Slide 1
Transcription
Wireless and Mobile Hacks: BYOD Security Risk Lab
Ernest Staats, erstaats@gcasda.org
Master of Science in Information Assurance, CISSP®, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+

The Disclaimer!
• This workshop is intended to help you understand how mobile software and hardware can be used to expose security issues in your network.
• Have permission in writing first!
• This knowledge is intended to be used responsibly so we can provide academic environments that are secure, safe and accessible.

Download Lab
• Go download the lab and put it on your mobile device: save it to your Dropbox, Kindle or email, then open it and follow along.
  – http://goo.gl/
• C:\FETCImage – find installers for software
• C:\FETCImage\Installers\PA – 3.1 GB of portable security apps

Perceived Danger
Death by shark at the beach

The Real Danger
Death by vending machine at the beach

Understand RISK!
Analyze risk: risk = (cost of an exploit) * (likelihood it will occur)
Mobile devices make this inexpensive and very possible.
(BeetleJuice) inside of “Flame”

Demos: Bypass DLP (iSafe….)

iPad Apps
• Isafeplay
• Fing
• iNetTools
• NSLookup
• Netmon
• Opsview
• Spiceworks
• IRdesktop
• Free Wifi
• Inet
• Citrix
• vSphere
• WI-FI Finder
• Free Pint
• NetSwissKnife
• DropBox + BoxCryptor
• LogMeIn
• Serial IO WiSnap

Network Mapping
• inSSIDer 2.0
• Wi-Fi Inspector
• Meraki WiFi tester

Portable Apps
• Angry IP Scanner – let's scan our local network: what shares are open?
• WirelessKeyView – find your key
• WNetWatcher
• Netsparker – Community Edition
• Attack_Surface_Analyzer_BETA_x64
• WSCC – Windows System Control Center
• Google Hacking Diggity Project – SearchDiggity.Client (Google and Bing “hacking”)
• Firefox Portable
• FreeScreenRecord
• HoffmanUtilitySpotlight2009_04 – RichCopy, great copying

What channel is Rogue on?
What is no filter?
WIFI key
Walled-out network

What is a Port?
“Doors” on the system where information is sent out from and received.
When a server application is running on a port, it listens for packets.
When there is nothing listening on a port, the port is closed.

Port Status Types
• Open – the port has an application listening on it and is accepting packets.
• Closed – the port is accessible by nmap, but no application is listening on it.
• Filtered – nmap can't figure out if the port is open or closed because the packets are being filtered (firewall).
• Unfiltered – the port is accessible, but nmap can't figure out if it is open or closed.

Typical Ports to Know
Any port can be configured to run any service, but major services stick to defaults.
Popular TCP ports/services:
• 80 – HTTP (web server)
• 23 – Telnet
• 443 – HTTPS (SSL-encrypted web servers)
• 21 – FTP
• 22 – SSH (shell access)
• 25 – SMTP (send email)

More Ports That You Need to Know
• 445 – Microsoft-DS (SMB communication with MS Windows services)
• 139 – NetBIOS-SSN (communication with MS Windows services)
• 143 – IMAP (email retrieval)
• 53 – Domain (DNS)
• 3306 – MySQL (database)

nmap
Nmap (“Network Mapper”) is a great tool that we have in both the portable apps and in BT (BackTrack). Extremely powerful.
Simple use: nmap -v -A <target>
‘-v’ for verbosity and ‘-A’ for OS/version detection.

Zenmap
• Scan one target or a range
• Built-in profiles, or make your own for personal ease

Zenmap Visual Map
• Hop distance
• Router information
• Group hosts by service
• Using a Quick traceroute

Using Zenmap
Here are some IPs open to be scanned. Be careful!
• 66.110.218.68
• 66.110.220.87
• Hackerinstitute.net
• 66.110.218.106
• moodle.gcasda.org
Just in case:
• 192.168.2.254
What ports are open on 66.110.220.87?

Finding Open Shares
• ShareEnum
• Angry IP Scanner
• SoftPerfect Network Scanner
What open shares are on our network?
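As an added example (not from the original lab materials or any tool it lists), the Python below parses nmap's grepable output (-oG) into the four port states defined above and reports open TCP ports that fall outside an approved per-host baseline, which is how a defender turns a scan into a check. The sample scan lines and the BASELINE table are constructed for the lab network and are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "nmap -v -A -oG" output for the lab network (not a real scan).
# Entries cover the slide's states: open, filtered, unfiltered; closed ports are summarised by nmap.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated as: nmap -v -A -oG lab.gnmap 192.168.2.0/24
Host: 192.168.2.10 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2/, 3306/open/tcp//mysql//MySQL 5.1/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.168.2.20 (files.lab)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 23/unfiltered/tcp//telnet///\tIgnored State: closed (997)
Host: 192.168.2.254 ()\tStatus: Up
"""

# Assumed per-host baseline of ports that are supposed to be open; anything else is a finding.
BASELINE = {"192.168.2.10": {22, 80}, "192.168.2.20": {139, 445}}

# One -oG port entry has the shape port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|unfiltered)/(tcp|udp)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Map each scanned host IP to its list of (port, state, proto, service, version) tuples."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip the "# Nmap ..." header/footer comments
        ip = line.split()[1]
        for field in line.split("\t"):  # tab-separated fields: Host, Ports, Ignored State
            if field.startswith("Ports: "):
                for port, state, proto, svc, ver in PORT_RE.findall(field):
                    hosts[ip].append((int(port), state, proto, svc, ver))
    return dict(hosts)


def state_counts(hosts):
    """Count individually reported ports per state across all hosts."""
    counts = defaultdict(int)
    for entries in hosts.values():
        for _, state, _, _, _ in entries:
            counts[state] += 1
    return dict(counts)


def unexpected_open_ports(hosts, baseline):
    """Open TCP ports not in a host's baseline; a host missing from the baseline has no allowed ports."""
    findings = {}
    for ip, entries in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p for p, state, proto, _, _ in entries
                       if state == "open" and proto == "tcp" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings
```

Running the scan with -oG and feeding the file to these functions after each change window gives a repeatable "what opened since last time" report instead of a one-off port list.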
Packet Sniffing
• Wireshark
• Capsa

Malware Detection: All Portable Apps
• CurrPorts
• CurrProcess
• Autoruns
• Process Hacker
• ClamAV
• Spybot
• Stinger

Mobile Device Management
• Secures mobile devices beyond just email (i.e. ActiveSync)
• Application delivery system
• Provision and configure new devices
• Asset tracking / finding or deleting
A good list of MDM solutions and what they offer: http://www.enterpriseios.com/wiki/Comparison_MDM_Providers

dSploit / Network Spoofer
Great free man-in-the-middle hacking tools that are hard to defend against.

Android Apps
• Anti – Wi-Fi scanning tool for finding open networks and showing all potential target devices
• ArpSpoof – arpspoof is an open source tool for network auditing. It redirects packets on the local network by broadcasting spoofed ARP messages.
• PortKnocker – a good port knocking client
• Nessus – log into your Nessus scanners and start, stop and pause vulnerability scans
• Wifi Analyzer – choose the best WiFi network
• NetAudit – TCP port scanner
• WiFi Key Recovery – recover the password of a wireless network
• Network Discovery – discovering, mapping, scanning, profiling your WiFi network
• Net Scan – network scanning and discovery along with a port scanner; find holes and security flaws in your network

Metadata Tools
• FOCA (use compatibility mode if needed) – http://www.informatica64.com/DownloadFOCA/
• Metagoofil – http://www.edge-security.com/metagoofil.php
  Will extract a list of disclosed paths in the metadata; with this information you can guess OS, network names, shared resources, etc. Also extracts MAC addresses from Microsoft Office documents.
• ExifTool – http://www.sno.phy.queensu.ca/~phil/exiftool/
• EXIF Viewer Plugin – https://addons.mozilla.org/enUS/firefox/addon/3905
• Jeffrey's Exif Viewer – http://regex.info/exif.cgi

Types That Contain Metadata
MAC addresses, user names, edits, GPS info. It all depends on the file format.
• JPG: EXIF (Exchangeable image file format), IPTC (International Press Telecommunications Council)
• PDF
• DOC / DOCX
• EXE
• XLS / XLSX
• PNG
Too many to name them all.

What Information is in Metadata?
• User names: creators, modifiers, users in paths (C:\Documents and settings\ofmyfile, /home/johnny)
• Operating systems
• Printers: local and remote
• Paths: local and remote
• Network info: shared printers, shared folders, ACLs, internal servers, NetBIOS name, domain name, IP address
• Database structures: table names, column names
• Device hardware info: photo cameras
• Private info: personal data, history of use
• Software versions

FOCA – Fingerprinting Organizations with Collected Archives
• Searches for documents in Google and Bing
• Automatic file downloading
• Capable of extracting metadata, hidden info and lost data cluster information
• Analyzes the info to fingerprint the network
http://www.informatica64.com/FOCA

Metadata: FOCA Free
• Type a project name, then type the URL; use: es-es.net
• Extract Metadata; it will be displayed on the right-hand side of the window

Geotagging
• In August of 2010, Adam Savage of “MythBusters” took a photo of his vehicle using his smartphone. He then posted the photo to his Twitter account including the phrase “off to work”. Read the full story here: http://nyti.ms/917hRh
• Cat Schwartz of TechTV and her blog

Metadata Images Hands-on
Go to Jeffrey's Exif Viewer: http://regex.info/exif.cgi
Photo 1: photo.JPG
• Where was the photo of the police office taken?
• Was the photographer on the sidewalk or somewhere else?
• What kind of device was used to take the photo?
Second photo: _MG_5982_ES.jpg
• What is the ethnicity of the girl in the photo?
• What kind of device was used to take the photo?

Turn Off the GPS Function on Phones
• Disable the geotagging function
• Most smartphones/tablets and several cameras automatically display geographical information
• It's important that users make efforts to turn off geotagging

Scrubbing Metadata
• Software
  – JPG and PNG metadata stripper: http://www.steelbytes.com/?mid=30
    Hands-on: copy images 1 and 2 used earlier down to the local system, use the metadata stripper, then compare the results at http://regex.info/exif.cgi
  – BatchPurifier LITE: http://www.digitalconfidence.com/downloads.html
  – Doc Scrubber: http://www.javacoolsoftware.com/dsdownload.html
• Websites
  – http://regex.info/exif.cgi
  – http://trial.3bview.com/3BTrial/pages/clean.jsp
  – Clean your documents: MS Office 2003 & XP – http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360

Metadata Tools
Doc Scrubber – remove metadata from downloaded Word documents. Select ALL options, reset Author to ES and Company to ES, click Next.

Build Secure Networks

Secure Network Engineering
• Document gathering is the first step
• Understand data flows
• Log events and correlate
• Apply least-privilege principles
• Divide and secure
• Establish trust and validate data integrity
• Test and validate routinely

Functional Requirements
1. Documentation
2. Data Center Physical Controls
3. Enclaves
4. Firewalls and Security Apps
5. Internet Access
6. DNS
7. Hardening
8. Config and Change Mgt
9. Virtual and Blade Servers
10. Vulnerability and Threat Mgt
11. Log Mgt
12. Asset Mgt
13. Access Mgt
14. Performance Mgt
15. Forensic Mgt
16. Service Mgt

Key Risk Considerations
• Mixing assets of different value
• Integrating security and network controls
• High event volume and impact of false negatives
• Understanding data flows and security policies
• Performance impact of inspection
• Protecting high-authority access
• Configuration errors and product defects

High-level Design and Build Approach
N-Tier Application Control Checklist
• Enclave for each app function
• Dedicated Internet access firewall
• Security fabric
• Separate infrastructure firewall
• SSL accelerator and proxies
• Tiered DNS
• Virtualization and blade servers
• Netflow
• Network Address Translation
• Network monitoring switch
• Load balancers

Lessons Learned
Pitfalls
• Poor documentation
• Too many ACLs and flows
• Netflow “meltdown”
• 4 x 10 port aggregation
• Virtual switch overload
• Poorly designed QoS
• Forensic teams
Promising Solutions
• Security fabric
• Firewall policy management
• Virtual switch replacement
• IEEE 802.1AE (MACsec)
Benefits
• Improved security
• Increased design credibility
• Better manageability
• Lower total costs
• Faster response to threats

Ultimately, adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today—and tomorrow.
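The geotag check and metadata stripping from the Geotagging and Scrubbing Metadata slides above, as an added Python example that is not part of the original deck or of any of the scrubbing tools it lists: it walks a JPEG's marker segments, flags the image as geotagged when the Exif IFD0 carries the GPSInfo pointer (tag 0x8825), and produces a scrubbed copy with the Exif/XMP (APP1) and IPTC (APP13) segments removed while the image data is copied through untouched. The minimal JPEG it runs on is constructed inside the script; the 8BIM and DQT payloads are placeholders, not a real photo.

```python
import struct

METADATA_MARKERS = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)"}  # segments a scrubber drops


def _segment(marker, payload):
    """Encode one JPEG marker segment: FF xx, big-endian length (counts the 2 length bytes), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _exif_with_gps():
    """Constructed Exif APP1 payload: little-endian TIFF whose IFD0 holds only a GPSInfo (0x8825) pointer."""
    gps_off = 8 + 2 + 12 + 4  # TIFF header, entry count, one 12-byte entry, next-IFD offset
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, gps_off) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    return b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps_ifd


# Constructed minimal JPEG (not a real photo): SOI, geotagged Exif APP1, IPTC APP13, DQT, SOS, scan data, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(0xE1, _exif_with_gps()) + _segment(0xED, b"Photoshop 3.0\x008BIM")
               + _segment(0xDB, bytes(65)) + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")


def has_gps_tag(exif_payload):
    """True when IFD0 of the Exif block contains tag 0x8825 (GPSInfo IFD), i.e. the image is geotagged."""
    if not exif_payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = exif_payload[6:]
    endian = "<" if tiff[:2] == b"II" else ">"  # "II" little-endian, "MM" big-endian
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    return any(struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0] == 0x8825
               for i in range(count))


def scan_and_strip(data):
    """Return (geotagged, names_of_removed_segments, scrubbed_jpeg) for a JPEG byte string."""
    assert data[:2] == b"\xff\xd8", "not a JPEG (missing SOI marker)"
    out, removed, geotagged, pos = bytearray(data[:2]), [], False, 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        if marker in METADATA_MARKERS:  # drop the whole segment rather than editing individual tags
            removed.append(METADATA_MARKERS[marker])
            geotagged = geotagged or (marker == 0xE1 and has_gps_tag(segment[4:]))
        else:
            out += segment
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded image data follows, copy it through untouched
            break
    out += data[pos:]
    return geotagged, removed, bytes(out)
```

Re-uploading the scrubbed output to an EXIF viewer, as the hands-on slide does, is the check that the GPS data is really gone; a strip that only edits the GPS fields but leaves the APP1 block can still leak camera model and edit history.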