Intrusion testing - scanning / intrusion tools

By Kurt Seifried [email protected]


 

Over the last few years the number of security tools for Windows and UNIX has risen dramatically, even more surprising is the fact that most of them are freely available on the Internet. I will only cover the free tools since they tend to be the best (i.e. nmap, Nessus, etc.) and any serious cracker will have these tools at their disposal, why shouldn't you? There are several main categories of tools; ones that scan hosts from within that host, ones that scan other hosts and report back variously what OS they are running, services that are available and so on (i.e. TCP level scanners), and at the top of the food chain are the intrusion tools (i.e. application level scanners) that can actually execute exploits, and report back whether they worked or not, and lastly I include the exploits category, while not strictly an intrusion tool per se they do exist and you should be aware of them.  These tools and techniques can also be used to conduct a self audit and ensure that the systems react as you think they should (i.e. you should be able to run the denial of service attacks that Nessus is capable of with no ill effects on your servers).

 

Host scanners

Host scanners are software packages you run locally on the system to probe for problems. Most of them are "dead" now because vendors have become much more security conscious and started to move away from some of the insanely insecure defaults that used to be common. As well with the increase of networking (i.e. virtually every system is now attached to the Internet full-time or at least part-time) the focus has shifted from host security (i.e. people with accounts) to network security (which means anyone of 100+ million people can potentially access it). For information on finding and removing setuid bits and tightening file permissions please see the filesystem section.

 

Network scanners

Network scanners typically operate at the network level (imagine that), using protocols like TCP-IP, UDP, ICMP to elicit a response that will (among other things) tell them if a server is listening on the port, if it is firewalled, what the OS in use is and so forth. If you can find open ports and services then chances are an attacker can too. The popularity of these network scanners is apparent if you run a firewall, often within an hour (or much less) you will be scanned, often aggressively. These tools are also quite useful for finding out how a network is secured, firewall and other restriction software such as tcp_wrappers tend to respond differently.

 

Nmap

Nmap is a newer and much more fully-featured host scanning tool. It features advanced techniques such as TCP-IP fingerprinting, a method by which the returned TCP-IP packets are examined and the host OS is deduced based on various quirks present in all TCP-IP stacks. Nmap also supports a number of scanning methods from normal TCP scans (simply trying to open a connection as normal) to stealth scanning and half-open SYN scans (great for crashing unstable TCP-IP stacks). This is arguably one of the best port scanning programs available, commercial or otherwise. Nmap is available http://www.insecure.org/nmap/index.html.

 

Firewalk

Firewalk is a program that uses a traceroute style of packets to scan a firewall and attempt to deduce the rules in place on that firewall. By sending out packets with various time to lives and seeing where they die or are refused a firewall can be tricked into revealing rules. There is no real defense against this apart from silently denying packets instead of sending a rejection message which hopefully will reveal less. I would advise utilizing this tool against your systems as the results can help you tighten up security. Firewalk is available http://www.packetfactory.net/firewalk/.

 

ICMP related scanning

There is an excellent paper entitled "ICMP Usage In Scanning" by Ofir Arkin available http://www.sys-security.com/html/papers.html. It covers topics from detecting ACL's using ICMP to specific hardware and operating system issues.

 

spidermap

spidermap is a set of perl scripts to help automate scans and make them more selective. You can get it http://www.digitaloffense.net/spidermap/.

 

Application level Scanners

Application level scanners are one evolutionary step up from network scanners (although they often incorporate network scanning). These software packages will actually identify vulnerabilities, and in some cases allow you to actively try and exploit them. If your machines are susceptible to these attacks, you need to start fixing things, as any attacker can get these programs and use them.

 

Nessus

Nessus is relatively new but is fast shaping up to be one of the best intrusion scanning tools. It has a client/server architecture, the server currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are available for Linux, Windows and there is a Java client. Communication between the server and client is ciphered for added security all in all a very slick piece of code. Nessus supports port scanning, and attacking, based on IP addresses or host name(s). It can also search through network DNS information and attack related hosts at your bequest. Nessus is relatively slow in attack mode, which is hardly surprising. However it currently has over 200 attacks and a plug-in language so you can write your own. Nessus is available from http://www.nessus.org/.

 

Saint

Saint is the sequel to Satan, a network security scanner made (in)famous by the media a few years ago (there were great worries that bad people would take over the Internet using it). Saint also uses a client/server architecture, but uses a www interface instead of a client program. Saint produces very easy to read and understand output, with security problems graded by priority (although not always correctly) and also supports add-in scanning modules making it very flexible. Saint is available from: http://www.wwdsi.com/products/saint_engine.html.

 

Ftpcheck / Relaycheck

Two simple utilities that scan for ftp servers and mail servers that allow relaying, good for keeping tabs on naughty users installing services they shouldn’t (or simply misconfiguring them), available from: http://david.weekly.org/code/.

 

SARA

Security Auditor’s Research Assistant (SARA) is a tool similar in function to SATAN and Saint. SARA supports multiple threads for faster scans, stores it’s data in a database for ease of access and generates nice HTML reports. SARA is free for use and is available from: http://www-arc.com/sara/.

 

BASS

BASS is the “Bulk Auditing Security Scanner” allows you to scan the internet for a variety of well known exploits. It was basically a proof of concept that the Internet is not secure. You can get it from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz

 

Exploits

I won't cover exploits specifically, since there are hundreds if not thousands of them floating around for Linux. Probably the best site to visit for exploits is Packetstorm (which is about the only major public exploit archive available now), available http://www.packetstormsecurity.net/.

 


Back

Last updated on 7/5/2002

Copyright Kurt Seifried 2001 [email protected]