OSSTMM (ISECOM)

The basics

More than ten years ago, ISECOM (the Institute for Security and Open Methodologies) began with the release of the OSSTMM, the Open Source Security Testing Methodology Manual.

The manual for Open Source Software of all kinds was created to improve how security was tested and implemented.

Many researchers from various fields contributed because they saw the need for an open method, one that was bound towards truth and not commercial gain.

ISECOM is an open community (and a non-profit org) officially registered in Catalonia, Spain. ISECOM maintains offices in Barcelona, Spain and in New York, USA. Financing for ISECOM is provided through partnerships, subscriptions, certifications, licensing, seminars, and private research endowments.

The strategies

In which areas does ISECOM develop security strategies?

  • Business Integrity Testing (BIT)
  • Security Metrics (ravs)
  • Security Employee Evaluation (JAT)
  • Security Maturity Model (SOMA)
  • Security Testing and Analysis (OSSTMM)
  • Security Testing Tools
  • Sourcecode Analysis (SCARE)
  • Software Security Testing (STICK)
  • Secure Programming Standards (SPSMM)
  • Home Security (HSM)
  • Child Security Awareness
  • Teen Security Awareness (Hacker High)
  • Smarter Safer Better
  • Bad People Project
  • Networking Protocols (OPRP)
  • Trusted Computing (AVIT)
  • Hacker Profiling Project (HPP)

The Tools

Probably the most important are their testing tools:

DNS Scan

A PERL script which supplements the DNS connect scanning task under the Port Scanning Module. Uses DNS connections on a class C to find live hosts through a firewall.

MUTATEv2

An IDS evasion tool from Efrain Torres for assisting in system enumeration, port scanning, and vulnerability testing.

Assessment Scanner

A JAVA tool which supplements the Document Grinding Module for electronic dumpster diving. Supports GET and POST requests.

NWRAP

A tool developed by Simon Biles to add the Open Protocol Resource Database as an extended functionality to NMAP. This will show all known protocols for discovered ports, which greatly extends the nmap_services file of one service per port. For this to work, NMAP must be installed and the current version of oprp.dump should be in the same directory.

Metis v.2.1.

This is a Java-based tool from Sacha Faust that finds the competitive intelligence weight of a web server and assists in satisfying the CI Scouting portion of the OSSTMM. Webpage: http://www.severus.org/sacha/metis/

WMAP v.1.2.

A less stupid web scanner from Efrain Torres. This brute-forces the known directories to uncover variations in structure for better vulnerability scanning. Also includes Spanish file and directory names in the search.

Firewall Tester

A tool developed in PERL by Andrea Barisani for testing ACLs on routers and firewalls. Special scripts allow for meeting OSSTMM testing requirements with or without having access to both sides of the firewall.

Special Attention

ISECOM also develops the UNICORN tool.

Unicornscan is an information gathering and correlation engine - a port and protocol scanner with the speed and power to catch a Unicorn.

It is a truthful scanner that scales to very large networks while remaining equally fast.

The scanner is truthful as it tells the tester exactly what is being returned in a clear format with no tricks to try to outsmart the auditor’s experience. Results may go to an SQL DB so that you can revisit and map them.

http://www.unicornscan.org/
