Vulnerability scanners


Vulnerability scanners
Author: Johan Nilsson
Supervisor: Vesa Virta
Master of Science Thesis
Department of Computer and Systems Sciences, Royal Institute of Technology

Abstract

Computer networks are used by organisations and companies as a carrier of communication and services. Disruption of the network service can severely harm the organisation. A vulnerability scanner can find weaknesses in a computer network before a potential attacker does. It scans the network for vulnerabilities by testing for weaknesses and by gathering information about the different entities active in the network. From the testing and information gathering it draws conclusions and reports the vulnerabilities it found in the network. If the scanner misses some vulnerabilities and the administrator of the network concludes that the network is secure enough, the impact on the organisation or company can be severe.

This thesis tries to find out to what extent a vulnerability scanner can be trusted. It starts by defining the theoretical requirements for a secure network. With that foundation set, the thesis moves on to explain common network vulnerabilities that threaten computer networks. Network security testing is an activity that consists of several techniques and tools to simulate possible attacks; the vulnerability scanner is one tool that can be used during such a test.

Four vulnerability scanners have been run against a laboratory network. On the same network a penetration test has been conducted to establish which security holes can be used to gain access to the system. The comparison between the findings of the vulnerability scanners and the vulnerabilities found and exploited in the penetration test indicates to what extent the vulnerability scanners can be trusted. The results show that the scanners miss severe vulnerabilities or give them a low priority, even though these vulnerabilities have been used to gain access to an entity in the network. Vulnerability scanners work with the best intentions but are far too unreliable to be trusted as a stand-alone security tool.

Acknowledgement

I would first and foremost like to thank my mentor, Vesa Virta at FRA, for his great support and interest in this thesis. I would also like to thank the co-workers at FRA for welcoming me and sharing their knowledge. Last but not least, thank you family and friends for inspiration and support.

Stockholm, May 2006
Johan Nilsson

Table of Contents

Chapter 1 Introduction
  Introduction
  Research question
  Purpose of thesis
  Audience
  Methodology
  Limitations
  Thesis structure
Chapter 2 Research methodology
Chapter 3 Vulnerabilities
  Vulnerability assessment
  Assessments in practice
Chapter 4 The secure network
  The secure network
  The survivable system
  Characteristics of a survivable system
  Organising a network
Chapter 5 Common network vulnerabilities
  Buffer overflow
  Router and firewall weaknesses
  Web server exploits
  Mail server exploits
  DNS server
  Database exploits
  User and file management
  Manufacturer default accounts
  Blank or weak passwords
  Unneeded services
  Information leaks
  Denial of service
Chapter 6 Network security testing
  Password cracking
  Log reviews
  File integrity checkers
  Virus detectors
  War dialling
  Wireless LAN testing
  Penetration testing
Chapter 7 Scanners
  Port scanners
  Application scanners
  Vulnerability scanners
  OS fingerprinting
  Active IP packet fingerprinting
  Identifying vulnerabilities
  Reports of vulnerabilities
  False positives
Chapter 8 Tested scanners
  The scanners used
  Nessus
  Retina
  Netrecon
  ISS
Chapter 9 Testing the network
  Penetration testing of the laboratory network
  The penetration test
  Vulnerability scanners vs. the penetration test
  RPCBIND
  The use of finger and SSH
  DCOM
  Finding the SSH service on a high port number
  Reverse lookup
  Web services running
  Additional vulnerabilities
  LSASS.EXE
  SQL preauthentication
  IIS.printer
  Summary: vulnerability scanners vs. penetration test
Chapter 10 Conclusion
Bibliography
Appendix A: Policies for the network
Appendix B: Foot printing a network
Appendix C: Why patching
  Risks with updates
  CVE, Common Vulnerabilities and Exposures

Table of Figures

Figure 1 Method used in the thesis
Figure 2 Survivable strategies, key properties for the survivable network
Figure 3 Example network, network topology for reference
Figure 4 Model for network security testing
Figure 5 Nessus scanner
Figure 6 Retina audit scan process
Figure 7 Retina scanner
Figure 8 Netrecon scanner
Figure 9 ISS scanner
Figure 10 The laboratory network
Figure 11 The laboratory network after penetration test

Index of Tables

Table 1. Unneeded services, table of services often used in networks although they are unneeded
Table 2. Summary of scanners vs. penetration test

Chapter 1 Introduction

1.1 Introduction

Network administrators try to keep their networks secure from both inside and outside threats. From the outside world there is always the possibility of someone using a flaw in the network to gain access. On the inside there are the users who, although they have legitimate access to parts of the network or to some of the information held in the systems, are able to cause all sorts of problems for the network administrator. In a perfect world the network administrator has total control over the network: he knows exactly which machines are running, and all of them are patched with the latest updates. That is the perfect world. In reality network administrators are often struggling with patches or software updates that cannot be applied because of the configuration of the networks. There are machines that have been used for testing and then forgotten, or machines that have been moved and forgotten. These machines also need maintenance; otherwise they constitute a major security threat. [4]

When trying to find vulnerabilities in the network of a company or organisation, a vulnerability scanner can be used. Depending on the tool chosen it will be able to scan different platforms or services in a network. But the basic idea is that it scans the ports of the target system and, from an evaluation of the information obtained, makes certain assumptions about how secure the system is. As with all computer software, this type of program can also make mistakes; to what extent can the output information be trusted? Do the vulnerability scanners miss anything? How should they be used to help in securing the network? The impact on the network if the scanner misses a vulnerability and the administrator concludes that everything in the network is secure could be severe. A known problem with vulnerability scanners is that they might produce false positives and false negatives. The possibility of this problem occurring makes scanning the network a job only for those with proper training and knowledge of the scanned network. [1]

During the work on this thesis four vulnerability scanners will be tested in a computer laboratory simulating a computer network. Penetration testing against the laboratory network will be conducted, and the output from these tests will be compared with the findings of the vulnerability scanners and discussed.

1.2 Research question

To what extent can the result of a vulnerability scanner be trusted, and to what extent can it be used by a network administrator?

1.3 Purpose of thesis

Vulnerability scanners present a summary of a computer network's security level. If that information is incorrect, the whole system can be compromised and information can be lost. By conducting laboratory experiments with vulnerability scanners the thesis will try to estimate to what extent vulnerability scanners can be used and trusted with the work of securing a computer network.

1.4 Audience

IT managers and network administrators considering purchasing and using network scanners to secure their network may get indications of what limitations and workload these kinds of tools can result in.

1.5 Methodology

In order to understand the underlying technology and the purpose for which the vulnerability scanner exists, a literature review has been done. The literature review is focused on four topics: the survivable system, practical demands on networks, common vulnerabilities and network testing. This framework gives an understanding of the environment and the demands on vulnerability scanners. A case study is conducted by running four vulnerability scanners in a laboratory network. The laboratory network is then penetration tested to find out which vulnerabilities are present in the network. The results from the vulnerability scanners are then compared with the vulnerabilities found in the penetration test. In chapter 2 the methodology is outlined more thoroughly.

1.6 Limitations

Due to the time limitation of the thesis the number of scanners tested is limited. The scanners used in the thesis were chosen on the basis that they should be able to scan different platforms and applications common in computer networks. The scanners should also be either world

leading in number of users, award winning, or developed by a world leading company. This case study was conducted in the autumn of
When scanning the laboratory environment there was so much information and so many vulnerabilities generated from each scan that the investigation had to be limited to known vulnerabilities present in the environment.

1.7 Thesis structure

Chapter 2, Research methodology: clarifies the methodology of the case study.
Chapter 3, Vulnerabilities: explains the concept of a vulnerability and how it can be found.
Chapter 4, The secure network: describes the theoretical background of both the secure network and the survivable system, and how these requirements can be fulfilled both technically and with policies when creating a new network.
Chapter 5, Common network vulnerabilities: explains some common vulnerabilities inside computer networks.
Chapter 6, Network security testing: explains the concept of network security testing and the most common techniques used.
Chapter 7, Scanners: gives a presentation of scanners in general and vulnerability scanners in particular.
Chapter 8, Scanners used: presents the vulnerability scanners that were used in the case study.
Chapter 9, Testing the network: a penetration test of the laboratory network is conducted, and the findings of the scanners are compared with the vulnerabilities used in the penetration test.
Chapter 10, Conclusions.
Bibliography.
Appendix A, Policies for the network.
Appendix B, Foot printing a network.
Appendix C, Why patching.

Chapter 2 Research Methodology

This thesis is a case study of vulnerability scanners, with the purpose of finding out to what extent these tools can be used and trusted with the work of testing a computer network for vulnerabilities. To answer the question an inductive approach and qualitative observations have been used. With an inductive approach the researcher collects empirical data that are compiled into a theory. If a deductive approach had been chosen there would have to be an existing theory that is either rejected or confirmed; no such theory has been found. The case study tries to evaluate to what extent the findings of a vulnerability scanner can be trusted. The collection of qualitative observations, technical data, from the laboratory network is evaluated as either correct or false. An inductive approach to the findings of the vulnerability scanners is therefore the natural choice.

For the definition of a secure network, to know the goal of a vulnerability scanner, the requirements for a survivable system have to be defined, both theoretically and practically. When the foundation of a survivable network is laid the thesis moves on and explains the common network vulnerabilities that threaten computer networks. There are different methodologies and technologies to meet the different threats to a computer network. One of them is the vulnerability scanner. In the network security part of the thesis the author tries to explain where this tool fits in and what it is trying to accomplish among the other tools that are used to secure computer networks.

A laboratory network has been used as a test environment during the writing of this thesis. A penetration test has been conducted on the laboratory network to find out what vulnerabilities the network has and how they can be used by a real hacker. Penetration testing is a methodology that is used to estimate how secure a network is and how it can be compromised by a hacker. By comparing the vulnerabilities that the vulnerability scanners find in the laboratory network with the results of the penetration test, conclusions can be drawn on the accuracy of the scanners. The workflow described above can also be viewed in Figure 1.

Figure 1 Method used in the thesis (the figure shows the workflow from the theoretical background, consisting of the literature study, vulnerability assessment, the secure network in theory and in practice, network vulnerabilities, network security testing and scanners, through testing the network, consisting of testing the vulnerability scanners and the penetration test, to the conclusions)

The author has set up certain criteria that define a successful run with a vulnerability scanner. These criteria have been stated as a result of the literature study. Each vulnerability scanner will make a test round in the laboratory and the following criteria should be met. Did the scanner find:
- All hosts?
- All open ports?
- Did the scanner identify the service correctly?
- Are the errors reported explained in a way that clearly describes the problem?

After the end of each scanner review the laboratory network will be rebooted and re-initialized to make sure that nothing has crashed during the last run. Additional manual penetration testing will be done on the laboratory network to see which vulnerabilities can be exploited. The findings from the penetration testing will be compared with the output from the scanners and analysed. Known issues and problems of scanners are then analysed. Conclusions are drawn from the testing and from the discussion of the common errors.

The results in this study cannot be reproduced with exactly the same findings unless the scanning and penetration testing are conducted on the same laboratory network as this work. But the author anticipates that the findings in this thesis point to the accuracy of the scanners in a way that can be translated to all networks.
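As an added illustration of the evaluation just described (this is not code or data from the thesis), the following Python scores one scanner report against the penetration test's ground truth on the criteria above: hosts found, open ports found, services identified correctly, and whether the vulnerabilities actually used to gain access were reported and how they were prioritised. The host names, ports, service names and vulnerability ids are constructed.

```python
"""Score a vulnerability-scanner run against penetration-test ground truth.

Added example for the evaluation criteria of Chapter 2. All hosts, ports
and vulnerability ids below are constructed; they are not the thesis's
laboratory data, and the ids are placeholders rather than real CVE numbers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Socket:
    host: str
    port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Finding:
    sock: Socket
    service: str                   # service name as the scanner identified it
    vuln_id: Optional[str] = None  # None for a plain open-port record
    severity: str = "info"         # the scanner's own priority: info/low/medium/high


def evaluate(truth_services, truth_exploited, report):
    """Return the thesis's criteria for one scanner run as a dict.

    truth_services: {Socket: real service name} for every listening socket
    truth_exploited: {(host, vuln_id)} actually used to gain access in the pentest
    report: list of Finding produced by the scanner
    """
    seen = {}
    for f in report:
        seen.setdefault(f.sock, f.service)
    truth_hosts = {s.host for s in truth_services}
    seen_hosts = {s.host for s in seen}
    # Criteria 1 and 2: hosts and open ports the scanner never saw.
    hosts_missed = truth_hosts - seen_hosts
    ports_missed = set(truth_services) - set(seen)
    # Criterion 3: sockets found but labelled with the wrong service.
    misidentified = {
        s: (truth_services[s], name)
        for s, name in seen.items()
        if s in truth_services and name.lower() != truth_services[s].lower()
    }
    # Criterion 4: did the report cover what the pentest actually exploited?
    reported = {}
    for f in report:
        if f.vuln_id:
            reported[(f.sock.host, f.vuln_id)] = f.severity
    false_negatives = truth_exploited - set(reported)
    underrated = {
        v for v in truth_exploited & set(reported) if reported[v] in ("info", "low")
    }
    # Reported but not confirmed by the pentest: false-positive candidates that
    # still need a person to check; they are not automatically wrong.
    unconfirmed = set(reported) - truth_exploited
    return {
        "hosts_missed": hosts_missed,
        "ports_missed": ports_missed,
        "misidentified": misidentified,
        "false_negatives": false_negatives,
        "underrated": underrated,
        "unconfirmed": unconfirmed,
    }


# Constructed laboratory ground truth (what the pentest established).
TRUTH_SERVICES = {
    Socket("unix-01", 111, "tcp"): "rpcbind",
    Socket("unix-01", 79, "tcp"): "finger",
    Socket("unix-01", 2222, "tcp"): "ssh",      # SSH moved to a high port
    Socket("win-01", 135, "tcp"): "msrpc",
    Socket("win-01", 80, "tcp"): "http",
    Socket("printer-01", 9100, "tcp"): "jetdirect",
}
TRUTH_EXPLOITED = {
    ("unix-01", "VULN-RPCBIND-INFO"),   # constructed placeholder id
    ("win-01", "VULN-DCOM-RCE"),        # constructed placeholder id
}
# Constructed scanner report: one host missed, one service unidentified,
# the DCOM issue not reported at all, the rpcbind issue rated "low".
SCANNER_REPORT = [
    Finding(Socket("unix-01", 111, "tcp"), "rpcbind", "VULN-RPCBIND-INFO", "low"),
    Finding(Socket("unix-01", 79, "tcp"), "finger", "VULN-FINGER-USERLIST", "low"),
    Finding(Socket("unix-01", 2222, "tcp"), "unknown"),
    Finding(Socket("win-01", 135, "tcp"), "msrpc"),
    Finding(Socket("win-01", 80, "tcp"), "http"),
]

if __name__ == "__main__":
    for key, value in evaluate(TRUTH_SERVICES, TRUTH_EXPLOITED, SCANNER_REPORT).items():
        print(f"{key}: {value}")
```
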

Chapter 3 Vulnerabilities

A vulnerability constitutes any known weakness on a system that could potentially be exploited by malicious software or a hacker. [1, p. 489]

3.1 Vulnerability assessment

When the term vulnerability assessment is used in the context of vulnerability scanners it means the process of finding known vulnerabilities in a network. This process identifies vulnerabilities so that they can be eliminated before they are exploited by malicious software or hackers. In most cases the vulnerabilities are known and can therefore be found. The vulnerabilities that constitute threats in a network include software defects, unnecessary services, misconfigurations and unsecured accounts. [2]

The vulnerability scanner works with a proactive approach: it finds vulnerabilities, hopefully, before they have been used. There is however a possibility that a vulnerability unknown to the public is present in the system. A program that takes advantage of an unknown vulnerability is called a zero day exploit. A zero day exploit is unknown to security professionals, which means that information about the exploit is not publicly available [31]. A reactive approach is used by, for example, an IPS (Intrusion Prevention System). It alerts when the harm is being done, but it is considered better to prevent than to cure. [2]

A vulnerability assessment could be described as a systematic examination of networks to determine the adequate security measures, identify security deficiencies and provide data from which to predict the effectiveness of proposed security measures after implementation. [3]

A vulnerability assessment starts with a device discovery that maps the network. This is a very important step of an assessment. If the administrator is not aware of which devices are running on the network, it is possible that these devices are not updated and secured in the way they should be. Therefore these devices constitute a vulnerability to the network. A vulnerability assessment can also be used as an inventory of the systems on the network and the services they provide. Selected information about the network can easily be collected, and the reports help in reviewing changes in the network.

3.2 Assessments in practice

In assessments of networks, methods like vulnerability scanning and penetration tests are used to measure the technical aspects of security in networks. A penetration test can be described as a security test where the security evaluators attempt to circumvent the implemented security features. The purpose of the penetration test is to identify ways to use tools, techniques and vulnerabilities to gain access to the network. Penetration testing, however, does not give a complete picture of the security in a network. Network security is a complex business; just because you lock the door doesn't mean an intruder cannot use a window to get in. The use of web enabled and client/server architectures has created many windows. Vulnerability assessment, penetration testing and other techniques, described later in this thesis, are used to make the assessment as a real hacker would do it. It can be a way to learn how an intruder may work and to know what can be done to defend against an attack. [4]

A greater part of the commercial security industry is concerned with identifying risks, especially the ones created by software vulnerabilities. When the risk assessment is completed and the vulnerabilities found, patching will be done. This methodology is called penetrate and patch. [4]

In a paper by A. Stewart [4] he says that there has been an over-reliance on firewalls, encryption and other perimeter protection security and, because of that, neglect of the security of the internal systems. The author also states that many security companies offer free security assessments because there will always be some vulnerabilities present, and the customers will then be persuaded to invest in additional security measures. These security assessments often "... consider direct risks and not indirect risks" [4, p.367]. Indirect risks are often harder to pinpoint than direct risks, since they only emerge when, for instance, business processes are analysed. Direct risks surface when a network is scanned and software vulnerabilities show up. For the security market these vulnerabilities are easier to explain to the customer and therefore easier to turn into commercial gain. Direct risks are something that also needs to be fixed, but the remaining threats to an organisation or a company may still be the indirect risks and structural security vulnerabilities [4, p.367]. When talking about risk, fear is a great motivating factor. Companies that make vulnerability assessments or vulnerability scanners can highlight vulnerabilities from the assessment and present themselves as the solution, thus avoiding the root cause of the problem.

Chapter 4 The Secure Network

4.1 The secure network

Security services for a network are often classified as CIA:
- Confidentiality
- Integrity
- Availability

All security efforts are distilled into these three areas, which are the foundation of information security. The triad represents the goal of all security efforts, where each one requires different tools and methods and protects different areas or types of information in a computer network [5].

Confidentiality means that the information in a network needs to be protected from unauthorized disclosure. The service can also be used to protect the computer network from traffic flow analysis [6]. Employing the following security measures can enhance the confidentiality of data in a network [7]:
- Network security protocols
- Network authentication services
- Data encryption services

Integrity means ensuring that the information received has not been modified in an unauthorized, unanticipated or unintentional way [6]. Several techniques exist for ensuring this service:
- Non-repudiation of message source
- Communications security
- Intrusion detection systems

Availability: different attacks can make distributed networks unavailable or disrupt the service [6]. Availability security services ensure that data is available when required, and the security work is mostly concentrated on denial of service attacks. Some techniques are [7]:
- Fault tolerance of disks, systems, and backups
- Acceptable login and process performance
- Firewall systems
- Reliable and functional security processes and mechanisms

Some literature [6] adds the following concepts to the CIA triad:
- Authentication: both sender and receiver must be able to verify that the information received is from the source it claims to be from.
- Accountability: synonymous with non-repudiation. This service makes sure that the sender or receiver of a message cannot deny having sent or received a transmitted message.
- Access control: it is important to be able to limit and control the access to a network [6].

4.2 The survivable system

For a computer network to maintain service and provide an organisation with useful ways of communicating, a couple of theoretical demands can be stated. Computer networks give organisations and companies the possibility to maintain a highly distributed organisation. But with the possibilities comes the downside: the elevated risk of intrusion and compromise. Incorporating survivability into an organisation's system can mitigate these risks. Survivability is a concept that comes from several fields of study (e.g., security, fault tolerance, safety, reliability, reuse, performance, verification, and testing) and introduces new concepts and principles. Survivability focuses on preserving essential services, even when systems are penetrated and compromised. [8] Survivability should be integrated and treated on a par with other system properties, to develop systems with required functionality and performance that can also withstand failures and compromises. [8, p.1] The first objective of survivable systems is to continue to deliver essential service in the case of attack, failure or accident. The terms attack, failure and accident all describe potentially damaging events. [8]

4.3 Characteristics of a survivable system

A network system must have the capability to survive the possible occurrence of attacks, failures and accidents. The quality levels of confidentiality, integrity and availability in a system must be maintained. But the level of survival and the demands of maintaining essential services look different depending on the service that the different networks provide. In a financial system, for instance, survival is measured by how easily essential services such as stock trading or bank services are disrupted. The essential services are the minimum functions that must be maintained when the environment is hostile or when failures and accidents occur that threaten the system. According to Anderson et al. [32], Figure 2, there are four key properties of survivable strategies: resistance, recognition, recovery and adaptation.

Figure 2 Survivable strategies [32, Anderson et al., p.7]

Resistance to attacks consists of strategies that make the attack so time- and money-consuming that it is not worth the effort. With strong authentication and access control, like strong passwords and access control that can grant or deny users, the system can resist attacks. Encryption is useful in many ways; as an example it can be used in access controls and for securing stored data. Message filtering can be used to block messages to unsupported or unwanted services and messages with an internal address coming from outside the network. Messages associated with known attacks can also be filtered. Survivability wrappers help the operating system to sort out messages and redirect attacks. By using different sorts of operating systems within a system the vulnerability may decrease. Functional isolation helps against attacks, particularly denial of service attacks. Different services might share the same central processing unit and memory or network adapters. By isolating services, like processing, from sensitive data files on the same server, the threat to the system can be decreased. [8]

Recognition of attacks and damage is done by IDS, intrusion detection systems. They recognize typical attack patterns or use a baseline model for normal behaviour. Integrity checkers are used to detect intrusions that modify system files. [8]

Recovering from an attack and limiting the damage is essential for a system's survival. It is important to have a plan for this when disaster strikes. In the day-to-day work it is also necessary to take system backups to have data and information to restore. With, for instance, data in replicated databases, data can be stored and kept intact. Redundant components can be used to maintain essential services when the network is under attack. [8]

Adaptation and evolution of service requirements are important, since new vulnerabilities are constantly discovered in otherwise static environments; the adaptation of a system's ability to resist, recognize, and recover from intrusion attempts is essential. An example of a system's adaptation could be an infrastructure that enables the system to update itself with the latest fixes against newly discovered vulnerabilities. Reports of known intruder activity, information used in intrusion detection systems fetched from a central information resource, could also be part of the adaptation service. [8] As for all the other requirements, resistance, recognition and recovery, the evolution of a network's ability to adapt is also crucial for a network system's survival. [8]

For organisations and companies the network is used as a carrier of communication and services. It is common for companies to have a decentralised structure, and the network is a vital resource that must work, since disruption of services could severely harm the organisation. [8] A new network infrastructure should be planned for both optimal use and future development. Many networks today have problems since they were only planned for a certain number of users and services at the time of implementation, and the development of the network was not considered. Another goal when planning a new network is that it should be secure, scalable and have an environment that the users and administrators can use and benefit from. Scalable features are important for easily managing the network with updates and other new features, a kind of divide and conquer strategy, and also for easily dividing the services to improve the security of the network. [8]

4.4 Organising a network

The theoretical demands for survival of the computer network, resistance, recognition, recovery and adaptation, have been clarified. The thesis now turns these theoretical demands into practical requirements on the computer network. By creating a network that is well planned the risk of incidents will be minimised [10]. The goal is to create a network that is secure, scalable and that the administrators and users are comfortable with. A sample network can consist of the following parts:
- Communication equipment, like switches, routers and firewalls
- Network based services, like DNS servers, SMTP servers and mail servers

Beside the strictly technical parts of the network a number of policies must be considered and created to get an easily managed and survivable network (these network policies can be viewed in Appendix A).

Figure 3 Example of a network to use as reference [10, SITIC, FR04-04]

Figure 3 is an example of a network topology for reference. A DMZ (Demilitarized Zone) segment of the network is in place (a DMZ is specified in Appendix A). Notice the possibility to cut off some communication in order to preserve the ability to maintain service if an attack occurs. As mentioned in the characteristics of a survivable system, different organisations have different threat profiles. SITIC [10] suggests that a threat and vulnerability profile should be made for each organisation and that the outcome of the profile is taken into consideration when planning a new network. Some possible scenarios can be planned for, like the occurrence of an attack or intrusion. Below, some risks for a computer network are described, with some possible remedies suggested by SITIC [10]:

- What connections to the Internet exist, and are there any unauthorised openings, such as:

  - Modems connected to a host, allowing traffic to reach the network without passing through a firewall.
  - Lab networks, which according to SITIC are often not secured enough and might constitute a threat.
  - VPN networks (Virtual Private Networks) between the office and an employee working from home. If the home user's machine can be compromised, an authorised connection might be established by an attacker. Therefore the policy for users working outside the network must be thoroughly defined.
- The Internet Service Provider's (ISP) security policy must be considered, so that a connection for the network is ensured.
- Do the hosts within the network have firewalls that protect them from traffic that is not authorised? It can be important to ensure that only the absolutely necessary traffic can travel between machines, so that a possible attacker cannot escalate his privileges once inside the network.
- The same password should not be used for several machines, like servers. According to SITIC [10] it is a common problem that the same password is used on several servers. If an attacker is able to gain access to one server, the same password can be used on other servers in the network.
- Only allow necessary outgoing traffic on certain ports. SITIC states that it is common for traffic coming into a network to be restricted by a firewall, but not the outgoing traffic. For instance, a machine on the inside of the network may have been struck by malicious code that spreads by opening a connection to the Internet on an IRC channel on a high port number, between

This list of risks that might occur in networks is not complete. But a conclusion from some of the bullets above could, according to SITIC, be to limit the number of ports that are allowed to be open to the network. This could ensure that some of the listed risks above can be minimised as

well as other possible scenarios. Also, the possibility to generate logs in the firewalls for the ports that are not allowed can help to discover an attack, when an infected machine tries to connect to the Internet on a port that is not allowed.

SITIC [10] suggests a list of ports that a network administrator can allow to be opened in order to maintain the network services. At the same time they point out that this must be mapped to the needs of the network.

For incoming traffic (to DMZ):
- 25 TCP, SMTP for e-mail
- 53 UDP, DNS for translating logical addresses from the Internet, if the network uses its own DNS
- 80 TCP, HTTP for Web traffic
- 443 TCP, HTTPS (SSL) for encryption of Web traffic, if there are any such services

For outgoing traffic:
- 21 TCP, FTP for file transmission
- 25 TCP, SMTP
- 53 UDP, DNS for translating logical addresses from the Internet, if the network uses its own DNS
- 80 TCP, HTTP for Web traffic
- 443 TCP, HTTPS (SSL) for encrypted Web traffic [10]

One way of defending the system is to constantly monitor what information the network is leaking, to know what an attacker knows about the systems and to be able to identify which information has left the organisation via the network interface. Foot printing is when an

attacker prepares an attack against a network; understanding it is therefore an important part in the defence of networks.[note 3] It does not involve any illegal activities or directly disturb the service of a network. But since a successful foot printing often leads to a successful hack, steps must be taken to constrain and control the information that can be reached.

Note 3: The concept of foot printing can be studied more thoroughly in Appendix B.
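The SITIC port list above, together with the suggestion to log connections on ports that are not allowed, amounts to a default-deny policy in both directions. The following Python program is an added example that illustrates that policy; it is not code from the thesis or from SITIC. The flow fields, the sample addresses and the log line format are assumptions made for the example, and the sample traffic is constructed, not captured from any network.

```python
"""Default-deny allow-list check modelled on the SITIC port recommendations.

Added example. Assumptions: a connection attempt is described by its
direction, protocol, destination port and the two addresses; anything not on
the allow list for that direction is denied, and denied outgoing attempts are
logged so that an internal machine calling out on an unexpected high port
(the IRC case in the text) becomes visible in the firewall log.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The (protocol, port) pairs SITIC [10] lists on the page.
INCOMING_ALLOWED = {("tcp", 25), ("udp", 53), ("tcp", 80), ("tcp", 443)}
OUTGOING_ALLOWED = {("tcp", 21), ("tcp", 25), ("udp", 53), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (Internet -> DMZ) or "out" (inside -> Internet)
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    src: str         # source address (constructed sample values below)
    dst: str         # destination address


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "deny", log line or None) for one connection attempt.

    Only (proto, port) pairs on the list for the flow's direction pass.
    Denied outgoing flows produce a log line; denied incoming flows are
    dropped silently, as the text only singles out outbound logging.
    """
    allowed = INCOMING_ALLOWED if flow.direction == "in" else OUTGOING_ALLOWED
    if (flow.proto.lower(), flow.dport) in allowed:
        return "allow", None
    log = None
    if flow.direction == "out":
        log = (f"DENY-OUT src={flow.src} dst={flow.dst} "
               f"proto={flow.proto} dport={flow.dport}")
    return "deny", log


def audit(flows: List[Flow]) -> List[str]:
    """Evaluate a batch of flows and return only the log lines produced."""
    logs = []
    for flow in flows:
        _, log = evaluate(flow)
        if log is not None:
            logs.append(log)
    return logs


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Flow("in",  "tcp", 80,   "198.51.100.7", "192.0.2.10"),    # web to DMZ: allowed
    Flow("in",  "tcp", 23,   "198.51.100.7", "192.0.2.10"),    # telnet to DMZ: denied
    Flow("out", "tcp", 443,  "192.0.2.50",   "198.51.100.9"),  # HTTPS out: allowed
    Flow("out", "tcp", 6667, "192.0.2.50",   "198.51.100.9"),  # IRC on a high port: denied and logged
    Flow("out", "udp", 53,   "192.0.2.50",   "198.51.100.1"),  # DNS out: allowed
]

if __name__ == "__main__":
    for flow in SAMPLE:
        print(flow.direction, flow.proto, flow.dport, "->", evaluate(flow)[0])
    for line in audit(SAMPLE):
        print(line)
```

Running the block prints one decision per sample flow and a single DENY-OUT line for the IRC attempt; that line is the kind of entry a log review (section 6.2) would pick up as a sign of an infected internal host.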

Chapter 5 Common network vulnerabilities

In Open Source Security Tools by Howlett [5] he points out that it is important to remember that for the average company the threat of being exposed by a hacker is not that large. The vulnerability should be weighed against what kind of business it is, a bank or perhaps a government institution. The author also states that it is important to keep the system more secure than the next system, since many hackers use common and known exploits on whatever network is vulnerable. It is almost impossible to secure a network from an attacker with the right amount of knowledge, time and money. The mainstream hacker uses known exploits, and these exploits have often been known for some time. As an example, the damage from the Code Red worm outbreak in 2001 could have been reduced if the networks had been patched with the patch that was released a year before. There are many examples of big outbreaks where many machines are affected and the remedy existed in the form of a patch.[note 4] The use of so called zero day exploits and unknown exploits is very rare. [5] If one attack doesn't work the hacker often has the possibility of trying another way to break in to the system.

In the following subchapters a number of common network vulnerabilities are described. In general a vulnerability scanner can be used to find most of them. Common vulnerabilities in computer networks according to Howlett [5] are:

5.1 Buffer overflow

Buffer overflows are often the result of poorly written and tested code. They can be exploited by performing actions that cause the system to run out of resources. This is done with legitimate requests or by sending excessive data that the system is unable to process properly. In some cases a buffer overflow can make it possible to run arbitrary code on the affected system. The countermeasures are better code review, testing and vendor accountability. For the system administrator the countermeasure is to apply patches in a timely fashion. [5]

Note 4: The remedy of patching and updating can be studied more closely in Appendix C.

5.2 Router and firewall weaknesses

These devices are the perimeter protection of the network. Howlett [5] states that with the growing complexity of the devices and the sophistication of the attackers these protection applications can also be compromised if they are not configured correctly. Even if the rule sets are written correctly, many routers still run Telnet for interactive logins rather than the more secure SSH. The use of Telnet makes sniffer attacks possible, where login and password combinations can be grabbed. Also, some routers run Finger and other information leaking services. Some firewalls are running on a Windows or UNIX platform, which makes them vulnerable to all the common OS level exploits. It is also possible that the software in firewalls contains exploitable code, but it is rare. Firewalls often use web servers to interface with the users, which makes them vulnerable through that interface. [5]

5.3 Web Server Exploits

Most networks today involve a web server, and these applications are well known for their bugs and security holes. Howlett states that "The very idea of a web server, that a user can pull files from the server without any authentication at all, sets up the potential for security gaps" [5 p.125]. The problems come from the fact that a web server has to deal with an ever growing number of protocols, commands and a lot of traffic, and also from the fact that scripting languages like ASP and PHP have code that needs to be executed. A hacked web server can lead to other problems and embarrassments than just a changed website. Web servers are often connected to other internal systems or perhaps a database that might contain information not only for the web applications. [5]

5.4 Mail Server Exploits

The e-mail server, like the web server, is a very important application for a computer network but also one of the most exposed points in a network. Since the mail server always has an open port to the Internet through the firewall, it is vulnerable to hacking. For instance, if a hacker is uncertain of what type of SMTP (Simple Mail Transport Protocol) server is running, there are two ways of finding this out: one is to simply send a mail to the server and then read the header of the response mail, the other is to use telnet to open a session to port 25 and read the banner that is sent. When the type of server is known, the vulnerability databases can be checked for known exploits. [11]

5.5 DNS Server

There are a couple of reasons that make the DNS server the weakest point of all in the whole Internet structure. A DNS server translates IP addresses into logical names and vice versa. Even if IP connectivity to the outside world works, without the DNS server in the domain no traffic will reach the web servers and no e-mail will work. By a successful DoS (Denial of Service) attack the whole domain will go down. Another possibility is an attack called DNS cache poisoning, where DNS entries are forged and the IP traffic is therefore redirected to another site. [5]

5.6 Database Exploits

By using a database connection to the web site more functionality can be added, like users filling in different kinds of forms or logging in to view personal data, placed orders, etc. Even though the web sites are placed on the outside of the direct core of the network, databases are not. By using specially crafted URLs containing SQL or some other loosely typed database commands a vulnerability exists, since the commands are executed within the database and therefore often at the core of the system. [5]

5.7 User and File Management

The key to user and file management is to work according to the principle of least privilege. Users should only be given permission to access what is needed for them to do their job, nothing more. It's a fine balance between being overwhelmed by helpdesk calls and weakening the security of the network. Different platforms have different ways of dealing with the problem, but all solutions have weaknesses. Windows has a problem with shares, which give away too much information; another problem is that guest accounts set by default must be manually removed after installation. The UNIX platform has the problem that users can be either root or not root. The non-root users might need to be root to access or perhaps compile something, and the root account is given away by the administrator too easily. A vulnerability scanner can help by testing easy to guess passwords for administrator accounts and also by testing the common administrator/administrator login/password combination in Windows. [5]

5.8 Manufacturer Default Accounts

Hardware manufacturers often ship their hardware with a default configuration where different default accounts are set for easier set up. There might also be accounts for technicians and

service representatives. On the Internet there are lists circulating of the default logins and passwords that the major hardware manufacturers and software vendors are using. There are also scripts, free of charge, that can be used to run automatic tests against these logins. So, it's a good idea to change the default settings of these accounts. [5]

5.9 Blank or Weak Passwords

Passwords are a commonly used security feature but not without problems. Logins often have passwords that are left intentionally blank, even administration accounts. Worms and hacking programs often check for these conditions: a blank password or a password that is the same as the login. Passwords should be changed on a regular basis according to certain requirements. Vulnerability scanners can be set to check for the use of default and weak passwords. [5]

5.10 Unneeded Services

The problem of unneeded services comes from a combination of the administrator's unwillingness to take services out of a system that works fine and the ever increasing development of processor speed and memory capacity. Another problem is that the following services are often turned on by default in different applications:

Service                  Common port  Function
chargen                  19           Generates a stream of characters when a request is sent. Can be used in a DoS attack by continuously sending requests.
daytime                  13           Returns the time of day; not needed in a modern system.
discard                  9            Discards what is sent to it silently. Mainly for testing purposes.
echo                     7            Replies with whatever is sent to it. Like chargen it can be used in a denial-of-service attack.
finger                   79           Very useful to hackers for information gathering.
qotd (quote of the day)  17           Sends a little quote or phrase that the administrator sets up when the user logs on.

Table 1 Unneeded services (these services are ranked as useless by Howlett [5 p.129])
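The checks that sections 5.8 and 5.9 describe (blank passwords, a password equal to the login, guessable defaults) and the dictionary, hybrid and brute force methods that section 6.1 describes can be run as one audit of an organisation's own account store, which is what the text recommends the administrator does. The Python program below is an added example, not code from the thesis or from any tool it discusses. The account list, the word list, the suffix list and the use of unsalted SHA-256 as the stored hash format are all assumptions made so that the example runs offline; a real audit works on the platform's own hash format and uses a far larger dictionary.

```python
"""Password audit: trivial checks (section 5.9) followed by dictionary,
hybrid and bounded brute force attacks (section 6.1) against stored hashes.

Added example with constructed accounts. Assumption: the store holds
unsalted SHA-256 hex digests so the example is self-contained; real systems
use salted, slow hashes and the audit would target that format instead.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional, Tuple


def h(password: str) -> str:
    """Hash function assumed for the example's account store."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store (login -> stored hash); not from any real system.
ACCOUNTS: Dict[str, str] = {
    "administrator": h("administrator"),            # password equals login
    "guest": h(""),                                   # blank password
    "bob": h("winter99"),                             # dictionary word plus suffix
    "eve": h("q7z"),                                  # short, falls to brute force
    "alice": h("Tr0ub4dor&3-long-passphrase!"),       # survives every method here
}

WORDLIST = ["password", "welcome", "summer", "winter", "letmein"]   # constructed
HYBRID_SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "99!"]


def trivial_check(login: str, stored: str) -> Optional[str]:
    """Section 5.9 conditions: blank password or password equal to the login."""
    if stored == h(""):
        return "blank password"
    if stored == h(login):
        return "password equals login"
    return None


def dictionary_attack(stored: str, words: Iterable[str] = WORDLIST) -> Optional[str]:
    """Compare the hash with every entry of the dictionary."""
    return next((w for w in words if h(w) == stored), None)


def hybrid_attack(stored: str, words: Iterable[str] = WORDLIST,
                  suffixes: Iterable[str] = HYBRID_SUFFIXES) -> Optional[str]:
    """Dictionary word combined with extra characters (here: suffix, optional capital)."""
    for word in words:
        for suffix in suffixes:
            for candidate in (word + suffix, word.capitalize() + suffix):
                if h(candidate) == stored:
                    return candidate
    return None


def brute_force(stored: str, max_len: int = 3,
                alphabet: str = string.ascii_lowercase + string.digits) -> Optional[str]:
    """Exhaustive search; only time and CPU limit it, so the example bounds the length."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if h(candidate) == stored:
                return candidate
    return None


def audit(accounts: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return login -> (method that recovered the password, password) or ("resistant", None)."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for login, stored in accounts.items():
        reason = trivial_check(login, stored)
        if reason:
            report[login] = (reason, None)
            continue
        for name, method in (("dictionary", dictionary_attack),
                             ("hybrid", hybrid_attack),
                             ("brute force", brute_force)):
            found = method(stored)
            if found is not None:
                report[login] = (name, found)
                break
        else:
            report[login] = ("resistant", None)
    return report


if __name__ == "__main__":
    for login, (method, recovered) in audit(ACCOUNTS).items():
        print(f"{login:14s} {method:22s} {recovered or ''}")
```

The methods are tried in order of cost, which is also how a scanner prioritises them: the trivial checks and the dictionary are instant, the hybrid pass is small, and brute force is the fallback whose run time grows exponentially with the length of the password, which is why a policy that enforces length and mixed character classes defeats it in practice.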

5.11 Information Leaks

There are too many loose-lipped operating systems connected to the Internet, giving away useful information to hackers. Especially Windows, with its plug and play network system, is guilty of giving away too much information on network systems. A common search engine can also be used to gather information like user names, shared drives and directories, since people often have a habit of storing documents on a web server that they think cannot be reached because they are not linked from any website. But this is not the case, and there is a lot of information that can be reached by using a common search engine on the Internet. This is why it is a good idea to regularly search the Internet for the domain names of the network to see what surfaces. [5]

5.12 Denial of Service

If a hacker cannot get into the system there is always the possibility of trying a denial of service attack. Political targets or companies that perform their business over the Internet are typically exposed and vulnerable to this kind of attack. There are many ways to perform a denial of service attack, from simply swamping the main router with traffic to taking advantage of a known bug in a program, making the service unreachable and therefore crashing a server. It is hard to defend against this problem, but if the latest program updates are installed the risk is reduced. [5]
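Table 1 in section 5.10 lists the small services that should normally be switched off. The Python script below is an added example, not part of the thesis or of Howlett's book; it audits the listening sockets of a host against that table, which is the host-side counterpart of what a vulnerability scanner checks from the network. The ss(8)-style socket listing it parses is constructed for the example, and the column layout it assumes (protocol, state, queue counters, local address:port, peer address:port) is an assumption of the example.

```python
"""Audit listening sockets against the unneeded services of Table 1.

Added example with constructed data. Assumption: the input has the column
layout 'Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port',
one socket per line, as produced by a listing such as `ss -ltun`.
"""
import re
from typing import Dict, List, Tuple

# Table 1 (Howlett [5 p.129]): port -> (service, why it is considered unneeded).
UNNEEDED_SERVICES: Dict[int, Tuple[str, str]] = {
    7:  ("echo",    "replies with whatever is sent; usable in a denial-of-service attack"),
    9:  ("discard", "silently discards input; mainly for testing"),
    13: ("daytime", "returns the time of day; not needed in a modern system"),
    17: ("qotd",    "quote of the day; pure information leak"),
    19: ("chargen", "generates a character stream; usable in a DoS attack"),
    79: ("finger",  "very useful to hackers for information gathering"),
}

LOOPBACK = ("127.0.0.1", "[::1]")

# proto, state, two queue counters, local address:port, peer address:port
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def parse_listeners(listing: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for each socket line; header lines are skipped."""
    listeners = []
    for line in listing.splitlines():
        match = SOCKET_RE.match(line.strip())
        if not match:
            continue
        # rpartition handles both 0.0.0.0:22 and [::]:80 forms
        addr, _, port = match.group("local").rpartition(":")
        listeners.append((match.group("proto"), addr, int(port)))
    return listeners


def audit_listeners(listing: str) -> List[dict]:
    """Flag every listening socket whose port belongs to an unneeded service.

    network_reachable distinguishes a service bound to all interfaces from one
    bound to loopback only; the latter is still unneeded but not exposed.
    """
    findings = []
    for proto, addr, port in parse_listeners(listing):
        if port in UNNEEDED_SERVICES:
            name, why = UNNEEDED_SERVICES[port]
            findings.append({
                "service": name, "proto": proto, "port": port, "bind": addr,
                "network_reachable": addr not in LOOPBACK, "note": why,
            })
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


# Constructed listing; not output from the thesis' laboratory network.
SAMPLE_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:79          0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:19          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:7           0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
tcp   LISTEN 0      5      127.0.0.1:13        0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTING):
        exposure = "exposed" if finding["network_reachable"] else "loopback only"
        print(f"{finding['service']:8s} {finding['proto']}/{finding['port']:<3d} "
              f"{exposure:14s} {finding['note']}")
```

On the constructed listing the script flags echo (UDP 7), chargen and finger as reachable from the network and daytime as bound to loopback only, while SSH and HTTP pass. Pairing this host-side view with the scanner's network-side view is a cheap way to confirm that a service the scanner reports is really the one the host is running.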

Chapter 6 Network security testing

To test the security of a network, maintain its services and ensure its survival, there are a couple of techniques and tools available. These techniques and tools can help when vulnerabilities such as the ones described in the previous chapter are encountered. According to CERT ( vulnerabilities surfaced in Together with the growing number of computers per person in an organisation, these vulnerabilities have to be tested for to maintain system security. [16]

Hackers and crackers that try to enter a system tend to exploit the vulnerability that is easiest to use. Therefore SANS has made a list of the top 20 vulnerabilities that are most commonly used by hackers and crackers. A report made by SANS dated May 2000 discusses the issue: "A small number of flaws in software programs are responsible for the vast majority of successful Internet attacks. A few software vulnerabilities account for the majority of successful attacks because attackers don't like to do extra work. They exploit the best-known flaws with the most effective and widely available attack tools. And they count on organizations not fixing the problems." [16 p.2-1]

During a network system's lifetime the security must be constantly updated and developed to counter new and enhanced vulnerabilities. NIST has described a model for security maintenance. The model separates between an operational stage, when the network is in use, and a maintenance stage, when the system is upgraded or changed (ST&E, Security Test & Evaluation). In the operational stage periodic testing should be done to make sure that the network is secured. When an upgrade or a change in the network structure has been done, the change must be tested and evaluated to make sure that an unsecured network is not put into use. For this task a vulnerability scanner, among other tools, could be useful. [16] The level of testing will differ between different types of applications, depending on the type of application and its vulnerability.

Figure 4 Model for network security testing: testing activities during the operational and maintenance stages. [16 p.2-3]

The security testing will produce reports with insight into other systems' and services' life cycles. Depending on the size of the organisation this information could be useful for other staff involved in other IT related areas. The information could be used:
- As a reference point for corrective action,
- In defining mitigation activities to address identified vulnerabilities,
- As a benchmark for tracing an organization's progress in meeting security requirements,
- To assess the implementation status of system security requirements,
- To conduct cost/benefit analysis for improvements to system security,
- To enhance other life-cycle activities, such as risk assessments, Certification and Authorization (C&A), and performance improvement efforts. [16]

There are many different kinds of techniques for testing the security in a computer network. Some of the techniques are highly automated and some require more human involvement to start the testing. These techniques are:
- Password Cracking

- Log Review
- Integrity Checkers
- Virus Detection
- War Dialling
- War Driving (or wireless LAN testing)
- Penetration Testing
- Network Scanning, which finds the active hosts and the ports they respond to in the specified network.
- Vulnerability Scanning, which performs a network scan but also tries to find the weaknesses in the services the scanned host provides. [16]

6.1 Password Cracking

There are a number of programs and techniques to crack a password. Passwords are often stored and sent across a network in an encrypted form called a hash. The hash is generated from the password chosen by the user. Every time the user logs in and states a password it is transformed into a hash and compared to the stored hash. There are two ways to capture hashes from a system: either by gaining root or administrator access or by capturing the hashes on the network with a network sniffer. A hash can be cracked in three ways:
- Dictionary attack: the hash is compared with all the entries in a stored dictionary.
- Hybrid attack: tries whether the password contains a combination of a word in a dictionary and different characters.

- Brute force method: tries random letters and characters in different combinations. It generates the passwords and their associated hashes. The only limit on a brute force attack on a password is time and processing power.

Another problem with passwords could be the lack of authentication policies: the network is not using any authentication and the password is sent in clear text over the Internet. This should be taken care of by a stronger form of authentication policy. Password crackers like the program L0pht Crack should be run on the system network so that the administrator can get a picture of what passwords are used on the network and how strong they are. This would give a hint as to whether the password policy should be altered to enhance the security of the network. [16]

6.2 Log reviews

From the review of logs from IDS (Intrusion Detection System), firewalls and servers it can be concluded whether the system network is working according to the security policy. Reviewing logs can tell whether the administrator should consider removing vulnerable unused services, hardening the firewall policy or reconfiguring the network to minimise the possibility of compromise.

6.3 File integrity checkers

It is important to verify the integrity of a file to know that it has not been altered. File integrity checkers compute a checksum on every file. This is especially useful on system files that are particularly vulnerable to alteration. The checksums should be recomputed and checked regularly to ensure the integrity and security of the network.

6.4 Virus detectors

There are many ways for a virus to enter a system, basically through any medium or connection connected to a computer or server. Two versions of antivirus programs are mainly in use. One can be installed in the network infrastructure as a perimeter protector and the other on each host in the network. To get the highest security both should be used. To be efficient, the virus signature database must be updated to protect against the latest threats. The updating can be a problem to execute on each host but is easier to manage on the perimeter protection, since its availability is higher and the number of machines is smaller. Trojans and worms also constitute a major threat to all computer networks, but with frequent updates the threat can be considerably

minimized. According to NIST [16] most antivirus program updates are done automatically. It is important that the antivirus program is working with the latest updates, that the updating is done at least weekly, and that after each update a full scan of the network is done.

6.5 War dialling

A network can have a perfect configuration and security, but all that is lost with a modem circumventing the security features of the network. War dialling or telephone line scanning is an attack where a telephone number range is tested to see if there is a modem or fax present and responding on the inside of a PBX (Private Branch Exchange). Several software packages, both commercial and freeware, are available for war dialling. [17]

6.6 Wireless LAN testing

A number of wireless LAN protocols exist; according to NIST [16] 802.11b is the most commonly used. There are a couple of known vulnerabilities following this protocol:
- Insertion attacks
- Interception and monitoring of wireless traffic
- Denial of service attacks
- Client to client attacks

A standard recommendation is that wireless networks should be placed outside the firewall and IDS. Wireless networks can always be reached by an intruder, but the access can be limited by using access lists on MAC addresses, not broadcasting the SSID and using encryption on the traffic. [16]

6.7 Penetration testing

A penetration test is the process of gaining unauthorised access to a computer network. It is a way for an organisation or company to determine how well their security measures respond to a real life attack and what an attacker can accomplish or compromise. Before starting a penetration test the goals as well as the limitations of the test should be set. The goals and limitations of the test depend on what the administrator of the target network considers important to protect and test for vulnerabilities. There are different ways of conducting the test, with or


More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 What is a firewall? Firewalls are programs that were designed to protect computers from unwanted attacks and intrusions. Wikipedia

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Web Security School Final Exam

Web Security School Final Exam Web Security School Final Exam By Michael Cobb 1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet? a. IIS Admin

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities Objectives After reading this chapter and completing the exercises, you will be able to: Describe vulnerabilities of Windows and Linux operating systems Identify specific vulnerabilities and explain ways

More information

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad Vulnerability Assessment and Penetration Testing CC Faculty ALTTC, Ghaziabad Need Vulnerabilities Vulnerabilities are transpiring in different platforms and applications regularly. Information Security

More information

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson Nessus A short review of the Nessus computer network vulnerability analysing tool Authors: Henrik Andersson Johannes Gumbel Martin Andersson Introduction What is a security scanner? A security scanner

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Database Security Guide

Database Security Guide Institutional and Sector Modernisation Facility ICT Standards Database Security Guide Document number: ISMF-ICT/3.03 - ICT Security/MISP/SD/DBSec Version: 1.10 Project Funded by the European Union 1 Document

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

Understanding Security Testing

Understanding Security Testing Understanding Security Testing Choosing between vulnerability assessments and penetration testing need not be confusing or onerous. Arian Eigen Heald, M.A., Ms.IA., CNE, CISA, CISSP I. Introduction Many

More information

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004 CSE331: Introduction to Networks and Security Lecture 32 Fall 2004 Hackers / Intruders External attacks Typical hacker Exploits carried out remotely Does not have an account on the remote machine Insider

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

NETWORK PENETRATION TESTING

NETWORK PENETRATION TESTING Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes

More information

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions Security Awareness For Server Administrators State of Illinois Central Management Services Security and Compliance Solutions Purpose and Scope To present a best practice approach to securing your servers

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2

More information

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background: 1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus

More information

Developing Network Security Strategies

Developing Network Security Strategies NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information