Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University

Post on 12-Jan-2016


Transcript of Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University

Fighting Zombies with FastNMAP & Npwn: A Case Study At Washington University

REN-ISAC Techburst

Thursday, April 29th, 2010

Brian Allen, CISSP ballen@wustl.edu

Network Security Analyst, Washington University in St. Louis

http://nso.wustl.edu/

Washington University in St. Louis, MO

• Private University Founded in 1853
• 3,000+ Full Time and Adjunct Faculty
• 13,000+ Full and Part Time Students
• 13,000+ Employees
• 4000+ Students Living on Campus
• Decentralized Campus Network

Decentralized Campus Network (diagram showing the Internet, NSS, NSO and the school networks: Business School, Law School, Arts & Sciences, Medical School, Engineering School, Library, Social Work, Art & Architecture)

NSS = Network Services and Support
NSO = Network Security Office

A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning

• Give Notice to Departments Before Scanning
• The Period Between Scans is Not Too Important: 1 week < X < A Couple Months
• A Switch’s One Minute Heartbeat was Missed, and School’s Network Engineers Were Paged
• KVM Switch Hung – It was Old and Needed to be Updated, Then it Handled the Scan Fine
• Identify Devices with Problems, Exclude Them, Work to Fix them

My Scanner: Dell PowerEdge R805

• 2x Quad-Core AMD Opteron 2.4GHz
• 16GB Memory
• 2x 146GB 10K Hard Drives
• 4x Broadcom NetXtreme II 5708 1GbE Onboard NICs
• Need to upgrade to an Intel Pro/1000 PCI-Express card ($100-200)

NMAP Scripting Engine

• I kept 92 nse scripts like:
  – "dns-recursion.nse"
  – "http-headers.nse"
  – "imap-capabilities.nse"
  – "irc-info.nse"
  – "p2p-conficker.nse"
  – "smb-enum-users.nse"
  – "ssl-cert.nse"

• I removed all the brute force ones + others like:
  – "smb-check-vulns.nse"
  – "smb-brute.nse"

FastNMAP Command

# nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan' | awk '{print $5}' | ./fastnmap.pl

NPWN Command

# ./npwn.pl -x -s 7 -d ./log/

FastNMAP.pl Status Update

• Took three days to scan 128.252.0.0/16
• Much of the campus sits behind firewalls
• Can only scan the MedSchool’s 93 /24 subnets once per month
• Am not scanning any of our private IP space (student subnets, wireless, etc)
• Usually find about 3000 IP addresses online

Some Interesting Npwn Tags

NPWN TAG              Severity
[VNCAUTHBYPASS]       {10}
[BACKDOOR]            {10}
[IMAPWEAKAUTHNOSSL]   {7}
[POP3WEAKAUTHNOSSL]   {7}
[NOPASSWD]            {7}
[OPENX11]             {7}
[SERV-U]              {6}
[OLD_MSFTP]           {4}
[SSLCERT_WILDCARD]    {4}
[NSFTP]               {3}
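As an added illustration of how the tags above could be derived from the nmap runs in the FastNMAP pipeline (this is not npwn.pl or any code from the talk), the following script walks nmap XML output and attaches a subset of the slide's tags with their severities. The matching conditions are assumptions built on the output of the NSE scripts the talk kept (imap-capabilities, ssl-cert, x11-access); the sample XML is constructed.

```python
"""Npwn-style tagger over nmap -oX output (added example; rules are assumptions)."""
import xml.etree.ElementTree as ET

# Severities as listed on the slide, for the tags this example implements.
SEVERITY = {"IMAPWEAKAUTHNOSSL": 7, "POP3WEAKAUTHNOSSL": 7, "OPENX11": 7,
            "SERV-U": 6, "SSLCERT_WILDCARD": 4}


def port_tags(port):
    """Return the assumed tags for one <port> element of an nmap XML host."""
    svc = port.find("service")
    name = svc.get("name", "") if svc is not None else ""
    tunnel = svc.get("tunnel", "") if svc is not None else ""
    product = svc.get("product", "") if svc is not None else ""
    scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
    tags = []
    # Cleartext IMAP/POP3 that never offers STARTTLS/STLS: credentials cross the wire in the clear.
    imap_caps = scripts.get("imap-capabilities", "")
    if name == "imap" and tunnel != "ssl" and "STARTTLS" not in imap_caps \
            and "LOGINDISABLED" not in imap_caps:
        tags.append("IMAPWEAKAUTHNOSSL")
    if name == "pop3" and tunnel != "ssl" and "STLS" not in scripts.get("pop3-capabilities", ""):
        tags.append("POP3WEAKAUTHNOSSL")
    # x11-access reports "X server access is granted" when the display accepts any client.
    if "X server access is granted" in scripts.get("x11-access", ""):
        tags.append("OPENX11")
    if "Serv-U" in product:        # informational: inventory of Serv-U FTP servers
        tags.append("SERV-U")
    # ssl-cert prints the subject; a wildcard CN is flagged for review.
    if "commonName=*." in scripts.get("ssl-cert", ""):
        tags.append("SSLCERT_WILDCARD")
    return tags


def tag_hosts(xml_text):
    """Map each host address to its (tag, severity) list, highest severity first."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        found = {t for p in host.iter("port") for t in port_tags(p)}
        result[addr] = sorted(((t, SEVERITY[t]) for t in found), key=lambda x: (-x[1], x[0]))
    return result


# Constructed sample: one host with cleartext IMAP, a wildcard TLS cert and an open X display.
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="143"><service name="imap" product="Dovecot imapd"/>
<script id="imap-capabilities" output="IMAP4rev1 AUTH=PLAIN LITERAL+"/></port>
<port protocol="tcp" portid="443"><service name="http" tunnel="ssl"/>
<script id="ssl-cert" output="Subject: commonName=*.example.edu/organizationName=Example"/></port>
<port protocol="tcp" portid="6000"><service name="X11"/>
<script id="x11-access" output="X server access is granted"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    for addr, tags in tag_hosts(SAMPLE_XML).items():
        print(addr, " ".join(f"[{t}] {{{s}}}" for t, s in tags))
```

Feeding real `nmap -oX` files through `tag_hosts` and filtering on severity gives the same kind of triage list that `npwn.pl -s 7` produces for the talk's threshold.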

Any Questions?