Tools

Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:

· Port scanners
· Vulnerability scanners
· Rootkits
· Sniffers

Later in this article, we use some of these tools in realistic scenarios to demonstrate how easily even a novice hacker or script-kiddie can gain access to an unsecured system.
Port Scanners

Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available, and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap).
The Nmap port scanner is described as follows on the Nmap web site:

Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.[3]
Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.
Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap, refer to the Nmap web site or the nmap(1m) man page.
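The scan behaviour just described (one source probing many ports in a burst, or sending TCP segments with no flags set, as a Null scan does) is what a defender can look for in connection logs. The following detector is an added example, not code from the paper; the log format and the sample lines are constructed, and the threshold and window are arbitrary tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log sample (not from the paper). Fields:
# timestamp  source-IP  destination-IP  dest-port  TCP-flags ("S"=SYN, "A"=ACK, "-"=none)
SAMPLE_LOG = """\
2002-05-01T10:00:00 192.0.2.10 198.51.100.5 22 S
2002-05-01T10:00:00 192.0.2.10 198.51.100.5 23 S
2002-05-01T10:00:01 192.0.2.10 198.51.100.5 25 S
2002-05-01T10:00:01 192.0.2.10 198.51.100.5 80 S
2002-05-01T10:00:02 192.0.2.10 198.51.100.5 110 S
2002-05-01T10:00:02 192.0.2.10 198.51.100.5 143 S
2002-05-01T10:00:05 192.0.2.77 198.51.100.5 80 S
2002-05-01T10:00:06 192.0.2.77 198.51.100.5 80 A
2002-05-01T10:01:00 203.0.113.9 198.51.100.5 21 -
2002-05-01T10:01:00 203.0.113.9 198.51.100.5 22 -
"""

PORT_THRESHOLD = 5              # this many distinct ports from one source ...
WINDOW = timedelta(seconds=10)  # ... within this window counts as a port sweep

def parse_line(line):
    ts, src, _dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, int(dport), flags

def detect_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {source_ip: set_of_reasons} for sources whose traffic looks like a port scan."""
    events = defaultdict(list)   # src -> [(time, dport), ...]
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport, flags = parse_line(line)
        events[src].append((ts, dport))
        if flags == "-":         # a TCP segment with no flags set is what a Null scan sends
            findings[src].add("null-scan packet")
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding time window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= threshold:
                findings[src].add("port sweep")
                break
    return dict(findings)

if __name__ == "__main__":
    for src, reasons in sorted(detect_scans(SAMPLE_LOG).items()):
        print(src, ", ".join(sorted(reasons)))
```

A single normal client (192.0.2.77 above, which only connects to port 80) is not flagged; a slow scan spread over minutes would need a longer window or a per-day distinct-port count.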
Vulnerability Scanners

This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus.
The Nessus vulnerability tool is described on the Nessus web site:

The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way.

Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port; that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability.

Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.[4]
Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.
How Hackers Do It: Tricks, Tools, and Techniques • May 2002
Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:

· Modify system log files to remove evidence of an intruder’s activities.
· Modify system tools to make detection of an intruder’s modifications more difficult.
· Create hidden back-door access points in the system.
· Use the system as a launch point for attacks against other networked systems.
Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, some of which may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information.

Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn what it is used for.
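A host-side check for the promiscuous mode described above, added here as an example and not part of the paper: it reads the per-interface flags that Linux exposes under /sys/class/net (an assumption; the paper's Solaris snoop environment has no such sysfs path) and reports interfaces with the IFF_PROMISC bit set. The sample flag table is constructed.

```python
import glob
import os

# IFF_PROMISC bit from the Linux if.h flag set; Linux exposes an interface's flags
# as a hex string in /sys/class/net/<ifname>/flags (assumption: Linux host)
IFF_PROMISC = 0x100

def parse_iface_flags(text):
    """Turn the sysfs flags file contents (e.g. '0x1103' plus newline) into an int."""
    return int(text.strip(), 16)

def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)

def promiscuous_interfaces(flag_table):
    """flag_table maps interface name -> flags file text; returns names in promiscuous mode."""
    return sorted(name for name, text in flag_table.items()
                  if is_promiscuous(parse_iface_flags(text)))

def read_live_flags(sysfs="/sys/class/net"):
    """Read the flags of every interface on a Linux host into a flag_table."""
    table = {}
    for path in glob.glob(os.path.join(sysfs, "*", "flags")):
        name = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            table[name] = fh.read()
    return table

# Constructed sample (not a real host): eth1 has IFF_PROMISC set on top of
# UP|BROADCAST|MULTICAST (0x1003), which is what a running sniffer leaves behind
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    table = read_live_flags() if os.path.isdir("/sys/class/net") else SAMPLE_FLAGS
    found = promiscuous_interfaces(table)
    print("promiscuous interfaces:", ", ".join(found) if found else "none")
```

Because a rootkit can alter the tools and kernel interfaces such a check relies on, a result of "none" from a suspected-compromised host is not conclusive; a check run from a known-good system, or a network-side look for the clear-text protocols named above, is the stronger control.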