Building Open Source Network Security Tools: Components and Techniques [Electronic resources]

Mike D. Schiffman

Chapter 10: Attack and Penetration Techniques

Vulnerability is the state of being open to attack or damage from an assailant. From a network computer security perspective, this definition extends to the state of being open to attack or damage across a network resulting from a security flaw. Vulnerabilities come in all shapes and sizes, including user error, unexpected interactions between two systems, and programming flaws. A short list of vulnerability categories includes: buffer overflows, format strings, race conditions, cross-site scripting (XSS), and denial of service (DoS). These vulnerabilities, when exposed (via scanning) and subsequently exploited (via testing), can yield all sorts of jewels to the attacker, including information leakage, network enumeration, down time, file contents, usernames, passwords, and the holy grail of privilege escalation.

The attack and penetration class concerns itself with the vulnerabilities that lie in computer systems. Being able to determine the susceptibility of a particular system to a class or range of vulnerabilities is a powerful technique, trumped only by having the ability to actually execute a program to exploit the vulnerability. This chapter discusses both techniques.


Vulnerability Scanning


Vulnerability scanning is the process of determining a system's susceptibility to a series of security flaws. Tools that implement this technique test a target for a series of catalogued vulnerabilities, reporting the results to the user. This technique is as important to the security consultant as to the system administrator, because the protection of systems should be a proactive task. By scanning systems for vulnerabilities and finding them before malevolent individuals do, the protagonist can then fix them before they become security breaches.


Vulnerability Scanner Constituent Elements


Vulnerability scanners (or just scanners) range from relatively simple programs like the one at the end of this chapter to incredibly complex multi-tiered applications. Regardless of complexity however, most scanners have a structure similar to the one shown in Figure 10.1.


Figure 10.1: Vulnerability scanner breakdown.

Interface and Scanning Engine


The interface is the command and control element by which the user controls the behavior of the scanner. The interface, which is often graphical, coordinates and receives updates from the scanning engine and dictates how the final report should generate. It might also be remotely located (across a network or across the Internet) from the scanning engine. When remotely positioned, the interface engages in a textbook client/server relationship with the scanning engine. As a matter of best practice, they will (should) communicate over an encrypted channel. Also, when physically detached from the scanning engine, the interface might control multiple scanning engines (which you can deploy in order to distribute and parallelize the scan). The scanning engine itself performs the actual testing across one or more target systems, handling all of the details of each vulnerability that you will test.

Target Systems


Target systems are specified by IP address or hostname and are fed to the scanning engine from the interface. While single systems might be scanned individually, a group of contiguous systems is typically scanned one after another (or in parallel), grouped by IP netblock.

Vulnerability Database


The scanning engine pulls the vulnerabilities that it needs to scan for from the vulnerability database. The makeup of the database varies across different implementations, but generally speaking, each entry contains all of the information that is necessary for the scanning engine to perform the test and to subsequently determine whether the target system is vulnerable or not. Some vulnerability scanners include a high-level scripting language enabling users to rapidly add their own custom tests.

The important distinction to make concerning vulnerability scanners is that they do not actually find new or as yet undiscovered vulnerabilities. They simply try to determine whether a given system is vulnerable to a given, already known security flaw. The robustness of a scanner is therefore determined solely by how complete its vulnerability database is.

Scan Results and Final Report


The scanning engine writes the results of each test to the results database, which the interface then uses to generate the final report. The flexibility and robustness of a scanner's reporting capability is often the measure of its utility. The final report is often the fruit of a laborious effort, and how you present this information is extremely important. The composition of the final report often varies depending on the audience. Modern scanners enable the user to choose from a variety of reporting templates, including an executive or technical summary, and from formats such as Hypertext Markup Language (HTML), Extensible Markup Language (XML), or plain ASCII text.
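The structure described above (vulnerability database, scanning engine, results database, report templates) as a minimal working skeleton; this is an added example, not code from the book or its scanner. The vulnerability IDs and product names are hypothetical, and the target banners are constructed in-memory data standing in for what a probe phase would collect, so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable

# One vulnerability-database entry: everything the scanning engine needs to
# run a catalogued test and decide whether a target is vulnerable.
@dataclass(frozen=True)
class VulnEntry:
    vid: str
    title: str
    severity: str
    check: Callable[[dict], bool]  # True when the target is vulnerable

def version_below(banner: str, product: str, fixed: tuple) -> bool:
    """True if the banner advertises `product` at a version older than `fixed`."""
    m = re.search(rf"{re.escape(product)}[ /](\d+)\.(\d+)", banner)
    return bool(m) and tuple(map(int, m.groups())) < fixed

# Constructed database: hypothetical IDs and products, not real advisories.
VULN_DB = [
    VulnEntry("EX-0001", "ExampleFTPd before 2.0 (hypothetical)", "high",
              lambda t: version_below(t.get("ftp", ""), "ExampleFTPd", (2, 0))),
    VulnEntry("EX-0002", "Anonymous FTP login enabled", "medium",
              lambda t: t.get("ftp_anonymous", False)),
    VulnEntry("EX-0003", "ExampleHTTPd before 1.4 (hypothetical)", "low",
              lambda t: version_below(t.get("http", ""), "ExampleHTTPd", (1, 4))),
]

# Constructed target facts (what a probe phase would have gathered per host).
TARGETS = {
    "192.0.2.10": {"ftp": "220 ExampleFTPd 1.7 ready", "ftp_anonymous": True,
                   "http": "Server: ExampleHTTPd/1.2"},
    "192.0.2.11": {"ftp": "220 ExampleFTPd 2.1 ready", "ftp_anonymous": False,
                   "http": "Server: ExampleHTTPd/1.4"},
}

def scan(targets: dict, db: list) -> list:
    """Scanning engine: run every catalogued test against every target and
    write one row per finding into the results database (here, a list)."""
    results = []
    for host, facts in targets.items():
        for v in db:
            if v.check(facts):
                results.append({"host": host, "vid": v.vid,
                                "title": v.title, "severity": v.severity})
    return results

def report(results: list, template: str = "technical") -> str:
    """Interface side: render the results database with the chosen template."""
    if template == "executive":  # counts per severity only
        counts = {}
        for r in results:
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
        return "\n".join(f"{sev}: {n}" for sev, n in sorted(counts.items()))
    return "\n".join(f"{r['host']} {r['vid']} [{r['severity']}] {r['title']}"
                     for r in results)

if __name__ == "__main__":
    print(report(scan(TARGETS, VULN_DB)))
```

Note that the engine can only ever flag what is in `VULN_DB`: the second host, whose versions are at or past the catalogued fix levels, produces no findings, which illustrates why database completeness bounds the scanner's usefulness.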
