
Final Project

Analysis of Ten Defense Countermeasure Tools
By Brian Miller

Drexel University
Professor Tim Gillin
CT-472 IT Security Defense Countermeasures
Spring Quarter 2012
Monday, June 11th, 2012
Table of Contents
Abstract..........................................................................................................................................4

LanTricks LanSpy v2.0.0.155.......................................................................................................6

Steps to run LanSpy..................................................................................................................8


Advantages of LanSpy.............................................................................................................11
Disadvantages of LanSpy........................................................................................................11
Summary of LanSpy................................................................................................................12
Nessus v4.2.2 (Build 9129)...........................................................................................................14

Steps to run Nessus..................................................................................................................16


Advantages of Nessus..............................................................................................................21
Disadvantages of Nessus..........................................................................................................21
Summary of Nessus..................................................................................................................22
Wireshark v1.2.10........................................................................................................................24

Steps to run Wireshark...........................................................................................................26


Advantages of Wireshark........................................................................................................30
Disadvantages of Wireshark...................................................................................................30
Summary of Wireshark...........................................................................................................31
SuperScan v4.0.............................................................................................................................33

Steps to run SuperScan...........................................................................................................37


Advantages of SuperScan........................................................................................................40
Disadvantages of SuperScan...................................................................................................40
Summary of SuperScan...........................................................................................................41
NEWT Professional v2.5.............................................................................................................43

Steps to run NEWT Professional............................................................................................46


Advantages of NEWT Professional........................................................................................49
Disadvantages of NEWT Professional...................................................................................49
Summary of NEWT Professional...........................................................................................50
Snort v2.8.6.1................................................................................................................................52

Steps to run Snort....................................................................................................................54


Advantages of Snort................................................................................................................61

Page 2 of 100
Disadvantages of Snort............................................................................................................61
Summary of Snort....................................................................................................................62
Cain & Abel v4.9.36.....................................................................................................................64

Steps to run Cain & Abel........................................................................................................65


Advantages of Cain & Abel....................................................................................................71
Disadvantages of Cain & Abel................................................................................................71
Summary of Cain & Abel........................................................................................................72
Netcat 1.1.1...................................................................................................................................74

Steps to run Netcat...................................................................................................................75


Advantages of Netcat...............................................................................................................78
Disadvantages of Netcat..........................................................................................................78
Summary of Netcat..................................................................................................................79
inSSIDer 2.1.1.1387......................................................................................................................81

Steps to run inSSIDer..............................................................................................................82


Advantages of inSSIDer..........................................................................................................84
Disadvantages of inSSIDer......................................................................................................84
Summary of inSSIDer.............................................................................................................85
WinDump 3.9.5............................................................................................................................87

Steps to run WinDump............................................................................................................88


Advantages of WinDump........................................................................................................91
Disadvantages of WinDump...................................................................................................91
Summary of WinDump...........................................................................................................92
Future Implications.....................................................................................................................95

End Note References....................................................................................................................97

________

Abstract:
________

In this document, ten Defense Countermeasure Tools are analyzed. The tools analyzed are LanTricks LanSpy, Nessus, Wireshark, Foundstone (McAfee) SuperScan, NEWT Professional, Snort, Cain & Abel, Netcat, inSSIDer, and WinDump. We will explore each tool’s use, advantages, disadvantages and overall complexity. In addition, a tutorial of each tool will be given with screen shots and instructions for use.

LanTricks LanSpy v2.0.0.155
__________________________

LanTricks LanSpy v2.0.0.155:


__________________________

LanTricks LanSpy is a network scan utility that provides in-depth details of the targeted systems, all from a single, easy to use interface. LanSpy is a simple yet powerful network auditing tool that will scan systems for processes, installed applications, shares, open ports, users and groups, along with many other details. The LanSpy installation is small in size at 1.1 MB and is compatible with the following Operating Systems:

- Windows 2000
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003 and R2 Edition

LanSpy is made for gathering the following information about a remote computer:

- Ping
- Domain name
- NetBios names
- MAC address
- Server information
- Domain (workgroup) information
- Domain controllers
- Remote control
- Time
- Disks
- Users
- Logged users
- Global groups
- Local groups
- Security options
- Shared resources
- Sessions
- Open files
- Services
- Processes
- Registry
- Event log
- TCP port scanner
- UDP port scanner

The utility can be downloaded from http://lantricks.com/lanspy/ [ CITATION Lan10 \l 1033 ]. Once you open the utility you can configure options such as authentication and the detection parameters. The program is not processor intensive and can remotely scan other workstations or servers as well. For a simple utility it is quite effective for its purpose. For these reasons it is one of the utilities I use often to remotely audit certain workstations.

Steps to run LanSpy:

1. Open LanSpy from the programs menu and first choose to set up your options from the File menu. In the options interface set up the scan properties, authentication, the operations to perform, and what ports to scan:
2. Next define the subnet range you wish to scan. For the purposes of this tutorial I have chosen my localhost. Click the icon to start the scan process:
3. You will notice in the lower pane window what the status of the various scan operations is:
4. When the scan operations complete you can analyze the results. By clicking the icon you can expand the selection to view what was discovered. For instance, in this scan we see that at this particular moment the following ports are open:
5. As an administrator, for auditing purposes you can export the findings to such formats as XML or HTML from the File menu:

Advantages of LanSpy:

- The program is free.
- Effective for the supported products.
- Easy to use.
- Provides many auditing details about scanned systems.
- The utility is not processor intensive.
- The utility has the ability to scan an entire subnet or individual systems from remote locations.
- You can export the audit results to XML or HTML format.

Disadvantages of LanSpy:

- It only scans Microsoft Windows computers.
- Will require administrative rights on the computer being scanned.

Summary of LanSpy:

LanTricks LanSpy is a network scan utility that is great for conducting quick audits of local or remote systems. The program is small in size and is easily configured. By specifying a local or domain level administrative account, you can scan the selected systems for a wide range of details such as open ports, users and groups, shared resources and much more. Once the results are displayed they can be analyzed and saved in HTML or XML format for future reference. The program is simple, quick and effective for what it is supposed to accomplish, all without being processor intensive or intrusive to the end system. This is a great utility to have for any systems security professional.

Nessus v4.2.2 (Build 9129)
_______________________

Nessus v4.2.2 (Build 9129):


_______________________

Nessus Vulnerability Scanner by Tenable is a network vulnerability scanner that scans systems and detects potential network and Operating System related vulnerabilities. Nessus is offered for home use for free through subscription to the “Nessus HomeFeed” and for businesses by subscribing to the “Nessus ProfessionalFeed” for approximately $1,200 per year. The Nessus installation file is 10.8 MB in size and in the form of an MSI file. Nessus is no longer a client based product but rather a client-server, web based product. It now uses a web interface for configuration, scanning and reporting. The server side contains the “Plug-Ins”, which are the vulnerability database, and the scan engine. There are over 37,000 plug-ins available for Nessus, each scanning for a vulnerability. The client piece is a web interface that contains the reporting tool and is where you set configuration options and initiate scans. Nessus is supported on the following Operating Systems:

- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003 and R2 Edition
- Windows Server 2008 and R2 Edition
- Mac OS X Tiger
- Mac OS X Leopard
- Mac OS X Snow Leopard
- Debian Linux
- Fedora Linux
- Red Hat Linux
- SuSE Linux
- Ubuntu Linux
- FreeBSD 7
- Solaris 10

You can obtain Nessus from here: http://www.nessus.org/download/ [ CITATION Ten10 \l 1033 ].

Once you install Nessus you must subscribe to the “HomeFeed” and an email will be sent to you containing the activation key. You input this key in the Nessus Server Manager registration area:

Immediately after applying the activation key, Nessus will download and install all current plug-ins available for the HomeFeed subscription (or ProfessionalFeed, depending on the subscription). Here is also where you can set Nessus to start automatically, manage users, or stop and start the service.

Steps to run Nessus:

1. Nessus no longer has a client piece of software, but rather a web interface. Your first user needs to be created via the Server Manager referenced above. Open your Internet browser to the following location:
2. You will be brought to the web interface login page. If you are unable to browse to this location it is likely that your built-in Windows Firewall is blocking the application. You will need to create an exception to allow the program and port to be unrestricted:
3. Before you are able to perform a scan you must configure at least one vulnerability scan policy. Click on the “Policy” tab and then click “Add”:
4. Now you must step through the process of creating your scan policy. For the purposes of this tutorial you can leave the default selections. However, there are quite a few different options to choose from across the four tabs of policy creation:
5. On the plug-in page you can choose to deselect any of the vulnerability scan definitions by clicking on the orange circle. Notice there are currently 37,515 definitions within the database at the time of this writing:
6. When you are finished customizing click “Submit” to create the scan policy.
7. Now you have a scan policy to work with:
8. The next step is to add a host or network to scan. Click on the “Scans” tab and click “Add”:
9. Define the name for your scan, choose to run now, select the policy that was created above from the drop down menu, and define the IP subnet range or single host to scan. When you are finished click “Launch Scan”:
10. Let the process run. You can check the status by double clicking the scan job. After a bit it will complete and display an overview of the results:
11. From the results screen you can click on each individual vulnerability found; in this scan only low priority issues were found. Or you can choose to download all the results to one easy to read HTML report by clicking on “Download Report”, then choose “HTML export” from the drop down menu:
12. Review the detailed report for the findings of the scan and determine if any corrective actions are necessary, for example closing ports. For instance, this particular computer runs VNC and the Nessus scan picked that up as a potential vulnerability and presented information about it:
13. Once you are finished reviewing the report and addressing the concerns, the individual host or hosts on the subnet will be a little more secure.

Advantages of Nessus:

- Free for home users.
- Inexpensive for professional use.
- Easy setup.
- Reports can be generated on demand.
- Ability to customize policies.
- Ability to compare reports generated at different times.

Disadvantages of Nessus:

- Updates require subscription.
- Potential exists that scanning can be perceived as Denial of Service attacks.
- Does not play well with VMware guests. Runs much more efficiently on physical hardware.

Summary of Nessus:

Nessus from Tenable Network Security is a powerful network and system vulnerability scanner. Nessus was originally an open source product but was closed after Tenable bought the rights. However, Tenable still releases the functionality of Nessus to home users for free by subscribing to the Nessus “HomeFeed”. There is a “ProfessionalFeed” that businesses can subscribe to. Nessus is a client-server software product with a built in Oracle database. The client interface is accessed via an Internet browser to port 8834. The Nessus server contains a vulnerability database, referred to as plug-ins, that contains the definitions of what to scan for. There are over 37,000 plug-ins available for Nessus at the time of this writing.

Nessus allows you to scan one IP address or a range of IP addresses, effectively covering an entire subnet. After the scan is complete, Nessus will generate a detailed report of its findings and offer solutions to the found vulnerabilities. You can download the findings into one easy to follow HTML report. As a broad overview, Nessus will scan for missing patches, open ports and running applications, audit antivirus software and discover potentially sensitive data. Nessus supports practically all major Operating Systems, which makes this product very appealing to System and Network Administrators as a one product solution for scanning corporate networks for potential vulnerabilities. Overall, the program is not difficult to use and is effective for what it was designed for.

Wireshark Network Protocol Analyzer v1.2.10
_________________

Wireshark v1.2.10:
_________________

Wireshark is a free, open source packet analyzer originally called Ethereal and written by Gerald Combs. It was renamed to Wireshark in 2006 because of copyrights held on the name Ethereal. Wireshark is freely available under the GNU General Public License and is actively maintained and enhanced by many people. The main purpose of Wireshark is to analyze all packets being sent and received from a particular network interface. This allows network administrators to determine what kind of packet traffic is traversing the network. If you have been charged with the secure transmission of data on the network, you can use Wireshark to analyze the packets for any sensitive data that is sent in clear text. For example, the protocols FTP, SMTP and POP are inherently insecure, and anyone using these protocols has the potential to have sensitive information acquired. FTP example:

Wireshark is approximately 18MB in size and runs on the following Operating Systems:

- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003 and R2 Edition
- Windows Server 2008 and R2 Edition
- Mac OS X Tiger
- Mac OS X Leopard
- Mac OS X Snow Leopard
- Debian Linux
- Fedora Linux
- Red Hat Linux
- SuSE Linux
- Ubuntu Linux
- FreeBSD 7
- Solaris 10

Some of the Wireshark features include:

- The capture of live packet data from a given interface.
- Deep inspection of various protocols.
- Three window view for analysis of the packets.
- Filter packets on a given criteria.
- Search for packets on a given criteria.
- Color coding the packets on display based on filter settings.

WinPcap is needed to capture packets on Windows systems. It is essentially a driver library that allows Wireshark to capture packets on Windows LAN and WLAN interfaces. WinPcap is included within the installation of Wireshark.

Wireshark can be downloaded here: http://www.wireshark.org/download.html [ CITATION The10 \l 1033 ].

Download and install the Wireshark program. It is self explanatory; just accept the defaults.

Steps to run Wireshark:

This tutorial will display a simple secure POP connection from an email that is sent. Ports of reference will be:

1. You have the option to set the capture options from the “Capture” menu. Typically you can accept the default:
2. Open Wireshark and select “Interfaces” from the “Capture” menu:
3. When the Interfaces dialog box opens you will notice which interfaces are currently attached to the network, as you will see packets being received. Typically this will be one interface. Click the “Start” button to begin the capture:
4. You will see the lower pane filling with data from the packet capture. Once you are finished with the capture click on “Stop” from the “Capture” menu. For this packet capture I sent a test email that was sent via SSL. The capture will not show you the detail of the data as it is encrypted. You will just see the negotiations:
5. Notice the source port is 465, which is stated in the above screen shot, and the data part of the packet is encrypted:
6. If you want to filter out just the particular traffic that deals with the SSL session, you can apply the filter “tcp.port eq 465”. Click on “Apply” and the lower window will only include traffic that has port 465 as a source or destination:
7. At this point an administrator can dissect the result of the packet capture and diagnose network problems or the amount of sensitive data being transmitted over the network. Familiarize yourself with the various menus and options. The most important to understand are:
   - The packet window (top): this lists the packets with source, destination, protocol and other information.
   - The packet detail window (middle): shows the detail of the packet that is highlighted in the top window. It will highlight the Ethernet frame, protocol information and data, along with other important details.
   - The packet bytes window (lower): this is the hexadecimal view of the highlighted packet.
8. An administrator can then save the packet capture for future reference.
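Added example (not Wireshark's code or the paper's): a standard-library Python script that reads a classic pcap, applies the same predicate as the display filter “tcp.port eq 465” from step 6, and labels each TCP payload as clear text or a TLS record, which is the difference between the FTP example earlier in this section and the encrypted SSL session in steps 4 and 5. The capture bytes, IP addresses and ports in SAMPLE_PCAP are constructed here and are assumptions, not a real capture.

```python
"""Apply the Wireshark display filter "tcp.port eq 465" to a pcap and report
which TCP payloads are clear text and which are TLS records.

Added example, not code from Wireshark or the original paper. The capture is
constructed inline (FTP on port 21, SMTPS on port 465) so it runs offline;
a capture saved by Wireshark in classic pcap format is read the same way.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header, no options
PCAP_GLOBAL = struct.Struct("<IHHiIII")    # classic little-endian pcap header
PCAP_REC = struct.Struct("<IIII")          # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    # data offset 5 words, flags PSH|ACK, window 65535
    tcp = TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = IPV4_HDR.size + len(tcp)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 1, 0, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))),
                       bytes(map(int, dst_ip.split("."))))
    return ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic pcap container (link type 1 = Ethernet)."""
    out = PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += PCAP_REC.pack(i, 0, len(frame), len(frame)) + frame
    return out


def dissect_tcp(frame):
    """Return src/dst IPs, ports and payload of a TCP frame, or None if not TCP."""
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    ip_off = ETH_HDR.size
    vihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(frame, ip_off)
    if proto != 6:
        return None
    tcp_off = ip_off + (vihl & 0x0F) * 4
    sport, dport, _, _, doff, _, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    payload = frame[tcp_off + (doff >> 4) * 4: ip_off + total_len]
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "payload": payload}


def parse_pcap(data):
    """Yield the dissected TCP packets of a classic pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(data):
        _, _, incl_len, _ = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        pkt = dissect_tcp(data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def tcp_port_eq(port):
    """Predicate equivalent to the Wireshark display filter 'tcp.port eq <port>'."""
    return lambda pkt: port in (pkt["sport"], pkt["dport"])


def classify_payload(payload):
    """Label what the packet bytes pane would show: TLS record, clear text or binary."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x14..0x17 followed by major version 3
    if len(payload) >= 2 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 3:
        return "tls-record"
    try:
        payload.decode("ascii")
        return "clear-text"
    except UnicodeDecodeError:
        return "binary"


def audit(data, predicate=None):
    """List (sport, dport, classification) for packets matching the filter."""
    return [(p["sport"], p["dport"], classify_payload(p["payload"]))
            for p in parse_pcap(data) if predicate is None or predicate(p)]


# Constructed sample capture: an FTP login in the clear and a TLS ClientHello on 465
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "192.168.1.20", 51000, 21, b"USER alice\r\n"),
    build_frame("192.168.1.10", "192.168.1.20", 51001, 465,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
])
```

Running audit(SAMPLE_PCAP) lists both packets, while audit(SAMPLE_PCAP, tcp_port_eq(465)) keeps only the SMTPS packet, whose payload is reported as a TLS record rather than readable text.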

Advantages of Wireshark:

- The program is free.
- Can interpret many popular protocols.
- Highly detailed.
- Very effective.
- Can export reports to popular formats such as CSV, XML and text files.
- Save for future reference and analysis.
- Support for 64 bit Operating Systems.
- Color coded rule sets.

Disadvantages of Wireshark:

- Can be a little overwhelming trying to decipher what communication actually transpired. If one does not have moderate knowledge of the composition of packets it will be difficult to follow.
- The filtering of packet communication is somewhat challenging. You must research the proper commands to filter out what you are looking for.

Summary of Wireshark:

Wireshark is an open source network protocol analyzer that can capture data packets in real time on any active interface. The program then displays each packet for analysis. It runs on practically all major Operating Systems. Wireshark gives administrators the ability to perform deep packet inspection by deciphering every detail of the frames down to hexadecimal format. You can apply filters to segregate the gathered information to look for specifics like source or destination ports, protocols, IP addresses, etc. Typically the best place to run Wireshark on corporate networks is where data is broadcast. Hubs are a good source for broadcast data but these are not widely used any longer. However, switches can be configured to allow programs like Wireshark to be effective. Wireshark is useful for network troubleshooting and for monitoring for potentially unencrypted sensitive data being transmitted across the network. If you have been charged with the security of sensitive data on the network, Wireshark is an essential tool. The program is very effective at what it was designed to do and is relatively easy to use once you conduct enough research about the composition of packets and applying filters.

SuperScan v4.0
______________

SuperScan v4.0:
______________

SuperScan is a port scanning utility developed by Foundstone, now a division of McAfee. You can download the utility from here: http://www.foundstone.com/us/resources/proddesc/superscan.htm [ CITATION McA10 \l 1033 ].

SuperScan is a single executable utility that will scan for any open ports on a system. The utility is approximately 203 KB in size. It is intended for the Windows 2000 and Windows XP Operating Systems. In order to run the application, the user needs administrative access to the computer. SuperScan allows administrators to scan the network and systems for any open port that creates a potential security hazard, for example if users inadvertently enable FTP on their computers. This scan utility will pick that up.

There is a note on the download web site that reads:

“Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:
net stop SharedAccess” (McAfee, 2003).

McAfee lists the features as being (McAfee, 2003):

- Superior scanning speed
- Support for unlimited IP ranges
- Improved host detection using multiple ICMP methods
- TCP SYN scanning
- UDP scanning (two methods)
- IP address import supporting ranges and CIDR formats
- Simple HTML report generation
- Source port scanning
- Fast hostname resolving
- Extensive banner grabbing
- Massive built-in port list description database
- IP and port scan order randomization
- A selection of useful tools (ping, traceroute, Whois etc)
- Extensive Windows host enumeration capability

SuperScan has the following tabs:

- Scan tab: defines the IP range for scanning.
- Host and Service Discovery: defines the UDP and TCP port ranges to scan for.
- Scan Options: defines other scan properties.
- Tools: this tab has various tools such as ping, whois, and traceroute.
- Windows Enumeration: will scan for certain Windows resources.
Steps to run SuperScan:

1. Launch the SuperScan program by double clicking “SuperScan4.exe”. The default Host and Service Discovery along with Scan Options is fine, but is customizable. Input the appropriate IP ranges and click the right arrow. You will notice the progress bar filling:
2. When the scan completes it will display the results of the scan test in the lower window. You can also click “View HTML Results” to view a report in your web browser:
3. In addition you can run useful commands like ping, traceroute and hostname lookup:
4. Lastly, SuperScan can enumerate certain Windows characteristics:

Advantages of SuperScan:

- The program is free.
- Easy to use.
- Quickly scans for open ports.
- Effective for what it is supposed to accomplish.

Disadvantages of SuperScan:

- Requires administrative rights to run.
- Is only good for Windows 2000 and XP.
- Does not tell you if a port is closed or filtered.
- Not a very advanced port scanner.
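Added example, not code from LanSpy, SuperScan or this paper: a standard-library Python connect probe that classifies a port on a host you administer as open, closed or filtered. It covers the TCP port scanner listed for LanSpy and the open-port scan SuperScan performs, and supplies the closed-versus-filtered distinction listed as missing above by separating a refused connection from a timeout. PORT_NOTES is a constructed stand-in for the kind of port description table SuperScan ships with, and the loopback listener exists only so the example has an open port to find.

```python
"""Classify TCP ports on a host you administer as open, closed or filtered, and
flag open clear-text services for review.

Added example, not code from LanSpy, SuperScan or the original paper. Standard
library only; PORT_NOTES is a constructed subset of a port description table.
"""
import socket
import threading
from enum import Enum

# Constructed lookup: port -> (service name, True if the protocol is clear text)
PORT_NOTES = {
    21: ("FTP", True),
    25: ("SMTP", True),
    110: ("POP3", True),
    465: ("SMTPS (SMTP over SSL)", False),
    5900: ("VNC", False),
    8834: ("Nessus web interface", False),
}


class PortState(Enum):
    OPEN = "open"          # TCP three-way handshake completed
    CLOSED = "closed"      # host answered the SYN with a RST (connection refused)
    FILTERED = "filtered"  # nothing came back before the timeout: likely a firewall drop


def check_tcp_port(host, port, timeout=1.0):
    """Full connect() probe of one port. SuperScan reports only "open"; the
    refused-versus-timeout split here is what separates closed from filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortState.OPEN
    except ConnectionRefusedError:
        return PortState.CLOSED
    except (socket.timeout, TimeoutError):
        return PortState.FILTERED
    except OSError:
        # No route / host unreachable: indistinguishable from a silent drop here
        return PortState.FILTERED


def scan_ports(host, ports, timeout=1.0):
    """Return {port: PortState} for every port in `ports`."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def review_findings(results):
    """Turn scan results into audit lines, flagging open clear-text services
    (an inadvertently enabled FTP server is the case the paper describes)."""
    findings = []
    for port, state in sorted(results.items()):
        service, clear_text = PORT_NOTES.get(port, ("unknown", False))
        line = f"{port}/tcp {state.value:<8} {service}"
        if state is PortState.OPEN and clear_text:
            line += "  <-- clear-text protocol exposed, review or disable"
        findings.append(line)
    return findings


def _accept_loop(srv):
    """Accept and immediately close connections until the listener is closed."""
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 so the demo has an OPEN port.
    Returns (server_socket, port); close the socket when finished."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Find a port nothing is listening on by binding and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    closed_port = free_closed_port()
    for line in review_findings(scan_ports("127.0.0.1", [open_port, closed_port, 21])):
        print(line)
    srv.close()
```

A port that only times out is reported as filtered, which is the case a SuperScan result cannot tell apart from closed.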

Summary of SuperScan:

SuperScan is a free port scanning utility offered by Foundstone, a division of McAfee. The program is very small in size and effective for what it needs to do. The main feature of SuperScan is to scan a given IP address range for open ports. It displays these results in the bottom window or as an HTML report. Additional capabilities are commands such as ping, traceroute, whois, and hostname lookup. The program seems a little dated, but if you are looking for an easy and quick port scanning utility, SuperScan is an effective option.

NEWT Professional v2.5 (Build 164)
_____________________

NEWT Professional v2.5:
_____________________

NEWT Professional is an extremely informative network discovery and inventory utility by Komodo Laboratories. There are both a professional and a freeware version. The file size is approximately 4.1 MB. You can download the utility here:

Freeware: http://www.komodolabs.com/newtfree.shtml
Professional: http://www.komodolabs.com/newtpro_download.shtml [ CITATION Kom10 \l 1033 ].

NEWT is a powerful tool that will allow administrators to gather detailed information about systems running on the network. It can gather hardware and inventory information remotely without users being impacted. The data is gathered and displayed in an Excel-like view. NEWT allows for export of the data to a Microsoft Access database, HTML, CSV or text files. NEWT will scan for the following items:

NEWT runs on the following Operating Systems:

- Windows NT 4.0
- Windows 2000
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003 and R2 Edition
- Windows Server 2008 and R2 Edition

The program uses a lightweight client that is automatically deployed to clients during the scan. This allows for faster scanning, both initially and on subsequent scans. The client will automatically remove itself without user intervention after a defined amount of time. NEWT will also scan the properties of network devices, such as printers, switches, routers or other peripherals. If administrators are scanning across multiple domains, there is an unlimited credential manager in which to input Domain Admin usernames and passwords:

There are two modes in which to scan with NEWT, Discover Only or Full Scan. For a quick scan of devices and IP addresses simply choose “Discover Only”. This will perform a less invasive scan and simply return a list of devices in a given IP address range:

NEWT Professional (or the free version) is an incredibly powerful network discovery tool that is essential for any network or systems administrator to have.

Steps to run NEWT Professional:

1. When you launch NEWT you will need to configure the credentials to use when scanning the network if you are scanning across multiple domains. If you are scanning a single domain of which you are an administrator, or a workgroup of which you are an administrator, credentials do not need to be entered, as the currently logged on user's credentials will be passed. To access the “Credentials Manager” click on the “Tools” menu:
2. Next you will want to set the scan properties. Typically one would leave the default and scan for everything, but you can customize it:
3. Next you need to define the IP address range of the systems you wish to discover and inventory. Open the scan window by clicking on “Tools” and then “Scanning”:
4. Depending on your objective, whether you just want a quick list of devices present or a detailed inventory of each device, launch the appropriate scan by clicking “Discover Only” for the quick list or “Scan” for the highly detailed scan:
5. You will see the scan in progress:
6. After a short time you will see the scan job complete:
7. You can then double click on the scanned computers and see detailed information regarding the system:
8. After reviewing the content you can then export all the data into a Microsoft Access database, HTML format or a CSV file to import into Microsoft Excel.

Advantages of NEWT Professional:

- There is a free version of the program.
- Easy to use.
- Provides incredible detail about systems.
- Supports scanning of multiple Operating Systems, devices and other peripherals.
- Allows export of data into multiple formats.
- Can scan across multiple domains with additional credentials.
- Automatic installation/uninstalling of client software.

Disadvantages of NEWT Professional:

- Requires administrative rights to run.
- Can be a little processor intensive on the machine conducting the scanning.

Summary of NEWT Professional:

NEWT Professional is a very useful network discovery and inventory tool developed by Komodo Laboratories. With a few clicks an administrator can have a complete network and system inventory across domains and spanning multiple subnets. The program is highly customizable as to which items it collects. If you only need a quick list of devices, the "Discover Only" option avoids the intrusive scan and just displays the devices and their IP addresses. Selecting "Scan" collects everything selected in the scan properties and displays the results in a spreadsheet-like grid. Double-clicking a scanned device opens a window with all of the information discovered about it. An administrator can then export this data to a Microsoft Access database for future reference or to CSV for Excel. The tool is not difficult to use, is not network intensive, and runs without disturbing users on the scanned systems. Any client-side software is deployed silently and removed after a defined period of time. This utility is one of my personal favorites and is used almost daily. It is an essential tool for any network or security professional.

_____________

Snort v2.8.6.1:
_____________

Snort is an open source network intrusion detection and prevention system (IDS/IPS). It was designed primarily to run on Linux and other Unix-like systems but also runs on Windows. Martin Roesch wrote the original version in 1998, and it is maintained by his company Sourcefire (which was later acquired by Cisco, in 2013). The program remains free and is a good starter IDS. It integrates with Linux, MySQL and Apache, so a complete Snort deployment can be built entirely from free software. The Snort installer for Windows is approximately 3 MB in size; the Snort rules package, which you must download separately, is approximately 20 MB. The program can be downloaded from here: http://www.snort.org/snort-downloads (Roesch, 2010).

The Snort rules can be downloaded from here: http://www.snort.org/snort-rules

For detailed instructions on getting Snort to run on Windows, read the instructions here: http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf

Snort is not as seamless to install and configure as most of the software reviewed in this document. Some of the points you must be aware of are:

• The rules package needs to be downloaded and unpacked into the Snort installation directory. To download the rules you must be a registered user.
• You must change several settings in the "snort.conf" file (the rule paths and the HOME_NET variable, which tells Snort which addresses are yours, are the usual ones). The procedure is detailed in the PDF above.
• You are better off leaving the default installation directory of C:\Snort.

Snort gives administrators an effective free product to monitor network traffic and log the results to a database or file. In its simplest form, Snort is a packet sniffer; with a configuration file and rules loaded it is an IDS. The following demonstration shows both.

Steps to run Snort:

This example starts from the point after initial installation and configuration, which includes downloading and applying the rule sets. For more information on that process, review the following document: http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf

1. In its simplest form, Snort acts as a packet sniffer. Open a command prompt and navigate to the Snort\bin installation directory:

2. Next type the command "snort -W" and hit enter. The output lists the network interfaces and the interface number you will need to monitor packet traffic:

3. Type the command "snort" by itself and hit enter to review the command line options:

Familiarize yourself with the usage parameters of Snort. There are many command line switches to take advantage of.

4. To run Snort in sniffer mode simply type the command "snort -dev -i 1", where the number after -i is the interface number determined above (-v prints the packet headers, -d adds the application-layer payload and -e adds the link-layer headers). You will see the packets being captured:

5. When you are finished monitoring, hit "ctrl+c" to stop the capture and display a summary of the packets seen:

As you can see, some TCP, UDP and ARP traffic was captured on the monitored interface.

6. Next run Snort in intrusion detection mode, log the detections and view the output. Run the command "snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 1". The -c switch tells Snort to read the configuration file, which in turn loads the downloaded rule set; -l sets the directory in which alerts and packet logs are written. Snort is fully initialized when you see this screen:

7. Issue a ping command from another workstation to the workstation running Snort. A ping is not an attack in itself; it triggers alerts because the stock rule set includes ICMP rules (for example "ICMP PING", sid 384) that flag echo requests, since ping sweeps are a common first step in reconnaissance. Whether that is useful on your network depends on tuning the rules, as discussed under the disadvantages below.

8. After the pings, hit "ctrl+c" to stop detection. You will notice that Snort counted the alerts it generated and logged them. The logged information is placed in the log folder given with -l, by default within the Snort installation directory:

9. View the "alert.ids" file for the details of each alert: the rule that fired, its classification and priority, the timestamp, and the source and destination addresses:

You can see that the pings were recognized by Snort and logged. This gives administrators visibility into what is happening on the network and, with the database integration mentioned above, an archive of that information for future reference. It also alerts them to suspicious traffic on the network so that appropriate decisions can be made to deal with it.
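The ICMP alerts produced in step 7 come from stock rules such as sid 384 ("ICMP PING"), and on a network where internal pings are routine they are controlled in snort.conf rather than by deleting rules. The fragment below is an added example, not part of the paper or of the Snort distribution. It assumes the lab network is 10.0.1.0/24 and that 10.0.1.5 is a monitoring host that pings constantly, and it uses the event_filter and suppress directives available since Snort 2.8.5, so it applies to the 2.8.6.1 build reviewed here:

```conf
# Added example: snort.conf tuning for the ICMP alerts seen in step 7.
# Not from the paper or the Snort distribution. Assumed: the lab network is
# 10.0.1.0/24 and 10.0.1.5 is a monitoring host that pings constantly.

# 1. Tell Snort which addresses are yours. With the default "any", every ping
#    looks external and the stock $EXTERNAL_NET -> $HOME_NET rules fire on
#    all of it.
var HOME_NET 10.0.1.0/24
var EXTERNAL_NET !$HOME_NET

# 2. Rate-limit sid 384 ("ICMP PING"): at most one alert per source address
#    per 60 seconds. A sweep still shows up once per scanning host; a busy
#    host does not fill alert.ids. (event_filter replaced the older
#    "threshold" directive in Snort 2.8.5.)
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 60

# 3. Silence sid 384 only for the assumed monitoring host. suppress is
#    per-source, so pings from anyone else still alert.
suppress gen_id 1, sig_id 384, track by_src, ip 10.0.1.5

# 4. A local rule for what actually matters: many echo requests from one
#    outside host in a short time, i.e. a ping sweep. Put this rule in
#    rules\local.rules, which the stock snort.conf includes via
#    $RULE_PATH/local.rules; local sids start at 1000000 to stay clear of
#    the vendor rules.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo sweep"; \
    itype:8; detection_filter:track by_src, count 10, seconds 5; \
    classtype:attempted-recon; sid:1000001; rev:1;)
```

After editing, run Snort once with -T added to the command from step 6 to have it parse the configuration and report syntax errors without starting detection, then repeat the ping test: the single ping should now produce at most one alert per minute per source, and none from 10.0.1.5, while a burst of ten or more pings in five seconds from an outside address raises the local sweep alert.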

Advantages of Snort:

• The program is free.
• It is the most widely used open source IDS, so a great deal of technical information about setup and use is available.
• Integrates with MySQL and Apache for archiving alerts and reviewing them later.
• Effective for what it is supposed to accomplish.
• With further configuration Snort can be made to react to threats (inline/IPS mode) as well as detect them.
• Has many options.
• Is not resource intensive.

Disadvantages of Snort:

• It is a command line program with no GUI of its own.
• The program is highly customizable and scalable but is difficult to configure and use. One must research and read the installation and configuration documentation carefully.
• You must keep the rule set updated for Snort to stay effective.
• Snort only sees what its rules describe. Traffic without a matching rule passes silently, and broad stock rules (the ICMP rules above, for instance) fire on traffic that is commonplace on your own network. Tuning, by setting HOME_NET correctly and by thresholding or suppressing noisy rules, is needed before the alerts are trustworthy.
• The free (registered user) release of the Snort rules lags the subscriber release by 30 days. For the newest rules, which cover recently disclosed attacks, you have to buy a subscription.


Summary of Snort:

Snort is a very useful open source intrusion detection and prevention system (IDS/IPS) from Sourcefire. The program is free and relatively small in size. It integrates with MySQL and Apache for complete logging and later review. This makes Snort one of the most capable IDS systems available at no cost. The installation and configuration are a little daunting, but once Snort is correctly configured it is very effective at monitoring all the traffic on a specified interface. Sign up for the commercial rules subscription, for a fee, and you can download and apply the newest rule sets as soon as they are released, to cover newly disclosed attacks as early as possible. Snort was mainly designed to run on Linux but also runs on Windows servers and workstations. It is a command line product, so familiarize yourself with the command line usage. Snort is very lightweight and is not resource intensive. For an effective free IDS, Snort is the best way to go.

__________________

Cain & Abel v4.9.36:


__________________

Cain & Abel is described as a password recovery tool for Windows. In reality its uses go much further. The program is developed and distributed free of charge by OXID.IT, specifically by Massimiliano Montoro. It is relatively small in size at approximately 8 MB. It can be downloaded from this location: http://www.oxid.it/cain.html (Montoro, 2010).

The program was developed to help network administrators and other security professionals better secure systems and networks. Cain is designed to:

• Sniff the network
• Crack password hashes using dictionary, brute-force and cryptanalysis (rainbow table) attacks
• Record VoIP conversations
• Decode scrambled passwords
• Recover wireless network keys
• Reveal password boxes
• Uncover cached passwords
• Analyze routing protocols

Cain's cracker handles a range of hash and credential formats: MD2, MD4, MD5 and SHA-1 hashes, LM and NTLM Windows hashes, RADIUS shared secrets, VNC (3DES) passwords and many more. Rainbow tables are optional, but they make recovery of certain hashes very fast. A rainbow table is a time-memory trade-off: the hashes of every password in a given character set and length range are computed once, in advance, and stored in compressed form, so that cracking a captured hash becomes a table lookup rather than a brute-force search. The trade-off only works for unsalted hash types such as LM and NTLM, where a given password always produces the same hash; a salted hash (as used by most Unix systems and by modern web applications) needs a fresh computation per salt, and no precomputed table applies. The tables are very large. Some free tables can be downloaded from here:

http://ophcrack.sourceforge.net/tables.php

Note that Cain loads rainbow tables in the RainbowCrack (.rt) format, such as those produced by the winrtgen utility bundled with it; the ophcrack tables at the link above are in ophcrack's own format and are used with ophcrack itself.
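The rainbow table point above is easy to demonstrate. The following Python program is an added example, not code from the paper or from Cain & Abel; it uses MD5 (always available in Python's hashlib) in place of LM/NTLM, and the word list, the victim password and the salts are constructed for the demonstration. It builds a small precomputed hash-to-password table, shows that a lookup cracks an unsalted hash immediately, that the same table misses a salted hash of the very same password, and that a salted hash still falls to a per-target dictionary attack:

```python
"""Added example (not from the paper or from Cain & Abel): why precomputed
tables crack unsalted hashes instantly and why a salt defeats them.
MD5 stands in for LM/NTLM because it is always available in hashlib; the
logic is identical. All inputs are constructed for the demonstration."""
import hashlib
import os

# A small "wordlist", standing in for the dictionary or the password space
# that a rainbow table covers. Constructed for the example.
WORDLIST = ["password", "letmein", "Summer2012", "drexel", "qwerty123"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once. This is the idea behind a rainbow
    table (a real table compresses the mapping into hash chains, but the
    property that matters is the same: the hash depends only on the
    password, so one table serves every victim)."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(target_hash, table):
    """A lookup, not a computation: cost is independent of how many hashes
    were captured or how many victims share the table."""
    return table.get(target_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted construction; the salt is stored next to the hash in clear."""
    return md5_hex(salt + password.encode())


def crack_salted(target_hash, salt, words):
    """With a salt, the precomputed table is useless (lookup misses) and the
    attacker must redo the work per salt: one hash per word per target."""
    for w in words:
        if hash_salted(w, salt) == target_hash:
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)
    victim = "Summer2012"

    unsalted = md5_hex(victim.encode())
    salt = os.urandom(8)
    salted = hash_salted(victim, salt)

    return {
        "table_hit_unsalted": crack_unsalted(unsalted, table),      # 'Summer2012'
        "table_hit_salted": crack_unsalted(salted, table),          # None
        "dictionary_salted": crack_salted(salted, salt, WORDLIST),  # 'Summer2012'
        # Same password, two salts -> two unrelated hashes, so no shared table.
        "salts_differ": hash_salted(victim, b"a" * 8) != hash_salted(victim, b"b" * 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Cain's cryptanalysis attack does at scale what build_lookup_table does here, with the table compressed into hash chains. The reason it works against LM and NTLM at all is the missing salt: Windows stores the same hash for the same password on every machine, so one set of tables serves every domain.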

Steps to run Cain & Abel:

In this demonstration I use Cain to sniff the network for hosts and to monitor those hosts for any passwords. Where a captured password is only available as a hash, a dictionary or brute-force attack is run against it.

1. Execute Cain and click on "Configure". Be sure to select the appropriate network interface and click "OK".

2. Click on the "Sniffer" tab. Activate the sniffer by clicking on the "Start/Stop Sniffer" circuit-board icon. Right-click anywhere in the lower window and choose "Scan MAC Addresses":

3. Choose all hosts in the subnet or a range of IP addresses:

4. You will see the list of hosts on the network that was generated:

5. At the bottom of the Sniffer tab click on the "APR" tab (ARP Poison Routing). Everything from here to step 9 is an active man-in-the-middle attack: Cain sends forged ARP replies so that the router and the chosen hosts each send their traffic to your machine, which forwards it on. Only do this on a network you are authorized to test, because it alters other people's traffic and can disrupt it.

6. Click on the "+" symbol. In the left list select your router's IP address and in the right list select the hosts whose traffic you want to intercept:

7. Then click on the "Start/Stop APR" icon:

8. You will notice that Cain is actively poisoning and sniffing:

9. I executed a couple of functions that would allow Cain to pick up sensitive traffic. Stop the poisoning by clicking again on the "Start/Stop APR" icon:

10. On the Sniffer tab click on the "Passwords" tab at the bottom:

11. Notice that Cain picked up an FTP session and a password for Facebook:

FTP (TCP port 21) sends the user name and password in clear text, so Cain displayed the full characters:

12. If you wanted to crack the Facebook password you can right-click the line item and click "Send to Cracker":

13. Run the hash against a rainbow table, a dictionary, or a brute-force attack. Brute force can take days or longer depending on the length and character set of the password; dictionary and rainbow table attacks are fast but only find passwords they cover. This tool is very effective for administrators to monitor the network for insecure protocols and passwords being sent in clear text. In addition, Cain can scan wireless networks for SSID information along with the encryption details, and captured key material can be run against rainbow tables or dictionaries. Cain also includes other useful tools such as traceroute, query tools for several database formats, and VoIP recording.
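Steps 5 to 7 are what ARP poisoning looks like from the attacker's chair; the defender's view is a table of IP-to-MAC bindings that suddenly changes. The following Python program is an added example, not code from the paper or from Cain & Abel. It replays a constructed sequence of ARP replies (the addresses are assumptions; nothing is captured live) and raises an alert on the two symptoms APR produces: a baseline binding changing, and one MAC address answering for several hosts:

```python
"""Added example (not from the paper or from Cain & Abel): detecting the
ARP poisoning performed in steps 5-7 from the defender's side. The baseline
bindings and the replayed ARP replies are constructed; the addresses are
assumptions for the demonstration."""
from collections import defaultdict

# Known-good bindings, e.g. from a DHCP lease export or a clean baseline
# capture. Constructed for the example.
BASELINE = {
    "10.0.1.1": "00:1a:2b:3c:4d:5e",    # gateway
    "10.0.1.121": "00:0c:29:aa:bb:cc",  # workstation
}

# (sender IP, sender MAC) taken from ARP "is-at" replies, in arrival order.
# The last two are what Cain's APR sends: it claims the gateway towards the
# workstation and the workstation towards the gateway. Constructed.
SAMPLE_REPLIES = [
    ("10.0.1.1", "00:1a:2b:3c:4d:5e"),
    ("10.0.1.121", "00:0c:29:aa:bb:cc"),
    ("10.0.1.1", "00:11:22:33:44:55"),
    ("10.0.1.121", "00:11:22:33:44:55"),
]


def detect_arp_spoofing(replies, baseline):
    """Walk ARP replies and return a list of alert strings (empty = clean).

    Symptom 1: an address that had a known MAC is suddenly claimed by another.
    Symptom 2: a MAC that is not in the baseline answers for several IPs.
    A router legitimately owns several addresses, so symptom 2 is only
    raised for MACs absent from the baseline, and only once per MAC."""
    bindings = {ip: mac.lower() for ip, mac in baseline.items()}
    ips_per_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)
    trusted_macs = set(bindings.values())
    reported_multi = set()
    alerts = []

    for sender_ip, sender_mac in replies:
        sender_mac = sender_mac.lower()
        known = bindings.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append(
                f"binding change: {sender_ip} was {known}, now {sender_mac}")
        bindings[sender_ip] = sender_mac  # track the current (possibly poisoned) state
        ips_per_mac[sender_mac].add(sender_ip)

        claimed = ips_per_mac[sender_mac]
        if (sender_mac not in trusted_macs and len(claimed) > 1
                and sender_mac not in reported_multi):
            reported_multi.add(sender_mac)
            alerts.append(
                f"one MAC answers for several hosts: {sender_mac} -> {sorted(claimed)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, BASELINE):
        print(line)
```

A real deployment would feed the function from a capture (WinDump or Wireshark both show ARP replies) or from periodic reads of the ARP cache. Static ARP entries for the gateway on critical hosts and dynamic ARP inspection on managed switches are the corresponding preventive controls; the detector above is what tells you they are missing.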

Advantages of Cain & Abel:

• The program is free.
• Allows sniffing the network for vulnerable protocols and clear-text passwords.
• You can recover passwords via a dictionary, brute force or a rainbow table.
• Recovery of weak or unsalted passwords is relatively fast.
• Provides other useful tools such as traceroute and wireless network scanning.

Disadvantages of Cain & Abel:

• For the program to be really efficient at recovering passwords, rainbow tables are needed, and they are very large files.
• This is an advanced program and can be intimidating.
• Brute-force attacks on a password hash are definitely processor intensive.
• ARP poisoning routes the victims' traffic through your machine and typically targets a central device such as the router, so it can slow network performance or break connectivity; it is also detectable by the network's owners.


Summary of Cain & Abel:

Cain & Abel was designed as a password recovery tool but has grown into much more. The program is maintained by OXID.IT, specifically Massimiliano Montoro. Cain is capable of sniffing the network for vulnerable protocols and displaying captured passwords as hashes or in clear text. Hashes can then be run against a dictionary, a brute-force attack or a rainbow table. Cain handles MD2, MD4, MD5 and SHA-1 hashes, LM and NTLM, RADIUS shared secrets, VNC (3DES) passwords and many more formats. The program also includes the ability to record VoIP communication, perform functions such as traceroute, and scan for detailed information on wireless networks. Administrators can take advantage of Cain's many utilities for deep inspection of network traffic. Once vulnerable traffic is identified, corrective measures can be put in place. Cain & Abel is a very effective free tool that belongs in the toolkit of any computer forensic or network security professional.

___________

Netcat 1.1.1:
___________

Netcat is a utility for reading and writing data across TCP and UDP connections. That one capability lets it serve as a port scanner, a banner grabbing tool, a port redirector, a listener, or a back door. It is a great utility for debugging network problems and as an exploration tool, but it can just as easily be used for malicious purposes. The primary feature set of Netcat is the following:

• Outbound and inbound connections, TCP or UDP, to or from any ports.
• A tunneling mode that also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).
• Built-in port-scanning capabilities, with randomizer.
• Advanced usage options, such as buffered send mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.

The utility was originally written by "Hobbit" in 1996, and others have contributed code since. It was intended for the UNIX environment, but a Windows port has also been compiled. Comparable utilities are Ncat, from the Nmap project, and socat. The utility is very small in size and can be downloaded here: http://joncraton.org/files/nc111nt.zip (Hobbit, 2004).

Most anti-virus programs flag Netcat as a potentially unwanted program or "hack tool" because of its use in back doors. Specifically, the computer on which this file was extracted is running McAfee Anti-Virus, which detected it as a "Potentially Unwanted Program" as shown below:

Steps to run Netcat:

1. Netcat is run from the command line. Once you have downloaded the program and extracted the contents, open a command prompt and navigate to the directory where you extracted it. The first command to run is "nc -h", which displays the help information for the various command line switches:

2. Once you have a firm comprehension of the switches, run Netcat in its simplest form, the port scan. Type the following command:

nc -v -w2 -z 10.0.1.121 1-140

This scans ports 1 through 140 on the given IP address. The switches are -v (verbose, report each port), -w2 (wait at most 2 seconds per connection) and -z (zero-I/O mode: connect and close without sending data). The range above is only an example; refer to the help listing for the other switches. Netcat can also be used as a banner grabbing utility.

3. Banner grabbing simply means making the target return its application name and version. Connect to a service port with -v and the -n switch (no DNS lookups), then wait for, or provoke, the service's greeting:

nc -v -n 10.0.1.121 25 (SMTP)

nc -v -n 10.0.1.121 21 (FTP)

nc -v -n 10.0.1.121 80 (HTTP)

SMTP and FTP servers announce themselves as soon as you connect. A web server says nothing until it receives a request, so after Netcat reports the port open, for example:

(UNKNOWN) [10.0.1.121] 80 (?) open

you type a request line such as "GET / HTTP/1.0" followed by an empty line, and the Server header in the response gives the version. The following request line, which appears here with a different target address, shows the same technique used offensively:

GET http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

It is the well-known IIS 4.0/5.0 double-decoding directory traversal (Microsoft bulletin MS01-026): it only works against unpatched servers of that era, and it was not run against the lab host.

4. Netcat is useful as a back door because it can be run to listen on a specific port and hand the connection to a program. Some versions of IIS had vulnerabilities that allowed remote connections to upload files, and one such file can be Netcat. Once Netcat has been uploaded, the attacker starts it listening on a chosen port with the -e switch pointing at cmd.exe, and can then connect to that port with telnet (or another Netcat) and receive a command shell:

In addition to the above, Netcat can provide simple proxy services, transfer files, and act as a listener, along with a host of other features. It is best to become familiar with all the command line switches listed in the help output. There are also plenty of online tutorial resources for more advanced usage.
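The scan in step 2 and the banner grab in step 3 are just TCP connects with a little reading and writing, and the listener in step 4 is the same thing in reverse. The following Python program is an added example, not code from the paper or from Netcat; it reproduces both roles with the standard socket module against a throwaway listener on 127.0.0.1, so it runs without nc installed. The FTP-style greeting and the port numbers are constructed for the demonstration:

```python
"""Added example (not from the paper or from Netcat): what 'nc -z' and a
banner grab do on the wire, plus the listener role, using only the standard
socket module. Runs entirely against 127.0.0.1; the greeting text is
constructed to look like an FTP banner."""
import socket
import threading

BANNER = b"220 lab.example FTP server ready\r\n"  # constructed greeting


def start_banner_listener(banner=BANNER, host="127.0.0.1"):
    """Stand-in for a Netcat listener that serves a greeting: accept one
    connection at a time, send the banner, close. Port 0 lets the OS pick a
    free port. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # so the serving thread can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def scan_ports(host, ports, timeout=2.0):
    """Equivalent of 'nc -v -w<timeout> -z host lo-hi': a full TCP connect
    per port, then close without sending anything. Returns the open ports.
    connect_ex returns an errno instead of raising, so closed ports (refused)
    and filtered ports (timeout) are handled the same way."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, probe=b"", timeout=2.0, max_bytes=1024):
    """Equivalent of 'nc -v -n host port': connect, optionally send a probe
    (HTTP needs one, e.g. b"GET / HTTP/1.0\r\n\r\n"; FTP and SMTP speak
    first, so an empty probe suffices) and return what the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def free_closed_port(host="127.0.0.1"):
    """Pick a port with nothing listening on it (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    port, stop = start_banner_listener()
    try:
        closed = free_closed_port()
        found = scan_ports("127.0.0.1", [closed, port], timeout=0.5)  # -> [port]
        banner = grab_banner("127.0.0.1", port)                      # -> BANNER
    finally:
        stop()
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = demo()
    print("open ports:", found)
    print("banner:", banner.decode(errors="replace").strip())
```

Against a real target, scan_ports("10.0.1.121", range(1, 141), timeout=2) is the equivalent of the nc -v -w2 -z command in step 2, and grab_banner with probe=b"GET / HTTP/1.0\r\n\r\n" is what you do by hand after nc reports port 80 open. The same limitation applies as with nc: every probe is a complete TCP connection, so the target's logs record it like any other client.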

Advantages of Netcat:

• The program is free.
• There are Windows and Linux/UNIX versions.
• The utility is not processor intensive.
• It can scan ports on remote systems.
• It can act as a listener on a defined port, optionally handing the connection to a program.
• Can transfer files.
• Effective for what it is intended.

Disadvantages of Netcat:

• The utility can be a little advanced for the novice.
• It is a command line utility with no GUI.
• Flagged as a potentially unwanted program by most anti-virus products.


Summary of Netcat:

Netcat is a program for reading from and writing to network connections using TCP or UDP. It is a feature-rich network debugging and investigation tool that can be used as a back door, banner grabber or port scanner, among various other abilities. Netcat is designed to be a reliable back-end tool that can be used directly from the command line or driven by other programs and scripts. Netcat is often referred to as the "Swiss-army knife for TCP/IP", given its feature set and its small size. The tests performed with Netcat yielded positive results. The program does exactly what it is intended to do. The help output makes the various command line switches easy to understand, and there are plenty of online tutorials for the utility as well. The tool is not processor intensive and is highly customizable. Overall, Netcat is an impressive little utility for remote exploration of systems and networks.

__________________

inSSIDer 2.1.1.1387:
__________________

The utility inSSIDer is an open source wireless network scanner for Windows from MetaGeek, LLC. This product review was originally going to cover NetStumbler, but it was quickly realized that that utility is incompatible with newer operating systems. This is precisely why MetaGeek developed inSSIDer: a Wi-Fi network scanner designed for the current generation of Windows. The inSSIDer utility is compatible with Windows 2000 through Windows 7, Mac and Linux. With inSSIDer you can:

• Scan and filter hundreds of nearby access points.
• Troubleshoot competing access points and clogged Wi-Fi channels.
• Highlight access points in areas with a high concentration of Wi-Fi networks.
• Track the strength of received signals in dBm over time.
• Sort results by MAC address, SSID, channel and RSSI.
• Export Wi-Fi and GPS data to a KML file for Google Earth. inSSIDer is compatible with most GPS devices (NMEA v2.3 and later).

The Windows MSI installer is small, at 1.8 MB, and can be downloaded from the following location: http://files.metageek.net/downloads/inSSIDer-Installer-2.1.1.13.msi (MetaGeek, 2012). The utility requires the Microsoft .NET Framework version 2.0, a wireless network adapter and, if you wish to use that feature, a GPS receiver. It is best to ensure the newest version of .NET with all service packs has been applied to the workstation before installing inSSIDer. The installation is easy but does require administrative privileges on the workstation. The installer automatically detects the wireless adapter, and scanning begins as soon as the program is launched.

Steps to run inSSIDer:

1. After installing inSSIDer, simply launch the program. The utility begins scanning the area for any wireless access points. The main screen is shown in the following screen shot:

2. You have the option to apply filters:

3. The scan process is ongoing. As the utility picks up more wireless networks, they are added to the list. The main area displays all of the necessary information on the wireless networks, including MAC address, SSID, signal strength, channel and security type:

Notice that there is one completely open wireless network with an SSID of TRENDnet. This suggests to me that the individual simply purchased a wireless router and plugged it in. It likely still has the default username and password of "admin", with which anyone could log into the interface of the wireless router. In addition, multiple "Westell" wireless devices were discovered. They are most certainly Verizon DSL routers. WEP encryption is easily broken. All of these access points are susceptible to attackers. It is always best to disable the radio altogether on any ISP-issued consumer-grade device. Specifically, these routers should be placed into bridge mode, where the device simply passes packets. I could go into detail but it is outside the scope of this document. Lastly, for testing purposes, I enabled the SSID broadcast of one of the wireless devices directly connected to my network.

4. There are also useful tabs within the main interface of inSSIDer. These include the Time Graph, the 2.4 GHz and 5 GHz channel views, and GPS if you have that feature activated:

There are no 5 GHz channels in range (mine are disabled) and the GPS feature is disabled. Nevertheless, inSSIDer provides a great many details about the surrounding wireless networks. All of this information is just as useful to attackers and war drivers as it is to the administrator.

Advantages of inSSIDer:

• The program is open source and therefore free.
• Incredibly easy to use.
• Displays all of the necessary information on each wireless access point, even when the SSID is not broadcast.
• Works with the newest Windows operating systems.
• Includes a GPS feature that can be used together with Google Earth.

Disadvantages of inSSIDer:

• There are no disadvantages to inSSIDer if you are a Windows, Mac or Linux user.

Summary of inSSIDer:

The inSSIDer utility is an open source wireless network scanner developed by the MetaGeek team. It was built as a replacement for NetStumbler that supports the newest operating systems. With inSSIDer you can gain insight into any wireless network within range, including MAC address, SSID, signal strength, hardware vendor, channel information and encryption type. The software is small and was easy to install. The added GPS and Google Earth integration is definitely a bonus. The utility is not processor intensive and provides an intuitive GUI. The information shown in the main interface of inSSIDer is very useful to attackers and war drivers, and equally useful to an administrator looking for rogue or misconfigured access points. This utility accomplishes exactly what it is supposed to.

______________

WinDump 3.9.5:
______________

The utility WinDump is the Windows equivalent of tcpdump for Linux and UNIX systems. WinDump runs under all versions of Windows supported by WinPcap. WinDump is free and is released under a BSD-style license. WinDump captures packets through the WinPcap library and drivers, which are freely available from the WinPcap.org website and must be installed first. The utility also supports 802.11b/g wireless capture through the Riverbed AirPcap adapter, a hardware device available for purchase. There is no installation package for WinDump: the downloaded executable is the entire package, and you simply pass commands to it to run packet captures. The utility can be downloaded from the following location: http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe (Riverbed, 2011).

*NOTE*

Using PowerShell together with WinDump can make the packet capture a little easier to read. The tutorial that follows uses a PowerShell script that color-codes the output for easier viewing. The script can be downloaded from the following Windows Security Blog post by Jason Fossen: http://www.sans.org/windows-security/2009/10/22/windump-color-highlighting/ (Fossen, 2009). Note that PowerShell 2.0 or later is needed.

Steps to run WinDump:

1. The first step is to ensure that the prerequisites for WinDump have been installed: WinPcap, and PowerShell if you want to use the color-coding script. Next, run the command to display the help to become familiar with the usage. The command is:

windump -help

2. Verify which network interface WinDump is to capture on. The command is:

windump -D

In this case the only adapter present is the VMware virtual adapter of the virtual machine I am testing from.

3. The PowerShell script comes into play when starting a packet capture. To run a simple capture, execute the script by typing "sniff.ps1" in the PowerShell window:

4. To get more detail on the captured packets, pass additional WinDump parameters through the PowerShell script. In the following command, -v adds verbose packet decoding, -t drops the timestamps and -X prints the packet contents in hex and ASCII; -spacing 2 adds blank lines between packets for easier viewing:

Sniff.ps1 -options "-v -t -X" -spacing 2

Keep in mind that WinDump 3.9.5, like the tcpdump it is built from, captures only the first 96 bytes of each packet by default, so the -X dump is truncated; add -s 0 to the options to capture whole packets.

5. WinDump can also be told to show only the traffic of a particular host. The "host" expression is a capture filter (the same BPF syntax tcpdump uses): it keeps only packets sent to or from that address among the packets the local interface actually sees, so a remote host's traffic appears only if it passes the capturing machine (for example through a mirror port or, as in the Cain & Abel section, ARP poisoning):

Sniff.ps1 -options "-v -t -X host 10.0.1.121" -spacing 2

In the above example, you can see that the host 10.0.1.121 had established a connection to the Internet, specifically to MSN.com:

Advantages of WinDump:

• The program is free.
• There is no installation package; the utility is a single executable.
• It is a simple utility and relatively easy to use.
• The program is portable, being a single executable (WinPcap must be present on the host, however).
• Capture filters let you restrict the capture to a particular host, protocol or port.

Disadvantages of WinDump:

• Output from the native command line is a bit hard to read. The PowerShell script makes it easier.
• Requires the installation of other software, namely WinPcap and, for the script, PowerShell.
• It is a command line tool and does not provide a GUI.

Summary of WinDump:

WinDump is the Windows equivalent of tcpdump on Linux. The program is free and small in size, since it is a self-contained executable. The only regrettable part is that the utility needs prerequisites such as WinPcap or, for the script, PowerShell. This is not a deal breaker, though: the utility is powerful enough to warrant a little preparation work. With the PowerShell script the output is easier to read. There are plenty of command line switches and capture filter expressions, making it customizable for whatever is intended to be captured, whether all traffic on the local interface or only the packets of a particular host. The program is small, portable with a bit of work, and not processor intensive. Overall, WinDump does what it is designed to do, which is simple packet capture.

Project Summary:

In this paper we reviewed LANTricks LANSpy, Nessus, Wireshark, Foundstone (McAfee) SuperScan, NEWT Professional, Snort, Cain & Abel, Netcat, inSSIDer and WinDump. The objective of this document was to review each of the referenced programs in detail and, in doing so, learn the importance of computer security and gain more insight into system and network vulnerabilities. Some of these tools I knew about but had never used. This assignment gave me the opportunity to explore deeper into the realm of system and network security. As a senior-level engineer, I now have the knowledge to better secure the systems and networks that have been placed under my supervision. Most of these tools I will continue to use.

Each of these programs was useful in its own right. I have read about Snort plenty of times in the past and have implemented solutions using it on occasion. Including Snort in this project gave me the opportunity to explore its uses and ultimately recognize how powerful the program is. Snort is an open source solution, which automatically makes it appealing, but more so is how robust and efficient the program really is. In addition, Snort integrates with other open source programs such as MySQL and Apache, making a complete open source IDS implementation possible. There are also front ends and bundled distributions, such as Snorby (a web front end for Snort alerts) and Smooth-Sec (a Linux distribution that ships Snort and Snorby preconfigured). For these reasons I have chosen Snort as my favorite utility of the reviewed programs.

LANTricks LANSpy is a simple utility for scanning remote systems and generating a list of specifics about each system, such as open ports, shared resources, users and groups, and running processes. This product was not as good as I thought it would be but is still a good utility for a quick scan of remote systems. The superior scanning and capture utilities are Wireshark, NEWT and WinDump, along with inSSIDer on the wireless side.

Foundstone SuperScan is a dated product. Windows XP Service Pack 2 restricted the raw sockets that SuperScan's scanning relies on, which makes it less effective there, and even more so on newer operating systems. There are other products that accomplish the same tasks, are open source and are still relevant to current technology. For these reasons I have chosen SuperScan as the least favorite and least effective.

Overall, I was pleased with each of the products reviewed. Nessus was probably the most processor intensive, but only for the duration of the scan. I have been aware of all of these products and use them on a semi-regular basis. I would recommend that any user or engineer have these applications in their arsenal of IT security products.

Future Implications:

Systems and Network Engineers have the responsibility to keep data safe and securely

transmitted so this data is not stolen or compromised. Each computer user across the planet also

should share this responsibility. Various security centric tools in general can be used to thwart

malicious individual’s intentions on stealing data or identities and thus creating a more secure

Internet infrastructure for all to use.

In order to be successful in securing data and communication, the correct tools need to be

in place. The tools reviewed in this document are a good place to start. The future of security

tools needs to focus on hardening all communication. That is, encrypting all data and

communication across the entire public and private network infrastructure. This might seem like

a monumental task and will likely never be achieved. However, every little bit helps.

For securing corporate networks and systems, administrators should have proper IPS/IDS and firewalls in place and should conduct regular audits of the packets crossing the network, looking for potential vulnerabilities. One tool reviewed in this document, Snort, is a fine example of what needs to be deployed on any company network to scan packets for potential security threats. Other tools reviewed, such as Wireshark, Nessus, and WinDump, can also aid in auditing network communications. The Nessus vulnerability scanner gives insight into system vulnerabilities that can be resolved by disabling unneeded services or by installing operating system or application patches. The point is that there are many resources readily accessible on the Internet for securing the infrastructure, whether utilities such as those reviewed in this document or the knowledge necessary to secure the environment.

Let's also not forget about IT policies. For security to be truly effective, especially in the corporate environment, you need well-written and highly detailed IT security policies. Make it mandatory to conduct security audits and to communicate to employees the proper use of systems, email, the Internet, and the data they interact with.

Security audits and tools in general will only get better. As IT professionals gain experience and knowledge, they will no doubt build upon those experiences and design even more efficient security programs and auditing utilities. The ultimate goal is a completely secure public and private infrastructure. Hopefully, with hard work, research, and ingenuity, IT professionals will continue forward with great ideas and security implementations.

End Note References:

Fossen, J. (2009, October 22). WinDump Color Highlighting PowerShell Script. Retrieved May 27, 2012, from Sans.org: http://www.sans.org/windows-security/2009/10/22/windump-color-highlighting

Hobbit. (2004, December 27). Netcat. Retrieved May 26, 2012, from JonCraton.org: http://joncraton.org/files/nc111nt.zip

Laboratories, K. (2010). NEWT Professional. Retrieved May 19, 2012, from Komodolabs.com: http://www.komodolabs.com/newtpro_download.shtml

LanTricks. (2010). LanSpy. Retrieved May 19, 2012, from LanTricks.com: http://lantricks.com/lanspy/

McAfee. (2003). SuperScan. Retrieved May 19, 2012, from Foundstone.com: http://www.foundstone.com/us/resources/proddesc/superscan.htm

MetaGeek. (2012, February). inSSIDer. Retrieved May 27, 2012, from MetaGeek.net: http://files.metageek.net/downloads/inSSIDer-Installer-2.1.1.13.msi

Montoro, M. (2010). Cain & Abel. Retrieved May 19, 2012, from Oxid.it: http://www.oxid.it/cain.html

Roesch, M. (2010). Snort. Retrieved May 19, 2012, from Snort.org: http://www.snort.org/snort-downloads

Security, T. N. (2010). Nessus. Retrieved May 19, 2012, from Nessus.org: http://www.nessus.org/download/

Team, T. W. (2010). Wireshark. Retrieved May 19, 2012, from Wireshark.org: http://www.wireshark.org/download.html

Technology, R. (2011, December 6). WinDump. Retrieved May 27, 2012, from WinPcap.org: http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe
