Patch

The first rule of computer security is to check patches. This is true for networks, home computers, laptops, tablets, smart phones,…literally any computer. The operating system, database management systems, development tools, Internet browsers, and so forth all need to be checked for patches. In a Microsoft environment, this should be easy, as the Microsoft website has a utility that will scan your system for any required patches to the browser, operating system, or Office products. It is a very basic tenet of security to ensure that all patches are up to date. This should be one of the first tasks when assessing a system.

It is also important to consider the types of patches. The most important patches are labeled important or critical. (Microsoft labels them critical, but other vendors may use another designation.) These patches must be applied; without them, your system simply is not secure. Recommended patches should be applied unless you have some compelling reason not to. Finally, optional patches usually enhance or correct some minor functionality in the system but are not necessary for security. Your system will not be vulnerable without them.

While home users might benefit from automatic patching, automatic patching is not appropriate for network administrators. It is always possible that a patch might interfere with some custom software or some system configuration. Therefore, patches need to be deployed first to a test system to ensure that they do not disrupt any other software or configurations. Once the testing is complete, you can push a patch out to the production network. Even then, patches should be rolled out in stages, in case something goes wrong. This does not mean that patches are not applied in a timely manner. If there is a critical patch, it must be tested promptly so that it can be rolled out to the production network.

Once you have ensured that all patches are up to date, the next step is to set up a system to ensure that they are kept up to date. One simple method is to initiate a periodic patch review during which, at a scheduled time, all machines are checked for patches. There are also automated solutions that can patch all systems in an organization. It is imperative that all machines be patched, not just the servers.

An important issue is when to patch. For home users, it is usually recommended that automatic patching be turned on so that their systems get patched as soon as patches are available. However, this is not recommended for network administrators. It is entirely possible that a particular patch might not be compatible with some software on the network. A good example occurred in May 2022, when Microsoft’s “patch Tuesday” update caused Windows Active Directory authentication errors. Microsoft stated:¹

1. https://threatpost.com/microsofts-may-patch-tuesday-updates-cause-windows-ad-authentication-errors/179631/

After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

It is recommended that you install patches on a test machine that has an identical configuration to your network’s workstations. Then after the patch has been tested, it can be pushed out to the network.

Ports

As you learned in Chapter 2, “Networks and the Internet,” all communication takes place via some port. Any port you do not explicitly need should be shut down. Any unused services on servers and individual workstations should be shut down. Both Windows (XP, Vista, 7, 8, 10, and 11) and Linux have built-in port-filtering capability. Windows 2000 Professional was the first Windows operating system to include port-filtering capability. Windows XP expanded this to a fully functional firewall. Windows 7 added a firewall that could block outgoing as well as incoming traffic and that continues to Windows 11. Shutting down a service in Windows and port filtering are both discussed in more detail in Chapter 9, “Computer Security Technology.”

You should also shut down any unused router ports in your network. If your network is part of a larger WAN, then it is likely that you have a router connecting you to that WAN. Every open port is a possible avenue of entry for malware or an intruder. Therefore, every port you close eliminates an opportunity for such attacks to affect your system.

In Practice

Shutting Down a Service in Windows

For an individual machine that is not running firewall software, you do not directly close ports; instead, you shut down the service using a port. For example, if you do not use an FTP service but you see that the FTP port is on, chances are that you have an FTP service running on that machine. In Windows (any Windows version since Windows 7, including Windows 11) or in Windows Server (any version from 2008 on), if you have administrative privileges, you can take the following two steps to shut down an unneeded service:

1. Go to the Control Panel and double-click Administrative Tools. (Note that in Windows 10 you go to Control Panel, click on System and Security, and double-click Administrative Tools.)

2. Double-click Services. You should see a window similar to the one shown in Figure 11.1.

The window in Figure 11.1 shows all services installed on the machine, whether they are running or not. Notice that the window also displays information about whether a service is running, whether it starts up automatically, and so forth. In Windows, more information can be seen by selecting an individual service. When you double-click on an individual service in any version of Windows (Windows XP through Windows 11, Server 2003 through Server 2019), you see a dialog box similar to the one in Figure 11.2 that provides details about that service.

In the example shown in Figure 11.1, you can see a service on a machine that does not require it. In Figure 11.2 you see how to disable that service. To illustrate the procedure, next we will walk through disabling this service. (Before you turn off any service, however, you need to check whether other services depend on the one you are about to shut off. If other services depend on the one you want to turn off and you proceed to turn it off, you will cause the other services to fail.) Follow these steps to turn off a service:

1. Click on the Dependencies tab. In this case, the service has no dependencies.

2. Click the General tab.

3. Change the Startup type to Disabled.

4. Click the Stop button in the Service status section, if necessary. Your dialog box should look similar to the one in Figure 11.2. The fax service is now shut down.

5. Click OK to accept the edits made and close the Properties dialog box. Close the Services dialog box and the Administrative Tools dialog box.

Shutting down unneeded ports and services is an essential and very basic part of computer security. As mentioned, every port that is open (and every service that is running) is a possible avenue for a hacker or virus to get to your machine. Therefore, keep in mind this important rule: If you don’t need it, shut it down and block it.

Of course, you should make certain you are not shutting down services you do indeed need. Some services depend on other services. Fortunately, Windows gives you information about what services depend on a given service. If you are not certain, take the time to research a service before shutting it down. You don’t want to disable software and services that you do, in fact, need.

It is often the case that one will use a system that has an identical configuration to your production workstations and that system is used as a test. Either adding patches or shutting down services should be done on a test system. Then if there are no issues, you can roll the changes out to production machines. Even after using a test system, you should roll out to production in stages rather than roll out the entire network at one time. There is always the possibility of some issue occurring.

It is a best practice to make a list of all software that you are running. Then look up the ports and protocols that you need for that software and allow only those. It is important to keep in mind that these are ports for incoming traffic. If your machine is not used as a database server, web server, or other type of server and if your machine is a stand-alone one, you can (and should) close all ports. Workstations on networks may need some ports open for network utilities. We will examine some interesting utilities later in this chapter.

Protect

The next phase of assessing a system’s security is to ensure that all reasonable protective software and devices are employed. This means, at a minimum, having a firewall between your network and the outside world (refer to Chapter 2). You should also consider using an intrusion detection system (IDS) on that firewall and any web servers. (We discussed the Snort IDS in Chapter 9.) Some security experts consider IDSs to be nonessential; you can certainly have a secure network without one. However, using an IDS is the only way to know of impending attacks; there are free, open-source IDSs available, and I highly recommend using them. A firewall and an IDS will provide basic security to your network’s perimeter, but you also need virus scanning. Each and every machine, including servers, must have a virus scanner that is updated regularly. The point has already been made that a virus infection is the greatest threat to most networks. As also previously discussed, it is probably prudent to consider installing antispyware software on all of your systems to prevent users of your network from inadvertently running spyware on the network.

Policies

While policies are discussed in detail in Chapter 10, “Security Policies,” we briefly review some aspects of policies here. It is absolutely essential that any organization have clearly written policies on computer security—and that those policies be strongly enforced by management. Those policies should cover acceptable use of organizational computers, the Internet, email, and any other aspect of the system. Policies should prohibit the installation of any software on the systems. Only IT personnel should install software—and only after they have verified its safety.

Policies should also advise users against opening unknown/unexpected attachments. I recommend that people within an organization or department use a code word. If that code word does not appear in the body of an email (or in the subject line), then they do not open the attachment. Most virus attacks spread via email attachments. The subject line and body of such email messages are generated automatically by the virus itself. All of your legitimate attachments can have a code word in the subject line; it is highly unlikely that this word would be in the subject line of an email sent by a virus. This alone could prevent your users from inadvertently opening a virus.

Policies should also clearly delineate who has access to what data, how backups are performed, and what to do to recover data in the case of a disaster (commonly called a disaster recovery plan). Data access must be limited to only those personnel with an actual need to access the data. For example, not everyone in the human resources department needs access to disciplinary files on all employees. Does your organization have a plan for what to do if a fire destroys your servers and all their data? Where do you get new machines? Who gets them? Is there an offsite copy of the data backup? Such questions must be addressed in a disaster recovery plan.

There should be a policy regarding passwords: acceptable minimum length, lifetime of a password, password history, and passwords to be avoided, such as any word that has a direct connection to the user. For example, a user who is a big fan of the Dallas Cowboys should not use a password that has any relationship to that sports team. Also, passwords that relate to personal data, such as spouse’s birthday, children’s names, or pet names, are poor choices. A password policy could also include recommendations or restrictions on a password.

Additionally, a password should not be kept for long periods of time. A 90- or 180-day password replacement schedule is good for most situations. More secure environments might require 30 or even fewer days. Microsoft recommends 42 days (6 weeks). This is referred to as password age. (The frequency of required password changes, of course, must be based on the user’s access to sensitive information or data. A company financial officer might change her password weekly; a nuclear arms engineer might change his password daily; and a mail clerk might need to change her password on a much less frequent basis.) You can set many systems (including Windows) to force the user to get a new password after a certain period of time. You should also make sure the person does not merely reuse old passwords, referred to as password history and also referred to in some operating systems as uniqueness. A good rule of thumb is a history depth of five—meaning that the person cannot reuse any of her previous five passwords. Additionally, you may need to implement a minimum password age to prevent users from immediately changing their password five times to return to her current password. Generally, a minimum of 1 day is recommended.

Finally, policies should include specific instructions on what to do in case of an employee termination. It is imperative that all of that person’s login accounts be immediately disabled and any physical access to any part of the system be immediately discontinued. Unfortunately, many organizations fail to address this properly and end up providing opportunities for disgruntled former employees to inflict retribution on the former employer.

Probe

An important step in assessing any network is to probe the network. We will look at several probes later in this chapter. The key is to periodically probe your own network for security flaws. This should be a regularly scheduled event—perhaps once a quarter. At a minimum, a complete audit of your security should be completed once per year. That would, of course, include probing your ports. However, a true security audit would also include a review of your security policies, your patching system, any security logs you maintain, personnel files of those in secure positions, and so forth.

Physical

Finally, you cannot ignore physical security. The most robustly secure computer that is left sitting unattended in an unlocked room is not at all secure. You must have some policy or procedure governing the locking of rooms with computers as well as the handling of laptops, PDAs, and other mobile computer devices. Servers must be in a locked and secure room with as few people as is reasonably possible having access to them. Backup tapes should be stored in a fireproof safe. Documents and old backup tapes should be destroyed before disposal (for example, by melting tapes, magnetizing hard disks, destroying external storage devices, and so on).

Physical access to routers and hubs should also be tightly controlled. Having the most high-tech, professional information security on the planet but leaving your server in an unlocked room to which everyone has access is a recipe for disaster. One of the most common mistakes in the arena of physical security is co-locating a router or switch in a janitorial closet. This means that, in addition to your own security personnel and network administrators, the entire cleaning staff has access to your router or switch, and any one of them could leave the door unlocked for an extended period of time.

There are some basic rules you should follow regarding physical security:

• Server rooms: The room where servers are kept should be the most fire-resistant room in the building. It should have a strong door with a strong lock, such as a deadbolt. Only those personnel who actually have a need to go in the room should have a key. You might also consider a server room log wherein each person logs in when she enters or exits the room. There are actually electronic locks that record who enters a room, when she enters, and when she leaves. You may also wish to consider using biometric locks on critical areas such as server rooms. Consult local security vendors in your area for more details on price and availability.

• Workstations: Every workstation should have an engraved identifying mark. You should also routinely inventory them. It is usually physically impossible to secure them as well as you secure servers, but you can take a few steps to improve their security. Some companies choose to attach the workstations to the desks with cables. This can be effective and affordable.

• Miscellaneous equipment: Projectors, CD burners, laptops, and so forth should be kept under lock and key. Any employee who wishes to use one should be required to sign it out, and it should be checked to see that it is in proper working condition and that all parts are present when it is returned.

Having appropriate locks on doors is important. Locks that work with a passkey or swipe card that records who opened the door and when are recommended. Such recording of physical access should be done at least for sensitive areas like server rooms. Video monitoring has become quite inexpensive, and cameras can provide high-definition and night vision, as well as backup to the cloud. Such systems are even commonly found in homes.

Securing an Individual Workstation

There are a number of steps that any prudent individual can take to make his own computer secure. These steps should be taken for both home computers and workstations on a network. In the former case, securing the individual computer is the only security option available. In the latter case, securing the individual computers as well as the perimeter allows for a layered approach to security. While some network administrators simply secure the perimeter via a firewall and/or proxy server, it is generally believed that you should also secure each machine in your organization. This is particularly vital in protecting against virus attacks and some of the distributed denial of service attacks that you learned about in Chapter 4, “Denial of Service Attacks.”

The first step with an individual computer is to ensure that all patches are appropriately applied. Microsoft’s website has utilities that will scan your machine for needed patches for both Windows and Microsoft Office. It is critical that you do this on a regular basis—once per quarter as a minimum. You should also check your other software vendors to see whether they have some similar mechanism to update patches for their products. It is amazing how many virus outbreaks have been widespread despite patches being available to secure the flaws they exploited. Too many people simply do not ensure that patches are applied regularly. For a home computer, this is the most critical step in your security strategy and will protect you from a number of attacks designed to exploit security flaws. For a networked workstation, this is still a vital piece of the overall security strategy and cannot be ignored.

The second step in securing an individual computer is restricting the ability to install programs or alter the machine configuration. In a network environment, this would mean that most users do not have permissions to install software or change system settings. Only network administrators and designated support staff should have that ability. In a home environment, this would mean that only a responsible party or parties (such as the parents) have access rights to install software.

One of the reasons for this particular precaution is to prevent users from accidentally installing a Trojan horse or other malware on their machine. If a person is prevented from installing any software, then there is no chance of inadvertently installing improper software such as a Trojan horse, adware, or other malware. Blocking users from altering the machine’s configuration also prevents them from changing system security settings. Novice users may hear of some way to change some setting and will do so, not realizing the security risks they are exposing their system to.

A perfect example in which a novice might adversely alter security settings involves the Windows Messenger service. This is not used for chat rooms or instant messaging, as many novices incorrectly assume. It is instead used for network administrators to send a broadcast message to all people on a network. Unfortunately, some adware programs also use that service to circumvent pop-up blockers and inundate you with ads. Thus, a security-conscious person might disable that service. You would not want an inexperienced person to turn it back on by thinking it is needed for instant messaging.

It is absolutely critical in any network environment that limits be placed on what the average user can do to a machine’s configuration. Without such limits, even well-meaning employees could eventually compromise security. This particular step is often met with some resistance from the organization. If you are in charge of a system’s security, it is your job to educate the decision makers as to why this step is so critical.

The next step has been discussed previously in this book. Each and every computer must have antivirus and antispyware software. You must also set it to routinely automatically update its virus definitions. Updated, running antivirus software is an integral part of any security solution. The two-pronged approach of antispyware and antivirus software should be a major component in your individual computer security strategy. Some analysts feel that antispyware is a nice extra but not a critical component. Others contend that spyware is a rapidly growing problem and will probably eventually equal or surpass the dangers of virus attacks.

Of course, if your operating system has a built-in firewall, it is a good idea to configure it and have it turned on. Windows (10 and 11) and Linux both come with built-in firewall features. Turn them on and configure them properly. The only significant problem you may encounter in implementing this step is that most networks require a certain amount of traffic between key servers (such as the DNS server) and individual computers. When you configure your firewall, make certain you are allowing appropriate traffic through. If you are at home, you can simply block all incoming traffic. If you are on a network, you must identify what traffic you need to allow.

Passwords and physical security, as discussed earlier in this chapter, are a critical part of computer security. You must ensure that all users utilize passwords that are at least eight characters long and consist of a combination of letters, numbers, and characters. In general, make sure that your password policy is complete and that all employees follow it. This will ensure that your physical security system is sound.

Following these guidelines will not make your computer totally impervious to danger, but these guidelines will make your workstation as secure as it reasonably can be. Remember that, even in a network environment, it is critical to also secure each computer as well as the perimeter.

Securing a Server

The core of any network is its servers—database servers, web servers, DNS servers, file and print servers, and so on. These computers provide the resources for the rest of the network. Generally, your most critical data will be stored on these machines. This means that these computers are an especially attractive target for intruders, and securing them is of paramount importance.

Essentially, to secure a server, you should apply the same steps that you would apply to any workstation and then add additional steps. There will not be a user on that machine routinely typing documents or using spreadsheets, so extra-tight restrictions are unlikely to cause the same difficulties for end users that they might on a workstation.

To begin with, you must follow the same steps you would for a workstation. Each and every server should have its software routinely patched. It should also have virus-scanning software and perhaps antispyware as well. It is critical that access to these machines, both via logging on and physical access, be limited to only those people with a clear need. There are, however, additional steps you should take with a server that you might not take with a standard workstation.

Most operating systems for servers (for example, Windows 2019 Server, Linux) have the ability to log a variety of activities. These activities would include failed logon attempts, software installation, and other activities. You should make sure that logging is turned on and that all actions that might pose a security risk are logged. You then must make certain that those logs are checked on a periodic basis.

Remember that the data on a server is more valuable than the actual machine. For this reason, data must be backed up on a regular basis. A daily backup is usually preferred but, in some cases, a weekly backup might be adequate. The backup tapes should be kept in a secure offsite location (such as a bank safety deposit box) or in a fireproof safe. It is critical that you limit access to those backup tapes just as you would limit access to the servers themselves.

With any computer, you should shut down any service you do not need. However, with a server, you may wish to take the extra step of uninstalling any software or operating system components you do not need, meaning that anything not required for the server to function should be removed. But think carefully about this before proceeding. Clearly, games and office suites are not needed for a server. However, a browser might be necessary to update patches.

There is another step that should be taken with servers that is not necessary with workstations. Most server operating systems have built-in accounts. For example, Windows has built-in administrator, guest, and power user accounts. Any hacker who wants to try to guess passwords will begin by trying to guess the passwords that go with these standard users. In fact, there are utilities on the Web that will do this automatically for the would-be intruder. First, you should create your own accounts with names that do not reflect their level of permission. For example, disable the administrator account and create an account called basic_user. Set up basic_user as the administrator account, with appropriate permissions. (Of course, only give that username and password to those people you want to have administrator privileges.) If you do this, a hacker would not immediately guess that this account is the one that he wants to crack. Remember, hackers ultimately want administrative privileges on a target system; concealing which accounts have those privileges is a vital step in preventing the hacker from breaching your security.

There are a variety of Registry settings in any version of Windows that can be altered to increase your security. If you use a scanning tool, such as Cerberus, it returns a report stating the weaknesses in your Registry settings. What items in the Registry settings might cause security problems? A few items that are commonly examined include the following:

• Logon: If your Registry is set so that the logon screen shows the last user’s name, you have done half of the hacker’s work for her. Since she now has a username, she only needs to guess the password.

• Default shares: Certain drives/folders are shared by default. Leaving them shared like this presents a security hazard.

These are just a few of the potential problems in the Windows Registry. A tool such as Cerberus will not only tell you what the problems are but will make recommendations for corrections. To start the Registry editor, go to Start, select Run, and then enter regedit. You can then edit the Registry.

Securing a Network

Obviously, the first step in securing a network is to secure all computers that take part in that network, including all workstations and servers. However, this is just one part of network security. By now it should be clear that using a firewall and proxy server are also critical elements in network security. Chapter 12, “Cyber Terrorism and Information Warfare,” provides more details on these devices. For now, it is important to realize that you need to have them. Most experts also recommend using an IDS. There are a number of such systems available—and some are even free. These systems can detect things, such as port scanning, which might indicate that a person is preparing to attempt a breach of your security perimeter.

If your network is at all large, then you might consider partitioning it into smaller segments with a firewall-enabled router between segments. Of course, “large” is a vague term, and you will have to decide if your network is large enough to require partitioning. In this way, if one segment is compromised, the entire network will not be compromised. In this system, you might consider putting your most important servers (database, file) on a secure segment.

Because web servers must be exposed to the outside world and are the most common point of attack, it then makes sense to separate them from the rest of the network. Many network administrators will put a second firewall between the web server and the rest of the network. This means that if a hacker exploits a flaw in your web server and gains access to it, then he will not have access to your entire network. This brings up the issue of what should be on your web server. The answer is: only what you need to post web pages. No data, documents, or other information should be stored on that server, and certainly no extraneous software. The operating system and web server software are all that are required. You may add a few other items (such as an IDS) if your situation requires it. Any other software running on that server is a potential security risk.

Another concept you should consider is the DMZ (which stands for demilitarized zone). A DMZ essentially involves two firewalls: one outer and one inner. Resources that must be accessible to the outside world are between the two firewalls. The outer firewall is more permissive, and the inner firewall is highly restrictive. There are even routers that include this functionality in a single box. By plugging into certain ports, you are adding a device either behind the inner firewall or in the DMZ. This is shown in Figure 11.3.

You must also have policies that guide users in how to use the system, as we discussed earlier in this chapter. The most robust security in the world will not be of much use if a careless user inadvertently compromises your security. Keep in mind that you must have policies in place that guide users in what is considered appropriate use of the system and what is not.

Just as you take steps to harden your servers (such as patching the operating system and shutting down unneeded services), you should also harden your router. The specifics of what needs to be done will be contingent on your particular router manufacturer and model, but a few general rules should be followed:

• Use good passwords: All routers are configurable. They can be programmed. Therefore, you must obey the same password policies on a router that you would use on any server, including minimum password length and complexity, age of password, and password history. If your router allows you to encrypt the password (as Cisco and other vendors do), then do it.

• Use logging: Most routers allow for logging. You should turn this on and monitor it just as you would monitor server logs.

• Security rules: Some basic router security rules should also be followed:

  • Do not answer to Address Resolution Protocol (ARP) requests for hosts that are not on the user local area network (LAN).

  • If no applications on your network use a given port, that port should be also shut down on the router.

  • Packets not originating from inside your LAN should not be forwarded.

These rules are simply a beginning. You will need to consult your vendor’s documentation for additional recommendations. You must absolutely pay as much attention to securing your router as you do to securing your servers. The following links might be helpful:

• Router security: www.mavetju.org/networking/security.php

• Cisco router hardening: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

NESSUS

Nessus (www.Nessus.org) is the premiere network vulnerability scanner. There was formerly a free version for personal use and a commercial version. It is now only available for a fee. This is perhaps the most widely used vulnerability scanner available today. It is not nearly as simple to use as MBSA but has many more capabilities. We will explore the basic functionality. If you have an interest in learning more about Nessus, then it is recommended that you consult the documentation available at the Nessus website.

Nessus is a well-known vulnerability scanner. It has been used for many years. Unfortunately, it is not free. The license, which costs over $3300 per year, can be obtained from https://www.tenable.com. Its price has been a barrier for many penetration testers. The primary advantage of Nessus is that the vendor is constantly updating the vulnerabilities it can scan for. Nessus also has a very easy-to-use web interface, as shown in Figure 11.4.

If you click New Scan, you are given a number of options, as shown in Figure 11.5.

You can select Basic Network Scan to see a number of intuitive basic settings. You have to name your scan and select a range of IP addresses, as shown in Figure 11.6.

Then you can either schedule the scan to run later or launch it right away. Nessus scans can take some time to run because they are quite thorough. The results are presented in a very organized screen, as illustrated in Figure 11.7.

You can then drill down on any item of interest. If you double-click on a specific IP address, you can see details for that address, as illustrated in Figure 11.8.

You can then double-click on any individual item for more details about the issues and how to remediate them.

OWASP Zap

The Open Web Application Security Project (OWASP) is the standard for web application vulnerability. OWASP offers a free vulnerability scanner called the Zed Attack Proxy, commonly known as OWASP ZAP. You can download it from https://www.zaproxy.org/download/. The interface, shown in Figure 11.9, is very easy to use.

Just type in the URL of the site you wish to scan and click Attack. After a few moments, the results are displayed at the bottom of the screen. You can then expand any item. If you click on a specific item, details are loaded as shown in Figure 11.10.

OWASP ZAP is a very easy-to-use tool. The basics can be mastered in a few minutes. And given that OWASP is the organization that tracks web application vulnerabilities, it is a very good source for testing the vulnerabilities of a website.

Shodan

The Shodan tool is widely used by black hat hackers and security professionals alike. The website https://www.shodan.io is essentially a search engine for vulnerabilities. You need to sign up for a free account to use it, but then it can be invaluable to a pen tester trying to identify vulnerabilities. Of course, the site can also be invaluable to attackers. You can see the website in Figure 11.11.

Shodan allows you to search using a number of options, including the following:

• Search for default passwords, using search terms such as the following:

  • default password country:US

  • default password hostname:chuckeasttom.com

  • default password city:Chicago

• Find Apache servers, using search terms such as the following:

  • apache city: “San Francisco”

• Find webcams, using search terms such as the following:

  • webcamxp city:Chicago

• OLD IIS, using search terms such as the following:

  • “iis/5.0”

With Shodan you can use a number of filters, including these:

• city: Find devices in a specific city.

• country: Find devices in a specific country.

• geo: Specify coordinates (such as latitude and longitude).

• hostname: Find values that match a specific hostname.

• net: Search based on an IP address or an /x CIDR address.

• os: Search based on operating system.

• port: Find particular ports that are open.

• before/after: Find results within a specified time frame.

For example, Figure 11.12 shows the results of a search for default password city:Miami.

When you are performing a penetration test, it is a good idea to search Shodan for your company domain to find information that can guide your penetration testing efforts. Of course, would-be attackers can also use Shodan to find the same information. You can restrict your search to the hostname or domain name of a client who has hired you to conduct a penetration test. You can use Shodan to seek out default passwords, old web servers, unsecured web cameras, and other vulnerabilities in the target network.

The search shown in Figure 11.12 was conducted using the free version of Shodan. Shodan also offers a paid version that starts at $69 and provides additional tools. There are also small business and corporate memberships available at a higher price.

Kali Linux

Kali Linux is a Linux distribution that comes packed with open-source tools for cybersecurity, digital forensics, and penetration testing. There are several scanners in Kali Linux you should be familiar with, as described in the sections that follow.

Lynsis

Lynsis is a host-based, open-source security auditing application that can evaluate the security profile and posture of Linux and other UNIX-like operating systems. This tool comes installed with the Kali Linux distribution. Figure 11.13 shows a basic scan process with Lynsis.

Nikto

Nikto is a Kali Linux tool that scans websites for common vulnerabilities. There is no convenient graphical user interface; rather, you run Nikto from the Linux shell, and it is very simple to learn and use. You can see Nikto being used to scan my website in Figure 11.14.

The options with Nikto are easy to understand and use. For example, you can scan a group of IP addresses by just putting them all in a text file and using the command nikto -h targetIP.txt.

You can choose from several formats for output:

• csv: Comma-separated-values format

• htm: HTML format

• nbe: Nessus NBE format

• sql: Generic SQL format

• txt: Plain text

• xml: XML format

If not specified, the format is taken from the file extension that is passed to -output.

Sparta

Sparta is a vulnerability scanner that comes with Kali Linux and includes a number of other tools all in one package, including:

• Mysql-default

• Nikto

• Snmp-enum

• Smtp-enum-vrfy

• Snmp-default

• Snmp-check

Sparta also has an easy-to-use graphical user interface. Figures 11.15 through 11.17 show a basic Sparta scan.

Vega

Vega, like OWASP ZAP, is a scanner for web applications. It is free and open source. Using both OWASP ZAP and Vega on your web applications will help validate your findings. You can download Vega from https://subgraph.com/vega/download/. As with OWASP ZAP, you only need to type in the URL and select the modules, and Vega does the rest, as shown in Figure 11.18.

OpenVAS

OpenVAS is an open-source vulnerability scanner that was created by Greenbone Networks. The OpenVAS framework includes several services and tools that enable you to perform detailed vulnerability scanning against hosts and networks. OpenVAS can be downloaded from https://github.com/greenbone/openvas-scanner, and the documentation can be accessed at https://docs.greenbone.net/#user_documentation.

OpenVAS also includes an API that allows you to programmatically interact with its tools and automate the scanning of hosts and networks. The OpenVAS API documentation can be accessed at https://docs.greenbone.net/#api_documentation.

Running OpenVAS is very easy. The result screen will prompt you to purchase the full version by upgrading to a pro account, but you can ignore that if you wish and continue using the free version (see Figure 11.19).

NIST 800-115

NIST 800-115, “Technical Guide to Information Security Testing and Assessment,” is a general guide for testing—not just penetration testing. This standard covers items one would include as part of a system audit, such as document review, log review, and similar items. However, the standard also covers items that should be included in both penetration tests and vulnerability scans. Most importantly, NIST 800-115 uses three specific phases:

• Planning

• Execution

• Post-execution

This may seem like a rather simplified plan, but these phases are described in detail in the NIST 800-115 documentation. In fact, the standard recommends specific tools, many of which you have seen in this chapter already.

NSA-IAM

The National Security Agency InfoSec Assessment Methodology (NSA-IAM) is an excellent guide for penetration tests. The document describes three general phases, each subdivided into specific tasks:

• Pre-assessment

  • Determine and manage the customer’s expectations

  • Gain an understanding of the organization’s information criticality

  • Determine customer’s goals and objectives

  • Determine the system boundaries

  • Coordinate with customer

  • Request documentation

• On-site assessment

  • Conduct opening meeting

  • Gather and validate system information (via interview, system demonstration, and document review)

  • Analyze assessment information

  • Develop initial recommendations

  • Present out-brief

• Post-assessment

  • Additional review of documentation

  • Additional expertise

  • Report coordination

The NSA-IAM has three levels of security testing. Assessment Level I involves reviewing policies and procedures; it is essentially an audit. Assessment Level II involves the use of tools for diagnosing and finding flaws; this is a vulnerability scan. Assessment Level III involves red team exercises; this is where the penetration testing occurs. So you can see that audits, vulnerability scans, and penetration tests are all covered in this standard.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is the standard used by Visa, MasterCard, American Express, and Discover. There are in fact a great many parts to the standard, but here we will focus on the penetration testing part. Obviously, if you have a system that deals with credit cards, this is an important standard.

The main focus of PCI DSS is the security controls and objectives that companies that process credit cards should implement. Security auditing and penetration testing are done to ensure that such controls are implemented and the objectives are met. You need a basic understanding of PCI DSS in order to truly understand a PCI DSS penetration test.

National Vulnerability Database

The National Vulnerability Database is not a standard but rather a database of known vulnerabilities. When checking your network for vulnerabilities, it should be rather clear that you need to check for known vulnerabilities. An excellent place to start is the National Vulnerability Database, which is a U.S. government repository of vulnerability data that uses the Security Content Automation Protocol (SCAP, pronounced “ess-cap”). The National Vulnerability Database is essentially a set of open standards that allows interoperability among vulnerability scanners. The SCAP protocol is used to enable automated vulnerability management. It can also be used to support policy compliance, including compliance with the Federal Information Security Modernization Act of 2002 commonly referred to as FISMA. You can view the NVD website in Figure 11.20.