Vulnerability Detection

Transcription

1 Vulnerability Detection Department of Computer Science Montclair State University Course : CMPT Computer and Data Security Semester : Fall 2005 Student : Hung Nhu Nguyen Instructor : Dr. Stefan Robila Dec 12, 2005

2 Table of contents 1. Abstract. 2. Introduction What is a vulnerability? 2.2. Vulnerabilities detection system 2.3. Vulnerability scanner 3. Introduce ATK What is ATK? 3.2. What is plugin? 3.3. How does ATK scan vulnerability? 3.4. How to use the ATK? Configuration Selecting a plugin Running the scan and Analyzing the results Portscanner, ICMPPing, nslookup 4. Conclusion 5. References Student: Hung Nhu Nguyen 2

3 1. Abstract. Everything has both two sides, the left side and the right side, the useful side and the harmful side. Also in the world of computers, the computers bring to people too much convenient. Certainly everybody knows that, so I do not want to say again. Beside these convenient, sometimes they have some problems that reduce the convenient, even effect to user s information and harmful for users. On the other hand, when the crimes of computer were born, people use computer (internet) is being concerned by them. They always find out the flaws on the internet, in the software to attack. On the computer systems always exist the vulnerabilities. A vulnerability represents a weak point though which the security of a computer can be breached. A vulnerability is a programming error in an application that can be exploited to gain access to the computer with that program installed. So that we have to discover those vulnerabilities as soon as possible to reduce the damage has done by attackers. In this project, I would like to study about the vulnerability detection system as well as build tool to help to detect the vulnerability on a system. In addition, I introduce the ATK that is vulnerability scanner and exploiting framework. It is possible to detect potential flaws and exploit found vulnerabilities Student: Hung Nhu Nguyen 3

4 2. Introduction What is a vulnerability? A vulnerability represents a weak point though which the security of a computer can be breached. A vulnerability is a programming error in an application that can be exploited to gain access to the computer with that program installed Vulnerabilities detection system. A vulnerability detection system (VDS) is a continuously monitoring, always-on system that can detect and alert administrators to the presence of vulnerabilities as they appear. Think of it conceptually akin to an IDS except instead of constantly monitoring for hackers attempting to break-in, you are constantly monitoring for vulnerabilities hackers COULD use to break-in, before they actually do. A vulnerability detection system is a type of monitoring system that you can build yourself out of existing security products you are probably already using by doing a little bit of tweaking and integration work. Of course, vendors are sure to come along to make that easier for you, but the main advantage of pre-built solutions will be to save you time and money in building, deploying, and managing these systems, and be wary of those who claim otherwise Vulnerability scanner. A vulnerability scanner is a type of computer program specifically designed to search a given target (piece of software, computer, network, etc) for weaknesses. The scanner systematically engages the target in an attempt to assess where the target is vulnerable to attack. The program can be used either prophylactically (to find holes and plug them before they are exploited) or maliciously (to find holes and exploit them). VDS is not the same thing as a vulnerability scanner or security assessment tool. But a vulnerability scanner is the closest relative to a VDS and they share a common goal. Vulnerability scanners take a snapshot of a system and report the vulnerabilities that appear at that point in time. In contrast, a vulnerability detection system is continuously monitoring a network for the appearance of new vulnerabilities so that if one appears, Student: Hung Nhu Nguyen 4

5 administrators are instantly alerted to the presence of it. A good way to think of it is that vulnerability scanners audit periodically and VDS monitor continuously. Figure 1: Components of a network-based scanner 3. Introduce ATK 3.1. What is ATK? The acronym ATK stands for Attack Tool Kit. It was first developed to provide a very small and handy tool for Windows to realize fast checks for dedicated vulnerabilities. In the meanwhile it is a combination of security scanner (e.g. Nessus) and exploiting framework (e.g. MetaSploit). The special thing about ATK is that the tool is able to do the work without great interaction. But there is also always the possibility to vary and change the behaviour of the software. This concern the plugins, checking, enumeration and reporting. The user is not dependent of the ideas of the developers - If needed because of the modularity nearly every change can be done within a few seconds. ATK is developed and maintained by Marc Ruef. ( ATK is written in Visual Basic, underlies the General Public License (GPL) and is absolutely free to use and distribute. The ATK is a vulnerability scanner and exploiting framework. It is possible to detect potential flaws and exploit found vulnerabilities. Thus the ATK is a very powerful Student: Hung Nhu Nguyen 5

6 tool for administrators, security auditors and penetration testers to secure an IT environment What is plugin? A plugin is a small file that provides the data for checking. Every plugin contains one single check, the description, the procedure to verify the existence of the flaw and further informations. Plugins are necessary to use the ATK, doing checkings and security audits How does ATK scan vulnerability? The ATK is perfect to verify a specific vulnerability, perhaps found by another scanning or enumeration utility. The ATK execute the commands given in the plugin (in the plugin_request field). The first, ATK use command open to opens a connection to the destination host and the destination port. Every network connection has to start with this command. After that, it can use follow commands: - Sleep [seconds] command to let plugin sleep for some seconds. - Send [data string] command to sends data over the established connection. - icmp_alive command to verify the ICMP reachability of the target host. Mostly used in denial of service checks. - pattern_exists command to check if the pattern exists in the response. Important part of every trigger based check. The end, ATK use close command to close the established connection to the destination host and the destination port. The socket is freed and could be used for another connection attempt. Every network connection has to end with this command. After processing the commands above, the target host normally sends back some data. The plugin_trigger field in the plugin holds the trigger for the check. If the string in this field can be found in the server reply, the flaw is classified as found. Student: Hung Nhu Nguyen 6

7 3.4. How to use the ATK The ATK has many functions. In this paper shows in some its main functions and how to use them Configuration: After starting the ATK by running the exe file you can see the main frame. If you have never started or configured the ATK, the default configuration is used. Before you can do your specific scans, you have to edit the running configuration by pressing the config button in the toolbar. Figure 2: Main frame of ATK Student: Hung Nhu Nguyen 7

8 Figure 3: Form configuration You are able to change the target to detect at the Target textbox. You can do this by either type the host name or IP address. But you have to notice that, you should never scan a network resource without permission. The other properties on this form (to see them, you can click on the tabs) such as Preferences, Mapping, Plugin, ect. Only take a few minutes to check and change all possibilities to get more efficient configuration for your detection. Afterwards you can apply the new configuration by clicking File->Save. This configuration is saved in the configs\default.config file. Or you can click File->Save as to save in another filename for using next time Selecting a plugin Come back the main frame, you are able to select a plugin by clicking on of the nodes in the left treeview. These plugin loaded from plugins directory. These plugin are loaded by ID, Name, Port, ect. The plugin will be loaded into the memory and the fields are show in the right frame. Student: Hung Nhu Nguyen 8

9 Figure 4: Selecting a plugin Preparing the scan After you have configured your ATK and selected a specific scan. Now you may want to prepare the tool for the attack/detection. From main frame, by selecting edit in the toolbar, the form plugin editor is showed. Student: Hung Nhu Nguyen 9

10 Figure 5: Plugin editor By this form, you are able to see and edit every field in the plugin. This includes also the attack procedure so you are able to create your own and individual attacks. I have introduced detection commands above Running the scan and Analyzing the results: If your scan has been prepared, you can start the attack/scan by clicking on the Start button on the toolbar. It will take a few seconds to run the attack and to show the results of the scan attempt. The progress of the scanning are showed on the taskbar. You also visualize the running attack by clicking Visualise button on the toolbar. The attack visualizing shows the running attack in real-time and the attack response (clicking Response button on the toolbar) allows to do a response analysis of the finished check. Student: Hung Nhu Nguyen 10

11 Figure 6: Attack visualize & Attack response form When the scan is finished, the ATK will show the existence or non-existence of the checked flaw. If the vulnerability was found, a red textbox will appear - If the vulnerability couldn't be found, a green textbox will appear. (The red or green textbox is placed under the toolbar). By clicking on this textbox after the scan is finished, the attack response window will open so a further analysis of the response can be done.there are also suggestions for further analysis and attacks given. The silent checks - if activated - determine other plugins that would perhaps also detect the existence of potential flaws without touching the target Portscanner, ICMPPing, nslookup Beside the main functions above, there are three normal functions in ATK: - Portscanner: you can use this function to scan port to know what port is opening on the target host. - ICMPPing: ping function Student: Hung Nhu Nguyen 11

12 - nslookup: lookup the IP address if the host name given. In the opposite, lookup the host name if IP address given. Figure 7: Ports canner form Figure 8: nslookup form Student: Hung Nhu Nguyen 12

13 Figure 9: ICMP Ping form 4. Conclusion: Through a few sheets of paper, I learn about some information relate to the vulnerability detection. On the other hand, I also understand how a vulnerability scanner works, specially is ATK program. Thenceforth, I can build a program which scans the vulnerabilities of the programs or network, About the ATK, I investigated and understand their benefits and features: - Open-source (GPL) and free available for everyone. - Detection and exploiting mode available. - Simple plugin and attack editing during run time. - Plugins are written in xml and usually open-source (GPL) too. - Modular architecture (e.g. suggestions and reporing). - Real-time attack visualisation and advanced logging. - Detailed response and attack analysis. - Generation on individual reports. - Scanning and enumeration tools (nslookup, portscanner) - Nessus NASL support (experiemental). - Support for CVE names, SecuityForcus, CERT, Snort, etc. Student: Hung Nhu Nguyen 13

14 5. References: Student: Hung Nhu Nguyen 14