Security Mgt. Tools and Subsystems
Some attack and defense security tools at work

Reconnaissance
- Passive
- Active
Penetration

Classes of tools (network-bound)
Passive Reconnaissance
- Passively listen to and analyze the traffic on the network, or log and analyze events on hosts
- Does not change the state of the entity in question
- Can be used for attack or defensive purposes
- Examples: network sniffer, Intrusion Detection System

Active Reconnaissance
- Gathers information by doing something in a potentially detectable way (often by sending network traffic) and waiting for responses
- Examples: WHOIS, traceroute, port scanner
Methodology for Reconnaissance
- Intelligence gathering
- Footprinting
- Verification
- Vitality

Penetration Testing
Penetration tools
- Aid the user in breaking into and gaining unauthorized access to a network entity and/or its hosts
- Often work by exploiting a specific vulnerability in software or unintended interactions between entities
Penetration testing tools
- Similar to attack tools, but may have damage-control mechanisms to minimize negative impact
- Example tools: nmap, Wireshark, Nessus, Metasploit
Penetration Testing: nmap
- Port scanning
- OS fingerprinting
- Service version detection

Penetration Testing: Wireshark
- Previously known as Ethereal; a multi-platform open-source network protocol analyzer
- Allows one to examine data from a live network or from a capture file on disk (previously recorded by tcpdump, for instance)
- Understands hundreds of protocols
- Rich display filter language
- Ability to reconstruct TCP sessions and follow entire streams
Penetration Testing: Metasploit Framework
- The attack tool par excellence (at least for real hackers)
- An advanced open-source platform for developing, testing, and using exploit code
- Currently used for just about any cutting-edge exploitation research
- Already ships with hundreds of exploits and shellcode

Penetration Testing: other specific tools exist for
- Databases
- Web applications
- Wireless...
Extended open-source security tools; special-purpose attack tools (e.g., the Stuxnet suite)
Fighting back...
Defense and Countermeasures: methodology and tools
- Systematic measures to defend systems and networks from intrusion
- Defensive security management
- Active countermeasures for defense and protection
Security management and defensive functions
- security enhancement
- fault (attack, vulnerability) diagnosis
- attack prevention
- intrusion detection
- auditing
Security management functions: security enhancement
- In this class we have tools that render machines and software more robust by preventing/removing vulnerabilities; for example cryptographic software, filtering and wrapping software, or packages that encrypt, sign or checksum critical software to detect modifications (e.g., crypto libraries, wrappers or integrity checkers)
- Examples of such software are Tripwire, Xinetd, TCP Wrapper, Portmapper, and Cracklib

Wrappers and Integrity Checkers
- Can significantly improve the resilience of otherwise vulnerable software by:
  - neutralising vulnerabilities
  - detecting modifications
Tripwire
- Defensive tool (more specifically an integrity checker)
- Configuration control
- Monitors important file and registry values and properties (like access times, flags, owner, etc.)
- Enables admins to detect files that are added, modified or deleted
- Provides a history of what changes during patching
- Two components: Tripwire for Servers (command line) and Tripwire Manager (GUI front end)
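To make the integrity-checker idea concrete, here is an added example (not Tripwire's own code) that baselines a directory tree and reports added, modified and deleted files on a later check; the tree, file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not Tripwire's own code): a minimal integrity checker that stores
# a baseline of file hashes/metadata and later reports added, modified and deleted
# files. Keep the baseline off-host or read-only, or an intruder can update it too.

def fingerprint(path):
    """Content hash plus the metadata an integrity checker typically watches."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode), st.st_uid, st.st_mtime_ns)

def snapshot(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return snap

def compare(baseline, current):
    """Classify differences between the trusted baseline and a fresh snapshot."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a temp tree, change it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Simulated changes after the baseline was taken: one edit, one new file, one removal.
        _write(os.path.join(etc, "passwd"), "guest:x:1001:1001::/home/guest:/bin/sh\n", "a")
        _write(os.path.join(etc, "unexpected.conf"), "# not in the baseline\n")
        os.remove(os.path.join(etc, "hosts"))
        return compare(baseline, snapshot(root))
```

Running demo() returns the three categories Tripwire reports; on a real host the baseline would be taken from known-good media and the comparison run on a schedule.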
Security management functions: fault (attack, vulnerability) diagnosis
- In this class we have for example packages that scan the facility looking for design or configuration vulnerabilities: vulnerability scanners
- E.g., test systems to activate vulnerabilities, discover them and correct them (removal) or filter them (neutralisation)
- Examples of such software used over the past few years are Crack, COPS, Tiger, ISS, SATAN, SAINT, Nessus, Merlin, Trojan

On Vulnerability Scanners
- Vulnerability scanners are useful but have limitations:
  - they exercise the system in order to activate vulnerabilities: often they only find those they look for, and only those reachable by the interface method
  - they do not detect attacks
  - periodic execution, in the background, not real-time
Bringing it all together
- Over the past few years there have been releases of powerful packages integrating several tools of the classes seen above:
  - Hiren's BootCD: system diagnosis & management
  - Metasploit: penetration testing
  - BackTrack: penetration testing
Security management functions: attack prevention
- In this class we have all types of tools that attempt to block attacks on internal, perhaps vulnerable, components: firewall systems
- E.g., restrict access to systems, to prevent attacks from getting to the vulnerabilities
- Examples of such software are Firewall-1, iptables, Gauntlet, Raptor

Limitations of Firewalls
- Firewalls are an excellent tool, but not perfect:
  - not transparent (except for bridge-level)
  - slow networks down
  - do not block all attacks
  - block legitimate interactions
- Something more proactive is needed in the way of:
  - taking care of residual vulnerabilities (the most subtle)
  - taking care of ongoing or successful attacks
Security management functions: intrusion detection
- In this class we have for example packages that perform real-time supervision, looking for anomalous behavior or state of the system, or abnormal patterns of usage, in order to detect intrusions; they act as a last resort, when a successful attack/vulnerability match has occurred: Intrusion Detection Systems
- E.g., detect symptoms derived from ongoing or successful attacks
- Examples of such software are Scandetector, CPM, AID, AAID, NID, ASAX, Hummer, Snort
Intrusion Detection Systems
- Complement the protection offered by scanners and firewalls
- IDS are based on sensors: programs, sometimes in boxes, which detect intrusions in parts of systems and generate reports to consoles
- Consoles interpret the reports and/or generate appropriate responses
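The sensor/console split above, as an added example that is not the code of Snort, Scandetector or any other tool named here: a sensor parses firewall log lines and reports a port sweep (the kind of active reconnaissance a port scanner produces), and a console turns each report into a response. The log lines, window and threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Snort's or Scandetector's code): a sensor/console pair that
# spots a port sweep in firewall log lines. Sample lines below are constructed,
# loosely modelled on iptables LOG output.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Jan 10 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 10 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 10 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 10:05:00 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
garbage line the sensor must not choke on
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")
WINDOW = timedelta(seconds=10)   # sliding window per source address
THRESHOLD = 5                    # distinct destination ports within WINDOW

def sensor(lines):
    """Sensor: parse events, keep a per-source sliding window, emit reports."""
    recent = defaultdict(list)   # src -> [(timestamp, dport), ...] inside WINDOW
    reported, reports = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # unparseable line: skip (a real sensor would count these)
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        src, dport = m.group(2), int(m.group(3))
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= WINDOW] + [(ts, dport)]
        ports = {p for _, p in recent[src]}
        if len(ports) >= THRESHOLD and src not in reported:
            reported.add(src)    # one report per source per sweep is enough for the console
            reports.append({"src": src, "ports": sorted(ports), "at": m.group(1)})
    return reports

def console(reports):
    """Console: interpret sensor reports and decide a response for each."""
    return [f"block {r['src']} at the firewall: swept {len(r['ports'])} ports by {r['at']}"
            for r in reports]

def analyse(text=SAMPLE_LOG):
    return console(sensor(text.splitlines()))
```

The single repeated connection from 198.51.100.4 never crosses the threshold, which is the point of windowing by distinct ports rather than by packet count.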
Security management functions: auditing
- In this class we have for example packages that perform logging and build audit trails of the system, in order for the administrator to analyze events a posteriori (e.g., correlate attacks to detect intrusion campaigns)
- Audits should be secure, in the sense of indelible
- E.g., secure logging and auditing tools and protocol analyzers
- Examples of such software are tcpdump, Analyzer, Swatch, Logdaemon, Netlog, Netman

Protocol Analyzers (e.g., Wireshark)
- Sniffers have their good side...
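One way to make an audit trail "indelible" in the sense used above, as an added example that belongs to none of the tools listed: a hash-chained log in which each entry commits to the previous one, so edits and deletions break verification; the events are constructed for the demo, and the off-host copy of the latest hash is an assumption the caveat depends on.

```python
import copy
import hashlib
import json

# Added example (not from any of the tools above): a hash-chained audit trail.
# Each entry commits to the previous entry's hash, so editing or deleting an
# earlier record breaks verification. Truncating the tail is only detected if the
# latest hash is also stored somewhere the intruder cannot reach (remote host,
# WORM media, printer), which is what "indelible" requires in practice.

GENESIS = "0" * 64

def _digest(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()

def append(trail, record):
    """Append a record; its hash binds it to everything logged before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return trail[-1]["hash"]

def verify(trail, expected_head=None):
    """Return (ok, index of first bad entry or None). expected_head is the
    off-host copy of the last hash, used to catch truncation of the tail."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None

def demo():
    """Constructed scenario: log three events, then tamper in three ways."""
    trail = []
    for rec in ({"ts": "2024-01-10T10:00:01", "event": "login", "user": "alice", "ok": True},
                {"ts": "2024-01-10T10:00:07", "event": "login", "user": "root", "ok": False},
                {"ts": "2024-01-10T10:00:09", "event": "sudo", "user": "alice", "ok": True}):
        head = append(trail, rec)
    intact = verify(trail, head)
    edited = copy.deepcopy(trail)
    edited[1]["record"]["ok"] = True          # rewrite the failed root login as a success
    deleted = copy.deepcopy(trail)
    del deleted[1]                            # remove the record entirely
    truncated = trail[:-1]                    # drop the newest record
    return intact, verify(edited), verify(deleted), verify(truncated), verify(truncated, head)
```

The fourth result shows the caveat: a truncated chain still verifies on its own, and only the externally stored head hash exposes the missing tail.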