Hack Attacks Testing How to Conduct Your Own Security Audit 3

Phase 4: Dial-up Audit
During a dial-up audit, one does the following:
■■ Utilizes wardialing to scan for and detect misconfigured dial-ups and terminal
servers (e.g., PCAnywhere, Reachout, and Citrix), as well as any rogue or
unauthorized desk modems
■■ Documents procedures

Phase 5: Local Infrastructure Audit
The local infrastructure audit is a compilation of each section report as a deliverable. It
includes the following:

User Problem Report. Includes issues such as slow boot times, file/print difficulty,
low bandwidth availability, and spontaneous connection terminations.
Composition of Traffic by Protocol Family. A percentage breakdown by protocol,
utilized during the capture period. Each frame is categorized into protocol
families. A frame to which more than one protocol applies is categorized according
to the highest protocol analyzed. Thus, for example, a Transmission Control
Protocol/Internet Protocol (TCP/IP) frame encapsulated within frame relay
would be categorized as TCP/IP; all the bytes in the frame would be counted as
part of the TCP/IP percentage.
Network Segments/Stations versus Symptoms. A breakdown of the network
stations and symptoms found. This breakdown includes the number of errors
or symptoms per network. Symptoms that might be detected include the
following:
■■ Frame freezes, which indicate a hung application or inoperative station.
■■ File retransmission, which indicates that an entire file or a subset of a file has
been retransmitted and is generally caused by an application that does not
use the network efficiently.
■■ Low throughput, the calculation of which is based on the average throughput
during file transfers.
■■ Redirected host, which indicates that stations are receiving an ICMP redirect
message sent by a router or gateway to inform stations that a better route
exists or that a better route is not available.
Bandwidth Utilization. Indicates the total bandwidth utilized by stations during
the analysis session. From this data, recommendations can be made to increase
throughput and productivity.
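The two report items above, "Composition of Traffic by Protocol Family" and "Bandwidth Utilization", are both simple aggregations over a capture. The following Python is an added example, not code from the book or from any analyzer it mentions: it assigns every frame to the highest protocol recognised in it (so a TCP/IP frame carried inside frame relay counts as TCP/IP, headers and all), reports the byte percentage per family, and computes each sending station's average share of a link during the capture period. The protocol ranking, the frame records, and the 64 kbps link figure are constructed for the example.

```python
from collections import defaultdict

# Encapsulation order used to decide which protocol a frame is counted under.
# Constructed for this example; a real analyzer derives this from its decoders.
PROTOCOL_RANK = {
    "Frame Relay": 0, "Ethernet": 0,   # link layer
    "IP": 1,                            # network layer
    "TCP/IP": 2, "UDP/IP": 2, "IPX": 2, # "highest" protocols we report on
}

# Constructed capture: one record per frame, with every protocol the decoder saw
# in it (lowest first), the frame length in bytes, and the sending station.
SAMPLE_FRAMES = [
    {"protocols": ["Frame Relay", "IP", "TCP/IP"], "length": 1500, "src": "10.0.0.5"},
    {"protocols": ["Ethernet", "IP", "TCP/IP"],    "length": 500,  "src": "10.0.0.5"},
    {"protocols": ["Ethernet", "IP", "UDP/IP"],    "length": 1000, "src": "10.0.0.7"},
    {"protocols": ["Ethernet", "IPX"],             "length": 1000, "src": "10.0.0.9"},
    {"protocols": ["Frame Relay"],                 "length": 1000, "src": "fr-switch"},  # LMI only
]


def classify_frame(protocols):
    """Family a frame is counted under: the highest-ranked protocol found in it."""
    return max(protocols, key=lambda p: PROTOCOL_RANK.get(p, -1))


def composition_by_family(frames):
    """Percentage of captured bytes per protocol family.

    Every byte of a frame, encapsulation headers included, is credited to the
    family the frame was assigned to, as the report item describes.
    """
    bytes_per_family = defaultdict(int)
    total = 0
    for frame in frames:
        family = classify_frame(frame["protocols"])
        bytes_per_family[family] += frame["length"]
        total += frame["length"]
    if total == 0:
        return {}
    return {fam: round(100.0 * b / total, 1) for fam, b in bytes_per_family.items()}


def utilization_by_station(frames, capture_seconds, link_bps):
    """Average share of link capacity (percent) each sending station used."""
    bytes_per_station = defaultdict(int)
    for frame in frames:
        bytes_per_station[frame["src"]] += frame["length"]
    capacity_bytes = link_bps / 8 * capture_seconds
    return {s: round(100.0 * b / capacity_bytes, 2) for s, b in bytes_per_station.items()}


if __name__ == "__main__":
    # A one-second capture on a 64 kbps frame-relay PVC (constructed figures).
    print("Composition by protocol family:", composition_by_family(SAMPLE_FRAMES))
    print("Utilization by station:", utilization_by_station(SAMPLE_FRAMES, 1, 64000))
```

With the constructed capture, TCP/IP accounts for 40% of bytes even though one of its frames arrived over frame relay, and station 10.0.0.5 used 25% of the 64 kbps link; the per-station figures are the starting point for the throughput recommendations the report item calls for.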

Phase 6: Wide Area Network Audit
The wide area network (WAN) audit is a compilation of each section report as a deliverable.
This compilation incorporates the following:
Internetworking Equipment Discovery. An inventory of current internetworking
hardware, including switches, routers, firewalls, and proxies.
Alarms and Thresholds. This function tracks all HTTP, FTP, POP3, SMTP, and
Network News Transfer Protocol (NNTP) traffic, as well as custom-defined-site
access information, in real time. Other monitored access information includes, in
summary form, network load, number and frequency of each user’s access, and
rejected attempts.
Alarm/Event Logging. Excerpts from the actual log files during the analysis
session.
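The "Alarms and Thresholds" item above describes tracking access by protocol and user and flagging rejected attempts. The following Python is an added example, not code from the book or from any monitoring product it describes: it parses a constructed access log, keeps the summary counters the text lists (events per tracked protocol, accesses per user, rejected attempts per source), and raises an alarm when one source accumulates a threshold number of rejected attempts inside a sliding time window. The log format, the field names, and the threshold of three rejections in 60 seconds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Protocols the report item says are tracked; anything else is ignored.
TRACKED = {"HTTP", "FTP", "POP3", "SMTP", "NNTP"}

# Constructed log format: "<date> <time> <protocol> user=<u> src=<ip> status=<OK|REJECTED>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\S+) user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)

# Constructed sample log for the analysis session (not real traffic).
SAMPLE_LOG = """\
2003-02-11 09:12:01 HTTP user=alice src=10.0.0.5 status=OK
2003-02-11 09:12:05 POP3 user=bob src=10.0.0.7 status=REJECTED
2003-02-11 09:12:20 POP3 user=bob src=10.0.0.7 status=REJECTED
2003-02-11 09:12:40 SMTP user=carol src=10.0.0.9 status=OK
2003-02-11 09:12:55 POP3 user=bob src=10.0.0.7 status=REJECTED
2003-02-11 09:13:10 FTP user=alice src=10.0.0.5 status=OK
2003-02-11 09:13:30 NNTP user=dave src=10.0.0.11 status=OK
2003-02-11 09:13:45 SNMP user=eve src=10.0.0.13 status=OK
2003-02-11 09:20:00 POP3 user=bob src=10.0.0.7 status=REJECTED
""".splitlines()


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def summarize(lines):
    """Summary-form counters: events per tracked protocol, accesses per user,
    rejected attempts per source address."""
    by_proto, by_user, rejected = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] not in TRACKED:
            continue
        by_proto[ev["proto"]] += 1
        by_user[ev["user"]] += 1
        if ev["status"] == "REJECTED":
            rejected[ev["src"]] += 1
    return {"by_protocol": dict(by_proto), "by_user": dict(by_user),
            "rejected_by_source": dict(rejected)}


def rejected_alarms(lines, threshold=3, window_seconds=60):
    """Alarm once per source when `threshold` rejected attempts fall within a
    sliding window of `window_seconds`. Returns (time, source, count) tuples."""
    recent = defaultdict(deque)   # source -> timestamps of recent rejections
    alarms, fired = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != "REJECTED":
            continue
        window = recent[ev["src"]]
        window.append(ev["ts"])
        # Drop rejections that fell out of the window before this one.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])
            alarms.append((ev["ts"], ev["src"], len(window)))
    return alarms


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for ts, src, count in rejected_alarms(SAMPLE_LOG):
        print(f"ALARM {ts}: {count} rejected attempts from {src} within 60 s")
```

On the constructed log the third rejection from 10.0.0.7 at 09:12:55 trips the alarm, while the lone rejection at 09:20:00 does not because the earlier ones have aged out of the window; the SNMP line is counted nowhere because SNMP is not among the tracked protocols.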

Phase 7: Reporting
The reporting phase is a compilation of each section report as a deliverable. It includes
the following:
■■ Detailed documentation of all findings
■■ Diagrams or screenshots of each event
■■ Recommended defense enhancement based on Tiger Team techniques
■■ List of required or optional enhancements to vulnerabilities in immediate
danger
The deliverables for your security analysis should incorporate all the functions outlined
in the project review of your analyses phases. Each deliverable should be in the
form of a detailed report, divided into parts such as scans, spoofs, spams, floods,
audits, penetrations, discoveries, network information, system information, vulnerability
assessment, and recommendations for increased network security (required and
optional). Time should be allotted for organizing the findings, as doing so will facilitate
subsequent remediation steps. You should incorporate findings from vulnerability
scanners, such as the Network Associates Inc. (NAI) CyberCop Scanner or Nessus
Security Scanner, into the report as well. We’ll talk more about these and other scanners
later in this book.

Unleashing the Power of Windows, Linux, and Solaris
Before we discuss the specifics of vulnerability and penetration assessment, we’ll take a
moment to review the minimum requirements and construction of our testing system,
or Tiger Box. Tiger terminology was derived from a team of security experts. Originally,
a Tiger Team was a group of paid professionals whose purpose was to penetrate
perimeter security and test or analyze the internal security policies of corporations.
These people penetrated the security of computer systems, phone systems, safes, and
so on, to help companies assess the effectiveness of their security systems and learn
how to efficiently revamp their security policies.
More recently, however, a Tiger Team has come to be known as any official inspection
or special operations team that is called in to evaluate a security problem. A subset
of Tiger Teams comprises professional hackers and crackers who test the security of
computer installations by attempting remote attacks via networks or via supposedly
secure communication channels. In addition, Tiger Teams are also called in to test programming
code integrity. Many software development companies outsource a tiger
team to perform stringent dynamic code testing before putting their software on the
market. Tiger Teams use what’s coined a Tiger Box to provide the necessary tools for
revealing potential security weaknesses. A Tiger Box contains tools designed to discover,
scan, and in some cases penetrate security vulnerabilities.
The central element of a Tiger Box is the operating system foundation. A first-rate
Tiger Box is configured in a multiple-boot configuration setting that includes *NIX and
Microsoft Windows operating systems. Currently, Tiger Box utilities for Windows
operating systems are not as popular as those for *NIX, but Windows is becoming
more competitive in this regard. Originally developed at AT&T Bell Laboratories,
Unix, as you probably know, is a powerful operating system used by scientific, engineering,
and academic communities. By its nature, Unix is a multiuser, multitasking
environment that is both flexible and portable and offers e-mail, networking, programming,
text processing, and scientific capabilities. Over the years, two major forms
of Unix have evolved, each with numerous vendor variants: AT&T Unix System V and
Berkeley Software Distribution (BSD) Unix, developed at the University of California
at Berkeley. In addition to Sun Microsystems Solaris, Linux, a trendy Unix variant,
is commonly configured on a Tiger Box. Linux offers direct control of the OS
command line, including custom code compilation for software stability and flexibility.
Linux is customized, packaged, and distributed by many vendors, including
the following:

RedHat Linux (www.redhat.com)
Slackware (www.slackware.org)
Debian (www.debian.org)
TurboLinux (www.turbolinux.com)
Mandrake (www.linux-mandrake.com)
SuSE (www.suse.com)
Trinux (www.trinux.org)
MkLinux (www.mklinux.org)
LinuxPPC (www.linuxppc.org)
SGI Linux (www.oss.sgi.com/projects/sgilinux11)
Caldera OpenLinux (www.caldera.com)
Corel Linux (www.linux.corel.com)
Stampede Linux (www.stampede.org)

Tiger Box Components
Step-by-step guidelines for installing and configuring your Tiger Box operating systems
are given in Part I. If you are technically savvy and/or if you already have a Tiger Box
operating system installed and configured with your Windows and/or *NIX operating
systems, you can simply move on to Part II.
Referring back, now, to the multiple operating system proposition: A multiple-boot
configuration makes it easy to boot different operating systems on a single Tiger Box.
(Note, for simplicity the Windows complement should be installed and configured prior
to *NIX.) As of this writing, the Windows versions that are most stable and competent
include Windows 2000, Windows 2000 Professional, and Windows 2000 Server. The *NIX
flavor regarded as the most flexible and supportive is Red Hat Linux (www.redhat.com)
version 7.3/8, and/or Sun Microsystems Solaris 8 (wwws.sun.com/software/solaris/).
The good news is that with the exception of the Microsoft operating system, you can
obtain the Linux and Solaris binaries at no charge.
Incidentally, if multiboot third-party products seem to rub you the wrong way, the
Red Hat installation, among other variants, offers the option of making a boot disk that
contains a copy of the installed kernel and all modules required to boot the system. The
boot disk can also be used to load a rescue disk. When it is time to execute Windows,
simply reboot the system minus the boot disk, or when you use Linux, simply reboot
the system with the boot disk. Inexperienced users may benefit from using a program
such as BootMagic (www.powerquest.com/products/index.html) by PowerQuest
Corporation for hassle-free, multiple-boot setup with a graphical interface.

Minimum System Requirements
Hardware requirements depend on the intended use of the Tiger Box, such as whether
the system will be used for exploit and script programming and whether the system
will be used for a network service. Currently, the minimum requirements, to accommodate
most scenarios, include the following:
Processor(s). Pentium II+.
RAM. 128 MB.
HDD. 10 GB.
Video. Support for at least a 1,024 × 768 resolution at 16,000 colors.
Network. Dual network interface cards (NICs), at least one of which supports the
passive or so-called promiscuous mode. (When an interface is in the promiscuous
mode, you would explicitly ask to receive a copy of all packets, regardless of
whether they are addressed to the Tiger Box.)
Other. Three-button mouse, CD-ROM, and floppy disk drive.
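The network requirement above calls for a capture NIC that can run in promiscuous mode, and it is worth verifying which interfaces actually are in that mode: the capture interface should be, the management interface should not. The following Python is an added example, not code from the book: on a Linux Tiger Box it parses the flags column of `ip link show` output (the real iproute2 format, where a promiscuous interface carries the `PROMISC` flag) and lists the interfaces in promiscuous mode. The sample output embedded below is constructed; `live_check()` runs the real command when you execute the script on a Linux host.

```python
import re
import subprocess

# Constructed sample of `ip link show` output on a dual-NIC Linux Tiger Box:
# eth0 is the management interface, eth1 is the capture interface.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""

# Header line of each interface: "<index>: <name>[@peer]: <FLAG,FLAG,...> ..."
IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>", re.MULTILINE)


def interface_flags(ip_link_output):
    """Map interface name -> set of link flags parsed from `ip link show` output."""
    return {
        m.group("name"): {f for f in m.group("flags").split(",") if f}
        for m in IFACE_RE.finditer(ip_link_output)
    }


def promiscuous_interfaces(ip_link_output):
    """Names of interfaces whose flags include PROMISC, sorted for stable output."""
    return sorted(name for name, flags in interface_flags(ip_link_output).items()
                  if "PROMISC" in flags)


def live_check():
    """Run `ip link show` on this host and report its promiscuous interfaces."""
    result = subprocess.run(["ip", "link", "show"], capture_output=True, text=True, check=True)
    return promiscuous_interfaces(result.stdout)


if __name__ == "__main__":
    print("Promiscuous interfaces in sample output:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

Running this against the constructed sample reports only `eth1`, which is the expected picture for a Tiger Box: the capture NIC sees every frame on its segment while the management NIC does not. The same check, run on production hosts, flags interfaces that are unexpectedly in promiscuous mode.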
Part I begins by stepping you through the installation and configuration of a Windows
2000 and Server Tiger Box operating system.
