Welcome to All Participants

About This Presentation

Title:

Welcome to All Participants

Description:

Let Me first Congratulate all the Organizers. First, You may ... Turn off glue fetching. Filter traffic to DNS name server. Run services in less priveleged mode ... – PowerPoint PPT presentation

Number of Views:417

Avg rating:3.0/5.0

Slides: 167

Provided by: RIT73

more less

Transcript and Presenter's Notes

Title: Welcome to All Participants

1
Welcome to All Participants

Prof NB Venkateswarlu
HOD, IT, GVPCOE
Visakhapatnam
venkat_ritch_at_yahoo.com

Let Me first Congratulate all the Organizers

First, You may have to Excuse me!!.
May be, I am the only odd man out!.

However, I am helpless. My Talk is a last
minute adjustment. Neverthless, I am sure you
will Enjoy.

Penetration Testing Tools Linux Perspective

6
What I am going to Cover?

Briefing general security threats
SQL Injections
Physhing
DNS hacking
SPAMS
BOTNETS
Linux Security Aspects
CERT-In Initiation under Ministry of Information
Technology, Govt of India.

7
Most Noted Reasons

Buffer overflows
Format String problems
Integer Overflows
SQL Injections
Command Injection
Failure to handle errors
Cross-site scripting

8
Most Noted Reasons - Cont

Failure to protect network traffic
Use of magic URLs and hidden forms
Improper use of SSL
Use of weak password based systems
Failure to store and protect data securely
Information leakage
Trusting network address resolution

9
Most Noted Reasons - Cont

Improper file access
Race conditions
Unauthorised key exchange
Failure to use cryptographically strng random
numbers
Poor usability

10
Defacement Statistics, Dec 2006
11
(No Transcript)
12
Cyber Insurance US Statistics

Premium Paid 100 millions
Claims Paid 14 millions

13
(No Transcript)
14
(No Transcript)
15
How did he do it?

Social Engineering
Ex
Our Mumbai server is down. Please click the
standby server

16
SQL Injections

Let us consider the following line in an ASP
script
Queryselect count() from users where
UserName userName and userPass
password

Let Username as Ram and password as or 11
Now created SQL statement becomes
Select count() from users where userNameRam
and userPass or 11
Thus checks for empty password

Similarly let username as
having 11
Dsiplays users.UserName is invalid indicating
table name and attribute name

Now username is
or users.userName like admin
Now he can login as Admin!!

May give chance to run multiple SQL statements
For example username as
or 11 drop table users --
shutdown with nowait --
May give chance to run extended scripts
exec master .. Xp_cmdshell iisreset --

21
SQL Injection through URL
22
Physhing Pharming
23
How Physhing works?
24
(No Transcript)
25
(No Transcript)
26
Monitoring bounced emails, account activity, call
volumes, password eqnuiries
27
SPAMS

Search engines
Addresses posted in public areas such as USENET
Email directories, Yellow Pages
Readymade lists (for sale!)
Chat rooms
Bruteforce attacks

28
Botenets
29
DDOS Attack
30
DDOS Attack
31
(No Transcript)
32
Botnets
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
How to tackle SPAMS

Content based filtering
Pattern Matching
Hash Matching
Bayesian filtering
Source address based filtering

39
Source Address Filtering

White lists
Block lists
Reputation analysis
Real time block hole lists
Challenge-Response

40
How to STOP SPAM -Cont

SMTP server Implementing
Should not relay unauthorized mails
Separate ports for submission and relay
Implement client authentication
Disable SMTP commands like VRFY
Prevent remote mails to local groups
Define max no of receipients per message
Reject NULL sender identity
Digital signatures

41
Educating People
42
(No Transcript)
43
Disable cross-site scripts, stop injected scripts
44
Mutual Authentication, Data destination block
listing
45
Use trusted path
46
(No Transcript)
47
Password hashing, transaction authentication
48
Induce delays especially in financial institutions
49
DNS ATTACKS
50
DNS

Components of DNS
DNS Zones
DNS Name Space
Resource Records
Name Servers

51
DNS Name Space
52
Types of Name Servers

Primary
Secondary
Caching

53
DNS Zone

Contiguous portion of name space
A name server can serve one or more zones
A zone may have one or more zones
Zone files for the zone only
Forward lookup zone
Reverse lookup zone

54
Resource records

Name server
Host
Mail exchange
Start of authority
Canonical name

55
DNS query type
56
Recursive Query
57
Common DNS Attacks

Foot printing
Redirection
DOS
Data Modification/IP spoofing
DNS cache posioning
Where to be cautious?
Host, Transactions, query and/responser

58
Countering DOS

All Name servers should not be
In a single subnet
Behind a single router
On a single leased line
Have offsite slave name server
Restrict zone transfer

59
Countering IP Spoofing

Turnoff recursion
Restrict the addresses which name server responds
Restrict the addresses which name server responds
to recursive queries

60
Transaction Security (DNSEC)
61
Best Practices

Provide redundant DNS services
Use separate servers for adv/resolving
Limit DNS interface access for resolution
Restrict zone replication
Restrict dynamic updates
Prevent cache corruption
Disable recursion
Turn off glue fetching
Filter traffic to DNS name server
Run services in less priveleged mode
Source address validation

62
(No Transcript)
63
(No Transcript)
64

Dont reply personal info. Ask in person. Visit
the web sites in person.
Dear Sir/Madam is suspicious. Dear Mr Rao
probably ok.
An exciting or upsetting statements doubtful such
as work from home
They ask for username, password etc
Never fill email forms

Regularly check your bank a/c
Make sure your OS is up to date
Javascriptalert(The actual URL of tyhis site
location.protocol // location.hostname
/)
To browser bar
Use password hashing

66
(No Transcript)
67
(No Transcript)
68
(No Transcript)
69
(No Transcript)
70
Penetration Testing

Discover Vulnerabilities
Plan the attack vector
Launch the attack
Gain the access
Exploitation
Simulating SPAM, Mail Spoofing
Gaining the shell

71
(No Transcript)
72

Block box No info is given to pen tester
White box Info is supplied
Attacks
Bruteforce, malicious code, eavesdropping,
phishing,DoS

73
Pen test results

Identified vulnerabilities
Sources of the same
Impact
risk

74
(No Transcript)
75

Pen Test Vul Ass
Auditing
Initial Info Limited Limited Full
Outcome Access List of Secure
to Network Vulnerabi. System
Location Inter/Exter External On Sys
Tine Medium Short Long

76
Linux Tools and Practices
77
Finger Printing

Knowing OS
OS version
Other device names
Database names etc
Example TCP finger printing tools nmap, queso,
cheops
telnet, finger, strobe, netcat, SATAN
telnet hostname ftp - displays details

78
Finger printing - cont

telnet hostname http
Results
GET /scripts/..255c../../..cmd.exe/
Volume in drive C has no label
Volume Serial No

79
Linux Commands

netstat ltunp //List all listening ports
netstat atunp //Lists active connections
rpcinfo //Lists all services

80
Host based IDS

ISS Realsecure Server Sensor
Check host file system Consistency-TripWire, AIDE
Tripwire can intimate through email and can be
configured as cron
To build database tripwire init
To check tripwire checkgterror.txt

81
Bastile To harden Linux

Many Yes/Nos

82
Osiris osiris.shmoo.com

Osirisd Host1
Osiris,osirismd Trusted Host
Check Host network connections BlackICE,
PortSentry
Check host log files LogSentry, Swatch

83
(No Transcript)
84
Snort www.snort.org

User can specify the pattern in the packets and
actions
Additional plug-ins can be specified for example
to avoid subnet flooding etc.,

85
(No Transcript)
86
How do we know it is attacked?

CPU utilization, disk activity, users login, file
activity
Protocol validation by comparing analysed traffic
with RFCs
DOS (crashing some applications)

Removing services from /etc/rc.d/init.d
rm rf servicename

88
Access Controls

Set BIOS password
Set GRUB boot loader password through the
following steps
a. Create a password hash by issuing the command
/sbin/grubmd5crypt
b. Edit /boot/grub/grub.conf to add the following
line after timeout tag
password md5 ltgenerated md5 hashgt
Avoid booting into single user mode without root
password. Edit /etc/inittab and
add the following line after id3initdefault
Swait/sbin/sulogin

Create a custom banner message in /etc/issue and
/etc/issue.net
Example banner message UNAUTHORISED ACCESS IS
PROHIBITED
Choose passwords that are complex to guess. Set
password parameters (max. days, min. days, min.
length etc.,) in /etc/login.defs
Disable CTRLALTDEL by commenting the line
cactrlaltdel/sbin/shutdown t3 r now
in /etc/inittab

Edit /etc/profile file and set TMOUT3600. This
will automatically timeout bash shell after 3600
seconds
Restrict root login to only one tty and one vc.
Edit /etc/securetty to comment out the lines tty2
to tty11 and vc/2 to vc/11

Delete unnecessary system users and groups from
/etc/passwd and /etc/group\
userdel ltusernamegt
groupdel ltgroupnamegt
Following are some system users and groups that
can be deleted
Users lp, sync, shutdown, halt, news, gopher,
operator, games, mail , uucp, ftp
Groups lp, games, uucp, x.
Change default shell for users bin, daemon, rpm,
vcsa, nobody to /dev/null

92
File System Security

Set the UMASK attribute in /etc/profile to 033
Find world writable files and change the
permission if world writable permission is not
required
find / perm 2 type f --print
chmod ltpermissionsgt ltfilenamegt
Find out hidden files and directories
find / name ..'' --print --xdev
find / name .'' --print --xev cat --v

Carefully check the files and keep a list of
default hidden files for later on regular audit
reference. If any of the files are not required
remove them by
rm --rf ltfile namegt
If any world writable file is not required, set
the sticky bit
chmod t ltfile namegt

Find out the executables with SUID or SGID bit
set and keep track of what they are so that
administrator is aware of any changes.
find / type f \( perm 04000 o perm 02000 \)
exec ls l \
Removable media nosuid and nodev option

Edit /etc/fstab to
mount /boot with nodev and read only option
Label/boot /boot ext3 nodev,ro......
mount cdrom and floppy with nosuid and nodev
option
/dev/cdrom /mnt/cdrom udf,iso9660
nosuid,nodev,noauto,.......
/dev/fd0 /mnt/floppy udf,iso9660
nosuid,nodev,noauto,......
Remove the files with no user and no group
find / nouser --o --nogroup --exec rm --rf \

Use nosuid to partitions (defined in /etc/fstab)
that are writable.
Keep track of all the SUID/SGID files

97
Cryptographic File Systems (CFS), Transparent
Cryptographic File System

insmod loop.o
/etc/fstab entry
/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0
0
dd if/dev/vrandom of/etc/cryptfile bs1M
count10
Losetup e xor /dev/loop0 /etc/cryptfile
Mkfs t ext2 /dev/loop0
Mount t ext2 /dev/loop0 /mnt/crypt
Umount /dev/loop0
Losetup d /dev/loop0

98
Change the permissions for the following files

chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 100 /bin/rpm
chmod 100 /bin/tar
chmod 100 /bin/gzip

chmod 100 /bin/ping
chmod 100 /bin/gunzip
chmod 100 /bin/mount
chmod 100 /bin/umount
chmod 100 /usr/bin/gzip
chmod 100 /usr/bin/gunzip

100

chmod 100/usr/bin/who
chmod 100 /usr/bin/lastb
chmod 100 /usr/bin/last
chmod 100 /usr/bin/lastlog
chmod 100 /sbin/arping
chmod 100 /usr/sbin/arping
chmod 100 /usr/sbin/usernetctl

101

chmod 100 /usr/sbin/traceroute
chmod 400 /etc/syslog.conf
chmod 400 /etc/hosts.allow
chmod 400 /etc/hosts.deny
chmod 400 /etc/sysconfig/syslog
chmod 644 /var/log/wtmp
chmod 644 /var/log/utmp

102
Change the attributes for the following files

chattr i /etc/passwd
chattr i /etc/shadow
chattr i /etc/services
chattr i /etc/gshadow

103

chattr i /etc/group
chattr i /etc/login.defs
chattr i /etc/init.d/
chattr i /etc/services
chattr i /etc/inittab
chattr i /etc/fstab

104

chattr i /usr/bin/who
chattr i /usr/bin/lastb
chattr i /usr/bin/last
chattr i /usr/bin/lastlog
chattr i /etc/syslog.conf
chattr i /etc/sysconfig/syslog

105
Set file system limits instead of allowing
unlimited usage. Control the peruser limits
using the resourcelimits file /etc/security/limit
s.conf and a PAM module
106
For example, limits for group users' might look
like this _at_users hard core 5000 _at_users hard
nproc 50 _at_users hard rss 5000 This says to
limit the creation of core files, restrict the
number of processes to 50, and restrict memory
usage per user to 5 MB
107
Incident Handling

Look for change in permission
-- World writable permissions
find / perm 2 type f --print
-- Find SUID root files
find / type f perm 04000 ls
-- Find GUID root files
find / type f perm 02000 ls
-- Time stamp
Find files access for last 1 day, 1 hr etc
Find atime
Ls --lautR

108

Check for promiscuous mode.
-- Ifconfig a
Check for new user existence.
-- /etc/passwd
Find list of open ports
-- nmap scan
-- Netstat l
Current processes
-- Ps aux
system calls by an executable. (Trojanoid
Binaries)
-- ltrace, strace, trussCheck

109

Check for traffic in out
-- Ethereal, tcpdump etc
Examine suspicious binaries
-- strings
Incident Handling
Presence of malicious code
-- Chkrootkit
Checks for presence of rootkits
-- Tripwire

110
The Coroners tool kit

TCT is a collection of tools written with the
specific goal of gathering or analyzing
forensic information on a Unx machine...
Four major parts of TCT
-- graverobber
-- the C tools (ils, icat, pcat, file, etc.)
-- unrm lazarus
-- mactime

111

graverobber v /
Automated way of collecting forensic info
Gathers, in order
-- Memory
-- Unallocated filesystem
-- netstat, route, arp, etc.
-- ps/lsof, capture all process data
-- stat MD5 on all files, strings on
directories
-- Config, log, interesting files (cron, at,
etc.)

112

graverobber
data capturing tool at the heart of TCT
runs various commands and records the
output
captures by order of volatility
most effectively used when run as root
over an entire filesystem

113

pcat Process CAT
ils Inode LS
icat Inode CAT
shell commands

114
Incident Handling DOS

SYN attack
-- monitoring number of TCP Connection in a
syn_rcvd state.
-- netstat --an --f grep SYN_RCVD wc --l
Watch the value of the TcpHalfOpenDrop
parameter
-- netstat s P grep tcpHalfOpenDrop

115
Syslog and SyslogNG

The advantages of SyslogNG over Syslog are
ability to transport syslog messages over TCP
filtering based on message contents
logging of complete chain of forwarding
loghosts
(unlike regular syslog which will only record the
name of last step)
support digital signatures and encryption.
Can be run in a chrooted environment

116
Kernel Security

Set the following kernel parameters
echo 0 gt /proc/sys/net/ipv4/tcp_syncookies
echo 0 gt /proc/sys/net/ipv4/icmp_ignore_bogus_erro
r_responses
echo 1 gt /proc/sys/net/ipv4/icmp_echo_ignore_broad
casts
echo 4096 gt /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 gt /proc/sys/net/ipv4/tcp_timestamps

117
Add the following in the /etc/sysctl.conf

net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route0
net.ipv4.conf.all.accept_redirects0
net.ipv4.conf.all.secure_redirects0
net.ipv4.conf.default.rp_filter1
net.ipv4.conf.default.accept_source_route0

118

net.ipv4.conf.default.accept_redirects0
net.ipv4.conf.secure_redirects0
net.ipv4.conf.eth0.forwarding 0
net.ipv4.conf.all.send_redirects0
net.ipv4.conf.defaults.send_redirects0

119
Log Security

Add an entry in /etc/hosts file for the central
syslogger . The entry could be
ltip addressgt loghost
Change the default /etc/syslog.conf file with the
following
.debug /var/log/messages
kern.debug /var/log/kernel.log
user.debug /var/log/user.log
mail.debug /var/log/mail.log
daemon.error,info,alert,notice /var/log/daemon.log
auth.notice,crit,info /var/log/auth.log
authpriv.debug /var/log/authpriv.log
local2.notice,alert /var/log/sudo.log
syslog.debug /var/log/syslog.log
. _at_loghost

120

Create btmp file in /var/log directory
touch /var/log/btmp
Turn on accounting of processes
accton /var/log/pacct

121
Firewalls

Packet Filtering
Proxy Firewall
Application gateway (screened-host firewall)

122

IPTables command options
There are three built-in tables in the Linux
kernel's netfilter, and each has built-in chains.
the iptables command is used to configure these
tables.
1. filter A table that is used for routing
network packets. This is default table, and is
assumed by iptables if the t parameter is not
specified.
INPUT Network packets that are destined for
the server.
OUTPUT Network packets that originate on the
server.
FORWARD Network packets that are routed
through the server.
right
.

123

2. nat A table that is used for NAT. NAT is a
method of translating internal IP address to
external IP addresses.
PREROUTINGnetwork packets that can be altered
when they arrive at the server.
OUTPUTNetwork packets that originate on the
server
POSTROUTING Network packets that can be
altered

124

3. mangle A table that is used for altering
network packets.
INPUT Network packets that are destined for
the server.
OUTPUT Network packets that originate on the
server.
FORWARD Network packets that are routed
through the server.

125

PREROUTINGnetwork packets that can be altered
when they arrive at the server.
POSTROUTING Network packets that can be
altered right before they are sent out.
Commands tell IPTables to perform a specific
action, and only one command is allowed per
iptables command string. Except for the help
command, all commands are written in uppercase
characters

126
Iptables Firewall

The Network firewall security policy defines the
access or level of access to the different
services and applications. The methods to
implement firewall rules are given below.
Everything not specifically denied is permitted
Everything not specifically permitted is denied
Set the firewall policy to drop all packets as
defined in second method
iptables P INPUT DROP

127

iptables P OUTPUT DROP
iptables P FORWARD DROP
Now depending upon the Firewall policy,
administrator can define firewall rule sets to
explicitly grant access to only permitted
services or applications.

128

Allowing www
iptables A
INPUT p
tcp dport www j
ACCEPT

This command appends a rule to the filter table
since no table is defined with t. The rule is
appended to the INPUT chain in the filter table,
as noted by INPUT after A. This rule looks for
packets where the protocol is tcp and the
destination port is www service, or port 80 as
listed in /etc/services file. The target for this
rule is to let the packet pass through to its
destination, which is accomplished by sending
the packet to the ACCEPT target
129
Forwarding iptables
A FORWARD i ppp0 o eth0 m state
\ state ESTABLISHED,RELATED j ACCEPT

The lines above append (A) a new rule to the
filter table to the forwarding chain (FORWARD)
from the outside interface out to the internal
interface where the packet's state is either a
previously established connection or a related
connection. As long as the default policy for the
FORWARD chain is to DROP packets , a new
connection from the outside will not match this
rule and will be dropped.

130
Doing masquerading (NAT) iptables t nat
A POSTROUTING o ppp0 j MASQUERADE Or,
where x.x.x.x is a valid static IP address on
the external interface. iptables t nat
A POSTROUTING o eth1 j SNAT to x.x.x.x

The first example matches all traffic that is
going out on the outgoing interface. The target
is MASQURADE which is used to do NAT on
interfaces with dynamic IP addresses, such as
ppp0 (dialup) interface.

131
iptables is being configured to allow the
firewall to send ICMP echorequests (pings) and in
turn, accept the expected ICMP echoreplies.? set
rules that allow telnet inside the network, but
not outside

iptables A
OUTPUT p
icmp icmptype
echorequest
j
ACCEPT
iptables A
INPUT p
icmp icmptype
echoreply
j
ACCEPT

132

iptables A
OUTPUT p
tcp destinationport
telnet d
198.168.0.0 j
ACCEPT
iptables A
OUTPUT p
tcp destinationport
telnet d
! 198.168.0.0
j
REJECT

133
Integrity Checkers -- md5sum, sha1sum and
Tripwire

Port Scanners nmap
Vulnerability Assessment nessus and SARA

134

basesystem glib libuser rpmdbredhat
bash glib2 losetup Sed
beecrypt Glibc Lvm Setup
bzip2 Glibccommon Makedev Setuptool
bzip2libs Gpm Mingetty shadowutils
chkconfig Grep Mkinitrd Slang
comps3es Grub Mktemp Slocate
coreutils Gzip Modutils Sysklogd
cracklib hwdata Mount SysVinit
cracklibdicts Info Ncurses Tar

135
Important Files/commands

crontabs initscripts Netconfig Termcap
cyrussasl iproute nettools Tmpwatch
cyrussaslmd5 iptables newt Tzdata
db4 iputils openldap Usermode
dev Kbd openssl utillinux
devlabel kernel pam vimcommon
diffutils kernelutils passwd vimminimal
e2fsprogs krb5libs patch Which
elfutilslibelf kudzu pcre Words
ethtool less popt Zlib
file libacl procps
filesystem libattr psmisc
findutils libgcc readline
gawk libstdc3 rootfiles
gdbm libtermcap rpm

136
Xlock vlock

If you wander away from your machine from time to
time, it is nice to be able to "lock" your
console so that no one tampers with or looks at
your work. Two programs that do this are xlock
and vlock.
Xlock is a X display locker. It should be
included in any Linux distributions that support
X. Check out the man page for it for more
options, but in general you can run xlock from
any xterm on your console and it will lock the
display and require your password to unlock.
vlock is a simple little program that allows you
to lock some or all of the virtual consoles on
your Linux box. You can lock just the one you are
working in or all of them. If you just lock one,
others can come in and use the console, they will
just not be able to use your virtual TTY until
you unlock it. vlock ships with Red Hat Linux,
but your mileage may vary.
Of course locking your console will prevent
someone from tampering with your work, but does
not prevent them from rebooting your machine or
otherwise disrupting your work. It also does not
prevent them from accessing your machine from
another machine on the network and causing
problems.

137
Some Linux Tools useful for Penetration Testing
138
Nessus www.nessus.org

The premier Open Source vulnerability
assessment tool Nessus is a remote security
scanner forWindows, Linux, BSD, Solaris, and
other Unices. It is plug-in-based, has a GTK
interface, and performs over 1200 remote security
checks. It allows for reports to be generated in
HTML, XML, LaTeX, and ASCII text, and suggests
solutions for security problems

139
Hping www.hping.org

A network probing utility like ping on
steroids hping3 assembles and sends custom
ICMP/UDP/TCP packets and displays any replies. It
was inspired by the ping command, but offers far
more control over the probes sent. It also has a
handy traceroute mode and supports IP
fragmentation. This tool is particularly useful
when trying to traceroute/ping/probe hosts behind
a firewall that blocks attempts using the
standard utilities.

140
Dsniff http//naughty.monkey.org/dugsong/dsniff/

A suite of powerful network auditing and
penetration-testing tools This popular and
well-engineered suite by Dug Song includes many
tools. dsniff, filesnarf, mailsnarf, msgsnarf,
urlsnarf, and webspy passively monitor a network
for interesting data (passwords, e-mail, files,
etc.). arpspoof, dnsspoof, and macof facilitate
the interception of network traffic normally
unavailable to an attacker (e.g, due to layer-2
switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected
SSH and HTTPS sessions by exploiting weak
bindings in ad-hoc PKI. A separately maintained
partial Windows port is available here.

141
LANGuard

A commercial network security scanner for
Windows LANguard scans networks and reports
information such as service pack level of each
machine, missing security patches, open shares,
open ports, services/applications active on the
computer, key registry entries, weak passwords,
users and groups, and more. Scan results are
outputted to an HTML report, which can be
customised/queried. Apparently a limited free
version is available for non-commercial/trial
use.

142
SamSpade http//www.samspade.org/ssw/

SamSpade provides a consistent GUI and
implementation for many handy network query
tasks. It was designed with tracking down
spammers in mind, but can be useful for many
other network exploration, administration, and
security tasks. It includes tools such as ping,
nslookup, whois, dig, traceroute, finger, raw
HTTP web browser, DNS zone transfer, SMTP relay
check, website search, and more. Non-Windows
users can enjoy online versions of many of their
tools.

143
SAINT http//www.saintcorporation.com/saint/

Security Administrator's Integrated Network Tool
Saint is another commercial vulnerability
assessment tool (like ISS Internet Scanner or
eEye Retina). Unlike those Windows-only tools,
SAINT runs exclusively on UNIX. Saint used to be
free and open source, but is now a commercial
product.

144
Firewalk http//www.packetfactory.net/projects/fir
ewalk/

Firewalk employs traceroute-like techniques to
analyze IP packet responses to determine gateway
ACL filters and map networks. This classic tool
was rewritten from scratch in October 2002. Note
that much or all of this functionality can also
be performed by the Hping2 --traceroute option.

145
Amap http//www.thc.org/releases.php

Amap (by THC) is a new but powerful scanner
(finger printing) which probes each port to
identify applications and services rather than
relying on static port mapping.

146
Fragroute IDS systems' worst nightmare
http//www.monkey.org/dugsong/fragroute/

Fragroute intercepts, modifies, and rewrites
egress traffic, implementing most of the attacks
described in the Secure Networks IDS Evasion
paper. It features a simple ruleset language to
delay, duplicate, drop, fragment, overlap, print,
reorder, segment, source-route, or otherwise
monkey with all outbound packets destined for a
target host, with minimal support for randomized
or probabilistic behaviour. This tool was written
in good faith to aid in the testing of intrusion
detection systems, firewalls, and basic TCP/IP
stack behaviour. Like Dsniff, and Libdnet, this
excellent tool was written by Dug Song.

147

nmap http//www.insecure.org
A popular tool used for ports scaning and OS
finger printing

148
Kernel Based Intrusion Detecting (LIDS)

Preventing root users
Preventing chanding iptables, ipchains
Preventing direct port access, memory,
Security Enhanced Linux system

149
CERT-IN

Charter
"The purpose of the CERT-In is, to become the
nation's most trusted referral agency of the
Indian Community for responding to computer
security incidents as and when they occur the
CERT-In will also assist members of the Indian
Community in implementing proactive measures to
reduce the risks of computer security incidents."
Mission
"To enhance the security of India's
Communications and Information Infrastructure
through proactive action and effective
collaboration."

150
CERT-In Mission

Alert Advise - Assurance

151
National Information Security Assessment Program
(NISAP)

Mandatory compliance requirement
Mandatory compliance efforts- ISMS standards
Mandatory compliance verification
Mandatory compliance reporting to CERT-In

152
(No Transcript)
153
(No Transcript)
154
(No Transcript)
155

ADVISORY COMMITTEE
S.No.NameRole1.Shri. M. Madhavan
NambiarAdditional SecretaryDepartment Of
Information TechnologyChairman
2.Shri. Ajeer VidyaJoint Secretary Financial
AdviserDepartment Of Information
TechnologyMember
3.Prof. N. BalakrishnanChairmanDivision Of
Information SciencesIndian Institute of
ScienceMember
4.Dr. B. K. GairolaDeputy Director
GeneralNational Informatics CentreMember
5.Dr. Gulshan RaiDirectorIndian Computer
Emergency Response TeamMember Secretary

156

AUTHORITY
The CERT-In operates under the auspices of, and
with authority delegated by, the Department of
Information Technology, Ministry of
Communications Information Technology,
Government of India.
The CERT-In shall work cooperatively with
information officers and system administrators of
various sectoral and organisational networks of
its constituency.

157

VULNERABILITY NOTES
CERT-In Vulnerability Note CIVN-2007-07(31
January, 2007) Microsoft Word Unspecified String
Handling Memory Corruption Vulnerability
CERT-In Vulnerability Note CIVN-2007-06(29th
January, 2007) Linux-PAM Login Bypass Security
Vulnerability
CERT-In Vulnerability Note CIVN-2007-05(18th
January, 2007) Sun Java JRE GIF Image Processing
Buffer OverflowVulnerability

158

CERT-In Vulnerability Note CIVN-2007-04(11th
January, 2007) Microsoft Windows Vector Markup
Language Code Execution Vulnerability
CERT-In Vulnerability Note CIVN-2007-03(11th
January, 2007) Remote Code Execution and Denial
of Service Vulnerabilities in Microsoft Outlook
CERT-In Vulnerability Note CIVN-2007-02(11th
January, 2007) Microsoft Excel Malformed Column
Record, Palette Record, IMDATA Record and String
Vulnerabilities
CERT-In Vulnerability Note CIVN-2007-01(5th
January, 2007) OpenOffice Integer and Buffer
Overflow Vulnerabilities

159
cert-in.org.in

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information
Technology Electronics Niketan 6, C.G.O.
Complex New Delhi-110 003

160
What people are using in India

Content filtering 39
Keyword Monitoring 28
Data Leak detection and prevention 25
IDS 23
Packet Filtering 15
Digital Rights Management SW 9

161
IT ACT 2000

Section III - Certifying Authorities
Public Key Infrastructure (PKI)

162

CERT-In Vulnerability Note CIVN-2007-06Linux-PAM
Login Bypass Security Vulnerability
Original Issue Date January 29, 2007Severity
Rating High
System Affected Linux-PAM 0.x
Overview
A vulnerability has been reported in Linux-PAM,
which could be exploited by remote attackers to
compromise a vulnerable system.
Description
A vulnerabilities has been reported in Linux-PAM
due to an error within the "_unix_verify_password(
)" function in modules/pam_unix/support.c while
handling passwords with a hash of "!!" or similar
in "/etc/shadow" or "/etc/passwd". Solution
Upgrade to Linux-PAM version 0.99.7.1
ftp//ftp.kernel.org/pub/linux/libs/pam/pre/libra
ry

163

CERT-In Advisory CIAD-2007-05Multiple
Vulnerabilities in Xorg, Xfree86 and Kerberos
Original issue date January 16, 2007Severity
Rating Medium
Systems Affected
X.Org X11 version 7.1 and prior
XFree86 version 4.6.99.15 and prior
MIT Kerberos V5 versions 1.4 through 1.4.4
MIT Kerberos V5 versions 1.5 through 1.5.1
Overview
Multiple vulnerabilities have been reported in
Linux which could be exploited by remote
attackers to execute commands on the affected
system.
Description
1. X.Org X11 Render or XFree86 and DBE Extensions
MultipleLocal Privilege Escalation
Vulnerabilities (CVE-2006-6101 ,CVE-2006-6102 ,
CVE-2006-6103)
A vulnerability has been reported in X.Org and
XFree86 X serverdue to a memory corruption error
in the "ProcRenderAddGlyphs()","ProcDbeGetVisualIn
fo()" and "ProcDbeSwapBuffers()" functions within
the DBE extension, which could be exploited by
remote attackers to execute arbitrary commands
with "root" privileges via a specially crafted X
protocol request.
2. Kerberos V5 Kadmind RPC Library Remote Code
ExecutionVulnerability ( CVE-2006-6143 )
A vulnerability has been reported in server side
portion of RPC library used in Kerberos
administration daemon kadmind due to its
failure to properly initialize pointers. An
remote attacker could exploit the vulnerability
by sending a crafted packets on the affected
system to execute arbitrary code or cause denial
of service attack.
3. Kerberos V5 Kadmind GSS-API Library Remote
CodeExecution Vulnerability ( CVE-2006-6144 )
A vulnerability has been reported in Kerberos due
to memory management error in "mechglue"
abstraction interface of the GSS-API library used
in Kerberos administration daemon kadmind . An
unauthenticated remote attacker could exploit the
vulnerability by freeing uninitialized pointers
to execute arbitrary code on the affected system.
Solution
Apply appropriate patches suggested by vendor
Vendor Information

164

CERT-In Vulnerability Note CIVN-2007-05Sun Java
JRE GIF Image Processing Buffer Overflow
Vulnerability
Original Issue Date January 18, 2007Severity
Rating High
Systems Affected
Sun JDK version 5.0 Update 9 and prior
Sun JRE version 5.0 Update 9 and prior
Sun SDK version 1.4.2_12 and prior
Sun JRE version 1.4.2_12 and prior
Sun SDK version 1.3.1_18 and prior
Sun JRE version 1.3.1_18 and prior
Overview
A vulnerabilities has been reported in Sun Java
JRE (Java Runtime Environment), which could be
exploited by remote attackers to compromise a
vulnerable system.
Description
A buffer overflow error has been reported in Sun
Java Runtime Environment while processing GIF
images with a width property set to 0 (Zero),
which could be exploited by remote attackers to
execute arbitrary commands or to read/write local
files on a vulnerable system by enticing a user
to visit a specially crafted web page containing
a malicious applet.