Automated Assessment Tools

It's not always possible to perform every security test manually. Many checks, scans, and fixes are best performed by automated tools. So many new vulnerabilities are discovered daily that it's hard to keep up. If you're not using an automated patch management system, how do you know if all the patches that should have been installed actually have been?

To combat these problems, ethical hackers can benefit from automated assessment tools. In most situations, ethical hackers are going to use a combination of manual and automated tools. Automated tools allow the ethical hacker to cover a lot of ground quickly and use the results for further manual inspection. An entire range of security assessment tools are available. Some look at source code, others look at applications, and still others are developed to look at entire systems or networks. These solutions also have different usability and interfaces, which range from command-line interfaces to GUI products. These products can also be divided into further categories, as some are free and others are for purchase or are run through a subscription service.

Automated Assessment Tool Categories

You'll find that there is no shortage of vulnerability assessment tools on the market. These tools can be used to scan internal or external computers for vulnerabilities. Some of these tools are commercial and might require an annual subscription, whereas others are open source and won't cost you anything to initially acquire. All these tools can be broken into three basic categories, including

• Source code scanners examine the source code of an application.
• Application scanners examine a specific application or type of application.
• System scanners examine entire systems or networks for configuration or application-level problems.

Source Code Scanners

Source code scanners can be used to assist in auditing security problems in source code. Source code scanners can detect problems, such as buffer overflows, race conditions, privilege escalation, and tainted input. Buffer overflows enable data to be written over portions of your executable, which can allow a malicious user to do just about anything. Race conditions can prevent protective systems from functioning properly, or deny the availability of resources to their rightful users. Privilege escalation occurs when code runs with higher privileges than that of the user who executed it. Tainting of input allows potentially unchecked data through your defenses, possibly qualified as already error-checked information. Some tools used to find these types of problems include

• Flawfinder A Python program that searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first.
• Rough Auditing Tool for Security (RATS) RATS is written in C and contains external XML collections of rules that apply to each language.
• StackGuard A compiler that builds programs hardened against stack smashing attacks. Stack smashing attacks are a common and big problem for Linux and Windows applications. After programs have been compiled with StackGuard, they are largely immune to stack smashing attack.
• Libsafe Produces a transparent protection method that has the big advantage of not requiring applications to be recompiled. It guards against buffer overflows and can protect applications for which the source code isn't available.

Application Level Scanners

Application-level scanners are the next type of vulnerability scanner examined. Application scanners provide testing against completed applications or components rather than the source code. This type of assessment tool looks at vulnerabilities as the program is running. Scanners can examine their configuration and look for problems. Some examples of application-level scanners include

• Whisker One of the oldest Web application scanners still around. Whisker has the capability to check for CGI vulnerabilities and comes with excellent documentation, which should be carefully reviewed. CGI is vulnerable in that it can leak system information that should be kept confidential, and it allows remote users to execute inappropriate commands. Whisker requires Perl, so if you're going to use it, make sure that you have an appropriate Perl environment available.
• N-stealth This GUI-based application assessment tool comes with an extensive database of over 30,000 vulnerabilities and exploits. It provides a well-formatted report that can be used to analyze problems as high, medium, or low threat.
• WebInspect Another web application vulnerability scanning tool. It can scan for over 1,500 known Web server and application vulnerabilities and perform smart guesswork checks for weak passwords.
• Nikto Simple, easy to use Perl script web vulnerability program that is fast and thorough. It even supports basic port scanning to determine if a Web server is running on any open ports.
• AppDetective This application-level scanner performs penetration and audit tests. The Pen Test examines your system from a hacker's point of view. It doesn't need any internal permissions; the test queries the server and attempts to glean information about the database it's running, such as its version. The audit test can detect any number of security violations on your server, from missing passwords and easily guessed user accounts to missing service packs and security patches.

System-Level Scanners

The final category of scanners is system-level scanners. These types of scanners are versatile in that they can probe entire systems and their components rather than individual applications. A system-level scanner can be run against a single address or a range of addresses and can also test the effectiveness of layered security measures, such as a system running behind a firewall. Nessus is a good example of a system-level scanner.

Although system-level scanners are not going to probe the source code of individual applications, they can sweep entire networks in search of a variety of vulnerabilities. When performing an ethical hack system, level scanners can be used remotely. This is far more efficient than attempting to audit the configuration of each individual machine. System scanners are not perfect. They cannot audit the source of the processes that are providing services, and they must rely on the responses of a service to a finite number of probes, meaning that all possible inputs cannot be reasonably tested. System level scanners can also crash systems. Many of the tests they can perform are considered dangerous and can bring a system offline. Although many tools of this type can perform IDS evasion, they are not generally considered stealth tools. So if the objective of the security test is to go undetected, a system level scanner might not be your best choice for a tool.

Probably the most important point about system-level scanners is that they are not a substitute for more thorough tests and examinations. They are but one tool in the ethical hacker's tool kit. They shouldn't be looked at as the sole component of a penetration test. Their role is to supplement other tools and test techniques. Source code and application scanning should also be used, where applicable. An in-depth vulnerability assessment consists of all the components we have discussed. No one can completely substitute for another. Let's now look at some of the more popular system level scanners:

• Nessus An open source, comprehensive, cross-platform vulnerability scanner with Command Line Interface (CLI) and Graphical User Interface (GUI) interfaces. Nessus has a client/server architecturewith clients available for UNIX, Linux, and Windows and servers available for UNIX, Linux, and Windows (commercial). Nessus is a powerful, flexible security scanning and auditing tool. It takes a basic "nothing for granted" approach. For example, an open port does not necessarily mean that a service is active. Nessus tells you what is wrong and provides suggestions for fixing a given problem. It also supports many types of plugins, ranging from harmless to those that can bring down a server. The Plugins menu is shown in Figure 5.3.

  Figure 5.3. Nessus setup.

• NeWT (Nessus Windows Technology) A Windows version of Nessus that has the same capabilities and checks as Nessus. The free version can only scan the local network. The more powerful remote version must be purchased. The configuration page is shown in Figure 5.4.

  Figure 5.4. NeWT setup.

• SAINT This commercial scanner provides industry respected vulnerability scanning and identification. It has a web-based interface, and the deployment platforms for this product are Linux and UNIX. It is certified Common Vulnerabilities and Exposures (CVE) compliant and allows you to prioritize and rank vulnerabilities to let you determine the most critical security issues that you should tackle first.
• SARA This system-level scanner features a command-line interface and web-based GUI. It is a freeware application. Instead of inventing a new module for ever conceivable action, SARA is adapted to interface to other open source products. It's considered a gentle scanner, which means that the scan does not present a risk to the operating network infrastructure. It's compliant with SANS Top 20, supports CVE references for identified vulnerabilities, and can be deployed on UNIX, Linux, and Mac OS X.
• ISS Internet Scanner A commercial product available from Internet Security Systems. Its deployment platform is Windows NT/2000/XP/2003. The package provides extensive vulnerability scanning and identification across network platforms and devices via CLI and GUI interfaces. It can identify more than 1,300 types of networked devices. After these devices have been scanned and identified, Internet Scanner can analyze their configuration, patch levels, operating systems, and installed applications. Then it can generate a report identifying vulnerabilities.
• NetRecon A commercial scanner produced by Symantec. It provides vulnerability scanning and identification. It has the capability to learn about the network as it is scanning. As an example, if it finds and cracks a password on one system, it will try the same password on others. The application has a GUI interface, and its deployment platform is Windows NT/2000/XP.
• Retina A commercial product from eEye Digital Security. It provides vulnerability scanning across systems and network devices. It is fast and can discover wired and wireless devices. Retina has a GUI interface, and its deployment platform is Windows NT/2000/XP/2003.
• LANguard A full service scanner that reports information, such as the service pack level of each machine, missing security patches, open shares, open ports, services/application active on the computer, key registry entries, weak passwords, users and groups, and more.
• VLAD An open source vulnerability scanner. Written in Perl, VLAD is designed to identify vulnerabilities in the SANS Top 10 List. It has been tested on Linux, OpenBSD, and FreeBSD.

Review Break

There are all different types of vulnerability assessment tools. Make sure that you understand the capabilities of each. Some of the major ones are shown here:

Exam Alert

You should be able to describe the different types of scanners and discuss how each is used.

Automated Exploit and Assessment Tools

Although the assessment tools recently discussed can make your job much easier, the next set of tools about to be discussed will be even more intriguing. These tools represent where vulnerability assessment software is headed. Tools such as Nessus and others have long had the capability to integrate the scanning, assessing, and reporting functions. The tools in the following list take this functionality to the next step by tightly integrating the capability to exploit a suspected vulnerability. That's right; these tools can actually offer one-click exploitation. This section discusses the free tool Metasploit and Exploitation Framework, and then moves on to CANVAS, and Core IMPACT, which are both commercial products.

• Metasploit An all-in-one exploit testing and development tool. Metasploit allows you to enter an IP address and port number of a target machine and run the chosen exploit against the targeted machine quite easily. This is an open source tool that can be compared to CANVAS and Core IMPACT. Metasploit was developed using Perl, C language, and Python. It is available for Linux and Windows. It can have the victim connect back to you, open a command shell on the victim, or allow you to execute code on the victim. After you have a shell on the victim, you are only a few short steps away from making yourself a privileged user.
• Exploitation Framework Similar to Metasploit, except that this particular tool is backed up by one of the largest exploit databases known. It runs off the ExploitTree database that is publicly available. It is almost scary to examine how easy this tool is to use even by the complete novice. A screenshot of the Exploitation Framework can be seen in Figure 5.5. After you have used a system level scanner (such as Nessus) to find a vulnerability, attacks can be launched in four simple steps:
   

  1.	Select your exploit from the Exploit List.
  2.	Specify all required parameters.
  3.	Click the Exploit button.
  4.	Enjoy the shell that you now have on the victim's computer.

  Figure 5.5. Exploitation Framework.

  Tip

  Practice using the Exploitation Framework to understand its operation.

• CANVAS An automated attack and penetration tool developed by Dave Aitel of Immunity.com. It was written in Python, so it is portable to Windows and Linux. It's a commercial tool that can provide the security professional with attack and penetration capabilities. Like Metasploit, it is not a complete all-in-one tool. It does not do an initial discovery, so you must add your targets manually. It's cleaner and more advanced that Metasploit, but it does require that you purchase a license. However, this does provide you with updates and support. Overall, this is a first-rate tool for someone with penetration and assessment experience.
• Core IMPACT An advanced commercial penetration testing tool suite. Core IMPACT is a mature point and click automated exploit and assessment tool. It's a complete package that steps the user through the process, starting at scanning and continuing through the exploit and control phase. One unique trait of the product is that it supports a feature known as pivoting. Basically pivoting allows a compromised machine to be used to compromise another. This tool is useful for everyone from the novice to the seasoned security professional. Take a look at the interface shown in Figure 5.6.

  Figure 5.6. Core IMPACT.