The study of security improvements
of an OS via patches, and the effectiveness of the patches themselves.
Overview:
Q: Which Operating Systems reveal the greatest security improvements, that is,
a reduction in vulnerabilities from an out-of-the-box (default)
state to a patched state (via the latest vendor patches)?
A: Using Nmap and Nessus we will scan Operating Systems installed with
default options, that is, without any patches or configuration changes. Then we will
scan them again with the latest patches applied and compare the scans from before and
after.
Q: Is a patch always effective, in that it nullifies all (high-risk) vulnerabilities
that were known prior to the patch release? Or do patches sometimes overlook security
holes, or perhaps even do more damage?
A: By looking at the progression of patches for each Operating System (for example,
from Windows 2000 Server SP1 to SP2 to SP3 to SP4) we will see specifically which
threats were or weren't eradicated between patches, and thus be better able to assess
the effectiveness of a later patch.
What is NESSUS?
Nessus is a software package that performs security scanning of Operating Systems
(OS) and networks. It is a free product and is very popular in the security
industry. Many security professionals use it today to scan their systems for
common vulnerabilities, and companies like Enterasys are incorporating Nessus
scanning into their Intrusion Detection products, such as Dragon and Squire.
Nessus allows you to save the information it has discovered in several formats,
including XML, HTML and plain text. We provide you with the HTML format, with a short
paragraph at the beginning of each scan to introduce it. At the beginning of the scan
results you will see references to the following: Security Holes, Security Notes and
Security Warnings. We could not find a definition of any of these in the man pages or
on the Nessus site, so we emailed Renaud Deraison, one of the developers of Nessus,
and asked for his definitions of the three. He responded with:
Basically, Security Notes are just "nits". It's information that may be
valuable in itself (i.e.: the name of the remote operating system, and
so on), but it does not make the host more prone to be the victim of an attack.
Security Warnings are advice we recommend you follow, or a bug waiting
to be exploited in conjunction with another vulnerability. A service that
is historically known to be buggy is likely to get such a warning, even
if the tested release was considered bug free. A service which operates
in clear text may also get a warning, and so on. In one word, I'd call
them "disasters waiting to happen", meaning that they're not
fatal now, but they might be some day.
Security Holes mean that a cracker can get instant access to your box
(either read any file, or walk through the filesystem, or even have a shell
prompt).
Nessus offers much functionality, some of which consists of:
Up-to-date security vulnerability database -
We mostly focus on the development of security checks for recent security holes.
Our security checks database is updated on a daily basis, and all the newest
security checks are available here and on our FTP servers and mirrors.
NASL -
The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language),
a language designed to write security tests easily and quickly. (Security checks
can also be written in C.)
Smart Service Recognition -
Nessus does not believe that the target hosts will respect the IANA-assigned
port numbers. This means that it will recognize an FTP server running on a
non-standard port (31337, say), or a web server running on port 8080.
Cracker Behavior -
Nessus does not believe that version x.y.z of a given piece of software is immune to
a security problem. 95% of the security checks will actually perform their
job: they'll try to overflow your buffers, relay some mail, and even
crash your computer!
The above information and additional information
on Nessus can be found at www.nessus.org.
What is NMAP?
Nmap is a port scanner and OS detection tool. Nmap was written by a hacker known
as Fyodor. Over the years, with input from other hackers and security
experts, he has written and developed this tool, which is used by both security
administrators and hackers/crackers. Nmap offers the following:
Flexible:
Supports dozens of advanced techniques for mapping out networks filled with
IP filters, firewalls, routers, and other obstacles. This includes many port
scanning mechanisms (both TCP and UDP), OS detection, ping sweeps, and
more.
Easy:
While Nmap offers a rich set of advanced features for power users, you can
start out as simply as "nmap -O -sS targethost". Both traditional
command line and graphical (GUI) versions are available to suit your preference.
Binaries are available for those who do not wish to compile Nmap from source.
Free:
The primary goals of the Nmap Project are to help make the Internet a little
more secure and to provide administrators/auditors/hackers with an advanced
tool for exploring their networks. Nmap is available for free download, and
also comes with full source code that you may modify and redistribute under
the terms of the GNU General Public License (GPL).
The above and additional information can be found
at www.insecure.org.
What is a Security Vulnerability?
A security vulnerability is a flaw in a product that makes it infeasible, even when
using the product properly, to prevent an attacker from usurping privileges on the
user's system, regulating its operation, compromising data on it, or assuming
un-granted trust.
A universal vulnerability is a state in a computing system (or set of systems) which
either:
- allows an attacker to execute commands as another user;
- allows an attacker to access data contrary to the specified access restrictions
  for that data;
- allows an attacker to pose as another entity; or
- allows an attacker to conduct a denial of service.
What is a default Install?
A default install, as used for this report, is defined as an installation of an
OS without changing, adding or removing anything in the installation menus. In
other words, just clicking Next each time the installer asks.
The Procedure
For our test, we used RedHat 7.2 on a Compaq Deskpro 233MMX machine as the
scanning host. We installed Nessus 1.0.9 and Nmap 2.54BETA22.
This machine was connected via a hub to each target machine.
For the Nessus scan, we chose the option "Enable all but dangerous plugins".
This option scans the system for the known vulnerabilities in the Nessus database
but skips the checks that may harm the remote host, either by disabling the attacked
service or by crashing the host. Because those checks are skipped, a default install
may have more exploitable holes than the scan reports.
The scan was run and the results from Nessus were saved as HTML with charts.
Nessus uses Nmap for its default port scan, and those port results are what is
displayed along with the Nessus results. However, we performed an Nmap scan of our
own on some of the targets just to confirm the results. For the additional scan we
used the following command:
nmap -v -sS target > (machine name)
This command tells Nmap to perform a vanilla TCP SYN scan (-sS) and to be verbose
about it (-v); a SYN scan needs raw sockets, so it was run as root. The output was
redirected to a file named after the target machine.
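The before-and-after comparison described in the overview and in this procedure, as an added example that is not part of the original report: a small Python script that parses two Nmap normal-output files (the format the redirected nmap command above writes) and two Nessus-style finding lists, then reports which ports and findings the patch removed, which remain, and which are new. The scan text, host address and findings are constructed for the example, not results from the study; the severity names follow the hole/warning/note definitions quoted above, and a finding that is only downgraded is deliberately reported as remaining rather than fixed.

```python
"""Added example: compare a default-install scan against a patched-install scan.

The two Nmap reports and the finding lists below are constructed sample data
in the 2.54-era normal-output format; they are not results from the study.
"""
import re

# Nmap's normal output lists one line per port: "<port>/<proto>   <state>   <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Nessus result classes as defined on this page, ranked from most to least serious.
SEVERITY_RANK = {"hole": 3, "warning": 2, "note": 1}

# Constructed sample: what "nmap -v -sS target > file" might write for a default install.
DEFAULT_INSTALL_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on target (192.0.2.10):
(The 1535 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

# Constructed sample: the same host after the vendor patches were applied.
PATCHED_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on target (192.0.2.10):
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

# Constructed Nessus-style findings as (port, severity, description) tuples.
DEFAULT_FINDINGS = [
    ("80/tcp", "hole", "web server vulnerable to a known remote overflow"),
    ("21/tcp", "warning", "anonymous FTP login allowed"),
    ("139/tcp", "note", "remote operating system identified via SMB"),
]
PATCHED_FINDINGS = [
    ("21/tcp", "warning", "anonymous FTP login allowed"),
    ("139/tcp", "note", "remote operating system identified via SMB"),
    ("25/tcp", "warning", "SMTP service accepts cleartext authentication"),
]


def port_key(spec):
    """Sort '80/tcp'-style strings numerically instead of lexically."""
    port, proto = spec.split("/")
    return int(port), proto


def open_ports(nmap_output):
    """Return the set of 'port/proto' strings that Nmap reported as open."""
    return {f"{port}/{proto}"
            for port, proto, state, _service in PORT_LINE.findall(nmap_output)
            if state == "open"}


def compare_ports(before, after):
    """Split two open-port sets into closed-by-patch, still-open and newly-opened."""
    return {
        "closed": sorted(before - after, key=port_key),
        "still_open": sorted(before & after, key=port_key),
        "new": sorted(after - before, key=port_key),
    }


def compare_findings(before, after):
    """Compare two finding lists keyed on (port, description).

    A finding is eradicated only when the same port/description pair is gone
    after patching; a finding that is merely downgraded (hole -> warning) is
    reported as remaining, with its new severity, so it is not mistaken for a fix.
    """
    before_map = {(p, d): s for p, s, d in before}
    after_map = {(p, d): s for p, s, d in after}
    eradicated = [(p, s, d) for (p, d), s in before_map.items() if (p, d) not in after_map]
    remaining = [(p, after_map[(p, d)], d) for (p, d) in before_map if (p, d) in after_map]
    introduced = [(p, s, d) for (p, d), s in after_map.items() if (p, d) not in before_map]
    worst = max(after, key=lambda f: SEVERITY_RANK[f[1]], default=None)
    return {
        "eradicated": eradicated,
        "remaining": remaining,
        "introduced": introduced,
        "worst_remaining": worst[1] if worst else None,
    }


if __name__ == "__main__":
    ports = compare_ports(open_ports(DEFAULT_INSTALL_SCAN), open_ports(PATCHED_SCAN))
    for label, items in ports.items():
        print(f"ports {label}: {', '.join(items) or 'none'}")
    findings = compare_findings(DEFAULT_FINDINGS, PATCHED_FINDINGS)
    for label in ("eradicated", "remaining", "introduced"):
        for port, severity, description in findings[label]:
            print(f"{label}: {port} [{severity}] {description}")
    print("worst severity still present:", findings["worst_remaining"])
```

To use it against real scans, read the two redirected nmap output files into the two scan strings and fill the finding lists from the saved Nessus reports; the "introduced" list is what answers the second overview question, since a patch that opens a new port or adds a new warning has done more than just close holes.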