Vulnerability Assessment Planning Guide

 

Assessment Functions

Objectives

Key Activities

Recommended Tools

Tool Description

Example

 

P1: Conduct the Assessment

Planning and Preparation

gather all relevant information and define “black-out” dates/times not available for testing

 

 

 

 

defining the scope; activities, users and systems – tells us where to look.

 

Important – define who is and who is not informed

Enum4linux

Enum information enumeration utility. Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and member lists, password and LSA policy information. Enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

https://labs.portcullis.co.uk/tools/enum4linux/

 

 

defining roles and responsibilities, and making others aware through the change management process

 

Important – Prior to any penetration test engagements, legal documents protecting the penetration testers and their company must be signed. (SANS, 2002)

 

 

 

 

Performing

interviewing and testing system administrators and other key stakeholders

SET (ReL1K)

The social engineering toolkit v1.0 release, code-named Devolution, is a suite of custom tools solely focusing on attacking the human element of penetration testing. Social Engineer Toolkit (SET) uses Backtrack as the framework for penetration testing. SET has been written by David Kennedy, who is also known by the nickname ReL1K. Complete details on the Social Engineer Toolkit are available at http://www.social-engineer.org

http://www.computerweekly.com/tutorial/Social-Engineer-Toolkit-SET-tutorial-for-penetration-testers

 

http://searchsecurity.techtarget.com/tip/Social-engineering-penetration-testing-Four-effective-techniques

 

 

reviewing appropriate policies and procedure relating to the systems being assessed. Compliance to policies include password (E2R, H2C),

John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

http://www.openwall.com/john/

 

 

Network security scanning. The goal here is to find the number of systems that are reachable. The expected results that should be obtained from a network surveying should consist of domain names, server names, Internet service provider information, IP addresses of hosts involved as well as a network map. (SANS, 2002)

nmap

Nmap is a utility for network discovery and/or security auditing. It can be used to scan large networks or single hosts quickly and accurately, determining which hosts are available, what services each host is running and the operating system that is being used. http://www.insecure.org/nmap

https://nmap.org/

 

 

 

 

Web Server Scanning

Nikto2

web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

https://cirt.net/nikto2

 

 

 

 

Wireless Scan

aircrack-ng

 

Aircrack is the most popular and widely-known wireless password cracking tool. It is used as 802.11 WEP and WPA-PSK keys cracking tool around the globe. This tool is powerful and used most widely across the world.

 

 

P2: Identify Exposures

 

Review resulting data from assessment phase

VA Team

 

 

 

 

Identify points of accountability by tying results from resulting data

VA Team

Develop an assessment of the results by tying back to the business activities. Additionally, an estimate of false positives will be provided.

 

 

 

Conduct enterprise-wide risk analysis and report to the Leadership Team

VA & Leadership Teams

An executive read-out will be developed to show the risks and exposure discovered during the VA.  This will be followed by an analysis and commentary on critical vulnerabilities that exist in the network or systems; separate the critical few versus the trivial many.  

 

 

P3: Address Exposures

Remediation

Conduct needs assessment for services that created exposure

VA Team and business representatives

Will work with the business to identify level of need for services where exposure was identified.  This will include; printers, applications, data marts, routers, cloud applications, unused code, user accounts, etc.

 

 

Inform management of potential risks of un-upgradable needed systems

VA Team, business and Leadership Team

Identify and present critical services required by the business that have exposures where there is no solution to upgrade.

 

 

Disable unnecessary services

VA Team

The VA Team will document a plan with timing to decommission services that are unnecessary; this will include applications, dormant code within applications, networking eqpt, etc.

 

 
Jeff Howell  -  San Carlos, CA  -  Privacy Statement - email Jeff