GMRIT, Security, Feb 2-3, 2007

Welcome to All
Participants
Prof NB Venkateswarlu
HOD, IT, GVPCOE
Visakhapatnam
venkat_ritch@yahoo.com
Let Me first
Congratulate all
the Organizers
First, You may
have to Excuse
me!!.
May be, I am the
only odd man out!.
However, I am
helpless. My Talk is
a last minute
adjustment.
Nevertheless, I am
sure you will enjoy.
Penetration
Testing Tools:
Linux Perspective
What I am going to Cover?
• Briefing general security threats
SQL injection
Phishing
DNS hacking
Spam
Botnets
• Linux security aspects
• CERT-In initiative under the Ministry of
Information Technology, Govt. of India
Most Noted Reasons
• Buffer overflows
• Format string problems
• Integer overflows
• SQL injection
• Command injection
• Failure to handle errors
• Cross-site scripting
Most Noted Reasons - Cont
• Failure to protect network traffic
• Use of magic URLs and hidden form fields
• Improper use of SSL
• Use of weak password-based systems
• Failure to store and protect data securely
• Information leakage
• Trusting network address resolution
Most Noted Reasons - Cont
• Improper file access
• Race conditions
• Unauthorised key exchange
• Failure to use cryptographically strong
random numbers
• Poor usability
Defacement Statistics, Dec 2006
Cyber Insurance – US Statistics
• Premiums paid: $100 million
• Claims paid: $14 million
How did he do it?
Social engineering
Example pretext:
"Our Mumbai server is down. Please click the
standby server."
SQL Injection
Consider the following line in an ASP
script, which builds the query by string concatenation:
Query = "select count(*) from users where UserName='" & userName & "' and userPass='" & password & "'"
Let the username be Ram and the password be: ' or 1=1 --
The SQL statement sent to the server becomes:
select count(*) from users where userName='Ram' and userPass='' or 1=1 --'
Because AND binds tighter than OR, the WHERE clause is true for every row
(the dangling quote is commented out by --), so the count is non-zero and
the login check passes without any valid password.
Similarly, a username of:
' having 1=1 --
makes the server return an error message such as "users.UserName is invalid",
which leaks the table name and the column name.
Now with the username:
' or users.userName like 'admin%' --
the query matches the admin row and the attacker logs in as Admin!!
If the database allows stacked queries, several SQL statements can be run;
for example a username of:
'; drop table users; --
or, on SQL Server:
'; shutdown with nowait; --
Extended stored procedures can also be reached:
'; exec master..xp_cmdshell 'iisreset'; --
The fix is never to build SQL from user input by concatenation: use
parameterised queries (prepared statements), and run the application's
database account with the least privilege it needs (no xp_cmdshell, no DDL).
SQL Injection through URL
Phishing & Pharming
How does phishing work?
Detecting it on the institution's side: monitor bounced emails,
account activity, call volumes and
password enquiries
Spam: where the addresses come from
• Search engines
• Addresses posted in public areas such as
USENET
• Email directories, Yellow Pages
• Ready-made lists (for sale!)
• Chat rooms
• Brute-force guessing of addresses
Botnets
DDoS attack
How to tackle spam
• Content-based filtering
Pattern matching
Hash matching
Bayesian filtering
• Source-address-based filtering
Source address filtering
• White lists
• Block lists
• Reputation analysis
• Real-time blackhole lists (RBLs)
• Challenge-response
How to stop spam - cont
SMTP server implementation:
• Should not relay unauthorised mail (no open relay)
• Separate ports for submission and relay
• Implement client authentication
• Disable SMTP commands like VRFY
• Prevent remote mail to local groups
• Define a maximum number of recipients per message
• Reject a NULL sender identity (note that the null
sender is what bounces are sent from, so rejecting it
outright also loses legitimate delivery failures)
• Digital signatures
Countering phishing:
• Educating people
• Disable cross-site scripts, stop injected scripts
• Mutual authentication, data-destination block listing
• Use a trusted path
• Password hashing, transaction authentication
• Induce delays, especially in financial institutions
DNS ATTACKS
DNS
Components of DNS
• DNS zones
• DNS name space
• Resource records
• Name servers
DNS name space
Types of name servers
• Primary (master)
• Secondary (slave)
• Caching
DNS zone
• Contiguous portion of the name space
• A name server can serve one or more zones
• A zone may contain one or more domains
• Zone files hold the data for that zone only
• Forward lookup zone
• Reverse lookup zone
Resource records
• Name server (NS)
• Host address (A)
• Mail exchange (MX)
• Start of authority (SOA)
• Canonical name (CNAME)
DNS query type: recursive query
Common DNS attacks
• Footprinting
• Redirection
• DoS
• Data modification / IP spoofing
• DNS cache poisoning
Where to be cautious?
Hosts, transactions (zone transfers, dynamic updates), and queries/responses
Countering DoS
• All name servers should not be
in a single subnet,
behind a single router, or
on a single leased line
• Have an offsite slave name server
• Restrict zone transfers
Countering IP spoofing
• Turn off recursion
• Restrict the addresses to which the name server
responds
• Restrict the addresses for which the name server
answers recursive queries
Transaction security (DNSSEC)
Best practices
• Provide redundant DNS services
• Use separate servers for advertising (authoritative) and resolving (recursive)
• Limit DNS interface access for resolution
• Restrict zone replication (zone transfers) to the secondaries
• Restrict dynamic updates
• Prevent cache corruption
• Disable recursion on authoritative servers
• Turn off glue fetching
• Filter traffic to the DNS name server
• Run services in a less privileged mode (non-root, chrooted)
• Source address validation
• Don't reply with personal information. Ask in person.
Visit the web sites yourself, typing the address.
• "Dear Sir/Madam" is suspicious. "Dear Mr
Rao" is probably ok.
• Exciting or upsetting statements are
doubtful, such as "work from home"
• They ask for username, password etc.
• Never fill in email forms
• Regularly check your bank account
• Make sure your OS is up to date
• Type the following into the browser address bar to show which host the page really came from:
javascript:alert("The actual URL of this site: " + location.protocol + "//" + location.hostname + "/");
(current browsers strip the javascript: prefix from pasted text, so type it or keep it as a bookmarklet)
• Use password hashing
Penetration Testing
• Discover vulnerabilities
• Plan the attack vector
• Launch the attack
• Gain access
• Exploitation
• Simulating spam, mail spoofing
• Gaining a shell
• Black box - no information is given to the pen tester
• White box - information is supplied
Attacks
Brute force, malicious code,
eavesdropping, phishing, DoS
Pen test results
• Identified vulnerabilities
• Sources of the same
• Impact
• Risk
                 Pen test             Vulnerability assessment   Auditing
Initial info     Limited              Limited                    Full
Outcome          Access to network    List of vulnerabilities    Secure system
Location         Internal/External    External                   On system
Time             Medium               Short                      Long
Linux Tools and Practices
Fingerprinting
• Knowing the OS
• OS version
• Other device names
• Database names etc.
• Example TCP fingerprinting tools: nmap,
queso, cheops
• Also: telnet, finger, strobe, netcat, SATAN
• telnet hostname ftp - the service banner displays version details
Fingerprinting - cont
• telnet hostname http, then send a request such as
GET /scripts/..%255c../../..cmd.exe/…
• Results (IIS double-decode directory traversal; the directory listing shows the server is Windows):
Volume in drive C has no label
Volume Serial No
Linux Commands
• netstat -ltunp    // list all listening TCP/UDP ports with the owning process
• netstat -atunp    // list all sockets, including active connections
• rpcinfo -p        // list all registered RPC services
Host-based IDS
• ISS RealSecure Server Sensor
• Check host file-system consistency: Tripwire, AIDE
• Tripwire can notify through email and
can be run from cron
• To build the baseline database: tripwire --init
• To check against it: tripwire --check > error.txt
Bastille - to harden Linux
• Interactive; many yes/no questions
Osiris - osiris.shmoo.com
• osirisd runs on each monitored host
• osiris (console) and osirismd (management daemon) run on a trusted host
• Check host network connections:
BlackICE, PortSentry
• Check host log files: LogSentry, Swatch
Snort www.snort.org
• The user specifies the pattern to match in packets
and the action to take
• Additional preprocessors/plug-ins can be enabled, for
example to detect port scans or subnet flooding
How do we know we are under attack?
• CPU utilisation, disk activity, user logins,
file activity
• Protocol validation by comparing analysed
traffic with the RFCs
• DoS (some applications crashing)
Removing unneeded services: disable them with
chkconfig servicename off
(deleting the script from /etc/rc.d/init.d with rm -f servicename
also works, but chkconfig is reversible)
Access Controls
• Set a BIOS password
• Set a GRUB boot-loader password through the following
steps
a. Create a password hash by issuing the command
/sbin/grub-md5-crypt
b. Edit /boot/grub/grub.conf to add the following line after the
timeout line
password --md5 <generated md5 hash>
• Do not allow booting into single-user mode without the root
password. Edit /etc/inittab and
add the following line after id:3:initdefault:
~~:S:wait:/sbin/sulogin
• Create a custom banner message in /etc/issue
and /etc/issue.net
Example banner message: UNAUTHORISED
ACCESS IS PROHIBITED
• Choose passwords that are hard to guess.
Set password parameters (PASS_MAX_DAYS, PASS_MIN_DAYS,
PASS_MIN_LEN etc.) in /etc/login.defs
• Disable CTRL+ALT+DEL by commenting out the line
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
in /etc/inittab
• Edit /etc/profile and set TMOUT=3600, then mark it
readonly so users cannot unset it.
This will automatically time out an idle bash shell
after 3600 seconds
• Restrict root login to only one tty and one
vc. Edit /etc/securetty to comment out the
lines tty2 to tty11 and vc/2 to vc/11
• Delete unnecessary system users and
groups from /etc/passwd and /etc/group
userdel <username>
groupdel <groupname>
• Following are some system users and
groups that can be deleted (check first that no
installed service depends on them)
• Users: lp, sync, shutdown, halt, news,
gopher, operator, games, mail, uucp, ftp
• Groups: lp, games, uucp, x
• Change the default shell for users bin,
daemon, rpm, vcsa, nobody to /sbin/nologin (or /dev/null)
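The account and password-ageing items above as one added, runnable audit script; this is example code written for this page, not part of the original slides. It reads copies of /etc/passwd and /etc/login.defs that you point it at (so it also runs offline against the constructed samples embedded below); the UID cut-off of 500 and the ageing thresholds are assumptions matching Red Hat defaults of that era.

```shell
#!/bin/sh
# Added example, not part of the original slides. Audits the account and
# password-policy items above against copies of /etc/passwd and /etc/login.defs.
# UID cut-off 500 (Red Hat of that era) and the ageing thresholds are assumptions.

# Constructed sample files for offline use; on a real host pass /etc/passwd and /etc/login.defs.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
games:x:12:100:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/dev/null
ram:x:500:500:Ram:/home/ram:/bin/bash'

SAMPLE_LOGIN_DEFS='# /etc/login.defs (constructed excerpt)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7'

# List system accounts (UID below $2, default 500) other than root that still
# have an interactive shell, i.e. candidates for /sbin/nologin or userdel.
system_accounts_with_shell() {
    awk -F: -v max="${2:-500}" '
        $3 + 0 < max + 0 && $1 != "root" && $7 !~ /(nologin|false|\/dev\/null)$/ { print $1 ":" $7 }
    ' "$1"
}

# Report password-ageing settings weaker than the thresholds ($2 = max days, $3 = min length).
# The exit status is the number of findings, so it can drive a cron alert.
audit_login_defs() {
    awk -v maxdays="${2:-90}" -v minlen="${3:-8}" '
        /^PASS_MAX_DAYS/ { seen_max = 1; if ($2 + 0 > maxdays + 0) { print "PASS_MAX_DAYS " $2 " (want <= " maxdays ")"; bad++ } }
        /^PASS_MIN_LEN/  { seen_min = 1; if ($2 + 0 < minlen + 0)  { print "PASS_MIN_LEN "  $2 " (want >= " minlen ")";  bad++ } }
        END {
            if (!seen_max) { print "PASS_MAX_DAYS unset"; bad++ }
            if (!seen_min) { print "PASS_MIN_LEN unset";  bad++ }
            exit bad
        }' "$1"
}

# Stand-alone run against the constructed samples.
demo_tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD"     > "$demo_tmp/passwd"
printf '%s\n' "$SAMPLE_LOGIN_DEFS" > "$demo_tmp/login.defs"
echo "System accounts with a login shell:"
system_accounts_with_shell "$demo_tmp/passwd"
echo "Weak password-ageing settings:"
audit_login_defs "$demo_tmp/login.defs" || true
rm -rf "$demo_tmp"
```

On a live host run `system_accounts_with_shell /etc/passwd` and `audit_login_defs /etc/login.defs 90 8` as root; the accounts it lists are the ones to give /sbin/nologin or to remove with userdel.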
File System Security
• Set the UMASK in /etc/profile to 033 (umask 033)
• Find world-writable files and change the
permission if world-writable permission is not
required
find / -xdev -type f -perm -0002 -print
chmod <permissions> <filename>
• Find hidden files and directories
find / -xdev -name '..' -print
find / -xdev -name '.*' -print | cat -v
• Carefully check the files and keep a list of the
default hidden files for later use as a regular
audit reference. If any of the files are not
required, remove them by
rm -rf <file name>
• If a world-writable directory is required, set
the sticky bit so that users can delete only their own files in it
(the sticky bit has no effect on ordinary files on Linux)
chmod +t <directory name>
• Find the executables with the SUID or
SGID bit set and keep track of what they
are so that the administrator is aware of any
changes.
find / -xdev -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
• Mount removable media with the nosuid and nodev
options
• Edit /etc/fstab to
mount /boot with the nodev and read-only options
LABEL=/boot /boot ext3 nodev,ro......
• Mount CD-ROM and floppy with the nosuid and nodev
options
/dev/cdrom /mnt/cdrom udf,iso9660
nosuid,nodev,noauto,.......
/dev/fd0 /mnt/floppy auto
nosuid,nodev,noauto,......
• Find files with no owner or no group; list them first and
remove only after review. The parentheses matter: without
them the -o makes -exec apply only to the -nogroup branch
find / -xdev \( -nouser -o -nogroup \) -print
find / -xdev \( -nouser -o -nogroup \) -exec rm -rf {} \;
• Use nosuid on partitions (defined in
/etc/fstab) that are user-writable
• Keep track of all the SUID/SGID files
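The file-system checks above (and the time-stamp checks in the incident-handling section later on) collected into one added runnable example; this is example code for this page, not code from the slides. It builds a constructed directory tree containing one file of each kind the audit looks for and runs the corresponding find(1) expressions against it, so it can be tried as an unprivileged user without touching the real root file system. Files with no owner cannot be created without root, so that check is defined but not exercised by the demo.

```shell
#!/bin/sh
# Added example, not from the original slides: file-system audit helpers built
# on the find(1) expressions above, plus a constructed tree to run them against.
# Point the functions at / (as root) on a real host; -xdev keeps find on one file system.

# Build a constructed throwaway tree under $1 containing one file of each kind.
make_demo_tree() {
    umask 022                                   # so only the explicit chmod makes a file world-writable
    mkdir -p "$1/bin" "$1/home/user/.hidden_dir"
    : > "$1/home/user/notes.txt"                 # ordinary 644 file
    : > "$1/home/user/.ssh_copy"                 # hidden file
    : > "$1/tmp_world_writable"; chmod 666 "$1/tmp_world_writable"
    : > "$1/bin/suid_tool";       chmod 4755 "$1/bin/suid_tool"
    : > "$1/bin/sgid_tool";       chmod 2755 "$1/bin/sgid_tool"
}

# World-writable regular files: the "other" write bit (0002) is set.
find_world_writable() { find "$1" -xdev -type f -perm -0002 -print | sort; }

# SUID (4000) or SGID (2000) executables; note the escaped parentheses around the -o.
find_setid() { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort; }

# Hidden files and directories (names starting with a dot), as in find / -name '.*'.
find_hidden() { find "$1" -xdev -name '.*' ! -name '.' ! -name '..' -print | sort; }

# Files modified within the last $2 minutes: the incident-handling "what changed recently" question.
find_recent() { find "$1" -xdev -type f -mmin "-$2" -print | sort; }

# Files whose owner or group no longer exists; list first, delete only after review.
# (Creating such files needs root, so the demo tree contains none.)
find_orphaned() { find "$1" -xdev \( -nouser -o -nogroup \) -print | sort; }

# Stand-alone run against the constructed tree.
demo=$(mktemp -d)
make_demo_tree "$demo"
echo "world-writable:";  find_world_writable "$demo"
echo "setuid/setgid:";   find_setid "$demo"
echo "hidden:";          find_hidden "$demo"
echo "modified in the last 10 minutes:"; find_recent "$demo" 10
rm -rf "$demo"
```

Run the functions against / as root on a real system and keep the sorted output of find_setid under version control or in the integrity baseline: a new line in that list after a patch or an incident is exactly the change the slide says the administrator must be aware of.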
Cryptographic File System (CFS),
Transparent Cryptographic File
System (TCFS); loopback encryption example:
insmod loop.o
/etc/fstab entry:
/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0
dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
losetup -e xor /dev/loop0 /etc/cryptfile
mkfs -t ext2 /dev/loop0
mount -t ext2 /dev/loop0 /mnt/crypt
umount /dev/loop0
losetup -d /dev/loop0
Caveat: the xor "cipher" of losetup only XORs the data with the passphrase
and gives no real protection; use a real cipher (cryptoloop with -e aes, or
dm-crypt/cryptsetup on current kernels)
Change the permissions of the
following files
chmod 644 /etc/passwd (it must stay world-readable: ls, login and most
services resolve user names through it; 600 breaks them)
chmod 600 /etc/shadow
chmod 100 /bin/rpm
chmod 100 /bin/tar
chmod 100 /bin/gzip
chmod 100 /bin/ping
chmod 100 /bin/gunzip
chmod 100 /bin/mount
chmod 100 /bin/umount
chmod 100 /usr/bin/gzip
chmod 100 /usr/bin/gunzip
chmod 100 /usr/bin/who
chmod 100 /usr/bin/lastb
chmod 100 /usr/bin/last
chmod 100 /usr/bin/lastlog
chmod 100 /sbin/arping
chmod 100 /usr/sbin/arping
chmod 100 /usr/sbin/usernetctl
chmod 100 /usr/sbin/traceroute
chmod 400 /etc/syslog.conf
chmod 400 /etc/hosts.allow
chmod 400 /etc/hosts.deny
chmod 400 /etc/sysconfig/syslog
chmod 644 /var/log/wtmp
chmod 644 /var/log/utmp
Note: mode 100 (--x------) also strips the SUID bit from ping, mount and
umount, so only root can run them; that is the intent, but check that
nothing else on the host depends on them.
Change the attributes of the
following files (chattr +i makes them immutable; even root must run
chattr -i before editing them, adding users or changing passwords)
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chattr +i /etc/group
chattr +i /etc/services
chattr +i /etc/login.defs
chattr +i /etc/init.d/
chattr +i /etc/inittab
chattr +i /etc/fstab
chattr +i /usr/bin/who
chattr +i /usr/bin/lastb
chattr +i /usr/bin/last
chattr +i /usr/bin/lastlog
chattr +i /etc/syslog.conf
chattr +i /etc/sysconfig/syslog
Set resource limits instead of allowing unlimited
usage. Control the per-user
limits using the resource-limits file
/etc/security/limits.conf and the pam_limits PAM module.
For example, limits for group 'users' might
look like this:
@users hard core 5000
@users hard nproc 50
@users hard rss 5000
This limits the size of core files (to 5000 KB),
restricts the number of processes to 50,
and restricts resident memory per process to 5
MB (note that the rss limit is not enforced by Linux 2.6 and
later kernels; use "as" for a hard limit on address space instead)
Incident Handling
# Look for changes in permissions
-- World-writable files
# find / -xdev -type f -perm -0002 -print
-- Find SUID root files
# find / -xdev -type f -perm -04000 -ls
-- Find SGID files
# find / -xdev -type f -perm -02000 -ls
-- Time stamps
# Find files accessed or modified in the last day, hour etc.
# find / -xdev -atime -1 ; find / -xdev -mmin -60
# ls -lautR
# Check for promiscuous mode
-- ifconfig -a (look for PROMISC in the flags)
# Check for new users
-- /etc/passwd
# Find the list of open ports
-- nmap scan (from another host)
-- netstat -l (netstat -ltunp, locally)
# Current processes
-- ps aux
# System calls made by an executable (trojaned binaries)
-- ltrace, strace, truss
# Check traffic in and out
-- Ethereal, tcpdump etc.
# Examine suspicious binaries
-- strings
Incident Handling
# Presence of rootkits / malicious code
-- chkrootkit
# Detect changed system files
-- Tripwire
Note: on a compromised host, netstat, ps, ls and ifconfig may themselves
be trojaned; run known-good static binaries from read-only media and
confirm the open-port list with an external nmap scan.
The Coroner's Toolkit (TCT)
# TCT is a collection of tools written with the
specific goal of gathering or analysing
forensic information on a Un*x machine
# Four major parts of TCT:
-- grave-robber
-- the C tools (ils, icat, pcat, file, etc.)
-- unrm & lazarus
-- mactime
grave-robber -v /
# Automated way of collecting forensic info
# Gathers, in order of volatility:
-- Memory
-- Unallocated file system
-- netstat, route, arp, etc.
-- ps/lsof, capture all process data
-- stat & MD5 on all files, strings on directories
-- Config, log, interesting files (cron, at, etc.)
grave-robber
# data-capturing tool at the heart of TCT
# runs various commands and records the
output
# captures by order of volatility
# most effectively used when run as root
over an entire file system
# pcat: Process CAT (copies a running process's memory)
# ils: Inode LS (lists inodes, including deleted ones)
# icat: Inode CAT (copies the file behind a given inode)
# shell commands
Incident Handling: DoS
# SYN attack
-- monitor the number of TCP connections in the
SYN_RCVD state (Linux netstat calls it SYN_RECV)
-- netstat -an -f inet | grep SYN_RCVD | wc -l      (Solaris/BSD)
-- netstat -ant | grep SYN_RECV | wc -l             (Linux)
# Watch the value of the tcpHalfOpenDrop
counter (Solaris)
-- netstat -s -P tcp | grep tcpHalfOpenDrop
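The SYN-flood check above as an added, runnable example (example code for this page, not from the slides): it counts half-open connections in netstat output and lists the source addresses responsible, which is what you need in order to rate-limit or block them. The sample netstat output and the threshold are constructed for the demo; feed it live with `netstat -ant | count_syn_recv`.

```shell
#!/bin/sh
# Added example, not from the original slides: detect a SYN flood from the
# half-open (SYN_RECV / SYN_RCVD) entries in netstat output. Feed it live with
#   netstat -ant | count_syn_recv        (Linux; Solaris: netstat -an -f inet)
# The threshold and the sample output below are constructed for the demo.

# Constructed netstat -ant output: three half-open connections from one source, one from another.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40213      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40214      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40215      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51002       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.44:33921        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.45:33922        TIME_WAIT'

# Number of half-open connections in netstat output read from stdin
# (the state is the last field on Linux, Solaris and BSD netstat alike).
count_syn_recv() {
    awk '$NF == "SYN_RECV" || $NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# Top $1 (default 5) source addresses of half-open connections, "count address" per line.
# The port is stripped from the end of the foreign address (":port" on Linux, ".port" on
# Solaris/BSD), which also keeps IPv6 addresses intact.
syn_sources() {
    awk '$NF == "SYN_RECV" || $NF == "SYN_RCVD" {
             addr = $5; sub(/[:.][0-9]+$/, "", addr); c[addr]++
         }
         END { for (a in c) print c[a], a }' | sort -rn | head -n "${1:-5}"
}

# Exit 0 (true) when the half-open count on stdin exceeds the threshold $1.
syn_flood_suspected() {
    n=$(count_syn_recv)
    [ "$n" -gt "$1" ]
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sources 3
if printf '%s\n' "$SAMPLE_NETSTAT" | syn_flood_suspected 3; then
    echo "SYN flood suspected: enable tcp_syncookies, raise tcp_max_syn_backlog, rate-limit the top sources"
fi
```

A threshold of a few dozen half-open connections is normal on a busy web server; pick it from a baseline taken during normal load, and treat a single source holding most of them as the stronger signal than the raw count.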
Syslog and syslog-ng
The advantages of syslog-ng over syslog are:
# ability to transport syslog messages over TCP (reliable, unlike UDP syslog)
# filtering based on message contents
# logging of the complete chain of forwarding
loghosts
(unlike regular syslog, which only records the
name of the last hop)
# support for digital signatures and encryption
# can be run in a chrooted environment
Kernel Security
• Set the following kernel parameters (1 turns a
setting on, 0 turns it off; SYN cookies and
ignoring bogus ICMP errors must be on)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
Add the following to /etc/sysctl.conf so that the
settings survive a reboot:
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
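A compliance check for the kernel settings above, added here as example code (not from the slides): it reads a `sysctl -a` dump and reports every value that differs from the hardening table. The expected table is taken from the settings above with net.ipv4.ip_forward added as the host-wide counterpart of the per-interface forwarding line; the sample dump is constructed and deliberately has SYN cookies off, ICMP redirects accepted and ip_forward missing.

```shell
#!/bin/sh
# Added example, not from the original slides: compare a sysctl -a dump with the
# hardening values above (tcp_syncookies and icmp_ignore_bogus_error_responses
# are 1 = on; writing 0 to them would switch the protection off). Run live with
#   sysctl -a 2>/dev/null | audit_sysctl
# The expected table and the sample dump are constructed for this demo.

EXPECTED_SYSCTL='net.ipv4.tcp_syncookies 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.ip_forward 0'

# Constructed "sysctl -a" excerpt: SYN cookies off, ICMP redirects accepted, ip_forward absent.
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.hostname = host1'

# Read "key = value" lines on stdin, print one line per deviation from
# EXPECTED_SYSCTL, and return the number of deviations (0 = compliant).
audit_sysctl() {
    want=$(mktemp)
    printf '%s\n' "$EXPECTED_SYSCTL" > "$want"
    awk '
        NR == FNR { if (NF == 2) want[$1] = $2; next }     # first input: expected table
        /=/ {                                              # second input: the live dump
            sub(/[ \t]*=[ \t]*/, " ")                      # "key = value" -> "key value"
            if ($1 in want) have[$1] = $2
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have))            { printf "MISSING  %s (want %s)\n", k, want[k]; bad++ }
                else if (have[k] != want[k]) { printf "MISMATCH %s = %s (want %s)\n", k, have[k], want[k]; bad++ }
            }
            exit bad
        }' "$want" -
    rc=$?
    rm -f "$want"
    return $rc
}

# Stand-alone run against the constructed dump.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "$? setting(s) need fixing"
```

Run it from cron after every kernel or network-script change: a setting that silently reverts (a distribution package rewriting /etc/sysctl.conf, an interface coming up with its own defaults) shows up as a MISMATCH line the next morning.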
Log Security
• Add an entry in /etc/hosts for the central syslog server. The entry
could be
<ip address> loghost
• Change the default /etc/syslog.conf to the following (a selector
"facility.level" matches that level and everything more severe;
selector and action are separated by tabs)
*.debug	/var/log/messages
kern.debug	/var/log/kernel.log
user.debug	/var/log/user.log
mail.debug	/var/log/mail.log
daemon.info	/var/log/daemon.log
auth.info	/var/log/auth.log
authpriv.debug	/var/log/authpriv.log
local2.notice	/var/log/sudo.log
syslog.debug	/var/log/syslog.log
*.*	@loghost
Note: @loghost forwards over UDP port 514 in clear text without
authentication; allow it only to the loghost in the firewall, or use
syslog-ng over TCP.
• Create the btmp file (failed-login records) in /var/log, readable
by root only, since it can contain mistyped passwords
touch /var/log/btmp
chmod 600 /var/log/btmp
• Turn on process accounting
accton /var/log/pacct
Firewalls
• Packet filtering
• Proxy firewall
• Application gateway (screened-host
firewall)
iptables command options
There are three built-in tables in the Linux kernel's
netfilter, and each has built-in chains. The
iptables command is used to configure these
tables.
1. filter - the table used for packet filtering (the accept/drop
decisions). This is the default table, assumed by
iptables if the -t parameter is not specified.
INPUT - network packets destined for the server.
OUTPUT - network packets that originate on the server.
FORWARD - network packets routed through the server.
2. nat - the table used for NAT. NAT
is a method of translating internal IP
addresses to external IP addresses.
PREROUTING - network packets that can be altered when they arrive at the server (DNAT).
OUTPUT - locally generated packets, before routing.
POSTROUTING - network packets that can be altered right before they are sent out (SNAT/MASQUERADE).
3. mangle - the table used for altering packet headers (TOS, TTL, marks).
INPUT - network packets destined for the server.
OUTPUT - network packets that originate on the server.
FORWARD - network packets routed through the server.
PREROUTING - network packets that can be altered when they arrive at the server.
POSTROUTING - network packets that can be altered right before they are sent out.
Commands tell iptables to perform a specific
action, and only one command is allowed per
iptables invocation. Except for the help
command, all commands are written in
uppercase characters (-A, -D, -I, -P, -L, -F)
iptables Firewall
• The network firewall security policy defines the
access, or level of access, to the different
services and applications. The two ways to
structure firewall rules are:
• Everything not specifically denied is permitted
• Everything not specifically permitted is denied
• Set the firewall policy to drop all packets, as
defined in the second method
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
• Now, depending upon the firewall policy, the
administrator can define firewall rule sets
to explicitly grant access to only permitted
services or applications.
Allowing www
iptables -A INPUT -p tcp --dport www -j ACCEPT
This command appends a rule to the filter table, since no table is given with -t.
The rule is appended to the INPUT chain in the filter table, as noted by INPUT
after -A. This rule looks for packets where the protocol is tcp and the destination
port is the www service, i.e. port 80 as listed in /etc/services. The target for this rule
is to let the packet pass through to its destination, which is accomplished by
sending the packet to the ACCEPT target.
Forwarding
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
The line above appends (-A) a new rule to the FORWARD chain of the filter
table, matching packets from the outside interface out to the
internal interface whose connection-tracking state is either a previously
established connection or a related connection. As long as the
default policy for the FORWARD chain is to DROP packets, a new
connection from the outside will not match this rule and will be
dropped. (On current kernels, -m conntrack --ctstate is the equivalent of -m state --state.)
Doing masquerading (NAT)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
or, where x.x.x.x is a valid static IP address on the external interface:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x
• The first example matches all traffic going out on
the external interface. The target is MASQUERADE,
which is used to do NAT on interfaces with dynamic IP
addresses, such as a ppp0 (dial-up) interface; SNAT is
for an interface with a fixed address.
iptables is configured to allow the firewall to send ICMP echo-requests (pings) and,
in turn, accept the expected ICMP echo-replies:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Rules that allow telnet inside the network (the private range 192.168.0.0/16;
without the netmask the rule would match only the single host 192.168.0.0),
but not outside:
iptables -A OUTPUT -p tcp --destination-port telnet -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port telnet ! -d 192.168.0.0/16 -j REJECT
Note that with the OUTPUT policy set to DROP, replies to accepted INPUT
connections also need an OUTPUT rule
(iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT), and
loopback traffic must be allowed (-i lo / -o lo), or local services break.
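The default-deny policy and the rules above assembled into one ruleset, as an added example (example code for this page, not from the slides). It emits the rules in iptables-restore format, which the kernel loads atomically, so there is no window in which the policy is already DROP but the ACCEPT rules are not yet in place. The interface names and the internal network are parameters whose defaults (ppp0, eth0, 192.168.0.0/16) are assumptions; the loopback and ESTABLISHED,RELATED rules are added because with INPUT and OUTPUT at DROP nothing works without them.

```shell
#!/bin/sh
# Added example, not from the original slides: the default-deny policy and the
# rules above assembled into one iptables-restore ruleset, which the kernel loads
# atomically (no window where the policy is DROP but the ACCEPT rules are missing).
# Interface names and the internal network are parameters; the defaults are assumptions.

# default_deny_ruleset EXT_IF INT_IF INTERNAL_NET  -> ruleset on stdout
default_deny_ruleset() {
    ext=${1:-ppp0}; int=${2:-eth0}; lan=${3:-192.168.0.0/16}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies belonging to conversations we already allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allowing www (port 80 as listed in /etc/services)
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# the firewall may ping out and receive the echo replies
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# telnet to the internal network only; anywhere else is rejected
-A OUTPUT -p tcp --dport 23 -d $lan -j ACCEPT
-A OUTPUT -p tcp --dport 23 ! -d $lan -j REJECT
# forwarding: the LAN may go out, only replies come back in
-A FORWARD -i $int -o $ext -j ACCEPT
-A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerading for a dynamic address on the external interface
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# Load the generated ruleset (root only). Save the current one first
# (iptables-save > backup) so it can be put back if you lock yourself out.
apply_ruleset() {
    default_deny_ruleset "$@" | iptables-restore
}

# Stand-alone run: print the ruleset for review.
default_deny_ruleset ppp0 eth0 192.168.0.0/16
```

Review the output with `default_deny_ruleset | less` before running apply_ruleset over a remote session: an SSH rule is deliberately absent, so add `-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT` (ideally with `-s` restricted to your management network) before loading it on a host you administer remotely.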
• Integrity checkers: md5sum, sha1sum and Tripwire
• Port scanners: nmap
• Vulnerability assessment: Nessus and SARA
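The host integrity checking described under "Host-based IDS" (Tripwire, AIDE) and in the integrity-checkers line above, as one added example; this is example code for this page, not how Tripwire itself stores or signs its database. A baseline of SHA-256 digests is taken with sha256sum, and a later check reports every file added, deleted or modified since. The file names in the stand-alone run are constructed. Keep the real baseline on read-only media: an intruder with root can rewrite a baseline kept on the host, which is exactly why Tripwire signs its database.

```shell
#!/bin/sh
# Added example, not from the original slides: a minimal Tripwire-style integrity
# check with sha256sum. The baseline is plain sha256sum output ("digest  path").
# File names used in the demo run are constructed; keep the real baseline off the host.

# Print "digest  path" for every regular file under $1, sorted by path.
# (Paths containing whitespace would confuse the awk field split below.)
hash_tree() {
    find "$1" -xdev -type f -print | sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# baseline_create DIR BASELINE_FILE  (write the baseline somewhere outside DIR)
baseline_create() { hash_tree "$1" > "$2"; }

# baseline_check DIR BASELINE_FILE: print ADDED/DELETED/MODIFIED lines,
# return 0 when nothing changed and 1 otherwise (so cron can mail on failure).
# The baseline must be non-empty, or awk's two-file idiom below reads all input as baseline.
baseline_check() {
    changes=$(hash_tree "$1" | awk '
        NR == FNR { base[$2] = $1; next }                 # first input: the baseline
        {                                                 # second input: current digests
            if (!($2 in base))        print "ADDED    " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "DELETED  " p }
    ' "$2" - | sort)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone demo on a constructed tree: take a baseline, tamper, re-check.
demo=$(mktemp -d); base=$(mktemp)
mkdir -p "$demo/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
printf 'tty1\n' > "$demo/etc/securetty"
baseline_create "$demo" "$base"
printf 'hacker:x:0:0::/:/bin/bash\n' >> "$demo/etc/passwd"   # a second UID-0 account
: > "$demo/etc/ld.so.preload"                                 # new file (a classic rootkit hook)
rm "$demo/etc/securetty"                                      # removed file
baseline_check "$demo" "$base" || echo "integrity check FAILED"
rm -rf "$demo" "$base"
```

For a real host, baseline /etc, /bin, /sbin, /usr/bin, /usr/sbin and /lib right after installation and after each patch run, and re-baseline only after you have explained every reported line; a MODIFIED entry for a binary you did not update is the trojaned-binary case the incident-handling section warns about.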
Important Files/commands
basesystem, glib, libuser, rpmdb-redhat
bash, glib2, losetup, sed
beecrypt, glibc, lvm, setup
bzip2, glibc-common, MAKEDEV, setuptool
bzip2-libs, gpm, mingetty, shadow-utils
chkconfig, grep, mkinitrd, slang
comps-3ES, grub, mktemp, slocate
coreutils, gzip, modutils, sysklogd
cracklib, hwdata, mount, SysVinit
cracklib-dicts, info, ncurses, tar
Important Files/commands - cont
crontabs, initscripts, netconfig, termcap
cyrus-sasl, iproute, net-tools, tmpwatch
cyrus-sasl-md5, iptables, newt, tzdata
db4, iputils, openldap, usermode
dev, kbd, openssl, util-linux
devlabel, kernel, pam, vim-common
diffutils, kernel-utils, passwd, vim-minimal
e2fsprogs, krb5-libs, patch, which
elfutils-libelf, kudzu, pcre, words
ethtool, less, popt, zlib
file, libacl, procps
filesystem, libattr, psmisc
findutils, libgcc, readline
gawk, libstdc++, rootfiles
gdbm, libtermcap, rpm
Xlock & vlock
If you wander away from your machine from time to time, it is nice to be
able to "lock" your console so that no one tampers with or looks at
your work. Two programs that do this are: xlock and vlock.
Xlock is a X display locker. It should be included in any Linux
distributions that support X. Check out the man page for it for more
options, but in general you can run xlock from any xterm on your
console and it will lock the display and require your password to
unlock.
vlock is a simple little program that allows you to lock some or all of the
virtual consoles on your Linux box. You can lock just the one you are
working in or all of them. If you just lock one, others can come in and
use the console, they will just not be able to use your virtual TTY
until you unlock it. vlock ships with Red Hat Linux, but your mileage
may vary.
Of course locking your console will prevent someone from tampering
with your work, but does not prevent them from rebooting your
machine or otherwise disrupting your work. It also does not prevent
them from accessing your machine from another machine on the
network and causing problems.
Some Linux Tools useful for
Penetration Testing
Nessus www.nessus.org
The premier Open Source vulnerability
assessment tool
Nessus is a remote security scanner
for Windows, Linux, BSD, Solaris, and other
Unices. It is plug-in-based, has a GTK interface,
and performs over 1200 remote security checks.
It allows for reports to be generated in HTML,
XML, LaTeX, and ASCII text, and suggests
solutions for security problems
Hping www.hping.org
A network probing utility like ping on steroids
hping3 assembles and sends custom
ICMP/UDP/TCP packets and displays any
replies. It was inspired by the ping command,
but offers far more control over the probes sent.
It also has a handy traceroute mode and
supports IP fragmentation. This tool is
particularly useful when trying to
traceroute/ping/probe hosts behind a firewall
that blocks attempts using the standard utilities.
Dsniff
http://naughty.monkey.org/~dugsong/dsniff/
A suite of powerful network auditing and penetration-testing
tools
This popular and well-engineered suite by Dug Song
includes many tools. dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy passively monitor a
network for interesting data (passwords, e-mail, files,
etc.). arpspoof, dnsspoof, and macof facilitate the
interception of network traffic normally unavailable to an
attacker (e.g, due to layer-2 switching). sshmitm and
webmitm implement active monkey-in-the-middle attacks
against redirected SSH and HTTPS sessions by
exploiting weak bindings in ad-hoc PKI. A separately
maintained partial Windows port is also available.
LANGuard
A commercial network security scanner for
Windows
LANguard scans networks and reports
information such as service pack level of each
machine, missing security patches, open shares,
open ports, services/applications active on the
computer, key registry entries, weak passwords,
users and groups, and more. Scan results are
outputted to an HTML report, which can be
customised/queried. Apparently a limited free
version is available for non-commercial/trial use.
SamSpade
http://www.samspade.org/ssw/
SamSpade provides a consistent GUI and
implementation for many handy network query
tasks. It was designed with tracking down
spammers in mind, but can be useful for many
other network exploration, administration, and
security tasks. It includes tools such as ping,
nslookup, whois, dig, traceroute, finger, raw
HTTP web browser, DNS zone transfer, SMTP
relay check, website search, and more. Non-Windows users can enjoy online versions of
many of their tools.
SAINT
http://www.saintcorporation.com/saint/
Security Administrator's Integrated Network
Tool
SAINT is another commercial vulnerability
assessment tool (like ISS Internet Scanner
or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on
UNIX. SAINT used to be free and open
source, but is now a commercial product.
Firewalk
http://www.packetfactory.net/projects/firewalk/
Firewalk employs traceroute-like techniques
to analyze IP packet responses to
determine gateway ACL filters and map
networks. This classic tool was rewritten
from scratch in October 2002. Note that
much or all of this functionality can also be
performed by the Hping2 --traceroute
option.
Amap
http://www.thc.org/releases.php
Amap (by THC) is a new but powerful
scanner (finger printing) which probes
each port to identify applications and
services rather than relying on static port
mapping.
Fragroute: IDS systems' worst nightmare
http://www.monkey.org/~dugsong/fragroute/
Fragroute intercepts, modifies, and rewrites egress traffic,
implementing most of the attacks described in the
Secure Networks IDS Evasion paper. It features a simple
ruleset language to delay, duplicate, drop, fragment,
overlap, print, reorder, segment, source-route, or
otherwise monkey with all outbound packets destined for
a target host, with minimal support for randomized or
probabilistic behaviour. This tool was written in good faith
to aid in the testing of intrusion detection systems,
firewalls, and basic TCP/IP stack behaviour. Like Dsniff,
and Libdnet, this excellent tool was written by Dug Song.
nmap
http://www.insecure.org
A popular tool for port scanning and
OS fingerprinting
Kernel-based intrusion detection
(LIDS)
• Restricting even root users
• Preventing changes to iptables/ipchains rules
• Preventing direct port and memory access
Security Enhanced Linux (SELinux)
CERT-IN
• Charter
"The purpose of the CERT-In is, to become the nation's
most trusted referral agency of the Indian Community for
responding to computer security incidents as and when
they occur ; the CERT-In will also assist members of the
Indian Community in implementing proactive measures
to reduce the risks of computer security incidents."
• Mission
"To enhance the security of India's Communications and
Information Infrastructure through proactive action and
effective collaboration."
CERT-In mission: Alert - Advise - Assurance
National Information Security
Assessment Program (NISAP)
• Mandatory compliance requirement
• Mandatory compliance efforts- ISMS
standards
• Mandatory compliance verification
• Mandatory compliance reporting – to
CERT-In
ADVISORY COMMITTEE
1. Shri M. Madhavan Nambiar, Additional Secretary, Department of Information Technology - Chairman
2. Shri Ajeer Vidya, Joint Secretary & Financial Adviser, Department of Information Technology - Member
3. Prof. N. Balakrishnan, Chairman, Division of Information Sciences, Indian Institute of Science - Member
4. Dr. B. K. Gairola, Deputy Director General, National Informatics Centre - Member
5. Dr. Gulshan Rai, Director, Indian Computer Emergency Response Team - Member Secretary
AUTHORITY
• The CERT-In operates under the auspices of,
and with authority delegated by, the Department
of Information Technology, Ministry of
Communications & Information Technology,
Government of India.
• The CERT-In shall work cooperatively with
information officers and system administrators of
various sectoral and organisational networks of
its constituency.
VULNERABILITY NOTES
• CERT-In Vulnerability Note CIVN-2007-07
(31 January, 2007)
Microsoft Word Unspecified String Handling Memory
Corruption Vulnerability
• CERT-In Vulnerability Note CIVN-2007-06
(29th January, 2007)
Linux-PAM Login Bypass Security Vulnerability
• CERT-In Vulnerability Note CIVN-2007-05
(18th January, 2007)
Sun Java JRE GIF Image Processing Buffer Overflow
Vulnerability
• CERT-In Vulnerability Note CIVN-2007-04
(11th January, 2007)
Microsoft Windows Vector Markup Language Code
Execution Vulnerability
• CERT-In Vulnerability Note CIVN-2007-03
(11th January, 2007)
Remote Code Execution and Denial of Service
Vulnerabilities in Microsoft Outlook
• CERT-In Vulnerability Note CIVN-2007-02
(11th January, 2007)
Microsoft Excel Malformed Column Record, Palette
Record, IMDATA Record and String Vulnerabilities
• CERT-In Vulnerability Note CIVN-2007-01
(5th January, 2007)
OpenOffice Integer and Buffer Overflow Vulnerabilities
cert-in.org.in
Indian Computer Emergency Response
Team (CERT-In)
Ministry of Communications and
Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
What people are using in India
• Content filtering 39%
• Keyword monitoring 28%
• Data leak detection and prevention 25%
• IDS 23%
• Packet filtering 15%
• Digital rights management software 9%
IT Act 2000
• Section III - Certifying Authorities
• Public Key Infrastructure (PKI)
CERT-In Vulnerability Note CIVN-2007-06
Linux-PAM Login Bypass Security Vulnerability
Original Issue Date: January 29, 2007
Severity Rating: High
Systems Affected
Linux-PAM 0.x
Overview
A vulnerability has been reported in Linux-PAM which could be exploited by remote
attackers to compromise a vulnerable system.
Description
A vulnerability has been reported in Linux-PAM due to an error within the
"_unix_verify_password()" function in modules/pam_unix/support.c while handling
passwords with a hash of "!!" or similar in "/etc/shadow" or "/etc/passwd"
(such a hash marks a locked or never-set password).
Solution
Upgrade to Linux-PAM version 0.99.7.1
ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library
CERT-In Advisory CIAD-2007-05
Multiple Vulnerabilities in Xorg, XFree86 and Kerberos
Original issue date: January 16, 2007
Severity Rating: Medium
Systems Affected
X.Org X11 version 7.1 and prior
XFree86 version 4.6.99.15 and prior
MIT Kerberos V5 versions 1.4 through 1.4.4
MIT Kerberos V5 versions 1.5 through 1.5.1
Overview
Multiple vulnerabilities have been reported in X.Org/XFree86 and MIT Kerberos which could be exploited by attackers to execute commands on the affected
system.
Description
1. X.Org X11 / XFree86 Render and DBE Extensions Multiple
Local Privilege Escalation Vulnerabilities (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103)
Memory corruption errors in the "ProcRenderAddGlyphs()" (Render extension), "ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" (DBE extension)
functions of the X.Org and XFree86 X server could be exploited by a local attacker to execute arbitrary code with "root" privileges
(the X server runs as root) via a specially crafted X protocol request.
2. Kerberos V5 kadmind RPC Library Remote Code Execution
Vulnerability (CVE-2006-6143)
A vulnerability has been reported in the server-side portion of the RPC library used by the Kerberos administration daemon "kadmind", due to its
failure to properly initialise pointers. A remote attacker could exploit the vulnerability by sending crafted packets to the affected system
to execute arbitrary code or cause a denial of service.
3. Kerberos V5 kadmind GSS-API Library Remote Code
Execution Vulnerability (CVE-2006-6144)
A vulnerability has been reported in Kerberos due to a memory-management error in the "mechglue" abstraction interface of the GSS-API
library used by "kadmind". An unauthenticated remote attacker could exploit the vulnerability (the freeing of
uninitialised pointers) to execute arbitrary code on the affected system.
Solution
Apply the appropriate patches suggested by the vendor
Vendor Information
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-003-mechglue.txt
CERT-In Vulnerability Note CIVN-2007-05
Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability
Original Issue Date: January 18, 2007
Severity Rating: High
Systems Affected
Sun JDK version 5.0 Update 9 and prior
Sun JRE version 5.0 Update 9 and prior
Sun SDK version 1.4.2_12 and prior
Sun JRE version 1.4.2_12 and prior
Sun SDK version 1.3.1_18 and prior
Sun JRE version 1.3.1_18 and prior
Overview
A vulnerability has been reported in the Sun Java JRE (Java Runtime Environment) which could be
exploited by remote attackers to compromise a vulnerable system.
Description
A buffer overflow has been reported in the Sun Java Runtime Environment while processing GIF
images with a "width" property set to 0 (zero), which could be exploited by remote attackers to
execute arbitrary commands or to read/write local files on a vulnerable system by enticing a user
to visit a specially crafted web page containing a malicious applet.
Security Testing Standard
• OSSTMM (Open Source Security Testing Methodology Manual):
document download at www.osstmm.org