1.5 Network Security Assessment Methodology

The best practice assessment methodology used by determined attackers and network security consultants involves four distinct high-level components:

  • Network enumeration to identify IP networks and hosts of interest

  • Bulk network scanning and probing to identify potentially vulnerable hosts

  • Investigation of vulnerabilities and further network probing by hand

  • Exploitation of vulnerabilities and circumvention of security mechanisms

This complete methodology is relevant to Internet-based networks being tested in a blind fashion with limited target information (such as a single DNS domain name). If a consultant is enlisted to assess a specific block of IP space, he skips initial network enumeration and commences bulk network scanning and investigation of vulnerabilities.

1.5.1 Internet Host and Network Enumeration

Publicly available reconnaissance techniques, including web and newsgroup searches, Network Information Center (NIC) WHOIS querying, and Domain Name System (DNS) probing, are used to collect data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.

Initial reconnaissance is very important because it identifies hosts that aren't properly fortified from attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers) but neglecting hosts and networks that lay off the beaten track.

It may well be the case that a determined attacker also enumerates networks of third party suppliers and business partners that, in turn, have access to the target network space. Nowadays such third parties often have dedicated links into areas of internal corporate network space through VPN tunnels and other links.

Key pieces of information that are gathered through initial reconnaissance include details of Internet-based network blocks, internal IP addresses gathered from DNS servers, insight into the target organization's DNS structure (including domain names, subdomains, and hostnames), and IP network relationships between physical locations.

This information is then used to perform structured bulk network scanning and probing exercises to assess further the target network space and investigate potential vulnerabilities. Further reconnaissance involves extracting user details (including email addresses), telephone numbers, and office addresses.

1.5.2 Bulk Network Scanning and Probing

After identifying public IP network blocks that are related to the target network space, analysts should carry out bulk TCP, UDP, and ICMP network scanning and probing to identify active hosts and accessible network services (e.g., HTTP, FTP, SMTP, POP3, etc.), that can in turn be abused to gain access to trusted network space.

Key pieces of information that are gathered through bulk network scanning include details of accessible hosts and their TCP and UDP network services, along with peripheral information such as details of ICMP messages to which target hosts respond, and insight into firewall or host-based filtering policies.

After gaining insight into accessible hosts and network services, analysts can begin offline analysis of the bulk results and investigate the latest vulnerabilities in accessible network services.

1.5.3 Investigation of Vulnerabilities

New vulnerabilities in network services are disclosed daily to the security community and underground alike, through Internet mailing lists and public forums including Internet Relay Chat (IRC). Proof-of-concept tools are often published for use by security consultants, whereas full-blown exploits are increasingly retained by hackers and not publicly disclosed in this fashion.

Here are five web sites that are extremely useful for investigating potential vulnerabilities within network services:

  • SecurityFocus (http://www.securityfocus.com)

  • Packet Storm (http://www.packetstormsecurity.org)

  • CERT vulnerability notes (http://www.kb.cert.org/vuls/)

  • MITRE Corporation CVE (http://cve.mitre.org)

  • ISS X-Force (http://xforce.iss.net)

SecurityFocus hosts many useful mailing lists including BugTraq, Vuln-Dev, and Pen-Test. These can be subscribed to by email, and archived posts can be browsed through the web site. Due to the sheer number of posts through these lists, I personally browse the mailing-list archives only every couple of days.

Packet Storm actively archives underground exploit scripts, code, and other files. If you are in search of the latest public tools to compromise vulnerable services, Packet Storm is a good place to start. Often, SecurityFocus provides only proof-of-concept or old exploit scripts that aren't effective in some cases.

Lately, Packet Storm has not been updated as much as it could be, so I increasingly browse databases such as the MITRE Corporation Common Vulnerabilities and Exposures (CVE), ISS X-Force, and CERT vulnerability notes lists. These lists allow for effective collation and research of all publicly known vulnerabilities so that exploit scripts can be located or built from scratch.

Investigation at this stage may also mean further qualification of vulnerabilities. Often it is the case that bulk network scanning doesn't give detailed insight into service configuration and certain enabled options, so a degree of manual testing against key hosts is often carried out within this investigation phase.

Key pieces of information that are gathered through investigation include technical details of potential vulnerabilities along with tools and scripts to qualify and exploit the vulnerabilities present.

1.5.4 Exploitation of Vulnerabilities

Upon qualifying potential vulnerabilities in accessible network services to a degree that it's probable that exploit scripts and tools will work correctly, attacking and exploiting the host is the next step. There's not really a lot to say about exploitation at a high level, except that by exploiting a vulnerability in a network service and gaining unauthorized access to a host, an attacker breaks computer misuse laws in most countries (including the United Kingdom, United States, and many others). Depending on the goal of the attacker, she can pursue many different routes through internal networks, although after compromising a host, she usually undertakes the following:

  • Gain superuser privileges on the host

  • Download and crack encrypted user-password hashes (the SAM database under Windows and the /etc/shadow file under most Unix-based environments)

  • Modify logs and install a suitable backdoor to retain access to the host

  • Compromise sensitive data (databases and network-mapped NFS or NetBIOS shares)

  • Upload and use tools (network scanners, sniffers, and exploit scripts) to compromise other networked hosts

This book covers a number of specific vulnerabilities in detail but leaves cracking and pilfering techniques (deleting logs, installing back doors, sniffers and other tools) to the countless number of hacking books available. By providing you with technical information related to network and application vulnerabilities, you will be able to formulate effective countermeasures and risk-mitigation strategies.