112 Managing Network Vulnerability Assessment
the documents. Additionally, it has just been announced that the company is
now shipping a PC-based version of the Web site.
In the zero-information-based section, we will actually begin running tools
other than a standard Web browser. The first tool we use in the vulnerability
assessment is an Internet ferret tool. The primary focus of such tools is to list
all of the Web sites that link to our target company’s name and also, hopefully,
to uncover the domain name for our target network.
Copernic Basic
URL: http://www.copernic.com (Exhibit 14)
Price: Free
OS: NT
Vendor’s comments: This entry-level Web search tool, used and trusted by
millions of users worldwide, combines many search enhancement features
along with an intuitive user interface, making your Web searches
faster and easier than ever. Moreover, it is free!
Opinion: This is a great all-around tool. It can be used in place of common
Internet search engines. The added features of search sources other
than the Internet make it a more definitive ferret than other products.
The Copernic utility is like a “search engine on steroids”; it does a much
more exhaustive search for any and all references to your target company.
Exhibit 14. Copernic Basic
Technical (Bottom-Up) Methodology 113
This tool helps by eliminating the need for us to guess what the Internet
domain for our company is; it shows us any Web sites that contain the name
of our company; and finally, it allows us to look over the search results to
see if there are any potentially compromising Web sites postings about our
target network. We will be looking in the search results for Web site postings
that may be an HTML version of an e-mail posting to a newsgroup. We would
be looking for postings made by internal employees, past or present, that
may have information such as the types of systems the target network is
running. Sometimes, it is possible to find Web sites with postings such as:
Hi I’m Bob from Pelttech. We just got a new CheckPoint Firewall-1 in
our organization, and I’m having some trouble trying to configure
split-level DNS. Can anyone offer suggestions?
Thanks in advance,
Bob
Sam Spade
URL: http://www.samspade.org/ssw (Exhibit 15)
Price: Free
OS: NT
Vendor’s comments: Sam Spade does the majority of the work in the
zero-information-based section. It does a great job of taking UNIX
command-line tools and making them easier through the point-and-click interface.
There are a couple of key points to note about the Sam Spade utility. The
first item is that, by default, no nameserver is listed and no e-mail address is
listed. To do the spam relay check later on, you will need to put an e-mail
address in the e-mail address field. The nameserver field does not have to
be completed; however, if you are going to be using the tool frequently,
it is a time saver to have a nameserver already listed. Exhibit 15 reveals these
options.
The second point of note with Sam Spade is that some of the functionality
is disabled by default. To turn on all of these functions, you need to go to
the “Edit” menu and then select “Options” (Exhibit 16) and “Advanced”
(Exhibit 17).
Once you have the options set in Sam Spade, you are ready to begin using
the tool. The best way to begin is to simply plug the domain name uncovered
in the Copernic search into the target field and either click on the “Whois”
button on the left-hand side or simply hit the Enter key. The tool runs a
standard “Whois” lookup on the domain name that you specified in the target
field. Exhibit 18 illustrates these fields.
There are several pieces of useful information that you can get from the
simple “Whois” search in Sam Spade. The first and possibly most useful piece
of information is the location of the company that registered the domain.
Exhibit 15. The Default Sam Spade Workspace
Exhibit 16. The Sam Spade Options Screen
Exhibit 17. The Sam Spade Advanced Options Screen
Exhibit 18. The Sam Spade Default Fields
While this record may not always be the true address of the company, it is
accurate the majority of the time. This will be the first check that the domain
you have selected is the correct target network. It is beneficial to find out this
information now, before you spend days running vulnerability tests against
the wrong target domain. A mistake that you only make once!
The second piece of information you will get from the “Whois” is the
administrative and billing contact information. If the information in this portion
of the “Whois” looks like accurate information, it can be useful for social
engineering testing later on. If the information is accurate right down to the
phone extensions for the contacts, it might be time to list it as a vulnerability
in the final report.
The third piece of information that we find from running the “Whois” is
the primary and secondary nameserver for our target domain. If there is only
a single DNS server listed in the domain, it could potentially be a single point
of failure for the target network, and it might warrant a mention as a
vulnerability in the final report. Exhibit 19 provides an average “Whois” screen.
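The three “Whois” checks described above (registrant location, contact detail, number of nameservers), written out as an added example that is not part of the book or of Sam Spade; the whois record it parses is constructed for illustration, and the field names and phone format are assumptions about a typical registry output.

```python
import re

# Constructed whois record (not real registration data), in the style
# returned by the "Whois" lookup the text describes.
SAMPLE_WHOIS = """\
Domain Name: PELTTECH.EXAMPLE
Registrant Organization: Pelttech Inc.
Registrant City: Chicago
Registrant State/Province: IL
Registrant Country: US
Admin Name: Bob Example
Admin Phone: +1.5555550100 ext. 214
Admin Email: bob@pelttech.example
Billing Name: Accounts Payable
Billing Phone: +1.5555550100
Name Server: NS1.PELTTECH.EXAMPLE
"""

def parse_whois(text):
    """Collect field values; repeated fields (e.g. Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def registrant_location(record):
    """First check from the text: where the company that registered the domain is."""
    parts = [record.get(k, [""])[0] for k in
             ("registrant city", "registrant state/province", "registrant country")]
    return ", ".join(p for p in parts if p)

def whois_findings(record):
    """Second and third checks: items the text says may belong in the final report."""
    findings = []
    # Contact data accurate down to a phone extension aids social engineering.
    for role in ("admin", "billing"):
        for phone in record.get(f"{role} phone", []):
            if re.search(r"\b(ext\.?|x)\s*\d+", phone, re.IGNORECASE):
                findings.append(f"{role} contact lists a phone extension: {phone}")
    # A single listed DNS server is a potential single point of failure.
    servers = record.get("name server", [])
    if len(servers) < 2:
        findings.append(f"only {len(servers)} name server listed: single point of failure")
    return findings
```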
Having finished the “Whois” lookup on the target domain, the next step
is to attempt a “zone transfer” (see Exhibit 20 and Exhibit 21). Zone transfer
can be a vulnerability because it allows a client to download the entire contents
of a DNS file from the server. All major DNS server manufacturers provide
the functionality to restrict zone transfer to only the other name servers for
that domain. After all, those are the devices that actually need to perform a
zone transfer, to keep the database information current and synchronized.
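To verify that your own nameservers apply the restriction described above, here is an added example (not from the book or from Sam Spade) that frames an AXFR request in DNS wire format and reads the response header: a REFUSED rcode, or no answer records, means the server is not handing out the zone. The zone name and the responses used for checking are constructed; only standard-library modules are used.

```python
import socket
import struct

AXFR = 252  # QTYPE for a full zone transfer (RFC 1035)

def build_axfr_query(zone, txid=0x1234):
    """Build a TCP-framed DNS query asking for the whole zone."""
    # flags 0x0000: standard query, recursion not requested
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack(">HH", AXFR, 1)  # class IN
    return struct.pack(">H", len(msg)) + msg  # 2-byte length prefix for TCP

def transfer_allowed(framed_response):
    """True if the first response message carries records instead of an error."""
    (length,) = struct.unpack(">H", framed_response[:2])
    msg = framed_response[2:2 + length]
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 5 = REFUSED
    return rcode == 0 and ancount > 0

def probe_zone_transfer(server, zone, timeout=5.0):
    """Send one AXFR query over TCP and return the first framed response.
    Run this only against nameservers you are responsible for."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        head = s.recv(2)
        (length,) = struct.unpack(">H", head)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        return head + body

# Constructed responses for offline checking (no server involved):
REFUSED = struct.pack(">H", 12) + struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
ANSWERED = struct.pack(">H", 12) + struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)
```

A properly restricted server returns REFUSED to any host that is not one of its secondaries, so `transfer_allowed(probe_zone_transfer(ns, zone))` should be False from an ordinary client.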
Exhibit 19. Sam Spade Whois