Information Security Systems Performance assessment

Sumit Chhuttani

B.Tech 2nd year

Department of Computer Science and Engineering

Indian Institute of Technology (IIT), Hyderabad

[email protected]

Project guide: Dr. B.M. Mehtre

Associate professor

Institute of Development and Research in Banking Technology (IDRBT)

Road No. 1, Castle Hills, Masab Tank, Hyderabad – 500 057 http://www.idrbt.ac.in/

June 2, 2012


CONTENTS

Certificate

Declaration

Acknowledgement

Abstract

1. Introduction ...... 7
2. Process and methodology ...... 8
   2.1 Planning and Preparation ...... 8
   2.2 Information Gathering and Analysis ...... 8
   2.3 Enumeration and Fingerprinting ...... 8
   2.4 Vulnerability detection ...... 9
   2.5 Penetration Attempt ...... 9
   2.6 Analysis and Reporting ...... 9
   2.7 Cleaning up ...... 10
3. Security Assessment Tool-Kit ...... 10
   3.1 Categories of scanning tools ...... 11
4. My Handy Tool-Kit ...... 12
   4.1 Nmap ...... 12
      (i) Results ...... 13
   4.2 Wireshark ...... 16
      (i) What Wireshark is not? ...... 16
      (ii) Capturing features ...... 17
      (iii) Filters ...... 17
      (iv) Application ...... 18
      (v) Wireshark as a traffic analysis ...... 18
   4.3 Tor ...... 18
      (i) Functionality ...... 19
      (ii) Features ...... 20
      (iii) Disadvantages ...... 20
      (iv) Application ...... 20
   4.4 Nessus ...... 21
      (i) Results ...... 21
      (ii) Major vulnerabilities ...... 23
   4.5 w3af ...... 27
      (i) Plugins ...... 27
      (ii) Test results ...... 27
      (iii) Vulnerabilities in IDRBT website ...... 28
5. Conclusion ...... 32
6. Reference ...... 33


CERTIFICATE

This is to certify that the project report titled “Information Security Systems: Performance Assessment” submitted by Sumit Chhuttani of B.Tech 2nd year, Dept. of Computer Science and Engineering, IIT Hyderabad is a record of bona fide work carried out by him under my guidance during the period 4th May 2012 to 4th July 2012 at the Institute of Development and Research in Banking Technology, Hyderabad.

The project work is a research study, which has been successfully completed as per the set objectives.

Dr. B.M. Mehtre

Associate Professor

IDRBT, Hyderabad


DECLARATION

I declare that the summer internship project report titled “Information Security Systems: Performance Assessment” is my own work, conducted under the supervision of Prof. B.M. Mehtre at the Institute of Development and Research in Banking Technology, Hyderabad. I have put in 61 days of attendance with my supervisor at IDRBT and have been awarded a project fellowship. I further declare that, to the best of my knowledge, the report does not contain any part of any work which has been submitted for the award of any degree, either in this institute or any other institute, without proper citation.

Sumit Chhuttani

B.Tech 2nd year

Dept. of Computer Science and Engineering

IIT Hyderabad


Abstract

This report is about preparing a professional security consultant’s toolkit for performing tasks such as reconnaissance, network scanning, and exploiting vulnerabilities. Literally thousands of tools, both commercial and open source, are available to professionals who need to assess their network's security. The trick is having the right tool for the job when you need it and being able to trust it.

Nowadays everyone is moving towards e-banking, and all the information is flowing through the network. The account number, expiration date and possibly the cardholder's name are sent from the point of payment to a processor, and from there to the card issuer, often a bank, which ultimately authorizes the transaction. The actual transfer of money occurs later. Processing companies, which perform millions of authorizations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption.

So, to stop these kinds of breaches, an enterprise must ensure end-to-end security. Many people mistakenly think that network security means installing a firewall and forgetting about it. But security is an ongoing, everyday practice of perseverance and diligence. Sure, you need a firewall, but you also need to develop good habits, which include routine checks and analysis. This practice requires some specialized tools to get the job done quickly and easily, and I can recommend a few basic tools that you need in your toolkit and explain how to use them. This document explores the usage of some vulnerability tools, namely Nmap, Wireshark, Nessus, w3af, etc. To explore the usage of these tools, various tests were made with them to penetrate the given system, and the results are presented in this report.


1. Introduction

Recently, as a consequence of growing hacker activity, periodically occurring technical faults and compliance issues, information security has become a task of the highest concern for most organizations. Security systems aim to control access to a computer system's resources, especially its data and files. The three pillars of security are Confidentiality, Integrity and Availability (CIA).

Security in its most basic meaning is the protection of assets from, or the absence of, danger. The motive behind using a security system performance assessment model is to ensure that the necessary security controls are integrated into the design and implementation of a system. Vulnerabilities and exposures in most environments are due to poor system management, patches not installed in a timely fashion, weak password policy, poor access control, etc. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems-management process failures that produced the vulnerability detected by the test. Our aim is to evaluate the security of the information system or network set up by an organisation by simulating an attack from a malicious hacker.

• It involves gathering the information about the system, such as its IP Address, Operating System, status of the ports etc.

• It also involves identification of the vulnerabilities present in the system due to the various reasons mentioned above.

Security assessment consists of four fundamental phases: Reconnaissance, Enumeration, Assessment and Exploitation.

The reconnaissance phase involves discovery of the network devices through alive scanning via Internet Control Message Protocol (ICMP) or TCP. During the enumeration and assessment phases, the security assessor determines whether a service or application is running on a particular host and assesses it for potential vulnerabilities. In the exploitation phase, the assessor leverages one or more vulnerabilities to gain some level of privileged access to the host and uses this access to further exploit the host or to escalate privilege on that host or throughout the network or domain. The process and methodology for security assessment is explained in detail in Section 2.


2. Process and Methodology

2.1 Planning and Preparation

For carrying out a penetration test for an organisation, a lot of preparation is needed. Before starting, ideally there should be a meeting between the officials and the penetration testers. In this meeting, they should decide the scope, extent and aim of the penetration test. Generally, the aim of the penetration test is to demonstrate the presence of weaknesses in the network infrastructure which might compromise it. The scoping of the penetration test is done by identifying the machines, systems and network, the operational requirements and the staff involved. There must also be agreement on the form of the output result.

Another important aspect on which planning is required is the duration and timing of the test. The test should be carried out in such a way that it has minimal effect on normal work and everyday processes. A tester may have to decide on a particular interval during the day in which to carry out the test. Testing during intervals of heavy and critical use should be avoided. There is a possibility that the test might crash a system due to the unusual network traffic it creates. So, possible measures should be taken to deal with any resulting system failure, and if such a risk cannot be tolerated, then that system should be excluded from the test.

2.2 Information Gathering and Analysis

After the planning and preparation, the next step is to gather as much information as we can about the target system. For this purpose, there are plenty of tools available online which allow you to do a network survey. A network survey is an introduction to the system. It allows us to find the reachable hosts in the system. Through a network survey, we get information about the following fields:

• Domain names
• Server names
• Internet Service Provider
• IP addresses of hosts
• Network map

After completing a network survey, the next task is a port scan. There are basically about 65,000 possible TCP and UDP ports. The basic result obtained from a port scan is a list of open ports on a particular IP address. At this point, system information like the operating system should also be associated with the IP address.

2.3 Enumeration and Fingerprinting

Target network enumeration and host fingerprinting are crucial parts of both legitimate penetration testing and a hacking attack. You cannot go on the offensive without detailed terrain mapping and target reconnaissance. A great many enumeration and fingerprinting tools such as ping, traceroute, whois, dig, host, and various port scanners (especially Fyodor's Nmap) are already available on the internet and elsewhere. Specific targets are determined in this phase. Various services and open ports are determined. Operating system enumeration is also done. The methods used for this can be:

• Banner grabbing
• Responses to various protocol (ICMP and TCP) commands
• Port / service scans: TCP Connect, TCP SYN, TCP FIN, etc.

2.4 Vulnerability Detection

The next step after gathering the relevant information is to determine the vulnerabilities that exist in each of the systems in the network. The tester needs to have a collection of exploits and vulnerabilities for this purpose. He should analyse the gathered information to find any vulnerability using his skills and knowledge. This is called manual vulnerability detection. There are tools available on the internet which can automate the whole process, such as Nessus. They scan the systems and generate a list of the vulnerabilities present on each system, with the available exploits. This allows us to create a list of targets to be investigated in detail. These systems will be subject to a penetration attempt in the next step.

2.5 Penetration Attempt

After the detection of the vulnerabilities, the targets for the penetration test are identified. A timeline is also decided for carrying out the penetration test. For performing the penetration test on a system, there are various tools available on the internet, but these tools need customization to suit our specific purpose. Although we might know that a vulnerability is present in a system, it does not mean that it can be exploited. Therefore, it might not be possible to penetrate a system even when in theory it is possible. First of all, the tester should try the existing exploits against the system with the vulnerabilities. The next step is password cracking. There will be services on the system running Telnet and FTP. These applications can be subjected to password cracking. Some of the password cracking methods are:

• Dictionary attack
• Brute force
• Hybrid crack

There are two more methods suitable for attempting a penetration: social engineering and testing the organization’s physical security. Social engineering is an art used by hackers that capitalizes on the weakness of the human element of the organization’s defence. Physical security testing involves penetration testers trying to gain access to the organization’s facility by defeating its physical security. Social engineering can be used to get past the organization’s physical security as well.

2.6 Analysis and Reporting

After conducting all the tasks above, the next task is to generate a report for the organization. The report should start with an overview of the penetration testing process carried out. This should be followed by an analysis and commentary on the critical vulnerabilities that exist in the network or systems. Vital vulnerabilities are addressed first to highlight them to the organization. Less vital vulnerabilities should then be highlighted. Separating the vital vulnerabilities from the less vital ones helps the organization in decision making. For example, an organization might accept the risk incurred from the less vital vulnerabilities and only fix the more vital ones.

The other contents of the report should be as follows:

• Summary of any successful penetration scenarios
• Detailed listing of all information gathered during penetration testing
• Detailed listing of all vulnerabilities found
• Description of all vulnerabilities found
• Suggestions and techniques to resolve the vulnerabilities found

2.7 Cleaning Up

The cleaning up process is done to clear any mess that has been made as a result of the penetration test. A detailed and exact list of all actions performed during the penetration test must be kept. This is vital so that any cleaning up of the system can be done. The cleaning up of compromised hosts must be done securely and without affecting the organization’s normal operations. The cleaning up process should be verified by the organization’s staff to ensure that it has been done successfully. Bad practices and improperly documented actions during the penetration test will result in the cleaning up process being left as a backup and restore job for the organization, thus affecting normal operations and taking up its IT resources.

3. Security Assessment Tool-Kit

Security Assessment Tool-kit comprises the components and tools that make up a professional security consultant’s toolkit for performing tasks including reconnaissance, network scanning, and exploitation of vulnerable software components. Many advanced tools can only be run from Unix-based systems, while other Windows-specific tools are required when testing Microsoft-based platforms and environments, so building a flexible platform is very important. At a high level, the tools and components that you need to consider are as follows:

• Virtualization software to allow you to run multiple virtual systems on one physical machine
• Operating systems within your assessment platform
• Reconnaissance tools to perform initial Internet-based open source querying
• Network scanning tools to perform automated bulk scanning of accessible IP addresses
• Exploitation frameworks to exploit vulnerable software components and accessible services
• Web application testing tools to perform specific testing of web applications

A security assessment application (or scanner) can be defined as a tool that can be used to test a system's or network's security and find weak points. These applications do not provide protection or security directly to a system or network, but collect and report information that other mechanisms, policies and applications can implement so as to provide protection against the identified vulnerabilities.

Vulnerability scans provide a mechanism for system administrators to assess the security posture of the servers they manage by probing the systems for open ports, services, and application and operating system patch levels. Open ports are queried for information regarding what services are listening, and each service is compared against a database of known vulnerabilities or issues. System administrators can utilize vulnerability scan reports to assess the security posture of their systems and outline the remediation tasks required to bring the systems into compliance.

3.1 Categories of Scanning Tools

Most network break-ins occur on networks that are already secured but aren't monitored closely enough. Literally thousands of tools, both commercial and open source, are available to professionals who need to assess their network's security. The trick is having the right tool for the job when you need it and being able to trust it. A security analyst's tool kit should contain the following tools:

• Port Scanners: A port scanner lets you scan ranges of IP addresses looking for TCP/IP ports that are listening. To accomplish its goal, it sends specially crafted packets to the target host and then analyses the responses.
• Vulnerability Scanners: A vulnerability scanner can be used to conduct network reconnaissance, which is typically carried out by a remote attacker attempting to gain information or access to a network on which it is not authorized or allowed.
• Packet Sniffers: A network packet sniffer will try to capture network packets and display the packet data in as much detail as possible. Intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is not quite right, a good packet sniffer can lead you directly to the source of the problem in a hurry.
• Password Crackers: Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Most methods of password cracking require the computer to produce many candidate passwords, each of which is checked; for example, brute-force cracking and dictionary attacks.
• Web Scanners: A web application security scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
• Wireless Tools: Wireless tools are intended to support and facilitate the configuration of wireless devices by verifying network configurations, finding locations with poor coverage in a WLAN, detecting causes of wireless interference, detecting unauthorized ("rogue") access points, etc.
• Exploitation Tools: An exploitation framework is used to exploit flaws in the accessible network services and gain access to the target host. It is a tool for developing and executing exploit code against a remote target machine. Exploit code is code that enters a target system by taking advantage of one of its bugs.

4. My Handy Tool-Kit

With the advent of the Internet, my toolkit has grown to include mainly TCP/IP-related tools, which I think you'll find useful on your network. The products I use are my personal preferences, and you certainly have several other choices available. There are various vulnerability tools available on the internet, but our tool-kit contains the following five tools, which are sufficient to assess our network:

• Port scanner: Nmap
• Sniffer: Wireshark
• Encryption tool: Tor
• Vulnerability scanner: Nessus
• Web scanner: w3af

Let's glance at tools of my Handy Tool-kit one by one…

4.1 Nmap

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) [1], used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyses the responses. Unlike many simple port scanners that just send packets at some predefined constant rate, Nmap accounts for the network conditions (latency fluctuations, network congestion, and the target's interference with the scan) during the run. Also, owing to the large and active user community providing feedback on its features and contributing back, Nmap has succeeded in extending its discovery capabilities beyond basic host up/down or port open/closed to being able to determine the operating system of the target, the names and versions of the listening services, estimated uptime, the type of device, and the presence of a firewall.

Nmap runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX. Linux is the most popular Nmap platform, with Windows following it closely.

Four basic features provided by Nmap are:

• Network Mapping: sending messages to a host that will generate a response if the host is active
• Port Scanning: sending messages to a specified port to determine if it is active
• Service and Version Detection: sending specially crafted messages to active ports to generate responses that will indicate the type and version of the service running
• OS Detection: sending specially crafted messages to an active host to generate certain responses that will indicate the type of operating system running on the host

4.1 (i) Results:

Nmap is a highly customizable tool providing many options. Thus, we carried out tests using various combinations of the options available and then assessed the results.

The result of the scan that gave us the most information was:

…………………………………………………………………………………………………………………………..
Starting Nmap 5.21 (http://nmap.org) at 2012-05-16 10:40 IST
NSE: Loaded 80 scripts for scanning.
Initiating ARP Ping Scan at 10:40
Scanning 220.227.240.189 [1 port]
Completed ARP Ping Scan at 10:40, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:40
Completed Parallel DNS resolution of 1 host. at 10:40, 0.61s elapsed
Initiating SYN Stealth Scan at 10:40
Scanning idrbt.ac.in (220.227.240.189) [1000 ports]
Discovered open port 8000/tcp on 220.227.240.189
Completed SYN Stealth Scan at 10:40, 19.86s elapsed (1000 total ports)
Initiating UDP Scan at 10:40
Scanning idrbt.ac.in (220.227.240.189) [1000 ports]
Completed UDP Scan at 10:40, 4.02s elapsed (1000 total ports)
Initiating Service scan at 10:40
Scanning 1001 services on idrbt.ac.in (220.227.240.189)
Completed Service scan at 11:23, 2543.55s elapsed (1001 services on 1 host)
Initiating OS detection (try #1) against idrbt.ac.in (220.227.240.189)
Retrying OS detection (try #2) against idrbt.ac.in (220.227.240.189)
NSE: Script scanning 220.227.240.189.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:23
Completed NSE at 11:23, 37.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:23
Completed NSE at 11:24, 5.00s elapsed
NSE: Script Scanning completed.
Nmap scan report for idrbt.ac.in (220.227.240.189)
Host is up (0.0014s latency).
Not shown: 1000 open|filtered ports, 999 filtered ports
PORT     STATE SERVICE VERSION
8000/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-malware-host: Host appears to be clean
|_http-date: Thu, 16 May 2012 04:53:04 GMT; -17s from local time.
|_html-title: Apache Tomcat
| http-headers:
|   Server: Apache-Coyote/1.1
|   Accept-Ranges: bytes
|   ETag: W/"7777-1242256504000"
|   Last-Modified: Wed, 13 May 2009 23:15:04 GMT
|   Content-Type: text/html
|   Content-Length: 7777
|   Date: Thu, 16 May 2012 04:53:06 GMT
|   Connection: close
|
|_  (Request type: HEAD)
|_http-enum:
|_http-iis-webdav-vuln: ERROR: This web server is not supported.
MAC Address: 00:18:19:6A:14:F8 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2003 (98%)
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (French) (98%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP3 (91%), Microsoft Windows Server 2003 SP1 (91%), Microsoft Windows Server 2003 SP2 (89%), Microsoft Windows XP Professional SP2 (firewall enabled) (89%), Microsoft Windows Small Business Server 2003 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
| asn-query:
| BGP: 220.227.240.0/23 | Country: IN
| Origin AS: 18101 - RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
|_ Peer AS: 15412

HOP RTT     ADDRESS
1   1.43 ms idrbt.ac.in (220.227.240.189)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2617.83 seconds
           Raw packets sent: 4096 (153.436KB) | Rcvd: 30 (2166B)
…………………………………………………………………………………………………………………………………..

From the scan we got the following information about the server on which we performed the scan:

• MAC address: 00:18:19:6A:14:F8 (Cisco Systems)
• Resolved name: 220.227.240.189 – idrbt.ac.in
• ISP: RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd. DAKC MUMBAI
• OS: Microsoft Windows XP|2003 (Nmap's guess only; the scan warned that it found no closed port, so the OS result may be unreliable)
• Port: 8000/tcp, http open, Service: Apache Tomcat/Coyote JSP engine 1.1
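Nmap's normal output is line oriented, so the bullet summary above can be produced mechanically rather than by reading the report by hand. The following Python script is an added example written for this report (it is not part of the original project and not Nmap's own tooling): it parses the host section of the scan output shown above into a structured record, keeps only the ports Nmap reports as open (dropping open|filtered and filtered, which the summary above rightly ignores), and prints the same summary. The sample input is a trimmed copy of that output; the regular expressions are this example's own assumptions about the output format and cover only the line types used here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the Nmap normal output shown in the report.
SAMPLE_OUTPUT = """\
Nmap scan report for idrbt.ac.in (220.227.240.189)
Host is up (0.0014s latency).
Not shown: 1000 open|filtered ports, 999 filtered ports
PORT     STATE SERVICE VERSION
8000/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-malware-host: Host appears to be clean
MAC Address: 00:18:19:6A:14:F8 (Cisco Systems)
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2003 (98%)
Host script results:
| asn-query:
| BGP: 220.227.240.0/23 | Country: IN
| Origin AS: 18101 - RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
|_ Peer AS: 15412
Nmap done: 1 IP address (1 host up) scanned in 2617.83 seconds
"""


@dataclass
class HostSummary:
    name: str = ""
    ip: str = ""
    mac: str = ""
    vendor: str = ""
    os_guess: str = ""
    origin_as: str = ""
    # (port, protocol, state, service, version) tuples, in output order
    ports: list = field(default_factory=list)


# One pattern per line type we care about (assumed from the output shown above).
REPORT_RE = re.compile(r"^Nmap scan report for (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
OS_RE = re.compile(r"^Running(?: \(JUST GUESSING\))?\s*: (.*?)(?: \(\d+%\))?$")
AS_RE = re.compile(r"^\|\s*Origin AS: (\d+) - (.*)$")


def parse_nmap_normal(text):
    """Parse one host's section of Nmap normal output into a HostSummary."""
    host = HostSummary()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REPORT_RE.match(line)
        if m:
            host.name, host.ip = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            host.ports.append((int(port), proto, state, service, version or ""))
            continue
        m = MAC_RE.match(line)
        if m:
            host.mac, host.vendor = m.group(1), m.group(2)
            continue
        m = OS_RE.match(line)
        if m:
            host.os_guess = m.group(1)
            continue
        m = AS_RE.match(line)
        if m:
            host.origin_as = "AS%s %s" % (m.group(1), m.group(2))
    return host


def open_ports(host):
    """Only ports Nmap reports as open; open|filtered and filtered carry no confirmed service."""
    return [p for p in host.ports if p[2] == "open"]


def summary_lines(host):
    """Render the same bullet summary the report draws by hand."""
    lines = [
        "MAC address: %s (%s)" % (host.mac, host.vendor),
        "Resolved name: %s - %s" % (host.ip, host.name),
        "ISP: %s" % host.origin_as,
        "OS: %s" % host.os_guess,
    ]
    for port, proto, state, service, version in open_ports(host):
        lines.append("Port: %d/%s, %s %s, Service- %s" % (port, proto, service, state, version))
    return lines


if __name__ == "__main__":
    for line in summary_lines(parse_nmap_normal(SAMPLE_OUTPUT)):
        print("•", line)
```

The parser deliberately keeps `open|filtered` and `filtered` ports out of the service list: those states mean the probe got no answer, not that a service was identified, so listing them as findings would overstate what the scan proved.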

4.2 Wireshark

Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and display the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable.

It is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of the packets specified by different networking protocols.

4.2 (i) What Wireshark is not?

• Wireshark isn't an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
• Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things.

4.2 (ii) Capturing Features: The Wireshark capture engine provides the following features:

• Capture from different kinds of network hardware (Ethernet, Token Ring, etc.).

• Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets.

• Simultaneously show decoded packets while Wireshark keeps on capturing.

• Filter packets, reducing the amount of data to be captured.

4.2(iii) Filters: Wireshark provides many filters that can be used according to our need, for example to select a particular source and destination of the packet, or a particular protocol, etc.

The user interface of Wireshark (performing a scan on the IDRBT local area network) is shown in Fig. 1.

Fig.1: Screenshot of Wireshark


4.2(iv) Application: Intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is not quite right, a good packet sniffer like Wireshark can lead you directly to the source of the problem in a hurry.

4.2(v) Wireshark as a form of traffic analysis: Wireshark is a form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can be used by hackers!!! How? For that, let us first focus on how traffic analysis works.

Internet data packets have two parts: a data payload and a header used for routing. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on. These parameters can be used by an attacker to reveal what an enterprise is doing.

We need something which can protect us against this kind of traffic analysis.

The simplest way is to distribute our transactions over several places on the Internet, so no single point can link us to our destination. Instead of taking a direct route from source to destination, data packets take a random pathway through several relays that cover your tracks, so no observer at any single point can tell where the data came from or where it's going. This can be done through Tor.

4.3 Tor

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and state security.

It protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world (refer to Fig. 2). It is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.


4.3(i) Functionality:

Fig. 2: Alice connecting to Bob using Tor relays

Tor is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers throughout the globe. These onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in network location.

Because the Internet addresses of the sender and the recipient are never both in clear text at any hop along the way (at non-exit, or "middle", relays neither piece of information is in clear text), anyone eavesdropping at a single point along the communication channel cannot directly identify both ends. Furthermore, to the recipient it appears that the last Tor node (the exit node) is the originator of the communication rather than the sender.
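To make the argument of 4.2(v) and 4.3(i) concrete, here is a small Python simulation added for this report; it is not Tor's code and uses neither Tor's real cipher nor its key exchange. Three relays (guard, middle and exit) each hold a key shared with the client. This toy assumes pre-shared keys and uses an HMAC-SHA256 keystream XORed over the data purely to make the layering visible, whereas Tor negotiates a fresh key per hop and encrypts with AES. The client wraps the message in three layers; each relay strips one layer and records only which neighbour it received from and which it forwards to. The final check shows that no single relay on a three-hop path sees both Alice and Bob, while a one-hop path gives the lone relay both ends.

```python
import hashlib
import hmac
import json


def keystream(key, length):
    """Toy keystream: HMAC-SHA256(key, counter) blocks. Illustration only; a real
    stream cipher must never reuse a keystream under one key as this toy does."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(path, dest, payload, keys):
    """Wrap payload so relay path[i] can only read the layer meant for it.
    path: ordered relay names, e.g. ["guard", "middle", "exit"]; keys: name -> key."""
    # Innermost layer: only the exit learns the real destination and the payload.
    inner = json.dumps({"next": dest, "data": payload.hex()}).encode()
    blob = xor_crypt(keys[path[-1]], inner)
    # Wrap outward: each earlier relay learns only the name of the next relay.
    for hop, nxt in reversed(list(zip(path[:-1], path[1:]))):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = xor_crypt(keys[hop], layer)
    return blob


def relay_process(name, key, prev_hop, blob, log):
    """Peel one layer: record what this relay can observe, return the next hop and inner blob."""
    layer = json.loads(xor_crypt(key, blob).decode())
    log[name] = {"from": prev_hop, "to": layer["next"]}
    return layer["next"], bytes.fromhex(layer["data"])


def run_circuit(sender, path, dest, payload, keys):
    """Simulate the circuit: returns (per-relay observations, final recipient, delivered bytes)."""
    blob = build_onion(path, dest, payload, keys)
    log = {}
    prev, nxt = sender, None
    for hop in path:
        nxt, blob = relay_process(hop, keys[hop], prev, blob, log)
        prev = hop
    return log, nxt, blob


def relay_links_both_ends(log, sender, dest):
    """True if any single relay observed both the sender and the destination."""
    return any({seen["from"], seen["to"]} >= {sender, dest} for seen in log.values())


# Constructed pre-shared keys for the toy relays (an assumption of this example).
KEYS = {"guard": b"guard-key", "middle": b"middle-key", "exit": b"exit-key"}

if __name__ == "__main__":
    log, recipient, msg = run_circuit("alice", ["guard", "middle", "exit"], "bob", b"hello bob", KEYS)
    for relay, seen in log.items():
        print("%-6s sees %s -> %s" % (relay, seen["from"], seen["to"]))
    print("delivered to", recipient, ":", msg)
    print("one relay links alice to bob?", relay_links_both_ends(log, "alice", "bob"))
```

This is also why the disadvantage listed in 4.3(iii) holds: an observer who can watch both the Alice-to-guard link and the exit-to-Bob link is outside any single relay's view and can still correlate the two ends by timing and size.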

User Interface of Tor is shown in Fig. 3


Fig. 3: Screenshot of Tor showing Tor relays (red dots on the world map)

4.3(ii) Features:

• Tor aims to conceal its users’ identities and their network activity from surveillance and traffic analysis by separating identification and routing.

• Tor can also provide anonymity to servers in the form of location-hidden services, which are Tor clients or relays running specially configured server software.

4.3(iii) Disadvantages:

• Tor cannot and does not attempt to protect against monitoring of traffic at the boundaries of the Tor network, i.e., the traffic entering and exiting the network.

• Tor cannot prevent traffic confirmation

4.3(iv) Applications:

• Tor works with many of our existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

• It prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.


• Businesses use Tor to research competition, keep business strategies confidential, and facilitate internal accountability.

• Militaries and law enforcement use Tor to protect their communications, investigations, and intelligence gathering online.

4.4 Nessus

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

• Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
• Misconfiguration (e.g. open mail relay, missing patches, etc.).
• Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
• Denials of service against the TCP/IP stack by using mangled packets.

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools surveys. Tenable estimates that it is used by over 75,000 organizations worldwide.

4.4(i) Results: Nessus is a tool with many options, so it has to be configured to suit the purpose at hand. For this purpose many tests were done over a period of one month using many policies, including the ones predefined in the software and some created by us.

Multiple IPs can be scanned at the same time by providing a range such as “172.16.7.101-200”. Nessus scans every host in the range that is up and displays its results (vulnerabilities). One such test result is shown in Fig. 4.


Fig. 4: Screenshot of Nessus 5 scanning IPs 172.16.7.121, 117 and 115

The vulnerabilities obtained are classified into the following categories on the basis of their CVSS (base and temporal) score:

• High Severity (red mark)

• Medium Severity (orange mark)

• Low Severity (blue mark)

• Information (green mark)

Not all of the scans performed yielded the same vulnerabilities. All of them highlighted the low-risk vulnerabilities, which are very difficult to exploit. Some of them highlighted the medium-risk vulnerabilities, which can be exploited with some effort, and only some of them showed vulnerabilities that were highly exploitable. The medium- and high-risk vulnerabilities were reported by the PCI-DSS policy (pre-set in Nessus) and by one of the new policies that were created. The vulnerability summary of IP 172.16.7.104 is shown in Fig. 5.


Fig. 5: Scan result of IP 172.16.7.104

4.4(ii) The main vulnerabilities detected were:

• Microsoft Windows SMB shares unprivileged access

The remote host has one or more Windows shares that can be accessed over the network with the given credentials. An attacker can use these sharing rights to read/write confidential data (see Fig. 6).


Fig. 6: High severity vulnerability

• Microsoft Windows SMB Null Session Authentication:

It is possible for an unauthenticated remote attacker to log into the Windows host using a NULL session (i.e. with no login or password) (see Fig. 7).

Fig. 7: Medium severity vulnerability


• IP Forwarding enabled:

An attacker may use this flaw to route packets through this host and potentially bypass some firewalls/routers/NAC filtering (see Fig. 8).

Fig. 8: Low severity vulnerability

• Apache Tomcat Manager Common Administrative Credentials:

The default username and password had not been changed and are publicly known, so the manager interface is exploitable. According to Nessus, depending on the version of Apache Tomcat, it can be affected by various vulnerabilities such as denial of service, cross-site scripting, etc. (see Figs. 9 and 10).


Fig. 9: Scan result showing Synopsis, Description and Solution of the vulnerability found

Fig. 10: Scan result showing username and password of the server
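The severity banding described in 4.4(i) can be reproduced from a saved scan. The following is an added example, not Nessus's own code: it parses a .nessus (v2 XML) export and groups each host's findings into the High/Medium/Low/Information bands by CVSS base score. The XML is a constructed sample in the NessusClientData_v2 layout; plugin IDs and CVSS scores are placeholders, while the host and finding names are those from section 4.4.

```python
# Added example (not Nessus's own code): summarise a .nessus v2 export by CVSS band.
# Constructed sample export; pluginID values and cvss_base_score values are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="172.16.7.104">
 <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="0" severity="3"
  pluginName="Microsoft Windows SMB Shares Unprivileged Access">
  <cvss_base_score>7.5</cvss_base_score></ReportItem>
 <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="0" severity="2"
  pluginName="Microsoft Windows SMB NULL Session Authentication">
  <cvss_base_score>5.0</cvss_base_score></ReportItem>
 <ReportItem port="0" protocol="tcp" svc_name="general" pluginID="0" severity="1"
  pluginName="IP Forwarding Enabled">
  <cvss_base_score>2.9</cvss_base_score></ReportItem>
 <ReportItem port="8080" protocol="tcp" svc_name="www" pluginID="0" severity="3"
  pluginName="Apache Tomcat Manager Common Administrative Credentials">
  <cvss_base_score>10.0</cvss_base_score></ReportItem>
 <ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="0" severity="0"
  pluginName="Service banner (constructed informational item, no CVSS score)"/>
</ReportHost></Report></NessusClientData_v2>"""


def severity_band(cvss_base):
    """Band a CVSS base score as the scanner colours it; None or 0.0 is informational."""
    if not cvss_base:
        return "Information"
    if cvss_base < 4.0:
        return "Low"
    if cvss_base < 7.0:
        return "Medium"
    return "High"


def summarise(nessus_xml):
    """Return {host: {band: [plugin names]}} with one entry per ReportItem."""
    summary = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        per_host = summary.setdefault(host.get("name"), {})
        for item in host.iter("ReportItem"):
            score_el = item.find("cvss_base_score")  # absent on informational plugins
            score = float(score_el.text) if score_el is not None else None
            per_host.setdefault(severity_band(score), []).append(item.get("pluginName"))
    return summary


if __name__ == "__main__":
    for host, bands in summarise(SAMPLE_NESSUS).items():
        print(host, {band: len(names) for band, names in bands.items()})
```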


4.5 W3af (Web Application Attack and Audit Framework)

W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.

It provides information about security vulnerabilities and aids in penetration testing efforts.

4.5(i) Plugins: Plugins do all the magic. They will find the URLs, discover the vulnerabilities and exploit them. They are categorized into the following types:

• Discovery: Discovery plugins have only one responsibility, finding new URLs, forms, and other “injection points”.

• Audit: Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities, e.g. a SQL injection vulnerability.

• Grep: Grep plugins analyze the HTTP requests and responses initiated by other plugins and identify vulnerabilities in that traffic.

• Attack: The objective of attack plugins is to exploit vulnerabilities found by audit plugins.

• Exploit: Exploit plugins [ab]use the vulnerabilities found in the audit phase and return something useful to the user (a remote shell, a SQL table dump, a proxy, etc.).

• Output: Output plugins save the data to a text or HTML file.

• Mangle: Mangle plugins allow modification of requests and responses based on regular expressions.

• Bruteforce: Bruteforce plugins will brute force logins. These plugins are part of the discovery phase.

• Evade: Evasion plugins try to evade simple intrusion detection rules.

4.5(ii) Test Results: A few sites were scanned and the vulnerabilities found were recorded. Some of them are:


• www.google.com: No major vulnerability was found.

• www.elan.org.in: A thorough scan took around 5-6 hours. A few GET and POST vulnerabilities were found, along with some unwanted comments in its source code.

• www.ratrace.in: Scanning took a long time; a few loopholes for SQL injection were found, along with some GET/POST flaws.

• www.youtube.com: No big issues were encountered.

• www.idrbt.ac.in: A large number of vulnerabilities were encountered after performing a “fast scan”, which took around 10 hours.

4.5(iii) Vulnerabilities found in IDRBT website (www.idrbt.ac.in):

A total of 52 vulnerabilities were found on scanning www.idrbt.ac.in (see Fig. 11). As vulnerabilities are found, they are stored in specific locations of the knowledge base, from where exploit plugins can read that information and use it to exploit the vulnerability. The vulnerabilities found are explained below, with the number of instances of each:

Fig. 11: Screenshot of w3af showing vulnerabilities in IDRBT website


• Path Disclosure Vulnerability (26 instances): Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the web root or to a file. While FPD vulnerabilities are generally perceived as low risk, they can often be combined with other exploitation techniques to reveal confidential information.

For example, the URL "http://www.idrbt.ac.in/med_2008.html" has a path disclosure vulnerability which discloses: "/media/Banks_should_take_advantage_of_mobile_comn.pdf".

• Directory Indexing Vulnerability (8 instances): A "Website Directory Index Vulnerability" simply means that if someone goes to a directory that does not have an index file, they will see a listing of all files in the directory.

For example, the URL "http://www.idrbt.ac.in/tenders/2012/" has a directory indexing vulnerability.

• Credit Card Number Disclosure (7 instances): At 7 places/URLs, a credit card number is disclosed openly. W3af uses a grep plugin to find these numbers.

For example, the URL “http://www.idrbt.ac.in/tenders/Annexure-1_DRS.htm” discloses the credit card number: “67698703 67698713”.

Solution: For comments, use JSP/ASP comments instead of HTML/JavaScript comments, which can be seen by client browsers (see Fig. 12).


Fig. 12: Scan results showing the credit card vulnerability in the IDRBT web site

• PHP and JSP Code Disclosure (2 instances): An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to conduct further attacks. In the IDRBT website, PHP and JSP code is disclosed at 2 places.

Solution: Get Tomcat 4.0 beta 3, which has already addressed this issue. Additional patches are also available to resolve this problem.

• Private IP Disclosure (3 instances): The remote web server leaks a private IP address through the WebDAV interface. If this web server is behind a Network Address Translation (NAT) firewall or proxy server, then the internal IP addressing scheme has been leaked.

Solution: Remove the private IP address from the HTTP response body.
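The findings above (credit card numbers, private IP addresses, directory indexing, path disclosure) are all produced by grep-style inspection of responses. The following is an added example, not w3af's own code, of such a pass over a single HTTP response; the response body is constructed, but the number and paths in it are the ones quoted in the scan results, and the Luhn check shows why the number in the tender annexure was reported as a card number.

```python
# Added example, not w3af's own code: grep-style checks over one HTTP response,
# modelled on the finding types in the IDRBT scan. Response body is constructed.
import re

SAMPLE_BODY = """<html><head><title>Index of /tenders/2012/</title></head>
<body><h1>Index of /tenders/2012/</h1>
<!-- served from 10.0.0.12 -->
<p>Tender reference: 67698703 67698713</p>
<p>Warning: file not found: /media/Banks_should_take_advantage_of_mobile_comn.pdf</p>
</body></html>"""

PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"              # RFC 1918 ranges
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
                        r"|192\.168\.\d{1,3}\.\d{1,3})\b")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")                    # 13-16 digits
UNIX_PATH = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+\.\w{2,4}\b")        # /dir/file.ext
DIR_INDEX = re.compile(r"<title>Index of /", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def grep_response(url, body):
    """Return (finding, evidence) pairs for one response, as a grep plugin would."""
    findings = []
    if DIR_INDEX.search(body):
        findings.append(("directory indexing", url))
    for m in PRIVATE_IP.finditer(body):
        findings.append(("private IP disclosure", m.group()))
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # only Luhn-valid digit runs are reported
            findings.append(("credit card number disclosure", m.group()))
    for m in UNIX_PATH.finditer(body):
        findings.append(("path disclosure", m.group()))
    return findings


if __name__ == "__main__":
    for finding in grep_response("http://www.idrbt.ac.in/tenders/2012/", SAMPLE_BODY):
        print(finding)
```

A Luhn-valid run of digits in a tender document is a plausible false positive, which is why each credit-card finding should be verified by hand before it is reported.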


5. Conclusion

The vulnerability tools Nmap, Nessus and W3af are very powerful and among the best in their classes. Between them they cover almost all the known vulnerabilities and exploits, but they have to be customised heavily to suit one's purpose. They have many options available, and thus we need to perform various tests with different combinations until we get the maximum amount of information possible. For this purpose, documenting and reporting the results is very important, since we can then compare the results of the previous scan with the present one and identify what new information about the system was revealed. One more conclusion was that even though vulnerabilities might be present in a system, it may not be possible to exploit them: it might be theoretically possible, but it depends on the skill of the tester/attacker to actually exploit them.

This short list is by no means complete, but it is a good starting point for building your toolkit. If you're not using some of these tools, consider them, because most are great time savers and essential to good security. So now one knows some of my security secrets, which lie in the tools in my bag of tricks. An enterprise would be doing itself a big favour by getting these tools and using them.


6. References

1. www.sectools.org

2. www.wikipedia.org

3. www.windowsitpro.com

4. www.teenable.com/products/nessus

5. www.torproject.org.in

6. www.nmap.org

7. www.wireshark.org

8. www.w3af.sourceforge.net
