www.novell.com

Hot Tools for Analyzing Networks

Laura Chappell Sr. Protocol Analyst, FounderProtocol Analysis Institutelchappell@packet-level.com

Vision…one NetA world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

MissionTo solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Tool Types

• Cheap tools

• Cool tools worth paying for

• Basic/Simple v. Advanced/Complex

• These tools can be used to analyze, secure and test your network

Tools to Get• NetScanTools Pro $• Ethereal• Sam Spade• Snort• nMap• Nessus• GRC’s tools• Dsniff et al• Netcat

• Whisker• Firewalk• LC3 (L0phtCrack)• LANGuard$• NetStumbler• Invisible Secrets$• HexWorkshop$• EtherPeek$• Sniffer$

• … and more

NetScanTools Pro

• OS Fingerprinting

• IP-to-MAC mapping

• Port probing

• TCP Term… and more HOT!

Ethereal: Network Analyzer • Win32 version on Laura’s Lab Kit

1. Ethereal: Packet analyzer/decoder tool2. WinPcap: architecture for packet capture

and network analysis for the Win32 platforms• Kernal-level packet filter• Low-level dll (PACKET.DLL)• High-level library (WPCAP.DLL)

Worth the time to install/setup!Get winpcap at netgroup-serv.polito.it/winpcap/

Link: www.ethereal.com

Sam Spade (Multifunction Tool)

• www.samspade.org Traceroute Ping DNS lookups DIG Whois Finger Etc.

Link: www.samspade.org

Snort IDS

• Network Intruder Detection System (NIDS)• Rules-based• Plug-ins available• Sample snort rule

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S; classtype:attempted-recon; sid:618; rev:1;)

Link: www.snort.org

Where Do You Put Your Pig?

• Off a hub• Off a spanned/mirrored switch port

Client A

Server 1

Switch

HubClient B

1

2

Nmap Tester

• Port scanner UDP TCP (including

Xmas, null scans, etc.)

• OS fingerprinter• Ping sweeper… and more

Link: www.insecure.org/nmap

Nessus Tester• Port scanner• Fingerprinter• Vulnerabilities

tester• Client/server set

Client collects data

Server sends attacks

Server OS: Solaris, FreeBSD, GNU/Linux, etc.—not Windows

Link: www.nessus.org

GRC’s Tools• Shields Up (test

vulnerabilities)• Portscan (check

open ports)• UnPlug ‘n Pray (shut

down PnP function)• IDServe (ID Internet

Servers)• Great reading

Link: www.grc.com

Dsniff, et al. Testers• Passive tools

Dsniff Filesnarf Mailsnarf Msgsnarf Urlsnarf Webspy

• Active attack tools Arpspoof Dnsspoof Macof (fail open/duplicate MACs)

Target:MAC

address table

Link: www.monkey.org/~dugsong/dsniff/

Netcat Connecter• Setup connections

TCP UDP

• Now included in the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions

Link: www.atstake.com/research/tools/index.html#network_utilities

TCP TCP

Whisker CGI Scanner

• Whisker (by rain.forest.puppy) www.wiretrip.net Checks for CGI directory and CGI Checks for server type and version Can test vulnerabilities in sub-domains Uses URL coding (see next slide) Written in Perl See RFP2K01: “How I hacked PacketStorm”

Link: www.wiretrip.net/rfp/

• Mutant traceroute• Learn gateway access filters

No answer = blocked ICMP TTL answer = open

• Block outgoing ICMP TTL messages

RouterwithACL

Port 21 TTL=2

ICMP: TTL exceeded in

transit

Block all outgoingICMP TTL messages

Link: www.packetfactory.net/Projects/Firewalk/

Discovery Tool

LC3 Password Cracker• Password cracking tool—

excellent

• Uh…er…I mean Password auditing and recovery tool

• Also check out John the Ripper

www.openwall.com/john/

Link: www.atstake.com/research/lc3/

LANGuard Scanner• Bulk vulnerability

scanner NetBIOS scanner SNMP scanner Ping sweeper Port prober

and more

Link: www.gfi.com/languard/

HOT!

NetStumbler Eavesdropper

• Wireless scanner

• “MiniStumbler”

• Yipes

Link: www.netstumbler.com/

HOT!

Invisible Secrets Steganography

• Hide files within files

• Check out www.packet-level.com’s banner• Password = hide• Encryption = blowfish

++ ==

Link: www.neobytesolutions.com/invsecr/

Hex Workshop Decoder• Open files (without

executing them)

• Change file contents

• Base converter

Link: www.bpsoft.com/

EtherPeek Analyzer• One of the best

packet analyzers around

• NX has an expert system and lots of added filtering capabilities

Link: www.wildpackets.com

Sniffer Analyzer

• Another great protocol analyzer

Link: www.sniffer.com

In Summary• Scary, eh?• Learn to use the tools to test your

network• Keep up on the vulnerabilities• Join me on the 2002 US/Canada• roadshow—hands-on courses

Register NOW www.nuihotlabs.org/cybercrimeRegister NOW www.nuihotlabs.org/cybercrime

Laura Chappell’s US/Canada Hands-On Roadshow

• Get hands-on experience with many tools and analysis techniques for analysis and security

Washington, DC April 1-2Chicago April 4-5Seattle April 8-9Atlanta April 15-16Boston May 2-3Dallas May 13-14Houston May 16-17San Jose May 23-24San Francisco June 4-5

Minneapolis June 10-11Phoenix June 24-25San Diego June 27-28Toronto July 8-9Vancouver July 11-12St. Louis July 22-23Los Angeles July 25-26Honolulu July 29-30New York City August 5-6

Hands-OnClasses