Hardening is a computer security conference created by Prof. Giampaolo Bella of the University of Catania to discuss how to harden the computers we use every day. Each edition covers different topics in Internet and computer security. This edition (29 May 2017) covered Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), with examples of attacks and of how these technologies are applied.
Introduction to lecture
https://www.youtube.com/watch?v=tUYbRu1nrz8&feature=youtu.be&a
In these slides I talked about IDS and the passive role (without a firewall) that it plays in the network, analysing different scenarios. In particular I used and talked about Snort.
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This makes the scan appear to come from many machines, improving stealth, while, unlike traditional IP spoofing, the scanner still receives the results. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
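The ARP side of DPS leaves a footprint an IDS can look for. As an added example (not code from the DPS document or its tool), the Python below parses raw Ethernet/ARP reply frames and flags two things: an IP address whose MAC binding changes, and one MAC answering for many IP addresses, which is what a host that spoofs many source IPs and redirects their replies to itself looks like on the wire. The MAC and IP addresses, the sample frames and the threshold are constructed for the example.

```python
"""Detect ARP cache poisoning from a stream of raw Ethernet/ARP frames.

Two heuristics, both of which fire on the traffic a DPS scanner generates:
  1. an IP address previously bound to one MAC is announced by a different MAC;
  2. one MAC claims more than MAX_IPS_PER_MAC distinct IP addresses, the footprint
     of a host spoofing many source IPs and redirecting their replies to itself.
build_arp_reply() exists only to construct the sample traffic at the bottom.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAX_IPS_PER_MAC = 3          # assumed threshold; tune to the segment (VRRP, containers, ...)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Ethernet header + 28-byte ARP reply (hardware type 1 = Ethernet, protocol 0x0800 = IPv4)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + ip_to_bytes(sender_ip) + target_mac + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, frame[22:28], ".".join(str(b) for b in frame[28:32])


def detect_arp_spoofing(frames, max_ips_per_mac: int = MAX_IPS_PER_MAC):
    """Walk frames in capture order and return the list of alert strings raised."""
    ip_to_mac = {}                 # last MAC seen announcing each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        # Heuristic 1: a binding change. Legitimate causes exist (DHCP lease reuse,
        # NIC replacement), so treat this as a lead to verify, not proof of attack.
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"binding change: {ip} moved from {mac_str(ip_to_mac[ip])} to {mac_str(mac)}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Heuristic 2: one MAC answering for many IPs; fires once, when the limit is crossed.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(f"{mac_str(mac)} claims {len(mac_to_ips[mac])} IPs (possible DPS scanner)")
    return alerts


# Constructed sample traffic (hypothetical addresses): the gateway and one host answer
# normally, then a scanner takes over the gateway's IP and claims four more addresses.
GATEWAY_MAC = bytes.fromhex("aa0000000001")
HOST_MAC = bytes.fromhex("bb0000000002")
SCANNER_MAC = bytes.fromhex("cc0000000003")
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "192.168.1.1", HOST_MAC, "192.168.1.20"),
    build_arp_reply(HOST_MAC, "192.168.1.20", GATEWAY_MAC, "192.168.1.1"),
    build_arp_reply(SCANNER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.20"),  # poisons the host's view of the gateway
] + [build_arp_reply(SCANNER_MAC, f"192.168.1.{n}", GATEWAY_MAC, "192.168.1.1") for n in (50, 51, 52, 53)]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

Snort's arpspoof preprocessor performs the binding check against a statically configured list of host/MAC pairs; a learned table like the one here trades that certainty for coverage and has to live with the false positives noted in the comments. The second heuristic is the one specific to DPS: ordinary poisoning moves one or two addresses, a scanner spoofing many sources moves many.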
Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.
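The detection signature in the last sentence is simple enough to implement directly. The following is an added example (not code from the slide deck): it walks a constructed connection log, keeps a sliding window per source/destination pair, raises one alert when the number of distinct destination ports in the window reaches a threshold, and labels the probe type from the TCP flags so that a FIN, NULL or Xmas scan is reported as such. The log format, the addresses and the thresholds are all assumptions made for the example.

```python
"""Flag port scans in a connection log using the signature described above:
many connections to different destination ports from one source in a short time.

Log format (constructed for this example, not a real capture), one record per line:
    <epoch seconds> <src ip> <dst ip> <dst port> <tcp flags>
where flags is a string of letters from S,A,F,R,P,U, or "-" when no flag is set.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 is a normal client; 10.0.0.66 walks 12 ports on
# 10.0.0.9 with FIN-only probes in under 3 seconds (the shape of an nmap -sF scan).
SAMPLE_LOG = """\
1495000000.00 10.0.0.5  10.0.0.9 443 S
1495000000.40 10.0.0.66 10.0.0.9 21 F
1495000000.65 10.0.0.66 10.0.0.9 22 F
1495000000.90 10.0.0.66 10.0.0.9 23 F
1495000001.15 10.0.0.66 10.0.0.9 25 F
1495000001.20 10.0.0.5  10.0.0.9 80 S
1495000001.40 10.0.0.66 10.0.0.9 53 F
1495000001.65 10.0.0.66 10.0.0.9 80 F
1495000001.90 10.0.0.66 10.0.0.9 110 F
1495000002.15 10.0.0.66 10.0.0.9 139 F
1495000002.40 10.0.0.66 10.0.0.9 143 F
1495000002.65 10.0.0.66 10.0.0.9 443 F
1495000002.90 10.0.0.66 10.0.0.9 445 F
1495000003.15 10.0.0.66 10.0.0.9 3389 F
"""


def classify_probe(flags: str) -> str:
    """Name the probe type from its TCP flags, using the usual nmap scan-type names."""
    f = set(flags.replace("-", ""))
    if f == {"S"}:
        return "SYN"
    if f == {"A"}:
        return "ACK"
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "Xmas"
    if not f:
        return "NULL"
    return "other"


def detect_port_scans(log_text: str, window_seconds: float = 5.0, port_threshold: int = 10):
    """Return one alert per (src, dst) pair whose distinct destination ports inside a
    sliding window of window_seconds reach port_threshold. Thresholds are assumptions."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport, probe type)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, src, dst, dport_s, flags = line.split()
        ts, dport = float(ts_s), int(dport_s)
        q = recent[(src, dst)]
        q.append((ts, dport, classify_probe(flags)))
        while q and ts - q[0][0] > window_seconds:   # expire records outside the window
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= port_threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({
                "src": src, "dst": dst, "distinct_ports": len(ports),
                "probe": "/".join(sorted({k for _, _, k in q})),
                "first_seen": q[0][0], "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The two knobs are exactly what the evasion techniques in the paragraph attack: a slow scan spreads the probes over more than the window, and spoofed or decoy sources (the DPS technique above) spread the distinct-port count across many source addresses so no single pair crosses the threshold. Keying the window on destination alone catches the second case at the cost of more false positives on busy servers.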
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Port scanning is the process of examining IP addresses to determine what services are running on a network. It can be used by administrators to verify security policies and by attackers to identify vulnerabilities. Nmap is one of the most popular port scanners and adds features like OS detection. Shadow Security Scanner is a port scanning tool that audits services like FTP, SSH and SMTP, and supports expanding its capabilities through an open ActiveX architecture. To prevent attacks, network devices should implement anti-spoofing filters (dropping packets whose source address could not legitimately arrive on that interface), and firewalls should allow only necessary traffic while detecting and blocking potentially malicious behaviour over time.
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
Port scanning involves attempting to connect to ports on a target system to discover which ports are open and what services they correspond to. It is done by software that scans a range of ports, up to the full range of 0 to 65535, and analyses the responses to determine whether each port is open, closed, or filtered. Common port scanning tools include Nmap and Netcat. While port scanning can be used maliciously for hacking, it is also used by system administrators to diagnose network issues.
This document provides an overview of advanced scanning and exploitation techniques for security testing. It discusses using Nmap to scan for open ports and operating systems. The importance of local IP sweeping to find vulnerable systems on a local network is explained. Netcat is demonstrated as a simple way to create a remote shell on another system. Brief examples of shellcode and exploits that can be delivered through media files like JPGs and MP3s are also provided. The conclusion emphasizes that while this information is shown for educational purposes, actually exploiting systems without permission would be illegal.
Predicting and Abusing WPA2/802.11 Group Keys (vanhoefm)
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
The document discusses scanning techniques used during penetration testing and hacking. It defines different types of scanning like port scanning, network scanning, and vulnerability scanning. It describes tools like Nmap that can be used to perform these scans and examines techniques like SYN scanning, XMAS scanning, NULL scanning, and IDLE scanning. The document also discusses using proxies and anonymizers to hide one's location while scanning and ways to document results like creating network diagrams of vulnerable systems.
This document provides information about tools and hardware requirements for wireless hacking and security testing on Linux systems. It discusses wardriving tools like Kismet and Aircrack for detecting wireless networks, as well as tools for cracking WEP keys like Airsnort and cracking WPA pre-shared keys with Cowpatty. It also lists recommended wireless network cards, describes wardriving for passive and active detection, and provides contact information for T'Lab, a technology open source laboratory.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
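To make the rule structure described above concrete, here is an added example (not Snort's own code and not a substitute for its detection engine): a small Python parser for Snort-style rules that reads the header (action, protocol, source, source port, direction, destination, destination port) and the option list, then evaluates the rules against constructed packet records. The variable bindings, the two sample rules and the packets are assumptions made for the example; the supported syntax is the subset they use.

```python
"""Minimal parser and matcher for Snort-style rules (example code, not Snort's own).
Covers the header (action proto src sport -> dst dport) with 'any', single ports,
'lo:hi' ranges, '!' negation and $VARIABLE substitution, plus the msg, content,
nocase and sid options, including |hex| segments inside content strings."""
import ipaddress
import re

# Hypothetical variable bindings, the role snort.conf's ipvar lines play.
DEFAULT_VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner from external client"; content:"ssh-"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 1:1024 (msg:"/etc/passwd requested over HTTP"; content:"|47 45 54 20|/etc/passwd"; sid:1000002; rev:1;)
"""

def split_options(text):
    """Split the option list on ';' characters that are not inside double quotes."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\":                 # keep escaped characters verbatim
            buf, i = buf + text[i:i + 2], i + 2
            continue
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            opts, buf = opts + [buf.strip()], ""
        else:
            buf += ch
        i += 1
    return [o for o in opts + [buf.strip()] if o]

def parse_rule(line):
    head, _, rest = line.partition("(")
    fields = head.split()                         # action proto src sport -> dst dport
    options = []
    for opt in split_options(rest.rsplit(")", 1)[0]):
        name, sep, value = opt.partition(":")
        value = value.strip() if sep else None    # bare modifiers like nocase have no value
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((name.strip(), value))
    rule = dict(zip(("action", "proto", "src", "sport", "direction", "dst", "dport"), fields), options=options)
    rule["msg"] = next((v for n, v in options if n == "msg"), "")
    rule["sid"] = int(next(v for n, v in options if n == "sid"))
    return rule

def content_bytes(value):
    """'|47 45 54 20|/etc/passwd' -> b'GET /etc/passwd': hex inside pipes, text outside."""
    out = b""
    for n, seg in enumerate(value.split("|")):
        out += bytes.fromhex(seg) if n % 2 else re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
    return out

def addr_matches(spec, ip, variables):
    spec = variables.get(spec, spec)
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                             # 'lo:hi', ':hi' or 'lo:' range
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def rule_matches(rule, pkt, variables):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_matches(rule["src"], pkt["src"], variables) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"], variables) and port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["options"]
    for i, (name, value) in enumerate(opts):
        if name != "content":
            continue
        # modifiers such as nocase apply to the content just before them, up to the next content
        following = [n for n, _ in opts[i + 1:]]
        modifiers = following[:following.index("content")] if "content" in following else following
        negate = value.startswith("!")
        needle, hay = content_bytes(value.lstrip("!")), pkt["payload"]
        if "nocase" in modifiers:
            needle, hay = needle.lower(), hay.lower()
        if (needle in hay) == negate:             # required content missing, or forbidden content present
            return False
    return True

def evaluate(rules_text, packets, variables=DEFAULT_VARS):
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    return [(r["sid"], r["msg"]) for pkt in packets for r in rules if rule_matches(r, pkt, variables)]

# Constructed sample packets (hypothetical addresses and payloads).
SAMPLE_PACKETS = [
    dict(proto="tcp", src="203.0.113.7", sport=51000, dst="192.168.1.10", dport=22, payload=b"SSH-2.0-OpenSSH_7.4\r\n"),
    dict(proto="tcp", src="192.168.1.20", sport=40000, dst="192.168.1.10", dport=22, payload=b"SSH-2.0-PuTTY\r\n"),
    dict(proto="tcp", src="198.51.100.3", sport=4444, dst="192.168.1.10", dport=80, payload=b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    dict(proto="udp", src="198.51.100.3", sport=4444, dst="192.168.1.10", dport=53, payload=b"GET /etc/passwd"),
]
```

Running `evaluate(SAMPLE_RULES, SAMPLE_PACKETS)` fires the first rule only for the external SSH client (the internal one is excluded by `$EXTERNAL_NET`) and the second only for the HTTP request; the UDP packet matches nothing because both rules are bound to `tcp`. What the example leaves out is most of what makes Snort's engine fast and accurate: stream reassembly, the preprocessors, fast-pattern selection, and the many content modifiers beyond `nocase`.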
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
Wireless security beyond password cracking, by Mohit Ranjan (OWASP Delhi)
Network attacks in wired LAN environments
Protection in wired LAN
Layout of modern networks (wired + wireless)
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
Nmap is a popular port scanning tool used to discover open ports and services on a target system. It works by sending packets with different TCP flag combinations, such as SYN, ACK and FIN, and inferring from the response (or its absence) whether a port is open, closed, or filtered. Scanning techniques offered by Nmap include SYN scanning, stealth scanning, Xmas scanning, FIN scanning, and NULL scanning. The open ports these techniques reveal are the starting point for identifying vulnerable services; exploiting them is a separate step.
Nmap is a network exploration tool that collects information about target hosts including open ports, services, OS detection, and running scripts. It offers various host discovery techniques like ICMP ping, TCP and UDP ping to find active systems on the network. Once hosts are identified, nmap performs port scanning using TCP SYN, ACK, and UDP scans to determine open and closed ports. It can also detect services, versions, and OS on each host. Nmap scripts provide additional information gathering capabilities for vulnerabilities and exploits.
The document discusses different nmap scanning techniques including SYN scans, FIN scans, ACK scans, and window scans. It provides pros and cons of each technique. It then details a mission to penetrate SCO's firewall and discern open ports on a target system using different scan types. Another mission works to locate webservers on the Playboy network offering free images, optimizing the scan by getting timing information and scanning faster without DNS lookups. Several IP addresses with port 80 open are identified.
The document discusses hacking the Swisscom modem by exploiting default credentials to gain access. Upon login, the author runs commands to investigate the system such as viewing configuration files and mapping the internal network. Various system details are discovered including the Linux kernel version and software components.
This session covered cyber security and ethical hacking topics such as network hacking, Kali Linux, IPv4 vs IPv6, MAC addresses, wireless hacking techniques like deauthentication attacks, cracking WEP and WPA encryption, and post-connection attacks including ARP spoofing and MITM attacks. The presenter emphasized the importance of securing networks by using strong passwords, disabling WPS, and enabling HTTPS to prevent hacking attempts.
Nmap (Network Mapper) is an open-source utility that can quickly scan broad ranges of devices and provide valuable information about the devices on your network. It can be used for IT auditing and asset discovery as well as security profiling of the network.
This document describes potential backdoor techniques to maintain access to systems behind different types of firewalls. It discusses placing backdoors on internal machines rather than firewall machines. Suggested backdoor methods include using ACK-only telnet, the Loki ICMP tunnel, a UDP-based daemon shell, and exploiting ports left open for non-passive FTP. Insider assistance, exploiting vulnerable external services, hijacking connections, and trojan files are also proposed for initially penetrating firewalls.
Nmap is an open source tool that can scan networks to discover available hosts, services on hosts, operating systems and versions running on hosts, types of firewalls and filters in place, and other network details. It works across Linux, Windows, and other platforms. Nmap uses raw IP packets to gather this information, which can help identify security issues but also be used by attackers for reconnaissance. The tool supports various types of scans with different tradeoffs between stealthiness and information discovered. While Nmap has both command line and GUI interfaces, advanced usage requires command line expertise.
Snort is an open source network intrusion detection and prevention system that monitors network traffic and compares it against a ruleset to detect anomalous activity. It works on the network, transport, and application layers to analyze packet headers, payloads, and apply detection rules using a string matching algorithm. Snort includes components like a packet decoder, preprocessors, detection engine, and output modules. The detection engine applies rules to packets in priority order to detect known intrusions based on signatures as well as potential new attacks. Improving Snort involves optimizing its rule processing, offloading work to hardware, and developing better detection algorithms.
Nmap is a free and open-source tool for network discovery and security auditing. It can be used to discover hosts and services on a computer network by scanning target hosts and performing port scanning, version detection, and OS detection. System administrators, network engineers, and auditors use Nmap for security auditing, compliance testing, asset management, and network/system inventory. While Nmap provides useful information for hardening network security, it can also be used maliciously for reconnaissance, so permission should be obtained before using it on networks.
José Ramón Palanco is an OT security expert at ElevenPaths (Telefónica) who specializes in penetration testing, vulnerability research, and programming. The presentation covers OT protocols, an OT lab for hardware hacking and firmware analysis, industrial malware examples like Stuxnet, and projects including an industrial protocol IDS and Nmap scripts for discovering SCADA/ICS devices.
The audit report summarizes a security audit performed on May 28, 2014. The audit found 2 vulnerabilities on 1 system, with no critical vulnerabilities. The most common vulnerabilities were related to TCP sequence number approximation and generic ICMP timestamp responses. To address these issues, patches need to be applied to disable ICMP timestamp responses and enable TCP MD5 signatures.
The audit report summarizes the results of a security audit performed on May 28, 2014. The scan found 2 vulnerabilities, with one being severe. The tcp-seq-num-approximation vulnerability was the most common and highest risk. The report provides details on the discovered systems, vulnerabilities found, and recommendations to address the tcp-seq-num-approximation and generic-icmp-timestamp vulnerabilities.
The document discusses techniques for bypassing security controls and gaining persistent access to a secured remote desktop server. It proposes infecting a client's workstation, stealing RDP credentials, and using various tools to bypass firewalls, application whitelisting, and other defenses in order to install malware and establish command and control of the target server. Specific bypass methods involve abusing Microsoft Word macros, exploiting Windows services, installing kernel drivers, and manipulating TCP source ports. The presentation demonstrates new attack tools and methods for pentesters and warns blue teams of challenges in detecting such advanced intrusions.
The document discusses a technique called Dynamic Port Scanning (DPS) that integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. It allows scan packets to appear to come from many different IP addresses, making detection more difficult. The document provides an overview of current spoofing techniques, explains how ARP poisoning can be used to spoof IPs during scanning, lists advantages and limitations, and discusses various one-packet scanning techniques that can be used with DPS. It also introduces a tool called Dynamic Port Scanner that implements the DPS technique.
The document provides instructions for a lab on Snort and firewall rules. It describes:
1) Setting up the virtual environment and configuring networking on the CyberOps Workstation VM.
2) Explaining the differences between firewall and IDS rules while noting their similarities, such as both having matching and action components.
3) Having students run commands to start a malware server, use Snort to monitor traffic, and download a file from the server to trigger an alert, observing the alert in the Snort log.
Scada deep inside: protocols and security mechanisms, by Aleksandr Timorin
The document discusses SCADA protocols and security mechanisms. It begins with an introduction to the speaker and overview of the agenda, which includes discussions of common industrial protocols like Modbus, DNP3, PROFINET DCP, IEC 61850, IEC 61870, and protocols from Siemens and Honeywell. It notes that many protocols have no authentication or encryption. The document then demonstrates attacks against protocols like analyzing and spoofing PROFINET DCP packets and causing issues on a Siemens PLC.
RIPE71: FastNetMon open source DoS / DDoS mitigation, by Pavel Odintsov
This document describes FastNetMon, an open source DDoS mitigation toolkit. It provides concise summaries of network traffic and detects DDoS attacks in real-time. It can block malicious traffic through methods like BGP announcements. FastNetMon supports many Linux distributions and can integrate with hardware/cloud solutions. It detects attacks faster than traditional hardware/service approaches through optimized packet capture using tools like Netmap and PF_RING.
The document discusses various vulnerabilities in the Metasploitable virtual machine that can be exploited to gain unauthorized access. It describes how backdoors in FTP, IRC, and other services can be used to obtain root shells. It also explains how unintended access points like DistCC and Samba shares are misconfigured, allowing command execution and access to the file system.
Layer 8 and Why People are the Most Important Security ToolDamon Small
People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.
Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.
A scenario on basic incident response and showing how Microsoft uses a service that automatically creates a Man in the Middle incident. It also covers an overview on some inherent tools and how to use them for security operations
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
This document discusses the network analysis and intrusion detection software Snort. It provides information on Snort's architecture including its packet sniffer, preprocessor, detection engine, and alert logging capabilities. It also covers using Snort in various modes like sniffer, packet logger, and network intrusion detection system and provides an example Snort rule.
This document summarizes a presentation on attacking HomePlugAV powerline communication devices. It provides background on PLC technology, describing how PLCs transmit data over electrical wiring and discussing previous research. It then outlines several attacks against PLC networks, including eavesdropping on unencrypted communication between a computer and PLC, spoofing devices to intercept network information requests, and manipulating configuration files to backdoor devices.
This document discusses practical attacks against HomePlugAV powerline communication devices. It begins with an introduction to PLC technology and the OSI layers used. Previous work analyzing PLC security is summarized, including publications and tools. The document then analyzes the PLC network, describing how the ethernet interface can be used to retrieve device and network information. Basic attacks are discussed, such as intercepting the network passphrase or bruteforcing the network membership key. The document proposes studying default administrator passwords by analyzing devices sold on online marketplaces, to enable a "smart" bruteforce attack against the direct access key.
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
This document discusses techniques for gathering intelligence about a target network or system prior to launching an attack. It covers the main steps of footprinting, scanning, and enumeration. Footprinting involves passive information gathering through tools like DNS queries, network queries, and WHOIS lookups. Scanning actively probes targets to identify live systems and map open ports, services, and operating systems using ping sweeps, port scans, and fingerprinting. Enumeration extracts further details about resources, users, groups, and shares once access is gained. The document provides an overview of various tools used at each stage and strategies for footprinting networks, scanning ports, and enumerating user information.
This document discusses techniques for gathering intelligence about a target network or system prior to launching an attack. It covers the main steps of footprinting, scanning, and enumeration. Footprinting involves passive information gathering through tools like DNS queries, network queries, and WHOIS lookups. Scanning actively probes targets to identify live systems and map open ports, services, and operating systems using ping sweeps, port scans, and fingerprinting. Enumeration extracts further details about resources, users, groups, and shares once access is gained. The document provides an overview of various tools used at each stage and strategies for footprinting networks, scanning ports, and enumerating user information.
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
Malicious hardware is a mature topic but previous research has focused almost exclusively on theoretical applications. In this article, practical implementations of gate-level backdoors will be presented using the Verilog hardware description language, then simulated and finally synthesized using freely available deep sub-micron (45-180 nm) standard cells, resulting in a backdoored latest-generation ARM CPU, suitable for fabrication and massive deployment.
Semelhante a Hardening Three - IDS/IPS Technologies (20)
Una serie di slides per vedere come usare msfvenom per la creazione di un payload da eseguire su una macchina Windows 7 ed effettuare un Exploitation in uno "scenario ideale" di Phishing/Social Engineering.
Subito dopo l'exploitation tratteremo del Maintaining Access installando la backdoor e vedremo qualche funzionalità che offre la shell Meterpreter
In queste slides ho parlato:
- Fondamenti su Exploit e Payload
- Cenni sulla struttura di Metasploit Framework
- Analisi Codice exploit UnrealIRCd3281
- Cenni Bind & Reverse Shell e Applicazione caso di studio
Nota Importante al fine di evitare malintesi:
Nelle slides è presente una slide nella quale faccio un analogia con una bomba, nello specifico la bomba atomica. Questa immagine, è stata usata al singolo scopo di esplicitare come è fatto un exploit e far capire qual è la differenza tra un exploit e un payload. Il tutto avviene usando la figura retorica dell'Analogia. Quindi, non ha nulla a che vedere con le vittime della seconda guerra mondiale o riferimenti storici di quel periodo.
In questo seminario ho simulato un Penetration Test completo partendo dalla fase di raccolta delle informazioni fino ad arrivare alla fase in cui l'attaccante penetra nel sistema e installa una backdoor per rafforzare la propria presenza nel sistema violato.
Durante ogni singola fase mi sono fermato a parlare di essa portando esempi sia teorici che demo pratiche.
Questo seminario nasce con lo scopo di appassionare i ragazzi e soprattutto far conoscere ad essi il mondo della sicurezza informatica rivolta ai test di penetrazione. Questo seminario nasce dall'invito che ho ricevuto da parte dell'istituto G.B. Vaccarini, essendo io stesso, un loro ex studente.
SSL/TLS Heartbleed.
In questo talk parlo molto velocemente del bug SSL/TLS Heartbleed, bug che ha afflitto dal 2012 al 2014 la cryptolibreria di OpenSSL. Sfruttando il suddetto bug era possibile violare completamente una comunicazione protetta da SSL/TLS. Il talk si conclude spiegando all'utente che il bug è stato risolto grazie al fatto che il progetto di OpenSSL è OpenSource e questo ha facilitato di molto la scoperta e la rilevazione del codice buggato.
Backdoor Coding: Analisi di una semplice backdoor e prime applicazioniSalvatore Lentini
In questo talk viene analizzata una semplice backdoor realizzata in Python. Il talk procede con l'explotation di una macchina Windows 7 tramite un attacco di Pishing e subito dopo con l'installazione di una backdoor persistence facendo vedere alcune delle funzionalità offerte. Il talk si conclude invitando l'utente a nascondere la propria webcam sensibilizzandolo sull'argomento. Il motivo per cui ho scelto di parlare di questo argomento, ha a che fare con le differenze che sorgono tra software open e software close, dato che nel primo è possibile tramite la lettura e comprensione del codice capire se il sistema ha routine di codice che si comportano come backdoor mentre nel secondo non sappiamo se ne esistono (data l'impossibilità di leggere il codice sorgente) e quindi dal momento che la sicurezza non si è mai basata sulla fiducia del produttore, è importante prevenire (mettendo delle etichette di plastica sulle nostre webcam).
The debris of the ‘last major merger’ is dynamically youngSérgio Sacani
The Milky Way’s (MW) inner stellar halo contains an [Fe/H]-rich component with highly eccentric orbits, often referred to as the
‘last major merger.’ Hypotheses for the origin of this component include Gaia-Sausage/Enceladus (GSE), where the progenitor
collided with the MW proto-disc 8–11 Gyr ago, and the Virgo Radial Merger (VRM), where the progenitor collided with the
MW disc within the last 3 Gyr. These two scenarios make different predictions about observable structure in local phase space,
because the morphology of debris depends on how long it has had to phase mix. The recently identified phase-space folds in Gaia
DR3 have positive caustic velocities, making them fundamentally different than the phase-mixed chevrons found in simulations
at late times. Roughly 20 per cent of the stars in the prograde local stellar halo are associated with the observed caustics. Based
on a simple phase-mixing model, the observed number of caustics are consistent with a merger that occurred 1–2 Gyr ago.
We also compare the observed phase-space distribution to FIRE-2 Latte simulations of GSE-like mergers, using a quantitative
measurement of phase mixing (2D causticality). The observed local phase-space distribution best matches the simulated data
1–2 Gyr after collision, and certainly not later than 3 Gyr. This is further evidence that the progenitor of the ‘last major merger’
did not collide with the MW proto-disc at early times, as is thought for the GSE, but instead collided with the MW disc within
the last few Gyr, consistent with the body of work surrounding the VRM.
(June 12, 2024) Webinar: Development of PET theranostics targeting the molecu...Scintica Instrumentation
Targeting Hsp90 and its pathogen Orthologs with Tethered Inhibitors as a Diagnostic and Therapeutic Strategy for cancer and infectious diseases with Dr. Timothy Haystead.
PPT on Direct Seeded Rice presented at the three-day 'Training and Validation Workshop on Modules of Climate Smart Agriculture (CSA) Technologies in South Asia' workshop on April 22, 2024.
hematic appreciation test is a psychological assessment tool used to measure an individual's appreciation and understanding of specific themes or topics. This test helps to evaluate an individual's ability to connect different ideas and concepts within a given theme, as well as their overall comprehension and interpretation skills. The results of the test can provide valuable insights into an individual's cognitive abilities, creativity, and critical thinking skills
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdfSelcen Ozturkcan
Ozturkcan, S., Berndt, A., & Angelakis, A. (2024). Mending clothing to support sustainable fashion. Presented at the 31st Annual Conference by the Consortium for International Marketing Research (CIMaR), 10-13 Jun 2024, University of Gävle, Sweden.
ESR spectroscopy in liquid food and beverages.pptxPRIYANKA PATEL
With increasing population, people need to rely on packaged food stuffs. Packaging of food materials requires the preservation of food. There are various methods for the treatment of food to preserve them and irradiation treatment of food is one of them. It is the most common and the most harmless method for the food preservation as it does not alter the necessary micronutrients of food materials. Although irradiated food doesn’t cause any harm to the human health but still the quality assessment of food is required to provide consumers with necessary information about the food. ESR spectroscopy is the most sophisticated way to investigate the quality of the food and the free radicals induced during the processing of the food. ESR spin trapping technique is useful for the detection of highly unstable radicals in the food. The antioxidant capability of liquid food and beverages in mainly performed by spin trapping technique.
Immersive Learning That Works: Research Grounding and Paths ForwardLeonel Morgado
We will metaverse into the essence of immersive learning, into its three dimensions and conceptual models. This approach encompasses elements from teaching methodologies to social involvement, through organizational concerns and technologies. Challenging the perception of learning as knowledge transfer, we introduce a 'Uses, Practices & Strategies' model operationalized by the 'Immersive Learning Brain' and ‘Immersion Cube’ frameworks. This approach offers a comprehensive guide through the intricacies of immersive educational experiences and spotlighting research frontiers, along the immersion dimensions of system, narrative, and agency. Our discourse extends to stakeholders beyond the academic sphere, addressing the interests of technologists, instructional designers, and policymakers. We span various contexts, from formal education to organizational transformation to the new horizon of an AI-pervasive society. This keynote aims to unite the iLRN community in a collaborative journey towards a future where immersive learning research and practice coalesce, paving the way for innovative educational research and practice landscapes.
The cost of acquiring information by natural selectionCarl Bergstrom
This is a short talk that I gave at the Banff International Research Station workshop on Modeling and Theory in Population Biology. The idea is to try to understand how the burden of natural selection relates to the amount of information that selection puts into the genome.
It's based on the first part of this research paper:
The cost of information acquisition by natural selection
Ryan Seamus McGee, Olivia Kosterlitz, Artem Kaznatcheev, Benjamin Kerr, Carl T. Bergstrom
bioRxiv 2022.07.02.498577; doi: https://doi.org/10.1101/2022.07.02.498577
The technology uses reclaimed CO₂ as the dyeing medium in a closed loop process. When pressurized, CO₂ becomes supercritical (SC-CO₂). In this state CO₂ has a very high solvent power, allowing the dye to dissolve easily.
Slide 2: Summary
● Problems
  ● ARP spoofing
  ● Video with Netcat backdoor
  ● Ping from outside the network
  ● Login attempts and HTTP brute force
● Tools:
  ● Snort IDS/IPS
  ● Suricata IDS/IPS
  ● PulledPork
  ● Barnyard2
  ● BASE
● Some theoretical concepts
Hardening Three - University of Catania
Slide 3: First Scenario - Ping out of network
We are the network administrators and we don't want anyone from outside the network to ping the hosts inside our network (HOME_NET). So we want to know who executes the ping.
Slide 5: Ping out of Network - Prevention
Slide 6: Ping out of Network - Prevention
sudo snort -c /etc/snort/snort.conf -i ens38:ens39 -Q -A console -q
Slide 7: Possible problem
Did you get this error? Don't worry: this is an IPS, so it wants more memory. Add more memory to your virtual machine.
Slide 8: Video with Netcat Backdoor
● It seems to be a video, but...
DEMO
Slide 9: "It's dangerous, so dangerous"
● The file is a self-extracting WinRAR (SFX) archive containing:
  ● the video
  ● Netcat
  ● Caller.vbs: when executed it runs Netcat on a specific port, opening a shell that calls back to the attacker, then opens the video
Slide 10: Creation of the archive
● "Compression method": select "Store"
● "Archiving options": check "Create SFX archive"
● On tab "Advanced" → "SFX options"
● On tab "General" → "Path to extract": "C:\virus" and tick "Absolute path"
● On tab "Setup" → "Setup program/Run after extraction": "caller.vbs"
● On tab "Modes" → "Silent mode": tick "Hide all"
● On tab "Update" → "Overwrite mode": tick "Skip existing files"
● On tab "Text and icon" → "Load SFX icon from the file": select a .ico file containing the video icon
Slide 12: Attacker side
● Run Netcat in listen mode on the specific port
● Wait until the victim plays the fake video
Slide 13: Detection and block rules
● Rules to detect prompt commands on Windows:
drop tcp any any -> any any (msg:"Dir Command - Possible Remote Shell"; content:"dir"; sid:10000001;)
drop tcp any any -> any any (msg:"Dir Command - Possible Remote Shell"; content:"DIR"; sid:10000002;)
drop tcp any any -> any any (msg:"Dir Command - Possible Remote Shell"; content:"<DIR>"; sid:10000003;)
alert tcp any any -> any any (msg:"Cd Command - Possible Remote Shell"; content:"cd "; sid:10000004;)
alert tcp any any -> any any (msg:"Cd Command - Possible Remote Shell"; content:"Cd "; sid:10000005;)
alert tcp any any -> any any (msg:"Cd Command - Possible Remote Shell"; content:"cD "; sid:10000006;)
alert tcp any any -> any any (msg:"Cd Command - Possible Remote Shell"; content:"CD "; sid:10000007;)
alert tcp any any -> any any (msg:"MKDIR Command - Possible Remote Shell"; content:"mkdir "; sid:10000008;)
alert tcp any any -> any any (msg:"Del Command - Possible Remote Shell"; content:"del "; sid:10000009;)
alert tcp any any -> any any (msg:"Erase Command - Possible Remote Shell"; content:"erase "; sid:10000010;)
alert tcp any any -> any any (msg:"Format Command - Possible Remote Shell"; content:"format "; sid:10000011;)
● Rule to block on Ubuntu in IPS mode:
drop tcp any any -> any any (msg:"Startup Shell - Possible Remote Shell"; content:"Microsoft Windows ["; sid:10000000;)
Slide 14: Second Scenario - Login attempts
Now we want to know who attempted to log in on our web server.
Slide 20: HTTP Bruteforce - Snort as IPS with NFQ (Netfilter queue)
sudo snort -Q --daq nfq --daq-mode inline --daq-var queue=0 -c /etc/snort/snort.conf -A console -q
This is an inline mode on Linux using Netfilter.
[Screenshot: numbered order of execution (1, 2) and the triggered rule]
Slide 23: Ping
● Goal: A pings B
● ARP, Request who-has 192.168.18.3 tell 192.168.18.1
● ARP, Reply 192.168.18.3 is-at 00:0C:29:6C:54:28
Slide 24: ARP Cache
● ARP cache: a table with the IP → MAC associations
● The associations are deleted periodically
● The device accepts any ARP reply at ANY time!
● No authenticity check of the association
  IP            MAC
  192.168.18.3  00:0C:29:6C:54:28
Slide 25: MITM with ARP Poisoning
● The attacker can sniff the victim's packets
● The attacker sends an ARP Reply on the LAN for each device
● "ARP, Reply X.X.X.X is-at Y:Y:Y:Y", where Y:Y:Y:Y is the attacker's MAC address
● Let C be the attacker and B the victim
● ARP, Reply 192.168.18.3 is-at 00:0C:29:B0:C9:71
● ARP, Reply 192.168.18.1 is-at 00:0C:29:B0:C9:71
Slide 26: ARP Cache after the poisoning
● A's table
  IP            MAC
  192.168.18.3  00:0C:29:B0:C9:71
● B's table
  IP            MAC
  192.168.18.1  00:0C:29:B0:C9:71
Slide 27: ARP Cache after the poisoning - Continued
● The attacker needs to repeat the ARP spoofing very often
● Every packet of the victim will be seen by the attacker
[Diagram: A - C - B, the attacker C sits between A and B]
Slide 28: Ettercap
● "Ettercap is a comprehensive suite for man in the middle attacks."
● Man in the middle can be accomplished using the -M arp mode
● The attacker must activate promiscuous mode
● ettercap -T -i IF -M arp /IP_VICTIM//
Slide 29: Run Ettercap
1) Scan the devices on the LAN
2) ARP poisoning
Slide 30: Sniffing web navigation
● The attacker can sniff the victim's web navigation
[Network diagram: hosts A, B and C on a switch, a gateway (interfaces ens33 and ens39) connecting the LAN to the Internet]
Slide 31: Password sniffing
● The victim opens an HTTP web page
● The attacker captures the username and password
Slide 32: IDS and ARP spoofing
● Suricata can't do anything to detect ARP spoofing
● Snort can detect it using the ARP Spoof preprocessor
Slide 33: Snort detection of ARP spoofing
● Modify /etc/snort/snort.conf
● Uncomment "preprocessor arpspoof"
● For each device on the LAN, add "preprocessor arpspoof_detect_host: IP MAC"
● Uncomment "include $PREPROC_RULE_PATH/preprocessor.rules"
● Download the preprocessor rules from the Snort website and save them in the file "/etc/snort/preproc_rules/preprocessor.rules"
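The checks behind this slide and slides 24 to 27, as a stand-alone Python example added here (not code from the slides or from Snort's arpspoof preprocessor): a static IP→MAC table in the role of the arpspoof_detect_host lines, detection of unicast ARP requests, and, going beyond the preprocessor, a dynamic view that flags a binding that flips or one MAC answering for several IPs even for hosts not in the static table. The MAC of 192.168.18.1 and the capture are constructed; the MACs of 192.168.18.3 and of the attacker are the ones shown on slides 23 and 25.

```python
"""ARP-spoofing checks in the spirit of Snort's arpspoof preprocessor (added example)."""
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = 'ff:ff:ff:ff:ff:ff'


@dataclass(frozen=True)
class Arp:
    """One ARP packet as seen on the wire, with the Ethernet destination of its frame."""
    op: str           # 'request' or 'reply'
    sender_ip: str
    sender_mac: str
    target_ip: str
    eth_dst: str      # Ethernet destination MAC of the frame


# Static IP -> MAC table, the equivalent of the deck's
# "preprocessor arpspoof_detect_host: IP MAC" lines. The MAC of 192.168.18.3 is the one
# shown on slide 23; the MAC of 192.168.18.1 is a constructed placeholder.
KNOWN_HOSTS = {
    '192.168.18.3': '00:0c:29:6c:54:28',
    '192.168.18.1': '00:0c:29:aa:aa:01',   # constructed
}


class ArpSpoofDetector:
    def __init__(self, known_hosts: Dict[str, str]):
        self.known = {ip: mac.lower() for ip, mac in known_hosts.items()}
        self.cache: Dict[str, str] = {}   # IP -> MAC learned from the traffic itself

    def check(self, pkt: Arp) -> List[str]:
        alerts = []
        mac = pkt.sender_mac.lower()
        # 1) Unicast ARP request: a legitimate who-has is broadcast; a request addressed to
        #    a single station is a classic poisoning probe (Snort: "unicast ARP request").
        if pkt.op == 'request' and pkt.eth_dst.lower() != BROADCAST:
            alerts.append(f'unicast ARP request for {pkt.target_ip} from {mac}')
        # 2) Sender binding contradicts the static table (Snort: "ARP cache overwrite attack").
        expected = self.known.get(pkt.sender_ip)
        if expected is not None and mac != expected:
            alerts.append(f'ARP cache overwrite attempt: {pkt.sender_ip} claimed by {mac}, '
                          f'expected {expected}')
        # 3) Dynamic view, also for hosts not in the static table: a binding that flips,
        #    or one MAC that answers for several IPs (the attacker claiming .1 and .3).
        prev = self.cache.get(pkt.sender_ip)
        if prev is not None and prev != mac:
            alerts.append(f'IP->MAC binding changed for {pkt.sender_ip}: {prev} -> {mac}')
        self.cache[pkt.sender_ip] = mac
        owners = sorted(ip for ip, m in self.cache.items() if m == mac)
        if len(owners) > 1:
            alerts.append(f'MAC {mac} claims several IPs: {owners}')
        return alerts


def scan(traffic: List[Arp], known_hosts: Dict[str, str]) -> List[List[str]]:
    """Run the detector over a capture; returns the alerts raised for each packet."""
    det = ArpSpoofDetector(known_hosts)
    return [det.check(p) for p in traffic]


# Constructed capture: the legitimate exchange of slide 23 (A = .1 asks for B = .3),
# then the two poisoning replies of slide 25 sent by the attacker C (00:0C:29:B0:C9:71).
SAMPLE_TRAFFIC = [
    Arp('request', '192.168.18.1', '00:0c:29:aa:aa:01', '192.168.18.3', BROADCAST),
    Arp('reply',   '192.168.18.3', '00:0c:29:6c:54:28', '192.168.18.1', '00:0c:29:aa:aa:01'),
    Arp('reply',   '192.168.18.3', '00:0c:29:b0:c9:71', '192.168.18.1', '00:0c:29:aa:aa:01'),
    Arp('reply',   '192.168.18.1', '00:0c:29:b0:c9:71', '192.168.18.3', '00:0c:29:6c:54:28'),
]

if __name__ == '__main__':
    for pkt, alerts in zip(SAMPLE_TRAFFIC, scan(SAMPLE_TRAFFIC, KNOWN_HOSTS)):
        print(f'{pkt.op:7s} {pkt.sender_ip} is-at {pkt.sender_mac}: {alerts or "ok"}')
```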
Slide 34: Configuration of the Gateway
1) Promiscuous mode: every packet will be read by the network interface (whatever the destination of the packet)
2) Masquerade: every packet transmitted outside through the specified network interface will have its source IP set to the gateway IP
Slide 36: Virtual Network
● VMware Workstation
● No DHCP
[Network diagram: INTERNET (NAT) - 192.168.232.0/24 with 192.168.232.1 (router) and 192.168.232.2 (host) - 192.168.248.0/24 with 192.168.248.1 (router) and 192.168.248.2 (host)]
Slide 37: Create Networks
Open Virtual Network Editor and add 2 networks:
● vmnet11: Host-Only, 192.168.232.0, netmask 255.255.255.0
● vmnet12: Host-Only, 192.168.248.0, netmask 255.255.255.0
NO DHCP!
Slide 38: Router
Router (Ubuntu): add 2 network adapters (in total: NAT, Custom: vmnet11, Custom: vmnet12)
sudo nano /etc/network/interfaces
  auto ens38
  iface ens38 inet static
    address 192.168.232.1
    netmask 255.255.255.0
  auto ens39
  iface ens39 inet static
    address 192.168.248.1
    netmask 255.255.255.0
sudo nano /etc/sysctl.conf (remove the leading #)
  net.ipv4.ip_forward=1
sudo /etc/init.d/networking restart
sudo reboot
Slide 39: Hosts
Victim (Ubuntu): add 1 network adapter (in total: NAT, Custom: vmnet11)
sudo nano /etc/network/interfaces
  auto eth0
  iface eth0 inet static
    address 192.168.232.2
    netmask 255.255.255.0
    gateway 192.168.232.1
sudo /etc/init.d/networking restart
Attacker (Kali Linux): add 1 network adapter (in total: NAT, Custom: vmnet12)
sudo nano /etc/network/interfaces
  auto ens38
  iface ens38 inet static
    address 192.168.248.2
    netmask 255.255.255.0
    gateway 192.168.248.1
sudo /etc/init.d/networking restart
Slide 40: Apache Web Server
On the victim machine we must install Apache:
sudo apt-get install apache2 apache2-utils
sudo su
cd /var/www/html
echo "This is victim webserver" > index.html
nano /etc/apache2/sites-available/000-default.conf
Slide 42: Apache Web Server
htpasswd -c /etc/apache2/.htpasswd web
(insert the new password for the "web" user)
sudo /etc/init.d/networking restart
sudo /etc/init.d/apache2 restart
# After this configuration, disable the NAT interface
Slide 43: Configuration of Snort IDS on the Router
Automatic installation on Linux
Install Snort:
sudo apt-get install snort
  * enter the network interface of the network we want to defend (ens39)
  * and the network address (192.168.248.0/24)
Test the installation:
sudo snort -V
Configuration:
sudo nano /etc/snort/snort.conf
(with the automatic installation you only have to modify HOME_NET, inserting the network you want to defend)
Test the configuration:
sudo snort -c /etc/snort/snort.conf
(If it starts in sniffing mode, that's a good sign!)
Slide 44: Create the custom rules file
sudo touch /etc/snort/rules/custom.rules
sudo nano /etc/snort/snort.conf
  * include custom.rules in snort.conf (include $RULE_PATH/custom.rules)
Write the rules:
sudo nano /etc/snort/rules/custom.rules
In the rules folder you can put other rules that you can download from the Snort site.
Slide 45: Some commands to run Snort as IDS
Verbose mode:
snort -v
Using the configuration file and showing alerts on the terminal:
snort -c /etc/snort/snort.conf -A console -i ens38
Log mode (-K selects the ascii logging format):
sudo snort -c /etc/snort/snort.conf -A console -i ens38 -l /var/log/snort -K ascii
Slide 46: Configuration of Snort IPS - manual installation
Install the dependencies (as one apt-get call, since anything after a # on the original line would have been treated as a comment):
sudo su
apt-get update
apt-get upgrade
apt-get install libdnet build-essential bison flex libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev libnetfilter-queue-dev libmnl-dev libnfnetlink-dev checkinstall
# libnetfilter-queue-dev is needed for the nfq DAQ
Create a temporary directory:
mkdir -p /tmp/snort-install/
cd /tmp/snort-install/
Download DAQ from the Snort site into this folder.
Download libdnet 1.11 into this folder.
Slide 47: Configuration of Snort IPS - manual installation
Install libdnet:
tar -xvf libdnet-1.11.tar.gz
./configure CFLAGS=-fPIC
make
sudo checkinstall -y
sudo dpkg -i libdnet_1.11-1_amd64.deb
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Install DAQ (download and extract DAQ in /tmp/snort-install/):
./configure
make
sudo checkinstall -y
sudo dpkg -i daq_2.0.6-1_amd64.deb
Slide 48: Snort as IPS with AFPACKET
Enable the AFPACKET DAQ:
sudo nano /etc/snort/snort.conf
This is an inline mode on Linux using two bridged interfaces.
Slide 49: Installing Suricata on Windows
1) Install WinPcap from https://www.winpcap.org/install/
2) Install Suricata from https://suricata-ids.org/download/
3) Place the rules into C:\Program Files\Suricata\rules or C:\Program Files (x86)\Suricata\rules
4) Modify the Suricata configuration file C:\Program Files\Suricata\suricata.yaml or C:\Program Files (x86)\Suricata\suricata.yaml settings:
  ● Home Network
  ● External Network
  ● Rule Files
  ● (On 32-bit Windows) Suricata folder
Slide 50: Run Suricata on Windows
1) "Run as administrator" the command prompt
2) Run the command: suricata.exe -c suricata.yaml -i IPHOST
3) C:\Program Files\Suricata\log\fast.log or C:\Program Files (x86)\Suricata\fast.log contains the logs
Slide 51: Installing Suricata in IPS mode on Ubuntu
1) In the terminal: sudo apt-get install suricata
2) Place the rules into /etc/suricata/rules
3) Modify the Suricata configuration file /etc/suricata/suricata.yaml settings:
  ● Home Network
  ● External Network
  ● Rule Files
4) In the terminal: sudo iptables -I FORWARD -j NFQUEUE
Slide 52: Run Suricata on Linux in IPS mode
1) Run the command: sudo suricata -c suricata.yaml -q 0
2) /var/log/suricata/fast.log contains the logs
Slide 53: Barnyard2
● Parses and processes the Snort log (unified2 format file) and sends it to other outputs:
  ● Storing in a database (PostgreSQL or MySQL/MariaDB)
  ● Talking to the Sguil daemon
  ● Talking to SnortSam
Slide 54: Installing Barnyard2 with MySQL/MariaDB on Ubuntu 17.04
● sudo apt-get install mysql-server libmysqlclient-dev mysql-client autoconf libtool
● Set the MySQL root password
● Be sure to have the libdumbnet-dev libpcap-dev bison flex packages and to install the DAQ
● Be sure to have the sid-msg.map file in /etc/snort
● Be sure the custom rules have the "rev" field
● Modify the Snort configuration file adding: output unified2: filename snort.u2, limit 128
Slide 55: Installing Barnyard2 - Continued
● Install Barnyard2:
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install
● Put the Barnyard2 configuration file in the Snort folder:
sudo cp etc/barnyard2.conf /etc/snort/
● Create the Barnyard2 log folder and waldo file, owned by the Snort user and group:
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
Slide 56: Installing Barnyard2 - Continued
● Create the Barnyard2 database using the schema shipped with Barnyard2 and create the Snort database user. Be sure to change "PASSWORD" to a secure password:
mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'PASSWORD';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
● Modify the Barnyard2 configuration file /etc/snort/barnyard2.conf adding (be sure to change "PASSWORD" to the previous password):
output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost sensor_name=sensor01
● Remove read permission for others on the Barnyard2 file:
sudo chmod o-r /etc/snort/barnyard2.conf
Slide 57: Run Snort and Barnyard2
● Run Snort:
sudo snort -u snort -g snort -c /etc/snort/snort.conf -i INTERFACE
● Run Barnyard2:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
Slide 58: Installing BASE on Ubuntu 17.04
● BASE is a PHP frontend for the Barnyard2 log database
● It allows analysing the logs through a graphical interface
● Install the no longer supported PHP 5.6:
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6-mysql php5.6-cli php5.6 php5.6-common php5.6-gd php-pear php5.6-xml
● Install PEAR Image_Graph:
sudo pear install -f --alldeps Image_Graph
● Install ADODB:
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
tar -xvzf adodb-5.20.8.tar.gz
sudo mv adodb5 /var/adodb
sudo chmod -R 755 /var/adodb
● Download BASE and copy it into the Apache web folder:
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/
Slide 59: Configure BASE
● Copy the default configuration file:
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
● Modify it and set (be sure to change "PASSWORD" to the MySQL snort password):
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb/';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'PASSWORD';
● Remove read permission for others on the BASE configuration file and make the BASE folder, subfolders and files belong to the "www-data" user and group:
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
● Restart Apache:
sudo service apache2 restart
● Open the URL http://localhost/base/index.php in the browser
● Click "Setup page"
● "Create BASE AG"
60. 60
Installing PulledPork
●
PulledPork is a tool that download automatically the Snort/Suricata rules to keep they up to date and unify every
rule files in a single one
●
Install the dependencies: “sudo apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl”
●
Download and install PulledPork:
●
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz
●
tar xzvf pulledpork-master.tar.gz
●
cd pulledpork-master/
●
sudo cp pulledpork.pl /usr/local/bin
●
sudo chmod +x /usr/local/bin/pulledpork.pl
●
sudo cp etc/*.conf /etc/snort
●
Modify the PulledPork configuration file /etc/snort/pulledpork.conf:
●
Comment or insert the Oinkcode in order to download the Oinkcode
●
Uncomment the rules you want download and comment the rules you don’t want
●
Set the version of rules “snort_version”
●
Set where to store the Snort rules (for example “snort.rules”)
●
Set where are stored the custom Snort rules
●
Set where is stored the sid-msg.map
●
Set where is stored the Snort configuration file
●
Set the distro version(in this case, Ubuntu 12.04)
●
Modify the Snort configuration file. Comment every rules and add the rule “snort.rules”
●
Run PulledPork: “sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l “
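The last configuration step, commenting out every per-category include in snort.conf and pointing Snort at the single merged file, is tedious to do by hand and easy to get half-right. The script below is an added example for this page, not code from the slides or from the PulledPork project: it rewrites a snort.conf so that every “include $RULE_PATH/…” line is commented out and exactly one “include $RULE_PATH/snort.rules” remains. It assumes POSIX sh plus awk, that the configuration uses the $RULE_PATH variable (Snort's default), and that “snort.rules” is the output name chosen in pulledpork.conf as on the slide; the name can be overridden with a second argument.

```shell
#!/bin/sh
# Added example (not from the original slides or the PulledPork project):
# rewrite a Snort configuration so that every "include $RULE_PATH/<x>.rules"
# line is commented out and a single "include $RULE_PATH/snort.rules" (the
# merged file PulledPork writes) is kept. Assumes POSIX sh + awk and that
# snort.conf uses the $RULE_PATH variable, as Snort's shipped config does.

# Usage: use_pulledpork_rules <snort.conf> [<merged rules file name>]
# Prints the rewritten configuration on stdout; the caller decides where to
# write it, so the original file is never modified in place by mistake.
# Running it on its own output changes nothing (idempotent).
use_pulledpork_rules() {
    conf="$1"
    merged="${2:-snort.rules}"
    awk -v merged="$merged" '
        # Only active include lines pointing into $RULE_PATH are touched;
        # lines that are already commented out pass through unchanged.
        /^[[:space:]]*include[[:space:]]+\$RULE_PATH\// {
            if ($0 ~ ("\\$RULE_PATH/" merged "$")) {
                seen = 1            # the merged file is already included: keep it
                print
                next
            }
            print "# " $0           # disable the individual category rule file
            next
        }
        { print }
        END {
            # Append the single include if the configuration did not have it yet.
            if (!seen) print "include $RULE_PATH/" merged
        }
    ' "$conf"
}

# Stand-alone use: print the rewritten configuration for the given file.
[ -n "$1" ] && use_pulledpork_rules "$@"
```

Typical use is “sh use_pulledpork_rules.sh /etc/snort/snort.conf > snort.conf.new”, followed by “snort -T -c snort.conf.new” to test the result before replacing the live file. Note that the slide comments out every rule file, including local.rules; PulledPork folds the custom rules in through the “where the custom Snort rules are stored” setting, so they are not lost.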
61. Snort rules
● From https://www.snort.org/downloads/#rule-downloads you can download the Snort rules (rules are organized by category in rule files):
  ● Snort Community (free)
  ● Snort Registered (free, registration required)
  ● Snort Subscription (starting at 29,99 €/year)
● From Emerging Threats: https://rules.emergingthreats.net/open/ (free)
62. Some theoretical concepts on IDS and IPS
The concept of an IDS was developed by James P. Anderson on 15 April 1980 in his technical report.
An IDS or an IPS is a system developed to detect the typical signs of an intrusion. An IDS is similar to a burglar alarm: it sees the malicious traffic but does not block it. An IPS is an IDS that additionally behaves like a firewall.
Both inspect packets up to the Application layer.
● NIDS/NIPS
● HIDS/HIPS
● Anomaly detection (“behavior based”)
● Misuse detection (“signature based”)