Paranoid Penguin - Seven Top Security Tools
Scanning, Probing and Fuzzing: Caution
I enjoy using and writing about port scanners, security scanners and other offense-oriented security tools. In the hands of a careful and responsible user, they serve an important role in validating system and network security.
They also carry significant potential for abuse, however, so much so that if someone unexpectedly discovers you using such tools against their system, they probably won't assume you're trying to help them. Never scan any host you haven't been authorized explicitly to scan.
Also, never install a security scanner on a bastion host (a hardened, publicly accessible server). Such hosts are at higher-than-average risk of being compromised by outsiders, so they're the last place to keep security-probing tools. If you need to do your scans on the same LANs as your target systems, get a laptop computer. A used laptop capable of running Nmap, Nessus and other tools shouldn't cost you more than $350 US, and I do much of my own scanning and penetration-testing with such a system.
Before we leave the realm of security validation checking, let's consider Web application security. Web applications constitute the single largest area of growth both in Internet-accessible services and in externally exploitable system vulnerabilities. So how do we test the security of our Web applications?
You might think that Nessus is a good start, and it is, but mainly for generic Web dæmon security. Most of what Nessus tells us about Web services applies to the server dæmon itself, such as Apache, not to the actual Web content it serves up. It doesn't tell us whether our custom Web applications do proper input validation, whether they're vulnerable to cross-site scripting vulnerabilities, whether they're vulnerable to fuzzing attacks (in which expected parameters are altered or fuzzed) and so forth. That's where tools like Paros come in.
Paros (Figure 2) is a free tool released under the Clarified Artistic License, and it's written in Java. You need the Java Runtime Environment installed in order to use Paros. You can download both Paros' executable JAR file and its complete source code from www.proofsecure.com.
Paros works on a principle common to the new generation of Web security tools. You run it as a local proxy on your scanning workstation, and all the interaction between your local browser and the target Web server is brokered by the security tool. In this way, you can capture an outbound query, alter or fuzz it and then send it along to the server. For example, suppose your Web application uses a form with pull-down menus, and you want to make sure that the application is validating input properly. With Paros, you could replace pull-down menu options arbitrarily with random strings—blozzle instead of monday—and see that query's effect on the application.
Paros also supports several scanning-type features, such as directory traversal. Although the JRE can be taxing on older systems, overall Paros is a flexible and user-friendly tool. Furthermore, being Java-based, it's cross-platform. I've also used it on several different flavors of Windows.
Paros isn't the only free fuzzing proxy. I also should mention Dave Aitel's SPIKE Proxy. It too acts as a local proxy but has the ability to run automated fuzzing attacks based on things it learns about the target site by watching you interact with it. SPIKE has the added advantage of being written in Python, which means much less CPU and memory overhead than Paros requires.
I'm closing my little survey with a forensics tool: William Salusky's F.I.R.E., the Forensics and Incident Response Environment. It's unpleasant to contemplate, but no matter how careful and proactive you are, you may nonetheless someday experience a system compromise. If you do and you want to understand how and why, F.I.R.E. can help.
F.I.R.E. is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering data from them. You can use it either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the CD-ROM in a running but feared-compromised Linux system and running tools directly off the CD. The latter technique is useful particularly when you don't trust the system's binaries, as when you fear they've been replaced by rootkit or trojaned versions, but can't take the system off-line just yet.
Besides analysis, F.I.R.E. makes it easy to copy data from the compromised system to other hosts on your network. F.I.R.E. also includes the X Windows System and a variety of both command-line and X-based security tools (including Nmap and Nessus). You can use F.I.R.E. to transform an ordinary Windows laptop into an awesome penetration-testing juggernaut. And at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehendable even by those of us who aren't full-time computer forensics specialists. You can learn all about and obtain F.I.R.E. at fire.dmzs.com.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Google's SwiftShader Released
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Managing Linux Using Puppet
- Interview with Patrick Volkerding
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Non-Linux FOSS: Caffeine!
- SuperTuxKart 0.9.2 Released
- Tech Tip: Really Simple HTTP Server with Python
- Parsing an RSS News Feed with a Bash Script