
Chapter 1 Testing and Auditing Your Systems

X-Scan

Bear in mind you will need the WinPcap drivers installed in order to use X-Scan, though like many such utilities X-Scan will install WinPcap if you don’t already have it installed. When it comes to the actual checks being performed, X-Scan uses the same Nessus plug-ins, but X-Scan also has the capability to perform some additional checks and OS fingerprinting. Like Nessus, X-Scan also supports command-line operations, which could be a plus depending on your environment. On the down side, X-Scan does not support the client-server architecture that Nessus does. If that type of functionality is needed, you could use some type of remote access functionality to run the scans from a system more appropriately located, but this would require third-party software. If this capability is needed, X-Scan may not be the best tool and Nessus might be a better fit.

Figure 1.21 X-Scan HTML Report

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer is a tool for checking the baseline security of supported Microsoft products. In this instance, baseline means that the minimum security patches have been applied (MBSA uses the updater service to check patch levels) and the minimum security settings have been checked. MBSA is not a general-purpose vulnerability scanner like Nessus. MBSA is instead a way to check your Microsoft hosts for weak security settings, not necessarily vulnerabilities. The primary page for MBSA is www.microsoft.com/technet/security/tools/mbsahome.mspx. There are different versions of MBSA, each supporting different platforms. MBSA 1.2.1 is for users who have Office 2000 and Exchange 5.0 or 5.5. MBSA 2.0 supports Windows 2000 SP3 or later, Office XP, Exchange 2000, and SQL Server 2000 SP4 or later. A more complete listing of supported products can be found in the article located at http://support.microsoft.com/?scid=kb;en-us;895660. The older MBSA 1.2.1 supports only a limited set of software. You can use MBSA 1.2.1 combined with EST (Enterprise Scan Tool) to obtain fairly comprehensive scanning coverage of older legacy applications. The software is relatively small and lightweight, at less than 2 MB. The installation process is simple and quick. The MBSA interface, shown in Figure 1.22, is also very straightforward.

To scan a single computer, simply click Scan a computer, enter a computer name or IP address, and then click Start Scan. The scanner will report on any settings or options on the target that are suboptimal from a security standpoint. The results of a sample scan are shown in Figure 1.23.

The MBSA marks a red “X” for any security issue it finds, which in this example includes not having all the disk partitions formatted as NTFS. NTFS is Microsoft’s file system format that allows access controls to be configured on files and folders. FAT32 is an older Microsoft file system that has no file security.

Figure 1.22 Microsoft Baseline Security Analyzer

By default, the scan results are stored in %USERPROFILE%\SecurityScans as .mbsa files. MBSA also includes a command-line version, called mbsacli.exe. There are several useful options that can be used on the command line. Basic usage would be mbsacli /target 192.168.1.99, for example. You could also use mbsacli /r 192.168.1.1-192.168.1.254 to scan a range of IP addresses. If you omit the target completely, MBSA will default to the localhost as the target. By default, running mbsacli this way produces text results directly on the console and creates an .mbsa report in the %USERPROFILE%\Security Scan\ directory. The text output can be redirected to a file, and while the output formatting is conducive to parsing the results programmatically, it is not a very good format for human viewing. Unfortunately, there isn’t much out there to help you manipulate the findings. Microsoft does offer the Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer (MBSA) 2.0. This tool enables you to see the results in Visio when clicking on a Visio icon. You can download the Visio connector from www.microsoft.com/technet/security/tools/mbsavisio.mspx.

So let’s suppose you wanted to test all your systems regularly using MBSA and report on critical updates that are not installed. You could use the command-line version and the job scheduler for the scheduling part. Then take your text output files and the find command, such as find “Missing” <MBSAout.txt>, to list all missing updates. You could further pipe this into find a second time to output only the missing critical updates with find “Missing” <MBSAout.txt> | find “Critical”. To summarize, MBSA is a very good tool, but its most glaring weakness is the lack of a good reporting mechanism. If you have only a few systems to test, however, MBSA can be a very useful tool.
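As an added example (not code from the book, and not part of MBSA), the following Python script wraps the scheduled-scan-and-filter workflow just described: it builds the mbsacli command line from the /target and /r switches shown above, saves each scan’s console output to a per-host text file, and emulates the find “Missing” | find “Critical” pipeline to count missing critical updates per host. The function names, the output directory layout and the sample output text are assumptions; the sample is constructed for illustration, and real mbsacli output may be laid out differently, so check the substring matches against an actual report before scheduling the script.

```python
"""Schedule mbsacli scans and report missing critical updates.

Added example (not code from the book or from Microsoft). Assumes that
mbsacli.exe is on PATH, that the job scheduler runs this script, and, as the
chapter describes, that the console lines describing uninstalled critical
updates contain the words "Missing" and "Critical". The sample output below
is constructed for illustration and is not real mbsacli output.
"""
from __future__ import annotations

import subprocess
from pathlib import Path

# Constructed sample of what one host's console output might look like.
SAMPLE_OUTPUT = """\
Computer name: WORKGROUP\\HOST-A
Security Updates Scan Results
    Missing   | Critical  | PLACEHOLDER-UPDATE-1
    Missing   | Important | PLACEHOLDER-UPDATE-2
    Installed | Critical  | PLACEHOLDER-UPDATE-3
Administrative Vulnerabilities
    Not all hard drives are using the NTFS file system.
"""


def build_command(target: str) -> list[str]:
    """Assemble the mbsacli command line using the two switches the chapter
    shows: /target for a single host, /r for an address range (a-b)."""
    if "-" in target:
        return ["mbsacli", "/r", target]
    return ["mbsacli", "/target", target]


def run_scan(target: str, outdir: Path) -> Path:
    """Run mbsacli and redirect its console text to a per-target file, the
    equivalent of `mbsacli /target HOST > MBSAout.txt` (assumed layout)."""
    outdir.mkdir(parents=True, exist_ok=True)
    outfile = outdir / f"{target}.txt"
    result = subprocess.run(build_command(target), capture_output=True,
                            text=True, check=False)
    outfile.write_text(result.stdout)
    return outfile


def missing_updates(text: str, critical_only: bool = False) -> list[str]:
    """Emulate `find "Missing" MBSAout.txt | find "Critical"`: cmd's find does a
    case-sensitive substring match on each line, and so does this function."""
    lines = [ln.strip() for ln in text.splitlines() if "Missing" in ln]
    if critical_only:
        lines = [ln for ln in lines if "Critical" in ln]
    return lines


def summarize(reports: dict[str, str]) -> dict[str, int]:
    """Map each host to its count of missing critical updates, the figure a
    scheduled job would write to a summary file or mail to an administrator."""
    return {host: len(missing_updates(text, critical_only=True))
            for host, text in reports.items()}


def summarize_files(outdir: Path) -> dict[str, int]:
    """Summarize every saved scan in the output directory."""
    return summarize({p.stem: p.read_text() for p in outdir.glob("*.txt")})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; when run from the
    # scheduler, call run_scan() for each host and then summarize_files().
    print(summarize({"HOST-A": SAMPLE_OUTPUT}))
```

Because cmd’s find is case-sensitive, a report that spells the status differently (for example “MISSING”) would be silently dropped by both the book’s pipeline and this script; that is the first thing to verify against a real report before trusting the per-host counts.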

OSSTMM

Let’s suppose that you can run vulnerability scanners and perform network discovery, but you want to take your security assessments to the next level. If you begin to think about all the security testing that could be done, covering such broad topics as wireless security, physical security, employee education, incident response, and much more, you might feel a bit overwhelmed. The task is so large that simply figuring out where to start could be difficult, and if you do that, there is always the possibility that you might miss something critical. The OSSTMM (Open Source Security Testing Methodology Manual) is exactly what it sounds like. This is a free manual on how to perform a security assessment. It is very detailed (version 2.0 is 120 pages) and can be downloaded from www.isecom.org/osstmm/. Even if you choose not to perform all the testing that is outlined in the manual, it is an invaluable resource to help guide you on proper testing procedures and practices.

In addition to covering such pre-testing tasks as defining the scope of the testing and the rules of engagement, it breaks the actual areas to be tested down into sections and subsections called modules. Here are summaries of the sections covered.

Information Security This broad category covers such tasks as scouring the Internet for publicly available information that can provide clues about non-public information. An example of such indirect disclosure would be a job posting that specifically requires experience with F5’s BIGIP products, which would indirectly tell people what type of load balancers the company is using. It also covers the secure handling of confidential data, including personal data.

Process Security This section includes testing verifying your procedures and attempting
(such as not verifying your identity before resetting an account) or while impersonating someone else. This section also includes luring authorized users to an external location (typically a virtual location such as a Web page) whereby their credentials can be compromised or other information gathered.

Internet Technology Security This section focuses more on the underlying technologies, and examines such things as the network, packet loss, routes, and route control, ISP, and bandwidth of the target organization. This section is really where the bulk of security testing activity takes place. This section also includes performing a network survey and initial investigation via IP scanning and port scanning. Some indirect disclosure issues will also be touched upon here as you learn some things about the underlying network. The handling of confidential information will again be reviewed at the network level concerning encryption protocols and related technologies. This section also does the work of application vulnerability testing, route testing, access control testing, IDS testing, and testing of anti-Trojan and anti-virus systems. Finally, this section includes modules to address password cracking, denial of service testing, and a review of the organization’s security policy.

Communication Security This section includes testing the PBX and other communications methods such as voicemail, modems, and fax machines.

Wireless Security Because of the complexity and expertise needed to thoroughly test wireless security, wireless has its own section in the OSSTMM. This section includes such esoteric modules as testing electromagnetic radiation (EMR), which can enable a person to read what appears on a CRT monitor from outside the building, based on the EMR that is projected beyond the display screen. It also covers the more mundane testing against the wireless network itself, including both 802.11x and Bluetooth networks. The broad category would even include wireless headsets and the security of the conversations over them, wireless hand scanners (such as in a retail store), RFID devices, and other wireless/cordless devices.

Physical Security This section includes evaluating perimeter security, security monitoring, and access control methods, such as gates, doors and locks. It also includes alarm response (all types of alarms, including fire, environmental, and a security incident alarm). The geographical location and ramifications thereof are also reviewed in this section.

The end of the document contains multiple templates that can be used for your actual testing, such as a Firewall Analysis Template and a Password Cracking Template. These templates are not procedures but are rather the type of documentation you would include with your testing, detailing exactly what was tested and how. These templates can be valuable for both ensuring that you are documenting your testing adequately and helping ensure that you do not miss any vital steps, because many of the steps have explicit sections of the template to record the specifics.

The business model for the Institute for Security and Open Methodologies (ISECOM) is basically that they provide the OSSTMM for free. However, it is a peer-reviewed and updated document. As best practices change and the manual is updated, those changes are made available to “gold” and “silver” subscribers before the general public. Typically, the time delay for free access is a few months. Because this is a testing methodology, a few months’ delay probably will not pose any significant problems for those who want the OSSTMM for free.

Summary

Taken as a whole, the tools and utilities covered in this chapter should empower you to locate the systems on your network using a variety of methods. The best-of-class utilities presented offer a broad spectrum of choices in complexity and features for discovery scanning. After all the systems are located, you can begin testing them with a vulnerability scanner to determine what their current security posture is. This enables you to build a complete and accurate picture of just how secure the systems are. The Microsoft Baseline Security Analyzer takes this one step further and reports on weak security settings for Microsoft operating systems, rather than vulnerabilities. All of this collectively gives you the information you need to complete the first step of securing your network, which is information gathering. Chapters 2 and 3 provide more detail on how to use this information to protect your perimeter and network resources.

Solutions Fast Track

Taking Inventory

Taking an inventory of the devices on your network must be repeated regularly to ensure that the inventory remains accurate.

Nmap has more features and options than any other free scanner. Familiarize yourself with not only the options you need to use, but also the ones you might encounter as a hacker attempts to collect information on your network.

Because the various scanners have different strengths and weaknesses, you should familiarize yourself with all of them and choose the appropriate one for the task.

Identifying that the wireless devices exist should be simple; it’s determining the devices’ physical location that is often difficult.

To attempt to triangulate and locate the physical devices, you will need a scanner that displays an accurate signal strength and a directional antenna.

Vulnerability Scanning

Be cognizant of the invasiveness of the scans you are running and of the risks that the scan poses to the target host(s).

Consider the legal ramifications to any wireless activities you pursue and ensure you have adequate backing from your employer.

MBSA is for Microsoft products only and reports on weak security settings, not all of which necessarily represent a security vulnerability per se.

OSSTMM

OSSTMM is a manual to guide you through the process of performing a security assessment using the peer-accepted best practices.

Q: Does a simple port scan pose any risk to my target hosts?

A: It definitely can. A simple ping scan to see which systems are alive shouldn’t pose any risk, but a more involved port scan might. If the target host has significantly more resources than the target system, you could exhaust the resources of the target system and result in an inadvertent denial of service attack. Of even higher risk are some of Nmap’s more unusual scanning options. Some of the specialized TCP flag manipulation scans carry a definite risk to the target host. Because the flag combinations can be illegal (according to the TCP specifications) the target host might not be coded well enough to handle them. Granted, in this day and age this shouldn’t happen, but these types of scans still carry a risk.

Q: Why are wireless access points such a big security concern? Why should I care if my users want to use someone else’s Internet bandwidth instead of mine?

A: There are many reasons. If a user who is connected to your corporate network also connects to an open wireless access point and his machine is attacked and compromised, the attacker has an open backdoor into your corporate network which probably bypasses all your firewalls and security measures. Even if you set aside all the security issues, the user in question now has an outside connection that you cannot easily monitor. You no longer have visibility if that user is trafficking in trade secrets or otherwise transmitting confidential information. When the user is using your company Internet connection, you have the capability to use an IDS, collect traffic statistics, take advantage of a firewall you control, and apply other security policies.

Q: Can I write my own custom “plug-ins” to perform special security checks using NASL?

A: You can. There is a large body of plug-ins already available and odds are good the check you’re looking for is already available unless it is very customized. You can search the available plug-ins at http://nessus.org/plugins/index.php?view=search. The search results may include plug-ins that are not available yet except for the direct feed or registered feed customers. You can also create your own plug-ins from scratch and if they might be useful to others you can share them with the Nessus community. X-Scan also enables you to create your own plug-ins and uses the same NASL plug-ins as Nessus.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to


Protecting Your Perimeter

Solutions in this chapter:

Firewall Types

Firewall Architectures

Implementing Firewalls

Providing Secure Remote Access
