An assessment can start by using some form of an information
gathering tool. When assessing the entire network, map the layout
first to find the hosts that are running. Once located, examine
each host individually. Focusing on these hosts requires another
set of tools. Knowing which tools to use may be the most crucial
step in finding vulnerabilities.
Just as in any aspect of everyday life, there are many different
tools that perform the same job. This concept applies to performing
vulnerability assessments as well. There are tools specific to
operating systems, applications, and even networks (based on the
protocols used). Some tools are free; others are not. Some tools
are intuitive and easy to use, while others are cryptic and poorly
documented but have features that other tools do not.
Finding the right tools may be a daunting task, and in the end,
experience counts. If possible, set up a test lab and try out as
many tools as you can, noting the strengths and weaknesses of each.
Review the README file or man page for the tool. Additionally, look
to the Internet for more information, such as articles,
step-by-step guides, or even mailing lists specific to a tool.
The tools discussed below are just a small sampling of the
available tools.
Nmap is a popular tool included in Red Hat Enterprise Linux that
can be used to determine the layout of a network. Nmap has been
available for many years and is probably the most often used tool
when gathering information. An excellent man page is included that
provides a detailed description of its options and usage.
Administrators can use Nmap on a network to find host systems and
open ports on those systems.
Nmap is a competent first step in vulnerability assessment. You
can map out all the hosts within your network and even pass an
option that allows Nmap to attempt to identify the operating system
running on a particular host. Nmap is a good foundation for
establishing a policy of using secure services and stopping unused
services.
Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address
of the machine to scan.
The results of the scan (which could take up to a few minutes,
depending on where the host is located) should look similar to the
following:
Starting nmap V. 3.50 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
443/tcp open https
515/tcp open printer
950/tcp open oftep-rpc
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 71.825 seconds
Nmap tests the most common network communication ports for
listening or waiting services. This knowledge can be helpful to an
administrator who wants to close down unnecessary or unused
services.
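As an added example (not part of the original guide), the following Python script parses the nmap 3.50 output format quoted above and compares the open ports against a hypothetical baseline of the services the host is supposed to expose, reporting both unexpected listeners (candidates for shutdown) and expected services that are not listening. The sample output and the baseline are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the nmap 3.50 scan output quoted in the text above.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 3.50 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
443/tcp open https
515/tcp open printer
950/tcp open oftep-rpc
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 71.825 seconds
"""

# Hypothetical baseline: services this host is expected to run, keyed by
# "port/proto" exactly as nmap prints it.
EXPECTED_SERVICES = {"22/tcp": "ssh", "443/tcp": "https"}

# One port line: "<port>/<proto> <state> <service>"; header and summary
# lines do not start with a number, so they never match.
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(output: str) -> Dict[str, str]:
    """Return {"port/proto": service} for every port nmap reports as open."""
    found: Dict[str, str] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "open":
            found[m.group(1)] = m.group(3)
    return found


def by_port_number(port: str) -> int:
    return int(port.split("/")[0])


def unexpected_ports(output: str, expected: Dict[str, str]) -> List[str]:
    """Open ports that are not in the baseline: review or shut them down."""
    extra = [p for p in parse_open_ports(output) if p not in expected]
    return sorted(extra, key=by_port_number)


def missing_services(output: str, expected: Dict[str, str]) -> List[str]:
    """Baseline services that nmap did not find listening."""
    open_ports = parse_open_ports(output)
    return sorted((p for p in expected if p not in open_ports), key=by_port_number)
```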
For more information about using Nmap, refer to the official
homepage at the following URL:
https://www.insecure.org/
Nessus is a full-service security scanner. The plug-in
architecture of Nessus allows users to customize it for their
systems and networks. As with any scanner, Nessus is only as good
as the signature database it relies upon. Fortunately, Nessus is
frequently updated and features full reporting, host scanning, and
real-time vulnerability searches. Remember that there could be
false positives and false negatives, even in a tool as powerful and
as frequently updated as Nessus.
Note: Nessus is not included with Red Hat Enterprise Linux and is not
supported. It has been included in this document as a reference to
users who may be interested in using this popular application.
For more information about Nessus, refer to the official website
at the following URL:
https://www.nessus.org/
Nikto is an excellent common gateway interface (CGI) script
scanner. Nikto not only checks for CGI vulnerabilities but does so
in an evasive manner, so as to elude intrusion detection systems.
It comes with thorough documentation which should be carefully
reviewed prior to running the program. If you have Web servers
serving up CGI scripts, Nikto can be an excellent resource for
checking the security of these servers.
Note: Nikto is not included with Red Hat Enterprise Linux and is not
supported. It has been included in this document as a reference to
users who may be interested in using this popular application.
More information about Nikto can be found at the following
URL:
https://www.cirt.net/code/nikto.shtml
VLAD is a vulnerability scanner developed by the RAZOR team at
Bindview, Inc., which checks for the SANS Top Ten list of common
security issues (SNMP issues, file sharing issues, etc.). While not
as full-featured as Nessus, VLAD is worth investigating.
Note: VLAD is not included with Red Hat Enterprise Linux and is not
supported. It has been included in this document as a reference to
users who may be interested in using this popular application.
More information about VLAD can be found on the RAZOR team
website at the following URL:
https://www.bindview.com/Support/Razor/Utilities/
Depending upon your target and resources, there are many tools
available. There are tools for wireless networks, Novell networks,
Windows systems, Linux systems, and more. Another essential part of
performing assessments may include reviewing physical security,
personnel screening, or voice/PBX network assessment. Emerging
concepts, such as war walking (scanning the perimeter of your
enterprise's physical structures for wireless network
vulnerabilities), can be investigated and, if needed, incorporated
into your assessments.
Imagination and exposure are the only limits of planning and
conducting vulnerability assessments.