[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?
Michael Carson
mikecarson at usa.net
Wed Nov 21 15:28:32 EST 2001
Raven, corporate courtesan wrote:
>
> When nmapping a system, always do it from another external
> system. That way (as long as your external system is trusted) you know
> you're getting the real output. Nmap has some other useful options you
> may want to check out as well as the basic portscan -- read the man page
> for details. OS fingerprinting, etc -- exactly the sorts of things that
> hackers do when determining how to attack your system.
>
Another tool you might find useful is Nessus (http://www.nessus.org).
It's an open-source remote vulnerability scanner, and the best one
I've seen. It's not perfect, as it will get some false positives, can't
possibly know about every remote exploit known to man, can't detect
local exploits and can't put 2+2 together in cases where seemingly minor
problems combine in nasty ways.* Disclaimers aside, it's a very useful
tool if used within its limitations. It uses nmap to determine what
ports are open, and then tries a (user-controllable) barrage of security
tests against known vulnerabilities and common misconfigurations.
Network Computing ran a head-to-head test of a bunch of these scanners,
and Nessus came out on top, with 15 of 17 configured vulnerabilities
detected. NC notes that missing even one is a serious problem, which is
true, but, as they go on to say, Nessus is still a powerful, worthy
addition to your toolbelt.
C.
* For example, I saw a web server that had the httpd directory exported
via NFS. Nessus reported the existence of the web server, and of the
NFS exports (flagging the fact that they were exported rw to the world
as a vulnerability). Alone, these would only be file exposure
vulnerabilities. However, what it couldn't determine on its own is
that since I could *write* to the cgi-bin directory, I could put a
script there to run whatever I wanted, and then run it using the web
server: effectively local access. From there, I was able to exploit a
local root vulnerability (I don't remember which one, it was a
pre-compiled local buffer overflow) and use netcat back out through
their firewall to give myself a two-way, root interactive shell.
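As an added example, not code from the post above and not part of Nessus or nmap, here is a small Python script that does the "2+2" step the footnote says a scanner won't do for you: it takes per-host findings (a web server on one port, NFS exports on another) and flags the combination of a world-writable export of a web tree on a host that also serves HTTP. The finding layout, the plugin names (`http_server`, `nfs_export`), the path hints used to guess a web tree, and the sample hosts are all constructed for illustration; real Nessus output looks different and would need its own parser.

```python
"""Correlate scanner findings so that two 'minor' issues on one host
are reported as the chain they actually form.

Added example, not code from the original post and not Nessus code.
The Finding layout, plugin names and sample data below are assumptions
made for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str   # hypothetical short plugin name, not a real Nessus ID
    detail: str   # free-text detail as a scanner might report it


# Constructed sample modelled on the situation in the post: host .5 runs
# a web server and exports its httpd tree rw to the world. The other two
# hosts each show only one half of the chain and must not be flagged.
SAMPLE = [
    Finding("10.0.0.5", 80,   "http_server", "Apache/1.3.20"),
    Finding("10.0.0.5", 2049, "nfs_export",  "/usr/local/apache exported rw to *"),
    Finding("10.0.0.5", 2049, "nfs_export",  "/home exported ro to 10.0.0.0/24"),
    Finding("10.0.0.6", 2049, "nfs_export",  "/export/www exported rw to *"),
    Finding("10.0.0.7", 80,   "http_server", "Apache/1.3.20"),
]

# Assumed detail format: "<path> exported <rw|ro> to <clients>"
EXPORT_RE = re.compile(
    r"^(?P<path>/\S*) exported (?P<mode>r[wo]) to (?P<clients>\S+)$"
)
# Heuristic path fragments that suggest an export contains web content.
WEB_TREE_HINTS = ("apache", "httpd", "www", "htdocs", "cgi-bin")


def parse_export(detail):
    """Return (path, mode, clients) from an nfs_export detail, or None."""
    m = EXPORT_RE.match(detail)
    if not m:
        return None
    return m.group("path"), m.group("mode"), m.group("clients")


def world_writable_exports(findings):
    """Yield (host, path) for every export writable by any client ('*')."""
    for f in findings:
        if f.plugin != "nfs_export":
            continue
        parsed = parse_export(f.detail)
        if parsed is None:
            continue
        path, mode, clients = parsed
        if mode == "rw" and clients == "*":
            yield f.host, path


def looks_like_web_tree(path):
    p = path.lower()
    return any(hint in p for hint in WEB_TREE_HINTS)


def rule_nfs_web_chain(by_host):
    """World-writable export of a web tree on a host that also serves HTTP:
    an attacker can drop a CGI script over NFS and run it over HTTP."""
    out = []
    for host, findings in by_host.items():
        if not any(f.plugin == "http_server" for f in findings):
            continue
        for _, path in world_writable_exports(findings):
            if looks_like_web_tree(path):
                out.append({
                    "host": host,
                    "path": path,
                    "severity": "high",
                    "why": "writable NFS export of web tree + HTTP server: "
                           "remote code execution via planted CGI script",
                })
    return out


RULES = [rule_nfs_web_chain]  # add further chain rules here


def correlate(findings):
    """Group findings per host and run every chain rule over them."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    chained = []
    for rule in RULES:
        chained.extend(rule(by_host))
    return chained


if __name__ == "__main__":
    for c in correlate(SAMPLE):
        print(f"{c['host']} {c['severity']}: {c['path']} ({c['why']})")
```

The scanner's own findings stay as they are; the rule only adds a combined finding for hosts where both halves are present, so 10.0.0.6 (writable export, no web server) and 10.0.0.7 (web server, no export) are left alone. Whether a path heuristic like this is good enough depends on how the site lays out its web tree; the safer check is to confirm from the mounted export that the directory really is the one the web server executes from.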