Information Systems Security Assessment Framework (ISSAF) Draft 0.2
TABLE OF CONTENTS

1 EXECUTIVE SUMMARY ... 12
A PENETRATION TESTING METHODOLOGY ... 13
B PENETRATION TESTING METHODOLOGY, PHASE-II EXPLAINED ... 25
C HANDLING FALSE DETECTION RATES ... 170
NETWORK SECURITY ... 173
D PASSWORD SECURITY TESTING ... 174
E SWITCH SECURITY ASSESSMENT ... 240
F ROUTER SECURITY ASSESSMENT ... 275
G FIREWALL SECURITY ASSESSMENT ... 318
H INTRUSION DETECTION SYSTEM SECURITY ASSESSMENT ... 366
I VPN SECURITY ASSESSMENT ... 389
J ANTI-VIRUS SYSTEM SECURITY ASSESSMENT AND MANAGEMENT STRATEGY ... 399
K STORAGE AREA NETWORK (SAN) SECURITY ... 413
L WLAN SECURITY ASSESSMENT ... 423
M INTERNET USER SECURITY ... 444
N AS 400 SECURITY ... 450
O LOTUS NOTES SECURITY ... 477
HOST SECURITY ... 482
P UNIX /LINUX SYSTEM SECURITY ASSESSMENT ... 483
Q WINDOWS SYSTEM SECURITY ASSESSMENT ... 523
R NOVELL NETWARE SECURITY ASSESSMENT ... 594
S WEB SERVER SECURITY ASSESSMENT ... 596
APPLICATION SECURITY ... 607
T WEB APPLICATION SECURITY ASSESSMENT ... 608
U WEB APPLICATION SECURITY ASSESSMENT (CONTINUE…) – SQL INJECTIONS ... 672
V SOURCE CODE AUDITING ... 701
W BINARY AUDITING ... 723
X APPLICATION SECURITY EVALUATION CHECKLIST ... 724
DATABASE SECURITY ... 727
Y DATABASE SECURITY ASSESSMENT ... 728
2 SOCIAL ENGINEERING ... 777
ANNEXURE - KNOWLEDGE BASE ... 804
3 PENETRATION TESTING LAB ... 805
4 HANDLING FALSE DETECTION RATES ... 815
5 TEAM ... 836
6 FEEDBACK FORM ... 842

© 2005, Open Information Systems Security Group Page 3 of 845

1 EXECUTIVE SUMMARY ... 12
A PENETRATION TESTING METHODOLOGY ... 13
  A.1 PHASE – I: PLANNING AND PREPARATION ... 13
  A.2 PHASE – II: ASSESSMENT ... 13
    A.2.1 INFORMATION GATHERING ... 16
    A.2.2 NETWORK MAPPING ... 16
    A.2.3 VULNERABILITY IDENTIFICATION ... 17
    A.2.4 PENETRATION ... 17
    A.2.5 GAINING ACCESS AND PRIVILEGE ESCALATION ... 18
    A.2.6 ENUMERATING FURTHER ... 19
    A.2.7 COMPROMISE REMOTE USERS/SITES ... 20
    A.2.8 MAINTAINING ACCESS ... 20
    A.2.9 COVER THE TRACKS ... 21
    AUDIT (OPTIONAL) ... 23
  A.3 PHASE – III: REPORTING, CLEAN UP & DESTROY ARTIFACTS ... 23
    A.3.1 REPORTING ... 23
      A.3.1.1 VERBAL REPORTING ... 23
      A.3.1.2 FINAL REPORTING ... 23
    A.3.2 CLEAN UP AND DESTROY ARTIFACTS ... 24
B PENETRATION TESTING METHODOLOGY, PHASE-II EXPLAINED ... 25
  B.1 INFORMATION GATHERING ... 26
    PASSIVE INFORMATION GATHERING ... 29
    ACTIVE INFORMATION GATHERING ... 62
  B.2 NETWORK MAPPING (SCANNING, OS FINGERPRINTING AND ENUMERATION) ... 87
  B.3 VULNERABILITY ASSESSMENT (IDENTIFICATION) ... 127
  B.4 PENETRATION ... 134
  B.5 GAINING ACCESS AND PRIVILEGE ESCALATION ... 134
  B.6 ENUMERATING FURTHER ... 136
  B.7 COMPROMISE REMOTE USERS/SITES ... 136
  B.8 MAINTAINING ACCESS ... 138
  B.9 COVERING THE TRACKS ... 154
    AUDIT (OPTIONAL) ... 169
C HANDLING FALSE DETECTION RATES ... 170
NETWORK SECURITY ... 173
D PASSWORD SECURITY TESTING ... 174
  D.1 FIRST PART: GATHERING AUTHENTICATION CREDENTIALS ... 175
    STEP ONE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER PENETRATION TESTER (LOW PRIVILEGE) ... 177
    STEP ONE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER PENETRATION TESTER (LOW PRIVILEGE) ... 178
    D.1.1 PROCESS (STEPS TO COMPLETE THIS TASK) ... 178
    D.1.2 EXAMPLE USES OF COMMON TESTING TOOL(S) ... 179
    D.1.3 RESULT ANALYSIS / CONCLUSION / OBSERVATION ... 182
    D.1.4 COUNTERMEASURES ... 182