Slashdot Mirror


Nmap Security Tool Survey

spring writes "Every so often, the author of everyone's favorite network reconnaissance tool, nmap, runs a survey to determine which security-oriented software products are most popular. This year's tool survey was just released, and it contains some interesting results. Old favorites like Nessus, Snort, Netcat, and Ethereal made the list, of course. SAINT and SARA are still around. But a number of new tools appeared this year, like Windows-only GFI LANguard, SuperScan, and Cain & Abel. Nikto and Kismet demonstrate the growing importance of wireless networks. The survey contains many good tools. Certainly worth a read."

38 of 104 comments

  1. Security tools are awesome, but.... by whiteranger99x · · Score: 5, Insightful

    remember that these tools aren't going to be the "end all/be all" of network security.

    You also have to have a good preventive security plan, which these tools will help out in. However, there should also be a plan of action should these security measures get bypassed (i.e. an insider job, program exploits, trojans, etc...)

    But that's just my contention...

    --
    Join the TWIT army now!
    1. Re:Security tools are awesome, but.... by FiDooDa · · Score: 5, Insightful

      > remember that these tools aren't going to be the "end all/be all" of network security.

      Isn't that why they are called tools and not solutions?!?!

    2. Re:Security tools are awesome, but.... by whiteranger99x · · Score: 3, Insightful

      > Isn't that why they are called tools and not solutions?!?!

      Fair enough, I agree with you there. I simply meant to say that sometimes these tools are referred to as a complete solution, which is most likely a misnomer.

      --
      Join the TWIT army now!
    3. Re:Security tools are awesome, but.... by FiDooDa · · Score: 2, Insightful

      > sometimes these tools are referred to as a complete solution, which is most likely a misnomer.

      sooo true, I (unfortunately) witnessed it too many times.

    4. Re:Security tools are awesome, but.... by ChazeFroy · · Score: 2, Informative

      > Nikto...demonstrate[s] the growing importance of wireless networks.

      Last I checked, Nikto had nothing to do with wireless networks. It's a web server scanner based off Whisker.

    5. Re:Security tools are awesome, but.... by SEWilco · · Score: 4, Insightful

      There is also no requirement to depend upon a single tool. Having alarms on your doors doesn't protect your windows. Perimeter detectors establish a fence, while tripwires, beams, and area detectors offer notification of activity in different ways -- and design is affected by issues such as whether or not you have a cat. Don't limit your design to only using one tool, consider your needs and the variety of tools.

    6. Re:Security tools are awesome, but.... by jjb · · Score: 3, Insightful
      I totally agree. But they're tools, not "solutions."


      Anyway, Defense in Depth is always good -- if an attacker penetrates the firewall, it's good to have hosts that are harder to crack. If the host gets cracked, you'd want to have an incident response plan and policy so that you can contain the damage.


      In Bastille Linux's defense, we try very hard to educate the sysadmin/user so they'll make better decisions. Bastille tries to educate the user, to help her build a good hardening policy for her hosts and hopefully her site.


      And that education is one of the few things that will actually keep your sysadmins or users from blowing the entire site's security away with a bad decision... Who cares if you're proactively scanning for open ports when you don't know why some of those open ports are worse than others? Your admin has to know that allowing Samba/CIFS/Windows filesharing through the perimeter firewall is asking to be hurt badly. Your admin has to know that setting every Unix box to give root via rsh from a particular (spoofable) IP address is asking for a domino effect.


      Education, unfortunately, is the hardest step.

  2. I know the *most* popular security purchase..... by AMuse · · Score: 3, Informative

    It's These Guys.

    When a windows java exploit can reformat your disk by visiting a malformed web page, you don't really have to wonder why they're so popular.

  3. Fine set of tools. by Jack+Va1enti · · Score: 5, Funny

    Hilary and I intend to run these against every machine in the world, ferreting out and destroying those eeeevil P2P pirates!

  4. Ethereal a security tool ? by Rosco+P.+Coltrane · · Score: 3, Informative

    Ethereal == tcpdump with graphical interface. Incredibly nice tool, but hardly a security tool.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Ethereal a security tool ? by the+uNF+cola · · Score: 4, Insightful

      You'd be surprised. tcpdump/ethereal is great for say, when some jerk is trying to DOS you and you need to know how.

      Knowing the how allows you to put in filters. Filters allow you to operate.

      --
      "I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo

    2. Re:Ethereal a security tool ? by Rosco+P.+Coltrane · · Score: 3, Informative

      Of course, but I mean it's not a security tool per se, it's a general purpose tool that happens to be usable for security purposes. Kind of reading /var/log/messages actually :-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    3. Re:Ethereal a security tool ? by hbackert · · Score: 4, Insightful

      It's a nice way to check a connection is not made, that packets do not go out of one or another interface, that traffic is encrypted. tcpdump can do the same (except follow TCP traffic, which is very enlightening for users who like telnet).

      So while Ethereal does not increase security by itself, it does add security by making it possible to check out the packets. That makes it IMHO a security tool.

    4. Re:Ethereal a security tool ? by the+uNF+cola · · Score: 3, Informative

      Point is, sniffers are the only tool out there to actually see what traffic is out there. Yeah, you can use nmap for finding out what OS is running (sometimes) but that's not security per se either. It's just tcp/ip-to-OS identification.

      Sometimes ducks don't just quack. They sometimes fly and lay eggs too.

      --
      "I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo

  5. mac os X tools by FiDooDa · · Score: 5, Informative

    for those interested in sec tools on mac OS X, here is a small list of tools to add :

    rpg password generator
    kismac a kismet equivalent that also includes a WEP cracker. very nice!
    macanalysis a really good security tools suite

    1. Re:mac os X tools by jjb · · Score: 3, Interesting
      kismac looks pretty cool for wireless audits. BTW, Bastille Linux is even more badly misnamed -- we've got it working on Mac OS X now! It takes a perl compile and a tweak to perl-Tk, but it works under X on Mac.

      Anyway, if anyone here is interested in helping package Bastille for Mac, especially with that perl upgrade, please contact me!

      - Jay

  6. Wellenreiter by Echelon309 · · Score: 5, Informative

    Although it wasn't on the list, Wellenreiter is a really great wireless scanner. Plus, it runs on the Zaurus under OZ3, which makes it great for less conspicuous scanning since you don't have to lug a laptop around.

    1. Re:Wellenreiter by fv · · Score: 4, Informative
      > Although it wasn't on the list, Wellenreiter is a really great wireless scanner.

      Wellenreiter only received 6 votes (even after correcting for poor spelling :) and 10 were needed to place #75. But since it is clearly a useful free tool, I just added a link to it in the Kismet entry.

      Thanks for the suggestion,
      -Fyodor
      Concerned about your network security? Try the free Nmap Security Scanner

  7. WAP Detectors by muzzmac · · Score: 3, Interesting

    Has anyone seen a decent piece of software that can find WAP's on your network by scanning from the wired part of your network?

    What I want is something that scans for known MAC ID's or something to identify wireless access points without having to fly all over the country to do it.

    There are plenty of wireless based scanners but they involve travel.

    Any hints?

    1. Re:WAP Detectors by lucifuge31337 · · Score: 3, Informative

      They may not exist/certainly aren't popular because of a simple reason: WAPs aren't the only problem, so it's not a complete and meaningful scan. Lots of laptops have wireless built in and get owned....since it's plugged into your network you can ingress that way.

      The popular scanning solutions include several APs that cover your building/area and passively listen for WiFi traffic. They are typically permanently mounted and listening.

      --
      Do not fold, spindle or mutilate.
    2. Re:WAP Detectors by Istealmymusic · · Score: 3, Informative

      See the MAC manufacturer reference. Linksys (a WAP maker) has a couple blocks, but they don't use different OUI's for WAPs only. It's easy to detect WAPs if remote administration is enabled (the domain will be descriptive), but otherwise not as far as I know.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  8. Strangely enough... by GC · · Score: 4, Interesting

    While all these tools turn out to be the Security Analyst's bible to utopia, they're also the ultimate cracker tools, missing only the Xploits that the old neverending line of script-kiddies use to bypass each and every point that these tools do their best to detect.

    Nessus is, however, a single tool that can be as useful to the white hat5 as it is to the bl4ck hats.

    It gets my number one tool vote as being as useful to both parties - yet completely impartial.

    A very difficult road to tread indeed...

    1. Re:Strangely enough... by jareds · · Score: 2, Insightful

      Your analogy to file sharing is bad. A better analogy would be to weapons.

      In some la-la fantasy world where violence does not exist, no one would need weapons for self-defense. In reality, however, not allowing weapons puts the law-abiding at the mercy of criminals, who may still yet possess illegal weapons.

      In some la-la fantasy world where exploits do not exist, no one would need to audit their network for security holes. In reality, however, not allowing such tools would leave law-abiding network administrators at the mercy of those who would scan their networks with an illegal tool and discover holes that the administrators have never even heard of.

      When a technology A has "strong dark uses", but one of its legitimate uses is defending against technology A, and it is in fact one of the best ways of defending against A, it is clear that making it illegal is sheer folly. For unless you stamp it out entirely, you are worse off than you would be if it were legal, and you could at least use it against itself.

  9. Timely article for my needs by l0ungeb0y · · Score: 5, Interesting

    In the last couple weeks I've amassed a few servers and a client network so, I've had no choice but to become a sysadmin. Which is not what I consider myself (I'm a graphic designer/Web App Programmer) but, for the sake of responsibility, I find myself fast becoming one.

    So I welcome any such article as the one posted here to help better educate me and get me up to date on even the most mundane of utilities (I hadn't even heard of nessus/netcat)

    I'm not a fresh unix convert or technically challenged, it's just that my occupation has demanded that I focus on front end and applicational development rather than network security and monitoring.

    So to get by I've been using very basic common sense like running firewalls for port blocking, not running insecure services such as telnet and in the event that I have to (one of my servers is a multiuser webhost so I had to turn FTP on) research and run a more secure variant of that service (for FTP I opted for vsftpd over wu/pro)

    And for security, besides my basic IP Masquerading and port blocking firewall (ya, it's that basic, I'm no guru) I run tripwire, which I run a sanity check daily as well as run snort.

    This config runs on everything from my OS X laptop to the RH9 boxes for dev/production serving and seems "ok" for the moment.

    I do plan on evaluating/installing some kernel level patches to the RH boxen such as grsecurity but I thought I'd use this topic to fish for pointers as I am also looking for some good educational material such as IP/Network configuration and in-depth material on properly setting up an ironclad DMZ. So if anyone has some highly recommended links or knows of some good books on amazon to point out or even comments to make here to give some pointers, I'd be much appreciative.

  10. Wasn't nmap the tool of controversy from SGI? by Billly+Gates · · Score: 2, Interesting
    I remember back in 94 about an SGI product manager being fired for releasing a tool (nmap??). Basically Irix was being hacked to death and he wanted to do something about it.

    He developed it as a tool to help system administrators secure their system but SGI did not like it because crackers could use it.

    Was this SGI tool nmap or not? I was only 16 at the time and can't remember.

    1. Re:Wasn't nmap the tool of controversy from SGI? by IvyMike · · Score: 4, Informative

      You're almost certainly thinking of Dan Farmer's SATAN. Read the story for yourself.

  11. Security for the home user by OneArmedMan · · Score: 5, Funny

    1) Unplug the power cords and network cables / phone lines.
    2) Put it back in the box.
    3) Send it back to the place that you bought it from.

    Sure it's not very practical, but it would make my job a hell of a lot easier

    1. Re:Security for the home user by /dev/trash · · Score: 2, Funny

      But if everyone did that wouldn't you be out of a job?

    2. Re:Security for the home user by OneArmedMan · · Score: 4, Funny

      Nah, I'll always have my job, cause there are always people who say "But my *expert friend said*, followed by *and then my pc just stopped working*. At which point my fee / hour doubles

  12. I am surprised ... by Anonymous Coward · · Score: 2, Interesting

    I am surprised that aide was not listed. It is a free equivalent to tripwire (which is on the list), and works very well for my needs on both Linux and FreeBSD.

    1. Re:I am surprised ... by fv · · Score: 4, Informative
      > I am surprised that aide was not listed.

      AIDE only received 4 votes, while 10 were needed to place #75. But I agree that it is a useful free tool that potential Tripwire users should know about. And so I have added an AIDE link to that entry.

      Thanks,
      -Fyodor
      Concerned about your network security? Try the free Nmap Security Scanner

  13. SAINT not SAINTLY by wolf- · · Score: 2, Troll

    After SAINT the network tool went after the author of Saint (the open source server/service uptime application) over a name/branding dispute, we have stopped recommending their product (the network security tool) entirely.

    They were similarly named, however, there was very little chance of them being confused for one another. Apparently SAINT didn't have enough confidence in their own marketing or their customers' intelligence to keep their lawyers out of it.

    Just my 2 cents worth. But then, my 2 cents has an effect on a few large clients with large budgets. Good Job SAINT.

    --
    ----- LoboSoft specializes in Digital Language Lab
  14. uh.. wrong product name? by EvilStein · · Score: 3, Informative

    I believe that you're thinking of Netsaint...aren't you?

    It's now called Nagios :-)

  15. Re:friewall by jandrese · · Score: 3, Informative
    Zone alarm may provide good protection, but it's far from a great product.
    • There's no way to prevent it from spitting up gobs of annoying dialog boxes. This is especially annoying when you're playing some 3D game and zone alarm tries to put up a box on the screen asking you to allow it to go online.
    • It is a pig. It takes 5 minutes or more to boot on my laptop, and is by far the last component ready when I boot up my machine
    • The interface needs work. It's hard for me to find just about everything in it, from the access logs, to the application table, to the network table, etc...
    • It is not good about remembering your settings unless you shut it down normally. If the only time you leave windows is when you crash, be prepared to tell Zone Alarm that Mozilla is allowed to access the internet all over again. I've actually gone and run every network application I could think of, then rebooted just so I wouldn't have to tell Zone Alarm about it again.
    Those are just the annoyances I could think of off the top of my head. I probably wouldn't run it (I'm behind a BSD firewall at home anyway) except that the IT department insists on it (it's my work machine).
    --

    I read the internet for the articles.
  16. OT: Secure your SGI today... by green+pizza · · Score: 2, Informative

    1) Update your install of IRIX 6.5 to the most recent version available to you (6.5.16m for most people, 6.5.19 or 6.5.20 for those with a support contract). If you're unsure about updating, read about the IRIX Release Process as well as the IRIX Compatibility Mandate.

    2) Install the security patches for your version of IRIX (note that IRIX releases previous to 6.5.15 will probably not have the most recent security patches available).

    3) If you're a security newbie, run the "Improve System Security" application... it can be found under the Security and Access Control section of the System Manager.

    4) Install IPFilter, be sure to learn how to use it.

    5) Subscribe to SGI's security advisory mailing list.

    6) Newbies oughta read some of SGI's other sysadmin manuals as well:
    Personal Sysadmin
    IRIX Admin

    7) Update your various freeware apps... be sure to read the separate freeware security notice:
    http://freeware.sgi.com

  17. Eeye by lonesome+phreak · · Score: 3, Informative

    Retina, by Eeye, is another excellent scanning tool. IMHO, it's better than GFILanguard. I especially like the ability to fix registry problems from the scanning machine. Its interface is also very smooth. It's located here. They also have another product for scanning IIS, but I haven't used it yet.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
    1. Re:Eeye by barc0001 · · Score: 2, Informative

      Retina is good, but even the free version of LANGuard is great for the point-and-click crowd. Windows is not my preferred platform of choice, but I must say I was pleasantly surprised the first time I took a look at LANGuard.
      But I wonder if it's not a bad thing that these tools are starting to auto-fix so many items, like the aforementioned Retina and the registry issues. Call me old-fashioned, but I like my people to fix the problems on a box by actually getting onto the box and doing it from there. That way you can also tell if anything... funky... is going on. NT/2000 will do that to you sometimes. Responds to remote requests OK, but there's something going hogwild that you don't really notice until you get onto the console.
      Plus, of course, the more people just click a button for scan, and another for fix, the less they'll know what to do if the "fix" button doesn't work in a certain case.

  18. APTools by _Sprocket_ · · Score: 3, Informative

    APTools is one example.
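
For the wired-side question in the "WAP Detectors" thread above, an added example (not from any commenter or from any tool named on this page) of the MAC-prefix approach: it reads an ARP table dump and lists hosts whose OUI is on a watchlist. The OUI prefixes, vendor labels and ARP lines are constructed placeholders; as the replies in that thread note, a match is only a candidate to investigate, because vendors do not reserve OUIs for access points.

```python
import re

# Constructed watchlist: OUI prefix -> vendor label. These prefixes are
# placeholders (locally administered range), not real IEEE assignments;
# in practice load the prefixes from the IEEE OUI registry.
AP_VENDOR_OUIS = {
    "02AA01": "ExampleAP Vendor A",
    "02BB02": "ExampleAP Vendor B",
}

# Constructed sample in `arp -an` style, mixing the MAC notations seen in
# host ARP tables and switch address tables.
SAMPLE_ARP = """\
? (10.1.4.10) at 02:aa:01:10:20:30 [ether] on eth0
? (10.1.4.11) at 02-CC-03-00-00-01 [ether] on eth0
? (10.1.4.12) at 02bb.0244.5566 [ether] on eth0
? (10.1.4.13) at <incomplete> on eth0
"""

# Colon/dash separated octets, or dotted groups of four hex digits.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(raw):
    """Return 12 uppercase hex digits regardless of separator style."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()


def find_candidates(arp_text, watchlist=AP_VENDOR_OUIS):
    """Return (ip, mac, vendor) for entries whose OUI is on the watchlist."""
    hits = []
    for line in arp_text.splitlines():
        mac_m = MAC_RE.search(line)
        ip_m = IP_RE.search(line)
        if not (mac_m and ip_m):
            continue  # incomplete ARP entries carry no MAC to classify
        mac = normalize_mac(mac_m.group(0))
        vendor = watchlist.get(mac[:6])  # first three octets are the OUI
        if vendor:
            hits.append((ip_m.group(1), mac, vendor))
    return hits


if __name__ == "__main__":
    for ip, mac, vendor in find_candidates(SAMPLE_ARP):
        print(f"candidate AP: {ip} {mac} ({vendor}) - verify on site")
```

A laptop with a built-in wireless card bridging onto the wired network will not show up in this list, which is the gap the first reply in that thread points out.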