Page 1: Introduction to Vulnerability Assessment Labs

Karlstad University

Ge Zhang, ge.zhang@kau.se

Dvg-C03

Page 2: Schedule

• 3 attacking methods
  – Password cracking
  – ARP spoofing & sniffing
  – Port scanning

• 1 defense method
  – Firewall configuration

• 2 vulnerability assessment tools
  – Nessus
  – Bastille

Page 3: Environment

• 3 VM images (c:\vmware\valab-ht11)

Diagram: VM host machine, four hubs connected to a switch

Page 4: Password Cracking

• Authentication:
  – Something you know
  – Something you have
  – Something you are

• Passwords need to be transferred
• Passwords need to be stored

Page 5: Brute Force

• Attempts all possible combinations of letters and numbers

• Possible solutions
  – Limit the number of unsuccessful logins
  – Change passwords often
  – The length should be at least 8 characters

Page 6: Dictionary

• A type of brute force
• Only tries possibilities that are likely to succeed
• Lists are derived from a dictionary
• Possible solutions
  – Mix and match numbers, letters, upper and lower case
  – Avoid passwords based on dictionary words, letter or number sequences, usernames, or biographical information
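The countermeasures on the Brute Force and Dictionary slides can be enforced at password-change time. The checker below is an added example, not part of the lab material: it applies the minimum length of 8, the character-class mix, the dictionary-word rule (including common leet substitutions such as 0 for o), the sequence rule and the username/biographical rule. The small WORDLIST is a constructed stand-in for a real dictionary file.

```python
"""Password policy checker implementing the countermeasures listed on the
Brute Force and Dictionary slides. Added example; not part of the lab.
WORDLIST and the sample inputs are constructed for the demo."""
import string

MIN_LENGTH = 8  # the slides' minimum length

# Constructed stand-in for a dictionary file such as john's password.lst.
WORDLIST = {"password", "secret", "welcome", "karlstad", "summer", "letmein"}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    letters or digits, e.g. abcd or 4321."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_dictionary_word(pw: str, min_word_len: int = 4) -> bool:
    """True if a wordlist entry appears inside pw, ignoring case and the
    usual leet substitutions (0->o, 1->l, 3->e, 4->a, $->s, @->a, !->i)."""
    leet = str.maketrans("0134$@!", "oleasai")
    candidates = {pw.lower(), pw.lower().translate(leet)}
    return any(w in c for w in WORDLIST if len(w) >= min_word_len for c in candidates)


def check_password(pw: str, username: str = "", biographical=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes (lower, upper, digit, symbol)")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a letter or number sequence")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    for item in biographical:
        if item and item.lower() in pw.lower():
            problems.append(f"contains biographical data ({item})")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd!", "abcd1234XY", "ge1Zh@ng"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "P@ssw0rd!" satisfies the length and character-class rules but still fails, because the leet-normalised form contains "password": the dictionary rule has to be applied after normalisation, which is also what a wordlist attack with mangling rules does.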

Page 7: John the Ripper

• Traditionally the account information is stored in the /etc/passwd file
• The /etc/passwd file is world-readable
• The shadow password system stores passwords in the file /etc/shadow, which is not world-readable
• Have a look at
  – /usr/share/doc/john-1.7.0.2/EXAMPLES
• Then create your own account and password, and run “john” again to see the result
  – useradd [your account]
  – passwd [your account]
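The defensive counterpart to running john on the lab's hashes is to audit what /etc/shadow actually stores. The script below is an added example, not from the lab: it parses shadow(5) entries, identifies the crypt(3) hash algorithm from the prefix, and flags the conditions a hardening review cares about (an empty password field, legacy DES or md5crypt hashes that are fast to crack offline, and no password expiry). The SAMPLE_SHADOW text is constructed and its hash values are placeholders, not real hashes.

```python
"""Audit of /etc/shadow-style entries. Added example, not lab material;
SAMPLE_SHADOW is constructed and the hash values are placeholders."""
from dataclasses import dataclass
from typing import Optional

SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19400:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
olduser:abJnggxhB/yWI:12000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
nologin:*:19000:0:99999:7:::
"""

# crypt(3) prefix -> algorithm name; traditional DES has no prefix and is 13 characters.
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
            "$y$": "yescrypt", "$gy$": "gost-yescrypt"}
WEAK = {"md5crypt", "des"}  # cheap to brute force offline once the hash leaks


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: Optional[int]
    max_days: Optional[int]

    @property
    def locked(self) -> bool:
        # "!" or "*" in front of (or instead of) the hash disables password login.
        return self.hash_field.startswith(("!", "*"))

    @property
    def algorithm(self) -> str:
        f = self.hash_field
        if f == "":
            return "none"
        if self.locked:
            return "locked"
        for prefix, name in PREFIXES.items():
            if f.startswith(prefix):
                return name
        return "des" if len(f) == 13 else "unknown"


def parse_shadow(text: str) -> list:
    """Parse shadow(5) lines: user:hash:lastchange:min:max:warn:inactive:expire:reserved."""
    def to_int(s):
        return int(s) if s.isdigit() else None

    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(fields[0], fields[1], to_int(fields[2]), to_int(fields[4])))
    return entries


def audit(entries) -> dict:
    """Return {user: [findings]} for the entries a hardening review should flag."""
    findings = {}
    for e in entries:
        notes = []
        if e.hash_field == "":
            notes.append("empty password field: login without a password")
        elif not e.locked and e.algorithm in WEAK:
            notes.append(f"weak hash algorithm {e.algorithm}: fast to brute force offline")
        # max_days of 99999 is the shadow default and means the password never expires.
        if not e.locked and e.hash_field and (e.max_days is None or e.max_days >= 99999):
            notes.append("no password expiry")
        if notes:
            findings[e.user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(parse_shadow(SAMPLE_SHADOW)).items():
        print(f"{user}: " + "; ".join(notes))
```

The point the slide makes is why the split between /etc/passwd and /etc/shadow exists: once a hash is world-readable, the only protection left is the cost of the hash function, which is why the audit treats DES and md5crypt entries as findings even though they are "protected" by a hash.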

Page 8: Sniffing

• Hub: a hub simply receives incoming packets and broadcasts them to all devices on the network

• Promiscuous mode: an adapter can receive all frames on the network, not just the frames addressed to that adapter

Diagram: hub (shared medium), Token Ring

Page 9: Wireshark

Screenshot callouts:
• Show capture options
• Filters for display
• Select network interface
• Filters for capture

Page 10: Wireshark

Screenshot callouts:
• Stop capturing
• Captured datagrams
• Datagram analysis
• Datagrams in hex

Page 11: Hub vs. switch

• Hub: Layer 1 (physical)
• Switch: Layer 2 (data-link)

Diagram: hub = shared medium (Token Ring); switch = dedicated

Page 12: ARP (Address Resolution Protocol)

• MAC address (layer 2)
  – Globally unique
  – Unchangeable

• IP address (layer 3)
  – Network unique
  – Changeable

Diagram: ARP resolves an IP address to a MAC address; RARP resolves a MAC address to an IP address

Page 13: ARP spoofing (cache poisoning) on a switch

Hosts in the diagram: 192.163.0.1 (AA), 192.163.0.2 (BB), 192.163.0.3 (CC), 192.163.0.4 (DD)

Diagram, four panels:

• Panel 1: 192.163.0.3 (CC) sends two forged replies: “I am 192.163.0.4, with MAC address CC” and “I am 192.163.0.1, with MAC address CC”

• Panel 2: 192.163.0.1 (AA) broadcasts a request: “Who has the IP address 192.163.0.4? Tell 192.163.0.1 with MAC: AA”

• Panel 3: poisoned ARP caches: host .1 holds 192.163.0.4 -> CC and host .4 holds 192.163.0.1 -> CC, so the conversation between .1 and .4 passes through .3

• Panel 4: 192.163.0.4 (DD) announces “I am 192.163.0.4, with MAC address DD” and the cache entry returns to 192.163.0.4 -> DD
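The poisoning on the slide is visible to a passive monitor on the same segment: the attacker's replies make one IP change its MAC and make one MAC claim several IPs. The detector below is an added example, not part of the lab, and replays a constructed sequence of ARP events that follows the slide (CC claiming .4 and .1, then DD re-announcing). The trusted table of known-good IP/MAC pairs is an assumption of the example; with it, a forged reply for a trusted address is flagged even when it is the first reply seen.

```python
"""Detector for the ARP cache poisoning on the slide: watches ARP replies and
flags an IP whose MAC changes or a MAC that claims several IPs. Added example,
not lab material; EVENTS and the trusted table are constructed."""
from collections import defaultdict

# Constructed ARP events in slide order: (opcode, sender_ip, sender_mac).
# Opcode 1 = request ("who has"), 2 = reply ("I am").
EVENTS = [
    (1, "192.163.0.1", "AA"),   # .1 asks who has .4 (legitimate request)
    (2, "192.163.0.4", "DD"),   # .4 answers with its real MAC
    (2, "192.163.0.4", "CC"),   # attacker .3 claims to be .4
    (2, "192.163.0.1", "CC"),   # attacker .3 claims to be .1
    (2, "192.163.0.4", "DD"),   # .4 re-announces itself, cache restored
]


class ArpMonitor:
    def __init__(self, trusted=None):
        # Known-good IP -> MAC pairs (gateway, servers); an assumption of this example.
        self.trusted = dict(trusted or {})
        self.ip_to_mac = dict(self.trusted)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.trusted.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, opcode, ip, mac):
        """Learn from one ARP event and return the alerts it raised (possibly none)."""
        new = []
        if opcode != 2:  # this monitor only learns from replies, which are what poison caches
            return new
        old = self.ip_to_mac.get(ip)
        if ip in self.trusted and mac != self.trusted[ip]:
            new.append(f"{ip} claimed by {mac}, trusted MAC is {self.trusted[ip]}")
        elif old is not None and old != mac:
            new.append(f"{ip} changed MAC {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            new.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        self.alerts.extend(new)
        return new


def run(events, trusted=None):
    """Feed all events through one monitor and return the accumulated alerts."""
    mon = ArpMonitor(trusted)
    for ev in events:
        mon.observe(*ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in run(EVENTS, trusted={"192.163.0.1": "AA"}):
        print("ALERT:", alert)
```

The legitimate re-announcement in the last event also trips the changed-MAC rule, because a stateless monitor cannot tell a restore from a new poisoning; the trusted-pairs check is the signal that does not produce that false positive, which is why static ARP entries for the gateway are the usual mitigation on small lab networks.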

Page 14: Preparation

• ipconfig /all
• Let me know the last number of your IP address and your MAC address
• ping [IP address] -t

Diagram: room layout (door, window) with each machine pinging another

Page 15: Cain

Screenshot callouts:
• Scan MAC addresses
• Select interface
• Scanned results
• ARP spoofing configuration

Page 16: Cain

Screenshot callouts:
• Add to list for spoofing
• Spoof the ARP cache of these two hosts to intercept the conversation between them

Page 17: Cain

Screenshot callout:
• Start ARP spoofing

Page 18: Port Scanning

• Attackers wish to discover services they can break into.
• Does the service exist?
• Send a packet to each port, one at a time.
  – Based on the type of response, an attacker knows if the port is used.
  – The used ports can be probed further for weakness.
• Well-known ports: tcp 21, tcp 22, tcp 23, tcp 80 …

Page 19: Nmap

• -sT (scanning by TCP connections)
• -sS (SYN scanning)
• -sU (UDP scanning)
• -sV (version detection)
• -O (OS fingerprinting)
• -T[0-5] (timing template)
• -f (fragmenting)
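A scan of the kind described on the Port Scanning slide leaves a characteristic trace on the target: one source touching many distinct destination ports within seconds. The detector below is an added example, not part of the lab; it reads firewall log lines in the format the iptables LOG target writes to syslog (the firewall slides later in the deck mention LOG as a target) and flags any source that hits at least `min_ports` distinct ports inside a `window_s` second window. The log lines are constructed, and because syslog timestamps carry no year, ASSUMED_YEAR is an assumption of the example.

```python
"""Port-scan detection over firewall log lines in the iptables LOG format.
Added example, not lab material; LINES are constructed and ASSUMED_YEAR is
an assumption (syslog timestamps have no year)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

ASSUMED_YEAR = 2011

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

Rec = namedtuple("Rec", "ts src dst proto dpt")


def log_line(ts, src, dst, proto, spt, dpt):
    """Build one constructed line in the shape iptables -j LOG writes to syslog."""
    tail = " WINDOW=1024 RES=0x00 SYN URGP=0" if proto == "TCP" else ""
    return (f"{ts} vm1 kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO={proto} "
            f"SPT={spt} DPT={dpt}{tail}")


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445]
# Constructed sample: 10.0.0.9 sweeps the well-known ports in three seconds,
# while 10.0.0.7 only opens an SSH session, a web request and a DNS query.
LINES = [log_line(f"Oct  3 10:15:{1 + i // 4:02d}", "10.0.0.9", "10.0.0.20", "TCP", 40000 + i, p)
         for i, p in enumerate(SCAN_PORTS)]
LINES += [
    log_line("Oct  3 10:15:05", "10.0.0.7", "10.0.0.20", "TCP", 50001, 22),
    log_line("Oct  3 10:15:40", "10.0.0.7", "10.0.0.20", "TCP", 50002, 80),
    log_line("Oct  3 10:16:02", "10.0.0.7", "10.0.0.20", "UDP", 50003, 53),
    "Oct  3 10:16:03 vm1 kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]


def parse_line(line):
    """Return a Rec for TCP/UDP entries, None for lines without a destination port."""
    m = LOG_RE.search(line)
    if not m or m["dpt"] is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Oct  3")
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return Rec(ts, m["src"], m["dst"], m["proto"], int(m["dpt"]))


def detect_scans(lines, window_s=10, min_ports=10):
    """Map each scanning source to the number of distinct (proto, port) pairs
    it hit inside one window; sources below the threshold are omitted."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec.src].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        for i, first in enumerate(recs):  # sliding window starting at each record
            ports = {(r.proto, r.dpt) for r in recs[i:]
                     if (r.ts - first.ts).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts[src] = len(ports)
                break
    return alerts


if __name__ == "__main__":
    for src, count in detect_scans(LINES).items():
        print(f"possible port scan from {src}: {count} distinct ports")
```

Both -sT and -sS begin every probe with a SYN, so the first packet of each probe looks the same in a firewall log and this counter catches both; the difference between them is only visible in whether the handshake is completed, which a LOG rule on new connections does not record. Slowing the scan (the -T options) is the counter-measure against exactly this kind of window-based detector, which is why the window and threshold are parameters.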

Page 20: Nmap

Page 21: Nmap

• Zenmap: graphical interface

Page 22: Firewall

• A set of related programs that protects the resources of a private network or a host from the external environment.

• A mechanism for filtering network packets based on information contained within the IP header.

Page 23: iptables

3 default chains
• INPUT: used to control packets entering the interface (the packets end in this machine)
• OUTPUT: used to control packets leaving the interface (the packets originate from this machine)
• FORWARD: used to control packets being masqueraded, or sent to remote hosts

Page 24: iptables

• iptables command [match] [target]
• Command: -A, -I, -D, -F, -L
• Match: -p [protocol], -s [source IP], -d [destination IP], -i [interface], --sport [source port], --dport [destination port]
• Target: -j [ACCEPT/DROP/LOG…]
• Example:
  – iptables -I INPUT -p ICMP -j DROP
  – iptables -I INPUT -p ICMP --icmp-type 0 -j ACCEPT

• Our task: restrict all inbound traffic, except SSH requests on port 22. However, any outgoing requests should not be affected.
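The second half of the task (outgoing requests must keep working) is the part that a first attempt usually gets wrong: with the INPUT policy set to DROP, the replies to the machine's own outgoing connections are inbound packets and get dropped too, unless a rule accepts ESTABLISHED and RELATED traffic. The script below is an added example, not the lab's solution: it builds the rule set for the task as iptables commands (using the conntrack match, assumed to be available on the lab VM), can render them as a shell script or apply them as root, and includes a small first-match evaluator so the effect on sample packets can be checked without touching a real firewall. The Packet type and the evaluator are a simplification of netfilter's behaviour, not its real semantics.

```python
"""Rule set for the slide's task (inbound only SSH, outbound unaffected) plus
a tiny first-match evaluator. Added example, not the lab's solution; the
evaluator is a simplification of netfilter, and conntrack is assumed available."""
import shlex
import subprocess
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    target: str
    proto: str = None
    dport: int = None
    in_iface: str = None
    ctstate: tuple = ()  # conntrack states, e.g. ("ESTABLISHED", "RELATED")

    def argv(self):
        """The iptables command line that appends this rule to its chain."""
        a = ["iptables", "-A", self.chain]
        if self.in_iface:
            a += ["-i", self.in_iface]
        if self.proto:
            a += ["-p", self.proto]
        if self.dport is not None:
            a += ["--dport", str(self.dport)]
        if self.ctstate:
            a += ["-m", "conntrack", "--ctstate", ",".join(self.ctstate)]
        return a + ["-j", self.target]

    def matches(self, pkt):
        return ((self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.ctstate or pkt.ctstate in self.ctstate))


@dataclass
class Packet:
    chain: str            # INPUT or OUTPUT, from the machine's point of view
    proto: str
    dport: int = None
    in_iface: str = "eth0"
    ctstate: str = "NEW"  # NEW, ESTABLISHED or RELATED as conntrack would classify it


@dataclass
class Policy:
    rules: list
    defaults: dict  # chain -> policy target used when no rule matches

    def argv_list(self):
        cmds = [["iptables", "-F"]]  # -F from the slide: start from empty chains
        cmds += [r.argv() for r in self.rules]
        cmds += [["iptables", "-P", chain, target] for chain, target in self.defaults.items()]
        return cmds

    def script(self):
        return "\n".join(shlex.join(c) for c in self.argv_list()) + "\n"

    def apply(self):
        """Execute the commands; needs root on a Linux host with iptables."""
        for c in self.argv_list():
            subprocess.run(c, check=True)

    def evaluate(self, pkt):
        """First matching rule in the packet's chain decides, else the chain policy."""
        for r in self.rules:
            if r.chain == pkt.chain and r.matches(pkt):
                return r.target
        return self.defaults.get(pkt.chain, "ACCEPT")


def task_policy():
    """Inbound: loopback, replies to our own connections, and new SSH; outbound open."""
    return Policy(rules=[
        Rule("INPUT", "ACCEPT", in_iface="lo"),
        Rule("INPUT", "ACCEPT", ctstate=("ESTABLISHED", "RELATED")),
        Rule("INPUT", "ACCEPT", proto="tcp", dport=22, ctstate=("NEW",)),
    ], defaults={"INPUT": "DROP", "OUTPUT": "ACCEPT"})


def naive_policy():
    """Same task without the conntrack rule: replies to outgoing requests are dropped."""
    return Policy(rules=[Rule("INPUT", "ACCEPT", proto="tcp", dport=22)],
                  defaults={"INPUT": "DROP", "OUTPUT": "ACCEPT"})


if __name__ == "__main__":
    print(task_policy().script())
    reply = Packet("INPUT", "tcp", 51000, ctstate="ESTABLISHED")
    print("reply to our own request, task policy:", task_policy().evaluate(reply))
    print("reply to our own request, naive policy:", naive_policy().evaluate(reply))
```

Running the script prints the commands rather than executing them; `Policy.apply()` is the only part that changes the machine. The comparison of the two policies on the ESTABLISHED packet is the check to make before declaring the task done: without the conntrack rule, the box accepts SSH but can no longer fetch anything itself.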

Page 25: Nessus

• Remote vulnerability scanner
• Nessus will
  – Perform over 900 security checks
  – Accept new plugins to expand new checks
  – List security concerns and recommend actions to correct them

Page 26: Nessus

• Client/server architecture
  – Server: performs the checking
  – Client: front-end

• Can test an unlimited number of hosts in each scan

Diagram: Nessus client connects to the Nessus server (nessusd), which scans the target hosts: www, FTP, Mail, VoIP

Page 27: Nessus

Page 28: Nessus

Page 29: Bastille

• Operating system hardening
  – Remove unnecessary processes
  – Set file permissions
  – Patching and updating
  – Set network access controls

• Generate your own hardening policy
• Can be run manually to provide advice and information

Page 30: Bastille

• Assessment mode: bastille -a

Page 31: Bastille

• Configuration mode: bastille -x