URL: HTTP://crypto.ee.ncku.edu.tw Mail: gbox@crypto.ee.ncku.edu.tw
Outline: Process; Server/Service; Virus; Worm; Hacker Toolkits; Trojan/back door; Malicious code; Exploit code
Process & Service: process (a program run once, scheduled on the CPU), daemon, super daemon, service (Windows)
Process: a process is created by exec and may contain several threads; it owns a PID, a memory context, an environment, a set of file descriptors and a security credential (the uid/gid the kernel checks on each access)
(Unix & Linux) Daemon (server): runs permanently in the background, e.g. web, smtp, ftp, ssh, vnc, etc. Super daemon: one listener (inetd/xinetd) that starts the real service on demand, e.g. ftp, telnet, pop3, etc.
(Unix & Linux) Daemons are started per runlevel: run level 0 (halt), 1 (single user mode), 2, 3, 4, 5 (multi-user modes), 6 (reboot)
(Unix & Linux) Super daemon: inetd, configured in /etc/inetd.conf with port names taken from /etc/services; xinetd, configured in /etc/xinetd.conf and the per-service files under /etc/xinetd.d
(Unix & Linux) Command: ps (System V / BSD syntax): ps -elf (System V), ps aux (BSD); /proc holds one directory per process
(Windows) Programs started at logon: Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; Startup folder under C:\Documents and Settings\All Users\
Services: Windows Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Server ( ) & Service ( )
Web: World Wide Web; Mail: SMTP, POP2/POP3, IMAP; NFS; DNS; Remote Control; SNMP
Windows process manager: Task Manager (Taskmgr). Other tools: PsTools - pslist http://www.sysinternals.com/ntw2k/freeware/pstools.shtml ; Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Process list: System Idle Process (here 95% CPU, i.e. idle time, not a real load). Process status: open Task Manager with ALT + CTRL + DEL
Process status: PsTools - pslist http://www.sysinternals.com/ntw2k/freeware/pstools.shtml ; Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Pstools-pslist
Process Explorer
Unix/Linux process manager. Process status: ps command (ps package), lsof, /proc. ps -elf (System V), ps aux (BSD); /proc/<pid>/cmdline holds the command line
ps command
lsof command
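As an added example (not part of the original slides), the following Python reads the two /proc files that ps -elf draws its columns from, /proc/<pid>/cmdline and /proc/<pid>/status, and picks out the root-owned children of init, which is where the daemons listed earlier normally show up. The helper names are this example's own and the sample file contents are constructed.

```python
"""Read the same /proc files that ps and lsof read (Linux).

Added example, not from the original slides. The helper names are this
example's own; the sample file contents below are constructed."""
import os
from typing import Dict, List

# Constructed sample of /proc/<pid>/cmdline: argv joined by NUL, NUL-terminated.
SAMPLE_CMDLINE = b"/usr/sbin/sshd\x00-D\x00-p\x002222\x00"

# Constructed, abbreviated sample of /proc/<pid>/status ("Key:\tvalue" lines).
SAMPLE_STATUS = (
    "Name:\tsshd\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
)


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the raw cmdline file into argv; an empty file means a kernel thread."""
    if not raw:
        return []
    return [arg.decode("utf-8", "replace") for arg in raw.rstrip(b"\x00").split(b"\x00")]


def parse_status(text: str) -> Dict[str, str]:
    """Turn the status file into a dict of its Key: value lines."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def summarize(cmdline: bytes, status: str) -> Dict[str, object]:
    """The columns ps -elf shows, taken from the two files.

    Uid has four fields (real, effective, saved, filesystem); the effective
    uid is the security credential the kernel checks on each access."""
    fields = parse_status(status)
    argv = parse_cmdline(cmdline)
    uids = fields.get("Uid", "").split()
    state = fields.get("State", "")
    return {
        "pid": int(fields.get("Pid", "0")),
        "ppid": int(fields.get("PPid", "0")),
        "name": fields.get("Name", ""),
        "state": state.split()[0] if state else "",
        "euid": int(uids[1]) if len(uids) > 1 else None,
        "argv": argv,
        "kernel_thread": not argv,
    }


def list_processes(proc: str = "/proc") -> List[Dict[str, object]]:
    """Live listing; returns [] where /proc does not exist, skips PIDs that exit mid-read."""
    result = []
    if not os.path.isdir(proc):
        return result
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmd = f.read()
            with open(f"{proc}/{entry}/status", encoding="utf-8", errors="replace") as f:
                status = f.read()
        except OSError:
            continue
        result.append(summarize(cmd, status))
    return result


def root_daemons(procs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Processes with effective uid 0 whose parent is init (pid 1): the usual daemons."""
    return [p for p in procs if p["euid"] == 0 and p["ppid"] == 1 and not p["kernel_thread"]]


if __name__ == "__main__":
    print(summarize(SAMPLE_CMDLINE, SAMPLE_STATUS))
    for p in root_daemons(list_processes()):
        print(p["pid"], p["name"], " ".join(p["argv"]))
```

Note that cmdline is NUL-separated rather than space-separated, so a naive read would show the arguments run together, and that a process can rewrite its own cmdline; the Name field in status and the /proc/<pid>/exe link are the harder-to-fake sources when hunting a disguised process.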
Ref. http://www.msservermag.com.tw/
Vulnerability: a flaw in a computer or network that allows unauthorized use or unauthorized access; ignorance or errors in programming or configuration that lead to security problems.
Vulnerabilities by phase:
Design phase: weak algorithm; design error
Implementation phase: input validation error; boundary check error; race condition
Operation phase: configuration error
Human nature: weak passwords; unsafe habits; etc.
Weak algorithm, e.g. TCP checksums (detect accidental corruption only, not deliberate modification), etc.
Design error, e.g.: etc.
Input validation error, e.g. SQL Injection
Boundary check error, e.g. Fetchmail: the header parsing function readheaders()
Race condition (concurrent access), e.g. Red Hat LogWatch; Linux 2.2.x ~ 2.4.x kmod.c race condition with ptrace
Configuration error, e.g. web server with a world-writable document directory
Human nature: weak passwords (password equal to the username, 1234, 1111); unsafe habits; etc.
Attack techniques: Brute Force, Resource Exhausting, Buffer Overflow, Format String, TCP Spoofing, TCP Hijacking, etc., and Social Engineering
Brute Force: try every candidate password or key in turn, etc.
Resource Exhausting: SYN Flooding. Host A sends a SYN to Host B; B answers with SYN/ACK and keeps the half-open connection in its cache until the final ACK arrives. A never sends that ACK and keeps sending SYNs (usually from spoofed source addresses), so B's cache fills up and SYNs from legitimate hosts are dropped, etc.
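The following Python models the exhaustion just described and the SYN-cookie defence that removes the cache entirely. It is an added example, not part of the original slides: HalfOpenTable and SynCookieListener are this example's own simplified listeners, and the HMAC-based cookie stands in for a kernel's real cookie construction.

```python
"""Model of the SYN-flood exhaustion described above, plus SYN cookies.

Added example, not from the original slides. HalfOpenTable and
SynCookieListener are this example's own simplified models; the cookie
formula is an HMAC stand-in for the kernel's real construction."""
import hashlib
import hmac
import random
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port) of the SYN's source


class HalfOpenTable:
    """Host B keeps every SYN it answered until the final ACK arrives."""

    def __init__(self, backlog: int, rng: random.Random):
        self.backlog = backlog
        self.rng = rng
        self.pending: Dict[Addr, Tuple[int, int]] = {}  # src -> (client ISN, our ISN)

    def on_syn(self, src: Addr, client_isn: int) -> Optional[int]:
        if len(self.pending) >= self.backlog:
            return None  # cache full: the SYN is dropped, no SYN/ACK goes out
        server_isn = self.rng.randrange(1 << 32)
        self.pending[src] = (client_isn, server_isn)
        return server_isn  # sent back in the SYN/ACK

    def on_ack(self, src: Addr, client_isn: int, ack: int) -> bool:
        entry = self.pending.pop(src, None)
        return entry is not None and entry[0] == client_isn and ack == entry[1] + 1


class SynCookieListener:
    """Host B derives its ISN from the SYN itself and stores nothing."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def cookie(self, src: Addr, client_isn: int) -> int:
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src: Addr, client_isn: int) -> Optional[int]:
        return self.cookie(src, client_isn)  # never refuses, never stores

    def on_ack(self, src: Addr, client_isn: int, ack: int) -> bool:
        # A real stack recovers client_isn from the ACK's SEQ - 1; here it is passed in.
        return ack == self.cookie(src, client_isn) + 1


def legitimate_connect(listener, src: Addr, client_isn: int = 1000) -> bool:
    """A normal three-way handshake: SYN, SYN/ACK, ACK."""
    server_isn = listener.on_syn(src, client_isn)
    if server_isn is None:
        return False  # no SYN/ACK ever came back: refused by exhaustion
    return listener.on_ack(src, client_isn, server_isn + 1)


def syn_flood(listener, count: int, rng: random.Random) -> None:
    """Host A sends SYNs from spoofed sources and never sends the final ACK."""
    for _ in range(count):
        src = (".".join(str(rng.randrange(256)) for _ in range(4)), rng.randrange(1024, 65536))
        listener.on_syn(src, rng.randrange(1 << 32))


if __name__ == "__main__":
    rng = random.Random(1)
    table = HalfOpenTable(backlog=128, rng=rng)
    syn_flood(table, 1000, rng)
    print("stateful listener after flood:", legitimate_connect(table, ("192.0.2.10", 40000)))
    cookies = SynCookieListener(b"constructed secret")
    syn_flood(cookies, 1000, rng)
    print("SYN-cookie listener after flood:", legitimate_connect(cookies, ("192.0.2.10", 40000)))
```

The stateful listener refuses the legitimate client once 128 spoofed SYNs are parked in its table; the cookie listener answers every SYN and accepts the honest ACK because it recomputes the expected value rather than looking it up.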
Buffer Overflow
Format String
SQL Injection: the login page builds its SQL statement by string concatenation (classic ASP; the connection object before .Execute is elided in the original):
    ' Build the SQL statement from the form fields
    strsql = "SELECT * FROM tbluser WHERE UserName='" & _
        Request("UserName") & "' AND Password='" & Request("Pass") & "'"
    ' Send the statement to SQL Server
    Set rec = .Execute(strsql)
SQL Injection (continued): with UserName=admin and Pass=1234 the statement becomes
    SELECT * FROM tbluser WHERE UserName='admin' AND Password='1234'
With UserName=admin'-- the attacker's quote closes the string and -- comments out the rest of the line:
    SELECT * FROM tbluser WHERE UserName='admin'--' AND Password='1234'
so SQL Server executes only
    SELECT * FROM tbluser WHERE UserName='admin'
and the attacker is logged in as admin without knowing the password.
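The same login query in Python, vulnerable concatenation beside the parameterized fix, run against an in-memory SQLite table so the admin'-- payload can be tried offline. This is an added example, not the code on the slides: SQLite stands in for SQL Server, the table rows are constructed, and the function names are this example's own.

```python
"""The slide's login query: vulnerable concatenation beside a
parameterized query, run against an in-memory SQLite table.

Added example, not from the original slides. SQLite stands in for SQL
Server, the table contents are constructed, and the payload admin'--
is the one on the slide."""
import sqlite3

PAYLOAD_USER = "admin'--"


def setup() -> sqlite3.Connection:
    """Constructed tbluser with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO tbluser VALUES (?, ?)",
                     [("admin", "s3cret"), ("guest", "guest")])
    conn.commit()
    return conn


def build_query(username: str, password: str) -> str:
    """The slide's strsql, built exactly as the ASP code does: by concatenation."""
    return ("SELECT * FROM tbluser WHERE UserName='" + username +
            "' AND Password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Whatever the user typed becomes part of the SQL syntax."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders keep the input as data, never as syntax."""
    sql = "SELECT * FROM tbluser WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = setup()
    print(build_query(PAYLOAD_USER, "1234"))
    print("vulnerable:    ", login_vulnerable(conn, PAYLOAD_USER, "1234"))
    print("parameterized: ", login_parameterized(conn, PAYLOAD_USER, "1234"))
```

With placeholders the literal string admin'-- is compared against the UserName column and matches nothing; the comment sequence never reaches the SQL parser.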
TCP Spoofing
TCP Hijacking (figure): segments shown in the diagram between Host A, Host B and the attacker Host C: SEQ=8251 ACK=29236 LEN=XX; SEQ=29232 ACK=8251+XX; SEQ=8251 ACK=29232 LEN=XX
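To show why the attacker's segment, sent with the SEQ the server is waiting for, knocks the real client out of the conversation, here is an added Python model (not part of the original slides). Endpoint is this example's own minimal receiver that accepts in-order segments only; the starting sequence numbers 8251 and 29232 are the ones in the figure, the payloads are constructed.

```python
"""Why an injected segment desynchronizes the real sender.

Added example, not from the original slides. Endpoint is this example's
own minimal receiver (in-order segments only, no window); the starting
sequence numbers are the slide's, the payloads are constructed."""
from typing import Dict, List


class Endpoint:
    """Tracks only the two counters that matter here: next byte to send, next byte expected."""

    def __init__(self, snd_nxt: int, rcv_nxt: int):
        self.snd_nxt = snd_nxt
        self.rcv_nxt = rcv_nxt
        self.received: List[bytes] = []

    def send(self, length: int) -> int:
        """Return the SEQ of a new segment carrying `length` bytes."""
        seq = self.snd_nxt
        self.snd_nxt += length
        return seq

    def receive(self, seq: int, payload: bytes) -> int:
        """Accept the segment only if it starts at RCV.NXT; return the ACK number sent back."""
        if seq == self.rcv_nxt:
            self.received.append(payload)
            self.rcv_nxt += len(payload)
        # duplicate or out-of-order data is dropped and the current RCV.NXT re-acknowledged
        return self.rcv_nxt


def hijack_demo(injected: bytes = b"inject ten") -> Dict[str, object]:
    host_a = Endpoint(snd_nxt=8251, rcv_nxt=29232)  # legitimate client
    host_b = Endpoint(snd_nxt=29232, rcv_nxt=8251)  # server
    # Host C sniffed that B expects SEQ 8251, spoofs A's address and gets in first.
    ack_to_c = host_b.receive(8251, injected)
    # A's genuine segment carries the same SEQ 8251 ...
    seq_a = host_a.send(4)
    ack_to_a = host_b.receive(seq_a, b"real")
    # ... and is discarded; B's ACK now covers bytes A never sent, so the two
    # sides no longer agree and keep re-acknowledging each other (the ACK storm).
    return {
        "delivered_to_b": host_b.received,
        "ack_to_c": ack_to_c,
        "ack_to_a": ack_to_a,
        "a_snd_nxt": host_a.snd_nxt,
        "desynchronized": ack_to_a > host_a.snd_nxt,
    }


if __name__ == "__main__":
    for key, value in hijack_demo().items():
        print(f"{key}: {value}")
```

The attacker needs the current sequence numbers, which is why hijacking normally follows sniffing on the same segment and why randomized initial sequence numbers and encryption (SSH instead of telnet) are the defences.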
Social Engineering
Exploit effects: Program Error; Gain Privilege; Denial of Service; Information Leakage / Corruption; Backdoor / Trojan
Sources of vulnerability information, e.g. CERT Advisories; Whitehats (arachNIDS) signatures for the Snort IDS; the Nessus plugin archives
Vulnerability naming: CERT/CC Vulnerability Note, Bugtraq ID, ISS X-Force name & number, etc. CVE (Common Vulnerabilities and Exposures) is a dictionary of common names that maps between them; products and databases that use it are "CVE Compatible". http://cve.mitre.org/
Vulnerability databases:
Common Vulnerabilities and Exposures http://cve.mitre.org/
SecurityFocus Vulnerabilities http://www.securityfocus.com/bid
X-Force Database http://xforce.iss.net/xforce/search.php
Whitehats arachNIDS http://whitehats.com/ids/index.html
CERT/CC Vulnerability Notes Database http://www.kb.cert.org/vuls
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft SQL Server (MSSQL)
W3 Windows Authentication
W4 Internet Explorer (IE)
W5 Windows Remote Access Services
W6 Microsoft Data Access Components (MDAC)
W7 Windows Scripting Host (WSH)
W8 Microsoft Outlook and Outlook Express
W9 Windows Peer to Peer File Sharing (P2P)
W10 Simple Network Management Protocol (SNMP)
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication: Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)
Antivirus software
MBSA (Microsoft Baseline Security Analyzer) version 1.2 checks Windows XP Home Edition/Professional, Windows 2000 Professional/Server and Windows Server 2003 for missing patches and weak settings, scanning by computer name or IP address. http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Patching. Unix/Linux: rebuild from the source tarball, or update through the package manager. Windows: Windows Update; Auto Update (Win98SE, W2K SP4, WinXP, Win2003); or download and apply the patch by hand.