Tuesday, 16 October 2007

Smart security testing on the cheap

A pragmatic open source testing methodology, and an abundance of excellent free tools, help you plug security holes without busting the budget

You don't need to be paranoid to be a chief information security officer, but it helps. Whether certifiably paranoid or, as the Woody Allen joke goes, just keenly observant, the chief security officer must tune into threats that others can't see, quantify risks that others can't fathom, and uncover weaknesses -- in the company's networks, systems, and business processes -- that want to remain hidden. It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly.

An open source method
The open source testing framework I recommend is called the Open Source Security Testing Methodology Manual (OSSTMM). The brainchild of Pete Herzog and his legion of dedicated security testing professionals, this project is well supported by the open source community, and it continues to impress me with its documentation and approach. Providing specific testing objectives and procedures, the OSSTMM is the cookbook that tells you which tools to use, in what order, and when.

The OSSTMM is not simply a penetration testing approach but a methodological framework. The methodology helps guide the planning of the security audit project, helps quantify the results properly, and provides the rules of engagement for those performing the audit. It relies on best practices and a threats database as well as knowledge of the target organization to provide a broad view of the risks posed to the infrastructure of the enterprise. Most testing frameworks, such as ISO 27001 (formerly 17799), OCTAVE, COBIT, and ISM3, take an organizational approach to assessment and evaluation. The OSSTMM takes an operational view of enterprise risk.

The OSSTMM contains six testing modules, covering information security, process security, internetworking, communications systems, wireless networks, and physical security. Together, they offer a testing methodology and guides to measuring risk to intellectual property, private information, and paper documents; to social engineering attacks; to routers, switches, and firewalls; to PBXs, voicemail, and faxes; to WLAN sniffing and surveillance; and to environmental dangers to buildings and the locks on the doors.

The OSSTMM manual provides a wide range of template documents for the conduct of tests involved in each of the six modules. This set of templates negates the need for supporting software in completing other testing frameworks such as ISO 27001 or COBIT. However, you may need training from ISECOM (OSSTMM's parent organization) in the best use of the templates and modules.

In this author's estimation the true worth of this approach lies in the new "risk assessment values" (RAV) spreadsheet provided by the community. The spreadsheet is divided into the six operational areas and breaks down risk in each of these areas into a numerical value. All of these risk values are aggregated to provide an overall risk profile for the organization. Thus the OSSTMM provides an easy-to-use, consistent process that leads you toward meaningful results that can be compared over time. I am always comfortable approaching management with the numbers produced from my OSSTMM tests and the RAV spreadsheet. Though based in Spain, ISECOM provides global training courses and certifications. Just as the ISO 27001 and COBIT processes allow for test report validation, your OSSTMM reports may also receive certification.

A complete security testing toolbox
Having discussed the framework for conducting your penetration testing, we now move on to the basic toolbox for that testing. The tools below cover the information security, network, and wireless modules of the OSSTMM. You'll need tools for testing servers and workstations, switches and routers, network protocols, wireless access points, applications, Web servers, and passwords, to name but a few. Because simple scanning does not meet the OSSTMM's requirement for thoroughness, you'll need exploit tools to verify potential vulnerabilities as well. My list of preferred tools is loosely based on the Top 100 Network Security Tools list. Compiled through a global poll of professional security testers, this list is reviewed and updated every two years, and I've come to rely on it as the basis for my personal toolbox.

Although each tool in this set is important, it is ranked according to the list. The list shows whether each tool is *nix- or Windows-based and whether it is open source or commercial software. When possible I like to use Windows tools. Don't get me wrong, I love Linux and use it all the time. I'm just lazy. If I don't have to switch between operating systems to conduct my testing, I'm happier. My management has an easier time understanding my reports if I can speak using an operating system they are familiar with.

Google and Google Hacking Database
Google is a great tool for finding all kinds of information on the Web -- including information that shouldn't be there. In the context of the information security portion of the OSSTMM process, Google is used for both the competitive intelligence and privacy scans of your assets. Johnny Long made this method famous with his Google Hacking Database (GHD).

Using Google to find vulnerable machines attached to our network is always an eye-opening experience. Imagine finding a printer attached directly through your firewall to the Internet. Well, this happens far more often than you might believe. Johnny Long's Web site is the easiest place to learn how this process is done. Simply redirect the queries in the GHD to your IP address range. Then massage the queries to match your particular routers, switches, printers, and Web servers. Granted, this is tedious work in the beginning but will save you many hours of penetration testing time in the long-term.

The same techniques are used to find your employees' private data that may have leaked to the Internet from your network. This process is well refined for any network infrastructure and systems that face the Internet. Where it becomes really interesting is in finding your corporate intellectual property on the Internet... but that is a story for another day. This is the first tool my team uses, as it surfaces the high-risk results first. A vulnerability that faces the Internet and is known to Google is one that requires immediate attention.

Nessus security scanner
The open source Nessus Project was begun in 1998 by Renaud Deraison to compete with the available commercial vulnerability scanners. Nessus is no longer open source, but remains available in a free version that rivals the best commercial alternatives. As a result, Nessus is found in the toolbox of both well-funded and cash-strapped security organizations. The difference between the free product and the licensed commercial version of Nessus is how often vulnerability signatures are updated. If you want up-to-the-minute vulnerability updates, then opt for the commercial license. If you don't mind waiting seven days for those same updates, then the free product will serve you well.

Nessus has both a *nix version and a new Windows version (see screen image). The Nessus system consists of a Nessus server, a client, Nessus plug-ins, and the knowledge base. The Windows version provides all these items in a single package, though using it in this fashion is not required.

Nessus tests all aspects of a target including the operating system, ports, services, and applications, to name but a few. Thus the reports may be lengthy, but they are comprehensive. You'll need to validate the findings, as Nessus, like other network scanners, is prone to false positives.

Wireshark packet analyzer
Formerly known as Ethereal, Wireshark is an exceptionally powerful protocol analyzer. It runs on a wide range of operating systems and allows for live capture of network traffic and analysis of traffic captured from external sources. It offers a wide range of default protocol decoders and can parse out traffic threads with ease. The screen is broken into four main sections: the menu bar, the packet list (color-coded area, see screen image), packet details (protocols and protocol fields), and lastly the packet bytes showing the raw data stream in both hexadecimal and ASCII formats.

Wireshark's graphical analysis tools provide a clear picture when troubleshooting problems or looking for weaknesses during a penetration test. This example shows the handshake (communication initiation) process between various hosts on the network.

TCPDump network debugger
TCPDump and its Windows-based brother WinDump are the original packet capture utilities. They are identical in capability and are both actively supported. Both tools allow for the creation, injection, and capture of packets during a security test. Both are command line driven. The information provided is similar to that of Wireshark, and in fact the two may be used interchangeably (TCPDump data in Wireshark or the other way around).

TCPDump comes as a default installation with most *nix operating systems. WinDump requires the WinPcap software for Windows to allow for packet capture. The pcap software now allows for use with wireless capture as well. This is an old warhorse tool that continues to grow and change with the needs of the testing community.
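The reason TCPDump and Wireshark captures are interchangeable is that both write the same libpcap file format. As an added example (not code from the article or from either project), here is a small Python reader for that format that walks a capture and reports the completed TCP three-way handshakes that Wireshark's graphical view shows; the capture bytes, IP addresses, and ports are constructed sample data.

```python
# Added example (not from the article): reader for the classic libpcap format that TCPDump
# and Wireshark both write, used here to pick out completed TCP three-way handshakes.
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
SYN, ACK = 0x02, 0x10                                    # TCP flag bits

def build_pcap(frames):  # little-endian pcap file around raw Ethernet frames (test data)
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def tcp_frame(src, dst, sport, dport, flags):  # Ethernet + IPv4 + TCP, no payload (test data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp         # zero MACs, EtherType IPv4

def tcp_packets(pcap):
    """Yield (src, dst, sport, dport, flags) for each TCP-over-IPv4 record in a pcap buffer."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap, 0)[0])
    if endian is None or struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("not a classic pcap file with Ethernet link type")
    off = 24                                             # records follow the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        tcp_off = 14 + (frame[14] & 0x0F) * 4 if len(frame) >= 34 else 1 << 16  # Ethernet + IHL
        if len(frame) < tcp_off + 14 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # truncated, not IPv4, or not TCP
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        yield inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34]), sport, dport, frame[tcp_off + 13]

def find_handshakes(pcap):
    """Return (client, server, sport, dport) for every SYN -> SYN/ACK -> ACK seen in order."""
    stage, completed = {}, []
    for src, dst, sport, dport, flags in tcp_packets(pcap):
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags & (SYN | ACK) == SYN:
            stage[fwd] = 1
        elif flags & (SYN | ACK) == SYN | ACK and stage.get(rev) == 1:
            stage[rev] = 2
        elif flags & (SYN | ACK) == ACK and stage.pop(fwd, 0) == 2:
            completed.append(fwd)
    return completed

# Constructed capture: one completed handshake to port 80 and one unanswered SYN to 443.
SAMPLE_PCAP = build_pcap([tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, SYN),
                          tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK),
                          tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, ACK),
                          tcp_frame("10.0.0.5", "10.0.0.80", 40001, 443, SYN)])
```

Pass the bytes of a real capture file to find_handshakes() to see which hosts actually completed connections; the half-open SYN to port 443 in the sample is deliberately left out of the result.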

Netcat network explorer
Netcat is known as the network Swiss army knife of testing tools. Netcat is a command line tool that provides for reading and writing data across TCP and UDP connections. It creates nearly any connection needed, including the acceptance of incoming connections. This makes it invaluable for exploring a network, server... during penetration testing. It is a perfect tool for setting up back doors and may be called from other programs. Thus your use of the tool may be automated or scripted. A wide range of Netcat derivatives now exist for specialized applications such as SSL or portable thumb-drive-based use.

Kismet wireless sniffer
Kismet is a powerful 802.11 (layer 2) wireless detection program. Unlike other wireless sniffers, Kismet uses any wireless card that supports rfmon (raw monitoring) mode. This offers flexibility over other solutions. Kismet is capable of capturing both beaconing and non-beaconing networks. The interface is neat and clean and allows for easy drill-down for advanced information on a particular network. Its most interesting feature may be the ability to use Kismet with a GPS system to create maps of wireless networks.

Aircrack WLAN cracker
Aircrack is a password cracking program for use with both WEP and WPA networks. It needs a large enough database of packets from the target network for password cracking to begin. The four modules of this suite include airodump, a wireless packet capture utility; aireplay, which performs packet injection for security testing; aircrack, which does password cracking using brute force and cryptographic methods; and airdecap, which decrypts WEP and WPA packet streams once the passwords are cracked.

Two new tools have been added to the suite recently that allow for encrypted packet creation and virtual tunnels. Aircrack may also be installed in a virtual machine.

Aircrack supports a wide range of wireless cards, though a new driver or patch may be required for your card. The interface is a combination of Windows GUI and command line interfaces, though they are easy to navigate. This is another tool that requires some time to master, but given the reliance on wireless networks in today's enterprise it may prove invaluable to your team.

Cain and Abel password cracker
Cain and Abel is the top-ranked Windows-specific password cracking tool for security testers. This tool is well documented and supported by the community. It has a clean interface and provides for the cracking of a wide range of password types including Cisco, VNC, remote desktops, and many, many more. It can do its cracking on the local machine or sniff passwords off the network via specific capture filters. Cain and Abel supports standard dictionary and brute force attacks as well as cryptanalysis attacks. It continues to evolve with the addition of VoIP and wireless password crackers. This tool has proved invaluable to my team for everything from a forgotten workstation password to forensic analysis.

Wikto Web server scanner
Wikto is similar to the better-known Nikto Web server assessment tool. Both are well supported by the open source community with Wikto adding some extra functionality. For example, Wikto always starts with a Web scanning wizard (see screen image).

Wikto also makes full use of the Google Hacking Database. The Wikto spider crawls the target Web site and maps its directory structure, while the vulnerability scanner reviews possible security weaknesses. For vulnerability assessment, Wikto uses the Nikto vulnerability database. The one minor weakness is the use of the CSV format for exporting reports. CSV was never known as an easy way to view report data, though it gets the job done.

Metasploit exploit framework
Released in 2004, Metasploit is another must-have in your toolbox. Essentially a framework for building security tools and the exploits to launch with those tools, Metasploit is the easiest way to verify that a vulnerability identified by Nessus or Wikto is truly a security hole. Metasploit contains a module launcher to customize both the exploit and payload intended for a particular target. If the penetration is successful the tester is provided a shell to interact with the payload on the target system. There are around 350 different modules to choose from covering a wide range of hosts and operating systems. If the Metasploit repository doesn't already have a canned exploit for the vulnerability in question, you can create one.

The true power of the framework is the ease of creating new modules. Modules may be exploits, payloads, encoders, and no-ops. You can define an entirely new module or create variations of preexisting modules. Documentation and forum support are broad, detailed, and comprehensive. Be prepared to spend some time learning the framework, but it will be time well spent.

A plan of action
Penetration testing is an invaluable process in assessing business risk via IT infrastructure. To make the process cohesive and efficient, however, you must put it in an organized system. I highly recommend using the OSSTMM framework to organize your testing and help you interpret the results. The OSSTMM covers several operational areas and provides templates and valuation of risk for each one.

Once the testing framework is in place you will need a wide range of tools for your toolbox. Vulnerability scanners, protocol analyzers, and wireless tools are but a few of the areas to consider. I have learned to trust that list to provide most of the tools in my toolbox. Lastly, don't forget about researching the target before the test. Using search engines, you can develop important insight into a target with fairly little effort. The information gained here may save you countless hours testing operating systems and applications that don't exist in the target area.