Hacker tools are double-edged swords. Attackers probe and slash at your enterprise with powerful weapons that find its weak spots and invade, disrupting your business and stealing critical information. Auditors and internal security staff use these same tools to find and seal those holes before the bad guys can exploit them.
Every auditor and admin knows about tools like Nessus and Nmap, mainstays of the assessment arsenal, but you're going to need more--much more. With hundreds of free tools available, where do you start? With the best and most powerful, of course.
To help get you rolling, we built a list of five must-have tools for audits, assessments and penetration tests that represent a wide range of technologies to help you probe for flaws in Web apps, authentication mechanisms and wireless LANs.
Give these tools a spin in your lab to get a feel for their capabilities, and then carefully incorporate each into your assessment methodology.
You need a solid Web server vulnerability scanner if you're going to find flaws before attackers do. Internet-facing Web apps open enormous business opportunities--and dangerous holes for malicious and criminal hackers.
In the last year, thousands of sites running vulnerable phpBB Web forum scripts, and countless others hosting the AWStats CGI script for gathering access statistics from log files, have fallen victim to attackers.
Beyond those notable examples, vulnerabilities in various Web scripts are discovered on a regular basis. To help find such flaws in your network, turn to Wikto, an impressive Web server scanning tool.
Written by Sensepost, a security services firm based in South Africa, Wikto builds on the popular command-line Nikto Web scanner Perl script with an easy-to-use Windows GUI and extended capabilities.
Like Nikto, Wikto searches for thousands of flawed scripts, common server misconfigurations and unpatched systems. Wikto adds HTTP fingerprinting technology to identify Web server types based on their protocol behaviors, even if administrators purposely disguise Web server banner information to deceive attackers. For white hats, it's a powerful inventory feature.
What's more, attackers are increasingly turning to well-crafted Google searches to look for vulnerable sites. Security researcher Johnny Long maintains the Google Hacking Database (GHDB) list of more than 1,000 Google searches that can locate vulnerable systems. Wikto can import the latest GHDB vulnerability list, and then query Google for such holes in your domain.
Web app manipulation proxy
Many custom Web apps are vulnerable to SQL injection, cross-site scripting, session cloning and other attacks. Attackers often rely on a specialized Web proxy tool designed to manipulate Web applications to reveal and exploit such flaws--and so must you.
A Web app manipulation proxy sits between the attacker's browser and the target Web server. All HTTP and HTTPS requests and responses are channeled through the proxy, which gives the attacker a window to view and alter all of the information passed in the browsing session, including any variables passed by the Web app in cookies, hidden form elements and URLs.
Paros Proxy, which runs on Windows or Linux (with a Java Runtime Environment), is the best of these proxies, chock-full of Web app assessment widgets that make it a versatile and powerful hacking tool:
- Recorder. Paros goes beyond similar tools by maintaining a thorough history of all HTTP requests and responses. Later, the attacker can review all of the actions, with every page, variable and other element recorded for detailed analysis.
- Web spider. An automated Web spider surfs every linked page on a target site, storing its HTML locally for later inspection, and harvests URLs, cookies and hidden form elements for later attack.
- Hash calculator. Attackers sometimes have a hunch about the encoding or hashing of specific data elements that are returned. Using the Paros calculator, a hacker can quickly and easily test such hunches. Paros Proxy has a GUI tool for calculating the SHA-1, MD5 and Base64 value of any arbitrary text typed in by its user or pasted from an application.
- SSL-buster. While most other Web app attack and assessment proxies handle server-side SSL certificates, Paros can also probe apps that require client-side SSL certificates.
Paros also includes automated vulnerability scanning and detection capabilities for some of the most common Web application attacks, including SQL injection and cross-site scripting. Paros even scans for unsafe Web content, such as unsigned ActiveX controls and browser exploits sent by the target Web server.
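As an added illustration (not Paros code and not part of the original article), the following Python script does in miniature what the recorder and spider expose: it pulls the cookies, hidden form fields and URL variables out of a single HTTP response, here a constructed sample page for a hypothetical shop. Every value in that inventory can come back from the browser altered through a proxy, so the same list doubles as the checklist of inputs the server must re-validate.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urljoin, urlparse

class _StateHarvester(HTMLParser):
    """Collect hidden form fields and link/form targets from an HTML body."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hidden, self.links = base_url, {}, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""
        for attr in ("href", "action"):
            if a.get(attr):
                self.links.append(urljoin(self.base_url, a[attr]))

def harvest_client_state(url, headers, body):
    """Return every value the app hands the browser that the browser may hand back changed."""
    cookies = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            cookies.update({k: m.value for k, m in jar.items()})
    parser = _StateHarvester(url)
    parser.feed(body)
    url_params = {k: v for link in parser.links for k, v in parse_qsl(urlparse(link).query)}
    return {"cookies": cookies, "hidden_fields": parser.hidden,
            "url_params": url_params, "links": parser.links}

# Constructed sample response for a hypothetical shop (not captured from any real site).
SAMPLE_URL = "http://shop.example.test/checkout"
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "session=abc123; Path=/"),
                  ("Set-Cookie", "role=customer; Path=/")]
SAMPLE_BODY = """<html><body>
<form action="/pay" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
</form>
<a href="/account?user=1001&amp;tab=orders">My account</a>
</body></html>"""

if __name__ == "__main__":
    for kind, values in harvest_client_state(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(kind, values)   # each of these is client-controlled and needs a server-side check
```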
Cain & Abel
Cain & Abel is a password-cracking juggernaut that runs on Windows. This amazing software, created by Massimiliano Montoro, features more than a dozen different useful capabilities for cracking passwords and various encryption keys.
For starters, Cain can dump and reveal various encrypted or hashed passwords cached on a local Windows machine, including the standard Windows LANMAN and NTLM password representations, as well as application-specific passwords for Microsoft's Outlook, Internet Explorer and MSN Explorer. Organizations can use Cain to test individual passwords and the effectiveness of their password policies.
Cain & Abel can crack passwords for over a dozen different OS and protocol types. Just for the Windows operating system alone, Cain handles the LANMAN and NTLM password representations in the SAM database, as well as Windows network authentication protocols such as LANMAN Challenge and Response, NTLMv1, NTLMv2 and Microsoft Kerberos. Its integrated sniffer monitors the LAN, grabbing challenge-and-response packets and cracking passwords using a built-in dictionary of more than 306,000 words.
Beyond Windows passwords, Cain also cracks various Cisco passwords, routing protocol hashes, VNC passwords, RADIUS Shared Secrets, Win95/98 Password List (PWL) files, and Microsoft SQL Server 2000 and MySQL passwords. It can also crack IKE preshared keys in order to penetrate IPSec VPNs that use IKE to exchange and to update their cryptography keys.
Beyond password cracking, Cain includes a wireless LAN discovery tool, a hash calculator and an ARP cache-poisoning tool (which can be used to redirect traffic on a LAN so that an attacker can more easily sniff in a switched environment)--all bound together in a sophisticated GUI.
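An added example, not from Cain and not part of the original article, showing the defensive side of the ARP cache-poisoning feature: a small monitor that reads the ARP replies observed on a segment (a constructed sample below) and flags the two tell-tale signs of poisoning, an IP address whose MAC changes and a single MAC claiming several IP addresses.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one segment: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway answers with its own MAC
    (1.0, "10.0.0.50", "00:11:22:33:44:50"),   # a workstation
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),
    (3.0, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),    # gateway's IP suddenly claimed by another MAC
    (3.5, "10.0.0.50", "AA:BB:CC:DD:EE:FF"),   # ...which also claims the workstation's IP
    (4.0, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
]

def detect_arp_poisoning(replies):
    """Return alert strings for IP-to-MAC changes and for one MAC claiming several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts:.1f}s: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        first_time = ip not in mac_to_ips[mac]     # alert once per new (MAC, IP) pairing
        mac_to_ips[mac].add(ip)
        if first_time and len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts:.1f}s: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

A gateway failover or a reused DHCP lease also trips the first rule, so compare alerts against known-good bindings (and a switch's port-security or dynamic ARP inspection logs) before acting on them.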
Windows configuration harvester
Windows systems contain a treasure trove of sensitive configuration information that's accessible in a variety of ways. Attackers and assessment teams typically extract as much information as possible from Windows systems to help refine and augment their vulnerability scans.
Winfingerprint, written by Vacuum, is an invaluable tool for harvesting Windows configuration information, using a variety of mechanisms, including Windows domain access, Active Directory and Windows Management Instrumentation (WMI), Microsoft's comprehensive framework for analyzing system configurations.
Winfingerprint pulls lists of users, groups and security settings from a single Windows machine or a network range. The tool also grabs information about the local hard drives of target machines, local system time and date, registry settings, and event logs.
Rounding out its features, this handy tool includes a Simple Network Management Protocol (SNMP) scanner, as well as a TCP and UDP port scanner, all accessible from a single GUI.
Passive WLAN detector
While numerous tools detect wireless LANs, one of the very best is Wellenreiter. Traditional war driving tools, such as the popular NetStumbler, send a barrage of probe request packets to find wireless access points. But, NetStumbler can't locate an access point that's configured to ignore probe requests from clients that don't know the WLAN SSID.
Max Moser's Wellenreiter can.
Wellenreiter is completely passive; instead of sending probe requests, it puts a wireless card into so-called "rfmon mode," so that it sniffs wireless traffic, capturing all data sent, including the entire wireless frames of all packets with their associated SSIDs, displaying the discovered access points in its GUI. It then listens for ARP or DHCP traffic to determine the MAC and IP addresses of each discovered wireless device.
Wellenreiter can store wireless packets in a tcpdump or Ethereal packet capture file for later detailed analysis. An attacker or wireless penetration tester can fire up Wellenreiter, let the tool run passively for an hour or so, and return to find a nifty inventory of nearby wireless devices. It can also interface with GPS devices, storing the physical location of each war-driving computer when wireless LANs are detected.
Wellenreiter runs on Linux and supports Prism2, Lucent and Cisco wireless cards.
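To show what "completely passive" buys, here is an added example (not Wellenreiter's code and not part of the original article) that decodes constructed 802.11 management frames: an access point that hides its SSID still sends beacons, just with an empty SSID element, and the name appears in the clear the moment a client associates, so a listener that never sends a probe request can still complete the inventory. The frames are built inline as sample data, not a real capture, and the parser only reads the header and the SSID element.

```python
SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
FIXED_LEN = {8: 12, 5: 12, 0: 4}   # fixed fields that precede the IEs, per subtype
def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body):
    """Walk tag/length/value information elements; return {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies

def parse_mgmt_frame(frame):
    """Decode the BSSID and SSID element (tag 0) of one 802.11 management frame."""
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:
        return None                                  # only type 0 (management) frames
    subtype = fc >> 4
    body = frame[24 + FIXED_LEN.get(subtype, 0):]    # 24-byte header, then fixed fields
    ssid_raw = parse_ies(body).get(0, b"")
    hidden = ssid_raw == b"\x00" * len(ssid_raw)     # empty or all-NUL SSID means "hidden"
    return {"subtype": SUBTYPES.get(subtype, "other"), "bssid": _mac(frame[16:22]),
            "ssid": None if hidden else ssid_raw.decode(errors="replace")}

def passive_inventory(frames):
    """Map BSSID -> SSID; a hidden SSID is filled in once a client names it."""
    aps = {}
    for f in map(parse_mgmt_frame, frames):
        if f is None or f["subtype"] in ("probe-req", "other"):
            continue                                 # a client's broadcast probe names no AP
        if aps.get(f["bssid"]) is None:
            aps[f["bssid"]] = f["ssid"]
    return aps

def _frame(subtype, da, sa, bssid, ssid):
    """Build a constructed management frame (sample data, not a real capture)."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + da + sa + bssid + b"\x00\x00"
    return hdr + b"\x00" * FIXED_LEN.get(subtype, 0) + bytes([0, len(ssid)]) + ssid

AP1, AP2 = bytes.fromhex("001122aabb01"), bytes.fromhex("001122aabb02")
CLIENT, BCAST = bytes.fromhex("00aabbccdd03"), b"\xff" * 6
SAMPLE_FRAMES = [
    _frame(8, BCAST, AP1, AP1, b"corp-guest"),      # beacon, SSID broadcast
    _frame(8, BCAST, AP2, AP2, b""),                # beacon from an AP hiding its SSID
    _frame(4, BCAST, CLIENT, BCAST, b""),           # client's broadcast probe request
    _frame(0, AP2, CLIENT, AP2, b"corp-secure"),    # client associates, naming the hidden SSID
]
print(passive_inventory(SAMPLE_FRAMES))   # {'00:11:22:aa:bb:01': 'corp-guest', '00:11:22:aa:bb:02': 'corp-secure'}
```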
About the author:
Ed Skoudis, CISSP, is cofounder of the security consultancy Intelguardians and author of Malware: Fighting Malicious Code and Counter Hack Reloaded, the soon-to-be-released update to his best-selling book, Counter Hack. Send your thoughts on this article to firstname.lastname@example.org.