Network Security Assessment
Other resources from O’Reilly

Related titles: Network Security Hacks; Computer Security Basics

oreilly.com: oreilly.com is more than a complete catalog of O’Reilly books. You’ll also find links to news, events, articles, weblogs, sample chapters, and code examples. oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.

Conferences: O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.

Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today for free.
Network Security Assessment
SECOND EDITION
Chris McNab
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Network Security Assessment, Second Edition
by Chris McNab
Copyright © 2008 Chris McNab. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Tatiana Apandi
Production Editor: Sarah Schneider
Copyeditor: Amy Thomson
Proofreader: Sarah Schneider
Indexer: Lucie Haskins
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano
Printing History:
March 2004: First Edition.
October 2007: Second Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Network Security Assessment, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN-10: 0-596-51030-6
ISBN-13: 978-0-596-51030-5
Table of Contents
Foreword xi
Preface xv
1 Network Security Assessment 1
2 Network Security Assessment Platform 10
3 Internet Host and Network Enumeration 17
5 Assessing Remote Information Services 79
6 Assessing Web Servers 101
7 Assessing Web Applications 160
8 Assessing Remote Maintenance Services 198
9 Assessing Database Services 239
MySQL 252
10 Assessing Windows Networking Services 256
11 Assessing Email Services 290
13 Assessing Unix RPC Services 330
14 Application-Level Risks 340
A TCP, UDP Ports, and ICMP Message Types 415
B Sources of Vulnerability Information 420
C Exploit Framework Modules 422
Index 453
After managing the performance of over 20,000 infrastructure and applications penetration tests, I have come to realize the importance of technical testing and providing information security assurance.

This book accurately defines a pure technical assessment methodology, giving you the ability to gain a much deeper understanding of the threats, vulnerabilities, and exposures that modern public networks face. The purpose for conducting the tens of thousands of penetration tests during my 20+ years working in information systems security was “to identify technical vulnerabilities in the tested system in order to correct the vulnerability or mitigate any risk posed by it.” In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing.
As you read this book, you will realize that vulnerabilities and exposures in most environments are due to poor system management, patches not installed in a timely fashion, weak password policy, poor access control, etc. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas:
• System software configuration
• Applications software configuration
• Software maintenance
• User management and administration
Unfortunately, many IT security consultants provide detailed lists of specific test findings and never attempt the higher-order analysis needed to answer the question “Why?” This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client after six months, a whole new set of findings will appear.
If you are an IT professional who is responsible for security, use this book to help you assess your networks; it is effectively a technical briefing of the tools and techniques that your enemies can use against your systems. If you are a consultant performing a security assessment for a client, it is vital that you bear in mind the mismanagement reasons for the vulnerabilities, as discussed here.
Several years ago, my company conducted a series of penetration tests for a very large international client. The client was organized regionally; IT security policy was issued centrally and implemented regionally. We mapped the technical results to the following management categories:
Vulnerabilities due to improperly configured applications
We then computed the average number of security assessment findings per 100 systems tested for the total organization and produced the chart shown in Figure F-1.

Figure F-1. Average vulnerabilities by management category (bar chart; categories shown: S/W maintenance, Pswd/Access control, Malicious software, Dangerous services, Bad Apps config)
We then conducted a comparison of the performance of each region against the corporate average. The results were quite striking, as shown in Figure F-2 (above the average is bad, with more findings than the corporate average).

Figure F-2 clearly shows discernible and quantifiable differences in the effectiveness of the security management in each of the regions. For example, the IT manager in Region 3 clearly was not performing software maintenance or password/access controls management, and the IT manager in Region 1 failed to remove unneeded services from his systems.

It is important that, as you read this book, you place vulnerabilities and exposures into categories and look at them in a new light. You can present a report to a client that fully documents the low-level technical issues at hand, but unless the underlying high-level mismanagement issues are tackled, network security won’t improve, and different incarnations of the same vulnerabilities will be found later on. This book will show you how to perform professional Internet-based assessments, but it is vital that you always ask the question, “Why are these vulnerabilities present?”
Figure F-2. Regional comparisons against the corporate average (bar chart of regional comparisons vs. average; key: Bad O/S config, S/W maintenance, Pswd/Access control, Malicious software, Dangerous services, Bad Apps config)

About Bob Ayers

Bob Ayers is currently the Director for Critical Infrastructure Defense with a major IT company based in the United Kingdom. Previously, Bob worked for 29 years with the U.S. Department of Defense (DoD). His principal IT security assignments were with the Defense Intelligence Agency (DIA) where he served as the Chief of the DoD Intelligence Information System (DoDIIS). During this assignment, Bob developed and implemented new methodologies to ensure the security of over 40,000 computers processing highly classified intelligence information. Bob also founded the DoD computer emergency response capability, known as the Automated Systems Security Incident Support Team (ASSIST). Noticed for his work in DoDIIS, the U.S. Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) selected Bob to create and manage a 155-person, $100-million-per-year DoD-wide program to improve all aspects of DoD IT security. Prior to leaving government service, Bob was the director of the U.S. DoD Defensive Information Warfare program.
It is never impossible for a hacker to break into a computer system, only improbable.
Computer hackers routinely break into corporate, military, online banking, and other networked environments. Even in 2007, as I am writing this second edition of Network Security Assessment, I still perform incident response work in these sectors.
As systems generally become more secure, the methods used by these attackers are becoming more advanced, involving intricate repositioning, social engineering, physical compromise (stealing disks from servers or installing rogue wireless access points), and use of specific zero-day exploits to attack peripheral software components such as antivirus or backup solutions that are widely deployed internally within corporate networks.
By the same token, you would expect professional security consultants to be testing for these types of issues. In the vast majority of cases they are not. I know this because at Matta we run a program called Sentinel, which involves testing security assessment vendors for companies in the financial services sector. The Sentinel platform contains a number of vulnerable systems, and vendors are scored based on the vulnerabilities they identify and report.
Since 2004, Matta has processed nearly 30 global penetration testing vendors using Sentinel. In a recent test involving 10 testing providers, we found the following:
• Two vendors failed to scan all 65536 TCP ports
• Five vendors failed to report the publicly accessible MySQL service root password of “password”
• Seven vendors failed to report the easily exploitable, high-risk SSL PCT overflow (MS04-011)
A number of vendors have tested the Sentinel platform on more than one occasion. It is clear that there is a lack of adherence to a strict testing methodology, and test results (in particular, the final report presented to the customer) vary wildly, depending on the consultant involved.
So here I am, in 2007, updating this book with a clear vision: to document a clear and concise Internet-based network security assessment methodology and approach. After running the Sentinel program through a number of iterations, performing a number of challenging penetration tests myself, and working to build a competent team at Matta, I feel it is the right time to update this book.
Overview
This book tackles one single area of information security in detail: that of undertaking IP-based network security assessment in a structured and logical way. The methodology presented in this book describes how a determined attacker will scour Internet-based networks in search of vulnerable components (from the network to the application level) and how you can perform exercises to assess your networks effectively. This book doesn’t contain any information that isn’t relevant to IP-based security testing; topics that are out of scope include war dialing and 802.11 wireless assessment.

Assessment is the first step any organization should take to start managing information risks correctly. My background is that of a teenage hacker turned professional security analyst, with a 100 percent success rate over the last nine years in compromising the networks of multinational corporations. I have a lot of fun working in the security industry and feel that now is the time to start helping others by clearly defining an effective best-practice network assessment methodology.

By assessing your networks in the same way that a determined attacker does, you can take a more proactive approach to risk management. Throughout this book, there are bulleted checklists of countermeasures to help you devise a clear technical strategy and fortify your environments at the network and application levels.
Recognized Assessment Standards
This book has been written in line with government penetration testing standards used in the United States (NSA IAM) and the United Kingdom (CESG CHECK). Other testing standards associations include MasterCard SDP, CREST, CEH, and OSSTMM. These popular accreditation programs are discussed here.
NSA IAM
The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard. The NSA IAM home page is http://www.iatrp.com.
This book covers only the technical network scanning and assessment techniques used within Levels 2 (Evaluation) and 3 (Red Team) of the IAM framework, since Level 1 assessment involves high-level cooperative gathering of information, such as security policies.
CESG CHECK
The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the U.K. to undertake government assessment work. The CESG CHECK home page is accessible at http://www.cesg.gov.uk/site/check/index.cfm.
Unlike the NSA IAM, which covers many aspects of information security (including review of security policy, antivirus, backups, and disaster recovery), CHECK squarely tackles the area of network security assessment. A second program is the CESG Listed Adviser Scheme (CLAS), which covers information security in a broader sense and tackles areas such as ISO/IEC 27002, security policy creation, and auditing.
To correctly accredit CHECK consultants, CESG runs an assault course to test the attack and penetration techniques and methods demonstrated by attendees. The unclassified CESG CHECK assault course lists the areas of technical competence relating to network security assessment as:
• Use of DNS information retrieval tools for both single and multiple records, including an understanding of DNS record structure relating to target hosts
• Use of ICMP, TCP, and UDP network mapping and probing tools
• Demonstration of TCP service banner grabbing
• Information retrieval using SNMP, including an understanding of MIB structure relating to target system configuration and network routes
• Understanding of common weaknesses in routers and switches relating to Telnet, HTTP, SNMP, and TFTP access and configuration
The following are Unix-specific competencies:
• User enumeration via finger, rusers, rwho, and SMTP techniques
• Use of tools to enumerate Remote Procedure Call (RPC) services and demonstrate an understanding of the security implications associated with those services
• Demonstration of testing for Network File System (NFS) weaknesses
• Testing for weaknesses within r-services (rsh, rexec, and rlogin)
• Detection of insecure X Windows servers
• Testing for weaknesses within web, FTP, and Samba services
Here are Windows NT-specific competencies:
• Assessment of NetBIOS and CIFS services to enumerate users, groups, shares, domains, domain controllers, password policies, and associated weaknesses
• Username and password grinding via NetBIOS and CIFS services
• Detecting and demonstrating presence of known security weaknesses within Internet Information Server (IIS) web and FTP service components, and Microsoft SQL Server
This book clearly documents assessments in all these listed areas, along with background information to help you gain a sound understanding of the vulnerabilities presented. Although the CESG CHECK program assesses the methodologies of consultants who wish to perform U.K. government security testing work, internal security teams of organizations and companies outside the United Kingdom should be aware of its framework and common body of knowledge.
PCI Data Security Standards
Two security assessment accreditations that have gained popularity in recent years are the MasterCard Site Data Protection (SDP) program, which, along with the VISA Account Information Security (AIS) scheme, form Payment Card Industry (PCI) data security standards. Merchants, processors, and data storage entities that process payment card data must be assessed by a PCI-compliant vendor. The PCI accreditation program assault course is similar to that operated under CESG CHECK and Matta Sentinel, in that consultants must test a network of vulnerable servers and devices, and must accurately find and report the seeded vulnerabilities.
Other Assessment Standards and Associations
Five assessment standards and associations worth mentioning and keeping up-to-date with are as follows:
• ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM) (http://www.osstmm.org)
• Council of Registered Ethical Security Testers (CREST) (http://www.crestapproved.com)
• TIGER Scheme (http://www.tigerscheme.org)
• EC-Council’s Certified Ethical Hacker (CEH) (http://www.eccouncil.org/CEH.htm)
• Open Source Web Application Security Project (OWASP) (http://www.owasp.org)
Hacking Defined
In this book I define hacking as:
The art of manipulating a process in such a way that it performs an action that is useful to you.
I think this is a true representation of a hacker in any sense of the word, whether it be a computer programmer who used to hack code on mainframes back in the day so that it would perform actions useful to him, or a modern computer attacker with a very different goal and set of ethics. Please bear in mind that when I use the term hacker in this book, I am talking about a network-based assailant trying to compromise the security of a system. I don’t mean to step on the toes of hackers in the traditional sense who have sound ethics and morals.
Organization
This book consists of 16 chapters and 3 appendixes. At the end of each chapter is a checklist that summarizes the threats and techniques described in that chapter along with effective countermeasures. The appendixes provide useful reference material, including listings of TCP and UDP ports, along with ICMP message types and their functions. Details of popular vulnerabilities in Microsoft Windows and Unix-based operating platforms are also listed. Here is a brief description of each chapter and appendix:
Chapter 1, Network Security Assessment, discusses the rationale behind network security assessment and introduces security as a process, not a product.

Chapter 2, Network Security Assessment Platform, covers the various operating systems and tools that make up a professional security consultant’s attack platform.

Chapter 3, Internet Host and Network Enumeration, logically walks through the Internet-based options that a potential attacker has to map your network, from open web searches to DNS sweeping and querying of authoritative name servers.

Chapter 4, IP Network Scanning, discusses all known IP network scanning techniques and their relevant applications, also listing tools and systems that support such scanning types. IDS evasion and low-level packet analysis techniques are also covered.

Chapter 5, Assessing Remote Information Services, defines the techniques and tools that execute information leak attacks against services such as LDAP, finger, and DNS. Some process manipulation attacks are discussed here when appropriate.

Chapter 6, Assessing Web Servers, covers the assessment of underlying web services, including Microsoft IIS, Apache, Tomcat, and subsystems such as OpenSSL, Microsoft FrontPage, and Outlook Web Access (OWA).

Chapter 7, Assessing Web Applications, covers assessment of various web application technologies, including ASP, JSP, PHP, middleware, and backend databases such as MySQL, Oracle, and Microsoft SQL Server. Also covered here is the use of tools such as Paros and WebScarab.

Chapter 8, Assessing Remote Maintenance Services, details the tools and techniques used to correctly assess all common maintenance services (including FTP, SSH, VNC, X Windows, and Microsoft Terminal Services). Increasingly, these services are targets of information leak and brute-force attacks, resulting in a compromise even though the underlying software isn’t strictly vulnerable.

Chapter 9, Assessing Database Services, covers IP-based assessment of database servers including Oracle, Microsoft SQL Server, and MySQL.

Chapter 10, Assessing Windows Networking Services, tackles security assessment for Windows components (including MSRPC, NetBIOS, and CIFS) in a port-by-port fashion. Information leak, brute-force, and process manipulation attacks against each component are detailed, from the DCE locator service listening on port 135 through to the CIFS direct listener on port 445.

Chapter 11, Assessing Email Services, details assessment of SMTP, POP-3, and IMAP services that transport email. Often, these services can fall foul to information-leak and brute-force attacks, and, in some instances, process manipulation.

Chapter 12, Assessing IP VPN Services, covers assessment of IP services that provide secure inbound network access, including IPsec, Microsoft PPTP, and SSL VPNs.

Chapter 13, Assessing Unix RPC Services, comprehensively covers assessment of Unix RPC services found running on Linux, Solaris, IRIX, and other platforms. RPC services are commonly abused to gain access to hosts, so it is imperative that any accessible services are correctly assessed.

Chapter 14, Application-Level Risks, defines the various types of application-level vulnerabilities that hacker tools and scripts exploit. By grouping vulnerabilities in this way, a timeless risk management model can be realized because all future application-level risks will fall into predefined groups.

Chapter 15, Running Nessus, details how to set up and configure the Nessus vulnerability scanner to perform effective and fast automated testing of networks.

Chapter 16, Exploitation Frameworks, covers the selection and use of exploitation frameworks, including the Metasploit Framework (MSF), Immunity CANVAS, and CORE IMPACT. These toolkits allow professional security consultants to reposition and deeply test networks in a highly effective manner.

Appendix A, TCP, UDP Ports, and ICMP Message Types, contains definitive listings and details of tools and systems that can be used to easily assess services found.

Appendix B, Sources of Vulnerability Information, lists good sources of publicly accessible vulnerability and exploit information so that vulnerability matrices can be devised to quickly identify areas of potential risk when assessing networks and hosts.

Appendix C, Exploit Framework Modules, lists the exploit and auxiliary modules found in MSF, IMPACT, and CANVAS, along with GLEG and Argeniss add-on packs.
Audience
This book assumes you are familiar with IP and administering Unix-based operating systems, such as Linux or Solaris. A technical network administrator or security consultant should be comfortable with the contents of each chapter. To get the most out of this book, you should be familiar with:
• The IP protocol suite, including TCP, UDP, and ICMP
• Workings of popular Internet network services, including FTP, SMTP, and HTTP
• At least one Unix-like operating system, such as Linux, or a BSD-derived platform like Mac OS X
• Configuring and building Unix-based tools in your environment
• Firewalls and network filtering models (DMZ segments, bastion hosts, etc.)
Mirror Site for Tools Mentioned in This Book
URLs for tools in this book are listed so that you can browse the latest files and papers on each respective site. If you are worried about Trojan horses or other malicious content within these executables, they have been virus-checked and are mirrored at the O’Reilly site http://examples.oreilly.com/networksa/tools/.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You don’t need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book doesn’t require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code doesn’t require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but don’t require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Network Security Assessment, Second Edition, by Chris McNab. Copyright 2008 Chris McNab, 978-0-596-51030-5.”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates example URLs, passwords, error messages, filenames, emphasis, and the first use of technical terms
Constant width
Indicates commands, IP addresses, and Unix command-line examples
Constant width italic
Indicates replaceable text
Constant width bold
Indicates user input
This icon signifies a tip, suggestion, or general note.
This icon indicates a warning or caution.
Comments and Questions
Please address comments and questions concerning this book to the publisher: O’Reilly Media, Inc.
1005 Gravenstein Highway North
I am also extremely grateful for the positive support from the O’Reilly Media team since 2003, including Tatiana Apandi, Nathan Torkington, Jim Sumser, Laurie Petrycki, and Debby Russell.
The talented individuals I work alongside at Matta (http://www.trustmatta.com) deserve a mention, along with my colleagues at DarkStar Technologies. Without the support of the guys I work with, I would never get complex projects like this book finished on time!
Finally, many thanks to Glyn Geoghan for technical review of both editions of this book.
Guest Authors Featured in This Book
A big thanks to the following for ghostwriting and improving the following chapters of this book:
• Roy Hills for overhauling and updating the “Assessing IP VPN Services” chapter (Chapter 12)
• Matt Lewis for writing the “Application-Level Risks” chapter (Chapter 14)
• Justin Clarke for writing the “Running Nessus” chapter (Chapter 15)
• James Tusini for help writing the “Assessing Web Applications” chapter (Chapter 7)
These individuals are recognized specialists in their respective areas and have made excellent contributions to this book. Without them, the book would not be such a comprehensive blueprint for security testing and assessment.
This chapter discusses the rationale behind Internet-based network security assessment and penetration testing at a high level. To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with assessment to identify and categorize your risks. Network security assessment is an integral part of any security life cycle.

The Business Benefits
From a commercial standpoint, information assurance is a business enabler. As a security consultant, I have helped a number of clients in the retail sector secure their 802.11 wireless networks used in stores. By designing and implementing secure networks, these retailers can lower their costs and increase efficacy, by implementing queue-busting technologies, for example.
Shortcomings in network security and user adherence to security policy often allow Internet-based attackers to locate and compromise networks. High-profile examples of companies that have fallen victim to such determined attackers in recent times include:

RSA Security (http://www.2600.com/hacked_pages/2000/02/www.rsa.com/)
OpenBSD (http://lists.jammed.com/incidents/2002/08/0000.html)
a number of the following techniques:
• Compromising poorly configured or protected peripheral systems that are related to the target network
• Directly compromising key network components using private zero-day exploit scripts and tools
• Compromising network traffic using redirection attacks (including ARP spoofing, ICMP redirection, and VLAN hacking)
• Cracking user account passwords and using those credentials to compromise other systems
To protect networks and data from determined attacks, you need assurance and understanding of the technical security of the network, along with adherence to security policy and incident response procedures. In this book, I discuss assessment of technical security and improving the integrity and resilience of IP networks. Taking heed of the advice presented here and acting in a proactive fashion ensures a decent level of network security.
IP: The Foundation of the Internet
The Internet Protocol version 4 (IPv4) is the networking protocol suite all public Internet sites currently use to communicate and transmit data to one another. From a network security assessment methodology standpoint, this book comprehensively discusses the steps that should be taken during the security assessment of any IPv4 network.
IPv6 is an improved protocol that is gaining popularity among
addresses) as opposed to the 32-bit space of IPv4 (only 4 billion addresses) that allows a massive number of devices to have publicly routable addresses. Eventually, the entire Internet will migrate across to IPv6, and every electronic device in your home will have an address.
Due to the large size of the Internet and the sheer number of security issues and vulnerabilities publicized, opportunistic attackers will continue to scour the public IP address space seeking vulnerable hosts. The combination of new vulnerabilities being disclosed on a daily basis, along with the adoption of IPv6, ensures that opportunistic attackers will always be able to compromise a certain percentage of Internet networks.

Classifying Internet-Based Attackers
At a high level, Internet-based attackers can be divided into the following two groups:
• Opportunistic attackers who scour large Internet address spaces for vulnerable systems
• Focused attackers who attack select Internet-based systems with a specific goal in mind
Opportunistic threats are continuous, involving attackers using autorooting tools and scripts to compromise vulnerable systems across the Internet. Upon placing a vulnerable, default out-of-the-box server installation on the public Internet, researchers have found that it is usually compromised within an hour by automated software being run in this way.
Most Internet hosts compromised by opportunistic attackers are insecure home user systems. These systems are then turned into zombies that run software to log user keystrokes, launch denial-of-service (DoS) flooding attacks, and serve as a platform to attack and compromise other systems and networks.
Focused attackers adopt a more complex and systematic approach with a clear goal in mind. A focused attacker will exhaustively probe every point of entry into a target network, port-scanning every IP address and assessing each and every network service in depth. Even if this determined attacker can’t compromise the target network on his first attempt, he is aware of areas of weakness. Detailed knowledge of a site’s operating systems and network services allows the attacker to compromise the network upon the release of new exploit scripts in the future.
The networks that are most at risk are those with sizeable numbers of publicly accessible hosts. Having many entry points to a network multiplies the potential for compromise, and managing risk becomes increasingly difficult as the network grows. This is commonly known as the defender's dilemma; a defender must ensure the integrity of every point of entry, whereas an attacker only needs to gain access through one to be successful.
Assessment Service Definitions
Security vendors offer a number of assessment services branded in a variety of ways. Figure 1-1 shows the key service offerings along with the depth of assessment and relative cost. Each service type can provide varying degrees of security assurance.
Vulnerability scanning uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.

Network security assessment is an effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company's security.

Web application testing involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.

Full-blown penetration testing lies outside the scope of this book; it involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. Instead, this book fully demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
Onsite auditing provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing. Onsite auditing is also outside the scope of this book.
Network Security Assessment Methodology
The best practice assessment methodology used by determined attackers and network security consultants involves four distinct high-level components:
• Network reconnaissance to identify IP networks and hosts of interest
• Bulk network scanning and probing to identify potentially vulnerable hosts
• Investigation of vulnerabilities and further network probing by hand
• Exploitation of vulnerabilities and circumvention of security mechanisms
This complete methodology is relevant to Internet-based networks being tested in a blind fashion with limited target information (such as a single DNS domain name). If a consultant is enlisted to assess a specific block of IP space, he skips initial network enumeration and commences bulk network scanning and investigation of vulnerabilities.
Figure 1-1. Different security testing services (figure not reproduced). The service labels appear in the order Vulnerability Scanning, Network Security Assessment, Web Application Testing, Penetration Testing, Onsite Auditing along an axis labelled "Cost and time"; the other axis marks the network tiers reached: Internet, DMZ, Internal network.
Internet Host and Network Enumeration
Various reconnaissance techniques are used to query open sources to identify hosts and networks of interest. These open sources include web and newsgroup search engines, WHOIS databases, and DNS name servers. By querying these sources, attackers can often obtain useful data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.
Initial reconnaissance is very important because it can uncover hosts that aren't properly fortified against attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers), and often neglect hosts and networks that lie off the beaten track.
It may well be the case that a determined attacker also enumerates networks of third-party suppliers and business partners who, in turn, have access to the target network space. Nowadays such third parties often have dedicated links to areas of internal corporate network space through VPN tunnels and other links.

Key pieces of information that are gathered through initial reconnaissance include details of Internet-based network blocks, internal IP addresses gathered from DNS servers, insight into the target organization's DNS structure (including domain names, subdomains, and hostnames), and details of relationships between physical locations.
This information is then used to perform structured bulk network scanning and probing exercises to further assess the target network space and investigate potential vulnerabilities. Further reconnaissance involves extracting user details, including email addresses, telephone numbers, and office addresses.
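The three reconnaissance outputs named above (subdomains, internal addresses leaked through DNS, and public network blocks to carry into bulk scanning) can be collated mechanically from whatever DNS records have been retrieved. The following is an added example, not code from the book: the records, example.com, the hostnames and the addresses are all constructed, and the RFC 1918 membership test is written out explicitly because Python's ipaddress.is_private also flags the documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample and would misclassify them.

```python
"""Collate DNS reconnaissance records into network enumeration leads.

Added example (not from the book): given DNS records already retrieved,
for instance from a zone transfer or a hostname brute force, derive
subdomains beneath the target domain, internal (RFC 1918) addresses
leaked through public DNS, and public /24 blocks for bulk scanning.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records in "name type value" form, as printed by
# tools such as dig. example.com and all addresses are fictitious.
SAMPLE_RECORDS = """\
example.com.            NS    ns1.example.com.
example.com.            MX    mail.example.com.
www.example.com.        A     198.51.100.10
mail.example.com.       A     198.51.100.25
ns1.example.com.        A     198.51.100.53
vpn.example.com.        A     203.0.113.7
intranet.example.com.   A     10.1.20.5
dev.uk.example.com.     A     192.168.3.14
www.uk.example.com.     A     203.0.113.80
ftp.example.com.        CNAME www.example.com.
"""

# RFC 1918 ranges checked explicitly: ipaddress.is_private also treats the
# documentation ranges (e.g. 198.51.100.0/24) as private, which would
# misclassify the constructed sample above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def parse_records(text):
    """Yield (name, type, value) tuples; blank lines and ';' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        yield name.rstrip(".").lower(), rtype.upper(), value.rstrip(".")


def collate(records, apex):
    """Return subdomains, leaked internal addresses and public /24 candidates."""
    internal = {}
    public_blocks = defaultdict(set)
    subdomains = set()
    suffix = "." + apex
    for name, rtype, value in records:
        if name.endswith(suffix):
            labels = name[: -len(suffix)].split(".")
            # Anything deeper than one label below the apex reveals a subdomain
            # worth enumerating in its own right (e.g. uk.example.com).
            if len(labels) > 1:
                subdomains.add(".".join(labels[1:]) + suffix)
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(value)
        if is_rfc1918(addr):
            internal[name] = str(addr)
        else:
            # Group public hosts by /24 so each block can be bulk-scanned whole.
            block = ipaddress.ip_network(f"{addr}/24", strict=False)
            public_blocks[str(block)].add(name)
    return {
        "internal": internal,
        "public_blocks": {b: sorted(h) for b, h in sorted(public_blocks.items())},
        "subdomains": sorted(subdomains),
    }


if __name__ == "__main__":
    leads = collate(parse_records(SAMPLE_RECORDS), "example.com")
    for block, hosts in leads["public_blocks"].items():
        print(f"scan {block}: {', '.join(hosts)}")
    for host, addr in leads["internal"].items():
        print(f"internal address leaked via DNS: {host} -> {addr}")
    print("subdomains to enumerate:", ", ".join(leads["subdomains"]))
```

Run against the constructed records, the public hosts collapse into two /24 blocks to scan, two hostnames resolve to RFC 1918 addresses that should never have been published, and uk.example.com surfaces as a subdomain to feed back into the enumeration step.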
Bulk Network Scanning and Probing
Upon identifying IP network blocks of interest, analysts should carry out bulk TCP, UDP, and ICMP network scanning and probing to identify accessible hosts and network services (such as HTTP, FTP, SMTP, and POP-3) that can in turn be abused to gain access to trusted network space.
Key pieces of information that are gathered through bulk network scanning include details of accessible hosts and their TCP and UDP network services, along with peripheral information such as details of ICMP messages to which target hosts respond, and insight into firewall or host-based filtering policies.
After gaining insight into accessible hosts and network services, analysts can begin offline analysis of the bulk results and investigate the latest vulnerabilities in accessible network services.
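One way to perform the offline analysis described above is to parse Nmap's grepable (-oG) output into a per-host inventory, then index it by service and version so each product is checked against advisories once rather than host by host. This is an added example, not code from the book: the scan output below is constructed (addresses, hostnames and banners are fictitious), while the field layout it parses (tab-separated fields, port entries as port/state/protocol/owner/service/rpc info/version/, and the "Ignored State" field) is Nmap's real -oG format. The ignored-port state is also read as the filtering hint the text mentions: unlisted ports reported closed mean the host answered with RSTs itself, whereas filtered means a packet filter dropped the probes.

```python
"""Collate Nmap grepable (-oG) output into a per-host service inventory.

Added example (not from the book): turns -oG "Host:" lines into open
services per host, records filtered ports, indexes services by version,
and interprets "Ignored State" as a hint about packet filtering.
"""
import re
from collections import defaultdict

# Constructed sample -oG output; addresses, hostnames and banners are fictitious.
# Nmap writes a tab between fields and ", " between port entries.
SAMPLE_OG = (
    "# Nmap 4.20 scan initiated as: nmap -sS -sV -oG - 198.51.100.10-11\n"
    "Host: 198.51.100.10 (www.example.com)\tStatus: Up\n"
    "Host: 198.51.100.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 198.51.100.11 (mail.example.com)\tStatus: Up\n"
    "Host: 198.51.100.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Sendmail 8.13.8/, "
    "110/open/tcp//pop3//Dovecot pop3d/, 143/closed/tcp//imap///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def new_entry(hostname):
    return {"hostname": hostname, "status": None, "open": [], "filtered": [], "ignored_state": None}


def parse_grepable(text):
    """Return {ip: entry} built from the 'Host:' lines; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue
        ip, hostname, rest = match.groups()
        entry = hosts.setdefault(ip, new_entry(hostname))
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ignored State":
                # e.g. "closed (997)": the state Nmap saw on all unlisted ports
                entry["ignored_state"] = value.split(" ")[0]
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/
                    parts = spec.split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    version = parts[6] if len(parts) > 6 else ""
                    if state == "open":
                        entry["open"].append((port, proto, service, version))
                    elif state == "filtered":
                        entry["filtered"].append(port)
    return hosts


def service_index(hosts):
    """Map 'service version' to the host:port/proto entries exposing it."""
    index = defaultdict(list)
    for ip, entry in hosts.items():
        for port, proto, service, version in entry["open"]:
            index[f"{service} {version}".strip()].append(f"{ip}:{port}/{proto}")
    return {k: sorted(v) for k, v in sorted(index.items())}


def filtering_hint(entry):
    """Closed unlisted ports mean the host itself answered with RSTs;
    filtered means a packet filter in the path dropped the probes."""
    if entry["ignored_state"] == "filtered":
        return "filtered: packet filter in path, only listed ports pass"
    if entry["ignored_state"] == "closed":
        return "closed: host replies with RST, no filter between scanner and host"
    return "unknown"


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for ip, entry in inventory.items():
        print(f"{ip} ({entry['hostname']}): {filtering_hint(entry)}")
        for port, proto, service, version in entry["open"]:
            print(f"  {port}/{proto} {service} {version}")
    for product, where in service_index(inventory).items():
        print(f"{product}: {', '.join(where)}")
```

The service index is the list to work through in the investigation phase that follows: each "service version" key is looked up once against the advisory sources, and the attached host:port entries say where a confirmed issue applies.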
Investigation of Vulnerabilities
New vulnerabilities in network services are disclosed daily to the security community and the underground alike through Internet mailing lists and various public forums. Proof-of-concept tools are often published for use by security consultants, whereas full-blown exploits are increasingly retained by hackers and not publicly disclosed in this fashion.

The following web sites are extremely useful for investigating potential vulnerabilities within network services:

SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)
SecurityFocus hosts many useful mailing lists including BugTraq, Vuln-Dev, and Pen-Test. You can subscribe to these lists by email, and you can browse through the archived posts at the web site. Due to the sheer number of posts to these lists, I personally browse the SecurityFocus mailing list archives every couple of days. Packet Storm and FrSIRT actively archive underground exploit scripts, code, and other files. If you are in search of the latest public tools to compromise vulnerable services, these sites are good places to start. Often, SecurityFocus provides only proof-of-concept or old exploit scripts that aren't effective in some cases. FrSIRT runs a commercial subscription service for exploit scripts and tools. You can access and learn more about this service at http://www.frsirt.com/english/services/.
Commercial vulnerability alert feeds are very useful and often provide insight into unpatched zero-day issues. According to Immunity Inc., on average, a given zero-day bug has a lifespan of 348 days before a vendor patch is made available. The following notable commercial feed services are worth investigating (these vendors also run free public feeds):
eEye Preview (http://research.eeye.com/html/services/)
3Com TippingPoint DVLabs (http://dvlabs.tippingpoint.com)
VeriSign iDefense Security Intelligence Services (http://labs.idefense.com/services/)
Lately, Packet Storm has not been updated as much as it could be, so I increasingly use the milw0rm web site to check for new exploit scripts, along with browsing the MITRE Corporation CVE list, ISS X-Force, and CERT vulnerability notes lists. These lists allow for effective collation and research of publicly known vulnerabilities so that exploit scripts can be located or built from scratch. The NIST National Vulnerability Database (NVD) is a very useful enhancement to CVE that contains a lot of valuable information.
Investigation at this stage may also mean further qualification of vulnerabilities. It is often the case that bulk network scanning doesn't give detailed insight into service configuration and certain enabled options, so a degree of manual testing against key hosts is often carried out within this investigation phase.
Key pieces of information that are gathered through investigation include technical details of potential vulnerabilities along with tools and scripts to qualify and exploit the vulnerabilities present.
Exploitation of Vulnerabilities
Upon qualifying potential vulnerabilities in accessible network services to a degree that it's probable that exploit scripts and tools will work correctly, the next step is attacking and exploiting the host. There's not really a lot to say about exploitation at a high level, except that by exploiting a vulnerability in a network service and gaining unauthorized access to a host, an attacker breaks computer misuse laws in most countries (including the United Kingdom, United States, and many others). Depending on the goal of the attacker, she can pursue many different routes through internal networks, although after compromising a host, she usually undertakes the following:
• Gain superuser privileges on the host
• Download and crack hashed user passwords (the SAM database under Windows and the /etc/shadow file under most Unix-based environments)
• Modify logs and install a suitable backdoor to retain access to the host
• Compromise sensitive data (files, databases, and network-mapped NFS or NetBIOS shares)
• Upload and use tools (network scanners, sniffers, and exploit scripts) to compromise other hosts
This book covers a number of specific vulnerabilities in detail, but it leaves cracking and pilfering techniques (deleting logs and installing backdoors, sniffers, and other tools) to the countless number of hacking books available. By providing you with technical information related to network and application vulnerabilities, I hope to enable you to formulate effective countermeasures and risk mitigation strategies.
The Cyclic Assessment Approach
Assessment of large networks in particular can become a very cyclic process if you are testing the networks of an organization in a blind sense and are given minimal information. As you test the network, information leak bugs can be abused to find different types of useful information (including trusted domain names, IP address blocks, and user account details) that is then fed back into other processes. The flowchart in Figure 1-2 outlines this approach and the data being passed between processes.
Figure 1-2. The cyclic approach to network security assessment (flowchart not reproduced). Its stages and the data passed between them: Network Enumeration (use of web and news searches, WHOIS, and DNS) produces IP addresses and DNS hostnames for Network Scanning (use of port scanners and network probe tools), which produces accessible TCP and UDP network services for Network Service Assessment (testing for information leak and process manipulation vulnerabilities which provide us with system access or data that can be used elsewhere). At the "Access granted?" decision, Yes leads to Collation of Data & Reporting, and No leads to Brute Force Password Grinding (using multiple vectors, remote maintenance, email, and FTP services in particular, to compromise valid user passwords). New domain names and IP addresses discovered along the way feed back into Network Enumeration, and account usernames feed into Brute Force Password Grinding.
This flowchart includes network enumeration, then bulk network scanning, and finally specific service assessment. It may be the case that by assessing a rogue non-authoritative DNS service, an analyst may identify previously unknown IP address blocks, which can then be fed back into the network enumeration process to identify further network components. In the same way, an analyst may enumerate a number of account usernames by exploiting public folder information leak vulnerabilities in Microsoft Outlook Web Access, which can then be fed into a brute-force password grinding process later on.
CHAPTER 2
This chapter outlines and discusses the components and tools that make up a professional security consultant's toolkit for performing tasks including reconnaissance, network scanning, and exploitation of vulnerable software components. Many advanced tools can only be run from Unix-based systems, while other Windows-specific tools are required when testing Microsoft-based platforms and environments, and so building a flexible platform is very important.
Although these tools and their respective configurations and uses are discussed in detail throughout the book, they are discussed here at a reasonably high level so that you may start to think about preparing and configuring your assessment platform. At a high level, the tools and components that you need to consider are as follows:
• Virtualization software to allow you to run multiple virtual systems on one physical machine
• Operating systems within your assessment platform
• Reconnaissance tools to perform initial Internet-based open source querying
• Network scanning tools to perform automated bulk scanning of accessible IP addresses
• Exploitation frameworks to exploit vulnerable software components and accessible services
• Web application testing tools to perform specific testing of web applications
With the exception of commercial tools that require licenses, all of the tools listed in this book can be found in the O'Reilly archive at http://examples.oreilly.com/networksa/tools. I have listed the original sites in most cases so that you can freely browse other tools and papers on each respective site.
Virtualization Software
Most security consultants use server virtualization software to underpin their testing platforms. Virtualization software allows for multiple virtual machines, running different operating systems and tools, to be run in parallel on the same physical system. Virtual machines are also easily frozen, spun back to a previous known good state, and copied or moved between different physical machines, all of which allows for easy maintenance.
ture products require commercial licenses
I run VMware Server from my Windows workstation to run and access Linux and other operating platforms in parallel as needed during a network security assessment. From a networking perspective, VMware can be used in many configurations. I use a virtual NAT configuration that gives my virtual machines access to the network card of my workstation.
Microsoft Virtual Server is also available, and offers datacenter-class features such as rapid configuration and deployment of virtual machine images. Virtual Server is available from http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx.
The operating platforms you use during a network security assessment will depend on the type of network you are going to test and the depth to which you will perform your assessment. It is often the case that to successfully launch exploit scripts against Linux or Unix systems, you will require access to a Unix-like platform (usually Linux or BSD-derived) to correctly compile and run specialist exploit tools.
Microsoft Windows Platforms
As Windows releases (XP, 2003 Server, Vista, etc.) start to mature and become more flexible, many more network assessment and hacking tools that run cleanly on the platform are becoming available. Previous Windows releases didn't give raw access to network sockets, so many tools had to be run from Unix-based platforms. This is no longer the case; increasing amounts of useful security utilities have been ported across to Windows, including Nmap and powerful tools within the Dsniff package, such as arpspoof.
Windows operating platforms are usually required within a network security assessment exercise to use tools that are run against Windows targets, such as Urity's RpcScan, because it uses internal Windows libraries and components that are not easily available or ported to Unix-based platforms.

Linux Platforms
Linux is the platform of choice for most hackers and security consultants alike. Linux is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols (Bluetooth and IPv6 are good examples at the time of writing). All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems, due to the inclusion of extensive networking libraries.
Fedora Core (http://fedora.redhat.com)
Binary distributions like Ubuntu are useful and reliable, and are updated easily using the apt-get or aptitude package management programs. Many large companies, including Google, use Ubuntu on both client workstation and server systems. Maintaining binary Linux distributions is much simpler than using source distributions, such as Gentoo, which require compilation of new software components.
Apple Mac OS X
Mac OS X is a BSD-derived operating system. The underlying system looks and feels very much like any Unix environment, with standard command shells (such as sh, csh, and bash) and useful network utilities that can be used during an IP-based network security assessment (including telnet, ftp, rpcinfo, snmpwalk, host, and dig).

Mac OS X is supplied with a compiler (installed with the Xcode developer tools) and many header and library files that allow for specific assessment tools to be built, including Nmap, Nessus, and Nikto. Many other tools and packages are available for Mac OS X via DarwinPorts (http://www.darwinports.com) and Fink (http://www.finkproject.org).
Network Scanning Tools
Network scanners are used to perform bulk automated scanning of IP ranges to identify vulnerable network service components. The two most popular freely available network scanners are Nmap and Nessus.

Nmap
Nmap is a port scanner used to scan large networks and perform low-level ICMP, TCP, and UDP analysis. Nmap supports a large number of scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning, and low-level network traffic filter analysis. Nmap is available from http://www.insecure.org/nmap. Currently, Nmap can be run under most operating platforms, including Windows, Linux, and Mac OS X.
Nessus
Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including ICMP, TCP, and UDP scanning, testing of specific network services (such as Apache, MySQL, Oracle, Microsoft IIS, and many others), and rich reporting of vulnerabilities identified.
Having run the Sentinel testing platform and evaluated the security consultants of the world's largest penetration testing providers, I know that all of them use Nessus to perform bulk network scanning and assessment, from which manual qualification and use of specific tools and techniques follows. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.

Nessus reporting is comprehensive in most cases. However, reports often contain a number of false positives and a lot of noise (as issues are often not reported concisely or different iterations of the same issue are reported), so it is important that consultants manually parse Nessus output, perform qualification, and produce an accurate and concise handwritten report. As with many other tools, Nessus uses CVE references to report issues. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (http://cve.mitre.org).
Nessus is available for free download from http://www.nessus.org, and can be run under Linux, Solaris, Windows, Mac OS X, and other platforms. Tenable Security maintains a commercially supported and up-to-date branch of Nessus and its scanning scripts, which has enhanced features relating to SCADA testing and compliance auditing under Windows and Unix. Further information is available from http://www.tenablesecurity.com/products/nessus.shtml.
Commercial Network Scanning Tools
Commercial scanning packages are used by many network administrators and those responsible for the security of large networks. Although not cheap (with software licenses often in the magnitude of tens of thousands of dollars), commercial systems are supported and maintained by the respective vendor, so vulnerability databases are kept up-to-date. With this level of professional support, a network administrator can assure the security of his network to a certain level.
Here’s a selection of popular commercial packages:
ISS Internet Scanner (http://www.iss.net)
eEye Retina (http://www.eeye.com)
QualysGuard (http://www.qualys.com)
Matta Colossus (http://www.trustmatta.com)
An issue with such one-stop automated vulnerability assessment packages is that, increasingly, they record false positive results. As with Nessus, it is often advisable to use a commercial scanner to perform an initial bulk scanning and network service assessment of a network, then fully qualify and investigate vulnerabilities by hand to produce accurate results. Matta Colossus addresses this by allowing the user to supervise a scan as it is conducted, and also to edit the final report.
Exploitation Frameworks
Upon identifying vulnerable network services and components of interest by performing network scanning, exploitation frameworks are used to exploit the flaws in these accessible network services and gain access to the target host. Qualification in this way is often important so that a clear and accurate report can be presented to the client. The only exploitation framework that is available for free at the time of writing is Metasploit. Two popular commercial frameworks are CORE IMPACT and Immunity CANVAS.
Metasploit Framework
The Metasploit Framework (MSF) (http://www.metasploit.com) is an advanced open source platform for developing, testing, and using exploit code. The project initially started off as a portable network game and then evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.
The framework and exploit scripts are written in Ruby, and widespread support for the language allows MSF to run on almost any Unix-like system under its default configuration. The system itself can be accessed and controlled through a command-line interpreter or web interface running from a suitable server.
Metasploit exploit modules are reliable and cover exploitation of the most popular vulnerabilities uncovered in Windows- and Unix-based platforms since 2004. A very useful feature in the current version (3.0 at the time of writing) is a reverse VNC server injection mechanism, which is invaluable when repositioning through Windows servers.
Commercial Exploitation Frameworks
Security consultants use commercial exploitation frameworks to perform penetration and repositioning tasks. At the time of writing, the two leading commercially available exploitation frameworks are CORE IMPACT and Immunity CANVAS. These tools are feature-rich, reliable, and commercially supported, offering advanced features such as repositioning using agent software. Also, third-party companies (including Argeniss and GLEG) offer zero-day exploit packs, which can be integrated into these systems to exploit unpublished zero-day vulnerabilities.

These exploitation frameworks are discussed along with Metasploit Framework in Chapter 16. For current details relating to IMPACT and CANVAS, you can visit their respective vendor web sites:
CORE Security Technologies (http://www.coresecurity.com)
Immunity Inc (http://www.immunityinc.com/products-canvas.shtml)
Details of the GLEG and Argeniss 0day exploit packs, containing numerous unpublished exploit scripts, can be found at their respective web sites:
GLEG VulnDisco (http://gleg.net/products.shtml)
Argeniss Ultimate 0day Exploits Pack (http://www.argeniss.com/products.html)