Whether storage is within the scope of your organization's information security testing or even on your radar at all, it's important that you're testing your storage-related systems to see where you're vulnerable. External attackers and rogue insiders know that storage systems can be broken into, and the only way to keep up is to find the holes ahead of -- or at least in step with -- the bad guys. I covered the methodology as well as various security tools and techniques in this tip on hacking storage and this tip on rooting through unstructured information. Now, it's time to drill down further into a set of tools specifically designed to test storage security.
StorScan is a Windows-based command line tool (as shown below) that will scan your network for live storage systems running SSH, telnet, TFTP, HTTP/HTTPS, SNMP, CIFS, NFS, iSNS, iSCSI and NDMP. These are essentially the main TCP ports that signify a storage area network (SAN) or network attached storage (NAS) host.
StorScan has two scanning options: single host (-h) or entire subnet (-k)
StorScan focuses on just the basics. You can use any other port scanner, such as SuperScan, and may wish to once you've identified your storage hosts. That way, you can see if other services are running on the systems that need to be probed and prodded further.
CHAP Password Tester is a Windows-based command line tool as shown below that will take iSCSI SAN authentication information you've captured using a network analyzer (such as Wireshark [formerly Ethereal] or, my favorite, EtherPeek) and perform a dictionary crack on the password.
CHAP Password Tester walks you through the password cracking process
You'll need access to the network session in order to sniff CHAP information off the wire but this is easily accomplished by plugging into a span/mirror/monitor port on your Ethernet switch or by using an ARP poisoning tool such as Cain. Just be careful with the latter since ARP poisoning can bring down your network.
GrabiQNs is a Windows-based command line tool that allows you to extract iSCSI Qualified Names (iQNs) from an Ethereal (Wireshark) capture as shown below. This can be used to demonstrate the iQN spoofability weakness on iSCSI networks.
GrabiQNs' basic interface for extracting iQN authorization values from a network analysis session
NASanon is a Windows-based command line tool that will scan a NAS share via CIFS to see if anonymous connections are allowed as shown in the following figure. This could be scripted to perform an analysis of your NAS environment.
Using NASanon for an easy way to see if anonymous share connections are possible
CIFSShareBF is a Windows-based command line tool for guessing CIFS share passwords as shown in the following figure.
CIFSShareBF can be used to guess weak CIFS share passwords
These aren't the be-all end-all storage security testing tools (you've got to look at the entire picture from applications to operating systems and beyond. That said, Dwivedi and the guys at iSec Partners are definitely onto something good here. Hopefully they'll continue their storage security tool development and end up with a broad range of tools like what Foundstone and similar security research/consulting firms have amassed over the years.
I'm a big believer that you've got to have good tools to find the most security vulnerabilities. With storage security coming into the spotlight, these are the very tools you need to be using to keep up and to keep your storage environment secure.
Do you know…
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@ principlelogic.com.