Rack of Ethernet switches.

Network Security Auditing Tools

Audit Your Network

Startling statistics about distributed denial of service and spam

Recommended references

You need to understand the fundamentals of TCP/IP before you can make sense of any of this!

The best single reference is Doug Comer's Internetworking with TCP/IP, Volume 1. It's well written and clearly tells the story of how the TCP/IP protocol suite works. Yes, it's a textbook and new copies of the latest edition can be pretty expensive. But investigate used copies, and remember that if you're just trying to learn the fundamentals of the main host protocols (Ethernet, ARP, IP, UDP, TCP, ICMP, and DNS), they haven't changed much in ages and an older edition may serve your needs.

Internetworking With TCP/IP, Volume 1
Amazon 013608530X
TCP/IP Illustrated, Volume 1
Amazon 0321336313

Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols is another great reference, but it's more of an encyclopedia and it isn't easy reading.

Be careful when ordering either of Comer's or Stevens' books! Both wrote a three-volume series, in which the first volume (what you probably want) is about the protocols themselves, while the second and third volumes are about how to implement those protocols in an operating system (using BSD Unix as a case study) and how to write applications using those protocols.

Once you understand TCP/IP, you can start working with vulnerability scanners. Network Security Assessment, by Chris McNab, has an in-depth look at network scanning methods and application vulnerability detection and exploitation.

TCP and UDP Ports

These TCP ports are used by common attacks. Use this list to make sense of all those entries in your firewall logs. See the latest release of the Snort package for far more details. See dshield.org for reports on current scanning patterns.

Legitimate TCP Ports Commonly Probed For Exploits

21 FTP
22 SSH
53 DNS
109 POPv2
110 POPv3
111 portmap
113 AUTH/identd
119 NNTP
139 SMB (Windows NT and later)
143 IMAP
445 SMB (Windows 2000 and later)
513 rsh
514 rlogin
515 LPD (print spooler)
1433 Microsoft SQL Server
3128 squid (web/ftp proxy/cache)
3389 Terminal Server (Windows 2000 and later)
5632 PCAnywhere
5555 Napster
6000 X11
6666 Napster
6699 Napster
7777 Napster
8875 Napster
8080 Common web proxy port
8888 Napster

TCP and UDP ports used for remote system control.

Port   Protocol  Software
799    TCP       Remotely Possibly / ControlIT
800    TCP       Remotely Possibly / ControlIT
800    UDP       Remotely Possibly / ControlIT
1494   TCP       Citrix ICA
1494   UDP       Citrix ICA
2000   TCP       Remotely Anywhere
2001   TCP       Remotely Anywhere
3389   TCP       Windows Terminal Server
5800   TCP       VNC (and 5801, ...)
5900   TCP       VNC (and 5901, ...)

Suspicious TCP and UDP Ports. Most of these are used by Windows worms and Trojans; a few are used for denial-of-service (DOS) and distributed denial-of-service (DDOS) attacks.

Port on    Protocol  Attack
21         TCP       ADMw0rm
23         TCP       w00w00
23         TCP       r00t
23         TCP       rewt
23         TCP       sm4ck
23         TCP       HidePak
23         TCP       HideSource
80         TCP       Back Orifice
139        TCP       QAZ Worm
139        TCP       WinNuke DOS
146        TCP       Infector
445        TCP       Various Windows worms
555        TCP       PhaseZero
617        TCP       arkiea DOS
666        TCP       SatansBackdoor
666        TCP       BackConstruction
1054       TCP       ACKcmdC
2140       UDP       DeepThroat
2773       TCP       Sub7 trojan keystroke logger
3150       UDP       DeepThroat
3344       TCP       Matrix
3345       TCP       Matrix
4120       UDP       DeepThroat
2589       TCP       Dagger
5401       TCP       BackConstruction
5402       TCP       BackConstruction
5714       TCP       WinCrash
6789       TCP       Doly
6838       UDP       mstream DDOS
6969       TCP       GateCrasher
7215       TCP       Sub7 trojan remote terminal (aka "The Matrix")
7597       TCP       QAZ Worm
10498      UDP       mstream DDOS
12345      TCP       netbus
12346      TCP       netbus
12754      TCP       mstream DDOS
15104      TCP       mstream DDOS
18753      UDP       shaft DDOS
20034      TCP       netbus
20432      TCP       shaft DDOS
20433      TCP       shaft DDOS
21554      TCP       GirlFriendaccess
23476      TCP       DonaldDick
27374      TCP       Sub7 trojan
27444      UDP       Trin00
27665      TCP       Trin00
30100      TCP       NetSphere
30101      TCP       NetSphere
30102      TCP       NetSphere
31335      UDP       Trin00
31337      UDP       Back Orifice
31785      UDP       HackAttack
54238      TCP       Sub7 trojan remote application eavesdropper
54320      UDP       Back Orifice 2000 (aka BO2k)
54321      UDP       Back Orifice 2000 (aka BO2k)

Port on    Protocol  Attack
110        TCP       QAZ Worm
1000-1300  TCP       Infector
1024       TCP       SatansBackdoor
2589       TCP       Dagger
3344       TCP       Matrix
3345       TCP       Matrix
5031       TCP       NetMetro
5032       TCP       NetMetro
16959      TCP       Subseven trojan
27374      TCP       Subseven trojan
60000      UDP       DeepThroat
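
One way to use the port tables above against firewall logs, as an added example that is not part of the original page. It assumes Linux netfilter LOG lines (the page names no particular firewall), carries only a subset of the tables, and runs on constructed, shortened sample lines.

```python
import re
from collections import defaultdict

# Subset of the tables above: (protocol, destination port) -> meaning.
PORT_NOTES = {
    ("TCP", 22): "SSH, commonly probed",
    ("TCP", 445): "SMB, various Windows worms",
    ("TCP", 1433): "Microsoft SQL Server, commonly probed",
    ("TCP", 3389): "Windows Terminal Server, remote control",
    ("TCP", 5900): "VNC, remote control",
    ("TCP", 12345): "netbus",
    ("TCP", 27374): "Sub7 trojan",
    ("UDP", 31337): "Back Orifice",
}
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")  # netfilter LOG key=value fields

def summarize(lines):
    """Group logged packets by (protocol, destination port)."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # first match is the outer packet header
        if fields.get("PROTO") not in ("TCP", "UDP") or "SRC" not in fields:
            continue  # ICMP and truncated lines carry no usable port
        if not fields.get("DPT", "").isdigit():
            continue
        entry = summary[(fields["PROTO"], int(fields["DPT"]))]
        entry["hits"] += 1
        entry["sources"].add(fields["SRC"])
    return {k: dict(v, note=PORT_NOTES.get(k, "not in the tables"))
            for k, v in summary.items()}

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "Mar  3 02:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4021 DPT=445 SYN",
    "Mar  3 02:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1188 DPT=445 SYN",
    "Mar  3 02:15:40 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4033 DPT=27374 SYN",
    "Mar  3 02:16:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 LEN=47 PROTO=UDP SPT=1201 DPT=31337",
    "Mar  3 02:16:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Mar  3 02:17:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=5120 DPT=8443 SYN",
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["hits"])
    for (proto, port), e in ranked:
        print(f"{port}/{proto}: {e['hits']} hits from {len(e['sources'])} sources, {e['note']}")
```
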

Analysis Tools

Analysis tools fit into major categories. Executive summary: use Nmap for port scanning and version detection, use OpenVAS or Nessus for vulnerability scanning.

DS3 interfaces on a Cisco 7000 series router.

Port Scanners

  • The best single tool is Nmap. It has excellent OS and server software version detection. Get it from nmap.org.
  • ScanUDP does an aggressive UDP-only scan.
  • Download a device's entire MIB with snmpwalk.
  • See my web security page for tools to detect problems with your web servers.
  • CATTscanner enumerates NFS shares, RPC services, NETBIOS name, and versions of services.
  • Outdated tools (SATAN, SAINT, SARA) that only do simple port-scanning can tell you that a machine has a TCP service listening on a specific port, but that's about it. You get a list of open ports, and maybe a guess as to the remote OS. These are out of date — use Nmap instead!

Vulnerability Scanners

Vulnerability scanners can also provide warnings about apparent risks due to buggy network server software. Note that some just make assumptions based on banner details, while others may attempt an exploit to see if it works. Also, some of the commercial Windows-specific ones may give false-negative errors if run without remote administrative privileges:

Nessus is a very good tool. It used to be free but now it's expensive, and so...

Get OpenVAS

OpenVAS or the Open Vulnerability Assessment System is a free fork of the Nessus project.

Sectools.org has nice lists of vulnerability scanners and also web vulnerability scanners.

Retina Network Security Scanner originally from eEye Digital Security, now BeyondTrust, has been the U.S. DOD standard vulnerability scanner.

The Penetrator Pen Testing Appliance from SecPoint uses a large set of remote signatures, updated daily.

The IP360 was originally from nCircle, now it's Tripwire IP360.

QualysGuard is a cloud-based scanner from Qualys.

Host-based analysis. So port 80 is open, and the banner says it's Apache 2.0.45, but now you must answer further questions: What binary program has that port open, what shared libraries is it using, and what other files, sockets, and pipes does that process have open? And should I have complete confidence in all of this?

lsof answers your questions on UNIX-like systems (commercial UNIX, BSD, Linux, macOS). Either find lsof already included in your OS, or add it.
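
The same questions can be answered on Linux straight from /proc, which is where lsof gets its data there. This is an added example, not code from the original page; the function names are made up for illustration, it is Linux-only, and it needs root to see processes owned by other users.

```python
import os

def listening_inodes(port):
    """Inodes of TCP sockets in LISTEN state (st == 0A) on a local port."""
    inodes = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh)  # skip the header row
                for row in fh:
                    col = row.split()
                    local_port = int(col[1].rsplit(":", 1)[1], 16)
                    if col[3] == "0A" and local_port == port:
                        inodes.add(col[9])
        except FileNotFoundError:
            continue  # e.g. IPv6 disabled
    return inodes

def fd_targets(pid):
    """What each open descriptor of a process points at (file, pipe, socket)."""
    targets = []
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            targets.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
        except OSError:
            pass  # descriptor closed while we were listing
    return targets

def owners_of_port(port):
    """Map pid -> binary, mapped shared libraries and open descriptors."""
    wanted = {f"socket:[{i}]" for i in listening_inodes(port)}
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            targets = fd_targets(pid)
            if not wanted.intersection(targets):
                continue
            with open(f"/proc/{pid}/maps") as fh:
                rows = (ln.split(None, 5) for ln in fh)
                libs = sorted({r[5].strip() for r in rows if len(r) == 6 and ".so" in r[5]})
            owners[int(pid)] = {"exe": os.readlink(f"/proc/{pid}/exe"),
                                "libs": libs, "open": targets}
        except OSError:
            continue  # process exited, or not ours and we are not root
    return owners

if __name__ == "__main__":
    for pid, info in owners_of_port(80).items():
        print(pid, info["exe"], len(info["libs"]), "libs", len(info["open"]), "fds")
```

A binary or library path ending in "(deleted)" means the file on disk was removed or replaced after the process started, so what is running is no longer what is installed.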

If you're stuck with Windows, try fport.exe, Vision, and the Process Explorer originally from NTSysInternals.

Other network scanners are found at: cotse.com and Purdue's CERIAS.

SHODAN is an interesting search engine for computer operating systems and server software versions. Rather than search web page content, SHODAN indexes servers, routers, and more, by their OS and version. It aggregates banners from well-known services. You can search for things like the list of all known FTP servers running the vulnerable version 2.6.0 of the Wu-Ftpd server, with a remote format string stack overwrite vulnerability.

Commercial vulnerability scanners aren't cheap. Here are prices from the June 20, 2011 Network World review:

Vendor          Product                                 Price
McAfee          McAfee Vulnerability Manager (MVM) 7    $16,820 including 1U appliance first year, $9,020 second year
Qualys          QualysGuard Vulnerability Management    $17,495
SAINT           SAINTmanager                            $19,000 first year, $4,750 second year
eEye            Retina CS 2.0                           $28,000 first year, $7,000 second year
Critical Watch  FusionVM                                $18,500 for first year for 1,000 IP addresses
Lumension       Lumension Scan 6.4                      $6,500

The top 100 network security tools — short descriptions and links to get them: http://sectools.org/index.html

Use Snort to detect scans and other network attacks.

hping2 lets you craft and send customized ICMP packets.

icmpenum is a distributed ICMP-based host enumerator and network census-taker.

Gibson Research Corporation has an interesting site — it will scan your host for you and report the results.

More tool FTP sites are at coast.cs.purdue.edu, ciac.llnl.gov, and ftp.funet.fi/.

Other tools:

DNS Authentication

Earlier versions of DNS are susceptible to DNS spoofing and other abuses. To fix your DNS, make sure you're running the latest version of BIND.

Then make sure you configure it correctly. See Team Cymru's Secure BIND Template.