Assessing Vulnerabilities
ISA 4220 Server Systems Security
James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE
Sr. Security Analyst
Cincinnati Bell Technology Solutions
Assessing Vulnerabilities
•
•
•
•
•
Footprinting
Enumeration
Vulnerability Scanning
Exploitation
Reporting
http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67
Enumeration
• Host and Service Enumeration
▫ Port Scanning (nmap, scanline)
▫ SNMP Scanning (Solarwinds, onesixtyone,
snmpenum.pl)
▫ NetBIOS Scanning (browsat, net view, nbtscan)
http://www.jedge.com
Network Mapper (nmap)
• Latest stable version is 5.51.
• More than a port scanner
▫ Service and OS Identification
▫ Traceroute
▫ Nmap Scripting Engine
 177 scripts for vulnerability discovery, windows
enumeration, fuzzing, & more.
 Write your own!
• Additional tools: Zenmap GUI, Ndiff, Ncat, &
Nping.
http://nmap.org/book/man.html
Nmap Reporting
• Nmap generates three file types (nmap, gnmap,
xml)
▫ results.nmap: log file that is the same as the
screen output (with verbose turned off)
▫ results.gnmap: output for each host found is
placed on one line so grep can be used for simple
shell script parsing.
▫ results.xml: used for advanced report generation
and loading into a database.
http://www.jedge.com/wordpress/?p=220
Scanline
• Simple, free, standalone Windows port scanning
executable.
▫ Requires no installation
▫ Perfect for upload to a compromised machine to
scan internally.
▫ Conducts banner grabbing for port identification.
▫ Runs slow, output is horrible, shows only if a port
is open, and no advanced features.
• Formally created by Foundstone Tools now
owned by McAfee.
http://www.mcafee.com/us/downloads/free-tools/scanline.aspx
Solarwinds SNMP Sweep
• Part of the commercial Engineer’s Toolset
(starting at $1390).
▫ You will have to ask your company Networking
group very nicely if you can use one of the
licenses.
▫ Very easy to use GUI tools for SNMP scanning and
analysis.
▫ MS Excel compatible reporting features.
http://www.solarwinds.com/products/toolsets/
Open Source SNMP Scanning
• Nmap
▫ Look for open UDP port 161
• onesixtyone
▫ Community string dictionary attack
• snmpenum.pl
▫ Obtain detailed host information for Windows,
Linux, and Cisco
http://www.jedge.com/docs
Nessus
http://cgi.tenable.com/nessus_4.4_installation_guide.pdf
http://cgi.tenable.com/nessus_4.4_user_guide.pdf
• Formally open source vulnerability scanner. The
product went closed source with version 3.0 but
was still free for commercial use. Now with
version 4.0 you have to obtain a license to use
the product for commercial purposes.
• The current version, Nessus 4.4, is still free for
educational purposes and home use.
Nikto
• Nikto is an open source web server scanner
which performs comprehensive tests against web
servers for multiple items, including over 6400
potentially dangerous files/CGIs, checks for
outdated versions of over 1000 servers, and
version specific problems on over 270 servers.
• Latest version is 2.1.4 (2.20.2011)
• Video for integrating Nikto with Nessus
▫ http://www.cirt.net/node/86
http://www.cirt.net/
w3af:
Web Application Attack and Audit Framework
• The project's goal is to create a framework to
find and exploit web application vulnerabilities
that is easy to use and extend.
• Open Source alternative to commercial tools HP
Web Inspect, IBM Appscan, Acunetix, and Burp
Suite.
http://w3af.sourceforge.net/
Reporting
• Most scanners include their own report
generation. However, even for expensive
commercial tools, the reports generated include
a mountain of information. No IT staff will read
a 100-200 page report on the application or
database vulnerabilities.
• Most scanners allow you to export the report
information in XML format. You can then parse
the information, load it into a database, and
generate your own reports.
http://php.net/manual/en/book.xml.php
Parsing XML with Perl or PHP
• XML can be parsed with your favorite scripting
or programming language (Perl, PHP, Python,
Ruby, Java, etc).
▫ I’m sure you can do this with windows scripting
languages but I know NOTHING about this.
• Examples will be given in Perl and PHP.
http://en.wikipedia.org/wiki/XML
Parsing XML with Perl or PHP
• Linux, Apache, MySQL and PHP, Perl, or Python
(LAMP) creates an environment for custom
report generation.
• Many virtual images/appliances exist allowing
an easy way to get the environment you need to
process XML output.
▫ Turnkey LAMP Appliance
 http://www.turnkeylinux.org/lamp
http://www.jedge.com/wordpress/?page_id=62
Turnkey LAMP Appliance
• Download the Vmware Appliance from the
Turnkey website.
• Open the appliance in the free VMWare Player
or Virtualbox.
• When the image boots it will ask to set the
system root password and the MySQL root
password.
• The image will then assist you in configuring
network access.
Helpful Links!
Using Nmap
http://www.youtube.com/watch?v=Bn36zoApLm4
Using Nessus
http://www.youtube.com/watch?v=3RgOtjv4v8E
Using Metasploit
http://www.youtube.com/watch?v=RxyD0F38WYg
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
http://www.irongeek.com/i.php?page=videos/metasploit-create-reverse-meterpreterpayload-executable
Top 100 Network Security Tools
http://sectools.org/
Misc
http://www.packetstormsecurity.org
http://vulnerabilityassessment.co.uk
http://www.jedge.com
Contact
• James A. Edge Jr.
• Email: james.edge@jedge.com
• Web: http://www.jedge.com