330 likes | 459 Views
Introduction to Vulnerability Assessment Labs. Ge Zhang ge.zhang@kau.se Dvg-C03 . Schedule. 4 Attacking methods Traffic sniffing ARP spoofing Password cracking Port Scanning 1 Defense methods Firewall configuration 2 Vulnerability assessment tool Nessus Bastille
E N D
Introduction to Vulnerability Assessment Labs Ge Zhang ge.zhang@kau.se Dvg-C03
Schedule • 4 Attacking methods • Traffic sniffing • ARP spoofing • Password cracking • Port Scanning • 1 Defense methods • Firewall configuration • 2 Vulnerability assessment tool • Nessus • Bastille • Summarizing Report on its learning (1-2 pages)
Environment • 3 VM images (c:\VMware\valab-ht10\) • Windows, Fedora (angel), Fedora (devil)
Sniffing • Hub: a hub simply receives incoming packets and broadcasts these packets out to all devices on the network • Adapt promiscuous mode: an adapter can receive all frames on the network, not just frames are addressed to that adapter
Sniffing practice • Surfing with the browser on the host machine • Sniff the HTTP traffic using wireshark on the VM
Hub v.s. switch • Hub: Layer 1 (physical) • Switch: Layer 2 (data-link)
ARP (Address Resolution Protocol) • MAC address (layer 2) • Global unique • Unchangeable • IP address (layer 3) • Network unique • Changeable
Preparation • ipconfig /all • Let me know the last number of your ip address and mac address • ping [hostname] –t
Password Cracking • Authentication: • Something you know • Something you have • Something you are • Password need to be transferred • Password need to be stored
Brute Force • Attempts all possible combinations of letters and numbers • Possible Solution • Limit amount of unsuccessful logins • Change password often • The length should be at least 8 characters
Dictionary • Type of Brute Force • Only tries possibilities that are likely to succeed • List are derived from dictionary • Possible Solutions • Mix and match numbers, letters, upper and lower case • Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
John the ripper • Traditionally the account information is stored in the /etc/passwd file • The /etc/passwd file is world-readable • Shadow password system stores passwords in the file /etc/shadow which is not world-readable • unshadow /etc/passwd /etc/shadow > tmp • less tmp /*have a look*/ • john tmp • Then create your own account and password, run “john” again to see the result • useradd [your account] • passwd [your account]
Port Scanning • Attackers wish to discover services they can break into. • Whether the service existing? • sending a packet to each port, once at a time. • Based on the type of response, an attacker knows if the port is used. • The used ports can be probed further for weakness. • Well-known: tcp 21, tcp 22, tcp 23, tcp 80 …
Nmap • -sT (scanning by TCP connections) • -sS (SYN scanning) • -sU (UDP scanning) • -sV (Version detection) • -O (OS fingerprinting) • -T[0-5] (time interval) • -f (fragmenting)
Nmap • Zenmap: graphical interface
Firewall • A set of related programs that protects the resources of a private network or a host from external environment. • A mechanism for filtering network packets based on information contained within the IP header.
IPtables 3 default chains • input Used to control packets entering the interface. (The packets will be ended in this machine) • output Used to control packets leaving the interface. (The packets are originated from this machine) • forward Used to control packets being masqueraded, or sent to remote hosts.
IPtables • iptables command [match] [target] • Command: -A, -I, -D, -F, -L • Match: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port] • Target: -j [ACCEPT/DROP/LOG…] • Example: • iptables –I INPUT –p ICMP –j DROP • iptables –I INPUT –p ICMP –icmp-type 0 –j ACCEPT • Our task: restrict all inbound traffic, except SSH requests on port 22. However, any outgoing requests should not be affected.
Nessus • Remote vulnerability scanner • Nessus will • Perform over 900 security checks • Accept new plugins to expand new checks • List security concerns and recommend actions to correct them
Nessus • Client/server architecture • Server: perform checking • Client: Front-end • Can test unlimited amount of hosts in each scan
Bastille • Operating System Hardening • Remove unnecessary processes • Setting file permissions • Patching and updating • Setting networking access controls • Generate your own hardening policy • Can be run manually to provide advice and information
Bastille • Assessment mode: bastille -a
Bastille • Configuration mode: bastille -x