Hot Tools for Analyzing Networks
www.novell.com
Laura Chappell
Sr. Protocol Analyst, Founder
Protocol Analysis Institute
lchappell@packet-level.com
Vision…one Net
A world where networks of all types—corporate and public,
intranets, extranets, and the Internet—work together as
one Net and securely connect employees, customers,
suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net
business solutions that enable people, processes, and
systems to work together and our customers to profit from
the opportunities of a networked world
Tool Types
• Cheap tools
• Cool tools worth paying for
• Basic/Simple v. Advanced/Complex
• These tools can be used to analyze, secure
and test your network
Tools to Get
• NetScanTools Pro$
• Ethereal
• Sam Spade
• Snort
• nMap
• Nessus
• GRC’s tools
• Dsniff et al
• Netcat
• Whisker
• Firewalk
• LC3 (L0phtCrack)
• LANGuard$
• NetStumbler
• Invisible Secrets$
• HexWorkshop$
• EtherPeek$
• Sniffer$
• … and more
NetScanTools Pro
• OS Fingerprinting
• IP-to-MAC mapping
• Port probing
• TCP Term
… and more
HOT!
Ethereal: Network Analyzer
• Win32 version on Laura’s Lab Kit
1. Ethereal: Packet analyzer/decoder tool
2. WinPcap: architecture for packet capture and network analysis for the Win32 platforms
• Kernel-level packet filter
• Low-level dll (PACKET.DLL)
• High-level library (WPCAP.DLL)
Worth the time to install/setup!
Get winpcap at netgroup-serv.polito.it/winpcap/
Link: www.ethereal.com
Sam Spade (Multifunction Tool)
• www.samspade.org
 Traceroute
 Ping
 DNS lookups
 DIG
 Whois
 Finger
 Etc.
Link: www.samspade.org
Snort IDS
• Network Intruder Detection System (NIDS)
• Rules-based
• Plug-ins available
• Sample snort rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S; classtype:attempted-recon; sid:618; rev:1;)
Link: www.snort.org
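What the sample rule above does and does not alert on, shown against a few constructed packets. This is an added Python example, not part of the original slides and not Snort's own code; the HOME_NET subnet, the packet list and every function name are assumptions made for illustration.

```python
import ipaddress
import re

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 '
        '(msg:"INFO - Possible Squid Scan"; flags:S; '
        'classtype:attempted-recon; sid:618; rev:1;)')
# Assumed, constructed sensor variables; EXTERNAL_NET means "not HOME_NET".
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_rule(text):
    """Split a one-line rule into header fields and an options dict."""
    header, body = re.match(r"(.+?)\s*\((.*)\)\s*$", text).groups()
    fields = ("action", "proto", "src", "sport", "arrow", "dst", "dport")
    opts = {}
    for item in re.findall(r'\s*((?:[^;"]|"[^"]*")+);', body):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return dict(zip(fields, header.split()), opts=opts)

def addr_ok(var, ip):
    inside = ipaddress.ip_address(ip) in HOME_NET
    return {"$HOME_NET": inside, "$EXTERNAL_NET": not inside, "any": True}[var]

def flags_ok(spec, flags):
    # Plain "flags:S" is an exact match: SYN set and no other flag bit.
    return flags == sum(TCP_FLAGS[c] for c in spec)

def matches(rule, proto, src, sport, dst, dport, flags):
    return (proto == rule["proto"]
            and addr_ok(rule["src"], src) and rule["sport"] in ("any", str(sport))
            and addr_ok(rule["dst"], dst) and rule["dport"] in ("any", str(dport))
            and flags_ok(rule["opts"]["flags"], flags))

# Constructed packets: label, proto, src, sport, dst, dport, TCP flag byte.
PACKETS = [
    ("syn-to-3128", "tcp", "203.0.113.9", 40000, "192.168.1.10", 3128, 0x02),
    ("synack-reply", "tcp", "192.168.1.10", 3128, "203.0.113.9", 40000, 0x12),
    ("syn-to-80", "tcp", "203.0.113.9", 40001, "192.168.1.10", 80, 0x02),
    ("ack-to-3128", "tcp", "203.0.113.9", 40000, "192.168.1.10", 3128, 0x10),
    ("internal-syn", "tcp", "192.168.1.20", 40002, "192.168.1.10", 3128, 0x02),
]

def alerting(rule_text=RULE):
    rule = parse_rule(rule_text)
    return [label for label, *pkt in PACKETS if matches(rule, *pkt)]

if __name__ == "__main__":
    print(alerting())
```

Only the bare SYN from outside HOME_NET to port 3128 alerts; the same SYN from an inside host does not, so a sensor that must see internal scanning needs different address variables.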
Where Do You Put Your Pig?
• Off a hub
• Off a spanned/mirrored switch port
[Diagram: Switch, Hub, Client A, Client B and Server 1, with positions marked 1 and 2]
Nmap Tester
• Port scanner
 UDP
 TCP (including Xmas, null scans, etc.)
• OS fingerprinter
• Ping sweeper
… and more
Link: www.insecure.org/nmap
Nessus Tester
• Port scanner
• Fingerprinter
• Vulnerabilities tester
• Client/server set
 Client collects data
 Server sends attacks
 Server OS: Solaris, FreeBSD, GNU/Linux, etc.—not Windows
Link: www.nessus.org
GRC’s Tools
• Shields Up (test vulnerabilities)
• Portscan (check open ports)
• UnPlug ‘n Pray (shut down PnP function)
• IDServe (ID Internet Servers)
• Great reading
Link: www.grc.com
Dsniff, et al. Testers
• Passive tools
 Dsniff
 Filesnarf
 Mailsnarf
 Msgsnarf
 Urlsnarf
 Webspy
• Active attack tools
 Arpspoof
 Dnsspoof
 Macof (fail open/duplicate MACs)
[Diagram label: Target: MAC address table]
Link: www.monkey.org/~dugsong/dsniff/
Netcat Connecter
• Set up connections
 TCP
 UDP
• Now included in the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions
Link: www.atstake.com/research/tools/index.html#network_utilities
Whisker CGI Scanner
• Whisker (by rain.forest.puppy)
 www.wiretrip.net
 Checks for CGI directory and CGI
 Checks for server type and version
 Can test vulnerabilities in sub-domains
 Uses URL coding (see next slide)
 Written in Perl
 See RFP2K01: “How I hacked PacketStorm”
Link: www.wiretrip.net/rfp/
Discovery Tool
• Mutant traceroute
• Learn gateway access filters
 No answer = blocked
 ICMP TTL answer = open
• Block outgoing ICMP TTL messages
[Diagram labels: Port 21 TTL=2; Router with ACL; ICMP: TTL exceeded in transit; Block all outgoing ICMP TTL messages]
Link: www.packetfactory.net/Projects/Firewalk/
LC3 Password Cracker
• Password cracking tool—excellent
• Uh…er…I mean Password auditing and recovery tool
• Also check out John the Ripper
 www.openwall.com/john/
Link: www.atstake.com/research/lc3/
LANGuard Scanner
• Bulk vulnerability scanner
 NetBIOS scanner
 SNMP scanner
 Ping sweeper
 Port prober
… and more
HOT!
Link: www.gfi.com/languard/
NetStumbler Eavesdropper
• Wireless scanner
• “MiniStumbler”
• Yipes
HOT!
Link: www.netstumbler.com/
Invisible Secrets Steganography
• Hide files within files
• Check out www.packet-level.com’s banner
• Password = hide
• Encryption = blowfish
Link: www.neobytesolutions.com/invsecr/
Hex Workshop Decoder
• Open files (without executing them)
• Change file contents
• Base converter
Link: www.bpsoft.com/
EtherPeek Analyzer
• One of the best packet analyzers around
• NX has an expert system and lots of added filtering capabilities
Link: www.wildpackets.com
Sniffer Analyzer
• Another great protocol analyzer
Link: www.sniffer.com
In Summary
• Scary, eh?
• Learn to use the tools to test your network
• Keep up on the vulnerabilities
• Join me on the 2002 US/Canada roadshow—hands-on courses
Laura Chappell’s
US/Canada Hands-On Roadshow
• Get hands-on experience with many tools and
analysis techniques for analysis and security
Washington, DC     April 1-2
Chicago            April 4-5
Seattle            April 8-9
Atlanta            April 15-16
Boston             May 2-3
Dallas             May 13-14
Houston            May 16-17
San Jose           May 23-24
San Francisco      June 4-5
Minneapolis        June 10-11
Phoenix            June 24-25
San Diego          June 27-28
Toronto            July 8-9
Vancouver          July 11-12
St. Louis          July 22-23
Los Angeles        July 25-26
Honolulu           July 29-30
New York City      August 5-6
Register NOW www.nuihotlabs.org/cybercrime