
Introduction to Vulnerability Assessment Labs Ge Zhang - PowerPoint PPT Presentation



  1. Introduction to Vulnerability Assessment Labs
     Ge Zhang, ge.zhang@kau.se
     Dvg-C03, Karlstad University

  2. Schedule
     • 3 attacking methods
       – Password cracking
       – ARP spoofing & sniffing
       – Port scanning
     • 1 defense method
       – Firewall configuration
     • 2 vulnerability assessment tools
       – Nessus
       – Bastille

  3. Environment
     • 3 VM images (c:\vmware\valab-ht11)
     [Diagram: host machine running the VMs, connected through hubs and a switch]

  4. Password Cracking
     • Authentication:
       – Something you know
       – Something you have
       – Something you are
     • Passwords need to be transferred
     • Passwords need to be stored

  5. Brute Force
     • Attempts all possible combinations of letters and numbers
     • Possible solutions
       – Limit the number of unsuccessful logins
       – Change passwords often
       – The length should be at least 8 characters

  6. Dictionary
     • A type of brute force attack
     • Only tries possibilities that are likely to succeed
     • Lists are derived from a dictionary
     • Possible solutions
       – Mix and match numbers, letters, upper and lower case
       – Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
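The defenses listed on the brute-force and dictionary slides can be checked mechanically. The following is an added example (not code from the slides or from the course) that implements the two pieces a defender would deploy: a password-policy check covering length, character classes, dictionary words, sequences and the username, and a lockout counter that refuses further attempts after a number of failed logins. The word list, the lockout limit of 5 and the `verify` callback are assumptions for the example; a real deployment would load a large word list and compare against a salted, hashed credential.

```python
import string
from collections import defaultdict

# Constructed word list standing in for a cracking dictionary; a real check would load
# a large list (or a corpus of previously cracked passwords) from disk.
DICTIONARY = {"password", "letmein", "welcome", "karlstad", "summer", "qwerty"}

# Default lockout threshold: assumed value, not taken from the slides.
MAX_FAILED_LOGINS = 5


def is_sequence(s):
    """True when the string is a run of consecutive characters such as 'abcdefgh' or '12345678'."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password_policy(password, username, dictionary=DICTIONARY):
    """Return the list of policy violations for a candidate password (empty means it passes).

    The checks mirror the slides' advice: at least 8 characters, mixed character
    classes, and nothing based on dictionary words, sequences or the username.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    # Strip digits and symbols so that 'Password1!' is still recognised as 'password'.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in dictionary or letters_only in dictionary:
        problems.append("based on a dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if is_sequence(lowered):
        problems.append("is a letter or number sequence")
    return problems


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account at the limit.

    `verify(username, supplied)` is a caller-supplied function (assumed here) that
    compares the attempt against the stored, salted and hashed credential.
    """

    def __init__(self, verify, limit=MAX_FAILED_LOGINS):
        self.verify = verify
        self.limit = limit
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, username, supplied):
        if username in self.locked:
            return "locked"
        if self.verify(username, supplied):
            self.failures[username] = 0      # a successful login resets the counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.limit:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for candidate in ("Password1!", "abcdefgh", "T9#kLq2!vR"):
        print(candidate, "->", check_password_policy(candidate, "alice") or "ok")
```

Note that `Password1!` satisfies the length and character-class rules yet is still rejected, because stripping the decorations leaves a dictionary word; this is exactly the kind of candidate a dictionary attack with simple mangling rules tries early.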

  7. John the Ripper
     • Traditionally the account information is stored in the /etc/passwd file
     • The /etc/passwd file is world-readable
     • The shadow password system stores the (hashed) passwords in the file /etc/shadow, which is not world-readable
     • Have a look at
       – /usr/share/doc/john-1.7.0.2/EXAMPLES
     • Then create your own account and password, and run "john" again to see the result
       – useradd [your account]
       – passwd [your account]
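Before running a cracker, an administrator can read /etc/shadow for the same signal the cracker exploits: the hash scheme in the second field decides how fast guesses can be tested. The following is an added example (not from the slides or the course) that parses shadow-format lines, names the crypt(3) scheme from the `$id$` prefix, and reports accounts with no password, legacy DES or MD5 hashes, or passwords that never expire. The sample lines and hash values are constructed placeholders, and the 365-day maximum age is an assumed policy value.

```python
import re

# Constructed lines in /etc/shadow format (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# The hash values are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$6$saltsalt$SHA512HASHPLACEHOLDER:15000:0:99999:7:::
alice:$1$abcdefgh$MD5HASHPLACEHOLDER:15000:0:90:7:::
legacy:ab3XyZ9QwErTy:15000:0:99999:7:::
guest::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
bob:!:15000:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$' signs.
HASH_SCHEMES = {
    "1": "MD5 crypt",
    "5": "SHA-256 crypt",
    "6": "SHA-512 crypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "y": "yescrypt",
}
WEAK_SCHEMES = {"none", "DES crypt", "MD5 crypt"}


def classify_hash(field):
    """Name the hashing scheme used in one shadow password field."""
    if field == "":
        return "none"            # empty field: the account can log in without a password
    if field.startswith(("!", "*")):
        return "locked"          # no valid hash, password login disabled
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_SCHEMES.get(m.group(1), "unknown $%s$" % m.group(1))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES crypt"       # traditional 13-character crypt(3) output
    return "unknown"


def audit_shadow(text, max_age_days=365):
    """Return (account, scheme, finding) tuples for entries an auditor should look at."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_field, max_age = fields[0], fields[1], fields[4]
        scheme = classify_hash(pw_field)
        if scheme in WEAK_SCHEMES:
            findings.append((name, scheme, "weak or missing password hash"))
        if scheme != "locked":
            # 99999 or an empty max field means the password never expires.
            if max_age in ("", "99999") or int(max_age) > max_age_days:
                findings.append((name, scheme,
                                 "password never expires or exceeds %d days" % max_age_days))
    return findings


if __name__ == "__main__":
    for account, scheme, finding in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-14s %s" % (account, scheme, finding))
```

On a real system the script has to run as root (or with membership of the `shadow` group), which is the point of the slide: the hashes are only exposed to a cracker once that boundary has already been crossed.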

  8. Sniffing
     [Diagram: shared medium (hub / Token Ring)]
     • Hub: a hub simply receives incoming packets and broadcasts them out to all devices on the network
     • Adapter promiscuous mode: an adapter can receive all frames on the network, not just the frames that are addressed to that adapter

  9. Wireshark
     [Screenshot of the Wireshark start window, annotated: Show capture options, Select network interface, Filters for display, Filters for capture]

  10. Wireshark
     [Screenshot of a running capture, annotated: Stop capturing, Captured datagrams, Datagram analysis, Datagrams in hex]

  11. Hub vs. switch
     • Hub: Layer 1 (physical), shared
     • Switch: Layer 2 (data-link), dedicated
     [Diagram: hub / Token Ring (shared medium) versus switch (dedicated links)]

  12. ARP (Address Resolution Protocol)
     • MAC address (layer 2)
       – Globally unique
       – Unchangeable
     • IP address (layer 3)
       – Unique within the network
       – Changeable
     [Diagram: ARP resolves an IP address to a MAC address; RARP resolves a MAC address to an IP address]

  13. ARP spoofing (cache poisoning) on a switch
     [Diagram: four hosts on a switch: 192.163.0.1 (AA), 192.163.0.2 (BB), 192.163.0.3 (CC), 192.163.0.4 (DD).
      Normal resolution: 192.163.0.1 (with mac AA) asks "Who has the IP address 192.163.0.4?", 192.163.0.4 answers "I am 192.163.0.4, with mac address DD", and the cache of 192.163.0.1 stores 192.163.0.4->DD.
      Poisoning: the host with mac CC sends "I am 192.163.0.4, with mac address CC" to 192.163.0.1 (whose cache now holds 192.163.0.4->CC) and "I am 192.163.0.1, with mac address CC" to 192.163.0.4 (whose cache now holds 192.163.0.1->CC), so the traffic between .1 and .4 passes through CC.]
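The two slides above (ARP and ARP cache poisoning) describe what a passive monitor on the segment can see: an ARP cache accepts whatever reply arrives last, but the replies themselves leave a trace. The following is an added example (not code from the slides or the course) that replays the slide's exchange as a constructed list of ARP replies and flags the two symptoms of poisoning: an IP address whose MAC address changes, and one MAC address claiming several IP addresses. The full MAC addresses are constructed stand-ins for the slide's AA/BB/CC/DD labels; reading real replies off the wire (with a capture library or an ARP monitoring daemon) is left out.

```python
from collections import defaultdict

# Constructed sequence of ARP replies (sender IP, sender MAC) as a passive sniffer on the
# segment would see them, using the addresses from the slide. The first four are the
# genuine hosts announcing themselves; the last two are the poisoning replies, where the
# host that owns MAC CC claims to be 192.163.0.4 (towards .1) and 192.163.0.1 (towards .4).
OBSERVED_ARP_REPLIES = [
    ("192.163.0.1", "aa:aa:aa:aa:aa:aa"),
    ("192.163.0.2", "bb:bb:bb:bb:bb:bb"),
    ("192.163.0.3", "cc:cc:cc:cc:cc:cc"),
    ("192.163.0.4", "dd:dd:dd:dd:dd:dd"),
    ("192.163.0.4", "cc:cc:cc:cc:cc:cc"),
    ("192.163.0.1", "cc:cc:cc:cc:cc:cc"),
]


class ArpWatch:
    """Passive ARP monitor: remembers the first IP->MAC binding seen and alerts on changes.

    Two signals are checked, both visible in the slide's diagram:
      1. an IP address that suddenly maps to a different MAC address;
      2. one MAC address that claims more than one IP address.
    """

    def __init__(self, trusted=None):
        # Optional static table (IP -> MAC) for hosts whose addresses are known in advance.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, sender_ip, sender_mac):
        """Feed one ARP reply; returns the alerts it triggers (empty when nothing is suspicious)."""
        alerts = []
        sender_mac = sender_mac.lower()
        known = self.ip_to_mac.get(sender_ip)
        if known is None:
            self.ip_to_mac[sender_ip] = sender_mac
        elif known != sender_mac:
            # Keep the original binding instead of overwriting it as a plain ARP cache would.
            alerts.append("%s changed from %s to %s" % (sender_ip, known, sender_mac))
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            alerts.append("%s claims several IPs: %s"
                          % (sender_mac, ", ".join(sorted(self.mac_to_ips[sender_mac]))))
        return alerts


def run_detector(replies=OBSERVED_ARP_REPLIES):
    """Replay the constructed replies and return every alert raised."""
    watch = ArpWatch()
    alerts = []
    for ip, mac in replies:
        alerts.extend(watch.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run_detector():
        print("ALERT:", alert)
```

The first-seen binding is only trustworthy if the monitor started before the attack; on a managed network the `trusted` table (or DHCP snooping data on the switch) gives a better baseline than whatever reply happened to arrive first.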

  14. Preparation
     • ipconfig /all
     • Let me know the last number of your IP address and your MAC address
     • ping [IP address] -t
     [Diagram: ping windows between hosts]

  15. Cain
     [Screenshot of Cain, annotated: Select interface, Scan MAC addresses, Scanned results, ARP spoofing configuration]

  16. Cain
     [Screenshot of Cain, annotated: Add to list for spoofing]
     • Spoof the ARP cache of these two hosts to intercept the conversation between them

  17. Cain
     [Screenshot of Cain, annotated: Start ARP spoofing]

  18. Port Scanning
     • Attackers wish to discover services they can break into.
     • Does the service exist?
     • Send a packet to each port, one at a time.
       – Based on the type of response, an attacker knows if the port is used.
       – The used ports can be probed further for weaknesses.
     • Well-known ports: tcp 21, tcp 22, tcp 23, tcp 80 …

  19. Nmap
     • -sT (scanning by TCP connections)
     • -sS (SYN scanning)
     • -sU (UDP scanning)
     • -sV (version detection)
     • -O (OS fingerprinting)
     • -T[0-5] (timing template: time interval between probes)
     • -f (fragmenting)

  20. Nmap
     [Screenshot: Nmap output]

  21. Nmap
     • Zenmap: graphical interface
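The port-scanning slides describe the scan from the attacker's side: one probe per port, the response telling whether the port is used. From the defender's side the same activity is one source hitting many destination ports in a short time, which is easy to count in firewall logs. The following is an added example (not from the slides or the course) that parses kernel messages in the format written by the iptables `LOG` target (the syslog framing and the `FW-IN:` log prefix are assumed), groups them per source/destination pair, and reports pairs that touch at least 5 distinct ports inside any 60-second window. The log lines are constructed to mimic the probe sequence on the previous slide (tcp 21, 22, 23, 80 and a few more) next to a host that only opens SSH sessions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field patterns for the iptables LOG target's kernel messages (syslog framing assumed).
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
FIELD_RE = {name: re.compile(r"\b%s=(\S*)" % name) for name in ("SRC", "DST", "PROTO", "DPT")}


def parse_log_line(line):
    """Extract timestamp, addresses, protocol and destination port; None if not a LOG line."""
    ts = TS_RE.match(line)
    fields = {name: rx.search(line) for name, rx in FIELD_RE.items()}
    if not ts or "kernel:" not in line or not all(fields[n] for n in ("SRC", "DST", "PROTO")):
        return None
    dpt = fields["DPT"]
    return {
        "time": datetime.strptime(ts.group(1), "%b %d %H:%M:%S"),
        "src": fields["SRC"].group(1),
        "dst": fields["DST"].group(1),
        "proto": fields["PROTO"].group(1),
        "dport": int(dpt.group(1)) if dpt else None,   # ICMP lines carry no DPT
    }


def detect_scans(lines, min_ports=5, window_seconds=60):
    """Map (src, dst) -> most distinct ports hit inside one window, for pairs at or over min_ports."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["proto"] in ("TCP", "UDP") and rec["dport"] is not None:
            hits[(rec["src"], rec["dst"])].append((rec["time"], rec["dport"]))
    scanners = {}
    for pair, events in hits.items():
        events.sort()
        best = 0
        # Slide a window starting at every event and count the distinct ports inside it.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[pair] = best
    return scanners


def make_log_line(ts, src, dst, dport):
    """Build one constructed LOG line, as 'iptables -A INPUT -j LOG --log-prefix "FW-IN: "' would."""
    return ("%s gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC=%s DST=%s LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=%d "
            "WINDOW=1024 RES=0x00 SYN URGP=0" % (ts, src, dst, dport))


# Constructed sample: one host probes eight well-known ports within a few seconds,
# while another host only opens SSH connections to the same gateway.
SAMPLE_LOG = [make_log_line("Oct 12 10:00:%02d" % i, "192.163.0.3", "192.163.0.1", p)
              for i, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
SAMPLE_LOG += [make_log_line("Oct 12 10:05:00", "192.163.0.2", "192.163.0.1", 22),
               make_log_line("Oct 12 10:06:00", "192.163.0.2", "192.163.0.1", 22)]


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print("possible port scan: %s -> %s (%d distinct ports)" % (src, dst, ports))
```

The threshold and window are tuning knobs: a slow scan with `-T0` or `-T1` spreads its probes over minutes, so it needs a longer window (or a count over the whole day) to show up, at the cost of more false positives from busy legitimate clients.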

  22. Firewall
     • A set of related programs that protects the resources of a private network or a host from the external environment.
     • A mechanism for filtering network packets based on information contained within the IP header.

  23. IPtables: 3 default chains
     • INPUT: used to control packets entering the interface (packets whose destination is this machine)
     • OUTPUT: used to control packets leaving the interface (packets originating from this machine)
     • FORWARD: used to control packets being masqueraded or sent on to remote hosts (packets routed through this machine)

  24. IPtables
     • iptables command [match] [target]
     • Command: -A, -I, -D, -F, -L
     • Match: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port]
     • Target: -j [ACCEPT/DROP/LOG …]
     • Examples:
       – iptables -I INPUT -p ICMP -j DROP
       – iptables -I INPUT -p ICMP --icmp-type 0 -j ACCEPT
     • Our task: restrict all inbound traffic, except SSH requests on port 22. However, any outgoing requests should not be affected.
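The task on this slide has a trap: a rule set that only accepts new connections to port 22 on INPUT also drops the replies to every request this host sends out, so "outgoing requests should not be affected" requires a connection-tracking rule. The following is an added example (not the course's solution) that models the INPUT chain as an ordered rule list with a default policy, walks sample packets through it the way the kernel does (first match wins, otherwise the chain policy), and renders the same list as iptables commands. The rule design (loopback, ESTABLISHED/RELATED, then NEW to tcp/22, policy DROP) and the sample packets are assumptions made for the example; the script does not touch the real firewall.

```python
# Chain policies and rules for the slide's task, in the order they are applied.
# Assumed design (not from the slides): accept loopback, accept replies to connections
# this host started (so outgoing requests keep working), accept new SSH, drop the rest.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
RULES = [
    {"chain": "INPUT", "in": "lo", "target": "ACCEPT"},
    {"chain": "INPUT", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"chain": "INPUT", "proto": "tcp", "dport": 22, "state": {"NEW"}, "target": "ACCEPT"},
]


def to_iptables(rules=RULES, policy=POLICY):
    """Render the model as iptables commands (-A appends, so list order is rule order)."""
    cmds = ["iptables -F INPUT"]
    for r in rules:
        parts = ["iptables", "-A", r["chain"]]
        if "in" in r:
            parts += ["-i", r["in"]]
        if "proto" in r:
            parts += ["-p", r["proto"]]
        if "dport" in r:
            parts += ["--dport", str(r["dport"])]
        if "state" in r:
            parts += ["-m", "conntrack", "--ctstate", ",".join(sorted(r["state"]))]
        parts += ["-j", r["target"]]
        cmds.append(" ".join(parts))
    # Policies last: setting INPUT to DROP before the SSH rule exists cuts off a remote session.
    cmds += ["iptables -P %s %s" % (chain, target) for chain, target in policy.items()]
    return cmds


def evaluate(packet, rules=RULES, policy=POLICY):
    """Walk the packet's chain top to bottom; the first matching rule decides, else the policy."""
    for r in rules:
        if r["chain"] != packet["chain"]:
            continue
        if "in" in r and r["in"] != packet.get("in"):
            continue
        if "proto" in r and r["proto"] != packet.get("proto"):
            continue
        if "dport" in r and r["dport"] != packet.get("dport"):
            continue
        if "state" in r and packet.get("state") not in r["state"]:
            continue
        return r["target"]
    return policy[packet["chain"]]


# Constructed packets describing the cases the task must get right.
TEST_PACKETS = {
    "inbound new ssh": {"chain": "INPUT", "in": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"},
    "inbound new http": {"chain": "INPUT", "in": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"},
    "reply to our outgoing web request": {"chain": "INPUT", "in": "eth0", "proto": "tcp",
                                          "dport": 51000, "state": "ESTABLISHED"},
    "our outgoing web request": {"chain": "OUTPUT", "proto": "tcp", "dport": 80, "state": "NEW"},
}


def verdicts(packets=TEST_PACKETS, rules=RULES):
    """Return the decision for each sample packet under the given rule list."""
    return {name: evaluate(p, rules) for name, p in packets.items()}


if __name__ == "__main__":
    for cmd in to_iptables():
        print(cmd)
    for name, verdict in verdicts().items():
        print("%-36s %s" % (name, verdict))
```

Dropping the ESTABLISHED/RELATED rule from `RULES` makes `verdicts()` return DROP for the reply packet, which is the symptom students see when an otherwise correct answer breaks web browsing and DNS. Note also that the slide's own examples use `-I`, which inserts at the top of the chain; with `-I` the commands have to be issued in the reverse order of the list above.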

  25. Nessus
     • Remote vulnerability scanner
     • Nessus will
       – Perform over 900 security checks
       – Accept new plugins to add new checks
       – List security concerns and recommend actions to correct them

  26. Nessus
     • Client/server architecture
       – Server: performs the checks
       – Client: front-end
     • Can test an unlimited number of hosts in each scan
     [Diagram: Nessus client talking to the Nessus server (nessusd), which scans www, FTP, mail and VoIP hosts]

  27. Nessus
     [Screenshot: Nessus]

  28. Nessus
     [Screenshot: Nessus]

  29. Bastille
     • Operating system hardening
       – Remove unnecessary processes
       – Set file permissions
       – Patching and updating
       – Set networking access controls
     • Generate your own hardening policy
     • Can be run manually to provide advice and information

  30. Bastille
     • Assessment mode: bastille -a

  31. Bastille
     • Configuration mode: bastille -x
