
Once you have the system information, you can research the possible attacks or exploits that can be used against it. Nessus is a scanner that runs a set of vulnerability checks against a target, either in a nonintrusive (safe-checks) mode or, if you choose, with checks that actively exploit the flaw and may crash the system as part of the test. Nessus is a great scanner, and it is free as of this writing, as long as you know how to use it. In this section we look at how we can scan our DMZ (as a hacker would), looking for possible vulnerabilities. Figure B.11 shows Nessus in use: the Nessus report for one host. Simply plug the IP address into Nessus and let it check your host.

The Nessus Project aims to provide to the Internet community a free, powerful, up-to-date, and easy-to-use remote security scanner. A security scanner is software that remotely audits a given network and determines whether hackers might be able to break into it or misuse it in some way. Unlike many other security scanners, Nessus takes nothing for granted. That is, it will not assume that a given service is running on a fixed port; for example, if you run your Web server on port 1234, Nessus detects it and tests its security. It does not base its security tests on the version number of the remote services but attempts to exploit the vulnerability. Nessus is very fast and reliable and has a modular architecture that allows you to fit it to your needs. You can get Nessus free at www.nessus.org/about/.

LANGuard

LANGuard is another vulnerability scanner. In Figure B.12, you can see that we scanned a DMZ host and found quite a bit open. The Windows 2000 host on the DMZ we scanned had IIS installed, and this is what the scan returned:

• SMTP is running on this system. If you are not using it, shut it down: an SMTP service left running with relaying unrestricted will be found and used as a spam relay almost immediately.

• FTP is running. We tested it and it was completely open for business.

• Terminal Services is running. This is very bad if it is not being used, because it is an interactive remote login to the box.

• A Web server is running, but there is no site up and in use. This tells us that the server could be used for something else. Basically, IIS is installed and running, but the administrator might not know that. Perfect for exploiting!

• There are also a few alerts. Here the vulnerability scanner's true strength comes in: showing where the common gateway interface (CGI) vulnerabilities are.
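The two points above, that a scanner should identify a service by how it behaves rather than by its port number (the Nessus description) and that the interesting findings on this host were an SMTP relay, an open FTP server and an unused Web server, can be reproduced with a few lines of protocol-level probing. The following script is an added example written for this section; it is not code from the book, from Nessus or from LANGuard. It assumes a target host you are authorized to test (defaulting to 127.0.0.1), an assumed port list, and the placeholder addresses probe@example.net and probe@example.org as "foreign" domains for the relay test.

```python
# Added example: port-independent service checks for one DMZ host (not from the book).
import re
import socket

MAIL_FROM = "probe@example.net"  # assumed sender domain that is not local to the target
RCPT_TO = "probe@example.org"    # assumed recipient domain that is not local to the target

def reply_code(line: str) -> int:
    """3-digit code of an SMTP/FTP reply line, or 0 if the line carries none."""
    m = re.match(r"^(\d{3})[ -]", line)
    return int(m.group(1)) if m else 0

def classify_banner(greeting: str) -> str:
    """Identify a service by the greeting it sends, not by the port it listens on."""
    text = greeting.strip()
    if not text:
        return "silent"          # client speaks first: HTTP, RDP, TLS-wrapped services
    if text.startswith("SSH-"):
        return "ssh"
    if reply_code(text) == 220:  # SMTP and FTP both greet with 220; the wording tells them apart
        if re.search(r"\bE?SMTP\b", text, re.I):
            return "smtp"
        if re.search(r"\bFTP\b", text, re.I):
            return "ftp"
        return "smtp-or-ftp"
    return "unknown"

def parse_http_head(raw: bytes):
    """(status, Server header) from a raw HTTP response; (0, '') if it is not HTTP at all."""
    text = raw.decode("latin-1", "replace")
    m = re.match(r"^HTTP/\d\.\d (\d{3})", text)
    if not m:
        return 0, ""
    for line in text.split("\r\n")[1:]:
        if line.lower().startswith("server:"):
            return int(m.group(1)), line.split(":", 1)[1].strip()
    return int(m.group(1)), ""

def smtp_relay_check(talk) -> str:
    """talk(command) -> final reply line. Will the server relay foreign-to-foreign mail?"""
    talk("EHLO probe.example.net")
    if reply_code(talk(f"MAIL FROM:<{MAIL_FROM}>")) != 250:
        return "inconclusive (MAIL FROM rejected)"
    code = reply_code(talk(f"RCPT TO:<{RCPT_TO}>"))
    talk("RSET")                 # abort the transaction; never queue a real message
    if code in (250, 251):
        return "open relay: foreign RCPT TO accepted"
    if 500 <= code < 600:
        return "relay refused"
    return f"inconclusive (reply {code})"

def ftp_anon_check(talk) -> str:
    """Does the FTP server accept an anonymous login?"""
    code = reply_code(talk("USER anonymous"))
    if code == 331:              # password requested; an e-mail address is the convention
        code = reply_code(talk("PASS probe@example.net"))
    if code == 230:
        return "anonymous login allowed"
    if code == 530:
        return "anonymous login refused"
    return f"inconclusive (reply {code})"

def read_reply(sock) -> str:
    """Read one (possibly multi-line) SMTP/FTP reply; return its last line, '' on timeout."""
    data = b""
    while True:
        try:
            chunk = sock.recv(1024)
        except OSError:          # timeout or reset: use whatever arrived
            break
        if not chunk:
            break
        data += chunk
        last = data.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1]
        if data.endswith(b"\r\n") and re.match(rb"\d{3} ", last):
            break                # "NNN " (space, not dash) marks the final line of a reply
    lines = [l for l in data.decode("latin-1", "replace").split("\r\n") if l]
    return lines[-1] if lines else ""

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, identify the service from its behaviour, run the matching quick check."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"{host}:{port} closed or filtered ({exc})"
    with sock:
        def talk(cmd):
            sock.sendall(cmd.encode() + b"\r\n")
            return read_reply(sock)
        kind = classify_banner(read_reply(sock))
        if kind == "smtp":
            return f"{host}:{port} smtp: {smtp_relay_check(talk)}"
        if kind == "ftp":
            return f"{host}:{port} ftp: {ftp_anon_check(talk)}"
        if kind == "silent":     # nothing was sent to us, so try speaking HTTP
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                status, server = parse_http_head(sock.recv(2048))
            except OSError:
                status, server = 0, ""
            if status:
                return f"{host}:{port} http {status}, server {server or 'unknown'}"
            return f"{host}:{port} open but silent (RDP, TLS or another client-first protocol)"
        return f"{host}:{port} {kind}"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: a host you may test
    for port in (21, 25, 80, 1234, 3389):                      # assumed port list
        print(probe(target, port))
```

Run it as `python probe.py <host>` against a host you have written authorization to test. The check functions take a `talk` callable rather than a socket, so the same logic can be driven by a live connection or by scripted replies; only the RCPT TO reply is used to judge relaying, and RSET aborts the transaction so no mail is ever queued. A Web server that answers the HEAD request but has no site behind it shows up here as a 200 or 403 with an IIS Server header, which is the "IIS installed but unused" condition the scan above flagged.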

As we continue to test, we get deeper into the map, just as we planned. Our efforts to penetrate the DMZ might just pay off with all this reconnaissance. We have already started a map and populated it with a great amount of information. We know what hosts are where, what OSs they are running, what vulnerabilities they have exposed, and more.

At this point in the game, stealth and patience are virtues. We need to be stealthy to avoid tripping any IDS, and we need patience for working past these blocks to gather information that might be slow in coming.

Although penetration tests sound like and can be fun even while being serious, there are legal issues about which we must be very concerned. The DMCA has cast a shadow across the land of security since, in the strictest sense of the law, writing about how a marker can bypass CD security is a violation of the DMCA's provisions. We do not purport to be legal experts and strongly suggest that before you do any testing, you consult an attorney and make sure that you have a contract in which the testing parameters are clearly stated and that the customer signs it. There have been cases in which someone contracted for testing but did not really have the authority to approve security testing against a production network. The network engineer ends up in the middle, trying to explain that he or she is not hacking the network but is under contract to run tests against it. As you might see, such a situation can get very messy in a short period of time.

NOTE

Other available scanners and tools that you can use include:

• Nessus, which is an exploit and vulnerability scanner

• Security Administrators Integrated Network Tool (SAINT)

• Netcat, which has been called the Swiss Army knife of network tools

• Nikto

• Hunt, a freeware sniffer with hijack capabilities

• Wireshark or other trace analysis tools such as tcpdump or Etherpeek

• A hex editor to make custom packets or to examine the results of a sniff

• A software emulator such as Virtual PC or VMware, which we use to run Linux concurrently with Windows

• A Telnet client such as Teraterm

• A wardialer such as THC-SCAN for those forgotten doorways in

• An SNMP string cracker like the one in Cain & Abel (www.oxid.it)
