May 26th, 2004, 04:39 PM
Network Vulnerability Assessment
The company I work net admin for (fresh out of college, so I'm far from being an expert) currently has no security auditing that takes place. Considering we're one of the top financial planning companies in the region, I think that's pretty darn scary. So, I'm trying to learn about info sec auditing and where to start, and just read an excellent tutorial that TheHorse13 wrote last year in reference to this article:
While reading that, I started thinking about how I should start assessing possible network vulnerabilties here.
So my question to you, is where would you start? You're sitting behind an employee's computer, and now you have your chance to find out whatever you can. What are you going to do first? What tools are you going to use? How are you going to go about looking for network vulnerabilities?
May 26th, 2004, 05:50 PM
I would recommend that you check out the OSSTMM to learn about security testing methodolgy first.
Then there is a pretty comprehensive, if a bit old, list of the top 75 tools used by security professionals that can be found over at Insecure.org.
Hope those two help you on your way.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
May 26th, 2004, 08:44 PM
Thanks, I've started checking it out. So does anybody know where any AO tutorials are on port scanning / vulnerability testing / etc.? I've been searching the forums but have had no luck, and knowing me it was probably staring right at me somewhere. I've asked about that topic a couple of times now already, but I still need more stuff to study. GIMME GIMME!
May 26th, 2004, 09:00 PM
Can't find an AO tutorial that your looking for? Try Negative's Tutorial Index.
May 26th, 2004, 09:07 PM
I saw a tutorial on nmap by thehorse13 in there somewhere,closes thing to port scanning I could get
May 26th, 2004, 09:17 PM
After you have a clear idea what you will assess, you will choose a set of tools to do some of the job for you.
I would suggest nessus, that is good one (although a pain in the neck to install without linux expertise)
It has a client-server archicture, well documented and (usually) up-to-date to vulnerabilities
People that passed the nightmare installation phase really like to tool.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
May 26th, 2004, 09:34 PM
Retina by eEye is awesome, but not free (trial with limitations).
I've used nessus, and I'm not sure it's as comprehensive as eEye, but I've only used it on my own machine. eEye makes nice reports for your boss, I hear.
Nmap, thehorse's tutorial are wonderful. Make sure you know what your users have access to, make sure you can respond properly to any breach or scenario.
May 26th, 2004, 10:04 PM
Thanks guys, I'm reading all of Horse's tutorials and playing with Nmap as we speak. Currently trying to scan my home computer from work and getting nothing but interference. Yay!
Hey, this is wierd though. Look what popped up while I was doing that:
Is this a joke? How in the world...?
Commodore 64 with TFE Ethernet Card (u IP TCP/IP stack) (93%)
/edit...Ok, this is wierd. While I was port scanning my home computer from my work computer, our Internet went down. Figured it was just coincidence, so I restarted the router and got us back up. Then I got curious, repeated the same scan, and....Internet went down again. How can my port scanning an outside computer bring our entire Internet connection down?
May 26th, 2004, 10:33 PM
Some thoughts. Warning: you are going to get a headache when you realize all that needs audited...take a deep breath and attack this systematically and logically...
1. Split up what you are trying to audit (targets) first:
* Servers, desktops, network gear
2. Then split up what you are auditing for:
* Network login passwords: LC4 by @Stake, Crack, etc
* O/S vulnerabilities: Nesus (freeware, *Nix platform), Retina is very good (as stated by Soda) but is very expensive, GFI LANGuard isn't bad
* O/S patch levels: M$ MBSA
* Trojans: port scan machines, trojan scanners such as The Cleaner and TDS3
* Web/FTP servers not allowed on network: port scan all devices for 80,21,etc
* Permissions: group memberships, file share permissions
* Open file shares: Shed, Enum, etc
* Internet web sites
3. Prioritize items based on your company's business priorities and anticipated exposures. For example if you run e-commerce on Internet exposed web servers you should focus on these targets FIRST.
4. Perform audit(s)
5. Evaluate results
6. Remediate issues/problems found
8. Repeat 4-7 for each area
NOTE: Be CAREFULL!!! You can DOS and even crash systems by simply running a vulnerability audit against them.
I noticed you mentioned about NMap bringing down your Internet connection - this could be caused by any number of reasons: Nmap creating more TCP connections for your client than is allowed, bandwidth causing DOS, etc. Try setting Nmap to a slower speed or fewer threads and try again. You may be filling up firewall connection pool - what kind of firewall/router you running? Do you have egress filtering turned on your firewall/router (re.; ports allowed outbound)? If not you should blocking ports such as M$ chatter (135,137,139,445,etc) and STMP from clients other than approved mail servers.....etc list goes on.
Hope these thoughts help you. Have fun.
Forgot to ask: do you have explicit approval from your supervisor/boss to perform this work? You must also ensure you have approval from the people who own or manage the machines you are auditing! Get all of this in writing (email, paper, etc). VERY IMPORTANT!
May 26th, 2004, 10:49 PM
Thanks, you gave me a lot to think about!
This appeared in the firewall log shortly after my Nmap playing:
Does this explain the lost Internet connection?
The cache is full; 6144 open connections; some will be dropped