Network Security Auditing Tools
Audit Your Network
Startling statistics about distributed denial of service and spam
-
2% of all Internet traffic is DDOS
(Distributed Denial Of Service)
According to high level traffic analysis by Arbor Networks. -
95% percent of all e-mail sent in 2007 was spam
As reported at cnet.com and vnunet.com. -
39% of all spam comes from just one 'botnet, and
85% of all spam comes from just six 'botnets, according to a report described at thetechdon.com.
Much of that is under the control of the Russian Business Network.
Recommended references
You need to understand the fundamentals of TCP/IP before you can make sense of any of this!
The best single reference is Doug Comer's Internetworking with TCP/IP, Volume 1. It's well written and clearly tells the story of how the TCP/IP protocol suite works. Yes, it's a textbook and new copies of the latest edition can be pretty expensive. But investigate used copies, and remember that if you're just trying to learn the fundamentals of the main host protocols (Ethernet, ARP, IP, UDP, TCP, ICMP, and DNS), they haven't changed much in ages and an older edition may serve your needs.
Amazon 013608530X
Amazon 0321336313
Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols is another great reference, but it's more of an encyclopedia and it isn't easy reading.
Be careful when ordering either of Comer's or Stevens' books! Both wrote a three-volume series, in which the first volume (what you probably want) is about the protocols themselves, while the second and third volumes are about how to implement those protocols in an operating system (using BSD Unix as a case study) and how to write applications using those protocols.
Once you understand TCP/IP, you can start working with vulnerability scanners. Network Security Assessment, by Chris McNab, has an in-depth look at network scanning methods and application vulnerability detection and exploit.
TCP and UDP Ports
These TCP ports are used by common attacks. Use this to make sense of all those entries in your firewall logs. See the latest package of the Snort package for far more details. See dshield.org for reports on current scanning patterns.
Legitimate TCP Ports Commonly Probed For Exploits
| 21 | FTP |
| 22 | SSH |
| 23 | TELNET |
| 25 | SMTP |
| 53 | DNS |
| 79 | FINGER |
| 80 | HTTP |
| 109 | POPv2 |
| 110 | POPv3 |
| 111 | portmap |
| 113 | AUTH/identd |
| 119 | NNTP |
| 139 | SMB (Windows NT and later) |
| 143 | IMAP |
| 445 | SMB (Windows 2000 and later) |
| 513 | rsh |
| 514 | rlogin |
| 515 | LPD (print spooler) |
| 1433 | Microsoft SQL Server |
| 3128 | squid (web/ftp proxy/cache) |
| 3389 | Terminal Server (Windows 2000 and later) |
| 5632 | PCAnywhere |
| 5555 | Napster |
| 6000 | X11 |
| 6666 | Napster |
| 6699 | Napster |
| 7777 | Napster |
| 8875 | Napster |
| 8080 | Common web proxy port |
| 8888 | Napster |
TCP and UDP ports used for remote system control.
| Port | Protocol | Software |
| 22 | TCP | pcAnywhere |
| 22 | UDP | pcAnywhere |
| 407 | TCP | Timbuktu |
| 407 | UDP | Timbuktu |
| 799 | TCP | Remotely Possibly / ControlIT |
| 800 | TCP | Remotely Possibly / ControlIT |
| 800 | UDP | Remotely Possibly / ControlIT |
| 1494 | TCP | Citrix ICA |
| 1494 | UDP | Citrix ICA |
| 2000 | TCP | Remotely Anywhere |
| 2001 | TCP | Remotely Anywhere |
| 3127-3198 | TCP | Mydoom |
| 3389 | TCP | Windows Terminal Server |
| 4899 | TCP | RAdmin |
| 5800 | TCP | VNC (and 5801, ...) |
| 5900 | TCP | VNC (and 5901, ...) |
| 5631 | TCP | pcAnywhere |
| 5632 | TCP | pcAnywhere |
| 5632 | UDP | pcAnywhere |
| 43188 | TCP | ReachOut |
| 65301 | TCP | pcAnywhere |
Suspicious TCP and UDP Ports. Most of these are used for Windows worms and Trojans, a few are used for denial-of-service (DOS) and distributed denial-of-service (DDOS) attacks.
| Port on target |
Protocol | Attack |
| 21 | TCP | ADMw0rm |
| 23 | TCP | w00w00 |
| 23 | TCP | r00t |
| 23 | TCP | rewt |
| 23 | TCP | sm4ck |
| 23 | TCP | HidePak |
| 23 | TCP | HideSource |
| 79 | TCP | CDK |
| 80 | TCP | BackOriface |
| 139 | TCP | QAZ Worm |
| 139 | TCP | WinNuke DOS |
| 146 | TCP | Infector |
| 445 | TCP | Various Windows worms |
| 555 | TCP | PhaseZero |
| 617 | TCP | arkiea DOS |
| 666 | TCP | SatansBackdoor |
| 666 | TCP | BackConstruction |
| 1054 | TCP | ACKcmdC |
| 2140 | UDP | DeepThroat |
| 2773 | TCP | Sub7 trojan keystroke logger |
| 3150 | UDP | DeepThroat |
| 3344 | TCP | Matrix |
| 3345 | TCP | Matrix |
| 4120 | UDP | DeepThroat |
| 2589 | TCP | Dagger |
| 5401 | TCP | BackConstruction |
| 5402 | TCP | BackConstruction |
| 5714 | TCP | WinCrash |
| 6789 | TCP | Doly |
| 6838 | UDP | mstream DDOS |
| 6969 | TCP | GateCrasher |
| 7215 | TCP | Sub7 trojan remote terminal (aka "The Matrix") |
| 7597 | TCP | QAZ Worm |
| 10498 | UDP | mstream DDOS |
| 12345 | TCP | netbus |
| 12346 | TCP | netbus |
| 12754 | TCP | mstream DDOS |
| 15104 | TCP | mstream DDOS |
| 18753 | UDP | shaft DDOS |
| 20034 | TCP | netbus |
| 20432 | TCP | shaft DDOS |
| 20433 | TCP | shaft DDOS |
| 21554 | TCP | GirlFriendaccess |
| 23476 | TCP | DonaldDick |
| 27374 | TCP | Sub7 trojan |
| 27444 | UDP | Trin00 |
| 27665 | TCP | Trin00 |
| 30100 | TCP | NetSphere |
| 30101 | TCP | NetSphere |
| 30102 | TCP | NetSphere |
| 31335 | UDP | Trin00 |
| 31337 | UDP | Back Oriface |
| 31785 | UDP | HackAttack |
| 54238 | TCP | Sub7 trojan remote application eavesdropper |
| 54320 | UDP | Back Oriface 2000 (aka BO2k) |
| 54321 | UDP | Back Oriface 2000 (aka BO2k) |
| Port on Attacker |
Protocol | Attack |
| 80 | TCP | ACKcmdC |
| 110 | TCP | QAZ Worm |
| 1000-1300 | TCP | Infector |
| 1024 | TCP | SatansBackdoor |
| 2589 | TCP | Dagger |
| 3344 | TCP | Matrix |
| 3345 | TCP | Matrix |
| 5031 | TCP | NetMetro |
| 5032 | TCP | NetMetro |
| 16959 | TCP | Subseven trojan |
| 27374 | TCP | Subseven trojan |
| 60000 | UDP | DeepThroat |
Analysis Tools
Get OpenVASAnalysis tools fit into major categories. Executive summary: use Nmap for port scanning and version detection, use OpenVAS or Nessus for vulnerability scanning.
DS3 interfaces on a Cisco 7000 series router.
Port Scanners
- The best single tool is Nmap, it has excellent OS and server software version detection. Get it from nmap.org.
- ScanUDP does an aggressive UDP-only scan.
- Download a device's entire MIB with snmpwalk.
- See my web security page for tools to detect problems with your web servers.
- CATTscanner enumerates NFS shares, RPC services, NETBIOS name, and versions of services.
- Outdated tools (SATAN, SAINT, SARA) that only do simple port-scanning can tell you that a machine has a TCP service listening on a specific port, but that's about it. You get a list of open ports, and maybe a guess as to the remote OS. These are out of date — use Nmap instead!
Vulnerability Scanners
Vulnerability scanners can also provide warnings about apparent risks due to buggy network server software. Note that some just make assumptions based on banner details, while others may attempt an exploit to see if it works. Also, some of the commercial Windows-specific ones may give false-negative errors if run without remote administrative privileges:
Nessus is a very good tool. It used to be free but now it's expensive, and so...
Get OpenVASOpenVAS or the Open Vulnerability Assessment System is a free fork of the Nessus project.
Sectools.org has nice lists of vulnerability scanners and also web vulnerability scanners.
Retina Network Security Scanner originally from eEye Digital Security, now BeyondTrust, has been the U.S. DOD standard vulnerability scanner.
The Penetrator Pen Testing Appliance from SecPoint uses a large set of remote signatures, updated daily.
The IP360 was originally from nCircle, now it's Tripwire IP360.
QualysGuard is a cloud-based scanner from Qualys.
Host-based analysis. So port 80 is open, and the banner says it's Apache 2.0.45, but now you must answer further question: What binary program has that port open, what shared libraries is it using, and what other files, sockets, and pipes does that process have open? And should I have complete confidence in all of this?
lsof answers your questions on UNIX-like systems (commercial UNIX, BSD, Linux, macOS). Either find lsof already included in your OS, or add it.
If you're stuck with Windows, try
fport.exe,
Vision,
and the
Process Explorer
originally from NTSysInternals.
Other network scanners are found at: cotse.com and Purdue's CERIAS.
SHODAN is an interesting search engine for computer operating systems and server software versions. Rather than search web page content, SHODAN indexes servers, routers, and more, by their OS and version. It aggregates banners from well-known services. You can search for things like the list of all known FTP servers running the vulnerable version 2.6.0 of the Wu-Ftpd server, with a remote format string stack overwrite vulnerability.
Commercial vulnerability scanners aren't cheap. Here are prices from the June 20, 2011 Network World review:
| McAfee | McAfee Vulnerability Manager (MVM) 7 |
$16,820 including 1U appliance first year, $9,020 second year |
| Qualys | QualysGuard Vulnerability Management | $17,495 |
| SAINT | SAINTmanager | $19,000 first year, $4,750 second year |
| eEye | Retine CS 2.0 | $28,000 first year, $7,000 second year |
| Critical Watch | FusionVM | $18,500 for first year for 1,000 IP addresses |
| Lumension | Lumension Scan 6.4 | $6,500 |
The top 100 network security tools — short descriptions and links to get them: http://sectools.org/index.html
Use Snort to detect scans and other network attacks.
hping2 lets you send craft and send customized ICMP packets.
icmpenum is a distributed ICMP-based host enumerator and network census-taker.
Gibson Research Corporation has an interesting site — it will scan your host for you and report the results.
More tool FTP sites are at coast.cs.purdue.edu, ciac.llnl.gov, and ftp.funet.fi/.
Other tools:
- Detecting and dealing with TCP SYN flood attacks against Solaris.
- Dealing with TCP SYN flood attacks against Cisco routers.
-
Test your system's IP stack robustness
with
ipsend.
DNS Authentication
Earlier versions of DNS are susceptible to DNS spoofing and other abuses. To fix your DNS, make sure you're running the latest version of BIND.
Then make sure you configure it correctly, see Team Cymru's Secure BIND Template.