Solved

How to perform a network security, penetration and vulnerability test?

Posted on 2011-03-23
Last Modified: 2012-08-13
I need to perform network intrusion and penetration testing.  I need some ideas on what "tools" such as software would work.  I am the network administrator and just recently underwent an IT audit, and this was one issue that always gets me.  No Testing.

Since I am the network admin, and I know all the hardware & passwords, it is a little hard for me to just sit down and do this type of testing.  First, I cannot find anyone in my local area who does this type of work.  Second, the people I would get - do I really trust their testing??

Let's say I'm Joe the Hacker and I gain access to my network.  I take my laptop and plug into a network jack.  What do I do?  Being the hacker, I do not know anything about this network.  (The network does have static IPs.)  The hacker does not have physical access to any network equipment, such as the servers, Cisco router, PIX and/or switches.  All the hacker has would be his laptop and maybe a local Windows XP Pro workstation.

So what do we do to get started to find anything?
Question by:rahowell2
Author Comment

by:rahowell2
ID: 35204132
That local workstation is locked down, either by the user logging out or it could be just sitting there at the log-in screen.

Accepted Solution

by: Hutch_77 (earned 168 total points)
ID: 35204136
Sam Spade is a good tool to test from the outside... but if you really want to test, google PCI compliance testing.  There are loads of companies that do it and can do it from anywhere.  They are trustworthy as their businesses are relying on trust, as is their freedom.  REQUIRE a non-disclosure agreement and have a lawyer look it over.

Assisted Solution

by: m_walker (earned 166 total points)
ID: 35204190
While not the answer about what tools, keep in mind that part of an audit is also to test that things work the way they are configured.  So some of your testing should be around the config.

e.g.: If you have a public wifi network that you allow to surf, but must go via your proxy server and must not be able to connect to your admin network..... how are you going to test it?  Hacking is one way, but you can also check that your rules and ACLs work.

In my example, connect a computer to the wifi network and don't set any proxy settings.  Can you surf, can you ping, can you hit an admin server.... i.e.: does it stop what you think it should stop?

If data is meant to be encrypted, run Wireshark and check it.

My key point is: form a plan to test your rules and document the results.  List all the areas that failed your test and put an action against each to correct it, then check it off when corrected.   This does not rule out other hacking type testing, but will go a long way for your next audit.

I have seen a lot of systems where outside people set it up.  Their job is to make it work, not make it safe as such; even though the design said "set up such that..." it was not done.  So we test what should happen to ensure it works as it should.

If you are trying to hack into something you look for weak points.  Search the net for default passwords for your systems and services and see if they work.... there could be a back door password you don't know of.  I had a wifi device that no one knew the password to.  I ran a port scan and it showed the SNMP port as open.  So I connected via SNMP with "public" and bingo, got data out.  I connected with "private" and again got data out.  I did an SNMP walk and scanned the log and found a few things that looked like passwords in the clear, and the 2nd one I tried worked.  So while the device had a password on it, the SNMP provided the back door.  Some/most devices won't store the password in the clear, nor allow you to get it via SNMP now, but can allow you to change it via SNMP if you have read/write.

Use a tool like nmap (on Windows, Zenmap gives a GUI version) to learn about the hosts.

e.g.: From one of my boxes, it tells me a bit about the box... did I know squid was running, did I know ssh was running, is this correct....

I am sure others will have lots of good tools and ideas.

sample nmap output

Initiating NSE at 14:05
Completed NSE at 14:05, 0.44s elapsed
Host 172.18.20.1 appears to be up ... good.
Interesting ports on 172.18.20.1:
Not shown: 995 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 3.6.1p2 (protocol 1.99)
|_ sshv1: Server supports SSHv1
|  ssh-hostkey: 1024 b5:e4:d8:b2:f6:5f:5f:3d:31:41:d9:79:a5:98:a7:77 (RSA1)
|  1024 5b:13:82:47:e5:9e:fd:ee:d1:a9:8e:56:57:0e:e4:24 (DSA)
|_ 1024 ce:b8:fc:47:38:3b:f8:b5:54:fc:b3:88:81:64:88:f2 (RSA)
53/tcp    open  domain     ISC BIND 9.2.3
80/tcp    open  http-proxy Squid webproxy 2.5.STABLE5
111/tcp   open  rpcbind
|  rpcinfo:
|  100000  2    111/udp  rpcbind
|  100024  1  32768/udp  status
|  100000  2    111/tcp  rpcbind
|  100024  1  32769/tcp  status
|_ 391002  2  32770/tcp  sgi_fam
32769/tcp open  rpcbind
MAC Address: 00:0B:DB:94:A1:8C (Dell ESG Pcba Test)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.5 - 2.6.12, Linux 2.6.5 - 2.6.19, Linux 2.6.5 - 2.6.9
Uptime guess: 24.343 days (since Mon Feb 28 05:51:30 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.08 seconds
           Raw packets sent: 1020 (45.640KB) | Rcvd: 1016 (41.372KB)

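The SNMP default-community check m_walker describes above, written out as an added example (this is not code from the thread or any poster's tool): a stdlib-only Python script that builds an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) by hand in BER and sends it once per candidate community string. SNMPv1 agents silently drop a request whose community they reject, so an answer of any kind means the community was accepted and a timeout means it was not (or UDP/161 is filtered on the path). The target 192.0.2.10 and the candidate list are assumptions; the full walk m_walker did is GetNext iteration on top of the same encoding and is not shown here.

```python
"""Probe an SNMPv1 agent with candidate community strings (added example, stdlib only)."""
import socket

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    size = (value.bit_length() + 8) // 8
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for sysDescr.0 under the given community string."""
    varbind = tlv(0x30, ber_oid(SYSDESCR_OID) + tlv(0x05, b""))          # { oid, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)        # GetRequest-PDU
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def ber_parse(data: bytes, pos: int = 0):
    """Parse the element at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def parse_get_response(packet: bytes, request_id: int = 1):
    """Return (community, sysDescr or None) if packet is a GetResponse to our request,
    else None. Any GetResponse at all proves the community was accepted."""
    tag, msg, _ = ber_parse(packet)
    if tag != 0x30:
        return None
    _, _version, pos = ber_parse(msg)
    _, community, pos = ber_parse(msg, pos)
    pdu_tag, pdu, _ = ber_parse(msg, pos)
    if pdu_tag != 0xA2:                                   # GetResponse-PDU
        return None
    _, rid, pos = ber_parse(pdu)
    _, err_status, pos = ber_parse(pdu, pos)
    _, _err_index, pos = ber_parse(pdu, pos)
    if int.from_bytes(rid, "big", signed=True) != request_id:
        return None
    name = community.decode(errors="replace")
    if any(err_status):                                   # e.g. noSuchName: accepted, no value
        return name, None
    _, varbinds, _ = ber_parse(pdu, pos)
    _, varbind, _ = ber_parse(varbinds)
    _, _oid, pos = ber_parse(varbind)
    vtag, value, _ = ber_parse(varbind, pos)
    return name, (value.decode(errors="replace") if vtag == 0x04 else None)


def probe_communities(host: str, communities, port: int = 161, timeout: float = 2.0) -> dict:
    """Try each community in turn; return {community: sysDescr} for those the agent accepted."""
    accepted = {}
    for rid, community in enumerate(communities, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community, rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue          # v1 agents drop a bad community silently: not accepted
        parsed = parse_get_response(data, rid)
        if parsed is not None:
            accepted[community] = parsed[1]
    return accepted


if __name__ == "__main__":
    # Assumed target and candidate list (192.0.2.10 is a documentation address).
    for name, descr in probe_communities("192.0.2.10", ["public", "private"]).items():
        print(f"community {name!r} accepted by agent; sysDescr = {descr!r}")
```

A community that answers with read-only access already leaks the inventory m_walker found; if "private" answers as well, assume read/write and treat the device as owned until the community strings are changed and UDP/161 is restricted to the management segment.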

Assisted Solution

by: andrewglendean (earned 166 total points)
ID: 35204223
My humble opinion is that you can't do your own pen testing. This needs to be an independent assessment / test.

What your terminology needs to reflect is what is really required of your position, and that is vulnerability management.

There are plenty of solutions to help an admin gauge the security of their environments, NESSUS, GFI LANGUARD to name but a few. You need to show on a more regular basis in reporting to management your security posture. This will help drive the need for resourcing to remediate issues as they are found, and not upskilling to a pen test.

This is probably the best pragmatic way to get results and quickly reduce the number of attack vectors in your environment.

Author Comment

by:rahowell2
ID: 35204457
To all so far:

Thanks for your input.  I'm still trying to put the pieces of this puzzle together.

I'm contracted by a bank for this aforementioned issue.  Of the various agencies that do the IT evaluations, audits, examinations and reviews, I can never get a straightforward answer.  That is, yes, the auditors are doing their jobs, but the questions they pose are so vague.  And when I inquire of just exactly what they are looking for or want, I still cannot get a sensible answer.  Even the bank's officers have posed these questions for me and they still get the same thing.  The run around.

I guess that I'm looking for a systematic way to document and prove that things are working, or not working correctly, and the system/network is as secure as it can or should be, short of removing all computers from the bank and locking everyone in a windowless room.

Keep the ideas coming !!!        Thanks

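One way to get the systematic, documented proof rahowell2 asks for here, following m_walker's "form a plan to test your rules and document the results" advice, as an added example that is not from the thread: a Python script in which each allow or deny the design promises is written down as a check, probed with a plain TCP connect from the segment under test (run it from the laptop plugged into the guest wifi or the spare jack), and reported as PASS/FAIL with failures first for the audit file. A "blocked" expectation is met either by a refused connection or by a silent drop within the timeout; a "blocked" check that comes back "open" is the finding. Hosts, ports and labels in the sample plan are assumptions.

```python
"""Test a network policy against what the network actually does (added example)."""
import socket
from typing import Callable, List, NamedTuple


class Expectation(NamedTuple):
    label: str
    host: str
    port: int
    expected: str        # "open" or "blocked"


class Result(NamedTuple):
    label: str
    host: str
    port: int
    expected: str
    observed: str        # "open", "refused" or "filtered"
    passed: bool


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt: open / refused / filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"          # host answered with RST: reachable, port closed
    except OSError:
        return "filtered"         # no SYN/ACK or RST in time, or no route: dropped
    finally:
        sock.close()


def run_plan(plan: List[Expectation],
             probe: Callable[[str, int], str] = probe_tcp) -> List[Result]:
    """Probe every expectation; 'blocked' accepts both refused and filtered."""
    results = []
    for e in plan:
        observed = probe(e.host, e.port)
        if e.expected == "open":
            passed = observed == "open"
        else:
            passed = observed in ("refused", "filtered")
        results.append(Result(e.label, e.host, e.port, e.expected, observed, passed))
    return results


def failures(results: List[Result]) -> List[Result]:
    """The action list for the audit: every check the network did not pass."""
    return [r for r in results if not r.passed]


def report(results: List[Result]) -> str:
    """Plain-text table, failures first, with a one-line summary at the end."""
    lines = []
    for r in sorted(results, key=lambda r: r.passed):
        status = "PASS" if r.passed else "FAIL"
        lines.append(f"{status}  {r.label:<40} {r.host}:{r.port:<5} "
                     f"expected={r.expected:<7} observed={r.observed}")
    lines.append(f"{len(failures(results))} of {len(results)} checks failed")
    return "\n".join(lines)


# Constructed sample plan for a guest wifi segment; addresses are documentation
# ranges and stand in for the proxy, an admin server, the PIX and an outside web host.
GUEST_WIFI_PLAN = [
    Expectation("guest -> proxy (must work)",            "192.0.2.10",   3128, "open"),
    Expectation("guest -> admin server SSH",             "192.0.2.20",     22, "blocked"),
    Expectation("guest -> admin server RDP",             "192.0.2.20",   3389, "blocked"),
    Expectation("guest -> PIX management (HTTPS)",       "192.0.2.1",     443, "blocked"),
    Expectation("guest -> direct web (bypassing proxy)", "198.51.100.5",   80, "blocked"),
]

if __name__ == "__main__":
    print(report(run_plan(GUEST_WIFI_PLAN)))
```

Keep the plan file with the design document and re-run it after every firewall or ACL change; the dated reports are the evidence an examiner can follow. When a "blocked" check passes as "refused" rather than "filtered", the packet reached the host and only the host declined it, which is worth noting since the ACL that was supposed to stop it did not.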

Expert Comment

by:Tolomir
ID: 36283856
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.