Spring 2001 © 2000, 2001, Richard A. Stanley WPI EE579T/5 #1 EE579T Network Security 5: Vulnerability Assessment Prof. Richard A. Stanley




Thought for the Day

“The network is the computer.”

Sun Microsystems


Is this quote for real or is it for marketing?

• What is typical PC bus speed?

• What sort of network data transfer rates can be attained?

• What does this mean for the future of networked computing?


Overview of Tonight’s Class

• Review last week’s lesson

• Look at network security in the news

• Course project discussions

• Vulnerability assessment


Last Week...

• Authentication is critical to achieving network security, and is harder because the user is at a distance from the computer

• Encryption is key to authentication
  – Symmetric
  – Asymmetric

• VPN’s provide a way to create a private “tunnel” through a public network
  – Not a panacea


Network Security Last Week - 1

• Anna Kournikova hits the Internet
  – Email worm exploits Outlook address book
  – Hits millions of users, over 20 large corporations in Australia alone
  – Why?
    • Is Kournikova a common name?
    • Are people that curious?
    • Did someone suspect the picture was off-color?
  – You are a systems administrator: how do you protect against this sort of thing?


Network Security Last Week - 2

• Kournikova hacker
  – Traced by Excite@Home
  – Lives in Friesland, Netherlands
  – 20-year old male
  – “Wanted to demonstrate how easy it was to write a virus.”
  – Maximum sentence guideline in Netherlands is 4 years, prosecutor can ask for more

• How did he do it?


How He Did It

Rocket science, this is not


Network Security Last Week - 3

• Tax prep site e1040 shut down Monday
  – site's encryption software had been turned off during site maintenance
  – Social Security numbers and passwords of site users were left exposed

• Hackers chip into Intel Web site
  – “Smoked Crew” defaced an Intel sub-domain, leaving a short message greeting other hackers
  – Hackers got in through a well-publicized IIS4/NT4 flaw


Network Security Last Week-4

• University computers remain hacker havens
  – Systems "naked," exposed without firewalls
  – perfect foils for hackers (i.e. zombies)

• Iomega research asserts 25% of computer users have lost data to viruses, hackers

• Omni Consulting Group study reveals that network security breaches cost companies close to 6% of their annual gross revenue, on the average


Network Security Last Week-5

• Hacker fear scares EPA offline for 2 weeks

• Federal Net privacy mandate riles health care industry
  – industry unifies in opposition to HIPAA privacy regulations, saying it will cost $22 billion to bring systems in compliance

• Love Bug variant “Cartolina” sending European postcards


What do all these security issues have in common?


Course Projects

• Teams

• Topics

• Schedule

Let’s sort this out now.


How To Rob a Bank

• Just walk in and demand the money
  – Where is the bank?
  – How do you know there is any money?
  – Where to park the getaway car?
  – Are there any guards or surveillance devices?
  – Will you need a disguise?
  – What kinds of things might go wrong?
  – What if they say “NO?”


Success Requires Planning

• Whether robbing a bank or breaching network security, you need to plan ahead

• Planning ahead is known as vulnerability assessment
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (shake the doors)


Information in Plain Sight

• Lots of valuable information is just lying around waiting to be used
  – telephone directories
  – company organization charts
  – business meeting attendee lists
  – promotional material

• The Internet has made having a company web page the measure of being “with it”


Target: FBI


You get the idea

• There is a lot of information out there, and it is readily available to anyone

• Good intelligence usually consists of open source material properly collated

• Law enforcement used to have special access to this sort of information--now it’s out on the ‘net

• Network access speeds up the rate at which good intelligence can be collected


Determine Your Scope

• Check out the target’s web page
  – physical locations
  – related companies or entities
  – merger/acquisition news
  – phone numbers, contact information
  – privacy or security policies
  – links to other related web servers
  – check the HTML source code


Refine Your Search

• Run down leads from the news, etc.
  – Search engines are a good way
    • FerretSoft
    • Dogpile
  – Check USENET postings
  – Use advanced search capabilities to find links back to target
    • Search on wpi + security gives ~ 2900 hits


Use the Government

• EDGAR
  – SEC site (www.sec.gov/edgarhp.htm)
  – Search for 10-Q and 10-K reports
  – Try to find subsidiary organizations with different names

• Think about what your organization has on databases available to the public


Zero In On The Networks

• InterNIC
  – Organization
  – Domain
  – Network
  – Point of contact

• www.networksolutions.com

• www.arin.net


Search for wpi.edu

Registrant:
  Worcester Polytechnic Institute (WPI-DOM)
  100 Institute Road
  Worcester, MA 01609-2280
  US

Domain Name: WPI.EDU

Administrative Contact, Billing Contact:
  Johannesen, Allan E (AEJ5) [email protected]
  The College Computer Center
  Worcester Polytechnic Institute
  100 Institute Road
  Worcester, MA 01609-2280
  508 754-3964 (FAX) 508-831-5483 (FAX) 508-831-5483
Technical Contact:
  Brandt, Joshua (JBC740) [email protected]
  Solipsist Nation
  9 Circuit Ave. E Apt 1
  Worcester, MA 01603
  US
  508-831-5512

Record last updated on 05-Dec-2000.
Record created on 22-Mar-1988.
Database last updated on 15-Feb-2001 02:07:04 EST.

Domain servers in listed order:
  NS.WPI.EDU       130.215.24.1
  NS1.YIPES.COM    209.213.223.126
  NS2.YIPES.COM    209.50.39.102
  NS3.YIPES.COM    209.50.40.102


Other Sources

• InterNIC has 50-record limit, so…
  – ftp://rs.internic.net/domain
  – http://samspade.org/ssw/
    • freeware
  – www.nwpsw.com
    • Netscan tools
    • Single copy price = $32.00
  – www.ipswitch.com
    • WS_Ping ProPack = $37.50


Example: Sam Spade

Sam Spade Features

Environment
• Each tool displays its output in its own window, and everything is multi-threaded so you don't need to wait for one query to complete before starting the next one
• Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
• The output from each query is hotlinked, so you can right click on an email address, IP address, hostname or internic tag to run another query on it
• Appending the results of a query to the log window is a single button function
• There's a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself

Tools
ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser, keep-alive, DNS zone transfer, SMTP relay check, Usenet cancel check, website download, website search, email header analysis, Email blacklist query, Abuse address query, S-Lang scripting, Time


Query on Found Data

• POC
  – May be (often is) POC for other domains

• Query for email addresses -- here are a few from @wpi.edu

Amiji, Murtaza (MA3608) [email protected] (508) 831-5395
Baboval, John (JBJ116) [email protected] XXX-XXXX
Ballard, Richard (RBS722) [email protected] 508-831-6731
Barnett, Glenn S (GSB14) [email protected] (315)475-5920
Bartelson, Jon (JB12891) [email protected] (508) 831-5725 (FAX) (508) 831-5483
Berard, Keith (KB2414) [email protected] (508)754-4502
Blank, Karin (KBJ257) [email protected] 203-762-0532
Blomberg, Adam (AB5417) [email protected] 508-755-7699


Query the DNS

• Insecure DNS configuration can reveal information that should be kept confidential

• Zone transfers are popular attack methodologies
  – nslookup often used
  – pipe output to a text file
  – review the text file at your leisure
  – select potential “good targets” based on data
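The slide treats the zone transfer from the attacker's side. As an added example (not part of the lecture), the Python below shows the defender's check: it reads BIND-style transfer and query log lines, picks out every AXFR/IXFR request, and reports any that came from a host outside the list of authorized secondary servers. The log lines, the zone name, the addresses and the allow-list are all constructed for this example.

```python
"""Added example (not from the lecture): audit name-server logs for zone
transfers (AXFR/IXFR) pulled by hosts that are not authorized secondaries.

The log lines resemble BIND's xfer-out and query logging; zone name,
addresses and allow-list are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (addresses are from documentation ranges).
SAMPLE_LOG = """\
15-Feb-2001 02:07:04.123 xfer-out: info: client 192.0.2.2#53: transfer of 'example.edu/IN': AXFR started
15-Feb-2001 02:07:05.001 xfer-out: info: client 192.0.2.2#53: transfer of 'example.edu/IN': AXFR ended
15-Feb-2001 02:09:41.300 queries: info: client 203.0.113.77#4321: query: example.edu IN AXFR -T
15-Feb-2001 02:09:41.310 xfer-out: info: client 203.0.113.77#4321: transfer of 'example.edu/IN': AXFR started
15-Feb-2001 02:10:02.500 queries: info: client 203.0.113.77#4321: query: example.edu IN A -
15-Feb-2001 02:11:15.000 xfer-out: info: client 198.51.100.9#2049: transfer of 'example.edu/IN': IXFR started
"""

# Hypothetical allow-list: the only hosts permitted to pull the zone
# (single addresses or CIDR blocks).
AUTHORIZED_SECONDARIES = {"192.0.2.2", "198.51.100.9"}

# "transfer of 'zone/IN': AXFR started" lines from the xfer-out category.
TRANSFER_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^/]+)/IN': "
    r"(?P<kind>AXFR|IXFR) started"
)
# Query-log lines asking for a transfer, whether or not the server granted it.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<zone>\S+) IN (?P<kind>AXFR|IXFR)"
)


def parse_transfer_events(log_text):
    """Return a list of (client_ip, zone, kind) for every transfer request seen."""
    events = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line) or QUERY_RE.search(line)
        if m:
            events.append((m["ip"], m["zone"].rstrip("."), m["kind"]))
    return events


def find_unauthorized_transfers(log_text, allowed):
    """Map each client outside the allow-list to the sorted zones it requested."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    offenders = defaultdict(set)
    for ip, zone, _kind in parse_transfer_events(log_text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed_nets):
            offenders[ip].add(zone)
    return {ip: sorted(zones) for ip, zones in offenders.items()}


if __name__ == "__main__":
    for ip, zones in find_unauthorized_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES).items():
        print(f"unauthorized transfer request from {ip}: {', '.join(zones)}")
```

The audit complements, rather than replaces, the configuration fix: on BIND the `allow-transfer` option limits which hosts may pull a zone, and other servers have an equivalent. The log check is what shows you that the restriction is missing or that an unexpected host is asking.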


Map the Network

• traceroute
  – Unix and Win/NT
  – tracert in NT for file name legacy reasons
  – Shows hops from router to destination

• Graphical tools exist, too
  – VisualRoute
  – www.visualroute.com


Detailed Scanning

• Network ping sweeps
  – Who is active?
  – Automated capabilities with some tools

• ICMP queries
  – Reveal lots of information on systems
    • System time
    • Network mask


Port Scanning

• Identify running services

• Identify OS

• Identify specific applications of a service

• Very popular

• Very simple

• Very dangerous


Port Scan Types

• Connect Scan--completes 3-way handshake

• SYN--should receive SYN/ACK

• FIN--should receive RST on closed ports

• Xmas tree--sends FIN, URG, PSH; should receive RST for closed ports

• Null--turns off all flags; target should send back RST for closed ports

• UDP--port probably open if no “ICMP port unreachable” message received
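As an added example (not from the lecture), here is the detection side of the "Detailed Scanning" and "Port Scan Types" slides: a small Python detector run over a constructed log of packet summaries. It flags the ping sweeps and the ICMP timestamp and address-mask queries from the first slide, and the SYN, FIN, Xmas and Null probe patterns listed above. The record format, the thresholds and the addresses are assumptions for this example, not any tool's format; UDP scans, which are judged by the absence of "port unreachable" replies, are not covered.

```python
"""Added example (not from the lecture): classify reconnaissance traffic in a
constructed packet-summary log. Record layout, thresholds and addresses are
assumptions made for this example.
"""
from collections import defaultdict

# Constructed packet summaries: (time_s, src, dst, proto, dst_port, tcp_flags, icmp_type).
# Flags use tcpdump-style letters (S=SYN, A=ACK, F=FIN, P=PSH, U=URG).
# Addresses come from documentation ranges; this is not captured traffic.
PACKETS = [
    # 203.0.113.5 pings twelve hosts in one /24: a ping sweep
    *[(t, "203.0.113.5", f"192.0.2.{h}", "icmp", None, "", 8) for t, h in enumerate(range(1, 13))],
    # the same host asks one machine for its system time (13) and network mask (17)
    (20, "203.0.113.5", "192.0.2.1", "icmp", None, "", 13),
    (21, "203.0.113.5", "192.0.2.1", "icmp", None, "", 17),
    # 203.0.113.9 sends bare SYNs to 25 ports on one host: a half-open scan
    *[(30 + i, "203.0.113.9", "192.0.2.7", "tcp", p, "S", None) for i, p in enumerate(range(1, 26))],
    # ... then Xmas, Null and FIN probes against the same host
    (60, "203.0.113.9", "192.0.2.7", "tcp", 80, "FPU", None),
    (61, "203.0.113.9", "192.0.2.7", "tcp", 80, "", None),
    (62, "203.0.113.9", "192.0.2.7", "tcp", 22, "F", None),
    # benign: a workstation opens a single HTTP connection
    (70, "192.0.2.50", "192.0.2.7", "tcp", 80, "S", None),
    (71, "192.0.2.50", "192.0.2.7", "tcp", 80, "A", None),
    (72, "192.0.2.50", "192.0.2.7", "tcp", 80, "PA", None),
]

ICMP_NAMES = {8: "echo-request", 13: "timestamp-request", 17: "address-mask-request"}


def classify_tcp_flags(flags):
    """Name a TCP segment by its flag set, following the scan types listed on the slide."""
    f = set(flags)
    if not f:
        return "null"            # no flags at all
    if f == {"F", "P", "U"}:
        return "xmas"            # FIN + URG + PSH
    if f == {"F"}:
        return "fin"             # FIN alone, outside any connection
    if f == {"S"}:
        return "syn"             # first half of the handshake
    return "normal"


def detect_scans(packets, port_threshold=10, host_threshold=8):
    """Return {src: [finding, ...]} for sources whose traffic looks like reconnaissance."""
    syn_ports = defaultdict(set)     # (src, dst) -> distinct ports hit with a bare SYN
    echo_targets = defaultdict(set)  # src -> distinct hosts sent an echo request
    icmp_info = defaultdict(set)     # src -> ICMP information-query types seen
    odd_flags = defaultdict(set)     # src -> FIN/Xmas/Null patterns seen
    for _, src, dst, proto, dport, flags, itype in packets:
        if proto == "icmp":
            if itype == 8:
                echo_targets[src].add(dst)
            elif itype in (13, 17):
                icmp_info[src].add(ICMP_NAMES[itype])
        elif proto == "tcp":
            kind = classify_tcp_flags(flags)
            if kind == "syn":
                syn_ports[(src, dst)].add(dport)
            elif kind in ("null", "xmas", "fin"):
                odd_flags[src].add(kind)

    findings = defaultdict(list)
    # A single connection attempt is one SYN to one port; a scan touches many ports.
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            findings[src].append(f"syn-scan {dst} ({len(ports)} ports)")
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"ping-sweep ({len(hosts)} hosts)")
    # Timestamp and address-mask requests have no normal use from outside; any count.
    for src, kinds in icmp_info.items():
        findings[src].append("icmp-info-query " + ",".join(sorted(kinds)))
    for src, kinds in odd_flags.items():
        findings[src].append("stealth-flags " + ",".join(sorted(kinds)))
    return dict(findings)


if __name__ == "__main__":
    for src, items in sorted(detect_scans(PACKETS).items()):
        print(src, "->", "; ".join(items))
```

The thresholds are the tuning knobs: a busy server legitimately receives SYNs on several ports from one client, so `port_threshold` should sit above the number of services a client normally uses, while the FIN, Xmas and Null patterns need no threshold because a correct TCP stack never emits them outside a connection.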


Identify Running Services

• Strobe

• Udp_scan (from SATAN)

• netcat

• PortPro & Portscan

• nmap

• Using SYN scan is usually stealthy

• Beware of DoS results


OS Detection

• Stack fingerprinting
  – Different vendors interpret RFCs differently

• Example:
  – RFC 793 states correct response to FIN probe is none
  – Win/NT responds with FIN/ACK

• Based on responses to specific probes, possible to make very educated guesses as to what OS running
  – Automated tools to make this easy!
    • Nmap (www.insecure.org/nmap/)


Automated, Graphical Tools

• Can trace network topology very accurately
  – ID machines by IP, OS, etc.
  – Makes attack much easier

• Cheops
  – www.marko.net/cheops/

• Tkined
  – wwwhome.cs.utwente.nl/~schoenw/scotty/


Enumeration

• Try to identify valid user accounts on poorly protected resource shares
  – Windows NT
    • net view
      – lists domains on network
      – can also list shared resources
    • nltest -- identifies PDC & BDC
    • SNMP
    • open a telnet connection


Summary

• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful

• There are three basic steps to planning, which is called vulnerability assessment:
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (enumeration)

• This applies if you are inside or outside the protected perimeter!


Homework - 1

1. Identify and describe how you would enumerate resources on a Unix network, similar to the discussion in class of enumeration on Windows/NT

2. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?


Assignment for Next Week

• Prepare your project outline, with the members of your team

• Next week’s topic: Hiding in Plain Sight