Vulnerability Assessment Tools


As the complexity of an enterprise network increases, so do its vulnerabilities. Heterogeneous operating systems, each with their own configuration quirks, run myriad devices and applications in a high-speed, highly connected environment. The upshot is a maelstrom of code, with unexpected holes, glitches, and back doors. Oftentimes, network administrators aren't aware such breaches exist until an intruder uses them to gain unauthorized access to network resources.

Scanning is one way to root out possible weak points in your network. A host of software-based scanning tools are available to probe your network for known vulnerabilities in operating systems, applications, passwords, and so on. In fact, would-be intruders use these tools to scope out a network before attacking, so scanning is also a proactive security measure that lets you find the chinks in your armor before someone else does.

Depending on the level of technical expertise available to you, you'll have to decide whether to conduct your own scans or hire a scanning service. If you conduct your own scan, you can choose among commercial, open-source, and freeware tools.

Many of the open-source and freeware tools, such as Nmap, are written by hackers. Why would a legitimate administrator use hacker tools? Good question. A good answer is because such products can be highly effective. You may also find it instructive to learn just how intruders go about casing your network. However, commercial software packages perform the same functions and have easy-to-use interfaces and reporting capabilities.

Pings And Ports

A vulnerability scan takes a hacker's-eye view of your network. Seemingly harmless communication between two machines reveals information pointing to potential vulnerabilities (see "Scan and Deliver," page 34). The scanning tools match this information against a database of exploits to determine which ones may be present on your network.

A vulnerability scan consists of three basic steps. The first is network discovery, which uses the Ping utility to discover active devices on the network. The Ping utility sends Internet Control Message Protocol (ICMP) packets to a target system, looking for a response. A positive response, such as an ICMP ECHO_REPLY (Type 0), means the target is alive. This creates a basic map of live hosts that an intruder can target individually.
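To make the discovery step concrete, here is an added example (not code from the original tutorial) that builds and decodes ICMP echo messages and turns a set of answers into the "map of live hosts" the paragraph describes. It only handles the ICMP header itself (the IP header is assumed to have been stripped already), verifies the RFC 792 checksum, and counts a source as alive only when it returned a well-formed Type 0 reply. All packets and addresses below are constructed sample data.

```python
import struct

ICMP_ECHO_REPLY = 0    # Type 0: the answer a live host sends back
ICMP_ECHO_REQUEST = 8  # Type 8: what ping sends out


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP echo message: type, code, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo_reply(packet: bytes) -> dict:
    """Decode an ICMP message and report whether it is a valid echo reply."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Recompute the checksum with the checksum field zeroed and compare.
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": checksum_ok,
        "alive": icmp_type == ICMP_ECHO_REPLY and checksum_ok,
        "payload": packet[8:],
    }


def live_hosts(replies) -> list:
    """Build the map of live hosts from (source_ip, icmp_bytes) pairs.

    Only sources that answered with a well-formed echo reply are kept;
    corrupt or truncated answers are not treated as proof of life."""
    alive = set()
    for src_ip, packet in replies:
        try:
            if parse_echo_reply(packet)["alive"]:
                alive.add(src_ip)
        except ValueError:
            continue
    return sorted(alive)


if __name__ == "__main__":
    # Constructed sample: one good reply, one echo *request* (not a reply),
    # one reply with a flipped payload byte, and one truncated packet.
    good = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])
    sample = [
        ("192.0.2.10", good),
        ("192.0.2.11", build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")),
        ("192.0.2.12", corrupted),
        ("192.0.2.13", good[:5]),
    ]
    print(live_hosts(sample))  # ['192.0.2.10']
```

The checksum step matters on the defensive side as well: a discovery tool that trusts any Type 0 packet will happily map hosts that never answered, so a sweep should be read as "hosts that replied correctly", not "hosts that exist". Hosts that drop ICMP entirely are invisible to this method, which is why the port scan in the next step is still needed.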

The second step is a port scan, which identifies ports in listening mode as well as those that may have exploitable active services. Port scans also identify the operating system on a target, including which service packs or kernel releases have been installed. This information permits an intruder to launch very precise exploits against a target. Be aware that simply finding a listening port doesn't imply vulnerability. Sometimes, an intruder must follow up with further packet manipulation to tease out potentially damaging information. The sidebar at the end of this tutorial describes several of these techniques.

In the final step, the scanner analyzes the data and generates a report detailing potential vulnerabilities and fixes. Because the report data is so crucial, you'll want to choose a solution that displays the results clearly and usefully to you. It's worth your time to review sample reports before buying or using any scanner.

Password Crackers

Password auditing software is another assessment tool available to both intruders and administrators. An administrator uses such a tool to audit his users' passwords to ensure they're following good password policy. A number of open-source password crackers are available on the Internet, and many commercial security scanners include password auditing.

The premier Windows NT password cracking tool is L0phtCrack, developed by the L0pht Heavy Industries group (see Resources).

Windows NT disguises passwords with a one-way function that turns plain text into a string of bytes, known as a hash. The problem is that NT must also support an older and weaker hash algorithm from LAN Manager for compatibility reasons. Because L0phtCrack has reverse-engineered the LAN Manager function, it produces the same hash from any candidate password. Thus, instead of decrypting the password, L0phtCrack merely matches hashes.

The product exploits this flaw in three ways. First, a dictionary attack runs the hash on a collection of words commonly used as passwords. It compares this list to the NT hashes, looking for matches. If it doesn't find a match, the program next adds random characters to each word in its dictionary list. Finally, if still unsuccessful, it runs a brute-force attack, trying every possible combination of letters and numbers until it discovers a match.

While the above information makes it sound as if any old script kiddie running L0phtCrack can waltz off with your passwords, a would-be cracker must still overcome several barriers. For one, an attacker first has to get the Security Accounts Manager (SAM) file that stores the NT hashes, which requires administrator privileges on the target system. In addition, L0phtCrack must also be run offline because of the time it takes to match the hashes in the SAM file. The further intricacies of password cracking with L0phtCrack are outside the scope of this article, but check out Resources for more information.
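The three-stage hash-matching idea above is easy to see in a small administrator's audit. The following is an added example, not L0phtCrack's code and not the real LAN Manager or NT algorithm: `toy_hash` is a SHA-256 stand-in (an assumption made so the example runs anywhere), the word list, suffixes, and the `ACCOUNTS` table are constructed, and the brute-force stage is deliberately bounded to three lowercase letters. The audit reports which stage defeated each stored hash rather than the recovered password, which is all a policy check needs.

```python
import hashlib
import itertools
import string

# Stand-in for the LAN Manager/NT hash (assumption: any deterministic one-way
# function shows the idea; the real algorithms are not reimplemented here).
def toy_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed word list standing in for a cracking dictionary.
WORDS = ["password", "letmein", "welcome", "summer", "admin", "monday"]
# Hybrid stage: the page says the tool appends characters to each word;
# here the appended characters are one- and two-digit suffixes.
SUFFIXES = [str(i) for i in range(10)] + ["%02d" % i for i in range(100)]


def dictionary_stage(target: str, words) -> bool:
    """Stage 1: hash each dictionary word and compare with the stored hash."""
    return any(toy_hash(w) == target for w in words)


def hybrid_stage(target: str, words, suffixes) -> bool:
    """Stage 2: dictionary words with characters appended."""
    return any(toy_hash(w + s) == target for w in words for s in suffixes)


def brute_force_stage(target: str, alphabet=string.ascii_lowercase, max_len=3) -> bool:
    """Stage 3: every combination over a small alphabet, bounded by max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            if toy_hash("".join(combo)) == target:
                return True
    return False


def audit(accounts: dict) -> dict:
    """Map each user to the first stage that matched the stored hash,
    or None if the password survived all three stages."""
    report = {}
    for user, stored in accounts.items():
        if dictionary_stage(stored, WORDS):
            report[user] = "dictionary"
        elif hybrid_stage(stored, WORDS, SUFFIXES):
            report[user] = "hybrid"
        elif brute_force_stage(stored):
            report[user] = "brute-force"
        else:
            report[user] = None
    return report


# Constructed account table: what an administrator would extract for an audit.
ACCOUNTS = {
    "alice": toy_hash("welcome1"),
    "bob": toy_hash("summer"),
    "carol": toy_hash("zq"),
    "dave": toy_hash("correct-horse-battery"),
}

if __name__ == "__main__":
    for user, stage in audit(ACCOUNTS).items():
        print(user, "WEAK (%s)" % stage if stage else "ok")
```

Note that the real LAN Manager hash is weaker than this stand-in suggests: it upper-cases the password and hashes it in two 7-character halves, so the brute-force stage's search space against it is far smaller than the full password length implies. That is the compatibility weakness the article refers to, and it is the reason auditing tools of this kind were effective against NT networks that still stored LM hashes.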

Scan The Scanners

Before purchasing or downloading the latest and greatest network scanner, take some time to search for tools that will meet your objectives.

A good starting point is to determine the product's ease of use. If you prefer GUIs to command line interfaces, you'll likely lean toward commercial products. However, there's nothing stopping you from using both off-the-shelf and freeware tools.

When choosing a product, make sure it prioritizes vulnerabilities. A full-blown scan may generate an 800-page report filled with hundreds of exploits. Addressing such a gargantuan list will be more manageable if you know which ones must be dealt with immediately.

Be aware that a scan will affect your network's performance; to what degree depends on the depth of the scan and the number of devices. Schedule your scans when they're least likely to impact essential business services. Also, look for tools that allow you to target specific systems. You may want to scan particular segments of your network more frequently than others, and there's no sense in blasting every device you own with resource-consuming packets.

Find out how frequently the vulnerability database is updated. Just like viruses, new exploits appear all the time, so your tools should stay abreast of the latest attacks. That said, there are different ways of listing and counting exploits, so don't be dazzled by high numbers. Product A may claim to spot 10,000 vulnerabilities while Product B detects 5,000, but this doesn't mean Product A is a more comprehensive solution.

You may also want to inquire where the vendor gets its vulnerability information. While every vendor makes use of public postings from organizations such as CERT, BugTraq, and the SANS Institute, many also have in-house research teams that alert you to security holes before they're posted at large.
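The prioritization and counting points above can be shown with a small report post-processor. This is an added example, not a feature of any product named in the article: it takes a flat list of per-host findings of the kind an 800-page report is built from, groups them by the scanner's own check identifier so that the "number of vulnerabilities" collapses to the number of distinct issues, and ranks the result by severity weighted by network zone. The `Finding` type, the zone weights, and the `FINDINGS` sample are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str      # constructed labels: "dmz" or "internal"
    issue_id: str  # the scanner's identifier for the check (constructed values)
    severity: int  # 1 (informational) .. 5 (critical), as the scanner rates it


# Assumption: an exposed DMZ host makes the same hole twice as urgent.
ZONE_WEIGHT = {"dmz": 2.0, "internal": 1.0}


def priority(f: Finding) -> float:
    """Severity weighted by where the host sits; unknown zones count as internal."""
    return f.severity * ZONE_WEIGHT.get(f.zone, 1.0)


def consolidate(findings) -> list:
    """Collapse per-host findings into one row per issue, highest priority first.

    Ties are broken by number of affected hosts, then by issue id, so the
    ordering is stable across runs."""
    by_issue = defaultdict(list)
    for f in findings:
        by_issue[f.issue_id].append(f)
    rows = []
    for issue_id, group in by_issue.items():
        rows.append({
            "issue_id": issue_id,
            "hosts": sorted({g.host for g in group}),
            "priority": max(priority(g) for g in group),
        })
    rows.sort(key=lambda r: (-r["priority"], -len(r["hosts"]), r["issue_id"]))
    return rows


# Constructed sample: seven findings, four distinct issues.
FINDINGS = [
    Finding("web1", "dmz", "CHK-0042", 5),
    Finding("web2", "dmz", "CHK-0042", 5),
    Finding("db1", "internal", "CHK-0042", 5),
    Finding("db1", "internal", "CHK-0107", 4),
    Finding("ws17", "internal", "CHK-0301", 1),
    Finding("ws18", "internal", "CHK-0301", 1),
    Finding("mail1", "dmz", "CHK-0210", 3),
]

if __name__ == "__main__":
    rows = consolidate(FINDINGS)
    print("%d findings, %d distinct issues" % (len(FINDINGS), len(rows)))
    for r in rows:
        print("%-9s priority %4.1f  hosts: %s" % (r["issue_id"], r["priority"], ", ".join(r["hosts"])))
```

The same logic explains why raw counts from two products are not comparable: a vendor that counts one check per host, or one per affected version, reports a much larger number for the same set of underlying problems. Comparing products by the number of distinct issues they find on the same test network is a fairer measure.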

Clean Sweep

Let's say you've scoured your network from top to bottom. You've found the holes, read the reports, and applied the patches. Now your network is one hundred percent secure, at least until an inventive coder discovers an entirely new way to slip packets through your firewalls.

Vulnerability scanning is not a one-time fix. Clever and industrious hackers constantly discover new exploits. In addition, clever and industrious software vendors are constantly releasing new versions of their products; even software that comes fully baked from the shop probably has unforeseen holes, or will interact in unexpected ways with your own network.

The frequency of your scans should depend on your security posture, as well as on the lifecycle of your network devices. If you have a relatively stable architecture with few changes or upgrades, you'll likely require fewer scans (assuming you patched the holes you discovered the first time around). However, particularly sensitive segments of your network, such as the Demilitarized Zone (DMZ), may warrant more frequent check-ups.

Overall, be prepared to invest a good deal of time both for the scan and the clean-up afterwards. It makes no sense to discover vulnerabilities if you simply ignore them.

Scan And Deliver

In a normal TCP communications sequence, a client machine and server must go through a three-step "handshake" to establish a connection. The client initiates the handshake by sending a SYN packet to the server. If the server is available, it acknowledges the communication with a SYN/ACK packet. Finally, the client sends its own ACK packet and makes a connection.

Intruders can manipulate this handshake sequence to glean essential information based on the server's response, including misconfigured operating systems or software versions with known vulnerabilities.

The following port scans are commonly used to case a target host. This list is excerpted, with permission from the publisher, from the book Hacking Exposed, Second Edition (Osborne/McGraw-Hill, 2001), by Joel Scambray, Stuart McClure, and George Kurtz.

TCP Connect scan. This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system.

TCP SYN scan. This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If a RST/ACK is received, it usually indicates that the port isn't listening. A RST/ACK will be sent by the system performing the port scan so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect, and it may not be logged by the target system.

TCP FIN scan. This technique sends a FIN packet to the target port. Based on RFC 793 (www.ietf.org/rfc/rfc0793.txt), the target system should send back an RST for all closed ports. This technique usually only works on Unix-based TCP/IP stacks.

TCP Xmas Tree scan. This technique sends a FIN, URG, and PUSH packet to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.

TCP Null scan. This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.

TCP ACK scan. This technique maps out firewall rulesets. It helps determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advanced packet filtering.

TCP Window scan. This technique may detect open as well as filtered/nonfiltered ports on some systems (for example, AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.

TCP RPC scan. This technique is specific to Unix systems and detects and identifies Remote Procedure Call (RPC) ports and their associated programs and version numbers.
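Each scan type in the list leaves a recognizable footprint on the wire, which is what an administrator's intrusion-detection logic looks for. The following added example (not from the book or the article) runs over a constructed capture of TCP packet summaries and flags a source that (a) completes half-open handshakes, i.e. SYN, SYN/ACK from the server, then RST with no ACK ever sent, or (b) sends the flag combinations a normal client never does: no flags (Null), FIN+URG+PSH (Xmas Tree), a bare FIN, or an ACK with no preceding handshake. The packet tuples, addresses, and the `min_ports` threshold are assumptions; the flag letters follow tcpdump's convention (S, A, F, R, P, U).

```python
from collections import defaultdict

# Constructed packet summaries: (src, dst, sport, dport, flags).
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 40001, 22, "S"),
    ("192.0.2.10", "198.51.100.7", 22, 40001, "SA"),
    ("198.51.100.7", "192.0.2.10", 40001, 22, "R"),    # scanner tears down: half-open
    ("198.51.100.7", "192.0.2.10", 40002, 25, "S"),
    ("192.0.2.10", "198.51.100.7", 25, 40002, "RA"),   # closed port answers RST/ACK
    ("198.51.100.7", "192.0.2.10", 40003, 80, "S"),
    ("192.0.2.10", "198.51.100.7", 80, 40003, "SA"),
    ("198.51.100.7", "192.0.2.10", 40003, 80, "R"),    # second half-open
    ("198.51.100.7", "192.0.2.10", 40004, 443, "FPU"), # Xmas Tree probe
    ("198.51.100.7", "192.0.2.10", 40005, 8080, ""),   # Null probe
    # A legitimate client: full handshake, data, orderly close.
    ("203.0.113.5", "192.0.2.10", 51000, 80, "S"),
    ("192.0.2.10", "203.0.113.5", 80, 51000, "SA"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "A"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "PA"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "FA"),
]


def classify_probe(flags: str):
    """Name the scan type a flag combination corresponds to, or None if it is ordinary."""
    fs = set(flags)
    if not fs:
        return "null"
    if fs == {"F", "P", "U"}:
        return "xmas"
    if fs == {"F"}:
        return "fin"
    if fs == {"A"}:
        return "ack"
    return None


def detect_scans(packets, min_ports: int = 3) -> dict:
    """Return {source: [(server, port, kind), ...]} for sources that probed
    at least min_ports distinct ports with scan-like behaviour."""
    flows = {}                  # (client, server, server_port) -> handshake state
    probes = defaultdict(set)   # source -> {(server, port, kind)}
    for src, dst, sport, dport, flags in packets:
        if (dst, src, sport) in flows:                 # reply from a known server
            if "S" in flags and "A" in flags:
                flows[(dst, src, sport)]["synack"] = True
            continue
        state = flows.setdefault((src, dst, dport),
                                 {"syn": False, "synack": False, "ack": False})
        fs = set(flags)
        if fs == {"S"}:
            state["syn"] = True
        elif "A" in fs and state["syn"]:
            state["ack"] = True                        # handshake completed normally
        elif fs == {"R"} and state["synack"] and not state["ack"]:
            probes[src].add((dst, dport, "half-open"))  # SYN scan signature
        else:
            # Caveat: an ACK whose SYN predates the capture also lands here,
            # so "ack" hits should be checked against session start times.
            kind = classify_probe(flags)
            if kind:
                probes[src].add((dst, dport, kind))
    return {src: sorted(p) for src, p in probes.items()
            if len({port for _, port, _ in p}) >= min_ports}


if __name__ == "__main__":
    for src, hits in detect_scans(PACKETS).items():
        print(src, "probed", len(hits), "ports:", hits)
```

Two things the code makes visible that the list only implies: the TCP Connect scan leaves no abnormal flags at all, so it is detected by volume (many full handshakes from one source) rather than by signature, which is why the book calls it easily detected; and the half-open scan is only "stealthier" against hosts that log completed connections, since any sensor watching the handshake itself sees the SYN, SYN/ACK, RST pattern plainly.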

Resources

Rik Farrow's Network Defense columns in Network Magazine provide a host of information on security topics. In regard to vulnerability scanning, check out "ICMP Stands for Trouble" (September 2000, page 98) and "System Fingerprinting with Nmap" (November 2000, page 102). The articles can also be found at www.networkmagazine.com.

The book Hacking Exposed, Second Edition by Joel Scambray, Stuart McClure, and George Kurtz, has several in-depth chapters on vulnerability scanning, security exploits, and password cracking. Go to www.foundstone.com for more information.

L0phtCrack is available at www.securitysoftwaretech.com.

You can download the scanning tool Nmap from its creator's Web site at www.insecure.org. The site also has exploit lists and links to other scanning tools and security sites.

A list of commercial scanners is available at http://securityportal.com/research/research.scanners.html.

The magazine Information Security ran a four-part series on vulnerability assessment, from July 2000 through October 2000. Back issues are on the Web at www.infosecuritymag.com.

The Web site Windows IT Security discusses how to use L0phtCrack on Windows 2000. Go to www.ntsecurity.net/Articles/Index.cfm?ArticleID=9186/.

This tutorial, number 153, by Andrew Conry-Murray, was originally published in the April 2001 issue of Network Magazine.

 
Network Tutorial
LAN Tutorial With Glossary of Terms: A Complete Introduction to Local Area Networks (LAN Networking Library)
ISBN: 0879303794
Year: 2003
Pages: 193