Analysis of ESET Smart Security 6
personal firewall’s thresholds and
detection of various network attacks
Andrej Šimko
359952
andrej.simko@mail.muni.cz
08.05.2013
Project on Advanced Topics in IT Security
1. Introduction
The main goal of this project is to observe attacks against the personal firewall of ESET Smart Security 6, to
determine which attacks launched from the same LAN it is able to detect, and to find the thresholds at which it
raises a warning or detection for each of them.
2. Testing environment
To simulate the firewall's reaction in a real-life scenario, two notebooks were used: the attacker, with no
antivirus or firewall installed, and the victim, running Windows 7 64-bit with ESET Smart Security 6 enabled.
Both were connected by cable (or wirelessly) to an intermediate router that had been reset to factory defaults.
The victim's IPv4 address is 192.168.0.101, the attacker's is 192.168.0.100 and the router's is 192.168.0.1.
3. About ESET Smart Security 6
ESET Smart Security 6.0.316.0 is the newest version of ESET's commercial internet security suite for end-user
devices such as desktops and laptops. It provides layered protection for the end station, integrating antivirus,
a personal firewall, an Intrusion Detection System, a Host Intrusion Prevention System, antispam, parental
control and other protection components. It has received multiple awards around the world [1].
4. Port scanning
Port scanning is a technique for discovering open ports on a host or any other network device. If there are
open ports, an attacker may be able to use them to mount some kind of attack. On the other hand, port scanning
is widely used by network administrators to find out whether a computer's ports are sufficiently secured. One of
the best widely available tools specialising in different scan types and options is Nmap, which was used to
launch port scans against the ESET Smart Security 6 firewall and thus test its reactions, capabilities and
detection thresholds. The Nmap manual page, with many examples and explanations, can be found at [4].
4.1. TCP SYN = "-sS"
This default Nmap scan type is quick and relatively stealthy, since it never completes a TCP connection. It is
not platform specific, so it works everywhere Nmap can send raw packets. It distinguishes open ports (the reply
to the SYN is a SYN/ACK, or rarely a bare SYN), closed ports (an RST is received) and filtered ports (no
response, or an ICMP unreachable error, is received).
4.2. TCP Connect() = "-sT"
This technique is used when the user lacks the privileges to send raw packets: Nmap asks the operating system
to establish a full TCP connection with each port on the destination machine. It is much slower than a SYN scan
and requires more packets, and the target machine is far more likely to log the connection.
4.3. TCP NULL, FIN, XMAS = "-sN", "-sF", "-sX"
These scans exploit a loophole in the TCP RFC to distinguish open and closed ports. On a system compliant with
RFC 793, a closed port answers any packet that does not carry the SYN, RST or ACK bits with an RST, while an
open port silently drops it. If no response is received the port is reported as open|filtered; if an ICMP
unreachable error is received it is marked filtered. However, not all operating systems follow RFC 793 to the
letter: Microsoft Windows and Cisco devices, among others, answer with an RST whether the port is open or
closed, so every port appears closed. These scans should work on most UNIX-based systems.
4.4. TCP ACK = "-sA"
This variant differs from the others in that it does not determine whether ports are open or closed, but
whether they are filtered or unfiltered. It sends packets with only the ACK bit set. Unfiltered ports respond
with an RST regardless of whether they are open or closed; ports that send an ICMP unreachable error or do not
reply at all are marked filtered.
4.5. TCP Window = "-sW"
The Window scan is the same as the ACK scan, but thanks to an implementation detail of some systems it can also
distinguish open from closed ports. It examines the TCP window size of the returned RST: some systems respond
with a zero window when the port is closed and a positive window when it is open. This scan is not
trustworthy, because only a minority of systems behave this way.
4.6. TCP Maimon = "-sM"
Named after its discoverer, Uriel Maimon, this scan behaves like the NULL, FIN and XMAS scans; the only
difference is that the probe has the FIN and ACK bits set. According to the TCP RFC an RST should be generated
in response to such a probe whether the port is open or closed, but some systems simply drop the packet if the
port is open.
4.7. UDP = "-sU"
UDP scanning is much slower than TCP scanning, because probe responses may be lost and many systems (Linux in
particular) rate-limit ICMP destination unreachable messages to about one per second. For the most common ports
Nmap sends a protocol-specific payload; for the others the payload is empty. If an ICMP port unreachable error
is received the port is closed; if another ICMP unreachable error is received the port is filtered; if a UDP
response arrives the port is open; and if nothing comes back the port is open|filtered.
4.8. SCTP INIT = "-sY"
SCTP is a newer transport protocol that serves as an alternative to TCP and UDP. The SCTP INIT scan is the SCTP
equivalent of the TCP SYN scan, because it never completes the association. It distinguishes open, closed and
filtered ports.
4.9. SCTP COOKIE ECHO = "-sZ"
A more advanced SCTP scan that is even stealthier than SCTP INIT. The disadvantage is that it cannot
distinguish open ports from filtered ones.
4.10. Service/version detection = "-sV"
Nmap can also identify the service protocol running on a selected port (Telnet, SSH, FTP, ...), the application
name (Apache httpd, Solaris telnetd, ...), its version number, the hostname, the device type (router, printer,
...) and the OS family (Windows, Linux, ...).
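As an added illustration (not part of the report), the following Python model shows why the NULL, FIN, XMAS and Maimon scans behave differently against an RFC 793 stack and a Windows-style stack, and how Nmap turns each reply into a port state. The stack behaviour is modelled from the Nmap manual's description in sections 4.1 to 4.6 above, not from any real TCP implementation; ICMP errors are not modelled.

```python
# Added example: simplified TCP stack responders and Nmap's port-state inference.
# Stack behaviour follows the Nmap manual's description; it is a model, not a
# packet-level emulation of any real operating system.

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

# TCP flags each Nmap technique sets on its probe
PROBES = {
    "-sS": {SYN},
    "-sN": set(),               # NULL scan: no flags at all
    "-sF": {FIN},
    "-sX": {FIN, PSH, URG},     # Xmas scan
    "-sM": {FIN, ACK},          # Maimon scan
    "-sA": {ACK},
}

def rfc793_stack(flags, port_open):
    """Reply of a stack that follows RFC 793; None means the probe is dropped."""
    if not port_open:
        return None if RST in flags else "RST"   # CLOSED: RST to anything but an RST
    if SYN in flags and ACK not in flags:
        return "SYN/ACK"                           # LISTEN: normal connection attempt
    if ACK in flags:
        return "RST"                               # LISTEN: a stray ACK is reset
    return None                                    # LISTEN: no SYN/RST/ACK -> silently dropped

def windows_stack(flags, port_open):
    """Reply of a stack (Windows, Cisco IOS per the Nmap manual) that resets any non-SYN probe."""
    if SYN in flags and ACK not in flags:
        return "SYN/ACK" if port_open else "RST"
    return "RST"

def nmap_state(technique, reply):
    """Nmap's interpretation of the reply (ICMP unreachable errors are not modelled)."""
    if technique == "-sS":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if technique == "-sA":
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"   # -sN, -sF, -sX, -sM

def scan(technique, stack, open_ports, ports):
    """Run one technique against a simulated host; returns {port: nmap state}."""
    flags = PROBES[technique]
    return {p: nmap_state(technique, stack(flags, p in open_ports)) for p in ports}

if __name__ == "__main__":
    for name, stack in (("RFC 793 stack", rfc793_stack), ("Windows-style stack", windows_stack)):
        for tech in ("-sS", "-sN", "-sM", "-sA"):
            print(name, tech, scan(tech, stack, open_ports={80}, ports=[80, 81]))
```

Against the Windows-style stack every FIN/NULL/Xmas probe comes back as an RST, so port 80 is reported "closed" even though it is listening; against the RFC 793 stack the same probes yield "open|filtered" for port 80 and "closed" for port 81, which is the only reason these scans are useful at all.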
5. Port scanning and ESET Smart Security 6
I used the default scanning options ("nmap -[technique] 192.168.0.101", where "[technique]" was chosen from
{-sS, -sT, -sN, -sF, -sX, -sA, -sW, -sM, -sU, -sY, -sZ, -sV}) to discover which scanning techniques ESET Smart
Security 6 detects. I found that it successfully detects the following Nmap methods: TCP SYN, TCP Connect(),
UDP and service/version detection. It completely lacks the ability to detect the following methods: TCP ACK,
TCP Window, TCP Maimon, TCP NULL, TCP FIN, TCP XMAS, SCTP INIT and SCTP COOKIE ECHO. Nmap scans 1000 ports by
default; only the SCTP scans use fewer (52), and all of them were scanned. Note that against this Windows 7
victim the undetected NULL, FIN, XMAS and Maimon scans are of limited use anyway, since, as described in
section 4.3, a Windows stack answers them with an RST for every port and they therefore report all ports as
closed.
Next, I tried to observe how many ports can be scanned with each detected method without triggering detection.
I found that a scan of only 8 ports is not detected by ESET Smart Security 6 at all, whereas scanning 9 ports
is detected. An example is "nmap -p 190-197 192.168.0.101". I also discovered that scanning the ports in
consecutive order (e.g. ascending: 190, 191, 192, 193, 194) as opposed to random order (e.g. 194, 190, 192,
193, 191) has no effect on detection. Scanning the most common ports has no effect on detection either, so I
would recommend using "--top-ports" in any command, since it gives a higher probability of finding open ports.
There is also a way to scan all ports with the techniques that ESET Smart Security 6 does detect: set either
"--max-rate 1" or "--scan-delay 1". Both options limit the scan to one port per second, and at that rate it is
not detected at all. With "--scan-delay" set to 0.9 or "--max-rate" set to 1.1 the scan is detected, so a value
of exactly 1 is the right choice.
Another way to evade scan detection is fragmentation. With an MTU of 8 or 16, both the TCP SYN scan and
service/version detection can be used without limiting the number of probes per second. The command is
"nmap -f --mtu 16 -technique 192.168.0.101", where "-technique" is one of {-sS, -sV} and "--mtu" is one of
{8, 16}. Setting the MTU higher than 16 results in successful detection of the scan. TCP Connect() and UDP
scans are detected regardless of fragmentation (a Connect() scan is performed by the operating system's own
TCP stack, so Nmap cannot fragment it in the first place).
The UDP scan has several unusual properties that I discovered while testing it. It does not seem to have a
fixed default threshold, but rather an adaptive one. I tried to find the highest usable value of "--max-rate"
and observed the following: when set directly to anything higher than 6, the scan is detected immediately.
However, when it is set to 6, then 11, and then incremented by 5 again and again, it is detected only when it
reaches 51. After one successful detection it is again impossible to scan undetected unless the rate is set
back to 6 or lower and the process is restarted. I tried incrementing by values other than 5; the highest
increment that worked was 9, with which detection occurred at 60. The exact command I used was
"nmap -n --top-ports 100 --max-rate 6 -sU 192.168.0.101". On the other hand, "--scan-delay" set to 0.05 works
perfectly and is not detected, while 0.04 is detected.
6. ARP Spoofing
Using Cain & Abel, I mounted an ARP spoofing/poisoning attack. Thanks to its GUI I could see that Cain & Abel
was unable to launch a successful ARP spoofing attack against the given IP address (regardless of its settings)
while ESET Smart Security 6 was turned on. The attack was detected as "Detected ARP cache poisoning attack" and
countered by not allowing traffic to pass through the attacker. When, however, the firewall was turned off
first and then turned on while the attack was already in progress, both old and new connections were
successfully routed through the attacker: they were detected, but not countered. I have not found any way of
making the ARP spoofing attack undetectable.
7. Denial of Service
A DoS attack is an attempt to make a device or an entire network unavailable to legitimate users. Dedicated DoS
software exists that was created to attack web servers by URL; an example is BamBam [2]. Other programs I found
can (also) launch a DoS attack against a computer given its IP address, such as Low Orbit Ion Cannon [3].
7.1. Flooding with Low Orbit Ion Cannon
This tool can target web servers by URL or any computer by IP. The user can also set attack options such as
timeout, HTTP sub-site or TCP/UDP message (payload), target port, method (TCP, UDP or HTTP), number of threads
(how many users it emulates), whether to wait for a reply, and attack speed. I tried all three methods. Since
no web server runs on the victim, the HTTP attack did nothing, and the TCP attack also had no effect on my
network. The UDP attack, on the other hand, firing up to 50 000 packets per second, reached about 38% network
utilisation. I think this number would be even higher with a better-equipped attacker's netbook (its CPU was at
100%). ESET Smart Security 6 was unable to detect any of these LOIC attacks. When I attacked from the victim
towards the attacker (simply because of the better hardware), I reached 45% network utilisation and about 80%
CPU on the attacked computer; with "wait for reply" checked, network utilisation rose to 73% and CPU to 90%. So
with this tool one can flood the network without ESET Smart Security 6 detecting it.
7.2. Flooding with hping3
Using hping3 (manual page at [5]) I was able to test further flooding attacks. During an ICMP flood with the
"--flood" option (send packets as fast as possible and ignore incoming replies), the utilisation of the
victim's 100 Mb/s network connection was rather strange (see picture), and it did not matter whether the
firewall was on or off. ESET Smart Security 6 of course detected that an attack was in progress ("Detected ICMP
Flooding attack"). I noticed that without "--flood", "hping3 --icmp 192.168.0.101" receives successful
responses from the victim. I tried to find the threshold: with a waiting interval between packets of
"-i u24650" there was 0% packet loss and no detection (although at only 0.03% network utilisation this is
hardly a DoS attack). Any interval shorter than this bound was detected by the firewall, which then started to
drop some packets; for example with u24000 the attack was detected along with 2% packet loss. The detection
threshold is 201 packets: if 202 packets are sent to the victim, ESET Smart Security 6 detects an attack in
progress. These 201 undetected packets can be sent 1 microsecond apart ("-i u1"). Another way around detection
is "--rand-source", which is not detected at all and leaves no message in the firewall's logs; this suggests
the flood counter is kept per source address. Yet another successful evasion was setting a large data size
(for example "-d 22304"), which also utilised over 98.4% of the network (constantly, not in peaks as shown in
the picture), again without any detection. Note that such a payload far exceeds the Ethernet MTU, so each of
these packets reaches the victim as a train of IP fragments rather than as a single ICMP message.
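The port-scan thresholds of section 5 and the ICMP-flood threshold above can both be reproduced with a sliding-window counter. The following Python is an added example, not ESET's code: the window lengths are assumptions chosen so that the model agrees with the measurements (8 ports pass, 9 are flagged; "--max-rate 1" passes, 1.1 is flagged; 201 echo requests pass, 202 are flagged; "-i u24650" passes, "u24000" is flagged), and the traces it runs over are constructed, not captured.

```python
# Added example (not ESET's code): sliding-window threshold detectors whose
# parameters are chosen to reproduce the report's measurements.  The window
# lengths are ASSUMPTIONS; ESET's real logic is not public.
from collections import defaultdict, deque

class WindowedThreshold:
    """Flags a key once more than `limit` items (distinct items if `distinct`)
    have been seen for it inside the last `window` seconds."""

    def __init__(self, limit, window, distinct):
        self.limit, self.window, self.distinct = limit, window, distinct
        self.seen = defaultdict(deque)          # key -> deque of (timestamp, item)

    def observe(self, key, t, item=None):
        q = self.seen[key]
        q.append((t, item))
        while q and t - q[0][0] > self.window:  # drop entries older than the window
            q.popleft()
        count = len({i for _, i in q}) if self.distinct else len(q)
        return count > self.limit

# Port scan: 8 ports pass, 9 are flagged.  A 9-port scan at --max-rate 1.1
# (8 gaps of 0.909 s = 7.27 s) was detected and at --max-rate 1 (8 s) was not,
# so the window must lie in [7.27, 8.0); 7.5 s is assumed.
PORTSCAN_LIMIT, PORTSCAN_WINDOW = 8, 7.5
# ICMP flood: 201 echo requests pass, 202 are flagged; "-i u24650" (40.6 pkt/s)
# passed and "-i u24000" (41.7 pkt/s) was flagged, which bounds the window to
# roughly [4.82, 4.95) s; 4.9 s is assumed.
ICMP_LIMIT, ICMP_WINDOW = 201, 4.9

def portscan_detected(probes):
    """probes: iterable of (t, src_ip, dst_port).  Port order is irrelevant."""
    det = WindowedThreshold(PORTSCAN_LIMIT, PORTSCAN_WINDOW, distinct=True)
    return any(det.observe(src, t, port) for t, src, port in probes)

def icmp_flood_detected(packets, per_source=True):
    """packets: iterable of (t, src_ip).  per_source=True keys the counter on the
    source address, which a randomised source (--rand-source) evades;
    per_source=False keys it on the victim and catches the flood regardless of source."""
    det = WindowedThreshold(ICMP_LIMIT, ICMP_WINDOW, distinct=False)
    return any(det.observe(src if per_source else "victim", t) for t, src in packets)

def nmap_like_scan(ports, rate, src="192.168.0.100"):
    """Constructed probe trace: one probe per port, 1/rate seconds apart."""
    return [(i / rate, src, p) for i, p in enumerate(ports)]

def hping_like_flood(n, interval, rand_source=False):
    """Constructed ICMP trace: n echo requests `interval` seconds apart."""
    def src(i):
        if rand_source:                          # a different address for every packet
            return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        return "192.168.0.100"
    return [(i * interval, src(i)) for i in range(n)]

if __name__ == "__main__":
    print("8 ports fast:", portscan_detected(nmap_like_scan(range(190, 198), rate=1000)))
    print("9 ports fast:", portscan_detected(nmap_like_scan(range(190, 199), rate=1000)))
    print("9 ports at --max-rate 1:", portscan_detected(nmap_like_scan(range(190, 199), rate=1.0)))
    print("202 ICMP, --rand-source:", icmp_flood_detected(hping_like_flood(202, 1e-6, rand_source=True)))
    print("same, keyed on victim:", icmp_flood_detected(hping_like_flood(202, 1e-6, True), per_source=False))
```

The model also shows the practical consequence of keying on the source address: 202 packets with randomised sources never push any single key past the limit, while a counter keyed on the victim flags the same trace immediately.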
When flooding the victim with UDP ("hping3 --udp --flood 192.168.0.101"), the victim's network adapter was
continuously utilised to 71.5% and one of its 8 CPUs to about 50%. This attack was not detected as such by ESET
Smart Security 6, but there were hundreds of warnings in the logs saying "Detected unexpected data in
protocol", so the attack can be noticed. These warnings can be avoided by adding "--destport 80" or another
port (I also tried port 89), which makes the attack truly undetectable and successful. As with ICMP flooding,
one can add more data bytes to utilise more of the network, which for some reason also lowers the usage of that
one CPU from 50% to about 1%.
Almost the same results were observed with "--rawip", whose packets the firewall treated as TCP. If the data
size was not set (left at the default), there were hundreds of warnings in the logs saying "Incorrect TCP
packet length"; this was easy to deal with by again setting the data parameter to some value. Maximum network
utilisation was again around 98.4% with large packets, but there was no need to set a destination port: these
packets did not generate the "Detected unexpected data in protocol" warning.
7.3. IPv6 ICMP router advertisement
With this attack anyone can disable an entire network of Windows devices from one machine generating only a few
packets per second [6]. The idea lies in how IPv6 hosts obtain addresses. In IPv4 a host asks the DHCP server
"I need an IP" and receives one. With IPv6 stateless address autoconfiguration the router is the one that
announces "I am your router, here is a prefix" in a Router Advertisement, and every host on the LAN that
receives it creates an address from that prefix and joins the network. A flood of advertisements carrying
different prefixes therefore makes each host configure an address and a route for every one of them.
To run the attack I used three commands in Backtrack: "cd /usr/local/bin", then "./fake_router6 eth0
def:c0::/64" to advertise the attacker's PC as an IPv6 router, waited a few seconds so that the victim would
notice the new router, and finally started flooding with "flood_router6 eth0". Although this flood utilised the
network only at about 0.5%, within seconds it left my Intel i7 with 8 logical CPUs and 8 GB of RAM almost
completely frozen (which is notable, since the attacker's netbook has only a single-core 1.7 GHz Athlon); I was
not even able to move the mouse. ESET Smart Security 6 did not detect this DoS attack, which I find rather
strange, since the attacker was firing thousands of packets per second (although it takes only about 5 packets
per second to drive the CPU to 100%). Running "ipconfig | more" on the victim afterwards of course listed many
IPv6 addresses. What a good firewall should do against this attack is block rogue Router Advertisements. That
could in turn be attacked by spoofing the source address of the legitimate router, but it would still be better
than nothing; at the very least, detecting a burst of Router Advertisements and dropping some of them would be
a huge improvement. I sent an email to ESET asking whether there is any possibility to detect or protect
against this attack and got a reply within 24 hours, but it did not answer any of my questions.
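The two mitigations proposed above can be sketched in a few dozen lines. The following Python is an added example (not from the report and not ESET's code): it builds and decodes ICMPv6 Router Advertisements with a Prefix Information option as defined in RFC 4861, drops advertisements that do not come from the legitimate router's MAC, and caps the number of distinct autoconfiguration prefixes one source may announce per window, which is what still catches a flood that spoofs the router's MAC. The MAC addresses, the window and the cap are assumptions; the ICMPv6 checksum is left zero because computing it needs the IPv6 pseudo-header, which this example does not model.

```python
# Added example (not from the report, not ESET's code): decode an ICMPv6 Router
# Advertisement (RFC 4861) and apply a host-side RA guard: MAC allow-list plus a
# cap on distinct autoconfiguration prefixes per window.  MAC addresses, window
# and cap are assumptions made for the example.
import ipaddress
import struct
from collections import defaultdict, deque

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
FLAG_AUTONOMOUS = 0x40     # A flag: hosts form an address from this prefix (SLAAC)

def build_ra(prefix, prefix_len=64, router_lifetime=1800):
    """Constructed RA payload: 16-byte ICMPv6 RA header plus one Prefix Information
    option.  Checksum is 0 because it would need the IPv6 pseudo-header."""
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_len}", strict=False)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, router_lifetime, 0, 0)   # hop limit, M/O flags, lifetime, timers
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, prefix_len,
                         0x80 | FLAG_AUTONOMOUS, 2592000, 604800, 0,   # L|A, valid, preferred, reserved
                         net.network_address.packed)
    return header + option

def parse_ra(payload):
    """Return (router_lifetime, [autoconfiguration prefixes]) or raise ValueError."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")     # RFC 4861 4.6: discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, flags, _valid, _pref, _res, raw = struct.unpack("!BBIII16s", payload[off + 2:end])
            if flags & FLAG_AUTONOMOUS and plen <= 128:
                net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(raw)}/{plen}", strict=False)
                prefixes.append(str(net))
        off = end                                       # unknown options are skipped
    return router_lifetime, prefixes

class RaGuard:
    """Host-side RA guard: MAC allow-list plus a distinct-prefix rate cap."""

    def __init__(self, router_mac, max_prefixes=4, window=10.0):
        self.router_mac, self.max_prefixes, self.window = router_mac.lower(), max_prefixes, window
        self.recent = defaultdict(deque)   # src_mac -> deque of (t, prefix)

    def check(self, t, src_mac, payload):
        """Return 'accept' or the reason the RA is dropped."""
        if src_mac.lower() != self.router_mac:
            return "drop: RA from unknown router MAC"
        try:
            _lifetime, prefixes = parse_ra(payload)
        except ValueError as exc:
            return f"drop: malformed RA ({exc})"
        q = self.recent[src_mac.lower()]
        for p in prefixes:
            q.append((t, p))
        while q and t - q[0][0] > self.window:
            q.popleft()
        if len({p for _, p in q}) > self.max_prefixes:
            return "drop: prefix flood"
        return "accept"

ROUTER_MAC, ATTACKER_MAC = "00:11:22:00:00:01", "de:ad:be:ef:01:00"   # constructed

def simulate():
    """Legitimate RA, then a fake_router6-style RA from the attacker's MAC, then a
    flood_router6-style burst of random prefixes that spoofs the router's MAC."""
    guard = RaGuard(ROUTER_MAC)
    results = [guard.check(0.0, ROUTER_MAC, build_ra("2001:db8:1::")),
               guard.check(1.0, ATTACKER_MAC, build_ra("def:c0::"))]
    for i in range(10):
        results.append(guard.check(2.0 + i * 0.01, ROUTER_MAC, build_ra(f"2001:db8:{0x100 + i:x}::")))
    return results

if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

The allow-list alone stops the "def:c0::/64" advertisement from the attacker's own MAC; once the burst spoofs the router's MAC, only the prefix cap fires, after the fourth new prefix inside the window.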
7.4. Two ARP spoofing attacks at once
Another type of DoS attack, this time against the network connection itself, was performed by running ARP
spoofing twice with the IP addresses of the victim and the router swapped. This was done in Backtrack: first
the attacker's machine was put into forwarding mode ("echo 1 > /proc/sys/net/ipv4/ip_forward"), then an
iptables rule was added to intercept HTTP requests ("iptables -t nat -A PREROUTING -p tcp --destination-port 80
-j REDIRECT --to-port 1000"). The victim was convinced to send its traffic to my machine with
"arpspoof -i eth0 -t 192.168.0.101 192.168.0.1". The second arpspoof, which ended in denial of service, was
"arpspoof -i eth0 -t 192.168.0.1 192.168.0.101". This attack was detected as "Detected ARP cache poisoning
attack" and also as "Identical IP addresses detected in network". The network seemed unused (0-0.01%
utilisation), but when trying to connect to the internet Google Chrome returned "Error 105
(net::ERR_NAME_NOT_RESOLVED): Unable to resolve the server's DNS address". The internet connection was thus
entirely disabled. The conclusion is that ESET Smart Security 6 can effectively handle a single ARP spoofing,
but not multiple spoofings that result in DoS: a host firewall can only defend the ARP cache of its own machine,
whereas the second arpspoof poisons the router's cache, which is out of its reach.
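The detection behaviour described in section 6 and above can be modelled with a passive ARP monitor. The following Python is an added example (not ESET's code): it learns the first MAC seen for each IP, refuses to overwrite that binding, and raises the two events the report quotes. The MAC addresses and the ARP reply traces are constructed; the assumption that the network is clean when monitoring starts is what makes "first reply wins" safe.

```python
# Added example (not ESET's code): a passive ARP monitor over constructed ARP
# replies that raises the two events quoted in sections 6 and 7.4.  It learns the
# first binding seen for each IP (assumption: the network is clean when monitoring
# starts) and never lets a later, conflicting reply overwrite it.

ARP_POISON = "Detected ARP cache poisoning attack"
DUP_IP = "Identical IP addresses detected in network"

# Constructed MAC addresses for the three hosts of section 2
ROUTER_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:00:00:01", "00:11:22:00:01:01", "de:ad:be:ef:01:00"
ROUTER_IP, VICTIM_IP, ATTACKER_IP = "192.168.0.1", "192.168.0.101", "192.168.0.100"

class ArpMonitor:
    def __init__(self, my_ip, my_mac):
        self.my_ip = my_ip
        self.bindings = {my_ip: my_mac}   # ip -> trusted MAC; first reply seen wins
        self.events = []                  # (event, sender_ip, sender_mac, target_ip)

    def on_reply(self, sender_ip, sender_mac, target_ip):
        """Process one ARP reply 'sender_ip is-at sender_mac' addressed to target_ip."""
        new = []
        trusted = self.bindings.setdefault(sender_ip, sender_mac)
        if trusted != sender_mac:
            new.append(ARP_POISON)        # someone else claims an IP we already know
            if sender_ip == self.my_ip:
                new.append(DUP_IP)        # ...and that IP is our own
        self.events.extend((e, sender_ip, sender_mac, target_ip) for e in new)
        return new

    def trusted_mac(self, ip):
        """MAC this host keeps using for `ip`, whatever the attacker advertises."""
        return self.bindings.get(ip)

def single_spoof_trace():
    """Section 6 / first arpspoof of 7.4: 'arpspoof -t 192.168.0.101 192.168.0.1'."""
    return [
        (ROUTER_IP, ROUTER_MAC, VICTIM_IP),      # legitimate reply from the router
        (VICTIM_IP, VICTIM_MAC, ROUTER_IP),      # legitimate reply from the victim
        (ROUTER_IP, ATTACKER_MAC, VICTIM_IP),    # attacker claims the router's IP
    ]

def double_spoof_trace():
    """Section 7.4: the second arpspoof, '-t 192.168.0.1 192.168.0.101', also claims
    the victim's own IP (the victim observes the reply on the shared segment)."""
    return single_spoof_trace() + [(VICTIM_IP, ATTACKER_MAC, ROUTER_IP)]

def run(trace, my_ip=VICTIM_IP, my_mac=VICTIM_MAC):
    """Replay a trace through the monitor; returns (set of event names, monitor)."""
    mon = ArpMonitor(my_ip, my_mac)
    for reply in trace:
        mon.on_reply(*reply)
    return {e[0] for e in mon.events}, mon

if __name__ == "__main__":
    for name, trace in (("single spoof", single_spoof_trace()), ("double spoof", double_spoof_trace())):
        events, mon = run(trace)
        print(name, sorted(events), "| router still resolves to", mon.trusted_mac(ROUTER_IP))
```

The single spoof produces only the poisoning event and the victim keeps ROUTER_MAC for 192.168.0.1, which is why traffic is not routed through the attacker. The double spoof additionally triggers the duplicate-IP event, but the monitor still only protects the victim's own table: nothing it does can repair the router's ARP cache, and that is the entry the second arpspoof poisons.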
7.5. Deauthentication attack
Yet another DoS attack that ESET Smart Security 6 does not detect is sending deauthentication frames while the
victim is connected over wireless [7]. In Backtrack I issued "airmon-ng start wlan0", then "airodump-ng mon0" to
discover the BSSID (MAC address) of the access point, my router. Then I simply started flooding
deauthentication frames, either to the entire network to disconnect every computer on it
("aireplay-ng -0 0 -a [BSSID of router] mon0") or to a selected computer (by adding "-c [MAC of victim]").
Neither attack was noticed by ESET Smart Security 6; the only way of noticing it was Windows' inability to stay
connected to the wireless LAN. The attack can also be performed with "mdk3 mon0 d -b blacklist -c 11", where
"blacklist" is a file containing the target's BSSID ("echo [target BSSID] > blacklist") and "11" is the
channel, easily found in the output of "iwlist wlan0 scan". This is expected for a personal firewall:
deauthentication frames are 802.11 management frames handled by the wireless driver below the IP layer, so a
firewall that inspects IP traffic never sees them; the countermeasure is 802.11w Protected Management Frames,
which must be supported by both the access point and the client. I also asked ESET about detecting this type
of attack: they first tried to convince me that it would be detected as ARP spoofing, since they were sure
that ARP spoofing is needed to perform it, but after another email exchange they told me that there is no way
for ESET Smart Security 6 to detect this type of attack.
8. Relevant settings in ESET Smart Security 6
All relevant settings are located under Advanced Setup/Network/Personal Firewall/IDS and advanced options [8].
The user can turn the detection of the various attacks on or off separately (ARP Poisoning, DNS Poisoning,
TCP Port Scanning, UDP Port Scanning), and can enable "Block unsafe address after detection". This option is
useful for end users and is enabled by default. The blocking timer after a successful detection is fixed at
exactly 10 minutes, with no way of changing it.
ESET Smart Security 6, however, lacks any option to set timers or thresholds for the various detections; I did
not find any way to do so. Another disadvantage from my point of view is that the personal firewall's log files
carry no information about the precise type of attack (e.g. for port scanning it shows only TCP or UDP as the
protocol, with no information about which flags were used in the packets, or whether a connection was
established or only a TCP SYN was sent by the attacker). The only fields logged, and always recorded, are Time
(without milliseconds), Event, Source, Target and Protocol, where source and target are in the form
IP_address:port when the protocol is TCP or UDP, and plain IP addresses otherwise. The log can be filtered by
record type (Diagnostic, Informative, Warnings, Errors, Critical); all attacks I performed were classified as
Critical. Some Warning messages were also logged (Incorrect TCP packet length, Suspicious IP packet fragment,
Detected unexpected data in protocol). When I turned on the setting "Log all blocked connections", which is
disabled by default, I was able to observe packets being blocked during port scanning. There were two types of
message indicating that something was blocked, both only Informative. With the default setting of blocking the
unsafe address after detection the message was "Address temporarily blocked by active defense (IDS)"; with
that setting turned off it was "Packet blocked by active defense (IDS)".
The last thing I miss is a dialogue or some information for the user about what can be done, or is being done,
while an attack is detected. I observed that detecting an ARP poisoning attack successfully prevents the
attacker from routing communication through his machine, but the user is told nothing about it. If I were a
user and saw a warning that I am being attacked, I would appreciate the information that there is nothing to be
afraid of, since the attack is successfully countered. Similarly, after detecting port scanning, the warning
could say that the attacker is temporarily blocked (if that setting is in effect). There could also be a simple
"find out more about this type of attack" button pointing to ESET's knowledge base, so that the user can
directly find relevant information about that particular type of attack and whether there is anything to be
afraid of.
9. Email to ESET tech support
After these findings I wrote an email to ESET asking about detection of, and possible protection against, the
IPv6 router advertisement attack, about detection of deauthentication frames, and about the possibility of
setting detection thresholds for other attack types. I got a reply within 24 hours, but it was really
inaccurate. They tried to tell me that all the attacks I asked about are covered by the "IDS and advanced
options" settings, and that since a deauthentication attack first requires successful ARP poisoning, it is
detected when the ARP poisoning is attempted. Another inaccuracy was the claim that TCP flooding is also
detectable. After another email exchange ESET admitted that the deauthentication attack cannot be detected by
their firewall, but did not answer any of my other questions, so I stopped trying to communicate with them.
10. Conclusion
Multiple easy-to-perform attacks exist using widely available (free) software from the Internet. Many of them
are undetectable on systems running ESET Smart Security 6 with default settings. The only attack that I
observed to be truly unsuccessful was the ARP poisoning attack: it was always detected and countered, so
packets were not routed through the attacker. The other attacks were carried out successfully by changing
their parameters. Among the attacks that can be made undetectable are port scanning and various kinds of denial
of service (TCP/UDP/ICMP flooding, the IPv6 router advertisement attack and the deauthentication attack). I
have not tried any other attacks, nor any other firewall from the same or another company, but I think ESET
should improve this personal firewall by including more information about attacks and by adding more types of
attacks that it can detect.
11. Resources
[1] http://www.eset.com/home/whyeset/awards/
[2] http://www.anonoperations.com/bambam
[3] http://sourceforge.net/projects/loic/
[4] http://nmap.org/book/man-port-scanning-techniques.html
[5] http://linux.die.net/man/8/hping3
[6] http://samsclass.info/ipv6/proj/flood-router6a.htm
[7] http://ashwinsaxena.com/blog/technology/deauth-attack-disconnect-computers/
[8] http://kb.eset.com/esetkb/index?page=content&id=SOLN2906&viewlocale=en_US&actp=SEARCH

Assessment Questions and Answers1. What are the diff.docxAssessment Questions and Answers1. What are the diff.docx
Assessment Questions and Answers1. What are the diff.docx
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURES
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
NMap
NMapNMap
NMap
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information Gathering
 
Zmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationsZmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applications
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 

Recently uploaded

Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 

Recently uploaded (20)

Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 

The Nmap manual page, with many examples and explanations, can be found at [4].

4.1. TCP SYN = “-sS”
This default Nmap scan is very quick and stealthy, since it never completes the TCP connection. It is not platform specific, so it works on any platform. It distinguishes open ports (the reply to the SYN probe is SYN/ACK, or a bare SYN), closed ports (an RST is received) and filtered ports (no response is received, or an ICMP unreachable error is received).

4.2. TCP Connect() = “-sT”
This technique is used when the user does not have the privileges to send raw packets: Nmap asks the operating system to establish a full TCP connection with the port on the destination machine. It is a much slower variant than the TCP SYN scan and requires more packets, and with this technique the target machine is more likely to log the connection.

4.3. TCP NULL, FIN, XMAS = “-sN”, “-sF”, “-sX”
These scans rely on a loophole in the TCP RFC to differentiate between open and closed ports. If the system is compliant with the RFC text, a closed port is indicated by an RST returned for any packet that does not contain the SYN, RST or ACK bits. If no response is received, the port is designated open|filtered. If an ICMP unreachable error is received, the port is marked filtered. However, not all operating systems follow RFC 793 to the letter, which results in all ports being labeled as closed. Such systems include those from Microsoft or Cisco, whose response is RST no matter whether the port is open or closed. This scan should, however, work on most UNIX-based systems.

4.4. TCP ACK = “-sA”
This variant differs slightly from all the others because it does not determine whether ports are open or closed; rather, it distinguishes filtered from unfiltered ports. It does so by sending packets with only the ACK bit set. Unfiltered ports respond with an RST packet whether they are open or closed. Ports that return an ICMP unreachable error, or do not reply at all, are marked filtered.

4.5. TCP Window = “-sW”
The Window scan is exactly the same as the TCP ACK scan, but thanks to implementation details of some systems it is also able to distinguish open from closed ports. It does so by examining whether the TCP window size in the reply is zero or positive, because some systems respond with a zero window size if the port is closed and a positive one if the port is open. This type of scan is not trustworthy, however, because only a minority of systems behave this way.

4.6. TCP Maimon = “-sM”
Named after its discoverer, the Maimon scan behaves like the NULL, FIN or XMAS scans. The only difference is that the probe has the FIN/ACK bits set. According to the TCP RFC, an RST packet should be generated in response to such a probe whether the port is open or closed. However, some systems simply drop the packet if the port is open.

4.7. UDP = “-sU”
UDP scanning is much slower than TCP scanning, because probe responses may be lost and many systems (mainly Linux ones) rate-limit ICMP destination unreachable messages to one per second. For the most common ports Nmap sends a protocol-specific payload; for other ports the payload is left empty. If an ICMP port unreachable is received, the port is labeled closed. If other ICMP unreachable errors are received, the port is marked filtered. If a UDP response is generated, the port is designated open. If no response is received, the port is classified as open|filtered.

4.8. SCTP INIT = “-sY”
SCTP is a newer protocol that is an alternative to TCP/UDP. SCTP INIT is the SCTP equivalent of TCP SYN, because it does not establish the full connection. It distinguishes open, closed and filtered ports.

4.9. SCTP COOKIE ECHO = “-sZ”
A more advanced variant of SCTP scanning that is even stealthier than SCTP INIT. The disadvantage is its inability to distinguish open from filtered ports.

4.10. Service/version detection = “-sV”
Nmap is also able to tell what service protocol runs on a selected port (Telnet, SSH, FTP, …), the application name (Apache httpd, Solaris telnetd, …), version number, hostname, type of device (router, printer, …) and OS family (Windows, Linux, …).

5. Port scanning and ESET Smart Security 6
I used the default scanning options (“nmap -[technique] 192.168.0.101”, where “[technique]” was chosen from {-sS, -sT, -sN, -sF, -sX, -sA, -sW, -sM, -sU, -sY, -sZ, -sV}) to discover which scanning techniques are detectable by ESET Smart Security 6. I found that ESET Smart Security 6 successfully detects the following Nmap methods: TCP SYN, TCP Connect(), UDP, and service/version detection. It completely lacks the ability, however, to detect the following scanning methods: TCP ACK, TCP Window, TCP Maimon, TCP NULL, TCP FIN, TCP XMAS, SCTP INIT and SCTP COOKIE-ECHO. Nmap’s default number of scanned ports is 1000; only SCTP scans fewer (52) ports, all of which were scanned.

Next, I tried to observe how many ports can be scanned with all the detected methods without triggering detection. I found that if anyone scans only 8 ports, ESET Smart Security 6 does not detect it at all (but scanning 9 ports is detected!). An example is “nmap -p 190-197 192.168.0.101”. I also discovered that scanning ports in consecutive order (e.g. ascending: 190, 191, 192, 193, 194) as opposed to random order (194, 190, 192, 193, 191) has no effect on detection. Another setting that has no effect on detection is scanning the top ports, so I would recommend everyone use “--top-ports” in any command, since it gives a higher probability of finding open ports.

There is also a way to scan all ports with the techniques that are detectable by ESET Smart Security 6: set either “--max-rate 1” or “--scan-delay 1”. Both options limit scanning to 1 port per second, and neither is detected at all by this firewall. When “--scan-delay” is set to 0.9, or “--max-rate” to 1.1, they are detected, so setting either of them to 1 is the right choice.

Another method of successfully evading scan detection is fragmentation. With the MTU set to 8 or 16, both TCP SYN and service/version detection can be used without limiting the number of scans per second, using a command of the form “nmap -f --mtu 16 -technique 192.168.0.101”, where “-technique” is one of {-sS, -sV} and “--mtu” is one of {8, 16}. Setting the maximum transfer unit higher than 16 causes the port scan to be detected. TCP Connect() and UDP, however, are detected regardless of fragmentation.

The UDP scan has many unique properties that I discovered while testing it. It seems not to have specific default threshold values, but rather some adaptive kind. I tried to approximate the highest possible value of the “--max-rate” parameter and observed the following: when set directly to anything higher than 6, the scan is detected immediately. However, when it is set to 6, then 11, and then incremented by 5 again and again, it is detected only when set to 51. After one successful detection, an undetected scan is again impossible unless the value is set to 6 or lower and the process is started again. I tried incrementing by values other than 5, and the highest possible increment was 9; while incrementing by 9, detection happened at 60. The exact command I used was “nmap -n --top-ports 100 --max-rate 6 -sU 192.168.0.101”. On the other hand, “--scan-delay” set to 0.05 works perfectly and is undetectable, while set to 0.04 it is detected.

6. ARP Spoofing
Using Cain & Abel, I was able to mount an ARP spoofing/poisoning attack. Since it has a nice GUI, I could see that Cain & Abel was unable to launch a successful ARP spoofing attack against the given IP address (no matter the settings in Cain & Abel) while ESET Smart Security 6 was turned on. It was successfully detected as “Detected ARP cache poisoning attack” and countered by not allowing traffic to pass through the attacker. When, however, the firewall was turned off and then turned on during the attack, old and new connections were successfully routed through the attacker. They were detected, yes, but not countered. I have not found any way of making the ARP spoofing attack undetected.

7. Denial of Service
A DoS attack is an attempt to make devices or an entire network unavailable to legitimate users. There is dedicated DoS software created to launch attacks on web servers based on their URL; an example is BamBam [2]. Other programs I found can (also) launch a DoS attack on a computer by typing in its IP address, such as Low Orbit Ion Cannon [3].

7.1. Flooding with Low Orbit Ion Cannon
This tool can target web servers based on their URL, or any computer based on its IP. The user can also set attack options like timeout, HTTP subsite or TCP/UDP message (payload), attacked port, method (TCP, UDP or HTTP), number of threads (how many users it emulates), whether to wait for a reply, and the speed of the attack. I tried all 3 methods; since no web server was running on my victim’s computer, the HTTP attack did nothing. The TCP attack also did nothing to my network. The UDP attack, on the other hand, firing up to 50 000 packets per second, produced about 38% network utilization. I think this number would be even higher if my attacker’s netbook were better equipped (since its CPU was at 100%). ESET Smart Security 6 was unable to detect any of these attacks done by LOIC. When I tried to attack from the victim to the attacker (simply because of the better hardware), I was able to utilize the network to 45% and the CPU of the attacked computer to about 80%. With the option “wait for reply” checked, the network was utilized to 73% and the CPU to 90%. So using this tool, one can attack the network without ESET Smart Security 6 detecting it.

7.2. Flooding with Hping3
Using the tool Hping3 (manual pages can be found at [5]), I was also able to test other flooding attacks. While testing an ICMP flood with the “--flood” option (which means sending packets as fast as possible and ignoring incoming replies), network utilization of the 100 Mb/s connection on the victim’s computer was rather strange (see picture) and did not depend on whether the firewall was on or off. Of course, ESET Smart Security 6 successfully detected that an attack was in progress (“Detected ICMP Flooding attack”). I noticed that when not using the “--flood” option, “hping3 --icmp 192.168.0.101” receives successful responses from the victim. I tried to find the threshold: using a waiting interval between packets of “-i u24650”, there was 0% packet loss and it was not detected (although with network utilization of only 0.03% it is hardly a DoS attack). Anything lower than this bound was detected by the firewall, and it started to drop some packets. For example, with u24000 the attack was detected along with 2% packet loss. The detection threshold is 201 packets: if 202 packets are sent to the victim, ESET Smart Security 6 detects an attack in progress. These 201 undetected packets can be sent 1 microsecond apart (with “-i u1”). Another way around detection is using “--rand-source”, which is not detected at all, nor is any message logged in the firewall’s logs. Yet another successful way of avoiding detection was setting the data size to some high number (for example “-d 22304”), which also utilized over 98.4% of the network (constantly, not in peaks like the picture showed), and this time without any detection.
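The thresholds measured in section 5 (8 ports pass, 9 are caught; 1 port/s passes, 1.1 ports/s is caught) and in section 7.2 (201 ICMP packets pass, 202 are caught; “-i u24650” passes, “u24000” is caught; “--rand-source” is never caught) are exactly what a sliding-window counter produces. The Python below is an added example, not ESET's code: the window lengths (7.5 s and 4.9 s) are assumptions tuned to reproduce those observations, and the traffic traces are constructed. Keying the same ICMP rule per destination instead of per source shows how a detector would also catch the spoofed-source flood.

```python
# Sliding-window threshold detector, constructed to reproduce the thresholds
# observed in this report. Window lengths are assumptions; ESET's real
# algorithm is unknown.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # unused for icmp


class WindowDetector:
    """Count events per key inside a sliding window of `window` seconds and
    alert once the count exceeds `threshold`. After an alert the key is
    blocked for `block_seconds` (the report observed a fixed 10-minute
    block) and produces no further alerts while blocked."""

    def __init__(self, window, threshold, block_seconds=600.0):
        self.window = window
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.events = defaultdict(deque)   # key -> deque of (time, value)
        self.blocked_until = {}

    def observe(self, key, t, value=None):
        """Record one event; return True if it triggers an alert for key.
        With value=None raw packets are counted; otherwise distinct values
        (e.g. destination ports) are counted, as a port-scan rule needs."""
        if self.blocked_until.get(key, -1.0) > t:
            return False                      # already alerted and blocked
        q = self.events[key]
        q.append((t, value))
        while q and q[0][0] < t - self.window:  # expire events outside window
            q.popleft()
        count = len(q) if value is None else len({v for _, v in q})
        if count > self.threshold:
            self.blocked_until[key] = t + self.block_seconds
            q.clear()
            return True
        return False


def run(detector, packets, key_fn, value_fn=lambda p: None):
    """Feed packets through detector; return [(time, key)] for each alert."""
    alerts = []
    for p in packets:
        if detector.observe(key_fn(p), p.t, value_fn(p)):
            alerts.append((p.t, key_fn(p)))
    return alerts


# --- constructed traffic traces mirroring the experiments in the report ---
ATTACKER, VICTIM = "192.168.0.100", "192.168.0.101"


def tcp_scan(ports, interval):
    """SYN probes from the attacker, one port every `interval` seconds."""
    return [Packet(i * interval, ATTACKER, VICTIM, "tcp", port)
            for i, port in enumerate(ports)]


def icmp_flood(count, interval, rand_source=False):
    """ICMP echo requests; rand_source mimics hping3's --rand-source."""
    pkts = []
    for i in range(count):
        src = ATTACKER
        if rand_source:   # a fresh (constructed) source address per packet
            src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.append(Packet(i * interval, src, VICTIM, "icmp"))
    return pkts


def portscan_alerts(ports, interval):
    """Port-scan rule: more than 8 distinct ports from one source within 7.5 s
    (assumed window) reproduces '8 pass, 9 caught' and '1/s passes, 1.1/s caught'."""
    det = WindowDetector(window=7.5, threshold=8)
    return run(det, tcp_scan(ports, interval),
               key_fn=lambda p: p.src, value_fn=lambda p: p.dport)


def icmp_flood_alerts(count, interval, rand_source=False, per_destination=False):
    """ICMP-flood rule: more than 201 packets within 4.9 s (assumed window).
    Keyed per source it reproduces the report, including the --rand-source
    blind spot; keyed per destination the same rule also catches spoofed sources."""
    det = WindowDetector(window=4.9, threshold=201)
    key_fn = (lambda p: p.dst) if per_destination else (lambda p: p.src)
    return run(det, icmp_flood(count, interval, rand_source), key_fn)


if __name__ == "__main__":
    print("8 ports            :", portscan_alerts(range(190, 198), 0.01))
    print("9 ports            :", portscan_alerts(range(190, 199), 0.01))
    print("icmp -i u24650     :", icmp_flood_alerts(300, 0.02465))
    print("icmp -i u24000     :", icmp_flood_alerts(300, 0.024))
    print("rand-source/src key:", icmp_flood_alerts(500, 1e-6, rand_source=True))
    print("rand-source/dst key:",
          icmp_flood_alerts(500, 1e-6, rand_source=True, per_destination=True))
```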
  • 6. 6/9 When trying to flood victim with UDP flood (“hping3 --udp --flood 192.168.0.101”), victim’s network adapter was utilized to continuous 71.5% and one of 8 CPUs was utilized to about 50%. This attack, however, was not detected by ESET Smart Security 6, but there were hundreds of warning messages in logs saying “Detected unexpected data in protocol”, so this attack can be noticed. This warning messages can also be countered by adding “--destport 80” or other port (I also tried port 89), which makes this attack really undetectable and successful. Like with ICMP flooding, one can add more data bytes to utilize more network, but it also from some reason lowers CPU usage of 1 CPU from 50% to about 1%. Almost the same results were observed by trying “--rawip”, which creates TCP packets. If however data value was not set (left to default setting), there were hundreds of warning messages in logs telling “Incorrect TCP packet length”. This of course was easy to cope with by again setting data parameter to some value. Maximum network utilization was again somewhere around 98.4% when using big data packets, but there was no need to set destination port - TCP packets doesn’t generate “Detected unexpected data in protocol” warning message in logs. 7.3. IPv6 ICMP router advertisement Using this attack, anyone can disable entire network of Windows based devices from 1 device which is generating only few packets per second. The main idea of this attack is in behavior of IPv6. In IPv4, when host/client told router/DHCP server “I need an IP”, he obtained one. IPv6 works in different way: when host connects to network, router is the one who tells “I’m your router, join my network” and host only replies “ok, I will”. Thus, every client on LAN creates an address and joins the network. 
To use this attack, I used 3 commands in Backtrack: “cd /usr/local/bin”, “./fake_router6 eth0 def:c0::/64” to advertise attacker’s PC as IPv6 router, then I’ve waited few seconds so that victim’s PC would notice new router, and then finally started flooding with “flood_router6 eth0”. Although this type of flood was utilizing network only on about 0.5%, it rendered my Intel i7 with 8 logical CPUs and 8 GB of RAM almost completely frozen in seconds (which is nice since attacker’s netbook is only single-core 1.7GHz Athlon) - I wasn’t even able to move my mouse. ESET Smart Security 6 did not detected this DOS attack, which I find rather strange, since attacker was firing thousands of packet per second (although, it only takes about 5 packets per second to drive CPU to 100%). After issuing command “ipconfig | more” on victim’s computer, there were of course many IPv6 addresses. What good firewall should be able to do with this attack is to block rogue Router Advertisements. Which could be again attacked if traffic had source IP address of legitimate router, but it would still be better than nothing. Or at least, detecting multiple IPv6 router advertisements packets and dropping some of them would be huge improvement. I’ve sent an email to ESET asking whether there is possibility to detect/ protect against this attack and got reply within 24 hours, but they haven’t answered any of my questions.
  • 7. 7/9 7.4. 2 ARP spoofing attacks at once Another type of DOS attack, this time to attack the network connection itself, was done be setting ARP spoofing twice with swapped IP addresses of victim and router. This was done in Backtrack, by first setting attacker’s machine to forwarding mode: “echo 1 > /proc/sys/net/ipv4/ip_forward”. Then, setting up ip table to intercept HTTP requests was done (by command “iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000”). Convincing network it should send their traffic to my machine was done by “arpspoof -i eth0 -t 192.168.0.101 192.168.0.1”. Second arpspoof, which ended in Denial of Service was “arpspoof -i eth0 -t 192.168.0.1 192.168.0.101”. This attack was detected as “Detected ARP cache poisoning attack” and also “Identical IP addresses detected in network”. Network seemed unused (0-0.01% of utilization), but when trying to connect to internet, Google Chrome returned “Error 105 (net::ERR_NAME_NOT_RESOLVED): Unable to resolve the server's DNS address”. Internet connection was thus entirely disabled. The conclusion is that ESET Smart Security 6 can effectively handle one ARP spoofing, but not multiple spoofings that result in DOS. 7.5. deAuthentication attack Yet another DOS attack that isn’t detected by ESET Smart Security 6 is sending deAuthentication packets, when victim is connected via wireless. While in Backtrack, I issued “airmon-ng start wlan0”, then “airodump-ng mon0” to discover access point’s (my router’s) BSSID/MAC address. When this was done, I simply started flooding deAuthentication packets to either entire network to disconnect all computers on it (“aireplay-ng -0 0 -a [BSSID of router] mon0”) or just selected computer (“-c [MAC of victim]” was added). Neither one of these attack has been noticed by ESET Smart Security 6. The only way of noticing it was the inability of Windows to connect to wireless LAN. 
The deAuthentication attack can also be done with the “mdk3” command: “mdk3 mon0 d -b blacklist -c 11”, where “blacklist” is a file with the BSSID of the station (“echo [target BSSID] > blacklist”) and “11” is the channel, which is easily found in the output of “iwlist wlan0 scan”. I’ve also asked the ESET company about detecting this type of attack - they first tried to convince me that this attack will be detected as ARP spoofing, since they were pretty sure that ARP spoofing is needed to perform this type of attack, but after another email exchange they told me there is no way in ESET Smart Security 6 to detect this type of attack.

8. Relevant settings in ESET Smart Security 6

All relevant settings are located in Advanced Setup/Network/Personal Firewall/IDS and advanced options. The user can turn on/off the detection of various attacks separately (ARP Poisoning, DNS Poisoning, TCP Port Scanning, UDP Port Scanning), with the ability to “Block unsafe address after detection”. This is a useful option for end users, and it is enabled by default. The threshold of this blocking timer after successfully detecting an attack is set to exactly 10 minutes, without any way of changing it.
However, ESET Smart Security 6 lacks any option to set timers for the various detections. I didn’t find that anything like this was possible. Another disadvantage from my point of view is that in the Log files of the personal firewall there isn’t any information about the precise type of attack (e.g. when the attack is Port Scanning, it displays only TCP or UDP as the protocol, but no information about which flags were used in the packet, or whether a connection was successfully established or only a TCP SYN packet was sent by the attacker). The only things logged and always recorded are: Time (without milliseconds), Event, Source, Target and Protocol; where both source and target addresses are in IP_address:port form (when the protocol is TCP or UDP; otherwise only IP addresses are shown). One can filter the log by record type (Diagnostic, Informative, Warnings, Errors, Critical), where all attacks I did were designated as Critical. Some Warning messages were also logged (Incorrect TCP packet length, Suspicious IP packet fragment, Detected unexpected data in protocol). When I turned on the setting “Log all blocked connections”, which is disabled by default, I was able to observe packets being blocked during port scanning. There were 2 types of logged messages that something is blocked, but both were only Informative. The first one was with the default setting of blocking the unsafe address after detection: “Address temporarily blocked by active defense (IDS)”. The second one was when this setting was turned off: “Packet blocked by active defense (IDS)”. The last thing I’m missing is some dialogue or information to the user about what can be/is being done while an attack is detected. I observed that detecting an ARP poisoning attack successfully prevents the attacker from routing communication through him, but there is no information about it. If I were a user and saw this warning that I’m being attacked, I could use some information that there is nothing to be afraid of, since this attack is successfully countered.
Or after detecting port scanning, just add some information that the attacker is temporarily blocked (if this setting is in effect). Also, there could be a simple button “find out more about this type of attack” pointing to ESET’s knowledge base, so the user can directly find relevant information about that particular type of attack and whether he should be afraid of something or not.
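The field list above (Time, Event, Source, Target, Protocol, with Source/Target as IP:port only for TCP/UDP) is enough to post-process an exported log and pull out what the user interface does not show, for instance how many blocked packets a detection produced and when the fixed 10-minute block from section 8 will lapse. The Python below is an added example, not ESET’s code and not from the report; the tab-separated layout, the record-type column, the date format and the sample lines are constructed for the demo (only the event names quoted in the report are reused), and the function names are hypothetical.

```python
"""Parse and summarise ESET Smart Security 6 personal-firewall log records.

Added example, not ESET's code and not from the report. The column layout
(Time, Type, Event, Source, Target, Protocol, tab-separated) and the sample
lines are constructed; a real export may differ.
"""
from datetime import datetime, timedelta

BLOCK_DURATION = timedelta(minutes=10)   # fixed block timer described in section 8
BLOCK_EVENT = "Address temporarily blocked by active defense (IDS)"
TIME_FORMAT = "%d.%m.%Y %H:%M:%S"        # assumed format, chosen to match the report's dates


def split_endpoint(field, protocol):
    """Return (ip, port); port is None when the protocol carries no port."""
    if protocol in ("TCP", "UDP") and ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_line(line):
    """Parse one constructed record into a dict with the endpoints split up."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    time_s, rec_type, event, source, target, protocol = parts
    src_ip, src_port = split_endpoint(source, protocol)
    dst_ip, dst_port = split_endpoint(target, protocol)
    return {
        "time": datetime.strptime(time_s, TIME_FORMAT),
        "type": rec_type,
        "event": event,
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "protocol": protocol,
    }


def summarize(lines):
    """Count records per (type, event, source IP) and compute when IDS blocks expire.

    Returns (counts, block_expiry); block_expiry maps a blocked source IP to the
    latest block start plus BLOCK_DURATION.
    """
    counts = {}
    block_expiry = {}
    for rec in map(parse_line, lines):
        key = (rec["type"], rec["event"], rec["src_ip"])
        counts[key] = counts.get(key, 0) + 1
        if rec["event"] == BLOCK_EVENT:
            expiry = rec["time"] + BLOCK_DURATION
            block_expiry[rec["src_ip"]] = max(block_expiry.get(rec["src_ip"], expiry), expiry)
    return counts, block_expiry


# Constructed sample log using the lab addresses and the event names quoted in the report.
SAMPLE_LOG = [
    "08.05.2013 14:02:11\tInformative\tPacket blocked by active defense (IDS)\t192.168.0.100:44123\t192.168.0.101:445\tTCP",
    "08.05.2013 14:02:11\tInformative\tAddress temporarily blocked by active defense (IDS)\t192.168.0.100:44124\t192.168.0.101:139\tTCP",
    "08.05.2013 14:02:12\tInformative\tAddress temporarily blocked by active defense (IDS)\t192.168.0.100:44125\t192.168.0.101:135\tTCP",
    "08.05.2013 14:05:40\tCritical\tDetected ARP cache poisoning attack\t192.168.0.100\t192.168.0.101\tARP",
    "08.05.2013 14:05:41\tCritical\tIdentical IP addresses detected in network\t192.168.0.100\t192.168.0.101\tARP",
    "08.05.2013 14:06:02\tWarning\tSuspicious IP packet fragment\t192.168.0.100\t192.168.0.101\tICMP",
]

if __name__ == "__main__":
    counts, expiry = summarize(SAMPLE_LOG)
    for (rec_type, event, src), n in sorted(counts.items()):
        print(f"{rec_type:12} {n:3}  {event}  from {src}")
    for src, until in expiry.items():
        print(f"{src} blocked until {until:%H:%M:%S}")
```

Grouping by source IP is what turns the flat log into the per-attacker view the report misses: the two Informative block records and the Critical ARP records above all collapse onto 192.168.0.100, and the computed expiry makes the otherwise invisible 10-minute block visible to the user.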
9. Email to ESET tech support

After these findings, I tried to write an email to ESET, asking them about detection of / possible protection against the IPv6 router advertisement attack, detection of deAuthentication packets, and the possibility of setting thresholds of detection for other attack types. I got a reply within 24 hours, but it was really inaccurate. They tried to tell me that all the attacks I asked about are detected within the “IDS and advanced options” settings; and that since the deAuthentication attack first needs successful ARP poisoning to be done, it is detected when trying the ARP poisoning attack. Another inaccuracy they told me was that TCP flooding is also detectable. After another email exchange with ESET they admitted that the deAuthentication attack isn’t detectable by their firewall, but didn’t answer any of my other questions, so I stopped trying to communicate with them.

10. Conclusion

There exist multiple easily doable attacks from widely available (free) software on the Internet. Many of them are undetectable on systems with ESET Smart Security 6 with default settings. The only truly unsuccessful attack that I observed and could not successfully do was the ARP poisoning attack - it was always detected and countered, so packets weren’t routed through the attacker. Other attacks were successfully done by changing the parameters of the attacks. Among those attacks that can be made undetectable are port scanning and different kinds of Denial of Service attacks (TCP/UDP/ICMP flooding, the IPv6 router advertisement attack, and the deAuthentication attack). I haven’t tried any other attacks, nor any other firewall from the same or a different company, but I think ESET should make this personal firewall better by including more information about attacks and adding more types of attacks that can be detected.

11. Resources

[1] http://www.eset.com/home/whyeset/awards/
[2] http://www.anonoperations.com/bambam
[3] http://sourceforge.net/projects/loic/
[4] http://nmap.org/book/man-port-scanning-techniques.html
[5] http://linux.die.net/man/8/hping3
[6] http://samsclass.info/ipv6/proj/flood-router6a.htm
[7] http://ashwinsaxena.com/blog/technology/deauth-attack-disconnect-computers/
[8] http://kb.eset.com/esetkb/index?page=content&id=SOLN2906&viewlocale=en_US&actp=SEARCH