Information security is a vast field and has a broad interest there
are so many penetration tester and ethical hacker out there that
provides there services for network and web application testing. IT
auditing is an essential part of today networks, network can be a small
(LAN) and a big both are requires auditing.
IT auditing is not directly
reflect the image of penetration testing and vulnerability assessment
because there are multiple types of audit, its all depend on the
objectives and the goals. An organization uses IT auditing to control
the flow of information, to find the network weaknesses, policies,
backup procedure, patching and to ensure the protection of users and
customer information, well as said earlier its all depend on the goal.
Generally
IT audit means to find the hardware’s and software’s that are
associated with the network, like IT auditing can be used to track
- Partition
- Sound cards, Videos cards, LAN cards and other
- System component
- Installed software’s (including OS)
- Security setting
A quick example of an IT audit result can be see in this picture.
Auditing Network Security
As
the security is an important part of IT audit so how an auditor can
perform network security test, information gathering is the first step
of it, gather maximum information about the network.
- What actually a network is?
- What is the network topology?
- How many devices are associated with the network?
- How many hosts are alive?
- What are the weaknesses of the network?
- Which operating system are used on most of the host?
- Is patch management work?
- How to break network security?
- How to exploit a host? To gain the access on the network.
So
these are the main question of network security auditing and an auditor
supposed to give the detail answer of these questions.
Tools are
the essential component of any test including network security auditing,
there are both open source and commercial tools are available for this
purpose. Nmap, Openaudit and nessus are the best tools for this purpose.
Network
mapper (Nmap) the best tool for multiple purposes, basically it is a
network scanner and a port scanner utility but in this tutorial we will
use it for auditing network security. Zenmap is a GUI of nmap, while
nmap is a command line tool.
Let start with the first phase, what
is a network ? Network topology, number of host, alive host, open ports,
services and others can be find by using nmap.
On the target box enter the IP of the target but for auditing case I
want to scan the whole network that is why I have used class C IP
subnet. Intense scan is a famous and
it gives you the complete picture of the network while if you want just
ping than you can do this and if you want nmap to scan a specific port Intense scan, all TCP ports and than define the range of the ports.
By looking the result you can realize the alive host and the open ports even we can find the topology look at the picture below.
The important picture that give you all the
information about any host including the operating system, IP address,
MAC address, open ports, operating system class, up time, last boot time
and many more.
So after this quick scan an auditor has
so many information about a network and in my views the more information
more the chance of the success. Now the next step would be to find the
weaknesses (vulnerabilities) that cause a network to exploit.
Vulnerability Assessment
This
is another an important step for network security auditing,
vulnerabilities assessment is a process to find the vulnerability on a
system and a network. There are different kind of vulnerability can be
find on a system like the high risk vulnerability and low risk
vulnerability. Usually the high risk vulnerabilities like :
- Buffer overflow
- Default password
- Known back-doors
- Poor/mis configuration
- Out dated software’s
If
we see as a hacker/attacker perspective than these vulnerabilities can
cause a network to be compromise so a network security auditor is
responsible to find the vulnerabilities and suggest something (technical
stuffs) to fix the vulnerabilities.
There
are different vulnerability scanners are available on both open source
and commercial platform but make sure there are some vulnerability
scanner for web application but in this article our focus is network
vulnerability scanner. Nessus, OpenVAS and Retina vulnerability scanner
and management are the wonderful tools for this purpose, before going to
the practical aspect I want to introduce false positive
result/response.
False positive
means an incorrect result, a software may find a vulnerability that you
want it to find, if you think that false positive response is not a
matter than you are wrong it takes your time. Keep in mind about false
positive result before deciding a software for vulnerabilities
assessment.
In this
article we will discuss Nessus and we will use Nessus as a
vulnerabilities scanner and assessment tool, nessus is a very power tool
that can used for multiple purposes from network vulnerabilities
scanning to web vulnerability scanning, it can be used for:
- Vulnerability scanning
- Vulnerability management
- Configuration auditing
- Log management
- Network discovery
Now why nessus and what nessus can do for us, if we are discussing about passive scanning than is a tool to find:
- SSL certificate
- Host file detection
- Host services detection
- Open port detection
- Vulnerability detection (It suggests the solution too)
- Internal IP address detection
- VPN detection
- Firewall, IDS and IPS detection
- Proxy detection
- Real time DNS traffic
- Real time web traffic
- More
For
detection purposes the real weapon of Nessus is SYN packets because
every operating system uses SYN packets in a unique way so by using the
SYN packets Nessus discover the host and the services, as in a basic DOS
attack theory the SYN packets can be used for SYN flooding so an
auditor must take care these aspect of vulnerability assessment. Your
test must not be count as a Denial of service attack for a network.
Vulnerability
monitoring that is used in Nessus vulnerability scanner are CVE (Common
vulnerability and exposure) and CPE, beside auditing and analyzing
host, port, services and vulnerability nessus can be used to monitor
real time activities like:
- DNS (DNS lookup analysis)
- Facebook (Log in/ log out, user ID analysis)
- SMTP (source and sink of an email)
- SMB
- Twitter (Log in/ log out and other activity analysis)
- Database (SQL,Oracle and other database analysis)
- More..
Continuous
monitoring or real time monitoring reduce the chance of the active
scanning so as a economical aspect it is a good process and highly
recommended because active scanning means operation or test on all the
network from physical layer to application layer and it takes time,
money, human effort (more engineer required) and the process may slow
down the network or if the test is not perform carefully than there is
chance of denial of service.
As
we have discussed most of the theorical, economical and technical side
of this test but before going to the example of test I want to let you
know about an important side of the picture, let suppose an network
security auditor/ penetration tester going to conduct a test on a large
enterprise network keep in mind that these sort of network usually has
web application server or may be some of the applications are enable for
web. So in this case web server security monitory is also a necessary
part and the web applications are the most common victim. That is why I
choose nessus for vulnerability assessment because it provides an
effective platform to perform a test on web application as well as
network.
Nessus has
designed to check each and every port of a web application and other
services whether it is an uncommon port, the depth analysis of web
application provides:
- Analysis of HTTP and HTTPS services
- Analyze all the website that is host on a server
- Analyze SSL certificate, expiry of SSL certificate and more
- Analyze content for insecure JavaScript that is lead towards the code injection attack
Second part of this series article will be publish!
