Conducting Vulnerability Assessments

First, write a proposal for upper management. There are serious consequences of, say, crashing old Novell servers on the network with a port scan. Make sure management is knows the risks. Specify the scope: Will you run a one-time scan or a periodic one? Could it dangerous? Will it be run during business hours?

Unfortunately, many vulnerabilities can be tested only by exploiting them. You may not know your ftp server is vulnerable to a buffer overflow unless you try it. Many checks can make educated decisions about vulnerabilities based on banner strings, but there's often no substitute for an actual attack. So clarify up front which exploits you'll be trying on which targets--with input from management and system administrators.

Explain the pros and cons of conducting the scan. It's important to present the risks and benefits so management can make an informed decision. And there's little point in identifying problems if management isn't interested in allocating resources to address them. Getting buy-in from corporate helps ensure that when you blow the whistle, system admins will have the motivation and support to patch the vulnerabilities.

Once you know which networks will be scanned and how intrusive the VA will be, it's time to select your tools. Hundreds are available, both free and commercial. Some are versatile, conducting thousands of scans; others perform a specific function, such as identifying operating systems or trying a single exploit like NetBIOS RPC. Some of the best security tools are open source--the only costs are time and a willingness to learn. As the saying goes, open-source software is free as in beer and free as in speech.For organizations lacking security experience, it may be cheaper to buy a commercial product than to train IT staffers to use an open-source package. Moreover, commercial tools come with product support, which may be crucial for organizations with high availability and reliability requirements for a VA product. (For a more detailed look at the field of commercial VA tools, see "VA Scanners Pinpoint Your Weak Spots,".) However, the total cost of open source is usually less than or comparable to that of a commercial tool. The other advantage of open source is that your IT group will learn the intimate details of the scanning process and generate custom scans more easily.

Among the freeware tools we used for this article is Nessus, a fully featured open-source vulnerability scanner developed by Renaud Deraison of Tenable Network Security. Nessus contains more than 7,000 plug-ins and a built-in scripting language that can be used for most any type of scanning you want to code. It can chomp through vulnerabilities quickly and thoroughly. Nessus and nmap--the pre-eminent port scanner that Trinity used in The Matrix Reloaded--are two of the most popular VA tools.

If you're a Linux whiz, you'll probably want to select your favorite distribution. Even the uninitiated will appreciate how little effort is required to run a Linux scanner, thanks to Knoppix, the granddaddy of most LiveCD distributions--a whole OS running right from a bootable CD. Although there are nearly a dozen other LiveCD distributions enhanced specifically for security, few have been updated as regularly as Knoppix. Most important, it has very recent versions of both nmap and Nessus.

I used Knoppix 3.8 CeBIT edition. Download the ISO CD image from the Knoppix home page, burn it to a CD and boot the CD on the computer you'll be using to perform the VA. Don't worry--no changes will occur on the hard drive. If you're using a German ISO, you may want to use the boot code knoppix lang=us.

First, test your network connection by using the Konqueror Web browser, which loads when Knoppix finishes booting. If the network needs further tweaking, click the Penguin menu and select "network/Internet." Once you've verified that the network is working, run the "root shell" option available under the Penguin menu and enter nessus-update-plugins. This command does exactly what you'd expect: It updates Nessus with the latest open-source vulnerability tests. From the K menu (think Start button), select "System/Security/Nessus." Following the directions in the pop-up, enter the password knoppix and log in. You'll notice that Nessus uses a certificate login system. Since Nessus is actually run in two parts--a server and a client to control the server's scans and view results--the certificate structure lets the client be on a host or OS different from that of the server.After you've logged in, you'll see a notice saying dangerous plug-ins have been disabled. Nessus by default disables vulnerability tests that could cause problems like server crashes. Although the denial-of-service category may still be enabled, the option "safe checks" in the Scan Options tab will prevent some tests from running. Depending on your level of management approval, disable safe checks for a more intrusive scan. Feel free to experiment with the settings--scans can be configured to be very thorough, quick or somewhere in between.

One important option for scanning multiple hosts is "Number of hosts to test at the same time" on the Scan Options tab. With reasonably powerful hardware and networks, this can, and probably should be, increased well above the Knoppix default of 1. But beware that network load will increase accordingly.

If you're scanning a few hosts on a largely empty network, you may waste a lot of time on empty IP addresses. To speed things up, first use nmap to find live hosts, then use Nessus for the full scan. In the root shell opened for the plug-in update, issue the command nmap -sP -T4 -oG output.txt 192.168.0.0/24. Next, substitute the network and mask you plan on scanning. The results will flash by the screen, but they'll also be in the file "output.txt," which we can feed into Nessus. That command tells nmap the following options:

• Use ICMP ping packets (-sP)

• Aggressive speed (-T4)• Write output that's useful for scripts into output.txt (-oG)

• For the target network 192. 168.0.0/24.

With XP SP2 blocking ICMP pings by default, there are other scan options that may be more useful to determine the available hosts. The Nmap home page has more information on different scan types. To import the list of IP addresses into Nessus, use the command grep 'Status: Up' output.txt|awk '{print $2}' > ip-list.txt, which creates a list of all the pingable IP addresses in ip-list.txt. The directory by default is /ramdisk/home/knoppix. Now revisit the Target tab in Nessus, and use the "read file" button to access the address list. Start the scan and go for a coffee break.

When the scan is complete, you'll see a results pane. Export your scan results to the different file formats and see which you prefer. Although Nessus' reporting is not as feature-rich as some commercial scanners, it is functional. And the XML format allows post-processing by other programs, letting you take the raw Nessus results and develop your own custom report or filter.

Coming to GripsOnce you have your VA report, turn it over to management and the system admins who will patch the vulnerabilities. Don't start another scan without working through the vulnerabilities discovered. The goal is to help admins, not overwhelm them. Investigate technical and policy restrictions that require any new computer on the network to be scanned before it's allowed on the network--this will dramatically shrink the number of incidents.

VA is an ongoing process and just one component of a full security plan. By adopting a process of scan, patch and repeat, you can prevent the bad guys and rogue code from crossing the border.

Jordan Wiens is a network security engineer at the University of Florida, where he works on IDS/IPS, forensics, VA and system security. Write to him at [email protected].

There's no one-size-fits-all approach to VA. Here are some other tools worth considering:

• Continuous/periodic scanning. Out of the box, Nessus lacks what's considered standard in many commercial scanners: periodic scanning. Fortunately, Inprotect, an open-source front end to Nessus, provides this feature. It also can speed up scans by using a knowledge base--that is, it will conduct a new scan based on the results of a prior scan. But because the new scan will look only for vulnerabilities detected in the earlier baseline scan, it will miss new vulnerabilities.Purdue University's VSC (Vulnerability Scanning Cluster, vsc-dev. itsp. purdue. edu) lets you cluster multiple Nessus scanners to one front end. It offers many of the same reporting and scheduling features as Inprotect.

• Proof. Although false positives are relatively infrequent, system administrators don't always trust Nessus' results. The Metasploit Framework is useful for confirming VA results, though it can be abused. We've seen Metasploit code installed after a compromise by a malicious attacker and then used to attack other internal hosts. But it's useful for VA because it helps furnish proof that a vulnerability is real.

Commercial products Canvas by Immunity and Core Impact by Core Security Technologies both focus on a more complete set of exploits, have better interfaces than Metasploit, and may be better for a true pen-test team.

• Very large networks. Scanning a large network can be time-consuming. You must scale up the abilities of the scanner or scale down the scan's scope. Purdue's VSC may help by leveraging multiple scanners, but sparsely populated networks (think 10.0.0.0/8) may take a long time even for nmap. The Paketto Keiretsu suite from Dan Kaminsky includes a tool called Scanrand that uses cryptographic optimizations to scan large networks quickly.

• Subnet allocations. Large networks with many delegated subnets may have a tracking database or some other mechanism of tracking who owns what. If possible, automate reports from this database that generates targeted results for each subnet or administrator. That way, most of the hard work in preparing a useful report is already done.• Client-side vulnerabilities. Active scanning products can detect vulnerabilities only in servers, not clients. Since many vulnerabilities exploited are in Web, e-mail and other clients, active scanning has a blind spot.

Passive vulnerability assessment, however, can help stop client problems. It works like an IDS, passively monitoring the network but focusing on vulnerabilities rather than intrusions. Sourcefire's RNA and Tenable Network Security's NeVO are two such products, though some other conventional IDS products incorporate the profiling and client-side detection methods of passive assessment.