Chapter 4
In This Chapter
Examining steps for successful ethical hacking
Gleaning information about your organization from the Internet
Scanning your network
Looking for vulnerabilities
Before you dive in head first with your security testing, it’s critical to have a methodology to work from. Vulnerability assessments and penetration tests involve more than poking and prodding a system or network. Proven techniques can help guide you along the hacking highway and ensure that you end up at the right destination. Using a methodology that supports your testing goals separates you from the amateurs. A methodology also helps ensure that you make the most of your time and effort.
In the past, a lot of security assessment techniques involved manual processes. Now, certain vulnerability scanners can automate various tasks, from testing to reporting to remediation validation (the process of determining whether a vulnerability was fixed). Some vulnerability scanners can even help you take corrective actions. These tools allow you to focus on performing the tests and less on the specific steps involved. However, following a general methodology and understanding what’s going on behind the scenes will help you find the things that really matter.
Think logically — like a programmer, a radiologist, or a home inspector — to dissect and interact with all the system components to see how they work. You gather information, often in many small pieces, and assemble the pieces of the puzzle. You start at point A with several goals in mind, run your tests (repeating many steps along the way), and move closer until you discover security vulnerabilities at point B.
The process used for such testing is basically the same as the one a malicious attacker would use. The primary differences lie in the goals and how you achieve them. Today’s attacks can come from any angle against any system, not just from the perimeter of your network and the Internet as you might have been taught in the past. Test every possible entry point, including partner, vendor, and customer networks, as well as home users, wireless networks, and mobile devices. Any human being, computer system, or physical component that protects your computer systems — both inside and outside your buildings — is fair game for attack, and it needs to be tested, eventually.
Your main task is to find the vulnerabilities and simulate the information gathering and system compromises carried out by someone with malicious intent. This task can be a partial attack on one computer, or it can constitute a comprehensive attack against the entire network. Generally, you look for weaknesses that malicious users and external attackers might exploit. You’ll want to assess both external and internal systems (including processes and procedures that involve computers, networks, people, and physical infrastructures). Look for vulnerabilities; check how all your systems interconnect and how private systems and information are (or aren’t) protected from untrusted elements.
These steps don’t include specific information on the methods that you use for social engineering and assessing physical security, but the techniques are basically the same. I cover social engineering and physical security in more detail in Chapters 6 and 7, respectively.
As a security professional, you might not have to worry about covering your tracks or evading IPSs or related security controls because everything you do is legitimate. But you might want to test systems stealthily. In this book, I discuss techniques that hackers use to conceal their actions and outline some countermeasures for concealment techniques.
Getting an outside look, a process often called footprinting, can turn up a ton of information about your organization and systems that others can see. Here’s how to gather the information:
The amount of information you can gather about an organization’s business and information systems can be staggering and is often widely available on the Internet. Your job is to find out what’s out there. From social media to search engines to dedicated intelligence-gathering tools, you can gain quite a bit of insight into network and information vulnerabilities if you look in the right places. This information allows malicious attackers and employees to gain potentially sensitive information and target specific areas of the organization, including systems, departments, and key individuals. I cover information gathering in detail in Chapter 5.
Active information gathering produces more details about your network and helps you see your systems from an attacker’s perspective. For instance, you can:
- Run your testing tools from a virtual machine under VMware Workstation (www.vmware.com/products/workstation/overview.html) or VirtualBox (www.virtualbox.org).
- Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging either specific hostnames or IP addresses with one of these tools: NetScanTools Pro (www.netscantools.com) for Windows and fping (http://fping.sourceforge.net) for Linux.
- Check how your gateway appears from the outside. The site WhatIsMyIP.com (www.whatismyip.com) shows how your gateway IP address appears on the Internet. Just browse to that site, and your public IP address (your firewall or router, preferably not your local computer) appears. This information gives you an idea of the outermost IP address that the world sees.
Scan for open ports by using network scanning and analysis tools:
- Scan network ports with Nmap (http://nmap.org). See Chapter 9 for details.
- Monitor network traffic with a network analyzer, such as OmniPeek (www.savvius.com) or Wireshark (www.wireshark.org). I cover this topic in various chapters throughout this book.
Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSs that may impede your work. Scanning from outside your network takes a few more steps, but it can be done. The easiest way to get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn’t on the Internet looking in, but this type of connection works just the same as long as it’s outside your network perimeter. You can also do this outside-in scan from home or from a remote office location.
As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:
You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):
Thousands of ports can be open: 65,536 (0 through 65,535) each for TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port number lookup at www.cotse.com/cgi-bin/port.cgi.
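The port scan described above, written out as a minimal TCP connect scanner. This is an added example and is not code from the book or from Nmap or NetScanTools; it uses only the Python standard library. A connect() scan completes the full three-way handshake, so it is the easiest probe to write but also the noisiest: every probe shows up in the target's connection logs and is visible to any internal IPS in the path, which is the trade-off the text warns about. The listener it starts on 127.0.0.1 is a constructed target so the script has a known-open port to find without touching any real host; service names come from the local services table (a copy of the IANA assignments), with "unknown" when the port is not listed.

```python
"""Minimal TCP connect() port scanner (added example; not from the book or any tool it names)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return True if a TCP connect() to host:port succeeds within timeout.

    A refused connection (RST) means closed; a timeout usually means filtered,
    which this simple scanner also reports as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def service_name(port, proto="tcp"):
    """Name from the local services table (an IANA assignments copy), or 'unknown'."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def tcp_connect_scan(host, ports, timeout=1.0, workers=64):
    """Probe ports concurrently; return sorted [(port, service)] for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return [(p, service_name(p)) for p, is_open in sorted(results) if is_open]


def start_test_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port (constructed target for an
    offline run). Returns (port, server_socket); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def _accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=_accept_loop, daemon=True).start()
    return port, srv


def closed_port(host="127.0.0.1"):
    """Pick a port that is almost certainly closed: bind to 0, note it, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    open_port, srv = start_test_listener()
    # Constructed sample range: one known-open, one known-closed, a few common ports.
    targets = [closed_port(), open_port, 22, 80, 443]
    for port, name in tcp_connect_scan("127.0.0.1", targets):
        print(f"{port}/tcp open {name}")
    srv.close()
```

Against a real target, replace the loopback address and the port list with the hosts and the sampling of ports you care about, and lower the worker count if an internal IPS starts dropping your probes.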
If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:
- Request a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
- Use Netcraft’s site report (www.netcraft.com), which connects to your server from the Internet and displays the web server version and operating system, as shown in Figure 4-1.
You can dig deeper for more specific information on your hosts:
- NMapWin (http://sourceforge.net/projects/nmapwin) can determine the system OS version.
- SoftPerfect Network Scanner (www.softperfect.com/products/networkscanner) can extract users, groups, and file and share permissions directly from Windows.
- Connect to an e-mail server’s SMTP port (TCP 25) with telnet or any TCP client and read the greeting banner it sends, which looks something like this:
    220 mail.your_domain.com ESMTP all_the_version_info_you_need_to_hack Ready
Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.
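The two banner checks described above (the deliberately bad page request and the SMTP greeting) as working code. This is an added example and is not code from the book or from Netcraft or NMapWin. The two grab_* helpers open plain sockets and are only run when you point them at a real host; the parsers are exercised on constructed sample responses (the Apache and Postfix strings below are made up for illustration, not captured from any real server) so the module runs offline. The version regex assumes the common product/version banner form such as Apache/2.4.29 or Postfix/3.3.0.

```python
"""Banner grabbing and version extraction (added example; not code from the book)."""
import re
import socket

# Matches product/version tokens such as "Apache/2.4.29" or "OpenSSL/1.1.1".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def grab_http_banner(host, port=80, path="/1234.html", timeout=5.0):
    """Request a page that should not exist and return the raw response bytes."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: banner-check\r\n"
           "Connection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def grab_smtp_banner(host, port=25, timeout=5.0):
    """Read the 220 greeting an SMTP server sends on connect, then QUIT politely."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        banner = s.recv(1024).decode("ascii", "replace").strip()
        s.sendall(b"QUIT\r\n")
    return banner


def http_server_header(raw):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def extract_versions(text):
    """Pull every (product, version) pair out of a banner string."""
    return [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(text)]


def smtp_banner_info(banner):
    """Split a 220 greeting into (hostname, software text); reject non-220 replies."""
    code, _, rest = banner.partition(" ")
    if code != "220":
        raise ValueError(f"unexpected SMTP reply: {banner!r}")
    hostname, _, software = rest.partition(" ")
    return hostname, software


# Constructed sample responses (not captured from any real host).
SAMPLE_HTTP_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1><address>Apache/2.4.29 (Ubuntu) "
    b"Server at www.your_domain.com Port 80</address></body></html>"
)
SAMPLE_SMTP_220 = "220 mail.your_domain.com ESMTP Postfix/3.3.0 Ready"


if __name__ == "__main__":
    server = http_server_header(SAMPLE_HTTP_404)
    print("Server header:", server)
    print("web versions:", extract_versions(server))
    host, software = smtp_banner_info(SAMPLE_SMTP_220)
    print("SMTP host:", host, "| software:", software)
    print("mail versions:", extract_versions(software))
```

The product/version pairs are exactly the search terms you would feed to the vulnerability databases in the next section; a server that returns no Server header, or a bare "ESMTP Ready" greeting, has been hardened against this check and needs a different fingerprinting approach.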
After finding potential security holes, the next step is to confirm whether they’re indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:
- Common Vulnerabilities and Exposures (http://cve.mitre.org/cve)
- CERT Vulnerability Notes Database (www.kb.cert.org/vuls)
- National Vulnerability Database (http://nvd.nist.gov)
These sites list known vulnerabilities, at least the formally classified ones. As I explain in this book, many other vulnerabilities are more generic in nature and can’t easily be classified. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. You can also consult the SANS Critical Security Controls at www.sans.org/critical-security-controls, a consensus list of controls that address commonly exploited weaknesses, compiled and updated by the SANS organization.
If you don’t want to research your potential vulnerabilities and would rather jump right into testing, you have a couple of options:
Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (either wired or wireless). They test for specific system vulnerabilities, and some are organized around standards such as the SANS Critical Security Controls and the Open Web Application Security Project (www.owasp.org). Some scanners can map out the business logic within a web application; others can map out a view of the network; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they don’t necessarily aggregate and correlate vulnerabilities across an entire network. That’s where your skills, and the methodologies I share in this book, come into play!
As with most good security tools, you pay for Nexpose. It isn’t the least expensive tool, but you get what you pay for, especially when it comes to others taking you seriously (such as when PCI DSS compliance is required of your business). There’s also a free version of Nexpose, dubbed the Community Edition, for scanning smaller networks with fewer features. Additional vulnerability scanners that work well include QualysGuard (www.qualys.com) and GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions).
You can use identified security vulnerabilities to do the following:
Metasploit (www.metasploit.com) is great for exploiting many of the vulnerabilities you find and allows you to fully penetrate many types of systems. Ideally, you’ve already made your decision on whether to fully exploit the vulnerabilities you find. You might want to leave well enough alone by just demonstrating the existence of the vulnerabilities and not actually exploiting them.