Scanners and Analyzers

A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

Popular scanners are

Nmap

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community.

Nmap was originally a Linux-only utility, but it was ported to Microsoft Windows, Solaris, HP-UX, BSD variants (including Mac OS X), AmigaOS, and SGI IRIX. Linux is the most popular platform, followed closely by Windows.

Nmap features include:

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
  • Identifying open ports on a target host in preparation for auditing.
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.
  • Generating traffic to hosts on a network.
  • Find and exploit vulnerabilities in a network.

Backtrack

BackTrack was a Linux distribution that focused on security based on the Ubuntu Linux distribution aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distribution and released it under the name Kali Linux.

The BackTrack distribution originated from the merger of two formerly competing distributions which focused on penetration testing:

  • WHAX: a Slax-based Linux distribution developed by Mati Aharoni, a security consultant. Earlier versions of WHAX were called Whoppix and were based on Knoppix.
  • Auditor Security Collection: a Live CD based on Knoppix developed by Max Moser which included over 300 tools organized in a user-friendly hierarchy.

The overlap with Auditor and WHAX in purpose and in collection of tools partly led to the merger.

BackTrack provided users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to Security Audit. Support for Live CD and Live USB functionality allowed users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk and network was also an option.

BackTrack included many well known security tools including:

  • Metasploit for integration
  • Wi-Fi drivers supporting monitor mode (rfmon mode) and packet injection
  • Aircrack-ng
  • Gerix Wifi Cracker
  • Kismet
  • Nmap
  • Ophcrack
  • Ettercap
  • Wireshark (formerly known as Ethereal)
  • BeEF (Browser Exploitation Framework)
  • Hydra
  • OWASP Mantra Security Framework, a collection of hacking tools, add-ons and scripts based on Firefox
  • Cisco OCS Mass Scanner, a very reliable and fast scanner for Cisco routers to test default telnet and enabling password.
  • A large collection of exploits as well as more commonplace software such as browsers.
  • Armitage – java frontend to Metasploit.

BackTrack arranged tools into 12 categories:

  • Information gathering
  • Vulnerability assessment
  • Exploitation tools
  • Privilege escalation
  • Maintaining access
  • Reverse engineering
  • RFID tools
  • Stress testing
  • Forensics
  • Reporting tools
  • Services
  • Miscellaneous

Metasploit Project

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.

Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.

The basic steps for exploiting a system using the Framework include:

  • Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
  • Optionally checking whether the intended target system is susceptible to the chosen exploit;
  • Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server);
  • Choosing the encoding technique so that the intrusion-prevention system (IPS) ignores the encoded payload;
  • Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers. Metasploit runs on Unix (including Linux and Mac OS X) and on Windows. The Metasploit Framework can be extended to use add-ons in multiple languages.

To choose an exploit and payload, some information about the target system is needed, such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as Nmap. Vulnerability scanners such as Nexpose or Nessus can detect target system vulnerabilities. Metasploit can import vulnerability scan data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.

Apply for IT Support Certification

https://www.vskills.in/certification/certified-it-support-professional

Back to Tutorials

Network Scanning Techniques
HTTP tunneling and IP spoofing

Get industry recognized certification – Contact us

keyboard_arrow_up
Open chat
Need help?
Hello 👋
Can we help you?