Attackers usually search for remote security vulnerabilities in order to compromise resources on your network. Backtrack Linux is a security testing distribution that helps you check your network and servers for remote security vulnerabilities and other potential weaknesses.
Based on Ubuntu, Backtrack is bundled with a variety of tools essential for penetration testing and security auditing. You do not have to run Backtrack to use the tools it provides, but booting the live CD lets you get started immediately.
Before you start, remember that scanning a network consumes system and network resources. Make sure that you fully coordinate your scanning within your company and inform the management team.
Use Nmap to test the network environment
One of the first tools you will want to try is Nmap, a powerful and intelligent command-line network scanner. Nmap displays the open ports on a host and information about the services listening on them.
Nmap comes with many useful options that are enabled by default. For example, port randomization (randomizing the order in which ports are scanned) can get past simple intrusion detection systems that would otherwise detect and block you while you test the network. Other useful options include:
· --script -- run the scan with the help of a set of scripts. Nmap ships with several sets of scripts grouped by purpose, for example for detecting DoS weaknesses, brute-force weaknesses, and other weak points. You can find the complete list on the Nmap Scripting Engine documentation page (http://nmap.org/nsedoc). If you have no idea which scripts to use, choose the default set: it is more stable and less intrusive than the other options.
· -p -- specify the ports you are interested in. For both UDP and TCP, most legitimate services run within a limited port range. Scanning a wider range of ports consumes more time and resources.
· -sV -- displays the service and version information for each open port. This is useful for identifying a service listening on a non-default port, such as Apache listening on TCP port 8080. The version information may also indicate outdated software and hence potential security vulnerabilities. If Nmap detects such outdated applications, patch them as soon as possible.
· target -- the target host or network, given as the final argument of the nmap command.
Combining the options above gives the following command:
nmap --script=default -sS -sU -p U:1-10000,T:1-10000 -sV 192.168.1.0/24
In this example the target is an internal private network (192.168.1.0/24). If you are looking for real remote security vulnerabilities, you should scan from outside your local network. However, an internal scan is also useful, because it shows services that do not need to be exposed, which is always a security risk.
The output of this example looks similar to this:
...
Nmap scan report for example.org (192.168.1.102)
Host is up (0.0017s latency).
Not shown: 9997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 3 (protocol 2.0)
...
80/tcp   open  http    Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
...
3306/tcp open  mysql   MySQL 5.5.28-1
...
The snippets of Nmap output above show the services running on 192.168.1.102, such as SSH, HTTP, and MySQL. They clearly show the name and version of each piece of software: OpenSSH 6.0p1, Apache httpd 2.2.22, and MySQL 5.5.28-1.
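Reviewing a report like the one above by hand is fine for one host, but for a whole /24 it helps to extract the open ports and versions automatically. The following Python is an added example, not code from the article: it parses Nmap's normal-output format into records and flags the services the text singles out (MySQL, which should not be reachable from other hosts, and any disclosed version string). The embedded report is constructed from the snippet above; the LOCAL_ONLY set is an assumption you would extend for your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap's normal-output format, modelled on the report
# above (one host; the version strings are illustrative).
SAMPLE_REPORT = """\
Nmap scan report for example.org (192.168.1.102)
Host is up (0.0017s latency).
Not shown: 9997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
3306/tcp open  mysql   MySQL 5.5.28-1
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str

def parse_report(text):
    """Turn Nmap normal output into Service records (open ports only)."""
    services, host = [], None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(2) or m.group(1)   # prefer the IP when present
            continue
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            services.append(Service(host, int(m.group(1)), m.group(2),
                                    m.group(4), m.group(5).strip()))
    return services

# Assumption: services that should only ever listen on the loopback interface.
LOCAL_ONLY = {"mysql"}

def review(services):
    """Return (service, finding) pairs that need attention."""
    findings = []
    for s in services:
        if s.name in LOCAL_ONLY:
            findings.append((s, "should bind to 127.0.0.1 or be firewalled"))
        if s.version:
            findings.append((s, "version disclosed: " + s.version))
    return findings
```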
Limit network exposure
For each exposed service, you should determine whether it really needs to be exposed. If it does not, one option is to make the service listen only on the loopback interface (127.0.0.1). For MySQL this is a good solution whenever the server only serves local requests. To do so, edit the my.cnf file. When MySQL listens on all interfaces, the bind-address directive looks like this: bind-address = 0.0.0.0. To make it listen only on the loopback interface, change it to bind-address = 127.0.0.1.
In addition, MySQL lets you explicitly restrict the remote hosts from which a user is allowed to connect; the connecting host is part of MySQL's connection authentication. Such an extra restriction helps against brute-force attacks, but it usually does not protect against remote software vulnerabilities in the service itself.
You can also use a firewall to restrict access to services. Properly configured, the firewall allows only certain hosts to connect to a specific service. For MySQL, an iptables example looks like this: iptables -I INPUT -p tcp --dport 3306 -j DROP; iptables -I INPUT -s 192.168.1.1 -p tcp --dport 3306 -j ACCEPT. Because -I inserts each rule at the top of the chain, the DROP rule is added first so that the ACCEPT rule ends up above it. These commands allow MySQL connections only from the IP address 192.168.1.1.
As a last resort, you can decide to change the default port of a service. This is usually appropriate for sensitive services that must remain relatively hidden yet still fully reachable from outside. SSH is a common case, when the system administrator wants access from anywhere. You can move SSH to a port above the usual scan range (1-10000). For example, if you set the SSH daemon to listen on port 19999, it is unlikely to be found by a scan, but you can still reach the service from anywhere as long as you know the port. To change the SSH port, edit the Port directive in /etc/ssh/sshd_config and restart the service. When you later connect with your SSH client, do not forget to specify this port (ssh -p in a Linux shell).
These are the simplest ways to restrict remote connections and fend off external attacks. If you are interested in more advanced techniques, consider port knocking.
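Both iptables commands above use -I, which inserts at the head of the INPUT chain, so the order in which they are issued decides which rule is evaluated first. The following Python model is an added example, not part of the article or of iptables itself: it replays the two commands with -I/-A semantics and first-match evaluation to show that the ACCEPT rule must end up above the DROP rule for the allowed host to get through. It assumes the chain's default policy is ACCEPT and models only the options the commands use.

```python
import shlex

def build_chain(commands):
    """Apply 'iptables ...' command strings in order; return the resulting rule list."""
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)
        rule = {"src": None, "proto": None, "dport": None, "target": None}
        mode = None
        for opt, val in zip(argv[1::2], argv[2::2]):   # options come in pairs
            if opt in ("-I", "-A"):
                mode = opt                              # val is the chain name
            elif opt == "-s":
                rule["src"] = val
            elif opt == "-p":
                rule["proto"] = val.lower()
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val.upper()
        if mode == "-I":
            chain.insert(0, rule)   # -I puts the new rule at the top
        else:
            chain.append(rule)      # -A appends at the bottom
    return chain

def verdict(chain, src, proto, dport):
    """Target of the first rule matching the packet; unmatched packets hit the default policy."""
    for r in chain:
        if r["src"] in (None, src) and r["proto"] in (None, proto) \
                and r["dport"] in (None, dport):
            return r["target"]
    return "ACCEPT"   # assumption: default INPUT policy is ACCEPT

# Issuing ACCEPT first and DROP second with -I leaves DROP on top of the chain,
# so even the allowed host 192.168.1.1 is blocked.
ACCEPT_THEN_DROP = [
    "iptables -I INPUT -s 192.168.1.1 -p tcp --dport 3306 -j ACCEPT",
    "iptables -I INPUT -p tcp --dport 3306 -j DROP",
]
# Issuing DROP first and ACCEPT second gives the intended order.
DROP_THEN_ACCEPT = list(reversed(ACCEPT_THEN_DROP))
```

The same two commands with -A instead of -I would need the opposite issuing order, since -A appends below existing rules.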
Restrict exposed information
After handling the SSH and MySQL services in our example, only the web service remains exposed. It is reasonable for that service to be reachable on the standard HTTP port, TCP 80. We cannot hide it behind a different port or restrict access to it. Our only option is to disclose as little information as possible.
According to the previous example, the Apache version is Apache httpd 2.2.22 ((Debian)). This gives an attacker a lot of information: the web server name, its version, and even the operating system. You can limit this by changing the Apache configuration and setting the ServerTokens directive to ProductOnly. When you run the scan again, the version information will then show only Apache httpd.
Even with the basic Nmap example we get more information than just the version. For Apache, Nmap also shows that the OPTIONS response carried no Allow or Public header, that is, HTTP methods are not restricted: |_http-methods: No Allow or Public header in OPTIONS response (status code 200). From a security perspective it is very important to limit the allowed HTTP methods to the few your website really needs, so that fewer methods are available to an attacker.
For example, the TRACE HTTP method echoes the client's request back to it. Clearly this is handy for debugging, but it is not needed on a production web server. The TRACE method is used by some attacks, and because it can give access to sensitive information it should almost always be disabled. In fact, most ordinary web servers need to support only two HTTP methods: GET and POST. To disable the other methods, use the Apache <LimitExcept> directive, as shown in the following configuration:
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>
Hiding server tokens and disabling unwanted HTTP methods is a good start, but it is far from enough. An application firewall is also required, which provides more comprehensive and in-depth protection. Such solutions exist for almost every publicly accessible service. Taking Apache as an example, see the article "How to protect your web server with ModSecurity" (http://www.openlogic.com/wazi/bid/188075) for more information.
Check the Nmap output carefully and treat every publicly exposed service in a similar way. You should then be able to defeat common, untargeted attacks that scan the Internet at random for outdated or misconfigured software.
Deeper vulnerability scanning with Nessus
Nmap is powerful enough to let you run a rigorous penetration test of your environment, but it is not as easy to use as some advanced vulnerability scanners, nor are its functions as comprehensive. Nessus, for example, is a commercial vulnerability scanner that can be used for free for a limited time. To get started on Backtrack, you have to register a license key and follow the preparation steps described in the official Nessus on Backtrack guide (http://www.tenable.com/blog/enabling-nessus-on-backtrack-5-the-official-guide).
Once Nessus is set up and running on Backtrack, you control it through an intuitive web interface at https://localhost:8834. The web interface makes it easy to configure a penetration test and, once it has run, to generate professional reports from the same interface.
Nessus can detect more than 50,000 security vulnerabilities across all exposure levels, from misconfigured services to outdated software. Once a vulnerability is detected, all relevant information is reported and, most importantly, a recommended solution. This saves you time, ensures that you follow best practices when fixing problems, and helps you meet the highest security standards.
Nessus is the preferred penetration testing solution for enterprise users. Nmap, however, remains the Swiss army knife of network scanning, because it is the fastest and simplest way to survey a network environment, with no license to obtain or money to spend.
Whichever application you choose, the most important thing is to understand the idea behind remote security: do not expose unnecessary services or any information that is not explicitly required. This should ensure that you do not attract threats that could exploit zero-day vulnerabilities.