White Hat Vulnerability Testing

Security analysts use vulnerability scanners to test their systems' infrastructure and its exposure to attack and exploitation. It is imperative that the proper tools are used to take a good, hard look at a system's weaknesses so that the analyst knows how to remove or repair the problems and they are no longer exploitable.

LANguard Network Scanner

The LANguard Network Scanner, marketed by a company called GFI, is by far one of the better free scanners on the market today. Once vulnerabilities are found, this scanner can aid in closing them.

Note 

You can download the LANguard Network Scanner for free from the GFI Web site: http://www.gfi.com/downloads/downloads.asp?pid=8&lid=1

Once downloaded, installation is very easy. When the installation is complete, open the LANguard Network Scanner either by double-clicking the desktop icon it creates or by finding it in the Programs menu. Once opened, you will see that the scanner is ready to be used. Figure A.1 shows the scanner already populated with a Windows 2000 Server.

Figure A.1: Viewing the GFI LANguard Network Scanner

In the figure, you can see that all you need to do is scan by IP address (or a range of IP addresses) to connect to a host and check it for problems. You can also scan by hostname, but for these purposes we will stay with the basics. A single Windows 2000 Server on the network has been selected for testing. This server was installed and was not updated with the latest hot fixes from Microsoft.

Note 

It is critical for the exam, and as an MCP, that you know everything about service packs and hot fixes. The security of your systems depends greatly on your having this knowledge.

Following are issues you may need to contend with to secure your Windows 2000 Server. Let's look at this in steps:

  1. Open the scanner and pick a server. (I selected a server with the IP address of 192.168.1.10.)

  2. Scan the server by clicking on the Start Scanning icon in the tool bar.

  3. Once the scan has started, the right-hand pane of the scanner gives feedback on the scan that is taking place. The left-hand pane is where the node (192.168.1.10) will show up if it exists. You will then see a list of services.

  4. Figure A.2 shows the final result of the services listed.

    Figure A.2: Scanning and Reviewing the Results of a Windows 2000 Server

  5. As can be seen in the figure, there are quite a few items of interest. First, look at the services running on the server. You may need to investigate whether Internet Information Services (IIS, used for Web publishing) needs to be running at all on a server that is used for file shares.

    Note 

    For the exam, you MUST know how to disable services that are unwanted or unnecessary. The IIS Web Publishing Service is at the top of the list! If you are not running a Web site or an intranet, disable this service.

  6. The FTP service is also running. You probably do not want this service running on a production server. All a hacker would need to do is open a Web browser and type ftp://192.168.1.10. Once connected, they may be able to place warez (files and junk) on the server without your knowing.

    Note 

    If protected with appropriate permissions, the system is probably safe. The point is that you may not even have known this service was running in the first place, and using this scanner may have helped you see it.

  7. Another important fact is that many services and protocols you may not be using are running on this server. E-mail services (POP3 among them) are running; if they are not needed, they should be disabled. Since this is an Active Directory server, DNS must be running, as it is the DNS server for this domain. The tool gives some insight into what is running and an opportunity to decide which services and protocols are and are not needed.

  8. Figure A.3 clearly shows that you are being alerted to issues on your Windows 2000 Server that need your immediate attention.

    Figure A.3: Viewing CGI Abuses
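The decision the steps above walk through (IIS and FTP on a file server, mail services nobody uses, DNS required on an Active Directory server) is a comparison of what is listening against what the server's role requires. The following script is an added example, not code from the study guide or from GFI: it takes a list of listening ports such as the one in Figure A.2 and reports what the role does not call for, and what the role needs that is missing. The port-to-service table, the role profiles and the sample result are all constructed for the example; adapt the profiles to your own build standard. The scan_ports helper is a plain TCP connect check for use against a host you administer.

```python
"""Role-based review of the services a scanner reports as listening (added example)."""
import socket
from typing import Dict, Iterable, List, Set, Tuple

# Well-known TCP ports for the services the text discusses (constructed table).
SERVICE_PORTS: Dict[int, str] = {
    21: "FTP",
    25: "SMTP",
    53: "DNS",
    80: "IIS Web Publishing (HTTP)",
    110: "POP3",
    139: "NetBIOS Session (File and Print Sharing)",
    389: "LDAP",
    445: "SMB over TCP (File and Print Sharing)",
}

# What each server role is expected to expose (constructed profiles; edit to match your standard).
ROLE_PROFILES: Dict[str, Set[int]] = {
    "file-server": {139, 445},
    "domain-controller": {53, 139, 389, 445},
    "web-server": {80},
}


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect check of a host you administer: returns the ports that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def review_services(open_ports: Iterable[int], role: str) -> Tuple[List[str], List[str]]:
    """Compare listening ports with the role profile.

    Returns (unexpected, missing): services to investigate or disable, and
    required services that are not listening. A domain controller without DNS
    is as much a finding as a file server with FTP.
    """
    expected = ROLE_PROFILES[role]
    listening = set(open_ports)
    unexpected = [f"{p}/tcp {SERVICE_PORTS.get(p, 'unknown service')}"
                  for p in sorted(listening - expected)]
    missing = [f"{p}/tcp {SERVICE_PORTS.get(p, 'unknown service')}"
               for p in sorted(expected - listening)]
    return unexpected, missing


if __name__ == "__main__":
    # Constructed result resembling Figure A.2: a file server that also runs
    # IIS, FTP and mail services. Replace with
    # scan_ports("192.168.1.10", SERVICE_PORTS) to check a host of your own.
    found = [21, 25, 80, 110, 139, 445]
    bad, gone = review_services(found, "file-server")
    for item in bad:
        print("investigate or disable:", item)
    for item in gone:
        print("expected but not listening:", item)
```

Run against the constructed result, the file-server profile flags FTP, SMTP, HTTP and POP3 and reports nothing missing; running the same list against the domain-controller profile would additionally report DNS and LDAP as expected but absent.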

Many of the alerts seen here are fixed by hot fixes and service packs. Nonetheless, the point of showing them is to help you understand how to use this tool, what it shows you, and how to prompt further research of your own. Following is the listing for an IIS 5.0 FrontPage Server Extensions problem in the alerts in Figure A.3:

Problem: IIS 5.0 cross site scripting vulnerability using .shtml files or /_vti_bin/shtml.dll

Detail: Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses great security risk, especially if the browser is JavaScript enabled and the problem is greater in IE. By clicking on links or just visiting hostile web pages the target IIS server may return user defined malicous active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser.

Without using the scanner, you may never have known that the Windows 2000 Server was vulnerable to this type of problem. To sum up the use of this scanner, remember that a scanner only provides you with information that you need to act on. The LANguard Network Scanner tests your system for vulnerabilities and shows you what it finds. It is up to the security analyst to research the problems further and solve them. Microsoft TechNet, the Microsoft Knowledge Base, and NTBUGTRAQ can be used to research any problems the scanner finds.

Note 

You can visit NTBUGTRAQ and search the archives at the following URL: http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&S1=ntbugtraq

Network Mapper and Network Mapper for Windows

No White Hat's arsenal would be complete without Network Mapper (Nmap), the UNIX tool of choice for port scanning. A port scanner is a type of vulnerability tester. It is "lightweight" compared to LANguard, but it is a very flexible command line-based tool that runs on virtually any UNIX-based system. It is also free, and easy to learn and use. Figure A.4 shows Nmap running on a Linux server.

Figure A.4: Running a Scan with the Linux-based Nmap

Nmap is an open source utility for network exploration or security auditing. There is also a newer version of Nmap called NmapWin, which is the Windows version of the original Nmap tool.

Nmap and NmapWin were developed with high-speed scanning in mind. Following are the high points of the tool:

  • It is free and easy to use

  • It can rapidly scan very large networks as well as single systems

  • It can accurately figure out what hosts are available on a network

  • It can find services and ports available on a system

  • It can scan to identify which operating system, and which version of it, a host is running

Nmap and NmapWin are very easy to download and install. Once installed, you can use the Help files to find the options needed to scan your network. For the most part, if you simply install it, open it, and add a subnet to it (for example, 192.168.1.0/24), you can scan that entire subnet for hosts.

Figure A.5 shows that NmapWin is used through a Graphical User Interface (GUI). It is the same tool as Nmap, ported to Windows systems with a Win32 interface.

Figure A.5: Using the Windows-based Version of NmapWin
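A single scan of 192.168.1.0/24 tells you what is exposed today; repeating it and comparing against the last known-good run tells you what changed, which is how a port scanner becomes a detection control. The script below is an added example and is not code from the study guide or from the Nmap project. It parses the one-host-per-line "grepable" output that Nmap writes with its -oG option (an option the text does not cover) and reports ports that are open now but were not in the baseline, including hosts that were not there at all. The two scan results are constructed samples in that format, not captured output.

```python
"""Diff two Nmap grepable (-oG) inventories to find newly exposed services (added example)."""
import ipaddress
import re
from typing import Dict, Set, Tuple

# Constructed sample of grepable output: last week's baseline of 192.168.1.0/24 ...
BASELINE = """\
# Nmap scan of 192.168.1.0/24 (constructed sample, baseline)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 53/open/tcp//domain///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""

# ... and today's run: FTP and a Web server appeared on .20 and a new host joined with Telnet open.
CURRENT = """\
# Nmap scan of 192.168.1.0/24 (constructed sample, current)
Host: 192.168.1.10 ()\tPorts: 53/open/tcp//domain///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

# One port entry: port/state/protocol/owner/service/rpc info/version/
PORT_FIELD = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Map each host to its set of (port, service) entries that are open on TCP."""
    inventory: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ipaddress.ip_address(host)  # raises on anything that is not an address
        ports = line.split("Ports:", 1)[1].split("\tIgnored State:")[0]
        for port, state, proto, service in PORT_FIELD.findall(ports):
            if state == "open" and proto == "tcp":
                inventory.setdefault(host, set()).add((int(port), service))
    return inventory


def new_exposures(baseline: str, current: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return host -> ports open now that were not open in the baseline."""
    before = parse_grepable(baseline)
    after = parse_grepable(current)
    changes: Dict[str, Set[Tuple[int, str]]] = {}
    for host, ports in after.items():
        added = ports - before.get(host, set())
        if added:
            changes[host] = added
    return changes


if __name__ == "__main__":
    for host, ports in sorted(new_exposures(BASELINE, CURRENT).items()):
        for port, service in sorted(ports):
            print(f"{host}: {port}/tcp ({service}) was not open in the baseline")
```

Each reported line is a question for the administrator of that host: was the change planned, and does the server's role need the service? Hosts that disappear between runs are not reported by this function, but that is a second diff in the other direction if your inventory needs it.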

To download, install, and use NmapWin, follow these steps:

  1. Go to the Web site and download the Windows version called NmapWin.

  2. Make sure you download and install WinPcap, which is the Windows-based packet capture architecture that is needed in tandem with NmapWin. (Both links are provided in this appendix.)

  3. Download and install both packages. Follow the defaults and select where you want the files to be installed on your system.

  4. Make sure you reboot your system before using the software.

  5. Once rebooted, open NmapWin and start scanning either individual hosts (as seen in Figure A.5) or entire subnets. Read the downloadable documentation to learn the ins and outs of using the tool.

Note 

Nmap, in both the UNIX and the Windows Win32 version, can be found online for free at http://www.insecure.org/nmap/ and http://winpcap.polito.it/

Ethereal

If you want to "sniff" your network for free, you may want to download a copy of Ethereal. Packet sniffers such as Ethereal allow security analysts to test their systems to see whether they are susceptible to eavesdropping attacks.

Ethereal is a tool that can be used to passively analyze a network to see the kinds of conversations being sent to and from hosts on the network. It can capture NetBIOS Master Browser elections, show which hosts have the Server service or File and Print Sharing enabled, or even capture credentials such as usernames and passwords from users on the network who are, for example, using Telnet for an in-band connection to a device. To know these vulnerabilities exist, a sniffer should be running on the network to find out exactly what is going on inside the wire.

Figure A.6 shows the use of Ethereal on a network where I wanted to make sure that only TCP/IP was running. After capturing on a local subnet and filtering for Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), unnecessary services and protocols were found running that use up bandwidth on the wide area network (WAN) links and central processing unit (CPU) cycles on the devices.

Figure A.6: Using Ethereal to Perform Passive Attacks
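The two things the Ethereal capture is being used for above, finding protocols that should not be on the wire (IPX/SPX) and spotting sessions whose credentials cross the network in cleartext (Telnet), are both questions you can answer from the raw frames. The script below is an added example and is not code from the study guide or from the Ethereal project. It walks a list of Ethernet frames, tallies the link-layer protocols present and lists client-to-server conversations to Telnet, FTP and POP3 ports; it reports that such a session exists and never the credentials themselves. The frames are constructed in memory (placeholder MAC addresses, zero checksums) so the script runs offline; to use it on a real capture, fill FRAMES with the frame bytes read from your own capture file.

```python
"""Protocol inventory from raw Ethernet frames (added example)."""
import struct
from collections import Counter
from typing import Iterable, List, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
CLEARTEXT_CREDENTIAL_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3"}


def build_frame(ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with placeholder MAC addresses (constructed for the example)."""
    return bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + struct.pack("!H", ethertype) + payload


def build_tcp_ipv4(src: str, dst: str, sport: int, dport: int, data: bytes = b"") -> bytes:
    """Minimal IPv4+TCP packet; checksums are left zero because it is never sent."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 5 << 12, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed capture: a Telnet login to a router, the router's reply, an SMB
# session to the file server, an Ethernet II IPX frame and a Novell "raw" 802.3 IPX frame.
FRAMES: List[bytes] = [
    build_frame(ETHERTYPE_IPV4, build_tcp_ipv4("192.168.1.50", "192.168.1.1", 40001, 23, b"admin\r\n")),
    build_frame(ETHERTYPE_IPV4, build_tcp_ipv4("192.168.1.1", "192.168.1.50", 23, 40001)),
    build_frame(ETHERTYPE_IPV4, build_tcp_ipv4("192.168.1.50", "192.168.1.10", 40002, 445)),
    build_frame(ETHERTYPE_IPX, b"\xff\xff" + b"\x00" * 28),
    build_frame(30, b"\xff\xff" + b"\x00" * 28),
]


def inventory(frames: Iterable[bytes]) -> Tuple[Counter, List[str]]:
    """Count link-layer protocols and list cleartext-credential sessions seen."""
    protocols: Counter = Counter()
    findings: List[str] = []
    seen = set()
    for frame in frames:
        if len(frame) < 14:
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype <= 1500:
            # An IEEE 802.3 length field; Novell "raw" IPX starts its payload with FF FF.
            name = "IPX (802.3 raw)" if frame[14:16] == b"\xff\xff" else "802.3 (non-IP)"
        else:
            name = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_IPX: "IPX/SPX"}.get(ethertype, hex(ethertype))
        protocols[name] += 1
        if ethertype != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 4:  # protocol 6 is TCP
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        # Only the client-to-server direction identifies the service port.
        if dport in CLEARTEXT_CREDENTIAL_PORTS and (src, dst, dport) not in seen:
            seen.add((src, dst, dport))
            findings.append(f"{CLEARTEXT_CREDENTIAL_PORTS[dport]} session {src} -> {dst}:{dport} "
                            "(credentials cross the wire in cleartext)")
    return protocols, findings


if __name__ == "__main__":
    counts, notes = inventory(FRAMES)
    for name, count in counts.most_common():
        print(f"{count:4d}  {name}")
    for note in notes:
        print("finding:", note)
```

On the constructed frames the tally shows three IPv4 frames alongside one IPX/SPX and one raw 802.3 IPX frame, which is exactly the "something other than TCP/IP is on this wire" signal the text describes, and the one finding is the Telnet session from the workstation to the router.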

Ethereal depends on a second component that must also be installed on the system for it to work. To install Ethereal, do the following:

  1. Go to the Web site and download Ethereal.

  2. Make sure you download and install WinPcap, which is the Windows-based packet-capture architecture that is needed in tandem with Ethereal. (Both links are provided in this appendix.)

  3. Download and install both packages. Follow the defaults and select where you want the files to be installed on your system.

  4. Make sure you reboot your system before using the software.

  5. Once rebooted, open Ethereal and start sniffing your network (as seen in Figure A.6). Read the downloadable documentation to learn the ins and outs of using the tool.

Note 

You can get a copy of Ethereal free from the following URLs: http://www.ethereal.com/download.html and http://winpcap.polito.it/



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
