2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization. Flashcards
Protocol Analyzer
Intrusion detection systems and honeypots deal with monitoring attacker activity and discovering malicious activity on the network or system.
Another common tool you can use to discover suspicious activity is a protocol analyzer, or packet sniffer. A protocol analyzer captures the traffic it can see on the network segment, decodes each packet layer by layer (Ethernet, IP, TCP/UDP, application protocol), and lets you filter for suspicious traffic such as port sweeps or credentials sent in cleartext. (Wireshark, …) Keep in mind that on a switched network the analyzer sees only its own traffic and broadcasts unless it is attached to a mirror (SPAN) port or a network tap, and that for encrypted sessions it can show the endpoints and timing but not the contents.
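Added example, not part of the original flashcards: a minimal protocol analyzer in Python that decodes raw Ethernet/IPv4/TCP frames the way a sniffer's dissectors do and flags two kinds of suspicious traffic, credentials sent as cleartext HTTP Basic authentication and one source SYN-probing many ports on a host. The frames, the addresses and the credential admin:hunter2 are all constructed inside the block (build_frame is this example's own helper and leaves checksums at zero), so it runs offline; a real tool would read the same bytes from a live interface or a pcap file.

```python
"""Minimal protocol analyzer: decodes Ethernet/IPv4/TCP frames and flags
cleartext HTTP Basic credentials and SYN sweeps. Added example; the frames
below are constructed, not captured."""
import base64
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ip_addr(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet II + IPv4 + TCP frame (no options, zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, ip_addr(src_ip), ip_addr(dst_ip))  # proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode(frame):
    """Return the fields a sniffer would display, or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    offset = (tcp[12] >> 4) * 4                   # TCP data offset in bytes
    return {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]), "sport": sport,
            "dport": dport, "flags": tcp[13], "payload": tcp[offset:]}


def analyze(frames, sweep_threshold=5):
    """Flag cleartext Basic credentials and one source SYN-probing many ports."""
    findings = []
    syn_targets = defaultdict(set)
    for f in frames:
        pkt = decode(f)
        if pkt is None:
            continue
        if pkt["flags"] == SYN:                   # bare SYN, no ACK: a probe
            syn_targets[(pkt["src"], pkt["dst"])].add(pkt["dport"])
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                creds = base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace")
                findings.append(f"cleartext credentials {pkt['src']}->{pkt['dst']}:"
                                f"{pkt['dport']} {creds}")
    for (src, dst), ports in syn_targets.items():
        if len(ports) >= sweep_threshold:
            findings.append(f"SYN sweep {src}->{dst} ({len(ports)} ports)")
    return findings


# Constructed sample capture: one HTTP request with Basic auth, then a SYN sweep.
SAMPLE = [build_frame("10.0.0.5", "10.0.0.80", 51000, 80, PSH | ACK,
                      b"GET / HTTP/1.1\r\nHost: x\r\nAuthorization: Basic "
                      + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")]
SAMPLE += [build_frame("10.0.0.9", "10.0.0.80", 40000 + p, p, SYN) for p in range(20, 30)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The threshold of five distinct ports from one source is a tuning knob, not a standard; real analyzers expose the same decoded fields and leave the "is this suspicious" rule to a filter or an IDS.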
Network Scanners
A very important set of tools for security testers and network administrators is a network scanner and a port scanner. A network scanner can help you map out what systems exist on the network, which is known as network mapping; a port scanner then determines which TCP and UDP ports are open on each discovered host, and therefore which services it exposes. Two common tools that can be used for network mapping are nmap and Angry IP Scanner.
Network Scanners - Rogue System Detection
Network mapping software can also be used to identify unauthorized systems that have been connected to the network, by comparing the hosts a scan discovers against the inventory of systems that are supposed to be there. This is known as rogue system detection.
Network Scanners - Network Mapping
A network scanner can help you map out what systems exist on the network, which is known as network mapping.
Wireless Scanners/Cracker
Wireless Scanners
A common set of tools used on today's networks is a wireless scanner and a wireless cracker. A wireless scanner is a tool that discovers wireless networks within range and their characteristics, usually by passively listening for the beacon and probe frames that access points and clients send.
For example, with a wireless scanner you can see the SSID name, the channel, the type of encryption being used (WEP/WPA2), and the signal strength. Examples of wireless scanners are Acrylic WiFi for Windows and Kismet for Linux.
Wireless Cracker
A wireless cracker is a tool used to recover the encryption key of a WEP or WPA/WPA2 protected wireless network; Aircrack-ng is the usual example. The two cases differ. A WEP key can be recovered statistically once enough encrypted frames (initialization vectors) have been captured, no matter how strong the key is. WPA/WPA2-PSK requires capturing a client's four-way handshake and then running an offline dictionary or brute-force attack against the passphrase, so a long random passphrase is not practically crackable this way.
Password Cracker
Various password-cracking tools are available. John the Ripper and the GPU-based Hashcat are the most widely used today; Cain & Abel is an older Windows tool that was once very popular. They work offline against captured password hashes: each candidate guess (from a wordlist, mangling rules, or brute force) is hashed the same way and compared with the target hash.
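Added example, not part of the original flashcards: a small wordlist attack of the kind John the Ripper and Hashcat automate, run against hashes constructed in the block itself. It shows the mangling-rules idea (append common suffixes, capitalise) and why an unsalted fast hash falls immediately while a salted, iterated hash (PBKDF2 here) costs the attacker far more per guess. The wordlist, salt and passwords are constructed; nothing is taken from a real breach.

```python
"""Wordlist attack against an unsalted SHA-256 hash and against PBKDF2.
Added example; wordlist, salt and target passwords are constructed."""
import hashlib
import time

WORDLIST = ["password", "letmein", "summer", "hunter2", "qwerty"]  # constructed


def mangle(word):
    """Tiny rules engine: the base word, its capitalised form, common suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2024"):
            yield base + suffix


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_sha256(target_hex, wordlist=WORDLIST):
    """Unsalted SHA-256: one cheap hash per candidate, and because there is no
    salt the same work (or a precomputed table) serves every user."""
    for word in wordlist:
        for cand in mangle(word):
            if sha256_hex(cand) == target_hex:
                return cand
    return None


def crack_pbkdf2(salt, target, iterations, wordlist=WORDLIST):
    """Salted, iterated hash: every candidate costs `iterations` HMAC calls,
    and the per-user salt means the work cannot be shared across users."""
    for word in wordlist:
        for cand in mangle(word):
            if pbkdf2(cand, salt, iterations) == target:
                return cand
    return None


def cost_comparison(password="Summer123", iterations=100_000):
    """Seconds spent cracking the same password under both schemes."""
    t0 = time.perf_counter()
    assert crack_sha256(sha256_hex(password)) == password
    fast = time.perf_counter() - t0
    salt = b"\x8f\x1a\x22\xc9\xd0\x44\x7e\x5b"          # constructed per-user salt
    target = pbkdf2(password, salt, iterations)
    t0 = time.perf_counter()
    assert crack_pbkdf2(salt, target, iterations) == password
    slow = time.perf_counter() - t0
    return fast, slow


if __name__ == "__main__":
    fast, slow = cost_comparison()
    print(f"unsalted sha256: {fast:.4f}s   pbkdf2 x100000: {slow:.2f}s")
```

The password "Summer123" is never in the wordlist as such; it is found because the rules expand "summer" into it, which is exactly how real crackers defeat "add a digit" policies.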
Vulnerability Scanner
A vulnerability scanner is quite a bit different from a port scanner. The vulnerability scanner checks the system for known vulnerabilities and then reports the problems it found. It bases its decisions on a vulnerability database that is constantly being updated. During a scan it compares the patch level (installed software versions) and the configuration of your system(s) against that database and reports every entry that matches, which is where you are not following best practices, that is, where you have vulnerabilities. A credentialed scan, where the scanner logs in to the host and reads the installed package list, is far more accurate than an unauthenticated scan that has to guess versions from the network side.
Tools you can use: MBSA (now retired by Microsoft), LanGuard, Nessus.
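Added example, not part of the original flashcards: the core of a credentialed vulnerability scan in Python, matching an inventory of installed software versions against a vulnerability database and reporting what is below the fixed version. The inventory, the database entries, the product names and the VDB-* identifiers are all constructed for illustration and do not refer to real products or advisories; the version comparison handles the "8.2p1" and "1.1.1k" style suffixes a real inventory contains.

```python
"""Version-matching core of a vulnerability scanner. Added example; the
inventory, products and VDB-* identifiers are constructed."""
import re

# Constructed database: product, version in which the flaw was fixed, severity.
VULN_DB = [
    {"id": "VDB-0001", "product": "exampled", "fixed_in": "2.4.50", "severity": "critical"},
    {"id": "VDB-0002", "product": "exampled", "fixed_in": "2.4.52", "severity": "medium"},
    {"id": "VDB-0003", "product": "sshlike", "fixed_in": "8.5", "severity": "high"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    """'2.4.49' -> [(2,''),(4,''),(49,'')]; '8.2p1' -> [(8,''),(2,'p1')].
    Numeric parts compare as integers, any suffix as a string, so 8.2p1 < 8.5
    and 1.1.1g < 1.1.1k, which plain string comparison gets wrong."""
    parts = []
    for comp in v.split("."):
        m = re.match(r"(\d+)(.*)", comp)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, comp))
    return parts


def version_lt(a, b):
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    return pa < pb


def parse_inventory(text):
    """'product version' per line, as a credentialed check collects it."""
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            product, version = line.split()
            inv[product] = version
    return inv


def scan(inventory, db=VULN_DB):
    """Return (severity, id, product, installed, fixed_in), worst first."""
    findings = []
    for entry in db:
        installed = inventory.get(entry["product"])
        if installed and version_lt(installed, entry["fixed_in"]):
            findings.append((entry["severity"], entry["id"], entry["product"],
                             installed, entry["fixed_in"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


SAMPLE_INVENTORY = """# constructed: package listing read from the scanned host
exampled 2.4.51
sshlike 8.2p1
otherd 1.0
"""

if __name__ == "__main__":
    for sev, vid, prod, have, fixed in scan(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{sev:8} {vid} {prod} {have} (fixed in {fixed})")
```

Note that "exampled 2.4.51" matches the medium entry but not the critical one: a scanner is only as good as the fixed-in data in its database, which is why the database must be updated before every scan.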
Configuration Compliance Scanner
A configuration compliance scanner is a tool that verifies that the configuration of a system, or a part of it, matches a defined baseline (a hardening standard such as a CIS Benchmark) and reports each deviation. Nikto, the example given here, is an open-source scanner for web servers that checks the server against a database of well-known flaws and dangerous misconfigurations; OpenSCAP is an example of a general-purpose compliance scanner that evaluates a host against a written baseline.
Exploitation Frameworks
A common assessment tool for pen-testers is an exploitation framework, which bundles a large number of exploit modules for flaws in different products together with the payloads to run after a successful exploit. Common examples of exploitation frameworks are the Web Application Attack and Audit Framework (w3af) and Metasploit.
Data Sanitization Tools
You can use data sanitization tools to ensure that all data is securely erased from drives. This is an important step when disposing of drives, and also when preparing a drive as the target for a forensic image, so that leftover data from a previous use cannot be mistaken for evidence. Overwriting every sector is reliable on magnetic disks; on SSDs and other flash media, wear levelling can leave old copies in place, so use the drive's built-in secure erase or cryptographic erase (see NIST SP 800-88 for the media-specific guidance) and verify afterwards.
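Added example, not part of the original flashcards: the overwrite-and-verify loop at the heart of a file sanitization tool, in Python. It overwrites every byte with random data and then with zeros, forces each pass to disk with fsync, and reads the result back through the file system to confirm the final pass landed. The demo runs on a temporary file containing a constructed marker; the same loop works on a block device opened the same way, but that needs root and is destructive, and as the caveat above says it does not sanitize an SSD.

```python
"""Overwrite-and-verify file sanitization. Added example; the file contents
are a constructed marker, and the approach is only sound for media that
rewrite in place (not SSDs)."""
import os
import tempfile


def zeros(n):
    return b"\x00" * n


def overwrite_file(path, passes=(os.urandom, zeros), chunk=1 << 16):
    """Overwrite every byte of `path` once per pass, fsync after each pass, and
    return True if the final (deterministic) pass reads back intact."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(pattern(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())           # make sure it reached the disk
        f.seek(0)
        return f.read() == passes[-1](size)  # verification of the last pass


def sanitize_and_delete(path):
    """Wipe the contents first, then unlink; unlinking alone frees the blocks
    with the old data still in them."""
    ok = overwrite_file(path)
    os.remove(path)
    return ok


def demo():
    """Write a constructed secret, sanitize it, report (verified, residue_left)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET " * 20000)        # constructed sensitive content, ~140 KB
    ok = overwrite_file(path)
    with open(path, "rb") as f:
        residue = b"SECRET" in f.read()
    os.remove(path)
    return ok, residue


if __name__ == "__main__":
    verified, residue = demo()
    print(f"verified={verified} residue_left={residue}")
```

The read-back is the part most home-grown wipe scripts skip; a tool that cannot show the final state is not evidence of sanitization.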
Steganography Tools
Steganography tools are used to hide information inside images or other file types like MP3s, so that the carrier file still looks and plays normally. The classic technique is to replace the least significant bit of each pixel or audio sample with one bit of the hidden message, a change too small to notice by eye or ear.
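Added example, not part of the original flashcards: least-significant-bit steganography in Python, the technique most image stego tools implement. The carrier is a constructed array of 8-bit grayscale pixel values rather than a real image file, so the block runs offline; the message is constructed too. It also shows the first thing a steganalysis check looks at, the LSB statistics of the region carrying text.

```python
"""LSB steganography on a constructed grayscale pixel array. Added example;
carrier and message are constructed."""
import random


def embed(pixels, message):
    """Store a 4-byte length header plus `message` in the LSBs of `pixels`."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too large for carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # each pixel changes by at most 1
    return bytes(out)


def extract(pixels):
    """Read the length header, then that many bytes, from the LSBs."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_pixel_change(original, stego):
    return max(abs(a - b) for a, b in zip(original, stego))


def lsb_ones_fraction(pixels, start, stop):
    """Share of LSBs that are 1 in a region. Natural image data sits near 0.5;
    embedded ASCII text pulls it down because every eighth bit (the ASCII high
    bit) is always 0. Steganalysis tools start from statistics like this."""
    region = pixels[start:stop]
    return sum(p & 1 for p in region) / len(region)


random.seed(1)
CARRIER = bytes(random.randrange(256) for _ in range(4096))   # constructed "image"
MESSAGE = b"meet at 0200"                                      # constructed

if __name__ == "__main__":
    stego = embed(CARRIER, MESSAGE)
    print(extract(stego), max_pixel_change(CARRIER, stego))
    print(f"LSB ones in message region: {lsb_ones_fraction(stego, 0, 128):.2f}, "
          f"elsewhere: {lsb_ones_fraction(stego, 128, len(stego)):.2f}")
```

Hiding and encrypting are different goals: a message embedded this way is trivially readable by anyone who suspects the technique, so real tools encrypt the payload before embedding it.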
Honeypot/Honeynet
Honeypot
Another popular method of assessing security is to have a honeypot set up on the network. A honeypot is a system placed on the network to attract an attacker instead of having the attacker break into one of your production systems. Because no legitimate user has any reason to connect to it, every connection to a honeypot is suspicious, which makes it a low-noise detector; it also occupies the attacker's time and lets you watch their methods while you respond.
Honeypots are a good way to become aware of zero-day exploits. A zero-day exploit is an exploit for a vulnerability that is not yet publicly known, and it is hard to protect against because you do not know the vulnerability exists. When an attacker uses a zero-day exploit against a honeypot, the honeypot's logs and captured traffic show you the attack, because the honeypot records what was sent rather than matching it against known signatures.
Honeynet
A honeynet is very much like a honeypot in the sense that it is designed to lure the hacker, but a honeynet is a full network of fake systems that will track the hacker’s activity.
Backup Utilities
You should use backup tools to back up the state of a system before performing a penetration test on that system. This will allow you to recover the system should something go wrong with the pen-test.
Banner Grabbing
After a port scan is performed and you know which ports are open, the next step is to determine what software opened each port so that you can plan how to exploit that software during your penetration test. To determine what software is running on each open port, you can do a banner grab, which means connecting to each port and collecting the response from the server. Many services (SMTP, SSH, FTP) announce themselves with a greeting line that names the software and version as soon as you connect; others, such as HTTP, only answer after the client sends a request, so the grabber must send a short probe first. Treat banners as hints rather than facts, since administrators can remove or change them.
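Added example, not part of the original flashcards, covering both the port scanner card above and banner grabbing: a TCP connect scan followed by a banner grab, in Python. To keep it self-contained a fake service is started on a loopback port in a thread; its banner string is constructed for the demo and names no real product. The same scan_and_grab call against a real host is what nmap's service detection automates, with a much larger catalogue of probes and banner patterns.

```python
"""TCP connect scan plus banner grab against a fake service on loopback.
Added example; the service and its banner are constructed."""
import socket
import threading

FAKE_BANNER = b"220 mail.example.test ESMTP ExampleMTA 2.4.1 ready\r\n"  # constructed


def start_fake_service(banner=FAKE_BANNER):
    """Listen on an OS-assigned loopback port and greet each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Return a loopback port number that nothing is currently listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.3):
    """Full TCP handshake per port (the noisy kind); returns ports that accepted."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:                     # refused, filtered, or timed out
            pass
    return open_ports


def grab_banner(host, port, timeout=1.0, probe=b""):
    """Connect and return what the service volunteers; send `probe` first for
    protocols such as HTTP that only speak after the client does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(1024).decode(errors="replace").strip()
    except OSError:
        return ""


def scan_and_grab(host, ports):
    return {p: grab_banner(host, p) for p in connect_scan(host, ports)}


if __name__ == "__main__":
    srv, port = start_fake_service()
    for p, banner in scan_and_grab("127.0.0.1", range(port - 2, port + 3)).items():
        print(p, banner or "(no banner)")
    srv.close()
```

A connect scan completes the handshake, so the target's service logs every probe; that is the detectability point made in the Passive vs. Active card.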
Passive vs. Active
There are different types of tools for performing security tests on a system: passive tools and active tools. Passive tools do not send traffic to the target system, while active tools do. An example of passive reconnaissance is DNS profiling, where the tester collects information about a company from public DNS records; the queries go to DNS servers, not to the actual intended target, which is the web or FTP server. Listening to traffic with a protocol analyzer is passive in the same sense. An example of an active tool is a port scanner, because it communicates directly with the intended target system. Because active tools communicate with the target, their traffic can be detected and logged there.