CIW Security 1D0-470: Security Auditing: Text-only Version

CIW Security 1D0-470: Security Auditing

Lesson 1. Course Introduction

This course introduces you to security auditing and provides basic information on auditing concepts, methods, and applications. It begins with a discussion of basic auditor roles. You then learn about risk assessment concepts and methods.
The course covers several categories of auditing software, including DNS utilities, ping and port scanners, network discovery applications, and enterprise-grade vulnerability scanners. You learn how applications in each category can be used by auditors to test a network, or by hackers to reveal information about the network.

Lesson 2. Introduction to Auditing

Security audits are a fundamental tool used to determine the effectiveness of the security measures in place for your network.
After completing this lesson, you should be able to:

Define basic auditing terms
List some of the basic tasks performed during a security audit

*What Is an Auditor?
An auditor is an individual who is entrusted with assessing risk and determining the effective security of your network. An auditor is also responsible for recommending the most appropriate security solutions for a network.

Examine the following table

Term:

**Examine the following table**
	Effective Security: The extent of measurable compliance to a network security policy.

The most effective auditors endeavor to approach the network from two perspectives:

They think like hackers so they can protect company systems from illicit activity. Often, auditors are called "white hat hackers."
They think like employees and managers to consider how any proposed security measures might affect the ability of a business to function properly.

*What Does an Auditor Do?
An auditor interested in achieving a high level of effective security engages in two specific activities: compliance analysis and risk analysis.
First, she helps a network administrator determine employee compliance to the security policy, which is a list of procedures and policies.
However, one of the common problems for a network administrator or security manager is that she will often implement a sound policy, only to have users defeat it. Sometimes, employees unwittingly avoid compliance. At other times, they do so deliberately.

*Risk Analysis
Risk analysis is the activity of determining which servers are the most important to the company and then identifying which of them should be protected the most.
Risk analysis ensures that the network is secure, and that employees can still perform daily tasks.

A risk analysis is also sometimes referred to as a security audit. Below are some of the basic tasks performed during such an audit.

Determine the nature of the business you are auditing.
Work with management and employees to determine past problems and potential future problems.
Work with management to determine the proper chain of command.
Check for a written security policy.
Evaluate existing management and control architecture.
Identify and prioritize at-risk systems, including databases, Web servers, routers, and user account databases.
Write and deliver a detailed report of your findings.

Topic 2.1 Exercises

* Exercise 1
Try reviewing a risk analysis report.

**Examine the following table**
Step	Action
1	See if you can determine when the last security audit was performed on your company's network.
2	If possible, obtain and review any reports that were written by the auditors. See if you can determine how the basic risk analysis tasks were performed. A list of the basic risk analysis tasks is provided below: Determine the nature of the business you are auditing. Work with management and employees to determine past problems and potential future problems. Work with management to determine the proper chain of command. Check for a written security policy. Evaluate existing management and control architecture. Identify and prioritize at-risk systems, including databases, Web servers, routers, and user account databases. Write and deliver a detailed report of your findings.

In this lesson, you learned about key auditing terms, such as auditor, effective security, and risk analysis.
You also learned some of the basic steps performed during a security audit.

Lesson 3. Auditor Roles

An auditor takes on several distinct roles when examining and testing the security of a network.
After completing this lesson, you should be able to:

**Examine the following table**
	Describe the activities performed by auditors in their various roles, including that of security manager, consultant, and insider

As an auditor, you should be willing to approach a network from several different perspectives, including the following:

Security manager
Consultant
Insider

*Auditor As Security Manager
As a security manager, you know how the network is configured and you want to probe it for possible weaknesses. In a sense, you act as an informed hacker because you are searching systems that you already understand.
Another term for auditing from the perspective of security manager is administrative auditing.

The administrative auditing role can require you to probe systems from behind the firewall.
It allows you to test your network for possible employee-based snooping. Such audits focus more on individual hosts and servers, rather than the firewall.

However, sometimes a security manager will also conduct tests from outside the firewall.
The security manager will test the firewall to see if it can be penetrated, and will then move on to controlling network hosts. This perspective requires you to understand how to audit firewall logs. It also requires you to know some typical firewall configuration problems.

As an auditor, you will find that many systems administrators place sensitive equipment outside the firewall. For example, Web, DNS, and FTP servers may be placed outside the firewall for the sake of convenience.
Pay special attention to these systems and recommend placing them behind the firewall.

*Auditor As Consultant
As a consultant, you conduct many of the same activities as a security manager. You are similar to a security manager in that you may conduct tests on both sides of the firewall.
In this role, however, you are acting as someone without advance knowledge of the network, but with the tools hackers would often use to attempt to learn about and penetrate a network.

The auditor operating as a consultant has (at first) little or no knowledge of network topology, protocols, servers, or operations. His task is to discover, penetrate and demonstrate how he could control the network.
This type of auditor is often called an "ethical hacker" or "white hat hacker." The IBM ethical hacking division and the Symantec Tiger Team provide examples of this type of auditor.

Examine the following table

Caution:

**Examine the following table**
	Third-party consultants are highly effective tools. However, you should be aware that many "reformed hackers" might not be good resources. If you use a third party, take great care to ensure their claims are legitimate. Ask for recommendations and security clearances, and perform in-depth background checks before bringing someone into your network.

*Auditor As Insider
An auditor can also take on the role of an insider. If you operate from this perspective, you will first meet with the IT manager and other relevant employees, such as IT assistants and managers from other departments. You might even want to meet with several other employees.
You will then conduct an on-site analysis, learning all the network's resources and methods. As you operate in this mode, you are a third party who evaluates the network's existing security.

*Insider Threats
The general public tends to see the hacker only in terms of the anonymous person who attempts to penetrate the network from the outside.
However, in the last few years, more money and time have been lost on attacks originating from inside the firewall. Sometimes such attacks come from disgruntled employees. Other times, attacks originate from naive employees who have been tricked into violating policy. Industrial espionage is also an important consideration.

Examine the following table

Note:

**Examine the following table**
	Hackers use many of the tools, techniques, and principles you will use in this course. Both security managers and hackers have used NMAP and SATAN programs to test networks.

Many times, an auditor will combine the security manager, consultant/hacker, and insider perspectives to provide a more thorough audit.
You will learn about auditing activities on both sides of the firewall. As you learn and discuss some of these concepts, consider how a security manager, consultant, or insider would apply them.

In this lesson, you learned about the different roles auditors take on when examining and testing the security of a network.
You learned that auditors can act as a security manager, with detailed knowledge of a network.
You learned that auditors can also act as consultants posing as talented but uninformed hackers — sometimes referred to as "ethical hackers" or "white-hat hackers."
Finally, you learned how auditors can act as insiders to evaluate insider threats and test the internal security of a network.

Lesson 4. Risk Assessment

Risk assessment audits allow you to determine the effectiveness of the security measures you have in place.
After completing this lesson, you should be able to:

List the five basic steps you should take during a risk assessment
Describe the basic considerations to take into account at each step

Risk assessment is the ability to locate resources and determine the likelihood of attack.
Some references and professionals refer to a risk assessment audit as a "gap analysis," because it often shows the gap between what the security policy mandates and what is actually occurring.

There are five basic steps you should take during a risk assessment. They are listed here.

*The Security Policy
Reading the network security policy is the first step in understanding the role of network resources. You will not be able to successfully audit a network or network resource unless you understand its business role.
The security policy helps you focus on the most important company assets. As an auditor, you will usually have limited time and resources, and you must spend your time efficiently.

No network can have effective security without a written, well-published security policy in place. Most security professionals refer to a written security policy as a "road map" or a "framework" because it enables a network to remain secure as it scales for growth.
As an auditor, read this policy carefully, then determine exactly how well employees are following it.

An effective policy is a simple one. Although it has one goal, namely improved network and host-level security, an organization's security policy will probably comprise several sub-documents.
Some documents will define standard user and network policies, including acceptable Internet use, supported software installations, etc.

Procedural documents, however, are more detailed, as they will outline how to react to unauthorized network use, damage to files due to equipment failure and hacker intrusion, and other unplanned occurrences.

A design document outlines the network's topology and protocols, and discusses how the company plans to deploy its perimeter and internal security devices.

Examine the following table

Note:

**Examine the following table**
	In many organizations, the standard procedure is for the Human Resources department to identify acceptable Internet use. Many times, IT professionals are asked to write, or at least approve, such documentation.

*Network Resources
Discover the most important sources on the network. Hackers often prey upon less-important systems, hoping to use them as platforms to attack more valuable network resources.

Ask the following questions as you conduct a risk analysis.

**Examine the following table**
Question	Determination
What is the target?	If the target is a general-user local system, the risk is low. However, if the target is a human resources system, for example, the risk factor is higher.
How serious is the adverse result?	If the threat is carried out, what are the ramifications? Could it affect the entire organization or just isolated individuals? Generally, you should quantify results in terms of estimated dollar losses due to a realized threat, such as non-functional time.
What is the likelihood of occurrence?	How likely is the threat to actually take place? Is it an unlikely occurrence or something extremely probable?

Examine the following table

Note:

**Examine the following table**
	Some problems cannot be prevented, including extended power outages, natural disasters, and fire. You must determine what is possibly at risk, what is probably at risk, and your ability to countermand such risks.

*Commonly Attacked Resources
One reason data can become vulnerable is that it is distributed among several different operating systems, Web servers, and database applications. Such distribution enables security holes to be opened accidentally.
From a technical standpoint, you will naturally want to categorize resources according to type, as shown here.

Some of the more commonly attacked resources are listed below.

**Examine the following table**
Hot Spot	Commonly Attacked Resources
Network Resources	Routers and switches Firewalls Network hosts
Server Resources	Security account databases Information databases SMTP servers HTTP servers FTP servers

Determining resource priority often demands that you consider the company's organizational structure, because one department database could contain more sensitive information than another.
For example, each of the departments listed below might have its own database. However, the Human Resources, Accounting, and Research and Development databases might be more sensitive than the others.

*Business Concerns
Customize your audit to the organization's needs. Ordinarily, you will want to consult with the personnel and departments shown here, so they will be inclined to adopt your solutions.
They might not support your recommendations unless your policy accounts for their concerns and enables them to work efficiently. Always consider the nature of the business and which servers are central to business goals.
Emphasize that you will probably be able to improve the workings of most departments and make their data more secure.

*Perimeter and Internal Security
You need to discover what kind of security is already in place. This step involves learning about the company's perimeter and internal security, as well as management control architecture, logging, access control mechanisms, and other elements.
Perimeter security refers to a network's ability to differentiate itself from other networks. A firewall is the first line of defense in defining perimeter security. Popular firewall vendors include CheckPoint FireWall-1, Symantec Raptor, and CyberGuard Guardian Firewall. You will learn more about these concepts and products later.

As an auditor, you will want to consider the following vulnerabilities.

Bandwidth consumption: An attacker sends fraudulent data meant to clog a network's connection to the network and thus deny services.
Faulty firewall configuration: Holes in the network created by Improperly created proxy and packet-filter rules.
Systems placed outside the firewall: Try to place as many systems inside the firewall as possible.

Internal security is the ability of a network administrator to detect and countermand unauthorized activity. It is implemented in various ways, most notably through the use of an intrusion detection system (IDS).
An IDS is composed of various applications and services, each of which you will learn about in a later lesson.
Internal security is often neglected. However, the 2001 CSI/FBI Computer Crime and Security Survey states that threats perpetrated by insiders have become as common as attacks by outsiders. Several applications are available for implementing internal security, including eTrust Intrusion Detection and Snort for Windows.

*Management and Control Architecture
Administrators can choose several different ways to manage network security. Sometimes, a network will have such elements in place. If so, you must understand how these systems work. More often, you will need to recommend appropriate security solutions.
Two commonly used security models are the network-based model and the host-based model.

The network-based management model deploys security software on one server, which then issues queries on the network wire. The system that issues the queries is generally called a manager. The manager then scans the network wire for any suspect activities.
In the network-based model, each computer responds passively to the agent queries. Network-based security software products, such as eTrust Intrusion Detection, Snort, Network Flight Recorder, and Symantec NetProwler follow this model.

One benefit is that individual hosts do not know they are being monitored. You need not install software on the hosts you want to manage.
One of the drawbacks is that you have to take special measures to make it work in switched networks, because a switched network will open a dedicated connection between hosts.
Additionally, network-based scanning software generally cannot pass across a router.

Host-based security management architecture uses the standard three-tier management structure shown here.
The first tier involves a simple graphical user interface whose only functionality is to communicate with managers and display information.
The second tier, often called the manager, issues queries to agents, receives information from agents, and returns information to the graphical user interface. An agent is the small piece of software installed on each host.

This manager/agent architecture is more ambitious because it requires you to install software on each node you want to manage.
The agents must first be registered with the manager. The manager can then issue queries directly to these agents. Sometimes, the agents can then issue queries to non-managed hosts.
Such an architecture can report network activities much more accurately.

SNMP agents are often managed this way, as are products sold by Internet Security Systems, Symantec, and others.
A host-based scanner is efficient in switched networks, and can query agents across a router, as long as that router does not filter out the ports used by the manager.

Neither model is inherently better than the other. Each is appropriate for specific tasks.
You may suggest a different management strategy, or different configurations for the management architecture already in place.

Topic 4.1 Exercises

* Exercise 1
Try examining your company's security policy.

**Examine the following table**
Step	Action
1	Determine whether your company or organization has a security policy. If so, obtain a copy.
2	Assess how widely and effectively the policy is distributed. Are managers in each department familiar with it? Do employees know about the policies that affect their work environment?
3	Read the policy. Note how it is organized, and how detailed and clear the policies are.

* Exercise 2
Try performing basic steps in the risk assessment process.

**Examine the following table**
Step	Action
1	Select at least one step in the risk assessment process (in addition to reading the security policy) that you're able to perform in your corporate environment. Document that step as you perform it, as well as the information you find. The full list of risk assessment tasks is provided below: 1. Check for a written security policy. 2. Analyze, categorize, and prioritize resources. 3. Consider business concerns. 4. Evaluate existing perimeter and internal security. 5. Use existing management and control architecture.

In this lesson, you learned how risk assessment audits are used to evaluate the security of a network.
You learned about the five basic steps of a risk assessment, and some of the considerations to keep in mind while performing each step.

Lesson 5. Audit Stages

The stages of a security audit are similar to the steps hackers engage in when attempting to break into a network.
After completing this lesson, you should be able to:

**Examine the following table**
	Describe the basic stages of a security audit, including the discovery, penetration, and control stages

As you conduct your audit, you will attempt some of the same activities hackers engage in. You will try to discover, penetrate, and control network systems.
You will also perform certain analyses that will help improve the network's effective security. This ability to analyze and then report is the main difference between a hacker and an auditor.

*Discovery
During the discovery stage, you will scan and test the network for effective security.
Discovering the network means mapping it out and determining the location of each resource, including IP addresses (in an IP network), open ports, topology, and so forth. This analysis is usually the most time-consuming and the one you will perform most often.

The end result should be firm conclusions about the effectiveness and overall security achieved. This analysis will often use automated scanners and techniques that hackers use.
The discovery phase calls for a system-by-system examination. Some of the areas reviewed and tested are listed here.

Known vulnerable services
Improperly configured services
Information leakage
Manageable devices
Cryptography implementation
Known vulnerable software versions
Default installations
Unauthorized services, devices, or servers

Information leakage occurs when a host (e.g., an FTP server, router, or operating system) presents more information than necessary. By default, many FTP and HTTP servers present information that a hacker could use against the network.

Examine the following table

Note:

**Examine the following table**
	Until recently, networks were required to post sensitive information about themselves when registering a DNS domain, including the network administrator's name, the DNS servers for the network, the status of the network (active or inactive), and subdomains. Such information can be helpful to a hacker who wants to engage in social engineering or wants to scan your network.

*Penetration
Penetration means that you have bypassed access control mechanisms, such as login accounts and passwords. You will also attempt to compromise data confidentiality and integrity by defeating encryption schemes, and you will deny access to services provided by the network.
In the penetration phase of the auditing process, you inspect various systems for weaknesses, attempting to defeat the following elements:

Encryption
Passwords
Access lists

*Control
Control means that a person can effectively administer the server or network at will. An auditor never attempts to control a network host, but does demonstrate that she could have begun the control phase, and could have taken over the host.
As you will see, gaining control means that a hacker can become something like an administrator because she can access resources, create accounts, and manipulate logs. As you prepare your written report, you must show how to prevent hackers from gaining control of the network or system.

*Spreading to Other Systems
After control is obtained, a hacker then spreads to other systems.
When a hacker compromises one system on the network, gaining control of other systems is relatively easy, because most systems share trust relationships.

Examine the following table

Term:

**Examine the following table**
	Trust Relationship: Configuring a system or application to allow logon from a remote system without first requiring a password.

In this lesson, you learned about the basic phases of a security audit. You learned how auditors progress through the discovery, penetration, and control stages when performing an audit.

Lesson 6. Security Scans

A variety of utilities can be used to reveal basic information about a network.
After completing this lesson, you should be able to:

Use DNS tools to learn basic information about a domain
Explain how standard utilities are used to perform ping scans, traceroutes, port scans, and share scans

*Discovery
As you learned earlier, the first step a security auditor or hacker takes is to discover the network.
You will now learn more about some network discovery tools and methods.

*Security Scans
Security scans come in many varieties. You can use the following to gain information about a network:

DNS tools, such as Whois, nslookup, and host
Standard utilities, including ping, traceroute, Telnet, and SNMP
Ping, port, and share scanners
Network and share discovery applications, including NMAP and RedButton
Enterprise-grade vulnerability scanners, which combine these methods

You will use several tools to learn about the nature of your systems. Some are modest, focused applications that you can install and use quickly.
However, auditors and hackers often create their own tools, using programming languages such as Perl, C, C++, and Java. This is often a result of their realization that no tool exists for the particular weakness they want to exploit.
Other tools are more sophisticated and require configuration. After using them, you will spend considerable time analyzing and interpreting the reports. Before learning about such "hacker-in-a-box" solutions, you should study the individual techniques used by hackers.

*DNS Tools
The Whois service allows you to query the domain name service authority. You can gain valuable information about administrators, additional domains, physical locations, and domain name servers used by an organization. Programs such as the one shown here often give the security auditor a place to begin learning about a network.
After obtaining Whois records, you can then learn about the primary and secondary domain servers.

nslookup
Using nslookup, a DNS troubleshooting tool, you can use the information gained from your Whois query to learn more about the network.
For example, the nslookup on your system can be configured to imitate secondary (slave) servers. If successful in your imitation, you can ask a DNS server to conduct a zone transfer to your system.

After obtaining a zone transfer of a master DNS server, you have gained a great deal of information, including:

The names and IP addresses of all systems that use this DNS server for name resolution.
The networks and/or subnets the company uses.
The server's role on the network. Many organizations provide descriptive DNS names, such as mail.companya.com, www.companyb.com, and print.companyc.com.

Examine the following table

Note:

**Examine the following table**
	If the site uses HINFO records, you can determine the CPU and operating system of each network host.

To conduct a zone transfer using nslookup, begin by issuing a Whois query about the target network.

Open the nslookup client.
By default, nslookup will use the default name server for your domain. Change the default server to a domain server revealed by your Whois query.

The DNS server will then transfer its database to you. However, the server administrator may have instructed the DNS server to deny zone transfers. Also, many organizations place their DNS servers inside the firewall and allow zone transfers only to certain hosts.
After you have information gained from a zone transfer, you can conduct port scans on each host to learn more about the services it offers. If you are not able to conduct a zone transfer, you can resort to ping and port scans and additional tools such as traceroute.

host and dig
Many newer Linux systems (e.g., Red Hat Linux 7.0 and higher) have begun to deprecate the nslookup command in favor of the host and dig commands.
host -l mycompany.com
dig company.com any

*The host Command
Most UNIX systems provide the host command to help find information about hosts on the network. It converts host names to IP addresses and vice versa.
You can use host to:

Conduct zone transfers
Obtain name server information
Learn about the mail servers for a domain

  host -l mycompany.com

The -v option is useful because it displays more information.
The -l option conducts zone transfers.
The –t option allows you to query specific DNS server records.
For example, to query for the mail exchange (MX) record for the mycompany.com domain, you would enter the following command.
  host -t mx mycompany.com

*The dig Command
The dig command provides even more information. For example, the command shown here provides information about all the mail exchange (MX) and name server (NS) records for the domain named company.com.
  dig company.com any
If you want to find information about just the NS records, use the command shown here.
  dig company.com any

If you have only an IP address, you can conduct a reverse lookup.
If, for example, you have an IP address of 192.168.2.0/24, you can look up its in-addr.arpa domain and discover the name server, as follows.
  dig 2.168.192.in-addr.arpa ns

*Ping Scanning
Pinging an organization's Web server can help you learn the entire IP address range used by that organization.
After you learn the HTTP server's IP address, you can use a ping scanner to ping an entire range of addresses on that same subnet. This knowledge helps you create a map of the network.

As shown here, you can use a ping scanner to learn the physical topology of a network.
The ping scan program will automatically query IP addresses in a range that you specify.

*Ping Scan Software
Most often, ping scanners are included in a suite of programs such as WS_Ping ProPack.
Stand-alone ping scan programs are also numerous. One of the more popular applications is Rhino9 Pinger.

*Traceroute (tracert)
Traceroute discovers the number of routers, or hops, a packet must travel to reach its destination.
Most operating systems, including UNIX, Novell and Windows NT/2000, include a version of the traceroute program if configured for TCP/IP. You can also obtain third-party traceroute programs such as ITrace32.
Using traceroute, you can learn a network's physical layout, including the routers it uses to connect with other networks and the Internet. Traceroute can also identify slow servers and the intermediate hops a packet takes.

*Port Scans
A port scan is similar to a ping scan, except that instead of simply reporting back the IP addresses, the port scanner also discovers any active UDP and TCP ports present on the system.

In this example, the 192.168.2.10 address is running SMTP and Telnet servers, whereas the host using IP address 192.168.2.12 is running an FTP server.
The host at 192.168.2.14 is not running any identifiable port, and the host at 192.168.2.16 is running SNMP. Finally, you can tell that 192.168.2.18 belongs to a Microsoft network, because Microsoft networks use UDP ports 137 and 138, and TCP port 139.

*Port Scan Software
Port scanners are among the most commonly available hacker tools. Some port scanners are stand-alone tools such as Advanced Port Scanner 1.1, shown here.

After entering the IP address and declaring which port you want to scan, you can conduct a scan. The results will resemble those shown here.

Many stand-alone port-scanning applications exist, including UltraScan.
Like ping scans, many applications lump this service together with other related services. NetScan Tools, Ping Pro, and other applications attempt to combine as many tools as possible.
As you will see, many enterprise-grade network probes incorporate ping and port scanning into their security analysis regimens.

Topic 6.1 Exercises

* Exercise 1
Try performing several steps in the discovery phase of an audit.

**Examine the following table**
Step	Action
1	Please Note: For the exercises in this course, you should set up an isolated network for practice. Do not use your production network for these practice exercises. Practice using DNS utilities, such as Whois, `nslookup`, and `host`, to access DNS records for a domain. See if you can look up those records on Windows as well as Linux systems.
2	Use `nslookup` to perform a zone transfer for a domain.
3	Use the `dig` command to access name server (NS) and mail exchange (MX) records on a Linux system.
4	Access information about the routers packets travel through on the network.
5	Download a port scanner such as Advanced Port Scanner and a ping scanner such as WS_Ping Pro. Use them to determine as much as you can about network topology and open ports on the system.

In this lesson, you learned about the utilities used to reveal basic information about a network.
You learned how DNS tools like Whois and nslookup are used to probe for basic domain information.
You also learned the standard commands and applications used to perform ping scans, traceroutes, and port scans.

Lesson 7. Network Discovery Applications

Several commercially available applications are commonly used for network scanning.
After completing this lesson, you should be able to:

Identify common scanning applications and describe their capabilities
Describe the ways in which various services and protocols are vulnerable to network scanning

Using a simple program such as Ping Pro, shown here, you can discover Microsoft network ports open on the physical wire.
Ping Pro is designed to search for TCP and UDP ports 135 (the Remote Procedure Call service), as well as UDP ports 137, 138, and 139.
Other network-discovery applications allow you to discover UNIX (NIS-based), Novell, and AppleTalk networks as well.

Ping Pro provides an option that allows an auditor to scan Windows networks for shares.
Such programs can only discover share names; they do not break into the shares themselves. (Depending on the network, this type of program will scan a port specific to how shares work.)

Although Ping Pro will work only with the particular subnet on which it is installed, more sophisticated programs exist. More powerful applications are generally not network-specific, because their designers are interested in identifying as many network and server types as possible.
For example, NMAP is a UNIX tool that allows you to track the subtle differences in how a particular operating system implements TCP/IP. You can obtain NMAP at www.insecure.org. Additional programs include checkos, queso, and the older SATAN program. Most of these applications run on various flavors of UNIX.

*Service Scans
RedButton obtains information from Windows NT/2000 servers that have the Server service enabled.
Although it has been used often, it is still effective in learning the current name of the administrator account as long as the server service is started in Windows NT/2000.

*Stack Fingerprinting
Many of the applications discussed in this course use stack fingerprinting, a technique that uses TCP/IP to help identify specific operating systems and servers.
This process is often necessary because most system administrators limit information leakage and disable information banners.
Stack fingerprinting works because each server and vendor has its own behaviors regarding TCP/IP — behaviors that are difficult or impossible for a system administrator to control. Many auditors and hackers work to document these subtle differences in TCP/IP implementation, thereby creating a sort of fingerprint for each operating system.

The key to learning how one operating system uses TCP/IP differently from another is to generate idiosyncratic TCP/IP packets and direct them to IP addresses and ports. Certain operating systems will respond in different ways, allowing you to deduce which type of system the host is running.
For example, you can send a FIN packet (or any packet without an ACK or SYN flag) to a host's open port and elicit a response from the following systems:

Microsoft Windows XP, 2000, NT, 98, 95, and 3.11
FreeBSD
CISCO
HP/UX

Most other systems will not respond. Although you have narrowed the field only slightly, you have at least begun to investigate the nature of the host you are targeting.
If you generate a TCP packet with an undefined flag in the header, versions of Linux before 2.0.35 tend to include this undefined flag in their responses. This behavior is unique to this version of Linux, allowing you to determine the operating system running at that host.

In UNIX systems, you can download files from /bin/ls. The files you might find could reveal important information about the flavor of UNIX on the host.
The following is a partial list of checks made by fingerprinting programs. Many operating systems implement these activities differently.

ICMP Error Message Quenching
Type of Service (TOS) value
TCP/IP options
SYN flood resistance
TCP initial window

*TCP Initial Window
TCP begins its three-way handshake with an initial SYN packet. This is also called the TCP initial window.
A program such as NMAP sends initial SYN packets that trick the operating system into a response. A fingerprinting application can deduce several things from the way this packet is formed, then arrive at an educated guess concerning the operating system.

*NMAP
NMAP is popular because it is relatively powerful, constantly updated, and free. It is an effective network discovery program for two reasons.
First, it deploys a fairly sophisticated series of TCP/IP fingerprinting engines. Its creator is also actively updating these engines so they can arrive at as many educated guesses as possible. NMAP can accurately scan server operating systems (including Novell, UNIX, Linux, and NT), routers (including CISCO, 3COM, and HP), and dial-up devices.

Secondly, NMAP is effective because it is designed to defeat perimeter security applications, such as firewalls.
One of the ways it does so is through its ability to fragment scans, primarily via the stealth option.

Note:

**Examine the following table**
	A version of NMAP for Windows NT and Windows 2000 is available at the following location: `www.eeye.com/html/Research/Tools/nmapnt.html`

With NMAP, you can send stealth FIN packets (-sF), stealth Xmas tree packets (sX), or stealth NULL packets (sN). These options allow you to fragment TCP queries to bypass most firewall rules.
Such strategies have been effective on even the most popular of software companies, as well as many other organizations.

The Options tab provides access to several features. For example, selecting OS Detection will cause NMAP to use stack fingerprinting to identify an operating system.

You can also adjust the timing of your scans using options in the Timing tab.
For example, setting the Throttle to Paranoid causes NMAP to wait five minutes between sending packets to a host you are scanning, while setting it to Sneaky will cause it to wait 15 seconds. The Normal option causes it to scan as quickly as possible.

You can also spoof source IP addresses, so auditors can evade traceback during a scan.

*Using Telnet
Telnet is a program designed to allow a user to work with a remote computer as if she were sitting at the remote computer's terminal.
By default, Telnet uses TCP port 23. However, you can use any Telnet client application to connect to different ports.
For example, you can connect to the standard HTTP port with Telnet. If you enter a text string and press enter a few times, the server will usually disconnect you from the system because it will not recognize the request.

However, you will generally receive some sort of message from the HTTP server. Many times, you can use this message to learn the server vendor and the version (such as Apache Web Server 1.3.19).
Other messages might not be as informative, but you can often deduce the server type from the error message it delivers. You will probably be disconnected from the Web server port, but part of the error message will include the HTTP server version.

*Using SNMP
The Simple Network Management Protocol (SNMP) allows you to determine relevant statistics and information from your hosts. You can, for example, gather information about TCP/IP, as well as various services running on routers, workstations, and other network components.

Examine the following table

Term:

**Examine the following table**
	Simple Network Management Protocol (SNMP): The protocol that enables management and maintenance of TCP/IP hosts; standard since 1990.

SNMP requires a Network Management System (NMS) application and an agent. An NMS is usually installed on a workstation, whereas you can install an agent on any host that accepts configuration. An NMS issues queries to an agent, which then sends information back to the NMS.

Currently, three versions of SNMP exist. SNMPv1 is the most common, but is also the least secure, for two reasons.
First, it uses what the authors of SNMP call "trivial authentication." The authentication scheme involves the use of a "community name," which is nothing more than a small string of text.

Secondly, SNMP transmits this community name in cleartext, making it a perfect target for packet-sniffing programs. Unless you use IPsec between hosts, such transmissions are vulnerable.
Furthermore, many network administrators use the word "public" for their community names. Any hacker will try this word first when attempting to gain access to SNMP.

*The setrequest Command
You can also use SNMP to actually reprogram an interface or service with the setrequest command. These changes include setting router hops, stopping and starting services, starting and stopping interfaces, etc. Therefore, if you are running SNMPv1 and a hacker gains access to the community name, he can discover information and gain a certain amount of control over the system.
SNMPv3 includes sophisticated encryption and authentication schemes, but many network administrators keep default settings and passwords that still allow hacker access. Also, encrypted SNMP passwords can be captured and submitted to a brute-force attack.

*SNMP Software
Many vendors sell SNMP managers and NMS applications. The most commonly used NMS applications include:

HP OpenView
Scotty, a powerful UNIX/Linux NMS application
SNMPUTIL, available in the Windows NT or Windows 2000 Resource Kit
Add-on utilities with various network utilities, such as WS_Ping Pro

Although programs such as HP OpenView are the industry standard, you can still use less advanced applications such as WS_Ping Pro to discover network elements.

*TCP/IP Services
Most SMTP and POP3 servers still send passwords in the clear, raising the possibility of a man-in-the-middle attack.
Finally, LDAP, FTP, SMTP, and especially HTTP servers tend to divulge too much information about their configuration, and are quite vulnerable to buffer overflows.
E-mail applications such as Microsoft Outlook, Eudora, and Netscape Communicator include LDAP client software. However, network management applications such as Ping Pro and NetScan Tools allow you to formulate more complex queries.

*Trivial TCP/IP Services
Trivial TCP/IP services such as Finger and TFTP can help divulge important information that hackers use for social engineering and other attacks.

*Finger
Finger allows you to access user information from remote servers.
Using Finger, you can learn the following:

User names
Server names
E-mail accounts
Whether a user is currently connected
When the user logged in

finger -l user@computer

*Trivial File Transfer Protocol (TFTP)
TFTP constitutes a problem because it does not require any authentication.
Hackers are fond of conducting denial-of-service attacks against this service, thereby presenting a high risk to systems running it.

Topic 7.1 Exercises

* Exercise 2
Try using commonly available scanning applications.

**Examine the following table**
Step	Action
1	Please Note: For the exercises in this course, you should set up an isolated network for practice. Do not use your production network for these practice exercises. Determine whether scanning applications, such as WS_Ping Pro and NMAP, are available to you on any part of the network. If not, download one or more scanning applications.
2	Perform various kinds of scans with each available application. See if you can perform OS detection scans that use stack fingerprinting, SNMP scans, network share scans, traceroutes, etc.

In this lesson, you learned how several commercially available scanning applications can be used to discover information and map out a network. You learned about the basic scanning features available in WS_Ping Pro and NMAP.
You also learned about the features of network services and protocols that make them vulnerable to these kinds of scans.

Lesson 8. Enterprise-Grade Audit Applications

Sophisticated audit applications can perform coordinated attacks on multiple systems and services. These are called enterprise-grade audit applications.
After completing this lesson, you should be able to:

Describe the common features of enterprise-grade audit applications
List and describe some of the more popular applications

Thus far, you have learned about the simple tools available to auditors. They are easy to install and can give you a great deal of information about a network. They also help you assess risk in a particular system.
Their main weakness is that they conduct single queries at separate times. They're not configured to conduct a coordinated discovery of multiple systems and services. A talented auditor is needed to coordinate such methods and make the discovery phase of the audit successful.
Enterprise-grade auditing applications help coordinate information. They also attempt to beat hackers at their own game. These programs subject a network to a barrage of coordinated attacks, allowing you to detect specific problems in a real-time, practical setting.

*Protocol and OS Support
All commercial scanners support TCP/IP. Many also support protocols such as IPX/SPX, NetBEUI, AppleTalk, DECnet, and others. You might need to purchase different versions, depending upon the protocol you use.
Many versions are operating-system specific, so you must decide which platform you will use when conducting your scans. Traditionally, network scanners, probes, and intruder-detection systems have been more powerful when based on a UNIX system. However, many powerful products have emerged that support Windows 2000.

*Vulnerability Database
A vulnerability scanner always has a database of vulnerabilities for which it searches.
It is important to understand that a vulnerability scanner is only as good as its vulnerability database. Update it regularly.

*Scan Levels
Most enterprise-grade applications allow you to determine the extent of the security scan.
A light network scan generally searches the well-known ports (0 through 1023) as well as standard security weaknesses, including poor password protection, low patch levels, and extraneous services.
If you scan a small subnet, the scan might take up to 30 minutes. Medium and heavy scans can take several days, depending on the speed of the network and the clock speed of the processor running the network probe.

A heavy scan allows the application to conduct a barrage of attacks, some of which can actually crash a host. If you set a scanning application to scan all 65,5535 ports, as well as attempt to defeat passwords and conduct a detailed analysis of every service from administrative accounts to UNIX subsystems, your scan could take days to complete.
Such scans can also clog network connections and overwhelm the target host. Therefore, time your scans so they do not interfere with the business you are auditing.

*Scanners, Firewalls, and False Negatives
You can specify a scan type that will not cross a subnet. For example, if a firewall blocks Microsoft networking (e.g., port 139), you will have to use your scanning software directly on that subnet to gather information about Microsoft systems.
Whenever a scanner does not report a host in such cases, it is said to report a "false negative." The host is, in fact, participating on the network, but the scanner cannot find it. Similarly, a scanner may be able to find a host, but may not report an important vulnerability, because an intervening firewall or router has been configured to drop the packets that might reveal the vulnerability.

*Profiles and Policies
To use many scanners, you must first define a profile, then apply a policy. Most programs predefine profiles and policies, but you can edit and create new ones at will. You must remember, however, to associate a specific policy with your profiles.

Examine the following table

Term:

**Examine the following table**
	Policy: An instruction that determines the scan level applied to the host or range of hosts.

*Reporting
Any enterprise-grade scanning application will provide detailed reporting mechanisms. You should be able to export this information into several formats, including:

Simple ASCII text
HTML
Word-processing document formats, such as RTF, or proprietary formats, such as Microsoft Word (DOC) or Corel Word Perfect (WPD)
A spreadsheet, such as Microsoft Excel
Graphics for inclusion in a slide presentation, such as Microsoft PowerPoint or IBM FreeLance
A Microsoft Visio image

As an auditor, pay close attention to the quality of your scanner's reporting mechanism, because many customers will rely on these to secure their networks and network hosts.
Although many applications generate reports in a proprietary format, they increasingly have turned to generating HTML-based reports, which anyone can view with a common Web browser.
Most network scanners categorize threats into low, medium, and high risk. You will see how various network scanners report what they have found.

*Symantec NetRecon
NetRecon is one of the first network probes specifically designed for Windows NT and Windows 2000. It can discover network elements, and can coordinate each of the activities discussed in this lesson, including password examinations (also called password cracking). Because NetRecon is able to coordinate attacks, it can simulate attacks with much greater accuracy.

As with any vulnerability scanner, you can scale the depth of the search you want to conduct. Extensive probe scans can take considerable time. For example, the most extensive scans might take up to two days.

*ISS Internet Scanner
The ISS Internet Scanner can scan both UNIX and NT networks, and is able to work with remote hosts, much like Symantec NetRecon, WebTrends Security Analyzer, and others.

Internet Scanner uses three modules: intranet, firewall, and Web server. It attempts to categorize network activities, and then provide a scanning solution for each one.
This feature makes the program particularly effective because you can direct scans toward the more vital and commonly attacked systems. You can also define your own search parameters within each of these three categories.

*Eeye Retina
Retina is developed by the Eeye team (www.eeye.com). The Eeye team is proficient at finding buffer overflows, which are occurrences of an application writing data onto an area of memory that the operating system has not actually allocated to it. Buffer overflows also tend to focus on Web servers. Thus, Retina reflects these strengths.
The Retina scanner is easy to use, and has numerous reporting capabilities.

Retina has the following strengths:

It can be configured to conduct brute-force attacks against remote hosts. In a brute-force attack, the application conducts repeated logon attempts in order to guess a password.
It can imitate hacker behavior through the Common Hacking Attack Methods (CHAM) feature, which conducts quick scans against Web servers (including CGI- and script-based attacks).
It can scan IP ranges.

*Additional Vendors
Other products that allow you to scan and assess weaknesses include:

Nessus (www.nessus.org)
Network Flight Recorder (www.nfr.com)

Topic 8.1 Exercises

* Exercise 1
Try deploying an enterprise-grade audit application.

**Examine the following table**
Step	Action
1	Please Note: For the exercises in this course, you should set up an isolated network for practice. Do not use your production network for these practice exercises. Install Eeye Retina on your system.
2	Go to Start \| Programs \| Retina \| Retina and open the application.
3	Go to File \| Save and save the current session under your name.
4	Go to Edit \| IP Range and enter one or more valid IP addresses on your network.
5	The task bar will say scanner. Now click the Start button. The scan will begin.
6	By default, the first system scanned will be reported. Note that weaknesses are listed by IP address. You can then "drill down" into each IP address and learn about specific weaknesses. Retina will give you general information about the remote server, then about specific "audits," which show system weaknesses. You will then be shown open ports and services, as well as users defined on the system.
7	When you have finished viewing the first system, click the next IP address in the left panel. View all the systems that Retina was able to discover.
8	Go to Tools \| Policies and select Brute Force. Rescan a selected host to see what Retina discovers using a brute-force attack.
9	Retina's Miner feature allows you to scan Web servers for weaknesses. It is designed to mimic actions of a potential hacker. This feature can take considerable time, because it conducts various brute-force attacks. Select one system, then use the Miner feature against it.
10	Finally, use the Tracer feature, which conducts a `traceroute` between you and a remote system.

In this lesson, you learned about some of the more complex and sophisticated tools used to audit security for a network — applications that can perform coordinated attacks on multiple systems and services.
You learned about the common features of enterprise-grade audit applications, and you learned some of the features of commercially available applications such as NetRecon, ISS Internet Scanner, and Eeye Retina.

Lesson 9. Using Audit Applications

A wide variety of tools are available to assist with network auditing.
After completing this lesson, you should be able to:

Use a ping scanner to scan ranges of IP addresses
Use a packet sniffer to capture packet transmissions

Let's take a closer look at a couple of the more commonly used auditing tools.
We'll look at one ping scanner (WS_Ping Pro) and one packet sniffer (Ethereal).

*Ping Scanners
In WS_Ping Pro, your main scanning options are shown on the Scan tab.
You can type in the start and end addresses for the range of IP addresses you wish to scan, and use the options listed in the lower left to select the types of communications to be picked up by the scan.

In this case, we'll scan everything between 192.168.9.1 and 192.168.9.255, and we'll scan for all DNS, FTP, and HTTP communications.
We'll also ask Ping Pro to resolve the name of each address it finds.

This window shows WS_Ping Pro during the scan.
It has located and named 6 addresses from the first 95 in the scanning range. In each case, it shows you what service(s) are running at that address.

Additional information can be revealed using WS_Ping Pro.

Let's look for domain information.

Now click Start to begin your scan.

In this case, WS_Ping Pro found two domain names within the scanned range. Note that one of them is a Windows workgroup.

Now select shares from the Network Items menu.

WS_Ping Pro reveals the shares shown here.

*Packet Sniffers
Now let's take a closer look at some of the more sophisticated techniques that can be used to capture and analyze network traffic.
Ethereal is a protocol analyzer that can capture network packets in real time. It works on the network or subnet on which it is installed.

To begin capturing packets with Ethereal, select Start from the Capture menu.

To capture all available packets on the subnet, select the option that says Capture packets in promiscuous mode.
You can then begin capturing packets.

Each figure in the Capture dialog box should begin at 0, but will quickly change (assuming there is any traffic on the subnet).

You can watch the numbers change for a bit.
You can also generate traffic by, for example, issuing a ping to this IP address from a different machine.

In this case, our ping generated the first ICMP packets of this session.

As soon as you end the capture, Ethereal displays a variety of information in the main window regarding your captured transmissions, including the time, source, destination, and protocol used by each packet.

Scroll down the display, and you can see the first ICMP packet generated by the ping sent to this machine.
This kind of detailed information about network traffic can make a variety of attacks possible. For example, when used against a network that uses SNMP, packet sniffers like Ethereal can reveal the community name SNMP uses for authentication. Hackers can use this to gain partial control over the system.

Topic 9.1 Exercises

* Exercise 1
Try discovering network elements with WS_Ping Pro.

**Examine the following table**
Step	Action
1	Please Note: For the exercises in this course, you should set up an isolated network for practice. Do not use your production network for these practice exercises. Select a range of IP addresses on your network. Open Ping Pro, and perform a scan of your selected address range. Scan for POP3, HTTP, SMTP, SNMP, and FTP services.
2	Perform a domain name search and list all the available domains.
3	Using Windows Explorer, establish a share on the `c:\temp` directory. If necessary, create the folder, then share it. You may restrict access to it.
4	Use Ping Pro to perform a share search. Verify that the share you created is listed.

In this lesson, you learned to use a couple of the many tools available to help you audit a network.
You learned to perform ping, domain, and share scans using WS_Ping Pro. You also learned to use Ethereal to perform real-time captures of network packets.

Lesson 10. Social Engineering

Not all elements of an effective attack are performed directly on your systems. Sometimes hackers attempt to exploit human resources in their efforts to penetrate a network.
After completing this lesson, you should be able to:

Explain how hackers use social engineering when attacking a system
Describe the most effective tool against social engineering

You have been introduced to several discovery programs, some of which are quite sophisticated and comprehensive.
However, consider the convenience of having someone else discover network elements for you. A good auditor will find ways to learn information about the network from human sources.
Although you can use social engineering to penetrate and control a network, it is also quite helpful when attempting to learn more about network devices. As a security manager, you should not underestimate this threat. As a security auditor, you should not omit social engineering from your list of tools and techniques.

*Telephone Calls
An auditor attempts to use people as a discovery tool. After obtaining information from a DNS lookup, either impersonate the network administrator or drop his name in a conversation.
You might learn more information — or actually get someone to grant you access to a network host.

*Education and Social Engineering
For the security manager, the best way to ensure that network users do not become discovery tools is to provide end-user education.
If you raise people's understanding of the equipment they use and give them a sense of responsibility, they will be more difficult to manipulate.

Topic 10.1 Exercises

* Exercise 1
Try learning more about security training programs.

**Examine the following table**
Step	Action
1	Do some research and reading on techniques that are commonly used in security training in the corporate environment. Begin with a Web search using phrases like "network security training" and "computer security education."
2	Review any principles, programs, or techniques you can find. Determine whether social engineering is covered in each program.
3	Make a list of common principles and techniques used in security training.

In this lesson, you learned about the ways in which hackers can exploit human resources while attempting to penetrate a network.
You learned about social engineering, and you learned the most effective method for protecting a network against social engineering.

Lesson 11. Basic Audit Information

Security auditors often classify the information they receive as either network-level or host-level information.
After completing this lesson, you should be able to:

Classify network-level and host-level information
Explain the role of research in security auditing

As a security auditor, you can categorize the information you receive into network-level and host-level categories.

*Network-Level Information
Some of the more valuable network-level information you can obtain is listed below.

**Examine the following table**
Information	Description
Network topology	A security auditor should learn the network types (ethernet, token ring, etc.) as well as IP address ranges, subnets, and the location of access panels and wiring closets. Your goal is to keep such information away from hackers through the use of firewalls, proxy servers, etc.
Routers and switches	Learning the types of routers and/or switches is extremely valuable for analyzing security. Routers can leak information.
Firewall type	Most networks have a firewall. If you can gain access to the specific type of firewall, you can then study it and learn about possible weaknesses.
IP services	The most essential services include DHCP, BOOTP, WINS, SAMBA, and DNS. DNS services are especially prone to buffer overflow attacks.
Modem banks	Perhaps the most popular way to get around a firewall is to exploit modem connections by conducting a man-in-the-middle attack and packet sniffing. War dialers, which are programs that speed-dial numbers across the Internet to find network connections, are important auditor tools.

*Host-Level Information
Some of the more valuable host-level information is listed below.

**Examine the following table**
Information	Description
Active ports and server type	You can find ports for each of the servers you run. More importantly, vulnerability scanners query the daemon or service that is listening on that port. You can also discover the type of server being used.
Databases	Database type (e.g., Oracle, Microsoft SQL Server, IBM DB2) as well as physical location and connecting protocol can be valuable.
Configuration defaults and problems	Vulnerability scanners are not limited to scanning remote systems. They can also be installed directly on the host to determine if a host's configuration can lead to a compromise, or if a server is configured in such a way that one compromise can lead to compromise of the entire network.

*The Next Step: Research
In recent years, most successful hackers have been people with a lot of spare time. Hackers devote much of this time to reading manuals and learning about system defaults and built-in weaknesses.
Regardless of whether you are a security manager or a security auditor, you should learn as much as possible about the products being used.

Research can take many different forms, including the following:

Live testing, in which auditors test popular network daemons and services for weaknesses.
Searching recognized security sites for reports about bugs relevant to a particular daemon, operating system, or combination thereof. For example, you can study the TCP/IP RFCs to learn more about how vendors implement TCP/IP.
Networking with known auditors and hackers to learn more about ways common daemons are attacked.
Studying the source code of the daemon in question. Although obtaining code for commercial applications is very difficult, you can study the source code of open-source operating systems and applications.

*Legitimate vs. Illegitimate Tools
In most cases, no difference exists between a hacker tool and an auditing tool.
Some of the tools we've discussed, such as Symantec NetRecon, broadcast the name of the host issuing the query in an attempt to ensure that they are not used illicitly. This broadcast is often made using Windows pop-up messages, which are designed to enable systems administrators to quickly identify the source of the scan.
Nevertheless, the use of such programs is not limited to legitimate systems administrators or security professionals.

Topic 11.1 Exercises

* Exercise 1
Try performing in-depth research on specific network components.

**Examine the following table**
Step	Action
1	Select two specific elements of any network with which you are familiar. It can be a service, operating system, router, firewall, or any other element in the network.
2	Research each of your two specific network components. See if you can determine the most recent security information about them, including any vulnerabilities and techniques used to protect them.
3	Make a list of the vulnerabilities for each item as well as the tools and techniques used to protect them.

In this lesson, you learned how auditors classify information in network-level and host-level categories.
You learned to classify information revealed during an audit. You also learned the role of product research in security auditing.

Lesson 12. Course in Review

This lesson is designed to help you prepare for the CIW Security 1D0-470 exam. It reviews the material presented in this course through questions and study strategies. It also includes a list of the CIW Security 1D0-470 exam objectives that are covered in this course.

Topic 12.1 Exam Objectives

Listed below are the CIW Security 1D0-470 objectives that are covered in this course. Now that you have completed this course, you should be able to:

Explain security auditing principles and the security auditor's chief duties
Apply security auditing and discovery processes using network-based and host-based discovery software

Topic 12.2 Study Strategies

*General Review Questions
You should be able to answer the questions and perform the tasks listed here.

**Examine the following table**
1.	Define the terms "effective security" and "risk analysis."
2.	What are the different roles security auditors can adopt in the course of an audit? Define each role.
3.	List the five basic steps you should take during a risk assessment.
4.	What are the three basic stages of a security audit? Define each stage.
5.	Compare and contrast the functions of different types of auditing software, including DNS utilities, ping and port scanners, network discovery applications, and enterprise-grade applications. Give examples of each type.
6.	Define the term "stack fingerprinting." Name at least one application that can perform stack fingerprinting.
7.	What are the security vulnerabilities of networks that use the SNMP protocol?
8.	Name at least two enterprise-grade auditing applications, and describe their basic features.
9.	What does it mean when a scan produces a false negative?
10.	How can a packet-sniffing program be used to attack a network that uses SNMP?
11.	Define social engineering.