Lesson 3: Assessing Security Posture with Software Tools Flashcards

1
Q

Security Assessment Frameworks

A
  • “White hat” assessments are usually classed as either vulnerability scanning or penetration testing
  • There are many models and frameworks for conducting vulnerability scans and penetration tests. NIST’s Technical Guide to Information Security Testing and Assessment (SP 800-115) groups assessment techniques into three classes:
  • Testing: exercising the object under assessment to discover vulnerabilities
  • Examining: reviewing assessment objects (policies, configurations, logs, designs) to understand the security system and identify any logical weaknesses
  • Interviewing: talking to personnel to gather information and probe attitudes toward, and understanding of, security
2
Q

Vulnerability Scanning

A
  • Process of auditing a network (or application) for known vulnerabilities
  • Vulnerabilities are weaknesses that could be triggered accidentally or exploited maliciously
  • Examples of vulnerabilities:
  • Unpatched software application
  • Host with no anti-virus software
  • Weak password
  • Vulnerability scanning is generally classed as passive reconnaissance in the sense that it enumerates weaknesses without attempting to exploit them (contrast penetration testing); the scanner still connects to hosts, so it is not invisible on the network
  • Performing Open Source Intelligence (OSINT) represents another type of passive reconnaissance
3
Q

Penetration Testing (Pen Test: Active Reconnaissance Technique)

A
  • Ethical hacking: involves thinking like an attacker and trying to penetrate the target’s security systems
  • Involves the following steps:
  • Verify a threat exists: use surveillance, social engineering, network scanners, and vulnerability scanners
  • Bypass security controls: look for easy ways to attack the system
  • Actively test security controls: probe controls for configuration weaknesses and errors
  • Exploit vulnerabilities: prove that a vulnerability is high risk by exploiting it to gain access to data or install malware
  • “Own” (or “pwn” in hacker idiom) the server
4
Q

Ground rules for any type of security assessment

A
  • Should be made explicit in a contractual agreement and backed by senior management:
  1. “No holds barred” or “smash and grab” testing
  2. Whether to stop at the perimeter
  3. Attack profile: attacks come from different sources and motivations
     a) Black box (blind): consultant is given no privileged information about the network and its security systems
     b) White box (full disclosure): consultant is given complete access to information about the network
     c) Gray box: consultant is given some information; typically this would resemble the knowledge of junior or non-IT staff
  4. Test system or production environment
  5. Out of hours: whether the consultant should only perform testing out of hours to avoid causing problems on a production network
  6. Full disclosure of test results
  7. Confidentiality and non-disclosure
5
Q

Authorization for Testing

A
  • If tests involve third parties (for example, hosted or cloud services, ISPs, or partner networks), complications may arise:
  • Privacy and data confidentiality of third-party data that the test might touch
  • Whether the third party permits penetration testing or vulnerability scanning of its systems, and whether its written authorization is required
  • Legal considerations: scanning or testing systems you do not own, without authorization, may be a criminal offence
6
Q

Penetration Testing Techniques

A
  • Analysis of sophisticated adversary Tactics, Techniques, and Procedures (TTP) has established various “kill chain” models of the way modern cyber-attacks are conducted
  • Reconnaissance phase techniques:
  • Open Source Intelligence (OSINT) refers to using web search tools and social media to obtain information about the target
  • Social engineering refers to obtaining information, physical access to premises, or even access to a user account through the art of persuasion
  • Scanning refers to using software tools to obtain information about a host or network topology
7
Q

Initial Exploitation (“Weaponization”)

A

An exploit is used to gain some sort of access to the target’s network. (Strictly, in the Lockheed Martin kill chain, weaponization is the packaging of an exploit with a payload, and is followed by delivery and then exploitation; this card uses the term loosely for the whole initial-access step.)

8
Q

Persistence

A
  • Tester’s ability to reconnect to the compromised host and use it via a Remote Access Tool (RAT) or backdoor
  • Tester must establish a Command and Control (C2 or C&C) channel to control the compromised host (upload tools and download data)
  • Typically requires a malware executable running on the host and a connection to a network port on the attacker’s IP address (usually opened outbound from the victim, since inbound connections tend to be blocked at the firewall)
  • Will be followed by further reconnaissance
9
Q

Escalation of Privilege and Pivot

A
  • Pivot: using a compromised system and/or set of privileges to compromise other systems on the network (lateral movement)
  • To do this, the tester usually has to find some way of escalating the privileges available to them (from a standard user account to administrator/root or a service account)
10
Q

Guidelines For Implementing Penetration Testing

A
  1. Consider benefits of conducting penetration test in addition to or instead of vulnerability assessment
  2. Be aware of risks involved in conducting a pen test
  3. Consider implementing pen test techniques as different phases in simulated attack
  4. Consider conducting pen tests using different types of box testing methods
  5. Understand different reconnaissance requirements associated with each box testing method
11
Q

Topology discovery (or “footprinting”)

A
  • Part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network
  • As an auditing technique, it builds an asset database and identifies non-authorized hosts (rogue system detection) or network configuration errors
12
Q

Network mapping tool

A
  • performs host discovery and identifies how hosts connect together on network
  • For auditing, there are enterprise suites:
  • Microsoft’s System Center products
  • HP’s OpenView/Business Technology Optimization (BTO)
13
Q

ipconfig

A

(Windows) command can be used to report configuration assigned to network adapter

14
Q

ifconfig

A

(Linux) command used to report adapter configuration and to enable or disable an adapter or apply a different static IP configuration (deprecated on modern distributions in favour of the ip command)

15
Q

ping

A

command used to detect the presence of a host at a particular IP address, or to check whether a particular host name resolves and responds; note that hosts and firewalls are often configured to drop ICMP echo requests, so no reply does not prove there is no host

16
Q

Machine’s Address Resolution Protocol (ARP)

A
  • cache can also be examined for host entries (using arp -a command)
  • ARP cache shows hardware (MAC) address of interface associated with each IP address local host has communicated with recently
17
Q

nmap HOST DISCOVERY

A
  • Scanning a network using tools such as ping would be time-consuming and non-stealthy, and would not return detailed results
  • Most topology discovery is performed using a dedicated tool like the Nmap Security Scanner (https://nmap.org)
  • Nmap (open source, with an optional GUI front end, Zenmap) can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection
18
Q

tracert (Windows) or traceroute (Linux)

A
  • When performing host discovery on an internetwork (network of routed IP subnets), attacker will want to discover how subnets are connected by routers (and whether any misconfigured gateways between subnets exist)
  • tracert (Windows) or traceroute (Linux) command tools provide simple means of probing path from one end system (host) to another, listing intermediate systems (routers) providing link
19
Q

DNS harvesting (nslookup AND dig)

A
  • Attacker might be able to obtain useful information by examining the company’s domain registration records by running a whois lookup against the appropriate registry
  • nslookup (Windows) and dig (Linux) query DNS name servers directly for a domain’s records (name servers, mail exchangers, host addresses)
  • If DNS harvesting is successful, you will obtain the IP addresses of servers in the target domain
20
Q

to perform network topology discovery

A
  1. Use ipconfig to return the host address configuration of a Windows machine. Use ifconfig/iwconfig or ip on a Linux host
  2. Use the ping tool to perform a connectivity test. You can use a ping sweep and then the arp command to harvest the MAC addresses of local hosts (only hosts on the same subnet appear in the ARP cache)
  3. Perform host discovery and network mapping using a dedicated tool such as Nmap. The -sn switch (-sP in older versions, still accepted as an alias) suppresses port scanning so that only host discovery is performed
  4. Use tracert (Windows) or traceroute (Linux) to test the path to a host on a remote network
  5. Use whois, nslookup (Windows), and dig (Linux) to query domain registration and DNS records
21
Q

Service discovery

A
  • identify “hosts of interest”
  • Which operating systems are in use (for both PC hosts and network appliances, such as switches, routers, and firewalls)
  • Which network services each host is running (and if possible, which application software is underpinning those services)
22
Q

fingerprinting

A
  • detailed analysis of services on a particular host is often called fingerprinting
  • Named because each OS or application software that underpins network service responds to probes in unique way
23
Q

netstat

A
  • Allows you to check the state of ports on the local machine (Windows or Linux)
  • Check for service misconfigurations (perhaps a host is running a web or FTP server that a user installed without authorization)
  • The most useful netstat output shows which process is listening on which port
  • Note that an Advanced Persistent Threat (APT) might have replaced or hooked the netstat command (a rootkit) to conceal the ports it is using, so a local scan may not be completely reliable; compare its output with a port scan of the host from another machine
24
Q

switches

A
  • -a displays all connections (active TCP and UDP connections plus ports in listening state)
  • -b shows the process name that has opened the port
  • -o shows the Process ID (PID) number that has opened the port
  • -n displays ports and addresses in numerical format. Skipping name resolution speeds up each query
  • -s shows per-protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on
  • -p proto displays connections by protocol (TCP or UDP or TCPv6/UDPv6). When used with -s, this switch can also filter the statistics shown by IP, IPv6, ICMP, and ICMPv6
  • -r shows the routing table
  • -e displays Ethernet statistics
25
Q

Linux supports similar utility (to Windows) with some different switches

A
  • Used without switches, shows active connections of any type; restrict by connection type with:
  • -t TCP
  • -u UDP
  • -w raw connections
  • -x UNIX sockets/local server ports
  • Example: netstat -tu shows Internet connections (TCP and UDP)
  • Other switches:
  • -a includes ports in listening state in the output
  • -p shows the Process ID (PID) number and program name that has opened the port (similar to -o on Windows)
  • -r shows the routing table
  • -i displays interface statistics (similar to -e on Windows)
  • -e displays extra information
  • -c sets the output to update continuously
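Cards 23 to 25 describe netstat's most useful job, finding which process listens on which port and spotting services nobody authorized. The script below is an added example, not part of the original flashcards: it parses a constructed sample of Linux `netstat -tulpn` output (the sample text and the allowlist of permitted ports are both assumptions made up for the example) and reports listeners reachable from the network that the host's build standard does not explain.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample of `netstat -tulpn` output on Linux (not a real capture).
NETSTAT_TULPN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2210/vsftpd
tcp6       0      0 :::80                   :::*                    LISTEN      1501/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3377/nc
"""

# Ports this host's build standard says it may expose (assumed allowlist).
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("udp", 68)}

# One netstat row: proto, two queue counters, local, foreign, optional state
# (UDP rows have no state column), then PID/program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+|-)/(?P<prog>\S+)$"
)


@dataclass
class Listener:
    proto: str      # "tcp" or "udp" (IPv6 rows are folded into the same family)
    host: str       # bind address; 0.0.0.0 or :: means every interface
    port: int
    pid: str        # "-" when netstat lacks permission to see the owner
    program: str

    @property
    def loopback_only(self) -> bool:
        return self.host == "::1" or self.host.startswith("127.")


def parse_netstat(output: str) -> List[Listener]:
    """Extract listening sockets from `netstat -tulpn`-style text."""
    listeners = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # banner and header lines
        proto, state = m["proto"], m["state"]
        if proto.startswith("tcp") and state != "LISTEN":
            continue                      # established/time-wait rows are not listeners
        host, port = m["local"].rsplit(":", 1)
        listeners.append(Listener(proto.rstrip("6"), host, int(port), m["pid"], m["prog"]))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners reachable from the network that the allowlist does not explain."""
    return [lst for lst in listeners
            if not lst.loopback_only and (lst.proto, lst.port) not in allowed]


if __name__ == "__main__":
    found = parse_netstat(NETSTAT_TULPN)
    for lst in unexpected_listeners(found, ALLOWED):
        print(f"UNEXPECTED {lst.proto}/{lst.port} bound to {lst.host} "
              f"by {lst.program} (pid {lst.pid})")
```

On the sample this flags the unauthorized FTP daemon on 21/tcp and the netcat listener on 4444/tcp, while the database bound only to 127.0.0.1 is left alone because it is not reachable from the network. Because a rootkit can hide sockets from netstat (card 23), the same allowlist should also be checked against an Nmap scan of the host run from a second machine; a port that Nmap sees and netstat does not is the signature of exactly that.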
26
Q

nmap SERVICE DISCOVERY

A
  • When nmap completes a port scan, it reports the state of each port scanned (open, closed, or filtered) for each IP address in scope
  • Main scan types that nmap performs:
  • TCP SYN (-sS): fast technique also referred to as half-open scanning, because the handshake is never completed; requires privileged access to the network driver so that Nmap can craft raw packets
  • TCP connect (-sT): completes the full three-way handshake through the operating system’s socket API, so it needs no special privileges, but it is slower and every open port sees (and may log) a completed connection
  • Port range (-p): by default, nmap scans the 1000 most commonly used ports. Use the -p argument to specify a port range (for example, -p 1-65535)
27
Q

OS Fingerprinting

A
  • nmap with the -sV or -A switch probes a host more intensively to discover the following info:
  1. Protocol: do not assume a port is being used for its “well known” application protocol (HTTP, DNS, SMTP, etc)
  2. Application name and version: the software operating the port, such as Apache web server or Internet Information Services (IIS) web server
  3. OS type and version: use the -O switch (uppercase) to enable OS fingerprinting, or -A to run both OS fingerprinting and version discovery (-A also runs the default scripts and a traceroute)
  4. Host name
  5. Device type: not all network devices are PCs. Nmap can identify switches and routers or other types of networked devices, such as NAS boxes, printers, and webcams
  • Nmap comes with a database of application and version fingerprint signatures, classified using a standard syntax called Common Platform Enumeration (CPE)
28
Q

Banner/OUI Grabbing

A
  • Banner grabbing: probing a server to try to elicit any sort of response that will identify the server application and version number, or any other interesting detail about the way the server is configured
  • Allows an attacker to identify whether the server is fully patched and to look up any known software vulnerabilities that might be exposed
  • OUI grabbing: the 24-bit prefix of a network interface’s MAC address (the Organizationally Unique Identifier, or OUI) identifies the manufacturer of the network adapter, and thereby the manufacturer of an appliance such as a router, switch, or network printer
  • Attacker can then target the device with known exploits for devices from that manufacturer
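Cards 26 to 28 cover the connect scan, banner grabbing and OUI lookup in words; the script below is an added example, not code from the flashcards or from Nmap, showing the three in working form. It does a full-handshake scan (the -sT technique; a SYN scan needs raw sockets and is not shown), reads the greeting each open service volunteers, and maps a MAC prefix to its vendor. So that it runs offline it spins up its own fake service on 127.0.0.1 with a constructed banner, and its OUI table is an assumed two-entry excerpt of the IEEE registry.

```python
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed excerpt of the IEEE OUI registry (first three octets -> vendor);
# a real lookup uses the full registry, e.g. the copy shipped with Nmap or Wireshark.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "B8:27:EB": "Raspberry Pi Foundation",
}


def start_fake_service(banner: bytes) -> int:
    """Stand-in target for offline use: a local TCP service that greets with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full-handshake scan (what nmap -sT does): needs no raw-socket privilege, but each
    open port sees a completed connection, so the service can log it; not stealthy."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"      # host answered with RST
            except OSError:
                results[port] = "filtered"    # no answer: dropped by a firewall, or host down
    return results


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 1.0) -> Optional[str]:
    """Read whatever the service volunteers (SSH, FTP and SMTP speak first); pass a
    `probe` for protocols such as HTTP where the client must speak first."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            if probe:
                s.sendall(probe)
            data = s.recv(1024)
        except OSError:
            return None
    return data.decode("ascii", errors="replace").strip() or None


def oui_vendor(mac: str) -> Optional[str]:
    """Map a MAC address written with ':' or '-' separators to its registered manufacturer."""
    prefix = mac.upper().replace("-", ":")[:8]
    return OUI_TABLE.get(prefix)


if __name__ == "__main__":
    target = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")  # constructed banner
    for port, state in connect_scan("127.0.0.1", range(target - 2, target + 3)).items():
        banner = grab_banner("127.0.0.1", port) if state == "open" else None
        print(f"{port}/tcp {state} {banner or ''}")
    print(oui_vendor("b8-27-eb-12-34-56"))
```

Two things worth noticing when running it: a refused connection (RST) and a silent drop are reported differently, which is the same open/closed/filtered distinction Nmap prints, and the banner is only what the service chooses to say, so a hardened server that suppresses its version string leaves the version field empty rather than proving the host is patched.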
29
Q

Sniffers and Protocol Analyzers

A
  • Most important tools in network security (both from perspective of an adversary and for security posture assessment)
  • Facilitates eavesdropping
  • Eavesdropping is also valuable counterintelligence technique because it can be used to detect hostile or malicious traffic passing over unauthorized ports or IP ranges
30
Q

Sniffer

A
  • Tool that captures frames moving over the network medium (cabled or wireless)
  • UNIX and Linux: libpcap
  • Windows: WinPcap (no longer maintained; superseded by Npcap)
31
Q

Promiscuous Mode and Sniffing Switched Ethernet

A
  • Promiscuous mode: the adapter passes up every frame it receives, whether addressed to the host machine or not
  • On a hub (or a wireless network) that means everything in the broadcast domain; on switched Ethernet, the switch forwards unicast frames only to the port of the destination MAC, so a promiscuous host sees just broadcast traffic and its own, and sniffing other hosts’ traffic requires a mirrored (SPAN) port, a network tap, or an attack that redirects traffic through the sniffer (such as ARP spoofing)

32
Q

Protocol Analyzer

A
  • Works in conjunction with sniffer to perform traffic analysis
  • Live capture or open saved capture (.pcap) file
33
Q

Preventing Eavesdropping

A

  • Control the use of this kind of software by making sure that it is only installed and used by authorized users
  • Prevent unauthorized attachment of devices (sniffers, taps) to the network

34
Q

TCPDUMP

A
  • A number of tools are available to perform packet capture and network monitoring
  • tcpdump is a command-line packet capture tool for Linux (the Windows port is WinDump)
  • Basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on
35
Q

WIRESHARK (http://wireshark.org)

A
  • Open source graphical packet capture and analysis utility, with installer packages for most operating systems
  • Output display is in a three-pane view
    1. Top pane shows each frame
    2. Middle pane shows fields from currently selected frame
    3. Bottom pane showing raw data from frame in hex and ASCII
  • Capable of parsing (interpreting) headers of hundreds of network protocols
36
Q

Packet Injection

A
  • Network sniffing software libraries allow frames to be inserted (or injected) into the network stream
  • Well-known tools: Dsniff, Ettercap, Nemesis, Scapy
37
Q

Wireless Scanners/Crackers

A
  • Able to probe and audit wireless networks
  • Detect the presence of networks and report the network name (SSID), MAC address of the access point (BSSID), frequency band (2.4 or 5 GHz) and radio channel used by the network, and the security mode
  • Aircrack-ng is a suite of wireless packet capture and cracking utilities:
  • airmon-ng: enable and disable monitor mode
  • airodump-ng: capture 802.11 frames
  • aireplay-ng: inject frames to perform an attack to obtain authentication credentials for an access point
  • aircrack-ng: recover the authentication key from the captured frames
38
Q

Remote Access Trojans

A
  • Software that gives an adversary a means of remotely accessing the network
  • An effective tool for configuring a simple backdoor is netcat (nc): set up a listener on the victim system (for example, at IP 10.1.0.1) that hands a command shell to whoever connects to its port, then connect to that port from the attacker’s machine
  • netcat is a legitimate admin tool, so its mere presence on a host is not proof of compromise, but an unexpected nc listener is worth investigating
39
Q

Steganography

A
  • “Hidden writing”: a technique for obscuring the presence of a message
  • The container document or file is called the covertext
  • On its own it amounts to “security by obscurity,” which is usually deprecated; however, a message can be encrypted by some mechanism before embedding it, providing confidentiality
  • Used as a watermark, steganography can also provide integrity or non-repudiation (for example, proving that a document originated from a particular source)
  • Messages can be encoded within TCP packet header or data fields to create a covert message channel
  • The method might be used to exfiltrate data covertly, bypassing protection mechanisms such as Data Loss Prevention (DLP)
  • Counterfeit Deterrence System (CDS): embeds a watermark in currency so that imaging software and printers can recognize and refuse to reproduce it
  • Anti-counterfeiting measures are overseen by the Central Bank Counterfeit Deterrence Group
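To make the covertext idea concrete, here is an added example (not from the flashcards) of the simplest common scheme, least-significant-bit embedding: each byte of the cover carries one bit of a length-prefixed message, so every cover byte changes by at most one, which is imperceptible in image or audio samples. The cover here is a constructed pseudo-random byte string standing in for an image's sample data; the format and the length prefix are this example's own conventions, not a standard.

```python
import random
from typing import Iterator


def make_cover(size: int, seed: int = 7) -> bytes:
    """Constructed stand-in for an image's sample bytes (real covers come from a file)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def _bits(data: bytes) -> Iterator[int]:
    """Most-significant bit first, byte by byte."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a length-prefixed message into the least-significant bit of each cover byte.
    Capacity is one bit per cover byte; no cover byte changes by more than 1."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} bytes, message is {len(message)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read(stego: bytes, start: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs beginning at cover offset `start`."""
    result = bytearray()
    for k in range(n):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start + k * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Recover the message; only the length prefix tells the reader where it ends."""
    if len(stego) < 32:
        raise ValueError("too short to carry a length prefix")
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid length prefix: not an LSB carrier, or a different scheme")
    return _read(stego, 32, length)


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"meeting moved to 0900")   # constructed message
    changed = sum(a != b for a, b in zip(cover, stego))
    print(extract(stego), f"({changed} of {len(cover)} cover bytes altered)")
```

The point the card makes about obscurity is visible in the code: extract() needs no key, so anyone who suspects LSB embedding recovers the message at once. Confidentiality comes only from encrypting the message before calling embed(), and a DLP system that understands the scheme can run the same extraction on outbound files.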
40
Q

Perform host fingerprinting

A
  1. Use netstat to report local ports and connections, with a switch such as -o (Windows) or -p (Linux) to show the process using each port
  2. Use Nmap scan techniques such as half-open scanning (-sS) to improve scan speed
  3. Use Nmap’s -O switch for OS fingerprinting, -sV for service versions, or -A (or selected scripts) to do both
41
Q

perform packet sniffing using software tools

A
  1. Connect a sniffer to an appropriate point on the network, such as a mirrored switch port or a network media tap
  2. Configure the packet capture driver/utility and software to write frames to a file
  3. Use analysis software such as Wireshark to examine the captured data:
     - Frame-level information such as host MAC addresses
     - Internet Protocol (IP)-level information such as source and destination addresses
     - Transport-level information such as source and destination ports
     - Application-level data
     - Use display filters and sort tools to locate frames of interest
  4. Use a wireless scanner to locate nearby wireless networks and identify their basic configuration
  5. Use a wireless packet capture/cracker utility to record wireless traffic and attempt to decode it
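Cards 32, 35 and 41 describe what a protocol analyzer pulls out of a saved .pcap file: frame-level MAC addresses, IP addresses, transport ports and application data, plus a display filter to find frames of interest. The following is an added example, not code from the flashcards or from Wireshark: a minimal parser for the classic libpcap file format that walks Ethernet II, IPv4 and TCP/UDP headers, together with a tiny equality-based display filter. It builds its own two-packet capture in memory (an HTTP request and a DNS query, with checksums left at zero and made-up addresses), so it runs without a capture file; pcapng, IPv6, VLAN tags and IP options beyond the header-length field are not handled.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # value seen when read with "<I"
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts: float
    mac_src: str
    mac_dst: str
    ethertype: int
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    proto: Optional[int] = None      # 6 = TCP, 17 = UDP
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(ts: float, frame: bytes) -> Packet:
    """Decode Ethernet II -> IPv4 -> TCP/UDP: the header layers Wireshark's middle pane lists."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = Packet(ts, _mac(frame[6:12]), _mac(frame[0:6]), ethertype, payload=frame[14:])
    if ethertype != 0x0800:
        return pkt                                   # ARP, IPv6, etc. left undecoded
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.proto = ip[9]
    pkt.ip_src, pkt.ip_dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]                           # also drops any Ethernet trailer padding
    if pkt.proto == 6 and len(l4) >= 20:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[(l4[12] >> 4) * 4:]         # TCP data offset is in 32-bit words
    elif pkt.proto == 17 and len(l4) >= 8:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[8:]
    else:
        pkt.payload = l4
    return pkt


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk a classic libpcap file (pcapng is a different format and is not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")
        off += incl_len
        packets.append(parse_frame(ts_sec + ts_usec / 1e6, frame))
    return packets


def display_filter(packets: List[Packet], **fields) -> List[Packet]:
    """Minimal display filter: keep packets whose named fields equal the given values."""
    return [p for p in packets if all(getattr(p, k) == v for k, v in fields.items())]


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture (checksums left zero): an HTTP request and a DNS query."""
    def ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("b827eb0a0b0c") + b"\x08\x00"
    http = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + http
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x08intranet\x07example\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 53001, 53, 8 + len(dns), 0) + dns
    frames = [eth + ipv4("10.1.0.50", "10.1.0.1", 6, tcp), eth + ipv4("10.1.0.50", "10.1.0.2", 17, udp)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for p in display_filter(parse_pcap(build_sample_pcap()), proto=6):
        print(p.mac_src, p.ip_src, p.sport, "->", p.ip_dst, p.dport, p.payload[:16])
```

The three lookups a capture offers (MAC from the frame, addresses from the IP header, ports from the transport header) are exactly the three slices the parser takes, and the HTTP request line at the end is the application data the card says a sniffer exposes when traffic is not encrypted.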
42
Q

Vulnerability Scanning Concepts

A

Evaluation of system’s security and ability to meet compliance requirements based on configuration of system

43
Q

Vulnerability Scanner

A

Examines an organization’s systems, applications, and devices and compares scan results to configuration templates plus lists of known vulnerabilities

44
Q

Vulnerability Scanner Types

A
  • Best known commercial scanner: Tenable Nessus
  • Open-source program: Greenbone OpenVAS
  • Others: SAINT, BeyondTrust Retina, Rapid7 Nexpose, and Nikto (a web server scanner)
45
Q

Passive scanner

A
  • A passive scanner operates by sniffing network traffic to identify the assets communicating on the network, the service ports in use, and potentially some types of vulnerability, without sending packets to the targets
  • Version information comes from banners observed in the captured traffic (banner grabbing) rather than from active probes
46
Q

Active scanning

A
  • Makes a connection to the target host and probes it
  • More likely to detect a wider range of vulnerabilities in host systems, and can reduce false positives
  • Be aware of false negatives (a vulnerability that is present but not detected, for example because the service hides its version or the scanner has no plug-in for it), and that intrusive probes can disrupt fragile services
47
Q

Non-credentialed scan

A

Scan performed without being able to log on to a host; it sees only what the host exposes over the network, so findings are inferred from banners and responses

48
Q

Credentialed scan

A

User account with logon rights to various hosts plus whatever other permissions are appropriate for testing routines
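Cards 43 to 48 describe a scanner as a comparison of observed software against a list of known vulnerabilities, with credentialed checks giving better evidence than network-only ones. The script below is an added example (not code from the flashcards or from any scanner product) of that matching step and of why the evidence source matters: a banner-derived version yields unconfirmed findings, a hidden banner yields a false negative in the non-credentialed case, and a package version obtained by logging on settles the question. The feed holds two real, well-known Apache HTTP Server entries so the matcher has something to match; the hosts, banners and package strings are constructed, and the CPE-style product name and version-range fields are this example's own simplification of a real plug-in feed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.49-1ubuntu2' -> (2, 4, 49); the distribution suffix is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.group(0).split("."))


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str
    product: str            # vendor:product, following CPE naming
    affected_from: Version  # inclusive
    fixed_in: Version       # exclusive


# Two real, well-known entries so the matching logic has something to match;
# a real scanner pulls thousands from its plug-in/subscription feed.
FEED = [
    VulnEntry("CVE-2021-41773", "apache:http_server", (2, 4, 49), (2, 4, 50)),
    VulnEntry("CVE-2021-42013", "apache:http_server", (2, 4, 49), (2, 4, 51)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    version: Version
    confirmed: bool   # True when the version came from a credentialed (logged-on) check


def banner_version(banner: str) -> Optional[Version]:
    """Version as advertised in an HTTP Server header; None when the admin has hidden it."""
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    return parse_version(m.group(1)) if m else None


def assess(host: str, product: str, banner: Optional[str] = None,
           package_version: Optional[str] = None) -> List[Finding]:
    """Non-credentialed evidence is the banner; credentialed evidence is the installed
    package version, which takes precedence when both are available."""
    if package_version is not None:
        version, confirmed = parse_version(package_version), True
    elif banner is not None:
        version, confirmed = banner_version(banner), False
        if version is None:
            return []   # nothing to match on: the non-credentialed scan reports a false negative
    else:
        return []
    return [Finding(host, v.vuln_id, version, confirmed)
            for v in FEED if v.product == product and v.affected_from <= version < v.fixed_in]


if __name__ == "__main__":
    # Constructed hosts: .10 scanned without credentials, .11 with and without.
    for f in assess("10.1.0.10", "apache:http_server", banner="Apache/2.4.49 (Ubuntu)"):
        print(f, "" if f.confirmed else "-> verify before reporting")
    print(assess("10.1.0.11", "apache:http_server", banner="Apache"))
    print(assess("10.1.0.11", "apache:http_server", banner="Apache", package_version="2.4.49-1"))
```

Note the limit of even the credentialed check: distributions commonly backport security fixes without changing the upstream version number, so a package string alone can still produce a false positive. Real scanners therefore ship distribution-specific plug-ins that compare against the distributor's own advisories, which is why step 2 of the configuration procedure (keeping the plug-in feed updated) matters as much as the matching logic.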

49
Q

Honeypot

A

computer system set up to attract attackers, with intention of analyzing attack strategies and tools, to provide early warnings of attack attempts, or possibly as a decoy to divert attention from actual computer systems

50
Q

Honeynet

A

entire decoy network

51
Q

Demilitarized Zone (DMZ)

A

On a production network, honeypot more likely to be located in protected but untrusted area between Internet and private network, referred to as a Demilitarized Zone (DMZ), or on an isolated segment on private network

52
Q

Configure vulnerability Scanners

A
  1. Configure a host to run vulnerability scanner management software
  2. Make sure scanner is obtaining updates via a plug-in/subscription service
  3. Optionally, configure scanners to run on different network segments or agents to scan hosts
  4. Create or adapt a scanning profile or template to account for your organization’s security profile and/or any framework or regulatory compliance requirement
  5. Distribute scan reports to authorized personnel for analysis and identification of false positives and false negatives
  6. Optionally, schedule intrusive tests with exploit framework tools to assess risk of identified vulnerabilities