SecureSlash.com

THC Amap : An application fingerprinting scanner

Amap is a great tool for determining what application is listening on a given port. Their database isn’t as large as what Nmap uses for its version detection feature, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service. Amap even knows how to parse Nmap output files. This is yet another valuable tool from the great guys at THC.

Nbtscan : Gathers NetBIOS info from Windows networks
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Ike-scan : VPN detector/scanner
Ike-scan exploits transport characteristics in the Internet Key Exchange (IKE) service, the mechanism used by VPNs to establish a connection between a server and a remote client. It scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence. The tool then remains silent and monitors retransmission packets. These retransmission responses are recorded, displayed and matched against a known set of VPN product fingerprints. Ike-scan can VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard.

SPIKE Proxy : HTTP Hacking
Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.

Angry IP Scanner : A fast windows IP scanner and port scanner

Angry IP Scanner can perform basic host discovery and port scans on Windows. Its binary file size is very small compared to other scanners and other pieces of information about the target hosts can be extended with a few plugins.

Superscan : A Windows-only port scanner, pinger, and resolver
SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone. It includes a variety of additional networking tools such as ping, traceroute, http head, and whois.

Unicornscan : Not your mother’s port scanner
Unicornscan is an attempt at a User-land Distributed TCP/IP stack for information gathering and correlation. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Some of its features include asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive remote OS, application, and component identification by analyzing responses. it isn’t for the faint of heart.

Scanrand : An unusually fast stateless network service and topology discovery system
Scanrand is a stateless host-discovery and port-scanner similar in design to Unicornscan. It trades off reliability for amazingly fast speeds and uses cryptographic techniques to prevent attackers from manipulating scan results. This utility is a part of a software package called Paketto Keiretsu which was written by Dan Kaminsky.

Netfilter : The current Linux kernel packet filter/firewall

Netfilter is a powerful packet filter implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multiple API layers for 3rd party extensions. It includes many different modules for handling unruly protocols such as FTP. For other UNIX platforms (OpenBSD specific), or IP Filter. Many personal firewalls are available for Windows (Tiny,Zone Alarm, Norton, Kerio, …), though none made this list. Microsoft included a very basic firewall in Windows XP SP2, and will nag you incessantly until you install it.

Openbsd PF : The OpenBSD Packet Filter
Like Netfilter and IP Filter on other platforms, OpenBSD users love PF, their firewall tool. It handles network address translation, normalizing TCP/IP traffic, providing bandwidth control, and packet prioritization. It also offers some eccentric features, such as passive OS detection. Coming from the same guys who created OpenBSD, you can trust that it has been well audited and coded to avoid the sort of security holes we have seen in other packet filters.

IP Filter : Portable UNIX Packet Filter
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services. It can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required. IP Filter is distributed with FreeBSD, NetBSD, and Solaris.

Sysinternals : An extensive collection of powerful windows utilities

Sysinternals provides many small windows utilities that are quite useful for low-level windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with:

• ProcessExplorer for keeping an eye on the files and directories open by any process (like LSoF on UNIX).
• PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
• Autoruns for discovering what executables are set to run during system boot up or login.
• RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
• TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).

Update: Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals’ advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code. Future product direction is uncertain.

Tripwire : The grand-daddy of file integrity checkers
A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. An open source Linux version is freely available at Tripwire.Org. UNIX users may also want to consider AIDE, which has been designed to be a free Tripwire replacement. Or you may wish to investigate Radmind, RKHunter, or chkrootkit. Windows users may like RootkitRevealer from Sysinternals.

RKHunter : An Unix Rootkit Detector
RKHunter is scanning tool that checks for signs of various pieces of nasty software on your system like rootkits, backdoors and local exploits. It runs many tests, including MD5 hash comparisons, default filenames used by rootkits, wrong file permissions for binaries, and suspicious strings in LKM and KLD modules.

chkrootkit : Locally checks for signs of a rootkit
chkrootkit is a flexible, portable tool that can check for many signs of rootkit intrusion on Unix-based systems. Its features include detecting binary modification, utmp/wtmp/lastlog modifications, promiscuous interfaces, and malicious kernel modules.

GnuPG / PGP : Secure your files and communication w/advanced encryption

PGP is the famous encryption program by Phil Zimmerman which helps secure your data from eavesdroppers and other risks. GnuPG is a very well-regarded open source implementation of the PGP standard (the actual executable is named gpg). While GnuPG is always free, PGP costs money for some uses.

OpenSSL : The premier SSL/TLS encryption library
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

Tor : An anonymous Internet communication system
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, irc, ssh, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features. For a free cross-platform GUI, users recommend Vidalia

Stunnel :A general-purpose SSL cryptographic wrapper
The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs’ code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries.

OpenVPN : A full-featured SSL VPN solution
OpenVPN is an open-source SSL VPN package which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN uses OpenSSL as its primary cryptographic library.

TrueCrypt : Open-Source Disk Encryption Software for Windows and Linux
TrueCrypt is an excellent open source disk encryption system. Users can encrypt entire filesystems, which are then on-the-fly encrypted/decrypted as needed without user intervention beyond entering their passphrase intially. A clever hidden volume feature allows you to hide a 2nd layer of particularly sensitive content with plausible deniability about whether it exists. Then if you are forced to give up your passphrase, you give them the first-level secret. Even with that, attackers cannot prove that a second level key even exists.

IDA Pro : A Windows or Linux disassembler and debugger

Disassembly is a big part of security research. It will help you dissect that Microsoft patch to discover the silently fixed bugs they don’t tell you about, or more closely examine a server binary to determine why your exploit isn’t working. Many disassemblers are available, but IDA Pro has become the de-facto standard for the analysis of hostile code and vulnerability research. This interactive, programmable, extensible, multi-processor disassembler now supports Linux (console mode) as well as Windows.

OllyDbg : An assembly level Windows debugger
OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg features an intuitive user interface, advanced code analysis capable of recognizing procedures, loops, API calls, switches, tables, constants and strings, an ability to attach to a running program, and good multi-thread support. OllyDbg is free to download and use but no source code is provided.

Firewalk : Advanced traceroute

Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 –traceroute option.

Tcptraceroute : A traceroute implementation using TCP packets
The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that the conventional traceroute(8) sends out (ICMP echo or UDP) end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.

Nessus : Premier UNIX vulnerability assessment tool

Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price. It is constantly updated, with more than 11,000 plugins for the free (but registration and EULA-acceptance required) feed. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones. Nessus 3 is now closed source, but is still free-of-cost unless you want the very newest plugins.

GFI LANguard : A commercial network security scanner for Windows
GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running. I also tries to collect Windows machine’s service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches. A free trial version is available, though it only works for up to 30 days.

Retina : Commercial vulnerability assessment scanner by eEye
. Retina’s function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.

Core Impact : An automated, comprehensive penetration testing product
Core Impact isn’t cheap (be prepared to spend tens of thousands of dollars), but it is widely considered to be the most powerful exploitation tool available. It sports a large, regularly updated database of professional exploits, and can do neat tricks like exploiting one machine and then establishing an encrypted tunnel through that machine to reach and exploit other boxes. If you can’t afford Impact, take a look at the cheaper Canvas or the excellent and free Metasploit Framework. Your best bet is to use all three.

ISS Internet Scanner : Application-level vulnerability assessment
Internet Scanner started off in ’92 as a tiny open source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products.

X-scan : A general scanner for scanning network vulnerabilities
A multi-threaded, plug-in-supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more. You may be able to find newer versions available here if you can deal with most of the page being written in Chinese.

Sara : Security Auditor’s Research Assistant
SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).

QualysGuard : A web-based vulnerability scanner
Delivered as a service over the Web, QualysGuard eliminates the burden of deploying, maintaining, and updating vulnerability management software or implementing ad-hoc security applications. Clients securely access QualysGuard through an easy-to-use Web interface. QualysGuard features 5,000+ unique vulnerability checks, an Inference-based scanning engine, and automated daily updates to the QualysGuard vulnerability KnowledgeBase.

SAINT : Security Administrator’s Integrated Network Tool
SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.

MBSA : Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.

P0f : A versatile passive OS fingerprinting tool

P0f is able to identify the operating system of a target host simply by examining captured packets even when the device in question is behind an overzealous packet firewall. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. In the hands of advanced users, P0f can detect firewall presence, NAT use, existence of load balancers, and more!

Xprobe2 : Active OS fingerprinting tool
XProbe is a tool for determining the operating system of a remote host. They do this using some of the same techniques as Nmap as well as some of their own ideas. Xprobe has always emphasized the ICMP protocol in its fingerprinting approach.

What is Port Scanner ?

A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to compromise it.
Understand and Write a Port Scanner in PERL

Port scanner script in PERL

#!/usr/bin/perl

use IO::Socket;

$port = 1;

$output = “/home/sakuramboo/perl/OpenPorts.txt”;

open (LIST, ” >>$output”);

while ($port <= 65535){

$sock = new IO::Socket::INET (PeerAddr => ’127.0.0.1′,

PeerPort => $port,

Proto => ‘tcp’);

if ($sock){

close $sock;

print “$port -open\n”;

print LIST “$port -open\n”;

$port = $port + 1;

}

else{

print “$port -closed\n”;;

$port = $port + 1;

}

}

close(LIST);
now, lets take a look at how all of this works, shall we?

#!/usr/bin/perl

start off the perl script with this line.

use IO::Socket;
you are saying that you are going to be using the perl modules named IO::Socket. This allows you to utilize the commands for socket programming.

$port = 1;
you are declaring $port to equal 1.

$output = “/home/sakuramboo/perl/OpenPorts.txt”;
you are declaring that $output will be a file, and it is given then exact location of the file and file name.

open (LIST, ” >>$output”);
this opens the file from $output to allow the script to write to it.

while ($port <= 65535){
while $port (which is 1 at the start) is less than or equal to 65535 (the total number of ports a computer can have) if will do what is in the brackets.

$sock = new IO::Socket::INET
this declares that $sock will be a new socket connection.

(PeerAddr => ’127.0.0.1′,PeerPort => $port, Proto => ‘tcp’);
this is the details of $sock. PeerAddr points to the IP address you want to scan. For this script, i used the localhost. PeerPort points to $port (which starts at 1). this will be increasing as the script is run. Proto points to the protocol that is being used. If you wanted to scan ports with udp, you could. Just replace ‘tcp’ with ‘udp’.

if ($sock){
this is where the script uses the socket and attempts to make a connection with what you have in $sock. It is basically saying, “if $sock makes a connection to the settings in $sock do what is in the brackets.”

close $sock;
this closes the connection.

print “$port -open\n”;
this will print what port just got scanned and tell you that it is open, as well as return a line so everything doesnt get printed right next to each other.

print LIST “$port -open\n”;
this will print the same things that it did in the command prompt, into the file in $output.

$port = $port + 1;
this is where $port gets increased by 1.

else{

print “$port -closed\n”;

$port = $port + 1;

}
here is what happens if the port is closed. Does the same as if it was open exept that it doesnt print it to a file. I did this just so i know where it is in the port scan.

close(LIST);