Security-Testing Tools
Pages: 8
File type: pdf
Size: 33.78 KB
No discussion of firewall and security tools is complete without a brief discussion regarding security-testing tools. Firewall administrators should make regular use of two primary tools to perform basic testing of the firewall ruleset and the firewall's ability to protect hosts and networks: port-scanning tools and vulnerability-scanning tools. To be sure, for an in-depth review of security, other tools such as password-cracking tools, packet-crafting tools, and exploit frameworks should absolutely be considered (a discussion of which is beyond the scope of this appendix).

Port-Scanning Tools

Port-scanning tools function by attempting to connect to a host using a range of TCP and UDP ports. This information can then be used to determine which ports are listening, and thus which applications are probably running on the host. Port-scanning tools are one of the best ways to test your firewall ruleset, because the ruleset should allow traffic only on the ports that you have defined. If you port scan the firewall (or the IP addresses of the protected hosts the firewall is protecting) and find that it responds on ports other than the ones that you have defined, there is a good chance that the firewall ruleset is misconfigured and therefore may be exposing the protected host/network to external threats.

The most common and popular port scanner is Nmap. Nmap is an open source utility that runs on Windows, Linux, and UNIX hosts and can be downloaded from http://www.insecure.org. Nmap contains both a command-line utility and a graphical front end; however, the Windows graphical front end has not been maintained and updated for quite some time.

Running Nmap is a straightforward process. Running Nmap without any options brings up the usage screen, as shown in Example A-9.

Example A-9. Nmap Usage Screen

```
C:\Download\Hacking Tools\Nmap\nmap-3.93>nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types (* options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: 1-1024,1080,6666,31337
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Do not ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG Output normal/XML/grepable scan logs to
  -iL Get targets from file; Use - for stdin
* -S /-e Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 192.88-90.*.*
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
```

Nmap supports both TCP and UDP port scanning, and for TCP port scanning it supports the following methods:

• Connect scan: This is a basic form of TCP scanning and uses the connect() system call provided by the operating system to attempt to connect to the remote host on the given port number and open a session. This is essentially the three-way handshake process, and although it provides a relatively certain method of identifying open ports, it is also easy to detect and is slower to perform a complete scan because of the additional overhead and wait time required for session establishment and teardown.

• SYN scan: This is the most common type of scan and is frequently referred to as half-open scanning because of how it works. For a SYN scan, Nmap attempts to initiate a SYN request to the target host on the given port number. If an RST response is received, the port is considered closed. If a SYN/ACK is received, the port is considered open. Nmap immediately sends an RST to tear down the session and proceeds to test the next port. This makes a SYN scan a fast scan to perform and complete, but it can produce incorrect results and requires root access on Linux and UNIX hosts to be run.

• FIN stealth, Xmas tree, and Null scan: These scanning techniques are all intended to be as quiet and difficult to detect as possible by sending packets that are out of context and have various TCP flags set (or unset in the case of a Null scan). The general concept behind these techniques is that a closed port is supposed to respond to a connection attempt with an RST, whereas open ports generally ignore these kinds of packets out of context. Nmap sends packets with the FIN flag (FIN stealth); FIN, URG, and PUSH flags (Xmas tree); and no flags (Null scan) in an attempt to surprise the host (that is, the host is receiving packets that it does not have a corresponding session with). The drawback to these kinds of scans is that although all hosts should support RFC 793, many do not and therefore respond inappropriately to FIN scans. This lack of support causes them to respond with an RST for all ports, when they should instead be dropping the packets on open ports. Therefore, these are rarely used.

In most cases, a SYN or Connect scan is more than adequate for testing your systems. Example A-10 shows the running of a SYN scan.

Example A-10. Basic Nmap SYN Port Scan Against a Cisco Secure PIX Firewall

[root@keoland nmap]# nmap -s ...
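
The ruleset check described under Port-Scanning Tools can be automated by comparing Nmap's grepable output (the -oG option in the usage screen) with the ports the firewall is supposed to expose. The following is an added example, not code from the book; the ALLOWED policy, the addresses, and the sample scan output are constructed for illustration.

```python
import re

# Assumed policy (hypothetical): ports each protected address should answer on.
ALLOWED = {
    "192.0.2.10": {(25, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(53, "tcp"), (53, "udp")},
}

# Constructed sample of grepable (-oG) output; documentation addresses only.
SAMPLE_OG = (
    "# Nmap 3.93 scan initiated as: nmap -sS -sU -oG - 192.0.2.10-12\n"
    "Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "3389/open/tcp//ms-term-serv///\tIgnored State: filtered (1665)\n"
    "Host: 192.0.2.11 ()\tPorts: 53/open/tcp//domain///, "
    "111/filtered/tcp//rpcbind///, 161/open|filtered/udp//snmp///\n"
    "Host: 192.0.2.12 ()\tStatus: Up\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")

def parse_grepable(text):
    """Return {host: {(port, proto): state}} from grepable scan output."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines start with '#'
        ports = results.setdefault(m.group(1), {})
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")  # port/state/proto/...
                if len(parts) >= 3 and parts[0].isdigit():
                    ports[(int(parts[0]), parts[2])] = parts[1]
    return results

def audit(scan, allowed):
    """Return (unexpected, missing) port lists relative to the policy."""
    unexpected, missing = [], []
    for host in sorted(set(scan) | set(allowed)):
        ports, permitted = scan.get(host, {}), allowed.get(host, set())
        for key, state in sorted(ports.items()):
            # Only a definite "open" counts; "open|filtered" is ambiguous.
            if state == "open" and key not in permitted:
                unexpected.append((host,) + key)
        for key in sorted(permitted):
            if ports.get(key) != "open":
                missing.append((host,) + key)
    return unexpected, missing
```

Entries in the first list are ports the firewall passes that the policy does not define, which is the misconfiguration signal the text describes; entries in the second are defined ports that the scan could not confirm as open.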