Security Audit - Leaman


The Do-It-Yourself Security Audit, an Internet.com Security eBook

Contents

The Do-It-Yourself Security Audit
Introduction
Carrying Out Your Own Penetration Tests
Network Discovery: Scanning with Nmap
Sniffing Your Network with Wireshark
Checking Password Security with Hydra
Spotting Weak Passwords Using Offline Attacks
Checking Wireless Security with aircrack-ng

Paul Rubens is an IT consultant based in Marlow, England, and has been writing about business technology for leading US and UK publications for almost 20 years.

The Do-It-Yourself Security Audit, an Internet.com Security eBook. 2008, Jupitermedia Corp.

The Do-It-Yourself Security Audit
By Paul Rubens

Introduction

Keeping the servers, laptops and desktop PCs in your organization secure is a vital job, as a breach in security can lead to valuable data being destroyed or altered; confidential data being leaked; loss of customer confidence (leading to lost business); and the inability to use computing resources (and therefore lost productivity).

The cost of a serious security breach can be very high indeed, so most organizations devote significant resources to keeping malware and malicious hackers from getting on to the corporate network and getting access to data.

Typical defenses against these threats include:
- A firewall to separate the corporate network from the Internet
- An intrusion prevention/detection system (IPS/IDS) to detect when typical hacker activities, such as port scans, occur and to take steps to prevent them from successfully penetrating the network
- Malware scanners to prevent malicious software getting on to the network hidden in e-mail, instant messaging or Web traffic
- The use of passwords to prevent unauthorized access to networks, computers, or data stored on them.

Every organization should have these defenses in place, but this leaves a very important question to be answered: How effective are these measures? It's a deceptively simple question, but it's essential that you know the answer to it. That's because if you don't, it may turn out that:
- Holes in your firewall leave your network vulnerable
- Your IPS/IDS is not configured correctly and will not protect your network effectively
- The passwords used to protect your resources are not sufficiently strong to provide the protection you require
- Your IT infrastructure has other vulnerabilities you are not aware of, such as an unauthorized and insecure wireless access point set up by an employee.

Penetration Testing

Penetration testing seeks to find out how effective the security measures you have in place to protect your corporate IT infrastructure really are by putting them to the test. It may involve a number of stages including:
- Information gathering: using Google and other resources to find out as much as possible about a company, its employees, their names, and so on
- Port scanning: to establish what machines are connected to a network and what services they have running that may be vulnerable to attack
- Reconnaissance: contacting particular servers that an organization may be running and getting information from them (like the usernames of employees, or the applications that are running on a server)
- Network sniffing: to find usernames and passwords as they travel over the network
- Password attacks: to decrypt passwords found in encrypted form, or to guess passwords to get access to computers or services

Defending a network and attacking a network are two different disciplines that require different mindsets, so it follows that the people best qualified to carry out a penetration test are not corporate security staff – who are experts at defending a network – but hackers, who are experts at attacking them.

The best penetration tests involve using the services of "ethical hackers" who are engaged to attempt to break in to the network and discover as much information and get access to as many computers as possible.

A cheaper option is to use penetration-testing software, which searches for vulnerabilities, and in some cases even carries out attacks automatically. A skilled human is more likely to be successful than any software tool, but using penetration-testing software to carry out your own penetration tests is still a good idea.

The software allows you to carry out these tests yourself on a monthly or even weekly basis, or whenever you make significant infrastructure changes, without incurring the costs associated with repeated tests carried out by a consultant. If you use many of the free penetration testing tools that are available you will almost certainly be using the same ones that many hackers use as hacking tools. If you can successfully compromise your organization's security with these tools then so can hackers – even relatively unskilled hackers who know how to use the software.

Carrying Out Your Own Penetration Tests

The more skills and knowledge you have, the more effective your penetration tests will be. A complete guide to penetration testing is beyond the scope of this eBook, but with some very basic hardware and free or low-cost software it's still possible to carry out some important checks to see how effective your security systems are. Any vulnerability you spot and correct raises the bar for anyone wanting to break in to your network and harm your organization.

What You Will Need

Hardware
To carry out your penetration tests you'll need a light, portable computer with wireless and Ethernet networking capability. Although just about any reasonably new laptop will suffice, "netbooks" such as Acer's Aspire One or Asus' Eee PC make ideal penetration testing machines because they are extremely lightweight and portable, making it easy to carry around office buildings. Costing about $350 they are inexpensive, yet powerful enough for the job, and they can run operating systems booted from a USB stick.

Note: The instructions in this eBook have been tested with Acer's Aspire One but should work with the Eee PC or any other laptop with little or no modification.

Software
Most of the software needed is open-source and available free to download, compile, install, and run on Linux. But by far the easiest way to get hold of all the software covered in this eBook (plus plenty more to experiment with) is by downloading a "live" Linux security distribution CD image and burning it on to a CD, or copying the contents on to a USB drive (since most netbooks lack an optical drive). The benefit of a "live" distribution is that the entire operating system and all the software can be run from the removable media without the need for hard disk installation.

Note: The instructions in this eBook assume that the reader is using a security Linux distribution called BackTrack 3, which can be downloaded from www.remote-exploit.org/backtrack_download.html and run from a CD or USB stick.

Creating a BackTrack 3 "Live" CD or USB Stick

To create a bootable BackTrack CD, download the BackTrack 3 CD image from www.remote-exploit.org/backtrack_download.html and burn it to a CD.

To create a bootable BackTrack 3 USB stick, follow these steps:
1. Download the extended USB version of BackTrack 3 from http://www.remote-exploit.org/backtrack_download.html
2. Open the downloaded .iso file using an application such as MagicIso or WinRAR (on Windows) or unrar (Linux).
3. Copy the "boot" and "bt3" folders on to a memory stick (minimum 1Gb).
4. Make the USB stick bootable.
   In Windows, open a command prompt and navigate to the "boot" folder on your memory stick. If your memory stick is drive F:\ then type:
   cd f:\boot
   bootinst.bat
   In Linux, open a terminal window, and change directory to your memory stick, probably:
   cd /media/disk
   and execute the script bootinst.sh by typing:
   bootinst.sh

To start BackTrack 3, simply insert the CD or USB into your penetration-testing machine, start it up, and boot from the removable media. Once the boot sequence is complete you will be greeted with the standard BackTrack 3 desktop:

[Figure: The BackTrack 3 desktop.]

Automated Penetration Testing with db_autopwn

db_autopwn is an automated penetration testing tool that can test large numbers of Windows, Linux, and Unix computers on a network for vulnerabilities at the push of a few buttons. It is part of a suite of software popular with both penetration testers and hackers known as the Metasploit Framework.

To use db_autopwn you first need to scan your network using a tool called Nmap to discover computers on the network and to establish which ports each of these has open. Using this information, db_autopwn matches any known vulnerabilities in services that usually run on those ports with exploits in the Metasploit exploit library which use those vulnerabilities, and attacks the machines by running those exploits. If any of the servers on your network are successfully compromised (or "pwn"ed), you will be presented with a command shell giving you control over the compromised machine.

db_autopwn has a number of benefits. First of all, it's free. It's also a popular tool with hackers. Using it will reveal if a hacker could easily compromise your network by using it. And if you do find that any of your computers can be compromised, it is easy to identify the weakness, patch or update the relevant software, and then re-run the test to ensure the problem has been corrected.

On the other hand, db_autopwn generally does not find vulnerabilities in services running on non-default ports (although hackers using the tool generally won't either). There is also the possibility that running the tool could cause "collateral damage," i.e., you might crash servers on your network. A hacker running the tool would also do this, so arguably it is better to crash the machines yourself when you are prepared for it than for a hacker to do so unannounced.

Automated Penetration Test Using db_autopwn
1. Open a terminal window and move to the Metasploit Framework folder:
   cd /pentest/exploits/framework3
2. Start Metasploit:
   ./msfconsole
3. Create a database to store the results of your Nmap scan:
   load db_sqlite3
   db_create Nmapresults
4. Scan your network and place the results in the database:
   db_nmap [target]
   (Replace the [target] string with the network block of your local subnet or the IP address of a target system that you want to test, e.g. 192.168.1.*)
5. Try to exploit the known vulnerabilities in any services running on the default ports on any of the machines:
   db_autopwn -t -p -e
6. Once the autopwn process is over, check to see if you managed to compromise any machines with the command:
   sessions -l

[Figure: Preparing to run db_autopwn in BackTrack 3.]

7. A numbered list of compromised computers will be displayed. To take control of one of these computers, type:
   sessions -i 1
   (replacing 1 with the number of the computer you want to control)
   This will result in the command shell of the compromised computer, looking something like this:
   [*] Starting interaction with 1.
   Microsoft Windows XP [Version 5.1.2600]
   (C) Copyright 1985-2001 Microsoft Corp.
   C:\WINDOWS\system32>

Network Discovery: Scanning with Nmap

db_autopwn is often used by relatively unskilled "script kiddies," and if it fails to find any vulnerable machines this doesn't mean that all the systems on the network are secure. That's because a skilled hacker may use other, more labor-intensive methods, plus knowledge and creativity, to try to find a way into machines on the targeted network.

One of the first things an intruder is likely to do is scan the network to find out what machines are connected, and what ports they have open, possibly using Nmap (the same scanner used to find machines to exploit using db_autopwn). Scanning your own network with this scanning tool can reveal what a hacker could discover: the devices connected to your network, and the ports they have open and the services they are (probably) running.

Scanning Your Network with Zenmap
1. Start Zenmap by typing "zenmap" into the text box on the bottom panel on the BackTrack 3 desktop.
2. Type in the network block of your local subnet or the IP address of a target system that you want to test in the Target box, e.g. 192.168.1.*, choose a scan profile (or leave the default "intense scan") and click on scan.

After some minutes you'll be presented with the results:

[Figure: Zenmap displaying the results of a scan.]

On the left you can see a list of the hosts attached to the network and an icon representing the operating systems they are running. On the right is displayed a list of open ports and corresponding services on the host 192.168.1.10, a Windows Server 2003 machine. In this example you can see that the server is running Windows IIS Web server, and also has port 3389 open for remote desktop sessions. Both of these have potential vulnerabilities, and present you with the opportunity to close these port

This should alert you if unauthorized machines are attached to your network, or if any users are running
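The check this section describes, comparing what a scan of your own network found with what you expect to be there, can be automated once the results are saved. The following is an added example, not code from the eBook or from the Nmap project: it parses the XML that Nmap writes with -oX (and that Zenmap saves), then reports any host that is not in your inventory and any open port the inventory does not allow for that host. The sample scan, the inventory, and the helper names parse_nmap_xml and audit are all constructed for this example; the 192.168.1.10 entry mirrors the IIS and port 3389 findings discussed above.

```python
"""Audit an Nmap XML scan against an inventory of authorized hosts and ports.

Added example (not from the eBook). Parses the XML Nmap/Zenmap write with
`-oX`, then flags hosts missing from the inventory and open ports the
inventory does not permit. SAMPLE_SCAN and INVENTORY are constructed data.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (as saved by `nmap -oX`).
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 192.168.1.*">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-term-serv"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003" accuracy="100"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed inventory: the hosts you know about and the ports each may expose.
INVENTORY = {
    "192.168.1.10": {"role": "IIS web server", "allowed": {("tcp", 80)}},
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name_or_None, "open": {(proto, port): service}}} for hosts that are up."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that is down exposes nothing to audit
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not reachable services
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        osmatch = host.find("os/osmatch")
        hosts[addr.get("addr")] = {
            "os": osmatch.get("name") if osmatch is not None else None,
            "open": open_ports,
        }
    return hosts


def audit(scan, inventory):
    """Compare a parsed scan with the inventory; return a list of (kind, ip, message)."""
    findings = []
    for ip, info in sorted(scan.items()):
        entry = inventory.get(ip)
        if entry is None:
            findings.append(("unknown-host", ip,
                             "host not in inventory (os: %s)" % (info["os"] or "unidentified")))
            continue
        for (proto, port), service in sorted(info["open"].items()):
            if (proto, port) not in entry["allowed"]:
                findings.append(("unexpected-port", ip,
                                 "%s/%d (%s) open on %s but not allowed"
                                 % (proto, port, service, entry["role"])))
    return findings


if __name__ == "__main__":
    for kind, ip, message in audit(parse_nmap_xml(SAMPLE_SCAN), INVENTORY):
        print("%-15s %-15s %s" % (kind, ip, message))
```

Run against the constructed data it reports port 3389 on 192.168.1.10 as open but not allowed, and 192.168.1.77 as a host that is not in the inventory; the closed port and the host that is down produce nothing. Re-running the same audit after each scan turns the one-off Zenmap check into a repeatable one that only shows what changed against what you expect.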
