Security Testing Tools - Networking Praveen Darshanam http://darshanams.blogspot.com

Network Security Testing Tools


Page 1: Network Security Testing Tools

Security Testing Tools- Networking

Praveen Darshanam

http://darshanams.blogspot.com

Page 2: Network Security Testing Tools

for absolute beginners ….

http://disects.com/ Praveen Darshanam

Page 3: Network Security Testing Tools

Tools

• Operating Systems

– Kali/Backtrack, Fedora Security Spin, Knoppix

• Packet Crafting

– hping, ngrep, sendip, scapy

• Packet Replay

– tcpreplay, tcpreplay-edit, tcpdump

• Scanning

– nmap, nc, metasploit, nessus

• Fuzzing

– metasploit, nikto, nessus, spike, radamsa, webfuzz

• Stats

– dstat, ifstat, iftop, ntop

• Web

– wget, curl, ab

• Debugging

– ping, netstat, tracert, ngrep

• Benchmarking

– ab, iperf, netperf


Page 4: Network Security Testing Tools

Command Help

• man command_name
– man ps
– man hping

• command_name --help or command_name -h
– dig -h
– nc --help

• info command_name
– info nmap

Page 5: Network Security Testing Tools

Backtrack

• Operating System for Security Researchers, Penetration Testers etc

• Plethora of Tools

• Fuzzers, DoS Tools, Scanners, Exploits etc.

http://www.backtrack-linux.org/


Page 6: Network Security Testing Tools

nmap

• Port Scanning

• OS fingerprinting

• Version guessing

• nmap [Scan Type(s)] options target_ip/domain

• Useful options

-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sV: Probe open ports to determine service/version info
-O: Enable OS detection

Page 7: Network Security Testing Tools

nmap snapshot


Page 8: Network Security Testing Tools

ngrep

grep patterns from pcap or live stream

• ngrep is to pcap what grep is to normal files

• Sniffer mode

ngrep -d any 'HTTP/1.1 200 OK' port 80

ngrep -d eth0 -i 'user|pass' port 21

• Pcap pattern match – regex pattern + BPF filter

ngrep -t 'pattern' -I pcap

ngrep -tx -X '0xhex pattern' -I pcap

• Grep’ing, one packet at a time
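The per-packet matching described on this slide, as an added example that is not part of the original deck: a small ngrep-style matcher that applies a regex to each TCP payload in a pcap. The function names and the pcap bytes are constructed for illustration; it shows that a keyword split across two segments is not matched, which matters when ngrep is used as a detection aid.

```python
import re
import struct

def build_pcap(payloads, port=21):
    """Constructed sample: classic pcap, one Ethernet/IPv4/TCP frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, data in enumerate(payloads):
        eth = bytes(12) + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), i, 0, 64, 6, 0,
                         bytes([192, 168, 1, 102]), bytes([192, 168, 1, 101]))
        tcp = struct.pack("!HHIIBBHHH", 40000, port, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + data
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap, port):
    """Yield (packet_number, payload) for IPv4/TCP packets to or from `port`."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled")
    off, num = 24, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        num += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # the BPF-filter step: keep IPv4/TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port in (sport, dport):
            yield num, tcp[(tcp[12] >> 4) * 4:]

def ngrep_like(pcap, pattern, port, ignore_case=False):
    """Return [(packet_number, payload)] where the regex matches inside ONE packet."""
    rx = re.compile(pattern, re.I if ignore_case else 0)
    return [(n, p) for n, p in tcp_payloads(pcap, port) if rx.search(p)]

# Constructed FTP-like traffic; the last command is split across two segments.
SAMPLE = build_pcap([b"USER alice\r\n", b"PASS example\r\n", b"LIST\r\n",
                     b"PA", b"SS second\r\n"])

if __name__ == "__main__":
    for n, payload in ngrep_like(SAMPLE, rb"user|pass", 21, ignore_case=True):
        print(n, payload)
```

Packets 4 and 5 together carry a second PASS command, but neither payload matches on its own; catching that case needs stream reassembly rather than per-packet grep.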


Page 9: Network Security Testing Tools

ngrep snapshot


Page 10: Network Security Testing Tools

hping

• Packet crafting

• Port Scanning

• Tcl scripting engine

• Ars Packet Description (APD), string representation of TCP/IP packets

• hping -S 192.168.1.102 -p 80,21 --flood

• hping3> hping send {ip(ihl=0x5,ver=0x4,tos=0x00,totlen=348,id=29974,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=6,cksum=0x6a40,saddr=192.168.1.102,daddr=192.168.1.101)+tcp(sport=5555,dport=6666,seq=3879420856,ack=3264306705,x2=0x0,off=5,flags=pa,win=18760,cksum=0xc4a2,urp=0)+data(str=You are Hacked!!!)}

Page 11: Network Security Testing Tools

hping3 snapshot


Page 12: Network Security Testing Tools

nikto

• Web Server Scanner for known Vulnerabilities

• Options

-dbcheck Check database and other key files for syntax errors

-evasion Encoding technique (premature URLs, long strings, tabs, fake parameters)

-o output format (html, xml, csv)

#nikto -o htm -host 192.168.0.127

Page 13: Network Security Testing Tools

nikto snapshot


Page 14: Network Security Testing Tools

ethtool

view and change NIC settings

• View settings
– ethtool eth0
– ethtool -i eth0
– ethtool -k eth0
– ethtool -p eth0

• Change settings
– Speed: ethtool -s eth0 speed 100
– Duplex: ethtool -s eth0 duplex full
– TSO, GSO, checksum: ethtool -K eth0 tso off gso off tx off

Page 15: Network Security Testing Tools

ping

• Ping
– Used for troubleshooting connectivity
– Uses ICMP protocol
– Based on raw sockets
– Uses different types, codes based on error
– Ping of death, pretty famous

• Options

-f fast ping

-s data size

-c number of packets to send

#ping -f -s 65000 192.168.1.102

Page 16: Network Security Testing Tools

netstat

• netstat

-p display the PID and program name of the process owning a socket
-l displays the listening sockets
-t display TCP socket
-u display UDP socket
-c continuous display
--unix unix domain socket

Linux: netstat -ant | grep 22

Windows: netstat -an -p tcp | find "135"

Page 17: Network Security Testing Tools

ab

• Apache HTTP server benchmarking tool

• Part of apache2-utils

• Options

-n Number of requests to perform

-c Number of multiple requests to make

-k Use HTTP KeepAlive feature

#ab -n 1000 -c 50 -k

Page 18: Network Security Testing Tools

netcat

• Open and Connect to TCP/UDP Ports

• File Transfer

• Port Scanning

• Server: nc -l 4444

• Client: nc 192.168.1.102 80

• Port Scanning: nc -z 192.168.1.102 1-1023

Page 19: Network Security Testing Tools

metasploit

• Penetration testing tool

• Exploit Framework

use  use an exploit
set  set a variable value
info  information of PAYLOAD/Exploit
PAYLOAD  Shellcode to select
RHOST  target/victim host
LPORT  attacker's TCP/UDP port
exploit/run  launch exploit

Page 20: Network Security Testing Tools

metasploit banner snapshot


Page 21: Network Security Testing Tools

metasploit launching exploit snapshot


Page 22: Network Security Testing Tools

stats (dstat, ifstat, iftop)

Page 23: Network Security Testing Tools

tcpdump, tcpreplay, tcpreplay-edit, tomahawk

• Tcpdump
– Captures/Sniffs Packets on an Interface
  tcpdump -i eth0 -xX -s0 -w capture.pcap

• Tomahawk
– Replays using a single machine with two interfaces

• Tcpreplay
– Replays packet captures
  tcpreplay -K -C -i eth1 -M 400.00 capture.pcap

• tcpreplay-edit
– Similar to 'tcpreplay' with an option to edit the capture

Page 24: Network Security Testing Tools

tcpreplay-edit (setup)


Page 25: Network Security Testing Tools

tcpreplay-edit (commands)

• Command1 (refer to the image above)

tcpreplay-edit -C -M 400.00 -l 100000 --enet-dmac=00:13:D3:A7:00:42,14:D6:4D:14:BB:BB -s 0.0.0.0/0:10.0.0.5/32 -d 0.0.0.0/0:10.0.0.6/32 -I eth1 *.pcap

• Command2 (refer to the image above)

tcpreplay-edit -C -M 400.00 -l 100000 --enet-dmac=14:D6:4D:14:BB:BB,00:13:D3:A7:00:42 -s 0.0.0.0/0:10.0.0.6/32 -d 0.0.0.0/0:10.0.0.5/32 -I eth0 *.pcap

Page 26: Network Security Testing Tools

netperf

• netperf - network performance benchmark

• Server

netserver

• Client

netperf -H 192.168.1.102

Page 27: Network Security Testing Tools

iperf

• iperf - perform network throughput tests

• Server: iperf -s -p 8888

• Client: iperf -c server_ip -p 8888

Page 28: Network Security Testing Tools

Snort IDS Testing

• stick

• IDSwakeup

• IDS Informer

• mucus

• sneeze.pl

• fpg

• NOTE: These are pretty old tools, pre-PCRE.

Page 29: Network Security Testing Tools

SNMP

• SNMP is used for remote management and monitoring of network devices

snmpwalk -v 1 -c mysnmp 192.168.1.1 hrSWRunState

• Options

-v version

-c community string or user name

Page 30: Network Security Testing Tools

snmpwalk snapshot


Page 31: Network Security Testing Tools

Network Time Protocol

• NTP is used to synchronise clocks

• ntpdate collects time samples from a time server

ntpdate ntp_server_ip

• ntptrace traces the source of time for a particular server

ntptrace

• ntpdc is used to query the NTP daemon's current state

ntpdc -c sysinfo ip_address

• ntpq monitors NTP daemon operations and performance

ntpq ip_address

Page 32: Network Security Testing Tools

DoS

• tcpjunk

• slowloris.pl

• thc-ssl-dos tool

• many fuzzers

• few Metasploit auxiliary/ modules


Page 33: Network Security Testing Tools

References

• http://www.backtrack-linux.org/

• http://tcpreplay.synfin.net/

• http://nmap.org/

• http://wiki.hping.org/

• http://www.secdev.org/projects/scapy/doc/usage.html

• http://www.gnu.org/software/wget/manual/wget.html

• http://www.ntop.org/

• http://cirt.net/nikto2-docs/


Page 34: Network Security Testing Tools

Questions ???!

Please do it for me
