Introduction to Vulnerability Assessment Labs - Ge Zhang - PowerPoint PPT Presentation

SLIDE 1

Karlstad University

Introduction to Vulnerability Assessment Labs

Ge Zhang ge.zhang@kau.se Dvg-C03

SLIDE 2

Schedule

  • 3 Attacking methods
    – Password cracking
    – ARP spoofing & sniffing
    – Port scanning
  • 1 Defense method
    – Firewall configuration
  • 2 Vulnerability assessment tools
    – Nessus
    – Bastille

SLIDE 3

Environment

  • 3 VM images (c:\vmware\valab-ht11)

[Figure: lab topology showing the VMs and the host machine connected through several hubs and a switch]

SLIDE 4

Password Cracking

  • Authentication:
    – Something you know
    – Something you have
    – Something you are
  • Passwords need to be transferred
  • Passwords need to be stored

SLIDE 5

Brute Force

  • Attempts all possible combinations of letters and numbers
  • Possible solutions
    – Limit the number of unsuccessful logins
    – Change passwords often
    – The length should be at least 8 characters

SLIDE 6

Dictionary

  • A type of brute force
  • Only tries possibilities that are likely to succeed
  • The lists are derived from a dictionary
  • Possible solutions
    – Mix and match numbers, letters, upper and lower case
    – Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
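A checker for the advice on the Brute Force and Dictionary slides above, added here as an example (it is not part of the lecture material); the function name and the five-word list are constructed for the example, standing in for a real dictionary file:

```shell
#!/bin/sh
# Added example, not from the lecture: test a candidate password against the
# rules on the Brute Force and Dictionary slides. Prints the first failing
# rule and returns 1, or prints "ok" and returns 0.
# Usage: check_password PASSWORD USERNAME
# Constructed word list standing in for a real dictionary file:
WORDLIST='password
secret
karlstad
welcome
letmein'

has_class() {   # has_class STRING CLASS -> true if any character is in CLASS
    printf '%s' "$1" | grep -q "$2"
}

check_password() {
    pw=$1
    user=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    # Brute force: each extra character multiplies the search space, so
    # enforce the slide's minimum of 8 characters
    if [ "${#pw}" -lt 8 ]; then echo "too short (<8)"; return 1; fi
    # Mix numbers, letters, upper and lower case
    has_class "$pw" '[[:digit:]]' || { echo "no digit"; return 1; }
    has_class "$pw" '[[:lower:]]' || { echo "no lower-case letter"; return 1; }
    has_class "$pw" '[[:upper:]]' || { echo "no upper-case letter"; return 1; }
    # Dictionary: the bare word, or the word with digits glued on either end,
    # is what a word list with simple mangling rules tries first
    core=$(printf '%s' "$lower" | sed 's/^[0-9]*//; s/[0-9]*$//')
    for w in $WORDLIST; do
        if [ "$core" = "$w" ]; then echo "based on dictionary word: $w"; return 1; fi
    done
    # Number sequences and the user name are just as cheap to guess
    case "$lower" in
        *1234*|*4321*|*0000*|*1111*) echo "contains a number sequence"; return 1 ;;
    esac
    if [ -n "$user" ]; then
        case "$lower" in
            *"$user"*) echo "contains the user name"; return 1 ;;
        esac
    fi
    echo ok
}
```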

SLIDE 7

John the ripper

  • Traditionally the account information is stored in the /etc/passwd file
  • The /etc/passwd file is world-readable
  • The shadow password system stores the (hashed) passwords in the file /etc/shadow, which is not world-readable
  • Have a look at
    – /usr/share/doc/john-1.7.0.2/EXAMPLES
  • Then create your own account and password, and run “john” again to see the result
    – useradd [your account]
    – passwd [your account]

SLIDE 8

Sniffing

  • Hub: a hub simply receives incoming packets and broadcasts them out to all devices on the network
  • Adapter in promiscuous mode: the adapter receives all frames on the network, not just the frames addressed to it

[Figure: a hub is a shared medium, like Token Ring]

SLIDE 9

Wireshark

[Screenshot: Wireshark main window, annotated: Show capture options, Filters for display, Select network interface, Filters for capture]

SLIDE 10

Wireshark

[Screenshot: Wireshark capture window, annotated: Stop capturing, Captured datagrams, Datagram analysis, Datagrams in hex]

SLIDE 11

Hub vs. switch

  • Hub: Layer 1 (physical)
  • Switch: Layer 2 (data-link)

[Figure: hub = shared medium (like Token Ring); switch = dedicated link per port]

SLIDE 12

ARP (Address Resolution Protocol)

  • MAC address (layer 2)
    – Globally unique
    – Unchangeable
  • IP address (layer 3)
    – Unique within the network
    – Changeable

  ARP: IP address → MAC address
  RARP: MAC address → IP address

SLIDE 13

ARP spoofing (cache poisoning)

  • On a switch

[Figure, four panels, hosts 192.163.0.1 (AA), 192.163.0.2 (BB), 192.163.0.3 (CC) and 192.163.0.4 (DD) on one switch:
 1. Normal ARP: 192.163.0.1 broadcasts "Who has the IP address 192.163.0.4? Tell 192.163.0.1 with mac: AA".
 2. 192.163.0.4 replies "I am 192.163.0.4, with mac address DD"; host .1 caches 192.163.0.4->DD.
 3. Poisoning: 192.163.0.3 (CC) sends unsolicited replies "I am 192.163.0.4, with mac address CC" to .1 and "I am 192.163.0.1, with mac address CC" to .4.
 4. The poisoned caches now hold 192.163.0.4->CC on .1 and 192.163.0.1->CC on .4, so frames between .1 and .4 are delivered to CC.]
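The poisoning in the figure leaves a visible trace in the ARP replies themselves. The following arpwatch-style check, added here as an example and not part of the lecture, runs over a constructed capture of the slide's scenario; the "ip mac" input format and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the lecture: a small arpwatch-style check over the
# ARP replies seen on the wire. Each input line is "sender_ip sender_mac" in
# arrival order (what Wireshark's ARP display would show). It reports every IP
# whose MAC changes and every MAC that claims more than one IP, which is the
# footprint of the poisoning on the slide.

# Constructed capture of the slide's scenario: genuine replies from AA and DD,
# then the attacker CC claiming both 192.163.0.4 and 192.163.0.1
SAMPLE_REPLIES='192.163.0.1 AA
192.163.0.4 DD
192.163.0.4 CC
192.163.0.1 CC
192.163.0.2 BB'

detect_arp_spoof() {   # reads replies on stdin, prints one ALERT line per finding
    awk '
    {
        ip = $1; mac = $2
        # An IP that was bound to one MAC and now answers from another
        if ((ip in seen) && seen[ip] != mac)
            printf "ALERT %s changed %s -> %s\n", ip, seen[ip], mac
        seen[ip] = mac
        # One MAC answering for several IPs (CC posing as both .1 and .4)
        if (!((mac, ip) in claimed)) { claimed[mac, ip] = 1; nips[mac]++ }
        if (nips[mac] == 2)
            printf "ALERT %s claims multiple IPs\n", mac
    }'
}

# On the sample this prints three alerts: .4 changed DD -> CC,
# .1 changed AA -> CC, and CC claims multiple IPs
printf '%s\n' "$SAMPLE_REPLIES" | detect_arp_spoof
```

A legitimate change (a replaced NIC, a DHCP lease moving to another host) also trips the first rule; what distinguishes the attack is that two hosts flip to the same MAC at the same moment.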

SLIDE 14

Preparation

  • ipconfig /all
  • Let me know the last number of your IP address and your MAC address
  • ping [IP address] -t

[Figure: a continuous stream of pings between two hosts, labelled Door and Window]

SLIDE 15

Cain

[Screenshot: Cain sniffer tab, annotated: Select interface, Scan MAC addresses, Scanned results, ARP spoofing configuration]

SLIDE 16

Cain

[Screenshot: Cain ARP tab, annotated: Add to list for spoofing; spoof the ARP caches of these two hosts to intercept the conversation between them]

SLIDE 17

Cain

[Screenshot: Cain, annotated: Start ARP spoofing]

SLIDE 18

Port Scanning

  • Attackers wish to discover services they can break into
  • Does the service exist?
  • Send a packet to each port, one at a time
    – Based on the type of response, the attacker knows whether the port is in use
    – The used ports can be probed further for weaknesses
  • Well-known ports: tcp 21, tcp 22, tcp 23, tcp 80 …

SLIDE 19

Nmap

  • -sT (scanning by TCP connections)
  • -sS (SYN scanning)
  • -sU (UDP scanning)
  • -sV (version detection)
  • -O (OS fingerprinting)
  • -T[0-5] (timing template)
  • -f (fragmenting packets)

SLIDE 20

Nmap

SLIDE 21

Nmap

  • Zenmap: graphical interface
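A scan with the options above also leaves a trace on the target once its firewall logs the packets it drops. The following check, added as an example and not part of the lecture, counts distinct destination ports per source over constructed iptables LOG lines (only the fields the check needs are kept); the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the lecture: find port scans in the lines an
# iptables LOG rule writes to the kernel log. A scan such as nmap -sS shows
# up as one SRC hitting many distinct DPT values; a normal client hits one or
# two. Only the fields this check needs are shown in the constructed sample.

# Constructed log lines (iptables LOG format, other fields omitted): .3 probes
# six ports, .2 only ever contacts SSH
SAMPLE_LOG='Mar  1 10:00:01 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  1 10:00:01 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  1 10:00:01 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  1 10:00:02 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  1 10:00:02 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40005 DPT=80 SYN
Mar  1 10:00:02 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.3 DST=192.163.0.1 PROTO=TCP SPT=40006 DPT=443 SYN
Mar  1 10:00:03 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.2 DST=192.163.0.1 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  1 10:00:09 vm kernel: IPT: IN=eth0 OUT= SRC=192.163.0.2 DST=192.163.0.1 PROTO=TCP SPT=51001 DPT=22 SYN'

# scan_sources THRESHOLD < log: prints "SRC count" for each source that hit
# at least THRESHOLD distinct destination ports
scan_sources() {
    awk -v thr="${1:-5}" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {            # fields are KEY=VALUE tokens
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next       # not a LOG line
        if (!((src, dpt) in hit)) { hit[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }'
}

# Prints "192.163.0.3 6" on the sample; .2 stays below the threshold
printf '%s\n' "$SAMPLE_LOG" | scan_sources 5
```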

SLIDE 22

Firewall

  • A set of related programs that protects the resources of a private network or a host from the external environment
  • A mechanism for filtering network packets based on information contained within the IP header

SLIDE 23

IPtables

3 default chains

  • INPUT: controls packets entering the interface (packets that end in this machine)
  • OUTPUT: controls packets leaving the interface (packets that originate from this machine)
  • FORWARD: controls packets being masqueraded, or routed through this machine to remote hosts

SLIDE 24

IPtables

  • iptables command [match] [target]
  • Command: -A, -I, -D, -F, -L
  • Match: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port]
  • Target: -j [ACCEPT/DROP/LOG…]
  • Example:
    – iptables -I INPUT -p ICMP -j DROP
    – iptables -I INPUT -p ICMP --icmp-type 0 -j ACCEPT
  • Our task: restrict all inbound traffic, except SSH requests on port 22. However, any outgoing requests should not be affected.
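One way to carry out the task, added here as an example rather than the lab's reference solution; it assumes the conntrack match is available and uses a dry-run variable so the rules can be reviewed before they are applied as root:

```shell
#!/bin/sh
# Added example, not from the lecture: one way to do the slide's task with
# iptables. Inbound: only new SSH (tcp/22), loopback, and replies to traffic
# this host started; outbound untouched. Run as root. Set IPT=echo to print
# the commands instead of applying them (dry run).
IPT="${IPT:-iptables}"

apply_rules() {
    $IPT -F INPUT                       # start from an empty INPUT chain
    $IPT -P INPUT DROP                  # default: drop anything not matched below
    $IPT -P OUTPUT ACCEPT               # outgoing requests are not affected
    $IPT -A INPUT -i lo -j ACCEPT       # local services talk over loopback
    # Answers to connections this host opened. Without this rule the DROP
    # policy would swallow the replies to every outgoing request.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The one service we expose: new SSH connections on port 22
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Log (rate-limited) whatever is about to be dropped; scans show up here
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT: "
}

# Apply only when asked explicitly: sh fw.sh apply
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Test the policy from a second VM before relying on it: an SSH connection must still be accepted, a ping or HTTP request from outside must time out, and a ping started from this host must still get its replies.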

SLIDE 25

Nessus

  • Remote vulnerability scanner
  • Nessus will
    – Perform over 900 security checks
    – Accept new plugins to expand to new checks
    – List security concerns and recommend actions to correct them

SLIDE 26

Nessus

  • Client/server architecture
    – Server: performs the checks
    – Client: front-end
  • Can test an unlimited number of hosts in each scan

[Figure: Nessus client talking to the Nessus server (nessusd), which scans the www, FTP, mail and VoIP hosts]

SLIDE 27

Nessus

SLIDE 28

Nessus

SLIDE 29

Bastille

  • Operating system hardening
    – Remove unnecessary processes
    – Set file permissions
    – Patch and update
    – Set network access controls
  • Generate your own hardening policy
  • Can be run manually to provide advice and information

SLIDE 30

Bastille

  • Assessment mode: bastille -a

SLIDE 31

Bastille

  • Configuration mode: bastille -x