By Kurt Seifried
Over the last few years the number of security tools for Windows and UNIX has
risen dramatically. Even more surprising is the fact that most of them are
freely available on the Internet. I will only cover the free tools, since they
tend to be the best (e.g. nmap, Nessus, etc.) and any serious cracker will have
these tools at their disposal, so why shouldn't you? There are several main
categories of tools: ones that scan a host from within that host; ones that scan
other hosts and report back what OS they are running, which services are
available and so on (i.e. TCP level scanners); and, at the top of the food
chain, the intrusion tools (i.e. application level scanners) that can
actually execute exploits and report back whether they worked or not.
Lastly I include the exploits category; while not strictly intrusion tools per
se, they do exist and you should be aware of them. These tools and techniques can
also be used to conduct a self audit and ensure that the systems react as you
think they should (e.g. you should be able to run the denial of service attacks
that Nessus is capable of with no ill effects on your servers).
Host scanners are software packages you run locally on the system to probe
for problems. Most of them are "dead" now because vendors have become much more
security conscious and started to move away from some of the insanely insecure
defaults that used to be common. As well, with the increase of networking (i.e.
virtually every system is now attached to the Internet full-time or at least
part-time), the focus has shifted from host security (i.e. people with accounts)
to network security (which means any one of 100+ million people can potentially
Network scanners typically operate at the network level (imagine that), using
protocols like TCP/IP, UDP and ICMP to elicit a response that will (among other
things) tell them if a server is listening on the port, if it is firewalled,
what the OS in use is and so forth. If you can find open ports and services then
chances are an attacker can too. The popularity of these network scanners is
apparent if you run a firewall: often within an hour (or much less) you will be
scanned, often aggressively. These tools are also quite useful for finding out
how a network is secured, since firewalls and other restriction software such as
tcp_wrappers tend to respond differently.
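To see how quickly a firewall gets scanned, the dropped-packet log can be checked for sources that touch many different ports in a short time. The following is an added example, not part of the original article; it assumes netfilter LOG-style lines, and the sample log, the function name find_scanners and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation-range addresses, netfilter LOG style).
SAMPLE_LOG = """\
Jan 12 03:00:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22 SYN
Jan 12 03:10:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
Jan 12 03:14:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=21 SYN
Jan 12 03:14:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22 SYN
Jan 12 03:14:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=25 SYN
Jan 12 03:14:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=23 SYN
Jan 12 03:14:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=25 SYN
Jan 12 03:14:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=80 SYN
Jan 12 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=25 SYN
Jan 12 03:20:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)"
)

def find_scanners(log_text, min_ports=5, window_s=60):
    """Return {source: most distinct destination ports seen inside any
    window_s-second window} for sources that reach min_ports."""
    recent = defaultdict(deque)          # source -> deque of (time, port)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # not a packet log line
        # Syslog timestamps carry no year; a fixed one is assumed here.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, int(m["dpt"])))
        # Slide the window: forget probes older than window_s seconds.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({port for _, port in q})
        if distinct >= min_ports:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), distinct)
    return flagged

if __name__ == "__main__":
    print("fast sweep:", find_scanners(SAMPLE_LOG))
    print("slow sweep:", find_scanners(SAMPLE_LOG, min_ports=3, window_s=3600))
```

With the default one-minute window only the fast sweep is flagged; the source probing one port every ten minutes only shows up when the window is widened, and a host retrying a single port is never flagged.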
Nmap is a newer and much more fully-featured host scanning tool. It features
advanced techniques such as TCP/IP fingerprinting, a method by which the
returned TCP/IP packets are examined and the host OS is deduced based on various
quirks present in all TCP/IP stacks. Nmap also supports a number of scanning
methods, from normal TCP scans (simply trying to open a connection as normal) to
stealth scanning and half-open SYN scans (great for crashing unstable TCP/IP
stacks). This is arguably one of the best port scanning programs available,
commercial or otherwise. Nmap is available at http://www.insecure.org/nmap/index.html.
Firewalk is a program that uses a traceroute style of packets to scan a
firewall and attempt to deduce the rules in place on that firewall. By sending
out packets with various time-to-live values and seeing where they die or are
refused, a firewall can be tricked into revealing rules. There is no real defense
against this apart from silently denying packets instead of sending a rejection
message, which hopefully will reveal less. I would advise utilizing this tool
against your systems, as the results can help you tighten up security. Firewalk is
ICMP related scanning
There is an excellent paper entitled "ICMP Usage In Scanning" by Ofir Arkin,
available at http://www.sys-security.com/html/papers.html. It covers topics
from detecting ACLs using ICMP to specific hardware and operating system
Spidermap is a set of Perl scripts to help automate scans and make them more
selective. You can get it from http://www.digitaloffense.net/spidermap/.
Application level Scanners
Application level scanners are one evolutionary step up from network scanners
(although they often incorporate network scanning). These software packages will
actually identify vulnerabilities, and in some cases allow you to actively try
and exploit them. If your machines are susceptible to these attacks, you need to
start fixing things, as any attacker can get these programs and use them.
Nessus is relatively new but is fast shaping up to be one of the best
intrusion scanning tools. It has a client/server architecture: the server
currently runs on Linux, FreeBSD, NetBSD and Solaris, and clients are available
for Linux and Windows, and there is a Java client. Communication between the
server and client is ciphered for added security; all in all, a very slick piece
of code. Nessus supports port scanning, and attacking, based on IP addresses or
host name(s). It can also search through network DNS information and attack
related hosts at your behest. Nessus is relatively slow in attack mode, which is
hardly surprising. However, it currently has over 200 attacks and a plug-in
language so you can write your own. Nessus is available from http://www.nessus.org/.
Saint is the sequel to Satan, a network security scanner made (in)famous by
the media a few years ago (there were great worries that bad people would take
over the Internet using it). Saint also uses a client/server architecture, but
uses a www interface instead of a client program. Saint produces very easy to
read and understand output, with security problems graded by priority (although
not always correctly) and also supports add-in scanning modules making it very
flexible. Saint is available from: http://www.wwdsi.com/products/saint_engine.html.
Ftpcheck / Relaycheck
Two simple utilities that scan for ftp servers and mail servers that allow
relaying. They are good for keeping tabs on naughty users installing services
they shouldn't (or simply misconfiguring them), and are available from: http://david.weekly.org/code/.
Security Auditor's Research Assistant (SARA) is a tool similar in function to
SATAN and Saint. SARA supports multiple threads for faster scans, stores its
data in a database for ease of access and generates nice HTML reports. SARA is
free for use and is available from: http://www-arc.com/sara/.
BASS, the 'Bulk Auditing Security Scanner', allows you to scan the Internet
for a variety of well known exploits. It was basically a proof of concept that
the Internet is not secure. You can get it from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
I won't cover exploits specifically, since there are hundreds if not
thousands of them floating around for Linux. Probably the best site to visit for
exploits is Packetstorm (which is about the only major public exploit archive
available now), available at http://www.packetstormsecurity.net/.