October 2005

10 Network Security Assessment Tools You Can’t Live Without

Test your network with these free utilities—before the bad guys do

Literally thousands of tools—both commercial and open source—are available to professionals who need to assess their network's security. The trick is having the right tool for the job when you need it and being able to trust it. To help you narrow the field, I offer descriptions of my 10 favorite free network security assessment tools.

Network security assessment consists of four fundamental phases: reconnaissance, enumeration, assessment, and exploitation. The reconnaissance phase discovers the devices on a network through alive scanning with Internet Control Message Protocol (ICMP) or TCP probes. During the enumeration and assessment phases, the assessor determines which services and applications are running on each host and checks them for potential vulnerabilities. In the exploitation phase, the assessor leverages one or more of those vulnerabilities to gain some level of privileged access to a host, then uses that access to exploit the host further or to escalate privileges on that host, across the network, or throughout the domain.

1. Nmap
The tried-and-true Network Mapper (Nmap) tool was written several years ago and is continually enhanced by Fyodor. I'd call Nmap the network security expert's Swiss army knife because it's such a useful tool. You can use Nmap in the reconnaissance phase to perform "alive scans" in a number of ways to determine which hosts on a given network are online. Nmap is also useful for router ACL or firewall rule discovery via ACK (acknowledgement) flag probe scanning and other techniques. An ACK scan can't tell you whether a port is open or closed, but it does tell you which ports a stateless filter lets through (Nmap reports them as unfiltered) and which it blocks (filtered), which is exactly what you need to map a rule set.

You can use Nmap in the enumeration and assessment phases for scanning ports, listing services and their version numbers, and fingerprinting OSs. Nmap is a great tool for digging deeper into automated scanning tool results or verifying them. Nmap was originally developed for the UNIX environment but has also become available for the Windows platform in recent years (although UNIX purists would scoff at the thought of using Nmap on anything but *IX). Nmap is open source and available free from a variety of sites, the primary one being http://www.insecure.org/nmap.
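Nmap's XML output (-oX) is the easiest form to dig into or to compare against another scanner's results. As an added example (this is my own script, not code from the article or from the Nmap project), the following Python parses that output into the facts each phase needs: which hosts answered the alive scan, which open services Nmap actually fingerprinted (as opposed to guessed from the port number), and which ports an ACK scan found filtered or unfiltered. The two XML strings are constructed samples in Nmap's -oX layout, not real scan output.

```python
"""Turn Nmap XML output (-oX) into plain Python structures.

Added example; not part of the article or of the Nmap project. The XML
strings below are constructed samples in Nmap's -oX layout, not real scans.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a -sV/-O scan of a /30 with one live host and one silent one.
SAMPLE_SV = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.1.0/30">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="3.9p1" method="probed"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
        <service name="telnet" method="table"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.0.54" method="probed"/></port>
    </ports>
    <os><osmatch name="Linux 2.4.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed sample: an ACK scan (-sA) of the same gateway through a stateless filter.
SAMPLE_ACK = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sA -p 23,80 -oX - 192.168.1.1">
  <host>
    <status state="up" reason="reset"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="80"><state state="unfiltered" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, up/down, best OS guess, and its ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        status = h.find("status")
        osmatch = h.find("os/osmatch")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "os": (osmatch.get("name"), int(osmatch.get("accuracy", "0")))
                  if osmatch is not None else None,
            "ports": [],
        }
        for p in h.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            entry["ports"].append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed": Nmap actually talked to the service;
                # method="table": it only looked the port number up in nmap-services.
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append(entry)
    return hosts


def live_hosts(hosts):
    """Reconnaissance result: addresses that answered the alive scan."""
    return [h["addr"] for h in hosts if h["up"]]


def versioned_services(hosts):
    """Enumeration result: (addr, port, 'product version') for probed open ports only."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open" and p["probed"] and p["product"]:
                out.append((h["addr"], p["port"],
                            " ".join(filter(None, [p["product"], p["version"]]))))
    return out


def ports_in_state(hosts, wanted):
    """(addr, port) pairs in a given state; 'filtered' vs 'unfiltered' from an ACK
    scan is what tells you what a stateless ACL or firewall lets through."""
    return [(h["addr"], p["port"]) for h in hosts for p in h["ports"]
            if p["state"] == wanted]


if __name__ == "__main__":
    sv = parse_nmap_xml(SAMPLE_SV)
    print("alive:", live_hosts(sv))
    print("services:", versioned_services(sv))
    print("ACK scan passes:", ports_in_state(parse_nmap_xml(SAMPLE_ACK), "unfiltered"))
```

The `probed` flag is the one to watch when you verify another scanner's findings: a service line that Nmap filled in from its port table is a guess, not a fingerprint, and only the probed entries are worth feeding into a vulnerability lookup.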

2. N-Stealth
One of the most challenging aspects of vulnerability assessment is the assessment part. After you've figured out which hosts are alive and which services they're running (this is the easy part), how do you determine whether a specific service is vulnerable? For Web services, one tool that works well is the N-Stealth Security Scanner by N-Stalker. N-Stalker sells a more comprehensive version of N-Stealth, but the free trial version works well for most basic assessment needs. The fee version includes a whopping 30,000+ Web server security checks, but the free version provides more than 16,000 specific vulnerability checks, including checks for the SANS Top 20 vulnerabilities for popular Web servers such as Microsoft IIS and Apache. For example, N-Stealth checks for vulnerable Common Gateway Interface (CGI) and Hypertext Preprocessor (PHP) scripts, SQL injection attacks, common cross-site scripting, and other vulnerabilities in popular Web servers.

N-Stealth supports both HTTP and HTTP Secure (HTTPS—using SSL), provides vulnerability correlation to the Common Vulnerabilities and Exposures (CVE) dictionary and Bugtraq vulnerability database, and provides some decent reporting options. I use N-Stealth to uncover the most common vulnerabilities on Web servers and then determine the most likely exploits. You can get more information about N-Stealth at http://www.nstalker.com/eng/products/nstealth. Of course, if you're thinking serious Web site and application security assessment, I recommend the fee version or a product such as WebInspect from SPI Dynamics.

3. SNMPWalk
SNMP is a well-known, widely used, and (in its v1 and v2c forms) essentially insecure protocol that runs over UDP port 161. Whether the device is a Cisco Systems router or a Windows server, chances are it supports SNMP and is, at best, minimally secured by a community string for read or read/write access that travels in clear text and is often a well-known default. When you want to assess SNMP security (what there is of it) on a network, it's great to have a tool such as SNMPWalk that lets you query SNMP-enabled devices for important information. A simple SNMP query tells you whether your devices are giving away the keys to the kingdom. For example, a well-known default SNMP community string on Cisco routers is "ILMI". Using this string with SNMPWalk against Cisco routers can reveal a gold mine of information and, if a certain key piece of information is stored in the Cisco Management Information Base (MIB), can allow complete control over a network's router infrastructure.

SNMPWalk is an open-source tool from the Net-SNMP suite, which descends (by way of UCD-SNMP) from the CMU SNMP code written at Carnegie Mellon University in the early 1990s, when SNMP was first deployed. SNMPWalk issues a series of SNMP get-next requests, each starting from the object identifier (OID) the previous reply returned, and so retrieves every managed object in a MIB subtree; the objects are defined in Abstract Syntax Notation One (ASN.1) and identified by their OIDs. As I mentioned, authenticating for read access to an SNMPv1 or v2c device requires nothing more than a string value that's well-known or can be fairly easily sniffed from the network; only SNMPv3 adds real authentication and encryption. SNMPWalk is available for both UNIX and Windows platforms at http://net-snmp.sourceforge.net.
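To see exactly why the community string is no protection, it helps to look at the bytes. The following is an added example of my own (not code from the article or from Net-SNMP): a hand-rolled SNMPv1 encoder and decoder that builds the same get-next request snmpwalk sends, decodes the reply, and runs the get-next loop against a constructed fake agent with a four-object MIB so that it works offline. Decoding a captured request hands you the community string in clear text, which is all a sniffer needs.

```python
"""Hand-rolled SNMPv1 (RFC 1157) BER, to show what snmpwalk puts on the wire.
Added example, not from the article or Net-SNMP; the agent at the bottom is a
constructed fake with a four-object MIB so that everything runs offline."""
GETNEXT, GETRESPONSE = 0xA1, 0xA2   # context-specific PDU tags
NULL = b"\x05\x00"                   # ASN.1 NULL: placeholder value in requests

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n):  # non-negative only; the extra zero byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >= 0x80:                    # base 128, high bit = more to come
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(community, pdu_tag, request_id, varbinds, error_status=0):
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }"""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("latin-1")) + pdu)

def get_next_request(community, oid, request_id=1):
    return snmp_message(community, GETNEXT, request_id, [(oid, NULL)])

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long form: low bits = byte count of length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def read_seq(buf):
    """Split a SEQUENCE body into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_message(datagram):
    """Decode a v1 message; the community string comes straight back out in clear text."""
    (_, ver), (_, community), (pdu_tag, pdu) = read_seq(read_tlv(datagram)[1])
    (_, rid), (_, err), _, (_, vbl) = read_seq(pdu)
    varbinds = []
    for _, vb in read_seq(vbl):
        (_, oid_body), (vtag, vbody) = read_seq(vb)
        value = (int.from_bytes(vbody, "big", signed=True) if vtag == 0x02
                 else vbody.decode("latin-1") if vtag == 0x04 else None)
        varbinds.append((decode_oid(oid_body), value))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu_tag": pdu_tag, "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}

def walk(send, community, base):
    """snmpwalk's loop: get-next from base until the answer leaves the subtree,
    carries an error-status (v1 noSuchName at end of MIB), or never arrives."""
    results, oid, rid = [], base, 1
    while True:
        reply = send(get_next_request(community, oid, rid))
        resp = parse_message(reply) if reply is not None else None
        if not resp or resp["pdu_tag"] != GETRESPONSE or resp["error_status"] or not resp["varbinds"]:
            return results
        oid, value = resp["varbinds"][0]
        if not (oid + ".").startswith(base.strip(".") + "."):
            return results
        results.append((oid, value))
        rid += 1

FAKE_MIB = [("1.3.6.1.2.1.1.1.0", tlv(0x04, b"Cisco IOS (constructed sample sysDescr)")),
            ("1.3.6.1.2.1.1.5.0", tlv(0x04, b"edge-rtr1")),
            ("1.3.6.1.2.1.1.7.0", ber_int(78)),
            ("1.3.6.1.2.1.2.1.0", ber_int(4))]

def fake_agent(datagram):
    """Constructed stand-in for a device: answers only community 'public' (a real
    agent silently drops the rest) and returns the next object in OID order."""
    req = parse_message(datagram)
    if req["community"] != "public" or req["pdu_tag"] != GETNEXT:
        return None
    key = lambda o: tuple(int(a) for a in o.split("."))
    asked = req["varbinds"][0][0]
    following = [(o, v) for o, v in FAKE_MIB if key(o) > key(asked)]
    if not following:                       # end of MIB: v1 answers noSuchName (2)
        return snmp_message("public", GETRESPONSE, req["request_id"], [(asked, NULL)], 2)
    return snmp_message("public", GETRESPONSE, req["request_id"], following[:1])
```

Two things to take from it: `parse_message` applied to a request you captured on UDP 161 returns the community string with no work at all, and `walk` with the wrong string returns nothing, not an error, because an SNMPv1 agent simply drops requests whose community doesn't match. That silence is why brute-forcing community strings is feasible and why you should not rely on log entries to catch it.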

4. Fpipe
One of the more complex network security tests that you might want to perform is to emulate the hacker threat by finding ways to bypass one or more defense-in-depth measures. One example of a bypass technique in the assessment or exploitation phase is port forwarding or redirection, and Fpipe from Foundstone (a division of McAfee) is a great free tool for this. To get around router ACLs, firewall rules, or other security mechanisms, it's sometimes possible to reach a service on a blocked TCP port by relaying, or redirecting, traffic to it through a port the filter allows.

As a simplistic example, suppose a router between two subnets allows only HTTP traffic to TCP port 80 through. You want to connect to a host running Telnet (TCP port 23) on the far subnet, and you've already compromised another host on that same subnet. A port forwarder such as Fpipe running on the compromised host listens on TCP port 80 and, for each connection it accepts, opens its own connection to TCP port 23 on the Telnet host and copies bytes in both directions. You then connect to port 80 on the compromised host. To the router, that's an ordinary port 80 connection, so it passes; the compromised host hands your session to the Telnet service. Note that nothing is encapsulated or disguised. The relay works only because the filter looks at port numbers rather than at what's inside the stream, so a proxy or application-layer firewall that insisted on seeing real HTTP on port 80 would break it.

You could also use Secure Shell (SSH) or Netcat (see description below) to do port forwarding or redirection, but I like Fpipe because it's well-documented, easy to use, and free. You can download the latest version of Fpipe at http://www.foundstone.com.
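The relay itself is a small program, which is worth seeing because it makes clear there's no trickery involved. The following is an added example I wrote for this article (it is not Fpipe's code or anything from Foundstone): a minimal TCP port forwarder in Python, plus a constructed echo service standing in for the Telnet host so that the whole thing can be exercised on loopback. On the compromised host in the scenario above you would run it as `PortForwarder("0.0.0.0", 80, "<telnet-host>", 23)`; the demo binds port 0 (any free port) so it runs anywhere.

```python
"""A minimal TCP port forwarder of the kind Fpipe implements.

Added example, not Fpipe's code or anything from the article. Runs on
loopback against a constructed echo service so it can be exercised offline.
"""
import socket
import threading

BANNER = b"login: "   # constructed: what the stand-in 'telnet' service greets with


def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then tell dst there's no more to read."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One accepted connection: dial the real service, then relay both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    pumps = [threading.Thread(target=_pump, args=(client, upstream), daemon=True),
             threading.Thread(target=_pump, args=(upstream, client), daemon=True)]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()


class PortForwarder:
    """Listen on listen_host:listen_port; forward every connection to target."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # useful when listen_port was 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:          # listening socket closed: stop serving
                return
            threading.Thread(target=_handle, args=(client, self.target), daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the service behind the router: greets, then echoes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def talk(conn):
        with conn:
            conn.sendall(BANNER)
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=talk, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def demo(message=b"hello through the pipe\r\n"):
    """Talk to the echo service only via the forwarder's listening port."""
    echo, echo_port = start_echo_server()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            banner = _recv_exact(c, len(BANNER))
            c.sendall(message)
            reply = _recv_exact(c, len(message))
    finally:
        fwd.close()
        echo.close()
    return banner, reply


if __name__ == "__main__":
    print(demo())
```

The client never touches the echo service's port directly; everything it sends arrives there through the forwarder's listening port, which is the only port a filter in between would see.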

5. SQLRECON
Vulnerabilities in database products such as Microsoft SQL Server, Oracle Database, and Oracle Application Server have become quite numerous over the last few years, the most notable being the SQL Slammer worm in 2003 (described at http://www.cert.org/advisories/CA-2003-04.html). When you want to assess SQL Server hosts for potential vulnerabilities, there hasn't been a comprehensive tool for accurately enumerating SQL Server instances and their version numbers. All too often, tools misidentify the SQL Server version because they rely on what the ports report (e.g., TCP port 1433, or the instance listing from the SQL Server Resolution Service on UDP port 1434), and the version advertised there doesn't necessarily reflect the service pack level of the engine that's actually running.

Recently arrived on the scene is SQLRECON, which you can download from Special Ops Security at http://specialopssecurity.com/labs/sqlrecon. SQLRECON scans a network or host to identify all the SQL Server and Microsoft SQL Server Desktop Engine (MSDE) installations. The great thing about the tool is that it combines several known methods of SQL Server/MSDE enumeration and discovery into one utility. Once you have good information about the SQL Servers (and their versions) on your network, you can begin to determine potential vulnerabilities. SQLRECON isn't a vulnerability scanner but rather a discovery tool that makes the network security assessor's job a whole lot easier. Now we need a tool for Oracle...
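One of the discovery methods such tools combine is the SQL Server Resolution Service itself: a one-byte request to UDP port 1434 makes the host list every instance it knows about, with the instance name, TCP port, named pipe, and a version string. The following is an added example of my own (not SQLRECON's code or anything from Special Ops Security) that builds that request, parses the reply, and cross-checks the advertised version against the build the engine itself reports. The reply bytes are a constructed sample; only `query_ssrp` touches the network, and it isn't run offline.

```python
"""SQL Server Resolution Service (UDP 1434) discovery, the way SQLRECON-style
tools enumerate instances.

Added example; not SQLRECON's code or anything from the article. The wire
format is the SSRP CLNT_UCAST_EX exchange; the response below is constructed.
"""
import socket
import struct

CLNT_UCAST_EX = b"\x02"   # one byte: "list every instance on this host"
SVR_RESP = 0x05

# Constructed sample: two instances on one host, both advertising the RTM build
# (8.00.194 is SQL Server 2000 RTM) even though the engine may be patched.
_BODY = ("ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
         "tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
         "ServerName;DBSRV01;InstanceName;MSDE2000;IsClustered;No;Version;8.00.194;"
         "tcp;1044;np;\\\\DBSRV01\\pipe\\MSSQL$MSDE2000\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY.encode("ascii")


def parse_ssrp_response(data):
    """SVR_RESP: 0x05, a little-endian uint16 length, then ';'-separated key;value
    pairs, one instance per ';;'-terminated record."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack("<H", data[1:3])
    body = data[3:3 + length].decode("latin-1")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        inst = dict(zip(fields[0::2], fields[1::2]))
        inst["tcp"] = int(inst["tcp"]) if inst.get("tcp", "").isdigit() else None
        instances.append(inst)
    return instances


def product_family(version):
    """Map the major version SSRP reports to the product name."""
    major = int(version.split(".")[0])
    return {7: "SQL Server 7.0", 8: "SQL Server 2000", 9: "SQL Server 2005"}.get(major, "unknown")


def version_discrepancies(instances, engine_versions):
    """Compare what UDP 1434 advertises with the build the engine itself reports
    (SELECT SERVERPROPERTY('ProductVersion') once you can log in). Anything that
    differs is an instance a banner-only scanner would have misidentified."""
    out = []
    for inst in instances:
        real = engine_versions.get(inst.get("InstanceName"))
        if real and real != inst.get("Version"):
            out.append((inst["InstanceName"], inst["Version"], real))
    return out


def query_ssrp(host, timeout=2.0):
    """Live exchange: send CLNT_UCAST_EX to host:1434 and parse whatever answers.
    Not exercised offline; included to show the real request."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst["InstanceName"], inst["tcp"], inst["Version"], product_family(inst["Version"]))
```

The `version_discrepancies` check is the point of the section: the UDP 1434 listing is good for finding instances and their ports, but the build number it gives you is a starting hypothesis, not a result, until the engine itself confirms it.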



Reader Comments

Very informative...
DFiore.FMS@GMail.com, October 18, 2005

Very informative article. I've downloaded all the tools mentioned and am learning about them, one by one. Great place for a beginner like me to start.
AIRIT, July 07, 2006

Perfect, but where can I read the full article?
hankern, July 21, 2008
