Advances In RealTime Vulnerability Assessment - PowerPoint PPT Presentation

Provided by: robertm170
Slides: 36

Transcript and Presenter's Notes

1
Advances In Real-Time Vulnerability Assessment
  • By David Meltzer

2
  • The Worst IDS Ever Invented

3
  • The Best Active Scanner Ever Invented

4
  • Agenda
  • Brief history of assessment tools
  • Less recent advances
  • Examination of passive techniques
  • Hybrid scanning
  • Introduce PAPMap
  • Hybrid exploits
  • Conclusions

5
  • Vulnerability Assessments
  • Answers These Questions
  • Inventory / Discovery
  • What hosts are on the network?
  • What ports are open?
  • What services are running?
  • What is the configuration state of those
    services?
  • Deeper
  • Vulnerability State
  • What are the vulnerabilities on a host?
  • What are the patches missing on a host?
  • What is it about this host that creates a
    security risk?

6
  • Assumptions
  • No host-based tools.
  • Knowledge is useful.
  • Networks change.

7
  • Comparing Scanning Techniques
  • The Metrics
  • Coverage
  • What can it tell you?
  • Accuracy
  • False positives/negatives?
  • Speed
  • Time-to-Detect
  • Turbidity
  • Disruptiveness to network/hosts

8
  • Traditional Scanning
  • Active Scanning
  • SATAN, ISS, Nessus, etc.

9
  • Less Recent Advances in
  • Active Vulnerability Analysis
  • Distributed Scanning
  • Directed Scanning
  • Fingerprint-Based Scanning

10
  • Passive Vulnerability Analysis: The First Passive
    Check
  • (me, RealSecure, circa 1997)
  • Browser vulnerabilities becoming popular.
  • Browsers don't listen on the network.
  • No way to tell if host running a vulnerable
    browser via scanning (in many situations).
  • Solution: Watch HTTP connections for version of
    browser being used in IDS. Trigger alert if
    version matches a known vulnerable one.
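The check described on this slide, written out as an added Python example (not RealSecure's or the author's code): it pulls the User-Agent header out of observed HTTP request heads, parses product/version pairs, and raises an alert when one matches a vulnerable-version table. The request lines and the `ExampleBrowser` entries are constructed placeholders, not real advisories.

```python
"""Passive browser-version check in the spirit of slide 10: inspect the
User-Agent of observed HTTP requests and alert on known-vulnerable versions.
Added example; the table and the sample requests below are constructed."""
import re

# Constructed table: product -> versions to alert on (placeholders, not real data).
VULNERABLE_VERSIONS = {"ExampleBrowser": {"1.0", "1.1"}}

# "Product/1.2.3" tokens as they appear in a User-Agent string.
UA_TOKEN = re.compile(r"(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def user_agent(request_head):
    """Return the User-Agent value of one HTTP request head, or None."""
    for line in request_head.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def check_request(client_ip, request_head):
    """Passive check: alert string if the client looks vulnerable, else None."""
    ua = user_agent(request_head)
    if ua is None:
        return None
    for m in UA_TOKEN.finditer(ua):
        product, version = m.group("product"), m.group("version")
        if version in VULNERABLE_VERSIONS.get(product, ()):
            return f"{client_ip}: {product}/{version} matches a known-vulnerable version"
    return None


# Constructed sample traffic: (client address, raw request head).
SAMPLE_REQUESTS = [
    ("10.0.0.7", "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: ExampleBrowser/1.0 (X11)\r\n\r\n"),
    ("10.0.0.8", "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: ExampleBrowser/2.0\r\n\r\n"),
    ("10.0.0.9", "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # no User-Agent at all
]


def scan_samples():
    """Run every constructed request through the check; return the alerts raised."""
    alerts = []
    for ip, head in SAMPLE_REQUESTS:
        alert = check_request(ip, head)
        if alert:
            alerts.append(alert)
    return alerts
```

The point the slide makes carries over directly: nothing is sent to the client, so the check costs no bandwidth and cannot disturb the host, but it only fires when the client happens to talk through the monitored segment.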

11
  • Passive Vulnerability Analysis
  • Passive vulnerability signatures in RealSecure
    IDS - Meltzer '97
  • Passive Vulnerability Detection - Gula '99
  • Target-Based IDS - Roesch '00
  • Vulnerability Detection Systems (VDS) -
    Meltzer '02
  • Passive Vulnerability Scanner (PVS) - Gula '03
  • Passive Network Discovery Systems (PNDS) -
    Roesch '04

12
  • Passive Vulnerability Analysis: Turbidity
  • Listening is safe (mostly).
  • Why people like IDS.
  • Why people like anything passive.

13
  • Passive Vulnerability Analysis: Speed
  • Real-Time
  • But
  • At first use

14
  • Passive Vulnerability Analysis: Coverage
  • Ugh
  • Some things only/better discovered passively (eg
    client-side vulns)
  • Some things discovered equally well passively or
    actively (eg lots of versioning)
  • MANY things only discovered actively (eg almost
    all SANS Top 20 vulns)

15
  • Passive Vulnerability Analysis: Accuracy
  • Depends
  • IF you are content with poor coverage, you can
    have perfectly accurate passive scanning.

16
  • Hybrid Scanning Approach
  • Realizing active and passive scanning are
    complementary techniques
  • Why should you have to choose?

17
  • Hybrid Scanning Defined
  • Gathering network inventory and vulnerability
    data using both active and passive techniques
    integrated into a single system.

18
  • Hybrid Advantages
  • Independent active/passive engines
  • Double the hassle
  • Substantially more turbidity
  • Waste resources
  • Manually resolve conflicts
  • Hybrid approach
  • Single configuration
  • Uses less bandwidth than pure active
  • Single output

19
  • Hybrid Scanning
  • Introducing PAPMap
  • Combines passive and active scanning techniques
    for TCP port discovery.
  • Operates as a drop-in replacement for nmap.
  • Utilizes nmap for active scanning.
  • A complete and functional hybrid scanner but with
    only TCP port coverage.

20
  • PAPMap Requirements
  • R-1. Takes same command line as nmap.
  • R-2. Produces almost same output as nmap.
  • R-3. Runs nmap scan then switches to passive
    listening mode and updates output anytime a
    change in TCP port open/closed state detected.

21
  • PAPMap Components
  • papCL command-line interface
  • papGUI GUI interface
  • papNmap nmap communication interface
  • papDB in-memory port state database
  • papSniff network listener for port states
  • papAlert output handler

22
  • PAPMap CL Operation Part I
  • nmap
  • nmap -oX nmap-results.xml 192.168.1.0/24
  • papmap
  • papmap -oX nmap-results.xml 192.168.1.0/24

23
  • PAPMap CL Operation Part II
  • Executes nmap
  • Loads nmap XML output into in-memory database
  • Starts listening promiscuously on network

24
  • PAPMap CL Operation Part III
  • Sniffer Design
  • Only interested in initial connection
    establishments
  • Only interested in connections being made TO the
    hosts in network range being scanned
  • Interested in state of all ports
  • pcap-based sniffer

25
  • PAPMap CL Operation Part III
  • Sniffer Design 2 (TCP/IP 101)
  • Easy cases
  • Port is listening IF
  • SYN/ACK reply FROM port
  • Port is NOT listening IF
  • SYN sent TO port AND
  • RST reply FROM port

26
  • PAPMap CL Operation Part III
  • Sniffer Design 3
  • Hard cases
  • No reply to a SYN: Is port closed?
  • Is host down?
  • Did I drop a packet?
  • Did network drop packet?
  • Was SYN malformed?
  • Firewall?
  • Need state-handling to resolve

27
  • PAPMap CL Operation Part III
  • Sniffer Design 4
  • When a new connection is established or denied
  • - Lookup known state in papDB
  • - If state has changed
  • - Update papDB
  • - Send alert to papAlert

28
  • PAPMap CL Operation Part IV
  • Line output to stdout indicating new status of
    the port.
  • Nmap XML file is updated to reflect real-time
    state of network being mapped (but updates cached
    to avoid flailing disk).
  • Monitoring continues until user quits.
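The command-line operation laid out in slides 22 through 28, as one added Python example that is not PAPMap's own code: the nmap XML output is loaded into an in-memory port database, observed TCP handshakes are reduced to the slide 25 rules (SYN/ACK from a port means listening; RST from a port answering a SYN we saw means not listening; a SYN with no reply changes nothing, per slide 26), each change updates the database and raises an alert line, and the XML tree is kept current so it can be written back. The trimmed `nmap -oX` fragment, the packet records and the `PapDB`/`PapSniff` names (echoing slide 21) are constructed for this illustration.

```python
"""Toy hybrid TCP port-state tracker in the spirit of PAPMap's CL operation
(slides 22-28): load nmap -oX output into an in-memory database, apply passively
observed handshakes to it, alert on every change and write it back to the XML.
Added example, not PAPMap's code; the XML, packets and names are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import namedtuple

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port></ports>
  </host>
</nmaprun>"""                                      # constructed, trimmed nmap -oX shape
SYN, RST, ACK = 0x02, 0x04, 0x10                  # TCP flag bits
Packet = namedtuple("Packet", "src sport dst dport flags")   # constructed packet record


class PapDB:
    """In-memory port state database that keeps the nmap XML tree in sync."""
    def __init__(self, xml_text):
        self.tree = ET.fromstring(xml_text)
        self.ports_elem, self.elems = {}, {}   # host -> <ports>; (host, port) -> <state>
        for host in self.tree.findall("host"):
            addr = host.find("address[@addrtype='ipv4']").get("addr")
            self.ports_elem[addr] = host.find("ports")
            for port in host.findall("ports/port"):
                if port.get("protocol") == "tcp":
                    self.elems[(addr, int(port.get("portid")))] = port.find("state")

    def lookup(self, host, port):
        elem = self.elems.get((host, port))
        return elem.get("state") if elem is not None else None

    def update(self, host, port, new_state):
        """Record new_state; return (old, new) if it differs, else None."""
        old = self.lookup(host, port)
        if old == new_state:
            return None
        if host not in self.ports_elem:        # host was down during the active scan
            h = ET.SubElement(self.tree, "host")
            ET.SubElement(h, "address", addr=host, addrtype="ipv4")
            self.ports_elem[host] = ET.SubElement(h, "ports")
        elem = self.elems.get((host, port))
        if elem is None:                       # port absent from the nmap results
            p = ET.SubElement(self.ports_elem[host], "port", protocol="tcp", portid=str(port))
            elem = self.elems[(host, port)] = ET.SubElement(p, "state")
        elem.set("state", new_state)
        return (old, new_state)

    def to_xml(self):
        return ET.tostring(self.tree, encoding="unicode")


class PapSniff:
    """Passive listener applying the slide 25/26 rules to observed packets."""
    def __init__(self, db, network, alert):
        self.db, self.net, self.alert = db, ipaddress.ip_network(network), alert
        self.pending = set()   # bare SYNs sent TO a target, awaiting a reply

    def observe(self, pkt):
        in_range = lambda ip: ipaddress.ip_address(ip) in self.net
        if in_range(pkt.dst) and (pkt.flags & SYN) and not (pkt.flags & ACK):
            # Remember the SYN; silence afterwards proves nothing (closed? host
            # down? packet dropped? firewall?), so it never changes state.
            self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return None
        if not in_range(pkt.src):
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.flags & (SYN | ACK)) == (SYN | ACK):
            new = "open"       # SYN/ACK FROM the port: it is listening
        elif (pkt.flags & RST) and key in self.pending:
            new = "closed"     # RST FROM the port answering a SYN we saw
        else:
            return None        # e.g. a stray RST with no matching SYN
        self.pending.discard(key)
        change = self.db.update(pkt.src, pkt.sport, new)
        if change:
            self.alert(pkt.src, pkt.sport, *change)   # papAlert: one line per change
        return change


def run_demo():
    """Run constructed traffic through the tracker; returns (db, alert lines)."""
    db, lines = PapDB(NMAP_XML), []
    sniff = PapSniff(db, "192.168.1.0/24", lambda h, p, old, new:
                     lines.append(f"{h}:{p}/tcp {old or 'unknown'} -> {new}"))
    for pkt in [
        Packet("10.0.0.5", 40000, "192.168.1.10", 80, SYN),          # probe of 80 ...
        Packet("192.168.1.10", 80, "10.0.0.5", 40000, RST | ACK),    # ... still closed: no alert
        Packet("192.168.1.10", 443, "10.0.0.5", 40001, SYN | ACK),   # new service on 443
        Packet("10.0.0.5", 40002, "192.168.1.10", 22, SYN),
        Packet("192.168.1.10", 22, "10.0.0.5", 40002, RST | ACK),    # 22 stopped listening
        Packet("192.168.1.10", 25, "10.0.0.5", 40003, RST),          # no SYN seen: ignored
        Packet("192.168.1.20", 8080, "10.0.0.5", 40004, SYN | ACK),  # host nmap never saw
    ]:
        sniff.observe(pkt)
    return db, lines
```

Two design points mirror the slides: the pending-SYN set is the minimal "state-handling" slide 26 asks for, so a lone RST (a torn-down session, a scanner elsewhere) is never misread as a closed port; and the XML tree is updated in memory while alerts stream out, matching the slide 28 note that disk writes are cached rather than done on every change. A real tool would read packets from pcap and check the protocol field for TCP; those records are constructed here.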

29
  • PAPMap Demo

30
  • PAPMap Benchmarks
  • In progress, will be updated before conference

31
  • PAPMap Status
  • v1.0 released at Ruxcon, July 10, 2004
  • Source and binaries freely available following
    conference at http://www.intrusec.com/resources.asp

32
  • PAPMap Future Enhancements
  • Expand coverage beyond TCP port state
  • Add active rescans
  • Add reverse mode
  • Hybridize other popular tools

33
  • Hybrid Exploits
  • The Idea
  • Passively
  • Sniff network waiting for a trigger alert
  • New system comes up on network
  • Host connects to Windows Update to patch
  • Active
  • Exploit the target device in real-time
  • Exploit and load shell before patches occur

34
  • Hybrid Exploits
  • Example / Demo
  • In progress, will be updated before conference

35
  • Thanks and Credits
  • Thanks to Mike Davis for his work on
    PAPMap with me, and to Intrusec for sponsoring
    this research.
  • Word to duke, caddis, and ruxcon crew for giving
    me a reason to rux it in .au.