Introduction to Vulnerability Assessment Labs - PowerPoint PPT Presentation

Slides: 33
Provided by: nic1162

Transcript and Presenter's Notes

1
Introduction to Vulnerability Assessment Labs
  • Ge Zhang
  • ge.zhang_at_kau.se
  • Dvg-C03

2
Schedule
  • 4 attacking methods:
      • Traffic sniffing
      • ARP spoofing
      • Password cracking
      • Port scanning
  • 1 defense method:
      • Firewall configuration
  • 2 vulnerability assessment tools:
      • Nessus
      • Bastille
  • Summarizing report on what was learned (1-2 pages)

3
Environment
  • 3 VM images (C:\VMware\valab-ht10\)
  • Windows, Fedora (angel), Fedora (devil)

4
Sniffing
  • Hub: a hub simply receives incoming packets and
    broadcasts them out to all devices on the
    network
  • Adapter promiscuous mode: an adapter in promiscuous
    mode receives all frames on the network, not just
    the frames addressed to that adapter

5
Wireshark
6
Wireshark
7
Sniffing practice
  • Surf with the browser on the host machine
  • Sniff the HTTP traffic using Wireshark on the VM

8
Hub vs. switch
  • Hub: Layer 1 (physical)
  • Switch: Layer 2 (data link)

9
ARP (Address Resolution Protocol)
  • MAC address (layer 2)
      • Globally unique
      • Unchangeable
  • IP address (layer 3)
      • Unique within the network
      • Changeable

10
ARP spoofing (cache poisoning) on switch
11
Preparation
  • ipconfig /all
  • Let me know the last number of your IP address
    and your MAC address
  • ping hostname -t

12
Cain
13
Cain
14
Cain
15
Password Cracking
  • Authentication:
      • Something you know
      • Something you have
      • Something you are
  • Passwords need to be transferred
  • Passwords need to be stored

16
Brute Force
  • Attempts all possible combinations of letters and
    numbers
  • Possible solutions:
      • Limit the number of unsuccessful logins
      • Change passwords often
      • Passwords should be at least 8 characters long

17
Dictionary
  • A type of brute force
  • Only tries possibilities that are likely to
    succeed
  • The lists are derived from a dictionary
  • Possible solutions:
      • Mix and match numbers, letters, upper and lower
        case
      • Avoid passwords based on dictionary words, letter
        or number sequences, usernames, or biographical
        information

18
John the ripper
  • Traditionally the account information is stored
    in the /etc/passwd file
  • The /etc/passwd file is world-readable
  • The shadow password system stores passwords in the
    file /etc/shadow, which is not world-readable
  • unshadow /etc/passwd /etc/shadow > tmp
  • less tmp (have a look)
  • john tmp
  • Then create your own account and password and run
    john again to see the result:
  • useradd <your account>
  • passwd <your account>

19
Port Scanning
  • Attackers wish to discover services they can
    break into.
  • Does the service exist?
  • Send a packet to each port, one at a time.
  • Based on the type of response, an attacker knows
    whether the port is in use.
  • The ports in use can be probed further for
    weaknesses.
  • Well-known ports: TCP 21, TCP 22, TCP 23, TCP 80

20
Nmap
  • -sT (TCP connect scan)
  • -sS (SYN scan)
  • -sU (UDP scan)
  • -sV (version detection)
  • -O (OS fingerprinting)
  • -T0 to -T5 (timing template, slowest to fastest)
  • -f (fragment packets)
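A scan like the one described on slide 19 shows up on the scanned host as one source hitting many different ports. The following is an added example, not part of the lab material: it counts distinct destination ports per source in the kernel log lines that an iptables LOG target writes (the LOG target is shown on slide 25) and flags sources above a threshold. The log lines are constructed and abbreviated; the "IPT-DROP: " prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from the slides): detect a port scan in iptables LOG output.
# A scanner probes many ports from one source, so we count distinct DPT values
# per SRC. The lines in sample_log are constructed, abbreviated kernel LOG lines;
# the awk below only relies on the SRC= and DPT= fields, which real lines carry.

sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41000 DPT=21 SYN
Mar 10 12:00:01 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41001 DPT=22 SYN
Mar 10 12:00:01 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41002 DPT=23 SYN
Mar 10 12:00:02 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41003 DPT=80 SYN
Mar 10 12:00:02 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41004 DPT=443 SYN
Mar 10 12:00:02 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP SPT=41005 DPT=443 SYN
Mar 10 12:00:03 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.7 PROTO=TCP SPT=50001 DPT=80 SYN
Mar 10 12:00:04 devil kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.7 PROTO=TCP SPT=50002 DPT=80 SYN
EOF
}

# detect_scans <logfile> <threshold>: prints "SRC distinct_ports" for every
# source that was seen hitting at least <threshold> distinct destination ports.
detect_scans() {
    awk -v thr="$2" '
        /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, so retries do not inflate it
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' "$1"
}
```

Run it on a real log with `detect_scans /var/log/messages 10`; a legitimate client that retries one port (10.0.0.9 above) is not flagged, while the source that walked five ports is.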

21
Nmap
22
Nmap
  • Zenmap: graphical interface

23
Firewall
  • A set of related programs that protects the
    resources of a private network or host from the
    external environment.
  • A mechanism for filtering network packets based
    on information contained in the IP header.

24
IPtables
  • 3 default chains:
      • INPUT: controls packets entering the
        interface (packets destined for this
        machine)
      • OUTPUT: controls packets leaving the
        interface (packets originating from this
        machine)
      • FORWARD: controls packets routed through
        this machine to remote hosts, including
        masqueraded packets

25
IPtables
  • iptables <command> <match> <target>
  • Command: -A (append), -I (insert), -D (delete),
    -F (flush), -L (list)
  • Match: -p protocol, -s source IP, -d
    destination IP, -i interface, --sport source
    port, --dport destination port
  • Target: -j ACCEPT/DROP/LOG
  • Examples:
      • iptables -I INPUT -p ICMP -j DROP
      • iptables -I INPUT -p ICMP --icmp-type 0 -j ACCEPT
  • Our task: restrict all inbound traffic, except
    SSH requests on port 22. However, any outgoing
    requests should not be affected.
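One ruleset that satisfies the task above, as an added example rather than the lab's own solution: the function prints the iptables commands so they can be reviewed before they run, and the rule order keeps an existing SSH session alive while the policy changes. The "IPT-DROP: " log prefix is an assumption.

```shell
#!/bin/sh
# Added example, not the lab's own solution: ruleset for the task on slide 25.
# Inbound: only new SSH connections (TCP/22) are accepted; the rest is logged
# and dropped. Outbound: untouched, and replies to our own requests come back in.
# Apply with:  ssh_only_rules | sudo sh

ssh_only_rules() {
    cat <<'EOF'
# outgoing requests must not be affected
iptables -P OUTPUT ACCEPT
# start from an empty INPUT chain (its policy is still ACCEPT at this point)
iptables -F INPUT
# loopback traffic is always fine
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host opened, i.e. the outgoing requests on the slide
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one inbound service we allow: new SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log whatever is about to be dropped, then make DROP the default; the policy
# goes last so a live SSH session is never cut off while the rules are incomplete
iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
iptables -P INPUT DROP
EOF
}

# count_rules: number of iptables commands in the ruleset
count_rules() {
    ssh_only_rules | grep -c '^iptables '
}

# allows_port <port>: succeeds if the ruleset accepts new TCP connections to <port>
allows_port() {
    ssh_only_rules | grep -q -- "-p tcp --dport $1 .*-j ACCEPT"
}
```

After applying, `iptables -L INPUT -n -v` shows the chain with packet counters, and dropped probes appear in the kernel log with the IPT-DROP prefix.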

26
Nessus
  • Remote vulnerability scanner
  • Nessus will:
      • Perform over 900 security checks
      • Accept new plugins to expand the set of checks
      • List security concerns and recommend actions to
        correct them

27
Nessus
  • Client/server architecture
      • Server: performs the checks
      • Client: front-end
  • Can test an unlimited number of hosts in each scan

28
Nessus
29
Nessus
30
Bastille
  • Operating system hardening:
      • Remove unnecessary processes
      • Set file permissions
      • Patch and update
      • Set network access controls
  • Generate your own hardening policy
  • Can be run manually to provide advice and
    information

31
Bastille
  • Assessment mode: bastille -a

32
Bastille
  • Configuration mode: bastille -x