1 / 15

Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University

Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University. REN-ISAC Techburst Thursday, April 29st, 2010 Brian Allen, CISSP ballen@wustl.edu Network Security Analyst, Washington University in St. Louis http ://nso.wustl.edu/. Washington University in St. Louis, MO.

said
Download Presentation

Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Fighting Zombies with FastNMAP& Npwn:A Case Study At Washington University REN-ISAC Techburst Thursday, April 29st, 2010 Brian Allen, CISSP ballen@wustl.eduNetwork Security Analyst,Washington University in St. Louishttp://nso.wustl.edu/

  2. Washington University in St. Louis, MO • Private University Founded in 1853 • 3,000+ Full Time and Adjunct Faculty • 13,000+ Full and Part Time Students • 13,000+ Employees • 4000+ Students Living on Campus • Decentralized Campus Network

  3. Business School NSS Internet Law School NSO Arts & Sciences Medical School Decentralized Campus Network NSS = Network Services and Support NSO = Network Security Office Library Social Work Art & Architecture Engineering School

  4. A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning

  5. A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning • Give Notice to Departments Before Scanning • The Period Between Scans is Not Too Important : 1 week < X < A Couple Months • A Switch’s One Minute Heartbeat was Missed, and School’s Network Engineers Were Paged • KVM Switch Hung – It was Old and Needed to be Updated, Then it Handled the Scan Fine • Identify Devices with Problems, Exclude Them, Work to Fix them

  6. My Scanner: Dell PowerEdge R805 2x Quad-Core AMD Opteron 2.4GHz 16GB Memory 2x 146GB 10K Hard Drives 4x Broadcom NetXtreme II 5708 1GbE Onboard NICs Need to upgrade to an Intel Pro/1000 PCI-Express card ($100-200)

  7. NMAP Scripting Engine • I kept 92 nse scripts like: • "dns-recursion.nse“ • "http-headers.nse“ • "imap-capabilities.nse“ • "irc-info.nse“ • "p2p-conficker.nse“ • "smb-enum-users.nse“ • "ssl-cert.nse“ • I removed all the brute force ones + others like: • "smb-check-vulns.nse“ • "smb-brute.nse"

  8. FastNMAP Command NPWN Command #./npwn.pl -x -s 7 -d ./log/ # nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan‘ | awk '{print $5}‘ | ./fastnmap.pl

  9. FastNMAP.pl Status Update • Took three days to scan 128.252.0.0/16 • Much of the campus sits behind firewalls • Can only scan the MedSchool’s 93 /24 subnets once per month • Am not scanning any of our private IP space (student subnets, wireless, etc) • Usually find about 3000 IP addresses online

  10. Some Interesting Npwn Tags NPWN TAG Severity [VNCAUTHBYPASS] {10} [BACKDOOR] {10} [IMAPWEAKAUTHNOSSL] {7} [POP3WEAKAUTHNOSSL] {7} [NOPASSWD] {7} [OPENX11] {7} [SERV-U] {6} [OLD_MSFTP] {4} [SSLCERT_WILDCARD] {4} [NSFTP] {3}

  11. Any Questions?

More Related