Vulnerability Analysis

Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits

• Review an organization's historical data to identify past incidents from threats.

Vulnerability Analysis

Vulnerability analysis, sometimes called vulnerability scanning, is the act of determining which security holes and vulnerabilities may be applicable to the target network. To do this, we examine identified machines within the target network to identify all open ports and the operating systems and applications the hosts are running (including version number, patch level, and service pack). We then compare this information with several Internet vulnerability databases to ascertain what current vulnerabilities and exploits may be applicable to the target network.

Host-Based Vulnerability Analysis Tools

Also called policy checkers, these tools tell the security administrator whether the settings on a computer are consistent with the organization's security policies. They check:
• actual password policy usage
• system services available
• unused accounts
• auditing logs
• similar security-related functions

This category of tools effectively locks down critical systems:
• They perform security checks such as password checking, policy verification, and file share status.
• They check the configuration of services such as HTTP, FTP, and NFS, looking for incorrect trust relationships.
• They can locate sniffers and backdoor programs on your systems.
• They can detect risky user behavior, such as weak passwords, remote control applications, modems (which may not be authorized), and hard drive/file sharing.

Nmap

Nmap ("Network Mapper") is a free, open source utility for network exploration or security auditing.
It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Port scanning is used to determine what ports (or similar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers.

A typical Nmap scan is shown on the slide. The only Nmap arguments used in this example are -A, to enable OS and version detection, -T4 for faster execution, and then the two target hostnames.

Nmap Features
• Flexible: supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, version detection, and ping sweeps.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

Port Scanning
• Learning remote OS versions can be an extremely valuable network reconnaissance tool, since many security holes are dependent on OS version.
• For instance, if you do a penetration test and find port 53 open, you could check to see if they are running a vulnerable version of BIND.
• Nmap's most fundamental feature is port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open.
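On the defender's side, the scan result just described is most useful when it is turned into an inventory and compared against what each host is supposed to expose. The following is an added example, not Nmap's own code or the scan output from the slide: it parses Nmap's XML report format (the -oX output) into a list of open ports per host and flags any port that is not on a per-host baseline. The XML document and the baseline are constructed to mirror the slide's 25/tcp, 80/tcp and 53/udp case, with one extra open port added so the comparison has something to find; the host address and product strings are made up.

```python
"""Turn Nmap XML output into a host/port inventory and flag unexpected ports.
Added example, not Nmap's code; the XML and baseline below are constructed."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for one host (address and products are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 -oX - mail.example.test">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="mail.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="25">
        <state state="open"/>
        <service name="smtp" product="Postfix smtpd" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open"/>
        <service name="domain" method="table"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open"/>
        <service name="ms-wbt-server" method="table"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered"/>
        <service name="ssh" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the (port, protocol) pairs each host is allowed to expose.
BASELINE = {"192.0.2.10": {(25, "tcp"), (80, "tcp"), (53, "udp")}}


def parse_nmap_xml(xml_text):
    """Return [{addr, open_ports:[{port, proto, service, product, version}]}] for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"addr": addr, "open_ports": ports})
    return hosts


def unexpected_ports(inventory, baseline):
    """Open ports not present in the host's baseline, as (addr, port, proto, service)."""
    findings = []
    for host in inventory:
        allowed = baseline.get(host["addr"], set())
        for p in host["open_ports"]:
            if (p["port"], p["proto"]) not in allowed:
                findings.append((host["addr"], p["port"], p["proto"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, port, proto, service in unexpected_ports(inventory, BASELINE):
        print(f"{addr}: unexpected {port}/{proto} ({service})")
```

Run against real output produced with `nmap -oX scan.xml <targets you are authorized to scan>`, the same functions work unchanged; the value of the baseline comparison is that it reports drift (a newly opened port) rather than every open port on every scan.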
Using its nmap-services database of more than 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively.

Nmap in the News

US President George W. Bush visited the NSA headquarters at Fort Meade in January 2006. Pictures were printed in the February 6, 2006 edition of Newsweek and the January 27 Washington Post. A wall-sized status screen in the background displays the latest versions of open source tools, including Nmap, Snort, Ethereal, Kismet, and Metasploit.
http://www.insecure.org/nmap/images/wash-post-nsa.jpg

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer and the IIS web server, and products such as Microsoft SQL Server and Microsoft Office (macro settings). Security updates are determined by the current version of MBSA using the Windows Update Agent present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. MBSA 2.3 is the latest version of Microsoft's free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals.

MBSA 2.3 was released in November 2013. This release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
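The host-based policy checkers introduced earlier and MBSA's VA checks share one idea: collect a host's actual settings and compare each against what policy requires. The block below is an added example of that idea written for this chapter, not code from MBSA or any other product. The policy values, the host snapshot (password settings, running services, account last-login dates, audit state) and the hostname are all constructed; a real checker would populate the snapshot from the registry, /etc, or the service manager instead of a literal.

```python
"""Minimal host-based policy checker: compare a host snapshot with policy.
Added example, not MBSA code; POLICY and HOST_SNAPSHOT are constructed."""
from datetime import date

# Constructed policy: what the organization's security policy requires.
POLICY = {
    "min_password_length": 12,
    "max_password_age_days": 90,
    "lockout_threshold": 5,            # failed logons before lockout; 0 = never locks
    "inactive_account_days": 60,
    "allowed_services": {"sshd", "ntpd", "rsyslogd"},
    "require_audit_log": True,
}

# Constructed snapshot of one host's actual configuration.
HOST_SNAPSHOT = {
    "hostname": "fileserver01",
    "as_of": date(2024, 3, 1),
    "password_policy": {"min_length": 8, "max_age_days": 180, "lockout_threshold": 0},
    "services": {"sshd", "ntpd", "rsyslogd", "telnetd", "vsftpd"},
    "accounts": [
        {"name": "alice", "last_login": date(2024, 2, 27), "disabled": False},
        {"name": "contractor", "last_login": date(2023, 10, 2), "disabled": False},
        {"name": "svc_backup", "last_login": None, "disabled": False},
        {"name": "olduser", "last_login": date(2023, 1, 5), "disabled": True},
    ],
    "audit_log_enabled": False,
}


def check_password_policy(snapshot, policy):
    """One message per password setting that is weaker than policy."""
    pw = snapshot["password_policy"]
    findings = []
    if pw["min_length"] < policy["min_password_length"]:
        findings.append(f"minimum password length {pw['min_length']} < {policy['min_password_length']}")
    if pw["max_age_days"] > policy["max_password_age_days"]:
        findings.append(f"maximum password age {pw['max_age_days']} days > {policy['max_password_age_days']}")
    # 0 means accounts never lock, which is weaker than any positive threshold.
    if pw["lockout_threshold"] == 0 or pw["lockout_threshold"] > policy["lockout_threshold"]:
        findings.append(f"lockout threshold {pw['lockout_threshold']} not within policy {policy['lockout_threshold']}")
    return findings


def check_services(snapshot, policy):
    """Running services the policy does not allow (here the cleartext telnet and ftp daemons)."""
    return sorted(snapshot["services"] - policy["allowed_services"])


def check_unused_accounts(snapshot, policy):
    """Enabled accounts that never logged in or have been idle longer than policy permits."""
    stale = []
    for acct in snapshot["accounts"]:
        if acct["disabled"]:
            continue
        last = acct["last_login"]
        if last is None or (snapshot["as_of"] - last).days > policy["inactive_account_days"]:
            stale.append(acct["name"])
    return sorted(stale)


def check_host(snapshot, policy):
    """Run every check and return (severity, check, detail) tuples."""
    findings = []
    findings += [("high", "password_policy", m) for m in check_password_policy(snapshot, policy)]
    findings += [("high", "unauthorized_service", s) for s in check_services(snapshot, policy)]
    findings += [("medium", "unused_account", a) for a in check_unused_accounts(snapshot, policy)]
    if policy["require_audit_log"] and not snapshot["audit_log_enabled"]:
        findings.append(("high", "auditing", "audit logging is disabled"))
    return findings


if __name__ == "__main__":
    for sev, check, detail in check_host(HOST_SNAPSHOT, POLICY):
        print(f"[{sev:6}] {HOST_SNAPSHOT['hostname']} {check}: {detail}")
```

Each check returns data rather than printing, so the same functions can feed a report, a ticket, or a baseline comparison across many hosts.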
How To: Use the Microsoft Baseline Security Analyzer
https://msdn.microsoft.com/en-us/library/ff647642.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=7558

GFI LANguard

GFI LANguard™ is the award-winning network and security scanner used by over 20,000 customers. GFI LANguard scans your network and ports to detect, assess and correct security vulnerabilities with minimal administrative effort. As an administrator, you have to deal separately with problems related to vulnerability issues, patch management and network auditing, at times using multiple products. With GFI LANguard these three cornerstones of vulnerability management are addressed in one package. GFI LANguard gives you a complete picture of your network set-up and helps you to maintain a secure network state faster and more effectively.
http://www.gfi.com/

GFI LANguard Vulnerability Management

GFI LANguard performs network scans using vulnerability check databases based on OVAL and the SANS Top 20, providing over 15,000 vulnerability assessments when your network, including any virtual environment, is scanned. GFI LANguard allows you to analyze the state of your network security and take action before it is compromised. The latest version detects machines that are vulnerable to infection by the Conficker worm as well as identifying machines that have been infected.
GFI LANguard Patch Management

When a network scan is complete, GFI LANguard's Patch Management gives you what you need to effectively deploy and manage patches on all machines across different Microsoft operating systems and products in 38 languages. Not only can you automatically download missing Microsoft security updates, but you can also automatically deploy the missing Microsoft patches or service packs throughout your network at the end of scheduled scans.

GFI LANguard Network Auditing

GFI LANguard's Network Auditing tells you all you need to know about your network by retrieving hardware information on memory, processors, display adapters, storage devices, motherboard details, printers, and ports in use. Using baseline comparisons you can check whether any hardware was added or removed since the last scan. GFI LANguard will identify and report unauthorized software installations and provide alerts or even automatically uninstall unauthorized applications.

OpenVAS

OpenVAS is a vulnerability scanner that was forked from the last free version of Nessus after Nessus went proprietary in 2005. It continues to grow, with more than 23,000 tests as of November 2011. OpenVAS plugins are written in the same NASL language used by Nessus.
http://sectools.org/tag/new/

OpenVAS (Open Vulnerability Assessment System, initially GNessUs) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011). All OpenVAS products are Free Software. Most components are licensed under the GPL.
The latest version is 4.0.0, released March 2011.

Nessus

The Nessus® vulnerability scanner is the world leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. (Vendor quote) Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks. Nessus is supported by a world-renowned research team and has the largest vulnerability knowledge base, making it suitable for even the most complex environments.

Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems. It was initially free and open source, but Tenable closed the source code in 2005 and removed the free "Registered Feed" version in 2008. It now costs $1,200 per year, which still beats many of its competitors. A free "Home Feed" is also available, though it is limited and only licensed for home network use. Nessus is constantly updated, with more than 46,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a web-based interface, and an embedded scripting language for writing your own plugins or understanding the existing ones. The open-source version of Nessus was forked by a group of users who still develop it under the OpenVAS name.
http://sectools.org/tag/vuln-scanners/

Nessus Licensing

Commercial organizations that use the Nessus vulnerability scanner must purchase a ProfessionalFeed subscription to scan their network and to obtain support, updates to the database of vulnerability checks, and compliance auditing. Each ProfessionalFeed costs $1,200 per year per Nessus scanner and can be purchased from Tenable's ProfessionalFeed Partners or directly from Tenable's E-commerce site.
Nessus Home Page: http://www.nessus.org/

Tenable offers a hardened, web-based appliance for easy deployment and operation of Nessus. The appliance is available to all ProfessionalFeed subscribers as a VMware virtual image and also on a variety of hardware appliances. Run the demo below.
http://cgi.tenablesecurity.com/demos/NessusIntroduction/NessusIntroduction.html

Security Vulnerability Tool Survey

SecTools.Org: Top 125 Network Security Tools. For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator). We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!
http://sectools.org/vuln-scanners.html
http://sectools.org/

Web Application Vulnerability Scanners

Web application vulnerability scanners are tools designed to automatically scan web applications for potential vulnerabilities. These tools differ from general vulnerability assessment tools in that they do not perform a broad range of checks on a myriad of software and hardware. Instead, they perform other checks, such as potential field manipulation and cookie poisoning, which allows a more focused assessment of web applications by exposing vulnerabilities of which standard VA tools are unaware.
Web Application Vulnerability Scanners

Commercial tools:
• Acunetix WVS by Acunetix
• AppScan DE by IBM/Watchfire, Inc.
• Hailstorm by Cenzic
• N-Stealth by N-Stalker
• NTOSpider by NTObjectives
• WebInspect by HP/SPI-Dynamics
• WebKing by Parasoft
• elanize's Security Scanner by Elanize KG
• MileScan Web Security Auditor by MileSCAN Tech

Free/open source tools:
• Grabber by Romain Gaucher
• Grendel-Scan by David Byrne and Eric Duprey
• Nikto by Sullo
• Pantera by Simon Roses Femerling (OWASP Project)
• Paros by Chinotec
• Spike Proxy by Immunity (now OWASP Pantera)
• WebScarab by Rogan Dawes of Aspect Security (OWASP Project)
• Wapiti by Nicolas Surribas
• W3AF by Andres Riancho

Acunetix

Acunetix Web Vulnerability Scanner: commercial web vulnerability scanner. Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL injection, cross-site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.
insecure.org evaluation: http://sectools.org/web-scanners.html
Home page: http://www.acunetix.com/

Acunetix automatically detects SQL injection, cross-site scripting and other web vulnerabilities. SQL injection is a hacking technique which modifies SQL commands in order to gain access to data in the database. Cross-site scripting attacks allow a hacker to execute a malicious script in your visitor's browser. Acunetix Web Vulnerability Scanner can check if your web application is vulnerable to both of these attacks. More information about SQL injection and cross-site scripting is available at Acunetix's web site security centre.
Other detected web vulnerabilities:
• CRLF injection attacks
• Code execution attacks
• Directory traversal attacks
• File inclusion attacks
• Authentication attacks

Acunetix: In-Depth Checking for SQL Injection, Cross-Site Scripting (XSS) and Other Vulnerabilities

Acunetix checks for all web vulnerabilities including SQL injection, cross-site scripting and others. Detection of these vulnerabilities requires a sophisticated detection engine. Paramount to web vulnerability scanning is not the number of attacks that a scanner can detect, but the complexity and thoroughness with which the scanner launches SQL injection, cross-site scripting and other attacks. Acunetix has a state-of-the-art vulnerability detection engine which quickly finds vulnerabilities with a low number of false positives.

Acunetix Detects Google Hacking Vulnerabilities

Google hacking is the term used for a hacker trying to find exploitable targets and sensitive data by entering queries in search engines. The Google Hacking Database (GHDB) contains queries that identify sensitive data such as portal logon pages, logs with network security information, and so on. Acunetix launches all the Google Hacking Database queries against the crawled content of your web site, to find any sensitive data or exploitable targets before a "search engine hacker" does. Acunetix describes the Google hacking feature as a unique, industry-first feature.
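The two flaws the Acunetix slides define, SQL injection (input that rewrites the SQL command) and cross-site scripting (input that runs as script in a visitor's browser), both come from the same mistake: untrusted input concatenated into a structured language. The block below is an added example written for this chapter, not Acunetix code, showing each flaw beside its fix so that the class can see exactly what a scanner's finding refers to and what closes it. The in-memory sqlite database, the user records and the test inputs are constructed.

```python
"""SQL injection and XSS: the vulnerable pattern beside the hardened one.
Added example, not Acunetix code; database contents are constructed."""
import html
import sqlite3


def build_db():
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL statement itself,
    which is the flaw a scanner reports as SQL injection."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so whatever the input contains it is only ever compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    """Raw interpolation into HTML: markup in the input is rendered as markup."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Context-appropriate output encoding: <, >, &, quotes become entities,
    so the browser displays the input instead of executing it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed tautology input of the kind a scanner's SQLi check sends.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row leaks
    print("safe:      ", find_user_safe(db, probe))         # no row matches
    # Constructed script tag of the kind a scanner's XSS check sends.
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The fix in both cases is structural, not a filter: parameterized queries for SQL and output encoding for HTML remove the class of bug rather than one payload, which is why a scanner that still reports the finding after a blacklist-style patch is usually right.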