Fighting Zombies with FastNMAP & Npwn: A Case Study At Washington University. REN-ISAC Techburst, Thursday, April 29th, 2010. Brian Allen, CISSP, ballen@wustl.edu, Network Security Analyst, Washington University in St. Louis, http://nso.wustl.edu/. Washington University in St. Louis, MO.
Washington University in St. Louis, MO
• Private University Founded in 1853
• 3,000+ Full Time and Adjunct Faculty
• 13,000+ Full and Part Time Students
• 13,000+ Employees
• 4000+ Students Living on Campus
• Decentralized Campus Network
Decentralized Campus Network (diagram): Internet, NSS, NSO, and the schools and units on the campus network: Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture, Engineering School.
NSS = Network Services and Support
NSO = Network Security Office
A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning
• Give Notice to Departments Before Scanning
• The Period Between Scans is Not Too Important: 1 week < X < A Couple Months
• A Switch's One Minute Heartbeat was Missed, and the School's Network Engineers Were Paged
• KVM Switch Hung: It was Old and Needed to be Updated, Then it Handled the Scan Fine
• Identify Devices with Problems, Exclude Them, Work to Fix Them
My Scanner: Dell PowerEdge R805
• 2x Quad-Core AMD Opteron 2.4GHz
• 16GB Memory
• 2x 146GB 10K Hard Drives
• 4x Broadcom NetXtreme II 5708 1GbE Onboard NICs
• Need to upgrade to an Intel Pro/1000 PCI-Express card ($100-200)
NMAP Scripting Engine
• I kept 92 nse scripts like:
  • "dns-recursion.nse"
  • "http-headers.nse"
  • "imap-capabilities.nse"
  • "irc-info.nse"
  • "p2p-conficker.nse"
  • "smb-enum-users.nse"
  • "ssl-cert.nse"
• I removed all the brute force ones + others like:
  • "smb-check-vulns.nse"
  • "smb-brute.nse"
FastNMAP Command
# nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan' | awk '{print $5}' | ./fastnmap.pl
NPWN Command
# ./npwn.pl -x -s 7 -d ./log/
FastNMAP.pl Status Update
• Took three days to scan 128.252.0.0/16
• Much of the campus sits behind firewalls
• Can only scan the MedSchool's 93 /24 subnets once per month
• Am not scanning any of our private IP space (student subnets, wireless, etc)
• Usually find about 3000 IP addresses online
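The FastNMAP pipeline above feeds a list scan of the /16 into a script that splits the work across parallel nmap runs, and the earlier slide recommends excluding devices that cannot tolerate a scan. The following Python is an added example of that target-list stage, not the talk's fastnmap.pl. It assumes the list-scan line format "Nmap scan report for 128.252.0.1" (the IP in the fifth field, exactly what the slide's awk '{print $5}' pulls out), a constructed exclude set of fragile hosts, and a hypothetical ./nse directory holding the curated NSE scripts.

```python
"""Build FastNMAP-style scan batches from `nmap -sL -n` output.

Added example for the talk's scanning pipeline; it is not the fastnmap.pl
script from the presentation. Assumptions (labelled): list-scan lines look
like "Nmap scan report for 128.252.0.1" (IP in the 5th field, which is what
the slide's awk '{print $5}' extracts); fragile devices live in a constructed
exclude set and are also handed to nmap through --excludefile.
"""
import ipaddress
from typing import Iterable, List, Set

# Constructed sample of `nmap -sL -n` output (a real /16 yields 65,536 lines).
SAMPLE_LIST_SCAN = """\
Starting Nmap ( http://nmap.org ) at 2010-04-29 09:00 CDT
Nmap scan report for 128.252.0.1
Nmap scan report for 128.252.0.2
Nmap scan report for 128.252.0.3
Nmap scan report for 128.252.0.4
Nmap scan report for 128.252.0.5
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.01 seconds
"""

# Constructed: hosts known to misbehave under a scan (an old KVM switch, say).
FRAGILE: Set[str] = {"128.252.0.3"}


def parse_list_scan(text: str) -> List[str]:
    """Extract target IPs from list-scan output, the Python equivalent of
    egrep '^Nmap scan' | awk '{print $5}'. A garbled line raises ValueError
    instead of silently feeding junk to the scanner."""
    targets = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:3] == ["Nmap", "scan", "report"] and len(fields) >= 5:
            ipaddress.ip_address(fields[4])  # validate before accepting
            targets.append(fields[4])
    return targets


def make_batches(targets: Iterable[str], exclude: Set[str], size: int) -> List[List[str]]:
    """Drop excluded hosts, then cut the rest into fixed-size batches so
    several nmap workers can run side by side (the FastNMAP idea)."""
    kept = [t for t in targets if t not in exclude]
    return [kept[i:i + size] for i in range(0, len(kept), size)]


def nmap_argv(batch: List[str], job: int, exclude_file: str = "fragile.txt",
              scripts: str = "./nse") -> List[str]:
    """Command line for one worker: service detection plus the curated NSE
    directory (hypothetical ./nse), XML output per job, and --excludefile as
    a second guard against touching a fragile host if the batch list is wrong."""
    return ["nmap", "-sV", "--script", scripts, "--excludefile", exclude_file,
            "-oX", f"scan-{job}.xml"] + batch


def plan(text: str = SAMPLE_LIST_SCAN, exclude: Set[str] = FRAGILE,
         size: int = 2) -> List[List[str]]:
    """Full pipeline: parse, exclude, batch, and build one argv per worker."""
    batches = make_batches(parse_list_scan(text), exclude, size)
    return [nmap_argv(b, i) for i, b in enumerate(batches)]


if __name__ == "__main__":
    for argv in plan():
        print(" ".join(argv))
```

The batch size is the knob that trades scan speed against load on the network and on the fragile devices the slide warns about; the exclude set is applied twice on purpose, once when building batches and once via --excludefile, so a stale target list cannot page the network engineers again.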
Some Interesting Npwn Tags
NPWN TAG                Severity
[VNCAUTHBYPASS]         {10}
[BACKDOOR]              {10}
[IMAPWEAKAUTHNOSSL]     {7}
[POP3WEAKAUTHNOSSL]     {7}
[NOPASSWD]              {7}
[OPENX11]               {7}
[SERV-U]                {6}
[OLD_MSFTP]             {4}
[SSLCERT_WILDCARD]      {4}
[NSFTP]                 {3}
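Npwn's job, as the tag table shows, is to turn raw nmap and NSE output into named findings with a severity so the campus can triage them. The Python below is an added example of that tagging step, not the talk's npwn.pl. The tag names and severities are the slide's; the conditions that fire them are my reading of the names (IMAP or POP3 offering plaintext login with no STARTTLS/STLS, a certificate whose commonName begins with "*."), and the nmap XML is constructed, not a real scan.

```python
"""Tag nmap XML results Npwn-style, one severity per finding.

Added example; not the npwn.pl script from the talk. Tag names and
severities come from the slide; the trigger rules are an assumed reading of
the names, and the sample XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Severity per tag, as listed on the slide.
SEVERITY = {"IMAPWEAKAUTHNOSSL": 7, "POP3WEAKAUTHNOSSL": 7, "SSLCERT_WILDCARD": 4}
WILDCARD_CN = re.compile(r"commonName=\*\.")

# Constructed nmap XML: two hosts, NSE results in each <script output="...">.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="128.252.0.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="143"><state state="open"/><service name="imap"/>
<script id="imap-capabilities" output="IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-cert" output="Subject: commonName=*.example.edu/organizationName=Example"/></port>
</ports></host>
<host><address addr="128.252.0.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="143"><state state="open"/><service name="imap"/>
<script id="imap-capabilities" output="IMAP4rev1 STARTTLS LOGINDISABLED"/></port>
<port protocol="tcp" portid="110"><state state="open"/><service name="pop3"/>
<script id="pop3-capabilities" output="USER TOP UIDL"/></port>
</ports></host>
</nmaprun>
"""

Finding = Tuple[str, int, str]  # (tag, severity, "proto/port")


def tag_port(port: ET.Element) -> List[Finding]:
    """Apply the rules to one <port>; only open ports with script output count."""
    if port.find("state").get("state") != "open":
        return []
    where = f"{port.get('protocol')}/{port.get('portid')}"
    found: List[Finding] = []
    for script in port.iterfind("script"):
        sid, out = script.get("id"), script.get("output", "")
        # Assumed rule: plaintext IMAP login allowed and no STARTTLS offered.
        if sid == "imap-capabilities" and "STARTTLS" not in out and "LOGINDISABLED" not in out:
            found.append(("IMAPWEAKAUTHNOSSL", SEVERITY["IMAPWEAKAUTHNOSSL"], where))
        # Assumed rule: POP3 without the STLS capability.
        elif sid == "pop3-capabilities" and "STLS" not in out:
            found.append(("POP3WEAKAUTHNOSSL", SEVERITY["POP3WEAKAUTHNOSSL"], where))
        # Assumed rule: certificate commonName is a wildcard.
        elif sid == "ssl-cert" and WILDCARD_CN.search(out):
            found.append(("SSLCERT_WILDCARD", SEVERITY["SSLCERT_WILDCARD"], where))
    return found


def tag_scan(xml_text: str) -> Dict[str, List[Finding]]:
    """Map each host address to its findings, highest severity first."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[Finding]] = {}
    for host in root.iterfind("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        findings = [f for port in host.iterfind("ports/port") for f in tag_port(port)]
        if findings:
            result[addr] = sorted(findings, key=lambda f: -f[1])
    return result


def report(xml_text: str = SAMPLE_XML) -> List[str]:
    """One line per finding in the slide's [TAG] {severity} notation."""
    return [f"{ip} [{tag}] {{{sev}}} {where}"
            for ip, findings in tag_scan(xml_text).items()
            for tag, sev, where in findings]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Keeping the rules as plain string and regex checks on NSE output is deliberate: a new tag is one more branch, and the severity table stays separate from the matching logic, so a department can be handed the highest-severity items first without re-scanning.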