A security professional will need to use a large list of software tools. In this video, you’ll learn which tools can be a useful addition to your security toolbag.
<< Previous Video: Other Security Devices Next: Command Line Security Tools >>
If you’re working IT security, there are a number of software tools that you should have in your arsenal. In this video, we’ll talk about a number of those tools. Some of them are passive tools and others work actively. A passive tool is one that watches as network traffic goes by, and it gives you information about what might be happening inside of the traffic or on a client or server.
An active tool will be sending traffic to a device. We may be trying a set of credentials on that device, we may be trying to exploit a known vulnerability, or may just trying to query a login page on that device to see if it’s active.
If you’re going to capture packets, then you’ll need a protocol analyzer. Not only does a protocol analyzer gather these packets, but it’s able to present the information inside the packets in plain English. We can gather these packets from a wired network, but we can also gather them wirelessly. Sometimes the ability to capture these packets is something built into the device, and you won’t even need to install any additional software.
A protocol analyzer is going to allow you to view traffic patterns. You’ll be able to see exactly what protocols are going back and forth and perhaps, more importantly, you’ll be able to identify traffic that is unknown. If you’re trying to find traffic that may be unusual or malicious, this is a great way to do it. Some protocol analyzers are designed to gather a large amount of traffic into a large storage array. For example, you could have an analyzer store an entire week’s worth of data and then use analytics to be able to gather details about what happened during that timeframe.
A network scanner is commonly used to determine what services might be running on a remote device. You can find out if a server is running web services, FTP services, IRC services, or any other type of service. These network scanners can also determine what operating system might be running on a remote device. You would commonly tell a network scanner to scan an individual IP address or an entire range, and it will report back whatever it finds out on the network.
Once the scanner has identified all of the devices on a particular subnet, it can even visually graph them. This is a tool called Zenmap that has taken a scan and has identified all of the different devices on the network and now allows you to go through the entire list to determine exactly what services are running on each individual device on the network. This is also a good way to find devices that you weren’t expecting to see on the network.
It’s difficult for a device to completely hide itself on the network, and these scanners are designed to find every device that they can. You may want to try downloading one of these and try it yourself Nmap in Zenmap are a good example of a very popular network scanner, but there are other options out there such as the Angry IP Scanner. Because of the unique characteristics of wireless networks, you need unique security tools.
One good example of these are the wireless scanners and crackers that you can find for wireless networks. The first type of tool you’ll need is one to do wireless monitoring. You need some way to capture all of the traffic that’s going across this wireless network. You may also want to try your own set of wireless attacks to see if your access points are susceptible to deauthentication attacks and other type of wireless attacks.
And if you are interested in seeing how difficult it might be to find the password on your wireless network, you can run wireless cracking tools. These can either cryptographically find the WEP key that you might be running on an old network, or you can run through a dictionary or brute force attack if you’re running a WPA2 network. You may have seen me crack a web password in one of our earlier videos. I was using the Aircrack NG Suite to be able to do that, but there’s other tools like Fern available that would allow you to find and crack these wireless passwords.
On most of our operating systems and applications, we’re storing user’s passwords as hashes that’s because a hash is a one-way function. We can take a password and very easily convert it to a hash, but there’s no way to take a hash and convert it back to the password. Some older operating systems or poorly developed applications might store their hashes in a very straightforward way. There might not be any salting, and they might be using a relatively weak hash.
This makes it very easy to perform a brute-force attack if you’re able to get your hands on those hashes. But the process of getting your hands on those hashes is usually not very trivial. There’s usually an involved process to break into a system just so you can gain access to the files that contain all of these hashes. But if you do get your hands on these hashes, you’ll be able to run some brute-force attacks. Maybe you try a list of common passwords or run through different languages of passwords.
And ultimately, you might try rainbow tables to see if those hashes have already been brute-forced and you can very easily find the password using a rainbow table. There are many tools available for password cracking. You can find many tools available in the cloud where you simply upload the hashes, and it runs through some rainbow tables, or you can try some local cracking tools like John the Ripper or Ophcrack.
It is a constant race to stay up to date with the latest security patches before the bad guys try to exploit those vulnerabilities on a system. If you happen to miss a patch, it’s very common for someone to come around behind you and find that open door on your system. Running a vulnerability scanner would be a good way to find out if you happen to miss any of the known vulnerabilities that might be on your system. This is an active test, but it’s only minimally invasive. It’s not an active exploitation that you might have with a penetration test.
The idea of a vulnerability scanner is that we’ll find as much information as possible and gather details about everything it can about your operating system. You’ll be able to go through the logs afterwards to see what vulnerabilities may be of a higher priority and others that may be of a lower or informational priority. There are many tools to do this. Microsoft makes a Baseline Security Analyzer, Tenable makes a very popular vulnerability scanner with Nessus, and you’ve probably seen me in a previous video run a web-based vulnerability scanner called Nikto.
On your network, you may have a series of requirements for the security of your system. There may be internal requirements for your organization, or there may be regulations in your industry that require a certain level of security for all of your systems. To see if you meet these minimum requirements, you’ll need some type of compliance scanner on your systems. These scanners will be able to determine the operating system you’re using, it will know what applications are installed on your systems, look through the network settings, identify the anti-virus or anti-malware, and know exactly what signatures of those may be installed, and you’ll be able to get detailed information about the configurations of all of your systems.
Information from all of your devices are stored in a central database and from there, you’re able to monitor and create reports on what you found. You’ll be able to identify if any devices are changing over time, and you can usually integrate this with a login process. That way you’ll know someone logs in and their system is dramatically different than the last time they logged in, and you’ll be able to take that system and determine what the changes might be and if any of those changes go outside the scope of your compliance requirements.
The bad guys use every possible tool to gain access to your systems. They can look for vulnerabilities that might be in your browser, in your operating system and applications you use, and anything else that might be running on your system. To be able to take advantage of these different vulnerabilities, the bad guys will need to write an exploit. And instead of writing the exploit from scratch every time, they’ll instead use an exploitation framework. All they have to do is find the exact piece of code they need to be able to put into the framework and all of the other mechanisms for delivering the payload and having it execute on that remote system are already built into the framework.
You can download and use these frameworks right now and test your own systems to see how secure there might be. Some very common frameworks to use are BeEF– this is the Browser Exploitation Framework Project. RouterSploit will try to exploit routers and other routing type devices, and you’ve probably seen me use in a previous video Metasploit where I used a built-in, exploit to be able to take advantage of a known vulnerability on a server. It’s time to upgrade the hard drive in your computer, and you’ve copied everything from the smaller hard drive onto the drive with much more capacity.
Now, you’ve got this additional drive that you’ve taken out of your computer. But what do you do with the data that was on that old drive? You probably have information on there that you don’t want to get in the hands of anyone else, so it’s important that everything on that drive be sanitized. Normally, the sanitation process on these drives is one where we can simply overwrite the data that is already there. Generally, when you overwrite the data one time on a hard drive, it is gone forever. There’s no way to recover it.
Sometimes, people overwrite multiple times on a drive just to make themselves really sure that that data is gone, but the reality is a single override will make all of that data unrecoverable. If you have drives that you’d like to sanitize, and you know you’re never going to need that data again, you can use a program like Derek’s Boot and Nuke or DBAN. You can boot with that, and it will delete everything that happens to be on a hard drive.
If you just need to delete one individual file or a set of folders on your system and make sure that nobody is able to recover those, you can use something like Microsoft’s SDelete– that is secure delete and that will delete individual components from your drive leaving everything else available. You have to make sure also that you delete the caches and any temporary files that you may have on that system. You may securely delete one file forgetting that another copy of it happens to exist in the cache.
One way to store data in plain sight but hidden is by using steganography. Steganography allows you to take an image and embed a bit of data inside of the image. To us human beings, the image looks exactly the same as it always has been but a bit of data has now been embedded inside the pixels of this image. And there are many programs that can hide the data and then recover it using this steganography capability.
In steganography, an important part of this is the cover text. This is the container document or the file that is going to have the information contained within it. Steganography doesn’t have to include an image though. We could also hide data within other packets of data going across the network for this network-based steganography. Although it’s very common to use a graphical image to store this text in data, sometimes the steganography is one that is right the open.
A laser printer can put very tiny almost invisible yellow dots at the bottom of the page. The structure of these yellow dots will include the serial number of the printer, so you know exactly what physical printer happened to print this document, and they also include a timestamp so you know exactly what date and time was used to print this document. If we look a little closer, we can now see a little better those yellow dots that are on the page. This is how security professionals and law enforcement can really make a determination of where a particular document may have originated.
Instead of having the bad guys come across the internet and try to break into our own systems why don’t we set up a system for them that is very attractive and that they could spend a lot of time trying to break into? This is a honeypot. You’re attracting these bears, which in most cases are just automated systems trying to find a device that is vulnerable to their attacks. They’re usually just performing reconnaissance, so we can put this honeypot in place to catch all of the reconnaissance they happened to be doing. Some of these honeypots allow us to build entire infrastructures inside of them– virtual servers and networks that to the bad guys looks like an entire company.
But in reality, it’s a virtual system that’s all defined within the honeypot. There’s many different honeypot options out there. Projecthoneypot.org and honeyd are two very good examples that you can install on your systems to try out different options for honeypots. The bad guys are also keeping their eyes open for these honeypots, so it’s a bit of a battle to build a honeypot that looks real enough so that the bad guys can’t recognize they’ve been trapped inside of this virtual world.
Part of your ongoing security policy should be the verification of a good set of backups. This will protect you if a system fails, it will protect you if your systems are infected with malware or ransomware, and if you’ve ever been in a position where you’ve lost data, you know these backups can really be a lifesaver. There are many different strategies for backing up data, and you may choose to use one or more of these strategies simultaneously.
One thing I often will do is perform an rsync. This is a real-time file sync, so you can make sure that a secondary system has an exact duplicate of all of the data that’s on the first system. You’ll of course also want to have backups that are occurring constantly– maybe every hour you’ve got an update of everything that happens to be on a particular server. And of course, you’ll want to make sure you have full complete file backups so if you need to restore an entire system, you can reimage it in a matter of minutes.
From a security perspective, you want to be sure that you have all of your devices covered, so you will never lose any data, and you want to make sure the process you have in place for restoring that data is one that works as quickly as possible. You may not realize it, but some applications really provide a lot of information about themselves when you first connect to them. They tell you everything about themselves– what their name is, they’ll tell you what version of software they happen to be running, and they may give you a lot more information about the server that they’re running on.
These are called application banners, and they’re usually always there. But usually, we don’t see them. This is something that happens behind the scenes over the network, and it’s usually said that the client and the server can communicate to each other, and everybody knows exactly who they’re communicating with. But you can capture this data– you can grab the packets themselves, or you can use Netcat nc, Nmap, and a number of different security tools to be able to capture these banners.