Security Auditing Tools

1. Service Mapping Tools

Service mapping tools are used to identify systems, remote services, and open ports. These types of tools can be used to test a firewall rule base or to observe how a system responds to different real or crafted IP packets.

1.1 Nmap

Nmap is the network and service scanning tool of choice for most security professionals. It is a free, open source application available on all UNIX and Windows operating systems. The tool is command-line based, but there are a number of graphical frontends for those who want a point-and-click experience.

Nmap can be used to scan for service ports, perform operating system detection, and run ping sweeps. Nmap uses an operating system's normal response to a valid connection request, or its "tear down" response, to determine whether a port is open (listening and responding) or not enabled. A typical TCP connection follows a three-way handshake to set up communications.

Step 1. Computer A sends a Syn packet to computer B to initiate communication-Syn.

Step 2. Computer B replies to computer A with an acknowledgement packet-Ack.

Step 3. Computer A sends a Syn acknowledgement packet to computer B to start the session-Syn Ack.

Step 4. A connection is established and data communications can begin.

If you execute Nmap with its default settings, and assuming you have root privileges, Nmap performs a SYN scan:

nmap 192.168.1.3

Nmap sends a SYN to all of the ports listed in its services file (over 1,000 ports) and looks for a SYN/ACK response. If it gets a response, it assumes that the port is open, immediately sends a RST (reset) to close the connection, and then moves on to the next port to be tested. If there is no response, Nmap assumes that the port is closed. The SYN scanning process is simple, which is why Nmap can scan a host so quickly.

Starting Nmap 5.21 ( http://insecure.org )

Interesting ports on 172.16.1.3:

Not shown: 1707 closed ports

PORT     STATE SERVICE

135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

3389/tcp open  ms-term-serv

MAC Address: 00:1A:92:0A:62:B1 (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 2.226 seconds

Useful Nmap Commands

| Nmap Command Example | Description |
| --- | --- |
| nmap -sP 192.168.1.0/24 | Ping the entire 192.168.1.0 subnet to see which hosts respond. |
| nmap -P0 192.168.1.5-11 | Scan IP hosts at .5–11. Assume hosts are available for scanning, don't ping to check, and perform a SYN scan. (By default, Nmap doesn't scan a host if it doesn't receive a ping response.) |
| nmap -A 192.168.1.4 | Scan host and attempt identification of services running on ports and the OS. |
| nmap -O 172.16.2.3 | Scan host and attempt to identify what OS it runs. |
| nmap -p22,23,25 10.10.1.1 | Scan a host to see whether ports 22, 23, and 25 are available. |
| nmap -sT -A -v 192.12.1.24 | Scan a host with a full TCP connect and perform OS and service version detection with verbose reporting. |

Table 3: Nmap commands

1.2. Hping

Hping is a tool that expands on basic ping functionality by providing the capability to create custom IP packets for the auditing and testing of security controls. Hping enables the sending of arbitrary packets, the manipulation of IP options and fields, and basic port-scanning capabilities. Not only does Hping send packets, but it also enables the auditor to set up a listening mode that displays any packets that return matching a certain pattern. This can be useful when testing security controls such as firewalls or intrusion detection system (IDS) and intrusion prevention system (IPS).

Some of the uses of Hping are:

  • Port scanning: Hping provides basic port-scanning capabilities including an incremental option (++ before the port number) that enables an auditor to scan a range of ports with custom packets and TCP options. This tool doesn’t replace Nmap, but provides a high level of control about exactly what packets get sent on the wire.
  • Network protocol testing: Hping can create practically any packet you want to manufacture to test how a system responds to malformed communications.
  • Access control and firewall testing: Hping can be used to test firewall and IDS rules to ensure they work as expected. Hping can accept input from a text file to create payload data that can be packaged and sent to a remote system (like exploit code). This feature can be used to verify IPS signatures and monitoring systems.

The following example shows Hping scanning ports from 134 to 140. Notice the SA flags in the response denoting a SYN ACK response on the live ports, and RA flags or Reset Ack on closed ports:

hping2 172.16.1.3 -S -p ++134

HPING 172.16.1.3 (en1 172.16.1.3): S set, 40 headers + 0 data bytes

len=46 ip=172.16.1.3 ttl=128 DF id=4802 sport=134 flags=RA seq=0 win=0 rtt=0.6 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4803 sport=135 flags=SA seq=1 win=8192 rtt=0.8 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4804 sport=136 flags=RA seq=2 win=0 rtt=0.8 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4805 sport=137 flags=RA seq=3 win=0 rtt=0.9 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4806 sport=138 flags=RA seq=4 win=0 rtt=0.8 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4807 sport=139 flags=SA seq=5 win=8192 rtt=0.8 ms

len=46 ip=172.16.1.3 ttl=128 DF id=4808 sport=140 flags=RA seq=6 win=0 rtt=0.8 ms

….Truncated for brevity
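The following Python sketch is an added example, not part of the original chapter. It parses the hping2 replies shown above, maps the SA and RA flags to port states, and compares the result with an expected firewall policy; the ALLOWED_PORTS set and the function names are hypothetical and chosen only for illustration.

```python
import re

# hping2 replies copied from the output above (SYN probes to ports 134-140).
HPING_OUTPUT = """\
HPING 172.16.1.3 (en1 172.16.1.3): S set, 40 headers + 0 data bytes
len=46 ip=172.16.1.3 ttl=128 DF id=4802 sport=134 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4803 sport=135 flags=SA seq=1 win=8192 rtt=0.8 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4804 sport=136 flags=RA seq=2 win=0 rtt=0.8 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4805 sport=137 flags=RA seq=3 win=0 rtt=0.9 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4806 sport=138 flags=RA seq=4 win=0 rtt=0.8 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4807 sport=139 flags=SA seq=5 win=8192 rtt=0.8 ms
len=46 ip=172.16.1.3 ttl=128 DF id=4808 sport=140 flags=RA seq=6 win=0 rtt=0.8 ms
"""

# Hypothetical policy for this example: the only port the rule base should expose.
ALLOWED_PORTS = {135}

# A reply line carries the probed port in sport= and the TCP flags in flags=.
REPLY = re.compile(r"sport=(\d+)\s+flags=([A-Z]+)")


def parse_replies(text):
    """Return {port: flags} for every reply line; the banner line is skipped."""
    replies = {}
    for line in text.splitlines():
        match = REPLY.search(line)
        if match:
            replies[int(match.group(1))] = match.group(2)
    return replies


def port_state(flags):
    """Map reply flags to a state: SA = SYN/ACK (open), RA = Reset/Ack (closed)."""
    if flags is None:
        return "no-reply"  # the probe or its answer was dropped on the path
    if flags == "SA":
        return "open"
    if "R" in flags:
        return "closed"
    return "unexpected:" + flags


def audit(text, probed_ports, allowed_ports):
    """Compare observed port states with the policy and return the deviations."""
    replies = parse_replies(text)
    findings = []
    for port in sorted(probed_ports):
        state = port_state(replies.get(port))
        if state == "open" and port not in allowed_ports:
            findings.append((port, state, "reachable but not permitted by policy"))
        elif state != "open" and port in allowed_ports:
            findings.append((port, state, "permitted by policy but not reachable"))
        elif state.startswith("unexpected"):
            findings.append((port, state, "reply flags need manual review"))
    return findings


if __name__ == "__main__":
    for port, state, note in audit(HPING_OUTPUT, range(134, 141), ALLOWED_PORTS):
        print(f"{port}/tcp {state}: {note}")
```

Against the sample output, the only deviation reported is port 139, which answers with SA although the example policy allows only port 135.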

Some useful Hping commands are included in Table 4-2.

Useful Hping2 Commands

| hping2 Command Example | Description |
| --- | --- |
| hping2 172.16.1.4 -p 80 | Sends a TCP Null packet to port 80 on host 172.16.1.4. Most systems respond with a Reset/Ack flag if they are up and not firewalled. |
| hping2 192.168.1.4 -p 80 -S | Sends a SYN connect packet to host 192.168.1.4 at port 80. If the port is open, you will see a SYN/ACK response. |
| hping2 172.16.1.10 -S -p ++22 | Sends a SYN connect packet to host 172.16.1.10 port 22 and increments the port number by 1 after each packet sent. Open ports respond with SA flags and closed ports respond with RA flags. It is useful for mapping ports sequentially. |

Table 4: Hping Commands

2. Vulnerability Assessment Tools

There are many vulnerability assessment tools available today, from commercial applications to well-known open source tools. A vulnerability scanner’s purpose is to map known vulnerabilities in products and present a report of potential vulnerabilities. This type of tool is great for automating the assessment of multiple hosts and usually provides nice severity categorization and output for reports. Obviously, you need to be careful when performing vulnerability tests on business systems because some of the assessment mechanisms these tools use to find vulnerabilities can crash services or cause an outage. Auditors should have a plan in place for restoring service in the event of a problem and perform testing outside of peak utilization times. Taking down the accounting server in the middle of processing payroll will not win you any friends and could be a career-limiting move. The following sections discuss vulnerability assessment tools that are good examples of the types of applications auditors can use to find control weaknesses.

2.1 Nessus

Nessus is a popular vulnerability scanner that looks for known vulnerabilities in operating systems, networking gear, and applications. Currently at version 4, Nessus has expanded its functionality significantly since it was introduced as an open source project more than 10 years ago. With the release of Version 4, Nessus has become a closed source product owned by Tenable Network Security. While the scanner is still free for home use to scan your personal devices, if you use it in any other capacity outside of the home, a professional feed license is required. The professional feed provides access to the latest updates and advanced features such as compliance checks (PCI, NIST, or CIS), SCAP protocol support, the ability to load it as a virtual appliance, and product support from Tenable. The yearly professional license fee for Nessus is around $1,200.

Optionally, you can input login credentials and SNMP strings for databases and Windows domain credentials to get a more thorough scan of operating system files and networking equipment settings. Figure 29 shows the plugin selection process used to configure scanning policies.

Figure: Selecting Plugins in Nessus

After scanning policies have been configured, select the device IP addresses that will be assessed. To start a scan, simply provide target addresses to scan, and then the scan policy that you want to use. You can select individual IPs, entire subnets, or you can import a text file with all of the addresses for the entire organization. After your targets are selected, select launch scan and Nessus will start its vulnerability analysis. 

2.2 RedSeal SRM

RedSeal Security Risk Manager (SRM) is a commercial risk management and threat identification application that eases the burden of analyzing a network to find vulnerabilities in configurations and visualizes the severity of what could happen if network security controls are compromised. The power of this application is that it enables an auditor to identify, prioritize, and report on the risk an organization faces at every point in the network. SRM builds a model of the network by importing configurations from network devices, vulnerability data from scanners, and the applications that are present. It performs Network Configuration Checks (NCC) that compare device configurations against standards and that identify vulnerabilities leveraging the National Vulnerability Database hosted by NIST.

Figure: SRM Home Tab

RedSeal Security Risk Manager is a useful tool for visualizing and reporting on risk. Auditors can use it to aid in identifying whether a network is configured according to best practices, but also as a means to interpret business risk by assigning asset values and automatically quantifying the risk. Most auditors use a number of discrete tools that pull portions of this data, but having the ability to identify potential vulnerabilities and then extrapolate downstream attack potential is a compelling aspect of this product. For example, you may wonder whether a web server can be compromised and how much access the current configuration affords that web server to the internal network. Simply click on the Threats To tab and see visually what could potentially happen. Threat modeling is a powerful way to increase the security posture of the network.

Some of the other uses for SRM are:

  • Prioritizing what host or devices to remediate first based on the overall risk and downstream threat to the organization
  • Modeling a potential perimeter breach to determine what types of compensating technologies or controls need to be in place to reduce the risk of leapfrogging from one system to another
  • As a measuring tool for management to correlate the changes in risk over time and as systems are remediated
  • As new vulnerabilities are identified in applications, quickly modeling the impact of those vulnerabilities to the network as a whole
  • As new services or business-to-business connections are brought online, modeling the risk to connected systems
  • The ability to conduct a best-practices audit per device with the click of a button

3. Packet Capture Tools

Validation and testing of security controls are the most important aspects of conducting an audit. Auditors shouldn’t just assume a firewall or IPS will enforce policy; they must test it and gather evidence about how well those controls do their jobs. Packet capture tools are familiar to anyone who has had to troubleshoot a challenging network redesign or configuration. Packet capture tools are also extremely valuable when testing firewall rules, IPS signatures, and practically any other scenario where you need to see exactly what is going across the wire. Tcpdump and Wireshark are two free tools that should be in every auditor’s repertoire.

3.1 Tcpdump

Tcpdump is a free packet capture program that operates as a simple command-line based “sniffer”.

Tcpdump is an easy tool to get started with. Simply open a command prompt, type in the command tcpdump, and it happily starts displaying all of the packets seen by the first interface it finds on the machine. To be more specific about the interface you use (wireless or wired), you can type:

tcpdump -D

1.en0

2.fw0

3.en1

4.lo0

Tcpdump lists the interfaces available on your computer so that you can then select by number which one you want to use. This is especially useful on the Windows version (Windump) because Windows stores device information in the registry and assigns a cryptic address to your interfaces. After you have the appropriate interface, in this case Ethernet0 (en0), you can begin capturing traffic by issuing the command tcpdump -i 1 (or tcpdump -i en0):

tcpdump -i 1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listing on en0, link-type EN10MB (Ethernet), capture size 68 bytes

17:16:15.684181 arp who-has dhcp-10-90-9-126.cisco.com tell dhcp-10-90-9-126.cisco.com

17:16:15.746744 00:1a:a1:a7:8c:d9 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown)

 SNAP Unnumbered, ui, Flags [Command], length 50

Useful Tcpdump Commands

| Tcpdump Command Example | Description |
| --- | --- |
| tcpdump -r file_name -s 1514 -vv | Read the capture file file_name with a snaplen of 1514 and a very verbose decode. |
| tcpdump -w file_name -s 1514 -e | Write capture to file_name with a snaplen of 1514. |
| tcpdump -i eth0 -s 1514 -vv -e | Capture packets from interface Ethernet 0, decode very verbose, and include Ethernet header information. |
| tcpdump host 10.2.3.1 and udp dst port 53 | Capture packets from host 10.2.3.1 that are UDP going to port 53 (DNS). |
| tcpdump -i 3 '(tcp[13] & 0x03) = 3' | Capture and display packets on interface 3 with SYN and FIN bits set in TCP header. |

Table 5: Tcpdump Commands
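The last filter in the table reads byte 13 of the TCP header, which holds the flag bits, and masks it with 0x03 (FIN = 0x01, SYN = 0x02). The Python sketch below is an added example, not part of the original chapter: it applies the same test to constructed TCP headers and shows why the mask matters compared with a plain equality check. The function names and sample packets are assumptions made for illustration.

```python
import struct

# TCP flag bits stored in byte 13 of the TCP header (the byte tcp[13] reads).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=8192):
    """Build a 20-byte TCP header (no options, checksum left at 0) for testing."""
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    offset = 5 << 4  # header length of 5 32-bit words, high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset, bits, window, 0, 0)


def flag_names(header):
    """Decode byte 13 into flag names, as a protocol decoder would display them."""
    return [name for name, bit in FLAGS.items() if header[13] & bit]


def syn_fin_filter(header):
    """Same test as the capture filter (tcp[13] & 0x03) = 3: SYN and FIN both set."""
    return (header[13] & 0x03) == 3


def exact_filter(header):
    """Equality without the mask (tcp[13] = 3): misses packets with extra flags."""
    return header[13] == 3


# Constructed sample packets: label -> flags set in the header.
SAMPLES = {
    "SYN": ["SYN"],
    "SYN/ACK": ["SYN", "ACK"],
    "FIN/ACK": ["FIN", "ACK"],
    "SYN+FIN": ["SYN", "FIN"],
    "SYN+FIN+PSH": ["SYN", "FIN", "PSH"],
}


def matching_labels(samples, predicate):
    """Return the labels of the sample packets that the predicate selects."""
    return [label for label, flags in samples.items()
            if predicate(build_tcp_header(40000, 80, flags))]


if __name__ == "__main__":
    print("masked filter:", matching_labels(SAMPLES, syn_fin_filter))
    print("exact filter: ", matching_labels(SAMPLES, exact_filter))
```

In Wireshark's display filter language the same condition can be written with field names, tcp.flags.syn == 1 && tcp.flags.fin == 1, with no offset or mask to work out.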

3.2 Wireshark/Tshark

Wireshark started life as Ethereal, written by Gerald Combs in 1998. Wireshark operates very much like Tcpdump in that it captures live traffic from the wire, reads traffic from a captured file, and decodes hundreds of protocols. Where Tcpdump has a simpler decode mechanism, Wireshark supports vastly more protocols and has a protocol decode framework that allows for the creation of custom packet decoders in the form of plugins. The display capabilities and advanced features such as stream following and packet marking make it easy to see what you want very quickly.

The filtering capabilities in Wireshark also allow for highly granular display and capture filters that follow the Tcpdump filter creation syntax. So, if you know Tcpdump, you will feel at home using Wireshark. Of course, Wireshark also has its own more detailed filtering language that can use specific keywords to search for fields of interest that don’t require you to figure out what the offset is and what bits are required.

Figure: Wireshark Capture Options

4. Penetration Testing Tools

Auditors can leverage high-quality penetration testing tools to make auditing security controls significantly easier. Most professional penetration testers use a combination of general purpose exploit frameworks such as Core Impact and Metasploit in addition to their own custom scripts and applications. Not everyone in security is an uber hacker or has the time to build their own tools to test for exploitable services. These two applications are powerful and represent the best of the commercial and open source penetration testing tools available.

4.1. Core Impact

In the world of penetration tools, Core Impact is widely considered the best commercial product available. Developed by Core Security Technologies, this software package is a comprehensive penetration testing suite with the latest commercial grade exploits and a drag-and-drop graphical interface that can make anyone look like a security penetration testing pro.

Remotely exploitable network vulnerabilities are the Holy Grail of the security world, but Core Impact doesn’t just rely on those types of exploits. It also provides client-side attacks designed to test how well the users follow security policy. You can embed Trojans into Excel files or other applications and email them to a user to see if they are following policy. If the user opens the suspicious file against policy, then Core Impact gains control of the computer and takes a screenshot of the desktop (suitable for framing!). There are also phishing capabilities that allow you to gather e-mail addresses and other information (useful for social engineering) off of the corporate website.

The Core Impact dashboard shown in Figure 31 is the first screen you see when launching this product and includes general information about the number and types of exploits available, and what operating systems are exploitable via the tool.

Figure: Core Impact Dashboard

In Core Impact, you can define workspaces to segment individual assessment engagements. Each workspace is password-protected and encrypted on the system to prevent sensitive data from falling into the wrong hands. These workspaces store a complete record of all of the activities and modules run during the penetration test.

4.2. Metasploit

The Metasploit project is responsible for providing the security community with one of the most important and useful security tools available today. Unlike commercial products like Core Impact, there isn’t the same level of polish or features designed for less experienced security professionals. There are no reporting capabilities or the simple wizard-based GUIs; this tool is designed for those security professionals who want to directly control every aspect of a penetration test. The current version 3.3 has improved dramatically and includes four choices for the user interface.

Msfconsole: This is the primary console. It provides access to all of Metasploit's exploits, payloads, and auxiliary modules through an intuitive command-driven interface. Every portion of the interface has help features either through the command help or -h. You can easily find exploits and payloads by issuing the search command.

Msfcli: This is a command-line interface executed from a UNIX or Windows command prompt that provides access to Metasploit. Designed to provide quick access to a known exploit or auxiliary module, it is also useful for scripting.

Msfweb: Msfweb provides control of Metasploit through an interactive web interface. By default, it uses the built-in WEBrick web server and binds to the loopback address at port 55555. You can, however, select a real IP address and access Metasploit from another computer’s web browser. Firefox, Internet Explorer, and Safari are all supported.

Msfgui: In version 3.3, the Metasploit GUI has advanced considerably and is available for UNIX platforms (3.2 supports a GUI on Windows). The interface has integrated search functions and status and session connection information to exploited systems.

Payloads: Payloads provide the commands to add users, execute commands, copy files, launch a VNC session, or just initiate a command shell back to the attacker. Payloads are what are sent with the exploit to provide the attack a mechanism to interact with the exploited system. These payloads are available for a wide number of operating systems, including BSD, UNIX, Windows, OSX, Solaris, and PHP web environments.

Exploits: Exploits are the code and commands that Metasploit uses to gain access. Many of these are in the form of buffer overflows that enable the remote attacker to execute payloads (arbitrary software). There are hundreds of exploits for Windows, UNIX, and even a few for the Apple iPhone.

Encoders: Buffer overflows are targeted against specific processor types and architectures. Metasploit’s encoders enable the user to make the payloads readable for PowerPC, SPARC, and x86 processors. You can also modify the encoder settings to change the payload to try to evade IDS and IPS signatures.

NOPS: NOPS (no operation) are used when added to payloads in a buffer overflow because the exact location in memory of where the overflow occurs is not always known. NOPS allows there to be a margin of error in the coding of an exploit, because when the processor sees a NOP, it ignores it and moves on to the next bit of code in the buffer. After it reaches the payload, it executes the hacker’s commands. Most IDS/IPS trigger on a string of NOPS (known as a NOP sled). These modules in Metasploit allow for the customization of the NOP sled to try to evade IDS/IPS systems.

Auxiliary: The Auxiliary modules in Metasploit provide many useful tools including wireless attacks, denial of service, reconnaissance scanners, and SIP VoIP attacks.

After you install Metasploit, you have a choice about how you interact with it by picking the appropriate interface. Using Metasploit from the interactive console allows direct access to the most powerful components of the framework.

4.3. BackTrack

BackTrack is a Linux live CD distribution built on Slackware Linux that doesn’t require any installation and can be run from practically any PC with a CD ROM. You can also configure BackTrack to boot off of a USB memory stick making it an extremely portable, easily available security-testing environment. BackTrack4 is one of the most complete suites of security assessment tools ever assembled, saving security professionals countless hours of finding, installing, and compiling hundreds of different security applications. There are other security-focused distributions available, but none are as widely regarded and supported as BackTrack.

BackTrack is offered as a free distribution from www.remote-exploit.org and is available for download directly from the website or the BitTorrent network. Once downloaded, you can use it from a CD, USB memory stick, or load it into VMware. The benefit of loading to a read/writeable format is obvious in that you can store settings, update packages, and customize the environment. Regardless of your preferred method of use, the tools included are extensive and are organized by the Open Source Security Testing Methodology. The categories are:

Information gathering: DNS mapping, Whois, Finger, and mail scanning

Network mapping: Port and services mapping, OS fingerprinting, and VPN discovery

Vulnerability identification: Tools to identify service, SQL, VoIP, and HTTP vulnerabilities

Web application analysis: Web application hacking tools for the frontend services (XSS, PHP) and the backend database (SQL injection)

Radio network analysis: Wireless sniffers, scanners, and cracking tools

Penetration: Tools to exploit vulnerabilities and compromise systems (Metasploit is the primary application.)

Privilege escalation: LAN sniffers, password sniffers, and spoofing tools

Maintaining access: Backdoors, rootkits, and tunneling applications for retaining access after exploiting

Digital forensics: Disk editors, file system dump tools, and hex editors for recovering evidence from deleted and hidden files

Reverse engineering: Malware analysis tools, application debug tools, and hex and assembly tools

Voice over IP: VoIP cracking and recording tools

Miscellaneous: Tools that don’t fit in any other category that can assist with penetration testing.

Summary

This chapter introduced security testing methodologies and some of the tools used to conduct those tests. It is not an exhaustive list of all potentially useful security testing tools, but should give a sampling of some of the most popular that any auditor can find useful. If you are interested in learning more about penetration testing or want to take a class with hands-on practice, the SANS Institute offers a fantastic class called Security 560: Network Penetration Testing and Ethical Hacking.

In summary:

  • Evaluating security controls requires testing three elements: people, process, and technology. If one area is weak, it can leave an organization vulnerable to attack.
  • Penetration testing is a discipline that requires a structured and repeatable methodology. Without one, you are simply launching exploits and hoping to get in.
  • Commercial tools such as Core Impact and open source tools such as Metasploit assist with testing security controls. Which one you choose depends on your budget, skill level, and desired reportability.
  • The easiest way to get access to many of the tools discussed in this chapter is to download and launch Backtrack3. Not only does it save you many hours of setup, but it also gives you a powerful suite of tools with strong community support.