Vulnerability scanners


Author: Johan Nilsson
Supervisor: Vesa Virta

Master of Science Thesis
Department of Computer and Systems Sciences
Royal Institute of Technology

Abstract

Computer networks are used by organisations and companies as a carrier of communication and services. Disruption of the network service can severely harm the organisation. A vulnerability scanner can find weaknesses in a computer network before a potential attacker does. It scans the network for vulnerabilities by testing for known weaknesses and by gathering information about the different entities active in the network. From the testing and information gathering it draws conclusions and reports the vulnerabilities it found in the network. If the scanner misses some vulnerabilities and the administrator of the network concludes that the network is secure enough, the impact on the organisation or company can be severe.

This thesis tries to find out to what extent a vulnerability scanner can be trusted. It starts by defining the theoretical requirements for a secure network. With that foundation in place it moves on to explain common network vulnerabilities that threaten computer networks. Network security testing is an activity that consists of several techniques and tools for simulating possible attacks; the vulnerability scanner is one tool that can be used during such a test. Four vulnerability scanners have been run against a laboratory network. On the same network a penetration test has been conducted to find out which security holes can be used to gain access to the systems. The comparison between the findings of the vulnerability scanners and the vulnerabilities found and exploited in the penetration test indicates to what extent the vulnerability scanners can be trusted.

The results show that the scanners miss severe vulnerabilities or give them a low priority, even though these vulnerabilities were used to gain access to an entity in the network. Vulnerability scanners work with the best intentions but are far too unreliable to be trusted as a stand-alone security tool.

Acknowledgement

I would first and foremost like to thank my mentor, Vesa Virta at FRA, for his great support and interest in this thesis. I would also like to thank the co-workers at FRA for welcoming me and sharing their knowledge. Last but not least, thank you, family and friends, for inspiration and support.

Stockholm, May 2006
Johan Nilsson

Table of Contents

Chapter 1 Introduction
    1.1 Introduction
    1.2 Research question
    1.3 Purpose of thesis
    1.4 Audience
    1.5 Methodology
    1.6 Limitations
    1.7 Thesis structure
Chapter 2 Research methodology
Chapter 3 Vulnerabilities
    3.1 Vulnerability assessment
    3.2 Assessments in practice
Chapter 4 The secure network
    4.1 The secure network
    4.2 The survivable system
    4.3 Characteristics of a survivable system
    4.4 Organising a network
Chapter 5 Common network vulnerabilities
    5.1 Buffer overflow
    Router and firewall weaknesses
    Web server exploits
    Mail server exploits
    DNS server
    Database exploits
    User and file management
    Manufacturer default accounts
    Blank or weak passwords
    Unneeded services
    Information leaks
    Denial of service
Chapter 6 Network security testing
    Password cracking
    Log reviews
    File integrity checkers
    Virus detectors
    War dialling
    Wireless LAN testing
    Penetration testing
Chapter 7 Scanners
    Port scanners
    Application scanners
    Vulnerability scanners
    OS fingerprinting
    Active IP packet fingerprinting
    Identifying vulnerabilities
    Reports of vulnerabilities
    False positives

Chapter 8 Tested scanners
    The scanners used
    Nessus
    Retina
    Netrecon
    ISS
Chapter 9 Testing the network
    Penetration testing of the laboratory network
    The penetration test
    Vulnerability scanners vs. the penetration test
    RPCBIND
    The use of finger and SSH
    DCOM
    Finding the SSH service on a high port number
    Reverse lookup
    Web services running
    Additional vulnerabilities
    LSASS.EXE
    SQL preauthentication
    IIS .printer
    Summary: vulnerability scanners vs. penetration test
Chapter 10 Conclusion
Bibliography
Appendix A: Policies for the network
Appendix B: Foot printing a network
Appendix C: Why patching
    Risks with updates
    CVE (Common Vulnerabilities and Exposures)

Table of Figures
    Figure 1  Method used in the thesis
    Figure 2  Survivability strategies: key properties of the survivable network
    Figure 3  Example network: network topology for reference
    Figure 4  Model for network security testing
    Figure 5  Nessus scanner
    Figure 6  Retina audit scan process
    Figure 7  Retina scanner
    Figure 8  Netrecon scanner
    Figure 9  ISS scanner
    Figure 10 The laboratory network
    Figure 11 The laboratory network after the penetration test

Index of Tables
    Table 1  Unneeded services: services often run in networks although they are not needed
    Table 2  Summary of scanners vs. penetration test

Chapter 1 Introduction

1.1 Introduction

Network administrators try to keep their networks secure from both inside and outside threats. From the outside there is always the possibility of someone using a flaw in the network to gain access. On the inside there are the users who, although they have legitimate access to parts of the network or to some of the information held in the systems, are able to cause all sorts of problems for the network administrator. In a perfect world the network administrator has total control over the network: he knows exactly which machines are running, and all of them are patched with the latest updates. That is the perfect world. In reality network administrators are often struggling with patches or software updates that cannot be applied because of the configuration of the network. There are machines that were set up for testing and then forgotten, or machines that have been moved and forgotten. These machines also need maintenance; otherwise they constitute a major security threat. [4]

When trying to find vulnerabilities in the network of a company or organisation, a vulnerability scanner can be used. Depending on the tool chosen it will be able to scan different platforms or services in a network, but the basic idea is that it scans the ports of the target system and, from an evaluation of the information gathered, makes certain assumptions about how secure the system is. As with all computer software, programs of this type can make mistakes: to what extent can their output be trusted? Do vulnerability scanners miss anything? How should they be used to help in securing the network? If the scanner misses a vulnerability and the administrator concludes that everything in the network is secure, the impact could be severe. A known problem with vulnerability scanners is that they produce both false positives (reported vulnerabilities that do not exist) and false negatives (existing vulnerabilities that go unreported). The possibility of this makes scanning the network a job only for those with proper training and knowledge of the scanned network. [1]

During the work on this thesis four vulnerability scanners are tested in a computer laboratory simulating a computer network. Penetration testing against the laboratory network is conducted, and the output from these tests is compared with the findings of the vulnerability scanners and discussed.

1.2 Research question

To what extent can the result of a vulnerability scanner be trusted, and to what extent can it be used by a network administrator?

1.3 Purpose of thesis

Vulnerability scanners present a summary of a computer network's security level. If that information is incorrect, the whole system can be compromised and information can be lost. By conducting laboratory experiments with vulnerability scanners, the thesis tries to estimate to what extent vulnerability scanners can be used and trusted in the work of securing a computer network.

1.4 Audience

IT managers and network administrators considering purchasing and using network scanners to secure their networks may get indications of what limitations and workload these kinds of tools entail.

1.5 Methodology

In order to understand the underlying technology and the purpose for which vulnerability scanners exist, a literature review has been done. The review is focused on four topics: the survivable system, practical demands on networks, common vulnerabilities and network testing. This framework gives an understanding of the environment and of the demands placed on vulnerability scanners. A case study is conducted by running four vulnerability scanners against a laboratory network. The laboratory network is then penetration tested to establish which vulnerabilities are actually present. The results from the vulnerability scanners are then compared with the vulnerabilities found in the penetration test. Chapter 2 outlines the methodology more thoroughly.

1.6 Limitations

Because of the time available for the thesis, the number of scanners tested is limited. The scanners used were chosen on the basis that they should be able to scan different platforms and applications common in computer networks. They should also be either world leading in number of users, award winning, or developed by a world leading company. This case study is conducted in the autumn of

When scanning the laboratory environment, so much information and so many vulnerabilities were generated from each scan that the investigation had to be limited to known vulnerabilities present in the environment.

1.7 Thesis structure

Chapter 2, Research methodology: clarifies the methodology of the case study.
Chapter 3, Vulnerabilities: explains the concept of a vulnerability and how it can be found.
Chapter 4, The secure network: describes the theoretical background of both the secure network and the survivable system, and how these requirements can be fulfilled both technically and with policies when creating a new network.
Chapter 5, Common network vulnerabilities: explains some common vulnerabilities inside computer networks.
Chapter 6, Network security testing: explains the concept of network security testing and the most common techniques used.
Chapter 7, Scanners: presents scanners in general and vulnerability scanners in particular.
Chapter 8, Scanners used: presents the vulnerability scanners that were used in the case study.
Chapter 9, Testing the network: a penetration test of the laboratory network is conducted, and the findings of the scanners are compared with the vulnerabilities used in the penetration test.
Chapter 10, Conclusions.
Bibliography.
Appendix A, Policies for the network.
Appendix B, Foot printing a network.
Appendix C, Why patching.

Chapter 2 Research Methodology

This thesis is a case study of vulnerability scanners, with the purpose of finding out to what extent these tools can be used and trusted with the work of testing a computer network for vulnerabilities. To answer the question an inductive approach with qualitative observations has been used. With an inductive approach the researcher collects empirical data that are compiled into a theory. Had a deductive approach been chosen, there would have to be an existing theory to reject or confirm; no such theory has been found. The case study evaluates to what extent the findings of a vulnerability scanner can be trusted: each qualitative observation, a piece of technical data from the laboratory network, is evaluated as either correct or false. An inductive approach to the findings of the vulnerability scanners is therefore the natural choice.

To define a secure network, and so the goal a vulnerability scanner works towards, the requirements for a survivable system have to be defined, both theoretically and practically. With the foundation of a survivable network laid, the thesis moves on to explain the common network vulnerabilities that threaten computer networks. There are different methodologies and technologies for meeting the different threats to a computer network; the vulnerability scanner is one of them. In the network security part of the thesis the author explains where this tool fits in and what it tries to accomplish among the other tools that are used to secure computer networks.

A laboratory network has been used as a test environment during the writing of this thesis. A penetration test has been conducted on the laboratory network to find out what vulnerabilities the network has and how they can be used by a real hacker. Penetration testing is a methodology used to estimate how secure a network is and how it can be compromised by a hacker. By comparing the vulnerabilities that the vulnerability scanners find in the laboratory network with the results of the penetration test, conclusions can be drawn about the accuracy of the scanners. The workflow described above is also shown in Figure 1.

Figure 1 Method used in the thesis. (The figure shows the workflow: Theoretical background, consisting of the literature study on vulnerability assessment, the secure network in theory, the secure network in practice, network vulnerabilities, network security testing and scanners; followed by Testing the network, consisting of the penetration test and the testing of vulnerability scanners; followed by Conclusions.)

The author has set up certain criteria to define a successful run with a vulnerability scanner. These criteria were stated as a result of the literature study. Each vulnerability scanner makes a test round in the laboratory, and the following criteria should be met:

    Did the scanner find all hosts?
    Did the scanner find all open ports?
    Did the scanner identify each service correctly?
    Are the reported problems explained in a way that clearly describes them?

After each scanner review the laboratory network is rebooted and re-initialised to make sure that nothing has crashed during the last run. Additional manual penetration testing is done on the laboratory network to see which vulnerabilities can be exploited. The findings from the penetration testing are compared with the output from the scanners and analysed. Known issues and problems of scanners are then analysed, and conclusions are drawn from the testing and from the discussion of the common errors.

The results of this study cannot be reproduced with exactly the same findings unless the scanning and penetration testing are conducted on the same laboratory network as in this work. The author nevertheless anticipates that the findings of this thesis point to the accuracy of the scanners in a way that carries over to networks in general.
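The comparison the methodology describes, scanner output against the penetration test as ground truth, scored on the criteria above (hosts found, open ports found, services identified, problems reported) plus false negatives, false positives and underrated findings, written out as an added example. This is not code from the thesis; the addresses, service names, finding names and severities below are constructed for the illustration and are not the thesis's laboratory network or its chapter 9 results.

```python
"""Score a vulnerability scanner's report against penetration-test ground truth.

Added example, not part of the thesis. The addresses, services and finding
names are constructed sample data, not the thesis's laboratory network.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Report:
    """What one party (a scanner, or the penetration tester) observed."""
    hosts: set          # addresses found alive
    services: dict      # (host, proto, port) -> service name identified on that port
    findings: dict      # (host, finding name) -> severity assigned ("low"/"medium"/"high")


def compare(truth: Report, scan: Report) -> dict:
    """Return what the scanner missed, invented or underrated relative to the ground truth.

    The penetration test is the ground truth: every finding in it was actually
    exploited, so a finding the scanner omits is a false negative, and one it
    rates below the tester's severity is underrated.
    """
    common_ports = truth.services.keys() & scan.services.keys()
    common_findings = truth.findings.keys() & scan.findings.keys()
    return {
        "missed_hosts": truth.hosts - scan.hosts,
        "phantom_hosts": scan.hosts - truth.hosts,
        "missed_ports": truth.services.keys() - scan.services.keys(),
        "misidentified_services": {
            k: (truth.services[k], scan.services[k])
            for k in common_ports if truth.services[k] != scan.services[k]
        },
        "false_negatives": truth.findings.keys() - scan.findings.keys(),
        "false_positives": scan.findings.keys() - truth.findings.keys(),
        "underrated": {
            k: (truth.findings[k], scan.findings[k])
            for k in common_findings
            if SEVERITY_RANK[scan.findings[k]] < SEVERITY_RANK[truth.findings[k]]
        },
    }


def trusted_fraction(truth: Report, scan: Report) -> float:
    """Share of exploited findings the scanner reported at (at least) the right severity."""
    if not truth.findings:
        return 1.0
    result = compare(truth, scan)
    wrong = len(result["false_negatives"]) + len(result["underrated"])
    return (len(truth.findings) - wrong) / len(truth.findings)


# Constructed ground truth: what the penetration tester found and exploited.
PENTEST = Report(
    hosts={"10.0.0.10", "10.0.0.11", "10.0.0.12"},
    services={
        ("10.0.0.10", "tcp", 22): "ssh",
        ("10.0.0.10", "tcp", 111): "rpcbind",
        ("10.0.0.11", "tcp", 80): "http",
        ("10.0.0.11", "tcp", 2222): "ssh",        # ssh moved to a high port
        ("10.0.0.12", "tcp", 135): "msrpc",
    },
    findings={
        ("10.0.0.10", "weak-password"): "high",          # used to log in
        ("10.0.0.11", "ssh-on-high-port"): "medium",
        ("10.0.0.12", "unpatched-rpc-service"): "high",  # used to gain a shell
    },
)

# Constructed scanner report for the same network.
SCANNER = Report(
    hosts={"10.0.0.10", "10.0.0.11"},                    # never saw 10.0.0.12
    services={
        ("10.0.0.10", "tcp", 22): "ssh",
        ("10.0.0.10", "tcp", 111): "rpcbind",
        ("10.0.0.11", "tcp", 80): "http",
        ("10.0.0.11", "tcp", 2222): "unknown",           # did not recognise ssh there
    },
    findings={
        ("10.0.0.10", "weak-password"): "low",           # reported, but underrated
        ("10.0.0.11", "http-server-banner"): "low",      # not exploitable: false positive
    },
)

if __name__ == "__main__":
    for key, value in compare(PENTEST, SCANNER).items():
        print(f"{key}: {value}")
    print("trusted fraction:", trusted_fraction(PENTEST, SCANNER))
```

With the constructed data the scanner misses one host and therefore its open port, fails to identify the relocated SSH service, misses two of the three exploited findings and rates the third low, so `trusted_fraction` is 0.0; that is the shape of result the thesis's own comparison in chapter 9 is built to expose. A real run would fill the two `Report` objects from the scanner's export and the tester's notes instead of literals.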

Chapter 3 Vulnerabilities

A vulnerability is any known weakness in a system that could potentially be exploited by malicious software or by a hacker. [1, p. 489]

3.1 Vulnerability assessment

When the term vulnerability assessment is used in the context of vulnerability scanners, it means the process of finding known vulnerabilities in a network. This process identifies vulnerabilities so that they can be eliminated before they are exploited by malicious software or hackers. In most cases the vulnerabilities are known and can therefore be found. The vulnerabilities that constitute threats in a network include software defects, unnecessary services, misconfigurations and unsecured accounts. [2]

The vulnerability scanner works with a proactive approach: it finds vulnerabilities, hopefully, before they have been used. There is, however, the possibility that a vulnerability unknown to the public is present in the system. A program that takes advantage of an unknown vulnerability is called a zero-day exploit. A zero-day exploit is unknown to security professionals, which means that information about the exploit is not publicly available [31]. A reactive approach is used by, for example, an IPS (Intrusion Prevention System): it reacts when the harm is being done, but it is considered better to prevent than to cure. [2]

A vulnerability assessment can be described as a systematic examination of networks to determine adequate security measures, identify security deficiencies and provide data from which to predict the effectiveness of proposed security measures after implementation. [3]

A vulnerability assessment starts with a device discovery that maps the network. This is a very important step of an assessment. If the administrator is not aware of which devices are running on the network, it is possible that these devices are not updated and secured the way they should be, and they therefore constitute a vulnerability to the network. A vulnerability assessment can also be used as an inventory of the systems on the network and the services they provide. Selected information about the network can easily be collected, and the reports help in reviewing changes in the network.

3.2 Assessments in practice

In assessments of networks, methods like vulnerability scanning and penetration tests are used to measure the technical aspects of network security. A penetration test can be described as a security test in which the security evaluators attempt to circumvent the implemented security features. The purpose of the penetration test is to identify ways to use tools, techniques and vulnerabilities to gain access to the network. Penetration testing, however, does not give a complete picture of the security of a network. Network security is a complex business: just because you lock the door doesn't mean an intruder cannot use a window to get in, and web-enabled and client/server architectures have created many windows. Vulnerability assessment, penetration testing and the other techniques described later in this thesis are used to make the assessment the way a real hacker would. It is a way of learning how an intruder may work and what can be done to defend against an attack. [4]

A large part of the commercial security industry is concerned with identifying risks, especially those created by software vulnerabilities. When the risk assessment is completed and the vulnerabilities are found, patching is done. This methodology is called penetrate and patch. [4]

Stewart [4] argues that there has been an over-reliance on firewalls, encryption and other perimeter protection, and consequently a neglect of the security of the internal systems. He also states that many security companies offer free security assessments because there will always be some vulnerabilities present, and the customers will then be persuaded to invest in additional security measures. These security assessments often "... consider direct risks and not indirect risks" [4, p. 367]. Indirect risks are harder to pinpoint than direct risks, since they only emerge when, for instance, business processes are analysed. Direct risks surface when a network is scanned and software vulnerabilities are found. For the security market these vulnerabilities are easier to explain to the customer and therefore easier to turn into commercial gain. Direct risks also need to be fixed, but the threats that remain to an organisation or company may be the indirect risks and structural security vulnerabilities [4, p. 367]. When talking about risk, fear is a great motivating factor. Companies that make vulnerability assessments or vulnerability scanners can highlight vulnerabilities from the assessment and present themselves as the solution, thus avoiding the root cause of the problem.

Chapter 4 The Secure Network

4.1 The secure network

Security services for a network are often classified under the CIA triad:

    Confidentiality
    Integrity
    Availability

All security efforts are distilled into these three areas, which are the foundation of information security. The triad represents the goal of all security efforts; each of the three requires different tools and methods and protects different areas or types of information in a computer network [5].

Confidentiality means that the information in a network needs to be protected from unauthorised disclosure. The service can also be used to protect the computer network from traffic flow analysis [6]. Employing the following security measures can enhance the confidentiality of data in a network [7]:

    Network security protocols
    Network authentication services
    Data encryption services

Integrity means ensuring that the information received has not been modified in an unauthorised, unanticipated or unintentional way [6]. Several techniques exist for ensuring this service:

    Non-repudiation of message source
    Communications security
    Intrusion detection systems

Availability: different attacks can make distributed networks unavailable or disrupt the service [6]. Availability security services ensure that data is available when required; the security work here is mostly concentrated on denial of service attacks. Some techniques are [7]:

    Fault tolerance of disks, systems and backups
    Acceptable login and process performance
    Firewall systems
    Reliable and functional security processes and mechanisms

Some literature [6] adds the following concepts to the CIA triad:

    Authentication: both sender and receiver must be able to verify that the information received is from the source it claims to be from.
    Accountability, synonymous with non-repudiation: this service makes sure that the sender or receiver of a message cannot deny having sent or received a transmitted message.
    Access control: it is important to be able to limit and control access to a network [6].

4.2 The survivable system

For a computer network to maintain service and provide an organisation with useful ways of communicating, a couple of theoretical demands can be stated. Computer networks give organisations and companies the possibility of maintaining a highly distributed organisation. But with the possibilities comes the downside: elevated risks of intrusion and compromise. Incorporating survivability into an organisation's systems can mitigate these risks. Survivability is a concept that comes from several fields of study (e.g., security, fault tolerance, safety, reliability, reuse, performance, verification and testing) and introduces new concepts and principles. Survivability focuses on preserving essential services even when systems are penetrated and compromised. [8] "Survivability should be integrated and treated on a par with other system properties, to develop systems with required functionality and performance that can also withstand failures and compromises." [8, p. 1] The first objective of a survivable system is to continue to deliver essential service in the case of attack, failure or accident. The terms attack, failure and accident all describe potentially damaging events. [8]

4.3 Characteristics of a survivable system

A network system must have the capability to survive attacks, failures and accidents. The levels of confidentiality, integrity and availability in the system must be maintained. But the level of survival required, and what it means to maintain essential services, differ depending on the service that the network provides. In a financial system, for instance, survival is measured by how easily essential services such as stock trading or banking services are disrupted. The essential services are the minimum functions that must be maintained when the environment is hostile or when failures and accidents threaten the system. According to Anderson et al. [32], Figure 2, there are four key properties of survivability strategies: resistance, recognition, recovery and adaptation.

Figure 2 Survivability strategies [32, Anderson et al., p. 7]

Resistance to attacks consists of strategies that make an attack so time- and money-consuming that it is not worth the effort. With strong authentication and access control, such as strong passwords and access controls that can grant or deny users, the system can resist attacks. Encryption is useful in many ways; as an example it can be used in access controls and for securing stored data. Message filtering can be used to block messages to unsupported or unwanted services and messages with an internal source address arriving from outside the network; messages associated with known attacks can also be filtered. Survivability wrappers help the operating system to sort out messages and redirect attacks. By using different kinds of operating systems within a system the vulnerability may decrease. Functional isolation helps against attacks, particularly denial of service attacks. Different services might share the same central processing unit, memory or network adapters; by isolating services like processing from sensitive data files on the same server the threat to the system can be decreased. [8]

Recognition of attacks and damage is done by intrusion detection systems (IDS). They recognise typical attack patterns or use a baseline model of normal behaviour. Integrity checkers are used to detect intrusions that modify system files. [8]

Recovery from an attack and limiting the damage are essential for a system's survival. It is important to have a plan for this before disaster strikes. In day-to-day work it is also necessary to take system backups so that there are data and information to restore. With replicated databases, for instance, data can be stored and kept intact. Redundant components can be used to maintain essential services while the network is under attack. [8]

Adaptation and evolution of service requirements are important, since new vulnerabilities are constantly discovered even in otherwise static environments; the adaptation of a system's ability to resist, recognise and recover from intrusion attempts is essential. An example of a system's adaptation could be an infrastructure that enables the system to update itself with the latest fixes against newly discovered vulnerabilities. Reports of known intruder activity, information used in intrusion detection systems and fetched from a central information resource, could also be part of the adaptation service. [8] As with the other requirements, resistance, recognition and recovery, the evolution of a network's ability to adapt is crucial for a network system's survival. [8]

For organisations and companies the network is used as a carrier of communication and services. It is common for companies to have a decentralised structure, and the network is a vital resource that must work, since disruption of services could severely harm the organisation. [8] A new network infrastructure should be planned for both optimal use and future development. Many networks today have problems because they were planned only for a certain number of users and services at the time of implementation, and the development of the network was not considered. Another goal when planning a new network is that it should be secure, scalable and provide an environment that users and administrators can use and benefit from. Scalable features are important for managing the network easily with updates and other new features, a kind of divide and conquer strategy, and also for dividing the services easily to improve the security of the network. [8]

4.4 Organising a network

The theoretical demands for the survival of a computer network, resistance, recognition, recovery and adaptation, have been clarified. The thesis now turns these theoretical demands into practical requirements on the computer network. By creating a network that is well planned, the risk of incidents is minimised [10]. The goal is to create a network that is secure, scalable and that the administrators and users are comfortable with. A sample network can consist of the following parts:

    Communication equipment, like:
        Switches
        Routers
        Firewalls
    Network-based services, like:
        DNS servers
        SMTP servers
        Mail servers

Besides the strictly technical parts of the network, a number of policies must be considered and created to get an easily managed and survivable network (these network policies can be viewed in Appendix A).

21 Figure 3 Example of a network to use as reference [10, SITIC, FR04-04] Figure 3 is an example of a network topology for reference. A DMZ (Demilitarized Zone) segment of the network is in place 2. Notice the possibility to cut off some communication to reassure the possibility of maintaining service if an attack occurs. As mentioned in characteristics of a survivable system, different organisations have different threat profiles. SITIC [10] suggests that a threat and vulnerability profile should be made for each organisation and that the outcome of the profile is taken into consideration when planning a new network. Some possible scenarios can be planned for, like the occurrence of an attack or intrusion. Below are some risks for a computer network described and some possible remedies suggested by SITIC [10]: What connections to the Internet exists, are there any unauthorised openings, such as: 2 A DMZ is specified in Appendix A 15

- Modems connected to a host, allowing traffic into the network without passing through a firewall.
- Lab networks. According to SITIC these are often not secured well enough and might constitute a threat.
- VPN networks (Virtual Private Networks) between the office and an employee working from home. If the home user's machine can be compromised, an attacker might establish an authorised connection. Therefore the policy for users working outside the network must be thoroughly defined.
- The Internet Service Provider (ISP) security policy must be considered, so that a connection for the network is ensured.
- Do the hosts within the network have firewalls that protect them from traffic that is not authorised? It can be important to ensure that only the absolutely necessary traffic can travel between machines, so that a possible attacker can not escalate his privileges once inside the network.
- The same password should not be used for several machines, such as servers. According to SITIC [10] it is a common problem that the same password is used on several servers. If an attacker is able to gain access to one server, the same password can be used on other servers in the network.
- Only allow necessary outgoing traffic on certain ports. SITIC state that it is common for traffic coming into a network to be restricted by a firewall, but not the outgoing traffic. For instance, a machine on the inside of the network may have been struck by malicious code that spreads by opening a connection to the Internet on an IRC channel on a high port number, between

This list of risks that might occur in networks is not complete, but a conclusion from some of the bullets above could, according to SITIC, be to limit the number of ports that are allowed to be open to the network. This could ensure that some of the risks listed above, as well as other possible scenarios, are minimised. Also, the possibility to generate logs in the firewalls for the disallowed ports can help to discover an attack, when an infected machine tries to connect to the Internet on a port that is not allowed.

SITIC [10] suggests a list of ports that a network administrator can allow to be open in order to maintain the network services. At the same time they point out that this must be mapped to the needs of the network.

For incoming traffic (to the DMZ):
- 25 TCP, SMTP for e-mail
- 53 UDP, DNS for translating logical addresses from the Internet, if the network uses its own DNS
- 80 TCP, HTTP for Web traffic
- 443 TCP, HTTPS (SSL) for encryption of Web traffic, if there are any such services

For outgoing traffic:
- 21 TCP, FTP for file transmission
- 25 TCP, SMTP
- 53 UDP, DNS for translating logical addresses from the Internet, if the network uses its own DNS
- 80 TCP, HTTP for Web traffic
- 443 TCP, HTTPS (SSL) for encrypted Web traffic [10]

One way of defending the system is to constantly monitor what information the network is leaking, to know what an attacker knows about the systems and to be able to identify which information has left the organisation via the network interface. Foot printing is what an attacker does when preparing an attack against a network, and countering it is an important part in the defence of networks.³ It does not involve any illegal activities or directly disturb the service of a network, but since a successful foot printing often leads to a successful hack, steps must be taken to constrain and control the information that can be reached.

³ The concept of foot printing can be studied more thoroughly in Appendix B.
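The firewall logging that SITIC recommends is only useful if someone evaluates the log against the allowlist. The following is an added example, not code from the thesis or from SITIC: it encodes the two port lists above and runs constructed firewall log lines through them, flagging perimeter connections on ports outside the lists (such as an inside host opening an outbound IRC-style connection on a high port). The log line format, the 10.0.0.0 internal prefix and the addresses are assumptions made for the example; a real firewall needs its own parser.

```python
"""Egress/ingress policy check over firewall log lines (added example).

The allowlists are the port lists SITIC suggests in the text; the log line
format, the internal address prefix and the addresses are constructed here.
"""
import re
from typing import NamedTuple, Optional

# SITIC's suggested allowlists, as (destination port, protocol).
ALLOWED_INBOUND = {(25, "tcp"), (53, "udp"), (80, "tcp"), (443, "tcp")}
ALLOWED_OUTBOUND = {(21, "tcp"), (25, "tcp"), (53, "udp"), (80, "tcp"), (443, "tcp")}

# Hypothetical internal address range, used only to decide traffic direction.
INTERNAL_PREFIX = "10.0.0."


class Connection(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


# Constructed key=value log format; a real firewall's format needs its own regex.
LOG_RE = re.compile(
    r"proto=(?P<proto>tcp|udp)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Connection]:
    """Extract the connection tuple from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Connection(m["proto"], m["src"], m["dst"], int(m["dport"]))


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def check(conn: Connection) -> Optional[str]:
    """Return a description of the policy violation, or None if the connection is allowed.

    Only traffic crossing the perimeter is judged; internal-to-internal
    connections are outside the scope of these two lists.
    """
    key = (conn.dport, conn.proto)
    if is_internal(conn.src) and not is_internal(conn.dst):
        if key not in ALLOWED_OUTBOUND:
            return f"outbound {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto} is not an allowed port"
    elif not is_internal(conn.src) and is_internal(conn.dst):
        if key not in ALLOWED_INBOUND:
            return f"inbound {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto} is not an allowed port"
    return None


def audit(lines) -> list:
    """Run every parsable log line through the policy and collect the violations."""
    violations = []
    for line in lines:
        conn = parse_line(line)
        if conn is not None:
            v = check(conn)
            if v:
                violations.append(v)
    return violations


# Constructed sample log. The fourth line is the kind of outbound high-port
# connection from an infected inside host that the text describes.
SAMPLE_LOG = [
    "proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=25",     # mail from the Internet: allowed
    "proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=23",     # telnet from the Internet: not allowed
    "proto=udp src=10.0.0.12 dst=203.0.113.53 dport=53",    # DNS lookup: allowed
    "proto=tcp src=10.0.0.12 dst=203.0.113.7 dport=6667",   # outbound IRC: not allowed
    "proto=tcp src=10.0.0.5 dst=10.0.0.6 dport=445",        # internal traffic: not judged here
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(v)
```

Running it prints the two perimeter violations (inbound telnet, outbound IRC); the internal SMB connection is deliberately left alone because the SITIC lists only describe what crosses the firewall.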

Chapter 5 Common network vulnerabilities

In Open Source Security Tools, Howlett [5] points out that it is important to remember that for the average company the threat of being exposed by a hacker is not that large. The vulnerability should be weighed against what kind of business it is, a bank or perhaps a government institution. The author also states that it is important to keep the system more secure than the next system, since many hackers use common and known exploits on whatever network is vulnerable. It is almost impossible to secure a network from an attacker with the right amount of knowledge, time and money. The mainstream hacker uses known exploits, and these exploits have often been known for some time. As an example, the damage from the Code Red worm outbreak in 2001 could have been reduced if the networks had been patched with the patch that was released a year before. There are many examples of big outbreaks where many machines are affected and the remedy existed in the form of a patch.⁴ The use of so called zero day exploits and unknown exploits is very rare. [5] If one attack doesn't work the hacker often has the possibility of trying another way to break in to the system.

In the following subchapters a number of common network vulnerabilities are described. In general a vulnerability scanner can be used to find most of them. Common vulnerabilities in computer networks according to Howlett [5] are:

5.1 Buffer overflow

Buffer overflows are often the result of poorly written and tested code. They can be exploited by performing actions that cause the system to run out of resources. This is done with legitimate requests or by sending excessive data that the system is unable to process properly. In some cases a buffer overflow can make it possible to run arbitrary code on the affected system. The countermeasures are better code review, testing and vendor accountability. For the system administrator the countermeasure is to apply patches in a timely fashion. [5]

⁴ The remedy of patching and updating can be studied more closely in Appendix C.

5.2 Router and firewall weaknesses

These devices are the perimeter protection of the network. Howlett [5] states that with the growing complexity of the devices and the sophistication of the attackers these protection applications can also be compromised, if they are not configured correctly. Even if the rule sets are written correctly, many routers still run Telnet for interactive logins rather than the more secure SSH. The use of Telnet makes sniffer attacks possible, where login and password combinations can be grabbed. Also, some routers run Finger and other information leaking services. Some firewalls run on a Windows or UNIX platform, which makes them vulnerable to all the common OS level exploits. It is also possible that the software in firewalls contains exploitable code, but it is rare. Firewalls often use web servers to interface with the users, which makes them vulnerable through that interface. [5]

5.3 Web Server Exploits

Most networks today involve a web server, and these applications are well known for their bugs and security holes. Howlett states that "The very idea of a web server, that a user can pull files from the server without any authentication at all, sets up the potential for security gaps" [5 p.125]. The problems come from the fact that a web server has to deal with an ever growing number of protocols, commands and a lot of traffic, and also from the fact that scripted programming languages like ASP and PHP have code that needs to be executed. A hacked web server can lead to other problems and embarrassments than just a changed website. The web servers are often connected to other internal systems or perhaps a database that might contain information not only for the web applications. [5]

5.4 Mail Server Exploits

The e-mail server, like the web server, is a very important application for a computer network but also one of the most exposed points in a network. Since the mail server always has an open port to the Internet through the firewall it is vulnerable to hacking. For instance, if a hacker is uncertain of what type of SMTP (Simple Mail Transfer Protocol) server is running, there are two ways of finding this out: one is to simply send a mail to the server and then read the header of the response mail, the other is to use telnet to open a session to port 25 and read the banner that is sent. When the type of server is known the vulnerability databases can be checked for known exploits. [11]

5.5 DNS Server

There are a couple of reasons that make the DNS server the weakest point of all in the whole Internet structure. A DNS server translates IP addresses into logical names and vice versa. Even if IP connectivity to the outside world works, without the DNS server in the domain no traffic will reach the web servers and no e-mail will work. By a successful DoS (Denial of Service) attack the whole domain will go down. Another possibility is an attack called DNS cache poisoning, where DNS entries are forged and the IP traffic is therefore redirected to another site. [5]

5.6 Database Exploits

By using a database connection to the web site more functionality can be added, like users filling in different kinds of forms or logging in to view personal data, placed orders etc. Even though the web sites are placed on the outside of the direct core of the network, databases are not. By using specially crafted URLs containing SQL or other loosely typed database commands, a vulnerability exists since the commands are executed within the database and therefore often at the core of the system. [5]

5.7 User and File Management

The key to user and file management is to work according to the principle of least privilege. Users should only be given permission to access what is needed for them to do their job, nothing more. It is a fine balance between being overwhelmed by helpdesk calls and weakening the security of the network. Different platforms have different ways of dealing with the problem, but all solutions have weaknesses. Windows has a problem with shares, which give away too much information; another problem is that guest accounts set by default must be manually removed after installation. The UNIX platform has the problem that users can be either root or not root. The non-root users might need to be root to access or perhaps compile something, and the root account is given away too easily by the administrator. A vulnerability scanner can help testing easy to guess passwords for administrator accounts and also test the common administrator/administrator login/password in Windows. [5]

5.8 Manufacturer Default Accounts

Hardware manufacturers often ship their hardware with a default configuration where different default accounts are set for easier set up. There might also be accounts for technicians and service representatives. On the Internet there are lists circulating with the default logins and passwords that the major hardware manufacturers and software vendors use. There are also scripts, free of charge, that can be used to run automatic tests against these logins. So, it is a good idea to change the default settings of these accounts. [5]

5.9 Blank or Weak Passwords

Passwords are a commonly used security feature, but not without problems. Logins often have passwords that are left intentionally blank, even administration accounts. Worms and hacking programs often check for these conditions: a blank password or a password that is the same as the login. Passwords should be changed on a regular basis according to certain requirements. Vulnerability scanners can be set to check for the use of default and weak passwords. [5]

5.10 Unneeded Services

The problem of unneeded services comes from a combination of the administrator's unwillingness to take services out of a system that works fine and the ever increasing development of processor speed and memory capacity. Another problem is that the following services often are turned on by default in different applications:

Service                  Common port number   Function
chargen                  19                   Generates a stream of characters when a request is sent. Can be used in a DoS attack by continuously sending requests.
daytime                  13                   Returns the time of day; not needed in a modern system.
discard                  9                    Silently discards what is sent to it. Mainly for testing purposes.
echo                     7                    Replies with whatever is sent to it. Like chargen it can be used in a denial-of-service attack.
finger                   79                   Very useful to hackers for information gathering.
qotd (quote of the day)  17                   Sends a little quote or phrase that the administrator sets up when the user logs on.

Table 1 Unneeded services (these services are ranked as useless by Howlett [5 p.129])
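Section 5.6 describes database commands arriving through a crafted URL and being executed at the core of the system. The following added example, not code from the thesis, shows the two halves of that problem side by side: a query built by pasting the URL parameter into the SQL text, and the parameterised form in which the value is bound separately and never interpreted as SQL. The orders table, its rows and the crafted parameter value are constructed for the example, and sqlite3 stands in for the web site's database.

```python
"""Crafted-input database query: vulnerable string building beside the parameterised form.

Added example; the table and rows are constructed, and sqlite3 stands in for
the web site's database.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory orders table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "router"), (2, "bob", "switch"), (3, "alice", "firewall")],
    )
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The pattern the text warns about: a URL parameter pasted straight into the SQL text.

    The parameter becomes part of the command, so a value containing quotes and
    operators changes the query the database executes.
    """
    sql = f"SELECT item FROM orders WHERE customer = '{customer}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def orders_parameterised(conn: sqlite3.Connection, customer: str) -> list:
    """The corrected form: the value is bound as data and is never parsed as SQL."""
    sql = "SELECT item FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


# A constructed parameter value of the kind a crafted URL would carry.
CRAFTED = "x' OR '1'='1"


def demo() -> dict:
    """Run both query styles with a normal value and with the crafted value."""
    conn = build_db()
    return {
        "normal": orders_parameterised(conn, "alice"),
        "vulnerable_crafted": orders_vulnerable(conn, CRAFTED),
        "parameterised_crafted": orders_parameterised(conn, CRAFTED),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the crafted value the string-built query returns every customer's orders, while the parameterised query returns nothing because no customer is literally named "x' OR '1'='1". A web application scanner of the kind described in 7.2 looks for exactly this difference in behaviour.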

5.11 Information Leaks

There are too many loose lipped operating systems connected to the Internet giving away useful information to hackers. Especially Windows, with its plug and play network system, is guilty of giving away too much information on network systems. A common search engine can also be used to gather information like user names, shared drives and directories, since people often have a habit of storing documents on a web server that they think can not be reached because they are not linked to any website. But this is not the case, and there is a lot of information that can be reached by using a common search engine on the Internet. This is why it is a good idea to regularly search the Internet for the domain names of the network to see what surfaces. [5]

5.12 Denial of Service

If a hacker can not get in to the system there is always the possibility of trying a denial of service attack. Political targets or companies that perform their business over the Internet are typically exposed and vulnerable to this kind of attack. There are many ways to perform a denial of service attack, from simply swamping the main router with traffic to taking advantage of a known bug in a program, making the service unreachable and thereby crashing a server. It is hard to defend against this problem, but if the latest program updates are installed the risk is reduced. [5]

Chapter 6 Network security testing

For a system to test the security of the network, maintaining services and ensuring survival, there are a couple of techniques and tools available. These techniques and tools can help when vulnerabilities such as the ones described in the previous chapter are encountered. According to CERT ( ), vulnerabilities surfaced in . Together with the growing number of computers per person in an organisation, these vulnerabilities have to be tested for to maintain system security. [16] Hackers and crackers that try to enter a system tend to exploit the vulnerability that is easiest to use. Therefore SANS has made a list of the top 20 vulnerabilities that are most commonly used by hackers and crackers. A report made by SANS dated May 2000 discusses the issue: "A small number of flaws in software programs are responsible for the vast majority of successful Internet attacks. A few software vulnerabilities account for the majority of successful attacks because attackers don't like to do extra work. They exploit the best-known flaws with the most effective and widely available attack tools. And they count on organizations not fixing the problems." [16 p.2-1]

During a network system's lifetime the security must be constantly updated and developed to counter new and enhanced vulnerabilities. NIST has described a model for security maintenance. The model separates between an operational stage, when the network is in use, and a maintenance stage, when the system is upgraded or changed (ST&E, Security Test & Evaluation). In the operational stage periodic testing should be done to make sure that the network is secured. When an upgrade or a change in the network structure has been done, the change must be tested and evaluated to make sure that an unsecured network is not put into use. For this task a vulnerability scanner, among other tools, could be useful. [16] The level of testing will differ between different types of applications, depending on the type of application and its vulnerability.

Figure 4 Model for network security testing: testing activities during the operational and maintenance stages. [16 p.2-3]

The security testing will produce reports with insight into other systems' and services' life cycles. Depending on the size of the organisation this information could be useful for other staff involved in other IT related areas. The information could be used:
- As a reference point for corrective action,
- In defining mitigation activities to address identified vulnerabilities,
- As a benchmark for tracing an organization's progress in meeting security requirements,
- To assess the implementation status of system security requirements,
- To conduct cost/benefit analysis for improvements to system security,
- To enhance other life-cycle activities, such as risk assessments, Certification and Authorization (C&A), and performance improvement efforts. [16]

There are many different kinds of techniques for testing the security in a computer network. Some of the techniques are highly automated and some require more human involvement to start the testing. These techniques are:
- Password Cracking
- Log Review
- Integrity Checkers
- Virus Detection
- War Dialling
- War Driving (or wireless LAN testing)
- Penetration Testing
- Network Scanning, which finds the active hosts and the ports they respond to in the specified network.
- Vulnerability Scanning, which performs a network scan but also tries to find the weaknesses in the services the scanned hosts provide. [16]

6.1 Password Cracking

There are a number of programs and techniques to crack a password. Passwords are often stored and sent across a network in an encrypted form called a hash. The hash is generated from the password chosen by the user. Every time the user logs in and states a password it is transformed to a hash and compared to the stored hash. There are two ways to capture hashes from a system: either by gaining root or administrator access, or by capturing the hashes on the network with a network sniffer. A hash can be cracked in three ways:
- Dictionary attack: the hash is compared with the hashes of all the entries in a stored dictionary.
- Hybrid attack: tries whether the password is a combination of a word in a dictionary and different characters.
- Brute force method: tries random letters and characters in different combinations. It generates the passwords and their associated hashes. The only limit on a brute force attack on a password is time and processing power.

Another problem with passwords could be the lack of authentication policies: the network is not using any authentication and the password is sent in clear text over the Internet. This should be taken care of by a stronger authentication policy. Password crackers like the program L0pht Crack should be run on the system network so the administrator can get a picture of what passwords are used on the network and how strong they are. This would give a hint whether the password policy should be altered to enhance the security of the network. [16]

6.2 Log reviews

From the review of logs from the IDS (Intrusion Detection System), firewalls and servers it can be concluded whether the system network is working according to the security policy. Reviewing logs can tell if the administrator should consider removing vulnerable unused services, hardening the firewall policy or reconfiguring the network to minimise the possibility of compromise.

6.3 File integrity checkers

It is important to verify the integrity of a file to know that it has not been altered. A file integrity checker computes a checksum on every file. It is especially useful on system files that are particularly vulnerable to alteration. The checksums should be recomputed and checked regularly to ensure the integrity and security of the network.

6.4 Virus detectors

There are many ways for a virus to enter a system, basically through any medium or connection connected to a computer or server. Two versions of antivirus programs are mainly in use. One can be installed in the network infrastructure as a perimeter protector and the other on each host in the network. To get the highest security both should be used. To be efficient the virus signature database must be updated to protect against the latest threats.
The updating can be a problem to execute on each host, but it is easier to manage on the perimeter protection since its availability is higher and the number of machines is smaller. Trojans and worms also constitute a major threat to all computer networks, but with frequent updates the threat can be considerably minimized. According to NIST [16] most antivirus program updates are done automatically. It is important that the antivirus program is working with the latest updates, that the updating is done at least weekly and that after each update a full scan of the network is done.

6.5 War dialling

A network can have a perfect configuration and security, but all that is lost with a modem circumventing the security features of the network. War dialling, or telephone line scanning, is an attack where a telephone number range is tested to see if there is a modem or fax present and responding on the inside of a PBX (Private Branch Exchange). Several software packages, both commercial and freeware, are available for war dialling. [17]

6.6 Wireless LAN testing

A number of wireless LAN protocols exist; according to NIST [16] the b is the most commonly used. There are a couple of known vulnerabilities following this protocol:
- Insertion attacks
- Interception and monitoring of wireless traffic
- Denial of service attacks
- Client to client attacks

A standard recommendation is that wireless networks should be placed outside the firewall and IDS. Wireless networks can always be reached by an intruder, but the access can be limited by using access lists on MAC addresses, not broadcasting the SSID and using encryption on the traffic. [16]

6.7 Penetration testing

A penetration test is the process of gaining unauthorised access to a computer network. It is a way for an organisation or company to determine how well their security measures respond to a real life attack and what an attacker can accomplish or compromise. Before starting a penetration test the goals as well as the limitations of the test should be set. The goals and limitations of the test depend on what the administrator of the target network considers important to protect and to test for vulnerabilities. There are different ways of conducting the test: with or without the IT staff having knowledge of the test, and with or without someone actively trying to defend against the attack. One important thing is to make sure that the testing is not conducted without the approval of the system owner and the consent of others involved, like ISPs (Internet Service Providers). Penetration tests can be conducted from the inside of the organisation's network or from the outside, or a combination of both. Conducting tests from within will show what a malicious user or an unauthorised attacker can achieve from inside the network. From the outside the firewalls usually limit the access to different resources, and a penetration test is usually focused on common protocols like FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol). When an organisation has decided to conduct a penetration test the rules of engagement must be set; these should include:
- Specific IP addresses/ranges to be tested
- Any restricted hosts (i.e., hosts, systems, subnets not to be tested)
- A list of acceptable testing techniques (e.g. social engineering, DoS (Denial of Service), etc.) and tools (password crackers, network sniffers, etc.)
- Times to conduct the testing (e.g. during business hours, after business hours, etc.)
- Identification of a finite period of testing
- IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks
- Points of contact for the penetration testing team, the targeted system and the networks
- Measures to prevent law enforcement being called with false alarms (created by the testing)
- Handling of information collected by the penetration testing team [16]

The skill of a possible hacker must also be part of the scope when deciding the level of the penetration test. In SANS [18 Penetration Testing] hackers are divided into the following levels:
- Sport intruder: Usually broken down into the subcategories novice (a single machine hacker), crackers (multiple machine attackers who write their own cracking tools) and apprentice (usually taught by a hacker; they use freeware off the Internet until they are up to writing their own tools).
- Competitive intelligence: These hackers are usually just trying to gain insight into the capabilities of a competitor. They might also employ a packet sniffer to monitor traffic from a destination IP address in top management or corporate marketing.
- Foreign intelligence: Such attackers attempt to gain information that will be used by a foreign country or an international terrorist organisation.

Most penetration testing naturally goes beyond the scope of sport intruder and competitive intelligence, due to the intensive work effort and the possibility for the penetration testing team to conduct the work legally, with less pressure. A penetration test often tries to exploit the following categories of vulnerabilities:
- OS specific bugs, exploits, vulnerabilities and security holes
- Weaknesses in firewalls and routers among different brands
- Exploitation of web server scripts
- Exploitable shares and trusts between systems and files

The final report from a penetration test should summarize the vulnerabilities found during the testing. The vulnerabilities must be clearly explained to the target organisation, for it to be able to benefit from the test and get a more secure network. [18]
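Section 6.1 above describes the three ways a captured hash can be cracked, and 5.9 names the two conditions worms check first (a blank password and a password equal to the login). The following added example, which is not code from the thesis and is not how L0pht Crack is implemented, puts the three methods into one small offline audit of the kind 6.1 says an administrator should run against their own password store. Unsalted SHA-256 stands in for whatever hash the audited system uses; the account store, word list, extra-character set and brute-force alphabet are constructed and kept tiny so the run finishes instantly.

```python
"""Offline audit of stored password hashes with the three cracking methods the text names.

Added example, not from the thesis. Unsalted SHA-256 stands in for whatever hash
the audited system uses; the accounts, word list and alphabet are constructed.
"""
import hashlib
import itertools
from typing import Optional


def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, words) -> Optional[str]:
    """Compare the target with the hash of every dictionary entry."""
    for word in words:
        if digest(word) == target:
            return word
    return None


def hybrid_attack(target: str, words, extras="0123456789!") -> Optional[str]:
    """Dictionary words combined with extra characters appended or prepended."""
    for word in words:
        for extra in extras:
            for candidate in (word + extra, extra + word, word.capitalize() + extra):
                if digest(candidate) == target:
                    return candidate
    return None


def brute_force(target: str, alphabet: str, max_len: int) -> Optional[str]:
    """Every combination of the alphabet up to max_len; bounded only by time and CPU."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if digest(candidate) == target:
                return candidate
    return None


def audit(accounts: dict, words, alphabet: str = "ab12", max_len: int = 3) -> dict:
    """Map each login to (finding, recovered password or None).

    The blank and login-equals-password checks run first because they are the
    conditions the text says worms and hacking programs look for.
    """
    results = {}
    for login, target in accounts.items():
        if target == digest(""):
            results[login] = ("blank", "")
        elif target == digest(login):
            results[login] = ("same-as-login", login)
        elif (hit := dictionary_attack(target, words)) is not None:
            results[login] = ("dictionary", hit)
        elif (hit := hybrid_attack(target, words)) is not None:
            results[login] = ("hybrid", hit)
        elif (hit := brute_force(target, alphabet, max_len)) is not None:
            results[login] = ("brute-force", hit)
        else:
            results[login] = ("not cracked", None)
    return results


WORDLIST = ["password", "summer", "winter", "admin"]

# Constructed account store: the hashes are computed here from chosen passwords
# so the example runs offline; a real audit would read them from the system.
ACCOUNTS = {
    "guest": digest("guest"),
    "backup": digest(""),
    "alice": digest("summer"),
    "bob": digest("Winter1"),
    "carol": digest("b21"),
    "dave": digest("correct horse battery staple"),
}

if __name__ == "__main__":
    for login, (finding, pw) in audit(ACCOUNTS, WORDLIST).items():
        print(f"{login:8s} {finding:14s} {pw!r}")
```

The order of the checks mirrors their cost: the two constant-time checks, then the dictionary, then the hybrid variants, and brute force last. The final account survives every method within the tiny alphabet and length bound, which is the point 6.1 makes about brute force being limited only by time and processing power.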

Chapter 7 Scanners

Scanning the network can be done with different types of scanners. To find vulnerabilities in a network a network scanner can be used. There are different types of scanners, each with different goals. A port scanner scans the ports of the network and tries to find out what ports, services and operating system the target is running. Application scanners assess a specific application running on the network. Vulnerability scanners contain all the functionality of the above described scanners and try to give a complete picture of the vulnerabilities in the network.

7.1 Port scanners

By using different options in the flag bits, and combinations of flags sent in sequence, the scanned host can be tricked into replying. A TCP (Transmission Control Protocol) port scanner like Nmap can be used with different options, using different ways to investigate the number of open ports in a system. A full TCP connection is when the scanner tries to establish a regular connection with a three way handshake. For every listening port the connect will succeed; failure indicates a closed port. TCP SYN (synchronise) scanning, or half open scanning, is when the scanner sends a SYN segment. If the host answers with a RST (reset) then the port is closed; otherwise it will answer with a SYN/ACK (synchronise/acknowledge) and the port is open. The scanner then sends a RST to break the connection, since this information is all that it is requesting. If the scanned system has a logging function turned on this kind of connection request is unlikely to be logged. Besides Nmap there exist a number of different tools to use for port scanning, and there are also different methods to find open ports in a host, such as the stealthier FIN, Xmas Tree and Null scans. If a logging function is turned on in the scanned system a stealthier method can be better to use to avoid detection. [19]

UDP (User Datagram Protocol) scanning can also be used to find vulnerabilities in a system. The TCP scanning programs are often also able to find open UDP ports in systems. To scan the UDP ports in a system the scanner sends UDP packets containing 0 bytes, and if the port is closed it will respond with an ICMP (Internet Control Message Protocol) port unreachable error. If the port is open the reply will be application specific. The downside of this behaviour is that if a packet is lost, the scanner will interpret it as an open UDP port. [19]
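The full TCP connection method described above can be shown with ordinary sockets, which is what the following added example does; it is not code from the thesis and not how Nmap is implemented. It starts its own listener on a loopback port so that it runs offline, then probes that port and a port nothing listens on, classifying each by the outcome of the handshake attempt: a completed connection means open, a refused connection (the RST the text mentions) means closed, and a timeout with no answer means the probe was most likely dropped by a firewall. The SYN, FIN, Xmas Tree and Null methods need raw sockets and are not reproduced here.

```python
"""Full TCP connect scan of a local listener (added example, not from the thesis).

Only the full-connection method from the text is shown: SYN, FIN, Xmas and Null
scans need raw sockets. The target is a listener the example starts itself on
127.0.0.1, so it runs offline.
"""
import socket
import threading


def start_listener() -> tuple:
    """Bind an ephemeral TCP port on loopback and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listener was closed
                return
            client.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Attempt the three-way handshake and classify the port by how the host reacts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                       # handshake completed
        except ConnectionRefusedError:
            return "closed"                     # a RST came back
        except (socket.timeout, TimeoutError):
            return "filtered"                   # no answer: probably dropped by a firewall
        except OSError:
            return "error"


def scan(host: str, ports) -> dict:
    """Probe each port and return port -> state; the open ones are what a scanner logs."""
    return {p: probe(host, p) for p in ports}


def free_port() -> int:
    """Find a loopback port nothing is listening on, to show a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one port that is listening and one that is not."""
    srv, open_port = start_listener()
    try:
        closed_port = free_port()
        return scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}/tcp {state}")
```

Because every probe completes the handshake, the listener's accept loop sees each one, which is the logging exposure the text contrasts with half-open scanning.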

If ports like 135 and 139 are found to be open on a host it is likely to be Windows NT or Windows 2000 running on that host. The type of operating system is also inferred from information like TCP packet sequence number generation, responses to ICMP packets, the TTL (Time To Live) field and other information from the scan. The scanner can only make assumptions about the operating system running; it can not say for sure that it is correct, since services can be set to other ports than the default. Firewalls can also restrict the access to the ports. If port 80 is used, it is usually for web services, but different platforms can be used and there are different vulnerabilities in the Apache web server and the Microsoft IIS server. By grabbing something called a banner additional information can be gained. The banner contains information about what application type, version number and operating system is used. But this information is uncertain, since it can be changed manually, or the banner might not be updated when the system is updated. There is a big uncertainty in the information presented by the scanner. It is up to the person performing the scan to interpret the given result. Organizations should conduct network scanning to:
- Check for unauthorized hosts connected to the organization's network
- Identify vulnerable services
- Identify deviations from the allowed services defined in the organization's security policy
- Prepare for penetration testing
- Assist in the configuration of the IDS (Intrusion Detection System) [16]

The downside to network scanning is the manual interpretation, the level of expertise required to make the correct assumptions and the level of uncertainty in the result. But it is still a good way of controlling the IP address space of the organisation. [16]
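Two of the reasons for scanning listed above, finding unauthorized hosts and finding deviations from the allowed services, come down to comparing the scan result with an inventory. The following added example, not code from the thesis, parses constructed scan result lines written in the style of Nmap's grepable output (one "Host: ... Ports: ..." line per host, each port entry as port/state/protocol/owner/service/...), applies the 135-and-139 rule of thumb from the text as an OS hint, and diffs the open ports against a hypothetical policy of authorised hosts and services. The addresses, the policy and the scan lines are all assumptions made for the example.

```python
"""Compare a network scan against the allowed-services policy (added example).

The scan lines are constructed in the style of Nmap's grepable output; a real
run would supply its own. The policy is a hypothetical inventory of which hosts
are authorised and which TCP ports each may offer.
"""
import re

# Constructed scan result in grepable style: "port/state/proto/owner/service/rpc/version/".
SCAN_LINES = [
    "Host: 10.0.0.5 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///",
    "Host: 10.0.0.6 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 23/open/tcp//telnet///",
    "Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///",
    "# Nmap done at ...",
]

# Hypothetical policy: authorised hosts and the TCP ports they may expose.
POLICY = {
    "10.0.0.5": {25, 80, 443},
    "10.0.0.6": {135, 139},
}

HOST_RE = re.compile(r"^Host:\s+(?P<ip>[\d.]+)\s+\(.*?\)\s+Ports:\s+(?P<ports>.*)$")


def parse_scan(lines) -> dict:
    """Return {ip: {(port, proto, service), ...}} for the ports reported open."""
    hosts = {}
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m["ports"].split(", "):
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                open_ports.add((port, proto, service))
        hosts[m["ip"]] = open_ports
    return hosts


def os_hint(open_ports) -> str:
    """The rule of thumb from the text: 135 and 139 open suggests Windows NT/2000."""
    ports = {p for p, _, _ in open_ports}
    return "likely Windows NT/2000 (135 and 139 open)" if {135, 139} <= ports else "unknown"


def compare(scan: dict, policy: dict) -> dict:
    """Hosts not in the inventory, and per-host open services the policy does not allow."""
    unauthorised = sorted(ip for ip in scan if ip not in policy)
    deviations = {}
    for ip, allowed in policy.items():
        extra = sorted(s for s in scan.get(ip, set()) if s[0] not in allowed)
        if extra:
            deviations[ip] = extra
    return {"unauthorised_hosts": unauthorised, "deviations": deviations}


if __name__ == "__main__":
    found = parse_scan(SCAN_LINES)
    for ip, ports in found.items():
        print(ip, os_hint(ports), sorted(ports))
    print(compare(found, POLICY))
```

The result still needs the manual interpretation the text warns about: the unknown host might be a newly installed machine that simply has not been added to the inventory, and the telnet service on the Windows host might be known and tolerated, so the report is a list of things to check, not a verdict.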

7.2 Application scanners

There are application scanners to be used for assessing the security configuration of a specific application or service, like Web, database and NT domains, that is difficult to configure. An example of a Web server scanner is Nikto. It looks for potentially dangerous files and CGI problems on servers. Nikto is included in the Nessus scanner. Other examples are SPIKE Proxy, Acunetix and Whisker or Libwhisker. For checking updates in Windows, HFNetChk can be used, among other tools. Database scanning can be done by Shadow or Metacoretex, among others.

7.3 Vulnerability scanners

A vulnerability scanner starts like a port scanner and tries to identify all the hosts running in the defined IP range. When the hosts have been found the scanner tries to find all open ports and corresponding services on all active hosts. In most scanners there is a possibility of setting different scan modes and also of stating which ports to scan. The goal of the scanner is to identify vulnerabilities in the scanned host, and this is done by comparing the running operating systems and software applications with known vulnerabilities stored in a database. [16]

There are two types of vulnerability scanners, host based and network based. A host based scanner is installed on every system that should be assessed. It has the possibility to be run as stand alone software or be linked to a central part of the network. Host assessment software makes the vulnerability analysis from the inside of a host and looks for insecure file permissions, missing software patches, noncompliant security policies, backdoors and Trojan horse installations. These features make it a preferred tool to use in security critical systems: the testing is time consuming and not scalable, but it provides good security supervision. The network based tools find all live systems in the provided IP range and analyse them for potential vulnerabilities. From an administrative view the network based tools are easier to use since they provide information collected in one report summarising the security situation, ranging from one host to a large complex network. The downside with the network vulnerability scanners is that they might not detect active hosts if there is a firewall running, might not detect open backdoors, or might not be able to perform certain tests due to disruption of normal services. [20]

A network vulnerability assessment starts with determining which systems in the defined range can be defined as online and accessible. Generally scanners try many ways to trigger a response. If the host answers it will be put in a list of valid hosts. Most vulnerability scanners have an option to force scanning of a specific address regardless of whether a response is received or not. Different scanners use different ways of assessing if an address corresponds to an online host, but the most common is the use of ICMP echo requests (ping). Nessus, as well as other scanners, also has the ability to use both TCP and UDP packets to find out if the host is active.

OS Fingerprinting

Operating system fingerprinting is a way of finding out what kind of operating system the target is using. This can be accomplished by sniffing network packets travelling between hosts, by sending a carefully crafted packet to the target machine and analysing the response, or through non technical means. Hosts will often give away the information of which operating system they are using in banners or header information. An example is Telnet, which presents the type of operating system in the prompt information. A couple of existing techniques for finding the operating system are:
- FTP will also provide the information when sent the SYST command, or in the welcome banner
- HTTP can be connected to and given the query GET / HTTP/1.0 \n
- SNMP, if this service is used on the machine, can be queried for information about the running host
- Other services like IMAP, POP2, POP3, SMTP, SSH, NNTP and finger can also be used for finding useful information [20]

Active IP packet fingerprinting

By analysing the response to a certain valid or invalid IP packet consisting of an ICMP, TCP or UDP packet, a more refined guess of the running operating system can be made. A couple of techniques exist [21] and some of them are:
- FIN probing: A packet with the FIN flag set is sent to a known open port. The usual behaviour should be for the port to ignore and drop the packet according to RFC 793, but many stacks send a RST back, and that is one clue to the fingerprint.
- TCP ISN sampling: TCP adds sequence numbers to each packet to keep track of the number of bytes successfully transferred. Different operating systems have different ways of starting and adjusting these numbers.
- ICMP error quoting: ICMP can be used in several ways; one is that ICMP error packets are required to return a small part of the original message, but different implementations send different sizes of error packets. This is especially useful for hosts that have no listening ports at all.
- ICMP error message echo integrity: In an ICMP error message parts of the original message are included, and different implementations can change these original parts in different ways, leaving traces of their identity.
- ICMP error message Type of Service (TOS): Almost all implementations return a zero in the TOS field. Linux, however, returns a different number.
- TCP options: Enhancements have been made to TCP by different RFCs, and the compliance with these enhancements by different implementations can be traced and the operating system revealed.

As Trowbridge [21] points out, many more differences between operating systems can be used to identify them. Some of them are described in Trowbridge [21]. After trying to decide what kind of operating system is running on the scanned host, a vulnerability scanner normally will move on and perform a port scan. A port scan can be performed on either the TCP and/or UDP services; if the system responds with a message that the port is open, the number is logged and stored for later use. There is a large number of available TCP ports, but most assessment tools will by default only scan through a limited set of these ports. The number of preferred ports to scan is defined before starting the scan.

When the open ports are found, service identification begins. This is done by sending common application requests and analysing the responses against a set of signatures. All information gathered during the scan is stored by the scanner to be used later. According to Nessus Network Auditing [20], not all assessment tools perform this stage, which gives a more uncertain result. As an example, the service HTTP (Hypertext Transfer Protocol) could be found on a port other than the standard port 80, since many applications use this protocol and install it on other ports. A scan should therefore be conducted without taking only the port number into consideration.

After that stage is finished, the actual application type must be found for each service. If the scanner makes the wrong conclusion about the version, the scanned service might crash. A web server, for example, might be vulnerable to a long pathname overflow; if the scanner uses the wrong vulnerability test and sends a request that is longer than the application can handle, it will crash. Therefore it is important that the scanner knows what type of application is running before starting to identify vulnerabilities. [20]

Identifying vulnerabilities

At this point all online hosts have been found, all open ports have been mapped to a known service, the type of application for each service is known, and the scanning for vulnerabilities begins. Scanners in general start this process by gathering all the information from the preceding testing rounds, make an active configuration probe against the active IP addresses, and finalise the tests with a set of custom attacks that identify whether there are any vulnerabilities in the tested system. Vulnerabilities are identified in different ways and to different extents. In some cases the vulnerability is identified from the information of a banner and version test; in other cases the scanner makes a complete exploitation of the vulnerability. Identifying vulnerabilities by banner grabbing and version detection is not reliable, since an application update could have been done without updating the banner information. This could result in a false positive when there is no other information for the scanner to safely verify that the vulnerability exists. Some vulnerability checks are done by attempting to exploit the flaw just far enough that the service does not crash, which for some errors and scanners is very hard to accomplish. [20]
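The service identification stage described above (classify a port by what it answers, not by its number, and treat a banner version as a hint rather than proof) is illustrated by the following added example. It is not code from the thesis or from any of the scanners it tests; the signatures, default-port table, sample replies and the names identify, version_from and review are all constructed here. The sample includes SSH answering on 47682/TCP, the high-port finding of the penetration test later in the chapter.

```python
"""Service identification by response signature, independent of port number (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (pattern over the first reply line, service name): constructed, not any scanner's real signature set
SIGNATURES = [
    (re.compile(r"^SSH-\d\.\d+-(\S+)"), "ssh"),
    (re.compile(r"^HTTP/1\.[01] \d{3}"), "http"),
    (re.compile(r"^220[ -].*FTP", re.IGNORECASE), "ftp"),
    (re.compile(r"^220[ -].*E?SMTP", re.IGNORECASE), "smtp"),
    (re.compile(r"^\* OK .*IMAP", re.IGNORECASE), "imap"),
    (re.compile(r"^\+OK", re.IGNORECASE), "pop3"),
]
DEFAULT_PORTS = {"ssh": 22, "http": 80, "ftp": 21, "smtp": 25, "imap": 143, "pop3": 110}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+[A-Za-z0-9]*")


@dataclass
class Service:
    port: int
    name: str                 # "unknown" when no signature matched
    banner: str               # first line of the reply
    version: Optional[str]    # read from the banner only; unverified
    on_default_port: bool


def version_from(name: str, reply: str) -> Optional[str]:
    """Pull a version string out of the reply; None if the banner carries none."""
    first = reply.splitlines()[0] if reply else ""
    if name == "ssh":
        m = SIGNATURES[0][0].match(first)
        return m.group(1) if m else None
    if name == "http":
        for line in reply.splitlines():
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip() or None
        return None
    m = VERSION_RE.search(first)
    return m.group(0) if m else None


def identify(port: int, reply: str) -> Service:
    """Classify a port by what it answered, not by the port number."""
    first = reply.splitlines()[0] if reply else ""
    for pattern, name in SIGNATURES:
        if pattern.match(first):
            return Service(port, name, first, version_from(name, reply),
                           DEFAULT_PORTS.get(name) == port)
    return Service(port, "unknown", first, None, False)


def review(services: List[Service]) -> List[str]:
    """Notes a report should carry beyond 'port X runs Y': services on unusual
    ports, and versions that were read from a banner rather than verified."""
    notes = []
    for s in services:
        if s.name != "unknown" and not s.on_default_port:
            notes.append(f"port {s.port}: {s.name} on a non-default port "
                         f"(usually {DEFAULT_PORTS[s.name]}); confirm it is intended")
        if s.version:
            notes.append(f"port {s.port}: version '{s.version}' taken from the banner only; "
                         "verify before rating a vulnerability on it")
    return notes


# Constructed replies, as a probe of each open port might have captured them.
SAMPLE_REPLIES: Dict[int, str] = {
    21: "220 ProFTPD 1.2.9 Server ready\r\n",
    80: "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n\r\n",
    47682: "SSH-1.99-OpenSSH_3.9p1\r\n",
    1234: "",                      # open port that answered nothing
}


def identify_all(replies: Dict[int, str]) -> List[Service]:
    return [identify(port, reply) for port, reply in sorted(replies.items())]


if __name__ == "__main__":
    found = identify_all(SAMPLE_REPLIES)
    for s in found:
        print(f"{s.port:6} {s.name:8} {s.version or '-':16} {s.banner}")
    for note in review(found):
        print("note:", note)
```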

7.3.4 Reports of Vulnerabilities

Different scanners have different reporting possibilities. Generally, the current scan can be viewed in the GUI (Graphical User Interface) of the scanner, and the information can be traversed and broken down by IP range, host, service and the present vulnerability. Many scanners also give the user the possibility to sort the information by vulnerability level, service, host and other key information. Usually the scans can also be saved and compared to other scans of the same network, showing trend reports for the network. Reports can also be printed and, as an example, the ISS scanner can present the results of a scan in more than 74 ways, using graphs, diagrams and different languages [30]. In most scanners the reports can be presented at different technical levels so that the information can easily be shared and presented at different levels in a company or organisation. The scanners often also provide the possibility to present the information in different formats, like HTML or a Word document. [20]

False positives

A false positive is when the vulnerability scanner reports an error that is not present. There are a number of reasons why a false positive occurs. The causes can be divided into two categories: technical false positives and contextual false positives [20].

Technical false positives

Buggy scripts: most scanners give the possibility to develop your own scripts, and there is always the possibility of a script not behaving as planned under all circumstances.
System patch: many security checks rely on service banners. If these are not updated when the service is patched, then a false positive might be reported.
Unexpected answer: if a test is run on FTP, a long string is sent. If the service does not reply, a HELP request is sent, and if that is not answered either, it is assumed that the FTP service has crashed and it is reported as vulnerable to buffer overflows. But the service might only have become temporarily unavailable during the requests. Other reasons can be other security technologies like firewalls, proxies or IPS (Intrusion Prevention Systems).

Contextual false positives

A patch affects normal operations: a false positive in the context of a scanner can occur when it is not possible to install a patch without affecting the normal operation of applications.
Certain conditions do not apply: if a test demands that the scanner log into the entity to check for vulnerabilities, and the credentials are not supplied by the person conducting the test, then it is common that the scanner only checks the banners and version number of the service.
Relevance: an application like DNS could intentionally be set to behave differently outside and inside a network, but that is not considered by the scanner.
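The "unexpected answer" false positive above (silence after a long string and after HELP is taken as a crash, even when the service was only temporarily unavailable behind a proxy or firewall) can be modelled without touching a real server. The following is an added example, not code from the thesis or from any scanner: FakeFtp, naive_overflow_check and careful_overflow_check are constructed names, and the fake service's behaviour is an assumption made for the illustration. The careful variant reconnects after a silent reply and only reports a crash when the listener is actually gone.

```python
"""The FTP crash heuristic and a less false-positive-prone variant (constructed example)."""
from typing import Optional


class FakeFtp:
    """Constructed stand-in for an FTP listener.
    busy_for:      number of requests it silently drops before answering again
                   (models a proxy, IPS or overloaded server, as in the text).
    crash_on_long: whether an over-long command really kills the process."""

    def __init__(self, busy_for: int = 0, crash_on_long: bool = False):
        self.busy_for = busy_for
        self.crash_on_long = crash_on_long
        self.alive = True

    def connect(self) -> bool:
        """A dead listener refuses new connections; a busy one still accepts them."""
        return self.alive

    def send(self, command: str) -> Optional[str]:
        """Return the reply line, or None when nothing came back before the timeout."""
        if not self.alive:
            return None
        if self.crash_on_long and len(command) > 512:
            self.alive = False          # the service died on our input
            return None
        if self.busy_for > 0:
            self.busy_for -= 1          # request dropped, no reply
            return None
        if command.startswith("HELP"):
            return "214 Help OK"
        return "500 Unknown command"


def naive_overflow_check(svc: FakeFtp) -> str:
    """The heuristic described in the text: no reply to the long string and
    no reply to HELP means 'vulnerable'."""
    if svc.send("USER " + "A" * 4096) is not None:
        return "not vulnerable"
    if svc.send("HELP") is not None:
        return "not vulnerable"
    return "vulnerable"


def careful_overflow_check(svc: FakeFtp, retries: int = 3) -> str:
    """Same probe, but silence is re-checked: a listener that refuses new
    connections has really died; one that still accepts connections and
    eventually answers was only busy. Anything else stays 'inconclusive'."""
    if svc.send("USER " + "A" * 4096) is not None:
        return "not vulnerable"
    for _ in range(retries):
        if not svc.connect():
            return "vulnerable"         # listener gone after our input
        if svc.send("HELP") is not None:
            return "not vulnerable"     # answered again: transient silence
    return "inconclusive"


if __name__ == "__main__":
    for label, make in [("healthy", lambda: FakeFtp()),
                        ("crashes", lambda: FakeFtp(crash_on_long=True)),
                        ("briefly busy", lambda: FakeFtp(busy_for=2)),
                        ("long outage", lambda: FakeFtp(busy_for=10))]:
        print(f"{label:13} naive={naive_overflow_check(make()):15} "
              f"careful={careful_overflow_check(make())}")
```

The "briefly busy" case is the false positive from the text: the naive check reports an overflow, the careful one does not.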

Chapter 8 Tested scanners

8.1 The scanners used

Here is a presentation of the scanners tested and how they managed in the laboratory environment. The scanners were chosen on the basis that they should be able to scan different platforms and applications common in computer networks. The scanners should also be either world leading in number of users, award winning or developed by a world leading company. The author must emphasise that there are other scanners on the market that are probably just as good as the ones chosen, but the lack of time restricted the number of scanners to the four described below. A quick overview of the scanners' background and interface follows.

8.2 Nessus

On the homepage of Nessus ( ) the organisation proudly states that their scanner is used by 75,000 organisations world wide and that the scanner is the most popular in use today, endorsed by security organisations like the SANS Institute. The Nessus project was started in 1998 by Renaud Deraison with the intention of giving the security community a free, powerful, up-to-date and easy-to-use remote security scanner. Until the release of Nessus 3.0 in the autumn of 2005 the scanner was completely free of charge. Nessus 3.0 is also freeware, but to get the latest plug-ins (security checks) directly and not with a week's delay, the owner, Tenable Security, will charge the user. [22]

The old versions of Nessus as well as Nessus 3.0 use a script language called NASL (Nessus Attack Script Language), described as looking like the programming language C without the pointers and memory management, with some Perl-isms (Perl is a script language). [20] For the older versions, development of scripts is free and anyone can write a script, both for private use and to share with other users of Nessus. When a new vulnerability is presented, volunteers can develop a script to find the vulnerability when scanning. The world wide network of developers has created over 2400 vulnerability checks that can be run with Nessus. The checks cover different areas of vulnerabilities, like [20]:

Backdoors
CGI abuses
Cisco
Denial of Service
Finger abuses
FTP
Gaining a shell remotely
Gaining root remotely
General
Miscellaneous
Netware
NIS
Port scanners
Remote file access
RPC
Settings
SMTP problems
SNMP
Untested
Useless services
Windows
Windows: User management

When running tests, these different checks can be turned off if they do not apply or if they would disturb or interrupt anything running on the scanned system. Specific tests can also be run individually to test for certain vulnerabilities.

Nessus uses a client-server architecture. Each session is configured and controlled by the client, but the test is run on the server side. There are some advantages to this architecture: the scan can be conducted from outside the network but started on the inside, and different operating system platforms can be used on the client side. At the time of writing there are clients for UNIX and Windows platforms.

Figure 5 Nessus scanner, target tab

To use the Nessus scanner a login and password must be provided. This is the first thing the user is prompted for when starting the scanner. The separation of client and server makes it possible to execute Nessus remotely: the server can be run on a machine with access to more bandwidth than the average office computer, and it also gives an administrator the possibility to execute it from home. When logged in, the other tabs can be accessed. Behind the Plugin tab the plug-ins can be selected; plug-ins can be disabled if they do not fit the testing effort or if they might cause a denial of service or bring a server down. The better part of the server side of Nessus is configured with the options in the Prefs. tab. The user can set the Nmap options here, whether the scanner should scan UDP ports, test settings for FTP servers, HTTP commands and more.

In the Scan options tab the port range is defined, as well as the number of hosts and checks to run simultaneously. Port scanner options can also be set; there are several to choose from, like TCP connect scan, Nmap, SYN scan and ping the remote host, to mention a few. The Target tab is where the IP range is set, as well as the option to save the session. A database called the Knowledge Base is used for storing the results of a scan; it is found behind the KB tab. Information from previous scans, like open ports, can be used to make the scanning more efficient. Reports can be generated in different formats like HTML, LaTeX and XML, to mention a few. The information can be presented in pie charts and graphs. [5]

8.3 Retina

Retina Network Security Scanner ( ) is developed by eEye Digital Security; the company states on its website that it is the leading developer of endpoint security and vulnerability management software solutions, and that the scanner is recognised as the industry standard for vulnerability assessment. Retina is automatically updated at the beginning of each session.

By default the Retina Network Security Scanner uses a 4-step process when running an audit scan. The first step is to build a scan list from the address group and discovery options. Retina tries to ascertain if the target is a device, as well as what applications/services it is running. When it has found the active hosts it will port scan them to determine which ports are open, closed or filtered on each device. The third step is OS detection. This is done by Windows registry check, NetBIOS, ICMP fingerprinting or TCP fingerprinting (it uses Nmap). The scanner does not use exploit code and does not explicitly require administrative rights to conduct a scan. Applications or services should not be affected by the scan since it is non-intrusive. [23] The last step is naturally the audit process. Each port and the associated service is tested for vulnerabilities. The specified protocols are run to find the known vulnerabilities associated with the port and service.

Figure 6 Retina audit scan process [23]: targeting (scan list is built), port scan, OS detection, auditing

Retina's user interface contains, besides the menu bar, a shortcut bar to the left and four main tabs in the main window: Discover, Audit, Remediate report and Report.

Figure 7 Retina scanner, viewing the audit tab

Discover: choose the IP range and port range that should be discovered and the way the scanner should do it (ICMP, TCP).
Audit: choose the IP range, port range and audits that should be performed during the scan. The results are saved in files that can be viewed in the three bottom tables of the main window.

Remediate report: the files from each scan are selected and, from that scan, different hosts or vulnerabilities can be presented and organised in a report.
Report: from one scan the information can be sorted into different categories and presented in different ways, like top vulnerabilities or top open ports from that particular scan.

8.4 Netrecon

Netrecon ( ) is a vulnerability scanner from Symantec, the world leader in solutions for information security, information availability and information integrity. The latest release of the GUI of Netrecon is Netrecon 3.6, which was issued in the year . The scanner uses LiveUpdate to get the latest plug-ins to test for vulnerabilities. The feed of new tests is constantly updated, and in the test the latest plug-ins have been used. [24] The scanner simulates common intrusion or attack scenarios to identify and report network vulnerabilities. Corrective actions are suggested for the vulnerabilities discovered. Reports can be exported to different formats like Word, Excel and HTML. [24]

Figure 8 Netrecon scanner, main window

Netrecon has different objectives that can be chosen depending on the purpose of the scan. The objectives are divided into the following categories: Heavy scan, Medium scan, Light scan and Granular objectives. The categories heavy to light scan make it possible to choose how thorough a scan the user wants. Granular objectives let the user decide a subset of additional objectives that should be run during a scan, either individually or as part of another objective. [24]

In the upper left corner of the main window there are Network resources and Vulnerabilities to choose from. Network resources focuses on the scan result for particular network resources. The graph pane, in the upper right corner, and the data table, in the lower part of the GUI, change as a particular resource is chosen. The information behind the Vulnerabilities tab focuses on the scan result for a certain vulnerability. When a vulnerability is chosen in this area, the graph pane and data table change accordingly. The scanner grades the vulnerabilities on a scale where 100 is a very severe risk.

8.5 ISS

The Internet Security Systems (ISS) Internet Scanner ( )

Figure 9 ISS scanner, interface

The scanner starts with asset identification, where all the assets in the defined network should be found. After that the vulnerability assessment starts with a probe for vulnerabilities in applications, services and system-level code. For fingerprinting of the operating systems, the fingerprint database of Nmap is used.

The main window of the ISS scanner is divided into three sections. In the upper left corner the hosts that the scanner is set to test are presented by default; additionally there are three more tabs to choose from: vulnerabilities, services and accounts. Depending on what is chosen, the specific information is presented in the main window on the upper right half. If, for instance, a specific host is selected, the main window will present the vulnerabilities found on that host, the services running and the accounts. There are different ways of sorting and presenting the information. By default the main window presents an overview of the IP range scanned, with information like DNS names, OS type, ping time and scan status. The window at the bottom presents status information about ongoing scans etc.

The scanner uses scan sessions to define which devices on a network to scan. A scan session is the chosen policy that describes which checks to run, an encryption key for the session and the IP range defined by the user. Policies are chosen depending on the type of application or testing goal. The session files can be altered to fit the needs of the user and of course reused in other scan sessions. They are stored in a database along with the information about the scanned hosts. [25]

Chapter 9 Testing the network

Generally a vulnerability scanner is designed to find:

All the hosts that are running on the network
The open ports on these hosts
The services that are running on these ports
Whether these services are patched with the latest updates
Whether the network is properly configured

Figure 10 The laboratory network

The scanners were run against a laboratory network to find out if they knew the answers to these criteria. A penetration test of the laboratory network was conducted to see if the scanners could find and warn about vulnerabilities that come from configuration errors, or vulnerabilities that are the product of two or more services used in the network. The penetration test also pinpointed the easiest ways the network could be exposed. A comparison between the scanners' reports and the penetration test could give a hint of the quality of the work the vulnerability scanners perform.

The software used in the laboratory network has not been updated for several years, so there should be several vulnerabilities present. The network is a class C network, which means it has three IP ranges each holding 255 individual hosts. There are 13 hosts active in this network, consisting of a router, a firewall and hosts. The hosts are using operating systems like OpenBSD, Red Hat Linux and different Windows versions. For scanning, a laptop with a 1.5 GHz processor and 512 MB RAM was used. Nessus was tested from a Linux platform and the rest from Windows XP.

9.1 Penetration Testing of the Laboratory Network

To be able to decide how well the scanners work, a penetration test, or hack, was conducted on the lab network. This was done from the same access point that the scanners had used to scan the network. It was also conducted without using any background knowledge of the lab network, except the IP number to use for connecting to the network. The goal of the hack was to gain root access to a couple of machines, explore the network for vulnerabilities and see what harm a hacker could cause the laboratory network. The hack should answer the following questions:

Can any false negatives be proven? Have the scanners missed anything while scanning the network?
Can any false positives be proven? Are the scanners reporting errors that do not exist?
Do the scanners really scan as thoroughly as is stated in the manuals?

9.2 The penetration test

1. The attack begins with stealing an IP address and some additional information, to set up the attacking machine and access the network.
2. A sniffer is started to record all the network traffic.
3. When that has succeeded, Nmap is run to find hosts and services. The scanning should give a better result since the scan is conducted with an IP number that is, hopefully, allowed by the firewall. The result was 10 hosts found, with their matching operating systems, open ports and running services on these ports. From this scan it is found that the IP addresses , , run a service called RPCbind, or the portmapper, on port 111/TCP. RPCbind is known for a vulnerability that gives an attacker information that might lead to the attacker gaining unauthorised access to the machine. An RPCinfo request can be made to that service.

4. RPCinfo is run against the following addresses: , , . mountd is found on , UDP port .
5. Since the machine is obviously running mountd, the Showmount command can be run on the target to gain access to the list of clients that have remotely mounted a file system. To gain access to this information and view the net-exported file systems, Showmount is run against . The vulnerability with this service is the information that can be gained. Some information is gained: the host states that it exports its home catalogue to fjalar.hack.xa. But who is Fjalar?
6. To find the DNS server, both to learn more about the target network and to find out who Fjalar is, a UDP scan is done with Nmap against a given range of hosts and ports: /24 and /24 on port 53. No DNS is found. The conclusion is that it must be in the IP range /24 (see point 11).
7. Finger is running on port 79 on hosts , , . There is no one logged in to , . On , the login Gunnar is found with the name Joe. The finger request takes some time, probably because a DNS request is done on the requesting IP address and the hacking machine is not found.
8. The Nmap run in the beginning stated that SSH is running on the target, so the command ssh gunnar@ is executed, and when the system asks for a password, Gunnar is typed and it works: the machine uses Gunnar/gunnar as login and password on SSH. The hacker is logged in with user credentials to . These user credentials happen to be root, so root access is gained.
9. The host will now be explored for information. Requests are sent to the user for the information it holds on other users in the network, netstat and passwords. The information gathered is put in a file that is stored at ; when the file contains the information the hacker requests, it is viewed with cat and pasted to the hacker computer and viewed for information. A sniffer is placed on the hacked host to record the traffic on this machine.
10. The Nmap scan is viewed again to find a suitable Windows machine with a potential DCOM vulnerability. It is a vulnerability affecting Windows 2000, NT and XP, so there are a couple of hosts in the network to try an attack against. The vulnerability affects the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC); it allows an attacker to gain full access and execute any code on the target machine, thus compromising it [26]. The service is activated by default on Windows NT, 2000, XP and 2003 [27]. A DCOM service is running on , a successful connection to the service is established and system privileges are obtained.
11. Another attempt is made to find the DNS domain name. From the previous Nmap scans of active hosts and the UDP scan on port 53, it is concluded that the DNS is on host . A reverse lookup is done to get the domain name. The command host is run and the response gives the name karl.hack.xa.
12. Nmap is run against /24 to find open hosts. But the attack is aborted since it seems like the firewall is slowing down the traffic. Another attempt is made by scanning with Nmap and defining the ports to look for: 53/UDP, 53/TCP, 80/TCP and 443/TCP. The response states that and are running. No ports are open on , but it is still classified as running. The problem might be that Nmap only scans some default ports; a full port scan is done on to find its open ports, and Nmap answers with an open port that is running SSH. This is a non-standard port for this service and therefore it is a vulnerability if the administrator is not aware of this service.
13. The program dig is run to gain DNS info. dig will respond with the information the DNS has in the zone file. This is called a zone transfer: all information about the zone is transferred to the machine that issued the query. It is used instead of a reverse lookup since the zone transfer will give information not only on all the hosts and machines that a reverse lookup would give, but also on the other IP ranges that the DNS is aware of but that the hacker might not be aware of since they are behind a firewall. The dig zone transfer did not work, probably because the firewall prohibited access. Instead, a reverse lookup is run against ; all users in the whole network are listed in three different files. The user names can be used by testing different types of access and guessing the passwords. The sniffer that was placed on the hacked machine can be analysed to see if there have been any passwords sent that can be used in combination with these user names.
14. Some hosts are running web services on port 80. The IP addresses are entered in a web browser, like Mozilla, and different homepages are found on these hosts, namely: connection refused; under construction; requests a login; Kalles hemsida, with a guest book. refused the connection and the hack moves on; requests a login, which could be brute forced. The homepage of is under construction: all the files are in place but they are empty. This can be used in a number of ways; one could be that a specially crafted URL is inserted and cross site scripting is done. But there might be other ways of exploring this. Therefore Nikto is set to scan, and it warns about the command ../.. to exit the script catalogue. When viewing the host it turns out that it has Netcat installed. Netcat is a simple utility that reads and writes data across networks. By using cmd.exe a hacker can execute Netcat remotely on the target machine. The utility could also be placed on the host by the attacker, using cmd.exe. cmd.exe makes it possible to get a command shell where the files of the homepage can be reached and altered. The command is executed with cmd.exe+nc.exe+hacker_ip+443+-e+cmd.exe and the files are reached. There is also a homepage on the IP address that has a guestbook where comments can be inserted. Cross site scripting can be used on this guestbook to harm or gain access to the visitors of the webpage.

Conclusions of the penetration test

Figure 11 The laboratory network after the penetration test; flags represent compromised machines

The penetration test points out some of the possible ways to enter the network. The flags mark machines that have been or could be taken over with the techniques described above. A number of vulnerabilities have been highlighted in the penetration test. It is now up to a vulnerability scanner to point these vulnerabilities out so they can be fixed.

9.3 Vulnerability scanners vs. the penetration test

The following comparison between the scanners and the penetration test is to see if the vulnerability scanners are able to report the vulnerabilities that can be exploited to gain access to a network. The conclusions of the comparison are presented in a figure in chapter 9.5 on page 64, Summary of scanners vs. penetration test. The test does not take the concept of defence in depth into consideration, which would mean that a fully functional firewall is in use, that perhaps an IDS would warn about the attack, that a human would try to secure the system when warned about what is happening, or other security measures. It is simply a comparison between what is used in the attack and the findings of the scanners.

RPCBIND

The first real issue of the penetration test is the use of the RPCbind service running on port 111/TCP. As mentioned, it can be used by an attacker to gain information about other services available on the attacked system. The attacker finds the service on hosts , and by running Nmap. Nessus finds the service on all three hosts, but only reports it as a vulnerability on host . The vulnerability level is set to Informal, the lowest priority ranking in Nessus. By making an RPCinfo request to the systems, the attacker finds out that host is running a mountd service on port 889/UDP. Further inquiries (using the Showmount command) show that /home is exported to the host Fjalar. Nessus does not find the mountd service.

Retina finds SUNRPC on port 111/TCP on the host , but the service is not found on or at all. On it warns adequately that the RPC service should be disabled or that the latest version should be installed from the vendor. Netrecon finds this service on all three hosts. The vulnerability is set to 19 out of 100 on all three findings, a very low priority. ISS also finds the service on all three hosts but gives the vulnerability a low priority. The service does not give direct access to the system, only information about the system. As long as the scanner is able to find it and categorise it, it is acceptable to give it a low priority.

The use of finger and SSH

The finger service is found by Nmap in Nessus to be running on 3 hosts. In the penetration test it is checked whether it is possible to get any information from this service. From two of the hosts it is not, but the third, , answers with a login (Gunnar) and a name (Joe). Nessus has also found the service on all three hosts, but only states that the port is active and concludes from the port number that it is probably finger. On the hacked one, it gives an additional message saying that an unknown service runs on this port and that it could be used by a Trojan horse. The priority is set to informational. The login found on the machine was then used on the SSH service on port 22. Even though the scanner found the service, Nessus neglected to report the vulnerability arising from the combination of finger and SSH. The scanner was unable to sufficiently report the vulnerability of finger, to run a finger request, to gather the information on the login, or to report the vulnerability presented by the combination of SSH and finger. The penetration test is made by a human, and therefore it is possible to draw a conclusion and take the information from one service and try it on another.

The finger service, found in the attack to be active on , is found by Retina on but not on . On the hosts where the service is found, the vulnerability is set to informational. It is stated that the service should be removed since it can be used by an attacker to gather information. Retina has not been able to run the finger service and catch the user login. The scanner finds that port 22 is open and that it is running SSH, but it has no comments on this fact. The vulnerability of the combination of running both finger and SSH on the same machine is not mentioned.

Netrecon finds both of the services, finger and SSH, on host . The scanner proposes that the service be disabled if not in use. It also explains that finger can give away information like login names or a user's full name. Netrecon is not aware of the login name present in the finger service. The vulnerability is set to 37 out of 100. For the SSH service, the description of the vulnerability is about the possibility the administrator has to restrict the product identification. It is suggested that if an attacker is either fooled by the banner or there is no banner to grab, then the attacker is less likely to succeed or different attacks have to be tried, and the administrator has a better chance to catch the attacker. The combination of the two services and the vulnerability they create is not mentioned. It is the author's opinion that changing the banner will not prevent an attacker or worm from running an exploit just because the banner states a particular version number of the service.

ISS finds that the finger service is running and also presents the login name, Gunnar. Like the other scanners, it also informs that finger can give away information to an attacker, like logon accounts and trusted hosts. Disappointingly, it totally misses the fact that SSH is running on the host. That is very severe.

DCOM

In the hack the DCOM vulnerability on host is used; this service is not mentioned in the report of Nessus, but it is warning about the RPC interface on the host on port 135. The vulnerability level is set to the second highest; perhaps the correct level of vulnerability would be the highest. But the correct fix from Microsoft is mentioned. By default, explicit checks should be done to see if the DCOM service is running, and the scanner should give this vulnerability the highest risk level since Microsoft has had a fix out since July . In the attack the DCOM vulnerability was used to gain system privileges on the machine . This is adequately warned about in the Retina report; the vulnerability is set to the highest alert. The same vulnerability is also reported on the host . It could be presumed that these hosts have the same vulnerability even though it has not been tested.

61 Netrecon totally misses that the RPC service is running, the scanner finds that the port is opened but the message about this port is that it found an opened TCP port and if it is not necessary that it is opened it should be closed. That is an understatement. Netrecon gives it 19 out of 100 in severity, a fatal mistake by the Netrecon scanner. ISS totally misses the fact that RPC is running on port 135/TCP, no vulnerability reported on any host Finding the SSH service on a high port number Even though Nessus was run with a full port scan it doesn t find that the port is open on with the SSH service running. This is a severe vulnerability that should have been found by Nessus. Retina finds the port 47682/TCP that is running SSH on the host This is very well done, but in the report it should perhaps be mentioned that this is a service that is normally not run on this port number. The vulnerability should be reported with more then just the finding of the port and service. Doubts should be raised for the reader of the necessity of running this service at this high port number since it could be forgotten, missed and considered as a vulnerability. This would help an administrator with less experience to understand the severity of the finding. Both Netrecon and ISS totally miss the fact that the service is running and nothing is reported Reverse lookup The DNS reverse lookup that lists all hosts on the network (even the ones that wasn t active during the scan) is not mentioned in the scan report from neither scanner. Default the scanners run a reverse lookup of the target host. It is part of their information gathering about the scanned system. It is not something that they warn about. It is up to the administrator to take the appropriate action if the scanner is able to gather to much information Web services running XSS, Cross Site Scripting, affects web servers that dynamically generate HTML pages based on user provided input. 
Cross site scripting can be used to apply a script and execute code in another user s web session if the code is not properly validated before using them in dynamic web pages. Since had a guestbook where messages could be inserted and sent it also 55

gave the possibility for an XSS. On the other host an XSS could be done on the error page that is shown. Nessus warns about the possibility to issue cross site scripting on two of the hosts but misses that there are web services on two others. Retina and ISS warn about the cross site scripting and set the vulnerability to medium on one host, but they miss the XSS on the other host. Netrecon does not warn about this vulnerability on either of the hosts.

../..

As mentioned, the web application scanner Nikto is run within Nessus. On the host Nikto is run on port 80 and it produces a report that contains about 40 lines. In the hack the possibility of escaping the web server root and remotely executing commands was used. This error is found and reported by Nikto. Perhaps Nikto gives Nessus an uneven advantage in the search for vulnerabilities in web services, but the other vendors should then develop their tools so that they can match Nessus's use of Nikto. Web services are part of the network. No other scanner reports on this vulnerability. The use of cmd.exe made it possible to reach the empty files of the web page. The possibility to use the empty homepage on the host is reported in Nessus and the vulnerability is set to a warning. The possibility to use the vulnerability of the empty homepage with a specially crafted URL to issue a Denial of Service attack is set to risk factor high. Netrecon finds that the Microsoft IIS server has Indexing Service IDA/IDQ scripts enabled on the host. The risk level is set to 96 out of 100. It is stated that these services should not be enabled unless there is a business need. Nessus states that a web server is running on port 80 of the host, but doesn't issue any warnings, which is ok since no immediate vulnerability was found on it. Retina warns about the vulnerabilities in IDA/IDQ in a sufficient way.

9.4 Additional vulnerabilities

There are a couple of vulnerabilities present in the laboratory network that were not used and confirmed in the penetration test above. But they have been used in other hack exercises against the same laboratory network.

LSASS.EXE

LSASS.EXE: an unchecked buffer in the Microsoft ASN.1 library could allow code execution on an affected system. The vulnerability in LSASS is not found in the Nessus scan on any host even though all of the plug-ins are tested. It is either the case that Retina and ISS are only reporting the absence of the patch MS that fixes the vulnerability, a false positive, or that Nessus and Retina have missed the vulnerability, a false negative. Since the vulnerability has been used in the laboratory environment it is a false negative by Nessus and Netrecon. The bug is reported by Retina and ISS on two hosts. It is not reported at all by Netrecon or Nessus.

SQL preauthentication

SQL preauthentication: there are three ways of using this vulnerability, two of which can cause a buffer overflow while the third is a denial of service. All four scanners find the vulnerability and give it top priority.

IIS.printer

IIS.printer: a buffer overflow can be done on the .printer ISAPI filter, which provides Windows 2000 with support for the Internet Printing Protocol. The service allows web based control of network printers. The vulnerability arises when more than 420 bytes are sent in a request. The vulnerability is found on the host by Nessus. It reports that there might be a buffer overflow within the IIS server and gives the notice the second highest priority; it also reports on the .ida ISAPI filter that is mapped and that this could lead to an attacker gaining access to the web server. Nessus suggests that the service is removed if not used. Retina reports a number of vulnerabilities on the ISAPI filter and one of them addresses the vulnerability with the .printer getting a buffer overflow; the priority is set to High. Also Netrecon finds this vulnerability and suggests that the script mappings for Internet Data Administration (IDA) and Internet Data Query (.IDQ) are removed. Netrecon gives the vulnerability 39 out of 100, which is a bit low considering that it can be used to access the system. ISS reports that the system is running

Microsoft IIS and states that it is important that the service is configured according to best security practice; the note has priority low. ISS misses the IIS.printer vulnerability that gives access to the system [28].

9.5 Summary Vulnerability Scanners vs. Penetration test

The result of the comparison between the vulnerabilities that are present in the environment and the findings of the vulnerability scanners is presented in the table below. If the scanner reports back a vulnerability with priority medium or less and the vulnerability has been used to gain access to the system, it is considered a failure of the scanner.

Vulnerabilities Retina Nessus Netrecon ISS
RPCBIND x x
Finger & SSH
DCOM x
SSH on high port number x
WWW, using cmd.exe x
XSS x x x
LSASS.EXE x x
SQL preauthentication x x x x
IIS.printer x x x

Table 2 Summary of scanners vs. penetration test; the x marks that the vulnerability was found by the scanner.

Evidently none of the scanners could successfully find all vulnerabilities. Retina was able to find and report the correct priority on the highest number of the vulnerabilities but is still missing vulnerabilities that give an attacker access to the network. Nessus uses a couple of application scanners successfully, like Nikto, and that gives Nessus an advantage. But the other scanners are still claiming to be Internet or Network scanners and therefore that is no excuse. It could be the case that the vendors are selling these other scanner applications as an upgrade or as a standalone product. Anyhow, as security tools, vulnerability scanners cannot be considered to produce a totally secure system.
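The comparison rule stated above, applied in code as an added example that is not part of the thesis: it maps the four scanners' different rating scales onto one ordinal scale and lists, per scanner, the exploited vulnerabilities it failed on. The findings data is constructed from the text of chapter 9 for this example; ratings the text does not state, and the cut points used for Netrecon's 0-100 scale, are assumptions marked in the code.

```python
"""Scanner findings versus penetration test, following the rule of section 9.5:
a scanner fails on a vulnerability when that vulnerability was used to gain
access in the penetration test and the scanner either did not report it or
reported it with priority medium or lower.

Added example. The data is constructed from the thesis text, not taken from
scanner output; ratings the text does not state are marked ASSUMED.
"""
from typing import Dict, List, Optional, Union

Raw = Optional[Union[str, int]]  # None = not reported, int = Netrecon 0..100

# Common ordinal scale onto which every scanner's rating is mapped.
LEVELS = ["none", "low", "medium", "high", "critical"]

# Netrecon rates 0..100. These cut points are an ASSUMPTION of this example.
NETRECON_CUTS = [(90, "critical"), (70, "high"), (40, "medium"), (0, "low")]


def normalize(scanner: str, raw: Raw) -> str:
    """Map one scanner's raw rating onto LEVELS."""
    if raw is None:
        return "none"
    if scanner == "Netrecon":
        for cut, level in NETRECON_CUTS:
            if int(raw) >= cut:
                return level
        return "low"  # scores are never negative; kept for completeness
    level = str(raw).lower()
    if level not in LEVELS:
        raise ValueError(f"unknown rating {raw!r} from {scanner}")
    return level


def scanner_failures(findings: Dict[str, Dict[str, Raw]],
                     exploited: List[str],
                     threshold: str = "medium") -> Dict[str, List[str]]:
    """Per scanner, the exploited vulnerabilities it failed on.

    A failure is either no report at all or a report rated at or below
    `threshold` (medium, as the thesis defines it)."""
    limit = LEVELS.index(threshold)
    return {
        scanner: [v for v in exploited
                  if LEVELS.index(normalize(scanner, report.get(v))) <= limit]
        for scanner, report in findings.items()
    }


def coverage_table(findings: Dict[str, Dict[str, Raw]],
                   vulns: List[str]) -> List[List[str]]:
    """Rows in the style of Table 2: 'x' wherever a scanner reported anything,
    regardless of the priority it gave."""
    scanners = list(findings)
    rows = [["Vulnerability"] + scanners]
    for v in vulns:
        rows.append([v] + ["x" if findings[s].get(v) is not None else ""
                           for s in scanners])
    return rows


# Four vulnerabilities chapter 9 says were used to gain access. Constructed
# from the text; None means the text says the scanner reported nothing.
EXPLOITED = ["DCOM", "WWW cmd.exe", "LSASS.EXE", "IIS.printer"]
FINDINGS: Dict[str, Dict[str, Raw]] = {
    "Retina":   {"DCOM": "critical",      # "set to the highest alert"
                 "WWW cmd.exe": None,
                 "LSASS.EXE": "high",     # reported; level ASSUMED
                 "IIS.printer": "high"},  # "the priority is set to High"
    "Nessus":   {"DCOM": None,            # Table 2 marks only one scanner
                 "WWW cmd.exe": "high",   # found via Nikto; level ASSUMED
                 "LSASS.EXE": None,
                 "IIS.printer": "high"},  # "second highest priority"; ASSUMED
    "Netrecon": {"DCOM": 19,              # "19 out of 100", generic open port
                 "WWW cmd.exe": None,
                 "LSASS.EXE": None,
                 "IIS.printer": 39},      # "39 out of 100"
    "ISS":      {"DCOM": None,
                 "WWW cmd.exe": None,
                 "LSASS.EXE": "high",     # reported; level ASSUMED
                 "IIS.printer": None},    # only a low note that IIS runs
}

if __name__ == "__main__":
    for row in coverage_table(FINDINGS, EXPLOITED):
        print(f"{row[0]:<24}" + "".join(f"{c:<10}" for c in row[1:]))
    for scanner, missed in scanner_failures(FINDINGS, EXPLOITED).items():
        print(f"{scanner}: failed on {missed or 'nothing'}")
```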

Chapter 10 Conclusion

One conclusion that can be made from the combination of the literature study and the tests is that some vulnerability controls can be effective, but not sufficient. To provide assurance of an appropriate level of confidentiality, integrity and availability of information, vulnerability assessments are important mechanisms through which organisations can identify potential security exposures. Routine self assessments in combination with penetration tests help identify security critical areas and provide a good picture of how security is managed and improved. But it must not be forgotten that these tools do have limitations.

The thesis describes the effort to find out to what extent a vulnerability scanner can be used to secure a network. To answer this question the requirements for a computer network have been examined theoretically and practically, and the most common vulnerabilities that a computer network can be exposed to have been defined. The concept of a vulnerability scanner fits very well into the theoretical part, with the description of a tool to be trusted when new threats are encountered and these threats have to be found in order to maintain full service in an organisation's network. It can also be used in network security tests, for instance as a subset of a penetration test, since it in general finds vulnerabilities that can be exploited to gain access to a computer network. The errors it finds are also very well described and therefore easy to grasp for a user with average knowledge of computer networks. However, the author cannot find one vulnerability scanner that can be used as the only scanner tool when assessing the security of a computer network. The findings in this thesis point to the conclusion that even though scanners are working with the best intentions, the results of the scans are far too insecure to be trusted. Some errors are reported with a lower priority than they deserve or they are missed altogether.

To interpret the result of a scan and to be able to read between the lines, knowledge up to almost expert level in computer networks and security is necessary. This level of knowledge must also be used to judge the possibility of a false positive, a problem that increases the insecurity of the scanner tool. The reports from a scan over a class C network, like the one used in the laboratory for this thesis, were over 100 pages long for each scanner, and there were only 11 hosts present in the network. With patching the number of pages would have decreased, but on the other hand scanning a full class C network with up to 255 hosts would create a lot of information to go through. The way that the scanner manages priorities and reports the data collected is very important for a successful scan. Some scanners tested had different ways of presenting the findings in the GUI. How the data should be presented is a matter of opinion of the person set to interpret it. But it must be taken into consideration by a person that is set to use the scanner. The generation of reports is also important to consider since it differs between scanners. Some scanners even had problems with correctly generating a readable report.

The test with vulnerability scanners versus the penetration test shows that scanners not only miss severe vulnerabilities, they also miss information that can be used to access a system. Again, it is pointed out that it takes almost expert level to interpret the result. A vulnerability scanner is a tool that a network administrator can live without. But if it is part of the toolbox it can be run regularly, and if it finds one or more vulnerabilities, see it as a bonus. In an organization, when the computer administration has their hands full with daily activities, there is often no time for analyzing all output from a scan. Instead administrators are probably going to fix the vulnerabilities with the highest priorities. But this thesis shows, by testing several vulnerability scanners, that this is not enough for securing a system since the vulnerabilities are not always correctly prioritized by the scanners. As a conclusion it can be said that a vulnerability scanner does not give a network administrator enough control over the security status of the network.

Initially a part of the goal of this thesis was to find guidelines for keeping a network secure with a vulnerability scanner. During the tests of the vulnerability scanners, to the author's disappointment, it turned out that this kind of product did not have the maturity to be a tool for securing a network, due to the findings stated above. Therefore the thesis had to be directed at the weaknesses of this kind of product.

Bibliography:

[1] H.S. Venter, J.H.P. Eloff, (2004), Vulnerability forecasting, a conceptual model, University of Pretoria, SA, Department of Computer Science
[2] Citadel Security Software Inc., page visited
[3] page visited
[4] A. Stewart, (2004), On risk: perception and direction, Computers & Security
[5] Tony Howlett, (2004), Open Source Security Tools, Prentice Hall
[6] William Stallings, (2003), Network Security Essentials, Pearson Education
[7] Roberta Bragg, (2003), CISSP Training Guide, Que Corporation
[8] Richard C. Linger, Howard F. Lipson, et al., Life cycle models for survivability
[9] Joel Scambray, Stuart McClure, George Kurtz, Hacking Exposed: Network Security Secrets and Solutions, 3rd Edition, Foundstone Inc.
[10] SITIC, Praktisk nätverksdesign, FR04-04
[11] Bill English, Securing Exchange 2000 Server E-mail, 2002, whitepaper
[12] C. Andrews, (2005), The five Ps of patch management, Computers & Security
[13] SITIC, Hantering av programrättningar och systemuppdateringar, FR03-02
[14] page visited
[15] Richard C. Linger, Howard F. Lipson, John McHugh, Nancy R. Mead and Carol A. Sledge, Life Cycle Models for Survivable Systems, October 2002, Technical Report, CMU/SEI TR-026, ESC-TR
[16] John Wack, Miles Tracy, Murugiah Souppaya, Guideline on Network Security Testing, 2003, NIST Special Publication, SP pdf
[17] Michael Gunn, War dialing, 2002, SANS Institute, reading room
[18] Jessica Lowery, Penetration Testing: The Third Party Hacker, 2002, v1.3, SANS Institute, reading room
[19] Marco de Vivo, Eddy Carrasco, Germinal Isern and Gabriela O. de Vivo, A review of port scanning techniques, 1999
[20] Jay Beale, Haroon Meer, Roelof Temmingh, Charl Van Der Walt, Renaud Deraison, Nessus Network Auditing, 2004
[21] Chris Trowbridge, An Overview of Remote Operating System Fingerprinting, 2003, v1.4b, SANS Institute, reading room
[22] page visited
[23] Retina manual, page visited
[24] Netrecon manual, page visited
[25] ISS User Guide, page visited
[26] FER%20OVERFLOW, page visited
[27] page visited
[28] page visited
[30] page visited
[31] page visited
[32] Anderson, Robert H., Hearn, Anthony C., & Hundley, Richard O., RAND Studies of cyberspace security issues and the concept of a U.S. minimum essential information infrastructure, Proceedings of the 1997 IEEE Information Survivability Workshop, San Diego, California, Feb 1997, Los Alamos, CA: IEEE Computer Society

Appendix A Policies for the network

Organisation policies; as an example, these could cover things such as whether the users should be able to reach the network from home or when travelling.

Planning the IP addresses; if the network grows with new connections and functions, a well defined plan for IP addresses can help when the network expands.

Segmentation of the network; to be able to control the access to different services, all internal servers should be on a dedicated connection.

Service nets; traffic that takes a lot of bandwidth, like backup copies, file copies, synchronisations, monitoring, etc., might demand a dedicated line.

Security copies; depending on the priorities of the organisation as to what information is important, more or less information might demand security copying. It must also be taken into consideration how the security copying should be done, either locally or through the network.

Time synchronisation of the servers; when an incident has taken place it is vital that the servers have a common conception of the current time to facilitate the reconstruction of the incident.

Security zones, DMZ (Demilitarized Zones); some services are only to be used on specific parts of the system. By dividing the network into security zones it can be made sure that, for example, a service that can be reached from the Internet is not in the same zone as a service that should not be reached from the Internet. The zones can be classified as follows:

Secure zone, the internal network: the only allowed traffic is the one that has been started from within.
Protected zone (DMZ): traffic can be allowed in from the Internet and from the internal network.
Unsafe zone, the Internet: all traffic is allowed in all directions.

Choice of platform and support agreement are also issues that should be taken into consideration. The choice of platform and operating system should be made in accordance with the needs of the organisation and the knowledge base in the organisation. Since different retailers offer different kinds of support agreement, the differences should be considered to minimize disturbances when problems occur. [10]

Appendix B Foot printing a network

In order to make a successful attack, or hack, the target must be foot printed. This is something that is hard to defend against since most organisations, in order to be successful, must be present on the Internet and in other sorts of media. The foot printing mostly does not involve any illegal activities or directly disturb the services of the network. But since a successful foot printing often leads to a successful hack, steps must be taken to constrain and control the information that can be reached.

Most companies and organisations have a website where all sorts of information can be gathered. Information like:

Related companies or organisations
Merger or acquisition news
Phone numbers
Contact names and addresses
Privacy or security policies indicating the security level of the target
Links to other web servers related to the organisation

It can also be useful to look for that kind of information by checking the HTML code of the websites for source code comments. Additionally, articles about security incidents in the organisation might also be available by using a common search engine. Search engines can also be used as a source to find sites that have links back to the target domain, or sites that are not sanctioned but stored within the target domain. These sites can also contain information related to the organisation, or the web servers can be vulnerable to exploits and therefore constitute a major threat.

Mergers with other organisations are something most companies are proud of, since a merger represents growth and the outside world is quickly informed. But network mergers can be hard to make secure, so information about mergers with other entities can be interesting for an attacker.

With a program like Whois the domain names of a network associated with the target company can be identified. The domain names represent the company's presence on the Internet. There are a number of different Whois databases that can be queried for information related to domain names. A number of registrars exist for domain names but only one contains information about one specific network. Whois can be executed with different queries; the following types exist:

Registrar, displays specific registrar information and associated Whois servers
Organisational, displays all information related to a particular organisation
Domain, displays all information related to a particular domain
Network, displays all information related to a particular network or a single IP address
Point of contact (POC), displays all information related to a specific person, typically the administrative contact

When the domains have been identified the DNS (Domain Name System) server can be queried. The DNS maps IP addresses to hostnames. A DNS server can have a couple of vulnerabilities that need to be adjusted in order to make it harder to gain network specific information. The DNS server can have a misconfiguration allowing unauthorized persons to perform a DNS zone transfer. If the master DNS server is unavailable a second server must be able to take its place and perform a DNS zone transfer so that all network information is transferred. A common misconfiguration is that the server gives its information to anyone who asks for it. If the organisation doesn't distinguish between public and private DNS information it could end up giving away internal IP addresses and hostnames, which is very vital information. One countermeasure could be that the firewall or packet router filters deny all unauthorised inbound connections to TCP port 53. Other solutions exist to counter this problem.

Appendix C Why patching

The necessity of patch management became obvious when the Slammer worm was released. The Slammer worm doubled the number of infected servers every 8 seconds and the cost of the worm was approximately 500 million. Most of the damage done could have been avoided if the patch that had been available for six months had been installed on the target servers. [5]

Howlett [5] states that in the year 2004 there were more than 4000 vulnerabilities published; looking into every one of them would take hundreds of man hours. Not all networks are affected but still the list has to be traversed. A threat that is getting bigger is the decreasing time period between the time of vulnerability discovery and vulnerability exploit. The Blaster worm in the year 2004 was released just 18 days after discovery.

To meet the threat Andrews [12] made up a set of 5 points to avoid time consuming last minute patching and instead have patching as a part of the security management strategy. The 5 points are:

Plan: it is important to know what the potential vulnerabilities are and where they are. A risk assessment should be done on the network and the critical services prioritised.

Prioritise: not everything can be patched right away. New patches have been known to induce instability into software. The services in a network most likely to be attacked first should have a higher priority.

Policy: from the risk assessment, conclusions about what parts of the system are essential for the network (which parts can wait, and in what order should the systems be patched?) should be made and a specific patching policy produced. At the beginning of the patching policy there should be a procedure for assessing and distinguishing the severity of new alerts, and the policy is then divided into two different parts, one for critical patches and one for non critical patches.

Performance: some patches need to be tested in the environment before being installed. Manufacturers often test the patches before releasing them, but they have probably not tested them in every possible environment.

Products: there are products for dedicated patch and vulnerability management, but there are some issues that need to be checked:

Are the patches secure and signed for authenticity?
If the system grows, does the product guarantee scalability?
Does the vendor test the patches before shipping?
Is there a patch library available?
Is there multiple platform support?
Is the patching prioritized at the vendor?
Can the patch be rolled back if problems occur?

Risks with updates

Before installing, the necessity of the update should be analysed, since the negative consequences of the update could be, for example, that some parts of the system become incompatible, services go offline or that new program errors and vulnerabilities are introduced. After reviewing the benefits of the update and considering things like compatibility, hardware and performance, the organisation must evaluate if the update should be done considering the risk to the existing network security and services. SITIC states that patching is only one of the cornerstones in the building of a secure network, but it can help in reducing the number of vulnerabilities that will occur. [13]

So, why don't people patch their systems when new system updates and service packs are released? If they did, it would be a lot harder to break into systems. There are many reasons for this; according to Howlett [5] a couple of reasons are suggested:

IT does not show any profit. Companies often want to keep a minimum of IT personnel and it is extra hard for IT security personnel to show any ROI (Return On Investment). Also the trend of outsourcing IT maintenance is not raising the bar of security, since the outsourcing company often has as its priority to keep things running and not to secure the system.

As mentioned, system stability has often got a higher priority than securing the system. There is also the problem of keeping a good testing environment to test all patch releases before they go live.

Too many patches to install with a minimum of IT staff. Patches from Microsoft are often released at least once a month. For system administrators this work is often laid on top of the normal system administration.

Ignorance: many system administrators are simply not aware that a system fix exists or that a patch has been released. With Microsoft automatic update this problem has started to decrease, but for other smaller vendors that do not have automatic updating it is still a problem. Microsoft has several patching managers that do not communicate with each other, so parts of the problem still exist. [5]

CVE, Common Vulnerabilities and Exposures

CVE is a naming convention for security vulnerabilities. The goal is to make it easier to share data across separate vulnerability capabilities. Often different applications suffer from the same vulnerability. The CVE name of the exploit can help in acknowledging the problem, and the naming policy helps in spreading and communicating the problem. When a potential vulnerability or exposure is discovered, that information is given a Candidate number, or CAN number, which means that it is under review and has not reached the status of CVE. It is the MITRE Corporation that has taken the initiative for the CVE naming convention; it is also sponsored by the Department of Homeland Security and US-CERT. A CVE entry contains the standard name with status indicator, a short description of the vulnerability and references to related vulnerability reports and advisories. When this is written (060111) there are unique CVE names. [14]

The Bugtraq mailing list is hosted and organised by the vendor SecurityFocus. The list is a forum for discussions and announcements of security vulnerabilities in depth. When a new vulnerability is discovered it is recommended that the vendor gets one week to fix the exploit before it goes public and is published in the Bugtraq forum. This means that vendors have to fix the problem fast and that the general public gets informed of the problem. Sharing information means that the public can benefit and learn from others' mistakes and can both test the weakness and also verify if it is present in more applications than the one presented. [14]


CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

86-10-15 The Self-Hack Audit Stephen James Payoff

86-10-15 The Self-Hack Audit Stephen James Payoff 86-10-15 The Self-Hack Audit Stephen James Payoff As organizations continue to link their internal networks to the Internet, system managers and administrators are becoming increasingly aware of the need

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows) Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network

More information

FIREWALL POLICY November 2006 TNS POL - 008

FIREWALL POLICY November 2006 TNS POL - 008 FIREWALL POLICY November 2006 TNS POL - 008 Introduction Network Security Services (NSS), a department of Technology and Network Services, operates a firewall to enhance security between the Internet and

More information

Codes of Connection for Devices Connected to Newcastle University ICT Network

Codes of Connection for Devices Connected to Newcastle University ICT Network Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes

More information

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006 CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Exam 1 - CSIS 3755 Information Assurance

Exam 1 - CSIS 3755 Information Assurance Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel [email protected] http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

SECURITY TRENDS & VULNERABILITIES REVIEW 2015 SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ [email protected] +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ [email protected] +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 What is a firewall? Firewalls are programs that were designed to protect computers from unwanted attacks and intrusions. Wikipedia

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Web Security School Final Exam

Web Security School Final Exam Web Security School Final Exam By Michael Cobb 1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet? a. IIS Admin

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities Objectives After reading this chapter and completing the exercises, you will be able to: Describe vulnerabilities of Windows and Linux operating systems Identify specific vulnerabilities and explain ways

More information

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad Vulnerability Assessment and Penetration Testing CC Faculty ALTTC, Ghaziabad Need Vulnerabilities Vulnerabilities are transpiring in different platforms and applications regularly. Information Security

More information

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson Nessus A short review of the Nessus computer network vulnerability analysing tool Authors: Henrik Andersson Johannes Gumbel Martin Andersson Introduction What is a security scanner? A security scanner

More information

What is Web Security? Motivation

What is Web Security? Motivation [email protected] http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Database Security Guide

Database Security Guide Institutional and Sector Modernisation Facility ICT Standards Database Security Guide Document number: ISMF-ICT/3.03 - ICT Security/MISP/SD/DBSec Version: 1.10 Project Funded by the European Union 1 Document

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

Understanding Security Testing

Understanding Security Testing Understanding Security Testing Choosing between vulnerability assessments and penetration testing need not be confusing or onerous. Arian Eigen Heald, M.A., Ms.IA., CNE, CISA, CISSP I. Introduction Many

More information

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004 CSE331: Introduction to Networks and Security Lecture 32 Fall 2004 Hackers / Intruders External attacks Typical hacker Exploits carried out remotely Does not have an account on the remote machine Insider

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds [email protected] What is Firewall? A firewall

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor [email protected] January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor [email protected] January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

NETWORK PENETRATION TESTING

NETWORK PENETRATION TESTING Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 [email protected] OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes

More information

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions Security Awareness For Server Administrators State of Illinois Central Management Services Security and Compliance Solutions Purpose and Scope To present a best practice approach to securing your servers

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: [email protected] 1 2

More information

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background: 1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus

More information

Developing Network Security Strategies

Developing Network Security Strategies NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information