Slide 1

Application Security
Slide 2

Part 1
Software Security

In previous lessons belong to BCSE training program, you were introduced with knowledge of
security and systematic safety.
Today I am representing to you about another important knowledge field, which are
understandings of software vulnerabilities
Slide 3

Main content
1. Fundamental concepts
2. Analysis of basic vulnerabilities
3. Practical examples
4. Prevention solutions
5. Some advanced technologies

Content of the lessons today include parts as follows:

- Fundamental concept to be grasped before learning software vulnerabilities.
- Analysis of basic vulnerabilities
- Practical examples
- Methods of preventing and fighting
- Some advanced technologies in ensuring safety for operations of software system.
Slide 4

Definition and classification

of software vulnerabilities

Let’s start with the first part: Fundamental concept to be grasped and classification of software
vulnerabilities
Slide 5

Operating system: basic structure

User & Kernel Mode

As you know, software can only operate when gaining an appropriate environment and
foundation – this is operating system
Before studying software and vulnerabilities, we should grasp basic knowledge about operating
system.
Let’s look at this chart describing architect of a very popular operating system – Window
operating system – we can see that, this operating system is divided into 2 basic components;
these are User Mode and Kernel Mode with many dynamic link libraries, supplying API with
using software in order to implement its functions.
Dynamic link libraries in User Mode are linked to ntdll.dll, through which connection between
user mode and kernel mode is created.
Slide 6

Operating system: basic structure

User & Kernel Mode

 Kernel Mode:
 Core level of operating system

 Driver, applications at low level, etc.

 Permission : Ring 0

 User Mode:
 Application layer (User Mode) of operating system
 Application software: MS Word, IE, Firefox, Yahoo Messenger, etc.
 Permission: Ring 3

Let’s study more detailed about User mode and Kernel mode
The first and the most important one is kernel mode
This is core of operating system
Include Drivers, applications at low level, etc
Permission : Ring 0
And about User mode
This is application of operating system
MS Word, IE, Firefox, Yahoo Messenger…
Include application software: MS Word, IE, Firefox, Yahoo Messenger
Permission : Ring 3
Slide 7

Operating system: basic structure

User & Kernel Mode

Ring -1 (Virtualization)

This chart is about permission share in Window operating system, including 4 levels: from Ring
0 to Ring 3
Slide 8

Memory diagram
Windows
8x86
32 bit

System dll
Stack
Heap

Another important part of the operating system is data memory management during operation
process.
We are considering Window operating system, run on 8x86 mircoprocessing
On Random Access Memory (RAM), information about dynamic link libraries of the system (dll
of window that we have just mentioned in some previous slides) are stored during operation
process, in data storages serving to operation of application – Stack and Heap
Slide 9

Memory management
 8086
 Real Mode (Segment:Register).
 Can indentify address of 20 bits 64KB.
 80286 - …
 Virtual Address Mode
 Use Flat address Mechanism with 32 Bit
 Pagination mechanism, enabling management of big physical
memory
 Fractional management is still maintained but transferred to
operating system.
 Windows: 4KB (User Mode) và 4MB (Kernel Mode).

In different mircoprocessing generations, the data memory managements are different as well.
AT 8086, data memory management depended on its actual address and can indentify address
with 20 bite, equivalent to maximally 64Kb
At 80286 -
Use Virtual Address Mode
Use Flat address Mechanism with 32 Bite, equivalent to maximally 4Gb
Have pagination mechanism, enabling management of big physical data memory
Fractional management is still maintained but transferred to operating system.
Slide 10

Classification of vulnerabilities

Structure of system
Application Vulnerability
o Kernel Vulnerability
Management of memory
Buffer overflow vulnerabilities
•Stack Overflow
•Heap Overflow

After studying basic knowledge of operating system – the foundation enabling software operate,
we are moving to the next content of lesson.
Based on different evaluation criteria, we have different methods of classification.
Based on structure of system, we can divide into 2 types
Application Vulnerability.
Kernel Vulnerability.
Based on management of data memory, we can divide into

Buffer overflow vulnerabilities

Stack Overflow.
Heap Overflow.
Slide 11

Buffer overflow

Buffer is one data area (on RAM) which is

provided during application execution.

Buffer overflow vulnerability is one flaw of

software when recording an enormous data
amount, exceeding the actual size of buffer

Let’s study buffer overflow, which is one of common error but highly dangerous.
Firstly, we should know definition of buffer
Buffer is one data area (on RAM) which is provided during implementation of application.
And Buffer overflow fault (BoF) is one fault of software when recording enormous data amount
compared to actual size of buffer
Slide 12

Buffer overflow vulnerability

void demo_function(int i)
{
byte buffer[8];
strcpy(buffer,”AAA”);
}

 Is this function faulty?

Let’s look at this code section and answer to a question: Does this function get fault?
Slide 13

Buffer overflow vulnerability

void demo_function(int i)
{
byte buffer[8];
strcpy(buffer,”AAAAAAAA…AAA”);
}
Will Compiler flag this faulty ?
? Will it be executed as expectation of
programmer?

And how about this code section?

Compilers will not show fault when compiling this code section.
However, during implementation of program, the fault can happen and the program will break.
If this program breaks, will it take this advantage to implement malware?
Slide 14

We have just seen that how one program, that we write, can get buffer overflow fault.
This is an example about very popular software which also gets these cases of breaking during
implementation process.
This picture is about Microsoft Office Word - very popular software of text editor.
If vulnerabilities on word are exploited and used by hacker to attack computer of victim, the
consequences will be very huge
Slide 15

Buffer overflow vulnerability

Buffer overflow vulnerability is when software

buffer is overrun, enabling hackers to take
advantage to install malware and control the
system.
Buffer overflow vulnerability enables hackers to
force the software to implement a function that
it is not designed to do

We have just studied about vulnerabilities of buffer overflow, and these are dangers of the
vulnerabilities:
Buffer overflow vulnerability is fault of buffer overflow of software, which enables Hacker to
take advantage to set-up malware and control the system.
Buffer overflow vulnerability enables Hacker to force the software to implement a function
which is not designed previously
Slide 16

Threats
Speeding up spread and destruction of Worm
 Code Red (2001) – flaw in IIS
 Conficker (2009) – RPC flaw
 Stuxnet (2010)
 Flame (2012)
Losing control of system
Being stolen with sensitive information
Reducing efficiency of system

These are actual examples about dangers of software vulnerabilities exploited.

Software vulnerabilities contribute to injection acceleration and damage of Worm
Code Red (2001) –Exploit fault in IIS
Blaster (2003) – Use fault in DCOM RPC.
Sasser (2004) – Fault in LSASS.
Conficker (2009) – Fault RPC…
That software vulnerabilities are exploited causes administrator lose control of system and
reduces efficiency of this system.
Slide 17

Buffer overflow vulnerability

Attack methods

To continue, we will study about methods of attacking and exploiting some software
vulnerabilities, specifically buffer overflow vulnerability
Slide 18

Shellcode
Command series
written in machine
code which can be
executed
Implement simple
missions

Introduction about shellcode

---------------------------------------------------------------------------------------------------------------------
---------------------------------------------
Direct tool used to exploit software vulnerabilities is Shellcode.

Shellcode is a small machine code brought to data memory when exploiting

vulnerability. Machine code is the unique language which microprocessing can identify
and implement directly
Implement a simple mission. Increase right of a user or open a gate on computer of
victim
Slide 19

Stack Frame
Parent(){
// …
Children(“hello”);
Children2(“continue’);
}
Children(char* in){
char *bar;
char c[12];
strcpy(c,in);
return;
}

Introductions about stack frame

---------------------------------------------------------------------------------------------------------------------
---------------------------------------------
Other important contents to grasp, before studying exploitation of one software vulnerability,
are Stack Frame and function calls
Look at the code section on the left and illustration of stack when implementing the program on
the permission .
On stack in the permission image, we have address painted by blue, this is memory area used
to store data during implementation process of the program or also called buffer. The area
painted by green stores is boundary value of stack area.
The area painted by red is address returned after finishing the function.
If input data is “helllo\n” like this image, there will not be anything happened, the program
section will implement normally.
Slide 20

Stack Overflow
Children(“AAAAAAAA…AAAAAAAAA”);

Stack when having buffer overflow fault

---------------------------------------------------------------------------------------------------------------------
---------------------------------------------
How about now?

When input data is a series with a length more than 12, the extent of buffer will be declared to
it.
We can see that the input series is recorded overflowing the below of stack, overlapping
memory area used for other purposes of the program.
And the program breaks.
Slide 21

Exploit vulnerabilities
Replace
address
sent back
with
Shellcode
address

Exploit based on address sent back

---------------------------------------------------------------------------------------------------------------------
---------------------------------------------
This is an illustration of using buffer overflow to exploit one program.
Looking at this illustration, we will see orientation of this exploitation as follows:
Record to overflow memory to store data (buffer) with a big data with shellcode
Measure to insert on memory storing data sent back (red area) by address of shellcode
. When function is executed, it will send back with executing right to initial address of
shellcode

And malware is executed

Slide 22

DEMO
Winamp

This is demo of exploitation of actual vulnerability on Winamp

Slide 23

Vulnerability
Service software

You have just been introduced about basic understandings of foundations of operating system,
definition of software vulnerabilities and actual software vulnerability detected and exploited.
In the next part, I will talk about vulnerabilities on service software.
Slide 24

Software providing services

Software providing services on the
internet
 Web Service, Mail Server, etc.
 FTP, MIRC, RPC, etc.
Can be attacked without interaction of
user.
Easily to be attacked due to opened gate
without prevention of Firewall

As you know, service software are software providing services on internet such as Web service,
Mail server
Some services mentioned at the next are FTP, MIRC, RPC.
.
These software can be attacked without interaction of user.
This is really dangerous because patients do not indentify the danger they are coping to and
absolutely do not know that they are being attacked.
Besides, one of reasons causing service software become easy targets for attacker to exploit
vulnerabilities on them is that these software are opened with ports on the system without any
prevention of Firewall.
Slide 25

Any software has latent buffer

overflow flaw

Information Internet Service

Apache
Mdeamon
Services on Windows, Linux, etc.

Any software has latent vulnerabilities.

Some famous names are :
IIS - Information Internet Service.
Apache.
Mdeamon.
Services on Windows, Linux…
Slide 26

Code Red – IIS

Appear on July 13, 2001
Exploit MS01-033 (IIS Service)
vulnerability

GET /default.ida?NNNN…NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN…NNNN HTTP/1.0

An actual example of taking advantage of vulnerability on IIS service to dissipate computer

worm is Code Red worm
Code Red was detected on July 13th, 2001, taking advantage MS01-033 vulnerability on IIS
Service to infect quickly on Internet.
Calculated to July 19th, 2001, seven days since the date of appearing, Code Red had infected on
359000 computers.
We can see on this slide, this is data section causing buffer overflow of IIS
Slide 27

Conficker – RPC Service

Appear November 2008
Exploit MS08-067 (RPC Service)
vulnerability

RPC Canonicalize: \\a\..\c  \\c

\\a\..\ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccc

Another example is Conficker worm

It appeared on November 2008 and exploited vulnerability on RPC Service. Calculated to
January 2009, it had infected on computers of over 200 countries and about 9 million to 15
million computers had estimated to be infected.
Slide 28

Vulnerability
Web browser

One of popular software connected to Internet and being another important target of
exploitation of vulnerability is web browser.
Slide 29

Web browser

All browsers have latent buffer overflow

flaw
Exploitation of browser vulnerability
requires interaction of user

We have known relatively many different web browser with different engines such as IE of
mircosoft, Chrome of Google, safari of Apples and FireFox, etc which have been known as
popular web browser
Despite different features, under security aspect, all web browser have a same characteristic
that are latent vulnerabilities.
Exploitation of latent of web browser is more difficult than that of service web because
exportation of fault of the browser requires interaction of user.
Slide 30

Chrome – “ Save As” Function

<html>
<head>
<title>AAAAAAAAAAAA…AAAAAAAAAAA</title>
</head>
<body>Website content</body>
</html>

One example of suffer overflow vulnerabilities detected on Google Chrome web browser is
suffer overflow in “Save as” function.
This is a vulnerability detected in 2008 by Mr. Le Duc Anh, who was then student participating
internship in Bkis Network Security Centre.
Cause of this fault is that when user use Save as” function to save 1 website, this title card is a
series with a great length
Slide 31

IE – Media Encoder COM

<html>
<object classid="CLSID:A8D3AD02-7508-4004-
B2E9-AD33F087F43C" id="target"></OBJECT>
<script>
var buffer = "BBBBBBBBBBBBBBBBBBBBBB...";
target.GetDetailsString(buffer,1);
</script>
</html>

Another example is fault happened on IE browser, in Media Encoder when dealing with a buffer
variable with a great size
Slide 32

DEMO
Chrome
IE 7

This is demo about exploitation of vulnerabilities on Chrome and IE browsers.

Slide 33

Vulnerabilities
Software with FILE format

Another threat of latent vulnerabilities is treatment of input data of software.

In this session, we will study software vulnerabilities with File format
Slide 34

Software with file format

Some popular softwares with File format
are:
 Word, Excel, PPT, etc.
 PDF, Torrent, pls, etc.
This flaw requires interaction of user
Almost users do not see threats from files like
word, pdf and so on

Some popular software with File format are:

Word, Excel, PPT …
PDF, Torrent, pls…
Faults of file format require interaction of user in order to finish exploitation.

However, it is dangerous that almost user do not see threats from word of pdf file
For them, these are very normal things and have no ability of damaging them.
Slide 35

DEMO
Microsoft Word 2003.
Microsoft Excel 2003.
PDF Launch

These are demo of exploitation of some faults about file format of software
*Microsoft Word 2003.
*Microsoft Excel 2003.
*PDF Launch
Slide 36

Vulnerabilities
Windows Kernel

Another problem needed to consider is vulnerabilities of window kernel

Slide 37

Blue Screen of Death

Blue Screen of Death –All of us certainly get this situation at least one time.
Thus, what is cause of this “dealth”. Let’s study.
Slide 38

Driver flaws

• Driver has the permission of Ring 0 (the

highest)
• Controlling driver = controlling system
 Possibility of escalation

Vulnerabilities of window kernel are mainly fault of Drivers

These drivers run at Ring 0 permission . Controlling driver enables controlling the system.
This can be seen as the greatest threat to the system.
However, it is lucky that vulnerabilities on drivers are rarely seen.
Slide 39

Causes & Solutions

I have just introduced you about definition of software vulnerabilities with their latent threats.
Thus, what is cause for these software vulnerabilities and how to prevent, fight and restrict
hazards of them.
Slide 40

Causes

Secure programming
Decentralization policy
Security policy of the entire system
Not updating patches

There are many causes, such as:

- Safe programming – mistakes in programming process are direct cause of these vulnerabilities.
Shortage of investigation step in programming process will increase threat of vulnerabilities
when the product is completed.
- Applied permission share policy is also a cause of exploitation of vulnerabilities
- Security policy of entire system and no updating patching for software also increase threat of
being attacked.
Slide 41

Prevention

Being trained about secure programming

Appropriate Decentralization policy
Use of IDS, IPS, etc.
Updating patches regularly and
automatically

From causes mentioned above, we can give some methods of preventing and fighting
appearance of vulnerabilities and their exploitation as follows:
- Being trained about safe programming
- Appropriate permission share policy
- Use of IDS, IPS…methods
- Update patching regularly and automatically
Slide 42

Some advanced techniques

The next session will mention about some advanced technologies of exploitation of software
vulnerabilities
Slide 43

Why we need advanced technologies

There are always solutions for new
exploitation technology. Exploitation
solution for replacing out-fashioned
address sent back
Always update new technologies and
solutions

One question is that why it needs advanced technologies?

Slide 44

Cookie (block returned address)

This solution is to
stop prevention of
address sent back

The first method is use of Cookie for stack

Value of Cookie is a random value, pushed into stack during function call process.
When taking address returned, the operating system will check this value of Cookie that
whether it was changed or not. If not, it will implement normally, and if yes, it means that this
value was attacked and the execution process will be stopped
However, use of cookie does not also ensure absolute safety; it still is bypassed by version of
vulnerabilities exploitation adjusted appropriately.
Slide 45

Safe SEH
Microsoft uses algorithm to check the
accuracy of SHE address
This algorithm is not completed, which
leads to possibility of Bypass SafeSEH

Another protection method is SafeSEH.

- Microsoft uses algorithm of checking accuracy of SHE address.
- This algorithm is not completed, which leads to possibility of Bypass SafeSEH
Slide 46

DEP
Data Execution Prevention (DEP)
2 modes:
hardware-enforced DEP
Software-enforced DEP

Data Execution Prevention (DEP) is security characteristic of operating system.

This is mechanism of execution of command code on pages marked as execution not allowed
(such as stack, heap, hay .data section of the process). Thus, when DEP is on, shellcode on
traditional exploitation will not be allowed to execute.

DEP can run in 2 regimes, hardware-enforced DEP enables marking data memory pages which
are areas not allowed execution.
And software-enforced DEP with more restricted protection characteristic for CPU not
supported with DEP.
Slide 47

ASRL
Changes continuously address of storage
areas, making the address returned
useless.
Random algorithm of Microsoft has not
been completed, which leads to
possibility of being bypassed in some
cases

A higher and more effective protection method is ASRL Address space layout randomization
- This is a technology which changes continuously address of storage areas, making the address
returned useless.
- However, random algorithm of Microsoft has not been completed, which leads to possibility of
being bypassed in some cases.
Slide 48

Part II
Remote Access Security

In part 2 of our lecture, I will present threats when we make Remote access security
Slide 49

Remote Access
Remote Desktop

49
Tr 49

Remote Desktop provides access to the desktop of a computer running Windows XP

Professional from a computer at another location. For example, connect to your office
computer from home and use all your applications, files, and network resources just as
if you were actually in your office, using your office computer.
Using Remote Desktop, you can run applications on a remote computer running
Windows XP Professional from any other client running a Windows operating system.
The applications run on the Windows XP Professional–based remote computer and only
the keyboard input, mouse input, and display output data are transmitted over the
network from the local computer.

Remote Desktop consists of the following components, which are discussed in detail in
this section:
Remote Desktop Protocol
Client software
Remote Desktop Connection
Remote Desktop Web Connection
The Remote Desktop Protocol (RDP) is a presentation-layer protocol that allows a
Windows-based terminal (WBT) or other Windows-based client to communicate with a
Windows XP Professional–based computer. RDP works across any TCP/IP connection,
including local area network (LAN), wide area network (WAN), dial-up, Integrated
Services Digital Network (ISDN), digital subscriber line (DSL), or virtual private network
(VPN) connections. RDP delivers to the client computer the display and input
capabilities for applications running on a Windows XP Professional–based computer.
---------------
One popular application that we use for remote access is Remote Desktop – this application
enables us to access to one computer running window operating system.
Ứng dụng sử dụng giao thức RDP This application uses RDP protocol .
Slide 50

Remote Access Security

• TCP port 3389 và UDP port 3389

Brute Force

Tr 50

RDP servers are built into Windows operating systems; an RDP server for Unix and OS
X also exists. By default, the server listens on TCP port 3389 and UDP port 3389

--------------
RDP server is built on window operating system and has version on unix and os x
Defaulted set-up of RDP is on 3389 gate.
As the chart above, we can see the operation method of remote desktop application.
Client authenticates information of user and password to control remote computer.
Actions on keyboard and moute from client are sent to remote computer and respective
programs will be implemented there and then returned with images of destop to lient computer
As the information above, we know that the gate defaulted for this protocol is 3389. Thus, there
is a threat that it can brute force username and password in order to gain control of remote
computer.
Slide 51

Solutions

VPN

Strong password

Tr 51

To deal with the threat above, we can use VPN: it increases safety level than allowing everyone
to connect to remote computer.

Another necessary method is to set a strong password for your own.

Slide 52

Part III
Email Security

The part 3 of our lecture, I will talk about another important issue, that is email security
Email has become an important thing in work and life and used popularly by everyone,
however, not many people can recognize clearly threats of using email.
Slide 53

Mail – Definition

• Use protocol (gate serial number) and

SMTP (25), POP3 (110), IMAP (143)

Before studying latent threats about safety loss of using email, let’s stuty operation of email.
Applications of sending and receiving email work with protocol STMP at gate 25, POP3 at 110
gate or IMAP at 143 gate.
Slide 54

This is operation diagram showing process when 1 email is sent from people A to people B

When A sends email to B, this email is sent from server SMTP of A to server SMTP of B
Next, the email is sent to server POP3 or IMAP of B
Slide 55

E-mail

• Use protocol SMTP (TCP 25) to send mail

• Use protocol POP3/IMAP (TCP 110/143) to
receive mail

- Use protocol SMTP (TCP 25) to send mail

- Use protocol POP3/IMAP (TCP 110/143) to receive mail
Slide 56

PGP

 Pretty Good Privacy

 method of public coding
 provide ability of using electronic signature, code of content and other information of
email
User is provided with 1 public key and 1 private key
 Supporting facilities are normally integrated and mailed to client or used separately
.

One safe and popular application of sending and receiving email is PGP - Pretty Good Privacy

It uses method of public coding, providing ability of using electronic signature, code of content
and other information of email.
User is provided with 1 public key and 1 private key
Supporting facilities are normally integrated and mailed to client or used separately
Slide 57

Threat

 Spam
 Use email to advertise
Send mail bomb
 Sender does not know receiver
 Receiver has to get troublesome
 Not good mail configuration will lead to spam

After studying operation method and some applications of sending and receiving email, we will
move to the next session that is latent threat of using email.
Firstly, we will mention one problem that anyone certainly has ever had, that is spam
Use email to advertise
Send mail bomb
Sender does not know receiver
Receiver has to get troublesome
Not good mail configuration will lead to spam
Slide 58

Threats

 Hoax ( a o)
 Method: send announcement about warn of virus,
security problem, etc
 Spreading through anxiousness and shortage of
understanding of users.
 Level: rather dangerous

Another problem is tricking via email

Method: send announcement about warn of virus, security problem, etc
Spreading through anxiousness and shortage of understanding of users.
Level: rather dangerous.
Slide 59

Protection of email system

• Using Mail gateway Scan software

• Good mail server configuration, without
open relay
• Prevent Spam on Server
• Associate with coding
Take vigilance with strange mail with
doubtful content.

So, how we can do to protect ourselves before these threats.

Protect yourself and service users by:
- Using Mail gateway Scan software
- Good mail server configuration, without open relay
- Prevent Spam on Server
- Associate with coding
- Take vigilance with strange mail with doubtful content.
Slide 60

Part IV
Application Security Baselines

In part 4 of our lecture, I will present content of Application Security Baselines

Slide 61

Security Checklist

To begin with, I will talk about Security Checklist

Slide 62

Security Checklist

• System investigation
• Network infrastructure
• Application, software
• Service
• Use demand
• Use procedure
• Network security components

Firstly, Checklist about investigating system.

It includes contents needed to investigate as follows:
Network infrastructure
Application, software
Service
Use demand
Use procedure
Network security components
Slide 63

Security Checklist – Record document

• Record document with details of network

security configuration
• Should review and repair when having
any change in network

Clarify importance of document in network system.

An important task during implementation of security checklist is to record document
Contents of this task include :
Record document with details of network security configuration
Should review and repair when having any change in network
Slide 64

Security Checklist

• list out necessary things

Services
Protocols
Applications
Account of user
File access permission
 System access permission

In the document, should list out necessary things:

Services
Protocols
Applications
Account of user
File access permission
System access permission
Slide 65

Security Checklist– OS updates

 check regularly update

versions of operating
system
 Execute WSUS (Windows
Server Update Services)

- And should check regularly update versions of operating system

- Execute WSUS (Windows Server Update Services)
WSUS is a program which enables administrator to allocate update versions, software patching
for computers under his management scope.
Slide 66

Security Checklist– Patching

• patching with OS and software

For example:
Windows patching against to Blaster and Sasser
Oracle patching against to 80 vulnerabilities (10/2005)
Patching are given quickly to mend vulnerabilities and may be
have not checked yet.

The next problem is updating patching

patching with OS and software
For example:
Windows patching against to Blaster and Sasser
Oracle patching against to 80 vulnerabilities (10/2005)
Patching are given quickly to mend vulnerabilities and may be have not checked yet.
Slide 67

Security Checklist– Services Packs

• Khi có quá nhiều b n vá, nhà s n xuất tập

hợp chúng lại và ưa ra b n SP

When having too much menders, manufacture will gather them and give SP
Slide 68

Security Checklist– Network Hardening

• Đóng những dịch vụ không cần thiết

Dịch vụ mạng
Ứng dụng
Cổng
Giao thức

The next Checklist needed to implement in order to ensure safety for system is Security
Checklist– Network Hardening
Close unnecessary services
- Network service
- Application
- Gate
- Protocol
Slide 69

Security Checklist– Application Hardening

• Manage all software being run

• Ensure they are updated and repaired all faults
• Security level of server is at the same with the
lowest security level of 1 application run on it.

The last Checklist needed to implement is Security Checklist– Application Hardening

Similar to Network Hardening, – Application Hardening make it difficult to exploit system
vulnerabilities
Tasks in checklist Application Hardening include:
Manage all software being run
Ensure they are updated and repaired all faults
Security level of server is at the same with the lowest security level of 1 application run on it.
Slide 70

Part V
Network Security Analysis Tool

In part 5 of our lecture, I will present content of Network Security Analysis Tool
Slide 71

Content

1. Check connection on computer

2. Scan service gate
3. Analyze network data
4. Scan computer vulnerabilities

There are 4 major content in this part 5

Check connection on computer
Scan service gate
Analyze network data
Scan computer vulnerabilities
Slide 72

Content

1. Check connection on computer

2. Scan service gate
3. Analyze network data
4. Scan computer vulnerabilities

Let’s start with the first content: Check connection on computer

Slide 73

Assumed situation given:

There is a sign that the computer is

controlled by remote control
 Mouse and keyboard are run by
themselves
 CD disk is closed and open by itself
 Personal information are lost
What is solution?

Assumed situation given:

There is a sign that the computer is controlled by remote control
Mouse and keyboard are run by themselves.
CD disk is closed and open by itself.
Personal information are lost
…
What is solution?
Slide 74

Signals of backdoor
Open gate for control command
Create connection to strange IP to receive
command

Your computer can be infected with backdoor. In real, backdoors will implement tasks as
follows:
Open gate for control command
Create connection to strange IP to receive command
Slide 75

Method of detecting backdoor

Check
 Gates, services used
 IPs being connected to
 Situation of connection

How can we do to realize whether our computer is infected by backdoor or not?

Check
Gates, servies used
IPs being connected to
Situation of connection
Slide 76

Tools to follow connections

Netstat
Fport
TcpView

Thus, which tool should we use to follow connections

We can use tools as follows:
Netstat
Fport
TcpView
Slide 77

Netstat

Available in windows
line interface
Easy to use

Firstly, with netstat

Netstat is an available tool in windows
It has command line interface and is quite easy to use
This slide shows image of netstat application being run on cmd
With command of netstat and option –a, we will have information of all connection in system
with information about protocol, local address, connection address and connection situation:
These normally are listening and established.
Slide 78

Situations in opening 1 connection

Client Server

LISTEN

SYN_SENT

SYN_RCVD

ESTABLISHED

This diagrams of situations in opening 1 connection.

In order to create 1 connection, it is required that the server has to be in situation of LISTEN.
Client sends SYN package to server, server changes to situation of SYN_RCVD and sends back
with SYN ACK.
Client sends ACK to server in order to finish creating 1 connection
Server changes to situation of ESTABLISHED.
Slide 79

Situations in closing 1 connection

FIN_WAIT_1

CLOSE_WAIT

FIN_WAIT_2 LAST_ACK

TIME_WAIT

CLOSED

At closing connection
Client is in situation of FIN_WAIT_1 and sends FIN M package to server. Server changes to
situation of CLOSE_WAIT and sends back with ACK M+1. Then, server changes to situation of
CLOSE_ACK and sends FIN N package to Client.
After receiving ACK M+1 package, Client changes to situation of FIN_WAIT_2.
After receiving FIN package, Client changes to situation of TIME_WAIT and sends ACK N+1
package to server
Server changes to situation of CLOSED – finishing work session of the connection
Slide 80

TcpView

Another tool used to follow connections is TCPView

It has visual interface and provides more information than that of netstat
It shows information about name of software using connections, connection protocol, source
address and destination address of connection as well as information about connection
situation.
Slide 81

Determine service gate

Each service often uses a fixed service

gate
Some popular gates are
 80,443: Web
 25, 110, 143: Mail
 53: DNS
http://www.iana.org/assignments/port-
numbers

After collecting information about existing connections on computer, we need to know

information about service gates.
Each service often uses a fixed service gate.
Some popular gates are:
80,443 used for Web service
25, 110, 143 used for Mail service
53 used for DNS
Can refer more in the link
Slide 82

Find information about IP

Use whois service
 http://www.domaintools.com
 http://www.dnsstuff.com
 SmartWhois

After finding information about connection, service gate, we need to consider IP address to
which the computer is connected.
In order to find information about IP address, we can use whois services
On links in the slide.
Slide 83

Content

1. Check connection on computer

2. Scan service gate
3. Analyze network data
4. Scan computer vulnerabilities

The 2nd content presented is scanning service gates.

Slide 84

Scanning gates – Definition

checking whether one or many

computer open(s) one or many service
gate(s) or not..

Port 4444?
Close

Scanning gates means checking whether one or many computer open(s) one or many service
gate(s) or not.
On this diagram, computer A wants to check whether computer B is opening 4444 gate or not.
. If computer B does not open 4444 gate, the Close result will be sent to computer A
Slide 85

Tools supporting scanning gates

SuperScan
Nmap

Some tools supporting scanning gates are SuperScan and Nmap

Slide 86

SuperScan

http://www.softpedia.com/get/Network-
Tools/Network-IP-
Scanner/SuperScan.shtml
Supports few scanning technology
Supports banner grabbing
Friendly graphic interface

SuperScan is free software and can be downloaded at the address on slide.

SuperScan supports few scanning technology
Supports banner grabbing and friendly graphic interface
Slide 87

SuperScan

This is interface of SuperScan with information about establishment of configuration for 1 work
session, including IP address, IP band needed to scan; the results of scanning process are
addresses having gates open and these gates.
Slide 88

Scanning - Technology
TCP Scan:
 Connect Scan
 SYN Scan
 XMAS Scan
 ACK Scan
 FTP Scan
UDP Scan

SuperScan provides with technologies as follows:

TCP Scan:
Connect Scan
SYN Scan
XMAS Scan
ACK Scan
FTP Scan
UDP Scan
Slide 89

SYN Scan

SYN

SYN/ACK

RST

Send Receive Result

SYN SYN/ACK Port is open; host is up.
SYN RST Port is closed; host is up.
SYN Nothing Blocked by firewall or host is down

As you know, TCP protocol has mechanism of shaking hand with 3 steps during establishment of
connection.
When Client sends SYN package with a certain Port data to Server, if this server sends back with
SYN/ACK package, the client will know that Port on Server is opened; and if Server sends
backs with RST/SYN, it means that Port on Server is closed.
Slide 90

XMAS Scan

FIN, URG, PUSH

RST

Send Receive Result

FIN Nothing Port is open (if host is up and not
URG blocked by firewall)
PUSH
RST Port is closed; host is up.

Client will send TCP packages with a certain Port quantity needed to scan, containing many Flag
data such as FIN, URG, PSH. If Server sends back with RST package, we know that Port on
Server is closed.
Slide 91

Can we use it to see whether FTP service is used on Server or not?

Slide 92

UDP Scan

UDP Packet

ICMP unreachable

Send Receive Result

UDP Nothing Port is open (if host is up and not
blocked by firewall)
UDP ICMP unreachable Port is closed.

When UDP Scan is used, the UDP package will be sent; if the result sent back is empty, it means
that gate is opened.
If the ICMP is unreachable, it means that gate is closed.
Slide 93

Nmap
http://insecure.org/nmap
A strong tool of scanning gate
Support many scanning technologies
Support banner grabbing
Supporting detection of operating system
Provide results with high accuracy
Command line interface and graphic
interface

The 2nd tool I would like to introduce is Nmap

This is the strongest tool of scanning gate, supporting many scanning technologies.
It supports banner grabbing, supporting detection of operating system and provide results with
high accuracy
It has both command line interface and graphic interface.
Slide 94

Nmap

These are command line of Nmap with options

Nmap –sT: in which letter s – is Scan, and letter T is type of TCP scan
Nmap –sU: it means use of UDP Scan
Nmap –sP: it uses Ping to scan
Nmap –sF: it uses FIN Scan
Nmap –sX: it uses method of XMAS Scan
Nmap –sN: it uses NULL Scssan
Nmap –sV: used to Scan name of applications and their version
Nmap –SR /I RPC used to scan RPC
Slide 95

Scanning gates - application

Check safety of system

Check services on system
 Type of service
 Version
Determine operating system

Scanning gates has applications as follows:

Check safety of system
Check services on system
Type of service
Version
Determine operating system
Slide 96

Content

1. Check connection on computer

2. Scan service gate
3. Analyze network data
4. Scan computer vulnerabilities

The 3rd content in this knowledge field is Analysis of network data

Slide 97

Sniff – Definition

is actions of interposing and following

data flow running in computer network

The first knowledge is definition of Sniff

Sniff is actions of interposing and following data flow running in computer network
Slide 98

Tools

Software
 Wireshark
 Ettercap => Cain & abel
 TcpDump, WinDump…
Some hardware products
Establish Security Monitoring system

//Sniffer is product of Network general

Some popular tools are:
Wireshark
Ettercap, for example: Cain&abel
Some hardware products are also used to serve to sniff actions
Security Monitoring is also necessary actions for establishment of Security Monitoring system.
Slide 99

Wireshark

http://www.wireshark.org
Support well in network using hub
Support in analyzing many protocols
Strong abilities of analysis and statistics

Let’s study about the first and a strong tool, that is wireshark
Wireshark supports >800 protocols
It supports well in network using hub
Support in analyzing many protocols
It has strong abilities of analyzing and statisticing
Slide 100

Wireshark

This is interface of wirashark when it is implementing sniff actions and analyzing packages
We can see information about order number of packages, time of packages, address of source
address and destination address; as well as information about protocol and other detailed
information of package.
Slide 101

Technologies
Inline mode
Wired LAN Sniffing
 For Hub: Promiscuous mode
 Fore Switch: Arp Spoofing
Wireless Lan Sniffing : Monitor mode

Some technologies used for sniff actions are:

Inline mode
Wired LAN Sniffing
For Hub: Promiscuous mode
For Switch: Arp Spoofing
Wireless Lan Sniffing : Monitor mode
Slide 102

In terms of the network using hub, when 1 package is sent to hub by any computer, the package
will be forwarded to all remaining computers connected to the hub
That the sniff actions for packages sent between A and B using the same hub of C is merely
connection to hub
Slide 103

In terms of network using Switch, sniff actions will be more difficult.

As we know, computers connected through switch will use ARP protocol.
When computer A wants to contact with computer B with IP address of B.B.B.B, the computer A
will ask switch of Computer B.B.B.B that what is it MAC address?
Switch will ask computer having address of B.B.B.B about is MAC address and then send back to
Computer A
Slide 104

If Computer C wants to overhear in network, firstly it needs to change respective MAC address
with address of IP A.A.A.A and B.B.B.B into its MAC address.
When Computer B sends package to Computer A, this package will be sent to Computer C
instead of Computer A.
Computer C will record it and forward it to Computer A
Similarly, when A sends package to B, this package is also moved to C before C forwards it to B.
Thus, A and B still exchange with each other without realizing these package exchanged
between them are moved to C.
Slide 105

Ettercap

http://ettercap.sourceforge.net
Provide ability of sniffing in the network
using switch
Support in analyzing many protocols to
get sensitive information such as
username and password.

The next tool is ettercap

This tool provides ability of sniffing in the network using switch
It supports in analyzing many protocols to get sensitive information such as username and
password.
Slide 106

Ettercap

This is interface of ettercap with version 0.7.3

Ettercap gets information about IP addresses in the network with information about MAC
address.
Information about email account and password of user.
//Information about image
Slide 107

Preventing sniffing

Code
Arp watch
VLAN
Static arp table

Thus, how can we do to prevent threats of sniffing?

The first method of prevention is coding information sent in the network
Use ARP watch
Use VLAN in local network
Using ARP table also helps to enhance safety level in exchanging these information
Slide 108

Applications

Steal information
Dealing with accidents about network
Detect intrusion
Checking protocol used in the network

Some applications of Sniff are

Steal – using sniff for bad purpose
However, Sniff is also used for good purposes such as dealing with accidents about network,
detecting intrusion and checking protocol used in the network
Slide 109

Content

1. Check connection on computer

2. Scan service gate
3. Analyze network data
4. Scan computer vulnerabilities

The 4th part in today lecture is to present scanning computer vulnerabilities

Slide 110

Level of danger

9776 vulnerabilities was detected in 2012 on 2503

products.
13073 vulnerabilities was detected in 2013 on 2289
products.
=>Over 1000 vulnerabilities was detected each month
20% estimated of these vulnerabilities are serious faults,
which can make the system lose its control.
users often do not have time to update pitching

Why do we need to scan computer vulnerabilities??

the 1st session of the lecture, I have just talked about software vulnerabilities and their
dangerous level.
In statistics published in 2012, number of vulnerabilities detected is 9776 vulnerabilities on 2503
software products
And in 2013, this number was much greater, up to 13073 vulnerabilities detected on 2289
products.
Ir can be easily realized an enormous number with over 1000 vulnerabilities detected in each
month.
It is more dangerous that 20% estimated of these vulnerabilities are serious faults, which can
make the system lose its control.
It is much worse when users often do not have time to update pitching
http://secunia.com/vulnerability-review/vulnerability_update_all.html
Slide 111

Solutions

Regularly update
 WSUS
 Use investigation tools as follows
 Microsoft Baseline Security Analyzer
 Secunia Personal Software Inspector
 Retina Network Security Scanner

The method for this problem is to regularly update pitching of software

To support management of update version, we can use Windows Server Update Services
(WSUS)
Or use investigation tools as follows
Microsoft Baseline Security Analyzer
Secunia Personal Software Inspector
Retina Network Security Scanner
Now I will introduce in details about the tools just mentioned.
.
Slide 112

Windows Server Update Services

This is architectural diagram of Window Server Update Services

With each 1 network system, we can have one or many WSUS servers
These WSUS servers will take updates of Microsoft from their server and then distribute them
to all computers in its network.
Slide 113

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/secu
rity/tools/mbsahome.mspx
Scan pitching of Microsoft
Scan security policy
Support local or scans computers in
domain.

Tool: Microsoft Baseline Security Analyzer

It scans pitching of Microsoft
It also scans security policy and supports local or scans computers in domain
Slide 114

Microsoft Baseline Security Analyzer

This is interface of Microsoft Baseline Security analyzer

Slide 115

Secunia Personal Software Inspector

https://psi.secunia.com/
Scan software vulnerabilities of many various
brands
Simple and easy to use.
Follow applications by real time
Only scans on computer set-up

Secunia Personal Software Inspector is a tool scanning software vulnerabilities of many various
brands.
It’s advantages are being simple and easy to use and following applications by real time.
This software only scans on computer set-up
Slide 116

Secunia Personal Software Inspector

This is interface of Secunia Personal Software Inspector

Slide 117

Retina Network Security Scanner

http://www.eeye.com/Retina/
Scan software vulnerabilities on computer
Scan security policy of the system.
Support scanning local and scanning through
network
Support with 2 types of scanning :
 With Username / Password
 Without Username/Password

Retina Network Security Scanner

It is a tool scanning software vulnerabilities, scanning security policy of the system.
It supports scanning local and scanning through network.
It also support with 2 types of scanning, which are to use username/password and not to use
username password
Slide 118

Retina Network Security Scanner

This is interface of retina network security scanner software

Slide 119

Conclusion

Check connection on computer

Scan service gate
Analyze network data
Scan computer vulnerabilities

Thus, I have just shown you understandings about checking connection on computer as well as
necessary knowledge about scanning gate, analyzing network data and scanning computer
vulnerabilities
Slide 120

Review questions
Give necessary information when considering and analyzing
validity of network connection?
Definitions of scanning gates and applications of scanning
gates.
Present some basic technologies of scanning gates
Indicate basic difference between sniffing technology in
network using hub and in network using switch
Present arp poisoning technology
Give some solutions for restricting sniffing
Give main applications of analyzing data transmitted in the
network
Give some software scanning computer vulnerabilities

These are review questions of these parts