6. Enum
For a Windows guy who also dabbles in Linux, it really comes in handy to have a comprehensive (and free) tool that enumerates all kinds of information about a Windows system. The Enum tool is exactly that tool. The command-line console-based utility reports a lot of great Win32 information about a host through NetBIOS running on TCP port 139. Using null or authenticated sessions, Enum can retrieve user lists, machine lists, share lists, group and member lists, and password and Local Security Authority (LSA) policy information. Enum is also capable of a rudimentary brute-force dictionary attack on individual local accounts. Figure 1 shows the many details about a given Windows host that are available remotely via Enum. You can download Enum (along with some other great tools, such as Pwdump2 and LSAdump2) from BindView at http://www.bindview.com/services/razor/utilities.
7. PsTools
Most of you are familiar with the many great tools and resources provided by Sysinternals. From a security assessment perspective, the PsTools suite is perhaps the most useful. Named after the UNIX ps (process listing) command-line tool, PsTools is a collection of tools that fill the gaps left by the standard Windows OS command-line tools and the Windows resource kit tools. PsTools are particularly useful for both remote and local system assessment and exploitation.
After you've exploited a host vulnerability, PsTools are a huge help in remotely manipulating a system and allowing you further exploitation such as privilege escalation. For example, if you've exploited a host and gained local administrator access but you want to escalate your privilege to the domain administrator who's currently logged on, PsTools can help you through such features as remote shutdown and process kill.
PsExec is perhaps my favorite of the PsTools. It allows someone with local administrator access (via an authenticated network connection) to remotely execute programs on a system. My favorite operation is to use PsExec to run cmd.exe on a remote system, giving me a remote command-line prompt to the system with administrator privileges (PsExec doesn't obtain these privileges for you; you have to get them some other way). For more information about PsExec, see Windows Power Tools, "PsExec," July 2004, InstantDoc ID 42919.
Other favorites include PsList, which lets you list all processes running on a remote system, and PsKill, which lets you kill individual processes running on a remote system. For more information about these tools, see Windows Power Tools, "PsList and PsKill," September 2004, InstantDoc ID 43569. Besides security assessment, the PsTools suite is quite useful simply for performing many administrator functions remotely from the command line (which is probably more the authors' intention). You can get PsTools (along with many other awesome resources) at the Sysinternals Web site at http://www.sysinternals.com/utilities.html.
8. Netcat
Although many know about Netcat because of its use as a back door that allows attackers access to a system (an exploitation feature), Netcat isn't as well known for its capabilities as a tool to perform enumeration and assessment, as well as other important operations that are part of traditional network security assessment. Developed more than 10 years ago for UNIX and ported to Windows in 1998, Netcat is an extension of the UNIX cat command, which lets you "stream" file contents to and from the screen and view, modify, or combine them. Netcat allows data from the system's standard I/O to be read and written across network connections by using TCP/IP. This means that you can directly manipulate the TCP/IP stack and read/write data over TCP or UDP ports.
In addition to using Netcat as a back-door tool, you can use it for grabbing banners (such as Telnet, SMTP, and FTP banners), "piping" files and data, port scanning, remote service and port enumeration, and many other creative functions. Every time I turn around, someone is showing me new ways that I hadn't thought of to use Netcat. I use it most frequently for port fuzzing (connecting to a TCP port and poking around to see what I can learn) and shell-shoveling (piping a command prompt from a target host back to me, a poor man's reverse shell).
Download the Windows version of Netcat at http://www.vulnwatch.org/netcat, and read http://www.vulnwatch.org/netcat/readme.html to learn more than you ever wanted to know about the tool. Learn still more at "Netcat," Security Administrator, September 2003, InstantDoc ID 39680.
9. John the Ripper
Most people have heard of the L0phtCrack password-cracking and -audit tool originally developed by The Cult of the Dead Cow (don't ask) and now owned and maintained by @stake (recently acquired by Symantec). I prefer John the Ripper, a simple, high-performance password cracker available for many platforms (including Windows) that grew out of the well-known UNIX Crack tool. John can detect system characteristics and capabilities that allow it to optimize performance. In my experience, John runs circles around other crackers such as L0phtCrack in terms of tries per second (LC5, the current version of L0phtCrack, is supposedly greatly improved over previous versions, but you have to pay for it).
Also, John doesn't crack just Windows (LAN Manager and NT LAN Manager, or NTLM) password hashes but out of the box cracks any password hashes that use DES (standard, single, extended), MD5, Blowfish, or Andrew File System (AFS) ciphertext or hash formats. John used in conjunction with a dictionary file (numerous such files are available containing most any language known in the galaxy, even Wookie and Klingon) is a can't-live-without-it tool for password cracking and audit (which every company should be doing regardless of how strong its password policy is). You can get John the Ripper at http://www.openwall.com/john or http://www.securiteam.com/tools/3X5QLPPNFE.html.
10. The Metasploit Framework
Wouldn't it be nice to have an easy-to-use exploit platform that contained the most recent exploits, featured an auto-update capability, and was extensible via a well-known language such as Perl? Yes, but... It's scary (and somewhat irresponsible) that someone would provide such a capability to the masses for free; it just calls out to script kiddies everywhere (roughly similar to offering a nuclear suitcase on eBay). However, I'll concede that having a tool such as the Metasploit Framework is beneficial for network security assessors emulating threats (if Pandora's box has been opened, the good guys should have the same tools as the bad guys).
The Metasploit Framework was introduced about 2 years ago as a research project by the well-known security researchers H.D. Moore and spoonm. The project's goals were half noble: to further security research and provide a resource for exploit developers. I use the Metasploit Framework (with care and with prior testing in a lab environment) as an exploitation tool for security assessments.
Metasploit is a Perl script-based engine that allows you to select from a myriad of exploits for a variety of platforms and applications (more than 75 exploits and 75 payloads and growing at the time of this writing). In addition to giving you a selection of exploits for known vulnerabilities, Metasploit lets you select the specific payloads that you'd like to send with the exploits. For example, if you want to exploit a system that has the SQL Slammer vulnerability, as mentioned in the SQLRECON section above, you can choose how you want to manipulate the vulnerable system: by creating a Win32 Bind shell connection, by sending back a Win32 Reverse shell, by simply running a remote command, by injecting a rogue Virtual Network Computing (VNC) server DLL into an exploited running process, or by some other means. Since the Metasploit Framework is also extensible via Perl modules, you can write your own exploits, plug them into the framework, and use an existing applicable payload. Figure 2 shows the easy-to-use Metasploit Web interface listing the available exploits.
I recommend that you approach the Metasploit Framework with caution and use it only to demonstrate specific vulnerabilities during your network security assessment. You can download the Metasploit Framework at http://www.metasploit.com. Nessus (http://www.nessus.org) is another popular vulnerability scanner and exploit platform that has been around for years and is worth a look.
I've attempted to do the somewhat impossible: provide a list of the most popular free tools available to aid in network security assessment. It's difficult at best to choose just 10 tools; there are many tools for the job. If what I've recommended doesn't work for you, there are bound to be other, comparable free tools you can try. Or you can look into commercial tools, which are often more fully developed or have better support models than free tools do. I hope you've come away with some new knowledge about tools that you can leverage. Even if you learned about only one new great tool, this article was probably worth the read!