Host Auditing Process

Host audits concern workstations, servers, and other computing platforms. An audit usually involves multiple hosts, but the methodology concerns itself with what is practical to examine on a single host: its operating system and the applications that run on it. Aspects of network devices such as the base operating system, default passwords, and patch level may also be treated as part of a host audit.

Audits may apply various external tests, such as scanners or sniffers. They should always consider the patch levels of the operating system and applications, and should take into account the purpose of the host: a LAN mail server calls for different considerations than a workstation or desktop machine.

The tester and the customer are expected to agree on the scope and depth of the test. Tests may be expanded or narrowed to meet the customer's needs. Extreme methods, those that would impose undue logistical difficulties on either party, are not used.

Auditing Outline

  1. Objective
  2. Information Collection
  3. Target Host Selection
  4. Target Host Compromise
  5. Escalation of Privilege
  6. System Modification

Steps 1 and 6 must be clearly defined in the agreement with the customer. The remaining steps (2-5) are carried out and documented in a formal report. Certain steps may occur out of order or simultaneously.

Objective

The objective must be clearly defined in the agreement with the customer. Boundaries and limitations of the test must be defined. The testers and the customer should identify the host(s) that will be tested. Limitations on tools and methods must be discussed and agreed upon. Test duration and commencement times should be defined.

Decision points should be defined such that the test can be stopped or suspended appropriately. The customer or testing team may define the conditions in which the test can be halted. Contact individuals should be identified for this process. Conditions under which the test team themselves should suspend test activity should also be defined.

Confidentiality of information discovered during the test, and of the reports and data submitted afterwards, must be reviewed and agreed upon.

Information Collection

Information collection creates a profile of the target. The profile is intended to aid in the selection of target hosts. The completed profile should include a map of the target's network presence and identification of host types, functionality and relationships.

Information collection may be done passively or actively. The process may begin with passive data collection, and escalate to more active collection methods. Information collection is not always restricted to electronic methods. It can include social engineering and physical access (internal and external) to the target site. The depth of the information collection step must be negotiated with the customer.

Passive Collection

Passive collection of data includes but is not limited to the following publicly available data:

Active Collection

Active collection methods vary greatly. Limitations on active collection tools and methods must be agreed upon in advance. Active collection should be conducted in a non-disruptive manner, although some disruption may be unavoidable.

Active network based information collection methods include but are not limited to:

Additional active information collection methods include but are not limited to:
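The page does not enumerate active collection methods, so the following is an added example, not code from the page's author: a TCP connect probe with banner capture written to honour the non-disruptive requirement above (bounded concurrency, a pause between probes, a short timeout, and no unsolicited payload sent to a service that stays silent). The port list, timeout and concurrency cap are assumptions; the targets are two listeners constructed inside the process on 127.0.0.1, so it runs offline.

```python
"""Non-disruptive active collection: TCP connect probes with banner capture.

Added example for this methodology page; not code from the page's author.
The TCP connect probe, the port list, the per-probe timeout and the concurrency
cap are assumptions made for the example. The targets are constructed listeners
on 127.0.0.1 so the example runs offline.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def start_local_targets():
    """Constructed targets: one service that volunteers a banner, one that stays silent.

    Returns (banner_port, silent_port, sockets); close the sockets when finished.
    """
    sockets = []

    def serve(banner):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
        srv.listen(5)

        def loop():
            while True:
                try:
                    conn, _ = srv.accept()
                except OSError:  # listener closed
                    return
                with conn:
                    if banner:
                        conn.sendall(banner)
                    time.sleep(0.05)  # let the client read before we send FIN

        threading.Thread(target=loop, daemon=True).start()
        sockets.append(srv)
        return srv.getsockname()[1]

    banner_port = serve(b"SSH-2.0-ExampleDaemon_1.0\r\n")  # constructed banner text
    silent_port = serve(b"")
    return banner_port, silent_port, sockets


def unused_local_port():
    """Pick a port that is currently closed on 127.0.0.1 (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, connect_timeout=1.0, banner_wait=0.5):
    """One TCP connect to host:port; read what the service volunteers, send nothing."""
    record = {"host": host, "port": port, "state": "closed", "banner": ""}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(connect_timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, filtered (timeout) or unreachable
            return record
        record["state"] = "open"
        s.settimeout(banner_wait)
        try:
            data = s.recv(256)
            record["banner"] = data.decode("ascii", "replace").strip()
        except OSError:  # open but silent: note it, do not start guessing protocols
            pass
    return record


def scan(host, ports, workers=4, interval=0.0):
    """Probe each port with bounded concurrency and a per-worker pause between probes.

    workers caps simultaneous connections; interval (seconds) spaces each worker's
    probes, so the aggregate probe rate is at most workers / interval.
    """
    def paced(port):
        time.sleep(interval)
        return probe(host, port)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(paced, ports))
    return sorted(results, key=lambda r: r["port"])


def open_ports(results):
    """Reduce scan results to the open services for the collection report."""
    return [r for r in results if r["state"] == "open"]


if __name__ == "__main__":
    bport, sport, servers = start_local_targets()
    for r in scan("127.0.0.1", [bport, sport, unused_local_port()], workers=2, interval=0.1):
        print(f"{r['host']}:{r['port']} {r['state']} {r['banner']!r}")
    for srv in servers:
        srv.close()
```

The scan deliberately records an open-but-silent port without sending protocol guesses at it; any further interaction with such a service is an escalation that should fall under the active-collection limits agreed with the customer.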

Target Host Selection

Once adequate information is collected, target host selection may begin. Selection may be based on the host operating system, the types of services offered, and potential misconfigurations. Databases of publicly known vulnerabilities may be consulted, as well as vulnerabilities known privately to the testers.

Once the target host is identified, exploits and tools will be collected and built from public and private tool repositories. Additionally, tools may be written for privately known exploits or to customize known exploit tools.

Target Host Compromise

Host compromise occurs when an exploit succeeds. If only restricted (unprivileged) access is gained, escalation of privileges may be conducted in accordance with the customer agreement.

Thorough documentation of the compromise must be made. It should include the time and date of the compromise and an outline of the methods and tools used. Information gathered that enabled the compromise should be retained, and copies of the relevant system logs on the target host should also be retained for documentation purposes.

In accordance with customer agreement, information collection steps may be repeated using the compromised host as the collection point. Active or passive methods may be used.

At all times the compromise should minimize system downtime and remain operationally transparent to users.

Escalation of Privilege

A compromise may not directly yield privileged access. A series of local exploits may be used to gain privileged access if this is agreeable to the customer. Methods and tools are chosen based on the host operating system, the services provided and any system misconfigurations. Public and private databases of vulnerabilities are consulted, and tools are built or written to exploit those vulnerabilities.

System Modification

Acceptable levels of system modification must be agreed with the customer. Escalation of privilege may require installing executable files on the target host. Other exploits may require injecting executable code on the target host or modifying configuration files.

If system modification or installation of executable code is permissible, documentation must be provided for those changes. It must include clear instructions for the complete removal of executables and the restoration of modified files.

In all cases, system modifications must be conducted in a non-destructive manner and conform to the customer agreement. In certain situations it may be acceptable to demonstrate only the ability to modify system files, for instance by placing a marker file in an access-controlled directory.
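One way to satisfy both the documentation requirement of the Target Host Compromise step and the removal-and-restoration requirement above, as an added example that is not code from the page's author: an append-only manifest that records every file placed, backed up, modified, restored or removed, with a timestamp, host and SHA-256, plus a marker-file routine that refuses to overwrite anything, a backup-before-modify routine, a reverse-order restore that verifies hashes, and an independent clean-up check for the closing report. The JSON-lines record layout, the marker file name, the ENGAGEMENT tag and the temporary tree used for demonstration are assumptions.

```python
"""Change manifest for the compromise documentation and system modification steps.

Added example for this methodology page; not code from the page's author. The
record layout, marker file name, ENGAGEMENT tag and the demonstration tree
created by scratch_dir() are assumptions made for the example.
"""
import hashlib
import json
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ENGAGEMENT = "audit-example"  # assumed engagement identifier, agreed with the customer


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Manifest:
    """Append-only JSON-lines record of every file the tester placed, changed or removed."""

    def __init__(self, path):
        self.path = Path(path)

    def record(self, action, target, **extra):
        target = Path(target)
        entry = {
            "time": utc_now(),
            "host": socket.gethostname(),
            "engagement": ENGAGEMENT,
            "action": action,
            "path": str(target),
            "sha256": sha256_of(target) if target.is_file() else None,
            **extra,
        }
        with self.path.open("a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        if not self.path.exists():
            return []
        return [json.loads(line) for line in self.path.read_text().splitlines() if line.strip()]


def place_marker(directory, manifest):
    """Demonstrate write access with a marker file; never clobber an existing file."""
    marker = Path(directory) / f".audit-marker-{ENGAGEMENT}"
    if marker.exists():
        raise FileExistsError(f"refusing to overwrite {marker}")
    marker.write_text(f"engagement={ENGAGEMENT}\nplaced={utc_now()}\n")
    manifest.record("placed", marker)
    return marker


def backup_then_modify(target, new_text, backup_dir, manifest):
    """Keep a pristine copy, record its hash, then change the file. Returns the copy's path."""
    target, backup_dir = Path(target), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    copy = backup_dir / target.name
    shutil.copy2(target, copy)  # preserves mode and timestamps
    manifest.record("backed-up", target, backup=str(copy))
    target.write_text(new_text)
    manifest.record("modified", target)
    return copy


def restore_all(manifest):
    """Undo recorded changes in reverse order, verifying hashes. Returns a list of problems."""
    entries = manifest.entries()
    done = {(e["action"], e["path"]) for e in entries if e["action"] in ("removed", "restored")}
    problems = []
    for e in reversed(entries):
        p = Path(e["path"])
        if e["action"] == "placed" and ("removed", e["path"]) not in done:
            p.unlink(missing_ok=True)
            manifest.record("removed", p)
        elif e["action"] == "backed-up" and ("restored", e["path"]) not in done:
            shutil.copy2(e["backup"], p)
            if sha256_of(p) != e["sha256"]:
                problems.append(f"hash mismatch after restore: {p}")
            manifest.record("restored", p)
    return problems


def verify_clean(manifest):
    """Closing-report check: no marker remains and modified files match their pristine hash."""
    pristine, leftovers = {}, []
    for e in manifest.entries():
        if e["action"] == "backed-up":
            pristine[e["path"]] = e["sha256"]
        elif e["action"] == "placed" and Path(e["path"]).exists():
            leftovers.append(e["path"])
    for path, digest in pristine.items():
        if not Path(path).is_file() or sha256_of(path) != digest:
            leftovers.append(path)
    return leftovers


def scratch_dir():
    """Constructed temporary tree standing in for a target host's filesystem."""
    return Path(tempfile.mkdtemp(prefix="host-audit-demo-"))


if __name__ == "__main__":
    root = scratch_dir()
    (root / "etc").mkdir()
    conf = root / "etc" / "app.conf"
    conf.write_text("listen = 127.0.0.1\n")  # constructed configuration file
    m = Manifest(root / "manifest.jsonl")
    place_marker(root / "etc", m)
    backup_then_modify(conf, "listen = 0.0.0.0\n", root / "bak", m)
    print("before restore:", verify_clean(m))
    print("restore problems:", restore_all(m))
    print("after restore:", verify_clean(m))
```

The manifest itself, the backup copies and the verify_clean result are what goes into the report: they give the customer the time, host and hash of every change and a checkable statement that the host was left as found.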


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 22:45:22 PDT 2004