Here is a list of computer security white papers and lab projects completed by Gary Neubauer II over his 12-year history in the security field. They include Perception Management vs Psychological Warfare, Password Cracking Labs, Penetration Tests, Vulnerability Assessments, Network Packet Sniffing, Security Log Files, Hacking NT Passwords, and Intrusion Detection Lab setups. There are papers on MD5 Hash Analysis, Encryption Cracking, Log File Analysis, Network Analysis, Snort and ACID Labs, and a paper commenting on the Cuckoo's Egg book by Cliff Stoll.
Initial Port Scanning and Reconnaissance

Initial port scanning and reconnaissance is designed to identify the services a system offers, its operating system platform, and other sensitive data such as banner information, hostnames, usernames, and application data. This lab discusses the use of NMAP, strobe, Retina and ISS.

Initial port scans (network probing)
• Identifies services that are being offered (e.g., DNS, FTP, HTTP, SMTP, SNMP, Telnet)

Follow-up port scans
• Identifies operating system platform information
• Identifies other sensitive information (e.g., banner info, hostnames, usernames)

Port scanning tools
• Fscan - command line port scanner for Windows NT/2000
• Nmap - an open source network/security tool for TCP/UDP port discovery, OS fingerprinting, and security auditing
• Strobe - a network/security tool that locates and describes all listening TCP ports on one or more remote hosts

Freeware/Shareware Port Scanners:
• Fscan - http://www.foundstone.com/rdlabs/tools.php?category=Scanner
• NMAP - http://www.insecure.org/nmap/
• Strobe - http://filewatcher.org/sec/strobe.html
• Super Scan - http://www.foundstone.com/rdlabs/tools.php?category=Scanner
• Whisker - http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm

Commercial Port Scanners:
• Cisco Secure Scanner - http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/index.shtml
• CyberCop - http://www.pgp.com/products/cybercop-scanner/default.asp
• ISS Internet/System Scanner - https://www.iss.net/cgi-bin/download/evaluation/evaluation-select.cgi
• NetIQ, Security Analyzer - http://www.webtrends.com/products/wsa/default.htm
• Retina - http://www.eeye.com/html/Products/Retina/
• Symantec NetRecon - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46&PID=8938810

Example "strobe" output

    $ strobe 172.16.16.45
    strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
    172.16.16.45 unknown 135/tcp unassigned
    172.16.16.45 netbios-ssn 139/tcp # NETBIOS session service
    172.16.16.45 unknown 1453/tcp unassigned
    172.16.16.45 unknown 1498/tcp unassigned
    172.16.16.45 unknown 1762/tcp unassigned
    172.16.16.45 unknown 5800/tcp unassigned
    172.16.16.45 unknown 5900/tcp unassigned
    172.16.16.45 ftp 21/tcp
    172.16.16.45 unknown 13782/tcp unassigned

Example "nmap" output

    $ nmap 172.16.16.45
    Interesting ports on (172.21.161.28):
    Port State Protocol Service
    25 open tcp smtp
    53 open tcp domain
    80 open tcp http
    135 open tcp loc-srv
    139 open tcp netbios-ssn
    443 open tcp https
    445 open tcp microsoft-ds
    1025 open tcp listen
    1026 open tcp nterm
    1032 open tcp iad3
    Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

Example Banner Information

    220 training FTP server (UNIX(r) System V Release 4.0) ready.
    220 pokeyjoe Microsoft FTP Service (Version 4.0).
    +OK QPOP (version 2.2) at training.cisco.com starting.
    +OK Pop server at training.cisco.com signing off.
    SSH-1.5-1.2.26

Reconnaissance

Determine running network services
• DNS, Finger, HTTP, SMTP, SNMP, Telnet
Determine operating system platform
• Linux, Novell, UNIX, Windows
• Trust relationships
Locate existing shares (e.g., NetBIOS, NFS)
• Check for hidden shares (e.g., C$, D$, ADMIN$)
• Check for proper file permissions
Identify user account information
• Usernames, login times, group membership

Reconnaissance: Windows NT/2000

NBTSTAT - provides NetBIOS over TCP/IP statistics and current connection information
• nbtstat -a
• nbtstat -A
• nbtstat -S (lists session table information)
NET Commands - native support for basic networking commands
• net use (command line utility for network sharing)
• net view (command line utility for network maintenance)
• net [ accounts | computer | config | file | group | localgroup | name | session | share | start | stop | statistics | time | use | user | view ]
Other tools
• CIS - http://www.cerberus-infosec.co.uk/cis.shtml
• SomarSoft Utilities - http://www.systemtools.com/somarsoft/

Network Vulnerability Scanners
• Cisco Secure Scanner - a commercial vulnerability scanner that supports network system identification, data management, user-defined vulnerability rules, and security reporting capabilities
• Nessus - an open source vulnerability scanner that supports plug-in modules and NASL (Nessus Attack Scripting Language) for creating security test modules
• Retina - a commercial vulnerability scanner that identifies known and unknown vulnerabilities, suggests fixes, and reports possible security holes within a network's internet, intranet, and extranet environments
Links:
• Cisco Secure Scanner - http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/
• Nessus - http://www.nessus.org/
• Retina - http://www.eeye.com/html/Products/Retina/

Initial Access

Establishing a connection to a host without owning an account on it.

How to gain Initial Access
• Try default user accounts and passwords
• Leverage trust relationships
  • NetBIOS
  • NIS+
  • NFS
• Exploit weaknesses in network applications
  • Buffer overflows
  • No authentication

Default Accounts and Passwords

Databases:
• http://www.securityparadigm.com/defaultpw.htm
• http://www.phenoelit.de/dpl/dpl.html
Network devices:
• Cisco: IOS - cisco[cisco]; CiscoWorks - admin[admin]; VPN 3000 - admin[admin]; WAN Manager - svplus[svplus]
• 3Com: Corebuilder and SuperStack - debug[synnet], tech[tech], manager[manager], security[security]
• Lucent: System 75 - field[support], support[supportpw], sysadm[sysadmpw], tech[field]
• Nortel: Extranet Switch - admin[setup]; Remote Office 9150 - admin[root]
Operating systems and applications:
• IBM: AS/400 - sysopr[sysopr], ibm[service], qserv[qserv], qserv[ibmcel], qsysopr[qsysopr]
• Novell: ADMIN[ADMIN], GUEST[TSEUG], SUPERVISOR[SUPERVISOR], SUPERVISOR[SYSTEM], TEST[TEST]
• Oracle: Versions 7 and 8 - system[manager], scott[tiger], dbsnmp[dbsnmp], sys[change_on_install], jones[steel], blake[paper], clark[cloth]

Easily Guessed or Cracked Passwords
• Null passwords
• "Joe" passwords (password equals username)
  • jdoe / jdoe
• Slight variation of username
  • jdoe / jdoe1
  • root / toor
  • jdoe / jd0e
• Things related to the user
  • jdoe / john (e.g., first initial)
  • rsmith / nancy (e.g., spouse)
  • ducharme / vsectrng (e.g., business unit)
• People's names or last names
• Company or location names
• Words found in dictionaries
• Movies, slang, TV, literature names, etc.
Recommendation: create passwords from a passphrase (e.g., 1n33dcsn! for "I need computer security now!").

Trust Relationships
• Leverage existing trust relationships (transitivity)
• Windows Domain Model
  • One-way trust
  • Two-way trust
• Linux/UNIX Trust Model
  • Spoof trusted user (.rhosts)
  • Spoof trusted host (hosts.equiv)
Links:
• Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml
• Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm

OS Trust Models
• Windows
  • Domains - a trust relationship established between two domains enables users in one domain to be authenticated by a domain controller in another domain
  • Forests - a trust relationship is automatically created between the forest root domain and each root domain (or tree) that is added to the forest
• Linux and UNIX
  • NFS - allows a local host to mount a disk partition on a remote host across a network
  • NIS+ - a distributed data lookup service for sharing data among networked systems

Privileged Access

Achieving root or administrator level privileges on a host without owning a privileged account on it.

How to gain Privileged Access
• Try to log in as a privileged user
  • Root account
  • "Super-User" equivalent accounts (e.g., sendmail)
  • Administrative accounts
  • Service accounts (e.g., exadmin, smsadmin, sqladmin)
• Buffer overflows
• Execute a local or remote exploit
• Inject a trojan that, when executed, will provide privileged access

Windows NT/2000 registry keys used by trojans:
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages - "fpnwclnt.dll" is installed by default; a trojan could be substituted that would intercept all changes to the SAM
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
File system exploits:
• Startup directory in user profile (e.g., \\start menu\\programs\startup)
• Packet sniffing tools like snort, windump, ethereal, and even L0phtCrack3 all use the WinPcap device driver

Secondary Access

To establish an inconspicuous access avenue back to the host, clear access evidence, and use the host as a springboard to access more targets.

Methods used to achieve Secondary Access
• Crack retrieved passwords
• Gain access to other systems
  • via cracked passwords
  • via trust relationships
  • via exploiting similar vulnerabilities
• Hide presence
  • Clean logs and remove traces
  • Install backdoors (e.g., rootkits)
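As an added example (not part of the original lab), the following Python script parses the strobe and classic nmap table output shown in the port scanning section above and reports listening ports that fall outside a per-host allowlist, which is the defender's reading of the same scan. The allowlist and both sample scans are constructed.

```python
"""Added example (not from the original lab): parse strobe and classic nmap
table output and flag listening ports a host is not meant to expose."""
import re

# Constructed sample in the same layout as the lab's strobe output.
STROBE_SAMPLE = """strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
172.16.16.45 unknown 135/tcp unassigned
172.16.16.45 netbios-ssn 139/tcp # NETBIOS session service
172.16.16.45 ftp 21/tcp
172.16.16.45 unknown 5900/tcp unassigned
"""

# Constructed sample in the same layout as the lab's nmap output.
NMAP_SAMPLE = """Interesting ports on (172.21.161.28):
Port State Protocol Service
25 open tcp smtp
80 open tcp http
139 open tcp netbios-ssn
445 open tcp microsoft-ds
Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds
"""

# One table row of either tool: strobe prints "<host> <service> <port>/<proto> ...",
# classic nmap prints "<port> <state> <proto> <service>".
STROBE_RE = re.compile(r"^\S+\s+(\S+)\s+(\d+)/(tcp|udp)\b")
NMAP_RE = re.compile(r"^(\d+)\s+(open|closed|filtered)\s+(tcp|udp)\s+(\S+)$")

def parse_scan(text):
    """Return (port, proto, service) for every listening port in the output."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = NMAP_RE.match(line)
        if m:
            if m.group(2) == "open":
                found.append((int(m.group(1)), m.group(3), m.group(4)))
            continue
        m = STROBE_RE.match(line)
        if m:  # strobe only lists ports that answered, so each row is open
            found.append((int(m.group(2)), m.group(3), m.group(1)))
    return found

def unexpected_ports(text, allowed):
    """Listening ports outside the host's allowlist of (port, proto) pairs."""
    return [row for row in parse_scan(text) if (row[0], row[1]) not in allowed]

if __name__ == "__main__":
    web_host = {(25, "tcp"), (80, "tcp")}  # hypothetical allowlist for a mail/web host
    print(unexpected_ports(NMAP_SAMPLE, web_host))
```

Anything the script reports (here the NetBIOS and microsoft-ds listeners on a host that should only serve mail and web) is a port to justify, firewall, or shut down before an attacker's scan finds it.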
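A second added example (also not part of the original lab): a password-policy check that rejects the easily guessed patterns listed in the password section above (null, "joe", username variants such as jdoe1, jd0e and toor, user-related words, dictionary words) at the moment a password is set, before it ends up in a password file. The leet table, the dictionary and the related-word inputs are constructed stand-ins.

```python
"""Added example (not from the original lab): reject the easily guessed
password patterns the lab lists, before a cracker gets to test them."""
import re

# Undo common substitutions so jd0e and p@ssw0rd are compared as jdoe and password.
LEET = str.maketrans("0134@$!", "oleaasi")

# Constructed stand-in for a real cracking dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret"}

def _normalize(s):
    """Lowercase, drop trailing digits/symbols (jdoe1 -> jdoe), then undo leet."""
    s = re.sub(r"[\d\W_]+$", "", s.lower())
    return s.translate(LEET)

def weak_reason(password, username, related=()):
    """Return why the password is guessable, or None if it passes every rule.
    `related` holds words tied to the user (first name, spouse, business unit)."""
    if not password:
        return "null password"
    core = _normalize(password)
    user = username.lower()
    if core == user:                     # "joe" password, also jdoe1 / jd0e
        return "same as username (or a slight variation of it)"
    if core == user[::-1]:               # root / toor
        return "username reversed"
    for word in related:
        if core == _normalize(word):     # rsmith / nancy, ducharme / vsectrng
            return f"related to user ({word})"
    if core in DICTIONARY:
        return "dictionary word"
    if len(password) < 8:
        return "too short"
    return None

if __name__ == "__main__":
    print(weak_reason("jd0e", "jdoe"))                  # same as username
    print(weak_reason("1n33dcsn!", "jdoe", ["john"]))   # None: the passphrase passes
```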