1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
|
<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Security Scanners LG #57</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="sipos.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Security Scanners</font></H1>
<H4>By <a href="mailto:kapil@linux4biz.net">Kapil Sharma</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<P> "A scanner is a program that automatically detects security weaknesses in a
remote or localhost.". Scanners are important to Internet security because
they reveal weaknesses in the network. System administrators can strengthen the
security of networks by scanning their own networks. The primary
attributes of a scanner should be:
<UL>
<LI> The capability to find a machine or network.
<LI> The capability to find out what services are being run on the host
(once having found the machine).
<LI> The capability to test those services for known holes.
</UL>
<P> There are various
tools available for Linux system scanning and intrusion detection.
I will
explain some of the very
famous tools available. I have divided the scanners into three categories:
<OL>
<LI> Host Scanners
<LI> Network Scanners
<LI> Intrusion Scanners
</OL>
<p><b><u>Host
scanners</u></b> <br>
Host scanners
are software you run locally on the system to probe for problems.
<p><b>Cops</b>
<br>
COPS is a collection of security tools that are designed specifically to aid
the typical UNIX systems administrator, programmer, operator, or consultant
in the oft neglected area of computer security. COPS is available at: <a href="http://www.fish.com/cops">http://www.fish.com/cops</a>
<p><b>Tiger</b>
<br>
Tiger is a
UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts,
C code and data files which is used for checking for security problems on a
UNIX system. It scans system configuration files, file systems, and user configuration
files for possible security problems and reports them. You can get it from:
<a href="http://www.giga.or.at/pub/hacker/unix">http://www.giga.or.at/pub/hacker/unix</a>
<p><b>check.pl</b>
<br>
Check.pl a
perl script that looks through your entire filesystem, (or just the directory
you tell it to) for suid, sgid, sticky, and writeable files. You should run
it as a regular user maybe once a week to check for permission problems. It
will output a list of questionable files to stdout which you can redirect wherever.
It's available at: <a href="http://opop.nols.com/proggie.html">http://opop.nols.com/proggie.html</a>.
<p><b><u>Network
scanners</u></b> <br>
Network scanners are run from a host and pound away on other machines, looking
for open services. If you can find them, chances are an attacker can too. These
are generally very useful for ensuring your firewall works.
<p><b>NSS (Network
Security Scanner):</b> <br>
NSS is a
perl script that scans either individual remote hosts or entire subnets of hosts
for various simple network security problems. It is extremely
fast. Routine checks that it can perform include the following:
<br>
1: sendmail
<br>
2: Anon FTP
<br>
3: NFS Exports
<br>
4: TFTP
<br>
5: Hosts.equiv
<br>
6: Xhost
<br>
NSS can be found at: <a href="http://www.giga.or.at/pub/hacker/UNIX">http://www.giga.or.at/pub/hacker/UNIX</a>
<p><b>SATAN (Security
Administrator's Tool for Analyzing Networks):</b> <br>
SATAN is an automated network vulnerability search and report tool that provides
an excellent framework for expansion.Satan scans remote hosts for most known
holes: <br>
1: FTPD vulnerabilities and writable FTP directories <br>
2: NFS vulnerabilities <br>
3: NIS vulnerabilities <br>
4: RSH vulnerability <br>
5: sendmail <br>
6: X server vulnerabilities SATAN performs these probes automatically and provides
this information in an extremely easy to use package. <br>
you can obtain
SATAN from : <a href="http://www.fish.com/satan/">http://www.fish.com/satan/</a>
<p><b>Strobe:</b>
<br>
Strobe is Super optimised TCP port surveyor. It is a network/security tool that
locates and describes all listening tcp ports on a (remote) host or on many
hosts in a bandwidth utilisation maximising, and pro- cess resource minimising
manner. It is simple to use and very fast, but doesn't have any of the features
newer port scanners have. <br>
Strobe is available at: <a href="ftp://suburbia.net/pub/">ftp://suburbia.net/pub/</a>.
<p><b>Nmap</b>:
<br>
Nmap is a newer and much more fully-featured host scanning tool. <br>
Specifically, nmap supports:
<ul>
<li> Vanilla
TCP connect() scanning</li>
<li> TCP SYN
(half open) scanning</li>
<li> TCP FIN,
Xmas, or NULL (stealth) scanning</li>
<li> TCP ftp
proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses
some packet filters)</li>
<li> TCP ACK
and Window scanning</li>
<li> UDP raw
ICMP port unreachable scanning</li>
<li> ICMP scanning
(ping-sweep) TCP Ping scanning Direct (non portmapper) RPC scanning Remote
OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. <br>
</li>
</ul>
<p> Nmap is available
at: <a href="http://www.insecure.org/nmap/index.html">http://www.insecure.org/nmap/index.html</a>.
<p><b>Network
Superscanner</b>: <br>
<a href="http://members.tripod.de/linux_progz/">http://members.tripod.de/linux_progz/</a>
<p><b>Portscanner</b>:
<br>
PortScanner is a Network Utility especially designed to "scan" for listening
TCP ports. It uses a simple method to achieve its goal, and it is extremely
compact taking in account all of the options available. It's opensource and
free to use, you can get it at: <a href="http://www.ameth.org/%7Eveilleux/portscan.html">http://www.ameth.org/~veilleux/portscan.html</a>.
<p><b>Queso:</b>
<br>
Queso is a tool to detect what
OS a remote host is running with a pretty good degree
of accuracy . Using a variety of valid and invalid tcp packets to probe the
remote host it checks the response against a list of known responses for various
operating systems, and will tell you which OS the remote end is running. You
can get Queso from: <a href="http://www.apostols.org/projectz/queso/">http://www.apostols.org/projectz/queso/</a>.
<p><u><b>Intrusion
Scanners</b></u> <br>
Intrusion scanners are software packages that will actually identify vulnerabilities,
and in some cases allow you to actively try and exploit them.
<p><b>Nessus:</b>
<br>
Nessus is very fast, reliable and has a modular architecture that allows you
to fit it to your needs.Nessus is one of the best intrusion scanning tools.
It has a client/server architecture, the server currently runs on Linux, FreeBSD,
NetBSD and Solaris, clients are available for Linux, Windows and there is a
Java client. Nessus supports port scanning, and attacking, based on IP
addresses or host name(s). It can also search through network DNS information
and attack related hosts at your request. Nessus is available from <a href="http://www.nessus.org/">http://www.nessus.org/</a>.
<p><b>Saint:</b>
<br>
SAINT is the Security Administrator's Integrated Network Tool. Saint also uses
a client/server architecture, but uses a www interface instead of a client program.
In its simplest mode, it gathers as much information about remote hosts and
networks as possible by examining such network services as finger, NFS, NIS,
ftp and tftp, rexd, statd, and other services. Saint produces very easy to read
and understand output, with security problems graded by priority (although
not always correctly) and also supports add-in scanning modules making it very
flexible. Saint is available from: <a href="http://www.wwdsi.com/saint/">http://www.wwdsi.com/saint/</a>.
<p><b>Cheops:</b>
<br>
Cheops is useful for detecting a hosts OS and dealing with a large number of
hosts quickly. Cheops is a "network neighborhood" on steroids, it builds a picture
of a domain, or IP block, what hosts are running and so on. It is extremely
useful for preparing an initial scan as you can locate interesting items (HP
printers, Ascend routers, etc) quickly. Cheops is available at:
<a href="http://www.marko.net/cheops/">http://www.marko.net/cheops/</a>.
<p><b>Ftpcheck
/ Relaycheck:</b> <br>
Ftpcheck and Relaycheck are two simple utilities that scan for ftp servers and
mail servers that allow relaying. These are available from: <a href="http://david.weekly.org/code/">http://david.weekly.org/code/</a>.
<p><b>BASS:</b>
<br>
BASS is the "Bulk Auditing Security Scanner" allows you to scan the Internet
for a variety of well known exploits. You can get it from: <a href="http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz">http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz</a>
<p><b><u>Firewall
scanners:</u></b> <br>
There are also a number of programs now that scan firewalls and execute other
penetration tests in order to find out how a firewall is configured.
<p><b>Firewalk:</b>
<br>
Firewalking is a tool that employs traceroute-like techniques to analyze IP
packet responses to determine gateway ACL filters and map networks. Firewalk
the tool employs the technique to determine the filter rules in place on a packet
forwarding device. System administrators should utilize this tool against their
systems to tighten up security. Firewalk is available from: <a href="http://www.packetfactory.net/Projects/Firewalk/">http://www.packetfactory.net/Projects/Firewalk/</a>.
<p><b><u>Conclusion:</u></b>
<p>"Security is not a solution, it's a way of life". System Administrators
must continuously scan their systems for security holes and fix the hole on
detection. This will tighten the security of system and reduce the chance of
security breaches. This process is a continuous process. The security vulnerabilities
will keep on arising and process of fixing the security holes will never end!
After all, "Precaution is better than cure".
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright © 2000, Kapil Sharma<BR>
Published in Issue 57 of <i>Linux Gazette</i>, September 2000</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="sipos.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
|
