System Vulnerability Assessment Tools
To continue your vulnerability assessment, you'll need tools that dig deeper
into the security of discovered systems. System assessment tools can fingerprint
operating systems, enumerate user accounts and share names, check system policies
for misconfiguration or vulnerabilities, and evaluate the strength of passwords.
Although these checks could be run on any host, you get more bang for the buck
by focusing on two groups: DMZ servers, which are the most exposed, and the
mission-critical servers that would hurt you the most if compromised. On the
other hand, keep in mind that some of these tests can disrupt the target system
(a password-strength check can lock out accounts, and an intrusive probe can
crash a fragile service). It's always a good idea to run a new tool against a
non-critical system first to learn what the test does and how it might affect
a production system.
Here's a quick list of representative commercial products that can help during
system vulnerability assessments:
In addition, many of the network scanners identified previously also test
for system vulnerabilities. One might argue that all of these tools belong to
a single category, but we've divided them to illustrate differences between
evaluating the security of your network as a whole and penetration-testing individual
systems. Also see Security Audit Tools, since they can be used for both self-assessment
and third-party audits.
If you don't have the cash for commercial products, here are several open
source and shareware system assessment tools that you might want to consider:
Cerberus Information
Security Scanner (CIS) is a free security scanner that runs on Windows
NT and 2000 PCs. CIS uses scan modules to check for common vulnerabilities
in Web, SQL, FTP, SMTP, POP, DNS, and Finger services.
Foundstone
Fport is a handy tool that overcomes an annoying deficiency in standard-issue
Windows utilities: netstat on NT and 2000 cannot tell you which process owns a
socket (the -o switch that shows the owning PID only arrived with XP). This
Windows NT/2000/XP command line utility identifies the applications and
processes associated with open TCP and UDP ports. A graphical version called
Vision is available for 2000 and NT only.
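What Fport does for you can be reconstructed from the output of two stock Windows commands, netstat -ano (the PID column) and tasklist /fo csv (PID to image name), and the join is a useful check in its own right because a listener whose PID no longer resolves deserves a second look. The script below is an added illustration, not Fport's code; both command outputs embedded in it are constructed samples, not captures from a real host.

```python
"""
Port-to-process mapping in the style of Fport, rebuilt from two stock Windows
utilities: `netstat -ano` (the -o column, added in XP, shows the owning PID)
and `tasklist /fo csv`. Added illustration: this is not Fport's code, and the
two outputs below are constructed samples, not captures from a real host.
"""
import csv
import io
from typing import Dict, List

# Constructed sample of `netstat -ano` output. UDP rows have no State column,
# so a UDP row is one field shorter than a TCP row.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1208
  TCP    192.168.1.10:49672     10.0.0.5:443           ESTABLISHED     2044
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1060
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output. PID 3320 is deliberately
# absent, as happens when a process exits between the two commands or hides.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,204 K"
"svchost.exe","912","Services","0","8,560 K"
"svchost.exe","1060","Services","0","6,112 K"
"svchost.exe","1208","Services","0","10,004 K"
"chrome.exe","2044","Console","1","210,880 K"
"""


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: image name} from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" and len(fields) == 5 else ""
        addr, port = local.rsplit(":", 1)  # rsplit keeps bracketed IPv6 intact
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(fields[-1])})
    return rows


def port_process_map(netstat_text: str, tasklist_text: str,
                     listening_only: bool = True) -> List[dict]:
    """Join sockets to owning image names, Fport-style, sorted by port.

    With listening_only, keep TCP sockets in LISTENING state and every UDP
    socket (UDP has no state; a bound socket is an open port).
    """
    images = parse_tasklist(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        if listening_only and row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        entry = dict(row)
        entry["image"] = images.get(row["pid"], "<pid not in tasklist>")
        out.append(entry)
    return sorted(out, key=lambda e: (e["port"], e["proto"], e["addr"]))


def unowned_ports(entries: List[dict]) -> List[int]:
    """Ports whose owning PID could not be resolved: worth a second look."""
    return sorted({e["port"] for e in entries if e["image"].startswith("<")})


def format_report(entries: List[dict]) -> str:
    """Render in the column layout Fport users expect."""
    lines = [f"{'Pid':>6}  {'Process':<22} {'Port':>5}  {'Proto':<5} Address"]
    for e in entries:
        lines.append(f"{e['pid']:>6}  {e['image']:<22} {e['port']:>5}  "
                     f"{e['proto']:<5} {e['addr']}")
    return "\n".join(lines)


if __name__ == "__main__":
    listeners = port_process_map(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    print(format_report(listeners))
    print("unresolved owners on ports:", unowned_ports(listeners))
```

Run the two commands back to back and feed their output to port_process_map; on a live host, take both snapshots as close together as you can, since a PID that appears in netstat but not in tasklist is either a process that exited in between or something worth investigating.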
Microsoft
Baseline Security Analyzer (MBSA) is a free tool, with both a graphical
interface and the Mbsacli.exe command line front end, that centrally scans
Windows NT, 2000, XP, and Server 2003 PCs for vulnerabilities,
misconfigurations, and missing security patches affecting the OS, IIS,
SQL Server, Exchange, and many other Microsoft products. MBSA replaces the
older HFNetChk command line utility.
Shavlik's HFNetChkPro
Free Version is a node-limited release of Shavlik's commercial offering.
The free version lets you perform system security setting and patch checks
on 10 computers and look for suspicious accounts and weak passwords on up
to 50 computers.
Winfingerprint
is an open source Win32 program that uses SMB, TCP, UDP, ICMP, RPC, and SNMP
to enumerate users, groups, password policies, services, service packs, shares,
sessions, disks, and more on all PCs within a Windows domain. A command line
version called Winfingerprint-cli can be used for batch scans.
Xprobe is
an open source C++ OS fingerprinting tool that uses unconventional techniques:
it relies mainly on ICMP probes rather than TCP stack quirks, and it matches
the responses against its signature database with fuzzy scoring, so a target
whose stack deviates in one detail still yields a ranked guess rather than no
match at all. Xprobe can therefore work in some situations where TCP-based
fingerprinting fails, such as a host that answers ping but filters most TCP
ports. To learn more, read the research papers posted on the Xprobe home page.
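To make the fuzzy-matching idea concrete, here is an added illustration of how an ICMP-based fingerprinter can score observed responses against a signature table so that one deviating field lowers confidence instead of defeating the match. This is not Xprobe's code or its signature database: the probe fields, weights, signature values ("OS-A", "OS-B", "OS-C") and the three observations are all constructed for the example.

```python
"""
Fuzzy OS-signature matching of the kind Xprobe uses, as an added
illustration. This is not Xprobe's code or its signature database: the
probe fields, weights, signatures and observations below are constructed
for the example. Each observation is scored field by field against every
signature; unanswered probes carry no evidence, and a single deviating field
(a tuned TTL, a middlebox rewriting ToS) lowers the confidence rather than
defeating the match outright.
"""
from typing import Dict, List, Tuple

# Probe fields and their weight in the score (constructed weights).
WEIGHTS: Dict[str, int] = {
    "initial_ttl": 3,        # initial TTL inferred from the echo reply
    "echo_code_zeroed": 2,   # echo request sent with a nonzero ICMP code: is it zeroed in the reply?
    "tos_echoed": 2,         # reply returns the request's IP ToS byte unchanged?
    "df_echoed": 1,          # reply keeps the request's DF bit?
    "ip_id": 2,              # IP ID behaviour: "zero", "incremental" or "random"
    "timestamp_reply": 2,    # answers an ICMP timestamp request?
    "addrmask_reply": 1,     # answers an ICMP address-mask request?
}

# Placeholder signature table (illustrative values, not real stack behaviour).
SIGNATURES: Dict[str, Dict[str, object]] = {
    "OS-A": {"initial_ttl": 64,  "echo_code_zeroed": False, "tos_echoed": True,
             "df_echoed": True,  "ip_id": "incremental",    "timestamp_reply": True,
             "addrmask_reply": False},
    "OS-B": {"initial_ttl": 128, "echo_code_zeroed": True,  "tos_echoed": False,
             "df_echoed": True,  "ip_id": "incremental",    "timestamp_reply": True,
             "addrmask_reply": True},
    "OS-C": {"initial_ttl": 255, "echo_code_zeroed": False, "tos_echoed": True,
             "df_echoed": False, "ip_id": "random",         "timestamp_reply": False,
             "addrmask_reply": False},
}

INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Map a hop-decremented TTL back to the likely initial value.

    A reply arriving with TTL 57 most likely started at 64, one with 116 at 128.
    """
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def score_signature(observation: Dict[str, object],
                    signature: Dict[str, object]) -> Tuple[int, int]:
    """Return (matched weight, total weight of the fields actually observed)."""
    score = possible = 0
    for field, weight in WEIGHTS.items():
        value = observation.get(field)
        if value is None:   # probe filtered or unanswered: no evidence either way
            continue
        possible += weight
        if value == signature[field]:
            score += weight
    return score, possible


def fingerprint(observation: Dict[str, object]) -> List[Tuple[str, float]]:
    """Rank every signature by confidence (matched weight / observable weight)."""
    obs = dict(observation)
    if obs.get("observed_ttl") is not None:
        obs["initial_ttl"] = infer_initial_ttl(int(obs["observed_ttl"]))
    ranked = []
    for name, sig in SIGNATURES.items():
        score, possible = score_signature(obs, sig)
        ranked.append((name, round(score / possible, 2) if possible else 0.0))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed observation: every probe answered, consistent with OS-B.
CLEAN_TARGET = {"observed_ttl": 116, "echo_code_zeroed": True, "tos_echoed": False,
                "df_echoed": True, "ip_id": "incremental", "timestamp_reply": True,
                "addrmask_reply": True}

# Same host after an administrator raised the default TTL (one field now off).
TUNED_TTL_TARGET = dict(CLEAN_TARGET, observed_ttl=250)

# Same host behind a filter that drops timestamp and address-mask requests.
FILTERED_TARGET = dict(CLEAN_TARGET, timestamp_reply=None, addrmask_reply=None)

if __name__ == "__main__":
    for label, obs in [("clean", CLEAN_TARGET), ("tuned ttl", TUNED_TTL_TARGET),
                       ("filtered", FILTERED_TARGET)]:
        print(f"{label:10} -> {fingerprint(obs)}")
```

The design point is in score_signature: a probe that got no answer contributes neither a hit nor a miss, so a host that filters two of the seven probes can still match at full confidence on the five it answered, while a host whose administrator changed one stack setting drops to a lower but still top-ranked score. A strict all-fields-must-match comparison would return nothing in both cases.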