Reviews of Network security scanning tools

Reviews of Network security scanning tools

Post by Audit Divisio » Wed, 04 Jun 1997 04:00:00



Can anyone direct me to any 'independent' reviews of the various network
security scanners that are available, e.g. SATAN, ISS?

I am currently using SATAN, however I am interested to hear about the
commercial products that are available as well as the other freeware ones.

People's comments about their experience with network scanners would also be
appreciated.

Thank you

Ross Richards
Systems Auditor
NBS Bank Limited
South Africa

 
 
 

Reviews of Network security scanning tools

Post by Matthew V. McClu » Wed, 04 Jun 1997 04:00:00


I am looking for a tool that will scan my internal network for web servers
that are running on any machine within that net.  I don't want any unauthorized
web servers running out there, but I need to know if there are.

Matt

 
 
 

Reviews of Network security scanning tools

Post by Chris Kilbou » Fri, 06 Jun 1997 04:00:00






> >I am looking for a tool that will scan my internal network for web servers
> >that are running on any machine within that net.  I don't want any unauthorized
> >web servers running out there, but I need to know if there are.

>         You can try getting strobe and then running it on all the
> machines in your internal network, depending on the size of the
> network this may or may not be reasonable.  Another more efficient
> way, would be writing a script that checks port 80 on machines on your
> network to see if a web server is running there or not.

The other option would be to use a packet analyzer that has a filter
set up to look for http traffic on any port.  Etherpeek for Mac does
a great job at something like this.

Regards,
Chris

--
______________________________________________________________
Chris Kilbourn                                  digital.forest

  Hosting your Macintosh Web server on a T1 for $300 a month.

 
 
 

Reviews of Network security scanning tools

Post by Nishnabotna Be » Sat, 07 Jun 1997 04:00:00



> I am looking for a tool that will scan my internal network for web servers
> that are running on any machine within that net.  I don't want any unauthorized
> web servers running out there, but I need to know if there are.

There are some pretty simple ways to do this, and you've probably already
discovered one by now, but there's one thing you should remember about
* web servers.

Some people, to avoid detection by simple tools, put up web services on
different ports...if it's really important to know what's going on with
your network, you might want to invest in a good commercial package with
port scanning and run it on a regular basis.  ISS might be a good choice.

======================================================================
|                                |                                   |
| Nishnabotna Bend Technologies  | Visit us & request a free issue   |
| Advanced Technology Consulting | of our weekly security report. We |
| Networks-Security-Computing    | summarize current security news   |
| http://www.veryComputer.com/     | and alerts for you!               |
|                                |                                   |
======================================================================

 
 
 

Reviews of Network security scanning tools

Post by Brian Mitche » Sun, 08 Jun 1997 04:00:00


>There are some pretty simple ways to do this, and you've probably already
>discovered one by now, but there's one thing you should remember about
>* web servers.

>Some people, to avoid detection by simple tools, put up web services on
>different ports...if it's really important to know what's going on with
>your network, you might want to invest in a good commercial package with
>port scanning and run it on a regular basis.  ISS might be a good choice.

or maybe a packet sniffer that looks for html commands; need to look for
stuff like USER/PASS too, since some ftp commands are similar to HTML
commands, so it can't be completely brain dead.
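The sniffer approach in the post above needs exactly the discrimination it describes: HTTP request lines look much like other line-oriented protocols, so a filter keyed on "any ASCII command" would also catch FTP's USER/PASS. What follows is an added example, not code from the thread or from any tool named in it, of a classifier that a capture filter could apply to the first line of each new connection so that HTTP is recognised on any port while FTP commands are not mistaken for it. The flow records at the bottom are constructed for the demonstration.

```python
"""Classify the first line of a captured TCP payload as HTTP, FTP or other.

Added example, not from the thread: the check a sniffer filter would apply
to the first bytes of each new connection, so that "GET / HTTP/1.0" counts
as web traffic on any port while "USER anonymous" is recognised as an FTP
command rather than a web request.  SAMPLE_FLOWS is constructed for the demo.
"""
import re
from collections import Counter

# HTTP/1.x request line (RFC 1945 / RFC 2068): METHOD SP request-URI SP HTTP/major.minor
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE)[ \t]+\S+[ \t]+HTTP/\d\.\d\r?\n")
# HTTP/0.9 "simple request": GET SP request-URI CRLF with no version (old browsers send it).
HTTP09_REQUEST = re.compile(rb"^GET[ \t]+\S+\r?\n")
# HTTP status line: HTTP/major.minor SP 3-digit status, seen on the server-to-client side.
HTTP_RESPONSE = re.compile(rb"^HTTP/\d\.\d[ \t]+\d{3}")
# FTP control commands (RFC 959): upper-case verb, optional argument, CRLF.
FTP_COMMAND = re.compile(
    rb"^(USER|PASS|ACCT|CWD|QUIT|PORT|PASV|TYPE|RETR|STOR|LIST|NLST)([ \t]+[^\r\n]*)?\r?\n")


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'ftp' or 'other' for the start of a TCP stream."""
    if (HTTP_RESPONSE.match(payload) or HTTP_REQUEST.match(payload)
            or HTTP09_REQUEST.match(payload)):
        return "http"
    if FTP_COMMAND.match(payload):
        return "ftp"
    return "other"


def find_web_servers(flows):
    """flows: iterable of (client_ip, server_ip, server_port, first_payload).

    Returns (counts, servers): a Counter of labels and the sorted list of
    (server_ip, server_port) pairs that exchanged HTTP, whatever the port.
    """
    counts = Counter()
    servers = set()
    for _client_ip, server_ip, server_port, payload in flows:
        label = classify_payload(payload)
        counts[label] += 1
        if label == "http":
            servers.add((server_ip, server_port))
    return counts, sorted(servers)


# Constructed sample flows: (client, server, server port, first payload bytes seen).
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"),
    ("10.0.1.21", "10.0.0.7", 8080, b"HTTP/1.1 200 OK\r\nServer: Apache/1.2\r\n\r\n"),
    ("10.0.1.22", "10.0.0.9", 21, b"USER anonymous\r\n"),
    ("10.0.1.22", "10.0.0.9", 21, b"PASS guest@example\r\n"),
    ("10.0.1.23", "10.0.0.11", 8000, b"GET /\r\n"),          # HTTP/0.9 on a high port
    ("10.0.1.24", "10.0.0.13", 25, b"HELO mail.example\r\n"),  # SMTP, neither http nor ftp
]

if __name__ == "__main__":
    counts, servers = find_web_servers(SAMPLE_FLOWS)
    print(dict(counts))
    for ip, port in servers:
        print(f"web server at {ip}:{port}")
```

Matching the whole request line, including the `HTTP/x.y` version token, is what keeps a bare verb such as `USER` or `HELO` out of the HTTP bucket; the HTTP/0.9 pattern is the one place the version is absent, and it is restricted to `GET` for that reason.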
 
 
 

Reviews of Network security scanning tools

Post by Ian Stirlin » Sun, 08 Jun 1997 04:00:00



: I am looking for a tool that will scan my internal network for web servers
: that are running on any machine within that net.  I don't want any unauthorized
: web servers running out there, but I need to know if there are.

You don't need http to run web-servers, ftp, nntp, gopher can all be
used (some not as easily)

: Matt

--

Notice: Anyone mailing to this account should check the notices in the header.
Ian Stirling.                     Currently designing a new PDA, see homepage.
Homepage:                         http://www.mauve.demon.co.uk/
Get off a shot FAST, this upsets him long enough to let you make your
second shot perfect.
Robert A Heinlein.

 
 
 

Reviews of Network security scanning tools

Post by Chris Wal » Wed, 11 Jun 1997 04:00:00




>Perhaps the only real way to completely check for web servers is to log
>into each machine on the net and check for any unknown processes that are
>listening on nonstandard port numbers (which would also catch * ftp
>servers, telnet servers, etc.). If your routers are smart enough, they
>could listen for HTTP requests, but I don't know if that's even possible.

Just do a port scan on each host.   This should be close to a one-liner
with netcat.  Might take a while to run, though.

--

ECE Dept., Northwestern Univ.           for PGP 2.6.2 public key
Evanston, IL                            1-847-491-8141
  "Warning: really *ed make detected" -- procmail Makefile
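Between them, the replies so far describe one procedure three ways: check port 80 on every host, port-scan each host with netcat and read the output by hand, and remember that a web server may sit on any port. The script below is an added example, not code from the thread, that folds those into one pass: it connects to each (host, port) pair, sends a minimal HEAD request and records a web server only when an HTTP status line comes back, so a listener on port 8000 is found and an FTP banner on port 21 is not. The host and port lists in main() are placeholders.

```python
"""Inventory HTTP servers on an internal network whatever port they use.

Added example, not from the thread: instead of only checking whether port 80
answers, connect to every (host, port) pair, send a minimal HEAD request and
record a web server only when the reply begins with an HTTP status line.
The hosts and ports in main() are placeholders.
"""
import socket
from typing import Iterable, List, Optional, Tuple


def probe_http(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Return the HTTP status line if an HTTP server answers on host:port, else None.

    Anything that refuses the connection, times out, or answers with something
    other than "HTTP/x.y NNN" (an FTP banner, an SMTP greeting, a listener that
    expects TLS rather than plaintext) yields None.
    """
    request = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("ascii", "replace")
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            conn.sendall(request)
            data = b""
            # Read only until the first line is complete; the status line is all we need.
            while b"\n" not in data and len(data) < 512:
                chunk = conn.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    status_line = data.split(b"\n", 1)[0].strip()
    if status_line.startswith(b"HTTP/"):
        return status_line.decode("ascii", "replace")
    return None


def inventory(hosts: Iterable[str], ports: Iterable[int],
              timeout: float = 2.0) -> List[Tuple[str, int, str]]:
    """Return (host, port, status_line) for every listener that spoke HTTP."""
    ports = list(ports)
    found = []
    for host in hosts:
        for port in ports:
            status = probe_http(host, port, timeout)
            if status is not None:
                found.append((host, port, status))
    return found


if __name__ == "__main__":
    # Placeholder targets: substitute the address ranges and ports you administer.
    hosts = ["10.0.0.%d" % n for n in range(1, 255)]
    ports = [80, 81, 8000, 8008, 8080, 8888]
    for host, port, status in inventory(hosts, ports, timeout=1.0):
        print(f"{host}:{port}  {status}")
```

A HEAD with HTTP/1.0 keeps the probe to one request and one line of reply. Servers that only speak HTTP/0.9 answer with a body and no status line, and a listener expecting TLS answers with nothing readable, so treat None as "not plaintext HTTP" rather than "not a web server" and keep the plain port scan alongside it.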

 
 
 

Reviews of Network security scanning tools

Post by Ian Stirlin » Wed, 11 Jun 1997 04:00:00





: >
: >Perhaps the only real way to completely check for web servers is to log
: >into each machine on the net and check for any unknown processes that are
: >listening on nonstandard port numbers (which would also catch * ftp

: Just do a port scan on each host.   This should be close to a one-liner
: with netcat.  Might take a while to run, though.

It's not only httpd's you need to look for, also gopher, ftpd,
nntpd.
Also fingerd could be used to host webpages, if someone has as many
users as pages involved.
(and can be accessed by standard browsers, just quoting gopher:???:79???
as the URL)

I suppose NFS, appleshare, and other remote disk mounters could be used,
though they would need an external page somewhere else, detailing
how to get onto the site.

--
Ian Stirling.   Designing a linux PDA, see  http://www.veryComputer.com/
-----******* If replying by email, check notices in header *******-------
Money is a powerful aphrodisiac, but flowers work almost as well.
Robert A Heinlein.

 
 
 

Reviews of Network security scanning tools

Post by Chris Wal » Thu, 12 Jun 1997 04:00:00




>It's not only httpd's you need to look for, also gopher, ftpd,
>nntpd.
>Also fingerd could be used to host webpages, if someone has as many
>users as pages involved.
>(and can be accessed by standard browsers, just quoting gopher:???:79???
>as the URL)

Fair enough.  Still sounds like a one-liner with netcat, followed by
some human interpretation of the output.


>I suppose NFS, appleshare, and other remote disk mounters could be used,
>though they would need an external page somewhere else, detailing
>how to get onto the site.

>--
>Ian Stirling.   Designing a linux PDA, see  http://www.veryComputer.com/
>-----******* If replying by email, check notices in header *******-------
>Money is a powerful aphrodisiac, but flowers work almost as well.
>Robert A Heinlein.

--

ECE Dept., Northwestern Univ.           for PGP 2.6.2 public key
Evanston, IL                            1-847-491-8141
  "Warning: really *ed make detected" -- procmail Makefile
 
 
 

Reviews of Network security scanning tools

Post by Ian Stirlin » Thu, 12 Jun 1997 04:00:00



: >Also fingerd could be used to host webpages, if someone has as many
: >users as pages involved.
: >(and can be accessed by standard browsers, just quoting gopher:???:79???
: >as the URL)

: Fair enough.  Still sounds like a one-liner with netcat, followed by
: some human interpretation of the output.

What is netcat? Is it similar to netpipes?
(which basically extends pipes over the net.)

--
Ian Stirling.   Designing a linux PDA, see  http://www.mauve.demon.co.uk/
-----******* If replying by email, check notices in header *******-------
Two parrots sitting on a perch. One asks the other, "Can you smell fish?"

 
 
 

Reviews of Network security scanning tools

Post by Chris Wal » Fri, 13 Jun 1997 04:00:00




>What is netcat?

It's a neat tool.  Undoubtedly available from the coast archive.

From its README:

Netcat is a simple Unix utility which reads and writes data across network
connections, using TCP or UDP protocol.  It is designed to be a reliable
"back-end" tool that can be used directly or easily driven by other programs
and scripts.  At the same time, it is a feature-rich network debugging and
exploration tool, since it can create almost any kind of connection you would
need and has several interesting built-in capabilities.  Perhaps some
equivalent to netcat, or "nc" as I prefer to name the actual program, should
have been written and distributed ten years earlier as another one of those
cryptic but fundamental Unix tools that we all use daily without even thinking
about it.
[...]
Some of netcat's major features are:

     Outbound or inbound connections, TCP or UDP, to or from any ports
     Full DNS forward/reverse checking, with appropriate warnings
     Ability to use any local source port
     Ability to use any locally-configured network source address
     Built-in port-scanning capabilities, with optional randomizer
     Built-in loose source-routing capability
     Can read command line arguments from standard input
     Slow-send mode, one line every N seconds
     Optional ability to let another program service inbound connections

--

ECE Dept., Northwestern Univ.           for PGP 2.6.2 public key
Evanston, IL                            1-847-491-8141
  "Warning: really *ed make detected" -- procmail Makefile

 
 
 

Reviews of Network security scanning tools

Post by Ryan Perm » Fri, 13 Jun 1997 04:00:00


netcat is a nifty++ utility that i use almost daily.  it is similar to catting
over the net, with similar ideas as netpipes...   it can be snagged at
ftp.avian.org, and i wish they would start including it with a standard dist, as it
is one of the utils every system should have, along with dig and ncftp.


: : >Also fingerd could be used to host webpages, if someone has as many
: : >users as pages involved.
: : >(and can be accessed by standard browsers, just quoting gopher:???:79???
: : >as the URL)
:
: : Fair enough.  Still sounds like a one-liner with netcat, followed by
: : some human interpretation of the output.
:
: What is netcat? Is it similar to netpipes?
: (which basically extends pipes over the net.
:
: --
: Ian Stirling.   Designing a linux PDA, see  http://www.mauve.demon.co.uk/
: -----******* If replying by email, check notices in header *******-------
: Two parrots sitting on a perch. One asks the other, "Can you smell fish?"
:

 
 
 

Reviews of Network security scanning tools

Post by Ian Stirlin » Fri, 13 Jun 1997 04:00:00





: >What is netcat?

: It's a neat tool.  Undoubtedly available from the coast archive.

Sounds good, like netpipes, which is in the slackware distribution,
but does not have as many features.

--
Ian Stirling.   Designing a linux PDA, see  http://www.mauve.demon.co.uk/
-----******* If replying by email, check notices in header *******-------
Money is a powerful aphrodisiac, but flowers work almost as well.
Robert A Heinlein.

 
 
 

Reviews of Network security scanning tools

Post by Theo de Raa » Sat, 14 Jun 1997 04:00:00


In article <33a000f...@nntp1.nac.net> ta...@millcomm.com (Ryan Permeh) writes:

   netcat is a nifty++ utility that i use almost daily.  it is similar to catting
   over the net, with similar ideas as netpipes...   it can be snagged at
   ftp.avian.org, and i wish they would start including it with a standard dist, as it
   is one of the utils every system should have, along with dig and ncftp.

netcat, or nc(1), is included in OpenBSD.  We even wrote a man page
for it.  The crackers are using it to play with the services provided
by your machines; so should you.

NAME
     nc - Arbitrary tcp and udp connections and listens.

     nc [-e command] [-g intermediates] [-G hopcount] [-i interval] [-lnrtuvz]
     [-o filename] [-p source port] [-s ip address] [-w timeout] [hostname]
     [port[s...]]

DESCRIPTION
     The nc (or netcat) utility is used for just about anything under the sun
     involving TCP or UDP.  It can open tcp connections, send udp packets,
     listen on arbitrary tcp and udp ports, do port scanning, and source rout-
     ing.  Unlike telnet(1),  nc scripts nicely, and separates error messages
     onto standard error instead of sending them to standard output, as tel-
     net(1) does with some.

     Destination ports can be single integers, names as listed in
     /etc/services(5),  or ranges.  Ranges are in the form nn-mm, and several
     separate ports and/or ranges may be specified on the command line.

     Common uses include:

     o   simple tcp proxies

     o   shell-script based http clients and servers

     o   network daemon testing

     o   source routing based connectivity testing

     o   and much, much more

     The options are as follows:

     -e command
             Execute the specified command, using data from the network for
             stdin, and sending stdout and stderr to the network.  This option
             is only present if nc was compiled with the GAPING_SECURITY_HOLE
             compile time option, since it allows users to make arbitrary pro-
             grams available to anyone on the network.

     -g intermediate-host
             Specifies a hop along a loose source routed path.  Can be used
             more than once to build a chain of hop points.

     -G pointer
             Positions the "hop counter" within the list of machines in the
             path of a source routed packet.  Must be a multiple of 4.

     -i seconds
             Specifies a delay time interval between lines of text sent and
             received.  Also causes a delay time between connections to multi-
             ple ports.

     -l      Is used to specify that nc should listen for an incoming connec-
             tion, rather than initiate a connection to a remote host.  Any
             hostname/ip address and port arguments restrict the source of in-
             bound connections to only that address and source port.

     -n      Do not do DNS lookups on any of the specified addresses or host-
             names, or names of port numbers from /etc/services.

     -o filename
             Create a hexadecimal log of data transferred in the specified
             file.  Each line begins with < or >.  < means "from the net" and
             > means "to the net."

     -p port
             Specifies the source port nc should use, subject to privilege re-
             strictions and availability.

     -r      Specifies that source and/or destination ports should be chosen
             semi-randomly instead of sequentially within a range or in the
             order that the system assigns.

     -s hostname/ip-address
             Specifies the ip of the interface which is used to send the pack-
             ets.  On some platforms, this can be used for udp spoofing by us-
             ing ifconfig to bring up a dummy interface with the desired
             source ip address.

     -t      Causes nc to send RFC854 DON'T and WON'T responses to RFC854 DO
             and WILL requests.  This makes it possible to use nc to script
             telnet sessions.  The presence of this option can be enabled or
             disabled as a compile-time option.

     -u      Use UDP instead of TCP.  On most platforms, nc will behave as if
             a connection is established until it receives an ICMP packet in-
             dicating that there is no program listening to what it sends.

     -v      Verbose.  Cause nc to display connection information.  Using -v
             more than once will cause nc to become even more verbose.

     -w timeout
             Specifies the number of seconds nc should wait before deciding
             that an attempt to establish a connection is hopeless.  Also used
             to specify how long to wait for more network data after standard
             input closes.

     -z      Specifies that nc should just scan for listening daemons, without
             sending any data to them.  Diagnostic messages about refused con-
             nections will not be displayed unless -v is specified twice.

EXAMPLES
     nc
       Wait for the user to type what would normally be command-line arguments
       in at stdin.

     nc example.host 42
       Open a TCP connection to port 42 of example.host.  If the connection
       fails, do not display any error messages, but simply exit.

     nc -p 31337 example.host 42
       Open a TCP connection to port 42 of example.host, and use port 31337 as
       the source port.

     nc -w 5 example.host 42
       Open a tcp connection to port 42 of example.host, and time out after
       five seconds while attempting to connect.

     nc -u example.host 53
       Send any data from stdin to UDP port 53 of example.host, and display
       any data returned.

     nc -s 10.1.2.3 example.host 42
       Open a tcp connection to port 42 of example.host using 10.1.2.3 as the
       ip for the local end of the connection.

     nc -v example.host 42
       Open a tcp connection to port 42 of example.host, displaying some diag-
       nostic messages on stderr.

     nc -v -v example.host 42
       Open a tcp connection to port 42 of example.host, displaying all diag-
       nostic messages on stderr.

     nc -v -z example.host 20-30
       Attempt to open tcp connections to ports 20 through 30 of example.host,
       and report which ones nc was able to connect to.

     nc -v -u -z -w 3 example.host 20-30
       Send udp packets to ports 20-30 of example.host, and report which ones
       did not respond with an ICMP packet after three seconds.

     nc -l -p 3000
       Listen on TCP port 3000, and once there is a connection, send stdin to
       the remote host, and send data from the remote host to stdout.

     echo foobar | nc example.host 1000
       Connect to port 1000 of example.host, send the string "foobar" followed
       by a newline, and move data from port 1000 of example.host to stdout
       until example.host closes the connection.

SEE ALSO
     telnet(1),  cat(1),  and the netcat README

AUTHOR
     *Hobbit*  [hob...@avian.org]

OpenBSD 2.0                     August 1, 1996                               3
--
This space not left unintentionally unblank.            dera...@openbsd.org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)
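The man page above documents nc's port syntax (integers, names from /etc/services, nn-mm ranges) and the meaning of -z, -w and the second -v in prose. The following is an added example, written in Python rather than netcat and not taken from the man page or from OpenBSD, that implements the same connect-scan semantics so that the three outcomes a `nc -v -v -z -w 3 host 20-30` run can report (connected, refused, no answer) are explicit return values rather than diagnostics to be read by hand. The host in main() is a placeholder.

```python
"""Connect scan in the spirit of `nc -v -v -z -w <seconds> host nn-mm`.

Added example, Python rather than netcat and not from the man page: parse
nc-style port specs, complete a TCP handshake to each port without sending
data (what -z does), and classify the outcome as open, closed (connection
refused, the diagnostic nc shows only with -v -v) or filtered (no SYN-ACK
and no RST within the -w timeout).  The host in main() is a placeholder.
"""
import errno
import socket
from typing import Dict, Iterable, List


def to_port(text: str) -> int:
    """An integer, or a service name looked up in /etc/services (e.g. "http")."""
    if text.isdigit():
        port = int(text)
    else:
        try:
            port = socket.getservbyname(text)
        except OSError:
            raise ValueError(f"unknown service name {text!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_ports(spec: str) -> List[int]:
    """'20-22,80' -> [20, 21, 22, 80]; ranges are inclusive, duplicates dropped."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (to_port(part) for part in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(to_port(item))
    return sorted(ports)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Complete (or fail) a TCP handshake to host:port and name the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # handshake completed; we close without sending data
    except socket.timeout:
        return "filtered"        # nothing came back within the -w style timeout
    except ConnectionRefusedError:
        return "closed"          # RST came back: nothing is listening there
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port in turn; sequential, like nc without -r."""
    return {port: probe_port(host, port, timeout) for port in ports}


def format_report(results: Dict[int, str], verbosity: int = 0) -> List[str]:
    """Approximate nc's verbosity levels: open ports are always listed,
    filtered/unreachable ones with one -v, refused (closed) ones only with -v -v."""
    lines = []
    for port in sorted(results):
        state = results[port]
        show = (state == "open"
                or (state == "closed" and verbosity >= 2)
                or (state not in ("open", "closed") and verbosity >= 1))
        if show:
            lines.append(f"{port}/tcp {state}")
    return lines


if __name__ == "__main__":
    target = "127.0.0.1"   # placeholder: a host you are responsible for
    results = scan(target, parse_ports("20-30,80,8000-8010"), timeout=3.0)
    for line in format_report(results, verbosity=2):
        print(line)
```

The distinction between "closed" and "filtered" is the one the man page hints at with the second -v: a refused connection means the host is up and answering, while a timeout means a firewall or a dead host, and an inventory that lumps the two together cannot tell a hardened machine from a missing one.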