Today we are going to look at how to quickly run security scanning and assessment of large networks: which tools we will need and in which cases it may be required.
In which cases do we need to scan large networks
Some compliance standards, such as PCI DSS or HIPAA, may require security scans against large networks and subnets, including tests of isolated environments and of network segmentation as a whole. This process can take a lot of time, but how much depends on your experience and on your tool set, of course. The main goal of such activities is to identify live hosts and to find open ports and available services, so that we can spot possibly outdated versions, vulnerabilities, or services that communicate over unencrypted protocols. This is critical for such compliance standards because user data can be at risk, and our main aim here is to reduce that risk.
Such scans and tests are usually done under the so-called white box model: you have access to the internal network, or, for external scans, the targets were specified by the customer and there is no need for any additional research to find targets.
As this is mostly a network scanning project, we are going to use tools for network security analysis:
- OpenVAS (optional)
From our list you can see that we are going to use mostly free and open source software. ARP scan is required for a proper check of network segmentation and isolation of critical subnets, dirb and nikto will help us work through web applications, and network-level security issues we will identify with the help of nmap.
Scanning & Vulnerabilities finding
First we need to identify the live hosts in our network (internal or external):
$ nmap -sn -T5 192.168.0.0/24
To avoid wasting time on inactive hosts, we filter them out and work only with live hosts. In the next step we identify open ports and grab banners; the output is written in greppable format:
$ nmap -sV -T4 -F 192.168.0.1 192.168.0.3 192.168.0.15 --script banner -oG /tmp/nmap-banners.txt
We can do the same thing with masscan if we have a large number of live hosts:
$ masscan 192.168.0.0/24 -p0-5000 --banners -oG /tmp/masscan-banners.txt
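The greppable files written by the two commands above are only useful once something reads them. The following script is an added example, not code from the original post: it parses nmap's -oG format (the masscan -oG file has the same Host/Ports layout) into live hosts, open ports, the cleartext services a compliance assessment has to report, and the per-host port lists that the later nmap --script vuln step needs. The scan output embedded in it is a constructed sample, not real results, and the list of protocols treated as cleartext is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original post): parse nmap -oG output into live
# hosts, open ports, cleartext services and per-host port lists for the next
# scan step. The scan output below is a constructed sample, not real results.
# Real nmap -oG output separates fields with tabs; the parser accepts tabs
# or spaces so that copied-and-pasted output still parses.
LC_ALL=C; export LC_ALL

SAMPLE_NMAP_GREPPABLE='# Nmap scan initiated (constructed sample)
Host: 192.168.0.1 ()  Status: Up
Host: 192.168.0.1 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//nginx 1.18.0/  Ignored State: closed (97)
Host: 192.168.0.3 ()  Status: Up
Host: 192.168.0.3 ()  Ports: 443/open/tcp//ssl|https//nginx 1.18.0/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/  Ignored State: closed (98)
Host: 192.168.0.15 ()  Status: Up
Host: 192.168.0.15 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/filtered/tcp//http///  Ignored State: closed (98)
# Nmap done (constructed sample) -- 3 IP addresses (3 hosts up) scanned'

# live_hosts FILE -> one IP per line for every host nmap reported ports for
live_hosts() {
  awk '/^Host: / && /Ports: / { print $2 }' "$1" | sort -u
}

# open_ports FILE -> "ip port proto service version" for every open port.
# Each -oG port entry has the layout port/state/proto/owner/service/rpcinfo/version/
open_ports() {
  awk '
  /^Host: / && /Ports: / {
    ip = $2
    line = $0
    sub(/.*Ports: /, "", line)
    sub(/[ \t]+Ignored State:.*/, "", line)
    n = split(line, entry, ", ")
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open")
        printf "%s %s %s %s %s\n", ip, f[1], f[3], f[5], f[7]
    }
  }' "$1"
}

# cleartext_services FILE -> "ip port service" for services that carry
# credentials or data without encryption. The protocol list is an assumption
# made for this example; extend it to match your own policy.
cleartext_services() {
  open_ports "$1" |
    awk '$4 ~ /^(ftp|telnet|http|pop3|imap|smtp|snmp|vnc|ldap)$/ { print $1, $2, $4 }'
}

# vuln_scan_targets FILE -> "ip port1,port2,..." per host, the values the
# follow-up "nmap -sV -p <ports> <hosts> --script vuln" step needs
vuln_scan_targets() {
  open_ports "$1" |
    awk '{ p[$1] = (p[$1] == "" ? $2 : p[$1] "," $2) } END { for (h in p) print h, p[h] }' |
    sort
}

# Stand-alone run over the constructed sample
SCAN=$(mktemp)
printf '%s\n' "$SAMPLE_NMAP_GREPPABLE" > "$SCAN"
echo "Live hosts with open ports:"; live_hosts "$SCAN"
echo "Open ports:"; open_ports "$SCAN"
echo "Cleartext services to report:"; cleartext_services "$SCAN"
echo "Per-host port lists for the vuln script step:"; vuln_scan_targets "$SCAN"
rm -f "$SCAN"
```

Point the functions at /tmp/nmap-banners.txt from the scan above instead of the sample to get the real lists. Note that the filtered port 80 on the third host is deliberately excluded: only ports in state "open" are worth feeding into the vulnerability scripts, while the cleartext list is what goes into the report regardless of whether a vulnerability is later confirmed.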
Once we have the results of those scans, the next steps are:
- Run the nmap vulnerability scripts (nmap -sV -p <ports> <hosts> -T4 --script vuln)
- Run dirb against web apps (for example dirb https://192.168.0.15) to find sensitive files and directories
- Use Nikto for some simple web security checks (for example nikto -host http://192.168.0.15)
- Finally, check network isolation with arp-scan (segmentation can also be checked with nmap)
If any services with authentication are discovered, we will use hydra. Examples of such services are ssh, rdp, ftp, samba, telnet, databases and others. Hydra can help us a lot with executing brute force attacks. By the way, these attacks can also be done with nmap, though I can't say which of the two will do it faster; both tools are effective and popular among penetration testers.
To check internally for available devices and segmentation we can use the following arp-scan command:
$ arp-scan --interface=eth0 --localnet
By changing the network adapter on your machine (and therefore the segment you scan from), you can check each subnet in turn.
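An arp-scan run only tells you who answered on the wire; the segmentation check is comparing that against what the segment is supposed to contain. The script below is an added example, not code from the original post: it parses arp-scan's host lines (IP, MAC, vendor) out of the command's output and reports every responding device that is not in the expected inventory for that segment, which catches both unknown devices and a known IP now answering from a different MAC. The scan output and the inventory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the hosts an arp-scan
# run found on a segment with the inventory that segment should hold.
# Both the scan output and the inventory below are constructed samples.
LC_ALL=C; export LC_ALL

SAMPLE_ARP_SCAN='Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.0.10
Starting arp-scan (constructed sample) with 256 hosts
192.168.0.1	00:11:22:33:44:55	Example Router Vendor
192.168.0.3	aa:bb:cc:dd:ee:01	(Unknown)
192.168.0.77	de:ad:be:ef:00:01	(Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan (constructed sample): 256 hosts scanned. 3 responded'

# Expected inventory for this segment, one "ip mac" pair per line (constructed)
EXPECTED_INVENTORY='192.168.0.1 00:11:22:33:44:55
192.168.0.3 AA:BB:CC:DD:EE:01'

# arp_hosts SCAN_FILE -> "ip mac" for every responding host; the banner and
# summary lines of arp-scan do not start with an IPv4 address and are skipped
arp_hosts() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, tolower($2) }' "$1"
}

# unexpected_hosts SCAN_FILE INVENTORY_FILE -> responding hosts whose ip+mac
# pair is not in the inventory. awk reads the inventory first (NR == FNR),
# then the scan results from stdin.
unexpected_hosts() {
  arp_hosts "$1" |
    awk 'NR == FNR { known[tolower($1 " " $2)] = 1; next }
         !(($1 " " $2) in known) { print $1, $2 }' "$2" -
}

# Stand-alone run over the constructed samples
SCAN=$(mktemp); INV=$(mktemp)
printf '%s\n' "$SAMPLE_ARP_SCAN" > "$SCAN"
printf '%s\n' "$EXPECTED_INVENTORY" > "$INV"
echo "Hosts that answered ARP on this segment:"; arp_hosts "$SCAN"
echo "Hosts not in the segment inventory:"; unexpected_hosts "$SCAN" "$INV"
rm -f "$SCAN" "$INV"
```

In practice you would save the output of arp-scan --interface=eth0 --localnet to a file, keep one inventory file per segment, and run unexpected_hosts for each interface you switch to. An empty result is the evidence you want for the segmentation section of the report; anything else is a finding to track down, whether it is a forgotten device or a host that should be living in another segment.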
Automated Vulnerability Assessment Solutions
In the end, we can also cover nearly the same checks (and in several cases even more) with solutions like OpenVAS or Nessus. But Nessus is free only as the home edition and not for commercial use, so our choice is OpenVAS. It is a fully automated vulnerability scanner that runs discovery scans, identifies open ports and finds actual vulnerabilities and misconfiguration issues. The only thing is that it also needs its targets to be entered, and here you can do the same thing we did at the beginning: first identify live hosts, add them to OpenVAS and launch the vulnerability scan.
Here we were doing vulnerability assessment, not penetration testing, so please don't mix up the approaches, as they are different, as are their execution techniques. Vulnerability assessment mainly runs as a white box activity with an already identified scope, while penetration testing with a black box approach may start from only the company name or the company website URL, for example.