Vulnerability
• A computer vulnerability is a cyber security term that refers to a defect in a
system that can leave it open to attack.
• It also refers to any weakness present in a computer itself, in a set of procedures, or
in anything else that allows information security to be exposed to a threat.
Common Computer Security Vulnerabilities
• Bugs
• Weak passwords
• Software that is already infected with a virus
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authorization
• Cross-site scripting and cross-site request forgery
• Download of code without integrity checks
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Missing authentication for a critical function
• Unrestricted upload of dangerous file types
• Dependence on untrusted inputs in a security decision
System security properties that can be harmed by a computer security vulnerability
• Reliability
• Confidentiality
• Entirety (integrity)
• Usability (availability)
• Undeniableness (non-repudiation)
• Reliability: reducing incorrect operation and false alarms in a computer system and improving
its efficiency.
• Confidentiality: protecting users' information from disclosure to, or acquisition by, an
unauthorized third party.
• Entirety (integrity): information or programs must not be forged, tampered with, deleted or
inserted deliberately while being stored, processed or communicated. In other words,
information or programs cannot be lost or destroyed.
• Usability (availability): users can make use of the services offered by computers and
information networks when they need them.
• Undeniableness (non-repudiation): information actors can be held responsible for their
behaviour; they cannot later deny an action they performed.
Security Definitions
Vulnerability: a deficiency, error, or misconfiguration within a system which can be exploited,
allowing the system to be used in an unintended manner.
Vulnerability Scanner: automatically tests a system for KNOWN vulnerabilities to confirm their
presence.
Exploit: a software program developed to attack an asset by taking advantage of a vulnerability.
WHAT IS A VULNERABILITY SCANNER?
• A vulnerability scanner can assess a variety of vulnerabilities across information systems
(including computers, network systems, operating systems, and software applications) that
may have originated from a vendor, from system administration activities, or from general
day-to-day user activities.
• The user interface allows the administrator to operate the scanner. It may be either a
graphical user interface (GUI) or just a command-line interface.
TYPES OF VULNERABILITY SCANNER
• Vulnerability scanners that work over the network can be divided broadly into three groups:
1. Port scanners, which determine the list of open network ports on remote systems.
2. Web server scanners, which assess possible vulnerabilities (e.g. potentially dangerous
files or CGIs) on remote web servers.
3. Web application scanners, which assess the security of web applications (for example
against cross-site scripting and SQL injection) running on web servers.
HOST-BASED SCANNERS
• A host-based scanner is installed on the host to be scanned, and has direct access to
low-level data, such as specific services and configuration details of the host's
operating system.
• It can therefore provide insight into risky user activities such as using easily
guessed passwords or even no password.
• It can also detect signs that an attacker has already compromised a system,
including looking for suspicious file names, unexpected new system files or
device files, and unexpected privileged programs.
TYPES OF VULNERABILITY SCANNER
1. Network-based scanners
   a) Port scanners (Nmap: http://insecure.org/nmap)
   b) Network vulnerability scanners (Nessus: http://www.nessus.org/nessus/)
   c) Web server scanners (Nikto: http://www.cirt.net/code/nikto.html)
   d) Web application vulnerability scanners (Paros: http://parosproxy.org/index.html;
      Acunetix: http://www.acunetix.com/Acunetix)
2. Host-based scanners
   - Microsoft Baseline Security Analyzer (MBSA)
     (http://www.microsoft.com/technet/security/tools/mbsahome)
   - Altiris SecurityExpressions (commercial)
     (http://www.altiris.com/Products/SecurityExpressions.aspx)
3. Database scanners
   - Scuba by Imperva Database Vulnerability Scanner
     (http://www.imperva.com/application_defense_center/scuba/default.asp)
   - Shadow Database Scanner (http://www.safety-lab.com/en/products/6.html)
→ CHOOSING A VULNERABILITY SCANNER
    $ nc -v localhost 22
    Connection to localhost 22 port [tcp/ssh] succeeded!
    SSH-2.0-OpenSSH_5.9
Netcat (nc) is a networking utility for reading from and writing to network connections;
22 is the TCP port of the SSH service. The third line is the banner the SSH server sends as
soon as the connection opens, revealing its software and version (OpenSSH 5.9).
Banner Grabbing
• Port-scanning tools can be complex; you must learn their strengths and weaknesses and
understand how and when to use them.
• Unlike the SSH example above, a web service will not respond until it receives data from
the client, so the probe has to send a request first.
• The following command makes a valid HTTP request using the HEAD method:
The request message goes from the client to the server. The HEAD method asks only for
information about a document (its headers), not for the document body.
"HTTP/1.1 200 OK" means the server is responding with HTTP protocol version 1.1 and status
code 200, which indicates that everything is okay.
An entity tag (ETag) is an HTTP header used for web cache validation and for conditional
requests from browsers for resources.
The web site indicates Apache/2.2.11 in its Server header. From this you could infer that
the site is prone to certain denial of service (DoS) attacks, based on known vulnerabilities
recorded for that version in the CVE (Common Vulnerabilities and Exposures) database.
Traffic probes try to use valid requests.
For one thing, valid protocol messages are less likely to crash or interrupt a service: if a
web server did not handle the HEAD method without crashing, it is a buggy service that needs
to be fixed regardless of security problems.
The other reason is that the failure mode of a service might not reveal as much information.
For example, here is another probe of an HTTP service using an incorrect request format.
Notice that the informative headers are missing.
This illustrates the benefit of using a tool with a history of development and research
that has enumerated the best ways to get information about services.
Traffic probes are not perfect: most services can be configured to remove version-related
information or even to spoof it.
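The HEAD probe described above, carried through end to end as an added example (this is not code from the original slides). Because the probe must run offline, the target is a toy HTTP server started on a loopback port; its Server and ETag values are constructed for the demo. The same client shows all three behaviours the text discusses: a valid HEAD request yielding a version banner, a malformed request that gets a bare 400 with no informative headers, and a server configured to strip version information.

```python
"""HTTP banner grabbing with a HEAD probe.

Added example, not part of the original slides. The target is a toy HTTP
server started on a loopback port so the probe runs offline; its Server
and ETag values are constructed for the demo.
"""
import socket
import threading

VERBOSE_BANNER = "Apache/2.2.11 (Unix)"   # constructed: a chatty default install
STRIPPED_BANNER = "Apache"                # constructed: version info removed by config


def _serve_one(listener, banner):
    """Answer one client on the toy server, then close the listener.

    A well-formed HEAD request gets a 200 with informative headers. Anything
    else gets a bare 400, the failure mode the slides describe: a malformed
    probe yields far less information than a valid one.
    """
    conn, _ = listener.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:          # read the whole request head
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        request_line = data.decode("latin-1").split("\r\n", 1)[0]
        parts = request_line.split(" ")
        if len(parts) == 3 and parts[0] == "HEAD" and parts[2].startswith("HTTP/1."):
            conn.sendall(
                ("HTTP/1.1 200 OK\r\n"
                 f"Server: {banner}\r\n"
                 'ETag: "1f-4a3c2b-7e"\r\n'        # constructed value
                 "Content-Type: text/html\r\n"
                 "Connection: close\r\n\r\n").encode())
        else:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    listener.close()


def start_toy_server(banner):
    """Bind an ephemeral loopback port, serve one request in a thread, return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, banner), daemon=True).start()
    return listener.getsockname()[1]


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def probe(port, request_line="HEAD / HTTP/1.1"):
    """Send one request line plus a Host header; return (status line, headers)."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(f"{request_line}\r\nHost: localhost\r\n\r\n".encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    return parse_response(raw)


def grab_banner(port, request_line="HEAD / HTTP/1.1"):
    """Return the Server header learned from the probe, or None if there was none."""
    return probe(port, request_line)[1].get("server")


if __name__ == "__main__":
    for banner in (VERBOSE_BANNER, STRIPPED_BANNER):
        print("HEAD probe  ->", grab_banner(start_toy_server(banner)))
    # Malformed request line: the 400 carries no Server or ETag header at all.
    print("bad request ->", probe(start_toy_server(VERBOSE_BANNER), "HELLO"))
```

Against a real host you would point `probe` at its address instead of the toy server; the parsing and the reasoning are the same, including the caveat that a stripped or spoofed Server header tells you nothing reliable about the version.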
Vulnerability Probe
Trade-offs
• Network bandwidth
• Processing overhead (processing time)
• Accuracy
• Cost
Problems
Capturing Packets
• High-speed networks (Mbps, Gbps, Tbps)
• High-volume traffic
• Streaming media (Windows Media, Real Media, QuickTime, YouTube): performance-related issues
• P2P (peer-to-peer) traffic, e.g. game traffic: complete analysis reduces performance
• Network security attacks
Problems
Flow Generation & Storage
• What packet information to save, to perform various analysis?
• How to minimize storage requirements?
Analysis
• How to analyze and generate data needed quickly?
• What kinds of info needs to be generated? Depends on applications
Research & Development Goals
⇢ Develop Methods to
• Capture all packets
• Generate flows
• Store flows efficiently
• Analyze data efficiently
• Generate various reports or information that are suitable for various application areas
⇢ Develop a Flexible, Scalable Traffic Monitoring and Analysis System for
• High-speed
• High-volume
• Rich-media IP networks (e.g. live video streaming)
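The "generate flows" and "store flows efficiently" goals above, as an added example that is not from the original slides. It aggregates a constructed packet trace (RFC 5737 documentation addresses) into unidirectional 5-tuple flow records the way NetFlow-style exporters do, using an idle timeout (an assumed value) to split a conversation that goes quiet, and then reports what a flow analysis typically produces: top talkers and the packet-to-flow record reduction.

```python
"""Flow generation from captured packets.

Added example, not from the original slides. The trace is constructed and
the idle timeout is an assumption chosen for the demo.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15.0  # assumed: seconds of silence after which a flow is closed


@dataclass
class Flow:
    key: tuple      # (src, dst, proto, sport, dport)
    first: float    # timestamp of first packet
    last: float     # timestamp of last packet
    packets: int = 0
    bytes: int = 0


# Constructed trace: (timestamp_s, src, dst, proto, sport, dport, length_bytes), sorted by time.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "198.51.100.20", "tcp", 51000, 443, 74),
    (0.01, "198.51.100.20", "10.0.0.5", "tcp", 443, 51000, 74),
    (0.02, "10.0.0.5", "198.51.100.20", "tcp", 51000, 443, 66),
    (0.10, "10.0.0.5", "198.51.100.20", "tcp", 51000, 443, 517),
    (0.30, "198.51.100.20", "10.0.0.5", "tcp", 443, 51000, 1460),
    (0.31, "198.51.100.20", "10.0.0.5", "tcp", 443, 51000, 1460),
    (1.00, "10.0.0.7", "192.0.2.53", "udp", 5353, 53, 80),
    (1.02, "192.0.2.53", "10.0.0.7", "udp", 53, 5353, 120),
    (40.00, "10.0.0.5", "198.51.100.20", "tcp", 51000, 443, 66),  # after the idle timeout
]


def build_flows(packets, idle_timeout=IDLE_TIMEOUT_S):
    """Aggregate packet records into unidirectional 5-tuple flows.

    A packet arriving more than idle_timeout seconds after its flow's last
    packet closes that flow and starts a new record. Returns all flows
    ordered by first-packet time.
    """
    active = {}
    finished = []
    for ts, src, dst, proto, sport, dport, length in packets:
        key = (src, dst, proto, sport, dport)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = Flow(key, ts, ts)
            active[key] = flow
        flow.packets += 1
        flow.bytes += length
        flow.last = ts
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f.first)


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first (a typical flow report)."""
    totals = {}
    for f in flows:
        totals[f.key[0]] = totals.get(f.key[0], 0) + f.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def storage_ratio(packets, flows):
    """How many packet records one flow record replaces on average."""
    return len(packets) / len(flows)


if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for f in flows:
        print(f"{f.key}  pkts={f.packets} bytes={f.bytes} {f.first:.2f}-{f.last:.2f}s")
    print("top talkers:", top_talkers(flows))
    print(f"records: {len(SAMPLE_PACKETS)} packets -> {len(flows)} flows")
```

On a real capture the reduction is far larger than on this nine-packet trace, which is exactly why flow export is the storage answer for high-volume links; the price is that per-packet detail (payloads, inter-arrival times) is gone once the flow record is all you keep.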
Network Monitoring Metrics
• Connectivity
• Availability
• Functionality
• Delay: round-trip (RT) delay, delay variance
• Capacity: utilization, bandwidth, throughput
Network Monitoring Metrics
⇢ Availability
• The percentage of a specified time interval during which the system was available for normal use
• Internet packet transport works on a best-effort basis, i.e., a router may drop packets depending on its
current conditions
• Metrics
  • One-way loss
  • Round-trip (RT) loss
Network Monitoring Metrics
⇢ Throughput
• The rate at which data is sent through the network, usually expressed in bytes/sec, packets/sec, or
flows/sec
• Be careful in choosing the interval; a long interval will average out short-term bursts in the data rate
• A good compromise is to use one- to five-minute intervals, and to produce daily, weekly, monthly, and yearly plots
• Link Utilization over a specified interval is simply the throughput for the link expressed as a
percentage of the access rate
• Metrics
• Link Capacity (Mbps, Gbps)
• Throughput (bytes/sec, packets/sec, flows/sec)
• Utilization (%)
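The interval caveat above, worked through as an added example (not from the original slides). It builds a constructed per-second byte counter for a link whose access rate is assumed to be 100 Mbps, carrying a steady 10 Mbps with one 5-second burst to 90 Mbps, then computes throughput and utilization at 1-second, 1-minute and 5-minute intervals. The short interval exposes the burst; the long one averages it away, which is the trade-off the text describes.

```python
"""Throughput and link utilization over measurement intervals.

Added example, not from the original slides. The per-second samples are
constructed and the link capacity is an assumption.
"""
LINK_CAPACITY_BPS = 100_000_000  # assumed access rate of the monitored link


def make_samples(duration_s=600, baseline_bps=10_000_000,
                 burst_start=120, burst_len=5, burst_bps=90_000_000):
    """Constructed per-second byte counts: list of (second, bytes sent in that second)."""
    samples = []
    for t in range(duration_s):
        bps = burst_bps if burst_start <= t < burst_start + burst_len else baseline_bps
        samples.append((t, bps // 8))
    return samples


def throughput(samples, interval_s):
    """Average bytes/sec per interval. Samples must be consecutive seconds from 0."""
    result = []
    for start in range(0, len(samples), interval_s):
        window = samples[start:start + interval_s]
        result.append((start, sum(b for _, b in window) / len(window)))
    return result


def utilization_pct(bytes_per_sec, capacity_bps=LINK_CAPACITY_BPS):
    """Link utilization: throughput expressed as a percentage of the access rate."""
    return 100.0 * bytes_per_sec * 8 / capacity_bps


def peak_utilization(samples, interval_s):
    """Highest utilization seen when the data is averaged over interval_s seconds."""
    return max(utilization_pct(bps) for _, bps in throughput(samples, interval_s))


if __name__ == "__main__":
    samples = make_samples()
    for interval in (1, 60, 300):
        print(f"{interval:>4}s interval: peak utilization "
              f"{peak_utilization(samples, interval):.1f}%")
```

A 5-minute plot of this link would never show the 90% spike; whether that matters depends on what the plot is for, which is why the text recommends keeping the interval short enough for the question being asked and producing plots at several time scales.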
Traffic Monitoring Approaches
• Active Monitoring
• Passive Monitoring
Active Monitoring
• Performed by sending test (probe) traffic into network
• Generate test packets periodically or on-demand
• Measure performance of test packets or responses
• Take the statistics
• Imposes extra traffic on the network and distorts its behaviour in the process
• Test packets can be blocked by a firewall or processed at low priority by routers
• Mainly used to monitor network performance
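An active-monitoring probe in the sense of the bullets above, as an added example that is not from the original slides. A constructed UDP echo target on loopback silently drops every Nth datagram so the probe has something to measure; the probe host sends numbered test packets, times the replies, and reports round-trip delay, delay variance (jitter) and round-trip loss. The probe count, timeout and drop rate are demo assumptions.

```python
"""Active monitoring: a round-trip delay and loss probe.

Added example, not from the original slides. The echo target is constructed
(it drops every Nth datagram on purpose); probe count, timeout and drop
rate are assumptions chosen for the demo.
"""
import socket
import threading
import time


def start_lossy_echo(drop_every=4):
    """Loopback UDP echo service that drops every `drop_every`-th datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        seen = 0
        while True:
            data, addr = sock.recvfrom(2048)
            if data == b"STOP":
                break
            seen += 1
            if seen % drop_every != 0:
                sock.sendto(data, addr)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


def send_probes(port, count=8, timeout_s=0.5):
    """Send `count` probes one at a time; return (rtts_ms, lost_count).

    Each probe carries its sequence number so a late or foreign reply cannot
    be mistaken for the one currently being timed.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_s)
    rtts, lost = [], 0
    for seq in range(count):
        payload = f"probe {seq}".encode()
        sent = time.monotonic()
        sock.sendto(payload, ("127.0.0.1", port))
        try:
            while True:
                data, _ = sock.recvfrom(2048)
                if data == payload:
                    break
            rtts.append((time.monotonic() - sent) * 1000.0)
        except socket.timeout:
            lost += 1
    sock.sendto(b"STOP", ("127.0.0.1", port))   # shut the demo target down
    sock.close()
    return rtts, lost


def summarize(rtts, lost, count):
    """Statistics for one run: RT loss %, mean RTT, jitter (mean |RTT delta|)."""
    mean = sum(rtts) / len(rtts) if rtts else None
    jitter = (sum(abs(a - b) for a, b in zip(rtts, rtts[1:])) / (len(rtts) - 1)
              if len(rtts) > 1 else 0.0)
    return {"loss_pct": 100.0 * lost / count, "mean_rtt_ms": mean, "jitter_ms": jitter}


if __name__ == "__main__":
    port = start_lossy_echo(drop_every=4)
    rtts, lost = send_probes(port, count=8)
    print(summarize(rtts, lost, count=8))
```

Note what the probe cannot tell you: a drop and a firewall silently discarding the test packet look identical from the probe host, and the probe traffic itself is extra load on the path, both limitations the slides list for active monitoring.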
Traffic Monitoring Approaches
(Figure: active monitoring. A probe host sends test packets to a target and measures the response.)
Traffic Monitoring Approaches
Passive Monitoring
• Carried out by observing network traffic
• Collect packets from a link or network flow from a router
• Perform analysis on captured packets for various purposes
• Network device performance can degrade when traffic is mirrored or flows are exported
• Used to perform various traffic usage/characterization analysis or
intrusion detection
Comparison
                   Active Monitoring                         Passive Monitoring
Configuration      Multi-point                               Single or multi-point
Data size          Small                                     Large
Network overhead   Additional traffic                        Device overhead; no overhead if a splitter is used
Purpose            Delay, packet loss, availability          Throughput, traffic pattern, trend & detection
Disadvantages      Cannot reflect network characteristics;   Captured data has massive volume;
                   needs to generate probe messages, which   needs an additional facility to capture the
                   may add extra overhead to the network     mirrored packets from the network
OpenVAS (Open Vulnerability Assessment System, the
name of the fork originally known as GNessUs) is a
framework of several services and tools offering a
vulnerability scanning and vulnerability management
solution.
All OpenVAS products are Free Software; most components are licensed under the GPL.
In technical terms, the basis of OpenVAS is a service-oriented client-server architecture.
The OpenVAS framework consists of various modules, each with a clearly defined task. These
communicate via well-established protocols, and the communication is consistently SSL-secured.
Information
Exploits
Payloads
Encoders
Nops
Auxiliary
#ENCODERS
• Encoders are used to evade antivirus software and firewalls.
• However, they have no effect on the functionality of our exploit.
• Popular encoders are:
1. shikata_ga_nai
2. base64
3. powershell_base64
#NOPs