[Leaplist] Security Audit Advice
Hank Lambert
hank at hanklambert.com
Sat Dec 15 02:52:52 GMT 2007
Is this a Microsoft network? These are some of the things I do to my
networks. I scan the networks with nmap and with Nessus. On the
servers, I run the Microsoft Baseline Security Analyzer (MBSA) and
make sure that they are completely updated and patched. I verify that
I cannot create a null session to the servers from workstations and
see if the servers will give up the NTLM hash with pwdump and/or
samdump2. I verify that the routers won't pass ICMP requests to the
broadcast address or the network address. Finally, if it is a 2000 or
earlier server, I run exploits against it with metasploit to see if I
can get to a system-level console.
On the firewall, I verify that inbound ftp and telnet are denied and
install secure ftp and ssh if needed. I also block ports 3389, 4000,
5000, and 5900, and use port forwarding if these ports are required.
If they are running Exchange, I make sure that they have reverse NDR
filtering set and relaying turned off. If they have any Web servers, I
run Nikto against them.
For tools, I use nmap, nessus, metasploit, bkhive, samdump2. All of
these tools are included in the Linux distribution BackTrack 2.0. It
is a live CD that can be installed on a computer as well, and is the
best tool available yet. Version 3 is released in beta, and is the
most comprehensive penetration testing distribution there is. The beta
also includes forensic tools. It can be downloaded from
http://www.remote-exploit.org. Furthermore, all or most of the other
tools can be downloaded from http://insecure.org.
If this is a Linux/Unix network, I can't help you. One day I will be
able to, but I'm not there yet. I know I am forgetting things, but
fatigue is winning. Hope this helps and good luck. I look forward to
hearing how it went and also other suggestions from others in the group.
Hank Lambert
KB4MTO
Certified Geek
Aaron Morrison wrote:
> Ok.
>
> Looks like I may have a small gig doing a security audit for a company.
>
> Other than port scanning (which will be authorized, BTW), checking
> running services/processes, checking usernames, and the odd setuid
> root app, what kinds of things should a good audit be checking for?
>
> Opinions? Tool recommendations?
>
> --am
>
> _______________________________________________
> Leaplist mailing list
> Leaplist at leap-cf.org
> http://lists.leap-cf.org/mailman/listinfo/leaplist
>
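As an added example (not part of Hank's post or any tool he names), here is a small check for the firewall step he describes: it reads nmap grepable (-oG) output and flags any host still answering on the inbound ports he says should be denied (ftp, telnet, 3389, 4000, 5000, 5900). The scan text below is constructed sample data, not a real capture, and the port labels for 4000/5000 are placeholders since the post does not name the services.

```python
# Ports the post says inbound should be denied at the firewall.
# Labels for 4000/5000 are placeholders; the post does not name them.
DENIED_INBOUND = {
    21: "ftp", 23: "telnet", 3389: "rdp",
    4000: "port 4000", 5000: "port 5000", 5900: "vnc",
}

# Constructed sample in nmap -oG (grepable) layout; tab-separated fields.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 21/open/tcp//ftp///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 5900/open/tcp//vnc///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Up
"""


def parse_grepable(text):
    """Parse nmap -oG output into {host: [(port, state, proto, service), ...]}.

    Only 'Host:' lines that carry a 'Ports:' field are kept; each port
    entry has the form port/state/proto/owner/service/rpc/version/.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = []
        for item in ports_field.split(","):
            parts = item.strip().split("/")
            if len(parts) < 5:
                continue  # malformed entry, skip rather than guess
            entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
        results[host] = entries
    return results


def firewall_findings(scan):
    """Return (host, port, service) for denied inbound TCP ports seen open.

    'filtered' or 'closed' states are what the firewall rule should
    produce, so only 'open' counts as a finding.
    """
    findings = []
    for host, ports in scan.items():
        for port, state, proto, service in ports:
            if proto == "tcp" and port in DENIED_INBOUND and state == "open":
                findings.append((host, port, service or DENIED_INBOUND[port]))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, service in firewall_findings(parse_grepable(SAMPLE_SCAN)):
        print(f"{host}: inbound {port}/tcp ({service}) reachable, expected denied")
```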