Essential Security Tools

by Gr@ve_Rose

Over the course of my career in network security, I have come across a lot of security tools, most of which may already be familiar to people reading this article.

Some of you may be a lot more adept with them than I am.  With this article, I am hoping to lay groundwork for these tools which people can then build upon.

For each tool, I will present where to find it, what it does, how and when to use it, and other tidbits of information which may come in handy.

Name:  Nmap

Where:  insecure.org/nmap

What:  Nmap (Network Mapper) is probably one of the most recognizable names of programs when it comes to network security.  Supporting both IPv4 and (some) IPv6, Nmap has become a staple for anyone working in network security.  It is most commonly known for its port scanning abilities and its ability to customize the scans.

When:  Nmap comes in very handy for a number of purposes.  Vulnerability Assessments (VA), penetration tests, testing firewall rules, testing (H/N)IDS functionality, and network audits are the main ones which come to mind off the top of my head, although I'm sure many of you out there have used Nmap for other purposes as well.

How:  Nmap can be used simply as a basic port scanner (nmap -v -sT $target).  This will perform a full TCP connect scan on the most common ports.  Or, it can be used for something more complex: nmap -v -sN -T1 -P0 -p0-65535 -O $target will perform a NULL (-sN, no flags set) TCP scan, very slowly (-T1), with no ICMP check (-P0) on all 65,536 ports, while attempting to guess the target's operating system (-O) based on the results.

Using Nmap to test your (H/N)IDS signatures and the alerting which goes along with them is a task which will alleviate a lot of headaches when setting up your IDS to test functionality.  Using Nmap from outside your network and attacking your firewall and any statically NATed hosts will help you audit your current firewall policy and setup.  Using some of the advanced options and scan types with Nmap will help you hide your hosts from fingerprinting attacks.
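The firewall-policy audit just described becomes repeatable once the scan result is read by a script rather than by eye. The following Python is added here and is not part of the original article: it parses Nmap's grepable output (-oG) and compares the ports found open against the ports the firewall policy is supposed to expose. The host address, the scan output and the policy are constructed for the example.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for one firewall-protected
# host; not a real scan. Fields in this format are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 4.20 scan initiated Sun Jun 24 16:00:00 2007 as: nmap -v -sT -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///"
    "\tIgnored State: filtered (996)\n"
    "# Nmap done at Sun Jun 24 16:00:05 2007 -- 1 IP address (1 host up) scanned\n"
)

# port/state/protocol//service/ is how Nmap writes each entry of the Ports: field
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)/")

def parse_gnmap(text):
    """Return {host: {(port, proto): state}} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _service in PORT_RE.findall(ports_field):
            results.setdefault(host, {})[(int(port), proto)] = state
    return results

def audit(results, policy):
    """policy maps host -> set of (port, proto) the firewall should expose.
    Flags open ports the policy does not allow, and allowed ports not open."""
    report = {}
    for host, allowed in policy.items():
        open_ports = {k for k, st in results.get(host, {}).items() if st == "open"}
        report[host] = {
            "unexpected_open": sorted(open_ports - allowed),
            "missing": sorted(allowed - open_ports),
        }
    return report

# What the firewall policy says should be reachable from outside (constructed).
POLICY = {"192.0.2.10": {(22, "tcp"), (25, "tcp"), (80, "tcp"), (443, "tcp")}}

if __name__ == "__main__":
    for host, findings in audit(parse_gnmap(SAMPLE_GNMAP), POLICY).items():
        print(host, findings)
```

Run the real scan with -oG - and feed its output to parse_gnmap; an entry under unexpected_open is a rule that lets through more than the policy says, and one under missing is a rule (or a dead service) that blocks something the policy expects to work.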




Name:  THC-Amap

Where:  www.thc.org/thc-amap

What:  THC-Amap (Application Mapper) is a tool which identifies the application actually listening on a specific port, whatever the port number suggests.  If you have ever set up a server, you know that most services can be re-mapped to run on a different port.  For instance, editing Apache's ListenPort directive will allow you to change which port your webserver is on.  If you change this to TCP/22, some scanners may report it as the SSH service.  Using THC-Amap against this will trigger the HTTP signature and let you know what is really running on the port.  THC-Amap supports both IPv4 and IPv6 for testing and is very accurate with its results.

When:  THC-Amap can be used during Vulnerability Assessments (VA), Reliability Assessments (RA), pen-tests, and system setups or as a troubleshooting tool.

How:  Using THC-Amap with the -bqv options is a good start.  This will perform banner grabbing and attempt to match against the signature to let you know what is running on the port you have connected to.  As a real-life example (sanitized), I had a customer who had rebooted their firewall and incoming TCP port 25 wasn't working.  When I Telneted to the port, I got an odd banner so I ran THC-Amap against it.

This is what I got:

# amap -bqv 123.123.123.123 25
Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers

amap v5.2 (www.thc.org/thc-amap) started at 2007-06-24 16:17:34 - MAPPING mode
Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 123.123.123.123:25/tcp (by trigger http) matches smtp-pix - banner: 
220****2************************************************************0****0****0******************2*****200******0**00

amap v5.2 finished at 2007-06-24 16:17:34

Noticing that the banner matches smtp-pix, I was able to make the modifications to the firewall so that it would not proxy incoming mail.

I re-ran THC-Amap after and got this:

Protocol on 123.123.123.123:25/tcp (by trigger http) matches smtp - banner: 
220 mail.somedomain.blah Microsoft ESMTP MAIL Service, Version 6.0.3790.1830 ready at Sun, 24 Jun 2007 162209 -0400
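To make the banner-versus-port idea concrete, here is a small Python banner matcher added for this article; it is not THC-Amap's code. It carries a short signature table modelled loosely on the appdefs.resp approach (the patterns are simplifications written for the example), a check that flags a service whose banner disagrees with its well-known port (the HTTP-on-TCP/22 case from above), and a grab_banner helper that connects and reads the first thing the service says. The two sample banners are constructed from the captures above.

```python
import re
import socket

# A small response-signature table in the spirit of amap's appdefs.resp.
# The patterns are simplified ones written for this example, not amap's
# real signature database; order matters because the first match wins.
SIGNATURES = [
    ("smtp-pix", re.compile(rb"^220\*{3,}")),   # PIX mail guard masks the banner with '*'
    ("smtp",     re.compile(rb"^220 \S+.*(?:E?SMTP|ready)", re.I)),
    ("ssh",      re.compile(rb"^SSH-\d\.\d-")),
    ("http",     re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ftp",      re.compile(rb"^220[ -].*FTP", re.I)),
]

# What the port number alone would lead a plain port scanner to report.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}

def identify(banner):
    """Return the first signature name the banner matches, else 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"

def check_port(port, banner):
    """Return (protocol seen, mismatch flag): the flag is True when the banner
    disagrees with what the well-known port number implies, e.g. HTTP on TCP/22."""
    seen = identify(banner)
    expected = WELL_KNOWN.get(port)
    return seen, expected is not None and seen != expected

def grab_banner(host, port, timeout=3.0):
    """Connect, read whatever the service volunteers first, and classify it.
    Needs a reachable host, so it is not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            banner = s.recv(512)
        except socket.timeout:
            banner = b""
    return banner, identify(banner)

# Banners modelled on the two captures in the article (constructed).
MASKED_BANNER = b"220****2****0****0****0****2*****200******0**00"
REAL_BANNER = (b"220 mail.somedomain.blah Microsoft ESMTP MAIL Service, "
               b"Version 6.0.3790.1830 ready at Sun, 24 Jun 2007 16:22:09 -0400")
```

The masked banner is matched before the ordinary SMTP pattern on purpose: a run of asterisks after 220 is the firewall's mail proxy talking, not the mail server, which is exactly the distinction that pointed at the firewall in the story above.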



Name:  hping

Where:  www.hping.org

What:  Using the basics of traceroute, tcptraceroute uses TCP instead of the usual UDP/ICMP combination of traditional traceroute.  Some firewalls block normal traceroute traffic but will allow TCP traffic to go through.  By using tcptraceroute, you can see the path you're taking on the port you expect to use.

When:  If you're troubleshooting and need to find the path a certain packet will take on a multihomed system or a large network with a lot of dynamic routing, but the intermediary routing devices don't allow regular traceroute, use tcptraceroute instead.

How:  Running tcptraceroute $host $port will trace the route using TCP SYN packets to the $host on the specified TCP $port.  It will first set the TTL to 1, which is expected to die at the first hop and receive an error message from the routing device that the TTL has expired.  The program records that IP address as the first hop.  It will then increment the TTL to 2 so the packet will make it past the first hop but not the second.  This process repeats until either the maximum TTL, which defaults to 30, has been reached or the port is reached, either open or closed.  If you don't expect the path to be too long, try using tcptraceroute -n -q 1 -m 15 $target $port.

The -n option, useful at any time, tells tcptraceroute not to perform DNS lookups and to give you the IP addresses only.  This makes the results quicker as the program doesn't spend time looking up hostnames.  Using -q 1 tells the program to query each hop once instead of the default three times.  This, too, is useful almost every time.  The last option, -m 15, specifies the maximum number of hops to use.  The default is 30 and it can go as high as 255.  Be warned:  If you're stuck in an asymmetric routing scenario or are caught in a dynamic routing loop, you may cause some congestion and headaches for the admins.
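The TTL loop described above, written out as a Python model added for this article (it is not tcptraceroute's own code). It probes a constructed reply function instead of the network, so it needs no root or raw sockets, and it exercises the -q and -m behaviour: a filtered hop shows as *, an open port ends the trace on SYN/ACK, a closed one on RST, and a routing loop keeps expiring TTLs until the -m bound stops it.

```python
# A model of the TTL-stepping loop described above, written for this
# article. It probes a constructed path instead of the network, so it needs
# no raw sockets or root; the reply rules per hop are invented for the demo.

def make_path(routers, target, port_open):
    """Reply function for a clean path: each router answers ICMP
    time-exceeded for its TTL, the target answers SYN/ACK or RST."""
    def reply(ttl):
        if ttl <= len(routers):
            return "ttl_exceeded", routers[ttl - 1]
        if ttl == len(routers) + 1:
            return ("synack" if port_open else "rst"), target
        return None, None
    return reply

def looping_path(a, b):
    """Two routers bouncing the packet between them: every TTL expires."""
    return lambda ttl: ("ttl_exceeded", a if ttl % 2 else b)

def silent_hop(reply, ttl_silent):
    """Wrap a path so one hop never answers (a router that drops ICMP)."""
    return lambda ttl: (None, None) if ttl == ttl_silent else reply(ttl)

def tcptraceroute(reply, max_ttl=30, queries=3):
    """Return (hops, verdict); hops is [(ttl, address or '*')].
    max_ttl models -m and queries models -q."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, addr = None, "*"
        for _ in range(queries):             # -q probes per hop; stop at first answer
            kind, who = reply(ttl)
            if kind is not None:
                addr = who
                break
        hops.append((ttl, addr))
        if kind == "synack":                 # SYN/ACK: port open, target reached
            return hops, "open"
        if kind == "rst":                    # RST: port closed, target reached
            return hops, "closed"
    return hops, "max-ttl-reached"           # -m bound hit: long path or a loop
```

The looping case is the one the warning above is about: without the -m bound every probe up to the default 30 (or 255) would expire somewhere inside the loop.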




Name:  GRASS

Where:  grass.pl

What:  GRASS is a Perl program I created (yes, this paragraph is a bit of self-promotion) to help test stateful firewall software and connections tables of the firewalls.  It supports both IPv4 and IPv6 and acts as a TCP "door-jam" to create a 3-way handshake.  When you're ready to close the connection, a Ctrl-C will send the closing 3-way handshake and close the connection.

How:  I was working on a customer issue where the firewall appeared to change a SYN packet into an ACK packet.  Further troubleshooting found that the device downstream was a wireless router which (for some reason) could only handle 25 connections at a time.  When connection 26 came in, it would use the same source port as connection 1 through the wireless router and, when it hit the firewall, the firewall would "help" the packet by changing the flags.  I created GRASS to aid in troubleshooting stateful firewalls or stated connections over TCP.
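A Python sketch of the door-jam idea, added for this article and not GRASS itself: it completes a chosen number of TCP handshakes, holds every one of them open, reports which attempt first failed and whether any two held connections share a source port (the symptom from the story above), then closes them in order. The listener is started locally only so the example runs offline; against a real stateful device you would point hold_connections at a host on the far side of it.

```python
import socket
import threading
def start_listener(host="127.0.0.1", port=0, backlog=64):
    """Accept-and-hold server so the example runs offline; in real use the
    peer is a host on the far side of the firewall under test."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)
    accepted = []
    def loop():
        while True:
            try:
                accepted.append(srv.accept()[0])
            except OSError:          # listener closed: stop accepting
                return
    threading.Thread(target=loop, daemon=True).start()
    return srv, accepted

def hold_connections(host, port, count, timeout=2.0):
    """Complete `count` handshakes and keep every socket open (the door-jam).
    Returns (held sockets, [(n, error)]): if the first N succeed and N+1
    fails, something in the path caps its connection table at N."""
    held, failures = [], []
    for n in range(1, count + 1):
        try:
            held.append(socket.create_connection((host, port), timeout=timeout))
        except OSError as err:
            failures.append((n, str(err)))
    return held, failures

def reused_source_ports(held):
    """Source ports used by more than one held connection (the article's
    wireless router reused connection 1's port for connection 26)."""
    ports = [s.getsockname()[1] for s in held]
    return sorted({p for p in ports if ports.count(p) > 1})

def release(sockets):
    """Orderly close: our side sends FIN on every held connection."""
    for s in sockets:
        s.close()

def self_test(count=30):
    """Door-jam against the local listener: (held, failed, reused source ports)."""
    srv, accepted = start_listener()
    held, failures = hold_connections("127.0.0.1", srv.getsockname()[1], count)
    result = (len(held), len(failures), reused_source_ports(held))
    release(held + accepted + [srv])
    return result
```

On a real path, watch the device's connection table while the sockets are held and again after release: entries that linger after the FINs, or a failure at a suspiciously round attempt number, are the findings the tool exists to surface.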




Name:  Netcat (nc)

Where:  Netcat

What:  It's probably easier to say what netcat isn't.  Netcat is hyped as the "Swiss Army knife" of networking tools and it lives up to that hype.  You can use Netcat for something as simple as creating a TCP connection or you can be more advanced by creating a server-client setup to compress and transfer files between two hosts.  You can have Netcat listening on a server and run a program when you connect to it.  The possibilities are almost endless.

How:  As much as I want to talk a lot about Netcat, I think I should keep it short as this article could become a book.  Netcat can be used on its own or you can put it in your scripts.  You can set it up to be a server or even just a listening socket on your TCP stack.  I have taken the following example from the Netcat README file which illustrates a good use for Netcat:

A typical example of something rsh is often used for: on one side:

$ nc -l -p 1234 | uncompress -c | tar xvfp -

and then on the other side:

$ tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234

will transfer the contents of a directory from one machine to another, without having to worry about .rhosts files, user accounts, or inetd configurations at either end.




Name:  ike-scan

Where:  www.nta-monitor.com/tools/ike-scan

What:  ike-scan has a name which is a bit misleading as it doesn't rely on Internet Security Association and Key Management Protocol (ISAKMP) only; it does IPSec scanning as well.  If you are performing a VA, SA or pen-test against a VPN-capable machine, ike-scan is a must.

How:  Using ike-scan may require a bit of reading on their Wiki site to glean a good amount of usage information.  By itself, ike-scan will go and attempt to gain as much information about the VPN target as it can: Is it using Aggressive Mode?  What encryption and hashing methods are supported?  What sort of authentication is being done?  These are just a few questions which ike-scan will attempt to answer for you.

In addition to performing basic enumeration, ike-scan can be used to negotiate full VPN connectivity, though this may not be for everyone to try.  I have found that ike-scan is very helpful when troubleshooting VPN connections, especially when you don't control the remote end.  Some VPN error messages from specific vendors can be rather cryptic ("No Valid SA" - Ye olde generic Check Point Error Message) and ike-scan helps give you good information in determining where the problem may lie.  Using ike-scan in your VA, SA and pen-test work is also very helpful.

There are a lot more security tools out there which I haven't mentioned, including among others HUNT (man page), a session hijacker; THC-Hydra, a password auditor; and THC-ipv6, an IPv6 attack toolkit.

All of these, and others I haven't touched upon, could be put together to have a book written about them.  I just wanted to draw some attention to the ones which I use on a regular basis and find most helpful in my day-to-day security work.

In other words, if I didn't mention $your_favorite_program in this article, I'm not trying to slight you, the tool's authors, or its importance.

I hope you find this article useful and begin to explore the uses of these and other programs.  Once you become accustomed to how they work, you will find yourself using them in all sorts of scenarios in which you may not have thought of using them but in which they will help you out immensely.
