A Selection of Network Penetration Test Tools




by (martin06@ru.is)

Abstract

This paper presents some of the tools required for a network penetration test. All parts of the test are covered, from the first phase of getting DNS information and IP addresses without making suspicious connections to the target, to the last phase of trying to get control over the target. All the software tools I present here are freely available on the Internet, which makes it possible for the interested reader to try them. The tools presented: Ping, Traceroute, NMAP, John the Ripper, Firewalk, Nessus and the Metasploit Framework.

Keywords

Penetration test, network, black- and whitehat

Index

Abstract
Keywords
Index
Introduction
OS built-in tools
  Ping
  Traceroute
  DNS Information
NMAP
John (the Ripper)
Firewalk
Nessus
The Metasploit Framework

Introduction

Computer security is getting more and more important in our computerized world. Computers penetrate almost every possible part of our lives, and different networks merge together into the Internet. A few years ago, the Internet and the cell phone networks were separate. Nowadays, you can surf with a cell phone and carry voice over the Internet without any problems, and in the near future those networks may become one.

Every computer and every network connected to the Internet is a possible target for attackers with bad intentions, often called blackhats or crackers. Sensitive information needs to be protected, and a penetration test on the systems holding sensitive information should be carried out frequently. Poorly patched systems and bad passwords can make it very easy to break into a system. Whitehats, on the other hand, are computer security professionals who carry out attacks on systems with the intention of finding possible security holes and closing them, making the system more secure.

The tools in this paper are described in the chronological order of such a penetration test. It starts with the really basic tools that most operating systems already have built in after installation, which are used to identify a target. Then, after the target has been identified, it is important to know what services it is running, and then use exploits in them to gain control. There are a lot more security-related tools available on the Internet, like sniffers (Ethereal, TCPDump, ...), penetration test live CDs (WHAX, BOSS, AnonymOS, ...), Trojans (Back Orifice, NetBus, ...) and more. In the case of a penetration test with physical access to the machine, a totally different set of tools would be used.

The examples of the tools described in this paper were run on an 800 MHz Linux server with 512 MB RAM, called opportunity, running Debian 3.1 sarge.

Although all the tools are available on the Internet, their use might be prohibited by law in some countries, and attacking computers without the proper permission can be seen as a crime.

OS built-in tools

Ping

Ping is a program for determining whether a host in an IP network is up and what its response time is. It sends an ICMP Type 8 (Echo Request) packet to the target host, which answers with an ICMP Type 0 (Echo Reply). If the host is down or currently unreachable, the router responsible for the host answers with an ICMP Type 3 (Destination Unreachable) packet. For security reasons, many systems (routers as well as computers) are configured not to answer ICMP requests, making it more difficult to find out whether the target host is up. ICMP is, like TCP and UDP, a protocol of the Internet protocol (IP) suite.

    martin@opportunity:~$ ping www.google.com
    PING www.l.google.com (66.249.87.104) 56(84) bytes of data.
    64 bytes from 66.249.87.104: icmp_seq=1 ttl=242 time=46.1 ms
    64 bytes from 66.249.87.104: icmp_seq=2 ttl=242 time=40.3 ms
    64 bytes from 66.249.87.104: icmp_seq=3 ttl=242 time=39.2 ms
    64 bytes from 66.249.87.104: icmp_seq=4 ttl=242 time=51.1 ms

    --- www.l.google.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3002ms
    rtt min/avg/max/mdev = 39.252/44.209/51.155/4.795 ms

Example 1: ping www.google.com

Traceroute

Traceroute on Linux (and tracert on Windows) is a tool to determine the path to a particular host. It achieves this by sending out packets with incrementing time to live (TTL) values. The IP TTL field is used to limit the lifetime of datagrams across the Internet and is decremented just before a router forwards a packet. If this decrement would bring the TTL to 0 or less, the router in question sends an ICMP Type 11 (Time Exceeded) error message back to the originating host. So the first packet has a TTL of 1, the second a TTL of 2, and so on, and every hop on the path to the target sends such an ICMP error message back. From these error messages, a list of the hosts on the route to the target can be produced. Traceroute is often used for network troubleshooting and penetration testing, as it reveals useful information about the network infrastructure and IP ranges around a given host.

    martin@opportunity:~$ traceroute www.google.com
    traceroute: Warning: www.google.com has multiple addresses; using 66.249.87.99
    traceroute to www.l.google.com (66.249.87.99), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  0.851 ms  0.683 ms  0.719 ms
     2  chello084114164001.5.15.vie.surfer.at (84.114.164.1)  19.395 ms  9.188 ms  12.146 ms
     3  at-vie-pe-sr15a-ge-3-1.upc.at (212.17.116.66)  13.342 ms  31.340 ms  34.888 ms
     4  212.17.99.121 (212.17.99.121)  19.504 ms  17.504 ms  7.461 ms
     5  212.17.99.17 (212.17.99.17)  9.467 ms  8.403 ms  17.216 ms
     6  * * *
     7  at-vie01a-rd1-ge-13-0.aorta.net (213.46.173.129)  17.105 ms  17.917 ms  19.361 ms
     8  at-vie15a-rd1-ge-15-0.aorta.net (213.46.173.138)  19.665 ms  8.960 ms  19.041 ms
     9  213.46.160.249 (213.46.160.249)  40.084 ms  37.999 ms  32.869 ms
    10  uk-lon01a-rd2-pos-5-0.aorta.net (213.46.160.237)  45.935 ms  56.617 ms  45.009 ms
    11  213.46.174.142 (213.46.174.142)  38.507 ms  62.577 ms  50.828 ms
    12  * * *
    13  po12-0.loncr3.london.opentransit.net (193.251.242.169)  146.214 ms  167.533 ms  132.358 ms
    14  google-1.gw.opentransit.net (193.251.249.82)  43.241 ms  37.081 ms  60.188 ms
    15  72.14.238.246 (72.14.238.246)  42.792 ms  43.805 ms 72.14.238.242 (72.14.238.242)  38.538 ms
    16  66.249.87.99 (66.249.87.99)  38.128 ms  41.522 ms  47.439 ms

Example 2: traceroute www.google.com

DNS Information

Nslookup, host and dig are three tools to get data about a target using the Domain Name System (DNS). Nslookup is available for Windows and Unix, host and dig only for Unix. DNS can provide a lot of useful information, e.g. identifying target IP ranges, mail servers, system information, the service provider, and more. The nice thing about this information is that it is not located at the target but distributed, making it impossible to find you because of your queries.
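The Ping and Traceroute sections above rest on a handful of ICMP message types: the Echo Request (Type 8) that ping sends, the Echo Reply (Type 0) it waits for, and the Time Exceeded (Type 11) and Destination Unreachable (Type 3) errors a router emits, each of which quotes the header of the datagram that triggered it. The following Python is an added example, not code from the paper: it builds a ping probe with the RFC 1071 checksum, constructs sample answers (the target's Echo Reply and a router's Time Exceeded, both made up here), and shows how a receiver verifies the checksum and attributes a response to its own probe via the identifier and sequence number in the quoted header. Addresses and the identifier are constructed values.

```python
import socket
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd length zero-padded.
    Verifying a message that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Type 8 as ping sends it: type, code, checksum, identifier, sequence, data.
    With 56 data bytes this is the 64-byte message behind ping's '56(84) bytes' line."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) for the probe datagram, so the
    constructed router error below has something realistic to quote."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                         ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", inet_checksum(fields)) + fields[12:]


def echo_reply_for(request: bytes) -> bytes:
    """Constructed sample of the target's Type 0 answer: same id/seq/data, type changed."""
    body = bytes([ICMP_ECHO_REPLY, 0, 0, 0]) + request[4:]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def router_time_exceeded(expired_datagram: bytes) -> bytes:
    """Constructed sample of what a hop emits when it decrements the TTL to 0: Type 11,
    code 0, four unused bytes, then the IP header and first 8 bytes of the dead datagram."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired_datagram[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_response(msg: bytes, my_ident: int) -> dict:
    """What ping/traceroute do on receipt: reject bad checksums, classify by type, and
    for Type 3/11 dig the original probe's id/seq out of the quoted datagram so the
    error can be attributed to the right outstanding probe."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("short ICMP message or bad checksum")
    icmp_type, code = msg[0], msg[1]
    if icmp_type == ICMP_ECHO_REPLY:
        ident, seq = struct.unpack("!HH", msg[4:8])
        return {"kind": "echo-reply", "ident": ident, "seq": seq,
                "matches": ident == my_ident}
    if icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        quoted = msg[8:]                       # original IP header + >= 8 payload bytes
        ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        if ihl < 20 or len(quoted) < ihl + 8:
            raise ValueError("error message quotes too little of the original datagram")
        q_type, _, _, ident, seq = struct.unpack("!BBHHH", quoted[ihl:ihl + 8])
        kind = "time-exceeded" if icmp_type == ICMP_TIME_EXCEEDED else "dest-unreachable"
        return {"kind": kind, "code": code, "ident": ident, "seq": seq,
                "matches": q_type == ICMP_ECHO_REQUEST and ident == my_ident}
    return {"kind": "other", "type": icmp_type, "code": code, "matches": False}


if __name__ == "__main__":
    # Constructed probe: TTL 1 like traceroute's first packet, 56 data bytes like ping's default.
    probe = build_echo_request(ident=0x2A2A, seq=1, payload=b"\x00" * 56)
    datagram = build_ipv4_header("192.168.1.200", "66.249.87.104", 1, len(probe)) + probe
    print(parse_icmp_response(echo_reply_for(probe), 0x2A2A))
    print(parse_icmp_response(router_time_exceeded(datagram), 0x2A2A))
```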
All three tools (nslookup, host and dig) can be used to retrieve all the data stored on a name server for a specific domain, a so-called DNS zone transfer. A zone transfer can often be launched to reveal details of non-public internal networks and other useful information that helps to build an accurate map of the target infrastructure.

    martin@opportunity:~$ dig ru.is MX

    ; <<>> DiG 9.2.4 <<>> ru.is MX
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62372
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;ru.is.                         IN      MX

    ;; ANSWER SECTION:
    ru.is.                  120     IN      MX      20 mx1.svaka.net.
    ru.is.                  120     IN      MX      10 mailgw.ru.is.

    ;; ADDITIONAL SECTION:
    mailgw.ru.is.           43200   IN      A       130.208.240.60

    ;; Query time: 137 msec
    ;; SERVER: 195.34.133.21#53(195.34.133.21)
    ;; WHEN: Sun Mar 19 20:34:27 2006
    ;; MSG SIZE  rcvd: 91

Example 3: Identifying the mail servers of Reykjavik University, mx1.svaka.net and mailgw.ru.is

NMAP

NMAP is an open source project for network exploration and security auditing. It is able to scan large networks quite fast, but it also works fine for a single host. By sending raw IP packets, NMAP is able to determine which hosts on a network are up, which ports are open and which services are running on the hosts, whether there are any firewalls and what their rules are, and more. It also finds out which operating system and version is running on the target by analyzing the TCP/IP stack and the services offered by the target (a technique known as fingerprinting). It offers a wide range of scanning techniques, including stealth techniques that do not complete the TCP connection, or that abuse the TCP protocol by sending packets that are impossible at the beginning of a normal TCP conversation. An example is the Null Scan option, which sends packets with an empty TCP flags field (all bits are 0).

    opportunity:~# ./nmap -sN -A 127.0.0.1

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-20 11:44 CET
    Interesting ports on localhost.localdomain (127.0.0.1):
    (The 1662 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
    25/tcp   open  smtp        Exim smtpd 4.50
    80/tcp   open  http        Apache httpd 2.0.54 ((Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-16 mod_perl/1.999.21 Perl/v5.8.4)
    111/tcp  open  rpcbind     2 (rpc #100000)
    113/tcp  open  ident       OpenBSD identd
    139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    766/tcp  open  status      1 (rpc #100024)
    1241/tcp open  ssl         Nessus security scanner
    5432/tcp open  postgresql  PostgreSQL DB
    Device type: general purpose
    Running: Linux 2.4.X 2.5.X 2.6.X
    OS details: Linux 2.5.25-2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
    Uptime 5.864 days (since Tue Mar 14 15:01:02 2006)
    Service Info: OS: OpenBSD

Example 4: Stealth NMAP Null Scan of Opportunity

The OS fingerprinting and the service versions are very useful, as they can reveal poorly patched services and systems. Using a vulnerability scanner like Nessus (described later), well-known exploits for these old services and unpatched systems can be discovered and may be abused to get control over the system. Another nice feature is the -T parameter, which lets the user choose a timing template, specifying whether the scan should be very fast (-T 5) or really slow (-T 0) to avoid detection by intrusion detection systems. The default timing template is -T 3. NMAP is used in the movie The Matrix Reloaded by Trinity to scan the computer of a power plant [3].

    opportunity:~# ./nmap -O 192.168.1.0/24

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-20 12:14 CET
    Interesting ports on 192.168.1.1:
    (The 1670 ports scanned but not shown below are in state: closed)
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    MAC Address: 00:13:10:2F:E6:7E (Cisco-Linksys)
    Device type: general purpose
    Running: Linux 2.4.X 2.5.X
    OS details: Linux 2.4.0-2.5.20
    Uptime 72.623 days (since Fri Jan 6 21:17:05 2006)

    Interesting ports on 192.168.1.200:
    (The 1663 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    111/tcp  open  rpcbind
    113/tcp  open  auth
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    766/tcp  open  unknown
    1241/tcp open  nessus
    5432/tcp open  postgres
    Device type: general purpose
    Running: Linux 2.4.X 2.5.X 2.6.X
    OS details: Linux 2.5.25-2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3-2.6.10
    Uptime 5.884 days (since Tue Mar 14 15:01:02 2006)

    Nmap finished: 256 IP addresses (2 hosts up) scanned in 12.189 seconds

Example 5: Scanning the sub-network 192.168.1.0-255 with OS detection

John (the Ripper)

John the Ripper is a fast password cracker, currently available for almost every platform. It supports most Unix password hash functions, as well as Kerberos and Windows 2000/XP LM hashes, and more. Its purpose is to detect weak passwords. System passwords in Windows are stored in the SAM database, in Linux in /etc/shadow, which can only be read by root.

    aa:$1$kctu9.rd$y3vub0crk0ggkb5kghicy.:13221:0:99999:7:::
    top:$1$kqs5m2pr$n043g3ynhlfzoa9czxjda.:13221:0:99999:7:::
    john:$1$m7hk6/zi$6s3gqncqej2eluspe7gag/:13221:0:99999:7:::
    paul:$1$mmo8jxij$uctmchyxl4/enhfpatze00:13221:0:99999:7:::
    walter:$1$jjtzttxz$54o4uaq1pnwzjsyh15hof1:13221:0:99999:7:::
    linda:$1$dwnln1r0$inxbqabbr11r4ijb7prdb/:13221:0:99999:7:::
    paolo:$1$dykjspfz$upbv56t3p1h5m4pcfcr81.:13221:0:99999:7:::
    oracle:$1$lfmgdrrm$mjmhdknx5xepcoyv3ghgs0:13221:0:99999:7:::
    sandy:$1$5kuyryuf$js2wpkuvptdc7vrysikou0:13221:0:99999:7:::
    temp:$1$si.rrxz4$0fdnl4dsqad1dvtfkwwcu1:13221:0:99999:7:::

Example 6: Part of /etc/shadow, showing the test users and their hashed passwords

John supports three different modes for cracking passwords: single crack, dictionary attack and incremental mode.

1. Single crack: the most basic mode, which runs first when no specific mode was requested. It uses the login names, the users' home directories and any other information saved for that user in the /etc/passwd file, and applies a large set of mangling rules.

2. Dictionary attack: a dictionary file is a file containing one word per line.
   A quite big one, containing about 4 million words from several languages, can be found at ftp://ftp.openwall.com/pub/wordlists/all.gz.

3. Incremental mode: this is the most powerful mode; it tries all possible character combinations as passwords. Cracking in this mode will never terminate, because of the enormous number of combinations. You can specify the set of characters used.

For the first experiment, 10 users were added and John ran for 48 hours:

    Username  Password    Cracked  Time
    aa        test        yes      15s
    top       secret      yes      15s
    john      aek25bk     no       ---
    paul      england     yes      2m
    walter    UKW!25bf    no       ---
    linda     god         yes      <100m
    paolo     limewire    no       ---
    oracle    oracle      yes      1s
    sandy     lokomotion  no       ---
    temp      Temp        yes      1s

Experiment 1: User list

After only 2 seconds, oracle and temp were cracked because of their really weak passwords. After 15 seconds, aa and top were cracked. In less than 100 minutes, Linda's password was cracked, and after restarting with a new wordlist (the big one mentioned above), Paul's password was cracked.

The second experiment was intended to show the speed of the incremental mode. John ran for about 89 hours. The number in the username equals the length of the password.

    Username  Password  Cracked  Time      Username  Password  Cracked  Time
    a1        a         yes      45s       a5        asdf1     yes      9m
    b1                  yes      5m        b5        9kk!$     no       ---
    c1        "         yes      5m        c5        l<ßb3     no       ---
    a2        a9        yes      9m        a6        franz3    no       ---
    b2        B/        yes      10h       b6        ?help8    no       ---
    c2        f.        yes      10h       c6        >yps%4    no       ---
    a3        5eü       no       ---       a7        hjan4k!   no       ---
    b3        ;op       no       ---       b7        klo!re1   no       ---
    c3        l &       no       ---       a8        ~bqr2zu=  no       ---
    a4        at+i      no       ---       b8        pia+r)l2  no       ---
    b4        #la3      no       ---
    c4        tor3      yes      19h
    d4        Qr4!      no       ---

Experiment 2: User list

Due to the quite slow CPU, the randomness of the character sequences and the big set of possible characters, only a few passwords could be cracked. For highly sensitive systems, more time and a stronger CPU would make sense, as a possible attacker might have both. System administrators should use John regularly to find weak user passwords.

Firewalk

Firewalk is a utility that can determine the filtering rules of a firewall or a packet filter. It uses traceroute-like IP packets to find out whether or not a particular packet can pass through the filter, by sending IP packets with TTL values set to expire one hop past a given gateway. If an ICMP Type 11 (TTL exceeded in transit) message comes back, the packet passed through the filter and a response was later generated. If the packet was dropped without comment, this was probably done at the gateway, although it is also possible that it passed through the filter and the target produced an ICMP error message, but the firewall is blocking outgoing ICMP packets. If an ICMP Type 13 (communication administratively prohibited) message is received, a simple filter such as a router access control list is being used. Firewalk doesn't work in networks where network address translation or any kind of proxy server is being used; it works effectively against hosts in true IP-routed environments. You need to know the IP address of the filtering device and of one host behind it to start the scan.

Nessus

Nessus is a vulnerability scanner consisting of two programs: the server program nessusd, which does the scanning, and a client, which presents the results to the user. On Unix you can connect to the server with the command line client nessus or the graphical user interface NessusClient; for Windows there is only a GUI client available, NessusWX. The result of a scan can be exported in various formats: plain text, HTML, XML or LaTeX. Every security check in Nessus is coded as a plugin written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction. More than 10,000 plugins are available by now, and new ones are generated every day. These plugins are immediately available to the direct feed customers ($1,200 per year and scanner), and are delivered seven days later to the registered feed customers (free). When performing a scan, Nessus first does a port scan to find all open ports, and afterwards tries the exploits on the open ports. It can be used to scan many hosts at a time, or even a whole network. Below is the first part of a scan report with the most important facts found by Nessus. The detailed information is truncated, as it would be far too long.

    Nessus Scan Report
    ------------------

    SUMMARY

     - Number of hosts which were alive during the test : 1
     - Number of security holes found : 0
     - Number of security warnings found : 3
     - Number of security notes found : 38

    TESTED HOSTS

     127.0.0.1 (Security warnings found)

    DETAILS

    + 127.0.0.1 :
     . List of open ports :
       o ssh (22/tcp) (Security notes found)
       o netbios-ns (137/tcp) (Security notes found)
       o general/tcp (Security notes found)
       o cycleserv (763/udp) (Security notes found)
       o sunrpc (111/udp) (Security notes found)
       o unknown (766/tcp) (Security notes found)
       o postgresql (5432/tcp) (Security notes found)
       o nessus (1241/tcp) (Security notes found)
       o microsoft-ds (445/tcp) (Security warnings found)
       o netbios-ssn (139/tcp) (Security notes found)
       o ident (113/tcp) (Security notes found)
       o sunrpc (111/tcp) (Security notes found)
       o http (80/tcp) (Security warnings found)
       o smtp (25/tcp) (Security notes found)

Example 7: Scan report without detailed information on Opportunity

The Metasploit Framework

The Metasploit Framework is an open source vulnerability exploiter. After scanning a host with NMAP for running services and checking them with Nessus for vulnerabilities, Metasploit can be used to take over the system or run any desired command with privileged rights. It is available for Windows, BSD, OS X and Linux, and is written mostly in Perl. It offers three different interfaces. The console interface was designed to be fast and flexible, offering an interactive command line; if a command is not recognized by Metasploit, it checks whether it is a system command and executes it. The command line interface in a normal shell can be used for automated exploit testing. The web interface is a stand-alone web server, offering access to the Metasploit Framework from any browser. It is really easy to use: select an exploit, specify a target, verify the exploit options, select the payload, launch the exploit. The payload is the code to run on the target, usually opening a reverse shell, adding a privileged user, or downloading and running backdoor software from the Internet. The current version, 2.5, has 125 available exploits and 75 payloads. Thanks to the modularity of exploits and payloads, it is possible to combine almost every exploit with any payload, depending only on the operating system running on the target.
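Looking back at the NMAP section: the Null scan sends TCP segments with no flags set, and the -T timing templates exist to pace probes slowly enough that rate-based intrusion detection thresholds are not tripped. The following Python is an added example from the defender's side, not code from the paper or from Nmap: over constructed sensor records it runs a sliding-window port-sweep threshold next to a flag-based signature, showing that a paranoid-pace scan slips past the threshold while a Null scan is still caught by its impossible flag byte. The addresses, timings and threshold are made-up values.

```python
from collections import Counter, defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Signature check on one segment's flag byte. A legitimate connection opens with a
    lone SYN; a segment with no flags at all is what Nmap's Null scan (-sN) sends and
    never occurs in a real TCP conversation, so it is detectable regardless of timing."""
    if flags == 0:
        return "null-scan"
    if flags == SYN:
        return "syn"
    if flags & SYN and flags & (FIN | RST):
        return "invalid-combination"   # also impossible at the start of a connection
    return "other"


def port_sweep_alerts(records, threshold: int = 10, window: float = 5.0) -> dict:
    """Rate-based heuristic: for each (src, dst) pair, count distinct destination ports
    seen inside a sliding time window; exceeding `threshold` raises an alert holding the
    peak port count. This is the kind of check a slow -T 0 scan is designed to evade."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _flags in records:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, dport in events:
            in_window[dport] += 1
            while events[left][0] < ts - window:          # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts


def make_sample_records():
    """Constructed sensor records: (seconds, src, dst, dport, flags)."""
    target = "192.168.1.200"
    # Fast Null scan: 20 ports within one second, the pace of an aggressive template.
    fast = [(100.0 + i * 0.05, "10.0.0.5", target, 1 + i, 0) for i in range(20)]
    # Same 20 ports, one probe every five minutes (the -T 0 pace), still with no flags.
    slow = [(1000.0 + i * 300.0, "10.0.0.9", target, 1 + i, 0) for i in range(20)]
    # A workstation opening ordinary connections.
    benign = [(t, "10.0.0.7", target, p, SYN) for t, p in ((50.0, 22), (51.0, 80), (52.0, 443))]
    return fast + slow + benign


def analyse(records, threshold: int = 10, window: float = 5.0) -> dict:
    """Run both detectors and report which sources each one catches."""
    rate_hits = port_sweep_alerts(records, threshold, window)
    signature_hits = sorted({src for _, src, _, _, flags in records
                             if classify_flags(flags) == "null-scan"})
    return {"rate_based": rate_hits, "null_scan_sources": signature_hits}


if __name__ == "__main__":
    result = analyse(make_sample_records())
    print("rate-based alerts:", result["rate_based"])          # only the fast scanner
    print("null-scan sources:", result["null_scan_sources"])   # fast and slow scanner
```

Widening `window` until it covers the slow scanner's whole run makes the rate detector fire on it too, at the cost of more state per source pair; the flag signature needs no window at all.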

References

[1] Chris McNab, Network Security Assessment, O'Reilly, ISBN 0-596-00611-X
[2] Firewalk Whitepaper, retrieved March 20, 2006, from http://ussrback.com/unix/audit/firewalk/firewalk-final.pdf
[3] Matrix mixes life and hacking, retrieved March 19, 2006, from http://news.bbc.co.uk/1/hi/technology/3039329.stm
[4] John the Ripper online documentation, retrieved March 16, 2006, from http://www.openwall.com/john/doc/
[5] Nessus Advanced User Guide, retrieved March 21, 2006, from http://www.nessus.org/documentation/nessus_3.0_advanced_user_guide.pdf
[6] Open-Source Security Testing Methodology Manual, retrieved March 22, 2006, from http://www.zone-h.org/files/34/osstmm.pdf
[7] BSI Studie Penetrationstest, retrieved March 20, 2006, from http://www.bsi.bund.de/literat/studien/pentest/penetrationstest.pdf
[8] Metasploit User Guide, retrieved March 21, 2006, from http://www.metasploit.com/projects/framework/docs/userguide.pdf
[9] The man pages shipped with the programs