/tar

• chmod 100 /bin/gzip

Page 99:

• chmod 100 /bin/ping

• chmod 100 /bin/gunzip

• chmod 100 /bin/mount

• chmod 100 /bin/umount

• chmod 100 /usr/bin/gzip

• chmod 100 /usr/bin/gunzip

Page 100:

• chmod 100 /usr/bin/who

• chmod 100 /usr/bin/lastb

• chmod 100 /usr/bin/last

• chmod 100 /usr/bin/lastlog

• chmod 100 /sbin/arping

• chmod 100 /usr/sbin/arping

• chmod 100 /usr/sbin/usernetctl

Page 101:

• chmod 100 /usr/sbin/traceroute

• chmod 400 /etc/syslog.conf

• chmod 400 /etc/hosts.allow

• chmod 400 /etc/hosts.deny

• chmod 400 /etc/sysconfig/syslog

• chmod 644 /var/log/wtmp

• chmod 644 /var/log/utmp

Page 102:

Change the attributes for the following files

• chattr +i /etc/passwd

• chattr +i /etc/shadow

• chattr +i /etc/services

• chattr +i /etc/gshadow

Page 103:

• chattr +i /etc/group

• chattr +i /etc/login.defs

• chattr +i /etc/init.d/

• chattr +i /etc/services

• chattr +i /etc/inittab

• chattr +i /etc/fstab

Page 104:

• chattr +i /usr/bin/who

• chattr +i /usr/bin/lastb

• chattr +i /usr/bin/last

• chattr +i /usr/bin/lastlog

• chattr +i /etc/syslog.conf

• chattr +i /etc/sysconfig/syslog

Page 105:

Set file system limits instead of allowing unlimited usage. Control the per-user limits using the resource limits file /etc/security/limits.conf and a PAM module

Page 106:

For example, limits for the group 'users' might look like this:

    @users hard core 5000
    @users hard nproc 50
    @users hard rss 5000

This says to limit the creation of core files, restrict the number of processes to 50, and restrict memory usage per user to 5 MB.

Page 107:

Incident Handling

• Look for changes in permissions
    World-writable permissions:
        find / -perm -2 -type f -print
    Find SUID root files:
        find / -type f -perm -04000 -ls
    Find SGID root files:
        find / -type f -perm -02000 -ls

• Time stamps
    Find files accessed in the last 1 day, 1 hr etc. (find -atime)
    List by access time:
        ls -lautR

Page 108:

• Check for promiscuous mode
    ifconfig -a

• Check for new user existence
    /etc/passwd

• Find the list of open ports
    nmap scan
    netstat -l

• Current processes
    ps aux

• System calls made by an executable (trojaned binaries)
    ltrace, strace, truss

Page 109:

• Check for traffic in/out
    Ethereal, tcpdump etc.

• Examine suspicious binaries
    strings

Incident Handling

• Presence of malicious code
    chkrootkit

• Checks for presence of rootkits
    Tripwire

Page 110:

The Coroner's Toolkit

• TCT is a collection of tools written with the specific goal of gathering or analyzing forensic information on a Un*x machine...

• Four major parts of TCT:
    grave-robber
    the C tools (ils, icat, pcat, file, etc.)
    unrm & lazarus
    mactime

Page 111:

• grave-robber -v /

• Automated way of collecting forensic info

• Gathers, in order:
    Memory
    Unallocated filesystem
    netstat, route, arp, etc.
    ps/lsof, capture all process data
    stat & MD5 on all files, strings on directories
    Config, log, interesting files (cron, at, etc.)

Page 112:

• grave-robber
    Data capturing tool at the heart of TCT
    Runs various commands and records the output
    Captures by order of volatility
    Most effectively used when run as root over an entire filesystem

Page 113:

• pcat – Process CAT

• ils – Inode LS

• icat – Inode CAT

• shell commands

Page 114:

Incident Handling – DoS

• SYN attack
    Monitor the number of TCP connections in the SYN_RCVD state:
        netstat -an -f inet | grep SYN_RCVD | wc -l
    Watch the value of the tcpHalfOpenDrop parameter:
        netstat -s -P tcp | grep tcpHalfOpenDrop
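As an added example (not part of the slides), the following Python turns the SYN_RCVD count above into a small detector: it parses netstat output, counts half-open connections per local port, reads the tcpHalfOpenDrop counter and raises an alert past a threshold. The netstat text is constructed for the demo in the Linux `netstat -an` column layout, and the parser accepts both the Linux SYN_RECV and the Solaris/BSD SYN_RCVD spelling; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed `netstat -an` excerpt (not a real capture): a burst of half-open
# connections to port 80 beside ordinary established sessions.
SAMPLE_NETSTAT_AN = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.168.1.20:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:40004      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.11:40005      SYN_RCVD
tcp        0      0 10.0.0.5:80             198.51.100.2:51000      ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed `netstat -s -P tcp` excerpt in the Solaris style the slide refers to.
SAMPLE_NETSTAT_S = """\
TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpHalfOpenDrop     =    17     tcpOutSackRetrans   =     0
"""

# Both spellings of the half-open state: Linux prints SYN_RECV, Solaris/BSD SYN_RCVD.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}


def half_open_connections(netstat_text):
    """Return (local, foreign) address pairs whose state is half-open."""
    pairs = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: Proto Recv-Q Send-Q Local Foreign State
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] in HALF_OPEN_STATES:
            pairs.append((fields[3], fields[4]))
    return pairs


def half_open_by_local_port(netstat_text):
    """Count half-open connections per local port (the service being flooded)."""
    counts = Counter()
    for local, _foreign in half_open_connections(netstat_text):
        counts[local.rsplit(":", 1)[1]] += 1
    return dict(counts)


def half_open_drops(netstat_s_text):
    """Extract the tcpHalfOpenDrop counter; None if the line is absent."""
    m = re.search(r"tcpHalfOpenDrop\s*=\s*(\d+)", netstat_s_text)
    return int(m.group(1)) if m else None


def syn_flood_check(netstat_text, netstat_s_text, threshold=3):
    """Alert when any single port holds more than `threshold` half-open
    connections, or when the kernel reports half-open drops at all."""
    per_port = half_open_by_local_port(netstat_text)
    drops = half_open_drops(netstat_s_text)
    suspect = {port: n for port, n in per_port.items() if n > threshold}
    return {
        "total_half_open": len(half_open_connections(netstat_text)),
        "per_port": per_port,
        "half_open_drops": drops,
        "alert": bool(suspect) or bool(drops),
        "suspect_ports": sorted(suspect),
    }


if __name__ == "__main__":
    print(syn_flood_check(SAMPLE_NETSTAT_AN, SAMPLE_NETSTAT_S))
```

The threshold is deliberately low for the demo; on a busy server it should be set from a baseline count taken during normal operation.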

Page 115:

Syslog and syslog-ng

• The advantages of syslog-ng over syslog are:
    Ability to transport syslog messages over TCP
    Filtering based on message contents
    Logging of the complete chain of forwarding loghosts (unlike regular syslog, which only records the name of the last step)
    Support for digital signatures and encryption
    Can be run in a chrooted environment

Page 116:

Kernel Security

• Set the following kernel parameters:
    echo 0 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Page 117:

Add the following in the /etc/sysctl.conf

net.ipv4.tcp_max_syn_backlog =4096

net.ipv4.conf.all.rp_filter =1

net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.secure_redirects=0

net.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.accept_source_route=0

Page 118:

net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.default.secure_redirects=0

net.ipv4.conf.eth0.forwarding =0

net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.default.send_redirects=0
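To verify a host against the /etc/sysctl.conf entries listed above, here is an added Python example (not part of the slides) that parses sysctl.conf text, compares it with the expected values from Pages 117 and 118 (with the two secure_redirects/send_redirects keys spelt in the all/default form the kernel accepts), and flags keys whose names are malformed, since a net.ipv4.conf.* key must name an interface, 'all' or 'default' or the line loads without effect. The sample configuration text and the interface list are constructed for the demo.

```python
import re

# Expected settings, as listed on the slides (Pages 117 and 118).
EXPECTED = {
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.eth0.forwarding": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
}

# Constructed sysctl.conf for the demo: one value wrong, two keys absent, and
# two keys misspelt in the way that silently does nothing on a real host.
SAMPLE_SYSCTL_CONF = """\
# Kernel hardening (constructed sample)
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.secure_redirects=0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.defaults.send_redirects=0
; comment in the other accepted style
"""

# Interfaces assumed present on the demo host; on a live system use
# os.listdir("/sys/class/net") instead.
DEMO_INTERFACES = ("eth0",)

CONF_KEY = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.([^.]+)$")


def parse_sysctl_conf(text):
    """Return {key: value} from sysctl.conf text, ignoring comments and blanks.
    Both 'key=value' and 'key = value' are accepted, as sysctl accepts them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def malformed_conf_key(key, interfaces=DEMO_INTERFACES):
    """True for net.ipv4.conf.* keys that lack the interface component
    (net.ipv4.conf.secure_redirects) or name one that does not exist
    (net.ipv4.conf.defaults.*). Other key families are not judged here."""
    if not key.startswith("net.ipv4.conf."):
        return False
    m = CONF_KEY.match(key)
    if m is None:
        return True
    return m.group(1) not in {"all", "default"} | set(interfaces)


def check_sysctl(text, expected=EXPECTED, interfaces=DEMO_INTERFACES):
    """Diff the parsed settings against the expected table."""
    settings = parse_sysctl_conf(text)
    return {
        "missing": sorted(k for k in expected if k not in settings),
        "wrong": {k: settings[k] for k in expected
                  if k in settings and settings[k] != expected[k]},
        "malformed": sorted(k for k in settings if malformed_conf_key(k, interfaces)),
    }


if __name__ == "__main__":
    for kind, result in check_sysctl(SAMPLE_SYSCTL_CONF).items():
        print(f"{kind}: {result}")
```

The file check only shows what will be applied at boot; compare it with the live values from /proc/sys as well, because a key set by hand is not reflected in the file.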

Page 119:

Log Security

• Add an entry in the /etc/hosts file for the central syslogger. The entry could be
    <ip address>  loghost

• Change the default /etc/syslog.conf file with the following:
    *.debug                           /var/log/messages
    kern.debug                        /var/log/kernel.log
    user.debug                        /var/log/user.log
    mail.debug                        /var/log/mail.log
    daemon.error,info,alert,notice    /var/log/daemon.log
    auth.notice,crit,info             /var/log/auth.log
    authpriv.debug                    /var/log/authpriv.log
    local2.notice,alert               /var/log/sudo.log
    syslog.debug                      /var/log/syslog.log
    *.*                               @loghost

Page 120:

• Create the btmp file in the /var/log directory
    touch /var/log/btmp

• Turn on process accounting
    accton /var/log/pacct

Page 121:

Firewalls

• Packet Filtering

• Proxy Firewall

• Application gateway (screened-host firewall)

Page 122:

IPTables command options

There are three built-in tables in the Linux kernel's netfilter, and each has built-in chains. The iptables command is used to configure these tables.

1. filter – A table that is used for routing network packets. This is the default table, and is assumed by iptables if the -t parameter is not specified.

    INPUT – Network packets that are destined for the server.
    OUTPUT – Network packets that originate on the server.
    FORWARD – Network packets that are routed through the server.

Page 123:

2. nat – A table that is used for NAT. NAT is a method of translating internal IP addresses to external IP addresses.

    PREROUTING – Network packets that can be altered when they arrive at the server.
    OUTPUT – Network packets that originate on the server.
    POSTROUTING – Network packets that can be altered right before they are sent out.

Page 124:

3. mangle – A table that is used for altering network packets.

    INPUT – Network packets that are destined for the server.
    OUTPUT – Network packets that originate on the server.
    FORWARD – Network packets that are routed through the server.

Page 125:

    PREROUTING – Network packets that can be altered when they arrive at the server.
    POSTROUTING – Network packets that can be altered right before they are sent out.

Commands tell iptables to perform a specific action, and only one command is allowed per iptables command string. Except for the help command, all commands are written in uppercase characters.

Page 126:

Iptables Firewall

• The network firewall security policy defines the access, or level of access, to the different services and applications. The methods to implement firewall rules are given below.

• Everything not specifically denied is permitted

• Everything not specifically permitted is denied

• Set the firewall policy to drop all packets, as defined in the second method:
    iptables -P INPUT DROP

Page 127: Welcome to All Participants Prof NB Venkateswarlu HOD, IT, GVPCOE Visakhapatnam venkat_ritch@yahoo.com

iptables P OUTPUT DROP

iptables P FORWARD DROP

• Now depending upon the Firewall policy, administrator can define firewall rule sets to explicitly grant access to only permitted services or applications.

Page 128:

Allowing www

iptables -A INPUT -p tcp --dport www -j ACCEPT

This command appends a rule to the filter table, since no table is specified with -t. The rule is appended to the INPUT chain in the filter table, as noted by INPUT after -A. This rule looks for packets where the protocol is tcp and the destination port is the www service, or port 80 as listed in the /etc/services file. The target for this rule is to let the packet pass through to its destination, which is accomplished by sending the packet to the ACCEPT target.

Page 129:

Forwarding

iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

The line above appends (-A) a new rule to the forwarding chain (FORWARD) of the filter table, for packets coming in on the outside interface (-i ppp0) and going out on the internal interface (-o eth0), where the packet's state is either a previously established connection or a related connection. As long as the default policy for the FORWARD chain is to DROP packets, a new connection from the outside will not match this rule and will be dropped.

Page 130:

Doing masquerading (NAT)

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Or, where x.x.x.x is a valid static IP address on the external interface:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x

• The first example matches all traffic that is going out on the outgoing interface. The target is MASQUERADE, which is used to do NAT on interfaces with dynamic IP addresses, such as the ppp0 (dialup) interface.

Page 131:

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and, in turn, accept the expected ICMP echo-replies.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

● Set rules that allow telnet inside the network, but not outside:

Page 132:

iptables -A OUTPUT -p tcp --destination-port telnet -d 198.168.0.0 -j ACCEPT

iptables -A OUTPUT -p tcp --destination-port telnet -d ! 198.168.0.0 -j REJECT
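The ruleset built up on the preceding iptables slides, collected into one script as an added example (this is not code from the slides): it sets the default-deny policies, then adds the www, ping, forwarding and masquerading rules, plus the loopback and established-connection rules the slides leave out, without which an OUTPUT policy of DROP would also discard the web server's own replies. The interface names (ppp0 outside, eth0 inside), the IPT variable and the apply/dry-run modes are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the slides: the default-deny ruleset built up on the
# iptables slides, collected into one function. Interface names are assumptions.
set -eu

IPT="${IPT:-iptables}"     # command to run; the dry-run mode below swaps in "echo"
EXT_IF="${EXT_IF:-ppp0}"   # outside (dial-up, dynamic IP) interface, as on the slides
INT_IF="${INT_IF:-eth0}"   # inside interface, as on the slides

apply_firewall() {
    # Start from empty chains so that running the script twice does not duplicate rules
    "$IPT" -F
    "$IPT" -t nat -F

    # Second method from the slides: everything not specifically permitted is denied
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP

    # Not on the slides, but required: with OUTPUT at DROP, the web server's own replies
    # (and the answers to our pings) are discarded unless established traffic is let through
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Allowing www: filter table (no -t given), INPUT chain, port 80 from /etc/services
    "$IPT" -A INPUT -p tcp --dport www -j ACCEPT

    # Let the firewall ping out and accept the matching echo-replies
    "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Forwarding: inside hosts may open connections outward; from the outside only packets
    # of already established or related connections get back in, everything else hits DROP
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerading (NAT) for the dynamic-IP outside interface
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT=echo; apply_firewall ;;
    *)       echo "usage: $0 apply | dry-run" >&2 ;;
esac
```

Run it as `sh firewall.sh dry-run` first and read the printed commands before applying them, since a DROP policy on a remote box with no rule for your own SSH session locks you out.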

Page 133:

• Integrity Checkers -- md5sum, sha1sum and Tripwire

• Port Scanners -- nmap

• Vulnerability Assessment -- nessus and SARA
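As an added example of what an integrity checker in the md5sum/sha1sum/Tripwire family does (this is not code from the slides): the script below records a sha1sum baseline of a directory tree and later reports files that were modified, removed or added. The function names and baseline format are my own, and it assumes file names without whitespace.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal integrity checker in the spirit of
# md5sum / sha1sum / Tripwire. make_baseline records one sha1sum per file, and
# verify_baseline recomputes the hashes and reports modified, missing and new files.
# Assumption: file names contain no whitespace (sha1sum's two-column format is used as-is).
set -u

# make_baseline DIR OUTFILE : write "hash  ./relative/path" for every regular file under DIR
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha1sum "$f"; done ) > "$2"
}

# hash_of LISTFILE PATH : print the recorded hash of PATH, or nothing if it is not listed
hash_of() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# verify_baseline DIR BASELINE : print one line per difference and return 1 if any was found
verify_baseline() {
    dir=$1; base=$2; rc=0
    current=$(mktemp) || return 2
    make_baseline "$dir" "$current"
    # Every file the baseline knows: is it still there, and with the same hash?
    while read -r sum path; do
        now=$(hash_of "$current" "$path")
        if [ -z "$now" ]; then
            printf '%-8s %s\n' MISSING "$path"; rc=1
        elif [ "$now" != "$sum" ]; then
            printf '%-8s %s\n' MODIFIED "$path"; rc=1
        fi
    done < "$base"
    # Every file present now: did the baseline record it at all?
    while read -r sum path; do
        [ -n "$(hash_of "$base" "$path")" ] || { printf '%-8s %s\n' NEW "$path"; rc=1; }
    done < "$current"
    rm -f "$current"
    return "$rc"
}
```

Keep the baseline where the monitored host cannot silently rewrite it (read-only media or another machine); otherwise whoever can change a file can update the baseline to match.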

Page 134:

Important Files/commands

basesystem, bash, beecrypt, bzip2, bzip2-libs, chkconfig, comps-3es, coreutils, cracklib, cracklib-dicts, crontabs, cyrus-sasl, cyrus-sasl-md5, db4, dev, devlabel, diffutils, e2fsprogs, elfutils-libelf, ethtool, file, filesystem, findutils, gawk, gdbm

glib, glib2, glibc, glibc-common, gpm, grep, grub, gzip, hwdata, info, initscripts, iproute, iptables, iputils, kbd, kernel, kernel-utils, krb5-libs, kudzu, less, libacl, libattr, libgcc, libstdc3, libtermcap

libuser, losetup, lvm, makedev, mingetty, mkinitrd, mktemp, modutils, mount, ncurses, netconfig, net-tools, newt, openldap, openssl, pam, passwd, patch, pcre, popt, procps, psmisc, readline, rootfiles, rpm

rpmdb-redhat, sed, setup, setuptool, shadow-utils, slang, slocate, sysklogd, SysVinit, tar, termcap, tmpwatch, tzdata, usermode, util-linux, vim-common, vim-minimal, which, words, zlib

Page 136:

Xlock & vlock

If you wander away from your machine from time to time, it is nice to be able to "lock" your console so that no one tampers with or looks at your work. Two programs that do this are xlock and vlock.

Xlock is an X display locker. It should be included in any Linux distribution that supports X. Check out its man page for more options, but in general you can run xlock from any xterm on your console and it will lock the display and require your password to unlock.

vlock is a simple little program that allows you to lock some or all of the virtual consoles on your Linux box. You can lock just the one you are working in or all of them. If you just lock one, others can come in and use the console; they will just not be able to use your virtual TTY until you unlock it. vlock ships with Red Hat Linux, but your mileage may vary.

Of course, locking your console will prevent someone from tampering with your work, but it does not prevent them from rebooting your machine or otherwise disrupting your work. It also does not prevent them from accessing your machine from another machine on the network and causing problems.

Page 137:

Some Linux Tools useful for Penetration Testing

Page 138:

Nessus www.nessus.org

The premier Open Source vulnerability assessment tool. Nessus is a remote security scanner for Windows, Linux, BSD, Solaris, and other Unices. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems.

Page 139:

Hping www.hping.org

A network probing utility like ping on steroids. hping3 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.

Page 140:

Dsniff http://naughty.monkey.org/~dugsong/dsniff/

A suite of powerful network auditing and penetration-testing tools. This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here.

Page 141:

LANGuard

A commercial network security scanner for Windows. LANguard scans networks and reports information such as the service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are output to an HTML report, which can be customised/queried. Apparently a limited free version is available for non-commercial/trial use.

Page 142:

SamSpade http://www.samspade.org/ssw/

SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more. Non-Windows users can enjoy online versions of many of their tools.

Page 143:

SAINT http://www.saintcorporation.com/saint/

Security Administrator's Integrated Network Tool. Saint is another commercial vulnerability assessment tool (like ISS Internet Scanner or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on UNIX. Saint used to be free and open source, but is now a commercial product.

Page 144:

Firewalk http://www.packetfactory.net/projects/firewalk/

Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 --traceroute option.

Page 145:

Amap http://www.thc.org/releases.php

Amap (by THC) is a new but powerful scanner (fingerprinting) which probes each port to identify applications and services rather than relying on static port mapping.

Page 146:

Fragroute: IDS systems' worst nightmare

http://www.monkey.org/~dugsong/fragroute/

Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS Evasion paper. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Like Dsniff and Libdnet, this excellent tool was written by Dug Song.

Page 147:

nmap http://www.insecure.org

A popular tool used for port scanning and OS fingerprinting.

Page 148:

Kernel Based Intrusion Detection (LIDS)

• Restricting root users

• Preventing changes to iptables, ipchains

• Preventing direct port and memory access

Security Enhanced Linux system

Page 149:

CERT-In

• Charter: "The purpose of the CERT-In is, to become the nation's most trusted referral agency of the Indian Community for responding to computer security incidents as and when they occur; the CERT-In will also assist members of the Indian Community in implementing proactive measures to reduce the risks of computer security incidents."

• Mission: "To enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration."

Page 150:

CERT-In Mission

Alert – Advise - Assurance

Page 151:

National Information Security Assessment Program (NISAP)

• Mandatory compliance requirement

• Mandatory compliance efforts – ISMS standards

• Mandatory compliance verification

• Mandatory compliance reporting – to CERT-In

Page 155:

ADVISORY COMMITTEE

S.No. – Name – Role

1. Shri. M. Madhavan Nambiar, Additional Secretary, Department of Information Technology – Chairman

2. Shri. Ajeer Vidya, Joint Secretary & Financial Adviser, Department of Information Technology – Member

3. Prof. N. Balakrishnan, Chairman, Division of Information Sciences, Indian Institute of Science – Member

4. Dr. B. K. Gairola, Deputy Director General, National Informatics Centre – Member

5. Dr. Gulshan Rai, Director, Indian Computer Emergency Response Team – Member Secretary

Page 156:

AUTHORITY

• The CERT-In operates under the auspices of, and with authority delegated by, the Department of Information Technology, Ministry of Communications & Information Technology, Government of India.

• The CERT-In shall work cooperatively with information officers and system administrators of various sectoral and organisational networks of its constituency.

Page 157:

VULNERABILITY NOTES

• CERT-In Vulnerability Note CIVN-2007-07 (31 January, 2007) Microsoft Word Unspecified String Handling Memory Corruption Vulnerability

• CERT-In Vulnerability Note CIVN-2007-06 (29th January, 2007) Linux-PAM Login Bypass Security Vulnerability

• CERT-In Vulnerability Note CIVN-2007-05 (18th January, 2007) Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability

Page 158:

• CERT-In Vulnerability Note CIVN-2007-04 (11th January, 2007) Microsoft Windows Vector Markup Language Code Execution Vulnerability

• CERT-In Vulnerability Note CIVN-2007-03 (11th January, 2007) Remote Code Execution and Denial of Service Vulnerabilities in Microsoft Outlook

• CERT-In Vulnerability Note CIVN-2007-02 (11th January, 2007) Microsoft Excel Malformed Column Record, Palette Record, IMDATA Record and String Vulnerabilities

• CERT-In Vulnerability Note CIVN-2007-01 (5th January, 2007) OpenOffice Integer and Buffer Overflow Vulnerabilities

Page 159:

cert-in.org.in

Indian Computer Emergency Response Team (CERT-In), Ministry of Communications and Information Technology, Electronics Niketan, 6, C.G.O. Complex, New Delhi-110 003

Page 160:

What people are using in India

• Content filtering 39%

• Keyword Monitoring 28%

• Data Leak detection and prevention 25%

• IDS 23%

• Packet Filtering 15%

• Digital Rights Management SW 9%

Page 161:

IT – ACT 2000

• Section III - Certifying Authorities

• Public Key Infrastructure (PKI)

Page 162:

• CERT-In Vulnerability Note CIVN-2007-06: Linux-PAM Login Bypass Security Vulnerability

• Original Issue Date: January 29, 2007

• Severity Rating: High

• System Affected: Linux-PAM 0.x

• Overview: A vulnerability has been reported in Linux-PAM, which could be exploited by remote attackers to compromise a vulnerable system.

• Description: A vulnerability has been reported in Linux-PAM due to an error within the "_unix_verify_password()" function in modules/pam_unix/support.c while handling passwords with a hash of "!!" or similar in "/etc/shadow" or "/etc/passwd".

• Solution: Upgrade to Linux-PAM version 0.99.7.1

ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library

Page 163:

• CERT-In Advisory CIAD-2007-05: Multiple Vulnerabilities in Xorg, Xfree86 and Kerberos

• Original issue date: January 16, 2007

• Severity Rating: Medium

• Systems Affected: X.Org X11 version 7.1 and prior; XFree86 version 4.6.99.15 and prior; MIT Kerberos V5 versions 1.4 through 1.4.4; MIT Kerberos V5 versions 1.5 through 1.5.1

• Overview: Multiple vulnerabilities have been reported in Linux which could be exploited by remote attackers to execute commands on the affected system.

• Description:

1. X.Org X11 Render or XFree86 and DBE Extensions Multiple Local Privilege Escalation Vulnerabilities (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103). A vulnerability has been reported in the X.Org and XFree86 X server due to a memory corruption error in the "ProcRenderAddGlyphs()", "ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" functions within the DBE extension, which could be exploited by remote attackers to execute arbitrary commands with "root" privileges via a specially crafted X protocol request.

2. Kerberos V5 Kadmind RPC Library Remote Code Execution Vulnerability (CVE-2006-6143). A vulnerability has been reported in the server-side portion of the RPC library used in the Kerberos administration daemon "kadmind" due to its failure to properly initialize pointers. A remote attacker could exploit the vulnerability by sending crafted packets to the affected system to execute arbitrary code or cause a denial of service.

3. Kerberos V5 Kadmind GSS-API Library Remote Code Execution Vulnerability (CVE-2006-6144). A vulnerability has been reported in Kerberos due to a memory management error in the "mechglue" abstraction interface of the GSS-API library used in the Kerberos administration daemon "kadmind". An unauthenticated remote attacker could exploit the vulnerability by freeing uninitialized pointers to execute arbitrary code on the affected system.

• Solution: Apply appropriate patches suggested by the vendor.

• Vendor Information: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt and http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-003-mechglue.txt

Page 164:

• CERT-In Vulnerability Note CIVN-2007-05: Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability

• Original Issue Date: January 18, 2007

• Severity Rating: High

• Systems Affected: Sun JDK version 5.0 Update 9 and prior; Sun JRE version 5.0 Update 9 and prior; Sun SDK version 1.4.2_12 and prior; Sun JRE version 1.4.2_12 and prior; Sun SDK version 1.3.1_18 and prior; Sun JRE version 1.3.1_18 and prior

• Overview: A vulnerability has been reported in Sun Java JRE (Java Runtime Environment), which could be exploited by remote attackers to compromise a vulnerable system.

• Description: A buffer overflow error has been reported in the Sun Java Runtime Environment while processing GIF images with a "width" property set to 0 (zero), which could be exploited by remote attackers to execute arbitrary commands or to read/write local files on a vulnerable system by enticing a user to visit a specially crafted web page containing a malicious applet.

Page 165:

Security Testing Standard

• Document www.osstmm.org
