
Advances In Real-Time Vulnerability Assessment


Presentation Transcript


  1. Advances In Real-Time Vulnerability Assessment By David Meltzer

  2. Web Server W-IDS Sensor CISO The Worst IDS Ever Invented

  3. Web Server B-Scanner Engine CISO The Best Active Scanner Ever Invented

  4. Agenda • Brief history of assessment tools • Less recent advances • Examination of passive techniques • Hybrid scanning • Introduce PAPMap • Hybrid exploits • Conclusions

  5. Vulnerability Assessments Answers These Questions: Inventory / Discovery What hosts are on the network? What ports are open? What services are running? What is the configuration state of those services? Deeper… Vulnerability State What are the vulnerabilities on a host? What are the patches missing on a host? What is it about this host that creates a security risk?

  6. Assumptions No host-based tools. Knowledge is useful. Networks change.

  7. Comparing Scanning Techniques The Metrics: • Coverage What can it tell you? • Accuracy False positives/negatives? • Speed Time-to-Detect • Turbidity Disruptiveness to network/hosts

  8. Traditional Scanning “Active” Scanning SATAN, ISS, Nessus, etc.

  9. Less Recent Advances in Active Vulnerability Analysis • Distributed Scanning • Directed Scanning • Fingerprint-Based Scanning

  10. Passive Vulnerability Analysis: The First Passive Check (me, RealSecure, circa 1997) Browser vulnerabilities becoming popular. Browsers don’t listen on the network. No way to tell if host running a vulnerable browser via scanning (in many situations). Solution: Watch HTTP connections for version of browser being used in IDS. Trigger alert if version matches a known vulnerable one.

  11. Passive Vulnerability Analysis Passive vulnerability signatures in RealSecure IDS – Meltzer ’97 “Passive Vulnerability Detection” – Gula ’99 “Target-Based IDS” – Roesch ’00 “Vulnerability Detection Systems (VDS)” – Meltzer ’02 “Passive Vulnerability Scanner (PVS)” – Gula ’03 “Passive Network Discovery Systems (PNDS)” – Roesch ’04

  12. Passive Vulnerability Analysis: Turbidity Listening is safe (mostly). Why people like IDS. Why people like anything passive.

  13. Passive Vulnerability Analysis: Speed Real-Time But… At first use

  14. Passive Vulnerability Analysis: Coverage Ugh… Some things only/better discovered passively (e.g. client-side vulns) Some things discovered equally well passively or actively (e.g. lots of versioning) MANY things only discovered actively (e.g. almost all SANS Top 20 vulns)

  15. Passive Vulnerability Analysis: Accuracy Depends… IF you are content with poor coverage, you can have perfectly accurate passive scanning.

  16. Hybrid Scanning Approach Realizing active and passive scanning are complementary techniques… Why should you have to choose?

  17. Hybrid Scanning Defined Gathering network inventory and vulnerability data using both active and passive techniques integrated into a single system.

  18. Hybrid Advantages Independent active/passive engines: • Double the hassle • Substantially more turbidity • Waste resources • Manually resolve conflicts Hybrid approach: • Single configuration • Uses less bandwidth than pure active • Single output

  19. Hybrid Scanning: Introducing PAPMap Combines passive and active scanning techniques for TCP port discovery. Operates as a drop-in replacement for nmap. Utilizes nmap for active scanning. A complete and functional hybrid scanner but with only TCP port coverage.

  20. PAPMap Requirements R-1. Takes same command line as nmap. R-2. Produces almost same output as nmap. R-3. Runs nmap scan then switches to passive listening mode and updates output anytime a change in TCP port open/closed state detected.

  21. PAPMap Components papCL: command-line interface papGUI: GUI interface papNmap: nmap communication interface papDB: in-memory port state database papSniff: network listener for port states papAlert: output handler

  22. PAPMap CL Operation: Part I nmap: % nmap -oX nmap-results.xml 192.168.1.0/24 papmap: % papmap -oX nmap-results.xml 192.168.1.0/24

  23. PAPMap CL Operation: Part II • Executes nmap • Loads nmap XML output into in-memory database • Starts listening promiscuously on network

  24. PAPMap CL Operation: Part III Sniffer Design • Only interested in initial connection establishments • Only interested in connections being made TO the hosts in network range being scanned • Interested in state of all ports • pcap-based sniffer

  25. PAPMap CL Operation: Part III Sniffer Design 2 (TCP/IP 101) Easy cases: • Port is listening IF… SYN/ACK reply FROM port • Port is NOT listening IF… SYN sent TO port AND RST reply FROM port

  26. PAPMap CL Operation: Part III Sniffer Design 3 Hard cases: No reply to a SYN: Is port closed? Is host down? Did I drop a packet? Did network drop packet? Was SYN malformed? Firewall? Need state-handling to resolve

  27. PAPMap CL Operation: Part III Sniffer Design 4 When a new connection is established or denied… • Lookup known state in papDB • If state has changed… • Update papDB • Send alert to papAlert
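The sniffer logic of slides 24 to 27 (SYN/ACK means listening, SYN followed by RST means not listening, an unanswered SYN needs state handling, and a changed state updates the database and raises an alert) as an added Python example; this is not PAPMap's own code, and the packet summaries, the `PortStateDB` class and the `filtered` label for unanswered SYNs are assumptions made here.

```python
from collections import namedtuple

# Constructed packet summary, standing in for what a pcap-based sniffer would
# hand over after decoding the TCP header. flags is a set of 'S', 'A', 'R'.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

class PortStateDB:
    """In-memory port-state database playing the role of papDB (assumed design)."""
    def __init__(self, targets, initial=None):
        self.targets = set(targets)       # hosts in the scanned network range
        self.state = dict(initial or {})  # (host, port) -> 'open' / 'closed' / ...
        self.pending = {}                 # (host, port) -> unanswered SYN count
        self.alerts = []                  # (host, port, old, new) handed to papAlert

    def _update(self, key, new):
        old = self.state.get(key, "unknown")
        if old != new:                    # only a change is worth an alert
            self.state[key] = new
            self.alerts.append((key[0], key[1], old, new))

    def observe(self, p):
        # A bare SYN TO a target port is a connection attempt; remember it.
        if "S" in p.flags and "A" not in p.flags:
            if p.dst in self.targets:
                k = (p.dst, p.dport)
                self.pending[k] = self.pending.get(k, 0) + 1
            return
        key = (p.src, p.sport)            # replies come FROM the probed port
        if p.src not in self.targets:
            return
        if "S" in p.flags and "A" in p.flags:          # SYN/ACK: port is listening
            self.pending.pop(key, None)
            self._update(key, "open")
        elif "R" in p.flags and key in self.pending:   # RST to our SYN: not listening
            self.pending.pop(key, None)
            self._update(key, "closed")
        # A RST with no matching SYN is ignored: it is not evidence either way.

    def expire(self):
        # Hard case: SYNs that never got an answer. Could be a firewall, a dropped
        # packet or a dead host, so record 'filtered' (nmap's term), not 'closed'.
        for key in list(self.pending):
            self._update(key, "filtered")
        self.pending.clear()

def demo():
    # Constructed traffic: nmap reported 10.0.0.5:80 open and :22 closed; a client
    # then finds 22 answering, 80 refusing, and 443 silent.
    db = PortStateDB(["10.0.0.5"], {("10.0.0.5", 80): "open", ("10.0.0.5", 22): "closed"})
    for p in [Pkt("10.0.0.9", 40001, "10.0.0.5", 22, {"S"}),
              Pkt("10.0.0.5", 22, "10.0.0.9", 40001, {"S", "A"}),
              Pkt("10.0.0.9", 40002, "10.0.0.5", 80, {"S"}),
              Pkt("10.0.0.5", 80, "10.0.0.9", 40002, {"R", "A"}),
              Pkt("10.0.0.9", 40003, "10.0.0.5", 443, {"S"})]:
        db.observe(p)
    db.expire()
    return db
```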

  28. PAPMap CL Operation: Part IV • Line output to stdout indicating new status of the port. • Nmap XML file is updated to reflect real-time state of network being mapped (but updates cached to avoid flailing disk). • Monitoring continues until user quits.

  29. PAPMap Demo

  30. PAPMap Benchmarks In progress, will be updated before conference…

  31. PAPMap Status v1.0 released at Ruxcon, July 10, 2004 Source and binaries freely available following conference at: http://www.intrusec.com/resources.asp

  32. PAPMap Future Enhancements • Expand coverage beyond TCP port state • Add active rescans • Add ‘reverse’ mode • Hybridize other popular tools

  33. Hybrid Exploits The Idea: Passively: Sniff network waiting for a ‘trigger’ alert New system comes up on network Host connects to Windows Update to patch Active: Exploit the target device in real-time Exploit and load shell before patches occur

  34. Hybrid Exploits Example / Demo In progress, will be updated before conference…

  35. Thanks and Credits Thanks to Mike Davis for his work on PAPMap with me, and to Intrusec for sponsoring this research. Word to duke, caddis, and ruxcon crew for giving me a reason to rux it in .au.
