Security Scanners

I l @ ve RuBoard

As technology and computer systems become more complex, they are more prone to have security holes. At the same time, computer hackers are becoming more knowledgeable and sophisticated. Amateur hackers and sophisticated industrial espionage will continue to proliferate. Knowledge of security holes and hacking techniques is being spread widely and quickly by highly available communication channels and networks.

Vulnerabilities which are already known are the most common source for intrusions. Hackers write tools to exploit these vulnerabilities. Administrators must keep up to date by researching known vulnerabilities for all the systems in use to avoid losses. This one step can significantly reduce loss.

Host-based Vulnerability Testing

Host-based vulnerability testing evaluates the security of a system by evaluating configuration files for errors and software for known vulnerabilities.

  • Tiger, the Texas A&M system checker, is a tool that inspects security- related settings of UNIX computers. It is a set of scripts that scan a UNIX system looking for security problems, in the same fashion as Dan Farmer's COPS. Tiger was originally developed to provide a check of UNIX systems on the A&M campus that were to be accessed from off campus, so it had to be simple enough that even new system managers would be able to use it.

  • TARA, Tiger Analytical Research Assistant, is a variant of the Tiger software developed by the Advanced Research Corporation. It was developed since the original had not been updated for a very long time and there were numerous changes made to the "systems" directories. Output was streamlined to provide a more readable report file. Also, minor bugs in the "scripts" directory were corrected. TARA was tested under Red Hat Version 5.x, 6.x, SGI IRIX 5.3, 6.x, and SunOS 5.x. This upgrade was performed by the Advanced Research Corporation under a contract from the United States Government.

The following example of a configuration file indicates the tests that are performed by these programs:

 Tiger_Check_PASSWD=Y         # Fast  Tiger_Check_GROUP=Y          # Fast  Tiger_Check_ACCOUNTS=Y       # Time varies on # of users  Tiger_Check_RHOSTS=Y         # Time varies on # of users  Tiger_Check_NETRC=Y          # Time varies on # of users  Tiger_Check_ALIASES=Y        # Fast  Tiger_Check_CRON=Y           # Fast  Tiger_Check_ANONFTP=Y        # Fast  Tiger_Check_EXPORTS=Y        # Fast  Tiger_Check_INETD=Y          # Could be faster, not bad though  Tiger_Check_KNOWN=Y          # Fast  Tiger_Check_PERMS=Y          # Could be faster, not bad though  Tiger_Check_SIGNATURES=N     # Several minutes  Tiger_Check_FILESYSTEM=Y     # Time varies on disk space...  Tiger_Check_PATH=Y           # Fast for just root... varies for all  Tiger_Check_EMBEDDED=N       # Several minutes 

Network-based Vulnerability Testing

Network-based tools scan hosts on the network for open ports to test for general security vulnerabilities and specific exploits. They evaluate the services which are available.

  • SAINT, Security Administrator's Integrated Network Tool, in its simplest mode, gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws ” usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool ” network topology, network services running, types of hardware and software being used on the network, etc.

    However, the real power of SAINT comes into play when used in exploratory mode. Based on the initial data collection and a user configurable ruleset, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the user to analyze her or his own network or hosts, but also to examine the real implications inherent in network trust and services and help them make reasonably educated decisions about the security level of the systems involved.

  • SARA, Security Auditor's Research Assistant, is a second-generation tool for examining systems over the network to determine the security of the services which it provides.

    The first generation tool, the Security Administrator's Tool for Analyzing Networks (SATAN), was developed in early 1995. It became the benchmark for network security analysis for several years . However, few updates were provided and the tool slowly became obsolete in the growing threat environment.

    The original author of SAINT (a SATAN derivative), Bob Todd, joined Advanced Research in early 1999 and has been working to evolve SATAN and the original SAINT concept to a community-oriented product (i.e, SARA).

     # Probes by attack level.      #     # ? Means conditional, controlled by rules.todo. * Matches anything.      @light = (              'dns.sara',              'rpc.sara',              'showmount.sara?',              ); 

This means that a light scan will run the dns.sara and the rpc.sara scans , and the showmount.sara if SARA determines that the target is running NFS.

A bit further down shows:

 @normal = (              @light,              ' finger.sara',             'tcpscan.sara 70,80,ftp,telnet,smtp,nntp,uucp',              'udpscan.sara 53,177',              'rusers.sara?',              'boot.sara?',              );      @heavy = (              @normal,             $heavy_tcp_scan = 'tcpscan.sara 1-9999',             $heavy_udp_scan = 'udpscan.sara 1-2050,32767-33500',              '*?',              ); 

There is nothing unusual here, except for the tcp and udp scan numbers; these refer to the port numbers that SARA examines for signs of activity.

I l @ ve RuBoard


Halting the Hacker. A Practical Guide to Computer Security
Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net