Monday 20 January 2014

NETWORK SECURITY SCANNING TOOLS

Vulnerability scanning of a network needs to be done both from within the network and from outside it (from both “sides” of the firewall). The approach I would suggest is to start with the network evaluation phase, where sniffing and initial attacks are performed. The gathered data is then used in the attack phase to exploit the exposed vulnerabilities.

Wireshark (http://www.wireshark.org)
The very first step in a vulnerability assessment is to get a clear picture of what is happening on the network. Wireshark (previously named Ethereal) puts the network interface into promiscuous mode to capture all traffic on the broadcast domain.

Customised filters can be set to capture specific traffic; for example, the communication between two IP addresses, or UDP-based DNS queries on the network. Traffic can be dumped into a capture file for later review, and additional filters can be applied during that review.

Typically, the tester is looking for stray IP addresses, spoofed packets, unnecessary packet drops, and suspicious packet generation from a single IP address. Wireshark gives a broad and clear picture of what is happening on the network.

However, it has no intelligence of its own and should be treated as a data provider. Thanks to its good GUI, anyone with even basic networking knowledge can use it.

Nmap (http://nmap.org)
This is probably the only tool that has remained popular for almost a decade. The scanner can craft packets and perform scans at a granular TCP level, such as SYN scans and ACK scans. It has built-in signature-matching algorithms to guess the OS and version from network responses such as the TCP handshake.

Nmap is effective at detecting remote devices, and in most cases correctly identifies firewalls and routers, including their make and model. Network administrators can use Nmap to check which ports are open, and whether those ports can be exploited further in simulated attacks. The output is plain text and verbose; hence the tool can be scripted to automate routine tasks and to gather evidence for an audit report.

You can read the series of Nmap articles published earlier for better understanding.
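Scripting Nmap's output, as mentioned above, is easiest from its XML format (`-oX`). The following added example (mine, not from the original article or the Nmap project) parses a constructed sample of that XML into an audit table of open ports per host and flags services a constructed policy forbids; the sample addresses and the `DISALLOWED` set are assumptions.

```python
# Added example (not from the original article): turn Nmap's XML output (-oX)
# into an audit-ready list of open ports and flag services a policy forbids.
import xml.etree.ElementTree as ET

# Constructed sample of the XML Nmap writes with `nmap -sV -oX scan.xml ...`,
# trimmed to the elements read below. No scan is run by this script.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="6.2"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

# Services the (constructed) audit policy does not allow on this network.
DISALLOWED = {"telnet", "ftp", "rpcbind"}

def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, banner), ...]} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no port evidence
        findings = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposed services
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            findings.append((int(port.get("portid")), port.get("protocol"), name, banner))
        hosts[addr.get("addr")] = sorted(findings)
    return hosts

def policy_violations(hosts, disallowed=DISALLOWED):
    """(ip, port, service) for every open port running a forbidden service."""
    return [(ip, p, s) for ip, fs in sorted(hosts.items()) for p, _, s, _ in fs if s in disallowed]

def report_csv(hosts):
    """CSV rows that can be attached to an audit report as evidence."""
    rows = ["host,port,proto,service,banner"]
    rows += [f"{ip},{p},{pr},{s},{b}" for ip, fs in sorted(hosts.items()) for p, pr, s, b in fs]
    return "\n".join(rows)

if __name__ == "__main__":
    print(report_csv(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Running the same parser over successive scans and diffing the CSV rows is a cheap way to spot ports that have newly appeared between audits.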

Metasploit (http://www.metasploit.com)
Once sniffing and scanning are done with the above tools, it’s time to move to the OS and application level. Metasploit is a fantastic, powerful open source framework that performs rigorous scans against a set of IP addresses.

Unlike many other frameworks, it can also be used for anti-forensics. Expert programmers can write code exploiting a particular vulnerability and test it with Metasploit to see whether it gets detected. The process can also be reversed: when a virus attacks using some unknown vulnerability, Metasploit can be used to test the patch for it.

While this is a commercial tool, I have mentioned it here because the community edition is free, yet makes no compromises on the feature set.

OpenVAS (http://openvas.org)
The Nessus scanner is a well-known commercial utility, from which OpenVAS branched off a few years ago to remain open source. Though Metasploit and OpenVAS appear very similar, there is a distinct difference between them.

OpenVAS is split into two major components: a scanner and a manager. A scanner may reside on the target to be scanned and feed its vulnerability findings to the manager. The manager collects input from multiple scanners and applies its own intelligence to create a report.

In the security world, OpenVAS is regarded as very stable and reliable for detecting the latest security loopholes, and for providing reports and inputs to fix them. The built-in Greenbone Security Assistant provides a GUI dashboard listing all vulnerabilities and the affected machines on the network. Its detailed reporting is one feature that makes OpenVAS a favourite of infrastructure security managers.

Aircrack (http://aircrack-ng.org)
The list of network scanners would be incomplete without wireless security scanners. Today’s infrastructure contains wireless devices in the data centre as well as on corporate premises to serve mobile users. While WPA2 is believed to provide adequate security for 802.11 WLANs, misconfiguration and the use of over-simple passwords leave such networks open to attack.

Aircrack is a suite of software utilities that act as a sniffer, packet crafter and packet decoder. A targeted wireless network is subjected to packet traffic to capture vital details about the underlying encryption, and a decryptor is then used to brute-force the captured file and recover passwords. Aircrack runs on most Linux distros, but the build shipped with BackTrack Linux is highly preferred.
