VAPT

This document discusses vulnerability assessment and penetration testing. It provides an introduction to important technical terms, information gathering techniques like port scanning and fingerprinting. It covers vulnerability assessment methodology and tools. It also discusses penetration testing methodology, types of tests, how vulnerabilities are identified, and sample reporting. Penetration testing tools are also outlined. The overall goal is to learn about weaknesses in networks to improve security.

Uploaded by Eddie Peter

MODULE

VULNERABILITY ASSESSMENT AND PENETRATION TESTING

This material is copyrighted by ATL © Printed in 2016

0 | ©ATL Technology Tab
PROLOGUE
DESCRIPTION
Mozilla has got to be happy that their Firefox 3 web browser has received over 12 million downloads since Tuesday, but it took only five hours for the browser's first critical vulnerability to be discovered. Luckily, details about the vulnerability have not been made public, and Mozilla has said that there is no known exploit for the bug at this time. At this point very little is known about the vulnerability other than the fact that you would have to click on a link to trigger it.

RATIONALE
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Like most browser-based vulnerabilities we see these days, user interaction is required, such as clicking on a link in an email or visiting a malicious web page.

OBJECTIVES
The goal is to learn about weaknesses in the network so that they can be remedied. The main contribution of this book is to show how easy it is for attackers to automatically discover and exploit application-level vulnerabilities. Our security policies should include regular vulnerability testing. We hope to raise awareness and provide a tool that web site administrators and web developers can use to proactively audit the security of their applications.

TABLE OF CONTENTS

UNIT 1 ... 6
INTRODUCTION ... 6
1.1 IMPORTANT TECHNICAL TERMS ... 6
1.2 INFORMATION GATHERING ... 7
1.3 SCANNING AND FINGERPRINTING ... 9
1.3.1 DAEMON-BANNER GRABBING ... 9
1.3.2 PORT SCANNING ... 11
1.3.3 ICMP SCANNING ... 14
1.3.4 FINGERPRINTING ... 18
SUMMARY ... 24
UNIT 2 ... 28
VULNERABILITY ASSESSMENT ... 28
2.1 VULNERABILITIES ... 28
2.2 VULNERABILITY ASSESSMENT ... 29
2.3 PROTECTIVE MEASURES ... 31
2.4 VULNERABILITY ASSESSMENT: THE RIGHT TOOLS TO PROTECT YOUR CRITICAL DATA ... 32
2.5 TYPES OF VULNERABILITY ASSESSMENT ... 33
2.6 THE CHALLENGES OF VULNERABILITY ASSESSMENTS ... 34
2.7 TOOLS FOR VA ... 36
2.8 RISK ASSESSMENT ... 39
2.8.1 CONTROLS ... 41
2.8.2 ADMINISTRATIVE ... 41
2.8.3 LOGICAL ... 41
2.8.4 PHYSICAL ... 41
2.9 NETWORK SECURITY AUDIT CASE STUDY ... 42
SUMMARY ... 43
UNIT 3 ... 47
PENETRATION TESTING ... 47
3.1 INTRODUCTION AND METHODOLOGY ... 47
3.1.1 PENETRATION TEST ... 47
3.1.2 WHY CONDUCT A PENETRATION TEST? ... 48
3.1.3 EXTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENT ... 48
3.1.4 INTERNAL PENETRATION TESTING ... 49
3.1.5 BENEFITS OF PENETRATION TESTING ... 49
3.2 TYPES OF PENETRATION TESTS ... 50
3.3 METHODOLOGY ... 51
3.4 PENETRATION TESTING APPROACH ... 54
3.5 PENETRATION TESTING VS VULNERABILITY ASSESSMENT ... 56
3.6 HOW VULNERABILITIES ARE IDENTIFIED ... 56
3.7 A SAMPLE PENETRATION TESTING REPORT ... 57
3.8 SECURITY SERVICES ... 64
3.9 SECURITY SERVICES MANAGEMENT TOOLS ... 65
3.10 FIREWALL ... 67
3.10.1 INTRODUCTION ... 67
3.10.2 RULES ... 67
3.10.3 ROLE OF UTM ... 70
3.10.4 KEY ADVANTAGES ... 70
3.11 AUTOMATED VULNERABILITY SCANNING ... 70
3.12 AN APPROACH TO VULNERABILITY SCANNING ... 73
3.12.1 AUTOMATED VULNERABILITY ... 73
3.12.2 PROTECTION FROM WEB SERVER ATTACKS ... 74
3.12.3 AUTOMATED VULNERABILITY DETECTION ... 79
3.13 PASSWORD CRACKING AND BRUTE FORCING ... 80
3.14 DENIAL OF SERVICE (DOS) TESTING ... 83
3.15 PENETRATION TESTING TOOLS ... 89
3.15.1 PORT SCANNERS ... 89
3.15.2 VULNERABILITY SCANNERS ... 89
3.15.3 WEB APPLICATION ASSESSMENT PROXY ... 92
3.15.4 SECURITY TESTING TOOLS ... 92
3.16 WIRELESS PENETRATION TESTING ... 93
3.16.1 EAVESDROPPING ... 94
3.16.2 DISTRIBUTIVE ATTACKS ... 94
3.16.3 UNAUTHORIZED NETWORK ACCESS ... 94
3.17 ESCALATION OF PRIVILEGES ... 95
3.17.1 LEAST PRIVILEGE ... 95
3.17.2 PRIVILEGE SEPARATION ... 95
3.17.3 COMMON TESTING TOOLS ... 96
SUMMARY ... 104
CASE STUDIES ... 105
EXERCISE ... 110

UNIT 1
INTRODUCTION

Vulnerability Detection and Penetration Testing is the most comprehensive service for auditing, pen testing, reporting and patching for your company's web based applications. Think of a vulnerability assessment as the first step to a penetration test. The information gleaned from the assessment will be used in the testing. Whereas the assessment checks for holes and potential vulnerabilities, the penetration test actually attempts to exploit the findings. Assessing network infrastructure is a dynamic process. Security, both information and physical, is dynamic. Performing an assessment gives an overview, which can turn up false positives and false negatives. A Vulnerability Scan provides on-demand network discovery and vulnerability assessment reporting, remediation tracking, and enforcement of security policies. It is an efficient way to assess business risk and improve your security posture. Potential vulnerabilities are identified in your system or network, and fixes are recommended. This includes fixed and wireless networks.
Penetration testing exploits the vulnerabilities found to gain access to the system. This approach gives an in-depth report with increased assurance of the validity of the vulnerabilities found.

Benefits of VA and PT

- Identifies vulnerabilities and risks in your networking infrastructure
- Validates the effectiveness of current security safeguards
- Quantifies the risk to internal systems and confidential information
- Raises executive awareness of corporate liability
- Provides detailed remediation steps to prevent network compromise
- Validates the security of system upgrades
- Protects the integrity of online assets
- Helps to achieve and maintain compliance with federal and state regulations

1.1 IMPORTANT TECHNICAL TERMS

System – A system is any of the following:
- Computer system (e.g., mainframe, minicomputer)
- Network system (e.g., local area network [LAN])
- Network domain
- Host (e.g., a computer system)
- Network nodes, routers, switches and firewalls
- Network and/or computer application on each computer system.

Network Security Testing – Activities that provide information about the integrity of an organization's networks and associated systems through testing and verification of network-related security controls on a regular basis. "Security Testing" or "Testing" is used throughout this document to refer to Network Security Testing. The testing activities can include any of the types of tests, including network mapping, vulnerability scanning, password cracking, penetration testing, war dialing, war driving, file integrity checking, and virus scanning.

Operational Security Testing – Network security testing conducted during the operational stage of a system's life, that is, while the system is operating in its operational environment.

Vulnerability – A bug, misconfiguration or special set of circumstances that could result in its exploitation. For the purposes of this document, a vulnerability could be exploited directly by an attacker, or indirectly through automated attacks such as Distributed Denial of Service (DDoS) attacks or by computer viruses.

1.2 INFORMATION GATHERING

"Information Gathering is focused on collecting as much information as possible about a target application."
Generally the first step of a pen test is information gathering, which is very important for profiling a company: leveraging public resources to find private information.
- Fully utilized by 'blackhat' hackers
- By linking information from different sources a complete picture can be built.
Information gathering is important and is being used:
- There is no way to know people are doing this
- Be aware of what you have available on the web
- Learn and understand the discussed techniques and tools
This task can be carried out in many different ways. By using public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used.

[Figure: Vulnerable Browser]

The main thing to note here is STEALTH
- These activities are passive and nonintrusive
- Utilizing the memory of the net:
  - Google Cache
  - archive.org
  - Newsgroups (used to be Dejanews)

Such information gathering is now even easier with tools such as
- dnsreports.com
- whois.sc
- nqt.php
- network-tools.com
- netcraft.com
- ip-plus.net/tools/dns_check_set.en.html
Like any kind of hacking, passive information gathering is about thinking outside the box
- Utilizing the many links between information sources is key
- Picking out useful info is the skill; this activity is akin to modern-age dumpster diving
Think outside the lines:
- Check job databases for vacancies
  - Discloses types of technology used
- Trawl newsgroups for technical postings
  - Sometimes can reveal the whole topology
- Locate company registration details
  - Can give away physical locations
- Find out personal details about employees
  - May be used in social engineering attacks
The Power of Search Engines
Search engines have evolved hugely since the beginning
- They now have MEMORY
  - Google cache
- Advanced search operators now exist
  - filetype:
  - inurl:
  - intitle:
Only 3% of people use the advanced features of Google.
- People tend to get locked in to one search engine when there are so many
- Each engine has different strengths; learn to utilize them all
- searchlore.org is a great place to learn about the different engines
Recommendations

- Disable directory browsing
- Do not put sensitive information in web-browsable directories
- Don't rely on security through obscurity
- Conduct these tests on your own domains and fix any rogue findings

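The last recommendation above (test your own domains and fix what you find) can be automated for the first one (directory browsing). The script below is an added example written for this edit, not code from the ATL module: it fetches a list of paths under a base URL and reports which ones return an auto-generated directory index. The listing markers are the ones produced by common web servers; the local document root, the sample paths and the test server it spins up are constructed for the demonstration.

```python
"""Directory-browsing audit for your own web paths (added example, not from the module)."""
import functools
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request

# Title/heading patterns that Apache (mod_autoindex), Python's http.server,
# nginx (autoindex) and IIS (directory browsing) put into their auto-indexes.
LISTING_MARKERS = re.compile(
    r"<title>\s*(Index of|Directory listing for)\s|"   # Apache, Python http.server
    r"<h1>\s*Index of\s|"                               # nginx autoindex
    r"<pre>\s*\[To Parent Directory\]",                  # IIS directory browsing
    re.IGNORECASE,
)


def looks_like_directory_listing(html: str) -> bool:
    """True when the response body is an auto-generated folder index."""
    return LISTING_MARKERS.search(html) is not None


def check_paths(base_url: str, paths) -> dict:
    """Fetch each path under base_url; map path -> True if a listing is exposed.

    A 403/404 answer means nothing is listed, so it is reported as False.
    Connection failures are reported as None so they are not mistaken for 'safe'.
    """
    report = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
                report[path] = resp.status == 200 and looks_like_directory_listing(body)
        except urllib.error.HTTPError:
            report[path] = False
        except urllib.error.URLError:
            report[path] = None
    return report


def demo() -> dict:
    """Serve a constructed document root on loopback and audit three paths.

    /uploads/ has no index file, so the server lists it (the finding);
    /docs/ has an index.html, so no listing is produced; /missing/ is a 404.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    open(os.path.join(root, "uploads", "backup.sql"), "w").close()   # constructed file
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "index.html"), "w") as fh:
        fh.write("<html><body>Docs</body></html>")

    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return check_paths(base, ["/uploads/", "/docs/", "/missing/"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, exposed in demo().items():
        print("%-12s %s" % (path, {True: "LISTING EXPOSED", False: "ok", None: "unreachable"}[exposed]))
```

Run `check_paths` against your own hosts with the paths you actually publish (upload folders, backup and include directories are the usual offenders); a True entry is a finding to fix by turning directory indexing off on the server, not by hiding the folder name.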
1.3 SCANNING AND FINGERPRINTING
1.3.1 DAEMON-BANNER GRABBING
"It is the process of getting useful bits of information about the target system by recording the welcome banners of the daemons running on its various ports."
Daemon banner grabbing can be used to get the following information about the target system:
- Daemon name and version number.
- Operating system.
- Security measures used.
- Possible points of entry.
- It can easily be executed manually using 'Telnet' or by using port scanners.
Daemon Banner Grabbing: Possible Countermeasures
- Edit the default welcome message and ensure important information is not given out.
- Misguide the attacker by displaying false daemon banners.
- Use a long false daemon banner and, in the background, record information on the client and try to trace him.

[Figure: Telnet]

Banner grabbing is considered a very important part of penetration tests because it gives us information about the daemon that is running and accepting our connection and whether it is patched or not.
Sometimes it also gives off information such as the time it was compiled, or whether it is a beta version. With that information, you can move ahead and try to exploit the daemon. Of course, this information can be changed to something it is not! But the fact remains that most system administrators are only interested in the daemon working well and are least concerned with the version information. All they want is 100% system uptime. So most of them do not change it and leave it at the system default.
The question now remains how you grab a banner. Simple! Telnet to the port and see the output. We have included a small list of well-known ports below port number 1024 that you can use to grab a banner.
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Simple Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Configuration Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Simple File Transfer Protocol)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
666 Doom
993 SIMAP (Secure Internet Message Access Protocol)
995 SPOP (Secure Post Office Protocol)

[Figure: Banner Garbage]

For example, you want to grab a banner for an SMTP service (port 25). All you do is telnet to the mail server on port 25.

[Figure: SMTP banner grab]

So, you can clearly see that it is an ESMTP server. After further prodding, you can find that it is an EXIM server. You can move ahead now and focus only on EXIM ESMTP server based exploits, etc.
When an open port is known, we can try to connect to the port. Then we may get some banner
which will reveal much information regarding the server or the target. This process is called banner
grabbing. Many e-mail, FTP, and web servers will respond to a telnet connection with the name
and version of the software. They aid a hacker in fingerprinting the OS and application software.
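The telnet-style banner grab described above, together with the first countermeasure (make sure the greeting does not give important information away), as an added Python example written for this edit rather than code from the ATL module. `grab_banner` does what `telnet host port` shows interactively: it connects and records whatever the daemon volunteers; `assess_banner` is the defender's side, flagging a product name followed by a version number. The Exim-style sample banner, the version regex and the one-shot loopback server used to exercise it are constructed for the demonstration.

```python
"""Banner grab and version-disclosure check (added example, not from the module)."""
import re
import socket
import threading

# Constructed greeting in the style of the ESMTP/Exim banner the text describes.
SAMPLE_BANNER = b"220 mail.example.test ESMTP Exim 4.92 Tue, 12 Mar 2019 10:00:00 +0000\r\n"

# A word followed by a dotted number, e.g. "Exim 4.92", "OpenSSH/7.4" or "vsFTPd 3.0.3".
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[ /](\d+(?:\.\d+)+)")


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect over TCP and return the daemon's greeting (empty if it stays silent).

    Mail, FTP and SSH daemons speak first, so nothing needs to be sent; a
    daemon that waits for the client (HTTP, for example) simply times out.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1").strip()


def assess_banner(banner: str) -> dict:
    """Report whether the greeting discloses a product name and version."""
    match = VERSION_RE.search(banner)
    return {
        "banner": banner,
        "discloses_version": match is not None,
        "product": match.group(1) if match else None,
        "version": match.group(2) if match else None,
    }


def _serve_once(srv: socket.socket, banner: bytes) -> None:
    """Accept one client, send the banner, close (test helper only)."""
    with srv:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)


def start_test_server(banner: bytes) -> int:
    """Start a one-shot loopback daemon that greets with `banner`; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def audit_local(banner: bytes = SAMPLE_BANNER) -> dict:
    """Grab the banner from the constructed local daemon and assess it."""
    port = start_test_server(banner)
    return assess_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(audit_local())                                   # leaks "Exim 4.92"
    print(audit_local(b"220 mail.example.test ESMTP ready\r\n"))   # hardened greeting
```

Running `assess_banner` over the greetings of your own hosts turns the countermeasure into a checkable policy: a banner that names the product and version is a finding, one that only says the service is ready is not. The regex is deliberately loose, so treat a hit as something to look at rather than proof of a specific version.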

1.3.2 PORT SCANNING

"The act of systematically scanning a computer's ports."
Port scanning means scanning the target system to get a list of open ports (i.e. ports listening for connections) and the services running on those open ports. Since a port is a place where information goes into and out of a computer, port scanning identifies the open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weakened access point to break into your computer. It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.
Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

- Port scanning is normally the first step that an attacker undertakes.
- It is used to get a list of open ports, services and the operating system running on the target system.
- It can be performed easily using different methods.
- Manual port scanning can be performed using the famous 'Telnet' program.
- It is often the first tell-tale sign that gives an attacker away to the system administrator.

One of the primary stages in penetrating/auditing a remote host is to first compose a list of open ports, using one or more of the techniques described below. Once this has been established, the results help identify the services running on those ports using an RFC-compliant port list (/etc/services on UNIX; the getservbyport() function obtains this automatically), allowing further compromise of the remote host after this initial discovery.
Port scanning techniques take three specific and differentiated forms:
- open scanning
- half-open scanning
- stealth scanning
Detection and countermeasures for port scanning:
- Initialization and termination of connections on multiple ports from the same remote IP address.
- Only monitoring can be done. No effective countermeasure is available without compromising the services offered by the system.
Each of these techniques allows an attacker to locate open/closed ports on a server, but knowing which scan to use in a given environment depends completely on the network topology, IDS and logging features the remote host has in place. Although open scans log heavily and are easily detectable, they produce fairly reliable results on open/closed ports. Alternatively, a stealth scan may avoid certain IDS and bypass firewall rule sets, but the scanning mechanism used to identify open/closed ports, such as packet flags, may be offset by packets dropped over the network, leading to false positives. Further discussion of this concept takes place in the FIN scan section of this document.
Port scanning is a method for detecting open or listening ports on a system. These ports are susceptible to being exploited by hackers, and thus port scanners are tools that provide the network administrator with information about these exposures. This section compares the various TCP/UDP port scanning techniques being used today, based on their stealth capabilities, reliability and speed. Related scanning techniques such as OS fingerprinting are also detailed.
PORT SCANNING TECHNIQUES:

A. TCP connect() / Full Open / Vanilla Scan

A simple connect() [1] call is issued to each port one wants to scan and a three-way handshake begins. If the port is open the connect() call succeeds; otherwise it returns an error.
Open port:
client -> SYN
server -> SYN|ACK
client -> ACK
Closed port:
client -> SYN
server -> RST|ACK
client -> RST

[Figure: Port scanning technique]

B. TCP SYN / Half Open Scan
Instead of the three-way connection that occurs in the connect() call, in this scan customized TCP packets with the SYN flag set are sent to the desired port [9]. If the port is open a SYN+ACK is returned, after which the connection is immediately closed by sending a RST. A closed port returns RST+ACK.
Open port:
client -> SYN
server -> SYN|ACK
client -> RST
Closed port:
client -> SYN
server -> RST|ACK

C. TCP Stealth Scans
These scans involve sending TCP packets with stealth flags [9] (FIN, NULL [8], XMAS [8], PURG [5]) set to the target host. Open ports do not respond to such messages, whereas closed ports send a RST+ACK reply.
Open port:
client -> stealth flags set
server -> (no response)
Closed port:
client -> stealth flags set
server -> RST|ACK

D. UDP recvfrom() / Deaf UDP Scan
A UDP socket is opened to the desired port and an empty message is sent. If the port replies with some data, it is open. If the port is closed, an ICMP port unreachable error [1] is generated, which is identified and propagated by the OS to the scanner. Ports that return no data and generate no ICMP error may be assumed to be open.
Open port:
client -> UDP packet
server -> -
Closed port:
client -> UDP packet
server -> ICMP PORT UNREACHABLE
In another version of this scan (UDP ICMP Port Scanning) customized UDP packets are sent and
ICMP error packets are captured. The exchange of packets is same as above.
E. Dumb Scan
Three hosts are involved in this scan:
* A - attacker's host
* I - inactive host
* T - target host
Host A sends a spoofed TCP packet (SYN, with the IP address of I as the source) to a target port on host T [2]. Host T will reply to I. The reply may be a packet with the RST or SYN+ACK flags set, depending on whether the port is closed or open. I will then send a RST on receiving SYN+ACK, or do nothing on receiving RST. All this while, host A continuously sends ICMP request packets to I and analyzes the ID fields of the IP headers of the replies. If the IDs are in serial order it signifies that I is not sending packets to any other system, i.e. it had received a RST from T, or that the port was not open. If there is a discontinuity in the IDs then it is clear that I has sent a RST to T, i.e. T earlier sent a SYN+ACK to I, or the target port was open.
F. Decoy and Fragmentation
When generating customized TCP/UDP packets (e.g. on raw sockets), one can spoof or change the source address of the IP packets. Such packets, when sent along with the real query packets, decrease the chance of the real attacker being identified through logging. This is the concept of employing decoy packets to divert attention. IP packets undergo fragmentation and reassembly to cope with the different data-link layers they pass through. TCP packets of size less than the MTU allowed by the data-link layer can be fragmented by force and sent using more than a single IP packet. Such fragmented IP packets escape detection by Intrusion Detection Systems and also
tunnel through Firewall.
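The detection side of the techniques above, as an added Python example written for this edit (not code from the ATL module): it decodes the flag byte of TCP headers to name the probe type a segment is consistent with (SYN for half-open or connect(), and the FIN, NULL and XMAS stealth combinations), then applies the countermeasure the text gives for port scanning, i.e. monitoring for one remote address opening connections to many ports on the same host in a short time. The header builder, the sample traffic (one SYN sweep, one NULL scan and one ordinary client, using documentation address ranges) and the window and port thresholds are constructed for the demonstration; a real sensor would feed it headers from a capture.

```python
"""TCP probe classification and port-scan alerting (added example, not from the module)."""
import struct
from collections import defaultdict

# TCP flag bits in the 13th header byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (seq/ack/checksum zeroed) for the constructed traffic."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_tcp_header(header: bytes) -> dict:
    """Extract ports, data offset and the flag byte from a raw TCP header."""
    src, dst, _seq, _ack, offset_byte, flags = struct.unpack("!HHIIBB", header[:14])
    return {"src_port": src, "dst_port": dst, "flags": flags, "data_offset": offset_byte >> 4}


def classify_probe(flags: int) -> str:
    """Name the scan type an unsolicited segment with these flags matches."""
    f = flags & 0x3F
    if f == 0:
        return "NULL"              # no flags at all
    if f == FIN:
        return "FIN"
    if f == FIN | PSH | URG:
        return "XMAS"
    if f == SYN:
        return "SYN"               # half-open scan, or first step of connect()
    return "other"                 # ACK/RST/data: mid-connection, not a probe


def detect_scans(records, window: float = 10.0, port_threshold: int = 15) -> list:
    """records: iterable of (timestamp, src_ip, dst_ip, tcp_header_bytes).

    Returns one alert per (src, dst) pair where the source probed at least
    `port_threshold` distinct destination ports within `window` seconds.
    """
    seen = defaultdict(list)       # (src, dst) -> [(ts, dst_port, probe_type)]
    for ts, src, dst, hdr in records:
        tcp = parse_tcp_header(hdr)
        probe = classify_probe(tcp["flags"])
        if probe == "other":
            continue
        seen[(src, dst)].append((ts, tcp["dst_port"], probe))

    alerts = []
    for (src, dst), events in seen.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):   # slide a window over the probes
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in in_window}
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "types": sorted({k for _, _, k in in_window}), "start": t0})
                break
    return alerts


def sample_traffic() -> list:
    """Constructed sensor records: a SYN sweep, a NULL scan and a normal client."""
    recs = []
    for i in range(40):            # SYN sweep of ports 1-40 over four seconds
        recs.append((100.0 + i * 0.1, "198.51.100.7", "192.0.2.10",
                     build_tcp_header(40000 + i, 1 + i, SYN)))
    for i in range(20):            # NULL scan of ports 20-39
        recs.append((200.0 + i * 0.2, "198.51.100.9", "192.0.2.10",
                     build_tcp_header(50000, 20 + i, 0)))
    for port in (22, 80, 443):     # ordinary client: three connections plus data
        recs.append((300.0, "203.0.113.5", "192.0.2.10", build_tcp_header(51000, port, SYN)))
        recs.append((300.1, "203.0.113.5", "192.0.2.10", build_tcp_header(51000, port, ACK | PSH)))
    return recs


if __name__ == "__main__":
    for alert in detect_scans(sample_traffic()):
        print("scan from %(src)s -> %(dst)s: %(ports)d ports, types %(types)s" % alert)
```

The threshold and window are the knobs the text warns about: set them low and a client that legitimately opens a handful of connections looks like a scanner; set them high and a slow or fragmented scan hides under the window. Flag classification is only as reliable as the segments you see, which is the same point the text makes about dropped packets and stealth scans producing false results.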
Port Scanning Tools:

- Tenable Nessus
- Zenmap
- Angry IP Scanner
- SuperScan etc.

Port scanning is commonly used by computer attackers to get the following information about the target system:

- List of open ports
- Services running
- Exact names and versions of all the services or daemons.

Web Vulnerability Scanners:
A port scanner is a software application designed to probe a network host for open ports. It is often used by administrators to verify the security policies of their networks and by attackers to identify running services on a host with a view to compromising it. To port scan a host is to scan for listening ports on a single target host. To port sweep is to scan multiple hosts for a specific listening port.
Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

1.3.3 ICMP SCANNING

The Internet Control Message Protocol (ICMP) is the protocol used for reporting errors that might
have occurred while transferring data packets over networks. It was originally designed for network
diagnosis, to find out what went wrong in the data communication. It is extremely useful in
Information Gathering and can be used to find out the following:
 Host Detection
 Operating System Information
 Network Topography Information
 Firewall Detection
ICMP Scanning: An Introduction (Continued)
Each ICMP message has a 'type' value and a 'code' value, the unique combination of which
corresponds to the specific error message that it is carrying. For example, an ICMP message with a
'type' value of 3 and a 'code' value of 3 represents the "Port Unreachable" error message, while an
ICMP message with a 'type' value of 3 and a 'code' value of 2 represents the "Protocol Unreachable"
error message.
ICMP Scanning: Host Detection Techniques
This technique reveals to the attacker whether or not a particular host is connected to the Internet
(i.e. alive or not). It makes use of the 'Echo Request' and 'Echo Reply' ICMP messages.
Working: Client -----------ICMP Echo Request-----------> Host
Case 1 (Alive): Host -----------ICMP Echo Reply-----------> Client
Case 2 (Not Alive): There is NO response from the host.

ICMP Scanning: Host Detection Techniques (Continued)
Does this ICMP Host Detection technique ring a bell? Yes, it is indeed popularly known as the 'ping'
command or utility. The 'ping' utility can be used to determine whether the remote host is alive or
not. Ping's working is similar to that of a real life sonar system. See the example below.
The ping command can be used by the attacker for the following purposes:
 Host Detection purposes
 Firewall detection
 To clog up valuable network resources by sending infinite 'Echo Request' ICMP messages
ICMP Scanning: Host Detection - Ping Example
Below is sample output of a PING command executed on a Windows machine:
C:\WINDOWS>ping mail2.bol.net.in
Pinging mail2.bol.net.in [203.94.243.71] with 32 bytes of data:
Reply from 203.94.243.71: bytes=32 time=163ms TTL=61
Reply from 203.94.243.71: bytes=32 time=185ms TTL=61
Reply from 203.94.243.71: bytes=32 time=153ms TTL=61
Reply from 203.94.243.71: bytes=32 time=129ms TTL=61
……………
ICMP Scanning: Host Detection Countermeasures
Echo Requests or PING messages can easily be filtered at the router level by using the below Access
Control List (ACL). To filter out all Echo Requests or PING messages:
access-list 101 deny icmp any any 8
To accept those coming from, say, your ISP, we can use the following (the permit entry must be
listed before the deny entry, because an ACL is evaluated top-down and the first matching entry
wins):
access-list 101 permit icmp xx.xx.xx.xx 0.0.0.255 any 8
access-list 101 deny icmp any any 8

ICMP Scanning: Time Stamping (OS Detection Techniques)
This technique helps one system to query another system for the current time in the latter system.
It can also be used for Operating System Detection. It makes use of the 'Timestamp Request' and
'Timestamp Reply' ICMP messages.
Working: Client -----------ICMP Timestamp Request-----------> Host
Host -----------ICMP Timestamp Reply-----------> Client
Depending upon the response, sometimes the Operating System running on the host can be deduced.
ICMP Scanning: Time Stamping Countermeasures
Timestamp Requests can easily be filtered at the router level by using the below Access Control
List (ACL). To filter out all Timestamp Requests:
access-list 101 deny icmp any any 13
To accept those coming from, say, your ISP, you can use the following (again, the permit entry
must precede the deny entry so that it is matched first):
access-list 101 permit icmp xxx.xxx.xxx.xxx 0.0.0.255 any 13
access-list 101 deny icmp any any 13

ICMP Scanning: Address Mask Messages Technique
This technique can be used to find out the address mask of the target system. It makes use of the
'Address Mask Request' and 'Address Mask Reply' ICMP messages.
Working: Client -----------ICMP Address Mask Request-----------> Host
Host -----------ICMP Address Mask Reply-----------> Client
Such a technique can easily be filtered at the router level by using an ACL similar to what we
earlier discussed.

There isICMP Scanning:


OS Detection Techniques numerous possible ICMP query messages that one can generate and send
When a host receives a particular type of ICMP-across a network. Query message, then according
to its operating system, the host will this response varies from OS to OS andgenerate a predefined
respond. The contents of the response generated due to the ICMP messages vary in otherfrom
one OS to another and is same for one type of OS. Words, the response of a host due to a
particular type of ICMP message the same ICMP messageis hugely dependent on the OS running
on it. Sent to a UNIX system and a Windows system will generate two different responses. This
difference in responses exists due to different ByOperating Systems.

ICMP Scanning: OS Detection Techniques Contd. Sending ICMP messages to a host and
comparing the responses invoked against the known responses, one can deduce the OS running on
the host. Working: 1. Send particular ICMP messages to the remote host. 1. Record the response
that you get from the remote system, when you perform Step 1. 1. Compare this response received,
to the already known responses shown by the various Operating Systems so that you can deduce
the exact OS name and version running on the remote host.
Active & Passive Fingerprinting of Microsoft based Operating Systems using the ICMP Protocol

The ICMP Protocol may seem harmless at first glance. Its goals and features were outlined in RFC
792 (and then later clarified in RFCs 1122, 1256, 1349, 1812).
The ICMP protocol is being used:
 When a router or a destination host needs to inform the source host about errors in a
datagram processing, and
 For probing the network with request & reply messages in order to determine general
characteristics about the network.
In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite.
The risks involved in implementing the ICMP protocol in a network, regarding scanning, are the
subject of this presentation. We will especially focus on Active and Passive Fingerprinting of
Microsoft Based Operating Systems.
The ICMP Protocol Specifications
ICMP messages are sent in IP datagrams. Although ICMP uses IP as if it were a higher-level
protocol, ICMP is an internal part of IP and must be implemented in every IP module. It is
important to note that the ICMP protocol is used to provide feedback about some errors (non-
transient) in a datagram processing, not to make IP reliable. Datagrams may still be undelivered
without any report of their loss. If a higher level protocol that uses IP needs reliability, it must
implement it.
RFC 792 defines the IP protocol ID for ICMP to be 1. It also states that the IP Type-of-Service
field value and the Precedence Bits value should be equal to zero. According to RFC 1812, Routers
will use the value of 6 or 7 as their IP Precedence bits value with ICMP Error messages.
Special Conditions with ICMP
For transient error messages no ICMP error message should be sent. For the following conditions
the ICMP protocol has strict rules of inner working which are defined in RFC 792:
1 No ICMP Error messages are sent in response to ICMP Error messages to avoid infinite repetition.

Figure: The ICMP Protocol (a 20-byte IP header with 4-bit version, 4-bit header length, 8-bit type
of service = 0, 16-bit total length, 16-bit identification, 3-bit flags, 13-bit fragment offset,
8-bit TTL, 8-bit protocol = 1 (ICMP), 16-bit header checksum, 32-bit source and destination IP
addresses and options; the IP data carries the 4-byte ICMP Type, Code and Checksum fields followed
by ICMP data depending on the type of message)


2 For fragmented IP datagram ICMP messages are only sent for errors on fragment zero (the first
fragment).
3 ICMP Error messages are never sent in response to a datagram that is destined to a broadcast or
a multicast address.
4 ICMP Error messages are never sent in response to a datagram sent as a link layer broadcast.

5 ICMP Error messages are never sent in response to a datagram whose source address does not
represent a unique host – the source IP address cannot be zero, a loopback address, a
broadcast address or a multicast address.
6 ICMP Error messages are never sent in response to an IGMP message of any kind.
7 When an ICMP message of unknown type is received, it must be silently discarded.
8 Routers will almost always generate ICMP messages but when it comes to a destination
host(s), the number of ICMP messages generated is implementation dependent.

ICMP Messages

A number code, also known as the "message type", is assigned to each ICMP message; it specifies
the type of the message. Another number code represents a "code" for the specified ICMP type. It
acts as a sub-type, and its interpretation is dependent upon the message type.
The ICMP protocol has two types of operations; therefore its messages are also divided into two:
 ICMP Error Messages
 ICMP Query Messages

The Internet Assigned Numbers Authority (IANA) has a list defining the ICMP message types that
are currently registered. It also lists the RFC that defines the ICMP message. The list is available
at: http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
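As an added example (not code from the module), the following Python decodes raw ICMP headers, verifies the RFC 1071 checksum and names the type/code pairs discussed above, flagging the Timestamp, Information and Address Mask requests that a network monitor would treat as OS-detection probes. The sample packets are constructed inline with the included build_icmp helper.

```python
import struct

# ICMP query types named in the text (RFC 792), and the two Destination
# Unreachable (type 3) codes used as examples in the ICMP scanning section.
QUERY_TYPES = {
    8: "Echo Request", 0: "Echo Reply",
    13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
UNREACHABLE_CODES = {2: "Protocol Unreachable", 3: "Port Unreachable"}

# Requests other than Echo are rare in ordinary traffic; a host receiving them
# is most likely being probed with the timestamp / address mask techniques.
SCAN_INDICATORS = {13, 15, 17}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message with a correct checksum (used here only to
    construct sample packets for the parser)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 4-byte ICMP header and describe the message.

    Returns the raw type/code, whether the checksum verified, a readable name
    and a 'suspicious' flag for scan-style queries. Unknown types are reported
    as such: RFC 792 says a receiver must silently discard them, so a monitor
    should log them rather than act on them.
    """
    if len(packet) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # Summing the whole message, checksum field included, gives 0 when valid.
    valid = icmp_checksum(packet) == 0
    if icmp_type == 3:
        name = "Destination Unreachable: " + UNREACHABLE_CODES.get(code, "code %d" % code)
        kind = "error"
    elif icmp_type in QUERY_TYPES:
        name = QUERY_TYPES[icmp_type]
        kind = "query"
    else:
        name = "unknown type %d" % icmp_type
        kind = "unknown"
    return {
        "type": icmp_type, "code": code, "kind": kind, "name": name,
        "checksum_ok": valid,
        "suspicious": icmp_type in SCAN_INDICATORS,
    }


def classify_capture(packets) -> list:
    """Describe every ICMP message in a (constructed) capture."""
    return [parse_icmp(p) for p in packets]


# Constructed sample capture: an echo request, a timestamp request (probe),
# an address-mask request (probe) and a port-unreachable error message.
SAMPLE_CAPTURE = [
    build_icmp(8, 0, b"\x00\x01\x00\x01abcd"),
    build_icmp(13, 0, b"\x00\x01\x00\x01" + b"\x00" * 12),
    build_icmp(17, 0, b"\x00\x01\x00\x01\x00\x00\x00\x00"),
    build_icmp(3, 3, b"\x00" * 4 + b"\x45\x00" + b"\x00" * 26),
]

if __name__ == "__main__":
    for entry in classify_capture(SAMPLE_CAPTURE):
        flag = " <-- possible OS-detection probe" if entry["suspicious"] else ""
        print("type=%(type)d code=%(code)d %(name)s checksum_ok=%(checksum_ok)s" % entry + flag)
```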

1.3.4 FINGERPRINTING
“Finger Printing is the art of Operating System Detection.”
A malicious computer attacker needs a few pieces of information before launching an attack. First,
a target, a host detected using a host detection method. The next piece of information would be the
services that are running on that host. This would be done with one of the Port Scanning methods.
The last piece of information would be the operating system used by the host. The information
would allow the malicious computer attacker to identify if the targeted host is vulnerable to a
certain exploit aimed at a certain service version running on a certain operating system.
What makes the Active Fingerprinting methods that use the ICMP protocol unique, compared
to other Active Fingerprinting methods? As we will learn, using Active Fingerprinting with ICMP
requires less traffic initiation from the prober to a target host. With some methods only one
datagram is required to determine the underlying operating system.
We can group the Active Fingerprinting methods that are based upon the ICMP protocol into the
following groups, which are based upon the ICMP traffic used:
 Regular ICMP Query Messages
 Crafted ICMP Query Messages
 ICMP Error Messages
The question "Which operating system answers for what kind of ICMP Query messages?" helps us
identify certain groups of operating systems. For example, LINUX and *BSD based operating
systems with a default configuration answer for ICMP Echo requests and for ICMP Timestamp
Requests. Until the Microsoft Windows 2000 family of operating systems was released, it was a
unique combination for these two groups of operating systems. Since the Microsoft Windows 2000
operating system family mimics the same behavior (yes, mimics), it is no longer feasible to make
this particular distinction. Other data we might use is "Which operating systems answer for
queries aimed at the broadcast / network address of the network they reside on?" For Microsoft
based operating systems this information is not useful, since Microsoft based operating system
machines will not answer for any type of ICMP message aimed at the broadcast address of the
network these machines reside on. Using tables that map the "who answers what?" approach we can
map Ultrix, Linux, Sun Solaris, and group HPUX & AIX based machines with some ICMP Query
message combinations. Is it a sin not to answer an ICMP Query request aimed at the broadcast
address of a network? No. This is not abnormal behavior, as RFC 1122 states that if we send an
ICMP ECHO request to an IP Broadcast or IP Multicast address it may be silently discarded by a
host.
IP Time-to-Live Field
The sender sets the time to live field to a value that represents the maximum time the datagram is
allowed to travel on the Internet. The field value is decreased at each point that the Internet header
is being processed. RFC 791 states that this decrement reflects the time spent processing
the datagram. The field value is measured in units of seconds. The RFC also states that the
maximum time to live value can be set to 255 seconds, which equals 4.25 minutes. The datagram
must be discarded if this field value equals zero before reaching its destination. Relating to this
field as a measure to assess time is a bit misleading. Some routers may process the datagram faster
than a second, and some may process the datagram longer than a second. The real intention is to
have an upper bound to the datagram lifetime, so infinite loops of undelivered datagrams will not
jam the Internet.

Having a bound to the datagram's lifetime helps us prevent old duplicates from arriving after a
certain time has elapsed. So when we retransmit a piece of information which was not previously
delivered, we can be assured that the older duplicate is already discarded and will not interfere
with the process.
The IP TTL field value with ICMP has two separate values: one for ICMP query messages and one
for ICMP query replies. The TTL field value helps us identify certain operating systems and groups
of operating systems. It also provides us with the simplest means to add another check criterion
when we are querying other host(s) or listening to traffic (sniffing). We can use the IP TTL field
value with the ICMP Query Reply datagram to identify certain groups of operating systems. The
method discussed in this section is a very simple one. We send an ICMP Query request message to
a host. If we receive a reply, we would be looking at the IP TTL field value in the ICMP query
reply.

The IP Time-To-Live field value received will not be the original value assigned to this field. The
reason is that each router along the path from the targeted host to the prober decreased this field
value by one. We can use two ways to approach this. The first one is looking at the IP TTL field
values that are usually used by operating systems and networking devices. They are 255, 128, 64
and 32. We will use the closest of these values as the original value assigned to the IP TTL field.
The second approach is less accurate than the first one. Since we already queried the targeted host,
querying it again will not be that
We can use the trace route program (tracert in Windows 2000) in order to reveal the number of
hops between our system and the target. Adding the number we calculated to the IP TTL field
value should give us a good guess about the original IP TTL value assigned to this field. Why is
this only a good guess? Because the routes taken from the target to our host and from our host to
the target may be different routes. Again, we will have a number close enough to one of the common
values used to make a good guess about the original IP TTL field value.
C:\>ping -n 1 www.sys-security.com
Pinging www.sys-security.com [216.230.199.48] with 32 bytes of data:
Reply from 216.230.199.48: bytes=32 time=481ms TTL=238
Ping statistics for 216.230.199.48:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 481ms, Maximum = 481ms, Average = 481ms

Figure: ICMP Timestamp Request (decision tree: 1. ICMP Timestamp Request aimed at the Broadcast
Address of a Network - Reply: Solaris, HP-UX, LINUX Kernel 2.2.14; No Reply: other OS's.
2. ICMP Information Request aimed at the Broadcast Address of a Network - Reply: Solaris, HP-UX,
LINUX Kernel 2.2.14. 3. ICMP Address Mask Request aimed at Specific IPs - Reply: Solaris;
No Reply: LINUX Kernel 2.2.14)

C:\>tracert -h 16 www.sys-security.com
Tracing route to www.sys-security.com [216.230.199.48] over a maximum of 16 hops:
1 100 ms 100 ms 120 ms Haifa-mng-1 [213.8.12.7]
2 90 ms 90 ms 90 ms ge037.herndon1.us.telia.net [205.164.141.1]
3 120 ms 151 ms 200 ms 213.8.8.5
4 441 ms 450 ms 451 ms 500.Serial3-5.GW3.NYC6.ALTER.NET [157.130.253.69]
5 440 ms 451 ms 451 ms 521.ATM2-0.XR2.NYC4.ALTER.NET [152.63.24.38]
6 912 ms 460 ms 461 ms 188.ATM3-0.TR2.NYC1.ALTER.NET [146.188.179.38]
7 471 ms 480 ms 471 ms 104.at-5-1-0.TR2.CHI4.ALTER.NET [146.188.136.153]
8 470 ms 471 ms 471 ms 198.at-2-0-0.XR2.CHI2.ALTER.NET [152.63.64.229]
9 480 ms 471 ms 471 ms 0.so-2-1-0.XL2.CHI2.ALTER.NET [152.63.67.133]
10 471 ms 471 ms 470 ms POS6/0.GW2.CHI2.ALTER.NET [152.63.64.145]
11 471 ms 481 ms 470 ms siteprotect.customer.alter.net [157.130.119.50]
12 481 ms 490 ms 481 ms 216.230.199.48
Trace complete.
C:\>

Figure: ICMP Query Replies


If we look at the IP TTL field values of the ICMP Echo replies, then we can identify a few patterns:
 UNIX and UNIX-like operating systems use 255 as their IP TTL field value with ICMP
query replies.
 Compaq Tru64 v5.0 and LINUX 2.0.x are the exceptions, using 64 as their IP TTL field value
with ICMP query replies.
 Microsoft Windows operating system based machines are using the value of 128.
 Microsoft Windows 95 is the only Microsoft operating system to use 32 as its IP TTL field
value with ICMP query messages, making it unique among all other operating systems as
well.

The examination of the IP TTL field value is not limited to ICMP Query replies only. We can learn
a lot from the ICMP requests aimed at our host(s) as well. The IP Time-To-Live field value
received will not be the original value assigned to this field. The reason is that each router along the
path from the targeted host to the prober decreased this field value by one. We will examine the IP
TTL field values that are usually used by operating systems and networking devices. They are 255,
128, 64 and 32. We will use the closest of these values as the original value assigned to the IP TTL
field.
ICMP Query Requests
Using techniques which will trace the querying target path until its gateway may not work, and
may alert the prober that we are aware of his activities. This method is a Passive Fingerprinting
method.

Figure: ICMP Query Requests


The ICMP Query message type used was ICMP Echo request, which is common on all operating
systems tested using the ping utility.

 LINUX Kernel 2.0.x, 2.2.x & 2.4.x use 64 as their IP TTL Field Value with ICMP Echo
Requests.
 FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD 2.6, 2.7, NetBSD and HP
UX 10.20 use 255 as their IP TTL field value with ICMP Echo requests.
 Windows 95/98/98SE/ME/NT4 WRKS SP3, SP4, SP6a/NT4 Server SP4 - all use 32 as
their IP TTL field value with ICMP Echo requests.
 Microsoft Windows 2000 uses 128 as its IP TTL Field Value with ICMP Echo requests.
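The two TTL approaches described above (closest common initial value, and traceroute hop count added back) together with the reply and request tables, as an added Python example that is not part of the module. The OS groups are exactly those the text lists, and the sample ping and tracert text is taken from the output shown above (tracert shortened to its first and last hops).

```python
import re

# Initial IP TTL values commonly used by operating systems and networking devices.
INITIAL_TTLS = (32, 64, 128, 255)

# OS groups as the text gives them for ICMP Echo *replies* (active probing)
# and for ICMP Echo *requests* arriving at our own host (passive sniffing).
REPLY_TTL_GROUPS = {
    255: "UNIX / UNIX-like",
    128: "Microsoft Windows",
    64: "Compaq Tru64 v5.0 / LINUX 2.0.x",
    32: "Microsoft Windows 95",
}
REQUEST_TTL_GROUPS = {
    255: "FreeBSD / Sun Solaris / OpenBSD / NetBSD / HP-UX 10.20",
    128: "Microsoft Windows 2000",
    64: "LINUX Kernel 2.0.x / 2.2.x / 2.4.x",
    32: "Windows 95/98/98SE/ME/NT4",
}

TTL_RE = re.compile(r"\bTTL=(\d+)", re.IGNORECASE)
HOP_RE = re.compile(r"^\s*(\d+)\s+\S")   # tracert hop lines begin with the hop number


def guess_initial_ttl(observed: int) -> int:
    """Method 1: a TTL only decreases in transit, so take the closest common
    initial value that is not below the observed one (61 -> 64, 238 -> 255)."""
    if not 0 < observed <= 255:
        raise ValueError("TTL %d out of range" % observed)
    return next(c for c in INITIAL_TTLS if observed <= c)


def initial_ttl_from_hops(observed: int, hops: int) -> int:
    """Method 2: add the traceroute hop count back and snap to the nearest
    common value. Only a good guess: the return path may be a different route."""
    estimate = observed + hops
    return min(INITIAL_TTLS, key=lambda c: abs(c - estimate))


def ttl_from_ping_output(text: str) -> int:
    """Extract the TTL from the first 'Reply from ...' line of ping output."""
    match = TTL_RE.search(text)
    if match is None:
        raise ValueError("no TTL= field found in ping output")
    return int(match.group(1))


def hops_from_tracert_output(text: str) -> int:
    """Count hops in tracert output as the largest leading hop number."""
    hops = [int(m.group(1)) for m in map(HOP_RE.match, text.splitlines()) if m]
    if not hops:
        raise ValueError("no hop lines found in tracert output")
    return max(hops)


def fingerprint(observed_ttl: int, direction: str = "reply", hops=None):
    """Return (initial_ttl, estimated_hops, os_group) for an observed TTL.

    direction is "reply" for Echo replies we solicited and "request" for
    Echo requests sniffed on our own network.
    """
    if hops is None:
        initial = guess_initial_ttl(observed_ttl)
    else:
        initial = initial_ttl_from_hops(observed_ttl, hops)
    groups = REPLY_TTL_GROUPS if direction == "reply" else REQUEST_TTL_GROUPS
    return initial, initial - observed_ttl, groups.get(initial, "unknown")


# Sample input taken from the ping / tracert output shown in the text above.
SAMPLE_PING = """\
Pinging www.sys-security.com [216.230.199.48] with 32 bytes of data:
Reply from 216.230.199.48: bytes=32 time=481ms TTL=238
"""
SAMPLE_TRACERT = """\
Tracing route to www.sys-security.com [216.230.199.48] over a maximum of 16 hops:
  1   100 ms   100 ms   120 ms  Haifa-mng-1 [213.8.12.7]
  2    90 ms    90 ms    90 ms  ge037.herndon1.us.telia.net [205.164.141.1]
 11   471 ms   481 ms   470 ms  siteprotect.customer.alter.net [157.130.119.50]
 12   481 ms   490 ms   481 ms  216.230.199.48
Trace complete.
"""

if __name__ == "__main__":
    ttl = ttl_from_ping_output(SAMPLE_PING)
    hops = hops_from_tracert_output(SAMPLE_TRACERT)
    print("method 1:", fingerprint(ttl))
    print("method 2:", fingerprint(ttl, hops=hops))
    # A sniffed Echo request with TTL=30 (constructed value) -> 32 -> Windows 9x/NT4
    print("passive :", fingerprint(30, direction="request"))
```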

Correlating the Information

Figure: IP TTL ECHO Request and Replies


The usage of ICMP in the Passive Operating System Fingerprinting Process

If you don’t own me, don’t use me!

Courseware Piracy says it to those who labor to produce copyrighted materials and
cause serious financial damage. Protect yourself from this scam.

 Your study materials need to have ATL's Hologram on it.
 You should have ATL's authentic certificates.
If you find some unauthenticated courseware with you, contact us at:
[email protected]

Fingerprinting is the technique of interpreting the responses of a system in order to figure out what
it is. Unusual combinations of data are sent to the system in order to trigger these responses.
Systems respond the same with correct data, but they rarely respond the same way for wrong data.
Active Fingerprinting
The strategy of active finger printing includes
 craft requests
 interpret responses
 Operating System Fingerprinting
o nmap
o ICMP Usage in Scanning
Example:
o Send ICMP Netmask request
o Got a response? Might be Solaris
Test implemented methods
 response to unsupported messages
 response to fuzzed lines
 response on busy
o timing
 response to unsupported media
o 415, 486, 603
The advantage of active fingerprinting is that it triggers bugs on demand.
But active fingerprinting is noisy and detectable.
Passive Fingerprinting
Passive Fingerprinting is a technique used to map a targeted network (and networks and hosts
communicating with it) using sniffed information (exchanged network traffic) from that network.
Different operating systems use different implementations of the TCP/IP stack. We can identify
differences between those TCP/IP stack implementations, and therefore differentiate between the
different operating systems using those TCP/IP stack implementation differences. Based on the
sniffed information and those differences we can identify the various operating systems used on the
sniffed network. We can also identify some operating systems used on the network(s) and host(s)
communicating with our targeted network. We can also identify the various services available on
those host(s).

 Strategy
o sniff existing traffic
o identify based on oddities

Passive fingerprinting is undetectable, but it is hard to differentiate between minor versions.
 Order/existence of headers
o i.e. Accept header set?
 order/formatting inside headers
o brackets
o display name
o order of tags
 interpretation of RFCs
o Max-Forwards set to !70

SUMMARY
The specialized nature of information systems (IS) auditing and the skills necessary to perform
such audits require standards that apply specifically to IS auditing. One of the goals of the ATL
Security Group is to advance globally applicable standards to meet its vision. The development and
dissemination of the IS Auditing Standards are a cornerstone of the ATL professional‘s
contribution to the audit community. The framework for the IS Auditing Standards provides
multiple levels of guidance. Standards define mandatory requirements for IS auditing and
reporting.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider
them in determining how to achieve implementation of the standards, use professional judgment in
their application and be prepared to justify any departure. The objective of the IS Auditing
Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement.
The procedure documents provide information on how to meet the standards when performing IS
auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to
provide further information on how to comply with the IS Auditing Standards. Thus, in IS audits,
vulnerability assessment and testing play a major and essential role, and in-depth knowledge of
them is a must in information security and in protection from hacking procedures.

EXERCISE

Q 1. Which of the following consequences of executing a virus on a PC is (are) possible?


I. Files appear to be missing or deleted from the hard disk.
II. Either the PC system board or a disk drive is physically damaged.
III. There is low computer memory on disks.
a) I, II, and III
b) I only
c) I and III only
d) II and III only

Q 2. A computer attack that exploits the way that a network connection remains open waiting
for a response is known as a _____ attack.
a) mail bomb
b) Smurf
c) spam
d) SYN flood

Q 3. Which of the following computer attack methods does not require a hardware or
software tool?
a) Spoofing
b) Social engineering
c) Port scanning
d) Packet sniffing

Q 4. Which of the following computer attacks is spoofing?


a) Using one computer to impersonate another
b) Monitoring a network to intercept data
c) Using a program to decrypt passwords
d) Accessing an unprotected port on a computer

Q 5. Which of the following is (are) true regarding network bandwidth attacks?


I. They can be used to launch a denial of service attack.
II. They can cause a Web site to become unavailable.
III. They work by flooding a network with traffic.
a) I and II only
b) I, II, and III
c) II and III only
d) I and III only

Q 6. Which of the following can help prevent denial of service attacks?


I. Defragment hard drives frequently.
II. Disable or block any unused network services.
a) I and II
b) I only
c) None
d) II only

Q 7. Which of the following is not true of malicious software?


a) A Trojan horse is an entire program that a user might knowingly execute but without
realizing that it will operate in a malicious manner.
b) A worm is a program that replicates itself on other systems and impacts computer
operations by tying up critical resources such as memory or files.
c) A boot virus is located on the area of a disk loaded by the BIOS during the boot process
and is immediately activated every time the computer is reset or powered on.
d) A program virus is embedded within a program file and is initially activated whenever the
program file is copied to the disk drive.

Q 8. The method of cracking a password by trying all possible alphanumeric combinations is


known as a _____ attack
a) brute force
b) port scanning
c) man-in-the-middle

d) dictionary

Q 9. Attacking a computer by sending it an excessive number of email messages is known as


a) spamming
b) spoofing
c) Smurfing
d) pinging

Q 10. After loading a word processor document from a floppy, a user's computer begins to
show symptoms of being infected by a virus.
Which of the following is true concerning this situation?
a) A document cannot contain a virus, so the source of the virus was not the word processing
document.
b) The document text could have contained an embedded virus.
c) The document could have contained a macro that contained a virus.
d) The word processing program checks all documents for viruses before using them, so the
source of the virus was not the document.
Answers: 1) c, 2) d, 3) b, 4) a, 5) b, 6) d, 7) d, 8) a, 9) a, 10) c

UNIT 2
VULNERABILITY ASSESSMENT

2.1 VULNERABILITIES
"Vulnerabilities are the gateways by which threats are manifested".
In other words, a system compromise can occur through a weakness found in a system. A
vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix
to prevent a compromise. How do these weaknesses occur? There are two points to consider:
 Many systems are shipped with known and unknown security holes and bugs, and
 Insecure default settings (passwords, etc.). Many vulnerabilities occur as a result of
misconfiguration.
Vulnerabilities are actually weaknesses in software that might be used to compromise a computer.
Vulnerable software includes all types of operating systems and application programs. New
vulnerabilities are being discovered constantly in different ways. New vulnerabilities discovered by
security researchers are usually reported confidentially to the vendor, which is given time to study
the vulnerability and develop a patch. Of all vulnerabilities disclosed in 2007, 50% could be
corrected through vendor patches. When ready, the vendor will publish the vulnerability,
hopefully along with a patch. It has been argued that publication of vulnerabilities will help
attackers. Though this might be true, publication also fosters awareness within the entire
community. Systems administrators will be able to evaluate their systems and take appropriate
precautions. One might expect systems administrators to know the configuration of computers on
their network, but in large organizations, it would be difficult to keep track of possible
configuration changes made by users. Vulnerability testing offers a simple way to learn about the
configuration of computers on a network.
Vulnerability testing is an exercise to probe systems for known vulnerabilities. It requires a
database of known vulnerabilities, a packet generator, and test routines to generate a sequence of
packets to test for a particular vulnerability. If a vulnerability is found and a software patch is
available, that host should be patched. Penetration testing is a closely related idea but takes it
further. Penetration testing simulates the actions of a hypothetical attacker to attempt to
compromise hosts.
Ways to counteract these conditions include:
 Creating and abiding by baseline security standards
 Installing vendor patches (when appropriate)
 Vulnerability scanning
 Subscribing to and abiding by security advisories
 Implementing perimeter defenses, such as firewalls and router ACLs
 Implementing intrusion detection systems and virus scanning software.
The primary reason for testing the security of an operational system is to identify potential
vulnerabilities and subsequently repair them. The number of reported vulnerabilities is growing
daily. Consequently, it is imperative that organizations routinely test systems for vulnerabilities and
misconfigurations to reduce the likelihood of system compromise. Typically, vulnerabilities are
exploited repeatedly by attackers to attack weaknesses that organizations have not patched or
corrected. A few software vulnerabilities account for the majority of successful attacks because
attackers don't like to do extra work. They exploit the best-known flaws with the most effective and
widely available attack tools. And they count on organizations not fixing the problems.
The process followed to test for vulnerabilities is as defined –
 Audit
o Information Gathering
o Vulnerability Scanning & Penetration Testing
 Report
o Risk Assessment
o Comprehensive Reporting with Management / Technical Reports
 Secure
o Patching Vulnerabilities
o Software‘s Recommendation / Implementation
 Manage
o Regular Patching of newly discovered vulnerabilities in the system
o Address and escalate any unforeseen security related issue
o Identify, recommend and implement long term solutions

2.2 VULNERABILITY ASSESSMENT


A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking)
the vulnerabilities in a system. Examples of systems for which vulnerability assessments are
performed include, but are not limited to, nuclear power plants, information technology systems,
energy supply systems, water supply systems, transportation systems, and communication systems.
Vulnerability assessments can be conducted for small businesses to large regional infrastructures.
Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:

 Cataloging assets and capabilities (resources) in a system.
 Assigning quantifiable value (or at least rank order) and importance to those resources
 Identifying the vulnerabilities or potential threats to each resource
 Mitigating or eliminating the most serious vulnerabilities for the most valuable resources

Vulnerabilities in IT systems such as software and networks can be considered holes or errors.
These vulnerabilities are due to improper software design, insecure coding, or both. For
example, buffer overflow is a vulnerability where the boundary limits for an entity such as
variables and constants are not properly defined or checked. This can be compromised by
supplying data which is greater than what the entity can hold. This results in a memory spill over
into other areas and thereby corrupts the instructions or code that need to be processed by the
microprocessor.
When a vulnerability is exploited it results in a security violation, which will result in a certain
impact. A security violation may be an unauthorized access, escalation of privileges, or denial-of-
service to the IT systems.
Tools are used in the process of identifying vulnerabilities. These tools are called vulnerability
scanners. A vulnerability scanning tool can be a hardware-based or software application.
Generally, vulnerabilities can be classified based on the type of security error. A type is a root
cause of the vulnerability.
Vulnerabilities can be classified into the following types:

1. Access Control Vulnerabilities
It is an error due to the lack of enforcement pertaining to users or functions that are
permitted, or denied, access to an object or a resource.
Examples: Improper or no access control list or table, No privilege model, Inadequate file
permissions, Improper or weak encoding
Security violation and impact: Files, objects, or processes can be accessed directly
without authentication or routing.
2. Authentication Vulnerabilities
It is an error due to inadequate identification mechanisms so that a user or a process is not
correctly identified.
Examples: Weak or static passwords, Improper or weak encoding or weak algorithms
Security violation and impact: An unauthorized, or less privileged user (for example,
Guest user), or a less privileged process gains higher privileges, such as administrative or
root access to the system
3. Boundary Condition Vulnerabilities
It is an error due to inadequate checking and validating mechanisms such that the length of
the data is not checked or validated against the size of the data storage or resource.
Examples: Buffer overflow, overwriting the original data in the memory
Security violation and impact: Memory is overwritten with some arbitrary code so that it
gains access to programs or corrupts the memory. This will ultimately crash the operating
system. An unstable system due to memory corruption may be exploited to get a command
prompt, or shell access, by injecting arbitrary code.
4. Configuration Weakness Vulnerabilities
It is an error due to the improper configuration of system parameters, or leaving the default
configuration settings as they are, which may not be secure.
Examples: Default security policy configuration, File and print access in Internet
connection sharing
Security violation and impact: Most of the default configuration settings of many
software applications are published and are available in the public domain. For example,
some applications come with standard default passwords. If they are not secured, they
allow an attacker to compromise the system. Configuration weaknesses are also exploited
to gain higher privileges resulting in privilege escalation impacts.
5. Exception Handling Vulnerabilities
It is an error due to improper setup or coding where the system fails to handle, or properly
respond to, exceptional or unexpected data or conditions.
Example: SQL Injection
Security violation and impact: By injecting exceptional data, user credentials can be
captured by an unauthorized entity
6. Input Validation Vulnerabilities
It is an error due to a lack of verification mechanisms to validate the input data or contents.
Examples: Directory traversal, Malformed URLs
Security violation and impact: Due to poor input validation, access to system-privileged
programs may be obtained.
7. Randomization Vulnerabilities
It is an error due to a mismatch in random data, or insufficiently random data, used by the process.
Specifically, these vulnerabilities are predominantly related to encryption algorithms.
Examples: Weak encryption key, insufficient random data
Security violation and impact: Cryptographic key can be compromised which will impact
the data and access security.
8. Resource Vulnerabilities
It is an error due to a lack of resources availability for correct operations or processes.
Examples: Memory getting full, CPU is completely utilized
Security violation and impact: Due to the lack of resources the system becomes unstable
or hangs. This results in a denial of services to the legitimate users.
9. State Error
It is an error that is a result of the lack of state maintenance due to incorrect process flows.
Examples: Opening multiple tabs in web browsers
Security violation and impact: There are specific security attacks, such as Cross-site
scripting (XSS), that will result in user-authenticated sessions being hijacked.
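Two of the types above, Exception Handling (SQL injection) and Input Validation (directory traversal), are the easiest to see in code. The following Python example is added here for illustration and is not code from the ATL module; it places the vulnerable form of each operation next to its hardened form, using a constructed in-memory SQLite table and an assumed document root of /srv/files as sample input.

```python
# Added example (not part of the ATL module): two of the vulnerability types
# above, Exception Handling (SQL injection) and Input Validation (directory
# traversal), each shown as the vulnerable form next to its hardened form.
import os
import sqlite3


def build_demo_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "guest")])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being compared as data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Hardened: the SQL text is fixed and the input is bound as a parameter,
    so whatever it contains is only ever compared against the column."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def resolve_unsafe(base_dir, requested):
    """Vulnerable: trusts the client-supplied relative path; '..' segments and
    absolute paths walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir, requested):
    """Hardened: resolve the full path, then require that it still lies under
    base_dir. Raises ValueError for anything that would escape."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"request escapes {base}: {requested!r}")
    return target


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"        # tautology used when verifying a fix for injection
    print("unsafe lookup:", find_user_unsafe(db, probe))   # returns every user
    print("safe lookup:  ", find_user_safe(db, probe))     # no user has that name
    served = "/srv/files"       # assumed document root for the illustration
    print("unsafe path:", resolve_unsafe(served, "../etc/passwd"))  # leaves /srv/files
    try:
        resolve_safe(served, "../etc/passwd")
    except ValueError as err:
        print("rejected:", err)
```

The hardened forms share one idea: keep the structure (the SQL statement, the served directory) fixed in code and treat everything the client sends as data to be compared or contained, never as something that shapes the operation.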

2.3 PROTECTIVE MEASURES


Common exploits occur because of weaknesses found in a computing environment. These exploits
are an attack against:

1. Confidentiality - being secure from unauthorized access. Example: Vulnerabilities in
telnet (user names and passwords sent unencrypted from a remote connection) can allow an
attack against Confidentiality.
2. Integrity - accuracy and completeness of data. Example: Vulnerabilities in sendmail (mail
can be forged from any address) can allow an attack against Integrity.
3. Availability - data and systems ready for use at all times by authorized users. Example:
Variations on ping (a request for information) can cause a denial-of-service attack, e.g.,
floods or the ping of death, which is an attack against Availability.
Examples of Protective Security Measures:
 Access controls - user IDs and passwords, appropriate password and security policies,
separation of duties,
 User authentication, with appropriate use of controls, where possible, e.g. smart cards,
biometrics, etc.,
 Workstation lock screens,
 Encryption,
 Proper registry permissions,
 Proper directory and file permissions,
 Properly defined user rights,
 Applying patches/updates,
 Firewalls,
 VPN tunneling,
 Screening routers,
 Anti-virus software,
 Prompt removal of terminated/transferred employee accounts, default passwords and
unnecessary services running on the system.

2.4 VULNERABILITY ASSESSMENT: THE RIGHT TOOLS TO PROTECT YOUR CRITICAL DATA

Over the last several years, Vulnerability Assessment (VA) has become one of the hottest fields
within the computer security market. VA tools are designed to detect and report on security holes
within various software applications, allowing organizations to take corrective actions before a
devastating attack occurs. Due to the reduction in "time to exploit" once a new vulnerability
reaches the public domain, and the regulatory pressures imposed on businesses within a variety of
verticals, the need for reliable vulnerability assessment has never been greater. Unfortunately, the
environment in which software applications are developed today is largely driven by schedule and
features, rather than stability or security. This situation has led to corporate networks being rife
with vulnerabilities there for the picking, and the software vendors are doing very little to remedy
the situation. Risks to corporate applications are further exacerbated by overburdened and
understaffed IT departments.
Successful and well publicized cyber-attacks have now become commonplace, often hitting the
affected businesses hard with fines, mandatory external audits, and customers taking their business
to someplace where they hope their personal data will be better protected. Securing your assets
with a layered approach to security is the only way to win in a world where hackers are
everywhere, and software vendors take no liability for the damages that poorly developed products
cause. We've all heard about the need for a Firewall to block access to the network, an IDS or IPS
to detect and stop external attacks, and a VPN to protect sensitive communications. These are
essential tools in protecting your data, but they fall far short of a complete solution, as external
hackers can still access the network through legitimate applications, and insiders continue to
operate unfettered. How secure is your money in a bank with no Vault? Vulnerability Assessment
inside the perimeter is the next step in proactively protecting your data, but it is a complex
marketplace, and there is no single magic bullet or VA tool out there with the breadth to cover your
entire network and all the applications within.

2.5 TYPES OF VULNERABILITY ASSESSMENT


There are two broad categories of vulnerability assessment software, Host-based, and Network-
based. Host-based VA tools focus on analyzing issues specific to a single host machine. Typically,
these tools load agent software onto the target system that tracks activities and configurations
changes, and reports back to a centralized console. Network-based VA tools run on centralized
scanner machines, often operate anonymously (requiring no logins), and can scan a range of hosts
for vulnerabilities. Information Technology (IT) professionals can use both network- and host-
based vulnerability assessments (VAs) to obtain a complete evaluation of the security risks of the
system(s) under investigation.
Network-based VAs are accomplished through the use of network scanners. Network scanners are
able to detect open ports, identify services running on these ports, simulate attacks, and reveal
possible vulnerabilities associated with these services. On the other hand, host-based VAs are
carried out through host-based scanners. Host based scanners are able to recognize system-level
vulnerabilities including incorrect file permissions, registry permissions, and software
configuration errors. Furthermore, they ensure that target systems are compliant with the
predefined company security policies.
Unlike network-based scanners, an administrator account or an agent is required to be on the target
system to allow for the system-level access required. A network scanner should be the first tool
used in the vulnerability assessment process. It provides a quick snapshot of the highest risk
vulnerabilities that require immediate attention. A network-based scanning assessment might detect
extremely critical vulnerabilities such as misconfigured firewalls or vulnerable web servers in a
DMZ that could provide a stepping stone to an intruder and allow them to quickly compromise an
organization‘s security. Network-based scanning performs quick, detailed analyses of an
enterprise‘s critical network and system infrastructure from the perspective of an external or
internal intruder trying to use the network to break into systems.
“Network-based scanners are excellent tools for evaluating security risks associated with two
types: risks associated with vendor supplied software, and risks associated with network and
systems administration.”
Host-based scanning's strengths lie in direct access to low-level details of a host's operating
system, specific services, and configuration details. While a network-based scanner emulates the
perspective that a network-based intruder would have, a host-based scanner can view a system
from the security perspective of a user who has a local account on the system. This is a critical
difference, since a network-based scanner cannot, by definition, provide sufficient insight into
potential user activity risks. Assessing these user-driven security risks is critical not only to the
specific host affected, but to the security of the entire network. Once a user has access to a local
account (even just a "Guest" account) it opens up a whole range of possibilities for exploiting and
taking control of the local system. An intruder who has accessed a specific host might be a
legitimate user misusing an account, or it could be an account taken over by an intruder who
guessed or cracked a password. For both situations, a host-based scanner helps ensure that a given
system is properly configured and that vulnerabilities are patched so that a local user doesn't gain
access to administrator or root privileges.
While both network- and host-based scanning technologies have their unique strengths, using both
tools in a coordinated fashion provides the best vulnerability assessment for measuring an
organization‘s security risks. Network-based scanners allow information security professionals to
assess and correct network-based vulnerabilities, secure network perimeter points on an ongoing
basis and strengthen initial lines of defense against intrusion. Host-based scanners provide an
additional level of security by locking down individual hosts to prevent critical resources from
being accessed by internal misuse or external intruders using compromised accounts.
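The host-based checks described in this section (incorrect file and directory permissions) can be shown in a few lines. The following Python example is added here for illustration and is not part of the ATL module or of any tool it names; it builds a small constructed directory tree in a temporary location, reports the findings a host-based scanner would raise, and removes the tree again.

```python
# Added example (not part of the ATL module): a minimal host-based permission
# check of the kind described above, run over a constructed directory tree.
import os
import shutil
import stat
import tempfile


def permission_findings(root):
    """Walk root and report permission weaknesses a host-based scanner would
    flag. Returns a sorted list of (path relative to root, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                continue              # a link's own mode bits are not meaningful
            if stat.S_ISDIR(mode):
                # anyone may create or delete entries unless the sticky bit is set
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable directory without sticky bit"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid file"))
            if mode & stat.S_ISGID:
                findings.append((rel, "setgid file"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: a mix of sound and weak permissions."""
    root = tempfile.mkdtemp(prefix="hostva-")
    dirs = {"etc": 0o755, "bin": 0o755, "tmp": 0o1777, "shared": 0o777}
    files = {"etc/app.conf": 0o644, "etc/secrets.ini": 0o666, "bin/helper": 0o4755}
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root


def run_demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return permission_findings(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, finding in run_demo():
        print(f"{finding:45s} {path}")
```

Note what this shows about the section's point: none of these findings is visible from the network. A port scan sees neither the world-writable configuration file nor the setuid helper; only a scanner with local access to the filesystem can report them.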

2.6 THE CHALLENGES OF VULNERABILITY ASSESSMENTS


Network vulnerability assessments are widely recognized as a crucial component of network
security and a key component of any overall Network Security Assessment Service. Vulnerability
Assessments are performed to determine the actual security posture of a network environment.
They are designed to explore whether or not a malicious attacker can affect the confidentiality,
availability, or integrity of information or attack network elements in any form of Denial of Service
(DoS) attack. These questions have been historically answered by performing vulnerability
assessments in a proactive manner — attempting to identify vulnerabilities in a network before
hackers do, allowing corrective action to be taken to mitigate any problems before they are
potentially exploited.
Since networks are incredibly dynamic, it has long been recognized that vulnerability assessments
should be performed periodically, either by internal audit teams or by external consulting
organizations or both.
Challenge No. 1 — To Protect the Organization Assets in Dynamic Networks and
Heterogeneous Environment
Vulnerability assessments need a high level of expertise to correctly determine not just the range of
vulnerabilities present in a network, but specifically, those vulnerabilities that put the enterprise at
risk, and what level of risk is present. In order to correctly identify security weaknesses within a
network environment, the security assessment team must accurately and comprehensively discover,
enumerate, and assess complex, heterogeneous networks in dynamic environments. IT departments
today find themselves in the unenviable position of managing increasingly heterogeneous
environments. That's a problem when the time between the announcement of a vulnerability and the
appearance of code designed to exploit that vulnerability has shrunk from months to days. Most
enterprise infrastructures today consist of multiple devices, operating systems, and applications that
have diverse security and availability requirements. Hence enterprises have to rely on fragmented,
multivendor solutions to provide everything from intrusion prevention and policy compliance to
patch management, high availability, backup, and data recovery. Such a strategy involves
deploying and supporting an array of independent products and services. It can be complicated,
time consuming, and costly from an administrative standpoint, making it a major drain on IT
productivity. It's also impractical given today's threat environment, in which malicious code
capable of exposing confidential information is increasing dramatically.
Challenge No. 2 — The Organization’s Security Team
In this heterogeneous environment, the security team must have current, broad, and deep technical
expertise in a myriad of technologies. What is required to perform vulnerability assessments in this
environment?
In brief, the NSAS must simulate the capabilities of knowledgeable malicious attackers. Simulating
these capabilities in a controlled and trusted environment requires specialized knowledge and tools,
both of which are extremely sparse and expensive in today's IT environment. There are only just
over 40,000 Certified Information Systems Security Professionals (CISSPs) worldwide, and far fewer
engineers are qualified to perform NSAS and vulnerability assessments.
While there are a growing number of tools, use of these by non-expert personnel will typically
produce a large printout with many listed vulnerabilities. Not all of these are likely to be critical for
a specific network, and may result in excessive effort and expense to correct. This is where
expertise and assessment against the real network environment is necessary. The shortage of
qualified personnel is compounded by the fact that security is alarmingly dynamic — the
knowledge and software that was last used to successfully test your network may now be obsolete due
to newly discovered vulnerabilities. Maintaining the appropriate level of technical competency in
vulnerability testing requires a multidisciplinary team well versed in the countless hardware and
software combinations used in today's networks. Additionally, the security assessment team must
monitor the plethora of mailing lists, news groups, and hacker web sites devoted to exploiting
security vulnerabilities. Very few organizations can afford to dedicate the necessary resources to
effectively perform these monitoring tasks.
For all but the largest of security assessment organizations, attracting and retaining a qualified
security team is almost impossible. Maintaining current software and assessment techniques and
methodologies is equally difficult due to limited resources. This often explains why so many
organizations currently use third party consultants and software tools to assist with NSAS
operations, a trend that is growing every day as networks and assessment technology become even
more complex.

Challenge No. 3 — Regulatory Compliance


As the regulatory compliance landscape becomes steadily more complex, the risks associated with
noncompliance grow more costly. Organizations — and more importantly — network security
administrators — are increasingly required to demonstrate compliance with a variety of legislation.
CEOs increasingly sign statements, based on their security administrators' assessments, affirming to
regulatory bodies that the security of their networks and the information retained within them
meets minimum standards.

2.7 TOOLS FOR VA


SAMPLE LIST OF TOOLS

Rapid7 Nexpose: Rapid7 Nexpose proactively supports the entire vulnerability management
lifecycle, including continuous discovery, dynamic detection, verification, risk classification,
impact analysis, reporting and mitigation. The result is up-to-date, comprehensive security risk
intelligence about your IT environment and risk posture.

GFI LanGuard: GFI LANguard Network Security Scanner (N.S.S.) checks your network for possible
security vulnerabilities by scanning your entire network for missing security patches, service
packs, open shares, open ports, unused user accounts and more.

Nessus: Nessus is a proprietary network vulnerability scanner. It is constantly updated, and
includes more than 14,000 plugins.

MBSA: Microsoft Baseline Security Analyzer is an easy-to-use tool designed for the IT professional
that helps small- and medium-sized businesses determine their security state in accordance with
Microsoft security recommendations and offers specific remediation guidance.

Nmap: Nmap ("Network Mapper") is a free open source utility for network exploration or security
auditing.

SolarWinds: Suite of security-related tools which includes many network discovery scanners, an
SNMP brute-force cracker, router password decryption, a TCP connection reset program, and more.

L0pht Crack: An award-winning password audit and recovery tool for Windows and Unix passwords.

Lan Surveyor: Automatically diagrams your entire LAN or WAN, documents all your networked
devices, and monitors up/down status of your key systems and applications.

Metasploit: Metasploit is an advanced open-source platform for developing, testing, and using
exploit code.

Wireshark: Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is an open
source network protocol analyzer for Unix and Windows.

Paros Web Proxy: A Java based web proxy for assessing web application vulnerability. It supports
editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It
includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web
application attacks such as SQL injection and cross-site scripting.

Cain & Abel: This Windows-only password recovery tool handles an enormous variety of tasks. It can
recover passwords by sniffing the network, cracking encrypted passwords using Dictionary,
Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords,
revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Netstumbler: Netstumbler is the best known Windows tool for finding open wireless access points
("wardriving").

Netcat: This simple utility reads and writes data across TCP or UDP network connections. It is
designed to be a reliable back-end tool that can be used directly or easily driven by other programs
and scripts.

True Crypt: TrueCrypt is an excellent open source disk encryption system.

SuperScan4: SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone. It
includes a variety of additional networking tools such as ping, traceroute, http head, and whois.

SamSpade: Sam Spade provides a consistent GUI and implementation for many handy network query
tasks. It was designed with tracking down spammers in mind, but can be useful for many other network
exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois,
dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search,
and more.

Ettercap-NG: Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It
supports active and passive dissection of many protocols (even ciphered ones, like ssh and https).
Data injection in an established connection and filtering on the fly is also possible, keeping the
connection synchronized. It has the ability to check whether you are in a switched LAN or not, and
to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Ike-scan: Ike-scan exploits transport characteristics in the Internet Key Exchange (IKE) service,
the mechanism used by VPNs to establish a connection between a server and a remote client.

Spohn Security Manager: The Spohn NetAudit Integrated Security Manager is a proprietary program we
designed from the ground up in order to put it all together. Security Manager allows us to combine
the results from Nessus, GFI, MBSA, and more, into one Access Database that we will use to put
together a comprehensive assessment of your security posture. The same database is included on the
CD-Rom so you can see what we see, and even run your own queries.

Fingergoogle: Command line program to enumerate Google's enormous database for user names.

Google: While it is far more than a security tool, Google's massive database is a gold mine for
security researchers and penetration testers. You can use it to dig up information about a target
company by using directives such as "site:target-domain.com" and find employee names, sensitive
information that they wrongly thought was hidden, vulnerable software installations, and more.

NessusWX: Open source Windows version of the Nessus client.

Hping2: This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then
displays any replies. It was inspired by the ping command, but offers far more control over the
probes sent.

Dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers.

Hydra: It can perform rapid dictionary attacks against more than 30 protocols, including telnet,
ftp, http, https, smb, several databases, and much more.

Psk-crack: psk-crack attempts to crack IKE Aggressive Mode pre-shared keys that have been
previously gathered using ike-scan with the --pskcrack option.

Packetyzer: Packetyzer provides a Windows user interface for the well known Ethereal packet capture
and dissection library.

Tcpdump: Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene. It may
not have the bells and whistles that Wireshark has, but it does the job well and with fewer security
holes. It also requires fewer system resources.

Nemesis: The Nemesis Project is designed to be a commandline-based, portable human IP stack for
UNIX/Linux, and Windows.

Wget: GNU Wget is a free utility for non-interactive download of files from the Web. It supports
HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.

Httrack: HTTrack allows you to download a World Wide Web site from the Internet to a local
directory, building recursively all directories, getting HTML, images, and other files from the
server to your computer. HTTrack arranges the original site's relative link-structure.

Nikto: Nikto is an open source (GPL) web server scanner which performs comprehensive tests against
web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on
over 625 servers, and version specific problems on over 230 servers.

Wikto: Windows version of Nikto with some added features.

Httprint: httprint is a web server fingerprinting tool.

Table: Tools for VA

2.8 RISK ASSESSMENT


Definition: "Risk assessment is the process of identifying vulnerabilities and threats to the information
resources used by an organization in achieving business objectives, and deciding
what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of
the information resource to the organization."

There are two things in this definition that may need some clarification. First, the process of risk
assessment is an ongoing, iterative process. It must be repeated indefinitely. The business
environment is constantly changing and new threats and vulnerabilities emerge every day. Second,
the choice of countermeasures (controls) used to manage risks must strike a balance between
productivity, cost, effectiveness of the countermeasure, and the value of the informational asset
being protected.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or
the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to
an informational asset. A threat is anything (manmade or act of nature) that has the potential to
cause harm.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does
use a vulnerability to inflict harm, it has an impact. In the context of information security, the
impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income,
loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks,
nor is it possible to eliminate all risk. The remaining risk is called "residual risk". A risk assessment is
carried out by a team of people who have knowledge of specific areas of the business. Membership of the
team may vary over time as different parts of the business are assessed. They may use a subjective
qualitative analysis based on informed opinion, or where reliable dollar figures and historical
information are available, the analysis may use quantitative analysis. Research has shown that the
most vulnerable point in most information systems is the human user, operator, designer, or other
human. The ISO/IEC 27002:2005 Code of practice for information security
management recommends the following be examined during a risk assessment:
 Security policy,
 Organization of information security,
 Asset management,
 Human resources security,
 Physical and environmental security,
 Communications and operations management,
 Access control,
 Information systems acquisition, development and maintenance,
 Information security incident management,
 Business continuity management, and
 Regulatory compliance.

In broad terms, the risk assessment process consists of:


1. Identification of assets and estimating their value. Include: people, buildings, hardware,
software, data (electronic, print, and other), and supplies.
2. Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts
originating from inside or outside the organization.
3. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it
will be exploited. Evaluate policies, procedures, standards, training, physical security, quality
control, technical security.
4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or
quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response.
Consider productivity, cost effectiveness, and value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required
cost effective protection without discernible loss of productivity.
For any given risk, management can choose to accept the risk based upon the relatively low value of
the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or,
leadership may choose to mitigate the risk by selecting and implementing appropriate control
measures to reduce the risk. In some cases, the risk can be transferred to another business by
buying insurance or outsourcing to another business. The reality of some risks may be disputed. In
such cases leadership may choose to deny the risk.
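The six steps above and the accept/mitigate/transfer choice can be carried through quantitatively. The Python example below is added here for illustration and is not from the ATL module. The loss formula (asset value multiplied by impact fraction, annual frequency and exploit probability), the two decision thresholds, and every asset, threat and control figure are constructed assumptions for this example, not figures from the text.

```python
# Added example (not part of the ATL module): the six-step risk assessment
# process, carried through quantitatively for a constructed set of assets,
# threats and candidate controls. The loss formula and the thresholds are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                # step 1: estimated value of the asset


@dataclass
class Threat:
    name: str
    asset: str                  # which asset it acts on
    annual_frequency: float     # step 2: expected occurrences per year
    exploit_probability: float  # step 3: chance the vulnerability is exploited when the threat occurs
    impact_fraction: float      # step 4: share of the asset value lost per incident


@dataclass
class Control:
    name: str
    threat: str                 # which threat it addresses
    annual_cost: float
    reduction: float            # fraction of the expected loss it removes


def expected_annual_loss(asset, threat):
    """Steps 1-4 combined (assumed formula): value x impact x frequency x probability."""
    return (asset.value * threat.impact_fraction
            * threat.annual_frequency * threat.exploit_probability)


def decide(asset, threat, controls, accept_below=5_000, transfer_above=50_000):
    """Steps 5-6: choose a proportional response.
    Returns (decision, control name or None, residual annual loss)."""
    loss = expected_annual_loss(asset, threat)
    if loss < accept_below:                      # low value, frequency or impact: accept
        return ("accept", None, loss)
    best = None
    for ctl in (c for c in controls if c.threat == threat.name):
        net_benefit = loss * ctl.reduction - ctl.annual_cost   # step 6: cost-effectiveness
        if net_benefit > 0 and (best is None or net_benefit > best[1]):
            best = (ctl, net_benefit)
    if best is not None:                         # a control pays for itself: mitigate
        return ("mitigate", best[0].name, loss * (1 - best[0].reduction))
    if loss > transfer_above:                    # too large to carry, no cost-effective control
        return ("transfer", None, loss)
    return ("accept", None, loss)


def assess(assets, threats, controls):
    """Run the decision for every threat; result keyed by threat name."""
    by_name = {a.name: a for a in assets}
    return {t.name: decide(by_name[t.asset], t, controls) for t in threats}


# Constructed sample inventory (not real figures).
ASSETS = [
    Asset("payment-db", 2_000_000),
    Asset("lobby-kiosk", 5_000),
    Asset("hq-building", 5_000_000),
]
THREATS = [
    Threat("sql-injection", "payment-db", annual_frequency=2.0, exploit_probability=0.3, impact_fraction=0.25),
    Threat("kiosk-theft", "lobby-kiosk", annual_frequency=0.2, exploit_probability=1.0, impact_fraction=1.0),
    Threat("flood", "hq-building", annual_frequency=0.05, exploit_probability=1.0, impact_fraction=0.4),
]
CONTROLS = [
    Control("parameterised queries + code review", "sql-injection", annual_cost=40_000, reduction=0.9),
    Control("flood barriers", "flood", annual_cost=150_000, reduction=0.5),
]

if __name__ == "__main__":
    for name, (decision, control, residual) in assess(ASSETS, THREATS, CONTROLS).items():
        print(f"{name:14s} {decision:9s} {control or '-':40s} residual loss/yr {residual:,.0f}")
```

With these figures the injection risk is mitigated (the control removes far more expected loss than it costs), the kiosk theft is accepted as small, and the flood is transferred because the only available control costs more than the loss it would prevent. Changing any input moves the decision, which is the point of repeating the assessment as the environment changes.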

2.8.1 CONTROLS
When management chooses to mitigate a risk, they will do so by implementing one or more of
three different types of controls.

2.8.2 ADMINISTRATIVE
Administrative controls (also called procedural controls) consist of approved written policies,
procedures, standards and guidelines. Administrative controls form the framework for running the
business and managing people. They inform people on how the business is to be run and how day
to day operations are to be conducted. Laws and regulations created by government bodies are also
a type of administrative control because they inform the business. Some industry sectors have
policies, procedures, standards and guidelines that must be followed – the Payment Card Industry
(PCI) Data Security Standard required by Visa and MasterCard is such an example. Other
examples of administrative controls include the corporate security policy, password policy, hiring
policies, and disciplinary policies.
Administrative controls form the basis for the selection and implementation of logical and physical
controls. Logical and physical controls are manifestations of administrative controls.
Administrative controls are of paramount importance.

2.8.3 LOGICAL
Logical controls (also called technical controls) use software and data to monitor and control
access to information and computing systems. For example: passwords, network and host based
firewalls, network intrusion detection systems, access control lists, and data encryption are logical
controls.
An important logical control that is frequently overlooked is the principle of least privilege.
The principle of least privilege requires that an individual, program or system process is not
granted any more access privileges than are necessary to perform the task. A blatant example of the
failure to adhere to the principle of least privilege is logging into Windows as user Administrator to
read Email and surf the Web. Violations of this principle can also occur when an individual collects
additional access privileges over time. This happens when employees' job duties change, or they
are promoted to a new position, or they transfer to another department. The access privileges
required by their new duties are frequently added onto their already existing access privileges
which may no longer be necessary or appropriate.

2.8.4 PHYSICAL
Physical controls monitor and control the environment of the work place and computing facilities.
They also monitor and control access to and from such facilities. For example: doors, locks,
heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades,
fencing, security guards, cable locks, etc. Separating the network and workplace into functional
areas is also a physical control.

An important physical control that is frequently overlooked is the separation of duties. Separation
of duties ensures that an individual cannot complete a critical task by himself. For example: an
employee who submits a request for reimbursement should not also be able to authorize payment or
print the check. An applications programmer should not also be the server administrator or the
database administrator – these roles and responsibilities must be separated from one another.
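Least privilege (2.8.3) and separation of duties (2.8.4) are both enforced in practice by periodic access reviews. The Python example below is added here for illustration and is not code from the ATL module; its role definitions, conflicting-duty pairs and three user records are constructed. It reports privileges an account holds beyond what its current roles require (the accumulation problem described in 2.8.3) and accounts holding both sides of a conflicting pair (the reimbursement and programmer/administrator examples in 2.8.4).

```python
# Added example (not part of the ATL module): a periodic access review that
# checks least privilege (2.8.3) and separation of duties (2.8.4). Roles,
# conflicting-duty pairs and user records are constructed for illustration.

# What each role legitimately needs (the least-privilege baseline).
ROLE_PERMISSIONS = {
    "clerk":     {"expense.submit", "expense.view"},
    "approver":  {"expense.view", "expense.approve"},
    "treasury":  {"expense.view", "payment.print"},
    "developer": {"app.deploy", "app.read_logs"},
    "dba":       {"db.admin"},
    "sysadmin":  {"server.admin"},
}

# Pairs no single person may hold together (separation of duties).
CONFLICTING_DUTIES = [
    ("expense.submit", "expense.approve"),   # requester must not approve
    ("expense.approve", "payment.print"),    # approver must not print the check
    ("app.deploy", "server.admin"),          # programmer must not be server admin
    ("app.deploy", "db.admin"),              # programmer must not be database admin
]


def required_permissions(roles):
    """Union of what the account's current roles need."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def review_access(users):
    """users: {name: {"roles": [...], "granted": {...}}}, where 'granted' is
    what the account actually holds today.
    Returns [(user, finding, detail)] for every violation found."""
    findings = []
    for name in sorted(users):
        record = users[name]
        held = set(record["granted"])
        # Least privilege: anything held beyond the current roles is excess,
        # typically left over from an earlier job (the accumulation problem).
        for perm in sorted(held - required_permissions(record["roles"])):
            findings.append((name, "excess privilege", perm))
        # Separation of duties: both sides of a conflicting pair in one account.
        for a, b in CONFLICTING_DUTIES:
            if a in held and b in held:
                findings.append((name, "conflicting duties", f"{a} + {b}"))
    return findings


# Constructed sample: dana moved from clerk to approver and kept her old right;
# eli, a developer, was given server admin to fix an outage and still has it.
USERS = {
    "dana": {"roles": ["approver"],
             "granted": {"expense.view", "expense.approve", "expense.submit"}},
    "eli":  {"roles": ["developer"],
             "granted": {"app.deploy", "app.read_logs", "server.admin"}},
    "fay":  {"roles": ["treasury"],
             "granted": {"expense.view", "payment.print"}},
}

if __name__ == "__main__":
    for user, finding, detail in review_access(USERS):
        print(f"{user:6s} {finding:20s} {detail}")
```

The two checks are complementary: removing dana's leftover clerk right clears both her findings, but eli's conflict would remain even if "server.admin" were added to the developer role, because the pair itself is what the control forbids.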

2.9 NETWORK SECURITY AUDIT CASE STUDY


This is a case study of a Network Security Audit that ATL performed for a Payment Gateway
company. Some of the information has been changed or omitted to maintain confidentiality.
Background
The organization carries out much of its business online and felt that an independent view of their
internal and external network security was required and selected ATL Group to carry out both an
external penetration test to assess perimeter security, and an on-site network audit to assess internal
security.
Internal Audit
Three ATL consultants carried out the internal audit, with one of them nominated as the lead
auditor. This lead auditor liaised with the organization's Information Security Officer (ISO). The
purpose of the audit was to determine the actual technical setup and compare it to best practice.
The ISO, together with other staff with appropriate knowledge, were interviewed to gain an
understanding of the setup of the network, servers and LAN. This allowed an up-to-date network
diagram to be created. Copies of existing network diagrams and the security policy were also taken.
The lead auditor then assigned consultants to audit the configuration of firewalls, routers, web
servers, database servers and domain controllers, and to take samples of other workstations.
Antivirus, email, network topology and physical security were also areas that were examined.
Throughout the process, the staff responsible for each area being audited was interviewed further as
required.
Report
At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial
oral report of findings. The final output was a comprehensive, detailed report consisting of an
executive summary, a section for the external penetration test, a section for the internal network
audit, and a technical summary. The executive summary first specified that the security of the
network represented medium risk. Most elements of the network were configured securely, and the
recent introduction of a group security policy would reinforce and improve security awareness.
The executive summary also listed the following issues:
 The external security risk was low, although one of the firewall configurations would allow
outbound connections; if a server was vulnerable, an attacker could more easily
compromise it.
 Although external, email and server anti-virus was in place, the individual user
workstations were not protected. There was also no patching for workstations, so if a virus
or worm found its way onto the internal network it would spread unhindered.
 There was no intrusion detection system (IDS) in place; the external penetration test was
not noticed by the organisation, and since the organisation was dependent on online
business, ATL highly recommended the implementation of a monitored network IDS.
 A domain user password audit showed that many users had simple passwords. Although
the security policy gave guidance on choosing strong passwords, there was no mechanism
enforcing strong passwords.
 A number of internal SQL Server databases had blank administrator passwords and service
pack levels that were not up-to-date.
Further detail and recommendations were provided in the rest of the report. The external audit
section listed the external test results in detail, with a technical summary of issues and
recommendations, for which there were few. The internal audit section listed the areas audited
together with a diagram of the network topology. Good security practices were highlighted as were
areas where security could be improved:
 Antivirus protection
 Physical security
 Information security
 Wireless connectivity
 Database servers
 Firewall configurations
 DMZs
 Perimeter security

Finally, the report provided a summary of conclusions with issues listed in order of risk, with the
most critical first.
Presentation
The report was then agreed with the organization, and presented to them face to face to ensure that
the organization gained the most value from the audit and the report.
The organization then proceeded to prioritize and resolve the issues.
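One mechanism that addresses the password finding in the case study above, given here as an added example rather than anything from the audit or the organization's systems: a policy check run at password-change time, so that the guidance in the security policy is enforced instead of merely recommended. The length and character-class thresholds and the common-password list are assumed values for the example.

```python
"""Password policy enforcement at password-change time.

Added example, not part of the ATL module or the audited organisation's
systems. The rules and the common-password list are constructed; the
thresholds are assumptions, not values from the audit report.
"""
import re

MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123", "summer2016",
}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_failures(username, password):
    """Every rule the proposed password breaks; an empty list means accepted.

    A blank password short-circuits: it is the one finding that matters, and
    the audit found database administrator accounts with no password at all."""
    if password == "":
        return ["blank password"]
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes_present = [name for name, pattern in CHARACTER_CLASSES.items()
                       if pattern.search(password)]
    if len(classes_present) < MIN_CHARACTER_CLASSES:
        failures.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("in common-password list")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def accept_password(username, password):
    """Gate for a password-change handler: True only when no rule fails."""
    return not password_failures(username, password)


def demo():
    """Constructed change requests, in the shape a change handler would see."""
    requests = [("sa", ""), ("jsmith", "Password1"),
                ("jsmith", "Jsmith2016!Xy"), ("jsmith", "Tr0ub4dor&3-horse")]
    return {(user, pw): password_failures(user, pw) for user, pw in requests}


if __name__ == "__main__":
    for request, failures in demo().items():
        print(request[0], "accepted" if not failures else failures)
```

Returning every failed rule, rather than the first, lets the change handler tell the user exactly what to fix; the blank-password case is the exception because nothing else about an empty string is worth reporting.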

SUMMARY
The objective of a vulnerability assessment is to find the security holes in the computers and
elements analyzed; its intent is not to damage the infrastructure. A Vulnerability Analysis
provides an overview of the flaws that exist on the system. It is more of a passive process. In
Vulnerability Analysis you use software tools that analyze both network traffic and systems to
identify any exposures that increase vulnerability to attacks. It deals with potential risks and
identifies and quantifies the security vulnerabilities in a system. Vulnerability Analysis doesn't
provide validation of security vulnerabilities. Validation can only be done by penetration testing.
It works to improve security posture and develop a more mature, integrated security program.

Commonly Vulnerability Assessment goes through the following phases: Information Gathering,
Port Scanning, Enumeration, Threat Profiling & Risk Identification, Network Level Vulnerability
Scanning, Application Level Vulnerability Scanning, Mitigation Strategies Creation, Report
Generation, and Support.

EXERCISE
Q 1.Which of the following conditions on a user's computer might indicate the presence of a
computer virus?
I. Certain files of the user are no longer present on the disk.
II. The system no longer boots.
III. Annoying messages appear on the display, and then disappear.
a) I, II, and III
b) II and III only
c) I and II only
d) I and III only

Q 2.Which of the following is (are) true regarding computer security attacks?
I. Hackers can cause home computers to attack other computers.
II. Organizations typically experience more computer security breaches from internal
personnel than from people external to the organization.
a) I only
b) None
c) II only
d) I and II
Q 3.Which of the following is (are) true regarding a Smurf attack?
I. It can use the ping command to perform the attack.
II. It allows a hacker to steal data from a computer.
III. It uses other computers on a network to attack a single computer.
a) I and III only
b) I, II, and III
c) II and III only
d) I and II only
Q 4.The method of cracking a password by trying all possible alphanumeric combinations is
known as a _____ attack.
a) brute force
b) port scanning
c) dictionary
d) man-in-the-middle
Q 5.Computers can be attacked by programs that exhaust which of the following resources?
I. CPU cycles
II. Memory
III. Disk space
a) I and III only
b) I, II, and III
c) II and III only
d) I and II only
Q 6.What does a packet sniffer do?
a) Converts encrypted passwords to plain text
b) Renders a computer network unusable
c) Causes one computer to impersonate another
d) Captures data packets that are transmitted through a network
Q 7.Which of the following can be used to prevent packet sniffing attacks?
I. Data encryption
II. Well-chosen passwords
III. Limiting physical access to network connections
a) I and II only
b) I and III only
c) I, II, and III
d) I and III only
Q 8.Which of the following consequences of executing a virus on a PC is (are) possible?
I. Files appear to be missing or deleted from the hard disk.
II. Either the PC system board or a disk drive is physically damaged.
III. There is low computer memory on disks.
a) II and III only
b) I, II, and III
c) I only
d) I and III only

Q 9. Which of the following computer attack methods does not require a hardware or
software tool?
a) Spoofing
b) Port scanning
c) Social engineering
d) Packet sniffing
Q 10.Which of the following is (are) true regarding network connectivity attacks?
I. A network connectivity attack can be achieved by generating numerous half-open
connections to the target computer.
II. A network connectivity attack can be achieved by generating an excessive amount of traffic
on the target network.
a) None
b) II only
c) I only
d) I and II
Answers: 1) a, 2) d, 3) a, 4) a, 5) a, 6) d, 7) d, 8) d, 9) c, 10) d

UNIT 3
PENETRATION TESTING

3.1 INTRODUCTION AND METHODOLOGY


Penetration testing is the process of attempting to gain access to resources without knowledge of
usernames, passwords and other normal means of access. If the focus is on computer resources,
then examples of a successful penetration would be obtaining or subverting confidential
documents, pricelists, databases and other protected information. Near-flawless penetration testing
is a requirement for highly rated secure systems.
Penetration testing is a form of stress testing which exposes weaknesses. The main thing that
separates a penetration tester from an attacker is permission. The penetration tester will have
permission from the owner of the computing resources that are being tested and will be responsible
for providing a report. The goal of a penetration test is to increase the security of the computing
resources being tested. In many cases, a penetration tester will be given user-level access and in
those cases, the goal would be to elevate the status of the account or use other means to gain
access to additional information that a user of that level should not have access to. Some
penetration testers are contracted to find one hole, but in many cases, they are expected to keep
looking past the first hole so that additional vulnerabilities can be identified and fixed. It is
important for the pen-tester to keep detailed notes about how the tests were done so that the results
can be verified and so that any issues that were uncovered can be resolved. It's important to
understand that it is very unlikely that a pen-tester will find all the security issues. As an example,
if a penetration test was done yesterday, the organization may pass the test.

3.1.1 PENETRATION TEST


Much of the confusion surrounding penetration testing stems from the fact it is a relatively recent
and rapidly evolving field. Additionally, many organizations will have their own internal
terminology (one man's penetration test is another's vulnerability audit or technical risk
assessment).
At its simplest, a penetration test (actually, we prefer the term security assessment) is the process
of actively evaluating your information security measures. Note the emphasis on "active
assessment"; the information systems will be tested to find any security issues, as opposed to a
solely theoretical or paper-based audit. The results of the assessment will then be documented in a
report, which should be presented at a debriefing session, where questions can be answered and
corrective strategies can be freely discussed.

3.1.2 WHY CONDUCT A PENETRATION TEST?
From a business perspective, penetration testing helps safeguard your organization against failure,
through:
 Preventing financial loss through fraud (hackers, extortionists and disgruntled employees)
or through lost revenue due to unreliable business systems and processes.
 Proving due diligence and compliance to your industry regulators, customers and
shareholders. Non-compliance can result in your organization losing business, receiving
heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the
loss of your job, prosecution and sometimes even imprisonment.
 Protecting your brand by avoiding loss of consumer confidence and business reputation.
From an operational perspective, penetration testing helps shape information security strategy
through Identifying vulnerabilities and quantifying their impact and likelihood so that they can be
managed proactively; budget can be allocated and corrective measures implemented.
Scope of Evaluation
There are several types of penetration tests that will, depending upon the circumstances, affect the
scope of the evaluation, methodology adopted and assurance levels of the audit. The individual
(appropriate IT management) responsible for safeguarding the organization should evaluate various
alternatives, selecting that which provides the maximum level of assurance with the least disruption
acceptable to the organization (cost/risk analysis). There should be agreement on the type of
penetration testing to be carried out: intrusive or non-intrusive.

3.1.3 EXTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENT

Internet

The purpose of Internet testing is to compromise the target network. The methodology needed to
perform this test allows for a systematic checking for known vulnerabilities and pursuit of potential
security risks. The methodology ordinarily employed includes the processes of:

 Information gathering (reconnaissance)
 Network enumeration
 Vulnerability analysis
 Exploitation
 Results analysis and reporting

These processes are ordinarily followed in this order and should provide a detailed and exact method
of execution. In addition, the intricacies of new vulnerabilities and methods of exploitation require
detailed study with a history of information to draw upon.
Dial-in: War dialing is the systematic calling of each number in the target range in search of
listening modems. Once all listening modems are identified, brute force default password attempts
or strategic guessing attempts are made on the username/password challenge (sometimes only
passwords are necessary) to gain unauthorized access. Access to the login screen banner is crucial
to accessing any system. Some systems require only a password, which can be a vendor-provided
default password or just hitting "enter". At times of poor configuration, even a login banner does
not appear and access is granted directly devoid of any authentication mechanism.

3.1.4 INTERNAL PENETRATION TESTING


Goal:
The goal of internal penetration testing is to ascertain vulnerabilities inside the network perimeter.
The testing performed closely parallels that which an internal IS auditor will be assigned to audit,
given the size, complexity and financial resources devoted to risk associated with lack of security
concerns. The overall objective is to identify potential vulnerabilities within the internal network
and weaknesses in controls in place to prevent and/or detect their exploitation by a
hacker/malicious employee/contractor who may obtain unauthorized access to information
resources or cause system disruption or a system outage.
The first phase relates to information gathering, which is comprised of public information search,
googling, obtaining maximum information about business, employees, etc., thereby profiling the
target. For instance this phase may result in obtaining resumes/CVs of employees which may be
useful in understanding technologies employed at the attack site. The first testing goal is to
ascertain the internal network topology or footprint that provides a map of the critical access
paths/points and devices including their Internet protocol (IP) address ranges. This is the network
discovery stage. Once critical points/devices are identified within the network, the next step is to
attack those devices given the various types of known vulnerabilities within the system and
operating software running on the devices (e.g., UNIX, NT, Apache, Netscape and IIS). This
comprises the vulnerability analysis phase. Exploitation and notification is the third and final
phase.

3.1.5 BENEFITS OF PENETRATION TESTING


 Identify any potential security vulnerabilities in an organization's current infrastructure and
develop plans to mitigate these weaknesses.
 Determine the degree of exposure to external and internal attacks.
 Provide evidence that verifies the possibility of exploiting the vulnerabilities found.
 Determine the probability that an attacker could compromise the system with access to
computers connected to your company's network.
 Assess the defense systems such as Intrusion Detection System (IDS), firewall etc and
check if they are working properly.
 Third-party audits that meet government and industry compliance standards.
 An accurate and up-to-date vulnerability knowledge base.
 A comprehensive and easy-to-use report for management as well as the technical team.
 Closing all windows of opportunity for intruders.

3.2 TYPES OF PENETRATION TESTS
Testing is about variation—finding the things in the software and its environment that can be
varied, varying them, and seeing how the software responds. The goal is to ensure that the software
performs reliably and securely under reasonable and even unreasonable production scenarios. So
the most fundamental planning a tester can do is to understand what can be varied and what ways
that variation needs to be staged for testing. From a security standpoint, the environment, user
input, and internal data and logic are the primary places where such variation can reveal security
issues. The environment consists of the files, applications, system resources, and other local or
network resources used by the application. Any of these could be the entry point of attack. User
input is the data that originates with external (usually untrusted) entities that is parsed and used by
the software. Internal data and logic are the internally stored variables and logic paths, which have
any number of potential enumerations. By varying the information in the software's environment,
input domain and data/logic paths, you can perform attacks.
Environment Attacks
Software does not execute in isolation. It relies on any number of binaries and code-equivalent
modules, such as scripts and plug-ins. It may also use configuration information from the registry
or file system as well as databases and services that may reside anywhere. Each of these
environmental interactions may be the source of a security breach and therefore must be tested.
There are also a number of important questions you must ask about the degree of trust that your
application has in these interactions, including the following: How much does the application trust
its local environment and remote resources? Does the application put sensitive information in a
resource (for instance, the registry) that can be read by other applications? Does it trust every file
or library it loads without verifying the contents? Can an attacker exploit this trust to force the
application to do his bidding? In addition to the trust questions, penetration testers should watch for
DLLs that might be faulty or have been replaced (or modified) by an attacker, binaries, or files with
which the application interacts that are not fully protected by access control lists (ACLs) or are
otherwise unprotected. Testers must also be on the lookout for other applications that access shared
memory resources or store sensitive data in the registry or in temporary files. Finally, testers must
consider factors that create system stress, such as a slow network, low memory, and so forth, and
determine the impact of these factors on security features. Environment attacks are often conducted
by rigging an insecure environment and then executing the application within that environment to
see how it responds. This is an indirect form of testing; the attacks are waged against the
environment in which the application is operating. Now let's look at direct testing.
Input Attacks
In penetration testing, the subsets of inputs that come from untrusted sources are the most
important. These include communication paths such as network protocols and sockets, exposed
remote functionality such as DCOM, remote procedure calls (RPCs) and Web services, data files
(binary or text), temporary files created during execution, and control files such as scripts and
XML, all of which are subject to tampering. Finally, UI controls allowing direct user input,
including logon screens, Web front ends, and the like, must also be checked. Specifically, you want
to determine whether input is properly controlled: are good inputs allowed in and bad ones (such as
long strings, malformed packets, and so forth) kept out? Suitable input checking and file parsing
are critical.
You'll need to test to see whether dangerous input can be entered into UI controls, and find out
what happens when it is. This includes special characters, encoded input, script fragments, format
strings, escape sequences, and so forth. You'll need to determine whether long strings that are
embedded in packet fields or in files and are capable of causing memory overflow will get
through. Corrupt packets in protocol streams are also a concern. You must watch for crashes and
hangs and check the stack for exploitable memory corruption. Finally, you must ensure that such
things as validation and error messages happen in the right place (client-side rather than server
side) as a proper defense against bad input. Input attacks really are like lobbing grenades against an
application. Some of them will be properly parried and some will cause the software to explode. It's
up to the penetration team to determine which are which and initiate appropriate fixes.
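As an added example (not from the original text), here is the kind of input gate the paragraph calls for, in Python: a username field is bounded in length before anything else, percent-decoded twice so that encoded and double-encoded input is judged on what the application would actually see, and then refused if it carries control or escape characters, format-string specifiers or script fragments, or falls outside an allowlist. The field limits and the sample inputs are constructed; the checks run on the server, where a client cannot skip them.

```python
"""Server-side input validation for a logon-form field.

Added example, not code from the ATL module. The field rules, limits and
sample inputs are constructed; real applications tune them per field.
"""
import re
from urllib.parse import unquote

MAX_RAW_LENGTH = 64                       # bound checked before anything else
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9._-]{1,32}")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")           # covers ESC sequences
FORMAT_SPECIFIER = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def canonicalize(raw):
    """Undo percent-encoding twice so double-encoded input cannot slip a
    forbidden character past the checks that follow."""
    value = raw
    for _ in range(2):
        value = unquote(value)
    return value


def validate_username(raw):
    """Return (accepted, reason); reason is '' when the input is accepted.

    Checks run from cheapest to most specific: length on the raw input (the
    overflow case), then decoded-content checks, then the allowlist."""
    if len(raw) > MAX_RAW_LENGTH:
        return False, "too long"
    value = canonicalize(raw)
    if CONTROL_CHARS.search(value):
        return False, "control or escape character"
    if FORMAT_SPECIFIER.search(value):
        return False, "format-string specifier"
    lowered = value.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script fragment"
    if not USERNAME_ALLOWLIST.fullmatch(value):
        return False, "outside allowed character set"
    return True, ""


# Constructed sample inputs: one good value and one of each bad class.
SAMPLE_INPUTS = [
    "alice_01",
    "A" * 65,
    "bob%2525n",             # double-encoded %n
    "%3Cscript%3Ealert(1)",  # encoded <script>
    "eve\x1b[2J",            # terminal escape sequence
    "carol;drop",
]


def run_samples():
    """Validate every sample and return {input: (accepted, reason)}."""
    return {raw: validate_username(raw) for raw in SAMPLE_INPUTS}


if __name__ == "__main__":
    for raw, (accepted, reason) in run_samples().items():
        print(repr(raw[:20]), "accepted" if accepted else reason)
```

The allowlist alone would reject most of the bad samples; the earlier, more specific checks exist so that the rejection reason names the class of attack, which is what a tester needs when deciding whether a field's handling is adequate.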
Data and Logic Attacks
Some faults are embedded in an application's internal data storage mechanisms and algorithm
logic. In such cases, there tend to be design and coding errors where the developer either assumed
a benevolent user or failed to consider some code paths where a user might tread.
Denial of service is the primary example of this category but certainly not the most dangerous.
Denial of service attacks can be successful when developers have failed to plan for a large number
of users (or connections, files, or whatever inputs cause some resource to be taxed to its limit).
However, there are far more insidious logical defects that need to be tested. For example,
information disclosure can happen when inputs that drive error messages and other generated
outputs reveal exploitable information to an attacker. One practical example of such data that you
should always remove is any hardcoded test accounts or test APIs (which are often included in
internal builds to aid test automation). These can provide easy access to an attacker. Two more
tests you should run are to input false credentials to determine if the internal authorization
mechanisms are robust, and choose inputs that vary the code paths. Often one code path is secure
but the same functionality can be accessed in a different way, which could inadvertently bypass
some crucial check.
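Two of the defects this section names, shown side by side as an added example that is not part of the original module: a second code path that reaches the same data without the authorization check, and a hard-coded test account left in the login routine. Users, reports and credentials are constructed. The hardened forms route every path through one gateway and consult only the credential store.

```python
"""Authorization that holds on every code path, and no hard-coded test account.

Added example, not code from the ATL module. Users, reports and credentials
are constructed for illustration.
"""
import hashlib
import hmac


class Forbidden(Exception):
    """Raised when a caller is not allowed to reach a report."""


# Constructed data store.
USERS = {"alice": "analyst", "bob": "analyst", "root": "admin"}
REPORTS = {"q1-sales": {"owner": "alice", "body": "Q1 figures"}}


def is_authorized(user, report_id):
    """Owners and admins may read a report; everyone else may not."""
    return USERS.get(user) == "admin" or REPORTS[report_id]["owner"] == user


# --- Vulnerable shape: each entry point does (or forgets) its own check ---
def view_report_vulnerable(user, report_id):
    if not is_authorized(user, report_id):
        raise Forbidden(user)
    return REPORTS[report_id]["body"]


def export_report_vulnerable(user, report_id):
    # A later feature reaching the same data; the check was never copied over.
    return "csv," + REPORTS[report_id]["body"]


# --- Hardened shape: one gateway, every path goes through it ---
def fetch_report(user, report_id):
    if not is_authorized(user, report_id):
        raise Forbidden(user)
    return REPORTS[report_id]["body"]


def view_report(user, report_id):
    return fetch_report(user, report_id)


def export_report(user, report_id):
    return "csv," + fetch_report(user, report_id)


def path_reachable(entry_point, user, report_id):
    """Test helper: does this code path hand the data to this user?"""
    try:
        entry_point(user, report_id)
        return True
    except Forbidden:
        return False


# --- Hard-coded test account vs. store-only authentication ---
def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


SALT = b"constructed-salt"                      # constructed, per-example value
CREDENTIALS = {"alice": (SALT, _hash("correct horse", SALT))}
TEST_ACCOUNT = ("qa_test", "test123")           # the kind of leftover to remove


def login(username, password):
    """Accepts only what the credential store says, compared in constant time."""
    entry = CREDENTIALS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash(password, salt))


def login_vulnerable(username, password):
    if (username, password) == TEST_ACCOUNT:    # internal-build shortcut left in
        return True
    return login(username, password)


if __name__ == "__main__":
    print("export path open to bob:", path_reachable(export_report_vulnerable, "bob", "q1-sales"))
    print("hardened export open to bob:", path_reachable(export_report, "bob", "q1-sales"))
    print("test account accepted:", login_vulnerable(*TEST_ACCOUNT), login(*TEST_ACCOUNT))
```

`path_reachable` is the "vary the code paths" test from the text in miniature: the same user and the same report are pushed through each entry point, and any path that returns data where another raises `Forbidden` is the inconsistency to fix.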
Don't Be Deterred
Penetration testing is very different from traditional functional testing; not only do penetration
testers lack appropriate documentation, but they also must be able to think like users who intend to
do harm. This point is very important—developers often operate under the assumption that no
reasonable user would execute a particular scenario, and therefore decline a bug fix. But you really
can't take chances like that. Hackers will go to great lengths to find vulnerabilities and no trick,
cheat, or off-the-wall test case is out of bounds. The same must be true for penetration testers as
well.

3.3 METHODOLOGY
Penetration testing consists of four phases:

Figure: Four-stage penetration testing methodology
In the planning phase, rules are identified, management approval is finalized, and the testing goals
are set. The planning phase sets the groundwork for a successful penetration test. No actual testing
occurs in the planning phase. The discovery phase starts the actual testing. Network scanning (port
scanning) is used to identify potential targets. The second part of the discovery phase is
vulnerability analysis. During this phase, services, applications, and operating systems of scanned
hosts are compared against vulnerability databases (for vulnerability scanners this process is
automatic). Generally human testers use their own database or public databases to identify
vulnerabilities manually. This manual process is better for identifying new or obscure
vulnerabilities, but is much slower than an automated scanner. Executing an attack is at the heart
of any penetration test. This is where previously identified potential vulnerabilities are verified by
attempting to exploit them. If an attack is successful, the vulnerability is verified and safeguards are
identified to mitigate the associated security exposure. Frequently, exploits that are executed during
attack execution do not grant the maximum level of access that can be gained by an attacker.
Instead they may result in the testing team learning more about the targeted network and its
potential vulnerabilities, or they may induce a change in the state of the security of the targeted
network. In that case, additional analysis and testing is required to determine the true level of risk for
the network. This is represented in the feedback loop in the figure between the Attack and Discovery
phases of a penetration test.

Figure: Sequence of Phases


Penetration test methodology includes three types:
 A zero-knowledge test
 A full-knowledge test
 A partial-knowledge test
With our zero-knowledge attack, the Penetration Test Team has no real information about the
target environment. This type of test is obviously designed to provide the most realistic penetration
test possible.
In our partial knowledge test, the client organization provides the test team with the type of
information a motivated attacker is likely to find, and hence, saves time and expense. Our partial
knowledge test approach is used if there is a specific kind of attack or specific targeted host that the
client organization wants to have the penetration test team focus on. To conduct a partial
knowledge test, the test team is provided with such documents as policy and network topology
documents, asset inventory, and other valuable information. Our last type of approach for
penetration testing is a full-knowledge attack, whereby the penetration test team has as much
information about the client environment as possible. This approach is designed to simulate an
attacker who has intimate knowledge of the target organization's systems, such as an actual
employee. The above strategies are conducted both on the Application as well as the Network.
The steps involved in Application and Network VAPT are as follows:
1. Application Penetration Test Methodology
 Information Gathering
 Configuration Testing
 Business Logic Testing
 Authentication Testing
 Authorization Testing
 Client-side Attacks
 Data Validation Testing
 Session Management Testing
 Denial of Service Testing
 Web Services Testing
 AJAX Testing

2. Network Penetration Testing Methodology
 Reconnaissance
 Vulnerability Assessment
 Network Links and Protocol Vulnerability Testing
 Multiple Attack Vector Analysis
 Exploitation
 Scenario Modeling Analysis
 Root Cause Analysis
 Risk Calculation

3.4 PENETRATION TESTING APPROACH
Develop a penetration test plan
Establishing the test ground rules is a particularly important part of penetration analysis. The rules
are captured in the penetration test plan, which defines the test objective, the product configuration,
the test environment, test resources, and schedule.
It is important that penetration testing use ethical evaluators who are not antagonistic toward the
vendor, to encourage cooperation, to protect proprietary information and vendor investment, and
ultimately to yield an improved security product. Test results and flaws discovered during
penetration testing must be kept strictly proprietary and not be made public by the test team.
Establish testing goal
There can be many goals for penetration testing, including security assurance, system design
research and systems training. The analysis is successfully concluded when:

 A defined number of flaws are found,
 A set level of penetration time has transpired,
 A dummy target object is accessed by unauthorized means,
 The security policy is violated sufficiently and bypassed, or
 The money and resources are exhausted.
Most often the last criterion ends the penetration test, after a defined level of effort is expended.
For some systems, multiple independent penetration teams are used to provide different
perspectives and increased confidence in the flawlessness of the product if few flaws are found. As
a holistic assurance technology, penetration testing is best used to explore the broad capabilities of
the object system for flaws rather than to create a gaming situation between the vendor and the
penetration team of trying to acquire an identified protected object by unauthorized means.
Therefore, much of penetration testing focuses on the design, implementation, and operational
integrity of the security perimeter, the control of the boundary crossings of this critical security
interface.
Define the object system to be tested.
A system intended for evaluation is delivered with a collection of material and documentation that
supports the security claim, including a security policy model, a descriptive top-level specification
and a formal top-level specification. All the source and object code, the design and test documentation,
and the security evidence must be under configuration management control. This controlled
collection of security material will be referred to as the security "evidence," and defines the
security system to be penetration tested. Not all the evidence will be complete if the penetration
testing is performed by the vendor during the development phase. The evidence must be frozen and
remain unmodified during the penetration testing period to avoid testing a moving target.

Posture the penetrator
When an actual test is required to confirm a flaw, a host of test conditions must be established,
which derive directly from the test objectives and the test environment defined in the plan. In open-
box testing we assume the penetrator can exploit internal flaws within the security kernel and work
backward to find flaws in the security perimeter that may allow access to the internal flaws.
In the case of a general-purpose system such as UNIX, open-box testing is the most appropriate
posture. For special-purpose systems which prohibit user code (for example, where code is in
ROM), closed-box penetration testing by methods external to the product is analogous to electrical
engineering "black-box" testing. In closed-box testing the penetrator is clearly seeking flaws in the
security perimeter and exploiting flaws in the interface control document (ICD) specifications.
Open-box testing of the NTCB is still a test requirement to determine the vulnerability of the
network to Trojan horse or viral attacks.
Fix penetration analysis resources.
Penetration analysis is an open-ended, labor-intensive methodology seeking flaws without limit.
The testing must be bound in some manner, usually by limiting labor hours. Small teams of about
four people are most productive. Interestingly, penetration testing is destructive testing. It is
intense, detailed work that burns out team members if frequent rotation of the evaluators is not
practiced.
The procedure for penetration testing should follow the steps described below.
1. Research information about the target system. Computers that can be accessed over the
internet must have an official IP address. Freely accessible databases provide information
about the IP address blocks assigned to an organization.
2. Scan target systems for services on offer. An attempt is made to conduct a port scan of the
computer(s) being tested, open ports being indicative of the applications assigned to them.
3. Identify systems and applications. The names and versions of operating systems and
applications in the target systems can be identified by "fingerprinting".
4. Research vulnerabilities. Information about vulnerabilities of specific operating systems
and applications can be researched efficiently using the information gathered.
5. Exploit vulnerabilities. Detected vulnerabilities can be used to obtain unauthorized
access to the system or to prepare further attacks.
The quality and value of a penetration test depends primarily on the extent to which the test caters
to the client's particular situation, i.e. how much of the tester's time and resources are spent on
detecting vulnerabilities related to the IT infrastructure and how creative the tester's approach is.
This process cannot be covered in the general description above, which is why there are
huge differences in the quality of penetration testing as a service.
3.5 PENETRATION TESTING VS VULNERABILITY ASSESSMENT
There is often some confusion between penetration testing and vulnerability assessment. The two
terms are related but penetration testing has more of an emphasis on gaining as much access as
possible while vulnerability assessment places the emphasis on identifying areas that are vulnerable
to the attack. An automated vulnerability scanner will often identify possible vulnerabilities based
on service banners or other network responses that are not in fact what they seem.
A vulnerability assessor will stop just before compromising a system, whereas a penetration tester
will go as far as they can within the scope of the contract. It is important to keep in mind that you
are dealing with a test. A penetration test is like any other test in the sense that it is a sampling of
all possible systems and configurations. Unless the contractor is hired to test only a single system,
they will be unable to identify and penetrate all possible systems using all possible vulnerabilities.
As such, any penetration test is a sampling of the environment. Furthermore, most testers will go
after the easiest targets first. Vulnerability assessment searches and checks the infrastructure to
detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the
damage that could result from the vulnerabilities. VA is executed by automated tools, whereas
penetration testing is a totally manual process. VA is executed by commercial tools, whereas
penetration testing is executed by public processes.
3.6 HOW VULNERABILITIES ARE IDENTIFIED
Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner.
The steps are similar for the security tester and an unauthorized attacker. The attacker may choose
to proceed more slowly to avoid detection, but some penetration testers will also start slowly so
that the target company can learn where their detection threshold is and make improvements. The
first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the
tester attempts to learn as much as possible about the target network. This normally
starts with identifying publicly accessible services such as mail and web servers from their service
banners. Many servers will report the operating system they are running on, the version of
software they are running, patches and modules that have been enabled, the current time, and
perhaps even some internal information like an internal server name or IP address. Once the tester
has an idea what software might be running on the target computers, that information needs to be
verified. The tester really doesn't KNOW what is running, but he may have a pretty good idea. The
information that the tester has can be combined and then compared with known vulnerabilities, and
then those vulnerabilities can be tested to see if the results support or contradict the prior
information. In a stealthy penetration test, these first steps may be repeated for some time before
the tester decides to launch a specific attack. In the case of a strict vulnerability assessment, the
attack may never be launched, so the owners of the target computer would never really know if this
was an exploitable vulnerability or not. Vulnerability is also a concept that links the relationship that
people have with their environment to social forces and institutions and the cultural values that
sustain and contest them.
“The concept of vulnerability expresses the multidimensionality of disasters by focusing
attention on the totality of relationships in a given social situation which constitute a condition
that, in combination with environmental forces, produces a disaster.”
It's also the extent to which changes could harm a system. In other words, it's the extent to which a
community can be affected by the impact of a hazard.
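The banner-based identification described in 3.5 and 3.6, as an added example that is not part of the module: a guessed product and version is compared with a known-vulnerability table, and each finding stays "unverified" until a follow-up check supports or contradicts the banner. The target names, banners, the vulnerability table and its placeholder issue identifiers are all constructed.

```python
"""Banner-based identification compared against a known-vulnerability list, as
described in 3.5 and 3.6: a banner is a hypothesis about what is running, so
every finding carries a verification status until a follow-up check supports or
contradicts it.

Added example, not code from the module. Targets, banners, the vulnerability
table and its issue identifiers are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed banners of the kind reconnaissance collects from public services.
SAMPLE_BANNERS = {
    "mail.example.test:25": "220 mail.example.test ESMTP Postfix (Ubuntu)",
    "www.example.test:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\n",
    "files.example.test:22": "SSH-2.0-OpenSSH_5.3",
    "app.example.test:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n",
}

# Constructed table: (product, first version without the issue, placeholder id).
# A real scanner holds thousands of entries keyed by CVE; these ids are not real.
KNOWN_ISSUES = [
    ("Apache", "2.2.34", "PLACEHOLDER-ISSUE-1"),
    ("OpenSSH", "7.0", "PLACEHOLDER-ISSUE-2"),
]

# Product and version extracted from the banner formats used above.
BANNER_PATTERNS = [
    (re.compile(r"Server:\s*Apache/(\d+(?:\.\d+)*)"), "Apache"),
    (re.compile(r"SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
    (re.compile(r"ESMTP Postfix"), "Postfix"),   # this banner carries no version
]


@dataclass
class Finding:
    target: str
    product: str
    version: str
    issue: str
    status: str = "unverified"   # banner evidence only until verify() runs


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def identify(banner: str) -> Optional[Tuple[str, Optional[str]]]:
    """Guess (product, version) from a banner; version is None when absent."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, (m.group(1) if m.groups() else None)
    return None


def match_known_issues(target: str, product: str,
                       version: Optional[str]) -> List[Finding]:
    """Compare the guessed version with the table. A version older than the fix
    is only a candidate: vendors backport fixes without changing the banner,
    which is the classic source of banner-based false positives."""
    if version is None:
        return []
    return [Finding(target, product, version, issue)
            for prod, fixed_in, issue in KNOWN_ISSUES
            if prod == product and parse_version(version) < parse_version(fixed_in)]


def scan(banners: dict) -> List[Finding]:
    findings: List[Finding] = []
    for target, banner in banners.items():
        ident = identify(banner)
        if ident:
            findings.extend(match_known_issues(target, *ident))
    return findings


def verify(finding: Finding, probe_result: Optional[bool]) -> str:
    """Update the status from a follow-up check: True supports the banner,
    False contradicts it, None means no check was run (a strict vulnerability
    assessment stops here, so the owner never learns which it was)."""
    finding.status = {True: "confirmed", False: "contradicted",
                      None: "unverified"}[probe_result]
    return finding.status
```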
3.7 A SAMPLE PENETRATION TESTING REPORT
A draft penetration testing report is shown below to illustrate the testing.
Figure: Sample Report
ATTENTION: This document contains information that is confidential and privileged. The
information is intended for the private use. By accepting this document you agree to keep the
contents in confidence and not copy, disclose, or distribute this without written request to and
written confirmation. If you are not the intended recipient, be aware that any disclosure, copying,
or distribution of the contents of this document is prohibited.
3.8 SECURITY SERVICES
Security services fall into one of three categories
Table: Categories of Security Services
The security services life cycle applies to any security service regardless of the category into which
it falls and could even apply to an entire IT security category. As managers determine which IT
security services need to be implemented, assessed, or discontinued, they should consider the
impact on other IT security services. Selecting the most appropriate services, service mix, and
service level is a complex decision, as is deciding who should provide the needed service. Much of
the complexity of this decision stems from the wide range of arrangements from which an
organization may choose, though organizational, personnel and other issues
A broad range of possible service arrangements exists. An organization may select its internal
employees and teams to provide the service required, or it may choose to fully export the service to
an external service provider. This external service provider could be any organization because this
term does not intend to refer to only an external commercial service provider. For example, an
organization may choose to employ an external group from a subsidiary organization, a business
unit, or a commercial service provider.
3.9 SECURITY SERVICES MANAGEMENT TOOLS
Overview of Metrics
Metrics are a management tool that facilitates decision-making and accountability through practical
and relevant data collection, data analysis, and performance data reporting. The importance of a
metrics program is discussed in NIST SP 800-55, Security Metrics Guide for Information
Technology Systems. A full and complete discussion of computer security metrics is beyond the
scope of this document; however, IT security service managers should understand what metrics are
and when they should be used.
For example, a metric for a management service, such as a training and awareness program, might
be the percentage of new employees who receive IT security training within their first 30 days on
the job. Gathering this data repeatedly, over time, will allow managers to assess how well the
current training service provider performs its task today, to set targets for the service provider in
the future, and then to assess how well it met the desired target. The metrics process is discussed
further.
Overview of Service Agreements
A service agreement serves as the agreement between the service provider and the organization
requesting the service. As service arrangements become more complex and employ commercial
service providers, the formality of the agreement should increase. A fully externalized service
arrangement with a commercial entity, for example, will require a formal contract so that managers
can hold service providers accountable for their actions. A fully internal service arrangement may
require a less formal agreement, perhaps an agreed-on reporting process or an MOA. Regardless of
the arrangement, all parties should be aware of their roles and responsibilities. Section 4.4.1
discusses the importance of service agreements.
Overview of IT Security Services Issues
Implementing a security service and service arrangement can be complex. Each security service has
its own costs and risks associated with it, as does each service arrangement. Making a decision
based on one issue can have major implications for the organization in other areas. The decision
makers will have to balance near-term cost/value with potential long-term risks associated with
new vulnerabilities, attrition, potential loss of employee productivity/morale and internal functional
skills, and other impacts.
Figure: IT Security Service Issue Categories
3.10 FIREWALL
3.10.1 INTRODUCTION
"A technological barrier designed to prevent unauthorized or unwanted communications
between sections of a computer network."
A firewall is a part of a computer system or network that is designed to block unauthorized access
while permitting authorized communications. It is a device or set of devices which is configured to
permit or deny computer-based application traffic based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls
are frequently used to prevent unauthorized Internet users from accessing private networks
connected to the Internet, especially intranets. All messages entering or leaving the intranet pass
through the firewall, which examines each message and blocks those that do not meet the
specified security criteria.
Basically, a firewall, working closely with a router program, examines each network packet
to determine whether to forward it toward its destination. A firewall also includes or works
with a proxy server that makes network requests on behalf of workstation users. A firewall is
often installed in a specially designated computer separate from the rest of the network
so that no incoming request can get directly at private network resources.
A number of companies make firewall products. Features include logging and reporting, automatic
alarms at given thresholds of attack, and a graphical user interface for controlling the firewall.
Computer security borrows this term from firefighting, where it originated. In firefighting, a
firewall is a barrier established to prevent the spread of fire.
3.10.2 RULES
Assumption: A stateful firewall will be used to protect an entire VLAN, and firewall logs will
be reviewed on a regular basis to identify security issues and configuration adjustments. It is
further assumed that the campus unit's system administrator has scanned the VLAN to identify
existing services that need to be considered during firewall configuration and that require firewall
rules in excess of the base rules stated below.
General Firewall Policy: Deny all inbound traffic unless explicitly authorized; traffic from
internal VLAN users is generally unrestricted. All deny rules are logged.

Suggested Base Rules
• Deny all inbound traffic with network addresses matching internal VLAN addresses – Inbound
traffic should not originate from network addresses matching internal VLAN addresses.
• Normalize all inbound and outbound traffic (e.g., scrub in all) – This rule will ensure inbound and
outbound traffic is defragmented.
• Allow ICMP packets (ICMPTYPE 3, 8, 11) from any external address – This rule permits
acceptance of network maintenance traffic (Destination Unreachable, Echo and Time Exceeded)
from any external address. The rule could be abused by sending the VLAN excessive amounts of
ICMP traffic. Under such circumstances, more restrictive controls should be considered. Further
isolation could be achieved by limiting this traffic to only campus network addresses (note - add IP
range). Alternatively, some firewall implementations allow for throttling of ICMP traffic, which is
an effective way of allowing ICMP control communication but discouraging excessive use of
ICMP. Throttling traffic levels may be preferable to defining specific firewall rules for ICMP
functions.
• Allow RIP UDP traffic from router to VLAN hosts – This rule should only be used if the
department has hosts that require default route advertisements.
Suggested Optional Rules
The following rules are offered as a guide and should only be considered if you offer the particular
services on the protected VLAN. Management and support staff must evaluate the use of following
firewall rules and determine whether the rule imposes a serious risk to the security of the protected
resources behind the firewall.
Additional security measures must be used for resources shared through the firewall to
ensure only authorized access and use. Additional security measures include account management,
regular operating system and application maintenance, removal of unnecessary services/processes,
access control measures and activation/inspection of event logs (Reference: SANS Step-by-Step
Guides).
• Allow Web traffic (TCP 80/443) from any external address to internal web server – Permit
access to the specific IP address(es) of internal web servers via HTTP and HTTPS.
Additional security measures must be considered for web servers as many security exploits
use TCP port 80.
• Allow traffic (TCP 21) to internal FTP server – If FTP services are provided to external
users, this rule permits access to the FTP server. As a reminder, when using FTP services,
user account and password information is transmitted in clear text. Use of passive FTP
(PASV) will negotiate a random data port versus use of TCP port 20.
• Allow traffic (TCP 22) to internal SSH/SFTP server – Use of encrypted SSH is preferred
over insecure FTP/Telnet services. This rule permits use of SSH to access internal SSH
hosts.
• Allow traffic (TCP 25) to internal SMTP server – Permit external SMTP users and servers
access to the internal SMTP mail server. This rule presumes your campus unit is operating an
SMTP server.
• Allow DNS (UDP 53) to internal DNS server – If the unit runs internal DNS servers this
rule is recommended. The rule is needed if a Windows Active Directory server is hosted on
the internal network. You must permit TCP 53 for zone transfer capability; however, this
permission should not be applied by default.
• Allow traffic (UDP 67/68) for client access to DHCP server – This rule permits DHCP
clients to negotiate a lease with the DHCP server.
• Allow traffic (TCP 110) to internal POP server – Permit external POP users access to the
internal POP server. This rule presumes your campus unit is operating a POP server. It is
strongly recommended that POP authentication traffic be conducted over a secure
transport, such as TLS/SSL (TCP 995).
• Allow NTP traffic (TCP 123) to specific internal host address(es) – This rule permits
time synchronization and may be needed by selected internal hosts. This rule is required to
support external client authentication to the internal Active Directory services.
• Allow traffic (TCP 143) to internal IMAP server – This rule permits external IMAP clients
to access the internal IMAP server. It is strongly recommended that IMAP authentication
traffic be conducted over a secure transport, such as TLS/SSL (TCP 993).
• Allow inbound traffic (TCP 515 from 169.237.104.59 and 169.237.104.65) for BANNER
spooler/printing to specific internal printer address – This rule will permit transcript
printing.
• Allow inbound traffic (TCP 515 from 128.48.175.6) for PPS spooler/printing to specific
internal network printer address – This rule will permit printing Payroll/Personnel reports.
If you use Remote Printer Manager (PC) or Intersolv (Mac) for PPS printing to a non-network
printer, the firewall rule must permit TCP 515 traffic to the host with the directly
connected printer.
• Allow access to internal MeetingMaker Server (TCP 2001, UDP 2000, UDP 417) – This
rule permits inbound traffic to MeetingMaker servers residing on the protected network.
• Allow access to MS SQL Server (TCP/UDP 1433 and 1434) to specific host address – This
rule permits inbound traffic to communicate with a MS SQL Server residing on the
protected VLAN.
• Allow access to Microsoft Resources – Consult Microsoft's TechNet and Knowledge Base
resources to verify firewall configuration requirements for Exchange, MS SQL Server, and
shared MS network resources. Some firewall rules are determined by version. Shared
resources must be properly secured or the VLAN hosts could be vulnerable to security
compromises. See References section for additional information.
• Allow traffic (TCP/UDP 135, 137, 138, 139/445) for external access to specific shared
resources – This rule permits external clients to access shared Microsoft resources behind
the firewall.
• Allow access (TCP 4899) to specific internal hosts using Famatech RADMIN remote
administration application – This rule permits external administrators to communicate with
hosts running the RADMIN utility.
• Allow access (TCP 5641 and UDP 5642) from external clients running pcAnywhere to
specific host addresses – This rule permits remote control of computing hosts behind the
firewall using Symantec's pcAnywhere product.
• Increase UDP timeout from default 2 minutes to 45 minutes – This rule is suggested to bypass
DaFIS time restrictions.
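The base rules and logging assumption of 3.10.2 as an added, runnable model (not the module's own ruleset or any vendor's syntax): packets are evaluated first-match against anti-spoofing, the ICMP allowance, explicit authorizations and the default inbound deny, every deny is logged, and the deny log is then reviewed for a source touching many distinct ports, which is what the port-scan step of the testing procedure described before 3.5 looks like from the defender's side. The VLAN range, the authorized services and the traffic are constructed, and normalization ("scrub in all") is not modelled.

```python
"""Evaluates packets against the base rules of 3.10.2 (drop inbound packets
that claim an internal source address, allow ICMP types 3/8/11, deny all other
inbound traffic unless explicitly authorized, leave outbound unrestricted, log
every deny) and then reviews the deny log for a source touching many distinct
ports, a simple port-scan indicator for the regular log review the policy assumes.

Added example, not part of the module. The VLAN range, the authorized services
and the traffic are constructed; normalization ("scrub in all") is not modelled."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_VLAN = ipaddress.ip_network("10.20.0.0/24")      # constructed
ALLOWED_ICMP_TYPES = {3, 8, 11}   # unreachable, echo request, time exceeded
# Optional rules this VLAN has enabled: (proto, internal host, port), constructed.
INBOUND_ALLOW = {("tcp", "10.20.0.10", 80), ("tcp", "10.20.0.10", 443)}
DENY_LOG: List[str] = []


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arriving from outside) or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = -1


def log_deny(p: Packet, rule: str) -> Tuple[str, str]:
    # All deny rules are logged; this is the record review_deny_log() reads.
    DENY_LOG.append(f"block in {p.proto} {p.src} -> {p.dst}:{p.dport} ({rule})")
    return "block", rule


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, matching rule); the first matching rule wins."""
    if p.direction == "out":
        return "pass", "internal VLAN users unrestricted"
    # Anti-spoofing: inbound traffic must not carry an internal VLAN address.
    if ipaddress.ip_address(p.src) in INTERNAL_VLAN:
        return log_deny(p, "inbound with internal source address")
    if p.proto == "icmp" and p.icmp_type in ALLOWED_ICMP_TYPES:
        return "pass", f"icmp type {p.icmp_type} permitted"
    if (p.proto, p.dst, p.dport) in INBOUND_ALLOW:
        return "pass", f"explicitly authorized {p.proto}/{p.dport}"
    return log_deny(p, "default deny inbound")


def review_deny_log(log: List[str], min_ports: int = 10) -> Dict[Tuple[str, str], int]:
    """(source, destination) pairs whose denied TCP/UDP connections touched at
    least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in log:
        parts = line.split()
        if parts[2] not in ("tcp", "udp"):
            continue                       # ICMP entries carry no port
        dst, port = parts[5].rsplit(":", 1)
        ports[(parts[3], dst)].add(int(port))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def demo() -> Dict[Tuple[str, str], int]:
    """Constructed traffic: one external host probing twelve ports on the web
    server, plus legitimate and spoofed packets; returns the review result."""
    DENY_LOG.clear()
    traffic = [Packet("in", "tcp", "198.51.100.7", "10.20.0.10", port)
               for port in range(20, 32)]
    traffic += [Packet("in", "tcp", "203.0.113.4", "10.20.0.10", 443),
                Packet("in", "tcp", "10.20.0.5", "10.20.0.10", 22),
                Packet("in", "icmp", "203.0.113.4", "10.20.0.10", icmp_type=8),
                Packet("out", "tcp", "10.20.0.5", "203.0.113.4", 443)]
    for pkt in traffic:
        evaluate(pkt)
    return review_deny_log(DENY_LOG)
```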
3.10.3 ROLE OF UTM
Unified Threat Management (UTM) is a comprehensive solution that has recently emerged in the
network security industry and, since 2004, has gained widespread currency as a primary network
gateway defense solution for organizations. It is the evolution of the traditional firewall into an
all-inclusive security product that has the ability to perform multiple security functions in one single
appliance: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway
anti-spam, VPN, content filtering, load balancing and on-appliance reporting.
“UTM perimeter-security devices combine firewalling, antivirus, and intrusion detection and
prevention on a single appliance.”
How UTM secures the network
A single UTM appliance makes it very easy to manage a company's security strategy, with just one
device to worry about, one source of support and a single way to maintain every aspect of your
security solution. The UTM can prove to be a more effective solution because its strength lies in the
bundle of solutions which are integrated and designed to work together. All of the security solutions
can also be monitored and configured from one single centralized console, so they can be tuned
together.
In this context, UTMs represent all-in-one security appliances that carry firewall, VPN, gateway
anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management and
centralized reporting as basic features. The UTM is thus a highly integrated quiver of security
solutions, working in tandem, that systematically provides network security to organizations. As
there is a customized OS holding all these security features in one place, they tend to work in
unison, providing a very high throughput. The UTM can prove highly effective because its strength
lies in the bundle of solutions which are integrated and designed to work together without treading
on each other's toes.
3.10.4 KEY ADVANTAGES
1. Reduced complexity: Single security solution. Single Vendor. Single AMC
2. Simplicity: Avoidance of multiple software installation and maintenance
3. Easy Management: Plug & Play Architecture, Web-based GUI for easy management
4. Performance: Zero-hour protection without degrading the network performance
5. Troubleshooting: Single point of contact – 24 × 7 vendor support
6. Reduced technical training requirements, one product to learn.
7. Regulatory compliance
3.11 AUTOMATED VULNERABILITY SCANNING
IT organizations are moving forward with enhanced vulnerability management as they become
more and more aware that keeping their networks safe means performing vulnerability checks on a
routine basis, with up to daily assessments of the highest risk services and systems. With this
approach, the automation of the vulnerability management process becomes another,
cost-effective, way of managing the increasingly complex problems of keeping a network secure. Many
of the emerging components of network security are strong candidates for automation.
Vulnerability assessments have recently been identified, by independent market research, as one of
the most sought-after services to automate.
As with the automation of any business function, the final decision is based on whether or not an
automated solution can do the job more efficiently, cheaper, and perhaps faster than a manual task.
But when examining vulnerability scanning as an automated service, one further important
factor must be taken into consideration: the ability of the solution to provide easy
vulnerability data acquisition and distribution of that information. To help examine this question in
relation to vulnerability assessments, we'll examine how vulnerability assessments are currently
performed, and then discuss evolving roles for vulnerability assessments in an automated process
paradigm.
The Future of Vulnerability Scanning — Automated Ongoing Scans
The Automated Vulnerability Detection System (AVDS) provides a series of hardware appliances
that run dedicated online connected software, simulating both external and internal hacker attacks
for a target network. With an average of 310 new operating system and application vulnerabilities
announced each and every month the need to treat vulnerability scanning in the same light as
antivirus has become essential. An automated, ongoing vulnerability assessment and management
solution is now a genuine option for this activity. The Enterprise now needs that capability for
Vulnerability Scanning to be run both on a regular scheduled basis, and on demand to assess
changes. This may require up to daily frequency due to the increasing complexity of vulnerabilities
and the speed at which they can now be exploited, and should be performed as a specialized
service. With the increasing complexity of networks, the number of vulnerabilities being
discovered daily, the speed at which exploits can launch malicious code and the ease of installation
of rogue devices, performing vulnerability and network security assessments annually, biannually
or even quarterly is no longer a sufficient risk mitigation strategy for today's well-protected
network.
Similarly, the challenge of staying up to date with current vulnerabilities is now a specialist
task, and it should be assigned to a dedicated solution capable of updating automatically
for new threats and scanning periodically based on a predefined schedule. Beyond Security has
taken vulnerability scanning to the next level — developing a new way to approach this important
task by providing it as an Automated Daily Scanning solution based on a highly powerful
management tool. Intrusion Detection and Prevention Systems still play an important role, but
with your network scanned — both internally and externally — for the latest vulnerabilities
every day or even every hour, your level of network protection reaches a new level.
The Beyond Security Automated Vulnerability Scanning System performs a comprehensive regular
vulnerability assessment on the network and produces a detailed report that contains:
• An Executive Summary of the vulnerabilities found
• A comprehensive list of all vulnerabilities discovered
• A wide range of solutions to those vulnerabilities
• The list of all simulated attacks performed.
The Automated Vulnerability Detection System (AVDS) is updated with new attack profiles on a
daily basis, using information from the www.securiteam.com security portal, which is one of the
largest and most respected security information gathering portals on the Internet.
Using AVDS, it is possible to conduct security scans on:
• The corporate LAN and WAN (from within the organization)
• The DMZ and the external network (from the Internet and outside world)
• Applications
• Anything that talks "IP" on a network, including VoIP network elements and endpoint
devices.
The AVDS has the following major advantages:
• It simulates a range of attacks on the organization's network without causing any damage
— using the same techniques, tools and methodologies as the most sophisticated hackers.
• It consumes minimal bandwidth — there is no negative effect on the network's running
performance from this application.
• It performs daily/weekly penetration testing according to your predefined schedule.
• It has inbuilt data mining capabilities allowing on-the-fly generation of statistical and
historical information.
• The unique "Customer Zone" gives the ability to decentralize the vulnerability scanning
task to multiple users. This gives them a simple web interface with limited access to the
scanning system.
• It allows instant tracking of vulnerabilities across the entire network.
• It generates a detailed network map, detailing what servers and services have been
added, removed or changed since the last scan.
• It can generate results in any of the following formats: HTML, PDF, CSV and XML.
The AVDS reports can be used as an extensive network management tool and a potentially very
powerful Sarbanes-Oxley compliance tool. Some of the reporting features include:
• Easy to read and understand
• Contain executive summary and technical sections.
• Provide links for immediate remedial action.
• Can contain Differential Reporting Mechanisms that show the difference from previous
scans, allowing you to track both infrastructure changes as well as the vulnerabilities.
Some of the AVDS highlights:
• Utilizes the www.securiteam.com portal as the primary information source —
Securiteam.com is one of the largest sources of vulnerability information and solutions on
the Internet and is referenced by many vulnerability scanning products.
• Automatically discovers and reports on rogue wireless access points, devices & software
applications, modems, USB storage devices, Trojans and spyware.
• Scans through wireless networks (802.11a/b/g, GPRS) and discovers and maps wireless
access points.
• The only multi-level scanning tool — automated scanning looks for vulnerabilities in the
system, database, network and application.
• Scans "anything that talks IP":
o Communication: routers, access points, VoIP phones and gateways
o Security appliances: firewall, content filtering and antivirus
o OS-specific tests: UNIX, Linux, AS400, Novell, Windows 95/98, Windows NT,
Windows 2000/2003, Windows XP and Vista
o Application: Layer 7 checks
• Less than 0.1% false positive rate — the lowest in the industry.
• Supports differential reporting as a management tool — giving the ability to view the
changes in network security posture since the last scan.
• Simple to install and configure via a web interface.
• At maximum performance scans an entire Class C network within 12 minutes.
• Fully automated.
• Scheduled scans.
• Distributed servers — the ability to manage multiple servers from a single location; control the
server's configuration, add new users to the distributed management system, etc.
• Distributed management — allows you to create multiple users and assign them one or more
security management roles; scan specific IP addresses, view reports of scans, schedule new
scans, etc.
• Completely conforms to the CVE standard.
• Includes behavioral checks — the tool not only utilizes common attack signatures, but
also performs behavioral checks.
• On-demand Denial of Service scans (configurable).
• Completely agentless and requires no special privileges or software installations.
o Gives you an accurate "hacker's view" of your network.
• No increase of network load.
• Preinstalled server, complete with software and hardware.
• Provides remedial action recommendations.
3.12 AN APPROACH TO VULNERABILITY SCANNING
3.12.1 AUTOMATED VULNERABILITY
Our ATL vulnerability scanner consists of three main components: First, the crawling component
gathers a set of target web sites. Then, the attack component launches the configured attacks
against these targets. Finally, the analysis component examines the results returned by the web
applications to determine whether an attack was successful.
Crawling Component
Because of the relatively slow response time of remote web servers (typically ranging from 100 to
10000 milliseconds), we use a queued workflow system that executes several concurrent worker
threads to improve crawling efficiency. Depending on the performance of the machine that hosts
the ATL vulnerability scanner, the bandwidth of the uplink, and the targeted web servers, 10 to 30
concurrent worker threads are typically deployed during a vulnerability detection run. To start a
crawling session, the crawling component of the ATL vulnerability scanner needs to be seeded with a
root web address. Using this address as a starting point, the crawler steps down the link tree,
collecting all pages and included web forms during the process. Just as a typical web crawler,
the ATL vulnerability scanner has configurable options for the maximum link depth, maximum
number of pages per domain to crawl, maximum crawling time, and the option of dropping external
links.
Attack Component
After the crawling phase has completed, the ATL vulnerability scanner starts processing the list of
target pages. In particular, the attack component scans each page for the presence of web forms.
The reason is that the fields of web forms constitute our entry points to web applications. For each
web form, we extract the action (or target) address and the method (i.e., GET or POST) used to
submit the form content. Also, the form fields and their corresponding CGI parameters are collected.
Then, depending on the actual attack that is launched, appropriate values for the form fields are
chosen. Finally, the form content is uploaded to the server specified by the action address (using
either a GET or POST request). As defined in the HTTP protocol, the attacked server responds to
such a web request by sending back a response page via HTTP.
Analysis Modules
After an attack has been launched, the analysis module has to parse and interpret the server
response. An analysis module uses attack-specific response criteria and keywords to calculate a
confidence value to decide if the attack was successful. Obviously, when a large number of web
sites are scanned, false positives are possible. Thus, care needs to be taken in determining the
confidence value so that false positives are reduced.
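The three components of 3.12.1 in miniature, as an added example that is not the module's scanner: a crawling component that extracts each form's action, method and fields from a page, an attack component that fills the writable fields with a probe value and builds the request, and an analysis module that turns attack-specific keyword hits into a confidence value compared against a threshold. The page, the probe marker, the keyword weights and the responses are constructed, and nothing is sent over the network.

```python
"""The three scanner components described in 3.12.1 in miniature: the crawler
extracts every web form from a page (action, method, fields), the attack
component fills the writable fields with a probe value and builds the request,
and the analysis module scores the server's response with attack-specific
keywords to a confidence value that is compared against a threshold.

Added example, not the module's scanner. The page, the probe marker, the
keyword weights and the responses are constructed; nothing is sent anywhere."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlencode, urljoin

SAMPLE_PAGE = """<html><body>
<form action="/search" method="get"><input name="q"><input type="submit"></form>
<form action="login.php" method="POST">
  <input name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc123">
</form></body></html>"""                                   # constructed


class FormExtractor(HTMLParser):
    """Crawling component: record each form's action URL, method and fields."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url, self.forms, self._current = base_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.base_url, a.get("action") or ""),
                             "method": (a.get("method") or "get").upper(),
                             "fields": {}}
        elif tag == "input" and self._current is not None and a.get("name"):
            if (a.get("type") or "text").lower() != "submit":
                self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(base_url: str, html: str) -> List[dict]:
    parser = FormExtractor(base_url)
    parser.feed(html)
    return parser.forms


def build_request(form: dict, probe: str) -> Tuple[str, str, str]:
    """Attack component: empty (user-editable) fields receive the probe value;
    prefilled hidden fields keep their value so the form still submits.
    Returns (method, url, body)."""
    params = {k: (v if v else probe) for k, v in form["fields"].items()}
    if form["method"] == "GET":
        return "GET", form["action"] + "?" + urlencode(params), ""
    return "POST", form["action"], urlencode(params)


# Analysis criteria per attack type: keyword weights plus the weight given to
# the probe being echoed back verbatim (constructed values).
CRITERIA: Dict[str, dict] = {
    "sql_error": {"keywords": {"you have an error in your sql syntax": 0.6,
                               "unclosed quotation mark": 0.6,
                               "warning: mysql": 0.3},
                  "probe_echo": 0.0},
    "reflection": {"keywords": {}, "probe_echo": 1.0},
}


def analyse(kind: str, response: str, probe: str,
            threshold: float = 0.7) -> Tuple[float, bool]:
    """Analysis module: weighted keyword hits, capped at 1.0. The threshold is
    kept high because across many scanned sites even a small per-response
    false-positive rate produces a large number of spurious findings."""
    crit = CRITERIA[kind]
    body = response.lower()
    score = sum(w for kw, w in crit["keywords"].items() if kw in body)
    if probe and probe in response:
        score += crit["probe_echo"]
    confidence = min(score, 1.0)
    return confidence, confidence >= threshold
```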
3.12.2 PROTECTION FROM WEB SERVER ATTACK
Popular Web Servers:
• Microsoft IIS/ASP/ASP.NET
• LAMP (Linux/Apache/MySQL/PHP)
• Oracle WebLogic
o Link Ch 12j
• IBM WebSphere
o Link Ch 12k
Figure: Microsoft IIS Servers
Attacking Web Server Vulnerabilities
• An attacker with the right set of tools and ready-made exploits can bring down a vulnerable
web server in minutes
• Some of the most devastating Internet worms have historically exploited these kinds of
vulnerabilities
o Code Red and Nimda attacked IIS vulnerabilities
• The risk of such attacks is decreasing, because:
o Newer versions of Web servers are less vulnerable
o System administrators are better at configuring the platforms
o Vendors' "best practices" documents are better
o Patches come out more rapidly
Why the Risk is Decreasing
• Countermeasures are available, such as:
o Sanctum/Watchfire's AppShield – a Web application firewall (link Ch_12n)
o Microsoft's URLScan – built in to IIS 6 and IIS 7 (link Ch_12o)
• Automated vulnerability-scanning products and tools are available
Web Server Vulnerabilities
• Sample files
• Source code disclosure
• Canonicalization
• Server extensions
• Input validation (for example, buffer overflows)


Sample files
 Sample scripts and code snippets to illustrate creative use of a platform
 In Microsoft's IIS 4.0
o Sample code was installed by default
o showcode.asp and codebrws.asp
o These scripts display the file named in their source parameter and did not reject "..", so an attacker could read almost any file on the server:
 http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini
 http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log
 Sample Files Countermeasure
 Remove sample files from production webservers
 If you need the sample files, apply the vendor patches for them (for example, the ColdFusion Expression Evaluator patch)
 Source Code Disclosure
 IIS 4 and 5 could reveal the source of server-side files, such as global.asa, through the HTR vulnerability (appending +.htr to the URL)
 Apache Tomcat and Oracle WebLogic had similar issues: an encoded character in the extension (%70 for "p") bypassed the JSP handler, so the raw source was served as a static file
 Attack URLs:
o http://www.iisvictim.example/global.asa+.htr
o http://www.weblogicserver.example/index.js%70
o http://www.tomcatserver.example/examples/jsp/num/numguess.js%70
Source Code Disclosure Countermeasures
 Apply patches (these vulnerabilities were patched long ago)
 Remove unneeded sample files
 Never put sensitive data (credentials, connection strings) in the source of web-accessible files
o You can never be sure source code is hidden
 Canonicalization Attacks
 There are many ways to refer to the same file
 C:\text.txt
 ..\text.txt
 \\computer\C$\text.txt
 The process of resolving a resource to a standard (canonical) name is called
canonicalization
Canonicalization Attack Countermeasures
 Patch your Web platform
 Compartmentalize your application directory structure
o Limit access of Web Application user to minimal required
 Clean URLs with URLScan and similar products



o Reject requests containing overlong Unicode (UTF-8) or double-hex-encoded characters before they reach the application; decode a URL exactly once, and treat a path that still changes on a second decode as hostile
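The decode-once rule above, as an added example written for this module (it is not URLScan's code or any product's): a Python resolver that decodes a request path exactly once, rejects double-encoded, overlong-UTF-8, NUL and backslash tricks, and confines the result to the web root. The web root /var/www/html and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote_to_bytes


class BadPath(ValueError):
    """Request path rejected before it reaches the file system."""


def canonicalize(url_path):
    """Decode a request path exactly once and reject the tricks the text describes.

    - %c0%af and similar overlong UTF-8: strict decoding raises.
    - %255c and similar double hex encoding: a second decode would still change the path,
      which a legitimately encoded URL never does (the same rule URLScan's normalization
      check applies).
    - NUL bytes and backslashes: no legitimate URL path needs them, and both have been used
      to fool extension mapping and directory checks.
    """
    try:
        once = unquote_to_bytes(url_path).decode("utf-8")
        twice = unquote_to_bytes(once).decode("utf-8")
    except UnicodeDecodeError:
        raise BadPath("invalid or overlong UTF-8 in %r" % url_path)
    if twice != once:
        raise BadPath("double-encoded characters in %r" % url_path)
    if "\x00" in once or "\\" in once:
        raise BadPath("NUL or backslash in %r" % url_path)
    return once


def resolve(webroot, url_path):
    """Map a request path to the one canonical file system path, confined to the web root."""
    path = canonicalize(url_path)
    root = posixpath.normpath(webroot)
    # Join beneath the root, then collapse "." and ".." lexically; the result must still be
    # the root itself or something strictly below it.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise BadPath("%r escapes the web root" % url_path)
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest the attack shapes listed in this section.
    for req in ["/images/logo.png", "/../../../boot.ini",
                "/scripts/..%2f..%2fwinnt/system32/cmd.exe", "/..%252f..%252fetc/passwd",
                "/..%c0%af..%c0%afetc/passwd", "/index.asp%00.html"]:
        try:
            print("%-45s -> %s" % (req, resolve("/var/www/html", req)))
        except BadPath as e:
            print("%-45s -> rejected: %s" % (req, e))
```

The two-decode check is deliberately strict: a client that needs a literal "%" in a file name encodes it once as %25, and that survives, while anything that only becomes a traversal after a second decode is refused rather than normalized.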
New IIS 7 Security Measures
 Application Pool Isolation
o Each application pool runs in its own w3wp.exe worker process under the pool's configured identity, which IIS adds to the built-in IIS_IUSRS group at run time
o In addition, a SID unique to each application pool is injected into that worker process's token
o NTFS permissions granted to that SID give each Web application access to only its own files and folders
 In IIS 7 you can assign access controls to a specific URL by user name or group (URL authorization)
 This is far more flexible and convenient than applying NTFS permissions to files and folders
 Especially when Web files are moved from one machine to another
Server Extensions
 Code libraries tacked on to the core HTTP engine to provide extra features
o Dynamic script execution (for example, Microsoft ASP)
o Site indexing
o Internet Printing Protocol
o Web Distributed Authoring and Versioning (WebDAV)
o Secure Sockets Layer (SSL)
 Each of these extensions has had vulnerabilities, such as buffer overflows
 Microsoft WebDAV "Translate: f" problem
o Send a GET request with the header "Translate: f" and a backslash appended to the URL
o IIS 5 then returns the source of the requested script instead of executing it
Server Extensions Exploitation Countermeasures
 Patch or disable vulnerable extensions
o The Translate: f problem was patched long ago
Buffer Overflows
 Web servers, like all other computers, can be compromised
by buffer overflows
 The Web server is easy to find, and connected to the Internet,
so it is a common target
Famous Buffer Overflows
 IIS HTR Chunked Encoding Transfer Heap Overflow
o Affects Microsoft IIS 4.0, 5.0, and 5.1
o Leads to remote denial of service or remote code execution at the IWAM_MACHINENAME privilege level
 IIS's Indexing Service extension (idq.dll)
o A buffer overflow used by the infamous Code Red worm
 Internet Printing Protocol (IPP) vulnerability
 Apache mod_ssl vulnerability
o Exploited by the Slapper worm; the overflow itself was in the SSLv2 handshake code of the OpenSSL library that mod_ssl links against
o Affects all versions up to and including Apache 2.0.40 when built against the vulnerable OpenSSL
o Results in remote code execution with the privileges of the Apache worker process: normally an unprivileged user, but the super-user if the server was run that way
 Apache also suffered from a vulnerability in the way it handled HTTP requests encoded with chunked encoding
o Resulted in a worm dubbed "Scalper"
o Thought to be the first Apache worm
Figure: Authorization
Buffer Overflow Countermeasures
 Apply software patches
 Scan your server with a vulnerability scanner
Web Server Vulnerability Scanners
 Nikto checks for common Web server vulnerabilities
o It is not subtle: it leaves obvious traces in log files
 Whisker was an earlier Web server vulnerability scanner
o Nikto 2 is built on LibWhisker 2, the library behind Whisker, and has effectively replaced it

Web Application Hacking


 Attacks on the applications themselves, as opposed to the web server software on which these applications run
 The same techniques apply
o Input-validation attacks
o Source code disclosure attacks
o etc.
 Web Crawling
 Examine a Web site carefully for low-hanging fruit
o Local path information
o Backend server names and IP addresses
o SQL query strings with passwords
o Informational comments
 Look in static and dynamic pages, include files and other support files, and source code

Web-Crawling Tools
 wget is a simple command-line tool to download a page, and can be used in scripts
o Available for Linux and Windows
 Offline Explorer Pro
o Commercial Win32 product
Web Application Assessment
 Once the target application content has been crawled and thoroughly analyzed



 Probe the features of the application
o Authentication
o Session management
o Database interaction
o Generic input validation

Tools for Web Application Assessment


 Achilles proxy server
o Allows the user to intercept and alter HTTP and HTTPS traffic between browser and server
o Runs on Windows
 Paros proxy server
o Requires the Java Runtime Environment (JRE)
o Scans for vulnerabilities
o Spiders sites
o Runs on Windows or Linux/Unix

3.12.3 AUTOMATED VULNERABILITY DETECTION


The SecuBat vulnerability scanner consists of three main components: First, the crawling
component gathers a set of target web sites. Then, the attack component launches the configured
attacks against these targets. Finally, the analysis component examines the results returned by the
web applications to determine whether an attack was successful. Many web application security
vulnerabilities result from generic input validation problems. Although the majority of web
vulnerabilities are easy to understand and avoid, many web developers are, unfortunately, not
security-aware and there is general consensus that there exist a large number of vulnerable
applications and web sites on the web. The SecuBat authors believe that it is only a matter of time
before attackers start using automated vulnerability scanning tools to discover web vulnerabilities
that they can exploit. Such vulnerabilities, for example, could be used to launch phishing attacks
that are difficult to identify even by technically more sophisticated users.
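An added example of the crawl, attack and analysis steps described here and in the attack/analysis module description earlier in this chapter. It is written for this module and is not SecuBat's code: it parses the forms on a constructed page, injects one payload per field (carrying hidden fields such as CSRF tokens along, as the crawler must), and scores each response with keyword weights. The target (`fake_server`), the page, the payloads and the weights are assumptions made for the example, and the `send` callable is a hypothetical interface where a real HTTP client would be plugged in.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit, parse_qs


class FormExtractor(HTMLParser):
    """Crawler step: collect every <form> with its action URL, method and field defaults."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": urljoin(self.base_url, a.get("action", "")),
                             "method": a.get("method", "get").upper(), "fields": {}}
        elif tag in ("input", "textarea") and self._current is not None:
            # Hidden fields are kept: the server expects them (CSRF tokens, state), so the attack
            # request must carry them or it is rejected before the payload is ever looked at.
            if a.get("name") and a.get("type", "text").lower() not in ("submit", "button", "image"):
                self._current["fields"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(page_html, base_url):
    parser = FormExtractor(base_url)
    parser.feed(page_html)
    return parser.forms


# Attack table: payload plus the response criteria the analysis step scores.
# Keyword weights are assumptions chosen for this example, not SecuBat's own values.
ATTACKS = {
    "xss": {"payload": "<script>alert(secubat)</script>",
            "criteria": [("<script>alert(secubat)</script>", 1.0)]},
    "sqli": {"payload": "'",
             "criteria": [("you have an error in your sql syntax", 0.9),
                          ("unclosed quotation mark", 0.9),
                          ("ora-01756", 0.9),
                          ("warning: mysql", 0.5)]},
}


def build_request(form, attack, field):
    """Attack step: put the payload into one field, keep the others at their defaults."""
    data = dict(form["fields"])
    data[field] = ATTACKS[attack]["payload"]
    if form["method"] == "GET":
        return {"method": "GET", "url": form["action"] + "?" + urlencode(data), "body": None}
    return {"method": "POST", "url": form["action"], "body": urlencode(data)}


def analyse(attack, response_body):
    """Analysis step: confidence in [0, 1] that the attack succeeded, from keyword hits."""
    body = response_body.lower()
    score = sum(weight for keyword, weight in ATTACKS[attack]["criteria"] if keyword in body)
    return min(score, 1.0)


def run_scan(page_html, base_url, send):
    """Crawl, attack, analyse. `send` takes a request dict and returns the response body."""
    findings = []
    for form in extract_forms(page_html, base_url):
        for field in form["fields"]:
            for attack in ATTACKS:
                request = build_request(form, attack, field)
                findings.append({"action": form["action"], "field": field, "attack": attack,
                                 "confidence": analyse(attack, send(request))})
    return findings


# --- constructed target, so the example runs offline ---------------------------------------
SAMPLE_PAGE = """<html><body>
<form action="/search" method="get">
  <input type="text" name="q"><input type="submit" value="Go">
</form>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc123"><input type="submit" value="Login">
</form>
</body></html>"""


def fake_server(request):
    """Stand-in target: /search reflects q unescaped (XSS), /login leaks a MySQL error when a
    quote reaches the user field (SQL injection), and is otherwise unremarkable."""
    parts = urlsplit(request["url"])
    params = parse_qs(parts.query if request["method"] == "GET" else request["body"])
    if parts.path == "/search":
        return "<h1>Results for %s</h1>" % params.get("q", [""])[0]
    if parts.path == "/login":
        if "'" in params.get("user", [""])[0]:
            return "You have an error in your SQL syntax; check the manual for the right syntax"
        return "Login failed"
    return "Not found"


if __name__ == "__main__":
    for f in run_scan(SAMPLE_PAGE, "http://target.example/", fake_server):
        if f["confidence"] > 0:
            print("%-30s field=%-5s %-4s confidence=%.1f"
                  % (f["action"], f["field"], f["attack"], f["confidence"]))
```

Only findings with non-zero confidence are printed; the weights are capped at 1.0 so several weak keyword hits on one error page cannot outrank a reflected payload, which is the kind of tuning the section means by reducing false positives.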

3.13 PASSWORD CRACKING AND BRUTE FORCING


Password cracking is the process of recovering passwords from data that has been stored in or
transmitted by a computer system. A common approach is to repeatedly try guesses for the
password. The purpose of password cracking might be to help a user recover a forgotten password
(though setting an entirely new password is less of a security risk, but requires system
administration privileges), to gain unauthorized access to a system, or as a preventive measure by
system administrators to check for easily crackable passwords. On a file-by-file basis, password
cracking is used to gain access to digital evidence for which a judge has allowed access but the
particular file's access is restricted.
Password cracking programs can be used to identify weak passwords. Password cracking verifies
that users are employing sufficiently strong passwords. Passwords are generally stored, and
sometimes transmitted, not in the clear but as a hash: the output of a one-way function, which
(unlike encryption) cannot be reversed to recover the password, only tested against guesses. When
a user logs on to a computer/system and enters a password, a hash is generated and compared to
the stored hash. If the entered and the stored hashes match, the user is authenticated.
During a penetration test or a real attack, password cracking works from captured password hashes.
Password hashes can be intercepted when they are transmitted across the network (using a
network sniffer) or they can be retrieved from the targeted system. The latter generally requires
administrative or "root" access on the target system. Once the hashes are obtained, an automated
password cracker rapidly generates candidate passwords, hashes each one and compares it with the
captured hashes until a match is found. The quickest method is a dictionary attack, which tries
every word in a dictionary or text file. There are many dictionaries available on the Internet that
cover most major and minor languages, names, popular television shows, etc. So any "dictionary"
word, no matter how obscure, is weak.
Another method of cracking is called a hybrid attack, which builds on the dictionary method by
adding numeric and symbolic characters to dictionary words. Depending on the password cracker
being used, this type of attack will try a number of variations. The attack tries common substitutes
of characters and numbers for letters (e.g., p@ssword and h4ckme). Some will also try adding
characters and numbers to the beginning and end of dictionary words (e.g., password99,
password$%, etc.).
The most powerful password-cracking method is the brute force method, which systematically tries
every possible combination of characters up to a given length. Although brute force can take a long
time, it usually takes far less time than most password policies specify for password changing.
Consequently, passwords found during brute force attacks are still too weak. Brute force generates
each candidate password and its associated hash in turn; since there are so many possibilities it
can take months to crack a single strong password. Theoretically all passwords are "crackable" by
brute force given enough time and processing power. Penetration testers and attackers often have
multiple machines across which they can spread the task of cracking passwords. Multiple processors
greatly shorten the length of time required to crack strong passwords.
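The three methods (dictionary, hybrid, brute force) as an added example in Python, written for this module rather than taken from any cracking tool. The hash set is constructed: salted SHA-256 of four chosen passwords, picked so that one falls to each method and one to none of them; the substitution table, suffix list and wordlist are assumptions. `keyspace_bits` carries out the entropy arithmetic this section returns to later (26 upper-case letters, 4000-word vocabularies).

```python
import hashlib
import itertools
import math


def make_hash(salt, password):
    """Salted SHA-256, as an application might store it (constructed for this example)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "captured" hash set: user -> (salt, hash). In a real engagement you have only
# the salts and hashes; the plaintexts here are chosen to fall to the three methods in turn.
TARGETS = {
    "alice": ("7f3a", make_hash("7f3a", "summer")),
    "bob":   ("c21e", make_hash("c21e", "P@ssw0rd99")),
    "carol": ("0b9d", make_hash("0b9d", "zq7")),
    "dave":  ("e4a0", make_hash("e4a0", "Tr0ub4dor&3-Lightning")),
}

WORDLIST = ["password", "summer", "letmein", "welcome", "monkey", "dragon"]  # constructed

LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}            # assumed table
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!!", "$%", "123"]  # assumed list


def dictionary_candidates(words):
    """Method 1: every word exactly as it appears in the list."""
    yield from words


def leet_variants(word):
    """Every combination of substituting, or not, each letter present in LEET."""
    present = [c for c in LEET if c in word]
    for choice in itertools.product(*[(c,) + tuple(LEET[c]) for c in present]):
        yield word.translate(str.maketrans(dict(zip(present, choice))))


def hybrid_candidates(words):
    """Method 2: case changes, character substitutions and appended digits/symbols."""
    for word in words:
        for cased in (word, word.capitalize(), word.upper()):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leet + suffix


def brute_force_candidates(charset, max_len):
    """Method 3: exhaustive enumeration, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(targets, candidates):
    """Hash each candidate once per distinct salt and compare; stop when nothing is left.
    The per-salt loop is the cost salting imposes: one guess no longer tests every account."""
    remaining = dict(targets)
    found = {}
    for candidate in candidates:
        for user, (salt, digest) in list(remaining.items()):
            if make_hash(salt, candidate) == digest:
                found[user] = candidate
                del remaining[user]
        if not remaining:
            break
    return found


def keyspace_bits(charset_size, length):
    """Entropy of a password chosen uniformly from charset_size**length possibilities."""
    return length * math.log2(charset_size)


def hours_to_exhaust(bits, guesses_per_second):
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    lower_digits = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("dictionary:", crack(TARGETS, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(TARGETS, hybrid_candidates(WORDLIST)))
    print("brute:     ", crack({"carol": TARGETS["carol"]}, brute_force_candidates(lower_digits, 3)))
    for size, length in ((26, 5), (62, 8), (95, 12)):
        bits = keyspace_bits(size, length)
        print("%2d^%-2d = %5.1f bits, %.2g hours at 1e9 guesses/s"
              % (size, length, bits, hours_to_exhaust(bits, 1e9)))
```

dave's password survives all three runs, which is the point: it is neither a word nor a decorated word, and at 21 characters it is far outside any brute force range, so the only remaining attack is one that exploits how it was chosen rather than what it is.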



A strong Linux/Unix password is one that is long (greater than 10 characters at least) and complex
(contains both upper and lower case letters, special characters and numbers). Creating a strong
Windows password is somewhat more complicated.
Password crackers should be run on the system on a monthly basis or even continuously to ensure
correct password composition throughout an organization. The following actions can be taken if an
unacceptably high number of passwords can be cracked:

 If the cracked passwords were selected according to policy, the policy should be modified
to reduce the percentage of crackable passwords. If such policy modification would lead to
users writing down their passwords because they are difficult to memorize, an organization
should consider replacing password authentication with another form of authentication.
 If cracked passwords were not selected according to policy, the users should be educated
on possible impacts of weak password selections. If such violations by the same users are
persistent, management should consider additional steps (additional training, password
management software to enforce better choices, deny access, etc.) to gain user compliance.
Many server platforms also allow the system administrator to set minimum password length and
complexity.

On systems that support password filters, the filters should be set so as to force the use of strong
passwords, and this may reduce or even eliminate the need to perform password cracking.
Passwords, no matter how strong, often are sent in the clear over networks; thus organizations
should be moving towards the use of stronger forms of authentication.
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, if there is
no limit to the number of attempts, a brute force attack will always be successful since the rules for
acceptable passwords must be publicly known; but as the length of the password increases, so does
the number of possible passwords. This method is unlikely to be practical unless the password is
relatively short; however techniques using parallel processing can reduce the time to find the
password in inverse proportion to the number of computing devices (CPUs) in use. This depends
heavily on whether the prospective attacker has access to the hash of the password as well as the
hashing algorithm, in which case the attack is called an offline attack (it can be done without a
connection to the protected resource), or not, in which case it is called an online attack. An offline
attack is generally much easier, because testing a password is reduced to the mathematical
computation of the hash of the password to be tried and comparison with the hash of the real
password. In an online attack the attacker has to try to authenticate with each possible
password, and the system can impose rules and delays and log the attempts.
A common password length recommendation is eight or more randomly chosen characters
combining letters, numbers, and special characters (punctuation, etc.). This recommendation makes
sense for systems using stronger password hashing mechanisms such as md5-crypt and the
Blowfish-based bcrypt, but is inappropriate for many Microsoft Windows systems because they
store a legacy LAN Manager hash which splits the password into two seven-character halves, each
hashed independently and with all letters forced to upper case.
On these systems, an eight-character password is effectively a seven-character password and a
one-character password, each of which can be attacked on its own. For better security, LAN Manager
password storage should be disabled if doing so will not break supported legacy systems. Systems
which limit passwords to numeric characters only, or upper case only, or generally those which limit
the range of possible password character choices, also make brute force attacks easier. Using longer
passwords in these cases (if possible) can compensate for the limited allowable character set. Of
course, even with an adequate range of character choice, users who limit themselves to an obvious
subset of the available characters (e.g., only upper case alphabetic characters, or only digits) make
brute force attacks against their accounts much easier.
Generic brute-force search techniques are often successful, but smart brute-force techniques, which
exploit knowledge about how people tend to choose passwords, pose an even greater threat. NIST
SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8
character user-chosen password may provide somewhere between 18 and 30 bits of entropy
(randomness), depending on how it is chosen. For example 24 binary digits of randomness is
equivalent to 3 randomly chosen bytes, or approximately 5 random characters if they are restricted
to upper case alphabetic characters, or 2 words selected from a 4000 word vocabulary. This amount
of entropy is far less than what is generally considered safe for an encryption key.

How small is too small for offline attacks thus depends partly on an attacker's ingenuity and
resources (e.g. available time and computing power). The second of these will increase as
computers get faster. Most commonly used hashes can be implemented using specialized hardware,
allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a
separate portion of the search space. Unused overnight and weekend time on office computers can
also be used for this purpose.



Table: Summary Comparisons

3.14 DENIAL OF SERVICE (DOS) TESTING


A Denial of Service (DoS) attack is an attack with the purpose of preventing legitimate users from
using a specified network resource such as a website, web service, or computer system. A
Distributed Denial of Service (DDoS) attack is a coordinated attack on the availability of services
of a given target system or network that is launched indirectly through many compromised
computing systems. The services under attack are those of the "primary victim", while the
compromised systems used to launch the attack are often called the "secondary victims". The use
of secondary victims in a DDoS attack lets the attacker wage a much larger and more disruptive
attack while remaining anonymous, since the secondary victims actually perform the attack, which
makes it more difficult for network forensics to track down the real attacker.
Denial of Service (DoS) attacks are a reality for most organizations with connections to the public
Internet. In order to protect against the potential hazards of network attackers and malicious code,
a set of devices and software-based tools such as firewalls and similar filtering devices (the device
under test, or DUT, in the procedures below), intrusion detection systems (IDS), remote access
solutions (VPN) and sophisticated routers and L4-7 application switches have been developed to
block malicious traffic and protect the organization's data and information infrastructure.
There are three procedures for DOS testing:
1. assess the impact of DoS traffic on existing network traffic
2. measure the performance of devices responsible for denying DoS traffic network access
3. determine the performance of network devices that are being attacked (e.g. servers, routers,
WLAN access points)
A brief outline of the DoS attack types
There are several common types of DoS attacks, as explained below. Keep in mind that in the test
setup described here such attacks are generated directly in hardware (Field Programmable Gate
Arrays, FPGAs) on the test platform, so the malicious traffic can be generated at any rate from zero
up to the full wire speed of the interface.
SYN Attack
Every TCP connection begins with a segment carrying the SYN flag sent from the client host to a
server. On receiving it, the server typically allocates connection state and then sends a TCP
SYN-ACK segment back toward the client host. A SYN attack overwhelms the victim computer with
a rapid succession of SYN segments whose handshakes are never completed, so the server
over-allocates half-open connection state and either crashes or spends its time waiting for that state
to time out.
Teardrop Attack
Fragmented packets whose fragment offsets overlap are sent from a client to a server. The
server cannot reconstruct the original payload from the overlapping fragments and
eventually crashes.
Ping Attack
ICMP Echo Requests are sent to a server at a high rate, consuming bandwidth on the server's
network and processing capacity on the server itself.

Ping of Death (POD) Attack


ICMP Echo Requests are sent from a client to a server; however, each packet is a fragment of a
complete Echo Request whose reassembled size exceeds the maximum IP datagram length of 65,535
bytes. This may cause the server to over-allocate resources and crash.
Unreachable Host Attack
A forged "ICMP Host Unreachable" message is sent to a server that is already in communication
with another host. This will likely cause the server to drop that connection.
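Detection logic for four of the attack types above, as an added example that is not part of this module and is unrelated to the Ixia hardware used in the test cases that follow: SYN-flood and ping-flood rate checks over a constructed one-second capture, an overlapping-fragment check for teardrop, and a reassembled-length check for ping of death. The packet-record format, the capture and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

IP_MAX_DATAGRAM = 65535


def syn_flood_sources(packets, window=1.0, threshold=100):
    """Sources that leave at least `threshold` TCP handshakes half-open within one window.
    A pure SYN (flags == "S") opens state on the victim; an ACK from the same source closes it.
    Counting every ACK is good enough to separate a flood from a busy client; a real sensor
    tracks connections and counts only the ACK that completes each handshake."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], int(p["ts"] // window))
        if p["flags"] == "S":
            syn[key] += 1
        elif "A" in p["flags"]:
            ack[key] += 1
    return {src for (src, bucket), n in syn.items() if n - ack[(src, bucket)] >= threshold}


def ping_flood_sources(packets, window=1.0, threshold=200):
    """Sources sending more than `threshold` ICMP Echo Requests (type 8) per window."""
    count = defaultdict(int)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == 8:
            count[(p["src"], int(p["ts"] // window))] += 1
    return {src for (src, bucket), n in count.items() if n > threshold}


def overlapping_fragments(fragments):
    """Teardrop check for one datagram: fragments are (byte_offset, length) pairs, already
    converted from the 8-byte units of the IP header. True if any fragment starts inside
    the data already covered by an earlier one."""
    end = 0
    for offset, length in sorted(fragments):
        if offset < end:
            return True
        end = max(end, offset + length)
    return False


def oversized_datagram(fragments):
    """Ping of Death check: the reassembled datagram would exceed the IP maximum length."""
    return max(offset + length for offset, length in fragments) > IP_MAX_DATAGRAM


def constructed_capture():
    """Constructed one-second capture: a SYN flooder, one normal client, one ping flooder."""
    pkts = []
    for i in range(300):   # 10.0.0.5: 300 SYNs, never completes a handshake
        pkts.append({"ts": i / 300, "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "tcp", "flags": "S"})
    for i in range(5):     # 10.0.0.7: five ordinary connections, each SYN followed by its ACK
        pkts.append({"ts": 0.1 * i, "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "tcp", "flags": "S"})
        pkts.append({"ts": 0.1 * i + 0.01, "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "tcp", "flags": "A"})
    for i in range(500):   # 10.0.0.9: 500 echo requests in one second
        pkts.append({"ts": i / 500, "src": "10.0.0.9", "dst": "10.0.0.1", "proto": "icmp", "type": 8})
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    print("SYN flood from:", syn_flood_sources(capture))
    print("ping flood from:", ping_flood_sources(capture))
    print("teardrop overlap:", overlapping_fragments([(0, 1480), (1480, 1480), (2000, 500)]))
    print("ping of death:", oversized_datagram([(0, 1480), (65120, 1480)]))
```

The two rate checks key on source address, which is exactly what a spoofed or distributed flood defeats; in practice they are run per destination as well, with the per-source view used only to pick out the unsophisticated attacker.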



Test case examples
Two test cases are observed in the following sections. These simple test cases show how to set up
for testing the performance of networks and specific devices when being loaded with both DoS and
standard application traffic.

Test Case 1: Ping Attack on Oracle Traffic

Objective
In this test case, you will create a typical traffic pattern of Oracle traffic, operating over a known
port. After measuring throughput, response time and transaction rates, you will start a DoS Ping
attack and compare the results.
Methodology:
1. Create an Oracle transaction as per the following criteria:

 Endpoint 1 and Endpoint 2 network addresses assigned as per your setup


 Set up the "How does the Console know Endpoint 1" address using the Ixia
management address, e.g. 10.0.3.1. Similarly, set up a management address for the
"How does Endpoint 1 know Endpoint 2?" address, e.g. 10.0.3.2
 Use a sample script such as the "Oracle_AP_Tier_Invoice_Mult_Dist.scr" script for this
pair.
 Edit the script so that it uses TCP port 31. Also, use minimum transaction delays and an
unlimited send data rate.
 Replicate the pair n times according to your traffic volume. In this case, the pair was
replicated 19 times so that there are a total of 20 Oracle traffic flows in this test.
 Set the run time to 1 minute. Be sure to choose the 'Batch mode' run option.
 In the resulting charts, you may want to display a total rather than the results of each
individual script.
2. Ensure that the DUT allows all traffic (rules not enforced) to pass through to generate a set
of baseline test results.

 Run the transaction and record the results in the "No DoS/No DUT" column of the table
below. See the figure for a typical results screen.
 Now instruct the DUT to enforce its rules, and then re-run the transaction. Record the
results in the "No DoS/DUT" column. This should tell you whether or not the DUT itself
is affecting traffic rates. Note that the DUT should be set up to defend against the DoS
Ping attack, which will be used in a subsequent step.
 Now instruct the DUT to NOT enforce its rules and insert a DoS attack. This particular
attack should emanate from Endpoint 1 and target Endpoint 2.
 Depending on the capabilities of your DUT and the available network bandwidth, you
may want to override the stream line rate (e.g. 15%). Also, ensure that the "Measure
hardware performance pair statistics" checkbox is UNCHECKED. This ensures that the
target CPU (in this case, the Ixia CPU) handles the details of the incoming ICMP Ping
requests. See the figure for what this should look like. Run and record the results in the
"DoS/No DUT" column. For a comparative look at results with DoS and no DUT, see the
figure.
 Now enable the DUT and re-run the transaction. Record the results in the "DoS/DUT"
column.
 The completed table should give you a good comparative analysis of how well your
DUT can protect internal hosts from DoS Ping attacks.

Table: Comparative test table for enterprise application traffic with DOS attack traffic

Figure: Typical results for no DoS and no DUT.



Figure: Setting up for DoS Ping attacks

Figure: Comparative results for DoS and no DUT



Test Case 2: VoIP and TCP SYN Attacks

Objective
This test case will observe what happens in a VoIP environment when a series of SYN attacks are
directed at a host. It will show how VoIP connections can be sabotaged when the DUT is not
configured correctly.
Methodology
A communication channel will be set up between two sets of Performance Endpoints, creating
several VoIP conversations. A TCP SYN attack will be launched against one of the endpoints from
a third location. The DUT will initially allow the attack to proceed. In the second iteration, the
DUT will be configured to disallow any TCP connection attempts from the third-party location. The
VoIP conversations will exist between the 17.176.5.0/24 and the 192.168.10.0/24 networks. Another
network will be superimposed on the same physical connection as the 17.176.5.0/24 network,
utilizing an address from the 13.7.5.0/24 network.
Note that IxApplifier will be used to install an address range of 17.176.5.101 to 17.176.5.120 on the
public side of the DUT, and an address range of 192.168.10.101 to 192.168.10.120 on the private
side. Also, the third-party address 13.7.5.100 will be installed on the external port. It will target
address 192.168.10.101 on the internal port, using the DUT as a gateway at address 13.7.5.1.
1. Set up VoIP pairs between internal and external clients. The VoIP traffic will travel in both
directions; that is, half of the connections will have Endpoint 1 on the private side of the DUT,
and half will have Endpoint 1 on the public side. Set up a total of 20 pairs. See the setup in the
figure.
2. Ensure that DUT rule enforcement is turned off.
3. Set up the attacking port to use a hardware performance pair. Select the
IPv4_Syn_Port80_74Bytes.str pattern. Make sure "Measure hardware performance pair
statistics" is left unchecked so that the victim port (internal port) responds to the attack.
Finally, override the stream line rate and set up a very low rate of attack. You may have to
experiment a bit with this number. A good starting point is 0.01%. The objective is to slowly
overwhelm the victim port as the test is underway.
4. Set the run time to 1 minute, and run the test. You should see the MOS scores registering an
almost perfect performance up to the point that the victim processor gets overwhelmed with
TCP requests. At that point, the MOS scores will cease to exist, indicating that no more data is
coming in from the victim port.
Figure: VoIP setup
5. If the target port did not crash, go back to step 3 and adjust the stream line rate higher. You
should not have to go any higher than 5% to see the detrimental results of a TCP SYN attack.
6. Turn on DUT rule enforcement. There are several things that can be done on the DUT,
depending on the sophistication of the filtering required. If the DUT terminates and proxies
TCP connections, then you could turn on TCP SYN cookies to stop the effects of the SYN
attack. The simplest method is to filter on the malicious source address, 13.7.5.100. This may
not be practical in the real world, where the sources of a distributed attack are many and
spoofed, but it demonstrates the DUT's ability to filter on undesirable source addresses.
7. Run the test again and ensure that the MOS scores stay at their near-perfect levels throughout
the test.

3.15 PENETRATION TESTING TOOLS


3.15.1 PORT SCANNERS
Port scanning tools are used to gather information about a test target from a remote network
location. Specifically, port scanners attempt to locate which network services are available for
connection on each target host. They do this by probing each of the designated (or default) network
ports or services on the target system. Most port scanners are able to scan both TCP and UDP
ports. Most can also target a specified list of ports and can be configured for the speed and port
sequence in which they scan. Additionally, most port scanners are able to perform a range of
different varieties of port probes. These include the standard full connection (SYN, SYN/ACK, ACK)
for TCP ports, as well as "half-open" scans in which the scanner sends the SYN, classifies the port
from the SYN/ACK or RST that comes back, and never completes the handshake. Lastly, another
common feature of port scanners is their ability to deduce the operating system type, and often the
version number, by observing the empirical behavior a host exhibits when probed with unusual
combinations of TCP flags. They can do this because many TCP/IP implementations differ in their
responses to probes whose handling is not explicitly defined by the RFCs. The rationale for all of
this configuration flexibility is that the tester can employ a great deal of agility in testing for
different port configurations, as well as attempt to hide from network intrusion detection
mechanisms and the like. Although this can be particularly useful for testing production or
near-production network environments, its usefulness is at best diminished for the purposes laid
out here.

3.15.2 VULNERABILITY SCANNERS


Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a
vulnerability scanner identifies hosts and open ports, but it also provides information on the
associated vulnerabilities (as opposed to relying on human interpretation of the results). Most
vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.
Vulnerability scanners provide system and network administrators with proactive tools that can be
used to identify vulnerabilities before an adversary can find them. A vulnerability scanner is a
relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities.
The primary distinction between a port scanner and vulnerability scanner is that vulnerability
scanners attempt to exercise (known) vulnerabilities on their targeted systems, whereas port
scanners only produce an inventory of available services. That said, the distinguishing factors
between port and vulnerability scanners are often times blurred. Apart from that, a good
vulnerability scanner is a vital tool to a traditional penetration tester. They provide an essential
means of meticulously probing each and every available network service on the targeted hosts.
Vulnerability scanners work from a database of documented network service security defects,
exercising each defect on each available service of the target range of hosts. This enables the tester
to rapidly and quite exhaustively look for common configuration weaknesses in the targeted
systems as well as for unpatched network server software. Traditional vulnerability scanners are
generally able to scan only target operating systems and network infrastructure components, as
well as any other TCP/IP device on a network, for operating system level weaknesses. They are not
able to probe general purpose applications, as they lack any sort of knowledge base of how an
unknown application functions. Some vulnerability scanners are able to attempt to exploit network
trust relationships by recursively scanning the targeted network on each compromisable host. This
capability is particularly useful to a CIO audience, as it enables the test team to demonstrate how
an attacker might be able to enter a corporate network by taking iterative steps towards a target.
Again, however, it is of little relevance to the sorts of penetration testing that matter the most in a
software development context, except (arguably) to demonstrate to the development team how a
single weakness might lead to greater compromises if exploited.
Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. Vulnerability
scanners can also help identify out-of-date software versions, applicable patches or system
upgrades, and validate compliance with, or deviations from, the organization's security policy. To
accomplish this, vulnerability scanners identify operating systems and major software applications
running on hosts and match them with known exposures. Scanners employ large databases of
vulnerabilities to identify flaws associated with commonly used operating systems and
applications.
The scanner will often provide significant information and guidance on mitigating discovered
vulnerabilities. In addition, some vulnerability scanners can automatically make corrections and fix
certain discovered vulnerabilities. This assumes that the operator of the vulnerability scanner has
"root" or administrator access to the vulnerable host. However, vulnerability scanners have some
significant weaknesses. Generally, they only identify surface vulnerabilities and are unable to
address the overall risk level of a scanned network. Although the scan process itself is highly
automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities
when none exist). This means an individual with expertise in networking and operating system
security and in administration must interpret the results.
Since vulnerability scanners require more information than port scanners to reliably identify the
vulnerabilities on a host, vulnerability scanners tend to generate significantly more network traffic
than port scanners. This may have a negative impact on the hosts or network being scanned or
network segments through which scanning traffic is traversing. Many vulnerability scanners also
include tests for denial of service (DoS) attacks that, in the hands of an inexperienced tester, can
have a considerable negative impact on scanned hosts. Another significant limitation of
vulnerability scanners is that they rely on constant updating of the vulnerability database in order to
recognize the latest vulnerabilities. Before running any scanner, organizations should install the
latest updates to its vulnerability database. Some vulnerability scanner databases are updated more
regularly than others. The frequency of updates should be a major consideration when choosing a
vulnerability scanner. Vulnerability scanners are better at detecting well-known vulnerabilities
than the more esoteric ones, primarily because it is difficult to incorporate all known vulnerabilities
in a timely manner. Also, manufacturers of these products try to keep the speed of their scanners high
(detecting more vulnerabilities requires more tests, which slows the overall scanning process).
Vulnerability scanners provide the following capabilities:
 Identifying active hosts on the network.
 Identifying active and vulnerable services (ports) on hosts.
 Identifying applications and banner grabbing.
 Identifying operating systems.
 Identifying vulnerabilities associated with discovered operating systems and applications.
 Identifying misconfigured settings.
 Testing compliance with host application usage/security policies.
 Establishing a foundation for penetration testing.
Vulnerability scanners can be of two types: network-based scanners and host-based scanners.
Network-based scanners are used primarily for mapping an organization's network and identifying
open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating
system of targeted systems. The scanners can be installed on a single system on the network and
can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host
to be tested and are used primarily to identify specific host operating system and application
misconfigurations and vulnerabilities. Because host-based scanners are able to detect
vulnerabilities at a higher degree of detail than network-based scanners, they usually require not
only host (local) access but also a "root" or administrative account. Some host-based scanners offer
the capability of repairing misconfigurations.
Organizations should conduct vulnerability scanning to validate that operating systems and major
applications are up to date on security patches and software version. Vulnerability scanning is a
somewhat labor-intensive activity that requires a high degree of human involvement in interpreting
the results. It may also disrupt network operations by taking up bandwidth and slowing response
times. However, vulnerability scanning is extremely important for ensuring that vulnerabilities are
mitigated before they are discovered and exploited by adversaries. Vulnerability scanning should
be conducted at least quarterly to semi-annually. Highly critical systems such as firewalls, public
web servers, and other perimeter points of entry should be scanned nearly continuously. It is also
recommended that since no vulnerability scanner can detect all vulnerabilities, more than one
should be used. A common practice is to use a commercially available scanner and a freeware
scanner.
Host-based vulnerability scanners are also readily available, both commercially as well as within
the open source community. They scan a host operating system for known weaknesses and
unpatched software, as well as for such configuration problems as file access control and user
permission management defects. Although they do not analyze application software directly, they
are useful at finding mistakes made in access control, configuration management, and other
configuration attributes, even at an application layer. Therefore, they are useful aids in a
development-driven penetration test, if only to spot human errors in configurations. Although both
host- and network-based vulnerability scanners do little to help an application-level penetration
test, they are necessary fundamental tools for penetration testers. Popular vulnerability scanners
include Nessus and Nmap. Taking the concept of the network-based vulnerability scanner one step
further, application scanners began appearing several years ago.

3.15.3 WEB APPLICATION ASSESSMENT PROXY
Although they only work on web applications, web application assessment proxies are perhaps the
most useful of the vulnerability assessment tools listed here. Assessment proxies work by
interposing themselves between the tester's web browser and the target web server. Further, they
allow the tester to view and manipulate any and all data content flowing between the two. This
gives the tester a great deal of flexibility in trying different "tricks" to exercise application
weaknesses in the application's user interface and associated components. This level of flexibility
is why assessment proxies are considered essential tools for all black box testing of web
applications. For example, the tester can view all cookies, hidden HTML fields, and other data in
use by a web application and attempt to manipulate their values to trick the application into
granting access that the tester should not have. Changing cookie values such as
customer ID can have startling results on poorly developed applications.
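As an added illustration (not code from the original module), a constructed request handler showing the customer-ID cookie weakness described above beside a hardened version that takes identity only from a server-side session and treats any client-supplied ID as a claim to be authorized. The account data, session store and login check are constructed for the example.

```python
import secrets

# Constructed data for the example, not from the original module.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}
CUSTOMER_OF = {"alice": "1001", "bob": "1002"}
SESSIONS = {}   # server-side session store: opaque token -> customer id


def vulnerable_view_account(cookies):
    """Trusts the customer_id cookie exactly as the browser sends it. Anyone who
    edits that cookie in an assessment proxy sees some other customer's account."""
    cid = cookies.get("customer_id")
    if cid in ACCOUNTS:
        return 200, ACCOUNTS[cid]
    return 404, None


def login(username, password):
    """Constructed credential check (a real application verifies a password hash).
    On success the client receives only an unguessable token that carries no meaning."""
    if username not in CUSTOMER_OF or password != "correct horse battery":
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = CUSTOMER_OF[username]
    return token


def hardened_view_account(cookies, requested_id):
    """Identity comes only from the server-side session. Any id the client supplies
    (cookie, hidden field, query string) is a claim to be authorized, never trusted."""
    cid = SESSIONS.get(cookies.get("session", ""))
    if cid is None:
        return 401, None                        # no valid session at all
    if requested_id != cid:
        return 403, None                        # tampered id: log it as a fraud signal
    return 200, ACCOUNTS[cid]


if __name__ == "__main__":
    print(vulnerable_view_account({"customer_id": "1002"}))   # anyone can read bob's account
    token = login("alice", "correct horse battery")
    print(hardened_view_account({"session": token}, "1002"))  # (403, None)
```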

3.15.4 SECURITY TESTING TOOLS
We use the tools mentioned below to help us perform our penetration testing and audit tasks. This
is not an exhaustive list but is illustrative of the software we find helpful, in addition to the manual
tests we perform.

nmap: Nmap is an open source utility for network exploration or security auditing, in preparation
for penetration testing. It was designed to rapidly scan large networks. Nmap uses raw IP packets
in novel ways to determine what hosts are available on the network, what services (ports) they are
offering, what operating system (and OS version) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.

Netcat: Netcat has been dubbed the network Swiss army knife. It is a simple UNIX utility which
reads and writes data across network connections, using TCP or UDP protocol. It is designed to be
a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
At the same time, it is a feature-rich network debugging and exploration tool, since it can create
almost any kind of connection you would need and has several interesting built-in capabilities.

SmartWhois: Unlike standard Whois utilities, SmartWhois can find information about a computer
or domain in any part of the world, even if an IP address cannot be resolved to a hostname. It
reveals country, state or province, city, name of the network provider, administrator and technical
support contact information, as well as IP ranges.

Sam Spade: Sam Spade for Windows is a freeware network query tool which we use for nslookup,
dig, finger, DNS zone transfer, SMTP relay check and e-mail header analysis.

Brutus: Brutus is one of the fastest, most flexible remote password crackers you can get your hands
on; it is also free. It is available for Windows 9x, NT and 2000. Brutus was first made publicly
available in October 1998 and since that time there have been at least 70,000 downloads and over
175,000 visitors to its home page.

PuTTY: PuTTY is a free implementation of Telnet and SSH for Win32 platforms, along with an
xterm terminal emulator.

Standards Compliance
There are a number of good standards and guidelines in relation to information security in general,
for penetration tests in particular, and for the storage of certain types of data. Any provider chosen
should at least have a working knowledge of these standards and would ideally be exceeding their
recommendations. Notable organizations and standards include:
PCI
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004,
and apply to all Members, merchants, and service providers that store, process or transmit
cardholder data. As well as a requirement to comply with this standard, there is a requirement to
independently prove verification.
ISACA
ISACA was established in 1967 and has become a pace-setting global organization for information
governance, control, security and audit professionals. Its IS Auditing and IS Control standards are
followed by practitioners worldwide and its research pinpoints professional issues challenging its
constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone
certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing,
control and security and has grown to be globally recognized and adopted worldwide as a symbol
of achievement.
OSSTMM
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a
standard for Internet security testing. It is intended to form a comprehensive baseline for testing
that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This
should enable a client to be certain of the level of technical assessment independently of other
organization concerns, such as the corporate profile of the penetration-testing provider.
OWASP
The Open Web Application Security Project (OWASP) is an Open Source community project
developing software tools and knowledge based documentation that helps people secure web
applications and web services. It is an open source reference point for system architects,
developers, vendors, consumers and security professionals involved in designing, developing,
deploying and testing the security of web applications and Web Services. The key areas of
relevance are the forthcoming Guide to Testing Security of Web Applications and Web Services
and the testing tools under the development projects. The Guide to Building Secure Web
Applications not only covers design principles, but is also a useful document for setting out criteria
by which to assess vendors and test systems.

3.16 WIRELESS PENETRATION TESTING
Penetration testing is one of the best ways to accurately evaluate your wireless network's current
level of risk. Seeing in real time how and where an attacker can access your system allows network
administrators to address vulnerabilities before someone else finds them.
For our purposes, the methods that hackers use to try to breach your wireless network should also
become the methods you use to test your network. By doing so you'll understand your
vulnerabilities in advance, allowing you to address areas that are economically feasible for your
particular situation. Remember, any issue in network security is essentially an arms race: you need
to decide how best to spend your resources to obtain the maximum level of security that you can
afford, and be aware of your remaining areas of vulnerability.
Wireless penetration testing can take several forms, including eavesdropping, malicious attacks
designed to prevent legitimate users from accessing the network, and attempts to actually gain
access to the overall corporate network via wireless vulnerabilities. Let's take a look at each one in
a bit more detail.
3.16.1 EAVESDROPPING
Given the open nature of wireless, eavesdropping is a fact of life. Anyone with a computer with a
wireless adapter, and the right software, can simply sit within range of a specific AP (access
point) or client and receive each and every network packet, thereby reconstructing the entire
network session for either the specific client, or the overall communication from the AP. And you
won't even know this is going on. Ironically, the software used to do this is also a very effective
tool in overall wireless network analysis: a packet sniffer. A packet sniffer (like OmniPeek from
WildPackets) is indispensable for any network engineer responsible for a wireless network. The
idea is to understand what can be captured with a packet sniffer from your network before misuse
does, including things like how far away your network remains vulnerable and which users (and
applications) are most vulnerable. Using any level of encryption helps here, as only the packet
headers of encrypted data will be accessible via sniffing, assuming your encryption keys have not
been cracked.
A man-in-the-middle attack is a more sophisticated form of eavesdropping, where the perpetrator
actually "participates" in the network by taking receipt of a data stream and changing its contents
before forwarding it on. This could be to redirect traffic to an unauthorized host, or even to
manipulate data within a communication, such as a credit card transaction. As with eavesdropping,
wireless data encryption of the highest practical form is the best defense.

3.16.2 DISTRIBUTIVE ATTACKS
A Denial of Service (DoS) attack, which is much easier to mount on a wireless network than on a
wired network, is the most basic form of disruption attack. Since the physical layer for wireless is
the air, and the spectrum that is used is shared by other devices, one simple yet effective DoS
attack is simply to flood the spectrum with noise and illegitimate traffic. Though illegal, this is
quite hard to trace, and even harder to prove. There's no real need to perform DoS testing of your
own, especially at layer one, because it's just plain easy to do and there's very little to do to
counteract it. The best approach is to make sure you have tools in place, and know how to use
them, that can monitor layer one for interference, possibly even identifying the type, as well as
monitor layer two and above to alert you when DoS activity is detected on the network.

3.16.3 UNAUTHORIZED NETWORK ACCESS
Although eavesdropping and disruption attacks are certainly serious, they also tend to be localized,
since WLAN signals only travel for several hundred feet. These attacks are most effective when a
large number of users are confined to a relatively small space, like a conference center or a
stadium. Unauthorized network access, though somewhat harder to accomplish, has a much greater
reach if successful as it allows the hacker to gain access to the network overall, eliminating the
"localized" effect of WLAN signals. Unauthorized WLAN access, assuming your WLAN is not
already open to all users (which should never be the case), requires that either (a) the perpetrator
know, or somehow guess, the key used for network access (and subsequently the seed for data
encryption) or (b) the perpetrator employ specific software that monitors overall WLAN traffic,
eventually "cracking" the network key either through brute force efforts or by watching for certain
weaknesses known in WLAN protection schemes, like WEP (wired equivalent privacy). Once the
key is cracked, the perpetrator is on your network, with all the privileges allowed to your wireless
users. The best protection against unauthorized access is first and foremost to use the most
powerful WLAN protection scheme possible, WPA2 Enterprise. No other scheme is really suitable
for corporate networks. And if you feel that's not enough, place your wireless network in your
DMZ and require that wireless users only access corporate data over a VPN.

3.17 ESCALATION OF PRIVILEGES
Services running on computers connected to the Internet present a target for attackers to
compromise their security. This can lead to unauthorized access of sensitive data or resources.
Services that require special privileges for their operation are critically sensitive. A programming
error here may allow an attacker to obtain and abuse the special privileges.
The degree of the escalation depends on which privileges the attacker is authorized to hold and
which privileges can be obtained in a successful attack. For example, a programming error that
permits a user to gain extra privilege after successful authentication limits the degree of escalation
because the user is already authorized to hold some privileges. On the other hand, a remote attacker
gaining super user privileges without any authentication presents a more severe escalation.

3.17.1 LEAST PRIVILEGE
We refer to a privilege as a security attribute that is required for certain operations. Privileges are
not unique and may be held by multiple entities. The motivation for this effort is the principle of
least privilege: every program and every user should operate using the least amount of privilege
necessary to complete the job. Applying the principle to application design limits unintended
damage resulting from programming errors. Three approaches are suggested to application design
that help prevent unanticipated consequences from such errors: defensive programming, language-
enforced protection, and protection mechanisms supported by the operating system. The latter two
approaches are not applicable to many Unix-like operating systems because they are developed in
the C language, which lacks type-safety or other protection enforcement. Even if the principle of
least privilege has been followed, an attacker may still gain those privileges that are necessary for
the application to operate.

3.17.2 PRIVILEGE SEPARATION
This section presents an approach called privilege separation which cleaves an application into
privileged and unprivileged parts. Its philosophy is similar to the decomposition found in micro-
kernels or in UNIX command line tools. Privilege separation is orthogonal to other protection
mechanisms that an operating system might support. The goal of privilege separation is to reduce
the amount of code that runs with special privileges. We achieve this by splitting an application
into two parts: one part runs with privileges and the other runs without them. We call the
privileged part the monitor and the unprivileged part the slave. The slave has to ask the monitor to
perform any operation that requires privileges. Before serving a request from the slave, the monitor
first validates it. If the request is currently permitted, the monitor executes it and communicates the
results back to the slave. In order to separate the privileges in a service, it is necessary to identify
the operations that require them.
Programming errors in privileged services can result in system compromise allowing an attacker to
gain unauthorized privileges. Privilege separation is a concept that allows the majority of an
application to run without any privileges at all. Programming errors in the unprivileged part of the
application cannot lead to privilege escalation.
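An added example, not from the original module, of the monitor/slave split described above: the privileged parent validates every request that arrives from an unprivileged forked child against an allowlist (here the only permitted operation is reading files below one directory) before executing it, and keeps the outcome log on its own side. The policy, the requests and the fallback uid 65534 for "nobody" are assumptions made for the example.

```python
import json
import os
import tempfile

NOBODY_UID = 65534   # assumed conventional uid/gid for "nobody" if no passwd entry exists


class Monitor:
    """Privileged side. Holds the policy and performs privileged work on request."""

    def __init__(self, allowed_dir):
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.log = []                      # (request, outcome) kept only on this side

    def _resolve(self, req):
        return os.path.realpath(os.path.join(self.allowed_dir, str(req.get("path", ""))))

    def validate(self, req):
        """Return an error string, or None when the request is currently permitted."""
        if req.get("op") != "read_file":
            return "operation not permitted"
        if not self._resolve(req).startswith(self.allowed_dir + os.sep):
            return "path outside allowed directory"
        return None

    def serve(self, req):
        err = self.validate(req)
        if err is not None:
            self.log.append((req, "denied: " + err))
            return {"ok": False, "error": err}
        with open(self._resolve(req)) as f:   # the only privileged operation offered
            data = f.read()
        self.log.append((req, "served"))
        return {"ok": True, "data": data}


def slave_main(requests, req_w, resp_r):
    """Unprivileged side: never touches the files itself, only asks the monitor."""
    if os.getuid() == 0:                   # drop root before doing any work
        try:
            import pwd
            nobody = pwd.getpwnam("nobody")
            gid, uid = nobody.pw_gid, nobody.pw_uid
        except KeyError:
            gid, uid = NOBODY_UID, NOBODY_UID
        os.setgid(gid)
        os.setuid(uid)
    with os.fdopen(req_w, "w") as out, os.fdopen(resp_r, "r") as inp:
        for req in requests:
            out.write(json.dumps(req) + "\n")
            out.flush()
            inp.readline()                 # a real slave would act on the reply


def run_privsep(requests, allowed_dir):
    """Fork: the child becomes the slave, the parent stays the monitor.
    Returns the monitor's log of what it served and what it refused."""
    req_r, req_w = os.pipe()
    resp_r, resp_w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(req_r)
        os.close(resp_w)
        try:
            slave_main(requests, req_w, resp_r)
        finally:
            os._exit(0)
    os.close(req_w)
    os.close(resp_r)
    monitor = Monitor(allowed_dir)
    with os.fdopen(req_r, "r") as inp, os.fdopen(resp_w, "w") as out:
        for line in inp:                   # ends when the slave closes its end
            reply = monitor.serve(json.loads(line))
            out.write(json.dumps(reply) + "\n")
            out.flush()
    os.waitpid(pid, 0)
    return monitor.log


def demo():
    """Constructed scenario: one permitted read, one directory-traversal attempt,
    and one operation the monitor does not offer at all."""
    with tempfile.TemporaryDirectory() as allowed_dir:
        with open(os.path.join(allowed_dir, "app.conf"), "w") as f:
            f.write("listen=443\n")
        requests = [
            {"op": "read_file", "path": "app.conf"},
            {"op": "read_file", "path": "../../../etc/hostname"},
            {"op": "spawn_shell", "cmd": "id"},
        ]
        return run_privsep(requests, allowed_dir)


if __name__ == "__main__":
    for req, outcome in demo():
        print(outcome, "<-", req)
```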

3.17.3 COMMON TESTING TOOLS
Three Useful Tools
 ethereal – see what is on your network
 nmap – determine which ports are open
 nessus – search for vulnerabilities
Ethereal
 Open Source network protocol analyzer (ethereal.com)
 Key points:
o run as root, but use su (not su )
o use filters in busy networks
o analyze stored traffic or live traffic
o have permission to sniff traffic first
 Good points:
o Large list of decoded protocols
o Easy to use interface
 Bad points:
o Filter language difficult to use (and important)
o May crash in heavy traffic (capture traffic using tethereal or tcpdump for later analysis)
1. nmap
A commonly used port scanner for identifying active hosts and associated services (i.e., open ports)
is nmap (see Appendix C for website). Nmap allows for a variety of different types of port scans to
be used in order to determine whether a port is open or closed. Nmap uses raw IP packets to
identify the available hosts on a network, the services or ports that are open, type of operating
system and version that hosts are running, type of packet filters and firewalls in use, and other
characteristics.
The most basic form of port scanning supported by nmap is the TCP connect() scan, using the -sT
option flag (nmap is case sensitive). The connect() system call provided by the host operating
system is used to attempt to open a connection to any or all ports (user selects) on a remote host. If
the port is listening or open, then the connect() will succeed, otherwise the port is not listening or is
in a closed state. No special privileges are needed in order to employ this kind of scan. A more
common scan that is not as easily detected as the TCP connect() scan is the TCP SYN scan, also
known as a SYN Stealth scan or "half-open" scan, since nmap does not open a full TCP connection
(see Figure). This scan is implemented using the -sS flag. On a Unix/Linux host running nmap, root
privileges are needed in order to create the custom SYN packets that are needed for this type of
scan.
First a SYN packet is sent as though the machine running nmap is initiating a "genuine" TCP
connection. The host running nmap then waits for a response. A SYN|ACK response is indicative
of a listening or open port. A response of RST is indicative of a non-listening or closed port. If a
SYN|ACK is received, a RST is immediately sent to "cancel" the connection. This final action is
required to remove the possibility of causing a SYN flood DoS attack. This can occur because all
pending connections are stored in a buffer. If a RST is not sent, the target host's buffer may reach
capacity. When this occurs, legitimate requests will not be processed resulting in a DoS until either
a RST is received or timeout occurs on the pending requests.
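As an added example written from the detection side (not part of the original module), a small classifier that replays the SYN, SYN|ACK, RST exchange described above over a constructed packet log and reports sources whose flows start with a SYN but never send the ACK that completes a genuine connect(). The hosts, ports and threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment summarised from a capture (constructed, not real traffic)."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN|ACK, "A" = ACK, "R" = RST


def _flow_key(pkt, flows):
    """Map a segment onto the (client, server, server_port) flow it belongs to."""
    if pkt.flags == "S":                       # bare SYN: client -> server
        return (pkt.src, pkt.dst, pkt.dport)
    if pkt.flags == "SA":                      # SYN|ACK: server -> client
        return (pkt.dst, pkt.src, pkt.sport)
    # RST or ACK may travel in either direction; attach it to a flow already seen
    fwd = (pkt.src, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.src, pkt.sport)
    if fwd in flows:
        return fwd
    if rev in flows:
        return rev
    return None                                # stray segment with no preceding SYN


def detect_syn_scanners(packets, min_ports=10):
    """Return {source_ip: stats} for sources that opened at least min_ports flows
    with a SYN and never completed the handshake (SYN, SYN|ACK, then RST or nothing).
    stats holds the probed (server, port) pairs, the subset that answered SYN|ACK
    (i.e. were open) and the number of genuine connections the source made."""
    flows = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = _flow_key(pkt, flows)
        if key is None:
            continue
        role = "client" if pkt.src == key[0] else "server"
        flows.setdefault(key, []).append((role, pkt.flags))

    per_source = defaultdict(lambda: {"probed": set(), "open": set(), "completed": 0})
    for (client, server, port), events in flows.items():
        if events[0] != ("client", "S"):
            continue
        stats = per_source[client]
        if ("client", "A") in events:          # third handshake step: a real connect()
            stats["completed"] += 1
            continue
        stats["probed"].add((server, port))    # half-open probe, never completed
        if ("server", "SA") in events:
            stats["open"].add((server, port))  # the target admitted a listening port
    return {src: s for src, s in per_source.items() if len(s["probed"]) >= min_ports}


def build_sample_capture():
    """Constructed capture: 10.0.0.5 SYN-scans 20 ports on 192.168.3.10 (22 and 25
    are listening), while 10.0.0.7 makes one legitimate HTTP connection."""
    scanner, target, legit = "10.0.0.5", "192.168.3.10", "10.0.0.7"
    pkts, ts = [], 0.0
    for port in range(20, 40):
        ts += 0.010
        pkts.append(Packet(ts, scanner, target, 40000 + port, port, "S"))
        if port in (22, 25):   # open: SYN|ACK comes back, scanner tears down with RST
            pkts.append(Packet(ts + 0.001, target, scanner, port, 40000 + port, "SA"))
            pkts.append(Packet(ts + 0.002, scanner, target, 40000 + port, port, "R"))
        else:                  # closed: the target answers with RST
            pkts.append(Packet(ts + 0.001, target, scanner, port, 40000 + port, "R"))
    pkts.append(Packet(ts + 1.000, legit, target, 51000, 80, "S"))
    pkts.append(Packet(ts + 1.001, target, legit, 80, 51000, "SA"))
    pkts.append(Packet(ts + 1.002, legit, target, 51000, 80, "A"))
    return pkts


if __name__ == "__main__":
    for src, stats in detect_syn_scanners(build_sample_capture()).items():
        print(src, "probed", len(stats["probed"]), "ports; open:",
              sorted(p for _, p in stats["open"]))
```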
Nmap allows other types of ping requests to be used also. These types include a "TCP" ping,
connection request ping, and true ICMP ping or ICMP echo request. A "TCP" ping, flag of -PT,
sends out TCP ACK packets throughout the target network and waits for responses. Hosts that are
up on the network should respond with a RST. A connection request ping, flag of -PS, sends out
connection request or SYN packets onto the target network. Hosts that are on the network should
respond with a RST. A true ICMP ping, flag of -PI, sends an ICMP echo request packet on to the
network and waits for an ICMP echo response to validate hosts that are on the network. The default
ping type, flag of -PB, uses a combination of the "TCP" ping and the ICMP ping in parallel. This
allows one to find hosts that are operating behind firewalls that filter one but not both types of
pings. Another feature of nmap is the ability to remotely fingerprint the operating system and
version that the scanned hosts are running. Nmap uses queries of the host's TCP/IP stack and the
knowledge that different operating systems and their respective versions have different responses.
This feature can be implemented with the -O flag.
The command line format for running nmap is as follows:
nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
An example SYN scan of a class C network is shown in Figure.

Figure: SYN scan
This scan would perform a SYN stealth scan without first pinging the hosts on the class C subnet
192.168.3.0. In addition, the scan will check ports 1 through 12,000 inclusive for open services.
After mapping the ports, nmap will attempt to fingerprint the operating system and version. All
output from this scan will be in verbose mode (which provides more details on the scanned hosts)
and this output will also be saved in human readable (plain text as opposed to binary) output to the
file scan.txt. The output of nmap on one of the scanned hosts is provided in Figure (the text file
would list similar results for each active host found).

Figure: Example Nmap Output

 The continually updated Open Source tool for network exploration and security assessments
o nmap.insecure.org
 Written by a security consultant, Fyodor
 Basically a port scanner
o but will do much more
nmap is useful for discovering in-use IP addresses:
 quickly send ICMP Echo with -sP to check which hosts are up and respond
 ARP scans can be used in the local network, and are very fast and quite reliable (-PR)
 other types of scans are possible, such as ACK scans to port 80 (-PA -p 80)
 Port scanning detects open ports
o Open ports represent listening services
o Listening services are potentially vulnerable services
 Use port scanning to
o check for compliance with policy, i.e., no web servers on desktops
o find unusual services, or a service list differing from netstat, an indication that a rootkit has
been installed
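An added example, not from the original module, that turns the two policy checks listed above into code: it parses nmap's human-readable (-oN) output, flags web servers on desktop addresses, and lists open ports absent from a per-host baseline such as a netstat listing taken on the host itself. The scan text, the address convention (last octet 100 or above means desktop) and the baselines are constructed for the example.

```python
import re

# Constructed nmap -oN (normal, human-readable) output for three hosts on 192.168.3.0/24.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sS -p 1-1024 -oN scan.txt 192.168.3.0/24
Nmap scan report for 192.168.3.10
Host is up (0.0012s latency).
Not shown: 1021 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for 192.168.3.25
Host is up (0.0020s latency).
Not shown: 1023 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for desktop-12.example.local (192.168.3.120)
Host is up (0.0030s latency).
Not shown: 1021 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
# Nmap done: 256 IP addresses (3 hosts up) scanned
"""

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_normal(text):
    """Return {ip: {"hostname": str or None, "ports": [(port, proto, state, service), ...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = {"hostname": m.group("host"), "ports": []}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current]["ports"].append(
                (int(m.group("port")), m.group("proto"), m.group("state"), m.group("service")))
    return hosts


def open_tcp_ports(host):
    return {port for port, proto, state, _ in host["ports"] if proto == "tcp" and state == "open"}


def web_servers_on_desktops(hosts, is_desktop, web_ports=frozenset({80, 443, 8080})):
    """Policy check from the text: no web servers on desktops. Returns [(ip, port), ...]."""
    violations = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        if is_desktop(ip):
            violations.extend((ip, port) for port in sorted(open_tcp_ports(hosts[ip]) & web_ports))
    return violations


def unexpected_services(hosts, baseline):
    """Compare the scan against a per-host baseline (e.g. the listening ports netstat shows
    on the host itself). Ports nmap sees open that the host does not list need a closer look."""
    diffs = {}
    for ip, host in hosts.items():
        extra = open_tcp_ports(host) - baseline.get(ip, set())
        if extra:
            diffs[ip] = sorted(extra)
    return diffs


def is_desktop_address(ip):
    """Constructed address convention for the example: last octet >= 100 is a desktop."""
    return int(ip.rsplit(".", 1)[1]) >= 100


if __name__ == "__main__":
    hosts = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print("web servers on desktops:", web_servers_on_desktops(hosts, is_desktop_address))
    baseline = {"192.168.3.10": {22, 80, 443}, "192.168.3.25": {22}, "192.168.3.120": {445}}
    print("open ports missing from baseline:", unexpected_services(hosts, baseline))
```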
nmap Port Scanning
 Traditional port scan displays the port number and service name
 nmap can attempt to identify application version
o adds reliability to service name identification
o provides additional information to port scan
o based on banner grabbing
nmap OS Identification
 nmap will attempt to identify the OS version of scanned systems
o requires discovering one open and one closed port
o examines responses to packets sent to open and closed ports
o collects other information, such as ISN, IP id, window size, and order of TCP options
o 1707 fingerprints in version 3.95
nmap Pros and Cons
 Pros
o fastest, most flexible scanner
o OS and application version info
o accepts IP address ranges, lists, file format
o frontend available for the command-line inhibited
 Cons
o scanning may be considered hostile
o SYN scans have been known to crash some systems
2. Nessus Vulnerability Scanner
Nessus is a fast and modular vulnerability scanner released by Renaud Deraison. The freeware
client/server tool audits a network remotely to enumerate and test the known vulnerabilities against
a database that is updated daily by the Internet security community in the form of plug-ins. Some
common plug-ins or security tests are for backdoors, denial of services, firewalls, Windows, etc.
The user can extend the test suite by using the Nessus Attack Scripting Language (NASL) to write
a new security test. Nessus is composed of a server component installed on a host where all the
tests are launched and client software deployed on another system to control the scan. The scan
outputs are in the form of complete exportable reports reflecting the detected vulnerabilities, the
risk level, and a remedy to the exploit.

“Nessus is a tool that has commercial counterparts still available for free use”
 Nessus works by
o locating hosts starting with a target file
o port scanning the targets located
o probing for vulnerabilities in applications listening at open ports

Nessus Client-server architecture
 client requests scans and formats results
 server accepts scan requests, authenticates clients, performs scans
 scans based on large and constantly updated vulnerability list
Pros
 free vulnerability scanning
 check for effectiveness of patching
Cons
 some UI issues
 less open than it once was
 definitely appears hostile when used
Nessus Plug-ins
By default, Nessus can perform various security tests classified in the following plug-ins families:
 Backdoors
 CGI abuses
 CISCO
 Default Unix Accounts
 Denial of Service
 Finger abuses
 Firewalls
 FTP
 Gain a shell remotely
Nessus Installation and Usage
The Nessus server component runs on POSIX systems, i.e. Solaris, FreeBSD, GNU/Linux and
others. The Nessus client software works with GTK, which is a set of Widgets used by many open-
sourced programs. There is also a client program, which is designed especially for the Windows
platform. The installation packages can be downloaded from the official Nessus web page,
http://www.nessus.org/download.html.
1. Download the script nessus-installer.sh and execute the sh nessus-installer.sh command to
install the standalone package.
Figure: Nessus Script
2. After answering a few questions, Nessus is compiled and installed on the system. The
following figure shows that the program has been installed successfully and the various
Nessus commands.

Figure: Installation Complete

3. Run the /usr/local/sbin/nessus-mkcert command to create a nessusd certificate. The
following figure shows that the certificate has been successfully created.
Figure: Nessus SSL Certificate
4. Execute the /usr/local/sbin/nessus-adduser command to create a Nessus user account that is
used to perform a scan.
5. To update the security checks (plug-ins) automatically, use the /usr/local/sbin/nessus-update-plugins
command. This will download the current security checks from the Nessus site.
6. Start the Nessus daemon (nessusd) by executing the /usr/local/sbin/nessusd -D command.
7. Run the /usr/local/bin/nessus command to start the Nessus client (nessus) that can be used
to configure and perform the vulnerability audits.
8. Enter the user name and password in order to operate the program.

Figure: Nessus Setup

9. Select the different plug-ins containing the security checks that will be used to scan a host.
Note: Nessus includes various Denial of Service tests that may crash a vulnerable target
system.
Figure: Nessus Setup Plugin Selection
10. Choose the target host or system and initiate the scan.

Figure: Nessus Setup target Selection

11. At the completion of the scan, a report reflects the open ports, detected services, security
impact and severity, and recommended solution. The report can be saved in various
formats, i.e. HTML, XML, others.

Figure: Nessus Report view

SUMMARY
Ensuring that company systems are secure and free of vulnerabilities is essential to a business's
continued development and growth. Arming IT professionals with the tools and the education to
identify and repair the system's vulnerabilities is the best method for securing against attacks.
Unfortunately, IT security is a dynamic process in an organizational environment and IT
professionals must be ever vigilant. Regular network- and host-based vulnerability assessments of
company systems are needed to ensure that these systems are continually free of vulnerabilities and
that they are compliant with the business security policies. Therefore, my vulnerability assessment
strategy will empower companies to secure and maintain their systems both efficiently and cost-
effectively.
According to Christine Orshesky, there is an increasing need for corporations to protect themselves
from computer viruses and other things that bump around the on-line community. Denial of Service
attacks and widespread virus infections have raised the issue of 'due care'. No longer is it
reasonable to rely solely on the installation of antivirus products to protect the on-line environment.
A holistic approach that provides the corporation with an integrated and layered security posture is
necessary to achieve protection, including policy, procedures, awareness, and technology. There
are many devices available to the hacker to footprint your company's network. Use these tools to
find the weaknesses before they do, so that you can prepare an organized approach to your
layered security stance.
While we put in processes to protect information assets, it is essential that the IT infrastructure is
tested on a regular basis to identify the existing weaknesses due to the operating system and
application vulnerabilities as these can be exploited either internally or externally to gain access to
information assets. IT security, governance and risk management are at the top of the agenda for global
business leaders today.
Courseware Piracy – Don't be a victim!

Worldwide it is recognized that courseware piracy is a serious offence which not only affects the creative potential of society but also causes economic losses to all those who had invested their money in bringing out pirated materials in various forms for use by end-users.

Always look forward to Authentic Certificates and ATL holograms.

If you find your course material to be pirated, immediately contact us at:

[email protected]

For the future, we should plan to implement more attack plug-ins. Also, there should certainly be some room for improvement in the performance and throughput of the tool. We should also set up a web site from which the proof-of-concept implementation of more vulnerability scanners can be downloaded. Although we are aware that it can be used for malicious purposes (just as other open source security tools can), we believe that it can provide valuable help for web application developers in auditing the security of their applications.

CASE STUDIES
Case study: 1
Web Application Penetration Testing for a UK based Bank

Background
The Client is a UK based independent bank authorized and regulated by the Financial Services Authority. The client had planned to offer its customers a reliable online payment and banking service. To ensure the security of the online banking portal, it was imperative for the client to make sure that the application was not easily susceptible to misuse and fraud, which would lead to loss of reputation, loss of customer trust and financial loss. The client wanted assurance, before the roll out, that the web application was secure and had appropriate security controls built in. Tech Mahindra security consultants performed the web application penetration testing to identify and minimize the risk of a security breach.
ATL Software Security Group Solution
A certified team of security specialists was deployed to identify the application vulnerabilities that could be exploited by a hacker. To arrive at the security posture, the security consultants adopted the following approach:
 Security consultants, after thoroughly understanding the customer's security requirements and concerns, customized the penetration testing methodology to achieve the scope of work outlined for the project.
 Analysis of the banking applications was performed to arrive at the attack scenarios.
 Tests were executed using a combination of open source and commercial tools to ensure optimum results.
 The web application was scanned using AppScan to identify potential vulnerabilities. The scan results were reviewed to identify false positives.
 Proofs of concept were conducted to confirm the existence of the security issues.
 Security consultants presented the final report to the client highlighting the areas of concern, the vulnerabilities detected and the suggested remediation.
Client Overview
The Client is a UK based bank offering services to meet the needs of customers managing and moving money online. The client had planned to launch an online banking provision to make it easy to move money to and from merchants and other customers within a secure online environment.
Solution Highlight
ATL helped the client to minimize the security risks identified during penetration testing by recommending vendor agnostic and cost effective solutions. It conducted a Web Application Penetration Test of the online banking portal from our Vulnerability Assessment Centre (VAC). VAC is a state-of-the-art security testing and research facility dedicated to research and development in Security Testing.
Case Study: 2
Penetration Test – Client of ATL
Industry Sector: Finance
The client environment is often utilized to provide restricted-functionality environments to internal staff and third-party organizations, including contractors and external consultants. If not adequately secured, these environments provide a wealth of opportunity for the 'interested' or malicious user to gain elevated levels of access to networked systems. Poorly secured client deployments can present a serious risk to finance and banking institutions by allowing restricted users to gain unauthorized and unaudited access to internal finance related applications and systems.
ATL identifies the security and business risks present within the client environment to enable financial institutions to mitigate those risks to an acceptable level. ATL adds value to the penetration testing process by providing deeply technical business consultants who deliver findings in terms of the necessary business impact analysis to the information security managers who demand it.

Case #1 – Our commitment to delivering value
ATL was asked to perform a penetration test against the client implementation of a global insurance and financial services provider. The client environment was deployed to provide a reduced functionality desktop environment for third party contractors located in the provider's offices.
The client identified that the third party contractors were able to gain access to restricted applications and personally identifiable data belonging to staff and clients through a misconfiguration within the client environment. ATL was able to provide evidence that a contractor could gain domain administrator level privileges on the client network and full control over the Microsoft Windows based network; this included wholesale access to proprietary information held in a database cluster.
Due to the severity of the business impact as assessed by ATL, a full debrief workshop was arranged to present the recommendations within the report and to discuss prioritization of the necessary remedial work. This assisted the client in attaining a significantly increased level of confidence in the security of their systems and the confidentiality of their sensitive data in an appropriately structured and timely manner.
Case #2 – Our people are the differentiator
ATL performed a penetration test against the client implementation of a global private equity
group. The client implementation had been deployed to provide remote working facilities to
employees. Weaknesses in the controls surrounding the client environment, combined with
deficiencies in the corporate security posture as a whole, provided ATL with the opportunity to
gain unauthorized access to critical network infrastructure.
ATL was ultimately able to gain domain administrator level privileges and thus effectively
control the networking infrastructure, the VOIP telephone system, CCTV cameras and also a
number of other less critical systems. Following receipt of the detailed report containing technical
recommendations to mitigate the risks, the client engaged ATL to conduct a formal risk
assessment of a number of key components within the internal corporate infrastructure. ATL was
able to draw from its experienced security management practice to provide the necessary resource
with a strong background in the investment industry.
Subject Organization
Client: A large insurance provider subject to the Payment Card Industry
CHALLENGE: CRACK A HARDENED PAYMENT CARD ZONE
A national insurance provider had built a network zone to process payment card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The insurer was confident that all regulations and best practices had been followed, and that their network was well protected against any kind of attack. As part of their compliance validation with PCI DSS, the insurer asked Trustwave's ATL to perform an internal penetration test against the network and identify any remaining vulnerabilities. When the test was complete, ATL's findings would question the security of not only the payment card segment, but of the network infrastructure as a whole.

SOLUTION: TEST WHOLE NETWORKS, NOT JUST MACHINES

ATL's penetration testing team arrived at the client's offices and was given network privileges equivalent to those of a restricted access employee. At first glance, the network seemed to be properly secured. Processing and storage of all payment card data occurred in segregated "red zones" consisting of hardened devices with well-secured access points, and all best practices and regulations for data encryption and handling appeared to have been followed. Anyone looking only at the payment card segment would likely be impressed by its security and issue it a clean bill of health.
The team then set aside the payment card segment and began trawling the larger network infrastructure for vulnerabilities. Eventually, this search turned up an old, forgotten server. Further probing revealed that the server's administrator password was blank, a critical mistake. The team accessed the server's account list through the hole and cracked several account passwords. They then found two other machines with the same accounts, and exploited them in the same way. This time, they discovered a single account that allowed access to a number of network machines, including the "red zone" access devices and the payment card servers themselves. The penetration testing team had not only cracked the client's "fully-secured" PCI environment, but broken it wide open.
ATL's Client: Network Penetration Test Case Study
This is a case study of an external network penetration test that ATL Security Group Pvt. Ltd. performed on an organisation. Some of the information has been changed or omitted to maintain confidentiality.
Background
The client had most of their web servers at a single office and wished to understand their current
level of external risk. They commissioned ATL Group to carry out an external penetration test
and supplied ATL with the external IP address range to be tested.
ATL then proceeded with the four stages of the penetration test:
 Information gathering
 Scanning for external services
 Identifying vulnerabilities on external services and exploiting them
 Producing a detailed report of issues and recommendations

Information Gathering
ATL first verified that the IP address range supplied was assigned to the organisation by querying
the RIPE Whois Database. This also starts the information gathering process, as emails, telephone
numbers and addresses are available from RIPE. DNS servers were then queried for more
information such as registration details and mail servers.
Internet, forum and newsgroup searches on key individuals did not reveal much information that
would be useful in penetrating the network, for example any information about the technology that
the organisation has used, or the skills of individuals.

An internally developed tool was used on search engines to find DNS names with IP addresses
within the IP range. This turned up 19 different web sites on 5 different IP addresses. It was
assumed that there were other web sites hosted by the organisation that hadn't been indexed by
search engines.
Note that this information is all publicly available, and was discovered without any or very little
direct contact with the organisation's network.

Scanning for External Services

The external IP range was then scanned for common TCP and UDP services, such as FTP, mail, DNS, web, and remote control services. More in-depth scans were also carried out three times over the course of the week of the test. These scans were carried out using two different tools and undertaken slowly, both to keep scanning traffic near zero and to evade any intrusion detection or prevention systems that may have been in place. The TCP port scanning revealed that no hosts replied to ICMP pings. Several hosts ran web servers on ports 80 and 443. There were SMTP mail gateways, a DNS server, FTP servers and a host with port 264 open, which indicated a Check Point firewall.

The service banners showed that the web and FTP services were all Microsoft IIS based, with a mixture of IIS 4.0 (Windows NT) and IIS 5.0 (Windows 2000). Four of the service banners disclosed internal computer names or private IP addresses.
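The banner review described above, as an added example that is not part of the original case study: it takes a constructed set of banner-grab results (the hosts, names and addresses are invented, and the documentation range 203.0.113.0/28 stands in for the range the client supplied), confirms that each host sits inside the agreed scope before it is reviewed, and flags the kinds of disclosure the consultants noted: private IP addresses, internal computer names, and IIS versions that give away the Windows release. The list of internal-only name suffixes is an assumption.

```python
"""Post-scan banner review: confirm each host is inside the agreed test scope
and flag internal-information leakage in service banners (added example)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 1918 ranges listed explicitly. ipaddress's is_private also classes the
# documentation ranges (such as 203.0.113.0/24 used below) as private, which
# would make every in-scope host look like a leaked internal address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames under suffixes that only resolve inside a corporate network (assumed list).
INTERNAL_NAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|lan|corp)\b", re.I)
# IIS version from an HTTP Server header or from the Microsoft FTP Service greeting.
IIS_RE = re.compile(r"(?:Server:\s*Microsoft-IIS/|Microsoft FTP Service \(Version )(\d+\.\d+)")
IIS_TO_OS = {"4.0": "Windows NT", "5.0": "Windows 2000"}  # the two releases seen in the case study

# Constructed banner-grab results for the example; 203.0.113.0/28 (a documentation
# range) stands in for the external range the client supplied.
SCOPE = ipaddress.ip_network("203.0.113.0/28")
BANNERS: List[Tuple[str, int, str]] = [
    ("203.0.113.2", 21, "220 ftp01.corp.internal Microsoft FTP Service (Version 5.0)."),
    ("203.0.113.3", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"),
    ("203.0.113.3", 443, "HTTP/1.1 302 Found\r\nLocation: http://10.1.5.20/login.asp\r\n"),
    ("203.0.113.5", 25, "220 mail.example.com ESMTP ready"),
    ("203.0.113.6", 264, ""),  # Check Point FW-1 topology port, no text banner
    ("198.51.100.9", 80, "HTTP/1.1 200 OK\r\nServer: Apache\r\n"),  # not in the supplied range
]


class Finding(NamedTuple):
    host: str
    port: int
    issue: str
    detail: str


def in_scope(host: str, scope: ipaddress.IPv4Network) -> bool:
    """A host may only be reviewed if the client's supplied range contains it."""
    return ipaddress.ip_address(host) in scope


def private_addresses(banner: str) -> List[str]:
    """RFC 1918 addresses mentioned anywhere in the banner text."""
    found = []
    for text in IPV4_RE.findall(banner):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # e.g. 999.1.2.3 matches the regex but is not an address
            continue
        if any(addr in net for net in RFC1918):
            found.append(text)
    return found


def internal_hostnames(banner: str) -> List[str]:
    """Computer names under an internal-only DNS suffix."""
    return INTERNAL_NAME_RE.findall(banner)


def iis_version(banner: str) -> Optional[str]:
    """IIS version string if the banner reveals one, else None."""
    m = IIS_RE.search(banner)
    return m.group(1) if m else None


def review_banners(scope, banners) -> Tuple[List[Finding], List[Tuple[str, int]]]:
    """Return (findings for in-scope hosts, hosts that were outside the scope)."""
    findings: List[Finding] = []
    out_of_scope: List[Tuple[str, int]] = []
    for host, port, banner in banners:
        if not in_scope(host, scope):
            out_of_scope.append((host, port))  # not reviewed further; raise with the client
            continue
        for addr in private_addresses(banner):
            findings.append(Finding(host, port, "private address disclosed", addr))
        for name in internal_hostnames(banner):
            findings.append(Finding(host, port, "internal hostname disclosed", name))
        version = iis_version(banner)
        if version:
            os_name = IIS_TO_OS.get(version, "unknown Windows release")
            findings.append(Finding(host, port, "service version disclosed", f"IIS {version} ({os_name})"))
    return findings, out_of_scope


if __name__ == "__main__":
    found, skipped = review_banners(SCOPE, BANNERS)
    for f in found:
        print(f"{f.host}:{f.port}  {f.issue}: {f.detail}")
    for host, port in skipped:
        print(f"{host}:{port}  skipped: outside the supplied range")
```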
Identifying and Exploiting Vulnerabilities
Mail relay variants were attempted on the mail servers with no success. Downloading the
Checkpoint firewall topology was unsuccessful; this may have revealed internal network
information. A DNS zone transfer on the DNS server was also unsuccessful, which may have also
revealed internal network information.
A commercial web server vulnerability scanning tool and an open source vulnerability scanning
tool were used to check for potential vulnerabilities on the relevant host services. These identified
that one of the FTP servers allowed anonymous access, and that some of the web servers had not
been locked down and had services that may be vulnerable to remote command execution.
The automated scans can reveal vulnerabilities, but a manual check usually reveals more
information. One host allowed remote command execution. ATL at this point informed the
organisation that they had a critically compromised host.
Credentials were then retrieved for administrator level users. The surrounding network was
enumerated, showing that the host was in a DMZ with access to other hosts.
ATL then looked at the web sites identified in the information gathering exercise, and also the
port scanning. Some of these were dynamic sites, with some using CGI applications with .exe
extensions, and others using ASP pages. Using open source scripts and tools, as well as in-house
developed tools and a manual process, the dynamic web sites were checked for web application
vulnerabilities. Common problems were discovered, the most serious of which was that some of the pages on the web sites were vulnerable to SQL injection that allowed arbitrary SQL statements to be executed, and also commands on the server itself, giving full control of the server. The proxy server identified in the port scan appeared to allow access to an intranet, although limited internal information was available.
Reporting
The issues listed above and other issues not mentioned were compiled and put into the final report.
The report noted the dates the test was carried out on, and the IP address range. The issues were
graded into the following risk levels: critical, high, medium, low and informational.
The executive summary specified that the overall security posture represented a critical risk, and highlighted that although the firewall configuration was well maintained, application and operating system security weaknesses allowed remote intruders to gain access to and control of a number of servers. The number of issues identified at each risk level (critical, high, medium, low and informational) was presented graphically, and key issues, starting with the most critical, were listed with recommendations for the resolution of each.
There then followed the technical part of the report, which detailed:
 Information gathered: RIPE Whois information, DNS information and web site domain
names.
 Network scan results.
 Exploit tests carried out, such as mail relay and DNS zone transfer.
 Summary walkthroughs and locations of the exploited web server and web application
vulnerabilities.
 Technical, in-depth list of issues discovered and recommendations on reducing the risk, starting with the most critical.
Presentation
ATL then presented the report to the organization face to face, which ensured that the
organization got the most value out of the report and a good understanding of the issues. Following
this, the organization rebuilt the previously compromised web server, reviewed the web
applications, and then requested ATL to carry out a follow-up penetration test.

EXERCISE
Q 1. Is penetration testing used for helping or for damaging a system?
a) Damaging
b) Helping
c) I don't know

Q 2. Which of the following are ways to conduct penetration testing?
a) Black Box testing, White Box testing, Grey Box Testing
b) Black Box testing, Red Box Testing, Grey Box Testing
c) White Box testing, Brown Box Testing, Red Box Testing
d) Black Box testing, Green Box Testing, White Box Testing
Q 3. Penetration testing should focus on what scenarios?
a) Most likely
b) Most dangerous
c) Both
Q 4. What is social engineering?
a) Using force to gain access to the information you need
b) Hacking either telecommunication or wireless networks to gain access to the information
you need
c) Using manipulation to deceive people that you are someone you are not to gain access to
the information you need
Q 5. Which of the following Operating Systems are most effective in penetration testing in
networks?
a) Ubuntu, Red Hat, Arch Linux
b) Windows, Mac OSX, Google Chrome OS
c) BackTrack, Helix, PHLAK

Q 6. What is a risk involved in doing penetration testing?
a) You have to pay for the testing
b) Some operations of the company might slow down.
c) Skynet takes over the world
Q 7. Which of the following groups must a penetration testing review?
a) Documentation, Log, System Configuration, Ruleset, Network Sniffing, File Integrity
b) Documentation, Log, System Configuration, Network Sniffing, File Integrity
c) Documentation, Log, System Configuration, Network Sniffing, Ruleset, File Integrity,
Personnel

Answers: 1) b, 2) a, 3) c, 4) c, 5) c, 6) b, 7) a

CHECKLIST OF TOOLS FOR VULNERABILITY
ASSESSMENT PENETRATION TESTING
Nmap v5.51
Nessus v4.4.1
Lan Spy
Cerberus encryptedftp3setup
HTTrack Web Site Copier v3.40
Website Ripper Copier v3.6.2
Visual WebRipper 1.0
Sam Spade v1.14
Global Network Inventory Scanner v3.01
Microsoft Baseline Security Analyzer v2.1.1
Retina Network Security Scanner v5.4
Network Security Inspector V3.2
NetBIOS Enumerator v1.017
GFI LANGuard 2011
Nsauditor v2.3
Net Scanner v2.6
Angry IP Scanner v3.0
Retina WIFI Scanner v1.0.3
Hping2
Tracelog Installer v1.5
BackTrack
PortScanner
REFERENCES

 Hale, Poynter, and Sample. Holistic Security, 2000. URL: http://www.jerboa.com/whitepapers/holisticsecurity.pdf
 Novak, Judy. DNS Evasion Techniques and Beyond, February 2000. URL: http://www.itpapers.com/cgi/PSummaryIT.pl?paperid=22016&scid=275
 Orshesky, Christine. Corporations' Due Care, September 2000. URL: http://www.virusbtn.com/vb2000/Programme/papers/orshesky.pdf
 Scambray, J., Stuart McClure, and George Kurtz. Hacking Exposed, 2nd Edition. Osborne/McGraw-Hill Co., 2001. ISBN: 0-07-212748-1
 Wilson, Zachary. Hacking: The Basics, 4 April 2001. URL: http://www.sans.org/infosecFAQ/hackers/hack_basics.htm
 Bosworth, Seymour; Michel E. Kabay, Editors. Computer Security Handbook, 4th Edition. John Wiley & Sons, Indianapolis, Indiana, USA, April 2002
 The CERT Guide to System and Network Security Practices, 1st Edition. Addison-Wesley Publishing Co., June 2001
 e-Commerce Security: Securing the Network Perimeter. IT Governance Institute, Rolling Meadows, Illinois, USA, 2002
 Klevinsky, T.J.; Scott Laliberte; Ajay Gupta. Hack I.T. – Security Through Penetration Testing. Addison-Wesley, Boston, Massachusetts, USA, June 2002
 Krutz, Vines. The CISSP Prep Guide. John Wiley & Sons, Inc., 2001
 Rhoades, David. "Hacking and Securing Web-based Applications," Maven Security Consulting Inc., 12th USENIX Security Symposium, Washington DC, USA, 4-8 August 2003

113 | ©ATL Technology Tab


NOTES
Session #
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

114 | ©ATL Technology Tab


NOTES
Session #
___________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_____________________________________________________________________________
_______________________________________________________________________________

115 | ©ATL Technology Tab


NOTES
Session #
______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

116 | ©ATL Technology Tab


NOTES
Session #
________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________