Security Auditing

26 Sep, 2015 19:23

Notes and tools for security auditing

26 Sep, 2015 19:24

Step 1 in Penetration Testing is Looking for Vulnerabilities

Let's start simple and show a listing of someone trying different keys to get into a server, guessing port 23 (DPT - destination port).

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54573 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54574 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:34 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54575 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

On the above 3, note the DPT is port 23 - a non-standard port - which is closed and correctly blocked by UFW (Uncomplicated Firewall). They all originate from a fake IP address of 1.182.64.189. They are all sent from port 32929. There are three and only three tries because fail2ban is installed and blocks over 5 tries.

This next example is a port-scan. He is escalating through the server looking for open ports. Here is the source.

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=5901 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5902 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5903 WINDOW=16384 RES=0x00 SYN URGP=0

Note the climbing destination ports (DPT) of 5901, 5902, 5903.

Then he stops but will return and keep mapping his way through the ports until he has a full picture of the server. Studying the server is the first step.
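As an added example (not code from the post), here is a small Python script that reads ufw.log lines in the format shown above and separates the two patterns described: the same source hammering one port, and the same source sweeping across climbing ports. The sample lines are constructed to match the format above, and the thresholds (3 repeats, 3 ports in a sweep) are assumptions, not fail2ban's defaults.

```python
"""Classify UFW BLOCK log lines by source: repeated hits on one port
vs. a sweep across climbing ports (the two patterns in the post)."""
import re
from collections import defaultdict

# Constructed sample lines in the ufw.log format shown in the post (trimmed).
SAMPLE_LOG = """\
May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=1.182.64.189 DST=198.74.51.236 PROTO=TCP SPT=32929 DPT=23 SYN URGP=0
May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=1.182.64.189 DST=198.74.51.236 PROTO=TCP SPT=32929 DPT=23 SYN URGP=0
May 11 15:38:34 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=1.182.64.189 DST=198.74.51.236 PROTO=TCP SPT=32929 DPT=23 SYN URGP=0
May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=222.186.21.202 DST=198.74.51.236 PROTO=TCP SPT=6000 DPT=5901 SYN URGP=0
May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=222.186.21.202 DST=198.74.51.236 PROTO=TCP SPT=6000 DPT=5902 SYN URGP=0
May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=222.186.21.202 DST=198.74.51.236 PROTO=TCP SPT=6000 DPT=5903 SYN URGP=0
May 11 15:50:01 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.5 DST=198.74.51.236 PROTO=TCP SPT=44000 DPT=8080 SYN URGP=0
"""

# key=value tokens; bare flags like SYN or DF have no '=' and are skipped.
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_ufw_block(line):
    """Return the key=value fields of a '[UFW BLOCK]' line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(FIELD.findall(line.split("[UFW BLOCK]", 1)[1]))
    fields["DPT"] = int(fields.get("DPT", 0))
    return fields

def classify_sources(log_text, repeat_threshold=3, sweep_min_ports=3):
    """Map each SRC to a verdict: 'repeat' (same DPT hit repeatedly),
    'sweep' (ascending run of distinct DPTs), or 'single'.
    Thresholds are assumed values for this example."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f and f.get("PROTO") == "TCP":
            by_src[f["SRC"]].append(f["DPT"])  # keep log order per source
    verdicts = {}
    for src, ports in by_src.items():
        climbing = all(b > a for a, b in zip(ports, ports[1:]))
        if len(set(ports)) == 1 and len(ports) >= repeat_threshold:
            verdicts[src] = "repeat"
        elif len(ports) >= sweep_min_ports and climbing:
            verdicts[src] = "sweep"
        else:
            verdicts[src] = "single"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

Running it over a real /var/log/ufw.log (for example via `classify_sources(open("/var/log/ufw.log").read())`) gives a quick per-source summary to compare against what fail2ban has already banned.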