4. Expectations
• General overview - only have 60 minutes!
• Focus will be on tools to help detect problems with your network
• Two-hat perspective
• If you can use the tool, think how it can be used against you!
5. Approach
Each tool will be described in terms of:
• What the tool does
• How you can use it
• Advantages/disadvantages
6. Topics to be covered
Data Mining 1A
• Web 2.0
• Kismet
• OpenVAS
• Metasploit
7. More Topics
• NMap
• Web Vulnerability Scanners
• Pros and Cons of the free stuff
• The Future
9. Data Mining 1A
• Every network leaks or broadcasts information
• What is allowable or acceptable by your organization?
• This section will give examples of types of information being broadcast - allowable and sensitive
10. Classic Sources of Data Leaks
• DNS & MX records
• Technical forums
• Job sites
12. Google’s Advanced Operators
• Reduce noise
• Help to refine search
• Syntax: operator:search term
• Tutorial to advanced operators: http://www.googletutor.com/google-manual/web-se
20. Example of a technical Google hack revealing Nessus scan reports
21. Summary of Google Hacking
• Use Google to peruse your servers for sensitive information
• Clean up your mess, like old scan reports
• Educate users about the danger of broadcasting information
22. The Pros of Google Hacking
• Find information you didn’t know was being broadcast
• It’s cheap and works
23. The Cons of Google Hacking
• Someone may have found the information already
• You may not find everything
• Fear the Google cache!!!!!
24. References for Google Hacking
• See Johnny Long’s book - Google Hacking for Penetration Testers - ISBN-10 1597491764
• Any questions - just send me an email
25. Web 2.0
• Example: Twitter
• Technical
• Exploitation of code
• Passive enumeration
• Users careless of information being broadcast
26. Solution
• Identify types of data that should not be broadcast
• Educate
• Users need to be made aware there are people “watching.”
27. “Free” Tools
• Many released under GNU/GPL
• Range from simple to complex
• Many have great support and documentation
33. Cons of Kismet
• Interface
• May require significant configuration
• Incompatibilities
• Long-term cost could be high due to time spent configuring and tweaking apps
34. OpenVAS Vulnerability Assessment
• Based upon Nessus 2.2
• Released under GNU/GPL
• openvas.org
40. Metasploit
• Security framework that identifies vulnerabilities and exploits them
• Intended for penetration testing and research
• Customizable
• metasploit.org
41. Metasploit: command line interface of Metasploit
45. Metasploit Advantages
• Growing community of users
• Growing documentation
• Runs well on most flavors of *nix
• Excellent tool to identify and exploit vulnerabilities
46. Metasploit Disadvantages
• Does not contain every exploit, and may not be up to date with the latest exploits
• Lack of logging or reports
• Machine running Metasploit can be compromised
• This is a very dangerous tool and may violate policy at your institution. Use on a test network
47. Nmap - Network Mapper
• Sends raw IP packets to a specific host, or a range of hosts
• Determines OS, version, open ports; identifies potential vulnerabilities
• nmap.org
48. Who uses Nmap
• Network administrators and other IT folk responsible for network-based assets
• Pen testers and other security folk
49. Nmap
Loki:/Users/Doug root# nmap -sV 192.168.1.1-25
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-14 23:56 PDT
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco telnetd (IOS 6.X)
443/tcp open ssl/http Cisco PIX Device Manager
MAC Address: 00:08:21:3A:29:B2 (Cisco Systems)
Service Info: OS: IOS; Device: firewall
Interesting ports on 192.168.1.2:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp tnftpd 20061217
22/tcp open ssh OpenSSH 5.1 (protocol 1.99)
548/tcp open afp Apple AFP (name: Feline; protocol 3.2; Mac OS X 10.4/10.5)
MAC Address: 00:0D:93:32:D0:26 (Apple Computer)
Service Info: Host: Feline.local
Interesting ports on 192.168.1.4:
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
5009/tcp open airport-admin Apple AirPort admin
MAC Address: 00:03:93:1F:01:65 (Apple Computer)
Interesting ports on 192.168.1.6:
Part of an Nmap scan report
50. Strengths of Nmap
• Large base of support from user and developer community
• Mature product
• Fast and versatile scanner
• Extremely stable. Install and go!
51. Weaknesses of Nmap
• Some scans seem to be intrusive
• Some scans have crashed hosts being scanned
52. Web Vulnerability Scanners
• GNU/GPL World
• Singular in purpose
• Paros
• Stagnant
• Nikto
53. Web Vulnerability Scanners
Singular-purpose tools usually check for a single type of vulnerability (e.g. XSS, SQL injection). You would need a lot of different GNU/GPL tools to cover all possible vulnerabilities.
54. Web Vulnerability Scanners
Some projects become stagnant or die because the core developers are no longer able to devote time to the project.
55. Advantages of the “free” apps
• Initial cost is low
• Some projects have a community of support
• Documentation
• A potentially powerful tool rivaling commercial tools
56. Advantages of “free” apps
Use older hardware
• Great for that older machine collecting dust
59. What to do?
• Define your needs
• Determine stability and viability of project
• Be willing to invest time
• Be diligent
60. The future
Greater and easier exploitation of Web 2.0
• You must educate your users about the dangers
• Handhelds will be both targets and attackers