Chapter 1. Network Security Assessment
This chapter discusses the rationale behind Internet-based network security assessment and penetration testing at a high level. To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with assessment to identify and categorize your risks. Network security assessment is an integral part of any security life cycle.
The Business Benefits
From a commercial standpoint, information assurance is a business enabler. As a security consultant, I have helped a number of clients in the retail sector secure their 802.11 wireless networks used in stores. By designing and implementing secure networks, these retailers can lower their costs and increase efficacy, by implementing queue-busting technologies, for example.
Shortcomings in network security and user adherence to security policy often allow Internet-based attackers to locate and compromise networks. High-profile examples of companies that have fallen victim to such determined attackers in recent times include:
|RSA Security (http://www.2600.com/hacked_pages/2000/02/www.rsa.com/)|
|Playboy Enterprises (http://www.vnunet.com/news/1127004)|
These compromises came about in similar ways, involving large losses in some cases. Cryptologic is an online casino gaming provider that lost $1.9 million in a matter of hours to determined attackers. In the majority of high-profile incidents, attackers use a number of the following techniques:
Compromising poorly configured or protected peripheral systems that are related to the target network
Directly compromising key network components using private zero-day exploit scripts and tools
Compromising network traffic using redirection attacks (including ARP spoofing, ICMP redirection, and VLAN hacking)
Cracking user account passwords and using those credentials to compromise other systems
To protect networks and data from determined attacks, you need assurance and understanding of the technical security of the network, along with adherence to security policy and incident response procedures. In this book, I discuss assessment of technical security and improving the integrity and resilience of IP networks. Taking heed of the advice presented here and acting in a proactive fashion ensures a decent level of network security.
IP: The Foundation of the Internet
The Internet Protocol version 4 (IPv4) is the networking protocol suite all public Internet sites currently use to communicate and transmit data to one another. From a network security assessment methodology standpoint, this book comprehensively discusses the steps that should be taken during the security assessment of any IPv4 network.
IPv6 is an improved protocol that is gaining popularity among academic networks. IPv6 offers a 128-bit network space (3.4 × 1038 addresses) as opposed to the 32-bit space of IPv4 (only 4 billion addresses) that allows a massive number of devices to have publicly routable addresses. Eventually, the entire Internet will migrate across to IPv6, and every electronic device in your home will have an address.
Due to the large size of the Internet and the sheer number of security issues and vulnerabilities publicized, opportunistic attackers will continue to scour the public IP address space seeking vulnerable hosts. The combination of new vulnerabilities being disclosed on a daily basis, along with the adoption of IPv6, ensures that opportunistic attackers will always be able to compromise a certain percentage of Internet networks.
Classifying Internet-Based Attackers
At a high level, Internet-based attackers can be divided into the following two groups:
Opportunistic attackers who scour large Internet address spaces for vulnerable systems
Focused attackers who attack select Internet-based systems with a specific goal in mind
Opportunistic threats are continuous, involving attackers using autorooting tools and scripts to compromise vulnerable systems across the Internet. Upon placing a vulnerable, default out-of-the-box server installation on the public Internet, researchers have found that it is usually compromised within an hour by automated software being run in this way.
Most Internet hosts compromised by opportunistic attackers are insecure home user systems. These systems are then turned into zombies that run software to log user keystrokes, launch denial-of-service (DoS) flooding attacks, and serve as a platform to attack and compromise other systems and networks.
Focused attackers adopt a more complex and systematic approach with a clear goal in mind. A focused attacker will exhaustively probe every point of entry into a target network, port-scanning every IP address and assessing each and every network service in depth. Even if this determined attacker can’t compromise the target network on his first attempt, he is aware of areas of weakness. Detailed knowledge of a site’s operating systems and network services allows the attacker to compromise the network upon the release of new exploit scripts in the future.
The networks that are most at risk are those with sizeable numbers of publicly accessible hosts. Having many entry points to a network multiplies the potential for compromise, and managing risk becomes increasingly difficult as the network grows. This is commonly known as the defender’s dilemma; a defender must ensure the integrity of every point of entry, whereas an attacker only needs to gain access through one to be successful.
Assessment Service Definitions
Security vendors offer a number of assessment services branded in a variety of ways. Figure 1-1 shows the key service offerings along with the depth of assessment and relative cost. Each service type can provide varying degrees of security assurance.
Vulnerability scanning uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn’t provide a clear strategy to improve security.
Network security assessment is an effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company’s security.
Web application testing involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.
Full-blown penetration testing lies outside the scope of this book; it involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. Instead, this book fully demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
Onsite auditing provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing. Onsite auditing is also outside the scope of this book.
Network Security Assessment Methodology
Network reconnaissance to identify IP networks and hosts of interest
Bulk network scanning and probing to identify potentially vulnerable hosts
Investigation of vulnerabilities and further network probing by hand
Exploitation of vulnerabilities and circumvention of security mechanisms
This complete methodology is relevant to Internet-based networks being tested in a blind fashion with limited target information (such as a single DNS domain name). If a consultant is enlisted to assess a specific block of IP space, he skips initial network enumeration and commences bulk network scanning and investigation of vulnerabilities.
Internet Host and Network Enumeration
Various reconnaissance techniques are used to query open sources to identify hosts and networks of interest. These open sources include web and newsgroup search engines, WHOIS databases, and DNS name servers. By querying these sources, attackers can often obtain useful data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.
Initial reconnaissance is very important because it can uncover hosts that aren’t properly fortified against attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers), and often neglect hosts and networks that lay off the beaten track.
It may well be the case that a determined attacker also enumerates networks of third-party suppliers and business partners who, in turn, have access to the target network space. Nowadays such third parties often have dedicated links to areas of internal corporate network space through VPN tunnels and other links.
Key pieces of information that are gathered through initial reconnaissance include details of Internet-based network blocks, internal IP addresses gathered from DNS servers, insight into the target organization’s DNS structure (including domain names, subdomains, and hostnames), and details of relationships between physical locations.
This information is then used to perform structured bulk network scanning and probing exercises to further assess the target network space and investigate potential vulnerabilities. Further reconnaissance involves extracting user details, including email addresses, telephone numbers, and office addresses.
Bulk Network Scanning and Probing
Upon identifying IP network blocks of interest, analysts should carry out bulk TCP, UDP, and ICMP network scanning and probing to identify accessible hosts and network services (such as HTTP, FTP, SMTP, and POP-3), that can in turn be abused to gain access to trusted network space.
Key pieces of information that are gathered through bulk network scanning include details of accessible hosts and their TCP and UDP network services, along with peripheral information such as details of ICMP messages to which target hosts respond, and insight into firewall or host-based filtering policies.
After gaining insight into accessible hosts and network services, analysts can begin offline analysis of the bulk results and investigate the latest vulnerabilities in accessible network services.
Investigation of Vulnerabilities
New vulnerabilities in network services are disclosed daily to the security community and the underground alike through Internet mailing lists and various public forums. Proof-of-concept tools are often published for use by security consultants, whereas full-blown exploits are increasingly retained by hackers and not publicly disclosed in this fashion.
|Packet Storm (http://www.packetstormsecurity.org)|
|MITRE Corporation CVE (http://cve.mitre.org)|
|NIST National Vulnerability Database (http://nvd.nist.gov)|
|ISS X-Force (http://xforce.iss.net)|
|CERT vulnerability notes (http://www.kb.cert.org/vuls)|
SecurityFocus hosts many useful mailing lists including BugTraq, Vuln-Dev, and Pen-Test. You can subscribe to these lists by email, and you can browse through the archived posts at the web site. Due to the sheer number of posts to these lists, I personally browse the SecurityFocus mailing list archives every couple of days.
Packet Storm and FrSIRT actively archive underground exploit scripts, code, and other files. If you are in search of the latest public tools to compromise vulnerable services, these sites are good places to start. Often, SecurityFocus provides only proof-of-concept or old exploit scripts that aren’t effective in some cases. FrSIRT runs a commercial subscription service for exploit scripts and tools. You can access and learn more about this service at http://www.frsirt.com/english/services/.
Commercial vulnerability alert feeds are very useful and often provide insight into unpatched zero-day issues. According to Immunity Inc., on average, a given zero-day bug has a lifespan of 348 days before a vendor patch is made available. The following notable commercial feed services are worth investigating (these vendors also run free public feeds):
|eEye Preview (http://research.eeye.com/html/services/)|
|3Com TippingPoint DVLabs (http://dvlabs.tippingpoint.com)|
|VeriSign iDefense Security Intelligence Services (http://labs.idefense.com/services/)|
Lately, Packet Storm has not been updated as much as it could be, so I increasingly use the milw0rm web site to check for new exploit scripts, along with browsing the MITRE Corporation CVE list, ISS X-Force, and CERT vulnerability notes lists. These lists allow for effective collation and research of publicly known vulnerabilities so that exploit scripts can be located or built from scratch. The NIST National Vulnerability Database (NVD) is a very useful enhancement to CVE that contains a lot of valuable information.
Investigation at this stage may also mean further qualification of vulnerabilities. It is often the case that bulk network scanning doesn’t give detailed insight into service configuration and certain enabled options, so a degree of manual testing against key hosts is often carried out within this investigation phase.
Key pieces of information that are gathered through investigation include technical details of potential vulnerabilities along with tools and scripts to qualify and exploit the vulnerabilities present.
Exploitation of Vulnerabilities
Upon qualifying potential vulnerabilities in accessible network services to a degree that it’s probable that exploit scripts and tools will work correctly, the next step is attacking and exploiting the host. There’s not really a lot to say about exploitation at a high level, except that by exploiting a vulnerability in a network service and gaining unauthorized access to a host, an attacker breaks computer misuse laws in most countries (including the United Kingdom, United States, and many others). Depending on the goal of the attacker, she can pursue many different routes through internal networks, although after compromising a host, she usually undertakes the following:
Download and crack encrypted user-password hashes (the SAM database under Windows and the /etc/shadow file under most Unix-based environments)
Modify logs and install a suitable backdoor to retain access to the host
Compromise sensitive data (files, databases, and network-mapped NFS or NetBIOS shares)
Upload and use tools (network scanners, sniffers, and exploit scripts) to compromise other hosts
This book covers a number of specific vulnerabilities in detail, but it leaves cracking and pilfering techniques (deleting logs and installing backdoors, sniffers, and other tools) to the countless number of hacking books available. By providing you with technical information related to network and application vulnerabilities, I hope to enable you to formulate effective countermeasures and risk mitigation strategies.
The Cyclic Assessment Approach
Assessment of large networks in particular can become a very cyclic process if you are testing the networks of an organization in a blind sense and are given minimal information. As you test the network, information leak bugs can be abused to find different types of useful information (including trusted domain names, IP address blocks, and user account details) that is then fed back into other processes. The flowchart in Figure 1-2 outlines this approach and the data being passed between processes.
This flowchart includes network enumeration, then bulk network scanning, and finally specific service assessment. It may be the case that by assessing a rogue nonauthoritative DNS service, an analyst may identify previously unknown IP address blocks, which can then be fed back into the network enumeration process to identify further network components. In the same way, an analyst may enumerate a number of account usernames by exploiting public folder information leak vulnerabilities in Microsoft Outlook Web Access, which can then be fed into a brute-force password grinding process later on.