Handbook of Security Tools for IT Directors

June 4, 2016 | Author: Iyad Ali | Category: Types, School Work

MSc Information Security Project Report

Handbook of Security Tools for IT Directors, Iyad Abou-Hawili, Student Number: 0090417849, John Austen, Information Security Group, University of London, RHUL

Submitted as part of the requirements for the award of the MSc in Information Security of the University of London. 23-Mar-2014


TABLE OF CONTENTS

Table of Contents ... 2
Executive Summary ... 5
1. Introduction to Information Security Tools ... 6
  1.1. Setting the stage ... 6
  1.2. Approaches to Security ... 6
  1.3. The need for hacking tools (Offensive method) ... 7
  1.4. Tools in the market ... 7
  1.5. Our approach on deciding what tools to use ... 9
  1.6. Skill sets of people using these tools ... 10
  1.7. Limitation on tools usage (Conclusion) ... 11
2. Securing your Environment ... 12
  2.1. Introduction ... 12
  2.2. Hackers’ Techniques ... 12
  2.3. Difference between Hackers and IT Director(s) requirements ... 14
    2.3.1. First ... 14
    2.3.2. Second ... 15
  2.4. Proposed New Model ... 17
  2.5. Limitations of model usage (Conclusion) ... 18
3. Anti-Reconnaissance and Reconnaissance ... 20
  3.1. Reconnaissance (Information Gathering) ... 20
    3.1.1. Reconnaissance Objectives ... 20
    3.1.2. Tools used in Reconnaissance ... 21
  3.2. Anti-Reconnaissance ... 22
    3.2.1. Fundamentals of Anti-Reconnaissance ... 22
    3.2.2. Objectives of Anti-Reconnaissance ... 23
    3.2.3. Tools and software ... 23
4. Vulnerability Assessment ... 29
  4.1. Vulnerability Assessment Fundamentals ... 29
  4.2. Objectives of Vulnerability Assessment ... 30
  4.3. Vulnerability Scanning Tools ... 30
    4.3.1. Wireless Tools ... 30
    4.3.2. Network Tools ... 32
    4.3.3. Web Application Vulnerability Assessment Tools ... 33
5. Penetration Testing ... 34
  5.1. Pre-Exploitation/Pre-attack ... 34
  5.2. Exploitation/Attack ... 34
  5.3. Post-exploitation/Post-attack ... 35
  5.4. Areas of Penetration Testing (Exploitation) ... 35
  5.5. Penetration Testing Fundamentals ... 35
  5.6. Penetration Testing Steps ... 36
    5.6.1. Reconnaissance/Information Gathering ... 36
    5.6.2. Target Evaluation ... 36
    5.6.3. Exploitation ... 36
    5.6.4. Privilege Escalation ... 37
    5.6.5. Maintaining Access ... 37
  5.7. Penetration Testing Objectives ... 37
  5.8. Penetration Tools ... 38
    5.8.1. Wireless Tools ... 38
    5.8.2. Web Application Tools ... 39
    5.8.3. Network/Host Tools ... 40
  5.9. Challenges of Penetration Testing ... 42
  5.10. Final Step after Penetration Testing completion ... 42
6. Rectification ... 44
  6.1. Rectification Phase ... 44
  6.2. Rectification Fundamentals ... 45
  6.3. Objectives/Goals of Rectification ... 45
  6.4. Types of Analysis to be conducted ... 46
  6.5. Rectification Tools ... 46
    6.5.1. Tcpdump/WinDump ... 46
    6.5.2. Wireshark ... 46
    6.5.3. Chkrootkit ... 46
    6.5.4. Md5deep ... 47
    6.5.5. Rootkit Revealer ... 47
    6.5.6. TSK (The Sleuth Kit) ... 47
    6.5.7. Fatback ... 47
    6.5.8. Nikto ... 47
7. Conclusion ... 49
Bibliography ... 50
Additional Resources ... 53
Appendix A ... 55
Appendix B ... 60
Appendix C ... 64
Appendix D ... 74


EXECUTIVE SUMMARY

The purpose of this Handbook is to develop a model and recommend to IT Director(s) a set of important IT Security tools. These tools are used not only by most security professionals but also by IT Security firms to audit businesses and secure their information assets. The Handbook will serve as a starting guide for IT Director(s) and their staff in their endeavour to secure their companies’ infrastructure.

There is a large number of free security tools in the market, and it becomes confusing for IT Director(s) to decide which tools to use. Furthermore, there is a lot of literature about the process hackers follow when attacking a target, but little of it takes IT Director(s)’ requirements into consideration. This Handbook sheds light on the hackers’ process of attacking a target, modifies this model to fit IT Director(s)’ requirements, and suggests a few IT Security tools for each phase of the proposed model, to be used by IT Director(s)’ teams, Security Analysts, Penetration Testers, and others.

The model developed is composed of four phases. It is similar to the model used by Ethical Hackers and attackers, but customized to meet IT Director(s)’ requirements. We discuss the fundamentals, objectives, and tools of each of the four phases. Suggested tools fall into the following categories: Anti-Reconnaissance, Information Gathering, Scanning and Inventory, Vulnerability Assessment, Penetration Testing, and Detecting Traces of an Attack. The suggested tools are open-source and free to use, but still powerful enough to accomplish the requirements. Moreover, these tools are offensive tools, which differentiates them from the defensive tools commonly used by most IT Director(s) and promoted by most security vendors.


1. INTRODUCTION TO INFORMATION SECURITY TOOLS

1.1. SETTING THE STAGE:

Information Security tools are becoming a need for any IT department as threats increase due to the “Internet of everything” in our small village, Earth. These tools are used to identify potential weaknesses in any of the devices or systems used to move, store, or process data in any business. This Handbook is intended for IT Director(s), within their area of responsibility, to secure the information assets in their company. IT Director(s) are not expected to be experts in the IT Security tools mentioned in this Handbook. However, knowledge of these tools, their functions and purposes, and the phases in which they are used will be a definite advantage in the process of improving security. Before we proceed further, we need to define the following terms, which are used extensively in this document.

- Ethical Hacker or White-Hat Hacker: a Security Analyst (good person) who works on securing an environment using IT Security or hackers’ tools.
- Hacker or Black-Hat Hacker: a bad person who tries to cause harm, for various reasons, to systems owned by other people or companies.
- White-Box Hacking: the method where information about the targeted devices is given to the Ethical Hacker/White-Hat Hacker.
- Black-Box Hacking: the method where information about the targeted devices is not given to the Ethical Hacker/White-Hat Hacker.
- Grey-Box Hacking: a process where some information about the targeted devices and the company under testing is shared with the Ethical Hackers/White-Hat Hackers.

1.2. APPROACHES TO SECURITY:

In Information Security, there are two approaches to securing information. The first approach, the more popular of the two, is the “Defensive” one. [ER11], for example, defines Network Security defensive methodologies as “Switches Security, Firewalls, Intrusion-Detection Systems (IDS), Logs, Network, Antivirus, Hardware, Troubleshooting, Availability, Server/Client Security, Creating Policies, Network Management, etc…”

The second approach is the “Offensive” one. In the same course, [ER11] defines the Offensive Method, or Ethical Hacking, for network security as looking for “Denial of Service (DOS), Trojans, Worms, Viruses, Social Engineering, Password Cracking, Session hijacking, System failure, Spam, Phishing, Identity theft, Wardriving, Warchalking, Bluejacking, Lock picking, Buffer Overflow, System hacking, Sniffing, SQL injection, etc….”

The tools that we will cover in this Handbook are not the known defending tools such as Firewalls, IDSs, Antivirus, and others. These tools are offensive/attacking tools that might cause harm if used without caution or in an unethical manner. Black-Hat hackers use these tools to gather information about their targets, exploit vulnerabilities, and cause damage. On the other hand, Ethical Hackers can use the same tools to close security holes and improve security. “The only difference between a hacker tool and a cyber security professional tool is, “written permission.” [SW13]

1.3. THE NEED FOR HACKING TOOLS (OFFENSIVE METHOD):

In an article written in 1993 [DF93], Dan Farmer and Wietse Venema argued that the best way to secure your environment is by trying to break into it. Similarly, [MM06] emphasizes the role of attacking your systems using the same tools as those used by Black-Hat hackers, instead of only defending them. These days, Ethical Hackers or security analysts assume the role of attacking your own systems in a controlled manner. IT Director(s)’ awareness of these tools, the phases in which they are applied, their fundamentals, and their objectives is essential to survive in the digital world.

The importance of the offensive technique comes from the mindset of the Ethical Hacker, who is actually playing the role of a hacker running the same tools. In this role, Ethical Hackers try to answer the following questions:

- What does an intruder see in a targeted system?
- Why does an intruder need this information?
- What can she/he do with the information obtained after compromising a system?
- Did anyone notice the intruder’s attempts to gain access?
- Did anyone discover a compromise of a system? [ER11]

The above does not mean, in any way, that the defensive tools should be removed and replaced with offensive ones. It emphasizes the need for additional (offensive) tools to win a battle that IT Director(s) (i.e. their businesses) are losing most of the time.

1.4. TOOLS IN THE MARKET:

Looking at the security tools used by White-Hat hackers (“Ethical Hackers”) in Information Security auditing firms, we can classify them into four major categories: Commercial, Proprietary, Freeware, and Open-Source. Commercial and proprietary tools are tools that we can buy from vendors. Usually, vendors provide support for both types, and usage of these tools is subject to license agreements [CA12]. In addition, some proprietary tools are given away free. Moreover, some proprietary tools are not sold to external clients and are dedicated to use by specific IT Security auditing firms.

Freeware and Open-Source tools can be downloaded free from the Internet. Neither type is subject to support agreements. With Freeware tools, you do not have access to the source code. “Open-Source” tools, on the other hand, provide access to the source code, subject to the “open-source initiative” rules and regulations [OS98].

A security analyst will need to choose between these different types of tools based on the tool’s functionality and her/his need. Most of the time, a security professional will need to choose from a set of tools provided by various vendors with different licensing and support terms and conditions. Sometimes, in a particular situation, there is no open-source or freeware tool that can complete the task, or the free tool is very limited. This might mandate the use of proprietary or commercial tools. Commercial tools are subject to support agreements, while free and open-source tools are not. In addition, commercial and proprietary tools are subject to license agreements, and their source code is not accessible to users [CA12]. On the other hand, commercial tools might not fit the scenarios of every company, and the security analyst cannot modify or tailor the tool to his/her preference, whereas experienced security analysts are able to tailor open-source tools to meet the business’s requirements. Another important consideration is that proprietary free tools are specific to their vendor’s products (e.g. Microsoft and Cisco) and cannot be used on other vendors’ hardware or operating systems.

This leaves us with two approaches. The first approach is using vendor-specific tools on vendor-specific devices, which will definitely improve the security of the environment, but is subject to two main limitations [SH11]. First, it requires testers to have a deep understanding of the systems under test, in order to scrutinize and include as much as possible of these systems. Second, these tools have two major issues:

- Parameters set in the tool might not cover everything in the tested environment.
- It is difficult to map the operations of these tools to all the requirements of a targeted infrastructure.

A third limitation is the assumption that the security analyst (Ethical Hacker) knows the systems under consideration, which is not true in a real-life situation. These tools cannot be used when a security analyst is conducting Black-Box testing: in that situation, Ethical Hackers do not have any knowledge about the systems, so using vendor-specific tools would not be the appropriate approach.

The second approach, not using vendor-specific tools when testing an environment, has many advantages over the first. Firstly, it is similar to the approach followed by Black- and White-Hat hackers. Secondly, non-vendor-specific tools are applicable to all environments without restriction. A third advantage, mentioned by [ES07], is that open-source and free tools are suitable for IT Director(s) with a limited budget; using free tools, they can build a complete arsenal to secure their systems without paying much. “Open-Source Applications and Tools while it is pretty common to see companies embrace commercial tools in their production environments; you can’t discount the sheer innovation available in the open-source community” [JS11]. [JS11] then describes the benefit of using open-source tools to “build your information security skill set. Most security professionals cannot afford to purchase multiple commercial security applications to learn with, so leveraging open-source is a cost-effective career builder. The other value that open-source security tools bring to a security professional is that these are the same tools hackers will use. One of the most important skills you can develop is the ability to understand the methods and tools used by hackers to get into your systems. Learning the tools and techniques they may use by developing parallel expertise will take you far in your career. Commercial applications seldom offer the same learning opportunities. Attackers generally are not using commercial applications in their attacks, and they typically don’t draw from the same community available with open-source solutions as you will to help your learning” [JS11].

1.5. OUR APPROACH ON DECIDING WHAT TOOLS TO USE:

The challenge for any IT Director(s) is that thousands of tools are available in the market. Choosing from this big pool without sacrificing functionality, while keeping things simple, takes considerable effort.

However, a lot of work has been done by Information Security experts to gather different free tools into one consolidated package or distribution. Most of these distributions are based on the Linux operating system. Some of the most-used distributions are listed below:

- Backtrack and its commercial version Kali Linux. These distributions include around 300 tools categorized into various groups (Information Gathering, Vulnerability Assessment, Exploitation tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID tools, Stress Testing, Forensics, and many Reporting tools) [BT13]. Backtrack is based on Ubuntu Linux; Kali Linux is based on Debian Linux. For a full list of tool sub-categories and names on Backtrack and Kali Linux, please refer to Appendix A and B respectively [KL13].
- Matriux "Leandros" is analogous to Backtrack and includes more than 300 open-source and free tools, based on Debian Linux, but also includes tools to test PCI DSS controls, which are not available in the Backtrack and Kali Linux distributions. For a detailed list of tools and their categorization, please refer to Appendix C [ML13].
- Fedora Security Spin/Lab is a collection of security-related tools built on the Fedora Linux operating system. For a detailed list of tools, please refer to Appendix D [FP13].
- Katana is a multi-boot DVD/USB that gathers different tools and the Backtrack distribution into a single location [JD12].
- Blackbuntu is based on Ubuntu 10.10.
- Blackbox is another distribution that includes tools used for information gathering, incident handling, penetration testing, and forensics. It is based on the Ubuntu Linux operating system.
- Etc.

In this Handbook, our proposed model/approach to securing information using security tools will be applicable to all distributions (free tools) and to commercial tools as well. However, reference will be given mostly to tools that are present in Backtrack and Kali Linux, since these are the most popular among security experts and have more resources, more literature, and more sample implementations available than other distributions. For these reasons, the Backtrack distribution is widely accepted among security experts and is considered “the premiere security-oriented operating system. ….. and the recent release of Kali Linux is sure to gain widespread popularity” [JP13].

One major website that lists and ranks security tools is http://sectools.org/. SecTools.org releases a security tools survey every three years (2006, 2009, 2012) [MC08] ranking the tools. Most of the tools referenced in this Handbook are part of the “Top 125 Network Security Tools” listed on that site, with the exception of the tools and methodologies referenced in the Anti-Reconnaissance phase. In addition, the tools that we reference are used by IT Security auditing firms in India, including the Big Four auditing firms (Deloitte, PWC, KPMG, and EY), as per a report produced by cert-in.org [CI12].

1.6. SKILL SETS OF PEOPLE USING THESE TOOLS:

However, there are several important things to keep in mind. The first is that these tools cannot replace skilled information security professionals and system engineers. The experience and intuition of the personnel using these tools are fundamental requirements for understanding and identifying attacks and for discovering holes in the deployed systems [SI13]. Since most of these free tools are Linux-based, IT Director(s) should know that their staff need to have experience with the Linux operating system [CA12], [SI07]. This does not mean that the staff’s experience should be limited to Linux; knowledge of Linux is necessary but not sufficient. For example, Penetration Testers should have several years of experience in the IT field, such as application development, systems administration, networking, or consultancy, before they do penetration testing [ER11].

On the other hand, the tools referred to in this document are used in “mission-critical security” jobs and effective skills development is an essential step to ensure that the right people with the right skills are in place [SI13].

The author of [HS12] lists the most important “mission-critical security” jobs for most companies as follows:

1. System and network penetration testers,
2. Application penetration testers,
3. Threat analysts/counter-intelligence analysts,
4. Advanced forensics analysts,
5. Security monitoring and event analysts,
6. Risk assessment engineers,
7. Incident responders in-depth,
8. Secure coders and code reviewers,
9. Security engineers - operations, and
10. Security engineers/architects who built security in [HS12].

1.7. LIMITATION ON TOOLS USAGE (CONCLUSION):

A very important thing to mention is that the use of security tools (in our case offensive and Ethical Hackers’ tools) in Reconnaissance, Anti-Reconnaissance, Vulnerability Assessment, Penetration Testing, and Prevention is just one link in the security chain. Using these tools does not mean, in any sense, that your information is protected. Vulnerability assessment and penetration testing are just two links in a long chain.

In the ISO/IEC 2700x standard series, we find eleven different areas that address how to secure information. Other standards or frameworks (e.g. COBIT, SOX, HIPAA, etc…) have similar areas, some of which overlap with each other. Vulnerability Assessment and Penetration Testing are just two parts of the whole standard. Security audits, for example, address many areas other than Vulnerability Assessment and Penetration Testing, and recommend the use of different types of controls for each area [TB07]. In addition, these tools are not a replacement for a manual IT Security audit or conformance audit. Just because we used these tools and did not find a vulnerability does not mean that none exists [MC08].

Moreover, different tools give different results, and these scanners detect vulnerabilities at a given point in time. One tool might discover a vulnerability that another tool does not find; a new vulnerability might appear, and its signature be added to the database, only after the scan is conducted; or the tool might not have had the signature of the vulnerability at the time of scanning. All of the above put limitations on the results obtained from these tools. This does not mean that these tools should be abandoned, but it is meant to alert IT Director(s) that there is no 100% secure system and no 100% compliant system. If an attacker wants to break in, it is a matter of how much time and money the attacker is willing to invest to accomplish the task. The two essential things for IT Director(s) are:

- to reduce the time needed to discover that a system has been compromised, and
- to reduce the time a compromised system remains compromised.

The above are addressed by Incident Handling and Forensics’ procedures and tools (some of which are mentioned in this Handbook) that play a key role in responding to an incident and closing it the soonest possible [TB07].
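As an added example (not code from the Handbook), the script below makes the point-in-time limitation above concrete: it reconciles the findings of two scanner runs, so that a vulnerability one tool missed is not silently dropped, and flags runs whose signature database was already stale when they ran. All scanner names, hosts and vulnerability identifiers are constructed placeholders.

```python
"""Reconcile point-in-time vulnerability findings from two scanners.

Added example, not code from the Handbook. It makes concrete the point
that different tools report different findings and that every scan is a
snapshot tied to the signature database the tool had at the time.
All hosts, scanner names and vulnerability identifiers below are
constructed placeholders, not real scan output.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One reported issue; equal findings from two tools compare equal."""
    host: str
    port: int
    vuln_id: str


@dataclass(frozen=True)
class ScanRun:
    """Results of one scanner run plus the metadata that dates them."""
    scanner: str
    scanned_on: date
    signatures_as_of: date  # date of the signature database the tool used
    findings: frozenset


def _ordered(findings):
    return sorted(findings, key=lambda f: (f.host, f.port, f.vuln_id))


def reconcile(run_a, run_b):
    """Split findings into those both tools agree on and those only one saw.

    Anything in 'only_a' or 'only_b' is a coverage gap of the other tool
    (or a false positive) and deserves manual verification rather than
    being dropped because the second tool stayed silent.
    """
    return {
        "both": _ordered(run_a.findings & run_b.findings),
        "only_a": _ordered(run_a.findings - run_b.findings),
        "only_b": _ordered(run_b.findings - run_a.findings),
    }


def all_findings(runs):
    """Union of every run: the list to act on, whichever tool found it."""
    merged = frozenset().union(*(r.findings for r in runs))
    return _ordered(merged)


def stale_runs(runs, today, max_signature_age_days=7, max_scan_age_days=30):
    """Name the runs whose results should not be treated as current.

    A run is stale if its signature database was already old when the
    scan ran (it could not know about newer vulnerabilities) or if the
    scan itself is too old relative to 'today'.
    """
    stale = []
    for run in runs:
        signature_age = (run.scanned_on - run.signatures_as_of).days
        scan_age = (today - run.scanned_on).days
        if signature_age > max_signature_age_days or scan_age > max_scan_age_days:
            stale.append(run.scanner)
    return stale


# Constructed sample data: two scanners run against the same two hosts.
SCAN_A = ScanRun(
    scanner="scanner_a",
    scanned_on=date(2014, 3, 1),
    signatures_as_of=date(2014, 2, 27),
    findings=frozenset({
        Finding("10.0.0.5", 443, "VULN-0001"),
        Finding("10.0.0.5", 22, "VULN-0002"),
        Finding("10.0.0.9", 80, "VULN-0003"),
    }),
)
SCAN_B = ScanRun(
    scanner="scanner_b",
    scanned_on=date(2014, 3, 2),
    signatures_as_of=date(2014, 1, 15),  # signature database six weeks old at scan time
    findings=frozenset({
        Finding("10.0.0.5", 443, "VULN-0001"),
        Finding("10.0.0.9", 80, "VULN-0004"),
    }),
)
REPORT_DATE = date(2014, 3, 10)  # the day the IT Director reads the report


if __name__ == "__main__":
    result = reconcile(SCAN_A, SCAN_B)
    for label, items in result.items():
        print(label, [f"{f.host}:{f.port} {f.vuln_id}" for f in items])
    print("to act on:", len(all_findings([SCAN_A, SCAN_B])))
    print("stale runs:", stale_runs([SCAN_A, SCAN_B], REPORT_DATE))
```

With the sample data, only one finding is common to both tools, three are seen by a single tool, and scanner_b is flagged because its signatures were six weeks old when it ran.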


2. SECURING YOUR ENVIRONMENT

2.1. INTRODUCTION

Hacking is not a new thing that has appeared only recently. It started in the 1960s, when hackers were a group of “technology enthusiasts.” At that time, hacking was driven by intellectual curiosity, and there was no intention of harming others. It was against the law in the mindset of those hackers, who were leading the software-development movements that led to the emergence of open-source software and paved the way toward the development of the Internet (ARPANET) [SO11]. However, things are no longer as they were 50 years ago. Hackers, except for Ethical Hackers, are driven most of the time by bad intentions and acts that are against the law in most countries. Hackers have developed techniques and arsenals of tools to reach their goals, which differ from one group of hackers to another.

Besides, security experts, government agencies, and other companies have developed several standards and methodologies to help IT and security experts understand what needs to be done to secure information. However, these methodologies describe and imitate the process followed by Black-Hat hackers step by step, and advise Ethical Hackers to follow the same steps in their endeavour to secure information. On the other hand, there is a lot of literature, training guides, articles, and research on various security tools. However, few of these works address the usage of these tools from an IT Director(s)’ perspective. Most of the work done tries to imitate, step by step, what hackers will do in their journey to compromise their targets.

This Handbook is intended to simplify these procedures into a manageable process and set of tools, and to customize the process followed by Ethical Hackers to meet IT Director(s)’ requirements. The defined process/approach differs slightly from that developed by Ethical Hackers, and also proposes a new concept of how IT Director(s) should approach security. It is not totally new, but it differs from what is found in most literature about the phases of how hackers work and attack targets. It modifies the former approach and tailors it to fit the needs of IT Director(s) more closely. The same applies to the tools proposed in our model. Some of the proposed tools are intended for securing the infrastructure and discovering hackers, and other tools could be used by both hackers and security analysts.

2.2. HACKERS’ TECHNIQUES

Many books, articles, and research papers describe hackers’ methodology and their techniques for attacking targets. In [SO11], the techniques were divided as follows:

- Footprinting,
- Scanning,
- Enumeration,
- System Hacking,
- Escalation of Privilege,
- Covering Tracks,
- Planting Backdoors.

In [JW07], [KG07] hacking phases were summarized in a similar way to the one mentioned by [SO11]:

- Reconnaissance,
- Scanning and Enumeration,
- Gaining Access,
- Escalation of Privilege,
- Maintaining Access,
- Covering Tracks, and
- Placing Backdoors.

Others, like [KG07], divide it as follows:

- Reconnaissance,
- Scanning,
- Gaining Access,
- Maintaining Access, and
- Covering Tracks.

In addition, in most of the guides developed by EC-Council and SANS Institute, an Ethical Hacking process is divided into similar phases as those mentioned above.

“Over time a proven framework has emerged that is used by professional Ethical Hackers. The four phases of this framework guide the penetration tester through the process of empirically exploiting information systems in a way that results in a well-documented report that can be used if needed to repeat portions of the testing engagement. This process not only provides a structure for the tester but also used to develop high-level plans for penetration testing activities. Each phase builds on the previous step and provides details to the step that follows. While the process is sequential, many testers return to earlier phases to clarify discoveries and validate findings. The first four steps in the process have been clearly defined by Patrick Engebretson in his book The Basics of Hacking and Penetration Testing. These steps are Reconnaissance, Scanning, Exploitation, and Maintaining Access” [JB14].

Before elaborating on the above phases and on how these phases need to be addressed and tailored, we will define briefly what is meant by each phase, to make things easier to understand afterwards.

Reconnaissance: Reconnaissance, Footprinting, and Information Gathering are used interchangeably in this document and refer to the same process. It is the process of uncovering and collecting information about targeted networks or systems. There are different methods of collecting information about a target: Googling the company, social engineering, and many other tools and techniques, which might be either active or passive.

Scanning: is the process of finding targeted systems’ technical details such as IP addresses, operating systems, services, applications used, etc., to be used in finding vulnerabilities.

Enumeration: is the process of gathering and compiling usernames, machine names, network resources, shares, and services [KG07]. Some of the literature considers enumeration part of the Scanning process and does not distinguish the two from each other, because the tools used are almost the same.

Gaining Access: Gaining Access, System Hacking, System Exploitation, and Target Exploitation are used interchangeably in this document and refer to the same process. It is the process of exploiting a vulnerability, found during the previous phase, in a targeted system. “It is the phase where the real hacking takes place” [KG07].

Maintaining Access: Maintaining Access and Escalating Privileges are used interchangeably in this document. This process happens after exploiting a vulnerability in a system and gaining normal user account privileges, and consists of working to escalate access to a privileged user (Admin, root, etc.).

Covering Tracks: This is the process where a hacker removes evidence of his/her actions to avoid detection by Security Analysts or Ethical Hackers.

Placing backdoor: This is the process where a hacker places code (a program or programs) on the exploited system to allow him/her to access it easily without being noticed.

2.3. DIFFERENCE BETWEEN HACKERS AND IT DIRECTOR(S) REQUIREMENTS:

From the above literature, we can see that the phases proposed to be followed by Ethical Hackers are almost the same, with minor differences in nomenclature. The above phases are followed by Black-Hat hackers to attack a target and by Ethical Hackers to simulate the work of Black-Hat hackers, testing the strength and maturity of the security investment made to protect information. The above is proposed to be used in one of three scenarios: White-Box testing, Black-Box testing, and Gray-Box testing (White, Black, or Gray). In my opinion, however, IT Director(s) need to have a different approach. Before defining this approach, I will lay down the foundations for it.

2.3.1. FIRST:

IT Director(s) should be advised to follow a White-Box testing approach. In my opinion, IT Director(s) (or their team members) cannot run a Black-Box testing (hacking) process to test the infrastructure they are managing, since they have the information ready at hand and in their minds, and the conducted process will be biased. On the other hand, hiring a third party to execute Black-Box testing and avoid the above limitation is not practical and has many limitations, due to two main reasons. Firstly, the contract signed between both parties should specify the scope, duration, rules of engagement, boundaries of the attack, tools to be used, and many other things. If an external Ethical Hacker fails to do so, then he will be faced with a scope that creeps, changes, and grows in an uncontrolled manner. A Black-Hat hacker is not limited by any rules [JM13]. By doing so, we are revealing more information to the Ethical Hacker. This process moves us to the gray area between White- and Black-Box testing.

Secondly, crucial and important processes in simulating hackers’ attacks are Vulnerability Assessment and Penetration Testing, and they are an auditing requirement in most organizations. The IT Director’s concern in accepting a Black/Gray-Box vulnerability assessment and penetration test is that this kind of testing (Black/Gray) might affect the services provided. This will lead him/her, in most cases and through all phases, to move the hacking process slightly toward the white area as the work progresses, to minimize the risk exposure. It is then obvious, in most scenarios and in my opinion, that IT Director(s) will most probably operate near or in the white area of testing, which will definitely lower the risk and save time and money. Definitely, a Black-Box hacking process resembles a Black-Hat hacker more in numerous facets, but the risk will increase as the resemblance increases and as we move toward the black area of testing.

2.3.2. SECOND: Second, three phases need to be modified from an IT Director(s) point of view: Reconnaissance, Maintaining Access, and Covering Tracks. We will base our analysis and recommendations on White-Box testing. First, there is no need for an Ethical Hacker to gather information about systems using the same tools and techniques Black-Hat hackers do. Gathering and updating information about the targets to be secured is already done, and it is part of the IT Department team’s job. IT Director(s), along with their teams, know their infrastructure inside and out. Also, we cannot agree with [KG07] when he suggests that Reconnaissance, Information Gathering, and Scanning could be bypassed by an Ethical Hacker, who could jump directly to the attack phase. His assumption that a White-Hat hacker being either an employee or an outsourced company eliminates the need for collecting information is correct, but it does not reduce the need to verify this information.


Second, Ethical Hackers need to gather information about illegitimate devices, whether these devices were installed by insiders or by hackers. It is better to spend time checking and gathering information about systems that were missed by the IT Department than discovering what the IT Department already knows. The Ethical Hacker needs to identify both legitimate and illegitimate devices, tools, and software instead of skipping the search because they know the organization’s infrastructure. Some IT Security consultants, from my experience, show up at your office, deploy scanning software to identify the IP addresses of your legitimate devices, and forget about gathering information on illegitimate devices and tools. Nevertheless, to know the illegitimate devices and systems, you need to know the legitimate ones. In my opinion, regardless of the method of testing (Black-Box or White-Box), and regardless of whether the person is a Black-Hat hacker or a White-Hat hacker, information needs to be gathered and documented to start the process. However, the target of examination, the methodology of gathering information, the sources of information, and the tools will be slightly different. On the other hand, [JM13] does not agree with [KG07] and emphasizes that Reconnaissance should be the first step of any White- or Black-Box testing scenario, regardless of whether you are (as a Black-Hat or White-Hat tester) verifying information given to you by the IT Department or building new intelligence about a target. In the case of a White-Hat tester, Reconnaissance begins by defining the scope of work related to the target environment. Once the scope is defined, information gathering is performed on the target. The information gathered includes IP addresses and ports used, deployed services, local or external hosting, types of services offered, and so on. This data, along with the rules of engagement, will lead to the development of the Statement of Work, the Action Plan, and the methods to conduct the test.
The deliverable of the Reconnaissance phase should include a summary list of all relevant IT assets being targeted, what applications are running on the assets, and the services used.

Third, Ethical Hackers need to employ Anti-Reconnaissance tools and devices to protect the infrastructure from reconnaissance. The idea is similar to the antivirus, anti-malware, and anti-spam tools used by most organizations. Having an antivirus is much more important and effective for IT Director(s) than knowing how a virus attacks a system and trying to simulate this attack. The same applies to Anti-Reconnaissance, which is much more important than only knowing how hackers gather information and imitating their actions. Anti-Reconnaissance is the process of using a set of tools and techniques to misguide and trap attackers. Fourth, there is no need for IT Director(s) to “cover tracks” and “plant backdoors” as hackers do. In other words, IT Director(s) do not want to attack their own systems; they want to secure their systems. Why do IT Director(s) need to plant backdoors after gaining access to a target? Does planting a backdoor and modifying specific system processes add anything to the security of the target? Does restoring the attacked system to its original state, cleaning registries, and replacing infected system files give IT Director(s) more confidence in their systems? Is it a mere imitation of hackers’ footsteps? In my experience, IT Director(s)’ concerns and objectives for all the tools used, methodologies, and investments are to prevent the last two phases (Covering Tracks and Planting Backdoors) from happening. IT Director(s) need to know (the tools and methodologies) how hackers cover their traces, maintain access, and create backdoors. However, what is more important is to uncover and detect their existence, if any. I think it is better to spend time and money on rectifying the holes and strengthening security, instead of covering the Ethical Hacker’s tracks and planting backdoors, then undoing what was done.

2.4. PROPOSED NEW MODEL:

Based on the above, a new model is proposed for IT Director(s) to use in their attempt to secure their infrastructure:

1. Anti-Reconnaissance/Reconnaissance (Information Gathering)
2. Vulnerability Assessment (Scanning, Enumeration, Vulnerability Discovery)
3. Penetration Testing (Exploitation, Escalate Privilege and Maintain Access)
4. Rectification (Forensic tools)

As we can see from the above proposed model, we have customized the first phase, previously called “Reconnaissance”, and called it “Anti-Reconnaissance”. In addition, we have completely replaced “Covering Tracks” and “Planting Backdoors” with a “Rectification” phase. In this scheme, and from an IT Director(s) perspective, the Reconnaissance and Scanning phases will remain part of the Ethical Hacker’s duties, to discover and gather information about both legitimate and illegitimate devices. Secondly, the Reconnaissance phase is renamed Anti-Reconnaissance to include tools and techniques that misguide attackers and trap them. Thirdly, the role of the “Rectification” phase is not to prove a case in a court of law, but to search for possible traces of hackers. The Ethical Hacker is encouraged to use tools to discover rootkits, backdoors, traces of compromised systems, and traces of attempts to compromise systems.

In the next modules (Four, Five, Six, Seven and Eight), we will discuss three main notions for each phase of the proposed model: Fundamentals, Objectives, and Tools, elaborating on the similarities and differences of each phase. Additionally, we will look into the similarities and differences between the newly proposed model and the old model. The proposed phases are inter-related, and some Fundamentals, Objectives, and/or Tools might be the same in many phases and might differ slightly or completely in others.


However, there is a huge difference between what a Black-Hat hacker will do and what an Ethical Hacker will do, regardless of the model (old or proposed). For example, hackers have no boundaries on which systems to attack, on the time and duration of an attack, on funding, or on ethical values, and will use any available tool. They also do not inform other people about what they are doing or when they are doing it. They are not bound by any ethical value. Going back to the previous module, we will limit ourselves to a few tools that fit the above model. There are plenty of other tools within BackTrack, but we will not reference them in this Handbook if they fall outside the above model. Moreover, in the first phase, Anti-Reconnaissance will have a different set of tools that are not mentioned in either BackTrack or Kali Linux.

The above proposed model is not rigid, in the sense that we might do a few things in Anti-Reconnaissance/Reconnaissance, next do Vulnerability Assessment, then, based on the outcome of the Vulnerability Assessment, go back to Anti-Reconnaissance, then start Penetration Testing, and so forth. This is very important to remember and keep in mind. A security analyst, like a hacker, might jump back and forth between phases. She might gather information, afterwards do a vulnerability assessment, later go back to gathering information, and so forth with the other phases.

One last thing to mention: hackers’ techniques and tools might differ slightly from one type of system being hacked to another. For example, hacking a web server will differ in the tools used from hacking a wireless network or a wired network. However, they follow almost the same process to reach their goals. In each phase of this process, they have particular fundamentals and objectives and employ a set of tools to complete the phase, and usually the output of one tool in a particular phase is used as the input of another tool in the next phase.

2.5. LIMITATIONS OF MODEL USAGE (CONCLUSION):

The following are the limitations of the above model on Ethical Hackers:

- Limited time to complete your work and provide your report.
- Limited tools and methods to be used; not allowed to use botnets and rootkits.
- Limited scope; you cannot do everything on all systems.
- You need to be very cautious when doing your own test, whereas hackers do not care about any harm they might impose on the target.
- Limited by the experience of the Ethical Hackers doing the work.

One very important thing to mention is that the time needed to scan all hosts and all ports in a given enterprise will be so long that it renders the scanning process useless. An example of this is when an Ethical Hacker is scoping an organization with 1000 hosts and devices. He/she cannot scan all ports on all hosts. A scan of this type might take 6.5 years, assuming 1.5 seconds for each port (65,536 UDP and 65,536 TCP ports per host, which leads to an approximate total of 130 million ports). This means that a limited number of hosts and ports will be scanned. Careful selection needs to be made of what is to be scanned, and IT Director(s) should provide input on this topic rather than leaving it solely to the Ethical Hacker who is conducting the work. Another thing to keep in mind is that the tools mentioned in this Handbook might change. New tools will come out that prove better than old ones. Tools that are used today might not be useful tomorrow.


3. ANTI-RECONNAISSANCE AND RECONNAISSANCE:

We talked in the previous modules (two and three) about the phases to be followed by IT Director(s) in securing their infrastructure, and we modified the phases used by Ethical Hackers to better fit the needs of IT Director(s). In this module, we will talk about Anti-Reconnaissance, Reconnaissance, and other related concepts. The first step in Information Gathering (Reconnaissance) is to gather information from System Administrators, Network Administrators, and Application Administrators about:

- Subnets used internally and externally,
- Operating system flavors of all devices,
- Devices used,
- Network infrastructure,
- Etc.

The above is needed because Security Admins need to look for abnormalities and deviations from the existing setup. Then the Ethical Hacker (Pen-Tester) will do their own information gathering using their tools. All collected information should be documented, and deviations should be marked for further investigation.
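The reconciliation step described here, and the point made in module 2 that the analyst must find the devices the IT Department missed, can be carried out mechanically once both sides are in a comparable form. The following is an added example for this Handbook, not code from the report or from any tool it names: the inventory and the scan results are constructed sample data, and in practice the scan side would be parsed from a discovery tool's output and the inventory side from the department's own records.

```python
"""Asset reconciliation: compare the IT Department's inventory with what an
independent discovery scan found, and list the deviations to investigate.

Added example for this Handbook (not code from the report or any tool it
names). Both data sets below are constructed; in practice the scan side would
be parsed from a discovery tool's output and the inventory from the CMDB.
"""
from dataclasses import dataclass, field

# Constructed: what the IT Department says exists (per-host owner, OS, ports).
INVENTORY = {
    "10.0.1.10": {"owner": "web team", "os": "Ubuntu 12.04", "ports": {22, 80, 443}},
    "10.0.1.11": {"owner": "db team", "os": "Windows Server 2008", "ports": {1433, 3389}},
    "10.0.1.12": {"owner": "file team", "os": "Windows Server 2008", "ports": {445}},
}

# Constructed: what the analyst's own discovery scan reported.
SCAN = {
    "10.0.1.10": {"os": "Ubuntu 12.04", "ports": {22, 80, 443, 8080}},
    "10.0.1.11": {"os": "Windows Server 2008", "ports": {1433, 3389}},
    "10.0.1.13": {"os": "Linux 2.6", "ports": {22, 23}},   # not in the inventory
}


@dataclass
class Deviations:
    """Everything that differs between the inventory and the scan."""
    unknown_hosts: list = field(default_factory=list)          # seen, not inventoried
    missing_hosts: list = field(default_factory=list)          # inventoried, not seen
    unexpected_ports: dict = field(default_factory=dict)       # host -> ports not on record
    closed_expected_ports: dict = field(default_factory=dict)  # host -> recorded ports not open
    os_mismatch: dict = field(default_factory=dict)            # host -> (recorded, observed)

    def is_clean(self):
        return not (self.unknown_hosts or self.missing_hosts or self.unexpected_ports
                    or self.closed_expected_ports or self.os_mismatch)


def reconcile(inventory, scan):
    """Return the deviations between the recorded and the observed estate."""
    dev = Deviations()
    dev.unknown_hosts = sorted(set(scan) - set(inventory))
    dev.missing_hosts = sorted(set(inventory) - set(scan))
    for ip in sorted(set(inventory) & set(scan)):
        recorded, observed = inventory[ip], scan[ip]
        extra = observed["ports"] - recorded["ports"]
        gone = recorded["ports"] - observed["ports"]
        if extra:
            dev.unexpected_ports[ip] = sorted(extra)
        if gone:
            dev.closed_expected_ports[ip] = sorted(gone)
        if observed["os"] != recorded["os"]:
            dev.os_mismatch[ip] = (recorded["os"], observed["os"])
    return dev


def report(dev):
    """Render the deviations as lines an IT Director can act on."""
    lines = []
    for ip in dev.unknown_hosts:
        lines.append(f"INVESTIGATE unknown host {ip}: not in inventory, possibly illegitimate")
    for ip in dev.missing_hosts:
        lines.append(f"CHECK missing host {ip}: inventoried but not found by the scan")
    for ip, ports in dev.unexpected_ports.items():
        lines.append(f"INVESTIGATE {ip}: unexpected open ports {ports}")
    for ip, ports in dev.closed_expected_ports.items():
        lines.append(f"CHECK {ip}: recorded ports not open {ports}")
    for ip, (rec, obs) in dev.os_mismatch.items():
        lines.append(f"CHECK {ip}: inventory says {rec!r}, scan says {obs!r}")
    return lines or ["no deviations"]


if __name__ == "__main__":
    print("\n".join(report(reconcile(INVENTORY, SCAN))))
```

On the constructed data the report flags one host the department does not know about, one inventoried host that did not answer, and one extra listening port on a known host; each of those is a deviation to be documented and investigated, not silently accepted.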

3.1. RECONNAISSANCE (INFORMATION GATHERING):

Reconnaissance has different forms or areas of applicability. Some of these methods and areas are Internet footprinting, competitive intelligence, Whois, DNS, network and website footprinting, e-mail discovery, Google hacking, etc. The prime objective of the attacker is to gather information about devices, operating systems, and other details of the entity to be attacked. Ethical Hackers doing White-Box testing will have an easier job in terms of collecting information, since they are working to strengthen the security, and the information is given to them in advance. Hackers usually gather any type of information that might possibly help them in finding IP addresses, operating system flavors, network device brands and types, applications, databases, etc., from whatever source. However, both hackers and Security Analysts initially try to find two important pieces of information: IP addresses and open ports on these IP addresses. After that, both (hackers and analysts) start discovering the operating systems and the services running on these ports, then determine the rest of the information needed to exploit/secure an existing vulnerability.

3.1.1. RECONNAISSANCE OBJECTIVES: In the case of White-Box testing, Pen-Testers still need to verify the information they were given. Information Gathering by a White-Hat hacker does not require as much effort as when collected by Black-Hat hackers, who need to put in more time and effort. White-Hat hackers have the following objectives:

- Identify and verify existing hosts, network devices, and other system(s),
- Identify and verify that all installed applications are legitimate,
- Identify and verify system types, Operating Systems, and versions,
- Identify and verify open ports and which ports will be targeted,
- Identify and verify running services and corresponding applications,
- Passively social engineer information,
- Compare his/her findings to those gathered by internal IT staff,
- Document findings.

3.1.2. TOOLS USED IN RECONNAISSANCE: Some of the most widely used tools for information gathering by all kinds of hackers and by Security Analysts are DNSmap, Nmap, Zenmap (Windows version of Nmap), Metasploit, Armitage, Meterpreter, Maltego, hping3, Nessus, and many others. Metasploit is a multi-faceted tool that works with Armitage as its graphical interface. It is used for discovery, vulnerability assessment, Penetration Testing, and other purposes. It is one of many tools that are multifunctional. Tools used for scanning IP addresses and ports use various techniques to accomplish their port-scanning probes’ mission. The most-used attacks during the Information Gathering phase are: SYN Scan, TCP Connect Scan, TCP Half-Connect Scan, ACK Scan, FIN Scan, NULL Scan, Xmas Tree Scan, UDP Scan, ICMP Scan, and Fragmentation Attack [MD11], [JG08]. In this module, we will not go into any of these IP and port scanning techniques, because we assume they are familiar to the reader.

3.1.2.1. DNSmap: is a Domain Name System mapping tool that has the ability to discover all subdomains and related domains of a target domain.

3.1.2.2. Hping3: is a smart tool that is able to perform port scans, bypassing firewalls intelligently and without being detected by IDSs/IPSs. It can send custom packets at a specific target by manipulating the MTU, spoofing the source IP address, setting source ports, setting TTL values, fragmenting packets, sending packets with a bogus checksum, and many other things. It supports the main protocols: TCP, UDP, and ICMP. The latest version of Hping is version 3 (Hping3). Hping3 is available on *nix, Windows, and Mac OS. Hping2 was available on *nix only. DNSmap and Hping3 are free tools.

3.1.2.3. HTTrack: is a cross-platform free web-crawling tool to clone websites (http, https, and ftp). It allows the Ethical Hacker to look at the content of a website offline, browsing, analyzing, and editing what they have. Some hackers might use this tool to develop a fake phishing website (Social Engineering Attacks) to trap users into believing that it is a legitimate site. HTTrack is a command-line tool that has an easy menu-driven interface. Its Windows version is WinHTTrack.

3.1.2.4. Wget: is similar to HTTrack. However, it is included in scripts and cron jobs for mirroring websites. HTTrack has more features than Wget. Wget does not analyze captured data as HTTrack does.

3.1.2.5. Maltego: is an open-source information gathering, forensic, audit, and threat assessment tool. It has the ability to collect information from various sources and is used to launch Social Engineering Attacks based on the collected information. It gathers e-mail addresses, server names, etc., then associates gathered e-mail addresses and websites with a person, then verifies e-mail addresses, etc., then graphs the output. The power of the tool is in its ability to gather information about a domain, a company, and people. It uses open web resources to gather and then correlate information using a simple GUI. It has 75 transforms available free. The full version is a paid version. Maltego provides CaseFile as a sub-module to document all collected data in the information-gathering phase in one document by mapping relationships manually in a graphical format.

3.2. ANTI-RECONNAISSANCE

Anti-Reconnaissance is the process of discovering malicious attempts at scanning IP addresses and ports, and discovering the attack at its early stages. As we know, IP/port scanning, exploitation of a vulnerability, maintaining access, planting Trojans or backdoors, and clearing trails are the main steps in an intrusion. The IP and port scan is at the beginning of the whole process, and its detection and prevention is a successful defense mechanism [CY04], [JJ13].

3.2.1. FUNDAMENTALS OF ANTI-RECONNAISSANCE:

- Time: No time limit on when to start or complete this phase. The tools employed here to secure the infrastructure shall stay indefinitely and shall be maintained like any firewall, antivirus, or IDS system. Information gathering about malicious activities is a continuous process.
- Devices: No limit on the devices to be discovered and analyzed. Devices might be those facing the Internet in the DMZ, server-side, or client-side. We need to be selective about what ports to scan on devices. If the number of devices is small, then all ports can be scanned. However, if we have a large number of devices, then scanning all ports on all devices might take a couple of years. The decision on the above needs to be clear and based on the Risk Assessment output.
- Tools/Applications: The information gathering methods, software, and devices used should be defined. Active or passive methods should be defined also. The impact of the methods used on the systems should be considered.
- People: Parties involved throughout the process: Network Engineers, System Engineers, Application Administrators, Security Engineers, and Management approval on the scope, rules of engagement, and what needs to be done in the next phase.
- Report: Report Planning, Information Collection, Writing First Draft, Review and Finalize [MA10].

3.2.2. OBJECTIVES OF ANTI-RECONNAISSANCE: The following are the objectives of Anti-Reconnaissance:

- Educate corporate staff about social engineering attacks. This is the most important objective, because people are the weakest link.
- Hide, as much as possible, the corporate information that could be used by hacker(s).
- Misguide hackers by presenting false information.
- Discover attempts at malicious activities.
- Make information collection a more difficult task for hackers.
- Prevent attackers from reaching their goals.

3.2.3. TOOLS AND SOFTWARE: There are many methods to fight hackers’ Reconnaissance. The most familiar is the detective method, such as restricting routers, web servers, and other devices from responding to reconnaissance activities. In what follows, we will talk about the offensive method of fighting hackers’ Reconnaissance, the most important elements of which are the following: Deceptive Hiding, Active Detection Techniques, and Anti-Social Engineering.

3.2.3.1. Deceptive hiding: [BJ13] mentions in his article that the defender is at an advantage over the hacker, because the defender knows the environment better than the hacker does. This allows defenders to have superior defensive positions that will actively identify attackers after deceiving them in a field the defender knows better. These deceptive techniques are different from the traditional layers of defense known for the last three decades: firewall, intrusion detection (IDS), IPS, antivirus, etc. In the offensive approach, we do not wait for the incident to happen and then react. We prepare our infrastructure to win any battle with the attacker.

Decoy Services: Examples of Decoy Services are SpiderTrap and WebLabyrinth. These tools are designed to trap any web crawler in an infinite loop of useless webpages, instead of letting it gather information. This will alert the defender to web fingerprinting and information gathering [BJ13].

SpiderTrap acts like a small web server that is built of random links looping until either the hacker’s web-crawler tool or SpiderTrap is stopped. It is not available within Kali Linux but can be downloaded from sourceforge.net and installed free. It is written in Python 2. WebLabyrinth is similar to SpiderTrap in functionality, but it runs on the Apache web server rather than acting as a web server. Careful consideration is needed when using both tools, because you may not want to block Google or other search engines from crawling your web site. Another example of Decoy Services is installing additional packages (e.g. Oracle DB instances) that are not used for production on existing servers, to misguide the attacker and let him/her think that all these databases are production instances/services [BJ13]. However, this will add additional management tasks to the team and additional cost for space and licensing.

Darknets: Security Administrators usually use firewalls and IDSs to filter out traffic that is considered malicious and allow legitimate traffic only. A Darknet has a different approach, where sensors monitor and collect malicious traffic instead of dropping it. “A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. They are "dark" because there is, seemingly, nothing within these networks. All traffic entering a Darknet will be malicious to some extent, as nothing legitimate should be routed there. Traffic entering a Darknet typically comes from scans generated by automated tools and malware, looking for vulnerable ports with nefarious intent” [TC08]. This led toward the development of various devices and tools to monitor Darknets. Definitely, the size of the IP space and the location of the sensors on the network are two main factors in the collected traffic.
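The principle above, that anything arriving in the dark space is by definition reconnaissance, makes the sensor logic itself very simple; the value is in what is summarised from it. The block below is an added example, not code from the Handbook or from any Darknet monitoring product it refers to: the /25 prefix and the flow records are constructed, and a real sensor would read them from a flow collector or packet capture rather than from a string.

```python
"""Darknet sensor: classify constructed flow records by whether their
destination lies in a routed-but-empty prefix, then summarise who is probing
the dark space and which ports they are looking for.

Added example (not from the Handbook or any tool it cites). The darknet prefix
and the flow records are constructed; a real sensor would read them from a
NetFlow/pcap collector.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed: an allocated /25 in which nothing is deployed.
DARKNET = ipaddress.ip_network("203.0.113.128/25")

# Constructed flow records: timestamp, source, destination, protocol, dst port.
FLOW_LINES = """\
2014-03-01T10:00:01 198.51.100.7 203.0.113.140 tcp 445
2014-03-01T10:00:01 198.51.100.7 203.0.113.141 tcp 445
2014-03-01T10:00:02 198.51.100.7 203.0.113.142 tcp 445
2014-03-01T10:00:05 192.0.2.9 203.0.113.10 tcp 443
2014-03-01T10:00:07 198.51.100.20 203.0.113.200 udp 161
2014-03-01T10:00:09 198.51.100.7 203.0.113.143 tcp 22
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, proto, port)."""
    ts, src, dst, proto, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)


def is_darknet_hit(dst, darknet=DARKNET):
    """True when a packet was sent somewhere nothing legitimate should go."""
    return dst in darknet


def summarise(flow_text, darknet=DARKNET, sweep_min_targets=3):
    """Aggregate darknet hits: totals, per-source counts, ports sought, sweepers."""
    hits = 0
    by_source = Counter()
    ports = Counter()
    targets = defaultdict(set)          # source -> distinct dark addresses touched
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, proto, port = parse_flow(line)
        if not is_darknet_hit(dst, darknet):
            continue                    # traffic to live hosts is out of scope here
        hits += 1
        by_source[str(src)] += 1
        ports[f"{proto}/{port}"] += 1
        targets[str(src)].add(dst)
    # A source touching several dark addresses is sweeping the range, not mistyping one.
    sweepers = sorted(s for s, t in targets.items() if len(t) >= sweep_min_targets)
    return {"hits": hits, "by_source": by_source, "ports": ports, "sweepers": sweepers}


if __name__ == "__main__":
    s = summarise(FLOW_LINES)
    print(f"{s['hits']} packets into {DARKNET}")
    for src, n in s["by_source"].most_common():
        print(f"  {src}: {n} packets" + ("  <-- sweeping" if src in s["sweepers"] else ""))
    print("ports sought:", dict(s["ports"]))
```

The port counter is the part worth watching over time: a sudden rise in probes for one port across the dark space is an early warning that a new exploit for that service is circulating, which is exactly the kind of signal the text says Darknet monitoring was developed to give.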

HoneyTokens: HoneyTokens are pieces of data whose use indicates a possible intrusion [BJ13]. This piece of information could be an invalid credit card number, a user login, an e-mail address, and/or any piece of information that an attacker might be looking for. Use of this forged data, such as trying to log in with a fake username, indicates a possible attack.

Web Bugs: Web bugs are defined as “tracking devices embedded in web pages, executables or scripts that secretly monitor your activity on the web and send the information back to a 3rd party” [NS03]. These web bugs could be used to monitor an attacker’s activity. These bugs are analogous to bugs in any program, but these were intentionally written and left between the lines of code.

Web Server Anonymization: This activity is done by removing unnecessary HTTP headers and response data. ServerMask is a tool that can misguide hackers and intruders. This is not a free tool. Nevertheless, plenty of scripts that hide the server banner are available.
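The banner-hiding scripts the text refers to all reduce to the same two steps: find which response headers give away the software stack, and drop them before the response leaves the server. The following is an added example, not code from the Handbook and not ServerMask (a commercial product); the set of headers treated as fingerprinting, the sample response, and the WSGI wrapper used to apply the scrub are assumptions for the illustration.

```python
"""Audit and scrub HTTP response headers that reveal the server stack.

Added example (not code from the Handbook; ServerMask, which it names, is a
commercial product). The header names treated as fingerprinting, the sample
response and the WSGI wrapper are assumptions.
"""

# Headers that hand a scanner the software and version to look up weaknesses for.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-generator"}

# Constructed raw response, as a banner grab would see it.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 01 Mar 2014 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def audit(headers):
    """List the headers a defender should remove before they reach the Internet."""
    return [(n, v) for n, v in headers if n.lower() in FINGERPRINT_HEADERS]


def scrub(headers, generic_server=None):
    """Drop fingerprinting headers; optionally emit a bland Server value instead."""
    kept = [(n, v) for n, v in headers if n.lower() not in FINGERPRINT_HEADERS]
    if generic_server:
        kept.append(("Server", generic_server))
    return kept


def scrub_wsgi(app, generic_server=None):
    """Wrap any WSGI application so every response is scrubbed on the way out."""
    def wrapped(environ, start_response):
        def scrubbed_start(status, headers, exc_info=None):
            return start_response(status, scrub(headers, generic_server), exc_info)
        return app(environ, scrubbed_start)
    return wrapped


def demo_wsgi():
    """Run a tiny WSGI app through the wrapper; return what a client would see."""
    def app(environ, start_response):
        start_response("200 OK", [("Server", "nginx/1.4.6"), ("Content-Type", "text/plain")])
        return [b"ok"]
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(scrub_wsgi(app)({}, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    status, headers = parse_headers(RAW_RESPONSE)
    for name, value in audit(headers):
        print(f"leaks stack info: {name}: {value}")
    print("after scrub:", scrub(headers, generic_server="webserver"))
```

Running the audit against your own public servers, the way a scanner would, is a cheap recurring check; the scrub only delays identification of the stack, as the text says of port changes, so it complements patching rather than replacing it.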

Scanning Tools: [JM13] suggests changing ports’ default values to other specific numbers to invalidate the information returned by a scanning tool; e.g., FTP port 21 could be changed to another port number. Changing port numbers will force the attacker to spend more time discovering what exactly is running on a given device. In my opinion, this might definitely delay the attack on a system but will not prevent it. Also, it will add another duty for System and Network Administrators to manage this change.

Other Tools: Other tools that are part of the hackers’ arsenal are available to discover our systems. These tools, if used by our Security Analysts, will make our environment safer. Some of these tools are “Metagoofil”, “ExifTool”, and “Strings”. The output of these tools should be analyzed to eliminate any kind of data that might help hackers attack systems [JM13].

3.2.3.2. Active Detection Techniques: The purpose of “Active Detection Techniques” is to find the intruder before the target is compromised with an exploit. In other words, it is preferable to catch the attacker in the early phases of his attack (Reconnaissance, scanning, or finding a suitable exploit). As the attacker moves undetected from one phase to another, the risk becomes bigger and more difficult to detect. Catching the attacker early is the goal of employing active detection techniques.

SNORT is described in [SF13] as an open-source Network Intrusion Detection and Prevention tool used to discover malicious activity. SNORT does not have a user interface through which you can monitor the alerts and check the logs; SNORT has a primitive command-line interface, and you need to use another tool to do this. There are many tools listed on the www.snort.org web site that can be used to monitor and manage SNORT. BASE (Basic Analysis and Security Engine), ACID (Analysis Console for Intrusion Detection), and others are among the most popular tools that work as a front-end to SNORT.


Captured packets in SNORT are run against a set of rules configured by the Security Administrator. SNORT can be installed on Unix, Linux, Windows, and Mac OS. SNORT can sniff packets, log packets, and generate alerts based on pre-set rules. It consists of the following modules:

- Packet Decoder or sniffer,
- Preprocessors,
- Detection Engine,
- Logging and Alerting System, and
- Output module.

One of the most important features of SNORT is its ability to analyze packet traffic in real time. SNORT gives us the ability to see what is happening. SNORT analyzes the logs searching for possible intrusions or intrusion attempts. It is the most used IPS worldwide, as indicated on the SNORT website. A lot of literature has been written about SNORT, and many users contribute by writing new rules, plugins and applications that work with SNORT. It is freely available, and users can see what is going on inside the tool and tweak it to meet their needs. This option is not present in most commercial IDS/IPS applications. NetFlow is Cisco's commercial counterpart of SNORT.

TripWire is an integrity tool used to monitor, in real time, log manipulation and deletion and to alert about these actions. After installation, it scans system files and sets a baseline, against which later scans are compared whenever the tool is invoked. Unauthorized changes to system files are flagged as suspicious for further investigation. To benefit from TripWire, it should be installed on a clean system, and then the baseline is determined. Tripwire has the capacity to monitor services as well. Tripwire is now open source after having been a commercial tool. Tripwire is very similar to the AIDE (Advanced Intrusion Detection Environment) tool. AIDE checks integrity against a pre-captured image. Any changes to files are logged in a separate file and sent to the system administrator for verification. EnCase is a more powerful commercial utility that combines several functions in one application.
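The baseline-then-compare cycle that Tripwire and AIDE perform, written as an added example in Python (not code from the handbook or from either project); the directory tree, the file contents and the baseline location are constructed for the demonstration:

```python
"""Added example, not from the handbook or the Tripwire/AIDE projects: a
minimal file-integrity checker that works the way the text describes.
It builds a baseline of hashes from a (hopefully clean) system, stores it
outside the monitored tree, and later compares a fresh scan against it.
The directory tree and file contents below are constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot every file under root: relative path -> hash, size, mode bits.
    Mode bits are included so a permission change is caught even when the
    content is unchanged (e.g. a config file made world-writable)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            info = os.stat(full)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": info.st_size,
                "mode": info.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in a real deployment this file must live on
    read-only or offline media so an intruder cannot rewrite it."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Return added, removed and modified paths; every entry is a finding
    the administrator has to explain against the change log."""
    old_paths, new_paths = set(baseline), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as handle:
        handle.write(text)


def demo():
    """Constructed scenario: baseline a small 'etc' tree, then simulate
    changes nobody authorized and run the comparison."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        db = os.path.join(store, "baseline.json")   # kept outside the tree
        save_baseline(build_baseline(root), db)

        # Changes an administrator did not authorize: a second UID 0
        # account, a deleted hosts file and an unexpected cron entry.
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "etc/cron.d/unexpected",
               "* * * * * root /usr/local/bin/unknown\n")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```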

Nova (Network Obfuscation and Virtualized Anti-Reconnaissance System): is a cyber defense product (www.projectnova.org) built to defeat hackers' attempts to gain information about a given target [DS13]. Nova has a web interface to manage and monitor different honeypots from a single console. It works with Honeyd, which is an open-source project, and builds virtual honeypots on the unused address space. Ubuntu Linux is the recommended operating system on which to install Nova.


Honeypots: The traditional way of placing honeypots is outside the network, but Nova places honeypots on the inside and emulates hosts and services, and fools operating system fingerprinting. This defeats hackers' Nmap scanning and reveals attackers' attempts to gather information. “Honeypots, Honeynets, and padded cells are complementary technologies to IDS/IPS deployments. A honeypot is a trap for hackers. A honeypot is designed to distract hackers from real targets, detect new exploitations, and learn about the identity of hackers. A Honeynet is just a collection of Honeypots used to present an attacker an even more realistic attack environment. A padded cell is a system that waits for IDS to detect attackers and then transfers the attackers to a special host where they cannot do any damage to the production environment. While these are all extremely useful technologies, not many corporate environments deploy them. You usually see these deployed by educational institutions and security research firms. Generally corporate information security professionals are so busy securing their environment from attacks that they do not spend time researching attack patterns. As long as the attack doesn’t succeed, they are satisfied” [JS11].

3.2.3.3. Anti-Social Engineering: Social Engineering is a term that describes a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures [RE07]. Anti-Social Engineering is the process of discovering and defeating the act of “Social Engineering”. It is one of the most important defender's tools and is achieved through administrative policies and training. IT Director(s) should work on having continuous training programs about Anti-Social Engineering to change the behavior of staff so that they become cautious and security-aware.

Administrative policies: Administrative policies put a framework around how to deal with Social Engineering incidents. This is a major part that is missing from most organizations' security policies. Management in organizations emphasizes information security policies about passwords, anti-virus, and technical tools (Firewalls, IDSs, etc.) to protect their information, while forgetting about policies related to the most successful attack, “Social Engineering”. Social Engineering targets the weakest link within the security chain: “People”. By including such policies, we make the user's responsibility for protecting data a key factor instead of depending on Security Administrators only. The author of [JA14] emphasizes that one of the major keys to protecting your systems successfully lies in the area of security policy and the proper authority to enforce its implementation.

Awareness and Training: The second method to defend against Social Engineering attacks is through awareness and training. User awareness and knowledge of how attackers conduct social engineering will minimize the effect of this technique and help in minimizing the risk. This is very clear when the author of [EN07] emphasizes the need for user responsibility and awareness in controlling corporate or personal data through education and the presence of a set of policies to ensure privacy and security.


4. VULNERABILITY ASSESSMENT: Since we are assuming a White-Box testing setup for the systems, vulnerability scanning or assessment will be conducted. If network scanning was not completed during the previous phase (Anti-Reconnaissance/Reconnaissance), it should be conducted in this phase. Scanning could be part of either phase (Anti-Reconnaissance/Reconnaissance or Vulnerability Assessment). The output of the scanning tool is fed to the vulnerability assessment tool, or we can use one tool for both activities (scanning and vulnerability assessment). However, before discussing the fundamentals, objectives, and tools of vulnerability assessment, it is important to clarify the difference between Vulnerability Assessment (discussed in this module) and Penetration Testing (discussed in module 5), because many people within the security community and vendors of IT security products incorrectly use these terms interchangeably [PE13]. Vulnerability Assessment is the process of reviewing applications and systems for the presence of security issues, whereas Penetration Testing actually performs exploitation of specific vulnerabilities as a Proof of Concept (PoC) to demonstrate the presence of a security issue. Though Penetration Testing goes a step beyond Vulnerability Assessment by simulating hacker activity and delivering live payloads, it is conducted within a much more limited scope than that of any Vulnerability Assessment [PE13]. Penetration Testing uses the aggregated results of the previous two phases to determine which attacks will be successful.

4.1. VULNERABILITY ASSESSMENT FUNDAMENTALS

- Time: Start time and end time should be established. Planning the Vulnerability Assessment is very important to avoid scope creep in a rapidly changing environment.
- Devices: Specific ranges of IP addresses and particular hosts, systems, or applications shall be defined during scope preparation: Internet-side hosts or internal hosts, wired or wireless network devices.
- Methods: Vulnerability Assessment (Active or Passive) and Risk Assessment (Qualitative or Quantitative) methods shall be defined, together with which scanning techniques are acceptable and which are not allowed.
- Tools: The tools that will be used for the Vulnerability Assessment shall be specified.
- Notified parties: At least one person in the chain of the incident handling process needs to be notified. In case the assessment is detected by any defensive or offensive device planted in the network, a decision will be taken on whether to continue or stop the process. Other parties might be notified, such as System Administrators, Network Administrators, the ISP representative (if the assessment is conducted on the side facing the Internet), and/or the owners of the system.
- Initial Level of Access: This depends on the part of the network (Internet side, server side, or client side) being assessed. Assessing DMZ servers from the Internet side requires no special level of access. Similarly, evaluating a wireless network requires no initial level of access. On the other hand, assessing servers inside the perimeter will mandate, at least, authorization to plug a network cable into the LAN infrastructure. An IT Director might grant standard user access to the network to assess what a regular internal user might be able to hack.
- Risk Assessment of discovered vulnerabilities must be made. This is very important because it provides real value for the report generated during a Vulnerability Assessment. Without Risk Assessment, the report's value will be very low.
- Deliver a report based on the risk assessment done for the discovered vulnerabilities. Delivering a vulnerability report based only on the outcome of an automated tool is, most of the time, not enough without checking the associated risk. Furthermore, the contents of this report should make clear whether or not remediation for the vulnerabilities found is included.

4.2. OBJECTIVES OF VULNERABILITY ASSESSMENT:

The objectives of a Black-Hat hacker differ from those of a White-Hat hacker in the sense that a hacker is looking for a vulnerability to exploit, while an ethical hacker is looking for a vulnerability in order to close it and apply the necessary patches or measures. The objectives of a vulnerability assessment for an ethical hacker are as follows:

- Use given information (since it is a White-Hat hacking process), together with information gathered through probing, port scanning, social engineering, and other methods, to determine vulnerabilities in systems,
- Map vulnerable systems to asset owners (a Black-Hat hacker does not consider this goal),
- Evaluate targets for vulnerabilities and afterward for security risks by constructing an attack hierarchy or tree,
- Identify and prioritize vulnerable systems based on risk value and importance to the business,
- Document findings to work on eliminating, reducing and mitigating risk [JM13], [SD06].
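The risk assessment and owner mapping called for in the fundamentals (4.1) and the objectives (4.2) above, as an added Python example that is not part of the handbook; the asset inventory, the scanner findings and the scoring weights are constructed, and the severity classes follow the informational/note/warning/hole scheme the handbook attributes to Nessus:

```python
"""Added example, not from the handbook: a risk-ranked, owner-mapped
vulnerability report built from raw scanner output. Asset inventory,
findings and scoring weights are constructed for illustration."""
from collections import defaultdict

# Constructed asset inventory: the business context a scanner lacks
# (owner, importance 1..5, network zone).
ASSETS = {
    "10.0.1.10": {"name": "mail-gw", "owner": "Messaging team",
                  "importance": 5, "zone": "DMZ"},
    "10.0.1.20": {"name": "www-1", "owner": "Web team",
                  "importance": 4, "zone": "DMZ"},
    "10.0.2.30": {"name": "build-srv", "owner": "Dev team",
                  "importance": 2, "zone": "internal"},
}

# Constructed findings in the style of a Nessus/OpenVAS export; severity
# uses the informational/note/warning/hole classes mentioned in the text.
FINDINGS = [
    {"host": "10.0.1.10", "port": 25, "severity": "hole",
     "title": "Outdated SMTP service"},
    {"host": "10.0.1.10", "port": 443, "severity": "warning",
     "title": "Weak TLS cipher suites"},
    {"host": "10.0.1.20", "port": 80, "severity": "warning",
     "title": "Directory listing enabled"},
    {"host": "10.0.2.30", "port": 22, "severity": "informational",
     "title": "SSH version banner"},
    {"host": "10.0.2.30", "port": 8080, "severity": "hole",
     "title": "Default credentials on admin console"},
    {"host": "10.0.9.99", "port": 21, "severity": "hole",
     "title": "Anonymous FTP login"},          # host missing from inventory
]

SEVERITY_SCORE = {"informational": 0, "note": 1, "warning": 2, "hole": 4}
ZONE_EXPOSURE = {"DMZ": 2.0, "internal": 1.0}   # Internet-facing counts double


def score_finding(finding, asset):
    """Qualitative risk value = severity x business importance x exposure.
    A host that is not in the inventory is scored as if it were the most
    important and most exposed, so it cannot be silently ignored."""
    severity = SEVERITY_SCORE[finding["severity"]]
    if asset is None:
        return severity * 5 * max(ZONE_EXPOSURE.values())
    return severity * asset["importance"] * ZONE_EXPOSURE[asset["zone"]]


def build_report(findings, assets):
    """Attach owner and risk value to each finding, highest risk first.
    Unknown hosts are marked UNMAPPED so that someone is assigned to claim them."""
    rows = []
    for finding in findings:
        asset = assets.get(finding["host"])
        rows.append({
            "host": finding["host"],
            "asset": asset["name"] if asset else "unknown",
            "owner": asset["owner"] if asset else "UNMAPPED",
            "port": finding["port"],
            "title": finding["title"],
            "severity": finding["severity"],
            "risk": score_finding(finding, asset),
        })
    rows.sort(key=lambda r: (-r["risk"], r["host"], r["port"]))
    return rows


def by_owner(report):
    """Split the ranked report into one list per owner for distribution."""
    grouped = defaultdict(list)
    for row in report:
        grouped[row["owner"]].append(row)
    return dict(grouped)


def unmapped_hosts(report):
    """Hosts the inventory does not know about: a finding in themselves."""
    return sorted({row["host"] for row in report if row["owner"] == "UNMAPPED"})


if __name__ == "__main__":
    for row in build_report(FINDINGS, ASSETS):
        print(f'{row["risk"]:5.1f}  {row["host"]:<10} {row["owner"]:<15} '
              f'{row["severity"]:<13} {row["title"]}')
    print("unmapped:", unmapped_hosts(build_report(FINDINGS, ASSETS)))
```

With these constructed weights the “hole” on the low-importance internal build server ranks below the “warning” on the DMZ mail gateway, which is exactly the ordering a report based only on scanner severity would miss.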

4.3. VULNERABILITY SCANNING TOOLS:

In this module, we will discuss some of the most important tools for three main areas of an IT infrastructure: Wireless Networks, Wired Networks, and Web applications.

4.3.1. WIRELESS TOOLS

With the increase of Wireless Networks, the need arises to secure and audit these networks. Examples of Wireless Security applications are Aircrack, OmniPeek (Network Analyzer), Netstumbler, AirSnort, and Kismet.

4.3.1.1. Aircrack-ng (Aircrack Suite): “Aircrack-ng is a suite of tools for auditing wireless networks. The suite includes a network detector, a packet sniffer, a WEP/WPA cracker, and other useful tools” [MA09]. Aircrack is a free tool that works on Linux and Windows. It is a WEP and WPA/WPA-PSK (pre-shared key) cracking tool; it is faster than similar cracking tools. It is intended for the 802.11 protocol, as compared to Wireshark, which works with many protocols other than 802.11. From the Aircrack-ng suite, we will use the following programs:

- Airmon-ng: It is used to enable monitor mode on wireless card interfaces. It may also be used to shut down (stop) interfaces [WP13].
- Airodump-ng: this program will locate available wireless networks in the range of the wireless card used and will capture packets [WP13]. This program is similar to Ssidsniff, but it has the option to connect to a GPS device and locate APs on a map, while Ssidsniff does not have this option. Airodump-ng can be used for sniffing similarly to TCPdump and Tshark (the command line version of Wireshark). It has the option to store captured data in Pcap files for later analysis and processing.
- Aireplay: It is used to associate the attacking machine with the MAC address of the wireless device we are attacking. In other words, it attacks Access Points. Aireplay has several attack methods: Deauthentication, Fake authentication, Interactive packet replay, ARP request replay, KoreK Chopchop, Fragmentation, and Injection test [WP13].

4.3.1.2. Gerix: is an automated GUI for the Aircrack suite. It speeds up wireless cracking efforts by eliminating the manual typing of commands in a terminal window [WP13].

4.3.1.3. Fern WiFi Cracker: provides a GUI, similar to Gerix, for Aireplay-ng, Airodump-ng, and Aircrack-ng. Fern WiFi Cracker has built-in functionality that is not present in Gerix. It finds the type of encryption applied by Access Points, identifies weak encryption protocols such as WEP/WPA/WPS, and works on cracking them. Fern WiFi Cracker needs other tools to crack a key (Aircrack, Python Scapy, and Reaver). All these tools and Fern WiFi Cracker are preinstalled on Kali Linux and Backtrack.

4.3.1.4. Netstumbler/Vistumbler (Network Stumbler): Netstumbler is a well-known enumeration tool that can identify Access Points and determine their SSIDs. It runs on Windows XP and has a mini version. Both versions are free of charge, but no update has been made on its site since 2005. Its main purpose is to detect rogue Access Points. It does not have all the functionality of Kismet, but some users prefer it for its easy and simple GUI. Netstumbler, for example, does not sniff traffic, whereas Kismet does. Vistumbler is similar to Netstumbler but works on Windows Vista and 7 and supports GPS connectivity very easily. Netstumbler does not have these features.

4.3.1.5. Ettercap: is an open-source sniffing tool that supports DNS spoofing, fiddling with traffic, and Man in the Middle attacks. It can sniff live connections and display traffic based on applied filters. It can dissect ciphered protocols actively and passively. It can collect passwords. An attacker using Ettercap can initiate a Man in the Middle attack (MITM) by eavesdropping on all the packets transferred back and forth between the target machines. It works on UNIX, Linux, Windows, Mac OS and other operating systems and has a GUI menu.


4.3.2. NETWORK TOOLS

After discovering the network and knowing what is there, vulnerability assessment tools need to be used.

4.3.2.1. Nessus: It is an automated open-source tool to discover vulnerabilities in targeted systems. Nessus has a GUI version and can be launched from Metasploit (msfconsole). Nessus has a web interface from which configuration and scanning are carried out. Nessus is a server and client tool; the client controls the server's behavior. Nessus has a built-in port scanner similar to Nmap. After discovering open ports, Nessus determines the running service and compares it to a database of known vulnerabilities. Nessus has a number of methods of comparison: the first is against a set of enabled plugins (this is called a light scan); the second is against all applicable plugins available in the database; the third is based on a predefined policy; and the fourth is based on a user-defined policy. The Nessus server and client are available for UNIX, Linux and Windows OS. Nessus can scan a specific host, a set of hosts (an IP range), or a subnet. Sensors can be distributed in different areas within the organization (DMZ, inside the network, and different physical networks). Nessus uses different plugins depending on the device to be scanned. For example, the plugins used to discover Linux vulnerabilities are different from those used to discover vulnerabilities in Windows or network devices. Nessus has two licensing schemes: Home and Professional. The Home version is intended for personal use and cannot scan more than 16 IP addresses. The Professional version is for commercial usage and has more options than the Home version, such as unlimited concurrent connections. Nessus exports its findings into various file formats such as HTML, CSV, PDF and many other types. Nessus classifies vulnerabilities into informational, notes, warnings, and holes. Nessus offers URL links to external resources describing the discovered vulnerabilities. Nessus is well suited for large enterprises.

“Regardless of how commercial security providers apply Nessus to their business model, the vast majority of security-services’ firms use Nessus to some extent” [MC08]. Twenty-two security firms were listed in one of the CERT-in.org [CI12] reports, and all of them are using Nessus. “Nessus is a must-have in the security consultant’s cadre of tools” [MC08].

4.3.2.2. OpenVAS: is one of the vulnerability assessment tools that have a GUI interface (OpenVAS Desktop), and it can also be opened through its web interface. OpenVAS is a free, open-source tool. Just three security firms out of the twenty-two firms listed by cert-in.org [CI12] are using OpenVAS. Both Nessus and OpenVAS are available in Backtrack, Kali Linux, and other distributions, and have almost the same set of vulnerability checks. Both can check vulnerabilities in Windows and Linux hosts and network devices.


4.3.3. WEB APPLICATION VULNERABILITY ASSESSMENT TOOLS

4.3.3.1. ProxyStrike: is a web application proxy tool used to identify vulnerabilities in a given web application while it is being browsed by a client web browser such as Firefox or Internet Explorer. All traffic is passed through ProxyStrike after configuring the client web browser to use it as a proxy server. ProxyStrike can analyze the parameters in the background while surfing the targeted web application. ProxyStrike has the capacity to identify, intercept, and modify (delete or edit) requests initiated by the client browser. In addition, it has the option to crawl a web server application and identify SQL injection, SSL, or XSS vulnerabilities through its plugins. In the case of crawling a website, there is no need for a client browser: the crawl is launched from the ProxyStrike GUI, and all you need to do is enter the URL of the targeted web site. The results of a crawl can be exported to an HTML or XML file [JM13].

4.3.3.2. Vega: is another security-testing tool that has similar functions to ProxyStrike. However, Vega gives details about the discovered vulnerabilities and their possible impact. It also lists other domains associated with the main targeted domain.

4.3.3.3. Webshag: is a web server scanning tool that can do port scanning, URL scanning, web spider crawling, and file fuzzing. It works on multiple platforms and can audit web servers. It has both a command line interface and an easy-to-use graphical user interface. Webshag has an export option for the captured/generated data into XML, HTML, and TXT files. “Webshag: It is a multithreaded, multi-platform tool used to audit web servers. Webshag gathers commonly useful functionalities for web servers such as port scanning, URL scanning and file fuzzing. It can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (basic or digest)” [JM13], [SI14].

4.3.3.4. Websploit: It is an open-source project that has four major functions:

- Launch Social Engineering attacks,
- Scan, crawl, and analyze web sites,
- Automatic exploiter,
- Assist in conducting network attacks.

The above were a few of the tools used in Vulnerability Assessment. In the next module, we will talk about Penetration Testing and the tools used during this phase.


5. PENETRATION TESTING: Penetration Testing assesses the effectiveness of the security controls applied in an infrastructure. It does not improve security, as is evident from the steps followed here below. Pen-Testing evaluates security and does not improve it [JM13], [SD06]. It is recommended that IT Director(s) do Pen-Testing when they believe that they have strong security; otherwise it will be a waste of time and money. Vulnerability Assessment is conducted to improve security by closing discovered vulnerabilities, and should be conducted before Penetration Testing. Penetration Testing has three steps: Pre-Attack, Attack, and Post-Attack [ER11]. Others make it two steps: Exploitation and Post-Exploitation [MA13]. The Pre-Attack/Pre-Exploitation step is passive most of the time; the second and third are active attacks. However, for our proposed model, Pen-Testing includes the Exploitation step only. Pre- and Post-Exploitation, in our model, will not be discussed as part of Penetration Testing. Post-Exploitation will be replaced by the “Rectification Phase”.

5.1. PRE-EXPLOITATION/PRE-ATTACK: In this step, information is gathered about the target under consideration. Pre-Exploitation could be part of the Pen-Testing Phase or the Vulnerability Assessment Phase. If a vulnerability assessment was conducted, then this pre-exploitation step was completed in the vulnerability assessment. If no vulnerability assessment was made, or it was done but the pen-test will be conducted by a different party (outsourced), then pre-exploitation (data gathering and target evaluation) needs to be part of the Pen-Testing phase.

5.2. EXPLOITATION/ATTACK: Exploitation is probably one of the most fascinating parts of a penetration test for the Pen-Tester. The Pen-Tester should be very careful in selecting a vulnerability to exploit. He/she cannot be sure that the exploitation will succeed, but it should be highly probable. Firing a bunch of exploits blindly and hoping one of them will succeed is not efficient and might trigger specific events on the targeted system. This step is composed of three main activities: (1) Exploiting a Vulnerability, (2) “Escalating Privileges”, and (3) “Maintaining Access”. Exploiting a vulnerability is a successful step for all attackers, but it is not an end in itself. After exploiting vulnerabilities in the targeted system(s), attackers try to (1) “Escalate Privilege” and (2) “Maintain Access” on these systems using various techniques. Attackers do not want to run the same exploit every time they intend to access the system: it is time consuming, and there is a possibility that the vulnerability will be closed after some time by the system owner. For this reason, they try to escalate privilege and maintain access to the attacked system using different techniques [JB14].


5.3. POST-EXPLOITATION/POST-ATTACK: “The post exploitation phase begins after a system or more than one system is being compromised, but is not even close to being fully done yet” [MA13]. Post-exploitation is a critical part of any penetration test. A successful exploitation might only give limited access to resources on the targeted machine and will not be considered a successful step on its own. Post-Exploitation is about maintaining a foothold, creating a backdoor, and covering traces. [JB14] mentions several methods of “Post-Exploitation”, some of which are: Malware, Trojan Horses, Viruses, Worms, Keyloggers, Botnets, Backdoors, Colocation and Remote Communications Services, and Command and Control systems. Post-Exploitation will not be discussed for our model, since it is replaced by the “Rectification Phase”.

5.4. AREAS OF PENETRATION TESTING (EXPLOITATION): Penetration Testing could be executed in a single area, or in several areas, of the IT infrastructure under consideration. [ER11] lists the following areas of applicability for Pen-Testing: External network (Internet facing), Internal (DMZ, and behind the DMZ), Routers and Switches, Firewall, IDS, IPS, Wireless Network, Denial of Service (DoS), Password Cracking, Social Engineering, Stolen Laptop, PDA, Cell phone, Application, Physical security, Database, VoIP, VPN, War dialing, Virus and Trojan detection, Log Management, File Integrity checking, Bluetooth, Hand-held devices, Communication system, Email Security, Security patches, and Data leakage. Definitely, we can include more areas, but that depends on the infrastructure and systems owned by the organization. The purpose of the test will determine which of the above areas will be the starting point for determining the scope of the Pen-test.

5.5. PENETRATION TESTING FUNDAMENTALS:

- Time: Very limited time, and it will be less than that of a vulnerability assessment.
- Devices: Limited to specific users/accounts on specific devices, which were defined in the “Penetration Testing” Phase. Specifying user(s)/account(s) narrows the data that will be affected by gaining access.
- Testing methods: Is it going to be through social engineering, technical tools (e.g. password cracking), or physical exploitation?
- Tools: Multi-functional tools that were used in the vulnerability assessment might be used in this phase as long as they have the functionality to carry out the pen-test. The tools need to be defined based on the testing methods (password crackers, Social Engineering Toolkit, John the Ripper, Cain and Abel, etc.).
- Notified parties: At least one person in the chain of command of incident handling. The system owner is to be notified also. This mainly depends on what systems are tested and the type of exploit being conducted. If the test is conducted on the DMZ servers, the ISP representative needs to be notified. Sometimes, approvals need to be obtained from government bodies to conduct penetration testing, especially if you are doing it on the DMZ zone or the wireless network.
- Initial level of access: On wireless networks, no access is granted. In wired networks, at least physical access is granted.
- Definition of target space, by defining the business functions that will be targeted in the penetration test. This will be based on the Vulnerability Assessment report.
- Definition of how far the penetration test should go. Shall data be removed, shall services be stopped, and is it allowed to use this target as a source to attack other devices and discover more vulnerabilities or not? Do you want to add a user to the exploited system or tunnel a reverse shell back to your testing machine? And so on. We also need to define how far the “Gaining Access” test should go. For example, if an “Administrator” account of an operating system was compromised, then what data shall be targeted, and what services are to be stopped, if any? This depends on the details of what is being targeted. If the target is an SQL database, then after gaining access to the OS, the steps need to be defined on how to gain access to the data in the SQL DB or other application. All of this needs to be defined very well; otherwise the scope will grow without any control.
- Deliver a report. The contents of this report should make clear whether or not remediation for the problems discovered is included. If an exploitation succeeded, what are the steps to return to the previous state and then move the system to a secure state?

5.6. PENETRATION TESTING STEPS:

These steps constitute the Pen-Test if it is conducted separately. If it is conducted as part of our proposed model, then only the third step, “Exploitation”, is required.

5.6.1. RECONNAISSANCE/INFORMATION GATHERING: This step of Pen-Testing is different from the Anti-Reconnaissance/Reconnaissance phase mentioned in module 4. The information gathering in this step is narrowed to the scope defined for the Pen-Testing. Anti-Reconnaissance/Reconnaissance phase covers a larger scope. Part of the output from Anti-Reconnaissance/Reconnaissance could be used in the Pen-Testing to minimize the time needed to complete this step.

5.6.2. TARGET EVALUATION: Evaluating the target for vulnerabilities or weaknesses. Pen-tester may use the output from the Vulnerability Assessment phase as an input for his/her testing.

5.6.3. EXPLOITATION: This step is an active step and might result in undesired consequences if executed incorrectly. Usually, the Pen-Tester starts with a high-risk vulnerability, then works down as the risk decreases. Exploiting a vulnerability will initially give limited access to a system (or systems). To accomplish the goal of the Pen-Test, the next steps are “Escalate Privilege” and then “Maintain Access”. The following are sample parameters to be defined before the exploitation is carried out, as indicated by an example in [KI01]:

- Vulnerability Type: Loose Access Control
- Target: MS Exchange 2000
- Target Type: Enterprise Email system
- Versions affected: 2000
- Operating System: Windows Server 2000
- Description: by taking advantage of the specified flaw, the whole email system will be compromised
- Protocol: TCP, port 80

5.6.4. PRIVILEGE ESCALATION: This step follows the “Exploitation” step and includes actions such as cracking passwords and user accounts. “Privilege Escalation can include identifying and cracking passwords, user accounts, and unauthorized IT space. An example is achieving limited user access, identifying a shadow file containing administration login credentials, obtaining an administrator password through password cracking, and accessing internal application systems with administrator access rights” [JM13].

5.6.5. MAINTAINING ACCESS: This step is needed so that an attacker does not have to repeat all the previous steps again and again. From an IT Director's perspective, there is no need to maintain a foothold on the attacked system. There is one reason for an IT Director to permit this: to prove the success of the next phase (Rectification) and the ability of a Security Analyst to discover the presence of traces of exploitation. However, this mandates that the Pen-Tester is a different person from the one who will work on discovering backdoors and rootkits.

5.7. PENETRATION TESTING OBJECTIVES: The main objectives of this phase are:

- Test the effectiveness of the security controls placed to protect the business infrastructure,
- Provide management with assurance on security measures and controls,
- Satisfy audit requirements by conducting a Pen-Test,
- Link up the results of the Vulnerability Assessment phase and use the most critical ones to identify high-potential threats,
- Exploit vulnerabilities and achieve more focused results in a pre-defined time frame,
- Gain access to targets (servers, desktops, applications, etc.) by obtaining a foothold,
- Allow the Pen-Tester to run commands on the command shell of the remote targeted system to explore further what is inside. This is the most obvious outcome of a Pen-Test,
- Document your findings and propose a rollback scenario to the previous state and a solution to close the vulnerability, transferring the system to a secure state.

In [JM13] it is stated that the “Central Objective” of a penetration test is to exploit the inherent security weaknesses in the defined scope, regardless of which area of the infrastructure the weakness belongs to.


5.8. PENETRATION TOOLS

In this part, we will discuss the tools used in Penetration Testing for three major areas of any IT infrastructure. These areas are Wireless Network, Wired Network, and Web Applications.

5.8.1. WIRELESS TOOLS

In this section, many wireless tools are used. All these tools are free and form part of Backtrack and other distributions.

5.8.1.1. Wicd Network Manager: discovers the SSID, encryption type, Access Point MAC address, and channel number used for transmission. Using this tool allows us to check for the existence of any rogue Access Points or clients. This is achieved by comparing the list of legitimate Access Points given by the Network Administrator to the Pen-Tester with the list discovered by the tool. In a similar way, we can apply this to illegitimate clients. In addition, we can check the type of encryption configured on Access Points and advise if there are any Access Points that are using open authentication or weak encryption.
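The legitimate-list versus scanned-list comparison described above, as an added Python example (not Wicd's code or the handbook's); the administrator's list, the scan lines and every MAC address and SSID are constructed:

```python
"""Added example, not from the handbook or from Wicd: compare the network
administrator's list of legitimate access points against what a wireless
scanner reports, and flag rogue, misconfigured and weakly encrypted APs.
The authorised list, the scan lines and all MACs/SSIDs are constructed."""

# Supplied by the network administrator: BSSID (AP MAC) -> expected SSID
# and encryption. Lower-case MACs throughout so comparisons are exact.
AUTHORISED_APS = {
    "00:11:22:33:44:01": {"ssid": "CORP-WIFI", "encryption": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "CORP-WIFI", "encryption": "WPA2"},
    "00:11:22:33:44:03": {"ssid": "CORP-GUEST", "encryption": "WPA2"},
}

# What the text calls open authentication or weak encryption.
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed scanner output, one AP per line: SSID;encryption;BSSID;channel
# (the four fields the text says the tool discovers).
SCAN_OUTPUT = """\
CORP-WIFI;WPA2;00:11:22:33:44:01;1
CORP-WIFI;WPA2;00:11:22:33:44:02;6
CORP-WIFI;WPA2;DE:AD:BE:EF:00:01;6
CORP-WIFI;WEP;00:11:22:33:44:02;6
Printer-Setup;OPEN;aa:bb:cc:dd:ee:ff;11
"""


def parse_scan(text):
    """Turn the scanner lines into dicts; normalise case of MACs and ciphers."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, encryption, bssid, channel = line.split(";")
        aps.append({"ssid": ssid, "encryption": encryption.upper(),
                    "bssid": bssid.lower(), "channel": int(channel)})
    return aps


def audit_access_points(scan, authorised):
    """Classify each seen AP and return sorted BSSID lists per category.

    rogue_unknown    - BSSID not on the administrator's list
    rogue_corp_ssid  - unknown BSSID advertising one of our SSIDs
                       (deserves the fastest follow-up)
    mismatch         - known BSSID but SSID/encryption differ from the list
                       (misconfiguration, or something impersonating our BSSID)
    weak_encryption  - open or WEP, whoever owns it
    not_seen         - authorised AP that did not show up in the scan
    """
    corp_ssids = {ap["ssid"] for ap in authorised.values()}
    categories = ("rogue_unknown", "rogue_corp_ssid", "mismatch",
                  "weak_encryption", "not_seen")
    result = {name: set() for name in categories}
    for ap in scan:
        expected = authorised.get(ap["bssid"])
        if expected is None:
            if ap["ssid"] in corp_ssids:
                result["rogue_corp_ssid"].add(ap["bssid"])
            else:
                result["rogue_unknown"].add(ap["bssid"])
        elif (expected["ssid"] != ap["ssid"]
              or expected["encryption"] != ap["encryption"]):
            result["mismatch"].add(ap["bssid"])
        if ap["encryption"] in WEAK_ENCRYPTION:
            result["weak_encryption"].add(ap["bssid"])
    seen = {ap["bssid"] for ap in scan}
    result["not_seen"] = set(authorised) - seen
    return {name: sorted(bssids) for name, bssids in result.items()}


if __name__ == "__main__":
    for name, bssids in audit_access_points(parse_scan(SCAN_OUTPUT),
                                            AUTHORISED_APS).items():
        print(f"{name:<16} {', '.join(bssids) or '-'}")
```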

5.8.1.2. Ssidsniff tool: allows identification, classification and data capture of wireless networks. This tool also lists the machines that are connected to the Access Point [BT11].

5.8.1.3. Aircrack-ng: this tool was discussed in the Vulnerability Assessment module. It is multi-functional and can be used in Vulnerability Assessment as well as Penetration Testing.

5.8.1.4. CoWPAtty: is a tool that cracks a WPA-PSK passphrase offline using a dictionary file. The tool is easy to use and does not require capturing anything except the Extensible Authentication Protocol over LAN (EAPOL) handshake packets. CoWPAtty and Aircrack-ng both use a dictionary method when cracking WPA/WPA2 pre-shared keys [KL13].

5.8.1.5. Kismet: is a wireless network detector, sniffer, and intrusion detection system. The differentiator of Kismet is its ability to discover hidden Access Points as long as there is at least one client connected to the Access Point. Kismet provides a wealth of information about each discovered AP, such as the BSSID, channel used, signal strength, encryption scheme, IP range, supported rates, and the wireless clients connected to it. It works at 802.11 layer 2. As a WIDS, it can work with Snort. It can also use multiple interfaces to collect information from several devices that are using different channels. Kismet determines what kind of authentication is employed by the Access Point; the captured data can then be processed by Aircrack-ng or similar applications to crack the key. It works on *BSD, Linux, Windows, and OS X. Kismet has three components: Server, Drones, and Clients. The Server component is the central location that connects to drones and clients; it can also capture wireless traffic itself. Drones capture wireless traffic and report it to the Server. Clients are the GUI components that connect to the server. Kismet has built-in features to detect many well-known attacks (deauthentication flood, disassociation attacks, etc.) similar to those launched by Netstumbler and other tools. Also, Kismet has a GPSMap program that plots Access Point locations on a map using a GPS device [BT11], [KL13].

5.8.1.6. Wireshark: is an open-source multi-purpose network packet analyzer that captures packets over a network and can present them, after processing, in an understandable format. It was previously named Ethereal. It can be used under many different conditions and has plenty of functionality: in network architecture and troubleshooting, and in systems and security administration. It has options to filter packets both while capturing and while displaying. It can analyze live traffic and immediately present results about the protocols used, media flows, communication channels, and much else. It can analyze collected data and provide insight into what is happening on the network. Wireshark helps Security Staff analyze data and look for things that might not have been discovered through IDS/IPS; one of these uses is discovering malicious behavior. In addition, Wireshark has the capacity to inject packets and to interpret captured traffic by applying either "capture" or "display" filters and gathering the stream of packets belonging to the same connection. The "capture" filter syntax of Wireshark is the same as that of TCPdump. However, Wireshark supports more than 750 protocols and runs on over 20 different OS platforms. It can reassemble the packets of established TCP connections and display them in ASCII and other readable formats. Wireshark has a graphical interface that makes data analysis much easier than with TCPdump/Windump. Tshark is the command-line version of Wireshark. "It is the best open-source network analyzer available" [AO07].

5.8.2. WEB APPLICATION TOOLS

5.8.2.1. OWASP-ZAP: is a simple security testing tool that can be used as a proxy server intercepting traffic (HTTP and HTTPS) between a client web browser and a web server application. It can be used as a Vulnerability Assessment tool (using a spider crawl method) and as a Penetration Testing tool. The tool has the option to authenticate to a website before testing. It can also export the results to HTML, XML, and other file formats. ZAP has the options of running both active and passive scanners against the targeted web site.

5.8.2.2. SET (Social Engineering Toolkit): is used to get information from people in order to launch an attack. It is an open-source framework that includes a set of exploitation and testing tools that trap a user into running a script on his/her machine, which leads to malicious activity such as granting access to a hacker or Pen-Tester. The use of SET involves running other tools such as HTTrack, Metasploit, Meterpreter, Wireshark, Airodump-ng, Ettercap, Sendmail, and many others. Metasploit is required for the proper functioning of SET. SET has the option to load different attack vectors (10 attack vectors), including an option to load third-party attack vectors. Each attack vector utilizes multiple attacks, and each attack has several payloads. The Pen-Tester selects from these payloads to launch an attack. SET has a very easy CLI with a menu-driven interface and a GUI that runs through a browser. SET is a very powerful toolset that works on multiple platforms. SET is written in Python, and its browser version can be served by any open-source HTTP server.

5.8.2.3. w3af: "w3af (Web Application Attack and Audit Framework) is an open-source web application security scanner and exploitation tool" [JM13]. It is a powerful tool for scanning and exploiting web resources. It provides an easy-to-use graphical user interface that allows, through profiles (OWASP TOP10), a quick and easy search for the top ten security flaws, including but not limited to SQL injection, XSS, file includes, and cross-site request forgery. It works on Windows, Linux, and Mac OS [JM13].

5.8.3. NETWORK/HOST TOOLS

5.8.3.1. Nmap/Zenmap: Zenmap is the graphical interface of Nmap. It offers most of Nmap's features but with a graphical representation. Nmap/Zenmap detects applications running on different systems and has Operating System fingerprinting capabilities. Zenmap performs Intense Scan, Ping Scan, Quick Scan, Regular Scan, Full Scan, etc. Also, an Ethical Hacker can create a profile for each scan and save that profile for later use. Zenmap output can be exported to text, Excel files, CSV, and other formats. Zenmap also allows exporting graphics to other applications, which is very useful in report preparation.

5.8.3.2. Metasploit: is used as a legitimate Penetration Testing tool, and as a hacking tool used by attackers to conduct unauthorized exploitation of systems [JM13]. It has all the tools used by penetration testers and hackers, from "Gathering Information" through "Covering Traces". The Metasploit framework is one of the most popular exploit frameworks; it contains tools for developing, testing, and using exploit code to launch attacks. It is one of the most useful free and open-source tools for Penetration Testers. It has the largest database of tested exploits, written in the Ruby language. It has a standardized syntax for writing exploits and provides dynamic shellcode abilities such as bind shell, reverse shell, download, execute, and many others. It has a number of built-in port scanning capabilities and can be integrated with third-party tools to enhance the port scanning process. The Metasploit architecture is based on Modules, Libraries, Interfaces, Tools, and Plugins. It can be configured with a MySQL or PostgreSQL database to store results. The Metasploit Console (MSFCONSOLE) is used to manage the Metasploit database and open sessions to the targets. It is also used to launch and configure Metasploit modules and to obtain the Pen-Tester's connection to the target. Meterpreter, on the other hand, launches the actual payload and exploit process. Nmap is integrated with Metasploit and can be launched from Msfconsole. Auxiliary modules (e.g. SYN Port Scanner, etc.) can be started from Msfconsole to launch a port scan. Metasploit works on Windows and Linux. When working with Metasploit you need to understand the following terminology:

- Vulnerability: is a weakness in a system that allows an attacker to compromise it.
- Exploit: is the process by which an attacker takes advantage of a bug in a target system. It is a small program or set of commands that will cause unintended behavior in a system. Metasploit version 4 has more than 700 exploits.
- Payload: is code (shellcode) that will run on the targeted system, used by an attacker to achieve the desired outcome. Metasploit version 4 has more than 250 payloads.
- Module: is a program or piece of software that can be used by the Metasploit framework. Each module in Metasploit performs a specific task. There are more than 350 different auxiliary modules in the Metasploit framework. Auxiliary modules give power to the Metasploit Framework.

5.8.3.3. Meterpreter: is a powerful post-exploitation tool provided by Metasploit. It is an advanced multi-function payload that works within the Metasploit Framework. It works like any command interpreter but from within an exploited process, and it does not create any new process. Two powerful and useful commands within Meterpreter are "Privilege Escalation" and "Process Migration". The first is used to escalate the rights of the created user on the targeted machine, while the second is used to migrate from one process to another without writing to the disk. A third useful functionality for Pen-Testers is the availability of scripts in Meterpreter that establish persistent connections to backdoors. Another feature in Meterpreter, called "Pivoting", allows a Pen-Tester to launch attacks from a compromised machine against other machines in the network. Metasploit/Meterpreter are used from within the Social Engineering Toolkit (SET) to gain access to a target machine.

5.8.3.4. Armitage: is an interactive GUI that is part of Metasploit. It makes using Metasploit easier by displaying information graphically, and it allows a Pen-Tester to see more than one Metasploit or Meterpreter session on different tabs in its GUI. It can display its pre-configured modules, with the ability to search for a specific module if it is installed. It also displays active targets that were exploited.

5.8.3.5. NeXpose: is a vulnerability scanner that can be used standalone through its GUI version, or launched from the Metasploit Console (Msfconsole). When using the GUI version of NeXpose, results can be imported into the Metasploit database.

5.8.3.6. Nessus: please refer to the Tools in the Vulnerability Assessment module.

5.8.3.7. Core Impact: is the commercial counterpart of Metasploit. It is an automated, comprehensive commercial penetration testing tool that has the capacity to assess the effectiveness of security investments by safely exploiting vulnerabilities in a given network infrastructure. It is a complex and powerful tool with features that do not exist in Metasploit. It has a well-developed GUI with hundreds of options.


5.9. CHALLENGES OF PENETRATION TESTING:

The following are challenges for Pen-Testers:

- Hiring skilled and experienced professionals to carry out the test. Tools and software do not replace experienced security professionals.
- Choosing a suitable set of tests to conduct.
- Proper planning is a key success factor.
- Deciding what is to be tested:
  - It is not feasible to test everything.
  - External testing from the Internet side (outside of the company) does not simulate internal hackers.
  - On-site testing does not simulate external hackers.
  - Announced testing versus unannounced testing.
  - White-Box testing provides Pen-Testers with the following: company infrastructure details, network design, IP addresses for internal and external subnets, firewalls, IDS/IPS details, and company security policies and procedures. For some Security Experts, this does not simulate the hackers' method.

5.10. FINAL STEPS AFTER PENETRATION TESTING COMPLETION:

- Restore the systems to their pre-test state
- Remove all files, tools, exploits, and programs that were loaded onto the target
- Clean Registry entries
- Remove vulnerabilities created during the test
- Close exploited vulnerabilities
- Restore the system to a secure state (pre-test state + closing holes)
- Document and analyze the results

Finally, and as a word of caution, a Pen-Tester should under no circumstances work beyond or outside the scope of work and rules of engagement that were agreed upon with the management of the company. Violating this principle will make the Pen-Tester appear as an attacker in the eyes of law enforcement agencies, and will give the company the right to sue him/her for violating the scope of work and rules of engagement.

The reason for IT Director(s) to skip rootkit and backdoor installation is mentioned indirectly in [PE13]. The author explains this as, "once a rootkit has been installed, it can be very difficult to remove, or at least to remove completely. Sometimes, rootkit removal requires you to boot your machine into an alternate operating system and mount your original hard drive. By booting your machine to an alternate operating system or mounting the drive to another machine, you can scan the drive more thoroughly. Because the original operating system will not be running and your scanner will not be using API calls from an infected system, it is more likely you will be able to discover and remove the rootkit. Even with all of this, oftentimes your best bet is to simply wipe the system, including a full format, and start over" [PE13].


6. RECTIFICATION:

The objectives of "Covering Tracks/Maintaining Access", as stated in most of the literature on hacking of all colors (black and white), are as follows: "The following is a list of goals for maintaining a foothold:

- Establish multiple access methods to target network
- Remove evidence of authorized access
- Repair systems impacted by exploitation
- Inject false data if needed
- Hide communication methods through encryption and other means
- Document findings" [JM13].

However, there is no need for IT Director(s) to erase traces and plant backdoors. In my opinion, the IT Director's goals do not match any of the above objectives. For this reason, the "Covering Tracks/Maintaining Access" phase was replaced by a "Rectification" phase, which meets the IT Director(s)' requirements and their need to improve security.

6.1. RECTIFICATION PHASE

This phase is divided into three parts: (1) rectification of an un-exploited vulnerability by installing patches and changing configurations, (2) rectification of an exploited vulnerability where an attacker has gained access, and (3) searching for possible traces of an attack. The first is very well known to most IT Director(s), and System and Network Administrators know exactly what to do about it. The second and third parts are much more demanding and require a different set of tools; the third part is the most challenging of the three, and it is the one we will focus on. [ER11] asks the following question in one of his trainings: "How do you get rid of something you do not know if you already have?" The answer to this question is not simple and requires a lot of research and innovative thinking, but we will scratch the surface of it in this module.

In this phase, IT Director(s) should employ various Forensic tools to discover any planted malware, rootkits, or traces left by a hacker, spyware, or viruses. There are many open-source Forensic tools, but only a few of them will be useful to IT Director(s) in this phase. [JM13] mentions that "Forensics is important after identifying that your web application or other assets have been compromised, to avoid future negative impact", and this statement is in accordance with our suggestion to use Forensic tools to find traces of hackers. However, the challenge is where to look for these traces and what to collect. In our scenario, we do not have a known victim machine, but we suspect the presence of a rootkit, backdoor, or suspicious behavior on a system, or we want to keep our staff alert by assuming a hacker was able to plant a backdoor. What we will talk about is what an IT Director needs to do, and not about a real incident that needs investigation, because the latter involves specialized people who are recognized before a court of law as experts in the domain. In other words, it is not an investigation of an attack, but a search for possible traces, backdoors, or rootkits in an environment. However, the use of Forensic tools on all hosts will be tedious, especially in enterprise organizations that might have thousands of hosts. Doing it randomly will not be very efficient either. So how can we decide on which hosts to run these tools? First, these tools shall be used on suspected machines. The suspected machines will be determined based on the findings of two phases from our proposed model: the Anti-Reconnaissance and the Vulnerability Assessment phases. For example, one of the solutions mentioned in the Anti-Reconnaissance Phase may have recorded traces of a host being scanned for open ports by a suspect machine. Another example is a host scanned by a Security Analyst on which an unknown open port was found. These two hosts constitute two valid cases for investigation with the tools described in this module. They are considered suspected machines and might indicate the presence of rootkits, backdoors, traces of a hacker, etc.

6.2. RECTIFICATION FUNDAMENTALS:

The following are the fundamentals that will be followed in this phase:

- Duration: no limited duration. It is a continuous process. However, it gets feedback from the Anti-Reconnaissance and Vulnerability Assessment tools.
- Devices: it will be limited to the devices indicated by the Anti-Reconnaissance and Vulnerability Assessment tools.
- Methods: Rectification shall not violate any internal policy.
- Notified parties: system owners, Incident Handling team, and System, Application, and Network Admins.
- Level of access: equivalent to root and Administrator. They need full access, like a Forensic investigator, in order to examine the findings.
- Delivery of a final report for this phase and all other phases, concluding with recommendations. Feedback to the Anti-Reconnaissance tools' users for any configuration changes needed to eliminate false positives.

6.3. OBJECTIVES/GOALS OF RECTIFICATION:

Goals and objectives from the IT Director(s)' angle are as follows:

- Minimize data loss if intruder traces are detected,
- Capture information and traces about intruders, if any,
- Evaluate the risk value of any traces of infected systems and/or data leaked or compromised, and invoke the Incident Handling procedure,
- Prevent any possibility of privilege escalation,
- Remove backdoors or rootkits, if any,
- Repair infected systems, if any,
- Document findings.

6.4. TYPES OF ANALYSIS TO BE CONDUCTED

There are several areas to examine and check in order to discover traces of malicious activity. Below are the most important areas for a Security Analyst to analyze, followed by the tools that can be used in these areas:

- File Analysis
- Executable file or service Analysis
- Resident Data Analysis
- Rootkit detection
- Log File manipulation
- Registry Analysis

There are other areas to analyze (e.g. memory), but those are handled by Forensic investigators, require very specialized skills, and will not be covered in our project.

6.5. RECTIFICATION TOOLS:

6.5.1. TCPDUMP/WINDUMP

TCPdump and its Windows counterpart Windump are free, simple command-line tools. TCPdump/Windump are passive packet capturing tools that neither have the capacity to alter traffic on the network nor interpret what they capture. TCPdump/Windump serve as a starting point for non-experts to learn about the more advanced tool Wireshark; TCPdump offers a subset of Wireshark's functionality. TCPdump is available in Backtrack and Kali Linux, in addition to other *nix and Windows operating systems.

6.5.2. WIRESHARK

Please refer to the Penetration Testing Module for a complete description of the tool.

6.5.3. CHKROOTKIT

This tool is considered an anti-virus or anti-malware for Linux systems [JM13]. Chkrootkit scans the file system and checks whether a rootkit has been installed, or for any signs that indicate the presence of a rootkit. In addition, it checks for malware and Trojans on a suspected host. Chkrootkit is a command-line tool. You cannot rely 100% on Chkrootkit to discover rootkits, but it usually points to possible problems. Using other scanners like MD5deep along with chkrootkit is a better solution. Both could be classified as HIDS, because they scan a host to check for signs of un-customized public rootkits based on signatures and processes. One thing that chkrootkit can do for sure is discover whether an installed Kali Linux or Backtrack version is infected or not. Chkrootkit is available in Kali Linux and other distributions.

6.5.4. MD5DEEP

MD5Deep is a tool that computes hashes and message digests for one or more files. This helps security analysts identify changes that happened to system files and executables. A package can be queried to check whether any of its binaries were changed. In addition, it has the option to scan a directory of files and generate an MD5 signature for each file. The drawback of this tool is that it does not have a GUI. Though it is CLI-based, it is simple to use. SHA/MD5 is similar to MD5Deep, but it has a GUI that is easy to use.
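The baseline-and-compare use of file hashes described above (and the hash comparison mentioned under The Sleuth Kit), as an added Python example that is not part of the handbook, md5deep or TSK. The directory layout and file contents are constructed inside a temporary directory; SHA-256 is used instead of MD5 because MD5 collisions can be constructed deliberately, but the procedure is the same.

```python
"""Baseline-and-compare file integrity check (added example).

Hash every regular file under a directory, store the manifest, and later
compare a fresh manifest against it to list modified, added and removed files.
The sample tree built by demo() is constructed, not taken from a real system.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each regular file (path relative to root, '/'-separated) to its digest.

    Symlinks are skipped so that a link pointing outside root is not followed.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    # Keep the baseline off the examined host (read-only media or a central
    # server): an intruder with root on the host can rewrite a local baseline.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of modified, added and removed relative paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "target")

        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Clean state (constructed stand-ins for system binaries and a config).
        write("bin/ls", b"original ls binary")
        write("bin/ps", b"original ps binary")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline_path = os.path.join(tmp, "baseline.json")   # outside root
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: a replaced binary, a new hidden file, a deleted tool.
        write("bin/ls", b"replaced ls binary")
        write("tmp/.hidden", b"unexpected file")
        os.remove(os.path.join(root, "bin", "ps"))

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```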

6.5.5. ROOTKIT REVEALER

RootkitRevealer is a great free option that can detect hidden registry keys, hidden files, and rootkits. F-Secure's Blacklight is another free option, but not as efficient as RootkitRevealer. Both run on the Windows Operating System. "Tools like Rootkit Revealer, Vice, and F-Secure's Blacklight are some great free options for revealing the presence of hidden files and rootkits" [PE13].

6.5.6. TSK (THE SLEUTH KIT)

TSK is an open-source, simple command-line tool that can look at a specific disk, file information, raw files, and their metadata, and analyze these findings. Autopsy is the graphical version of The Sleuth Kit. The analysis shows when files were modified, accessed, and changed, which makes analysis easier. Hash values can also be compared to check whether any system file or application code was changed. Autopsy is an open-source tool that runs on Windows, Linux, UNIX, and Mac operating systems. It can analyze NTFS, FAT, HFS+, Ext3, UFS, and many other volume types. The Autopsy browser is part of TSK (The Sleuth Kit) (http://www.sleuthkit.org/autopsy/download.php) and is used to analyze hard disk images. This tool allows you to open various types of images at the same time, showing different views of the data in its web browser. With this tool, you can recover deleted files and directories for further investigation. Recovery of deleted files/directories might lead to an attacker who was able to delete log files or other files used in the attack process to cover attack traces. It also has the option to extract history, cookies, and bookmarks from several browsers (Firefox, Chrome, Safari, and Internet Explorer). It runs the commands and shows the results in a web browser. Autopsy can be used with other forensic tools. The Autopsy browser makes TSK easier to use, but it is rated as poor and limited when compared to commercial tools like EnCase and FTK.

6.5.7. FATBACK

FatBack is a *nix tool for recovering data from a problematic (damaged) source on FAT file systems. It searches for data on a target based on its content. It works with single partitions or whole disks. Its strength is the ability to search for any malicious program or deleted logs that were present on the target and deleted to cover the attacker's traces.

6.5.8. NIKTO

Nikto is a web-server vulnerability scanner. "After running a port scan and discovering a service running on port 80 or port 443, one of the first tools that should be used to evaluate the service is Nikto. Nikto automates the process of scanning web servers for out-of-date and unpatched software as well as searching for dangerous files and scripts that may be placed on web servers. Nikto is capable of identifying a wide range of specific issues and checks the server for misconfiguration" [PE13]. Nikto has many advantages: it is very fast, and it bases its scans on plug-ins that can be updated manually by security experts. It updates its database with a simple command. It supports Nmap output as input for its scan. Multiple targets can be listed in a file to be scanned simultaneously. It supports proxies and SSL (HTTPS). It is very simple to use and free. Nikto has several limitations. It does not accept IP addresses as input. It does not support Digest or NTLM authentication, although it does support NTLM through an installed authorization proxy server. Since it is very fast, it will be detected by IDSs and might crash the server if the server is not able to handle the load. It is available on Linux and Windows.


7. CONCLUSION:

The main goal of the project, initially, was to discuss which of the security tools used by hackers and security consultants an IT Director(s) can use. But during the development of the project, I found that developing a model to be followed by IT Director(s) in securing their environments, and describing the most used free tools, would be more useful than summarizing text about tools and their features. The model developed above is not a completely new one, but rather a customization of a methodology used by hackers and Security Analysts. I took the IT Director(s)' requirements to secure the infrastructure he/she is managing and customized the hackers' methodology to do the same. There are many studies, books, and articles describing how hackers, in all colors, conduct their work. However, very little of the literature considers this from an IT Director's perspective. For example, Reconnaissance, Escalation of Privileges, and Creation of Backdoors are very well known topics in this field. But Anti-Reconnaissance, Attacker's Traces Discovery, and Rectification are rarely discussed. The traditional method for IT Director(s) is Defensive, while the proposed model is Offensive. I discussed each phase of the proposed model separately, and proposed several security tools or methodologies to be used in each phase. In each phase of the model, I limited my work to three major areas that are available in almost every environment. These areas are Wireless Networks, Wired Networks, and Web Applications. However, there are still many areas that could be addressed, such as Databases, VOIP, PCI/DSS, RFID, SCADA, and many others. Moreover, it is not intended in this Handbook that the listed tools be used exclusively and other tools and techniques forgotten. It would be foolish to do so. Every environment has its own unique parameters, and the IT Director(s) will need to use this as a guide and not as a step-by-step process.

The above is a summary of what can be done, and alerts IT Director(s) not to be traditional in protecting his/her IT environment.


BIBLIOGRAPHY

[AO07] Angela Orebaugh, Gilbert Ramirez, Josh Burke, Greg Morris, Larry Pesce, Joshua Wright, Wireshark & Ethereal Network Protocol Analyzer Toolkit, Syngress, MA, USA, 2007
[BJ13] Benjamin Jackson, Home Field Advantage: Employing Active Detection Techniques, SANS Institute, SANS Penetration Testing, 2013
[BT11] BackTrack R5, http://www.backtrack-linux.org/wiki/index.php/Main_Page
[CA12] Cory Altheide and Harlan Carvey, Digital Forensics with Open Source Tools, first edition, Syngress, Waltham, MA, USA, 2012
[CI12] Computer Emergency Response Team-India (CERT-In), Empanelled Information Security Auditing Organisations, 2012, www.cert-in.org.in/PDF/emprognew.pdf
[CY04] Chunmei Yin, Mingchu Li, Jianbo Ma, Jizhou Sun, Department of Computer Science and Technology, Tianjin University, Electrical and Computer Engineering, 2004 Canadian Conference (Volume 2), Canada, 2004, pp. 1107-1110
[DF93] Dan Farmer and Wietse Venema, "Improving the Security of Your Site by Breaking Into It", Sun Microsystems, Eindhoven University of Technology, 1993, http://www.dcs.ed.ac.uk/home/rah/Resources/Security/admin_guide_to_cracking.pdf
[DS13] Nova, Network Obfuscation and Virtualized Anti-Reconnaissance System, DataSoft, http://www.datasoft.com, Tempe, AZ, USA, 2013
[EN07] Enkhbold Nyamsuren, Ho-Jin Choi, Preventing Social Engineering in Ubiquitous Environment, Future Generation Communication and Networking (FGCN 2007), Volume 2, 2007, pp. 573-577
[ER11] Eric Reed, EC-Council Certified Ethical Hacker v.7 Study Guide, Career Academy, http://www.careeracademy.com/, 2011
[ES07] Eric Seagren, Secure Your Network for Free: Using Nmap, Wireshark, Snort, Nessus, and MRTG, Syngress Publishing, Rockland, MA, USA, 2007
[FP13] Fedora Project, 2013, https://fedorahosted.org/security-spin/wiki/availableApps
[JG08] Jayant Gadge, Anish Anand Patil, Port Scan Detection, Networks, ICON 2008, 16th IEEE International Conference, New Delhi, 2008, pp. 1-6
[JA14] Jason Andress, Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, 2nd edition, Syngress, Waltham, MA, USA, 2014
[JB14] James Broad, Andrew Binder, Hacking with Kali: Practical Penetration Testing Techniques, Syngress, 225 Wyman Street, Waltham, MA 02451, USA, 2014
[JD12] JP Dunning, Katana: Portable Multi-Boot Security Suite, 2012, http://www.hackfromacave.com/katana.html#katana_description
[JJ13] Josh Johnson, Implementing Active Defense Systems on Private Networks, The SANS Institute: InfoSec Reading Room, 2013
[JM13] Joseph Muniz, Aamir Lakhani, Web Penetration Testing with Kali Linux, Packt Publishing, Birmingham, Mumbai, India, 2013
[JP13] Josh Pauli, The Basics of Web Hacking, Syngress, Waltham, MA, USA, 2013
[JS11] J. Michael Stewart, Network Security, Firewalls, and VPNs, Jones & Bartlett Learning, London, UK, 2011
[JW07] Jack Wiles, Anthony Reyes, The Best Damn Cybercrime and Digital Forensics Book, Syngress, Burlington, MA, USA, 2007
[KG07] Kimberly Graves, CEH Official Certified Ethical Hacker Review Guide, Wiley Publishing, Indiana, USA, 2007
[KL13] Kali Linux, http://docs.kali.org/
[MA09] Mati Aharoni, Thomas d'Otreppe de Bouvette, BackTrack WiFu: An Introduction to Practical Wireless Attacks v.2.0 based on Aircrack-ng, Offensive Security Training Guide, Offensive Security LLC, 2009
[MA10] Mansour A. Alharbi, Writing a Penetration Testing Report, The SANS Institute, InfoSec Reading Room, 2010
[MA13] Monika Agarwal, Abhinav Singh, Metasploit Penetration Testing Cookbook, Second Edition, Packt Publishing, Birmingham, Mumbai, 2013
[MC08] Mark Carey, Paul Criscuolo, and Mike Petruzzi, Nessus Network Auditing, Second Edition, Syngress Publishing, Burlington, MA, USA, 2008
[MD11] Mehiar Dabbagh, Ali J. Ghandour, Kassem Fawaz, Wissam El Hajj, Hazem Hajj, Slow Port Scanning Detection, Department of Electrical and Computer Engineering, American University of Beirut, Information Assurance and Security (IAS), 2011 7th International Conference, Melaka, 2011, pp. 228-233
[MM06] Martin Mink, Felix C. Freiling, Is Attack Better than Defense? Teaching Information Security the Right Way, InfoSecCD '06: Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, 2006, pp. 44-48
[ML13] Matriux LENNDROS, http://www.matriux.com/index.php?page=arsenal
[NS03] Nichols, S., Big Brother is Watching: An Update on Web Bugs, SANS Institute Reading Room, 2003, https://www.sans.org/reading_room/whitepapers/threats/big-brotherwatching-update-webbugs_445
[OS98] The Open Source Definition | Open Source Initiative, http://opensource.org/docs/osd
[PE13] Patrick Engebretson, The Basics of Hacking and Penetration Testing, 2nd Edition, Syngress, Waltham, MA, USA, 2013
[RE07] Rabinovitch, E., Staying Protected from "Social Engineering", IEEE Communications Magazine, Volume 45, Issue 9, 2008, pp. 20-21
[SD06] Steven Drew, Vulnerability Assessment Versus Penetration Tests, Dell SecureWorks, June 2006, http://www.secureworks.com/resources/newsletter/2006-03/
[SF13] Snort, Sourcefire, License, http://www.snort.org/snort/license, 2014
[SI07] The SANS Institute, Assessing and Securing Wireless Networks: Wireless Architecture and RF Fundamentals, SANS GAWN 617 Study Guide, 2007
[SI14] webshag - Software Informer, http://webshag.software.informer.com/, 2014
[SO11] Sean-Philip Oriyano, Michael Gregg, Hacker Techniques, Tools and Incident Handling, Jones & Bartlett Learning, London, UK, 2011
[SW13] Steve Winterfeld, Jason Andress, The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice, Syngress, Waltham, MA, USA, 2013
[TC08] Team Cymru, Who is Looking for your SCADA Infrastructure?, Briefing paper, Team Cymru Community Services, 2008, http://www.teamcymru.com/ReadingRoom/Whitepapers/2009/scada.pdf
[TB07] Tanya Baccam, The SANS Institute, Auditing Networks, Perimeters and Systems (SANS 507) Study Guide Book 1, 2007
[WP12] Willie Pritchett, David De Smet, BackTrack 5 Cookbook, Packt Publishing, Birmingham, UK, 2012
[WP13] Willie L. Pritchett, David De Smet, Kali Linux Cookbook, Packt Publishing, Birmingham, UK, 2013


ADDITIONAL RESOURCES

[AS12] Abhinav Singh, Metasploit Penetration Testing Cookbook, Packt Publishing, Birmingham, UK, 2012
[BH08] Brad Haines, Frank Thornton, Michael Schearer, Kismet Hacking, Syngress Publishing, Burlington, MA, USA, 2008
[BS05] British Standards Institution, BS ISO/IEC 27002 / BS 7799-1: Information Technology - Security techniques - Code of Practice for Information Security Management, second edition, 2005
[CG10] Carl Gebhardt, Allan Tomlinson, Challenges for Inter Virtual Machine Communication, Technical Report RHUL-MA-2010-12, Department of Mathematics, Royal Holloway, 2010 (available from author)
[CP12] Christian W. Probst, M. Angela Sasse, Wolter Pieters, Trajce Dimkov, Erik Luysterborg, Michel Arnaud, Privacy Penetration Testing: How to Establish Trust in Your Cloud Provider, in European Data Protection: In Good Health?, Springer, NY, USA, 2012, pp. 251-265
[DB10] Diane Barrett, Gregory Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments, Syngress, Waltham, MA, USA, 2010
[DK07] Dave Kleiman, Computer Hacking Forensic Investigator Study Guide (Exam 312-49), Syngress, Burlington, MA, USA, 2007
[DK11] David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni, Metasploit: The Penetration Tester's Guide, No Starch Press, San Francisco, USA, 2011
[DM07] David Maynor, K.K. Mookhey, Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress, Burlington, MA, USA, 2007
[DO12] Davi Ottenheimer, Matthew Wallace, Securing the Virtual Environment: How to Defend the Enterprise Against Attack, John Wiley & Sons, USA, 2012
[DS12] Dave Shackleford, Virtualization Security: Protecting Virtualized Environments, John Wiley & Sons, Inc., Indianapolis, Indiana, USA, 2013
[HC07] Harlan Carvey, Windows Forensic Analysis DVD Toolkit, Syngress, Burlington, MA, USA, 2007
[HC12] Harlan Carvey, Windows Forensic Analysis Toolkit, 3rd Edition, Syngress, Waltham, MA, USA, 2012
[JB07] John Baschab, Jon Piot, The Executive's Guide to Information Technology, Second Edition, John Wiley & Sons, Inc., Hoboken, New Jersey (published simultaneously in Canada), 2007
[JC10] Johnny Cache, Joshua Wright, Vincent Liu, Hacking Exposed Wireless: Wireless Security Secrets & Solutions, McGraw-Hill, Toronto, 2010
[JF11] Jeremy Faircloth, Penetration Tester's Open Source Toolkit, Third Edition, Syngress, Waltham, MA, USA, 2011
[JF12] Joe Fichera, Steven Bolt, Network Intrusion Analysis: Methodologies, Tools, and Techniques for Incident Analysis and Response, Syngress, Waltham, MA, USA, 2012
[JH09] John Hoopes, Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting, Syngress Publishing, Burlington, MA, USA, 2008
[JT13] James Tarala, Implementing and Auditing the Twenty Critical Security Controls - In Depth (SEC566), SANS Institute, 2013


[KC13] Kevin Cardwell, BackTrack - Testing Wireless Network Security, Packt Publishing, Birmingham, UK, 2013
[KR01] Karl Rademacher, The SANS Institute, Use Offense to Inform Defense: Find Flaws Before the Bad Guys Do, GIAC practical repository, SANS Penetration Testing, 2001
[KR13] Karthik Ranganath, Metasploit Starter: The Art of Ethical Hacking Made Easy with Metasploit, Packt Publishing, Birmingham, UK, 2013
[MK11] Mike Kershaw, Kismet README, 2011-01-R1
[PI09] PenTest Inc., Internet Infrastructure Network Penetration Test Final Report, The SANS Institute, Example Pen Test Report, 2009
[PP12] Paulino Calderon Pale, Nmap 6: Network Exploration and Security Auditing, First Edition, Packt Publishing, Birmingham, UK, 2012
[RH12] Raphael Hertzog, Roland Mas, Debian: The Administrator's Handbook, Freexian SARL, 2012
[RL13] Rob Lee, et al., SANS Investigative Forensic Toolkit v2.14, http://computerforensics.sans.org/community/downloads
[SA12] Steven Anson, Steve Bunting, Ryan Johnson, Scott Pearson, Mastering Windows Network Forensics and Investigation, 2nd Edition, Sybex, USA, 2012
[SG10] S. Ghosh, E. Turrini (eds.), A Pragmatic Experimental Definition of Computer Crimes, in Cybercrimes: A Multidisciplinary Analysis, Springer-Verlag, Berlin, 2010
[SH10a] Stephen Helba, Marah Bellegarde, Meghan Orvis, Disaster Recovery, First Edition, EC-Council Press, Clifton Park, NY, USA, 2010
[SH10b] Stephen Helba, Marah Bellegarde, Meghan Orvis, Virtualization Security, First Edition, EC-Council Press, Clifton Park, NY, USA, 2010
[SM07] Steve Manzuik, Andre Gold, Chris Gatford, Network Security Assessment: From Vulnerability to Patch, Syngress Publishing, Rockland, MA, USA, 2007
[TW12] Tyler Wrightson, Wireless Network Security: A Beginner's Guide, McGraw-Hill, New York, Toronto, 2012
[WM12] William Manning, GIAC Certified Forensic Analyst Certification (GCFA) Exam Preparation, Emereo Publishing, USA, 2012
[WS12] Wale Soyinka, Linux Administration: A Beginner's Guide, Sixth Edition, McGraw-Hill, New York, Toronto, 2012


APPENDIX A

List of tool functions in the BackTrack package [BT11]. The BackTrack distribution includes the following major tool categories:

Information Gathering
  - Network Analysis
    - DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, lbd, maltego, reverseraider)
    - Identify Live Hosts (0trace, alive6, arping, detect-new-ip6, dnmap, fping, hping2, hping3, netdiscover, netifera, nmap, nping, pbnj, sctpscan, svwar, trace6, traceroute, wol-e, zenmap)
    - IDS IPS Identification (fragroute, fragrouter, ftester, hexinject, pytbull, sniffjoke)
    - Network Scanners (autoscan, davtest, implementation6, implementation6d, netifera, nmap, scapy, unicornscan, unicornscan-pgsql-setup, zenmap)
    - Network Traffic Analysis (scapy, tcpdump, tshark, wireshark)
    - OS Fingerprinting (nmap, p0f, sctpscan, xprobe2, zenmap)
    - OSINT Analysis (creepy, jigsaw)
    - Route Analysis (dmitry, netmask, scapy, tcptraceroute)
    - Service Fingerprinting (amap, dmitry, httprint, httsquash, miranda, nbtscan, ncat, nmap, sslscan, zenmap)
    - SMB Analysis (samrdump, smbclient)
    - SMTP Analysis (maltego, nmap, smtprc, smtpscan, smtp-user-enum, swaks, zenmap)
    - SNMP Analysis (admsnmp, braa, onesixtyone, snmpcheck, snmpenum)
    - SSL Analysis (sslcaudit, ssldump, sslh, sslsniff, sslstrip, sslyze, testssl.sh, thcsslcheck, tlssled)
    - Telephony Analysis (dedected, iwar, svmap, warvox)
    - VOIP Analysis (ace, enumiax, iwar, sip-scan, smap, voiphoney)
    - VPN Analysis (fiked, ike-scan)
  - Web Application Analysis
    - CMS Identification (blindelephant, cms-explorer, dpscan, whatweb)
    - IDS IPS Identification (ua-tester, waffit)
    - Open Source Analysis (casefile, ghdb, goofile, maltego, revhosts, revhosts-cli, urlcrazy, xssed)
    - Web Crawlers (apache-users, deblaze, dirb, golismero, sqlscan, webshag-cli, webshag-gui)
  - Database Analysis
    - MSSQL Analysis (sqlbrute, sqldict, sqllhf, sqlmap, sqlninja)
    - MySQL Analysis (sqlmap)
    - Oracle Analysis (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl, sqlbrute, sqlmap, tnscmd10g)
    - Others (bbqsql, dbpwaudit)
  - Wireless Analysis
    - Bluetooth Analysis (bluediving, blueranger, btscanner, hcidump)


    - WLAN Analysis (airodump-ng, giskismet, kismet, pcapdump, ssidsniff, xgps)
Vulnerability Assessment
  - Vulnerability Scanners
    - Nessus (nessus register, nessus start, nessus user add)
    - OpenVAS (OpenVAS adduser, OpenVAS check setup, OpenVAS mkcert, OpenVAS NVT sync, Start Greenbone Security Assistant, Start Greenbone Security Desktop, Start OpenVAS Administrator, Start OpenVAS CLI, Start OpenVAS Manager, Start OpenVAS Scanner, Stop Greenbone Security Assistant, Stop OpenVAS Administrator, Stop OpenVAS CLI, Stop OpenVAS Manager, Stop OpenVAS Scanner)
    - SAINT (SAINT, SAINT web daemon)
    - Others (lynis, mantra)
  - Network Assessment
    - Cisco Tools (cisco-auditing-tool, cisco-ocs, cisco passwd scanner, cisco-torch, copy-router-config, merge-router-config, tftp-bruteforce)
    - Network Fuzzers (bed, fuzz_ip6, sfuzz, sickfuzz, spike)
    - Open Source Assessment (mitre-cve, osvdb)
    - VOIP Fuzzers (ohrwurm, protos-sip, voiper)
  - Web Application Assessment
    - CMS Vulnerability Identification (joomscan, plecost)
    - Web Application Fuzzers (dirbuster, dotdotpwn, powerfuzzer, rfuzz, untidy, webshag-cli, webshag-gui, webslayer, xssfuzz, xssfuzz-start, xssfuzz-stop)
    - Web Application Proxies (burpsuite, owasp-zap)
    - Web Open Source Assessment (goohost, gooscan, metagoofil, mitre-cve, osvdb, shodan, theharvester)
    - Web Vulnerability Scanners (asp-auditor, burpsuite, grabber, grendel-scan, mopest, nikto, owasp-zap, proxystrike, skipfish, sqlmap, uniscan, vega, w3af console, w3af gui, wapiti, watobo, webscarab, wstool)
  - Database Assessment
    - MSSQL Assessment (sqlbrute, sqldict, sqllhf, sqlmap, sqlninja)
    - MySQL Assessment (sqlmap)
    - Oracle Assessment (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl, sqlbrute, sqlmap, tnscmd10g)
    - Others (bbqsql, dbpwaudit)
Exploitation Tools
  - Network Exploitation Tools
    - Cisco Attacks (cisco-global-exploiter, tftp-bruteforce)
    - Fast-Track (fasttrack-cli, fasttrack-interactive, fasttrack-web)
    - Metasploit Framework (armitage, msfcli, msfconsole, msfupdate, start msfpro)
    - SAP Exploitation (sapyto)
    - Others (isr-evilgrade, netgear-telnetenable, termineter)
  - Web Exploitation Tools (asp-auditor, darkmysqli, fimap, htexploit, jboss-autopwn, oscanner, padbuster, sqlmap, sqlninja, sqlsus, sslstrip, w3af console, w3af gui, websecurity, websploit, xsser)
  - Database Exploitation Tools
    - MSSQL Exploitation Tools (sqlmap, sqlninja)

    - MySQL Exploitation Tools (sqlmap)
    - Oracle Exploitation (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl, sqlmap)
    - Others (bbqsql, dbpwaudit)
  - Wireless Exploitation Tools
    - Bluetooth Exploitation (atshell, bluediving, bluelog, bluemaho, bluepot, bt-audit, btftp, redfang, spooftooph)
    - GSM Exploitation (smartphone-pentest-framework)
    - WLAN Exploitation (aircrack-ng, airmon-ng, airodump-ng, fern-wifi-cracker, freeradius-wpe, freeradius-wpe setup, gerix-wifi-cracker-ng, horst, pcapgetiv, pyrit, reaver, weakivgen, wepcrack, wifi-honey, wifite)
  - Social Engineering Tools
    - BeEF XSS Framework (BeEF, BeEF installer)
    - HoneyPots (honeyd, honeydctl, spamhole)
    - Social Engineering Toolkit (set)
  - Physical Exploitation (arduino, kautilya, u3-pwn)
  - Open Source Exploitation
    - Exploit-DB (exploitdb directory, exploit search)
    - Online Archives (mitre-cve, osvdb, securityfocus)
Privilege Escalation
  - Password Attacks
    - GPU Tools (oclhashcat+ (ATI), oclhashcat+ (Nvidia))
    - Offline Attacks (asleap, cowpatty, creddump, crunch, cupp, dictstat, eapmd5pass, fcrackzip, genkeys, genpmk, hashcat, hashcat-gui, hashcat-utils, hash-identifier, johnny, john the ripper, manglefizz, maskgen, multiforcer, oclhashcat (ATI), oclhashcat-lite (ATI), oclhashcat-lite (Nvidia), oclhashcat (Nvidia), ophcrack, ophcrack-gui, phrasendrescher, pipal, policygen, rainbowcrack, rainbowcrack-mt, sipcrack, sipdump, statsprocessor, truecrack, twofi)
    - Online Attacks (acccheck, cewl, findmyhash, hexorbase, hydra, hydra-gtk, keimpx, medusa, ncrack, patator, smbexec, sqldict, sqllhf, svcrack, wce)
    - Physical Attacks (sucrack)
  - Privilege Escalation Media
    - VOIP Tools (rtpinjct)
  - Protocol Analysis
    - Network Sniffers (darkstat, driftnet, dsniff, easy-creds, ettercap, ettercap-gtk, ettercap-ng, fake_route6, ferret, hamster, parasite6, redir6, scapy, subterfuge, tcpdump, tshark, wireshark, xspy)
    - VOIP Sniffers (ferret, rtpbreak, voipctl, voipong)
    - Web Sniffers (mitmproxy)
  - Spoofing Attacks
    - Network Spoofing (dnschef, fake_mipv6, fake_mld26, fake_mld6, fake_mldrouter6, fake_router6, fiked, fuzz_advertise6, hexinject, intercepter-ng, redir6, thcping6, toobig6, yersinia)
    - VOIP Spoofing (sipsak, voiphopper)
Maintaining Access
  - OS Backdoors (dbd, hotpatch, intersect, msfencode, msfpayload, powersploit, sbd, trixd00r, u3-pwn, unix-privesc-check)

  - Tunneling (3proxy, cryptcat, iodine, miredo, ping tunnel, proxychains, proxytunnel, pwnat, socat, sslh, stunnel4, tinyproxy, udptunnel)
  - Web Backdoors (msfencode, msfpayload, webshells, weevely)
Reverse Engineering (android-sdk, apktool, binwalk, ded, dex2jar, edb-debugger, flasm, gdb.py, install ida-pro free, jad, javasnoop, mercury, ollydbg, rec-studio, smali, strace.py)
RFID Tools
  - RFID ACG (brute force hitag2, bruteforce mifare, calculate jcop mifare keys, continuous select tag, copy iso15693 tag, epassport read write clone, format mifare 1k value blocks, identify hf tag type, identify lf tag type, jcop info, jcop mifare read write, jcop set atr historical bytes, read acg reader eeprom, read lf tag, read mifare, read tag, read write clone unique (em4x02), reset q5 tag, select tag, set fdx-b id, test acg lahf)
  - RFID Frosch (read write clone unique (em4x02), reset hitag2 tag, set fdx-b id, test frosch reader)
  - RFID PCSC (bruteforce mifare, calculate jcop mifare keys, chip & pin info, continuous select tag, epassport read/write/clone, identify hf tag type, install atr historical byte applet to jcop, install mifare applet to jcop, install vonjeek epassport emulator to jcop, install vonjeek epassport emulator to nokia, jcop info, jcop mifare read/write, jcop set atr historical bytes, read mifare, read tag, select tag)
Stress Testing
  - Network Stress Testing (denial6, dhcpig, dos-new-ip6, flood_advertise6, flood_router6, hping2, hping3, inundator, letdown, rsmurf6, sendpees6, siege, smurf6, t50, thc-ssl-dos, udp.pl)
  - VOIP Stress Testing (iaxflood, inviteflood, rtpflood, sip)
  - WLAN Stress Testing (mdk3)
Forensics
  - Anti-Virus Forensics Tools (chkrootkit, rkhunter)
  - Digital Anti-Forensics (install truecrypt)
  - Digital Forensics (hexedit, iphoneanalyzer, rifiuti2)
  - Forensic Analysis Tools (bulk-extractor, evtparse.pl, exiftool, misidentify, mork.pl, pref.pl, ptk, readpst, reglookup, stegdetect, vinetto)
  - Forensic Carving Tools (extundelete, fatback, foremost, magicrescue, recoverjpeg, safecopy, scalpel, scrounge-ntfs, testdisk)
  - Forensic Hashing Tools (hashdeep, md5deep, sha1deep, sha256deep, tigerdeep, whirlpooldeep)
  - Forensic Imaging Tools (air, dc3dd, ddrescue, ewfacquire)
  - Forensic Suites (ptk, setup autopsy, sleuthkit)
  - Network Forensics (darkstat, driftnet, p0f, tcpflow, tcpreplay, wireshark)
  - Password Forensics Tools (cmospwd, fcrackzip, samdump)
  - PDF Forensics Tools (pdfid, pdf-parser, peepdf)
  - RAM Forensics Tools (pdfbook, pdgmail, ptk, volafox)
Reporting Tools
  - Evidence Management (casefile, keepnote, magictree, maltego, svreport)
  - Media Capture (cutycapt, recordmydesktop)
Services
  - GPSD (gpsd start, gpsd stop)
  - HTTPD (apache start, apache stop)

  - MySQLD (mysql start, mysql stop)
  - PCSCD (pcscd start, pcscd stop)
  - Snort Service (snort start, snort stop)
  - SSHD (sshd start, sshd stop)
Miscellaneous Tools

APPENDIX B

List of tool functions in the Kali Linux package (http://www.kali.org/ and http://docs.kali.org/). [JB14] and [KL13] list the most used tools in Kali Linux and the commands used to launch each tool. "The Kali Linux platform comes preloaded with over 400 tools that can be used for the various stages of a penetration test or an ethical hacking engagement. The following table lists each tool and its location in the Kali Linux menu structure.

Menu       | Activity Menu | Application
-----------|---------------|---------------------
Kali Linux | Top 10        | aircrack-ng
Kali Linux | Top 10        | burpsuite
Kali Linux | Top 10        | hydra
Kali Linux | Top 10        | john
Kali Linux | Top 10        | maltego
Kali Linux | Top 10        | metasploit framework
Kali Linux | Top 10        | nmap
Kali Linux | Top 10        | sqlmap
Kali Linux | Top 10        | wireshark
Kali Linux | Top 10        | zaproxy

The Kali Linux Distribution includes the following major tool categories: 

Information Gathering
  - DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnsrevenum6, dnstracer, dnswalk, fierce, maltego, nmap, urlcrazy)
  - IDS/IPS Identification (fragroute, fragrouter, wafw00f)
  - Live Hosts Identification (alive6, arping, cdpsnarf, detect-new-ip6, detect_sniffer6, dmitry, dnmap-client, dnmap-server, fping, hping3, inverse_lookup6, miranda, ncat, netdiscover, nmap, passive_discovery6, thcping6, wol-e, xprobe2)
  - Network Scanners (dmitry, dnmap-client, dnmap-server, netdiscover, nmap)
  - OS Fingerprinting (dnmap-client, dnmap-server, miranda, nmap)
  - OSINT Analysis (casefile, creepy, dmitry, jigsaw, maltego, metagoofil, theharvester, twofi, urlcrazy)
  - Route Analysis (dnmap-client, dnmap-server, intrace, netmask, trace6)
  - Service Fingerprinting (dnmap-client, dnmap-server, implementation6, implementation6d, ncat, nmap, sslscan, sslyze, tlssled)
  - SMB Analysis (acccheck, nbtscan, nmap)
  - SMTP Analysis (nmap, smtp-user-enum, swaks)
  - SNMP Analysis (braa, cisco-auditing-tool, cisco-torch, copy-router-config, merge-router-config, nmap, onesixtyone, snmpcheck)
  - SSL Analysis (sslcaudit, ssldump, sslh, sslscan, sslsniff, sslstrip, sslyze, stunnel4, tlssled)
  - Telephony Analysis (ace)
  - Traffic Analysis (cdpsnarf, intrace, irpas-ass, irpas-cdp, p0f, tcpflow, wireshark)

  - VOIP Analysis (ace, enumiax)
  - VPN Analysis (ike-scan)
Vulnerability Analysis
  - Cisco Tools (cisco-auditing-tool, cisco-global-exploiter, cisco-ocs, cisco-torch, yersinia)
  - Database Assessment (bbqsql, dbpwaudit, hexorbase, mdb-export, mdb-hexdump, mdb-parsecsv, mdb-sql, mdb-tables, oscanner, sidguesser, sqlmap, sqlninja, sqlsus, tnscmd10g)
  - Fuzzing Tools (bed, fuzz_ip6, ohrwurm, powerfuzzer, sfuzz, siparmyknife, spike-generic_chunked, spike-generic_listen_tcp, spike-generic_send_tcp, spike-generic_send_udp)
  - Misc Scanners (lynis, nikto, nmap, unix-privesc-check)
  - Open Source Assessment (casefile, maltego)
  - OpenVAS (openvas-gsd, openvas-setup)
Web Application Assessment
  - CMS Identification (blindelephant, plecost, wpscan)
  - Database Exploitation (bbqsql, sqlninja, sqlsus, ua-tester)
  - IDS/IPS Identification (ua-tester)
  - Web Application Fuzzers (burpsuite, paros, powerfuzzer, proxystrike, webscarab, webslayer, websploit, wfuzz, xsser, zaproxy)
  - Web Application Proxies (burpsuite, paros, proxystrike, webscarab, zaproxy)
  - Web Crawlers (apache-users, burpsuite, cutycapt, dirb, dirbuster, vega, webscarab, webslayer, zaproxy)
  - Web Vulnerability Scanners (burpsuite, cadaver, davtest, deblaze, fimap, grabber, joomscan, nikto, padbuster, proxystrike, skipfish, sqlmap, vega, w3af, wapiti, webscarab, webshag-cli, webshag-gui, websploit, whatweb, wpscan, xsser, zaproxy)
Password Attacks
  - GPU Tools (oclhashcat-lite, oclhashcat-plus, pyrit)
  - Offline Attacks (cachedump, chntpw, cmospwd, crunch, dictstat, fcrackzip, hashcat, hash-identifier, john, johnny, lsadump, maskgen, multiforcer, oclhashcat-lite, oclhashcat-plus, ophcrack, ophcrack-cli, policygen, pwdump, pyrit, rainbowcrack, rcracki_mt, rsmangler, samdump2, sipcrack, sucrack, truecrack)
  - Online Attacks (acccheck, burpsuite, cewl, cisco-auditing-tool, dbpwaudit, findmyhash, hydra, hydra-gtk, medusa, ncrack, onesixtyone, patator, phrasendrescher, thc-pptp-bruter, webscarab, zaproxy)
  - Passing the Hash
Wireless Attacks
  - 802.11 Wireless Tools (aircrack-ng, aireplay-ng, airmon-ng, airodump-ng, asleap, cowpatty, eapmd5pass, fern-wifi-cracker, genkeys, genpmk, giskismet, mdk3, wifiarp, wifidns, wifi-honey, wifiping, wifitap, wifite)
  - Bluetooth Tools (bluelog, bluemaho, blueranger, btscanner, fang, spooftooph)
  - Other Wireless Tools (zbassocflood, zbconvert, zbdsniff, zbdump, zbfind, zbgoodfind, zbreplay, zbstumbler)
  - RFID/NFC Tools
  - Software Defined Radio
Exploitation Tools
  - BeEF XSS Framework
  - Cisco Attacks (cisco-auditing-tool, cisco-global-exploiter, cisco-ocs, cisco-torch, yersinia)
  - Exploit Database (searchsploit)
  - Metasploit (Metasploit Community/Pro, Metasploit diagnostic logs, Metasploit diagnostic shell, Metasploit Framework, Update metasploit)
  - Network Exploitation (exploit6, ikat, jboss-autopwn-win, jboss-autopwn-linux, termineter)
  - Social Engineering (se-toolkit)
Sniffing/Spoofing
  - Network Sniffers (darkstat, dnschef, dnsspoof, dsniff, ettercap-graphical, hexinject, mailsnarf, msgsnarf, netsniff-ng, passive_discovery6, sslsniff, tcpflow, urlsnarf, webmitm, webspy, wireshark)
  - Network Spoofing (dnschef, ettercap-graphical, evilgrade, fake_advertise6, fake_dhcps6, fake_dns6, fake_mldrouter6, fake_router26, fake_router6, fake_solicitate6, fiked, macchanger, parasite6, randicmp6, rebind, redir6, sniffjoke, sslstrip, tcpreplay, wifi-honey, yersinia)
  - Voice and Surveillance (msgsnarf)
  - VoIP Tools (iaxflood, inviteflood, ohrwurm, protos-sip, rtpbreak, rtpflood, rtpinsertsound, rtpmixsound, sctpscan, siparmyknife, sip, sipsak, svcrack, svmap, svreport, svwar, voiphopper)
  - Web Sniffers (burpsuite, dnsspoof, driftnet, ferret, mitmproxy, urlsnarf, webmitm, webscarab, webspy, zaproxy)
Maintaining Access
  - OS Backdoors (cymothoa, dbd, intersect, powersploit, sbd, u3-pwn)
  - Tunneling Tools (cryptcat, dbd, dns2tcpc, iodine, miredo, ncat, proxychains, proxytunnel, ptunnel, pwnat, sbd, socat, sslh, udptunnel)
  - Web Backdoors (webacoo, weevely)
Reverse Engineering
  - Debuggers (edb-debugger, ollydbg)
  - Disassembly (jad, rabin2, radiff2, rasm2)
  - Misc RE Tools (apktool, clang, clang++, dex2jar, flasm, javasnoop, radare2, rafind2, ragg2, ragg2-cc, rahash2, rarun2, rax2)
Stress Testing
  - Network Stress Testing (denial6, dhcpig, dos-new-ip6, flood_advertise6, flood_dhcpc6, flood_mld6, flood_mldrouter6, flood_solicitate6, fragmentation6, inundator, kill_router6, macof, rsmurf6, siege, smurf6, t50)
  - VOIP Stress Testing (iaxflood, inviteflood)
  - Web Stress Testing (thc-ssl-dos)
  - WLAN Stress Testing (mdk3, reaver)
Hardware Hacking
  - Android Tools (android-sdk, apktool, baksmali, dex2jar, smali)
  - Arduino Tools (arduino)
Forensics
  - Anti-Virus Forensics Tools (chkrootkit)
  - Digital Anti-Forensics (chkrootkit)

  - Digital Forensics (autopsy, binwalk, bulk_extractor, chkrootkit, dc3dd, dcfldd, extundelete, foremost, fsstat, galleta, tsk_comparedir, tsk_loaddb)
  - Forensic Analysis Tools (affcompare, affcopy, affcrypto, affdiskprint, affinfo, affsign, affstats, affuse, affverify, affxml, autopsy, binwalk, blkcalc, blkcat, blkstat, bulk_extractor, ffind, fls, foremost, galleta, hfind, icat-sleuthkit, ifind, ils-sleuthkit, istat, jcat, mactime-sleuthkit, misidentify, mmcat, pdgmail, readpst, reglookup, sorter, srch_strings, tsk_recover, vinetto)
  - Forensic Carving Tools (binwalk, bulk_extractor, foremost, jls, magicrescue, pasco, pev, recoverjpeg, rifiuti2, rifiuti, safecopy, scalpel, scrounge-ntfs)
  - Forensic Hashing Tools (md5deep, rahash2)
  - Forensic Imaging Tools (affcat, affconvert, blkls, dc3dd, dcfldd, ddrescue, ewfacquire, ewfacquirestream, ewfexport, ewfinfo, ewfverify, fsstat, guymager, img_cat, img_stat, mmls, tsk_gettimes)
  - Forensic Suites (autopsy, dff)
  - Network Forensics (p0f)
  - Password Forensics Tools (chntpw)
  - PDF Forensics Tools (pdf-parser, peepdf)
  - RAM Forensics Tools (volafox, volatility)
Reporting Tools
  - Documentation
  - Evidence Management (casefile, keepnote, magictree, maltego, maltegoofil, truecrypt)
  - Media Capture (cutycapt, recordmydesktop)
System Services
  - HTTP (apache2 restart, apache2 start, apache2 stop)
  - Metasploit (community/pro start, community/pro stop)
  - MySQL (mysql restart, mysql start, mysql stop)
  - SSH (sshd restart, sshd start, sshd stop)"

APPENDIX C

[ML13] describes the tools available in the Matriux Arsenal: "The Matriux Arsenal contains a huge collection of more than 300 of the most powerful and versatile security and penetration testing tools. The Matriux Arsenal includes the following tools / utilities / libraries (the ßeta release will contain only a few of the listed tools): (Copied from: http://www.matriux.com/index.php?page=arsenal)

This arsenal is for the Matriux Ec-Centric 2.49 beta edition.

Reconnaissance
  - DNS (chaosmap, DIG, DNSTracer, DNSWalk, rebind)
  - HTTrack (HTTrack, WebHTTrack Website Copier, Browse Mirrored Websites)
  - Chaosreader, Deepmagic Information Gathering Tool, dradis framework, dsniff password sniffer, EtherApe, EtherApe (root), fragroute, magictree, peepdf, quickrecon, tcpdump, tcpslice, tcptrace, tcptraceroute, vidalia, Network Analyzer (Wireshark), xtrace
Scanning
  - Cisco (CDP Packet Generator, CDP Global Exploiter, HSRP Generator)
  - BATMAN-Tools (batping, batroute, batdump)
  - Routing-Protocols (Autonomous System Scanner, IGRP Route Injector)
  - Web-Scanners (blindelephant, dirbuster, JHijack, Nikto, RIPS Scanner, theHarvester, scrapy, urlcrazy, vega, wafp, whatweb, xsser, XSSploit (CLI), XSSploit (GUI))
  - Angry IP Scan, CryptCat, ettercap console, Ettercap GUI, file2cable, Web Server Fingerprinting Tool, gggooglescan, metagoofil, icmpush, icmpquery, IRDP Packet Sender, IRDP Responder Packet Sender, Netcat, netenum, netmask, Nmap, Nmap Si4 Full mode, Nmap Si4 user mode, Nmap Si4 Logr, ostinato, p0f, sinfp, snacktime, Paris Traceroute, Pastenum, Protocol Scanner, Parallel Internet Measurement Utility, t50, tctrace, THC-Amap, wapiti, Zenmap, Zenmap (root)
Gain Access (Attack Tools)
  - Password (Password List Download, apligen, BruteSSH, Cacheebr, EmDebr, iisbruteforcer, bbox-keygen, cmospwd, crunch, etemenanki, gcrack, John the Ripper, rarcrack, medusa, sucrack, THC-Hydra Console, THC-Hydra GUI, vncrack, vncpwddump, wfuzz, routerkeygen, md5pack, md5unpack, md5-utils)
  - SQL (bing-sqli-scanner, bsqlbf, minimysqlat0r, pblind, sqlibf, sqlinjtools, sqlmap, SQLninja, sqlid, sqlsus)
  - THC-IPv6 (address6, alive6, covert_send6, covert_send6d, denial6, detect-new-ip6, detect_sniffer6, dnsdict6, dnsrevenum6, dnssecwalk, dos-new-ip6, dump_router6, exploit6, fake_mipv6, fake_mld26, fake_mld6, fake_mldrouter6, fake_router6, fake_advertise6, fuzz_ip6, implementation6, implementation6d, parasite6, redir6, rsmurf6, sendpees6, smurf6, thcping6, toobig6, trace6)
  - Mac Changer, sipcrack, socat
Framework
  - Inguma (Inguma-cli, Inguma-gui)
  - Metasploit Framework (armitage, msfconsole, msfpro, msfupdate)
  - SET (SET Console Mode, SET web mode)
  - w3af (w3af console, w3af gui)
  - BeEF, Grendel-Scan, HTTP Request Exploit Framework, isr-evilgrade, Mantra Framework, skipfish, webscarab, shell storm framework, yersinia, WSFuzzer, subterfuge, Burpsuite, g0tbeEF, Maltego
Radio
  - Bluetooth (bluemaho, blueper, bluescan, bluesnarfer, bss, carwhisperer, haraldscan)
  - kismet (kismet, kismet client, kismet drone, kismet server)
  - reaver-wps (reaver, reaver wash)
  - voip (sipvicious, authtool, enumiax, iaxscan, scapy, SIP Proxy, Voiper)
  - airbase-ng, aircrack-ng, airdecap-ng, airdecloak-ng, airdriver-ng, aireplay-ng, airmon-ng, airodump-ng, airolib-ng, airoscript-ng, airserv-ng, airtun-ng, buddy-ng, chapcrack-ng, cowpatty, fern wifi cracker, gerix wificracker, grimwepa, packetforge-ng, pyrit, wepbuster, weplab, wesside-ng, whichdriver, wicd, WiFi Radar, Wifite
Digital-Forensics
  - Acquisition (Automated Image & Restore, galleta, volatilitux, steghide, volatility, Guymager)
  - Analysis (bokken & pyew, Androguard, apk inspector, Start Autopsy, Autopsy Forensics Browser, foremost, forensic data identifier, Gparted, iphone analyzer, Jbrofuzz, mmsdec, scalpel, Pasco, steghide, Vinetto, Start WarVOX, Open WarVOX Web Interface, Xplico Console Mode (Internet Traffic Decoder), Xplico Web Interface (Internet Traffic Decoder))
  - Digital Forensic Framework (DFF console, DFF GUI)
  - metaextractors (antiword, catdoc, exifcom, exifgrep, exiflibtool, exifprobe, exiftags, exiftime, exiftool, exiv2, flare, flasm, jhead, pdffonts, pdfimages, pdfinfo, pdftops, pdftotext, pngchunks, pngcp, pngcrush, pnginfo)
  - dcfldd, Draugr, Extensive File Dumper, Mobius Forensic Toolkit, pyflag, testdisk, warrick, Dhash
PCI-DSS
  - babel console, babel server, ccsrch, code janitor, dep-checker, eramba, fossbarcode scan, fossology, ftimes, openpscan, panbuster, seNF, Spider Helix Process, Spider Helix Server, strings, stunnel, verinice
Debugger
  - boomerang, Crash, ddd, dissy, e2dbg, gdb, gdbserver, hexedit, efence, JavaScript Lint, netifera, valgrind
  - Tracer
    - Leak-Tracer (Leak Analyze, Leak Check)
    - etrace, latrace, ltrace, pstack, strace
Misc
  - Fuzzers (JbroFuzzer, zzuf)
  - sipvicious (svcrack, svcrash, svlearnfp, svmap, svreport, svwar)
  - burpsuite, geoipgen, packetpig, PE file analysis toolkit, pytbull, ROP gadget, Scamper, sslstrip, stegoshare, truecrypt
Services
  - apache start, apache stop, metasploit start, metasploit stop, mysql start, mysql stop, postgresql start, postgresql stop"


APPENDIX D

The following packages currently exist in Fedora and are part of the Fedora Security Lab. Not all packages are available on the Fedora Security Live CD. (The following tools list was copied from https://fedorahosted.org/security-spin/wiki/availableApps)

1. Code Analysis
  - splint - An implementation of the lint program
  - pscan - Limited problem scanner for C source files
  - flawfinder - Examines C/C++ source code for security flaws
  - rats - Rough Auditing Tool for Security

2. Forensics
  - ddrescue - Data recovery tool trying hard to rescue data in case of read errors
  - gparted - Gnome Partition Editor
  - testdisk - Tool to check and undelete partitions; PhotoRec recovers lost files
  - foremost - Recover files by "carving" them from a raw disk
  - sectool-gui - GUI for sectool, a security audit system and intrusion detection system
  - unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
  - examiner - Utility to disassemble and comment foreign executable binaries
  - srm - Secure file deletion
  - nwipe - Securely erase disks using a variety of recognized methods
  - firstaidkit-gui - FirstAidKit GUI
  - xmount - An on-the-fly converter for multiple hard disk image types
  - dc3dd - Patched version of GNU dd for use in computer forensics
  - afftools - Utilities for afflib
  - scanmem - Simple interactive debugging utility
  - sleuthkit - The Sleuth Kit (TSK)
  - scrub - Disk scrubbing program
  - ht - File editor/viewer/analyzer for executables
  - driftnet - Network image sniffer
  - binwalk - Firmware analysis tool
  - scalpel - Fast file carver working on disk images
  - pdfcrack - A password recovery tool for PDF files
  - wipe - Secure file erasing tool
  - safecopy - Safe copying of files and partitions
  - hfsutils - Tools for reading and writing Macintosh HFS volumes
  - cmospwd - BIOS password cracker utility

3. General
  - security-menus - Menu structure for the Security Spin
  - nc6 - Netcat with IPv6 support
  - mc - User-friendly text console file manager and visual shell
  - screen - A screen manager that supports multiple logins on one terminal
  - macchanger - A utility for viewing/manipulating the MAC address of network interfaces
  - ngrep - Network layer grep tool
  - ntfs-3g - Linux NTFS userspace driver
  - ntfsprogs - NTFS filesystem libraries and utilities
  - pcapdiff - Compares packet captures, detects forged, dropped or mangled packets
  - net-snmp - A collection of SNMP protocol tools and libraries
  - openvas-scanner - Open Vulnerability Assessment (OpenVAS) Scanner
  - hexedit - A hexadecimal file viewer and editor
  - irssi - Modular text mode IRC client with Perl scripting
  - powertop - Power consumption monitor
  - mutt - A text mode mail user agent
  - nano - A small text editor
  - vim-enhanced - A version of the VIM editor which includes recent enhancements
  - wget - A utility for retrieving files using the HTTP or FTP protocols
  - yum-utils - Utilities based around the yum package manager
  - mcabber - Console Jabber instant messaging client
  - firstaidkit-plugin-all - All firstaidkit plugins, and the GUI
  - netsed - A tool to modify network packets
  - dnstop - Displays information about DNS traffic on your network
  - sslstrip - Tool that provides a demonstration of HTTPS stripping attacks
  - bonesi - The DDoS Botnet Simulator
  - proxychains - Provides proxy support to any application
  - prewikka - Graphical front-end analysis console for the Prelude Hybrid IDS Framework
  - prelude-manager - Prelude-Manager
  - picviz-gui - Graphical frontend for picviz
  - telnet - The client program for the Telnet remote login protocol
  - openssh - An open source implementation of SSH protocol versions 1 and 2
  - dnstracer - Trace a DNS record to its start of authority

4. Intrusion Detection
• chkrootkit - Tool to locally check for signs of a rootkit
• aide - Intrusion detection environment
• pads - Passive Asset Detection System
• rkhunter - A host-based tool to scan for rootkits, backdoors and local exploits
• labrea - Tarpit (slow to a crawl) worms and port scanners
• nebula - Intrusion signature generator
• tripwire - IDS (Intrusion Detection System)
• prelude-lml - The Prelude log analyzer

5. Network Statistics
• iftop - Command line tool that displays bandwidth usage on an interface
• scamper - A network measurement tool
• iptraf-ng - A console-based network monitoring utility
• iperf - Measurement tool for TCP/UDP bandwidth performance
• nethogs - A tool resembling top for network traffic
• uperf - Network performance tool with modelling and replay support
• nload - A tool that can monitor network traffic and bandwidth usage in real time
• ntop - A network traffic probe similar to the UNIX top command
• trafshow - A tool for real-time network traffic visualization
• vnstat - Console-based network traffic monitor

6. Password Tools
• john - John the Ripper password cracker
• sucrack - A su cracker
• ophcrack - Free Windows password cracker based on rainbow tables
• medusa - Parallel brute forcing password cracker
• pwgen - Automatic password generation
• ncrack - High-speed network auth cracking tool
• hydra - Very fast network log-on cracker

7. Reconnaissance
• xprobe2 - Xprobe2 is an active operating system fingerprinting tool
• dsniff - Tools for network auditing and penetration testing
• wireshark - Network traffic analyzer
• hping3 - TCP/IP stack auditing and much more
• nmap - Network exploration tool and security scanner
• nmap-frontend - The GTK+ front end for nmap
• p0f - Versatile passive OS fingerprinting tool
• sing - Sends fully customized ICMP packets from the command line
• scapy - Interactive packet manipulation tool and network scanner
• socat - Bidirectional data relay between two data channels ('netcat++')
• tcpdump - A network traffic monitoring tool
• unicornscan - Scalable, accurate, flexible and efficient network probing
• nbtscan - Tool to gather NetBIOS info from Windows networks
• tcpxtract - Tool for extracting files from network traffic
• firewalk - Active reconnaissance network security tool
• hunt - Tool for demonstrating well known weaknesses in the TCP/IP protocol suite
• dnsenum - A tool to enumerate DNS info about domains
• argus - Network transaction audit tool
• ettercap - Network traffic sniffer/analyser, NCURSES interface version
• packETH - A GUI packet generator tool
• etherape - Graphical network monitor for Unix
• lynis - Security and system auditing tool
• netsniff-ng - Packet sniffing beast
• tcpjunk - TCP protocols testing tool
• ssldump - An SSLv3/TLS network protocol analyzer
• yersinia - Network protocols tester and attacker
• openvas-client - Client component of Open Vulnerability Assessment (OpenVAS) Scanner
• sslscan - Security assessment tool for SSL
• snmpcheck - A utility to get information via SNMP protocols
• samdump2 - Retrieves syskey and extracts hashes from Windows 2k/NT/XP/Vista SAM
• bkhive - Dump the syskey bootkey from a Windows system hive
• tcpick - A TCP stream sniffer, tracker and capturer
• tcpflow - Network traffic recorder
• dnsmap - Sub-domains bruteforcer
• whois - Improved WHOIS client
• paris-traceroute - A network diagnosis and measurement tool
• nmbscan - NMB/SMB network scanner
• slowhttptest - An application layer DoS attack simulator
• httpry - A specialized packet sniffer designed for displaying and logging HTTP traffic
• pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker
• onesixtyone - An efficient SNMP scanner
• raddump - RADIUS packets interpreter
• ArpON - ARP handler inspection
• tcpreen - A TCP/IP re-engineering and monitoring program
• tcpreplay - Replay captured network traffic
• siege - HTTP regression testing and benchmarking utility
• inception - A FireWire physical memory manipulation tool
• bannergrab - A banner grabbing tool
• mausezahn - A fast versatile packet generator
• arp-scan - Scanning and fingerprinting tool
• mtr - A network diagnostic tool
• sslsplit - Transparent and scalable SSL/TLS interception
• fping - Scriptable, parallelized ping-like utility
• bro - Open-source, Unix-based Network Intrusion Detection System
• tcpcopy - An online request replication tool
• httrack - Website copier and offline browser
• httpie - A curl-like tool for humans
• echoping - TCP "echo" performance test
• dhcping - DHCP daemon ping program
• wbox - HTTP testing tool and configuration-less HTTP server
• swaks - Command-line SMTP transaction tester

8. VoIP
• sipsak - SIP Swiss army knife
• sipp - SIP test tool / traffic generator

9. Web Application Testing
• halberd - Tool to discover HTTP load balancers
• httping - Ping-like tool for HTTP requests
• nikto - Web server scanner
• ratproxy - A passive web application security assessment tool
• lbd - DNS/HTTP load balancing detector
• skipfish - Web application security scanner
• sqlninja - A tool for SQL Server injection and takeover

10. Wireless
• aircrack-ng - 802.11 (wireless) sniffer and WEP/WPA-PSK key cracker
• airsnort - Wireless LAN (WLAN) tool which recovers encryption keys
• kismet - WLAN detector, sniffer and IDS
• weplab - Analyzing WEP encryption security on wireless networks
• cowpatty - WPA password cracker
• wavemon - Ncurses-based monitoring application for wireless network devices
• horst - A highly optimized radio scanning tool
• kismon - A simple GUI client for kismet

