
Symantec NetRecon 3.0.9

NetRecon is the vulnerability assessment component of Symantec’s security suite, designed to find and report holes in network security. It does this by conducting an external assessment: scanning and probing systems on the network, re-enacting common intrusion or attack scenarios to identify and report network vulnerabilities, and suggesting corrective actions.

Other products in the suite include network IDS (NetProwler), host-based IDS (Intruder Alert), and security policy auditing and enforcement (Enterprise Security Manager).

Architecture

There are three main components to the NetRecon architecture: the GUI, the scan engine and the scan modules.

Graphical User Interface - This provides the means for the administrator to configure and initiate scans, examine the results on-screen, and run reports to provide more detailed analysis. Data is stored in an MS Access database as well as in NetRecon .NRD files.

Scan Engine - The scan engine stores and processes the data generated by the modules. The scan engine consists of a data repository where the data is stored (MS Access), a data processor, and agents that monitor input from and output to the modules. The data processor receives data from the modules in the form of records, and decides whether that data should be added to the repository. The data processor also decides which records in the data repository should be sent to which modules. The ability of the scan engine to process data from multiple objectives, allowing them to share information with one another quickly and efficiently, is referred to as Progressive Scanning technology.

Scan Modules - Modules perform all the network scanning. There are several modules that allow NetRecon to run individual objectives more quickly (by permitting only relevant scanning to be performed), and allow a complete scan to run more quickly (by performing many scanning operations in parallel). Modules use NetRecon records as both their input and output. New vulnerability checks can be added quickly and easily by Symantec as new scan modules, and these can be obtained via the automatic Web-based update process from the Symantec Web site.


Figure 1 - NetRecon architecture

Progressive Scanning technology executes checks in parallel and shares information obtained during the scan to search for deeper weaknesses. In addition, it learns as it goes, adapting the penetration strategy based on previous results.

The idea is that whereas other scanners can identify security weaknesses, NetRecon can exploit those weaknesses and show which potential threats demand immediate countermeasures.

An example of Progressive Scanning might be:

  • System A is discovered by NetRecon and identified as a Unix system.
  • NetRecon discovers NIS services on System A.
  • The NIS files, which contain encrypted passwords, are sent to NetRecon.
  • NetRecon uses the small and large dictionaries to crack users’ passwords.
  • NetRecon then tries each user ID and cracked password on all other systems in the network. Since users often reuse passwords, the network’s security is compromised even deeper.
  • NetRecon determines the level of access (root, admin, etc.) and assigns a risk value.

In short, where other scanners might report a number of unrelated potential vulnerabilities, NetRecon attempts to combine those (even across multiple machines) to gain real access to a system or highlight the potential for a Denial of Service (DoS) attack, thus providing, in theory, a much more useful set of results.

Below are a few of the vulnerabilities NetRecon checks for:

Resource discovered - Normally the first vulnerability checked for is whether or not a network resource can be discovered at all. For TCP/IP systems NetRecon sends a ping broadcast over the network to see which systems respond; a host that filters ICMP will not show up in a ping sweep, so targets known to exist should be entered explicitly in the scan range. Other protocols such as IPX are used to discover NetWare systems.

Exec service enabled - The exec service (also called rexec) provides remote command execution facilities with authentication based on user names and passwords. NetRecon checks for many other common services that are known to be vulnerable to attack.

SMTP decode alias enabled - Including a decode mail alias in /etc/aliases makes it easier to send and receive binary files by e-mail. Unfortunately, a decode mail alias can be used to create or overwrite files on the system. NetRecon checks for a number of vulnerabilities in the smtp service and related programs (such as sendmail).

Null session access obtained - A null session is an SMB connection to the IPC$ share made with an empty user name and password. In Windows NT networks with multiple domains, some Windows NT programs and services rely on null sessions to enumerate account names and available shares, which means an anonymous remote user can enumerate them too. NetRecon checks for this.

User level access obtained – This vulnerability exists if NetRecon can log in to a network resource as a valid user. NetRecon uses login names and passwords it obtains from various sources to attempt access regardless of the system type (e.g., Windows NT, UNIX, NetWare). The first step in gaining administrative access to a machine is usually to get access as a normal user. With NetWare, Windows NT, Samba servers, and others, NetRecon attempts to enumerate all exposed file systems (possibly using null session connections) and connect to the shared directory using known login names and passwords.

Discovered system type - Discovering the system type is a big help to someone trying to break in. For example, if attackers can detect that a system is running Windows NT 4.0 without Service Pack 3, they can exploit a number of well-known vulnerabilities.

NIS encrypted password obtained - The NIS service (also sometimes called yp, for yellow pages) allows transfer of information between hosts that share administrative control. NIS servers typically contain databases (also known as maps) of passwords, and classic NIS hands a map to any client that knows (or guesses) the NIS domain name. If attackers can locate NIS servers and obtain password maps, they can extract encrypted passwords to crack using any resources available to them.

Password cracked using small/large dictionary - If an attacker can obtain encrypted passwords from a system, they can encrypt each word of a dictionary with the same salt and algorithm and compare the result to the encrypted passwords obtained from the victim, thereby recovering any password that matches a word in the dictionary. NetRecon uses a small dictionary (for speed) and a large dictionary (for completeness) to try to guess passwords.
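The following is an added illustration of the Progressive Scanning chain described earlier (discover a Unix host, pull its NIS password map, crack with the small then the large dictionary, try the recovered credentials on every other host, rate the access obtained) and of the dictionary check above. It is example code written for this page, not NetRecon’s own engine or modules. The three hosts, their NIS map and their account lists are constructed so the example runs offline, and salted SHA-256 stands in for the Unix crypt(3) format that a real scanner would have to handle.

```python
import hashlib
from collections import defaultdict

# Constructed, offline stand-in for a small network. "nis_passwd_map" is what an NIS
# server hands out (user -> hashed password); "accounts" is what each host actually
# accepts at login. Salted SHA-256 is an assumption standing in for crypt(3) so the
# example runs anywhere; the cracking logic is the same either way.
def crypt_like(salt, password):
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

HOSTS = {
    "10.0.0.1": {"os": "unix", "nis_server": True,
                 "nis_passwd_map": {"alice": crypt_like("ab", "summer"),
                                    "root": crypt_like("cd", "Tr0ub4dor&3")},
                 "accounts": {"alice": "summer", "root": "Tr0ub4dor&3"}},
    "10.0.0.2": {"os": "unix", "nis_server": False, "accounts": {"alice": "summer"}},
    "10.0.0.3": {"os": "nt", "nis_server": False,
                 "accounts": {"alice": "summer", "administrator": "x7!kq"}},
}
SMALL_DICT = ["password", "summer", "welcome"]                  # fast first pass
LARGE_DICT = SMALL_DICT + ["letmein", "qwerty", "Tr0ub4dor&3"]  # slower, more complete
ADMIN_ACCOUNTS = {"root", "administrator"}


class Engine:
    """Data repository plus data processor: modules consume records and emit records."""
    def __init__(self):
        self.repo = []                        # every record the processor accepted
        self.modules = defaultdict(list)      # record type -> modules fed that type
        self._seen = set()

    def register(self, in_type, module):
        self.modules[in_type].append(module)

    def add(self, rec):
        key = (rec["type"], rec["host"], rec.get("user"))
        if key in self._seen:                 # the processor drops duplicate findings
            return False
        self._seen.add(key)
        rec["id"] = len(self.repo)
        self.repo.append(rec)
        return True

    def run(self, seeds):
        for s in seeds:
            self.add(s)
        i = 0
        while i < len(self.repo):             # records emitted mid-scan are processed too
            rec = self.repo[i]
            i += 1
            for module in self.modules[rec["type"]]:
                for out in module(rec):
                    out["parent"] = rec["id"] # keep the derivation link between findings
                    self.add(out)
        return self.repo


def identify_system(rec):
    return [{"type": "system_type", "host": rec["host"], "os": HOSTS[rec["host"]]["os"]}]

def pull_nis_map(rec):
    host = HOSTS[rec["host"]]
    if rec["os"] != "unix" or not host["nis_server"]:
        return []
    return [{"type": "nis_password_obtained", "host": rec["host"], "user": u, "hash": hv}
            for u, hv in host["nis_passwd_map"].items()]

def crack_password(rec):
    salt = rec["hash"].split("$", 1)[0]
    for name, words in (("small", SMALL_DICT), ("large", LARGE_DICT)):
        for word in words:
            if crypt_like(salt, word) == rec["hash"]:
                return [{"type": "password_cracked", "host": rec["host"], "user": rec["user"],
                         "password": word, "dictionary": name}]
    return []

def reuse_credentials(rec):
    # Try the cracked pair on every host, not just the one the hash came from.
    out = []
    for ip, host in HOSTS.items():
        if host["accounts"].get(rec["user"]) == rec["password"]:
            admin = rec["user"] in ADMIN_ACCOUNTS
            out.append({"type": "admin_access" if admin else "user_access", "host": ip,
                        "user": rec["user"], "risk": "high" if admin else "medium"})
    return out


def scan():
    eng = Engine()
    eng.register("resource", identify_system)
    eng.register("system_type", pull_nis_map)
    eng.register("nis_password_obtained", crack_password)
    eng.register("password_cracked", reuse_credentials)
    return eng.run([{"type": "resource", "host": ip} for ip in HOSTS])

def access_findings(repo):
    return sorted((r["host"], r["user"], r["risk"]) for r in repo if r["type"].endswith("_access"))

if __name__ == "__main__":
    for host, user, risk in access_findings(scan()):
        print(f"{risk:6} {host:10} {user}")
```

Only one host exposes NIS, yet the scan ends with user-level access on all three machines and root on the NIS server, because alice’s password falls to the small dictionary and is reused everywhere, while root’s only falls to the large one. A scanner that reported the NIS exposure and the three logins as unrelated findings would hide the fact that fixing the single NIS leak removes all of them.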

Local disks mountable via SMB - SMB (Server Message Block) is a standard message format used by many operating systems to share files, directories, and devices. Windows NT 4.0 with no service packs by default allows SMB clients (such as Samba) to mount any local drives with read/write permission. An attacker can use this method to gain unrestricted access to the local disks of an NT workstation.

Ports active - Active ports indicate services in use, and in many cases an inquiry to an active port causes the service to return information about itself (such as its name and version). NetRecon performs separate scans for privileged ports (1-1023), which on Unix indicate services that were running as root at least when they bound the port (Windows NT has no such restriction, and a root-owned daemon may equally well listen on a high port), and non-privileged ports (1024-65535).
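As an added example of what the “ports active” step yields once a port answers, the code below takes a set of captured responses for one host, pulls the service name and version out of the banner where the protocol volunteers one, falls back to the well-known port number for services that wait for the client to speak first (exec, login, shell), and flags the privileged/non-privileged split. It is illustrative code written for this page, not NetRecon’s port scanner; the responses and version strings are constructed samples, and the regular expressions cover only the four banner shapes in the sample.

```python
import re

PRIVILEGED_MAX = 1023  # on Unix only root can bind 1-1023, so a listener there ran as root at bind time

# Constructed responses for one host, as a scanner's connect-and-read phase would collect
# them (port -> bytes the service returned on connect, or, for HTTP, to a HEAD request).
# Version strings are illustrative samples, not real scan output.
SAMPLE_RESPONSES = {
    21: b"220 ftp.example.test FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.\r\n",
    22: b"SSH-1.99-OpenSSH_2.9p2\r\n",
    25: b"220 mail.example.test ESMTP Sendmail 8.11.6/8.11.6; Mon, 3 Jun 2002 10:22:01 -0400\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.23 (Unix)\r\nContent-Type: text/html\r\n\r\n",
    512: b"",      # exec (rexec): the service waits for the client to speak first, so no banner
    8080: b"HTTP/1.0 200 OK\r\nServer: Jetty/4.2\r\n\r\n",
    32768: b"",
}

# Order matters: the more specific FTP rule is tried before the generic "220" SMTP rule.
BANNER_RULES = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-(\S+)")),
    ("ftp",  re.compile(rb"^220 .*FTP server \(Version (\S+)")),
    ("smtp", re.compile(rb"^220 \S+ E?SMTP (\S+ [^;\s]+)")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
]
# Services that send nothing until spoken to; identified by well-known port only.
SILENT_SERVICES = {512: "exec", 513: "login", 514: "shell"}

def classify(port, banner):
    service, version = None, None
    for name, rule in BANNER_RULES:
        m = rule.match(banner)
        if m:
            service, version = name, m.group(1).decode("ascii", errors="replace")
            break
    if service is None:
        service = SILENT_SERVICES.get(port)
    # "privileged" is a hint about the listener's rights on Unix only; Windows NT has no
    # such restriction, and a root-owned daemon can of course listen on 8080 as well.
    return {"port": port, "privileged": 1 <= port <= PRIVILEGED_MAX,
            "service": service or "unknown", "version": version}

def active_ports(responses):
    return [classify(port, banner) for port, banner in sorted(responses.items())]

if __name__ == "__main__":
    for r in active_ports(SAMPLE_RESPONSES):
        flag = "priv" if r["privileged"] else "    "
        print(f'{r["port"]:>5} {flag} {r["service"]:8} {r["version"] or "-"}')
```

Port 32768 stays “unknown” on purpose: an open port with no banner and no well-known assignment is exactly the kind of result a scanner can list but not explain, and it is worth a manual look rather than a guess.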

NetRecon can be integrated with Symantec’s Enterprise Security Manager (ESM) via the ESM integration module, feeding all the discovered vulnerabilities into the policy enforcement engine of ESM for further analysis.

Installation

Installation is very straightforward, requiring only a single Windows NT 4.0 machine (workstation or server) with 64MB RAM and 40MB of hard disk space.

Symantec has adopted an extremely user-friendly and cost-effective method of licensing. A limited (254 node) license or unrestricted license can be purchased for a single organisation (compare this with the per node license model used by some competitors), and a consultant’s license can also be obtained for unlimited use in multiple organisations.

Documentation is not particularly extensive, but to be honest, it is not required. The Installation and Getting Started Guide which is provided as hard copy out of the box is more than adequate to get you up and running.

The NetRecon installation routine attempts to determine if ESM is installed on the system, and if it finds an ESM Agent, it asks if it should install the ESM/NetRecon integration software, whereupon it will prompt for a user name, password and ESM Manager ID. This registers the integration module to a particular ESM Manager, which can be on a remote system.

Configuration

The graphical interface bears some strong similarities to the other products in the Symantec security suite, and is very easy to master. It consists primarily of one main window, which is broken up into three panes - the Control pane, the Graph pane, and the Data Table pane.

The Control pane is where the administrator initiates scans. Listed in a hierarchical tree display are a number of “objectives”, under the headings of Light, Medium and Heavy scan. There is very little to do in the way of configuration, since the policies are fixed and there is no way to change them or to meddle with the settings of the individual scanning modules.


Figure 2 - The NetRecon Console

The light intensity scan will identify network resources including alias information, operating system, version, and so on. It simulates the first logical stage of an attack, looking for problems that are simple to detect, unlikely to cause target systems to fail, and likely to yield results quickly. It finds information that can be used to focus the second stage of an attack, and thus elimination of vulnerabilities reported by a light scan should discourage or complicate the second stage of an attack. It will also use Windows Networking to find vulnerabilities and employ a selective scan for services known to have vulnerabilities such as SMTP.

A medium intensity scan will simulate the first and second stages of an attack (each level of attack automatically includes all the modules from the level before it). In order to extract more detailed and complete information than a light scan, a medium scan will try things that are less likely to yield results and are more time consuming. The medium scan will perform a complete TCP and UDP port scan (both half-open and full connect) and look for a broad range of vulnerabilities in common service protocols such as NIS, HTTP, NFS, SMB, and FTP.

A heavy intensity scan should ultimately identify most security problems that can be detected remotely with a reasonable level of safety. Heavy scans are not as cautious as light and medium scans, and are therefore more likely to cause accounts to be locked out, or network resources to become unresponsive. No intentionally dangerous checks are performed in a heavy scan, however, since NetRecon does not contain any true DoS or “crash” code, but heavy scans may stress sensitive software and hardware.

Once the appropriate scan level has been selected, a dialogue box appears prompting for the range of machines to be scanned. Host names and addresses (single, multiple or ranges) can be entered, or NetRecon will ping sweep the subnet to build a list of suggested resources. A scheduling function is provided to schedule scans to execute after a predetermined amount of elapsed time, or at a specific day and time.


Figure 3 - Examining individual vulnerabilities

During and after execution, the Data Table lists individual vulnerabilities and potential problems in detail, whilst the Graph window summarises these pictorially, categorising vulnerabilities into high, medium, and low risks. The Graph pane, therefore, gives a quick visual overview of the scan results, whilst the Data Table pane is a view into the data repository (part of the scan engine). The Data Table provides information such as the risk ID, network resource name/IP, vulnerability name and ID number, service details, port number, version number, protocol, and all banner/connection responses, and can be sorted on any one of the columns. The icons against each scan module in the Control pane also turn different colours depending on the results of the scan for an instant visual notification of problems.

Once the scan is completed, the data can be viewed in a number of different ways. For example, as individual scan modules are selected in the Control pane, the full display of all vulnerabilities in the Data Table is replaced by just the vulnerabilities relating to that particular scan.

Another tab in the Control pane is labelled Network Resources, and this shows a list of all resources discovered during the scanning operation. Selecting individual resources brings up a list of vulnerabilities in the Data Table relating only to that resource.

The final tab in the Control pane is labelled Vulnerabilities which, as you might expect, contains a list of all vulnerabilities discovered during the last scan. Selecting any of those brings up a list of all instances of that particular vulnerability in the Data Table.

Each time a new list is generated in the Data Table, the Graph pane is updated to show charts of the new contents. The interaction of the contents of the tabs in the Control Pane, the Data Table and the Graph pane makes it very easy to drill down and view the nature of the vulnerabilities found during a NetRecon scan.

The drill down capability is taken one step further in the Data Table too. Right clicking on a vulnerability brings up a context menu from where it is possible to display a detailed description of the vulnerability along with any potential solutions and links to further information, and the Path Analysis.


Figure 4 - Path Analysis

The Path Analysis provides the means to see not only what vulnerabilities were discovered on the network, but also how those vulnerabilities were discovered. Since NetRecon uses some vulnerabilities to discover others via its Progressive Scanning capability, it’s often useful to know exactly what steps it took to perform a particular exploit. This is what the Path Analysis display shows, allowing the administrator to determine exactly which vulnerabilities are acting as “gateways” that can lead to other information gathering and exploits. This is a unique feature amongst the scanners we have seen, and is potentially very useful.
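To make the Path Analysis idea concrete, here is an added example, written for this page and not taken from NetRecon, that works over a constructed set of scan records carrying the Data Table fields (vulnerability name, resource, risk) plus a parent link recording which finding each one was derived from. The record layout is an assumption, not the .NRD format. The example reconstructs the chain behind any finding and then ranks the non-high-risk findings by how many high-risk results depend on them, which is the “gateway” question the Path Analysis display answers.

```python
from collections import defaultdict

# Constructed record set modelled on the Data Table columns (vulnerability, resource,
# risk) plus the parent link that Progressive Scanning leaves behind when one finding
# is derived from another. The layout is an assumption, not NetRecon's .NRD format.
RECORDS = [
    {"id": 1,  "vuln": "Resource discovered",                     "host": "10.0.0.1", "risk": "low",    "parent": None},
    {"id": 2,  "vuln": "Discovered system type",                  "host": "10.0.0.1", "risk": "low",    "parent": 1},
    {"id": 3,  "vuln": "NIS encrypted password obtained",         "host": "10.0.0.1", "risk": "medium", "parent": 2},
    {"id": 4,  "vuln": "Password cracked using small dictionary", "host": "10.0.0.1", "risk": "medium", "parent": 3},
    {"id": 5,  "vuln": "User level access obtained",              "host": "10.0.0.1", "risk": "high",   "parent": 4},
    {"id": 6,  "vuln": "User level access obtained",              "host": "10.0.0.2", "risk": "high",   "parent": 4},
    {"id": 7,  "vuln": "User level access obtained",              "host": "10.0.0.3", "risk": "high",   "parent": 4},
    {"id": 8,  "vuln": "Password cracked using large dictionary", "host": "10.0.0.1", "risk": "medium", "parent": 3},
    {"id": 9,  "vuln": "Administrative access obtained",          "host": "10.0.0.1", "risk": "high",   "parent": 8},
    {"id": 10, "vuln": "Resource discovered",                     "host": "10.0.0.3", "risk": "low",    "parent": None},
    {"id": 11, "vuln": "Ports active",                            "host": "10.0.0.3", "risk": "low",    "parent": 10},
]

def _index(records):
    by_id = {r["id"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r["parent"]].append(r["id"])
    return by_id, children

def path_to(records, rid):
    """The chain of findings that led to record `rid`, root first (the Path Analysis view)."""
    by_id, _ = _index(records)
    chain = []
    while rid is not None:
        r = by_id[rid]
        chain.append(f'{r["vuln"]} @ {r["host"]}')
        rid = r["parent"]
    return chain[::-1]

def gateways(records):
    """Non-high-risk findings ranked by how many high-risk findings hang off them.

    Ties go to the deeper record, i.e. the most specific thing to fix first."""
    by_id, children = _index(records)

    def high_below(rid):
        return sum((by_id[c]["risk"] == "high") + high_below(c) for c in children[rid])

    ranked = []
    for r in records:
        if r["risk"] == "high":
            continue                      # these are outcomes, not gateways
        n = high_below(r["id"])
        if n:
            ranked.append((r["vuln"], r["host"], n, len(path_to(records, r["id"])) - 1))
    ranked.sort(key=lambda x: (-x[2], -x[3]))
    return [(vuln, host, n) for vuln, host, n, _ in ranked]

if __name__ == "__main__":
    for step in path_to(RECORDS, 7):
        print("  ->", step)
    for vuln, host, n in gateways(RECORDS):
        print(f"{n} high-risk finding(s) depend on: {vuln} @ {host}")
```

Note that the user-level access on 10.0.0.3 traces back to a chain that never touched 10.0.0.3 until its last step; the gateway is the NIS exposure on 10.0.0.1, and the “Ports active” finding on 10.0.0.3, although real, leads nowhere and ranks accordingly.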

Reporting and Analysis

Despite the excellent on-screen analysis of scan results, it is always useful to be able to produce printed reports.

Crystal Reports is now provided with NetRecon, and there are a small number of built-in report templates that generate standard reports targeted at different audience levels. The user can select between three report formats: Executive Report, Detail Report by System, and Detail Report by Vulnerability.


Figure 5 - Creating reports

Reports may be viewed online with the Crystal viewer, which provides a hyperlinked navigation tree in the left-hand pane – grouped by vulnerability or host – and the report detail in the right-hand pane. After viewing on screen, reports can be printed or exported to a variety of formats including Word, HTML, Excel, rich text format and others. Custom reports may also be used in NetRecon if you have the Crystal Reports Designer.

In addition to the scan data reports, there are also two “static” reports included with NetRecon which administrators will find very useful. View Objective Descriptions provides details of what each of the scan objectives is trying to achieve, whilst View Vulnerability Descriptions provides a detailed list of all the vulnerabilities covered by NetRecon together with solutions and links to additional information.

It is not possible to customise the contents of any of the built in reports within NetRecon, nor is there a huge choice of available reports. However, most of the information you will need is contained within the few reports available – adequate is the best way to describe NetRecon’s reporting capabilities.

Verdict

In use, NetRecon is fairly simple, and it does not appear to be necessary to have a detailed knowledge of hacking in order to run it, unlike some of the competition. Of course, without the means to tweak and configure your own set of test parameters, NetRecon might overlook something, but there will always be a trade-off between flexibility and ease of use – NetRecon is extremely easy to use. However, on its “Heavy Scan” setting, it will frequently produce a list of far more discovered vulnerabilities than competitors with much larger vulnerability databases, which can make the reports cumbersome and difficult to wade through.

At the end of the day, NetRecon is actually quite a different prospect from the more traditional “hacker in a box” type of VA scanner. Its vulnerability database is not as extensive as some (though with over 440 checks it is not doing badly), and it is not possible to tweak the parameters of a test or perform DoS attacks directly. However, it supports NetWare and VMS, as well as NT and Unix, and its Progressive Scan technology provides a means to look beyond individual vulnerabilities to identify real threats.

This provides a systematic understanding of how network vulnerabilities are interrelated and how high risk vulnerabilities may be caused by other lower risk vulnerabilities in the network. This unique feature means you can focus on the true cause of your vulnerabilities for immediate correction without having to decipher exhaustive lists of symptoms of the problem.

NetRecon is thus geared less for the security specialist and more for the network administrator, or perhaps novice security administrator (although the Path Analysis output from the Progressive Scanning technology could be of tremendous use to anyone, no matter how experienced). It also complements ESM perfectly, providing network-based assessment to integrate with ESM’s host-based assessment.

Contact Details

Company name: Symantec Technologies, Inc.
E-mail: [email protected]
Internet: www.Symantec.com
Address:

2400 Research Boulevard
Rockville
Maryland 20850
USA

Tel: +1 (301) 258-5043
Fax: +1 (301) 670-3586


Copyright © 1991-2006 The NSS Group Ltd.
All rights reserved.