Vulnerability Scanning
Transcript of Vulnerability Scanning
FORESEC Academy
VULNERABILITY SCANNING - FORESEC Academy Security Essentials (III)
Agenda
- Threat vectors
- Social Engineering
- Bypassing the firewall
- Tools that may be visiting your DMZ
- Network Mapping Tools and Vulnerability Scanners
Primary Threat Vectors
- Outsider attack from network
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malicious code
KaZaA
Designed for peer-to-peer file sharing on the Internet
Introduces security weaknesses:
- Hole in a firewall
- Users give away network information
- A possible annoyance or DDoS tool
KaZaA - Firewall Subversion
1) A and B set up KaZaA Net
2) Firewall denies inbound TCP request
1) C connects to KaZaA Net
2) C’s request relayed to A
3) A connects to C through wall
Firewalls, Wireless Connections, and Modems
Social Engineering
Attempt to manipulate or trick a person into providing information or access
Bypass network security by exploiting human vulnerabilities
Vector is often outside attack by telephone or a visitor inside your facility
Social Engineering (2)
Human-based:
- Urgency
- Third-person authorization
Computer-based:
- Popup windows
- Mail attachments
Social Engineering Defense
Develop appropriate security policies
Establish procedures for granting access, etc., and reporting violations
Educate users about vulnerabilities and how to report suspicious activity
Tools that may be Visiting Your DMZ
- 3 famous Windows Trojans
- Open share scanners
- Jackal, Queso, and SYN/FIN
- Nmap and Hping
- Worms
Trojans
Trojans (2)
SubSeven Client
SubSeven EditServer
Trojans Review
Trojans can penetrate firewalls as email attachments
SubSeven is still one of the most common
Protective tools include all major anti-virus tools, firewalls, and personal firewalls
Network Mapping Tools
- Open share scanners - Legion
- Network Scanners - Jackal
- TCP Fingerprinting - Queso, and SYN/FIN
- Port Scanners - Nmap and Hping
Finding Unprotected Shares - Legion
Enter the Jackal 1997
Sons of Jackal Continue to be Seen
Source Port 0 and 65535
Queso and Friends - http://www.securityfocus.com/tools/144
Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states. The Queso pattern is shown on the notes page.
Spoofed NetBIOS
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
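As an added example (not part of the FORESEC slides), the following Python groups the SYNs from the trace above by flow and initial sequence number and measures the gaps between repeats, which is how an analyst separates a TCP stack's own retransmissions of an unanswered SYN (gaps that roughly double) from packets a tool replays on its own schedule. The trace lines are copied from the slide; the 1-second jitter tolerance is my assumption.

```python
import re
from collections import defaultdict

# Sample trace, copied from the "Spoofed NetBIOS" slide above (tcpdump-style SYNs).
TRACE = """
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
""".strip().splitlines()

# One SYN line: timestamp, src host.port > dst ip.port: S seq:seq(0) ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+S\s+(?P<seq>\d+):\d+\(0\)"
)

def to_seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def group_syns(lines):
    """Group SYNs by flow and initial sequence number; a repeated identical SYN
    is a retransmission, i.e. the target never answered that attempt."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a bare SYN
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"]))
        groups[key].append(to_seconds(m["ts"]))
    return groups

def summarize(lines):
    """One record per SYN group: how many times it was sent, the gaps between
    sends, and whether the gaps roughly double like an OS retransmission timer
    (3 s, 6 s, 12 s) rather than a tool replaying packets on its own schedule."""
    records = []
    for (src, sport, dst, dport, seq), times in group_syns(lines).items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        doubling = all(abs(b - 2 * a) <= 1 for a, b in zip(gaps, gaps[1:]))  # 1 s jitter (assumed)
        records.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                        "netbios": dport == 139, "syns": len(times), "gaps": gaps,
                        "timer_like": len(times) >= 2 and doubling})
    return records

if __name__ == "__main__":
    for record in summarize(TRACE):
        print(record)
```

The first two groups show the doubling 3/6/12 s pattern of an unanswered connect, while the final single SYN on a new source port is a fresh attempt rather than a retry.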
TTL
In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how they cluster around 120. This is not expected behavior. This is also fixed in the Nmap 2.08 release, which has a decoy function so that the decoy TTLs are random.
Analysis credit to Army Research Lab
Nmap - Network Mapper
Freeware award-winning network scanner.
Supports a large number of scanning techniques.
Numerous other features supported:
- Remote Operating System Detection
- Application Detection
nmapwin - Windows port
Hping - Spoofing Port Scanner
Conceptually, a TCP version of ping. Sends custom TCP packets to a host and listens for replies. Enables port scanning and spoofing simultaneously, by crafting packets and analyzing the return.
Hping v2.0 - hping Enhanced
Uses hping crafted packets to:
- Test firewall rules
- Test net performance
- Remotely fingerprint OSes
- Audit TCP/IP stacks
- Transfer files across a firewall
- Check if a host is up
Worms
Attack systems through known holes. Automatically scan for more systems to attack.
Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.