Global Information Assurance Certification Paper

Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

Open File Shares: An Unexpected Business Risk
Jaime Carpenter
June 21, 2001

Over the past few days, well O.K. the last month, I have been stressed over what topic to write about for my GSEC practical. Many topics have come to mind. I have found that as I now focus on writing my practical my topic has finally crystallized into a topic that we are currently working through at my company: Open File Shares.

Background

The purpose of this report is to talk about the risk of open file shares to a business, reiterate the importance of a security policy on file sharing, show you some tools to use to assess the security posture of your network, and finally outline basic steps to take to secure your network.

In this report an open file share or network share is defined as either a Peer-to-Peer or Client/Server NetBIOS/SMB type of shared folder or directory of files that has been improperly secured or not secured at all. At a minimum, the open file share would allow unintended read access to information stored in the shared directory. The worst case of an open file share allows full read/write access to information stored in the shared directory.
The Risk

File sharing in general is seen as a major benefit of networking. The risk arises when a PC, workstation or server is improperly configured and data is exposed. Imagine a manager of a payroll department who saves a spreadsheet containing information about this year’s raises on the hard drive of his PC only to be called in to the CEO’s office later to explain how the information was leaked! This is an example of how confidentiality can be compromised, and often the owner of the information has no idea that the data is at risk.

Unexpected exposure of confidential information is not the only risk. Data integrity and availability can be affected by the spread of viruses like Funlove. In my company we have been hit hard by the Funlove virus, which can propagate itself via open file shares. “Periodically the virus scans any network shares with write access, and infects any EXE, SCR and OCX files on any shared network drives.”(1) Our help desk and workstation support team have been fighting the battle of eradication of this virus for months. Each instance of the virus infection requires hours of recovery work and sometimes a complete reload of the desktop OS. Since January 1, 2001, there have been 50 Funlove infections reported to our help desk.

A recent eWeek article claims that the number 1 threat to security today is from internal sources rather than external sources. According to the respondents of a survey quoted in the article, "57 percent said the breaches were caused by inside users accessing unauthorized resources"(2). Open file shares are certainly one way this type of unauthorized access can occur.

© SANS Institute 2000 - 2002                As part of GIAC practical repository.                    Author retains full rights.
The need for a good Security Policy

Because of these risks, it is paramount that you establish a security policy on file sharing. In the article “Best Practices in Network Security”(3), Frederick M. Avolio says that it is important to establish a root security policy that includes:

   • Root security policy overview
   • Security architecture guide
   • Incident-response procedures
   • Acceptable use policies
   • System admin procedures
   • Other management procedures (data classification and storage)

The Root security policy overview should contain the overall security philosophy of your company. It is the basis or foundation from which the other policies are derived. It is essential that you have the commitment of senior management to support your security policies because “if senior management is not committed to information security, your best efforts are wasted”(3).

The security architecture guide needs to show how file sharing is used in your company. A small company may implement a peer-to-peer technology while a large company may have a mix of peer-to-peer and client/server or just client/server. Whichever suits your needs, it is important to spell it out clearly in your policy. File sharing will also need to be covered in the acceptable use policies, system admin procedures and other management procedures (like data classification and storage).

In your policies you must also clearly spell out the consequences of a policy violation. It may be only a reprimand or it could lead to termination of employment. It is a good idea to check with your human resources and/or legal departments on the language used in your policies.

Tools

There are three network scanning tools that I have chosen to demonstrate in this paper.

   • SMBScanner 1.0 available at: http://hispahack.ccc.de/smb.htm
   • Legion v2.1 available at: http://packetstorm.securify.com/groups/rhino9/
   • ISS Internet Scanner available at: https://www.iss.net/cgi-bin/download/evaluation/evaluation-select.cgi

Test Lab Setup

Here is the test lab setup I will use to demonstrate the scanning tools. (This is not a recommended security setup, just an example.)

IP Address    Name      Operating System    Share Name    Access Type
192.168.0.1   WINKIN    Windows 98          C             Password/Full
                                            RESTRICTED    Password/Full
                                            PRINTER       Full
                                            HIDDEN$       Full
192.168.0.2   BLINKIN   Windows 2000 Pro    ADMIN$        Admin
                                            C$            Admin
                                            DATA          Everyone/Full
                                            PROGRAMS      Everyone/Read
192.168.0.3   NOD       Windows 95          PROGRAMS      Read
                                            CDROM         Read
SMBScanner 1.0

The first tool is SMBScanner 1.0. Although I don’t understand Spanish, the translated web page states: “SmbScanner does not have limitation and it is not necessary to pay for use rights.”(4). I understood that to mean “Free”.

Setup was easy enough. I downloaded the zip file, extracted the files to a directory and I was ready to go.

Running the program displays a dialog that allows you to enter an IP address range to scan. Enter the IP address range to scan and click the Scan button. When the scan completes you will be given a tree view of hosts where file shares were found. You will notice that this tool does not display hidden shares (a share with a $ sign at the end of the name). There is also no option to export or save a list of the scan results.

Once you have the list of hosts, you can right click on a share and you will be given the choice to connect, browse or brute force the share.

The brute force option uses a userlist file and a passlist file to attack a password protected share. There is a sample of each included with the program. They are text files named user.dat and pass.dat. You can create your own files or modify the ones provided. However you will have to use a text editor to edit the files, because the brute force dialog will not allow editing even though it appears that it will.

Legion v2.1

The next tool is Legion v2.1. This is a very well known scanning tool. Legion v2.1 was mentioned in the SANS Security Essentials class I attended, in the book “Hacking Exposed: Network Security Secrets and Solutions”(5) and in one of my searches there was even a link to a tutorial for Legion v2.1 on a hackers website!(6)

After downloading the zip file, just extract the setup files and run setup.exe to install. Legion is shareware and if you use the program beyond the 14-day evaluation period you are expected to pay $25 for continued use.

You have a few more options with Legion v2.1 beyond just IP address range scanning. The startup dialog gives you options for Scan Type and Connection Speed. The Scan Type allows you to use a range or a predefined list of IP addresses. Connection Speed allows you to adjust what type of line speed you have on your network connection.
I chose to use the Scan Range option. Enter a range of IP addresses then click Scan (you are limited to scanning only 64 subnets at a time). When the scan is complete, you will be given a dialog that shows a tree view of the hosts where shares were found. A nice feature is the ability to save a listing of shares to a text file, which is very useful for reporting. Legion v2.1 also does not display hidden shares.

ISS Internet Scanner

The most powerful scanning tool of those covered in this report is Internet Security Systems’ Internet Scanner. This is a full-featured vulnerability and threat assessment tool. You can download a trial copy but you will be limited on both time and features. Internet Scanner uses an expiring key to limit the number of addresses that you may scan and also ensure that you have properly licensed the product.

ISS Internet Scanner works by scanning a range of IP addresses using policies, which are made up of exploits or checks, to assess the vulnerabilities of the host(s) found. You can create your own policies based on your environment. Use caution when creating your own policies because Internet Scanner can also perform denial of service checks that will in fact cause a denial of service on a host.

After you have installed the program, you will need to create a policy to use. For this report, I created a policy called Open Shares and included only a few of the checks available for shares. To create the policy, follow these steps:

   1. Choose Policy on the Internet Scanner menu
   2. Choose New (this will step you through a wizard-like creation tool)
   3. Select the “Blank” policy as the base for your new policy
   4. Give the policy a name: Open File Shares
   5. When the policy editor starts choose Vulnerabilities, Standard, Shares
   6. Enable the checks for
         a. All Access NetBIOS share – Everyone
         b. All Access NetBIOS share found
         c. NetBIOS share
         d. Open NetBIOS share
         e. Open Samba Share
         f. Writable NetBIOS Share

After you have created your policy, you will be ready to perform your scan. Choose File, New Session from the menu. Select your newly created Open File Shares policy, add a session comment, then specify the hosts. There are three options to use to specify the hosts: Use Host File, Use Command Line Facility or Ping valid hosts in your key. For simplicity I chose Use Command Line Facility and entered the IP addresses of the Test Lab hosts.

After you enter in the IP addresses to scan and click Finish your session will be defined. Now from the ISS Internet Scanner menu choose Scan, Scan Now. When the scan has completed you will see a screen much like the one below.

[Screenshot of the ISS Internet Scanner results window; image not reproduced in this copy]

On the left of the screen there are 4 tabs: Hosts, Vulnerabilities, Services and Accounts. Click on the Vulnerabilities tab and expand the tree view. ISS Internet Scanner did find the hidden share HIDDEN$, but it does not show the Windows 2000 Professional administrative shares ADMIN$ and C$.


ISS Internet Scanner also has predefined reports that show varying levels of detail. There are reports for Line Management that contain the vulnerabilities found and a brief description, and there are Technician reports that show the vulnerabilities along with fix information.

Basic steps to take to secure your network

Now that you have seen an overview of scanning tools, you are ready to secure your network. Remember to get permission from your management, in writing, BEFORE you use any scanning tools on your network. If your company uses a change management system, you may need to document your activity so that system administrators will be on alert and expect the scan.

Here are some basic steps to take:

   1. Get permission to perform your security scan
   2. Document the planned scanning activity
   3. Select your target IP address range or ranges to scan
   4. Scan the target IP addresses
   5. Verify your results against your security policy (the tools demonstrated would show if shares exist, but you will need to confirm whether or not they are properly secured)
   6. Report your findings to the appropriate system admin personnel or to management (unless you are directly responsible for closing any vulnerabilities found)
   7. Get an expected closure date for any vulnerabilities found (unless you are directly responsible for closing any vulnerabilities found)
   8. Close any vulnerabilities found by disabling file sharing, adding passwords or other access controls
   9. Rescan to ensure that the vulnerabilities have been closed
                                                                                   ull
           Other tools

           Symantec NetRecon information at:
           http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46&PID=6277422

           PGP CyberCop ASaP available at:
           http://www.mcafeeasap.com/content/cybercop_asap/default.asp

           SMB Scanner Pro available at: http://www.tzsoftware.com/software/smbscanpro/index.shtml

           DumpSec (formerly known as DumpAcl) available at: http://www.somarsoft.com/
