ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035
Office: Klaus 3362, email or call for office visit, 404 894-5177

Network Security Utilities and Organizations, 3/13/2015

Network Security Utilities

A number of network security utilities have been developed to let a network manager scan a network to look for security holes. Surprisingly, many of these are free. The most versatile for port scanning is “nmap.” Others actually run known exploits against your systems to detect weaknesses (“Saint” and “Satan”). Some should be studied so that you know what crackers can easily do (e.g., dsniff). Metasploit is a framework that allows you to launch scanners (e.g., nmap) from a GUI interface and store the results in a database. It also comes with over a hundred exploits that can be run for “penetration testing.” For intrusion detection, there are some expensive commercial services that come with 24-hour-a-day, 7-day-a-week monitoring (ISS / IBM).

It’s safer to download “free” utilities in source format, and read the C code before you compile and use them. Some of these, like software from Red Hat, come with PGP (or GPG) signatures that you should check. Many developers now provide at least a CRC checksum or secure hash for their original (unaltered) binaries. Note that a CRC only catches accidental corruption, and a hash only proves anything if you obtained it from somewhere the attacker could not also modify (a hash posted next to the download on a compromised site proves nothing); a signature made with a key you have verified out of band is the check to prefer. On the other hand, precompiled binaries for Windows are much easier to install. Many of the applications can be installed by using MacPorts (“sudo port install nmap”) or apt-get (Ubuntu: “sudo apt-get install nmap”).

Tripwire - compares hashes of system files

Tripwire HQ Connector Bundle
The HQ Connector bundle is comprised of Tripwire's award-winning file integrity software, Tripwire version 2.2.1, and a communications agent that allows the software engine to "talk" to the Tripwire HQ Manager. Tripwire provides support for multiple platforms, including Windows NT, Solaris, Linux, HP-UX, IBM-AIX and others.
With the Tripwire HQ Connector bundle, you can unequivocally answer the question: is my data the same today as it was yesterday? This information will help you keep your system in optimal working order and manage any changes - malicious or inadvertent - giving you complete control over data integrity.

Tripwire HQ Manager
HQ Manager is a software console with a graphical user interface that allows you to control hundreds of installations of HQ Connector. Named HQ Manager because it's designed to operate as your information integrity headquarters, this product provides you with the very best way to manage data integrity across an enterprise network from a single, centralized location.

Tripwire 2.2.1 for Linux
With all the same great features as Tripwire 2.2.1 for other operating systems, Tripwire for Linux is available as a free download (without the agent that communicates with HQ Manager). In support of the open source community, Tripwire plans to release an open source version of this product this fall. For more information and future announcements about the open source release, check out www.tripwire.org.

Tripwire Academic Source Release 1.3.1
With only slight changes, the Tripwire Academic Source Release (ASR) version 1.3.1 is the same as the original Tripwire software that was developed in 1992 by Dr. Eugene Spafford and Tripwire CTO Gene Kim. Tripwire offers this version as a free download, but does not provide product support for it.

www.tripwire.com {commercial}
(The text above is Tripwire's own product description from the version 2.2.1 era; the open source release it promises has since appeared at www.tripwire.org.)

Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It will rapidly scan large networks.
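The core of what Tripwire does, as an added example in Python (not Tripwire's code and not from the course slides): take a baseline of SHA-256 digests plus size and permission bits for every regular file under a directory, save it, and later diff a fresh snapshot against it. demo() builds a constructed miniature file tree in a temporary directory, records a baseline, then simulates an intruder (setuid bit added to bin/login, an extra UID-0 line appended to etc/passwd, etc/hosts deleted, tmp/.x added) and returns what compare() reports; the tree and its contents are invented for the example.

```python
"""Tripwire-style file integrity checking against a hashed baseline.

Added example, not Tripwire's code. snapshot() records a SHA-256 digest, size
and permission bits for every regular file under a root; compare() reports what
was added, removed or changed since the baseline was taken. As with Tripwire,
the result is only as trustworthy as the baseline: keep it (and this checker)
on read-only or off-host storage, or an intruder who replaces /bin/login can
update the baseline as well.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

READ_SIZE = 1 << 16


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(READ_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, size, mode} for each regular file under root."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):  # followlinks=False by default
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped here
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # includes setuid/setgid bits
            }
    return entries


def save_baseline(entries, path):
    Path(path).write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify every path as added, removed or modified (content, size or mode)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: a tiny fake system tree, a baseline, then a break-in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        for rel, data in {
            "bin/login": b"#!/bin/sh\nexec /sbin/real-login\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated intruder activity (invented for the example):
        os.chmod(root / "bin/login", 0o4755)            # setuid added, bytes unchanged
        with open(root / "etc/passwd", "ab") as f:      # second UID-0 account
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        (root / "etc/hosts").unlink()                   # file removed
        (root / "tmp").mkdir()
        (root / "tmp/.x").write_bytes(b"rootkit\n")     # file added

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A content hash alone would miss the setuid change on bin/login, which is why the snapshot keeps the mode bits; Tripwire likewise records inode metadata, not only a digest. The comparison should also be run from a trusted binary (for example from a live CD), since an attacker who owns the box can replace the checker itself.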
Official binary packages are available for Linux, Windows, and Mac OS X. Besides the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). http://nmap.org/

Use nmap wisely. Limit the number of ports and IP addresses.

(In the commands below, -P0 is the old spelling of -Pn, skip host discovery and scan even if the host does not answer pings; -sS is a SYN scan, which needs root; -n suppresses reverse DNS lookups; -p gives the port list, and -p- would mean all 65535 ports.)

Scanning every port of a host whose ports are all filtered costs about 10 minutes per host, because nothing answers and each probe has to time out:

    # nmap -P0 -sS -n -p 1-65354 143.215.200.6
    Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-27 08:00 EDT
    Nmap scan report for 143.215.200.6
    Host is up (0.17s latency).
    All 65354 scanned ports on 143.215.200.6 are filtered
    Nmap done: 1 IP address (1 host up) scanned in 604.68 seconds

Scanning about 4000 ports of a host that answers (closed ports send RSTs immediately) takes about 3 seconds per host, roughly 1500 ports per second:

    # nmap -P0 -sS -n -p 1-4000,5900,31337 143.215.139.8
    Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-27 08:12 EDT
    Nmap scan report for 143.215.200.8
    Host is up (0.015s latency).
    Not shown: 3999 closed ports
    PORT     STATE SERVICE
    53/tcp   open  domain
    443/tcp  open  https
    3306/tcp open  mysql
    Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

Use nmap -A wisely. Limit the number of ports and IP addresses.

(-A enables OS detection, version detection, NSE script scanning and traceroute. It sends many more probes per port than a plain SYN scan, so restrict it to ports already found open.)

    sh-3.2# nmap -P0 -sS -n -p 53,443,3306 -A 143.215.200.8
    Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-27 08:18 EDT
    Nmap scan report for 143.215.200.8
    Host is up (0.0018s latency).
    PORT     STATE SERVICE  VERSION
    53/tcp   open  domain?
    443/tcp  open  ssl/http Apache httpd 2.2.8 ((Ubuntu) DAV/2 SVN/1.4.6 mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g)
    | http-methods: Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Site doesn't have a title (text/html).
    | ssl-cert: Subject: commonName=pigeon.csc.gatech.edu/Georgia Tech/...
    | Not valid before: 2008-10-17T02:19:58+00:00
    |_Not valid after:  2010-04-20T02:19:58+00:00
    |_ssl-date: 2013-03-27T12:28:55+00:00; +9m29s from local time.
    3306/tcp open  mysql    MySQL 5.0.51a-3ubuntu5.8-log
    | mysql-info: Protocol: 10
    | Version: 5.0.51a-3ubuntu5.8-log
    | Thread ID: 37158
    | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
    | Status: Autocommit
    |_Salt: @Xyvf|^?bOCDkmd,N#bF
    Warning: OSScan results may be unreliable because we could not find ...
    Aggressive OS guesses: Linux 2.6.8 - 2.6.27 (98%), Linux 2.6.18 - 2.6.32 (97%),
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    Nmap done: 1 IP address (1 host up) scanned in 32.97 seconds

About 30 seconds per host for three ports. Note what the version scan turned up without running a single exploit: an Apache 2.2.8 build from 2008, a TLS certificate that expired in April 2010 (the scan ran in March 2013), the TRACE method enabled, a MySQL server reachable from the scanner's network, and a server clock about 9.5 minutes off.

Nessus

The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port - that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Test the security of your local network with the free “Home Feed”. http://www.tenable.com/ {commercial: Tenable Network Security}

dsniff

Overview
I [Dug Song] wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols. Please do not abuse this software.

Description
arpredirect: intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch.
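Back to the nmap -A output a few lines up. Version detection already gives a reviewer several things to act on before any exploit is attempted, and with more than a handful of hosts you want that review automated. The following is an added Python example (not part of nmap or the slides) that parses nmap's normal output, the same text the slide shows, into host, ports and per-port NSE script lines, and then applies a few checks: a service nmap could not fingerprint (domain?), risky HTTP methods, a certificate already expired at scan time (judged against the target's own ssl-date clock), and a database listener reachable from the scanner. SAMPLE is the slide's scan output re-typed; the finding names and the list of database services are my own choices.

```python
"""Parse nmap normal output and flag what a -A scan revealed.

Added example, not nmap's code. parse_nmap() turns the human-readable report
into host, ports and per-port NSE script lines; findings() applies checks a
practitioner would want before reading the raw text.
"""
import re
from datetime import datetime, timezone

# The -A scan shown in the slides, re-typed (constructed sample input).
SAMPLE = """Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-27 08:18 EDT
Nmap scan report for 143.215.200.8
Host is up (0.0018s latency).
PORT     STATE SERVICE  VERSION
53/tcp   open  domain?
443/tcp  open  ssl/http Apache httpd 2.2.8 ((Ubuntu) DAV/2 SVN/1.4.6 mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=pigeon.csc.gatech.edu/Georgia Tech/...
| Not valid before: 2008-10-17T02:19:58+00:00
|_Not valid after:  2010-04-20T02:19:58+00:00
|_ssl-date: 2013-03-27T12:28:55+00:00; +9m29s from local time.
3306/tcp open  mysql    MySQL 5.0.51a-3ubuntu5.8-log
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5.8-log
| Thread ID: 37158
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: @Xyvf|^?bOCDkmd,N#bF
Network Distance: 2 hops
Nmap done: 1 IP address (1 host up) scanned in 32.97 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script names are lowercase and hyphenated; continuation lines are not.
SCRIPT_START = re.compile(r"^\|[_ ]\s?([a-z][a-z0-9-]*):\s?(.*)$")
SCRIPT_CONT = re.compile(r"^\|[_ ]\s?(.*)$")

DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle"}  # assumed list


def parse_nmap(text):
    """Return {'host': str, 'ports': [{port, proto, state, service, version, scripts}]}."""
    result = {"host": None, "ports": []}
    port = script = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            result["host"] = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5) or "", "scripts": {}}
            result["ports"].append(port)
            script = None
            continue
        if port is None:
            continue
        m = SCRIPT_START.match(line)
        if m:
            script = m.group(1)
            port["scripts"][script] = [m.group(2)]
            continue
        m = SCRIPT_CONT.match(line)
        if m and script:
            port["scripts"][script].append(m.group(1))
    return result


def scan_time(parsed):
    """Scan time as seen by the target (ssl-date output), else the current UTC time."""
    for p in parsed["ports"]:
        for line in p["scripts"].get("ssl-date", []):
            return datetime.fromisoformat(line.split(";")[0].strip())
    return datetime.now(timezone.utc)


def findings(parsed, now):
    """List of (port, finding-code, detail) for open ports."""
    out = []
    for p in parsed["ports"]:
        if p["state"] != "open":
            continue
        sc = p["scripts"]
        if p["service"].endswith("?"):
            out.append((p["port"], "unidentified-service",
                        "no version fingerprint matched; identify the listener by hand"))
        if p["service"] in DATABASE_SERVICES:
            out.append((p["port"], "exposed-database",
                        f"{p['service']} reachable from the scanner: {p['version']}"))
        for line in sc.get("http-methods", []):
            if "risky methods:" in line:
                out.append((p["port"], "risky-http-methods",
                            line.split("risky methods:")[1].strip()))
        for line in sc.get("ssl-cert", []):
            m = re.search(r"Not valid after:\s*(\S+)", line)
            if m:
                expires = datetime.fromisoformat(m.group(1))
                if expires < now:
                    out.append((p["port"], "expired-cert",
                                f"certificate expired {expires.date()}, "
                                f"{(now - expires).days} days before the scan"))
    return out


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE)
    for port, code, detail in findings(parsed, scan_time(parsed)):
        print(f"{parsed['host']}:{port} {code}: {detail}")
```

For bulk work prefer nmap -oX and an XML parser, since normal output is meant for humans and its layout can change between versions; the regexes here are deliberately narrow and would need adjusting for other scripts.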
kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.

macof: flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net::RawIP macof program.

tcpkill: kill specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3whs for TCB creation).

tcpnice: slow down specified in-progress TCP connections via "active" traffic shaping (useful for sniffing fast networks). forges tiny TCP window advertisements, and optionally ICMP source quench replies.

dsniff: password sniffer. handles FTP, Telnet, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info.

dsniff - 2

dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).

filesnarf: saves selected files sniffed from network file system traffic in the current working directory.

mailsnarf: a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. Outputs selected messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).

urlsnarf: output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).
webspy: sends URLs sniffed from a client to your local Netscape browser for display, updated in realtime (as the target surfs, your browser surfs along with them, automagically). a fun party trick. :-)

http://monkey.org/~dugsong/ There is no index. Try adding the application name to the URL, like http://monkey.org/~dugsong/dsniff/, or Google the application name.

WARNING: this site was hacked in the past and served trojaned downloads for a few months. Check the published MD5s before building anything from it, and keep in mind that a hash posted on the same site an attacker controls proves nothing; compare against hashes or signatures published elsewhere (e.g., your distribution's package).

“wireshark” - A Network Protocol Analyzer (Sniffer)

“wireshark” is a free network protocol analyzer. It lets you interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide. Wireshark was written by an international group of networking experts, and is an example of the power of open source. It runs on Windows, Linux, UNIX, and other platforms. www.wireshark.org

Knoppix-STD

STD is a Security Tool. Actually it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro (i.e. it runs from a bootable CD in memory without changing the native operating system of your PC). Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can. STD is designed to assist network administrators and professionals alike secure their networks. The STD community is without exception White Hat. This means we will not entertain discussions on ANY illegal or unethical activities. www.knoppix.org and http://www.s-t-d.org/ List of tools: http://s-t-d.org/tools.html

Top 125 Network Security Tools: http://sectools.org (insecure.org)

Metasploit

The “Community” version is free.
It provides a GUI interface and a database for information gained from scans and attempted penetrations.

The Metasploit Project
Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Metasploit is a community project managed by Rapid7 [http://www.rapid7.com/], which also sells the Nexpose vulnerability scanner (“Community” editions are free). http://www.metasploit.com/ Also Google for "backtrack", the BackTrack live distribution that bundled Metasploit with many of the tools above (it has since been superseded by Kali Linux).

Internet Security Systems, Inc - Atlanta (now a division of IBM)

IBM helps you reduce the cost and complexity of securing your infrastructure with a comprehensive portfolio of world-class managed security services and consulting services powered by IBM X-Force.
Managed security services: Award-winning managed services help protect your information assets from attack.
Professional security services: Build comprehensive and effective information security policies and practices for your business.
Solutions for mid-market organizations: Security solutions designed specifically to help mid-sized businesses stay up and running.
Payment Card Industry (PCI) compliance solutions: We can help you assess compliance and meet all 12 requirements of the PCI standard.
Virtualization security solutions: Manage the risk of virtualization and realize the cost savings.
www.iss.net
News source (mostly about Microsoft updates): http://blogs.iss.net/

Network Security Organizations

There are a number of organizations that provide good advice about network security programs. The CERT Coordination Center (CERT/CC) and the U.S. government's US-CERT encourage reports about cracking activities and release summaries of cracking incidents.
CERT/CC is operated by Carnegie Mellon University's Software Engineering Institute (www.cert.org); US-CERT is the U.S. government's own team, part of DHS (www.us-cert.gov). SANS, which appears to be “for profit,” offers a number of free services. Reports on newly discovered exploits (without implementation code) and patched exploits are available by email. The Global Incident Analysis Center, now the Internet Storm Center, is available on the Web (www.sans.org, isc.sans.org). The FBI investigates cyber crimes and provides data from an ongoing survey (http://www.fbi.gov/cyberinvest/cyberhome.htm). The Secret Service also investigates cyber crimes, particularly those involving child pornography and bank fraud.

CERT®/CC Contact Information
Email: info@us-cert.gov
Encrypting sensitive information: When sending sensitive information by email, please encrypt it. You can find details about our PGP key at https://www.us-cert.gov/contact-us/
Phone - CERT Hotline 1 888 282-0870

US-CERT is part of DHS' National Cybersecurity and Communications Integration Center (NCCIC). The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cyber security - collaborative, agile, and responsive in a dynamic and complex environment.

Subscribe to the US-CERT mailing list if you want to receive their advisories and summaries in email. www.us-cert.gov (US DHS); also see www.cert.org (Carnegie Mellon U.)

CERT - 2: www.cert.org and www.us-cert.gov

SANS Global Incident Analysis Center

Welcome to GIAC, our mission is to provide up-to-date reports of malicious activity on the net submitted by your international community of system administrators and intrusion detection analysts. We welcome detects of intrusions, odd log file entries, encryption failures, or other security related information.
Three gifts SANS gives to the community are the weekly digest of patches and summaries of traces, the monthly Windows NT Digest of new security holes, patches, and other administrative imperatives, and the weekly digest of the top 25 news stories in security. We'd be happy to send you any or all; just send an email to info@sans.org with one or more of the following in the subject: Network Security Digest, NT Digest, or Newsbites.

GIAC has posted a guide to defensive steps against DDOS attacks in a document based on the Consensus Roadmap developed by the Partnership for Critical Infrastructure Security. Since the DDOS threat will be with us for the long haul we need to take appropriate countermeasures to reduce the impact of the threat. GIAC is committed to train and assist security professionals, and with your help we can get control of this problem. Thank you! http://isc.sans.org/reports.html

National Infrastructure Protection Center (NIPC)

Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures. Established in February 1998, the NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures. These infrastructures, which include telecommunications, energy, banking and finance, water systems, government operations, and emergency services, are the foundation upon which our industrialized society is based. Our society is increasingly relying on new information technologies and the Internet to conduct business, manage industrial activities, engage in personal communications, and perform scientific research.
While these technologies allow for enormous gains in efficiency, productivity, and communications, they also create new vulnerabilities to those who would do us harm. The same interconnectivity that allows us to transmit information around the globe at the click of a mouse or push of a button also creates unprecedented opportunities for criminals, terrorists, and hostile foreign nation-states who might seek to steal money or proprietary data, invade private records, conduct industrial espionage, cause a vital infrastructure to cease operations, or engage in Information Warfare. Protecting our critical infrastructures in the Information Age raises new challenges for all of us. Above all, it requires a partnership between the government and private industry to reduce our vulnerability to attack and increase our capabilities to respond to new threats. The NIPC provides an important vehicle for carrying that partnership forward.

Disbanded; see CIP and Homeland Security, National Cyber Security Division: http://www.dhs.gov/topic/cybersecurity

Department of Justice press release:

WASHINGTON, D.C. -- The Department of Justice, in conjunction with the FBI, the Air Force Office of Special Investigation, the National Aeronautic and Space Administration and the Naval Criminal Investigative Service, announced today that the Israeli National Police arrested Ehud Tenebaum, an Israeli citizen, for illegally accessing computers belonging to the Israeli and United States governments, as well as hundreds of other commercial and educational systems in the U.S. and elsewhere. The arrest of Tenebaum culminates several weeks of investigation into a series of computer intrusions into United States military systems that occurred in February 1998. As part of this investigation, the Department of Justice formally requested legal assistance from the Israeli Ministry of Justice, and U.S.
law enforcement agents traveled to Israel to present Israeli law enforcement officials with evidence of the magnitude and the source of the intrusions into United States computers. Attorney General Janet Reno said that the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct. She added that the U.S. government's efforts to investigate and prosecute computer crime are on the right track: "This arrest should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes. We will work around the world and in the depths of cyberspace to investigate and prosecute those who attack computer networks," she said.

The Rustock Takedown and Global Spam Volumes
Posted by Ralf Iffert and Tom Cross on March 21, 2011 at 11:50 PM EDT.

Last week there was widespread media coverage of a successful effort by Microsoft and US Marshals to take down the command and control capabilities of the Rustock botnet. At the time some sources announced a significant drop in spam volumes related to that event. Although X-Force noticed a 35% drop in spam volume on March 16th, spam volumes can fluctuate within a large range on a day to day basis and so this reduction in the volume did not initially appear to be outside of the normal amount of fluctuation that occurs. Now that several days have passed, this drop seems more significant, as the spam volume has stayed down between 35 and 40% versus its previous average volumes for several consecutive days. It appears that the Rustock takedown likely had a sustained impact on the total volume of spam. It is worth noting, however, that this reduction is only about half as big as the drop that occurred over Christmas, when spammers appeared to have gone on holiday.
For more, see http://blogs.iss.net/

What to Do if a System is Compromised

Regain control

1. Disconnect compromised system(s) from the network. To regain control, you will need to disconnect all compromised machines from your network, including dial-in connections. After that you may wish to operate in single user mode in UNIX or as the local administrator in NT to ensure that you have complete control of the machine; however, by rebooting or changing to single user/local administrator mode, you may lose some useful information because all processes executing at the time of discovery will be killed. Therefore, you may wish to work through the steps in section C.5*. Look for signs of a network sniffer to determine if the compromised system is currently running a network sniffer. Operating in single user mode on UNIX systems will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process. If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine. [On the other hand, some malware will do this automatically.]

2. Copy an image of the compromised system(s) . . . [The UNIX utility "dd" is good for this.]

*Excerpt from http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Turn off, then restart in single-user mode or from a "Live" CD.

What to Do if a System is Compromised - 2

1. Power off and disconnect from the network.

2. Reconfigure the BIOS* to prefer booting from a live† CD-ROM or USB drive. Intel PCs can be booted from a "Knoppix" live CD-ROM or DVD (www.knoppix.org). Use "SuperDuper" to make a live USB for a Mac (www.shirt-pocket.com, $28).

3. Clone the hard drive (for forensics and/or document recovery).
Use the UNIX utility "dd". The output must be a file on the mounted destination drive (or a raw destination device), not the mount point directory itself, and for a disk that may have bad sectors add conv=noerror,sync so that an unreadable block is padded with zeros instead of aborting the copy:

    dd bs=1k if=/dev/sda1 of=/media/usbdisk/sda1.img conv=noerror,sync

You can see the actual disk drive names (like /dev/sda1 and /media/usbdisk) by typing: df (df lists only mounted file systems; lsblk or fdisk -l lists every disk and partition, mounted or not). Do this from the live CD with /dev/sda1 left unmounted, so nothing writes to the source while you copy it, and image the whole disk (/dev/sda) rather than one partition if you want the partition table, boot sector and unallocated space as well. The destination "/media/usbdisk" (erased) must be as large as "/dev/sda1". This is best for forensic purposes. Attach a "Chain of Evidence" record to show everyone who took control, and when. Include a hash of the disk image (e.g., sha256sum of both /dev/sda1 and the image file; the two must match), and write-protect the original with a hardware write blocker or the drive's read-only switch.

Other programs copy only the blocks the file system is actually using, so the copy fits on a smaller, "almost-clone" disk. Not as good for evidence (unallocated space, where deleted files live, is lost), but useful if you have 50 GB actually used on a 1000 GB hard drive: Clonezilla Live (clonezilla.org, available as a live CD/DVD or live USB); Norton "Ghost" (a free version may be available); others: Rescatux, Redo Backup & Recovery, SystemRescueCD, Trinity Rescue Kit.

4. Best bet for recovery: periodically back up all documents (non-executable files) after running a virus detection tool (e.g., Sophos). Save all system and application installation disks, and installation "keys", so everything can be reloaded onto a freshly wiped hard disk.

* You should have had the BIOS configured to "only boot from the hard drive", and locked with a password.
† A "Live" CD/DVD can be used to boot up the computer, and contains its own OS. A RAM drive is then used, which allows the hard drive to be left unmounted and cloned. To make your own, see www.linux-live.org.
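The dd step in item 3, written out as a Python program (an added example, not from the CERT tech tip or the slides): copy a device to an image file block by block, pad an unreadable block with zeros and keep going as conv=noerror,sync does, hash the bytes as they are written, refuse to overwrite an existing image, mark the image read-only, re-hash it for verification and append a chain-of-custody line. The /dev/sda1 and /media/usbdisk paths from the slide are assumptions here; demo() substitutes a constructed 3 MiB + 1 KiB file for the device so it runs without root or a spare disk.

```python
"""Forensic disk imaging with on-the-fly hashing and a chain-of-custody log.

Added example, not CERT's or the course's code. In real use src is a raw device
such as /dev/sda1 (opened read-only from a live CD, unmounted, ideally behind a
hardware write blocker) and dst a file on a larger, wiped drive, e.g.
/media/usbdisk/sda1.img (assumed paths).
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

BLOCK = 1 << 20  # 1 MiB per read, the counterpart of dd's bs=


def image_device(src, dst, block=BLOCK):
    """Copy src to dst block by block; return SHA-256 of what was written.

    Like dd conv=noerror,sync, a block that cannot be read is replaced by zeros
    and the copy continues; bad_blocks is reported so the custody record can
    say the image is not byte-identical to the source. Opening dst with 'xb'
    refuses to overwrite an existing image.
    """
    digest = hashlib.sha256()
    copied = bad_blocks = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "xb") as fout:
        size = fin.seek(0, os.SEEK_END)  # works for files and Linux block devices
        fin.seek(0)
        pos = 0
        while pos < size:
            want = min(block, size - pos)
            try:
                buf = fin.read(want)
            except OSError:                  # unreadable sector(s): pad and skip
                buf = b"\0" * want
                bad_blocks += 1
                fin.seek(pos + want)
            if not buf:                      # unexpected EOF
                break
            pos += len(buf)
            digest.update(buf)
            fout.write(buf)
            copied += len(buf)
        fout.flush()
        os.fsync(fout.fileno())
    os.chmod(dst, 0o440)                     # software write-protect of the image
    return {"sha256": digest.hexdigest(), "bytes": copied, "bad_blocks": bad_blocks}


def sha256_file(path, block=BLOCK):
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path, handler, src, dst, result):
    """Append one JSON line: who, when, where, what, and whether the image re-hashed clean."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,
        "workstation": socket.gethostname(),
        "source": str(src),
        "image": str(dst),
        "bytes": result["bytes"],
        "bad_blocks": result["bad_blocks"],
        "sha256": result["sha256"],
        "verified": sha256_file(dst) == result["sha256"],
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Image a constructed 3 MiB + 1 KiB file standing in for /dev/sda1."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fake_sda1"            # stands in for the raw device
        dst = Path(tmp) / "sda1.img"
        log = Path(tmp) / "custody.jsonl"
        src.write_bytes(os.urandom(3 * BLOCK + 1024))   # constructed sample disk
        result = image_device(src, dst)
        entry = record_custody(log, "analyst (assumed name)", src, dst, result)
        try:
            image_device(src, dst)               # a second run must not clobber the image
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        return {
            "bytes": result["bytes"],
            "bad_blocks": result["bad_blocks"],
            "source_matches": sha256_file(src) == result["sha256"],
            "verified": entry["verified"],
            "overwrite_refused": overwrite_refused,
            "log_lines": log.read_text().count("\n"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things worth noting. The recorded digest is of what was written; if bad_blocks is nonzero the image is not byte-identical to the disk and the custody record says so. Hashing the copy stream saves a second pass over a large disk, but a separate sha256sum of the original device after imaging remains the standard cross-check when the hardware allows it.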