
An Overview of Non-Commercial Software for Network Administrators

Doug Nomura, doug.nomura@gmail.com

June 16 2009

UCCSC 2009 - Focus on Security

Disclaimer

Don’t blame me if your workstation breaks or something bad happens to your network

Scientist Gone Bad - this is me!

Expectations

General overview - only have 60 minutes!

Focus will be on tools to help detect problems with your network

Two Hat Perspective

If you can use the tool, think how it can be used against you!

Approach

Tool will be described

What the tool does

How can you use it

Advantages/disadvantages

Topics to be covered

Data Mining 1A

Web 2.0

Kismet

OpenVAS

Metasploit

More Topics

NMap

Web Vulnerability Scanners

Pros and Cons of the free stuff

The Future

Data Mining 1A


Every network leaks or broadcasts information

What is allowable or acceptable by your organization?

This section gives examples of the types of information being broadcast, both allowable and sensitive

Classic Sources of Data Leaks

DNS & MX records

Technical forums

Job sites

Google’s Advanced Operators

Reduce noise

Help to refine search

Operator:search term

Tutorial to advanced operators http://www.googletutor.com/google-manual/web-search/adding-advanced-operators/

Operators

site:ucdavis.edu - restrict results to one domain

“Exact phrase” - match the words in that order

intitle: - look for the term in the page title (intext: looks in the page body)

Types of information

Personal information

Technical information

Let’s look for some personal information

Does anyone from UCD know this person? Or, my gosh, look at the SSN!!!

Sensitive information deleted from this slide

Is anyone here from UCSF? Or: this probably should not be broadcast to the world

Sensitive information deleted from this slide

Example of a technical Google hack revealing Nessus scan reports

Summary of Google Hacking

Use Google to peruse your servers for sensitive information

Clean up your mess, like old scan reports

Educate users about the danger of broadcasting information
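As an added example (not from the original slides), the checklist above as a script: build the Google queries for your own domain with the operators described earlier, and run the same intitle:/filetype: test locally over a web document root so forgotten scan reports are found before Google finds them. The domain, the document root, the sample files and the title/extension patterns are assumptions made for this example.

```python
"""Added example (not from the original slides): the Google-hacking
checklist turned into a local check.

1. build_dorks() assembles the Google queries the talk describes
   (site: restriction plus intitle:/filetype: terms) for one domain;
2. find_scan_reports() walks a web document root and flags files that a
   query like  site:example.edu intitle:"Nessus Scan Report"  would
   surface, so they can be removed before (or after) Google indexes them.

The domain, document root and sample files are constructed here; the
title/extension patterns are assumptions, not an exhaustive dork list.
"""
import os
import re
import tempfile

# Report titles and raw-output extensions worth searching for (assumed set).
REPORT_TITLES = [
    "Nessus Scan Report",
    "OpenVAS Report",
    "Nmap Scan Report",
]
REPORT_EXTENSIONS = (".nessus", ".nbe", ".nmap", ".gnmap")

_TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def build_dorks(domain):
    """Return the Google queries to run for one domain: site: scopes the
    search, intitle: matches the HTML <title>, filetype: the extension."""
    dorks = ['site:%s intitle:"%s"' % (domain, t) for t in REPORT_TITLES]
    dorks += ["site:%s filetype:%s" % (domain, ext.lstrip("."))
              for ext in REPORT_EXTENSIONS]
    return dorks


def _html_title(path):
    """Return the <title> of an HTML file, or '' if it has none."""
    try:
        with open(path, "r", errors="replace") as f:
            m = _TITLE_RE.search(f.read(65536))
    except OSError:
        return ""
    return m.group(1).strip() if m else ""


def find_scan_reports(docroot):
    """Walk docroot and return sorted (relative path, reason) pairs for every
    file that looks like an exposed scan report: a raw-output extension, or
    an HTML <title> containing one of REPORT_TITLES (the intitle: test)."""
    findings = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            if name.lower().endswith(REPORT_EXTENSIONS):
                findings.append((rel, "raw scanner output"))
                continue
            if name.lower().endswith((".html", ".htm")):
                title = _html_title(path).lower()
                for t in REPORT_TITLES:
                    if t.lower() in title:
                        findings.append((rel, 'intitle:"%s"' % t))
                        break
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample docroot: one forgotten Nessus HTML report, one raw
    .nbe file and one harmless page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "scans", "2008"))
    with open(os.path.join(root, "scans", "2008", "hosts.html"), "w") as f:
        f.write("<html><head><title>Nessus Scan Report - 2008-03</title>"
                "</head><body>192.168.1.2 ...</body></html>")
    with open(os.path.join(root, "scans", "2008", "hosts.nbe"), "w") as f:
        f.write("results|192.168.1|192.168.1.2|ssh (22/tcp)|...\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><head><title>Department home</title></head></html>")
    return root


if __name__ == "__main__":
    for q in build_dorks("example.edu"):
        print("google:", q)
    for rel, why in find_scan_reports(build_sample_docroot()):
        print("exposed:", rel, "(%s)" % why)
```

The local walk complements the searches rather than replacing them: Google also indexes what other sites link to, and the cache keeps a copy after the file is deleted, so run the queries as well.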

The Pros of Google Hacking

Find information you didn’t know was being broadcast

It’s cheap and works

The Cons of Google Hacking

Someone may have found the information already

You may not find everything

Fear the Google cache!!!!!

References for Google Hacking

See Johnny Long’s book - Google Hacking for Penetration Testers - ISBN-10 1597491764

Any questions - just send me an email

Web 2.0

Example: Twitter

Technical

Exploitation of code

Passive enumeration

Users careless of information being broadcast

Solution

Identify the types of data that should not be broadcast

Educate

Users need to be made aware there are people “watching.”

“Free” Tools

Many released under GNU/GPL

Range from simple to complex

Many have great support and documentation

Kismet

Detects presence of 802.11 APs

Sniffs traffic

IDS

kismetwireless.net

Kismet

Note error messages at bottom - ignore them

Courtesy of kismetwireless.net

Why use Kismet?

Pen testing of APs

Seek out rogue APs

Survey and map 802.11 installation

Distributed IDS

Kismet Advantages

Initial cost is free

Very powerful

Customizable

plugins

Cons of Kismet

Interface

May require significant configuration

Incompatibilities

Long term cost could be high due to time spent configuring and tweaking apps

OpenVAS

Vulnerability Assessment

Based upon Nessus 2.2

Released under GNU/GPL

openvas.org

Image Courtesy of openvas.org

Image Courtesy of openvas.org

Image Courtesy of openvas.org

OpenVAS

Runs well on Linux

Financially - free VA tool

Growing support for project

Disadvantages

Problems with some NVTs (Network Vulnerability Tests)

Some difficulty on non-Linux platforms

Metasploit

Security framework that identifies vulnerabilities and exploits them

Intended for penetration testing and research

Customizable

metasploit.org

Metasploit


Command line interface of Metasploit

Metasploit

Example vulnerability to be used on Windows 2000 machine

Metasploit

Selection of exploit

Metasploit

Access has been achieved on remote machine

Metasploit Advantages

Growing community of users

Growing documentation

Runs well on most flavors of *nix

Excellent tool to identify and exploit vulnerability

Metasploit Disadvantages

Does not contain every exploit, and may not be up to date with the latest ones

Lack of logging or reports

Machine running Metasploit can be compromised

This is a very dangerous tool and may violate policy at your institution. Use it only on a test network

NMap - Network Mapper

Sends raw IP packets to a specific host or a range of hosts

Determines OS, service versions and open ports, and identifies potential vulnerabilities

nmap.org

NMap

Network administrators and other IT folk responsible for network based assets

Pen testers and other security folk

NMap

Loki:/Users/Doug root# nmap -sV 192.168.1.1-25

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-14 23:56 PDT
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
23/tcp  open  telnet   Cisco telnetd (IOS 6.X)
443/tcp open  ssl/http Cisco PIX Device Manager
MAC Address: 00:08:21:3A:29:B2 (Cisco Systems)
Service Info: OS: IOS; Device: firewall

Interesting ports on 192.168.1.2:
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     tnftpd 20061217
22/tcp  open  ssh     OpenSSH 5.1 (protocol 1.99)
548/tcp open  afp     Apple AFP (name: Feline; protocol 3.2; Mac OS X 10.4/10.5)
MAC Address: 00:0D:93:32:D0:26 (Apple Computer)
Service Info: Host: Feline.local

Interesting ports on 192.168.1.4:
Not shown: 999 closed ports
PORT     STATE SERVICE       VERSION
5009/tcp open  airport-admin Apple AirPort admin
MAC Address: 00:03:93:1F:01:65 (Apple Computer)

Interesting ports on 192.168.1.6:

Part of a Nmap scan report
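An added example, not part of the original slides: with -oX Nmap writes the same report as XML, and a few lines of Python turn the service table into the list an administrator actually needs to act on. The XML below is constructed in Nmap's output format to mirror the hosts on the slide (it is not the slide's real report), and the two rules are assumptions chosen for the example: cleartext administrative protocols, and an SSH banner of "protocol 1.99", which means the server accepts SSHv1 as well as SSHv2.

```python
"""Added example (not from the original slides): read an Nmap XML report
(nmap -sV -oX scan.xml ...) and reduce the open-port table to findings.

The XML is a constructed sample in Nmap's format modelled on the slide's
hosts.  The rules are assumptions: telnet/ftp are cleartext admin
protocols, and an SSH banner of "protocol 1.99" means SSHv1 is accepted.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1-25">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:08:21:3A:29:B2" addrtype="mac" vendor="Cisco Systems"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="Cisco telnetd" extrainfo="IOS 6.X"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Cisco PIX Device Manager" tunnel="ssl"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="tnftpd" version="20061217"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.1" extrainfo="protocol 1.99"/></port>
      <port protocol="tcp" portid="548"><state state="open"/>
        <service name="afp" product="Apple AFP"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5009"><state state="open"/>
        <service name="airport-admin" product="Apple AirPort admin"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Cleartext protocols that should not be used for device administration.
CLEARTEXT_ADMIN = {
    "telnet": "cleartext login (use SSH)",
    "ftp": "cleartext file transfer (use SFTP/SCP)",
}


def parse_services(xml_text):
    """Return (ip, port, proto, name, product, version, extrainfo) for every
    open port in an Nmap XML report; closed/filtered ports are skipped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in host.iter("address")
                   if a.get("addrtype") == "ipv4"), None)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attr = svc.get if svc is not None else (lambda k, d="": d)
            rows.append((ip, int(port.get("portid")), port.get("protocol"),
                         attr("name", ""), attr("product", ""),
                         attr("version", ""), attr("extrainfo", "")))
    return rows


def review(xml_text):
    """Apply the rules to the service table; return (ip, port, finding)."""
    findings = []
    for ip, port, proto, name, product, version, extra in parse_services(xml_text):
        if name in CLEARTEXT_ADMIN:
            findings.append((ip, port, CLEARTEXT_ADMIN[name]))
        # "protocol 1.99" in the banner: the server still accepts SSHv1.
        if name == "ssh" and "1.99" in extra:
            findings.append((ip, port,
                             "SSHv1 enabled (protocol 1.99); set Protocol 2"))
    return findings


if __name__ == "__main__":
    for ip, port, why in review(SAMPLE_XML):
        print("%s:%d  %s" % (ip, port, why))
```

Run over the slide's hosts this flags the firewall's telnet port and both the FTP and SSHv1 services on 192.168.1.2; the AFP and AirPort admin services pass through untouched, which is the point of keeping the rules explicit instead of treating every open port as a problem.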

Strengths of NMap

Large base of support from user and developer community

Mature product

Fast and versatile scanner

Extremely stable. Install and go!

Weaknesses of NMap

Some scans are intrusive

Some scans have crashed hosts being scanned

Web Vulnerability Scanners

GNU/GPL World

Singular in purpose

Paros

Stagnant

Nikto

Web Vulnerability Scanners

Single-purpose tools usually check for one class of vulnerability (e.g. XSS or SQL injection), so you would need many different GNU/GPL tools to cover all possible vulnerabilities

Web Vulnerability Scanners

Some projects become stagnant or die because the core developers can no longer devote time to the project

Advantages of the “free” apps

Initial cost is low

Some projects have a community of support

Documentation

A potentially powerful tool rivaling commercial tools

Advantages of “free” apps

Use older hardware

Great for that older machine collecting dust

Disadvantages

Project stability

UI issues

Application stability

Speed of development

Upgrades may be challenging

Geek Factor

[Chart: “geek factor” on one axis (0 to 100) plotted against “cost” on the other (0 to 100)]

What to do?

Define your needs

Determine stability and viability of project

Be willing to invest time

Be diligent

The future

Greater and easier exploitation of Web 2.0

You must educate your users about the dangers

Handhelds will be both targets and attackers

The End

Further questions? Drop me an email.

doug.nomura@gmail.com
