CSCD 434
Lecture 9a, Spring 2012
Wardriving and Vulnerability Scanning
Introduction
• Wardriving
  – Reconnaissance technique used to locate wireless networks
  – Determine location, encryption used
  – Vulnerability to compromise
• Vulnerability scanning
  – Allows network administrators to test their networks for known vulnerabilities
  – Works closely with vulnerability databases
War Dialing
• What is War Dialing?
  – War dialing is the practice of dialing all the phone numbers in a range in order to find those that will answer with a modem
• Modems can still be the single biggest hole that an administrator may face
• Hope of finding anything interesting. Interesting items often include test tones, computers, Voice Mail Boxes (VMBs), Private Branch Exchanges (PBXs), and government offices and modems
War Dialing
• How to do it ...
  – War dialing one telephone number takes approximately 35 seconds. This means that war dialing a prefix of ten thousand numbers will take just over four days
  – Or, use a war dialing program, such as:
    • Warvox, from the Metasploit author: http://warvox.org/#Licensing
    • Iwar - Intelligent War Dialer for Linux: https://www.softwink.com/iwar/
Wardriving - Background
• Wi-Fi: Wireless Networks
  – Wireless access points provide a bridge to the Internet
• Wireless Network Attributes
  – Network access through thin air
  – Wireless networks often configured without any security
  – Commonly used Wi-Fi security protocols broken
  – Looking for wireless access points is fun!
    • You can potentially hack from the comfort of your car!!
Wardriving
• Goal
  – Locate WLANs and determine their
    • SSID
    • MAC address
    • Security (WEP, WPA, WPA2 etc.)
    • Signal strength and location (need GPS)
• Definition:
  – Service Set ID. SSID is the identifying name of a wireless network
    • SSID transmitted in clear text by access points and all wireless cards using the access points
Wardriving
• Wardriving
  – Who invented it?
  – Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
  – Website: http://www.dis.org/shipley/
  – How does it work?
    • 802.11 signals only valid for a short distance, so aren't we safe from war drivers? Is this true?
Wardriving
• Distances in 802.11
  – Normal ... signal travels 100 meters or less
  – War driving, don't need to send traffic, just detect the LAN
  – If using a high-gain antenna, researchers have shown signals can travel > 2 km or 1.2 miles
    • Km to miles - 1 km = .62 miles
  – When both ends have a high-gain antenna, signals can travel > 100 km or 62 miles!!!!
• High-gain antenna (HGA): an antenna with a focused, narrow radio-wave beam
  • Narrow beam allows more precise targeting of where the radio signal goes - also known as a directional antenna
Serious Wardriving rig!!
Wardriving
• Then, there's the fashion conscious
http://www.theinquirer.net/inquirer/news/1020852/kisses-renderman-brave-inq-snapperazzi
War Driving
• Techniques
  – Active Scanning
  – Passive Scanning
  – Forcing de-authentication
War Driving
• Active Scanning
  – Broadcast 802.11 probe packets with SSID of "any", check for access points in range
    • Like going outside and shouting, "Who's there?"
    • If the probe packet is specific for an SSID, only that network responds
    • A probe packet of "any" gets responses from all networks in range
    • Active, because the tool sends out packets
War Driving
  – Netstumbler is a free tool for doing active scanning: http://www.netstumbler.com
    • Has been a popular tool for active scanning of WLANs
    • Runs in Windows XP, not Windows 7 or Vista
  – iStumbler99
    • Similar program that runs on your iPhone: http://istumbler.net/
  – inSSIDer, an alternative to NetStumbler
    • Does work with Windows Vista, Windows 7, 64-bit PCs and Linux: http://www.metageek.net/products/inssider/
Netstumbler
• What does Netstumbler do?
  – Gathers MAC address,
  – SSIDs,
  – Wireless channels and relative signal strength of each access point
  – Tells if security is turned on, WEP
  – Coordinates with GPS system
    • Locates access points on a map
Netstumbler
War Driving Stats
• Statistics (Ed Skoudis)
  – Netstumbler
  – ORiNOCO antenna
  – Laptop
  – Taxi cab
  – in NY City
  – Result!!
    • One hour found 455 access points
War Driving Stats
http://www.theinquirer.net/inquirer/news/654/1045654/london-leads-wifi-access-points
• From survey by RSA, security firm, 2008
  – London still has more wireless network access points, 12,276, than
  – New York City, 9,227, or
  – Paris, 4,481
• How many are unsecured or lightly secured?
War Driving Stats
• Looked at access point security
  – New York: 97 % of corporate access points used encryption
    • Was 76 % in 2007
  – Paris: 94 % of corporate access points were encrypted, 72 % had WPA or more
  – London: 20 % of corporate APs unsecured, 48 % beyond WEP
San Francisco Wi-Fi’s
War Driving
• Defense Against Active Scanning
  – Configure access points to ignore probes with "any" set
  – Becomes invisible to Netstumbler
  – Active scanning alerts security people to attacker presence if monitoring
  – Improved method is Passive Scanning
War Driving
• Passive Scanning
  – Stealthier way of discovering WLANs
  – Puts wireless card into rfmon mode
    • Monitor Mode
    • Able to sniff all wireless traffic from the air
  – All APs periodically transmit beacons to announce their presence, every 1/10th of a second; beacons contain important network information, especially the SSID
  – Tools listen for beacons to discover wireless networks
  – Don't send data ... is a passive scanning technique
War Driving
• Passive Scanning
  – Kismet - by Mike Kershaw
    • Does detailed packet capture and analysis
    • Linux, but can run it in cygwin for Windows
    • http://www.kismetwireless.net
  – Wellenreiter - by Max Moser
    • Optimized for war-driving
    • http://www.remote-exploit.org
    • Runs on Linux and supports prism2, lucent, and cisco wireless card types
War Driving
• Passive Scanning
  – rfmon allows a machine to view all packets within range from multiple WLANs
  – Doesn't associate with any of them!!!
  – Intercepts beacons and extracts SSIDs from them
  – SSIDs sent in clear text!
War Driving
• Passive Scanning
  – After discovering a wireless AP or client, gains SSID
    • Listens then for ARP or DHCP traffic to determine MAC and IP of each discovered wireless device
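An added example (not from the lecture, and not code from NetStumbler or Kismet) that works through both discovery techniques above from the monitoring side: it parses raw 802.11 beacons the way a passive scanner does, classifying each access point as open, WEP, WPA or WPA2 from the capability field and information elements and noting hidden SSIDs, and it flags the empty-SSID "any" probe request that an active scanner sends, which is what a wireless monitor would alert on. The frame layout follows the 802.11 standard; the two sample frames, the SSID and the MAC addresses are constructed.

```python
import struct

# IEEE 802.11 management-frame constants (from the standard, not from the slides)
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON, CAP_PRIVACY = 4, 8, 0x0010   # 0x0010: AP requires WEP/WPA/WPA2
EID_SSID, EID_DS_PARAM, EID_RSN, EID_VENDOR = 0, 3, 48, 221     # information element IDs
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"                               # vendor element marking WPA (v1)

def parse_ies(body):
    """Walk the (id, length, value) information elements at the end of a frame."""
    ies = {}
    while len(body) >= 2:
        eid, ln = body[0], body[1]
        ies.setdefault(eid, []).append(body[2:2 + ln])
        body = body[2 + ln:]
    return ies

def parse_mgmt(frame):
    """Classify one raw beacon or probe request; returns None for any other frame."""
    if len(frame) < 24 or frame[0] & 0x0C:        # type bits must be 00 = management
        return None
    subtype, src = frame[0] >> 4, frame[10:16].hex(":")   # addr2 = transmitter
    if subtype == SUBTYPE_PROBE_REQ:              # no fixed fields: elements follow the header
        ssid = parse_ies(frame[24:]).get(EID_SSID, [b""])[0]
        return {"kind": "probe_req", "src": src, "ssid": ssid.decode(errors="replace"),
                "wildcard": ssid == b""}          # empty SSID = "any": the active-scan signature
    if subtype != SUBTYPE_BEACON or len(frame) < 36:
        return None
    cap = struct.unpack_from("<H", frame, 34)[0]  # capability after 8-byte timestamp + 2-byte interval
    ies = parse_ies(frame[36:])
    ssid = ies.get(EID_SSID, [b""])[0]
    wpa = any(v.startswith(WPA_OUI_TYPE) for v in ies.get(EID_VENDOR, []))
    security = ("open" if not cap & CAP_PRIVACY else "WPA2" if EID_RSN in ies
                else "WPA" if wpa else "WEP")     # privacy bit set but no WPA/RSN element = WEP
    return {"kind": "beacon", "src": src, "ssid": ssid.decode(errors="replace"),
            "hidden": ssid == b"", "channel": ies.get(EID_DS_PARAM, [b"\0"])[0][0],
            "security": security}

def mgmt_frame(subtype, src, body):
    """Constructed management frame: frame control, duration, addr1-3, sequence control, body."""
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src * 2 + b"\x00\x00" + body

def ie(eid, value):
    return bytes([eid, len(value)]) + value

# Constructed samples: a WEP access point's beacon and a NetStumbler-style "any" probe request
AP = b"\x00\x11\x22\x33\x44\x55"
WEP_BEACON = mgmt_frame(SUBTYPE_BEACON, AP, struct.pack("<QHH", 0, 100, CAP_PRIVACY)
                        + ie(EID_SSID, b"lab-ap") + ie(EID_DS_PARAM, b"\x06"))
ANY_PROBE = mgmt_frame(SUBTYPE_PROBE_REQ, b"\xaa\xbb\xcc\xdd\xee\xff", ie(EID_SSID, b""))
```

Feeding captured frames from a card in rfmon mode through parse_mgmt gives the SSID, channel and security inventory a wardriving tool builds, plus the wildcard-probe events a defender watches for.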
Defenses to War Driving
• Can set AP to omit SSID from beacon packet
  – Not broadcasting name to the world!
• Set up stronger authentication to APs
  – MAC address is not a great form of authentication
  – MAC addresses can be easily reset to anything in Linux or Unix:
    $ ifconfig eth0 hw ether mymacaddress
    • Windows a bit harder
  – Use strong authentication with 802.11i, not WEP
Defenses to War Driving
• Recommend use of Virtual Private Networks
  – VPNs use encryption
  – Help prevent sniffing of traffic
  – VPNs typically deployed across the Internet to connect clients securely to corporate networks
  – Yet, can serve a similar purpose for wireless networks in home or corporate environments
War Driving
http://www.wardrive.net/wardriving/faq
• Is it illegal to war drive?
  • Legality of wardriving hasn't been tested, but few people think that wardriving itself is illegal.
• What is illegal is connecting to and using networks without the network owner's permission
  – Which is what most people call "breaking into a network"
• Wardriving has taken some hits by the press because network crackers will sometimes use wardriving tools to locate networks to break into.
War Driving
• Staying within legal bounds
  – Adhere to a relatively strict code of ethics:
    • Don't look.
    • Don't touch.
    • Don't play through.
  – In other words, 1) don't examine the contents of a network; 2) don't add, delete, or change anything on the network, and 3) don't even use the network's Internet connection for Web surfing, email, chat, FTP, or anything else.
    • Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it
Resources
• URLs - Wireless
  http://www.wardrive.com
  http://wardrive.net
  http://www.netstumbler.net
  http://www.remote-exploit.org
  http://www.kismetwireless.net
  http://sourceforge.net/projects/airjack
• T-shirt - "Wardriving is not a crime"
  http://www.hackerstickers.com/products/wardriving-t-shirt.shtml
• Books
  http://www.amazon.com/gp/product/0764597302
Vulnerability Assessment
Vulnerability Assessment
• All OS platforms have vulnerabilities
  – Windows, Unix/Linux and yes, Mac too!
  – OS drivers and utilities have vulnerabilities
  – Applications that run on OS platforms have vulnerabilities
  – These "holes" into your network and systems are beyond the network protocol vulnerabilities
  – Lots of software vulnerabilities and some system-level vulnerabilities such as weak password policies
Definitions
• What is a computer system vulnerability? A vulnerability is
  • a software flaw,
  • a configuration error, or series of errors
  • that allows access or exposes data to attackers or users that are not authorized
  – Vulnerabilities may result from
    • Bugs in application code or design flaws in the system
  – A vulnerability could be
    • Hypothetical, or
    • Have a known associated exploit
Vulnerabilities
• Who discovers them?
  • Humans discover them:
    • Hacker groups
    • Security companies, or
    • "Researchers"
  – Discover a specific way to violate the security of a software product
  – Discovery may be accidental or through directed research
  – Vulnerability is then released to the security community
Release of Vulnerabilities
• Both security researchers and hackers publish vulnerabilities
• Publishing vulnerabilities is controversial
• Question ....
  • What are the pros and cons of alerting the world to vulnerabilities?
More Definitions
• What is an exploit?
  – Piece of software, or sequence of commands, that takes advantage
  – Of a bug, glitch or vulnerability to get unintended or unanticipated behavior out of computer software, hardware, or other electronic devices
  – Frequently includes
    • Gaining control of a computer system
    • Allowing privilege escalation
    • Denial of service attack
Examples of Exploits
• Trojan horse Phel -- an anagram of the word help -- attacks Windows XP
• Trojan capable of remotely controlling a user's system even if the latest Windows XP Service Pack has been installed
• Trojan horse, distributed as an HTML file
  – Attempts to exploit vulnerability in Internet Explorer's HTML Help Control component in all versions of Windows … 2004
Scanning
• Vulnerability Scanning
  – Next stage in information gathering
    • At this stage, want to identify specific vulnerabilities on target systems so that the attacker can run an exploit against them to gain access
  – Can automate the process of checking a system for known vulnerabilities
    • Maybe hundreds of vulnerabilities in a given year
    • What are the chances they all got patched?
Vulnerability Scanners
• 1992 - First one
  • Internet Security Scanner (ISS)
• 1995
  • SATAN - Security Admin Tool for Analyzing Networks
  • Dan Farmer and Wietse Venema
  • Wider checks
• 1998
  • Nessus - was open source, built on their ideas
  • Still one of the most popular, home use still free
  • Now charge for its use!
• 2008
  • OpenVAS was initially named GNessUs as a fork of the Nessus security scanner
Scanning
• Vulnerability Scanning
  – Looks for several types of vulnerabilities
    • Configuration errors
    • Default configuration weaknesses
    • Well-known system vulnerabilities
  – Number of scanners available
    • Some are free
    • Some cost a lot of money
    • Some of the most popular vulnerability scanners are free
Scanning
• Vulnerability Scanners
  • Retina http://www.eeye.com
  • IBM ISS Internet Scanner http://www.iss.net
  • Nessus http://www.nessus.org/
  • GFI LANguard Network Security Scanner http://www.gfi.com/lannetscan
Scanning Nessus
• Nessus
  • Flexible - can write your own vulnerability checks
  • Called plugins, has its own scripting language
  • Source code supplied
  • Lots of developers - to enhance functionality
  • Free for home use; corporate use now costs money
  • Uses the Common Vulnerabilities and Exposures database
  • Allows Nessus to cross-reference with other tools that are CVE compliant
Scanning Nessus
• Nessus
  • Runs on Linux, Unix and Windows
  • Nessus doesn't use a large database of vulnerabilities that gets updated
  • It uses the Nessus Attack Scripting Language (NASL)
  • Allows people to write their own scripts, plug-ins
    – It provides a plug-in interface
  • Many free plug-ins are available from http://www.nessus.org/plugins/index.php?view=all
    » Plug-ins specific to detecting a common virus or vulnerability
    » Like a virus signature
Scanners Nessus
• Example Nessus Plugins - Backdoor Plugins
  – Zotob Worm
  – IRC bot detection
  – SMTP server on a strange port
  – Kibuv worm detection
  – TFTP backdoor
  – Xerox MicroServer Unauthorized Access Vulnerabilities
  – Port TCP:0
  – XAMPP Default FTP Account
  – Default web account on Zyxel
  – Bofra Virus Detection
  – MoonLit Virus Backdoor
Scanning With Nessus
• Nessus
  – What vulnerabilities can it discover?
    • A few of the common ones include
      – Finger - often misconfigured
      – Windows vulnerabilities - many of them
      – CGI problems - scripts often have vulnerabilities
      – RPC - remote procedure call program
      – Firewalls - misconfigured
      – FTP - has had a lot of vulnerabilities
        » Looks for unpatched FTP implementations
      – Can just look at the plug-ins list for a sample
Scanning With Nessus
• Nessus
  – Has a client/server architecture
  – Can run it from a server and allow many clients
  – Or, can run the client and server on one machine
  – From GUI interface
    • Can decide which vulnerability checks to run
    • Can target one machine or an entire network
    • Decide on encryption algorithm for client/server communication
Nessus
Configure with Respect to Plugin
Scanning With Nessus
• Nessus
  – Each vulnerability is ranked with respect to risk
    • Low, medium and high
    • Should interpret the risk results only in view of your own system
    • Same vulnerability may not be high risk for you
  – Recommendations are made for fixing the vulnerability
Nessus Reports
Reporting Screen
OpenVAS vs. Nessus
• As Nessus became commercialized, OpenVAS became the open source version
• OpenVAS was initially named GNessUs as a fork of the Nessus security scanner to allow future free development of the now-proprietary tool
• OpenVAS was originally proposed by pentesters at Portcullis Computer Security ... around 2005
• OpenVAS is actively being developed and supported
http://www.openvas.org/
Lab on OpenVas Coming Up
Vulnerability Databases and Information
National Vulnerability Database
• NVD, comprehensive cyber security vulnerability database
  – Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
  – Based on and synchronized with the CVE vulnerability naming standard
    • NVD is the CVE standard augmented with additional analysis, a database, and a fine-grained search engine. NVD is a superset of CVE
    • NVD is synchronized with CVE such that any updates to CVE appear immediately on NVD
http://nvd.nist.gov/
Common Vulnerabilities and Exposures (CVE)
• A list of standardized names for vulnerabilities and other information security exposures (CVE)
  – CVE standardizes names for all publicly known vulnerabilities and security exposures and is a community-wide effort
  – Content of CVE is a collaborative effort of the CVE Editorial Board
    • Includes representatives from over 20 security-related organizations
    • Security tool vendors, academic institutions, and government
  – MITRE Corporation maintains CVE and moderates Editorial Board discussions.
• CVE, http://cve.mitre.org
Common Vulnerabilities and Exposures
• Example CVE Entries
  – CVE-1999-0002: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
  – CVE-1999-0003: Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)
  – CVE-1999-0005: Arbitrary command execution via IMAP buffer overflow in authenticate command.
Scanners
• What should you do with a vulnerability scanner?
  – Run it against your own systems
  – Do this before an attacker does
  – Look at the results
  – Fix reported vulnerabilities if they are a problem for your site
Summary of Techniques
• So far ...
  – To attack a specific system - not a widespread worm or virus attack
  – Attackers must do a lot of work
    • Reconnaissance - gather information
      – Dumpster diving
      – Whois database
      – DNS queries, physical access
    • IP Scanning
      – Identify hosts, services and operating systems
      – Host and port scanning, stack fingerprinting
      – Vulnerability scanning is the last stage of the scanning phase
• Next phase is attack
The End
Lab this Week: OpenVas Vulnerability Scanning
See Lab page for reading on OpenVas