April 24, 2006

The Open Source Security Tool Arena - Part 1

by Jeremy Chan

At a mid-day security session at the LinuxWorld and NetworkWorld Conference & Expo in Toronto, Tony Howlett gave a small group of attendees an overview of some of the open-source tools available for performing a network security audit, covering network discovery and mapping, TCP/IP service enumeration, network vulnerability assessment, firewall and router auditing, and wireless security.

Howlett, who is founder and CTO of NSS and author of "Open Source Security Tools" (Prentice Hall, 2004), demonstrated some of the tools he uses and the steps he would take in performing a network security audit. Using a laptop running VMware, he simulated an entire network of Windows and Linux machines, each running various pieces of software (databases, web servers, etc.).

With a few clicks, Howlett demonstrated the use of ping sweeps, SNMP-based probes, web spidering, mail hacking, Google hacking, port scanning, fingerprinting, and banner grabbing to discover all kinds of information about the various hosts and the services they were running, including the names of user accounts, services, shares, routing tables, MAC addresses, and so on.

An audit (or attack) might proceed as follows, using freely available tools:

  • Ping sweep to detect hosts running within the network.

  • Port scan using Nmap to discover a web server running on port 80.

  • Invoke Wikto to spider the site and do some Google hacking to see if there are any files with potentially sensitive information being served anywhere on the site.

  • Use Hydra to crack passwords of any user account names discovered using Nmap or Wikto.

  • Banner grab using Nessus to determine that this is IIS 5.0. Look up potential known IIS 5.0 exploits.

  • Use Metasploit to exploit an IIS 5.0 buffer overflow vulnerability. Install a command shell and assume administrative control of the entire machine using nothing but a web browser.

  • Use AirSnort to discover MAC addresses and crack WEP-based networks.

  • Use RATs (Router Auditing Tools) to convert your specific firewall configuration file into a list of likely vulnerabilities/candidates for exploitation.

  • Employ any of a host of free packet sniffers (tcpdump, WinDump, ngrep, Ettercap) to wait for someone to type in plain-text credentials.

  • Rule the world.

Network security newbies like myself were surprised to find, among other things, that:

  • Some firewalls deny TCP SYN packets but allow ACK, FIN, and RST packets through, allowing for the discovery of active TCP services that are specifically shielded by firewall rules.

  • Forgetting to replace the default SNMP community string on all hosts in the network is tantamount to completely giving away the store, because of all the information that can be gathered from a host using this protocol.

  • The number of known security vulnerabilities is endless. If you're not up to date on all of your software patches, all of the effort you've spent to harden your network is effectively lost.
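The first surprise above, as an added example that is not from the talk or the post: a small Python model of a SYN-only packet filter beside a connection-tracking filter, run over a constructed trace (the addresses, ports and segments are made up), showing which unsolicited segments each one lets reach a shielded port.

```python
from dataclasses import dataclass
SHIELDED_PORTS = {80}      # services the perimeter rule is meant to hide from outside
INSIDE_NET = "10.0.0."     # trusted side (constructed); any other address is "outside"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN, "R" RST
def inbound(pkt: Packet) -> bool:
    return pkt.dst.startswith(INSIDE_NET) and not pkt.src.startswith(INSIDE_NET)

def stateless_allow(pkt: Packet) -> bool:
    """Classic ACL: drop only a bare SYN to a shielded port; every other segment passes."""
    return not (inbound(pkt) and pkt.dport in SHIELDED_PORTS and pkt.flags == "S")

class StatefulFilter:
    """Connection tracking: a non-SYN segment is admitted only on a flow a permitted SYN opened."""
    def __init__(self) -> None:
        self.flows = set()
    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            if inbound(pkt) and pkt.dport in SHIELDED_PORTS:
                return False
            self.flows.add(key)    # permitted connection attempt: start tracking it
            return True
        return key in self.flows or reverse in self.flows   # either direction of a known flow

# Constructed trace: one legitimate outbound session, then probes from an outside host.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, "S"),   # inside client opens a session
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, "SA"),  # server's reply on that flow
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, "A"),   # later segment on the same flow
    Packet("198.51.100.7", 55555, "10.0.0.5", 80, "S"),   # outside connect to shielded port
    Packet("198.51.100.7", 55555, "10.0.0.5", 80, "A"),   # unsolicited ACK, no matching flow
    Packet("198.51.100.7", 55556, "10.0.0.5", 80, "F"),   # unsolicited FIN, no matching flow
]
def audit(trace: list) -> list:
    """Verdict per segment as (flags, dport, stateless_allowed, stateful_allowed)."""
    sf = StatefulFilter()
    return [(p.flags, p.dport, stateless_allow(p), sf.allow(p)) for p in trace]

def leaked_probes(trace: list) -> list:
    """Audit finding: segments the stateless ACL passes but the stateful filter drops."""
    return [p for p, v in zip(trace, audit(trace)) if v[2] and not v[3]]
```

The legitimate session is admitted by both filters, while the bare ACK and FIN to port 80 only get through the stateless one, which is exactly the gap an ACK or FIN scan relies on and a connection-tracking rule closes.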

Familiarizing yourself with open-source tools like the ones listed above is a good first step in understanding network security. Using them to perform a mini-audit of your own network will likely give you a scare or two, but it will help you take the necessary steps to secure your network.

Jeremy Chan is a Principal Consultant at the Jonah Group and a Technical Architect with over 10 years of experience in object-oriented software engineering.

Posted by Jeremy Chan at 06:52 PM