Vulnerability detection

Transcription

1 Introduce vulnerability Vulnerability detection Vulnerability: a weak point though which the security of a computer can be breached Vulnerability: a programming error in an application that can be exploited to gain access to the computer with that program installed Course: CMPT Fall 05 Department: Computer Science Professor: Dr Stefan Robila Student: Hung Nhu Nguyen Vulnerability detect system Vulnerability Scanner VDS is a continuously monitoring, always-on system that can detect and alert administrators to the presence of vulnerabilities as they appear A vulnerability scanner is a type of computer program specifically designed to search a given target (piece of software, computer, network, etc) for weaknesses

2 Vulnerability Scanner VDS & Vulnerability Scanner Components of a network-based scanner VDS is not the same thing as a vulnerability scanner: Vulnerability scanners take a snapshot of a system and report the vulnerabilities that appear at that point in time Vulnerability detection system is continuously monitoring a network for the appearance of new vulnerabilities so that if one appears A good way to think of it is that vulnerability scanners audit periodically and VDS monitor continuously Introduce ATK How does ATK work? The acronym ATK stands for Attack Tool Kit. It was first developed to provide a very small and handy tool for Windows to realize fast checks for dedicated vulnerabilities ATK is developed and maintained by Marc Ruef. ( ATK is written in Visual Basic, open source, underlies the General Public License (GPL) and is absolutely free to use and distribute The ATK is a vulnerability scanner and exploiting framework The ATK execute the commands given in the plugin A plugin is a small file that provides the data for checking. Every plugin contains one single check, the description, the procedure to verify the existence of the flaw and further informations. Plugins are necessary to use the ATK, doing checkings and security audits

3 Example plugin <plugin_id>196</plugin_id> <plugin_name>http Proxy port tcp/8080 detection</plugin_name> <plugin_family>firewalls</plugin_family> <plugin_created_date>2004/09/09</plugin_created_date> <plugin_created_name>marc Ruef</plugin_created_name> <plugin_created_ >marc dot ruef at computec dot ch</plugin_created_ > <plugin_created_web> <plugin_created_company>computec.ch</plugin_created_company> <plugin_updated_name>marc Ruef</plugin_updated_name> <plugin_updated_ >marc dot ruef at computec dot ch</plugin_updated_ > <plugin_updated_web> <plugin_updated_company>computec.ch</plugin_updated_company> <plugin_updated_date>2004/11/13</plugin_updated_date> <plugin_version>1.3</plugin_version> <plugin_changelog>added a NetRecon rating and CVE number in version 1.2. Corrected the plugin structure and added the accuracy values in 1.3</plugin_changelog> <plugin_protocol>tcp</plugin_protocol> <plugin_port>8080</plugin_port> <plugin_procedure_detection>open send GET / HTTP/1.0\nProxy-Connection: Keep-Alive\n\n sleep close pattern_exists *HTTP/1.[0-1] 200 * OR *HTTP/1.[0-1] 50[2-3] *</plugin_procedure_detection> <plugin_detection_accuracy>80</plugin_detection_accuracy> <plugin_comment>check is inspired by the Nessus plugin. See also ATK plugin 34 for a Squid specific version of this plugin.</plugin_comment> <bug_affected>misconfigured or unsecure HTTP proxy servers</bug_affected> <bug_not_affected>other solutions</bug_not_affected> <bug_vulnerability_class>configuration</bug_vulnerability_class> <bug_description>the remote host is running an HTTP web proxy that is misconfigured because he accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network. An attacker may also use this one to do further analysis or attacking of the proxy host.</bug_description> <bug_solution>you should install or upgrade the proxy to the latest version to prevent the exploitation of known vulnerabilities. Also limit unwanted connections and communications with ACL and firewalling.</bug_solution> <bug_fixing_time>approx. 40 minutes</bug_fixing_time> <bug_exploit_availability>yes</bug_exploit_availability> <bug_remote>yes</bug_remote> The commands in plugins + Open: Opens a connection to the destination host and the destination port. Every network connection has to start with this command + Sleep [seconds]: Lets the plugin sleep for some seconds. The parameter defines how long to sleep in seconds. Possible values are from 0 to n. + Send [data string]: Send data over an established connection. + icmp_alive: Verifies the ICMP reachability of the target host. Mostly used in denial of service checks. + pattern_exists: Checks if the pattern exists in the response. Important part of every trigger based check. + close: Close the established connection to the destination host and the destination port. The socket is freed and could be used for another connection attempt. Every network connection has to end with this command. All plugins loaded from plugins folder Configuration form Main frame

4 Plugin editor Attack visualize & Attack response form nslookup form Ports canner form

5 References ICMP Ping form Questions