
Uploaded by peruvianwageslave under Internet and Web Applications, 5 Feb 2013


Assessing Vulnerabilities

ISA 4220 Server Systems Security

James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE

Sr. Security Analyst

Cincinnati Bell Technology Solutions

Assessing Vulnerabilities

Footprinting

Enumeration

Vulnerability Scanning

Exploitation

Reporting

http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67

Enumeration

Host and Service Enumeration

Port Scanning (nmap, scanline)

SNMP Scanning (Solarwinds, onesixtyone, snmpenum.pl)

NetBIOS Scanning (browsat, net view, nbtscan)

http://www.jedge.com

Network Mapper (nmap)

Latest stable version is 5.51.

More than a port scanner

Service and OS Identification

Traceroute

Nmap Scripting Engine

177 scripts for vulnerability discovery, Windows enumeration, fuzzing, & more.

Write your own!

Additional tools: Zenmap GUI, Ndiff, Ncat, & Nping.

http://nmap.org/book/man.html

Nmap Reporting

Nmap generates three file types (nmap, gnmap, xml)

results.nmap: log file that is the same as the screen output (with verbose turned off)

results.gnmap: output for each host found is placed on one line so grep can be used for simple shell script parsing.

results.xml: used for advanced report generation and loading into a database.

http://www.jedge.com/wordpress/?p=220

Scanline

Simple, free, standalone Windows port scanning executable.

Requires no installation

Perfect for upload to a compromised machine to scan internally.

Conducts banner grabbing for port identification.

Runs slow, output is horrible, shows only if a port is open, and no advanced features.

Originally created by Foundstone; the Foundstone tools are now owned by McAfee.

http://www.mcafee.com/us/downloads/free-tools/scanline.aspx

Solarwinds SNMP Sweep

Part of the commercial Engineer's Toolset (starting at $1390).

You will have to ask your company Networking group very nicely if you can use one of the licenses.

Very easy to use GUI tools for SNMP scanning and analysis.

MS Excel compatible reporting features.

http://www.solarwinds.com/products/toolsets/

Open Source SNMP Scanning

Nmap: look for open UDP port 161

onesixtyone: community string dictionary attack

snmpenum.pl: obtain detailed host information for Windows, Linux, and Cisco

http://www.jedge.com/docs

Nessus

Formerly an open source vulnerability scanner. The product went closed source with version 3.0 but was still free for commercial use. Now with version 4.0 you have to obtain a license to use the product for commercial purposes.

The current version, Nessus 4.4, is still free for educational purposes and home use.

http://cgi.tenable.com/nessus_4.4_user_guide.pdf

http://cgi.tenable.com/nessus_4.4_installation_guide.pdf

Nikto

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.

Latest version is 2.1.4 (2.20.2011)

Video for integrating Nikto with Nessus: http://www.cirt.net/node/86

http://www.cirt.net/

w3af: Web Application Attack and Audit Framework

The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Open Source alternative to commercial tools HP WebInspect, IBM AppScan, Acunetix, and Burp Suite.

http://w3af.sourceforge.net/

Reporting

Most scanners include their own report generation. However, even for expensive commercial tools, the reports generated include a mountain of information. No IT staff will read a 100-200 page report on the application or database vulnerabilities.

Most scanners allow you to export the report information in XML format. You can then parse the information, load it into a database, and generate your own reports.

http://php.net/manual/en/book.xml.php

Parsing XML with Perl or PHP

XML can be parsed with your favorite scripting or programming language (Perl, PHP, Python, Ruby, Java, etc.).

I'm sure you can do this with Windows scripting languages but I know NOTHING about this.

Examples will be given in Perl and PHP.

http://en.wikipedia.org/wiki/XML
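An added example of the reporting approach described on the Nmap Reporting and Reporting slides, written here in Python rather than the Perl or PHP the slides promise (this is not code from the slides or from the Nmap project). It parses a constructed sample of nmap -oX output into a per-host list of open services and a service count for a one-page summary; the hosts, addresses and versions in the sample are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout nmap writes with -oX (not the output of a real scan):
# each <host> has <status>, <address> and <ports>/<port> with <state> and <service> children.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX results.xml 192.0.2.0/30">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port></ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.3" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {ip: [(protocol, port, service description), ...]} for hosts that are up; open ports only."""
    report = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts (and MAC-only entries) are the bulk of a raw scanner report
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            # "ssh OpenSSH 5.3" when -sV filled in product/version, just "snmp" otherwise
            desc = " ".join(v for v in (attrs.get(a) for a in ("name", "product", "version")) if v)
            open_ports.append((port.get("protocol"), int(port.get("portid")), desc))
        report[addr.get("addr")] = sorted(open_ports)
    return report

def service_counts(report):
    """Number of hosts exposing each service name: a one-line figure for the summary page."""
    counts = Counter()
    for ports in report.values():
        for _proto, _port, desc in ports:
            counts[desc.split(" ")[0] or "unknown"] += 1
    return counts
```

To run it against a real scan, replace SAMPLE_XML with the contents of your results.xml; the returned dictionary is what you would load into a database table before generating the report.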

Parsing XML with Perl or PHP

Linux, Apache, MySQL and PHP, Perl, or Python (LAMP) creates an environment for custom report generation.

Many virtual images/appliances exist allowing an easy way to get the environment you need to process XML output.

Turnkey LAMP Appliance: http://www.turnkeylinux.org/lamp

http://www.jedge.com/wordpress/?page_id=62

Turnkey LAMP Appliance

Download the VMware Appliance from the Turnkey website.

Open the appliance in the free VMware Player or VirtualBox.

When the image boots it will ask to set the system root password and the MySQL root password.

The image will then assist you in configuring network access.

Helpful Links!

Using Nmap
http://www.youtube.com/watch?v=Bn36zoApLm4

Using Nessus
http://www.youtube.com/watch?v=3RgOtjv4v8E

Using Metasploit
http://www.youtube.com/watch?v=RxyD0F38WYg
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
http://www.irongeek.com/i.php?page=videos/metasploit-create-reverse-meterpreter-payload-executable

Top 100 Network Security Tools
http://sectools.org/

Misc
http://www.packetstormsecurity.org
http://vulnerabilityassessment.co.uk
http://www.jedge.com

Contact

James A. Edge Jr.

Email: james.edge@jedge.com

Web: http://www.jedge.com