securing linux
what people can see
Big Picture
How to rob a bank
A bit of History
• 1954 & 1960 Bell System Technical Journal articles on trunk routing and signalling frequencies
• Pranks – Wozniak called the Pope
• 2600 Hz tone – the Captain Crunch whistle
• Phone phreaking
• Steve Wozniak's blue box tone generator
• 1990 – the phone system became digital
• War dialing – an early form of scanning
• Wargames, 1983
Socket Programming
• USPS addressing – 1520 Orchard Road Apt 2A (the street address finds the building, the apartment number finds the occupant)
• IP addressing – 192.168.10.50:5900 (the address finds the host, the port number finds the program)
• a service / application listens on an open port
• instant messaging, VoIP in games, telnet, FTP, HTTP
• protocols – the languages spoken over those ports
overview
• network topologies
– eggshell architectures
• where to get information
– news groups and mailing lists
• mapping a network
– ping sweeps and traceroutes
• mapping a host
– port scans and OS fingerprinting
• network scanners
– everything in a single powerful package
• social engineering
– exploiting human nature
where to get information
• news groups and mailing lists
• forums
• WHOIS databases
– registrar and registry WHOIS for domain names; regional Internet registries such as ARIN (www.arin.net) for IP address blocks
• DNS
Traditional topology
Enhanced traditional topology
Secure network topology
news groups / mailing lists / forums
• these are valuable resources
– for the system administrator
– for the newbie
• BUT people get over-excited and reveal too much information (gear-head syndrome)
• golden rule – remain faceless and traceless
• security through obscurity – post only using generic terms
news groups / forums
• they are a source of information
– personal information
• name, address, title, phone, e-mail
– system configuration
• network architecture
• real host names and IP addresses
• hardware: brand names and model numbers
– archives
• this information never goes away!!!
• http://www.archive.org
news groups / mailing lists
• countermeasures:
– use generic titles, not real names
– use switchboard numbers, not personal numbers
– separate e-mail addresses
• work-related communication (generic title)
• personal communication – [email protected]
– limit any public description of the network
• fictitious IP addresses & fictitious host names
WHOIS databases (registrar / registry WHOIS for names; www.arin.net and the other regional registries for IP blocks)
• whenever a domain name is registered
– contact information must be submitted with the registration
– this information is published in WHOIS (today registrant contacts are often redacted by registrar privacy services, but the registrar, the name servers and the registration dates remain visible)
• whois utility
– may require installation
– given an IP address instead of a name, it queries the IP registry for the holder of the address block
• linux example:
– whois lewisu.edu
– whois ibm.com
WHOIS database
• countermeasures:
– use generic titles, not real names
– use switchboard numbers, not personal numbers
– separate e-mail address
• work-related communication (generic title)
• personal communication
• obviously you MUST give valid information
• the goal is NOT to give away valuable information unnecessarily
DNS issues
• zone files have numerous record types which leak information
– HINFO – system info: CPU and OS
– TXT – additional free text
– RP – responsible person
• zone transfers (AXFR)
– needed to replicate the zone from the primary server to its secondaries
– but if left unrestricted, anyone can pull the complete list of hosts in one request
DNS Basics
• the Domain Name System resolves names to IP addresses (and, via reverse zones, addresses back to names) on the Internet
• started in 1983 with RFC 882; it has grown into one of the largest and most critical parts of the net
• beyond name translation, a number of protocols and applications depend on DNS records for their main activity
– SMTP uses MX records to map an e-mail domain to its mail servers
– SPF policies, telephone numbers and addresses, certificate bindings and other data are stored in zone records
BIND
• Berkeley Internet Name Domain Server
• BIND is open-source software that implements the DNS protocols for the Internet.
DNS issues
• dig – the DNS lookup utility ("domain information groper") is a flexible tool for interrogating DNS name servers
• linux example:
– dig -t hinfo hostname
– dig -t txt hostname
DNS issues
• reverse lookups (IP address --> host name) often provide too much free information
– 129.42.58.216 --> www.ibm.com
– www is a standard prefix for a web server
• linux example:
– dig www.lewisu.edu
– dig -x 204.248.57.178
DNS issues
• every version of BIND (4, 8, and 9) has had its flaws!
• 9 was a total rewrite and still had issues
– the following command
• host -c chaos -t txt version.bind <server>
– will usually tell you the specific version (the server answers a TXT query for version.bind in the CHAOS class)
• linux example:
– dig -c chaos -t txt version.bind
DNS issues
• countermeasures: faceless & traceless
– edit the zone files
• delete HINFO records
• delete TXT records that describe hosts
• RP records should contain a generic title, not a person
– edit /etc/named.conf (the options block; a per-zone statement overrides it)
• allow zone transfers to the secondary server only – the address below is a placeholder for the secondary's real address
» allow-transfer { 192.0.2.27; };
• otherwise, if the server has no secondaries
» allow-transfer { none; };
• disable the version.bind response
» version "not available";
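The two configuration countermeasures above, as an added example that is not part of the original slides: a shell script that writes a weak and a hardened named.conf and zone file (all constructed here; example.com, the host names and the 192.0.2.0/24 addresses are documentation placeholders) and audits them for open transfers, an exposed version string and HINFO/RP/TXT records.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit a BIND named.conf and a zone file for
# the information leaks listed above. Every sample file is constructed here;
# host names and the 192.0.2.0/24 addresses are documentation placeholders.

SAMPLE_DIR=$(mktemp -d)

# The weak configuration: transfers open to anyone, version string not overridden.
cat >"$SAMPLE_DIR/named.conf.weak" <<'EOF'
options {
    directory "/var/named";
    allow-transfer { any; };
};
EOF

# The hardened configuration: AXFR only to the one secondary, version hidden.
cat >"$SAMPLE_DIR/named.conf.hardened" <<'EOF'
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; };   // the secondary's address only
    version "not available";          // answer to a version.bind CHAOS TXT query
};
EOF

# A zone that advertises hardware, OS, role and a named contact.
cat >"$SAMPLE_DIR/example.com.zone.weak" <<'EOF'
$TTL 3600
@    IN SOA   ns1.example.com. hostmaster.example.com. ( 2024010101 7200 3600 1209600 3600 )
     IN NS    ns1.example.com.
ns1  IN A     192.0.2.53
www  IN A     192.0.2.10
www  IN HINFO "Sun Ultra 10" "Solaris 8"
www  IN TXT   "primary web server, Apache 1.3"
www  IN RP    jsmith.example.com. jsmith-info.example.com.
jsmith-info IN TXT "John Smith, desk phone x4321"
EOF

# The same zone with only what resolution needs.
cat >"$SAMPLE_DIR/example.com.zone.hardened" <<'EOF'
$TTL 3600
@    IN SOA   ns1.example.com. hostmaster.example.com. ( 2024010102 7200 3600 1209600 3600 )
     IN NS    ns1.example.com.
ns1  IN A     192.0.2.53
www  IN A     192.0.2.10
EOF

# Print each finding; return 1 if any was found, 0 if the file is clean.
audit_named_conf() {
    conf=$1; rc=0
    if ! grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*\{' "$conf"; then
        echo "FINDING: no allow-transfer directive (older BIND allows AXFR from anyone by default)"
        rc=1
    elif grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;' "$conf"; then
        echo "FINDING: allow-transfer { any; } lets anyone pull the whole zone"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*version[[:space:]]+"' "$conf"; then
        echo "FINDING: version not overridden; 'dig -c chaos -t txt version.bind' reveals the release"
        rc=1
    fi
    return $rc
}

# List zone records of the types the slide says to delete or neutralise.
# Comment lines (leading ';') are ignored; output is empty when the zone is clean.
leaky_zone_records() {
    zone=$1
    grep -Ev '^[[:space:]]*;' "$zone" | grep -Ei '[[:space:]](HINFO|RP|TXT)[[:space:]]' || true
}

# Number of such records, for scripting (e.g. a pre-reload check).
leaky_zone_record_count() {
    leaky_zone_records "$1" | awk 'END { print NR }'
}

# Run the audit over the constructed samples.
for f in weak hardened; do
    echo "== named.conf.$f"
    if audit_named_conf "$SAMPLE_DIR/named.conf.$f"; then
        echo "OK: transfers restricted, version hidden"
    fi
    echo "== example.com.zone.$f: $(leaky_zone_record_count "$SAMPLE_DIR/example.com.zone.$f") leaky record(s)"
    leaky_zone_records "$SAMPLE_DIR/example.com.zone.$f"
done
```

On a real server, point audit_named_conf at /etc/named.conf and leaky_zone_records at each zone file before reloading named; a non-zero exit from the first is a reason not to deploy.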
protocols and services
• network layer
– IP: internet protocol
– ICMP: internet control message protocol (carried inside IP, but a network-layer companion to IP, not a transport)
• transport layer
– UDP: user datagram protocol
– TCP: transmission control protocol
• services
IP: internet protocol
• foundational layer for higher level protocols
• packet header contains– source IP address
– destination IP address
ICMP: internet control message protocol
• purpose of ICMP is to provide feedback about IP delivery: errors and diagnostics
• the IP header supplies source and destination address; the ICMP header contains
– type, code, checksum, data
• most well-known packet types
– 8 echo request
– 0 echo reply
– 3 destination unreachable (code 4, fragmentation needed, is what Path MTU discovery relies on)
– 11 time exceeded (what traceroute relies on)
– 30 traceroute (RFC 1393, experimental and deprecated; real-world traceroute uses time exceeded instead)
UDP: user datagram protocol
• purpose of UDP is a minimal transport service with no guarantee of delivery
– connection-less
• the IP header supplies source and destination address; the UDP header contains
– source port number, destination port number
– length, checksum, then the data
• faster communication
– but lost packets are neither detected nor retransmitted by UDP; the application must cope
TCP: transmission control protocol
• purpose of TCP is a transport service with guaranteed, in-order delivery
– connection-oriented
• the IP header supplies source and destination address; the TCP header contains
– source port number, destination port number
– sequence #, acknowledgement #, control bits, window, checksum, then the data
• slower communication
– packets can still be lost on the wire, but TCP detects the loss and retransmits
TCP: transmission control protocol
• control bits include:
– SYN, ACK, RST, FIN, ...
• building a connection:
– source sends SYN
– destination sends SYN/ACK
– source sends ACK
• terminating a connection:
– source sends FIN/ACK
– destination sends ACK
– destination sends FIN/ACK
– source sends ACK
services
• port numbers fall into three categories:
– 0 through 1023 well-known
– 1024 through 49151 registered
– 49152 through 65535 dynamic / private
• www.iana.org has responsibility for assigning well-known and registered port numbers
• on Linux, binding a listener to a well-known port (below 1024) requires root or the CAP_NET_BIND_SERVICE capability; any user can connect to them
services
• linux example:– less /etc/services
mapping a network
• ping sweeps
– the cracker sees what is out there
• traceroutes
– the cracker learns how to get there
• countermeasures
ping sweeps
• types of ping sweeps
– icmp ping – traditional echo request
– echo port ping – request to TCP/UDP port 7 (echo)
– fast ping – icmp ping to many hosts in parallel (fping)
– network sweep – every address in a range
ping sweeps
• countermeasures:
– edit iptables and firewall rules
• no echo requests from the outside; allow them from the internal network only, rate-limited
• do NOT drop all ICMP at the firewall: destination unreachable (fragmentation needed) and time exceeded must still get through, or Path MTU discovery and your own traceroutes break
– be sure the echo port and chargen port are disabled
• edit /etc/inetd.conf or /etc/xinetd.conf
• consider disabling inetd or xinetd completely!
fundamental network tools
• netcat / nc
– swiss army knife of network communication
– invaluable to both
• the system administrator
• the cracker
• nmap
– basic tool for
• ping sweeps
• port scans
ntop
• ntop is a network traffic probe that shows network usage– similar to the UNIX top command
• ntop is a daemon that monitors the network
• ntop has a web interface
traceroutes
• once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute
• often provides information regarding
– location
• ISP names and locations are often visible in the reverse DNS names of the hops
– hardware
• descriptive names for routers, switches, and hosts
traceroutes
• flavors
– UNIX traceroute
• command
– traceroute <target>
• sequence of UDP packets with increasing TTLs; each router that expires a TTL answers with ICMP time exceeded, and the target answers the final probe with ICMP port unreachable
– Matt's traceroute
• command
– mtr <target>
• sequence of ICMP echo requests with increasing TTLs
traceroutes
• countermeasures:
– edit iptables and firewall rules
• drop ICMP echo requests from the outside
• drop UDP packets in the traceroute range – 33434 through about 33534 (the default base port 33434 plus one per probe)
– do NOT use descriptive names for components within the network
• function / role
• vendor
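An added example (not from the slides) covering both the ping sweep and the traceroute countermeasures: the rules in iptables-save form, with the literal "drop all ICMP" version beside a hardened one, and a check that flags a ruleset which also discards the ICMP that Path MTU discovery depends on. Both rule files are constructed; 10.0.0.0/8 is assumed to be the internal network.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): the ping-sweep and traceroute
# countermeasures as INPUT rules in iptables-save form, plus a check that a
# ruleset does not throw away the ICMP that IP itself needs. Both rule files
# are constructed here; 10.0.0.0/8 stands for the internal network.

RULES_DIR=$(mktemp -d)

# The literal reading of "drop ICMP at the firewall": silences ping sweeps, but
# also discards destination-unreachable, so Path MTU discovery to this host fails.
cat >"$RULES_DIR/weak.rules" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF

# Hardened: keep the ICMP that IP relies on, answer ping only from the inside
# and only slowly, then drop the rest of ICMP and the UDP traceroute range.
cat >"$RULES_DIR/hardened.rules" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p udp --dport 33434:33534 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF

# Walk the rules in order. Return 1 if a blanket "-p icmp -j DROP" comes before
# any ACCEPT of destination-unreachable, or if echo-request is accepted without
# a source restriction. Findings go to stdout.
icmp_policy_ok() {
    awk '
        /-p icmp/ && /--icmp-type (destination-unreachable|fragmentation-needed)/ && /-j ACCEPT/ { pmtud = 1 }
        /-p icmp/ && !/--icmp-type/ && /-j DROP/ && !pmtud {
            print "FINDING: blanket ICMP drop with no earlier accept of type 3 (breaks Path MTU discovery)"; bad = 1
        }
        /--icmp-type echo-request/ && /-j ACCEPT/ && !/-s / {
            print "FINDING: echo-request accepted from any source; restrict it to the internal network"; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# True when the UDP port range used by classic traceroute is dropped.
traceroute_udp_dropped() {
    grep -Eq -e '-p udp .*--dport 33434:[0-9]+ -j DROP' "$1"
}

for f in weak hardened; do
    echo "== $f.rules"
    if icmp_policy_ok "$RULES_DIR/$f.rules"; then
        echo "OK: the ICMP that IP needs still gets through"
    fi
    if traceroute_udp_dropped "$RULES_DIR/$f.rules"; then
        echo "OK: UDP traceroute probes are dropped"
    else
        echo "FINDING: UDP traceroute probes (33434 and up) are not dropped"
    fi
done
```

Against a live host the current rules can be checked the same way by feeding them in: iptables-save | icmp_policy_ok /dev/stdin.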
mapping a host
• port scans
– the cracker sees what ports are open
• OS fingerprinting
– the cracker determines the underlying software
• countermeasures
port scans
• what ports are open on the target host?
• what daemon is listening on each open port?– what software? what version?
port scans
• tools
– netcat
• UDP scans
• TCP scans
– nmap
• UDP scans
• TCP scans
• TCP stealth scans (SYN, FIN, Xmas, Null)
– strobe
port scans
• countermeasures:
– klaxon
• incorporated into /etc/inetd.conf or /etc/xinetd.conf
• listens on unused ports and logs whoever connects
– scanlogd
• monitors ports for a sudden increase in activity
– portsentry
• monitors up to 64 ports
• able to take action against an intruder!
– via tcp wrappers and/or iptables
– psad
• analysis of firewall logs
port scans
• identifying the software listening on a given port is usually as simple as
– telnet <target> <port>
• the software typically displays a banner announcing itself and its version number!
• countermeasures:
– remove / modify the banner display
– example, sendmail:
• in /etc/sendmail.cf (note the space after the O; without it the line is parsed as an old single-letter option)
– O SmtpGreetingMessage=$j UPS 2005; $b
• or, when sendmail.cf is generated from m4, set confSMTP_LOGIN_MSG to the same string
OS fingerprinting
• OS fingerprinting
– telnet is notorious for identifying
• the operating system, the distribution, even the kernel
– open ports often provide clues
• smtp, ssh, and portmap => UNIX
• netbios => Windows
– /etc/issue, /etc/issue.net, and /etc/motd
• often convey too much information
OS fingerprinting
• active OS fingerprinting
– send a sequence of specially crafted IP packets to the target
– catalog the responses
– compare with a database of responses from various operating systems
– software
• queso
• nmap (nmap -O)
• xprobe
OS fingerprinting
• countermeasures:
– utilize a firewall in front of servers
• the operating system detected is that of the firewall and not that of the server
– disable ICMP packets at the firewall
• negates xprobe, which fingerprints mainly through ICMP
– install IP Personality
• a netfilter patch for Linux 2.4 kernels only
• using iptables, can impersonate ANY operating system
OS fingerprinting
• passive OS fingerprinting
– does not initiate any additional IP traffic
– uses packet sniffing to gather information: initial TTL, window size, TCP options
– software
• siphon
• p0f
OS fingerprinting
• countermeasures
– some parameters of the operating system can be changed
• cat /proc/sys/net/ipv4/ip_default_ttl
– default value is 64
• echo 35 > /proc/sys/net/ipv4/ip_default_ttl
– changes it to 35 until reboot; the equivalent sysctl setting makes it permanent
– an unusual value only confuses the guess; pick one that still reaches every host you talk to
• edit error messages to masquerade as something else
– apache httpd.conf (ServerTokens, ServerSignature, ErrorDocument)
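What a passive fingerprinter such as p0f infers from the TTL it sniffs, and what the ip_default_ttl change above does to that inference, as an added example (not from the slides). The capture lines are constructed in tcpdump -v style and joined onto one line each; the 192.0.2.x and 198.51.100.5 addresses are placeholders, and the "OS family" table is the common rule of thumb, not p0f's real signature database.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): what a passive fingerprinter infers from
# the TTL of sniffed packets, and how the ip_default_ttl countermeasure skews it.
# Capture lines are constructed (tcpdump -v style, joined onto one line);
# addresses are documentation placeholders.

CAPTURE=$(mktemp)
cat >"$CAPTURE" <<'EOF'
IP (tos 0x0, ttl 59, id 1, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.44321 > 198.51.100.5.22: Flags [S]
IP (tos 0x0, ttl 118, id 2, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.20.50001 > 198.51.100.5.80: Flags [S]
IP (tos 0x0, ttl 249, id 3, offset 0, flags [none], proto UDP (17), length 76) 192.0.2.1.161 > 198.51.100.5.60000: UDP
IP (tos 0x0, ttl 30, id 4, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.30.40000 > 198.51.100.5.22: Flags [S]
EOF
# The fourth host is a Linux box 5 hops away running with ip_default_ttl=35, as on the slide.

# Initial TTLs in common use: 32 (very old Windows), 64 (Linux, *BSD, macOS),
# 128 (Windows), 255 (Cisco IOS, Solaris). A sniffer sees initial minus hops,
# so it rounds the observed value up to the next of these.
guess_initial_ttl() {
    t=$1
    if   [ "$t" -le 32 ];  then echo 32
    elif [ "$t" -le 64 ];  then echo 64
    elif [ "$t" -le 128 ]; then echo 128
    else                        echo 255
    fi
}

# Rule-of-thumb mapping from initial TTL to OS family (assumption, not a p0f signature).
os_family_for_initial_ttl() {
    case $1 in
        32)  echo "legacy Windows (95/98)" ;;
        64)  echo "Linux / BSD / macOS" ;;
        128) echo "Windows" ;;
        255) echo "Cisco IOS / Solaris / network gear" ;;
        *)   echo "unknown" ;;
    esac
}

# Hop distance the sniffer believes the host is at, given its guess.
implied_hops() {
    echo $(( $(guess_initial_ttl "$1") - $1 ))
}

# Pull "source ttl" pairs out of the capture and print one inference per packet.
fingerprint_capture() {
    sed -nE 's/.*ttl ([0-9]+),.*[[:space:]]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*/\2 \1/p' "$1" |
    while read -r src ttl; do
        init=$(guess_initial_ttl "$ttl")
        printf '%-16s ttl=%-3s -> initial %-3s (%s), ~%s hops away\n' \
            "$src" "$ttl" "$init" "$(os_family_for_initial_ttl "$init")" "$(implied_hops "$ttl")"
    done
}

# The 192.0.2.30 line shows the side effect of ttl=35: the sniffer decides on
# 32, files the host under legacy Windows and thinks it is 2 hops away, not 5.
fingerprint_capture "$CAPTURE"
```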
network scanners
• combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a network scanner
• ISS: Internet Security Scanner
– the first publicly available one
• NESSUS
– the Cadillac of network scanners!
network scanners
• other network scanners
– Nmap
– SATAN: Security Administrator's Tool for Analyzing Networks
• could be installed under the name SANTA instead!
– SAINT: Security Administrator's Integrated Network Tool
– SARA: Security Auditor's Research Assistant
– NSAT: Network Security Analysis Tool
• text based!
– raccess: Remote Access System
• doesn't just check the host; it exploits if possible!
social engineering
• ten common techniques of social engineering
– impersonation
• pretend to be someone from inside the company to obtain passwords
• usually coupled with research regarding IT personnel
– sympathy
• usually a request for access to hardware: server room or PC
• usually coupled with dire consequences if unable to complete the task
social engineering
• ten common techniques (cont'd)
– wooing
• develop a trust relationship with the victim
• to obtain a wide range of information
– intimidation
• for victims who do not respond well to sympathy or wooing
• pretense: company official, government official, inspector
social engineering
• ten common techniques (cont'd)
– greed
• money or goods in exchange for information
– confusion
• create a diversion which vacates an office
• access the logged-on session
social engineering
• ten common techniques (cont'd)
– shoulder surfing
• passive observation of typing
– either by physical presence as a trusted individual
– or by using some form of eavesdropping
– dumpster diving
• searching garbage for useful information
– either discarded papers
– or removable media
social engineering
• ten common techniques (cont'd)
– phishing
• request for the victim to visit a false web site
• for the purpose of "updating" invalid / obsolete information
– reverse social engineering
• present oneself as an expert who can fix a problem
• results in a reversal of roles:
– the victim asks the questions
– the social engineer provides the answers
» often being granted access to the computer systems
diy pen testing
• whois lewisu.edu
• host lewisu.edu
• dig lewisu.edu
• traceroute www.google.com
• ping lewisu.edu
• check your box
– netstat -anp
– dmesg | more
– ps aux
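The "check your box" step turned into a repeatable check, as an added example that is not part of the slides: parse netstat -anp output, list every socket other hosts can reach, and compare it with the ports the box is supposed to serve. The netstat snapshot is constructed; PIDs, program names and the 192.0.2.10 / 198.51.100.7 addresses are illustrative. On a live system netstat shows the PID/Program name column only when run as root.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit the listening sockets of a host
# from a saved "netstat -anp" snapshot and report anything exposed to the
# network that is not on the box's allow-list. The snapshot below is constructed;
# PIDs, program names and addresses are illustrative.

SNAPSHOT=$(mktemp)
cat >"$SNAPSHOT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1034/sendmail: accepting
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/rpcbind
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      2201/Xvnc
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 3012/sshd: admin
tcp6       0      0 :::80                   :::*                    LISTEN      1500/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
EOF

# Print "proto port program" for every socket reachable from other hosts:
# TCP sockets in LISTEN, or any UDP socket, bound to the wildcard address
# (0.0.0.0 or ::). Loopback-only binds are skipped: they are not on the network.
network_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6)$/ && $6 != "LISTEN" { next }          # established connections are not listeners
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)   # everything before the last colon
            if (addr != "0.0.0.0" && addr != "::") next          # loopback or a single interface
            prog = ($1 ~ /^tcp/) ? $7 : $6                       # UDP lines have no State column
            sub(/^[0-9]+\//, "", prog)                           # strip the PID
            printf "%s %s %s\n", substr($1, 1, 3), port, prog
        }
    ' "$1"
}

# Report listeners not in the allow-list, given as space-separated "proto/port"
# tokens describing the role of the box (e.g. "tcp/22 tcp/80").
unexpected_listeners() {
    snapshot=$1 allow=$2
    network_listeners "$snapshot" | while read -r proto port prog; do
        case " $allow " in
            *" $proto/$port "*) ;;
            *) echo "EXPOSED: $proto/$port ($prog)" ;;
        esac
    done
}

unexpected_listener_count() {
    unexpected_listeners "$1" "$2" | awk 'END { print NR }'
}

# This box is meant to be an ssh-reachable web server: rpcbind and VNC should not be there.
echo "== network listeners"
network_listeners "$SNAPSHOT"
echo "== not in role tcp/22 tcp/80"
unexpected_listeners "$SNAPSHOT" "tcp/22 tcp/80"
```

To audit a real host, save its table with netstat -anp (or ss -lntup, whose columns differ and need a different awk) and run unexpected_listeners over the file with the ports that host is supposed to serve; anything it prints is a candidate for the "close unneeded ports" item of the summary.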
Summary
• Remove extra packages and services / daemons; close unneeded ports
• Methodology of least privilege
• Adopt a minimalist approach
• Acknowledge that there are no security silver bullets!
• Adopt a comprehensive secure design utilizing multiple layers of defense