Task 8.5: Performing Internet Vulnerability Profiling

Internet vulnerability profiling is reviewing what others can see when scanning your systems from the Internet. Before an attacker can launch an attack, they must know what ports are open and what potential services are tied to those ports. Once this has been determined, the attacker can begin to research known vulnerabilities for the applications found.

For the security professional, this means that it is important to know what outsiders and those on the Internet can access or determine about your network.

Scenario

The organization for which you work has grown quickly. Your manager asked you to run a quick, low-cost test from several of the organization’s systems to determine what attackers can see about these systems from the Internet. He has asked you to get this information together before his 4:00 staff meeting.

Scope of Task

Duration

This task should take about 10 minutes.

Setup

For this task, you will need a Windows computer, access to the Administrator account, and an Internet connection.

Caveat

Scanning activities can trip intrusion detection systems and should therefore be conducted only with the knowledge of network administrators.

Procedure

In this task, you will learn how to use Gibson Research Corp.’s ShieldsUP, an Internet vulnerability profiling tool.

Equipment Used

For this task, you must have:

  • A Windows computer
  • Access to the Administrator account
  • An Internet connection

Details

This task will run ShieldsUP. The program will be used to scan your Internet connection from the Internet side and see what ports are open on your computer. It will also probe your computer to see if it responds to various requests, such as ICMP echo requests or pings.

Running ShieldsUP

1. Once you have accessed your Windows computer and logged in as Administrator, open your browser and go to https://www.grc.com/x/ne.dll?bh0bkyd2.

This URL takes you to the start page of ShieldsUP. This is an Internet-based tool that will scan your Internet connection and report its security status. You will want to read the warnings carefully before proceeding.

2. Click the Proceed button to continue and select All Service Ports. This option allows the ShieldsUP application to scan all ports on the requested system and determine which services are open and which are closed.

3. After a few minutes, the scan will finish. You can then view the scan results in HTML or text. A text version of the report is shown here:

————————————————-
GRC Port Authority Report created on UTC: 2011-01-13 at 11:21:14

Results from scan of ports: 0-1055

    0 Ports Open
    2 Ports Closed
 1054 Ports Stealth
—————-
 1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 68, 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.
————————————————-

4. You will want to look over these results closely. Any open ports should be examined to understand why they are open and what the potential security risks are if these ports remain open. Common open ports that should be examined closely include 21, 25, 53, 80, 110, 135, 139, and 445.

To learn more about ports, check out www.iana.org/assignments/port-numbers.
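
When the scan is repeated from several systems, the text reports can be reviewed programmatically. The following is an added example, not part of the original task or of GRC's tooling: it parses a report in the layout shown in step 3 and lists what needs follow-up. The wording of the "Ports found to be OPEN were:" line is an assumption modeled on the CLOSED line, and the sample report is constructed.

```python
import re

# Ports the task says to examine closely when they are found open.
WATCH_PORTS = {21, 25, 53, 80, 110, 135, 139, 445}

# Constructed sample in the layout of the text report shown in step 3.
SAMPLE_REPORT = """\
GRC Port Authority Report created on UTC: 2011-01-13 at 11:21:14
Results from scan of ports: 0-1055
    0 Ports Open
    2 Ports Closed
 1054 Ports Stealth
 1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 68, 113
TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

def _ports(report, state):
    # Assumption: open ports are listed on one line, like the CLOSED line.
    m = re.search(rf"Ports found to be {state} were:\s*([\d, ]+)", report)
    return sorted(int(p) for p in re.findall(r"\d+", m.group(1))) if m else []

def parse_report(report):
    counts = {state.lower(): int(n) for n, state in
              re.findall(r"(\d+) Ports (Open|Closed|Stealth|Tested)", report)}
    verdict = re.search(r"TruStealth:\s*(\w+)", report)
    return {"counts": counts,
            "open": _ports(report, "OPEN"),
            "closed": _ports(report, "CLOSED"),
            "trustealth": verdict.group(1) if verdict else None,
            "ping_reply": bool(re.search(r"-\s*A PING REPLY", report))}

def findings(parsed):
    c, out = parsed["counts"], []
    if sum(c.get(k, 0) for k in ("open", "closed", "stealth")) != c.get("tested"):
        out.append("port counts do not add up to ports tested; report may be incomplete")
    for port in parsed["open"]:
        why = "on the task's watch list" if port in WATCH_PORTS else "confirm the service is needed"
        out.append(f"port {port} is OPEN: {why}")
    if parsed["closed"]:
        out.append(f"ports {parsed['closed']} answered as CLOSED, so the host is detectable")
    if parsed["ping_reply"]:
        out.append("host replies to ICMP echo (ping)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_report(SAMPLE_REPORT))))
```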

Scanning for Messenger Spam

1. ShieldsUP can also be used to scan for Messenger spam. Remember that the Microsoft Windows Messenger Service, which administrators employ to send messages to users on the network, is on by default on Windows systems. ShieldsUP can be used to verify that the service is not open to spam.

2. Return to https://www.grc.com/x/ne.dll?bh0bkyd2, click the Proceed button and choose the Messenger Spam option from the menu.

3. On the Messenger Spam page, choose Spam Me With This Note. This will send several UDP packets to port 135 in an attempt to spam the Messenger Service. If you receive a message, the Messenger Service is open.

The Messenger Service can be disabled in the Services menu of Administrative Tools.

Examining Browser Headers

1. Our final evaluation with ShieldsUP will be to use the tool to examine browser leakage. Return to www.grc.com/x/ne.dll?rh1dkyd2 and click the Proceed button. This time, choose Browser Headers.

2. Remember that browser header information is transferred each time your browser makes a request to a web server. Although much of this information may be harmless, more advanced types of information can sometimes be displayed.

3. Once you click the Browser Headers option, the test will run quickly and the screen will return its findings:

————————————————
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.grc.com
Referer: https://www.grc.com/x/ne.dll?rh1dkyd2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Cookie: temp=3uwye4rty5cfh; perm=1u5hcenz4lecd
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
FirstParty: https://www.grc.com
ThirdParty: https://www.grctech.com
Secure: https://www.grc.com
Nonsecure: http://www.grc.com
Session: tp50n5rvhm2we
————————————————

You can see that the version of the browser was uncovered.

4. Look closely through your results to see what type of information was revealed.

One way to hide browser information while browsing is to use a proxy service. You can find an example of one at www.the-cloak.com/anonymous-surfing-home.html.
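
To make step 4 concrete, the following added example (not part of the original task or of ShieldsUP) reads a header listing like the one above and reports what a web server learns from it: operating system, browser version, language preferences, the referring page, and cookie names. The sample headers are constructed from the listing above, and the function names and the Windows NT version table are assumptions of this example.

```python
import re

# Constructed sample: a subset of the request headers shown in step 3.
SAMPLE_HEADERS = """\
Accept-Language: en-us,en;q=0.5
Host: www.grc.com
Referer: https://www.grc.com/x/ne.dll?rh1dkyd2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Cookie: temp=3uwye4rty5cfh; perm=1u5hcenz4lecd
"""

# Windows NT version numbers and the products they identify (not exhaustive).
NT_NAMES = {"5.0": "Windows 2000", "5.1": "Windows XP",
            "6.0": "Windows Vista", "6.1": "Windows 7"}

def parse_headers(text):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosures(headers):
    """Return what these headers reveal about the client to a web server."""
    found = {}
    ua = headers.get("user-agent", "")
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        found["os"] = NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    m = re.search(r"(Firefox|Chrome|MSIE|Opera)[/ ]([\d.]+)", ua)
    if m:
        found["browser"] = f"{m.group(1)} {m.group(2)}"
    if "accept-language" in headers:
        found["languages"] = [t.split(";")[0].strip()
                              for t in headers["accept-language"].split(",")]
    if "referer" in headers:
        found["previous_page"] = headers["referer"]
    if "cookie" in headers:
        found["cookie_names"] = [c.split("=")[0].strip()
                                 for c in headers["cookie"].split(";")]
    return found

if __name__ == "__main__":
    for item, value in disclosures(parse_headers(SAMPLE_HEADERS)).items():
        print(f"{item}: {value}")
```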

Criteria for Completion

You have completed this task when you have run ShieldsUP to examine open ports, scanned for Messenger spam, and examined what information your browser leaks to other Internet clients.
