ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology Solutions
• • • • • Footprinting Enumeration Vulnerability Scanning Exploitation Reporting http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67
• Host and Service Enumeration ▫ Port Scanning (nmap, scanline) ▫ SNMP Scanning (Solarwinds, onesixtyone, snmpenum.pl) ▫ NetBIOS Scanning (browsat, net view, nbtscan) http://www.jedge.com
Network Mapper (nmap)
• • • Latest stable version is 5.51.
More than a port scanner ▫ Service and OS Identification ▫ Traceroute ▫ Nmap Scripting Engine 177 scripts for vulnerability discovery, windows enumeration, fuzzing, & more.
Write your own!
Additional tools: Zenmap GUI, Ndiff, Ncat, & Nping.
• Nmap generates three file types (nmap, gnmap, xml) ▫ results.nmap: log file that is the same as the screen output (with verbose turned off) ▫ results.gnmap: output for each host found is placed on one line so grep can be used for simple shell script parsing.
▫ results.xml: used for advanced report generation and loading into a database.
• • Simple, free, standalone Windows port scanning executable.
▫ Requires no installation ▫ Perfect for upload to a compromised machine to scan internally.
▫ Conducts banner grabbing for port identification.
▫ Runs slow, output is horrible, shows only if a port is open, and no advanced features.
Formally created by Foundstone Tools now owned by McAfee.
Solarwinds SNMP Sweep
• Part of the commercial Engineer’s Toolset (starting at $1390).
▫ You will have to ask your company Networking group very nicely if you can use one of the licenses.
▫ Very easy to use GUI tools for SNMP scanning and analysis.
▫ MS Excel compatible reporting features.
Open Source SNMP Scanning
• • • Nmap ▫ Look for open UDP port 161 onesixtyone ▫ Community string dictionary attack snmpenum.pl
▫ Obtain detailed host information for Windows, Linux, and Cisco http://www.jedge.com/docs
• • Formally open source vulnerability scanner. The product went closed source with version 3.0 but was still free for commercial use. Now with version 4.0 you have to obtain a license to use the product for commercial purposes. The current version, Nessus 4.4, is still free for educational purposes and home use.
• • • Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.
Latest version is 2.1.4 (2.20.2011) Video for integrating Nikto with Nessus ▫ http://www.cirt.net/node/86 http://www.cirt.net/
Web Application Attack and Audit Framework • • The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
Open Source alternative to commercial tools HP Web Inspect, IBM Appscan, Acunetix, and Burp Suite.
• • Most scanners include their own report generation. However, even for expensive commercial tools, the reports generated include a mountain of information. No IT staff will read a 100-200 page report on the application or database vulnerabilities. Most scanners allow you to export the report information in XML format. You can then parse the information, load it into a database, and generate your own reports.
Parsing XML with Perl or PHP
• • XML can be parsed with your favorite scripting or programming language (Perl, PHP, Python, Ruby, Java, etc). ▫ I’m sure you can do this with windows scripting languages but I know NOTHING about this.
Examples will be given in Perl and PHP.
Parsing XML with Perl or PHP
• • Linux, Apache, MySQL and PHP, Perl, or Python (LAMP) creates an environment for custom report generation.
Many virtual images/appliances exist allowing an easy way to get the environment you need to process XML output.
▫ Turnkey LAMP Appliance http://www.turnkeylinux.org/lamp http://www.jedge.com/wordpress/?page_id=62
Turnkey LAMP Appliance
• • • • Download the Vmware Appliance from the Turnkey website.
Open the appliance in the free VMWare Player or Virtualbox.
When the image boots it will ask to set the system root password and the MySQL root password.
The image will then assist you in configuring network access.
Using Nmap http://www.youtube.com/watch?v=Bn36zoApLm4 Using Nessus http://www.youtube.com/watch?v=3RgOtjv4v8E Using Metasploit http://www.youtube.com/watch?v=RxyD0F38WYg http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3 http://www.irongeek.com/i.php?page=videos/metasploit-create-reverse-meterpreter payload-executable Top 100 Network Security Tools http://sectools.org/ Misc http://www.packetstormsecurity.org
• • • James A. Edge Jr.
Email: [email protected]