Lab 3: Network Security Threats
Student Name: Hoàng Nguyễn Anh Quốc
Student No: 51002641

I Objectives
Get to know some common network security threats.
Use Nmap to analyze the vulnerabilities of a specific host.

II Preparation
Download and install nmap from http://nmap.org/; select the version that is appropriate to your operating system version.

III Some common network security threats

a Viruses and worms
A virus is "a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes". Viruses can cause a huge amount of damage to computers. In a network, a virus downloaded onto one machine can make copies of itself and spread across the network, so other computers in the network can be affected. A worm is similar to a virus, but a worm can run by itself, whereas a virus needs a host program to run.

Virus example: W32.UsbFakeDrive. When an infected USB drive is opened, the user sees what looks like the USB drive and has to open a second "drive" to see the data. In fact, that second drive is a shortcut pointing at the virus file; when the user opens the data, the computer is infected with the malicious code from the USB drive.

Worm example: msblast.exe (the Blaster worm). It persists by adding the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe
so that it is started again at every boot. (Symptoms, etc.)

b Trojan Horses
CuuDuongThanCong.com https://fb.com/tailieudientucntt
A Trojan horse is "a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk". In a network, if a Trojan horse is installed on a computer and tampers with the file allocation table, it could cause a massive amount of damage to that computer and, through shared resources, to other computers on the network.

An example Trojan horse is available at www.freewebs.com/em_ce_do/doctor.exe. When run, the program shuts the machine down and copies itself into the "StartUp" folder, so the machine shuts itself down every time it boots. The Trojan can be removed by booting into command-prompt mode and deleting the file from there with a delete command. The program runs on Windows XP.

c SPAM
Spam is "flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it". Examples: spam mail, spam chat.

d Phishing
Phishing is "an e-mail fraud method in which the perpetrator sends out legitimate-looking emails in an attempt to gather personal and financial information from recipients".

e Packet Sniffers
A packet sniffer is a device or program that allows eavesdropping on traffic travelling between networked computers. The packet sniffer captures data that is addressed to other machines and saves it for later analysis. On a network, a packet sniffer can filter out personal information, which can lead to identity theft, so it is a major security threat to a network.
Solution: encrypt data before sending it, so that sniffed traffic does not reveal sensitive information.

f Maliciously Coded Websites
Some websites contain code that is malicious. Malicious code is "programming code that is capable of causing harm to availability, integrity of code or data, or confidentiality in a computer system". The source code of this page contains various ".js" files. The "search.js" file is infected with malicious JavaScript code. Here is the source code of that file: The malicious JavaScript code is inserted at the bottom of this ".js" file. Here is the malicious content:

g Password Attacks
Password attacks are attacks in which the attacker determines or recovers the passwords to protected electronic areas. Many systems on a network are password protected, so there are many chances for an attacker to break into those systems and steal data. Passwords are obtained with keyloggers, sniffing, phishing, and so on.

h Hardware Loss and Residual Data Fragments
Hardware loss and residual data fragments are a growing worry for companies, governments, etc.

i Shared Computers
Shared computers are always a threat. A shared computer is one that is shared with one or more people. Example: a computer carrying a virus is connected to the LAN and allows other machines to access it; the consequence is that every machine on the LAN becomes infected.

j Zombie Computers and Botnets
"A zombie computer, or 'drone', is a computer that has been secretly compromised by hacking tools which allow a third party to control the computer and its resources remotely." A hacker could break into a computer, control it and obtain data. A botnet "is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet". This is a major security threat on a network because the network, unknown to anyone, could be acting as a hub that forwards malicious files to other computers. Hackers use botnets for DDoS attacks and for click fraud, steering victims to click on their web pages and advertisements.

Exercise: Give an example and a solution for each threat.

IV NMap
Nmap, short for Network Mapper, is a very versatile security tool that should be included in every professional's toolkit. Nmap is an open source utility for network exploration, security scanning and auditing. It comes with a very wide range of options that make the utility more robust and let you add or change features to your specifications.

Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997. Since the source code has been available, the software has been expanded greatly. In addition to improvements in the functionality of the program, graphical user interfaces and support for numerous operating systems have been developed. Currently Nmap runs on Linux, Windows, OS X, FreeBSD, Solaris, Amiga, HP-UX, and others. GUI versions are also available on most of these systems along with the command line versions. There are also implementations that give access to Nmap through a web browser.

Nmap is very popular among security professionals as well as black hat hackers because of its numerous uses. The most recent version of the program can be used for network host discovery, port scanning, version and OS detection, network inventory, ping sweeps, and detailed logging. These uses are all important, but the most basic parts of the program deal with host discovery and port scanning. Nmap can be used to check which other devices and machines are connected to the network, and which ports on those devices are open and closed. The results of these types of scan can be saved to a log file that can be analyzed later or kept for future comparison. Complete documentation and download information can be found at http://nmap.org/, along with much more information on the use of the product.

Nmap is often used in combination with other security tools such as Snort, Nessus, and Wireshark to help secure networks from attacks. Together these tools form a powerful security suite that helps protect networks. Other important practices include frequently patching all systems, routine security audits, and enforcement of security policies.

a Host Discovery Using NMAP
At the command line, type "nmap" and press Enter to see the available nmap scan types and options.
Which option determines whether a host is online or not?
At the command line, type "nmap –sP [Network Address].*" and press Enter. The * at the end of the network address means to scan every possible IP address on that network. The –sP option tells Nmap to perform only a ping scan (host discovery) and then print the hosts that responded. (Nmap 6 and later spell this option –sn; –sP is still accepted as an alias.) This will take some time, please be patient. You can press Enter to check the progress of the scan.
How many hosts did you discover? 57
How many IP addresses were scanned? 256
What are the IP addresses of the hosts? (List IP addresses)
Illustration for questions 3, 4 and 5:
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-18 13:42 SE Asia Standard Time
IP address      Latency   MAC address (vendor)
172.28.13.1     0.066s    00:0E:84:54:E2:FF (Cisco Systems)
172.28.13.2     0.0020s   EC:30:91:EC:C0:41 (Cisco Systems)
172.28.13.5     0.0020s   00:25:45:22:92:76 (Cisco Systems)
172.28.13.6     0.0030s   00:17:E0:15:22:80 (Cisco Systems)
172.28.13.7     0.0030s   00:17:E0:15:17:C0 (Cisco Systems)
172.28.13.14    0.0020s   00:21:5E:57:18:6E (IBM)
172.28.13.15    0.00s     00:24:E8:2D:17:63 (Dell)
172.28.13.27    0.00s     00:25:90:0F:15:AC (Super Micro Computer)
172.28.13.28    0.00s     00:25:90:30:EA:DC (Super Micro Computer)
172.28.13.29    0.0010s   00:25:90:30:EA:80 (Super Micro Computer)
172.28.13.41    0.0010s   00:22:19:AC:65:16 (Dell)
172.28.13.42    0.0010s   00:0C:29:7A:23:58 (VMware)
172.28.13.43    0.00s     00:0C:29:00:DD:40 (VMware)
172.28.13.44    0.00s     00:0C:29:65:A3:B9 (VMware)
172.28.13.45    0.0010s   00:0C:29:B1:AF:D5 (VMware)
172.28.13.46    0.0010s   00:0C:29:29:ED:60 (VMware)
172.28.13.47    0.00s     00:0C:29:7A:3A:AC (VMware)
172.28.13.49    0.00s     00:0C:29:6C:BC:7D (VMware)
172.28.13.55    0.0010s   00:21:5E:28:BE:FC (IBM)
172.28.13.56    0.0010s   00:24:E8:2D:29:3A (Dell)
172.28.13.57    0.0010s   08:00:27:C8:60:54 (Cadmus Computer Systems)
172.28.13.58    0.0010s   08:00:27:FF:D0:B2 (Cadmus Computer Systems)
172.28.13.62    0.00s     00:50:56:2D:6C:B7 (VMware)
172.28.13.63    0.00s     00:50:56:37:1B:B2 (VMware)
172.28.13.75    0.013s    70:F1:A1:35:FF:E8 (Liteon Technology)
172.28.13.77    0.013s    1C:65:9D:2C:B4:A1 (Liteon Technology)
172.28.13.79    0.013s    00:22:FB:5C:CF:A6 (Intel Corporate)
172.28.13.81    0.013s    1C:65:9D:2C:B4:A1 (Liteon Technology)
172.28.13.91    0.010s    AC:81:12:00:DA:3D (Gemtek Technology Co.)
172.28.13.92    0.00s     00:24:E8:2D:29:26 (Dell)
172.28.13.99    0.0010s   00:24:E8:2D:2A:D5 (Dell)
172.28.13.100   0.0010s   00:24:E8:2D:18:8F (Dell)
172.28.13.105   0.0010s   00:24:E8:2D:29:D0 (Dell)
172.28.13.119   0.00s     00:24:E8:2D:2A:84 (Dell)
172.28.13.126   0.00s     00:24:E8:2D:16:F1 (Dell)
172.28.13.128   0.00s     00:24:E8:2D:25:E5 (Dell)
172.28.13.131   0.00s     00:24:E8:2D:2A:71 (Dell)
172.28.13.132   0.018s    70:F1:A1:35:FF:E8 (Liteon Technology)
172.28.13.134   0.00s     00:25:64:CC:91:E4 (Dell)
172.28.13.135   0.00s     00:24:E8:2D:18:AC (Dell)
172.28.13.137   0.00s     00:24:E8:2D:26:AE (Dell)
172.28.13.145   0.00s     00:24:E8:2D:29:35 (Dell)
172.28.13.146   0.00s     00:24:E8:2D:2B:E0 (Dell)
172.28.13.151   0.00s     00:21:5E:29:67:D7 (IBM)
172.28.13.157   0.0010s   00:24:E8:2D:26:4B (Dell)
172.28.13.160   0.0010s   00:24:E8:2D:24:AB (Dell)
172.28.13.166   0.020s    00:26:C7:DB:71:72 (Intel Corporate)
172.28.13.167   0.00s     20:CF:30:4B:E8:CB (Asustek Computer)
172.28.13.168   0.00s     48:5B:39:66:D2:87 (Asustek Computer)
172.28.13.171   0.0010s   14:FE:B5:B4:5F:B5 (Dell)
172.28.13.173   0.0010s   00:24:BE:46:49:E5 (Sony)
172.28.13.175   0.0020s   00:24:E8:2D:2B:C7 (Dell)
172.28.13.176   0.0020s   F0:4D:A2:BF:3B:5F (Dell)
172.28.13.188   0.00s     00:21:5E:29:68:8C (IBM)
172.28.13.200   0.0020s   00:24:E8:2D:16:CB (Dell)
172.28.13.251   0.0010s   00:21:5E:28:BF:58 (IBM)
172.28.13.170   up        (no MAC address reported)
Nmap done: 256 IP addresses (57 hosts up) scanned in 12.63 seconds
Note: because the scan ran on the local Ethernet segment, Nmap discovered hosts with ARP requests rather than ICMP echo, which is why every host carries a MAC address and why hosts that filter ping still show up. The last entry, 172.28.13.170, has no MAC line because it is the scanning machine itself, which Nmap reports last. Two MAC addresses answer for two IP addresses each (1C:65:9D:2C:B4:A1 for .77 and .81, 70:F1:A1:35:FF:E8 for .75 and .132), which is worth a second look during an inventory.

You can also use Nmap to scan other networks (use the –n option, which skips reverse DNS lookups, to save time). For example, if the available networks are 192.168.101.*, 192.168.102.*, 192.168.103.*, and 192.168.104.*, you can type "nmap –sP 192.168.101-104.* -n" to scan all of them in one command. "101-104" means the range of networks 101, 102, 103, and 104.

b Port Scan
Nmap is an efficient port scanner. Port scanning finds which services a host or network exposes, and therefore where it may be vulnerable. A network administrator can use Nmap to detect undesired services running on a network. The simple command "nmap target" scans the most commonly used TCP ports on the host target and identifies the open ones (older Nmap releases scanned over 1660 ports; Nmap 6.x scans the 1000 most common, which is why the output below shows 984 closed ports plus 16 open ones). In the following exercise, you will use nmap to scan the ports on a
host.
Identify the IP address of your network's default gateway. At the command line, type "nmap [Default Gateway IP Address]" and press Enter. This may take several seconds.
How many ports are open? One: 1309/tcp.
Does the target host the web, ftp, and telnet services? No; the only service found was jtag-server (on 1309/tcp).
(The request for a screenshot was made after the lab session, so this item has no screenshot.)
Identify another target on your local area network. You can use a target host that you discovered in the earlier exercise. At the command line, type "nmap –sT [target]" and press Enter. This may take several seconds. The –sT option performs a TCP connect port scan.
Use the –O option to discover the operating system of your target: at the command line, type "nmap –O [target]". (OS detection needs raw-packet privileges, so run it as root or Administrator.)
Identify which ports are open on a specific machine, the corresponding services and their versions (service versions require the –sV option; the default scan below only names the service registered for each port). How can an attacker exploit this information?
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-18 14:10 SE Asia Standard Time
Nmap scan report for 172.28.13.135
Host is up (0.00062s latency)
Not shown: 984 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5800/tcp  open  vnc-http
5900/tcp  open  vnc
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
MAC Address: 00:24:E8:2D:18:AC (Dell)
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

V References
http://www.itsecurity.com/
http://nmap.org/
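Worked example for the host-discovery and port-scan exercises above. This is added code, not part of the lab or of Nmap; it parses Nmap's normal text output (the format shown in both exercises) into an inventory, flags MAC addresses that answer for more than one IP, identifies the scanning machine (which Nmap lists without a MAC line), and triages a host's open ports the way an attacker would read them: remote-access services (RDP, VNC, telnet), file sharing (NetBIOS/SMB), Windows RPC dynamic ports, and the 135/139/445 trio that marks a Windows host. The two sample outputs are constructed excerpts of the lab's own scans (shortened, with the trailing periods Nmap prints restored); the vendor-to-virtual-machine mapping is a heuristic assumption, not something the lab states.

```python
"""Parse Nmap normal output (-sP sweep and default port scan) and triage it."""
import re
from collections import Counter

# Constructed sample: five-host excerpt of the lab's -sP sweep; the "Nmap done"
# count matches this excerpt, not the full 57-host run.
SAMPLE_PING_SCAN = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-18 13:42 SE Asia Standard Time
Nmap scan report for 172.28.13.1
Host is up (0.066s latency).
MAC Address: 00:0E:84:54:E2:FF (Cisco Systems)
Nmap scan report for 172.28.13.57
Host is up (0.0010s latency).
MAC Address: 08:00:27:C8:60:54 (Cadmus Computer Systems)
Nmap scan report for 172.28.13.77
Host is up (0.013s latency).
MAC Address: 1C:65:9D:2C:B4:A1 (Liteon Technology)
Nmap scan report for 172.28.13.81
Host is up (0.013s latency).
MAC Address: 1C:65:9D:2C:B4:A1 (Liteon Technology)
Nmap scan report for 172.28.13.170
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.63 seconds
"""
# Constructed sample: the lab's port scan of 172.28.13.135, shortened.
SAMPLE_PORT_SCAN = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-18 14:10 SE Asia Standard Time
Nmap scan report for 172.28.13.135
Host is up (0.00062s latency).
Not shown: 984 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5800/tcp  open  vnc-http
5900/tcp  open  vnc
49152/tcp open  unknown
MAC Address: 00:24:E8:2D:18:AC (Dell)
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Assumption (heuristic): vendor strings that indicate a virtual NIC.
VM_VENDORS = {"VMware", "Cadmus Computer Systems"}  # 08:00:27 = VirtualBox guests
REMOTE_ACCESS = {23, 3389, 5800, 5900}  # telnet, RDP, VNC-over-HTTP, VNC
FILE_SHARING = {139, 445}               # NetBIOS session, SMB


def parse_hosts(text):
    """One dict per 'Nmap scan report' block: ip, mac, vendor, open ports."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m.group(1), "mac": None, "vendor": None, "ports": []}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first host
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(4)))
    return hosts


def duplicate_macs(hosts):
    """MACs seen for more than one IP: multi-homed NIC, or someone answering ARP for others."""
    by_mac = {}
    for h in hosts:
        if h["mac"]:
            by_mac.setdefault(h["mac"], []).append(h["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def inventory(hosts):
    """Sweep summary: vendor counts, VM guests, and the scanner (no MAC line)."""
    return {
        "hosts_up": len(hosts),
        "vendors": Counter(h["vendor"] for h in hosts if h["vendor"]),
        "virtual": [h["ip"] for h in hosts if h["vendor"] in VM_VENDORS],
        "self": [h["ip"] for h in hosts if h["mac"] is None],
    }


def triage_ports(host):
    """Flag the open TCP ports an attacker would look at first."""
    tcp = {p for p, proto, _svc in host["ports"] if proto == "tcp"}
    return {
        "open_count": len(tcp),
        "remote_access": sorted(tcp & REMOTE_ACCESS),
        "file_sharing": sorted(tcp & FILE_SHARING),
        "rpc_dynamic": sorted(p for p in tcp if 49152 <= p <= 65535),
        "web_ftp_telnet": sorted(tcp & {21, 23, 80, 443}),
        "likely_windows": {135, 139, 445} <= tcp,  # classic Windows fingerprint
    }


if __name__ == "__main__":
    sweep = parse_hosts(SAMPLE_PING_SCAN)
    print(inventory(sweep), duplicate_macs(sweep))
    print(triage_ports(parse_hosts(SAMPLE_PORT_SCAN)[0]))
```

Run against a real sweep with `nmap -sP -n 172.28.13.* > sweep.txt` and `parse_hosts(open("sweep.txt").read())`. On the lab's data the triage answers the exercise's last question: the target is a Windows machine with SMB (139/445), RDP (3389) and VNC (5800/5900) reachable from the LAN, so an attacker would start with SMB enumeration and password guessing against RDP and VNC, and would note the 49152+ ports as Windows RPC endpoints rather than unknown services.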