Must Have Security Audit Tools
I have always had an interest in network/computer/data security and have for years played around with a number of interesting and useful tools that can be used to audit systems for vulnerabilities as well as exploit them. To that end, I have never put together a list of the security audit and penetration testing applications and tools that I find indispensable when performing these types of scans and audits – this is that list.
This article involves the use of tools and techniques that may be illegal and in most cases are frowned upon to be used in any manner other than research and/or security testing of YOUR OWN infrastructure. Mis-use of these tools or the techniques mentioned in this article can get you in REAL TROUBLE. I take no responsibility for any damage to system that you may cause by using this information or any trouble that you get into by mis-using this information. If you plan to use these tools in a consulting capacity on behalf of a customer wanting a security audit, ensure that you have a well defined scope and signed agreements that release you from liability caused by any damage/outage as a result of your testing.
None of the information in this article is intended to be used in a malicious manner. If you choose to use it in such a manner, do do at your own peril.
Zmap is a tool that is used to scan very large networks and is best known for its ability to scan the “entire Internet” (IPv4) in under an Hour. It can be used to scan a broad range of IP addresses for particular open ports and save the results to file for later input to tools like nmap or ncrack. You can learn more and download zmap at their website. zmap
In this example, I am going to scan the Internet (no particular IP range) for 20 open web server ports (port 80) and send the results to a file (output) in the current directory.
sudo zmap -N 20 -B 1M -p 80 -o output
Once the process completes, you can cat the file output and there will be a list of IP addresses that have port 80 open. You can then use the results as input into nmap to find out more about the web server version or target itself. Local scans are disabled by default but can be enabled by modifying the zmap config file. See the documentation for details.
nmap -iL output
Nmap is one of the necessities for anyone performing network scans. It is the Swiss Army Knife of network scanning tools and has so many options, that even scratching the surface in this article is outside the scope as entire books have been written around nmap. Nmap is more than just a port scanner though. It can be used for fingerprinting and IDS/IPS evasion scans and much more. See the nmap site to learn more about it, check out other applications and download a copy. nmap
In this example, we will scan a target to determine what ports are open as well as what OS version it is running. We will also tell nmap to ignore if the server reports down (Skip host discovery) and scan it anyway.
nmap -PN -O 192.168.1.10
From the wonderful folks that brought us nmap comes ncrack. It is a newer tool on the scene and is designed to offer fast brute force attacks against just about any protocol you may want to attack. You can create your own custom user name and password lists or use the comprehensive built in lists. It has a very similar syntax to nmap, is fast and works well. Check out the site for more information about ncrack.
In this example, I will run ncrack against an open remote Desktop Server using a username.usr and password.pwd list of credentials.
ncrack -U username.usr -P passwd.pwd 192.168.1.10:3389
Nikto is a nifty little web scanner that checks for known vulnerabilities as well as possibly interesting items on a web server and prints the output to the console (Or you can send it to file). It is also useful for fingerprinting applications and servers and detecting configuration issues with web servers and sites. It is simple and versatile and is good for initial reconnaissance against web applications. Visit the site to learn more and download nikto.
Here we will perform the most basic of scans against foo.com
nikto –host foo.com
Ettercap is another one of those must have tools when performing penetration testing or security audits. The primary use of this tool is to perform ARP spoofing/poisoning MITM (Man in the Middle) attacks to intercept credentials and other juicy information on the network. It can also be used to sniff and inject data into the network.
Because ettercap is so versatile and can be used to perform so many different attacks (and because this is more of a list than a tutorial), I am not going to provide any examples here. I suggest that you visit the site and review the documentation as well as the Man page for ettercap to learn all that it has to offer.
Wireshark is an advanced packet capture and analysis tool. It can be used to capture packets and analyze them to extract passwords and other information from the traffic traversing the network. It is most useful when used on a span port or hub so that all traffic is passed to it. It is also very useful when used in conjunction with ettercap and a MITM attack on switched networks. It has many advanced features that allow you dive deep into your network and re-construct data streams (Such as voIP calls) and much more. Visit the wireshark website for more information and to download your copy.
Nexpose is a great tool for performing vulnerability scans against your environment. It is web based and integrates with Metasploit Framework for easy vulnerability identification and exploitation. It also has the ability to perform scheduled scans and can provide a nice report that can automatically be emailed to the appropriate party on a regular basis. Scan types include PCI/DSS and HIPAA to name a few, plus you can define your own custom policies. Nexpose comes in 2 flavors. One is the community edition that supports up to 32 targets and has a few other limitations. The other is a subscription based product that can scan unlimited hosts and has more features. The product can also be setup in a distributed deployment with an agent/server architecture which is useful for distributing load or having scanners on multiple vLans. Nexpose is another one of those applications that is too complex to cover in this article, so I suggest you visit the site to learn more.
Metasploit is a framework designed to provide a vulnerability development platform. It can be used not only to perform vulnerability scans but also exploit known vulnerabilities and develop your own exploits. It is one of the most widely used exploit platforms available and is highly versatile. Metasploit does require a reasonable level of experience and knowledge and can be dangerous for those that are not well versed with security scanning and exploits. It has a PostgreSQL back-end that can be used to store ‘loot’ as well as information gathered during scans as well as exploits. As mentioned in the section above, it can be integrated with NeXpose for easy exploitation of vulnerabilities found through NeXpose. Metasploit is developed by the same company as NeXpose (Rapid7) and more information can be found here.
All of the tools mentioned above are just some of my favorites and necessities for security audits. There are PLENTY of other tools out there that are not mentioned here (Nessus, dnsmap, sqlmap, burpsuite, john, cain and on and on) due to the sheer number of tools available. I encourage you to do a few searches for other tools to try. You can also find many of the tools mentioned here (and more) in linux distributions that are specifically designed for penetration testing and security audits, the most popular being Cali linux (Formerly BackTrack). I prefer to use my own distribution and install the tools I like and set things up the way I am comfortable working. Regardless of the path you choose, security auditing is fun and interesting. Just remember to stay on the white hat side of the road so you do not get yourself into hot water with the authorities.