System and method for network vulnerability detection and reporting
Abstract
A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.
227 Citations
66 Claims
1. A system for determining an operating system of a target computer operably connected to a network, the system comprising:
first and second data packets, said first and second data packets compliant with a protocol supported by said network, said first and second data packets transmitted via said network to said target computer;
first and second operating system fingerprints comprising data bits stored in a computer-readable medium, said first and second operating system fingerprints associated with a first operating system;
a first target computer fingerprint comprising data bits stored in a computer-readable medium, said first target computer fingerprint including a representation of at least a portion of data received in response to said transmission of said first data packet;
a second target computer fingerprint comprising data bits stored in a computer-readable medium, said second target computer fingerprint including a representation of at least a portion of data received in response to said transmission of said second data packet; and
fingerprint comparison instructions executable by a computer to compare said first operating system fingerprint and said first target computer fingerprint, to compare said second operating system fingerprint and said second target computer fingerprint, and to generate a result indicative of whether said first operating system was running on said target computer.
Dependent claims: 2-12.

13. A system for determining an operating system of a target computer accessible via a network, the system comprising:
a plurality of data packets compliant with a protocol supported by said network, said plurality of data packets transmitted via said network to said target computer;
a first plurality of operating system fingerprints, each comprising data bits stored in a computer-readable medium, each associated with a first operating system;
a plurality of target computer fingerprints, each comprising data bits stored in a computer-readable medium, each including a representation of at least a portion of data received in response to said transmission of said plurality of data packets; and
fingerprint comparison instructions executable by a computer to compare said first plurality of said operating system fingerprint and said plurality of said target computer fingerprints, and to generate a result indicative of whether said first operating system was running on said target computer.
Dependent claims: 14-16.

17. A method for determining an operating system of a target computer accessible via a network, the method comprising the steps of:
transmitting to said target computer a plurality of data packets compliant with a protocol supported by said network;
generating a plurality of target computer fingerprints, each including at least a portion of data received via said network in response to said transmission of said plurality of data packets;
comparing said plurality of target computer fingerprints to a first set of predetermined operating system fingerprints, each of said first set of predetermined operating system fingerprints associated with a first operating system; and
generating a result indicative of whether said first operating system was running on said target computer.
Dependent claims: 18-21.

22. A method for identifying an operating system of a target computer via a network, the method comprising the steps of:
sending a first data packet to said target computer via said network, said first data packet complying with a protocol of said network and having a first pattern of bits in a first range of bits;
generating a first response value representing at least a portion of data received via said network in response to said sending of said first data packet;
sending a second data packet to said target computer via said network, said second data packet complying with said protocol and having a second pattern of bits in a first range of bits, said second pattern of bits different from said first pattern;
generating a second response value representing at least a portion of data received via said network in response to said sending of said second data packet;
sending a third data packet to said target computer via said network, said third data packet complying with said protocol and having a third pattern of bits in a first range of bits, said third pattern of bits different from said first or said second pattern;
generating a third response value representing at least a portion of data received via said network in response to said sending of said third data packet;
comparing said first response value to a first predetermined value associated with a first operating system;
comparing said second response value to a second predetermined value associated with said first operating system;
comparing said third response value to a third predetermined value associated with said first operating system; and
generating a value indicative of a relationship between said first operating system and said target computer.
Dependent claims: 23-26.

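Claims 17 and 22 state the comparison step only abstractly. The following is an added Python example, not code from the patent, showing the logic such a scanner applies: each probe reply is reduced to a response value, each value is compared with the predetermined value recorded for a known operating system, and the per-probe matches are combined into a result. The probe names, the fingerprint values, the TTL normalisation and the 0.75 match threshold are all assumptions made for this example.

```python
from typing import Dict, Optional, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    """What came back for one probe; all fields None when the target stayed silent."""
    probe: str                  # probe name; each probe carries a different TCP flag pattern
    flags: Optional[str]        # TCP flags of the reply, e.g. "SA" or "RA"
    ttl: Optional[int]
    window: Optional[int]
    df: Optional[bool]

def response_value(r: Response) -> str:
    """Reduce a reply to the portion of data kept in the target fingerprint."""
    if r.flags is None:
        return "none"
    # Normalise TTL to the next common initial value so the hop count does not matter (assumed).
    ttl0 = next(t for t in (32, 64, 128, 255) if t >= r.ttl)
    return f"{r.flags}|ttl{ttl0}|win{r.window}|df{int(r.df)}"

def target_fingerprint(responses) -> Dict[str, str]:
    """One response value per probe (the first, second and third response values of claim 22)."""
    return {r.probe: response_value(r) for r in responses}

def compare(target_fp: Dict[str, str], os_fp: Dict[str, str]) -> Tuple[int, int]:
    """Per-probe comparison with the predetermined values of one OS: (matched, total)."""
    matched = sum(1 for probe, expected in os_fp.items() if target_fp.get(probe) == expected)
    return matched, len(os_fp)

def identify(target_fp: Dict[str, str], table, min_ratio: float = 0.75):
    """Best-matching OS name and match ratio; name is None when no OS reaches min_ratio (assumed)."""
    ranked = sorted(((compare(target_fp, fp), name) for name, fp in table.items()), reverse=True)
    (matched, total), name = ranked[0]
    ratio = matched / total
    return (name if ratio >= min_ratio else None, ratio)

# Constructed fingerprint table: hypothetical values, not those of any real operating system.
OS_FINGERPRINTS = {
    "os-alpha": {"syn": "SA|ttl64|win5840|df1", "null": "none", "synfin": "SA|ttl64|win5840|df1"},
    "os-beta": {"syn": "SA|ttl128|win8192|df1", "null": "RA|ttl128|win0|df0", "synfin": "none"},
}

# Constructed replies from one target; TTL 57 is what an initial TTL of 64 looks like after seven hops.
TARGET_RESPONSES = [
    Response("syn", "SA", 57, 5840, True),
    Response("null", None, None, None, None),
    Response("synfin", "SA", 57, 5840, True),
]

if __name__ == "__main__":
    print(identify(target_fingerprint(TARGET_RESPONSES), OS_FINGERPRINTS))
```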
27. A system for determining whether a target computer is on a network, the system comprising:
a first set of port identifiers stored in a computer-readable medium, each of said first set of port identifiers representing a port used by computers to receive data packets compliant with a first protocol of said network, each of said first set of port identifiers representing a port associated with known network services;
a first set of data packets, each directed to a port represented by at least one of said first set of port identifiers, each of said first set of data packets compliant with said first protocol and transmitted to said target computer via said network;
a first set of acknowledgement packets received via said network in response to said transmission of said first set of data packets; and
a list of host identifiers, each host identifier representing a computer on said network that transmits data in response to a packet sent to said respective computer, a host identifier representing said target computer added to said list of host identifiers if said first set of acknowledgment packets indicates a responsiveness of said target computer.
Dependent claims: 28-35.

36. A system for testing the accessibility of a target computer via a network, the system comprising:
a set of port identifiers stored in a computer-readable medium, each of said set of port identifiers representing a UDP-compliant port, at least one of said port identifiers representing a port associated with known network services;
a set of UDP-compliant data packets, each associated with a port represented by at least one of said set of port identifiers, each of said UDP-compliant data packets transmitted continuously to said target computer for a duration approximately the same as the latency period of said target computer, at least one of said UDP-compliant data packets including data associated with said known network services;
a first list representing computers accessible via said network, said first list including said target computer if a nonzero set of UDP data response packets is received in response to said transmission of said data packets; and
a second list representing computers not known to be inaccessible via said network, said second list including said target computer if an empty set of ICMP error packets is received in response to said transmission of said data packets.

37. A method for determining whether a target computer is accessible via a network, the method comprising the steps of:
identifying TCP ports;
sending first data packets to said TCP ports of said target computer, each of said first data packets compliant with TCP;
receiving first acknowledgment packets in response to said sending of said first data packets; and
adding a representation of said target computer to a list representing accessible computers if said first acknowledgment packets are nonzero.
Dependent claims: 38-40.

41. A method for assessing the vulnerability of a target computer via a network, the method comprising the steps of:
discovering a set of responsive computers on a network by transmitting a set of ICMP packets, a set of TCP packets and a set of UDP packets to a group of computers on a network;
detecting services on each of said set of responsive computers by transmitting TCP packets to first ports of each of said set of responsive computers and by transmitting UDP packets to second ports of each of said set of responsive computers, said first and second ports commonly used by computers to receive data packets over a network, said TCP packets including data associated with at least one computer-based service known to use one of said first ports, said UDP packets including data associated with at least one computer-based service known to use one of said second ports; and
generating a list of responsive ports using responses received in response to said transmission of said TCP packets and said UDP packets.
Dependent claims: 42-46.

47. A method of creating a graphical representation of a network, the method comprising the steps of:
obtaining IP addresses of nodes on a network;
obtaining node distance and connectivity relationships between said nodes;
identifying some nodes as routers;
identifying other nodes as leaf nodes connected to one of said routers;
generating graphical representations of router nodes;
for each router, generating graphical representations of directly connected leaf nodes by depicting graphical representations of said directly connected leaf nodes having a spatial relationship to said graphical representation of said respective router; and
depicting links between routers having no intervening routers.
Dependent claims: 48.

49. A method for creating a topological representation of a network, said method comprising the steps of:
identifying responsive computers on said network;
obtaining a plurality of sequences of IP addresses by sending to each responsive computer a sequence of packets having increasing time to live (TTL) values, each sequence of IP addresses representing nodes in said network between a source computer and one of said responsive computers, adjacent IP addresses in each sequence representing connected nodes, each of said nodes comprising a computer or a router;
generating a list of node structures, each of said node structures including data representing a node and data indicative of other nodes to which it directly connects, said list representing all IP addresses in said plurality of sequences;
determining for each IP address a distance count, said distance count representing a number of nodes between a node having said IP address and a source node;
creating a router structure for each node structure that represents a node comprising a router;
associating with each of said router structures connection data representative of each connecting node that connects to no other node except the router represented by said respective router structure;
for each router structure, visually depicting a graphical shape spatially related to one or more graphical shapes corresponding to connecting nodes represented by said connection data of said respective router structure; and
for each router structure, visually depicting a connection between a graphical shape associated with the respective router structure and another graphical shape associated with a different router structure when distance counts associated with the IP addresses of routers represented by said respective router structure and said different router structure indicate a direct connection.
Dependent claims: 50-51.

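The steps of claim 49 carried out on constructed TTL-sweep hop sequences, as an added Python example that is not part of the patent. The addresses are hypothetical, the rule that any address seen as an intermediate hop is a router is an assumption, and a text rendering stands in for the graphical depiction; the node structures, distance counts, leaf attachment and router-to-router links follow the claim's steps.

```python
from collections import defaultdict

# Constructed input (hypothetical private addresses): one hop sequence per responsive
# host, as obtained by probing it with increasing TTL values. Index 0 is the source node.
PATHS = [
    ["10.0.0.1", "10.0.0.254", "10.1.0.1", "10.1.0.20"],
    ["10.0.0.1", "10.0.0.254", "10.1.0.1", "10.1.0.21"],
    ["10.0.0.1", "10.0.0.254", "10.2.0.1", "10.2.0.5"],
    ["10.0.0.1", "10.0.0.254", "10.0.0.30"],
]

def build_nodes(paths):
    """Node structures: each IP mapped to the IPs it directly connects to
    (adjacent addresses in a sequence are connected nodes)."""
    nodes = defaultdict(set)
    for seq in paths:
        for a, b in zip(seq, seq[1:]):
            nodes[a].add(b)
            nodes[b].add(a)
    return {ip: frozenset(peers) for ip, peers in nodes.items()}

def distance_counts(paths):
    """Distance count per IP: hops between that node and the source, shortest seen."""
    dist = {}
    for seq in paths:
        for hops, ip in enumerate(seq):
            dist[ip] = min(dist.get(ip, hops), hops)
    return dist

def map_topology(paths):
    """Router structures: every node seen as an intermediate hop is a router (assumed); each
    gets the leaf nodes that connect to nothing but that router, plus links to routers that
    are directly connected and whose distance counts differ by exactly one hop."""
    nodes = build_nodes(paths)
    dist = distance_counts(paths)
    routers = {ip for seq in paths for ip in seq[1:-1]}
    topo = {}
    for r in sorted(routers):
        leaves = sorted(n for n in nodes[r] if n not in routers and nodes[n] == {r})
        links = sorted(n for n in nodes[r] if n in routers and abs(dist[n] - dist[r]) == 1)
        topo[r] = {"leaves": leaves, "links": links}
    return topo

def render(topo):
    """Text stand-in for the graphical depiction: one block per router, leaves indented,
    router-to-router links listed after the arrow."""
    lines = []
    for r, info in topo.items():
        lines.append(f"[router {r}] -> {', '.join(info['links']) or '(none)'}")
        lines.extend(f"    * {leaf}" for leaf in info["leaves"])
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(map_topology(PATHS)))
```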
52. A method for calculating an objective vulnerability score, said method comprising the steps of:
identifying known vulnerabilities of a network;
weighting said known vulnerabilities based on either ease of exploitation or level of access granted; and
determining a vulnerability value numerically representing a combination of weighted known vulnerabilities of a network.

53. A method for calculating an objective security score for a network, said method comprising the steps of:
determining a vulnerability value numerically representing a combination of known vulnerabilities of a network;
determining an exposure value numerically representing a combination of accessible ports of computers on said network; and
deriving a score by combining said vulnerability value and said exposure value.
Dependent claims: 54.

55. A method for conducting an automated network vulnerability attack, said method comprising the steps of:
selecting a set of vulnerability attacks for each responsive computer on a network, each selected vulnerability attack for each responsive computer designed to expose a vulnerability associated with ports of said respective computer known to be accessible and also associated with an operating system used by said respective computer;
encoding said set of vulnerability attacks such that each is represented in a database by a unique identifier;
representing each of said set of vulnerability attacks using instructions of an automated scripting language; and
executing said vulnerability attacks by processing said instructions with a computer.

56. A hierarchical network vulnerability report, comprising:
a first report level comprising:
an objective score representing the security of said network; and
a graphical representation of a network topology, including a graphical representation of computers accessible via said network and a color-based graphical representation of the vulnerability of at least some of said computers;
and a second report level comprising:
a textual list describing said computers and their associated vulnerabilities; and
an exposure report describing accessible ports and services of said computers.

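Claims 52, 53 and 56 leave the weighting of vulnerabilities, the way the vulnerability and exposure values are combined, and the color thresholds unspecified. The following added Python example, not code from the patent, makes one concrete choice for each (all labelled as assumptions) and produces the first report level of claim 56 from constructed findings, so the effect of each choice on the score and the per-host colors can be seen.

```python
from dataclasses import dataclass

# Assumed weight tables; the claims only say vulnerabilities are weighted by ease of
# exploitation or level of access granted, not how.
EASE_WEIGHT = {"trivial": 3.0, "moderate": 2.0, "hard": 1.0}
ACCESS_WEIGHT = {"admin": 3.0, "user": 2.0, "info": 1.0}

@dataclass(frozen=True)
class Vulnerability:
    host: str
    name: str
    ease: str     # "trivial" | "moderate" | "hard"
    access: str   # "admin" | "user" | "info"

def weight(v):
    """Claim 52 weighting; taking the product of the two factors is an assumption."""
    return EASE_WEIGHT[v.ease] * ACCESS_WEIGHT[v.access]

def vulnerability_value(vulns):
    """Claim 52: numeric combination of the weighted known vulnerabilities (sum assumed)."""
    return sum(weight(v) for v in vulns)

def exposure_value(open_ports):
    """Claim 53: numeric combination of accessible ports across hosts (count assumed)."""
    return sum(len(ports) for ports in open_ports.values())

def security_score(vulns, open_ports):
    """Claim 53: combine the two values into one score. Assumed form: 100 minus a
    penalty, floored at 0, so 100 means no findings and no exposed ports."""
    penalty = vulnerability_value(vulns) + 0.5 * exposure_value(open_ports)
    return max(0.0, 100.0 - penalty)

def host_colors(vulns, hosts):
    """Claim 56 first level: color per host from its worst vulnerability weight
    (thresholds assumed: 6 and above red, anything found yellow, nothing green)."""
    worst = {h: 0.0 for h in hosts}
    for v in vulns:
        worst[v.host] = max(worst[v.host], weight(v))
    return {h: "red" if w >= 6 else "yellow" if w > 0 else "green" for h, w in worst.items()}

def first_report_level(vulns, open_ports):
    """Assemble the claim 56 first level: overall score plus per-host color and exposed ports."""
    return {
        "score": security_score(vulns, open_ports),
        "hosts": {h: {"color": c, "ports": sorted(open_ports[h])}
                  for h, c in host_colors(vulns, open_ports).items()},
    }

# Constructed sample findings (hypothetical addresses and issues).
OPEN_PORTS = {"10.0.0.5": {22, 80, 443}, "10.0.0.9": {445, 3389}, "10.0.0.12": {80}}
VULNS = [
    Vulnerability("10.0.0.9", "unpatched remote service", "trivial", "admin"),
    Vulnerability("10.0.0.5", "weak TLS configuration", "hard", "info"),
]
```

Calling `first_report_level(VULNS, OPEN_PORTS)` yields the score and the per-host color and port lists that the first report level would carry; the second level of claim 56 would list `VULNS` and `OPEN_PORTS` textually.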
57. A vulnerability assessment language comprising:
a set of programming language statements used to create executable scripts, said scripts executed in a thread-safe execution architecture wherein all variables are stack variables and wherein a parse tree is treated as a read-only data structure;
a set of special scalar data types interchangeable with an integer data type in expressions, each of said set of special scalar data types having a set of constant values configured to support vulnerability assessment operations embodied in scripts;
a set of native objects declared in a metascope owning a script scope to make available said native objects to executable scripts, said native objects facilitating network communication, providing callable member functions for building lists of unique ports and directing script execution to certain hosts, and providing IP addresses for scripts; and
a vulnerability object behaving to copy itself into a global data area where other scripts may access its information to compromise another machine, facilitating the use by one script of vulnerability data discovered by a different script.
Dependent claims: 66.

58. A method for automated application of a known vulnerability on a target computer, the method comprising the steps of:
providing a database of known vulnerabilities, the database including a data object;
providing an executable script, the executable script associated with the data object;
applying the executable script to the target computer, the script performing the known vulnerability on a port of the target computer, and returning a value representing at least one of the success, failure or other outcome of the executable script.

59. A method for automated application of known vulnerabilities to target computers of a network, the method comprising the steps of:
providing a database of known vulnerabilities;
providing a set of executable scripts, each executable to apply a known vulnerability to a specified target computer;
executing first executable scripts to apply vulnerabilities on specified target computers;
monitoring return values representing a success, failure or other outcome of each of said first executable scripts; and
generating a report using said return values, said report representing a security level of said network.
Dependent claims: 60-65.

Specification