Chapter 7: Trust But Verify: Checking Security. E-Commerce Security course...


Uploaded by: lauren-davidson

Posted on: 17-Jan-2018


Slide 1 (cover)

Chapter 7: Trust But Verify: Checking Security
E-Commerce Security course
In the name of God
Ali Naserasadi (علی ناصراسدی)

Slide 2: Objectives

- How to define trust and decide on the level of security to apply to any given situation.
- You must understand the target system:
  - Holistic perspective
  - Detailed perspective
  - Pitfalls

Slide 3: A Security Professional should

- Ensure the level of security
- Discover the flaws
- Understand the risks
- Put suitable countermeasures and safeguards in place
- Evaluate protocols and application components
- Evaluate the interactions among different system elements
- Evaluate the communication topology
- Evaluate the flow of sensitive data in the system

Slide 4: Requirements

- Analyze the security of the system with tools; then perform system hardening.
- Tools:
  - Application survey tools: provide very detailed insight into what the applications do, how they behave from a security perspective, and whether there are hidden vulnerabilities in them.
  - Protocol and network tools: reveal flaws in the communication infrastructure when individual applications exchange data.

Slide 5: Tools

- By applying these tools to your applications and network infrastructure you set up what are called reconnaissance posts around your system.
- Better results on virtualization software: VMware, KVM, Sun xVM, VirtualBox
  - Isolation
  - Heterogeneous operating system environments

Slide 6: Vulnerability Assessment and Threat Analysis

- Performing a thorough system survey from a security perspective is referred to as Vulnerability Assessment and Threat Analysis (VATA).
- One of the most useful techniques to assist in performing an effective VATA is to compose what is called an attack tree: a structure that illustrates the system components and the links through which they are connected.

Slide 7: Sample Attack Tree

[figure only: the slide shows a sample attack tree; no text survived extraction]

Slide 8: Attack Tree

- Composing a complete attack tree is practically impossible: combinatorial explosion, state-space explosion.
- You need to be selective and choose the most important components and links.
- Unfortunately there is no automated tool to compose an attack tree.
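As an added example that is not part of the slides, a small attack-tree evaluator in Python: the tree, the leaf names and the effort values are constructed, and what it shows is the selective view the slide asks for, i.e. which countermeasures actually cut every path to the root goal.

```python
# Added example (not from the slides): evaluating a small AND/OR attack tree.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices), "and" (all children needed)
    cost: int = 0               # attacker effort for a leaf step; constructed, arbitrary units
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node, mitigated: Set[str]) -> Optional[int]:
    """Cheapest attacker effort to reach `node`, or None when every path is blocked.

    A leaf is blocked when its name is in `mitigated`, i.e. a countermeasure is in place.
    """
    if node.kind == "leaf":
        return None if node.name in mitigated else node.cost
    costs = [min_cost(child, mitigated) for child in node.children]
    if node.kind == "or":
        reachable = [c for c in costs if c is not None]
        return min(reachable) if reachable else None
    if node.kind == "and":
        return None if any(c is None for c in costs) else sum(costs)
    raise ValueError(f"unknown node kind {node.kind!r}")


# Constructed tree for an e-commerce site; the goal is the root, weaknesses are the leaves.
SAMPLE_TREE = Node("read stored customer card data", "or", children=[
    Node("dump the order database", "and", children=[
        Node("search form does not validate input", cost=3),
        Node("card data stored unencrypted", cost=0),
    ]),
    Node("take over an admin session", "or", children=[
        Node("admin account keeps the default password", cost=1),
        Node("session cookie sent without TLS", cost=2),
    ]),
])


def cheapest_attack(mitigated: Set[str] = frozenset()) -> Optional[int]:
    """Effort of the easiest remaining path after the given leaves are mitigated."""
    return min_cost(SAMPLE_TREE, set(mitigated))


if __name__ == "__main__":
    print("no countermeasures:", cheapest_attack())
    fixed = {"admin account keeps the default password", "session cookie sent without TLS",
             "card data stored unencrypted"}
    print("after three fixes:", cheapest_attack(fixed))   # None: goal unreachable
```

Fixing only the two cheap leaves under the OR node still leaves the AND branch open, which is the kind of link the slide says you must be selective about keeping in the tree.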

Slide 9: Intrusion Detection and Prevention Using Snort

- One of the worst things that can happen is entering your house and realizing that it has been broken into.
- But the next worse thing that can happen is that you enter your house, it has been broken into, and you don't know it.
- Your computer system is no different from your house from a protection perspective. You need some intrusion-prevention mechanisms.
- Snort 2.9.8.0 (http://www.snort.org)

Slide 10: Snort

- Snort is a rule-based Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS) that operates using sensors.
- Created by Martin Roesch in 1998. It is available in both an open source and a commercial version offered by Sourcefire.
- Operates in three modes: intrusion detection, intrusion prevention, packet sniffing.
- Several sub-modes depending on the detection and prevention requirements of your network: packet logging, traffic analysis on an IP network.

Slide 11: Snort - 2

- Snort is rule-based: you define a set of conditions based on how your evaluation is conducted, for example look for packets that are sent from a specific network address, or that are destined to a particular address.
- Snort uses sensors: points of interest in your network topology, such as a specific router in an office building.
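To make the "set of conditions" concrete, here is an added Python example that is not Snort's own code: a minimal matcher for Snort-style rule headers (action, protocol, source, source port, destination, destination port, plus a msg option), run over a constructed traffic sample. The rules, addresses and packets are all constructed; real Snort rules carry many more options and payload tests.

```python
# Added example (not Snort's own code): a minimal matcher for Snort-style rule headers.
import ipaddress
import re
from collections import namedtuple
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# The header fields a rule is matched against; values below are constructed, not captured.
Packet = namedtuple("Packet", "proto src sport dst dport")
def _addr_ok(spec, addr):  # 'any', a host, or a CIDR block; a leading '!' negates
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")
def _port_ok(spec, port):  # 'any', one port, or an inclusive 'lo:hi' range
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)
def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse rule: {text}")
    rule = m.groupdict()
    msg = re.search(r'msg:\s*"([^"]*)"', rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule
def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and _addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
            and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport))
def run_sensor(rules, packets):  # the msg of every rule that fires, in packet order
    parsed = [parse_rule(r) for r in rules]
    return [r["msg"] for p in packets for r in parsed if matches(r, p)]

# Constructed rules: the slide's two cases (from an address range; to one host) plus a
# negated source that flags ICMP coming from outside the office network.
RULES = [
    'alert tcp 10.0.0.0/8 any -> any 23 (msg:"telnet from an internal host";)',
    'alert tcp any any -> 192.168.1.10 1433 (msg:"traffic to the database server";)',
    'alert icmp !10.0.0.0/8 any -> any any (msg:"icmp from outside the office";)',
]
PACKETS = [  # constructed traffic sample
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.9", 23),
    Packet("tcp", "10.0.0.7", 51001, "192.168.1.10", 1433),
    Packet("tcp", "10.0.0.7", 51002, "192.168.1.10", 443),
    Packet("icmp", "198.51.100.4", 0, "10.0.0.5", 0),
]
```

Calling run_sensor(RULES, PACKETS) fires the first, second and third rule once each; the HTTPS packet to the database host matches nothing because its destination port is not 1433.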

Slide 12: Network Scanning Using Nmap

- Sometimes you need to audit and explore your network to perform inventory, schedule upgrades, and monitor your network for security-related activities.
- Nmap (Network Mapper) is the perfect tool in your toolbox for this task.
- Nmap is a network scanner: it can map the network based on hosts, services, ports, topology, timing, and various other profiles.
- It can guess (with reasonable accuracy) the operating system that a host runs by sending a network packet to the target host, examining the response header, and comparing it with known patterns in its database.

Slide 13: Nmap

- Nmap discovers various elements and produces a map of the network.
- It can discover passive services (whether or not a service is available).
- Written by Gordon Lyon.
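The "compare the response header with known patterns" step of slide 12, as an added Python illustration that is not Nmap's engine or its database: the three header attributes and every fingerprint value are constructed, and the score threshold shows the edge case an inventory has to handle, a host that matches nothing well enough to be named.

```python
# Added example (not Nmap's code or its nmap-os-db): nearest-match fingerprinting.
from collections import namedtuple

# The response attributes compared here; real fingerprints use many more (constructed).
Response = namedtuple("Response", "ttl window df")

# Constructed pattern database: invented values, deliberately not real OS fingerprints.
FINGERPRINTS = {
    "OS-A (constructed)": Response(ttl=64, window=29200, df=True),
    "OS-B (constructed)": Response(ttl=128, window=8192, df=True),
    "OS-C (constructed)": Response(ttl=255, window=4128, df=False),
}
MAX_SCORE = 5

def initial_ttl(ttl):
    """Each router hop decrements TTL, so map the observed value back to the initial one."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return ttl

def score(observed, pattern):
    """Weighted agreement between an observed reply and one database pattern (0..5)."""
    s = 2 if initial_ttl(observed.ttl) == pattern.ttl else 0
    s += 2 if observed.window == pattern.window else 0
    s += 1 if observed.df == pattern.df else 0
    return s

def guess_os(observed, min_score=3):
    """Best-matching name and its confidence; 'unknown' when nothing matches well enough."""
    name, pattern = max(FINGERPRINTS.items(), key=lambda kv: score(observed, kv[1]))
    s = score(observed, pattern)
    return (name if s >= min_score else "unknown", s / MAX_SCORE)

# Constructed inventory replies: the first is a clean match a few hops away, the second
# only partially matches, the third is the "guess not reliable" case.
SAMPLE_REPLIES = {
    "host-1": Response(ttl=57, window=29200, df=True),
    "host-2": Response(ttl=120, window=65535, df=True),
    "host-3": Response(ttl=30, window=1000, df=False),
}

def inventory(replies=SAMPLE_REPLIES):
    """Map each host to (guessed name, confidence) for an asset list."""
    return {host: guess_os(reply) for host, reply in replies.items()}
```

The confidence value is what an inventory report should carry alongside the guess, so a low-scoring host is re-checked rather than recorded as fact.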

Slide 14: Web Application Survey

- The most important piece of your website is its front-end. You need to evaluate the logic and the flow of this layer extremely carefully.
- The best way to do this is to manually click through all the links to check their integrity and ensure every page is operating as intended by the designer.
- However, for a complex site, this is not always practical.
- Tools: Lynx, Wget, Teleport Pro, BlackWidow, BrownRecluse Pro

Slide 15: Lynx

- Lynx is a text browser for the World Wide Web. It allows the user to dynamically traverse the target site and evaluate its contents.
- As of 2015, it is the oldest web browser currently in general use and development, having started in 1992.

Slide 16: Wget

- Wget is a free software package provided by GNU for retrieving files using the HTTP, HTTPS, and FTP protocols.
- Using a script and Wget, you could automatically download an entire website for static analysis.
- Latest version: 1.17 (12.2015)

Slide 17: Teleport Pro

- Teleport Pro is shareware for offline browsing by Tennyson Maxwell Information Systems, Inc.
- Provides: cookie support, JavaScript parsing capability, simultaneous retrieval threads, Java applet retrieval, retrieval filters.

Slide 18: BlackWidow

- BlackWidow is shareware from SoftByte Labs, for scanning a site and creating a complete profile of its structure and external and internal links, and even figuring out link errors.
- Has a powerful filtering capability to download all the files' contents for further offline analysis.
- Can scan a site remotely (that is, without downloading it to the local system).
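The click-through link check of slide 14 and the structure/external-link/link-error profile described for BlackWidow above, as one added Python example that is not any of the listed tools: the site is a constructed in-memory map from URL to HTML, standing in for pages mirrored with Wget, so the survey runs offline.

```python
# Added example (not from the slides or any listed tool): an offline link survey.
import re
from typing import Dict, List, Set
from urllib.parse import urljoin, urlsplit

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed site: URL -> HTML body, as a crawler or Wget mirror would have fetched it.
SITE: Dict[str, str] = {
    "https://shop.example/": '<a href="/catalog">Catalog</a> <a href="/cart">Cart</a>',
    "https://shop.example/catalog": '<a href="/item/1">Item 1</a> <a href="/catalog">Catalog</a>',
    "https://shop.example/item/1": '<a href="/cart">Add</a> <a href="https://pay.example/checkout">Pay</a>',
    "https://shop.example/cart": '<a href="/checkout">Checkout</a>',  # /checkout does not exist
}


def survey(start: str, pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Walk every reachable internal link; report structure, external targets and dead links."""
    host = urlsplit(start).netloc
    seen: Set[str] = set()
    queue = [start]
    report: Dict[str, List[str]] = {"internal": [], "external": [], "broken": []}
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = pages.get(url)
        if body is None:                    # linked from somewhere but no such page
            report["broken"].append(url)
            continue
        report["internal"].append(url)
        for href in HREF_RE.findall(body):
            target = urljoin(url, href).split("#")[0]   # resolve relative links, drop fragments
            if urlsplit(target).netloc != host:
                if target not in report["external"]:    # leaves the site: record, do not follow
                    report["external"].append(target)
            elif target not in seen:
                queue.append(target)
    return report


def run_survey() -> Dict[str, List[str]]:
    """Survey the constructed sample site from its front page."""
    return survey("https://shop.example/", SITE)
```

The "external" list is where a third-party payment or script host shows up, which is exactly the kind of front-end flow the slide says needs careful review.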

Slide 19: Vulnerability Scanning

- Vulnerability scanning is different from application survey and network scanning in that you already have knowledge of the existence of known flaws, you know how to detect them, and you go about finding them in target products.
- Modes: destructive mode, non-destructive mode
- Tools: Nessus, Nikto, Wireshark

Slide 20: Nessus

- One of the most comprehensive vulnerability scanners available to security professionals is without a doubt Nessus.
- Latest version: 6.3.3 (03-2015)
- It is developed and maintained by Tenable Network Security, Inc.
- Has a client and a server component. The server piece is called the Nessus vulnerability scanner.

Slide 21: Nessus - 2

Examples of what Nessus detects:
- Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.).
- Default passwords, a few common passwords, and blank/absent passwords on some system accounts.
- Denials of service against the TCP/IP stack by using malformed packets.

Slide 22: Nikto

- Nikto is an open source software package for web server scanning. Nikto is a good tool to reveal insecure configuration on web servers.
- Checks for over 6700 potentially dangerous files/CGIs.
- Checks for outdated versions of over 1250 servers and version-specific problems on over 270 servers.
- It also checks for server configuration items such as the presence of multiple index files.

Slide 23: Wireshark

- Wireshark (formerly known as Ethereal) is a very powerful network protocol analyzer.
- Although its design purpose was not to perform vulnerability scanning, we place it in this category because it provides a very rich set of features that, combined with Nessus and Snort, make for a hacker's dream toolset for network vulnerability scanning.
- Initial release: 1998. Latest version: 2.0 (11-2015)

Slide 24: Wireshark - 2

- Licensed under the GNU GPL v2.
- It can plug in to almost any known network interface: Ethernet, Token Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LAN, ATM connections, and many more.
- Wireshark is a pluggable and extensible network packet analyzer.
- Wireshark uses colors to help the user identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems.

Slide 25: Penetration Testing

- Penetration testing (or PenTest) is a combination of methods to simulate an attack by adversary entities (machine, human, or a combination of both) to assess the system protection for potential vulnerabilities.
- Try to break the system yourself before a hacker does it for you.
- There are two types of tests: destructive and non-destructive.
- Tools: Metasploit, Aircrack-ng

Slide 26: Metasploit

- Metasploit is one of the most advanced penetration testing tools available to security professionals.
- Consists of: a runtime environment (Metasploit Framework, or MSF), a shell (Meterpreter attack platform), predefined exploits (Payloads), a well-defined function (Exploits).
- Latest version: 4.11 (18-12-2015)

Slide 27: Metasploit - 2

- Metasploit deploys what is called a soft architecture. That is, it easily integrates with complementary tools such as Nmap, Nessus, Wireshark, code editors, and various types of debuggers and disassemblers, such as IDA Pro or SoftIce.

Slide 28: Aircrack-ng

- Aircrack-ng is a key-cracking program for the 802.11 WEP and WPA-PSK wireless protocols.
- Latest version: 1.2 (04-2015)
- It cracks the keys by capturing enough data packets from the target wireless access point.
- It can also be used as an auditing tool for wireless LANs.
- Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

Slide 29: Aircrack-ng - 2

[figure only; no text survived extraction]

Slide 30: Wireless Reconnaissance

- Almost all corporate entities have both wired and wireless access points.
- You have to determine what type of traffic is available, and how to circumvent security measures protecting it.
- Tools: NetStumbler, Kismet, AirMagnet Wi-Fi Analyzer

Slide 31: NetStumbler

- NetStumbler is a simple tool for detecting Wireless Local Area Networks (WLANs), or wireless hotspots.
- It is available only for the Microsoft Windows operating system and is very easy to use.
- Facilitates detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards.
- Latest version: 0.4.0 (04-2014)

Slide 32: NetStumbler - 2

The program is commonly used for:
- Wardriving
- Verifying network configurations
- Finding locations with poor coverage in a WLAN
- Detecting causes of wireless interference
- Detecting unauthorized ("rogue") access points
- Aiming directional antennas for long-haul WLAN links

Slide 33: Kismet

- Kismet is a feature-rich wireless network detector and Intrusion Detection System (IDS).
- Kismet can sniff or intercept the content of all variants of the 802.11 protocol.
- Latest version: 2013-03-R1b (04-2013)
- Without sending any loggable packets, it is able to detect the presence of both wireless access points and wireless clients, and to associate them with each other.