Information Security Project Report
TABLE OF CONTENTS
Table of Contents .................................................................................................................................... 2
Executive Summary................................................................................................................................. 5
Introduction .......................................................................................................................... 12
    First: .............................................................................................................................. 14
    Second:.......................................................................................................................... 15
Anti-Reconnaissance ............................................................................................................. 22
Penetration Testing:...................................................................................................................... 34
    Pre-Exploitation/Pre-attack: ................................................................................................. 34
    Exploitation/Attack: .............................................................................................................. 34
    Post-exploitation/post-attack: .............................................................................................. 35
    Exploitation: .................................................................................................................. 36
Rectification: ................................................................................................................................. 44
    Objectives/Goals of Rectification:......................................................................................... 45
    Tcpdump/WinDump ..................................................................................................... 46
    Wireshark ...................................................................................................................... 46
    Chkrootkit...................................................................................................................... 46
    Md5deep ....................................................................................................................... 47
    Fatback .......................................................................................................................... 47
    Nikto .............................................................................................................................. 47
Conclusion: .................................................................................................................................... 49
Bibliography .......................................................................................................................................... 50
Additional Resources ............................................................................................................................ 53
Appendix A ............................................................................................................................................ 55
Appendix B ............................................................................................................................................ 60
Appendix C ............................................................................................................................................ 64
Appendix D ........................................................................................................................................... 74
EXECUTIVE SUMMARY
The purpose of this Handbook is to develop a model and recommend to IT Director(s) a set of important IT Security tools. These tools are used not only by most security professionals but also by IT Security firms to audit businesses and secure their information assets. The Handbook will serve as a starting guide for IT Director(s) and their staff in their endeavour to secure their company's infrastructure.
There is a large number of free security tools on the market, and it becomes confusing for IT Director(s) to decide which tools to use. Furthermore, there is a lot of literature on the process hackers follow to attack a target, but little of it takes the requirements of IT Director(s) into consideration.
This Handbook sheds light on the process hackers use to attack a target, modifies this model to fit IT Director(s) requirements, and suggests a few IT Security tools for each phase of the proposed model, to be used by the IT Director(s) team, Security Analysts, Penetration Testers, and others.
The model developed is composed of four phases. It is similar to the model used by Ethical Hackers and attackers, but customized to meet IT Director(s) requirements. We discuss the fundamentals, objectives, and tools of each of the four phases.
Suggested tools fall into the following categories: Anti-Reconnaissance, Information Gathering, Scanning and Inventory, Vulnerability Assessment, Penetration Testing, and Detecting Traces of an Attack.
The suggested tools are open-source and free to use, yet powerful enough to accomplish the requirements. Moreover, these tools are offensive tools, which differentiates them from the well-known defensive tools used by most IT Director(s) and promoted by most security vendors.
Information Security tools are becoming a necessity for any IT Department as threats increase with the Internet connecting everything in our small global village. These tools are used to identify potential weaknesses in any of the devices or systems used to move, store, or process data in a business.
This Handbook is intended for IT Director(s), within their area of responsibility, to secure the information assets of their company.
IT Director(s) are not expected to be experts in the IT Security tools mentioned in this Handbook. However, knowledge of these tools, their functions and purposes, and the phases in which they are used is appropriate and a definite advantage in the process of improving security.
Before we proceed further, we need to define the following terms, which are used extensively in this document.
Ethical Hacker or White-Hat Hacker: a Security Analyst (the "good" party) who works on securing an environment using IT Security or hacker tools.
Hacker or Black-Hat Hacker: a malicious actor who tries, for various reasons, to cause harm to systems owned by other people or companies.
White-Box Hacking: the method where information about the targeted devices is given to the Ethical Hacker/White-Hat Hacker.
Black-Box Hacking: the method where information about the targeted devices is not given to the Ethical Hacker/White-Hat Hacker.
Grey-Box Hacking: the process where some information about the targeted devices and the company under test is shared with Ethical Hackers/White-Hat Hackers.
1.2. APPROACHES TO SECURITY:
In Information Security, there are two approaches to securing information. The first, and the more popular of the two, is the Defensive approach.
[ER11], for example, defines defensive network security methodologies as switch security, firewalls, Intrusion Detection Systems (IDS), logs, network, antivirus, hardware, troubleshooting, availability, server/client security, creating policies, network management, etc.
The second approach is the Offensive one. In the same course, [ER11] defines the Offensive method, or Ethical Hacking for network security, as looking for Denial of Service (DoS), Trojans, worms, viruses, social engineering, password cracking, session hijacking, system failure, spam, phishing, identity theft, wardriving, warchalking, bluejacking, lock picking, buffer overflows, system hacking, sniffing, SQL injection, etc.
The tools that we will cover in this Handbook are not the well-known defensive tools such as firewalls, IDSs, antivirus, and others. They are offensive/attacking tools that might cause harm if used without caution or in an unethical manner. Black-Hat hackers use these tools to gather information about their targets, exploit vulnerabilities, and cause damage. Ethical Hackers can use the same tools to close security holes and improve security. The only difference between a hacker tool and a cyber security professional tool is written permission. [SW13]
1.3.
In an old article from 1993, Dan Farmer and Wietse Venema [DF93] argued that the best way to secure your environment is to try to break into it. Similarly, [MM06] emphasizes the role of attacking your own systems with the same tools Black-Hat hackers use, instead of only defending them. These days, Ethical Hackers or security analysts assume the role of attacking your own systems in a controlled manner. IT Director(s) awareness of these tools, the phases in which they are applied, their fundamentals, and their objectives is essential to survive in the digital world.
The importance of the offensive technique comes from the mindset of the Ethical Hacker, who actually plays the role of a hacker running the same tools. In this role, Ethical Hackers try to answer the following questions:
What can she/he do with the information obtained after compromising a system,
The above does not mean, in any way, that the defensive tools should be removed and replaced with offensive ones. It emphasizes the need for additional (offensive) tools to win a battle that IT Director(s) (i.e. their businesses) are losing most of the time.
1.4.
Looking into the security tools used by White-Hat hackers/Ethical Hackers in Information Security auditing firms, we can classify them into four major categories: Commercial, Proprietary, Freeware, and Open-Source.
Commercial and proprietary tools are tools that can be bought from vendors. Usually, vendors provide support for both types, and usage of these tools is subject to license agreements [CA12]. In addition, some proprietary tools are given away free. Moreover, some proprietary tools are not sold to external clients and are dedicated to use by specific IT Security auditing firms.
Freeware and Open-Source tools can be downloaded free from the Internet. Neither type is subject to support agreements. With Freeware tools you do not have access to the source code. Open-Source tools, on the other hand, provide access to the source code, subject to the Open Source Initiative rules [OS98].
A security analyst will need to choose between these different types of tools based on the tool's functionality and her/his need. Most of the time, a security professional will need to choose from a set of tools provided by various vendors with different licensing and support terms and conditions.
Sometimes, in a particular situation, there is no open-source or freeware tool to complete the task, or the free tool is very limited. This might mandate the use of proprietary or commercial tools. Furthermore, commercial tools are subject to support agreements while free and open-source tools are not. In addition, commercial and proprietary tools are subject to license agreements and their source code is not accessible to users [CA12]. On the other hand, commercial tools might not fit all scenarios in different companies, and the security analyst cannot modify or tailor the tool to his/her preference, while experienced security analysts are able to tailor open-source tools to meet the business's requirements.
Another important consideration is that proprietary free tools are specific to their vendor's products (e.g. Microsoft and Cisco) and cannot be used on hardware or operating systems from other vendors. This leaves us with two approaches.
The First Approach is using vendor-specific tools on that vendor's devices. This will certainly improve the security of the environment, but it is subject to two main limitations [SH11]:
First, it requires testers to have a deep understanding of the systems under test, in order to include as much as possible of these systems in the scrutiny.
Second, these tools have two major issues:
Parameters set in the tool might not cover everything in the tested environment
A third limitation is the assumption that the security analyst (Ethical Hacker) knows the systems under consideration, which is not true in a real-life situation. These tools cannot be used when a security analyst is conducting Black-Box testing: in that situation Ethical Hackers have no knowledge of the systems, and vendor-specific tools would not be the appropriate approach.
The Second Approach, not using vendor-specific tools when testing an environment, has many advantages over the first. Firstly, it is similar to the approach followed by Black- and White-Hat hackers. Secondly, non-vendor-specific tools are applicable to all environments without restriction. A third advantage, mentioned by [ES07], is that open-source and free tools are suitable for IT Director(s) with a limited budget: using free tools they can build a complete arsenal to secure their systems without paying much.
"Open-Source Applications and Tools: while it is pretty common to see companies embrace commercial tools in their production environments, you can't discount the sheer innovation available in the open-source community." [JS11] Then [JS11] describes the benefit of using open-source tools to build your information security skill set. Most security professionals
1.5.
The challenge for any IT Director(s) is the availability of thousands of tools on the market. Choosing from this large pool without sacrificing functionality, while keeping things simple, takes considerable effort.
However, Information Security experts have done a lot of work gathering different free tools into consolidated packages or distributions. Most of these distributions are based on the Linux operating system. Some of the most-used distributions are listed below:
BackTrack and its successor Kali Linux. These distributions include around 300 tools categorized into various groups (Information Gathering, Vulnerability Assessment, Exploitation tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID tools, Stress Testing, Forensics, and many Reporting tools) [BT13]. BackTrack is based on Ubuntu Linux; Kali Linux is based on Debian Linux. For a full list of tool sub-categories and names on BackTrack and Kali Linux, please refer to Appendix A and B respectively [KL13].
Matriux "Leandros" is analogous to BackTrack and includes more than 300 open-source and free tools based on Debian Linux, but also includes tools to test PCI DSS controls, which are not available in the BackTrack and Kali Linux distributions. For a detailed list of tools and their categorization, please refer to Appendix C [ML13].
Katana is a multi-boot DVD/USB that includes different tools and the BackTrack distribution in a single location [JD12].
BackBox is another distribution that includes tools for information gathering, incident handling, penetration testing, and forensics. It is based on the Ubuntu Linux operating system.
Etc...
In this Handbook, our proposed model/approach to securing information with security tools is applicable to all distributions (free tools) and to commercial tools as well. However, reference will mostly be made to tools present in BackTrack and Kali Linux, since these are the most popular among security experts and have more resources, more literature, and more sample implementations than other distributions.
For the above reasons, the BackTrack distribution is widely accepted among security experts and is considered the premiere security-oriented operating system, "... and the recent release of Kali Linux is sure to gain widespread popularity" [JP13].
One major and important website that lists and ranks security tools is http://sectools.org/. SecTools.org releases a security tools survey every three years (2006, 2009, 2012) [MC08] ranking tools. Most of the tools referenced in this Handbook are part of the Top 125 Network Security Tools listed on that site, with the exception of the tools and methodologies referenced in the Anti-Reconnaissance phase.
In addition, the tools we reference are used by IT Security auditing firms in India, including the Big Four auditing firms (Deloitte, PwC, KPMG, and EY), as per a report produced by cert-in.org [CI12].
1.6.
There are, however, several important things to keep in mind. The first is that these tools cannot replace skilled information security professionals and system engineers. The experience and intuition of the personnel using these tools are fundamental requirements for understanding and identifying attacks and discovering holes in the deployed systems [SI13].
Since most of these free tools are Linux based, IT Director(s) should know that their staff need experience with the Linux operating system [CA12], [SI07]. This does not mean that staff experience should be limited to Linux. Knowledge of Linux is necessary but not sufficient. For example, penetration testers should have several years of experience in the IT field, such as application development, systems administration, networking, or consultancy, before they do penetration testing [ER11].
On the other hand, the tools referred to in this document are used in mission-critical security jobs, and effective skills development is an essential step to ensure that the right people with the right skills are in place [SI13].
The author of [HS12] listed the most important mission-critical security jobs for most companies as follows:
1. System and network penetration testers,
2. Application penetration testers,
3. Threat analysts/counter-intelligence analysts,
4. Advanced forensics analysts,
5. Security monitoring and event analysts,
6. Risk assessment engineers,
1.7.
It is very important to mention that the use of security tools (in our case offensive and Ethical Hacker tools) in Reconnaissance, Anti-Reconnaissance, Vulnerability Assessment, Penetration Testing, and Prevention is just one link in the security chain. Using these tools does not mean, in any sense, that your information is protected. Vulnerability assessment and penetration testing are just two links in a long chain.
In the ISO/IEC 2700x series of standards, we find eleven different areas that describe how to secure information. Other standards or frameworks (e.g. COBIT, SOX, HIPAA, etc.) have similar areas, some of which overlap with each other. Vulnerability Assessment and Penetration Testing are just two parts of the whole standard. Security audits, for example, address many more areas than Vulnerability Assessment and Penetration Testing, and recommend the use of different types of controls for each area [TB07].
In addition, these tools are not a replacement for a manual IT Security audit or conformance audit. Just because we used these tools and did not find a vulnerability does not mean that none exists [MC08].
Moreover, different tools give different results, and these scanners detect vulnerabilities at a given point in time. One tool might discover a vulnerability that another tool does not find; a new vulnerability might appear and have its signature added to the database after the scan was conducted; or the tool might not have had the signature of the vulnerability at the time of scanning. All of the above limit the results of using these tools. This does not mean that the tools should be abandoned; it is meant to alert IT Director(s) that there is no 100% secure system and no 100% compliant system. If an attacker wants to break in, it is a matter of how much time and money the attacker is willing to invest. The two essential things for an IT Director(s) are:
to reduce the duration needed to figure out that a system is compromised, and
These are addressed by Incident Handling and Forensics procedures and tools (some of which are mentioned in this Handbook), which play a key role in responding to an incident and closing it as soon as possible [TB07].
INTRODUCTION
Hacking is not something that appeared recently. It started in the 1960s, when hackers were a group of technology enthusiasts. At that time, hacking was done out of intellectual curiosity, and there was no intention of harming others; harming others ran against the mindset of those hackers, who were leading the software-development movements that led to open-source software and paved the way toward the development of the Internet (ARPANET) [SO11]. However, things are no longer as they were 50 years ago. Hackers, Ethical Hackers excepted, are driven most of the time by bad intentions and by acts that are against the law in most countries. Hackers have developed techniques and arsenals of tools to reach their goals, which differ from one group of hackers to another.
Besides, security experts, government agencies, and other organizations have developed several standards and methodologies to help IT and security experts understand what needs to be done to secure information. These methodologies describe and imitate, step by step, the process followed by Black-Hat hackers and advise Ethical Hackers to follow the same steps in their endeavour to secure information.
On the other hand, there is a lot of literature, training guides, articles, and research on various security tools. However, few of these works address the usage of these tools from an IT Director(s) perspective. Most of the work done tries to imitate step by step what hackers do in their journey to compromise their targets. This Handbook is intended to simplify these procedures into a manageable process and set of tools, and to customize the process followed by Ethical Hackers to meet IT Director(s) requirements. The defined process/approach differs slightly from that developed by Ethical Hackers, but it also proposes a new concept of how IT Director(s) should approach security. It is not totally new, but it differs from what is found in most of the literature on the phases of how hackers work and attack targets. It modifies the former approach and tailors it to fit the needs of IT Director(s). The same applies to the tools proposed in our model. Some of the proposed tools are intended for securing the infrastructure and discovering hackers, and other tools can be used by both hackers and security analysts.
2.2. HACKERS' TECHNIQUES
Much of the literature, many articles, and much research describe hackers' methodology and their techniques for attacking targets. In [SO11], the techniques were divided as follows:
Footprinting,
Scanning,
Enumeration,
System Hacking,
Escalation of Privilege,
Covering Tracks,
Planting Backdoors.
In [JW07] and [KG07], the hacking phases were summarized in a way similar to that of [SO11]:
Reconnaissance,
Gaining Access,
Escalation of Privilege,
Maintaining Access,
Placing Backdoors.

Reconnaissance,
Scanning,
Gaining Access,
Covering Tracks.
In addition, in most of the guides developed by EC-Council and the SANS Institute, the Ethical Hacking process is divided into phases similar to those mentioned above.
Over time a proven framework has emerged that is used by professional Ethical Hackers. The four phases of this framework guide the penetration tester through the process of empirically exploiting information systems in a way that results in a well-documented report that can be used, if needed, to repeat portions of the testing engagement. This process not only provides a structure for the tester but is also used to develop high-level plans for penetration testing activities. Each phase builds on the previous step and provides details to the step that follows. While the process is sequential, many testers return to earlier phases to clarify discoveries and validate findings. The first four steps in the process have been clearly defined by Patrick Engebretson in his book The Basics of Hacking and Penetration Testing. These steps are Reconnaissance, Scanning, Exploitation, and Maintaining Access [JB14].
Before elaborating on the above phases and how they need to be addressed and tailored, we will briefly define what is meant by each phase, to make things easier to understand afterwards.
and collect information about targeted networks or systems. There are different methods to collect information about a target: Googling the company, social engineering, and many other tools and techniques, in either an active or a passive process.
Scanning: the process of finding the targeted systems' technical details, such as IP addresses, operating systems, services, applications used, etc., to be used in finding vulnerabilities.
Enumeration: the process of gathering and compiling usernames, machine names, network resources, shares, and services [KG07]. Some of the literature considers enumeration part of the Scanning process and does not distinguish the two, because the tools used are almost the same.
Gaining Access: Gaining Access, System Hacking, System Exploitation, and Target Exploitation are used interchangeably in this document and refer to the same process. It is the process of exploiting, in a targeted system, a vulnerability found during the previous phase. It is the phase where the real hacking takes place [KG07].
Maintaining Access: Maintaining Access and Escalating Privileges are used interchangeably in this document. This process happens after exploitation of a vulnerability in a system: having gained normal user privileges, the attacker works to escalate access to a privileged user (Admin, root, etc.).
Covering Tracks: the process where a hacker removes evidence of his/her actions to avoid detection by Security Analysts or Ethical Hackers.
Placing Backdoors: the process where a hacker places code (one or more programs) on the exploited system to allow him/her to access it easily later without being noticed.
2.3.
From the above literature, we can see that the phases proposed for Ethical Hackers are almost the same, with minor differences in nomenclature. These phases are followed by Black-Hat hackers to attack a target, and by Ethical Hackers to simulate the work of Black-Hat hackers and test the strength and maturity of the security investment made to protect information.
The above is proposed to be used in one of three scenarios: White-Box testing, Black-Box testing, or Gray-Box testing.
However, in my opinion, IT Director(s) need a different approach. Before defining this approach, I will lay down its foundations.
2.3.1. FIRST:
2.3.2. SECOND:
On the second side, three phases, Reconnaissance, Maintaining Access, and Covering Tracks, need to be modified from an IT Director(s) point of view. We will base our analysis and recommendations on White-Box testing.
First, there is no need for an Ethical Hacker to gather information about systems using the same tools and techniques Black-Hat hackers use. Gathering and updating information about the targets to be secured is already done, and is part of the IT Department team's job. IT Director(s), along with their team, know their infrastructure inside out. However, we cannot agree with [KG07] when he suggests that Reconnaissance, Information Gathering, and Scanning could be bypassed by an Ethical Hacker, jumping directly to the attack phase. His assumption that a White-Hat hacker, being either an employee or an outsourced company, does not need to collect information is correct, but it does not remove the need to verify this information.
2.4.
Based on the above, a new model is proposed for IT Director(s) to use in their attempt to secure their infrastructure:
1.
2.
3.
4.
As we can see from the proposed model above, we have customized the first phase, previously called Reconnaissance, and called it Anti-Reconnaissance. In addition, we have completely replaced Covering Tracks and Planting Backdoors with a Rectification phase.
In this scheme, and from an IT Director(s) perspective, the Reconnaissance and Scanning phases remain part of the Ethical Hacker's duties, to discover and gather information about both legitimate and illegitimate devices. Secondly, the Reconnaissance phase is renamed Anti-Reconnaissance to include tools and techniques that misguide attackers and trap them. Thirdly, the role of the Rectification phase is not to prove a case in a court of law, but to search for possible traces of hackers. The Ethical Hacker is encouraged to use tools to discover rootkits, backdoors, traces of compromised systems, and traces of attempts to compromise systems.
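As an added example of the kind of check the Rectification phase calls for (this is not code from the Handbook or from any tool it lists), the Python below builds a hash baseline of a directory tree and later compares the live tree against it, reporting modified, added and removed files. This is the integrity-checking idea behind tools such as md5deep: a replaced system binary shows up as a changed hash, a dropped backdoor as a file that was not in the baseline. The directory layout, file contents and the simulated tampering in demo() are constructed for illustration; SHA-256 is used rather than MD5 so that an attacker cannot craft a colliding replacement file.

```python
"""Hash baseline and verification for the Rectification phase (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def verify(root, baseline):
    """Compare the live tree with a stored baseline.

    Returns sorted lists of paths that were modified (hash changed),
    added (not in the baseline) and removed (in the baseline, now gone).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a fake system tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_baseline(root)  # in practice, stored off-host

        # Simulated compromise (constructed): a trojaned ps, a dropped hidden
        # backdoor, and a deleted file.
        (root / "bin" / "ps").write_bytes(b"trojaned ps that hides the attacker\n")
        (root / "bin" / ".hidden").write_bytes(b"dropped backdoor\n")
        (root / "etc" / "passwd").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner should keep in mind: the baseline must be taken from a known-good state and kept off the host, otherwise an intruder simply rewrites it; and a kernel-level rootkit can hide files from any user-space directory walk, so a clean report is not proof of a clean system, which is why such checks are best run from trusted boot media.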
In the next modules (Four, Five, Six, Seven and Eight), we will discuss three main notions, Fundamentals, Objectives, and Tools, for each phase of the proposed model, elaborating on the similarities and differences of each phase. Additionally, we will look into the similarities and differences between the newly proposed model and the old model. The proposed phases are inter-related, and some Fundamentals, Objectives, and/or Tools might be the same in many phases and might differ slightly or completely in others.
However, there is a huge difference between what a Black-Hat hacker does and what an Ethical Hacker does, regardless of the model (old or proposed). For example, hackers have no boundaries on which systems to attack, on the time and duration of an attack, on funding, or on ethical values, and will use any available tool. They also do not inform anyone about what they are doing or when. They are not bound by any ethical value.
Going back to the previous module, we will limit ourselves to the few tools that fit the above model. There are plenty of other tools within BackTrack, but we will not reference them in this Handbook if they fall outside the above model. Moreover, the first phase, Anti-Reconnaissance, will have a different set of tools that are not found in either BackTrack or Kali Linux.
The above-proposed model is not rigid, in the sense that we might do a few things from Anti-Reconnaissance/Reconnaissance, next do Vulnerability Assessment, then based on the outcome of the Vulnerability Assessment go back to Anti-Reconnaissance, then start Penetration Testing, and so on. This is very important to remember. A security analyst, like a hacker, might jump back and forth between phases: gather information, then do a vulnerability assessment, later go back to gathering information, and so on with the other phases.
One last thing we need to mention: hackers' techniques and tools might differ slightly from one type of system being attacked to another. For example, hacking a web server will use different tools from those used in hacking a wireless network or a wired network. However, they follow almost the same process to reach their goals. In each phase of this process, they have particular fundamentals and objectives and employ a set of tools to complete the phase, and usually the output of one tool in a particular phase is used as input to another tool in the next phase.
2.5.
Limited tools and methods are to be used; the use of botnets and rootkits is not allowed.
You need to be very cautious when doing your own test, whereas hackers do not care
about any harm they might impose on the target.
One very important thing to mention: scanning all hosts and all ports in a given enterprise
will take so long that the scanning process becomes useless. An example of this is when an
Ethical Hacker is scoping an organization with 1000 hosts and devices. He/she cannot scan
all ports on all hosts. A scan of this type might take 6.5 years assuming 1.5 seconds for each
port (65,536 UDP and 65,536 TCP ports per host, which leads to an approximate total of
130 million ports). This means that a limited number of hosts and ports will be scanned.
Careful selection needs to be made of what is to be scanned, and IT Director(s) will give
input on this topic rather than leaving it solely to the Ethical Hacker who is conducting
the work.
Another thing to keep in mind is that the tools mentioned in this Handbook might change. New
tools will come out that prove better than old ones. Tools that are used today might not be
useful tomorrow.
Devices used,
Network Infrastructure,
Etc
The above is needed because Security Admins need to look for abnormalities and deviations
from the existing setup. Then the Ethical Hacker (Pen-Tester) will do their own information
gathering using their tools. All collected information should be documented, and deviations
should be marked for further investigation.
3.1.
Reconnaissance has different forms or areas of applicability. Some of these methods and areas
are Internet footprinting, Competitive Intelligence, Whois, DNS, Network, Website
footprinting, email discovery, Google hacking, etc.
The prime objective of the attacker is to gather information about devices, operating systems,
and other information about the entity to be attacked. An Ethical Hacker doing White-Box
testing will have an easier job in terms of collecting information, since he/she is working to
strengthen the security, and the information is given to him/her in advance. Hackers usually
gather any type of information that might possibly help them in finding IP Addresses,
Operating System flavors, Network Device brands and types, Applications, Databases, etc.,
from whatever source. However, both Hackers and Security Analysts initially try to find two
important pieces of information: IP addresses and open Ports on these IP addresses. After
that, both (hackers and analysts) start discovering the operating systems and services running on
these Ports, then determine the rest of the information needed to exploit/secure an existing
vulnerability.
Identify and verify existing hosts or network devices and other system(s),
Identify and verify open ports and which ports will be targeted,
Document findings.
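The deviation check described above (documented baseline versus what the scan actually found) is easy to automate. The following is an added example, not code from the report or from any of the tools it names; the inventory and the simplified scan listing are constructed, and a real run would load them from the asset register and from a parsed scanner report.

```python
"""Compare scan results with the documented inventory and mark deviations.

Added example (not part of the report). INVENTORY and SCAN_OUTPUT are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Documented baseline: host -> set of ports the owner expects to be open.
INVENTORY = {
    "10.0.0.10": {22, 80, 443},     # web server
    "10.0.0.20": {22, 3306},        # database server
    "10.0.0.30": {22},              # bastion host
}

# Constructed scanner output, one "host port state" triple per line.
SCAN_OUTPUT = """\
10.0.0.10 22 open
10.0.0.10 80 open
10.0.0.10 443 open
10.0.0.10 8080 open
10.0.0.20 3306 open
10.0.0.20 22 closed
10.0.0.40 445 open
"""


@dataclass
class Deviation:
    host: str
    kind: str            # unknown_host, unexpected_port, missing_port, host_not_seen
    port: Optional[int] = None


def parse_scan(text):
    """Return {host: set(open ports)} from the simplified scan listing."""
    found = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, state = line.split()
        found.setdefault(host, set())
        if state == "open":
            found[host].add(int(port))
    return found


def find_deviations(inventory, scanned):
    """Mark hosts absent from the inventory, ports open but undocumented,
    documented ports the scan did not find open (outage or changed config),
    and inventoried hosts the scan never saw. Every entry is a lead to
    investigate, not a verdict."""
    deviations = []
    for host, open_ports in scanned.items():
        if host not in inventory:
            deviations.append(Deviation(host, "unknown_host"))
            for p in sorted(open_ports):
                deviations.append(Deviation(host, "unexpected_port", p))
            continue
        expected = inventory[host]
        for p in sorted(open_ports - expected):
            deviations.append(Deviation(host, "unexpected_port", p))
        for p in sorted(expected - open_ports):
            deviations.append(Deviation(host, "missing_port", p))
    for host in sorted(set(inventory) - set(scanned)):
        deviations.append(Deviation(host, "host_not_seen"))
    return deviations


if __name__ == "__main__":
    for d in find_deviations(INVENTORY, parse_scan(SCAN_OUTPUT)):
        print(d)
```

Every row in the output is a candidate for the "mark for further investigation" step; an unexpected open port on a known host and a host that is not in the inventory at all are the two cases the report singles out.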
DNSmap:
is a Domain Name System map tool that has the ability to discover all
subdomains and related domains of a target domain.
3.1.2.2.
Hping3:
is a smart tool that is able to perform port scans, bypassing firewalls
intelligently and without being detected by IDSs/IPSs. It can send custom
packets at a specific target by manipulating the MTU, spoofing the source IP
address, setting source ports, setting TTL values, fragmenting packets,
sending packets with a bogus checksum, and many other things. It supports
the main protocols TCP, UDP, and ICMP. The latest version of Hping is version
3 (Hping3). Hping3 is available on *nix, Windows, and Mac OS. Hping2 was
available on *nix only. DNSmap and Hping3 are free tools.
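One of the crafting options listed above, a bogus checksum, is something a passive sensor can detect simply by recomputing the checksums of every packet it sees. The block below is an added example, not code from the report or from hping3: it implements the RFC 1071 Internet checksum, builds a constructed IPv4/TCP packet (optionally with corrupted checksums, to stand in for a crafted one), and verifies the IP header and TCP checksums the way an IDS would before trusting the packet. The addresses used are documentation ranges.

```python
"""Verify IPv4 header and TCP checksums of a raw packet.

Added example (not from the report). build_packet() only exists to
construct test input; check_packet() is the sensor-side check.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload=b"", ip_bad=False, tcp_bad=False):
    """Build a minimal IPv4 + TCP SYN packet (constructed input). The *_bad
    flags corrupt the respective checksum to simulate a crafted packet."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_ck = internet_checksum(pseudo + tcp)
    if tcp_bad:
        tcp_ck = (tcp_ck + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", tcp_ck) + tcp[18:]
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0, src_b, dst_b)
    ip_ck = internet_checksum(ip)
    if ip_bad:
        ip_ck = (ip_ck + 1) & 0xFFFF
    ip = ip[:10] + struct.pack("!H", ip_ck) + ip[12:]
    return ip + tcp


def check_packet(pkt: bytes) -> dict:
    """Return whether the IP header and TCP checksums verify. With a correct
    checksum field in place, the checksum over the covered bytes is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    result = {"ip_ok": internet_checksum(pkt[:ihl]) == 0, "tcp_ok": None}
    if proto == 6:
        tcp_seg = pkt[ihl:total_len]
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
        result["tcp_ok"] = internet_checksum(pseudo + tcp_seg) == 0
    return result


if __name__ == "__main__":
    good = build_packet("192.0.2.1", "198.51.100.7", 40000, 22, b"hi")
    bad = build_packet("192.0.2.1", "198.51.100.7", 40000, 22, b"hi", tcp_bad=True)
    print("crafted-looking:", check_packet(good), check_packet(bad))
```

A packet whose checksums do not verify would be discarded by the target's stack, so such packets reaching a sensor are almost always a probe; logging the source of repeated failures is a cheap detection of this kind of crafting.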
3.1.2.3.
HTTrack:
is a cross-platform free web crawling tool to clone websites (http, https, and
ftp). It allows an Ethical Hacker to browse, analyze, and edit the content of a
website offline. Some hackers might use this tool to develop a fake phishing
website (Social Engineering Attacks) to trap users into believing that it is a
legitimate site. HTTrack is a command line tool that has an easy menu-driven
interface. Its Windows version is WinHTTrack.
3.1.2.4.
Wget:
is similar to HTTrack. However, it is commonly used in scripts and cron jobs for
mirroring websites. HTTrack has more features than Wget; Wget does not
analyze captured data as HTTrack does.
3.1.2.5.
Maltego:
is an open-source information gathering, forensic, audit, and threat
assessment tool. It has the ability to collect information from various sources
and can be used to launch Social Engineering Attacks based on the collected information.
It gathers e-mail addresses, server names, etc., then associates gathered
email addresses and websites with a person, then verifies email
addresses, etc., then graphs the output. The power of the tool is in its ability
to gather information about a domain, company, and people. It uses open
web resources to gather and then correlate information using a simple GUI. It has
75 transforms available for free; the full version is a paid version. Maltego provides
CaseFile as a sub-module to document all collected data in the information-gathering
phase in one document by mapping relationships manually in a graphical format.
3.2.
ANTI-RECONNAISSANCE
Time: There is no time limit on when to start or complete this phase. The tools employed
here to secure the infrastructure shall stay indefinitely and shall be maintained like
any Firewall, Anti-virus, or IDS system. Information gathering about malicious
activities is a continuous process.
approval on the scope, rules of engagement, and what needs to be done in the next
phase.
Report: Report Planning, Information Collection, Writing First Draft, Review and
Finalize [MA10].
Educate corporate staff about social engineering attacks. This is the most important
objective, because people are the weakest link.
3.2.3.1.
Decoy Services:
Examples of Decoy Services are SpiderTrap and WebLabyrinth. These tools
are designed to make any web crawler get stuck in an infinite loop of useless
webpages instead of gathering information. This will alert the defender to
web fingerprinting and information gathering [BJ13].
SpiderTrap acts like a small web server built of random links that loop
until either the hacker's web-crawler tool or SpiderTrap is stopped. It is not
available within Kali Linux but can be downloaded from sourceforge.net and
installed for free. It is written in Python 2.
WebLabyrinth is similar to SpiderTrap in functionality, but it runs on an Apache
web server rather than acting as a web server.
Careful consideration is needed when using both tools, because you may not want to
block Google or other search engines from crawling your web site.
Another example of Decoy Services is installing additional packages (e.g.
Oracle DB instances) that are not used for production on existing servers to
misguide the attacker and let him/her think that all these databases are
production instances/services [BJ13]. However, this will add additional
management tasks for the team and additional cost for space and licensing.
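To make the decoy idea concrete, and to connect it to the mirroring tools (HTTrack, Wget) described earlier, here is an added example that is not SpiderTrap's or WebLabyrinth's own code. It generates trap pages whose links all lead deeper into the trap, publishes a robots.txt so well-behaved search engines stay out (the caution about Google above), and scans constructed access-log lines for clients that hit trap paths, which is the alert the report describes. The path prefix, link count and log lines are assumptions made for the demonstration.

```python
"""A SpiderTrap-style decoy page generator plus alerting on trap hits.

Added example; TRAP_PREFIX, LINKS_PER_PAGE and SAMPLE_LOG are constructed.
"""
import hashlib
import re
from collections import Counter

TRAP_PREFIX = "/catalog/archive/"    # assumed prefix reserved for decoy pages
LINKS_PER_PAGE = 8


def trap_page(path: str) -> str:
    """Build an HTML page whose links all lead further into the trap.
    Link names derive from a hash of the current path, so pages are stable
    on revisit without the server storing anything."""
    links = []
    for i in range(LINKS_PER_PAGE):
        digest = hashlib.sha256(f"{path}#{i}".encode()).hexdigest()[:12]
        links.append(f'<a href="{TRAP_PREFIX}{digest}.html">item {digest}</a>')
    body = "\n".join(links)
    return f"<html><body><h1>Archive</h1>\n{body}\n</body></html>"


def robots_txt() -> str:
    """Honest crawlers obey this and never enter the trap; a mirroring tool
    run with robots.txt ignored, or a hand-driven crawler, does not."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /catalog/archive/3f1c2a9b7e6d.html HTTP/1.1" 200 900
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /catalog/archive/aa0e55b1c2d3.html HTTP/1.1" 200 900
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /catalog/archive/9bd1e0f7a6c5.html HTTP/1.1" 200 900
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /about.html HTTP/1.1" 200 700
198.51.100.9 - - [01/Jan/2024:10:01:04 +0000] "GET /contact.html HTTP/1.1" 200 650
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def trap_hits(log_text: str, threshold: int = 2) -> dict:
    """Count trap-page requests per client and return those at or above
    the threshold. Normal navigation never reaches these paths, so even
    a handful of hits from one client is a crawler worth looking at."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).startswith(TRAP_PREFIX):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(trap_page(TRAP_PREFIX + "entry.html"))
    print(robots_txt())
    print("crawlers caught in the trap:", trap_hits(SAMPLE_LOG))
```

The entry link into the trap would be placed on a real page where a human does not click it (for example hidden by CSS), so only automated crawling follows it; the alert then carries the client address and the number of trap pages it pulled.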
Darknets:
Security Administrators usually use Firewalls and IDSs to filter out traffic that
is considered malicious and allow legitimate traffic only. A Darknet takes a
different approach, where sensors monitor and collect malicious traffic
instead of dropping it.
A Darknet is a portion of routed, allocated IP space in which no active
services or servers reside. They are "dark" because there is, seemingly,
nothing within these networks. All traffic entering a Darknet will be malicious
to some extent, as nothing legitimate should be routed there. Traffic entering
a Darknet typically comes from scans generated by automated tools and
malware looking for vulnerable ports with nefarious intent [TC08]. This led
toward the development of various devices and tools to monitor Darknets.
The size of the IP space and the location of the sensors on the
network are the two main factors determining the traffic collected.
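The sensor logic behind a Darknet is small: every flow whose destination lies in the unused prefixes is recorded and attributed to its source. The following is an added example, not from the report or any Darknet product; the prefixes, the internal address ranges and the flow records are constructed. It also labels each source as a sweep (many targets, one port) or a scan (many ports), and distinguishes internal sources, which point to an already compromised host, from external ones.

```python
"""Darknet sensor: classify flow records that touch unallocated space.

Added example. DARKNET_PREFIXES, INTERNAL_PREFIXES and SAMPLE_FLOWS are
constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Routed but unused space, announced internally so probes reach the sensor.
DARKNET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.99.0.0/16", "192.0.2.0/24")]
# Address space that belongs to our own hosts (RFC 1918 here).
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.99.12.4", "tcp", 445),
    ("203.0.113.7", "10.99.12.5", "tcp", 445),
    ("203.0.113.7", "10.99.200.1", "tcp", 445),
    ("198.51.100.3", "192.0.2.77", "udp", 161),
    ("198.51.100.3", "192.0.2.77", "tcp", 22),
    ("198.51.100.3", "192.0.2.77", "tcp", 80),
    ("10.1.1.20", "10.1.1.50", "tcp", 443),     # legitimate internal traffic
    ("10.1.1.20", "10.99.0.9", "tcp", 3389),    # internal host probing the darknet
]


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_darknet(dst: str) -> bool:
    return in_any(dst, DARKNET_PREFIXES)


def summarise(flows):
    """Per-source statistics for darknet hits: distinct targets, distinct
    (proto, port) pairs and flow count. Nothing here is dropped; the point
    of a Darknet is to keep what a firewall would silently discard."""
    stats = defaultdict(lambda: {"targets": set(), "ports": set(), "flows": 0})
    for src, dst, proto, dport in flows:
        if not is_darknet(dst):
            continue
        s = stats[src]
        s["targets"].add(dst)
        s["ports"].add((proto, dport))
        s["flows"] += 1
    return dict(stats)


def classify(summary):
    """Label each probing source. Many targets on one port is a sweep; one
    target on many ports is a port scan; an internal source is the urgent
    case because it should never have had a reason to touch dark space."""
    labels = {}
    for src, s in summary.items():
        if len(s["targets"]) > 1 and len(s["ports"]) == 1:
            kind = "sweep"
        elif len(s["ports"]) > 1:
            kind = "scan"
        else:
            kind = "single_probe"
        origin = "internal-" if in_any(src, INTERNAL_PREFIXES) else "external-"
        labels[src] = origin + kind
    return labels


if __name__ == "__main__":
    for src, label in classify(summarise(SAMPLE_FLOWS)).items():
        print(src, label)
```

Feeding real NetFlow or sFlow exports through the same two functions gives the per-source view the report alludes to; the internal-source label is the one that should page someone.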
HoneyTokens:
HoneyTokens are pieces of data whose use indicates a possible intrusion
[BJ13]. This piece of information could be an invalid credit card number, user
login, e-mail address, and/or any piece of information that an attacker might
be looking for. Use of this forged data, such as trying to log in with a fake
username, indicates a possible attack.
Web Bugs:
Web bugs are defined as tracking devices embedded in web pages,
executables or scripts that secretly monitor your activity on the web and send
the information back to a third party [NS03]. These web bugs could be used
to monitor attackers' activity. These bugs are analogous to bugs in any
program, but these were intentionally written and left between the lines of
code.
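Both HoneyTokens and Web Bugs reduce to the same detection rule: a planted value or beacon URL has no legitimate user, so any appearance of it in a log is an alert. The block below is an added example, not code from the report: the fake account, the fake cloud key, the beacon path and the log lines are all constructed, and the source-address heuristic (first address in the line) is a simplification noted in the code.

```python
"""Honeytoken and web-bug detection over authentication and web logs.

Added example. HONEYTOKENS, BEACON_PATHS and SAMPLE_LOGS are constructed.
"""
import re
from dataclasses import dataclass

# Constructed honeytokens: value -> where it was planted (for triage).
HONEYTOKENS = {
    "svc_backup_old": "fake account in a credentials file left on the file server",
    "AKIA0000HONEY0000TOKEN": "fake cloud API key in a workstation's config file",
}
# Web-bug style beacon: a unique URL embedded in a decoy document. A request
# for it means the decoy was opened somewhere it should not have been.
BEACON_PATHS = {
    "/img/t/5f3a9c.gif": "decoy spreadsheet on the HR share",
}

# Constructed log lines: sshd-style failures, an API gateway line, web hits.
SAMPLE_LOGS = """\
Jan 01 10:00:01 host1 sshd[1234]: Failed password for svc_backup_old from 203.0.113.5 port 51000 ssh2
Jan 01 10:00:07 host1 sshd[1235]: Failed password for alice from 10.1.1.20 port 51001 ssh2
Jan 01 10:02:00 apigw: key=AKIA0000HONEY0000TOKEN src=198.51.100.9 action=ListBuckets status=403
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /img/t/5f3a9c.gif HTTP/1.1" 200 43
10.1.1.20 - - [01/Jan/2024:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Alert:
    token: str
    source: str
    planted_at: str
    line: str


def scan_logs(text: str):
    """Emit one Alert per log line that contains a honeytoken value or a
    beacon path. Plain substring matching is enough because tokens are
    chosen to be unique strings that never occur in real traffic."""
    alerts = []
    watch = list(HONEYTOKENS.items()) + list(BEACON_PATHS.items())
    for line in text.splitlines():
        for token, planted in watch:
            if token in line:
                ips = IP_RE.findall(line)
                # Simplification: take the first address in the line as the
                # source; a real pipeline would use the log's parsed fields.
                source = ips[0] if ips else "unknown"
                alerts.append(Alert(token, source, planted, line))
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"ALERT token={a.token!r} from {a.source}: planted at {a.planted_at}")
```

Because the token is tied to where it was planted, the alert tells the analyst not only that someone is inside but which host or share they have already read.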
Scanning Tools
[JM13] suggests changing ports' default values to other specific numbers to
invalidate the information returned by a scanning tool. E.g., FTP port 21
could be changed to another port number. Changing port numbers will force
the attacker to spend more time discovering what exactly is running on a given
device. In my opinion, this might definitely delay the attack on a system but
will not prevent it. Also, it will add another duty for System and Network
Administrators to manage this change.
Other Tools:
Other tools are available to discover our systems as part of the hackers'
arsenal. These tools, if used by our Security Analysts, will make our
environment safer. Some of these tools are Metagoofil, ExifTool, and
Strings. The output of these tools will be analyzed to eliminate any kind of
data that might help hackers attack systems [JM13].
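What the analysis of that output looks like can be shown with the simplest of the three tools. The following is an added example, not the code of strings, ExifTool or Metagoofil: it reimplements the core of strings (printable runs of a minimum length) and then applies the review the report calls for, flagging user paths, internal hostnames, e-mail addresses and software versions that a published document or binary would hand to an attacker. The sample blob and the leak patterns are constructed for the demonstration.

```python
"""Find printable strings in a binary and flag ones that leak information.

Added example. SAMPLE_BLOB and LEAK_PATTERNS are constructed.
"""
import re

MIN_LEN = 4
PRINTABLE = set(range(0x20, 0x7F))

# Categories of strings worth stripping before a file leaves the organisation.
LEAK_PATTERNS = {
    "windows_user_path": re.compile(r"[A-Za-z]:\\Users\\[^\\\s]+"),
    "unix_home_path": re.compile(r"/home/[A-Za-z0-9_.-]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "internal_hostname": re.compile(r"\b[a-z0-9-]+\.(?:corp|internal|lan|local)\b"),
    "software_version": re.compile(r"\b(?:Microsoft Office|LibreOffice|Adobe).{0,20}\d+(?:\.\d+)+"),
}

# Constructed binary: printable runs separated by non-printable bytes.
SAMPLE_BLOB = (
    b"\x00\x01PK\x03\x04"
    b"\x00\x00Author: j.doe\x00\x00"
    b"\x00C:\\Users\\jdoe\\Documents\\tender.docx\x00"
    b"\x00Microsoft Office Word 15.0.4"
    b"\x00\x00\x00print01.corp\x00"
    b"\x00jdoe@example.com\x00\x00ab\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Return printable runs of at least min_len bytes, like `strings -n`."""
    out, run = [], bytearray()
    for b in blob + b"\x00":          # sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def review(strings):
    """Map each leak category to the strings that matched it, so the owner
    can decide what to remove before the file is published."""
    findings = {}
    for s in strings:
        for name, pat in LEAK_PATTERNS.items():
            if pat.search(s):
                findings.setdefault(name, []).append(s)
    return findings


if __name__ == "__main__":
    for category, hits in review(extract_strings(SAMPLE_BLOB)).items():
        print(category, "->", hits)
```

Running the same review over the metadata that ExifTool or Metagoofil extracts from an organisation's public documents gives a concrete list of usernames, hostnames and software versions to scrub, which is the point of turning the attacker's tool on yourself.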
3.2.3.2.
Captured packets in SNORT are run against a set of rules configured by the
Security Administrator. SNORT can be installed on Unix, Linux, Windows, and
Mac OS. SNORT can sniff packets, log packets, and generate alerts based on
pre-set rules. It consists of the following modules:
Preprocessors,
Detection Engine,
Output module.
One of the most important features of SNORT is its ability to analyze packet
traffic in real time. SNORT gives us the ability to see what is happening.
SNORT analyzes the logs searching for possible intrusions or attempts at
intrusion. It is the most used IPS worldwide, as indicated on the SNORT website.
A lot of literature has been written about SNORT, and many users contribute by writing
new rules, plugins and applications that work with SNORT. It is freely
available, and users can see what is going on inside the tool and tweak it to meet
their needs. This option is not present in most Commercial IDS/IPS
applications. NetFlow is Cisco's commercial counterpart of SNORT.
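The "set of rules configured by the Security Administrator" and the detection engine that runs packets against them can be illustrated with a miniature rule engine. This is an added example and not Snort's code: it parses a small subset of Snort-like rule syntax (action, protocol, addresses, ports, msg, content, sid), matches constructed packets against the rules and returns alerts. HOME_NET, the rules and the packets are all constructed for the demonstration.

```python
"""A miniature Snort-style rule engine: parse rules, match packets, alert.

Added example implementing only a small subset of the rule language.
HOME_NET, RULES_TEXT and SAMPLE_PACKETS are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.1.0.0/16")

RULES_TEXT = """\
alert tcp any any -> $HOME_NET 21 (msg:"FTP USER root attempt"; content:"USER root"; sid:1000001;)
alert tcp any any -> $HOME_NET 80 (msg:"Web path traversal"; content:"../"; sid:1000002;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to internal host"; sid:1000003;)
"""

RULE_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def parse_rules(text):
    """Turn each rule line into a dict of header fields plus an opts dict."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
            rules.append(rule)
    return rules


def match(rule, pkt):
    """All header fields must match; `content` is a substring search over
    the payload, which is the core of the detection engine."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_matches(rule["src"], pkt.src) and _addr_matches(rule["dst"], pkt.dst)):
        return False
    if not (_port_matches(rule["sport"], pkt.sport) and _port_matches(rule["dport"], pkt.dport)):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload


def run(rules, packets):
    """Return (sid, msg, src, dst) for every rule/packet pair that matches."""
    return [(r["opts"]["sid"], r["opts"]["msg"], p.src, p.dst)
            for p in packets for r in rules if match(r, p)]


# Constructed traffic: one hit per rule, plus two packets that must not alert.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 40001, "10.1.2.3", 21, b"USER root\r\n"),
    Packet("tcp", "203.0.113.5", 40002, "10.1.2.3", 21, b"USER alice\r\n"),
    Packet("tcp", "198.51.100.9", 40003, "10.1.2.9", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("icmp", "198.51.100.9", 0, "10.1.2.9", 0),
    Packet("icmp", "198.51.100.9", 0, "192.0.2.1", 0),     # outside HOME_NET
]

if __name__ == "__main__":
    for alert in run(parse_rules(RULES_TEXT), SAMPLE_PACKETS):
        print("ALERT", alert)
```

Real Snort adds preprocessors (stream reassembly, protocol decoding) in front of this matching step and an output module behind it, which is exactly the three-module structure listed above; the matching itself is the part administrators tune when they write rules.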
Honeypots:
The traditional way of placing honeypots is outside the
network, but Nova places honeypots on the inside and emulates
hosts and services, and fools the fingerprinting of different operating systems,
which defeats hackers' Nmap scanning and discovers attackers' attempts
to gather information.
Honeypots, Honeynets, and padded cells are complementary
technologies to IDS/IPS deployments. A honeypot is a trap for
hackers. A honeypot is designed to distract hackers from real targets,
detect new exploitations, and learn about the identity of hackers. A
Honeynet is just a collection of Honeypots used to present an
attacker an even more realistic attack environment. A padded cell is a
system that waits for the IDS to detect attackers and then transfers the
attackers to a special host where they cannot do any damage to the
production environment. While these are all extremely useful
technologies, not many corporate environments deploy them. You
usually see these deployed by educational institutions and security
research firms. Generally, corporate information security
professionals are so busy securing their environment from attacks
that they do not spend time researching attack patterns. As long as
the attack doesn't succeed, they are satisfied [JS11].
3.2.3.3.
Anti-Social Engineering
Social Engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often
involves tricking other people into breaking normal security procedures [RE07].
Anti-Social Engineering is the process that defeats and discovers the act of
Social Engineering. It is one of the most important defenders' tools and
can be achieved by administrative policies and training.
IT Director(s) should work on having continuous training programs about Anti-Social
Engineering to make staff cautious and security aware.
Administrative policies
Administrative policies will put a framework on how to deal with incidents of
Social Engineering attacks. This is a major part that is mostly missed in all
organizations' security policies. Management in organizations emphasizes
placing information security policies about passwords, anti-virus, and technical
tools (Firewalls, IDSs, etc.) to protect their information while forgetting about
policies related to the most successful attack, Social Engineering. Social
Engineering is related to the weakest link within the security chain: People.
By including such policies, we emphasize the user's responsibility in
protecting data as a key factor instead of depending on Security
Administrators only.
The author of [JA14] emphasizes that one of the major keys to successfully protecting
your systems lies in the area of security policy and the proper
authority to enforce its implementation.
4. VULNERABILITY ASSESSMENT:
Since we are assuming a White-Box testing setup for the systems, vulnerability scanning or
assessment will be conducted. If the network scanning was not completed during the
previous phase (Anti-Reconnaissance/Reconnaissance), it should be conducted in this phase.
Scanning could be part of either phase (Anti-Reconnaissance/Reconnaissance or Vulnerability
Assessment). The output is fed from the scanning tool to the vulnerability assessment tool, or
we can use one tool for both activities (scanning and vulnerability assessment). However, before
discussing the fundamentals, objectives, and tools of vulnerability assessment, it is
important to clarify the difference between Vulnerability Assessment (discussed in this
module) and Penetration Testing (discussed in module 5), because many people within the
security community and vendors of IT security products incorrectly use these terms
interchangeably [PE13].
Vulnerability Assessment is the process of reviewing applications and systems for the
presence of security issues, whereas penetration testing actually performs exploitation of
specific vulnerabilities as a Proof of Concept (PoC) to demonstrate the presence of a security
issue. Though Penetration Testing goes a step beyond Vulnerability Assessment by simulating
hackers' activity and delivering live payloads, it is completed in a much more limited scope than that
of any Vulnerability Assessment [PE13].
Penetration Testing uses aggregated results from the previous two phases to determine what
attacks will be successful.
4.1.
Time: Start time and end time should be established. Planning the Vulnerability
Assessment is very important to avoid scope creep in a rapidly changing environment.
Devices: Specific ranges of IP Addresses and particular hosts, systems, or applications shall
be defined during scope preparation: Internet-side hosts or internal hosts; wired or
wireless network devices.
Tools: What tools will be used for Vulnerability Assessment shall be specified.
Notified parties: at least one person in the chain of the incident handling process needs to be
notified. In case the assessment is detected by any defensive or offensive device
planted in the network, a decision will be taken whether to continue or stop the process.
Other parties might be notified, such as System Administrators, Network Administrators,
the ISP representative (if the assessment is conducted on the side facing the internet), and/or
owners of the system.
Initial Level of Access: This depends on the part of the network (Internet side, server side,
or client side) being assessed. Assessing DMZ servers from the Internet side will require
no special level of access. Similarly, evaluating a wireless network requires no initial level of
access. On the other hand, assessing servers inside the perimeter will mandate, at least,
authorization to plug a network cable into the LAN infrastructure. IT Director(s) might
grant standard user access to the network to assess what a regular internal user might be
able to hack.
Deliver a report based on the risk assessment done for the discovered vulnerabilities.
Delivering a vulnerability report based on the outcome of an automated tool is, most of the
time, not enough without checking the associated risk. Furthermore, it should be clear whether
the contents of this report include remediation for the vulnerabilities found or not.
4.2.
The objectives of a Black-Hat hacker differ from those of a White-Hat hacker in the sense that a
hacker is looking for a vulnerability to exploit, while an ethical hacker is looking for a vulnerability
in order to close it and apply the necessary patches or measures. The objectives of a vulnerability
assessment for an ethical hacker are as follows:
Use given information (since it is a White-Hat hacking process) and information gathered
through probing, port scanning, social engineering, and other methods to determine
vulnerabilities in systems,
Map vulnerable systems to asset owners. For a Black-Hat hacker this goal is not considered,
Evaluate targets for vulnerabilities and afterward for security risks by constructing an attack
hierarchy or tree,
Identify and prioritize vulnerable systems based on risk value and importance to the
business,
Document findings to work on eliminating, reducing and mitigating risk [JM13], [SD06].
4.3.
In this module, we will discuss some of the most important tools for three main areas of an IT
infrastructure: Wireless Networks, Wired Networks, and Web applications.
other than the 802.11. From the Aircrack-ng suite, we will use the following
program:
4.3.1.2.
4.3.1.3.
Fern WiFi Cracker provides a GUI, similar to Gerix, for Aireplay-ng, Airodump-ng,
and Aircrack-ng. Fern WiFi Cracker has built-in functionalities that are not
present in Gerix. It finds the type of encryption applied by Access Points,
figures out weak encryption protocols such as WEP/WPA/WPS, and works on
cracking them. Fern WiFi Cracker needs other tools to crack a key (Aircrack,
Python Scapy, and Reaver). All these tools and Fern WiFi Cracker are pre-installed on Kali Linux and Backtrack.
4.3.1.4.
4.3.1.5.
4.3.2.1.
4.3.2.2.
4.3.3.2.
4.3.3.3.
4.3.3.4.
Automatic Exploiter,
The above were a few of the tools used in Vulnerability Assessment. In the next module, we
will talk about Penetration Testing and the tools used during this phase.
5. PENETRATION TESTING:
Penetration Testing assesses the effectiveness of the security controls applied in an infrastructure.
It does not improve security, as is evident from the steps followed below. Pen-Testing
evaluates security and does not improve it [JM13], [SD06]. It is recommended that IT
Director(s) do Pen-Testing when they believe that they have strong security; otherwise it
will be a waste of time and money. Vulnerability Assessment is conducted to improve security
by closing discovered vulnerabilities, and should be conducted before Penetration Testing.
Penetration Testing has three steps: Pre-Attack, Attack, and Post-Attack [ER11]. Others
make it two steps: Exploitation and Post-Exploitation [MA13]. The Pre-Attack/Pre-Exploitation
step is passive most of the time; the second and third are active attacks. However, for our
proposed model, Pen-testing includes the Exploitation step only. Pre- and Post-Exploitation, in our
model, will not be discussed as part of Penetration Testing. Post-Exploitation will be replaced
by the Rectification Phase.
5.1.
PRE-EXPLOITATION/PRE-ATTACK:
In this step, information is gathered about the target under consideration. Pre-Exploitation
could be part of the Pen-Testing Phase or the Vulnerability Assessment Phase.
If a vulnerability assessment was conducted, then this pre-exploitation step is completed
in the vulnerability assessment. If no vulnerability assessment was made, or it was done
but the pen-test will be conducted by a different party (outsourced), then pre-exploitation
(data gathering and target evaluation) needs to be part of the Pen-Testing
phase.
5.2.
EXPLOITATION/ATTACK:
Exploitation is probably one of the most fascinating parts of a penetration test for the
Pen-Tester. The Pen-Tester should be very careful in selecting a vulnerability to exploit. He/she
cannot make sure that the exploitation will succeed, but it should be highly probable. Firing a
bunch of exploits blindly and hoping one of them will succeed is not efficient and might
trigger specific events on the targeted system.
This step is composed of three main activities: (1) Exploiting a Vulnerability, (2) Escalating
Privileges, and (3) Maintaining Access. Exploiting a vulnerability is a successful step for
all attackers, but it is not an end in itself. After exploitation of vulnerabilities in the targeted
system(s), attackers try to (1) Escalate Privilege and (2) Maintain Access on these
systems using various techniques. Attackers do not want to run the same exploit every
time they intend to access the system. It would be time consuming, and there is a possibility
that the vulnerability will be closed after some time by the system owner. For this reason,
they try to escalate privilege and maintain access to the attacked system using different
techniques [JB14].
5.3.
POST-EXPLOITATION/POST-ATTACK:
The post-exploitation phase begins after one or more systems have been
compromised, but is not even close to being fully done yet [MA13].
Post-exploitation is a critical part of any penetration test. A successful exploitation
might only give limited access to resources on the targeted machine and will not be
considered a successful step on its own. Post-Exploitation is about maintaining a foothold,
creating a backdoor, and covering traces.
[JB14] mentions several methods of Post-Exploitation, some of which are: Malware,
Trojan Horse, Viruses, Worms, Keyloggers, Botnets, Backdoors, Colocation and Remote
Communications Services, and Command and Control systems. Post-Exploitation will not
be discussed for our model, since it was replaced by the Rectification Phase.
5.4.
5.5.
Time: very limited time, and it will be less than that of a vulnerability assessment.
Notified parties: At least one person in the chain of command of Incident Handling.
The system owner is to be notified also. This mainly depends on what systems are tested and
the type of exploit being conducted. If the test is conducted on the DMZ servers, the ISP
representative needs to be notified. Sometimes, approvals need to be obtained from
government bodies to conduct penetration testing, especially if you are doing it on the
DMZ zone or the wireless network.
Definition of the target space by defining the business functions that will be targeted in the
penetration testing. This will be based on the Vulnerability Assessment report.
Definition of how far the penetration test should go. Shall data be removed or services
be stopped? Is it allowed to use this target as a source to attack other devices and
discover more vulnerabilities or not? Do you want to add a user to the exploited
system or tunnel a reverse shell back to your testing machine? Etc. We also need to
define how far the Gaining Access test should go. For example, if an Administrator
account of an Operating System was compromised, then what data shall be targeted,
and what services are to be stopped, if any? This depends on the details of what is being
targeted. If the target is an SQL Database, then after gaining access to the OS, the
steps need to be defined on how to gain access to data in the SQL DB or other
application. All this needs to be defined very well; otherwise the scope will grow
without any control.
Deliver a report. It should be clear whether the contents of this report include
remediation for the problems discovered or not. If an exploitation succeeded, what are
the steps to return to the previous state and then move the system to a secure state?
5.6.
5.6.3. EXPLOITATION:
This step is an active step and might result in undesired consequences if executed
incorrectly. Usually, the Pen-Tester starts with a high-risk vulnerability, then goes down as the
risk decreases. Exploiting a vulnerability will initially give limited access to a system(s). To
accomplish the goal of the Pen-Test, the next steps are Escalate Privilege and then Maintain
Access. The following are sample parameters to be defined before the exploitation is
carried out, as indicated by an example in [KI01]:
Description: by taking advantage of the specified flaw, the whole email system will be
compromised
5.7.
Link up the results of the Vulnerability Assessment phase and use the most critical
ones to identify high-potential threats,
Exploit vulnerabilities and achieve more focused results in a pre-defined time frame,
Allow the Pen-Tester to run commands on the command shell of the remote targeted
system to explore further what's inside. This is the most obvious outcome of a Pen-Test.
Document your findings and propose a roll-back scenario to the previous state and a
solution to close the vulnerability, transferring the system to a secure state.
In [JM13] it is stated that the central objective of a penetration test is to exploit the
inherent security weaknesses in the defined scope regardless of which area of the
infrastructure this weakness belongs to.
5.8.
PENETRATION TOOLS
In this part, we will discuss the tools used in Penetration Testing for three major areas of
any IT Infrastructure. These areas are Wireless Network, Wired Network, and Web
Applications.
Wicd Network Manager discovers the SSID, encryption type, Access Point MAC
address, and channel number used for transmission. Using this tool will allow
us to check for the existence of any rogue Access Points or clients. This is achieved
by comparing the list of legitimate Access Points given by the Network
Administrator to the Pen-Tester with the list discovered by the tool. In a similar
way, we can apply this to illegitimate clients. In addition, we can check the
type of encryption configured on Access Points and advise if any
Access Points are using open authentication or weak encryption.
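The comparison just described, together with the encryption check, can be scripted over a wireless survey. The following is an added example and not Wicd's code: the survey is a constructed excerpt in the column layout airodump-ng uses for access points, the authorised list is what the Network Administrator would hand over, and the check reports unknown BSSIDs, "evil twins" that reuse a corporate SSID from an unknown BSSID, and authorised APs configured with open or weak encryption.

```python
"""Rogue access point and weak-encryption check from a wireless survey.

Added example. AUTHORISED and SURVEY_CSV are constructed sample data.
"""
import csv
import io

# Constructed authorised list: BSSID -> SSID, as provided by the administrator.
AUTHORISED = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "CorpGuest",
}

# Constructed survey (subset of the airodump-ng AP columns).
SURVEY_CSV = """\
BSSID, channel, Privacy, Cipher, Authentication, ESSID
00:11:22:33:44:01, 6, WPA2, CCMP, PSK, CorpWiFi
00:11:22:33:44:02, 11, WEP, WEP, , CorpWiFi
00:11:22:33:44:03, 1, OPN, , , CorpGuest
AA:BB:CC:DD:EE:FF, 6, WPA2, CCMP, PSK, CorpWiFi
DE:AD:BE:EF:00:01, 3, WPA2, CCMP, PSK, TP-LINK_1234
"""

# Privacy values that should not appear on a corporate AP.
WEAK = {
    "OPN": "open authentication",
    "WEP": "WEP (broken)",
    "WPA": "WPA/TKIP (deprecated)",
}


def parse_survey(text):
    """Return one dict per AP row with whitespace-trimmed keys and values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        rows.append({k.strip(): v.strip() for k, v in row.items()})
    return rows


def assess(survey, authorised):
    """Return (bssid, essid, finding) tuples for the report. An AP is judged
    by its BSSID, not its name: the name is exactly what an evil twin copies."""
    corp_ssids = set(authorised.values())
    findings = []
    for ap in survey:
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        if bssid not in authorised:
            if essid in corp_ssids:
                findings.append((bssid, essid, "evil twin: corporate SSID from unknown BSSID"))
            else:
                findings.append((bssid, essid, "rogue/unknown access point"))
            continue
        if authorised[bssid] != essid:
            findings.append((bssid, essid, "authorised BSSID broadcasting unexpected SSID"))
        if privacy in WEAK:
            findings.append((bssid, essid, "weak encryption: " + WEAK[privacy]))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_survey(SURVEY_CSV), AUTHORISED):
        print(finding)
```

The same shape of comparison applies to the client side: a list of corporate client MAC addresses against the stations the survey observed associating with corporate SSIDs.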
5.8.1.2.
5.8.1.3.
5.8.1.4.
5.8.1.5.
by Netstumbler and other tools. Also, Kismet has a GPSMap program that
locates Access Points on a map using a GPS device [BT11], [KL13].
5.8.1.6.
5.8.2.2.
5.8.3.2.
5.8.3.3.
5.8.3.4.
5.8.3.5.
NeXpose is a vulnerability scanner that can be used on its own through its GUI
version, or launched from the Metasploit Console (msfconsole). When
using the GUI version of NeXpose, results can be imported into the Metasploit
database.
5.8.3.6.
5.8.3.7.
5.9.
Hiring skilled and experienced professionals to carry out the test. Tools and software do not
replace experienced security professionals.
External testing from the internet side (outside of the company) does not simulate
internal hackers.
5.10.
Remove all files, tools, exploits and programs that were loaded onto the target.
Finally, and as a word of caution, the Pen-Tester should under no circumstances work
beyond or outside the scope of work and rules of engagement that were agreed upon
with the management of the company. Violating this principle will make the Pen-Tester
appear as an attacker in the eyes of law enforcement agencies and will give the company
the right to sue him/her for violating the scope of work and rules of engagement.
The reason for IT Director(s) to skip rootkit and backdoor installations was mentioned
indirectly by [PE13]. The author explains that once a rootkit has been installed, it can
be very difficult to remove, or at least to remove completely. Sometimes, rootkit removal
requires you to boot your machine into an alternate operating system and mount your
original hard drive. By booting your machine into an alternate operating system or mounting
the drive on another machine, you can scan the drive more thoroughly. Because the
original operating system will not be running and your scanner will not be using API calls
from an infected system, it is more likely you will be able to discover and remove the
rootkit. Even with all of this, oftentimes your best bet is to simply wipe the system,
including a full format, and start over [PE13].
6. RECTIFICATION:
The objectives of Covering Tracks/Maintaining Access, as stated in most literature on
colored (black and white) hacking, are as follows:
The following is a list of goals for maintaining a foothold:
However, there is no need for IT Director(s) to erase traces and plant backdoors. In my
opinion, the IT Director's goal does not meet any of the above objectives. For this reason,
the Covering Tracks/Maintaining Access phase was replaced by the Rectification Phase, which
meets IT Director(s)' requirements and their need to improve security.
6.1.
RECTIFICATION PHASE
This phase is divided into three parts: (1) rectification of an un-exploited vulnerability by
installing patches and changing configurations, (2) rectification of an exploited
vulnerability where an attacker has gained access, or (3) a search for possible traces of an attack.
Our focus will be on the last part. The first is very well known to most IT Director(s), and
System and Network administrators know exactly what to do about it. The second and third
parts are much more demanding and require a different set of tools. However, the third part is
the most challenging of the three. We will emphasize the last part.
[ER11] asks the following question in one of his trainings: How do you get rid of something
when you do not know whether you already have it? The answer to this question is not simple and requires
a lot of research and innovative thinking, but we will touch the surface of it in this module.
In this phase, IT Director(s) should employ various Forensic tools to discover any
planted malware, rootkit, or traces left by a hacker, spyware, and viruses. There are a lot of
open-source Forensic tools, but only a few of them will be useful in this phase to IT Director(s).
[JM13] mentions that Forensics is important after identifying that your web application or
other assets have been compromised, to avoid future negative impact, and this statement is
in accordance with our suggestion to use Forensic tools to find traces of hackers. However,
the challenge is where to look for these traces and what to collect.
In our scenario, we do not have a known victim machine, but we suspect the presence of a
rootkit, backdoor, or suspicious behavior on a system, or we want to keep our staff alert
by assuming a hacker was able to plant a backdoor.
What we will talk about is what an IT Director needs to do, and not about a real incident that
needs investigation, because the latter involves specialized people who are recognized in
a court of law as experts in the domain. In other words, it is not an investigation of an
attack; rather, it is a search for possible traces, backdoors, or rootkits in an environment.
However, the use of Forensic tools on all hosts will be tedious, especially in enterprise
organizations that might have thousands of hosts. Doing it randomly will also not be very
efficient. So how can we decide on which hosts to run these tools?
First, these tools shall be used on suspected machines. The suspected machines will be
determined based on the findings of two phases from our proposed model: the Anti-Reconnaissance
and the Vulnerability Assessment phases. E.g., we got traces from one of the
solutions implemented in the Anti-Reconnaissance Phase about a host that
was scanned for open ports by a suspect machine; another example is a host scanned by a
Security Analyst and found to have an unknown open port. These two hosts constitute two valid cases
for investigation by the tools described in this module. These two hosts are considered
suspected machines and might indicate the presence of rootkits, backdoors, traces of a
hacker, etc.
6.2. RECTIFICATION FUNDAMENTALS:
The following are the fundamentals that will be followed in this phase:
Notified parties: System owners, the Incident Handling team, and System, Application, and Network Admins.
Level of access: equivalent to root and Administrator. The analysts need full access, like a Forensic investigator, in order to examine the findings.
Delivery of a final report for this phase and all other phases, concluding with recommendations. Feedback to Anti-Reconnaissance tool users on any configuration changes needed to eliminate false positives.
6.3. OBJECTIVES/GOALS OF RECTIFICATION:
Evaluate the risk value of any traces of infected systems and/or data leaked or compromised, and invoke the Incident Handling procedure.
Document findings.
6.4.
There are several areas to examine and check in order to discover traces of malicious activity. Below are the most important areas for a Security Analyst to analyze, followed by tools that can be used in these areas:
File Analysis
Rootkit detection
Registry Analysis
There are other areas to analyze (e.g. memory), but those are handled by Forensics investigators, require very specialized skills, and will not be covered in our project.
6.5. RECTIFICATION TOOLS:
6.5.1. TCPDUMP/WINDUMP
TCPdump and its Windows counterpart WinDump are free, simple command-line tools. They are passive packet-capturing tools that neither have the capacity to alter traffic on the network nor interpret what they capture. TCPdump/WinDump serve as a starting point for non-experts before learning the more advanced tool Wireshark; TCPdump provides some of Wireshark's functionality. TCPdump is available in BackTrack and Kali Linux in addition to other *nix and Windows operating systems.
6.5.2. WIRESHARK
Please refer to Penetration Testing Module for complete description of the tool.
6.5.3. CHKROOTKIT
This tool is considered an anti-virus or anti-malware for Linux systems [JM13]. Chkrootkit scans the file system and checks whether a rootkit has been installed, or for any signs that indicate the presence of a rootkit. In addition, it checks for malware and Trojans on a suspected host. Chkrootkit is a command-line tool. You cannot rely 100% on Chkrootkit to discover rootkits, but it usually points to possible problems. Using other scanners such as MD5deep along with chkrootkit is a better solution. Both could be classified as HIDS because they scan a host for signs of un-customized public rootkits based on signatures and processes. One thing chkrootkit can do for sure is discover whether the installed version of Kali Linux or BackTrack is infected. Chkrootkit is available in Kali Linux and other distributions.
6.5.4. MD5DEEP
MD5Deep is a tool that computes hashes and message digests for one or more files. This helps security analysts identify changes that happened to system files and executable files. A package could be queried to check whether any of its binaries were changed. In addition, it has the option to scan a directory of files and generate an MD5 signature for each file. The drawback of this tool is that it does not have a GUI. Though it is CLI-based, it is simple to use. SHA/MD5 is similar to MD5Deep, but it has an easy-to-use GUI.
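As an added example (not code from the report or from the md5deep project), the following Python script reproduces the baseline-and-compare workflow described above using only hashlib: hash a directory tree, save an md5deep-style manifest while the host is trusted, and later report modified, added and removed files, plus the negative-matching idea behind md5deep's -X option (files whose hash is absent from a known-good set). The directory contents and file names are constructed inline for the demonstration.

```python
"""Baseline-and-compare file integrity check, in the spirit of md5deep (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithm="md5", chunk_size=65536):
    """Return the hex digest of one file, read in chunks so large binaries fit in memory.
    md5 mirrors md5deep's default; pass algorithm="sha256" where MD5 collisions matter."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, algorithm="md5"):
    """Recursively hash every regular file under root (like md5deep -r); keys are
    paths relative to root so a manifest from one host can be compared on another."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            # Skip symlinks and special files: do not follow links an intruder may have planted.
            if full.is_symlink() or not full.is_file():
                continue
            manifest[str(full.relative_to(root))] = hash_file(full, algorithm)
    return manifest


def write_manifest(manifest, out_path):
    """Write 'hash  relative/path' lines, the layout md5deep and md5sum both produce."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")


def read_manifest(path):
    """Parse a 'hash  path' manifest (md5deep/md5sum style) back into a dict."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, _, rel = line.partition("  ")
            manifest[rel] = digest
    return manifest


def compare_manifests(baseline, current):
    """Classify each path as modified, added or removed relative to the trusted baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def unknown_files(current, known_good_hashes):
    """Negative matching, what md5deep's -X option does: files whose hash is not in a
    known-good set (e.g. a vendor's package hashes). Unknown binaries deserve a look."""
    return sorted(p for p, h in current.items() if h not in known_good_hashes)


def demo():
    """Constructed scenario: baseline a fake bin directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        (root / "sbin").mkdir(parents=True)
        (root / "ls").write_bytes(b"original ls binary")  # constructed sample files
        (root / "ps").write_bytes(b"original ps binary")
        (root / "sbin" / "sshd").write_bytes(b"original sshd binary")
        baseline_path = Path(tmp) / "baseline.md5"
        write_manifest(hash_tree(root), baseline_path)  # taken while the host is trusted
        # Simulated tampering: a trojaned ps, a planted file, a deleted utility.
        (root / "ps").write_bytes(b"trojaned ps binary")
        (root / "sbin" / "bd").write_bytes(b"planted backdoor")
        (root / "ls").unlink()
        baseline = read_manifest(baseline_path)
        current = hash_tree(root)
        report = compare_manifests(baseline, current)
        report["unknown"] = unknown_files(current, set(baseline.values()))
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest must be stored off the suspected host (or on read-only media), since an intruder with root can rewrite a manifest kept locally just as easily as the binaries it covers.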
6.5.7. FATBACK
FatBack is a *nix tool for recovering data from problematic FAT file systems. It searches for data on a target based on its content. It works with single partitions or whole disks. Its strength is the ability to search for any malicious program or deleted logs that were present on the target and deleted to cover an attacker's traces.
6.5.8. NIKTO
Nikto is a web-server vulnerability scanner. After running a port scan and discovering a service running on port 80 or port 443, one of the first tools that should be used to evaluate the service is Nikto. Nikto automates the process of scanning web servers for out-of-date and unpatched software as well as searching for dangerous files and scripts that may be placed on web servers. Nikto is capable of identifying a wide range of specific issues and checks the server for misconfiguration [PE13].
Nikto has many advantages: it is very fast, and it bases its scans on plug-ins that can be updated manually by security experts. It updates its database with a simple command. It supports Nmap output as input for its scan. Multiple targets can be included in a file to be scanned simultaneously. It supports proxies and SSL (HTTPS). It is very simple to use and free.
Nikto has several limitations. It does not accept IP addresses as input. It does not support Digest or NTLM authentication, though NTLM works through an installed authorization proxy server. Since it is very fast, it will be detected by IDSs and might crash the server if the server is not able to handle the load. It is available on Linux and Windows.
7. CONCLUSION:
The main goal of the project, initially, was to discuss which of the security tools used by hackers and security consultants an IT Director can use. But during the development of the project, I found that developing a model to be followed by IT Director(s) in securing their environments, and describing the most used free tools, would be more useful than summarizing how the tools work and their features.
The model developed above is not a completely new one, but rather a customization of a methodology used by hackers and Security Analysts. I took the IT Director's requirements for securing the infrastructure he/she is managing and customized the hackers' methodology to do the same.
There are many studies, books, and articles describing how hackers of all colors conduct their work. However, very few of them consider this from an IT director's perspective.
For example, Reconnaissance, Escalation of Privileges, and Creation of Backdoors are very well known topics in this field. But Anti-Reconnaissance, Attacker Trace Discovery, and Rectification are rarely discussed. The traditional method for IT Director(s) is Defensive, while the proposed model is Offensive.
In this model I discussed each phase of the proposed model alone, and proposed several security tools or methodologies to be used in each phase. In each phase of the model, I limited my work to three major areas that are available in almost every environment. These areas are Wireless Networks, Wired Networks, and Web Applications. However, there are still many areas that could be addressed, like Databases, VOIP, PCI/DSS, RFID, SCADA, and many others.
Moreover, this Handbook is not intended to make the reader use the listed tools only and forget about other tools and techniques. It would be foolish to do so. Every environment has its own unique parameters, and the IT Director(s) will need to use this as a guide and not as a step-by-step process.
The above depicts a summary of what can be done, and alerts IT Director(s) not to be traditional in protecting his/her IT environment.
BIBLIOGRAPHY
[AO07] Angela Orebaugh, Gilbert Ramirez, Josh Burke, Greg Morris, Larry Pesce, Joshua Wright,
Wireshark & Ethereal Network Protocol Analyzer Toolkit, Syngress MA, USA, 2007
[BJ13] Benjamin Jackson, Home Field Advantage: Employing Active Detection Techniques, SANS
Institute, SANS Penetration Testing, 2013
[BT11] BackTrack R5 http://www.backtrack-linux.org/wiki/index.php/Main_Page
[CA12] Cory Altheide and Harlan Carvey, Digital Forensics with Open Source Tools, first edition,
Syngress, Waltham, MA, USA, 2012.
[CI12] Computer Emergency Response Team-India (Cert-in), EMPANELLED OF INFORMATION
SECURITY AUDITING ORGANISATIONS, 2012, www.cert-in.org.in/PDF/emprognew.pdf
[CY04] Chunmei Yin, Mingchu LI, Jianbo MA, Jizhou Sun, Department of Computer Science and
Technology, Tianjin University, Electrical and Computer Engineering, 2004. Canadian Conference
(Volume:2), Canada, 2004, pp. 1107-1110 Vol.2
[DF93] Dan Farmer and Wietse Venema, Improving the Security of Your Site by Breaking Into it, Sun Microsystems / Eindhoven University of Technology, 1993, http://www.dcs.ed.ac.uk/home/rah/Resources/Security/admin_guide_to_cracking.pdf
[DS13] Nova, Network Abfuscation and Virtualized Anti-Reconnaissance System, DataSoft,
http://www.datasoft.com, Tempe, AZ, USA, 2013
[EN07] Enkhbold Nyamsuren, Ho-Jin Choi, Preventing Social Engineering in Ubiquitous Environment, Future Generation Communication and Networking (FGCN 2007), Volume 2, 2007, pp. 573-577
[ER11] Eric Reed, EC-Council Certified Ethical Hacker v.7 Study Guide, Career Academy,
http://www.careeracademy.com/, 2011
[ES07] Eric Seagren, Secure Your Network for Free: Using Nmap, Wireshark, Snort, Nessus, and MRTG,
Syngress Publishing, Rockland, MA, USA, 2007
[FP13] Fedora Project, 2013, https://fedorahosted.org/security-spin/wiki/availableApps
[JG08] Jayant Gadge, Anish Anand Patil, Port Scan Detection, 16th IEEE International Conference on Networks (ICON 2008), New Delhi, 2008, pp. 1-6
[JA14] Jason Andress, Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, 2nd edition, Syngress, Waltham, MA, USA, 2014
[JB14] James Broad, Andrew Binder, Hacking with Kali Practical Penetration Testing Technique,
Syngress, 225 Wyman Street, Waltham, MA 02451, USA, 2014
[JD12] JP Dunning, Katana: Portable Multi-Boot Security Suite, 2012, http://www.hackfromacave.com/katana.html#katana_description
[JJ13] Josh Johnson, Implementing Active Defense Systems on Private Networks, The SANS Institute:
InfoSec Reading Room, 2013
[JM13] Joseph Muniz, Aamir Lakhani, Web Penetration Testing with Kali Linux, Packt Publishing,
Birmingham, Mumbai, India, 2013
[JP13] Josh Pauli, The basics of Web Hacking, Syngress, Waltham, MA, USA, 2013
[JS11] J. Michael Stewart, Network Security, Firewalls, and VPNs, Jones & Bartlett Learning, London,
UK, 2011
[JW07] Jack Wiles, Anthony Reyes, The Best Damn Cybercrime and Digital Forensics Book, Syngress,
Burlington, MA, USA, 2007
[KG07] Kimberly Graves, CEH Official Certified Ethical Hacker Review Guide, Wiley Publishing, Indiana,
USA, 2007
[KL13] Kali Linux, http://docs.kali.org/
[MA09] Mati Aharoni, Thomas d'Otreppe de Bouvette, BackTrack WiFu: An Introduction to Practical Wireless Attacks v.2.0 based on Aircrack-ng, Offensive Security Training Guide, Offensive Security LLC, 2009
[MA10] Mansour A. Alharbi, Writing a Penetration Testing Report, The SANS Institute, InfoSec Reading
Room, 2010
[MA13] Monika Agarwal, Abhinav Singh, Metasploit Penetration Testing Cookbook, Second Edition,
Packt Publishing, Birmingham, Mumbai, 2013
[MC08] Mark Carey, Paul Criscuolo, and Mike Petruzzi, Nessus Network Auditing, Second Edition,
Syngress Publishing, Burlington, MA, USA, 2008
[MD11] Mehiar Dabbagh, Ali J. Ghandour, Kassem Fawaz, Wissam El Hajj, Hazem Hajj, Slow Port
Scanning Detection, Department of Electrical and Computer Engineering, American University of
Beirut, Information Assurance and Security (IAS), 2011 7th International Conference, Melaka, 2011,
pp. 228-233
[MM06] Martin Mink, Felix C. Freiling, Is attack better than defense?: teaching information security the right way, InfoSecCD '06: Proceedings of the 3rd annual conference on information security curriculum development, 2006, pp. 44-48
[ML13] Matriux LENNDROS, http://www.matriux.com/index.php?page=arsenal
[NS03] S. Nichols, Big Brother is Watching: An Update on Web Bugs, SANS Institute InfoSec Reading Room, 2003, https://www.sans.org/reading_room/whitepapers/threats/big-brotherwatching-update-webbugs_445
[OS98] The Open Source Definition | Open Source Initiative, http://opensource.org/docs/osd
[PE13] Patrick Engebretson, The Basics of Hacking and Penetration Testing, 2nd Edition, Syngress,
Waltham, MA, USA, 2013
[RE07] E. Rabinovitch, Staying Protected from Social Engineering, IEEE Communications Magazine, Volume 45, Issue 9, 2008, pp. 20-21
[SD06] Steven Drew, Vulnerability Assessment Versus Penetration Tests, Dell SecureWorks, June 2006,
http://www.secureworks.com/resources/newsletter/2006-03/
[SF13] Snort, Source Fire, License, http://www.snort.org/snort/license, 2014.
[SI07] The SANS Institute, Assessing and Securing Wireless Networks: Wireless Architecture and RF
Fundamentals, SANS GWAN 617 study guide, 2007
[SI14] webshag - Software Informer, http://webshag.software.informer.com/ 2014.
[SO11] Sean-Philip Oriyano, Michael Gregg, Hacker Techniques, Tools and Incident Handling, Jones &
Bartlett Learning, London, UK, 2011
[SW13] Steve Winterfeld, Jason Andress, The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice, Syngress, Waltham, MA, USA, 2013
[TC08] Team Cymru, Who is Looking for your SCADA infrastructure?, Briefing paper, Team Cymru Community Services, 2008, http://www.teamcymru.com/ReadingRoom/Whitepapers/2009/scada.pdf
[TB07] Tanya Baccam, The SANS Institute, Auditing Networks, Perimeters and Systems (SANS 507)
Study Guide Book1, 2007.
[WP12] Willie Pritchett, David De Smet, BackTrack 5 Cookbook, Packt Publishing, Birmingham, UK,
2012
[WP13] Willie L. Pritchett, David De Smet, Kali Linux Cookbook, Packt Publishing, Birmingham, UK, 2013
APPENDIX A
List of tool functions in the BackTrack package [BT11]:
BackTrack Distribution includes the following major tool categories:
Information Gathering
Network Analysis
DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce,
lbd, maltego, reverseraider)
Identify Live Hosts (0trace, alive6, arping, detect-new-ip6, dnmap, fping, hping2,
hping3, netdiscover, netifera, nmap, nping, pbnj, sctpscan, svwar, trace6,
traceroute, wol-e, zenmap)
IDS IPS Identification (fragroute, fragrouter, ftester, hexinject, pytbull, sniffjoke)
Network Scanners (autoscan, davtest, implementation6, implementation6d,
netifera, nmap, scapy, unicornscan, unicornscan-pgsql-setup, zenmap)
Network Traffic Analysis (Scapy, tcpdump, tshark, wireshark)
OS Finger Printing (nmap, p0f, sctpscan, xprobe2, zenmap)
OSINT Analysis (creepy, jigsaw)
Route Analysis (Dmitry, netmask, scapy, tcptraceroute)
Service Fingerprinting (amap, dmitry, httprint, httsquash, Miranda, nbtscan, ncat,
nmap, sslscan, zenmap)
SMB Analysis (samrdump, smbclient)
SMTP Analysis (maltego, nmap, smtprc, smtpscan, smtp-user-enum, swaks,
zenmap)
SNMP Analysis (admsnmp, braa, onesixtyone, snmpcheck, snmpenum)
SSL Analysis (sslcaudit, ssldump, sslh, sslsniff, sslstrip, sslyze, testssl.sh,
thcsslcheck, tlssled)
Telephony Analysis (dedected, iwar, svmap, warvox)
VOIP Analysis (ace, enumiax, iwar, sip-scan, smap, voiphoney)
VPN Analysis (fiked, ike-scan)
Web Application Analysis
CMS Identification (blindelphant, cms-explorer, dpscan, whatweb)
IDS IPS Identification (ua-tester, waffit)
Open Source Analysis (casefile, ghdb, goofile, maltego, revhosts, revhosts-cli,
urlcrazy, xssed)
Web Crawlers (apache-users, deblaze, dirb, golismero, sqlscan, webshag-cli,
webshag-gui)
Database Analysis
MSSQL Analysis (sqlbrute, sqldict, sqllhf, sqlmap, sqlninja)
MySQL Analysis (sqlmap)
Oracle Analysis (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl,
sqlbrute, sqlmap, tnscmd10g)
Others (bbqsql, dbpwaudit)
Wireless Analysis
BlueTooth Analysis (bluediving, blueranger, btscanner, hcidump)
APPENDIX B
List of tool functions in the Kali Linux package: (http://www.kali.org/ and http://docs.kali.org/)
[JB14] and [KL13] list the most used tools in Kali Linux and all the commands used to launch a tool in Kali Linux.
The Kali Linux platform comes preloaded with over 400 tools that can be used for the various stages of a penetration test or an ethical hacking engagement. The following table lists each tool and its location in the Kali Linux menu structure.
Menu          Activity Menu   Application
Kali Linux    Top 10          aircrack-ng
Kali Linux    Top 10          burpsuite
Kali Linux    Top 10          hydra
Kali Linux    Top 10          john
Kali Linux    Top 10          maltego
Kali Linux    Top 10          metasploit framework
Kali Linux    Top 10          nmap
Kali Linux    Top 10          sqlmap
Kali Linux    Top 10          wireshark
Kali Linux    Top 10          zaproxy
The Kali Linux Distribution includes the following major tool categories:
Information Gathering
DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnsrevenum6, dnstracer,
dnswalk, fierce, maltego, nmap, urlcrazy)
IDS/IPS Identification (fragroute, fragrouter, wafw00f)
Live Hosts Identification (alive6, arping, cdpsnarf, detect-new-ip6, detect_sniffer6,
Dmitry, dnmap-client, dnmap-server, fping, hping3, inverse_lookup6, Miranda,
ncat, netdiscover, nmap, passive_discovery6, thcping6, wol-e, xprobe2)
Network Scanners (dmitry, dnmap-client, dnmap-server, netdiscover, nmap)
OS Fingerprinting (dnmap-client, dnmap-server, Miranda, nmap)
OSINT Analysis (casefile, creepy, dmitry, jigsaw, maltego, metagoofil,
theharvester, twofi, urlcrazy)
Route Analysis (dnmap-client, dnmap-server, intrace, netmask, trace6)
Service Fingerprinting (dnmap-client, dnmap-server, implementation6,
implementation6d, ncat, nmap, sslscan, sslyze, tlssled)
SMB Analysis (acccheck, nbtscan, nmap)
SMTP Analysis (nmap, smtp-user-enum, swaks)
SNMP Analysis (braa, cisco-auditing-tool, cisco-torch, copy-router-config, merge-router-config, nmap, onesixtyone, snmpcheck)
SSL Analysis (sslcaudit, ssldump, sslh, sslscan, sslsniff, sslstrip, sslyze, stunnel4,
tlssled)
Telephony Analysis (ace)
Traffic Analysis (cdpsnarf, intrace, irpas-ass, irpas-cdp, p0f, tcpflow, wireshark)
Exploitation Tools
BEEF XSS Framework
Cisco Attacks (cisco-auditing-tool, cisco-global-exploiter, cisco-ocs, cisco-torch,
yersinia)
Exploit Database (searchsploit)
Metasploit (Metasploit Community/Pro, Metasploit diagnostic logs, Metasploit
diagnostic shell, Metasploit Framework, Update metasploit)
Network Exploitation (exploit6, ikat, jboss-autopwn-win, jboss-autopwn-linux,
termineter)
Social Engineering (se-toolkit)
Sniffing/Spoofing
Network Sniffers (darkstat, dnschef, dnsspoof, dsniff, ettercap-graphical,
hexinject, mailsnarf, msgsnarf, netsniff-ng, passive_discovery6, sslsniff, tcpflow,
urlsnarf, webmitm, webspy, wireshark)
Network Spoofing (dnschef, ettercap-graphical, evilgrade, fake_advertise6,
fake_dhcps6, fake_dns6, fake_mldrouter6, fake_router26, fake_router6,
fake_solicitate6, fiked, macchanger, parasite6, randicmp6, rebind, redir6,
sniffjoke, sslstrip, tcpreplay, wifi-honey, Yersinia)
Voice and Surveillance (msgsnarf)
VoIP Tools (iaxflood, inviteflood, ohrwurm, protos-sip, rtpbreak, rtpflood,
rtpinsertsound, rtpmixsound, sctpscan, siparmyknife, sip, sipsak, svcrash, svmap,
svreport, svwar, voiphopper)
Web Sniffers (burpsuite, dnsspoof, driftnet, ferret, mitmproxy, urlsnarf,
webmitm, webscarab, webspy, zaproxy)
Maintaining Access
OS Backdoors (cymothoa, dbd, intersect, powersploit, sbd, u3-pwn)
Tunneling Tools (cryptcat, dbd, dns2tcpc, iodine, miredo, ncat, proxychains,
proxytunnel, ptunnel, pwnat, sbd, socat, sslh, udptunnel)
Web Backdoors (webacoo, weevely)
Reverse Engineering
Debuggers (edb-debugger, ollydbg)
Disassembly (jad, rabin2, radiff2, rasm2)
Misc RE Tools (apktool, clang, clang++, dex2jar, flasm, javasnoop, radare2, rafind2,
ragg2, ragg2-cc, rahash2, rarun2, rax2)
Stress Testing
Network Stress Testing (denial6, dhcpig, dos-new-ip6, flood_advertise6,
flood_dhcpc6, flood_mld6, flood_mldrouter6, flood_solicitate6, fragmentation6,
inundator, kill_router6, macof, rsmurf6, siege, smurf6, t50)
VOIP Stress Testing (iaxflood, inviteflood)
Web Stress Testing (thc-ssl-dos)
WLAN Stress Testing (Mdk3, reaver)
Hardware Hacking
Android Tools (android-sdk, apktool, baksmali, dex2jar, smali)
Arduino Tools (arduino)
Forensics
Anti-Virus Forensics Tools (chkrootkit)
Digital Anti Forensics (chkrootkit)
APPENDIX C
[ML13] describes the tools available in the Matriux Arsenal.
The Matriux Arsenal contains a huge collection of more than 300 of the most powerful and versatile security and penetration testing tools. The Matriux Arsenal includes the following tools / utilities / libraries (the eta release will contain only a few of the listed tools). (Copied from: http://www.matriux.com/index.php?page=arsenal)
Reconnaissance
DNS
- chaosmap
- DIG
- DNSTracer
- DNSWalk
- rebind
HTTrack
- HTTrack
- WebHTTrack Website Copier
- Browse Mirrored Websites
- Chaosreader
- Deepmagic Information Gathering Tool
- dradis framework
- dsniff password sniffer
- EtherApe
- EtherApe (root)
- fragroute
- magictree
- peepdf
- quickrecon
- tcpdump
- tcpslice
- tcptrace
- tcptraceroute
- vidalia
- Network Analyzer (Wireshark)
- xtrace
Scanning
Cisco
- CDP Packet Generator
Angry IP Scan
CryptCat
ettercap console
Ettercap Gui
file2cable
Web Server Fingerprinting Tool
gggooglescan
metagoofil
icmpush
icmpquery
IRDP Packet Sender
IRDP Responder Packet Sender
Netcat
netenum
netmask
Nmap
Nmap Si4 Full mode
Nmap Si4 user mode
Nmap Si4 Logr
ostinato
p0f
sinfp
snacktime
Paris Traceroute
Pastenum
Protocol Scanner
Parallel Internet Measurement Utility
t50
tctrace
THC-Amap
wapiti
Zenmap
Zenmap(root)
bsqlbf
minimysqlat0r
pblind
sqlibf
sqlinjtools
sqlmap
SQLninja
sqlid
sqlsus
THC-IPv6
address6
alive6
covert_send6
covert_send6d
denial6
detect-new-ipv6
detect_sniffer6
dnsdict6
dnsrevenum6
dnssecwalk
dos-new-ip6
dump_router6
exploit6
detectnewip6
fakemipv6
fake_mld26
fake_mld6
fake_mldrouter6
fake_router6
fakeadvertise6
fuzzip6
implementation6
- implementation6d
- parasite6
- redir6
- rsmurf6
- sendpees6
- smurf6
- thcping6
- toobig6
- trace6
Mac Changer
sipcrack
Framework
Inguma
- Inguma-cli
- Inguma-gui
Metasploit Framework
- armitage
- msfconsole
- msfpro
- msfupdate
SET
- SET Console Mode
- SET web mode
w3af
- w3af console
- w3af gui
socat
Radio
BeEF
Grendel-Scan
HTTP Request Exploit Framework
isr-evilgrade
Mantra Framework
skipfish
webscarab
shell storm framework
yersinia
WSFuzzer
subterfuge
Burpsuite
g0tbeEF
Maltego
Bluetooth
bluemaho
blueper
bluescan
bluesnarfer
bss
carwhisperer
haraldscan
kismet
kismet
kismet client
kismet drone
kismet server
reaver-wps
reaver
reaverwash
voip
- sipvicious
- authtool
- enumiax
- iaxscan
- scapy
- SIP Proxy
- Voiper
airbase-ng
aircrack-ng
airdecap-ng
airdecloak-ng
airdriver-ng
aireplay-ng
airmon-ng
airodump-ng
airolib-ng
airoscript-ng
airserv-ng
airtun-ng
buddy-ng
chapcrack-ng
cowpatty
fern wifi cracker
gerix wificracker
grimwepa
packetforge-ng
pyrit
wepbuster
weplab
wesside-ng
whichdriver
wicd
WiFi Radar
Wifite
Digital-Forensics
Acquisition
- Automated Image & Restore
- galleta
- volatilitux
- steghide
- volatility
- Guymager
Analysis
- bokken & pyew
- Androguard
- apk inspector
- Start Autopsy
- Autopsy Forensics Browser
- foremost
- forensic data identifier
- Gparted
- iphone analyzer
- Jbrofuzz
- mmsdec
- scalpel
- Pasco
- steghide
- Vinetto
- Start WarVOX
- Open WarVOX Web Interface
- Xplico Console Mode (Internet Traffic Decoder)
- Xplico Web Interface (Internet Traffic Decoder)
Digital Forensic Framework
- DFF console
- DFF GUI
metaextractors
- antiword
- catdoc
- exifcom
- exifgrep
- exiflibtool
- exifprobe
- exiftags
- exiftime
- exiftool
exiv2
flare
flasm
jhead
pdffonts
pdfimages
pdfinfo
pdftops
pdftotext
pngchunks
pngcp
pngcrush
pnginfo
dcfldd
Draugr
Extensive File Dumper
Mobius Forensic Toolkit
pyflag
testdisk
warrick
Dhash
PCI-DSS
- babel console
- babel server
- ccsrch
- code janitor
- dep-checker
- eramba
- fossbarcode scan
- fossology
- ftimes
- openpscan
- panbuster
- seNF
- Spider Helix Process
- Spider Helix Server
- strings
- stunnel
- verinice
Debugger
- boomerang
Tracer
Crash
ddd
dissy
e2dbg
gdb
gdbserver
hexedit
efence
JavaScript Lint
netifera
valgrind
Leak-Tracer
- Leak Analyze
- Leak Check
- etrace
- latrace
- ltrace
- pstack
- strace
Misc
Fuzzers
- JbroFuzzer
- zzuf
sipvicious
- svcrack
- svcrash
- svlearnfp
- svmap
- svreport
- svwar
- burpsuite
- geoipgen
- packetpig
- PE file analysis toolkit
- pytbull
- ROP gadget
- Scamper
- sslstrip
- stegoshare
- truecrypt
Services
apache start
apache stop
metasploit start
metasploit stop
mysql start
mysql stop
postgresql start
postgresql stop
APPENDIX D
The following packages currently exist in Fedora and are part of the Fedora Security Lab. Not all packages are available on the Fedora Security Live CD. (The following tool list was copied from https://fedorahosted.org/security-spin/wiki/availableApps)
1. Code Analysis
splint - An implementation of the lint program
pscan - Limited problem scanner for C source files
flawfinder - Examines C/C++ source code for security flaws
rats - Rough Auditing Tool for Security
2. Forensics
ddrescue - Data recovery tool trying hard to rescue data in case of read errors
gparted - Gnome Partition Editor
testdisk - Tool to check and undelete partitions; PhotoRec recovers lost files
foremost - Recover files by "carving" them from a raw disk
sectool-gui - GUI for sectool, a security audit system and intrusion detection system
unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
examiner - Utility to disassemble and comment foreign executable binaries
srm - Secure file deletion
nwipe - Securely erase disks using a variety of recognized methods
firstaidkit-gui - FirstAidKit GUI
xmount - An on-the-fly converter for multiple hard disk image types
dc3dd - Patched version of GNU dd for use in computer forensics
afftools - Utilities for afflib
scanmem - Simple interactive debugging utility
sleuthkit - The Sleuth Kit (TSK)
scrub - Disk scrubbing program
ht - File editor/viewer/analyzer for executables
driftnet - Network image sniffer
binwalk - Firmware analysis tool
scalpel - Fast file carver working on disk images
pdfcrack - A password recovery tool for PDF files
wipe - Secure file erasing tool
safecopy - Safe copying of files and partitions
hfsutils - Tools for reading and writing Macintosh HFS volumes
cmospwd - BIOS password cracker utility
3. General
security-menus - Menu structure for the Security Spin - Fedora Package Database - Bug Reports
nc6 - Netcat with IPv6 support - Fedora Package Database - Bug Reports
mc - User-friendly text console file manager and visual shell - Fedora Package Database - Bug Reports
screen - A screen manager that supports multiple logins on one terminal - Fedora Package Database - Bug Reports
macchanger - A utility for viewing/manipulating the MAC address of network interfaces - Fedora Package Database - Bug Reports
ngrep - Network layer grep tool - Fedora Package Database - Bug Reports
ntfs-3g - Linux NTFS userspace driver - Fedora Package Database - Bug Reports
ntfsprogs - NTFS filesystem libraries and utilities - Fedora Package Database - Bug Reports
pcapdiff - Compares packet captures, detects forged, dropped or mangled packets - Fedora Package Database - Bug Reports
net-snmp - A collection of SNMP protocol tools and libraries - Fedora Package Database - Bug Reports
openvas-scanner - Open Vulnerability Assessment (OpenVAS) Scanner - Fedora Package Database - Bug Reports
hexedit - A hexadecimal file viewer and editor - Fedora Package Database - Bug Reports
irssi - Modular text mode IRC client with Perl scripting - Fedora Package Database - Bug Reports
powertop - Power consumption monitor - Fedora Package Database - Bug Reports
mutt - A text mode mail user agent - Fedora Package Database - Bug Reports
4. Intrusion Detection
chkrootkit - Tool to locally check for signs of a rootkit - Fedora Package Database - Bug Reports
aide - Intrusion detection environment - Fedora Package Database - Bug Reports
pads - Passive Asset Detection System - Fedora Package Database - Bug Reports
rkhunter - A host-based tool to scan for rootkits, backdoors and local exploits - Fedora Package Database - Bug Reports
labrea - Tarpit (slow to a crawl) worms and port scanners - Fedora Package Database - Bug Reports
nebula - Intrusion signature generator - Fedora Package Database - Bug Reports
tripwire - IDS (Intrusion Detection System) - Fedora Package Database - Bug Reports
prelude-lml - The Prelude log analyzer - Fedora Package Database - Bug Reports
5. Network Statistics
iftop - Command line tool that displays bandwidth usage on an interface - Fedora Package Database - Bug Reports
scamper - A network measurement tool - Fedora Package Database - Bug Reports
iptraf-ng - A console-based network monitoring utility - Fedora Package Database - Bug Reports
iperf - Measurement tool for TCP/UDP bandwidth performance - Fedora Package Database - Bug Reports
nethogs - A tool resembling top for network traffic - Fedora Package Database - Bug Reports
uperf - Network performance tool with modelling and replay support - Fedora Package Database - Bug Reports
nload - A tool that monitors network traffic and bandwidth usage in real time - Fedora Package Database - Bug Reports
ntop - A network traffic probe similar to the UNIX top command - Fedora Package Database - Bug Reports
trafshow - A tool for real-time network traffic visualization - Fedora Package Database - Bug Reports
vnstat - Console-based network traffic monitor - Fedora Package Database - Bug Reports
6. Password Tools
john - John the Ripper password cracker - Fedora Package Database - Bug Reports
sucrack - A su cracker - Fedora Package Database - Bug Reports
ophcrack - Free Windows password cracker based on rainbow tables - Fedora
Package Database - Bug Reports
medusa - Parallel brute forcing password cracker - Fedora Package Database - Bug Reports
pwgen - Automatic password generation - Fedora Package Database - Bug Reports
ncrack - High-speed network auth cracking tool - Fedora Package Database - Bug Reports
hydra - Very fast network log-on cracker - Fedora Package Database - Bug Reports
7. Reconnaissance
xprobe2 - Xprobe2 is an active operating system fingerprinting tool - Fedora Package Database - Bug Reports
dsniff - Tools for network auditing and penetration testing - Fedora Package Database - Bug Reports
sslscan - Security assessment tool for SSL - Fedora Package Database - Bug Reports
snmpcheck - A utility to get information via SNMP protocols - Fedora Package Database - Bug Reports
samdump2 - Retrieves syskey and extracts hashes from Windows 2k/NT/XP/Vista SAM - Fedora Package Database - Bug Reports
bkhive - Dump the syskey bootkey from a Windows system hive - Fedora Package Database - Bug Reports
tcpick - A TCP stream sniffer, tracker and capturer - Fedora Package Database - Bug Reports
tcpflow - Network traffic recorder - Fedora Package Database - Bug Reports
dnsmap - Sub-domain bruteforcer - Fedora Package Database - Bug Reports
whois - Improved WHOIS client - Fedora Package Database - Bug Reports
paris-traceroute - A network diagnosis and measurement tool - Fedora Package Database - Bug Reports
nmbscan - NMB/SMB network scanner - Fedora Package Database - Bug Reports
slowhttptest - An application layer DoS attack simulator - Fedora Package Database - Bug Reports
httpry - A specialized packet sniffer designed for displaying and logging HTTP traffic - Fedora Package Database - Bug Reports
pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker - Fedora Package Database - Bug Reports
onesixtyone - An efficient SNMP scanner - Fedora Package Database - Bug Reports
raddump - RADIUS packet interpreter - Fedora Package Database - Bug Reports
ArpON - ARP handler inspection - Fedora Package Database - Bug Reports
tcpreen - A TCP/IP re-engineering and monitoring program - Fedora Package Database - Bug Reports
tcpreplay - Replay captured network traffic - Fedora Package Database - Bug Reports
siege - HTTP regression testing and benchmarking utility - Fedora Package Database - Bug Reports
inception - A FireWire physical memory manipulation tool - Fedora Package Database - Bug Reports
bannergrab - A banner grabbing tool - Fedora Package Database - Bug Reports
mausezahn - A fast, versatile packet generator - Fedora Package Database - Bug Reports
arp-scan - Scanning and fingerprinting tool - Fedora Package Database - Bug Reports
mtr - A network diagnostic tool - Fedora Package Database - Bug Reports
sslsplit - Transparent and scalable SSL/TLS interception - Fedora Package Database - Bug Reports
fping - Scriptable, parallelized ping-like utility - Fedora Package Database - Bug Reports
8. VoIP
sipsak - SIP swiss army knife - Fedora Package Database - Bug Reports
sipp - SIP test tool / traffic generator - Fedora Package Database - Bug Reports
10. Wireless
aircrack-ng - 802.11 (wireless) sniffer and WEP/WPA-PSK key cracker - Fedora Package Database - Bug Reports
airsnort - Wireless LAN (WLAN) tool which recovers encryption keys - Fedora Package Database - Bug Reports
kismet - WLAN detector, sniffer and IDS - Fedora Package Database - Bug Reports
weplab - Analyzing WEP encryption security on wireless networks - Fedora Package Database - Bug Reports
cowpatty - WPA password cracker - Fedora Package Database - Bug Reports
wavemon - Ncurses-based monitoring application for wireless network devices - Fedora Package Database - Bug Reports
horst - A highly optimized radio scanning tool - Fedora Package Database - Bug Reports
kismon - A simple GUI client for kismet - Fedora Package Database - Bug Reports