Deutschsprachiges Cisco Board
Die Cisco Community

Topic: Security Audit with NIPPER (Read 659 times)
Zwerg#7
Global Moderator
Cisco Veteran
Posts: 928
« on: February 24, 2008, 08:45:48 »

Hello everyone,

today I would like to introduce you to a tool that is as simple as it is ingenious.
NIPPER - an open source network devices security auditing tool

This tool analyses the configurations of various devices and finally delivers a detailed report on possible security holes, unnecessary services or security-critical (mis)configurations.

Nipper runs under both Windows and Linux and can analyse the configurations of the following devices:

  • Cisco IOS-based Switches
  • Cisco IOS-based Routers
  • Cisco IOS-based Catalysts
  • Cisco NMP-based Catalysts
  • Cisco CatOS-based Catalysts
  • Cisco PIX-based Firewalls
  • Cisco ASA-based Firewalls
  • Cisco FWSM-based Firewalls
  • Cisco CSS-based Content Service Switches
  • Juniper NetScreen ScreenOS-based Firewalls
  • CheckPoint Firewall-1-based Firewalls
  • Nortel Passport-based Devices
  • SonicWALL SonicOS-based Firewalls



Operation is extremely simple:
1) Download Nipper and put it on disk (e.g. C:\NIPPER\) -> unpacked it needs just 900k
2) Put the device config on disk as a text file
3) Start Nipper, specifying the device type, config file and output path
C:\NIPPER\nipper --ios-router --input=C:\NIPPER\RouterConf.txt --output=RouterAudit.html
4) Open the audit report and follow the good advice




Attached below is the feature information from the developer.
If you like the tool, you should definitely drop by http://www.titania.co.uk/nipper.php and download it

Quote:

Nipper performs a security audit of a device and produces a report which can include the following sections:

Security Related Issues
> Introduction
> The issues
> Conclusions
Configuration Report
> Introduction
> The configuration
Appendix Section
> Abbreviations
> Timezones
> Common Ports
> Logging Severity Levels
> Version Details

Reports can be output in HTML (default), XML, Latex and plain text formats.

During a security audit Nipper can test network filtering (ACL, policies...), these can be configured from the command line or using the configuration file. The configurable options are:

  • Rule lists end with a deny all and log
  • Rules allowing access from any source
  • Rules allowing access from network sources
  • Rules allowing access from any source port
  • Rules allowing access to any destination
  • Rules allowing access to destination networks
  • Rules allowing access to any destination service
  • Rules that do not log
  • Deny rules that do not log
  • Rules that are disabled
  • Rules that reject rather than drop
  • No bypass rules exist
  • Default rules


During a security audit Nipper can test passwords and connection timeouts, these can be configured from the command line or using the configuration file. The configurable options are:

  • Timeout
  • Minimum Password Length
  • Passwords must contain upper case characters
  • Passwords must contain lower case characters
  • Passwords must contain numbers
  • Passwords must contain special characters
  • Passwords can contain upper or lower case characters
  • Dictionary for testing against passwords


Nipper will decode Cisco type 7 passwords, other passwords can be output to a john-the-ripper file for further testing.

Nipper includes support for a variety of different device types and gathers a lot of information whilst performing a security audit. However, nipper does not yet gather all information from a device configuration, support varies between different device types.




Greetings from behind the 7 mountains
-^-^-^-^-^-^-^- your Zwerg#7
crisirius
Administrator
Cisco Veteran
Posts: 681
« Reply #1 on: February 24, 2008, 09:52:29 »

Nice tool, I used it right away and, lo and behold, I had forgotten something in my router config.
Had to fix it straight away.

From my side it is also recommended for doing a quick test, and it works great under Windows too.

Thanks

Zwerg#7
Zwerg#7
Global Moderator
Cisco Veteran
Posts: 928
« Reply #2 on: February 24, 2008, 09:55:00 »

I had NIPPER check a config that was posted here in the forum.

The report is normally output as HTML or XML, so it is correspondingly more colourful and clearer than shown here.
I also had to shorten it accordingly, "only" 20,000 characters are allowed per posting

So, just to get an idea of everything the tool can tell you

Quote:
Nipper
Cisco Router Security Report of the router1 Cisco Router
--------------------------------------------------------------------------------

Contents
1. About This Report
    1.1. Organisation
    1.2. Conventions
2. Security Audit
    2.1. Introduction
    2.2. Software Version
    2.3. Connection Timeout
    2.4. Auxiliary Port
    2.5. HyperText Transport Protocol Service
    2.6. Access Control Lists
    2.7. Logging
    2.8. SSH Protocol Version
    2.9. Classless Routing
    2.10. Minimum Password Length
    2.11. Login Banner
    2.12. Domain Lookups
    2.13. Maintenance Operations Protocol
    2.14. Conclusions
3. Device Configuration
    3.1. Introduction
    3.2. General
    3.3. Services
    3.4. Domain Name Settings
    3.5. Time Zone Settings
    3.6. User Accounts and Privileges
    3.7. Logging
    3.8. Network Time Protocol
    3.9. HyperText Transfer Protocol
    3.10. Routing
    3.11. Lines
    3.12. Interfaces
    3.13. Access Control List
4. Appendix
    4.1. Abbreviations
    4.2. Common Ports
    4.3. Logging Severity Levels
    4.4. Time Zones
    4.5. Nipper Details



--------------------------------------------------------------------------------

1. About This Report
1.1. Organisation
This Cisco Router router1 report was produced by Nipper on Wednesday February 2008. The report contains the following sections:

  • a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
  • a configuration report section that details the configuration settings;
  • an abbreviations appendix section that expands any abbreviations used within the report;
  • a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
  • an appendix section detailing the logging severity levels used by the logging facility;
  • a time zones appendix section that details a number of the most commonly used time zones;
  • an appendix section detailing the software used to produce this report.
1.2. Conventions
This report makes use of the text conventions outlined in Table 1.

Table 1: Report text conventions

Convention   Description
command      This text style represents the Cisco Router command text that has to be entered literally.
string       This text style represents the Cisco Router command text that you have to enter.
[ ]          Used to enclose a Cisco Router command option.
{ }          Used to enclose a Cisco Router command requirement.
|            Divides command option or requirement choices.
 

--------------------------------------------------------------------------------

2. Security Audit
2.1. Introduction
Nipper performed a security audit of the Cisco Router router1 on Sunday February 2008. This section details the findings of the security audit together with the impact and recommendations.
 

2.2. Software Version
Observation: It is critically important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.
 
Nipper determined that the Cisco Router router1 was running the out of date software Internet Operating System (IOS) version 12.3. Some of the known vulnerabilities for this software version are listed in Table 2.
 
Table 2: Potential software vulnerabilities

Description                          CVE Reference   Bugtraq ID
Telnet remote denial of service      CVE-2004-1464   11060
IPv4 TCP listener denial of service  CVE-2007-0479   22208
 
It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may have already been applied. Additionally, a specific device configuration may be required in order for the device to become vulnerable.
 
Impact: The vulnerabilities listed in Table 2 could allow an attacker to perform a Denial of Service (DoS) attack.
 
Ease: Exploit code is widely available on the Internet for known Cisco Router vulnerabilities.
 
Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed.
 

2.3. Connection Timeout
Observation: Connection timeouts can be configured for a number of the device services. If a timeout were configured on an administrative service, an administrator that did not correctly terminate the connection would have it automatically closed after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorised user may be able to gain access using the administrator's previously logged-in connection.
 
Nipper identified three connection settings that were not configured to timeout within ten minutes; these are listed in Table 3.

Table 3: Connections with inadequate timeout periods

Connection          Timeout
Console line 0      No Timeout
Auxiliary line 0    No Timeout
VTY lines 0 to 4    Exec Timeout: 30 minutes
 
Impact: An attacker who was able to gain access to a connection that had not expired, would be able to continue using that connection. A connection could be a console port on the device that was not correctly terminated or a remote administrative connection.
 
Ease: The attacker would have to gain physical access to the device to use the console port, or gain remote access to an administration machine that is attached to the port. To gain access to remote connections, an attacker would have to be able to intercept network traffic between the client and router1. The attacker would then have to take over the connection, which could be very difficult with some services. Tools are available on the Internet that would facilitate the monitoring of network connections.
 
Recommendation: Nipper recommends that a timeout period of ten minutes be configured for connections to the device router1.
 

2.4. Auxiliary Port
Observation: The auxiliary port's primary purpose is to provide a remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device.
 
Nipper determined that the auxiliary port on the Cisco device router1 allowed exec connections and did not appear to have the callback feature configured.
 
Impact: An attacker may discover the modem number for the device during a war-dial. If an attacker were able to connect to the device remotely, then they may be able to brute-force the login to gain access to the device.
 
Ease: The attacker would have to first identify the telephone number of the device, probably through a war-dial. A modem attached to a telephone line would have to be attached directly to the Cisco device's auxiliary port. Then the attacker would be able to attach to the device in order to perform a brute-force of the login.
 
Recommendation: Nipper recommends that, if not required, the auxiliary port exec be disabled. Exec can be disabled on the aux port with the following command:

  no exec

If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number.
 

2.5. HyperText Transport Protocol Service
Observation: Recent Cisco IOS-based devices support web-based administration using the HTTP protocol. Cisco web-based administration facilities can sometimes be basic but they do provide a simple method of administering remote devices. However, HTTP is a clear-text protocol and is vulnerable to various packet-capture techniques.
 
The HTTP service was configured to use the default authentication option, using the enable password to authenticate remote users.
 
Impact: An attacker who was able to monitor network traffic could capture authentication credentials. However, this issue is mitigated slightly by employing an access list to restrict network access to the device.

Ease: Network packet and password sniffing tools are widely available on the Internet. Once authentication credentials have been captured it is trivial to use them to log in. Furthermore, it may be possible for an attacker to masquerade as the administrator's host in order to bypass configured network access restrictions.

Recommendation: Nipper recommends that, if not required, the HTTP service be disabled. If a remote method of access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require a firmware or hardware upgrade. The HTTP service can be disabled with the following IOS command:

  no ip http server

If it is not possible to upgrade the device to use the encrypted HTTPS or SSH services, additional security can be configured. An access list can be configured to restrict access to the device. An access list can be specified with the following command:

  ip http access-class {access list number}

 

2.6. Access Control Lists
Observation: Access Control Lists (ACL) are sequential lists of allow and deny Access Control Entries (ACE) that specify whether network traffic should be allowed or dropped. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.

Nipper identified 42 security-related issues with the configured ACLs; these are listed in Table 4.
 
Table 4: Insecure Access Control Entries

ACL           Line  Description
sdm_vlan1_in  1     Allows access from a network source to any address.
                    Allows access from 149.88.100.88 / 0.0.0.7 to any destination.
                    Allows access from 149.88.100.88 / 0.0.0.7 to any destination service.
sdm_vlan1_in  2     Does not log denied access.
9             1     Allows access from a network source.
9             N/A   ACL does not end with a deny and log.
100           1     Allows access from a network source to any address.
                    Allows access from 149.88.100.88 / 0.0.0.7 to any destination.
                    Allows access from 149.88.100.88 / 0.0.0.7 to any destination service.
100           2     Does not log denied access.
101           1     Allows access from any source to any address.
                    Allows access from any address to any destination.
                    Allows access from any address to any destination service.
101           N/A   ACL does not end with a deny all and log.
102           1     Allows access from 17.72.133.42 to any destination.
102           2     Does not log denied access.
102           3     Does not log denied access.
102           4     Does not log denied access.
102           5     Does not log denied access.
102           6     Does not log denied access.
102           7     Does not log denied access.
102           8     Does not log denied access.
102           9     Does not log denied access.
102           10    Does not log denied access.
102           11    Does not log denied access.
102           12    Does not log denied access.
102           13    Does not log denied access.
102           14    Does not log denied access.
102           15    Does not log denied access.
102           16    Does not log denied access.
102           17    Does not log denied access.
102           18    Does not log denied access.
102           19    Does not log denied access.
102           20    Does not log denied access.
102           21    Does not log denied access.
102           22    Does not log denied access.
102           23    Does not log denied access.
102           24    Does not log denied access.
102           25    Allows access from any source to any address.
                    Allows access from any address to any destination.
                    Allows access from any address to any destination service.
102           N/A   ACL does not end with a deny all and log.
 
Impact: If ACEs are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor which could listen on a network port that was not filtered.
 
Ease: N/A
 
Recommendation: Nipper recommends that the ACLs be reviewed and, where possible, modified to ensure that:

  • ACEs do not allow access from any source;
  • ACEs do not allow access from entire source networks;
  • ACEs do not allow access to any destination;
  • ACEs do not allow access to entire destination networks;
  • ACEs do not allow access to any destination port;
  • ACEs log denied access;
  • ACLs end with a deny all and log.

However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.
 

2.7. Logging
Observation: Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore critical that logs be monitored, allowing administrators to take immediate action when an attack has been identified. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.
 
Nipper determined that, although logging was enabled on router1, Syslog logging was not configured.
 
Impact: An attacker could attempt to map and bypass any configured ACL or to gain access to the Cisco Router without network administrators being alerted to the attempts. Furthermore, after an unauthorised intrusion into the network had been detected, it would be more difficult for an investigation to identify the source of the attack or the entry point without access to logs.
 
Ease: N/A
 
Recommendation: Nipper recommends that Syslog and Buffered logging be configured on router1. Logging can be enabled with the following command:

  logging on

To configure Syslog logging, four things need to be set: a source interface for the Syslog messages to be sent from, one or more Syslog hosts to send messages to, the Syslog logging message severity level and the Syslog facility. The following commands can be used to configure Syslog logging:

  logging source-interface {Interface}
  logging host {Syslog IP address or hostname}
  logging trap {Logging message severity level}
  logging facility {Syslog facility}



[...shortened...]
 




2.14. Conclusions
Nipper performed a security audit of the Cisco Router device router1 on Wednesday February 2008 and identified twelve security-related issues. Nipper determined that:

  • the software version was out of date;
  • not all connections were configured with secure connection timeout periods;
  • the AUX port was configured to allow EXEC connections without the callback functionality;
  • clear-text remote web-based administration was enabled using HTTP;
  • insecure ACLs were configured;
  • insufficient logging was configured;
  • SSH protocol version 1 was configured;
  • classless routing was enabled;
  • an inadequate minimum password length was configured;
  • no login banner had been configured;
  • domain lookups were enabled;
  • MOP had not been disabled on all interfaces.

--------------------------------------------------------------------------------

3. Device Configuration
3.1. Introduction
This section details the configuration settings of the Cisco Router device router1.



[...shortened...]
 


Greetings from behind the 7 mountains
-^-^-^-^-^-^-^- your Zwerg#7
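As an added illustration (not Nipper's code and not part of the original thread): a small Python script that applies a handful of the checks from the report above (exec timeouts, aux port exec, HTTP, SSH version 1, syslog host, ACL entries and termination) to an IOS configuration text. The sample configuration, its hostname and its addresses are constructed for the example.

```python
import re

# Constructed sample IOS configuration (not a real device) showing the kinds of weaknesses the quoted report flagged.
SAMPLE_CONFIG = """\
hostname router1
ip http server
ip ssh version 1
access-list 101 permit ip any any
access-list 102 permit tcp host 17.72.133.42 any eq 22
access-list 102 deny ip any any
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
"""
MAX_TIMEOUT_MIN = 10  # report section 2.3 treats longer timeouts as inadequate


def parse_lines(config):
    """Map each 'line ...' section (con, aux, vty) to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def exec_timeout_minutes(cmds):
    """IOS defaults to 10 minutes when unset; 'exec-timeout 0 0' means never."""
    for c in cmds:
        if c == "no exec-timeout":
            return 0
        m = re.match(r"exec-timeout (\d+)", c)
        if m:
            return int(m.group(1))
    return MAX_TIMEOUT_MIN


def audit(config):
    """Return findings mirroring report sections 2.3 to 2.8 (timeouts, aux port, HTTP, ACLs, syslog, SSH)."""
    findings = []
    for name, cmds in parse_lines(config).items():
        minutes = exec_timeout_minutes(cmds)
        if minutes == 0 or minutes > MAX_TIMEOUT_MIN:
            findings.append(f"line {name}: timeout {'never' if minutes == 0 else minutes}")
        if name.startswith("aux") and "no exec" not in cmds:
            findings.append(f"line {name}: exec enabled on auxiliary port")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("clear-text HTTP administration enabled")
    if re.search(r"^ip ssh version 1$", config, re.M):
        findings.append("SSH protocol version 1 configured")
    if not re.search(r"^logging host ", config, re.M):
        findings.append("no syslog host configured")
    acls = {}  # ACL name/number -> list of entries in configured order
    for m in re.finditer(r"^access-list (\S+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    for acl, entries in acls.items():
        for i, entry in enumerate(entries, 1):
            if re.match(r"permit \S+ any any", entry):
                findings.append(f"ACL {acl} line {i}: allows access from any source to any destination")
        if not re.match(r"deny ip any any log", entries[-1]):
            findings.append(f"ACL {acl}: does not end with a deny all and log")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns ten findings, one per weakness planted in the sample; feeding it the output of "show running-config" saved as text gives a quick first pass before running the full Nipper report.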
Otaku19
Cisco Veteran
Posts: 515
« Reply #3 on: February 25, 2008, 08:03:54 »

The tool does suggest deactivating classless, but apart from that my report contains quite a few useful tips... e.g. all sorts of unnecessary services for X.25 or even DECnet.

It is always something: Good, Fast, Cheap. Pick any two (you can't have all three).
Zwerg#7
Global Moderator
Cisco Veteran
Posts: 928
« Reply #4 on: February 25, 2008, 09:28:43 »

Quote:
The tool does suggest deactivating classless, but apart from that my report contains quite a few useful tips... e.g. all sorts of unnecessary services for X.25 or even DECnet.

Yes, I noticed that too, and I'm thinking very hard about whether there's really anything to it

Greetings from behind the 7 mountains
-^-^-^-^-^-^-^- your Zwerg#7
#9370
Global Moderator
Cisco Veteran
Posts: 1330
CCIE #9370
« Reply #5 on: February 25, 2008, 11:00:26 »

Quote:
The tool does suggest deactivating classless, but...
I wouldn't know why that would be bad. These days you can't avoid it anyway...

/#9370

-- www.spoerr.org/wktools --

No requests by private message
Questions are only answered in the forum!
Zwerg#7
Global Moderator
Cisco Veteran
Posts: 928
« Reply #6 on: February 25, 2008, 11:33:53 »

Quote:
The tool does suggest deactivating classless, but...
I wouldn't know why that would be bad. These days you can't avoid it anyway...

/#9370

But deactivating classless = classful
What do you do with that? Haven't finished thinking it through yet though

Greetings from behind the 7 mountains
-^-^-^-^-^-^-^- your Zwerg#7
#9370
Global Moderator
Cisco Veteran
Posts: 1330
CCIE #9370
« Reply #7 on: February 25, 2008, 11:40:23 »

I meant that classful isn't really usable anymore these days.

/#9370

-- www.spoerr.org/wktools --

No requests by private message
Questions are only answered in the forum!
Zwerg#7
Global Moderator
Cisco Veteran
Posts: 928
« Reply #8 on: February 25, 2008, 12:40:15 »

Quote:
I meant that classful isn't really usable anymore these days.

Oh I see, sorry, I misunderstood...
But I take it from that that you also have no idea why classless could be bad?

Greetings from behind the 7 mountains
-^-^-^-^-^-^-^- your Zwerg#7