Literally thousands of tools—both commercial and open source—are available to professionals who need to assess their network's security. The trick is having the right tool for the job when you need it and being able to trust it. To help you narrow the field, I offer descriptions of my 10 favorite free network security assessment tools.
Network security assessment consists of four fundamental phases: reconnaissance, enumeration, assessment, and exploitation. The reconnaissance phase involves discovery of the network devices through alive scanning via Internet Control Message Protocol (ICMP) or TCP. During the enumeration and assessment phases, the security assessor determines whether a service or application is running on a particular host and assesses it for potential vulnerabilities. In the exploitation phase, the assessor leverages one or more vulnerabilities to gain some level of privileged access to the host and uses this access to further exploit the host or to escalate privilege on that host or throughout the network or domain.
The tried-and-true Network Mapper (Nmap) tool was written several years ago and is continually enhanced by Fyodor. I'd call Nmap the network security expert's Swiss army knife because it's such a useful tool. You can use Nmap in the reconnaissance phase to perform "alive scans" in a number of ways to determine which hosts on a given network are online. Nmap is also useful for router ACL or firewall rule discovery via ACK (acknowledgement) flag probe scanning and other techniques.
You can use Nmap in the enumeration and assessment phases for scanning ports, listing services and their version numbers, and fingerprinting OSs. Nmap is a great tool for digging deeper into automated scanning tool results or verifying them. Nmap was originally developed for the UNIX environment but has also become available for the Windows platform in recent years (although UNIX purists would scoff at the thought of using Nmap on anything but *IX). Nmap is open source and available free from a variety of sites, the primary one being http://www.insecure.org/nmap.
One of the most challenging aspects of vulnerability assessment is the assessment part. After you've figured out which hosts are alive and which services they're running (this is the easy part), how do you determine whether a specific service is vulnerable? For Web services, one tool that works well is the N-Stealth Security Scanner by N-Stalker. N-Stalker sells a more comprehensive version of N-Stealth, but the free trial version works well for most basic assessment needs. The fee version includes a whopping 30,000+ Web server security checks, but the free version provides more than 16,000 specific vulnerability checks, including checks for the SANS Top 20 vulnerabilities for popular Web servers such as Microsoft IIS and Apache. For example, N-Stealth checks for vulnerable Common Gateway Interface (CGI) and Hypertext Preprocessor (PHP) scripts, SQL injection attacks, common cross-site scripting, and other vulnerabilities in popular Web servers.
N-Stealth supports both HTTP and HTTP Secure (HTTPS—using SSL), provides vulnerability correlation to the Common Vulnerabilities and Exposures (CVE) dictionary and Bugtraq vulnerability database, and provides some decent reporting options. I use N-Stealth to uncover the most common vulnerabilities on Web servers and then determine the most likely exploits. You can get more information about N-Stealth at http://www.nstalker.com/eng/products/nstealth. Of course, if you're thinking serious Web site and application security assessment, I recommend the fee version or a product such as WebInspect from SPI Dynamics.
SNMP is a well-known, widely used, and completely insecure protocol that runs over UDP port 161. Cisco Systems router, Windows server—chances are it supports SNMP and is, at best, minimally secured by requiring a commonly known clear-text community string for read and read/write access. When you want to assess SNMP security (what there is of it) on a network, it's great to have a tool such as SNMPWalk that lets you query network devices running SNMP for important information. It uses a simple SNMP query to find out whether your SNMP devices are giving away the keys to the kingdom. For example, a well-known default SNMP community string for Cisco routers is "ILMI". Using this string with SNMPWalk targeting Cisco routers can reveal a gold mine of information that allows complete control over a network's router infrastructure if a certain key piece of information is stored in the Cisco Management Information Base (MIB).
SNMPWalk is an open-source tool that was part of the Net-SNMP project at Carnegie Mellon University in the early 1990s when SNMP was first deployed. SNMPWalk uses an SNMP get-next request to retrieve SNMP MIB subtree management values (denoted in Abstract Syntax Notation—ASN). As I mentioned, authentication for read access to a device requires nothing more than a string value that's well-known or can be fairly easily sniffed from the network. SNMPWalk is available for both UNIX and Windows platforms at http://net-snmp.sourceforge.net.
One of the more complex network security tests that you might want to perform is to emulate the hacker threat by finding ways to bypass one or more defense-in-depth measures. One example of a bypass technique in the assessment or exploitation phase is port forwarding or redirection, and Fpipe from Foundstone (a division of McAfee) is a great free tool for this. To get around router ACLs, firewall rules, or other security mechanisms, it's sometimes possible to access a particular service running on a port by redirecting, or tunneling, traffic to your desired TCP port through another TCP port.
As a simplistic example, suppose you have a router between subnets that allows only HTTP traffic to TCP port 80 through. However, you want to connect to a host running Telnet (TCP port 23) on the other subnet and you've already compromised another host on the same subnet as the host running Telnet. A port forwarder such as Fpipe lets you create a TCP or UDP "stream" that encapsulates traffic for TCP port 23 in packets that are identified as TCP port 80 packets. These packets then traverse the router that allows TCP port 80 traffic and are received by the compromised host running Fpipe or another port forwarder. This port forwarder strips off the disguise and forwards the TCP port 23 traffic to its intended host.
You could also use Secure Shell (SSH) or Netcat (see description below) to do port forwarding or redirection, but I like Fpipe because it's well-documented, easy to use, and free. You can download the latest version of Fpipe at http://www.foundstone.com.
SQL server vulnerabilities in products such as Microsoft SQL Server, Oracle Database, and Oracle Application Server have become quite numerous over the last few years, the most notable being the SQL Slammer worm in 2003 (described at http://www.cert.org/advisories/CA-2003-04.html). When you want to assess SQL Server hosts for potential vulnerabilities, there hasn't been a comprehensive tool for enumerating SQL Server instances and their version numbers and doing so accurately. All too often, tools incorrectly identify the SQL Server version because they grab information from ports (e.g., TCP port 1433, UDP port 1434), which often incorrectly show the SQL Server version.
Recently arrived on the scene is SQLRECON, which you can download from Special Ops Security at http://specialopssecurity.com/labs/sqlrecon. SQLRECON scans a network or host to identify all the SQL Server and Microsoft SQL Server Desktop Engine (MSDE) installations. The great thing about the tool is that it combines several known methods of SQL Server/MSDE enumeration and discovery into one utility. Once you have good information about the SQL Servers (and their versions) on your network, you can begin to determine potential vulnerabilities. SQLRECON isn't a vulnerability scanner but rather a discovery tool that makes the network security assessor's job a whole lot easier. Now we need a tool for Oracle ... .
For a Windows guy who also dabbles in Linux, it really comes in handy to have a comprehensive (and free) tool that enumerates all kinds of information about a Windows system. The Enum tool is exactly that tool. The command-line console-based utility reports a lot of great Win32 information about a host through NetBIOS running on TCP port 139. Using null or authenticated sessions, Enum can retrieve user lists, machine lists, share lists, group and member lists, and password and Local Security Authority (LSA) policy information. Enum is also capable of a rudimentary brute-force dictionary attack on individual local accounts. Figure 1 shows the many details about a given Windows host that are available remotely via Enum. You can download Enum (along with some other great tools, such as Pwdump2 and LSAdump2) from BindView at http://www.bindview.com/services/razor/utilities.
Most of you are familiar with the many great tools and resources provided by Sysinternals. From a security assessment perspective, the PsTools suite is perhaps the most useful. Named after the UNIX ps (process listing) command-line tool, PsTools is a collection of tools that fill the gaps left by the standard Windows OS command-line tools and the Windows resource kit tools. PsTools are particularly useful for both remote and local system assessment and exploitation.
After you've exploited a host vulnerability, PsTools are a huge help in remotely manipulating a system and allowing you further exploitation such as privilege escalation. For example, if you've exploited a host and gained local administrator access but you want to escalate your privilege to the domain administrator who's currently logged on, PsTools can help you through such features as remote shutdown and process kill.
PsExec is perhaps my favorite of the PsTools. It allows someone with local administrator access (via an authenticated network connection) to remotely execute programs on a system. My favorite operation is to use PsExec to run cmd.exe on a remote system, giving me a remote command-line prompt to the system with administrator privileges (PsExec doesn't obtain these privileges for you—you have to get them some other way). For more information about PsExec, see Windows Power Tools, "PsExec," July 2004, InstantDoc ID 42919.
Other favorites include PsList, which lets you list all processes running on a remote system and PsKill, which lets you kill individual processes running on a remote system. For more information about these tools, see Windows Power Tools, "PsList and PsKill," September 2004, InstantDoc ID 43569. Besides security assessment, the PsTools suite is quite useful simply for performing many administrator functions remotely from the command line (which is probably more the authors' intention). You can get PsTools (along with many other awesome resources) at the Sysinternals Web site at http://www.sysinternals.com/utilities.html.
Although many know about Netcat because of its use as a back door that allows attackers access to a system (an exploitation feature), Netcat isn't as well known for its capabilities as a tool to perform enumeration and assessment, as well as other important operations that are part of traditional network security assessment. Developed more than 10 years ago for UNIX and ported to Windows in 1998, Netcat is an extension of the UNIX
In addition to using Netcat as a back-door tool, you can use it for grabbing banners (such as Telnet, SMTP, and FTP banners), "piping" files and data, port scanning, remote service and port enumeration, and many other creative functions. Every time I turn around, someone is showing me new ways that I hadn't thought of to use Netcat. I use it most frequently for port fuzzing (connecting to a TCP port and poking around to see what I can learn) and shell-shoveling (piping a command prompt from a target host back to me—a poor man's reverse shell).
Download the Windows version of Netcat at http://www.vulnwatch.org/netcat, and read http://www.vulnwatch.org/netcat/ readme.html to learn more than you ever wanted to know about the tool. Learn still more at "Netcat," Security Administrator, September 2003, InstantDoc ID 39680.
9. John the Ripper
Most people have heard of the L0phtCrack password-cracking and -audit tool originally developed by The Cult of the Dead Cow (don't ask) and now owned and maintained by @stake (recently acquired by Symantec). I prefer John the Ripper, a simple, high-performance password cracker available for many platforms (including Windows) that grew out of the well-known UNIX Crack tool. John can detect system characteristics and capabilities that allow it to optimize performance. In my experience, John runs circles around other crackers such as L0phtCrack in terms of tries per second (LC5—the current version of L0phtCrack—is supposedly greatly improved over previous versions, but you have to pay for it).
Also, John doesn't crack just Windows (LAN Manager and NT LAN Manager—NTLM) password hashes but out of the box cracks any password hashes that use DES (standard, single, extended), MD5, Blowfish, or Andrew File System (AFS) ciphertext or hash formats. John used in conjunction with a dictionary file (numerous such files are available containing most any language known in the galaxy—even Wookie and Klingon) is a can't-live-without-it tool for password cracking and audit (which every company should be doing regardless of how strong its password policy is). You can get John the Ripper at http://www.openwall.com/john or http://www.securiteam.com/tools/3X5QLPPNFE.html.
10. The Metasploit Framework
Wouldn't it be nice to have an easy-to-use exploit platform that contained the most recent exploits, featured an auto-update capability, and was extensible via a well-known language such as Perl? Yes, but ... . It's scary (and somewhat irresponsible) that someone would provide such a capability to the masses for free—it just calls out to script kiddies everywhere (roughly similar to offering a nuclear suitcase on eBay). However, I'll concede that having a tool such as the Metasploit Framework is beneficial for network security assessors emulating threats (if Pandora's box has been opened, the good guys should have the same tools as the bad guys).
The Metasploit Framework was introduced about 2 years ago as a research project by the well-known security researchers H.D. Moore and spoonm. The project's goals were half noble: to further security research and provide a resource for exploit developers. I use the Metasploit Framework (with care and with prior testing in a lab environment) as an exploitation tool for security assessments.
Metasploit is a Perl script–based engine that allows you to select from a myriad of exploits for a variety of platforms and applications (more than 75 exploits and 75 payloads and growing at the time of this writing). In addition to giving you a selection of exploits for known vulnerabilities, Metasploit lets you select the specific payloads that you'd like to send with the exploits. For example, if you want to exploit a system that has the SQL Slammer vulnerability, as mentioned in the SQLRECON section above, you can choose how you want to manipulate the vulnerable system: by creating a Win32 Bind shell connection, by sending back a Win32 Reverse shell, by simply running a remote command, by injecting a rogue Virtual Network Computing (VNC) server DLL into an exploited running process, or by some other means. Since the Metasploit Framework is also extensible via Perl modules, you can write your own exploits, plug them into the framework and use an existing applicable payload. Figure 2 shows the easy-to-use Metasploit Web interface listing the available exploits.
I recommend that you approach the Metasploit Framework with caution and use it only to demonstrate specific vulnerabilities during your network security assessment. You can download the Metasploit Framework at http://www.metasploit.com. Nessus (http://www.nessus.org) is another popular vulnerability scanner and exploit platform that has been around for years and is worth a look.
I've attempted to do the somewhat impossible—provide a list of the most popular free tools available to aid in network security assessment. It's difficult at best to choose just 10 tools—there are many tools for the job. If what I've recommended doesn't work for you, there are bound to be other, comparable free tools you can try. Or you can look into commercial tools, which are often more fully developed or have better support models than free tools do. I hope you've come away with some new knowledge about tools that you can leverage. Even if you learned about only one new great tool, this article was probably worth the read!