An Integrated Vulnerability Analysis and Penetration Testing Framework


An Integrated Vulnerability Analysis and Penetration Testing Framework

A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Technology in Computer Technology

Department of Computer Science and Engineering
Jadavpur University, Kolkata

By Chiranjit Datta
Examination Roll: M6TCT
University Registration No of

Under the guidance of
Shri. Mridul Sankar Barik
Assistant Professor
Department of Computer Science and Engineering
Faculty of Engineering and Technology
Jadavpur University, Kolkata

May, 2013

TO WHOM IT MAY CONCERN

This is to certify that the work in this thesis entitled "An Integrated Vulnerability Analysis and Penetration Testing Framework" has been satisfactorily completed by Chiranjit Datta. It is a bonafide piece of work carried out under my supervision at Jadavpur University, Kolkata, for partial fulfillment of the requirements for awarding of the Master of Technology in Computer Technology (MTCT) degree of the Department of Computer Science and Engineering, Faculty of Engineering and Technology, Jadavpur University during the academic year.

Shri. Mridul Sankar Barik
Project Supervisor
Assistant Professor
Department of Computer Science and Engineering
Jadavpur University

Forwarded By:
Prof. Sivaji Bandyopadhyay
Head of the Department
Department of Computer Science and Engineering
Jadavpur University

Department of Computer Science and Engineering
Faculty of Engineering and Technology
Jadavpur University, Kolkata

Certificate of Approval

This is to certify that the thesis entitled "An Integrated Vulnerability Analysis and Penetration Testing Framework" is a bona-fide record of work carried out by Chiranjit Datta in partial fulfillment of the requirements for the award of the degree of Master of Technology in Computer Technology (MTCT) in the Department of Computer Science and Engineering, Jadavpur University during the period June 2012 to May. It is understood that by this approval the undersigned do not necessarily endorse or approve any statement made, opinion expressed or conclusion drawn therein but approve the thesis only for the purpose for which it has been submitted.

Examiners:
(Signature of the Examiner)
(Signature of the Supervisor)

Declaration of Originality and Compliance of Academic Ethics

I hereby declare that this thesis contains literature survey and original research work by the undersigned candidate, as part of his Master of Technology in Computer Technology studies. All information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work.

Name: Chiranjit Datta
Roll Number: M6TCT
Thesis Title: An Integrated Vulnerability Analysis and Penetration Testing Framework
Signature with Date:

Acknowledgement

The work presented in this thesis has been carried out at the Department of Computer Science and Engineering at Jadavpur University, Kolkata. The main setting for this research work has been the Center for Distributed Computing, Jadavpur University. In my attempted integration of vulnerability analysis and penetration testing frameworks, I thank all who have helped along the way and influenced the formation of understanding and representation of the integrated tool presented in this thesis. In particular, I wish to express my gratitude to my supervisor, Shri Mridul Sankar Barik, Assistant Professor, Dept. of Computer Science and Engineering at Jadavpur University, Kolkata, for his continued encouragement and support, and all his contribution of time, ideas, and invaluable suggestions during this work. I would also like to thank Prof. Chandan Mazumdar for not only giving me an opportunity to work on this project and use the resources of the Center for Distributed Computing, Jadavpur University, but also for his valuable guidance at every step of this thesis. I wish to thank Prof. Sivaji Bandyopadhyay, Head of the Department of Computer Science & Engineering, Jadavpur University, for providing me all the facilities and for his support to the activities of this project. I am also grateful to Dr. Anirban Sengupta, Principal Research Engineer, CDCJU, for sharing his knowledge and experience with me and also for his immense support and co-operation. Furthermore, I am deeply indebted to all my colleagues and friends at the Center for Distributed Computing who have provided the environment for sharing their experiences and ideas regarding the security issues involved in banking. Finally I want to thank my parents and my siblings for being a constant source of support and encouragement.

Chiranjit Datta
Department of Computer Science and Engineering
Examination Roll No: M6TCT
University Registration No: of

Table of Contents

List of Figures
List of Tables

Chapter-1 Introduction
    1.1 Security in Today's Heterogeneous Network
    1.2 Vulnerability Analysis and Penetration Testing
        Requirement of VA and PT
        Difference between Vulnerability Analysis and Penetration Testing
        Dependency of VA and PT on each other
        Integrated VA and PT
    1.3 Objective
    1.4 Organization of the Thesis

Chapter-2 Vulnerability Analysis
    2.1 Definition of Vulnerability in the Information Security Context
    2.2 Vulnerability Analysis
        Definition
        Importance of VA
    2.3 VA Techniques
    Vulnerability Scanners
        The Limitations of Vulnerability Scanners
    Case Study
        Nessus
        OpenVAS
        Nexpose
    Comparative Analysis of Nessus, OpenVAS, Nexpose Scanner
        About the Vulnerability Scanners for Testing
        Test Scanning Results

Chapter-3 Penetration Testing
    Definition of Penetration Testing in the Information Security Context
    Penetration Testing
        Definition
        Importance of PT
    Types of Penetration Testing
        Black-Box Penetration Testing
        White-Box Penetration Testing
        Gray-Box Penetration Testing
    PT Techniques
        External Penetration Testing
        Internal Security Assessment
        Application Security Assessment
        Network Security Assessment
        Wireless/Remote-Access Security Assessment
        Telephony Security Assessment
        Social-Engineering Assessment
    Penetration Testing Tools
        Metasploit Framework
        CORE IMPACT
        CANVAS
    Case Study: Metasploit Framework
        Metasploit Architecture
            Rex
            Core
            Base
            Auxiliary Modules
            Encoder Modules
            Exploit Modules
            Payload Modules
        User-Interface Modes

Chapter-4 Integration of VA and PT
    Reason of Integration
    Existing Integrated VA and PT tools

Chapter-5 Integrated VA and PT Tool
    Motivation
    Architecture of the Tool
        Multi-Tier Nature of the Tool
            Presentation Tier or Client Tier
            Logic Tier or Middle Tier
            Data Tier
    Design of the Tool
        Process Flow of the Tool
            Scope
            Information Gathering
            Vulnerability Detection
            Information Analysis and Planning
            Attack and Penetration
            Result Analysis
            Reporting
        Data-Tier Design
        Logic-Tier Design
        Presentation-Tier Design
    Implementation of the Tool
    5.5 Performance of the Tool

Chapter-6 Conclusion and Future Work

References
Index

List of Figures

Figure 1: Number of vulnerabilities detected in Host 1 (Windows 7)
Figure 2: Year-wise vulnerability detection in Host
Figure 3: Number of vulnerabilities detected in Host 2 (Windows XP)
Figure 4: Year-wise vulnerability detection in Host
Figure 5: Number of vulnerabilities detected in Host 3 (Red Hat Linux 6)
Figure 6: Year-wise vulnerability detection in Host
Figure 7: Comparative statistics of vulnerability detection
Figure 8: Year-wise statistics of vulnerability detection
Figure 9: Architectural Model of Metasploit
Figure 10: Architectural Model of VAPT Tool
Figure 11: 3-Tier Architecture
Figure 12: A sample Presentation Tier of the Tool
Figure 13: Presentation Tier of Tool's Network Discovery Service
Figure 14: Presentation Tier of Tool's Vulnerability Analysis Service
Figure 15: Presentation Tier of one of the Tool's Vulnerability Scanner Services
Figure 16: Presentation Tier of Tool's Penetration Testing Service
Figure 17: Tool's Standalone Mode
Figure 18: Tool's Client/Server Mode
Figure 19: Tool's Client-Tier side verification
Figure 20: Tool's Data-Tier side verification
Figure 21: Tool's Composite Logic/Middle-Tier
Figure 22: Process Design of the Tool
Figure 23: Different Sections of the Tool
Figure 24: User-Administration Section (Add User) of the Tool
Figure 25: Network Discovery Section of the Tool
Figure 26: Network Discovery Section with WLAN discovery of the Tool
Figure 27: OpenVAS Scanner section of the Tool
Figure 28: Nexpose Scanner section of the Tool
Figure 29: Automatic Penetration Testing section of the Tool
Figure 30: Report Generation section of the Tool

List of Tables

Table 1: Overall Scanning output result
Table 2: Detected vulnerabilities in Host 1 (Windows 7)
Table 3: Detected vulnerabilities in Host 2 (Windows XP)
Table 4: Detected vulnerabilities in Host 3 (Red Hat Linux 6)
Table 5: Comparative analysis according to the age of total detected vulnerabilities

Chapter-1 Introduction

1.1 Security in Today's Heterogeneous Network

Our everyday lives have become critically dependent on networking technology and systems. In addition to telephone and data communications, new multimedia services and sensor networks are becoming part of daily life. Impressive increases in data traffic and the strong demand for pervasive communications have recently been met by remarkable advances in optical and wireless networking technologies. While these technological advances have been outstanding, modern applications still find significant performance bottlenecks in today's heterogeneous network environments.

The original Internet design assumed intelligent end-devices (computers), an end-to-end principle, and cooperative network management based on trust. The Internet Protocol (IP) was not designed to support security, real-time services, or quality-of-service (QoS). The new Internet realities are diverse end-devices (appliances), heterogeneous networks (wireless/satellite access, optical core, etc.), and competitive and adversarial network management, so trust can no longer be assumed. In addition, modern services often require real-time transport, quality-of-service, and security. The new Internet and modern applications challenge the underlying assumptions of the current protocol and network architecture.

There is also an interesting dichotomy between network security and network diversity. Homogeneous networks are easier to manage and configure, which is good for an organization's security in some ways. In other ways they are bad, because they offer a single point of compromise for a given piece of IT infrastructure. The best example is desktop systems. Today the vast majority of organizations have standardized on Microsoft application and operating system software for the desktop. Microsoft Internet Explorer is the most popular web browser, and the various flavors of Microsoft Outlook are the most popular e-mail clients. Both are based on popular Internet standards (SMTP, IMAP, POP3, HTTP, SSL, and so on); setting aside websites built to require a specific browser, any standards-compliant browser or e-mail client could be used instead of the Microsoft variants. Most organizations stay with the Microsoft products, however, which leaves the entire organization exposed to a single well-written exploit for either application. With multi-tier network architectures, web services, custom applications, and heterogeneous server platforms, keeping data and information assets secure is more difficult than ever.

Coupled with this added complexity is the fact that criminal organizations have professionalized their hacking efforts; it is no longer just script kiddies trying to break into a network. In the past several years it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world's fastest growing problems.

1.2 Vulnerability Analysis and Penetration Testing

Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. Using this method, security experts deliberately probe a network or system to discover its weaknesses. However, the method on its own does not differentiate between flaws that can actually be exploited to cause damage and those that cannot. By performing penetration tests against the organizational environment, one replicates the actions a malicious attacker would take, which gives a more accurate picture of the security posture at a given time by identifying which flaws pose a real threat to the organization. This process also provides guidelines for the development of countermeasures to prevent a genuine attack. Vulnerability Assessment and Penetration Testing (VAPT) [1] provides enterprises with a more comprehensive infrastructure evaluation than either test alone. The VAPT approach gives an organization a more detailed view of the threats facing its network architecture, web services, applications, etc., enabling the business to better protect its systems and data from malicious attacks.

Requirement of VA and PT

Computer software is prone to vulnerabilities: bugs in the software make it vulnerable, and attackers use these vulnerabilities to get into the system. Once a vulnerability is exploited, the organization's valuable information is at risk of compromise. New vulnerabilities are found every day; combined vulnerability assessment and penetration testing helps keep the organization's information systems current against them by identifying the patches, updates and configuration changes that need to be made.

Organizations have firewalls, but a conventional firewall is a network traffic filter that decides on addresses and ports, not on what the permitted traffic does. For example, if the firewall is configured to allow web traffic, it passes web traffic from outside to inside, and if the web server is vulnerable an attacker can exploit it over exactly that allowed traffic. VA-PT adds a second layer of assurance to the organization's security posture by scanning for and fixing the vulnerabilities of the organization's information systems.

Difference between Vulnerability Analysis and Penetration Testing

To understand the combined effect of VA and PT, we need to know what they can do separately. A quick comparison of vulnerability analysis and penetration testing gives a picture of this:

1. Vulnerability Analysis is the process of identifying vulnerabilities on a network, whereas Penetration Testing is focused on actually gaining unauthorized access to the tested systems and using that access against the network or data, as directed by the client.
2. A Vulnerability Analysis provides an overview of the flaws that exist on the system, while a Penetration Test goes on to provide an impact analysis: it identifies the possible impact of a flaw on the underlying network, operating system, database, etc.
3. Vulnerability Analysis is more of a passive process. It uses software tools that analyze both network traffic and systems to identify any exposures that increase vulnerability to attack. Penetration Testing is an active practice in which ethical hackers are employed to simulate an attack and test the resistance of the network and systems.
4. Vulnerability Analysis deals with potential risks, whereas Penetration Testing is an actual proof of concept. Vulnerability Analysis is just the process of identifying and quantifying the security vulnerabilities in a system; it does not validate them. Validation can only be done by penetration testing.
5. The scope of a Penetration Test can vary from a Vulnerability Analysis to fully exploiting the targets to destructive testing. A Penetration Test includes a Vulnerability Analysis but goes one step further: the security of the system is evaluated by simulating an attack of the kind a malicious hacker would carry out. For instance, a Vulnerability Analysis might identify the absence of anti-virus software on a system, or open ports, as a vulnerability. The Penetration Test determines the level to which the existing vulnerabilities can be exploited and the damage that can be inflicted as a result.
6. A Vulnerability Analysis answers the question: what are the present vulnerabilities and how do we fix them? A Penetration Test answers the questions: can an external attacker or internal intruder break in, and what can they attain?
7. A Vulnerability Analysis works to improve security posture and develop a more mature, integrated security program, whereas a Penetration Test is only a snapshot of the effectiveness of the organization's security program.
8. A Vulnerability Assessment commonly goes through the following phases: Information Gathering, Port Scanning, Enumeration, Threat Profiling & Risk Identification, Network Level Vulnerability Scanning, Application Level Vulnerability Scanning, Mitigation Strategies Creation, Report Generation, and Support. A Penetration Testing service has the following phases: Information Gathering, Port Scanning, Enumeration, Social Engineering, Threat Profiling & Risk Identification, Network Level Vulnerability Assessment, Application Level Vulnerability Assessment, Exploit Research & Development, Exploitation, Privilege Escalation, Engagement Analysis, Mitigation Strategies, Report Generation, and Support.

Dependency of VA and PT on each other

Vulnerability assessment and penetration testing are two different and complementary proactive approaches to assessing the security posture of an information system's network. The vulnerability assessment tests the security posture of the information system both internally and externally. Penetration tests provide evidence that the vulnerabilities really exist and that, as a result, network penetration is possible. Together they provide a blueprint for remediation.

Integrated VA and PT

Vulnerability assessment on its own offers only a partial evaluation of vulnerabilities; actually testing for them by penetrating the barriers is a useful adjunct, because it identifies potential access paths missed by the vulnerability assessment scan. Penetration testing is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.

Vulnerability Assessment and Penetration Testing (VAPT) is a systematic analysis of the security status of information systems. Vulnerability assessment is an on-demand activity, which makes it convenient to run tests over the Internet anywhere, anytime. VAPT is a hybrid approach that blends automated testing with analysis by a security expert, and it identifies attack vectors that may be missed when vulnerability analysis or penetration testing is done alone.

1.3 Objective

There are a variety of reasons for performing a vulnerability assessment and penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes the IT department is aware of reported vulnerabilities but needs an outside expert to report them officially so that management will approve the resources necessary to fix them. Having a second set of eyes check a critical computer system is good security practice, and testing a new system before it goes on-line is also a good idea.

Again, penetration testing is not the best way to find all vulnerabilities. A vulnerability assessment that includes careful diagnostic reviews of all servers and network devices will identify more issues, faster, than a black-box penetration test. Penetration tests are conducted in a limited time period, so they are a snapshot of a system's or network's security; the testing is limited to known vulnerabilities and the current configuration of the network. The fact that the testing team did not discover a vulnerability in the organization's systems does not mean that hackers or intruders will not. Vulnerability assessment and penetration testing should therefore be done on a regular basis for any organization that wants to protect itself from possible attack.

If an integrated VA-PT tool is available in-house, it becomes much easier for an organization to take a snapshot of its current security posture without increasing its security budget, and the tool decreases the dependency on third parties that is still common for penetration testing. So there is a need to develop a tool that eases the process of VA and PT for any organization. This will also help in calculating risk and developing attack graphs from time to time.

1.4 Organization of the Thesis

The remaining chapters of this thesis discuss the following:

Chapter 2: Vulnerability Analysis summarizes vulnerability and its importance in an organization's security posture, gives an overview of vulnerability scanners, and presents a comparative study of scanners like Nessus, OpenVAS and Nexpose and their performance over a test-bed.
Chapter 3: Penetration Testing summarizes penetration testing and its importance, different techniques and frameworks for penetration testing, and a study of one such framework, namely Metasploit.
Chapter 4: Integration of VA and PT describes why integration of VA and PT is necessary and surveys existing integrated VA-PT tools.
Chapter 5: Integrated VA and PT Tool describes the architecture, design, implementation and performance of the tool, and also the tools and technologies used to build it.
Chapter 6: Conclusion and Future Work summarizes the contributions of the thesis and the scope of future work.

Chapter-2 Vulnerability Analysis

2.1 Definition of Vulnerability in the Information Security Context

ISO defines vulnerability as [2]: "A weakness of an asset or group of assets that can be exploited by one or more threats", where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.

IETF RFC 2828 defines vulnerability as [3][4]: "A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy."

Many NIST publications define vulnerability in an IT context; FISMApedia [5] [7] provides a list. Among them, SP [8] gives a broader one: "A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

The Open Group defines vulnerability in [9] as: "The probability that threat capability exceeds the ability to resist the threat."

ISACA defines vulnerability in the Risk IT framework as: "A weakness in design, implementation, operation or internal control."

2.2 Vulnerability Analysis

Vulnerability analysis [20] aims to find vulnerabilities and to take a more holistic look at security. Penetration testing, by contrast, is a focused attack on a single vulnerability or a few vulnerabilities that are generally already known or suspected to exist. Vulnerabilities now scale beyond technology: operational processes like patch management and incident management have a significant impact on the lifecycle of a vulnerability. Vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

Reasons for vulnerability existence:
1. Insecure coding practices
2. Developer education not focused on security
3. Limited testing budget and scope
4. Disjointed security processes
5. More resources outside than inside

Definition

A vulnerability analysis is the process of identifying and quantifying vulnerabilities in an environment. It is an in-depth evaluation of the organization's posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Importance of VA

Once a network is secured by fully patching it and deploying antivirus solutions, hackers might still be able to exploit a number of misconfigurations. Below is a list of general issues one might find in a typical operating system installation:

1. Unnecessary open shares
2. Unused user accounts
3. Unnecessary open ports
4. Rogue devices connected to your systems
5. Dangerous script configurations
6. Servers allowing the use of dangerous protocols
7. Incorrect permissions on important system files
8. Running of unnecessary, potentially dangerous services

Apart from these misconfigurations, when running a vulnerability assessment on a target network one might find several security issues with a wide range of software and hardware, including:

9. Default passwords on certain devices
10. Unnecessary services running on some devices
11. Running web services that contain known vulnerabilities
12. Dangerous applications such as peer-to-peer applications
13. Third-party applications that are vulnerable to known exploits

Some vulnerability scanners will also look for signs of known malware based on the computer's behavior rather than actually scanning the files for known malware signatures. In some cases this approach can help uncover issues that an antivirus might miss, especially if the malware is being protected by a rootkit.

It is important to note that each of the issues mentioned above can jeopardize the network's security even if it is fully patched. Some systems may still have active accounts that belonged to employees who left or were laid off; a vulnerability assessment will bring these to light, and until such accounts are disabled these potentially disgruntled former employees can log into the target systems and cause havoc. The same applies to open shares. These are one of the vectors hackers use to spread viruses, especially where such needless open shares are not password protected. In some cases, having a particular port open can also be an indication that the system is running known malware; most vulnerability scanners will point this out in their scan results. Rogue devices are a big security concern for companies: from USB drives to wireless access points, these devices can provide access into the network, intentionally or unintentionally, and monitoring for their existence is an essential part of securing the network. Dangerous scripts, misconfigured services and incorrect permissions can all be exploited by a skilled hacker whose objective is to gain access to the victim's systems.

Something that is generally overlooked when securing the network is the devices connected to it. Printers, routers and fax machines are generally seen as a minor concern in terms of security. However, some of these devices can be used as a gateway into the network when they carry a faulty configuration or still use default settings. Some network printers, for example, by default allow unsecured telnet access without requiring any authentication. A subset of these will also store a copy of what is printed in their internal storage, something employees can copy, even remotely over the Internet.
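The stale-account, unneeded-service and file-permission issues listed above are exactly the kind of host configuration check a vulnerability assessment automates. The following Python script is an added example, not code from the thesis or from its tool: the /etc/passwd lines, last-login dates and `ss -lntp` listing are constructed inline so nothing is read from the real host, and the port allow list, the 90-day idle threshold and the audit date are assumptions chosen for the demonstration.

```python
"""Host-based configuration audit over constructed inputs.

Added example: the passwd lines, last-login dates and `ss -lntp` listing
below are constructed to mimic real output, and the thresholds are chosen
for the demonstration, so the script runs offline without touching the host.
"""
import os
import re
import stat
import tempfile
from datetime import date

AUDIT_DATE = date(2013, 5, 15)  # assumed date of the audit run

# Constructed /etc/passwd data. UIDs below 1000 are treated as system
# accounts, and accounts with a nologin shell cannot log in anyway.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (left 2012):/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:1004:1004:Backup service:/var/backups:/usr/sbin/nologin
"""

# Constructed last-login dates in the form lastlog reports them
# (None means the account has never logged in).
LAST_LOGIN = {
    "root": date(2013, 5, 1),
    "alice": date(2013, 4, 28),
    "bob": date(2012, 6, 15),
    "carol": None,
}

# Constructed `ss -lntp` output: TCP listeners and the process behind each.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1200,fd=6))
LISTEN  0       50      0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=1422,fd=4))
LISTEN  0       128     0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=1500,fd=33))
"""
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

# Legacy cleartext services that should not be listening at all.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp",
                   512: "rexec", 513: "rlogin", 514: "rsh"}


def stale_accounts(passwd_text, last_login, today, max_idle_days=90):
    """Login-capable accounts unused for more than max_idle_days, or never used."""
    stale = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if int(uid) < 1000 or shell.endswith("nologin"):
            continue
        last = last_login.get(name)
        if last is None or (today - last).days > max_idle_days:
            stale.append(name)
    return stale


def unneeded_services(ss_text, allowed_ports):
    """(port, process, reason) for listeners on cleartext ports or outside the allow list."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue                       # header or non-listening line
        port, proc = int(m.group(2)), m.group(3)
        if port in CLEARTEXT_PORTS:
            findings.append((port, proc, "cleartext protocol: " + CLEARTEXT_PORTS[port]))
        elif port not in allowed_ports:
            findings.append((port, proc, "not in allow list"))
    return findings


def world_writable(paths):
    """Subset of paths that any local user may modify (others-write bit set)."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def demo_permission_check():
    """Create one safe and one world-writable file in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        ok, bad = os.path.join(d, "app.conf"), os.path.join(d, "startup.sh")
        for path, mode in ((ok, 0o644), (bad, 0o666)):
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(p) for p in world_writable([ok, bad])]


if __name__ == "__main__":
    print("stale accounts:", stale_accounts(PASSWD, LAST_LOGIN, AUDIT_DATE))
    print("service findings:", unneeded_services(SS_OUTPUT, allowed_ports={22, 80}))
    print("world-writable:", demo_permission_check())
```

On the constructed data the audit flags bob (idle since 2012) and carol (never logged in) as stale, telnetd on 23 as a cleartext service and smbd on 445 as outside the allow list, and startup.sh as world-writable; on a real host the same functions would be fed the output of getent passwd, lastlog and ss.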

Finally, there are vulnerabilities caused by software. Some web services contain known exploitable flaws that allow a malicious attacker to use a script as a gateway to send e-mails, potentially using the organization to launch spam runs; SQL injection exploits might allow an attacker to get hold of usernames and passwords, insert his own username, or even run code remotely. Likewise, the use of applications with known vulnerabilities can open an organization up to targeted attacks: malicious hackers might send people malicious payloads targeted at these vulnerable applications which, when triggered, run the code the hacker embedded in the payload. When misconfigured, P2P applications can share confidential documents or source code with the whole world. These applications can be a huge threat when installed in a corporate environment; even if configured correctly, it is impossible to verify the origin or legitimacy of anything downloaded through them, and employees using such an application might unknowingly download malware or even illegal material.

Clearly, patch management and antivirus protection are only the first step in securing a network; a good vulnerability assessment is the next logical move. Networks are dynamic entities that evolve and change constantly. A vulnerability assessment should be set to run continuously and inform the administrator every time a change is detected, to make the utmost of network security protection.

2.3 VA Techniques

Steps for vulnerability assessment/analysis:
a. Defining and classifying network or system resources.
b. Assigning relative levels of importance to the resources.
c. Identifying potential threats to each resource.
d. Developing a strategy to deal with the most serious potential problems first.
e. Defining and implementing ways to minimize the consequences if an attack occurs.

The following are the different types of vulnerability assessment techniques [10]:

1. Active assessments: Active assessments use network scanners to scan the network and identify the hosts, services, and vulnerabilities present in it. Active network scanners can be configured to reduce the intrusiveness of the checks they perform.
2. Passive assessments: Passive assessments sniff the traffic present on the network to identify the working systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently using the network.
3. Host-based assessments: Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line. These assessments check the security of a particular host or server. They are carried out through host-based scanners, which identify system vulnerabilities like incorrect registry and file permissions as well as software configuration errors. Many commercial and open-source scanning tools, such as SecurityExpressions, are used for host-based assessment.
4. Internal assessments: An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities. The following are some of the possible steps in performing an internal assessment:
    a. Specify the open ports and related services on network devices, servers, and systems.
    b. Check the router configurations and firewall rule sets.
    c. List the internal vulnerabilities of the operating system and server.
    d. Scan for Trojans that may be present in the internal environment.
    e. Check the patch levels on the organization's internal network devices, servers, and systems.
    f. Check for the existence of malware, spyware, and virus activity and document them.
    g. Evaluate the physical security.
    h. Identify and review the remote management process and events.
    i. Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares).
    j. Examine the antivirus implementation and events.
5. External assessments: These assessments focus on the externally exposed devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization and determines how secure the external network and firewall are. The following are some of the possible steps in performing an external assessment:
    a. Determine the set of rules for firewall and router configurations for the external network.
    b. Check whether external server devices and network devices are mapped.
    c. Identify open ports and related services on the external network.
    d. Examine patch levels on the server and external network devices.
    e. Review detection systems such as IDS, firewalls, and application-layer protection systems.
    f. Get information on DNS zones.
    g. Scan the external network through a variety of proprietary tools available on the Internet.
    h. Examine Web applications such as e-commerce and shopping cart software for vulnerabilities.
6. Application assessments: An application assessment focuses on transactional Web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including how every element is deployed and how every element communicates with the client and server. Both commercial and open-source tools are used to perform such assessments.
7. Network assessments: Network assessments determine the possible network security attacks that may occur on an organization's systems. These assessments evaluate the organization's systems for vulnerabilities related to the network, such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessments are performed with firewall and network scanners such as Nessus. These scanners find open ports, recognize the services running on those ports, and find vulnerabilities associated with those services. They help organizations determine how vulnerable systems are to Internet and intranet attacks and how an attacker could gain access to important information. A typical network assessment conducts the following tests on a network:
    a. Checks the network topology for inappropriate firewall configuration.
    b. Examines the router filtering rules.
    c. Identifies inappropriately configured database servers.
    d. Tests individual services and protocols such as HTTP, SNMP, and FTP.
    e. Reviews HTML source code for unnecessary information.
    f. Performs bounds checking on variables.

8. Wireless network assessments: In the past, wireless networks were built with weak and basically defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks that were initially deployed are still active and ripe for attack. Wireless network assessments try to attack wireless authentication mechanisms and get unauthorized access. This type of assessment tests wireless networks and also identifies rogue wireless networks that may exist within an organization's perimeter. These assessments are performed on client-specified sites where wireless networks have been installed. They sniff wireless network traffic and try to crack encryption keys. If the network can be accessed, then other network access is tested.

Once analysis has been completed, if security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.

The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

2.4 Vulnerability Scanners

1. Host-based vulnerability scanners: Host-based scanners are useful for servers that run various applications such as those that involve Web, critical file, database, directory, and remote access capabilities. These host-based scanners are able to detect high levels of vulnerabilities and provide the information required to eliminate those vulnerabilities. A host-based vulnerability scanner can find out what type of operating system is running on a particular host's computer and can detect its known vulnerabilities. It also examines general applications and services.
   a. Some of the known host-based vulnerability scanners are: Microsoft Baseline Security Analyzer (MBSA), Altiris SecurityExpressions (commercial), Retina Network Security Scanner.
   b. A database scanner is another example of a host-based vulnerability scanner. It performs detailed security analysis of the authorization, authentication, and integrity of database systems, and can identify any potential security exposures in database systems, ranging from weak passwords and security misconfigurations to Trojan horses. E.g., Scuba by Imperva Database Vulnerability Scanner, Shadow Database Scanner.

2. Application-layer vulnerability scanners: This type of vulnerability scanner is designed to serve the needs of all kinds of operating system types and applications. These tools identify the various resources on a system that pose security threats. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other application-layer vulnerabilities. Application-layer vulnerability scanners are typically directed toward Web servers or database servers.

3. Scope-of-assessment tools: Scope-of-assessment tools provide assessment of security by testing for vulnerabilities in the applications and operating system of a network. These tools provide standard control and a reporting interface that allows users to select a suitable scan type. These tools generate a standard report of the vulnerabilities found during the scan. Some of the scope-of-assessment tools are designed to test a specific application or its type for vulnerability. Application vulnerability scanning can take either or both of two approaches:
   a. Static Code Analysis: If the user owns the application's codebase, the best place to start is with secure coding practices. It is a good idea to have code review as part of the software development process. Static Code Analysis involves more work upfront but results in much more robust applications.
   b. Dynamic Code Analysis is the next step, and it's done by taking a black-box approach to the app and trying to probe it with tools similar to scanners that will perform injections and try to crash or bypass controls in the application. This is an automated process, and there are some inexpensive or free tools from Cenzic, Whitehat and VERACODE, among others, that can do this on a basic level and offer different versions of this type of scan.

4. Depth assessment tools: Depth assessment tools are used to identify previously unknown vulnerabilities in systems. Generally, these tools are used to identify vulnerabilities to an unstable degree of depth. Such types of tools include fuzzers that give arbitrary input to a system's interface. Many of these tools use a set of vulnerability signatures to test whether the product is resistant to a known vulnerability or not and then use variations of those signatures to find unknown vulnerabilities.

5. Active scanners: Active scanners perform vulnerability tests on the networks that use system resources. The main advantage of an active scanner is that the system administrator or IT manager has good control of the timing and degree of vulnerability scans. These scanners should not be used on critical systems because they use system resources, affecting the processing of other tasks.

6. Passive scanners: Passive scanners are those that do not affect system resources considerably, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data, which provides complete information on which processes are running, and then assesses that data against a set of rules.

7. Location/data examination scanners: Some of the location/data examination scanners are:
   a. Network-based scanner: Network-based scanners are those that have interaction only with the machine in which they reside and provide a report only to that same machine after scanning. Different types of network-based scanners include:
      i. Port scanners that determine the list of open network ports in remote systems; e.g., Nmap.
      ii. Web server scanners that assess the possible vulnerabilities (e.g., potentially dangerous files or CGIs) in remote web servers; e.g., Nikto, Wikto.
      iii. Web application scanners that assess the security aspects of web applications (such as cross-site scripting and SQL injection) running on web servers. It should be noted that web application scanners cannot provide comprehensive security checks on every aspect of a target web application. Additional manual checking (such as whether a login account is locked after a number of invalid login attempts) might be needed in order to supplement the testing of web applications. E.g., Paros, Acunetix Web Vulnerability Scanner (commercial).
      iv. Network vulnerability scanners that determine the vulnerabilities of each host in the network. E.g., Nessus, Nexpose, OpenVAS, SAINT (commercial), GFI LANguard Network Security Scanner (N.S.S.) (commercial).
   b. Agent-based scanner: Agent-based scanners reside on a single machine but have the ability to scan a number of machines on the network.
   c. Proxy scanner: Proxy scanners are network-based scanners that have the ability to scan networks from any machine in the network.
   d. Cluster scanner: Cluster scanners are similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.

The Limitations of Vulnerability Scanners

With all these strong points, vulnerability scanners also have limitations. These drawbacks of vulnerability scanners are:
1. A vulnerability scanner can only assess a "snapshot of time" in terms of a system or network's security status. Therefore, scanning needs to be conducted regularly, as new vulnerabilities can emerge, or system configuration changes can introduce new security holes.
2. Vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. They cannot determine whether the response is a false negative or a false positive. (Regarding vulnerability scanning, a "false negative" is the failure to recognize the existence of a flaw in the system or network under assessment, whereas a "false positive" is the incorrect determination of the presence of a vulnerability. The former might be due to missing plug-ins in a scanner database, while the latter requires human judgment to confirm.) Human judgment is always needed in analyzing the data after the scanning process.
3. A vulnerability scanner is designed to discover known vulnerabilities only. It cannot identify other security threats, such as those related to physical, operational or procedural issues.
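The following is an added illustration, not code from the thesis nor from Nessus, OpenVAS or any other product named here. It ties together three points from this chapter in one miniature network-based scanner: the port/service recognition that port scanners such as Nmap perform (item 7a above) and that the Nessus case study later calls "smart service recognition" (the service is decided from the banner, not from the IANA port number); plug-in-driven detection, where a flaw with no installed plug-in is simply not reported (limitation 2, the false negative); and the "snapshot of time" problem (limitation 1), handled by diffing two scan results. All hosts, banners, product names (ExampleFTPd, ExampleSSH) and plug-in identifiers (EX-0001, EX-0002) are constructed sample data, and the end-to-end demo only talks to a throwaway listener on 127.0.0.1 that the script starts itself.

```python
"""Miniature network-based scanner: banner-driven service recognition,
plug-in matching and snapshot diffing.  Added illustration; every host,
banner, product name and plug-in id is constructed sample data."""
import re
import socket
import threading
from dataclasses import dataclass

# (1) Service recognition by banner.  The port is only a hint: an FTP
# daemon listening on 2121 is still FTP because of what it says.
BANNER_SIGNATURES = [
    ("ftp",  re.compile(rb"^220[ -].*ftp", re.I)),
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^220[ -].*e?smtp", re.I)),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
]


def classify_banner(banner: bytes) -> str:
    """Return the service name for a banner, or 'unknown' if nothing matches."""
    for name, pattern in BANNER_SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and let the listener speak first; if it stays silent (as HTTP
    does), send a harmless HEAD request and read the status line instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            try:
                sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = sock.recv(256)
            except (socket.timeout, OSError):
                data = b""
    return data


# (2) Plug-ins: one signature per known flaw.  A flaw with no plug-in is
# invisible to the scanner (the false negative of limitation 2 above).
@dataclass(frozen=True)
class Plugin:
    plugin_id: str        # constructed id, not a real Nessus/OpenVAS plug-in number
    name: str
    service: str          # applied only to hosts recognised as this service
    affected: re.Pattern  # matches the banner of an affected version


PLUGINS = [
    Plugin("EX-0001", "ExampleFTPd 1.x: anonymous upload enabled", "ftp",
           re.compile(rb"ExampleFTPd 1\.\d")),
    Plugin("EX-0002", "ExampleSSH 2.0: weak host key", "ssh",
           re.compile(rb"ExampleSSH_2\.0")),
    # Deliberately no plug-in for ExampleFTPd 2.x: a flaw there goes unreported.
]


def scan_inventory(inventory: dict, plugins=PLUGINS) -> set:
    """inventory maps (host, port) -> banner.  Returns {(host, port, plugin_id)}."""
    findings = set()
    for (host, port), banner in inventory.items():
        service = classify_banner(banner)
        for plugin in plugins:
            if plugin.service == service and plugin.affected.search(banner):
                findings.add((host, port, plugin.plugin_id))
    return findings


# (3) Each scan is a snapshot; comparing two shows what changed in between.
def diff_snapshots(old: set, new: set) -> dict:
    return {"new": new - old, "fixed": old - new}


def _serve_banner(banner: bytes) -> int:
    """One-shot TCP listener on 127.0.0.1 that sends `banner`; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free, non-standard port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo_local_scan():
    """End to end on localhost: an FTP-style listener on a random high port is
    recognised as ftp by its banner and matched by plug-in EX-0001."""
    port = _serve_banner(b"220 ExampleFTPd 1.4 ready\r\n")
    banner = grab_banner("127.0.0.1", port)
    findings = scan_inventory({("127.0.0.1", port): banner})
    return classify_banner(banner), {f[2] for f in findings}
```

Running `demo_local_scan()` returns `("ftp", {"EX-0001"})`. Changing the served banner to an ExampleFTPd 2.x version produces no finding at all, which is exactly the plug-in coverage limitation the list above describes: the scanner has nothing to say about a version it has no signature for, and only a human reviewing the raw banners would notice. Feeding `scan_inventory` two inventories taken at different times and passing the results to `diff_snapshots` gives the "new" and "fixed" sets that regular re-scanning is meant to surface.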

In addition, many vulnerability scanners rely on plug-ins to determine potential vulnerabilities. Plug-ins are part of the knowledge database (or scan database) of the vulnerabilities that the scanner is capable of detecting. These databases may be named differently (such as "Scanning Profile") in different scanner products, but the term plug-ins will be preferred here. The finite number of plug-ins can be another drawback of vulnerability scanners. A scanner can only check for those vulnerabilities that it knows, by cross-checking against the presence of the corresponding installed plug-in set. It cannot identify those vulnerabilities that don't have a plug-in. Not all scanners need plug-ins. For example, port scanners do not need any plug-ins as they just scan a target range of ports.

2.5 Case Study

Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several vulnerability assessment tools available, including port scanners, vulnerability scanners, and OS vulnerability assessment scanners. The right tools have to be chosen based on the test requirements. These tools are able to test from dozens to thousands of different vulnerabilities, depending on the product. The selected tool should have a sound database of vulnerabilities and attack signatures that are updated frequently. The testing team should choose a tool that matches the organization's environment and personnel expertise. The team should also find out how many reports are produced, what information they contain, and whether the reports can be exported. The following criteria should be followed at the time of using or purchasing any vulnerability assessment tool:
1. Types of vulnerabilities discovered: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.
2. Testing the capability of scanning: The vulnerability assessment tool must have the capability to execute the entire selected test and must scan all the systems selected for scanning.
3. Ability to provide an accurate report: The ability to prepare an accurate report is essential. Vulnerability reports should be short and clear and should provide methods for mitigating discovered vulnerabilities.
4. Functionality for writing own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows user-developed tests to be used.
5. Ability to schedule tests: It is important to be able to schedule tests, as it allows the test team to perform scanning when traffic on the network is light.

Depending upon these criteria, three vulnerability assessment tools are selected for study: Nessus, OpenVAS and Nexpose.

Nessus

Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems. It was initially free and open source, but they closed the source code in 2005 and removed the free "Registered Feed" version in It now costs $1,200 per year, which still beats many of its competitors. A free Home Feed is also available, though it is limited and only licensed for home network use. Nessus is a client-server based vulnerability scanner. It provides a powerful, up-to-date and easy-to-use remote security scanner for business-critical enterprise devices and applications. Nessus servers, placed at strategic points on the network, scan a target computer for open ports and known vulnerabilities, and report to the Nessus client. The following are the major features of Nessus [11]:
1. Up-to-date security vulnerability database.
2. Remote and local security
   a. Traditional network security scanners tend to focus solely on the services listening on the network.
   b. Nessus has the ability to detect not only remote flaws in hosts on the network but also their local flaws and missing patches, whether they are running Windows, Mac OS X, or a Unix-like operating system.
3. Scalable
   a. Nessus has been built so that it can easily scale from a single-CPU computer with low memory to a quad-CPU computer with gigabytes of RAM.
   b. The more power given to Nessus, the quicker it will scan the network.
4. Plug-ins
   a. Each security test is written as an external plug-in written in NASL.
   b. Each NASL plug-in can be read and modified, to better understand the results of a Nessus report.

5. NASL
   a. The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly.
   b. NASL plug-ins run in a contained environment on top of a virtual machine, thus making Nessus an extremely secure scanner.
6. Smart service recognition
   a. Nessus does not assume that the target hosts will respect the IANA-assigned port numbers.
   b. Nessus will recognize an FTP server running on a non-standard port or a Web server running on port
7. Multiple services
   a. If a host runs the same service more than once, Nessus will test all instances.
8. Nondestructive or thorough
   a. Nessus can either perform a regular nondestructive security audit on a routine basis or throw everything it can at a remote host to see how well it withstands attack from intruders.

OpenVAS

OpenVAS is a vulnerability scanner that was forked from the last free version of Nessus after Nessus went proprietary in It continues to grow, with more than 23,000 tests as of November OpenVAS plug-ins are written in the same NASL language used by Nessus. OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013). All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL). Some major features of OpenVAS [12]:
1. OpenVAS can be quite network intensive. Even though the OpenVAS developers have taken every effort to avoid packet loss (including transparently resending UDP packets, waiting for data to be received in TCP connections, etc.), bandwidth use should always be closely monitored; with current server hardware, bandwidth is usually the bottleneck in an OpenVAS scan. It might not become too apparent in the final reports: scanners will still run, holes might be


More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS DECEMBER 2008 CPNI would like to acknowledge and thank NCC for their help in the preparation of this report. Disclaimer: Reference to any specific

More information

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By

More information

A Network Administrator s Guide to Web App Security

A Network Administrator s Guide to Web App Security A Network Administrator s Guide to Web App Security Speaker: Orion Cassetto, Product Marketing Manager, Incapsula Moderator: Rich Nass, OpenSystems Media Agenda Housekeeping Presentation Questions and

More information

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference... NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

The Nexpose Expert System

The Nexpose Expert System Technical Paper The Nexpose Expert System Using an Expert System for Deeper Vulnerability Scanning Executive Summary This paper explains how Rapid7 Nexpose uses an expert system to achieve better results

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

Understanding Security Testing

Understanding Security Testing Understanding Security Testing Choosing between vulnerability assessments and penetration testing need not be confusing or onerous. Arian Eigen Heald, M.A., Ms.IA., CNE, CISA, CISSP I. Introduction Many

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Federated Network Security Administration Framework

Federated Network Security Administration Framework Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 3, March 2013,

More information

IT Compliance Volume II

IT Compliance Volume II The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Security Products Must Be Secure by Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI April 2007 Software Vulnerabilities in the

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur Demystifying Penetration Testing for the Enterprise Presented by Pravesh Gaonjur Pravesh Gaonjur Founder and Executive Director of TYLERS Information Security Consultant Certified Ethical Hacker (CEHv8Beta)

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Managed Security Services

Managed Security Services Managed Security Services 1 Table of Contents Possible Security Threats 3 ZSL s Security Services Model 4 Managed Security 4 Monitored Security 5 Self- Service Security 5 Professional Services 5 ZSL s

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

IBM Managed Security Services Vulnerability Scanning:

IBM Managed Security Services Vulnerability Scanning: IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2

More information

System Security Policy Management: Advanced Audit Tasks

System Security Policy Management: Advanced Audit Tasks System Security Policy Management: Advanced Audit Tasks White Paper October 6, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

Security Considerations White Paper for Cisco Smart Storage 1

Security Considerations White Paper for Cisco Smart Storage 1 Security Considerations White Paper for Cisco Smart Storage An open network is like a bank s vault with windows Bill Thomson Network-Attached Storage (NAS) is a relatively simple and inexpensive way to

More information

April 11, 2011. (Revision 2)

April 11, 2011. (Revision 2) Passive Vulnerability Scanning Overview April 11, 2011 (Revision 2) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

On the Deficiencies of Active Network Discovery Systems

On the Deficiencies of Active Network Discovery Systems On the Deficiencies of Active Network Discovery Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Protecting Critical Infrastructure

Protecting Critical Infrastructure Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

FIREWALL POLICY November 2006 TNS POL - 008

FIREWALL POLICY November 2006 TNS POL - 008 FIREWALL POLICY November 2006 TNS POL - 008 Introduction Network Security Services (NSS), a department of Technology and Network Services, operates a firewall to enhance security between the Internet and

More information

Student Tech Security Training. ITS Security Office

Student Tech Security Training. ITS Security Office Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

locuz.com Professional Services Security Audit Services

locuz.com Professional Services Security Audit Services locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1 Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak CR V4.1 Version 1.0 Eastman Kodak Company, Health Imaging Group Page 1 Table of Contents Table of Contents

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security 560.2. Sans Mentor: Daryl Fallin

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security 560.2. Sans Mentor: Daryl Fallin Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing SANS Security 560.2 Sans Mentor: Daryl Fallin http://www.sans.org/info/55868 Copyright 2010, All Rights Reserved Version 4Q10

More information

Enterprise Computing Solutions

Enterprise Computing Solutions Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company

More information

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration

More information