
Session 49: Performing a Vulnerability Assessment with Commercial and Open Source Tools

© 2003 Lucent Technologies

Performing a Vulnerability Assessment with Commercial and Open Source Tools

Session Number 49

George G. McBride, CISSP

Thursday (10/2) – 9:45 AM to 1:00 PM


Our Goals and Objectives

– Discuss commercial and open source tools
– War Dialing, War Driving, Dumpster Diving
– Web Based Application Assessments
– Assessing IIS, SQL Server, etc.
– What goes in a report?
– Understanding the data that you are getting… Is the vendor doing a great job?


Our Goals and Objectives (Cont’d)

– Lessons Learned
– Do’s and Don’ts
– Commercial vs Open Source Tools:
  • Live Demos!

But first, a word from the lawyers:


Legal / Liability Issues

Important for risk / vulnerability assessments and critical for “Ethical Hacking”:
– Get permission from the proper person or group before starting.
– Log all of your actions.
– Run these tools at your own risk.
– You are responsible for your actions, open source or commercial.


Legal / Liability Issues (Cont’d)

Check your tools:
– Test them on a stand-alone network with a network sniffer
– Review the source code and compile the tools yourself
– Obtain source and CRCs/hash values from a respectable source
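One caveat on the last point: a CRC only catches accidental corruption; anyone who can replace the archive can pad it to any CRC they like, so a cryptographic digest (SHA-256 today) or, better, a signature over the digest list is what you want. The following is an added example, not part of the deck: it checks a downloaded file against a `sha256sum`-style listing. The archive bytes and the listing are constructed for the demo; fetch the real listing from somewhere other than where you got the tarball.

```python
"""Check a downloaded tool against a published SHA-256 digest list.

Added example, not from the deck. The listing format is the one sha256sum
writes ("<64 hex digits>  <filename>" per line); the tarball bytes and the
listing below are constructed for the demo.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded source archive.
SAMPLE_TARBALL = b"tool-1.0.tar.gz contents (constructed, not a real archive)\n"
# Constructed SHA256SUMS listing: the matching entry plus an unrelated one.
SAMPLE_SUMS = (
    hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  tool-1.0.tar.gz\n"
    + "0" * 64 + "  tool-1.0.zip\n"
)

_ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")   # '*' marks binary mode


def parse_sums(text):
    """Return {filename: digest} from a sha256sum-style listing, ignoring junk lines."""
    sums = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify(blob, filename, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted'. A missing entry is a failure too:
    an attacker who can edit the listing will simply delete the line."""
    sums = parse_sums(sums_text)
    if filename not in sums:
        return "unlisted"
    actual = hashlib.sha256(blob).hexdigest()
    # Not secret data, but compare_digest is the habit worth keeping.
    return "ok" if hmac.compare_digest(actual, sums[filename]) else "mismatch"


if __name__ == "__main__":
    print(verify(SAMPLE_TARBALL, "tool-1.0.tar.gz", SAMPLE_SUMS))          # ok
    print(verify(SAMPLE_TARBALL + b"\x00", "tool-1.0.tar.gz", SAMPLE_SUMS))  # mismatch
```

Treat "unlisted" exactly like "mismatch" in any script that automates downloads; the temptation is to fall through to "couldn't check, proceed anyway".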


Legal / Liability Issues (Final)

Watch, and throttle when necessary, the traffic that you generate

Protect your generated data:
– It’s a list of the weaknesses of your network
– Use encryption


What is an “Assessment”

– Policy, procedures, and documentation review?
– Who and how many will be interviewed?
– Physical security review? At least a walk-through?
– Perform a modem scan (war dial)?
– Review the voice-mail system? PBX?
– Wireless review? Bluetooth?
– Review of Microsoft Windows shares? Unix exports?
– Review remote access?
– Perimeter review?


What is an “Assessment” (Cont’d)

– Review firewall and IDS – configuration/rules/logs?
– Review infrastructure (routers, switches, etc.)?
– Which machines will you scan? Servers? Workstations?
– Application review? Web server review? Web-based application review?
– Database review?
– Social engineering attempts?


Commercial vs Open Source

Commercial:
– Generally requires purchase, includes shareware…
– Support readily available, usually for a price
– Can’t see source, rely on vendor for updates

Open Source:
– Free distribution
– Source code
– Modifiable


Tools Categories To Discuss

– Network Sniffers
– Network Mappers and Discovery
– Host Based and Network Based Tools
– Web Based Application Assessments
– Firewall and Perimeter Assessment
– Wireless and Modem Assessment
– Dumpster Diving and Social Engineering
– Others


Disclaimer!

This is a partial list. For fairness, I’ve tried to provide a balance of Microsoft Windows and Linux tools. If you have a favorite tool that has some additional features or does things differently, please let us know during the discussions.


Recon: Sam Spade

Recon: Misc Sources

Recon: Google

Network Sniffers

Network Sniffers can be used as part of an assessment to:
– Ensure you don’t flood the network
– Know exactly what you are doing
  • Log what you are doing at the network level
  • An electronic record
– Look at traffic coming back to the source
  • Are you getting the anticipated response?


Windows Sniffers (Ethereal)

Ethereal Start Screen:
• Available for Windows and most Unix flavors
• Requires “libpcap”, the packet capture library (also open source; WinPcap on Windows)

Ethereal Capture Status

Ethereal Data Review


Linux Sniffer (tcpdump)

tcpdump:
• Available for most Unix flavors (the Windows port is WinDump)
• Requires “libpcap”, the packet capture library (also open source)


Cheops-NG (Next Generation)

Part network management and monitoring, part mapping and discovery.

Provide network delineation parameters and let it discover the network.

Allows you to easily run scripts to perform a specific function against a particular service, e.g., polling.


Cheops-NG Mapping Tool

Cheops General Screen:
• Unix only
• Does a decent job of discovery
• Don’t get caught up in network diagramming

Cheops-NG (From Cheops Web)
• Screen shot from the Cheops-NG web site


HP Open View


Passive vs Active Scanning

Some of the newer tools are passive and only listen to traffic generated by others.

This has some great benefits:
– Consumes no bandwidth
– Generally doesn’t disrupt the network
– Accuracy and completeness increase over time
– Detects new services immediately after activation


Passive “Issues”

With all of the positives of passive scanning, there are some negative issues:
– Doesn’t discover available but unused services – the service must be used to be detected
– Requires a significant amount of time to “discover” the environment
– Cannot “interrogate” targets to determine vulnerability or versions


Active Scans

Pros:
– Provides immediate feedback
– Tests for all known services or a particular target
– Scan on demand for virus/worm/Trojan detection

Cons:
– Can disrupt the network
– Can generate significant bandwidth
– Becomes obsolete as soon as the environment changes
– Can cause lock-outs or denial of service
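The sniffer slide asked three things of a capture taken on the scanning box: are you flooding the network, are you getting the answers you expect, and what is the electronic record? The passive/active slides add a fourth: what would a purely passive tool have learned from the same wire? The following is an added example, not from the deck or from any of the tools it shows: it parses tcpdump's default text summary (the `IP src.port > dst.port: Flags [..]` lines you get from `tcpdump -n`), as you would capture on the scanning host. The capture is constructed for the demo: a SYN scan of four ports on one host, plus one unrelated client session.

```python
"""Audit your own scan traffic from a tcpdump capture, and compare it with
what a passive listener would have learned. Added example, not from the deck;
the capture is constructed.
"""
import re
from collections import Counter

SCANNER = "192.0.2.10"   # constructed: the assessor's machine

# Constructed capture: SYN scan of 192.0.2.50 ports 22, 25, 80 and 443, then
# an unrelated client (192.0.2.77) using port 80. Port 443 never answers.
SAMPLE_CAPTURE = """\
10:02:01.000100 IP 192.0.2.10.40001 > 192.0.2.50.22: Flags [S], seq 1, win 1024, length 0
10:02:01.000400 IP 192.0.2.50.22 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
10:02:01.000600 IP 192.0.2.10.40001 > 192.0.2.50.22: Flags [R], seq 2, win 0, length 0
10:02:01.001000 IP 192.0.2.10.40002 > 192.0.2.50.25: Flags [S], seq 1, win 1024, length 0
10:02:01.001300 IP 192.0.2.50.25 > 192.0.2.10.40002: Flags [R.], seq 0, ack 2, win 0, length 0
10:02:01.002000 IP 192.0.2.10.40003 > 192.0.2.50.80: Flags [S], seq 1, win 1024, length 0
10:02:01.002300 IP 192.0.2.50.80 > 192.0.2.10.40003: Flags [S.], seq 9, ack 2, win 5840, length 0
10:02:02.500000 IP 192.0.2.10.40004 > 192.0.2.50.443: Flags [S], seq 1, win 1024, length 0
10:02:03.100000 IP 192.0.2.77.51000 > 192.0.2.50.80: Flags [S], seq 5, win 65535, length 0
10:02:03.100300 IP 192.0.2.50.80 > 192.0.2.77.51000: Flags [S.], seq 3, ack 6, win 5840, length 0
"""

_PKT = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def parse(capture):
    """Yield one dict per TCP summary line; anything else (ARP, DNS) is skipped."""
    for line in capture.splitlines():
        m = _PKT.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
        yield {"t": t, "src": m["src"], "sport": int(m["sport"]),
               "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def scan_audit(capture, scanner=SCANNER, max_pps=100):
    """Rate check plus probe/response accounting for the scanner's own SYNs.
    Returns peak SYNs per second, whether that exceeded max_pps, and the
    state inferred for each (host, port) probed."""
    pkts = list(parse(capture))
    sent = [p for p in pkts if p["src"] == scanner and p["flags"] == "S"]
    per_second = Counter(int(p["t"]) for p in sent)
    probed = {(p["dst"], p["dport"]) for p in sent}
    state = {}
    for p in pkts:
        key = (p["src"], p["sport"])           # a reply comes *from* the probed port
        if p["dst"] != scanner or key not in probed:
            continue
        if p["flags"] == "S.":
            state[key] = "open"                # SYN/ACK
        elif "R" in p["flags"]:
            state[key] = "closed"              # RST
    for key in probed:
        state.setdefault(key, "no-reply")      # filtered, or the scan outran the answers
    return {"peak_pps": max(per_second.values(), default=0),
            "flooding": any(n > max_pps for n in per_second.values()),
            "states": state}


def passive_view(capture, scanner=SCANNER):
    """What a passive tool would list: services somebody actually used (a
    SYN/ACK was seen), ignoring the assessor's own probes. A listening but
    idle service never appears here."""
    return {(p["src"], p["sport"]) for p in parse(capture)
            if p["flags"] == "S." and p["dst"] != scanner}


if __name__ == "__main__":
    print(scan_audit(SAMPLE_CAPTURE))
    print(passive_view(SAMPLE_CAPTURE))
```

On the constructed capture the active side reports 22 and 80 open, 25 closed and 443 with no reply at a peak of 3 SYNs per second; the passive side lists only port 80, because nobody but the scanner ever touched SSH. That gap is the "service must be used to be detected" limitation in one line of output.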


p0f (Passive Fingerprinting)

Nevo – Startup

Nevo – Sample Run

Nevo – To HTML (Nessus)

nmap (Network Mapper)

– Do-all port scanner (TCP/UDP, covert/overt, fast to super-slow)
– Remote platform detection
– Remote services version detection
– Updates regularly!
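To make the mechanics behind those bullets concrete, here is an added example (my own code, not nmap's): the plainest of nmap's scan types, the connect scan (`-sT`), with banner grabbing standing in for the simplest form of service version detection and a pause between probes standing in for the fast-to-super-slow timing knob. The loopback listener is a constructed stand-in target; point this at anything else only with the written permission the legal slide talked about.

```python
"""A throttled TCP connect scan with banner grabbing. Added example, not
nmap's own code; the loopback service at the bottom is constructed.
"""
import socket
import threading
import time


def scan(host, ports, delay=0.0, timeout=1.0, banner_bytes=128):
    """Return {port: (state, banner)} with state 'open', 'closed' or 'filtered'.
    `delay` is the throttle between connects; raise it on fragile networks."""
    results = {}
    for port in ports:
        banner = b""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                state = "open"
                try:                      # SSH, SMTP, FTP announce themselves unprompted
                    banner = s.recv(banner_bytes)
                except OSError:           # silent or rude service: needs protocol probes (nmap -sV)
                    pass
            except ConnectionRefusedError:
                state = "closed"          # the host answered with a RST
            except (socket.timeout, OSError):
                state = "filtered"        # nothing came back: firewall, or host down
        results[port] = (state, banner.decode("ascii", "replace").strip())
        time.sleep(delay)
    return results


def start_fake_service(banner=b"SSH-2.0-demo_sshd\r\n"):
    """Constructed target for the demo: a loopback listener that greets like
    an SSH daemon. Returns the port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port():
    """Constructed helper: take an ephemeral port and release it, so a connect
    to it is refused (the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = start_fake_service()
    for port, (state, banner) in scan("127.0.0.1", [target, find_closed_port()], delay=0.1).items():
        print(f"{port}/tcp {state} {banner}")
```

A connect scan completes the handshake, so every open port you touch lands in the target's logs and, on a busy server, in its connection accounting; that is why the deck's sniffer advice and the throttle matter even for the "overt" scan modes.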


nmap (Linux Command Line)

nmap (Linux Scan Complete)

nmap (With Service Version)

nmap (Linux Gnome Front-End)
• Available for Windows and most Unix flavors
• Has a front-end – same data, just prettier


SuperScan 4.0
• Excellent and free!
• Fast
• MS Windows based

SuperScan 4.0 (HTML Report)
• HTML output
• Great for including in reports


Winfingerprint
• Performs numerous MS Windows specific checks
• Checks for shares, users, sessions, and more


FoundStone’s ScanLine (SL)
• Ultra fast TCP and UDP scanner
• Useful for scripting


SolarWinds

Commercial, a “conglomeration” of tools: DNS, discovery, monitoring, SNMP, some Cisco security tools.

Doesn’t have anything not available individually.

SolarWinds Engineer’s Edition


Shares Finder


Nessus (Start-Up)

Nessus (Scan Execution)

Nessus Scanning

Nessus Data Review

Nessus Report Generation


Internet Security System’s: Internet Scanner

It’s been around for a while:
– Largest market share for a commercial risk assessment tool
– Corporate support
– Part of a family of risk assessment tools
– These guys make a Database Scanner, Host Scanner, Wireless Scanner, RealSecure, and now own BlackICE

ISS’ Internet Scanner

eEye Retina Scanner


Terminal Server

Allows clients to connect to a machine with Terminal Services using Remote Desktop. Think pcAnywhere.

ProbeTS searches for Terminal Server and can look for TS on a non-standard port.

TSGrinder does a dictionary attack.

ProbeTS

TSGrinder

Web Security

What do we need to look for:
– Server system errors
  • IIS buffer overflows
  • Apache remote exploits
– Programming code errors
  • SQL code injection
  • Cross Site Scripting (XSS)
  • URL manipulation
  • Cookie poisoning
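The first of the programming code errors is worth seeing in code. The following is an added example, not from the deck or any scanner: a login check written the vulnerable way (user input pasted into the SQL text) next to the parameterised fix, run against an in-memory SQLite table constructed for the demo. The probe function does what a web application scanner or a local proxy user does by hand: drop the classic payload into a parameter and see whether the application's answer changes.

```python
"""SQL injection as a scanner or proxy finds it: the vulnerable query and the
parameterised fix, side by side. Added example; the user store is constructed.
"""
import hashlib
import sqlite3


def make_db():
    """Constructed user store: one account, password hashed with SHA-256."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    return db


def login_vulnerable(db, name, password):
    """The 'programming code error' on the slide: user input is pasted into the
    SQL text, so a quote in the name rewrites the query."""
    h = hashlib.sha256(password.encode()).hexdigest()
    query = f"SELECT name FROM users WHERE name = '{name}' AND pwhash = '{h}'"
    # A payload that breaks the syntax raises sqlite3.OperationalError here;
    # scanners look for exactly that error text leaking into the response.
    return db.execute(query).fetchone() is not None


def login_fixed(db, name, password):
    """Same check, but the input is bound as parameters and can never become SQL."""
    h = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT name FROM users WHERE name = ? AND pwhash = ?",
                     (name, h)).fetchone()
    return row is not None


# The probe a scanner sends: closes the string, adds an always-true clause,
# and comments out the password check.
PAYLOAD = "nobody' OR '1'='1' --"


def probe(login):
    """True if the payload logs in without a valid name or password: injection confirmed."""
    return login(make_db(), PAYLOAD, "not the password")


if __name__ == "__main__":
    print("vulnerable:", probe(login_vulnerable))   # True
    print("fixed:     ", probe(login_fixed))        # False
```

The fixed version passes the payload through to the database as a plain string, so the check fails cleanly; it also still works for a real login, which is the other half of what a fix has to prove.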


Automated Scanners

ISS Internet Scanner and Nessus are tools that can help detect some of these vulnerabilities.

Web-based application scanners such as Nikto and AppScan will detect many known vulnerabilities of the server and application.

Local proxy tools allow assessors to review data and traffic and to manipulate cookies and requests.

Web-Applications: AppScan

Output File Types
• .PDF, .XLS, .HTML, .TIFF, .RTF, .TXT


Web-Applications: Nikto

Nikto
• Uses “libwhisker”, the library developed to support “whisker”, which is itself no longer maintained

@Stake’s Web Proxy


Paros Proxy


AppDetective


Wireless

– War-driving, war-walking, war-chalking
– Closed network
– SSID broadcast
– GPS
– 802.11a/b/g


NetStumbler


Kismet


Airtraffic


Fluke: WaveRunner

– 802.11b detection only
– HP iPaq handheld – reloaded with Linux
– Lightweight, extremely portable
– Somewhat expensive at $4000-ish


bv system’s “Yellow Jacket”


Kensington: WiFi Finder

– Detects 802.11b/g WLAN equipment
– Much cheaper at $25
– Very portable
– No info except for 3 status lights… High, Medium, and Low


From Kensington’s WiFi Finder web page:

Q: My network at work isn’t detected by the WiFi Finder, what gives?
A: There are 2 possibilities:
1) Your work has a secure network; by design the WiFi Finder will not detect networks that do not want to be detected.


Bluetooth

You can use your iPAQ, mobile phone, or laptop to discover devices.

@Stake has “redfang”, a detector for non-discoverable Bluetooth devices that runs on Linux.


Bluetooth Detector

– Detects and troubleshoots all Bluetooth signals
– No way to get data off the device for recording/historical purposes
– You’ve got to be close to pick up Bluetooth (about 30 feet max)


Password Cracking

– Not interested in what the passwords are
– Only want to know how many and how they were cracked (aka determined)
– Brute-force vs dictionary cracking: choose the appropriate dictionaries
– Consider the best “bang for the buck” and only look at dictionary attacks
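The reporting rule on this slide (how many and how, never which) is easy to state and easy to violate the moment a cracker's output file lands in an appendix. The following is an added example, not from the deck and not L0phtCrack's or John's code: a dictionary audit that tries a wordlist, then a handful of mangling rules of the kind John applies, and returns only counts per technique. The hash file format (`user:salt$sha256(salt+password)`) and the accounts are constructed for the demo and stand in for the LM/NTLM or crypt(3) hashes the real tools work on.

```python
"""Dictionary password audit that reports how many fell and how, never which.
Added example; hash format, accounts and wordlist are constructed.
"""
import hashlib
from collections import Counter


def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample accounts; the plaintexts exist only to build the hashes.
_SAMPLE = {"alice": ("Xk", "summer"),        # plain dictionary word
           "bob":   ("Qz", "Summer1"),       # capitalised, digit appended
           "carol": ("Lm", "password123"),   # dictionary word plus digits
           "dave":  ("Pn", "gJ8#qL2vWz")}    # in no list
SAMPLE_HASHES = "".join(f"{u}:{s}${_digest(s, p)}\n" for u, (s, p) in _SAMPLE.items())
SAMPLE_WORDLIST = ["password", "summer", "letmein", "qwerty"]


def mangle(word):
    """Candidate passwords derived from one wordlist entry. The bare word comes
    first so a hit on it can be reported as a plain dictionary crack."""
    yield word
    yield word.capitalize()
    for base in (word, word.capitalize()):
        yield base + "1"
        yield base + "123"


def parse_hashes(text):
    """Return {user: (salt, digest)}; blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def audit(hash_text, wordlist):
    """Counter of {'dictionary': n, 'mangled': n, 'uncracked': n}.
    Plaintexts are deliberately not kept: the report needs the numbers and
    the method. Salted hashes force this per-user loop; unsalted LM/NTLM
    hashes let you hash each candidate once and compare against everyone."""
    outcome = Counter()
    for _user, (salt, digest) in parse_hashes(hash_text).items():
        tier = "uncracked"
        for word in wordlist:
            for candidate in mangle(word):
                if _digest(salt, candidate) == digest:
                    tier = "dictionary" if candidate == word else "mangled"
                    break
            if tier != "uncracked":
                break
        outcome[tier] += 1
    return outcome


if __name__ == "__main__":
    print(dict(audit(SAMPLE_HASHES, SAMPLE_WORDLIST)))   # {'dictionary': 1, 'mangled': 2, 'uncracked': 1}
```

The "bang for the buck" point on the slide is the loop structure: a few thousand words times a handful of rules is seconds of work, and what it finds is already enough to make the policy argument in the report.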


Password Cracking: L0phtCrack


Password Cracking: “John”

– John the Ripper
– Available on MS Windows and Unix platforms
– Works on MS Windows and Unix password files
– Continues to be enhanced for increased performance


War-Dialing

– Discovering modems connected to telephone lines
– Keep an eye on numbers only reachable externally and/or internally
– Be aware of help desks, security, and other 24x7 organizations that may be impacted by your efforts


War Dialing: Tone-Loc


War Dialing: Phone Sweep


Dumpster Diving

Best Advice: Wear disposable clothes and gloves with hard shoes…or stay outside and use a stick.

Looking for what should have been shredded or properly disposed of.


Physical Review

– Computer room physical security
– Access control and logging
– Sensitive information secured
– Equipment secured
– Shredders/proprietary bins around
– Fire extinguishers
– Office doors locked
– And so much more….


Physical Security Review

Google can help you find numerous checklists through a search of: “physical security review checklist”.


Social Engineering

In a nutshell, lying to get information that you need. In corporate speak, obtaining information through “misleading social interaction”.

A great way to verify policies, help desk procedures, and how things really work.

Mitnick really did write the book: The Art of Deception.


Social Engineering Examples

– Testing the help desk by posing as a worker on long-term disability just coming back
– The administrative assistant of an agitated executive
– A system administrator who can’t get into their machine and needs remote access turned on


Other Resources

Fyodor’s web site at www.insecure.org has the top 75 security tools of 2003 as voted by the readers.

SecurityFocus has some great mailing lists.

Sites such as Freshmeat, Packetstorm (www.packetstorm.org), and many others are great resources.


Questions?

Feel free to call me at +1.732.949.3408 or via e-mail at [email protected]

Check my web site, www.digdata.com, for other information and the latest presentation.

Let me know if you find any new or better tools