Data security in business informatics (Adatbiztonság a gazdaságinformatikában), 19 November 2011, Budapest. Dr. Bencsáth Boldizsár, assistant professor (adjunktus), BME Department of Telecommunications (Híradástechnikai Tanszék), bencsath@crysys.hit.bme.hu
Network vulnerability scanners
Target: a system, an IP range, etc.
Goal: find vulnerable software components of the target quickly and efficiently: test against tens of thousands of known vulnerabilities in seconds.
Working method:
- Scans the target for services and identifies software versions
- Performs basic tests to find vulnerable services (e.g. is anonymous FTP login enabled?)
- Generally uses a number of active plugins to test each target service against known vulnerabilities
- Uses a database of vulnerable software version numbers; matching only the identified version string against this database can produce a large number of false positives (vendor-backported fixes and faked banners do not change the reported version)
- Generally much more is built in (login support, trying weak passwords, fuzzing tests, etc.)
Problems and advantages of vulnerability scanners
Problems:
- Limited availability of free tools (Nessus went from free and open source to closed source with a limited free version)
- Vulnerability databases have to be kept up to date
- Knowledge of the OS and the services may be needed for accurate results (to avoid false positives)
- Tests against custom settings, tools and software components are generally missing
- Generally no new attack or system-wide vulnerability can be found; human expertise is still needed
Advantages:
- Automatic runs, fast scanning of multiple hosts against thousands of vulnerabilities
- Good-looking automatic reports as audit material
- Most internet-wide scanning attacks can be prevented (those attackers also use standard attacks and the same databases)
Nessus installation
1. Downloading and installing Nessus. VIDEO nessus_inst1.avi (02:15)
2. Installing Nessus plugins, activation. VIDEO nessus_inst2.avi (03:47)
Further videos on Nessus
1. Nessus scanning preparation, test1. VIDEO nessus_test1.avi (02:34)
2. First results. VIDEO nessus_test1_results.avi (03:47)
3. Results in HTML. LINK nessus_test1_results.html
4. Nessus web scan 1. VIDEO nessus_crysys_webscan_start.avi (01:38)
5. Nessus web scan result 1. VIDEO nessus_crysys_webscan_results.avi (02:05)
Security through obscurity
Security through obscurity (there is a long-running debate about this!) = we do not even tell what the system, configuration or software looks like; the hope is that hiding the information makes the system secure.
- Bugs are harder to find from the outside; the risk shifts to insiders, who can find flaws because the system is unknown to most outside experts
- Obscurity is only a tool to buy more time to solve the real problems
- Time matters to the individual system administrator, but not on the global level
- E.g. traditional locks are all about time, not about absolute protection
- However, obscurity may hide problems that ought to be solved
- Audits can help find those problems even when security-through-obscurity mechanisms are in use
- Hiding unnecessary information is a standard protective measure, but it is, in fact, security through obscurity
DNS as information source 1: basic query [2010, no DNSSEC]
boldi@hbgyak:~$ dig crysys.hu

; <<>> DiG 9.5.1-P3 <<>> crysys.hu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                    IN      A

;; ANSWER SECTION:
crysys.hu.              3000   IN      A       152.66.249.135

;; Query time: 33 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:04:04 2010
;; MSG SIZE  rcvd: 43
DNS: get the MX records for mail
boldi@hbgyak:~$ dig crysys.hu in mx

; <<>> DiG 9.5.1-P3 <<>> crysys.hu in mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42586
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                    IN      MX

;; ANSWER SECTION:
crysys.hu.              3000   IN      MX      50 eternal.datacontact.hu.
crysys.hu.              3000   IN      MX      10 shamir.crysys.hu.

;; Query time: 32 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:04:48 2010
;; MSG SIZE  rcvd: 86
Getting the list of DNS servers
boldi@hbgyak:~$ dig crysys.hu in ns

; <<>> DiG 9.5.1-P3 <<>> crysys.hu in ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39280
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                    IN      NS

;; ANSWER SECTION:
crysys.hu.              2681   IN      NS      ns1.crysys.dc.hu.
crysys.hu.              2681   IN      NS      ns2.crysys.dc.hu.

;; Query time: 42 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:09:23 2010
;; MSG SIZE  rcvd: 73
So what?
- DNS gives the basic information about which servers we are connecting to
- The attacker will take these same first steps
- Of course, sometimes this is not interesting
- But the attacker learns which hosts serve which purpose (MX, NS, web, etc.)
- Multiple addresses may serve one function (round-robin hosts for the web, multiple DNS servers (round-robin), MX records (priority-ordered list plus round-robin))
- Not much to gain, but much to lose if you skip this check.
Finding out the BIND version
boldi@hbgyak:~$ dig version.bind @ns2.crysys.dc.hu txt ch

; <<>> DiG 9.5.1-P3 <<>> version.bind @ns2.crysys.dc.hu txt ch
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                 CH      TXT

;; ANSWER SECTION:
version.bind.           0      CH      TXT     "4.9.3-P1-plus-CA-98.05-patches"
The named version of the BME DNS server
boldi@hbgyak:~$ dig version.bind @ns.bme.hu txt ch

; <<>> DiG 9.5.1-P3 <<>> version.bind @ns.bme.hu txt ch
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                 CH      TXT

;; ANSWER SECTION:
version.bind.           0      CH      TXT     "9.5.1-P3"

;; AUTHORITY SECTION:
version.bind.           0      CH      NS      version.bind.
version.bind
- So you can check the version of BIND
- But you cannot be sure it is not faked
- As a sysadmin, you might want to set this to something fake; that is security through obscurity
- But if you are too lazy to upgrade whenever it is needed, at least fake the version info
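What dig does above is one UDP exchange: a query for the name version.bind, type TXT, in the CHAOS class (class 3, not IN). The following script is an added example, not part of the slides, that builds that query byte by byte, parses the reply including DNS name compression, and reproduces the two answers seen on the slides with a constructed reply (no network is used for the sample; query_version() sends a live query if you call it). The transaction id 0x1234 and the 3-second timeout are arbitrary choices.

```python
import socket
import struct

CLASS_CH = 3    # CHAOS class: BIND answers version.bind only in this class
TYPE_TXT = 16


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                # the 2-byte pointer ends the name on the wire
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_version_query(txid=0x1234):
    """'version.bind CH TXT' query: one question, RD clear (an authoritative
    server answers either way; dig sets RD and gets the 'recursion requested' warning)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def parse_version_response(msg):
    """Return {'rcode': n, 'versions': [...]} from a raw DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": flags & 0xF, "versions": []}
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            # TXT rdata is a sequence of <len><chars> strings; join them
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            result["versions"].append("".join(parts))
    return result


def build_sample_response(version_string, txid=0x1234):
    """Constructed sample reply (not captured traffic): QR+AA set, question echoed,
    one TXT answer with TTL 0 whose owner name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = bytes([len(version_string)]) + version_string.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + question + answer


def query_version(server, timeout=3.0):
    """Live query over UDP/53 (needs network; the offline sample below does not use it)."""
    q = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_version_response(data)


if __name__ == "__main__":
    # The two strings seen on the slides: a current-looking one and a deliberately ancient fake.
    for v in ("9.5.1-P3", "4.9.3-P1-plus-CA-98.05-patches"):
        print(parse_version_response(build_sample_response(v)))
```

The parser keys on class CH, so a server that answers the name in class IN (or returns REFUSED, rcode 5) yields an empty list rather than a bogus version; and, as the slide says, whatever string comes back is only what the operator chose to put in the version option.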
Zone transfer, if allowed
boldi@hbgyak:~$ dig crysys.hu @ns2.crysys.dc.hu in axfr

; <<>> DiG 9.5.1-P3 <<>> crysys.hu @ns2.crysys.dc.hu in axfr
;; global options: printcmd
crysys.hu.                 3000  IN  SOA  ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000
crysys.hu.                 3000  IN  NS   ns1.crysys.dc.hu.
crysys.hu.                 3000  IN  NS   ns2.crysys.dc.hu.
crysys.hu.                 3000  IN  A    152.66.249.135
crysys.hu.                 3000  IN  MX   10 shamir.crysys.hu.
crysys.hu.                 3000  IN  MX   50 eternal.datacontact.hu.
crysys.hu.                 3000  IN  TXT  "Datacontact - your nameserver..."
aggregator.crysys.hu.      3000  IN  A    195.228.45.178
albifrons.crysys.hu.       3000  IN  A    10.105.1.95
clamav.crysys.hu.          3000  IN  A    152.66.249.132
cypio.crysys.hu.           3000  IN  A    152.66.249.135
db.crysys.hu.              3000  IN  A    152.66.249.139
deserecprj.crysys.hu.      3000  IN  A    152.66.249.132
deserecvclt1.crysys.hu.    3000  IN  A    152.66.249.131
deserecvclt2.crysys.hu.    3000  IN  A    152.66.249.133
deserecvhost1.crysys.hu.   3000  IN  A    152.66.249.130
deserecvirtclt1.crysys.hu. 3000  IN  A    152.66.249.131
deserecvirtclt2.crysys.hu. 3000  IN  A    152.66.249.133
[listing truncated on the slide]
Zone transfer authorization
boldi@fw:~$ dig crysys.hu @ns1.crysys.dc.hu in axfr

; <<>> DiG 9.5.1-P1 <<>> crysys.hu @ns1.crysys.dc.hu in axfr
;; global options: printcmd
; Transfer failed.

Limiting zone transfers in named.conf (only the listed secondaries may pull the zone):
allow-transfer { 195.228.45.175; 152.66.249.135; };

A source-address list is the minimum; for a secondary that must be trusted beyond its IP address, BIND can additionally require a TSIG-signed transfer request.
Setting a fake BIND version in named.conf
boldi@shamir:~$ more /etc/bind/named.conf
/* sample configuration file for BIND 8.1 or later
 * should be installed as /etc/named.conf
 *
 * Author: Florian La Roche
 */
#
# overall options of the server
#
options {
        version "4.9.3-P1-plus-CA-98.05-patches";   // the string returned for version.bind CH TXT
        // (remaining options omitted on the slide)
};
Whois lookup of the address
boldi@hbgyak:~$ whois 152.66.249.135

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   152.66.0.0 - 152.66.255.255
CIDR:       152.66.0.0/16
NetName:    RIPE-ERX-152-66-0-0
NetHandle:  NET-152-66-0-0-1
Parent:     NET-152-0-0-0-0
NetType:    Early Registrations, Transferred to RIPE NCC
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-03-03
Updated:    2004-03-03
The referral leads to the RIPE record:

inetnum:        152.66.0.0 - 152.66.255.255
netname:        BMENET
descr:          Budapest University of Technology and Economics
descr:          Budapesti Muszaki es Gazdasagtudomanyi Egyetem
country:        HU
org:            ORG-BME1-RIPE
admin-c:        GR1029-RIPE
tech-c:         IOS2-RIPE
tech-c:         GOYA-RIPE
tech-c:         THU-RIPE
remarks:        rev-srv: nic.bme.hu
remarks:        rev-srv: ns.bme.hu
status:         ASSIGNED PI
mnt-by:         AS2547-MNT
source:         RIPE # Filtered
remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009
DNS AXFR
- AXFR is a zone transfer: a DNS server copies all the data of a zone to another DNS server (the secondary downloads everything it is going to serve)
- Anyone who can download the zone-transfer data knows all the hosts and subdomains defined in the zone
- E.g. all .ca domain entries could be downloaded by AXFR
- Why is it a problem? E.g. info@domain.hu-style spam: a spammer can easily collect a list of names
- Is it a problem? Hard to answer; see security through obscurity above.
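To make "knows all the hosts" concrete, here is an added example (not from the slides) that reads a dig-style AXFR listing and summarises what an attacker takes away from it: the host list, names that share one machine, infrastructure hosted outside the zone, and private (RFC 1918) addresses that have leaked into a public zone, as the albifrons record on the slide does. The sample zone text is an abridged, constructed copy of the listing shown earlier; the same function can be run on a real dump saved from dig.

```python
import ipaddress
from collections import defaultdict

ZONE = "crysys.hu."

# Constructed sample: an abridged copy of the AXFR output on the slide, as dig prints it.
SAMPLE_AXFR = """\
crysys.hu.            3000 IN SOA ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000
crysys.hu.            3000 IN NS  ns1.crysys.dc.hu.
crysys.hu.            3000 IN NS  ns2.crysys.dc.hu.
crysys.hu.            3000 IN A   152.66.249.135
crysys.hu.            3000 IN MX  10 shamir.crysys.hu.
crysys.hu.            3000 IN MX  50 eternal.datacontact.hu.
crysys.hu.            3000 IN TXT "Datacontact - your nameserver..."
aggregator.crysys.hu. 3000 IN A   195.228.45.178
albifrons.crysys.hu.  3000 IN A   10.105.1.95
clamav.crysys.hu.     3000 IN A   152.66.249.132
cypio.crysys.hu.      3000 IN A   152.66.249.135
db.crysys.hu.         3000 IN A   152.66.249.139
deserecprj.crysys.hu. 3000 IN A   152.66.249.132
"""


def parse_zone(text):
    """Parse dig-style 'owner ttl IN type rdata...' lines into (owner, type, rdata-fields)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # dig comments and blank lines
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0], fields[3], fields[4:]))
    return records


def analyze(records, zone=ZONE):
    """What the dump tells an attacker (and what the zone owner should review before allowing AXFR)."""
    by_ip = defaultdict(list)
    private, external = [], []
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            by_ip[str(ip)].append(owner)
            if ip.is_private:                      # internal address published in a public zone
                private.append((owner, str(ip)))
        elif rtype in ("NS", "MX"):
            target = rdata[-1]                     # last field is the host name for both NS and MX
            if not target.endswith("." + zone):
                external.append((rtype, target))   # mail or DNS run by a third party
    return {
        "hosts": sorted({o for o, t, _ in records if t == "A"}),
        "shared": {ip: names for ip, names in by_ip.items() if len(names) > 1},
        "private": private,
        "external": external,
    }


def report(text, zone=ZONE):
    r = analyze(parse_zone(text), zone)
    print("%d hosts with A records" % len(r["hosts"]))
    for ip, names in r["shared"].items():
        print("  one machine, several names: %s -> %s" % (ip, ", ".join(names)))
    for owner, ip in r["private"]:
        print("  PRIVATE address leaked: %s -> %s" % (owner, ip))
    for rtype, target in r["external"]:
        print("  %s served outside the zone: %s" % (rtype, target))
    return r


if __name__ == "__main__":
    report(SAMPLE_AXFR)
```

Run against the real listing, the shared-address lines are the first thing a pentester uses to map services onto machines, and the private-address line is the kind of finding an audit should raise even if the transfer itself is later closed off.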
Whois
- Whois is a general internet-wide database protocol
- It is typically used to look up IP address assignments and the holder of a DNS domain
- In many places it is no longer used directly; for .hu it is redirected to a web-based service, http://www.domain.hu/domain/domainsearch/ (how ethical that is, is another question)
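The two whois records shown earlier are one referral chain: ARIN answers for 152.66.249.135 with a ReferralServer line, and the RIPE database holds the BMENET assignment. The following is an added example, not part of the slides, of the raw protocol (one TCP connection to port 43, send the query line, read until close) with a small parser that follows ReferralServer pointers. The sample answers are constructed, abridged copies of the records on the slides, and whois.arin.net as the starting server is an assumption (it is where an ARIN-style answer like the one shown comes from).

```python
import socket

# Constructed samples: abridged copies of the two records shown on the slides.
SAMPLE_ARIN = """\
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Country:    NL
ReferralServer: whois://whois.ripe.net:43
NetRange:   152.66.0.0 - 152.66.255.255
CIDR:       152.66.0.0/16
NetName:    RIPE-ERX-152-66-0-0
NetType:    Early Registrations, Transferred to RIPE NCC
"""

SAMPLE_RIPE = """\
% This is the RIPE Database query service (comment line, skipped by the parser)
inetnum:        152.66.0.0 - 152.66.255.255
netname:        BMENET
descr:          Budapest University of Technology and Economics
country:        HU
org:            ORG-BME1-RIPE
admin-c:        GR1029-RIPE
tech-c:         IOS2-RIPE
tech-c:         GOYA-RIPE
status:         ASSIGNED PI
mnt-by:         AS2547-MNT
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Parse 'key: value' lines into {lowercase key: [values]}; keys may repeat (tech-c)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_target(fields):
    """Return (host, port) from a 'ReferralServer: whois://host[:port]' line, or None."""
    for ref in fields.get("referralserver", []):
        if ref.startswith("whois://"):
            host, _, port = ref[len("whois://"):].partition(":")
            return host, (int(port) if port else 43)
    return None


def whois_raw(query, server, port=43, timeout=5.0):
    """One WHOIS exchange (RFC 3912): send the query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def sample_fetch(query, server, port=43, timeout=5.0):
    """Offline stand-in for whois_raw that replays the constructed samples."""
    return SAMPLE_ARIN if server == "whois.arin.net" else SAMPLE_RIPE


def whois_lookup(query, start_server="whois.arin.net", fetch=whois_raw, max_hops=3):
    """Follow referrals from start_server; returns [(server, parsed fields), ...] in order."""
    server, port, hops = start_server, 43, []
    for _ in range(max_hops):                       # bound the walk: referral loops exist
        fields = parse_whois(fetch(query, server, port))
        hops.append((server, fields))
        nxt = referral_target(fields)
        if nxt is None or nxt[0] == server:
            break
        server, port = nxt
    return hops


if __name__ == "__main__":
    for server, fields in whois_lookup("152.66.249.135", fetch=sample_fetch):
        print(server, fields.get("netname"), fields.get("org"))
```

Pass fetch=whois_raw (the default) to walk the real servers; the parser is the same either way, and the hop list keeps every intermediate record, since the ARIN entry is what tells you the block was an early registration transferred to RIPE.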
2011: the bme.hu record from the .hu registry (field labels are Hungarian: domain-használó = domain holder, cím = address, telefon = phone, telefax = fax, admin-/tech-/zone-kontakt = administrative/technical/zone contact, névszerver = name server, regisztrálva = registered, módosítva = modified, regisztrátor = registrar)

domain:          bme.hu
domain-használó: Budapest University of Technology and Economics
domain-használó: Budapesti Muszaki és Gazdaságtudományi Egyetem
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4631111
telefax:         +36 1 4631110
hun-id:          1000215059
admin-kontakt:   2001296914
tech-kontakt:    2001292652
zone-kontakt:    2000226497
névszerver:      nic.bme.hu [152.66.115.1]
névszerver:      ns2.pantel.net
névszerver:      ns.bme.hu [152.66.116.1]
regisztrálva:    1993-03-03 14:24:46
módosítva:       2010-03-02 15:28:56
regisztrátor:    1960215001

admin-kontakt:   Remzső Gábor
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4632421
telefax:         +36 1 4631110
hun-id:          2001296914
tech-kontakt:    BMENET hostmaster
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4631616
telefax:         +36 1 4632420
e-mail:          hostmaster@bme.hu
hun-id:          2001292652

zone-kontakt:    DNS Admin HUNGARNET
cím:             Pf. 498
cím:             1396 Budapest 62
cím:             HU
telefon:         dns-admin@hungarnet.hu
telefax:         +36 1 350-6750
hun-id:          2000226497

regisztrátor:    HUNGARNET Association
regisztrátor:    HUNGARNET Egyesület (Registrar)
cím:             Victor Hugo u. 18-22.
cím:             H-1132 Budapest
cím:             HU
telefon:         +36 1 4503070
telefax:         +36 1 3506750
hun-id:          1960215001
2010 record (archive)

person:         Gabor Remzso
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4632421
fax-no:         +36 1 4632420
nic-hdl:        GR1029-RIPE
org:            ORG-BME1-RIPE
mnt-by:         AS2547-MNT
source:         RIPE # Filtered

person:         Istvan Ostrosits
address:        Invitel
address:        Puskas Tivadar u. 8-10.
address:        H-2040 Budaors
address:        Hungary
phone:          +36 1 8883583
nic-hdl:        IOS2-RIPE
source:         RIPE # Filtered
2010 record /2

person:         Andras Jako
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4631672
fax-no:         +36 1 4632420
nic-hdl:        GOYA-RIPE
org:            ORG-BME1-RIPE
source:         RIPE # Filtered

person:         Imre Simon
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4631616
fax-no:         +36 1 4632420
nic-hdl:        THU-RIPE
source:         RIPE # Filtered
2010 record /3

% Information related to '152.66.0.0/16AS2547'
route:          152.66.0.0/16
descr:          BMENET
org:            ORG-BME1-RIPE
origin:         AS2547
mnt-by:         AS2547-MNT
source:         RIPE # Filtered

organisation:   ORG-BME1-RIPE
org-name:       BME
remarks:        Budapest University of Technology and Economics
remarks:        Budapesti Muszaki es Gazdasagtudomanyi Egyetem
org-type:       OTHER
address:        Muegyetem rkp. 9. H-1111 Budapest Hungary
phone:          +36 1 4632421
fax-no:         +36 1 4632420
remarks:        =========================================================
abuse-mailbox:  abuse@bme.hu
remarks:        ---------------------------------------------------------
remarks:        Reporting guidelines can be found at http://net.bme.hu/abuse/?lang=en
                Reports not conforming to these guidelines may be discarded silently.
                Thanks for your cooperation.
remarks:        ---------------------------------------------------------
2010 record /4

remarks:        Bejelentest kerjuk az alabbiak szerint tegyen: http://net.bme.hu/abuse/
                Az itt leirtaknak meg nem felelo bejelentesekkel nem all modunkban foglalkozni.
                Koszonjuk szives egyuttmukodeset!
                [Hungarian version of the reporting guidelines above: please report as described at http://net.bme.hu/abuse/; reports not conforming to them cannot be handled. Thank you for your cooperation!]
remarks:        =========================================================
mnt-ref:        AS2547-MNT
mnt-by:         AS2547-MNT
source:         RIPE # Filtered
Questions? Thank you for your attention! Dr. Bencsáth Boldizsár, assistant professor, BME Department of Telecommunications, bencsath@crysys.hit.bme.hu