SlideShare une entreprise Scribd logo

Defending Your Network

Télécharger en tant que PPT, PDF
Adam Getchell
Adam Getchell
Technologie
1  sur  36
Defending Your Network Adam Getchell College of Agricultural & Environmental Sciences Deans’ Office ACGetchell@ucdavis.edu IT Security Symposium June 22-24, 2005
© 2005 Adam Getchell Goals of this class (ambitious) • Discuss network detection, honeypots, IDS, and tarpits • Inspect network traffic patterns using Etherape • Build and configure a working honeypot using HOACD • Build and configure a working IDS using OpenIDS • Build and configure a working SMTP gateway using MailDroid
© 2005 Adam Getchell All of these tools are based on
© 2005 Adam Getchell What is OpenBSD? • The OpenBSD project was started by Theo de Raadt – http://www.openbsd.org • The most secure general-purpose operating system – 1 remote hole found in 8 years • Source code audited to proactively fix security bugs since 1996 – Bugs fixed for correctness, e.g., replace strcpy(), strcat(), and sprintf() with strlcpy(), strlcat(), and snprintf() • Clean system design doesn’t require a Unix guru to run a locked- down system – All configuration files stored in /etc – All devices in /dev – All logs stored in /var/log – Newsyslog automatically rotates logfiles – All unnecessary services turned off by default • Clean ports/packages system for installing software – Important for this class!
© 2005 Adam Getchell What is OpenBSD? Part 2 Security integrated throughout the operating system: • Buffer overflow protection with ProPolice compiler (non-exec stack via canaries, avoid pointer corruption via reordering) • W^X memory page protection on some architectures (non-exec heap) • Most services run in privilege separated (PrivSep) mode (including X Window server and xconsole, Apache, sendmail) • Systrace – system call policy filter (executable sandbox) • Daily insecurity report mailed to root – Uses mtree, directory hierarchy mapping program that checks permissions and checksums • Privilege separation for a large number of services – httpd – ftpd – tcpdump – afsd – mopd – pppoe – rbootd – dhcrelay – dhclient – dhcpd – tftpd – pflogd – bgpd – syslogd – X-Windows
© 2005 Adam Getchell What is OpenBSD ? Part 3 • Integrated cryptography throughout • Kerberos (IV, V) • Integrates OpenSSH, a free replacement for insecure utilities ftp, telnet, r* • IPSEC • Blowfish • Hardware crypto-acceleration cards • One-time passwords • New releases occur approximately every 6 months, in June and December • Man pages are useful, up to date, and worth reading • Easily upgraded from source via CVS, CVSup, or patching (e.g. tepatche, http://www.gwolf.cx/soft/tepatche/) – -current branch incorporates latest and greatest – -stable branch includes all known bug fixes and vulnerability patches • Offers binary emulation of other operating systems (Linux, HP-UX, FreeBSD, Solaris, BSD/OS) • Can run on flash memory and USB devices (e.g., OpenSoekris, OpenBrick)
© 2005 Adam Getchell OpenBSD Resources OpenBSD website: • http://www.openbsd.org OpenBSD man pages: • http://www.openbsd.org/cgi-bin/man.cgi Insecure at UC Davis • http://insecure.ucdavis.edu Absolute OpenBSD, by Michael Lucas, ISBN 1- 886411-99-9 Secure Architectures with OpenBSD, by Brandon Palmer and Jose Nazario, ISBN 03-21193-66-0
© 2005 Adam Getchell nmap # pkg_add –v ftp://ftp5.usa.openbsd.org/pub/OpenBSD/ 3.7/packages/i386/nmap-3.81.tgz # sudo nmap –v <target> Many, many options – still one of the best portscanners around For more details, see Matt Bishop’s “Advanced UNIX Security” presentation
© 2005 Adam Getchell Network Detection with EtherApe
© 2005 Adam Getchell EtherApe hints • Run etherape –n as root (or use sudo) • Use IP mode and select the correct interface • Double-click on nodes for detailed information • Edit preferences to change persistence, color, filtering, etc. • Use /etc/ethers to define MAC address-name relationships (especially for routers) • To resolve MAC addresses into IP addresses (and hence names via DNS), do: # ping <somehost> # arp –a • http://etherape.sourceforge.net/
© 2005 Adam Getchell What is a honeypot? • Lance Spitzner, “Open Source Honeypots: Learning with Honeyd” – http://www.securityfocus.com/infocus/1659 • “A honeypot is a security resource whose value lies in being probed, attacked, or compromised. The key point with this definition is honeypots are not limited to solving only one problem, they have a number of different applications. To better understand the value of honeypots, we can break them down into two different categories: production and research. Production honeypots are used to protect your network, they directly help secure your organization. Research honeypots are different; they are used to collect information. That information can then be used for a variety of purposes, such as early warning and prediction, intelligence gathering, or law enforcement.”
© 2005 Adam Getchell HOACD=Honeyd + OpenBSD + Arpd on CD • Bootable CD which uses CD as OS and hard drive as log and config file source • Install mode sets up disk, normal mode initializes Honeyd • Uses Arpd to conduct ARP spoofing in order to direct traffic for IP addresses to Honeyd • Honeyd is quite powerful – we’ll barely scratch the surface of its capabilities
© 2005 Adam Getchell Honeyd Written by Niels Provos (a NetBSD/OpenBSD developer), Honeyd is incredibly powerful: http://www.honeyd.org/index.php 1. Can simulate large network topologies with one host (tested to 65536) 2. Can simulate an entire LAN, including latency, loss, and bandwidth 3. Can simulate multiple entry routers with asymmetric routing 4. Can simultate GRE tunneling for distributed networks 5. Can assume personality of multiple operating systems using nmap or xprobe fingerprints or p0f rules 6. Subsystem Virtualization -- simulate multiple services (web, ftp, CISCO router login) using scripts 7. Tarpit keyword causes Honeyd to slow TCP connections and act like a Tarpit (c.f. LaBrea) 8. Dynamic Templates – can change networking behavior based on source address, operating system, or time
© 2005 Adam Getchell Honeyd Live Statistics http://www.honeyd.org/live.php
© 2005 Adam Getchell HOACD Hints • Select n when it asks if you want to erase the disk (or your install will take a long time!) • /dev/wd0a, 10M should be / • /dev/wd0b, 2xRAM should be swap • /dev/wd0d, 10M should be /etc • Make /dev/wd0e, 100M for /dev • Make /dev/wd0f, 64M for /tmp • Make /dev/wd0g, rest for /var • Arpd will snag all IP addresses you give it using ARP spoofing, so: – don’t overlap with (physical) lab machines! – don’t overlap with other virtual machines! • Use a strong root password • Setup normal user for remote SSH (remote root disabled) • Default setup spoofs Windows XP SP1 -- Checkout /var/honeyd/conf/honeyd.conf for details
© 2005 Adam Getchell Testing HOACD • Reboot into normal mode • Have someone ping or nmap you • For nice output, try: # cd /var/honeyd/honeydsum-v0.3 # ./honeydsum.pl –c honeydsum.conf ../log/honeyd.log.<use tab completion> | less • honeydsum.pl generates web pages using -w
© 2005 Adam Getchell Troubleshooting • Read http://www.honeynet.org.br/tools/hoacd/R EADME-1.1 carefully • You can sometimes confuse people (like Network Operations) or yourself as to what machine is where • If you’re not careful about which addresses you capture, you could tarpit your own legitimate traffic! (port 9100, 135, 445 are common)
© 2005 Adam Getchell Extra Credit: Pretty website statistics • We want to see the results • Enable Apache on OpenBSD # vi /etc/rc.conf.local Add httpd_flags=“” (or “-DSSL” after reading man ssl(8)) • We want accurate time for our charts Add ntpd_flags=“” You should now see httpd as a network daemon Whip up cronjob to copy results into /var/www
© 2005 Adam Getchell Extra Credit: More neat things to do • If you’re ambitious, you can attempt to simulate a network using: – http://www.paladion.net/papers/simulating_networks_wi th_honeyd.pdf – http://www.honeyd.org/config/honeyd.conf.bloat • Check out the Honeyd challenge: – http://www.citi.umich.edu/u/provos/honeyd/ch01- results/ • Honeycomb (Generate Snort signatures from attackers) • RandomNet (Random honeyd hosts generator, written in Java, with GUI)
© 2005 Adam Getchell Honeyd Resources Honeyd website: • http://www.honeyd.org/index.php Honeynet.BR website • http://www.honeynet.org.br/ HOACD • http://www.honeynet.org.br/tools/ Lance Spitzner, “Open Source Honeypots: Learning with Honeyd” – http://www.securityfocus.com/infocus/1659 Simulating Networks with Honeyd – http://www.paladion.net/papers/simulating_networks_wi th_honeyd.pdf – http://www.honeyd.org/config/honeyd.conf.networks
© 2005 Adam Getchell Intrusion Detection Systems
© 2005 Adam Getchell OpenIDS • OpenBSD 3.5 – Operating system – Sets up password for SSL website – Sets up password to exchange SSH keys for sensors • Snort – Intrusion Detection system • BASE – Web interface for Snort alerts • Snortalog – Reporting tool for Snort alerts • Mysql – Database to log alerts • Oinkmaster – Download latest Snort signatures • Pigsentry – Realtime analysis of Snort alerts
© 2005 Adam Getchell Snort Snort is another powerful open-source IDS originally by Marty Roesch, who has since turned it into Sourcefire, a commercial offering 1. Real-time traffic and protocol analysis 2. Rules-based language, with updates (can also write your own) 3. Notification mechanism 4. Modular architecture (e.g. BASE) See http://www.snort.org/docs/snort_htmanuals/ht manual_233/node16.html
© 2005 Adam Getchell OpenIDS Demonstration https://169.237.124.31/index.htm
© 2005 Adam Getchell OpenIDS hints • Two interfaces needed: a public one for reporting, a stealth interface for sniffing • Start off with standalone installation • htaccess sets password protected access to web interface • Two letter country code et. al for self-signed SSL • Challenge password for SSH tunnels • Y to enable RSS support • N for firewall modules • Q to quit extra applications • K for root ksh, then Q to continue • N to enable routing • Y to reboot
© 2005 Adam Getchell Testing OpenIDS • Login as root • Have someone ping or nmap you • Goto https://<your IP address> – Enter your htaccess username/password – Look at BASE, Symon, etc • Ensure that snort and mysqld are running
© 2005 Adam Getchell Extra Credit: Additional Sensors • Try doing a sensor installation of another machine hooked up to central station, see Appendix: – http://www.prowling.nu/OpenIDS %20Installation%20and %20configuration%20guide%201.0.pdf • Try firewall log installation with Hatchet, pfw
© 2005 Adam Getchell OpenIDS Resources OpenIDS web site • http://www.prowling.nu/ • http://www.prowling.nu/OpenIDS%20Installation %20and%20configuration%20guide%201.0.pdf OpenIDS mirror • http://openids.openbsdservers.com/ Snort web site • http://www.snort.org/ • http://www.snort.org/docs/snort_htmanuals/htma nual_233/node16.html
© 2005 Adam Getchell I hate spam! • After one week of vacation, my ucdavis.edu account had: – 208 good e-mail messages – 3555 pieces of spam
© 2005 Adam Getchell MailDroid • OpenBSD 3.7 • Sendmail 8.13.3 (chrooted) – Standard OpenBSD patched sendmail • smtp-vilter 1.1.9 (chrooted) – Connect milters to filter incoming mail • spamassassin 3.0.2 • Cyrus-sasl 2.1.20 – SASL2 authentication daemon to use with sendmail • Clamav 0.85.1 (chrooted) – Open source anti-virus milter • Squirrelmail 1.4.4 – SSL web mail front-end using internal IMAP server • Spamd – E-mail tarpit to trap spammers, now with greylisting • Pop3s – TLS based POP • Pf – Integrated with firewall ruleset • Chrooted Apache, named, PHP4.3.10
© 2005 Adam Getchell spamd • Fake sendmail-like daemon which rejects false mail by returning error code 450 (default) or 550 for Blacklisted hosts (known bad) • Very efficient – doesn’t slow receiving machine • Greylisted hosts get innocuous 451 Temporary Failure • If they retry later, they get Whitelisted • If they try to deliver another message, they get Blacklisted • Pf can be used to redirect port 25 requests for Whitelisted hosts to real MTA: table <spamd> persist table <spamd-white> persist rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025 rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
© 2005 Adam Getchell MailDroid Hints • Make sure maildroid37.tgz is selected • I prefer to start ntpd by default • No to X Windows • No to com0 console • Select external interface as firewall interface • Webadmin panel password doesn’t do anything (yet) • Halt, remove CD, reboot, login as root, and run ./setup
© 2005 Adam Getchell Troubleshooting MailDroid • Consider making just one large partition to ensure all subdirectories have enough room (don’t do this on production!)
© 2005 Adam Getchell MailDroid Resources MailDroid website • http://www.maildroid.org/download.html Spamd info • http://www.openbsd.org/cgi-bin/man.cgi? query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=h tml Clam AntiVirus • http://www.clamav.net/ SpamAssassin • http://spamassassin.apache.org/ Smtp-vilter • http://freshmeat.net/projects/smtp-vilter/ Cyrus-SASL • http://www.sendmail.org/~ca/email/cyrus/sysadmin.html SquirrelMail • http://www.squirrelmail.org/ Pop3s • http://sharkysoft.com/tutorials/linuxtips/pop3s/
© 2005 Adam Getchell Questions?
Defending Your Network Adam Getchell College of Agricultural & Environmental Sciences Deans’ Office ACGetchell@ucdavis.edu IT Security Symposium June 22-24, 2005

Recommandé

Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationMauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsMauricio Velazco
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 

Recommandé

Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationMauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsMauricio Velazco
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Mauricio Velazco
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019Mauricio Velazco
 
Root via XSS
Root via XSSRoot via XSS
Root via XSSPositive Hack Days
 
Advanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSAdvanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSSasha Goldshtein
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 
VS Debugging Tricks
VS Debugging TricksVS Debugging Tricks
VS Debugging TricksSasha Goldshtein
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Fit 13 penetration test 1
Fit 13 penetration test 1Fit 13 penetration test 1
Fit 13 penetration test 1chephz DJ
 
Bettercap
BettercapBettercap
BettercapRajivarnan (Rajiv)
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisTamas K Lengyel
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
BSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani BenhabilesBSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani BenhabilesShellmates
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Hadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTakHadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTakRam Kishor Tak
 
Big data processing using hadoop poster presentation
Big data processing using hadoop poster presentationBig data processing using hadoop poster presentation
Big data processing using hadoop poster presentationAmrut Patil
 

Contenu connexe

Tendances

Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Mauricio Velazco
 
Advanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSAdvanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSSasha Goldshtein
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Fit 13 penetration test 1
Fit 13 penetration test 1Fit 13 penetration test 1
Fit 13 penetration test 1chephz DJ
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisTamas K Lengyel
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
BSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani BenhabilesBSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani BenhabilesShellmates
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 

Tendances (20)

Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Advanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOSAdvanced Debugging with WinDbg and SOS
Advanced Debugging with WinDbg and SOS
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
VS Debugging Tricks
VS Debugging TricksVS Debugging Tricks
VS Debugging Tricks
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Audit
AuditAudit
Audit
 
Fit 13 penetration test 1
Fit 13 penetration test 1Fit 13 penetration test 1
Fit 13 penetration test 1
 
Bettercap
BettercapBettercap
Bettercap
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
BSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani BenhabilesBSides Algiers - Nmap Scripting Engine - Hani Benhabiles
BSides Algiers - Nmap Scripting Engine - Hani Benhabiles
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 

Similaire à Defending Your Network

Hadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTakHadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTakRam Kishor Tak
 
Big data processing using hadoop poster presentation
Big data processing using hadoop poster presentationBig data processing using hadoop poster presentation
Big data processing using hadoop poster presentationAmrut Patil
 
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)Ron Munitz
 
CoreOS automated MySQL Cluster Failover using Galera Cluster
CoreOS automated MySQL Cluster Failover using Galera ClusterCoreOS automated MySQL Cluster Failover using Galera Cluster
CoreOS automated MySQL Cluster Failover using Galera ClusterYazz Atlas
 
Hadoop Everywhere & Cloudbreak
Hadoop Everywhere & CloudbreakHadoop Everywhere & Cloudbreak
Hadoop Everywhere & CloudbreakSean Roberts
 
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...Hortonworks
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacksJuan Espin
 
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting WalkthroughABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting WalkthroughBenjamin Zores
 
Red Hat for IBM System z IBM Enterprise2014 Las Vegas
Red Hat for IBM System z IBM Enterprise2014 Las Vegas Red Hat for IBM System z IBM Enterprise2014 Las Vegas
Red Hat for IBM System z IBM Enterprise2014 Las Vegas Filipe Miranda
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red HatShawn Wells
 
Deployment of WebObjects applications on CentOS Linux
Deployment of WebObjects applications on CentOS LinuxDeployment of WebObjects applications on CentOS Linux
Deployment of WebObjects applications on CentOS LinuxWO Community
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012Philip Polstra
 
Kubernetes - Hosted OSG Services
Kubernetes - Hosted OSG ServicesKubernetes - Hosted OSG Services
Kubernetes - Hosted OSG ServicesIgor Sfiligoi
 
Big data with hadoop Setup on Ubuntu 12.04
Big data with hadoop Setup on Ubuntu 12.04Big data with hadoop Setup on Ubuntu 12.04
Big data with hadoop Setup on Ubuntu 12.04Mandakini Kumari
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 

Similaire à Defending Your Network (20)

Hadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTakHadoop-Automation-Tool_RamkishorTak
Hadoop-Automation-Tool_RamkishorTak
 
Big data processing using hadoop poster presentation
Big data processing using hadoop poster presentationBig data processing using hadoop poster presentation
Big data processing using hadoop poster presentation
 
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
 
CoreOS automated MySQL Cluster Failover using Galera Cluster
CoreOS automated MySQL Cluster Failover using Galera ClusterCoreOS automated MySQL Cluster Failover using Galera Cluster
CoreOS automated MySQL Cluster Failover using Galera Cluster
 
Hadoop Everywhere & Cloudbreak
Hadoop Everywhere & CloudbreakHadoop Everywhere & Cloudbreak
Hadoop Everywhere & Cloudbreak
 
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...
Hortonworks Technical Workshop: HDP everywhere - cloud considerations using...
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Exp-3.pptx
Exp-3.pptxExp-3.pptx
Exp-3.pptx
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacks
 
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting WalkthroughABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
 
Aci dp
Aci dpAci dp
Aci dp
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Red Hat for IBM System z IBM Enterprise2014 Las Vegas
Red Hat for IBM System z IBM Enterprise2014 Las Vegas Red Hat for IBM System z IBM Enterprise2014 Las Vegas
Red Hat for IBM System z IBM Enterprise2014 Las Vegas
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Deployment of WebObjects applications on CentOS Linux
Deployment of WebObjects applications on CentOS LinuxDeployment of WebObjects applications on CentOS Linux
Deployment of WebObjects applications on CentOS Linux
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
 
Kubernetes - Hosted OSG Services
Kubernetes - Hosted OSG ServicesKubernetes - Hosted OSG Services
Kubernetes - Hosted OSG Services
 
Big data with hadoop Setup on Ubuntu 12.04
Big data with hadoop Setup on Ubuntu 12.04Big data with hadoop Setup on Ubuntu 12.04
Big data with hadoop Setup on Ubuntu 12.04
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 

Plus de Adam Getchell

PCI Compliance in the Cloud: A working example
PCI Compliance in the Cloud: A working examplePCI Compliance in the Cloud: A working example
PCI Compliance in the Cloud: A working exampleAdam Getchell
 
April 2015 APS presentation
April 2015 APS presentationApril 2015 APS presentation
April 2015 APS presentationAdam Getchell
 
Cloud Applications at UC Davis
Cloud Applications at UC DavisCloud Applications at UC Davis
Cloud Applications at UC DavisAdam Getchell
 
Background independent quantum gravity
Background independent quantum gravityBackground independent quantum gravity
Background independent quantum gravityAdam Getchell
 
Agent based modeling-presentation
Agent based modeling-presentationAgent based modeling-presentation
Agent based modeling-presentationAdam Getchell
 
Newtonian limit in cdt
Newtonian limit in cdtNewtonian limit in cdt
Newtonian limit in cdtAdam Getchell
 
UC Davis Active Directory Unified Communications Design Whitepaper
UC Davis Active Directory Unified Communications Design WhitepaperUC Davis Active Directory Unified Communications Design Whitepaper
UC Davis Active Directory Unified Communications Design WhitepaperAdam Getchell
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAdam Getchell
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net ProgrammingAdam Getchell
 
An Overview Of Python With Functional Programming
An Overview Of Python With Functional ProgrammingAn Overview Of Python With Functional Programming
An Overview Of Python With Functional ProgrammingAdam Getchell
 

Plus de Adam Getchell (11)

PCI Compliance in the Cloud: A working example
PCI Compliance in the Cloud: A working examplePCI Compliance in the Cloud: A working example
PCI Compliance in the Cloud: A working example
 
April 2015 APS presentation
April 2015 APS presentationApril 2015 APS presentation
April 2015 APS presentation
 
Cloud Applications at UC Davis
Cloud Applications at UC DavisCloud Applications at UC Davis
Cloud Applications at UC Davis
 
Background independent quantum gravity
Background independent quantum gravityBackground independent quantum gravity
Background independent quantum gravity
 
Agent based modeling-presentation
Agent based modeling-presentationAgent based modeling-presentation
Agent based modeling-presentation
 
Newtonian limit in cdt
Newtonian limit in cdtNewtonian limit in cdt
Newtonian limit in cdt
 
UC Davis Active Directory Unified Communications Design Whitepaper
UC Davis Active Directory Unified Communications Design WhitepaperUC Davis Active Directory Unified Communications Design Whitepaper
UC Davis Active Directory Unified Communications Design Whitepaper
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development Management
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net Programming
 
An Overview Of Python With Functional Programming
An Overview Of Python With Functional ProgrammingAn Overview Of Python With Functional Programming
An Overview Of Python With Functional Programming
 
Quantum Gravity
Quantum GravityQuantum Gravity
Quantum Gravity
 

Dernier

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Dernier (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Defending Your Network

  • 1. Defending Your Network Adam Getchell College of Agricultural & Environmental Sciences Deans’ Office ACGetchell@ucdavis.edu IT Security Symposium June 22-24, 2005
  • 2. © 2005 Adam Getchell Goals of this class (ambitious) • Discuss network detection, honeypots, IDS, and tarpits • Inspect network traffic patterns using Etherape • Build and configure a working honeypot using HOACD • Build and configure a working IDS using OpenIDS • Build and configure a working SMTP gateway using MailDroid
  • 3. © 2005 Adam Getchell All of these tools are based on
  • 4. © 2005 Adam Getchell What is OpenBSD? • The OpenBSD project was started by Theo de Raadt – http://www.openbsd.org • The most secure general-purpose operating system – 1 remote hole found in 8 years • Source code audited to proactively fix security bugs since 1996 – Bugs fixed for correctness, e.g., replace strcpy(), strcat(), and sprintf() with strlcpy(), strlcat(), and snprintf() • Clean system design doesn’t require a Unix guru to run a locked- down system – All configuration files stored in /etc – All devices in /dev – All logs stored in /var/log – Newsyslog automatically rotates logfiles – All unnecessary services turned off by default • Clean ports/packages system for installing software – Important for this class!
  • 5. © 2005 Adam Getchell What is OpenBSD? Part 2 Security integrated throughout the operating system: • Buffer overflow protection with ProPolice compiler (non-exec stack via canaries, avoid pointer corruption via reordering) • W^X memory page protection on some architectures (non-exec heap) • Most services run in privilege separated (PrivSep) mode (including X Window server and xconsole, Apache, sendmail) • Systrace – system call policy filter (executable sandbox) • Daily insecurity report mailed to root – Uses mtree, directory hierarchy mapping program that checks permissions and checksums • Privilege separation for a large number of services – httpd – ftpd – tcpdump – afsd – mopd – pppoe – rbootd – dhcrelay – dhclient – dhcpd – tftpd – pflogd – bgpd – syslogd – X-Windows
  • 6. © 2005 Adam Getchell What is OpenBSD ? Part 3 • Integrated cryptography throughout • Kerberos (IV, V) • Integrates OpenSSH, a free replacement for insecure utilities ftp, telnet, r* • IPSEC • Blowfish • Hardware crypto-acceleration cards • One-time passwords • New releases occur approximately every 6 months, in June and December • Man pages are useful, up to date, and worth reading • Easily upgraded from source via CVS, CVSup, or patching (e.g. tepatche, http://www.gwolf.cx/soft/tepatche/) – -current branch incorporates latest and greatest – -stable branch includes all known bug fixes and vulnerability patches • Offers binary emulation of other operating systems (Linux, HP-UX, FreeBSD, Solaris, BSD/OS) • Can run on flash memory and USB devices (e.g., OpenSoekris, OpenBrick)
  • 7. © 2005 Adam Getchell OpenBSD Resources OpenBSD website: • http://www.openbsd.org OpenBSD man pages: • http://www.openbsd.org/cgi-bin/man.cgi Insecure at UC Davis • http://insecure.ucdavis.edu Absolute OpenBSD, by Michael Lucas, ISBN 1- 886411-99-9 Secure Architectures with OpenBSD, by Brandon Palmer and Jose Nazario, ISBN 03-21193-66-0
  • 8. © 2005 Adam Getchell nmap # pkg_add –v ftp://ftp5.usa.openbsd.org/pub/OpenBSD/ 3.7/packages/i386/nmap-3.81.tgz # sudo nmap –v <target> Many, many options – still one of the best portscanners around For more details, see Matt Bishop’s “Advanced UNIX Security” presentation
  • 9. © 2005 Adam Getchell Network Detection with EtherApe
  • 10. © 2005 Adam Getchell EtherApe hints • Run etherape –n as root (or use sudo) • Use IP mode and select the correct interface • Double-click on nodes for detailed information • Edit preferences to change persistence, color, filtering, etc. • Use /etc/ethers to define MAC address-name relationships (especially for routers) • To resolve MAC addresses into IP addresses (and hence names via DNS), do: # ping <somehost> # arp –a • http://etherape.sourceforge.net/
  • 11. © 2005 Adam Getchell What is a honeypot? • Lance Spitzner, “Open Source Honeypots: Learning with Honeyd” – http://www.securityfocus.com/infocus/1659 • “A honeypot is a security resource whose value lies in being probed, attacked, or compromised. The key point with this definition is honeypots are not limited to solving only one problem, they have a number of different applications. To better understand the value of honeypots, we can break them down into two different categories: production and research. Production honeypots are used to protect your network, they directly help secure your organization. Research honeypots are different; they are used to collect information. That information can then be used for a variety of purposes, such as early warning and prediction, intelligence gathering, or law enforcement.”
  • 12. © 2005 Adam Getchell HOACD=Honeyd + OpenBSD + Arpd on CD • Bootable CD which uses CD as OS and hard drive as log and config file source • Install mode sets up disk, normal mode initializes Honeyd • Uses Arpd to conduct ARP spoofing in order to direct traffic for IP addresses to Honeyd • Honeyd is quite powerful – we’ll barely scratch the surface of its capabilities
  • 13. © 2005 Adam Getchell Honeyd Written by Niels Provos (a NetBSD/OpenBSD developer), Honeyd is incredibly powerful: http://www.honeyd.org/index.php 1. Can simulate large network topologies with one host (tested to 65536) 2. Can simulate an entire LAN, including latency, loss, and bandwidth 3. Can simulate multiple entry routers with asymmetric routing 4. Can simultate GRE tunneling for distributed networks 5. Can assume personality of multiple operating systems using nmap or xprobe fingerprints or p0f rules 6. Subsystem Virtualization -- simulate multiple services (web, ftp, CISCO router login) using scripts 7. Tarpit keyword causes Honeyd to slow TCP connections and act like a Tarpit (c.f. LaBrea) 8. Dynamic Templates – can change networking behavior based on source address, operating system, or time
  • 14. © 2005 Adam Getchell Honeyd Live Statistics http://www.honeyd.org/live.php
  • 15. © 2005 Adam Getchell HOACD Hints • Select n when it asks if you want to erase the disk (or your install will take a long time!) • /dev/wd0a, 10M should be / • /dev/wd0b, 2xRAM should be swap • /dev/wd0d, 10M should be /etc • Make /dev/wd0e, 100M for /dev • Make /dev/wd0f, 64M for /tmp • Make /dev/wd0g, rest for /var • Arpd will snag all IP addresses you give it using ARP spoofing, so: – don’t overlap with (physical) lab machines! – don’t overlap with other virtual machines! • Use a strong root password • Setup normal user for remote SSH (remote root disabled) • Default setup spoofs Windows XP SP1 -- Checkout /var/honeyd/conf/honeyd.conf for details
  • 16. © 2005 Adam Getchell Testing HOACD • Reboot into normal mode • Have someone ping or nmap you • For nice output, try: # cd /var/honeyd/honeydsum-v0.3 # ./honeydsum.pl –c honeydsum.conf ../log/honeyd.log.<use tab completion> | less • honeydsum.pl generates web pages using -w
  • 17. © 2005 Adam Getchell Troubleshooting • Read http://www.honeynet.org.br/tools/hoacd/R EADME-1.1 carefully • You can sometimes confuse people (like Network Operations) or yourself as to what machine is where • If you’re not careful about which addresses you capture, you could tarpit your own legitimate traffic! (port 9100, 135, 445 are common)
  • 18. © 2005 Adam Getchell Extra Credit: Pretty website statistics • We want to see the results • Enable Apache on OpenBSD # vi /etc/rc.conf.local Add httpd_flags=“” (or “-DSSL” after reading man ssl(8)) • We want accurate time for our charts Add ntpd_flags=“” You should now see httpd as a network daemon Whip up cronjob to copy results into /var/www
  • 19. © 2005 Adam Getchell Extra Credit: More neat things to do • If you’re ambitious, you can attempt to simulate a network using: – http://www.paladion.net/papers/simulating_networks_wi th_honeyd.pdf – http://www.honeyd.org/config/honeyd.conf.bloat • Check out the Honeyd challenge: – http://www.citi.umich.edu/u/provos/honeyd/ch01- results/ • Honeycomb (Generate Snort signatures from attackers) • RandomNet (Random honeyd hosts generator, written in Java, with GUI)
  • 20. © 2005 Adam Getchell Honeyd Resources Honeyd website: • http://www.honeyd.org/index.php Honeynet.BR website • http://www.honeynet.org.br/ HOACD • http://www.honeynet.org.br/tools/ Lance Spitzner, “Open Source Honeypots: Learning with Honeyd” – http://www.securityfocus.com/infocus/1659 Simulating Networks with Honeyd – http://www.paladion.net/papers/simulating_networks_wi th_honeyd.pdf – http://www.honeyd.org/config/honeyd.conf.networks
  • 21. © 2005 Adam Getchell Intrusion Detection Systems
  • 22. © 2005 Adam Getchell OpenIDS • OpenBSD 3.5 – Operating system – Sets up password for SSL website – Sets up password to exchange SSH keys for sensors • Snort – Intrusion Detection system • BASE – Web interface for Snort alerts • Snortalog – Reporting tool for Snort alerts • Mysql – Database to log alerts • Oinkmaster – Download latest Snort signatures • Pigsentry – Realtime analysis of Snort alerts
  • 23. © 2005 Adam Getchell Snort Snort is another powerful open-source IDS originally by Marty Roesch, who has since turned it into Sourcefire, a commercial offering 1. Real-time traffic and protocol analysis 2. Rules-based language, with updates (can also write your own) 3. Notification mechanism 4. Modular architecture (e.g. BASE) See http://www.snort.org/docs/snort_htmanuals/ht manual_233/node16.html
  • 24. © 2005 Adam Getchell OpenIDS Demonstration https://169.237.124.31/index.htm
  • 25. © 2005 Adam Getchell OpenIDS hints • Two interfaces needed: a public one for reporting, a stealth interface for sniffing • Start off with standalone installation • htaccess sets password protected access to web interface • Two letter country code et. al for self-signed SSL • Challenge password for SSH tunnels • Y to enable RSS support • N for firewall modules • Q to quit extra applications • K for root ksh, then Q to continue • N to enable routing • Y to reboot
  • 26. © 2005 Adam Getchell Testing OpenIDS • Login as root • Have someone ping or nmap you • Goto https://<your IP address> – Enter your htaccess username/password – Look at BASE, Symon, etc • Ensure that snort and mysqld are running
  • 27. © 2005 Adam Getchell Extra Credit: Additional Sensors • Try doing a sensor installation of another machine hooked up to central station, see Appendix: – http://www.prowling.nu/OpenIDS %20Installation%20and %20configuration%20guide%201.0.pdf • Try firewall log installation with Hatchet, pfw
  • 28. © 2005 Adam Getchell OpenIDS Resources OpenIDS web site • http://www.prowling.nu/ • http://www.prowling.nu/OpenIDS%20Installation %20and%20configuration%20guide%201.0.pdf OpenIDS mirror • http://openids.openbsdservers.com/ Snort web site • http://www.snort.org/ • http://www.snort.org/docs/snort_htmanuals/htma nual_233/node16.html
  • 29. © 2005 Adam Getchell I hate spam! • After one week of vacation, my ucdavis.edu account had: – 208 good e-mail messages – 3555 pieces of spam
  • 30. © 2005 Adam Getchell MailDroid • OpenBSD 3.7 • Sendmail 8.13.3 (chrooted) – Standard OpenBSD patched sendmail • smtp-vilter 1.1.9 (chrooted) – Connect milters to filter incoming mail • spamassassin 3.0.2 • Cyrus-sasl 2.1.20 – SASL2 authentication daemon to use with sendmail • Clamav 0.85.1 (chrooted) – Open source anti-virus milter • Squirrelmail 1.4.4 – SSL web mail front-end using internal IMAP server • Spamd – E-mail tarpit to trap spammers, now with greylisting • Pop3s – TLS based POP • Pf – Integrated with firewall ruleset • Chrooted Apache, named, PHP4.3.10
  • 31. © 2005 Adam Getchell spamd • Fake sendmail-like daemon which rejects false mail by returning error code 450 (default) or 550 for Blacklisted hosts (known bad) • Very efficient – doesn’t slow receiving machine • Greylisted hosts get innocuous 451 Temporary Failure • If they retry later, they get Whitelisted • If they try to deliver another message, they get Blacklisted • Pf can be used to redirect port 25 requests for Whitelisted hosts to real MTA: table <spamd> persist table <spamd-white> persist rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025 rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
  • 32. © 2005 Adam Getchell MailDroid Hints • Make sure maildroid37.tgz is selected • I prefer to start ntpd by default • No to X Windows • No to com0 console • Select external interface as firewall interface • Webadmin panel password doesn’t do anything (yet) • Halt, remove CD, reboot, login as root, and run ./setup
  • 33. © 2005 Adam Getchell Troubleshooting MailDroid • Consider making just one large partition to ensure all subdirectories have enough room (don’t do this on production!)
  • 34. © 2005 Adam Getchell MailDroid Resources MailDroid website • http://www.maildroid.org/download.html Spamd info • http://www.openbsd.org/cgi-bin/man.cgi? query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=h tml Clam AntiVirus • http://www.clamav.net/ SpamAssassin • http://spamassassin.apache.org/ Smtp-vilter • http://freshmeat.net/projects/smtp-vilter/ Cyrus-SASL • http://www.sendmail.org/~ca/email/cyrus/sysadmin.html SquirrelMail • http://www.squirrelmail.org/ Pop3s • http://sharkysoft.com/tutorials/linuxtips/pop3s/
  • 36. Defending Your Network Adam Getchell College of Agricultural & Environmental Sciences Deans’ Office ACGetchell@ucdavis.edu IT Security Symposium June 22-24, 2005

Notes de l'éditeur

  1. Blacklist redirected to spamd and stuttered Non-whitelist redirected to spamd but not stuttered