Differences

This shows you the differences between two versions of the page.

--- network_security_assesment [2009/06/08 02:59]
k2patel
+++ network_security_assesment [2020/08/10 02:35]
@@ Line 1: / Line 1: @@
-====== Network Security Assesment ======
-[[ http://examples.oreilly.com/9780596510305/tools/ | Site Tools ]]
-**NOTE : Some link might not work, but search based on the name and site.**
-==== technical results to management categories ====
-== OS configuration ==
-Vulnerabilities due to improperly configured operating system software
-== Software maintenance ==
-Vulnerabilities due to failure to apply patches to known vulnerabilities
-== Password/access control ==
-Failure to comply with password policy and improper access control settings
-== Malicious software ==
-Existence of malicious software (Trojans, worms, etc.) or evidence of use
-== Dangerous services ==
-Existence of vulnerable or easily exploited services or processes
-== Application configuration ==
-Vulnerabilities due to improperly configured applications
-==== Recognized Assesment Standard ====
-  - [[ http://www.iatrp.com | NSA IAM ]]
-  - [[ http://www.cesg.gov.uk | CESG CHECK ]]
-== PCI Data Security Standards ==
-  - [[ https://www.pcisecuritystandards.org | PCI Secuity ]]
-  - [[ http://www.mastercard.com/us/sdp/index.html | Mastercard Information ]]
-  - [[ http://www.visaeurope.com/aboutvisa/security/ais/main.jsp | Visa Information ]]
-== Other Assessment Standards and Associations ==
-  - [[ http://www.isecom.org | ISECOM’s Open Source Security ]]
-  - [[ http://www.crestapproved.com | Council of Registered Ethical Security Testers ]]
-  - [[ http://www.tigerscheme.org | Tiger Scheme ]]
-  - [[ http://www.eccouncil.org | EC-Counsil ]]
-  - [[ http://www.owasp.org | Open Web Application Security Project ]]
-==== Investigation of Vulnerabilities ====
-  - [[ http://www.packetstormsecurity.org | Packet Storm ]]
-  - [[ http://www.milw0rm.com | Milw0rm ]]
-  - [[ http://www.frsirt.com | FrSIRT ]]
-  - [[ http://www.securityfocus.com | Security Focus ]]
-  - [[ http://www.kb.cert.org/vuls/ | CERT vulnerability notes ]]
-  - [[ http://cve.mitre.org | MITRE Corporation CVE ]]
-  - [[ http://xforce.iss.net | ISS X-Force ]]
-== commercial feed services ==
-  - [[ http://research.eeye.com/html/services | eEye Preview ]]
-  - [[ http://dvlabs.tippingpoint.com | 3Com TippingPoint DVLabs ]]
-  - [[ http://labs.idefense.com/services | VeriSign iDefense Security Intelligence Services ]]
-==== Cyclic Assesment Process ====
-{{:cyclic_assesment.jpg|}}
-==== Reconnaissance Tools ====
-  - [[ http://www.sensepost.com/research/bidiblah | BiDiBLAH ]]
-  - [[ http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-sensepost.pdf | The SensePost Black Hat USA
-presentation slides ]]
-==== Free Network Scanning Tools ====
-  - [[ http://www.insecure.org/nmap | nmap ]]
-  - [[ http://www.nessus.org | Nessus ]]
-  - [[ http://sourceforge.net/projects/nsat | NSAT ]]
-  - [[ http://www.foundstone.com/knowledge/scanning.html | Foundstone SuperScan]]
-==== Commercial Network Scanning Tools ====
-  - [[ http://www.corest.com/products/coreimpact/ | Core IMPACT ]]
-  - [[ http://www.iss.net | ISS Internet Scanner ]]
-  - [[ http://www.cisco.com/warp/public/cc/pd/sqsw/nesn | Cisco Secure Scanner ]]
-  - [[ http://www.eeye.com/html/index.html | eEye Retina ]]
-  - [[ http://www.qualys.com/index.php | QualysGuard ]]
-  - [[ http://www.trustmatta.com | Matta Colossus ]]
-==== Exploitation Frameworks ====
-  - [[ http://www.metasploit.com | The Metasploit Framework ]]
-== Commercial Exploitation Frameworks ==
-  - [[ http://www.coresecurity.com | Core Security ]]
-  - [[ http://www.immunityinc.com/products-canvas.shtml | Immunity Inc. ]]
-  - [[ http://gleg.net/products.shtml | GLEG VulnDisco ]]
-  - [[ http://www.argeniss.com/products.html | Ageniss Ultimate 0day Exploits Pack ]]
-==== Web Application Testing Tools ====
-  - [[ http://www.parosproxy.org | Paros ]]
-  - [[ http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project | WebScarab ]]
-  - [[ http://portswigger.net | Burp suite ]]
-=== Active open source web application crawling and fuzzing tools ===
-  - [[ http://wapiti.sourceforge.net | Wapiti ]]
-  - [[ http://www.cirt.net/code/nikto.shtml | Nikto ]]
-== Commercial Web Application Scanning Tools ==
-  - [[ http://www.watchfire.com/products/appscan | Watchfire AppScan ]]
-  - [[ http://www.spidynamics.com/products/webinspect | SPI Dynamics WebInspect ]]
-  - [[ http://www.cenzic.com/products_services/cenzic_hailstorm.php | Cenzic Hailstorm ]]
-==== Protocol Dependent Assesment Tools ====
-=== Enumeration and Information gathering tools ===
-  - [[ http://razor.bindview.com/tools/files/enum.tar.gz | enum ]]
-  - [[ http://www.packetstormsecurity.org/NT/audit/epdump.zip | epdump ]]
-  - "nbtstat" Available with Microsoft OS's
-  - [[ http://www.microsoft.com/ntserver/nts/downloads/netkit/default.asp | usrstat ]]
-=== Brute-force password guessing tools ===
-  - [[ http://www.netxeyes.org/smbcrack.exe | SMBCrack ]]
-  - [[ http://www.netxeyes.org/WMICracker.exe | WMICracker ]]
-  - [[ http://www.cqure.net/tools01.html | SMB Auditing tools ]]
-==== DNS ====
-  - nslookup
-  - host and dig
-  - ghba (available at tools links it is source)
-== BGP Querying ==
-  - We can cross-reference AS11278 at [[http://fixedorbit.com/search.htm]] to reveal the IP blocks associated with the AS number.
-  - Many BGP looking glass sites and route servers can be queried to reveal this information. Route servers are maintained by ISPs and can be connected to using Telnet to issue specific BGP queries. A list of looking glass sites and route servers is maintained by NANOG at [[http://www.nanog.org/lookingglass.html]]
-==== HTTP and HTTPS ====
-  - [[ http://www.nstalker.com/nstealth | N-Stealth ]]
-  - [[ http://www.cirt.net/code/nikto.shtml.com | nikto ]]
-  - [[ http://sourceforge.net/projects/cgichk | cgichk ]]
-==== Using google ====
-=== Enumerating CIA contact details with googl ===
-<code text>
- +"ucia.go" +tel +fax
-</code>
-=== Effective search query strings ===
-<code text>
-allintitle: "index of /" site:.redhat.com
-</code>
-** Another site for effective search [[http://www.netcraft.com | Netcraft ]]
-==== How to use whois effectively ====
-<code text>
- * whois cs-security-mnt
- * whois "@citicorp.com" @whois.arin.net
-</code>
-==== Forwarding DNS query ====
-  * Forward DNS querying transfer using nslookup
-  <code text>
-  #nslookup
-  >set querytype=any
-  >cia.gov
-  >server auth100.ns.uu.net             #zone transfer using nslookup.
-  >ls -d ucia.gov
-  </code>
-  * Using dig to perform a DNS zone transfer
-  <code text>
-  dig @relay2.ucia.gov ucia.gov axfr
-  </code>
-  * PTR record enumeration through DNS zone transfer
-  <code text>
-  dig @relay2.ucia.gov 129.81.198.in-addr.arpa axfr
-  </code>
-==== Forward DNS Grinding ====
-  * Using a forward DNS lookup to enumerate MX records
-  <code text>
-  $ nslookup
-  > set querytype=mx
-  > bankofengland.co.uk
-  </code>
-  * Windows tool that support dictionary-based hostname grinding
- [[ http://www.txdns.net | TXDNS ]]
- <code text>
- txdns -f mail-dict.txt bankofengland.co.uk
- </code>
-==== Reverse DNS Sweeping ====
-  * [[ http://www.attrition.org/tools/other/ghba.c | GHBA ]]
- <code text>
- $ghba 198.81.129.0
- </code>
-==== Web Server Crawling ====
-  * [[ http://www.sensepost.com/research/wikto/ | Wikto ]]
-  * [[ http://www.httrack.com | HTTrack ]]
-  * [[ http://www.softaward.com/1775.html | BlackWidow ]]
-  * [[ http://www.gnu.org/software/wget/ | GNU Wget ]]
- [[ http://en.wikipedia.org/wiki/Web_crawler | Wikipedia Entry for Crowler ]]
-==== Automating Enumeration ====
-  * [[ http://www.binarypool.com/spiderfoot/ | SpiderFoot ]]
-  * [[ http://www.sensepost.com/research/bidiblah/ | BiDiBLAH ]]
-=== SMTP Probing ===
- Reading/Understanding Header of Returned Mail.
- <code text>
-  The original message was received at Fri, 1 Mar 2002 07:42:48 -0500
-  from ain-relay2.net.ucia.gov [192.168.64.3]
-  ----- The following addresses had permanent fatal errors -----
-  <blahblah@ucia.gov>
-  ----- Transcript of session follows -----
-  ... while talking to mailhub.ucia.gov:
-  >>> RCPT To:<blahblah@ucia.gov>
-  <<< 550 5.1.1 <blahblah@ucia.gov>... User unknown
-<blahblah@ucia.gov>... User unknown
-  ----- Original message follows -----
-  Return-Path: <hacker@hotmail.com>
-  Received: from relay2.net.ucia.gov
-  by puff.ucia.gov (8.8.8+Sun/ucia internal v1.35)
-  with SMTP id HAA29202; Fri, 1 Mar 2002 07:42:48 -0500 (EST)
-  Received: by relay2.net.ucia.gov; Fri, 1 Mar 2002 07:39:18
-  Received: from 212.84.12.106 by relay2.net.ucia.gov via smap (4.1)
-  id xma026449; Fri, 1 Mar 02 07:38:55 -0500
- </code>
-Reading above header in English
- <code text>
-  In particular, the following data in this transcript is useful:
-  • The Internet-based relay2.ucia.gov gateway has an internal IP address of
-.168.64.3 and an internal DNS name of relay2.net.ucia.gov.
-  • relay2.ucia.gov is running TIS Gauntlet 4.1 (smap 4.1, a component of TIS
-    Gauntlet, is mentioned in the via field).
-  • puff.ucia.gov is an internal SMTP mail relay system running Sun Sendmail
-.8.8.
-  • mailhub.ucia.gov is another internal mail relay running Sendmail (this can be
-    seen from analyzing the SMTP server responses to the RCPT TO: command).
-</code>
-===== IP Network Scanning =====
-=== ICMP Probing ===
-From a network scanning perspective, the following types of ICMP messages are useful:
-  - Type 8 (echo request)
-  - Type 13 (timestamp request)
-  - Type 15 (information request)
-  - Type 17 (subnet address mask request)
-=== ICMP Probing Tools ===
-  * SING - Send ICMP Nasty Garbage (is a command-line utility that sends customizable ICMP probes.)
-[[http://sourceforge.net/projects/sing | SING Source ]]
- <code text>
- $ sing -echo 192.168.0.255
- $ sing -tstamp 192.168.0.50
- $ sing -mask 192.168.0.25
- </code>
-  * Nmap - can perform ICMP ping sweep scans of target IP blocks easily
-[[http://insecure.org/nmap/ | NMAP Source]]
- <code text>
- $ nmap -sP -PI 192.168.0.0/24 (Performing a ping sweep with Nmap)
- </code>
-  * ICMPScan - ICMPScan is a bulk scanner that sends type 8, 13, 15, and 17 ICMP messages
-[[http://www.bindshell.net/tools/icmpscan | ICMPScan Source]]
- <code text>
- You can get how to use by simply running application
- $ icmpscan –c -t 500 -r 1 192.168.1.0/24
- </code>
-Enumerating subnet network and broadcast addresses with Nmap
-<code bash>
-nmap -sP 154.14.224.0/26
-</code>
-<code text>
-Useful details about subnet network and broadcast addresses and
-CIDR slash notation can be found at http://en.wikipedia.org/wiki/
-Classless_Inter-Domain_Routing.
-</code>
-==== TCP Port Scanning ====
-Accessible TCP ports can be identified by port scanning target IP addresses. The\\
-following nine different types of TCP port scanning are used in the wild by both\\
-attackers and security consultants:\\
-<code text>
-Standard scanning methods
-Vanilla connect( ) scanning
-Half-open SYN flag scanning
-Stealth TCP scanning methods
-Inverse TCP flag scanning
-ACK flag probe scanning
-TCP fragmentation scanning
-Third-party and spoofed TCP scanning methods
-FTP bounce scanning
-Proxy bounce scanning
-Sniffer-based spoofed scanning
-IP ID header scanning
-</code>
-Using Nmap to perform IP ID header scanning
-<code bash>
-nmap -P0 -sI 192.168.0.155 192.168.0.50
-</code>
-[[ http://www.geocities.com/fryxar | Nice tools From Fryxar]]
-=== Fragmenting Probe Packets ===
-Probe packets can be fragmented easily with fragroute to fragment all probe packets\\
-flowing from your host or network or with a port scanner that supports simple\\
-fragmentation, such as Nmap. Many IDS sensors can’t process large volumes of fragmented\\
-packets because doing so creates a large overhead in terms of memory and\\
-CPU consumption at the network sensor level.\\
-== Fragtest ==
-Dug Song’s fragtest utility can determine exactly which types of fragmented\\
-ICMP messages are processed and responded to by the remote host. ICMP\\
-echo request messages are used by fragtest for simplicity and allow for easy analysis;\\
-the downside is that the tool can’t assess hosts that don’t respond to ICMP\\
-messages.\\
-After undertaking ICMP probing exercises (such as ping sweeping and hands-on use\\
-of the sing utility) to ensure that ICMP messages are processed and responded to by\\
-the remote host, fragtest can perform three particularly useful tests:
-  * Send an ICMP echo request message in 8-byte fragments (using the frag option)
-  * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte overlapping fragment, favoring newer data in reassembly (using the frag-new option)
-  * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte
-overlapping fragment, favoring older data in reassembly (using the frag-old
-option)
-Here is
- an example that uses fragtest to assess responses to fragmented ICMP echo\\
-request messages with the frag, frag-new, and frag-old options:
-<code bash>
-$ fragtest frag frag-new frag-old www.bbc.co.uk
-frag: 467.695 ms
-frag-new: 516.327 ms
-frag-old: 471.260 ms
-</code>
-== Fragroute ==
-The fragroute utility intercepts, modifies, and rewrites egress traffic destined for a\\
-specific host, according to a predefined rule set. When built and installed, version 1.2\\
-comprises the following binary and configuration files:
-<code bash>
-/usr/local/sbin/fragtest
-/usr/local/sbin/fragroute
-/usr/local/etc/fragroute.conf
-</code>
-The fragroute.conf file defines the way fragroute fragments, delays, drops, duplicates,\\
-segments, interleaves, and generally mangles outbound IP traffic.\\
-Using the default configuration file, fragroute can be run from the command line in\\
-the following manner:
-<code bash>
-$ cat /usr/local/etc/fragroute.conf
-tcp_seg 1 new
-ip_frag 24
-ip_chaff dup
-order random
-print
-$ fragroute
-Usage: fragroute [-f file] dst
-$ fragroute 192.168.102.251
-fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print
-</code>
-Egress traffic processed by fragroute is displayed in tcpdump format if the print\\
-option is used in the configuration file. When running fragroute in its default configuration,\\
-TCP data is broken down into 1-byte segments and IP data into 24-byte\\
-segments, along with IP chaffing and random reordering of the outbound packets.\\
-fragroute.conf. The fragroute man page covers all the variables that can be set within\\
-the configuration file. The type of IP fragmentation and reordering used by fragtest\\
-when using the frag-new option can be applied to all outbound IP traffic destined for\\
-a specific host by defining the following variables in the fragroute.conf file:
-<code bash>
-ip_frag 8 old
-order random
-print
-</code>
-TCP data can be segmented into 4-byte, forward-overlapping chunks (favoring\\
-newer data), interleaved with random chaff segments bearing older timestamp\\
-options (for PAWS elimination), and reordered randomly using these fragroute.conf\\
-variables:
-<code text>
-tcp_seg 4 new
-tcp_chaff paws
-order random
-print
-</code>
-I recommend testing the variables used by fragroute in a controlled environment\\
-before live networks and systems are tested. This ensures that you see decent results\\
-when passing probes through fragroute and allows you to check for adverse reactions\\
-to fragmented traffic being processed. Applications and hardware appliances\\
-alike have been known to crash and hang from processing heavily fragmented and
-mangled data!\\
-[[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]]
-Using Nmap to perform a fragmented SYN scan
-<code bash>
-$ nmap -sS -f 192.168.102.251
-</code>
-Using Nmap to specify decoy addresses
-<code bash>
-$ nmap -sS -P0 -D 62.232.12.8,ME,65.213.217.241 192.168.102.251
-</code>
-== Assessing source routing vulnerabilities ==
-tools that can assess and exploit source routing vulnerabilities found in\\
-remote networks:
-  * LSRScan [[ http://www.synacklabs.net/projects/lsrscan | lsrscan ]]
-  * LSRTunnel [[ http://www.synacklabs.net/projects/lsrtunnel | lsrscan ]]
-[[91]]

Daily *Nix

User Tools

Site Tools

Differences

Page Tools