In the previous chapters, we learned about network and security protocols. In this chapter, we will provide a comprehensive overview of the various security tools that we will work with later in this book. We will start by describing the main open source and commercial tools. Then, we will look at tools that are used to gather information on our target network (which can be a network that we want to protect), followed by tools for discovering vulnerabilities and network weaknesses.
In this chapter, we're going to cover the following main topics:
Some tools fulfill tasks in several categories, such as when a tool can be used both as a vulnerability tool and for exploitation, and in these cases, we will look at these capabilities in each of the categories they're a part of.
We will start with a general category – open source and commercial tools. In addition to this, some of us are used to working with Windows, while others are used to Linux (and laugh about the former). We will talk about both Windows and Linux while focusing on open source tools and, when required, tools that we need to write ourselves.
We can divide security tools according to their objectives: what they do, what we test with them, and what we are trying to protect. For example, some tools are built to test communications servers, and the same tools can be used to find and close the weaknesses in the servers we are responsible for.
Our book is about network protocols, so we will focus on network-oriented attacks and protection. The first type of tool that we will work with is open source tools.
All the tools we recommend in this book are free to use. Some are open source; others are commercial tools that offer a free basic edition, and most of these free editions are fully functional but limited to a certain number of devices. In addition, we will learn how to work with Kali Linux, a Linux distribution that bundles many tools for network scanning and penetration testing.
To use Kali Linux, you can install it on a dedicated machine or on a virtual machine on your PC/laptop. The following screenshot shows Kali Linux being installed in VirtualBox on a Windows 10 host:
There are many commercial tools we can use for the same purpose. Let's look at some examples.
There are various types of commercial tools available. The biggest advantage of using a commercial tool is the ease of use and technical support. Some commercial tools provide a limited free edition – in many cases, a fully functional version with a limited number of IPs or devices. We will come back to this later. For now, let's look at some information-gathering tools.
The first step in hacking into a network is to gather information about it. In many cases, connecting your laptop to the network and starting some basic tools will provide you with enough information to move forward. Let's start from the simple and obvious and continue with the tricky ones.
In this category, you have tools divided into four levels:
Let's discuss these tools one by one.
The first and most basic tools to use are network scanners. Simple scanners sweep an IP address range and report which hosts respond, which ports are open, and the hostnames they resolve to; others are considerably more sophisticated.
In the following screenshot, we can see an example of a simple scanner called Angry IP Scanner, an open source tool from https://angryip.org/:
With Angry IP Scanner, you simply configure the address range and the ports or port ranges you want to scan and click Start. Searching Google for IP scanner will give you a large number of similar tools for Windows, Linux, and macOS.
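To show what a tool such as Angry IP Scanner does under the hood, here is an added example (not the tool's own code, and not part of the original chapter) of a TCP connect scanner in Python: it completes the three-way handshake on each port, reads whatever the service says first, and reports the open ports with their banners. So that it runs offline, it scans a small constructed listener on 127.0.0.1; the banner text, the listener, and the scanned port range are assumptions made for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example, not Angry IP Scanner's or NMAP's code: a TCP connect scanner.
# Each probe completes the TCP handshake (connect), reads the service's
# first bytes (its banner, if it sends one), and closes.

def probe_port(host, port, timeout=0.5):
    """Return (port, banner) if host:port accepts a connection, else None.
    banner is '' for services that stay silent until spoken to (like HTTP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""
            return port, banner
    except (socket.timeout, OSError):
        return None          # refused, unreachable, or no answer within timeout

def scan_host(host, ports, workers=64, timeout=0.5):
    """Connect-scan the given ports concurrently; returns {open_port: banner}."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for result in pool.map(lambda p: probe_port(host, p, timeout), ports):
            if result is not None:
                found[result[0]] = result[1]
    return found

def start_local_listener(banner=b"220 demo-smtp ready\r\n"):
    """Constructed target for the demonstration: a service on 127.0.0.1 that
    greets each client with a banner (the way SMTP or FTP do) and hangs up.
    Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                   # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def scan_demo(span=5):
    """Start the listener, scan the ports around it, and return
    (listener_port, {open_port: banner})."""
    srv, port = start_local_listener()
    try:
        ports = range(max(1, port - span), port + span + 1)
        return port, scan_host("127.0.0.1", ports)
    finally:
        srv.close()

if __name__ == "__main__":
    listener, found = scan_demo()
    for p, banner in sorted(found.items()):
        print(f"127.0.0.1:{p} open  banner={banner!r}")
```

Connect scans are noisy (every open port sees a full handshake, which the target can log) but need no raw-socket privileges, which is why they work from an unprivileged account; NMAP's SYN scan (-sS) needs root precisely because it stops the handshake halfway.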
These simple scanners are usually used to see who's on the network. For smarter scanning, the most common tool is NMAP, which can be downloaded from https://nmap.org/.
Running NMAP on our PC gives us the following window:
NMAP is a lot more than a network scanner. With NMAP, we can run Layer 3 host discovery (IP and ICMP probes), Layer 4 scans such as TCP and UDP port scans, and application-level checks such as HTTP GETs, DNS queries, brute-force password guessing, and the scripts of the Nmap Scripting Engine (NSE), among others.
There are predefined scan profiles and scripts, and you can also configure scans manually. In the following screenshot, we can see these predefined choices:
In the Target bar, we fill in our target(s). A target can be configured as a single IP address, such as 10.1.1.1 or any other IPv4 address.
It can be configured as an IP address range; see the following examples:
It can also be configured to scan DNS names, such as www.ndi-com.com, www.cisco.com, and so on.
Scanning the 10.0.0.0 to 10.0.0.255 address range using the 10.0.0.0/24 target will give us the following output:
In the second result (the scan of 10.0.0.7), we have several open ports. Among them is TCP port 1027, listed with the service name IIS; that is, Microsoft Internet Information Services (originally called Internet Information Server), Microsoft's web server. Note that in a plain port scan, the service name is only a lookup of the port number in NMAP's nmap-services table, not the result of talking to the service; to confirm what is really listening, run a version scan (-sV) or connect to the port yourself, as we do next.
Browsing to http://10.0.0.7:1027 opens a TCP connection to it and sends an HTTP GET request. We can see this in the following screenshot of the Wireshark capture of the traffic to 10.0.0.7:
We will talk about Wireshark in Chapter 8, Network Traffic Analysis and Eavesdropping.
In the results, we can see that the connection to 10.0.0.7 on port 1027 is established, a GET request has been sent and acknowledged at the TCP level, and then nothing happens: the server never answers the request. We can tell that the connection stays open because of the TCP keep-alive messages that follow. In Chapter 14, Securing Web and Email Services, we will see what to do with such open connections.
The next way we can configure NMAP is to use scan options, as shown in the following screenshot:
As we can see, in the Scan tab, we have various options for TCP and UDP scans. In the tabs to the right of the Scan tab, we have the Ping tab for ICMP scans, the Target tab to make changes in the targets we scan, the Source tab for setting source addresses, the Other tab for various options, and the Timing tab for setting time variables.
You can use NMAP in Linux by using the standard Linux CLI, as shown in the following screenshot:
Here, we can see NSE scripts being run against SMB services: a brute-force attack on SMB logins and enumeration of the server's SMB capabilities. In Chapter 15, Enterprise Applications Security – Databases and Filesystems, we will talk about the NetBIOS and Server Message Block (SMB) protocols.
In this category, we have two types of tools:
Let's see what they do.
For network analysis, the most common tool is Wireshark. When you connect to a network, especially where you have permission to configure a port mirror or to place a capture point where you can see the traffic passing through, you will get a lot of information about what is happening in the network.
In the following screenshot, you can see that from a simple capture using Statistics | Conversations, we can see a lot of information about what is going on in the network:
From this capture, we can see that host 10.3.11.2 is listening on TCP port 8080, so it is probably a web proxy (1); 10.3.13.23 is listening on TCP port 80, so it is running an HTTP server (2); host 192.3.11.1 is listening on TCP port 445, so it is serving SMB (3); someone is connected to host 10.3.61.120 on port 3389 (!), so this host answers RDP (4); and 10.3.13.2 answers on port 443, so it is running an HTTPS service that can be connected to. These are inferences from the port numbers: the conversation table tells you who talks to whom, and the packet contents are what confirm what the service really is.
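As an added example (not Wireshark's code, and not part of the original chapter), the following Python script rebuilds the same kind of conversation table from a raw pcap file: it walks the pcap records, decodes the Ethernet/IPv4/TCP headers, groups packets into bidirectional conversations, and marks the endpoint that received the bare SYN as the server. The capture it parses is constructed inline from the server hosts named above; the client addresses 10.3.50.10 to 10.3.50.12 and the client ports are invented for the demonstration, and the lower-port fallback for conversations whose handshake was not captured is a heuristic of this example, not something the chapter states.

```python
import socket
import struct
from collections import defaultdict

# Added example, not Wireshark's code: a minimal pcap reader that rebuilds the
# TCP conversation table (like Statistics | Conversations) and records which
# endpoint acted as the server, i.e. received the bare SYN.
PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10

def build_packet(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame for the sample capture
    (checksums are left at zero; this data is parsed, never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a pcap global header plus per-packet record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, flags, frame_len) for each IPv4/TCP frame."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap files are handled")
    if struct.unpack_from("<I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4                  # IP header length
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, tcp[13], len(frame))

def conversations(pcap_bytes):
    """Return {(server_ip, server_port, client_ip, client_port): {"packets", "bytes"}}.
    The server is the side that received a SYN without ACK; if the capture
    missed the handshake, the lower port number is assumed to be the server."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    server_of = {}
    for src, sport, dst, dport, flags, size in iter_tcp(pcap_bytes):
        pair = frozenset({(src, sport), (dst, dport)})
        if flags & SYN and not flags & ACK:
            server_of[pair] = (dst, dport)
        stats[pair]["packets"] += 1
        stats[pair]["bytes"] += size
    table = {}
    for pair, counters in stats.items():
        server = server_of.get(pair) or min(pair, key=lambda end: end[1])
        client = next(end for end in pair if end != server)
        table[server + client] = counters
    return table

def build_sample_capture():
    """Constructed capture mirroring the hosts in the text: an HTTP session to
    10.3.13.23, an RDP session to 10.3.61.120 caught mid-stream (no handshake),
    and the start of a TLS connection to 10.3.13.2. Clients are invented."""
    return build_pcap([
        build_packet("10.3.50.10", 50500, "10.3.13.23", 80, SYN),
        build_packet("10.3.13.23", 80, "10.3.50.10", 50500, SYN | ACK),
        build_packet("10.3.50.10", 50500, "10.3.13.23", 80, ACK),
        build_packet("10.3.50.10", 50500, "10.3.13.23", 80, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n"),
        build_packet("10.3.50.11", 51000, "10.3.61.120", 3389, PSH | ACK, b"\x03\x00\x00\x0b"),
        build_packet("10.3.61.120", 3389, "10.3.50.11", 51000, ACK),
        build_packet("10.3.50.12", 52000, "10.3.13.2", 443, SYN),
        build_packet("10.3.13.2", 443, "10.3.50.12", 52000, SYN | ACK),
    ])

SAMPLE_PCAP = build_sample_capture()

if __name__ == "__main__":
    for (sip, sport, cip, cport), c in conversations(SAMPLE_PCAP).items():
        print(f"{cip}:{cport} -> {sip}:{sport}  packets={c['packets']} bytes={c['bytes']}")
```

To use it on a real capture, read the file with open(path, "rb") and pass the bytes to conversations(). The reader handles the classic pcap format with Ethernet framing, which is what tcpdump -w writes; Wireshark saves pcapng by default, so export as pcap first.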
Gathering more details and digging into these packets will give us a lot more information, as we will learn in Chapter 8, Network Traffic Analysis and Eavesdropping.
Although SNMP tools are usually used for management and control, we can use them for network and service discovery as well. There are open source tools such as MRTG, OpenNMS, Nagios, and Zabbix that we can use, and there are also commercial tools that provide limited functionality for free, and in some cases full functionality for a limited amount of time.
PRTG from Paessler gives you an unlimited license and full functionality for 30 days and then continues as a free edition limited to 100 sensors. Running it gives you a scan of the network devices and the open services running on them. An example of this can be seen in the following screenshots:
Here, you can see the network infrastructure devices that were discovered, Linux devices, and even devices that are marked as unknown. You will be surprised at how many times these unknown devices are also unknown to the system administrator.
Now that we've learned about network discovery tools, let's go deeper and find out what we can learn about the protocols that run in the network.
Protocol discovery tools are tools that discover which protocols are running on network devices, and smart protocol discovery tools show additional information about these protocols as well.
NMAP is one of the most popular tools for network scanning, and port scanning is its most basic feature. Its predefined scripts can be used for smarter scanning. In the following screenshot, you can see some ports that have been discovered on network devices:
You can see that several ports were found open on 10.0.0.7: ports 17, 1102, 7, 1032, and others. With this list, we can move on to exploitation tools and try to break into this device.
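Because the service column of a default scan is a table lookup, the next step a practitioner takes is to save the scan (nmap -oX) and pick out which open ports still need verification. The following Python script is an added example (not NMAP's code, and not from the original chapter) that parses NMAP's XML output, lists the open ports per host, and flags every service label that came from the nmap-services table (method="table") rather than from version probing (method="probed"). The XML it parses is a constructed sample in NMAP's schema that mirrors hosts 10.0.0.1 and 10.0.0.7 from the text; the versions and ports in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan). The element layout
# follows NMAP's XML schema: nmaprun / host / status, address, ports / port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/>
        <service name="http" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="7"><state state="open" reason="syn-ack"/>
        <service name="echo" method="table" conf="3"/></port>
      <port protocol="tcp" portid="1027"><state state="open" reason="syn-ack"/>
        <service name="IIS" method="table" conf="3"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service_name, verified)]} for ports NMAP
    reports as open on hosts that are up. verified is True only when the
    service name came from version probing (method="probed"); False means it
    is just the nmap-services lookup for that port number (method="table")."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                       # skip filtered, closed, open|filtered
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            verified = svc is not None and svc.get("method") == "probed"
            entries.append((port.get("protocol"), int(port.get("portid")), name, verified))
        result[addr.get("addr")] = entries
    return result

def unverified_services(parsed):
    """(ip, port) pairs whose service label is only a table guess; these are
    the ones to re-scan with nmap -sV before drawing any conclusion."""
    return [(ip, port) for ip, entries in parsed.items()
            for (_, port, _, verified) in entries if not verified]

if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, entries in scan.items():
        for proto, port, name, verified in entries:
            tag = "probed" if verified else "table lookup only"
            print(f"{ip} {port}/{proto} {name:<8} ({tag})")
    print("needs -sV:", unverified_services(scan))
```

On a real scan, run nmap -oX scan.xml against the targets and pass the file's contents to parse_open_ports(); anything returned by unverified_services() is worth a follow-up with nmap -sV -p <ports> before you treat the label (IIS on port 1027, for instance) as fact.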
Now that we've discovered the IP addresses in the network and the open TCP and UDP ports, let's see what we can do with them. For this purpose, we can use vulnerability analysis tools. We will learn about these in the next section.
First, before we look at how to discover vulnerabilities, let's see what can cause them. In this category, we have the following:
Important Note
You can search Google for hardening procedures and find them on vendor websites, such as Cisco (https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html), Juniper (https://www.juniper.net/assets/kr/kr/local/pdf/books/tw-hardening-junos-devices-checklist.pdf), and others.
In this section, we talked about vulnerability analysis; later, we will look at exploitation tools. There is a very thin line between them: in vulnerability analysis, we find the vulnerability, while in exploitation, we attack it. Take a simple example: a vulnerability scanner will discover that TCP port 80 is open on a device, that you can connect to it, and what server software answers there, while an exploitation tool will run scripts that try to take advantage of a weakness in that software and, for example, take control of the attacked system. In the rest of this section, we will talk about tools for finding and exploiting vulnerabilities in computer systems, with an emphasis on communication systems.
There are various types of vulnerability exploitation tools we can use, depending on the device and the protocol we plan to attack. Several tools can be used both for finding vulnerabilities and for exploiting them.
As general-purpose tools, we have NMAP, which we talked about in the previous section, and Nikto, which scans web servers for thousands of known issues. For web application testing, we have Burp Suite, and for gathering information about a target's domain, such as email addresses and subdomains, theHarvester, among many others. Most of these are easier to use from Kali Linux, though some also have Windows versions.
To run some of these tools, you will need basic knowledge of scripting and code. For those of you who are networking people, don't be afraid of it: only basic knowledge is required. In the following chapters, whenever scripting is required, we will provide clear and easy explanations.
Nikto is a vulnerability scanner that targets web servers: it checks for thousands of potentially dangerous files and programs, outdated server versions, and server misconfigurations. It is included in Kali Linux and can also be installed on Windows. The following screenshot shows a basic Nikto command run against www.ndi.co.il:
From the results, you can see that a Microsoft IIS/8.0 server is hosting the website, that the allowed HTTP methods are GET, HEAD, OPTIONS, and TRACE, and some information about the response headers. Nikto flags TRACE because an attacker can use it for cross-site tracing (XST): the server reflects the request headers, including cookies, back to the caller. In Chapter 14, Securing Web and Email Services, we will look at better ways to use it.
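To show what Nikto's method check does, here is an added example in Python (not Nikto's code, and not part of the original chapter) that sends an OPTIONS request, reads the Allow header, and then verifies the TRACE finding by sending a TRACE request and checking whether the server echoes a marker header back. It runs against a small constructed HTTP server on 127.0.0.1 that imitates a server with TRACE enabled; the Microsoft-IIS/8.0 banner it returns is a label for the demonstration, not a real IIS host.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not Nikto's code: advertise-then-verify check of HTTP methods.

RISKY_METHODS = {
    "TRACE": "cross-site tracing (XST): request headers are echoed back",
    "PUT": "may allow uploading files to the server",
    "DELETE": "may allow deleting resources on the server",
}

def allowed_methods(host, port, path="/", timeout=3):
    """Send OPTIONS and return (server_header, [methods]) as advertised in the
    Allow header (or Public, which some servers use instead)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow", "") or resp.getheader("Public", "")
        methods = [m.strip().upper() for m in allow.split(",") if m.strip()]
        return resp.getheader("Server", ""), methods
    finally:
        conn.close()

def findings(methods):
    """Map each advertised method that matters to why it matters."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}

def trace_enabled(host, port, timeout=3):
    """Confirm TRACE by using it: send a marker header and check whether the
    200 response body reflects it (that reflection is what XST abuses)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": "method-check"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status == 200 and b"X-Probe: method-check" in body
    finally:
        conn.close()

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target that leaves TRACE enabled; the banner is invented."""
    def version_string(self):
        return "Microsoft-IIS/8.0"          # label for the demo, not real IIS
    def log_message(self, *args):
        pass                                # keep the demo quiet
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def method_check_demo():
    """Run the check against the constructed server; returns
    (server_banner, advertised_methods, findings, trace_confirmed)."""
    srv, port = start_demo_server()
    try:
        server, methods = allowed_methods("127.0.0.1", port)
        return server, methods, findings(methods), trace_enabled("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    server, methods, risky, confirmed = method_check_demo()
    print(f"Server: {server}\nAllowed: {', '.join(methods)}")
    for m, why in risky.items():
        print(f"  {m}: {why}")
    print("TRACE confirmed by request:", confirmed)
```

Reading Allow alone gives both false positives and false negatives, since servers misreport it, which is why the script confirms TRACE by exercising it; the same two-step pattern, advertise then verify, applies to PUT and DELETE.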
Legion, which originated from SECFORCE's Sparta, is an open source network penetration testing framework that uses various scanners, including NMAP, Nikto, Hydra, and many others. Although Legion comes with more than 100 built-in scripts for penetration tests, the framework allows additional external tools to be integrated with it.
You can run Legion from the main Kali Linux menu, as shown in the following screenshot:
In the results, you can see the beautiful thing about a framework: you can run multiple tools, such as standard NMAP, Nikto, and others, from a single place:
The preceding figures show how to run Legion. You start it from the Kali Linux menu, choose 02 – Vulnerability Analysis, and then click on legion. When the application opens, you add a scan. At this point, a new window opens, and you configure it. We will see advanced usage of this application in the protocols chapters in Part 3, Network Protocols – How to Attack and How to Protect – Methodologies and Tools.
Exploitation tools are tools that have been designed to take advantage of vulnerabilities that have been discovered in network devices. In this section, we will talk about one of the most important tools in this category: the Metasploit Framework.
MSF is a platform for writing, testing, and using exploit code. It is a powerful framework that lets you write complex exploitation scripts, but it requires the know-how to do so.
First, you must understand the following terms surrounding MSF:
Kali Linux already includes Metasploit. To install it on other Linux systems, or to get the latest nightly build, run Rapid7's installer script in the shell as follows (read the script before running it, since it is fetched straight from GitHub and executed):
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall &&
chmod 755 msfinstall &&
./msfinstall
Source: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers.
To run Metasploit, type the msfconsole command in the Kali Linux shell or choose 08 – Exploitation Tools from the Kali Linux main menu and click on Metasploit Framework. Running msfconsole -q starts it in quiet mode, which suppresses the startup banner. Running it, you will get the following window, which is the start window of the framework:
MSF will be used in the upcoming chapters to test and exploit network devices and protocols.
Stress testing tools are tools that are used to test the network and network devices against several types of attacks. Let's look at them in more detail:
There are tools for each of these purposes, so let's look at some examples.
There are many open source ping tools for Windows. One popular tool for Windows (and Linux) is Nping, which can be downloaded from https://nmap.org/nping/.
In Kali Linux, Nping is installed as part of the operating system. To run it, use the following syntax:
nping [Probe mode] [Options] {target specification}
Here, we have the following:
Typing nping with no arguments prints the full list of probe modes and options that are available.
The following is an example of this:
nping -c 1 --tcp -p 80,433,25,110 www.ndi-com.com
The preceding command sends one probe to www.ndi-com.com on each of the requested ports:
Changing -c (count) to -c 4 sends four probes to each of the ports:
nping -c 4 --tcp -p 80,433,25,110 www.ndi-com.com
To generate a large amount of traffic, you can, for example, set the packet rate and increase the packet size:
nping -c 5000 -rate 500 -mtu 800 --tcp -p 80,433,25,110 10.0.0.138
In this command, we have the following:
This will give us a load that looks as follows (go to Wireshark | Statistics | IO graphs):
As we can see, we have roughly 1,000 packets per second (PPS). The reason we see 1,000 PPS although we configured 500 is that we generated 500 PPS and the destination replied at 500 PPS; adding both directions, the capture shows roughly 1,000 PPS.
You can find a good Nping manual at https://www.mankier.com/1/nping.
Although there are various tools for network analysis, the best tool for network forensics is good old Wireshark. With Wireshark (and knowledge of your network and its protocols), you can identify suspicious patterns on the network based on a very simple principle: whatever you don't know can kill your network.
In Chapter 9, Using Behavior Analysis and Anomaly Detection, we will look into abnormal behaviors and suspicious behavior patterns.
Wireshark, along with the command-line interface (CLI) capture tools – TShark (Wireshark's own CLI, available on Windows and Linux) and tcpdump (on Linux and other Unix-like systems) – provides strong analysis capabilities, and Python wrappers such as pyshark, which drives TShark from Python, can be used to automate this work.
In this chapter, we talked about common tools for scanning and information gathering, vulnerability analysis, stress tests, and exploitation. Using these tools, along with similar ones, will allow you to perform these tasks in the next chapters, as well as help you test your networks, understand the vulnerabilities you discover, and apply protection mechanisms against them.
In the next chapter, we will learn how to use the tools that we learned about in this chapter to find protocol vulnerabilities.