Network Security Tools - PowerPoint PPT Presentation
Slides: 24
Provided by: ccGa

Transcript and Presenter's Notes

1
Network Security Tools
  • Philsou Lee
  • Dec 4, 2001

2
Content
  • Goals of Network Security
  • The types of hacking
  • The types of hacker
  • Possible Effects of an Attack
  • Category of Tools
  • Specific Security Tools
  • Conclusion

3
Goals of Network Security
  • Confidentiality
  • Integrity
  • Authentication

4
The types of hacker
  • The Curious
  • The Malicious
  • The High-Profile Intruder
  • The Competition
  • The Borrowers
  • The Leapfrogger

5
Possible effects of an Attack
  • Denial-of-service
  • Unauthorised use or misuse of computing systems
  • Loss/alteration/compromise of data or software
  • Monetary/financial loss
  • Loss or endangerment of human life
  • Loss of trust in computer/network system
  • Loss of public confidence

Slide taken from www.cert.org/present/cert-overview-trends
6
Category of Tools
  • System Security Tools
  • Network monitor Tools
  • Network Level Security Tools
  • Other Tools

7
System Security Tools
  • COPS(Computer Oracle and Password System)
  • Crack
  • Npasswd
  • Tripwire
  • Ttywatcher
  • Tiger
  • Swatch
  • MD5
  • Skey

8
Crack
  • ---- errors and warnings ----
  • bad format /etc/shadow adm115650999997
  • bad format /etc/shadow bin115650999997
  • bad format /etc/shadow daemon115650999997
  • bad format /etc/shadow ejkangapple116540999997
  • bad format /etc/shadow espressjun116540999997
  • bad format /etc/shadow hyewon1e89Z8gjbv7u8qUGjJfHjersDRfHhj0115650999997
  • bad format /etc/shadow ident!!115650999997
  • bad format /etc/shadow jun1IErrLg4vXpJniKz3QQjMSkxWySb950115650999997
  • bad format /etc/shadow khkim94khkim116540999997
  • ...

9
System Security Tools
  • COPS(Computer Oracle and Password System)
  • Crack
  • Npasswd
  • Tripwire
  • Ttywatcher
  • Tiger
  • Swatch
  • MD5
  • Skey

10
Tripwire
  • (Nov 27)
    ----------------------------------------------------------------------------
    Section: Unix File System
    ----------------------------------------------------------------------------
    Rule Name                        Severity Level   Added   Removed   Modified
    ---------                        --------------   -----   -------   --------
    ...
    Critical Utility Sym-Links       100              0       0         0
    Critical system boot files       100              0       0         0
    Critical configuration files     100              0       0         0
    System boot changes              100              0       0         0
    OS executables and libraries     100              0       0         0
    Security Control                 100              0       0         0
    Login Scripts                    100              0       0         0
    Operating System Utilities       100              0       0         0
    Shell Binaries                   100              0       0         0
    Root config files                100              0       0         0
  • (Nov 30)
    ----------------------------------------------------------------------------
    Section: Unix File System
    ----------------------------------------------------------------------------
    Rule Name                        Severity Level   Added   Removed   Modified
    ---------                        --------------   -----   -------   --------
    Critical Utility Sym-Links       100              0       0         0
    Critical system boot files       100              0       0         1
    Critical configuration files     100              0       0         3
    System boot changes              100              3       2         1
    OS executables and libraries     100              0       0         0
    Security Control                 100              0       0         1
    Login Scripts                    100              0       0         0
    Operating System Utilities       100              0       0         0
    Shell Binaries                   100              0       0         0
    Root config files                100              0       0         1

11
Tripwire (Contd)
  • (Nov 27)
    Object Summary:
    -----------------------------------------------------
    Section: Unix File System
    -----------------------------------------------------
    No violations.
    Error Report:
    No Errors
    ----------------------------------------------------
    End of report
  • (Nov 30)
    ---------------------------------------------------------
    Rule Name: System boot changes (/var/log)
    Severity Level: 100
    ---------------------------------------------------------
    Added:
    "/var/log/sa/sar27"
    "/var/log/sa/sa28"
    "/var/log/sa/sa30"
    Removed:
    "/var/log/sa/sa19"
    "/var/log/sa/sar19"
    -------------------------------------------------------
    Rule Name: Security Control (/etc/group)
    Severity Level: 100
    ------------------------------------------------------

12
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

13
TCP Wrapper
  • (diagram: four numbered steps, 1 to 4, of the TCP Wrapper flow; from "TCP Wrapper: Network monitoring, access control, and booby traps", Wietse Venema)
14
TCP Wrapper
  • /etc/hosts.allow:
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL: xenia.cc.gatech.edu
    ALL: gaia3.cc.gatech.edu
    in.telnetd: houston.cc.gatech.edu
    in.ftpd: houston.cc.gatech.edu
    in.ftpd: tokyo.cc.gatech.edu
  • /etc/hosts.deny:
    #
    # hosts.deny    This file describes the names of the hosts which are
    #               not allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    #
    ALL: ALL EXCEPT xenia.cc.gatech.edu, houston.cc.gatech.edu, 130.207.3.16
  • Telnet from a host that is not listed (phoenix) is refused by tcpd right after the TCP connection is accepted:
    phoenix% telnet seung.resnet.gatech.edu
    Trying 128.61.54.51...
    Connected to r54h51.res.gatech.edu.
    Escape character is '^]'.
    Connection closed by foreign host.
    phoenix%
  • Telnet from a listed host (houston) reaches the login prompt:
    houston% telnet seung.resnet.gatech.edu
    Trying 128.61.54.51...
    Connected to r54h51.res.gatech.edu.
    Escape character is '^]'.
    Red Hat Linux release 7.1 (Seawolf)
    Kernel 2.4.12 on an i686
    login: pslee
    Password:
    Last login: Sat Dec  1 12:35:11 from houston.cc.gatech.edu
    [pslee@r54h51 pslee]$
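The two telnet sessions are decided by tcpd's rule order: the first matching line in hosts.allow grants access, otherwise the first matching line in hosts.deny refuses it, and a client that matches neither file is allowed. The script below is an added example, not code from the slides or from Wietse Venema's library: it re-implements that decision for the two files shown on the slide (copied inline as constructed strings, comments dropped) and the subset of the pattern language they use (ALL, exact host names or addresses, the EXCEPT operator, plus leading-dot domain and trailing-dot network prefixes). The client addresses passed to `decide` in the tests are assumed values for the demonstration.

```python
# Constructed copies of the two files from the slide (comments omitted)
HOSTS_ALLOW = """\
ALL: xenia.cc.gatech.edu
ALL: gaia3.cc.gatech.edu
in.telnetd: houston.cc.gatech.edu
in.ftpd: houston.cc.gatech.edu
in.ftpd: tokyo.cc.gatech.edu
"""

HOSTS_DENY = """\
ALL: ALL EXCEPT xenia.cc.gatech.edu, houston.cc.gatech.edu, 130.207.3.16
"""


def parse_rules(text):
    """Each non-comment line is 'daemon_list : client_list [: ...]'; anything after the second colon is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def token_matches(token, value):
    """One pattern token against a daemon name, host name or address."""
    if token == "ALL":
        return True
    if token.startswith("."):      # ".cc.gatech.edu" matches every host in that domain
        return value.endswith(token)
    if token.endswith("."):        # "130.207." matches every address with that prefix
        return value.startswith(token)
    return token == value


def list_matches(spec, values):
    """A list with the EXCEPT operator: 'list_1 EXCEPT list_2' matches if list_1 does and list_2 does not."""
    if " EXCEPT " in f" {spec} ":
        head, tail = spec.split("EXCEPT", 1)
        return list_matches(head.strip(), values) and not list_matches(tail.strip(), values)
    tokens = spec.replace(",", " ").split()
    return any(token_matches(t, v) for t in tokens for v in values)


def hosts_access(daemon, client_host, client_addr, allow_rules, deny_rules):
    """tcpd's order: first match in hosts.allow grants, first match in hosts.deny refuses, no match grants."""
    client = [client_host, client_addr]
    for daemons, clients in allow_rules:
        if list_matches(daemons, [daemon]) and list_matches(clients, client):
            return True
    for daemons, clients in deny_rules:
        if list_matches(daemons, [daemon]) and list_matches(clients, client):
            return False
    return True


def decide(daemon, client_host, client_addr):
    """Evaluate the slide's two files for one (daemon, client) pair."""
    return hosts_access(daemon, client_host, client_addr,
                        parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY))
```

Running the checks shows one thing the slide's files do that is easy to miss: the EXCEPT list in hosts.deny exempts houston (and 130.207.3.16) from the catch-all, so houston can reach any tcpd-wrapped daemon, not only the in.telnetd and in.ftpd entries written for it in hosts.allow. Two caveats the simulation does not model: the real library also checks that the client's reverse DNS name resolves back to the connecting address (a name-based rule is only as good as DNS), and it supports wildcards and options (KNOWN, UNKNOWN, PARANOID, netgroups, spawn, twist) that do not appear on the slide.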

15
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

16
TCP Dump
  • [root@r54h51 /root]# tcpdump -u pslee
    User level filter, protocol ALL, datagram packet socket
    tcpdump: listening on all devices
    17:31:08.312830 eth0 < houston.cc.gatech.edu.35682 > r54h51.res.gatech.edu.telnet: . 3618017549:3618017549(0) ack 618949068 win 8760 (DF)
    17:31:08.312923 eth0 > r54h51.res.gatech.edu.telnet > houston.cc.gatech.edu.35682: P 1:93(92) ack 0 win 5840 (DF) [tos 0x10]
    17:31:08.314612 eth0 > r54h51.res.gatech.edu.1025 > ns.resnet.gatech.edu.domain: 38186 PTR? 51.54.61.128.in-addr.arpa. (43) (DF)

17
Network Monitor Tools
  • SATAN(Security Administrator Tool for Analyzing
    Networks)
  • ISS(Internet Scanner)
  • Netlog
  • Drawbridge
  • NFSwatch
  • TCPwrapper
  • TCPdump
  • Nmap

18
Nmap
  • [root@r54h51 tripwire]# nmap tokyo.cc.gatech.edu
    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on tokyo.cc.gatech.edu (130.207.114.15):
    (The 1494 ports scanned but not shown below are in state: closed)
    Port       State       Service
    1/tcp      filtered    tcpmux
    ...
    11/tcp     filtered    systat
    12/tcp     filtered    unknown
    ...
    18/tcp     filtered    msp
    19/tcp     filtered    chargen
    21/tcp     open        ftp
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    37/tcp     open        time
    42/tcp     filtered    nameserver
    ...
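The three states in the nmap output come from three different responses to a connection attempt: a completed handshake (open), a RST (closed), and no answer at all, which nmap attributes to a filtering device (filtered). The script below is an added example, not nmap's code and not from the slides: a plain TCP connect() scan that classifies ports the same way and prints them in the layout of the slide. Instead of a remote host it starts a throwaway listener on 127.0.0.1 so it runs offline; the port numbers are whatever the OS hands out at run time.

```python
import socket


def scan_port(host, port, timeout=1.0):
    """TCP connect() scan of one port, mapped onto nmap's three states."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # handshake completed: a service accepted the connection
    except ConnectionRefusedError:
        return "closed"               # RST came back: the host answered, nothing is listening
    except (socket.timeout, TimeoutError):
        return "filtered"             # silence: a firewall (or a very slow host) dropped the SYN
    except OSError:
        return "filtered"             # e.g. host unreachable from an intermediate router
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    return {port: scan_port(host, port, timeout) for port in ports}


def format_report(host, results):
    """Show only the interesting (non-closed) ports, as the slide's nmap run does."""
    closed = sum(1 for state in results.values() if state == "closed")
    lines = [f"Interesting ports on {host}:",
             f"(The {closed} ports scanned but not shown below are in state: closed)",
             "Port       State       Service"]
    for port, state in sorted(results.items()):
        if state == "closed":
            continue
        try:
            service = socket.getservbyport(port, "tcp")
        except OSError:
            service = "unknown"
        lines.append(f"{port}/tcp".ljust(11) + state.ljust(12) + service)
    return "\n".join(lines)


def demo():
    """Constructed target: one listening socket on loopback plus one port known to be free."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))      # reserve a second port, then release it so it is closed
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
        return results, open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, _open, _closed = demo()
    print(format_report("127.0.0.1", results))
```

A connect() scan needs no privileges but completes the handshake, so every probe shows up in the target's logs (and is subject to tcpd's hosts.allow/hosts.deny just like the telnet attempts on the earlier slide); nmap's default SYN scan avoids that but needs raw sockets, which is why the slide runs it as root. "filtered" is inferred from a timeout, so a slow or congested path can make an ordinary closed port look filtered. Scan only hosts you are authorised to test.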

19
Network Level Security Tools
  • SOCKS library
  • TIS(Trusted Information Systems) Firewall Toolkit
  • Checkpoint FireWall-1

20
Other Tools
  • LSOF(LiSt Open Files)
  • Sendmail
  • RPCBind

21
Lsof
  • [root@r54h51 tripwire]# lsof -i
    COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
    portmap    455 root    3u  IPv4    807      UDP sunrpc
    portmap    455 root    4u  IPv4    808      TCP sunrpc (LISTEN)
    rpc.statd  470 root    4u  IPv4    825      UDP 646
    rpc.statd  470 root    5u  IPv4    852      UDP 1024
    rpc.statd  470 root    6u  IPv4    855      TCP 1024 (LISTEN)
    sshd       617 root    3u  IPv4    990      TCP ssh (LISTEN)
    xinetd     637 root    3u  IPv4   1016      TCP telnet (LISTEN)
    xinetd     637 root    4u  IPv4   1017      UDP talk
    xinetd     637 root    5u  IPv4   1018      UDP ntalk
    xinetd     637 root    7u  IPv4   1019      TCP finger (LISTEN)
    sendmail   686 root    4u  IPv4   1080      TCP localhost.localdomain:smtp (LISTEN)
    X          795 root    1u  IPv4   1193      TCP x11 (LISTEN)
    sshd       959 root    3u  IPv4   1541      TCP 6010 (LISTEN)
    sshd       959 root    4u  IPv4   1531      TCP r54h51.res.gatech.edu:ssh->gaia3.cc.gatech.edu:45716 (ESTABLISHED)
    sshd       959 root    6u  IPv4   1560      TCP r54h51.res.gatech.edu:6010->r54h51.res.gatech.edu:1025 (ESTABLISHED)
    gnome-ter  960 jun     3u  IPv4   1557      TCP r54h51.res.gatech.edu:1025->r54h51.res.gatech.edu:6010 (ESTABLISHED)
    in.telnet 1105 root    0u  IPv4   1915      TCP r54h51.res.gatech.edu:telnet->xenia.cc.gatech.edu:50723 (ESTABLISHED)

22
Lsof (Contd)
  • [root@r54h51 /root]# netstat -t
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address            Foreign Address          State
    tcp        0    126 r54h51.res.gatec:telnet  xenia.cc.gatech.e:47887  ESTABLISHED
    tcp        0      0 r54h51.res.gatec:telnet  xenia.cc.gatech.e:47981  ESTABLISHED
    tcp        0      0 r54h51.res.gatech:1177   211.169.240.71:http      CLOSE_WAIT
    tcp        0      0 r54h51.res.gatech:1025   helsinki.cc.gatech:ssh   ESTABLISHED
  • [root@r54h51 /root]# lsof -iTCP@211.169.240.71
    COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
    netscape- 1546 jun    32u  IPv4  11962      TCP r54h51.res.gatech.edu:1177->211.169.240.71:http (CLOSE_WAIT)
  • [root@r54h51 /root]#
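The two lsof slides use the same output in two ways: the full `lsof -i` listing as an inventory of what the host exposes, and `lsof -iTCP@addr` to name the process behind a connection that netstat showed only as a socket (the CLOSE_WAIT to 211.169.240.71). The script below is an added example, not lsof's code and not from the slides: it parses `lsof -i` rows (which are awkward to split, because the SIZE column is blank for sockets) and runs two checks a reviewer would apply to this host, flagging network-reachable cleartext login services and chatty information services, and answering the "who owns this connection" question. The sample rows are a constructed subset of the slide's output; the two service lists are the author's choice for the demonstration, not anything lsof defines.

```python
import re

# Constructed lsof -i output modelled on the slide (SIZE blank, as lsof prints for sockets)
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
portmap    455 root    3u  IPv4    807      UDP sunrpc
portmap    455 root    4u  IPv4    808      TCP sunrpc (LISTEN)
sshd       617 root    3u  IPv4    990      TCP ssh (LISTEN)
xinetd     637 root    3u  IPv4   1016      TCP telnet (LISTEN)
xinetd     637 root    4u  IPv4   1017      UDP talk
xinetd     637 root    7u  IPv4   1019      TCP finger (LISTEN)
sendmail   686 root    4u  IPv4   1080      TCP localhost.localdomain:smtp (LISTEN)
X          795 root    1u  IPv4   1193      TCP x11 (LISTEN)
sshd       959 root    4u  IPv4   1531      TCP r54h51.res.gatech.edu:ssh->gaia3.cc.gatech.edu:45716 (ESTABLISHED)
in.telnet 1105 root    0u  IPv4   1915      TCP r54h51.res.gatech.edu:telnet->xenia.cc.gatech.edu:50723 (ESTABLISHED)
netscape- 1546 jun    32u  IPv4  11962      TCP r54h51.res.gatech.edu:1177->211.169.240.71:http (CLOSE_WAIT)
"""

# Assumed classification for the audit; adjust to local policy
CLEARTEXT_LOGIN = {"telnet", "ftp", "rlogin", "rsh", "pop3", "imap"}
WORTH_A_LOOK = {"finger", "talk", "ntalk", "sunrpc", "x11"}


def parse_lsof(text):
    """Parse 'lsof -i' rows; columns are located relative to the NODE field because SIZE may be empty."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        tokens = line.split()
        if len(tokens) < 8:
            continue
        command, pid, user, fd, ftype, device = tokens[:6]
        rest = tokens[6:]
        if rest[0] in ("TCP", "UDP"):            # SIZE column empty
            node, name = rest[0], " ".join(rest[1:])
        else:                                    # SIZE column present
            node, name = rest[1], " ".join(rest[2:])
        state = None
        m = re.search(r"\((\w+)\)$", name)       # trailing "(LISTEN)", "(ESTABLISHED)", ...
        if m:
            state, name = m.group(1), name[:m.start()].strip()
        local, _, remote = name.partition("->")
        rows.append({
            "command": command, "pid": int(pid), "user": user, "proto": node,
            "local": local, "port": local.rsplit(":", 1)[-1],
            "remote": remote or None, "state": state,
        })
    return rows


def audit(rows):
    """Flag reachable cleartext login services, services worth questioning, and live cleartext sessions."""
    findings = []
    for r in rows:
        proto = r["proto"].lower()
        reachable = r["state"] == "LISTEN" or (r["proto"] == "UDP" and r["remote"] is None)
        loopback_only = r["local"].startswith(("localhost", "127."))
        if reachable and not loopback_only:
            if r["port"] in CLEARTEXT_LOGIN:
                findings.append(f"{r['command']}[{r['pid']}] listens on {r['port']}/{proto}: "
                                "passwords cross the network in cleartext")
            elif r["port"] in WORTH_A_LOOK:
                findings.append(f"{r['command']}[{r['pid']}] listens on {r['port']}/{proto}: "
                                "check that this service is needed")
        if r["state"] == "ESTABLISHED" and r["port"] in CLEARTEXT_LOGIN:
            findings.append(f"active cleartext session: {r['local']} <- {r['remote']}")
    return findings


def owner_of(rows, remote_addr):
    """What 'lsof -iTCP@addr' answers: which process holds a connection to that peer."""
    return [(r["command"], r["pid"], r["state"]) for r in rows
            if r["remote"] and r["remote"].startswith(remote_addr + ":")]


if __name__ == "__main__":
    parsed = parse_lsof(SAMPLE_LSOF)
    for finding in audit(parsed):
        print(finding)
    print(owner_of(parsed, "211.169.240.71"))
```

On the slide's host the audit reports the telnet, finger, talk, sunrpc and X11 listeners and the live telnet session from xenia, while sendmail passes because it is bound to localhost only; the same telnet exposure is what the tcpdump slide captured on the wire. Note that lsof shows what is bound, not what is reachable: a service can be listening on all interfaces and still be blocked by tcpd or a packet filter, so the nmap view from outside and the lsof view from inside should be compared, not substituted for each other.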

23
Conclusion
  • No system can be made completely secure.
  • Instead, try to restrict access to the most important information.