WWDC2004 Session 635
Transcript
Kind: captions. Language: en.

Thanks a lot, folks. I'm [name unclear in captions] and I manage one of the Developer Technical Support teams, and I have the great pleasure of bringing up two people who spend their days worrying about security. Brian [surname unclear in captions] is part of our Emerging Technologies team, and Damien Weiss is part of our Apple Consulting team, and they spend their days, as I said, thinking about how to make things more secure. So if you'll help me welcome to the stage Brian and Damien.

I want to say welcome again to this session, 635, Security Best Practices Using Open Source Tools. My name is Brian [surname unclear in captions]; I work for a group called Emerging Technologies. We are involved in design, architecture and security for Apple's internal IT group, and my co-presenter here is Damien Weiss. He is an Apple consulting engineer, and he will be introducing himself during his presentation. Having said that, let's move to the presentation.

With the growth of the Internet, more and more people are getting onto the Internet, businesses are getting onto the Internet, and there is a lot of commerce done on the Internet. All these different factors have created the demand for security. To make things worse, in the past five or six years the number of vulnerabilities that have been reported, the threats that have been reported, and the virus attacks that have been reported have almost doubled. So all these events tell us a simple story: 19 letters, three words, one idea. Security is important.

The good news here is that OS X is a secure platform. It's got UNIX at its core, it's got security at its core, and it's got security at all the different levels. It also has so many different tools to enhance security. Especially as a system administrator, you could use OS X to increase the security of your platform, and you could use OS X as an administrative platform to administer other machines in the network. You could use OS X to do scanning, to do detection, and so many
different secure activities.

What are you going to learn here in this presentation? Initially you are going to learn about some of the user-level open source tools, tools that ship by default with the OS, tools that you can use to enhance the security in your organization: how do you configure these tools, and what are some of the hardening techniques that you can apply to these tools. And also you're going to look at some of the network scanning tools: how do you use intrusion detection software, what are some of the scanning tools, what are some of the event correlation software packages, and how can you detect file changes, file system changes, file tampering and all these different activities. And finally you are going to see how we can use some common security libraries which are common to all these different tools, how we can build on top of these tools, and get a general awareness of what's inside these security tools and so on. So it's going to be a real interesting journey.

We can approach security from three different angles. There are three different areas where potential and possible security attacks can come from: from the physical side of it; from the application side, where an attacker could attack your application and gain unauthorized access through your application, or upload malicious code through the application; and also from the network side. The section on physical security is actually added to make the presentation complete, but I'm actually going to quickly skim through it.

Physical security is often the hardest to obtain, because this involves humans and it also involves the responsibility of all the different departments in the organization, so this is actually the harder one to obtain. No matter how secure your system is in terms of software and hardware, if somebody gains physical access to your system there are so many different ways they can jeopardize the system. I just want to highlight two things here. I want to talk about
unprotected wireless networks, especially networks that aren't protected, where people can drive around with antennas and try to get into these networks, and attackers can use such networks as launch pads. Especially in the network that you have here at Apple, there are guys out there who are detecting and scanning and preventing vulnerabilities as it's happening, as I speak.

The next thing I want to talk about is having multiple applications. Well, having to use multiple different applications is inevitable, because you know you need so many different applications to do your day-to-day activities, but all these applications need some form of authentication, and eventually it's going to be a password. So at the end of the day you have to remember all these different passwords, and you cannot remember all of them, so you're going to write them on yellow stickies, stick them somewhere, and eventually they're going to go to the trash can and get into some attacker's hands, or somebody who has physical access is going to get his hands on the password, and then a compromise can happen. So it's always the best practice to move away from multiple-password systems: move on to a single sign-on system, or move on to a system that has single sign-on and a single password, or a multi-factor or two-factor based authentication system.

Compromises, as I said, will also happen at the application level. Before I go into the application level, I would like to talk about something. As I mentioned previously, OS X is a secure system; it is secure out of the box, and there are quite a few examples. The two things that I'd like to bring up here are that OS X has a real good separation between user accounts and administrative accounts: the root account is disabled by default, and there are file-level permissions that separate administrative and user accounts. And with Tiger you're going
to have all the ACLs and all the great features. And in terms of network ports, OS X client has zero ports open out of the box; an OS X client does not have any ports open. A server, of course, has six ports open out of the box, two of which are security software like sshd on 22 and the Kerberos port, and four of them are administrative ports.

Now we're going to look at some tools that enhance security. The reason that we are looking at these tools is that these tools can help you to enhance security: these tools can provide you with authentication, can provide you with access, can also provide you with encryption, can provide you with data integrity, and so on and so forth. So what we're going to do is look at some configuration and some hardening techniques using these tools.

The first tool we're going to talk about is OpenSSL. It's shipped by default with OS X. It is an open source tool; it's an open source implementation of the SSL protocol. It's a great tool to do certificate management: you can manage a certificate throughout its life cycle using this tool, and you can also manage a private key throughout its life cycle. You can use this tool to do client/server based authentication, and you can also do encryption using this tool; it has all these different encryption utilities embedded in it. Especially, what you could do is actually generate a certificate by using OpenSSL, and then later on you can use that certificate to do both client and server authentication. Especially when you hit an HTTPS website, your client browser encounters a server certificate, and then, by looking at what is installed in the client, it actually verifies the server certificate, and the reverse also could be done. So basically this tool allows you to produce certificates that can later on be used to do authentication and encryption and so on and so forth. However, at Apple we do ship the CDSA frameworks.
The CDSA frameworks are much more secure. They provide certificate management functions, security services, encryption services, and a lot of the things that OpenSSL does, and there are numerous advantages to using the CDSA frameworks, because if you use the CDSA frameworks you can do export control paperwork really easily, and you have so many other different features as far as handling private keys, public keys and so on and so forth, and it's optimized too. So at Apple we strongly recommend you use the CDSA frameworks. If you have an old application that uses OpenSSL, that links directly to some OpenSSL libraries, it's okay to use OpenSSL, but if you are trying to build some cryptographic application or some kind of public key based application, it's always recommended that you use the CDSA frameworks.

What we see here are some of the functions that OpenSSL can do. First, generating keys: OpenSSL can be used to generate private keys. It can also be used to view keys, view your private keys, and also view your certificate. It can be used to create certificate signing requests: you basically give the private key in, and then you tell OpenSSL to create a CSR, a signing request, and it will give you a bunch of questions which you need to answer, and then it will eventually create your signing request. You can create a CRL; in the case of verification, when the server verifies the client, or the client verifies the server certificate, it'll actually check against the CRL, and you can create CRLs by using OpenSSL. You can actually do the signing process itself by using OpenSSL, provided you are the CA, or the signer, or the administrator. You can also do certificate format changing and formatting: for example, certificates come in multiple formats, and you can turn them from PEM format to DER format and so on and so forth. Then, finally, you can verify: you can actually tell OpenSSL what role you want it to play, and it
actually will go through the different depths that you specify to verify your certificate.

What we have here is a typical example in the case of web authentication. If a website wants to authenticate a client, what would the web server do? It would actually have some kind of a username/password, some kind of a basic or a digest based mechanism to authenticate the client. We could also use a certificate from the client side to really authenticate to the server. So in order to do that, in this example we modified the httpd.conf and added some configuration to it to do such an authentication. What we did first is that we added this entry, which basically tells you which CA certificate to verify the client certificate with, the name of the CA certificate that will verify the client certificate. This section tells you the directory that you want to protect, and these are some of the SSL options that allow you to tell SSL to do certain functionality for you to protect your website.

Next, what you're going to look at is OpenSSH. OpenSSH is the open source implementation of the SSH protocol. OpenSSH is shipped by default in OS X. It's a great tool; it provides you with encryption, data integrity and secure communication. It actually encrypts both your data channel as well as your command channel, so in essence the remote shell is actually OpenSSH. It provides you file transfer services, it provides you secure shell services, it provides you secure copy services, and it replaces all the other utilities, so we recommend you use OpenSSH. It's a great tool, and OpenSSH has a client as well as a server side. The client is basically the ssh or the scp or the sftp components, and the server side is the sshd daemon. So let's look at some hardening techniques that you can use on the sshd daemon to increase security. The file in question here is sshd_config, and some of the changes that you're going to make
here: basically, we could filter connections that are coming into sshd based on IP, and give access to incoming connections that way, and then something else we could do is filter based on users; you could allow only certain users to connect to the system. Now, the important thing I'd like to highlight here is that previously I mentioned moving away from password systems, so you could use some kind of a public key based system to authenticate to sshd, or you could even move into a system like Kerberos.

Having said that, let's move into the next section: IP firewalls. We said that OS X is a very secure platform out of the box. As soon as you start using all the different services, eventually you're going to open up a lot of ports; you're going to open up different ports, and you're going to install all your different servers, so they are going to have a lot of ports too. So the best way, when you are in a public network, to protect yourself is by using an IP firewall, and OS X by default has a firewall built into it. If you go to the client, the ipfw firewall interface in the client is in the System Preferences Sharing panel, and in a server you have it in the Server Admin panel. So you can enable your firewall and protect yourself from all the attacks that can happen on the public Internet. And if you are a command line kind of guy, you could actually use the ipfw utility and build your firewalls, and then centrally push firewalls, and do all kinds of different activities. So the ipfw rule goes like this: ipfw, then the command (add, or list, or zero, all those things), then the action, the protocol, the addresses, and also the interface, the source, the destination and so on and so forth. And what you see below is a list of rules that have been installed into ipfw.

The next interesting tool that I would like to talk about is Kerberos. Previously, I mean in the slide
that came before, the tools that I was talking about are primarily both public key and shared key based mechanisms. Now we're going to talk about Kerberos. Kerberos is primarily a shared key based mechanism. It actually gives security; it provides you with authentication and single sign-on, and Kerberos is shipped by default with OS X. It's MIT's; to be technically correct, it's MIT's three-party key agreement protocol. So basically what it does is that it gives you single sign-on, it gives you authentication. So how does it give you single sign-on? To understand how Kerberos gives single sign-on, we need to understand that there are three components in this system: the client, the application server, and the KDC. The real problem here is that the server needs to authenticate the client. So how can the server authenticate the client? The server can authenticate the client by some sort of trust credentials provided by a trusted entity, and that trusted entity is the Key Distribution Center, or the KDC. In Kerberos the KDC will have all the different user accounts, and what happens is the clients and the application servers will actually have Kerberos libraries installed on them. So when somebody wants to log into Kerberos, he will log into the client-side Kerberos library, and as soon as a login happens, a ticket granting ticket is given to the client. This ticket granting ticket is stored in the client cache, and as long as you have a ticket granting ticket, you can actually participate in all the other different authentication sessions. For example, if you want to use an application, the user will go and click an application, the application opens up, and the application sees, okay, there's a ticket granting ticket, because the application is sensitive to Kerberos. So it sees that there's a ticket granting ticket, it takes the ticket granting ticket, sends it to the KDC, and it will get a service ticket for that
session. Once you get a service ticket, the application will take a one-time token from the service ticket and send that through its custom protocol. It could also use Kerberos, but most applications use their own protocols to take that token from the service ticket; it can be a GSS token, or if you are familiar with the APIs, it can be a GSS or a KRB token. It takes a token, presents it to the application server, and the application server verifies it and gives access. And as long as you have a TGT, all the different applications can participate in single sign-on. So using one TGT and multiple different service tickets, the applications can participate in single sign-on. The beauty here is that when a user logs in, the password never travels across the wire, and the TGT and the service tickets are actually time limited, so it increases the security.

What we have here is the Kerberos configuration file. In OS X it's in /Library/Preferences; it's called edu.mit.Kerberos. If you are using some sort of a directory mechanism, like if you enable the Active Directory plug-in or if you enable an LDAP based plug-in, and you want to use Kerberos along with it, this file would be automatically created for you. If you are connecting to a different Kerberos server, like a [vendor name unclear in captions] server or something, you could create this file. So let me quickly go through this file. Each KDC belongs to a realm, or a domain, just like your system belongs to your domain; so it belongs to a realm, and what you see here are the realm configurations. What you see here is the entry that tells your client Kerberos libraries where your KDC is: it will give you the domain name of the KDC as well as the port of the KDC. So you can have multiple KDC entries down there, and in case of a failure, in case the first KDC fails, it would naturally fail over to the second KDC and so on and so forth.

In our Apple IT group we did
have the exact same problem. We had a number of applications, tons of them, and then we had tons of passwords to remember. So what we did is we moved on from our password scheme to a single sign-on based scheme. How did we do that? We actually used the framework that was deployed in the OS X platform, the Kerberos framework, and we built a login application on top of that, and we also added some more features on top of this application. So what did we actually add? The things that we added were: we added extension based on activity. If a user is sitting actively at his terminal, with some kind of keystrokes or mouse movements, then the tickets will be renewed; the TGT that was obtained will be renewed. The TGT will be taken for a shorter time, and we will keep on renewing it according to activity. Something else we added was selective participation. There are certain mission-critical applications which do not want to participate in single sign-on, so these applications can centrally be disabled from participating in single sign-on, or the user can decide whether he wants his application to participate in single sign-on or not, and so on and so forth. We also added another nice feature; it's called login hooks, or logout hooks. Especially if somebody is logged into the single sign-on system, and somebody goes into the Kerberos window and signs off, the hooks would naturally call back each application and say, look, this guy has already logged out, and the applications could take their own actions. And the vice versa is true too: you could actually install a hook so that when people log out of applications, the central login system would know about it. And one of the most interesting things we did is that we added pluggable authentication to our single sign-on system. So we basically added Kerberos hardware authentication as well as security authentication module based authentication,
so we could do Kerberos authentication and we could bootstrap the authentication by using smart cards, and that was a very cool thing that we did.

What you are going to see here is a tiny demo; it's going to be actually a video demo. So what you see here is the Kerberos window, and we don't have any tickets right now. So we are going to the central application that we created, and then we are logging into the system. Oops, the caps lock is on, okay, let me go back and type everything; that's a long password. So let me sign in. I'm signing into the system, and I'm also automatically signed into Kerberos, so it shows my TGT, and I can see my TGT there, and it's time limited; it's taken for an hour. And now, since I have the TGT, I can go back to the application and sign in using the application. So now I'm signed in. If I go back to Kerberos, I should see, I'm actually moving, try dragging the application away. If I go back to Kerberos I will also see my service ticket for that application. And now I'm signing off my application service ticket, and it automatically logs me off the application. If I try to sign in again, it'll actually prompt me with my login window. So you also can actually use the existing Kerberos framework and start building single sign-on systems. It really is real easy to do, and it's real powerful, and it's really good. Having said that, let's move on to the next section: keychains.

Well, in OS X the keychain is the default central repository for all passwords and all secrets, so you could store passwords as well as certificates and all these different things in the keychain. And especially if you want OS X native applications like Safari, the frameworks and all these different components to really recognize your certificates, you need to install them into the keychains; you have to install them into the anchors file. So we have seen all the basic tools. Now let's see what else can be done.
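The sshd_config hardening points made earlier in this section (only let certain users connect, filter incoming connections by source address, and move from passwords to public keys or Kerberos) can be checked mechanically. The following is an added example, not code from the session or from OpenSSH: a small Python audit that parses an sshd_config the way sshd does (first occurrence of a directive wins), flags the weak settings, and applies AllowUsers USER@HOST patterns to a would-be login. The two sample configurations and the addresses in them are constructed for the example.

```python
"""Audit sshd_config for the hardening points in the talk: restrict which
users (and from which hosts) may connect, and prefer public-key or Kerberos
authentication over passwords.  Added example; the sample configs below are
constructed, not taken from any real host."""

import fnmatch

# Constructed "before" configuration: passwords allowed, nobody restricted.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication no
"""

# Constructed "after" configuration following the talk's recommendations.
HARDENED_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
KerberosAuthentication yes
# USER@HOST patterns restrict by account and by source address.
AllowUsers admin@10.1.2.* deploy@10.1.2.7
"""


def parse_sshd_config(text):
    """Map directive names (lower-cased) to their values.

    sshd uses the FIRST occurrence of a keyword and ignores later duplicates;
    mirroring that rule keeps the audit honest about what sshd will really do.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)
    return config


def audit_sshd_config(text):
    """Return a list of findings (an empty list means the checks pass)."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults apply when a directive is absent.
    password = cfg.get("passwordauthentication", "yes").lower()
    pubkey = cfg.get("pubkeyauthentication", "yes").lower()
    kerberos = cfg.get("kerberosauthentication", "no").lower()
    if password == "yes":
        findings.append("PasswordAuthentication yes: passwords still accepted; "
                        "move to public keys or Kerberos")
    if pubkey != "yes" and kerberos != "yes":
        findings.append("neither PubkeyAuthentication nor KerberosAuthentication "
                        "is enabled")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every account may connect")
    elif "allowusers" in cfg and not any("@" in p for p in cfg["allowusers"].split()):
        findings.append("AllowUsers has no USER@HOST entry: no source-address restriction")
    return findings


def login_permitted(text, user, source_ip):
    """Apply AllowUsers the way sshd does: a USER or USER@HOST glob must match."""
    cfg = parse_sshd_config(text)
    if "allowusers" not in cfg:
        return True  # no restriction configured
    for pattern in cfg["allowusers"].split():
        user_pat, _, host_pat = pattern.partition("@")
        if fnmatch.fnmatchcase(user, user_pat) and (
                not host_pat or fnmatch.fnmatchcase(source_ip, host_pat)):
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print(login_permitted(HARDENED_CONFIG, "admin", "10.1.2.5"))   # True
    print(login_permitted(HARDENED_CONFIG, "admin", "192.0.2.9"))  # False
```

Run it against a real sshd_config by reading the file into `audit_sshd_config`; the first-match rule in `parse_sshd_config` matters because a hardening line appended to the end of a file that already sets the same directive has no effect.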
So I'm going to toss it on to Damien to lead us from here. Damien, there you go.

Thank you, Brian. My name's Damien Weiss. I work for the Apple Enterprise Consulting group, dealing with deployment and integration issues, and I spend most of my time, most of my focus, on security issues. I'm going to talk about what else can be done. We're going to talk about password policies, scanning files and changes, and network intrusion detection.

Let's talk about password policies. You know, passwords are the main gate into your machine. They are the easiest way in, and if you make them so, the hardest way in. I have a friend of mine who aspires to be a screenwriter, and he loves to say, all the time, you know, if he had a thousand monkeys at a thousand typewriters typing for a thousand years, they'd eventually turn out the screenplay for The Godfather. He also likes to say that if you gave them a day, they would turn out the screenplay for Titanic, and the monkeys would have enough time to smoke a couple of cigarettes afterwards. That aside, I see a lot of folks when I go on site, I see a lot of folks who have the Titanic of passwords. Their password policies are very lax, and indeed, alas, I'll say, well, you know, what's your password, or what's this user's password, and they'll tell me, and generally it's the username plus a number, which is the first thing of course people scan for. You know, what do we do at Apple to help you guys out? Well, we help you enact password policies by actually implementing it into Open Directory. And there's a mistake up here on the screen where it says Workgroup Manager; that's supposed to say Server Admin. So if you go to Server Admin, then to the Open Directory tab, you'll actually see there you can set a number of things. You can set password policies such as whether or not the user can have a password with their name in it, or whether or not they have to have numbers, or anything along those lines. Also, password generators are great to use. There's
hundreds of them out there. If you go to Google and search for simply "password generator", at least 100 will pop up. My two favorites personally are those that go ahead and generate passwords that are not in the dictionary but nevertheless sound like normal English words; indeed, what you find is that they're words that sound like words that you would use every day, but grossly misspelled. Also, there are those password generators that generate passwords that are easy to type but are just an amalgam of letters and numbers and punctuation marks.

Finally, administrator password policies. You know, I remember the first time as a system administrator I was actually working at the Defense Department, at DISA, and the administrator's root password for 35 NeXTSTEP machines was simply DISA and then the name of that computer. That's what it was when I first arrived, and needless to say, about 15 years later things don't seem to change at clients. Part of the problem is too many machines to remember the root password or administrator password for. I would strongly suggest that each password be unique. Don't try to go ahead and make the mistake of setting up the administrator password based on the company name, or your manager's name, or anything along those lines, because you really need to protect yourself, especially the admin password, from both external attacks but also internal attacks. The guy three cubes down knows what your manager's name is.

We're going to talk about network scanning and monitoring, and we're going to talk about these tools, but first, you know, these tools really generate a lot of output, and the real goal is to go ahead and essentially break into your network and find the weaknesses for you. And a lot of folks for some reason seem to think a good idea is just to leave the results of this on the hard drive, just somewhere unencrypted or world readable. Please secure them. My favorite technique is to actually use one of those USB memory sticks and actually copy it on,
take it, put it in your pocket, and then use it appropriately.

Let's talk about nmap. Let's talk about a port. We all know this; you know, a port is a logical connection, it's the name for a logical connection between services that stays open, and obviously we can go ahead and look for these ports, services that are listening for requests or staying open, and using a port scanner like nmap allows us to find those. nmap's really good for quick and dirty scans for ports, and because of that you can find out what services the users are running. In this example I have here, I've got the verbose flag turned on, -sS specifies that it's going into a TCP SYN scan mode, and the -O is for OS detection, scanning every machine on this network. And I'm doing that for a very important reason: you can't have your eyes everywhere. Folks have an easy way of plugging in a computer and then hiding it from you in order to listen to all the traffic on the network.

Let's talk about Nessus. Nessus is a great utility. It goes ahead and does more than, obviously, nmap. It goes ahead and performs scans; it looks at and actively tests the network based on plugins that you've given it, so for instance database plugins, or plugins, oops, there we go, sorry about that. It goes ahead and has plugins for a number of operating systems and a number of protocols and services. It allows you to go ahead and specify exactly what it is that you're scanning for, and those results are very good. You can go ahead and rescan over and over and over again. I have a client who actually runs Nessus day and night, specifically just looking for new stuff and new vulnerabilities out there on the network.

OSSIM really straddles the line between scanning and monitoring and intrusion detection, which we're going to get to later on here, but I really wanted to stick it here in scanning and monitoring. It really is sort of the overlord, if you want to think of it that way, of security utilities. It gathers information from everywhere, from log
files, from scans, from anything and everything that it can possibly find. Its goal is to bring that all together in one place, but more importantly, to bring it together in one place so it gets a better read on the network, so as to eliminate any false positives, excuse me, any false negatives, of intrusion detection on your network.

What else can you do? Well, you can also scan the file system. What I mean by that is that scanning the file system is simply going through, looking at each one of the files, doing a checksum on each one of those files, and then saving that checksum. That goes ahead and allows you to be able to know when any changes have been made. And why do you want to do that? Well, very simply, when a break-in happens, the evidence of the break-in, and certainly the evidence of the attempt at a break-in, is generally found somewhere on the file system. Also, after a break-in has happened, any back doors that are left on the machine are definitely found somewhere within that file system. Knowing about a break-in after it happens, very soon after it, often helps to prevent further break-ins. You can see that the first machine to go is generally the beachhead, and then from there, because all the machines are generally trusting of each other on some level or another, or in the case of most machines, you know, all the administrative passwords are the same, it allows the ease of breaking into further machines. So you really want to stop that as quickly as possible.

Let's talk about a couple of tools that allow you to scan: Tripwire and Radmind. First is Tripwire. Tripwire is great for locking down one machine, even if it's not on the network. It goes ahead, just like I said, and does a checksum on every single file on your network, excuse me, on that one machine, and it goes ahead and detects changes. So you run it every night at one o'clock in the morning, or whenever, and it will go ahead and tell you what files have been changed. A lot of files change every day, obviously: log files, those
kinds of things, temp files, those things change normally. But what you're looking for, obviously, are changes in files and in directories that shouldn't be changing at all. A good thing to look for here is the SUID bit: SUID bits that have been changed or added to files. An old, popular back door was to go ahead and find an SUID file, or actually create an SUID file depending on what kind of access the cracker had to the machine, and copy in a shell, a C shell, any shell binary, into that, and now that container of a file is granting you an SUID shell.

Radmind, you know, Radmind won one of the Design Awards at last year's WWDC. It's a great utility; if you guys haven't looked at it, I encourage you in a strong way to take a look. It's really a client-server Tripwire; that's the best way I know to describe it. The first thing that you would do is first configure your Radmind server to take the loadsets, which are those checksum files, and go ahead then and go to each one of the clients, or use ARD for that matter, to run the assistant to go ahead and create those loadsets. At that point you can go ahead and automatically check for any changes, and even possibly roll back any changes.

Let's talk about network intrusion detection, and why you want to do that. Well, as the slide says very simply, another pair of eyes never hurts, and in this case multiple sets of eyes never hurt, and all the machines never sleep. And I have noticed that it seems that crackers seem to work best, or at the very least most frequently, from about ten o'clock to about four o'clock in the morning, and that's generally the time when I am dead asleep. Two tools I'm going to go over: HenWen and Snort. HenWen is the Mac OS X front end for Snort. The GUI application allows you to get a quick up-and-running intrusion detection system going. It is great for those folks who want to have the power of Snort but don't want to bother with all the configuration of it; you don't want to bother reading through
all the text and configuration files. I strongly recommend folks go ahead and download it and take a quick look at it; it's very well worth it. It also allows for easy Spade configuration. We're going to talk about Spade in a second here. Spade is a part of HenWen, excuse me, it's actually an add-on to Snort, but the configuration is there in HenWen. What it does is Spade listens to each one of the packets that come through and assigns it a score. It has a model: it listens to that packet, figures out how suspicious the packet is, and the score is based on that suspicion. The lower the score, the less suspicious the packet, and conversely the higher the score, the more suspicious the packet is. You can set the threshold at which Spade will notify you of suspicious activity happening on your network. What I like about Spade is that it's very similar to junk mail filtering within our Mail application, wherein it goes into a learning mode, and then after you're satisfied with its learning mode it will automatically set that threshold score, and then it will also continue to automatically adjust itself; it'll automatically adapt based on more traffic it sees. Snort: you know, this is a big mouthful. I've been practicing this slide over the last week and every time I get to the sentence I'm always just blown away. Snort uses user-defined preprocessors and rule sets to detect suspicious packets. And what that means is... I'm like, someone applauded for that, I didn't know that people were in doubt of my literacy. It uses rule sets to detect suspicious packets, and what that means is there's a number of rule sets that run within Snort. It listens to each one of the packets and uses byte-level matching in order to figure out, based on the rules, what needs to happen: whether or not notifications need to happen, whether or not
notifications don't need to happen, or whether further processing needs to happen. Those preprocessors obviously are just what they say: they're just preprocessors, they're there before you get to the rules. We'll talk about preprocessors. The rules are written like this. First you have an action, which in this case is alert, in this example. The next one is the protocol, which will be TCP. The source address is any and the port address is any. Now what I've gone ahead and done is set up this rule for detecting any mountd access from anywhere to my local network, so I've got my destination address, which is the 192.168 with the netmask of 24, port number 111, which is the mountd port, and the actual specific content which is within that packet, which is saying, hey look, you know, this is a mountd packet. And what actually needs to happen? Well, we're going to go ahead and send a message to the Snort log that a mountd access has happened. Preprocessors: preprocessors run before the rule set. They allow for packet modification and analysis before handing it off to that detection engine, or those rules. And so what that means is that the preprocessors run before the rule set, so if you have certain packets that you don't want to be detected, or if you're getting a lot of false negatives on a specific type of packet or from one specific machine, the place to go ahead and exempt those packets is there in the preprocessors; go ahead and specify them in the configuration file just like we have up here. The output modules: the output module is simply just telling Snort where to send the rule set and preprocessor information. So as a packet comes in and goes to the rule sets, where is Snort supposed to write that information to? That's where the output modules come into play. I know some clients like to go ahead and specify all the output just go into one huge honking file and others like to go ahead and
break it up very, very small. You know, we've talked about what else you should do, and now I'm going to talk about what you shouldn't do. Please don't enable the r utilities: rsh, rcp, etc. I have been guilty of doing this in the past; however, the models have changed. Now we actually have alternatives to each one of these utilities, and while the utilities themselves specifically are not secure, in order to go ahead and get them up and running you have to go ahead and open up security holes. Telnet: there's a great alternative, Brian had talked about secure shell. And finger: I've noticed, the first time I was introduced to Unix, the first thing I actually was introduced to was finger, and I thought this was earth-shattering, that you could go ahead and actually stick your status in somewhere and people could actually read it; this is the greatest thing since sliced bread. Obviously all the functionality of finger has now been replaced by AIM or by, you know, personal web pages. Also try not to use non-SSL mail protocols. I love to go to a client site, set up my PowerBook, let it scan for an hour and then show the clients all the mail passwords and usernames that I've gone ahead and harvested just by listening to their network. It usually brings a little bit of unease, but then they realize, hey, we need to do something about this, and that's what I enjoy, is actually fixing those problems. FTP: use SFTP or secure shell. TFTP: while limited use of TFTP isn't inherently insecure, you see a lot of times folks trying to extend TFTP beyond what it was designed to do, and that's making it insecure. And finally, non-Open Directory based authentication: there's a lot of problems that we see outside of Open Directory and I would encourage you not to enable it. So with that, I'm going to go ahead and invite Brian back up here and he'll talk to you about writing your own tools. Goodbye.

Thanks, Damien, that was wonderful. We saw a great list of all these different open source tools
and how you can take advantage of them to do scanning, intrusion detection, even correlation, and all these different things. Especially as an administrator, one of the things that you really need to know is, when you use all these tools, what is inside these tools, and to get a general awareness you have to know what the components of these tools are. So I'm going to talk to you about some other network components, or some other libraries, that these tools are constructed with, and most of them are open source libraries. The first library that I'm going to talk about is libpcap. libpcap is default in OS X. It's a packet capturing library; it listens on the wire and it can capture both Ethernet, TCP/IP, and all these different types of packets, and any sort of application like tcpdump would actually use libpcap. A lot of the different tools, all the different open source tools, actually use libpcap to do the packet capturing. Later on I'm going to show you a program that I've written using libpcap. It's a great library. The next library is libnet. libnet is a packet injection slash packet creation library, so you can use libnet to create TCP packets, I would say ARP packets, with different headers and all this different stuff. So it's a great utility, and a lot of the intrusion detection tools and even Snort use libnet. libnet is actually a low-level tool; if you are building all these different open source libraries you have to build libnet first in order to build all the other libraries. The next is libdnet. libdnet is an abstraction library which provides you abstracted kernel data, like the interface information, like the ARP cache, and also the routing table, so you can have direct access to the routing table by using libdnet, and a lot of the security tools and applications do in fact use libdnet. The next tool is, I keep on saying tool
for libraries, the next library is libsf. libsf is an OS fingerprinting library, so by using libsf you can detect what your destination OS is, what OS you are pinging on. Basically libsf can work in active as well as passive mode, and what it does is it has a database on how the kernel responds to certain packets, and depending on the feedback it receives, it compares it and it actually gives scores, and the system that gets the highest score is most likely to be the system at the destination. So it's a great library you can use in your tools. The next library is libnids. libnids is the TCP fragmentation and assembly detection library. Most of the intrusion detection tools actually use libnids, like dsniff; all these tools, they use libnids. You can actually register a callback function into libnids, and when libnids encounters fragmented IP packets it will actually call you back, so it has great functionality. The reasons, as I said before, why I am talking about all these different libraries: I'm talking about these different libraries because it gives you a general awareness of what your tools are made of. Second, if you are a developer, it gives you the ability to code and write up a tiny tool, because most of the security tools that we have, they are for a specific purpose, and you might have a purpose that's different from the tool's purpose, so you can actually quickly write up a tool of your own by using some of these libraries. Having said that, let's move on to see how you can write your tool. I in fact wrote up a small program, a hundred lines of code, within less than an hour; it's very easy. I call it the Browse program, and there are actually programs like this in the open source arena. What this does is it uses libpcap, listens on your wire, captures IP packets, and then
it strips off MAC addresses from the packets, and if it finds a new MAC address it stores it in an array, and then it resolves the MAC address to a vendor name. So basically it browses the network and finds out all these different devices and which vendor each belongs to. You could actually easily extend this program, put libsf in it, and you could actually do OS fingerprinting as well. So it's a very tiny program, and what you see here is the output of the program. You see I ran it in my home network, and you see the MAC addresses, the IPs, and the vendor names. So the knowledge of these libraries will allow you to write up tools and increase security in your network. Now in conclusion: take advantage of all the tools that we showed you, they are great tools, and also use OS X as an administrative platform to run all these tools and secure your network. And here what you see are some of the different URLs for these tools, tools like Nessus, Nmap, Radmind, and the libdnet and libnet libraries. Those were some of the tools; the rest of them actually come in OS X.
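The core of the Browse program Brian describes, as an added example that is not the session's own code: take each IPv4 frame, pull out the source MAC and IP, keep only MACs not already in the array, and resolve the OUI to a vendor name. To run offline it feeds constructed frames to a handler shaped like a pcap_loop callback instead of opening a live libpcap capture; the OUI table, the build_frame helper and the sample MACs and IPs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed OUI table standing in for a real vendor database (hypothetical). */
struct oui { uint8_t prefix[3]; const char *vendor; };
static const struct oui OUIS[] = {{{0x00, 0x03, 0x93}, "Apple"}, {{0x00, 0x50, 0x56}, "VMware"}};

#define MAX_HOSTS 64
static uint8_t seen[MAX_HOSTS][10]; static int nseen;   /* 6-byte MAC then 4-byte IPv4 */

/* Resolve the first three bytes of a MAC to a vendor name, "unknown" if not listed. */
const char *vendor_of(const uint8_t *mac) {
    for (size_t i = 0; i < sizeof OUIS / sizeof OUIS[0]; i++)
        if (memcmp(mac, OUIS[i].prefix, 3) == 0) return OUIS[i].vendor;
    return "unknown";
}

/* Per-frame handler shaped like a pcap_loop callback. Ethernet: source MAC at offset 6,
   EtherType at 12 (0x0800 = IPv4); IPv4 source address at offset 12 of the IP header. */
int browse_frame(const uint8_t *frame, size_t len) {
    if (len < 34 || frame[12] != 0x08 || frame[13] != 0x00) return 0;   /* not IPv4 */
    const uint8_t *mac = frame + 6, *ip = frame + 14 + 12;
    for (int i = 0; i < nseen; i++)
        if (memcmp(seen[i], mac, 6) == 0) return 0;   /* already in the array */
    if (nseen == MAX_HOSTS) return 0;
    memcpy(seen[nseen], mac, 6);
    memcpy(seen[nseen] + 6, ip, 4);
    nseen++;
    printf("%02x:%02x:%02x:%02x:%02x:%02x  %d.%d.%d.%d  %s\n", mac[0], mac[1], mac[2],
           mac[3], mac[4], mac[5], ip[0], ip[1], ip[2], ip[3], vendor_of(mac));
    return 1;   /* new host learned */
}
int hosts_seen(void) { return nseen; }

/* Build a constructed 34-byte frame: Ethernet header plus a minimal IPv4 header. */
void build_frame(uint8_t *f, const uint8_t *mac, const uint8_t *ip, uint16_t type) {
    memset(f, 0, 34); memcpy(f + 6, mac, 6);
    f[12] = type >> 8; f[13] = type & 0xff; f[14] = 0x45; memcpy(f + 26, ip, 4);
}

int main(void) {
    static const uint8_t a[6] = {0, 3, 0x93, 1, 2, 3}, v[6] = {0, 0x50, 0x56, 9, 9, 9};
    static const uint8_t ia[4] = {192, 168, 1, 10}, iv[4] = {192, 168, 1, 20};
    uint8_t f[34];
    build_frame(f, a, ia, 0x0800); browse_frame(f, 34);   /* new host: Apple */
    build_frame(f, a, ia, 0x0800); browse_frame(f, 34);   /* same host again: skipped */
    build_frame(f, v, iv, 0x0800); browse_frame(f, 34);   /* new host: VMware */
    build_frame(f, a, ia, 0x0806); browse_frame(f, 34);   /* ARP, not IPv4: skipped */
    return hosts_seen() == 2 ? 0 : 1;
}
```

Swapping build_frame for a real pcap_open_live/pcap_loop pair and passing the captured bytes to browse_frame gives the live version the talk shows.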