
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2008 does not prevent future submissions to any journals or conferences with proceedings.

SCIS 2008 The 2008 Symposium on Cryptography and Information Security

Miyazaki, Japan, Jan. 22-25, 2008

The Institute of Electronics, Information and Communication Engineers

Design and Implementation of an Integrated System for Security Assessment Based on LiveDVD/LiveUSB

吳佳寰 Chia-Huan Wu ∗

楊中皇 Chung-Huang Yang †

Abstract— There are many network security tools on the internet, and each of these tools maintains its own scan results, which cannot be shared with the others. In this research, we integrate several well-known network security tools and propose a knowledge base database scheme so that the results of each scan can be shared. Moreover, because more and more attacks focus on web applications, we perform an additional vulnerability assessment of web applications, and use the results saved in the knowledge base database to generate a complete report written in Chinese so that it is easily understood. Finally, we set up the whole system as a LiveDVD/LiveUSB based on Debian GNU/Linux, making it a portable security assessment system.

Keywords: Localization, vulnerability scanning, penetration testing, LiveDVD, LiveUSB

1 Introduction

Security testing can be categorized into several different types, such as network scanning, virus detection, war dialing, and so on [1]. There are many powerful security tools available on the internet, and each of them has its own scope and cannot exchange information with the others directly. In this paper, we integrate several well-known security assessment tools into a portable operating system and discuss the relevant issues in later sections.

1.1 Network scanning

Network scanning, also known as network mapping, is a methodology that uses a port scanner to identify open ports and the services listening on them [2, 3]. Usually we carry out network scanning tasks to gain information about the targets, i.e., protocols, network applications, etc. The results of network scanning can be reused for further assessment tasks.

1.2 Vulnerability scanning

After network scanning is complete, we can move to the next level and confirm the targets' weaknesses by performing vulnerability scanning, also known as vulnerability assessment [4]. In other words, vulnerability scanning carries out more advanced exploration to acquire more valuable information. By executing vulnerability scanning during an audit, we can at least estimate the risk level of the targets.

∗ Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, 116, Ho Ping First Road, Kaohsiung 802, Taiwan. Email: [email protected]

† The same as ∗. Web: http://crypto.nknu.edu.tw/, Email: [email protected].

1.3 Penetration testing

Penetration testing is designed to simulate a real attack and locate the exact attack path before critical damage happens [5, 6]. It is extremely useful for a company's applications that may face unknown threats. Since penetration testing acts like a real intruder, testers have to obtain the company's formal permission for the tasks. Furthermore, testers require considerable expertise to minimize the impact while conducting penetration testing.

2 Design

2.1 Nmap

Nmap is one of the most famous port scanning tools. It can not only identify the state of a port and the network service operating on that port, but can also guess the operating system of the target using novel techniques. Besides, nmap can also produce raw IP packets for IDS evasion. In this research, nmap plays the role of the network scanning stage to obtain common information.

2.2 Nessus

Nessus, a well-known vulnerability scanner, can identify security holes on network hosts [7]. The main difference between Nessus and other famous vulnerability scanners is that Nessus has its own scripting language engine, called NASL, for developing auditing plug-ins. With NASL, you can add security testing plug-ins to Nessus quickly and easily, without modifying Nessus itself. In our system architecture, Nessus is responsible for finding the weaknesses of network services.


Figure 1: LiveDVD/LiveUSB screenshot

2.3 Metasploit

Metasploit is an advanced framework for contributing, testing, and using exploits [8]. It provides various modules, such as payloads, encoders, and other useful functions, for conducting exploits efficiently. In our system, we integrate Metasploit to take the role of penetration testing.

2.4 W3af

W3af, which is an abbreviation of Web Application Attack and Audit Framework, is a platform aimed at auditing web applications. It has many useful plug-ins, such as SQL injection tests and XSS attack tests, making it possible to automate the audit process. Moreover, testers can enable exploit modules so that W3af actually causes damage to network hosts. W3af is integrated into our system for additional web security assessment.

2.5 LiveDVD/LiveUSB

A live distro is a kind of operating system distribution that can boot without being installed on a hard disk. Usually, this operating system is named according to the medium it is stored on. Consequently, it is named LiveDVD when its medium is a DVD-ROM, and likewise LiveUSB. Since the concepts of Squashfs [9] and Unionfs [10] were proposed and implemented, the physical limitations of the media have been overcome, and live distros have become widely applied in different domains. Since the procedure for installing the tools described above can be inconvenient and complex, we set up our system as a LiveDVD/LiveUSB. Therefore, the system becomes portable and is easily deployed even when moving to a different network environment. Figure 1 shows a screenshot of the system in operation, with full Chinese locale support, on the LiveDVD/LiveUSB we made.

3 Implementation

3.1 System architecture

We design a system architecture to combine the capabilities of the security tools described in the previous section. This system is divided into two parts: a server-side program and a client-side program. The server-side program does the main work: it receives a request, starts the assessment tasks by calling nmap, nessus, etc., and then returns the scan results. In contrast, the client-side program is a graphical user interface: the network manager only needs to specify the IP and port they want to scan, and everything is done automatically. All data transmitted between the server side and the client side is in XML format encoded in base64, so the client side can easily be replaced by one written in another language. Figure 2 shows the whole system architecture.

Figure 2: System architecture

Figure 3: Workflow
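The request half of that exchange, as an added Python example that is not the paper's own code. The element names (`<request>`, `<target ip= port=>`) and the nmap argument vector are this example's assumptions, since the paper does not publish its XML schema. The point a practitioner would want here is that the IP and port arrive from the client and are exactly the values later handed to nmap, so they are validated before any scanner is invoked, and the scanner is started with an argument list rather than a shell string.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET

# Size cap applied before parsing: an oversized body is refused, not parsed.
MAX_REQUEST_BYTES = 4096


def encode_message(xml_text):
    """Client side: XML document -> base64 string, the transport the paper describes."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_request(b64_text):
    """Server side: base64 -> XML -> validated (ip, port).

    The IP and port are typed in by the network manager through the GUI, so
    they are checked here before any assessment tool is started with them.
    Raises ValueError (or ET.ParseError) on anything that does not validate."""
    raw = base64.b64decode(b64_text, validate=True)   # binascii.Error is a ValueError
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    root = ET.fromstring(raw)
    if root.tag != "request":
        raise ValueError("unexpected root element")
    target = root.find("target")
    if target is None:
        raise ValueError("missing <target> element")
    # Only a literal IP address is accepted, as the paper's GUI asks for an IP.
    ip = str(ipaddress.ip_address(target.get("ip", "")))  # ValueError on junk
    port = int(target.get("port", ""))                     # ValueError on junk
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ip, port


def is_valid_request(b64_text):
    """Convenience wrapper: True when the request decodes and validates."""
    try:
        decode_request(b64_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def build_nmap_argv(ip, port):
    """Argument vector for the network scanning stage (-oX - writes nmap's XML
    report to stdout). It is meant for subprocess.run(argv) as a list, never a
    shell string, so the validated values can only ever be a port and a host."""
    return ["nmap", "-p", str(port), "-oX", "-", ip]


# Constructed sample request (element names are this example's assumption).
SAMPLE_REQUEST = '<request><target ip="192.0.2.10" port="80"/></request>'

if __name__ == "__main__":
    wire = encode_message(SAMPLE_REQUEST)
    ip, port = decode_request(wire)
    print(ip, port, build_nmap_argv(ip, port))
```

On the server the returned pair is the only thing that reaches the tool runners; a request whose IP does not parse, or whose port is out of range, is rejected before a child process is forked.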

3.2 Workflow

Figure 3 shows the workflow when carrying out an assessment task. When the server-side program receives the request packets, it performs the following steps:

1. Fork a child process to handle this task.

2. This process creates two threads named web-task and va-task. The web-task thread executes nmap and w3af in order, and then saves the results into the knowledge base database. The other thread executes nessus and metasploit in turn, and integrates the results into the database after both of them have ended.

Figure 4: Server-side screenshot

3. Generate XML-format results by fetching the results from the database.

4. Send the results to the client-side program.

After the client-side program receives the result packets, it can show the results to the network manager or generate a detailed report by parsing the XML-format results.
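The two-thread workflow of steps 2 to 4, together with the sharing of nmap's results through the knowledge base that section 2.1 assigns to it, as an added Python example (not the paper's code). It assumes an sqlite table as the knowledge base and stands in for the four tools with small runner functions that return constructed findings; the nmap stand-in parses a constructed `nmap -oX` report, which is the format nmap really writes, while the other three return fixed rows. The per-request fork of step 1 is left out so the block runs in one process.

```python
import base64
import sqlite3
import threading
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML that nmap writes with -oX (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Convert an nmap XML report into knowledge-base rows (tool, host, port, finding).
    Only open ports are kept; closed or filtered ones carry no service to share."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            rows.append(("nmap", addr, int(port.get("portid")),
                         "open %s service %s" % (port.get("protocol"), name)))
    return rows


class KnowledgeBase:
    """One schema shared by every tool, so later stages can read earlier results."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:", check_same_thread=False)
        self.lock = threading.Lock()  # web-task and va-task write concurrently
        self.conn.execute(
            "CREATE TABLE findings (tool TEXT, host TEXT, port INTEGER, finding TEXT)")

    def save(self, rows):
        with self.lock:
            self.conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?)", rows)
            self.conn.commit()

    def fetch(self):
        with self.lock:
            return self.conn.execute(
                "SELECT tool, host, port, finding FROM findings ORDER BY host, port, tool"
            ).fetchall()


# Hypothetical tool runners: each takes (host, port) and returns rows. A real
# runner would execute the tool and parse its report; these return constructed data.
def run_nmap(host, port):
    return parse_nmap_xml(SAMPLE_NMAP_XML)

def run_w3af(host, port):
    return [("w3af", host, port, "session cookie set without HttpOnly flag")]

def run_nessus(host, port):
    return [("nessus", host, 22, "SSH server banner reports an outdated version")]

def run_metasploit(host, port):
    return [("metasploit", host, 22, "no applicable exploit module")]

RUNNERS = {"nmap": run_nmap, "w3af": run_w3af,
           "nessus": run_nessus, "metasploit": run_metasploit}


def results_to_b64(kb):
    """Step 3: serialise the knowledge base as XML, base64-encoded for the client."""
    root = ET.Element("results")
    for tool, host, port, finding in kb.fetch():
        ET.SubElement(root, "finding", tool=tool, host=host, port=str(port)).text = finding
    return base64.b64encode(ET.tostring(root)).decode("ascii")


def decode_results(b64_text):
    """Client side: the rows the GUI or the report generator parses out again."""
    root = ET.fromstring(base64.b64decode(b64_text))
    return [(e.get("tool"), e.get("host"), int(e.get("port")), e.text)
            for e in root.iter("finding")]


def assess(host, port, runners=RUNNERS):
    """Step 2 for one request: web-task runs nmap then w3af, saving after each;
    va-task runs nessus then metasploit and saves both together when done.
    Returns the base64 XML of step 3, ready to be sent in step 4."""
    kb = KnowledgeBase()

    def web_task():
        for name in ("nmap", "w3af"):
            kb.save(runners[name](host, port))

    def va_task():
        rows = []
        for name in ("nessus", "metasploit"):
            rows.extend(runners[name](host, port))
        kb.save(rows)

    threads = [threading.Thread(target=web_task, name="web-task"),
               threading.Thread(target=va_task, name="va-task")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results_to_b64(kb)


if __name__ == "__main__":
    for row in decode_results(assess("192.0.2.10", 80)):
        print(row)
```

Because every runner writes the same four columns, a later stage (or the report generator) can query by host and port regardless of which tool produced the row; that is the sharing the knowledge base is meant to give.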

3.3 Program presentation

The server-side program is developed in the Python language. Since Python runs on many different operating systems, the server-side program can easily be ported to other operating systems such as FreeBSD. Figure 4 shows a screenshot of the server-side program running on the LiveDVD/LiveUSB.

The client-side program is different from the server-side one. For efficiency, we developed it using GTK+. GTK+ is a toolkit for creating graphical user interfaces, and applications written in GTK+ can be compiled on multiple platforms, including Windows.

In the end, we can generate well-formed HTML reports. Figure 5 shows a screenshot of viewing a report.

4 Conclusion

In this research, we not only integrate security tools by sharing the results of each scan in a knowledge base database, but also make an effort at web application assessment. Additionally, we use these result data to produce an integrated report in Chinese, and integrate the whole system into a LiveDVD/LiveUSB, to help network managers easily find vulnerabilities and take the necessary actions.

Figure 5: Generated report

References

[1] J. Wack, M. Tracy, and M. Souppaya, “Guideline on Network Security Testing [NIST SP 800-42],” US Department of Commerce, National Institute of Standards and Technology, 2003.

[2] R. Shirey, “Internet Security Glossary,” tech. rep., FYI 36, RFC 2828, 2000.

[3] G. Stoneburner, A. Goguen, and A. Feringa, “Risk Management Guide for Information Technology Systems [NIST SP 800-30],” US Department of Commerce, National Institute of Standards and Technology, 2002.

[4] B. Skaggs, B. Blackburn, G. Manes, and S. Shenoi, “Network vulnerability analysis,” Circuits and Systems, 2002. MWSCAS-2002. The 2002 45th Midwest Symposium on, vol. 3, pp. III–493–5, 4-7 Aug. 2002.

[5] D. Geer and J. Harthorne, “Penetration testing: a duet,” Computer Security Applications Conference, 2002. Proceedings. 18th Annual, pp. 185–195, 2002.

[6] H. Thompson, “Application penetration testing,” Security & Privacy Magazine, IEEE, vol. 3, no. 1, pp. 66–69, 2005.

[7] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Van Der Walt, Nessus Network Auditing. Syngress Publishing, 2004.

[8] C. Van Der Walt, H. Moore, R. Temmingh, H. Meer, J. Long, C. Hurley, and J. Foster, Penetration Tester’s Open Source Toolkit. Syngress Publishing, 2005.

[9] P. Lougher and R. Lougher, “Squashfs - a squashed read-only filesystem for linux,” 2002.

[10] C. Wright, J. Dave, P. Gupta, H. Krishnan, D. Quigley, E. Zadok, and M. Zubair, “Versatility and Unix semantics in namespace unification,” ACM Transactions on Storage (TOS), vol. 2, no. 1, pp. 74–105, 2006.
