
Security Auditing

26 Sep, 2015 19:23

Notes and tools for security auditing

26 Sep, 2015 19:24

Step 1 in Penetration Testing is Looking for Vulnerabilities

Let's start simple and show a listing of someone trying different keys to get into a server, guessing port 23 (DPT - destination port).

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54573 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54574 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:34 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54575 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

On the above 3, note the DPT is port 23 - a non-standard port that is closed and correctly blocked by UFW (Uncomplicated Firewall). They all originate from a fake IP address of 1.182.64.189. They are all sent from port 32929. There are three and only three tries because fail2ban is installed and blocks over 5 tries.

This next example is a port-scan. He is escalating through the server looking for open ports. Here is the source.

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=5901 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5902 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5903 WINDOW=16384 RES=0x00 SYN URGP=0

Note the climbing destination ports (DPT) of 5901, 5902, 5903.

Then he stops but will return and keep mapping his way through the ports until he has a full picture of the server. Studying the server is the first step.
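As an added example (not part of the original post), here is a small Python parser for the UFW BLOCK log format quoted above. It groups blocked TCP SYNs by source address and separates repeated attempts on one port from a climbing-port scan; the log lines, addresses and the three-port threshold are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the post's excerpts (addresses are
# documentation ranges, not real hosts). The sshd line shows non-UFW input being skipped.
SAMPLE_LOG = """\
May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=54573 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=54574 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 15:40:00 localhost sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 50000 ssh2
May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=5901 WINDOW=16384 RES=0x00 SYN URGP=0
May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5902 WINDOW=16384 RES=0x00 SYN URGP=0
May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5903 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Syslog prefix, then the "[UFW <ACTION>]" tag, then the space-separated fields.
UFW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[UFW (?P<action>\w+)\] (?P<rest>.*)$")
# KEY=VALUE pairs; the value may be empty (OUT=) and bare flags (DF, SYN) are ignored.
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line):
    """Return a dict of fields for a UFW kernel log line, or None for any other line."""
    m = UFW_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"ts": m.group("ts"), "action": m.group("action"), **fields}

def classify_sources(lines, scan_threshold=3):
    """Group blocked TCP SYNs by SRC and label each source.

    'port-scan' when a source touched scan_threshold or more distinct DPTs
    (sequential=True when those ports climb by exactly one, as in the post),
    otherwise 'repeated-attempts' against the same one or two ports.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK" and rec.get("PROTO") == "TCP" and "DPT" in rec:
            by_src[rec["SRC"]].append(int(rec["DPT"]))
    verdicts = {}
    for src, ports in by_src.items():
        distinct = sorted(set(ports))
        if len(distinct) >= scan_threshold:
            sequential = all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
            verdicts[src] = {"label": "port-scan", "ports": distinct, "hits": len(ports), "sequential": sequential}
        else:
            verdicts[src] = {"label": "repeated-attempts", "ports": distinct, "hits": len(ports), "sequential": False}
    return verdicts

if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {v['label']} hits={v['hits']} ports={v['ports']} sequential={v['sequential']}")
```

On a live box the same function can be fed `open("/var/log/ufw.log")` instead of the constructed sample; the threshold is a starting point, not a tuned detection rule.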