Tech 581W Computer Network Operations, Laboratory 1: Team 5

Abstract

In this lab we review the pros and cons of penetration testing, methods and tools used in penetration testing, and the creation of lab environments for performing penetration testing.  One method of penetration testing is a technological, tool-based approach for attacking various points in a system that corresponds to the OSI seven layer model.  In addition to the original seven layers, we examine an additional two layers, people and kinetics.  We create a matrix that gives examples of tools that could be used for attacks and which OSI layer they correspond to along with the McCumber Cube coordinates that the tool would impact.

Literature Review

The primary focus of the literature in Lab 1 is the creation of various laboratory environments to support penetration testing and an attack-based security strategy.  Some of the papers also focus on the benefits of using an attack-based strategy vs. a defensive strategy.   These two topics are most certainly connected and a good starting point for our TECH581W class as acceptance of an attack-based strategy for security training is assumed.

The first paper in this set to talk about the benefits of using ethical hacking services and penetration testing is (Gula, 1999)which, though it is a vendor whitepaper, has many interesting points about items that are often overlooked in penetration testing.  The publisher, Enterasys, does business in the field of penetration testing so that needs to be taken into consideration when reviewing the contents of the paper.  The author doesn’t do as well of a job selling penetration testing as he does pointing out what is often missed in them, assumedly to show that his company’s service is superior.  There is no quantitative research given to show that the list of items given are often missed by penetration testers, simply, that they “normally go untested as considered by the author (Gula, 1999, p. 6).”  The history of penetration testing along with a good argument on its necessity based on the amount of risk an organization is willing to tolerate from electronic intruders is discussed in (Coffin, 2003).  The author shows a very simple example of what a penetration test may cost vs. down time for an electronic commerce site.  Of special note is the author’s inclusion of the limitations of penetration testing and ethical hacking.  Just because a site may not be compromised by the testers does not necessarily mean that it is secure, just that the particular tester did not find any vulnerabilities at that point in time with their specific skill set.  In (Arce & McGraw, 2004), the authors discuss the various aspects of attack-based penetration testing and acknowledge that “the majority opinion is that the only way to properly defend a system against attack is to understand what attacks look like as deeply and realistically as possible (p.17).”  The authors acknowledge the prevalence of the buffer overflow attack and discuss new, more advanced methods of buffer overflow attacks.  Also important to a red team in a penetration test is documentation of the methods employed and their results.  In (Ray, Vemuri, & Kantubhukta, 2005) the authors describe a method of using XML code to make their attacks reusable for other engagements.  This not only creates a standardized form of documenting what was done but allows for easier sharing of the information with other testers in the organization.

The one paper in this first group of readings that detailed weaknesses in penetration analysis was (Du & Mathur, 1998, p. 2).  The authors suggest that penetration testing requires one to know about flaws that might exist already in the system which can significantly affect the validity of the test, and this is certainly something that cannot be overlooked.  As mentioned in (Coffin, 2003), an unsuccessful penetration test does not mean that the system is completely secure.  Du & Mathur (1998) introduce the idea of fault injection into systems.  This method of testing attempts to cause the system to fail by injecting faults and bad data.  The authors present a model for identifying areas that would be good for testing and a methodology for analyzing results.  Fault injection complemented by penetration testing would yield optimal results but would require separate teams of experts for each part.
The bulk of the readings in Lab 1 discuss the creation of lab environments and curricula to facilitate training security practitioners in the field of penetration testing.

(Holland-Minkley, 2006; Micco & Rossman, 2002; Mink & Freiling, 2006) all discuss teaching attack-based security classes and the necessity of having a lab for testing.   While (Micco & Rossman, 2002) was primarily concerned with detailing issues that may arise when running a cyberwarfare class, the other two papers were concerned with the “success” of the class which they based on empirical evidence gathered from students.  Another topic raised in these papers regarding the curricula was getting permission from the institutions to run a class that could train potential attackers of their networks.  One important thing stressed in the classes was ethics and responsibility surrounding the knowledge gained through the class.  In (Mink & Freiling, 2006) the basis of the article goes over should student learn about attacking systems and what can be learned from it. It also discusses is defense more important than attacking. Upon reading the paper they also created a method to measure the results of this type of learning but it strays away from what the tile of the paper is. When they say “is attacking better than defense” it is thought that the method would measure the benefits and disadvantages between attacking and defense. As with security and usability it would not be possible to have one without the other and it all depends on the circumstances the professional is in where the importance of one may take over the other.

Due to the nature of penetration testing, many of the tools used can be harmful to normal operation of systems.  Because of that, when teaching ethical hacking classes, lab environments need to be designed so that they do not impact the rest of the organization’s systems or even the Internet at large.  The course instructors in (Micco & Rossman, 2002) designed a lab that was cut off completely from the rest of the school’s network and only had an Internet connection through a modem with a special agreement with the internet service provider.  In the DETER testbed, the organizers designed a system that was accessible remotely to multiple users that could handle running simultaneous, isolated tests

(Benzel et al., 2006, p. 2).  Another method of providing an isolated environment for the purpose of penetration testing is virtualization.  In (Heien, Massengale, & Wu, 2008, p. 76) the authors utilize Qemu to create a virtualized environment with multiple clients and subnets all without the need for any additional hardware.  VMWare was evaluated in (Micco & Rossman, 2002, p. 24) but the authors thought it would be of little benefit.  They chose Linux because it was free over NT being “much more expensive.” creating a homogenous testbed which at the time probably only represented a very small fraction of the operating system market.  The authors do concede that a heterogeneous network would have been much more realistic.  Our lab environment for this class will consist of an isolated network between hosts running in VMWare.  This will allow us to maximize department resources and run multiple virtual hosts simultaneously without interrupting the other teams.

Lab Exercise

In addition to creating our lab environment, we were also tasked with creating an attack matrix based on a 9 layer OSI model combined with the McCumber Cube (McCumber, 1991).  By examining the layers of the OSI model we are able to identify attack tools that could exploit a system at each of those levels.   By adding the McCumber Cube coordinates it adds an additional layer of visibility in to what areas an organization may need to focus its efforts on.  We examined tool suites such as Backtrack combined with Internet search engines and our personal knowledge to compile the list.

OSI Layer

Tools

McCumber Cube Coordinate

People/8 Ancestry.com, Careerbuilder, Dropbox, Dice.com, Facebook, Monster.com, Myspace, Twitter, Spy Confidentiality, Storage, People
Saboteur Integrity, Storage, People
Application/7 Absinthe, Checkpwd, Cisco Auditing Tool, Cisco Global Exploiter, Dig,Dnstracer, Dnsmap, Finger Google, Fuzzer, GFI LanGuard, Hydra, JBroFuzz, John the Ripper, Lodowep, Maltego, Medusa, Metagoofil, Metasploit, Metoscan, Mibble MIB Broswe, Mistress, Nessus, Nikto, Nmbscan, Oracle Auditing Tools, PBNJ, Peach, PStoreView, RevHosts, RPCDump, Sidguess, SMTP-Vrfy, SQLbrute, Sqldict, Subdomainer, VNC_bypauth, whoami, WyD, Confidentiality, Storage, Technology
Achilles, Dmitry, Halberd, Httprint, Mezcal, Relay Scanner, TFTP-Brute, VNCrack, Confidentiality, Transmission, TechnT
XSpy Confidentiality, Processing, Technology
Sqlupload, Tini, Zodiac Integrity, Storage, Technology
Pirana, Wapiti Integrity, Transmission, Technology
Barrier Integrity, Processing, Technology
Dnswalk Availability, Storage, Technology
Bed, Cisco Torch Availability, Transmission, Technology
Presentation/6 OpenSSL-Scanner Confidentiality, Storage, Technology
Squirtle Integrity, Processing, Technology
Session /5 Fierce, Mbenum,  PcapSipDump, PcapToSip_RTP,  SIPcrack SIPDump, SIPp, SIPSak Confidentiality, Transmission, Technology
FPort Integrity, Processing, Technology
CIRT Fuzzer, ICMPTX, Juggernaut, NSTX Availability, Transmission, Technology
Network/3 Afrag, Airbase-ng, Aircrack-ng, Airdecap-ng, Airodump-ng, Airmon-ng, Airplay-ng, Airpwn, airoscript, AirSnarf, Angry IP Scanner, ASLeap, Autonomous System Scanner, Autoscan,Cheops-ng, EtterCap, Fping, IKE-Scan, IKEProbe, itrace, Mailsnarf, Netdiscover, Netenum, Netmask, Nmap, PHoss, Ping, Protos, PSK-Crack, Psyche, ScanLine, Wireshark Confidentiality, Transmission, Technology
IRDP Responder Integrity, Transmission, Technology
Data Link/2 Bluesnarfer, BTcrack, BTscanner, Redfang Confidentiality, Transmission, Technology
Bluebugger, Blueprint, Bluesmash, Cain & Abel, Carwhisperer, File2Cable, Gobbler, HCIDump, MacChanger, MDK3, Minicom,  ObexFTP, SMAC, Smap, Ussp-Push, Wellenreiter, Wicrawl, WifiTap, WifiZoo Integrity, Transmission, Technology
Physical/1 Fiber tap, Hardware Keylogger,”Pringles can” antenna, TEMPEST, Wiretapping Confidentiality, Transmission, Technology
Kinetic/0 Arson, Nuclear Bomb, Ship Anchor, Shovel Availability, Transmission, Technology
EMP Availability, Processing,Technology
Dumpster Diving Confidentiality, Storage, Process
Lock Pick Confidentiality, Storage, Technology

Findings

Since the original seven layer OSI model exists inside a computer system, the majority of the tools identified fall in the technology area of the McCumber cube rather than people or process.  Any interaction which requires cognition and action on the part of the user would move into the people or processing area of the McCumber cube.  Based on this one might see a substantial bias towards a tool-based, technological approach to penetration testing and, while that is certainly an important part of the testing procedure, a majority of the areas to attack are outside of the technology realm and, in many cases, are substantially easier to attack.  If this matrix were presented to a customer, it should be noted by the testers that it’s only an aid in seeing where these technological tools affect their organization, not a breakdown of the threats and vulnerabilities they may be exposed to.

Issues

Many of the tools found in the list from Backtrack could fall in to multiple categories so we took the approach of placing the tool where we felt it was best suited for impacting confidentiality, integrity, or availability.  Essentially, where we felt the tool would do the most damage.  One of the most difficult placements was Wireshark since this tool can operate at layers 1 through 7.  We felt that by placing it at layer 3 we would be able to monitor a vast majority of network traffic since most is IP based and use that common factor for working up the stack when necessary.  Another issue encountered was a misunderstanding of the amount of tools to be listed in the threat matrix.  This was noted by the instructor before submission and required a rebuild of the original table.

Conclusions

This lab was a serious mental exercise that stretched our thinking patterns on how we view tools.  By placing such a wide variety of tools into a matrix we saw patterns develop at different layers of the OSI model.  We saw a heavy focus on tools that affected confidentiality and data storage in the application layer while we saw tools affecting confidentiality and data in transmission in layers 3 and 4.  These findings would be useful when developing a plan for penetration testing by showing where to concentrate efforts and what tools to use when attacking the various layers of an organization’s security.

Works Cited

Arce, I., & McGraw, G. (2004). Guest Editors’ Introduction: Why Attacking Systems Is a Good Idea. Security & Privacy, IEEE, 2(4), 17-19.

Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A., Sklower, K., et al. (2006). Experience with DETER: A Testbed for Security Research. Paper presented at the Proceedings of the 2nd IEEE Conference on Testbeds and Research Infrastructures for Development of Networks and Communities.

Coffin, B. (2003). It Takes a Thief: Ethical Hackers Test Your Defenses. Risk Management Magazine, 50, 10-14.

Du, W., & Mathur, A. (1998). Vulnerability Testing of Software System Using Fault Injection. Purdue University.

Gula, R. (1999). Broadening the Scope of Penetration-Testing Techniques: Enterasys Networks.

Heien, C., Massengale, R., & Wu, N. (2008). Building a Network Testbed for Internet Security Research. Paper presented at the Sixth Annual Consortium for Computing Sciences in Colleges Mid-South Conference.

Holland-Minkley, A. M. (2006). Cyberattacks: A Lab-based Introduction to Computer Security. Paper presented at the Proceedings of the 7th Conference on Information Technology Education.

McCumber, J. R. (1991, October, 1991). Information Systems Security: A Comprehensive Model. Paper presented at the 14th National Computer Security Conference.

Micco, M., & Rossman, H. (2002). Building a Cyberwar Lab: Lessons Learned: Teaching Cybersecurity Principles to Undergraduates. Paper presented at the Proceedings of the 33rd SIGCSE Technical Symposium on Computer Science Education.

Mink, M., & Freiling, F. C. (2006). Is Attack Better than Defense?: Teaching Information Security the Right Way. Paper presented at the Proceedings of the 3rd Annual Conference on Information Security Curriculum Development.

Ray, H. T., Vemuri, R., & Kantubhukta, H. R. (2005). Toward an Automated Attack Model for Red Teams. Security & Privacy, IEEE, 3(4), 18-25.

Links

Layer 8

Ancestry.com –http://www.ancestry.com

Careerbuilder.com – http://www.careerbuilder.com/

Dice.com – http://www.dice.com

Dropbox – http://www.getdropbox.com

Facebook – http://facebook.com

Myspace – http://www.myspace.com/

Monster – http://www.monster.com/

Twitter – http://twitter.com

Layer 7

Absinthe – http://www.0x90.org/releases/absinthe/docs/basicusage.php

Achilles – http://www.mavensecurity.com/achilles

Barrier – http://www.erratasec.com

Bed – http://snake-basket.de/bed.html

Checkpwd – http://www.red-database-security.com/software/checkpwd.html

Cisco Auditing Tool – http://www.infosecpro.com/penetrationtest/p73.htm

Cisco Global Exploiter – http://www.vulnerabilityassessment.co.uk/cge.htm

Cisco Torch – http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

Dig – http://linux.about.com/od/commands/l/blcmdl1_dig.htm

Dmitry – http://www.mor-pah.net/

Dnstracer – http://www.mavetju.org/unix/dnstracer.php

Dnswalk – http://sourceforge.net/projects/dnswalk/

Dnsmap – http://unknown.pentester.googlepages.com/

Finger Google – http://unknown.pentester.googlepages.com/

Fuzzer – http://www.securiteam.com/tools/5TP012AHFU.html

GFI LanGuard – http://www.gfi.com/lannetscan/

Halberd – http://halberd.superadditive.com/

Httprint – http://net-square.com/httprint/

Hydra – http://www.thc.org/

JBroFuzz – http://www.owasp.org/index.php/Category:OWASP_JBroFuzz

John the Ripper – http://www.openwall.com/john/

Lodowep – http://www.cqure.net/wp/?page_id=17

Maltego – http://www.paterva.com/maltego/

Medusa – http://www.darknet.org.uk/2006/05/medusa-password-cracker-version-11-now-available-for-download/

Metagoofil – http://www.edge-security.com/metagoofil.php

Metasploit – http://www.metasploit.com/

Metoscan – http://www.securiteam.com/tools/5CP0O20IAK.html

Mezcal – http://0x90.org/releases/mezcal/

Mibble MIB Browser – http://www.mibble.org/

Mistress – http://packetstormsecurity.org/fuzzer/mistress.rar

Nessus – http://www.nessus.org

Nikto – http://www.cirt.net/code/nikto.shtml

Nmbscan – http://nmbscan.gbarbier.org/

Oracle Auditing Tools – http://www.cqure.net/wp/?page_id=2

PBNJ – http://pbnj.sf.net/

Peach – http://peachfuzz.sourceforge.net/

Pirana – http://www.guay-leroux.com/projects/SMTP%20content%20filters.pdf

PStoreView – http://www.ntsecurity.nu/toolbox/pstoreview/

Relay Scanner – http://www.cirt.dk/

RevHosts – http://www.revhosts.net/

RPC Dump – http://www.cultdeadcow.com/tools/rpcdump.php

Sidguess – http://www.red-database-security.com/whitepaper/oracle_guess_sid.html

SMTP-Vrfy – http://jeremy.kister.net/code/perl/vrfy.pl

SQLbrute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html

sqldict – http://www.vulnerabilityassessment.co.uk/sqlat.htm

sqlupload – http://www.vulnerabilityassessment.co.uk/sqlat.htm

Subdomainer – http://www.edge-security.com/subdomainer.php

Tini – http://www.ntsecurity.nu/toolbox/tini/

VNC_bypauth – http://www.securityfocus.com/bid/17978/exploit

VNCrack – http://phenoelit-us.org/vncrack/docu.html

Wapiti – http://wapiti.sourceforge.net

whoami – http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

WyD – http://www.remote-exploit.org/codes_wyd.html

Yersinia – http://www.yersinia.net/

XSpy – http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html

Zodiac – http://www.packetfactory.net/zodiac/

Layer 6

OpenSSL-Scanner – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656

Squirtle – http://code.google.com/p/squirtle

Layer 5

Fierce – http://ha.ckers.org/fierce/

Marathon – http://www.codeplex.com/marathontool

Mbenum – http://www.cqure.net/wp/mbenum/

PSTools – http://technet.microsoft.com/en-us/sysinternals/default.aspx

SIPcrack – http://www.remote-exploit.org/codes_sipcrack.html

SIPDump – http://www.remote-exploit.org/codes_sipcrack.html

SIPp – http://freshmeat.net/redir/sipp/49242/url_homepage/sipp.sourceforge.net

SIPSak – http://sipsak.org/

Smap – http://www.wormulon.net/smap/

Layer 4

0trace – http://lcamtuf.coredump.cx

Amap – http://www.thc.org/thc-amap/

CIRT Fuzzer – https://www.buslab.org/index.php/content/view/45743/2/

CryptCat – http://cryptcat.sourceforge.net/

Driftnet – http://www.ex-parrot.com/~chris/driftnet/

Dsniff – http://monkey.org/~dugsong/dsniff/

Etherape – http://etherape.sourceforge.net/

Firewalk – http://www.packetfactory.net/projects/firewalk/

FPort – http://www.foundstone.com/us/resources/proddesc/fport.htm

Hping – http://www.hping.org/

Hping2 – http://sourceforge.net/projects/hping2/

Hping3 – http://gd.tuwien.ac.at/www.hping.org/hping3.html

ICMPTX – http://thomer.com/icmptx/

Iodine – http://code.kryo.se/iodine/

InTrace – http://www.swiecki.net/

Juggernaut – http://www.securiteam.com/tools/2NUQBSAQ0C.html

Matahari – http://matahari.sourceforge.net/

Netcat – http://netcat.sourceforge.net/

P0f – http://lcamtuf.coredump.cx/p0f.shtml

Privoxy – http://www.privoxy.org/

ProxyTunnel – http://proxytunnel.sourceforge.net/

Taof – http://sourceforge.net/projects/taof

TcPick – http://tcpick.sourceforge.net/

TCPtraceroute – http://michael.toren.net/code/tcptraceroute/

TCtrace – http://phenoelit-us.org/irpas/docu.html#tctrace

Scanrand – http://www.secureworks.com/research/articles/scanrand

SinFP – http://sourceforge.net/projects/sinfp/

Spike – http://www.immunitysec.com/resources-freesoftware.shtml

SuperScan – http://www.foundstone.com/us/resources/proddesc/superscan.htm

UnicornScan – http://www.unicornscan.org/

XProbe2 – http://xprobe.sourceforge.net/

Layer 3

Afrag – http://homepages.tu-darmstadt.de/~p_larbig/wlan/

Aircrack-ng – http://www.aircrack-ng.org/

Airdecap-ng –  http://www.aircrack-ng.org/doku.php?id=airdecap-ng

Airplay-ng – http://www.aircrack-ng.org/doku.php?id=aireplay-ng

Airmon-ng – http://www.aircrack-ng.org/doku.php?id=airmon-ng

Airpwn – http://airpwn.sourceforge.net/

AirSnarf – http://airsnarf.shmoo.com/

Angry IP Scanner – http://www.angryziber.com/w/Home

ASLeap – http://asleap.sourceforge.net/

Autonomous System Scanner – http://phenoelit-us.org/irpas/docu.html#ass

Autoscan – http://autoscan.free.fr/

Cheops-ng – http://cheops-ng.sourceforge.net/

Ethereal – http://www.ethereal.com/

Ettercap – http://ettercap.sourceforge.net/

Fping – http://www.fping.com/

itrace – http://phenoelit-us.org/irpas/docu.html#itrace

IKE-Scan – http://www.nta-monitor.com/tools/ike-scan/

IKEProbe – http://www.securityfocus.com/infocus/1821

IRDP Responder – http://phenoelit-us.org/irpas/docu.html#irdpresponder

Mailsnarf – http://www.irongeek.com/i.php?page=backtrack-3-man/mailsnarf

Netdiscover – http://nixgeneration.com/~jaime/netdiscover/

Netenum – http://phenoelit-us.org/irpas/docu.html#netenum

Netmask – http://phenoelit-us.org/irpas/docu.html#netmask

Nmap – http://www.insecure.org/nmap

PHoss – http://phenoelit-us.org/phoss/docu.html

Ping – http://www.hmug.org/man/8/ping.php

Protos – http://phenoelit-us.org/irpas/docu.html#protos

PSK-Crack – http://www.nta-monitor.com/tools/ike-scan/

Psyche – http://psyche.pontetec.com/

ScanLine – http://www.foundstone.com/us/resources/proddesc/scanline.htm

Wireshark – http://wireshark.org/

Layer 2

BlueBugger – http://www.remote-exploit.org/codes_bluebugger.html

Blueprint – http://trifinite.org/trifinite_stuff_blueprinting.html

Bluesmash – http://sourceforge.net/projects/bluesmash/

Bluesnarfer – http://www.alighieri.org/project.html

Btcrack – http://www.nruns.com/_en/security_tools_btcrack.php

Btscanner – http://www.pentest.co.uk/

Cain & Abel – http://www.oxid.it/cain.html

Carwhisperer – http://trifinite.org/trifinite_stuff_carwhisperer.html

File2Cable – http://phenoelit-us.org/irpas/docu.html#file2cable

Gobbler – http://gobbler.sourceforge.net/

HCIDUMP – http://www.linuxcommand.org/man_pages/hcidump8.html

MacChanger – http://alobbs.com/macchanger/

MDK3 – http://homepages.tu-darmstadt.de/~p_larbig/wlan/

Minicom – http://alioth.debian.org/projects/minicom/

ObexFTP – http://triq.net/obexftp.html

PcapSipDump – http://sourceforge.net/projects/psipdump

PcapToSip_RTP – http://wiki.cdyne.com/wiki/index.php?title=PCAP_To_SIP_and_RTP

Redfang –  http://www.net-security.org/software.php?id=519

Ussp-Push – http://www.xmailserver.org/ussp-push.html

Wellenreiter – http://www.wellenreiter.net/

Wicrawl – http://midnightresearch.com/projects/wicrawl

Wifi Tap – http://sid.rstack.org/index.php/Wifitap_EN

WifiZoo – http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz

12 comments for “Tech 581W Computer Network Operations, Laboratory 1: Team 5

Leave a Reply