DOCUMENT INFORMATION
Pages: 56
Size: 766.37 KB

Contents
From the Command Line

To run SARA from the terminal, use the following syntax:

    ./sara [options] [target target target] [target/mask_bits] [target_start-target_end]

with these options:

    -a. Attack level (0 = light, 1 = normal, 2 = heavy, 3 = extreme, 4 = custom0, 5 = custom1, and 6 = custom2; default 2)
    -A. Proximity descent (default 1)
    -c list. Change variables (list format: name = value; name = value; ...)
    -C. Apply global corrections for Reporter (in rules/correct_report)
    -d database. Data directory (default sara-data)
    -D. Run in daemon mode
    -f. Enable firewall analysis
    -F file. File of hostnames and/or IPs
    -i. Ignore existing results
    -I plugin. Ignore named plugin (-I ignores all plugins)
    -l proximity. Maximal proximity level (default 0)
    -n. Perform Nmap (host type) operating system fingerprinting (if Nmap is available)
    -o list. Scan only these (default)
    -p. Slow performance (packet density) for slow networks/hosts
    -P num. Increase performance by allowing num simultaneous processes
    -r. Generate SARA Report (see sara.cf) (command line only)
    -R. Activate timing logic in accordance with (IAW) rules/timing
    -s option. on = enable SANS Top 10/20 reporting; off = disable
    -S status_file. Pathname of the scanning status file (default status_file)
    -t level. Time-out (0 = short, 1 = medium, 2 = long; default 1)
    -T time. Start SARA at the specified time (time = day-hour:minutes[#] or time = yy/mm/dd-hour:minutes[#])
    -u. Running from an untrusted host (for rsh/nfs tests)
    -U. Running from a trusted host (for rsh/nfs tests)
    -v. Turn on debugging output
    -V. Version number
    -x list. Stay away from these (default)
    -X filename. Stay away from hosts listed in filename
    -z. When attack level becomes negative, continue at level 0
    -Z. Stop at attack level 0

Reporting

The reporting function in SARA is very simple to use. Simply click Continue with report and analysis on the output screen preceding your scan (see Figure 14.5).
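The target syntax above accepts three forms (a single host, target/mask_bits, and target_start-target_end) on the command line or, via -F, in a file. The following Python is an added example of how a scan front end can expand those tokens into the concrete address list that gets scanned; it is not code from the book or from SARA. Two details are assumptions rather than SARA behaviour: the range end may be given as just the last octet (192.168.0.48-50), and a -F file may contain blank lines and # comments.

```python
import ipaddress
import re

# A range token is two dotted-decimal numbers joined by "-"; anything else
# containing "-" (e.g. "my-host") is treated as a hostname.
_RANGE_RE = re.compile(r"^[\d.]+-[\d.]+$")
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def expand_target_spec(spec):
    """Expand one SARA-style target token into a list of address/hostname strings."""
    spec = spec.strip()
    if not spec:
        return []

    if "/" in spec:                                   # target/mask_bits
        net = ipaddress.IPv4Network(spec, strict=False)
        # /31 and /32 contain no "host" addresses in the RFC sense; scan every address.
        addrs = list(net.hosts()) if net.prefixlen < 31 else list(net)
        return [str(a) for a in addrs]

    if _RANGE_RE.match(spec):                         # target_start-target_end
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.IPv4Address(start_s)
        # Assumption: the end may be a full address or only the final octet.
        if "." not in end_s:
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        end = ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError("range end precedes start: " + spec)
        return [str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1)]

    try:                                              # a single IP address
        return [str(ipaddress.IPv4Address(spec))]
    except ipaddress.AddressValueError:
        pass
    if _HOSTNAME_RE.match(spec):                      # a hostname, left unresolved
        return [spec]
    raise ValueError("unrecognised target token: " + repr(spec))


def expand_targets(tokens):
    """Expand the command line's target tokens, dropping duplicates but keeping order."""
    seen, out = set(), []
    for tok in tokens:
        for addr in expand_target_spec(tok):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def read_target_file(text):
    """Parse the contents of a -F file: whitespace-separated tokens, blank lines
    and '#' comments ignored (comment handling is an assumption, not SARA's)."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(line.split())
    return expand_targets(tokens)


if __name__ == "__main__":
    # Constructed sample -F file content.
    sample = "192.168.0.48\n192.168.0.0/30   # constructed\nscanme.example\n"
    print(read_target_file(sample))
```

Hostnames are returned unresolved so the expansion runs offline; resolving them at scan time keeps the address list honest about which hosts actually answer, and the de-duplication matters because overlapping tokens (a host plus the range that contains it) would otherwise scan the same address twice.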
At that point, simply click to select an option from the SARA Reporting and Analysis contents screen, shown in Figure 14.6. The following contains extracts from a testing target scan.

Figure 14.5 Generating a report preceding a scan by clicking a link on the bottom of the output screen.

432 Chapter 14

Figure 14.6 Reporting and analysis options.

SARA Scan Results of sara-data

INTRODUCTION

Advanced Research Corporation was tasked to perform a Security Auditor’s Research Assistant (SARA) security scan on hosts on the sara-data sub-nets. The SARA scan was performed to identify potential security vulnerabilities in the sara-data sub-domain. The SARA scan was completed on 2002/05/31 and its scan mode was set to heavy. The version of SARA was Version 3.5.6b.

DISCUSSION

SARA is a third-generation security analysis tool that analyzes network-based services on the target computers. SARA classifies a detected service in one of five categories:
• Green: Services found that were not exploitable
• Grey: No services or vulnerabilities
• Red: Services with potentially severe exploits (account compromise)
• Yellow: Services with potentially serious exploits found (data compromise)
• Brown: Possible security problems

A total of 1 devices were detected of which 1 are possibly vulnerable. Figure 1 summarizes this scan by color, where the Green bar indicates hosts with no detected vulnerabilities. Grey indicates hosts with no services. The Red bar indicates hosts that have one or more red vulnerabilities. The Yellow bar indicates hosts that have one or more yellow vulnerabilities (but no red). And the Brown bar indicates hosts that have one or more brown problems (but no red or yellow).
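The paragraph above defines how a host's overall color is derived from its services (worst color wins, Grey when nothing was found) and how the report counts "possibly vulnerable" hosts. The following Python is an added example, not SARA's reporting code, that applies those rules to a host record and reproduces the Figure 1 summary and the Appendix B row for the scanned host; the Host structure and the sample findings are constructed from the Appendix C extract on this page.

```python
from collections import Counter
from dataclasses import dataclass, field

# Severity ordering used by the report: a host takes the colour of its worst service.
SEVERITY = ("Red", "Yellow", "Brown")
COLOURS = ("Green", "Grey", "Red", "Yellow", "Brown")


@dataclass
class Host:
    name: str
    ip: str
    host_type: str
    services: list = field(default_factory=list)   # (service, colour) pairs


def host_colour(host):
    """Classify a host: Grey if nothing was found, otherwise its worst service colour."""
    found = {colour for _, colour in host.services}
    if not found:
        return "Grey"
    for sev in SEVERITY:
        if sev in found:
            return sev
    return "Green"


def service_counts(host):
    """Per-colour service counts, as in the Appendix B sub-net table."""
    c = Counter(colour for _, colour in host.services)
    return {k: c.get(k, 0) for k in ("Green", "Red", "Yellow", "Brown")}


def summary_by_colour(hosts):
    """Figure 1: number of hosts per overall colour."""
    counts = dict.fromkeys(COLOURS, 0)
    for h in hosts:
        counts[host_colour(h)] += 1
    return counts


def possibly_vulnerable(hosts):
    """Hosts the introduction counts as 'possibly vulnerable' (any Red, Yellow or Brown)."""
    return [h.ip for h in hosts if host_colour(h) in SEVERITY]


def subnet_table(hosts):
    """Rows of the Appendix B table: name, IP, type, Green, Red, Yellow, Brown."""
    rows = []
    for h in hosts:
        sc = service_counts(h)
        rows.append((h.name, h.ip, h.host_type,
                     sc["Green"], sc["Red"], sc["Yellow"], sc["Brown"]))
    return rows


# Constructed from the Appendix C extract on this page.
SAMPLE_HOSTS = [
    Host("192.168.0.48", "192.168.0.48", "Windows", [
        ("FTP server", "Green"),
        ("Gopher server", "Green"),
        ("SMB server (IS~NTSERVER)", "Green"),
        ("WWW (hosts2-ns) server", "Green"),
        ("DNS may be vulnerable", "Brown"),
    ]),
]

if __name__ == "__main__":
    print(summary_by_colour(SAMPLE_HOSTS))
    for row in subnet_table(SAMPLE_HOSTS):
        print(row)
```

Note that a Brown host counts as possibly vulnerable even though Brown only means "SARA could not determine with certainty"; when triaging a large report, sort by the host colour first and treat Brown as a queue of version checks to perform by hand, not as confirmed findings.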
Figure 1 Host Summary by Color
    Green   0
    Grey    0
    Red     0
    Yellow  0
    Brown   1

The SARA scan results are distributed as five appendices to this paper:
• Appendix A: Previous scan results
• Appendix B: Sub-net tables depicting hosts, host-types, and vulnerability counts
• Appendix C: Details on the hosts reported
• Appendix D: Vulnerabilities sorted by severity
• Appendix E: Description of the vulnerabilities

Appendices are hyper-linked to assist the reader in navigating through this report. The report includes information on all non-Windows hosts that have one or more vulnerabilities. In addition, Windows hosts that have Red and/or Yellow vulnerabilities are also included.

RECOMMENDATION

The identified hosts should be analyzed immediately.

Appendix A

N/A

Appendix B SARA Scan Summary

Table 1 Hosts on Sub-net 192.168.0
    Host Name     IP Address    Host Type  Green  Red  Yellow  Brown  FP
    192.168.0.48  192.168.0.48  Windows    4      0    0       1      0

Appendix C Scan Details

Host: 192.168.0.48
General host information:
Host type: Windows
• Subnet 192.168.0
• FTP server (GREEN)
• Gopher server (GREEN)
• SMB server (IS~NTSERVER) (GREEN)
• WWW (hosts2-ns) server (GREEN)
Vulnerability information:
DNS may be vulnerable (BROWN)

Appendix D Vulnerability List by Severity

Possible Vulnerabilities (BROWN)
192.168.0.48: (DNS may be vulnerable)

Appendix E Vulnerability Tutorials

Tutorial: Possible_DNS_vulnerabilities.html

DNS Vulnerabilities

Impact
There are numerous vulnerabilities in Domain Name Servers (DNS) that are documented in the CERT Advisories. The two principal areas are:
• A remote intruder can gain root-level access to your name server.
• A remote intruder is able to disrupt normal operation of your name server.

Problems
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request.
An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges.

BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check many memory references in the server and the resolver. An improperly or maliciously formatted DNS message can cause the server to read from invalid memory locations, yielding garbage record data or crashing the server. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking.

BIND 4.9 releases and BIND 8 releases prior to 8.2.2 Patch 5 have a variety of security issues. You can review them and BIND Security.

Resolutions
The SARA test could not determine the version number of your DNS server. Contact your vendor to confirm that your DNS server is not vulnerable.

According to the product’s documentation, entitled Analyzing SARA Output, learning how to effectively interpret the results of a SARA scan is the most difficult part about using SARA. This is partly because there is no “correct” security level. “Good” security is very much dependent on the policies and concerns of the site or system involved. In addition, some of the concepts used in SARA (such as why trust and network information can be so damaging) and many of the options that can be chosen (like proximity, proximity descent, attack filters, etc.) will not be very familiar to many system administrators. It is important to read and understand the documentation to use the tool effectively.

In the reports, if there is a host listed with a red dot • next to it, that means the host has a vulnerability that could compromise it. A black dot • means that no vulnerabilities have been found for that particular host yet. Clicking on hyperlinks will give you more information on that host, network, piece of information, or vulnerability, just as expected.
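The DNS tutorial in Appendix E lists three BIND version ranges and then, under Resolutions, says the scan could not determine the server's version, leaving the Brown finding for the administrator to resolve. The Python below is an added example, not part of the book or of SARA, of the follow-up check an administrator would run once the version string is known (for instance from the vendor, the package manager, or a version.bind reply): it parses the string and reports which of the listed problems cover it. The problem labels and the RED/BROWN/GREEN verdict mapping are my own summary of the tutorial text, and the sample strings are constructed.

```python
import re

# Accepts "4.9.6", "8.1.2", "8.2.2-P5", "8.2.2 Patch 5", and strings that carry a
# vendor suffix after the number (only the leading version is read).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-_ ]?(?:patch\s*|p)(\d+))?", re.IGNORECASE)


def parse_bind_version(text):
    """Return (major, minor, patch, patchlevel), or None when the version cannot be read."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, level = m.groups()
    return (int(major), int(minor), int(patch or 0), int(level or 0))


def _pre_497_or_pre_812(v):
    return (v[:2] == (4, 9) and v < (4, 9, 7, 0)) or (v[0] == 8 and v < (8, 1, 2, 0))


# Version ranges as stated in the Problems section of the tutorial above.
PROBLEMS = [
    ("inverse-query bounds check: crash or root compromise over TCP",
     _pre_497_or_pre_812),
    ("message bounds checks: invalid memory reads, garbage records or crash",
     _pre_497_or_pre_812),
    ("assorted security issues fixed in 8.2.2 Patch 5 (all 4.9 releases affected)",
     lambda v: v[:2] == (4, 9) or (v[0] == 8 and v < (8, 2, 2, 5))),
]


def affected_problems(version_text):
    """Problems whose version range covers this server, or None if the version is
    unreadable (the report's own advice then applies: confirm with the vendor)."""
    v = parse_bind_version(version_text)
    if v is None:
        return None
    return [label for label, hit in PROBLEMS if hit(v)]


def triage(version_text):
    """One-line verdict; the colour words mirror the report's categories (assumed mapping)."""
    hits = affected_problems(version_text)
    if hits is None:
        return ("BROWN", "version not determined; contact vendor")
    if hits:
        return ("RED", "; ".join(hits))
    return ("GREEN", "outside the listed vulnerable ranges")


if __name__ == "__main__":
    # Constructed sample version strings.
    for sample in ("4.9.6", "8.2.2-P3", "8.2.2 Patch 5", "unknown"):
        print(sample, "->", triage(sample))
```

A GREEN verdict is only as trustworthy as the string it was derived from: version.bind is administrator-settable and is often blanked or faked, which is exactly why the scanner could not determine it. Treat the package or build record on the host as authoritative, and keep the comparison tuple-based as above so that "8.2.2-P3" sorts below "8.2.2-P5" rather than being compared as text.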
Each service will be preceded by one of the following:
• The service was not found to be vulnerable.
• The service has serious vulnerabilities. Compromise of data and/or accounts is probable!
• The service has vulnerabilities that could assist the hacker.
• The service may be vulnerable to exploit but SARA cannot determine with certainty.

From the control panel in the HTML interface, select SARA Reporting & Data Analysis. You will then be prompted with a wealth of choices; when first learning to use the tool, the Vulnerabilities section will probably be the one of most immediate interest. In that section, the By Approximate Danger Level link is a good place to start. If you find no warnings there, congratulations! Note that this does NOT mean that your host is secure—it simply means that SARA could not find any problems. You might try scanning your targets at a higher level and check this again; in any case, you should investigate the other categories (Hosts and Trust) in the reporting page.

The best way to learn what SARA can do for you is by using it—scanning networks and examining the results with the Report and Analysis tools can reveal interesting things about your network. Remember, anyone has access to this information, so act accordingly!

Reading, or at least browsing through, the full documentation is strongly recommended—this tutorial merely covered the very basic capabilities of SARA. A wealth of possible options can be used to unleash SARA’s full potential. Be careful, however, because it is easy to unwittingly make your neighbors think that you’re trying to attack them with the scans—always be certain that you have permission to scan any potential hosts that you’re thinking of testing.
PART IV
Vulnerability Assessment

Remember that good security examinations comply with the vulnerabilities posted by alert organizations, such as the CERT Coordination Center, the SANS Institute (Incidents-Org), BugTraq (SecurityFocus Online), and RHN Alert. Such examinations include the tools necessary for performing scans against PC systems, servers, firewalls, proxies, switches, modems, and screening routers to identify security vulnerabilities. The single chapter in this part offers a cumulative vulnerability assessment of a testing target network from both remote and internal access points. We’ll use only the tools mentioned in this text that are marketed as vulnerability assessment scanners, namely, CyberCop Scanner, Internet Scanner, STAT Scanner, Nessus Security Scanner, SAINT, and SARA.

NOTE Neither the eEye Digital Security’s Retina Network Security Scanner nor the Symantec Corporation’s NetRecon were available for evaluation as of this writing. Visit www.TigerTools.net to see their results from this vulnerability assessment.

Our Tiger Box will consist of dual-boot Windows 2000 Professional and Red Hat Linux operating systems. We’ll assume that discovery or fingerprinting of our target network components was achieved accurately by using Nmap, hping/2, and TigerSuite products—each covered in previous chapters.

[...]

...1) all services which you don’t plan to use. Remember: You need to not only protect against known vulnerabilities, but also the possibility that some newly discovered vulnerability will affect your system. If a particular service is not enabled, no one can use it to break into your system.
• For those services you wish to provide, consider restricting their use to known friendly sites, and/or logging their...
...indicate that you wish to log both successful and failure information (as shown in the Figure).

Comparative Analysis

• Improve Password Security. Password security is the first and most powerful line of defense. Password security on Unix systems can be improved by doing the following (refer to Reference 1, Chapter 10 for examples):
  1. Check password policies: Review your password policy to confirm that some...

...program->Services. Many services install into the powerful System account and can therefore completely subvert security. However, many services don’t need the following security-sensitive rights, any one of which can completely subvert system security:
  • Backup files and directories
  • Restore files and directories
  • Act as part of the operating system
  • Create a token object
  • Debug programs
  • Load...

...(checklist table, continued; columns are Important Actions and Resource)
  ...non-required services                          SARA
  Limit access to services                          Administrator Action
  Secure Anonymous FTP                              Administrator Action
  Web Services (IIS): Securing the Web Server
  Confirm IIS has latest security patch             Administrator Action
  Follow Microsoft IIS Security Checklist           Administrator Action
  Confirm FrontPage extensions are secure           Administrator Action
  Patch and restrict Cold Fusion                    Administrator Action
  Important Actions                                 Resource...

...for the system administrator of one or more Windows NT Server systems. Where possible, automated tools have been identified that will greatly simplify the execution of this checklist. Tools include:
  • SARA: Open Source (pending) network assessment tools for security auditing
  • NTLAST: NT access auditing tool
  • VirusScan: Enterprise virus scanning solution
  • C2CONFIG: Microsoft Security “Hardening” program...
...less

• Administrator Rights. The Administrator account is a member of the built-in local Administrators group and has virtually unlimited control over the NT system (review Reference 1, Chapter 5 for more information). The following should be performed to safeguard this account:

451 Chapter 15

  1. Rename the Administrator Account: Change the name of the Administrator account to conform to the naming convention...

...(checklist table, continued; columns are Important Actions and Resource)
  ...password policies                              Administrator Action
  Remove old accounts                               Administrator Action
  Check accounts with no passwords                  SARA, Administrator Action
  Use password-protected screen savers              Administrator Action
  Administrator Rights: Protecting system privileges
  Rename Administrator Account                      Administrator Action
  Check who is using Admin                          NTLAST
  Confirm password is “bulletproof”                 Administrator Action
  Network Services:...

...service needs to run on a system, it is best to assign a complete disk partition as the FTP store, and to make only that partition accessible via FTP.
  2. ...

• Web Services. This section pertains to the Microsoft Internet Information Server (IIS). Refer to vendor documentation for non-Microsoft Web servers.
  1. Confirm that IIS has latest security patch: Recently, there have been several successful security exploits...

...0 to login directly. At all other terminals the user will need to login as a normal user and then su to root. Marking terminals as unsecured is a good idea, although not necessary. Example /etc/ttytab:

    console "/usr/etc/getty std.9600"  sun     on  local unsecure
    ttya    "/usr/etc/getty std.9600"  vt100   off local unsecure
    ttyd0   "/usr/etc/getty std.19200" dialup  on  unsecure
    tty00   "/usr/etc/getty std.9600"  unknown...
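The /etc/ttytab example above shows every terminal marked unsecure, so root cannot log in directly anywhere and must su from a normal account. The following Python is an added audit check, not from the book or the ARC checklist, that parses ttytab-style lines and reports any terminal still flagged secure outside an allowed set, plus enabled terminals with neither flag (which the text calls a good idea to mark explicitly). The sample file is constructed from the page's lines with two extra entries (ttyb, ttyp0) added to exercise both checks; the parser assumes the SunOS layout name, command, type, status, flags.

```python
import shlex


def parse_ttytab(text):
    """Parse /etc/ttytab-style lines into dicts: name, command, type, status, flags."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 4:          # blank, comment, or truncated line
            continue
        name, command, ttype, status, *flags = fields
        entries.append({"name": name, "command": command, "type": ttype,
                        "status": status, "flags": set(flags)})
    return entries


def audit_ttytab(text, allowed_secure=()):
    """Report terminals marked 'secure' (root may log in directly there) outside the
    allowed set, and enabled terminals carrying neither 'secure' nor 'unsecure'.
    With the page's example the allowed set is empty: even the console is unsecure."""
    secure, unflagged = [], []
    for e in parse_ttytab(text):
        if "secure" in e["flags"] and e["name"] not in allowed_secure:
            secure.append(e["name"])
        elif e["status"] == "on" and not e["flags"] & {"secure", "unsecure"}:
            unflagged.append(e["name"])
    return {"secure": secure, "unflagged": unflagged}


# Constructed: the page's example lines plus two added to exercise the checks.
SAMPLE_TTYTAB = """\
# constructed sample /etc/ttytab
console "/usr/etc/getty std.9600"  sun     on  local unsecure
ttya    "/usr/etc/getty std.9600"  vt100   off local unsecure
ttyd0   "/usr/etc/getty std.19200" dialup  on  unsecure
ttyb    "/usr/etc/getty std.9600"  vt100   on  local secure
ttyp0   none                       network on
"""

if __name__ == "__main__":
    print(audit_ttytab(SAMPLE_TTYTAB))
    print(audit_ttytab(SAMPLE_TTYTAB, allowed_secure=("console",)))
```

Run it against the real file on each host from the checklist and treat any name in the "secure" list as a finding to justify or remove; pseudo-terminals like ttyp0 are the usual source of unflagged entries, and on the SunOS-era format they inherit the default, so flagging them explicitly keeps the policy visible in the file itself.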
...SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it. Intruders can use such information to pick targets and plan attacks.

NT and *NIX Auditing Checklists

To ensure fortified system defenses, the ARC has developed the following Windows NT and Unix auditing checklists for security...