"A scanner is a program that automatically detects security weaknesses in a remote or localhost.". Scanners are important to Internet security because they reveal weaknesses in the network.
System
administrators can strengthen the security of networks by scanning
their own networks. The primary attributes of a scanner should be:
- The capability to find a machine or network.
- The capability to find out what services are being run on the host ( once having found the machine).
- The capability to test those services for known holes.
There are
various tools available for Linux system scanning and intrusion
detection. I will explain some of the very famous tools available. I
have divided the scanners into three categories: Host Scanners, Network
Scanners, and Intrusion Scanners.
Host Scanners
Host scanners are software you run locally on the system to probe for problems.
Cops
COPS is a collection of security tools that are designed
specifically to aid the typical UNIX systems administrator, programmer,
operator, or consultant in the oft neglected area of computer security.
COPS is available at: http://www.fish.com/cops
Tiger
Tiger is a UNIX Security Checker. Tiger is a package consisting of
Bourne Shell scripts, C code and data files which is used for checking
for security problems on a UNIX system. It scans system configuration
files, file systems, and user configuration files for possible security
problems and reports them. You can get it from: http://www.giga.or.at/pub/hacker/unix
check.pl
Check.pl a perl script that looks through your entire filesystem,
(or just the directory you tell it to) for suid, sgid, sticky, and
writeable files. You should run it as a regular user maybe once a week
to check for permission problems. It will output a list of questionable
files to stdout which you can redirect wherever. It's available at: http://opop.nols.com/proggie.html.
Network Scanners
Network scanners are run from
a host and pound away on other machines, looking for open services. If
you can find them, chances are an attacker can too. These are generally
very useful for ensuring your firewall works.
NSS (Network Security Scanner)
NSS is a perl script that scans either individual remote hosts or
entire subnets of hosts for various simple network security problems.
It is extremely fast. Routine checks that it can perform include the
following:
- sendmail
- Anon FTP
- NFS Exports
- TFTP
- Hosts.equiv
- Xhost
NSS can be found at: http://www.giga.or.at/pub/hacker/UNIX
SATAN (Security Administrator's Tool for Analyzing Networks)
SATAN is an automated network vulnerability search and report tool
that provides an excellent framework for expansion.Satan scans remote
hosts for most known holes:
- FTPD vulnerabilities and writable FTP directories
- NFS vulnerabilities
- NIS vulnerabilities
- RSH vulnerability
- sendmail
- X
server vulnerabilities SATAN performs these probes automatically and
provides this information in an extremely easy to use package.
You can obtain SATAN from: http://www.fish.com/satan/
Network Scanners (cont.)
Strobe
Strobe is Super optimised TCP port surveyor. It is a
network/security tool that locates and describes all listening tcp
ports on a (remote) host or on many hosts in a bandwidth utilisation
maximising, and pro- cess resource minimising manner. It is simple to
use and very fast, but doesn't have any of the features newer port
scanners have.
Strobe is available at: ftp://suburbia.net/pub/.
Nmap
Nmap is a newer and much more fully-featured host scanning tool. Specifically, nmap supports:
- Vanilla TCP connect() scanning
- TCP SYN (half open) scanning
- TCP FIN, Xmas, or NULL (stealth) scanning
- TCP ftp proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP
scanning (ping-sweep) TCP Ping scanning Direct (non portmapper) RPC
scanning Remote OS Identification by TCP/IP Fingerprinting, and
Reverse-ident scanning.
Nmap is available at: http://www.insecure.org/nmap/index.html.
Network Superscanner
http://members.tripod.de/linux_progz/
Portscanner
PortScanner is a Network Utility especially designed to "scan" for
listening TCP ports. It uses a simple method to achieve its goal, and
it is extremely compact taking in account all of the options available.
It's opensource and free to use, you can get it at: http://www.ameth.org/~veilleux/portscan.html.
Queso
Queso is a tool to detect what OS a remote host is running with a
pretty good degree of accuracy . Using a variety of valid and invalid
tcp packets to probe the remote host it checks the response against a
list of known responses for various operating systems, and will tell
you which OS the remote end is running. You can get Queso from: http://www.apostols.org/projectz/queso/.
Intrusion Scanners
Intrusion scanners are
software packages that will actually identify vulnerabilities, and in
some cases allow you to actively try and exploit them.
Nessus
Nessus is very fast, reliable and has a modular architecture that
allows you to fit it to your needs.Nessus is one of the best intrusion
scanning tools. It has a client/server architecture, the server
currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are
available for Linux, Windows and there is a Java client. Nessus
supports port scanning, and attacking, based on IP addresses or
host name(s). It can also search through network DNS information and
attack related hosts at your request. Nessus is available from http://www.nessus.org/.
Saint
SAINT is the Security Administrator's Integrated Network Tool.
Saint also uses a client/server architecture, but uses a www interface
instead of a client program. In its simplest mode, it gathers as much
information about remote hosts and networks as possible by examining
such network services as finger, NFS, NIS, ftp and tftp, rexd, statd,
and other services. Saint produces very easy to read and understand
output, with security problems graded by priority (although not
always correctly) and also supports add-in scanning modules making it
very flexible. Saint is available from: http://www.wwdsi.com/saint/.
Cheops
Cheops is useful for detecting a hosts OS and dealing with a large
number of hosts quickly. Cheops is a "network neighborhood" on
steroids, it builds a picture of a domain, or IP block, what hosts are
running and so on. It is extremely useful for preparing an initial scan
as you can locate interesting items (HP printers, Ascend routers, etc)
quickly. Cheops is available at: http://www.marko.net/cheops/.
Ftpcheck / Relaycheck
Ftpcheck and Relaycheck are two simple utilities that scan for ftp
servers and mail servers that allow relaying. These are available from:
http://david.weekly.org/code/.
BASS
BASS is the "Bulk Auditing Security Scanner" allows you to scan the
Internet for a variety of well known exploits. You can get it
from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Firewall Scanners
There are also a number of
programs now that scan firewalls and execute other penetration tests in
order to find out how a firewall is configured.
Firewalk
Firewalking is a tool that employs traceroute-like techniques to
analyze IP packet responses to determine gateway ACL filters and map
networks. Firewalk the tool employs the technique to determine the
filter rules in place on a packet forwarding device. System
administrators should utilize this tool against their systems to
tighten up security. Firewalk is available from: http://www.packetfactory.net/Projects/Firewalk/.
Conclusion
"Security is not a solution,
it's a way of life." System Administrators must continuously scan their
systems for security holes and fix the hole on detection. This will
tighten the security of system and reduce the chance of security
breaches. This process is a continuous process. The security
vulnerabilities will keep on arising and process of fixing the security
holes will never end! After all, "Precaution is better than cure."
This article is Copyright (c) 2000 by Kapil Sharma. This material
may be distributed only subject to the terms and conditions set forth in the
Open Publication License, v1.0 or later (the latest version is presently available
at http://www.opencontent.org/openpub/).
Written by: Kapil Sharma
Email: kapil@linux4biz.net
Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working
on various Linux/Unix systems and Internet Security for more than 2 years. He
is maintaing a web site http://www.linux4biz.net
for providing free as well as commercial support for web, Linux and Unix solutions.]
Only registered users can write comments.
Please login or register. Powered by AkoComment! |
