Proactive testing of the network allows the security administrator to determine if there are weaknesses in their security architecture. Using freely available tools that are sometimes used by attackers will identify your weaknesses and allow you to correct the vulnerabilities.
Nmap (Network Mapper) is an open source tool geared toward security auditing of systems; it can also be used to discover the nodes on a given network. Nmap identifies hosts and, based on how the target's TCP/IP stack responds to its probes, gives a reasonably accurate guess at what operating system the target is running. In addition, Nmap reports which services are listening on a system, with a good guess at the service and its version. You can get other types of information with this full-featured tool as well, but we will focus on its operating system detection and service detection functions.
To get the latest version of Nmap (currently 3.50), go to http://download.insecure.org/nmap/dist/?M-D. Download the latest version of both Nmap and Nmap-frontend (nmap-3.50-1.i386.rpm and nmap-frontend-3.50-1.i386.rpm, respectively, as of this writing). In a shell window, navigate to where you downloaded the files and run the following commands as root, substituting the filenames if you chose a different version than 3.50:
rpm -Uvh nmap-3.50-1.i386.rpm
rpm -Uvh nmap-frontend-3.50-1.i386.rpm
There are two ways to run Nmap at this point: the command line version or the graphical front end. We will focus on the graphical version, as it is the easiest for newcomers to learn, but we will note the command line equivalent of each type of scan.
Heads Up
Now that you have installed Nmap, do not run it, or any other security auditing tool, against networks or machines for which you do not have explicit written permission to run these vulnerability checks. It is considered bad form, and in some cases is illegal, to run these programs against other people's machines and networks without specific permission to do so. Please be careful when using these tools.
Before you start the graphical component of Nmap, decide whether you need all of Nmap's functionality or can run with some options disabled. Not running as root limits your scanning options, as described in the man page, but not so much that you can't run an informative scan. One example of a scan you won't be able to run as a non-root user is the TCP SYN scan, because building the custom SYN packets requires raw socket access. Non-root users also don't get one of the more interesting bits of functionality, OS fingerprinting, where Nmap tries to determine the operating system of the scanned system. Most of the options will still be available, but be aware that some functionality is lost if you are not running Nmap as root.
The following starts Nmap Front End:
You will see a screen similar to Figure 14-5. In the bottom of the window you see a Command text box. Nmap is one of the better designed programs in that it shows you the command that is being run, so if you find a particular scan setup that you prefer, you can see the command line alternative for the scan. This allows you to run the command line equivalent of your favorite scans if you should find yourself without a graphical user interface.
If you click the Scan button without modifying any switches, you will get a generic scan that also fingerprints the OS via TCP/IP fingerprinting. The default NmapFE scan runs a SYN Stealth Scan (half-open TCP connection) together with an operating system scan, ICMP echo host discovery, and the default port list. The output of the default NmapFE scan against a SLES8 machine with a default install is shown in Figure 14-6.
You will notice that a lot of ports are open, and each one is a potential vulnerability, as discussed in earlier chapters. Also notice that Nmap correctly guessed our operating system; this scan was run against the localhost, which was a SLES8 machine. Nmap also correctly guessed the uptime of the machine, which had just been rebooted.
Another interesting option for the security administrator is to check the versions of your services, which helps you identify services that need upgrading. To get a version scan, click Version Probe, which adds the -sV option to your command line. To run the command line equivalent (as root, since -sS and -O need raw packets), type
nmap -sS -sV -O -PI -PT 127.0.0.1
This will result in output similar to Figure 14-7.
Nmap has many different types of scans, including some that let you scan more stealthily to avoid detection by network intrusion detection systems (as discussed in Chapter 11). There are many options to use when running Nmap, including UDP scans and full TCP connect scans. As a legitimate security auditor on a network you are responsible for (with approval), you should not need the options that hide your activity, but they are useful if you want to test your intrusion detection system. To gain a further understanding of all of Nmap's functionality and capabilities, view the online documentation at http://www.insecure.org/nmap/nmap_documentation.html or the man page. A thorough understanding of Nmap's capabilities will allow you to audit your network and security mechanisms in many ways, so testing and review of the documentation are highly encouraged.
The Nmap scans will help you identify which systems under your responsibility are susceptible to intrusion based on open services, and they give you a view of how an attacker sees your network. Based on the results of the scans you can also identify configuration creep, which is when a system's security posture slowly degrades because of user interaction, system administration mistakes, and modifications to available services. Comparing each new scan against a saved scan of the system as it was when you hardened it is the simplest way to catch creep.
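A small script to catch configuration creep, added here as an example (it is not part of the book or of Nmap). It parses two of Nmap's grepable output files, which you get by adding -oG <file> to the scan commands above, and lists every port that opened, closed or changed version between the baseline taken right after hardening and the latest scan. The two scan outputs embedded below are constructed samples in the grepable format; the file names and host addresses are assumptions.

```python
"""Spot configuration creep by diffing two Nmap grepable (-oG) scan outputs.

Added example, not code from the book or from Nmap. It assumes you saved the
output of `nmap -sS -sV -oG baseline.gnmap <hosts>` right after hardening and
re-run the same command later as latest.gnmap; run it as
`python nmap_creep.py baseline.gnmap latest.gnmap` (no arguments uses the
constructed samples below).
"""
from __future__ import annotations

import sys

# Constructed sample outputs in Nmap's grepable format: tab-separated fields,
# and each port entry reads "port/state/proto/owner/service/rpcinfo/version/".
# Nmap writes any "/" inside a version string as "|", so splitting on "/" is
# safe. The later scan shows a new web server, an SSH upgrade and a portmapper
# that was not there at baseline.
BASELINE_SCAN = (
    "# Nmap 3.50 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 (linux1)\tPorts: 22/open/tcp//ssh//OpenSSH 3.4p1 (protocol 1.99)/, "
    "25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (1655)\tOS: Linux 2.4.x\n"
    "Host: 192.168.1.11 (linux2)\tPorts: 22/open/tcp//ssh//OpenSSH 3.4p1 (protocol 1.99)/"
    "\tIgnored State: closed (1656)\n"
)
LATEST_SCAN = (
    "# Nmap 3.50 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 (linux1)\tPorts: 22/open/tcp//ssh//OpenSSH 3.4p1 (protocol 1.99)/, "
    "25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 1.3.29/"
    "\tIgnored State: closed (1654)\tOS: Linux 2.4.x\n"
    "Host: 192.168.1.11 (linux2)\tPorts: 22/open/tcp//ssh//OpenSSH 3.7.1p2 (protocol 1.99)/, "
    "111/open/tcp//sunrpc//2 (rpc #100000)/\tIgnored State: closed (1655)\n"
)


def parse_grepable(text: str) -> dict[str, dict[str, tuple[str, str]]]:
    """Return {host: {"port/proto": (service, version)}} for open ports only."""
    hosts: dict[str, dict[str, tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comment/header lines
        fields = line.split("\t")
        host = fields[0][len("Host: "):].split()[0]   # drop the "(hostname)" part
        ports = hosts.setdefault(host, {})             # keep hosts with no open ports
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue                           # malformed entry, ignore
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    ports[f"{port}/{proto}"] = (service, version)
    return hosts


def _port_key(key: str) -> tuple[str, int]:
    port, proto = key.split("/")
    return proto, int(port)


def _desc(svc: tuple[str, str]) -> str:
    return " ".join(svc).strip()


def find_creep(baseline: dict, latest: dict) -> list[str]:
    """List every open-port or service/version change between the two scans."""
    findings: list[str] = []
    for host in sorted(set(baseline) | set(latest)):
        if host not in latest:
            findings.append(f"{host}: not in latest scan (down, or now filtered?)")
            continue
        if host not in baseline:
            findings.append(f"{host}: not in baseline scan (new machine on the network?)")
        before, after = baseline.get(host, {}), latest[host]
        for key in sorted(set(before) | set(after), key=_port_key):
            if key not in before:
                findings.append(f"{host}: NEW open port {key} ({_desc(after[key])})")
            elif key not in after:
                findings.append(f"{host}: port {key} no longer open")
            elif before[key] != after[key]:
                findings.append(f"{host}: {key} changed from {_desc(before[key])!r} "
                                f"to {_desc(after[key])!r}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            base, cur = parse_grepable(f1.read()), parse_grepable(f2.read())
    else:
        base, cur = parse_grepable(BASELINE_SCAN), parse_grepable(LATEST_SCAN)
    for line in find_creep(base, cur) or ["no changes since baseline"]:
        print(line)
```

Run the baseline and the periodic scan with the same switches and the same port list, otherwise every difference in scan parameters shows up as creep. A port that disappears is reported as well, because a service that silently stopped is as much a configuration change as one that appeared.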
Nmap is a fully functional port scanner, but for a true understanding of your vulnerabilities, the next scanner discussed provides a better reporting mechanism and will give you a deeper view of your systems.
Nessus is a full-featured, open source security scanner that identifies vulnerabilities and attempts to verify the vulnerabilities it finds. It is a fast and easy-to-configure vulnerability scanner that is constantly being updated by community volunteers. Another great feature of Nessus is that it can create very detailed reports, with graphs and all sorts of bells and whistles, that can be understood and appreciated by users who are not security professionals.
To install Nessus, download the Nessus install file, nessus-installer.sh, from http://nessus.org/download.html. You will need to have gtk-devel installed, which can be checked by typing the following command:
# rpm -q gtk-devel
This should result in something similar to the following:
If you don't have gtk-devel installed, install it from your distribution CD-ROM (if you want a graphical user interface, which is the focus of this chapter). You may also need bison and flex, which are available on your distribution CD-ROM or via the Internet. If you are running SUSE, you can install the Nessus RPM from the distribution CD. If you don't have the RPM on CD, run the program you downloaded like this:
This will begin the installation process. You will be asked where you want the Nessus packages installed; the default of /usr/local/ is fine unless you have a specific reason to put them elsewhere. At this point you will be asked to press ENTER to begin the installation, which takes a bit of time depending on your system.
The next step is to add a user with the nessus-adduser command. You will be asked for the login, the authentication type (pass or cert; choose pass, meaning password, in most instances), and then a password. The next portion, the user rules, is crucial to setting Nessus up properly: it limits the networks this user is allowed to scan. Here is the standard syntax:
accept|deny ip/mask
default accept|deny
A rule set looks like the following:
accept 192.168.1.0/16
default deny
This allows the user with this rule set to scan the 192.168.x.x network only; note that with a /16 mask the .1 in the third octet is irrelevant, because the mask covers everything from 192.168.0.0 through 192.168.255.255. Networks use standard CIDR notation, but you can also specify a single IP address. Press CTRL-D to finish and accept the rule set. The next step is to configure the Nessus daemon, but if you are happy with the default settings, Nessus will create the configuration for you. For the first-time user, it is recommended that you leave the defaults until you are comfortable with the software. After the daemon is configured, you will need to run nessus-mkcert to create your SSL certificate. Now you can start nessusd by running the nessusd -D command, and then start the actual Nessus client with the command nessus. You will see the warning shown in Figure 14-8. After clicking OK, you will see the screen shown in Figure 14-9.
It is highly recommended that you select Enable all but dangerous plugins (which is the default), or you may cause a denial of service on the very machines you are trying to protect. The option tabs are fairly straightforward and depend on your organization's situation, so choose options accordingly. After reviewing the options selected, click the Target Selection tab. You will see the screen shown in Figure 14-10.
The screen in Figure 14-10 is where you enter the machine or IP range to be scanned. Be very careful how you enter the information, or you could inadvertently scan machines you didn't mean to. You can list your target machines by IP address (192.168.1.1), by hostname (linux1), or by a range of addresses (192.168.1.1-254, 192.168.1.0/24, or 192.168.1.1-192.168.1.255). Enter the machines to be audited and then click Start The Scan to begin scanning. When the scanning starts you will see a screen similar to Figure 14-11.
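The user rules from nessus-adduser and the target notation on this screen are easy to get wrong in exactly the direction the Heads Up box warns about, so here is an added example (not code from the book or from Nessus) that expands a target list written in the notations the Target Selection screen accepts and checks every address against a rule set before you click Start The Scan. It assumes the rules are evaluated top to bottom, the first accept or deny whose network contains the address wins, and the default line is the fallback; the sample rules and targets below are constructed.

```python
"""Preview a Nessus target list against a nessus-adduser rule set.

Added example, not code from the book or from Nessus. Assumed rule semantics:
rules are read top to bottom, the first "accept"/"deny" whose network contains
the address decides, and the "default" line applies when nothing matches.
"""
from __future__ import annotations

import ipaddress

# Constructed sample rule set (the book's example) and target list.
SAMPLE_RULES = "accept 192.168.1.0/16\ndefault deny"
SAMPLE_TARGETS = ["192.168.1.1-254", "10.0.0.0/30", "linux1"]


def parse_rules(text: str):
    """Parse 'accept|deny ip/mask' and 'default accept|deny' lines."""
    rules = []
    default = "deny"                      # assumed: safest fallback if no default line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, arg = line.split()
        if verb == "default":
            default = arg
        elif verb in ("accept", "deny"):
            # strict=False: "192.168.1.0/16" is read as 192.168.0.0/16, i.e. all of
            # 192.168.x.x, which is what the book's example rule intends.
            rules.append((verb, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError(f"unknown rule: {raw!r}")
    return rules, default


def is_allowed(addr, rules, default: str) -> bool:
    """First matching rule wins; fall back to the default verdict."""
    ip = ipaddress.ip_address(str(addr))
    for verb, net in rules:
        if ip in net:
            return verb == "accept"
    return default == "accept"


def expand_target(spec: str) -> list:
    """Expand the notations the Target Selection screen accepts:
    192.168.1.1, 192.168.1.0/24, 192.168.1.1-254, 192.168.1.1-192.168.1.255.
    A hostname raises ValueError; resolve it yourself before checking."""
    spec = spec.strip()
    if "/" in spec:
        # Every address of the block, network and broadcast included, so the
        # rule check is conservative about what the scanner might touch.
        return list(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:
        start, end = spec.split("-", 1)
        first = ipaddress.ip_address(start)
        if "." in end:
            last = ipaddress.ip_address(end)
        else:                             # short form: only the last octet of the end
            prefix = start.rsplit(".", 1)[0]
            last = ipaddress.ip_address(f"{prefix}.{end}")
        if last < first:
            raise ValueError(f"range ends before it starts: {spec}")
        return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    return [ipaddress.ip_address(spec)]


def preview_scan(specs: list[str], rules, default: str) -> dict[str, list]:
    """Sort every address in the target list into allowed / denied, and keep
    names that could not be expanded so you can resolve and re-check them."""
    out: dict[str, list] = {"allowed": [], "denied": [], "unresolved": []}
    seen = set()
    for spec in specs:
        try:
            addrs = expand_target(spec)
        except ValueError:
            out["unresolved"].append(spec)
            continue
        for addr in addrs:
            if addr in seen:              # the same host listed twice counts once
                continue
            seen.add(addr)
            out["allowed" if is_allowed(addr, rules, default) else "denied"].append(addr)
    return out


if __name__ == "__main__":
    rules, default = parse_rules(SAMPLE_RULES)
    for bucket, addrs in preview_scan(SAMPLE_TARGETS, rules, default).items():
        shown = ", ".join(str(a) for a in addrs[:3])
        print(f"{bucket}: {len(addrs)} {shown}{' ...' if len(addrs) > 3 else ''}")
```

Anything in the denied bucket will be refused by nessusd for this user, which is the safety net working as intended; anything in the unresolved bucket is a hostname you should resolve and re-check, since the rule set is matched on addresses, not names.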
After the scan of the hosts you selected has completed, a report will pop open showing you the results of the scan. Here you can select to see results based on subnet, host, port, and severity, allowing you to drill down to specific vulnerabilities with an explanation of the vulnerability as shown in Figure 14-12.
One of the strengths of Nessus is that you can generate very easy-to-read reports that are suited for management. The reports will summarize problem areas of concern and allow you to drill down in a convenient HTML format. Figure 14-13 shows a sample report using the HTML with Graphs option.
Monitoring your systems is an important phase in the security program, and by using GNU General Public License (GPL) or commercial software, your job as the security administrator is made easier. Ensure that you continuously and vigilantly monitor your systems, because they will evolve and the initial hardening you completed will slowly degrade. By using the tools listed in this chapter, you will be able to identify those problem areas and resolve them in a timely fashion, before an attacker can take advantage of the vulnerability.