Tools for the attacker, tools for the defender

Like any good tools, network analysis programs can be used for either good or evil. During his weeklong SANS course on in-depth Web application training, Intelguardians consultant Kevin Johnson demonstrated and discussed some of the tools commonly used both by attackers and by Web application penetration testers. These are the tools attackers can use to gain entry to your system, so you should know what they are and what they can do. They are also essential for network security auditing. Most are available for free.

Absinthe: This tool speeds up blind SQL injection, the technique of probing a database in order to insert malicious commands. Good for testing a database for vulnerabilities.

AttackAPI: AttackAPI is a PHP- and JavaScript-based modular client for testing exploits. Working with different modules, it can examine a client browser for holes, show which sites have been visited before, guess user names and passwords, and map hosts on a network.

Browser Exploitation Framework (BeEF): BeEF allows penetration testers to build attacks based on different exploitation techniques. It operates by issuing attacks through zombie computers already under control. It has modules for actions such as stealing data from user clipboards, browsing the user's history, and injecting JavaScript into a user session.

Burp Suite: Burp Suite is a bundle of Web application attacker tools assembled into one easy-to-use interface. It includes a proxy to intercept network packets, a spider that can scan an application for exposed functionality, an intruder for customizing attacks on the site, and a decoder for fingerprinting databases. It even has a set of application programming interfaces for extending functionality with third-party tools.

CAL9000: This tool is actually a Web page that serves as a framework for testing exploitation code. It includes a testing checklist, an attack library, a scratch pad, and various encoders and decoders.

Net-Square's HTTPrint: HTTPrint fingerprints servers, reporting not only what the server claims to be but, in cases where the server deliberately reports the wrong information, inferring the correct software from its operating characteristics. Netcraft uses HTTPrint to profile servers for its service.

Netcat: Often referred to as the Swiss Army Knife of TCP/IP, Netcat allows administrators to issue commands over a network. It's useful for checking configurations on remote machines, as well as for issuing those machines commands. It can also be scripted to automate many remote-control procedures.

Nikto: Nikto is a Web server vulnerability scanner that can look for open directories, configuration files, open ports, and holes in Common Gateway Interface (CGI) scripts.

NMAP: This tool can scan ports as well as return information about the operating system the server is running. Zenmap is a graphical user interface for NMAP.

Paros: Paros is a combination proxy and packet scanner. It allows you to intercept, inspect and even modify packets between a Web server and a browser. It can be used in conjunction with the SwitchProxy add-in for Firefox, which diverts packets through proxies such as Paros.

Foundstone's SiteDigger and Sensepost's Wikto: Both tools can conduct automated searches through Google, which can be useful for finding user names, passwords, sensitive files and other valuable information. Either may require a Google API search key.

Sourcefire's Snort: Snort is a command-line-based network activity analyzer. It can read packets off the network or log them to disk. It also allows administrators to set up rules to watch for, and even filter out, malicious activity.
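To show what "setting up rules to watch for malicious activity" looks like in practice, here is an added example (written for this page, not Snort's own code) of a toy signature matcher: it parses a small subset of Snort's rule syntax (action, protocol, destination port, msg, content with |hex| escapes, nocase, sid) and runs the rules over a few constructed packets. The rule text, packet payloads and sid numbers are all made up for the illustration.

```python
"""Toy Snort-style rule matcher (added illustration; not Snort's code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str                                  # port as a string, or "any"
    msg: str = ""
    sid: str = ""
    contents: list = field(default_factory=list)   # every content must be present
    nocase: bool = False


# Header: "alert tcp <src> <sport> -> <dst> <dport> ( options )"
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+"
    r"\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def _decode_content(text):
    """Turn Snort content text into bytes; '|0d 0a|' runs are hex bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return out


def parse_rule(line):
    """Parse one rule line. Options are split on ';', so this toy parser
    does not handle ';' or ':' inside quoted content (Snort does)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = Rule(m["action"], m["proto"], m["dport"])
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = value
        elif key == "content":
            rule.contents.append(_decode_content(value))
        elif key == "nocase":
            rule.nocase = True
    return rule


def rule_matches(rule, pkt):
    """True when protocol, destination port and all content strings match."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt.dst_port:
        return False
    payload = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)


def scan(rules, packets):
    """Return one (sid, msg) tuple per firing alert rule, in packet order."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]


# Constructed rules in Snort syntax (sids and messages are invented here).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"WEB-SQL union select attempt"; content:"union select"; nocase; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal"; content:"|2e 2e 2f|"; sid:1000003;)',
]]

# Constructed sample traffic, not a real capture.
PACKETS = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    Packet("tcp", 80, b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.0\r\n\r\n"),
    # URL-encoded variant: a raw content match misses it. Snort's HTTP
    # preprocessor normalizes %20 before matching; this toy does not.
    Packet("tcp", 80, b"GET /item?id=1%20UNION%20SELECT%201,2 HTTP/1.0\r\n\r\n"),
    # Same string on a port the rules do not cover: no alert.
    Packet("tcp", 443, b"/etc/passwd mentioned on another port"),
]

if __name__ == "__main__":
    for sid, msg in scan(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The fourth packet is the point worth taking away: a content rule is only as good as the normalization applied before it, which is why real Snort deployments lean on the HTTP preprocessor rather than raw byte matches alone.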

THCSSLCheck and Foundstone's SSLDigger: Both of these tools can query a remote server and return a list of the Secure Sockets Layer-based encryption ciphers and protocols it supports.

Tcpdump and Windump: Two more command-line tools that sniff network traffic. Windump is a port of Tcpdump to Microsoft Windows.

WebScarab: WebScarab can spider a Web site, as well as search the content for vulnerabilities. It allows users to write their own plug-ins to test for new vulnerabilities.

Cace Technologies' Wireshark: Wireshark is a packet analyzer that lets users examine all the packets flowing through a computer's network connection, including packets destined for other hosts. It can filter packets, color-code different sections of the packets, and export what is captured to a variety of file formats.

XSS Assistant: Used in conjunction with the Firefox Greasemonkey plug-in, this program spots each form field on a Web page you visit and provides a list of injection methods, or ways to use faulty coding of the form to inject malicious code into the system.

XSS-Proxy: XSS-Proxy is a tool for crafting cross-site scripting attacks that, using an XSS-vulnerable site, allow the attacker to take control of a user's browser, permitting the attacker to steal cookies, hijack the browser to visit a Web page, and run arbitrary JavaScript code.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
