[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?

Michael Carson mikecarson at usa.net
Wed Nov 21 15:28:32 EST 2001

Raven, corporate courtesan wrote:

>	When nmapping a system, always do it from another external
>system.  That way (as long as your external system is trusted) you know
>you're getting the real output.  Nmap has some other useful options you
>may want to check out as well as the basic portscan -- read the man page
>for details.  OS fingerprinting, etc -- exactly the sorts of things that
>hackers do when determining how to attack your system.

   Another tool you might find useful is Nessus (http://www.nessus.org).
It's an open-source remote vulnerability scanner, and the best one
I've seen.  It's not perfect, as it will get some false positives, can't
possibly know about every remote exploit known to man, can't detect
local exploits and can't put 2+2 together, in cases where seemingly minor
problems combine in nasty ways.*  Disclaimers aside, it's a very useful
tool if used within its limitations.  It uses nmap to determine what
ports are open, and then tries a (user controllable) barrage of security
tests against known vulnerabilities and common misconfigurations.
Network Computing ran a head-to-head test of a bunch of these scanners,
and Nessus came out on top, with 15 of 17 configured vulnerabilities
detected.  NC notes that missing even one is a serious problem, which is
true, but, as they go on to say, Nessus is still a powerful, worthy
addition to your toolbelt.


* For example, I saw a web server that had the httpd directory exported
via NFS.  Nessus reported the existence of the web server, and of the
NFS exports (flagging the fact that they were exported rw to the world
as a vulnerability).  Alone, these would only be file exposure
vulnerabilities.  However, what it couldn't determine on its own is
that since I could **write** to the cgi-bin directory, I could put a
script there to run whatever I wanted, and then run it using the web
server, effective local access.  From there, I was able to exploit a
local root vulnerability (I don't remember which one, it was a
pre-compiled local buffer overflow) and use netcat back out through
their firewall to give myself a two-way, root interactive shell.
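The footnote's point is that a scanner reports each finding in isolation, so the combination (a world-writable NFS export that happens to contain the web server's cgi-bin) has to be checked for by hand. The following is an added example of such a check, not code from the original post or from Nessus; the exports text and the web server paths are constructed sample input, and it assumes exports(5) syntax.

```python
# Added example (not from the original post): flag NFS exports that are
# writable by any host and cover a web server path such as cgi-bin.
# The exports text and web paths below are constructed sample input.
import re
from pathlib import PurePosixPath

SAMPLE_EXPORTS = """\
# constructed /etc/exports sample
/home           192.168.1.0/24(rw,sync)
/var/www        *(rw,no_root_squash)
/srv/pub        (ro)
/opt/data       host1(rw) host2(ro)
"""

# Constructed web server paths (what you would take from DocumentRoot /
# ScriptAlias in httpd.conf on a real system).
SAMPLE_WEB_PATHS = ["/var/www/html", "/var/www/cgi-bin"]


def parse_exports(text):
    """Yield (path, client, options) for every client clause in exports(5) syntax."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clauses = parts[0], parts[1:]
        for clause in clauses:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", clause)
            client = m.group(1) or "*"          # empty client means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def find_web_writable_exports(exports_text, web_paths):
    """Return findings for world-writable exports that contain a web server path."""
    findings = []
    for path, client, opts in parse_exports(exports_text):
        if client != "*" or "rw" not in opts:
            continue                            # host-restricted or read-only
        for web in web_paths:
            if PurePosixPath(web).is_relative_to(PurePosixPath(path)):
                findings.append({"export": path, "web_path": web,
                                 "no_root_squash": "no_root_squash" in opts})
    return findings


if __name__ == "__main__":
    for f in find_web_writable_exports(SAMPLE_EXPORTS, SAMPLE_WEB_PATHS):
        print("world-writable export covers web path:", f)
```

Each finding names the export and the web path it contains, so the overlap the scanner could not see is surfaced directly; `no_root_squash` is recorded because it makes the same export worse.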
