Professional Documents
Culture Documents
Drexel University
Professor Tim Gillin
CT-472 IT Security Defense Countermeasures
Spring Quarter 2012
Monday, June 11th, 2012
Table of Contents
Abstract..........................................................................................................................................4
Page 2 of 100
Disadvantages of Snort............................................................................................................61
Summary of Snort....................................................................................................................62
Cain & Abel v4.9.36.....................................................................................................................64
________
Abstract:
________
In this document, ten Defense Countermeasure Tools are analyzed. The tools analyzed
Professional, Snort, Cain & Abel, Netcat, inSSIDer, and WinDump. We will explore each tool’s
use, advantages, disadvantages and overall complexity. In addition, a tutorial of each tool will be
LanTricks LanSpy
v2.0.0.155
__________________________
LanTricks LanSpy is a network scan utility that provides in-depth details of the targeted
systems, all from a single, easy-to-use interface. LanSpy is a simple yet powerful network
auditing tool that will scan systems for processes, installed applications, shares, open ports, users
and groups, along with many other details. The LanSpy installation is small in size at 1.1MB and
Windows 2000
Windows XP
Windows Vista
Windows 7
LanSpy is made for gathering the following information about a remote computer:
Ping
Domain name
NetBios names
MAC address
Server information
Domain controllers
Remote control
Time
Disks
Users
Logged users
Global groups
Local groups
Security options
Shared resources
Sessions
Open files
Services
Processes
Registry
Event log
Once you open the utility you can configure options such as authentication and the
detection parameters. The program is not processor intensive and can remotely scan other
workstations or servers as well. For a simple utility it is quite effective for its purpose. For these
reasons it is one of the utilities I use often to remotely audit certain workstations.
Steps to run LanSpy:
1. Open LanSpy from the programs menu and first choose to set up your options from the
File menu:
In the options interface set up the scan properties, authentication, the operations to
For the purposes of this tutorial I have chosen my localhost. Click the icon to start the
scan process.
3. The lower pane shows the status of the various scan operations:
4. Once the scan operations complete you can analyze the results. By clicking the
icon you can expand the selection to view what was discovered:
For instance, in this scan we see that at this particular moment the following ports are
open:
5. As an administrator for auditing purposes, you can export the findings to such formats as
Advantages of LanSpy:
Easy to use.
The utility has the ability to scan an entire subnet or individual systems from remote
locations.
Disadvantages of LanSpy:
Summary of LanSpy:
LanTricks LanSpy is a network scan utility that is great for conducting quick audits of local or
remote systems. The program is small in size and is easily configured. By specifying a local or
domain-level administrative account, you can scan the selected systems for a wide range of
items such as open ports, users and groups, shared resources and much more.
Once the results are displayed they can be analyzed and saved in HTML or XML format for
future reference. The program is simple, quick and effective for what it is supposed to
accomplish all without being processor intensive or intrusive to the end system. This is a great
v4.2.2 (Build 9129)
_______________________
systems and detects potential network and Operating System related vulnerabilities. Nessus is
offered for home use for free through subscription to the “Nessus HomeFeed” and for businesses
by subscribing to the “Nessus ProfessionalFeed” for approximately $1,200 per year. The Nessus
installation file is 10.8 MB in size and in the form of an MSI file. Nessus is no longer a client-
based product but rather a client-server, web-based product. It now uses a web interface for
configuration, scanning and reporting. The server side contains the “Plug-Ins”, which are the
vulnerability database, and the scan engine. There are over 37,000 plug-ins available for Nessus,
each scanning for vulnerabilities. The client piece is a web interface that contains the reporting
tool and is where you set configuration options and initiate scans. Nessus is supported on the
Windows XP
Windows Vista
Windows 7
Mac OS X Tiger
Mac OS X Leopard
Debian Linux
Fedora Linux
SuSE Linux
Ubuntu Linux
FreeBSD 7
Solaris 10
Once you install Nessus you must subscribe to the “HomeFeed” and an email will be sent to you
containing the activation key. You input this key in the Nessus Server Manager registration area:
Immediately after applying the activation key, Nessus will download and install all
current plug-ins available for the HomeFeed subscription (or ProfessionalFeed depending on the
subscription). Here is also where you can set Nessus to start automatically, manage users or stop
1. Nessus no longer has a client piece of software, only a web interface. Your first user
needs to be created via the Server Manager referenced above. Open your Internet browser
2. You will be brought to the web interface login page. If you are unable to browse to this
location it is likely that your built-in Windows Firewall is blocking the application. You
will need to create an exception to allow the program and port to be unrestricted:
3. Before you are able to perform a scan you must configure at least one vulnerability scan
4. Now you must step through the process of creating your scan policy. For the purposes of
this tutorial you can leave the default selections. However, there are quite a few different
5. On the plug-in page you can choose to deselect any of the vulnerability scan definitions
by clicking on the orange circle. Notice there are currently 37,515 definitions within the
6. When you are finished customizing click “Submit” to create the scan policy.
8. The next step is to add a host or network to scan. Click on the “Scans” tab and click
“Add”:
9. Define the name for your scan, choose to run now, select the policy that was created
above from the drop down menu, and define the IP subnet range or single host to scan.
10. Let the process run. You can check the status by double clicking the scan job. After a bit
11. From the results screen you can click on each individual vulnerability found; in this scan
only low priority issues were found. Or you can choose to download all the results to one
Choose “HTML export” from the drop down menu:
12. Review the detailed report for the findings of the scan and determine if any corrective
For instance, this particular computer runs VNC and the Nessus scan picked that up as a
Advantages of Nessus:
Easy setup.
Disadvantages of Nessus:
Does not play well with VMware guests. Runs much more efficiently on physical
hardware.
Summary of Nessus:
Nessus from Tenable Network Security is a powerful network and system vulnerability
scanner. Nessus was originally an open source product but was closed after Tenable bought the
rights. However, Tenable still releases the functionality of Nessus to home users for free by
subscribe to. Nessus is a client-server software product with a built-in Oracle database. The
client interface is accessed via an Internet browser on port 8834. The Nessus server contains a
vulnerability database, referred to as plug-ins, that contains the definitions of what to scan for.
At the time of this writing there are over 37,000 plug-ins available for Nessus.
Nessus allows you to scan one IP Address or a range of IP Addresses effectively covering
an entire subnet. After the scan is complete, Nessus will generate a detailed report of its findings
and offer solutions to the found vulnerabilities. You can download the findings into one easy to
follow HTML report. As a broad overview, Nessus will scan for missing patches, open ports and
running applications, audit antivirus software and discover potentially sensitive data. Nessus
supports practically all major Operating Systems which makes this product very appealing to
System and Network Administrators as a one product solution for scanning corporate networks
for potential vulnerabilities. Overall, the program is not difficult to use and is effective for what
Network Protocol Analyzer
v1.2.10
_________________
Wireshark v1.2.10:
_________________
Wireshark is a free, open source packet analyzer originally called Ethereal and written by
Gerald Combs. It was renamed to Wireshark in 2006 because of copyrights held on the name
Ethereal. Wireshark is freely available under the GNU General Public License (GPL) and is actively
maintained and enhanced by many people. The main purpose of Wireshark is to analyze all
packets being sent and received from a particular network interface. This allows network
administrators to determine what kind of packet traffic is traversing the network. If you have
been charged with the secure transmission of data on the network, you can use Wireshark to
analyze the packets for any sensitive data that is sent in clear text. For example, the protocols
FTP, SMTP and POP are inherently insecure and anyone using these protocols has the potential
Wireshark is approximately 18MB in size and runs on the following Operating Systems:
Windows XP
Windows Vista
Windows 7
Mac OS X Tiger
Mac OS X Leopard
Debian Linux
Fedora Linux
Red Hat Linux
SuSE Linux
Ubuntu Linux
FreeBSD 7
Solaris 10
that allows Wireshark to capture packets on Windows LAN and WLAN interfaces. WinPcap is
Download and install the Wireshark program. It is self-explanatory, just accept the defaults.
This tutorial will display a simple secure POP connection from an email that is sent. Ports
1. You have the option to set the capture options from the “Capture” menu. Typically you
3. When the Interfaces dialog box opens you will see which interfaces are currently
attached to the network, as packets will be shown being received on them. Typically this will be one
4. You will see the lower pane filling with data from the packet capture. Once you are
finished with the capture click on “Stop” from the “Capture” menu. For this packet
capture I sent a test email via SSL. The capture will not show you the detail
5. Notice the source port is 465 which is stated in the above screen shot and the data part of
6. If you wanted to just filter out the particular traffic that deals with the SSL traffic, you
can apply the filter “tcp.port eq 465”. Click on “Apply” and the lower window will only
7. At this point an administrator can dissect the result of the packet capture and diagnose
network problems or the amount of sensitive data being transmitted over the network.
Familiarize yourself with the various menus and options. The most important to
understand are:
The packet window (top): this lists the packets with source, destination, protocol
The packet detail window (middle): Show the detail of the packet that is
highlighted in the top window. It will highlight the Ethernet frame, protocol
The packet bytes window (lower): This is the hexadecimal view of the highlighted
packet.
8. An administrator can then save the packet capture for future reference.
Advantages of Wireshark:
Highly detailed.
Very effective.
Can export reports to popular formats such as CSV, XML and text files.
Disadvantages of Wireshark:
If one does not have moderate knowledge of the composition of packets it will be
difficult to follow.
The filtering of packet communication is somewhat challenging. You must research the
Summary of Wireshark:
Wireshark is an open source network protocol analyzer that can capture data packets in
real time on any active interface. The program then displays each packet for analysis. It runs on
practically all major Operating Systems. Wireshark gives administrators the ability to perform
deep packet inspection by deciphering every detail of the frames down to hexadecimal format.
You can apply filters to segregate the gathered information to look for specifics like source or
destination ports, protocols, IP Addresses, etc. Typically the best place to run Wireshark on a
corporate network is where traffic is broadcast. Hubs are a good source of broadcast traffic,
but these are not widely used any longer. However, switches can be configured to allow
programs like Wireshark to be effective. Wireshark is useful for network troubleshooting and
monitoring for potentially unencrypted sensitive data being transmitted across the network.
If you have been charged with the security of sensitive data on the network, Wireshark is an
essential tool. The program is very effective at what it was designed to do and is relatively easy
to use once you conduct enough research about composition of packets and applying filters.
SuperScan v4.0
______________
SuperScan v4.0:
______________
SuperScan is a single executable utility that will scan for any open ports on a system. The
utility is approximately 203 KB in size. It is intended for the Windows 2000 and Windows XP
Operating Systems. In order to run the application, the user needs administrative access to the
computer. SuperScan allows administrators to scan the network and systems for any open port
that might create a security hazard. For example, if users inadvertently enable FTP on their
“Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and
many other network scanning tools. Some functionality can be restored by running the following
IP address import supporting ranges and CIDR formats
Host and Service Discovery: Defines the UDP and TCP port ranges to scan for.
Scan Options: Define other scan properties.
Tools: This tab has various tools such as ping, whois, and traceroute.
Windows Enumeration: Will scan for certain Windows resources.
Steps to run SuperScan:
1. Launch the SuperScan program by double clicking “SuperScan4.exe”. The default Host
and Service Discovery along with Scan Options is fine, but is customizable. Input the
2. When the scan completes it will display the results of the scan test in the lower window:
You can also click the “View HTML Results” to view a report in your web browser:
3. In addition you can run useful commands like ping, traceroute and hostname lookup:
4. Lastly, SuperScan can enumerate certain Windows characteristics:
Advantages of SuperScan:
Easy to use.
Disadvantages of SuperScan:
Summary of SuperScan:
The program is very small in size and effective for what it needs to do. The main feature of
SuperScan is to scan a given IP address range for open ports. It displays these reports in the
bottom window or as an HTML report. Additional capabilities are commands such as ping,
traceroute, whois, and hostname lookup. The program seems a little dated but if you are looking
for an easy and quick port scanning utility, SuperScan is an effective option.
NEWT Professional
_____________________
by Komodo Laboratories. There is both a professional and freeware version. The file size is
Freeware: http://www.komodolabs.com/newtfree.shtml
NEWT is a powerful tool that will allow administrators to gather detailed information
about systems running on the network. It can gather hardware and inventory information
remotely without users being impacted. The data is gathered and displayed in an Excel-like view.
NEWT allows for export of the data to a Microsoft Access database, HTML, CSV or text files.
NEWT runs on the following Operating Systems:
Windows NT4.0
Windows 2000
Windows XP
Windows Vista
Windows 7
The program uses a lightweight client that is automatically deployed to clients during the
scan. This allows for faster initial and subsequent scans. The client will automatically
remove itself without user intervention after a defined amount of time. NEWT will also scan the
administrators are scanning across multiple domains, there is an unlimited credential manager to
There are two modes in which to scan with NEWT, Discover Only or Full Scan. For a
quick scan of devices and IP addresses simply choose “Discover Only”. This performs a less
invasive scan and returns a simple list of devices in a given IP address range:
NEWT Professional (or free version) is an incredibly powerful network discovery tool that is
Steps to run NEWT Professional:
1. When you launch NEWT you will need to configure the credentials to use when scanning
the network if you are scanning across multiple domains. If you are scanning a single
credentials will be passed. To access the “Credentials Manager” click on “Tools” menu:
2. Next you will want to set the scan properties. Typically one would leave the default and
3. Next you need to define the IP address range of the systems you wish to discover and
inventory. Open the scan window by clicking on “Tools” and then “Scanning”:
4. Depending on your objective, whether you just want a quick list of devices present or a
detailed inventory of each device, launch the appropriate scan by clicking either
“Discover Only” for the quick list or “Scan” for the highly detailed scan:
6. After a short time you will see the scan job complete:
7. You can then double click on the scanned computers and see detailed information
8. After reviewing the content you can then export all the data into a Microsoft Access
Advantages of NEWT Professional:
Easy to use.
Summary of NEWT Professional:
developed by Komodo Laboratories. With a few clicks an administrator can have a complete
network and system inventory across domains and spanning multiple subnets. The program is
highly customizable for what features to scan for. If you need a quick scan of
devices there is an option to “Discover Only” to avoid the intrusive scanning and just display a
list of devices and their IP addresses. Selecting the “Scan” option will completely scan for all
selected options and display the results in an Excel-like format. Double clicking on the scanned
devices will open a window with all of the discovered information about the device. An
administrator can then export this data to a Microsoft Access database for future reference or
export it to CSV for Excel. This tool is not difficult to use, is not network intensive and is run
completely without disturbing users on the scanned systems. Any client side software is
deployed silently and removed after a defined period of time. This utility is one of my personal
favorites and is used almost daily. It is an essential tool for any network or security professional.
v2.8.6.1
_____________
Snort v2.8.6.1:
_____________
Snort is an open source network Intrusion Detection and Prevention System. It was
primarily designed to run on Linux but can also run on Windows. The program was
originally created by Martin Roesch in 1998 but is now maintained by his company SourceFire,
which has since been acquired by Checkpoint. Still, the program remains free and is a great
starter IDS. The program integrates nicely with Linux, MySQL and Apache, making
Snort a completely free implementation. The actual install file of Snort for Windows is
approximately 3 MB in size. The Snort rules database that you must also download is
For detailed instructions on how to get Snort to run on Windows you can read the instructions
here: http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf
reviewed in this document. Some of the considerations you must be aware of are:
The Rules database needs to be downloaded and applied to the installation directory of
Snort. In order to download the Rules database, you must be a registered user.
You must change some of the parameter configurations within the “snort.conf” file. This
You are better off leaving the default installation directory of C:\Snort.
Snort gives administrators an effective free product to monitor network traffic and
log that information to a database or file. In its simplest form, Snort can be a packet sniffer and
Steps to run Snort:
This example will start from the point after initial installation and configuration which
includes downloading and applying the rule sets. For more information on this process please
http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf
1. In its simplest form, Snort can act as a packet sniffer. Open a command prompt and
2. Next type the command “snort -W” and hit enter to receive this output and reference
3. Type in the command “snort” and hit enter to review some of the command line options:
Familiarize yourself with the usage parameters of Snort. There are many command line
4. To execute Snort in sniffer mode simply type the command “snort -dev -i 1” where the
number is the associated interface that was determined above. You will see data packets
being monitored:
5. When you are finished monitoring simply hit “ctrl+c” to break the monitoring and
As you can see on the interface being monitored, some TCP, UDP, and ARP traffic was
sniffed.
6. Next run Snort in Intrusion Detection Mode, log the detection and view the output. Run
use the downloaded rule set, read the configuration file and log any attacks to the log
folder location. You know Snort is fully initialized when you see this screen:
7. Ping is considered an intrusion because of the lack of security of the protocol. Issue a
8. After the ping attack, hit “ctrl+c” to break the detection. You will notice that Snort
detected intrusions and logged that information. The logged information will be placed in
9. View the “alerts.ids” file for detailed information on the attack:
You can see that the ping attack was recognized by Snort and logged. This gives
administrators the power to know what is happening on the network and archive this information
to a database for future reference. It also alerts them to network vulnerabilities and appropriate
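As an added example, not from the original paper or the Snort project, the following Python parses Snort fast-format alert lines like the ones written to the alert file in step 9, counts which signatures fired, filters by priority, and picks out a source whose pings touched several hosts (one test ping is noise; a sweep is worth a look). The alert lines are constructed samples; the "ICMP PING" signature id 384 assumes the stock Snort rule numbering.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of Snort "alert fast" lines, in the layout Snort writes to its alert file.
# The first four mirror the tutorial's ping test; the last line is deliberate noise to be skipped.
SAMPLE_ALERTS = """\
06/11-14:02:33.101200  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.50 -> 10.0.1.121
06/11-14:02:33.101900  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.121 -> 10.0.1.50
06/11-14:02:34.220000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.50 -> 10.0.1.122
06/11-14:02:35.330000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.50 -> 10.0.1.123
06/11-14:03:01.000000  [**] [1:1000001:1] LOCAL cleartext FTP login [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.1.77:51022 -> 10.0.1.121:21
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int          # Snort priorities: 1 is most severe, larger numbers are less severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert_line(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"],
        dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        a = parse_alert_line(line)
        if a is not None:
            alerts.append(a)
    return alerts


def count_by_signature(alerts: List[Alert]) -> Counter:
    """How often each (sid, message) fired: the first thing to look at in a fresh alert file."""
    return Counter((a.sid, a.msg) for a in alerts)


def at_or_above_priority(alerts: List[Alert], worst_allowed: int) -> List[Alert]:
    """Alerts whose priority number is <= worst_allowed, i.e. at least that severe."""
    return [a for a in alerts if a.priority <= worst_allowed]


def ping_sweep_sources(alerts: List[Alert], min_targets: int = 3) -> Dict[str, List[str]]:
    """Sources whose ICMP PING alerts touched at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for a in alerts:
        if a.proto == "ICMP" and a.msg.upper().startswith("ICMP PING"):
            targets[a.src].add(a.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in count_by_signature(parsed).most_common():
        print(f"sid {sid:>8}  x{n:<3} {msg}")
    print("possible ping sweeps:", ping_sweep_sources(parsed))
    print("priority 2 or worse:", [a.msg for a in at_or_above_priority(parsed, 2)])
```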
Advantages of Snort:
It is the most robust and popular open source IDS platform so a lot of technical
Integrates nicely with MySQL and Apache for archiving purposes and future reference.
Disadvantages of Snort:
The program is highly customizable and scalable but is difficult to configure and use.
One must fully research and read carefully the installation and configuration
documentation.
You must update the rule set in order for Snort to be effective.
Snort relies on the rule set. So any traffic that is not defined within the rules is considered
an attack even though it might actually be common place in the network itself. Further
The free distribution of Snort rules is 30 days old. For up-to-date rules you have to
Summary of Snort:
Snort is an incredibly useful open source Intrusion Detection and Prevention System
(IDS) from SourceFire. The program is free and relatively small in size. It integrates nicely with
MySQL and Apache for complete logging capabilities for future reference. This makes Snort the
most robust and completely free IDS available. The installation and configuration is a
little daunting, but once you have correctly configured Snort, it will be very effective in
monitoring all the traffic on a specified interface. Sign up for the commercial rules subscription
for a fee and have the ability to download and apply the entire newest rule sets to guard against
zero-day attacks as much as possible. Snort was mainly designed to run on Linux but can also
run on Windows servers or workstations. It is a DOS based product so familiarize yourself with
the command line usage. Snort is very lightweight so it is not resource intensive. For an
v4.9.36
__________________
Cain & Abel is described as a password recovery tool for Windows. In reality the use of
this program goes much further. The program is open source and is developed and
distributed for free by OXID.IT, or specifically Massimiliano Montoro. The program is relatively
The program has been developed to add to the ability of network administrators or other
security professionals to better secure systems and networks. Cain is designed to:
Cain is able to crack a host of different hashes from MD2 to MD5, 3DES, RADIUS, NTLM,
and many more. In order for Cain to be effective, you must download what are called Rainbow
Tables. Rainbow tables reduce the effort of brute-force cracking a single password by
providing a large pre-generated data set of hashes from nearly every possible password. Rainbow
tables are very large. Some free tables can be downloaded from here:
http://ophcrack.sourceforge.net/tables.php
In this demonstration I will use Cain to sniff the network for hosts and monitor those
hosts for any passwords. If passwords need to be cracked, a brute-force dictionary attack will be
performed.
2. Click on the “Sniffer” tab. Activate the sniffer by clicking on the “Start/Stop Sniffer”
circuit board icon. Right click anywhere in the lower window and choose “Scan MAC
Addresses”:
4. You will see a list of hosts on the network that was generated:
6. Click on the “+” symbol and add your router’s IP address and all the right side MACs:
8. You will notice that Cain is actively sniffing the network:
9. I executed a couple of functions that would allow Cain to pick up on sensitive traffic.
Stop the sniffing process by clicking again on the “Start/Stop ARP” icon:
10. On the sniffer tab click on the “Passwords” tab at the bottom:
11. Notice that Cain picked up an FTP session and a password for Facebook:
FTP (port 21) is sent in clear text, so Cain displayed the full characters:
12. If you wanted to crack the Facebook password you can right click the line item and click
“Send to Cracker”:
13. Run the hash against a Rainbow Table or launch a brute force dictionary attack. This
process can take days depending on the length of the password. This tool is very effective
for administrators to monitor the network for insecure protocols and passwords being sent
in clear text. In addition, Cain can scan wireless networks for SSID information along
with the encryption details to be executed against Rainbow Tables or other dictionaries.
Cain includes other useful tools like traceroute, being able to run queries against multiple
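Both the Wireshark steps earlier (FTP, SMTP and POP sent in clear text) and the Cain steps above (an FTP password shown in full) come down to the same audit question: which logins on this network cross the wire readable? As an added example, not part of the original paper or of either tool, the Python below inspects reassembled client-to-server payloads (constructed samples here) for clear-text logins on those ports and reports them with the password masked; SMTPS on port 465 is skipped because its payload is TLS and carries nothing readable.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports whose protocols carry logins in clear text. 465, 993 and 995 are
# deliberately absent: their payload is TLS, so there is nothing to read.
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}


@dataclass
class Segment:
    """Client-to-server payload of one TCP stream (reassembled; constructed for this example)."""
    client: str
    server: str
    dport: int
    payload: bytes


USER_RE = re.compile(rb"^USER\s+(\S+)", re.M | re.I)            # FTP and POP3
PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.M | re.I)            # FTP and POP3
IMAP_LOGIN_RE = re.compile(rb"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.M | re.I)
AUTH_PLAIN_RE = re.compile(rb"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.M | re.I)


def redact(secret: str) -> str:
    """Keep only the first character so a report proves exposure without re-exposing the secret."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def _decode(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")


def extract_login(proto: str, payload: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (username, password) found in clear text, or (None, None)."""
    if proto in ("FTP", "POP3"):
        u, p = USER_RE.search(payload), PASS_RE.search(payload)
        return (_decode(u.group(1)) if u else None, _decode(p.group(1)) if p else None)
    if proto == "IMAP":
        m = IMAP_LOGIN_RE.search(payload)
        return (_decode(m.group(1)), _decode(m.group(2))) if m else (None, None)
    if proto == "SMTP":
        m = AUTH_PLAIN_RE.search(payload)
        if m:
            try:
                # SASL PLAIN is base64 of: [authzid] NUL authcid NUL password
                parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
                if len(parts) == 3:
                    return _decode(parts[1]), _decode(parts[2])
            except (binascii.Error, ValueError):
                pass   # malformed base64: not a usable login, report nothing
    return None, None


def find_cleartext_credentials(segments: List[Segment]) -> List[Dict[str, Optional[str]]]:
    findings = []
    for seg in segments:
        proto = CLEARTEXT_PORTS.get(seg.dport)
        if proto is None:
            continue   # encrypted or unknown service: nothing readable to report
        user, password = extract_login(proto, seg.payload)
        if user is None and password is None:
            continue
        findings.append({
            "protocol": proto, "client": seg.client, "server": seg.server,
            "username": user, "password": redact(password) if password else None,
        })
    return findings


# Constructed sample streams: three clear-text logins plus one TLS stream on 465.
SAMPLE_SEGMENTS = [
    Segment("10.0.1.77", "10.0.1.121", 21, b"USER alice\r\nPASS s3cret\r\nPWD\r\n"),
    Segment("10.0.1.78", "10.0.1.121", 110, b"USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
    Segment("10.0.1.79", "10.0.1.121", 25,
            b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0pw123") + b"\r\n"),
    # first bytes of a TLS ClientHello: opaque, so this stream produces no finding
    Segment("10.0.1.80", "10.0.1.121", 465, bytes.fromhex("16030100a5010000a10303")),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_SEGMENTS):
        print(f"{f['protocol']:<5} {f['client']} -> {f['server']}: "
              f"user={f['username']} pass={f['password']}")
```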
Advantages of Cain & Abel:
Allows for sniffing the network for vulnerable protocols and passwords.
Provides other useful tools like traceroute and scanning wireless networks.
Disadvantages of Cain & Abel:
In order for the program to be really efficient at recovering passwords, Rainbow Tables
Can slow network performance as typically you are targeting a central device such as a
router.
Summary of Cain & Abel:
Cain and Abel was designed to be an effective password recovery tool but has expanded
Montoro. Cain is capable of sniffing the network for vulnerable protocols and displaying
passwords in hash format or clear text. You can then run those against a brute force dictionary or
Rainbow Table. Cain can crack hashes from MD2 to MD5, 3DES, RADIUS, NTLM, and many
more. The program also includes the ability to record VoIP communication, perform functions
like traceroute, and scan for detailed information on wireless networks. Administrators can take
advantage of Cain’s many utilities for deep inspection into the network traffic. Once vulnerable
traffic is identified, corrective resolutions can be put in place. Cain & Abel is a very effective
free tool that should be part of any computer forensic or network security professional's toolkit.
v1.1.1
___________
Netcat 1.1.1:
___________
Netcat is a utility that is primarily used as a scanning tool but can also be used as a
banner grabbing tool, a Trojan, a port redirector, a port listener or some form of back door. The
utility is used to read and write data across TCP and UDP networks. It is a great utility for
debugging network problems and as an exploration tool but can just as easily be used for
Featured tunneling mode which allows also special tunneling such as UDP to TCP, with
Advanced usage options, such as buffered send-mode (one line every N seconds), and
The utility was originally developed by “Hobbit” in 1996. There have since been others who
have contributed code to the Netcat program. This utility was also intended for the UNIX
environment but a Windows equivalent has also been compiled. Other comparable utilities are
Ncat and Nmap. The utility is very small in size and can be downloaded here:
It seems that most virus scan programs detect Netcat as a potential virus. Specifically, the
computer on which this file was extracted is using McAfee Anti-Virus and was detected as a
Steps to run Netcat:
1. Netcat is run from the command line. Once you have downloaded the program and
extracted the contents, open a command prompt and navigate to the appropriate directory
location. The first command to run is “nc -h” which will display the help information on
2. Once you have a firm comprehension of the commands we can run Netcat in its most
simple of forms, the network scan. To run a port scan type in the following command:
This command will scan the particular IP address in the 1 to 140 port range. You can
specify the necessary port range as the above is only an example. Refer to the help listing
as to what command line switches are needed. Netcat can also be used as a banner
grabbing utility.
3. The term banner grabbing simply means returning the application version information
from the target. To run Netcat to acquire service information, run the following
command(s):
nc -v -n 10.0.1.121 25 (SMTP)
nc -v -n 10.0.1.121 21 (FTP)
nc -v -n 10.0.1.121 80 (HTTP)
GET http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
4. Netcat is useful as a back door as it can be run to listen on a specific port. Some versions
of IIS have known vulnerabilities that allow remote connections to upload files. One file
can be Netcat. Once Netcat has been uploaded, send the command to create a back door.
In this case we start Netcat listening on a specific port. You can then establish a telnet
session to it:
In addition to the above, Netcat can provide advanced proxy services, transfer files,
enable listening ports along with a host of other features. It is best to become familiar with all the
command line switches provided in the help menu. There are also plenty of online tutorial
Advantages of Netcat:
The utility has the ability to scan individual systems from remote locations.
Has the ability to act as a process server, such as listening on a defined port.
Disadvantages of Netcat:
Summary of Netcat:
Netcat is a program for reading from and writing to network connections using TCP or
UDP. It is a feature-rich network debugging and investigation tool that can be used as a back
door, banner grabber or port scanner, among various other abilities. Netcat is designed to be a
reliable back-end tool that can be used via the command line or bundled with other programs or
scripts. Netcat is often referred to as the “Swiss-army knife for TCP/IP” given its feature set and
being so small in size. The tests performed with Netcat yielded positive results. The program
does exactly as it is intended. The use of the help menu allows for easy understanding of the
various command line switches. There are also plenty of online tutorials for the utility as well.
The tool is not processor intensive and is highly customizable. Overall, Netcat is an impressive
v2.1.1.1387
__________________
inSSIDer 2.1.1.1387:
__________________
The utility inSSIDer is an open source wireless network scanner for Windows from
MetaGeek, LLC. This product review was originally going to cover NetStumbler, but it was quickly
realized that that utility was incompatible with newer operating systems. This is precisely why
MetaGeek developed inSSIDer, as a Wi-Fi network scanner designed for the current generation
of the Windows operating system. The inSSIDer utility is compatible with Windows 2000
through the Windows 7 operating system, Mac and Linux. With the inSSIDer utility you can:
Export Wi-Fi and GPS data to a KML file in Google Earth. The inSSIDer utility is
The Windows MSI installer file is small at 1.8 MB and can be downloaded
(MetaGeek, 2012). The utility does require the installation of the Microsoft .NET
Framework version 2.0, a wireless network adapter and a GPS solution if you wish to use that
feature. It is best to ensure the newest version of .NET with all service packs has been applied to
the workstation prior to installing inSSIDer. The installation is easy but does require
administrative privileges on the workstation. The installation will automatically detect the
Steps to run inSSIDer:
1. After installing inSSIDer, simply launch the program. The utility will begin scanning the
area for any wireless access points. The main full screen is shown in the following screen
shot:
3. The scan process is ongoing. As the utility picks up more wireless networks, they will be
listed. The main area displays all the necessary information on the wireless networks
Notice that there is one completely open wireless network with an SSID of TRENDnet.
This suggests to me that the individual simply purchased a wireless router and plugged it
in. It likely still has the default username and password of “admin”, with which anyone
could log into the interface of the wireless router. In addition, there are multiple
“Westell” wireless devices being discovered. They are most certainly Verizon DSL
routers. The WEP encryption is easily broken. All of these access points are susceptible
to hackers. It is always best to disable the radio altogether on any ISP-issued consumer
grade devices. Specifically, these routers should be placed into bridge mode where they
simply pass packets. I could go into detail but it is outside the scope of this document.
Lastly, for testing purposes, I enabled the SSID broadcast of one of the wireless devices
4. There are also useful tabs within the main interface of inSSIDer. These include the Time
Graph, the 2.4 and 5 GHz channels and GPS if you have that feature activated:
There are no 5 GHz channels in range (mine are disabled) and the GPS feature is
wireless networks. All of this information is very useful for hackers and war drivers.
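As an added example (not part of this report and not inSSIDer's code), the following Python script applies the reasoning of steps 3 and 4 to a constructed scan table: it flags open and WEP networks and SSIDs left at the vendor name, the warning signs called out above. The row layout and the vendor and SSID values are assumptions made for the example.

```python
# Added example, not part of this report or of inSSIDer: rate access points
# from a scan table the way the walkthrough above reasons about them.

# Constructed rows in the shape inSSIDer displays (SSID, vendor, channel,
# security). All values are made up; the "Open" TRENDnet and WEP Westell rows
# mirror the observations in step 3.
SAMPLE_SCAN = [
    {"ssid": "TRENDnet", "vendor": "TRENDnet", "channel": 6, "security": "Open"},
    {"ssid": "Westell_1A2B", "vendor": "Westell", "channel": 1, "security": "WEP"},
    {"ssid": "HomeNet", "vendor": "Cisco", "channel": 11, "security": "WPA2-Personal"},
    {"ssid": "", "vendor": "Netgear", "channel": 6, "security": "WPA-Personal"},
]

def assess_ap(ap):
    """Return (risk_level, reasons) for one access point record."""
    reasons = []
    sec = ap["security"].upper()
    if sec == "OPEN":
        reasons.append("no encryption: anyone in range can join and read traffic")
    elif sec.startswith("WEP"):
        reasons.append("WEP: broken cipher, treat as unencrypted")
    elif sec.startswith("WPA-"):
        reasons.append("WPA/TKIP: deprecated, move to WPA2")
    # An SSID identical to the vendor name is the factory default, which suggests
    # the admin password was never changed either (the TRENDnet case above).
    if ap["ssid"].strip().lower() == ap["vendor"].lower():
        reasons.append("default SSID: likely factory settings, verify admin password")
    if not ap["ssid"].strip():
        reasons.append("hidden SSID: still listed by scanners, not a protection")
    serious = any(r.startswith(("no encryption", "WEP")) for r in reasons)
    level = "HIGH" if serious else ("MEDIUM" if reasons else "LOW")
    return level, reasons

def audit(scan):
    """List (ssid, level, reasons) for every AP, highest risk first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = [(ap["ssid"] or "<hidden>", *assess_ap(ap)) for ap in scan]
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for ssid, level, reasons in audit(SAMPLE_SCAN):
        print(f"{level:6} {ssid:13} {'; '.join(reasons) or 'ok'}")
```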
Advantages of inSSIDer:
Displays all of the necessary information on wireless access points even if the SSID is not
broadcasting.
Includes a GPS feature which can be used in conjunction with Google Maps.
Disadvantages of inSSIDer:
There are no disadvantages to inSSIDer if you are a Windows, Mac or Linux user.
Summary of inSSIDer:
The inSSIDer utility is an open source wireless network scanner developed by the
MetaGeek team. It was built as a replacement to NetStumbler to support the newest operating
systems. With inSSIDer you can gain insight into any wireless network within range including
MAC address, SSID, signal strength, the hardware vendor, channel information and encryption
type. The software is small in size and was an easy installation. The added feature of GPS and
Google Maps integration is definitely a bonus. The utility is not processor intensive and provides
an intuitive GUI. The information provided by the main interface of inSSIDer is very useful for
hackers and war drivers. This utility accomplishes exactly what it is supposed to.
v3.9.5
______________
WinDump 3.9.5:
______________
The utility WinDump is the Windows equivalent to tcpdump for Linux and UNIX
systems. WinDump runs under all versions of Windows. WinDump is free and is released under
a BSD-style license. WinDump captures packets using the WinPcap library and its drivers.
The WinPcap suite is freely available from the WinPcap.org website. The utility also supports
802.11b/g wireless capture through the Riverbed AirPcap adapter. This is a hardware device
available for purchase. There is no installation package for WinDump. The executable that is
downloaded is the entire package. You simply supply commands to the executable to run packet
http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe (Riverbed
Technology, 2011).
*NOTE*
The usage of PowerShell in association with WinDump can make viewing the packet
capture a little easier. In the tutorial to follow, the use of a PowerShell script allows for color
coding for easier viewing. The script can be downloaded from the following Windows Security
highlighting/ (Fossen, 2009). Also note that PowerShell 2.0 or later will be
needed.
Steps to run WinDump:
1. The first step is ensuring the prerequisites for WinDump have been installed, such as
PowerShell. Next, run the command to display the help menu to become familiar with the
windump -help
2. Verify which network interface WinDump is to run the packet capture on. The command
is:
windump -D
In this case the only adapter present is the VMware virtual adapter from the image in
3. The usage of the PowerShell script comes into play when establishing a packet capture.
To run a simple packet capture, execute the script by typing “sniff.ps1” into the
PowerShell interface:
4. To provide greater detail on the packet capture, pass additional parameters to the
PowerShell script. In the following command, additional detail is given and additional
5. WinDump also has the capability to capture packets on a remote host. To accomplish this
simply pass additional parameters to include the hostname or IP address of the remote
host:
In the above example, you can see that the remote host had established a connection to
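The sniff.ps1 script referenced in the note above is not reproduced here; as an added example of the same idea (not the script's code), this Python sketch parses the text that "windump -n" prints, colors each line by protocol family, and lists which peers a given host exchanged packets with, the question step 5 answers by eye. The sample capture lines are constructed in the tcpdump 3.9-era format and all addresses are made up.

```python
# Added example, not the sniff.ps1 script the report uses: parse "windump -n"
# text output to color it by protocol and to list a host's peers (step 5).
import re
# Constructed lines in the shape WinDump/tcpdump 3.9 prints with -n (made up).
SAMPLE_OUTPUT = """\
12:01:02.100000 IP 10.0.1.121.1034 > 10.0.1.5.80: S 100:100(0) win 65535
12:01:03.000000 IP 10.0.1.121.137 > 10.0.1.255.137: UDP, length 50
12:01:04.000000 IP 10.0.1.121 > 10.0.1.5: ICMP echo request, id 1, seq 1, length 40
12:01:05.000000 arp who-has 10.0.1.5 tell 10.0.1.121
"""

# ANSI colors per protocol family (WinDump itself prints plain text).
COLORS = {"TCP": "\033[32m", "UDP": "\033[34m", "ICMP": "\033[33m",
          "ARP": "\033[35m", "OTHER": ""}
RESET = "\033[0m"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>IP|arp) (?P<rest>.*)$")
ENDPOINT_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+?):? ")

def classify(line):
    """Protocol family of one output line: TCP, UDP, ICMP, ARP or OTHER."""
    m = LINE_RE.match(line)
    if not m:
        return "OTHER"
    if m.group("proto") == "arp":
        return "ARP"
    for key in ("ICMP", "UDP"):
        if key in m.group("rest"):
            return key
    return "TCP"  # tcpdump shows TCP as flags/seq numbers, no keyword

def endpoints(line):
    """(src, dst) as printed, e.g. ('10.0.1.121.1034', '10.0.1.5.80'), or None."""
    m = LINE_RE.match(line)
    if not m or m.group("proto") != "IP":
        return None
    e = ENDPOINT_RE.match(m.group("rest"))
    return (e.group("src"), e.group("dst")) if e else None

def colorize(line):
    return f"{COLORS[classify(line)]}{line}{RESET}"

def peers_of(text, host):
    """Sorted endpoints that exchanged IP packets with host (with -n, port follows IP)."""
    def is_host(ep):
        return ep == host or ep.startswith(host + ".")
    peers = set()
    for src, dst in filter(None, map(endpoints, text.splitlines())):
        if is_host(src):
            peers.add(dst)
        elif is_host(dst):
            peers.add(src)
    return sorted(peers)
```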
Advantages of WinDump:
Disadvantages of WinDump:
Running WinDump from the native command line is a bit hard to read. The use of the
Summary of WinDump:
WinDump is the Windows replacement for the Linux version of tcpdump. The program is
free and small in size since it is a self-contained executable. The only regrettable part is that the
utility requires prerequisites such as WinPcap or PowerShell. This is not a deal breaker though.
The utility is powerful enough to warrant a little preparation work. With the incorporation of the
PowerShell script, the output is a little easier to read. There are plenty of command line switches
to pass to the utility making it customizable for what is intended to be captured. The utility can
capture remote packets or those passing on the local computer. The program is small in size,
portable with a bit of work and not processor intensive. Overall, WinDump does what it is
Project Summary:
(McAfee) SuperScan, NEWT Professional, Snort, Cain & Abel, Netcat, inSSIDer, and
WinDump. The objective of this document was to review in detail all of the referenced programs
and in doing so learn the importance of computer security and have more insight as to system
and network vulnerabilities. Some of these tools I knew about but have never used. This
assignment gave me the opportunity to explore deeper into the realm of system and network
security. As a Senior level Engineer, I now have the knowledge to better secure the systems and
networks that have been placed under my supervision. Most of these tools I will continue to use.
Each of these programs was useful in their own right. I have read about Snort in the past
plenty of times and have implemented solutions using it on occasion. Having chosen to include
Snort in this project, I had the opportunity to explore its uses and ultimately recognized
how powerful this program is. Snort is an open source solution which automatically makes it
appealing, but more so is the fact of how robust and efficient the program really is. In addition,
Snort can integrate with other open source programs such as MySQL and Apache making it a
complete open source IDS implementation. There are also bundled Snort appliances such as
Snorby and Smooth-Sec. For these reasons I have chosen Snort as my favorite utility out of the
reviewed programs.
LanTricks LanSpy is a simple utility for scanning remote systems and generating a list
of specifics about the system such as open ports, shared resources, users and groups and running
processes. This product was not as good as I thought it would be but is still a good utility for a
quick scan of remote systems. The superior scan utilities are Wireshark, NEWT and WinDump
Foundstone SuperScan is a dated product. Some of the features of Windows XP make
SuperScan less effective. For newer Operating Systems that fact is even more so. There are other
products on the market that accomplish the same tasks that are open source and still relevant for
the current technology. For this reason I have chosen SuperScan to be the least favorite and
effective.
Overall, I was pleased with each of the products reviewed. The Nessus program was
probably the most processor intensive, but that only lasts for the duration of the scan. I have been
aware of all of these products and use them on a semi-regular basis. I would recommend any user or
Future Implications:
Systems and Network Engineers have the responsibility to keep data safe and securely
transmitted so that this data is not stolen or compromised. Every computer user across the planet
should also share this responsibility. Security-centric tools in general can be used to thwart
malicious individuals' intentions of stealing data or identities and thus create a more secure
In order to be successful in securing data and communication, the correct tools need to be
in place. The tools reviewed in this document are a good place to start. The future of security
tools needs to focus on hardening all communication. That is, encrypting all data and
communication across the entire public and private network infrastructure. This might seem like
a monumental task and will likely never be achieved. However, every little bit helps.
For securing corporate networks and systems, administrators should have proper
IPS/IDS, firewalls, and conduct regular audits of data packets across the network looking for
potential vulnerabilities. One tool reviewed in this document, Snort, is a fine example of what
needs to be deployed on any company network scanning packets for potential security threats.
Other tools reviewed, such as Wireshark, Nessus, and WinDump, can also aid in auditing
network communications. The Nessus vulnerability scanner gives insight to system holes that
patches. The point is, there are a ton of resources readily accessible on the Internet for securing
the infrastructure whether it is the utilities such as those reviewed in this document or the
Let’s also not forget about IT policies. For proper security to be truly effective, especially
in the corporate environment, you need to have well written and highly detailed IT security
policies. Make it mandatory to conduct security audits and to relay to employees the proper use
of systems, email, Internet and the data that they interact with.
Security audits and tools in general will only get better. As we gain experience and
knowledge, IT professionals will no doubt build upon those experiences and design even more
highly efficient security programs and auditing utilities. The ultimate goal is to have a
completely secure public and private infrastructure. Hopefully with hard work, research and
ingenuity, IT professionals will continue forward with great ideas and security implementations.
End Note References:
Fossen, J. (2009, October 22). WinDump Color Highlighting PowerShell Script. Retrieved
security/2009/10/22/windump-color-highlighting
Hobbit. (2004, December 27). Netcat. Retrieved May 26, 2012, from JonCraton.org:
http://joncraton.org/files/nc111nt.zip
Komodolabs.com: http://www.komodolabs.com/newtpro_download.shtml
http://lantricks.com/lanspy/
http://www.foundstone.com/us/resources/proddesc/superscan.htm
MetaGeek. (2012, February). inSSIDer. Retrieved May 27, 2012, from MetaGeek.net:
http://files.metageek.net/downloads/inSSIDer-Installer-2.1.1.13.msi
Montoro, M. (2010). Cain & Abel. Retrieved May 19, 2012, from Oxid.it:
http://www.oxid.it/cain.html
http://www.snort.org/snort-downloads
http://www.nessus.org/download/
http://www.wireshark.org/download.html
Riverbed Technology. (2011, December 6). WinDump. Retrieved May 27, 2012, from
WinPcap.org:
http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe