Security audit: The Complete Documentation
- This category contains 21 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
100 Industrial-Strength Tips and Tools for the Script Kiddie
Published on 2003, by modular, ©truncode security development.
File infos:
- L0T3K ID: docs-268
- status: online
- source: www.truncode.org
Auditing Inside the Enterprise via Port Scanning & Related Tools
Published on 2002, by GIAC, ©SANS Institute.
This paper assumes that the difficulty of maintaining and verifying the state of all systems on a network of any significant complexity is more than most system/network administrators have time to deal with directly. It proposes that internal port scanning (and derivative tools) be used on an ongoing basis to keep watch on various, listed aspects of network security. A number of commercial, freeware, demo, and open source tools are described along with how best to use them to identify problems. Additional consideration and discussion is given to other planning requirements.
File infos:
- L0T3K ID: docs-892
- status: online
- source: www.sans.org
Auditing Web Site Authentication, Part One
Published on April 24, 2003, by Mark Burnett, ©SecurityFocus.
Consider this scenario: you build a Web site that requires some kind of user log-in. You allow users to create usernames and passwords and require a valid username and password to get in to your site. But is your Web site authentication scheme secure? Every time I register at a site, I marvel at the consistently laughable - sometimes pathetic - security among even the world's largest Web sites. As the Web becomes more a part of our personal lives, the threat of fraud and identity theft grows accordingly.
File infos:
- L0T3K ID: docs-310
- status: online
- source: www.securityfocus.com
Auditing Web Site Authentication, Part Two
Published on May 5, 2003, by Mark Burnett, ©SecurityFocus.
Inadequate user security is a problem that Web developers must address. Perhaps it is lack of standards. Perhaps it is a lack of auditing. This is the second part of an article addressing both of those issues by establishing a standard audit procedure by which to measure your own security. Test this list of questions against your own Web site's authentication scheme and see how it stands. The first article focused on issues surrounding usernames and passwords. This article will explore issues surrounding user privacy, session authentication, user security, and cookies.
File infos:
- L0T3K ID: docs-311
- status: online
- source: www.securityfocus.com
Battle for the Internet: The War is On!
Published on April 20, 2003, by Mark Burnett, ©SANS Institute.
There is a war going on, did you know that? Everyday there are people using the Internet to declare a war on both individuals and computers. There are two sides to this battle: on the one side is the security professional in the trenches trying to defend, and on the other side, there is the hacker (cracker).
File infos:
- L0T3K ID: docs-318
- status: online
- source: www.sans.org
Conducting a Security Audit: An Introductory Overview
Published on 2003-05-26, by Bill Hayes, ©SecurityFocus.
The word "audit" can send shivers down the spine of the most battle-hardened executive. It means that an outside organization is going to conduct a formal written examination of one or more crucial components of the organization. Financial audits are the most common examinations a business manager encounters. This is a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. They may even be familiar with physical security audits. However, they are unlikely to be acquainted with information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization's information is assured. They should be. An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.
File infos:
- L0T3K ID: docs-1025
- status: online
- source: www.securityfocus.com
FootPrinting :: Before the real fun begins
Published on May 24, 2003, by Krishna, ©eBCVG Net.
FootPrinting is the art of gathering target information. It's just like knowing about your enemy before you try to attack. A successful attacker must harvest a wealth of information to execute a focused and surgical attack. This enables an attacker to create a complete profile of an organization's security posture, and this is achieved by using a combination of tools and techniques.
File infos:
- L0T3K ID: docs-414
- status: online
- source: www.ebcvg.com
Frequently Asked Questions about computer auditing
Published on 2002-03-01, by IsecT Ltd., ©IsecT Ltd.
The FAQ explains the main aspects of computer auditing to someone with limited prior knowledge of the topic. Reading the whole FAQ will give you a good overview of the whole subject and should help put it into context, but don't feel embarrassed about being bored stiff by the tenth line (or earlier if you are a quick reader). It's not everyone's cup of tea. Just pick some slightly-less-boring topics from the contents list and browse the hyperlinks until you slump over your keyboard.
File infos:
- L0T3K ID: docs-902
- status: online
- source: www.isect.com
Google Your Site For Security Vulnerabilities
Published on 2004-10-07, by Nitesh Dhanjani, ©O'Reilly Media, Inc.
If Google™ stumbles across data that may expose sensitive information about your organization, Google™ will not hesitate to index it. The search engine does not discriminate against data it indexes. How can you tell if your secrets have gone public? You can use Google™ to your advantage with some specific search queries. The inspiration for the examples presented in this article comes from Johnny Long. This article will also show you how to use the Google™ API to automate the process of searching Google™ for vulnerabilities.
File infos:
- L0T3K ID: docs-1254
- status: online
- source: www.onlamp.com
Identifying Services
Published on 2004-02-19, by ryan, ©Packetwatch Research.
The guide explains how to identify services. The tools and methods used in this guide have proven helpful to me when trying to identify what services are running on a system. This paper is aimed toward people that perform penetration tests and vulnerability assessments. Keep in mind this guide shows only one method of identifying services. For security-minded individuals out there reading this guide, feel free to contact me with your preferred method(s) of identifying services.
File infos:
- L0T3K ID: docs-927
- status: online
- source: www.packetwatch.net
Introduction to Nessus
Published on 2003-10-28, by Harry Anderson, ©SecurityFocus.
Nessus™ is a great tool designed to automate the testing and discovery of known security problems. Typically someone, a hacker group, a security company, or a researcher discovers a specific way to violate the security of a software product. The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. Nessus™ is designed to help identify and solve these known problems, before a hacker takes advantage of them. Nessus™ is a great tool with lots of capabilities. However it is fairly complex and few articles exist to direct the new user through the intricacies of how to install and use it. Thus, this article shall endeavor to cover the basics of Nessus™ setup and configuration. The features of the current versions of Nessus™ (Nessus™ 2.0.8a and NessusWX™ 1.4.4) will be discussed. Future articles will cover Nessus™ in more depth.
File infos:
- L0T3K ID: docs-814
- status: online
- source: www.securityfocus.com
Knockin' At Your Backdoor
Published on October 2000, by Thomas Rude, ©CrazyTrain.
Penetration testing. This phrase can conjure up many images and thoughts, some of which are better left to the creators of horror films. However, in today's digital data arena, where corporate empires are being built with people's personal information, penetration testing is a necessary function for every Security Department. Penetration testing needs to be thought of and discussed. The empires' data needs to be protected. No longer can we rely on firewall implementations as the answer to privacy. Misconfigurations, exploits, updates, patches, backdoors, disgruntled employees - all are driving reasons for the need for penetration testing.
File infos:
- L0T3K ID: docs-485
- status: online
- source: www.crazytrain.com
Nessus, Part 2: Scanning
Published on 2003-12-16, by Harry Anderson, ©SecurityFocus.
Nessus™ is a vulnerability scanner, a program that looks for security bugs in software. There is a freely available open source version which runs on Unix. Tenable Security has also recently released a commercial version for Windows™ called Newt. Boasting over 1200 checks for individual security vulnerabilities, Nessus™ is a wonderful tool to help track down and eliminate security problems. This article, the second in the series, will attempt to provide direction through the actual scanning process, general logic, and rules of thumb for parameter choices in different situations. If unfamiliar with Nessus™, a reading of the first article will provide the needed background information.
File infos:
- L0T3K ID: docs-1023
- status: online
- source: www.securityfocus.com
Nessus, Part 3: Analysing Reports
Published on 2004-02-03, by Harry Anderson, ©SecurityFocus.
This article, the last in the series about Nessus™, will endeavor to explain a Nessus™ report and how to analyze it. Nessus™ is a vulnerability scanner, a program that looks for security bugs in software. The first article explained how to install Nessus™ and gave a basic overview of its features. The second article gave general rules of thumb for various scanning situations. It is suggested that you review the first two articles before reading this one.
File infos:
- L0T3K ID: docs-1022
- status: online
- source: www.securityfocus.com
Network Security Audit (Part I)
Published on 2002-08-10, by Mahadev Geetha, ©Guardian Digital, Inc.
Information for the right people, at the right time, and from anywhere has been the driving force for providing access to most of the vital information on an organization's network over the Internet. This is a simple guide on conducting a network security audit; the article contains points for conducting an audit.
File infos:
- L0T3K ID: docs-901
- status: online
- source: www.linuxsecurity.com
Network Security Audit (Part II)
Published on 2002-012, by Mahadev Geetha, ©Guardian Digital, Inc..
In the first part of Network Security Audit we had a brief overview of the areas that are to be considered in assessing a network's security, and we also looked at a few points in each of the Management and Administration areas.
File infos:
- L0T3K ID: docs-903
- status: online
- source: www.linuxsecurity.com
Open-Source Security Testing Methodology Manual
Published on February 26, 2002, by Peter V. Herzog, ©Ideahamster Organization.
It began with a simple idea: to make a methodology for security testing open to all. I had no interest in competing with the many hacking books and articles in existence. I knew that this would be important if it worked. I knew it had to work since much of security testing follows a methodology whether or not we sec testers really saw it as anything but a rhythm.
File infos:
- L0T3K ID: docs-537
- status: online
- source: www.ideahamster.org
Packet Crafting for Firewall & IDS Audits (Part One)
Published on 2004-06-28, by Don Parker, ©SecurityFocus.
With the current threat environment that home and corporate users face today, having a firewall and IDS is no longer a luxury, but rather a necessity. Yet many people do not really take the time to make sure that these lines of defense are indeed working properly. After all, it is very easy to invalidate your router's entire ACL by making a single misconfigured entry. The same can be said for your firewall, whereby one poor entry in your iptables script, for example, could leave you vulnerable. Have you properly configured certain options which may be available with your firewall? All of these questions can be answered, and more importantly verified, through the use of packet crafting. What this will allow you to do is manually verify that all is working well with your firewall and IDS, and that each is properly configured.
File infos:
- L0T3K ID: docs-948
- status: online
- source: www.securityfocus.com
Recovering From a Failed Security Audit - A Case Study
Published on 2003, by Wayne Fielder, ©SANS Institute.
In the spring of 2001 my pride was shattered when an independent auditor revealed a number of basic security problems with the network for which I am the Senior Network Administrator, including null passwords and SNMP services with vendor default public and private strings. Further internal investigation revealed many security and behavioral issues within the Agency (the term I will use for my employer throughout this document), including anonymous FTP accounts enabled, no written policies, and sensitive data being mishandled.
File infos:
- L0T3K ID: docs-1024
- status: online
- source: www.giac.org
Understanding Traceroute With hping2
Published on 2003, by modular, ©truncode security development.
Traceroute is often used for what it was intended: identifying the route a packet travels until it reaches its destination. However, traceroute can also be used for devious purposes. This paper does not only focus on traceroute per se, but on hping as well, which can emulate the functionality of traceroute. This can help a hacker understand the network topology he is attacking in more detail.
File infos:
- L0T3K ID: docs-655
- status: online
- source: www.truncode.org
Verifying Packet Level Response
Published on 2004-02-19, by ryan, ©Packetwatch Research.
The guide explains how to verify packet level responses. The tools and methods used in this guide have proven helpful to me when trying to verify packet level responses on a system. This paper is aimed toward people that perform penetration tests and vulnerability assessments. Keep in mind this guide shows only one method of verifying packet level responses. For security-minded individuals out there reading this guide, feel free to contact me with your preferred method(s) of verifying packet level responses.
File infos:
- L0T3K ID: docs-926
- status: online
- source: www.packetwatch.net
Created: 2010-03-16 01:23 | Modified: 2009-01-10 02:16 | Size: 56293 octets