Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University
15
Fighting Zombies with FastNMAP & Npwn: A Case Study At Washington University REN-ISAC Techburst Thursday, April 29st, 2010 Brian Allen, CISSP [email protected] Network Security Analyst, Washington University in St. Louis http://nso.wustl.edu/
description
Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University. REN-ISAC Techburst Thursday, April 29st, 2010 Brian Allen, CISSP [email protected] Network Security Analyst, Washington University in St. Louis http ://nso.wustl.edu/. Washington University in St. Louis, MO. - PowerPoint PPT Presentation
Transcript of Fighting Zombies with FastNMAP & Npwn : A Case Study At Washington University
Fighting Zombies with FastNMAP & Npwn: A Case Study At Washington
University
REN-ISAC Techburst
Thursday, April 29st, 2010
Brian Allen, CISSP [email protected]
Network Security Analyst,Washington University in St. Louis
http://nso.wustl.edu/
Washington University in St. Louis, MO
• Private University Founded in 1853• 3,000+ Full Time and Adjunct Faculty• 13,000+ Full and Part Time Students• 13,000+ Employees• 4000+ Students Living on Campus• Decentralized Campus Network
NSS
NSO
Business School
Law School
Arts & Sciences
Medical School
Engineering School
Internet
Decentralized Campus NetworkNSS = Network Services and SupportNSO = Network Security Office
Library
Social Work
Art & Architecture
A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning
A Short Discussion of .EDU Politics and Potential Pitfalls of Scanning
• Give Notice to Departments Before Scanning• The Period Between Scans is Not Too
Important : 1 week < X < A Couple Months• A Switch’s One Minute Heartbeat was Missed,
and School’s Network Engineers Were Paged• KVM Switch Hung – It was Old and Needed to
be Updated, Then it Handled the Scan Fine• Identify Devices with Problems, Exclude Them,
Work to Fix them
My Scanner: Dell PowerEdge R805
2x Quad-Core AMD Opteron 2.4GHz16GB Memory2x 146GB 10K Hard Drives4x Broadcom NetXtreme II 5708 1GbE Onboard
NICs Need to upgrade to an Intel Pro/1000 PCI-
Express card ($100-200)
NMAP Scripting Engine
• I kept 92 nse scripts like:– "dns-recursion.nse“– "http-headers.nse“– "imap-capabilities.nse“– "irc-info.nse“– "p2p-conficker.nse“– "smb-enum-users.nse“– "ssl-cert.nse“
• I removed all the brute force ones + others like: – "smb-check-vulns.nse“– "smb-brute.nse"
FastNMAP Command# nmap -sL -n 128.252.0.0/16 |egrep '^Nmap scan‘ |awk '{print $5}‘ |./fastnmap.pl
NPWN Command#./npwn.pl -x -s 7 -d ./log/
FastNMAP.pl Status Update• Took three days to scan 128.252.0.0/16• Much of the campus sits behind firewalls• Can only scan the MedSchool’s 93 /24 subnets
once per month• Am not scanning any of our private IP space
(student subnets, wireless, etc)• Usually find about 3000 IP addresses online
Some Interesting Npwn Tags
NPWN TAG Severity[VNCAUTHBYPASS] {10} [BACKDOOR] {10}[IMAPWEAKAUTHNOSSL] {7} [POP3WEAKAUTHNOSSL] {7} [NOPASSWD] {7} [OPENX11] {7}[SERV-U] {6}[OLD_MSFTP] {4} [SSLCERT_WILDCARD] {4} [NSFTP] {3}
Any Questions?
