Network Security Tools - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Network Security Tools

Description:

Unauthorised use or misuse of computing systems. Loss/alteration/compromise of data or software ... Netlog. Drawbridge. NFSwatch. TCPwrapper. TCPdump. Nmap. TCP Dump ... – PowerPoint PPT presentation

Number of Views:126
Avg rating:3.0/5.0
Slides: 24
Provided by: ccGa
Category:

less

Transcript and Presenter's Notes

Title: Network Security Tools


1
Network Security Tools
  • Philsou Lee
  • Dec 4, 2001

2
Content
  • Goals of Network Security
  • The types of hacking
  • The types of hacker
  • Possible Effects of an Attack
  • Category of Tools
  • Specific Security Tools
  • Conclusion

3
Goals of Network Security
  • Confidentiality
  • Integrity
  • Authentication

4
The types of hacker
  • The Curious
  • The Malicious
  • The High-Profile Intruder
  • The Competition
  • The Borrowers
  • The Leapfrogger

5
Possible effects of an Attack
  • Denial-of-service
  • Unauthorised use or misuse of computing systems
  • Loss/alteration/compromise of data or software
  • Monetary/financial loss
  • Loss or endangerment of human life
  • Loss of trust in computer/network system
  • Loss of public confidence

Slide taken www.cert.org/present/cert-overview-tre
nds
6
Category of Tools
  • System Security Tools
  • Network monitor Tools
  • Network Level Security Tools
  • Other Tools

7
System Security Tools
  • COPS(Computer Oracle and Password System)
  • Crack
  • Npasswd
  • Tripwire
  • Ttywatcher
  • Tiger
  • Swatch
  • MD5
  • Skey

8
Crack
  • ---- errors and warnings ----
  • bad format /etc/shadow adm115650999997
  • bad format /etc/shadow bin115650999997
  • bad format /etc/shadow daemon115650999997
  • bad format /etc/shadow ejkangapple1165409999
    97
  • bad format /etc/shadow espressjun11654099999
    7
  • bad format /etc/shadow hyewon1e89Z8gjbv7u8qU
    GjJfHjersDRfHhj0115650999997
  • bad format /etc/shadow ident!!115650999997
  • bad format /etc/shadow jun1IErrLg4vXpJniKz3Q
    QjMSkxWySb950115650999997
  • bad format /etc/shadow khkim94khkim116540999
    997
  • .

9
System Security Tools
  • COPS(Computer Oracle and Password System)
  • Crack
  • Npasswd
  • Tripwire
  • Ttywatcher
  • Tiger
  • Swatch
  • MD5
  • Skey

10
Tripwire
  • (Nov 27)
  • --------------------------------------------------
    --------------------------
  • Section Unix File System
  • --------------------------------------------------
    --------------------------
  • Rule Name Severity Level
    Added Removed Modified
  • --------- --------------
    ----- ------- --------
  • ..
  • Critical Utility Sym-Links 100
    0 0 0
  • Critical system boot files 100
    0 0 0
  • Critical configuration files 100
    0 0 0
  • System boot changes 100
    0 0 0
  • OS executables and libraries 100
    0 0 0
  • Security Control 100
    0 0 0
  • Login Scripts 100
    0 0 0
  • Operating System Utilities 100
    0 0 0
  • Shell Binaries 100
    0 0 0
  • Root config files 100
    0 0 0
  • (Nov 30)
  • --------------------------------------------------
    --------------------------
  • Section Unix File System
  • --------------------------------------------------
    --------------------------
  • Rule Name Severity Level
    Added Removed Modified
  • --------- --------------
    ----- ------- --------
  • Critical Utility Sym-Links 100
    0 0 0
  • Critical system boot files 100
    0 0 1
  • Critical configuration files 100
    0 0 3
  • System boot changes 100
    3 2 1
  • OS executables and libraries 100
    0 0 0
  • Security Control 100
    0 0 1
  • Login Scripts 100
    0 0 0
  • Operating System Utilities 100
    0 0 0
  • Shell Binaries 100
    0 0 0
  • Root config files 100
    0 0 1

11
Tripwire (Contd)
  • (Nov 27)
  • Object Summary
  • --------------------------------------------------
    ---
  • Section Unix File System
  • --------------------------------------------------
    ---
  • No violations.
  • Error Report
  • No Errors
  • --------------------------------------------------
    --
  • End of report
  • (Nov 30)
  • --------------------------------------------------
    -------
  • Rule Name System boot changes (/var/log)
  • Severity Level 100
  • --------------------------------------------------
    -------
  • Added
  • "/var/log/sa/sar27"
  • "/var/log/sa/sa28"
  • "/var/log/sa/sa30"
  • Removed
  • "/var/log/sa/sa19"
  • "/var/log/sa/sar19"
  • --------------------------------------------------
    -----
  • Rule Name Security Control (/etc/group)
  • Severity Level 100
  • --------------------------------------------------
    ----

12
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

13
TCP Wrapper
1.
2.
3.
4.
TCP Wrapper Network monitoring, access control,
and booby traps, Wietse Venema
14
TCP Wrapper
  • hosts.allow This file describes the names of
    the hosts which are
  • allowed to use the local INET
    services, as decided
  • by the '/usr/sbin/tcpd' server.
  • ALLxenia.cc.gatech.edu
  • ALLgaia3.cc.gatech.edu
  • in.telnetdhouston.cc.gatech.edu
  • in.ftpdhouston.cc.gatech.edu
  • in.ftpdtokyo.cc.gatech.edu
  • hosts.deny This file describes the names of
    the hosts which are
  • not allowed to use the local
    INET services, as decided
  • by the '/usr/sbin/tcpd' server.
  • The portmap line is redundant, but it is left
    to remind you that
  • the new secure portmap uses hosts.deny and
    hosts.allow. In particular
  • you should know that NFS uses portmap!
  • ALL ALL EXCEPT xenia.cc.gatech.edu,houston.cc.ga
    tech.edu, 130.207.3.16
  • phoenix telnet seung.resnet.gatech.edu
  • Trying 128.61.54.51...
  • Connected to r54h51.res.gatech.edu.
  • Escape character is ''.
  • Connection closed by foreign host.
  • phoenix
  • houston telnet seung.resnet.gatech.edu
  • Trying 128.61.54.51...
  • Connected to r54h51.res.gatech.edu.
  • Escape character is ''.
  • Red Hat Linux release 7.1 (Seawolf)
  • Kernel 2.4.12 on an i686
  • login pslee
  • Password
  • Last login Sat Dec 1 123511 from
    houston.cc.gatech.edu
  • pslee_at_r54h51 pslee

15
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

16
TCP Dump
  • root_at_r54h51 /root tcpdump -u pslee
  • User level filter, protocol ALL, datagram packet
    socket
  • tcpdump listening on all devices
  • 173108.312830 eth0 lt houston.cc.gatech.edu.35682
    gt r54h51.res.gatech.edu.telnet
  • . 36180175493618017549(0) ack 618949068 win 8760
    (DF)
  • 173108.312923 eth0 gt r54h51.res.gatech.edu.telne
    t gt houston.cc.gatech.edu.35682
  • P 193(92) ack 0 win 5840 (DF) tos 0x10
  • 173108.314612 eth0 gt r54h51.res.gatech.edu.1025
    gt ns.resnet.gatech.edu.domain
  • 38186 PTR? 51.54.61.128.in-addr.arpa. (43) (DF)

17
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

18
Nmap
  • root_at_r54h51 tripwire nmap tokyo.cc.gatech.edu
  • Starting nmap V. 2.54BETA30 ( www.insecure.org/nma
    p/ )
  • Interesting ports on tokyo.cc.gatech.edu
    (130.207.114.15)
  • (The 1494 ports scanned but not shown below are
    in state closed)
  • Port State Service
  • 1/tcp filtered tcpmux
  • .
  • 11/tcp filtered systat
  • 12/tcp filtered unknown
  • ..
  • 18/tcp filtered msp
  • 19/tcp filtered chargen
  • 21/tcp open ftp
  • 22/tcp open ssh
  • 23/tcp open telnet
  • 25/tcp open smtp
  • 37/tcp open time
  • 42/tcp filtered nameserver
  • ..

19
Netowork Level Security Tools
  • SOCKSlibrary
  • TIS(Trusted Information Systems) Firewall Toolkit
  • Checkpoint FireWall-1

20
Other Tools
  • LSOF(LiSt Open Files)
  • Sendmail
  • RPCBind

21
Lsof
  • root_at_r54h51 tripwire lsof -i
  • COMMAND PID USER FD TYPE DEVICE SIZE NODE
    NAME
  • portmap 455 root 3u IPv4 807 UDP
    sunrpc
  • portmap 455 root 4u IPv4 808 TCP
    sunrpc (LISTEN)
  • rpc.statd 470 root 4u IPv4 825 UDP
    646
  • rpc.statd 470 root 5u IPv4 852 UDP
    1024
  • rpc.statd 470 root 6u IPv4 855 TCP
    1024 (LISTEN)
  • sshd 617 root 3u IPv4 990 TCP
    ssh (LISTEN)
  • xinetd 637 root 3u IPv4 1016 TCP
    telnet (LISTEN)
  • xinetd 637 root 4u IPv4 1017 UDP
    talk
  • xinetd 637 root 5u IPv4 1018 UDP
    ntalk
  • xinetd 637 root 7u IPv4 1019 TCP
    finger (LISTEN)
  • sendmail 686 root 4u IPv4 1080 TCP
    localhost.localdomainsmtp (LISTEN)
  • X 795 root 1u IPv4 1193 TCP
    x11 (LISTEN)
  • sshd 959 root 3u IPv4 1541 TCP
    6010 (LISTEN)
  • sshd 959 root 4u IPv4 1531 TCP
    r54h51.res.gatech.edussh-gtgaia3.cc.gatech.edu457
    16 (ESTABLISHED)
  • sshd 959 root 6u IPv4 1560 TCP
    r54h51.res.gatech.edu6010-gtr54h51.res.gatech.edu
    1025 (ESTABLISHED)
  • gnome-ter 960 jun 3u IPv4 1557 TCP
    r54h51.res.gatech.edu1025-gtr54h51.res.gatech.edu
    6010 (ESTABLISHED)
  • in.telnet 1105 root 0u IPv4 1915 TCP
    r54h51.res.gatech.edutelnet-gtxenia.cc.gatech.edu
    50723 (ESTABLISHED)

22
Lsof (Contd)
  • root_at_r54h51 /root netstat -t
  • Active Internet connections (w/o servers)
  • Proto Recv-Q Send-Q Local Address
    Foreign Address State
  • tcp 0 126 r54h51.res.gatectelnet
    xenia.cc.gatech.e47887 ESTABLISHED
  • tcp 0 0 r54h51.res.gatectelnet
    xenia.cc.gatech.e47981 ESTABLISHED
  • tcp 0 0 r54h51.res.gatech.1177
    211.169.240.71http CLOSE_WAIT
  • tcp 0 0 r54h51.res.gatech.1025
    helsinki.cc.gatech.ssh ESTABLISHED
  • root_at_r54h51 /root lsof -iTCP_at_211.169.240.71
  • COMMAND PID USER FD TYPE DEVICE SIZE NODE
    NAME
  • netscape- 1546 jun 32u IPv4 11962 TCP
    r54h51.res.gatech.edu1177-gt211.169.240.71http
    (CLOSE_WAIT)
  • root_at_r54h51 /root

23
Conclusion
  • Never set completely secure system.
  • Instead, try to restrict access to the most
    important information.
Write a Comment
User Comments (0)
About PowerShow.com