For those new to the art of vulnerability management, the vast array of scanners and other tools of the trade can be overwhelming. Which ones work best? Which ones are most affordable?
At last month's SANS Boston 2010 training sessions, SANS Institute President Stephen Northcutt ran through the basic tools and what they do in a talk called "SANS Security Leadership Essentials for Managers with Knowledge Compression."
How to do a vulnerability scan
First, Northcutt ran students through the basic functions of these scanners and how to go about running one. Before getting started, he suggested practitioners heed the following checklist:
- First, get permission from the top brass before running a scan. Explain what you are doing, which is essentially finding the company's vulnerabilities before the bad guys do.
- Put out the word ahead of time, publish your phone number and remember people hate the kind of surprises a scan will generate.
- Click your target selection, choose a system to go after and tell it to expand the subnet. From there, keep the window narrow, scanning only one subnet at a time. That way, you won't bog down the system and overwhelm yourself by making a whole bunch of flaws show up at one. Find and fix them in small batches to avoid mental overload.
- During a heavy scan, do not initiate a denial-of-service scan right out of the gate.
- Only do a scan when you are in the office and by the phone.
- Fix the red priority problems first.
Also remember that you should only scan networks you are authorized to scan. Going beyond your mandate and widening the field too much will probably set off someone else's intrusion detection system and get you in trouble, Northcutt said.
When choosing a scanner, Northcutt said you must consider the following:
- How is the product licensed?
- Is the product flexible enough to handle your company's planned growth?
- How interoperable is the product? Does it support the Common Vulnerabilities and Exposures (CVE) standard for cataloguing vulnerabilities?
- Can you easily compare the results of a scan today with the results of a scan from four weeks ago, or is it a fully manual process?
- Does your manager like the reporting output?
Enter Hping, the spoofing port scanner
Next, Northcutt walked students through the ins and outs of Hping version 3.0, a a network analysis tool he described as stealthier than another, more well-known tool called Nmap. Hping can craft packets with a customized destination and source port, window size, identification field, TCP flags and more.
Like Nmap, one of Hping's most valuable (or more dangerous) abilities is to spoof the IP address of a third party, making the true origin of the scan hard to detect. But unlike Nmap, Hping will first find a silent host on the Internet that is idle. At any given time, many Internet hosts are up but not engaged in any communications. No packets are being sent or received. Although unattended, silent hosts still listen on the network and will "speak up if asked politely," Northcutt said. By using multiple silent hosts, an attacker could run a very stealthy port scan that's very difficult to detect.
p0f: Passive OS detection
Another tool worth knowing about is p0f, which passively observes network traffic and can examine specific portions of the TCP/IP stack. It will make fairly accurate predictions about the operating system of the network that sent the traffic. The tool works best when observing implementations that do not have alterations to its TCP/IP stack implementation. But it's also capable of identifying systems whose TCP/IP fingerprint may have been altered to hide another operating system.
Nmap and Nessus
Two of the more popular scanners in use today are Nmap and Nessus. For those unfamiliar with these tools, Northcutt offered the following breakdown:
Northcutt warned that vulnerability scanners work more slowly and can create some false positives. The user should go in understanding that and take care not to go nuts if the scanner spits back a report telling you there are a large number of vulnerabilities. An administrator's task upon seeing the scan results is to confirm what really exists and how serious they are in terms of the software affected and the potential damage hackers can do if exploiting them. That's where the exploit tools come in.
Exploitable vulnerabilities? Prove it
After a scanner reports back on vulnerabilities that may exist, there are automated tools you can use to see if they do indeed exist and are exploitable. Northcutt mentioned two in particular -- Metasploit and CORE Impact.
Metasploit is widely popular in the hacker community and offers safety rankings for exploits. CORE Impact from Core Security Technologies is a commercial version that's well respected. Others worthy of mention include Saint and Canvas from ImmunitySec.
These tools lead us to another aspect of vulnerability management that will be the focus of our next article in the series: penetration testing.