Vulnerability Assessment Planning Guide
P1: Conduct the Assessment

| Assessment Functions | Objectives | Key Activities | Recommended Tools | Tool Description | Example |
|---|---|---|---|---|---|
| Planning and Preparation | Gather all relevant information and define "black-out" dates/times not available for testing | Defining the scope: activities, users and systems (tells us where to look). Important: define who is and who is not informed. | Enum4linux | Enum4linux is an enumeration utility. Using null sessions, it can retrieve user lists, machine lists, share lists, name lists, group and member lists, and password and LSA policy information. It is also capable of a rudimentary brute-force dictionary attack on individual accounts. | https://labs.portcullis.co.uk/tools/enum4linux/ |
| | | Defining roles and responsibilities, and making others aware through the change management process. Important: prior to any penetration test engagements, legal documents protecting the penetration testers and their company must be signed. (SANS, 2002) | | | |
| Performing | | Interviewing and testing system administrators and other key stakeholders | SET (ReL1K) | The Social Engineer Toolkit v1.0 release, code-named Devolution, is a suite of custom tools focused solely on attacking the human element of penetration testing. SET uses BackTrack as the framework for penetration testing. SET was written by David Kennedy, who is also known by the nickname ReL1K. Complete details on the Social Engineer Toolkit are available at http://www.social-engineer.org | http://www.computerweekly.com/tutorial/Social-Engineer-Toolkit-SET-tutorial-for-penetration-testers |
| | | Reviewing appropriate policies and procedures relating to the systems being assessed. Compliance with policies includes password (E2R, H2C), | John the Ripper | John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. | |
| | | Network security scanning. The goal here is to find the number of systems that are reachable. The expected results from a network survey should consist of domain names, server names, Internet service provider information, IP addresses of the hosts involved, and a network map. (SANS, 2002) | nmap | Nmap is a utility for network discovery and security auditing. It can scan large networks or single hosts quickly and accurately, determining which hosts are available, what services each host is running, and which operating system is in use. | http://www.insecure.org/nmap |
| | | Web server scanning | Nikto2 | Nikto2 is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. | |
| | | Wireless scan | aircrack-ng | Aircrack-ng is the most popular and widely known wireless password cracking tool, used around the globe to crack 802.11 WEP and WPA-PSK keys. | |
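The network-survey deliverables listed for nmap (reachable hosts, their names, running services and operating system) can be pulled straight out of nmap's XML report rather than read off the console. This is an added example, not code from the guide; the XML below is a constructed sample that follows the layout of nmap's standard `-oX` output.

```python
"""Summarise nmap XML output into the network-survey fields: each reachable host's
IP, names, open services and OS guess. Added example; the XML is a constructed sample."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  </host>
</nmaprun>"""

def summarize_nmap(xml_text):
    """Return one dict per host that answered, with the survey fields filled in."""
    root = ET.fromstring(xml_text)
    survey = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond are not 'reachable systems'
        addr = host.find("address[@addrtype='ipv4']")
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports count as running services
            svc = port.find("service")
            label = "%s/%s" % (port.get("portid"), port.get("protocol"))
            if svc is not None:
                label += " " + " ".join(filter(None, (svc.get(k) for k in ("name", "product", "version"))))
            services.append(label)
        os_match = host.find("os/osmatch")
        survey.append({
            "ip": addr.get("addr") if addr is not None else None,
            "names": [h.get("name") for h in host.iter("hostname")],
            "services": services,
            "os": os_match.get("name") if os_match is not None else "unknown",
        })
    return survey
```

The same function runs unchanged over a real `-oX` file read from disk; hosts marked down are dropped so the result is the list of reachable systems the survey asks for.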
P2: Identify Exposures

| Assessment Functions | Key Activities | Responsible | Description |
|---|---|---|---|
| | Review resulting data from the assessment phase | VA Team | |
| | Identify points of accountability from the resulting data | VA Team | Develop an assessment of the results by tying them back to the business activities. Additionally, an estimate of false positives will be provided. |
| | Conduct enterprise-wide risk analysis and report to the Leadership Team | VA & Leadership Teams | An executive read-out will be developed to show the risks and exposure discovered during the VA. This will be followed by analysis and commentary on critical vulnerabilities that exist in the network or systems, separating the critical few from the trivial many. |
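An added example, not from the guide, of how the P2 steps fit together in code: findings are scored against a business asset register (constructed data), split into the critical few and the trivial many at an assumed cut-off, tied to accountable owners, and a false-positive estimate is extrapolated from the findings analysts have already validated.

```python
"""Score VA findings against a business asset register, split the critical few from
the trivial many, tie them to owners and estimate false positives. Added example, constructed data."""

# Constructed asset register: each host maps to a business activity, an
# accountable owner and a criticality weight (1 = low, 3 = essential).
ASSETS = {
    "web01": {"activity": "Online ordering", "owner": "E-commerce team", "criticality": 3},
    "dm02": {"activity": "Sales reporting", "owner": "BI team", "criticality": 2},
    "prn07": {"activity": "Office printing", "owner": "Facilities", "criticality": 1},
}

# Constructed scanner output. 'validated' is the analyst's manual verdict:
# True = confirmed, False = false positive, None = not yet checked.
FINDINGS = [
    {"id": "F1", "host": "web01", "title": "Outdated TLS library", "cvss": 9.8, "validated": True},
    {"id": "F2", "host": "web01", "title": "Directory listing enabled", "cvss": 5.3, "validated": True},
    {"id": "F3", "host": "dm02", "title": "SMB signing not required", "cvss": 5.9, "validated": None},
    {"id": "F4", "host": "prn07", "title": "Default SNMP community", "cvss": 7.5, "validated": False},
    {"id": "F5", "host": "prn07", "title": "HTTP TRACE enabled", "cvss": 4.3, "validated": None},
]

def triage(findings, assets, critical_cutoff=15.0):
    """Risk = CVSS x business criticality; findings at or above the cut-off are the
    'critical few'. The cut-off is an assumed policy value, not from the guide."""
    unmapped = {"activity": "Unmapped", "owner": "Unassigned", "criticality": 1}
    scored = []
    for f in findings:
        asset = assets.get(f["host"], unmapped)
        scored.append(dict(f, risk=round(f["cvss"] * asset["criticality"], 1),
                           activity=asset["activity"], owner=asset["owner"]))
    scored.sort(key=lambda f: f["risk"], reverse=True)
    critical = [f for f in scored if f["risk"] >= critical_cutoff]
    trivial = [f for f in scored if f["risk"] < critical_cutoff]
    return critical, trivial

def accountability(findings):
    """Points of accountability: owner -> ids of the findings they must answer for."""
    owners = {}
    for f in findings:
        owners.setdefault(f["owner"], []).append(f["id"])
    return owners

def estimate_false_positives(findings):
    """Extrapolate the false-positive rate of the validated sample to the whole set."""
    checked = [f for f in findings if f["validated"] is not None]
    if not checked:
        return None  # nothing validated yet, so no estimate is possible
    fp_rate = sum(1 for f in checked if f["validated"] is False) / len(checked)
    return round(fp_rate * len(findings))
```

Feeding `triage(FINDINGS, ASSETS)` output into `accountability` gives the owner list for the executive read-out, while the unvalidated findings stay in scope until the sample-based estimate is replaced by actual verdicts.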
P3: Address Exposures

| Assessment Functions | Key Activities | Responsible | Description |
|---|---|---|---|
| Remediation | Conduct needs assessment for services that created exposure | VA Team and business representatives | The VA Team will work with the business to identify the level of need for services where exposure was identified. This will include printers, applications, data marts, routers, cloud applications, unused code, user accounts, etc. |
| | Inform management of potential risks of needed systems that cannot be upgraded | VA Team, business and Leadership Team | Identify and present critical services required by the business that have exposures where there is no solution to upgrade. |
| | Disable unnecessary services | VA Team | The VA Team will document a plan with timing to decommission services that are unnecessary; this will include applications, dormant code within applications, networking equipment, etc. |