If you are running a firewall with NAT, you may have to write a special rule in your firewall so that it doesn't translate the network address of that machine. Many newer firewall models automatically recognize IPsec packets and pass them through unchanged, so this extra step is unnecessary.
8. To test your connection, try pinging an internal address on the other side of the remote gateway. If you get a successful response, then you have an IPsec tunnel up and running.
9. If you really want to verify that the packets are being encrypted, use a packet sniffer such as Tcpdump or Ethereal to see if you can read any of the packets. If the sniffer identifies the packets as ESP packets (ESP is one of the IPsec subprotocols) and the packet payloads come up looking like gibberish, then all is working correctly.

Table 9.2 FreeS/WAN Parameters
Left: The IP address of your Left IPsec gateway.
Leftsubnet: The range of IPs behind the Left gateway.
Leftid: The host name in fully qualified domain name format with an @ in front of it. For example, @gateway.example.com.
Leftrsasigkey: The key you copied earlier from the Left machine.
Leftnexthop: The default gateway for the Left machine. The default setting should work in most cases.
Right: Same as Left above, but for the Right machine.
Rightsubnet: Same as Leftsubnet above, but for the Right machine.
Rightid: Same as Leftid above, but for the Right machine.
Rightrsasigkey: Same as Leftrsasigkey above, but for the Right machine.
Rightnexthop: Same as Leftnexthop above, but for the Right machine.
Auto: The default setting of add authorizes the connection but doesn't start it up when the system is booted. If you want it to start automatically, change this to start.
10. If you want to add multiple net-to-net connections, you can just add another section with a new title such as conn office1-to-office2. You can also rename the original net-to-net connection, as long as the name is the same in the ipsec.conf files on both machines.
Road Warrior Mode
This procedure is fairly similar to the last one, with a few exceptions. In this mode, the Right machine is the local machine on your IPsec gateway and the Left machine is your remote user.
1. On your remote machine, edit the same /etc/freeswan/ipsec.conf file using the following template. It looks similar to the net-to-net configuration with a few differences.
    conn road
        left=%defaultroute
        leftnexthop=%defaultroute
        leftid=@tonyslaptop.example.com
        leftrsasigkey=0sAQPIPN9uI
        right=192.0.2.2
        rightsubnet=10.0.0.0/24
        rightid=@gateway.example.com
        rightrsasigkey=0sAQOnwiBPt
        auto=add
The remote configuration uses %defaultroute to pick up your dynamic IP.
2. The Right side should contain the information for the gateway. Get on the gateway machine and use this template for that ipsec.conf file.
    conn road
        left=192.0.2.2
        leftid=gateway@example.com
        leftsubnet=192.0.2.1/24
        leftrsasigkey=0sAQOnwiBPt
        rightnexthop=%defaultroute
        right=%any
        rightid=tonyslaptop@example.com
        rightrsasigkey=0sAQPIPN9uI
        auto=add
Notice the entries are reversed on the gateway, using left for the local machine and right for the remote. Also, the right IP is defined as %any. This is a wildcard that allows any IP address, since you won't learn it until the remote user tries to connect.
3. Save this file.
4. You are ready to connect. Make sure that IPsec is up and running on the gateway machine, and then type the following command on the remote user end:
    ipsec auto start road
This should initiate the connection as before. If you don't get the message IPsec SA established, check your settings or refer to the troubleshooting section on the FreeS/WAN Web site.
5. Test and verify the connection in the same manner as the net-to-net procedure.
6. You can set up multiple remote connections as in the previous procedure and rename them whatever makes sense to you.
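A way to catch the most common road-warrior mistake before you type the connect command: a setting that is not mirrored between the two ipsec.conf files. This is an added Python example, not code from the book or from FreeS/WAN; the two conn blocks it checks are constructed here, with one deliberate typo.

```python
import re

SIDE_KEYS = ("", "id", "rsasigkey", "subnet", "nexthop")   # "" = bare left=/right=

def parse_conns(text):
    """Parse the 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
            continue
        if cur is not None and "=" in line:          # lines before any conn are ignored
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key.lower()] = val
    return conns

def check_mirror(remote, gateway, name):
    """The remote's left* values must equal the gateway's right* values and vice
    versa; wildcards (%any, %defaultroute) and unset keys cannot be compared."""
    if name not in remote or name not in gateway:
        return [f"conn {name} must be defined on both machines"]
    r, g, problems = remote[name], gateway[name], []
    for r_side, g_side in (("left", "right"), ("right", "left")):
        for k in SIDE_KEYS:
            rv, gv = r.get(r_side + k), g.get(g_side + k)
            if rv is None or gv is None or rv.startswith("%") or gv.startswith("%"):
                continue
            if rv != gv:
                problems.append(f"{r_side}{k}={rv} (remote) != {g_side}{k}={gv} (gateway)")
    return problems

# Constructed sample pair (not from the book); the gateway copy has a typo in rightid.
REMOTE_CONF = """
conn road
    left=%defaultroute
    leftid=@tonyslaptop.example.com
    leftrsasigkey=0sAQPIPN9uI
    right=192.0.2.2
    rightsubnet=10.0.0.0/24
    rightid=@gateway.example.com
    rightrsasigkey=0sAQOnwiBPt
"""
GATEWAY_CONF = """
conn road
    left=192.0.2.2
    leftsubnet=10.0.0.0/24
    leftid=@gateway.example.com
    leftrsasigkey=0sAQOnwiBPt
    right=%any
    rightid=@tonyslaptop.example.org   # typo: .org instead of .com
    rightrsasigkey=0sAQPIPN9uI
"""
def audit_sample():
    return check_mirror(parse_conns(REMOTE_CONF), parse_conns(GATEWAY_CONF), "road")
```

Run it against the real files from both machines (read them in and call check_mirror) before chasing the problem in the FreeS/WAN logs.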
Opportunistic Encryption
If you want to do this with FreeS/WAN, your gateway box must not be behind a firewall doing NAT (the change of IP address in the headers breaks IPsec header verification). It is preferable to have a static IP address on your gateway box. There are two ways to do OE: full or partial. In full OE you can initiate outbound IPsec connections and other IPsec hosts can initiate OE sessions with your gateway. In partial mode, your gateway must always initiate the connection. Both OE modes require you to have access to the DNS record for the hostname you want to set up.
Setting Up a Partial Opportunistic Encryption (initiate only)
1. First, edit the DNS record for the host name that you intend to use to add an entry for your key. The DNS record must match the ID you use in the ipsec.conf file; in the Road Warrior example earlier, that was gateway.example.com. Issue the following command on your gateway machine to create this record:
    ipsec showhostkey --txt @gateway_hostname
Replace gateway_hostname with your hostname, such as gateway.example.com. It produces a TXT record containing your key, formatted in the proper DNS syntax.
2. Insert this record into the zone file for that domain as a forward TXT record.
Note: If you aren't sure how to edit DNS records, have your DNS administrator help you. Making a mistake with a DNS record can easily take your whole domain down. Also, keep in mind that the changes will take a while to propagate across the Internet. Depending on where you are querying from, this process might take as long as 48 hours.
3. You can check to see if the change has taken place yet with the following query:
    ipsec verify --host gateway.example.com
It should respond with an OK statement for the forward record. The reverse record lookup will fail, but this is acceptable as long as you don't want to do a full OE. Remember that even though you can correctly query the DNS server, the other end of your connection may not be able to yet. Have them run the verify command as well.
4. Once both sides can see the DNS record, all you should have to do is restart your IPsec service by typing:
    service ipsec restart
When it comes back up, you should be ready to go. This is all that is required, since FreeS/WAN will automatically configure the connection using the DNS record information when it comes up.
Setting Up Full Opportunistic Encryption
In order to do full OE, you must have a static IP on the gateway and have full control of the DNS record for that IP. FreeS/WAN OE uses a reverse DNS lookup to verify the public key of any machine attempting to connect. The instructions are exactly the same as for partial OE, except that you also create a reverse DNS record for your gateway host name. Create the text record the same way as above and, after adding it as a forward record, add it as a reverse record tying it back to your static IP address. Again, if you are unsure of how to edit a DNS file, get some help; DNS is not something to monkey around with lightly. Once both records are visible from the Internet, you should be able to restart your IPsec service and establish connections with IPsec OE compliant hosts.
Password Crackers
You have learned how to protect your information in various ways using encryption, and how to encrypt files, sessions, and whole connections with other sites. The next section looks at a tool to help you make sure your password files are safe. This tool is a password encryption cracker. It does the reverse of all the tools in this chapter in that it tries to decrypt the password file without any keys. It is primarily to be used on password files to make sure you don't have passwords that are easy to crack.
Most passwords these days are not stored in plain text on the server. They are stored as hashes of the password so that the clear text password is not being passed across the network. On some operating systems, however, this hashing system is weak and the encryption is easily cracked. Worst case, if someone captures a password file, he or she can run a brute force attack on the hashes, discovering some passwords. This takes advantage of the tendency of most people to use simple passwords. You can limit this ability in most operating systems, but even then, people will figure out ways to get around the limitations in the interest of making their life simpler. Testing your password files with password crackers is the only way to know for sure how safe your users' passwords are.
John the Ripper: A Password Cracking Tool
John the Ripper
Author/primary contact: Solar Designer
Version reviewed: 1.6
John the Ripper was designed by the enigmatic Solar Designer to help system administrators flush out weak passwords, mostly on UNIX systems. John uses a text word file and checks the hash of each word in the file against the password file. It even tries variations on dictionary words such as cat1, cat2, and so on. It also uses some randomizing techniques after it runs out of words to keep on trying as long as you want to let it run. It comes with a basic word file, and you can also download various custom word files for different operating systems or create your own.
It is available for both UNIX and Windows. Since it is a command line tool only, the basic operations are the same for both operating systems. The separate installation processes are covered here.
Windows Installation
1. Download the Windows binary package from the Web site or the book's CD-ROM and unzip the file into its own directory.
2. There is no real Windows setup process here. Just put the files where you want them to reside and run them from that directory with the proper commands. You may want to add that directory to your system path if you want to be able to run John the Ripper from any directory. Otherwise, change to the john/run directory to access the binaries and run the program.
UNIX Installation
1. Download and untar the source code files from the Web site or the book's CD-ROM.
2. Issue the following command from the src directory it created:
    make
This displays a list of supported systems.
Note: If your system is not listed, substitute the command make generic in the next step (this should work most of the time).
3. Issue the following command, substituting your supported system type for system:
    make system
This builds the program and puts the main binary programs in the john/run directory.
4. Change into that directory and you are ready to run John the Ripper.
Using John the Ripper
1. First, you need to have a copy of the password file.
On most UNIX systems the password hashes aren't stored in the main password file but are kept in a file called the shadow password file (called shadow on Linux systems). This protects the password hashes from being viewed easily, since the main user password file has to be accessible to various other parts of the operating system and so has to be world-readable.
The password hash file looks something like Listing 9.1.
Listing 9.1 Sample Password Hash File
root:$1$‰8_pwš/‚$3ABCmAmVVtBbgXc1EpAZ7.:12080:0:99999:7:::
bin:*:12080:0:99999:7:::
daemon:*:12080:0:99999:7:::
adm:*:12080:0:99999:7:::
lp:*:12080:0:99999:7:::
sync:*:12080:0:99999:7:::
apache:!!:12080:0:99999:7:::
postfix:!!:12080:0:99999:7:::
mysql:!!:12080:0:99999:7:::
tony:$1$™bFÌb/_R$6RFzrkqq6nY4zTkmWQ8xV0:12080:0:99999:7:::
The seemingly random list of characters after the account name is the hash of the password. That is what John the Ripper goes to work on.
2. The text file password in your John the Ripper directory contains the default word list. You can add to this list if you have some custom passwords you want it to try, or replace it with your own word list.
3. To run John the Ripper, type the following command:
    john password_filename
Replace password_filename with the filename of the password file you want to test.
John the Ripper shows you any passwords it is able to crack on the screen as it tries. Most of the word lists will be run through in a few minutes. This is long enough for most purposes, but if you want to let it run longer to really test your passwords, you can run the process in the background.
You can also interrupt the testing process and return to it later. Press CTRL+C once to stop the testing and save the results in a file called john.pot. Note that pressing CTRL+C twice will abort the search and not save your results.
4. You can view the passwords retrieved thus far by typing:
    john -show password_file
5. If you want to pick a cracking session back up, use the following command:
    john -restore
And that's about all there is to it. Happy password cracking (only your own password files, please!). If you find weak passwords, you can go to those people and have them change them, or institute policies on the server that require stronger passwords.
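Before handing a shadow file to John, it helps to know which entries even have a hash to attack and how cheap that hash is to brute-force. This is an added audit script in Python, not from the book or from John the Ripper; its sample file follows the shape of Listing 9.1, but the users, salts and hashes are constructed.

```python
# Map the crypt(3) "$id$" prefix to its algorithm; anything not listed is reported unknown.
HASH_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256-crypt", "6": "sha512-crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"des-crypt", "md5-crypt", "EMPTY"}   # fast to brute-force (DES also caps at 8 chars)

def classify_hash(field):
    """Classify the password field (second colon-separated field) of a shadow entry."""
    if field == "":
        return "EMPTY"                   # no password set: anyone can log in
    if field[0] in "!*":
        return "locked"                  # not a valid hash; password login disabled
    if field.startswith("$"):
        return HASH_IDS.get(field.split("$")[1], "unknown")
    if len(field) == 13:
        return "des-crypt"               # traditional 13-character DES crypt(3)
    return "unknown"

def audit_shadow(text):
    """Return {user: {"algo", "weak", "lastchange"}} for every entry in a shadow file."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 9:
            continue                     # shadow(5) entries have nine fields
        user, pw, last = fields[0], fields[1], fields[2]
        algo = classify_hash(pw)
        report[user] = {"algo": algo, "weak": algo in WEAK,
                        "lastchange": int(last) if last else None}
    return report

def weak_accounts(report):
    """Accounts whose hashes (or lack of one) are cheap to attack; test these first."""
    return sorted(u for u, r in report.items() if r["weak"])

# Constructed sample in the shape of Listing 9.1 (users, salts and hashes are made up).
SAMPLE_SHADOW = """\
root:$1$abcdefgh$3ABCmAmVVtBbgXc1EpAZ7.:12080:0:99999:7:::
bin:*:12080:0:99999:7:::
apache:!!:12080:0:99999:7:::
tony:$1$ijklmnop$6RFzrkqq6nY4zTkmWQ8xV0:12080:0:99999:7:::
alice:$6$saltsalt$CONSTRUCTEDSHA512CRYPTHASHNOTREAL:12080:0:99999:7:::
legacy:abJnggxhB/yWI:12080:0:99999:7:::
guest::12080:0:99999:7:::
"""

if __name__ == "__main__":
    for user, r in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {r['algo']:13} {'WEAK' if r['weak'] else ''}")
```

Point it at a copy of your own shadow file (read it in and call audit_shadow) and the EMPTY and des-crypt or md5-crypt entries are the ones to fix regardless of what John recovers.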
Wireless Tools
Until recently, network administrators mostly only had to worry about securing physical, fixed information technology assets. This includes servers, routers, and firewalls: the things that make up our wired networks. However, with the advent of inexpensive wireless network equipment, there is a whole new spectrum (no pun intended) of security problems to contend with.
This new technology has helped to lower the cost of deploying networks, brought access to places it wasn't before, and made the term "mobile computing" truly a reality. It has also drastically changed the network security perimeter for companies of all sizes. Traditionally, corporate networks were connected to the outside world in only a few places (see Figure 10.1). This allowed network managers to concentrate on protecting these limited access points. You could put firewalls and other defenses at these crucial choke points. The inside of the network was largely treated as trusted because there was no way to get there other than through the protected points.
Chapter Overview
Concepts you will learn:
• Wireless LAN terms
• The 802.11 protocols
• Weaknesses of wireless LANs
• Wireless assessment equipment
Tools you will use:
NetStumbler, StumbVerter, Kismet Wireless, and AirSnort
Now the advancing march of technology has moved the security bar up a notch again. With a wireless LAN deployed, your new security perimeter becomes literally the air around you. Wireless attackers or eavesdroppers can come from any direction. If you have wireless access deployed, anyone with a $50.00 card can potentially listen in on your network without ever setting foot on your premises. Figure 10.2 shows the new network security perimeter with wireless technology. As you can see, if you are using wireless for part of your network, your security threats go up considerably. But before you can properly secure your wireless network, you need to understand how wireless local area networks function and what their basic weaknesses are.
Manufacturers of wireless LAN equipment have lowered the prices so much that it is now a feasible alternative for home networks. Rather than wiring your house for Ethernet to connect your PCs, you can buy a wireless base station and a couple of wireless cards and use the Internet from any room in your house (or outside, for that matter). Many business conventions now offer free wireless Internet access to their attendees via wireless stations. There are grassroots campaigns to create free Internet access for neighborhoods outside the reach of DSL or cable by using public wireless access points. Wide deployment of wireless LAN technology is definitely here to stay, and sooner or later you will probably have to deal with it.
Wireless LAN Technology Overview
Figure 10.1 Network Threats Before Wireless Networking (diagram: The Internet, a Firewall, and the internal Computers; attacks arrive only through the Internet connection)
The most popular protocol for wireless LAN technology today is by far the 802.11 series, commonly known as Wi-Fi. The 802.11 wireless standards are basically an extension of the Ethernet protocol, which is why it interoperates so well with wired Ethernet networks. It uses the frequencies of 2.4 GHz for 802.11b and 802.11g and 5 GHz for 802.11a to broadcast data signals. These frequencies are general-use spectrum, so you don't have to apply for a license from the FCC to use them. The downside of this is that other consumer devices can use these wavelengths too. Some cordless phones and microwaves are also on the 2.4 GHz band, so if you have these devices or other Wi-Fi networks in your area, you may encounter some interference.
This wavelength is perfect for the short range that Wi-Fi is intended for. Its design parameters allow for about 150 feet indoors and over 800 feet outdoors under normal conditions. However, with a high-power antenna and line of sight, you can get up to a 20-mile range, which makes it attractive for office-to-office communications within a city (this assumes you are not in very mountainous terrain and you have access to a rooftop at least several floors up). Table 10.1 describes the four flavors of the 802.11 wireless standard that have emerged.
Wi-Fi Terms
A Wi-Fi wireless network can operate in one of two modes. Ad-hoc mode allows you to directly connect two nodes together. This is useful if you want to connect some PCs together and don't need access to a LAN or to the Internet. Infrastructure mode lets you set up a base station, known as an access point (AP), and connect it to your LAN. All of the wireless nodes connect to the LAN through this point. This is the most common configuration in corporate networks, as it allows the administrator to control wireless access at one point.
Figure 10.2 Network Threats with Wireless Networking (diagram: The Internet, Firewall, Computers, a Wireless access point and Laptops; attacks now also arrive through the wireless access point)
Each wireless access point and card has a number assigned to it called a Basic Station System ID (BSSID). This is the MAC address for the access point's wireless side. The access point also has a Station Set Identifier (SSID), which defines the name of the wireless network that all the nodes associate with. This name is not necessarily unique to that access point. In fact, most manufacturers assign a default SSID to APs so they are usable right out of the box. The access point's SSID is needed to connect to the network. Some base stations have additional functionality, including routers and built-in DHCP servers. There are even some integrated units that act as a wireless access point, firewall, and router for home and small business users.
You set up a wireless network node by installing a wireless network interface card (NIC) in a computer. A wireless NIC comes in several forms: It can be a card that goes in a PC slot, a PCMCIA card, an external USB device, and now even a compact flash format for the smaller slots in handheld computers. An 802.11 wireless network in infrastructure mode has an access point that acts as your bridge between the wired Ethernet LAN and one or more wireless endpoints. The access point sends out "beacon" broadcasts frequently to let any wireless node in the area know that it is there. The beacon broadcasts act like a lighthouse, inviting any wireless nodes in the area to log on. These beacon signals are part of the problem with Wi-Fi. It is impossible to turn off these signals completely, which makes it hard to hide the fact that you have a wireless network in your office. Anyone with a wireless card can at least see your beacon signals if they are in range, although some sets allow you to limit the amount of information that goes out in these broadcasts.
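An added Python example, not from the book or from any of the chapter's tools, that decodes the beacon fields just described (BSSID, SSID and whether it is withheld, channel, the privacy bit) and uses them the way a defender would: to spot an unknown access point advertising your SSID, or an AP with no encryption turned on. The three frames are constructed in the block rather than captured.

```python
import struct

BEACON_SUBTYPE = 8     # management frame (type 0) with subtype 8 is a beacon
CAP_PRIVACY = 0x0010   # capability bit 4: the AP requires encryption (WEP in 2004)

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame):
    """Decode one raw 802.11 beacon (no radiotap header) into the fields an AP
    inventory cares about: BSSID, SSID (and whether it is hidden), channel, privacy."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc, _dur, _da, _sa, bssid, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    _ts, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": _mac(bssid), "interval_tu": interval, "channel": None,
            "privacy": bool(cap & CAP_PRIVACY), "ssid": "", "hidden": True}
    off = 36                                  # tagged parameters: id, length, data
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        data = frame[off + 2:off + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated tagged parameter")
        if tag == 0:                          # SSID; empty or all-NUL means "hidden"
            info["ssid"] = data.decode("utf-8", "replace")
            info["hidden"] = ln == 0 or data == b"\x00" * ln
        elif tag == 3 and ln == 1:            # DS parameter set carries the channel
            info["channel"] = data[0]
        off += 2 + ln
    return info

def build_beacon(bssid, ssid, channel, privacy):
    """Construct a minimal beacon for testing (sample data, not a real capture)."""
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)       # ESS bit plus optional privacy
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, cap)              # timestamp, 100 TU interval
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # supported rates 1/2/5.5/11
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + rates + bytes([3, 1, channel])

def find_suspect_aps(frames, our_ssid, authorized_bssids):
    """Flag beacons that use our SSID from an unknown BSSID (a rogue or impostor
    AP) and beacons with no privacy bit (an open network anyone can join)."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["ssid"] == our_ssid and b["bssid"] not in authorized_bssids:
            findings.append((b["bssid"], "unknown AP advertising our SSID"))
        if not b["privacy"]:
            findings.append((b["bssid"], "no encryption advertised"))
    return findings

# Constructed sample: our AP, an impostor using our SSID, and an open hidden-SSID AP.
AUTHORIZED = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), b"corpnet", 6, True),
    build_beacon(bytes.fromhex("66778899aabb"), b"corpnet", 6, True),
    build_beacon(bytes.fromhex("ccddeeff0011"), b"", 11, False),
]
```

The same parse_beacon works on management frames pulled from a monitor-mode capture once the capture driver's radiotap header has been stripped.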
Table 10.1 802.11 Wireless Standards
802.11a: This version of the standard uses the 5 GHz band, which is a less crowded spectrum and is less likely to have interference problems. The theoretical potential for this technology is 54 Mbps, which is a huge amount of bandwidth, but most applications in the field do not get nearly that much.
802.11b: This is currently the most popular wireless standard. It uses the 2.4 GHz band, which Bluetooth and other consumer devices also use. It offers up to 11 Mbps of bandwidth, although practical applications under less than optimal conditions usually yield about half of that.
802.11g: A newer release, this standard provides up to 54 Mbps of bandwidth, but in the same 2.4 GHz spectrum as 11b. It is also backward compatible with 11b hardware.
802.11i: This new protocol is basically an extension of 802.11b with fixes to the encryption protocol to make it much more secure. It has just recently been approved by the IEEE, and products using it should be available in late 2004.