Technical (Bottom-Up) Methodology 127
ports that respond (see Exhibit 33). For example, the NetBIOS ports 137 and 138
(UDP) and 139 (TCP) correspond to Microsoft network file and print sharing. While
some Linux systems (typically those running Samba) will respond on these ports,
they are generally the domain of Microsoft machines.
The other way in which the tools can fingerprint the OS is through TCP
sequence prediction. Inside TCP communications, a sequence number is carried
on every segment to keep the information flow moving smoothly and in the
correct order, and each new connection starts from an initial sequence number
(ISN) chosen by the responding host. Certain OSs choose ISNs that are easy to
predict (the same value every time, or a value that grows by a fixed amount),
and from the pattern of ISN increments across several probes the tools can
make a good guess at the OS.
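A worked illustration of the sequence-number test, added here as an example and not taken from Nmap or any other tool on this page: given several ISNs sampled from consecutive connections to one host, classify the generator and, where it is predictable, compute the next ISN. The class names, the jitter threshold and the sample ISN lists are constructed assumptions loosely modelled on the historical Nmap ISN classes (constant, fixed 64K increment, time-dependent, random), not a published fingerprint database.

```python
"""Classify a host's TCP initial sequence number (ISN) generator from ISNs
sampled over several connections, in the spirit of the sequence-number test
that OS fingerprinters run.  Added example: the class names and the 1000
jitter threshold are assumptions modelled loosely on the historical Nmap
ISN classes, not a published fingerprint database."""

from statistics import pstdev

MODULUS = 2 ** 32                      # TCP sequence numbers are 32-bit

CONSTANT = "constant"                  # every ISN identical
FIXED_INCREMENT = "fixed increment"    # same delta every connection (e.g. 64K)
TIME_DEPENDENT = "time dependent"      # delta tracks the clock, small jitter
RANDOM = "random"                      # large erratic deltas

# Constructed samples (not captured from real hosts), one per class.
SAMPLE_CONSTANT = [0x0000F00D] * 4
SAMPLE_64K = [0x00001000, 0x00011000, 0x00021000, 0x00031000]
SAMPLE_CLOCK = [1000, 2000, 3004, 3998, 5001]
SAMPLE_RANDOM = [0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF, 0x5EAF00D5]


def isn_deltas(samples):
    """Differences between consecutive ISNs, wrapped modulo 2**32."""
    return [(b - a) % MODULUS for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Return the generator class for a list of at least three ISNs."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(samples)
    if all(d == 0 for d in deltas):
        return CONSTANT
    if len(set(deltas)) == 1:
        return FIXED_INCREMENT
    # Assumption: jitter under 1000 between probes means the generator is
    # driven by a clock sampled at a roughly regular interval.
    if pstdev(deltas) < 1000:
        return TIME_DEPENDENT
    return RANDOM


def predict_next(samples):
    """Next ISN for a predictable generator, or None if it cannot be guessed."""
    cls = classify_isn(samples)
    if cls == CONSTANT:
        return samples[-1]
    if cls == FIXED_INCREMENT:
        return (samples[-1] + isn_deltas(samples)[0]) % MODULUS
    return None


if __name__ == "__main__":
    for name, sample in [("constant", SAMPLE_CONSTANT), ("64K", SAMPLE_64K),
                         ("clock", SAMPLE_CLOCK), ("random", SAMPLE_RANDOM)]:
        print(f"{name:9} -> {classify_isn(sample):16} next={predict_next(sample)}")
```

The wrap-around in isn_deltas matters in practice: a generator that steps by a fixed amount still looks fixed when it crosses 2**32, and a tool that forgets the modulus will misclassify it as random.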
Nmap for Linux
URL: http://www.insecure.org
Price: Free
OS: NT or Linux
Vendor’s comments: Nmap is a utility for network exploration or security
auditing. It supports ping scanning (determine which hosts are up),
many port scanning techniques (determine what services the hosts are
offering), and TCP/IP fingerprinting (remote host operating system
identification). Nmap also offers flexible target and port specification,
decoy or stealth scanning, sunRPC scanning, and more.
Opinion: Nmap is probably the most commonly used tool in network
vulnerability assessments due to the feature richness of the product
and its lack of cost.
Exhibit 33. The Vulnerability Assessment Model: OS Fingerprint Layer
[Diagram: layers Zero-Information-Based (ZIB) Tools, Network Enumeration Tools, and OS Fingerprinting Tools, plotted against Number of Hosts and Length of Time]
Information In: Active hosts
Information Out: Operating system on the active hosts
128 Managing Network Vulnerability Assessment
Nmap for NT
URL: http://www.eeye.com
Price: Free
OS: NT
Opinion: Nmap for NT is still not as stable or as fast as the Linux version,
but has come very far in a very short period of time. This suite of tools
is a real credit to the talent of the people at eeye (see Exhibit 34).
Application Discovery Tools
At this layer in the network vulnerability assessment model, we are looking
to determine the specific applications that are running on the active hosts
(see Exhibit 35). At this point, you should start to get a good idea of
what the target network looks like. To ascertain the applications running on
the active hosts, we use port scanners, which attempt to identify the services
listening on each network device. Port scanners probe with either TCP (a full
connect() handshake or a half-open SYN probe) or UDP datagrams; ICMP has no
ports, but ICMP port-unreachable replies are how a closed UDP port is
recognized, and ICMP echo is what most scanners use beforehand to confirm that
a host is up. Many port scanners are easily detected by intrusion detection
systems, because they touch many ports on one host in a short time.
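A worked TCP connect() scan of the kind just described, added here as an example; it is not code from SuperScan, Nmap or any other tool on this page. The function names, the throw-away loopback listener and the 0.5 s timeout are assumptions made for the example, so that it runs offline; a real scan would target the active hosts handed down from the previous layer.

```python
"""Minimal TCP connect() port scanner, the technique connect-based tools such
as SuperScan use: complete a full handshake to each port and classify the
outcome.  Added example, not code from any tool on this page; the target is
a throw-away loopback listener constructed here so the scan runs offline."""

import socket
import threading

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return {port: state}.  A refused connection (RST) means closed; a
    timeout means the SYN was silently dropped, which scanners report as
    filtered."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = OPEN
            except ConnectionRefusedError:
                results[port] = CLOSED
            except (socket.timeout, OSError):
                results[port] = FILTERED   # dropped or unreachable: no answer
    return results


def _tcp_listener():
    """Constructed target service: accepts each connection and closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was shut down
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _free_tcp_port():
    """Bind and release an ephemeral port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_demo():
    """Scan one listening and one closed loopback port; returns
    (open_port, closed_port, results)."""
    srv = _tcp_listener()
    open_port = srv.getsockname()[1]
    closed_port = _free_tcp_port()
    try:
        return open_port, closed_port, tcp_connect_scan(
            "127.0.0.1", [open_port, closed_port])
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    o, c, r = tcp_demo()
    for port, state in sorted(r.items()):
        print(f"127.0.0.1:{port} {state}")
```

Because every probe completes the handshake, the target's service logs and any IDS see a full connection per port; that visibility is the price of the connect() technique compared with the half-open scans Nmap offers.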
Exhibit 34. Nmap for Windows
Nmap for Linux
URL: http://www.insecure.org
Price: Free
OS: NT or Linux
Vendor’s comments: See the Nmap for Linux entry under OS Fingerprinting Tools
above.
Opinion: Nmap is probably the most commonly used tool in network
vulnerability assessments due to the lack of cost and the feature richness
of the product. Nmap is not only good at fingerprinting an operating
system, but it is also a very good port scanner.
Nmap for NT
URL: http://www.eeye.com
Price: Free
OS: NT
Opinion: Nmap for NT is still not as stable or as fast as the Linux version,
but has come very far in a very short period of time. It is a real credit
to the talent of the people at eeye.
Exhibit 35. The Vulnerability Assessment Model: Application Discovery Layer
[Diagram: layers Zero-Information-Based (ZIB) Tools, Network Enumeration Tools, OS Fingerprinting Tools, and Application Discovery Tools, plotted against Number of Hosts and Length of Time]
Information In: Operating system on active hosts
Information Out: Applications running on active hosts
SuperScan
URL: http://www.foundstone.com
Price: Free
OS: NT
Vendor’s comments: SuperScan is a powerful connect-based TCP port scanner,
pinger, and hostname resolver (see Exhibit 36). Multi-threaded and
asynchronous techniques make this program extremely fast and versatile.
Opinion: A highly configurable port scanner, this tool allows you to set
up lists of ports, use common port lists, or scan exhaustively from all
possible ports.
Windows UDP Port Scanner (WUPS)
URL: http://www.ntsecurity.nu/toolbox/wups
Price: Free
OS: NT
Vendor’s comments: WUPS is a UDP port scanner for Windows (Exhibit 37).
Opinion: The very nature of UDP makes port scanning results unpredictable.
UDP has no handshake: a closed port is recognized only by the ICMP port-
unreachable message it triggers, and an open port often sends nothing back
at all. If a firewall drops those ICMP messages, you may find that every
port appears open whenever you run this UDP port scan. This, however, is in
the nature of UDP and not a fault of the tool.
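The three outcomes described above, as an added example that is not WUPS's code: it probes constructed loopback services, one that answers, one that listens but never replies, and one closed port, and shows why silence cannot be told apart from a dropped probe. The function names, the one-byte probe payload and the timeouts are assumptions made for the example.

```python
"""Why UDP port scan results are ambiguous.  A UDP probe gets no handshake:
a closed port answers with an ICMP port-unreachable message (which the kernel
surfaces as ECONNREFUSED on a connected UDP socket), an open service may or
may not reply, and a firewall that drops the probe or the ICMP looks exactly
like an open port.  Added example, not WUPS's code; the three target
services are constructed on loopback so it runs offline."""

import socket
import threading

OPEN, CLOSED, OPEN_FILTERED = "open", "closed", "open|filtered"


def udp_probe(host, port, payload=b"\x00", timeout=0.5, retries=2):
    """Send a datagram and classify the port from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # connected socket: ICMP errors are reported
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(1024)
                return OPEN          # a service answered: definitely open
            except ConnectionRefusedError:
                return CLOSED        # ICMP port unreachable came back
            except socket.timeout:
                continue             # silence: retry, then give up
        return OPEN_FILTERED         # no reply and no ICMP: cannot tell


def _udp_service(reply):
    """Constructed loopback service: answers 'pong' if reply, else stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))       # port 0: kernel picks a free port

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:          # socket closed
                return
            if not data:             # shutdown: recvfrom returns empty
                return
            if reply:
                srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _stop(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked recvfrom()
    except OSError:
        pass
    srv.close()


def _free_udp_port():
    """Bind and release an ephemeral UDP port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_demo():
    """Probe an echoing, a silent and a closed loopback port; returns
    {label: state}."""
    echo = _udp_service(reply=True)
    silent = _udp_service(reply=False)
    closed_port = _free_udp_port()
    try:
        return {
            "echo service": udp_probe("127.0.0.1", echo.getsockname()[1]),
            "silent service": udp_probe("127.0.0.1", silent.getsockname()[1]),
            "closed port": udp_probe("127.0.0.1", closed_port),
        }
    finally:
        _stop(echo)
        _stop(silent)


if __name__ == "__main__":
    for label, state in udp_demo().items():
        print(f"{label:15} {state}")
```

Against a real host whose firewall drops ICMP, every port comes back as open|filtered, which is the behaviour the opinion above describes; Nmap reports the same state under the same name, and the only way to tighten it is to send a payload the service actually answers.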
Port Scanner
URL: http://www.megasecurity.org/Scanners.html
Price: Free
OS: NT
Opinion: A good generic port scanner (see Exhibit 38).
Ultra Scan
URL: http://packetstormsecurity.nl/UNIX/scanners
Price: Free
OS: NT
Opinion: Fastest port scanner around (see Exhibit 39).
Queso
URL: http://www.apostols.org
Price: Free
OS: Linux
Opinion: Queso performs operating system identification as Nmap does, but
because it is most often bundled with the tool listed below (i.e., cheops),
it is listed here among the port scanners. By itself, this tool is an OS
fingerprinting tool.
Exhibit 36. Super Scan
Exhibit 37. WUPS