Скачать презентацию ECE-6612 Network Security Utilities and Organizations Prof John Скачать презентацию ECE-6612 Network Security Utilities and Organizations Prof John

b433d2fcf84a5912f716cc9a4d3b988d.ppt

  • Количество слайдов: 22

ECE-6612 Network Security Utilities and Organizations Prof. John A. Copeland john. copeland@ece. gatech. edu ECE-6612 Network Security Utilities and Organizations Prof. John A. Copeland john. copeland@ece. gatech. edu 404 894 -5177 fax 404 894 -0035 Office: Klaus 3362 email or call for office visit, 404 894 -5177 http: //www. csc. gatech. edu/copeland/jac/6612/ 13 -Net. Sec%20 Utilities-Orgs. ppt 3/14/2016

Network Security Utilities A number of network security utilities have been developed to let Network Security Utilities A number of network security utilities have been developed to let network manager scan a network to look for security holes. Surprisingly many of these are free. The most versatile for port scanning is “nmap. ” Other actually run known exploits against your systems to detect weaknesses (“Saint’ and “Satan”). Some should be studied so that you know what crackers can easily do (e. g. , dsnif). Metasploit is a framework that allows you to launch scanners (e. g. , nmap) from a GUI interface and store the results in a database. It also comes with over a hundred exploits that can be run for “penetration testing. ” For intrusion detection, their are some expensive commercial services that come with 24 -hour-a-day, 7 -day-a-week monitoring services ( ISS / IBM” ). It’s safer to download “free” utilities in source format, and read the ‘C’ code before you compile and use them. Some of these, like software from Red. Hat, come with a PGP (or GPG) certificates that you should check. Many developers now provide at least a MD 5 checksum or other secure hash for their original (unaltered) binaries. On the other hand, precompiled binaries for Windows are much easier to install. Many of the applications can be installed by using Mac. Ports (sudo port install nmap”) or apt-get (Ubuntu -“sudo apt-get install nmap”). 2

Tripwire - compares hash’s of system files Tripwire provides support for multiple platforms, including Tripwire - compares hash’s of system files Tripwire provides support for multiple platforms, including Windows NT, Solaris, Linux, HP-UX, IBM-AIX and others. With the Tripwire HQ Connector bundle, you can unequivocally answer the question: is my data the same today as it was yesterday? This information will help you keep your system in optimal working order and manage any changes - malicious or inadvertent - giving you complete control over data integrity. Tripwire 2. 2. 1 for Linux With all the same great features as Tripwire 2. 2. 1 for other operating systems, Tripwire for Linux is available as a free download (without the agent that communicates with HQ Manager). In support of the open source community, Tripwire plans to release an open source version of this product this fall. For more information and future announcements about the open source release, check out www. tripwire. org. With only slight changes, the Tripwire Academic Source Release (ASR) version 1. 3. 1 is the same as the original Tripwire software that was developed in 1992 by Dr. Eugene Spafford and Tripwire CTO Gene Kim. Tripwire offers this version as a free download, but does not provide product support for it. www. tripwire. com {commercial} 3

Nmap ( Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It will rapidly scan large networks. Official binary packages are available for Linux, Windows, and Mac OS X. Besides the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). http: //nmap. org/ 4

Use nmap wisely. Limit the number of ports and IP Addresses # nmap -P Use nmap wisely. Limit the number of ports and IP Addresses # nmap -P 0 -s. S -n -p 1 -65354 143. 215. 200. 6 Starting Nmap 6. 25 ( http: //nmap. org ) at 2013 -03 -27 08: 00 EDT Nmap scan report for 143. 215. 200. 6 10 Host is up (0. 17 s latency). All 65354 scanned ports on 143. 215. 200. 6 are filtered minutes/host Nmap done: 1 IP address (1 host up) scanned in 604. 68 seconds # nmap -P 0 -s. S -n -p 1 -4000, 5900, 31337 143. 215. 139. 8 Starting Nmap 6. 25 ( http: //nmap. org ) at 2013 -03 -27 08: 12 EDT Nmap scan report for 143. 215. 200. 8 3 seconds/host Host is up (0. 015 s latency). Not shown: 3999 closed ports PORT STATE SERVICE 1500 ports per second 53/tcp open domain 443/tcp open https 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 3. 00 seconds 5

Use nmap -A wisely. Limit the number of ports and IP Addresses sh-3. 2# Use nmap -A wisely. Limit the number of ports and IP Addresses sh-3. 2# nmap -P 0 -s. S -n -p 53, 443, 3306 -A 143. 215. 200. 8 Starting Nmap 6. 25 ( http: //nmap. org ) at 2013 -03 -27 08: 18 EDT Nmap scan report for 143. 215. 200. 8 Host is up (0. 0018 s latency). PORT STATE SERVICE VERSION 53/tcp open domain? 443/tcp open ssl/http Apache httpd 2. 2. 8 ((Ubuntu) DAV/2 SVN/1. 4. 6 mod_ruby/1. 2. 6 Ruby/1. 8. 6(2007 -09 -24) mod_ssl/2. 2. 8 Open. SSL/0. 9. 8 g) | http-methods: Potentially risky methods: TRACE |_See http: //nmap. org/nsedoc/scripts/http-methods. html |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: common. Name=pigeon. csc. gatech. edu/Georgia Tech/. . . | Not valid before: 2008 -10 -17 T 02: 19: 58+00: 00 |_Not valid after: 2010 -04 -20 T 02: 19: 58+00: 00 |_ssl-date: 2013 -03 -27 T 12: 28: 55+00: 00; +9 m 29 s from local time. 3306/tcp open mysql My. SQL 5. 0. 51 a-3 ubuntu 5. 8 -log | mysql-info: Protocol: 10 | Version: 5. 0. 51 a-3 ubuntu 5. 8 -log | Thread ID: 37158 | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection | Status: Autocommit |_Salt: @Xyvf|^? b. OCDkmd, N#b. F Warning: OSScan results may be unreliable because we could not find. . . Aggressive OS guesses: Linux 2. 6. 8 - 2. 6. 27 (98%), Linux 2. 6. 18 - 2. 6. 32 (97%), No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Nmap done: 1 IP address (1 host up) scanned in 32. 97 seconds 30 sec/host 6

Nessus The Nessus The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port - that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs. Test the security of your local network with the free “Home Feed”. http: //www. tenable. com/ {commercial: Tenable Network Security} 7

dsniff Overview I [Dug Song] wrote these tools with honest intentions - to audit dsniff Overview I [Dug Song] wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols. Please do not abuse this software. Description arpredirect: intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e. g. fragrouter : -) must be turned on ahead of time. macof: flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net: : Raw. IP macof program. tcpkill: kill specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3 whs for TCB creation). tcpnice: slow down specified in-progress TCP connections via "active" traffic shaping (useful for sniffing fast networks). forges tiny TCP window advertisements, and optionally ICMP source quench replies. dsniff: password sniffer. handles FTP, Telnet, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP, SOCKS, X 11, CVS, IRC, AIM, ICQ, Napster, Postgre. SQL, Meeting Maker, Citrix ICA, Symantec pc. Anywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info. (more) 8

dsniff - 2 dsniff automatically detects and minimally parses each application protocol, only saving dsniff - 2 dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well). filesnarf: saves selected files sniffed from network file system traffic in the current working directory. mailsnarf: a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701 -2711), be careful. Outputs selected messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc. ). urlsnarf: output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc. ). webspy: sends URLs sniffed from a client to your local Netscape browser for display, updated in realtime (as the target surfs, your browser surfs along with them, automagically). a fun party trick. : -) (more) http: //monkey. org/~dugsong/ There is no index. Try adding application name to URL, like http: //monkey. org/~dugsong/dsniff/ or Google the application name WARNING – THIS SITE WAS HACKED AND DOWNLOADED TROJAN HORSES FOR A FEW MONTHS IN THE PAST. CHECK MD 5’s 9

“wireshark” - A Network Protocol Analyzer (Sniffer) “wireshark” is a free network protocol analyzer “wireshark” - A Network Protocol Analyzer (Sniffer) “wireshark” is a free network protocol analyzer interactively browse the capture data, viewing summary and detail information for each packet. Wire. Shark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide. Wireshark was written by an international group of networking experts, and is an example of the power of open source. It runs on Windows, Linux, UNIX, and other platforms. www. wireshark. org 10

Knoppix-STD is a Security Tool. Actually it is a collection of hundreds if not Knoppix-STD is a Security Tool. Actually it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro (i. e. it runs from a bootable CD in memory without changing the native operating system of your PC). It's sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can. STD is designed to assist network administrators and professionals alike secure their networks. The STD community is without exception White Hat. This means we will not entertain discussions on ANY illegal or unethical activities. www. knoppix. org and http: //www. s-t-d. org/ List of tools: http: //s-t-d. org/tools. html 11

125 Overview of Net. Set Tools: http: //sectools. org (insecure. org) 12 125 Overview of Net. Set Tools: http: //sectools. org (insecure. org) 12

The “Community” version is is free. It provides a GUI interface, a database for The “Community” version is is free. It provides a GUI interface, a database for information gained from scans and attempted penetrations. The Metasploit Project Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only. Metasploit is a community project managed by Rapid 7 [http: //www. rapid 7. com/] who also sells the Nexpose vulnerability scanner (“Community” editions are free). http: //www. metasploit. com/ also Google for "backtrack" 13

CERT®/CC Contact Information Email: info@us-cert. gov Encrypting sensitive information: When sending sensitive information by CERT®/CC Contact Information Email: info@us-cert. gov Encrypting sensitive information: When sending sensitive information by email, please encrypt it. You can find details about our PGP key at https: //www. us-cert. gov/contact-us/ Phone - CERT Hotline 1 888 282 -0870 US-CERT is part of DHS' National Cybersecurity and Communications Integration Center (NCCIC). The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cyber security - collaborative, agile, and responsive in a dynamic and complex environment. Subscribe to the US-CERT mailing list if you want to receive their advisories and summaries in email. www. us-cert. gov (US DHS) also see www. cert. org (Carnegie Mellon U. ) 14

Atlanta Network-Security Startups Air. Defense (Motorola) Air. Watch (VMware) – www. air-watch. com Damballa Atlanta Network-Security Startups Air. Defense (Motorola) Air. Watch (VMware) – www. air-watch. com Damballa Internet Security Systems, Inc (IBM) - www. iss. net LANcope (Cisco) www. lancope. com Pin. Drop Pure. Wire (now part of Barracuda) Secure. Works (mostly owned by Dell) 15

SANS Global Incident Analysis Center Welcome to GIAC, our mission is to provide up-to-date SANS Global Incident Analysis Center Welcome to GIAC, our mission is to provide up-to-date reports of malicious activity on the net submitted by your international community of system administrators and intrusion detection analysts. We welcome detects of intrusions, odd log file entries, encryption failures, or other security related information. Three gifts SANS gives to the community are the weekly digest of patches and summaries of traces, the monthly Windows NT Digest of new security holes, patches, and other administrative imperatives, and the weekly digest of the 25 top news stories in secret. We'd be happy to send you any or all, just send an email to info@sans. org with one or more of the following in the subject: Network Security Digest, NT Digest, or Newsbites. GIAC has posted a guide to defensive steps against DDOS attacks in a document based on the Consensus Roadmap developed by the Partnership for Critical Infrastructure Security. Since the DDOS threat will be with us for the long haul we need to take appropriate countermeasures to reduce the impact of the threat. GIAC is committed to train and assist security professional and with your help we can get control of this problem. Thank you! http: //isc. sans. org/reports. html 16

National Infrastructure Protection Center (NIPC) Located in the FBI's headquarters building in Washington, D. National Infrastructure Protection Center (NIPC) Located in the FBI's headquarters building in Washington, D. C. , the NIPC brings together representatives from the FBI, other U. S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures. Established in February 1998, the NIPC's mission is to serve as the U. S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures. These infrastructures, which include telecommunications, energy, banking and finance, water systems, government operations, and emergency services, are the foundation upon which our industrialized society is based. Our society is increasingly relying on new information technologies and the Internet to conduct business, manage industrial activities, engage in personal communications, and perform scientific research. While these technologies allow for enormous gains in efficiency, productivity, and communications, they also create new vulnerabilities to those who would do us harm. The same interconnectivity that allows us to transmit information around the globe at the click of a mouse or push of a button also creates unprecedented opportunities for criminals, terrorists, and hostile foreign nation-states who might seek to steal money or proprietary data, invade private records, conduct industrial espionage, cause a vital infrastructure to cease operations, or engage in Information Warfare. Protecting our critical infrastructures in the Information Age raises new challenges for all of us. Above all, it requires a partnership between the government and private industry to reduce our vulnerability to attack and increase our capabilities to respond to new threats. The NIPC provides an important vehicle for carrying that partnership forward. Disbanded, see CIP and Homeland Security, Nat. Cyber Sec. Div. : http: //www. dhs. gov/topic/cybersecurity 17

WASHINGTON, D. C. -- The Department of Justice, in conjunction with the FBI, the WASHINGTON, D. C. -- The Department of Justice, in conjunction with the FBI, the Air Force Office of Special Investigation, the National Aeronautic and Space Administration and the Naval Criminal Investigative Service, announced today that the Israeli National Police arrested Ehud Tenebaum, an Israeli citizen, for illegally accessing computers belonging to the Israeli and United States governments, as well as hundreds of other commercial and educational systems in the U. S. and elsewhere. The arrest of Tenebaum culminates several weeks of investigation into a series of computer intrusions into United States military systems that occurred in February 1998. As part of this investigation, the Department of Justice formally requested legal assistance from the Israeli Ministry of Justice, and U. S. law enforcement agents traveled to Israel to present Israeli law enforcement officials with evidence of the magnitude and the source of the intrusions into United States computers. Attorney General Janet Reno said that the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct. She added that the U. S. government's efforts to investigate and prosecute computer crime are on the right track: "This arrest should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes. We will work around the world and in the depths of cyberspace to investigate and prosecute those who attack computer networks, " she said. 18

The Rustock Takedown and Global Spam Volumes Posted by Ralf Iffert and Tom Cross The Rustock Takedown and Global Spam Volumes Posted by Ralf Iffert and Tom Cross on March 21, 2011 at 11: 50 PM EDT. Last week there was widespread media coverage of a successful effort by Microsoft and US Marshals to take down the command control capabilities of the Rustock botnet. At the time sources announced a significant drop in spam volumes related to that event. Although X-Force noticed a 35% drop in spam volume on March 16 th, spam volumes can fluctuate within a large range on a day to day basis and so this reduction in the volume did not initially appear to be outside of the normal amount of fluctuation that occurs. Now that several days have passed, this drop seems more significant, as the spam volume has stayed down between 35 and 40% versus its previous average volumes for several consecutive days. It appears that the Rustock takedown likely had a sustained impact on the total volume of spam. It is worth noting, however, that this reduction is only about half as big as the drop that occurred over Christmas, when spammers appeared to have gone on holiday. For more, see http: //blogs. iss. net/

Network Security Organizations There a number or organizations that provide good advice about network Network Security Organizations There a number or organizations that provide good advice about network security programs. The Computer Emergency Response Team (US-CERT) encourages reports about cracking activities and releases an annual summary of cracking incidents. CERT is operated by Carnegie-Mellon University for the U. S. government (www. us-cert. gov). SANS, which appears to be “for profit, ” offers a number free services. Reports on newly discovered exploits (without implementation code) and patched exploits are available by email. The Global Incident Analysis Center in available on the Web (www. sans. org). The FBI investigates cyber crimes and provides data from an ongoing survey (http: //www. fbi. gov/cyberinvest/cyberhome. htm). The Secret Service also investigates cyber crimes, particularly those involving child pornography and bank fraud. 20

What to Do if a System is Compromised Regain control 1. Disconnect compromised system(s) What to Do if a System is Compromised Regain control 1. Disconnect compromised system(s) from the network. To regain control, you will need to disconnect all compromised machines from your network. After that you may wish to operate in single user mode in UNIX or as the local administrator in NT to ensure that you have complete control of the machine; however, by rebooting or changing to single user/local administrator mode, you may lose some useful information because all processes executing at the time of discovery will be killed. Look for signs of a network sniffer to determine if the compromised system is currently running a network sniffer (ifconfig – physical port in "PROMISC" mode). Operating in single user mode on UNIX systems will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process. If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine. [On the other hand, some malware will do this automatically. ] 2. Copy an image of the compromised system(s). . . [UNIX utility "dd" is good for this] *Excerpt from http: //www. cert. org/tech_tips/win-UNIX-system_compromise. html Turn off – restart in single-user mode, or with a "Live" CD. 21

What to Do if a System is Compromised - 2 1. Power-Off and Disconnect What to Do if a System is Compromised - 2 1. Power-Off and Disconnect from the network. 2. Reconfigure the BIOS* to prefer "boot" from a live† CD-ROM or USB drive. Intel PC's can be booted from a "Knoppix" live CD-ROM or DVD (www. knoppix. org) Use "Super. Duper" to make a live USB for a Mac (www. shirt-pocket. com, $ 28). 3. Clone the hard drive (for forensics and/or document recovery). Use the UNIX utility "dd" (type: dd bs=1 k if=/dev/sda 1 of=/media/usbdisk) You can see the actual disk drive names (like /dev/sda 1 and /media/usbdisk by typing: df) The disk drive "/media/usbdisk" (erased) must be as large as "/dev/sda 1. This is best forensic purposes. Attach a "Chain of Evidence" to show everyone who took control, and when. Include a hash of the disk image, and physically turn off "write" mode. Other programs will de-segment files to compress the copied data onto an almost-clone disk. Not as good for evidence, but useful if you have 50 GB actually used on a 1000 GB hard drive. 3. Clonezilla Live (clonezilla. org, available in a live CD/DVD or live USB). 4. Norton "Ghost" (free version may be available) 5. Others: Rescatux, Redo Backup & Recovery, System. Rescue. CD, Trinity Rescue Kit 6. 4. Best bet for recovery: periodically back up all documents (non-executable files) after running a Virus Detection Tool (e. g. , Sophos). Save all system, application installation disks, and installation "keys" so everything can be reloaded onto a freshly wiped hard disk. * You should have had the BIOS configured to "only boot from the hard drive", and locked with a password. † A "Live" CD/DVD can be used to boot up the computer, and contains its own OS. A RAM drive is then used which allows the hard drive to be dismounted and cloned. To make your own, see www. linux-live. org. 22