Loading
A Penetration Tester's Toolkit
Ever wonder exactly how vulnerable your network is? Using these tools can give you an idea and provide the means to protect yourself.
I don't know about you, but during the years of my IT career, I've become more and more concerned with security. I'm sure everyone has to a certain degree, but for me, it has become a daily part of my job (not that I'm complaining; on the contrary, it's quite exciting). As such, there are a multitude of tools I've used to get said job done. Some I like, and some I don't. But, I keep coming back to three in particular: Nmap, Nessus and Metasploit.
In this article, I introduce these three tools at a high level to give you an idea of how to use them and what to use them for. I also provide some examples from my own experiences to better explain how I use these tools (and how you could possibly use them) in the real world.
Nmap is my go-to tool when beginning my investigations on systems. Nmap has enjoyed quite a long life, starting back in 1997. It's a scanning tool that allows you to perform various tasks, such as remote scanning, fingerprinting, monitoring, inventory and other such functions. It utilizes various techniques like packet manipulation to get the answers to questions like the types of operating systems in use or the version of Web serving software that's running on a target. It's great information if you are to protect your network successfully.
The next tool in my bag is Metasploit. Metasploit has come a long way since its creation in early 2003. Metasploit is a framework for developing and testing vulnerabilities (these are its core functions; its features seem almost limitless at times). It's a great tool for testing server security (just be sure to use test servers, because you never know when code could crash a box).
Finally, the last (but certainly not least) tool in my bag is Nessus. Nessus is a scanner similar to Nmap and has been around almost as long (since 1998). However, Nessus is capable of running vulnerability code against a machine like Metasploit (whereas Metasploit can be used both to develop and run exploitation code), but at a much simpler level. In fact, that's Nessus' strong point; it's easy to use, like Nmap, and it has some of the strengths of Metasploit. Depending on the situation, I may use one or all of these tools, which brings me to a good point—duplication.
Redundant features aren't bad. For example, each one of these tools are capable of doing basic scans. However, you will find that Nmap runs the fastest and offers the least intrusive scanning method. These are the things to consider when taking into account each of these tool's features and how to best use them.
Regardless of the duplicating features in these tools, take the time to learn each tool's individual features to find what works best for you. You might discover that although Nmap is fast, you like the idea of scanning and exploiting with Nessus (all in one step, if you will). You might like the simplicity of Nessus but need the strength of Metasploit (for scripting and grouping tests together). Even though they all get the job done, it depends on your situation as to how you use these tools.
The first thing to do is install these tools. Because this article is in Linux Journal, I assume you're running this on a Linux platform, but all of these tools work on Windows as well. You could install these tools from your repositories, but I recommend going to each tool's Web site and installing from its packages (this ensures that you get the latest version with all current fixes and gives you the best success for installation).
Installation is pretty straightforward; just follow the steps from each tool's respective site, and you'll be fine. As soon as the tools are installed, it's time to start playing with them. I highly recommend that you have either a virtual machine or a test machine of some sort as your first target, so as not to crash anything critical. Nothing's worse than running a scan against a box, only to find out that you crashed it by accident (very high possibility with Nessus and Metasploit, depending on what you are doing) and interrupted someone's work.
For the purpose of this article, I'm going to set up an example scenario. I am going to use a virtual machine with Windows XP (SP3) loaded on it to run these three tools against. This machine will be a fresh install with no patches and the firewall disabled. The reason for this, quite simply, is to be realistic when running these scans. More often than not, I have come across this very machine, sitting in a corner, collecting dust and running some sort of old-mission-critical app (I'm sure you've encountered something similar). Especially in large environments, these machines are very easy to forget about and can give you the biggest amount of trouble. I have configured the host machine to use an IP of 192.168.56.1, and the guest machine to use an IP of 192.168.56.101.
Figure 1. Windows XP Machine
Figure 2. Scanning Machine
Let's start with Nmap to begin the information-gathering stage (you have to know what you're working with) on your target. Because you know the IP of the machine in question, you don't have to but just as easily could run a scan against a subnet or some other subset of IP addresses. For this article, let's stick with 192.168.56.101. In your terminal, run the following (remember that you can run this command as a regular user on the machine, as long as said user has access to /usr/bin/):
nmap -sV -A -v 192.168.56.101 > /tmp/nmap-output
I always send the output to a file, as it's easier to read through afterward. Before delving into the output, however, let's look at those switches:
-
-sV— this tells Nmap the type of scan. In this case, it's a version scan to see what programs are running on what ports (where available). -
-A— this tells Nmap to run a fingerprint check. This means Nmap will attempt to identify the version of the OS and any related information correctly. -
-v— verbosity—this is important, as you need this to get critical information from Nmap.
Note:
When it comes to tools like Nmap, man pages are your friend. Remember that these tools are extremely complex and have a lot of functions, and that means a lot of switches. When in doubt, always refer to the man pages, lest you use the wrong switch and accidentally crash a box (easily done with tools like Nessus).
______________________
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Web & UI Developer (JavaScript & j Query)
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- another very interesting
2 min 49 sec ago - Reply to comment | Linux Journal
1 hour 56 min ago - Reply to comment | Linux Journal
8 hours 50 min ago - Reply to comment | Linux Journal
9 hours 6 min ago - Favorite (and easily brute-forced) pw's
10 hours 57 min ago - Have you tried Boxen? It's a
16 hours 49 min ago - seo services in india
21 hours 21 min ago - For KDE install kio-mtp
21 hours 21 min ago - Evernote is much more...
23 hours 21 min ago - Reply to comment | Linux Journal
1 day 8 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
Great post .Thank you for
Great post .Thank you for this article.
I'm not really into networking, so being able to use such tools is very convenient to me... Temizlik şirketleri
The botheration I see is that
The botheration I see is that Microsoft bankrupt their own disciplinarian archetypal and a lot of humans are XP users still because they can't allow to bandy out all or a lot auto diagnostics of of their hardware. These humans don't apperceive about or accept alone Linux, conceivably because their in abode software will not plan beneath WINE. There is ReactOS, but ReactOS is not abiding and it is not adapted for day to day use yet.
Very cool article. I have
Very cool article. I have used all these tools (been a while since I used nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article thank you!
Nmap is a great tool for this
Nmap is a great tool for this type of work. Have you had a look at OpenVAS?
I think an article on OpenVAS would be a good follow up.
Thanx
Thank you for this article. A must read !
I'm not really into networking, so being able to use such tools is very convenient to me :)
Good Article. Should get
Good Article. Should get people interested enough to try these tools out.
As for ease of use metasploit also has a good frontend: Armitage.
Progress in engineering
Progress in engineering haven't left the car industry guiding. Do-it-yourself devices can be a issue of your earlier. You could no extra get less than the hood of auto diagnostics the auto to remove elements and put them jointly with out stressing in regards to the car's doing work. Now, fuel techniques, ignition timing, temperature sensors, and so on. are managed and supervised by way of sophisticated pc systems.
Your missing The
Your missing The Social-Engineer Toolkit -- One of the best ones out there as well. Good article!
Cool
This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)