Presentation_ID © 1999, Cisco Systems, Inc. Cisco Security Consulting Assessing your Network for Vulnerabilities Danny Rodriguez Network Security Engineer

Upload: elizabeth-brown

Post on 22-Dec-2015

Assessing your Network for Vulnerabilities

Danny Rodriguez

Network Security Engineer

Agenda

• Why assess your Network?

• Define Assessment goals

• Assessment Methodology

• Break

• Common vulnerabilities

• Recent vulnerabilities

Why Assess your Network?

• Fear of “CNN” moment

• Mandated by management

• Determine risk to Intrusion

• Measure effectiveness of safeguards

Why Assess your Network? (Cont.)

• To accurately map your network

• To identify vulnerabilities and countermeasures

• ...

Define Assessment goals

• What do you want to accomplish?

• Test effectiveness of current safeguards

• Measure staff's ability to detect and respond

• Discover vulnerabilities present

• Determine risk to Denial-of-Service

Assessment Methodology

SPA = External, Dial, Internal Analysis

[Diagram labels: WAN, Internet, Enterprise Network; External IP Assessment, Internal Network Assessment, External Dial Assessment]

Dial Methodology

• Discovery

– Dial phone numbers provided

– During normal business hours

– During off hours (weekends, nights)

– Identify phone numbers with carriers

Dial Methodology (Cont.)

• Carrier Analysis

– Determine type of connected device

• router, PC, phone switch

– Determine type of remote control software

• pcAnywhere, ReachOut

Dial Methodology (Cont.)

• Penetration

– Test authentication

• Digital lines often overlooked (ISDN, DSL)

Network Assessment

• Network Mapping

– Host and Service discovery

• Targeting

– Identifying potential vulnerabilities

• Exploitation

– Confirm potential vulnerabilities

Network Mapping

• Build registered map

– Public info

• Whois database (InterNIC, ARIN)

• DNS High Zone transfers

Network Mapping (Cont.)

• Build electronic map

– “Live” hosts and active services

• ICMP Sweeps

• Port scans

– well-known ports

– “blind” (not responding to ICMP)

Network Mapping (Cont.)

• Map of record

– Customer provided information

• Network topos

– Including ISP information

• Registered domain names

• Hosted web sites

Targeting

• Banner analysis

– Host (login)

– Service (smtp, pop, http)

• Port correlation

• Identify potential vulnerabilities

Exploitation

• Automated confirmation tools

• Manual confirmation

– “Mind” in the middle

• Secondary exploitation

– “Launch pad”

Break

Common Vulnerabilities

Common vulnerabilities

• Passwords

• Dial-up

• Network Infrastructure

• Host based

• Service based

– HTTP, SMTP, FTP

Passwords

• Clear-Text

• “Null” passwords

• “Joe” passwords

• Weak passwords

Passwords

• No required length

• No aging

• No history

• Same password used for different access levels

Password Recommendations

• Use encrypted passwords

• Develop a password policy

– Require a password

– Require a minimum length

• 7 alphanumeric

– Implement password history and aging

Passwords Recommendations (Cont.)

• Develop a password policy

– Require unique passwords be used for different levels of access

• “Crack” passwords routinely

– L0phtCrack and John the Ripper

Dial-up

• Unauthorized modems

• Poor authentication mechanism

• No logging

• Digital lines often not analyzed

Dial-up Recommendations

• Have strict policies and procedures

• Centralize modem pool

• Implement proper authentication mechanism

• Adequate logging

• Include Digital lines in assessment

Network Infrastructure

• Unfiltered network traffic

• Remote management not restricted

• Susceptible to “sniffers”

• Susceptible to session hijacking

Network Infrastructure

• Guessable SNMP community strings

– public, private, system, read, write

• Extranet connections

– vendors, partners

• No logging

Network Infrastructure: Recommendations

• Determine what network traffic should be allowed IN and OUT (policy)

• Restrict remote access only to authorized management workstations

• Determine if encryption is an option

• Implement a switched network

Network Infrastructure: Recommendations (Cont.)

• Adequate logging

– Log to external device (syslog)

• Use “good” SNMP community strings

• Designate SNMP host servers

• Identify and properly segment extranet connections
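
Added example (not part of the original slides): a shell/awk check of an IOS-style configuration against the SNMP and logging recommendations above. The function names, finding labels and sample configuration are constructed; it assumes the `snmp-server community` and `logging` command forms and does not verify that a referenced access list exists.

```sh
#!/bin/sh
# Added example: flag guessable SNMP community strings, communities with no
# access list, and a missing external syslog host in an IOS-style config.

# audit_snmp CONFIG: print one finding per line.
audit_snmp() {
    awk '
        BEGIN {
            # Guessable community strings listed on the slides.
            n = split("public private system read write", w, " ")
            for (i = 1; i <= n; i++) weak[w[i]] = 1
        }
        $1 == "snmp-server" && $2 == "community" && NF >= 3 {
            acl = ""
            for (i = 4; i <= NF; i++) {
                t = tolower($i)
                if (t == "view") { i++; continue }   # skip the view name
                if (t == "ro" || t == "rw") continue
                acl = $i                             # access list number or name
            }
            key = tolower($3)
            if (key in weak) print "GUESSABLE_COMMUNITY " $3
            if (acl == "")   print "NO_ACL " $3
        }
        $1 == "logging" && ($2 == "host" || $2 ~ /^[0-9]+\.[0-9]+\./) { syslog = 1 }
        END { if (!syslog) print "NO_SYSLOG_HOST" }
    ' "$1"
}

# write_sample_config FILE: constructed configuration for the demo
# (documentation addresses, made-up community strings).
write_sample_config() {
    cat > "$1" <<'EOF'
hostname constructed-rtr
snmp-server community public RO
snmp-server community private RW 10
snmp-server community Zq7-constructed-Xw RO 10
access-list 10 permit 192.0.2.10
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_snmp "$cfg"
rm -f "$cfg"
```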

Host based

• Unnecessary Services

• Incorrect file permissions

• Trust relationships

• Log files not reviewed

• No logging

Windows

• Accessible shares to “Everyone”

• No logging

– Disabled by default in Windows NT

• WinNT NTFS not being utilized

• Domain Admin and Local Admin password the same

Windows (Cont.)

• Anonymous user connection

• Ability for any user to submit an “AT” job

• Access to backup SAM file

• Misconfigured domain trust relationship

Windows Recommendations

• Apply latest service packs, where applicable

• Adequate logging

• Set correct file permissions

– shares

– sensitive system files

• backup SAM

Windows Recommendations (Cont.)

• Format WinNT system as NTFS

• Use different passwords for Domain Admin and Local Admin accounts

• Implement registry edits for:

– Anonymous user connection

– AT job submission

• Properly design NT domain Trusts

Unix

• Incorrect file permissions

• Log files not reviewed

• Unnecessary services

– R-services: rsh, rlogin, rexec

– echo, discard, finger, rpc

Unix (Cont.)

• setuid programs

• Misconfigured NFS servers

• Trust relationships

• World readable password file

• Access to X-Windows*

Unix Recommendations

• Implement system auditing tools

– tripwire, logcheck

• Implement host based access control

– tcpwrappers

• Replace R-services with SSH implementation

Unix Recommendations (Cont.)

• Identify and remove setuid programs that are not needed

– $ find / -perm -4000 -print

• Implement proper NFS access controls

– Host and file permissions
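
One way to act on the find command above, as an added example that is not from the original slides: keep an approved list of setuid programs and report drift from it. The baseline file, its format, the finding labels and the function names are assumptions.

```sh
#!/bin/sh
# Added example: setuid inventory checked against an approved baseline.

# list_setuid DIR: regular files under DIR with the setuid bit set, sorted.
# -xdev keeps find on one filesystem, so NFS and other mounts are skipped.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# read_baseline FILE: approved paths, one per line; "#" comments and blank
# lines are ignored (so paths containing "#" are not supported).
read_baseline() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# setuid_drift DIR BASELINE: print "UNAPPROVED path" for setuid files that are
# not in the baseline and "MISSING path" for baseline entries that were not
# found as setuid files under DIR (removed, replaced, or bit cleared).
setuid_drift() {
    found=$(mktemp) approved=$(mktemp)
    list_setuid "$1" > "$found"
    read_baseline "$2" > "$approved"
    LC_ALL=C comm -23 "$found" "$approved" | sed 's/^/UNAPPROVED /'
    LC_ALL=C comm -13 "$found" "$approved" | sed 's/^/MISSING /'
    rm -f "$found" "$approved"
}

if [ $# -eq 2 ]; then
    # Real use: sh setuid_drift.sh / /path/to/baseline
    setuid_drift "$1" "$2"
else
    # Constructed demo tree: two setuid files, only one of them approved.
    t=$(mktemp -d)
    : > "$t/approved-tool"
    : > "$t/stray-tool"
    chmod 4755 "$t/approved-tool" "$t/stray-tool"
    printf '%s\n' "# approved setuid programs" "$t/approved-tool" > "$t/baseline"
    setuid_drift "$t" "$t/baseline"
    rm -rf "$t"
fi
```

Run it from cron against the same tree the baseline was built from, and review every UNAPPROVED line before adding it to the list.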

Unix Recommendations (Cont.)

• Determine need for trust relationships

• Enforce X-Windows access control

• Implement shadow passwords

– pwconv
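
Added example (not part of the original slides): an audit of passwd- and shadow-format files for the account problems listed earlier (“Null” passwords, no aging, world readable password hashes) and for whether shadow passwords are in place. The function names, finding labels and sample files are constructed; treating a maximum age of 99999 or an empty field as "no aging" is an assumption.

```sh
#!/bin/sh
# Added example: audit passwd/shadow-format files for null passwords,
# hashes left in the world-readable passwd file, and missing password aging.

# audit_accounts PASSWD SHADOW: print one "FINDING user" line per problem.
audit_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }
        FILENAME == ARGV[1] {
            # passwd: name:password:uid:gid:gecos:home:shell
            # "x" means the hash lives in shadow; "*" or "!" means locked.
            if ($2 == "") print "NULL_PASSWORD " $1
            else if ($2 != "x" && $2 !~ /^[!*]/) print "UNSHADOWED_HASH " $1
            if ($3 == 0 && $1 != "root") print "EXTRA_UID0 " $1
            next
        }
        {
            # shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
            if ($2 == "") print "NULL_PASSWORD " $1
            else if ($2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999)) print "NO_AGING " $1
        }
    ' "$1" "$2"
}

# write_sample DIR: constructed passwd and shadow files. The hash fields are
# placeholders, not real hashes.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:CONSTRUCTEDHASH0:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
dave:x:1004:100:Dave:/home/dave:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTEDHASH1:10800:0:90:7:::
alice:CONSTRUCTEDHASH2:10800:0:99999:7:::
toor:!:10800:0:99999:7:::
dave::10800:0:90:7:::
EOF
}

d=$(mktemp -d)
write_sample "$d"
audit_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```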

Novell

• Accounts with “Null” password

• Access to management tools

– RCONSOLE

– NWADMIN, SYSCON

Novell (Cont.)

• Access to SYSTEM and ETC file systems

• Weak RCONSOLE passwords

• No logging

Novell Recommendations

• Require passwords

• Restrict access to system files and management tools

• Determine need for RCONSOLE

Novell Recommendations (Cont.)

• Implement encrypted RCONSOLE password mechanism

• Choose “good” RCONSOLE password

• Adequate logging

Common Service Vulnerabilities

• HTTP (Web)

– Apache, Netscape, MS IIS

• SMTP (Mail)

– Sendmail, MS Exchange

• FTP

– wu-ftp, ProFTP, MS FTP

HTTP Vulnerabilities

• Access to cgi-bin, scripts directory

• Sample scripts

• PUT Method

• Buffer overflow

– MS IIS

SMTP Vulnerabilities

• Mail Relay

• SPAM

• Old sendmail versions

– remote “root” exploit

FTP Vulnerabilities

• Anonymous FTP

– Read/Write permissions incorrect

• Misconfigured “root” directory

– Allows access to entire file system

• Ability to perform “bounce” port scan

Recent Vulnerabilities

• Windows

– MS IIS (DoS attack)

– MS Office ODBC

• Linux

– crond, libtermcap, wu-ftpd

Recent Vulnerabilities (Cont.)

• Solaris

– Calendar program (rpc.cmsd)

• HTTP

– cgi script allowed access to HotMail accounts

Questions
