session 49 performing a vulnerability assessment with commercial and open source tools
TRANSCRIPT
© 2003 Lucent Technologies
Performing a Vulnerability Assessment with Commercial and Open Source Tools
Session Number 49
George G. McBride, CISSP
Thursday (10/2) – 9:45 AM to 1:00 PM
Our Goals and Objectives
Discuss commercial and open source tools
War Dialing, War Driving, Dumpster Diving
Web Based Application Assessments
Assessing IIS, SQL Server, Etc.
What goes in a report?
Understanding the data that you are getting… Is the vendor doing a great job?
Our Goals and Objectives (Cont’d)
Lessons Learned
Do’s and Don’ts
Commercial vs Open Sourced Tools:
– Live Demos!
But first, a word from the lawyers:
Legal / Liability Issues
Important for risk / vulnerability assessments and critical for “Ethical Hacking”:
– Get permission from the proper person or group before starting.
Log all of your actions.
Run these tools at your own risk.
– You are responsible for your actions, open source or commercial.
Legal / Liability Issues (Cont’d)
Check your tools:
– Test them on a stand-alone network with a network sniffer
– Review the source code and compile the tools yourself
– Obtain source and CRCs/Hash-Values from a respectable source
Legal / Liability Issues (Final)
Watch, and throttle when necessary, the traffic that you generate
Protect your generated data
– It’s a list of the weaknesses of your network
– Use Encryption
What is an “Assessment”
Policy, procedures, and documentation review?
Who and how many will be interviewed?
Physical security review? At least a walk-through?
Perform a modem scan (war dial)?
Review the voice-mail system? PBX?
Wireless Review? Blue Tooth?
Review of Microsoft Windows shares? Unix Exports?
Review remote access?
Perimeter Review?
What is an “Assessment” (Cont’d)
Review Firewall and IDS – configuration/rules/logs?
Review Infrastructure (routers, switches, etc)?
Which machines will you scan? Servers? Workstations?
Application Review?
Web Server review? Web based application review?
Database Review?
Social Engineering Attempts?
Commercial vs Open Source
Commercial:
– Generally requires purchase, includes shareware…
– Support readily available, usually for a price
– Can’t see source, rely on vendor for updates
Open Source:
– Free Distribution
– Source Code
– Modifiable
Tools Categories To Discuss
Network Sniffers
Network Mappers And Discovery
Host Based Tools
Network Based Tools
Web Based Application Assessments
Firewall and Perimeter Assessment
Wireless and Modem Assessment
Dumpster Diving and Social Engineering
Others
Disclaimer!
This is a partial list.
For fairness, I’ve tried to provide a balance of Microsoft Windows and Linux tools.
If you have a favorite tool that you like that has some additional features or does things differently, please let us know during the discussions.
Network Sniffers
Network Sniffers can be used as part of an assessment to:
– Ensure you don’t flood the network
– Know exactly what you are doing
• Log what you are doing at the network level
• An electronic record
– Look at traffic coming back to the source
• Are you getting the anticipated response?
Windows Sniffers (Ethereal)
Ethereal Start Screen:
• Available for Windows and most Unix Flavors
• Requires “libpcap”, the packet capture library (also open source)
Linux Sniffer (tcpdump)
TCP Dump:
• Available for Windows and most Unix Flavors
• Requires “libpcap”, the packet capture library (also open source)
Cheops-NG (Next Generation)
Part network management and monitoring, part mapping and discovery
Provide network delineation parameters and let it discover the network
Allows you to easily run scripts to perform a specific function against a particular service, i.e., polling
Cheops-NG Mapping Tool
Cheops General Screen
• Unix Only
• Does a decent job of discovery
• Don’t get caught up in network diagramming
Cheops-NG From (Cheops Web)
Cheops-NG
• Screen shot from Cheops-NG Web Site
Passive vs Active Scanning
Some of the newer tools are passive and only listen to traffic generated by others.
This has some great benefits:
– Consumes no bandwidth
– Generally doesn’t disrupt the network
– Accuracy and Completeness increases over time
– Detects new services immediately after activation
Passive “Issues”
With all of the positives of Passive Scanning, there are some negative issues:
– Doesn’t discover available, but unused services – the service must be used to be detected
– Requires a significant amount of time to “discover” the environment
– Cannot “interrogate” targets to determine vulnerability or versions
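Two of the slides above ask for the same thing from a sniffer capture: the Network Sniffers slide wants to know whether you are flooding the network and whether targets answer, and the passive-scanning slides point out that a service is only "seen" once someone actually uses it. The following is an added example (not from the presentation or any of the tools it names) that answers both questions from tcpdump's default TCP summary lines; the capture embedded below is constructed, with 10.0.0.5 assumed to be the assessor's scanning host.

```python
import re
from collections import Counter, defaultdict

# tcpdump's default TCP summary line: timestamp, src.port > dst.port, Flags [..].
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse(lines):
    """One dict per TCP summary line; non-matching lines (ARP, UDP, ...) are skipped."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def scanner_stats(lines, scanner_ip):
    """How hard the scanner is pushing, and whether targets are answering.
    Flags 'S' is a probe; 'S.' (SYN-ACK) or 'R.' (RST-ACK) is an answer."""
    per_second = Counter()
    sent = answered = 0
    for p in parse(lines):
        if p["src"] == scanner_ip and p["flags"] == "S":
            per_second[p["ts"]] += 1
            sent += 1
        elif p["dst"] == scanner_ip and p["flags"] in ("S.", "R."):
            answered += 1
    return {"sent": sent, "answered": answered,
            "peak_per_second": max(per_second.values(), default=0),
            "answer_ratio": round(answered / sent, 2) if sent else 0.0}

def passive_inventory(lines):
    """host -> ports seen answering SYN-ACK to anyone. A port nobody used is
    invisible here, which is the passive-scanning limitation on the slide."""
    inv = defaultdict(set)
    for p in parse(lines):
        if p["flags"] == "S.":
            inv[p["src"]].add(int(p["sport"]))
    return {h: sorted(ports) for h, ports in inv.items()}

# Constructed sample capture; 10.0.0.5 is the assumed scanning host.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.40000 > 10.0.0.20.22: Flags [S], seq 1, win 512, length 0
12:00:00.000300 IP 10.0.0.20.22 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 512, length 0
12:00:00.000500 IP 10.0.0.5.40001 > 10.0.0.20.23: Flags [S], seq 1, win 512, length 0
12:00:00.000700 IP 10.0.0.20.23 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000900 IP 10.0.0.5.40002 > 10.0.0.21.80: Flags [S], seq 1, win 512, length 0
12:00:01.000100 IP 10.0.0.5.40003 > 10.0.0.21.443: Flags [S], seq 1, win 512, length 0
12:00:01.000400 IP 10.0.0.7.51000 > 10.0.0.30.25: Flags [S], seq 9, win 512, length 0
12:00:01.000600 IP 10.0.0.30.25 > 10.0.0.7.51000: Flags [S.], seq 3, ack 10, win 512, length 0
12:00:01.000900 IP 10.0.0.21.443 > 10.0.0.5.40003: Flags [S.], seq 4, ack 2, win 512, length 0
""".splitlines()
```

In the sample, the probe to 10.0.0.21:80 is never answered (the kind of silent drop that lowers the answer ratio), 10.0.0.30:25 shows up in the passive inventory only because another host happened to talk to it, and the closed port 23 on 10.0.0.20 does not show up at all.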
Active Scans
Provides immediate feedback
Tests for all known services or a particular target
Scan on demand for virus/worm/Trojan detection
Can disrupt network
Can generate significant bandwidth
Becomes obsolete as soon as environment changes
Can cause lock-outs or denial of services
nmap (Network Mapper)
Do-All port scanner (TCP/UDP, Covert/Overt, Fast to super-slow)
Remote platform detection
Remote services version detection
Updates regularly!
nmap (Linux Gnome Front-End)
nmap
• Available for Windows and most Unix Flavors
• Has a front-end – same data, just prettier
SuperScan 4.0 (HTML Report)
SuperScan 4.0
• HTML output
• Great for including in reports
Winfingerprint
Winfingerprint
• Performs numerous MS Windows specific checks
• Checks for shares, users, sessions, and more.
FoundStone’s ScanLine (SL)
ScanLine
• Ultra fast TCP and UDP Scanner
• Useful for scripting
SolarWinds
Commercial, a “conglomeration” of tools.
DNS, Discovery, Monitoring, SNMP, Some Cisco Security tools.
Doesn’t have anything not available individually.
Internet Security System’s: Internet Scanner
It’s been around for a while
– Largest market share for a commercial risk assessment
– Corporate Support
– Part of a family of Risk Assessment tools
– These guys make a Database Scanner, Host Scanner, Wireless Scanner, Real Secure, and now own Black Ice
Terminal Server
Allows clients to connect to a machine with Terminal Services using Remote Desktop
Think pcAnywhere
ProbeTS searches for Terminal Server and can look for TS on a non-standard port.
TSGrinder does a dictionary attack
Web Security
What do we need to look for:
– Server system errors
• IIS Buffer Overflows
• Apache remote exploits
– Programming code errors
• SQL Code Injection
• Cross Site Scripting (XSS)
• URL Manipulation
• Cookie poisoning
Automated Scanners
IIS and Nessus are tools that can help detect some of the vulnerabilities.
Web based application scanners such as Nikto and Appscan will detect a lot of known vulnerabilities of the server and application.
Local proxy tools allow assessors to review data and traffic and to manipulate cookies and traffic.
Web-Applications: AppScan
Output File Types
• .PDF, .XLS, .HTML, .TIFF, .RTF, .TXT
Web-Applications: Nikto
Nikto
• Uses “libwhisker”, the library developed to support “whisker”, which has grown unsupported.
Wireless
War-driving, war-walking, war-chalking
Closed Network
SSID Broadcast
GPS
802.11a/b/g
Fluke: WaveRunner
802.11b detection only
HP iPaq handheld – reloaded with Linux
Lightweight, extremely portable
Somewhat expensive at $4000 ish
Kensington: WiFi Finder
Detects 802.11b/g WLAN equipment
Much cheaper at $25
Very portable
No info except for 3 status lights… High, Medium, and Low.
Kensington: WiFi Finder
Q: My network at work isn’t detected by the wifi finder, what gives?
A: There are 2 possibilities:
1) Your work has a secure network, by design the wifi finder will not detect networks that do not want to be detected.
From Kensington’s WiFi Web-Page.
BlueTooth
You can use your iPAQ, mobile phone, or laptop to discover devices
@Stake has “redfang”, a non-discoverable blue-tooth detector that runs on linux.
BlueTooth Detector
Detects and troubleshoots all Blue Tooth signals
No way to get data off the device for recording/historical purposes
You’ve got to be close to pick up Blue Tooth +/- (30 feet max)
Password Cracking
Not interested in what the passwords are
Only want to know how many and how they were cracked (aka determined)
Brute-force vs dictionary cracking
– Choose the appropriate dictionaries
Consider the best “bang for the buck” and only look at dictionary attacks
Password Cracking: “John”
John the ripper
Available on MS Windows and Unix platforms
Works on MS Windows and Unix password files
Continues to be enhanced for increased performance
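The Password Cracking and John slides make the point that the report should say how many accounts fell and to which class of attack (plain dictionary, dictionary plus mangling rules, or brute force), not what the passwords were. The following is an added example (not from the presentation and not John the Ripper's own code) that turns a list of recovered credentials into exactly that summary; the wordlist, the account list and the cracking results are all constructed, and the mangling rules are a small assumed subset of what a real rule set does.

```python
import re
from collections import Counter

# Constructed stand-in for a real cracking dictionary (lower-case words).
WORDLIST = {"password", "summer", "lucent", "welcome", "admin"}
# Assumed subset of John-style mangling: leetspeak substitutions.
LEET = str.maketrans("0134@$", "oleaas")

def classify(password, wordlist=WORDLIST):
    """Cheapest attack class that would have recovered this password."""
    low = password.lower()                 # rule: case is ignored by the cracker
    if low in wordlist:
        return "dictionary"
    base = re.sub(r"\d{1,4}$", "", low)    # rule: strip up to 4 appended digits
    unleet = base.translate(LEET)          # rule: undo leetspeak
    if base in wordlist or unleet in wordlist:
        return "dictionary+rules"
    return "brute-force"                   # only exhaustive search finds it

def audit_report(cracked, total_accounts, wordlist=WORDLIST):
    """Report-ready summary: counts only, the passwords themselves never leave here.
    cracked: iterable of (username, recovered_password) pairs."""
    by_method = Counter(classify(pw, wordlist) for _, pw in cracked)
    n = sum(by_method.values())
    return {
        "accounts": total_accounts,
        "cracked": n,
        "cracked_pct": round(100 * n / total_accounts, 1),
        "by_method": dict(by_method),
    }

# Constructed cracking results (the sort of thing a cracker's 'show' output gives
# back); kept out of the written report and shredded with the rest of the data.
CRACKED = [
    ("jsmith", "password"),
    ("mjones", "Summer03"),
    ("admin", "p@ssw0rd"),
    ("rlee", "Lucent"),
    ("tkim", "xK9#qLm2"),
    ("bdoe", "welcome1"),
]
TOTAL_ACCOUNTS = 40  # constructed: size of the password file that was audited

if __name__ == "__main__":
    print(audit_report(CRACKED, TOTAL_ACCOUNTS))
```

The "bang for the buck" argument on the slide falls out of the by_method counts: in the sample, five of six recovered accounts needed nothing more than the dictionary and a few cheap rules.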
War-Dialing
Discovering modems connected to telephone lines
Keep an eye on numbers only reachable externally and/or internally
Be aware of help-desks, security, and other 24x7 organizations that may be impacted by your efforts
Dumpster Diving
Best Advice: Wear disposable clothes and gloves with hard shoes…or stay outside and use a stick.
Looking for what should have been shredded or properly disposed of.
Physical Review
Computer room physical security
Access control and logging
Sensitive information secured
Equipment secured
Shredders/Proprietary Bins around
Fire extinguishers
Office doors locked
And so much more….
Physical Security Review
Google can help you find numerous checklists through a search of: “physical security review checklist”.
Social Engineering
In a nutshell, lying to get information that you need. In corporate speak, obtaining information through “misleading social interaction”.
A great way to verify policies, help desk procedures, and how things really work.
Mitnick really did write the book: The Art of Deception.
Social Engineering Examples
Testing the help desk by posing as a worker on long term disability just coming back.
The administrative assistant of an agitated executive
System administrator who can’t get into their machine and needs the remote access turned on.
Other Resources
Fyodor’s web-site at www.insecure.org has the top 75 of 2003 tools as voted by the readers.
Security Focus has some great mailing lists
Sites such as Freshmeat, Packetstorm (www.packetstorm.org), and many others are great resources
Questions?
Feel free to call me at +1.732.949.3408 or via e-mail at [email protected]
Check my web-site, www.digdata.com for other information and latest presentation
Let me know if you find any new or better tools