Chapter 17

Network Scanning, Intrusion Detection, and Intrusion Prevention Tools

Would your network withstand an attack? How easy would it be for someone to break into your network, find anything they want on your Mac, and steal enough information to masquerade as you on the Internet? To answer these questions, you need to take a good hard look at your network and audit it for intrusion vulnerabilities. Imagine having to catalog every program, file, and service running on your Mac and cross-reference each one, one at a time, against every known exploit. That audit would take a considerable amount of time. Unfortunately, attackers have easy access to a wide variety of auditing tools and already have a good idea of which exploits to look for. Thankfully, the very same auditing software can help you expedite the process of keeping them out.

This is not to say you shouldn’t be mindful of open ports, listening services, and the daily activities of a computer when analyzing security on a machine. You should be. Keep in mind, however, that each item that represents a security risk will need to be handled separately. The more time you can save in the actual audit of a computer, the quicker you will be able to secure the items that are flagged as a security threat. In this chapter, we’ll cover the types of scans that hackers and auditors are likely to employ and how to use auditing software to counteract them.

Scanning Techniques

White-box testing is a methodology used when the auditor has full knowledge of the target environment. If you know all the relevant network information about the environment, such as the IP address of each system and what types of computers and network appliances exist, then you do not have to perform any discovery and can move straight into attempting to exploit systems or document threats.

Black-box testing assumes that the person auditing the network knows nothing about the environment. Because an outside attacker usually starts with nothing, black-box testing gives the most realistic picture of what an outsider could learn and exploit. If you're new to the environment, the first step in black-box testing is to understand what kind of information an attacker might be able to obtain. Once you have a full understanding of the environment, the techniques become similar to those used in white-box testing. For the discovery portion of black-box testing, you can use a variety of techniques, which generally fall into two categories: active or passive scanning.

Active scanning involves targeted probing of a network or a specific host to ferret out vulnerabilities. Many attackers avoid active scanning because it leaves traces in the target's logs, making their activities easier to trace. Active scanning methods include using a port scanner to find open ports, testing web applications for weak passwords or insecure code, or sending users web links in the hope that they will visit a site that logs their IP address and browser details, which can reveal potential attack vectors. Active scanning is easily detected, because most of these probes are blatant and high-speed; once a scan is detected, the offending addresses can be blocked.

Passive scanning uses less intrusive means of observation, so as not to leave indications that a scan is taking place. Passive scanning requires much more patience, because the techniques are investigative in nature. Searching newspapers and job boards for specific technologies gives indications of what technologies are being used. Requests for assistance on a vendor's support page or a mailing list tell an attacker not only what technologies are in use, but what problems the users are having, and potentially very detailed information about what solutions are being implemented. You may also be able to gather information about the staff responsible for the network. When looking for information that could be used against an organization, the search must be comprehensive, often including chat rooms, the whois database, newsgroups, web sites, mailing list archives, and the target user's or company's web site. A company web site can even give an attacker usernames, e-mail addresses, and the location of CGI scripts on web servers. Sometimes passwords are discovered, or at least hints about password policies. To help reduce the amount of information about your organization that is on the Web, routinely use Google to search for what is publicly available about your organization. A number of advanced Google search operators make it easier to narrow your search. For example, a search for site:mysite.com filetype:doc returns every indexed Word document on your site, and adding a term such as "confidential" or "password" narrows it to the documents you least want indexed.

Fingerprinting

Fingerprinting is the practice of gathering as much information as possible about your systems or network and using that information to positively identify the hardware and software in use. The goal is to get as much information as possible about a network or host's security, including its remote access capabilities, vulnerable services, and open ports. Successfully attacking a system depends on having this information. Tools that can be used in fingerprinting include general-purpose tools such as host, dig, and traceroute, and specialized tools like nmap and Wireshark (formerly Ethereal).

The easiest and safest way to go about finding information about a company is to use publicly available information. This includes researching and collecting phone numbers, addresses, press releases, SEC filings, and other seemingly innocuous information. Company blogs are wonderful mediums for discussing technology, but they can also be a great resource from which to extract information about a company’s infrastructure. Many companies post a great deal of information about themselves on their web site, including information about the systems they have deployed, the revisions of services running on these systems, and the security solutions used to protect these services. A lot of this information can be very useful to hackers.

Let’s fingerprint the site apress.com to find out as much as we can about our publisher. We can hopefully assume that, as a publisher of books on network security, they maintain good security practices.

According to whois, the domain was registered in 1998. The DNS servers are on Rackspace. We can glean from this that the web servers are also probably hosted on Rackspace. The current registrar for the domain is Network Solutions. Sometimes you can see the name of the person who registered the domain, as well as the technical contact for the domain; however, as you can see in Figure 17-1, this is becoming rarer than it used to be.

9781484217115_Fig17-01.jpg

Figure 17-1. Using Network Utility to perform a whois lookup

Next, let’s find the IP address of www.apress.com. The host command performs both forward and reverse DNS lookups. Running it on www.apress.com returns the IP address 207.97.243.208. Running host on the IP address returns NXDOMAIN, which means there’s no reverse DNS mapping for that address. Running whois on the IP address reveals that the address belongs to Rackspace, which confirms that Rackspace is where the site is hosted.

A cornerstone of fingerprinting is port scanning. Apple provides a built-in port scanner with OS X, under the Port Scan tab of the Network Utility application (located in the /Applications/Utilities folder). Later in this chapter we will review nmap, a far more capable port-scanning utility. For now, open Network Utility, and click the Port Scan tab. Then, type www.apress.com in the search box, and let's see what services are running on that computer by clicking the Scan button. The most common and important services use the lower-numbered ports, so we'll limit our scan to ports between 1 and 1000. Our results are as follows:

Port Scan has started...

Port Scanning host: 66.211.109.45

        Open TCP Port:          21                    ftp
        Open TCP Port:          22                    ssh
        Open TCP Port:          25                    smtp
        Open TCP Port:          80                    http
        Open TCP Port:          110                   pop3
        Open TCP Port:          111                   rpcbind
        Open TCP Port:          119                   nntp
        Open TCP Port:          143                   imap
        Open TCP Port:          443                   https
        Open TCP Port:          688                   unknown

Port Scan has completed...

From this scan, we can see that www.apress.com has HTTP and e-mail ports open, so it is either running or pretending to run mail services as well as web services. Port 111 (rpcbind, the portmapper used by NFS) is listening, as is port 688, which IANA assigns to the ApplianceWare Management Protocol; ApplianceWare is a provider of network attached storage solutions. Keep in mind that the service names in this output come from a table of well-known port numbers, not from anything the host said: a version scan (nmap -sV) or a banner grab is needed to confirm what is actually listening before you start looking for potential exploits for these services.
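What the Port Scan tab does for each port is a TCP connect() scan, the same thing nmap -sT does: attempt a full connection and classify the port by how the connection attempt ends. The following Python script is an added example, not code from the book or from Apple's Network Utility. It classifies ports as open (handshake completed), closed (connection refused) or filtered (no answer before the timeout), labels them from a small built-in table of well-known port names just as Network Utility does, and scans a listener it starts itself on 127.0.0.1 so it runs offline. The service-name table and the target are constructed for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# A tiny stand-in for nmap-services / /etc/services: names are looked up by
# port number, exactly as Network Utility does, so they say nothing about
# what is really listening on the port.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3",
                 111: "rpcbind", 119: "nntp", 143: "imap", 443: "https"}


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scan does.

    open     - the three-way handshake completed, so something accepted us
    closed   - the host answered the SYN with RST (connection refused)
    filtered - nothing came back before the timeout, typically a firewall
               dropping the probe (or the host being down)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:              # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Probe every port in `ports` concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def report(results):
    """Format the non-closed ports in the style of Network Utility's output."""
    lines = []
    for port in sorted(results):
        state = results[port]
        if state != "closed":
            name = SERVICE_NAMES.get(port, "unknown")
            lines.append(f"{state.capitalize():8} TCP Port: {port:<6} {name}")
    return lines


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: accept-and-close on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener closed by the caller
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port nothing is bound to right now (bind, read the number, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    # One open port, one port nothing listens on, and port 22 for comparison.
    results = connect_scan("127.0.0.1", [open_port, free_port(), 22])
    print("\n".join(report(results)))
    srv.close()
```

Because every probe completes the handshake, the target's service sees a real connection and will usually log it; that is the trade-off the SYN scan discussed later in the chapter avoids.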

Enumeration

Network enumeration is the process of identifying domain names and their associated networks. Enumeration involves querying whois databases and performing DNS lookups. Whois databases often hold names and contact information for people involved in managing a domain, and the date a domain was registered. The information gathered from these inquiries can be used to facilitate social engineering attacks. Social engineering is the art of convincing network users to divulge private information (information they should not be giving out) about the network, such as IP addresses, usernames, and even passwords. In some cases, a lucky (or skillful) attacker only needs to ask a user nicely for their password.

Note  DNS zone transfers (AXFR) are how secondary DNS servers obtain a complete copy of a zone from the primary. Many environments are mistakenly configured to allow untrusted hosts to perform a zone transfer, which means any machine on the Internet can request one and obtain every name and address in the zone. You can find a wide variety of tools on the Internet that perform this kind of DNS interrogation, and a single command (dig @nameserver example.com AXFR) is enough to test whether your own servers allow it. For more information on DNS security, see Chapter 16.

Vulnerability and Port Scanning

Scanning can be performed on a single host or a whole network. Scanning with a vulnerability scanner allows you to rapidly review your computer and the computers on your network for known security holes such as outdated software. You can then move on to penetration testing, which typically starts by going a step beyond scanning and into using automated tools that attempt to exploit vulnerabilities.

Be very careful when trying to access any open ports you find. Brute-forcing an FTP or web server can land you in a pile of trouble. As a rule of thumb, if attempting to access a service requires a password, you probably shouldn't be there. In fact, in some jurisdictions, accessing a resource without permission is illegal, even when it is configured to allow anonymous access. Conversely, if you reach something important on your own systems and are never asked for a password, that is a problem to resolve immediately. Further, your own services should display a banner stating that unauthorized access is prohibited and will be prosecuted, and you should have written authorization before scanning anything you do not own.

nmap

Nmap is a network exploration tool that can be installed on OS X from nmap.org. It is one of the most valuable tools for a security engineer or penetration tester (someone who attempts to break into a system in order to test its security). It is, as its name suggests, a network mapping tool. With nmap, you can probe an entire network and discover which services are listening on each port of every workstation, server, and router you can reach. Nmap can also perform operating system fingerprinting: it compares the quirks of the target's responses against a database of known TCP/IP stack fingerprints and gives an educated guess as to the operating system the target is running.

For this section, we'll be using nmap to run scans. The binary can be downloaded and installed by following the instructions at https://nmap.org/book/inst-macosx.html.

Nmap is very flexible and offers many options, or flags, that let you perform a wide variety of scans. For example, you can perform a TCP connect() scan (which initiates a full connection to each port) or a SYN scan (also known as a half-open scan). You can test firewall rules and distinguish whether you are scanning a firewall or a packet filter. You can also throw out decoys to make your real address harder to trace. Table 17-1 describes the most commonly used options. The general usage of nmap is as follows:

nmap [Scan Type] [Options] <target(s)>

Table 17-1. Common Scanning Options

Option                            Description
-sO                               Scan for supported IP protocols rather than open ports.
-sS                               TCP SYN (half-open) port scan; the default when running as root.
-sT                               TCP connect() port scan; the default for nonroot users.
-sU                               UDP port scan.
-sP                               Ping scan: find reachable hosts without port scanning. Current releases spell this -sn and still accept -sP.
-O                                Use TCP/IP stack fingerprinting to guess the remote operating system.
-p <range>                        Ports to scan, for example -p 1-80,8010,8080,10000.
-F                                Fast mode: scan only the ports listed in nmap-services.
-v                                Verbose output; recommended. Use twice (-vv) for more detail.
-PN                               Skip host discovery and scan even if the host does not answer pings (needed for hosts such as www.microsoft.com that drop ICMP). Current releases spell this -Pn.
-D decoy_host1,decoy2[,ME,...]    Hide the scan among decoy source addresses.
-6                                Scan over IPv6 rather than IPv4.
-T <timing>                       Timing template: paranoid, sneaky, polite, normal, aggressive, or insane (equivalently -T0 through -T5).
-n / -R                           Never resolve DNS / always resolve (the default is to resolve only hosts found to be up).
-oN/-oX/-oG <logfile>             Write normal/XML/grepable output to <logfile>.
-iL <inputfile>                   Read targets from a file; use - for stdin.
-S <your_IP> / -e <devicename>    Specify the source address or the network interface to use.

Here's an example that combines several of these options and shows three ways of specifying targets (a hostname, a CIDR block, and a wildcard range; the last two cover the same addresses here):

nmap -v -sS -O www.krypted.com 10.0.0.0/16 '10.0.*.*'

The default and most widely used nmap scanning method is SYN scanning, also known as half-open or stealth scanning. It is called stealthy because the handshake is never completed, so the service on the target never sees a connection and usually logs nothing. It is far from invisible, however: most intrusion detection systems (described later in this chapter) flag a burst of SYN packets to many ports from one source, and some firewalls and packet filters silently drop unsolicited SYN packets, which makes it harder to get an accurate list of which ports on the host are open.

With a SYN/stealth scan, you never make a full connection with the host. Nmap sends a SYN packet to request a connection. If the port is open, the target responds with SYN/ACK; if it is closed, the target responds with RST; if nothing comes back (or an ICMP unreachable error arrives), nmap reports the port as filtered. As soon as a SYN/ACK arrives, an RST is sent to tear the embryonic connection down, so the three-way handshake is never completed, which is why SYN scanning is called a half-open scan. Because it crafts raw packets, this scan type requires root privileges.

Running a SYN/Stealth Scan

Here is what an nmap SYN/stealth scan typically looks like. First, we initialize the scan with the following Terminal command (the -sS scan needs root, so prefix it with sudo), assuming we are scanning a system with the IP address 192.168.210.5:

sudo nmap -sS 192.168.210.5

This command results in the following output:

Starting Nmap 5.21 ( http://nmap.org ) at 2015-08-29 20:15 PST
Nmap scan report for 192.168.210.5
Host is up (0.018s latency).
Not shown: 985 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
88/tcp    open     kerberos-sec
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
515/tcp   filtered printer
631/tcp   open     ipp
777/tcp   filtered unknown
1063/tcp  filtered unknown
3306/tcp  open     mysql
3689/tcp  open     rendezvous
5100/tcp  filtered admd
5900/tcp  open     vnc
12000/tcp filtered cce4x
60443/tcp filtered unknown
MAC Address: 00:0D:93:83:F3:B0 (Apple Computer)

Nmap done: 1 IP address (1 host up) scanned in 5.99 seconds

Note  A filtered port, such as port 515 in the previous scan, means no response came back (or an ICMP error did), so nmap cannot tell whether the port is open or closed. This usually indicates that a firewall or packet filter is dropping probes to that port.

Here is a log entry from an intrusion detection system called snort (we will discuss intrusion detection systems, including snort, later in the chapter). Note the flags field: the probe had both SYN and FIN set, a combination a legitimate TCP stack never sends, which is what snort's stream4 preprocessor keyed on:

[**] [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/21-19:18:03 10.0.0.4:80 -> 10.0.0.8:88
TCP TTL:255 TOS:0x0 ID:2304 IpLen:20 DgmLen:42
******SF Seq: 0x90AB763  Ack: 0x0  Win: 0x1000  TcpLen: 20
9-21 19:18:04 10.0.0.4:80 -> 192.168.0.8: 88 SYN ******S*

As the warning message shows, snort's preprocessors recognize the packet patterns that scanners such as nmap produce. Impossible flag combinations like SYN/FIN are flagged packet by packet. A plain SYN scan looks like an ordinary connection attempt one packet at a time, so it is caught instead by the port-scan preprocessor (sfPortscan in current snort releases), which alerts when one source probes many ports or hosts within a short window.
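The two detection ideas just described, a per-packet check for impossible flag combinations and a threshold on how many distinct ports one source touches on one host inside a time window, are simple enough to show in code. The Python script below is an added illustration of that logic, not snort's own implementation or rule set. It parses a constructed sample of connection records in a simplified snort-like "timestamp src:sport -> dst:dport flags" format (the sample traffic, the five-second window and the threshold of eight ports are all assumptions for the demo; real sensors tune these per network).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: ten SYNs from 10.0.0.4 to ten different ports on
# 10.0.0.8 within half a second (a port scan), one SYN+FIN probe, and some
# ordinary traffic from 10.0.0.9 that must not trigger anything.
SAMPLE_EVENTS = """\
09/21-19:18:03.100 10.0.0.4:40001 -> 10.0.0.8:22 S
09/21-19:18:03.150 10.0.0.4:40002 -> 10.0.0.8:25 S
09/21-19:18:03.200 10.0.0.4:40003 -> 10.0.0.8:80 S
09/21-19:18:03.250 10.0.0.4:40004 -> 10.0.0.8:88 S
09/21-19:18:03.300 10.0.0.4:40005 -> 10.0.0.8:110 S
09/21-19:18:03.350 10.0.0.4:40006 -> 10.0.0.8:139 S
09/21-19:18:03.400 10.0.0.4:40007 -> 10.0.0.8:143 S
09/21-19:18:03.450 10.0.0.4:40008 -> 10.0.0.8:443 S
09/21-19:18:03.500 10.0.0.4:40009 -> 10.0.0.8:445 S
09/21-19:18:03.550 10.0.0.4:40010 -> 10.0.0.8:3306 S
09/21-19:18:04.000 10.0.0.4:40011 -> 10.0.0.8:88 SF
09/21-19:18:05.000 10.0.0.9:51000 -> 10.0.0.8:443 S
09/21-19:18:05.100 10.0.0.9:51000 -> 10.0.0.8:443 A
09/21-19:19:30.000 10.0.0.9:51001 -> 10.0.0.8:22 S
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)$"
)


def parse_event(line, year=2015):
    """Turn one record into a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": set(m["flags"])}


def detect_scans(lines, window=5.0, threshold=8):
    """Return alert strings for flag anomalies and port sweeps.

    window    - seconds of history kept per (src, dst) pair
    threshold - distinct destination ports within the window that count
                as a scan; alert once per pair, not once per packet
    """
    alerts = []
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    already = set()               # pairs we have already alerted on
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # A legitimate stack never sets SYN and FIN together: alert per packet.
        if {"S", "F"} <= ev["flags"]:
            alerts.append(f"STEALTH ACTIVITY (SYN FIN scan) {ev['src']} -> "
                          f"{ev['dst']}:{ev['dport']}")
        # A lone SYN is just a connection attempt; the tell is one source
        # touching many distinct ports on one host in a short time.
        if ev["flags"] == {"S"}:
            key = (ev["src"], ev["dst"])
            hist = recent[key]
            hist.append((ev["ts"], ev["dport"]))
            while (ev["ts"] - hist[0][0]).total_seconds() > window:
                hist.popleft()
            ports = {p for _, p in hist}
            if len(ports) >= threshold and key not in already:
                already.add(key)
                alerts.append(f"PORTSCAN {ev['src']} -> {ev['dst']} "
                              f"({len(ports)} ports in {window:g}s)")
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Run against the sample, the sweep detector fires on the eighth distinct port from 10.0.0.4 and the flag check fires on the SYN/FIN packet, while the two connections from 10.0.0.9 never cross the threshold. Lowering the threshold or widening the window catches slower scans at the cost of false positives from busy legitimate clients, which is exactly the tuning problem a real NIDS leaves to you.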

Other nmap Scans

Nmap scans can be limited to specific criteria. For example, to scan only UDP ports 1 through 80 on the server at 10.0.0.4, you would use the following command (UDP scans also need root):

sudo nmap -sU -p 1-80 10.0.0.4

If you only want to find out which addresses have machines responding, you can skip the port scan and simply probe for live hosts. This is commonly called a ping sweep. For the whole 10.0.0.1-254 network, which is a /24 (a /16 would cover all of 10.0.0.0 through 10.0.255.255), you would use this command (newer releases spell the option -sn and still accept -sP):

nmap -sP 10.0.0.0/24

Using the -O flag, nmap can also identify many operating systems, based on how the target responds to a large number of tests. The results of a scan are compared against a large database of known OS fingerprints. Nmap can often identify an operating system even when very few services are running.

Scanning a network for vulnerabilities is only one piece of the network intrusion pie. We must now take steps to secure the weaknesses that our scans have uncovered. So that we aren't overlooking anything, we should first look for intrusions that may have already been attempted and then implement measures to prevent future attempts.

Intrusion Detection and Prevention

In information security, intrusion detection is the practice of detecting attempts (successful as well as unsuccessful) to compromise a network resource. Intrusion detection does not usually involve the prevention of intrusions; however, we will discuss some preventive measures that can work in tandem with intrusion detection. With any intrusion detection solution, it is important that it somehow alerts you to potential intrusions so that you can determine whether your security was actually compromised, allowing you to act swiftly in order to limit the damage. Once you’ve mitigated the damage, you can examine what the attack vector was, investigate whether it was done maliciously, and then take measures to prevent future intrusions based on this information.

Host-based Intrusion Detection System

The purpose of a host intrusion detection system is to monitor and analyze a system in such a way that an administrator can determine whether a change has occurred on a system. Most host-based intrusion detection systems focus on checking for changes to configuration files or folders containing binary files (applications).

Tripwire

Tripwire is a host-based intrusion detection system that tracks changes to the files on a computer. When it is initialized, Tripwire records a cryptographic checksum and the metadata (size, permissions, owner, timestamps) of every file and folder its policy covers in a signed database. Each subsequent check recomputes those values and compares them against that baseline, which makes scanning a large set of files fast. Regular Tripwire scans will alert system administrators to changes to the file system that shouldn't have been made.

You shouldn’t be able to edit some of these locations due to SIP restrictions. However, some folders we recommend scanning regularly still include the following:

/dev
/opt
/usr
/usr/sbin
/bin
/System/Library/Kernels
/Library/Preferences
/Library/FileSystems
/etc
/System/Library/Extensions
/System/Library/CoreServices

Tripwire Installation

The simplest method of installing Tripwire is to first install MacPorts. MacPorts is a package management tool that allows for easy installation of software from a large repository of open source projects. To install Tripwire from MacPorts, use the port command.

sudo port install tripwire

After installation is finished, run the tripwire configuration script. This will create the necessary configuration files and passphrases, and then sign the configuration files with those passphrases.

sudo /opt/local/etc/tripwire/twsetup.sh

When that’s finished, you need to define the baseline state of the computer.

sudo tripwire --init

To update your Tripwire database after making legitimate system changes, accept the report from the check that flagged them (substitute the name of that report file):

sudo tripwire -m u -r /opt/local/var/db/tripwire/report/day-month-year-initials.twr

To update your Tripwire configuration, edit the plain-text /opt/local/etc/tripwire/twcfg.txt file, and then sign it into the binary configuration file with the site key:

sudo twadmin -m F -S /opt/local/etc/tripwire/site.key /opt/local/etc/tripwire/twcfg.txt

To enforce a new policy, edit the /opt/local/etc/tripwire/twpol.txt file. (If you no longer have the text version, twadmin -m p prints the currently signed policy, so sudo twadmin -m p > /opt/local/etc/tripwire/twpol.txt recovers it; do not run that after editing, or it will overwrite your changes.) Then sign the edited text into the binary policy file and either re-initialize the database against the new policy or migrate the existing database with tripwire -m p:

sudo twadmin -m P -S /opt/local/etc/tripwire/site.key /opt/local/etc/tripwire/twpol.txt
sudo tripwire --init

To view Tripwire reports, run this command:

sudo twprint -m r -r /opt/local/var/db/tripwire/report/*.twr

Note  A .twr file is a Tripwire report file.

To scan for changes that have been made to the system, run this command:

sudo tripwire -m c

To e-mail these changes to the e-mail address listed in the config file, if you have identified an e-mail address, run the following command:

sudo tripwire -m c -M

Bear in mind that Tripwire will not be able to restore any modified files that it finds. This is another reason that proper backups are important.
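The whole procedure above comes down to three operations: build a baseline of file hashes and metadata, store it where an intruder cannot quietly rewrite it, and compare a fresh snapshot against it. The Python script below is an added example of that mechanism and is not Tripwire's code; it uses SHA-256 and a JSON baseline instead of Tripwire's signed database and policy language. Its demo function builds a small constructed "bin" directory in a temporary folder, takes a baseline, then simulates an intruder (a same-length trojan, a dropped backdoor, a deleted file, and a setuid bit added to an unchanged binary) and reports what changed. The directory contents and file names are constructed for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Record content hash and metadata for every regular file under `roots`."""
    db = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                  # symlinks, devices, sockets: skip
                db[path] = {
                    "sha256": hash_file(path),
                    "size": st.st_size,
                    "mode": oct(stat.S_IMODE(st.st_mode)),   # includes setuid/setgid
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "mtime": int(st.st_mtime),
                }
    return db


def compare(baseline, current):
    """Diff two snapshots: files added, removed, and changed (with which fields)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for path in sorted(set(baseline) & set(current)):
        fields = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if fields:
            changed.append((path, fields))
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed end-to-end run in a scratch directory, not a scan of /usr."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        files = {"ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
                 "sudo": b"original", "old": b"stale"}
        for name, body in files.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot([bindir]), baseline_path)      # like tripwire --init

        # Simulate an intruder: trojan sudo with a same-length body, drop a
        # backdoor, delete a file, and set the setuid bit on an untouched ls.
        with open(os.path.join(bindir, "sudo"), "wb") as f:
            f.write(b"trojaned")
        with open(os.path.join(bindir, "nc"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(bindir, "old"))
        os.chmod(os.path.join(bindir, "ls"), 0o4755)

        result = compare(load_baseline(baseline_path), snapshot([bindir]))  # like tripwire -m c
        return {
            "added": [os.path.basename(p) for p in result["added"]],
            "removed": [os.path.basename(p) for p in result["removed"]],
            "changed": {os.path.basename(p): f for p, f in result["changed"]},
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-length trojan is caught only by the hash (size is unchanged), and the setuid change is caught only by the mode (content and size are unchanged), which is why a checker must record both. Like Tripwire, this reports changes but cannot undo them, and a baseline stored on the monitored host is only as trustworthy as that host; Tripwire signs its database with a key you hold for that reason.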

Network Intrusion Detection

Host-based intrusion detection scans the system for changes. But it is also possible to use a network intrusion detection system (NIDS), which can scan the network interface of systems to identify traffic patterns based on signatures of known exploits. One example of a popular NIDS application is snort.

Snort from the Command Line

Snort is an open source network intrusion detection and prevention system that is capable of packet logging and real-time traffic analysis. Proprietary solutions that include integrated hardware and support services are sold by Sourcefire (now part of Cisco), and there are hundreds of additional rule sets and downloads available to extend the snort platform.

Snort can perform protocol analysis along with content matching, and it is often used to help detect attacks and probes. But it’s mainly used as a means of finding existing threats to your network infrastructure. Some of the attacks that snort can detect include buffer overflows, stealthy port scans (such as those stemming from nmap), specific CGI attacks, SMB probes, and OS fingerprinting techniques. Snort can also be used for intrusion prevention by dropping attacks as they are taking place or augmenting your firewall to block future attempts from flagged IP addresses. SnortSnarf, sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) help administrators effectively analyze the mountains of data generated by snort.

Note  Snort patches that integrate ClamAV antivirus scanning are available from Emerging Threats (www.emergingthreats.net). Snort's detection is signature-based: each known threat is described as a rule that matches a pattern in network traffic. When traffic arriving on the interface matches a rule, snort takes the action the rule and its configuration specify, such as alert, log, or drop (more on configuring these later in this section).

The easiest way to install snort is to use MacPorts.

sudo port install snort

Once it’s installed, snort can immediately be run in sniffer mode or packet logger mode, both of which will give you a real-time view of the traffic on your network. Create a folder in your home directory called snortlogs, and then run the following command:

sudo snort -dev -l ~/snortlogs

This will run snort in logger mode. All the traffic that snort can see will be captured to file in snortlogs for later review.

In order to run snort in NIDS mode, you need rules that snort can match traffic against. First make a place for snort's log files, rules, and the configuration files that ship with the rules:

sudo mkdir -p /var/log/snort /opt/local/etc/snort/rules /opt/local/etc/snort/etc

Go to the snort rules page at http://www.snort.org, download the latest rules package, and extract it. Downloading the registered rules requires an account at snort.org; alternatively, use the community rules available at https://snort.org/downloads/#rule-downloads. Once you've extracted the rules, copy the rule files and the accompanying configuration files into place:

cd <snort-rules-download-dir>
sudo cp rules/* /opt/local/etc/snort/rules
sudo cp etc/* /opt/local/etc/snort/etc

Note  If you are using the community rules, the path the downloaded rules are copied into will be community-rules instead of rules.

Copy the sample snort.conf.dist file to snort.conf (the .dist file stays untouched as a failsafe), and then edit snort.conf so that its RULE_PATH variable and include lines point at the directories you just populated:

cd /opt/local/etc/snort
sudo cp snort.conf.dist snort.conf

Now it's time to fire up snort and test it. Run the following command to start snort in NIDS mode with your configuration (add -i en0, or whichever interface is appropriate, to choose the interface to watch, and -A console to print alerts to the Terminal):

sudo /opt/local/bin/snort -c /opt/local/etc/snort/snort.conf

After the initialization information is displayed, you will see live packet capture information on the Terminal screen if you are connected to a network. Now kill the snort foreground process by pressing Ctrl+C to take a look at the summary information. You should be ready to roll if you see packet captures that resemble Figure 17-2.

Note  For official snort training, see www.sourcefire.com/services/education/.

9781484217115_Fig17-02.jpg

Figure 17-2. Packet capture

Note  snort has no built-in mechanism to update rules automatically. To keep it current, add a script (or a rule-management tool such as PulledPork) to your weekly or monthly periodic tasks to download the current rules and restart snort.

Honeypots

A honeypot is a trap set by a network administrator to detect, deflect, or even attract attempts at unauthorized use of the network. Generally, it consists of a computer, data repository, or network resource that appears to be part of a network, containing information valuable to attackers, but is actually isolated and monitored by the network admins.

Honeypots are valuable surveillance and early-warning tools. Honeypots should have no production value, and should not see any legitimate traffic or activity. They should in no way be connected to actual production networks, and should not be running any production services. Whatever they capture can then be assumed to be malicious or unauthorized. For example, honeypots designed to thwart spam by masquerading as zombie systems can categorize the material they trap 100% accurately: it is all illicit. A honeypot needs no spam-recognition capability and no filter to separate ordinary e-mail from spam. Ordinary e-mail should never come to a honeypot.

Implemented improperly, a honeypot becomes a liability: an attacker who fully compromises it can use it as a pivot into the rest of your network or as a source of denial-of-service traffic against others. Therefore, be careful when deploying a honeypot in your environment. A good strategy is to deploy honeypot hosts with a technology like Docker or nightly reimaging, so they can be rebuilt quickly when needed. Scan them routinely, take them offline when they are not needed, and keep them on a separate, isolated network segment to minimize the impact they can have on a production network.

Web traffic can be reviewed in the same manner. Create a directory on your web server that nothing links to, list it in robots.txt with a Disallow line so that well-behaved crawlers stay out of it, and log requests for it. Anything that requests that directory either ignored robots.txt or is deliberately harvesting the paths you asked crawlers to avoid, so you can update the firewall configuration on that server to block future traffic from the originating IP address. This is a rudimentary form of a honeypot. MacPorts includes a port of honeyd, a small daemon that creates virtual hosts that appear to be running arbitrary services.
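Here is that robots.txt trap worked through in code, as an added example that is not from the book: it scans combined-format web server log lines for requests into the trap directory, drops addresses on an allow-list so you never block your own monitoring, and emits the pfctl commands that add the offenders to a pf table on OS X. The trap path /private-backup/, the allow-list networks, the table name honeypot_trap, and the log lines (which use documentation address ranges) are all constructed for the demo.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed trap directory: listed in robots.txt and linked from nowhere, so
# only clients that ignore (or mine) robots.txt ever request it.
TRAP_PATH = "/private-backup/"
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PATH}\n"

# Sources that must never be blocked whatever they request (your own
# monitoring and admin hosts). Adjust to your environment.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Constructed combined-format access log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2015:20:15:01 -0800] "GET /robots.txt HTTP/1.1" 200 44 "-" "BadBot/1.0"
203.0.113.7 - - [29/Aug/2015:20:15:02 -0800] "GET /private-backup/ HTTP/1.1" 404 209 "-" "BadBot/1.0"
198.51.100.23 - - [29/Aug/2015:20:16:10 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Aug/2015:20:16:11 -0800] "GET /private-backup/db.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Aug/2015:20:17:00 -0800] "GET /private-backup/ HTTP/1.1" 404 209 "-" "curl/7.43.0"
192.0.2.44 - - [29/Aug/2015:20:18:00 -0800] "GET /robots.txt HTTP/1.1" 200 44 "-" "PoliteBot/2.1"
192.0.2.44 - - [29/Aug/2015:20:18:01 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "PoliteBot/2.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def trap_hits(log_lines):
    """Count requests per client address that touch the trap directory."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(TRAP_PATH):
            hits[m["ip"]] += 1
    return hits


def addresses_to_block(hits):
    """Offenders minus the allow-list, sorted by address."""
    blocked = []
    for ip in sorted(hits, key=ip_address):
        if any(ip_address(ip) in net for net in NEVER_BLOCK):
            continue
        blocked.append(ip)
    return blocked


def pf_commands(ips, table="honeypot_trap"):
    """Shell commands that add offenders to a pf table on OS X.

    The table must be declared in /etc/pf.conf and referenced by a rule:
        table <honeypot_trap> persist
        block in quick from <honeypot_trap> to any
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    offenders = addresses_to_block(trap_hits(SAMPLE_LOG.splitlines()))
    print("\n".join(pf_commands(offenders)))
```

The polite crawler fetches robots.txt and stays away, so it is never blocked; the client that read robots.txt and immediately went where it was told not to is the one you want. Run the script from a periodic task against the rotated log, and consider expiring table entries after a while (pfctl -t honeypot_trap -T expire <seconds>), since address-based blocks outlive the attacker's lease on that address.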

Honeypots can take on other forms, such as files or data records or even unused IP address space (for example, a file that is watched with verbose logging called payroll.xls). A collection of honeypots is known as a honeynet.

Security Auditing on the Mac

Several products on the market allow for vulnerability scanning and security auditing on the Mac. Some of them are free, and some are not. SAINT, Nessus, and Metasploit are our favorites for this critical piece of the security puzzle; of these, the Metasploit Framework is free and open source, and Nessus is free only for home use. Assume that an attacker will have a copy of each of these, and much more advanced tools as well.

Nessus

Nessus is a comprehensive vulnerability scanner and analyzer, which is estimated to be used by more than 75,000 organizations. The core of Nessus is nessusd, the Nessus daemon, which performs the actual scanning. nessusd provides a web-based management interface.

Nessus begins by performing a port scan with its own internal port scanner (or it can optionally use nmap) to determine which ports are open on the target, and then runs its vulnerability checks against the services it finds on those ports. The checks, available as a large body of plug-ins, are written in Nessus Attack Scripting Language (NASL), a scripting language optimized for custom network interaction.

Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML, and LaTeX. The results can also be saved in a knowledge base for reference against future vulnerability scans. Scanning can be automated through the use of a command-line client by using the nessus command located in the /Library/Nessus/run/bin folder.

If the user chooses to do so (by disabling the option safe checks), some of Nessus’s vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.

Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system and can perform password auditing.

Installing Nessus

To install Nessus, go to the Tenable Network Security web site at www.nessus.org, and download the Nessus installer. You'll also need to register for a subscription. All of the audits performed by Nessus are coded as plug-ins. In order to download plug-ins, you'll need to register for either the HomeFeed or the ProfessionalFeed (Tenable has since renamed these, so check its site for the current names and license terms). The HomeFeed is free, but can only be used by home users. If you're planning on using Nessus for professional or government use, you'll need to purchase the ProfessionalFeed. When you register for a feed, an activation code will be e-mailed to you.

Note  An older version of nessus that does not require a registration key is available via MacPorts.

During the install, you have the option to choose whether you want the server to start when the system boots or whether you want to start it manually. If the system is a dedicated Nessus server, then you will want the Nessus daemon to launch at boot. Otherwise, it’s better to launch manually as needed, especially if Nessus is installed on a laptop (it can be a sizeable resource hog).

After installation, launch the Nessus Server Manager application, enter your activation code and click Register. Once your copy of Nessus is registered, you’ll be able to start the Nessus Server (see Figure 17-3).

9781484217115_Fig17-03.jpg

Figure 17-3. Starting the Nessus server

You’ll be prompted to authenticate to the system once Nessus starts. Log in and you can then start using Nessus.

In order to scan a target, you’ll need to define a policy. A scanning policy defines options like types of scan and range of ports to use, and also which plug-ins to use. Each plug-in typically corresponds to a specific vulnerability. Enabling fewer plug-ins will speed up scans, since the scanner will not take the time to perform disabled probes. For example, if you’re scanning a Mac OS X Server system, you can probably disable the Cisco plug-in family.

To define a policy, click on Policies, and then click New Policy. At the list of policies, you can choose a template, or perform an Advanced scan. Click Basic Network Scan, as you can see in Figure 17-4.

9781484217115_Fig17-04.jpg

Figure 17-4. Defining a policy

Note  Care should be taken with disabling plug-ins. If you disable a scan for a vulnerability that actually exists on one of your systems you could inadvertently leave an exploitable vulnerability on your system.

Once you have defined a policy, you can create a scan and select your targets. There are multiple options for defining a target. To define your targets, click on Scans and then click on the New Scan button. At the New Scan screen, choose a scan type (as in the policies section, click on Basic Network Scan). Then provide a name for the scan and enter a range of IP addresses in the Targets field (see Figure 17-5). Once you've entered the appropriate information, click on the Save button.

9781484217115_Fig17-05.jpg

Figure 17-5. Defining your targets

The scan starts as soon as you save it. Depending on the number of targets and the plug-ins enabled, a scan can take a while to complete, so give it time before reviewing the results.

Reviewing a Scan

Once the scan is finished, you can click the Report tab to view the vulnerabilities available for your system (see Figure 17-6). Clicking on a scanned host will show you the open ports and running services. Clicking on a service will show you more details about the vulnerability as well as possible exploits.

9781484217115_Fig17-06.jpg

Figure 17-6. Reviewing the Nessus report

You can export Nessus reports into HTML to make reviewing and saving them easy. There are companies that specialize in running automated scans of servers on behalf of institutions, such as credit card processors and insurance companies. These companies often simply rebrand a Nessus scan by replacing the images in the HTML exports. To export a scan, click the Export button in your report.

Metasploit

Metasploit is a free, open source framework that can be used to launch automated exploits to target known vulnerabilities. The Metasploit framework makes it easy for administrators to use these exploits to discover how vulnerable their network is.

You can download the latest version of Metasploit at www.metasploit.com; the framework runs on Windows and Linux and can target Macs from there. Instructions for running Metasploit on the Mac itself are available at http://www.darkoperator.com/installing-metasploit-framewor/.

Summary

If you want to keep your network and your systems secure, you should be mindful of the methods that potential intruders use and be aware of the attack vectors they will try to use. In this chapter, we reviewed some of the more common tools that are used to both enumerate and secure client systems. There are a lot of other tools out there. Take the time to understand the methods that attackers use and apply their techniques to your network, and you’ll be better prepared to defend yourself from them.

Additionally, follow Bugtraq and the RISKS digest daily, subscribe to Apple's security-announce mailing list, and have CERT advisories for OS X e-mailed to you as they are issued. This will keep you informed about what is happening on the platforms you support.
