Evaluating the Tools
A typical assessment can start by using some form of information
gathering tool. If assessing the entire network, map the network layout
first to find the hosts that are running. Once located, we can then focus
on examining them. Focusing on these hosts will require another set of
tools. Knowing which tools to use may be the most crucial step in finding
vulnerabilities.
Just as in any aspect of everyday life, there are many different tools
that perform the same job. This concept applies to performing
vulnerability assessments as well. There are tools specific to operating
systems, applications, and even networks (based on protocols used). Some
tools are free (in terms of cost) while others are not. Some tools are
intuitive and easy to use, while others are cryptic and poorly
documented.
Deciding which tools are the right tools for you may be a daunting
task. In the end, experience counts. If possible, set up a test lab and
try out as many tools as you can, noting the strengths and weaknesses of
each. Review the README file or man page for the tool. In addition, look
to the Internet for more information, such as articles, step-by-step
guides, or even mailing lists specific to a tool.
The tools discussed below are just a small sampling of the available
tools.
Scanning Hosts with Nmap
Nmap is a popular tool for mapping
networks and is included in Red Hat Linux. Nmap has
been available for many years and is probably the most often used tool
when gathering information. An excellent man page is included that
covers the details, options, and examples of using
Nmap. Use it on your network to find host
systems and open ports on those systems.
Nmap is a competent first step in
vulnerability assessment. You can map out all the hosts within your
network (a ping sweep with the -sP option), and
even pass the -O option to make it attempt to
identify the operating system running on those hosts from their
TCP/IP stack behavior. Nmap is a good foundation for
establishing a policy of using secure services and stopping unused
services, because it shows which services are actually reachable from
the network rather than which ones you believe are running.
Using Nmap
Nmap can be run from a shell prompt
or using a graphical version. At a shell prompt, type the
nmap command followed by the hostname or IP
address of the machine you want to scan.
The results of the scan (which could take up to a few minutes,
depending on where the host is located) should look similar to the
following:
nmap 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1591 ports scanned but not shown below are in state: closed)
Port     State   Service
22/tcp   open    ssh
25/tcp   open    smtp
111/tcp  open    sunrpc
515/tcp  open    printer
950/tcp  open    oftep-rpc
6000/tcp open    X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
If you use the graphical version (which can be run by
typing /usr/bin/nmapfe at a shell prompt), the
same results are displayed in a window rather than as plain text.
By default Nmap tests the most common network
communication ports for listening or waiting services. This knowledge
is useful to an administrator who wants to, for example, compare the
open ports against the services the host is supposed to offer and close
down anything unnecessary. Note that a default scan does not cover every
port, and that a listening service is only the first clue: the version
and configuration behind the port determine whether it is actually
exploitable.
For more information about using Nmap,
refer to the official homepage at http://www.insecure.org.
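The procedure above ends with the administrator reading the port list and deciding what to shut down. The following is an added example, not part of the original guide or of Nmap itself, showing how to turn that manual step into a repeatable check: it parses classic Nmap text output (the sample above, embedded here as a constructed string so the example runs without invoking nmap) and reports every open port that is not on a per-host allowlist. The allowlist of 22/tcp and 25/tcp is an assumption standing in for a site policy.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample input: the nmap 3.00 output shown in the text above,
# embedded so this example runs offline and does not depend on nmap.
SAMPLE_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1591 ports scanned but not shown below are in state: closed)
Port     State   Service
22/tcp   open    ssh
25/tcp   open    smtp
111/tcp  open    sunrpc
515/tcp  open    printer
950/tcp  open    oftep-rpc
6000/tcp open    X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
"""


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# One per-port line of classic nmap text output: "22/tcp   open   ssh".
# The header line "Port State Service" does not match because it does
# not start with a number.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

# Summary line: "... 1 IP address (1 host up) scanned ..."
HOSTS_UP = re.compile(r"\((\d+) hosts? up\)")


def parse_ports(scan_text: str) -> List[PortEntry]:
    """Extract every per-port line from nmap text output."""
    entries = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(
                PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            )
    return entries


def hosts_up(scan_text: str) -> int:
    """Number of live hosts reported in the summary line (0 if absent)."""
    m = HOSTS_UP.search(scan_text)
    return int(m.group(1)) if m else 0


def open_ports(scan_text: str) -> Set[Tuple[int, str]]:
    """Set of (port, proto) pairs nmap reported as open."""
    return {(e.port, e.proto) for e in parse_ports(scan_text) if e.state == "open"}


def unexpected_open_ports(
    scan_text: str, allowed: Set[Tuple[int, str]]
) -> List[Tuple[int, str]]:
    """Open ports not on the allowlist: the candidates to shut down.

    Ports in other states (closed, filtered) are ignored on purpose; a
    filtered port may still deserve a look, but it is not a listening
    service the host is offering.
    """
    return sorted(open_ports(scan_text) - allowed)


# Assumed site policy for a mail host that is managed over SSH.
ALLOWED_MAIL_HOST = {(22, "tcp"), (25, "tcp")}

if __name__ == "__main__":
    # Typical use: nmap <host> > scan.txt, then feed the file to this script.
    services = {(e.port, e.proto): e.service for e in parse_ports(SAMPLE_SCAN)}
    for port, proto in unexpected_open_ports(SAMPLE_SCAN, ALLOWED_MAIL_HOST):
        print(f"review {port}/{proto} ({services[(port, proto)]})")
```

On the sample output this flags 111/tcp (sunrpc), 515/tcp (printer), 950/tcp and 6000/tcp (X11) for review, which is exactly the judgement the text asks the administrator to make by hand. Keep the allowlist per host role rather than one global list, and rerun the check after every change so the policy stays tied to what the network can actually see.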
Nessus
Nessus is a full-service security
scanner. The plug-in architecture of
Nessus allows users to customize it for
their systems and networks. As with any scanner,
Nessus is only as good as the signature
database it relies upon. Fortunately,
Nessus is updated on a daily basis. It
features full reporting, host scanning, and real-time vulnerability
searches. Remember that there could be false positives and false
negatives, even in a tool as powerful and as frequently updated as
Nessus.
Note: Nessus is not included with Red Hat Linux and is not supported.
It has been included in this document as a reference to users who may
be interested in using this popular application.
For more information about Nessus,
refer to the official website at http://www.nessus.org.
Whisker
Whisker is an excellent CGI scanner.
Whisker can not only check for known CGI
vulnerabilities but do so in an evasive manner, using request
encoding and other tricks intended to elude intrusion detection
systems. It comes with excellent documentation which should be
carefully reviewed prior to running the program. Once you have
identified which of your Web servers serve CGI scripts,
Whisker is an excellent resource for
checking the security of those servers.
Note: Whisker is not included with Red Hat Linux and is not supported.
It has been included in this document as a reference to users who may
be interested in using this popular application.
More information about Whisker can be found at http://www.wiretrip.net.
VLAD the Scanner
VLAD is a scanner developed by the
RAZOR team at Bindview, Inc. that may be used to
check for vulnerabilities. It checks for the SANS Top Ten list of
common security issues (SNMP issues, file sharing issues, etc.).
While not as full-featured as Nessus,
VLAD is worth investigating.
Note: VLAD is not included with Red Hat Linux and is not supported.
It has been included in this document as a reference to users who may
be interested in using this popular application.
More information about VLAD can be
found on the Tools page on the RAZOR team
website at http://razor.bindview.com/index.shtml.
Anticipating Your Future Needs
Depending upon your target and resources, there are any number of
tools available. There are tools for wireless networks, Novell
networks, UNIX systems, Linux systems, and more. Another essential
part of performing assessments may include reviewing physical security
as well as war dialing, that is, dialing
numbers and extensions enterprise-wide to find modems that offer a way
into your network. Newer concepts, such as war walking, that is,
scanning the perimeter of your enterprise's physical
structures for wireless network access, are emerging
techniques that you can investigate and, if needed, incorporate in your
assessments. Imagination and exposure are the only limits of planning
and conducting vulnerability assessments.