CSCD 434/539
Lecture 9, Spring 2014
Wardriving and Vulnerability Scanning
Reconnaissance and Scanning Combined
• Today we discuss two separate topics: wardriving and vulnerability scanning
• Both are about finding networks and discovering either the absence of security or the presence of vulnerabilities that can be exploited
• Wardriving is more of a fun pastime
• Vulnerability scanning is, and should be, part of your security program
Introduction
• Wardriving
– Reconnaissance technique used to locate wireless networks
– Determine location and encryption used
– Assess vulnerability to compromise
• Vulnerability scanning
– Allows network administrators to test their networks for known vulnerabilities
– Works closely with vulnerability databases
Wardriving - Background
• Wi-Fi: wireless networks
– Wireless access points provide a bridge to the Internet
• Problems:
– Network access through thin air
– Wireless networks often configured without any security
– Commonly used Wi-Fi security protocols have been broken
– Looking for wireless access points is fun!
• You can potentially hack from the comfort of your car!!
– Using them is… illegal? Immoral?
Wardriving
• Goal
– Locate WLANs and determine their SSIDs
• Definition:
– Service Set ID. The SSID is the identifying name of a wireless network. Strictly, it names the service set an access point advertises; the access point itself is identified by its BSSID, which is its MAC address
– It allows one wireless network to be clearly distinguishable from another
• The SSID is transmitted in clear text by access points (in beacons and probe responses) and by all wireless cards using those access points (in probe and association requests)
Wardriving
• Wardriving: who invented it?
– Invented by Peter Shipley in 2001, when he drove around Silicon Valley and found hundreds of access points
– Website: http://www.dis.org/shipley/
• Why does it work?
– 802.11 signals are only valid for a short distance, so aren't we safe from wardrivers? Is this true?
What Other Technique Was Wardriving Based Upon? War Dialing
• A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem
• The program automatically dials a defined range of phone numbers, logs the ones that successfully connect to a modem and enters them in a database
• What movie made this famous?
Wardriving
• Distances in 802.11
– Normal: signal travels 100 meters or less
– For wardriving you don't need to send traffic, just detect the LAN
– Using a high-gain antenna on one end, researchers have shown signals can be received from more than 2 km (1.2 miles)
• Km to miles: 1 km = 0.62 miles
– When both ends have a high-gain antenna, signals can travel more than 100 km (62 miles)!!!!
• High-gain antenna (HGA): an antenna with a focused, narrow radio-wave beam
• The narrow beam allows more precise targeting of where the radio signal goes; also known as a directional antenna
Serious wardriving rig!!
Wardriving
• Then, there's the fashion conscious
http://www.theinquirer.net/inquirer/news/1020852/kisses-renderman-brave-inq-snapperazzi
Wardriving
• Techniques
– Active scanning
– Passive scanning
– Forcing de-authentication
• A set of tools for doing some of these things is listed here:
– http://etutorials.org/Networking/Wireless+lan+security/Appendix+A.+Resources+and+References/General+Tools/
Wardriving
• Active scanning
– Broadcast 802.11 probe request frames with an SSID of "any" (a broadcast probe) and check which access points in range answer with a probe response
• Like going outside and shouting, "Who's there?"
– NetStumbler is a free, older tool for active scanning: http://www.netstumbler.com
• Once the most popular tool for actively scanning WLANs
• Runs on Windows XP, not on Windows Vista or Windows 7
• inSSIDer is a newer alternative to NetStumbler
• Works with Windows Vista, Windows 7 and 64-bit PCs, and there is a Linux version: http://www.metageek.net/products/inssider/
NetStumbler
• What does NetStumbler do?
– Gathers the MAC address (BSSID), SSID, wireless channel and relative signal strength of each access point
– Tells whether encryption is turned on (it reads the privacy bit from the beacon and labels it WEP; it does not reliably distinguish WEP from WPA/WPA2)
– Coordinates with a GPS receiver
• Locates access points on a map
NetStumbler (screenshot)
Wardriving Stats
• Statistics (Ed Skoudis)
– NetStumbler, ORiNOCO antenna, laptop, taxi cab in New York City
– Result!! One hour found 455 access points
Wardriving Stats
http://www.theinquirer.net/inquirer/news/654/1045654/london-leads-wifi-access-points
• From a 2008 survey by RSA, the security firm
– London had more wireless access points (12,276) than New York City (9,227) or Paris (4,481)
– Wardriving for unsecured Wi-Fi access points has replaced war dialing for unprotected dial-in modems as the preferred attack mode of network intruders
Wardriving Stats
• Looked at access point security
– New York: 97 % of corporate access points used encryption (was 76 % in 2007)
– Paris: 94 % of corporate access points were encrypted; 72 % had WPA or better
– London: 20 % of corporate APs were unsecured; 48 % were beyond WEP
San Francisco Wi-Fi map, 2001 (map slide)
Wardriving
• Defense against active scanning
– Configure access points to ignore probes with the SSID set to "any"
– The AP then becomes invisible to NetStumbler
– Active scanning alerts security people to the attacker's presence, if they are monitoring
– The improved method is passive scanning
Wardriving
• Passive scanning
– Stealthier way of discovering WLANs: nothing is transmitted
– Puts the wireless card into rfmon (monitor) mode
• The 802.11 counterpart of Ethernet promiscuous mode, but it goes further: the card delivers raw 802.11 frames, management frames included, without associating to any network
– Sniffs all wireless traffic out of the air
– Allows a machine to see all traffic in range, not just traffic destined for that machine
Wardriving
• Passive scanning
– Kismet, by Mike Kershaw
• Does detailed packet capture and analysis
• Linux, but can run under Cygwin on Windows
• http://www.kismetwireless.net
– Wellenreiter, by Max Moser
• Optimized for wardriving
• http://www.remote-exploit.org
• Runs on Linux and supports Prism2, Lucent and Cisco wireless card types
Wardriving
• Passive scanning
– The wireless interface must support rfmon (monitor) mode, the wireless counterpart of promiscuous mode
– rfmon allows a machine to view all frames within range from multiple WLANs
– It doesn't associate with any of them
– It intercepts beacons and extracts SSIDs from them
– SSIDs are sent in clear text!
Wardriving
• Passive scanning
– After discovering a wireless AP or client, gains the SSID
• Then listens for ARP or DHCP traffic to determine the MAC and IP address of each discovered wireless device
Wardriving
• Drawback of Wellenreiter
– If the access point is configured to omit its SSID from its beacons and no other users are sending traffic to the access point, it won't be able to determine the SSID
– It will know the access point is there, but not its name
– Thus, another way to get SSIDs from a WLAN is to force clients to send traffic …
Wardriving
• De-authentication
– ESSID-Jack is a tool that is part of the AirJack toolkit
• If the WLAN ignores probes with an SSID of "any", omits the SSID from beacons, and no active traffic is going to it, what do you do?
• Use de-authentication!
• Assume there are clients who have previously been authenticated to the access point
Wardriving
• Steps to de-authenticate and get the SSID
1. Attacker sends a wireless de-authentication frame to the broadcast address of the LAN, spoofing the MAC address of the access point (AP). The AP's MAC address was previously grabbed from management frames using Kismet or Wellenreiter
2. The client accepts the de-authentication frame as coming from the access point. Result: the client disconnects from the WLAN
3. The client then tries to re-associate with the WLAN by sending an association request with the SSID in clear text
4. The attacker sniffs for the association frame and gets the SSID
(Diagram: disassociation and rogue AP; the attacker sniffs the association frame for the SSID)
Wardriving
• De-authentication: why it works
– Wireless clients accept 802.11 management frames without any authentication!!!
– The client believes the attacker is the AP
– The attacker can force a client off the WLAN by merely spoofing the AP's MAC address
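Passive scanning and the de-authentication trick, carried through on raw 802.11 management frames. This is an added example written for this page, not code from Kismet, Wellenreiter or AirJack. It builds the frames a monitor-mode card would capture (a beacon from a hidden-SSID access point, the attacker's spoofed de-authentication frame, and the client's re-association request) and runs a Kismet-style bookkeeper over them; the MAC addresses and the SSID are constructed, and nothing is transmitted. What it shows: the beacon carries the privacy bit and channel but a zero-length SSID, the deauth frame contains nothing a pre-802.11w client could check, and the SSID falls out of the association request that follows.

```python
"""Passive scan + de-authentication on raw 802.11 management frames (added example).
Constructed frames stand in for a monitor-mode capture; nothing is sent on the air."""
import struct

# Management-frame subtypes from the 802.11 frame-control field
SUBTYPE_ASSOC_REQ, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0x0, 0x8, 0xC
# Tagged-parameter element IDs
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3
CAP_PRIVACY = 0x0010          # capability bit: encryption (WEP/WPA) enabled
BROADCAST = b"\xff" * 6
RATES_1_2_5_11 = bytes([0x82, 0x84, 0x8B, 0x96])

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mgmt_header(subtype, addr1, addr2, addr3, seq=0):
    """24-byte 802.11 MAC header for a management frame (type 0): FC, duration, 3 addresses, seq."""
    frame_control = bytes([(subtype << 4) | (0 << 2), 0])
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)

def tagged(tag, value):
    return bytes([tag, len(value)]) + value

def parse_tags(blob):
    tags, i = {}, 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        tags[tag] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return tags

def parse_mgmt(frame):
    """Split a management frame into (subtype, addr1, addr2, addr3, body)."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not an 802.11 management frame")
    return frame[0] >> 4, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def beacon(bssid, ssid, channel, privacy, hidden=False):
    """AP beacon. A 'hidden' SSID is nothing more than a zero-length SSID element."""
    capabilities = 0x0001 | (CAP_PRIVACY if privacy else 0)        # ESS bit + privacy bit
    body = struct.pack("<QHH", 0, 100, capabilities)               # timestamp, interval (TU), capabilities
    body += tagged(TAG_SSID, b"" if hidden else ssid)
    body += tagged(TAG_RATES, RATES_1_2_5_11)
    body += tagged(TAG_DS_PARAMS, bytes([channel]))
    return mgmt_header(SUBTYPE_BEACON, BROADCAST, bssid, bssid) + body

def assoc_request(client, bssid, ssid):
    """Client (re)association request: the SSID element travels in the clear."""
    body = struct.pack("<HH", 0x0001, 10) + tagged(TAG_SSID, ssid) + tagged(TAG_RATES, RATES_1_2_5_11)
    return mgmt_header(SUBTYPE_ASSOC_REQ, bssid, client, bssid) + body

def deauth(spoofed_bssid, target=BROADCAST, reason=7):
    """Deauthentication frame as ESSID-Jack would send it: addr2/addr3 claim to be the AP.
    Reason 7 = 'class 3 frame received from non-associated station'. Without 802.11w
    there is nothing in this frame a client can verify, which is why it is obeyed."""
    return mgmt_header(SUBTYPE_DEAUTH, target, spoofed_bssid, spoofed_bssid) + struct.pack("<H", reason)

def passive_scan(frames):
    """Kismet-style bookkeeping over captured management frames: one record per BSSID."""
    networks = {}
    def record(bssid):
        return networks.setdefault(mac_str(bssid),
                                   {"ssid": None, "channel": None, "privacy": None, "clients": set()})
    for frame in frames:
        subtype, addr1, addr2, addr3, body = parse_mgmt(frame)
        if subtype == SUBTYPE_BEACON:
            _ts, _interval, capabilities = struct.unpack_from("<QHH", body)
            tags = parse_tags(body[12:])
            net = record(addr3)
            net["privacy"] = bool(capabilities & CAP_PRIVACY)
            if TAG_DS_PARAMS in tags:
                net["channel"] = tags[TAG_DS_PARAMS][0]
            if tags.get(TAG_SSID):                         # empty element => hidden; leave None
                net["ssid"] = tags[TAG_SSID].decode("utf-8", "replace")
        elif subtype == SUBTYPE_ASSOC_REQ:
            tags = parse_tags(body[4:])                    # skip capabilities + listen interval
            net = record(addr3)
            net["ssid"] = tags[TAG_SSID].decode("utf-8", "replace")
            net["clients"].add(mac_str(addr2))
        # deauth and other subtypes carry no SSID; ignored here
    return networks

def demo():
    """Constructed capture: hidden-SSID AP, spoofed deauth, client re-associates and leaks the SSID."""
    ap = bytes.fromhex("020000aabbcc")          # locally administered MACs, constructed for the example
    client = bytes.fromhex("020000112233")
    capture = [beacon(ap, b"corp-wifi", 6, privacy=True, hidden=True)]
    before = passive_scan(capture)
    attack_frame = deauth(ap)                   # the attacker claims to be the AP
    capture.append(assoc_request(client, ap, b"corp-wifi"))   # the client's reaction
    after = passive_scan(capture)
    return before, attack_frame, after

if __name__ == "__main__":
    before, frame, after = demo()
    print("from beacons only:", before)
    print("spoofed deauth   :", frame.hex())
    print("after re-assoc   :", after)
```

Before the deauth, the scanner knows the BSSID, channel 6 and that encryption is on, but the SSID is still unknown; after the client re-associates it has both the SSID and the client's MAC. With 802.11w management frame protection enabled the client drops the unauthenticated deauth frame and the trick stops working.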
Defenses to Wardriving
• Can set the AP to omit the SSID from beacon frames
– Not broadcasting the name to the world! (but, as shown above, any client that associates still sends it in the clear)
• Set up stronger authentication to APs
– A MAC address is not a good form of authentication
– MAC addresses can easily be reset to anything in Linux or Unix:
• ifconfig eth0 hw ether mymacaddress
• Windows is a bit harder
– Use strong authentication with 802.11i (WPA2), not WEP
• Management frame protection (802.11w) authenticates de-authentication and disassociation frames, so a spoofed deauth is discarded by clients that support it
Defenses to Wardriving
• Recommend the use of Virtual Private Networks
– VPNs use encryption
– Help prevent sniffing of traffic
– VPNs are typically deployed across the Internet to connect clients securely to corporate networks
– Yet they can serve a similar purpose for wireless networks in home and corporate environments
Wardriving
http://www.wardrive.net/wardriving/faq
• Is it illegal to wardrive?
• The legality of wardriving hasn't been absolutely tested, but few people think that wardriving itself is illegal
• What is illegal is connecting to and using networks without the network owner's permission
– Which is what most people call "breaking into a network"
• Wardriving has taken some hits in the press because network crackers will sometimes use wardriving tools to locate networks to break into
Wardriving
• Staying within legal bounds
– Adhere to a relatively strict code of ethics:
• Don't look.
• Don't touch.
• Don't play through.
– In other words:
1) Don't examine the contents of a network;
2) Don't add, delete, or change anything on the network; and
3) Don't use the network's Internet connection for web surfing, email, chat, FTP, or anything else.
• Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it
Resources
• Wireless URLs
– http://www.wardrive.com
– http://wardrive.net
– http://www.netstumbler.net
– http://www.remote-exploit.org
– http://www.kismetwireless.net
– http://sourceforge.net/projects/airjack
• T-shirt, "Wardriving is not a crime": http://www.staticusers.net/wardrivingisnotacrime/
• Books: http://www.amazon.com/gp/product/0764597302
Vulnerability Assessment
• All OS platforms have vulnerabilities
– Windows, Unix/Linux and yes, Mac too!
– OS drivers and utilities have vulnerabilities
– Applications that run on OS platforms have vulnerabilities
– These "holes" into your network and systems are beyond the network protocol vulnerabilities
– Lots of software vulnerabilities and some system-level vulnerabilities, such as weak password policies
Definitions
• What is a computer system vulnerability?
– A vulnerability is a software flaw, configuration error, or series of errors that allows access or exposes data to attackers or users who are not authorized
– Vulnerabilities may result from bugs in application code or design flaws in the system
– A vulnerability could be hypothetical, or could have a known associated exploit
Vulnerabilities
• Who discovers them?
– Humans discover them: hacker groups, security companies or researchers
– Someone discovers a specific way to violate the security of a software product
– Discovery may be accidental or through directed research
– The vulnerability, in various levels of detail, is then released to the security community
Can you say holes?
Release of Vulnerabilities
• Both security researchers and hackers publish vulnerabilities.
• Publishing vulnerabilities is controversial.
• Are there pros and cons of alerting the world to vulnerabilities?
More Definitions
• What is an exploit?
– A piece of software, or sequence of commands, that takes advantage of a bug, glitch or vulnerability to get unintended or unanticipated behavior out of computer software, hardware, or other electronic devices
– Frequently includes:
• Gaining control of a computer system
• Privilege escalation
• Denial of service
Examples of Exploits
• Trojan horse Phel (an anagram of the word "help") that attacked Windows XP
• The Trojan was capable of remotely controlling a user's system even with the latest Windows XP Service Pack installed
• Distributed as an HTML file
– Attempted to exploit a vulnerability in Internet Explorer's HTML Help Control component in all versions of Windows (2004)
Scanning
• Vulnerability scanning: the next stage in information gathering
– At this stage the attacker wants to identify specific vulnerabilities on target systems so that an exploit can be run against them to gain access. Also used by system administrators
– Can automate the process of checking a system for known vulnerabilities
• Maybe hundreds of vulnerabilities in a given year
• What are the chances they didn't all get patched?
Vulnerability Scanners: History
• 1992: the first one
– Internet Security Scanner (ISS)
• 1995
– SATAN, Security Administrator Tool for Analyzing Networks
– Dan Farmer and Wietse Venema
– Wider set of checks
• 1998
– Nessus. Was open source, built on their ideas
– Still one of the most popular; home use is still free
Scanning
• Vulnerability scanning looks for several types of vulnerabilities
– Configuration errors
– Default configuration weaknesses
– Well-known system vulnerabilities
• A number of scanners are available
– Some are free
– Some cost a lot of money
– Some of the most popular vulnerability scanners are free
Scanning
• Vulnerability scanners
– Retina: http://www.eeye.com
– IBM ISS Internet Scanner: http://www.iss.net
– Nessus: http://www.nessus.org/
– GFI LANguard Network Security Scanner: http://www.gfi.com/lannetscan
Scanning: Nessus
• Flexible: you can write your own vulnerability checks
– Called plugins; Nessus has its own scripting language for them
– Plugin source code is supplied
– Lots of developers enhance its functionality
– Free for home use; corporate use costs!!
– CVE (Common Vulnerabilities and Exposures) identifiers are built into the product
• Allows Nessus results to be cross-referenced with other tools that are CVE compliant
Scanning: Nessus
• Runs on Linux, Unix and Windows
• Nessus does not work from one monolithic database of vulnerability records
– Each check is a plugin written in the Nessus Attack Scripting Language (NASL), and it is the plugin set that gets updated
– Allows people to write their own scripts and plugins through the plugin interface
• Many free plugins are available from http://www.nessus.org/plugins/index.php?view=all
– Plugins are specific to detecting one vulnerability or one piece of malware
– Like a virus signature
Scanners: Nessus
• Example Nessus plugins: backdoor plugins
– Zotob worm
– IRC bot detection
– SMTP server on a strange port
– Kibuv worm detection
– TFTP backdoor
– Xerox MicroServer unauthorized access vulnerabilities
– Port TCP:0
– XAMPP default FTP account
– Default web account on Zyxel
– Bofra virus detection
– MoonLit virus backdoor
Scanning with Nessus
• What vulnerabilities can it discover? A few of the common ones include:
– Finger: often misconfigured
– Windows vulnerabilities: many of them
– CGI problems: scripts often have vulnerabilities
– RPC: remote procedure call programs
– Firewalls: misconfigured
– FTP: has had a lot of vulnerabilities; looks for unpatched FTP implementations
– Just look at the plugin list for a sample
Scanning with Nessus
• Nessus has a client/server architecture
– Can run it from a server and allow many clients
– Or can run the client and server on one machine
• From the GUI interface:
– Decide which vulnerability checks to run
– Target one machine or an entire network
– Decide on the encryption algorithm for client/server communication
Nessus: configure with respect to plugin (screenshot)
Scanning with Nessus
• Each vulnerability is ranked with respect to risk
– Low, medium and high
– Interpret the risk results only in view of your own system
– The same vulnerability may not be high risk for you
• Recommendations are then made for fixing the vulnerability
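A toy plugin-driven scanner in the NASL spirit, added here to make the last several slides concrete (how a check becomes a plugin, how plugins report against a host, and how the risk level is re-read in view of your own site). It is example code written for this page, not Nessus or any NASL plugin. The host record is a constructed stand-in for what port scanning and banner grabbing would have produced (the checks do not touch the network), the four checks are modelled on plugin types the slides name (finger, SMTP on a strange port, anonymous FTP, TFTP), and the default risk levels and the site-policy overrides are assumptions for illustration.

```python
"""Minimal plugin-driven vulnerability scanner in the Nessus/NASL style (added example).
The host record is constructed; real plugins would probe the target themselves."""
from dataclasses import dataclass

RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Finding:
    plugin: str
    port: int
    risk: str
    summary: str
    fix: str          # the recommendation that accompanies each result

PLUGINS = []

def plugin(name, default_risk):
    """Register a check. A check takes the host record and returns (port, summary, fix) tuples."""
    def register(fn):
        fn.plugin_name, fn.default_risk = name, default_risk
        PLUGINS.append(fn)
        return fn
    return register

@plugin("finger_service", "Low")
def check_finger(host):
    # 'Finger: often misconfigured'. Discloses account names to anyone who asks.
    if 79 in host["tcp"]:
        return [(79, "finger service reachable", "disable fingerd or firewall tcp/79")]
    return []

@plugin("smtp_on_unusual_port", "Medium")
def check_smtp_odd_port(host):
    # 'SMTP server on a strange port'. An MTA where none belongs is a classic backdoor/relay sign.
    hits = []
    for port, banner in host["tcp"].items():
        if port not in (25, 465, 587) and banner.startswith("220 ") and "SMTP" in banner.upper():
            hits.append((port, f"SMTP banner on tcp/{port}: {banner!r}",
                         "verify the service is sanctioned; remove it if not"))
    return hits

@plugin("ftp_anonymous_login", "Medium")
def check_ftp_anonymous(host):
    # The host record carries the outcome of an anonymous-login probe (constructed here).
    if host.get("ftp_anonymous_ok"):
        return [(21, "anonymous FTP login accepted", "disable anonymous FTP or restrict it to a read-only area")]
    return []

@plugin("tftp_open", "Medium")
def check_tftp(host):
    # 'TFTP backdoor'. No authentication at all; serves whatever the daemon can read.
    if 69 in host["udp"]:
        return [(69, "TFTP responds on udp/69", "disable tftpd unless needed for PXE; restrict by source")]
    return []

def run_scan(host, site_policy=None):
    """Run every registered plugin. site_policy maps plugin name -> risk override,
    which is where 'interpret the risk in view of your own system' lives."""
    site_policy = site_policy or {}
    findings = []
    for check in PLUGINS:
        for port, summary, fix in check(host):
            risk = site_policy.get(check.plugin_name, check.default_risk)
            findings.append(Finding(check.plugin_name, port, risk, summary, fix))
    findings.sort(key=lambda f: (-RISK_ORDER[f.risk], f.port))
    return findings

# Constructed host record: what host/port scanning and banner grabbing would have produced
SAMPLE_HOST = {
    "tcp": {21: "220 ProFTPD Server (constructed banner)", 79: "", 2525: "220 relay.example.test ESMTP ready"},
    "udp": {69: ""},
    "ftp_anonymous_ok": True,
}

if __name__ == "__main__":
    # Site view (assumed): tcp/2525 is a sanctioned relay, while finger on this box leaks admin names
    policy = {"smtp_on_unusual_port": "Low", "finger_service": "High"}
    for f in run_scan(SAMPLE_HOST, policy):
        print(f"{f.risk:6} port {f.port:<5} {f.plugin}: {f.summary} -> {f.fix}")
```

With no policy the report lists the three Medium findings first and finger last; with the site policy applied the same finger finding moves to the top and the sanctioned SMTP relay drops to the bottom, which is the point of the slide: the scanner's ranking is a default, not a verdict.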
Nessus Reports (reporting screen, screenshot)
OpenVAS vs. Nessus
• As Nessus became commercialized, OpenVAS became the open source alternative
• OpenVAS was initially named GNessUs, a fork of the Nessus security scanner made to allow future free development of the now-proprietary tool
• OpenVAS was originally proposed by pentesters at Portcullis Computer Security and then announced by Tim Brown on Slashdot, around 2005
• OpenVAS is actively developed and supported
http://www.openvas.org/
Vulnerability Databases and Information
National Vulnerability Database
• NVD: comprehensive cyber security vulnerability database
– Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
– Based on and synchronized with the CVE vulnerability naming standard
• NVD is the CVE standard augmented with additional analysis, a database, and a fine-grained search engine. NVD is a superset of CVE
• NVD is synchronized with CVE such that any updates to CVE appear immediately in NVD
http://nvd.nist.gov/
Common Vulnerabilities and Exposures (CVE)
• A list of standardized names for vulnerabilities and other information security exposures
– CVE standardizes names for all publicly known vulnerabilities and security exposures and is a community-wide effort
– The content of CVE is a collaborative effort of the CVE Editorial Board
• Includes representatives from over 20 security-related organizations
• Security tool vendors, academic institutions, and government
– The MITRE Corporation maintains CVE and moderates Editorial Board discussions
• CVE: http://cve.mitre.org
• Example CVE entries
– CVE-1999-0002: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
– CVE-1999-0003: Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)
– CVE-1999-0005: Arbitrary command execution via IMAP buffer overflow in authenticate command.
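The slides say CVE identifiers let one tool's output be cross-referenced with another's. As an added example (not Nessus, MITRE or NVD code), this parses a Nessus XML report and looks up each reported CVE in a local index built from the three example entries above. The report text is constructed for the example: the host, ports, plugin names and the zero pluginID values are placeholders, not real scan output. It follows the `NessusClientData_v2` layout (`ReportHost` / `ReportItem` with `risk_factor` and `cve` children) and rejects identifiers that do not match the CVE naming format before they get into a tracking system.

```python
"""Parse a .nessus (NessusClientData_v2) report and cross-reference its CVE ids (added example)."""
import re
import xml.etree.ElementTree as ET

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Local slice of CVE: the three example entries from the lecture
CVE_INDEX = {
    "CVE-1999-0002": "Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.",
    "CVE-1999-0003": "Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)",
    "CVE-1999-0005": "Arbitrary command execution via IMAP buffer overflow in authenticate command.",
}

# Constructed report, not real scanner output; host, ports, plugin names and pluginID="0" are placeholders
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="2049" svc_name="nfs" protocol="tcp" severity="3" pluginID="0" pluginName="mountd overflow (constructed)">
    <risk_factor>High</risk_factor>
    <cve>CVE-1999-0002</cve>
   </ReportItem>
   <ReportItem port="143" svc_name="imap" protocol="tcp" severity="3" pluginID="0" pluginName="IMAP authenticate overflow (constructed)">
    <risk_factor>High</risk_factor>
    <cve>CVE-1999-0005</cve>
   </ReportItem>
   <ReportItem port="79" svc_name="finger" protocol="tcp" severity="1" pluginID="0" pluginName="finger service (constructed)">
    <risk_factor>Low</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text):
    """Flatten ReportHost/ReportItem into dicts; reject malformed CVE ids early."""
    root = ET.fromstring(xml_text)
    items = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            bad = [c for c in cves if not CVE_ID.match(c)]
            if bad:
                raise ValueError(f"malformed CVE id(s) {bad} on host {host.get('name')}")
            items.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "risk": (item.findtext("risk_factor") or "None").strip(),
                "cves": cves,
            })
    return items

def cross_reference(items, index=CVE_INDEX):
    """Attach the index description for each CVE; report ids the local index lacks (time to sync with CVE/NVD)."""
    unknown = set()
    for it in items:
        it["cve_descriptions"] = {}
        for cve in it["cves"]:
            if cve in index:
                it["cve_descriptions"][cve] = index[cve]
            else:
                unknown.add(cve)
    return items, unknown

def triage(items, minimum_risk="Medium"):
    """Keep findings at or above a risk level; the threshold is the site's choice, not the scanner's."""
    order = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
    return [it for it in items if order.get(it["risk"], 0) >= order[minimum_risk]]

if __name__ == "__main__":
    items, unknown = cross_reference(parse_nessus(SAMPLE_REPORT))
    for it in triage(items):
        print(f"{it['host']} {it['protocol']}/{it['port']} [{it['risk']}] {it['plugin']}")
        for cve, text in it["cve_descriptions"].items():
            print(f"    {cve}: {text}")
    if unknown:
        print("not in local index:", sorted(unknown))
```

Because every tool that is CVE compliant emits the same identifier for the same flaw, the `cross_reference` step is what lets a Nessus finding be matched against a vendor advisory, an IDS signature or an NVD entry without comparing free-text descriptions.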
Scanners
• What should you do with a vulnerability scanner?
– Run it against your own systems
– Do this before an attacker does
– Look at the results
– Fix reported vulnerabilities if they are a problem for your site
Summary of Techniques
• So far ...
– To attack a specific system (not a widespread worm or virus attack), attackers must do a lot of work
• Reconnaissance: gather information
– Dumpster diving
– Whois database
– DNS queries, physical access
• IP scanning
– Identify hosts, services and operating systems
– Host and port scanning, stack fingerprinting
– Vulnerability scanning is the last stage of the scanning phase
• Next phase is the attack!
The End
• Next time: the lab is Google Hacking, on your own ...