As a security professional, you need assessment tools to help keep your network secure. In this video, you’ll learn about active vs. passive tools, protocol analyzers, honeypots, and more.
<< Previous Video: Vulnerability Scanning OverviewNext: Assessment Types >>
What devices are connected to your network, and what operating systems are running on those devices? And of those operating systems, do any of them have any security vulnerabilities that we need to know about? Well, one way to go about answering these questions is to use something called an assessment tool on your network.
One type of assessment tool is something that can gather information passively. These would be tools that don’t interactively log into devices. And they’re not trying to break into a device using a vulnerability. Instead, these passive devices try to gather as much information from the outside without directly interacting with those devices.
Something like a packet capture is a good example of a passive assessment tool. But if you really want to go after a system and really see how much information you can get by knocking on the door or trying to see if all of the windows are open, you can use something like an active assessment tool. These devices are things like vulnerability scanners that are configured to log in to devices to see what might be inside of that machine.
They could be things like honey pots or port scanners or even devices that are designed to grab banner information when you first connect to a device. These are actively logging in and actively interacting with those devices. So we put them in the category of an active vulnerability assessment tool. Protocol analyzers are certainly a valuable tool to use when assessing what’s happening on the network.
They’re very passive. Since they’re watching all of the packets go back and forth, we sometimes will see these referred to as sniffers. But of course, the term sniffer is a trademark name from NetScout Systems, but we still generically call it a sniffer in many cases. This is really gathering everything from the network.
So all of the traffic that goes by is gathered, captured into memory or on to disk, and we’re able to go back and see what happened on the network when all of that traffic was going back and forth. One very popular open source version of a protocol analyzer is Wireshark. You can download this for free, load it on your system, and begin gathering packets immediately.
If you really want to see the way an application interacts with your computer or you just want to have an idea of what’s going on across the wire, then Wireshark is an excellent tool to use. If you’re interested in knowing the way an application works across the network or you’re just curious about traffic that may be going across the wire, then a protocol analyzer like Wireshark would be an excellent tool to use.
And it’s remarkable how much information is going across the network that is completely in the clear. You can gather information about where people are going, what they’re surfing the websites they connect to, email information, and even passwords can be found just by analyzing the traffic that goes over your network. Vulnerability scanners are a very useful tool to try to see if there are any problems with applications or servers or operating systems that you might have in your environment.
This is going to give you an idea of where problems might be. Application vulnerability scanners are focused in the way that applications operate. So if you’re trying to find a cross site scripting problem or you want to check to make sure there’s not a database injection vulnerability, then an application scanner would be an excellent choice. Operating system scanners look at the entire operating system, not just the applications that are going over them.
And if you’re thinking about those monthly updates you get from Microsoft that are telling us to patch our systems, and every month we get a series of patches from Microsoft, it’s these types of scanners that are going to be able to tell you if you are completely patched up or if there any holes that a bad guy might use to take advantage of one of these known vulnerabilities. There are a lot of different options for both application scanners and operating system scanners.
Certainly commercial scanners are available. There’s also a number of open source scanners. It just depends on what you would like to be able to scan and just how much information you would like to gather from these scanners. There’s a number of different vulnerability scanners that you can download and try for yourself.
One of the scanners that’s been around for a very long time is called SAINT, used to be called SATAN. And it’s one that you can download and install and run on your system. One that is licensed for home use to use absolutely free is Nessus. And Nikto is a very good application vulnerability scanner. All of these have advantages and disadvantages.
But if you start running one of these scanners, you’ll start to understand exactly how much information you’re able to see by simply scanning all the devices on your network. Just like bears are attracted to honey, the bad guys are attracted to honey pots. These are systems that we would install into our network. They look like an absolutely legitimate machine, a server that might be running in our environment.
And it might even have a door that we’ve simply propped open a little bit just so the bad guys can get in to see what’s going on. And the idea is to get them inside of this system and trap them into what might be happening. A single standalone device we call a honey pot. So the bad guy connects to this single system. And now he’s looking at file information.
He’s going through the file system. He’s trying to log on or even take care of a vulnerability, not understanding, of course, that this system is one that we completely created just so we can trap him here while he performs all of these vulnerability checks. If you want to get a lot of honey pots together on your network, you would have a honey net. And now you can bring the bad guys in and get them moving back and forth between many different systems all at the same time.
If you’d like to install a honey pot on your network, or see what other people are doing, you can go to the Project Honeypot website at projecthoneypot.org. Port scanners are used to try to determine what type of open ports might be available on a system. So if you want to see what a firewall may be passing from a port number perspective, you would want to use something like a port scanner.
This is also a good tool to use if you’d like to identify what an operating system might be or what a specific application version might be running on that operating system based on some of these open port numbers. You can very often determine all of this information without ever logging in, authenticating, or running that particular application. If you’ve ever used a port scanner before, you know that if you’re doing a TCP port scan, that it’s using this three way handshake to be able to see if those ports are open.
Now, take that same idea, do it across many thousands of port numbers on a device. And then do it across all of the devices on your network. And you’ll see how a port scanner can be a valuable network reconnaissance tool. Another useful reconnaissance tool that can be used for assessment is one that can grab banners from the services that might be running on a machine. You’ve probably seen these before if you’ve ever SSHed into a server or you connected to it with a web browser and you looked at the header.
You’ll see there’s a lot of information that is sent back to your machine, even though you’ve not even authenticated to that application. The banner is always going to be there, because the application is configured to always provide that banner information down to the client. Sometimes it’s behind the scenes. It might be in the header of HTTP information.
But if you grab the information from a protocol analyzer or you view a specialized tool that’s designed to grab these banners, you’ll be able to see all of this information. On the screen, I grabbed a banner, really an HTTP header of communication that goes back and forth when you connect to professormesser.com from your browser.
And you can see a lot of information inside of this. One at the very top, though, is the type of web server that you are connecting to. Now, I have a reverse proxy that you connect to before you ever hit the Professor Messer website. And that reverse proxy is running at a place called cloudflare. And you can see the engine that’s running here is engine x.
That is the web server on that reverse proxy. These are the types of details that the bad guys will gather from all of your systems to try to determine if there are some known vulnerabilities they can go after on these devices.