Having completed step 1, information gathering, we now need to assess the Web and database servers for vulnerabilities. To do this we'll need to switch tools. Nmap aided in the information-gathering process, but it's not a vulnerability assessment tool; its strengths lie in information gathering. To detect vulnerabilities we need a vulnerability assessment (VA) utility. Several VA tools are on the market, but for our purposes we'll use Retina 5.0 from eEye Digital Security. Table 6.3 includes a partial list of the vulnerability scanners on the market today.
Table 6.3 List of VA Scanners

Company                   Product   URL
eEye Digital Security     Retina    www.eeye.com
Tenable Network Security  Nessus    www.nessus.org
Setting Up the VA
Within Retina, we need to create a scan job. The scan job defines the parameters of our vulnerability assessment. As per the Retina User Guide, these parameters include:
■ Hosts: Hosts to be assessed
■ Ports: TCP and User Datagram Protocol (UDP) ports that are included in the assessment
■ Audits: Vulnerabilities the hosts are evaluated against
■ Options: Attributes such as operating system detection, reverse domain name system (DNS) query, and so on
■ Credentials: Account information, if any, used to remotely connect to a system
The following steps will guide us through setting up a scan job within Retina.
1. Upon launching Retina, select the Audit tab from the Retina interface. Figure 6.6 shows the Audit interface.
Figure 6.6 Retina Audit Interface
2. Next, select the Targets tab and create an Address Group associated with the Web and database servers by selecting the Modify button on the Targets tab.
3. After creating the Address Group, supply a Filename and Job Name for the scan and select the Ports tab. The Filename and Job Name parameters are simply descriptors for the scan. Selecting the Ports tab displays Figure 6.7.
Figure 6.7 Retina Ports Interface
For our purposes, select All Ports. We're doing this to ensure that we don't miss any applications or services that could be running on an uncommon or infrequently used port. If we were conducting a vulnerability assessment against our enterprise, we would need to reduce the number of ports evaluated to improve the audit speed and performance. Assessing every host against more than 65,000 ports could prove to be quite time consuming. Since we're evaluating only two hosts, this isn't an issue for us. Following are descriptions of the various Port Group options:
■ All Ports: Scans all ports
■ Common Ports: Scans common application ports such as TCP port 80 for web servers and TCP port 25 for email servers
■ Discovery Ports: Scans those ports used by Discover
■ HTTP Ports: Scans ports 80 and 443
■ NetBIOS Ports: Scans ports 135, 139, and 445
4. After selecting All Ports, continue to the Audits tab and check All Audits. Figure 6.8 displays Retina's default audit selection. Recall that audits determine which known vulnerabilities our hosts will be evaluated against.
We've decided to evaluate the Web and database servers against all the vulnerabilities within the Retina database. Once again, if this were an enterprise assessment, we'd want to scope this. Since we're evaluating only two hosts, we'll select All Audits to unearth all possible system and application-level vulnerabilities.
5. Next we'll define the options of the scan by selecting the Options tab. These options include:
■ Perform OS Detection
■ Get Reverse DNS
■ Get NetBIOS Name
■ Get MAC Address
■ Perform Traceroute
■ Enable Connect Scan: Connect to the target port and complete a full three-way handshake (SYN, SYN/ACK, and ACK).
■ Enable Force Scan
■ Perform the Various NetBIOS Enumerations
For our scan, we select Perform OS Detection, Enable Connect Scan Mode, and Perform the Various NetBIOS Enumerations. Notice that we're repeating some of the same efforts we conducted in the information-gathering phase. Unfortunately, Retina can't use the information gathered via Nmap, so we'll need to repeat these exercises to accurately detect the vulnerabilities present on the Web and database servers. We could have used Retina from the start; we chose Nmap instead for its robust operating system detection and enumeration options.
6. Having finalized our options, and because we're not using credentials within this scan, we select the Scan button shown on the left-hand side in Figure 6.8 to initiate the vulnerability assessment.
Interpreting the VA Results
Once the vulnerability assessment is complete, we analyze the results to see whether any vulnerabilities were discovered on the Web and database servers. Remember that the goal of the penetration test is to see whether we can gain unauthorized access to the customer records housed on the database. Ideally we'd like to discover a vulnerability on the database server and use it as an avenue into the system. If no vulnerability is present on the database server, we'll look to exploit the Web server in an attempt to gain access to the customer records. Figure 6.9 contains the output of our vulnerability assessment. Table 6.4 is our System Information Table, updated to include the Retina data.
Figure 6.9 Retina Vulnerability Output
eEye Digital Security
Retina Network Security Scanner
Network Vulnerability Assessment & Remediation Management
Summary Report

10.192.146.34
--- General 10.192.146.34 (Machine Information – DB Server) ---
Machine Name: N/A
NetBIOS Domain: N/A
DNS Name:
IP Address: 10.192.146.34
MAC Address: N/A
Traceroute:
Time to Live: 125
Ping: Host Responded
Open TCP Ports: N/A
Open UDP Ports: N/A
--- Audits 10.192.146.34 (Vulnerability Detail) ---
Limited Null Session
Risk Level: Low BugtraqID: 494 CVE: CVE-2000-1200
DCOM Enabled
Risk Level: Medium BugtraqID: N/A CVE: CAN-1999-0658
No Remote Registry Access Available
Risk Level: Information BugtraqID: N/A CVE: N/A
TCP:3389 - Terminal Services enabled
Risk Level: Low BugtraqID: N/A CVE: N/A
Microsoft Windows Non-Default User Service
Risk Level: Information BugtraqID: N/A CVE: N/A
ICMP Timestamp Request
Risk Level: Low BugtraqID: N/A CVE: CVE-1999-0524
--- Ports 10.192.146.34 (Open Ports) ---
111 : TCP : Open : SUNRPC - SUN Remote Procedure Call
135 : TCP : Open : RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
139 : TCP : Open : NETBIOS-SSN - NETBIOS Session Service
445 : TCP : Open : MICROSOFT-DS - Microsoft-DS
1433 : TCP : Open : MS-SQL-S - Microsoft-SQL-Server
3389 : TCP : Open : MS RDP (Remote Desktop Protocol) / Terminal Services
4987 : TCP : Open : Unknown Port
5250 : TCP : Open : Unknown Port
5555 : TCP : Open : ServeMe
10204 : TCP : Open : CA License Client/Server

10.192.144.54
--- General 10.192.144.54 (Machine Information – Web Server) ---
Machine Name: N/A
NetBIOS Domain: N/A
DNS Name:
IP Address: 10.192.144.54
MAC Address: N/A
Traceroute:
Time to Live: 125
Ping: Host Responded
Open TCP Ports: N/A
Open UDP Ports: N/A
Operating System: N/A
--- Audits 10.192.144.54 (Vulnerability Detail) ---
TCP:2301 - JetPhoto Server "Name" And "Page" Variables Cross Site Scripting
Risk Level: Low BugtraqID: N/A CVE: N/A
DCOM Enabled
Risk Level: Medium BugtraqID: N/A CVE: CAN-1999-0658
Microsoft MSDTC and COM+ Buffer Overflow (902400) - Remote
Risk Level: High BugtraqID: 15056,15057 CVE: CAN-2005-1979,CAN-2005-2119,CAN-2005-1978
TCP:3389 - Terminal Services enabled
Risk Level: Low BugtraqID: N/A CVE: N/A
TCP:2967 - Norton AntiVirus Corporate Edition (managed service) detected
Risk Level: Information BugtraqID: N/A CVE: N/A
ICMP Timestamp Request
Risk Level: Low BugtraqID: N/A CVE: CVE-1999-0524
No Remote Registry Access Available
Risk Level: Information BugtraqID: N/A CVE: N/A
--- Ports 10.192.144.54 (Open Ports) ---
135 : TCP : Open : RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
139 : TCP : Open : NETBIOS-SSN - NETBIOS Session Service
443 : TCP : Open : HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)
445 : TCP : Open : MICROSOFT-DS - Microsoft-DS
1065 : TCP : Open : HP OpenView
2103 : TCP : Open : ZEPHYR-CLT - Zephyr Serv-HM Connection
2105 : TCP : Open : EKLOGIN - Kerberos (v4) Encrypted RLogin
2301 : TCP : Open : CIM - Compaq Insight Manager
3389 : TCP : Open : MS RDP (Remote Desktop Protocol) / Terminal Services
Table 6.4 Summary of Retina Output

#  Host      IP Address     Operating System  Open Ports                            Vulnerabilities/Severity
1  Web       10.192.144.54  Windows 2000      135/tcp, 139/tcp, 443/tcp, 445/tcp,   JetPhoto (Low), DCOM (Medium),
                                              1043/tcp, 2105/tcp, 2301/tcp,         MSDTC (High), TS (Low),
                                              3372/tcp, 3389/tcp, 49400/tcp         Norton (Low), ICMP (Low)
2  Database  10.192.146.34  Windows 2000      111/tcp, 135/tcp, 139/tcp, 445/tcp,   Null Session (Low), DCOM (Medium),
                                              1433/tcp, 3389/tcp, 4125/tcp,         TS (Low), ICMP (Low)
                                              4987/tcp, 5555/tcp
Referring to Table 6.4, we notice that the database server doesn't contain a high-level vulnerability that we can exploit to gain unauthorized access to it. The highest-level vulnerability it possesses is associated with Microsoft Distributed Component Object Model (DCOM) being enabled, which doesn't really represent a vulnerability. The Web server, on the other hand, does possess a high-level vulnerability: it's susceptible to a Microsoft Distributed Transaction Coordinator (MSDTC) and Component Object Model (COM)+ buffer overflow. In an effort to gain access to the customer records, we'll need to first exploit the Web server. If we're successful, we'll attempt to leverage the Web server to gain access to the database.
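Table 6.4 was assembled by hand from the Retina summary report. The following is an added example, not code from the book or from eEye, that parses report text in the layout reproduced above into per-host port and finding lists and ranks each host by its most severe finding; the sample report embedded in it is constructed in that layout and abridged from the output shown.

```python
import re
# Constructed sample shaped like the Retina summary report on this page (abridged); not real scanner output.
RETINA_REPORT = """\
--- Audits 10.192.146.34 (Vulnerability Detail) ---
Limited Null Session
Risk Level: Low BugtraqID: 494 CVE: CVE-2000-1200
DCOM Enabled
Risk Level: Medium BugtraqID: N/A CVE: CAN-1999-0658
--- Ports 10.192.146.34 (Open Ports) ---
1433 : TCP : Open : MS-SQL-S - Microsoft-SQL-Server
--- Audits 10.192.144.54 (Vulnerability Detail) ---
Microsoft MSDTC and COM+ Buffer Overflow (902400) - Remote
Risk Level: High BugtraqID: 15056,15057 CVE: CAN-2005-1979,CAN-2005-2119
No Remote Registry Access Available
Risk Level: Information BugtraqID: N/A CVE: N/A
--- Ports 10.192.144.54 (Open Ports) ---
443 : TCP : Open : HTTPS - HTTPS (Hyper Text Transfer Protocol Secure)
"""
SEVERITY = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
SECTION_RE = re.compile(r"^--- (General|Audits|Ports) (\S+) \(")
RISK_RE = re.compile(r"^Risk Level: (\w+) BugtraqID: (\S+) CVE: (\S+)")
PORT_RE = re.compile(r"^(\d+) : (TCP|UDP) : Open : (.*)$")

def parse_retina(text):
    """Group each host's open ports and audit findings, keyed by IP address."""
    hosts = {}
    section, ip, pending = None, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:                      # section header: note which host and block we are in
            section, ip = m.groups()
            hosts.setdefault(ip, {"ports": [], "audits": []})
            continue
        if section == "Audits":
            m = RISK_RE.match(line)
            if m and pending:      # the Risk Level line closes the finding named just above it
                cves = [] if m.group(3) == "N/A" else m.group(3).split(",")
                hosts[ip]["audits"].append((pending, m.group(1), cves))
                pending = None
            elif line.strip():
                pending = line.strip()
        elif section == "Ports":
            m = PORT_RE.match(line)
            if m:
                hosts[ip]["ports"].append((int(m.group(1)), m.group(2), m.group(3)))
    return hosts

def highest_risk(hosts):
    """Most severe finding per host (Information < Low < Medium < High); None if no findings."""
    return {ip: max((a[1] for a in d["audits"]), key=SEVERITY.get, default=None) for ip, d in hosts.items()}
```

Run against the full report, the per-host result lets you confirm Table 6.4 mechanically and see at a glance that only the Web server carries a High finding.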
Penetration Testing
Penetration tests use the vulnerabilities discovered during a VA to exploit, or gain unauthorized access to, targeted systems. Whereas a vulnerability assessment identifies security holes within a system or application, a penetration test takes advantage of these weaknesses to gain unauthorized system-level access.
Having detected and reported the vulnerabilities present on the Web and database servers, it's now time to exploit, attack, and penetrate these weaknesses. To aid us we'll use Core Impact 5.1 from Core Security.
Additional penetration tools include Dave Aitel's Canvas and Metasploit. You can also find free vulnerability exploits at www.packetstormsecurity.org and www.securityfocus.com/bid.