Size: 2.39 MB
Language: en
Added: May 20, 2024
Slides: 35 pages
Slide Content
SCANNING AND ANALYSIS TOOLS
To secure a network, someone in the organization must know exactly where the network needs to be secured. Although this step may sound simple and obvious, many companies skip it. They install a perimeter firewall and then relax, lulled into a sense of security by this single layer of defense. To truly assess the risks within a computing environment, you must deploy technical controls using a strategy of defense in depth, which is likely to include IDPSs, active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (commonly referred to as sniffers).
Although some information security experts may not perceive them as defensive tools, scanners, sniffers, and other vulnerability analysis applications can be invaluable because they enable administrators to see what the attacker sees. Some of these tools are extremely complex, and others are rather simple. Some tools are expensive commercial products, but many of the best scanning and analysis tools are developed by the hacker community or open-source project teams and are available for free on the Web. As you’ve learned, an IDPS helps to secure networks by detecting intrusions; the remaining items in the preceding list help administrators identify where the network needs securing. More specifically, scanner and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network.
In the military, there is a long and distinguished history of generals inspecting the troops under their command before battle. In a similar way, security administrators can use vulnerability analysis tools to inspect the computers and network devices under their supervision. A word of caution, though: good administrators should have several hacking Web sites bookmarked and should try to keep up with chat room discussions on new vulnerabilities, recent conquests, and favorite assault techniques. Security administrators are well within their rights to use tools that potential attackers use in order to examine network defenses and find areas that require additional attention.
Scanning tools are typically used as part of an attack protocol to collect information that an attacker needs to launch a successful attack. The process of collecting publicly available information about a potential target is known as footprinting. The attacker uses public Internet data sources to perform keyword searches that identify the network addresses of an organization. Many of these scanning and analysis tools have distinct signatures, and some Internet service providers (ISPs) scan for these signatures. If the ISP discovers someone using hacker tools, it can revoke that user’s access privileges. Therefore, organizational administrators are advised to establish a working relationship with their ISPs and notify them of any plans that could lead to misunderstandings. Amateur users are advised not to use these tools on the Internet.
Footprinting - the organized research and investigation of Internet addresses owned or controlled by a target organization.
Attack protocol - a logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
This research is augmented by browsing the organization’s Web pages. Web pages usually contain information about internal systems, the people who develop the Web pages, and other tidbits that can be used for social engineering attacks. For example, the view source option on most popular Web browsers allows users to see the source code behind the graphics. Details in the source code of the Web page can provide clues to potential attackers and give them insight into the configuration of an internal network, such as the locations and directories for Common Gateway Interface (CGI) script bins and the names or addresses of computers and servers. In addition, public business Web sites such as those for Forbes or Yahoo! Business often reveal information about their company structure, commonly used company names, and other details that attackers find useful.
Furthermore, common search engines allow attackers to query for any site that links to their proposed target. By doing a bit of initial Internet research, an attacker can often find additional Internet locations that are not commonly associated with the company—that is, business-to-business (B2B) partners and subsidiaries. Armed with this information, the attacker can find the “weakest link” into the target network. For example, consider a company that has a large data center in Atlanta. The data center has been secured, so an attacker will have a difficult time breaking into it via the Internet. However, the attacker has run a “link” query on a search engine and found a small Web server that links to the company’s main Web server. After further investigation, the attacker learns that the server was set up by an administrator at a remote facility and has an unrestricted internal link into the company’s corporate data center. The attacker can attack the weaker site at the remote facility and use the compromised internal network to attack the true target. While it may seem trite or clichéd, the old saying that “a chain is only as strong as its weakest link” is very relevant to network and computer security. If a company has a trusted network connection with 15 business partners, one weak business partner can compromise all 16 networks. To assist in footprint intelligence collection, you can use an enhanced Web scanner that examines entire Web sites for valuable pieces of information, such as server names and e-mail addresses. One such scanner is called Sam Spade (see Figure 9-13), which you can obtain by searching the Web for a copy of the last version (1.14). Although antiquated, Sam Spade can perform a host of scans and probes, such as sending multiple ICMP information requests (pings), attempting to retrieve multiple and cross-zoned DNS queries, and performing network analysis queries known as traceroutes from the commonly used UNIX command.
All of these scans are powerful diagnostic and hacking activities, but Sam Spade is not considered hackerware (hacker-oriented software). Rather, it is a utility that is useful to network administrators and miscreants alike. For Linux or BSD systems, a tool called GNU Wget allows a remote user to “mirror” entire Web sites. With this tool, attackers can copy an entire Web site and then go through the source HTML, JavaScript, and Web-based forms at their leisure, collecting and collating all of the data from the source code that will help them mount an attack. The next phase of the attack protocol is a data gathering process called fingerprinting.
Fingerprinting - the systematic survey of a targeted organization’s Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range. Fingerprinting deploys various tools that are described in the following sections to reveal useful information about the internal structure and nature of the target system or network to be attacked.
PORT SCANNER
Port scanner - A type of tool used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
Port scanning utilities, or port scanners, are tools that can either perform generic scans or those for specific types of computers, protocols, or resources. You need to understand the network environment and the scanning tools at your disposal so you can use the tool best suited to the data collection task at hand. For instance, if you are trying to identify a Windows computer in a typical network, a built-in feature of the operating system, nbtstat, may provide your answer very quickly without the use of a scanner. This tool does not work on some networks, however.
The more specific the scanner is, the more useful its information is to attackers and defenders. However, you should keep a generic, broad-based scanner in your toolbox to help locate and identify unknown rogue nodes on the network. Probably the most popular port scanner is Nmap, which runs both on UNIX and Windows systems. A port is a network channel or connection point in a data communications system. Within the TCP/IP networking protocol, TCP and User Datagram Protocol (UDP) port numbers differentiate the multiple communication channels that connect to the network services offered on a network device. Each application within TCP/IP has a unique port number. Some have default ports but can also use other ports. Some of the well-known port numbers are shown in Table 9-2. In all, 65,536 port numbers are in use for TCP and another 65,536 port numbers are used for UDP. Services that use the TCP/IP protocol can run on any port; however, services with reserved ports generally run on ports 1–1023.
Port 0 is not used. Port numbers greater than 1023 are typically referred to as ephemeral ports and may be randomly allocated to server and client processes. Why secure open ports? Simply put, an attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device. As a rule of thumb, any port that is not absolutely necessary for conducting business should be secured or removed from service. For example, if a business doesn’t host Web services, there is no need for port 80 to be available on its servers.
Attack surface - the functions and features that a system exposes to unauthenticated users.
The number and nature of the open ports on a system are an important part of its attack surface. As a general design goal, security practitioners seek to reduce the attack surface of each system to minimize the potential for latent defects and unintended consequences to cause losses. At this point, we must caution that some activities performed routinely by security professionals—specifically, port scanning—may cause problems for casual system users. Even the use of the network ping command can cause issues at some organizations. Some organizations have strong policy prohibitions for activities that test network security. Many endpoint protection products trigger alarms when these activities are detected. Always ask permission from the organization’s security office before “testing” network security.
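The rule of thumb above (close every port the business does not need) can be checked on a Linux host by reading its listening sockets and comparing them with an allowlist. This is an added example, not code from the module; the /proc/net/tcp lines and the allowlist are constructed for illustration.

```python
"""Audit listening TCP sockets against an allowlist of ports the business needs.

Added example (not from the original module). It reads Linux's /proc/net/tcp
format; the sample lines below are constructed, not captured from a real host.
"""
from typing import Dict, List, Tuple

# Constructed /proc/net/tcp content: sshd on 22, a Web server on 80 (not needed
# by a business that hosts no Web services), a loopback-only SMTP listener,
# and one outbound client connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:A3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1237 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """Turn '0100007F:0050' into ('127.0.0.1', 80). The IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        found.append(decode_addr(fields[1]))
    return found


def audit_ports(proc_net_tcp: str, allowed: Dict[int, str]) -> List[str]:
    """Report listeners that are not in the allowlist.

    Loopback-only listeners are reported at lower severity: they are not part
    of the network-facing attack surface but still deserve a justification.
    """
    findings = []
    for addr, port in listening_sockets(proc_net_tcp):
        if port in allowed:
            continue
        if addr == "127.0.0.1":
            findings.append(f"INFO port {port}/tcp listens on loopback only; confirm it is needed")
        else:
            findings.append(f"WARN port {port}/tcp open on {addr}; not in allowlist, close or justify it")
    return findings


# Constructed business-need list: only remote administration is required.
ALLOWED_PORTS = {22: "remote administration (SSH)"}

if __name__ == "__main__":
    # On a real host: audit_ports(open("/proc/net/tcp").read(), ALLOWED_PORTS)
    for finding in audit_ports(SAMPLE_PROC_NET_TCP, ALLOWED_PORTS):
        print(finding)
```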
Table 9-2 Commonly Used Port Numbers
Port Number   Protocol
7             Echo
20            File Transfer (default data) (FTP)
21            File Transfer (Control) (FTP)
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
53            Domain Name System (DNS)
80            Hypertext Transfer Protocol (HTTP)
110           Post Office Protocol version 3 (POP3)
161           Simple Network Management Protocol (SNMP)
FIREWALL ANALYSIS TOOLS
Understanding exactly where an organization’s firewall is located and the functions of its existing rule sets are very important steps for any security administrator. Several tools automate the remote discovery of firewall rules and assist the administrator (or attacker) in analyzing the rules to determine what they allow and reject. The Nmap tool mentioned earlier has some advanced options that are useful for firewall analysis. For example, the option called idle scanning, which is run with the -I switch, allows the Nmap user to bounce a scan across a firewall by using one of the idle DMZ hosts as the initiator of the scan. More specifically, most operating systems do not use truly random IP packet identification numbers (IP IDs), so if the DMZ has multiple hosts and one of them uses nonrandom IP IDs, the attacker can query the server and obtain the currently used IP ID as well as the known algorithm for incrementing IP IDs.
The attacker can then spoof a packet that is allegedly from the queried server and destined for an internal IP address behind the firewall. If the port is open on the internal machine, the machine replies to the server with a SYN-ACK packet, which forces the server to respond with a TCP RESET packet. In its response, the server increments its IP ID number. The attacker can now query the server again to see if the IP ID has incremented. If it has, the attacker knows that the internal machine is alive and has the queried service port open. In a nutshell, running the Nmap idle scan allows attackers to scan an internal network as if they were on a trusted machine inside the DMZ. Firewalk is another tool that can be used to analyze firewalls. Written by noted network security experts Mike Schiffman and David Goldsmith, Firewalk uses incrementing Time-To-Live (TTL) packets to determine the path into a network as well as the default firewall policy. Running Firewalk against a target machine reveals where routers and firewalls are filtering traffic to the target host.
We must again caution that many tools used by security professionals may cause problems for casual system users. Some organizations have strong policy prohibitions against any form of hackerware, and even possessing the files needed to install it or having results from its use may be a violation that carries grave consequences. Many endpoint protection products trigger alarms for these types of tools. Always ask permission from the organization’s security office before using any tools of this nature. A final firewall analysis tool worth consideration is HPING (www.hping.org), which is a modified ping client. It supports multiple protocols and has a command-line method of specifying nearly any ping parameter. For instance, you can use HPING with modified TTL values to determine the infrastructure of a DMZ.
You can use HPING with specific ICMP flags to bypass poorly configured firewalls that allow all ICMP traffic to pass through and find internal systems. Administrators who are wary of using the same tools that attackers use should remember two important points. Regardless of the tool that is used to validate or analyze a firewall’s configuration, user intent dictates how the gathered information is used. To defend a computer or network well, administrators must understand the ways it can be attacked. Thus, a tool that can help close an open or poorly configured firewall will help the network defender minimize the risk from attack.
Operating System Detection Tools
The ability to detect a target computer’s operating system is very valuable to an attacker. Once the OS is known, the attacker can easily determine all of the vulnerabilities to which it is susceptible. Many tools use networking protocols to determine a remote computer’s OS. One such tool is XProbe, which uses ICMP to determine the remote OS. When run, XProbe sends many different ICMP queries to the target host. As reply packets are received, XProbe matches these responses from the target’s TCP/IP stack with its own internal database of known responses. Because most OSs have a unique way of responding to ICMP requests, XProbe is very reliable in finding matches and thus detecting the operating systems of remote computers. Therefore, system and network administrators should restrict the use of ICMP through their organization’s firewalls and, when possible, within their internal networks.
Vulnerability Scanners
Active vulnerability scanner - examines networks for highly detailed information; an active scanner is one that initiates traffic on the network to determine security holes.
An example of a vulnerability scanner is Nessus, a professional freeware utility that uses IP packets to identify hosts available on the network, the services (ports) they offer, their operating system and OS version, the type of packet filters and firewalls in use, and dozens of other network characteristics. Figures 9-14 and 9-15 show sample screens from Nessus. Vulnerability scanners should be proficient at finding known, documented holes, but what happens if a Web server is from a new vendor or a new application was created by an internal development team? In such cases, you should consider using a class of vulnerability scanners called black-box scanners or fuzzers.
Fuzz testing - a straightforward technique that looks for vulnerabilities in a program or protocol by feeding random input to the program or a network running the protocol. Vulnerabilities can be detected by measuring the outcome of the random inputs.
One example of a fuzz scanner is Spike, which has two primary components. The first is the Spike Proxy (www.spikeproxy.com), which is a full-blown proxy server. As Web site visitors use the proxy, Spike builds a database of each traversed page, form, and other Web-specific asset. When the Web site owner determines that enough history has been collected to completely characterize the full site, Spike can be used to check for bugs. In other words, administrators can use the usage history collected by Spike to traverse all known pages, forms, and active programs such as asp and cgibin, and then can test the system by attempting overflows, SQL injection, cross-site scripting, and many other classes of Web attacks.
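To show what "measuring the outcome of the random inputs" means in practice, here is an added example (not from the module or from Spike): a mutation fuzzer run against a small constructed binary-record parser, once with a length-handling defect and once with the check in place. The record format, both parsers and the seed input are constructed for illustration.

```python
"""Fuzz a small binary record parser and measure the outcomes.

Added example, not from the original module. The record format, the parser and
its defect are constructed for illustration: tag (1 byte), big-endian length
(2 bytes), payload, then a 1-byte additive checksum.
"""
import random
from collections import Counter
from typing import Callable, Dict, List, Tuple


def parse_record_vulnerable(data: bytes) -> dict:
    """Trusts the length field; an oversized length or a truncated record raises IndexError."""
    if len(data) < 3:
        raise ValueError("truncated header")
    length = int.from_bytes(data[1:3], "big")
    payload = data[3:3 + length]
    checksum = data[3 + length]  # defect: index never checked against len(data)
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"tag": data[0], "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, but the declared length is validated before any indexing."""
    if len(data) < 3:
        raise ValueError("truncated header")
    length = int.from_bytes(data[1:3], "big")
    if len(data) != 4 + length:
        raise ValueError("length field does not match record size")
    payload = data[3:3 + length]
    if sum(payload) & 0xFF != data[3 + length]:
        raise ValueError("bad checksum")
    return {"tag": data[0], "payload": payload}


def make_record(tag: int, payload: bytes) -> bytes:
    """Build a well-formed record to seed the fuzzer."""
    return bytes([tag]) + len(payload).to_bytes(2, "big") + payload + bytes([sum(payload) & 0xFF])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or append junk."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        del data[rng.randrange(len(data) + 1):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser: Callable[[bytes], dict], iterations: int = 500, seed: int = 1) -> Tuple[Dict[str, int], List[bytes]]:
    """Feed mutated inputs to parser and classify each outcome.

    'rejected' is the parser's own ValueError (the expected answer to malformed
    input); any other exception is a 'crash' that needs investigation.
    """
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    base = make_record(0x01, b"hello")
    outcomes: Counter = Counter()
    crashers: List[bytes] = []
    for _ in range(iterations):
        data = mutate(base, rng)
        try:
            parser(data)
            outcomes["ok"] += 1
        except ValueError:
            outcomes["rejected"] += 1
        except Exception:
            outcomes["crash"] += 1
            crashers.append(data)
    return dict(outcomes), crashers


if __name__ == "__main__":
    for name, parser in (("vulnerable", parse_record_vulnerable), ("fixed", parse_record_fixed)):
        counts, crashers = fuzz(parser)
        print(name, counts, "first crasher:", crashers[0].hex() if crashers else None)
```

The crashing inputs the fuzzer saves are the "proof" a developer needs to reproduce and fix the defect; the fixed parser turns every one of them into a clean rejection.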
A list of the top commercial and residential vulnerability scanners includes the following products:
• Nessus
• OpenVAS
• CoreImpact
• Nexpose
• GFI LanGuard
• Microsoft Baseline Security Analyzer (MBSA)
• Retina
• Secunia PSI
• Nipper
• Security Administrator’s Integrated Network Tool (SAINT)
The Nessus scanner features a class of attacks called destructive attacks. If enabled, Nessus attempts common overflow techniques against a target host. Fuzzers or black-box scanners and Nessus in destructive mode can be very dangerous tools, so they should be used only in a lab environment. In fact, these tools are so powerful that even experienced system defenders are not likely to use them in the most aggressive modes on their production networks. At the time of this writing, the most popular scanners seem to be Nessus, OpenVAS, and Nexpose. The Nessus scanner was originally open source, but it is now strictly commercial. OpenVAS was created as a variant from the last free version of Nessus and is therefore a good open-source alternative. Nexpose offers free and commercial versions.
Members of an organization often require proof that a system is vulnerable to a certain attack. They may require such proof to avoid having system administrators attempt to repair systems that are actually not broken or because they have not yet built a satisfactory relationship with the vulnerability assessment team. In these instances, a class of scanners is available that actually exploits the remote machine and allows the vulnerability analyst (sometimes called a penetration tester) to create an account, modify a Web page, or view data. These tools can be very dangerous and should be used only when absolutely necessary. Three such tools are Core Impact, Immunity’s CANVAS, and the Metasploit Framework.
Of these three tools, only the Metasploit Framework is available without a license fee. The Metasploit Framework is a collection of exploits coupled with an interface that allows penetration testers to automate the custom exploitation of vulnerable systems. For instance, if you wanted to exploit a Microsoft Exchange server and run a single command (perhaps add the user “security” into the administrators group), the tool allows you to customize an overflow in this manner. Figure 9-16 shows the Metasploit Framework.
Passive vulnerability scanner - A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
At the time of this writing, two primary vendors offer this type of scanning solution: Tenable Network Security, with its Passive Vulnerability Scanner (PVS), and Watcher Web Security Scanner from Casaba (see Figure 9-17). The advantage of using passive scanners is that they do not require vulnerability analysts to obtain approval prior to testing. These tools simply monitor the network connections to and from a server to obtain a list of vulnerable applications. Furthermore, passive vulnerability scanners can find client-side vulnerabilities that are typically not found by active scanners. For instance, an active scanner operating without domain admin rights would be unable to determine the version of Internet Explorer running on a desktop machine, but a passive scanner could make that determination by observing traffic to and from the client.
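The Internet Explorer case above illustrates the passive approach: the browser volunteers its version in every User-Agent header, and a Web server does the same in its Server header. The following is an added example, not code from the module or from any vendor's product; the observed header lines, hosts, and the minimum-version policy are all constructed.

```python
"""Passive inventory of client and server software from observed HTTP headers.

Added example, not from the original module or any vendor's product. The
captured lines, the hosts and the minimum-version policy are all constructed.
A passive scanner never sends a packet: it infers software versions only from
what endpoints volunteer in traffic they already exchange.
"""
import re
from typing import Dict, List, Tuple

# Constructed observations: (source, destination, one HTTP header line seen on the wire).
OBSERVED = [
    ("10.0.0.15", "10.0.0.80", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.0.0.80", "10.0.0.15", "Server: Apache/2.2.3 (CentOS)"),
    ("10.0.0.16", "10.0.0.80", "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"),
    ("10.0.0.80", "10.0.0.16", "Server: Apache/2.2.3 (CentOS)"),
    ("10.0.0.17", "10.0.0.81", "User-Agent: curl/8.4.0"),
    ("10.0.0.81", "10.0.0.17", "Server: nginx/1.24.0"),
]

# Constructed policy: oldest version still acceptable per product. Anything
# older is reported for follow-up against the vendor's advisories.
MIN_VERSION = {"MSIE": "11.0", "Apache": "2.4.0", "nginx": "1.20.0", "Firefox": "115.0", "curl": "8.0.0"}

# Product/version tokens such as 'Apache/2.2.3', 'nginx/1.24.0', 'MSIE 6.0', 'Firefox/115.0'.
TOKEN = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]*)[/ ](\d+(?:\.\d+)*)")
SKIP = {"Mozilla", "NT"}  # compatibility and OS tokens, not software products


def version_key(v: str) -> Tuple[int, ...]:
    """'2.2.3' -> (2, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def inventory(observed) -> Dict[str, Dict[str, str]]:
    """Map host -> {product: version} using only observed header lines."""
    hosts: Dict[str, Dict[str, str]] = {}
    for src, dst, line in observed:
        header, _, value = line.partition(":")
        if header.strip() not in ("User-Agent", "Server"):
            continue
        # The host that emitted the header is the one running the software.
        for product, version in TOKEN.findall(value):
            if product not in SKIP:
                hosts.setdefault(src, {})[product] = version
    return hosts


def out_of_policy(hosts, policy=MIN_VERSION) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) triples older than the policy minimum."""
    findings = []
    for host, software in sorted(hosts.items()):
        for product, version in software.items():
            floor = policy.get(product)
            if floor and version_key(version) < version_key(floor):
                findings.append((host, product, version))
    return findings


if __name__ == "__main__":
    for host, product, version in out_of_policy(inventory(OBSERVED)):
        print(f"{host}: {product} {version} is below policy minimum {MIN_VERSION[product]}")
```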
PACKET SNIFFERS
Packet sniffer - A software program or hardware appliance that can intercept, copy, and interpret network traffic.
A packet sniffer or network protocol analyzer can provide a network administrator with valuable information for diagnosing and resolving networking issues. In the wrong hands, however, a sniffer can be used to eavesdrop on network traffic. Commercial and open-source sniffers are both available—for example, Sniffer is a commercial product and Snort is open-source software. The dominant network protocol analyzer is Wireshark (www.wireshark.org), formerly known as Ethereal, which is available in open-source and commercial versions. Wireshark allows the administrator to examine data both from live network traffic and captured traffic.
Wireshark’s features include a language filter and a TCP session reconstruction utility. Figure 9-20 shows a sample screen from Wireshark. To use these types of programs most effectively, the user must be connected to a network from a central location using a monitoring port. Simply tapping into an Internet connection floods you with more data than you can readily process, and the action technically constitutes a violation of the U.S. Wiretap Act. To use a packet sniffer legally, the administrator must:
1. be on a network that the organization owns,
2. have authorization of the network’s owners, and
3. have knowledge and consent of the content creators.
If all three conditions are met, the administrator can selectively collect and analyze packets to identify and diagnose problems on the network. Consent is usually obtained by having all system users sign a release when they are issued a user ID and passwords; the release states that “use of the systems is subject to monitoring.” These three conditions are the same requirements for employee monitoring in general; therefore, packet sniffing should be construed as a form of employee monitoring. Many administrators feel safe from sniffer attacks when their computing environment is primarily a switched network, but they couldn’t be more wrong. Several open-source sniffers support alternate networking approaches and can enable packet sniffing in a switched network environment. Two of these approaches are ARP spoofing and session hijacking, which use tools like Ettercap (www.ettercap-project.org/). To secure data in transit across any network, organizations must use a carefully designed and implemented encryption solution to ensure uncompromised content privacy.
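ARP spoofing on a switched network leaves a footprint a defender can watch for from a monitoring port: unsolicited ARP replies, and an IP address whose MAC binding suddenly changes. The detector below is an added example, not code from the module or from Ettercap; the ARP event records are constructed.

```python
"""Detect ARP cache poisoning attempts from a stream of ARP events.

Added example, not from the original module or from Ettercap. The packet
records below are constructed; a real deployment would take them from a
capture on a switch's monitoring port. Two signals are checked: a reply that
answers no recent request, and an IP whose MAC binding changes.
"""
from typing import Dict, List, Tuple

# Constructed ARP events: (timestamp, opcode, sender_mac, sender_ip, target_ip)
ARP_EVENTS = [
    (1.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.5", "10.0.0.1"),
    (1.1, "reply",   "aa:aa:aa:aa:aa:fe", "10.0.0.1", "10.0.0.5"),   # gateway answers normally
    (5.0, "request", "aa:aa:aa:aa:aa:02", "10.0.0.6", "10.0.0.1"),
    (5.1, "reply",   "aa:aa:aa:aa:aa:fe", "10.0.0.1", "10.0.0.6"),
    (9.0, "reply",   "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.5"),   # unsolicited, claims to be the gateway
    (9.0, "reply",   "de:ad:be:ef:00:01", "10.0.0.5", "10.0.0.1"),   # and tells the gateway it is the host
]

REQUEST_WINDOW = 2.0  # seconds a reply may lag its request before it counts as unsolicited


def detect_arp_spoofing(events) -> List[str]:
    """Return one alert string per suspicious ARP packet, in arrival order."""
    bindings: Dict[str, str] = {}               # ip -> mac as first learned (never overwritten)
    pending: Dict[Tuple[str, str], float] = {}  # (requester_ip, asked_for_ip) -> request time
    alerts: List[str] = []
    for ts, opcode, mac, sender_ip, target_ip in events:
        # Every ARP packet (request or reply) asserts a sender ip/mac binding.
        known = bindings.setdefault(sender_ip, mac)
        if known != mac:
            alerts.append(f"t={ts}: MAC for {sender_ip} changed {known} -> {mac} (possible ARP spoofing)")
        if opcode == "request":
            pending[(sender_ip, target_ip)] = ts
            continue
        # A legitimate reply answers a request the target host made a moment ago.
        asked = pending.pop((target_ip, sender_ip), None)
        if asked is None or ts - asked > REQUEST_WINDOW:
            alerts.append(f"t={ts}: unsolicited ARP reply {sender_ip} is-at {mac} sent to {target_ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_EVENTS):
        print(alert)
```

Keeping the first-learned binding rather than the latest one is deliberate: an attacker's reply must not be allowed to silently become the new baseline.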
WIRELESS SECURITY TOOLS
802.11 wireless networks have sprung up as subnets on nearly all large networks. A wireless connection is convenient, but it has many potential security holes. An organization that spends all of its time securing the wired network while ignoring wireless networks is exposing itself to a security breach. As a security professional, you must assess the risk of wireless networks. A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network. Sectools.org identified the top wireless tools in current use:
• Aircrack, a wireless network protocol cracking tool
• Kismet, a powerful wireless network protocol sniffer, network detector, and IDPS, which works by passively sniffing networks
• NetStumbler, a freeware Windows file parser available at www.netstumbler.org
• inSSIDer, an enhanced scanner for Windows, OS X, and Android
• KisMAC, a GUI passive wireless stumbler for Mac OS X (a variation of Kismet)
Another wireless tool, AirSnare (https://airsnare.en.softonic.com/), is freeware that can be run on a low-end wireless workstation. AirSnare monitors the airwaves for any new devices or access points. When it finds one, AirSnare sounds an alarm to alert administrators that a new and potentially dangerous wireless apparatus is attempting access on a closed wireless network. The tools discussed in this module help the attacker and the defender prepare themselves to complete the next steps in the attack protocol: attack, compromise, and exploit. These steps are beyond the scope of this text and are usually covered in more advanced classes on computer and network attack and defense.