Hackers use a variety of tools to attack a system. Each of the tools we cover in this article have distinct capabilities. We describe the most popular tools from each of the following categories:
- Port scanners
- Vulnerability scanners
Later in this article, we use some of these tools in realistic scenarios to demonstrate how easily even a novice hacker or script-kiddie can gain access to an unsecured system.
Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available, and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap).
The Nmap port scanner is described as follows on the Nmap web site:
Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.3
Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.
Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap, refer to the Nmap web site or the nmap(1m) man page.
This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus.
The Nessus vulnerability tool is described on the Nessus web site:
The "Nessus" Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.
Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed portthat is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability.
Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.4
Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.
The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:
Modify system log files to remove evidence of an intruder's activities.
Modify system tools to make detection of an intruder's modifications more difficult.
Create hidden back-door access points in the system.
Use the system as a launch point for attacks against other networked systems.
Network sniffing, or just "sniffing," is using a computer to read all network traffic, of which some may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.
The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information.
Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn what it is used for.