  [Discussion]   Network Vulnerability Scanning Process and Network Penetration Test Pr 16/12/2010 14:04:22 (+0700) | #1 | 227253
Elite Member

Joined: 28/06/2004 02:32:38
Messages: 926
Location: NQN
Dear all.

I am currently researching how to build scenarios for the two processes above. May I ask what we have to do to build the scenarios for these two processes? How is the process constructed, and what elements does it need? ...

Everyone is invited to discuss. Regards,
  [Discussion]   Network Vulnerability Scanning Process and Network Penetration Test Pr 20/12/2010 08:34:32 (+0700) | #2 | 227447
Dear all.

After reading a pile of documents, I have summarised the points I consider essential. May I ask whether this information is correct and sufficient to carry out the work? If it is not correct or sufficient, what needs to be added?

1.1 Senior IT Management/Chief Information Officer (CIO)
The Senior IT Management/CIO ensures that the organization’s security posture is adequate. The Senior IT Management provides direction and advisory services for the protection of information systems for the entire organization. The Senior IT Management/CIO is responsible for the following activities that are associated with security testing:
+ Coordinating the development and maintenance of the organization's information security policies, standards, and procedures,
+ Ensuring the establishment of, and compliance with, consistent security evaluation processes throughout the organization, and
+ Participating in developing processes for decision-making and prioritization of systems for security testing.

1.2 Information Systems Security Program Managers (ISSM)
The Information Systems Security Program Managers (ISSMs) oversee the implementation of, and compliance with the standards, rules, and regulations specified in the organization's security policy. The ISSMs are responsible for the following activities associated with security testing:
+ Developing and implementing standard operating procedures (security policy),
+ Complying with security policies, standards and requirements, and
+ Ensuring that critical systems are identified and scheduled for periodic testing according to the security policy requirements of each respective system.

1.3 Information Systems Security Officers (ISSO)
Information Systems Security Officers (ISSOs) are responsible for overseeing all aspects of information security within a specific organizational entity. They ensure that the organization's information security practices comply with organizational and departmental policies, standards, and procedures. ISSOs are responsible for the following activities associated with security testing:
+ Developing security standards and procedures for their area of responsibility,
+ Cooperating in the development and implementation of security tools and mechanisms,
+ Maintaining configuration profiles of all systems controlled by the organization, including but not limited to, mainframes, distributed systems, microcomputers, and dial access ports, and
+ Maintaining operational integrity of systems by conducting tests and ensuring that designated IT professionals are conducting scheduled testing on critical systems.

1.4 System and Network Administrators
System and network administrators must address the security requirements of the specific system(s) for which they are responsible on a daily basis. Security issues and solutions can originate from either outside (e.g., security patches and fixes from the vendor or computer security incident response teams) or within the organization (e.g., the Security Office). The administrators are responsible for the following activities associated with security testing:
+ Monitoring system integrity, protection levels, and security related events,
+ Resolving detected security anomalies associated with their information system resources,
+ Conducting security tests as required, and
+ Assessing and verifying the implemented security measures.

1.5 Managers and Owners
Managers and owners of a system oversee the overall compliance of their assets with their defined/identified security requirements. They are also responsible for ensuring that test results and recommendations are adopted as appropriate.

2. Security Testing Techniques
The following types of testing are described in this section:
+ Network Scanning
+ Vulnerability Scanning
+ Password Cracking
+ Log Review
+ Integrity Checkers
+ Virus Detection
+ Penetration Testing
After running any tests, certain procedures should be followed, including documenting the test results, informing system owners of the results, and ensuring that vulnerabilities are patched or mitigated.

2.1 Roles and Responsibilities for Testing
Only designated individuals, including network administrators or individuals contracted to perform the network scanning as part of a larger series of tests, should conduct the tests described in this section. The approval for the tests may need to come from as high as the CIO depending on the extent of the testing. It would be customary for the testing organization to alert other security officers, management, and users that network mapping is taking place. Since a number of these tests mimic some of the signs of attack, the appropriate managers must be notified to avoid confusion and unnecessary expense. In some cases, it may be wise to alert local law enforcement officials if, for example, the security policy includes notifying law enforcement.

2.2 Network Scanning
Organizations should conduct network scanning to:
+ Check for unauthorized hosts connected to the organization’s network,
+ Identify vulnerable services,
+ Identify deviations from the allowed services defined in the organization’s security policy,
+ Prepare for penetration testing,
+ Assist in the configuration of the intrusion detection system (IDS), and
+ Collect forensics evidence.
Network scanning results should be documented and identified deficiencies corrected. The following corrective actions may be necessary as a result of network scanning:
+ Investigate and disconnect unauthorized hosts,
+ Disable or remove unnecessary and vulnerable services,
+ Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers), and
+ Modify enterprise firewalls to restrict outside access to known vulnerable services.

2.3 Vulnerability Scanning
Vulnerability scanners provide the following capabilities:
+ Identifying active hosts on network
+ Identifying active and vulnerable services (ports) on hosts.
+ Identifying applications and banner grabbing.
+ Identifying operating systems.
+ Identifying vulnerabilities associated with discovered operating systems and applications.
+ Identifying misconfigured settings.
+ Testing compliance with host application usage/security policies.
+ Establishing a foundation for penetration testing.
Vulnerability scanners can be of two types: network-based scanners and host-based scanners. Network-based scanners are used primarily for mapping an organization's network and identifying open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating system of targeted systems. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host to be tested and are used primarily to identify specific host operating system and application misconfigurations and vulnerabilities. Because host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, they usually require not only host (local) access but also a “root” or administrative account. Some host-based scanners offer the capability of repairing misconfigurations.
Vulnerability scanning results should be documented and discovered deficiencies corrected. The following corrective actions may be necessary as a result of vulnerability scanning:
+ Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate.
+ Deploy mitigating measures (technical or procedural) if the system cannot be immediately patched (e.g., operating system upgrade will make the application running on top of the operating system inoperable), in order to minimize the probability of this system being compromised.
+ Improve configuration management program and procedures to ensure that systems are upgraded routinely.
+ Assign a staff member to monitor vulnerability alerts and mailing lists, examine their applicability to the organization's environment and initiate appropriate system changes.
+ Modify the organization's security policies, architecture, or other documentation to ensure that security practices include timely system updates and upgrades.

2.4 Password Cracking
Password cracking programs can be used to identify weak passwords. Password cracking verifies that users are employing sufficiently strong passwords. Passwords are generally stored and transmitted in an encrypted form called a hash. When a user logs on to a computer/system and enters a password, a hash is generated and compared to a stored hash. If the entered and the stored hashes match, the user is authenticated.

Password crackers should be run on the system on a monthly basis or even continuously to ensure correct password composition throughout an organization. The following actions can be taken if an unacceptably high number of passwords can be cracked:
+ If the cracked passwords were selected according to policy, the policy should be modified to reduce the percentage of crackable passwords. If such policy modification would lead to users writing down their passwords because they are difficult to memorize, an organization should consider replacing password authentication with another form of authentication.
+ If cracked passwords were not selected according to policy, the users should be educated on possible impacts of weak password selections. If such violations by the same users are persistent, management should consider additional steps (additional training, password management software to enforce better choices, deny access, etc.) to gain user compliance. Many server platforms also allow the system administrator to set minimum password length and complexity.

2.5 Log Reviews
Various system logs can be used to identify deviations from the organization's security policy, including firewall logs, IDS logs, server logs, and any other logs that are collecting audit data on systems and networks. While not traditionally considered a testing activity, log review and analysis can provide a dynamic picture of ongoing system activities that can be compared with the intent and content of the security policy. Essentially, audit logs can be used to validate that the system is operating according to policies.
Log reviews should be conducted very frequently, if not daily, on major servers and firewalls. Again, using log-reduction tools will assist system administrators greatly in identifying problems and suspicious activity. For the specific purpose of testing implementation of required security configurations, once a month may be sufficient with the exception of on demand reviews resulting from major system upgrades that require validation. The following actions can be taken if a system is not configured according to policies:
+ Remove vulnerable services if they are not needed.
+ Reconfigure the system as required to reduce the chance of compromise.
+ Change firewall policy to limit access to the vulnerable system or service.
+ Change firewall policy to limit access from the IP subnet that is the source of compromise.

2.6 File Integrity Checkers
A file integrity checker computes and stores a checksum for every guarded file and establishes a database of file checksums. It provides a tool for the system administrator to recognize changes to files, particularly unauthorized changes. Stored checksums should be recomputed regularly to test the current value against the stored value to identify any file modifications. A file integrity checker capability is usually included with any commercial host-based intrusion detection system.

Integrity checkers should be run daily on a selection of system files that would be affected by a compromise. Integrity checkers should also be used when a compromise is suspected for determining the extent of possible damage. If an integrity checker detects unauthorized system file modifications, the possibility of a security incident should be considered and investigated according to the organization's incident response and reporting policy, and its procedures.

2.7 Virus Detectors
The following steps are recommended:
+ Virus definition files should be updated at least weekly and whenever a major outbreak of a new virus occurs.
+ The anti-virus software should be configured to run continuously in the background and use heuristics, if available to look for viruses.
+ After the virus definition files are updated, a full system scan should be performed.

2.8 Penetration Testing
- Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers. Penetration testing should be performed after careful consideration, notification, and planning.

+ Specific IP addresses/ranges to be tested
+ Any restricted hosts (i.e., hosts, systems, subnets, not to be tested)
+ A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)
+ Times when testing is to be conducted (e.g., during business hours, after business hours, etc.)
+ Identification of a finite period for testing
+ IP addresses of the machines from which penetration testing will be conducted so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks
+ Points of contact for the penetration testing team, the targeted systems, and the networks
+ Measures to prevent law enforcement being called with false alarms (created by the testing)
+ Handling of information collected by penetration testing team.

- Penetration testing can be overt or covert. These two types of penetration testing are commonly referred to as Blue Teaming and Red Teaming. Blue Teaming involves performing a penetration test with the knowledge and consent of the organization's IT staff. Red Teaming involves performing a penetration test without the knowledge of the organization's IT staff but with full knowledge and permission of the upper management.

- During the first phase, reconnaissance, a penetration testing team attempts to get an overview of the target to develop more specific information.

+ Domain Name System (DNS) interrogation
+ InterNIC (whois) queries
+ Search of the target organization’s web server(s) for information
+ Search of the organization’s Lightweight Directory Access Protocol server(s) (LDAP) for information
+ Packet capture (generally only during internal tests)
+ NetBIOS enumeration (generally only during internal tests)
+ Network Information System ([NIS] generally only during internal tests)
+ Banner grabbing

Figure 2: The Maltego Information Reconnaissance Toolkit
+ During the reconnaissance phase, a team may use a toolkit such as Maltego, as shown in Figure 2. The Maltego toolkit provides an open source intelligence-gathering engine that mines the web for data. By performing transforms against input such as a domain name or URL, Maltego searches the web for useful targeting information such as email addresses that can be used as a vector to deliver a social engineering or client side attack later in the penetration test.

- After reconnaissance, penetration testers move into an enumeration phase. During this phase, the team identifies entry points into the network. In addition, the team may use automated toolkits to identify vulnerable services, servers, and hosts on the network.

+ A tool used for enumeration of targets is nmap (network mapper). It is an open source utility for network exploration and security auditing. The author, Fyodor, provides the tool for download at Nmap contains a series of rules and fingerprints to identify the services and operating systems of different machines on a network. It compares the responses from a target against its massive database to provide the penetration testing team with more specific data about a target.

Figure 3 shows results generated by the nmap tool

+ Penetration testers may take the results from an nmap automated scan against the network and import it into commercial tools like the Nessus Vulnerability Scanner available at The Nessus Vulnerability Scanner maintains a large database of vulnerable software and services and connects to different hosts and servers to determine whether they are vulnerable to any of these exploits. The Nessus Vulnerability Scanner, depicted in Figure 4, provides the penetration testing team with an overview of vulnerable services by host and port.

Figure 4: The Nessus Vulnerability Scanner

+ For attacking web applications, a team may use an automated scanner such as Nikto to determine vulnerabilities. Nikto connects to web servers, looking for over 6,400 potentially dangerous files/scripts, and checks for outdated versions of over 1,000 servers. Using Nikto, a penetration testing team can identify a vector such as cross-site scripting, file upload, or remote file inclusion to attack a server. Additionally, as depicted in Figure 5, the results of Nikto may steer the penetration testing team toward exploits that would succeed against the target.

Figure 5: The Nikto Web Vulnerability Assessment Toolkit

- Once the team identifies a vulnerability, the team moves into the next phase: exploitation. This is the pivotal phase in the cycle; by actively attacking the service or host, the penetration tester proves the systems are vulnerable to an exploit. Finally, the team wraps up their work with successful documentation of their efforts in a penetration testing report that is provided to the client. Although we have described this order linearly, it is important to note that penetration testers move back and forth fluidly between several of the phases. For example, a penetration testing team will not necessarily document all of the vulnerabilities found before moving to exploitation. This ensures the team has results it can show a client, who usually has the team on a very tight time schedule.

+ When preparing to exploit a target, the penetration testing team may choose to use an all-encompassing framework such as Metasploit to attack the target. The Metasploit development team makes the project freely available under the BSD license and available for download at Figure 6 depicts a screenshot of Metasploit being used to attack a Windows XP SP2 machine. In the figure, the user selects an exploit, MS08-067 (Conficker), and a payload, the meterpreter shell. As a result of the exploit, the attacker can remotely command the target via the shell.
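Added example (not from the post above) for the password-cracking check in section 2.4: a dictionary attack with simple mangling rules against stored hashes, followed by the distinction the post draws between cracked passwords that did and did not comply with policy. The `user:salt$sha256(salt||password)` storage format, the three accounts, the five-word list and the policy rule (10+ characters, three of four character classes) are all assumptions made for the example; real systems use slow KDFs such as bcrypt or PBKDF2, which raise the cost of exactly this loop.

```python
"""Dictionary password audit with policy classification (added example)."""
import hashlib
import re

WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]


def hash_password(salt, password):
    """Hypothetical storage format: hex SHA-256 of salt || password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user, salt, password):
    return f"{user}:{salt}${hash_password(salt, password)}"


# Constructed fixture: the cleartexts are only used here to build the records.
RECORDS = [
    make_record("alice", "k3", "Summer2010!"),                 # policy-compliant, still weak
    make_record("bob", "q9", "password"),                      # violates policy
    make_record("carol", "z7", "Tr0ub4dor&3-correct-horse"),   # not in any rule set below
]


def candidates(word):
    """Mangling rules: case variants, leet substitution, common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.translate(str.maketrans("aeios", "43105"))
    bases.update({leet, leet.capitalize()})
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2010", "2010!"):
            yield base + suffix


def meets_policy(password):
    """Assumed policy: at least 10 characters and three of four character classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= 10 and classes >= 3


def crack(records, wordlist):
    """Return {user: recovered_password_or_None}."""
    results = {}
    for record in records:
        user, rest = record.split(":", 1)
        salt, digest = rest.split("$", 1)
        found = None
        for word in wordlist:
            for cand in candidates(word):
                if hash_password(salt, cand) == digest:
                    found = cand
                    break
            if found:
                break
        results[user] = found
    return results


def audit(records, wordlist):
    """Classify accounts the way section 2.4 separates its two remedies:
    cracked-but-compliant means the policy is too weak; cracked-and-violating
    means the user is not following it."""
    outcome = {}
    for user, password in crack(records, wordlist).items():
        if password is None:
            outcome[user] = "not_cracked"
        elif meets_policy(password):
            outcome[user] = "cracked_policy_compliant"
        else:
            outcome[user] = "cracked_policy_violation"
    return outcome


if __name__ == "__main__":
    for user, verdict in audit(RECORDS, WORDLIST).items():
        print(f"{user}: {verdict}")
```

Run this against a copy of the hash file on an isolated host, never on the production system, and treat the recovered cleartexts as sensitive data under the "handling of information collected" item in the rules of engagement.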
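Added example (not from the post above) for the log review in section 2.5: detection logic run over constructed sshd and netfilter-style log lines, producing the two kinds of finding the post's corrective actions respond to, namely traffic to a service the policy does not allow and a brute-force source that should be limited at the firewall. The log lines, the `ALLOWED_INBOUND` table and the threshold of five failures within sixty seconds are assumptions for the example.

```python
"""Policy-deviation and brute-force detection over syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 20 08:01:02 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 51022 ssh2
Dec 20 08:01:04 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Dec 20 08:01:05 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 51024 ssh2
Dec 20 08:01:07 web1 sshd[2237]: Failed password for root from 203.0.113.5 port 51025 ssh2
Dec 20 08:01:09 web1 sshd[2239]: Failed password for invalid user oracle from 203.0.113.5 port 51026 ssh2
Dec 20 08:02:10 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40211 ssh2
Dec 20 08:02:30 web1 sshd[2241]: Failed password for deploy from 198.51.100.7 port 40212 ssh2
Dec 20 08:03:00 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=51100 DPT=23 SYN
Dec 20 08:03:01 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")

# Assumed policy: inbound ports each host is allowed to expose.
ALLOWED_INBOUND = {"192.0.2.10": {22, 443}, "192.0.2.11": {80}}
THRESHOLD, WINDOW_SECONDS = 5, 60


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")  # syslog carries no year


def review(log_text):
    """Return a list of findings, each with a suggested corrective action."""
    failures = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["src"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = FW_RE.match(line)
        if m and int(m["dport"]) not in ALLOWED_INBOUND.get(m["dst"], set()):
            findings.append({
                "type": "disallowed_service", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]),
                "action": f"verify {m['dst']} does not serve {m['proto'].lower()}/{m['dport']}; "
                          f"remove the service or restrict it in firewall policy"})
    # Sliding window: THRESHOLD failures from one source inside WINDOW_SECONDS.
    for src, events in failures.items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - THRESHOLD + 1):
            if (times[i + THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS:
                findings.append({
                    "type": "brute_force", "src": src, "count": len(times),
                    "users": sorted({u for _, u in events}),
                    "action": f"limit access from {src} (or its subnet) at the firewall"})
                break
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["type"], f["src"], "->", f["action"])
```

The single failed login from 198.51.100.7 stays below the threshold and is not reported, which is the kind of noise reduction the post refers to with "log-reduction tools"; tune the threshold against your own baseline rather than copying the one assumed here.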
Powered by JForum - Extended by HVAOnline
1999 - 2013 ©