Network Security Assessment
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
18/05/2017

Outline
I. Introduction to Network Security Assessment
II. Footprinting and Reconnaissance
III. Scanning Networks
IV. Assessing Network Services

Network security assessment: goal
o to identify and categorize your risks
o is an integral part of any security life cycle
o to understand the security techniques of the network, in order to execute security policy and incident response procedures
o to protect networks and data from determined attacks

Types of assessment
Vulnerability scanning: uses automated systems
o ensures that no obvious vulnerabilities exist
Network security assessment
o gives practical advice that can improve a company's security
Web application testing
o identifies command injection, poor permissions and other weaknesses
Full-blown penetration testing: attempts to compromise the target environment
Onsite auditing
o provides the clearest picture of network security

Assessment methodology
o Identify IP networks and hosts of interest
o Bulk network scanning and probing to identify potentially vulnerable hosts
o Investigation of vulnerabilities and further network probing by hand
o Exploitation of vulnerabilities and circumvention (avoidance) of security mechanisms

Lab environment
o Virtualization software: VMware, PCVirtual
o Operating systems: Windows, Linux, ...
o Supported tools

Tools
o Footprinting: whois, dig, traceroute, nslookup
o Scanning networks: Nmap, Nessus, commercial network and web application testing tools
o Report

Phases of an attack
o Footprinting/reconnaissance: Whois, NSLookup, search engines, social networking sites
o Scanning and enumeration: computers, ports, application services
o Gaining access: buffer overflow, spoofing, hijacking, password cracking
o Maintaining access
o Covering tracks: clearing logs, planting rootkits

II. Footprinting and Reconnaissance
Outline
o Understanding the steps of ethical hacking
o What is footprinting?
o Steps of footprinting
o Terminology in footprinting
o Threats introduced by footprinting
o The footprinting process
o Footprinting tools

What is footprinting?
Footprinting
o is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target
o looks for information and later analyzes it for weaknesses or potential vulnerabilities
Footprinting results
o a unique organization profile with respect to the networks (Internet/intranet/extranet/wireless) and systems involved

Steps of footprinting
Footprinting generally needs the following steps to ensure proper information retrieval:
o Collect information about a target: host and network
o Determine the OS of the web server and web application data
o Query sources such as Whois, DNS, network and organizational records
o Locate existing or potential vulnerabilities or exploits that exist in the current infrastructure => helpful for launching later attacks

The footprinting process
o Unearth initial information
o Locate the network range
o Ascertain active machines
o Discover open ports/access points
o Detect operating systems
o Uncover services on ports
o Map the network

Threats introduced by footprinting
o Social engineering: asking to get information
o Network and system attacks: gathering information relating to an environment's system configuration and operating systems
o Information leakage: victims of data and other company secrets slipping out the door and into the wrong hands
o Privacy loss: access to a system can compromise not only the security of the system, but also the privacy of the information stored on it
o Revenue loss: loss of information and security related to online business, banking and financial-related issues can easily lead to a lack of trust in a business, which may even lead to the closure of the business itself

The footprinting process: sources
o Using search engines: obtain web server version, IP address, subnet data, OS information (Netcraft), URL, subdomains, ...
o Location and geography: Google Earth/Maps
o Social networking and information gathering: Facebook, Twitter, ...
o Financial services and information gathering
o The value of job sites
o Working with e-mail
o Competitive analysis: the reports created through competitive analysis
o Google hacking: it is possible to fine-tune results to obtain items such as passwords, certain file types, sensitive folders, configuration data and other data
o Gaining network information: Whois, Tracert
o Social engineering: the art of hacking humans

Footprinting tools
o Whois, NSLookup, search engines, social networking sites
o ARIN
o NeoTrace
o VisualRoute Trace
o SmartWhois
o eMailTrackerPro
o Website Watcher
o Google Earth
o GEO Spider
o HTTrack Web Copier
o E-mail Spider

Whois lookup sites
o www.samspade.org
o www.geektools.com
o www.whois.net
o www.demon.net

DNS information
Using www.dnsstuff.com, you can extract DNS information such as:
• Mail server extensions
• IP addresses

Footprinting countermeasures
The firewall:
o should be good enough to detect the probes of an attacker
o should carry out stateful inspection, with a specific rule set
NIDS:
o should be used to detect the OS-detection methods used by some tools (Nmap)
Only necessary ports should be kept open (the rest should be filtered)
All sensitive information that is not to be disclosed to the public over the Internet should not be displayed

Tool: SentryPC (www.sentrypc.com)
~ Secure filtering, monitoring and access control
~ SentryPC enables you to control, restrict and monitor access to and usage of your PC
~ Features:
• Complete time management
• Application scheduling and filtering
• Website filtering
• Chat filtering
• Keystroke filtering
• Powerful security features
• Protects your users
• Logs:
– Keystrokes typed
– Application usage
– Website visits
– Chat conversations
– Windows viewed

IV. Assessing Network Services
Outline
o Remote information services
o Web servers
o Web applications
o Remote maintenance services
o Database services
o Email services
o IP VPN services
o Unix RPC services

Remote information services
o DNS
o Finger
o Auth
o NTP
o SNMP
o LDAP
o RPC

DNS
You should perform the following tests for each accessible name server:
o Retrieve DNS service version information
o Cross-reference version details with vulnerability lists to enumerate vulnerabilities
o Perform DNS zone transfers against known domains
o Undertake reverse querying against known IP blocks and internal addresses
o Carry out forward grinding using a dictionary of common hostnames

Finger
The fingerd service listens on TCP port 79 of Cisco IOS routers and Unix-based servers.
Using Finger:
o with a Finger client: finger @192.168.0.10
o by directly using a Telnet client: $ telnet 192.168.0.1 79
o with Netcat, connecting to port 79
Finger information leaks
o identify user accounts on the target system
o Ex: finger '1 0'@192.168.0.10
Finger redirection
o where servers running Finger exist on multiple networks, used to find internal usernames and hosts: finger @192.168.0.10@217.34.17.200

Auth (identd)
The Unix auth service (known internally as identd) listens on TCP port 113 and provides a degree of authentication by mapping local usernames to the TCP network ports in use.
IRC is a good example of this: when a user connects to an IRC server, an ident request is sent to TCP port 113 of the host to retrieve the user name.
Finding service ownership details through identd: $ nmap -I -sT 192.168.0.10

NTP
NTP runs on UDP port 123 of Cisco devices and Unix-based systems.
NTP services can be queried to obtain the remote hostname.
NTP fingerprinting
o query remote NTP daemons and enumerate system details
• OS fingerprinting: perl ntp.pl -t 192.168.66.202
• Enumerating a Linux system: perl ntp.pl -t pingo

SNMP
SNMP listens on UDP port 161.
SNMP runs on:
o network infrastructure devices: switches, routers and other appliances
o Unix-based and Windows servers, for central network management purposes
SNMP MIB data:
o can be retrieved from a device
o can be written to a device
Accessing a router MIB is useful when performing further network reconnaissance and mapping.
Attackers and security consultants access MIB databases using:
o ADMsnmp (for brute force): ADMsnmp 192.168.0.1
o snmpwalk (for accessing the MIB): snmpwalk -c private 192.168.0.1

LDAP
LDAP:
o runs on Windows 2000/2003 and mail servers
o provides user directory information to clients
o is highly extensible and widely supported by Apache, Exchange, Outlook, Netscape Communicator and others
Anonymous LDAP access, using
o ldap (Windows)
o ldapsearch (Unix): ldapsearch -h 192.168.0.65
LDAP brute force, using
o bf_ldap: bf_ldap

rwho
The Unix rwhod service listens on UDP port 513. Using the Unix rwho client lists the users currently logged into the remote host, e.g.:
$ rwho 192.168.189.120
jarvis   ttyp0   Jul 17 10:05   (192.168.189.164)
dan      ttyp7   Jul 17 13:33   (194.133.50.25)
root     ttyp9   Jul 17 16:48   (192.168.189.1)

rusers
rusers
o is an RPC service endpoint that listens on dynamic ports
o the rusers client utility first connects to the RPC portmapper, which returns the whereabouts of the rusersd service
Enumerating RPC services with rpcinfo: $ rpcinfo -p 192.168.0.50
Gathering active user details through rusers: $ rusers -l 192.168.0.50

Remote information services: countermeasures
o fingerd, rwhod and rusers should not run in any production environment
o DNS servers should run only where necessary, and must be correctly configured to deny zone transfers to unauthorized peers
o identd: refrain from running it on mission-critical Linux servers
o NTP services should be filtered and not exposed to the public Internet
o SNMP services should be configured with strong read and write access controls; this ensures further resilience and blocks buffer overflow and other process manipulation attacks
o LDAP: ensure that your accessible LDAP and Windows AD GC (Global Catalog) services don't serve sensitive information to anonymous, unauthenticated users
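The rwho output on the slide above is the same data an administrator can read from their own hosts. As an added example (not part of the lecture material), the Python below parses that output and flags what a defender would look at first: direct root logins and sessions sourced from outside the site LAN. The line layout, the 192.168.189.0/24 LAN and the sample lines are assumptions constructed here, modelled on the slide.

```python
# Added example, not from the lecture slides: parse rwho-style output and flag
# sessions that break a defender's expectations. Everything below (line layout,
# LOCAL_NET, sample lines) is constructed for this example.
import ipaddress
import re
from typing import Dict, List

# Constructed sample, modelled on the slide's "rwho 192.168.189.120" output.
SAMPLE_RWHO_OUTPUT = """\
jarvis   ttyp0   Jul 17 10:05   (192.168.189.164)
dan      ttyp7   Jul 17 13:33   (194.133.50.25)
root     ttyp9   Jul 17 16:48   (192.168.189.1)
"""

LOCAL_NET = ipaddress.ip_network("192.168.189.0/24")  # assumed site LAN

# user, tty, "Mon DD HH:MM", then the source host in parentheses
_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<when>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+\((?P<src>[^)]+)\)\s*$"
)


def parse_rwho(text: str) -> List[Dict[str, str]]:
    """Turn rwho output into a list of {user, tty, when, src} records."""
    sessions = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def triage(sessions: List[Dict[str, str]]) -> List[str]:
    """One finding per session that is an interactive root login or that is
    sourced outside LOCAL_NET (a bare hostname counts as unverified/remote)."""
    findings = []
    for s in sessions:
        try:
            remote = ipaddress.ip_address(s["src"]) not in LOCAL_NET
        except ValueError:
            remote = True
        if s["user"] == "root":
            findings.append(f"{s['tty']}: direct root login from {s['src']}")
        if remote:
            findings.append(f"{s['tty']}: {s['user']} logged in from outside "
                            f"{LOCAL_NET} ({s['src']})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_rwho(SAMPLE_RWHO_OUTPUT)):
        print(finding)
```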
Web servers
Comprehensive testing of web services involves the following steps:
o Fingerprinting the web server
o Identifying and assessing reverse proxy mechanisms
o Enumerating virtual hosts and web sites running on the web server
o Identifying subsystems and enabled components
o Investigating known vulnerabilities in the web server and enabled components
o Crawling accessible web sites to identify files and directories of interest
o Brute-force password grinding against accessible authentication mechanisms

Web servers: countermeasures
o All software: up-to-date patches and correct configuration
o Ensure that associated Apache components such as mod_perl and PHP are disabled; use ingress filtering
o Prevent indexing of accessible directories if no index files are present
o Don't expose script debugging information to public web users

Web applications
A number of technologies and platforms are in use: Microsoft ASP.NET, Sun JSP, PHP, ...
Vulnerabilities can exist in any of the tiers:
• Presentation tier
• Application tier
• Data tier
Web application attack strategies, via:
• Server-side script variables
• HTTP request headers
• HTTP cookie fields
• XML request content
Web application vulnerabilities
o Authentication issues (default user accounts, brute force)
o Parameter modification

Remote maintenance services
Common remote maintenance services include:
o FTP, SSH, Telnet, X Windows, VNC, Citrix and Microsoft Terminal Services
Three categories of attack:
o Information leak attacks
o Brute-force guessing of user passwords
o Process handling attacks (buffer overflows, format string bugs, etc.)

Remote maintenance services: countermeasures
o Don't provide anonymous FTP access
o Ensure that service patches are up to date and that firewall software is also current
o Avoid running other public network services (for example, web or mail services) on the same machine as an FTP server
o Don't run Telnet services on publicly accessible devices
o Ensure the resilience of your remote maintenance services against brute-force password-guessing attacks
o Set a good password policy
o Don't run r-services (rsh, rexec or rlogin), because they are vulnerable to spoofing attacks, use very weak authentication and are plaintext
o In secure environments, don't use services such as VNC, because they have weak authentication

Database services
MySQL, SQL Server, Oracle

Database services: countermeasures
o Ensure that database user passwords are adequately strong
o Filter and control public Internet-based access to database service ports
o Don't run publicly accessible remote maintenance services on database servers; use two-factor authentication for remote access from specific staging hosts, or SSH with public keys
o Oracle databases should also be hardened to prevent access to unnecessary stored procedures and features
o Ensure SQL services are patched with the latest service packs and security hotfixes, to ensure resilience against buffer overflows and other types of remote attack

Windows networking services
MS Windows networking services
o The Microsoft RPC endpoint mapper listens on TCP and UDP port 135
o The SMB protocol facilitates resource sharing in MS Windows
• Before Windows 2000 (Windows NT and earlier): SMB runs through NetBIOS over TCP/IP, using UDP ports 137 and 138 and TCP port 139
• Windows 2000 and later: support for the Common Internet File System (CIFS), which provides full SMB access directly through TCP and UDP port 445
o Unix: Samba

Windows networking services: countermeasures
o Filter public or untrusted network access to high-risk services
o Ensure that local administrator account passwords are set
o Enforce a decent user account lockout policy to minimize the impact of brute-force password-grinding attacks

Email services
Protocols: SMTP, POP-2, POP-3 and IMAP
o smtp 25/tcp, pop2 109/tcp, pop3 110/tcp, imap2 143/tcp, submission 587/tcp
SSL-wrapped versions of these mail services:
o smtps 465/tcp, imaps 993/tcp, pop3s 995/tcp

Email services: countermeasures
o Don't run Sendmail or Microsoft Exchange in high-security environments (they contain many bugs and are heavily bloated)
o To minimize the impact of a user enumeration and password-grinding attack

Exercise
Install and configure the tools

References
o 2007, Cryptography and Network Security: Principles and Practice, William Stallings, Prentice Hall, fifth edition
o 2014, CEHv8: Certified Ethical Hacker Version Study Guide, Chapters 4, 5
o 2008, Network Security Assessment, Second Edition, Sections 1, 2, 3, 4

...

Nmap scan and ping options (fragment from the scanning chapter)
-sT (TCP connect) -sS (SYN scan) -sF (FIN scan) -sX (Xmas scan) -sN (Null scan) -sP (ping scan) -sU (UDP scan) -sO (protocol scan) -sI (idle scan) -sA (ACK scan) -sW (window scan) ... -sR (RPC scan) -sL (list/DNS scan)
-P0 (don't ping) -PT (TCP ping) -PS (SYN ping) -PI (ICMP ping) -PB (= PT + PI) -PP (ICMP timestamp) -PM (ICMP netmask)

... system ...

Some common ways to perform these types of scans are:
■ Wardialing
■ Wardriving
■ Pinging (ICMP scanning)
■ Port scanning
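The countermeasure slides of this chapter each say which services should be filtered or not run at all. As an added example (not the lecture's own material), the Python below encodes those rules as a table and applies it to a host's scan result, so that a defender can turn a port list into a hardening worklist. The port-to-service table, the rule wording and the scan lines are constructed here; ports for services the slides name without a number (telnet, rsh, VNC, MySQL) are IANA defaults and an assumption of this example.

```python
# Added example, not from the lecture slides: map a host's open ports to the
# services the countermeasure slides say to filter or not run. POLICY,
# SAMPLE_SCAN and the default port numbers are this example's assumptions.
from typing import Dict, List, Tuple

# (proto, port) -> (service, rule paraphrased from the slides)
POLICY: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("tcp", 79):   ("fingerd", "should not run in any production environment"),
    ("udp", 513):  ("rwhod", "should not run in any production environment"),
    ("tcp", 113):  ("identd", "refrain from running on mission-critical servers"),
    ("udp", 123):  ("ntp", "filter; do not expose to the public Internet"),
    ("udp", 161):  ("snmp", "strong read and write access controls required"),
    ("tcp", 23):   ("telnet", "don't run on publicly accessible devices"),
    ("tcp", 514):  ("rsh", "don't run r-services: spoofable, weak auth, plaintext"),
    ("tcp", 5900): ("vnc", "weak authentication; avoid in secure environments"),
    ("tcp", 135):  ("msrpc", "filter untrusted access to high-risk Windows services"),
    ("tcp", 445):  ("microsoft-ds", "filter untrusted access to high-risk Windows services"),
    ("tcp", 3306): ("mysql", "filter public access to database service ports"),
}

# Constructed scan result for one host, reduced to "port/proto state name" lines.
SAMPLE_SCAN = """\
22/tcp   open     ssh
79/tcp   open     finger
113/tcp  open     ident
123/udp  open     ntp
161/udp  open     snmp
445/tcp  open     microsoft-ds
3306/tcp open     mysql
5900/tcp open     vnc
23/tcp   filtered telnet
"""


def parse_scan(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, state) for every 'port/proto state ...' line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue  # skip headers, blank lines and anything not port/proto
        port, proto = parts[0].split("/", 1)
        rows.append((proto, int(port), parts[1]))
    return rows


def exposed_against_policy(rows: List[Tuple[str, int, str]]) -> List[str]:
    """One finding per open port the slides say should be filtered or not run.
    Only 'open' counts: a 'filtered' port is already the recommended state."""
    findings = []
    for proto, port, state in rows:
        hit = POLICY.get((proto, port))
        if state == "open" and hit:
            findings.append(f"{port}/{proto} {hit[0]}: {hit[1]}")
    return findings
```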