<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Security Scanners LG #57</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
WIDTH="600" HEIGHT="124" border="0"></H1></A>

<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="sipos.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P>
<!--===================================================================-->

<center>
<H1><font color="maroon">Security Scanners</font></H1>
<H4>By <a href="mailto:kapil@linux4biz.net">Kapil Sharma</a></H4>
</center>
<P> <HR> <P>

<!-- END header -->

<P> "A scanner is a program that automatically detects security weaknesses in a
remote or local host." Scanners are important to Internet security because
they reveal weaknesses in the network. System administrators can strengthen the
security of their networks by scanning those networks themselves. The primary
attributes of a scanner should be:
<UL>
<LI> The capability to find a machine or network.
<LI> The capability to find out what services are being run on the host
(once having found the machine).
<LI> The capability to test those services for known holes.
</UL>

<P> There are various tools available for Linux system scanning and intrusion
detection. I will explain some of the best-known tools available. I have divided
the scanners into three categories:
<OL>
<LI> Host Scanners
<LI> Network Scanners
<LI> Intrusion Scanners
</OL>

<p><b><u>Host scanners</u></b> <br>
Host scanners are software you run locally on the system to probe for problems.
<p><b>COPS</b>
<br>
COPS is a collection of security tools designed specifically to aid the typical
UNIX system administrator, programmer, operator, or consultant in the oft-neglected
area of computer security. COPS is available at: <a href="http://www.fish.com/cops">http://www.fish.com/cops</a>
<p><b>Tiger</b>
<br>
Tiger is a UNIX security checker: a package of Bourne shell scripts, C code and
data files used to check a UNIX system for security problems. It scans system
configuration files, file systems, and user configuration files for possible
security problems and reports them. You can get it from:
<a href="http://www.giga.or.at/pub/hacker/unix">http://www.giga.or.at/pub/hacker/unix</a>
<p><b>check.pl</b>
<br>
check.pl is a Perl script that looks through your entire filesystem (or just the
directory you tell it to) for suid, sgid, sticky, and writable files. You should run
it as a regular user, maybe once a week, to check for permission problems. It
will output a list of questionable files to stdout, which you can redirect wherever
you like. It's available at: <a href="http://opop.nols.com/proggie.html">http://opop.nols.com/proggie.html</a>.

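<p>As an added example (not check.pl itself, nor any code from this article), here is the same kind of host-side permission audit written in Python: it walks a directory tree and lists entries that are suid, sgid, sticky or world-writable. The tree it audits is constructed inline as throwaway test data, and the function names are the example's own.

```python
# Added example, not check.pl itself: a host-side permission audit in the same
# spirit. It walks a tree and reports entries that are setuid, setgid, sticky or
# world-writable, so the list can be diffed from week to week. Safe to run as a
# regular user: unreadable directories are skipped rather than aborting the walk.
import os
import stat
import tempfile

# Flag name keyed by the st_mode bit that triggers it.
FLAG_BITS = {
    stat.S_ISUID: "suid",
    stat.S_ISGID: "sgid",
    stat.S_ISVTX: "sticky",
    stat.S_IWOTH: "world-writable",
}


def classify(mode):
    """Return the flag names set in a raw st_mode value, in FLAG_BITS order."""
    return [name for bit, name in FLAG_BITS.items() if mode & bit]


def audit_tree(root):
    """Return {path: [flags]} for every questionable file or directory below root.

    Symlinks are skipped (lstat is used) so a link to a setuid binary is not
    reported twice; a world-writable directory lacking the sticky bit counts too.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: keep going
            flags = [] if stat.S_ISLNK(st.st_mode) else classify(st.st_mode)
            if flags:
                findings[path] = flags
    return findings


def build_sample_tree():
    """Constructed test data: a throwaway tree with one file per mode of interest."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for name, mode in {"suid_bin": 0o4755, "sgid_bin": 0o2755,
                       "scratch": 0o666, "plain": 0o644}.items():
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    return root
```

Point audit_tree at a real path such as /usr/local and keep the previous run's output, since a new suid file appearing between two weekly runs is the finding that matters.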
<p><b><u>Network scanners</u></b> <br>
Network scanners are run from a host and pound away on other machines, looking
for open services. If you can find them, chances are an attacker can too. These
are generally very useful for ensuring your firewall works.
<p><b>NSS (Network Security Scanner):</b> <br>
NSS is a Perl script that scans either individual remote hosts or entire subnets
of hosts for various simple network security problems. It is extremely fast.
Routine checks that it can perform include the following:
<ol>
<li> sendmail
<li> Anonymous FTP
<li> NFS exports
<li> TFTP
<li> hosts.equiv
<li> xhost
</ol>
NSS can be found at: <a href="http://www.giga.or.at/pub/hacker/UNIX">http://www.giga.or.at/pub/hacker/UNIX</a>
<p><b>SATAN (Security Administrator's Tool for Analyzing Networks):</b> <br>
SATAN is an automated network vulnerability search and report tool that provides
an excellent framework for expansion. SATAN scans remote hosts for most known
holes:
<ol>
<li> FTPD vulnerabilities and writable FTP directories
<li> NFS vulnerabilities
<li> NIS vulnerabilities
<li> RSH vulnerability
<li> sendmail
<li> X server vulnerabilities
</ol>
SATAN performs these probes automatically and presents the results in an
extremely easy to use package. <br>
You can obtain SATAN from: <a href="http://www.fish.com/satan/">http://www.fish.com/satan/</a>
<p><b>Strobe:</b>
<br>
Strobe is a super-optimised TCP port surveyor. It is a network/security tool that
locates and describes all listening TCP ports on a (remote) host, or on many
hosts, in a manner that maximises bandwidth utilisation and minimises process
resource use. It is simple to use and very fast, but doesn't have any of the features
newer port scanners have. <br>
Strobe is available at: <a href="ftp://suburbia.net/pub/">ftp://suburbia.net/pub/</a>.
<p><b>Nmap</b>:
<br>
Nmap is a newer and much more fully-featured host scanning tool. <br>
Specifically, nmap supports:
<ul>
<li> Vanilla TCP connect() scanning</li>
<li> TCP SYN (half open) scanning</li>
<li> TCP FIN, Xmas, or NULL (stealth) scanning</li>
<li> TCP ftp proxy (bounce attack) scanning</li>
<li> SYN/FIN scanning using IP fragments (bypasses some packet filters)</li>
<li> TCP ACK and Window scanning</li>
<li> UDP raw ICMP port unreachable scanning</li>
<li> ICMP scanning (ping-sweep)</li>
<li> TCP Ping scanning</li>
<li> Direct (non portmapper) RPC scanning</li>
<li> Remote OS Identification by TCP/IP Fingerprinting</li>
<li> Reverse-ident scanning</li>
</ul>
<p> Nmap is available at: <a href="http://www.insecure.org/nmap/index.html">http://www.insecure.org/nmap/index.html</a>.

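<p>As an added example, not Nmap's code or any code from this article, here is the first scan type in that list, the vanilla TCP connect() scan, written in Python and run against a listener constructed on 127.0.0.1. It shows the three states an administrator sees when checking their own firewall (open, closed and filtered) and why this scan type needs no privileges. The function names are the example's own.

```python
# Added example, not Nmap's own code: the "vanilla TCP connect()" scan that Nmap
# lists first, reduced to its essence, for inventorying which services a host you
# administer exposes. Every probe completes a full three-way handshake, so no
# privileges are needed and each probe appears in the target's logs; for an
# administrator that audit trail is a feature. A listener is constructed inline
# so the example runs offline against 127.0.0.1.
import socket


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A completed connect() means something is listening; ECONNREFUSED (an RST)
    means the host is up but nothing listens there; a timeout or other network
    error usually means a packet filter dropped the SYN, which is exactly what a
    correctly firewalled port should look like from outside.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes TimeoutError
        return "filtered"


def scan(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def sample_target():
    """Constructed fixture: one listening socket plus one port known to be closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # never connected, so no TIME_WAIT: the port is simply closed
    return listener, listener.getsockname()[1], closed_port


if __name__ == "__main__":
    listener, open_port, closed_port = sample_target()
    for port, state in sorted(scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp {state}")
    listener.close()
```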
<p><b>Network Superscanner</b>: <br>
<a href="http://members.tripod.de/linux_progz/">http://members.tripod.de/linux_progz/</a>
<p><b>Portscanner</b>:
<br>
PortScanner is a network utility designed specifically to "scan" for listening
TCP ports. It uses a simple method to achieve its goal, and it is extremely
compact considering all of the options it offers. It's open source and
free to use; you can get it at: <a href="http://www.ameth.org/%7Eveilleux/portscan.html">http://www.ameth.org/~veilleux/portscan.html</a>.
<p><b>Queso:</b>
<br>
Queso is a tool to detect what OS a remote host is running, with a pretty good
degree of accuracy. Using a variety of valid and invalid TCP packets to probe the
remote host, it checks the responses against a list of known responses for various
operating systems, and will tell you which OS the remote end is running. You
can get Queso from: <a href="http://www.apostols.org/projectz/queso/">http://www.apostols.org/projectz/queso/</a>.
<p><u><b>Intrusion Scanners</b></u> <br>
Intrusion scanners are software packages that will actually identify vulnerabilities,
and in some cases allow you to actively try and exploit them.
<p><b>Nessus:</b>
<br>
Nessus is very fast and reliable, and has a modular architecture that allows you
to fit it to your needs. Nessus is one of the best intrusion scanning tools.
It has a client/server architecture: the server currently runs on Linux, FreeBSD,
NetBSD and Solaris; clients are available for Linux and Windows, and there is a
Java client. Nessus supports port scanning, and attacking, based on IP
addresses or host name(s). It can also search through network DNS information
and attack related hosts at your request. Nessus is available from <a href="http://www.nessus.org/">http://www.nessus.org/</a>.
<p><b>Saint:</b>
<br>
SAINT is the Security Administrator's Integrated Network Tool. SAINT also uses
a client/server architecture, but uses a web interface instead of a client program.
In its simplest mode, it gathers as much information about remote hosts and
networks as possible by examining such network services as finger, NFS, NIS,
ftp and tftp, rexd, statd, and others. SAINT produces very easy to read
and understand output, with security problems graded by priority (although
not always correctly), and also supports add-in scanning modules, making it very
flexible. SAINT is available from: <a href="http://www.wwdsi.com/saint/">http://www.wwdsi.com/saint/</a>.
<p><b>Cheops:</b>
<br>
Cheops is useful for detecting a host's OS and dealing with a large number of
hosts quickly. Cheops is a "network neighborhood" on steroids: it builds a picture
of a domain or IP block, what hosts are running, and so on. It is extremely
useful for preparing an initial scan, as you can locate interesting items (HP
printers, Ascend routers, etc.) quickly. Cheops is available at:
<a href="http://www.marko.net/cheops/">http://www.marko.net/cheops/</a>.
<p><b>Ftpcheck / Relaycheck:</b> <br>
Ftpcheck and Relaycheck are two simple utilities that scan for FTP servers and
for mail servers that allow relaying. These are available from: <a href="http://david.weekly.org/code/">http://david.weekly.org/code/</a>.
<p><b>BASS:</b>
<br>
BASS, the "Bulk Auditing Security Scanner", allows you to scan the Internet
for a variety of well-known exploits. You can get it from: <a href="http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz">http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz</a>
<p><b><u>Firewall scanners:</u></b> <br>
There are also a number of programs now that scan firewalls and execute other
penetration tests in order to find out how a firewall is configured.
<p><b>Firewalk:</b>
<br>
Firewalking is a technique that employs traceroute-like probes to analyze IP
packet responses in order to determine gateway ACL filters and map networks. Firewalk,
the tool, applies this technique to determine the filter rules in place on a
packet-forwarding device. System administrators should use this tool against their
own systems to tighten up security. Firewalk is available from: <a href="http://www.packetfactory.net/Projects/Firewalk/">http://www.packetfactory.net/Projects/Firewalk/</a>.
<p><b><u>Conclusion:</u></b>
<p>"Security is not a solution, it's a way of life". System administrators
must continuously scan their systems for security holes and fix each hole as soon
as it is detected. This will tighten the security of the system and reduce the
chance of security breaches. It is a continuous process: new security
vulnerabilities will keep arising, and the work of fixing them will never end!
After all, "Precaution is better than cure".

<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright © 2000, Kapil Sharma<BR>
Published in Issue 57 of <i>Linux Gazette</i>, September 2000</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="sipos.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->