Notes from the Underground… (Continued)
It is, for the most part, common knowledge that obtaining either an evaluation copy or buying the various commercial tools is quite easy. This, combined with the plethora of keygens and cracks for all of the commercial tools available on the Internet, makes commercial vulnerability scanners available to script kiddies and black hats.
Fortunately, most of the commercial scanners are very noisy on networks and typically leave numerous footprints in system logs. Some, like CyberCop Scanner, will attempt to send a message to the console stating, “You are being scanned by CyberCop”.
Any black hat worth his CPU would know better than to use a commercial scanning tool to attempt to break into a network. They would almost definitely be noticed if they attempted to do so. You can find some of the issues with commercial vulnerability scanners and their use as script kiddie munitions at www.nmrc.org/lab/scanners.txt.
Exploring the Free Tools
Everybody likes getting something for free. The general rule, however, has always been “you get what you pay for.” I would argue that in the case of vulnerability scanners, the general rule is actually the exception. One caveat, though: you need to understand the limitations and expectations of freeware and open source software.
These are not packages that have large development teams who get paid for their work; they are packages that are developed by intelligent people in their spare time. Support is typically sparse, and operating most of these tools is not as easy as clicking on an icon. That being said, the freeware and open-source tools have their place, and most of them do the job as advertised.
This section takes a look at some of the popular tools (Nessus, SAINT, SARA, ShadowScan, Nmap, whisker, and VLAD), what they do, and how effective they are. Of course, your experience with each tool may differ from ours, but we try to present all of the issues—good and bad.
Nessus
The first tool is Nessus. Nessus is the most popular and probably the most effective free tool. Nessus is a vulnerability scanner much like the commercial tools discussed in the preceding section. In fact, for a free scanning tool, it is just as good as or in some cases even better than most of the commercial products.
Nessus consists of both a client piece and a server. The server portion of Nessus runs on a UNIX environment; client pieces are available for both the various UNIX and Win32 environments. Figure 17.3 depicts the client portion of Nessus performing a scan. Nessus may be one of those free tools that are supported by an ad hoc group of people, but it offers accuracy in its checks that rival, if not exceed, those of the commercial products. Typically, you will find it best to use more than one scanning tool to obtain the most accurate and thorough results, and no matter what commercial tool you choose, your second scanner should be Nessus. You can find Nessus at www.nessus.org.
Figure 17.3 Nessus Performing a Scan
Security Administrators Integrated Network Tool (SAINT)
SAINT is an updated version of one of the first vulnerability scanners, Security Administrator Tool for Analyzing Networks (SATAN). SATAN was released back in 1995 and checked for only ten security-related problems. SAINT Corporation (formerly World Wide Digital Security, Inc.) updated and improved upon SATAN, renamed their version to SAINT, and released it for free to the general public along with a number of supporting commercial applications. SAINT, like Nessus and most of the commercial products, offers the capability to customize or create your own security checks. Reporting, however, is not included with the freeware SAINT, but it is sold as an add-on. I do have to admit that I have only taken a couple of brief looks at this tool, as it seems not to offer any significant advantages over the tools I normally use. You can find SAINT at www.saintcorporation.com.
Security Administrators Research Assistant (SARA)
Another freeware tool based on the original SATAN is SARA, which is very similar to SAINT except that it does include a reporting engine that generates HTML and other formatted reports. One of the weaknesses that both SAINT and SARA share is that they do not offer a granular approach to identifying vulnerabilities. Both of these products take a more generic information-gathering approach, leaving most of the vulnerability analysis work to be done by the operator. A potential benefit of SARA, however, is its ability to interface with other security tools, enabling the user to use SARA to tie together each tool in his toolkit. You can find SARA at www-arc.com/sara/index.shtml.
ShadowScan
ShadowScan is a vulnerability detection and exploitation tool that has a GUI that looks suspiciously close to Internet Security Systems’ Internet Scanner. According to its Web site (www.rsh.kiev.ua/newse.htm), the ShadowScan checks database contains 1,130 different checks, more than most of the commercial products. As much as I hate stereotypes, the design of the Web page makes me think that this tool is directed more at the script kiddie population than at the security professional. I have ShadowScan listed under the free tools section, although the latest version of the tool is now only a 15-day trial and has a $100 ($4,999 if you want source code) price tag associated with it. In my test lab, the tool definitely performed as advertised, but the theme of the Web site combined with the lack of source code makes me a bit nervous about the product and its true intentions.
One day I will spend the lab time required to comfortably check out this program for any nefarious intentions, but without the source code to audit, it would be difficult to be 100 percent sure. The security business, especially the security scanning product business, is about trust. Call me paranoid, but using my credit card to send funds to an organization that has no verifiable contact information and just happens to be in the former Soviet Union is not on my list of safe investments.
Nmap and NmapNT
Nmap and NmapNT are not considered to be full-featured vulnerability scanners but are useful freeware tools that every security professional must have in her toolkit. Nmap (www.insecure.org) runs on various *NIX systems and was created by Fyodor. Not only is it your basic port scanner, but it also incorporates other useful options, such as the capability to perform multiple types of port scans and to use decoys to attempt to hide your scanning activity. Nmap has the capability to identify, most of the time, remote operating systems and to scan hosts that don’t respond to ICMP PING requests. NmapNT (www.eeye.com/html/Research/Tools/nmapnt.html) is the version of Nmap that eEye ported over to run on the Windows NT and Windows 2000 platform. If all you need is a sweep of your network identifying systems and what services are bound to ports, Nmap is the tool for you.
Whisker
Whisker, created by Rain Forest Puppy (RFP), is a simple Common Gateway Interface (CGI) vulnerability scanner written in Perl. Since its first revision, whisker has split into two separate projects: whisker, which is the scanner that we all know and love, and libwhisker, a Perl module that is used by whisker. Whisker is not a traditional CGI scanner; traditional CGI scanners do not have a heck of a lot of intelligence built into them. They simply point themselves at a host and fill that host’s log files with a number of known CGI issues, regardless of the existence of the /cgi-bin/ directory and regardless of the Web server running. The problem with this is that it does not make sense to blindly scan a machine: not only do you waste a lot of time and bandwidth, but you will also, more times than not, end up missing a number of issues. Whisker attempts to solve this problem by first having some intelligence built in, like a way to determine the operating system and revision of the remote Web server being scanned, and the capability to modify or script other options into your scans. Whisker also offers the capability to attempt to use some of the classic intrusion detection system (IDS) evasion techniques. Granted, whisker is only a CGI scanner and will not check for other vulnerabilities, such as weak versions of Sendmail and BIND, but it does excel at what it is meant to do and is a welcome addition to any toolkit. You can find whisker at www.wiretrip.net/rfp/p/doc.asp/i5/d21.htm.
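The whisker paragraph above and the sidebar’s remark that scanners are noisy and leave footprints in system logs describe the same defender-side signal: a blind CGI scanner fires its whole check list at a host regardless of whether /cgi-bin/ exists, and every miss lands in the Web server log as a 404. The following Python script is an added example, not code from the book or from any of the tools it discusses. It parses a handful of constructed Apache combined-format log lines (the addresses, paths and timestamps are made up) and reports any client that produced many /cgi-bin/ 404s inside a short window. The window length and threshold are assumptions you would tune for your own site, and the path normalization step is there because the IDS-evasion techniques the text mentions are aimed at exactly the kind of naive string matching a log parser would otherwise do.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed Apache combined-format log lines for the demo; the addresses,
# paths and timestamps are made up and do not come from real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2001:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2001:13:56:01 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2001:13:56:01 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2001:13:56:02 -0700] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2001:13:56:02 -0700] "GET /cgi-bin/handler HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2001:13:56:03 -0700] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2001:13:56:03 -0700] "GET /cgi-bin/%2E/formmail.pl HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [10/Oct/2001:13:57:10 -0700] "GET /cgi-bin/search.cgi?q=nessus HTTP/1.0" 200 1187 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line and status from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def normalize_path(raw):
    """Drop the query string, decode %-escapes and collapse ./ and ../ so an
    evasive spelling of a CGI path compares equal to its plain form."""
    return posixpath.normpath(unquote(raw.split("?", 1)[0]))


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = normalize_path(e["path"])
    return e


def is_cgi_probe(entry):
    # A miss under /cgi-bin/ is the footprint of a scanner running its check
    # list regardless of what the server actually hosts.
    return entry["path"].startswith("/cgi-bin/") and entry["status"] == 404


def find_cgi_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: max number of /cgi-bin/ 404s seen within any single
    `window`} for every client that reaches `threshold` (both are assumed
    values to tune per site)."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_cgi_probe(e):
            probes[e["ip"]].append(e["ts"])

    hits = {}
    for ip, times in probes.items():
        times.sort()
        best = start = 0
        for i, t in enumerate(times):
            while times[start] < t - window:  # slide the window's left edge
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, count in find_cgi_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {count} /cgi-bin/ misses within 60s")
```

The legitimate client in the sample, which requests an existing script and gets a 200, never enters the count; only the run of misses from the second address trips the threshold. Run against a real access log you would feed the file contents to `find_cgi_scanners` and expect the same shape of result, a rapid burst of 404s under /cgi-bin/ from one source, whenever a blind scanner of the kind the text describes is pointed at the server.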
VLAD the Scanner
VLAD the Scanner is another freeware tool of some use that, like whisker, is written mostly in Perl. Created by BindView’s RAZOR team to scan for the SANS top ten security vulnerabilities, VLAD is a small but very efficient scanning tool. Of course, VLAD does not check for everything that BindView’s commercial product (BV-Control for Internet Security) does, but it does give you the capability to quickly scan for the issues listed on the SANS top ten list. VLAD is a tad dated, as SANS has updated their list to be a top twenty, but the weak password and CGI checks in VLAD are still very useful. You can find VLAD at http://razor.bindview.com/tools/vlad/index.shtml.
Other Resources
A large number of other freeware tools are probably out there, but this section has listed the most popular ones. A couple of resources for finding and downloading some of these tools are PacketStorm Security (www.packetstormsecurity.org) and Technotronic (www.technotronic.com). When downloading freeware tools, you need to be careful that you fully understand what the tools do, and if possible, obtain the source code for your own auditing to ensure that the tool is doing what it advertises.
Using Automated Tools