Assessing Vulnerabilities
ISA 4220 Server Systems Security
Sr. Security Analyst
Cincinnati Bell Technology Solutions
Vulnerability Scanning
• Host and Service Enumeration
▫ Port Scanning (nmap, scanline)
▫ SNMP Scanning (Solarwinds, onesixtyone,
▫ NetBIOS Scanning (browsat, net view, nbtscan)
Network Mapper (nmap)
• Latest stable version is 5.51.
• More than a port scanner
▫ Service and OS Identification
▫ Traceroute
▫ Nmap Scripting Engine
 177 scripts for vulnerability discovery, Windows enumeration, fuzzing, & more.
 Write your own!
• Additional tools: Zenmap GUI, Ndiff, Ncat, &
Nmap Reporting
• Nmap generates three file types (nmap, gnmap, xml):
▫ results.nmap: log file that is the same as the screen output (with verbose turned off).
▫ results.gnmap: output for each host found is placed on one line so grep can be used for simple shell script parsing.
▫ results.xml: used for advanced report generation and loading into a database.
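The one-host-per-line layout of the gnmap file is what makes it script-friendly. As an added example (not code from the slides), the Python below parses a constructed .gnmap sample into per-host port records and answers the questions a scan reviewer actually asks: which ports are open, and which hosts expose a given service. Python is used here rather than grep because the same parse can feed a report; the function names and the sample scan data are my own.

```python
import re

# Constructed sample of Nmap grepable (.gnmap) output; it is not from a real scan.
# Each "Ports:" entry is port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 5.51 scan initiated Thu Mar 10 09:00:00 2011 as: nmap -sV -oA results 10.0.0.0/24
Host: 10.0.0.5 (web.example.test)\tStatus: Up
Host: 10.0.0.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
# Nmap done at Thu Mar 10 09:00:12 2011 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Matches only the "Ports:" line of a host; the separate "Status:" line is ignored.
PORTS_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} from .gnmap text."""
    hosts = {}
    for line in text.splitlines():
        match = PORTS_LINE.match(line)
        if not match:
            continue
        ip, hostname, ports_field = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for item in ports_field.split(", "):
            fields = item.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip it rather than abort the whole report
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entry["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version,
            })
    return hosts


def open_ports(host_entry):
    """Ports whose state is 'open' or 'open|filtered' (UDP scans rarely report plain 'open')."""
    return [p for p in host_entry["ports"] if p["state"].startswith("open")]


def hosts_exposing(hosts, service):
    """IPs that have the named service on an open port, e.g. 'snmp' for UDP 161."""
    return sorted(ip for ip, entry in hosts.items()
                  if any(p["service"] == service for p in open_ports(entry)))


def report_lines(hosts):
    """One line per open port: the compact listing a reviewer will actually read."""
    lines = []
    for ip in sorted(hosts):
        entry = hosts[ip]
        name = entry["hostname"] or "-"
        for p in open_ports(entry):
            lines.append(f"{ip:<12} {name:<20} {p['port']}/{p['proto']:<4} "
                         f"{p['state']:<14} {p['service']:<8} {p['version']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(parse_gnmap(SAMPLE_GNMAP))))
```

Closed ports are kept in the parsed data but dropped from the listing; `hosts_exposing(hosts, "snmp")` is the programmatic form of the "look for open UDP port 161" check from the SNMP slides.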
Scanline
• Simple, free, standalone Windows port scanner.
▫ Requires no installation.
▫ Perfect for upload to a compromised machine to scan internally.
▫ Conducts banner grabbing for port identification.
▫ Runs slow, output is horrible, shows only if a port is open, and no advanced features.
• Originally created by Foundstone Tools, now owned by McAfee.
Solarwinds SNMP Sweep
• Part of the commercial Engineer’s Toolset (starting at $1390).
▫ You will have to ask your company Networking
group very nicely if you can use one of the
▫ Very easy to use GUI tools for SNMP scanning and
▫ MS Excel compatible reporting features.
Open Source SNMP Scanning
• Nmap
▫ Look for open UDP port 161
• onesixtyone
▫ Community string dictionary attack
▫ Obtain detailed host information for Windows, Linux, and Cisco
Nessus
• Formerly an open source vulnerability scanner. The product went closed source with version 3.0 but was still free for commercial use. With version 4.0 you have to obtain a license to use the product for commercial purposes.
• The current version, Nessus 4.4, is still free for educational purposes and home use.
Nikto
• Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.
• Latest version is 2.1.4 (2.20.2011)
• Video for integrating Nikto with Nessus
Web Application Attack and Audit Framework
• The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
• Open Source alternative to commercial tools HP
Web Inspect, IBM Appscan, Acunetix, and Burp
Report Generation
• Most scanners include their own report generation. However, even for expensive commercial tools, the generated reports contain a mountain of information. No IT staff will read a 100-200 page report on the application or database vulnerabilities.
• Most scanners allow you to export the report information in XML format. You can then parse the information, load it into a database, and generate your own reports.
Parsing XML with Perl or PHP
• XML can be parsed with your favorite scripting or programming language (Perl, PHP, Python, Ruby, Java, etc).
▫ I’m sure you can do this with Windows scripting languages but I know NOTHING about this.
• Examples will be given in Perl and PHP.
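The slides promise Perl and PHP examples; the following is an added example in Python (one of the languages listed above), not the author's code, covering both the "parse XML, load into a database, generate your own report" workflow and the results.xml output format described under Nmap Reporting. It reads a constructed Nmap XML sample (the nmaprun/host/address/ports element layout is the one Nmap emits), loads it into SQLite, and produces the one-line-per-host summary that replaces a 200-page report. The table names and helper functions are my own choices.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output for two hosts; it is not from a real scan.
SAMPLE_XML = """
<nmaprun scanner="nmap" version="5.51" args="nmap -sV -oA results 10.0.0.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Schema chosen for this example: one row per host, one row per (host, port, protocol).
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (ip TEXT PRIMARY KEY, hostname TEXT);
CREATE TABLE IF NOT EXISTS ports (
    ip TEXT, port INTEGER, proto TEXT, state TEXT,
    service TEXT, product TEXT, version TEXT,
    PRIMARY KEY (ip, port, proto));
"""


def load_nmap_xml(xml_text, conn):
    """Insert every host/port from the XML into the database; returns the number of port rows."""
    conn.executescript(SCHEMA)
    root = ET.fromstring(xml_text)
    rows = 0
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # entries without an IPv4 address are out of scope for this report
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?, ?)",
                     (ip, hn.get("name") if hn is not None else ""))
        for port in host.iter("port"):
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            conn.execute("INSERT OR REPLACE INTO ports VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (ip, int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"),
                          get("name"), get("product"), get("version")))
            rows += 1
    conn.commit()
    return rows


def open_port_summary(conn):
    """One line per host listing its open ports with product/version where Nmap identified one."""
    cur = conn.execute("""
        SELECT h.ip, h.hostname, p.port, p.proto, p.service, p.product, p.version
        FROM hosts h JOIN ports p ON p.ip = h.ip
        WHERE p.state LIKE 'open%'
        ORDER BY h.ip, p.proto, p.port""")
    by_host = {}
    for ip, hostname, port, proto, service, product, version in cur:
        label = f"{port}/{proto} {service}"
        if product:
            label += f" ({product} {version})".replace(" )", ")")
        by_host.setdefault((ip, hostname), []).append(label)
    return [f"{ip:<12} {hostname or '-':<20} {', '.join(labels)}"
            for (ip, hostname), labels in by_host.items()]


def hosts_with_service(conn, service):
    """IPs exposing the named service on an open port (e.g. 'snmp' for UDP 161)."""
    cur = conn.execute(
        "SELECT DISTINCT ip FROM ports WHERE service = ? AND state LIKE 'open%' ORDER BY ip",
        (service,))
    return [row[0] for row in cur]


def report_from_xml(xml_text):
    """Load the XML into an in-memory database and return the derived report pieces."""
    conn = sqlite3.connect(":memory:")
    loaded = load_nmap_xml(xml_text, conn)
    return {
        "ports_loaded": loaded,
        "summary": open_port_summary(conn),
        "snmp_hosts": hosts_with_service(conn, "snmp"),
    }


if __name__ == "__main__":
    print("\n".join(report_from_xml(SAMPLE_XML)["summary"]))
```

Pointing `sqlite3.connect` at a file instead of `:memory:` keeps results across scans, and the `INSERT OR REPLACE` keys mean re-loading a later scan of the same hosts updates rows rather than duplicating them; the same loader works unchanged against a MySQL database on the LAMP appliance described below by swapping the connection module.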
Parsing XML with Perl or PHP
• Linux, Apache, MySQL and PHP, Perl, or Python (LAMP) creates an environment for custom report generation.
• Many virtual images/appliances exist allowing an easy way to get the environment you need to process XML output.
▫ Turnkey LAMP Appliance
Turnkey LAMP Appliance
• Download the VMware appliance from the Turnkey website.
• Open the appliance in the free VMware Player or VirtualBox.
• When the image boots it will ask you to set the system root password and the MySQL root password.
• The image will then assist you in configuring network access.
Helpful Links!
Using Nmap
Using Nessus
Using Metasploit
Top 100 Network Security Tools
• James A. Edge Jr.
• Email: [email protected]
• Web: