Security testing tools can be used to test security of the system by trying to break it or by hacking it. The attacks may focus on the network, the support software, the application code or the underlying database.
Features or characteristics of security testing tools are:
- To identify viruses;
- To detect intrusions such as denial of service attacks;
- To simulate various types of external attacks;
- Probing for open ports or other externally visible points of attack;
- To identify weaknesses in password files and passwords;
- To do the security checks during operation, e.g. for checking integrity of files, and intrusion detection, e.g. checking results of test attacks.
Port Scanner
A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.
A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service,. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.
To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used to search for a specific service, for example, an SQL-based computer worm may portsweep looking for hosts listening on TCP port 1433.
Some port scanners scan only the most common port numbers, or ports most commonly associated with vulnerable services, on a given host. The result of a scan on a port is usually generalized into one of three categories:
- Open or Accepted: The host sent a reply indicating that a service is listening on the port.
- Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
- Filtered, Dropped or Blocked: There was no reply from the host.
Open ports present two vulnerabilities of which administrators must be wary:
- Security and stability concerns associated with the program responsible for delivering the service – Open ports.
- Security and stability concerns associated with the operating system that is running on the host – Open or Closed ports.
Filtered ports do not tend to present vulnerabilities.
Popular scanners are
Nmap – Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community.
Metasploit Project – The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
Packet Sniffer
Sniffers are programs designed to detect and capture certain types of data. Packet sniffers are designed to detect packets traveling online. Packets are packages of information traveling on the Internet that contain the destination address in addition to content. Packet can be used to capture login information and passwords for a device or computer network.
A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer—or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet’s raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.
Packet capture is the process of intercepting and logging traffic.
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or parts of the network from a single machine on the network. However, some methods avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., ARP spoofing). For network monitoring purposes, it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port that mirrors all packets that pass through all ports of the switch when systems (computers) are connected to a switch port. To use a network tap is an even more reliable solution than to use a monitoring port, since taps are less likely to drop packets during high traffic load.
On wireless LANs, one can capture traffic on a particular channel, or on several channels using multiple adapters.
On wired broadcast and wireless LANs, to capture traffic other than unicast traffic to the machine running the sniffer, multicast traffic to a multicast group that machine is monitoring, or broadcast traffic—the network adapter capturing the traffic must be in promiscuous mode. Some sniffers support this, but not all. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set the adapter is configured for are usually ignored. To see those packets, the adapter must be in monitor mode.
When traffic is captured, either the entire contents of packets are recorded, or the headers are recorded without recording the total content of the packet. This can reduce storage requirements, and avoid legal problems, yet provide sufficient information to diagnose problems.
Captured information is decoded from raw digital form into a human-readable format that lets users easily review exchanged information. Protocol analyzers vary in their abilities to display data in multiple views, automatically detect errors, determine root causes of errors, generate timing diagrams, reconstruct TCP and UDP data streams, etc.
Some protocol analyzers can also generate traffic and thus act as the reference device. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the DUT’s ability to handle errors.
Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets (or a slice of the packet) to a disk array. This allows historical forensic analysis of packets without users having to recreate any fault.
Vulnerability Scanner
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
They can be run either as part of vulnerability management by those tasked with protecting systems – or by black hat attackers looking to gain unauthorized access.
Types
- Port scanner (e.g. Nmap)
- Network vulnerability scanner (e.g. Nessus, SAINT, OpenVAS)
- Web application security scanner (e.g. Nikto, w3af)
- Database security scanner
- Host based vulnerability scanner (Lynis)
