DePaul University Security Forum February 27, 2002


Page 1: DePaul University Security Forum February 27, 2002

DePaul University

Security Forum

February 27, 2002

Page 2: DePaul University Security Forum February 27, 2002

Presentations

Bill Eaheart, Network Security – Network & Telecom
  Current Threats

Eric Pancer, Systems Security – ISS
  The Audience is listening

John Kristoff, Manager R&D - Network & Telecom
  Data Leaks

Rob Thomas, Guest Speaker
  Life in the Underground

Page 3: DePaul University Security Forum February 27, 2002

Information Security at DePaul

Information Security Team (INFOSEC)
  Eric Pancer – System Security
  Bill Eaheart – Network Security

Role at the University
  Promote awareness
  Assist with computer security
  Provide guidance and resources to DePaul community

Contact
  [email protected]
  [email protected]
  http://networks.depaul.edu/security/

Page 4: DePaul University Security Forum February 27, 2002

Security Principles

Defense in depth
  Physical Security
  Intrusion Detection Systems
  Firewalls
  Auditing
  Virtual Private Networks
  Encryption
  Strong Passwords
  Access Control Lists
  Logging

Prevention is ideal – Detection is a must

Security through obscurity

Page 5: DePaul University Security Forum February 27, 2002

Who are the threats?

Hackers
  A person who enjoys exploring the details of programmable systems and how to stretch their capabilities

Crackers
  One who breaks security on a system

Script Kiddies
  Do mischief with scripts and programs written by others, often without understanding the exploit they are using.

Page 6: DePaul University Security Forum February 27, 2002

Are you safe?

[Chart: Hacker/Cracker Skills vs. Availability of sophisticated tools; x-axis: 1992 to 2001; series: Skill Level, Sophistication of Tools]

Page 7: DePaul University Security Forum February 27, 2002

Show me the numbers!

2001 CSI/FBI Computer Crime and Security Survey

[Chart: Unauthorized Use of Computer Systems within the last 12 months; responses: Yes, No, Don't Know; y-axis: Percentage of Respondents; series: 1996 to 2001]

Page 8: DePaul University Security Forum February 27, 2002

80% of problems are due to ….

Is this changing?

[Chart: Point of Attack; categories: Internal Systems, Remote Dial-in, Internet; y-axis: Percentage of Respondents; series: 1996 to 2001]

Page 9: DePaul University Security Forum February 27, 2002

CERT Web Site

www.cert.org

Page 10: DePaul University Security Forum February 27, 2002

CERT Statistics

Incidents Reported, 1996 - 2001

Year        1996   1997   1998   1999   2000    2001
Incidents   2573   2134   3734   9859   21576   52658

Vulnerabilities Reported, 1996 - 2001

Year              1996   1997   1998   1999   2000   2001
Vulnerabilities   345    311    262    417    1090   2437

Page 11: DePaul University Security Forum February 27, 2002

Why do they do it?

Information
  Corporate
  Source Code

Resources
  Storage
  Access
  Bandwidth
  Launching point

Challenge

Activism
  Political - Hacktivism

Page 12: DePaul University Security Forum February 27, 2002

How do they get in?

Ports
Services
Third-party software
Passwords
Social Engineering
Back Doors
Trojan Horses

Page 13: DePaul University Security Forum February 27, 2002

Information Gathering

The Company
  Find Initial Information

Available information
  Whois
  Nslookup - Host

Page 14: DePaul University Security Forum February 27, 2002

Host Look up

[user@test /]# host www.company.com

Server: host.atthome.com

Address: 192.168.10.10

Name: test.company.com

Address: 10.10.81.10

Aliases: www.company.com

Page 15: DePaul University Security Forum February 27, 2002

Information Gathering

Address Range of the Network
  American Registry for Internet Numbers – www.arin.net
  Asia Pacific Network Information – www.apnic.net
  Reseaux IP Europeens – www.ripe.net
  Cyberabuse – www.cyberabuse.org

Traceroute

Page 16: DePaul University Security Forum February 27, 2002

ARIN whois

The Company (NET-COMPANY)
   100 South State Street Avenue
   Chicago, IL 60612
   US

   Netname: COMPANY
   Netblock: 10.10.0.0 - 10.10.255.255

   Coordinator:
      Company Administrator (ZD12-ARIN) [email protected]
      (312) 323-1234

   Domain System inverse mapping provided by:

   DNS1.COMPANY.COM 10.10.120.120
   DNS2.COMPANY.COM 10.10.240.120

   Record last updated on 26-Mar-2001.
   Database last updated on 25-Feb-2002 20:01:06 EDT.

Page 17: DePaul University Security Forum February 27, 2002

Traceroute

[user@test /]#
Tracing route to DNS1.company.com [10.10.80.10]
over a maximum of 30 hops:

  1   <1 ms   <1 ms   <1 ms  badguy.home.com [192.20.40.50]
  2   <1 ms   <1 ms   <1 ms  rtr-isp.com [192.10.30.30]
  3   <1 ms   <1 ms   <1 ms  rtr-isp.com [192.10.20.20]
  4   <1 ms   <1 ms   <1 ms  192.10.10.10
  5    1 ms    1 ms    1 ms  isp.location.net [16.6.9.33]
  6    1 ms    1 ms    1 ms  16.6.9.122
  7   15 ms   14 ms   11 ms  16.6.9.218
  8    8 ms   10 ms    5 ms  10.10.1.1.
  9   48 ms   84 ms   59 ms  test.company.com [10.10.120.120]

Trace complete.

Page 18: DePaul University Security Forum February 27, 2002

Information Gathering

Find Active Machines
  Ping
  Ping Sweep

Page 19: DePaul University Security Forum February 27, 2002

Ping Sweep

[user@test /]# nmap -sP 10.10.82.11-30

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host d8211.company.com (10.10.82.11) appears to be up.
Host d8212.company.com (10.10.82.12) appears to be up.
Host d8213.company.com (10.10.82.13) appears to be up.
Host d8214.company.com (10.10.82.14) appears to be up.
Host d8215.company.com (10.10.82.15) appears to be up.
Host d8216.company.com (10.10.82.16) appears to be up.
Host d8217.company.com (10.10.82.17) appears to be up.
Host d8218.company.com (10.10.82.18) appears to be up.
Host d8220.company.com (10.10.82.20) appears to be up.
Host d8221.company.com (10.10.82.21) appears to be up.

Nmap run completed -- 21 IP addresses (18 hosts up) scanned in 2 seconds

Page 20: DePaul University Security Forum February 27, 2002

Information Gathering

Find open ports
  Port scanners
    Scanport for Windows
    Nmap for *nix
  Modems – War dialing

Figure out the operating system
  Nmap

Page 21: DePaul University Security Forum February 27, 2002

Nmap

[user@test /]# nmap -O 10.10.82.11
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on test.company.com (10.10.1.1):
(The 1520 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
19/tcp     open        chargen
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
6112/tcp   open        dtspc

Remote OS guesses: Windows ME or Windows 2000 RC1 through final release
Uptime 20.028 days (since Wed Feb 6 11:05:16 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
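An added example, not part of the original slides: a defender's audit of the port table in the nmap output above, comparing what a scan of your own host shows against the services it is approved to run. The approved list and the clear-text-login set are hypothetical site policy, assumed for illustration.

```python
import re

# Port table copied from the nmap -O output on the slide.
SCAN = """\
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
19/tcp     open        chargen
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
6112/tcp   open        dtspc
"""

# Hypothetical site policy (an assumption, not from the slides): services this
# host is approved to expose, and services that carry logins in clear text.
APPROVED = {(25, "tcp")}
CLEARTEXT_LOGIN = {"ftp", "telnet"}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return [(port, proto, state, service)] from nmap's classic port table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line and blank lines do not match and are skipped
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def audit(text, approved=APPROVED):
    """List open ports outside the approved set, tagging clear-text logins."""
    findings = []
    for port, proto, state, service in parse_ports(text):
        if state != "open" or (port, proto) in approved:
            continue
        reason = "cleartext login" if service in CLEARTEXT_LOGIN else "not approved"
        findings.append((port, proto, service, reason))
    return findings

if __name__ == "__main__":
    for port, proto, service, reason in audit(SCAN):
        print(f"{port}/{proto:<4} {service:<8} {reason}")
```

Run against periodic scans of your own address range, the same comparison shows when a host starts exposing a service that was never approved.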

Page 22: DePaul University Security Forum February 27, 2002

Information Gathering

Figure out which services are running
  Assumptions
  Telnet
  Vulnerability scanners
    Commercial
      ISS – Internet Scanner
      CyberCop Secure Scanner
    Shareware
      SARA
      Nessus
      SAINT

Page 23: DePaul University Security Forum February 27, 2002

Nessus

Nessus Scan Report
------------------
SUMMARY
 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 4
 - Number of security warnings found : 18
 - Number of security notes found : 4

TESTED HOSTS
 test.company.com (Security holes found)

DETAILS
 - List of open ports :
 . Information found on port telnet (23/tcp)
    Remote telnet banner :
    HP-UX test B.11.00 U 9000/800 (tc)
    login: ÿüÿüÿþÿþ!ÿþ
 . Vulnerability found on port snmp (161/udp) :
    SNMP community name: public
    CVE : CAN-1999-0517
    CVE : CVE-1999-0018
------------------------------------------------------
This file was generated by the Nessus Security Scanner

Page 24: DePaul University Security Forum February 27, 2002

Information Gathering

Exploiting the system
  Clear map of the network
  Active Machines
  Types of Machines
  Ports and Services
  Potential vulnerabilities
  Look for known vulnerabilities and run exploits

Page 25: DePaul University Security Forum February 27, 2002

Security Tools

Port Scanner – Nmap
Anti Virus – Norton’s, McAfee, Inoculate IT
Vulnerability Scanner – Nessus
Firewall – ZoneAlarm, PortSentry
IDS - Snort
Encryption Software – PGP, GNU PG
SSH
  OpenSSH
  PuTTY – ssh client
MD5

Page 26: DePaul University Security Forum February 27, 2002

Encryption - secure communication and data storage

Pretty Good Privacy – PGP
  Developed by Philip Zimmermann
  Restricted use

GNU PG
  Complete and free replacement for PGP
  Can be used without restriction

Public/Private Key

Page 27: DePaul University Security Forum February 27, 2002

Encryption

Plain Text
  This is a test message.

Encrypted
  -----BEGIN PGP MESSAGE-----
  Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

  [ciphertext omitted]
  -----END PGP MESSAGE-----

Page 28: DePaul University Security Forum February 27, 2002

Telnet

Telnet
  Plain Text!!

SSH
  Secure Shell: program to log into another computer over a network; secure communications over insecure channels.
  Encrypted text

Page 29: DePaul University Security Forum February 27, 2002

I smell a password…

Telnet session:
Frame 30 (61 on wire, 61 captured)  Telnet Data: login:
Frame 32 (55 on wire, 55 captured)  Telnet Data: f
Frame 36 (55 on wire, 55 captured)  Telnet Data: r
Frame 48 (55 on wire, 55 captured)  Telnet Data: e
Frame 51 (55 on wire, 55 captured)  Telnet Data: d
Frame 53 (54 on wire, 54 captured)  Telnet Data: Password:
Frame 60 (55 on wire, 55 captured)  Telnet Data: f
Frame 62 (55 on wire, 55 captured)  Telnet Data: r
Frame 65 (55 on wire, 55 captured)  Telnet Data: e
Frame 66 (55 on wire, 55 captured)  Telnet Data: d
Frame 68 (55 on wire, 55 captured)  Telnet Data: f
Frame 69 (60 on wire, 60 captured)  Telnet Data: o
Frame 72 (55 on wire, 55 captured)  Telnet Data: o

Page 30: DePaul University Security Forum February 27, 2002

MD5

MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

[user@test /]# md5sum test.txt

2d282102fa671256327d4767ec23bc6b test.txt

[user@test /]# md5sum test.txt

2bc4fd1e721de48ca6dfd992b2e88712 test.txt

Page 31: DePaul University Security Forum February 27, 2002

Security Sites

www.cert.org
www.ciac.org/ciac
www.incidents.org
www.securityfocus.com
http://csrc.ncsl.nist.gov/
Vendor sites for patches

Page 32: DePaul University Security Forum February 27, 2002

References

Network Security, Private Communication in a PUBLIC World, by Charlie Kaufman, Radia Perlman and Mike Speciner

Computer Security Issues and Trends, Vol. VII No. 1 by Richard Power

Hackers Beware by Eric Cole

www.webopedia.com

www.nessus.org

www.nmap.org

www.cert.org