
Vulnerability Scanning


Presentation Transcript


  1. FORESEC Academy Security Essentials (III) Vulnerability Scanning

  2. Agenda • Threat vectors • Social Engineering • Bypassing the firewall • Tools that may be visiting your DMZ • Network Mapping Tools and Vulnerability Scanners

  3. Primary Threat Vectors • Outsider attack from network • Outsider attack from telephone • Insider attack from local network • Insider attack from local system • Attack from malicious code

  4. KaZaA • Designed for peer-to-peer file sharing on the Internet • Introduces security weaknesses - Hole in a firewall - Users give away network information - A possible annoyance or DDoS tool

  5. KaZaA - Firewall Subversion • Before: 1) A and B set up KaZaA Net 2) Firewall denies inbound TCP request • Subversion: 1) C connects to KaZaA Net 2) C's request relayed to A 3) A connects to C through the firewall

  6. Firewalls, Wireless Connections, and Modems

  7. Firewalls, Wireless Connections, and Modems

  8. Social Engineering • Attempt to manipulate or trick a person into providing information or access • Bypass network security by exploiting human vulnerabilities • Vector is often outside attack by telephone or a visitor inside your facility

  9. Social Engineering (2) • Human-based - Urgency - Third-person authorization • Computer-based - Popup windows - Mail attachments

  10. Social Engineering Defense • Develop appropriate security policies • Establish procedures for granting access, etc., and reporting violations • Educate users about vulnerabilities and how to report suspicious activity

  11. Tools that may be Visiting Your DMZ • 3 famous Windows Trojans • Open share scanners • Jackal, Queso, and SYN/FIN • Nmap and Hping • Worms

  12. Trojans

  13. Trojans (2)

  14. SubSeven Client

  15. SubSeven EditServer

  16. Trojans Review • Trojans can penetrate firewalls as email attachments • SubSeven is still one of the most common • Protective tools include all major anti-virus tools, firewalls, and personal firewalls

  17. Network Mapping Tools • Open share scanners - Legion • Network Scanners - Jackal • TCP Fingerprinting - Queso and SYN/FIN • Port Scanners - Nmap and Hping

  18. Finding Unprotected Shares -Legion

  19. Enter the Jackal 1997

  20. Sons of Jackal Continue to be Seen: Source Port 0 and 65535

  21. Queso and Friends http://www.securityfocus.com/tools/144 Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, its authors claim to be able to distinguish over 100 OSes and OS states. The Queso pattern is shown on the notes page.

  22. Spoofed NetBIOS
  • 06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
  • 06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
  • 06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
  • 06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
  • 12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
  • 12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
  • 12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
  • 12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)

  23. TTL The notes pages list the Time To Live fields from the traces on the previous slide. Notice how they cluster around 120; that is not expected behavior. This was fixed in the Nmap 2.08 release, whose decoy function gives the decoy packets random TTLs. Analysis credit to Army Research Lab
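The analyst's checks behind slides 17, 20, 21, 22 and 23 can be run over a trace mechanically. The script below is an added example, not part of the presentation: it parses tcpdump-style lines like the ones on the "Spoofed NetBIOS" slide and reports (a) SYNs that repeat the same initial sequence number from one source port with a backing-off timer, which is how a real TCP stack retransmits; (b) TTL values shared by several supposedly independent sources to one destination, the clustering the TTL slide points to; and (c) packets no normal stack sends, the SYN/FIN probes of Queso and Jackal and the source ports 0 and 65535 of the Jackal descendants. The sample trace reuses the eight lines from slide 22 with a constructed "(ttl N, id M)" suffix in tcpdump -v style (the real TTLs were on the notes page, which the transcript does not include), plus four constructed lines for the other patterns; the prober names, TTLs and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample trace: slide 22's eight lines with an assumed TTL suffix,
# followed by constructed decoy-style SYNs and one crafted SYN/FIN probe.
SAMPLE_TRACE = """\
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF) (ttl 121, id 40201)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF) (ttl 121, id 40202)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF) (ttl 121, id 40203)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF) (ttl 121, id 40204)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF) (ttl 120, id 50810)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF) (ttl 120, id 50811)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF) (ttl 120, id 50812)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF) (ttl 120, id 50813)
12:58:41 proberB.1033 > 172.20.216.29.139: S 1000001:1000001(0) win 8192 (DF) (ttl 120, id 17)
12:58:41 proberC.1034 > 172.20.216.29.139: S 1000002:1000002(0) win 8192 (DF) (ttl 120, id 18)
12:58:41 proberD.1035 > 172.20.216.29.139: S 1000003:1000003(0) win 8192 (DF) (ttl 120, id 19)
13:02:10 proberF.65535 > 172.20.216.29.139: SF 0:0(0) win 1028 (ttl 250, id 2)
"""

# Old tcpdump TCP line: "HH:MM:SS src.sport > dst.dport: FLAGS seq:seq(len) win N ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\))?"
    r"(?P<rest>.*)$"
)
TTL_RE = re.compile(r"ttl\s+(\d+)")


def parse_trace(text):
    """Parse tcpdump-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["seq"] = int(rec["seq"]) if rec["seq"] else None
        ttl = TTL_RE.search(rec["rest"])
        rec["ttl"] = int(ttl.group(1)) if ttl else None
        h, mi, s = (int(x) for x in rec["ts"].split(":"))
        rec["secs"] = h * 3600 + mi * 60 + s  # seconds since midnight, for gaps
        records.append(rec)
    return records


def find_syn_retransmits(records, min_repeats=2):
    """Group pure SYNs that repeat the same ISN on the same 4-tuple and return
    the gaps between them. A kernel TCP stack retransmits an unanswered SYN
    with the same ISN on a doubling timer; a packet crafter has no such timer."""
    groups = defaultdict(list)
    for r in records:
        if r["flags"] == "S" and r["seq"] is not None:
            key = (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
            groups[key].append(r["secs"])
    out = {}
    for key, times in groups.items():
        if len(times) >= min_repeats:
            times.sort()
            out[key] = [b - a for a, b in zip(times, times[1:])]
    return out


def ttl_clusters(records, min_sources=3):
    """Per destination, TTL values that several distinct sources arrived with.
    Independent hosts rarely sit the same hop count away; one TTL shared by many
    'sources' hints that a single host generated them (pre-2.08 Nmap decoys)."""
    by_dst = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["ttl"] is not None:
            by_dst[r["dst"]][r["ttl"]].add(r["src"])
    result = {}
    for dst, ttls in by_dst.items():
        hits = {ttl: sorted(srcs) for ttl, srcs in ttls.items() if len(srcs) >= min_sources}
        if hits:
            result[dst] = hits
    return result


def find_crafted_packet_signs(records):
    """Flag packets a normal stack never emits: SYN and FIN together (the
    'unexpected code bit' probes) and source port 0 or 65535 (Jackal's heirs)."""
    findings = []
    for r in records:
        flags = set(r["flags"]) - {"."}
        reasons = []
        if {"S", "F"} <= flags:
            reasons.append("SYN+FIN set")
        if r["sport"] in (0, 65535):
            reasons.append(f"source port {r['sport']}")
        if reasons:
            findings.append((r["ts"], r["src"], r["sport"], r["dst"], r["dport"], reasons))
    return findings


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for key, gaps in find_syn_retransmits(recs).items():
        print("stack-style SYN retransmit", key, "gaps(s):", gaps)
    for dst, ttls in ttl_clusters(recs).items():
        print("TTL clustering toward", dst, ttls)
    for f in find_crafted_packet_signs(recs):
        print("crafted packet", f)
```

The retransmit gaps of 3, 6 and 12 seconds with an unchanged ISN on proberA.4197 are what a stack's SYN timer produces, which is the evidence that those sources were real connect attempts rather than forged packets, while the shared TTL toward 172.20.216.29 is the clustering the slide calls unexpected. The thresholds (two repeats, three sources) are tuning knobs; raise them on a busy sensor.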

  24. Nmap - Network Mapper • Freeware, award-winning network scanner. • Supports a large number of scanning techniques. • Numerous other features supported. - Remote Operating System Detection - Application Detection

  25. nmapwin - Windows port

  26. Hping - Spoofing Port Scanner • Conceptually, a TCP version of Ping • Sends custom TCP packets to a host and listens for replies • Enables port scanning and spoofing simultaneously, by crafting packets and analyzing the replies

  27. Hping v2.0 - hping Enhanced • Uses hping crafted packets to: - Test firewall rules - Test net performance - Remotely fingerprint OSes - Audit TCP/IP stacks - Transfer files across a firewall - Check if a host is up

  28. Worms • Attack system through known holes. • Automatically scan for more systems to attack. • Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.
