Probing the Network
Perhaps the most critical step in assessing any network is to probe it for vulnerabilities, using various utilities to scan your network for weaknesses. Some network administrators skip this step. They audit policies, check the firewall logs, check patches, and so on. However, the probing tools discussed in this section are the same ones that most hackers use. If you want to know how vulnerable your network is, it is prudent to try the same tools that an intruder would use. In this section we review the more common scanning/probing tools. There are essentially three types of probes that are usually done. These are the same types of probes that skilled hackers use to evaluate your network:
- Port scanning: This is the process of scanning the well-known ports (there are 1024) or even all the ports (there are 65,535) and seeing which ports are open. Knowing which ports are open tells you a lot about a system. If you see that 160 and 161 are open, that tells you that the system is using SNMP. From the perspective of a network administrator, no port should be open that is not necessary.
- Enumerating: This is a process whereby the attacker tries to find out what is on the target network. Items such as user accounts, shared folders, printers, and so on are sought after. Any of these might provide a point of attack.
- Vulnerability assessment: This is the use of some tool to seek out known vulnerabilities, or the attacker might try to manually assess vulnerabilities. Some outstanding tools are available for vulnerability assessment.
A number of tools are freely available on the Internet for active scanning. They range from the simple to the complex. Anyone involved in preventing or investigating computer crimes should be familiar with a few of these.
NetCop
The first scanner we will examine is NetCop. This particular scanner is not necessarily the most widely used in the security or hacking communities, but it is easy to use and therefore makes a very good place for us to start. This utility can be obtained from many sites, including http://download.cnet.com/windows/netcop-software/3260-20_4-112009.html. When you download NetCop, you get a simple self-extracting executable that will install the program on your machine and will even place a shortcut in your program menu. Launching NetCop brings up the screen shown in Figure 12.1. As you can see from this image, this scanner is relatively simple and intuitive to use.
FIGURE 12.1 NetCop port scanner.
The first selection you make is how to scan the IP address. You can either choose to scan a single IP address or a range of IP addresses. The latter option makes this tool particularly useful for network administrators who want to check for open ports on their entire network. For our purposes we will begin by scanning a single IP address, our own machine. To follow along on your own computer, you will need to type in your machine’s IP address. You can either type your machine’s actual IP address or simply the loopback address (127.0.0.1). When you type in a single IP address and click on Scan Now, you can watch the display showing that it is checking each and every port, as shown in Figure 12.2. This is very methodical but also a bit slow.
FIGURE 12.2 Screen an IP address with NetCop.
You can stop the scan if you wish to do so; however, if you let the scan run through all of the ports, you will then see something similar to what is shown in Figure 12.3. Of course, different machines you examine will have different ports open. That is the entire point of scanning, to find out which ports are open.
FIGURE 12.3 IP Scan results.
Finding out which ports are open on a given machine is only half the battle. It is important that you know what each port is used for, and which ones you can shut down without negatively impacting the machine’s purpose.
Over time you will probably memorize several commonly used ports. For a complete list of all ports, you can check any of these Web sites:
Consider what sort of information these ports tell you. Machines with port 80 open are probably Web servers. But other ports can give a hacker even more useful information. For example, ports 137, 138, and 139 are used by NetBIOS, which is most often associated with older versions of Windows. If an intruder realizes that the target machine is using an older version of Windows, she knows she can exploit flaws that have been corrected in newer versions. Other ports can indicate whether the target machine is running a database server, e-mail server, or other vital services. This information not only helps hackers to compromise systems, but also helps them identify information-rich targets.
If you are working within an organizational structure, the best course of action is to make a list of all open ports and identify which ones you believe are required for operations and which ones are not. You should then forward that list to relevant parties such as other network administrators, the IT manager, and the security manager. Give them a chance to identify any additional ports that may be needed. Then you can proceed to close all the ports not needed.
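The procedure above (scan your own machine, name each open port, and split the result into ports to keep and ports to close for review) as an added example, not code from NetCop or from the original text. It performs a plain TCP connect scan of the loopback address; the service table and the set of required ports passed to triage() are constructed for illustration, and the script opens its own listener so there is a known-open port to find.

```python
"""TCP connect scan of the local host with port-to-service naming and a
required/not-required triage list. Added example; SERVICE_NAMES and the
required_ports argument are constructed, not taken from any scanner."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed subset of well-known assignments, used as a fallback when the
# OS services database (socket.getservbyport) does not know the port.
SERVICE_NAMES = {
    22: "ssh", 25: "smtp", 80: "http", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 161: "snmp", 443: "https",
}


def service_name(port):
    """Map a port number to a service name, or '?' when nothing is known."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return SERVICE_NAMES.get(port, "?")


def port_is_open(host, port, timeout=0.5):
    """One connect probe: True only if the TCP handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Connect-scan the given ports in parallel; returns sorted open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def triage(open_ports, required_ports):
    """Split the inventory into (port, service) pairs to keep and to close,
    the list the text suggests forwarding to the other administrators."""
    keep = [(p, service_name(p)) for p in open_ports if p in required_ports]
    close = [(p, service_name(p)) for p in open_ports if p not in required_ports]
    return keep, close


def start_listener():
    """Bind a listening socket on an ephemeral loopback port so the scan has
    a known-open port to find; returns (socket, port). Caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        found = scan_ports("127.0.0.1", range(port - 5, port + 6))
        keep, close = triage(found, required_ports={port})
        print("open:", found)
        print("keep:", keep)
        print("close:", close)
    finally:
        srv.close()
```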
NetBrute
Some port scanners do more than simply scan for open ports. Some also give you additional information. One such product is NetBrute from RawLogic, located at www.rawlogic.com/netbrute/. This one is quite popular with both the security and hacker community. No computer security professionals should be without this item in their tool chests. This utility will give you open ports, as well as other vital information. Once you install and launch NetBrute, you will see a screen such as the one depicted in Figure 12.4.
FIGURE 12.4 NetBrute main screen.
As you can see in Figure 12.4, there are three tabs. We will concentrate on the NetBrute tab first. You can elect to scan a range of IP addresses (perfect for network administrators assessing the vulnerability of their own systems), or you can choose to target an individual IP. When you are done, it will show you all the shared drives on that computer, as you see in Figure 12.5.
FIGURE 12.5 Shared drives.
Shared folders and drives are important to security because they provide one possible way for a hacker to get into a system. If the hacker can gain access to that shared folder, she can use that area to upload a Trojan horse, virus, key logger, or other device. The rule on shared drives is simple: If you don’t absolutely need them, then don’t have them. Any drive or folder can be shared or not shared. Unless you have a compelling reason to share a drive, you should not. And if you do decide to share it, then the details of that shared drive—including content and reason for sharing it—should be in your security documentation.
With the PortScan tab, you can find open ports. It works exactly like the first tab except that instead of giving you a list of shared folders/drives, it gives you a list of open ports. Thus, with NetBrute, you get a port scanner and a shared folder scanner. In essence the second tab contains the most pertinent information you might obtain from other products such as NetCop.
When scanning your own network, these first two tabs will be the most important. However, if you wish to check the security of your Web server, you would want to use the WebBrute tab. The WebBrute tab allows you to scan a target Web site and obtain information similar to what you would get from Netcraft. This scan gives you information such as the target system’s operating system and Web server software.
NetBrute is easy to use and provides most of the basic information you might need. The ability to track shared folders and drives in addition to open ports is of particular use. This tool is widely used by hackers as well as security professionals.
Cerberus
One of the most widely used scanning utilities, and a personal favorite of this author, is the Cerberus Internet Scanner, available as a free download from http://www.cerberusftp.com/download/ (alternative download locations are listed in the Appendices at the back of this book, or you can simply do a web search for Cerberus with your favorite search engine). This tool is remarkably simple to use and very informative. When you launch this tool, you will see a screen like the one shown in Figure 12.6.
FIGURE 12.6 The Cerberus Internet Scanner.
From this screen you can click on the button on the far left that has an icon of a house. Or you can go to File and select Host. You then simply key in either the URL or the IP address of the machine that you wish to scan. Click either the button with the “S” on it or go to File and select Start Scan. Cerberus will then scan that machine and give you a wealth of information. You can see in Figure 12.7 all the various categories of information that you get from this scan.
FIGURE 12.7 Cerberus scan results.
Click on the third button to review the report. The report will launch a Hypertext Markup Language (HTML) document (thus the document is easy to save for future reference) with links to each category. Click on the category you wish to view. As a rule you should save all such security reports for future audits. In the event of litigation it may be necessary for you to verify that you were practicing due diligence in implementing and auditing security. It is also important to document these activities as a part of the record of security precautions you take. This documentation could be crucial in the case of any external audit or even in helping a new IT security professional get up to speed on what actions have already been taken. This information should be stored in a secure location, as it is of great value to someone wishing to compromise your system security. An example of the report is shown in Figure 12.8.
FIGURE 12.8 The Cerberus Report.
One of the most interesting sections to review, particularly for a security administrator, is the NT Registry report. This report will examine the Windows Registry and inform you of any security flaws found there and how to correct them. This report is shown in Figure 12.9.
FIGURE 12.9 The NT Registry Report.
This list shows specific Windows Registry settings, why those settings are not particularly secure, and what you can do to secure them. For obvious reasons, this tool is very popular with hackers. Cerberus can provide a great map of all of a system’s potential vulnerabilities including, but not limited to, shared drives, insecure registry settings, services running, and known flaws in the operating system.
You may have noted that more detail was given on Cerberus than on some of the other scanners. This is for two reasons. The first is that this particular scanner gives more information than most port scanners. The second reason is that this scanner is a particular favorite of the author. My recommendation to you is that if you have to go with just one scanner, this is the one. NOTE: Cerberus is also available for Android at https://www.cerberusapp.com/download.php.
Port Scanner for Unix: SATAN
One tool that has been quite popular for years with Unix administrators (as well as hackers) is SATAN. This tool is not some diabolical supernatural entity, but rather an acronym for Security Administrator Tool for Analyzing Networks. It can be downloaded for free from any number of Web sites. Many of these sites are listed at http://linux.softpedia.com/progDownload/SATAN-Download-23306.html. This tool is strictly for Unix and does not work in Windows.
SATAN was created by Dan Farmer, author of COPS (Computer Oracle and Password System), and Wietse Venema of the Eindhoven University of Technology in the Netherlands. It was originally released on April 5, 1995. It should be noted that SATAN, as well as many other probing tools, was originally used by hackers to find out about a target system. Over time, the more creative network administrators began to use these tools for their own purposes. Clearly, if you wish to protect your system against intruders, it can be quite helpful to try the same tools that intruders use.
The user can enter either a single machine or an entire domain of machines to attack. There are three classes of attacks:
- Light: A light attack simply reports what hosts are available and what Remote Procedure Call services those hosts are running.
- Normal: A normal attack probes the targets by establishing various connections including telnet, FTP, WWW, gopher, and SMTP. These are used to discover what operating system the host is running and what vulnerabilities may be available.
- Heavy: A heavy attack includes everything that a normal attack does with the addition of a search for several other known vulnerabilities, such as writable anonymous FTP directories or trusted hosts.
The history of this particular product is quite illuminating. It began with the work of two computer scientists, Dan Farmer of Sun Microsystems and Wietse Venema of Eindhoven University of Technology. Together they published a paper entitled “Improving the Security of Your Site by Breaking Into It” (http://www.csm.ornl.gov/~dunigan/cracking.html). In it, they discussed using hacking techniques to attempt to break into your own system and thereby discover its security flaws. In the process of writing this paper, they developed the SATAN tool in order to aid network administrators in carrying out the recommendations of their paper. This means SATAN is the product of computer scientists working to improve computer security. It is not a commercial product and can be freely downloaded from numerous Web sites.
SAINT®
SAINT (Security Administrator’s Integrated Network Tool) is a network vulnerability assessment scanner (http://www.saintcorporation.com/) that scans a system and finds security weaknesses. It prioritizes critical vulnerabilities in the network and recommends safeguards for your data. SAINT can benefit you in several ways:
- Prioritized vulnerabilities let you focus your resources on the most critical security issues. This is probably the most distinctive feature of SAINT.
- Fast assessment results help you identify problems quickly.
- Highly configurable scans increase the efficiency of your network security program.
- It allows network administrators to design and generate vulnerability assessment reports quickly and easily. Such reports are particularly useful when conducting audits.
- The product is automatically updated whenever a scan is run.
This product is newer than Cerberus and SATAN, and is gaining widespread acceptance in both the hacking and security communities.
Nessus
Nessus, or the “Nessus Project,” is another extremely powerful network scanner. It is open source and can be downloaded from www.nessus.org. Nessus is fast and reliable, with a modular architecture that allows you to configure it to your needs. Nessus works on Unix-like systems (MacOS X, FreeBSD, Linux, Solaris, and more) and also has a Windows version (called NeWT).
Nessus includes a variety of plug-ins that can be enabled, depending on the type of security checks you want to perform. These plug-ins work cooperatively with each test specifying what is needed to proceed with the test. For example, if a certain test requires a remote FTP server and a previous test showed that none exists, that test will not be performed. Not performing futile tests speeds up the scanning process. These plug-ins are updated daily and are available from the Nessus Web site.
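The dependency behaviour described above (a test that needs an FTP server is skipped when an earlier test found none) as an added illustration; this is not Nessus code and does not reproduce its real plug-in engine. Each constructed plug-in declares the facts it requires, the scheduler runs whatever can proceed from the current knowledge base, and anything still blocked at the end is recorded as skipped with the missing prerequisite. The plug-in names, fact keys and fake probe results are all constructed.

```python
"""Dependency-gated test scheduling, modelled on the skip-when-unmet
behaviour the text describes for Nessus plug-ins. Added example; plug-in
names, fact keys and probe results are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Plugin:
    name: str
    requires: Set[str]                                   # facts needed before running
    run: Callable[[Dict[str, object]], Dict[str, object]]  # returns facts it learned


@dataclass
class ScanLog:
    ran: List[str] = field(default_factory=list)
    skipped: List[Tuple[str, List[str]]] = field(default_factory=list)


def run_scan(plugins, knowledge, log=None):
    """Run every plug-in whose prerequisites are in the knowledge base and
    fold its findings back in; repeat until nothing new can run. Plug-ins
    still pending at the end are skipped and the missing facts recorded."""
    if log is None:
        log = ScanLog()
    pending = list(plugins)
    progress = True
    while pending and progress:
        progress = False
        for plugin in list(pending):
            if plugin.requires - set(knowledge):
                continue                      # prerequisite not (yet) known
            knowledge.update(plugin.run(knowledge))
            log.ran.append(plugin.name)
            pending.remove(plugin)
            progress = True
    for plugin in pending:
        log.skipped.append((plugin.name, sorted(plugin.requires - set(knowledge))))
    return knowledge, log


# Constructed stand-ins for real checks. The "port scan" pretends the host
# answered only on 80, so no FTP service is ever recorded.
def port_scan(kb):
    return {"open_ports": {80}}


def services_from_ports(kb):
    known = {21: "ftp", 80: "www"}
    return {f"Services/{known[p]}": p for p in kb["open_ports"] if p in known}


def ftp_banner(kb):
    return {"ftp/banner": "constructed banner"}


def ftp_anon_login(kb):
    return {"ftp/anonymous": True}


def http_banner(kb):
    return {"http/banner": "constructed Apache banner"}


def build_plugins():
    # Deliberately out of dependency order to show the scheduler sorting it out.
    return [
        Plugin("ftp_anon_login", {"ftp/banner"}, ftp_anon_login),
        Plugin("ftp_banner", {"Services/ftp"}, ftp_banner),
        Plugin("http_banner", {"Services/www"}, http_banner),
        Plugin("port_scan", set(), port_scan),
        Plugin("services", {"open_ports"}, services_from_ports),
    ]


if __name__ == "__main__":
    kb, log = run_scan(build_plugins(), {})
    print("ran:", log.ran)
    print("skipped:", log.skipped)
```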
The output from a Nessus scan of a system is incredibly detailed, and there are multiple formats available for the reports. These reports give information about security holes, warnings, and notes. Nessus does not attempt to fix any security holes that it finds. It simply reports them and gives suggestions for how to make the vulnerable system more secure.
Some security professionals complain that Nessus can give false positives. This means it can report a problem where there is none. This product is also not as widely used as Cerberus, SATAN, or some of the other scanners we have examined.
NetStat Live
One of the most popular protocol monitors is NetStat, which ships free with Microsoft Windows. A version of this, NetStat Live (NSL), is freely available on the Internet from a variety of sites, such as www.analogx.com/contents/download/network/nsl.htm. This product is an easy-to-use TCP/IP protocol monitor that can be used to see the exact throughput on both incoming and outgoing data whether you are using a modem, cable modem, DSL, or a local network. It allows you to see the speed at which your data goes from your computer to another computer on the Internet. It even tells you how many other computers your data must go through to get to its destination. NSL also graphs the CPU usage of a system. This can be especially useful if, for example, you are experiencing slowed connection speeds. It can identify whether your computer or your Internet connection is the reason for the slowdown.
The NetStat Live screen is shown in Figure 12.10. This display shows the last 60 seconds of data throughput. It displays the average data rate, the total amount of data sent since the last reboot, and the maximum data rate. It tracks these for all incoming and outgoing messages.
FIGURE 12.10 NetStat Live.
To enable or disable a pane, simply right-click on the window, choose Statistics, and then place a check next to any statistics that you would like to see. Your choices are:
- Local Machine. The current machine name, IP address, and network interface being monitored
- Remote Machine. The remote machine, including average ping time and number of hops
- Incoming Data. Data on the incoming (download) channel
- Incoming Totals. Totals for the incoming data
- Outgoing Data. Data on the outgoing (upload) channel
- Outgoing Totals. Totals for the outgoing data
- System Threads. Total number of threads currently running in the system
- CPU Usage. Graphs the CPU load
Notice that the Remote section has a machine listed and some information pertaining to it. You can easily change the server for which you are gathering information. Simply open your Web browser, go to a Web page, and copy the URL (including “http://”) into the clipboard (by using Ctrl+C). When you return to viewing NSL, you will see that the server has been replaced with information on the site to which you browsed. One of the most important reasons to use NetStat or NetStat Live is to find out what the normal traffic flow is to a given server (or your entire network). It is difficult to determine whether abnormal activity is taking place if you do not know the characteristics of normal activity.
Active Ports
Active Ports is another easy-to-use scanning tool for Windows. You can download it for free from http://www.majorgeeks.com/files/details/active_ports.html. This program enables you to monitor all open TCP and UDP ports on the local computer. Figure 12.11 shows the main screen of Active Ports. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the process that is using that port.
FIGURE 12.11 Active Ports user interface.
Active Ports lacks some of the features you would find in more advanced tools such as Cerberus or SATAN. It is a good place to start, though, especially if you have no experience port scanning at all.
Other Port Scanners
There are many more port scanners and security tools available on the Internet, a few of which are listed here:
- Like Active Ports, Fport reports all open TCP/IP and UDP ports and maps them to the owning application. Additionally, it maps those ports to running processes. Fport can be used to quickly identify unknown open ports and their associated applications. This product is available at http://www.mcafee.com/us/downloads/free-tools/fport.aspx.
- TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the remote address and the state of TCP connections. TCPView provides a conveniently presented subset of the NetStat program.
- SuperScan is a port scanner originally from Foundstone Inc., now distributed by McAfee. It is available as a free download at http://www.mcafee.com/us/downloads/free-tools/superscan.aspx/. This particular scanner gives its report in HTML format. What is most interesting about SuperScan is the wide variety of tools also available at that same Web site, including tools that scan for any number of very specific vulnerabilities. Exploring this Web site is well worth your time.
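The port-to-owning-process view that Active Ports, Fport and TCPView give you can also be built from the NetStat output the text mentions. As an added example (not code from any of those tools), the script below parses constructed `netstat -ano` lines in the Windows column layout, lists every socket accepting inbound traffic with its PID, and reports the ones not on an approved list. The addresses and PIDs in the sample are made up.

```python
"""Turn Windows `netstat -ano` output into a port-to-PID inventory.
Added example; SAMPLE_NETSTAT is constructed and its PIDs/addresses are
invented for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the column layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     3120
  TCP    [::]:3389              [::]:0                 LISTENING       1020
  UDP    0.0.0.0:161            *:*                                    1488
"""


@dataclass
class SockEntry:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # "" for UDP rows, which netstat prints without a State
    pid: int


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.1:80' -> ('192.0.2.1', 80); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[SockEntry]:
    """One SockEntry per data row; banner and header lines are ignored."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""   # UDP rows have no State column
        pid = int(fields[-1])
        lip, lport = split_addr(local)
        rip, rport = split_addr(remote)
        rows.append(SockEntry(proto, lip, lport, rip, rport, state, pid))
    return rows


def listeners(entries: List[SockEntry]) -> List[Tuple[str, int, int]]:
    """(proto, port, pid) for every socket that accepts inbound traffic:
    TCP sockets in LISTENING plus every bound UDP socket."""
    out = [(e.proto, e.local_port, e.pid) for e in entries
           if e.proto == "UDP" or e.state == "LISTENING"]
    return sorted(out)


def unexpected_listeners(entries, approved: Set[Tuple[str, int]]):
    """Listeners whose (proto, port) is not approved: the list to take to
    the system's owners before closing anything."""
    return [l for l in listeners(entries) if (l[0], l[1]) not in approved]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid in unexpected_listeners(socks, {("TCP", 135), ("TCP", 445)}):
        print(f"review: {proto} port {port} owned by PID {pid}")
```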
The specific port scanner you use is often more a matter of personal preference than anything else. The best approach is to use three or four separate scanners to ensure that you are checking all the possible vulnerabilities. Using more than three or four scanners provides limited incremental benefits and can be very time consuming. I would definitely recommend that Cerberus be one of the scanners you use. You may also wish to fully test your password with some of the password crackers we mentioned in Chapter 6 to ensure that your passwords cannot be easily cracked.
More security-savvy network administrators will use these tools on their servers, just to check security. Full-time security professionals should try to stay abreast of trends in the hacking community, and may even use the same tools as hackers. This is a proactive and important step for a network administrator to take.
Microsoft Security Baseline Analyzer
The Microsoft Security Baseline Analyzer is certainly not the most robust vulnerability assessment tool, but it has a remarkably easy-to-use interface and it is free (see Figure 12.12). This tool is available from http://technet.microsoft.com/en-us/security/cc184923.aspx.
FIGURE 12.12 Microsoft Security Baseline Analyzer.
You can choose to scan one machine or many, and you can select which vulnerabilities you want to scan for, as shown in Figure 12.13.
FIGURE 12.13 Microsoft Security Baseline Analyzer—Scan Selection.
When the scan completes, a complete report appears to the user, shown in Figure 12.14.
FIGURE 12.14 Microsoft Security Baseline Analyzer—Results.
As you can see, this easy-to-use tool gives you a clear overview of not only a given system’s vulnerabilities, but also specific details. This would make it easy for an attacker to exploit those vulnerabilities, but it also makes it easy for you to correct them. This is the sort of tool someone might use to find possible attack vectors into your system, but it is also an excellent tool for system administrators to use to check their systems for vulnerabilities.
NSAudit
The NSAudit tool offers basic system enumeration. If you look under Tools, you see the Enumerate Computers button, shown in Figure 12.15.
FIGURE 12.15 NSAudit Enumerate Computers.
Click it to see a number of choices as to what you want to enumerate, as shown in Figure 12.16.
FIGURE 12.16 NSAudit enumeration choices.
You have a number of choices: You can enumerate all computers, or just the domain controller, or servers, or MS SQL database servers. When you run the enumerator the output is in XML format as shown in Figure 12.17.
FIGURE 12.17 NSAudit enumeration results.
You can see that a great deal of information is provided about every computer on that network. You get a list of all the computers on the network, and then you can see what services they are running. Any running service is a potential attack vector.