Advances In RealTime Vulnerability Assessment

1
Advances In Real-Time Vulnerability Assessment

• By David Meltzer

2

• The Worst IDS Ever Invented

3

• The Best Active Scanner Ever Invented

4

• Agenda
• Brief history of assessment tools
• Less recent advances
• Examination of passive techniques
• Hybrid scanning
• Introduce PAPMap
• Hybrid exploits
• Conclusions

5

• Vulnerability Assessments
• Answers These Questions
• Inventory / Discovery
• What hosts are on the network?
• What ports are open?
• What services are running?
• What is the configuration state of those
  services?
• Deeper
• Vulnerability State
• What are the vulnerabilities on a host?
• What are the patches missing on a host?
• What is it about this host that creates a
  security risk?

6

• Assumptions
• No host-based tools.
• Knowledge is useful.
• Networks change.

7

• Comparing Scanning Techniques
• The Metrics
• Coverage
• What can it tell you?
• Accuracy
• False positives/negatives?
• Speed
• Time-to-Detect
• Turbidity
• Disruptiveness to network/hosts

8

• Traditional Scanning
• Active Scanning
• SATAN, ISS, Nessus, etc.

9

• Less Recent Advances in
• Active Vulnerability Analysis
• Distributed Scanning
• Directed Scanning
• Fingerprint-Based Scanning

10

• Passive Vulnerability AnalysisThe First Passive
  Check
• (me, RealSecure, circa 1997)
• Browser vulnerabilities becoming popular.
• Browsers dont listen on the network.
• No way to tell if host running a vulnerable
  browser via scanning (in many situations).
• SolutionWatch HTTP connections for version of
  browser being used in IDS. Trigger alert if
  version matches a known vulnerable one.

11

• Passive Vulnerability Analysis
• Passive vulnerability signatures in RealSecure
  IDS
• Meltzer 97
• Passive Vulnerability Detection
• Gula 99
• Target-Based IDS
• - Roesch 00
• Vulnerability Detection Systems (VDS) -
  Meltzer 02
• Passive Vulnerability Scanner (PVS)
• - Gula 03
• Passive Network Discovery Systems (PNDS)
• Roesch 04

12

• Passive Vulnerability AnalysisTurbidity
• Listening is safe (mostly).
• Why people like IDS.
• Why people like anything passive.

13

• Passive Vulnerability AnalysisSpeed
• Real-Time
• But
• At first use

14

• Passive Vulnerability AnalysisCoverage
• Ugh
• Some things only/better discovered passively (eg
  client-side vulns)
• Some things discovered equally well passively or
  actively (eg lots of versioning)
• MANY things only discovered actively (eg almost
  all SANS Top 20 vulns)

15

• Passive Vulnerability AnalysisAccuracy
• Depends
• IF you are content with poor coverage, you can
  have perfectly accurate passive scanning.

16

• Hybrid Scanning Approach
• Realizing active and passive scanning are
  complementary techniques
• Why should you have to choose?

17

• Hybrid Scanning Defined
• Gathering network inventory and vulnerability
  data using both active and passive techniques
  integrated into a single system.

18

• Hybrid Advantages
• Independent active/passive engines
• Double the hassle
• Substantially more turbidity
• Waste resources
• Manually resolve conflicts
• Hybrid approach
• Single configuration
• Uses less bandwidth than pure active
• Single output

19

• Hybrid Scanning
• Introducing PAPMap
• Combines passive and active scanning techniques
  for TCP port discovery.
• Operates as a drop-in replacement for nmap.
• Utilizes nmap for active scanning.
• A complete and functional hybrid scanner but with
  only TCP port coverage.

20

• PAPMap Requirements
• R-1. Takes same command line as nmap.
• R-2. Produces almost same output as nmap.
• R-3. Runs nmap scan then switches to passive
  listening mode and updates output anytime a
  change in TCP port open/closed state detected.

21

• PAPMap Components
• papCL command-line interface
• papGUI GUI interface
• papNmap nmap communication interface
• papDB in-memory port state database
• papSniff network listener for port states
• papAlert output handler

22

• PAPMap CL Operation Part I
• nmap
• nmap oX nmap-results.xml 192.168.1.0/24
• papmap
• papmap oX nmap-results.xml 192.168.1.0/24

23

• PAPMap CL Operation Part II
• Executes nmap
• Loads nmap XML output into in-memory database
• Starts listening promiscuously on network

24

• PAPMap CL Operation Part III
• Sniffer Design
• Only interested in initial connection
  establishments
• Only interested in connections being made TO the
  hosts in network range being scanned
• Interested in state of all ports
• pcap-based sniffer

25

• PAPMap CL Operation Part III
• Sniffer Design 2 (TCP/IP 101)
• Easy cases
• Port is listening IF
• SYN/ACK reply FROM port
• Port is NOT listening IF
• SYN sent TO port AND
• RST reply FROM port

26

• PAPMap CL Operation Part III
• Sniffer Design 3
• Hard cases
• No reply to a SYNIs port closed?
• Is host down?
• Did I drop a packet?
• Did network drop packet?
• Was SYN malformed?
• Firewall?
• Need state-handling to resolve

27

• PAPMap CL Operation Part III
• Sniffer Design 4
• When a new connection is established or denied
• - Lookup known state in papDB
• - If state has changed
• - Update papDB
• - Send alert to papAlert

28

• PAPMap CL Operation Part IV
• Line output to stdout indicating new status of
  the port.
• Nmap XML file is updated to reflect real-time
  state of network being mapped (but updates cached
  to avoid flailing disk).
• Monitoring continues until user quits.

29

• PAPMap Demo

30

• PAPMap Benchmarks
• In progress, will be updated before conference

31

• PAPMap Status
• v1.0 released at Ruxcon, July 10, 2004
• Source and binaries freely available following
  conference athttp//www.intrusec.com/resources.a
  sp

32

• PAPMap Future Enhancements
• Expand coverage beyond TCP port state
• Add active rescans
• Add reverse mode
• Hybridize other popular tools

33

• Hybrid Exploits
• The Idea
• Passively
• Sniff network waiting for a trigger alert
• New system comes up on network
• Host connects to Windows Update to patch
• Active
• Exploit the target device in real-time
• Exploit and load shell before patches occur

34

• Hybrid Exploits
• Example / Demo
• In progress, will be updated before conference

35

• Thanks and Credits
• Thanks to Mike Davis for his work on
• PAPMap with me, and to Intrusec forsponsoring
  this research.
• Word to duke, caddis, and ruxcon crew for giving
  me a reason to rux it in .au.