This article can also be found in the Premium Editorial Download "Information Security magazine: Dollars and sense: Getting the security budget you need -- and spending it wisely."
A real hacker thinks outside the box and learns to use tools in ways they may not have been intended. While the Google search engine is not, strictly speaking, an auditing tool, it's great for gathering information about a site. For example, try entering "@mycompany.com" (where "mycompany" is your domain). Sometimes this can yield some good data, such as a system administrator posting technical details about his site, conveniently including his account name. Google is like the Unix "grep" command on steroids.
Utility tools are single-purpose tools that are either native to the operating system or freely available. They require a manual approach, though they are often included in customized scripts--or even commercial products.
Pros: Utility tools are freely available and are tightly focused for a specific task, making them more efficient.
Cons: They require skill to use. For a large audit, manual testing is time-consuming and may produce inconsistent results, depending on the skill of the auditor. For example, a skilled auditor using a manual approach may find 25 vulnerabilities on one system, while his partner finds only five on another because he didn't run the same utilities or misinterpreted the results. Examples include native utilities, such as:
- ping: available on most platforms, used to determine if a network target responds to ICMP packets.
- Traceroute: a network tracing utility used to determine the network route to a host.
- nslookup: used to determine domain ownership.
And open-source scripts, including:
- Nmap: Free port-scanning utility.
- Crack: Popular password-cracking tool used to determine if passwords are weak by attempting to break them.
- John the Ripper: A password-cracking tool used primarily to discover Unix passwords.
- binfo.c: A BIND version checker; a quick little script that pulls back the version of named running on a remote name server.
- ghba.c: A handy tool for extracting all the machine names and IP addresses of a given class B or C subnet.
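Because the Cons paragraph above blames inconsistent results on auditors running different utilities or reading their output differently, here is an added example (not from the article) of the kind of customized script the utility-tools paragraph mentions: it runs the native utilities named in the list (ping, traceroute, nslookup) with fixed options over a host list and normalizes their output, so two auditors produce comparable records. The option values and the output parsers assume Linux/BSD-style ping, traceroute and nslookup output; the host list is constructed. None of this comes from the article.

```python
"""Consistent utility-tool runs for a host audit (hypothetical example)."""
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Fixed commands: the same options for every host and every auditor.
# Assumption: Linux-style option syntax for ping and traceroute.
COMMANDS = {
    "ping": ["ping", "-c", "3", "-W", "2"],      # 3 echo requests, 2 s reply timeout
    "traceroute": ["traceroute", "-m", "15"],    # at most 15 hops
    "nslookup": ["nslookup"],
}


@dataclass
class HostResult:
    host: str
    raw: Dict[str, str] = field(default_factory=dict)      # tool -> raw output or skip reason
    summary: Dict[str, dict] = field(default_factory=dict)  # tool -> parsed, comparable values


def parse_ping(output: str) -> dict:
    """Extract transmitted/received counts from ping's summary line."""
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", output)
    if not m:
        return {"responds": False, "sent": 0, "received": 0}
    sent, received = int(m.group(1)), int(m.group(2))
    return {"responds": received > 0, "sent": sent, "received": received}


def parse_traceroute(output: str) -> dict:
    """Count hop lines (lines that start with a hop number); the header line is skipped."""
    hops = [line for line in output.splitlines() if re.match(r"^\s*\d+\s", line)]
    return {"hops": len(hops)}


def parse_nslookup(output: str) -> dict:
    """Collect answer addresses, ignoring the resolver's own Address line in the Server block."""
    addresses = []
    past_server = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            past_server = True
        elif past_server and line.startswith("Address"):
            addresses.append(line.split(":", 1)[1].strip())
    return {"addresses": addresses}


PARSERS = {"ping": parse_ping, "traceroute": parse_traceroute, "nslookup": parse_nslookup}


def run_tool(name: str, host: str, timeout: int = 60) -> Tuple[str, bool]:
    """Run one utility; return (output, ok). A missing tool is recorded, never silently skipped."""
    if shutil.which(name) is None:
        return f"{name}: not installed on auditor workstation", False
    try:
        proc = subprocess.run(COMMANDS[name] + [host], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return f"{name}: timed out after {timeout}s", False
    return proc.stdout + proc.stderr, True


def audit_host(host: str) -> HostResult:
    """Run every tool in COMMANDS against one host and keep raw plus parsed results."""
    result = HostResult(host)
    for name in COMMANDS:
        output, ok = run_tool(name, host)
        result.raw[name] = output
        result.summary[name] = PARSERS[name](output) if ok else {"error": output}
    return result


if __name__ == "__main__":
    import json
    for h in ["localhost"]:  # constructed host list; replace with the audit scope
        r = audit_host(h)
        print(json.dumps({"host": r.host, "summary": r.summary}, indent=2))
```

Keeping the raw output alongside the parsed summary matters: the summary makes two auditors' runs comparable, while the raw text lets a reviewer check whether a parser, rather than the target, produced an odd result.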
Scanners are multifunction bundled utilities intended to streamline and automate parts of the audit process. While some are open-source packages, many are commercial products with custom vulnerability databases.
Pros: Automated tools scan for vulnerabilities against a database. Alerts may be tied into help desk monitoring tools. In some cases, a scanning tool may be integrated with a firewall or intrusion detection management station. Some commercial scanners produce excellent reports detailing exposures and associated risk.
Cons: Scanners only check for vulnerabilities in their database, which must be current. Many scanners are marketed on the number of vulnerability checks performed. This isn't always a good indication of the tool's effectiveness. A computer program has no intuition and only does what it's programmed to do. Often, vulnerabilities are misdiagnosed. A scanner can't accurately assess risk. That's what the auditor is supposed to do.
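To make the database caveat concrete, here is an added example (not from the article or from any of the products it names) of the banner-matching check a scanner runs, of the same kind as the BIND version check binfo.c performs. The database, its version ranges and its issue identifiers are all constructed placeholders, and the banner format assumed is a version.bind TXT answer such as "9.2.1". The example shows that a check reports nothing for a version with no database entry (which is not the same as "clean"), that comparing versions as strings misdiagnoses a fixed release, and that a hidden banner leaves the host unverified.

```python
"""Banner-matching check against a vulnerability database (hypothetical example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DbEntry:
    product: str
    affected_min: str   # inclusive version range; constructed values
    affected_max: str
    issue_id: str       # placeholder, not a real advisory identifier


# Constructed database. A real scanner ships thousands of entries and is only
# as good as the most recent update it received.
VULN_DB: List[DbEntry] = [
    DbEntry("BIND", "8.0.0", "8.2.2", "EXAMPLE-ISSUE-001"),
    DbEntry("BIND", "9.0.0", "9.2.0", "EXAMPLE-ISSUE-002"),
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'9.10.0' -> (9, 10, 0), so components compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_bind_banner(banner: str) -> Optional[str]:
    """Pull a dotted version out of a version.bind answer ('9.2.1', '"9.16.1-Ubuntu"').
    Returns None when the administrator has hidden or rewritten the banner."""
    m = re.match(r'^\s*"?(\d+(?:\.\d+)+)', banner)
    return m.group(1) if m else None


def naive_match(version: str, db: List[DbEntry] = VULN_DB, product: str = "BIND") -> List[str]:
    """The misdiagnosing check: string comparison of versions.
    '9.10.0' sorts between '9.0.0' and '9.2.0' as text, so a newer release is flagged."""
    return [e.issue_id for e in db
            if e.product == product and e.affected_min <= version <= e.affected_max]


def numeric_match(version: str, db: List[DbEntry] = VULN_DB, product: str = "BIND") -> List[str]:
    """Correct check: compare version components as integers."""
    v = version_tuple(version)
    return [e.issue_id for e in db
            if e.product == product
            and version_tuple(e.affected_min) <= v <= version_tuple(e.affected_max)]


def scan(banner: str, db: List[DbEntry] = VULN_DB) -> dict:
    """One scanner check. 'no database match' means exactly that, not that the host is safe;
    risk assessment is still the auditor's job."""
    version = parse_bind_banner(banner)
    if version is None:
        return {"status": "unverified", "reason": "banner hidden or unparseable", "findings": []}
    findings = numeric_match(version, db)
    return {"status": "findings" if findings else "no database match",
            "version": version, "findings": findings}


if __name__ == "__main__":
    for banner in ['"8.1.2"', '"9.2.1"', '"9.10.0"', "not available"]:
        print(banner, "->", scan(banner))
    print("naive check on 9.10.0:", naive_match("9.10.0"))
```

The `naive_match` function is kept alongside the correct one on purpose: the article's point that "vulnerabilities are misdiagnosed" often comes down to exactly this kind of comparison bug inside a check, which the auditor only catches by reading the raw banner.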
Open-source power tools include:
- Nessus: Free, open-source package written by Renaud Deraison. Nessus is surprisingly comprehensive.
- SARA: The Security Auditor's Research Assistant is a descendant of COPS (later SATAN), one of the first packaged vulnerability scanners.
- Whisker: A comprehensive utility for checking a Web site for vulnerable CGI scripts. It's intuitive and checks for CGIs based on the remote operating system.
- Hping2: A network tool that supports TCP, UDP, ICMP and RAW-IP protocols. It has a traceroute mode, the ability to send files over a covert channel and many other features.
Among the commercial scanners available:
- Internet Security Systems' Internet Scanner: Provides good reporting mechanisms along with a comprehensive vulnerability database.
- eEye Digital Security's Retina: Uses artificial intelligence to emulate hacker methods.
- BindView's BV-Control: Cross-platform products that proactively detect and correct security problems.
- CORE Security Technologies' Auditing Tools Suite: Centralizes logging and reporting to help manage security information by presenting data in a graphical format.
- Foundstone's FoundScan: Available as a software package or as a managed vulnerability assessment subscription service.
For a more complete list, see Unix Host and Network Security Tools, a dated but good resource, and Quality Security Tools, which lists the top 50 security tools as rated by a survey of Nmap users.
This was first published in March 2003