Dedicated Issue: TITANIA

Copyright © 2013 Hakin9 Media Sp. z o.o. SK

Table of Contents

TOOLS

Titania Free Tools
By Nigel Matthews and Max McFarlane, Titania
Since the developers at Titania come from a penetration testing background, over the years they have created
a number of tools to assist with their work. Furthermore, some of those tools have been released to help
assist other penetration testers with their work. This article takes a look at two of those tools, SSL Scan and
Banner Grab.

Paws Studio Walkthrough
By Alen Damadzic, Titania
Paws Studio is a compliance auditing tool for servers, workstations and other Windows or Linux based
systems. At a basic level, creating a compliance report in Paws Studio can be as simple as selecting an audit
policy and clicking ‘go’. However, behind the scenes Paws Studio is performing a number of different
processes. This article provides a walkthrough of those processes to enable you to create truly effective and
thorough custom policies to audit against.

Automating Nipper Studio Audits
By Edwin Bentley, Titania
Nipper Studio is typically used by security specialists using the graphical interface from their testing desktop
environment. However the Nipper Studio system integrators make use of the equally powerful command
line interface to integrate the report output into their own setup. This article provides a glimpse into the
integration possibilities by showing how Nipper Studio can be run from the command line and scheduled on
Linux and Windows systems.

Advanced Nipper Studio Configuration
By Ian Whiting and Edwin Bentley, Titania
Nipper Studio contains a wealth of configuration options to modify and customize the audits that are
produced. This article covers how to access and modify those settings to enable you to fine tune your own
audit reports.

TECHNIQUES

Listening to the Network
By Ian Whiting, Titania
It is all too easy during the start of a new penetration testing infrastructure commission to jump straight in
with network scanning. In the midst of all the excitement of identifying live IP addresses, open network ports
and all those potential vulnerabilities, it is easy to neglect what the network is trying to tell you.

Retrieving a Configuration for Use in Nipper Studio
By Aran Jarvis, Titania
When retrieving a configuration from a network device, it is always advisable to use the securest method
possible. Often the securest method will be to use a console port but not all devices will have a console port
or it may not be possible to access it. When you are not able to physically connect to the device there are
several other possibilities for retrieving the configuration.

Using Nipper Studio for Penetration Testing
By Peter Wood, First Base Technologies
We first evaluated Nipper Studio in July 2012 when we had a requirement to audit several routers and switches
for a large client. After running a few reports, I realised the tool was exactly what we were looking for, as all
our previous reviews of network devices were done entirely manually. Nipper Studio was the only product we
could find that provided this level of detailed configuration audit review.

How to Inculcate a Cyber Security Culture Throughout an Organization
By James McDonagh, Titania
Amongst (most) IT professionals there is fundamental understanding of IT security practices. We would not
click on every link we see, nor plug just any USB drive into a machine. There is already a culture of this
embedded in our clique. But how do we go about establishing this and other security practices as normal
behaviour in the wider user community?

LET’S TALK ABOUT SECURITY

Security and the Rise of Compliance
By Andy Williams, Titania
Although penetration testers know that compliance does not equal security, Governments and standards bodies
could be said to be driving Global Cyber Defence towards compliance based auditing. So, what are the benefits
to be had and what are the risks to your organisation and how do you communicate them to your board?

Interview with Ian Whiting
By PenTest Team
Ian has been working with leading global organizations and government agencies to help improve computer
security for more than a decade. He has been accredited by CESG for his security and team leading expertise
for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software
products that can be used by non-security specialists.

Infosecurity Europe Review
By Nicola Whiting, Titania
Infosecurity Europe is an annual show which takes place every April at Earls Court in London. Titania
will be exhibiting for its fourth year and we would recommend Infosecurity Europe as a key show for both
independent and corporate Penetration Testers.

REVIEWS

A Tool that Tells a Tale
By Richard Hatch, Portcullis
At Portcullis we understand the benefits of automating data gathering and parsing data with tools to quickly
extract pertinent information. Such information can be used to automatically run additional targeted checks
against certain network services for example.

Configuration Auditing: The Hygienist you’ve Always Wanted!
By Nicola Whiting, Titania
For many, configuration security ranks about the same as dental hygiene. The most common result is to use a
dual approach, combining scanning or agent based software, with annual penetration test reviews - to use the
same analogy, daily brushing and an annual trip to the dentist.

Paws Studio Review
By Jim Halfpenny
How do you ensure that your systems are compliant with your policies or those mandated by compliance
standards? A program of auditing your systems will help you understand the state of your estate.

Nipper Studio Review
By Jim Halfpenny
Nipper Studio from Titania offers a means to audit that often forgotten part of your network: the network itself.
I’ve given Nipper Studio a test drive to see how it performs and how it differs from other tools out there.

Dear Readers,
With great pleasure we would like to present to you the latest issue of PenTest Open, which has been created in
cooperation with Titania, a multiple award-winning provider and developer of IT audit software.

So what has the Titania Team prepared for you? The issue is divided into four sections: ‘Tools’,
‘Techniques’, ‘Let’s Talk about Security’, and ‘Reviews’.

The first section will be opened by Nigel Matthews and Max McFarlane from the Free Tools Development
Team at Titania. They will describe two tools that have been created to support Titania’s commercial
projects. Next, you will read ‘Paws Studio Walkthrough’ by Alen Damadzic who will explain what Titania’s
latest distro can do. Afterwards, thanks to Edwin Bentley and Ian Whiting, you will be able to profoundly
explore Nipper Studio, the kick-off project of Titania, in ‘Automating Nipper Studio Audits’ and ‘Advanced
Nipper Studio Configuration’.

The ‘Techniques’ section starts with ‘Listening to the Network’ by Ian Whiting, Founder and CEO of the
company, who will share with you his thoughts on what makes a good penetration tester and IT security
specialist in general. Then two real world examples of using Nipper Studio will follow: ‘Retrieving a
Configuration for Use in Nipper Studio’ by Aran Jarvis and ‘Using Nipper Studio for Penetration Testing’
by Peter Wood, CEO at First Base Technologies and Titania customer. The section will be closed by James
McDonagh explaining ‘How to Inculcate a Cyber Security Culture Throughout an Organization’.

And now, ‘Let’s Talk about Security’, shall we? So, what should we do in the face of ‘Security and the Rise of
Compliance-based Auditing’? Andy Williams will give you some ideas on that. Next, we will invite Ian
Whiting to speak about his projects once more, this time interviewed by the PenTest Team. The section will
close with Nicola Whiting bringing you the ‘Exhibition Review: Infosecurity Europe’.

Finally, we have the ‘Reviews’. Here, Richard Hatch from Portcullis speaks first, presenting you with his
experiences of using Nipper Studio. Afterwards, Nicola Whiting will add some words about ‘The Security
Hygienist you’ve Always Wanted!’, and finally, the issue will close with two formal reviews of Nipper
Studio and Paws Studio, both by Jim Halfpenny, an independent expert.

That’s it, the newest PenTest Open brought to you by the PenTest Team, with the great help of the Titania
Team, their customers and Ruth Inglis, Marketing Manager at Titania, who has greatly contributed to this
publication.

So, there is nothing left but to wish you enjoyable reading. Ready... steady... pentest!

Zbigniew Fiolna and PenTest Team.

Editor in Chief: Ewa Duranc
ewa.duranc@pentestmag.com

Managing Editor: Zbigniew Fiołna
zbigniew.fiolna@pentestmag.com

Editorial Advisory Board: Ruth Inglis, Jeff Weaver, Rebecca Wynn

Betatesters & Proofreaders: Rodrigo Comegno, Gilles Lami, Elia Pinto, Sagar Rahalkar, Jeffrey Smith,
Tom Updegrove

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance
there would not be a PenTest magazine.

Senior Consultant/Publisher: Pawel Marciniak

CEO: Ewa Dudzic
ewa.dudzic@pentestmag.com

Production Director: Andrzej Kuca
andrzej.kuca@pentestmag.com

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@pentestmag.com

Publisher: Hakin9 Media Sp. z o.o. SK
02-676 Warsaw, Poland
Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty,
express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no
responsibility for misuse of the presented techniques or consequent data loss.

Titania Free Tools


by Nigel Matthews and Max McFarlane
Since the developers at Titania come from a penetration testing background, over the
years they have created a number of tools to assist with their work. Some of
those tools have been released to assist other penetration testers with their work. This
article takes a look at two of those tools, SSL Scan and Banner Grab, and will also offer an
exclusive insight into a number of updates that will be released soon.

Although packages are available on Linux platforms for some of these tools, they are distributed in source
code form. This article shows how they can be compiled from the source code and run.

SSL Scan
The purpose of SSL Scan is to determine what encryption ciphers are supported by a particular SSL service.
It also obtains a copy of the SSL certificate, determines default ciphers and can send additional service
probes to determine if the cipher can actually be used with the service. Some SSL servers will accept
negotiation with an encryption cipher, but the service then disallows it.

SSL Scan makes use of the OpenSSL library (www.openssl.org) to create a list of potential ciphers that are
then used to test a service.

Compilation
From the SSL Scan page on the Titania website (www.titania.com), follow the link to download SSL Scan
(the latest version is 1.8.2). You will also need OpenSSL (and the development libraries, if these are separate
on your system) and the GNU C++ compiler. You may be able to use Cygwin (www.cygwin.com) / MinGW
(www.mingw.org) on Windows.

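Extract the source code to a directory and then open a command prompt in that directory. You can then
compile the source code using the following command (the libraries are listed after the source file, which
linkers that resolve symbols in command-line order require):

gcc -o sslscan sslscan.c -lssl -lcrypto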

On Apple Mac OS X systems, the procedure is slightly different as you need to use the Ports version of
OpenSSL, rather than the restricted version that Apple supply. You can download and install Ports from
www.macports.org. Once installed execute the following command to install the Ports version of OpenSSL:

sudo port install openssl

Then you can compile SSL Scan using the following command:

gcc -I/opt/local/include -L/opt/local/lib -o sslscan sslscan.c -lssl -lcrypto

Using SSL Scan


Now that SSL Scan is compiled, you can obtain help on the command line options by typing the following
command (see Listing 1):

./sslscan --help


Listing 1. ‘sslscan --help’ results

Command:
  ./sslscan [Options] [host:port | host]

Options:
  --targets=<file>     A file containing a list of hosts to
                       check. Hosts can be supplied with
                       ports (i.e. host:port).
  --no-failed          List only accepted ciphers (default
                       is to listing all ciphers).
  --ssl2               Only check SSLv2 ciphers.
  --ssl3               Only check SSLv3 ciphers.
  --tls1               Only check TLSv1 ciphers.
  --pk=<file>          A file containing the private key or
                       a PKCS#12 file containing a private
                       key/certificate pair (as produced by
                       MSIE and Netscape).
  --pkpass=<password>  The password for the private key or
                       PKCS#12 file.
  --certs=<file>       A file containing PEM/ASN1 formatted
                       client certificates.
  --starttls           If a STARTTLS is required to kick an
                       SMTP service into action.
  --http               Test a HTTP connection.
  --bugs               Enable SSL implementation bug work-
                       arounds.
  --xml=<file>         Output results to an XML file.
  --version            Display the program version.
  --quiet              Be quiet
  --help               Display the help text you are now
                       reading.

Example:
  ./sslscan 127.0.0.1

To use SSL Scan to determine what ciphers a standard HTTPS server operating on port 443 supports (using
Google as an example):

./sslscan www.google.com

You will then receive information similar to what you can see in Listing 2.
Listing 2. Testing SSL server www.google.com on port 443

Testing SSL server www.google.com on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
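
An added example, not part of the original article or of SSL Scan itself: a short Python script that parses results in the text layout of Listing 2 and reports the ciphers a server actually accepted that fall below a baseline. The sample output is constructed, and the baseline (SSLv2/SSLv3, keys under 128 bits, export suites, RC4) is an assumed policy to adjust to your own standard.

```python
import re
from collections import namedtuple

Result = namedtuple("Result", "status protocol bits cipher")

# One result row in the Listing 2 layout: status, protocol, key size, suite name.
ROW = re.compile(
    r"^\s*(Accepted|Rejected|Failed)\s+(SSLv2|SSLv3|TLSv1)\s+(\d+)\s+bits\s+(\S+)\s*$"
)

# Constructed sample output (not a real scan), in the same layout as Listing 2.
SAMPLE = """\
Testing SSL server www.example.test on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  40 bits   EXP-RC4-MD5
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  AES128-SHA
"""


def parse_sslscan(text):
    """Return a Result for every cipher row; headers and blank lines are skipped."""
    results = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            status, protocol, bits, cipher = match.groups()
            results.append(Result(status, protocol, int(bits), cipher))
    return results


def weak_accepted(results, min_bits=128, bad_protocols=("SSLv2", "SSLv3")):
    """Return (Result, reasons) for accepted ciphers that break the assumed baseline.

    Rejected and Failed rows are ignored: only ciphers the server negotiated matter.
    """
    findings = []
    for r in results:
        if r.status != "Accepted":
            continue
        reasons = []
        if r.protocol in bad_protocols:
            reasons.append("obsolete protocol " + r.protocol)
        if r.bits < min_bits:
            reasons.append("%d-bit key" % r.bits)
        if r.cipher.startswith("EXP-"):
            reasons.append("export-grade suite")
        if "RC4" in r.cipher:
            reasons.append("RC4 stream cipher")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for result, reasons in weak_accepted(parse_sslscan(SAMPLE)):
        print("%-6s %-16s %s" % (result.protocol, result.cipher, "; ".join(reasons)))
```

To use it on a real scan of a server you are responsible for, save the SSL Scan output to a file and pass its contents to parse_sslscan().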

SSL Scan can be integrated into third-party products by using the XML output option. The XML results
can then be easily imported and managed by your own custom applications. To do this you can use the
following command:

./sslscan --xml=scan-results.xml www.google.com

Banner Grab
When performing a penetration assessment, obtaining network service banners can often provide useful
information. This information is not always accurately processed and reported by vulnerability scanners.
Information leakage from a network service banner can have the potential to lead an attacker toward software
vulnerabilities. For example, SSH service banners will often include both software and version details.

Titania developed Banner Grab to go and get the service banner information for you. In addition to standard
service banners, Banner Grab has the ability to send specially formatted triggers for different types of
service in order to obtain as much information as possible. By default Banner Grab will send triggers when a
common port is used that has a trigger defined.

Compilation
From the Banner Grab page on the Titania website (www.titania.com), follow the link to download Banner Grab
(the latest version is 3.6). If you want to compile Banner Grab with SSL support then you will need to download
OpenSSL (and the development libraries, if these are separate on your system). You will also need the GNU C++
compiler. You may be able to use Cygwin (www.cygwin.com) / MinGW (www.mingw.org) on Windows.

Extract the source code to a directory and then open a command prompt in that directory. You can then
compile the source code using the following command:

gcc -o bannergrab bannergrab.c -lssl -lcrypto

If you want to build Banner Grab without SSL support you can use the following:

gcc -DNOSSL -o bannergrab bannergrab.c

Using Banner Grab


Once compiled you can get help on Banner Grab by typing the following command:

./bannergrab --help

The result should be similar to what you can see in Listing 3.


Listing 3. ‘./bannergrab --help’ results

Command:
  ./bannergrab [Options] host port

Options:
  --udp                Connect to a port using UDP. The
                       default is to use TCP.
  --no-triggers        Collect only the connection banner, no
                       triggers and no SSL.
  --trigger=<trigger>  Specify the trigger to use. Specify
                       DEFAULT to use the default trigger.
  --no-ssl             Prevent SSL connection creation.
  --no-hex             Output containing non-printable
                       characters are converted to hex. This
                       option prevents the conversion.
  --conn-time=<secs>   Connection timeout (default is 5s).
  --read-time=<secs>   Read timeout (default is 3s).
  --verbose            Show additional program details such as
                       any errors.
  --show-triggers      Show the supported triggers.
  --version            Show the program version.
  --help               Display the help text you are reading
                       now.

Example:
  ./bannergrab 127.0.0.1 80

To get a simple banner from an SSH server you could type the following:

./bannergrab 192.168.0.22 22

On my test SSH service the result was:

SSH-2.0-OpenSSH_5.3

As you can see the SSH service returned not only the SSH protocol but the SSH service software and version.
This is very useful information for an attacker attempting to identify software vulnerabilities to exploit.

As mentioned earlier, Banner Grab can send triggers to a service to identify additional information. In the
next example I will use Banner Grab to get service information from an SNMP service. The command was:

./bannergrab --udp 192.168.0.12 161

See the results in Listing 4.


Listing 4. ‘./bannergrab --udp 192.168.0.12 161’ results

30 82 00 49 02 01 00 04 06 70 75 62 6c 69 63 a2  0..I.....public.
82 00 3a 02 01 ff 02 01 00 02 01 00 30 82 00 2d  ..:.........0..-
30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 1d  0..)..+.........
48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c 54  HP ETHERNET MULT
49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54           I-ENVIRONMENT
30 82 00 4a 02 01 00 04 07 70 72 69 76 61 74 65  0..J.....private
a2 82 00 3a 02 01 fe 02 01 00 02 01 00 30 82 00  ...:.........0..
2d 30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04  -0..)..+........
1d 48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c  .HP ETHERNET MUL
54 49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54        TI-ENVIRONMENT


When the information returned from a service includes non-printable characters, Banner Grab returns the
information in a HEX value format with the printable characters to the right. As you can see from the returned
information it appears to be an HP device and has community strings of “public” and “private” supported.
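
An added example, not part of the original article or of Banner Grab: a small Python decoder that reads the hex column of Listing 4 as BER-encoded SNMP replies and extracts the version, community string and returned values, so an audit script can flag devices that answer to default community strings. The byte values are those shown in Listing 4; the function names are illustrative.

```python
import re

# Bytes as shown in Listing 4 (two UDP replies back to back), ASCII column included.
LISTING_4 = """\
30 82 00 49 02 01 00 04 06 70 75 62 6c 69 63 a2  0..I.....public.
82 00 3a 02 01 ff 02 01 00 02 01 00 30 82 00 2d  ..:.........0..-
30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04 1d  0..)..+.........
48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c 54  HP ETHERNET MULT
49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54           I-ENVIRONMENT
30 82 00 4a 02 01 00 04 07 70 72 69 76 61 74 65  0..J.....private
a2 82 00 3a 02 01 fe 02 01 00 02 01 00 30 82 00  ...:.........0..
2d 30 82 00 29 06 08 2b 06 01 02 01 01 01 00 04  -0..)..+........
1d 48 50 20 45 54 48 45 52 4e 45 54 20 4d 55 4c  .HP ETHERNET MUL
54 49 2d 45 4e 56 49 52 4f 4e 4d 45 4e 54        TI-ENVIRONMENT
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Keep the hex column (at most 16 bytes per row) and drop the ASCII column.

    A short row whose ASCII text starts with a two-hex-digit word would be misread.
    """
    out = bytearray()
    for row in dump.splitlines():
        for i, tok in enumerate(row.split()):
            if i == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form, e.g. "82 00 49": low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of data")
    return tag, buf[pos:end], end


def children(body):
    """Split the contents of a constructed value into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def decode_oid(body):
    """Decode a BER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_replies(buf):
    """Decode consecutive SNMP messages: version, community, PDU tag, varbinds."""
    replies, pos = [], 0
    while pos < len(buf):
        tag, msg, pos = read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError("not an SNMP message (expected SEQUENCE)")
        version, community, pdu = children(msg)
        varbind_list = children(pdu[1])[3][1]  # after request-id, error-status, error-index
        varbinds = []
        for _, vb in children(varbind_list):
            (_, oid), (vtag, value) = children(vb)
            text = value.decode("latin-1") if vtag == 0x04 else value.hex()
            varbinds.append((decode_oid(oid), text))
        replies.append({"version": int.from_bytes(version[1], "big"),
                        "community": community[1].decode("latin-1"),
                        "pdu_tag": pdu[0], "varbinds": varbinds})
    return replies


def default_communities(replies):
    """Community strings from the well-known defaults that drew a reply."""
    return sorted({r["community"] for r in replies} & {"public", "private"})


if __name__ == "__main__":
    for reply in decode_replies(hexdump_to_bytes(LISTING_4)):
        print(reply)
```

A version field of 0 is SNMPv1, and 1.3.6.1.2.1.1.1.0 is sysDescr.0, the system description the device returned.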

Future Developments
There are a number of exciting updates coming through the Titania Free Tool Development Team at the
moment. SSL Scan and Banner Grab tools described in this article are being updated, together with graphical
versions of the tools. The Banner Grab tool now also includes a port scanning tool to identify the live ports
on a device prior to performing the banner grabbing.

The Free Tool Team has also been updating our other tools such as IP Calculator, which now includes IPv6
support and provides many more address details. Plus there will be pre-compiled binary packages available
for Windows, Linux and Mac systems making them all much easier to use. For more information on our full
portfolio of free tools, go to www.titania.com/freetools.

About the Authors


Nigel Matthews and Max McFarlane, Free Tools Development Team
at Titania
The Titania Free Tools Team have worked hard to build and
maintain a number of free tools which have now been released to
help assist other auditors and Penetration Testers with their work.


Paws Studio Walkthrough


by Alen Damadzic
Paws Studio is a compliance auditing tool for servers, workstations and other Windows or
Linux based systems. At a basic level, creating a compliance report in Paws Studio can be
as simple as selecting an audit policy and clicking go. However, behind the scenes Paws
Studio is performing a number of different processes in order to determine what needs to
be checked, collecting the data, comparing the collected data against a policy and finally
creating a report. This article provides a walkthrough of those processes to enable you to
create truly effective and thorough custom policies to audit against.

Figure 1. Paws Studio audit process

A typical Paws Studio audit is a two-step process. The initial step is to collect the data for the audit and the
second is to create the report by comparing that data against a compliance list (see Figure 1).

Collecting Audit Data


Data, such as password policy settings, is collected using a data collector. On Windows, the data
collector is a small native program that reads the registry, file permissions and so on. The data collector
does not need to be installed on the system that is being audited, nor does it require anything else to be
installed. On Linux systems the data collector is a shell script.

The data collector only collects what is required to create the report. Those audit parameters are specified in
a policy file, which we will come back to later.

Figure 2. Report creation methods

When you select to create a new report in Paws Studio (see Figure 2), it will give you the option to add all
the systems that you want to audit (local and remote). Paws Studio will then deal with executing the data
collector for you and retrieve the results. It is important to note that during this process, Paws Studio will
tidy up after itself, so no audit files will be left on the audited system.

Figure 3. Manual data collector option


It is also possible for you to run the data collector yourself on various systems and provide Paws Studio with
the collected data; this is shown as the “Manual” option (see Figure 3).

To obtain the latest data collector so that you can perform the audit yourself, select the “Export Collector”
option from the “Utilities” menu. You will also need a copy of the audit policy file for the data collector. By
default on a Windows system the policy files are stored in “C:\Program Files\Paws Studio\XML”. You will
find policy files for PCI, STIG, SANS, and others.

The data collector can be executed from the command line on both Windows and Linux systems. This gives
you the ability to script the software so you can automate the audit data collection process.

The Audit Policy

Figure 4. Audit policies

When you create a compliance audit report in Paws Studio you have to select an audit policy that you want
to check compliance with. It could be a PCI policy, STIG or others. The policy that you check compliance
against when producing a Paws Studio report is stored in a specially formatted XML file.

Although Paws Studio is supplied with a number of pre-defined audit policies, you can create your own. You
could use your favourite XML editor to create an audit policy file but Paws Studio includes a policy editor.

The audit policy editor has two modes of operation, a wizard mode and editor mode (see Figures 5, 6).
The wizard mode is designed to easily enable you to create your own new audit policy, or edit an existing
one, and guide you through the process. The editor mode is more suited for advanced users and editing
existing policies.


Figure 5. Policy editor: editor mode

Figure 6. Policy editor: wizard mode


Figure 7. Paws Studio Settings

Customizing an Audit Report


Your audit reports can be customized to change the company name, logo, classification and so on. If you
want to override the default Cascading Style Sheet (CSS) there is even an option to do that.

Some key customization options such as the “Policy Editor”, “Authorized Software” and “Authorized Startup
Items” contain the lists of what is determined to be authorized or not during those particular checks.

The “Reporting” options include an “Interactive Mode” setting that will cause Paws Studio to potentially ask
you some questions during an audit. For example, some checks may require a physical analysis, such as “is
the server room door locked?”.

An Audit Walkthrough

Figure 8. Paws Studio main frame

Now that we have highlighted the key components of a Paws Studio audit, the process of creating
a report with all the available options is straightforward.

Select the “Create Report” option (see Figure 8).

Figure 9. Report creation methods

Select what you want to audit (see Figure 9).

“Local” will enable you to perform an audit of your local machine.

“Network” will enable you to audit other computers on the network. You may need to specify a username and password.

“Manual” will allow you to add manually collected audit data.

Figure 10. Audit policies


Select the audit policy report that you are interested in. You can select multiple audit policies or specify your
own using the “Import Policy” button (see Figure 10).

Click on “Create Report”.

Then you can read your report and save it out to a number of different formats such as HTML, Word, PDF,
CSV and others.

Conclusion
This article has delved into what goes on behind the scenes of Paws Studio. By walking you through the key
processes involved in creating your own compliance reports, it will enable you to get the most out of the software.

About the Author


Alen Damadzic, Software Developer at Titania
Alen is a key member of the technical team and is the lead developer of Paws
Studio compliance auditing software. Since joining Titania as a computing
graduate three years ago, Alen’s knowledge of software development and cyber
security has grown with the company and he now uses this knowledge to support
and train new members to the ever growing development team.


Automating Nipper Studio Audits


by Edwin Bentley
Nipper Studio is typically used by security specialists using the graphical interface from their
testing desktop environment. However the Nipper Studio system integrators make use of the
equally powerful command line interface to integrate the report output into their own setup.
This article provides a glimpse into the integration possibilities by showing how Nipper
Studio can be run from the command line and scheduled on Linux and Windows systems.

Running from the command line


Although Nipper Studio has a huge number of different configuration settings, in its most basic form you
want to provide it with a configuration to audit and give it a filename to save the report to. So from the
command line you could create a report using the following:

nipper --input=router.txt --output=report.html

The above example would make use of the current processing, reporting and save settings. Since the settings
are maintained between the command line and graphical interfaces, those settings could be changed using
the graphical interface.

To list all the possible configuration settings available on the command line you can use the built-in help system:

nipper --help=all

On Linux systems you could also look at the help using the UNIX man system.

Figure 1. Nipper man page

Nipper Studio includes a variety of different report formats; the ones system integrators are most familiar
with are XML and CSV. To write a report out in XML format you can use the following command:

nipper --input=router.txt --xml --output=report.xml


Scheduling on Linux
On Linux I am going to demonstrate using Cron to schedule a job to create a Nipper Studio report. I will
assume that you already have a grasp on using command line and Linux utilities, rather than provide a
tutorial on the shell and editors.

Typing the command crontab -e will open the crontab file for the current user and will make use of the
currently defined command line editor for your shell (see Figure 2).

Figure 2. ‘crontab -e’ command

I am then going to add a line that will schedule a job to run Nipper Studio to process a configuration stored
in /configs/myconfig.txt, and save the report to /configs/report.html at 15 minutes past 3 each day.

15 3 * * * nipper --input=/configs/myconfig.txt --output=/configs/report.html

Once you save and exit the editor the changes to your scheduled tasks will take effect, so as to include the
new task. If you aren’t comfortable using command line editors, you can just list out the current scheduled
tasks for your user by running the following:

crontab -l >scheduled-tasks.txt

You can then edit this file using a GUI text editor such as Kwrite or Gedit, or whichever your preferred
editor is (see Figure 3).

Figure 3. Task scheduling in GUI text editor


Once you have saved the file, running the following command will add it to the schedule:

crontab scheduled-tasks.txt

I have just used a basic example of processing a single file but Nipper Studio has many other, more advanced
capabilities. Cron also has many other scheduling options that I haven’t covered in this article. Using these
capabilities, together with other tools, it is possible to automate complete audits, integrate them with bespoke
systems, email updated reports and much more.

Scheduling on Windows
As with Linux, Windows also has a task scheduler. This can be found by going to the “Control Panel” then
“System and Security”, then “Administrative tools” and finally “Task Scheduler” (see Figure 4).

Figure 4. Task scheduler on Windows

To create a new task, select the “Create Basic Task” from the “Actions” pane or the “Action” menu (see Figure 5).

Figure 5. Creating a new task

A new task wizard will be shown. In the first step I am calling my task “Nipper”. You can also enter a
description for the task (see Figure 6).

Figure 6. Wizard task creation

The next page will then allow you to set the frequency of the schedule, with the usual options of daily,
weekly, monthly etc. I have selected daily, the same as the Linux example (see Figure 7).

Figure 7. Task frequency options (a)

The next page then allows you to fine tune your selection, for instance if you chose the monthly option, you
would be able to select the specific days of the month. You can also set the time that you want the task to
run. I am going to set it to 15 minutes past 3 (see Figure 8).

Figure 8. Task frequency options (b)

On the next page I will choose what type of task it is I want to perform. I am going to select the “Start a
Program” option. I am then going to specify the program or script that I want to run. This will be the
“nipper.exe” executable that will be found in the installation directory for Nipper Studio; the default is
“C:\Program Files\NipperStudio\nipper.exe”.

In the “Add Arguments” I am going to add the options to pass to the command line. This is in the same format
as for Linux, so I have entered --input=c:\configs\myconfig.txt --output=c:\configs\report.html (see Figure 9).

Figure 9. Adding arguments

The last page will just show a review of the task that I have created. Clicking on “Finish” will add the task to
the scheduler (see Figure 10).

Figure 10. Complete task

Conclusion
There is a broad range of integration possibilities in Nipper Studio; this article set out to provide an insight
into just a few. Features such as scheduling and being able to run Nipper Studio from the command line are
included to make the software as useful as possible for network managers and auditors.

About the Author


Edwin Bentley, Software Developer at Titania
Edwin joined Titania in 2011 and has since become a key member of the development
team, having primary involvement in advancement of both the Nipper Studio and
Paws Studio software. He has a keen interest in Information Security and the role
that the industry will play in the future advancement of technologies.

Advanced Nipper Studio Configuration


by Ian Whiting and Edwin Bentley
Nipper Studio contains a wealth of configuration options to modify and customize the audits
that are produced. This article covers how to access and modify those settings to enable you
to fine tune your own audit reports.

To start, it is worth mentioning that Nipper Studio settings are “sticky” by default. Therefore if you set an
option in the graphical environment, that option will remain set next time you run Nipper Studio. This is also
true of the command line version: setting an option in the graphical environment will set the option for the
command line as well.

To access the settings on Windows you select “Options” from the “Tools” menu (on Linux this is called
“Settings” and on the Mac it is called “Preferences”; see Figure 1).

Figure 1. Nipper Studio main frame

Due to the number of different customization and configuration options available, the settings window
categorizes the settings into the following groups (see Figure 2):

• Global – These settings affect all areas of Nipper Studio and contain options such as changing the
company name used in the report, the formatting of dates and whether passwords should be shown in the
output. This section also contains an option labelled “Auto Save Settings”. This is the option that makes
Nipper Studio settings sticky.

• Devices – Nipper Studio supports over 100 different network devices and some devices have options that
modify how they process a configuration. For example, Check Point configurations can contain multiple
policies and options are available to determine how multiple policies are handled.

• Reports – You can create a number of different audit report types in Nipper Studio, with more report
types coming soon. These report options enable you to configure the settings for each of the report types.
For example, you may want to modify the audit password length checked during a security audit.

• Saving – As with report types, Nipper Studio also supports a wide variety of different file formats that a
report can be saved as. For example, the HTML report fonts, colors or entire Cascading Style Sheet (CSS)
can be modified using these settings.

Figure 2. Nipper Studio setting options

The best practice security audit report is the most common type of report created in Nipper Studio, so I will
guide you through the configuration of those options. These can be accessed by selecting the “Reports” icon
on the left and then selecting the “Settings” button next to the “Security Audit” entry.

On platforms that include the “?” icon in the window title, you can gain additional help on the various options
by selecting the “?” icon and then clicking on the option that you would like more information on. Additionally,
the options also include “tool tip” help that appears when you hover your mouse over an option.

Coverage
Due to the large number of different configuration options available for each report type, they have been
sectioned into tabs to make them easier to navigate. First off there is the “Coverage” tab. This is where you
can select or deselect the different categories of configuration settings that you would like included within
your audit report. For example, you may only be interested in auditing firewall rules, so you could deselect
everything except the “Audit Network Filtering” option (see Figure 3).

Figure 3. Setting audit areas

Reporting
On the reporting tab you can select various options relating to how the security audit is reported. For
example, any identified security audit issues can be scored using one of two different rating systems. The
Nipper v1 (default) rating system is a best-practice rating system. Alternatively you could select the industry
standard CVSS v2 rating system that is a vulnerability scoring system (see Figure 4).

Figure 4. Reporting

If you choose to select the CVSS v2 rating system you can enter your own environmental metrics so that the
scores are modified to take into account your own environment. You can find out more information on the
CVSS v2 rating system at: http://www.first.org/cvss/cvss-guide.html.
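
How environmental metrics move a CVSS v2 score, worked through with the published CVSS v2 equations. This is an added example, not Nipper Studio's own code; the vector is constructed, and the temporal metrics are assumed to be left Not Defined so that the adjusted temporal score equals the adjusted base score.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}
# Environmental metrics; "ND" (Not Defined) leaves the score unchanged.
CDP = {"ND": D("0"), "N": D("0"), "L": D("0.1"),
       "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5")}
TD = {"ND": D("1"), "N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1")}
REQ = {"ND": D("1"), "L": D("0.5"), "M": D("1"), "H": D("1.51")}
ENV_DEFAULTS = {"CDP": "ND", "TD": "ND", "CR": "ND", "IR": "ND", "AR": "ND"}
BASE_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def round1(value):
    """Round to one decimal place, halves up, as the specification does."""
    return value.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict, defaulting environmental metrics to ND."""
    metrics = dict(ENV_DEFAULTS)
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def _score(metrics, impact):
    """Base equation, with the impact sub-score supplied by the caller."""
    exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def base_score(vector):
    m = parse_vector(vector)
    impact = D("10.41") * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    return float(_score(m, impact))


def environmental_score(vector):
    m = parse_vector(vector)
    # Security requirements (CR/IR/AR) re-weight each impact, capped at 10.
    adjusted_impact = min(D("10"), D("10.41") * (
        1 - (1 - CIA[m["C"]] * REQ[m["CR"]])
          * (1 - CIA[m["I"]] * REQ[m["IR"]])
          * (1 - CIA[m["A"]] * REQ[m["AR"]])))
    adjusted = _score(m, adjusted_impact)   # temporal metrics assumed Not Defined
    return float(round1((adjusted + (10 - adjusted) * CDP[m["CDP"]]) * TD[m["TD"]]))


if __name__ == "__main__":
    # Constructed finding: remote, unauthenticated loss of availability.
    finding = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    print("base:", base_score(finding))
    print("availability critical:", environmental_score(finding + "/CDP:H/TD:H/AR:H"))
    print("availability unimportant:", environmental_score(finding + "/AR:L"))
    print("few systems affected:", environmental_score(finding + "/CDP:H/TD:L/AR:H"))
```

The same finding ranges from 2.5 to 10.0 depending on the environment entered, which is why two organizations can rank an identical device issue very differently.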

Filtering
The filtering tab includes options to modify how
firewall rules and objects are checked. These include
options to enable checks against certain categories
of firewall rules, rule complexity and more (see
Figure 5).

Figure 5. Filtering (firewall rules modifications)

You can enable the filter rules to be audited even if filter rules have been disabled on a particular device.
Your own environment may separate functionality between different classes of device, so you can also prevent
firewall rules from being processed on certain types of device (such as print servers and application
switches, see Figure 6).

Figure 6. Filtering (devices)

Nipper Studio contains a number of black lists. If a firewall rule is identified which permits traffic that
matches a black list entry, an issue is reported. The black lists include unencrypted clear text services,
administrative services and hosts. You can modify each of those black lists by clicking on the “Define…”
button next to each one (see Figure 7).

Figure 7. Filtering (black lists)

As briefly mentioned earlier, Nipper Studio includes a number of rule complexity checks. These checks
are disabled by default as they add to the time taken to create the audit. If you are interested in identifying
firewall rules that contradict or overlap with other firewall rules, then this functionality can be enabled here.
On large and complex rule bases, especially those from Check Point devices, the complexity checks can add
a number of minutes to the audit process.

User Policy and Passwords


Although not all network devices include all the
functionality that is checked during the security audit,
where an insecure configuration is identified it is reported.
The user policy tab includes options for password
retention, account lockout and timeouts (see Figure 8).

Figure 8. User policy

Nipper Studio includes a number of advanced high performance crypto routines that are able to reverse
passwords that have been encrypted using a number of different algorithms. These deciphered passwords can
then be assessed against the password policy. Any non-reversed passwords can be saved out to a file for
brute-forcing using a tool such as John the Ripper (http://www.openwall.com/john/).

The passwords tab includes options for determining how the password complexity checks are performed against
the known passwords. For options where a numerical value is specified, help text will also offer a guide as to
what is considered more secure. For example the greater the number of characters in a password, the more
secure it will be (see Figure 9).

Figure 9. Passwords

Vulnerability and Misc


The vulnerability tab enables you to configure the software
version vulnerability analysis performed against a particular
device. Generally the vulnerability analysis performed
compares the version information contained within the
configuration against the version detailed in the device
configuration. However the software version can only be
partially detailed in the configuration and sometimes not
detailed at all. In those cases Nipper Studio makes a guess
as to the version. This can lead to the reporting of false
positives, so the wording in the reported issue is suitably
adapted to highlight those details (see Figure 10).

Figure 10. Vulnerability

You can specify the version details when processing a configuration in order to filter out some false
positives, and you could include the “show version” (or equivalent) output in the configuration. Additionally
there is a “Vulnerability Filtering” option that helps to filter out the vulnerability list further based on the
services and protocols configured. So if the vulnerability is specific to SSH and you have disabled that
service then it is not reported.

Finally, the misc tab includes options to set the logging severity level and any words that should not be
contained within logon banner messages (see Figure 11).

Figure 11. Misc

Conclusion
I hope that this article has provided you with sufficient information about how you can use some of Nipper
Studio’s advanced settings to start customizing your own network audits. There are many other options for
configuring Nipper Studio; for more information about these you can visit the Titania website at
www.titania.com or contact us directly at enquiries@titania.com.

About the Author


Ian Whiting, Titania CEO and Creator of Nipper Studio
Ian has been working with leading global organizations and government agencies
to help improve computer security for more than a decade. He has previously been
accredited by CESG for his security and team leading expertise for over 5 years.
In 2009 Ian Whiting founded Titania with the aim of producing security auditing
software products that can be used by non-security specialists and provide the
detailed analysis that traditionally only an experienced penetration tester could
achieve.

About the Author


Edwin Bentley, Software Developer at Titania
Edwin joined Titania in 2011 and has since become a key member of the development
team, having primary involvement in advancement of both the Nipper Studio and
Paws Studio software. He has a keen interest in Information Security and the role
that the industry will play in the future advancement of technologies.

Listening to the Network


by Ian Whiting
It is all too easy during the start of a new penetration testing infrastructure commission to
jump straight in with network scanning. In the midst of all the excitement of identifying live
IP addresses, open network ports and all those potential vulnerabilities, it is easy to neglect
what the network is trying to tell you. This can be even more difficult when multiple testers
are involved with the unspoken competition between them to find the first security hole.
Listening to what various connected network devices are sending to other network devices
can provide you with a wealth of information.

My favourite tool for monitoring network traffic with a graphical environment is Wireshark
(www.wireshark.org); on the command line I would commonly use TCPDump (www.tcpdump.org). Both tools
are mature products that have been around for years, and if you are a penetration tester you have most likely
already used either one or both of them.

Many years ago now, when network hubs were used, the quantity of network traffic arriving at my laptop
used to be huge. In today’s modern switched networks you usually no longer get to see network traffic that
was sent to a specific network address. However it is still worth checking to see if you can see traffic that
should not be visible in a switched environment. I have had to report to clients on a number of occasions,
instances where I have been watching network packets that I simply should not have seen. I have recently
seen a network hub still being used on a network that should have long since been replaced. In this case the
company being tested was a financial organisation supplier and the network traffic on the hub contained data
from several competing financial clients.

A common network protocol I see used on networks is Link Layer Discovery Protocol (LLDP), which is
used for advertising the capabilities of the sender. LLDP is useful when combined with network management
software, but it is also useful information for an attacker. The screenshot from Wireshark (see Figure 1)
highlights a captured LLDP packet. You can clearly see that it contains information such as the make, model
and software version from the switch; in this case it is a Brocade ICX running IronWare 7.4.00T311. Using that
information it would be trivial for an attacker to review a vulnerability database and then download any exploit
code for vulnerabilities. The information could also be used to obtain default passwords and other configuration
settings that may not have been changed by the network administrator.

Figure 1. LLDP packet
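
To check what an access port advertises, the TLVs visible in a capture like the one above can be decoded and the disclosing fields listed for review. This is an added example, not code from the article or from Wireshark; the frame is constructed, and the host name, addresses and exact description string are assumptions built around the platform and version quoted above.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}
# Fields that tell a listener which platform is in use and where it is managed.
DISCLOSING = ("system_name", "system_description", "management_address")


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldp(frame):
    """Return the decoded TLVs of an untagged Ethernet LLDP frame as a dict."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    fields, offset = {}, 14
    while offset + 2 <= len(frame):
        (header,) = struct.unpack("!H", frame[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == 0:                       # End of LLDPDU
            break
        value = frame[offset:offset + length]
        if len(value) != length:                # length field runs past the frame
            raise ValueError("truncated TLV")
        offset += length
        if tlv_type in TEXT_TLVS:
            fields[TEXT_TLVS[tlv_type]] = value.decode("utf-8", "replace")
        elif tlv_type == 3 and length == 2:     # Time To Live, in seconds
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 8 and length >= 2:     # Management Address
            addr_len, family = value[0], value[1]
            addr = value[2:1 + addr_len]        # addr_len counts the family byte
            if family == 1 and len(addr) == 4:  # IANA address family 1 = IPv4
                fields["management_address"] = ".".join(str(b) for b in addr)
    return fields


def disclosure_findings(fields):
    """List the advertised fields worth reviewing on user-facing ports."""
    return [name for name in DISCLOSING if name in fields]


def sample_frame():
    """Constructed LLDP frame; every value below is made up for the example."""
    dst = bytes.fromhex("0180c200000e")         # LLDP nearest-bridge multicast
    src = bytes.fromhex("020000000001")
    mgmt = (b"\x05\x01" + bytes([192, 0, 2, 10])     # length 5, IPv4, address
            + b"\x02" + struct.pack("!I", 1) + b"\x00")  # ifIndex 1, no OID
    body = (tlv(1, b"\x04" + src)               # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + b"1/1/1")        # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))
            + tlv(5, b"access-sw1")
            + tlv(6, b"Brocade ICX, IronWare Version 7.4.00T311")
            + tlv(8, mgmt)
            + tlv(0, b""))
    return dst + src + struct.pack("!H", LLDP_ETHERTYPE) + body


if __name__ == "__main__":
    parsed = parse_lldp(sample_frame())
    for name in disclosure_findings(parsed):
        print(f"{name}: {parsed[name]}")
```

Any field this reports from a user-facing port is a candidate for restricting LLDP transmission to the links where network management actually needs it.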

Some manufacturers have developed their own variation of LLDP, the most prevalent of which is the
Cisco Discovery Protocol (CDP). Although CDP is a Cisco proprietary protocol it has appeared on other
manufacturers’ equipment too. You can see from the Wireshark CDP packet capture screenshot (see Figure
2), that the information in CDP also includes the software platform and version. You may have noticed that
both LLDP and CDP include the management address of the devices, very useful.

Figure 2. CDP packet

The Cisco CDP also includes VLAN Trunking Protocol (VTP) domain information, which is also included
in the Dynamic Trunking Protocol (DTP) packets (see Figure 3).

Figure 3. DTP packet

VTP is designed to make network administration easier by enabling the propagation of changes to the
VLANs on the network, such as adding and removing VLANs over multiple network switches. VTP can
be configured in server, client or transparent/off modes. If a switch is in server or client mode it is possible
to modify the VLAN configuration on the switch if you can determine the VTP password. Therefore the
presence of VTP could potentially pose a serious risk to a network, especially when a weak password has
been set.

The VTP password is not easily tested over the network without modifying the VLAN configuration (or
destroying it). Nipper Studio (www.titania.com) can be used to review the actual configuration in order to
determine its state without jeopardising the network (see Figure 4). It certainly would not make you a very
popular penetration tester if you took down a customer’s network by removing all their VLANs.

Figure 4. Nipper studio

A tool called Yersinia can be used to monitor the network in a similar manner to Wireshark, but it separates
out protocols such as CDP, DTP and VTP into easy-to-review sections. However I would recommend using
this tool with caution as it includes a number of network attacks such as using VTP (see Figure 5).

Figure 5. Yersinia

It is sometimes possible to audit the routing protocols present on the network by passively listening to the
network traffic. Even though I should not be seeing routing protocol traffic when plugging in to a standard
network port, at least the following Open Shortest Path First (OSPF) packet capture shown in the next
example (see Figure 6) shows that MD5 authentication has been configured.

Figure 6. OSPF packet

However I have often seen routing protocols where either no authentication is configured or default
credentials are transmitted with no encryption. In the next example (see Figure 7), Routing Information
Protocol (RIP) version 1 is being used which has no support for authentication.

Figure 7. Vulnerable Routing Information Protocol
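
The authentication state read off the OSPF and RIP captures above sits in fixed header fields, so it can be checked mechanically. This is an added example, not code from the article; the messages are constructed, with made-up addresses and a placeholder password string, and the inputs are assumed to be the OSPF packet after the IP header and the RIP message after the UDP header.

```python
import struct

OSPF_AUTYPE = {0: "none", 1: "cleartext password", 2: "cryptographic (MD5)"}
RIP_AUTH_TYPE = {2: "cleartext password", 3: "cryptographic (keyed MD5)"}


def ospf_auth(packet):
    """Classify the AuType field of an OSPFv2 packet (bytes after the IP header)."""
    if len(packet) < 24:
        raise ValueError("shorter than the 24-byte OSPFv2 header")
    version, _ptype, _length, _router, _area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    return OSPF_AUTYPE.get(autype, "unknown")


def rip_auth(payload):
    """Classify authentication in a RIP message (the UDP payload on port 520)."""
    if len(payload) < 4:
        raise ValueError("shorter than the 4-byte RIP header")
    version = payload[1]
    if version == 1:
        return "none"                   # RIPv1 has no authentication field at all
    if version != 2:
        raise ValueError("unsupported RIP version")
    if len(payload) >= 24:
        family, auth_type = struct.unpack("!HH", payload[4:8])
        if family == 0xFFFF:            # first entry is an authentication entry
            return RIP_AUTH_TYPE.get(auth_type, "unknown")
    return "none"


def audit(observations):
    """Return (protocol, authentication, verdict) for each captured message."""
    parsers = {"ospf": ospf_auth, "rip": rip_auth}
    results = []
    for protocol, data in observations:
        auth = parsers[protocol](data)
        # Routing traffic reaching a standard port is worth noting either way;
        # anything short of cryptographic authentication is reported as an issue.
        verdict = "authenticated" if auth.startswith("cryptographic") else "report"
        results.append((protocol, auth, verdict))
    return results


def sample_observations():
    """Constructed messages; addresses and the password string are made up."""
    # OSPFv2 hello header only (body omitted): AuType 2, key ID 1, 16-byte digest.
    ospf_md5 = (struct.pack("!BBH4s4sHH", 2, 1, 44, bytes([10, 0, 0, 1]),
                            bytes(4), 0, 2)
                + struct.pack("!HBBI", 0, 1, 16, 1))
    # One 20-byte route entry: address family 2 (IP), network 192.0.2.0, metric 1.
    route = struct.pack("!HH4s4s4sI", 2, 0, bytes([192, 0, 2, 0]),
                        bytes(4), bytes(4), 1)
    rip_v1 = bytes([2, 1, 0, 0]) + route
    rip_v2_clear = (bytes([2, 2, 0, 0])
                    + struct.pack("!HH16s", 0xFFFF, 2, b"example") + route)
    rip_v2_open = bytes([2, 2, 0, 0]) + route
    return [("ospf", ospf_md5), ("rip", rip_v1),
            ("rip", rip_v2_clear), ("rip", rip_v2_open)]


if __name__ == "__main__":
    for protocol, auth, verdict in audit(sample_observations()):
        print(f"{protocol:5} {auth:28} {verdict}")
```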

There are a huge number of other interesting protocols that have not been covered in this article, such as
Dynamic Host Configuration Protocol (DHCP). However hopefully this article has bestowed a renewed
understanding that simply listening to what the network has to communicate can highlight some security
issues. These are issues which can be, and are too often, missed when security assessments place too great a
focus on the results of network scanners.

About the Author


Ian Whiting, Titania CEO
Ian has been working with leading global organizations and government agencies
to help improve computer security for more than a decade. He has previously been
accredited by CESG for his security and team leading expertise for over 5 years.
In 2009 Ian Whiting founded Titania with the aim of producing security auditing
software products that can be used by non-security specialists and provide the
detailed analysis that traditionally only an experienced penetration tester could
achieve.

Retrieving a Configuration for use in Nipper Studio
by Aran Jarvis
When retrieving a configuration from a network device it is always advisable to use the
securest method possible. Often the securest method will be to use a console port but not all
devices will have a console port or it may not be possible to access it. Connecting to this
port helps to cut down the possibility of a third party intercepting the information being sent
from the network device. When you are not able to physically connect to the device there are
several other possibilities for retrieving the configuration. These will all depend on how the
device has been set up, its capabilities and what access you have.

Retrieving a configuration from a network device’s CLI (command line interface) is very similar across the
majority of network devices. Devices can typically be accessed using SSH or Telnet. On Windows the PuTTY
client supports both methods. SSH v2 is the suggested protocol to use as it will encrypt the data. Telnet is not
an advisable form of connecting as it has no encryption and all information is sent in clear text; this includes
the username and password used to log into the network device. Once you have initiated contact with the
network device you will then need to log in with an account that has raised privileges; this is usually the
admin account or super-user account. Once logged in you may need to elevate your privileges further with a
command such as ‘enable’; note this may also require a password. The next step will be to have the device
print the configuration to the screen. A command such as ‘show config’ or ‘show running-config’ will be
used. This can be different depending on the Operating System that is running on the network device that
you are retrieving the configuration from. Once the configuration has been printed to the screen, you will
need to copy and paste it into a .txt file; it will then be ready to be processed by Nipper Studio.

Example: How to retrieve the configuration from a Cisco ASA network device.

Below are step by step instructions for retrieving the configuration from a Cisco ASA network device using a
terminal emulator over SSH v2.

1. Enter the necessary information into PuTTY or a program of your choosing (see Figure 1).

Figure 1. Enter the necessary information into PuTTY

2. Enter the username of either the system administrator or super-user and then the associated password
when prompted (see Figure 2).

Figure 2. Enter the username and the associated password

3. Next enter the command ‘enable’ and the password when prompted (see Figure 3).

Figure 3. Enter the command ‘enable’ and the password

4. Enter the command ‘show config’ and the configuration will be printed to the terminal (see Figure 4).

Figure 4. Enter the command ‘show config’

5. Once the full configuration has been printed to the screen, copy and paste it into a .txt file ready for
Nipper Studio to process (see Figures 5, 6).

Figure 5. Printed configuration

Figure 6. Copy and paste the full configuration into a .txt file

Remote Configuration Retrieval


As well as the extensive configuration retrieval instructions integrated into the Nipper Studio software,
Nipper Studio also has the functionality to retrieve configurations from selected devices using either HTTP,
HTTPS, Telnet or SSH. Note, not all protocols are supported on all devices.

Below are step by step instructions for retrieving the configuration via SSH v2 from one of our test Cisco
ASA devices.

1. Launch Nipper Studio and click New Report (see Figure 7).

Figure 7. Launch Nipper Studio and click New Report

2. Click Add Network (see Figure 8).

Figure 8. Click Add Network

3. Select the type of device that you will be connecting to from the Device Type drop down menu (see
Figure 9).

Figure 9. Select the type of device

4. Enter the device’s IP address, then the username and password used to log into the device. Select the
protocol to use; the port number will be changed to the default for the protocol. You may need to change this
depending on how the device is set up. Now enter the Privilege/Enable password (see Figure 10).

Figure 10. Enter the device’s IP address, username and password

5. Once Nipper Studio has retrieved the configuration from your device, carry on creating your report as if
you had manually retrieved your configuration (see Figure 11).

Figure 11. Retrieved configuration

There is extensive advice within Nipper Studio that can assist you with retrieving configurations from a
number of devices.

About the Author


Aran Jarvis, Support Technician at Titania
Aran has a key role within both the support and testing teams at Titania ensuring
that users of the software receive the best products and services possible.
Throughout his career Aran has always had a passion for cyber security and since
joining Titania his interest and knowledge of the industry has continued to grow.

Using Nipper Studio for Penetration Testing
by Peter Wood
Pete has worked in the electronics and computer industries for over forty years and founded
First Base in 1989. He is a world-renowned security evangelist, speaking at conferences and
seminars on ethical hacking and social engineering. In this case study Pete explains how he
came across Nipper Studio security auditing software and why he thinks it is one of the best
tools of its kind on the market.

The first time I heard about Nipper Studio was back in 2009 when the product was very new to the market
and still in its first version, Nipper One. I received an industry newsletter which featured Nipper and outlined
the basic features of the tool. It sounded interesting but at that time it wasn’t a tool that I felt we needed and
didn’t take it any further.

Why did you decide to use Nipper Studio?


We first evaluated Nipper Studio in July 2012 when we had a requirement to audit several routers and
switches for a large client. After running a few reports I realised the tool was exactly what we were looking
for, as all our previous reviews of network devices were done entirely manually. Nipper Studio was the
only product we could find that provided this level of detailed configuration audit review. The reports
generated from Nipper Studio were easy to read and thorough and it saved us hours of manual work. We
have continued to use Nipper Studio to assist with network security audits for our clients and also in-house
to audit our own network security devices.

How do you use Nipper Studio at client sites?


One of the great things about Nipper Studio, from a Penetration Tester’s point of view, is that the software
can be downloaded onsite and installed in minutes, without causing any disruption to their networks.
Furthermore, because Nipper Studio does not store any configuration information and, unlike scanning tools,
does not need to connect to the network, using it poses no additional security issues to the organization.

Once we have Nipper Studio installed it enables us to automate much of the review process without
compromising the quality and accuracy of our results. During an engagement we can use the tool to help find
vulnerabilities in the device in a fraction of the time it would take us to do manually.

As a result of the extensive amount of devices supported, Nipper Studio enables us to provide a more
consistent and accurate set of results, irrespective of the manufacturer or model of device under review.
Also because we can install Nipper Studio on multiple machines we are able to use the license for various
different customer engagements throughout the year.

How have your customers benefited from you using Nipper Studio?
It became obvious to us that our clients were facing a problem. They would often come to us asking
for us to review the configuration and security of their switches, routers and firewalls. However it is
a lengthy and painstaking process to manually audit every network device in a system, especially in
the larger organizations. As a result, it was not cost effective to review more than a small sample of an
organization’s infrastructure.

Using Nipper Studio means that our clients can now afford to have the security of all their infrastructure
devices checked, rather than just a sample.

How has using Nipper Studio benefitted First Base Technologies as a business?
Using Nipper Studio has presented us the opportunity to expand our security reviews at a realistic price. This
means our clients’ expectations have been exceeded while still staying on time and in budget. This gives us
an advantage in the market and ultimately helps retain our existing customers and attract new ones.

About the Author


Peter Wood, CEO at First Base Technologies
Peter has worked in the electronics and computer industries since 1969. He has
extensive experience of communications and networking, with hands-on knowledge
of many large-scale systems. He founded First Base Technologies in 1989,
providing information security consultancy and security testing to commercial and
government clients. Peter has hands-on technical involvement in the firm on a daily
basis, working in penetration testing, social engineering and security awareness.

How to Inculcate a Cyber-Security Culture throughout an Organization
by James McDonagh
Recently on a train, I overheard a conversation about herbal cigarettes. At an unspecified
time in the past, a lady was quitting smoking. She used these as a substitute. They look and
smoke just like a regular cigarette, but contain no tobacco. You can buy them at a chemist.

She had been smoking one of these things in a pub, and was asked to leave because the pungent odour led
the manager to believe the ‘herb’ in question was the kind defined by Urban Dictionary.

I was surprised by this story. Of course, in the UK it is now illegal to smoke indoors. It only transpired later
that this incident occurred before the ban.

The very thought of smoking inside these days is culturally anathema. The legislation preventing smoking in
enclosed spaces came into force on 1st of July 2007. Backed up by advertising and warning labels, it seems
to have become a social norm.

Cyber security as a cultural norm, or at least a thorough appreciation of the issues, is surely something to
strive for. The easiest opportunity will be the one attacked, and any organization is only as secure as those in
its supply chain.

The 2013 Information Security Breaches Survey conducted by PWC tells us that:

• 87% of small businesses had a security breach in the last year (up from 76% a year ago);

• 36% of the worst security breaches in the year were caused by inadvertent human error;

• 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago);

• 42% of large organizations don’t provide any on-going security awareness training to their staff (and 10%
don’t even brief staff on induction);

• 93% of companies where the security policy was poorly understood had staff-related breaches (versus
47% where the policy was well understood).

Amongst (most) IT professionals there is a fundamental understanding of IT security practices. We would not
click on every link we see, nor plug just any USB drive into a machine. There is already a culture of this
embedded in our clique.

But how do we go about establishing this and other security practices as normal behaviour in the wider user
community? In the earlier example of the smoking ban, there has been a shift from a ‘top-down’ legislative
imposition to a widely accepted social rule. Peer pressure is as likely to prevent smoking indoors as
the threat of a fine.

Similarly, rules and technical solutions will only take you so far in preventing security breaches and data
loss. A good social engineering attack can gain ground no matter how well locked down your network is.

Some of us are old enough to recall a time when PCs were a rarity in the office outside of a thinly staffed
IT department. We now live in a world where we are all in ‘The IT Crowd’ to some degree. However cyber
security continues to be a niche area. While no one would expect everyone in an organization to possess the
skills of Pen Test Magazine readers, we are at a point where a basic understanding of cyber security needs to
spread throughout the workforce. Indeed, one would argue that it is more important than the skills which are
more often prioritized, such as MS Office.

The starting point is a workplace policy. You can create one from scratch, based on what the priorities are in
your business. Alternatively, there are numerous policy templates that can be downloaded from the Web.

Of course, most of the organizations using Pen Testing will already have a policy in place, but how do they
go about ensuring that it is understood and implemented by all members of staff? And better yet, how do
you reach the point where it is embedded into the culture of your organization, where one employee will
challenge a colleague over poor IT hygiene practices?

As the PWC survey indicated, both induction and regular on-going training should be scheduled in as a
starting point. Once you have decided upon your workplace security policy, you could use a policy checking
tool such as Titania’s Paws Studio.

Paws Studio will help you enforce and check that your work machines are compliant.

Paws Studio, just like Nipper Studio, is very easy to use. You will also find a more detailed walk through
elsewhere in this issue.

While the software naturally comes with pre-installed policies for PCI and many other compliance standards,
the user-generated/customizable policy option is the ideal tool to appeal to users in this arena.

Customizing your policy could hardly be more straightforward.

While readers of PenTest magazine will generally like to edit the XML themselves, there is an editor which
allows a further two ways of editing the policy file.

For, say, a small business owner with limited IT knowledge, the most convenient tool is probably the Wizard.

This maintains the hierarchical requirements of the XML while providing a more user friendly method of
creating or customizing your Policy.

Once you have installed and started Paws Studio, select the Policy Editor from the bottom right of the home
screen (see Figure 1).

Figure 1. Paws Studio main screen


When the initial screen opens, select the Wizard button on the left (see Figure 2).

Figure 2. Policy Editor wizard selection

In this example, I have chosen to use the supplied Titania template, which comes as a sample pre-defined
policy. Opening it provides some summary information (see Figure 3).

Figure 3. Policy Editor

At the top of this screen, you can see the three levels of the hierarchy in the policy file, which are:
Requirement, Group and Check. In the next screenshot (see Figure 4), I am at the Requirement level and
choose to add a Group.

Figure 4. Selecting requirement


I call this Group ‘Antivirus check’, and add the Check in at the next stage (see Figure 5).

Figure 5. Adding AV Check

In the next section, you are able to add the details of your specific Check. I give it an ID and a Title, and then I
am able to choose from one of the supported checks. For example, Manual Checks are Checks where the user
needs to perform some kind of check themselves – for example, ensuring that a suitable lock is fitted to the
server room door and that it is used. Naturally, Paws Studio can also automatically check for various issues on
an individual machine. In the example here I am looking for suitable antivirus software, but other examples
include (but are not limited to) password policy, system updates and installed software (see Figure 6).

Figure 6. Check

On the final screen, you can review all the checks in your file and save it for later use during a Paws Studio
audit (see Figure 7).


Figure 7. Review and Save

So with both the training and the regular checks on your machines using software like Paws Studio, you can
go a long way in terms of both explaining and enforcing your security policy.

But we can do more. Of course, for the readers of this magazine, we certainly hope that organizations will
regularly engage the services of a Pen Testing company. However it is also worth considering setting up a
method to regularly check the response of your employees to some of the most common types of attack.

At Titania, we set up a webserver and used it to run mock phishing attacks against our employees. It was
very straightforward: we just used a virtual machine, an Apache webserver and a variety of email accounts
to run some attacks. It was then simply a matter of checking the logs to see who had responded. I am very
happy to say that we had no responses from our employees – they are obviously very well trained!

Of course, once you have the webserver, you can use it in the future to run more ‘attacks’. It is worth doing it
often to both judge how aware your staff are of your policy, and to keep it fresh in their minds.
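
The log check described above, as an added Python example (it is not Titania's own script). It assumes Apache writes the combined log format and that each mock email linked to the test webserver with a per-recipient "t" token; the roster, token values, scanner marker and log lines are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Assumption: token -> recipient mapping kept by whoever sent the mock emails.
ROSTER = {"a1f3": "user-01", "b7c9": "user-02", "c2d4": "user-03"}

# Assumption: user-agent substrings of automated link checkers in your own mail path.
# Their pre-fetches would otherwise be counted as a member of staff responding.
SCANNER_MARKERS = ("ExampleMailScanner",)

# Constructed sample log lines (documentation IP ranges, invented tokens).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2013:09:01:00 +0000] "GET /notice?t=b7c9 HTTP/1.1" 200 512 "-" "ExampleMailScanner/1.0"
198.51.100.7 - - [12/Mar/2013:09:01:01 +0000] "HEAD /notice?t=b7c9 HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2013:09:14:02 +0000] "GET /notice?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.10 - - [12/Mar/2013:09:20:31 +0000] "GET /notice?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [12/Mar/2013:10:00:00 +0000] "GET /notice?t=zzzz HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def tally_responses(log_text, roster=ROSTER, scanners=SCANNER_MARKERS, param="t"):
    """Summarise which recipients followed the link, from the access log alone."""
    first_visit = {}      # recipient -> earliest qualifying request
    unknown = set()       # tokens that are not on the roster
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Count only successful page loads; HEAD requests and errors are not a visit.
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        if any(marker in m["agent"] for marker in scanners):
            continue
        tokens = parse_qs(urlsplit(m["target"]).query).get(param, [])
        if not tokens:
            continue
        token = tokens[0]
        if token not in roster:
            unknown.add(token)   # forwarded, mistyped or guessed link
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        who = roster[token]
        if who not in first_visit or when < first_visit[who]:
            first_visit[who] = when
    return {
        "responded": {w: t.isoformat() for w, t in sorted(first_visit.items())},
        "no_response": sorted(set(roster.values()) - set(first_visit)),
        "unknown_tokens": sorted(unknown),
        "response_rate": len(first_visit) / len(roster) if roster else 0.0,
    }


if __name__ == "__main__":
    for key, value in tally_responses(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keeping the summary at this level (who responded, when, and the overall rate) makes it easy to compare one exercise with the next.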

This is a simple method of testing your training methodologies and generating debate amongst staff. There
are probably many similar techniques you can use.

For example: Insert a point in your policy document that USB drives found on or near work premises should
be handed to a nominated person in your organization, then liberally sprinkle a few cheap USB drives
around the area.

If, when you check the drive locations they have disappeared but have not been handed in, then it can
perhaps be raised at the next staff meeting. If, for some reason, USB drives are not locked out on your
company hardware, you could perhaps have a text file on the drives with something like: ‘Oops, you have
breached security policy point X’.

One very important point that needs to be made here: this is not about punishing or tripping up employees.
It’s about lighting those metaphorical cigarettes in the workplace, and seeing who responds appropriately.
Those who do can be used as good examples or torch-bearers for the rest of the team.


So, this gives you – or your clients – a simple three pronged approach to building the IT aware culture we
should be aiming for:

• Codify a policy;

• Enforce it [regularly];

• Test it [regularly].

The fourth important ingredient is, of course, time for the policy to permeate and percolate until it becomes
normal behaviour.

Perhaps the more businesses that use this or a similar approach, the more often such businesses will be
exacting during their interactions with other organizations. If that happens, then such a culture might
start to spread exponentially.

Poor cyber security, like smoking, is an expensive bad habit. Unlike smoking, it can have very bad
consequences for more than just the user and those near to them.

About the Author


James McDonagh, Technical Services Manager at Titania
James joined Titania with a background in both project and personnel management
in various organizations, including blue chip companies. He has technical
experience across various sectors, and is currently responsible for managing the
development, testing and support functions of the company. Outside of work he
recently completed his first skydive!


Security and the rise of compliance‑based auditing
by Andy Williams
Andy Williams is the Head of International Development at Titania. In this article Andy uses
his experience of the transatlantic information security market to highlight the potentially
dangerous assumption by many non-security professionals that compliance IS security.
Andy explains in business terms how adopting best practice, as laid down in recognised
information security compliance standards, makes good business sense – but does not
guarantee security.

Although penetration testers know that compliance does not equal security, Governments and standards
bodies could be said to be driving Global Cyber Defence towards compliance based auditing. So, what are
the benefits to be had and what are the risks to your organisation and how do you communicate them to your
board? As security professionals we know compliance standards have a clear benefit in raising the overall
security baseline, but there are major concerns as to whether it is also driving the belief that compliance
IS security. CEOs of compliant organisations are now concerned about the rising litigation associated with
liabilities accrued in failing their security ‘duty of care’. Compliance isn’t enough; you must also be able to
prove your company is undertaking due diligence on security.

Increasing compliance burden


There has been an increasing proliferation of industry, national and international information security
compliance standards. This in itself has been the cause of growing confusion and complexity for
organisations. A recent study indicated that international organisations have to obey some 600 different
regulations and laws in the information security space alone. Michael de Crespigny, CEO of the Information
Security Forum, encapsulated the dilemma for many companies when he explained that “our members are
finding it hard to understand what they are complying with and sometimes what the body of authority is”.

Security breaches continue to escalate


Despite the increasing focus on compliance, the simple truth is that the volume of security breaches
continues to escalate at an alarming rate. In its 2013 Information Security Breaches Survey in the UK,
PricewaterhouseCoopers reported that 93% of large firms and 87% of small firms had experienced a security
breach in the last 12 months.


Compliance makes good business sense


Adopting best practice, as laid down in recognised information security compliance standards, certainly
makes good business sense. A survey by the Ponemon Institute of 160 executives at 46 multi-national
companies from a range of industries found that achieving compliance with regulations and standards cost
the companies $3.5 million. Noncompliance cost a total of $9.4 million in fines and penalties, revenue loss,
data breach costs and lost productivity.

Compliance alone is not the answer


However, organisations should not make the mistake of thinking that compliance IS security. In an increasingly
connected world, “the price of security is eternal vigilance”. The US National Vulnerability Database is
currently reporting an average of 12 new security vulnerabilities a day, 35% of which are classified as “high
severity”. The rate at which new vulnerabilities are being reported has increased by 23% in the last year alone.
Cyber criminals target specific vulnerabilities at the point in time when they attack. In such a dynamic and
fast moving environment, regular and varied security activity is essential when addressing the continuously
evolving threat landscape and will complement your organisation’s compliance audits.

What do you need to raise with your board?


Increasing the regularity of detailed audits, either through advanced configuration auditing tools and/
or penetration testing, combined with regular scanning based security hygiene and investment into staff
awareness training, will help reduce liability risk on ‘duty of care’ litigation.

About the Author


Andy Williams, CSO at Titania
Andy Williams is the Head of International Business Operations at Titania Ltd,
which supplies cyber security audit software solutions to security consultants and
end-user organisations in government, finance, and technology corporations in
over 45 countries worldwide.
Previously, he served for 6 years as an international trade advisor for the
US Department of Commerce at the American Embassy in London, where he
was responsible for promoting collaboration between UK and US cyber security companies, government and
academia.


Interview with Ian Whiting, CEO of Titania
by PenTest Team
Ian has been working with leading global
organizations and government agencies to help
improve computer security for more than a decade.
He has been accredited by CESG for his security and
team leading expertise for over 5 years. In 2009 Ian
Whiting founded Titania with the aim of producing
security auditing software products that can be used
by non-security specialists and provide the detailed
analysis that traditionally only an experienced
penetration tester could achieve. Today Titania’s
products are used in over 50 countries by government
and military agencies, financial institutions,
telecommunications companies, national
infrastructure organizations and auditing companies,
to help them secure critical systems.

Hello Ian, please tell us a few words about Titania.


Titania was founded with the aim of developing easy to use security auditing software that performs a
detailed analysis of systems that otherwise would require specialist knowledge. The software that we have
released to date has assisted both government and leading businesses in better securing their networks. In the
process, Titania has gained critical acclaim from leading industry analysts and several awards.

Since opening our first office in December 2010, Titania has experienced considerable growth. We now
supply our products directly, and through a network of global partners, to organizations in over 50 countries
worldwide. Our customers tend to be those that are security conscious, in sectors such as finance, defense,
telecommunications, auditing and manufacturing.

What is it like leading a company like Titania and what are some of the challenges you face?

There are of course many technical and development challenges to running a business like Titania that
specializes in cyber security auditing. However, as soon as we started trading our largest problem was
responding to our customers’ requests to purchase the software and keep up with the demand for new features
and functionality. In fact our largest challenge to date has been to manage the growth of the company.

We are always looking to keep ahead of the competition and we have decided on a plan to achieve that goal
through the technical capabilities of our products rather than through our company’s marketing arm. So
although we sometimes have a difficult time communicating our message, our products speak for themselves.

Do you offer any professional services?

We do not provide any professional services at present, though we are always continuing to review that
situation. So we may add professional services at a later stage, both directly and through our network of
global partners.

Users of our software do not require training services as one of our development goals was always to make
our products as easy to use as possible. I believe we have succeeded in that goal. I have personally seen
non-technical people produce detailed and complex security audit reports using our software with no previous
experience with the tool. This being said, we are not resting on our laurels and we continue to look at ways
to further improve user interaction with our products.

How often do you refresh (update) your products to meet the latest security challenges and threats?

Our products are continually being updated and are evolving to meet the requirements of our customers
and the new issues that emerge in the industry. Typically each of our products has a short release cycle with
updates being made available monthly.

Can you mention some of your top-selling products?

Nipper Studio is our company’s flagship product. It takes the manual process of reviewing how network
switches, routers and firewalls have been configured and automates it. This is not done using the intrusive
method of scanning a network device, which would not give you the full picture of how the device has been
setup, but by analysing their native configuration.

The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting,
configuration reporting and more. The reports produced are equally detailed and specific; they were designed
with technology that writes the report just like a human would. This is in contrast to traditional computer
report writing technology that simply joins pre-written paragraphs of text together and rarely accurately
describes how something specific has been configured.

Our most recent product, Paws Studio, is a Windows and Linux compliance product for servers, workstations
and cloud-based systems. It was developed based on very specific security requirements of our customers
who work in highly secure environments, with very sensitive information. They needed a solution that could
be run without installing software on the audited system. Therefore we built Paws Studio to be able to run
over the network, on the local system or offline with no connection to the audited system.

Although we have pre-configured Paws Studio with a number of different compliance check lists, you can
define your own compliance checklist within the product. We have developed a Policy Editor that enables
you to either modify one of the pre-defined compliance lists or create one of your own from scratch.

All of our products have been designed to be integrated with bespoke and third-party systems, including
continuous monitoring setups. They can easily be integrated using a scriptable interface and you can export
the report data in a variety of different formats. We also release our products with multi-platform support
covering Microsoft Windows, Apple Mac OS X, Red Hat Linux, Ubuntu, Fedora and so on.

Our customers are very important to us and their needs play a key role in the development of all of our
products. We base a lot of our development plans around their feedback and requests.

Where do you see Network Security heading in next few years? What are some of your predictions?

I see that security compliance is going to play an ever larger role within the industry than it does today.
It is great to see progress towards an ever improving security baseline, but it also saddens me to see
many organizations depending solely on compliance as the means to being secure. It is why I believe it is
important that the security industry, in addition to enhancing security compliance lists, highlight the fact that
being compliant does not mean you are secure. Unfortunately I can see there will continue to be security
breaches in organizations who manage security risks with compliance instead of striving to ensure a truly
secure environment. You can almost picture the victim company’s statement now. It would read something
along the lines of, “The company had met their compliance standards and we are now reviewing our current
operating practices to ensure how best future breaches could be avoided”.

Nipper Studio is fairly popular in the network security industry; can you give us some historical
background on that product?

I have a background as a penetration tester and regularly performed manual assessments of various network
devices. A proper assessment of a network device is not a five minute task; each aspect of how a device
can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who
is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of
knowledge about the device being reviewed. It seemed to me that this is exactly the type of task that is
suitable for automation.

***** It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge
of every system they come across. The same is also true of the network administrators who manage those systems; they may not have the in-depth security
background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side, giving penetration
testers device-specific assistance and helping network administrators identify potential security weaknesses. *****

Although Nipper Studio originally started life simply identifying a limited number of security weaknesses
with Cisco configurations, it soon grew by adding support for more devices, identifying more security
weaknesses and eventually writing the security audit report for you.

At Titania, how do you strive to achieve top-quality software? What kind of quality control do the
products go through?

This is a very challenging aspect of developing a product such as Nipper Studio. The number of moving
variables involved with the development process is huge. We support a large number of different devices, the
manufacturers of which are constantly updating and revising their platforms. Plus the vulnerabilities in each
platform are forever evolving.

We maintain a growing test environment that includes the different devices that we support, plan to support
and some others that may never get added to Nipper Studio. These are all used during the development and
testing process, together with different firmware versions. To help manage the development plan for this
we employ a development and tracking system that enables us to manage all these variables together with
improvements suggested by our customers. Each developer and tester knows from our tracking system what
tasks they need to be working on next.

Nipper Studio supports various Cisco devices and some people may be under the impression it
only supports Cisco devices. What would you like to say about that?

Nipper Studio does support a wide range of Cisco devices; it was originally developed with only Cisco
support and it is used by Cisco. So it is easy to understand how historically Nipper Studio could be mistaken
for supporting only Cisco devices. However, the latest versions of Nipper Studio support over 100 different
devices from different manufacturers and are used internally by a growing number of those manufacturers.

Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a
number of network devices made by someone else. We are often approached by customers asking for us
to add support for unusual systems and devices. The network devices that we see deployed in data centers
have evolved over time with increasing deployments of some devices and the reduction in others. We have
developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to
quickly develop, test and deploy support for new devices.

Very often clients complain that they are not offered good product/customer support. How do you
ensure good customer support?

It was important for us to achieve our ISO 9001 accreditation as it helps us to ensure that every customer
receives the same high standard of support from the point that they first engage with the company to when
they receive the product and the subsequent support process that follows. We believe that every customer
deserves great customer service and technical support and we offer these services free of charge to every one
of our customers. Our ISO 9001 conformance not only ensures that all of our staff deliver the highest level
of support but also promotes continuous improvement throughout the company. We achieve this through
collecting and reviewing customer feedback and auditing our customer care processes.

Thank you Ian, for the interview.

By PenTest Team


Exhibition Review: Infosecurity Europe


by Nicola Whiting
Infosecurity Europe is an annual show which takes place every April at Earls Court in
London. (2014’s show is later than normal and the scheduled dates are 29 April-01 May).

Figure 1. Outside Earls Court during Infosecurity Europe. Photograph Provided by Reed Exhibitions
(October 2013)

Titania will be exhibiting for its fourth year and we would recommend Infosecurity Europe as a key show for
both independent and corporate Penetration Testers. Not only will it give you a good overview of the tools
your customers are using to manage their systems, but you will also gain invaluable information on the latest
business critical issues and hot topics.

You can register for FREE entry and there’s plenty of value in attending:

The security professional’s “intelligence boot camp”

Seminars are delivered at all levels and include industry focussed topics in both business and technical areas.
The keynote theatre is a great place to update on global trending topics and you’ll find both high level guest
speakers and strategic end-user panel discussions.

Hot topics for 2013 included application security, business continuity and digital forensics, encryption, managing
the human factor, compliance, identity access management, network infrastructure and secure transactions.

Whatever current problems are keeping your customers awake at night, you can be sure that the seminars,
workshops and keynote theatre will leave you armed with both the issues at hand AND the industry’s best
practice advice.

Hundreds of key vendors, thousands of products and services

Infosecurity Europe is on a growth streak and had over 13,000 visitors last year (ABC audited).


Figure 2. Inside Infosecurity Europe: Photograph provided by Reed Exhibitions (October 2013)

Visitors range from SMEs to large multinationals and from diverse market sectors.

It’s no surprise that leading security vendors choose InfoSec to showcase their latest and greatest innovations.

In a fast paced industry it’s important that, as a security professional, you are able to review your security
choice, method and message against the current security marketplace.

Are you getting best value, is there a leaner more efficient way of achieving your current requirements, are
you still “ahead of the curve”?

If you’re happy with your current choices it’s also a great opportunity to get an update on the latest features
from your current product vendors AND iron out any niggling operability questions!

In 2013 there were over 350 key security vendors at Infosecurity Europe, so there’s no better opportunity to
see what’s on offer and build some new business contacts.

Multiple Networking Opportunities

Through the exhibition, seminars and workshops, you’ll have the opportunity to network with peers from
other sectors, often gaining new and fresh insights into common threat areas.

Many of Titania’s customers are Penetration Testers (who use Nipper Studio to improve their ROI on configuration
reviews). Their first-hand experience is that InfoSec is a great B2B opportunity and not to be missed.

If you make it to Infosecurity Europe this year, stop by our stand (G25). We’d love to hear what you think of
the show and would be happy to show you our latest products and updates!

About the Author


Nicola Whiting, COO at Titania
Nicola Whiting is Titania Ltd’s Chief Operating Officer and has a solid
reputation for increasing revenues and profitability within technology based SME
environments. She joined the team in 2011 and has overseen a period of intense growth
and change. Now Nicola’s focus is on extending the organizational capabilities and
workforce skills, in order to continue to embrace innovation.


A Tool That Tells a Tale


by Richard Hatch
At Portcullis we understand the benefits of automating data gathering and parsing data with
tools to quickly extract pertinent information. Such information can be used to automatically
run additional targeted checks against certain network services for example. This enables a
penetration tester to be quickly alerted about known security issues and provides references
to related vulnerability information, e.g. matching Metasploit exploits to Nessus output.

When it comes to performing security assessments of network devices such as firewalls, routers or switches
then Nipper Studio is the first tool we reach for.

After running a Nipper Studio audit, the report is presented (as HTML) within an embedded browser. Nipper
Studio also allows the user to export that report in a number of easily selectable formats (CSV, txt, HTML,
XML etc.). A nice feature of the presented report is the cross-linked references to issues, tables, etc. which
enables the user to drill down in to logical names present in rules (such as object groups). Any passwords,
some of which are decoded from the obfuscated forms, can either be displayed inside the report or masked.

Additionally, Nipper Studio reports on known software vulnerability issues for the device firmware version,
without the need for an active Internet connection. This saves time that can then be spent reviewing the
issues identified or considering the device within the business context. For example does the device
adequately fulfil the role it is supposed to play, or should additional rules be present to address specific needs
or concerns of our customer?

The options to perform checks against different compliance policies, as well as differential comparisons (a
“before” and “after” review to highlight changes), makes what would be a time-consuming and challenging
task a quick and straight-forward one.

The output formats supported by Nipper Studio enable our penetration testers to use bespoke tools to
process the report output and process references such as CVE numbers. These are then imported in to our
own custom reporting tools.

The explanations of the issue findings in Nipper Studio also serve as both an insight and a reminder when
encountering some of the more obscure issues or features present on a device. For instance a configuration file
command that starts “glbp” may not be immediately recognised by a tester as the Gateway Load Balancing
Protocol, a proprietary Cisco protocol. The issue help text from Nipper Studio expands such acronyms and
enables the tester to recall their understanding of the technology invoked by the “glbp” command.

The benefits of using Nipper Studio for security analysts mirror those for the client: It offers a faster,
potentially more in-depth review with more technical detail available. Furthermore, it has the ability
to determine if a device adheres to necessary compliance policies, documented design rules, or what
configuration changes are present against a known baseline. For example, imagine a company detects
that its internal network has been compromised, but is unsure if the attacker gained access to a router
and changed the configuration (to breach network segregation). They can quickly compare the current
configuration against the Nipper Studio report of a known-good configuration that could not have been
affected by a hacker (e.g. stored on a backup CD that is held in a safe at another location).
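
The baseline comparison from the compromised-router scenario above, written as an added Python example; it is not Nipper Studio's method or output. The IOS-style configurations, the ACL name SEGREGATE, the addresses and the list of volatile lines are constructed assumptions.

```python
import difflib

# Lines that change with no administrator action (assumption: IOS-style output;
# extend the tuple for your platform).
VOLATILE_PREFIXES = ("ntp clock-period", "Building configuration", "Current configuration")

# Constructed known-good configuration, e.g. restored from offline backup media.
BASELINE = """\
! Last configuration change at 10:02:11 UTC Mon Jan 7 2013
hostname edge-rtr
!
interface GigabitEthernet0/1
 description user VLAN
 ip address 10.10.0.1 255.255.255.0
 ip access-group SEGREGATE in
!
ip access-list extended SEGREGATE
 deny ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip any any
!
ntp clock-period 17179869
line vty 0 4
 transport input ssh
"""

# Constructed configuration pulled from the device after the incident.
CURRENT = """\
! Last configuration change at 03:41:55 UTC Sun Mar 3 2013
hostname edge-rtr
!
interface GigabitEthernet0/1
 description user VLAN
 ip address 10.10.0.1 255.255.255.0
 ip access-group SEGREGATE in
!
ip access-list extended SEGREGATE
 permit ip host 10.10.0.77 10.20.0.0 0.0.0.255
 deny ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip any any
!
ntp clock-period 17179912
line vty 0 4
 transport input ssh telnet
"""


def parse_blocks(config_text):
    """Map each top-level command to the ordered list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):   # blank line or comment/separator
            continue
        if line.startswith(VOLATILE_PREFIXES):          # noise, not a real change
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def compare_configs(baseline_text, current_text):
    """Return (change, section, line) tuples; line is None for a whole section."""
    base, cur = parse_blocks(baseline_text), parse_blocks(current_text)
    findings = []
    for section in sorted(set(base) | set(cur)):
        old, new = base.get(section), cur.get(section)
        if old is None or new is None:
            change = "added" if old is None else "removed"
            findings.append((change, section, None))
            findings += [(change, section, l) for l in (new if old is None else old)]
            continue
        # Sub-command order is kept: in an ACL a moved entry changes what is permitted.
        matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag in ("delete", "replace"):
                findings += [("removed", section, l) for l in old[i1:i2]]
            if tag in ("insert", "replace"):
                findings += [("added", section, l) for l in new[j1:j2]]
    return findings


if __name__ == "__main__":
    for change, section, line in compare_configs(BASELINE, CURRENT):
        print(f"{change:8} {section} :: {line if line is not None else '(whole section)'}")
```

The timestamp comment and the ntp clock-period value differ between the two files but are not reported, so the output contains only changes that someone made.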

In one case, a client had asked for a security assessment of a firewall, with specific consideration given to
the protection of key network assets. The firewall had a large number of rules configured and there was a
chance that the assessment could not have been completed in the time available. By using Nipper Studio
to automate the time consuming process of manually identifying issues, the tester was able to take a “step
back”. With the help of a network diagram they determined that, although access to key assets was prevented
from the Internet, there were no such restrictions in place to prevent access from an internal network area.
The client was then able to add additional filtering to prevent access to the sensitive data held within those
key assets. The client commented that none of the previous firewall assessments undertaken had identified
this issue which when pointed out seemed obvious.


In conclusion, Portcullis use Nipper Studio to quickly identify potential security concerns arising from the
configuration of network devices, in a way that provides those findings in formats that can be processed by
scripts. The consultants save time, allowing more in-depth assessments even in environments where internet
access is not permitted. These assessments take into account the environment in which a device will operate,
allowing better (and more detailed) information to be provided to clients. Any technical team that have
a need to review, assess or compare the configurations of firewalls, routers or switches would do well to
consider Nipper Studio.

About the Author


Richard Hatch, IT Security Consultant at Portcullis
Richard Hatch is a software engineering graduate who joined Portcullis in 2011.
As an IT security consultant he carries out penetration testing, writes reports,
develops tools and supports in-house capabilities. He has an interest in reverse
engineering.
Portcullis is committed to providing a comprehensive IT security consultancy for
our clients to ensure that their networks and websites are secure from threat of
attack. As a leading UK service provider, we assist our clients through penetration
testing, digital forensic services, incident response, training and bespoke
consultancy services to ensure they have a true sense of security.
Portcullis can complete tests under the CREST and CESG CHECK schemes.
http://www.portcullis-security.com


Configuration Auditing, the Security Hygienist you’ve Always Wanted!
by Nicola Whiting
For many, configuration security ranks about the same as dental hygiene.
Critical Infrastructure devices such as firewalls, switches and routers need to be secured against external
hackers and internal threats, but it’s not seen as exciting and doesn’t rank highly on boardroom agendas.

The most common result is to use a dual approach, combining scanning or agent based software, with annual
penetration test reviews – to use the same analogy, daily brushing and an annual trip to the dentist.

This two-layer response does offer some advantage: it’s great for regular big-picture analytics (the ones
that boardrooms like) and the annual penetration testers do a thorough job of analysing vulnerabilities and
providing a detailed report.

Unfortunately, as anyone with a mouthful of fillings can testify, it also often lets the rot set in!

The dual response issue


Network scanners send huge numbers of network probes to a device and can impact performance. Only
exposed vulnerabilities are identified, which potentially misses many issues that would be found with a
detailed manual audit.

Agent-based audit software requires software to be installed on the devices being audited, which is not
possible for all devices. Furthermore, the required agent software can introduce additional security vulnerabilities.

Penetration testing requires expert level knowledge and is one of the most widely used and trusted forms of
detailed security analysis. The process involves simulating an attack on your network systems through active
exploitation of security vulnerabilities. To the resident network team, it can feel like the equivalent of lining
up for a root canal…

Typically your primary goal is to test the operational capability of your network defenses to successfully
detect and respond to attacks. Depending on the agreed scope of the test, reported elements may include:
hardware and software vulnerabilities, poor or improper system configuration and suggested improvements
to operational processes.

Part of the testing process may involve a manual configuration review.

Examining individual device configurations is highly time-consuming with significant manpower costs.
Typically this results in point-in-time audits, extrapolating results from a sample of devices and potentially
leaving vulnerabilities on non-assessed devices.

The Third Option


Early in his career as a Penetration Tester and CHECK team leader, Ian Whiting (CEO of Titania Ltd)
realized there was a third option that was not being provided within the security marketplace.

He realized that by automating the detailed configuration vulnerability analysis he could improve auditing
speed, accuracy and return on investment.

His initial requirements were to:


• Flatten the Security assessment process.

• Achieve significant cost savings on current audit practices.

• Improve the productivity of the Audit Process.

• Reduce the human error factor through automation.

• Provide instant, device specific, expertise to non-specialist auditors.

Through many years of hard work he developed a configuration auditing solution that is now a “go to” tool
in both SME and global penetration testers’ tool kits and has grown far past its original brief.

The “Configuration Hygienist”


Whilst penetration testers are typically both highly skilled and adaptable, you cannot be expected to have in-
depth knowledge of every system you come across! The same is also true of the network administrators who
manage those systems: they may not have the in-depth security background required to identify potential
weaknesses in their systems.

Typically your penetration tester’s toolkit isn’t something you can pass on, but as a “cyber hygiene”
professional, it makes sense to look for ways to reduce the likelihood of vulnerability cavities developing
between visits…

The interim use of a cost effective configuration auditor widens the potential for detailed device analysis
and on-going identification of potential security weaknesses. Return visits can then be less about finding
conflicting rules and compliance failures and allow more focus on operational improvements and higher
level security issues.

Nipper Studio – Configuration Auditing Tool


Nipper Studio’s early growth was entirely by word of mouth and Titania is very grateful to the penetration
testing community. Thanks to you, Nipper Studio is now a multi-award winning, global solution used in 50
countries and on every continent.

Nipper Studio quickly performs a thorough security assessment of multiple complex network devices,
providing a detailed audit report, typically unachievable with scanning based technologies. The audit report
can be used in a variety of ways and includes recommendations and commands to mitigate the issues.

It requires no additional services on the device or agents to be installed and can audit the devices without
either scanning or connecting to them (ideal for high security clients)!

Figure 1. Scanning in Nipper Studio

It is designed to be both flexible and easy to use. Functionality can be extended through plugins and allows
for custom integration into bespoke systems e.g. for use in continuous monitoring.


The device configuration can be read in by loading a saved configuration file obtained from the device or by
connecting to the device over the network.

Figure 2. Reading a configuration in Nipper Studio

Once a device’s configuration has been processed by Nipper Studio a wide range of report types can be
created, such as a penetration tester grade security audit, configuration reporting, compliance analysis,
change reporting and more.

An extensive range of options enable you to fine tune and customise your reports with no expert
knowledge required.

So if you’re looking at what configuration auditors could do to improve your own ROI, or for a tool to help your
clients monitor their internal controls, then you can refer to our Nipper Studio overview above.

Other products in the marketplace now have some overlap, but it’s a good guide for what to expect your
configuration auditor to deliver.

For more information or to arrange a free trial please contact sales@titania.com.

About the Author


Nicola Whiting, COO at Titania
Nicola Whiting is Titania Ltd’s Chief Operating Officer and has a solid
reputation for increasing revenues and profitability within technology based SME
environments. She joined the team in 2011 and has overseen a period of intense growth
and change. Now Nicola’s focus is on extending the organizational capabilities and
workforce skills, in order to continue to embrace innovation.


Titania’s Paws Studio Review
Whether you see compliance as a burden or an aspiration we are frequently mandated to meet a certain set
of security requirements around our information assets. One important aspect is being able to demonstrate to
yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure
that your systems are compliant with your policies or those mandated by compliance standards? A program
of auditing your systems will help you understand the state of your estate.

Titania’s Paws Studio provides a means to audit Windows and Linux systems and provide compliance
reports against a defined set of policies. It sets out to provide clear and detailed reports of the system’s level
of compliance. Policy templates are editable and Paws Studio comes with predefined templates based on
established policies and best practice including PCI, SANS and DoD STIG.

Policy templates are essentially a group of compliance audit checks built from the check library provided by
Paws Studio. Checks range from high-level tests such as the presence of antimalware software right down to
individual file permissions and registry settings.

There are two ways of creating and customising policy templates. The first is a wizard that guides you
through creating your policy. Here you can define the rules that comprise your policy by clicking through a
series of screens and selecting checks from the library. The interface is straightforward and self-explanatory
and it is a great tool for less advanced users. However, the more technically minded user might find it time-
consuming and prefer to use the supplied Policy Editor instead, which is undoubtedly the more powerful tool.

The Policy Editor provides you with a tree layout of your policy, giving you a bird’s eye view and the ability
to quickly navigate through the rules.

In addition, clicking on the advanced tab gives you a syntax-highlighted view of the raw policy XML.
Whatever tool you choose, the result is an XML file defining the compliance checks for your policy and
metadata used to generate the final compliance reports.


Once you have your policy defined it’s time to audit your systems. In order to compile a report you need the
compliance audit data collected from a machine. At this point you’ve three options. You can choose to audit
the local machine where Paws Studio is installed. You can also audit a system over the network. To do this
you will need valid administrator credentials on the remote system. Paws Studio will scan the local network for
hosts to audit or you can specify the IP address of the machines in scope.

The third option is to use the portable data collector software, a small executable that can be run from a
thumb drive. This is particularly useful where you need to audit a system that is not on the network or is
air gapped from your audit workstation. Run the Data Collector, choose an audit policy and it will create a
.paws file with the audit results.

Once you have collected your audit data you can produce a report on the audited system. Reports contain
the result of each test on the system as well as summary charts showing the percentage of tests passed and a
breakdown of tests that failed by severity. Paws Studio creates a compliance audit report that can be saved
as an HTML, PDF, PostScript or Microsoft Word document. CSV and XML formats are also available so you
can feed machine-readable reports into other reporting systems or build your own applications to consume
your compliance data.


Paws Studio is available for Windows, Mac OS X and various flavours of Linux and currently supports
auditing of Windows and Linux systems. This software is pitched at the SME market, who could be priced out
by enterprise-grade auditing software, though they are unlikely to benefit from the bells and whistles these
tools provide. If you need a cost-effective and easy-to-use compliance reporting tool, Titania’s Paws Studio
certainly merits a second look.

by Jim Halfpenny


Nipper Studio Review
There’s no shortage of vulnerability assessment tools out there and this time I’m looking at one that’s a little
bit different. Nipper Studio from Titania offers a means to audit that often forgotten part of your network: the
network itself. Routers, switches, firewalls and other network appliances are the fabric of your network and
should definitely be in scope for any rigorous information security programme. I’ve given Nipper Studio a
test drive to see how it performs and how it differs from other tools out there.

Firstly it’s worth pointing out that Nipper Studio is not a traditional vulnerability scanner that trawls your
network looking for weak spots. Instead you feed Nipper Studio the configuration files from your network
devices and it audits them, producing a detailed report. This offline auditing means no traffic is generated
by the audit and there’s no need to plug anything into your network, a definite plus for those working in
high-security environments. Working from the inside out provides a totally different insight compared to
traditional network-based scanners.

Nipper Studio offers good cross-platform support with packages available for Fedora, OpenSuSE, CentOS
and Ubuntu flavours of Linux as well as Windows and Mac OS X. I’ve been testing out the version for
Ubuntu, which is supplied as .deb packages for 32-bit and 64-bit systems. There is a good range of supported
devices with all the usual players such as Cisco, Juniper and Checkpoint represented as well as some of the
rising stars like SonicWALL on the list. As well as a GUI tool for generating reports Nipper Studio includes
a command line version, very useful for scripting and automating audits.

Some of the wide range of network devices supported are shown above


Fire it up and Nipper Studio starts with a clean UI showing your reporting, configuration options and built-
in documentation. Creating a report is as simple as clicking on the new report link and telling it the location
of your configuration files. You can add multiple devices to a single report and load previous reports for
comparison. Human readable full and summary reports can be generated in several formats including
HTML, PDF, PostScript and LaTeX. Additionally you can create CSV, SQL and XML outputs enabling you
to further process, report and archive your results.

The Nipper Studio GUI is simple and straightforward to use

The reports may appear on the surface very similar to vulnerability assessment reports from other tools but it
is the level of detail that really shows off the benefits of this method of security auditing. Nipper Studio will
report on firmware version, timeouts, routing and VLAN configuration, service banners, authentication and
other configuration best practice which external scanners may miss. Exposing the internal configuration of
the device exposes potential issues that simply cannot be seen from the outside or may be time consuming to
evaluate such as weak authentication.

Reports on each finding are very detailed and include a severity level, ease of exploitation and
recommendations on how to remedy the issue as well as CVSS v2 scores where applicable. Audits can be
customised to include your organisation’s name and logo and to report based on your security organisation’s
security policy such as password age and strength. You can also include your own notes and control which
sections of the report to include so you can tailor it to the intended audience.


Reports drill down from high-level summary to detailed vulnerability breakdown

An important feature worth mentioning again is the ability to compare the results from previous reports. This
enables you to see what has changed between audits and helps you to gauge the progress you’re making in
improving the security posture of your network environment as well as highlight new threats. You will also
be able to detect unauthorised or unplanned changes to your network outside of your change control process.
It’s all too easy to make an ad hoc change and not document it, with unpleasant consequences further down
the line. This is not a tool solely for point-in-time inspection of your network.
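
The change detection described here, like the known-good comparison in the Portcullis case earlier in this issue, can be sketched in a few lines. This is an added example, not Nipper Studio's method or output: it assumes Cisco IOS-style indented configuration text, and the sample configurations, the `SENSITIVE` prefix list and the function names are constructed for illustration.

```python
import difflib

# Section heads whose change affects access control (assumed list; extend per device).
SENSITIVE = ("access-list", "ip access-list", "interface", "line ", "username", "snmp-server")

def parse_sections(text):
    """Map each top-level line to its ordered child lines (IOS-style indentation)."""
    sections, head = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines, separators and "! Last configuration change" stamps
        if line[0].isspace() and head is not None:
            sections[head].append(line.strip())
        else:
            head = line.strip()
            sections.setdefault(head, [])
    return sections

def drift(baseline, current):
    """Return (kind, head, delta, sensitive) for every section that differs."""
    base, cur = parse_sections(baseline), parse_sections(current)
    findings = []
    for head in sorted(set(base) | set(cur)):
        if head not in cur:
            kind, delta = "removed", []
        elif head not in base:
            kind, delta = "added", ["+ " + child for child in cur[head]]
        elif base[head] != cur[head]:  # order matters: ACLs are first-match
            kind = "changed"
            delta = [d for d in difflib.ndiff(base[head], cur[head]) if d[0] in "+-"]
        else:
            continue
        findings.append((kind, head, delta, head.startswith(SENSITIVE)))
    return findings

# Constructed sample: a known-good export (not taken from a real device).
BASELINE = """\
! Last configuration change at 09:12:01 UTC Mon Jan 7 2013
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.0.0
 ip access-group SEGREGATE in
!
ip access-list extended SEGREGATE
 deny ip 10.1.0.0 0.0.255.255 10.9.0.0 0.0.0.255
 permit ip any any
"""
# Constructed later export: new timestamp, one ACL entry inserted, one account added.
CURRENT = (BASELINE.replace("09:12:01", "23:41:55")
           .replace(" deny ip", " permit ip host 10.1.4.77 10.9.0.0 0.0.0.255\n deny ip")
           + "username tmpadmin privilege 15 secret 5 CONSTRUCTED\n")

if __name__ == "__main__":
    print(*drift(BASELINE, CURRENT), sep="\n")
```

Comparing ordered child lines per section, rather than the file as a set of lines, is what lets a reordered or inserted ACL entry show up even when every individual line also exists in the baseline.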

Nipper Studio is licensed on a per-device basis starting at $1000 for 25 licenses, working out at $40 per
device. As you would expect discounts are available for larger purchases; 1000 or more licenses will set you
back $8.50 per device. Compare this to the cost of a manual check by an experienced auditor and you’ll get
a figure an order of magnitude less for Nipper Studio as well as the benefit of rapid and repeatable reporting.
Is there anything that this product would miss that a trained auditor would catch? Quite possibly, but using
this tool for your initial baseline and regular testing means you can cover off the majority of common issues
and spend your remaining security budget more effectively.

by Jim Halfpenny
