Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16

Size: px

Start display at page:

Download "Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16"

Ambrose Richardson
5 years ago
Views:

1 Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16 Universita' degli Studi del Sannio Ing. Antonio Pirozzi

2 Exercises workflow

3 Exercises workflow: phase2 You are here

4 Fw Testing and bypass

5 The Risks Unauthorized access Denial of Service Wasted employee time Theft of internal data.

6 WTF? In automotive engineering:

7 WTF? In the Real World

8 Firewall Policies What Internet usage is not allowed? What will be done with the logs? Will we cooperate with law enforcement? Internal security policy Cit: The kind of firewall is how much insurance you re buying.

9 :D

10 Poorly configured fw:

11 Recommanded Lectures By Michael Rash Publisher : No Starch Press

12 Firewall types 1/2: The National Institute of Standards and Technology (NIST) divides firewalls into three basic types: Packet Firewall Stateful inspection Proxys headers SoR Drop Accept keeps track of the state of network connections combine stateful inspection and application inspection modern firewalls have a mix of those But...

13 Firewall types 1/2: (ACLs) Unified Threat Management (UTM ) Next-generation firewalls (NGFWs) WAF (suhoshin patch, mod_security)

14 Fw Hacking Workflow Gather Info Looking for known vuln (fragm. mtu) Try to subvert fw pivoting

15 Iptables (packets and statefull fw) TABLES CHAINS : - INPUT - OUTPUT - FORWARD Matches: --source (-s) --destination (-d) --protocol (-p) --in-interface (-i) --out-interface (-o) --state TARGET: ACCEPT DROP LOG REJECT RETURN

16 Iptables packet filtering Flushing existing connections: $IPTABLES -F $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP

17 iptables rules : INPUT CHAIN R1 ) $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID --log-ip-options log-tcp-options R2 ) $IPTABLES -A INPUT -m state --state INVALID -j DROP INVALID is applied to all those packets which are not part of any TCP session { TCP TCP FIN NULL TCP XMAS R3 ) $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ESTABLISHED : macth packets of an already established TCP session : ACK, RST In both direction RELATED : describes packets that are starting a new connection, but this connection is associated with an existing one

18 Iptables rules : INPUT CHAIN ACCEPT RULES Accept an SSH connection from internal network only : R 1) $IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT Accept ICMP echo request packet from everywhere : R 2) $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

19 Iptables rules : OUTPUT CHAIN ACCEPT RULES Accept rules for allowing outbound connectionst : R 1) IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT R 2) $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT R 3) $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

20 Iptables rules : FORWARD CHAIN R1 ) $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT R 2) $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 80 --syn -m state --state NEW -j ACCEPT R 3) $IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT Nat table : NAT chains PREROUTING POSTROUTING N1 ) $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to :80 N2 ) $IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to :53 N3 ) $IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

21 Iptables: application layer data Matching Printable DATA : iptables -I INPUT 1 -p tcp --dport m string --string "test" --algo bm -m state --state ESTABLISHED -j LOG --log-prefix "tester" Matching NON Printable DATA : iptables -I INPUT 1 -p udp --dport m string --hex-string " a7a7a7a7a7a7a7a7a7a7 " --algo bm -j LOG --log-prefix "YEN " Hex code From Linux Firewalls By Michael Rash Publisher : No Starch Press

22 Iptables: application layer data Matching BoF Attack : iptables -I FORWARD 1 -p tcp --dport 443 -m state --state ESTABLISHED -m string --string "AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -j LOG --log-prefix "SSL BoF detected " From Linux Firewalls By Michael Rash Publisher : No Starch Press

23 Iptables: application layer data From SNORT rules to iptables : alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content: "' 00 "; content: " "; reference:url, reference:url, classtype: attempted-user; sid: ; rev:5; ) iptables -I FORWARD 1 -p tcp --dport m state --state ESTABLISHED -m string --hex-string "' 00 " --algo bm -m string --hex-string " " --algo bm -j LOG --log-prefix "SQL INJECTION COMMENT " From Linux Firewalls By Michael Ras Publisher : No Starch Press

24 Firewalking Tools: RFC 793 Nmap oldschool Hping3 oldschool firewalk A fw Reconnaissance technique developed by Mike Schiffman and David Goldsmith. It utilizes traceroute, TTL values and TCP flags in order to identify fw and their respective ACLs.

25 DEMO CLOSED STATE from RFC 793 : Se la connessione non esiste (CLOSED), viene inviato un segnale RST in risposta a qualsiasi segmento in ingresso, a meno che non avvenga un altro reset. In particolare, vengono respinti in questo modo i SYN indirizzati a una connessione inesistente. Se il segmento in ingresso ha un campo ACK, il reset prende il suo numero di sequenza dal campo ACK del segmento, altrimenti il campo ACK ha il numero di sequenza uguale a zero e il campo ACK viene impostato sulla somma dei numeri di sequenza e sulla lunghezza del segmento in ingresso. La connessione rimane nello stato CLOSED.

26 Demo Listen STATE from RFC 793 : Se la connessione è in un qualsiasi stato non sincronizzato (LISTEN, SYNSENT, SYN-RECEIVED), e il segmento in ingresso si accorda per qualcosa che non è ancora stato inviato (il segmento reca un ACK inaccettabile), o se un segmento in ingresso ha un livello di sicurezza o compartimento che non corrisponde esattamen al livello e al compartimento richiesto per la connessione, viene inviato un segnale di reset...

27 findings STATE FLAG REPLY Listen NULL None Listen FIN None Listen RST None Listen ACK RST Listen SYN SYN/ACK Closed RST None Closed NULL RST/ACK Closed ACK RST Closed SYN RST/ACK Closed FIN RST/ACK

28 ACLs deduction : tcp flags 4b4l@Zion ~ $ sudo hping3 -p 80 -S localhost PING localhost (lo ): S set, 40 headers + 0 data bytes en=44 ip= ttl=64 DF id=0 sport=80 flags=sa seq=0 win=43690 rtt=7.9 ms en=44 ip= ttl=64 DF id=0 sport=80 flags=sa seq=1 win=43690 rtt=3.5 ms en=44 ip= ttl=64 DF id=0 sport=80 flags=sa seq=2 win=43690 rtt=3.4 ms C -- localhost hping statistic --- packets transmitted, 3 packets received, 0% packet loss ound-trip min/avg/max = 3.4/4.9/7.9 ms Service is Listening

29 ACLs deduction : tcp flags k4b4l@zion ~ $ sudo hping3 -p 80 -A localhost HPING localhost (lo ): A set, 40 headers + 0 data bytes ^C --- localhost hping statistic packets transmitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms Service is listening...but RST flag expected Fw is dropping packets

30 ACLs deduction : icmp messages FONTE:

31 OS fingerprinting Nmap -O $IP Xprobe2 $IP

Certification. Securing Networks

Certification. Securing Networks Certification Securing Networks UNIT 9 Securing Networks 1 Objectives Explain packet filtering architecture Explain primary filtering command syntax Explain Network Address Translation Provide examples