6. RESULTS
6.4 DESCRIPTION AND ANALYSIS OF THE APPLICATION OF THE SEQUENCE
6.4.7 Description of the fourth activity of the teaching sequence
Having completed step 1, information gathering, we now need to assess the Web and database servers for vulnerabilities. To do this we’ll need to switch tools. Nmap aided in the information-gathering process, but it’s not a vulnerability assessment tool; its strengths reside in the information-gathering arena. To detect vulnerabilities we need a vulnerability assessment utility. Several VA tools are on the market, but for our purposes, we’ll utilize Retina 5.0 from eEye Digital Security. Table 6.3 includes a partial list of the vulnerability scanners on the market today.
Setting Up the VA
Within Retina, we need to create a scan job. The scan job will define the parameters of our vulnerability assessment. As per the Retina User Guide, these parameters include:
■ Hosts Hosts to be assessed
■ Ports TCP and User Datagram Protocol (UDP) ports that are included in the assessment
■ Audits Vulnerabilities the hosts are evaluated against
■ Options Attributes such as operating system detection, reverse domain name system (DNS) query, and so on
■ Credentials Account information, if any, used to remotely connect to a system
The following steps will guide us through setting up a scan job within Retina.
1. Upon launching Retina, select the Audit tab from the Retina interface. Figure 6.6 shows the Audit interface.
Table 6.3 List of VA Scanners

Company                         | Product          | URL
--------------------------------|------------------|----------------
eEye Digital Security           | Retina           | www.eeye.com
Tenable Network Security        | Nessus           | www.nessus.org
Internet Security Systems (ISS) | Internet Scanner | www.iss.net
Figure 6.6 Retina Audit Interface
2. Next, select the Targets tab and create an Address Group associated with the Web and database servers by selecting the Modify button on the Targets tab.
3. After creating the Address Group, supply a Filename and Job Name to the scan and select the Ports tab. The Filename and Job Name parameters are simply descriptors for the
For our purposes, select All Ports. We’re doing this to ensure that we don’t miss any applications or services that could be running on an uncommon or infrequently used port. If we were conducting a vulnerability assessment against our enterprise, we would need to reduce the number of ports evaluated to improve the audit speed and performance. Accessing every host against more than 65,000 ports could prove to be quite time consuming. Since we’re evaluating only two hosts, this isn’t an issue for us. Following are descriptions for the various Port Group options:
■ All Ports Scans all ports
■ Common Ports Scans common application ports such as TCP port 80 for Web servers and TCP port 25 for e-mail servers
■ Discovery Ports Scans those ports used in Discovery
■ HTTP Ports Scans ports 80 and 443
■ NetBIOS Ports Scans ports 135, 139, and 445
4. After selecting All Ports, continue to the Audits tab and check All Audits. Figure 6.8 displays Retina’s default audit selection. Recall that audits determine which known vulnerabilities our hosts will be evaluated against.
Figure 6.7 Retina Ports Interface
Figure 6.8 Retina Audit Groups
We’ve decided to evaluate the Web and database servers against all the vulnerabilities within the Retina database. Once again, if this were an enterprise assessment, we’d want to scope this. Since we’re evaluating only two hosts, we’ll select All Audits to unearth all possible system and application-level vulnerabilities.
5. Next we’ll define the options of the scan by selecting the Options tab. These options include:
■ Perform OS Detection
■ Get Reverse DNS
■ Get NetBIOS Name
■ Get MAC Address
■ Perform Traceroute
■ Enable Connect Scan Connect to the target port and complete a full three-way handshake (SYN, SYN/ACK, and ACK).
■ Enable Force Scan
■ Perform the Various NetBIOS Enumerations
For our scan, we select Perform OS Detection, Enable Connect Scan Mode, and Perform the Various NetBIOS Enumerations. Notice that we’re repeating some of the same efforts we conducted in the information-gathering phase. Unfortunately, Retina can’t utilize the information gathered via Nmap. Because of this, we’ll need to repeat these exercises to accurately detect the vulnerabilities present on the Web and database servers. We could have leveraged Retina to begin with. We instead utilized Nmap for its robust operating system detection and enumeration options.
6. Having finalized our options, and because we’re not leveraging credentials within this scan, we select the Scan button shown on the left-hand side in Figure 6.8 to initiate the vulnerability assessment.
Interpreting the VA Results
Once the vulnerability assessment is complete, we analyze the results to see whether any vulnerabilities were discovered on the Web and database servers. Remember that the goal of the penetration test is to see whether we can gain unauthorized access to customer records housed on the database. Ideally we’d like to discover a vulnerability on the database server and use it as an avenue into the system. If a vulnerability isn’t present on the database server, we’ll look to exploit the Web server in an attempt to gain access to the customer records. Figure 6.9 contains the output of our vulnerability assessment. Table 6.4 is our System Information Table, updated to include the Retina data.
Figure 6.9 Retina Vulnerability Output

eEye Digital Security
Retina Network Security Scanner
Network Vulnerability Assessment & Remediation Management Summary Report

10.192.146.34
____________________________________________
General 10.192.146.34 (Machine Information – DB Server)
____________________________________________
Machine Name: N/A   NetBIOS Domain: N/A   DNS Name:
IP Address: 10.192.146.34   MAC Address: N/A
Traceroute:   Time to Live: 125   Ping: Host Responded   Open TCP Ports: N/A   Open UDP Ports: N/A
Operating System: Windows 2000
____________________________________________
Audits 10.192.146.34 (Vulnerability Detail)
____________________________________________
Limited Null Session
    Risk Level: Low   BugtraqID: 494   CVE: CVE-2000-1200
DCOM Enabled
    Risk Level: Medium   BugtraqID: N/A   CVE: CAN-1999-0658
No Remote Registry Access Available
    Risk Level: Information   BugtraqID: N/A   CVE: N/A
TCP:3389 - Terminal Services enabled
    Risk Level: Low   BugtraqID: N/A   CVE: N/A
Microsoft Windows Non-Default User Service
    Risk Level: Information   BugtraqID: N/A   CVE: N/A
ICMP Timestamp Request
    Risk Level: Low   BugtraqID: N/A   CVE: CVE-1999-0524
____________________________________________
Ports 10.192.146.34 (Open Ports)
____________________________________________
111 : TCP : Open : SUNRPC - SUN Remote Procedure Call
135 : TCP : Open : RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
139 : TCP : Open : NETBIOS-SSN - NETBIOS Session Service
445 : TCP : Open : MICROSOFT-DS - Microsoft-DS
1433 : TCP : Open : MS-SQL-S - Microsoft-SQL-Server
3389 : TCP : Open : MS RDP (Remote Desktop Protocol) / Terminal Services
4987 : TCP : Open : Unknown Port
5250 : TCP : Open : Unknown Port
5555 : TCP : Open : ServeMe
10204 : TCP : Open : CA License Client/Server
___________________________________________________________________________

10.192.144.54
____________________________________________
General 10.192.144.54 (Machine information – Web Server)
____________________________________________
Machine Name: N/A   NetBIOS Domain: N/A   DNS Name:
IP Address: 10.192.144.54   MAC Address: N/A
Traceroute:   Time to Live: 125   Ping: Host Responded   Open TCP Ports: N/A   Open UDP Ports: N/A
Operating System: N/A
____________________________________________
Audits 10.192.144.54 (Vulnerability Detail)
____________________________________________
TCP:2301 - JetPhoto Server "Name" And "Page" Variables Cross Site Scripting
    Risk Level: Low   BugtraqID: N/A   CVE: N/A
DCOM Enabled
    Risk Level: Medium   BugtraqID: N/A   CVE: CAN-1999-0658
Microsoft MSDTC and COM+ Buffer Overflow (902400) - Remote
    Risk Level: High   BugtraqID: 15056,15057   CVE: CAN-2005-1979,CAN-2005-2119,CAN-2005-1978
TCP:3389 - Terminal Services enabled
    Risk Level: Low   BugtraqID: N/A   CVE: N/A
TCP:2967 - Norton AntiVirus Corporate Edition (managed service) detected
    Risk Level: Information   BugtraqID: N/A   CVE: N/A
ICMP Timestamp Request
    Risk Level: Low   BugtraqID: N/A   CVE: CVE-1999-0524
No Remote Registry Access Available
    Risk Level: Information   BugtraqID: N/A   CVE: N/A
____________________________________________
Ports 10.192.144.54 (Open Ports)
____________________________________________
135 : TCP : Open : RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
139 : TCP : Open : NETBIOS-SSN - NETBIOS Session Service
443 : TCP : Open : HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)
445 : TCP : Open : MICROSOFT-DS - Microsoft-DS
1065 : TCP : Open : HP OpenView
2103 : TCP : Open : ZEPHYR-CLT - Zephyr Serv-HM Conncetion
2105 : TCP : Open : EKLOGIN - Kerberos (v4) Encrypted RLogin
2301 : TCP : Open : CIM - Compaq Insight Manager
3389 : TCP : Open : MS RDP (Remote Desktop Protocol) / Terminal Services

Table 6.4 Summary of Retina Output

# | Host     | IP Address    | Operating System | Open Ports                                                                                          | Vulnerabilities/Severity
--|----------|---------------|------------------|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------
1 | Web      | 10.192.144.54 | Windows 2000     | 135/tcp, 139/tcp, 443/tcp, 445/tcp, 1043/tcp, 2105/tcp, 2301/tcp, 3372/tcp, 3389/tcp, 49400/tcp     | JetPhoto (Low), DCOM (Medium), MSDTC (High), TS (Low), Norton (Low), ICMP (Low)
2 | Database | 10.192.146.34 | Windows 2000     | 111/tcp, 135/tcp, 139/tcp, 445/tcp, 1433/tcp, 3389/tcp, 4125/tcp, 4987/tcp, 5555/tcp                | Null Session (Low), DCOM (Medium), TS (Low), ICMP (Low)
Referring to Table 6.4 we notice that the database doesn’t contain a high-level vulnerability that we can exploit to gain unauthorized access to it. The highest-level vulnerability it possesses is associated with Microsoft Distributed Component Object Model (DCOM) being enabled, which really doesn’t represent a vulnerability. The Web server, on the other hand, does possess a high-level vulnerability. It’s susceptible to a Microsoft Distributed Transaction Coordinator (MSDTC) and Component Object Model (COM)+ buffer overflow. In an effort to gain access to the customer records, we’ll need to first exploit the Web server. If we’re successful, we’ll attempt to leverage the Web server to gain access to the database.
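As an added example (not code from the book or from eEye's Retina), the following Python parser reads the summary-report layout shown in Figure 6.9, builds the per-host view that Table 6.4 summarizes by hand, and ranks the hosts by their worst finding so a defender can work the remediation list top-down. The report excerpt is constructed from the page's own figure, and the regular expressions assume the "Risk Level: ... BugtraqID: ... CVE: ..." line layout seen there.

```python
import re
from collections import defaultdict
SEVERITY = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
# Constructed excerpt modelled on the report layout shown in Figure 6.9.
SAMPLE_REPORT = """\
General 10.192.146.34 (Machine Information - DB Server)
Operating System: Windows 2000
Audits 10.192.146.34 (Vulnerability Detail)
Limited Null Session
Risk Level: Low BugtraqID: 494 CVE: CVE-2000-1200
DCOM Enabled
Risk Level: Medium BugtraqID: N/A CVE: CAN-1999-0658
Ports 10.192.146.34 (Open Ports)
1433 : TCP : Open : MS-SQL-S - Microsoft-SQL-Server
General 10.192.144.54 (Machine information - Web Server)
Audits 10.192.144.54 (Vulnerability Detail)
Microsoft MSDTC and COM+ Buffer Overflow (902400) - Remote
Risk Level: High BugtraqID: 15056,15057 CVE: CAN-2005-1979,CAN-2005-2119,CAN-2005-1978
Ports 10.192.144.54 (Open Ports)
443 : TCP : Open : HTTPS - HTTPS (Hyper Text Transfer Protocol Secure)
"""
SECTION = re.compile(r"^(General|Audits|Ports) (\d+\.\d+\.\d+\.\d+) \(")
RISK = re.compile(r"^Risk Level: (\w+) BugtraqID: (\S+)(?: CVE: (\S+))?")
PORT = re.compile(r"^(\d+) : (TCP|UDP) : Open : (.*)")
def parse_report(text):
    """Return {ip: {"os": str, "ports": [...], "audits": [(title, risk, cve)]}}."""
    hosts = defaultdict(lambda: {"os": "N/A", "ports": [], "audits": []})
    section = ip = pending = None  # pending: audit title awaiting its Risk Level line
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section, ip = m.group(1), m.group(2)
        elif section == "General" and line.startswith("Operating System:"):
            hosts[ip]["os"] = line.split(":", 1)[1].strip()
        elif section == "Audits":
            if m := RISK.match(line):
                hosts[ip]["audits"].append((pending, m.group(1), m.group(3) or "N/A"))
            elif line and not line.startswith("_"):
                pending = line  # a finding title; underscore runs are separators
        elif section == "Ports" and (m := PORT.match(line)):
            hosts[ip]["ports"].append(f"{m.group(1)}/{m.group(2).lower()}")
    return dict(hosts)

def worst_risk(host):
    """Highest severity among a host's audits ("Information" if it has none)."""
    return max((a[1] for a in host["audits"]), key=SEVERITY.get, default="Information")

def rank_hosts(hosts):
    """IPs ordered worst-first: the remediation priority a defender works down."""
    return sorted(hosts, key=lambda ip: SEVERITY[worst_risk(hosts[ip])], reverse=True)
```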
Penetration Testing
Penetration tests utilize the vulnerabilities discovered during a VA to exploit, or gain unauthorized access to, targeted systems. Whereas a vulnerability assessment identifies security holes within a system or application, a penetration test takes advantage of these weaknesses to gain unauthorized system-level access.
Having reported and detected the vulnerabilities present on the Web and database servers, it’s now time to exploit, attack, and penetrate these weaknesses. To aid us we’ll leverage Core Impact 5.1 from Core Security. Additional penetration tools include Dave Aitel’s Canvas and Metasploit. You can also find free vulnerability exploits at www.packetstormsecurity.org and www.securityfocus.com/bid.