Fighting Zombies with FastNMAP &
Npwn: A Case Study At Washington
University
REN-ISAC Techburst
Thursday, April 29, 2010
Brian Allen, CISSP
[email protected]
Network Security Analyst,
Washington University in St. Louis
http://nso.wustl.edu/
Washington University in St. Louis, MO
• Private University Founded in 1853
• 3,000+ Full-Time and Adjunct Faculty
• 13,000+ Full- and Part-Time Students
• 13,000+ Employees
• 4,000+ Students Living on Campus
Decentralized Campus Network
Diagram: Internet, NSS and NSO, with separately run networks for the Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture and Engineering School.
NSS = Network Services and Support
NSO = Network Security Office
A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning
• Give Notice to Departments Before Scanning
• The Period Between Scans is Not Too Important: Anywhere From 1 Week to a Couple of Months
• A Switch's One-Minute Heartbeat was Missed During a Scan, and the School's Network Engineers Were Paged
• A KVM Switch Hung: It was Old and Needed Updating, After Which it Handled the Scan Fine
• Identify Devices with Problems, Exclude Them From the Scan, and Work to Fix Them
My Scanner: Dell PowerEdge R805
• 2x Quad-Core AMD Opteron 2.4GHz
• 16GB Memory
• 2x 146GB 10K Hard Drives
• 4x Broadcom NetXtreme II 5708 1GbE Onboard NICs
• Need to upgrade to an Intel Pro/1000 PCI Express card ($100-200)
NMAP Scripting Engine
• I kept 92 NSE scripts, such as:
  – dns-recursion.nse
  – http-headers.nse
  – imap-capabilities.nse
  – irc-info.nse
  – p2p-conficker.nse
  – smb-enum-users.nse
  – ssl-cert.nse
• I removed all the brute-force ones, plus others such as:
  – smb-check-vulns.nse
  – smb-brute.nse
FastNMAP Command
# nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan' | awk '{print $5}' | ./fastnmap.pl
(-sL lists the targets without probing them and -n skips reverse DNS, so each "Nmap scan report for A.B.C.D" line carries the address in its fifth field; that address list is what fastnmap.pl reads on stdin)
NPWN Command
# ./npwn.pl -x -s 7 -d ./log/
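The FastNMAP command above shows only the front of the pipeline; fastnmap.pl itself is not on the slides. The script below is an added example, not the author's fastnmap.pl, that shows in POSIX sh the three stages such a wrapper needs: the same grep/awk extraction of addresses from `nmap -sL -n` output, round-robin sharding of the target list into per-worker files, and the per-shard nmap command using the NSE scripts kept on the earlier slide. The sample nmap output is constructed, and the sharding scheme, the `-Pn --open -sV` flags and the function names are assumptions about how a parallel wrapper could be built, not anything fastnmap.pl is documented to do.

```shell
#!/bin/sh
# Added example (not the slide's fastnmap.pl): the list-scan -> extract -> fan-out
# stages of a parallel nmap wrapper. The sharding and the per-shard nmap flags
# are assumptions; the slides do not describe fastnmap.pl's internals.

# Constructed sample of `nmap -sL -n` output (no scan was run to produce this).
SAMPLE_SL='Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-29 10:00 CDT
Nmap scan report for 128.252.0.1
Nmap scan report for 128.252.0.2
Nmap scan report for 128.252.0.3
Nmap scan report for 128.252.0.4
Nmap scan report for 128.252.0.5
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.01 seconds'

# The NSE scripts the slide keeps (brute-force scripts and smb-check-vulns are out).
KEEP_SCRIPTS='dns-recursion,http-headers,imap-capabilities,irc-info,p2p-conficker,smb-enum-users,ssl-cert'

# Stage 1: the slide's egrep/awk stage. With -n there is no reverse-DNS name,
# so the address is always the 5th field of "Nmap scan report for A.B.C.D".
extract_ips() {
    grep '^Nmap scan' | awk '{print $5}'
}

# Stage 2: round-robin the target list into N shard files under DIR so that
# N nmap processes can run side by side.  usage: shard_targets N DIR  (IPs on stdin)
shard_targets() {
    awk -v n="$1" -v dir="$2" '{ print > (dir "/targets." (NR % n)) }'
}

# Stage 3: the command one worker runs for a shard. -n/-Pn/--open keep the scan
# quiet and the output small; -sV plus the kept scripts is what a tagger such as
# npwn would consume. Echoed rather than executed so it can be inspected first.
# usage: scan_cmd SHARDFILE OUTPREFIX
scan_cmd() {
    printf 'nmap -n -Pn --open -sV --script %s -iL %s -oA %s\n' "$KEEP_SCRIPTS" "$1" "$2"
}

# Number of shard files written under DIR (sanity check on the split).
count_shards() {
    ls "$1"/targets.* | wc -l | tr -d ' '
}

# Demo: runs only when invoked as `sh fastnmap.sh demo`. Prints the per-shard
# commands; to actually fan them out, pipe the shard list through
#   xargs -P 2 -I{} sh -c "$(scan_cmd {} {}.out)"
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SL" | extract_ips | shard_targets 2 "$dir"
    for f in "$dir"/targets.*; do
        scan_cmd "$f" "$dir/$(basename "$f").out"
    done
}
case "${1:-}" in demo) run_demo ;; esac
```

Running `sh fastnmap.sh demo` prints two nmap command lines, one per shard; replace `2` with the number of workers the scanner box can sustain (the slide's scan of a /16 took three days, so the worker count, not the target list, is the knob to tune).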
FastNMAP.pl Status Update
• Took Three Days to Scan 128.252.0.0/16
• Much of the Campus Sits Behind Firewalls
• Can Only Scan the Medical School's 93 /24 Subnets Once per Month
• Not Scanning Any of Our Private IP Space (Student Subnets, Wireless, etc.)
• Usually Find About 3,000 IP Addresses Online
Some Interesting Npwn Tags
NPWN Tag               Severity
[VNCAUTHBYPASS]        {10}
[BACKDOOR]             {10}
[IMAPWEAKAUTHNOSSL]    {7}
[POP3WEAKAUTHNOSSL]    {7}
[NOPASSWD]             {7}
[OPENX11]              {7}
[SERV-U]               {6}
[OLD_MSFTP]            {4}
[SSLCERT_WILDCARD]     {4}
[NSFTP]                {3}
Any Questions?