Wednesday, February 1, 2017

Security+ Topic - Basic Network Security Tools

A common topic that comes up from people just getting into the computer security realm is what tools they can use to break into a computer. Well, that is a seriously loaded question with a lot of different directions you could go. I want to take a moment to step back from the question and dig into what most people are really asking. To me, it seems they want to know right from the start how to hack their neighbor in under 10 seconds like in the movies. While you may be able to accomplish something similar to this deep into your career, it most likely isn't going to happen from the start.

What really needs to happen at this point is building a basic understanding of ports and the services that may be associated with them. I'm going to assume at this point that you have some sort of networking knowledge and will be able to follow the conversation without my breaking down every point moving forward. Every service listens on a port to do its normal functions. Using this information, some smart people have developed tools that can scan through a set of common ports to see what is currently accepting connections. These port scanners can be very simple, just opening a TCP connection and nothing more, or they can send a query to see what service is listening on that port. Generally speaking, though, tools such as nmap will simply open a TCP connection and then close it when done. The list of ports it finds is then reported back with the common services associated with each.

We can then take the information about which ports are listening and go a little deeper. A vulnerability scanner will take the list of ports it found to be open and start analyzing the information on those ports. An example here would be an SMB server, to which the vulnerability scanner would send specific packets in order to get more information. A locked-down system would simply report back that the port is open. A less secure system would give out all sorts of information, such as the software version number, and the scanner would then try to make a connection based on that. This is where the "vulnerability" part of vulnerability scanner comes into play. A simple port scanner is just for ports, but a vulnerability scanner uses the version information reported back and searches its databases for known issues. If it finds that you are running version 1.2.3 and there is a known issue with that version, it could formulate a specially crafted packet to take advantage of that issue. Now, not all software does this. Some white-hat software simply lets you know that there is a known exploit and then provides you with the CVE numbers so you can take action.

The next step in this whole thing is protocol analyzers. Generally speaking, these are not used by the average Joe. Sure, they are great tools for seeing what is going on with your network, but until there is something interesting (such as an exploit) that you are able to take action on, there is not a ton to see. Oh, you made it this far? Good. I then want to talk for a moment about protocol analyzers and insecure transmissions. The easiest way to explain insecure protocols such as FTP and Telnet to people is to capture one of the sessions. It becomes clear as day how insecure these protocols are and how a protocol analyzer can capture the data. There is even protocol analyzer software available that monitors the network for these insecure connections and presents them in a GUI for the user to review.
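To show why a captured FTP session is so revealing, the following added example (not from the original post) reassembles FTP control-channel payloads and flags logins that crossed the network in the clear, the way the monitoring software described above would. The sample segments, the addresses and the function name `find_cleartext_logins` are constructed for illustration.

```python
import re
from collections import defaultdict

FTP_PORT = 21
CMD = re.compile(rb"^(USER|PASS) (.*)$", re.IGNORECASE)

# Constructed sample: (client, server, server_port, TCP payload) in capture order.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "10.0.0.9", 21, b"USER ali"),        # one command split across
    ("10.0.0.5", "10.0.0.9", 21, b"ce\r\nPASS hun"),  # several TCP segments
    ("10.0.0.5", "10.0.0.9", 21, b"ter2\r\nSYST\r\n"),
    ("10.0.0.7", "10.0.0.9", 443, b"\x16\x03\x01\x02\x00"),  # not FTP, ignored
    ("10.0.0.8", "10.0.0.9", 21, b"USER anonymous\r\nPASS guest@\r\n"),
]

def find_cleartext_logins(segments):
    """Return one finding per FTP login seen unencrypted on the control channel."""
    buffers = defaultdict(bytes)  # per-flow reassembly buffer
    pending_user = {}             # flow -> most recent USER argument
    findings = []
    for src, dst, dport, payload in segments:
        if dport != FTP_PORT:
            continue
        flow = (src, dst)
        buffers[flow] += payload
        # Parse only complete CRLF-terminated lines; keep the tail buffered.
        *lines, buffers[flow] = buffers[flow].split(b"\r\n")
        for line in lines:
            m = CMD.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == b"USER":
                pending_user[flow] = arg.decode("latin-1")
            elif flow in pending_user:
                findings.append({
                    "client": src, "server": dst,
                    "user": pending_user.pop(flow),
                    # Record the exposure, never the secret itself.
                    "password_len": len(arg),
                })
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_SEGMENTS):
        print(f"cleartext FTP login {f['client']} -> {f['server']} "
              f"user={f['user']} password=<{f['password_len']} bytes, redacted>")
```

Each finding is a reason to move that client and server to an encrypted alternative such as SFTP or FTPS.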
