COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
CIS 5406-01
Summer 1999 - Lesson (13 - A)

Security Tools

  1. Network monitoring and probing tools (UNIX).
  1. nmap http://www.insecure.org/nmap/index.html
  2. Nmap is great for scanning a host (your own machine, for instance) to see what services are listening. It can also be used to guess what kind of machine (operating system) you are probing by fingerprinting its TCP/IP stack (see the example below). With nmap you can also do neat things like scan a network with fragmented IP packets, which makes the scan harder for intrusion detection systems to spot. Once you install nmap on your Linux/Solaris machine, see "man nmap".

    Sample session:

    nmap -P0 -O 192.168.0.2

    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on test1 (192.168.0.2):
    Port    State    Protocol  Service
    21      open     tcp       ftp
    23      open     tcp       telnet
    25      open     tcp       smtp
    37      open     tcp       time
    53      open     tcp       domain
    70      open     tcp       gopher
    79      open     tcp       finger
    80      open     tcp       http
    98      open     tcp       linuxconf
    109     open     tcp       pop-2
    110     open     tcp       pop-3
    111     open     tcp       sunrpc
    113     open     tcp       auth
    139     open     tcp       netbios-ssn
    143     open     tcp       imap2
    513     open     tcp       login
    514     open     tcp       shell
    635     open     tcp       unknown
    2049    open     tcp       nfs

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=1830008 (Good luck!)

    Remote operating system guess: Linux 2.2.0-pre6 - 2.2.2-ac5

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

    ------- next session -------

    nmap -P0 -O terran

    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on terran.cs.fsu.edu (128.186.121.242):
    Port    State    Protocol  Service
    21      open     tcp       ftp
    70      open     tcp       gopher
    80      open     tcp       http
    135     open     tcp       loc-srv
    139     open     tcp       netbios-ssn
    1032    open     tcp       iad3
    6000    open     tcp       X11

    TCP Sequence Prediction: Class=trivial time dependency
                             Difficulty=7 (Trivial joke)

    Remote operating system guess: Windows NT4 / Win95 / Win98

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    Once you install nmap, see "man nmap". Another cool feature is the -I flag (ident scan). If the ident daemon is running on the target, nmap asks it which user owns each listening TCP port, so you can discover who is running what services (is httpd running as root?). Since ident needs a completed TCP connection to look up, this only works with a full connect() scan, not with the stealth scans.
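    The "TCP Sequence Prediction" lines in the two sessions above are nmap's judgement of how predictable the target's initial sequence numbers (ISNs) are. nmap gets them by sending several SYNs to an open port and reading the ISNs in the SYN/ACK replies; a host whose ISNs are predictable (terran, Difficulty=7) is exposed to blind TCP spoofing of connections that appear to come from a trusted host, which is why the result is worth reporting. The Python below is an added example, not nmap's code: it does not do the sampling (that needs raw sockets), it only classifies a list of already-sampled ISNs, and its class names, thresholds and difficulty score are a simplified scheme chosen for illustration, not nmap's exact algorithm. The ISN lists in it are constructed.

```python
"""Simplified TCP initial-sequence-number (ISN) predictability analysis.

Added example; this is NOT nmap's code. nmap samples ISNs from SYN/ACK
replies and scores how they change between samples. This re-implements the
idea on a given list of samples with a simplified classifier whose
thresholds are assumptions: nmap's real classes and its "Difficulty" index
are computed differently.
"""
import math
import statistics
from functools import reduce


def isn_deltas(isns):
    """Differences between consecutive sampled ISNs, modulo 2**32 (wraparound)."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]


def classify_isns(isns):
    """Return (class_name, difficulty) for a list of sampled ISNs.

    Simplified scheme (assumption, not nmap's exact rules):
      all deltas zero                    -> "constant"
      gcd of deltas divisible by 64000   -> "64K rule"
      gcd of deltas divisible by 800     -> "i800"
      deltas barely vary (stddev < 75)   -> "trivial time dependency"
      otherwise                          -> "random positive increments"
    Difficulty is the population standard deviation of the deltas, rounded
    down: the bigger the number, the harder the next ISN is to guess.
    """
    if len(isns) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = isn_deltas(isns)
    difficulty = int(statistics.pstdev(deltas))
    if all(d == 0 for d in deltas):
        return "constant", 0
    gcd = reduce(math.gcd, deltas)
    if gcd % 64000 == 0:
        return "64K rule", difficulty
    if gcd % 800 == 0:
        return "i800", difficulty
    if difficulty < 75:
        return "trivial time dependency", difficulty
    return "random positive increments", difficulty


def report(isns):
    """nmap-style summary line for a set of samples."""
    cls, difficulty = classify_isns(isns)
    return f"TCP Sequence Prediction: Class={cls} Difficulty={difficulty}"


# Constructed samples (not captured from any host):
# a stack that bumps its ISN by a small, clock-driven amount per sample ...
NT_LIKE = [4096, 4106, 4118, 4127, 4139, 4148]
# ... and one that adds a large random increment each time.
LINUX_LIKE = [100000000, 101200345, 111076888, 111422566, 134879355, 138879356]

if __name__ == "__main__":
    for name, samples in (("NT_LIKE", NT_LIKE), ("LINUX_LIKE", LINUX_LIKE)):
        print(name, "->", report(samples))
```

With these constructed samples the first list comes out as "trivial time dependency" with a single-digit difficulty and the second as "random positive increments" with a difficulty in the millions, mirroring the shape of the two sessions above. If you want real input, sample ISNs with a raw-socket tool and feed the values to classify_isns.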


  3. Saint http://www.wwdsi.com/saint/
  4. SAINT is the successor to SATAN (it was built on SATAN's code base). It's a great tool for finding network-accessible vulnerabilities in your machines. It even goes so far as recommending patches and the web sites to visit in order to get them. I highly recommend it. It has a nice web GUI that's easy to set up and use.

    Show sample session from disco.

  5. Port Sentry http://www.psionic.com/abacus/portsentry/

PortSentry can detect just about any scan out there.

    1. PortSentry can monitor multiple TCP and UDP ports.
    2. It can detect SYN/half-open, FIN, NULL, and other stealth scans (not perfectly).
    3. PortSentry has the ability to react in real time to port scans. It can automatically add an entry to /etc/hosts.deny to shut the scanning host out.
    4. It has false-alarm prevention mechanisms.
    5. It can turn into a denial of service against legitimate hosts: some RPC traffic travels back and forth via obscure high ports, and a host whose RPC traffic lands on a monitored port gets blocked just like an attacker.
    6. It doesn't catch everything: "nmap -sS disco" (a TCP SYN scan with nmap) got through.
    7. You have to be careful with the configuration so as to avoid this kind of DoS.
    8. Example: scan disco from sysrt.
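The list above describes what a PortSentry-style reactive monitor does: watch ports nothing legitimate listens on, count probes per source, block the source in /etc/hosts.deny once it has hit enough ports, and get it wrong in two ways (a SYN scan never completes a connection, so an accept()-based monitor never sees it; a friendly RPC peer on an odd port gets blocked). The Python below is an added example of that logic and is not PortSentry's code or its configuration format. Everything in it is constructed: the monitored port lists, the ignore list, the trigger count, and the connection records it runs over; the "stealth" flag only models the difference between seeing completed connections and seeing raw SYNs.

```python
"""Toy PortSentry-style scan detector (added example, not PortSentry's code).

Models the behaviour listed above: monitor a set of TCP/UDP ports, count
distinct monitored ports touched per source host, react only after
TRIGGER_COUNT hits (false-alarm prevention), never block hosts on an ignore
list (the RPC/DoS caveat), and react by emitting an /etc/hosts.deny entry.
In basic mode only completed TCP connections are visible, so a SYN scan
slips by; in "stealth" mode half-open SYNs are visible too.
All ports, addresses and events below are constructed.
"""
from collections import defaultdict

# Ports nothing legitimate should listen on here; any hit is suspicious.
MONITORED_TCP = {1, 11, 15, 79, 143, 540, 1524, 2000, 12345, 31337}
MONITORED_UDP = {1, 7, 9, 69, 161, 513, 32770, 32771, 32772, 32773, 32774, 31337}

# Hosts we must never block, e.g. our NFS/NIS server whose RPC traffic wanders
# onto high ports. Leave one off this list and the detector blocks it.
IGNORE = {"127.0.0.1", "192.168.0.1"}

TRIGGER_COUNT = 2  # distinct monitored ports a host may touch before we react


def hosts_deny_line(ip):
    """The /etc/hosts.deny entry used to shut a host out of all tcpd services."""
    return f"ALL: {ip}"


def detect_scans(events, *, stealth=False, trigger=TRIGGER_COUNT, ignore=IGNORE):
    """Run the detector over connection records.

    Each event is a dict: proto ('tcp'|'udp'), src, dport and, for tcp,
    completed (True if the 3-way handshake finished). Returns
    (blocked, alerts) where blocked maps source IP -> hosts.deny line.
    """
    touched = defaultdict(set)   # src -> set of (proto, port) hit so far
    blocked = {}
    alerts = []
    for ev in events:
        src = ev["src"]
        if src in ignore or src in blocked:
            continue
        if ev["proto"] == "tcp":
            if ev["dport"] not in MONITORED_TCP:
                continue
            # accept()-based monitoring never sees a half-open SYN
            if not stealth and not ev.get("completed", False):
                continue
        elif ev["proto"] == "udp":
            if ev["dport"] not in MONITORED_UDP:
                continue
        else:
            continue
        touched[src].add((ev["proto"], ev["dport"]))
        alerts.append(f"attackalert: {ev['proto'].upper()} probe of port {ev['dport']} from {src}")
        if len(touched[src]) >= trigger:
            blocked[src] = hosts_deny_line(src)
            alerts.append(f"attackalert: host {src} blocked via hosts.deny")
    return blocked, alerts


# Constructed connection records, not real logs.
SAMPLE_EVENTS = [
    # nmap -sS from 10.0.0.66: SYNs only, the handshake never completes
    {"proto": "tcp", "src": "10.0.0.66", "dport": 1, "completed": False},
    {"proto": "tcp", "src": "10.0.0.66", "dport": 11, "completed": False},
    {"proto": "tcp", "src": "10.0.0.66", "dport": 15, "completed": False},
    # full connect() scan from 10.0.0.77
    {"proto": "tcp", "src": "10.0.0.77", "dport": 79, "completed": True},
    {"proto": "tcp", "src": "10.0.0.77", "dport": 143, "completed": True},
    # our own RPC server's replies landing on high UDP ports
    {"proto": "udp", "src": "192.168.0.1", "dport": 32771},
    {"proto": "udp", "src": "192.168.0.1", "dport": 32772},
    # one stray finger lookup from an innocent host: alert, no block
    {"proto": "tcp", "src": "10.0.0.5", "dport": 79, "completed": True},
    # traffic to an unmonitored port is not even counted
    {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "completed": True},
]

if __name__ == "__main__":
    for mode in (False, True):
        blocked, alerts = detect_scans(SAMPLE_EVENTS, stealth=mode)
        print(f"stealth={mode}:", *alerts, *blocked.values(), sep="\n  ")
```

Run it and compare the two modes: the SYN scanner 10.0.0.66 is blocked only when stealth=True, the connect() scanner 10.0.0.77 is blocked either way, 10.0.0.5 produces an alert but stays under the trigger, and 192.168.0.1 is untouched only because it is on the ignore list; call detect_scans(SAMPLE_EVENTS, stealth=True, ignore=set()) to see your own RPC server get locked out, which is item 5 above.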

  6. Sniffit http://rufus.w3.org/linux/RPM/

Sniffit is a nice packet sniffing tool for Linux. In order for sniffit to work, you have to be on the same Ethernet segment as the target host. So, if I wanted to sniff packets going to/from a 192.168.1.* address from my machine in the 192.168.0.* subnet, I would be out of luck. Let's say someone from team one wants to sniff all the telnet traffic to the Linux machine of team two. You would do the following:

sniffit -p 23 -t 192.168.0.5

This would allow you to "sniff" all packets going to the telnet port on their linux machine. This form of the command dumps packets in raw mode. If you want to get a better idea of what’s happening, try:

sniffit -p 23 -A . -t 192.168.0.5

This will clean things up a bit so you can see the passwords as they are being typed.
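What sniffit is doing in those two commands is decoding Ethernet/IP/TCP headers off a promiscuous interface, keeping only segments whose destination is port 23 on the target host, and then either dumping the payload raw or rendering it as ASCII with unprintable bytes replaced by the "." fill character; because a telnet client sends one keystroke per segment and the server does not echo the password, the ASCII view of the client-to-server flow spells the login out. The Python below is an added example of that decode-filter-render pipeline and is not sniffit's code. Real capture would need a raw packet socket (root, same segment); so that it runs offline, the block builds constructed frames in memory instead. All addresses, MACs and the login shown are made up.

```python
"""Toy sniffer in the spirit of "sniffit -p 23 -A . -t <host>" (added example,
not sniffit's code). Decodes Ethernet/IPv4/TCP, filters on destination host
and port, and renders payload raw (hex) or as ASCII with a fill character.
Frames are constructed in memory; nothing here touches the network.
"""
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header):
    """One's-complement checksum over an IPv4 header (0 if header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1000):
    """Constructed Ethernet + IPv4 + TCP(PSH,ACK) frame carrying payload.
    The TCP checksum is left 0: the decoder below does not verify it."""
    tcp = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode one frame; return a dict, or None unless it is valid IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", frame[14:26])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP or ip_checksum(frame[14:14 + ihl]) != 0:
        return None
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack("!HHL", frame[tcp_off:tcp_off + 8])
    doff = (frame[tcp_off + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq,
            "payload": frame[tcp_off + doff:14 + total_len]}


def render(payload, ascii_fill=None):
    """Raw mode: hex. ASCII mode: printable bytes kept, the rest -> fill char."""
    if ascii_fill is None:
        return payload.hex()
    return "".join(chr(b) if 32 <= b < 127 else ascii_fill for b in payload)


def sniff(frames, port=23, target=None, ascii_fill=None):
    """Collect every segment headed for `port` on `target` (any host if None),
    reassemble each client->server flow in sequence order, and render it."""
    flows = defaultdict(list)
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] != port or (target and pkt["dst"] != target):
            continue
        flows[f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"].append((pkt["seq"], pkt["payload"]))
    return {k: render(b"".join(p for _, p in sorted(v)), ascii_fill) for k, v in flows.items()}


def sample_frames():
    """Constructed capture: a telnet login to 192.168.0.5 sent one keystroke per
    segment (after an IAC option negotiation), plus an HTTP request and a
    telnet segment to a different host that the target filter must drop."""
    keys = [b"\xff\xfd\x01"] + [c.encode() for c in "root"] + [b"\r\x00"] \
        + [c.encode() for c in "secret"] + [b"\r\x00"]
    frames, seq = [], 5000
    for k in keys:
        frames.append(build_frame("192.168.0.9", "192.168.0.5", 1037, 23, k, seq))
        seq += len(k)
    frames.append(build_frame("192.168.0.9", "192.168.0.5", 1038, 80, b"GET / HTTP/1.0\r\n\r\n"))
    frames.append(build_frame("192.168.0.9", "192.168.0.7", 1039, 23, b"x"))
    return frames

if __name__ == "__main__":
    for k, v in sniff(sample_frames(), 23, "192.168.0.5", ".").items():
        print(k, v)
```

The raw view of the telnet flow is a hex string; the ASCII view with "." as fill reads "...root..secret..", where the leading dots are the telnet option bytes and each pair of dots is the CR NUL that telnet sends for Enter, which is why the -A form is the one you reach for when watching a login.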


  2. Network monitoring and probing tools (Windows NT). There aren't as many (free) monitoring tools out there for NT. Most of the ones you can get are only demo versions. The good ones can cost > US$10,000. That's a little too much for the CS department.
  1. NukeNabber http://www.dynamsol.com/puppet/nukenabber.html

NukeNabber is similar to PortSentry, but for NT. It's easy to install and there is little or no configuration necessary. It even caught the "nmap -sS terran" scan.

Show demo.