VAPT
RATIONALE
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not
unlike most browser based vulnerabilities that we see these days, user interaction is required such
as clicking on a link in email or visiting a malicious web page.
OBJECTIVES
The goal is to learn about weaknesses in the network so that they can be remedied. The main
contribution of this book is to show how easy it is for attackers to automatically discover and
exploit application-level vulnerabilities. Our security policies should include regular vulnerability
testing. We hope to raise awareness and provide a tool available to web site administrators and web
developers to proactively audit the security of their applications.
UNIT 1 ........ 6
INTRODUCTION ........ 6
1.1 IMPORTANT TECHNICAL TERMS ........ 6
1.2 INFORMATION GATHERING ........ 7
1.3 SCANNING AND FINGERPRINTING ........ 9
1.3.1 DAEMON-BANNER GRABBING ........ 9
1.3.2 PORT SCANNING ........ 11
1.3.3 ICMP SCANNING ........ 14
1.3.4 FINGERPRINTING ........ 18
SUMMARY ........ 24
UNIT 2 ........ 28
VULNERABILITY ASSESSMENT ........ 28
2.1 VULNERABILITIES ........ 28
2.2 VULNERABILITY ASSESSMENT ........ 29
2.3 PROTECTIVE MEASURES ........ 31
2.4 VULNERABILITY ASSESSMENT: THE RIGHT TOOLS TO PROTECT YOUR CRITICAL DATA ........ 32
2.5 TYPES OF VULNERABILITY ASSESSMENT ........ 33
2.6 THE CHALLENGES OF VULNERABILITY ASSESSMENTS ........ 34
2.7 TOOLS FOR VA ........ 36
2.8 RISK ASSESSMENT ........ 39
2.8.1 CONTROLS ........ 41
2.8.2 ADMINISTRATIVE ........ 41
2.8.3 LOGICAL ........ 41
2.8.4 PHYSICAL ........ 41
2.9 NETWORK SECURITY AUDIT CASE STUDY ........ 42
SUMMARY ........ 43
UNIT 3 ........ 47
PENETRATION TESTING ........ 47
3.1 INTRODUCTION AND METHODOLOGY ........ 47
3.1.1 PENETRATION TEST ........ 47
3.1.2 WHY CONDUCT A PENETRATION TEST? ........ 48
3.1.3 EXTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENT ........ 48
3.1.4 INTERNAL PENETRATION TESTING ........ 49
3.1.5 BENEFITS OF PENETRATION TESTING ........ 49
3.2 TYPES OF PENETRATION TESTS ........ 50
3.3 METHODOLOGY ........ 51
3.4 PENETRATION TESTING APPROACH ........ 54
3.5 PENETRATION TESTING VS VULNERABILITY ASSESSMENT ........ 56
3.6 HOW VULNERABILITIES ARE IDENTIFIED ........ 56
3.7 A SAMPLE PENETRATION TESTING REPORT ........ 57
4 | ©ATL Technology Tab
3.8 SECURITY SERVICES ........ 64
3.9 SECURITY SERVICES MANAGEMENT TOOLS ........ 65
3.10 FIREWALL ........ 67
3.10.1 INTRODUCTION ........ 67
3.10.2 RULES ........ 67
3.10.3 ROLE OF UTM ........ 70
3.10.4 KEY ADVANTAGES ........ 70
3.11 AUTOMATED VULNERABILITY SCANNING ........ 70
3.12 AN APPROACH TO VULNERABILITY SCANNING ........ 73
3.12.1 AUTOMATED VULNERABILITY ........ 73
3.12.2 PROTECTION FROM WEB SERVER ATTACKS ........ 74
3.12.3 AUTOMATED VULNERABILITY DETECTION ........ 79
3.13 PASSWORD CRACKING AND BRUTE FORCING ........ 80
3.14 DENIAL OF SERVICE (DOS) TESTING ........ 83
3.15 PENETRATION TESTING TOOLS ........ 89
3.15.1 PORT SCANNERS ........ 89
3.15.2 VULNERABILITY SCANNERS ........ 89
3.15.3 WEB APPLICATION ASSESSMENT PROXY ........ 92
3.15.4 SECURITY TESTING TOOLS ........ 92
3.16 WIRELESS PENETRATION TESTING ........ 93
3.16.1 EAVESDROPPING ........ 94
3.16.2 DISTRIBUTIVE ATTACKS ........ 94
3.16.3 UNAUTHORIZED NETWORK ACCESS ........ 94
3.17 ESCALATION OF PRIVILEGES ........ 95
3.17.1 LEAST PRIVILEGE ........ 95
3.17.2 PRIVILEGE SEPARATION ........ 95
3.17.3 COMMON TESTING TOOLS ........ 96
SUMMARY ........ 104
CASE STUDIES ........ 105
EXERCISE ........ 110
Vulnerability Detection and Penetration Testing is the most comprehensive service for auditing,
pen testing, reporting and patching your company's web based applications. Think of a
vulnerability assessment as the first step to a penetration test. The information gleaned from the
assessment will be used in the testing. Whereas the assessment checks for holes and potential
vulnerabilities, the penetration test actually attempts to exploit the findings. Assessing network
infrastructure is a dynamic process. Security, both information and physical, is dynamic.
Performing an assessment gives an overview, which can turn up false positives and false
negatives. A Vulnerability Scan provides on-demand network discovery and vulnerability
assessment reporting, remediation tracking, and enforcement of security policies. It is an efficient
way to assess business risk and improve your security posture. Potential vulnerabilities are
identified in your system or network, and fixes are recommended. This includes fixed and wireless
networks.
Penetration testing exploits the vulnerabilities found to gain access to the system. This approach
gives an in-depth report with increased assurance of the validity of the vulnerabilities found.
Benefits of VA and PT
So, you can clearly see that it is an ESMTP server. After further prodding, you can find that it is an
EXIM server. You can move ahead now and focus only on EXIM ESMTP server based exploits,
etc.
When an open port is known, we can try to connect to the port. Then we may get some banner
which will reveal much information regarding the server or the target. This process is called banner
grabbing. Many e-mail, FTP, and web servers will respond to a telnet connection with the name
and version of the software. They aid a hacker in fingerprinting the OS and application software.
Daemon-Banner grabbing is the process of getting useful bits of information about the target
system by recording the welcome banners of the daemons running on its various ports. It can be
used to get the following information about the target system:
Daemon name and version number
Operating System
Security measures used
These identify possible points of entry. Banner grabbing can easily be executed manually using
'Telnet' or by using port scanners.
Countermeasures:
Edit the default welcome message and ensure important information is not given out.
Misguide the attacker by displaying false daemon banners.
Use a long false daemon banner and, in the background, record information on the client and
try to trace him.
The banner gives us information about the daemon that is running and accepting our connection
and whether it is patched or not. Sometimes it also gives away information such as the time it was
compiled, or whether it is a beta version. With that information, an attacker can move ahead and
try to exploit the daemon. Of course, this information can be changed to something it is not! But
the fact remains that most system administrators are only interested in the daemon working
properly and are least concerned with the version information.
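The audit side of the banner-grabbing procedure above, as an added example that is not part of the courseware: it records a daemon's greeting the way a telnet session would and flags any banner that still discloses a software version, which is exactly what the "edit the default welcome message" countermeasure is meant to remove. The host names, banners and daemon list are constructed for the example.

```python
import re
import socket

# Constructed sample banners (not captured from any real host), in the form a
# plain telnet connection to ports 25, 21 and 80 returns. The HTTP entry assumes
# a "HEAD / HTTP/1.0" request was sent first, since web servers do not greet.
SAMPLE_BANNERS = {
    "mail.example.test:25": "220 mail.example.test ESMTP Exim 4.92 Tue, 01 Jan 2019 10:00:00 +0000",
    "ftp.example.test:21": "220 (vsFTPd 3.0.3)",
    "www.example.test:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    "hardened.example.test:25": "220 mail ready",
}

# Daemon names this audit recognises. Extend the tuple for the daemons you run.
KNOWN_DAEMONS = ("Exim", "Postfix", "Sendmail", "vsFTPd", "ProFTPD", "Apache",
                 "nginx", "Microsoft-IIS", "OpenSSH")


def parse_banner(banner):
    """Return what a banner gives away: software name and, if present, its version."""
    result = {"software": None, "version": None, "discloses_version": False}
    for name in KNOWN_DAEMONS:
        # "Exim 4.92", "Apache/2.4.41", "vsFTPd 3.0.3" and "OpenSSH_7.4" all count.
        versioned = re.search(r"\b%s[/ _]?v?(\d+(?:\.\d+)+)" % re.escape(name),
                              banner, re.IGNORECASE)
        if versioned:
            result.update(software=name, version=versioned.group(1),
                          discloses_version=True)
            return result
        if re.search(r"\b%s\b" % re.escape(name), banner, re.IGNORECASE):
            result["software"] = name  # name alone: far less useful to an attacker
    return result


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect the way telnet would and return the greeting (for hosts you administer)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:  # e.g. b"HEAD / HTTP/1.0\r\n\r\n" for a web server
            sock.sendall(probe)
        try:
            return sock.recv(1024).decode("utf-8", "replace").strip()
        except socket.timeout:
            return ""  # a silent daemon discloses nothing


def audit_banners(banners):
    """Return the endpoints whose banner violates a 'no version strings' policy."""
    return [endpoint for endpoint, text in banners.items()
            if parse_banner(text)["discloses_version"]]


if __name__ == "__main__":
    for endpoint, text in SAMPLE_BANNERS.items():
        print(endpoint, parse_banner(text))
    print("needs banner hardening:", audit_banners(SAMPLE_BANNERS))
```

Feed `grab_banner()` results into `audit_banners()` to run the same check against live hosts in your own inventory.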
Tenable Nessus
Zenmap
Angry IP Scanner
Superscan etc.
Port Scanning is commonly used by computer attackers to get the following information about the
target system:
ICMP Scanning: Host Detection Techniques
Does this ICMP host detection technique ring a bell? Yes, it is indeed popularly known as the
'ping' utility. Ping's working is similar to that of a real-life sonar system. The 'ping' utility can be
used to determine whether the remote host is alive or not (see the example below). The ping
command can be used by the attacker for the following purposes:
Host detection
Firewall detection
Clogging up valuable network resources by sending infinite 'Echo Request' ICMP messages
Below is sample output of a PING command executed on a Windows machine:
C:\WINDOWS>ping mail2.bol.net.in
Pinging mail2.bol.net.in [203.94.243.71] with 32 bytes of data:
Reply from 203.94.243.71: bytes=32 time=163ms TTL=61
Reply from 203.94.243.71: bytes=32 time=185ms TTL=61
Reply from 203.94.243.71: bytes=32 time=153ms TTL=61
Reply from 203.94.243.71: bytes=32 time=129ms TTL=61
……………
ICMP Scanning: Host Detection Countermeasures
Echo Requests or PING messages can easily be filtered at the router level by using the below
Access Control List (ACL). To filter out all Echo Requests or PING messages:
access-list 101 deny icmp any any 8
To filter out all Echo Requests except those coming from, say, your ISP, we can use the following
(the permit entry must come before the deny: an ACL is evaluated top-down and the first matching
entry wins, so a deny placed first would drop the ISP's requests as well):
access-list 101 permit icmp xx.xx.xx.xx 0.0.0.255 any 8
access-list 101 deny icmp any any 8
ICMP Scanning: Time Stamping
The ICMP Timestamp Request allows one system to query another system for the current time in
the latter system. It uses the 'Timestamp Request' and 'Timestamp Reply' ICMP messages, and can
also be used for Operating System Detection.
ICMP Scanning: Time Stamping Countermeasures
Timestamp Requests can easily be filtered at the router level by using the below Access Control
List (ACL). To filter out all Timestamp Requests:
access-list 101 deny icmp any any 13
To filter out all Timestamp Requests except those coming from, say, your ISP, you can use (again
with the permit entry first):
access-list 101 permit icmp xxx.xxx.xxx.xxx 0.0.0.255 any 13
access-list 101 deny icmp any any 13
ICMP Scanning: OS Detection Techniques (contd.)
By sending ICMP messages to a host and comparing the responses invoked against the known
responses, one can deduce the OS running on the host. Working:
1. Send particular ICMP messages to the remote host.
2. Record the response that you get from the remote system when you perform Step 1.
3. Compare the response received to the already known responses shown by the various Operating
Systems, so that you can deduce the exact OS name and version running on the remote host.
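Because IOS access lists are evaluated top-down with the first match deciding, the order of the permit and deny entries in the ICMP countermeasures above determines whether the ISP exception actually works. The added example below (not from the courseware) is a small first-match evaluator for the `access-list` syntax used on the page; it runs both orderings against a constructed ISP range (198.51.100.0/24, documentation space) and a constructed outside address, and includes the trailing `permit ip any any` a real deployment needs so the ICMP filter does not become a blanket deny.

```python
import ipaddress

ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13

# Constructed ISP range (RFC 5737 documentation space) standing in for the
# "xx.xx.xx.xx" placeholder in the courseware's ACL. Deny first, as a mistake.
ACL_DENY_FIRST = """
access-list 101 deny icmp any any 8
access-list 101 permit icmp 198.51.100.0 0.0.0.255 any 8
access-list 101 permit ip any any
"""

# Permit the ISP's Echo and Timestamp requests, then deny those types from
# everyone else, then let all remaining traffic through.
ACL_PERMIT_FIRST = """
access-list 101 permit icmp 198.51.100.0 0.0.0.255 any 8
access-list 101 permit icmp 198.51.100.0 0.0.0.255 any 13
access-list 101 deny icmp any any 8
access-list 101 deny icmp any any 13
access-list 101 permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse 'any' or '<address> <wildcard>' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_ace(line):
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [icmp-type]' entry."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported entry: %r" % line)
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    icmp_type = int(t[i]) if i < len(t) else None
    return {"action": t[2], "proto": t[3], "src": (src, src_wc),
            "dst": (dst, dst_wc), "icmp_type": icmp_type}


def _matches(addr, rule):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    net, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl_text, src_ip, dst_ip, proto="icmp", icmp_type=None):
    """Walk the ACL top-down; the first matching entry decides, else the implicit deny applies."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        if _matches(src, ace["src"]) and _matches(dst, ace["dst"]):
            return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    isp, outsider, router = "198.51.100.7", "192.0.2.9", "203.0.113.10"
    for name, acl in (("deny first", ACL_DENY_FIRST), ("permit first", ACL_PERMIT_FIRST)):
        print(name, "ISP echo request:",
              evaluate(acl, isp, router, "icmp", ICMP_ECHO_REQUEST),
              "| outsider echo request:",
              evaluate(acl, outsider, router, "icmp", ICMP_ECHO_REQUEST))
```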
Active & Passive Fingerprinting of Microsoft based Operating Systems using the ICMP Protocol
The ICMP Protocol may seem harmless at first glance. Its goals and features were outlined in RFC
792 (and later clarified in RFCs 1122, 1256, 1349, 1812).
The ICMP protocol is used:
When a router or a destination host needs to inform the source host about errors in
datagram processing, and
For probing the network with request & reply messages in order to determine general
characteristics of the network.
In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite.
The risks involved in implementing the ICMP protocol in a network, regarding scanning, are the
subject of this section. We will especially focus on Active and Passive Fingerprinting of
Microsoft based Operating Systems.
The ICMP Protocol Specifications
ICMP messages are sent in IP datagrams. Although ICMP uses IP as if it were a higher-level
protocol, ICMP is an integral part of IP and must be implemented in every IP module. It is
important to note that the ICMP protocol is used to provide feedback about some (non-transient)
errors in datagram processing, not to make IP reliable. Datagrams may still be undelivered
Figure: IP header (20 bytes) carrying an ICMP message, bit offsets 0 to 31 per row:
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) = 0 | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol = 1 (ICMP) | 16-bit Header Checksum
Options (if any)
ICMP Messages
A number code, also known as the "message type", is assigned to each ICMP message; it specifies
the type of the message. Another number code represents a "code" for the specified ICMP type. It
acts as a sub-type, and its interpretation is dependent upon the message type.
The ICMP protocol has two types of operations (error reporting and request/reply probing);
therefore its messages are also divided into two groups: ICMP Error messages and ICMP Query
messages.
The Internet Assigned Numbers Authority (IANA) has a list defining the ICMP message types that
are currently registered. It also lists the RFC that defines each ICMP message. The list is available
at: http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
1.3.4 FINGERPRINTING
“Finger Printing is the art of Operating System Detection.”
A malicious computer attacker needs a few pieces of information before launching an attack. First,
a target, a host detected using a host detection method. The next piece of information would be the
services that are running on that host. This would be done with one of the Port Scanning methods.
The last piece of information would be the operating system used by the host. The information
would allow the malicious computer attacker to identify if the targeted host is vulnerable to a
certain exploit aimed at a certain service version running on a certain operating system.
What makes the Active Fingerprinting methods that use the ICMP protocol unique, compared to
other Active Fingerprinting methods? As we will learn, Active Fingerprinting with ICMP
requires less traffic initiation from the prober to a target host. With some methods only one
datagram is required to determine the underlying operating system.
We can group the Active Fingerprinting methods that are based upon the ICMP protocol into the
following groups, which are based upon the ICMP traffic used:
Regular ICMP Query Messages
Crafted ICMP Query Messages
ICMP Error Messages
The question "Which operating system answers what kind of ICMP Query messages?" helps us
identify certain groups of operating systems. For example, LINUX and *BSD based operating
systems with a default configuration answer ICMP Echo Requests and ICMP Timestamp
Requests. Until the Microsoft Windows 2000 family of operating systems was released, this was a
unique combination for these two groups of operating systems. Since the Microsoft Windows 2000
operating system family mimics the same behavior (yes, mimics), it is no longer feasible to make
this particular distinction. Other data we might use is "Which operating systems answer
queries aimed at the broadcast / network address of the network they reside on?" For Microsoft
based operating systems this information is not useful, since Microsoft based operating system
machines will not answer any type of ICMP message aimed at the broadcast address of the
network they reside on. Using tables that map the "who answers what?" approach we can
map Ultrix, Linux, Sun Solaris, and group HP-UX & AIX based machines with some ICMP Query
message combinations. Is it a sin not to answer an ICMP Query request aimed at the broadcast
address of a network? No. This is not abnormal behavior, as RFC 1122 states that if we send an
ICMP Echo Request to an IP Broadcast or IP Multicast address it may be silently discarded by a
host.
IP Time-to-Live Field
The sender sets the Time to Live field to a value that represents the maximum time the datagram is
allowed to travel on the Internet. The field value is decreased at each point where the Internet header
is processed. RFC 791 states that this decrease reflects the time spent processing the datagram. The
field value is measured in units of seconds. The RFC also states that the maximum Time to Live
value can be set to 255 seconds, which equals 4.25 minutes. The datagram must be discarded if this
field value reaches zero before the datagram reaches its destination. Treating this field as a
measure of time is a bit misleading: some routers may process the datagram in less than a second,
and some may take longer than a second. The real intention is to have an upper bound on the
datagram's lifetime, so that infinite loops of undelivered datagrams will not jam the Internet.
Having a bound on the datagram's lifetime helps us prevent old duplicates from arriving after a
certain time has elapsed. So when we retransmit a piece of information which was not previously
delivered, we can be assured that the older duplicate has already been discarded and will not
interfere with the process.
The IP TTL field value with ICMP has two separate values: one for ICMP query messages and one
for ICMP query replies. The TTL field value helps us identify certain operating systems and groups
of operating systems. It also provides us with the simplest means to add another check criterion
when we are querying other host(s) or listening to traffic (sniffing). We can use the IP TTL field
value of the ICMP Query Reply datagram to identify certain groups of operating systems. The
method discussed in this section is a very simple one: we send an ICMP Query request message to
a host, and if we receive a reply, we look at the IP TTL field value in the ICMP query reply.
The IP Time-To-Live field value received will not be the original value assigned to this field. The
reason is that each router along the path from the targeted host to the prober decreased this field
value by one. We can approach this in two ways. The first is to look at the IP TTL field values
that are usually used by operating systems and networking devices: 255, 128, 64 and 32. We take
the closest of these values as the original value assigned to the IP TTL field. The second approach
is less accurate than the first one. Since we already queried the targeted host, querying it again
will not be that
We can use the trace route program (tracert in Windows 2000) to reveal the number of hops
between our system and the target. Adding the number we calculated to the IP TTL field value
should give us a good guess about the original IP TTL value assigned to this field. Why is this only
a good guess? Because the routes taken from the target to our host and from our host to the target
may be different. Again, we will have a number close enough to one of the common values to make
a good guess about the original IP TTL field value.
C:\>ping -n 1 www.sys-security.com
Pinging www.sys-security.com [216.230.199.48] with 32 bytes of data:
Figure: ICMP Timestamp Request aimed at the broadcast address of a network. Reply: Solaris,
HP-UX, LINUX Kernel 2.2.14. No Reply: other OS's.
LINUX Kernel 2.0.x, 2.2.x & 2.4.x use 64 as their IP TTL Field Value with ICMP Echo
Requests.
FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD 2.6, 2.7, NetBSD and HP
UX 10.20 use 255 as their IP TTL field value with ICMP Echo requests.
Windows 95/98/98SE/ME/NT4 WRKS SP3, SP4, SP6a/NT4 Server SP4 - all use 32 as
their IP TTL field value with ICMP Echo requests.
Microsoft Windows 2000 uses 128 as its IP TTL Field Value with ICMP Echo requests.
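Both TTL approaches described above, as an added example that is not part of the courseware: the first snaps an observed TTL up to the nearest common initial value (255, 128, 64, 32) and the second adds a traceroute hop count before snapping. It parses the Windows ping output printed earlier in this section (TTL=61) and uses the initial-TTL table given just above; the same classification applies to replies seen while sniffing, which is why the table is worth keeping current from your own inventory.

```python
import re

# Initial TTL values the courseware lists for ICMP Echo traffic, with the
# operating-system group it associates with each. Newer systems differ, so
# refresh this table from your own inventory before relying on it.
INITIAL_TTL_GROUPS = {
    32: "Windows 95/98/98SE/ME/NT4",
    64: "LINUX kernel 2.0.x, 2.2.x and 2.4.x",
    128: "Windows 2000",
    255: "FreeBSD, Sun Solaris, OpenBSD, NetBSD, HP-UX 10.20",
}


def guess_initial_ttl(observed_ttl):
    """First approach: the smallest common initial value the observed TTL fits under."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255, got %r" % observed_ttl)
    return min(v for v in INITIAL_TTL_GROUPS if v >= observed_ttl)


def initial_ttl_from_hops(observed_ttl, hops):
    """Second approach: add the traceroute hop count, then snap to the nearest common value.

    Only a good guess: the forward and return paths may differ in length."""
    estimate = observed_ttl + hops
    return min(INITIAL_TTL_GROUPS, key=lambda v: abs(v - estimate))


def classify(observed_ttl, hops=None):
    """Map an observed TTL (optionally with a measured hop count) to an OS group."""
    if hops is None:
        initial = guess_initial_ttl(observed_ttl)
    else:
        initial = initial_ttl_from_hops(observed_ttl, hops)
    return {"observed_ttl": observed_ttl, "initial_ttl": initial,
            "estimated_hops": initial - observed_ttl,
            "os_group": INITIAL_TTL_GROUPS[initial]}


# Matches Windows ping reply lines such as "Reply from 203.94.243.71: bytes=32 time=163ms TTL=61"
PING_REPLY = re.compile(
    r"Reply from (\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ time[=<]\d+ms TTL=(\d+)")


def classify_ping_output(text):
    """Parse Windows ping output and classify every host that replied."""
    results = {}
    for m in PING_REPLY.finditer(text):
        ip, ttl = m.group(1), int(m.group(2))
        results.setdefault(ip, classify(ttl))
    return results


# Sample input: the ping output shown earlier in this section.
SAMPLE_PING = """Pinging mail2.bol.net.in [203.94.243.71] with 32 bytes of data:
Reply from 203.94.243.71: bytes=32 time=163ms TTL=61
Reply from 203.94.243.71: bytes=32 time=185ms TTL=61
Reply from 203.94.243.71: bytes=32 time=153ms TTL=61
Reply from 203.94.243.71: bytes=32 time=129ms TTL=61
"""

if __name__ == "__main__":
    for ip, verdict in classify_ping_output(SAMPLE_PING).items():
        print(ip, verdict)
    # Same reply, but with a tracert hop count of 3 to confirm the guess.
    print(classify(61, hops=3))
```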
Fingerprinting is the technique of interpreting the responses of a system in order to figure out what
it is. Unusual combinations of data are sent to the system in order to trigger these responses.
Systems respond the same with correct data, but they rarely respond the same way for wrong data.
Active Fingerprinting
The strategy of active finger printing includes
craft requests
interpret responses
Operating System Fingerprinting
o nmap
o ICMP Usage in Scanning
Example:
o Send ICMP Netmask request
o Got a response? Might be Solaris
Test implemented methods
response to unsupported messages
response to fuzzed lines
response on busy
o timing
response to unsupported media
o 415, 486, 603
The pros of active finger printing are that on demand it triggers bugs.
But active finger printing is noisy and detectable.
Passive Fingerprinting
Passive Fingerprinting is a technique used to map a targeted network (and the networks and hosts
communicating with it) using sniffed information (exchanged network traffic) from that network.
Different operating systems use different implementations of the TCP/IP stack. We can identify
differences between those TCP/IP stack implementations and therefore differentiate between the
operating systems that use them. Based on the sniffed information and those differences we can
identify the various operating systems used on the sniffed network. We can also identify some
operating systems used on the network(s) and host(s) communicating with our targeted network, as
well as the various services available on those host(s).
Strategy
o sniff existing traffic
o identify based on oddities
Passive finger printing is undetectable, but it is hard to differentiate between minor versions.
Order/existence of headers
o i.e. Accept header set?
interpretation of RFCs
o Max-Forwards set to !70
SUMMARY
The specialized nature of information systems (IS) auditing and the skills necessary to perform
such audits require standards that apply specifically to IS auditing. One of the goals of the ATL
Security Group is to advance globally applicable standards to meet its vision. The development and
dissemination of the IS Auditing Standards are a cornerstone of the ATL professional's
contribution to the audit community. The framework for the IS Auditing Standards provides
multiple levels of guidance. Standards define mandatory requirements for IS auditing and
reporting.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider
them in determining how to achieve implementation of the standards, use professional judgment in
their application and be prepared to justify any departure. The objective of the IS Auditing
Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement.
The procedure documents provide information on how to meet the standards when performing IS
auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to
provide further information on how to comply with the IS Auditing Standards. Thus in IS audits,
vulnerability assessment and testing play a major and essential role, and in-depth knowledge of
them is a must in information security and protection from hacking.
EXERCISE
Q 2. A computer attack that exploits the way that a network connection remains open waiting
for a response is known as a _____ attack.
a) mail bomb
b) Smurf
c) spam
d) SYN flood
Q 3. Which of the following computer attack methods does not require a hardware or
software tool?
a) Spoofing
b) Social engineering
c) Port scanning
d) Packet sniffing
Q 10. After loading a word processor document from a floppy, a user's computer begins to
show symptoms of being infected by a virus.
Which of the following is true concerning this situation?
a) A document cannot contain a virus, so the source of the virus was not the word processing
document.
b) The document text could have contained an embedded virus.
c) The document could have contained a macro that contained a virus.
d) The word processing program checks all documents for viruses before using them, so the
source of the virus was not the document.
Answers: 1) c, 2) d, 3) b, 4) a, 5) b, 6) d, 7) d, 8) a, 9) a, 10) c
2.1 VULNERABILITIES
"Vulnerabilities are the gateways by which threats are manifested".
In other words, a system compromise can occur through a weakness found in a system. A
vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix
to prevent a compromise. How do these weaknesses occur? There are two points to consider:
Many systems are shipped with known and unknown security holes and bugs, and
Insecure default settings (passwords, etc.). Many vulnerabilities occur as a result of
misconfiguration.
Vulnerabilities are actually weaknesses in software that might be used to compromise a computer.
Vulnerable software includes all types of operating systems and application programs. New
vulnerabilities are being discovered constantly in different ways. New vulnerabilities discovered by
security researchers are usually reported confidentially to the vendor, which is given time to study
the vulnerability and develop a patch. Of all vulnerabilities disclosed in 2007, 50% could be
corrected through vendor patches. When ready, the vendor will publish the vulnerability,
hopefully along with a patch. It has been argued that publication of vulnerabilities will help
attackers. Though this might be true, publication also fosters awareness within the entire
community. Systems administrators will be able to evaluate their systems and take appropriate
precautions. One might expect systems administrators to know the configuration of computers on
their network, but in large organizations it would be difficult to keep track of possible
configuration changes made by users. Vulnerability testing offers a simple way to learn about the
configuration of computers on a network.
Vulnerability testing is an exercise to probe systems for known vulnerabilities. It requires a
database of known vulnerabilities, a packet generator, and test routines to generate a sequence of
packets to test for a particular vulnerability. If a vulnerability is found and a software patch is
available, that host should be patched. Penetration testing is a closely related idea but takes it
further: penetration testing simulates the actions of a hypothetical attacker to attempt to
compromise hosts.
Ways to counteract these conditions include:
Creating and abiding by baseline security standards
Installing vendor patches (when appropriate)
Vulnerability scanning
Subscribing to and abiding by security advisories
Implementing perimeter defenses, such as firewalls and router ACLs
Implementing intrusion detection systems and virus scanning software.
The primary reason for testing the security of an operational system is to identify potential
vulnerabilities and subsequently repair them. The number of reported vulnerabilities is growing
daily. Consequently, it is imperative that organizations routinely test systems for vulnerabilities and
misconfigurations to reduce the likelihood of system compromise. Typically, vulnerabilities are
exploited repeatedly by attackers to attack weaknesses that organizations have not patched or
corrected. A few software vulnerabilities account for the majority of successful attacks because
attackers don't like to do extra work. They exploit the best-known flaws with the most effective and
widely available attack tools. And they count on organizations not fixing the problems.
The process followed to test for vulnerabilities is as defined –
Audit
o Information Gathering
o Vulnerability Scanning & Penetration Testing
Report
o Risk Assessment
o Comprehensive Reporting with Management / Technical Reports
Secure
o Patching Vulnerabilities
o Software Recommendation / Implementation
Manage
o Regular Patching of newly discovered vulnerabilities in the system
o Address and escalate any unforeseen security related issue
o Identify, recommend and implement long term solutions
Rapid7 Nexpose: Rapid7 Nexpose proactively supports the entire vulnerability management
lifecycle, including continuous discovery, dynamic detection, verification, risk classification,
impact analysis, reporting and mitigation. The result is up-to-date, comprehensive security risk
intelligence about your IT environment and risk posture.
GFI LanGuard: GFI LANguard Network Security Scanner (N.S.S.) checks your network for possible
security vulnerabilities by scanning your entire network for missing security patches, service
packs, open shares, open ports, unused user accounts and more.
Nmap: Nmap ("Network Mapper") is a free open source utility for network exploration or security
auditing.
L0pht Crack: An award-winning password audit and recovery tool for Windows and Unix passwords.
Lan Surveyor: Automatically diagram your entire LAN or WAN, document all your networked devices,
monitor up/down status of your key systems and applications.
Paros Web
Metasploit: Metasploit is an advanced open-source platform for developing, testing, and using
exploit code.
Wireshark: Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is an open
source network protocol analyzer for Unix and Windows.
Cain & Abel: This Windows-only password recovery tool handles an enormous variety of tasks. It
can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary,
Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled
passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Netstumbler: Netstumbler is the best known Windows tool for finding open wireless access points
("wardriving").
Netcat: This simple utility reads and writes data across TCP or UDP network connections. It is
designed to be a reliable back-end tool that can be used directly or easily driven by other
programs and scripts.
True Crypt: TrueCrypt is an excellent open source disk encryption system.
SamSpade: Sam Spade provides a consistent GUI and implementation for many handy network query
tasks. It was designed with tracking down spammers in mind, but can be useful for many other
network exploration, administration, and security tasks. It includes tools such as ping,
nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay
check, website search, and more.
Ike-scan: ike-scan exploits transport characteristics in the Internet Key Exchange (IKE)
Spohn Security Manager: The Spohn NetAudit Integrated Security Manager is a proprietary program
we designed from the ground up in order to put it all together. Security Manager allows us to
combine the results from Nessus, GFI, MBSA, and more, into one Access Database that we will use
to put together a comprehensive assessment of your security posture. The same database is
included on the CD-Rom so you can see what we see, and even run your own queries.
Fingergoogle: Command line program to enumerate Google's enormous database for user names.
Google: While it is far more than a security tool, Google's massive database is a gold mine for
security researchers and penetration testers. You can use it to dig up information about a
target company by using directives such as "site:target-domain.com" and find employee names,
sensitive information that they wrongly thought was hidden, vulnerable software installations,
and more.
Hping2: This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then
displays any replies. It was inspired by the ping command, but offers far more control over the
probes sent.
Dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers.
Hydra: It can perform rapid dictionary attacks against more than 30 protocols, including telnet,
ftp, http, https, smb, several databases, and much more.
Psk-crack: psk-crack attempts to crack IKE Aggressive Mode pre-shared keys that have been
previously gathered using ike-scan with the --pskcrack option.
Packetyzer: Packetyzer provides a Windows user interface for the well known Ethereal packet
capture and dissection library.
Tcpdump: Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene. It
may not have the bells and whistles that Wireshark has, but it does the job well and with fewer
security holes. It also requires fewer system resources.
Wget: GNU Wget is a free utility for non-interactive download of files from the
Httrack: HTTrack allows you to download a World Wide Web site from the Internet to a local
directory, building recursively all directories, getting HTML, images, and other files from the
server to your computer. HTTrack arranges the original site's relative link-structure.
Nikto: Nikto is an open source (GPL) web server scanner which performs comprehensive tests
against web servers for multiple items, including over 3200 potentially dangerous files/CGIs,
versions on over 625 servers, and version specific problems on over 230 servers.
Wikto: Windows version of Nikto with some added features.
There are two things in this definition that may need some clarification. First, the process of risk
assessment is an ongoing, iterative process. It must be repeated indefinitely. The business
environment is constantly changing and new threats and vulnerabilities emerge every day. Second,
the choice of countermeasures (controls) used to manage risks must strike a balance between
productivity, cost, effectiveness of the countermeasure, and the value of the informational asset
being protected.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or
the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to
an informational asset. A threat is anything (manmade or act of nature) that has the potential to
cause harm.
2.8.1 CONTROLS
When management chooses to mitigate a risk, they will do so by implementing one or more of
three different types of controls.
2.8.2 ADMINISTRATIVE
Administrative controls (also called procedural controls) consist of approved written policies,
procedures, standards and guidelines. Administrative controls form the framework for running the
business and managing people. They inform people on how the business is to be run and how day
to day operations are to be conducted. Laws and regulations created by government bodies are also
a type of administrative control because they inform the business. Some industry sectors have
policies, procedures, standards and guidelines that must be followed – the Payment Card Industry
(PCI) Data Security Standard required by Visa and MasterCard is such an example. Other
examples of administrative controls include the corporate security policy, password policy, hiring
policies, and disciplinary policies.
Administrative controls form the basis for the selection and implementation of logical and physical
controls. Logical and physical controls are manifestations of administrative controls.
Administrative controls are of paramount importance.
2.8.3 LOGICAL
Logical controls (also called technical controls) use software and data to monitor and control
access to information and computing systems. For example: passwords, network and host based
firewalls, network intrusion detection systems, access control lists, and data encryption are logical
controls.
An important logical control that is frequently overlooked is the principle of least privilege.
The principle of least privilege requires that an individual, program or system process is not
granted any more access privileges than are necessary to perform the task. A blatant example of the
failure to adhere to the principle of least privilege is logging into Windows as user Administrator to
read Email and surf the Web. Violations of this principle can also occur when an individual collects
additional access privileges over time. This happens when employees' job duties change, or they
are promoted to a new position, or they transfer to another department. The access privileges
required by their new duties are frequently added onto their already existing access privileges
which may no longer be necessary or appropriate.
2.8.4 PHYSICAL
Physical controls monitor and control the environment of the work place and computing facilities.
They also monitor and control access to and from such facilities. For example: doors, locks,
heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades,
An important physical control that is frequently overlooked is the separation of duties. Separation
of duties ensures that an individual cannot complete a critical task by himself. For example: an
employee who submits a request for reimbursement should not also be able to authorize payment or
print the check. An applications programmer should not also be the server administrator or the
database – these roles and responsibilities must be separated from one another.
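An access review that checks the two controls described in 2.8.3 and 2.8.4 (added example, not from the course text): privileges a user holds beyond what their current role needs (least privilege, the "privilege creep" case) and conflicting privilege pairs held by one person (separation of duties). The roles, privileges, conflict pairs and users are constructed for the example.

```python
"""Access review for least privilege and separation of duties (added example)."""

# Constructed role model: the privileges each role legitimately needs.
ROLE_PRIVILEGES = {
    "accounts_clerk":   {"submit_reimbursement"},
    "accounts_manager": {"authorize_payment", "print_check"},
    "developer":        {"deploy_app", "read_app_logs"},
    "server_admin":     {"server_admin"},
    "dba":              {"db_admin"},
}

# Constructed toxic combinations: no single person may hold both privileges of a pair.
SOD_CONFLICTS = [
    ("submit_reimbursement", "authorize_payment"),
    ("submit_reimbursement", "print_check"),
    ("deploy_app", "server_admin"),
    ("deploy_app", "db_admin"),
]


def privilege_creep(role, privileges):
    """Return the privileges a user holds that their current role does not require."""
    return set(privileges) - ROLE_PRIVILEGES[role]


def sod_violations(privileges):
    """Return the conflicting privilege pairs that a single user holds together."""
    held = set(privileges)
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]


def review(users):
    """Review every user; returns findings keyed by user name (empty dict = clean)."""
    findings = {}
    for name, (role, privileges) in users.items():
        creep = privilege_creep(role, privileges)
        conflicts = sod_violations(privileges)
        if creep or conflicts:
            findings[name] = {"excess": sorted(creep), "sod_conflicts": conflicts}
    return findings


# Constructed users: (current role, privileges actually granted).
# bob was promoted clerk -> manager and kept his old privilege, the case the text warns about;
# carol is a developer who was also given server administration.
SAMPLE_USERS = {
    "alice": ("accounts_clerk", {"submit_reimbursement"}),
    "bob":   ("accounts_manager", {"submit_reimbursement", "authorize_payment", "print_check"}),
    "carol": ("developer", {"deploy_app", "read_app_logs", "server_admin"}),
}

if __name__ == "__main__":
    for user, finding in review(SAMPLE_USERS).items():
        print(user, finding)
```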
Finally, the report provided a summary of conclusions with issues listed in order of risk, with the
most critical first.
Presentation
The report was then agreed with the organization, and presented to them face to face to ensure that
the organization gained the most value from the audit and the report.
The organization then proceeded to prioritize and resolve the issues.
SUMMARY
The objective of a vulnerability assessment is to find the security holes in the computers and
elements analyzed; its intent is not to damage the infrastructure. A Vulnerability Analysis
provides an overview of the flaws that exist on the system. It is more of a passive process. In
Vulnerability Analysis you use software tools that analyze both network traffic and systems to
identify any exposures that increase vulnerability to attacks. It deals with potential risks and
identifies and quantifies the security vulnerabilities in a system. Vulnerability Analysis doesn't
provide validation of security vulnerabilities. Validation can only be done by penetration testing.
It works to improve security posture and develop a more mature, integrated security program.
EXERCISE
Q 1. Which of the following conditions on a user's computer might indicate the presence of a
computer virus?
I. Certain files of the user are no longer present on the disk.
II. The system no longer boots.
III. Annoying messages appear on the display, and then disappear
a) I, II, and III
b) II and III only
c) I and II only
d) I and III only
Q 9. Which of the following computer attack methods does not require a hardware or
software tool?
a) Spoofing
b) Port scanning
c) Social engineering
d) Packet sniffing
Q 20. Which of the following is (are) true regarding network connectivity attacks?
I. A network connectivity attack can be achieved by generating numerous half-open
connections to the target computer.
Internet
The purpose of Internet testing is to compromise the target network. The methodology needed to
perform this test allows for a systematic checking for known vulnerabilities and pursuit of potential
security risks. The methodology ordinarily employed includes the processes of:
Ordinarily followed and should provide a detailed and exact method of execution. In addition, the
intricacies of new vulnerabilities and methods of exploitation require detailed study with a history
of information to draw upon.
Dial-in: War dialing is the systematic calling of each number in the target range in search of
3.3 METHODOLOGY
Penetration testing consists of four phases:
A broad range of possible service arrangements exists. An organization may select its internal
employees and teams to provide the service required, or it may choose to fully export the service to
an external service provider. This external service provider could be any organization because this
term does not intend to refer to only an external commercial service provider. For example, an
organization may choose to employ an external group from a subsidiary organization, a business
unit, or a commercial service provider.
3.10.2 RULES
Assumption: A stateful firewall will be used to protect an entire VLAN and that firewall logs will
be reviewed on a regular basis to identify security issues and configuration adjustments. It is
further assumed that the campus unit's system administrator has scanned the VLAN to identify
existing services that need to be considered during firewall configuration and require firewall rules
in excess of the base rules stated below:
General Firewall Policy: Deny all inbound traffic unless explicitly authorized and traffic from
internal VLAN users is generally unrestricted. All deny rules are logged.
Allow Web traffic (TCP 80/443) from any external address to internal web server – Permit
access to the specific IP address(es) of internal webservers via HTTP and HTTPS.
Additional security measures must be considered for web servers as many security exploits
use TCP port 80.
Allow traffic (TCP 21) to internal FTP server – If FTP services are provided to external
users, this rule permits access to the FTP server. As a reminder, when using FTP services,
user account and password information is transmitted in clear text. Use of passive FTP
(PASV) will negotiate a random data port versus use of TCP port 20.
Allow traffic (TCP 22) to internal SSH/SFTP server – Use of encrypted SSH is preferred
over insecure FTP/Telnet services. This rule permits use of SSH to access internal SSH
hosts.
Allow traffic (TCP 25) to internal SMTP server – Permit external SMTP users and servers
access to internal SMTP mail server. This rule presumes your campus unit is operating an
SMTP server.
Allow DNS (UDP 53) to internal DNS server – If the unit runs internal DNS servers this
rule is recommended. The rule is needed if a Windows Active Directory server is hosted on
the internal network. You must permit TCP 53 for zone transfer capability; however this
permission should not be applied by default.
Allow traffic (UDP 67/68) for client access to DHCP server – This rule permits DHCP
clients to negotiate lease with DHCP server
Allow traffic (TCP 110) to internal POP server – Permit external POP users' access to
internal POP server. This rule presumes your campus unit is operating a POP server. It is
strongly recommended that POP authentication traffic be conducted over a secure
transport, such as TLS/SSL (TCP 995)
Allow NTP traffic (TCP 123) to specific internal host address(es) – This rule permits
time synchronization and may be needed by selected internal hosts for time
synchronization. This rule is required to support external client authentication to the
internal Active Directory services.
Allow traffic (TCP 143) to internal IMAP server – This rule permits external IMAP clients
to access internal IMAP server. It is strongly recommended that IMAP authentication
traffic be conducted over a secure transport, such as TLS/SSL (TCP 993)
Allow inbound traffic (TCP 515 from 169.237.104.59 and 169.237.104.65) for BANNER
spooler/printing to specific internal printer address – This rule will permit transcript
printing.
Allow inbound traffic (TCP 515 from 128.48.175.6) for PPS spooler/printing to specific
internal network printer address – This rule will permit printing Payroll/Personnel reports.
If you use Remote Printer Manager (PC) or Intersolv (Mac) for PPS printing to a non-
network printer, the firewall rule must permit TCP515 traffic to the host with the direct
connected printer.
Allow access to internal MeetingMaker Server (TCP 2001, UDP 2000, UDP 417) – This
rule permits inbound traffic to MeetingMaker servers residing on the protected network.
Allow access to MS SQL Server (TCP/UDP 1433 and 1434) to specific host address – This
rule permits inbound traffic to communicate with a MS SQL Server residing on the
protected VLAN.
Allow access to Microsoft Resources – Consult Microsoft's TechNet and Knowledge Base
resources to verify firewall configuration requirements for Exchange, MS SQL Server, and
shared MS network resources. Some firewall rules are determined by version. Shared
resources must be properly secured or the VLAN hosts could be vulnerable to security
compromises. See References section for additional information.
Allow traffic (TCP/UDP 135, 137, 138 139/445) for external access to specific shared
resources – This rule permits external clients to access shared Microsoft resources behind
the firewall.
Allow access (TCP 4899) to specific internal hosts using Famatech RADMIN remote
administration application – This rule permits external administrators to communicate with
hosts running the RADMIN utility.
Allow access (TCP 5641 and UDP 5642) from external clients running PC Anywhere to
specific host addresses – This rule permits remote control of computing hosts behind the
firewall using Symantec's PC Anywhere product.
Increase UDP timeout from default 2 minutes to 45 minutes – This rule is suggested to bypass
DaFIS time restrictions.
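The base policy above (deny all inbound unless explicitly authorized, internal VLAN users unrestricted, every deny logged, TCP 53 for zone transfers not granted by default) expressed as an nftables ruleset generator; this is an added example, not part of the course text or any vendor's product. The interface names, the `vlan_fw` table name and the 192.0.2.x addresses are constructed placeholders.

```python
"""Generate an nftables ruleset for the stateful VLAN firewall base policy (added example)."""

EXTERNAL_IF = "eth0"   # assumed: interface facing the campus network / Internet
VLAN_IF = "vlan10"     # assumed: interface of the protected VLAN


def allow_rule(proto, ports, hosts):
    """One accept rule for an authorized service: proto/ports to the listed internal hosts."""
    port_set = ", ".join(str(p) for p in ports)
    host_set = ", ".join(hosts)
    return f'iifname "{EXTERNAL_IF}" ip daddr {{ {host_set} }} {proto} dport {{ {port_set} }} accept'


def build_ruleset(web_servers=(), ssh_hosts=(), smtp_servers=(), dns_servers=(),
                  allow_zone_transfer=False):
    """Return the nftables ruleset text for the given authorized services."""
    rules = [
        # Replies to flows the inside opened always pass (stateful firewall).
        "ct state established,related accept",
        # Traffic from internal VLAN users is generally unrestricted.
        f'iifname "{VLAN_IF}" accept',
    ]
    if web_servers:
        rules.append(allow_rule("tcp", (80, 443), web_servers))   # HTTP/HTTPS
    if ssh_hosts:
        rules.append(allow_rule("tcp", (22,), ssh_hosts))         # SSH/SFTP
    if smtp_servers:
        rules.append(allow_rule("tcp", (25,), smtp_servers))      # SMTP
    if dns_servers:
        rules.append(allow_rule("udp", (53,), dns_servers))       # DNS queries
        if allow_zone_transfer:                                   # TCP 53 only on request
            rules.append(allow_rule("tcp", (53,), dns_servers))
    # Everything else is denied, and every deny is logged.
    rules.append('log prefix "vlan-fw deny: " drop')
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet vlan_fw {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation range). Save the output to a file
    # and load it on the firewall host with `nft -f <file>`.
    print(build_ruleset(web_servers=["192.0.2.10"], ssh_hosts=["192.0.2.20"],
                        dns_servers=["192.0.2.53"]))
```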
Microsoft's URLScan
o Built in to IIS 6 and IIS 7
Link Ch_12o
Web-Crawling Tools
wget is a simple command-line tool to download a page, and can be used in scripts
o Available for Linux and Windows
o Link Ch 12z03
Offline Explorer Pro
o Commercial Win32 product
Web Application Assessment
Once the target application content has been crawled and thoroughly analyzed
If the cracked passwords were selected according to policy, the policy should be modified
to reduce the percentage of crackable passwords. If such policy modification would lead to
users writing down their passwords because they are difficult to memorize, an organization
should consider replacing password authentication with another form of authentication.
If cracked passwords were not selected according to policy, the users should be educated
on possible impacts of weak password selections. If such violations by the same users are
persistent, management should consider additional steps (additional training, password
management software to enforce better choices, deny access, etc.) to gain user compliance.
Many server platforms also allow the system administrator to set minimum password length and
complexity.
On systems that support password filters, the filters should be set so as to force the use of strong
passwords, and this may reduce or even eliminate the need to perform password cracking.
Passwords, no matter how strong, often are sent in the clear over networks; thus organizations
should be moving towards the use of stronger forms of authentication.
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, if there is
no limit to the number of attempts, a brute force attack will always be successful since the rules for
acceptable passwords must be publicly known; but as the length of the password increases, so does
the number of possible passwords. This method is unlikely to be practical unless the password is
relatively short; however techniques using parallel processing can reduce the time to find the
password in inverse proportion to the number of computer devices (CPUs) in use. This depends
heavily on whether the prospective attacker has access to the hash of the password as well as the
hashing algorithm, in which case the attack is called an offline attack (it can be done without
connection to the protected resource) or not, in which case it is called an online attack. An offline
attack is generally much easier, because testing a password is reduced to a mathematical
computation of the hash of the password to be tried and comparison with the hash of the real
password. In an online attack the attacker has to try to authenticate himself with all the possible
passwords, and rules and delays can be imposed by the system and the attempts can be logged.
A common password length recommendation is eight or more randomly chosen characters
combining letters, numbers, and special characters (punctuation, etc.). This recommendation makes
sense for systems using stronger password hashing mechanisms such as md5-crypt and the
Blowfish-based bcrypt, but is inappropriate for many Microsoft Windows systems because they
store a legacy LAN Manager hash which splits the password into two seven character halves.
On these systems, an eight character password is converted into a seven character password and a
one character password. For better security, LAN Manager Password storage should be disabled if
it will not break supported legacy systems.[9] Systems which limit passwords to numeric characters
only, or upper case only, or generally those which limit the range of possible password character
choices, also make brute force attacks easier. Using longer passwords in these cases (if possible)
can compensate for the limited allowable character set. Of course, even with an adequate range of
character choice, users who limit themselves to an obvious subset of the available characters (e.g.,
use only upper case alphabetic characters, or only digits) make brute force attacks against their
accounts much easier.
Generic brute-force search techniques are often successful, but smart brute-force techniques, which
exploit knowledge about how people tend to choose passwords, pose an even greater threat. NIST
SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8
character user-chosen password may provide somewhere between 18 and 30 bits of entropy
(randomness), depending on how it is chosen. For example 24 binary digits of randomness is
equivalent to 3 randomly chosen bytes, or approximately 5 random characters if they are restricted
to upper case alphabetic characters, or 2 words selected from a 4000 word vocabulary. This amount
of entropy is far less than what is generally considered safe for an encryption key.
How small is too small for offline attacks thus depends partly on an attacker's ingenuity and
resources (e.g. available time and computing power). The second of these will increase as
computers get faster. Most commonly used hashes can be implemented using specialized hardware,
allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a
separate portion of the search space. Unused overnight and weekend time on office computers can
also be used for this purpose.
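The numbers in the password discussion above worked through in code (added example, not from the course text): entropy for a given character set and length, the expected cost of an exhaustive search online versus offline, and the effect of the LAN Manager 7+7 split on the work an attacker who holds the hash must do. The guess rates are constructed assumptions, not measurements.

```python
"""Password entropy and brute-force cost estimates (added example)."""
import math


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` characters chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def brute_force_guesses(alphabet_size, length):
    """Size of the search space for a single hash of a `length`-character password."""
    return alphabet_size ** length


def lm_brute_force_guesses(alphabet_size, length):
    """Search space when the password is stored as a LAN Manager hash.

    LM upper-cases the password and splits it into two 7-character halves that are hashed
    independently, so the attacker searches each half on its own and the costs add instead
    of multiplying. LM cannot hold more than 14 characters.
    """
    if length > 14:
        raise ValueError("LM hash holds at most 14 characters")
    halves = [min(length, 7), max(length - 7, 0)]
    return sum(alphabet_size ** h for h in halves if h > 0)


def expected_crack_seconds(search_space, guesses_per_second):
    """Expected time to hit the right password: on average half the space is searched."""
    return (search_space / 2) / guesses_per_second


# Constructed guess rates: an online attack is throttled by the server (delays, lockouts,
# logging); an offline attack against a captured hash is limited only by hardware.
ONLINE_RATE = 10               # guesses per second against the live login
OFFLINE_RATE = 1_000_000_000   # guesses per second against a fast, unsalted hash

if __name__ == "__main__":
    # The text's equivalences: 24 bits = 3 random bytes ~ 5 upper-case letters ~ 2 words of 4000.
    for label, bits in [("3 random bytes", entropy_bits(256, 3)),
                        ("5 upper-case letters", entropy_bits(26, 5)),
                        ("2 words from a 4000-word list", entropy_bits(4000, 2))]:
        print(f"{label:32s} {bits:5.1f} bits")
    space = 2 ** 24
    print(f"24-bit password, online : {expected_crack_seconds(space, ONLINE_RATE) / 86400:.1f} days")
    print(f"24-bit password, offline: {expected_crack_seconds(space, OFFLINE_RATE):.3f} s")
    # Eight characters from the 69 printable ASCII symbols that survive LM's upper-casing
    # (26 letters, 10 digits, 33 punctuation), stored as one hash versus as an LM hash.
    print(f"8 chars, single hash: {brute_force_guesses(69, 8):.2e} guesses")
    print(f"8 chars, LM hash    : {lm_brute_force_guesses(69, 8):.2e} guesses")
```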
Objective
In this test case, you will create a typical traffic pattern of Oracle traffic, operating over a known
port. After measuring throughput, response time and transaction rates, you will start a DoS Ping
attack and compare the results.
Methodology:
1. Create an Oracle transaction as per the following criteria:
Run the transaction and record results in the "No DoS/No DUT" column in table 1
below. See Figure for a typical results screen.
Now instruct the DUT to enforce its rules, and then re-run the transaction. Record the
results in the "No DoS/DUT" column in table 1 below. This should tell you whether or
not the DUT is affecting traffic rates. Note that the DUT should be set up to defend
against the DoS Ping attack, which will be used in a subsequent step.
Now instruct the DUT to NOT enforce its rules and insert a DoS attack. This particular
attack should emanate from Endpoint 1 and target Endpoint .
Depending on the capabilities of your DUT and the available network bandwidth, you
may want to override the stream line rate (e.g. 15%). Also, ensure that the "Measure
hardware performance pair statistics" checkbox is in the UNCHECKED position. This
will ensure that the target CPU (in this case, the Ixia CPU) handles the details of the
incoming ICMP Ping requests. See Figure for a description of what this should look
like. Run and record the results in the "DoS No DUT" column of table 1. For a
comparative look at results with DoS and no DUT, see Figure.
Now enable the DUT and re-run the transaction. Record the results in the "DoS / DUT"
column in table below.
The completed table should give you a good comparative analysis of how well your
DUT can protect internal hosts from DoS Ping attacks.
Table: Comparative test table for enterprise application traffic with DOS attack traffic
Objective
This test case will observe what happens in a VoIP environment when a series of SYN attacks are
directed at a host. It will show how VoIP connections can be sabotaged when the DUT is not
configured correctly.
Methodology
A communication channel will be set up between two sets of Performance Endpoints, creating
several VoIP conversations. A TCP SYN attack will be launched against one of the endpoints from
a third location. The DUT will initially allow the attack to proceed. In the second iteration, the
DUT will be trained to disallow any TCP connection attempts from the third party location. The
VoIP conversations will exist between the 17.176.5/4 and the 19.168.10/4 networks. Another
network will be superimposed on the same physical connection as the 17.176.5/4 network, utilizing
an address from the 13.7.5/4 network.
Note that IxApplifier will be used to install an address range of 17.176.5.101 to 17.176.5.10 on the
public side of the DUT, and address range of 19.168.10.101 to 19.168.10.10 on the private side.
Also, the third party address of 13.17.5.100 will be installed on the external port. It will target
address 19.168.10.101 on the internal port, using the DUT as a gateway at address 13.7.5.1.
1. Set up VoIP pairs between internal and external clients. The VoIP traffic will travel in both
directions; that is, half of the connections will have Endpoint 1 on the private side of the DUT,
and half will have Endpoint 1 on the public side. Set up a total of 0 pairs. See the setup in
Figure.
2. Ensure that the DUT rules enforcement is turned off.
3. Set up the attacking port to use a hardware performance pair. Select the
IPv4_Syn_Port80_74Bytes.str pattern. Make sure "Measure hardware performance pair
statistics" is left unchecked so that the victim port (internal port) responds to the
attack. Finally, override the stream line rate and set up a very low rate of attack. You
may have to experiment a bit with this number. A good starting point is 0.01%. The
objective is to slowly overwhelm the victim port as the test is underway.
4. Set the run time for 1 minute, and run the test. You should see the MOS scores
registering an almost perfect performance up to the point that the victim processor gets
overwhelmed with TCP requests. At that point, the MOS scores will cease to exist,
indicating that no more data is coming in from the victim port.
Figure: VoIP setup
5. If the target port did not crash, go back to step 3 and adjust the stream line rate higher. You
should not have to go any higher than 5% to see the detrimental results of a TCP SYN attack.
6. Turn on DUT rule enforcement. There are several things that can be done to the DUT,
depending on the sophistication of the filtering required. If the DUT terminates and proxies
TCP connections, then you could turn on TCP SYN-Cookies to stop the effects of the SYN
attack. The simplest method is to simply filter on the malicious address, 13.7.5.100. This may
not be practical in the real world, but it can demonstrate the DUT's ability to filter on
undesirable source addresses.
7. Run the test again and ensure that the MOS scores stay at their near-perfect levels throughout
the test.
Vulnerability scanners can be of two types: network-based scanners and host-based scanners.
Network-based scanners are used primarily for mapping an organization's network and identifying
open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating
system of targeted systems. The scanners can be installed on a single system on the network and
can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host
to be tested and are used primarily to identify specific host operating system and application
misconfigurations and vulnerabilities. Because host-based scanners are able to detect
vulnerabilities at a higher degree of detail than network-based scanners, they usually require not
only host (local) access but also a "root" or administrative account. Some host-based scanners offer
the capability of repairing misconfigurations.
Organizations should conduct vulnerability scanning to validate that operating systems and major
applications are up to date on security patches and software version. Vulnerability scanning is a
somewhat labor-intensive activity that requires a high degree of human involvement in interpreting
the results. It may also disrupt network operations by taking up bandwidth and slowing response
times. However, vulnerability scanning is extremely important for ensuring that vulnerabilities are
mitigated before they are discovered and exploited by adversaries. Vulnerability scanning should
be conducted at least quarterly to semi-annually. Highly critical systems such as firewalls, public
web servers, and other perimeter points of entry should be scanned nearly continuously. It is also
recommended that since no vulnerability scanner can detect all vulnerabilities, more than one
should be used. A common practice is to use a commercially available scanner and a freeware
scanner.
Host-based vulnerability scanners are also readily available, both commercially as well as within
the open source community. They scan a host operating system for known weaknesses and
unpatched software, as well as for such configuration problems as file access control and user
permission management defects. Although they do not analyze application software directly, they
are useful at finding mistakes made in access control, configuration management, and other
configuration attributes, even at an application layer. Therefore, they are useful aids in a
development driven penetration test, if only to spot human errors in configurations. Although both
host- and network-based vulnerability scanners do little to help an application-level penetration
test, they are necessary fundamental tools for penetration testers. Popular vulnerability scanners
are Nessus and Nmap. Taking the concept of network-based vulnerability scanner one step further,
application scanners began appearing several years ago.
3.16.1 EAVESDROPPING
Given the open nature of wireless, eavesdropping is a fact of life. Anyone with a computer with a
wireless adapter, and the right software, can simply sit within range of a specific AP (application
protocols) or client and receive each and every network packet, thereby reconstructing the entire
network session for either the specific client, or the overall communication from the AP. And you
won't even know this is going on. Ironically, the software used to do this is also a very effective
tool in overall wireless network analysis – a packet sniffer. A packet sniffer (like OmniPeek from
WildPackets) is indispensable for any network engineer responsible for a wireless network. The
idea is to understand what can be captured with a packet sniffer from your network before misuse
does, including things like how far away does your network remain vulnerable and what users (and
applications) are most vulnerable. Using any level of encryption helps here, as only the packet
headers of encrypted data will be accessible via sniffing, assuming your encryption keys have not
been cracked.
A man-in-the-middle attack is a more sophisticated form of eavesdropping, where the perpetrator
actually "participates" in the network by taking receipt of a data stream and changing its contents
before forwarding it on. This could be to redirect traffic to an unauthorized host, or even to
manipulate data within a communication, such as a credit card transaction. As with eavesdropping,
wireless data encryption of the highest practical form is the best defense.
Good points:
o Large list of decoded protocols
o Easy to use interface
Bad points:
o Filter language difficult to use (and important)
o May crash in heavy traffic (capture traffic using
tethereal or tcpdump for later analysis)
1. nmap
A commonly used port scanner for identifying active hosts and associated services (i.e., open ports)
is nmap (see Appendix C for website). Nmap allows for a variety of different types of port scans to
be used in order to determine whether a port is open or closed. Nmap uses raw IP packets to
identify the available hosts on a network, the services or ports that are open, type of operating
system and version that hosts are running, type of packet filters and firewalls in use, and other
characteristics.
Cons
o scanning may be considered hostile
o SYN scans have been known to crash some systems
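The scan types described above produce output that nmap can also write as XML (the -oX option), which is the form a tester feeds into other tooling rather than reading by eye. The parser below is an added example written for this section; it is not nmap's own code and not part of the original course material. The XML it parses is a constructed sample in the shape nmap emits (documentation-range addresses, invented services and OS match; note that real nmap only lists down hosts when run with -v), and the record layout and the summarize() output format are this example's own choices.

```python
"""Parse nmap XML output (nmap ... -oX scan.xml) into per-host records.

Added example for this course section, not nmap's own code and not part of
the original text.  SAMPLE_NMAP_XML is a constructed document in the shape
nmap writes: documentation-range addresses, invented services and OS match.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, as produced by e.g.:  nmap -v -sS -sV -O -oX scan.xml 192.0.2.10-11
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -sS -sV -O -oX scan.xml 192.0.2.10-11">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="Microsoft ftpd" version="5.0"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="5.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 2000 SP4" accuracy="92"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Port:
    protocol: str
    number: int
    state: str       # open / closed / filtered as reported by the scan type used
    service: str     # service name (from nmap-services or -sV probing)
    product: str     # product string from -sV, empty if not probed
    version: str


@dataclass
class Host:
    address: str
    hostname: str
    status: str
    ports: list = field(default_factory=list)
    os_guess: str = ""
    os_accuracy: int = 0


def parse_nmap_xml(xml_text):
    """Turn an nmap XML document into a list of Host records."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        addr = ""
        for a in h.findall("address"):          # skip MAC addresses, keep the IP
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
        hn = h.find("hostnames/hostname")
        host = Host(address=addr,
                    hostname=hn.get("name") if hn is not None else "",
                    status=status.get("state") if status is not None else "unknown")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            host.ports.append(Port(
                protocol=p.get("protocol"),
                number=int(p.get("portid")),
                state=p.find("state").get("state"),
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        om = h.find("os/osmatch")              # first (best) OS match only
        if om is not None:
            host.os_guess = om.get("name", "")
            host.os_accuracy = int(om.get("accuracy", "0"))
        hosts.append(host)
    return hosts


def open_ports(host):
    return [p for p in host.ports if p.state == "open"]


def summarize(hosts):
    """One line per live host: address, OS guess and the open port/service list."""
    lines = []
    for h in hosts:
        if h.status != "up":
            continue
        svcs = ", ".join(
            f"{p.number}/{p.protocol} {p.service} {p.product} {p.version}".strip()
            for p in open_ports(h))
        lines.append(f"{h.address} ({h.hostname or '-'}) "
                     f"os={h.os_guess or '?'}[{h.os_accuracy}%] open: {svcs}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```

The filtered/closed distinction survives parsing on purpose: a port that is "filtered" under a SYN scan is exactly the kind of firewall evidence the text says nmap reports, and it is worth keeping separate from a plain closed port when the results are handed to a vulnerability scanner.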
2. Nessus Vulnerability Scanner
Nessus is a fast and modular vulnerability scanner released by Renaud Deraison. The freeware
client/server tool audits a network remotely to enumerate and test the known vulnerabilities against
a database that is updated daily by the Internet security community in the form of plug-ins. Some
common plug-ins or security tests are for backdoors, denial of services, firewalls, Windows, etc.
The user can extend the test suite by using the Nessus Attack Scripting Language (NASL) to write
a new security test. Nessus is composed of a server component installed on a host where all the
tests are launched and client software deployed on another system to control the scan. The scan
outputs are in the form of complete exportable reports reflecting the detected vulnerabilities, the
risk level, and a remedy to the exploit.
“Nessus is a tool that has commercial counterparts still available for free use”
Nessus works by
o locating hosts starting with a target file
o port scanning the targets located
o probing for vulnerabilities in applications listening at open ports
Pros
o free vulnerability scanning
o check for effectiveness of patching
Cons
o some UI issues
o less open than it once was
o definitely appears hostile when used
Nessus Plug-ins
By default, Nessus can perform various security tests classified in the following plug-ins families:
Backdoors
CGI abuses
CISCO
Default Unix Accounts
Denial of Service
Finger abuses
Firewalls
FTP
Gain a shell remotely
Nessus Installation and Usage
The Nessus server component runs on POSIX systems, i.e. Solaris, FreeBSD, GNU/Linux and
others. The Nessus client software works with GTK, which is a set of Widgets used by many open-
sourced programs. There is also a client program, which is designed especially for the Windows
platform. The installation packages can be downloaded from the official Nessus web page,
http://www.nessus.org/download.html.
1. Download the script nessus-installer.sh and execute the sh nessus-installer.sh command to
install the standalone package.
9. Select the different plug-ins containing the security checks that will be used to scan a host.
Note: Nessus includes various Denial of Service tests that may crash a vulnerable target
system.
Figure: Nessus Setup Plugin Selection
10. Choose the target host or system and initiate the scan.
11. At the completion of the scan, a report reflects the open ports, detected services, security
impact and severity, and recommended solution. The report can be saved in various
formats, i.e. HTML, XML, others.
SUMMARY
Ensuring that company systems are secure and free of vulnerabilities is essential to a business's
continued development and growth. Arming IT professionals with the tools and the education to
identify and repair the system's vulnerabilities is the best method for securing against attacks.
Unfortunately, IT security is a dynamic process in an organizational environment and IT
professionals must be ever vigilant. Regular network- and host-based vulnerability assessments of
company systems are needed to ensure that these systems are continually free of known
vulnerabilities and that they are compliant with the business security policies. Therefore, my
vulnerability assessment strategy will empower companies to secure and maintain their systems
both efficiently and cost-effectively.
According to Christine Orshesky, there is an increasing need for corporations to protect themselves
from computer viruses and other things that bump around the on-line community. Denial of Service
attacks and widespread virus infections have raised the issue of 'due care'. No longer is it
reasonable to rely solely on the installation of antivirus products to protect the on-line environment.
A holistic approach that provides the corporation with an integrated and layered security posture is
necessary to achieve protection, including policy, procedures, awareness, and technology. There
are many tools available to the hacker to footprint your company's network. Use these tools to
find the weaknesses before they do. Then you can prepare an organized approach to your
layered security stance.
For the future, we should plan to implement more attack plug-ins. There is also certainly room for
improvement in the performance and throughput of the tool. We should also set up a web site from
which the proof-of-concept implementation of more vulnerability scanners can be downloaded.
Although we are aware that it can be used immediately for malicious purposes (just as other open
source security tools can), we believe that it can provide valuable help for web application
developers to audit the security of their applications.
Worldwide it is recognized that courseware piracy is a serious offence which not only affects the
creative potential of society but also causes economic losses to all those who have invested their
money in bringing out original materials in various forms for use by end-users. Always look
forward to Authentic Certificates and ATL holograms. If you find your course material to be
pirated, immediately contact us at: [email protected]
CASE STUDIES
Case study 1: Web Application Penetration Testing for a UK based Bank
Background
The Client is a UK based independent bank authorized and regulated by the Financial Services
Authority. Client had planned to offer its customers a reliable online payment and banking service.
To ensure the security of the online banking portal, it was imperative for the client to make sure
that the application was not easily susceptible to misuse and fraud, thus leading to loss of
reputation, loss of customer trust and financial loss. Client wanted an assurance that the web
application was secure, has appropriate security controls built in, before the roll out. Tech
Mahindra security consultants performed the web application penetration testing, to identify and
minimize the risk of a security breach.
ATL Software Security Group Solution
A certified team of security specialists was deployed to identify the application vulnerabilities that
could be exploited by an attacker. To arrive at the security posture, the security consultants adopted
the following approach:
ATL's penetration testing team arrived at the client's offices and was given network privileges
equivalent to those of a restricted-access employee. At first glance, the network seemed to be
properly secured. Processing and storage of all payment card data occurred in segregated "red
zones" consisting of hardened devices with well-secured access points, and all best practices and
regulations for data encryption and handling appeared to have been followed. Anyone looking only
at the payment card segment would likely be impressed by its security and issue it a clean bill of
health.
The team then set aside the payment card segment and began trawling the larger network
infrastructure for vulnerabilities. Eventually, this search turned up an old, forgotten server. Further
probing revealed that the server's administrator password was blank, a critical mistake. Through
this gap the team accessed the server's account list and cracked several account passwords. They
then found two other machines with the same accounts and exploited them in the same way. This
time, they discovered a single account that allowed access to a number of network machines,
including the "red zone" access devices and the payment card servers themselves. The penetration
testing team had not only cracked the client's "fully-secured" PCI environment, but broken it wide
open.
ATL’s Client: Network Penetration Test Case Study
This is a case study of an external network penetration test that ATL Security Group Pvt.Ltd.
performed for one of its client organisations. Some of the information has been changed or omitted
to maintain confidentiality.
Background
The client had most of their web servers at a single office and wished to understand their current
level of external risk. They commissioned ATL Group to carry out an external penetration test
and supplied ATL with the external IP address range to be tested.
ATL then proceeded with the four stages of the penetration test:
o Information gathering
o Scanning for external services
o Identifying vulnerabilities on external services and exploiting them
o Producing a detailed report of issues and recommendations
Information Gathering
ATL first verified that the IP address range supplied was assigned to the organisation by querying
the RIPE Whois Database. This also starts the information gathering process, as emails, telephone
numbers and addresses are available from RIPE. DNS servers were then queried for more
information such as registration details and mail servers.
Internet, forum and newsgroup searches on key individuals did not reveal much information that
would be useful in penetrating the network, for example any information about the technology that
the organisation has used, or the skills of individuals.
The services banners showed that the web and FTP services were all Microsoft IIS based, with a
mixture of IIS 4.0 (Windows NT) and IIS 5.0 (Windows 2000). Four of the service banners
disclosed internal computer names or private IP addresses.
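Banner checks like the one described above (product and version strings, internal computer names, private addresses) are easy to automate once the banners have been collected. The script below is an added example for this section; it is not part of the case study and not an ATL tool. The banners are constructed (the scanned hosts use the 192.0.2.0/24 documentation range and the banner text is invented), the list of "internal" domain suffixes and the version regexes are assumptions that a tester would tune to the environment, and the private-address test relies on Python's standard ipaddress module.

```python
"""Flag information disclosure in service banners: product/version strings,
private (RFC 1918 / special-use) addresses and internal host names.

Added example for this course section, not part of the original text or of
any ATL tool.  SAMPLE_BANNERS is constructed: the scanned hosts use the
192.0.2.0/24 documentation range and the banner text is invented.
"""
import ipaddress
import re

# Constructed sample: (scanned host, port) -> raw banner text as returned by
# the service after connecting (HTTP response header, FTP/SMTP greeting).
SAMPLE_BANNERS = {
    ("192.0.2.10", 80): (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        "Content-Location: http://192.168.10.15/default.htm\r\n"
    ),
    ("192.0.2.11", 21): "220 ftpsrv01.corp.local Microsoft FTP Service (Version 4.0).",
    ("192.0.2.12", 25): "220 mail.example.com ESMTP Sendmail 8.12.11; Tue, 4 May 2004",
    ("192.0.2.13", 80): "HTTP/1.1 200 OK\r\nServer: Apache\r\n",
}

# Patterns for (product, version) extraction.  Assumption: these cover the
# banner styles in the sample; extend the list for other daemons.
VERSION_PATTERNS = [
    re.compile(r"Server:\s*([A-Za-z-]+)(?:/([\d.]+))?"),
    re.compile(r"(Microsoft FTP Service) \(Version ([\d.]+)\)"),
    re.compile(r"\b(Sendmail|Postfix|Exim|ProFTPD|vsftpd|OpenSSH)[ _/]([\d.]+)"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumption: names under these suffixes should never be visible from the Internet.
INTERNAL_SUFFIXES = ("local", "internal", "lan", "corp", "intranet")
INTERNAL_NAME_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:" + "|".join(INTERNAL_SUFFIXES) + r")\b",
    re.IGNORECASE,
)


def product_version(banner):
    """Return (product, version) from the banner, or None if nothing matched.
    version is "" when the product is named but no version is given."""
    for pat in VERSION_PATTERNS:
        m = pat.search(banner)
        if m:
            return m.group(1), m.group(2) or ""
    return None


def private_addresses(banner):
    """Private / special-use IPv4 addresses mentioned anywhere in the banner."""
    found = []
    for cand in IPV4_RE.findall(banner):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:      # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if addr.is_private:
            found.append(cand)
    return found


def internal_hostnames(banner):
    """Host names ending in one of INTERNAL_SUFFIXES."""
    return INTERNAL_NAME_RE.findall(banner)


def audit(banners):
    """Return one finding dict per disclosure across all banners."""
    findings = []
    for (host, port), banner in banners.items():
        pv = product_version(banner)
        if pv and pv[1]:
            findings.append({"host": host, "port": port, "kind": "version",
                             "detail": f"{pv[0]} {pv[1]}"})
        for ip in private_addresses(banner):
            findings.append({"host": host, "port": port,
                             "kind": "private_ip", "detail": ip})
        for name in internal_hostnames(banner):
            findings.append({"host": host, "port": port,
                             "kind": "internal_name", "detail": name})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_BANNERS):
        print(f"{f['host']}:{f['port']}  {f['kind']:<14} {f['detail']}")
```

A version string on its own is only an informational finding; the private address and the internal name are the ones that matter in the report, because they give an external attacker a map of the network behind the firewall that the tester would otherwise have to guess at.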
Identifying and Exploiting Vulnerabilities
Open-relay tests (several relaying variants) were attempted against the mail servers with no success.
An attempt to download the Checkpoint firewall topology was unsuccessful; this could have revealed
internal network information. A DNS zone transfer from the DNS server was also unsuccessful;
this too could have revealed internal network information.
A commercial web server vulnerability scanning tool and an open source vulnerability scanning
tool were used to check for potential vulnerabilities on the relevant host services. These identified
that one of the FTP servers allowed anonymous access, and that some of the web servers had not
been locked down and had services that may be vulnerable to remote command execution.
The automated scans can reveal vulnerabilities, but a manual check usually reveals more
information. One host allowed remote command execution. ATL at this point informed the
organisation that they had a critically compromised host.
Credentials were then retrieved for administrator level users. The surrounding network was
enumerated, showing that the host was in a DMZ with access to other hosts.
ATL then looked at the web sites identified in the information gathering exercise, and also the
port scanning. Some of these were dynamic sites, with some using CGI applications with .exe
extensions, and others using ASP pages. Using open source scripts and tools, as well as in-house
developed tools and a manual process, the dynamic web sites were checked for web application
vulnerabilities. Common problems were discovered, the most serious of which was that some of
the pages on the web sites were vulnerable to SQL injection that allowed arbitrary SQL statements
to be executed and also commands on the server itself, giving full control of the server. The proxy
server identified in the port scan appeared to allow access to an intranet, although limited internal
information was available.
Reporting
The issues listed above and other issues not mentioned were compiled and put into the final report.
The report noted the dates the test was carried out on, and the IP address range. The issues were
graded into the following risk levels: critical, high, medium, low and informational.
The executive summary specified that the overall security represented critical risk, and highlighted
that although firewall configuration was well maintained, application and operating system security
allowed remote intruders to gain access and control to a number of servers. The number of issues
identified at each risk level (critical, high, medium, low and informational) was presented
graphically and key issues starting with the most critical were listed with recommendations given
for resolution of each.
There then followed the technical part of the report, which detailed:
o Information gathered: RIPE Whois information, DNS information and web site domain
names.
o Network scan results.
o Exploit tests carried out, such as mail relay and DNS zone transfer.
o Summary walkthroughs and locations of the exploited web server and web application
vulnerabilities.
o Technical, in depth list of issues discovered and recommendations on reducing the risk,
starting with the most critical.
Presentation
ATL then presented the report to the organization face to face, which ensured that the
organization got the most value out of the report and a good understanding of the issues. Following
this, the organization rebuilt the previously compromised web server, reviewed the web
applications, and then requested ATL to carry out a follow-up penetration test.
EXERCISE
Q 1. Is penetration testing used for helping or for damaging a system?
a) Damaging
b) Helping
c) I don't know
Answers: 1) b, 2) a, 3) c, 4) c, 5) c, 6) b, 7) a