Hacking For Dummies. Kevin Beaver

Page 26

Most email servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.

       An email to an invalid address may return with detailed email header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives. I cover these issues in Chapter 12.
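To see what a bounce message gives away, here is an added example (not from the book) that audits a constructed non-delivery report for internal addresses and software version strings in its headers; the hostnames, IPs and versions in the sample are made up.

```python
"""Audit a bounced message (NDR) for information the mail path leaks.

Added example, not the book's code. The bounce text below is constructed;
its hostnames, IP addresses and version strings are invented.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed bounce message (sample input), not a real capture.
SAMPLE_BOUNCE = """\
Received: from mx1.example-corp.test (mx1.example-corp.test [198.51.100.10])
    by relay.example-isp.test (Postfix) with ESMTP id 7F3A2C0
Received: from exch01.corp.example-corp.test (192.168.10.25) by
 mx1.example-corp.test with Microsoft SMTP Server (version=15.1.2507.6)
X-Mailer: Microsoft Outlook 16.0
Subject: Undeliverable: quarterly report

The following recipient could not be reached: nobody@example-corp.test
"""

# Address ranges that should never appear in headers leaving the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# A Received: header runs until the next line that does not start with whitespace.
RECEIVED_RE = re.compile(r"^Received:.*?(?=^\S|\Z)", re.M | re.S)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Product names commonly found in mail headers, with an optional version token.
VERSION_RE = re.compile(
    r"\b(?:Postfix|Exim|Sendmail|Microsoft SMTP Server|Microsoft Outlook)\b"
    r"(?: \(?version=[\d.]+\)?| \d+(?:\.\d+)+)?")


def is_internal(ip: str) -> bool:
    """True when the address falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_bounce(message: str) -> Dict[str, List[str]]:
    """Return internal IPs, version strings and Received: hops found in the headers."""
    headers = message.split("\n\n", 1)[0]          # headers end at the first blank line
    internal_ips = sorted({ip for ip in IP_RE.findall(headers) if is_internal(ip)})
    versions = sorted({m.strip() for m in VERSION_RE.findall(headers)})
    hops = [h.splitlines()[0] for h in RECEIVED_RE.findall(headers)]
    return {"internal_ips": internal_ips, "versions": versions, "received_hops": hops}
```

Run it against real bounces from your own domain to confirm that edge relays strip internal Received: lines and version banners before mail leaves the network.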

      After finding potential security holes, the next step is confirming whether they’re indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:

       Common Vulnerabilities and Exposures (http://cve.mitre.org/cve)

       US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls)

       NIST National Vulnerability Database (https://nvd.nist.gov)

      These sites list known vulnerabilities — at least, the formally classified ones. As I explain in this book, many other vulnerabilities are more generic in nature and can’t easily be classified. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. You can also find a list of commonly exploited vulnerabilities at www.cisecurity.org/controls/. This site contains the SANS Critical Security Controls consensus list, which is compiled and updated by the SANS organization.

       Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this, at least generally. If you have a lot of free time, manually performing these tests may work for you.

       Automated assessment: Manual assessments are great ways to learn, but people usually don’t have time to complete most manual steps. If you’re like me, you’ll scan for vulnerabilities automatically when you can and dig around manually as needed.

      Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (wired or wireless). They test for specific system vulnerabilities and may focus on standards such as the SANS Critical Security Controls and the Open Web Application Security Project (www.owasp.org). Some scanners map the business logic within a web application; others map a view of the network; others help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they don’t necessarily aggregate and correlate vulnerabilities across an entire network. This task is where your skills and the methodologies I share in this book come into play.


One of my favorite security tools is a vulnerability scanner called Nessus by Tenable (www.tenable.com/products/nessus). It’s both a port scanner and vulnerability assessment tool, and it offers a great deal of help for vulnerability management. You can run one-time scans immediately or schedule scans to run on a periodic basis.

      As with most good security tools, you pay for Nessus. It’s one of the least expensive tools. A free version, dubbed Nessus Essentials, is available for scanning smaller networks with fewer features. Additional vulnerability scanners that work well include QualysGuard (www.qualys.com) and GFI LanGuard (http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard).


Assessing vulnerabilities with a tool such as Nessus requires follow-up expertise. You can’t rely on the scanner results alone. You must validate the vulnerabilities that the tool reports. Study the reports to base your recommendations on the context and criticality of the tested systems. You’ll find that higher-end vulnerability scanners provide proof and related information to help you in your validation efforts.
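The aggregation and context-weighting the text asks of you, both the cross-network correlation scanners skip and the criticality-based prioritisation of scanner output, as an added example that is not the book's code and not any scanner's own format; the findings export, host addresses and criticality ratings are constructed.

```python
"""Aggregate per-host scanner findings across a network and rank them in context.

Added example, not from the book. The CSV below imitates the flat shape of a
scanner export but is constructed; hosts, plugin names and ratings are invented.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed scanner export (sample input), not real scan output.
FINDINGS_CSV = """\
host,port,plugin,cvss
10.0.1.5,445,SMB signing not required,5.3
10.0.1.5,25,SMTP server banner discloses version,0.0
10.0.1.9,445,SMB signing not required,5.3
10.0.1.9,3389,RDP weak encryption,7.5
10.0.2.20,445,SMB signing not required,5.3
10.0.2.20,80,Web app SQL injection,9.8
"""

# Business criticality per host (1 = low, 3 = high); constructed for the example.
CRITICALITY = {"10.0.1.5": 3, "10.0.1.9": 1, "10.0.2.20": 2}


def correlate(findings_csv: str, criticality: Dict[str, int]) -> List[dict]:
    """Group identical findings across hosts and score each group in context.

    score = highest CVSS in the group * number of affected hosts
            * highest criticality among those hosts (unknown hosts count as 1).
    """
    groups = defaultdict(lambda: {"hosts": set(), "cvss": 0.0})
    for row in csv.DictReader(io.StringIO(findings_csv)):
        g = groups[row["plugin"]]
        g["hosts"].add(row["host"])
        g["cvss"] = max(g["cvss"], float(row["cvss"]))
    report = []
    for plugin, g in groups.items():
        top_crit = max(criticality.get(h, 1) for h in g["hosts"])
        score = round(g["cvss"] * len(g["hosts"]) * top_crit, 1)
        report.append({"finding": plugin, "hosts": sorted(g["hosts"]),
                       "cvss": g["cvss"], "score": score})
    # Highest contextual score first; each entry is still a lead to validate by hand.
    return sorted(report, key=lambda r: r["score"], reverse=True)
```

On the sample data a medium-severity finding present on every host outranks the single critical one, which is the kind of network-wide view a per-host scanner report does not give you.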

      You can use identified security vulnerabilities to do the following:

       Gain further information about the host and its data

       Obtain a remote command prompt

       Start or stop certain services or applications

       Access other systems

       Disable logging or other security controls

       Capture screenshots

       Access sensitive files

       Send an email as the administrator

       Perform SQL injection

       Launch a denial of service attack

       Upload a file or create a backdoor user account proving the exploitation of a vulnerability

      Metasploit (www.metasploit.com) is great for exploiting many of the vulnerabilities you find and allows you to fully penetrate many types of systems. Ideally, you’ve already made your decision about whether to fully exploit the vulnerabilities you find. If you have chosen to do so, a screenshot of a remote command prompt on a vulnerable system via Metasploit is a great piece of evidence demonstrating vulnerability.


If you want to delve further into best practices for vulnerability and penetration testing methodologies, I recommend that you check out the Open Source Security Testing Methodology Manual (www.isecom.org/research.html). The Penetration Testing Execution Standard (www.pentest-standard.org/index.php/Main_Page) and PCI DSS Penetration Testing Guidance (http://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf) are great resources as well.
