An Integrated Vulnerability Analysis and Penetration Testing Framework


An Integrated Vulnerability Analysis and Penetration Testing Framework

A Thesis submitted in partial fulfillment of the requirements for the degree of

Master of Technology in Computer Technology

Department of Computer Science and Engineering

Jadavpur University, Kolkata

By

Chiranjit Datta

Examination Roll: M6TCT-13-10

University Registration No. 113932 of 2010-2011

Under the guidance of

Shri. Mridul Sankar Barik

Assistant Professor

Department of Computer Science and Engineering

Faculty of Engineering and Technology

Jadavpur University, Kolkata

May, 2013


TO WHOM IT MAY CONCERN

This is to certify that the work in this thesis entitled “An Integrated Vulnerability Analysis and Penetration Testing Framework” has been satisfactorily completed by Chiranjit Datta. It is a bona-fide piece of work carried out under my supervision at Jadavpur University, Kolkata, for partial fulfillment of the requirements for awarding of the Master of Technology in Computer Technology (MTCT) degree of the Department of Computer Science and Engineering, Faculty of Engineering and Technology, Jadavpur University during the academic year 2012-2013.

--- Shri. Mridul Sankar Barik

Project Supervisor

Assistant Professor

Department of Computer Science and Engineering

Jadavpur University

Forwarded By:

--- Prof. Sivaji Bandyopadhyay

Head of the Department

Department of Computer Science and Engineering Jadavpur University


Department of Computer Science and Engineering Faculty of Engineering and Technology

Jadavpur University, Kolkata 700032

Certificate of Approval

This is to certify that the thesis entitled “ An Integrated Vulnerability Analysis and Penetration Testing Framework” is a bona-fide record of work carried out by Chiranjit Datta in partial fulfillment of the requirements for the award of the degree of Master of Technology in Computer Technology (MTCT) in the Department of Computer Science and Engineering, Jadavpur university during the period June 2012 to May 2013. It is understood that by this approval the undersigned do not necessarily endorse or approve any statement made, opinion expressed or conclusion drawn therein but approve the thesis only for the purpose for which it has been submitted.

Examiners:

--- --- (Signature of the Examiner) (Signature of the Supervisor)


Declaration of Originality and Compliance of Academic Ethics

I hereby declare that this thesis contains a literature survey and original research work by the undersigned candidate, as part of his Master of Technology in Computer Technology studies. All information in this document has been obtained and presented in accordance with academic rules and ethical conduct.

I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work.

Name : Chiranjit Datta Roll Number : M6TCT-13-10

Thesis Title : An Integrated Vulnerability Analysis and Penetration Testing Framework


Acknowledgement

The work presented in this thesis has been carried out at the department of Computer Science and Engineering at Jadavpur University, Kolkata. The main setting for this research work has been at the Center for Distributed Computing, Jadavpur University.

In my attempted integration of vulnerability analysis and penetration testing frameworks, I thank all who have helped along the way and influenced the formation of understanding and representation of the integrated tool presented in this thesis. In particular, I wish to express my gratitude to my supervisor, Shri Mridul Sankar Barik, Assistant Professor, Dept. of Computer Science and Engineering at Jadavpur University, Kolkata for his continued encouragement and support, all his contribution of time, ideas, and invaluable suggestions during this work. I would also like to thank Prof. Chandan Mazumdar for not only giving me an opportunity to work on this project and use the resources of Center for Distributed Computing, Jadavpur University, but also for his valuable guidance at every step of this thesis.

I wish to thank Prof. Sivaji Bandyopadhyay, Head of the Department of Computer Science & Engineering, Jadavpur University for providing me all the facilities and for his support to the activities of this project.

I am also grateful to Dr. Anirban Sengupta, Principal Research Engineer, CDCJU, for sharing his knowledge and experience with me and also his immense support and co-operation. Furthermore, I am deeply indebted to all my colleagues and friends at Center for Distributed Computing who have provided the environment for sharing their experiences and ideas regarding the security issues involved in Banking.

Finally I want to thank my parents and my siblings for being a constant source of support and encouragement.

--- Chiranjit Datta

Department of Computer Science and Engineering

Examination Roll No: M6TCT-13-10 University Registration No: 113932 of 2010-2011


Table of Contents

List of Figures ... 10

List of Tables ... 11

Chapter-1 Introduction ... 12

1.1 Security in Today’s Heterogeneous Network ... 12

1.2 Vulnerability Analysis and Penetration Testing ... 13

1.2.1 Requirement of VA and PT ... 13

1.2.2 Difference between Vulnerability Analysis and Penetration Testing ... 14

1.2.3 Dependency of VA and PT on each other ... 15

1.2.4 Integrated VA and PT ... 15

1.3 Objective ... 16

1.4 Organization of the Thesis ... 17

Chapter-2 Vulnerability Analysis ... 18

2.1 Definition of Vulnerability in the Information Security Context ... 18

2.2 Vulnerability Analysis ... 18

2.2.1 Definition... 19

2.2.2 Importance of VA ... 19

2.3 VA Techniques ... 21

2.4 Vulnerability Scanners ... 24

2.4.1 The Limitations of Vulnerability Scanners ... 27

2.5 Case Study ... 28

2.5.1 Nessus ... 29

2.5.2 OpenVAS ... 30

2.5.3 Nexpose ... 31

2.5.4 Comparative Analysis of Nessus, OpenVAS, Nexpose Scanner ... 33


2.5.4.2 Test Scanning Results ... 34

Chapter-3 Penetration Testing ... 44

3.1 Definition of Penetration Testing in the Information Security Context ... 44

3.2 Penetration Testing ... 44

3.2.1 Definition... 45

3.2.2 Importance of PT ... 46

3.3 Types of Penetration Testing ... 46

3.3.1 Black-Box Penetration Testing ... 47

3.3.2 White-Box Penetration Testing ... 47

3.3.3 Gray-Box Penetration Testing ... 48

3.4 PT Techniques ... 48

3.4.1 External Penetration Testing ... 48

3.4.2 Internal Security Assessment ... 49

3.4.3 Application Security Assessment ... 50

3.4.4 Network Security Assessment ... 51

3.4.5 Wireless/Remote-Access Security Assessment ... 51

3.4.6 Telephony Security Assessment ... 52

3.4.7 Social-Engineering Assessment ... 52

3.5 Penetration Testing Tools ... 53

3.5.1 Metasploit Framework ... 53

3.5.2 CORE IMPACT ... 54

3.5.3 CANVAS ... 55

3.6 Case Study ... 55

3.6.1 Metasploit Framework ... 56

3.6.1.1 Metasploit Architecture ... 56

3.6.1.1.1 Rex ... 57

3.6.1.1.2 Core ... 57

3.6.1.1.3 Base ... 57


3.6.1.1.4 Auxiliary Modules ... 57

3.6.1.1.5 Encoder Modules ... 57

3.6.1.1.6 Exploit Modules ... 57

3.6.1.1.8 Payload Modules ... 57

3.6.1.2 User-Interface Modes ... 59

Chapter-4 Integration of VA and PT ... 61

4.1 Reason of Integration ... 61

4.2 Existing Integrated VA and PT tools ... 62

Chapter-5 Integrated VA and PT Tool ... 63

5.1 Motivation ... 63

5.2 Architecture of the Tool ... 63

5.2.1 Multi-Tier Nature of the Tool ... 64

5.2.1.1 Presentation Tier or Client Tier ... 65

5.2.1.2 Logic Tier or Middle Tier ... 68

5.2.1.3 Data Tier ... 69

5.3 Design of the Tool ... 70

5.3.1 Process Flow of the Tool ... 70

5.3.1.1 Scope ... 70

5.3.1.2 Information Gathering ... 71

5.3.1.3 Vulnerability Detection ... 71

5.3.1.4 Information Analysis and Planning ... 71

5.3.1.5 Attack and Penetration ... 71

5.3.1.6 Result Analysis ... 71

5.3.1.7 Reporting ... 72

5.3.2 Data-Tier Design ... 72

5.3.3 Logic-Tier Design ... 72

5.3.4 Presentation-Tier Design ... 73


5.5 Performance of the Tool ... 77

Chapter-6 Conclusion and Future Work ... 78

References ... 79


List of Figures

Figure 1 : Number of vulnerabilities detected in Host 1 (Windows 7) ... 37 

Figure 2 : Year-wise vulnerability detection in Host 1 ... 38 

Figure 3 : Number of vulnerabilities detected in Host 2 (Windows XP) ... 39 

Figure 4 : Year-wise vulnerability detection in Host 2 ... 40 

Figure 5 : Number of vulnerabilities detected in Host 3 (Red Hat Linux 6) ... 41 

Figure 6 : Year-wise vulnerability detection in Host 3 ... 41 

Figure 7 : Comparative statistics of vulnerability detection ... 42 

Figure 8 : Year-wise statistics of vulnerability detection ... 43 

Figure 9 : Architectural Model of Metasploit ... 56 

Figure 10 : Architectural Model of VAPT Tool ... 63 

Figure 11 : 3-Tier Architecture ... 64 

Figure 12 : A sample Presentation Tier of the Tool ... 65 

Figure 13 : Presentation Tier of Tool’s Network Discovery Service ... 66 

Figure 14 : Presentation Tier of Tool’s Vulnerability Analysis Service ... 66 

Figure 15 : Presentation Tier of Tool’s one of the Vulnerability Scanner Service ... 66 

Figure 16 : Presentation Tier of Tool’s Penetration Testing Service ... 67 

Figure 17 : Tool’s Standalone Mode ... 67 

Figure 18 : Tool’s Client/Server Mode ... 67 

Figure 19 : Tool’s Client-Tier side verification ... 68 

Figure 20 : Tool’s Data-Tier side verification ... 68 

Figure 21 : Tool’s Composite Logic/Middle-Tier ... 69 

Figure 22 : Process Design of the Tool ... 70 

Figure 23 : Different Sections of the Tool ... 73 

Figure 24 : User-Administration Section (Add User) of the Tool ... 73 

Figure 25 : Network Discovery Section of the Tool ... 74 

Figure 26 : Network Discovery Section with “WLAN discovery” of the Tool ... 74 

Figure 27 : OpenVAS Scanner section of the Tool ... 75 

Figure 28 : Nexpose Scanner section of the Tool ... 75 

Figure 29 : Automatic Penetration Testing section of the Tool ... 75 


List of Tables

Table 1 : Overall Scanning output result ... 34 

Table 2 : Detected vulnerabilities in Host 1 (Windows 7) ... 35 

Table 3 : Detected vulnerabilities in Host 2 (Windows XP) ... 38 

Table 4 : Detected vulnerabilities in Host 3 (Red Hat Linux 6) ... 40 


Chapter-1 Introduction

1.1 Security in Today’s Heterogeneous Network

Our everyday lives have become critically dependent on networking technology and systems. In addition to telephone and email communications, new multimedia services and sensor networks are becoming part of our daily lives. Impressive increases in data traffic and the strong demands for pervasive communications have been recently met by remarkable advances in optical networking and wireless networking technologies. While technological advances have been outstanding, modern applications find significant performance bottlenecks in today’s heterogeneous network environments.

The ‘original’ Internet design assumed intelligent end-devices (computers), an ‘end-to-end’ principle, and a cooperative network management based on trust. The Internet Protocol (IP) did not consider supporting security, real-time services, or quality-of-service (QoS). The new Internet realities are: diverse end-devices (appliances), heterogeneous networks (wireless/satellite, optical core, etc.), competitive and adversarial network management (trust can no longer be assumed). In addition, the modern services often require real-time transport, quality-of-service, and security. The new Internet and modern applications challenge the underlying assumptions of the current protocol and network architecture. Along with this, there is an interesting dichotomy with respect to network security and network diversity. That is, homogeneous networks are easier to manage and configure, making them good for your organization's security in some ways. In other ways, they are bad because they offer a single point of compromise for a given piece of your IT infrastructure. The best example is in the area of desktop systems.

Today, the vast majority of organizations have standardized on Microsoft application and operating system software for the desktop. Microsoft Internet Explorer is the most popular web browser, and the various flavors of Microsoft Outlook are the most popular e-mail clients. Both of these systems are based on popular Internet standards (SMTP, IMAP, POP3, HTTP, SSL, and so on). Setting aside the rise of website development that requires a specific browser, any standards-compliant web browser or e-mail client could be used instead of the Microsoft variants. Most organizations stay with Microsoft products, however, which leaves an entire organization vulnerable to a well-written exploit for either of these applications.

So, with these multi-tier network architectures, web services, custom applications, and heterogeneous server platform environments, keeping data and information assets secure is more difficult than ever.


Coupled with this added complexity is the fact that criminal organizations have organized their hacking efforts; it is no longer just “script kiddies” trying to break into a network. In the past several years, it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world’s fastest growing problems.

1.2 Vulnerability Analysis and Penetration Testing

Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. However, this method does not differentiate between flaws that can be exploited to cause damage and those that cannot.

By performing penetration tests against the organizational environment, one can actually replicate the types of actions that a malicious attacker would take, giving a more accurate representation of the security posture at any given time by identifying which flaws pose a threat to the organization. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

Vulnerability Assessment and Penetration Testing (VAPT)[1] provides enterprises with a more comprehensive infrastructure evaluation than any single test alone. Using the Vulnerability Assessment and Penetration Testing (VAPT) approach gives an organization a more detailed view of the threats facing its network architectures, web-services, applications etc. enabling the business to better protect its systems and data from malicious attacks.

1.2.1 Requirement of VA and PT

Computer software is prone to vulnerabilities. Bugs in the software make it vulnerable, and attackers use these vulnerabilities to exploit or get into the system. Once a vulnerability is exploited, the organization’s valuable information would be compromised.

Every day, new vulnerabilities are found, and combined vulnerability assessment and penetration testing help ensure that the organization’s information systems are protected against the new vulnerabilities by identifying the patches and updates that have to be applied.


Organizations have firewalls. But firewalls are purely port-based network traffic controllers. For example, if a firewall is configured to allow web traffic, it passes the web traffic from outside to inside, and if the web server is vulnerable, attackers can exploit the web server because the firewall allows web traffic. VA-PT reinforces the security posture of the organization by scanning for and fixing the vulnerabilities of the organization’s information systems.

1.2.2 Difference between Vulnerability Analysis and Penetration Testing

To understand the combined effect of VA and PT, we need to know what each can do separately. A quick comparison of vulnerability analysis and penetration testing gives a picture of this. So the differences:

1. Vulnerability Analysis is the process of identifying vulnerabilities on a network, whereas Penetration Testing is focused on actually gaining unauthorized access to the tested systems and using that access to the network or data, as directed by the client.

2. A Vulnerability Analysis provides an overview of the flaws that exist on the system, while a Penetration Test goes on to provide an impact analysis of the flaws, identifying the possible impact of each flaw on the underlying network, operating system, database, etc.

3. Vulnerability Analysis is more of a passive process. In Vulnerability Analysis one uses software tools that analyze both network traffic and systems to identify any exposures that increase vulnerability to attacks. Penetration Testing is an active practice wherein ethical hackers are employed to simulate an attack and test the network’s and systems’ resistance.

4. Vulnerability Analysis deals with potential risks, whereas Penetration Testing is an actual proof of concept. Vulnerability Analysis is just a process of identifying and quantifying the security vulnerabilities in a system. Vulnerability Analysis doesn’t provide validation of security vulnerabilities. Validation can only be done by Penetration Testing.

5. The scope of a Penetration Test can vary from a Vulnerability Analysis to fully exploiting the targets to destructive testing. Penetration Testing consists of a Vulnerability Analysis, but it goes one step further, wherein one evaluates the security of the system by simulating an attack as it would usually be done by a malicious hacker. For instance, a Vulnerability Analysis exercise might identify the absence of anti-virus software on the system or open ports as a vulnerability. The Penetration Test will determine the level to which existing vulnerabilities can be exploited and the damage that can be inflicted due to this.

6. A Vulnerability Analysis answers the question: “What are the present Vulnerabilities and how do we fix them?” A Penetration Testing simply answers the questions: “Can any External Attacker or Internal Intruder break-in and what can they attain?”.

7. A Vulnerability Analysis works to improve security posture and develop a more mature, integrated security program, whereas a Penetration Test is only a snapshot of the effectiveness of the organization’s security program.

8. Commonly, a Vulnerability Assessment goes through the following phases: Information Gathering, Port Scanning, Enumeration, Threat Profiling & Risk Identification, Network Level Vulnerability Scanning, Application Level Vulnerability Scanning, Mitigation Strategies Creation, Report Generation, and Support. A Penetration Testing service, however, has the following phases: Information Gathering, Port Scanning, Enumeration, Social Engineering, Threat Profiling & Risk Identification, Network Level Vulnerability Assessment, Application Level Vulnerability Assessment, Exploit Research & Development, Exploitation, Privilege Escalation, Engagement Analysis, Mitigation Strategies, Report Generation, and Support.

1.2.3 Dependency of VA and PT on each other

Vulnerability assessment and penetration testing are two different and complementary proactive approaches to assess the security posture of an information system’s network. The Vulnerability Assessment is done to test the security posture of the information system both internally and externally. Penetration tests provide evidence that vulnerabilities do exist and that, as a result, network penetrations are possible. Together they provide a blueprint for remediation.

1.2.4 Integrated VA and PT

Vulnerability assessment offers only a partial evaluation of vulnerabilities; actually testing for vulnerabilities by penetrating barriers is a useful adjunct, as it identifies potential access paths missed by vulnerability assessment. Penetration testing is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.


Vulnerability Assessment and Penetration Testing (VAPT) is a systematic analysis of the security status of information systems. Vulnerability assessment is an on-demand solution, which makes it convenient to run tests over the Internet anywhere, anytime. It is a hybrid solution which blends automated testing with security expert analysis. The combined approach identifies all possible attack vectors, some of which may be missed if vulnerability analysis or penetration testing is done alone.

1.3 Objective

There are a variety of reasons for performing a vulnerability assessment and penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having a second set of eyes check out a critical computer system is a good security practice. Testing a new system before it goes on-line is also a good idea.

Again, penetration testing is not the best way to find all vulnerabilities. Vulnerability assessments that include careful diagnostic reviews of all servers and network devices will definitely identify more issues faster than a “black box” penetration test.

Penetration tests are conducted in a limited time period. This means that the result is a “snapshot” of a system or network’s security. As such, testing is limited to known vulnerabilities and the current configuration of the network. Also, if the testing team did not discover any vulnerability in the organization’s system, it does not mean that hackers or intruders will not.

Vulnerability assessment and penetration testing should be done on a regular basis for any organization to protect it from possible attacks. For this, if an integrated VA-PT tool is available in-house, it will be very helpful for any organization to take a snapshot of its current security posture without any further budget for security alone. Such an integrated tool will decrease the third-party dependency which is still needed for penetration testing.

So there is a need to develop a tool which will ease the process of VA and PT for any organization. This will also help in calculating risk analyses and developing attack graphs from time to time.


1.4 Organization of the Thesis

The remaining chapters of this thesis will discuss the following:

Chapter 2: Vulnerability Analysis summarizes vulnerability, its importance in an organization’s security posture, an overview of vulnerability scanners and a comparative study of scanners like Nessus, OpenVAS and Nexpose and their performance over a test-bed.

Chapter 3: Penetration Testing summarizes penetration testing and its importance, different techniques and frameworks for penetration testing, and a study of one such framework, namely Metasploit.

Chapter 4: Integration of VA and PT describes why integration of VA and PT is necessary, and different existing integrated VA-PT tools.

Chapter 5: Integrated VA and PT Tool describes the architecture, design, implementation and performance of the tool, and also the tools and technologies used to build up the tool.

And finally,

Chapter 6: Conclusion and Future Work summarizes the contributions of the thesis and the scope


Chapter-2 Vulnerability Analysis

2.1 Definition of Vulnerability in the Information Security Context

ISO 27005 defines vulnerability as:[2]

A weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.

IETF RFC 2828 defines vulnerability as:[3][4]

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Many NIST publications define vulnerability in the IT context; the FISMApedia[5] term entry[7] provides a list of them. Among them, SP 800-30[8] gives a broader one:

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

The Open Group defines vulnerability in [9] as:

The probability that threat capability exceeds the ability to resist the threat.

ISACA defines vulnerability in Risk IT framework as:

A weakness in design, implementation, operation or internal control.

2.2 Vulnerability Analysis

Vulnerability analysis[20] aims to find vulnerabilities and to take a more holistic look at security. Penetration testing is a focused attack on a single or a few vulnerabilities that are generally already known to exist or are suspected of existing. Vulnerabilities now scale beyond technology: operational processes like patch management and incident management have a significant impact on the lifecycle of a vulnerability. Vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

Reasons for Vulnerability Existence:

1. Insecure coding practices

2. Developer education not focused on security

3. Limited testing budget and scope

4. Disjointed security processes

5. More resources outside than inside

2.2.1 Definition

A vulnerability analysis is the process of identifying and quantifying vulnerabilities in an environment. It is an in-depth evaluation of an organization’s security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

2.2.2 Importance of VA

Once a network is secured by fully patching it and deploying antivirus solutions, hackers might still be able to exploit a number of misconfigurations. Below is a list of general issues one might find in a typical operating system installation:

1. Unnecessary open shares

2. Unused user accounts

3. Unnecessary open ports

4. Rogue devices connected to your systems

5. Dangerous script configurations

6. Servers allowing use of dangerous protocols

7. Incorrect permissions on important system files

8. Running of unnecessary, potentially dangerous services

Apart from these misconfigurations, when running a vulnerability assessment on a target network one might find several security issues with a wide range of software and hardware, including:


9. Default passwords on certain devices

10. Unnecessary services running on some devices

11. Running web services that contain known vulnerabilities

12. Dangerous applications such as peer-to-peer applications

13. Third-party applications that are vulnerable to known exploits.

Some vulnerability scanners will also look for signs of known malware based on the computer’s behavior rather than actually scanning the files for known malware signatures. In some cases, this approach can help uncover issues that an antivirus might miss, especially if that malware is being protected by a rootkit.

It is important to note that each of the issues mentioned above can jeopardize the network’s security even if this is fully patched.

Take into account that some systems may still have active accounts which belonged to employees who left or were laid off; a vulnerability assessment will bring these to light. Until such accounts are disabled, these potentially disgruntled former employees can log into the target systems and cause havoc.

The same applies to open shares. These are one of the vectors hackers use to spread viruses, especially in cases where such needless open shares aren’t password protected. In some cases, having a particular port open can also be an indication that the system is running a known malware. Most vulnerability scanners will point this out in their scan results.

Rogue devices are a big security concern for companies. From USB drives to wireless access points, these devices can provide access into your network, intentionally or unintentionally. Monitoring for the existence of these devices is an essential part of securing a network. Dangerous scripts, misconfigured services, and incorrect permissions can all be exploited by a skilled hacker whose objective is to gain access to his victim’s systems.

Something that is generally overlooked when securing the network, is the devices connected to it. Printers, routers and fax machines are generally seen as a minor concern in terms of security. However, some of these devices can be used as a gateway to networks when they carry a faulty configuration or they still use default settings. Some network printers, for example, by default allow unsecured telnet access to them without requiring any authentication. A subset of these will also store a copy of what is printed in their internal storage – something employees can copy even remotely over the internet.


Finally, there are vulnerabilities caused by software. Some web services contain known exploits that allow a malicious attacker to use that script as a gateway to send emails, potentially using an organization to launch spam runs; SQL injection exploits might allow an attacker to get hold of usernames and passwords, to insert his own username, or even to run code remotely. Likewise, the use of applications with known vulnerabilities can open an organization to targeted attacks. Malicious hackers might try to send people malicious payloads targeted at these vulnerable applications that, when triggered, would run the code the hacker has embedded in the payload. When misconfigured, P2P applications can share confidential documents or source code with the whole world. These applications can be a huge threat when installed in a corporate environment. Even if configured correctly, it is impossible to verify the origin or legitimacy of anything downloaded through their use. Employees using such an application might unknowingly download malware or even illegal material.

Clearly, patch management and antivirus protection are only the first step in securing a network. A good vulnerability assessment is the next logical move. Networks are dynamic entities; they evolve and change constantly. A vulnerability assessment should be set to run constantly and inform the administrator every time a change is detected, to make the utmost of network security protection.

2.3 VA Techniques

Steps for Vulnerability Assessment/Analysis:

a. Defining and classifying network or system resources.

b. Assigning relative levels of importance to the resources.

c. Identifying potential threats to each resource.

d. Developing a strategy to deal with the most serious potential problems first.

e. Defining and implementing ways to minimize the consequences if an attack occurs.
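The five steps above, carried through as a worked example. This is an added Python script, not the thesis author's tool: it classifies constructed sample assets (step a), assigns them an importance level (step b), attaches threats to each (step c), orders every asset/threat pair so the most serious is handled first (step d), and carries a countermeasure for each (step e). The 1-5 scales, the score = importance x likelihood x impact rule, and the asset and threat names are assumptions chosen for illustration.

```python
"""Asset/threat prioritisation following the five assessment steps.

Added example, not the thesis author's tool. The 1-5 scales, the scoring
rule and the asset/threat inventory are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # step a: classification of the resource
    importance: int      # step b: relative importance on an assumed 1-5 scale


@dataclass(frozen=True)
class Threat:
    asset: str           # step c: the resource this threat applies to
    description: str
    likelihood: int      # assumed 1-5 scale
    impact: int          # assumed 1-5 scale
    countermeasure: str  # step e: how to limit the consequences


def risk_score(asset: Asset, threat: Threat) -> int:
    """Assumed scoring rule: importance x likelihood x impact (maximum 125)."""
    return asset.importance * threat.likelihood * threat.impact


def prioritise(assets, threats):
    """Step d: order every (asset, threat) pair so the most serious comes first.

    Returns (score, asset name, threat description, countermeasure) tuples,
    highest score first; ties fall back to asset importance, then asset name.
    A threat naming an unclassified asset raises KeyError: step a missed it.
    """
    by_name = {a.name: a for a in assets}
    ranked = []
    for t in threats:
        a = by_name[t.asset]
        ranked.append((risk_score(a, t), a.name, t.description, t.countermeasure))
    ranked.sort(key=lambda r: (-r[0], -by_name[r[1]].importance, r[1]))
    return ranked


# Constructed sample inventory (not taken from the thesis's test-bed).
ASSETS = [
    Asset("db-01", "database server", importance=5),
    Asset("web-01", "web server", importance=4),
    Asset("printer-02", "network printer", importance=1),
]
THREATS = [
    Threat("web-01", "SQL injection in customer portal", 4, 5,
           "parameterise queries; add input validation"),
    Threat("db-01", "default administrative password", 3, 5,
           "rotate credentials; enforce password policy"),
    Threat("printer-02", "unauthenticated telnet management", 5, 2,
           "disable telnet; restrict management VLAN"),
    Threat("web-01", "missing vendor patches", 3, 3,
           "apply patches in the next maintenance window"),
]


def remediation_plan(assets=ASSETS, threats=THREATS, top=3):
    """The strategy of step d as a concrete work list: the `top` highest-risk items."""
    return [(name, desc, fix) for _, name, desc, fix in prioritise(assets, threats)[:top]]


if __name__ == "__main__":
    for score, name, desc, fix in prioritise(ASSETS, THREATS):
        print(f"{score:3d}  {name:<11} {desc:<36} -> {fix}")
```

The sort key matters more than the arithmetic: without the importance tie-break, two threats with equal scores on assets of very different value would be handled in arbitrary order, which defeats step d.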

The following are the different types of vulnerability assessment techniques[10]:

1. Active assessments: Active assessments are a type of vulnerability assessment that uses


present in that network. Active network scanners have the capability to reduce the intrusiveness of the checks they perform.

2. Passive assessments: Passive assessments sniff the traffic present on the network to identify the working systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently using the network.

3. Host-based assessments: Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line. These assessments check the security of a particular network or server. Host-based assessments are carried out through host-based scanners, which identify system vulnerabilities like incorrect registry and file permissions as well as software configuration errors. Many commercial and open-source scanning tools, such as SecurityExpressions, are used for host-based assessment.

4. Internal assessments: An internal assessment involves scrutinizing the internal network to

find exploits and vulnerabilities. The following are some of the possible steps in performing an internal assessment:

a. Specify the open ports and related services on network devices, servers, and systems. b. Check for router configurations and firewall rule sets.

c. List the internal vulnerabilities of the operating system and server. d. Scan for Trojans that may be present in the internal environment.

e. Check the patch levels on the organization’s internal network devices, servers, and systems.

f. Check for the existence of malware, spyware, and virus activity and document them. g. Evaluate the physical security.

h. Identify and review the remote management process and events.

i. Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares). j. Examine the antivirus implementation and events.

5. External assessments: These types of assessments are based on external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks external to the organization. It determines how secure the external network and firewall are. The following are some of the possible steps in performing an external assessment:

a. Determine the set of rules for firewall and router configurations for the external network.
b. Check whether external server devices and network devices are mapped.
c. Identify open ports and related services on the external network.
d. Examine patch levels on the server and external network devices.
e. Review detection systems such as IDS, firewalls, and application-layer protection systems.
f. Get information on DNS zones.
g. Scan the external network through a variety of proprietary tools available on the Internet.
h. Examine Web applications such as e-commerce and shopping cart software for vulnerabilities.

6. Application assessments: An application assessment focuses on transactional Web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including how every element is deployed and how every element communicates with the client and server. Both commercial and open-source tools are used to perform such assessments.

7. Network assessments: Network assessments determine the possible network security attacks that may occur on an organization’s system. These assessments evaluate the organization’s system for vulnerabilities that are related to the organization’s network, such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessments are performed through firewall and network scanners such as Nessus. These scanners find open ports, recognize the services running on those ports, and find vulnerabilities associated with these services. These assessments help organizations determine how vulnerable systems are to Internet and intranet attacks and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:

i. Checks the network topologies for inappropriate firewall configuration.
j. Examines the router filtering rules.
k. Identifies inappropriately configured database servers.
l. Tests individual services and protocols such as HTTP, SNMP, and FTP.
m. Reviews HTML source code for unnecessary information.

8. Wireless network assessments: In the past, wireless networks were built with weak and basically defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks that were initially deployed are still active and ripe for attack. Wireless network assessments try to attack wireless authentication mechanisms and get unauthorized access. This type of assessment tests wireless networks and also identifies rogue wireless networks that may exist within an organization’s perimeter. These assessments are performed on client-specified sites where wireless networks have been installed. They sniff wireless network traffic and try to crack encryption keys. If the network can be accessed, then other network access is tested.

Once the analysis has been completed and security holes have been found, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly. The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

2.4 Vulnerability Scanners

1. Host-based vulnerability scanners: Host-based scanners are useful for servers that run various applications such as those that involve Web, critical file, database, directory, and remote access capabilities. These host-based scanners are able to detect high levels of vulnerabilities and provide the information required to eliminate those vulnerabilities. A host-based vulnerability scanner can find out what type of operating system is running on a particular host’s computer and can detect its known vulnerabilities. It also examines general applications and services.

a. Some of the known host-based vulnerability scanners are: Microsoft Baseline Security Analyzer (MBSA), Altiris SecurityExpressions (commercial), Retina Network Security Scanner.
b. A database scanner is another example of a host-based vulnerability scanner. It performs detailed security analysis of the authorization, authentication, and integrity of database systems, and can identify any potential security exposures in database systems, ranging from weak passwords and security misconfigurations to Trojan horses. E.g., Scuba by Imperva Database Vulnerability Scanner, Shadow Database Scanner.

2. Application-layer vulnerability scanners: This type of vulnerability scanner is designed to serve the needs of all kinds of operating system types and applications. These tools identify the various resources on a system that pose security threats. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other application-layer vulnerabilities. Application-layer vulnerability scanners are typically directed toward Web servers or database servers.

3. Scope-of-assessment tools: Scope-of-assessment tools provide assessment of security by testing for vulnerabilities in the applications and operating system of a network. These tools provide standard control and a reporting interface that allows users to select a suitable scan type. These tools generate a standard report of the vulnerabilities found during the scan. Some of the scope-of-assessment tools are designed to test a specific application or its type for vulnerability. Application vulnerability scanning can take either or both of two approaches:

a. Static Code Analysis: If the user owns the codebase of the application, the best place to start is with secure coding practices. It is a good idea to have code review as part of the software development process. Static Code Analysis involves more work upfront but results in much more robust applications.
b. Dynamic Code Analysis is the next step, and it is done by taking a black-box approach to the application and probing it with tools similar to scanners that perform injections and try to crash or bypass controls in the application. This is an automated process, and there are some inexpensive or free tools from Cenzic, Whitehat and VERACODE, among others, that can do this on a basic level and offer different versions of this type of scan.

4. Depth assessment tools: Depth assessment tools are used to identify previously unknown vulnerabilities in systems. Generally, these tools are used to identify vulnerabilities to an unstable degree of depth. Such types of tools include fuzzers that give arbitrary input to a system’s interface. Many of these tools use a set of vulnerability signatures to test whether the product is resistant to a known vulnerability or not and then use variations of those signatures to find unknown vulnerabilities.

5. Active scanners: Active scanners perform vulnerability tests on the networks that use system resources. The main advantage of an active scanner is that the system administrator or IT manager has good control of the timing and degree of vulnerability scans. These scanners should not be used on critical systems because they use system resources, affecting the processing of other tasks.

6. Passive scanners: Passive scanners are those that do not affect system resources considerably, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data, which provides complete information on which processes are running, and then assesses that data against a set of rules.

7. Location/data examination scanners: Some of the location/data examination scanners are:

a. Network-based scanner: Network-based scanners are those that have interaction only with the machine in which they reside and provide a report only to that same machine after scanning. Different types of network-based scanners include:
i. Port Scanners that determine the list of open network ports in remote systems; e.g., Nmap.
ii. Web Server Scanners that assess the possible vulnerabilities (e.g. potentially dangerous files or CGIs) in remote web servers; e.g., Nikto, Wikto.
iii. Web Application Scanners that assess the security aspects of web applications (such as cross-site scripting and SQL injection) running on web servers. It should be noted that web application scanners cannot provide comprehensive security checks on every aspect of a target web application. Additional manual checking (such as whether a login account is locked after a number of invalid login attempts) might be needed in order to supplement the testing of web applications. E.g., Paros, Acunetix Web Vulnerability Scanner (commercial).
iv. Network vulnerability scanners that determine the vulnerabilities of each host in the network. E.g., Nessus, Nexpose, OpenVAS, SAINT (commercial), GFI LANguard Network Security Scanner (N.S.S.) (commercial).
b. Agent-based scanner: Agent-based scanners reside on a single machine but have the ability to scan a number of machines on the network.
c. Proxy scanner: Proxy scanners are network-based scanners that have the ability to scan networks from any machine in the network.
d. Cluster scanner: Cluster scanners are similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.

2.4.1 The Limitations of Vulnerability Scanners

For all these strong points, vulnerability scanners also have limitations. The drawbacks of vulnerability scanners are:

1. A vulnerability scanner can only assess a "snapshot of time" in terms of a system or network's security status. Therefore, scanning needs to be conducted regularly, as new vulnerabilities can emerge, or system configuration changes can introduce new security holes.

2. Vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. They cannot determine whether the response is a false negative or a false positive (Regarding vulnerability scanning, "false negative" is the failure to recognize an existence of a flaw in the system or the network under assessment, whereas "false positive" is the incorrect determination of the presence of vulnerability. The former might be due to missing plug-ins in a scanner database while the latter requires human judgment to confirm.). Human judgment is always needed in analyzing the data after the scanning process.

3. A vulnerability scanner is designed to discover known vulnerabilities only. It cannot identify other security threats, such as those related to physical, operational or procedural issues.

In addition, many vulnerability scanners rely on “plug-ins” to determine potential vulnerabilities. Plug-ins are part of the knowledge database (or scan database) of the vulnerabilities that the scanner is capable of detecting. These databases may be named differently (such as “Scanning Profile”) in different scanner products, but the term “plug-ins” will be used here. The finite number of plug-ins can be another drawback of vulnerability scanners. A scanner can only check for those vulnerabilities that it “knows”, by cross-checking against its installed plug-in set. It cannot identify vulnerabilities that don’t have a plug-in. Not all scanners need plug-ins. For example, port scanners do not need any plug-ins, as they just scan a target range of ports.
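The limitations listed above (a scanner only sees what an installed plug-in describes, and a match still needs human confirmation) can be made concrete with a small plug-in driven version check. The following Python sketch is an added illustration, not code from this thesis or from Nessus, OpenVAS or Nexpose; the product names, plug-in identifiers, banners and the host's "ground truth" are all constructed. It shows a true positive, a false positive caused by a backported fix that left the version banner unchanged, and a false negative caused by a product for which no plug-in exists.

```python
"""Plug-in driven version check, as a constructed illustration.

Not code from the thesis or from Nessus/OpenVAS/Nexpose. It mimics how a
scan database of plug-ins drives detection: a host is only ever checked
for what an installed plug-in describes, and a banner-based plug-in can
be wrong when the fix was backported without changing the version string.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Plugin:
    """One entry of the hypothetical scan database."""
    plugin_id: str        # constructed identifier, e.g. "PLUG-0001"
    product: str          # product name as it appears in the banner
    fixed_in: Version     # versions below this are reported as vulnerable
    title: str


@dataclass
class Host:
    name: str
    banners: Dict[int, str]           # port -> banner text (constructed)
    truly_vulnerable_ports: Set[int]  # ground truth from manual review


BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def scan(host: Host, plugins: List[Plugin]) -> List[Tuple[int, str]]:
    """Return (port, plugin_id) findings; only installed plug-ins can fire."""
    findings = []
    for port, banner in host.banners.items():
        match = BANNER_RE.search(banner)
        if not match:
            continue  # nothing recognisable to compare against
        product = match.group("product")
        version = parse_version(match.group("version"))
        for plugin in plugins:
            if plugin.product == product and version < plugin.fixed_in:
                findings.append((port, plugin.plugin_id))
    return findings


def uncovered_services(host: Host, plugins: List[Plugin]) -> Set[int]:
    """Ports whose product has no plug-in at all: the scanner is blind there."""
    known = {p.product for p in plugins}
    blind = set()
    for port, banner in host.banners.items():
        match = BANNER_RE.search(banner)
        if match is None or match.group("product") not in known:
            blind.add(port)
    return blind


def classify(host: Host, findings: List[Tuple[int, str]]) -> Dict[str, Set[int]]:
    """Split scanner output into true/false positives and false negatives."""
    reported = {port for port, _ in findings}
    actual = host.truly_vulnerable_ports
    return {
        "true_positive": reported & actual,
        "false_positive": reported - actual,  # needs human confirmation
        "false_negative": actual - reported,  # typically a missing plug-in
    }


# Constructed scan database: two plug-ins only.
PLUGINS = [
    Plugin("PLUG-0001", "ExampleHTTPd", (2, 4, 10), "ExampleHTTPd < 2.4.10 request handling flaw"),
    Plugin("PLUG-0002", "ExampleFTP", (3, 1), "ExampleFTP < 3.1 authentication bypass"),
]

# Constructed host: the HTTP daemon carries a backported fix (banner unchanged),
# the FTP daemon is really vulnerable, and the SSH daemon is vulnerable but no
# plug-in exists for that product.
HOST = Host(
    name="lab-host-1",
    banners={80: "ExampleHTTPd/2.4.3", 21: "ExampleFTP/2.9 ready", 2222: "ExampleSSH/5.6"},
    truly_vulnerable_ports={21, 2222},
)


def demo() -> Dict[str, Set[int]]:
    return classify(HOST, scan(HOST, PLUGINS))


if __name__ == "__main__":
    for kind, ports in demo().items():
        print(f"{kind}: {sorted(ports)}")
    print("no plug-in coverage on ports:", sorted(uncovered_services(HOST, PLUGINS)))
```

Running it reports port 21 as a true positive, port 80 as a false positive (the banner is old, the code is patched) and port 2222 as a false negative; uncovered_services() lists 2222 as the port where the scan database simply has nothing to say, which is the "missing plug-in" case described above.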

2.5 Case Study

Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several vulnerability assessment tools available, including port scanners, vulnerability scanners, and OS vulnerability assessment scanners. The right tools have to be chosen based on the test requirements. These tools are able to test from dozens to thousands of different vulnerabilities, depending on the product.

The selected tool should have a sound database of vulnerabilities and attack signatures that are updated frequently. The testing team should choose a tool that matches the organization’s environment and personnel expertise. The team should also find out how many reports are produced, what information they contain, and whether the reports can be exported.

The following criteria should be followed at the time of using or purchasing any vulnerability assessment tool:

1. Types of vulnerabilities discovered: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.

2. Testing the capability of scanning: The vulnerability assessment tool must have the capability to execute the entire selected test and must scan all the systems selected for scanning.

3. Ability to provide an accurate report: The ability to prepare an accurate report is essential. Vulnerability reports should be short and clear and should provide methods for mitigating discovered vulnerabilities.

4. Functionality for writing own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows user-developed tests to be used.


5. Ability to schedule tests: It is important to be able to schedule tests, as it allows the test team to perform scanning when traffic on the network is light.

Based on these criteria, three vulnerability assessment tools were selected for study: Nessus, OpenVAS and Nexpose.

2.5.1 Nessus

Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems. It was initially free and open source, but its vendor closed the source code in 2005 and removed the free "Registered Feed" version in 2008. It now costs $1,200 per year, which still beats many of its competitors. A free “Home Feed” is also available, though it is limited and only licensed for home network use.

Nessus is a client-server based vulnerability scanner. It provides a powerful, up-to-date and easy-to-use remote security scanner for business-critical enterprise devices and applications. Nessus servers, placed at strategic points on the network, scan a target computer for open ports and known vulnerabilities, and report to the Nessus client.

The following are the major features of Nessus [11]:

1. Up-to-date security vulnerability database.

2. Remote and local security
a. Traditional network security scanners tend to focus solely on the services listening on the network.
b. Nessus has the ability to detect not only remote flaws in hosts on the network but also their local flaws and missing patches, whether they are running Windows, Mac OS X or a Unix-like operating system.

3. Scalable
a. Nessus has been built so that it can easily scale from a single-CPU computer with low memory to a quad-CPU computer with gigabytes of RAM.
b. The more power given to Nessus, the quicker it will scan the network.

4. Plug-ins
a. Each security test is written as an external plug-in written in NASL.
b. Each NASL plug-in can be read and modified, to better understand the results of a Nessus report.

5. NASL
a. The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly.
b. NASL plug-ins run in a contained environment on top of a virtual machine, thus making Nessus an extremely secure scanner.

6. Smart service recognition
a. Nessus does not assume that the target hosts will respect the IANA-assigned port numbers.
b. Nessus will recognize an FTP server running on a non-standard port or a Web server running on port 8080.

7. Multiple services
a. If a host runs the same service more than once, Nessus will test all instances.

8. Nondestructive or thorough
a. Nessus can either perform a regular nondestructive security audit on a routine basis or throw everything it can at a remote host to see how well it withstands attack from intruders.
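Features 6 and 7 (smart service recognition and testing every instance of a service) rest on one idea: identify a listener by how it answers, not by its port number. The Python sketch below is an added example, not Nessus code or NASL; the fingerprints are a minimal constructed set and the probe responses are constructed byte strings. It flags an FTP server on port 2121 and a second web server on port 8080 as services that a port-number-only approach would mislabel, and groups both web servers under one service so that both get tested.

```python
"""Port-independent service recognition, as a constructed illustration.

This is not Nessus code. It shows the idea behind smart service
recognition: decide what a listener is from how it answers, then compare
that with what the IANA port number alone would have suggested. All probe
responses below are constructed byte strings.
"""
import re
from typing import Dict, List, Optional, Tuple

# (service name, pattern over the first bytes the listener sends).
# Most specific patterns first; FTP and SMTP both greet with "220".
FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("ftp", re.compile(rb"^220[ -].*(?i:ftp)")),
    ("smtp", re.compile(rb"^220[ -].*(?i:smtp)")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3} ")),
]

# What the port number alone would suggest (IANA assignments).
IANA_DEFAULTS: Dict[int, str] = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}


def identify(greeting: bytes, probe_reply: bytes) -> Optional[str]:
    """Match the unsolicited greeting first, then the reply to a generic
    HTTP probe; None if neither is recognised."""
    for sample in (greeting, probe_reply):
        if not sample:
            continue
        for name, pattern in FINGERPRINTS:
            if pattern.search(sample):
                return name
    return None


def recognize(port: int, greeting: bytes, probe_reply: bytes) -> Dict[str, object]:
    """Classify one listener and flag it when the port number is misleading."""
    service = identify(greeting, probe_reply)
    expected = IANA_DEFAULTS.get(port)
    return {
        "port": port,
        "service": service,
        "iana_guess": expected,
        # A recognised service on a port that suggests something else (or
        # nothing at all) is exactly what a port-number-only check misses.
        "non_standard": service is not None and service != expected,
    }


def inventory(samples: List[Tuple[int, bytes, bytes]]) -> Dict[str, List[int]]:
    """Group recognised listeners by service, so that every instance of a
    service (e.g. two web servers) is tested, not just the first one."""
    groups: Dict[str, List[int]] = {}
    for port, greeting, reply in samples:
        result = recognize(port, greeting, reply)
        if result["service"] is not None:
            groups.setdefault(str(result["service"]), []).append(port)
    return {name: sorted(ports) for name, ports in groups.items()}


# Constructed observations: (port, unsolicited greeting, reply to "GET / HTTP/1.0").
SAMPLES: List[Tuple[int, bytes, bytes]] = [
    (22, b"SSH-2.0-ExampleSSH_5.6\r\n", b""),
    (25, b"220 mail.lab ESMTP ready\r\n", b""),
    (80, b"", b"HTTP/1.0 404 Not Found\r\n\r\n"),
    (2121, b"220 lab FTP server ready\r\n", b""),           # FTP on a non-standard port
    (8080, b"", b"HTTP/1.1 200 OK\r\nServer: lab\r\n\r\n"),  # second web server
    (9999, b"\x00\x01\x02binary", b""),                      # unrecognised listener
]


if __name__ == "__main__":
    for port, greeting, reply in SAMPLES:
        print(recognize(port, greeting, reply))
    print(inventory(SAMPLES))
```

A real scanner sends many more probes and carries a far larger fingerprint set; the point here is only the ordering of the decision: answer first, port number second, and unrecognised listeners (port 9999 above) reported as unknown rather than guessed from the port.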

2.5.2 OpenVAS

OpenVAS is a vulnerability scanner that was forked from the last free version of Nessus after Nessus went proprietary in 2005. It continues to grow, with more than 23,000 tests as of November 2011. OpenVAS plugins are written in the same NASL language used by Nessus.

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013). All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).

Some major features of OpenVAS[12]:

1. OpenVAS can be quite network intensive. Even though the OpenVAS developers have taken every effort to avoid packet loss (including transparently resending UDP packets, waiting for data to be received in TCP connections, etc.), bandwidth use should always be closely monitored: with current server hardware, bandwidth is usually the bottleneck in an OpenVAS scan. The problem might not become apparent in the final reports (the scanner will still run and holes might still be detected), but one risks running into false negatives (i.e. OpenVAS will not report a security hole that is present on a remote host).

o It is not easy to give a bandwidth estimate for an OpenVAS run; one will probably need to make one's own measurements. However, assume a test of all 65536 TCP ports. This requires at least a single packet per port, each at least 40 bytes large. Add 14 bytes for the Ethernet header and the scanner will send 65536 * (40 + 14) = 3670016 bytes just for probing all TCP ports, and a multiple of this may be needed, as nmap will try to resend a packet twice if no response is received.

A very rough estimate is that a full scan for UDP, TCP and RPC as well as all NASL scripts may result in 8 to 32 MB worth of traffic per scanned host. Reducing the number of tested ports and the like will reduce the amount of data to be transferred significantly.

2. Each child forked by the OpenVAS scanner will nice itself (when the option is set) to a very low priority. This may speed up the scan, as the main scanner process will be able to continue spawning processes, and it guarantees that OpenVAS does not deprive other important processes of their resources.

3. By default, OpenVAS does not trust the remote host banners. This means that it will check a web server claiming to be IIS for Apache flaws, and so on. This behaviour might generate false positives and will slow the scan down somewhat.

4. Some services (in particular SMB) do not appreciate multiple connections at the same time coming from the same host. Using the KB notation of the OpenVAS scanner to designate a service formally, e.g. "139, Services/www", will prevent OpenVAS from making two connections at the same time on port 139 and on every port which hosts a web server.

5. OpenVAS plugins use the results of each other to do their job. For instance, a plugin which logs into the remote SMB registry will need the results of the plugin which finds the SMB name of the remote host and the results of the plugin which attempts to log into the remote host.
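Points 4 and 5 describe two scheduling rules: plug-ins that connect to the same service key must not run at the same time, and a plug-in runs only once the knowledge base (KB) entries it depends on have been produced by other plug-ins. The following Python scheduler is an added illustration of both rules, not OpenVAS code; the plug-in names, KB keys and service designations are constructed, with "139" and "Services/www" reused from the KB notation quoted above. A plug-in whose required KB key can never be produced (here, an SMB share audit that needs an "SMB/shares" entry nothing provides) is skipped rather than run with missing data.

```python
"""Mini plug-in scheduler with a shared knowledge base (KB).

Constructed illustration, not OpenVAS code. It shows two behaviours from
the list above: plug-ins consume KB entries produced by earlier plug-ins
(so they run only once those entries exist, and are skipped when no
plug-in can ever produce them), and plug-ins that touch the same service
key (here "139" or "Services/www") are never run concurrently.
"""
import threading
import time
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(eq=False)
class Plugin:
    name: str
    service: str                 # KB-style service designation
    needs: Set[str]              # KB keys required before running
    run: Callable[[Dict[str, object]], Dict[str, object]]  # returns new KB entries


class Scheduler:
    def __init__(self, plugins: List[Plugin], workers: int = 4, serialize: bool = True):
        self.plugins = plugins
        self.workers = workers
        self.serialize = serialize                 # False shows the unprotected case
        self.kb: Dict[str, object] = {}
        self.kb_lock = threading.Lock()
        self.service_locks = defaultdict(threading.Lock)  # one lock per service key
        self.active = defaultdict(int)   # service -> plug-ins running right now
        self.peak = defaultdict(int)     # service -> highest value of active seen
        self.waves: List[List[str]] = []  # which plug-ins were started together
        self.skipped: List[str] = []

    def _run_one(self, plugin: Plugin) -> None:
        lock = self.service_locks[plugin.service] if self.serialize else threading.Lock()
        with lock:                                  # serialise per service key
            with self.kb_lock:
                self.active[plugin.service] += 1
                self.peak[plugin.service] = max(self.peak[plugin.service], self.active[plugin.service])
                snapshot = dict(self.kb)
            time.sleep(0.05)                        # stand-in for network I/O
            produced = plugin.run(snapshot)
            with self.kb_lock:
                self.kb.update(produced)
                self.active[plugin.service] -= 1

    def run(self) -> Dict[str, object]:
        pending = list(self.plugins)
        with ThreadPoolExecutor(max_workers=self.workers) as pool:
            while pending:
                with self.kb_lock:
                    have = set(self.kb)
                ready = [p for p in pending if p.needs <= have]
                if not ready:
                    # Nothing left can satisfy the remaining dependencies.
                    self.skipped = [p.name for p in pending]
                    break
                pending = [p for p in pending if p not in ready]
                self.waves.append([p.name for p in ready])
                for future in [pool.submit(self._run_one, p) for p in ready]:
                    future.result()                 # propagate plug-in errors
        return self.kb


# Constructed plug-ins; each returns the KB entries it "discovered".
PLUGINS = [
    Plugin("find_smb_name", "139", set(), lambda kb: {"SMB/name": "LABHOST"}),
    Plugin("www_detect", "Services/www", set(), lambda kb: {"www/banner": "ExampleHTTPd/2.4"}),
    Plugin("smb_login", "139", {"SMB/name"}, lambda kb: {"SMB/login": "guest@" + str(kb["SMB/name"])}),
    Plugin("smb_registry", "139", {"SMB/name", "SMB/login"}, lambda kb: {"SMB/registry/read": True}),
    Plugin("www_trace", "Services/www", {"www/banner"}, lambda kb: {"www/trace_enabled": False}),
    Plugin("www_dirs", "Services/www", {"www/banner"}, lambda kb: {"www/dir_listing": False}),
    Plugin("smb_shares_audit", "139", {"SMB/shares"}, lambda kb: {"SMB/shares/audited": True}),
]


if __name__ == "__main__":
    scheduler = Scheduler(PLUGINS)
    print(scheduler.run())
    print("waves:", scheduler.waves, "skipped:", scheduler.skipped, "peak:", dict(scheduler.peak))
```

With the per-service locks in place the peak concurrency for both "139" and "Services/www" stays at 1 even though www_trace and www_dirs are started in the same wave; constructing the scheduler with serialize=False lets those two overlap, which is the behaviour the KB designation is meant to prevent.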

2.5.3 Nexpose

Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation. It is sold as standalone software, an appliance, virtual machine, or as a managed service or private cloud deployment. User interaction is through a web browser. There is a free "community edition" for scanning up to 32 IPs, as well as Express ($3,000 per user per year), Express Pro ($7,000 per user per year) and Enterprise (starts at $25,000 per user per year) editions.

Some of the major features of Nexpose scanner are[13]:

1. Asset Discovery: Automatically discover and inventory IT assets and the applications and services running on them, including IPv6, virtual and cloud-hosted assets. Nexpose's asset information can be integrated with third-party asset inventories such as Active Directory (AD), LDAP and VMware vCenter.

2. Comprehensive Assessment: Nexpose correlates threats such as vulnerabilities, misconfigurations, policy violations, exposure to exploits and malware across all of an organization’s assets, including operating systems, networks, databases and web applications.

3. Risk Prioritization: Factors such as exposure to exploits, malware and the age of vulnerabilities are combined into a single prioritized risk score. Vulnerabilities can then be filtered across 145 signal categories to easily prioritize remediation and mitigate risk in an environment.

4. Compliance: Internal policies can be compared, tracked and benchmarked against industry best practices and benchmarks such as FDCC, CIS and USGCB, leveraging policy frameworks such as SCAP. Internal policies can be specified with Nexpose's policy editor. Security assessments and reports are run to certify compliance with regulations such as PCI, HIPAA, NERC, FISMA, SANS Top 20 and state privacy laws.

5. Virtualization Security: Nexpose scans virtual environments to continuously check for threats, including those in the hypervisor, guest operating systems and virtual applications. Through the integration with VMware's vCenter, Nexpose listens for and stays up to date with the status of the changing virtual environment. Nexpose is the only vulnerability management solution that has been selected and validated by VMware as part of VMware's virtualization security reference architecture.

2.5.4 Comparative Analysis of Nessus, OpenVAS, Nexpose Scanner

In this high-level comparison of Nessus, Nexpose and OpenVAS I have made no attempt to do a detailed metric-based analysis. The primary reason for this is that it would be time consuming and difficult to get a conclusive result, due to the large differences not only in detection but also in the categorization of vulnerabilities by the different solutions.

What I have done is run these three vulnerability scanners against one Windows 7 [SP1] machine with a different configuration, one Windows XP [SP3] machine and one Red Hat Linux 6.3 [kernel version 2.6.32] machine.

In the testing, I am deliberately focusing on the network vulnerability scanning capabilities rather than looking at web application vulnerability detection in detail. It is my belief that a network vulnerability scanner should be capable of identifying poorly configured services, default services that have poor security, and software with known security vulnerabilities.

2.5.4.1 About the Vulnerability Scanners for Testing

1. Nessus [version 5.0.3] was launched using the External network scan profile [This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy. Also, all 65,535 ports will be scanned on each target.].
o The HomeFeed was used for testing. According to the Tenable website, "The Nessus HomeFeed gives you the ability to scan your personal home network (up to 16 IP addresses) with the same high-speed, in-depth assessments and agentless scanning convenience that ProfessionalFeed subscribers enjoy."
o At the time of scanning, Nessus had over 54K plugins (a plugin being a simple program that checks for a given flaw).

2. OpenVAS [version 4] was tested with the “Full and very deep ultimate” scan profile [Exploits the majority of NVTs, among them some that may cause a shutdown of the service/remote system. This profile is slower because it does not use the information previously collected.].
o External tools that OpenVAS can use were not installed (apart from Nmap); these external tools are mostly web application vulnerability detection tools, including wapiti, Arachni, Nikto and Dirb.
o At the time of scanning, OpenVAS had over 30K NVTs.

3. Nexpose scanner [Community Edition v5.6.1] was executed with the Exhaustive Scan Template [Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.].
o According to the Rapid7 website, “Nexpose Community Edition is powered by the same scan engine as award-winning Nexpose Enterprise Edition and offers many of the same features.” With this version one can scan up to 32 IP addresses.

4. No tweaking of default scan profiles was undertaken.

5. No credentials were used during the scan.

2.5.4.2 Test Scanning Results

The comparative results of the three scanners after scanning the three hosts described above are as follows:

Table 1 : Overall scanning output result

Nessus (External Network Profile)
  Host#1 (Windows 7):        Critical: 1  High: 0  Medium: 7  Low: 4  Info: 66
  Host#2 (Windows XP):       Critical: 2  High: 0  Medium: 3  Low: 0  Info: 22
  Host#3 (Red Hat Linux 6):  Critical: 0  High: 0  Medium: 0  Low: 0  Info: 11

OpenVAS (Full and very deep ultimate)
  Host#1 (Windows 7):        High: 3  Medium: 6  Low: 9  Log: 29
  Host#2 (Windows XP):       High: 3  Medium: 1  Low: 9  Log: 20
  Host#3 (Red Hat Linux 6):  High: 0  Medium: 3  Low: 2  Log: 16

Nexpose (Exhaustive Scan Template)
  Host#1 (Windows 7):        Critical: 0  Severe: 6  Moderate: 2
  Host#2 (Windows XP):       Critical: 6  Severe: 2  Moderate: 0
  Host#3 (Red Hat Linux 6):  Critical: 0  Severe: 1  Moderate: 2

Table 2 : Detected vulnerabilities in Host 1 (Windows 7)

Columns: Vulnerability | Nessus | OpenVAS | Nexpose (each X marks detection by one scanner)

1. OpenSSL FIPS / PolarSSL Mode Diffie-Hellman Key Exchange Predictable Secret MiTM Weakness
   CVE ID: 2011-1923, 2011-5095; OSVDB ID: 70945, 71845
   Marks: X

2. Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
   OSVDB ID: 300

3. RC4 Algorithm Pseudo-random Character Generation Weakness Plaintext Content Disclosure
   CVE ID: 2013-2566; OSVDB ID: 91162
   Marks: X

4. Cisco Multiple Devices TLS Renegotiation Handshakes MiTM Plaintext Data Injection
   CVE ID: 2009-3555; OSVDB ID: 59968-59974, 60366, 60521, 61234, 61718, 61784, 61785, 61929, 62064, 62135, 62210, 62273, 62536, 62877, 64040, 64499, 64725, 65202, 66315, 67029, 69032, 69561, 70055, 70620, …
   Marks: X

5. Oracle Sun GlassFish Enterprise Server / Java System Application Server Crafted GET Request Authentication Bypass Arbitrary Code Execution
   CVE ID: 2011-0807; OSVDB ID: 71948
   Marks: X X

6. Multiple Web Server Dangerous HTTP Method TRACE
   CVE ID: 2003-1567, 2004-2320, 2010-0386, 2004-2763, 2005-3398, 2006-4683, 2007-3008, 2008-7253, 2009-2823; OSVDB ID: 877, 3726, 5648, 35511, 50485
   Marks: X X

7. Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution
   CVE-2008-4250; OSVDB-49243
   Marks: X

8. Unspecified vulnerability in Oracle GlassFish 2.1, 2.1.1, and 3.0.1, and Java System Message Queue 4.1 allows local users to affect confidentiality, integrity, and availability, related to Java Message Service (JMS).
   CVE-2010-4438
   Marks: X

9. Unspecified vulnerability in Oracle Communications Server 2.0; GlassFish Enterprise Server 2.1.1, 3.0.1, and 3.1.1; and Sun Java System App Server 8.1 and 8.2 allows remote attackers to affect availability via unknown vectors related to Web Container.
   CVE-2011-3559
   Marks: X

10. … Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
    CVE-2011-5035

11. Multiple cross-site scripting (XSS) vulnerabilities in the Admin Console in Sun GlassFish Enterprise Server 2.1 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) applications/applications.jsf, (2) configuration/configuration.jsf, (3) customMBeans/customMBeans.jsf, (4) resourceNode/resources.jsf, (5) sysnet/registration.jsf, or (6) webService/webServicesGeneral.jsf; or the name parameter to (7) configuration/auditModuleEdit.jsf, (8) configuration/httpListenerEdit.jsf, or (9) resourceNode/jdbcResourceEdit.jsf.
    CVE-2009-1553
    Marks: X

12. Web Server Directory Enumeration
    OWASP-CM-006
    Marks: X X

13. Inadequate Encryption Strength
    CWE-326, 327, 720, 753, 803
    Marks: X X

Figure 1 : Number of vulnerabilities detected in Host 1 (Windows 7)
[Bar chart titled "Summary of Vulnerability (Number wise) Detection in Host#1"; bars for Nessus, OpenVAS and Nexpose; vertical axis 0 to 8.]

Figure 2 : Year-wise vulnerability detection in Host 1
[Bar chart titled "Summary of Vulnerability (Timestamp wise) Detection in Host#1"; bars for Nessus, OpenVAS and Nexpose; vertical axis 0 to 3.]

Table 3 : Detected vulnerabilities in Host 2 (Windows XP)

Vulnerability Nessus OpenVAS Nexpose

Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution

CVE-2008-4250, OSVDB-49243

X X X

Microsoft Windows SMB Vulnerabilities Remote Code Execution

CVE-2008-4834, CVE-2008-4835, CVE-2008-4114 OSVDB- 48153, 52691, 52692

X X X

A Windows NT domain user or administrator account has a guessable password.

CVE-1999-0505

X

A NETBIOS/SMB share password is the default, null, or missing.

CVE-1999-0519, CVE-2002-1117, CVE-1999-0520 OSVDB- 299, 8230

X X

[Chart for Figure 2: Summary of Vulnerability (Timestamp wise) Detection in Host#1; bars for Nessus, Openvas, Nexpose; y-axis 0 to 3]

The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability."

CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231

X X

The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate fields in an SMB request, which allows remote attackers to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability."

CVE-2010-2550, CVE-2010-2551, CVE-2010-2552

X

The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate fields in SMB requests, which allows remote attackers to execute arbitrary code via a malformed request in a (1) SMBv1 or (2) SMBv2 packet, aka "SMB Transaction Parsing Vulnerability."

CVE-2011-0661, OSVDB-71781

X

Figure 3 : Number of vulnerabilities detected in Host 2 (Windows XP)

[Chart: Summary of Vulnerability (Number wise) Detection in Host#2; bars for Nessus, Openvas, Nexpose; y-axis 0 to 6]

Figure 4 : Year-wise vulnerability detection in Host 2

Table 4 : Detected vulnerabilities in Host 3 (Red Hat Linux 6)

Vulnerability Nessus OpenVAS Nexpose

Multiple Vendor ICMP netmask Request Information Disclosure

CVE-1999-0524, OSVDB-95

X X

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

CVE-2004-0230, OSVDB-4030

X X

The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.

CVE-2012-0814

X

[Chart for Figure 4: Summary of Vulnerability (Timestamp wise) Detection in Host#2; bars for Nessus, Openvas, Nexpose; y-axis 0 to 4]

Figure 5 : Number of vulnerabilities detected in Host 3 (Red Hat Linux 6)

[Chart: Summary of Vulnerability (Number wise) Detection in Host#3; bars for Nessus, Openvas, Nexpose; y-axis 0 to 2]

Figure 6 : Year-wise vulnerability detection in Host 3

[Chart: Summary of Vulnerability (Timestamp wise) Detection in Host#3; bars for Nessus, Openvas, Nexpose; y-axis 0 to 2]

Figure 7 : Comparative statistics of vulnerability detection

Vulnerability scanning is an important security control that should be implemented by any organization wishing to secure its IT infrastructure. It is recommended by the SANS Institute as a Critical Control and by the US-based NIST as a Security Management Control.

The results show significant variation in discovered security vulnerabilities by the different tools. It may be helpful to compare vulnerability scanners to anti-virus solutions; they are both an important security control that can enhance an organization’s security posture. However as with anti-virus, a vulnerability scanner will not find all the bad things.

This will be common knowledge for most in the security industry who have performed network vulnerability testing. When performing vulnerability scanning, it is necessary to check the results for accuracy (false positives) and to actively look for things that were missed (false negatives).

My recommended approach is to use multiple tools, as they provide a greater level of coverage and assist in confirming discovered vulnerabilities.

[Chart: Summary of Comparative Vulnerability (Number wise) Detection; groups At Host#1, At Host#2, At Host#3; y-axis 0 to 5; series: by Nessus, by Openvas, by Nexpose, by Nessus & Openvas, by Openvas & Nexpose, by Nexpose & Nessus, by Nessus & Openvas & Nexpose]

Figure 8 : Year-wise statistics of vulnerability detection

Table 5 : Comparative analysis according to the age of total detected vulnerabilities

Scanner    All vulnerabilities discovered till date*    All recent vulnerabilities from 2011 till date*
Nessus     56.5%                                        42.8%
OpenVAS    47.8%                                        57%
Nexpose    43.4%                                        14%

*w.r.t. the total number of vulnerabilities discovered by these three scanners.

After the Nessus scanner became proprietary, the open-source community lost a tool that had been the practical standard for network vulnerability assessment. However, the OpenVAS scanner presented itself in this test as a reliable and trustworthy tool for network security audits. Its only minus is a smaller base of plugins compared to Nessus, and that is something that needs to be improved. Even though the Nessus vulnerability scanner still has a larger base of plugins and discovers more known vulnerabilities, the results obtained in our test showed that the OpenVAS scanner discovers more recent vulnerabilities. These are good results for OpenVAS, considering that Nessus has three times more plugins and 10+ years of development behind it. The Nexpose scanner is relatively new in this comparison; still, its results give the other two scanners something to think about in the near future.
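As an added illustration of the comparison behind Table 5 and Figures 7 and 8 (example code written for this page, not part of the thesis or of any scanner), the script below takes per-scanner result sets and computes each scanner's share of the union, the exact-overlap partition, the per-year buckets, and the union members a single scanner did not report (the false-negative candidates the text says must be looked for). The CVE identifiers are taken from the tables above, but the scanner-to-CVE assignment is constructed for illustration and is not the thesis's measured data.

```python
from collections import Counter

# Constructed sample: CVE ids come from the thesis tables, but which scanner
# reported which id is made up here for illustration, not the thesis's results.
FINDINGS = {
    "Nessus":  {"CVE-2008-4250", "CVE-2008-4834", "CVE-1999-0505",
                "CVE-2010-2550", "CVE-2004-0230"},
    "OpenVAS": {"CVE-2008-4250", "CVE-2008-4834", "CVE-1999-0519",
                "CVE-2011-0661", "CVE-2012-0814", "CVE-2004-0230"},
    "Nexpose": {"CVE-2008-4250", "CVE-2008-4834", "CVE-1999-0524",
                "CVE-2010-0231"},
}

def cve_year(cve):
    """Year embedded in a CVE id, e.g. CVE-2010-0231 -> 2010."""
    return int(cve.split("-")[1])

def union_of(findings):
    """Every distinct vulnerability reported by at least one scanner."""
    return set().union(*findings.values())

def coverage(findings, since=None):
    """Table 5 style: each scanner's share (%) of the union. With `since`,
    only CVEs from that year onwards count ('recent' vulnerabilities)."""
    total = union_of(findings)
    if since is not None:
        total = {c for c in total if cve_year(c) >= since}
    if not total:
        return {s: 0.0 for s in findings}
    return {s: round(100 * len(f & total) / len(total), 1)
            for s, f in findings.items()}

def overlap(findings):
    """Figure 7 style: number of CVEs reported by each exact combination of
    scanners and by no other scanner."""
    counts = Counter()
    for cve in union_of(findings):
        found_by = sorted(s for s, f in findings.items() if cve in f)
        counts[" & ".join(found_by)] += 1
    return dict(counts)

def year_buckets(findings):
    """Figure 8 style: per-scanner counts by CVE year ('before 2010' collapsed)."""
    def bucket(y):
        return "before 2010" if y < 2010 else str(y)
    return {s: dict(Counter(bucket(cve_year(c)) for c in f))
            for s, f in findings.items()}

def missed_by(findings, scanner):
    """False-negative candidates for one scanner: union members it did not report."""
    return sorted(union_of(findings) - findings[scanner])
```

Running `coverage(FINDINGS)` and `coverage(FINDINGS, since=2011)` on the constructed sets reproduces the two columns of Table 5 for this sample, and `missed_by` lists what to re-check by hand for a given scanner.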

[Chart: Summary of Comparative Vulnerability (Timestamp wise) Detection; groups Nessus, Openvas, Nexpose; y-axis 0 to 8; series: before 2010, 2010, 2011, 2012, 2013]

Chapter-3 Penetration Testing

3.1 Definition of Penetration Testing in the Information Security Context

Penetration
