Dedicated Issue:
TITANIA
Table of Contents
TOOLS
Titania Free Tools
By Nigel Matthews and Max McFarlane, Titania
Since the developers at Titania come from a penetration testing background, over the years they have created
a number of tools to assist with their work. Furthermore, some of those tools have been released to help
assist other penetration testers with their work. This article takes a look at two of those tools, SSL Scan and
Banner Grab.
TECHNIQUES
Listening to the Network
By Ian Whiting, Titania
It is all too easy during the start of a new penetration testing infrastructure commission to jump straight in
with network scanning. In the midst of all the excitement of identifying live IP addresses, open network ports
and all those potential vulnerabilities, it is easy to neglect what the network is trying to tell you.
REVIEWS
A Tool that Tells a Tale
By Richard Hatch, Portcullis
At Portcullis we understand the benefits of automating data gathering and parsing data with tools to quickly
extract pertinent information. Such information can be used to automatically run additional targeted checks
against certain network services for example.
Dear Readers,
With great pleasure we would like to present you with the latest issue of PenTest Open, which has been created in
cooperation with Titania, a multiple award-winning provider and developer of IT audit software.
So what has the Titania Team prepared for you? The issue is divided into four sections: ‘Tools’,
‘Techniques’, ‘Let’s Talk about Security’, and ‘Reviews’.
The first section will be opened by Nigel Matthews and Max McFarlane from the Free Tools Development
Team at Titania. They will describe two tools that have been created to support Titania’s commercial
projects. Next, you will read ‘Paws Studio Walkthrough’ by Alen Damadzic who will explain what Titania’s
latest distro can do. Afterwards, thanks to Edwin Bentley and Ian Whiting, you will be able to profoundly
explore Nipper Studio, the kick-off project of Titania, in ‘Automating Nipper Studio Audits’ and ‘Advanced
Nipper Studio Configuration’.
The ‘Techniques’ section starts with ‘Listening to the Network’ by Ian Whiting, Founder and CEO of the
company, who will share with you his thoughts on what makes a good penetration tester and IT security
specialist in general. Then two real world examples of using Nipper Studio will follow: ‘Retrieving a
Configuration for Use in Nipper Studio’ by Aran Jarvis and ‘Using Nipper Studio for Penetration Testing’
by Peter Wood, CEO at First Base Technologies and Titania customer. The section will be closed by James
McDonagh explaining ‘How to Inculcate a Cyber Security Culture Throughout an Organization’.
And now, ‘Let’s Talk about Security’, shall we? So, what should we do in the face of ‘Security and the Rise of
Compliance-based Auditing’? Andy Williams will give you some ideas on that. Next, we will invite Ian
Whiting to speak about his projects once more, this time interviewed by the PenTest Team. The section will
close with Nicola Whiting bringing you the ‘Exhibition Review: Infosecurity Europe’.
Finally, we have the ‘Reviews’. Here, Richard Hatch from Portcullis speaks first, presenting you with his
experiences of using Nipper Studio. Afterwards, Nicola Whiting will add some words about ‘The Security
Hygienist you’ve Always Wanted!’, and finally, the issue will close with two formal reviews of Nipper
Studio and Paws Studio, both by Jim Halfpenny, an independent expert.
That’s it, the newest PenTest Open brought to you by the PenTest Team, with the great help of the Titania
Team, their customers and Ruth Inglis, Marketing Manager at Titania, who has greatly contributed to this
publication.
So, there is nothing left but to wish you enjoyable reading. Ready... steady... pentest!
Editor in Chief: Ewa Duranc
ewa.duranc@pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty,
express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no
responsibility for misuse of the presented techniques or consequent data loss.
Although packages are available on Linux platforms for some of these tools, they are distributed in source
code form. This article shows how they can be compiled from the source code and run.
SSL Scan
The purpose of SSL Scan is to determine what encryption ciphers are supported by a particular SSL service.
It also obtains a copy of the SSL certificate, determines default ciphers and can send additional service
probes to determine if the cipher can actually be used with the service. Some SSL servers will accept
negotiation with an encryption cipher, but the service then disallows it.
SSL Scan makes use of the OpenSSL library (www.openssl.org) to create a list of potential ciphers that are
then used to test a service.
Compilation
From the SSL Scan page on the Titania website (www.titania.com), follow the link to download SSL Scan
(the latest version is 1.8.2). You will also need OpenSSL (and the development libraries, if these are separate
on your system) and the GNU C++ compiler. You may be able to use Cygwin (www.cygwin.com) / MinGW
(www.mingw.org) on Windows.
Extract the source code to a directory and then open a command prompt in that directory. You can then
compile the source code using the following command:
On Apple Mac OS X systems, the procedure is slightly different as you need to use the Ports version of
OpenSSL, rather than the restricted version that Apple supply. You can download and install Ports from
www.macports.org. Once installed execute the following command to install the Ports version of OpenSSL:
Then you can compile SSL Scan using the following command:
./sslscan --help
Command:
  ./sslscan [Options] [host:port | host]
Options:
  --targets=<file>     A file containing a list of hosts to
                       check. Hosts can be supplied with
                       ports (i.e. host:port).
  --no-failed          List only accepted ciphers (default
                       is to listing all ciphers).
  --ssl2               Only check SSLv2 ciphers.
  --ssl3               Only check SSLv3 ciphers.
  --tls1               Only check TLSv1 ciphers.
  --pk=<file>          A file containing the private key or
                       a PKCS#12 file containing a private
                       key/certificate pair (as produced by
                       MSIE and Netscape).
  --pkpass=<password>  The password for the private key or
                       PKCS#12 file.
  --certs=<file>       A file containing PEM/ASN1 formatted
                       client certificates.
  --starttls           If a STARTTLS is required to kick an
                       SMTP service into action.
  --http               Test a HTTP connection.
  --bugs               Enable SSL implementation bug work-
                       arounds.
  --xml=<file>         Output results to an XML file.
  --version            Display the program version.
  --quiet              Be quiet
  --help               Display the help text you are now
                       reading.
Example:
  ./sslscan 127.0.0.1
To use SSL Scan to determine what ciphers a standard HTTPS server operating on port 443 supports (using
Google as an example):
./sslscan www.google.com
You will then receive information similar to what you can see in Listing 2.
Listing 2. Testing SSL server www.google.com on port 443
SSL Scan can be integrated into third-party products by using the XML output option. The XML results
can then be easily imported and managed by your own custom applications. To do this you can use the
following command:
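Consuming the XML results in your own tooling, as an added example (not Titania's code and not part of the original article): it lists the ciphers a service accepted and flags the weak ones. The element and attribute names are an assumption about the XML layout written by sslscan 1.8.x, the report is a constructed sample, and the weakness policy is illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are an assumption about the
# layout written by sslscan 1.8.x with --xml; adjust them to match your file.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.8.2">
 <ssltest host="192.0.2.10" port="443">
  <cipher status="accepted" sslversion="SSLv2" bits="128" cipher="RC4-MD5" />
  <cipher status="rejected" sslversion="SSLv3" bits="56" cipher="DES-CBC-SHA" />
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="0" cipher="NULL-SHA" />
  <defaultcipher sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
 </ssltest>
</document>
"""

# Illustrative policy (an assumption, not Titania's): tighten it to your baseline.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_TOKENS = {"NULL", "EXP", "ADH", "AECDH", "RC4", "MD5"}
MIN_BITS = 128


def accepted_ciphers(xml_text):
    """Return one dict per cipher the scanned service accepted."""
    # For reports from sources you do not control, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    rows = []
    for test in root.iter("ssltest"):
        for node in test.iter("cipher"):
            if node.get("status") != "accepted":
                continue
            rows.append({
                "host": test.get("host"),
                "port": int(test.get("port", "443")),
                "protocol": node.get("sslversion", ""),
                "bits": int(node.get("bits", "0")),
                "cipher": node.get("cipher", ""),
            })
    return rows


def reasons(row):
    """Explain why an accepted cipher breaks the policy (empty list = fine)."""
    why = []
    if row["protocol"] in OBSOLETE_PROTOCOLS:
        why.append("obsolete protocol " + row["protocol"])
    if row["bits"] < MIN_BITS:
        why.append("key length %d below %d bits" % (row["bits"], MIN_BITS))
    for token in row["cipher"].split("-"):
        if token in WEAK_TOKENS:
            why.append("weak algorithm " + token)
    return why


def weak_findings(xml_text):
    """Return (host, port, protocol, cipher, reasons) for each policy failure."""
    findings = []
    for row in accepted_ciphers(xml_text):
        why = reasons(row)
        if why:
            findings.append((row["host"], row["port"], row["protocol"],
                             row["cipher"], why))
    return findings


if __name__ == "__main__":
    for host, port, proto, cipher, why in weak_findings(SAMPLE_XML):
        print("%s:%d %-6s %-14s %s" % (host, port, proto, cipher, "; ".join(why)))
```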
Banner Grab
When performing a penetration assessment, obtaining network service banners can often provide useful
information. This information is not always accurately processed and reported by vulnerability scanners.
Information leakage from a network service banner can have the potential to lead an attacker toward software
vulnerabilities. For example, SSH service banners will often include both software and version details.
Titania developed Banner Grab to go and get the service banner information for you. In addition to standard
service banners, Banner Grab has the ability to send specially formatted triggers for different types of
service in order to obtain as much information as possible. By default Banner Grab will send triggers when a
common port is used that has a trigger defined.
Compilation
From the Banner Grab page on the Titania website (www.titania.com), follow the link to download Banner Grab
(the latest version is 3.6). If you want to compile Banner Grab with SSL support then you will need to download
OpenSSL (and the development libraries, if these are separate on your system). You will also need the GNU C++
compiler. You may be able to use Cygwin (www.cygwin.com) / MinGW (www.mingw.org) on Windows.
Extract the source code to a directory and then open a command prompt in that directory. You can then
compile the source code using the following command:
If you want to build Banner Grab without SSL support you can use the following:
./bannergrab --help
Command:
  ./bannergrab [Options] host port
Options:
  --udp                Connect to a port using UDP. The
                       default is to use TCP.
  --no-triggers        Collect only the connection banner, no
                       triggers and no SSL.
  --trigger=<trigger>  Specify the trigger to use. Specify
                       DEFAULT to use the default trigger.
  --no-ssl             Prevent SSL connection creation.
  --no-hex             Output containing non-printable
                       characters are converted to hex. This
                       option prevents the conversion.
  --conn-time=<secs>   Connection timeout (default is 5s).
  --read-time=<secs>   Read timeout (default is 3s).
  --verbose            Show additional program details such as
                       any errors.
  --show-triggers      Show the supported triggers.
  --version            Show the program version.
  --help               Display the help text you are reading
                       now.
Example:
  ./bannergrab 127.0.0.1 80
To get a simple banner from an SSH server you could type the following:
./bannergrab 192.168.0.22 22
SSH-2.0-OpenSSH_5.3
As you can see the SSH service returned not only the SSH protocol but the SSH service software and version.
This is very useful information for an attacker attempting to identify software vulnerabilities to exploit.
Earlier I mentioned that Banner Grab sends triggers to a service to identify additional information. In the
next example I will use Banner Grab to get service information from an SNMP service. The command was:
30 82 00 49 02 01 00 04 06 70 75 62 6c 69 63 a2 0..I.....public�
82 00 3a 02 01 ff 02 01 00 02 01 00 30 82 00 2d ..:..�......0..-
30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 1d 0..)..+.........
48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c 54 HP ETHERNET MULT
49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54 I-ENVIRONMENT
30 82 00 4a 02 01 00 04 07 70 72 69 76 61 74 65 0..J.....private
a2 82 00 3a 02 01 fe 02 01 00 02 01 00 30 82 00 �..:..�......0..
2d 30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 -0..)..+........
1d 48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c .HP ETHERNET MUL
54 49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54 TI-ENVIRONMENT
When the information returned from a service includes non-printable characters, Banner Grab returns the
information in a HEX value format with the printable characters to the right. As you can see from the returned
information, it appears to be an HP device that supports the community strings “public” and “private”.
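Reading the same two responses field by field, as an added example (not Banner Grab's code and not part of the original article): it rebuilds the bytes from the hex dump above and decodes the SNMP message with a small BER reader. The function names are illustrative, and the unprintable characters in the ASCII column are written as dots.

```python
import re

# Hex dump lines as printed in the article; unprintable bytes in the right-hand
# ASCII column are written as '.' here.
DUMP_PUBLIC = """\
30 82 00 49 02 01 00 04 06 70 75 62 6c 69 63 a2 0..I.....public.
82 00 3a 02 01 ff 02 01 00 02 01 00 30 82 00 2d ..:.........0..-
30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 1d 0..)..+.........
48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c 54 HP ETHERNET MULT
49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54 I-ENVIRONMENT
"""
DUMP_PRIVATE = """\
30 82 00 4a 02 01 00 04 07 70 72 69 76 61 74 65 0..J.....private
a2 82 00 3a 02 01 fe 02 01 00 02 01 00 30 82 00 ...:.........0..
2d 30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 -0..)..+........
1d 48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c .HP ETHERNET MUL
54 49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54 TI-ENVIRONMENT
"""
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}


def dump_to_bytes(dump, width=16):
    """Collect the leading hex pairs of each line, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for count, token in enumerate(line.split()):
            if count == width or not HEX_BYTE.fullmatch(token):
                break
            out.append(int(token, 16))
    return bytes(out)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs = [min(value[0] // 40, 2)]
    arcs.append(value[0] - 40 * arcs[0])
    sub = 0
    for byte in value[1:]:
        sub = (sub << 7) | (byte & 0x7F)   # base-128, high bit = more to follow
        if not byte & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(packet):
    """Parse an SNMPv1/v2c message carrying a request or response PDU."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    ver_tag, version, pos = read_tlv(message, 0)
    com_tag, community, pos = read_tlv(message, pos)
    pdu_tag, pdu, _ = read_tlv(message, pos)
    if ver_tag != 0x02 or com_tag != 0x04 or pdu_tag not in PDU_NAMES:
        raise ValueError("unexpected SNMP message layout")
    ints, pos = [], 0
    for _field in range(3):                # request-id, error-status, error-index
        _, raw, pos = read_tlv(pdu, pos)
        ints.append(int.from_bytes(raw, "big", signed=True))
    _, bindings, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(bindings):
        _, varbind, pos = read_tlv(bindings, pos)
        _, oid, value_pos = read_tlv(varbind, 0)
        value_tag, raw, _ = read_tlv(varbind, value_pos)
        value = raw.decode("latin-1") if value_tag == 0x04 else raw.hex()
        varbinds.append((decode_oid(oid), value))
    return {"version": VERSIONS.get(int.from_bytes(version, "big"), "unknown"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES[pdu_tag], "request_id": ints[0],
            "error_status": ints[1], "varbinds": varbinds}


if __name__ == "__main__":
    for dump in (DUMP_PUBLIC, DUMP_PRIVATE):
        print(parse_snmp(dump_to_bytes(dump)))
```

Both messages decode as SNMPv1 GetResponse PDUs for sysDescr.0 (1.3.6.1.2.1.1.1.0), one answered under each community string, which is the evidence behind the finding described above.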
Future Developments
There are a number of exciting updates coming through the Titania Free Tool Development Team at the
moment. The SSL Scan and Banner Grab tools described in this article are being updated, together with graphical
versions of the tools. The Banner Grab tool now also includes a port scanning tool to identify the live ports
on a device prior to performing the banner grabbing.
The Free Tool Team has also been updating our other tools such as IP Calculator, which now includes IPv6
support and provides many more address details. Plus there will be pre-compiled binary packages available
for Windows, Linux and Mac systems making them all much easier to use. For more information on our full
portfolio of free tools, go to www.titania.com/freetools.
A typical Paws Studio audit is a two-step process. The initial step is to collect the data for the audit and the
second is to create the report by comparing that data against a compliance list (see Figure 1).
does not require installing on the system that is being audited and does not require anything to be
installed. On Linux systems the data collector is a shell script.
The data collector only collects what is required to create the report. Those audit parameters are specified in
a policy file, which we will come back to later.
When you select to create a new report in Paws Studio (see Figure 2), it will give you the option to add all
the systems that you want to audit (local and remote). Paws Studio will then deal with executing the data
collector for you and retrieve the results. It is important to note that during this process, Paws Studio will
tidy up after itself, so no audit files will be left on the audited system.
It is also possible for you to run the data collector yourself on various systems and provide Paws Studio with
the collected data; this is shown as the “Manual” option (see Figure 3).
To obtain the latest data collector so that you can perform the audit yourself, select the “Export Collector”
option from the “Utilities” menu. You will also need a copy of the audit policy file for the data collector. By
default on a Windows system the policy files are stored in “C:\Program Files\Paws Studio\XML”. You will
find policy files for PCI, STIG, SANS, and others.
The data collector can be executed from the command line on both Windows and Linux systems. This gives
you the ability to script the software so you can automate the audit data collection process.
When you create a compliance audit report in Paws Studio you have to select an audit policy that you want
to check compliance with. It could be a PCI policy, STIG or others. The policy that you check compliance
against when producing a Paws Studio report is stored in a specially formatted XML file.
Although Paws Studio is supplied with a number of pre-defined audit policies, you can create your own. You
could use your favourite XML editor to create an audit policy file but Paws Studio includes a policy editor.
The audit policy editor has two modes of operation, a wizard mode and editor mode (see Figures 5, 6).
The wizard mode is designed to easily enable you to create your own new audit policy, or edit an existing
one, and guide you through the process. The editor mode is more suited for advanced users and editing
existing policies.
Some key customization options such as the “Policy Editor”, “Authorized Software” and “Authorized Startup
Items” contain the lists of what is determined to be authorized or not during those particular checks.
The “Reporting” options include an “Interactive Mode” setting that will cause Paws Studio to potentially ask
you some questions during an audit. For example, some checks may require a physical analysis, such as “is
the server room door locked?”.
An Audit Walkthrough
Now that we have highlighted the key components of a Paws Studio audit, the process of creating a report
with all the available options is straightforward.
“Network” will enable you to audit other computers on the network. You may need to specify a username and password.
Select the audit policy report that you are interested in. You can select multiple audit policies or specify your
own using the “Import Policy” button (see Figure 10).
Then you can read your report and save it out to a number of different formats such as HTML, Word, PDF,
CSV and others.
Conclusion
This article has delved into what goes on behind the scenes of Paws Studio. By walking you through the key
processes involved in creating your own compliance reports, it will enable you to get the most out of the software.
The above example would make use of the current processing, reporting and save settings. Since the settings
are maintained between the command line and graphical interfaces, those settings could be changed using
the graphical interface.
To list all the possible configuration settings available on the command line you can use the built-in help system:
nipper --help=all
On Linux systems you could also look at the help using the UNIX man system.
Nipper Studio includes a variety of different report formats; the ones system integrators are most familiar
with are XML and CSV. To write a report out in XML format you can use the following command:
Scheduling on Linux
On Linux I am going to demonstrate using Cron to schedule a job to create a Nipper Studio report. I will
assume that you already have a grasp on using command line and Linux utilities, rather than provide a
tutorial on the shell and editors.
Typing the command crontab -e will open the crontab file for the current user and will make use of the
currently defined command line editor for your shell (see Figure 2).
I am then going to add a line that will schedule a job to run Nipper Studio to process a configuration stored
in /configs/myconfig.txt, and save the report to /configs/report.html at 15 minutes past 3 each day.
Once you save and exit the editor the changes to your scheduled tasks will take effect, so as to include the
new task. If you aren’t comfortable using command line editors, you can just list out the current scheduled
tasks for your user by running the following:
crontab -l >scheduled-tasks.txt
You can then edit this file using a GUI text editor such as Kwrite or Gedit, or whichever your preferred
editor is (see Figure 3).
Once you have saved the file, running the following command will add it to the schedule:
crontab scheduled-tasks.txt
I have just used a basic example of processing a single file but Nipper Studio has many other, more advanced
capabilities. Cron also has many other scheduling options that I haven’t covered in this article. Using these
capabilities, together with other tools, it is possible to automate complete audits, integrate them with bespoke
systems, email updated reports and much more.
Scheduling on Windows
As with Linux, Windows also has a task scheduler. This can be found by going to the “Control Panel” then
“System and Security”, then “Administrative tools” and finally “Task Scheduler” (see Figure 4).
To create a new task, select the “Create Basic Task” from the “Actions” pane or the “Action” menu (see Figure 5).
A new task wizard will be shown. In the first step I am calling my task “Nipper”. You can also enter a
description for the task (see Figure 6).
The next page will then allow you to set the frequency of the schedule, with the usual options of daily,
weekly, monthly etc. I have selected daily, the same as the Linux example (see Figure 7).
The next page then allows you to fine tune your selection, for instance if you chose the monthly option, you
would be able to select the specific days of the month. You can also set the time that you want the task to
run. I am going to set it to 15 minutes past 3 (see Figure 8).
On the next page I will choose what type of task it is I want to perform. I am going to select the “Start a
Program” option. I am then going to specify the Program or script that I want to run. This will be the “nipper.exe”
executable that will be found in the installation directory for Nipper Studio, the default is “C:\Program
Files\NipperStudio\nipper.exe”.
In the “Add Arguments” I am going to add the options to pass to the command line. This is in the same format
as for Linux, so I have entered --input=c:\configs\myconfig.txt --output=c:\configs\report.html (see Figure 9).
The last page will just show a review of the task that I have created. Clicking on “Finish” will add the task to
the scheduler (see Figure 10).
Conclusion
There is a broad range of integration possibilities in Nipper Studio; this article set out to provide an insight
into just a few. Features such as scheduling and being able to run Nipper Studio from the command line are
included to make the software as useful as possible for network managers and auditors.
To start, it is worth mentioning that Nipper Studio settings are “sticky” by default. Therefore if you set an
option in the graphical environment, that option will remain set next time you run Nipper Studio. This is also
true of the command line version: setting an option in the graphical environment will set the option for the
command line as well.
To access the settings on Windows you select “Options” from the “Tools” menu (on Linux this is called
“Settings” and on the Mac it is called “Preferences”; see Figure 1).
Due to the number of different customization and configuration options available, the settings window
categorizes the settings into the following groups (see Figure 2):
• Global – These settings affect all areas of Nipper Studio and contain options such as changing the
company name used in the report, the formatting of dates and whether passwords should be shown in the
output. This section also contains an option labelled “Auto Save Settings”. This is the option that makes
Nipper Studio settings sticky.
• Devices – Nipper Studio supports over 100 different network devices and some devices have options that
modify how they process a configuration. For example, Check Point configurations can contain multiple
policies and options are available to determine how multiple policies are handled.
• Reports – You can create a number of different audit report types in Nipper Studio, with more report
types coming soon. These report options enable you to configure the settings for each of the report types.
For example, you may want to modify the audit password length checked during a security audit.
• Saving – As with report types, Nipper Studio also supports a wide variety of different file formats that a
report can be saved as. For example, the HTML report fonts, colors or entire Cascading Style Sheet (CSS)
can be modified using these settings.
The best practice security audit report is the most common type of report created in Nipper Studio, so I will
guide you through the configuration of those options. These can be accessed by selecting the “Reports” icon
on the left and then selecting the “Settings” button next to the “Security Audit” entry.
On platforms that include the “?” icon in the window title, you can gain additional help on the various options
by selecting the “?” icon and then clicking on the option that you would like more information on. Additionally,
the options also include “tool tip” help that appears when you hover your mouse over an option.
Coverage
Due to the large number of different configuration options available for each report type, they have been
sectioned into tabs to make them easier to navigate. First off there is the “Coverage” tab. This is where you
can select or deselect the different categories of configuration settings that you would like included within
your audit report. For example, you may only be interested in auditing firewall rules, so you could deselect
everything except the “Audit Network Filtering” option (see Figure 3).
Reporting
On the reporting tab you can select various options relating to how the security audit is reported. For
example, any identified security audit issues can be scored using one of two different rating systems. The
Nipper v1 (default) rating system is a best-practice rating system. Alternatively you could select the industry
standard CVSS v2 rating system, which is a vulnerability scoring system (see Figure 4).
Figure 4. Reporting
If you choose to select the CVSS v2 rating system you can enter your own environmental metrics so that the
scores are modified to take into account your own environment. You can find out more information on the
CVSS v2 rating system at: http://www.first.org/cvss/cvss-guide.html.
Filtering
The filtering tab includes options to modify how firewall rules and objects are checked. These include
options to enable checks against certain categories of firewall rules, rule complexity and more (see Figure 5).
Nipper Studio contains a number of black lists. If a firewall rule is identified which permits traffic that
matches a black list entry, an issue is reported. The black lists include unencrypted clear text services,
administrative services and hosts. You can modify each of those black lists by clicking on the “Define…”
button next to each one (see Figure 7).
As briefly mentioned earlier, Nipper Studio includes a number of rule complexity checks. These checks
are disabled by default as they add to the time taken to create the audit. If you are interested in identifying
firewall rules that contradict or overlap with other firewall rules, then this functionality can be enabled here.
On large and complex rule bases, especially those from Check Point devices, the complexity checks can add
a number of minutes to the audit process.
Figure 9. Passwords
Conclusion
I hope that this article has provided you with sufficient information about how you can use some of Nipper
Studio’s advanced settings to start customizing your own network audits. There are many other options for
configuring Nipper Studio. For more information about these you can visit the Titania website at
www.titania.com or contact us directly at enquiries@titania.com.
Many years ago now, when network hubs were used, the quantity of network traffic arriving at my laptop
used to be huge. In today’s modern switched networks you usually no longer get to see network traffic that
was sent to a specific network address. However it is still worth checking to see if you can see traffic that
should not be visible in a switched environment. I have had to report to clients on a number of occasions,
instances where I have been watching network packets that I simply should not have seen. I have recently
seen a network hub still being used on a network that should have long since been replaced. In this case the
company being tested was a financial organisation supplier and the network traffic on the hub contained data
from several competing financial clients.
A common network protocol I see used on networks is Link Layer Discovery Protocol (LLDP), which is
used for advertising the capabilities of the sender. LLDP is useful when combined with network management
software, but it is also useful information for an attacker. The screenshot from Wireshark (see Figure 1)
highlights a captured LLDP packet. You can clearly see that it contains information such as the make, model
and software version from the switch; in this case it is a Brocade ICX running IronWare 7.4.00T311. Using that
information it would be trivial for an attacker to review a vulnerability database and then download any exploit
code for vulnerabilities. The information could also be used to obtain default passwords and other configuration
settings that may not have been changed by the network administrator.
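What an LLDP advertisement gives away, as an added example (not part of the original article): the parser below walks the TLVs of a frame and lists the fields that identify the platform and its management address. The frame is constructed; the host name, MAC and IP address are made up, and the platform string reuses the make and version quoted above.

```python
import re
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description", 8: "management_address"}
# Fields that help someone on the wire identify and reach the device.
REVEALING = ("system_name", "system_description", "port_description",
             "management_address")


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type and 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame():
    """Constructed frame: the host name, MAC and IP address are made up."""
    dst = bytes.fromhex("0180c200000e")          # LLDP multicast address
    src = bytes.fromhex("020000000001")
    mgmt = (b"\x05\x01" + bytes([192, 0, 2, 1])  # length 5, subtype 1 = IPv4
            + b"\x02" + struct.pack("!I", 1)     # interface numbering: ifIndex 1
            + b"\x00")                           # no OID
    payload = b"".join([
        tlv(1, b"\x04" + src),                   # chassis ID, subtype 4 = MAC
        tlv(2, b"\x05" + b"1/1/1"),              # port ID, subtype 5 = ifName
        tlv(3, struct.pack("!H", 120)),          # time to live in seconds
        tlv(5, b"core-sw-01"),
        tlv(6, b"Brocade ICX, IronWare 7.4.00T311"),
        tlv(8, mgmt),
        tlv(0, b""),                             # End of LLDPDU
    ])
    return dst + src + struct.pack("!H", LLDP_ETHERTYPE) + payload


def decode_value(tlv_type, value):
    """Turn a TLV value into something printable."""
    if tlv_type in (1, 2) and value:
        subtype, body = value[0], value[1:]
        if tlv_type == 1 and subtype == 4:       # MAC address
            return ":".join("%02x" % b for b in body)
        return body.decode("utf-8", "replace")
    if tlv_type == 3 and len(value) == 2:
        return struct.unpack("!H", value)[0]
    if tlv_type in (4, 5, 6):
        return value.decode("utf-8", "replace")
    if tlv_type == 8 and len(value) >= 6 and value[0] == 5 and value[1] == 1:
        return ".".join(str(b) for b in value[2:6])
    return value.hex()


def parse_lldp(frame):
    """Return {field name: value} for the TLVs in an Ethernet LLDP frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    pos = 12
    if frame[pos:pos + 2] == b"\x81\x00":        # skip an 802.1Q VLAN tag
        pos += 4
    if frame[pos:pos + 2] != struct.pack("!H", LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    pos += 2
    fields = {}
    while pos + 2 <= len(frame):
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if tlv_type == 0:                        # End of LLDPDU
            break
        if pos + length > len(frame):
            raise ValueError("TLV runs past the end of the frame")
        name = TLV_NAMES.get(tlv_type, "type_%d" % tlv_type)
        fields[name] = decode_value(tlv_type, frame[pos:pos + length])
        pos += length
    return fields


def disclosures(fields):
    """List the revealing fields and note whether a software version shows."""
    found = [(name, fields[name]) for name in REVEALING if name in fields]
    description = str(fields.get("system_description", ""))
    version_visible = re.search(r"\d+\.\d+(\.\d+)*", description) is not None
    return found, version_visible


if __name__ == "__main__":
    found, version_visible = disclosures(parse_lldp(build_sample_frame()))
    for name, value in found:
        print("%-20s %s" % (name, value))
    print("software version visible:", version_visible)
```

Run over frames captured on user-facing ports, this shows which ports still advertise platform details and a management address.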
Some manufacturers have developed their own variation of LLDP, the most prevalent of which is the
Cisco Discovery Protocol (CDP). Although CDP is a Cisco proprietary protocol it has appeared on other
manufacturers’ equipment too. You can see from the Wireshark CDP packet capture screenshot (see Figure
2) that the information in CDP also includes the software platform and version. You may have noticed that
both LLDP and CDP include the management address of the devices, very useful.
The Cisco CDP also includes VLAN Trunking Protocol (VTP) domain information, which is also included
in the Dynamic Trunking Protocol (DTP) packets (see Figure 3).
VTP is designed to make network administration easier by enabling the propagation of changes to the
VLANs on the network, such as adding and removing VLANs over multiple network switches. VTP can
be configured in server, client or transparent/off modes. If a switch is in server or client mode it is possible
to modify the VLAN configuration on the switch if you can determine the VTP password. Therefore the
presence of VTP could potentially pose a serious risk to a network, especially when a weak password has
been set.
The VTP password is not easily tested over the network without modifying the VLAN configuration (or
destroying it). Nipper Studio (www.titania.com) can be used to review the actual configuration in order to
determine its state without jeopardising the network (see Figure 4). It certainly would not make you a very
popular penetration tester if you took down a customer’s network by removing all their VLANs.
A tool called Yersinia can be used to monitor the network in a similar manner to Wireshark, but it separates
out protocols such as CDP, DTP and VTP in easy to review sections. However I would recommend using
this tool with caution as it includes a number of network attacks such as using VTP (see Figure 5).
Figure 5. Yersinia
It is sometimes possible to audit the routing protocols present on the network by passively listening to the
network traffic. Even though I should not be seeing routing protocol traffic when plugging in to a standard
network port, at least the following Open Shortest Path First (OSPF) packet capture shown in the next
example (see Figure 6) shows that MD5 authentication has been configured.
However I have often seen routing protocols where either no authentication is configured or default
credentials are transmitted with no encryption. In the next example (see Figure 7), Routing Information
Protocol (RIP) version 1 is being used which has no support for authentication.
There are a huge number of other interesting protocols that have not been covered in this article, such as
Dynamic Host Configuration Protocol (DHCP). However hopefully this article has bestowed a renewed
understanding that simply listening to what the network has to communicate can highlight some security
issues. These are issues which can be, and are too often, missed when security assessments place too great a
focus on the results of network scanners.
Example: How to retrieve the configuration from a Cisco ASA network device.
Below are step by step instructions for retrieving the configuration from a Cisco ASA network device using a
terminal emulator over SSH v2.
1. Enter the necessary information into PuTTY or a program of your choosing (see Figure 1).
5. Once the full configuration has been printed to the screen, copy and paste it into a .txt file ready for
Nipper Studio to process (see Figures 5, 6).
Figure 6. Copy and paste the full configuration into a .txt file
Below are step by step instructions for retrieving the configuration via SSH v2 from one of our test Cisco
ASA devices.
The first time I heard about Nipper Studio was back in 2009 when the product was very new to the market
and still in its first version, Nipper One. I received an industry newsletter which featured Nipper and outlined
the basic features of the tool. It sounded interesting but at that time it wasn’t a tool that I felt we needed and
I didn’t take it any further.
Once we have Nipper Studio installed it enables us to automate much of the review process without
compromising the quality and accuracy of our results. During an engagement we can use the tool to help find
vulnerabilities in the device in a fraction of the time it would take us to do manually.
As a result of the extensive number of devices supported, Nipper Studio enables us to provide a more
consistent and accurate set of results, irrespective of the manufacturer or model of device under review.
Also because we can install Nipper Studio on multiple machines we are able to use the license for various
different customer engagements throughout the year.
Using Nipper Studio means that our clients can now afford to have the security of all their infrastructure
devices checked, rather than just a sample.
She had been smoking one of these things in a pub, and was asked to leave because the pungent odour led
the manager to believe the ‘herb’ in question was the kind defined by Urban Dictionary.
I was surprised by this story. Of course, in the UK it is now illegal to smoke indoors. It only transpired later
that this incident occurred before the ban.
The very thought of smoking inside these days is culturally anathema. The legislation preventing smoking in
enclosed spaces came into force on 1st of July 2007. Backed up by advertising and warning labels, it seems
to have become a social norm.
Cyber security as a cultural norm, or at least a thorough appreciation of the issues, is surely something to
strive for. The easiest opportunity will be the one attacked, and any organization is only as secure as those in
its supply chain.
The 2013 Information Security Breaches Survey conducted by PWC tells us that:
• 87% of small businesses had a security breach in the last year (up from 76% a year ago);
• 36% of the worst security breaches in the year were caused by inadvertent human error;
• 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago);
• 42% of large organizations don’t provide any on-going security awareness training to their staff (and 10%
don’t even brief staff on induction);
• 93% of companies where the security policy was poorly understood had staff-related breaches (versus
47% where the policy was well understood).
Amongst (most) IT professionals there is a fundamental understanding of IT security practices. We would not
click on every link we see, nor plug just any USB drive into a machine. There is already a culture of this
embedded in our clique.
But how do we go about establishing this and other security practices as normal behaviour in the wider user
community? In the earlier example of the smoking ban, there has been a shift from a ‘top-down’ legislative
imposition to a widely accepted social rule. Peer pressure is as likely to prevent smoking indoors as
the threat of a fine.
Similarly, rules and technical solutions will only take you so far in preventing security breaches and data
loss. A good social engineering attack can gain ground no matter how well locked down your network is.
Some of us are old enough to recall a time when PCs were a rarity in the office outside of a thinly staffed
IT department. We now live in a world where we are all in ‘The IT Crowd’ to some degree. However, cyber
security continues to be a niche area. While no one would expect everyone in an organization to possess the
skills of Pen Test Magazine readers, we are at a point where a basic understanding of cyber security needs to
spread throughout the workforce. Indeed, one would argue that it is more important than the skills which are
more often prioritized, such as MS Office.
The starting point is a workplace policy. You can create one from scratch, based on what the priorities are in
your business. Alternatively, there are numerous policy templates that can be downloaded from the Web.
Of course, most of the organizations using Pen Testing will already have a policy in place, but how do they
go about ensuring that it is understood and implemented by all members of staff? And better yet, how do
you reach the point where it is embedded into the culture of your organization, where one employee will
challenge a colleague over poor IT hygiene practices?
As the PWC survey indicated, both induction and regular on-going training should be scheduled in as a
starting point. Once you have decided upon your workplace security policy, you could use a policy checking
tool such as Titania’s Paws Studio.
Paws Studio will help you enforce and check that your work machines are compliant.
Paws Studio, just like Nipper Studio, is very easy to use. You will also find a more detailed walk through
elsewhere in this issue.
While the software naturally comes with pre-installed policies for PCI and many other compliance standards,
the user-generated/customizable policy option is the ideal tool to appeal to users in this arena.
While readers of PenTest magazine will generally like to edit the XML themselves, there is an editor which
allows a further two ways of editing the policy file.
For, say, a small business owner with limited IT knowledge, the most convenient tool is probably the Wizard.
This maintains the hierarchical requirements of the XML while providing a more user friendly method of
creating or customizing your Policy.
Once you have installed and started Paws Studio, select the Policy Editor from the bottom right of the home
screen (see Figure 1).
When the initial screen opens, select the Wizard button on the left (see Figure 2).
In this example, I have chosen to use the supplied Titania template, which comes as a sample pre-defined
policy. Opening it provides some summary information (see Figure 3).
At the top of this screen, you can see the three levels of the hierarchy in the policy file, which are:
Requirement, Group and Check. In the next screenshot (see Figure 4), I am at the Requirement level and
choose to add a Group.
I call this Group ‘Antivirus check’, and add the Check in at the next stage (see Figure 5).
In the next section, you are able to add the details of your specific Check. I give it an ID and a Title, and then I
am able to choose from one of the supported checks. For example, Manual Checks are Checks where the user
needs to perform some kind of check themselves – for example, ensuring that a suitable lock is fitted to the
server room door and that it is used. Naturally, Paws Studio can also automatically check for various issues on
an individual machine. In the example here I am looking for suitable antivirus software, but other examples
include (but are not limited to) password policy, system updates and installed software (see Figure 6).
Figure 6. Check
On the final screen, you can review all the checks in your file and save it for later use during a Paws Studio
audit (see Figure 7).
So with both the training and the regular checks on your machines using software like Paws Studio, you can
go a long way in terms of both explaining and enforcing your security policy.
But we can do more. Of course, for the readers of this magazine, we certainly hope that organizations will
regularly engage the services of a Pen Testing company. However, it is also worth considering setting up a
method to regularly check the response of your employees to some of the most common types of attack.
At Titania, we set up a webserver and used it to run mock phishing attacks against our employees. It was
very straightforward; we just used a virtual machine, an Apache webserver and a variety of email accounts
to run some attacks. It was then simply a matter of checking the logs to see who had responded. I am very
happy to say that we had no responses from our employees – they are obviously very well trained!
Of course, once you have the webserver, you can use it in the future to run more ‘attacks’. It is worth doing it
often to both judge how aware your staff are of your policy, and to keep it fresh in their minds.
This is a simple method of testing your training methodologies and generating debate amongst staff. There
are probably many similar techniques you can use.
For example: Insert a point in your policy document that USB drives found on or near work premises should
be handed to a nominated person in your organization, then liberally sprinkle a few cheap USB drives
around the area.
If, when you check the drive locations they have disappeared but have not been handed in, then it can
perhaps be raised at the next staff meeting. If, for some reason, USB drives are not locked out on your
company hardware, you could perhaps have a text file on the drives with something like: ‘Oops, you have
breached security policy point X’.
One very important point that needs to be made here: this is not about punishing or tripping up employees.
It’s about lighting those metaphorical cigarettes in the workplace, and seeing who responds appropriately.
Those who do can be used as good examples or torch-bearers for the rest of the team.
So, this gives you – or your clients – a simple three pronged approach to building the IT aware culture we
should be aiming for:
• Codify a policy;
• Enforce it [regularly];
• Test it [regularly].
The fourth important ingredient is, of course, time for the policy to permeate and percolate until it becomes
normal behaviour.
Perhaps the more businesses that use this or a similar approach, the more exacting such businesses will be
during their interactions with other organizations. If that happens, then such a culture might
start to spread exponentially.
Poor cyber security, like smoking, is an expensive bad habit. Unlike smoking, it can have very bad
consequences for more than just the user and those near to them.
Although penetration testers know that compliance does not equal security, Governments and standards
bodies could be said to be driving Global Cyber Defence towards compliance based auditing. So, what are
the benefits to be had and what are the risks to your organisation and how do you communicate them to your
board? As security professionals we know compliance standards have a clear benefit in raising the overall
security baseline, but there are major concerns as to whether it is also driving the belief that compliance
IS security. CEOs of compliant organisations are now concerned about the rising litigation associated with
liabilities accrued in failing their security ‘duty of care’. Compliance isn’t enough; you must also be able to
prove your company is undertaking due diligence on security.
Since opening our first office in December 2010, Titania has experienced considerable growth. We now
supply our products directly, and through a network of global partners, to organizations in over 50 countries
worldwide. Our customers tend to be those that are security conscious, in sectors such as finance, defense,
telecommunications, auditing and manufacturing.
What is it like leading a company like Titania and what are some of the challenges you face?
There are of course many technical and development challenges to running a business like Titania that
specializes in cyber security auditing. However, as soon as we started trading our largest problem was
responding to our customers’ requests to purchase the software and keep up with the demand for new features
and functionality. In fact our largest challenge to date has been to manage the growth of the company.
We are always looking to keep ahead of the competition and we have decided on a plan to achieve that goal
through the technical capabilities of our products rather than through our company’s marketing arm. So
although we sometimes have a difficult time communicating our message, our products speak for themselves.
Do you offer any professional services?
We do not provide any professional services at present, though we are always continuing to review that
situation. So we may add professional services at a later stage, both directly and through our network of
global partners.
Users of our software do not require training services as one of our development goals was always to make
our products as easy to use as possible. I believe we have succeeded in that goal. I have personally seen
non-technical people produce detailed and complex security audit reports using our software with no previous
experience with the tool. This being said, we are not resting on our laurels and we continue to look at ways
to further improve user interaction with our products.
How often do you refresh (update) your products to meet the latest security challenges and threats?
Our products are continually being updated and are evolving to meet the requirements of our customers
and the new issues that emerge in the industry. Typically each of our products has a short release cycle with
updates being made available monthly.
Can you mention some of your top-selling products?
Nipper Studio is our company’s flagship product. It takes the manual process of reviewing how network
switches, routers and firewalls have been configured and automates it. This is not done using the intrusive
method of scanning a network device, which would not give you the full picture of how the device has been
set up, but by analysing their native configuration.
The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting,
configuration reporting and more. The reports produced are equally detailed and specific; they were designed
with technology that writes the report just like a human would. This is in contrast to traditional computer
report writing technology that simply joins pre-written paragraphs of text together and rarely accurately
describes how something specific has been configured.
Our most recent product, Paws Studio, is a Windows and Linux compliance product for servers, workstations
and cloud-based systems. It was developed based on very specific security requirements of our customers
who work in highly secure environments, with very sensitive information. They needed a solution that could
be run without installing software on the audited system. Therefore we built Paws Studio to be able to run
over the network, on the local system or offline with no connection to the audited system.
Although we have pre-configured Paws Studio with a number of different compliance check lists, you can
define your own compliance checklist within the product. We have developed a Policy Editor that enables
you to either modify one of the pre-defined compliance lists or create one of your own from scratch.
All of our products have been designed to be integrated with bespoke and third-party systems, including
continuous monitoring setups. They can easily be integrated using a scriptable interface and you can export
the report data in a variety of different formats. We also release our products with multi-platform support
covering Microsoft Windows, Apple Mac OS X, Red Hat Linux, Ubuntu, Fedora and so on.
Our customers are very important to us and their needs play a key role in the development of all of our
products. We base a lot of our development plans around their feedback and requests.
Where do you see Network Security heading in the next few years? What are some of your predictions?
I see that security compliance is going to play an ever larger role within the industry than it does today.
It is great to see progress towards an ever improving security baseline, but it also saddens me to see
many organizations depending solely on compliance as the means to being secure. It is why I believe it is
important that the security industry, in addition to enhancing security compliance lists, highlight the fact that
being compliant does not mean you are secure. Unfortunately I can see there will continue to be security
breaches in organizations who manage security risks with compliance instead of striving to ensure a truly
secure environment. You can almost picture the victim company’s statement now. It would read something
along the lines of, “The company had met their compliance standards and we are now reviewing our current
operating practices to ensure how best future breaches could be avoided”.
Nipper Studio is fairly popular in the network security industry; can you give us some historical
background on that product?
I have a background as a penetration tester and regularly performed manual assessments of various network
devices. A proper assessment of a network device is not a five minute task; each aspect of how a device
can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who
is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of
knowledge about the device being reviewed. It seemed to me that this is exactly the type of task that is
suitable for automation.
***** It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge
of every system they come across. The same is also true of the network administrators who manage those systems; they may not have the in-depth security
background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side, giving penetration
testers device-specific assistance and helping network administrators identify potential security weaknesses. *****
Although Nipper Studio originally started life simply identifying a limited number of security weaknesses
with Cisco configurations, it soon grew by adding support for more devices, identifying more security
weaknesses and eventually writing the security audit report for you.
At Titania, how do you strive to achieve top-quality software? What kind of quality control do the
products go through?
This is a very challenging aspect of developing a product such as Nipper Studio. The number of moving
variables involved with the development process is huge. We support a large number of different devices, the
manufacturers of which are constantly updating and revising their platforms. Plus the vulnerabilities in each
platform are forever evolving.
We maintain a growing test environment that includes the different devices that we support, plan to support
and some others that may never get added to Nipper Studio. These are all used during the development and
testing process, together with different firmware versions. To help manage the development plan for this
we employ a development and tracking system that enables us to manage all these variables together with
improvements suggested by our customers. Each developer and tester knows from our tracking system what
tasks they need to be working on next.
Nipper Studio supports various Cisco devices and some people may be under the impression it
only supports Cisco devices. What would you like to say about that?
Nipper Studio does support a wide range of Cisco devices; it was originally developed with only Cisco
support and it is used by Cisco. So it is easy to understand how historically Nipper Studio could be mistaken
for supporting only Cisco devices. However, the latest versions of Nipper Studio support over 100 different
devices from different manufacturers and are used internally by a growing number of those manufacturers.
Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a
number of network devices made by someone else. We are often approached by customers asking for us
to add support for unusual systems and devices. The network devices that we see deployed in data centers
have evolved over time with increasing deployments of some devices and the reduction in others. We have
developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to
quickly develop, test and deploy support for new devices.
Very often clients complain that they are not offered good product/customer support. How do you
ensure good customer support?
It was important for us to achieve our ISO 9001 accreditation as it helps us to ensure that every customer
receives the same high standard of support from the point that they first engage with the company to when
they receive the product and the subsequent support process that follows. We believe that every customer
deserves great customer service and technical support and we offer these services free of charge to every one
of our customers. Our ISO 9001 conformance not only ensures that all of our staff deliver the highest level
of support but also promotes continuous improvement throughout the company. We achieve this through
collecting and reviewing customer feedback and auditing our customer care processes.
Thank you Ian, for the interview.
By PenTest Team
Figure 1. Outside Earls Court during Infosecurity Europe. Photograph Provided by Reed Exhibitions
(October 2013)
Titania will be exhibiting for its fourth year and we would recommend Infosecurity Europe as a key show for
both independent and corporate Penetration Testers. Not only will it give you a good overview of the tools
your customers are using to manage their systems, but you will also gain invaluable information on the latest
business critical issues and hot topics.
Seminars are delivered at all levels and include industry focussed topics in both business and technical areas.
The keynote theatre is a great place to update on global trending topics and you’ll find both high level guest
speakers and strategic end-user panel discussions.
Hot topics for 2013 included application security, business continuity and digital forensics, encryption, managing
the human factor, compliance, identity access management, network infrastructure and secure transactions.
Whatever current problems are keeping your customers awake at night, you can be sure that the seminars,
workshops and keynote theatre will leave you armed with both the issues at hand AND the industry’s best
practice advice.
Hundreds of key vendors, thousands of products and services
Infosecurity Europe is on a growth streak and had over 13,000 visitors last year (ABC audited).
Figure 2. Inside Infosecurity Europe: Photograph provided by Reed Exhibitions (October 2013)
Visitors range from SMEs to large multinationals and from diverse market sectors.
It’s no surprise that leading security vendors choose InfoSec to showcase their latest and greatest innovations.
In a fast paced industry it’s important that, as a security professional, you are able to review your security
choice, method and message against the current security marketplace.
Are you getting best value, is there a leaner more efficient way of achieving your current requirements, are
you still “ahead of the curve”?
If you’re happy with your current choices it’s also a great opportunity to get an update on the latest features
from your current product vendors AND iron out any niggling operability questions!
In 2013 there were over 350 key security vendors at Infosecurity Europe, so there’s no better opportunity to
see what’s on offer and build some new business contacts.
Multiple Networking Opportunities
Through the exhibition, seminars and workshops, you’ll have the opportunity to network with peers from
other sectors, often gaining new and fresh insights into common threat areas.
Many of Titania’s customers are Penetration Testers (who use Nipper Studio to improve their ROI on configuration
reviews). Their first-hand experience is that InfoSec is a great B2B opportunity and not to be missed.
If you make it to Infosecurity Europe this year, stop by our stand (G25). We’d love to hear what you think of
the show and would be happy to show you our latest products and updates!
When it comes to performing security assessments of network devices such as firewalls, routers or switches
then Nipper Studio is the first tool we reach for.
After running a Nipper Studio audit, the report is presented (as HTML) within an embedded browser. Nipper
Studio also allows the user to export that report in a number of easily selectable formats (CSV, txt, HTML,
XML etc.). A nice feature of the presented report is the cross-linked references to issues, tables, etc. which
enables the user to drill down in to logical names present in rules (such as object groups). Any passwords,
some of which are decoded from the obfuscated forms, can either be displayed inside the report or masked.
Additionally, Nipper Studio reports on known software vulnerability issues for the device firmware version,
without the need for an active Internet connection. This saves time that can then be spent reviewing the
issues identified or considering the device within the business context. For example does the device
adequately fulfil the role it is supposed to play, or should additional rules be present to address specific needs
or concerns of our customer?
The options to perform checks against different compliance policies, as well as differential comparisons (a
“before” and “after” review to highlight changes), makes what would be a time-consuming and challenging
task a quick and straight-forward one.
The output formats supported by Nipper Studio enable our penetration testers to use bespoke tools to
process the report output and process references such as CVE numbers. These are then imported in to our
own custom reporting tools.
The explanations of the issue findings in Nipper Studio also serve as both an insight and a reminder when
encountering some of the more obscure issues or features present on a device. For instance a configuration file
command that starts “glbp” may not be immediately recognised by a tester as the Gateway Load Balancing
Protocol, a proprietary Cisco protocol. The issue help text from Nipper Studio expands such acronyms and
enables the tester to recall their understanding of the technology invoked by the “glbp” command.
The benefits of using Nipper Studio for security analysts mirror those for the client: It offers a faster,
potentially more in-depth review with more technical detail available. Furthermore, it has the ability
to determine if a device adheres to necessary compliance policies, documented design rules, or what
configuration changes are present against a known baseline. For example, imagine a company detects
that their internal network has been compromised, but are unsure if the attacker gained access to a router
and changed the configuration (to breach network segregation). They can quickly compare the current
configuration against the Nipper Studio report of a known-good configuration that could not have been
affected by a hacker, (e.g. stored on a backup CD that is held in a safe at another location).
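One way to run that known-good comparison directly on configuration text, as an added example that is not Nipper Studio's or Portcullis's code: it groups IOS-style lines into blocks and reports what was added, removed or changed, keeping access list entries in order because their order changes the result. Both configurations and all function names are constructed for this example.

```python
import difflib


def parse_sections(config: str) -> dict:
    """Group an IOS-style config into blocks keyed by their top-level command."""
    sections = {}
    key = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if line[0].isspace() and key is not None:
            sections[key].append(line.strip())  # child of the current block
            continue
        words = line.split()
        if words[0] == "access-list" and len(words) > 2:
            # Numbered ACL entries are separate top-level lines: keep each
            # list together, in order, under "access-list <number>".
            key = " ".join(words[:2])
            sections.setdefault(key, []).append(line)
        else:
            key = line
            sections.setdefault(key, [])
    return sections


def compare_configs(baseline: str, current: str) -> dict:
    """Report blocks added, removed or changed relative to the baseline."""
    old, new = parse_sections(baseline), parse_sections(current)
    changed = {}
    for key in sorted(old.keys() & new.keys()):
        if old[key] != new[key]:
            # Keep only real additions and removals, not ndiff's '?' hints.
            changed[key] = [d for d in difflib.ndiff(old[key], new[key])
                            if d[0] in "+-"]
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


# --- Constructed configurations: known-good backup and the running device ---
BASELINE = """\
hostname edge-rtr
!
interface GigabitEthernet0/1
 description users
 ip access-group 101 in
!
access-list 101 deny ip any 10.10.0.0 0.0.255.255
access-list 101 permit ip any any
!
line vty 0 4
 transport input ssh
"""

CURRENT = """\
hostname edge-rtr
!
interface GigabitEthernet0/1
 description users
 ip access-group 101 in
!
access-list 101 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip any 10.10.0.0 0.0.255.255
access-list 101 permit ip any any
!
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    report = compare_configs(BASELINE, CURRENT)
    for block, lines in report["changed"].items():
        print(block)
        for entry in lines:
            print("   ", entry)
```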
In one case, a client had asked for a security assessment of a firewall, with specific consideration given to
the protection of key network assets. The firewall had a large number of rules configured and there was a
chance that the assessment could not have been completed in the time available. By using Nipper Studio
to automate the time consuming process of manually identifying issues, the tester was able to take a “step
back”. With the help of a network diagram they determined that, although access to key assets was prevented
from the Internet, there were no such restrictions in place to prevent access from an internal network area.
The client was then able to add additional filtering to prevent access to the sensitive data held within those
key assets. The client commented that none of the previous firewall assessments undertaken had identified
this issue which when pointed out seemed obvious.
In conclusion, Portcullis use Nipper Studio to quickly identify potential security concerns arising from the
configuration of network devices, in a way that provides those findings in formats that can be processed by
scripts. The consultants save time, allowing more in-depth assessments even in environments where internet
access is not permitted. These assessments take into account the environment in which a device will operate,
allowing better (and more detailed) information to be provided to clients. Any technical team that have
a need to review, assess or compare the configurations of firewalls, routers or switches would do well to
consider Nipper Studio.
The most common result is to use a dual approach, combining scanning or agent based software, with annual
penetration test reviews – to use the same analogy, daily brushing and an annual trip to the dentist.
This two-layer response does offer some advantage: it’s great for regular big-picture analytics (the ones
that boardrooms like) and the annual penetration testers do a thorough job of analysing vulnerabilities and
providing a detailed report.
Unfortunately as anyone with a mouthful of fillings can testify, it also often lets the rot set in!
Agent-based audit software requires software to be installed on the audited devices, which is not possible for all
devices. Furthermore, the required agent software can introduce additional security vulnerabilities.
Penetration testing requires expert level knowledge and is one of the most widely used and trusted forms of
detailed security analysis. The process involves simulating an attack on your network systems through active
exploitation of security vulnerabilities. To the resident network team, it can feel like the equivalent of lining
up for a root canal….
Typically your primary goal is to test the operational capability of your network defenses to successfully
detect and respond to attacks. Depending on the agreed scope of the test, reported elements may include:
hardware and software vulnerabilities, poor or improper system configuration and suggested improvements
to operational processes.
Examining individual device configurations is highly time-consuming with significant manpower costs.
Typically this results in point in time audits, extrapolating results from a sample of devices and potentially
leaving vulnerabilities on non-assessed devices.
He realized that by automating the detailed configuration vulnerability analysis he could improve auditing
speed, accuracy and return on investment.
Through many years of hard work he developed a configuration auditing solution that is now a “go to” tool
in both SME and global Penetration Testers’ tool kits and has grown far past its original brief.
Typically your penetration tester’s toolkit isn’t something you can pass on, but as a “cyber hygiene”
professional, it makes sense to look for ways to reduce the likelihood of vulnerability cavities developing
between visits…
The interim use of a cost effective configuration auditor widens the potential for detailed device analysis
and on-going identification of potential security weaknesses. Return visits can then be less about finding
conflicting rules and compliance failures and allow more focus on operational improvements and higher
level security issues.
Nipper Studio quickly performs a thorough security assessment of multiple complex network devices,
providing a detailed audit report, typically unachievable with scanning based technologies. The audit report
can be used in a variety of ways and includes recommendations and commands to mitigate the issues.
It requires no additional services on the device or agents to be installed and can audit the devices without
either scanning or connecting to them (ideal for high security clients)!
It is designed to be both flexible and easy to use. Its functionality can be extended through plugins, and it
allows for custom integration into bespoke systems, e.g. for use in continuous monitoring.
The device configuration can be read in by loading a saved configuration file obtained from the device or by
connecting to the device over the network.
Once a device’s configuration has been processed by Nipper Studio a wide range of report types can be
created, such as a penetration tester grade security audit, configuration reporting, compliance analysis,
change reporting and more.
An extensive range of options enables you to fine-tune and customise your reports with no expert
knowledge required.
So if you’re looking at what configuration auditors could do to improve your own ROI, or for a tool to help your
clients monitor their internal controls, then you can refer to our Nipper Studio overview above.
Other products in the marketplace now have some overlap, but it’s a good guide for what to expect your
configuration auditor to deliver.
Titania’s Paws Studio Review
Whether you see compliance as a burden or an aspiration, we are frequently mandated to meet a certain set
of security requirements around our information assets. One important aspect is being able to demonstrate to
yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure
that your systems are compliant with your policies or those mandated by compliance standards? A program
of auditing your systems will help you understand the state of your estate.
Titania’s Paws Studio provides a means to audit Windows and Linux systems and provide compliance
reports against a defined set of policies. It sets out to provide clear and detailed reports of the system’s level
of compliance. Policy templates are editable and Paws Studio comes with predefined templates based on
established policies and best practice including PCI, SANS and DoD STIG.
Policy templates are essentially a group of compliance audit checks built from the check library provided by
Paws Studio. Checks range from high-level tests such as the presence of antimalware software right down to
individual file permissions and registry settings.
There are two ways of creating and customising policy templates. The first is a wizard that guides you
through creating your policy. Here you can define the rules that comprise your policy by clicking through a
series of screens and selecting checks from the library. The interface is straightforward and self-explanatory
and it is a great tool for less advanced users. However, the more technically minded user might find it time
consuming and prefer to use the supplied Policy Editor instead, which is undoubtedly the more powerful tool.
The Policy Editor provides you with a tree layout of your policy, giving you a bird’s eye view and the ability
to quickly navigate through the rules.
In addition, clicking on the advanced tab gives you a syntax-highlighted view of the raw policy XML.
Whatever tool you choose, the result is an XML file defining the compliance checks for your policy and
metadata used to generate the final compliance reports.
Once you have your policy defined, it’s time to audit your systems. In order to compile a report you need the
compliance audit data collected from a machine. At this point you have three options. You can choose to audit
the local machine where Paws Studio is installed. You can also audit a system over the network. To do this
you will need valid administrator credentials on the remote system. Paws Studio will scan the local network for
hosts to audit or you can specify the IP address of the machines in scope.
The third option is to use the portable data collector software, a small executable that can be run from a
thumb drive. This is particularly useful where you need to audit a system that is not on the network or is
air gapped from your audit workstation. Run the Data Collector, choose an audit policy and it will create a
.paws file with the audit results.
Once you have collected your audit data you can produce a report on the audited system. Reports contain
the result of each test on the system as well as summary charts showing the percentage of tests passed and a
breakdown of tests that failed by severity. Paws Studio creates a compliance audit report that can be saved
as HTML, PDF, PostScript or Microsoft Word document. CSV and XML formats are also available so you
can feed machine-readable reports into other reporting systems or build your own applications to consume
your compliance data.
Paws Studio is available for Windows, Mac OS X and various flavours of Linux and currently supports
auditing of Windows and Linux systems. This software pitches to the SME market who could be priced out
by enterprise-grade auditing software though they are unlikely to benefit from the bells and whistles these
tools provide. If you need a cost effective and easy to use compliance reporting tool, Titania’s Paws Studio
certainly merits a second look.
by Jim Halfpenny
Nipper Studio Review
There’s no shortage of vulnerability assessment tools out there and this time I’m looking at one that’s a little
bit different. Nipper Studio from Titania offers a means to audit that often forgotten part of your network: the
network itself. Routers, switches, firewalls and other network appliances are the fabric of your network and
should definitely be in scope for any rigorous information security programme. I’ve given Nipper Studio a
test drive to see how it performs and how it differs from other tools out there.
Firstly it’s worth pointing out that Nipper Studio is not a traditional vulnerability scanner that trawls your
network looking for weak spots. Instead you feed Nipper Studio the configuration files from your network
devices and it audits them, producing a detailed report. This offline auditing means no traffic is generated
by the audit and there’s no need to plug anything into your network, a definite plus for those working in
high-security environments. Working from the inside out provides a totally different insight compared to
traditional network-based scanners.
Nipper Studio offers good cross-platform support with packages available for Fedora, OpenSuSE, CentOS
and Ubuntu flavours of Linux as well as Windows and Mac OS X. I’ve been testing out the version for
Ubuntu, which is supplied as .deb packages for 32-bit and 64-bit systems. There is a good range of supported
devices with all the usual players such as Cisco, Juniper and Checkpoint represented as well as some of the
rising stars like SonicWALL on the list. As well as a GUI tool for generating reports Nipper Studio includes
a command line version, very useful for scripting and automating audits.
Some of the wide range of network devices supported are shown above
Fire it up and Nipper Studio starts with a clean UI showing your reporting, configuration options and built-
in documentation. Creating a report is as simple as clicking on the new report link and telling it the location
of your configuration files. You can add multiple devices to a single report and load previous reports for
comparison. Human readable full and summary reports can be generated in several formats including
HTML, PDF, PostScript and LaTeX. Additionally you can create CSV, SQL and XML outputs enabling you
to further process, report and archive your results.
The reports may appear on the surface very similar to vulnerability assessment reports from other tools but it
is the level of detail that really shows off the benefits of this method of security auditing. Nipper Studio will
report on firmware version, timeouts, routing and VLAN configuration, service banners, authentication and
other configuration best practice which external scanners may miss. Exposing the internal configuration of
the device exposes potential issues that simply cannot be seen from the outside or may be time consuming to
evaluate such as weak authentication.
Reports on each finding are very detailed and include a severity level, ease of exploitation and
recommendations on how to remedy the issue as well as CVSS v2 scores where applicable. Audits can be
customised to include your organisation’s name and logo and to report based on your organisation’s
security policy, such as password age and strength. You can also include your own notes and control which
sections of the report to include so you can tailor it to the intended audience.
An important feature worth mentioning again is the ability to compare the results from previous reports. This
enables you to see what has changed between audits and helps you to gauge the progress you’re making in
improving the security posture of your network environment as well as highlight new threats. You will also
be able to detect unauthorised or unplanned changes to your network outside of your change control process.
It’s all too easy to make an ad hoc change and not document it, with unpleasant consequences further down
the line. This is not a tool solely for point-in-time inspection of your network.
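The offline audit and audit-to-audit comparison described in this review, as an added example that is not Nipper Studio's code or output: a few illustrative checks run over two constructed Cisco IOS-style configuration snapshots, with the findings compared to surface changes made between audits. The finding ids, the check list and both sample configurations are assumptions made for the illustration.

```python
import re

# Constructed sample configurations (Cisco IOS-style), not from a real device.
BASELINE = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 <constructed-hash-placeholder>
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""
CHANGED = """\
hostname edge-rtr-01
no service password-encryption
enable password ConstructedExample
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

# Hypothetical finding ids; each regex flags one weak setting in the saved file.
CHECKS = [
    ("AUTH-1", "enable password used instead of enable secret", r"^enable password "),
    ("AUTH-2", "password encryption service disabled", r"^no service password-encryption"),
    ("MGMT-1", "Telnet permitted on a management line", r"^ transport input .*\btelnet\b"),
    ("MGMT-2", "idle session timeout disabled", r"^ exec-timeout 0 0\s*$"),
]

def audit(config_text):
    """Return the set of finding ids raised by a saved configuration (no device access)."""
    return {fid for fid, _desc, pattern in CHECKS
            if re.search(pattern, config_text, re.MULTILINE)}

def compare(previous, current):
    """Split findings into new, resolved and unchanged between two audits."""
    old, new = audit(previous), audit(current)
    return {"new": sorted(new - old),
            "resolved": sorted(old - new),
            "unchanged": sorted(old & new)}

if __name__ == "__main__":
    descriptions = {fid: desc for fid, desc, _ in CHECKS}
    # Findings that appear only in the later snapshot point at changes made
    # between audits, including ones that bypassed change control.
    for fid in compare(BASELINE, CHANGED)["new"]:
        print(f"NEW {fid}: {descriptions[fid]}")
```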
Nipper Studio is licensed on a per-device basis starting at $1000 for 25 licenses, working out at $40 per
device. As you would expect discounts are available for larger purchases; 1000 or more licenses will set you
back $8.50 per device. Compare this to the cost of a manual check by an experienced auditor and you’ll get
a figure an order of magnitude less for Nipper Studio as well as the benefit of rapid and repeatable reporting.
Is there anything that this product would miss that a trained auditor would catch? Quite possibly, but using
this tool for your initial baseline and regular testing means you can cover off the majority of common issues
and spend your remaining security budget more effectively.
by Jim Halfpenny