DS3 interfaces on a Cisco 7000 series router.

Network Security Auditing Tools

Modified 20 August 2009

Startling statistics about distributed denial of service and spam

• 2% of all Internet traffic is DDOS (Distributed Denial Of Service)
  According to high level traffic analysis by Arbor Networks.
• 95% percent of all e-mail sent in 2007 was spam
  
  • As reported at cnet.com.
  • As reported at vnunet.com.
• 39% of all spam comes from just one 'botnet, and
  85% of all spam comes from just six 'botnets, according to a report described at thetechdon.com.
  Much of that is under the control of the Russian Business Network

A list of TCP ports used by common attacks. Use this to make sense of all those entries in your firewall logs. See the latest package of the Snort package for far more details. See http://www.dshield.org/ for reports on current scanning patterns.

Legitimate TCP Ports Commonly Probed For Exploits

TCP and UDP ports used for remote system control.

Suspicious TCP and UDP Ports. Most of these are used for Windows worms and Trojans, a few are used for denial-of-service (DOS) and distributed denial-of-service (DDOS) attacks.

Analysis Tools

Analysis tools fit into major categories. Executive summary: use Nmap for port scanning and version detection, use OpenVAS or Nessus for vulnerability scanning.

Port Scanners

• The best single tool is Nmap, it has excellent OS and server software version detection: http://insecure.org/nmap/
• ScanUDP does an aggressive UDP-only scan: http://www.geocities.com/fryxar/scanudp.c
• Download a device's entire MIB with snmpwalk
• See my web security page for tools to detect problems with your web servers
• Winfingerprint enumerates Windows-specific shares and services: http://winfingerprint.sourceforge.net/
• CATTscanner enumerates NFS shares, RPC services, NETBIOS name, versions of services: http://packetstormsecurity.nl/UNIX/scanners/cattscanner-0.6.tar.gz
• Outdated tools (SATAN, SAINT, SARA) that only do simple port-scanning can tell you that a machine has a TCP service listening on a specific port, but that's about it. You get a list of open ports, and maybe a guess as to the remote OS. These are out of date — use Nmap instead!

Vulnerability Scanners

Vulnerability scanners can also provide warnings about apparent risks due to buggy network server software. Note that some just make assumptions based on banner details, while others may attempt an exploit to see if it works. Also, some of the commercial Windows-specific ones may give false-negative errors if run without remote administrative privileges:

• Nessus — It's a very good tool. It used to be free but now it's expensive.
• OpenVAS — Open Vulnerability Assessment System — It's free, a fork of the Nessus project.
• Vlad the Scanner
• Retina Network Security Scanner from eEye Digital Security
• The Penetrator Pen Testing Appliance from SecPoint uses a large set of remote signatures, updated daily.
• NeVO — from Tenable Network Security
• QualysGuard
• Asmodeus for the Windows NT family of operating systems.
• OGRE, from "rhino9", is a Windows based network auditing tool. As per AFCERT, OGRE:
  • Determines which hosts are active on the network.
  • Scans those the hosts to determine available remote services.
  • Gathers statistical information on netbios. (nbtstat)
  • Displays publicly viewable network shares. (net view)
  • Checks for the existence of Microsoft Frontpage Server Extensions.
  • Checks for the IIS Admin HTML administration page.
  • Checks for the Index Server default sample documents.
  It only checks for three classes of Win95/98/NT security holes:
  • Microsoft Frontpage Extensions
  • IIS Admin HTML administration page
  • Index Server default sample documents

Lists of links to many network scanners in various categories: http://www.networkintrusion.co.uk/

Host-based analysis. So port 80 is open, and the banner says it's Apache 2.0.45, but now you must answer further question: What binary program has that port open, what shared libraries is it using, and what other files, sockets, and pipes does that process have open? And should I have complete confidence in all of this?

• lsof answers the first question on UNIX-like systems (commercial UNIX, BSD, Linux, Mac OS X). Either find lsof already included in your OS, or add it easily. http://freshmeat.net/projects/lsof/
• Three choices if you're stuck with Windows: fport.exe and Vision are free from the Resources page at: http://www.foundstone.com/
• You could also try Process Explorer from http://www.microsoft.com/technet/sysinternals

Other network scanners are found at:

• http://www.cotse.com/tools/vuln.htm
• http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/

The top 100 network security tools — short descriptions and links to get them: http://sectools.org/index.html

Use Snort to detect scans and other network attacks: http://www.snort.org/

hping2 lets you send craft and send customized ICMP packets: http://www.kyuzz.org/antirez/hping/

icmpenum — distributed ICMP-based host enumerator and network census-taker. http://linux.softpedia.com/get/System/Networking/Icmpenun-25545.shtml

Gibson Research Corporation has an interesting site — it will scan your host for you and report the results: http://www.grc.com/

More tool FTP sites:

• ftp://coast.cs.purdue.edu/pub/tools/
• http://ciac.llnl.gov/ciac/tools.html
• ftp://ftp.nec.com/pub/security
• ftp://ftp.funet.fi/pub/unix/security

Other tools:

• Detecting and dealing with TCP SYN flood attacks against Solaris, click for details.
• Dealing with TCP SYN flood attacks against Cisco routers, click for details.
• Test your system's IP stack robustness with ipsend, available from: http://linux.softpedia.com/get/System/Networking/ipsend-33285.shtml

DNS Authentication

Earlier versions of DNS are susceptible to DNS spoofing and other abuses. To fix your DNS, make sure you're running the latest version of BIND, available at http://www.isc.org.

Then make sure you configure it correctly: http://www.team-cymru.org/ReadingRoom/Documents/secure-bind-template.html

Automatic Teller Machine (ATM) Security

The ATM Marketplace site has a "buyer's guide" that lets you compare features, and in some cases it reveals some details of network interface, CPU, and even OS. http://www.atmmarketplace.com/

Back to the main Security Page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact