
MSc Information Security Project Report

Handbook of Security Tools for IT Directors

Iyad Abou-Hawili, Student Number: 0090417849
John Austen, Information Security Group, University of London, RHUL

Submitted as part of the requirements for the award of the MSc in Information Security of the University of London.
23-Mar-2014
1|Page

TABLE OF CONTENTS
Table of Contents ... 2
Executive Summary ... 5
1. Introduction to Information Security Tools ... 6
   1.1. Setting the stage: ... 6
   1.2. Approaches to Security: ... 6
   1.3. The need for hacking tools (Offensive method): ... 7
   1.4. Tools in the market: ... 7
   1.5. Our approach on deciding what tools to use: ... 9
   1.6. Skill sets of people using these tools: ... 10
   1.7. Limitation on tools usage (Conclusion): ... 11
2. Securing your Environment ... 12
   2.1. Introduction ... 12
   2.2. Hackers Techniques ... 12
   2.3. Difference between Hackers and IT Director(s) requirements: ... 14
      2.3.1. First: ... 14
      2.3.2. Second: ... 15
   2.4. Proposed New Model: ... 17
   2.5. Limitations of model usage (Conclusion): ... 18
3. Anti-Reconnaissance and Reconnaissance: ... 20
   3.1. Reconnaissance (Information Gathering): ... 20
      3.1.1. Reconnaissance Objectives: ... 20
      3.1.2. Tools used in Reconnaissance: ... 21
   3.2. Anti-Reconnaissance ... 22
      3.2.1. Fundamentals of Anti-Reconnaissance: ... 22
      3.2.2. Objectives of Anti-Reconnaissance: ... 23
      3.2.3. Tools and software: ... 23
4. Vulnerability Assessment: ... 29
   4.1. Vulnerability Assessment Fundamentals ... 29
   4.2. Objectives of Vulnerability Assessment: ... 30
   4.3. Vulnerability Scanning Tools: ... 30
      4.3.1. Wireless Tools ... 30
      4.3.2. Network Tools ... 32
      4.3.3. Web Application Vulnerability assessment Tools ... 33
5. Penetration Testing: ... 34
   5.1. Pre-Exploitation/Pre-attack: ... 34
   5.2. Exploitation/Attack: ... 34
   5.3. Post-exploitation/post-attack: ... 35
   5.4. Areas of Penetration Testing (Exploitation): ... 35
   5.5. Penetration testing Fundamentals: ... 35
   5.6. Penetration Testing Steps: ... 36
      5.6.1. Reconnaissance/Information Gathering: ... 36
      5.6.2. Target Evaluation: ... 36
      5.6.3. Exploitation: ... 36
      5.6.4. Privilege Escalation: ... 37
      5.6.5. Maintaining Access: ... 37
   5.7. Penetration Testing Objectives: ... 37
   5.8. Penetration Tools ... 38
      5.8.1. Wireless Tools ... 38
      5.8.2. Web Application Tools ... 39
      5.8.3. Network/Host Tools ... 40
   5.9. Challenges of Penetration Testing: ... 42
   5.10. Final Step after Penetration Testing completion: ... 42
6. Rectification: ... 44
   6.1. Rectification Phase ... 44
   6.2. Rectification Fundamentals: ... 45
   6.3. Objectives/Goals of Rectification: ... 45
   6.4. Types of Analysis to be conducted ... 46
   6.5. Rectification Tools: ... 46
      6.5.1. Tcpdump/WinDump ... 46
      6.5.2. Wireshark ... 46
      6.5.3. Chkrootkit ... 46
      6.5.4. Md5deep ... 47
      6.5.5. Rootkit Revealer ... 47
      6.5.6. TSK (The Sleuth Kit) ... 47
      6.5.7. Fatback ... 47
      6.5.8. Nikto ... 47
7. Conclusion: ... 49
Bibliography ... 50
Additional Resources ... 53
Appendix A ... 55
Appendix B ... 60
Appendix C ... 64
Appendix D ... 74


EXECUTIVE SUMMARY
The purpose of this Handbook is to develop a model and recommend to IT Director(s) a set of
important IT Security tools. These tools are used not only by most security professionals but also
by IT Security firms to audit businesses and secure their information assets. The Handbook
will serve as a starting guide for IT Director(s) and their staff in their endeavour to secure their
companies' infrastructure.
There is a large number of free security tools in the market, and it becomes confusing for IT
Director(s) to decide which tools to use. Furthermore, there is a lot of literature about the process
hackers follow when attacking a target, but little of it takes IT Director(s) requirements into
consideration.
This Handbook sheds light on the process hackers use to attack a target, modifies this
model to fit IT Director(s) requirements, and suggests a few IT Security tools for each phase of
the proposed model, to be used by the IT Director(s) team, Security Analysts, Penetration Testers,
and others.
The model developed is composed of four phases. It is similar to the model used by Ethical Hackers
and attackers, but customized to meet IT Director(s) requirements. We discuss the fundamentals,
objectives, and tools of each of the four phases.
Suggested tools fall into the following categories: Anti-Reconnaissance, Information
Gathering, Scanning and Inventory, Vulnerability Assessment, Penetration Testing, and
Detecting Traces of an Attack.
The suggested tools are open-source and free to use, yet powerful enough to accomplish
the requirements. Moreover, these tools are offensive tools, which differentiates them from
the known defensive tools used by most IT Director(s) and promoted by most security
vendors.


1. INTRODUCTION TO INFORMATION SECURITY TOOLS

1.1. SETTING THE STAGE:

Information Security tools are becoming a necessity for any IT Department as threats increase
with the Internet connecting everything in our small global village. These tools are used to identify
potential weaknesses in any of the devices or systems used to move, store, or process data in
a business.
This Handbook is intended for IT Director(s), within their area of responsibility, to secure the
information assets of their company.
IT Director(s) are not expected to be experts in the IT Security tools mentioned in this
Handbook. However, knowledge of these tools, their functions and purposes, and the phases in
which they are used is a definite advantage in the process of improving security.
Before we proceed further, we need to define the following terms, which are used extensively
in this document.

Ethical Hacker or White-Hat Hacker: a Security Analyst (the "good" person) who works on
securing an environment using IT Security or hacker tools.

Hacker or Black-Hat Hacker: a "bad" person who, for various reasons, tries to cause harm
to systems owned by other people or companies.

White-Box Hacking: the method where information about the targeted devices is given to
the Ethical Hacker/White-Hat Hacker.

Black-Box Hacking: the method where no information about the targeted devices is given
to the Ethical Hacker/White-Hat Hacker.

Grey-Box Hacking: a process where some information about the targeted devices and the
company under test is shared with the Ethical Hackers/White-Hat Hackers.

1.2. APPROACHES TO SECURITY:

In Information Security, there are two approaches to securing information. The first, and the
more popular of the two, is the Defensive approach.
[ER11], for example, defines the Network Security Defensive methodologies as: Switch Security,
Firewalls, Intrusion-Detection Systems (IDS), Logs, Network, Antivirus, Hardware,
Troubleshooting, Availability, Server/Client Security, Creating Policies, Network Management,
etc.

The second approach is the Offensive one. In the same course, [ER11] defines the Offensive Method,
or Ethical Hacking, for network security as looking for: Denial of Service (DoS), Trojans,
Worms, Viruses, Social Engineering, Password Cracking, Session Hijacking, System Failure,
Spam, Phishing, Identity Theft, Wardriving, Warchalking, Bluejacking, Lock Picking, Buffer
Overflow, System Hacking, Sniffing, SQL Injection, etc.

The tools that we will cover in this Handbook are not the well-known defensive tools such as
Firewalls, IDSs, Antivirus, and others. They are offensive/attacking tools that might
cause harm if used without caution or in an unethical manner. Black-Hat hackers use these
tools to gather information about their targets, exploit vulnerabilities, and cause damage. On
the other hand, Ethical Hackers can use the same tools to close security holes and improve
security. The only difference between a hacker tool and a cyber security professional tool is
written permission. [SW13]

1.3. THE NEED FOR HACKING TOOLS (OFFENSIVE METHOD):

In an old article written in 1993 [DF93], Dan Farmer and Wietse Venema stated
that the best way to secure your environment is by trying to break into it. Similarly, [MM06]
emphasizes attacking your own systems using the same tools as Black-Hat hackers, instead of
only defending them. These days, Ethical Hackers or security analysts
assume the role of attacking your own systems in a controlled manner. IT Director(s)
awareness of these tools, the phases in which they are applied, their fundamentals, and their
objectives is essential to survive in the digital world.

The importance of the offensive technique comes from the mindset of the Ethical Hacker, who
actually plays the role of a hacker running the same tools. In this role, Ethical Hackers try
to answer the following questions:
What does an intruder see in a targeted system?
Why does an intruder need this information?
What can she/he do with the information obtained after compromising a system?
Did anyone notice the intruder's attempts to gain access?
Did anyone discover a compromise of a system? [ER11]

The above does not mean, in any way, that the defensive tools should be removed and replaced
with the offensive ones. It emphasizes the need for additional (offensive) tools to win a battle
that IT Director(s) (i.e. their businesses) are losing most of the time.
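As an added example (not part of the Handbook, and not the output of any tool it names) of how an IT Director's team might answer the question "Did anyone notice the intruder's attempts to gain access?", the following Python script runs two simple detections over constructed log lines: it flags a source that touched many distinct destination ports on one host within a short window (probing behaviour seen in firewall drops) and a source with repeated failed SSH logins, then reports the sources both checks agree on. The firewall line format, the thresholds, the addresses (RFC 5737 documentation ranges) and the log lines themselves are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the Handbook).
# The firewall format is an assumed generic key=value style; the SSH lines
# follow the usual OpenSSH wording.  All addresses are documentation ranges.
FIREWALL_LOG = """\
2014-03-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2014-03-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2014-03-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
2014-03-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
2014-03-01T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=80
2014-03-01T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2014-03-01T10:00:04 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445
2014-03-01T10:00:04 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=3389
2014-03-01T10:05:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2014-03-01T10:06:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=8080
"""

AUTH_LOG = """\
Mar  1 10:10:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  1 10:10:02 web1 sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 51001 ssh2
Mar  1 10:10:03 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  1 10:10:04 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  1 10:10:05 web1 sshd[2005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  1 10:12:00 web1 sshd[2006]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:13:00 web1 sshd[2007]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
"""

FW_RE = re.compile(r"^(\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")
AUTH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def port_sweep_sources(log_text, window=timedelta(seconds=60), min_ports=6):
    """Return {src: sorted ports} for sources whose dropped connections hit at
    least `min_ports` distinct destination ports on one host within `window`.
    Thresholds are illustrative; tune them to the environment's baseline."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m or m.group(2) != "DROP":
            continue
        ts = datetime.fromisoformat(m.group(1))
        events[(m.group(3), m.group(4))].append((ts, int(m.group(5))))
    flagged = {}
    for (src, _dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window from each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


def failed_login_sources(log_text, min_failures=3):
    """Return {src: (failure count, sorted usernames tried)} for sources with
    at least `min_failures` failed SSH password attempts."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            counts[src] += 1
            users[src].add(user)
    return {src: (n, sorted(users[src])) for src, n in counts.items() if n >= min_failures}


def corroborated_sources(fw_log, auth_log):
    """Sources flagged by both detections: the strongest answer to
    'did anyone notice the intruder's attempts to gain access?'."""
    return sorted(set(port_sweep_sources(fw_log)) & set(failed_login_sources(auth_log)))


if __name__ == "__main__":
    print("port sweeps:", port_sweep_sources(FIREWALL_LOG))
    print("failed logins:", failed_login_sources(AUTH_LOG))
    print("corroborated:", corroborated_sources(FIREWALL_LOG, AUTH_LOG))
```

The two checks are deliberately simple: the point is that the logs the defensive tools already produce (firewall, SSH daemon) hold the evidence, and the team needs a routine that reads them. An internal vulnerability scanner run by your own staff will look identical to the first check, so exclude the scanner's addresses before alerting.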

1.4. TOOLS IN THE MARKET:

Looking at the security tools used by White-Hat hackers (Ethical Hackers) in
Information Security Auditing firms, we can classify them into four major categories:
Commercial, Proprietary, Freeware, and Open-Source.
Commercial and proprietary tools are tools that can be bought from vendors. Usually,
vendors provide support for both types, and usage of these tools is subject to license
agreements [CA12]. In addition, some proprietary tools are given away free. Moreover, some
proprietary tools are not sold to external clients at all and are dedicated to use by specific IT
Security Auditing firms.

Freeware and Open-Source tools can be downloaded free from the Internet. Neither
type is subject to support agreements. With Freeware tools, you do not have access to the
source code. Open-Source tools, on the other hand, provide access to the source code, subject
to the Open Source Initiative's rules and regulations [OS98].
A security analyst will need to choose between these different types of tools based on the
tool's functionality and her/his needs. Most of the time, a Security Professional will need to
choose from a set of tools provided by various vendors with different licensing and support
terms and conditions.
Sometimes, in a particular situation, there is no open-source or freeware tool to complete the
task, or the free tool is very limited. This might mandate the use of proprietary or
commercial tools. Furthermore, commercial tools are covered by support agreements, while
free and open-source tools are not. In addition, commercial and proprietary tools are subject
to license agreements, and their source code is not accessible to users [CA12]. On the other
hand, commercial tools might not fit all scenarios in different companies, and the security
analyst cannot modify or tailor the tool to his/her preference, whereas experienced security
analysts are able to tailor open-source tools to meet the business's requirements.
Another important consideration is that proprietary free tools are specific to their vendor's
products (e.g. Microsoft and Cisco) and cannot be used on hardware or operating systems from
other vendors. This puts us in front of two approaches.
The First Approach is to use vendor-specific tools on that vendor's devices. This will
definitely improve the security of the environment, but it is subject to two main limitations [SH11]:
First, it requires testers to have a deep understanding of the systems under test, and to
scrutinize them so as to include as much as possible of these systems.
Second, these tools have two major issues:
parameters set in the tool might not cover everything in the tested environment, and
it is difficult to map the operations of these tools to all the requirements of a targeted
infrastructure.

A third limitation is the assumption that the security analyst (Ethical Hacker) knows the
systems under consideration, which is not true in a real-life situation. These tools
cannot be used when a security analyst is conducting Black-Box testing: in that situation,
Ethical Hackers do not have any knowledge of the systems, and using vendor-specific
tools is not the appropriate approach.
The Second Approach, not using vendor-specific tools when testing an environment, has
many advantages over the first. Firstly, it is similar to the approach followed by Black-
and White-Hat hackers. Secondly, vendor-neutral tools are applicable to all
environments without restriction. A third advantage, mentioned by [ES07], is that open-source
and free tools are suitable for IT Director(s) with a limited budget: using free
tools, they can build a complete arsenal to secure their systems without paying much.
"Open-Source Applications and Tools: while it is pretty common to see companies embrace
commercial tools in their production environments, you can't discount the sheer innovation
available in the open-source community." [JS11] [JS11] then describes the benefit of using
open-source tools to build your information security skill set: "Most security professionals
cannot afford to purchase multiple commercial security applications to learn with, so
leveraging open-source is a cost-effective career builder.
The other value that open-source security tools bring to a security professional is that these
are the same tools hackers will use. One of the most important skills you can develop is the
ability to understand the methods and tools used by hackers to get into your systems. Learning
the tools and techniques they may use by developing parallel expertise will take you far in
your career. Commercial applications seldom offer the same learning opportunities. Attackers
generally are not using commercial applications in their attacks, and they typically don't draw
from the same community available with open-source solutions as you will to help your
learning" [JS11].

1.5. OUR APPROACH ON DECIDING WHAT TOOLS TO USE:

The challenge for any IT Director(s) is the availability of thousands of tools in the market.
Choosing from this big pool without sacrificing functionality, while keeping things simple,
takes considerable effort.

However, a lot of work has been done by Information Security experts to gather different
free tools into one consolidated package or distribution. Most of these distributions are based
on the Linux operating system. Some of the most-used distributions are listed below:

Backtrack and its commercial version Kali Linux. These distributions include around 300
tools categorized into various groups (Information Gathering, Vulnerability Assessment,
Exploitation Tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID
Tools, Stress Testing, Forensics, and many Reporting Tools) [BT13].
Backtrack is based on Ubuntu Linux; Kali Linux is based on Debian Linux.
For a full list of tool sub-categories and names in Backtrack and Kali Linux, please
refer to Appendix A and Appendix B respectively [KL13].

Matriux "Leandros" is analogous to Backtrack and includes more than 300 open-source and
free tools based on Debian Linux, but also includes tools to test PCI DSS controls,
which are not available in the Backtrack and Kali Linux distributions. For a detailed list of tools
and their categorization, please refer to Appendix C [ML13].

Fedora Security Spin/Lab is a collection of security-related tools built on the Fedora Linux
operating system. For a detailed list of tools, please refer to Appendix D [FP13].

Katana is a multi-boot DVD/USB that brings different tools and the Backtrack distribution
together in a single location [JD12].

Blackbuntu is based on Ubuntu 10.10.

Blackbox is another distribution that includes tools used for information gathering,
incident handling, penetration testing, and forensics. It is based on the Ubuntu Linux
operating system.

and others.

In this Handbook, our proposed model/approach to securing information using security tools
is applicable to all distributions (free tools) and to commercial tools as well. However,
reference will be given mostly to tools present in Backtrack and Kali Linux, since these are
the most popular among security experts, and more resources, more literature,
and more sample implementations are available for them than for other distributions.
For the above reasons, the Backtrack distribution "is widely accepted between security experts and
is considered as the premiere security-oriented operating system ... and the recent release
of Kali Linux is sure to gain widespread popularity" [JP13].

One major and important website that lists and ranks security tools is http://sectools.org/.
SecTools.org releases a security tools survey every three years (2006, 2009, 2012) [MC08],
ranking the tools. Most of the tools referenced in this Handbook are part of the Top 125
Network Security Tools listed on that site, with the exception of the tools and
methodologies referenced in the Anti-Reconnaissance phase.
In addition, the tools that we reference are used by IT Security Auditing firms in India,
including the Big Four auditing firms (Deloitte, PwC, KPMG, and EY), as per a report produced
by cert-in.org [CI12].

1.6. SKILL SETS OF PEOPLE USING THESE TOOLS:

However, there are many important things to keep in mind. The first is that these tools cannot replace
skilled information security professionals and system engineers. The experience and intuition of
the personnel using these tools are fundamental requirements for understanding and identifying
attacks and for discovering holes in the deployed systems [SI13].
Since most of these free tools are Linux based, IT Director(s) should know that their subordinates
need to have experience with the Linux operating system [CA12], [SI07]. This does not mean that
the subordinates' experience should be limited to Linux: knowledge of Linux is necessary
but not sufficient. For example, Penetration Testers should have several years of experience
in the IT field, such as application development, systems administration, networking, or
consultancy, before they do penetration testing [ER11].

On the other hand, the tools referred to in this document are used in mission-critical
security jobs, and effective skills development is an essential step to ensure that the right
people with the right skills are in place [SI13].

The author of [HS12] lists the most important mission-critical security jobs for most
companies as follows:
1. System and network penetration testers,
2. Application penetration testers,
3. Threat analysts/counter-intelligence analysts,
4. Advanced forensics analysts,
5. Security monitoring and event analysts,
6. Risk assessment engineers,
7. Incident responders in-depth,
8. Secure coders and code reviewers,
9. Security engineers - operations, and
10. Security engineers/architects who build security in [HS12].

1.7. LIMITATION ON TOOLS USAGE (CONCLUSION):

It is very important to mention that the use of security tools (in our case offensive,
Ethical Hacker tools) in Reconnaissance, Anti-Reconnaissance, Vulnerability Assessment,
Penetration Testing, and Prevention is just one link in the security chain. Using these tools
does not mean, in any sense, that your information is protected. Vulnerability assessment
and penetration testing are just two links in a long chain.

In the ISO/IEC 2700x standard series, we find eleven different areas that address how to
secure information. Other standards or frameworks (e.g. COBIT, SOX, HIPAA, etc.) have similar
areas, some of which overlap with each other. Vulnerability Assessment and
Penetration Testing are just two parts of the whole standard. Security Audits, for example,
address many more areas than Vulnerability Assessment and Penetration Testing, and
recommend the use of different types of controls for each area [TB07].
In addition, these tools are not a replacement for a manual IT Security audit or conformance
audit. Just because we used these tools and did not find a vulnerability does not mean that
none exists [MC08].

Moreover, different tools give different results, and these scanners detect vulnerabilities at a
given point in time. One tool might discover a vulnerability that another tool does not find;
a new vulnerability might appear, with its signature added to the database only after the scan
was conducted; or the tool might not have had the signature of the vulnerability at the time of
scanning. All of the above place limitations on the results obtained with these tools. This does
not mean that these tools should be forgotten; it is meant to alert IT Director(s) that there is
no 100% secure system and no 100% compliant system. If an attacker wants to break in, then
it is a matter of how much time and money the attacker is willing to invest to accomplish
the task. The two essential things for IT Director(s) are:
to reduce the time needed to discover that a system is compromised, and
to reduce the time a system remains compromised.

The above are addressed by Incident Handling and Forensics procedures and tools (some of
which are mentioned in this Handbook), which play a key role in responding to an incident and
closing it as soon as possible [TB07].
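As an added example (not from the Handbook, and not the output format of any scanner it names), the following Python script shows one way an IT Director's team can make the point-in-time nature of scan results explicit: it merges the findings of two hypothetical scanners, lists where they disagree, shows what appeared between two runs of the same scanner, records how old each scanner's signature database was on the day of the scan, and computes the two durations named above (time until a compromise is detected, and time the system then stays compromised). The scanner names, the finding format, the VULN-nnn identifiers (placeholders, not real CVE numbers), the dates and the incident timeline are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Everything below is constructed sample data for this example; the VULN-nnn
# identifiers are placeholders, not real CVE numbers.


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str


@dataclass(frozen=True)
class ScanRun:
    tool: str
    scan_date: date
    signature_db_date: date  # date of the signature database the tool used
    findings: frozenset


def merged_findings(runs):
    """Union across tools: a host/vulnerability pair reported by any scanner
    stays on the tracking list until it is fixed and re-verified."""
    merged = set()
    for run in runs:
        merged |= run.findings
    return merged


def tool_disagreement(run_a, run_b):
    """Findings each tool reported that the other did not."""
    return run_a.findings - run_b.findings, run_b.findings - run_a.findings


def new_since(previous, current):
    """Findings in the current scan that were absent from the previous one:
    either a newly introduced weakness or a signature that was only added
    to the database after the previous scan ran."""
    return current.findings - previous.findings


def signature_age_days(run):
    """Age of the signature database on the day of the scan; a large value
    means a 'clean' result was already stale when it was produced."""
    return (run.scan_date - run.signature_db_date).days


def dwell_days(compromised_on, detected_on, contained_on):
    """The two durations to minimise: days until a compromise is noticed,
    and days the system stays compromised after that."""
    return (detected_on - compromised_on).days, (contained_on - detected_on).days


SCAN_A_JAN = ScanRun("scanner-a", date(2014, 1, 15), date(2014, 1, 10), frozenset({
    Finding("srv1", "VULN-001", "high"),
    Finding("srv2", "VULN-002", "medium"),
}))
SCAN_B_JAN = ScanRun("scanner-b", date(2014, 1, 15), date(2013, 11, 1), frozenset({
    Finding("srv1", "VULN-001", "high"),
    Finding("srv1", "VULN-003", "low"),
}))
SCAN_A_FEB = ScanRun("scanner-a", date(2014, 2, 15), date(2014, 2, 14), frozenset({
    Finding("srv1", "VULN-001", "high"),
    Finding("srv2", "VULN-002", "medium"),
    Finding("srv2", "VULN-004", "high"),
}))
# Constructed incident timeline: compromise, detection, containment.
SAMPLE_INCIDENT = (date(2014, 1, 2), date(2014, 1, 20), date(2014, 1, 22))

if __name__ == "__main__":
    only_a, only_b = tool_disagreement(SCAN_A_JAN, SCAN_B_JAN)
    print("tracked findings:", len(merged_findings([SCAN_A_JAN, SCAN_B_JAN])))
    print("only scanner-a:", sorted(f.vuln_id for f in only_a))
    print("only scanner-b:", sorted(f.vuln_id for f in only_b))
    print("new in Feb:", sorted(f.vuln_id for f in new_since(SCAN_A_JAN, SCAN_A_FEB)))
    for run in (SCAN_A_JAN, SCAN_B_JAN):
        print(run.tool, "signature age (days):", signature_age_days(run))
    print("time to detect, time to contain (days):", dwell_days(*SAMPLE_INCIDENT))
```

The merge is a union on purpose: a finding reported by only one of two scanners is a candidate to verify by hand, not one to discard. The signature-age figure is the practical reminder that a scan is only as current as the database behind it, and the dwell-time pair gives the IT Director two numbers to report and drive down.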


2. SECURING YOUR ENVIRONMENT

2.1. INTRODUCTION

Hacking is not a new phenomenon that appeared only recently. It started in the 1960s, when hackers
were a group of technology enthusiasts. At that time, hacking was driven by intellectual
curiosity, and there was no intention of harming others; harming others was against the law in
the mindset of those hackers, who were leading the software-development movements that led to
the existence of open-source software and paved the way toward the development of the
Internet (ARPANET) [SO11]. However, things are no longer the same as they were 50 years ago.
Most of the time, hackers (Ethical Hackers excepted) are driven by bad intentions and acts
that are against the law in most countries. Hackers have developed techniques and arsenals of
tools to reach their goals, which differ from one group of hackers to another.
Besides this, security experts, government agencies, and other companies have developed several
standards and methodologies to help IT and Security experts understand what must be done to
secure information. However, these methodologies describe and imitate, step by step, the process
followed by Black-Hat hackers and advise Ethical Hackers to follow the same steps in their
endeavour to secure information.
On the other hand, there is a lot of literature, training guides, articles, and research on
various security tools. However, few of these works address the usage of these tools
from an IT Director(s) perspective. Most of the work done tries to imitate, step by step,
what hackers will do in their journey to compromise their targets. This Handbook is intended
to simplify these procedures into a manageable process and set of tools, and to customize the
process followed by Ethical Hackers to meet IT Director(s) requirements. The defined
process/approach differs slightly from that developed by Ethical Hackers, and also proposes
a new concept of how IT Director(s) should approach security. It is not totally new, but it is
different from what is found in most of the literature on the phases of how hackers work and attack
targets. It modifies the former approach and tailors it to better fit the needs of IT Director(s).
The same applies to the tools proposed in our model. Some of the proposed tools are intended
for securing the infrastructure and discovering hackers, while other tools could be used
by both hackers and security analysts.

2.2. HACKERS TECHNIQUES

Many literatures, articles, and researches describe hackers methodology and their techniques
to attack targets. In [SO11], techniques were divided as follows:

Footprinting,

Scanning,

Enumeration,

System Hacking,

Escalation of Privilege,

Covering tracks,
12 | P a g e

Planting Backdoors.

In [JW07], [KG07] hacking phases were summarized in a similar way to the previous one
mentioned by [SO11]:

Reconnaissance,

Scanning and Enumeration,

Gaining Access,

Escalation of Privilege,

Maintaining Access,

Covering Tracks, and

Placing Backdoors.

Others, like [KG07], divide it as follows:

- Reconnaissance,
- Scanning,
- Gaining Access,
- Maintaining Access, and
- Covering Tracks.

In addition, in most of the guides developed by EC-Council and SANS Institute, an Ethical
Hacking process is divided into similar phases as those mentioned above.

Over time a proven framework has emerged that is used by professional Ethical Hackers. The
four phases of this framework guide the penetration tester through the process of empirically
exploiting information systems in a way that results in a well-documented report, which can be
used if needed to repeat portions of the testing engagement. This process not only provides
a structure for the tester but is also used to develop high-level plans for penetration testing
activities. Each phase builds on the previous step and provides details to the step that follows.
While the process is sequential, many testers return to earlier phases to clarify discoveries
and validate findings. The first four steps in the process have been clearly defined by Patrick
Engebretson in his book The Basics of Hacking and Penetration Testing. These steps are
Reconnaissance, Scanning, Exploitation, and Maintaining Access [JB14].

Before elaborating on the above phases and on how they need to be addressed and
tailored, we will briefly define what is meant by each phase, to make what follows easier
to understand.

Reconnaissance: Reconnaissance, Footprinting, and Information Gathering are used
interchangeably in this document and refer to the same process. It is the process of uncovering
and collecting information about targeted networks or systems. There are different methods of
collecting information about a target: Googling the company, social engineering, and many other
tools and techniques, which may be either active or passive.

Scanning: is the process of finding targeted systems' technical details, such as IP addresses,
operating systems, services, and applications used, to be used in finding vulnerabilities.

Enumeration: is the process of gathering and compiling usernames, machine names, network
resources, shares, and services [KG07]. Some of the literature considers enumeration part of the
Scanning process and does not distinguish between them, because the tools used are
almost the same.

Gaining Access: Gaining Access, System Hacking, System Exploitation, and Target Exploitation
are used interchangeably in this document and refer to the same process. It is the process of
exploiting a vulnerability, found during the previous phase, in a targeted system. It is the
phase where the real hacking takes place [KG07].

Maintaining Access: Maintaining Access and Escalating Privileges are used interchangeably in
this document. This process takes place after a vulnerability in a system has been exploited and
normal user account privileges have been gained; the attacker then works to escalate access to a
privileged user (Admin, root, etc.).

Covering Tracks: This is the process where a hacker removes evidence of his/her actions to
avoid detection by Security Analysts or Ethical Hackers.

Placing Backdoors: This is the process where a hacker places a set of code (program(s)) on the
exploited system to allow him/her to access it easily without being noticed.

2.3. DIFFERENCE BETWEEN HACKERS' AND IT DIRECTOR(S) REQUIREMENTS:

From the above literature, we can see that the phases proposed to be followed by Ethical
Hackers are almost the same, with minor differences in nomenclature. The above phases are
followed by Black-Hat hackers to attack a target, and by Ethical Hackers to simulate the work
of Black-Hat hackers and test the strength and maturity of the security investment made to
protect information.
The above is proposed to be used in one of three scenarios: White-Box testing, Black-Box
testing, and Gray-Box testing (White, Black, or Gray).
In my opinion, however, IT Director(s) need to have a different approach. Before defining this
approach, I will lay down the foundations for it.

2.3.1. FIRST:
IT Director(s) should be advised to follow a White-Box testing approach. In my opinion, IT
Director(s) (or their team members) cannot run a Black-Box testing (hacking) process to test the
infrastructure they are managing, since they have the information ready at hand
and in their minds, and the conducted process will be biased.
On the other hand, hiring a third party to execute Black-Box Testing and avoid the above
limitation is not practical and has many limitations, due to two main reasons.
Firstly, the contract signed between both parties should specify the scope,
duration, rules of engagement, boundaries of the attack, tools to be used, and
many other things. If an external Ethical Hacker fails to do so, then he will
face scope creep that changes and grows in an uncontrolled
manner. A Black-Hat hacker is not limited by any rules [JM13].
By specifying all of this, we are revealing more information to the Ethical Hacker. This
process moves us into the gray area between White- and Black-Box testing.

Secondly, crucial and important processes in simulating hackers' attacks are
Vulnerability Assessment and Penetration Testing, and these are an auditing
requirement in most organizations. The IT Director's concern in accepting a
Black/Gray-Box vulnerability assessment and penetration test is that this
kind of testing might affect the services provided. In most cases this will lead
him/her, through all phases, to move the hacking process slightly
toward the white area as the work progresses, to minimize the risk
exposure.
It is then obvious, in most scenarios and in my opinion, that IT Director(s) will
most probably operate near or in the white area of testing,
which will definitely lower the risk and save time and money.
Definitely, a Black-Box hacking process resembles a Black-Hat hacker more closely in numerous
facets, but the risk increases as the resemblance increases and as we move toward the black
area of testing.

2.3.2. SECOND:
Secondly, three phases (Reconnaissance, Maintaining Access, and Covering
Tracks) need to be modified from an IT Director(s) point of view. We will base our analysis
and recommendations on White-Box testing.
First, there is no need for an Ethical Hacker to gather information about
systems using the same tools and techniques Black-Hat hackers do.
Information gathering and updating of the targets to be secured is already
done, and it is part of the IT Department team's job. IT Director(s), along with
their team, know their infrastructure inside out. Also, we cannot agree with
[KG07] when he suggests that Reconnaissance, Information Gathering, and
Scanning could be bypassed by an Ethical Hacker, who could jump directly to the
attack phase. His assumption that a White-Hat hacker being either an employee
or an outsourced company eliminates the need for collecting information is
correct, but it does not reduce the need to verify this information.

Second, Ethical Hackers need to gather information about illegitimate
devices, whether these devices are installed by insiders or hackers. It is better
to spend time checking and gathering information about systems that were
missed by the IT Department than discovering what the IT Department already
knows.
The Ethical Hacker needs to identify both legitimate and illegitimate devices,
tools, and software instead of skipping the search because they know the
organization's infrastructure. Some IT Security consultants, from my
experience, show up at your office and deploy scanning software to identify
the IP addresses of your legitimate devices, and forget about gathering
information on illegitimate devices and tools.
Nevertheless, to know the illegitimate devices and systems you need to know
the legitimate ones.
In my opinion, regardless of the method of testing (Black-Box or White-Box),
and regardless if the person is a Black-Hat hacker or a White-Hat hacker,
information needs to be gathered and documented to start the process.
However, the target of examination, methodology of gathering information,
sources of information, and tools will be slightly different.
On the other hand, [JM13] does not agree with [KG07] and emphasizes that
Reconnaissance should be the first step of any White- or Black-Box testing
scenario, regardless of whether you (as a Black-Hat or White-Hat tester) are verifying
information given to you by the IT Department or building new intelligence about
a target. For a White-Hat tester, Reconnaissance begins by defining the scope of work related to the
target environment. Once the scope is defined,
information gathering is performed on the target. Information gathered
includes IP addresses and ports used, deployed services, local or external
hosting, types of services offered, and so on. This data, along with the rules of
engagement, will lead to the development of the Statement of Work, Action Plan,
and methods to conduct the test. The deliverable of the Reconnaissance
phase should include a summary list of all relevant IT assets being targeted,
what applications are running on the assets, and the services used.

Third, Ethical Hackers need to employ Anti-Reconnaissance tools and devices
to protect the infrastructure from reconnaissance. The idea is similar to the anti-virus, anti-malware, and anti-spam tools used by most organizations. Having
an anti-virus is much more important and effective for IT Director(s) than
knowing how a virus attacks a system and trying to simulate this attack. The
same applies to Anti-Reconnaissance, which is much more important than
only knowing how hackers gather information and imitating their actions.
Anti-Reconnaissance is the process of using a set of tools and techniques to
misguide and trap attackers.
Fourth, there is no need for IT Director(s) to cover tracks and plant
backdoors as hackers do. In other words, IT Director(s) do not want to
attack their own systems; they want to secure their systems. Why would IT
Director(s) need to plant backdoors after gaining access to a target? Does
planting a backdoor and modifying specific system processes add anything to the
security of the target? Does restoring the attacked system back to
its original state, cleaning registries, and replacing infected system files give
IT Director(s) more confidence in their systems? Or is it a mere imitation of
hackers' footsteps?
In my experience, the concern and objective of IT Director(s), across all the tools
used, methodologies, and investments, is to prevent the last two phases
(Covering Tracks and planting backdoors) from happening. IT Director(s) need to
know (tools and methodologies) how hackers cover their traces, maintain
access, and create backdoors. However, it is more important to uncover and
detect their existence, if any.
I think it is better to spend time and money on rectifying the holes and
strengthening security, instead of covering the Ethical Hackers' tracks and planting
backdoors, then undoing what was done.

2.4. PROPOSED NEW MODEL:

Based on the above, a new model is proposed for IT Director(s) to use in their attempt to secure
their infrastructure:

1. Anti-Reconnaissance/Reconnaissance (Information Gathering)
2. Vulnerability Assessment (Scanning, Enumeration, Vulnerability Discovery)
3. Penetration Testing (Exploitation, Escalate Privilege and Maintain Access)
4. Rectification (Forensic tools)

As we can see from the above proposed model, we have customized the first phase,
previously called Reconnaissance, and called it Anti-Reconnaissance. In addition, we have
completely replaced Covering Tracks and Planting Backdoors with a Rectification phase.
In this scheme, and from an IT Director(s) perspective, the Reconnaissance and Scanning phases
remain part of the Ethical Hacker's duties to discover and gather information about both
legitimate and illegitimate devices. Secondly, the Reconnaissance phase is renamed Anti-Reconnaissance to include tools and techniques that misguide attackers and trap them.
Thirdly, the role of the Rectification phase is not to prove a case in a court of law, but to search
for possible traces of hackers. The Ethical Hacker is encouraged to use tools to discover rootkits,
backdoors, traces of compromised systems, and traces of attempts to compromise systems.

In the next modules (Four, Five, Six, Seven and Eight), we will discuss three main notions,
Fundamentals, Objectives, and Tools, for each phase of the proposed model, elaborating on the
similarities and differences of each phase. Additionally, we will look into the similarities and
differences between the newly proposed model and the old model. The proposed phases are
inter-related, and some Fundamentals, Objectives, and/or Tools might be the same in many
phases and might differ slightly or completely in others.

However, there is a huge difference between what a Black-Hat hacker will do and what an
Ethical Hacker will do, regardless of the model (old or proposed). For example, hackers have no
boundaries on the systems to attack, the time and duration of an attack, funding, or ethical values,
and will use any available tool. They also do not inform other people about what they are
doing or when they are doing it. They are not bound by any ethical value.
Going back to the previous module, we will limit ourselves to the few tools that fit the above
model. There are plenty of other tools within Backtrack, but we will not reference a tool in this
Handbook if it falls outside the above model. Moreover, the first phase, Anti-Reconnaissance,
will have a different set of tools that are not mentioned in either Backtrack
or Kali Linux.

The above-proposed model is not rigid, in the sense that we might do a few things in Anti-Reconnaissance/Reconnaissance, next do Vulnerability Assessment, then, based on the
outcome of the Vulnerability Assessment, go back to Anti-Reconnaissance, then
start Penetration Testing, and so forth. This is very important to remember and
keep in mind. A security analyst, like a hacker, might jump back and forth between
phases: gather information, afterwards do a vulnerability assessment, later go back
to gathering information, and so forth with the other phases.

One last thing we need to mention: hackers' techniques and tools might differ slightly from
one type of system being hacked to another. For example, hacking a web server will differ in
the tools used from hacking a wireless network or hacking wired
networks. However, they follow almost the same process to reach their goals. In each phase
of this process, they have particular fundamentals and objectives and employ a set of tools to
complete the phase, and usually the output of one tool in a particular phase is used as input
to another tool in the next phase.

2.5. LIMITATIONS OF MODEL USAGE (CONCLUSION):

The following are the limitations the above model places on Ethical Hackers:

- Limited time to complete your work and provide your report.
- Limited tools and methods to be used; the use of botnets and rootkits is not allowed.
- Limited scope: you cannot do everything on all systems.
- You need to be very cautious when doing your own test, whereas hackers do not care
  about any harm they might cause to the target.
- Limitations on the experience of the Ethical Hackers doing the work.

One very important thing to mention is that the time needed to scan all hosts and all ports in a
given enterprise can be so long that it renders the scanning process useless. An
example of this is when an Ethical Hacker is scoping an organization with 1000 hosts
and devices. He/she cannot scan all ports on all hosts. A scan of this type might take 6.5 years
assuming 1.5 seconds for each port (65,536 UDP and 65,536 TCP ports per host, which leads to an
approximate total of 130 million ports). This means that a limited number of hosts and ports
will be scanned. Careful selection needs to be made of what is to be scanned, and IT Director(s)
should have input on this topic rather than leaving it solely to the Ethical Hacker who is conducting
the work.
Another thing to keep in mind is that the tools mentioned in this Handbook might change. New
tools will come out that prove better than old ones. Tools that are used today might not be
useful tomorrow.

3. ANTI-RECONNAISSANCE AND RECONNAISSANCE:


We talked in the previous modules (two and three) about the phases to be followed by IT
Director(s) in securing their infrastructure, and we have modified the phases that are used by
Ethical Hackers to better fit the needs of IT Director(s).
In this module, we will talk about Anti-Reconnaissance, Reconnaissance, and other related
concepts.
The first step in Information Gathering (Reconnaissance) is to gather information from
System Administrators, Network Administrators, and Application Administrators about:

- Subnets used internally and externally,
- Operating system flavors of all devices,
- Devices used,
- Network infrastructure,
- Etc.

The above is needed because Security Admins need to look for abnormalities and deviations
from the existing setup. Then the Ethical Hacker (Pen-Tester) will do their own information
gathering using their tools. All collected information should be documented, and deviations
should be marked to be investigated further.

3.1. RECONNAISSANCE (INFORMATION GATHERING):

Reconnaissance has different forms or areas of applicability. Some of these methods and areas
are Internet footprinting, competitive intelligence, Whois, DNS, network and website
footprinting, e-mail discovery, Google hacking, etc.
The prime objective of the attacker is to gather information about devices, operating systems,
and other information about the entity to be attacked. Ethical Hackers doing White-Box
testing will have an easier job in terms of collecting information, since they are working to
strengthen the security and the information is given to them in advance. Hackers usually
gather any type of information that might possibly help them in finding IP addresses,
operating system flavors, network device brands and types, applications, databases, etc.,
from whatever source. However, both hackers and Security Analysts initially try to find two
important pieces of information: IP addresses and the open ports on these IP addresses. After
that, both (hackers and analysts) start discovering the operating systems and the services running on
these ports, then determine the rest of the information needed to exploit or secure existing
vulnerabilities.

3.1.1. RECONNAISSANCE OBJECTIVES:


In the case of White-Box testing, Pen-Testers still need to verify the information
given to them. Information gathering by a White-Hat hacker does not require as much effort
as when collected by Black-Hat hackers, who need to put in more time and effort. White-Hat
hackers have the following objectives:

- Identify and verify existing hosts, network devices, and other system(s),
- Identify and verify that all installed applications are legitimate,
- Identify and verify system types (operating systems and versions),
- Identify and verify open ports and which ports will be targeted,
- Identify and verify running services and corresponding applications,
- Passively social engineer information,
- Compare his/her findings to those gathered by internal IT staff,
- Document findings.
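
The objectives above (verifying hosts, ports and operating systems, and comparing the findings with what internal IT staff already knows) come down to reconciling two inventories and marking every deviation for investigation, which is also what the opening of this module asks for. The following Python script is an added example for this Handbook, not code from the original report or from any of the tools it names; the CSV column names, the constructed inventory and discovery records, and all addresses are assumptions made for the example. Converting a real scanner's output into the record shape used here is left to the reader.

```python
"""Reconcile a pen-tester's discovery results against the IT department's asset inventory.

Added example for this Handbook, not code from the original report or from any
tool it names. The inventory CSV, the scan findings and the addresses are
constructed sample data; the field names are assumptions made for the example.
"""
import csv
import io

# Constructed: the inventory of record, as supplied by system/network administrators.
INVENTORY_CSV = """\
ip,hostname,os,ports
10.0.1.10,web01,Ubuntu 12.04,22;80;443
10.0.1.11,db01,CentOS 6,22;1521
10.0.1.12,fs01,Windows Server 2008,135;139;445
10.0.1.20,printer01,Embedded,9100
"""

# Constructed: what the pen-tester's own discovery found, already parsed into records.
# Turning a real scanner's output into this shape is the reader's job.
SCAN_FINDINGS = [
    {"ip": "10.0.1.10", "os": "Ubuntu 12.04", "ports": {22, 80, 443}},
    {"ip": "10.0.1.11", "os": "CentOS 6", "ports": {22, 1521, 8080}},  # extra listener
    {"ip": "10.0.1.20", "os": "Linux 2.4", "ports": {9100}},           # OS differs from record
    {"ip": "10.0.1.77", "os": "Linux 2.6", "ports": {22, 4444}},       # not in the inventory
]


def load_inventory(csv_text):
    """Parse the inventory CSV into {ip: {"hostname", "os", "ports"}}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports = {int(p) for p in row["ports"].split(";") if p}
        inventory[row["ip"]] = {"hostname": row["hostname"], "os": row["os"], "ports": ports}
    return inventory


def reconcile(inventory, findings):
    """Compare findings with the inventory; every entry returned is a deviation to investigate.

    unknown_hosts    seen on the network but absent from the inventory (possibly illegitimate)
    missing_hosts    in the inventory but not seen (down, decommissioned, or stale record)
    port_deviations  known hosts whose open ports differ from the record
    os_mismatches    known hosts whose fingerprinted OS differs from the record
    """
    seen = {f["ip"]: f for f in findings}
    report = {
        "unknown_hosts": sorted(set(seen) - set(inventory)),
        "missing_hosts": sorted(set(inventory) - set(seen)),
        "port_deviations": {},
        "os_mismatches": {},
    }
    for ip in sorted(set(seen) & set(inventory)):
        expected, actual = inventory[ip]["ports"], seen[ip]["ports"]
        if expected != actual:
            report["port_deviations"][ip] = {
                "unexpected_open": sorted(actual - expected),
                "expected_but_closed": sorted(expected - actual),
            }
        if inventory[ip]["os"] != seen[ip]["os"]:
            report["os_mismatches"][ip] = {"inventory": inventory[ip]["os"], "scan": seen[ip]["os"]}
    return report


if __name__ == "__main__":
    for key, value in reconcile(load_inventory(INVENTORY_CSV), SCAN_FINDINGS).items():
        print(f"{key}: {value}")
```

Every entry in the report is a question for the IT Department rather than a verdict: an unknown host may be a rogue device or an undocumented one, and an unexpected listener may be a forgotten test service, but each is exactly the kind of deviation the Handbook says must be documented and followed up.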

3.1.2. TOOLS USED IN RECONNAISSANCE:


Some of the most widely used tools for information gathering, by all kinds of hackers and by
Security Analysts, are DNSmap, Nmap, Zenmap (Windows version of Nmap), Metasploit,
Armitage, Meterpreter, Maltego, hping3, Nessus, and many others. Metasploit is a multi-faceted
tool that works with Armitage as its graphical interface. It is used for discovery, vulnerability
assessment, Penetration Testing, and other purposes. It is one of many tools that are multifunctional.
Tools used for scanning IP addresses and ports use various techniques to accomplish their
port-scanning mission. The most-used attacks during the Information Gathering phase
are: SYN Scan, TCP Connect Scan, TCP Half-Connect Scan, ACK Scan, FIN Scan, NULL Scan,
Xmas Tree Scan, UDP Scan, ICMP Scan, and Fragmentation Attack [MD11], [JG08]. In this
module, we will not touch on any of these IP and port scanning techniques because we
assume they are obvious to the reader.
3.1.2.1. DNSmap:
DNSmap is a Domain Name System mapping tool that has the ability to discover all
subdomains and related domains of a target domain.

3.1.2.2. Hping3:
Hping3 is a smart tool that is able to perform port scans, bypassing firewalls
intelligently and without being detected by IDSs/IPSs. It can send custom
packets to a specific target by manipulating the MTU, spoofing the source IP
address, setting source ports, setting TTL values, fragmenting packets,
sending packets with a bogus checksum, and many other things. It supports
the main protocols TCP, UDP, and ICMP. The latest version of Hping is version
3 (Hping3). Hping3 is available on *nix, Windows, and Mac OS, whereas Hping2 was
available on *nix only. DNSmap and Hping3 are free tools.

3.1.2.3. HTTrack:
HTTrack is a cross-platform, free web crawling tool to clone websites (http, https, and
ftp). It allows the Ethical Hacker to browse, analyze, and edit the content of a website
offline. Some hackers might use this tool to develop a fake phishing website (Social
Engineering Attacks) to trap users into believing that it is a legitimate site. HTTrack is a
command line tool that has an easy menu-driven interface. Its Windows version is
WinHTTrack.

3.1.2.4. Wget:
Wget is similar to HTTrack. However, it is typically included in scripts and cron jobs for
mirroring websites. HTTrack has more features than Wget; Wget does not
analyze captured data as HTTrack does.

3.1.2.5. Maltego:
Maltego is an open-source information gathering, forensic, audit, and threat
assessment tool. It has the ability to collect information from various sources
and is used to launch Social Engineering Attacks based on the collected information.
It gathers e-mail addresses, server names, etc., then associates gathered
e-mail addresses and websites with a person, verifies e-mail addresses, and so on,
then graphs the output. The power of the tool is in its ability
to gather information about a domain, company, and people. It uses open
web resources to gather and then correlate information using a simple GUI. It has
75 transforms available free; the full version is a paid version. Maltego provides
CaseFile as a sub-module to document all data collected in the information-gathering
phase in one document by mapping relationships manually in a
graphical format.

3.2. ANTI-RECONNAISSANCE

Anti-Reconnaissance is the process of discovering malicious attempts to scan IP addresses and
ports, and thereby discovering the attack at its early stages.
As we know, IP/port scanning, exploitation of a vulnerability, maintaining access, planting Trojans
or backdoors, and clearing trails are the main steps in an intrusion. The IP and port scan is at
the beginning of the whole process, and its detection and prevention is a successful defense
mechanism [CY04], [JJ13].

3.2.1. FUNDAMENTALS OF ANTI-RECONNAISSANCE:

- Time: There is no time limit on when to start or complete this phase. The tools employed
  here to secure the infrastructure shall stay indefinitely and shall be maintained like
  any firewall, anti-virus, or IDS system. Information gathering about malicious
  activities is a continuous process.

- Devices: There is no limit on the devices to be discovered and analyzed. Devices might be those
  facing the Internet in the DMZ, server-side, or client-side. We need to be selective on what
  ports to scan on devices. If the number of devices is small, then all ports can be
  scanned. However, if we have a large number of devices, then scanning all ports on
  all devices might take a couple of years. The decision on the above needs to be clear
  and based on the Risk Assessment output.

- Tools/Applications: Information gathering methods, software, and devices used
  should be defined. Active or passive methods should be defined as well. The possible
  impact of the methods used on the systems should be considered.

- People: Parties involved throughout the process: Network Engineers, System
  Engineers, Application Administrators, Security Engineers, and Management
  approval on the scope, rules of engagement, and what needs to be done in the next
  phase.

- Report: Report Planning, Information Collection, Writing the First Draft, Review, and
  Finalize [MA10].

3.2.2. OBJECTIVES OF ANTI-RECONNAISSANCE:


The following are the objectives of Anti-Reconnaissance:

- Educate corporate staff about social engineering attacks. This is the most important
  objective, because people are the weakest link.
- Hide, as much as possible, the corporate information that could be used by
  hacker(s).
- Misguide hackers by presenting false information.
- Discover attempts at malicious activity.
- Make information collection a more difficult task for hackers.
- Prevent attackers from reaching their goals.

3.2.3. TOOLS AND SOFTWARE:


There are many methods to fight hackers' Reconnaissance. The most familiar is the
detective method, such as restricting routers, web servers, and other devices from responding
to reconnaissance activities. In what follows, we will talk about the offensive method of
fighting hackers' Reconnaissance, the most important elements of which are the following:
Deceptive Hiding, Active Detection Techniques, and Anti-Social Engineering.

3.2.3.1. Deceptive hiding: [BJ13] mentions in his article that the defender is at an
advantage over the hacker because the defender knows the environment better
than the hacker does. This allows defenders to hold superior defensive
positions that actively identify attackers after deceiving them, on a field the defender
knows better.
These deceptive techniques are different from the traditional layers of
defense known for the last three decades: firewalls, intrusion detection (IDS), IPS,
anti-virus, etc.
In the offensive approach, we do not wait for the incident to happen and then
react. We prepare our infrastructure to win any battle with the attacker.

Decoy Services:
Examples of Decoy Services are SpiderTrap and WebLabyrinth. These tools
are designed to trap any web crawler in an infinite loop of useless
web pages instead of letting it gather information. This will alert the defender to
web fingerprinting and information gathering [BJ13].
SpiderTrap acts as a small web server that serves random links, looping
until either the hacker's web-crawler tool or SpiderTrap is stopped. It is not
available within Kali Linux, but can be downloaded from sourceforge.net and
installed for free. It is written in Python 2.
WebLabyrinth is similar to SpiderTrap in functionality, but it runs on an Apache
web server rather than acting as a web server itself.
Careful consideration is needed when using both tools, because you may not want to
block Google or other search engines from crawling your web site.
Another example of Decoy Services is installing additional packages (e.g.
Oracle DB instances) that are not used for production on existing servers to
misguide the attacker and let him/her think that all these databases are
production instances/services [BJ13]. However, this will add additional
management tasks for the team and additional cost for space and licensing.

Darknets:
Security Administrators usually use firewalls and IDSs to filter out traffic that
is considered malicious and allow legitimate traffic only. A Darknet takes a
different approach, where sensors monitor and collect malicious traffic
instead of dropping it.
A Darknet is a portion of routed, allocated IP space in which no active
services or servers reside. They are "dark" because there is, seemingly,
nothing within these networks. All traffic entering a Darknet will be malicious
to some extent, as nothing legitimate should be routed there. Traffic entering
a Darknet typically comes from scans generated by automated tools and
malware, looking for vulnerable ports with nefarious intent [TC08]. This has led
to the development of various devices and tools to monitor Darknets.
Definitely, the size of the IP space and the location of the sensors on the
network are the two main factors determining the collected traffic.
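
Both the opening of this section (detecting IP and port scans while the attack is still at its early stage) and the Darknet description above rest on the same defensive logic: traffic into unused address space is suspicious by definition, and a single source touching many distinct ports on one host within a short time is a sweep. The script below implements both detections over flow records. It is an added example for this Handbook, not code from the original report or from any darknet sensor product; the key=value log format, the darknet prefix 10.0.9.0/24, the threshold of five ports per minute and all addresses are constructed assumptions.

```python
"""Detect reconnaissance in flow records: darknet hits and port sweeps.

Added example for this Handbook (not code from the original report or from any
tool it names). The log format, the darknet prefix 10.0.9.0/24 and the thresholds
are assumptions constructed for the example; a real sensor would feed its own
flow records into the same logic.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: routed but unused address space that nothing legitimate should reach.
DARKNET = ipaddress.ip_network("10.0.9.0/24")

# A source touching this many distinct ports on one host within WINDOW is a sweep.
SCAN_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Constructed sample flow records in a simple key=value format.
SAMPLE_FLOWS = """\
2014-03-01T10:00:01 src=10.0.1.10 dst=10.0.1.11 dport=1521 proto=tcp
2014-03-01T10:00:02 src=198.51.100.7 dst=10.0.1.10 dport=21 proto=tcp
2014-03-01T10:00:03 src=198.51.100.7 dst=10.0.1.10 dport=22 proto=tcp
2014-03-01T10:00:04 src=198.51.100.7 dst=10.0.1.10 dport=23 proto=tcp
2014-03-01T10:00:05 src=198.51.100.7 dst=10.0.1.10 dport=25 proto=tcp
2014-03-01T10:00:06 src=198.51.100.7 dst=10.0.1.10 dport=80 proto=tcp
2014-03-01T10:00:07 src=198.51.100.7 dst=10.0.1.10 dport=443 proto=tcp
2014-03-01T10:00:09 src=10.0.1.10 dst=10.0.1.11 dport=1521 proto=tcp
2014-03-01T10:00:10 src=203.0.113.9 dst=10.0.9.44 dport=445 proto=tcp
2014-03-01T10:00:11 src=203.0.113.9 dst=10.0.9.45 dport=445 proto=tcp
2014-03-01T10:30:00 src=10.0.1.50 dst=10.0.1.10 dport=80 proto=tcp
2014-03-01T11:30:00 src=10.0.1.50 dst=10.0.1.10 dport=22 proto=tcp
2014-03-01T12:30:00 src=10.0.1.50 dst=10.0.1.10 dport=443 proto=tcp
2014-03-01T13:30:00 src=10.0.1.50 dst=10.0.1.10 dport=25 proto=tcp
2014-03-01T14:30:00 src=10.0.1.50 dst=10.0.1.10 dport=8080 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                   ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dport"]))


def darknet_hits(flows):
    """Every flow into the darknet is suspicious by definition: return {src: [dst, ...]}."""
    hits = defaultdict(list)
    for _, src, dst, _ in flows:
        if dst in DARKNET:
            hits[str(src)].append(str(dst))
    return dict(hits)


def port_sweeps(flows):
    """Return {src: distinct_port_count} for sources that probe at least SCAN_THRESHOLD
    distinct ports on one host within WINDOW. The sliding window is the detector's limit:
    the 10.0.1.50 probes, one per hour, never exceed one port per window and are missed."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(str(src), str(dst))].append((ts, dport))
    sweeps = {}
    for (src, _dst), events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= WINDOW}
            if len(ports) >= SCAN_THRESHOLD:
                sweeps[src] = max(sweeps.get(src, 0), len(ports))
                break
    return sweeps


def analyse(text):
    flows = list(parse_flows(text))
    return {"darknet": darknet_hits(flows), "sweeps": port_sweeps(flows)}


if __name__ == "__main__":
    for kind, result in analyse(SAMPLE_FLOWS).items():
        print(kind, result)
```

The darknet rule needs no threshold at all, which is why the text calls it a successful defense mechanism; the sweep rule does, and the slow probe in the sample shows the trade-off: widening the window catches slower scans but raises false positives from legitimate multi-service clients, so the threshold should come from the Risk Assessment discussed under Fundamentals rather than from a default.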

HoneyTokens:
HoneyTokens are pieces of data whose use indicates a possible intrusion
[BJ13]. This piece of information could be an invalid credit card number, a user
login, an e-mail address, and/or any piece of information that an attacker might
be looking for. Use of this forged data, such as trying to log in with a fake
username, indicates a possible attack.
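
A HoneyToken only pays off if something watches for its use. The script below is an added example for this Handbook, not code from the original report or from [BJ13]: it defines a set of bait usernames and scans sshd-style authentication log lines for any attempt to use them, ranking the sources so that a successful login with bait credentials is seen first. The usernames, log lines, hostnames and addresses are all constructed, and the log layout is an assumption modelled on a syslog authentication log.

```python
"""Flag any use of honeytoken accounts in authentication logs.

Added example for this Handbook (not from the original report or [BJ13]). The
honeytoken usernames and the sshd-style log lines are constructed sample data;
the log layout mimics a syslog authentication log but is an assumption.
"""
import re
from collections import defaultdict

# Constructed: accounts that exist only as bait and have no legitimate user. They are
# left where an attacker would find them (a stale config dump, an old password file);
# any attempt to use them, successful or not, is an alert.
HONEYTOKEN_USERS = {"svc_backup_old", "oracle_dba2", "jsmith_admin"}

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample log lines: one legitimate user, two sources using bait accounts.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 web01 sshd[2011]: Accepted publickey for deploy from 10.0.1.50 port 51022 ssh2
Mar  1 10:00:07 web01 sshd[2014]: Failed password for invalid user svc_backup_old from 198.51.100.7 port 40111 ssh2
Mar  1 10:00:09 web01 sshd[2014]: Failed password for invalid user svc_backup_old from 198.51.100.7 port 40111 ssh2
Mar  1 10:00:15 web01 sshd[2020]: Failed password for deploy from 10.0.1.50 port 51030 ssh2
Mar  1 10:01:40 db01 sshd[3302]: Accepted password for oracle_dba2 from 198.51.100.7 port 40200 ssh2
Mar  1 10:02:00 web01 sshd[2030]: Failed password for invalid user jsmith_admin from 203.0.113.9 port 4000 ssh2
"""


def honeytoken_alerts(log_text, tokens=HONEYTOKEN_USERS):
    """Return {src: [(user, result), ...]} for every authentication event that used a
    honeytoken. A mistyped real username by a legitimate user never matches, because
    only the exact bait names are in the set."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m["user"] in tokens:
            alerts[m["src"]].append((m["user"], m["result"]))
    return dict(alerts)


def prioritise(alerts):
    """Order sources: those with an Accepted login on a bait account first, then by attempts.
    An accepted login means the bait credentials themselves have been obtained."""
    return sorted(alerts, key=lambda s: (-any(r == "Accepted" for _, r in alerts[s]), -len(alerts[s])))


if __name__ == "__main__":
    found = honeytoken_alerts(SAMPLE_AUTH_LOG)
    for src in prioritise(found):
        print(src, found[src])
```

The same loop works for any other token type the text mentions (a bait e-mail address in mail logs, a bait card number in application logs) by swapping the regular expression and the token set; the value of the technique is that, unlike a generic brute-force alert, a honeytoken hit has no legitimate explanation and needs no threshold.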

Web Bugs:
Web bugs are defined as tracking devices embedded in web pages,
executables, or scripts that secretly monitor your activity on the web and send
the information back to a third party [NS03]. These web bugs could be used
to monitor attackers' activity. These bugs are analogous to bugs in any
program, except that these were intentionally written and left between the lines of
code.

Web Server Anonymization:
This activity is done by removing unnecessary HTTP headers and response
data. ServerMask is a tool that can misguide hackers and intruders. It is not
a free tool. Nevertheless, plenty of ready-written scripts that hide the server banner are
available.
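
One form such a banner-hiding script can take is a small middleware layer in front of the web application. The WSGI middleware below is an added example for this Handbook, not code from the original report or from ServerMask; the list of identifying headers, the generic banner value and the sample application's headers are assumptions. `leaked_headers` is the self-check a defender would run against a raw response before and after the middleware is applied.

```python
"""Strip server-identifying HTTP response headers (web server anonymization).

Added example for this Handbook, not code from the original report or from
ServerMask. A WSGI middleware sits between the web server and any Python web
application, so it can rewrite every response. The header list, the generic
banner value and the sample application's headers are assumptions.
"""
from wsgiref.util import setup_testing_defaults

# Headers that hand product and version information to a fingerprinting tool.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-generator"}
GENERIC_BANNER = "webserver"  # assumption: a bland value rather than no Server header at all


class AnonymizeHeaders:
    """WSGI middleware: drop identifying headers and emit one generic Server banner."""

    def __init__(self, app, banner=GENERIC_BANNER):
        self.app, self.banner = app, banner

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            clean = [(k, v) for k, v in headers if k.lower() not in IDENTIFYING_HEADERS]
            if self.banner:
                clean.append(("Server", self.banner))
            return start_response(status, clean, exc_info)

        return self.app(environ, wrapped_start)


def chatty_app(environ, start_response):
    """Constructed stand-in for a framework that advertises its software stack."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "Apache/2.2.22 (Ubuntu) PHP/5.3.10"),
                              ("X-Powered-By", "PHP/5.3.10")])
    return [b"hello"]


def run_once(app, path="/"):
    """Drive a WSGI app in-process (no network) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def leaked_headers(headers, banner=GENERIC_BANNER):
    """Defender's self-check: identifying headers a response still carries,
    ignoring the generic banner this middleware sets on purpose."""
    return sorted(k for k, v in headers
                  if k.lower() in IDENTIFYING_HEADERS and not (k.lower() == "server" and v == banner))


if __name__ == "__main__":
    _, raw, _ = run_once(chatty_app)
    _, clean, _ = run_once(AnonymizeHeaders(chatty_app))
    print("before:", leaked_headers(raw))
    print("after: ", leaked_headers(clean), dict(clean))
```

The middleware controls only what the application layer emits; a front-end web server adds its own Server header after the application has answered, so this has to be paired with the server's own configuration (for Apache, the ServerTokens and ServerSignature directives). Header removal also does nothing about behavioural fingerprints such as error-page wording or header ordering, which is why the text presents it as something that misguides and delays rather than prevents.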

Scanning Tools:
[JM13] suggests changing ports' default values to other specific numbers to
invalidate the information returned by a scanning tool. E.g., FTP port 21
could be changed to another port number. Changing port numbers will force
the attacker to spend more time discovering what exactly is running on a given
device. In my opinion, this might definitely delay the attack on a system but
will not prevent it. Also, it will add another duty for System and Network
Administrators to manage this change.

Other Tools:
Other tools, part of the hackers' arsenal, are available to discover our systems. These
tools, if used by our Security Analysts, will make our environment safer. Some of these
tools are Metagoofil, ExifTool, and Strings. The output of these tools will be analyzed
to eliminate any kind of data that might help hackers attack systems [JM13].

3.2.3.2. Active Detection techniques: The purpose of active detection techniques is to
find the intruder before the target is compromised with an exploit. In other
words, it is preferable to catch the attacker in the early phases of his attack
(reconnaissance, scanning, or finding a suitable exploit). As the attacker moves
undetected from one phase to another, the risk becomes bigger and more
difficult to detect. This is the goal of employing active detection techniques.

SNORT is described in [SF13] as an open-source Network Intrusion Detection
and Prevention tool used to discover malicious activity. SNORT does not have
a user interface through which you can monitor the alerts and check the logs;
SNORT has a primitive command line interface, and you need to use another tool
to do this. There are many tools listed on the www.snort.org web site that can
be used to monitor and manage SNORT. BASE (Basic Analysis and Security
Engine), ACID (Analysis Console for Intrusion Detection), and others are among
the most popular tools that work as a front-end to SNORT.

25 | P a g e

Captured packets in SNORT are run against a set of rules configured by the
Security Administrator. SNORT can be installed on Unix, Linux, Windows, and
Mac OS. SNORT can sniff packets, log packets, and generate alerts based on
pre-set rules. It consists of the following modules:

Packet Decoder or sniffer,

Preprocessors,

Detection Engine,

Logging and Alerting System, and

Output module.

One of the most important features of SNORT is its ability to analyze packet
traffic in real time. SNORT gives us the ability to see what is happening.
SNORT analyzes the logs searching for possible intrusions or attempts at
intrusion. It is the most widely used IPS worldwide, as indicated on the SNORT website.
A lot of literature has been written about SNORT, and many users contribute by writing
new rules, plugins and applications that work with SNORT. It is freely
available, and users can see what is going on inside the tool and tweak it to meet
their needs. This option is not present in most commercial IDS/IPS
applications. NetFlow is Cisco's commercial counterpart to SNORT.
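
To make the decoder, detection engine and alerting pipeline described above concrete, the following Python example (added here; it is neither part of this report nor Snort's own code) parses two rules written in Snort's rule syntax and runs them over a few constructed, already-decoded packets. The `Packet` and `Rule` types, the rule text, sids, addresses and payloads are all constructed for illustration, and the content matcher is a simplified substring check rather than Snort's full option set.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample rules in Snort's rule syntax (header, then options in
# parentheses). The sids, message text and network are invented for this example.
RULES_TEXT = """
alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH connection into server LAN"; sid:1000001; rev:1;)
alert tcp any any -> 192.168.1.10 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000002; rev:1;)
"""

@dataclass
class Packet:
    """What the packet decoder hands to the detection engine (hypothetical type)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rules(text):
    """Parse rule lines into Rule objects; options become a key -> value dict."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = {}
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
        rules.append(Rule(action, proto, src, sport, dst, dport, options))
    return rules

def addr_matches(spec, addr):
    """'any', a CIDR block, or a single address."""
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """Detection engine: check the header fields, then the content option if present."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.payload

def run_detection(rules, packets):
    """Logging/alerting stage: return (sid, msg, src, dst) for every rule hit."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((int(rule.options["sid"]), rule.options["msg"], pkt.src, pkt.dst))
    return alerts

# Constructed, already-decoded traffic; the last packet has the right payload but
# the wrong protocol, so the header check must reject it before content matching.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 51000, "192.168.1.20", 22),
    Packet("tcp", "10.0.0.5", 51001, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.7", 51002, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("udp", "10.0.0.7", 51003, "192.168.1.10", 80, b"../"),
]

if __name__ == "__main__":
    for alert in run_detection(parse_rules(RULES_TEXT), SAMPLE_PACKETS):
        print("[**] sid=%d %s  %s -> %s" % alert)
```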

TripWire is an integrity tool used to monitor, in real time, log manipulation
and deletion and to alert about these actions. After installation, the tool scans
system files and sets a baseline, to which later scans are compared whenever it is
invoked. Unauthorized changes to system files are flagged as
suspicious for further investigation. To benefit from TripWire, it should be
installed on a clean system before the baseline is determined. Tripwire has the
capacity to monitor services as well. Tripwire is now open-source after having been
a commercial tool. Tripwire is very similar to the AIDE (Advanced Intrusion
Detection Environment) tool. AIDE checks integrity against a pre-captured
image. Any changes to files are logged in a separate file and sent to the system
administrator for verification. EnCase is a more powerful commercial utility
that combines several functions in one application.
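
The baseline-then-compare cycle that Tripwire and AIDE implement can be shown in a few lines. The Python example below is added for this handbook and is not code from either tool: it baselines a constructed directory tree (size, permission bits and SHA-256 per file), simulates an edit, a deletion and a planted file, and reports the differences; the file names and contents are invented.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

def file_record(path):
    """Attributes recorded per file: size, permission bits and a SHA-256 of the content."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}

def build_baseline(root):
    """Walk `root` and record every regular file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def save_baseline(baseline, dest):
    # In a real deployment the baseline must live where an intruder cannot rewrite it
    # (read-only media or a remote host); here it is just a JSON file.
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(src):
    with open(src) as f:
        return json.load(f)

def compare(baseline, current):
    """Report what changed since the baseline: added, removed and modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[path][k], current[path][k])
                 for k in ("size", "mode", "sha256")
                 if baseline[path][k] != current[path][k]}
        if diffs:
            modified[path] = diffs
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a clean tree, tamper with it, then re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("welcome\n")
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(etc), baseline_file)

        # Simulated unauthorized changes: edit one file, delete one, plant a new one.
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("203.0.113.9 update.example.com\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "new.conf"), "w") as f:
            f.write("planted\n")

        return compare(load_baseline(baseline_file), build_baseline(etc))
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```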

Nova (Network Obfuscation and Virtualized Anti-Reconnaissance System):
is a cyber defense product (www.projectnova.org) to defeat hackers'
attempts to gain information about a given target [DS13]. Nova has a web
interface to manage and monitor different honeypots from a single console.
It works with Honeyd. It builds virtual honeypots on the unused address
space. Ubuntu Linux is the recommended operating system to install Nova.
Honeyd is an open-source project.

Honeypots:
The traditional way of placing honeypots is from outside of the
network, but Nova places honeypots from the inside and emulates
hosts and services, and fools fingerprinting of different operating systems,
which defeats hackers' Nmap scanning and discovers attackers' attempts
to gather information.
Honeypots, Honeynets, and padded cells are complementary
technologies to IDS/IPS deployments. A honeypot is a trap for
hackers. A honeypot is designed to distract hackers from real targets,
detect new exploitations, and learn about the identity of hackers. A
Honeynet is just a collection of Honeypots used to present an
attacker with an even more realistic attack environment. A padded cell is a
system that waits for the IDS to detect attackers and then transfers the
attackers to a special host where they cannot do any damage to the
production environment. While these are all extremely useful
technologies, not many corporate environments deploy them. You
usually see these deployed by educational institutions and security
research firms. Generally, corporate information security
professionals are so busy securing their environment from attacks
that they do not spend time researching attack patterns. As long as
the attack doesn't succeed, they are satisfied [JS11].

3.2.3.3. Anti-Social Engineering: Social Engineering is a term that describes a
non-technical kind of intrusion that relies heavily on human interaction and often
involves tricking other people into breaking normal security procedures [RE07].
Anti-Social Engineering is the process that defeats and discovers the act of
Social Engineering. It is one of the most important defenders' tools and
can be achieved through administrative policies and training.
IT Director(s) should work on having continuous training programs about Anti-Social
Engineering to change the behavior of staff into being cautious and security
aware.

Administrative policies
Administrative policies put a framework on how to deal with incidents involving
Social Engineering attacks. This is a major part that is missing in most
organizations' security policies. Management in organizations emphasizes
placing information security policies about passwords, anti-virus, and technical
tools (firewalls, IDSs, etc.) to protect their information, and forgets about
policies related to the most successful attack, Social Engineering. Social
Engineering targets the weakest link within the security chain: people.
By including such policies, we emphasize the user's responsibility in
protecting data as a key factor instead of depending on Security
Administrators only.
The author of [JA14] emphasizes that one of the major keys to protecting
your systems successfully lies in the area of security policy and proper
authority to enforce its implementation.

Awareness and Training
The second method to defend against Social Engineering attacks is through
awareness and training. User awareness and knowledge about how attackers
conduct social engineering will minimize the effect of this tool and help in
minimizing the risk. This is very clear when the author of [EN07] emphasizes the
need for user responsibility and awareness in controlling corporate or
personnel data through education and the presence of a set of policies to
ensure privacy and security.

4. VULNERABILITY ASSESSMENT:
Since we are assuming a White-Box testing setup for the systems, vulnerability scanning or
assessment will be conducted. If the network scanning was not completed during the
previous phase (Anti-Reconnaissance/Reconnaissance), it should be conducted in this phase.
Scanning could be part of either phase (Anti-Reconnaissance/Reconnaissance or Vulnerability
Assessment). The output is fed from the scanning tool to the vulnerability assessment tool, or
we can use one tool for both activities (scanning and vulnerability assessment). However,
before discussing the fundamentals, objectives, and tools of vulnerability assessment, it is
important to clarify the difference between Vulnerability Assessment (discussed in this
module) and Penetration Testing (discussed in module 5), because many people within the
security community and vendors of IT security products incorrectly use these terms
interchangeably [PE13].
Vulnerability Assessment is the process of reviewing applications and systems for the
presence of security issues, whereas penetration testing actually performs exploitation of
specific vulnerabilities as a Proof of Concept (PoC) to demonstrate the presence of a security
issue. Though Penetration Testing goes a step beyond Vulnerability Assessment by simulating
hackers' activity and delivering live payloads, it is completed in a much more limited scope than that
of any Vulnerability Assessment [PE13].
Penetration Testing uses aggregated results from the previous two phases to determine what
attacks will be successful.

4.1. VULNERABILITY ASSESSMENT FUNDAMENTALS

- Time: Start time and end time should be established. Planning the Vulnerability
  Assessment is very important to avoid scope creep in a rapidly changing environment.

- Devices: Specific ranges of IP addresses and particular hosts, systems, or applications shall
  be defined during scope preparation: Internet-side hosts or internal hosts, wired or
  wireless network devices.

- Methods: Vulnerability Assessment (Active or Passive) and Risk Assessment (Qualitative
  or Quantitative) methods shall be defined, along with which scanning techniques are
  acceptable and which are not allowed.

- Tools: The tools that will be used for Vulnerability Assessment shall be specified.

- Notified parties: At least one person in the chain of the incident handling process needs to be
  notified. In case the assessment is detected by any defensive or offensive device
  planted in the network, a decision will be taken whether to continue or stop the process.
  Other parties might be notified, such as System Administrators, Network Administrators,
  the ISP representative (if the assessment is conducted on the side facing the Internet), and/or
  owners of the system.

- Initial Level of Access: This depends on the part of the network (Internet side, server side,
  or client side) being assessed. Assessing DMZ servers from the Internet side will require
  no special level of access. Similarly, evaluating a wireless network requires no initial level of
  access. On the other hand, assessing servers inside the perimeter will mandate, at least,
  authorization to plug a network cable into the LAN infrastructure. An IT Director(s) might
  grant standard user access to the network to assess what a regular internal user might be
  able to hack.

- Risk Assessment of discovered vulnerabilities must be made. This is very important
  because it provides a real value for the report generated during a Vulnerability
  Assessment. Without risk assessment, the report's value will be very low.

- Deliver a report based on the risk assessment done for the discovered vulnerabilities.
  Delivering a vulnerability report based on the outcome of an automated tool is, most of the
  time, not enough without checking the associated risk. Furthermore, the contents of this
  report should make clear whether remediation of the vulnerabilities found is included or not.

4.2. OBJECTIVES OF VULNERABILITY ASSESSMENT:

The objectives of a Black-Hat hacker differ from those of a White-Hat hacker in the sense that a
hacker is looking for a vulnerability to exploit, while an ethical hacker is looking for a vulnerability
in order to close it by applying the necessary patches or measures. The objectives of a vulnerability
assessment for an ethical hacker are as follows:

- Use given information (since it is a White-Hat hacking process) and information gathered
  through probing, port scanning, social engineering, and other methods to determine
  vulnerabilities in systems,
- Map vulnerable systems to asset owners. For a Black-Hat hacker this goal is not considered,
- Evaluate targets for vulnerabilities and afterward for security risks by constructing an attack
  hierarchy or tree,
- Identify and prioritize vulnerable systems based on risk value and importance to the
  business,
- Document findings to work on eliminating, reducing and mitigating risk [JM13], [SD06].

4.3. VULNERABILITY SCANNING TOOLS:

In this module, we will discuss some of the most important tools for three main areas of an IT
infrastructure: Wireless Networks, Wired Networks, and Web applications.

4.3.1. WIRELESS TOOLS

With the increase in wireless networks, the need arises to secure and audit these
networks. Examples of wireless security applications are Aircrack, OmniPeek (Network
Analyzer), Netstumbler, AirSnort, and Kismet.

4.3.1.1. Aircrack-ng (Aircrack Suite): Aircrack-ng is a suite of tools for auditing
wireless networks. The suite includes a network detector, a packet sniffer, a
WEP/WPA cracker, and other useful tools [MA09]. Aircrack is a free tool that
works on Linux and Windows. It is a WEP and WPA/WPA-PSK (pre-shared
key) cracking tool; it is faster than similar cracking tools. It is intended for
the 802.11 protocol, as compared to Wireshark, which works with many protocols
other than 802.11. From the Aircrack-ng suite, we will use the following
programs:

- Airmon-ng: It is used to enable monitor mode on wireless card
  interfaces. It may also be used to shut down (stop) interfaces [WP13].

- Airodump-ng: this program will locate available wireless networks in
  the range of the wireless card used and will capture packets [WP13].
  This program is similar to Ssidsniff, but it has the option to connect
  to a GPS device and locate APs on the map, while Ssidsniff does not
  have this option. Airodump-ng can be used for sniffing similarly to
  TCPdump and Tshark (the command line version of Wireshark). It has the
  option to store captured data in Pcap files for later analysis and
  processing.

- Aireplay: It is used to associate the attacking machine with the MAC
  address of the wireless device we are attacking. In other words, it
  attacks Access Points. Aireplay has several attack methods: Deauthentication,
  Fake authentication, Interactive packet replay, ARP
  request replay, KoreK Chopchop, Fragmentation, and Injection test
  [WP13].

4.3.1.2. Gerix: is an automated GUI for the Aircrack suite. It speeds up the wireless
cracking efforts by eliminating the need to type commands manually in a terminal
window [WP13].

4.3.1.3. Fern WiFi Cracker provides a GUI, similar to Gerix, for Aireplay-ng, Airodump-ng,
and Aircrack-ng. Fern WiFi Cracker has built-in functionalities that are not
present in Gerix. It finds the type of encryption applied by Access Points,
figures out weak encryption protocols such as WEP/WPA/WPS and works on
cracking them. Fern WiFi Cracker needs other tools to crack a key (Aircrack,
Python Scapy, and Reaver). All these tools and Fern WiFi Cracker are pre-installed on Kali Linux and Backtrack.

4.3.1.4. Netstumbler/Vistumbler (Network Stumbler): Netstumbler is a well-known
enumeration tool that can identify Access Points and determine their SSIDs.
It runs on Windows XP and has a mini version. Both versions are free of
charge, but no update has been made on its site since 2005. Its main purpose is to
detect rogue Access Points. It does not have all the functionalities of
Kismet, but some users prefer it for its easy and simple GUI. Netstumbler, for
example, does not sniff traffic, whereas Kismet does. Vistumbler
is similar to Netstumbler but works on Windows Vista and 7 and supports GPS
connectivity very easily. Netstumbler does not have these features.

4.3.1.5. Ettercap: is an open-source sniffing tool that supports DNS spoofing, fiddling
with traffic, and Man in the Middle attacks. It can sniff live connections and
display traffic based on applied filters. It can dissect ciphered protocols
actively and passively. It can collect passwords. An attacker using Ettercap can
initiate a Man in the Middle attack (MITM) by eavesdropping on all the packets
transferred back and forth between the target machines. It works on UNIX,
Linux, Windows, Mac OS and other operating systems and has a GUI menu.

4.3.2. NETWORK TOOLS

After discovering the network and knowing what is there, vulnerability assessment tools
need to be used.

4.3.2.1. Nessus: It is an automated open-source tool to discover vulnerabilities in
targeted systems. Nessus has a GUI version and can be launched from
Metasploit (msfconsole). Nessus has a web interface from which configuration
and scanning are carried out. Nessus is a server and client tool. The client
controls the server's behavior. Nessus has a built-in port scanner similar to
Nmap. After discovering open ports, Nessus determines the running service
and compares it to a database of known vulnerabilities. Nessus has a number
of methods of comparison: the first against a set of enabled plugins (this is
called a light scan); the second against all applicable plugins available in the
database; the third based on a predefined policy; and the fourth based on a user-defined
policy. Nessus server and client are available for UNIX, Linux and
Windows OS. Nessus can scan a specific host, a set of hosts (an IP range), or a
subnet. Sensors can be distributed in different areas within the organization
(DMZ, inside the network, and different physical networks). Nessus uses
different plugins depending on the device to be scanned. For example, plugins
used to discover Linux vulnerabilities are different from those used to
discover vulnerabilities for Windows or network devices. Nessus has two
licensing schemes: Home and Professional. The Home version is intended for
personal use and cannot scan more than 16 IP addresses. The commercial
version has more options than the home version. The Professional version is for
commercial usage. It has additional features that are not present in the home
version, such as unlimited concurrent connections.
Nessus exports its findings into various file formats such as HTML, CSV, PDF
and many other types. Nessus classifies vulnerabilities into informational,
notes, warnings, and holes. Nessus offers URL links to external resources to
describe discovered vulnerabilities.
Nessus is well suited for large enterprises. Regardless of how commercial
security providers apply Nessus to their business model, the vast majority of
security-services firms use Nessus to some extent [MC08]. Twenty-two
security firms were listed in one of the CERT-In.org [CI12] reports, and all of them
are using Nessus. Nessus is a must-have in the security consultant's cadre of
tools [MC08].
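
The fundamentals in 4.1 (risk assessment of discovered vulnerabilities) and the objectives in 4.2 (map vulnerable systems to asset owners, prioritize by risk value and importance to the business) can be applied to a scanner export such as the CSV file Nessus produces. The Python example below is added for this handbook and is not part of the report or of Nessus: the CSV rows, the asset inventory and the severity-times-importance risk formula are constructed for illustration, and the column names only approximate a Nessus CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export. The column names approximate a Nessus CSV export;
# the hosts, plugin ids and findings are invented for this example.
SCAN_CSV = """Plugin ID,CVSS,Risk,Host,Port,Name
10001,9.8,Critical,192.168.1.10,443,Outdated TLS library with known remote code execution
10002,5.3,Medium,192.168.1.10,443,TLS certificate expired
10003,7.5,High,192.168.1.20,22,SSH server allows weak ciphers
10004,0.0,None,192.168.1.20,22,SSH banner disclosure
10005,7.5,High,192.168.1.30,3389,RDP without Network Level Authentication
10006,4.3,Medium,192.168.1.99,80,HTTP TRACE method enabled
"""

# Constructed asset inventory: owner and business importance (1 = low .. 5 = critical).
ASSETS = {
    "192.168.1.10": {"owner": "web-team", "name": "public web server", "importance": 5},
    "192.168.1.20": {"owner": "platform", "name": "build host", "importance": 2},
    "192.168.1.30": {"owner": "hr-it", "name": "HR desktop", "importance": 3},
}

# Assumed mapping from scanner severity to a weight (hypothetical, not Nessus's own).
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Hosts missing from the inventory get a neutral importance and are flagged for
# follow-up: an unknown asset on the network is itself a finding for the IT Director.
UNKNOWN_ASSET = {"owner": "UNKNOWN", "name": "not in inventory", "importance": 3}

def parse_scan(csv_text):
    """Turn the CSV export into a list of finding dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "plugin_id": int(row["Plugin ID"]),
            "cvss": float(row["CVSS"]),
            "severity": row["Risk"],
            "host": row["Host"],
            "port": int(row["Port"]),
            "name": row["Name"],
        })
    return findings

def risk_score(finding, asset):
    """Qualitative risk value: scanner severity weighted by business importance."""
    return SEVERITY_WEIGHT.get(finding["severity"], 0) * asset["importance"]

def prioritize(findings, assets):
    """Map each finding to its asset owner, drop informational ones, sort by risk."""
    prioritized = []
    for f in findings:
        asset = assets.get(f["host"], UNKNOWN_ASSET)
        score = risk_score(f, asset)
        if score == 0:
            continue  # informational: stays in the raw scan output, not in the action list
        prioritized.append({**f, "owner": asset["owner"], "asset": asset["name"], "risk": score})
    # Highest risk first; ties broken by CVSS, then host, for a stable report order.
    prioritized.sort(key=lambda x: (-x["risk"], -x["cvss"], x["host"]))
    return prioritized

def by_owner(prioritized):
    """Group the prioritized list per asset owner, preserving the risk order."""
    groups = defaultdict(list)
    for item in prioritized:
        groups[item["owner"]].append(item)
    return dict(groups)

if __name__ == "__main__":
    for owner, items in by_owner(prioritize(parse_scan(SCAN_CSV), ASSETS)).items():
        print(owner)
        for i in items:
            print("  risk=%2d cvss=%.1f %s:%d %s"
                  % (i["risk"], i["cvss"], i["host"], i["port"], i["name"]))
```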

4.3.2.2. OpenVAS is one of the vulnerability assessment tools that have a GUI
interface (OpenVAS Desktop), and it can be opened through its web interface.
OpenVAS is a free, open-source tool. Just three security firms out of the twenty-two firms listed by CERT-In.org [CI12] are using OpenVAS.
Both Nessus and OpenVAS are available in Backtrack, Kali Linux, and other
distributions and have almost the same set of vulnerabilities. Both can check for
vulnerabilities in Windows and Linux hosts and network devices.

4.3.3. WEB APPLICATION VULNERABILITY ASSESSMENT TOOLS

4.3.3.1. ProxyStrike is a web application proxy tool used to identify vulnerabilities in
a given web application while it is being browsed by a client web browser such as
Firefox or Internet Explorer. All traffic is passed through ProxyStrike after
configuring the client web browser to use it as a proxy server. ProxyStrike can
analyze the parameters in the background while surfing the targeted web
application. ProxyStrike has the capacity to identify, intercept, and modify
(delete or edit) requests initiated by the client browser. In addition, it has the
option to crawl a web server application and identify SQL, SSL, or XSS
vulnerabilities through its plugins. In the case of crawling a website, there is no need for a client
browser. It is launched from the ProxyStrike GUI. All you need is to enter
the URL of the targeted web site. The results of a crawl can be exported to an
HTML or XML file [JM13].

4.3.3.2. Vega is another security-testing tool that has similar functions to ProxyStrike.
However, Vega gives details about the discovered vulnerabilities and their
possible impact. It also lists other domains associated with the main targeted
domain.

4.3.3.3. Webshag is a multi-threaded, multi-platform web server-scanning tool that can do port scanning, URL
scanning, web spider crawling, and file fuzzing. It works on multiple platforms
and can audit web servers. It has both a command line interface and an easy to
use Graphical User Interface. Webshag has an option to export the data
captured/generated into XML, HTML, and TXT files. Webshag gathers
commonly useful functionalities for auditing web servers such as port scanning, URL
scanning and file fuzzing. It can be used to scan a web server over HTTP or HTTPS,
through a proxy and using HTTP authentication (basic or digest) [JM13],
[SI14].

4.3.3.4. Websploit: It is an open-source project that has four major functions:

- Launch Social Engineering attacks,
- Scan, crawl, and analyze web sites,
- Automatic exploiter,
- Assist in conducting network attacks.

The above were a few of the tools that are used in Vulnerability Assessment. In the next module, we
will talk about Penetration Testing and the tools used during this phase.

5. PENETRATION TESTING:
Penetration Testing assesses the effectiveness of applied security controls in an infrastructure.
It does not improve security, as is evident from the steps followed, here below. Pen-Testing
evaluates security and does not improve it [JM13], [SD06]. It is recommended that IT
Director(s) do Pen-Testing when they believe that they have strong security; otherwise it
will be a waste of time and money. Vulnerability Assessment is conducted to improve security
by closing discovered vulnerabilities, and should be conducted before Penetration Testing.
Penetration Testing has three steps: Pre-Attack, Attack, and Post-Attack [ER11]. Others
make it two steps: Exploitation and Post-Exploitation [MA13]. The Pre-Attack/Pre-Exploitation
step is passive most of the time; the second and third are active attacks. However, for our
proposed model, Pen-testing includes the Exploitation step only. Pre- and Post-Exploitation, in our
model, will not be discussed as part of Penetration Testing. Post-Exploitation will be replaced
by the Rectification Phase.

5.1. PRE-EXPLOITATION/PRE-ATTACK:
In this step, information is gathered about the target under consideration. Pre-Exploitation
could be part of the Pen-Testing Phase or the Vulnerability Assessment Phase.
If a vulnerability assessment was conducted, then this pre-exploitation step is completed
in the vulnerability assessment. If no vulnerability assessment was made, or it was done
but the pen-test will be conducted by a different party (outsourced), then pre-exploitation
(data gathering and target evaluation) needs to be part of the Pen-Testing
phase.

5.2. EXPLOITATION/ATTACK:
Exploitation is probably one of the most fascinating parts of a penetration test for the Pen-Tester.
The Pen-Tester should be very careful in selecting a vulnerability to exploit. He/she cannot
be sure that exploitation will succeed, but it should be highly probable. Firing a
bunch of exploits blindly and hoping one of them will succeed is not efficient and might
trigger specific events on the targeted system.
This step is composed of three main activities: (1) Exploiting a Vulnerability, (2) Escalating
Privileges, and (3) Maintaining Access. Exploiting a Vulnerability is a successful step for
all attackers, but it is not an end in itself. After exploitation of vulnerabilities in a targeted
system(s), attackers try to (1) Escalate Privilege and (2) Maintain Access on these
systems using various techniques. Attackers do not want to run the same exploit every
time they intend to access the system. It would be time consuming, and there is a possibility
that this vulnerability will be closed after some time by the system owner. For this reason,
they try to escalate privilege and maintain access to the attacked system using different
techniques [JB14].

5.3. POST-EXPLOITATION/POST-ATTACK:
The post-exploitation phase begins after one or more systems have been
compromised, but is not even close to being fully done yet [MA13].
Post-exploitation is a critical part of any penetration test. A successful exploitation
might only give limited access to resources on the targeted machine and will not be
considered a successful step. Post-Exploitation is about maintaining a foothold,
creating a backdoor, and covering traces.
[JB14] mentions several methods of Post-Exploitation, some of which are: Malware,
Trojan Horses, Viruses, Worms, Keyloggers, Botnets, Backdoors, Colocation and Remote
Communications Services, and Command and Control systems. Post-Exploitation will not
be discussed for our model, since it was replaced by the Rectification Phase.

5.4. AREAS OF PENETRATION TESTING (EXPLOITATION):

Penetration Testing could be executed in a single area, or in several areas, of the IT
infrastructure under consideration. [ER11] listed the following areas of applicability for
Pen Testing: External network (Internet facing), Internal (DMZ, and behind the
DMZ), Routers and Switches, Firewall, IDS, IPS, Wireless Network, Denial of Service (DoS),
Password Cracking, Social Engineering, Stolen Laptop, PDA, Cell phone, Application,
Physical security, Database, VoIP, VPN, War dialing, Virus and Trojan detection, Log
Management, File Integrity checking, Bluetooth, Hand-held devices, Communication
system, Email Security, Security patches, and Data leakage.
Definitely, we can include more areas, but that depends on the infrastructure and systems
owned by the organization. The purpose of the test will determine which one of the above
areas will be the starting point for determining the scope of the Pen-test.

5.5. PENETRATION TESTING FUNDAMENTALS:

- Time: very limited time, and it will be less than that of a vulnerability assessment.

- Devices: Limited to specific users/accounts on specific devices, which were defined in
  the Penetration Testing Phase. Specifying user(s)/account(s) will narrow the data
  that will be affected by gaining access.

- Testing methods: is it going to be through social engineering, technical tools (e.g.
  cracking passwords), or physical exploitation?

- Tools: Multi-functional tools that were used in a vulnerability assessment might be
  used in this phase as long as they have the functionality to carry out the pen-test. The
  tools need to be defined based on the testing methods (password crackers, Social
  Engineering Toolkit, John the Ripper, Cain and Abel, etc.).

- Notified parties: At least one person in the chain of command of incident handling.
  The system owner is to be notified also. This mainly depends on what systems are tested and
  the type of exploit being conducted. If the test is conducted on the DMZ servers, the ISP
  representative needs to be notified. Sometimes, approvals need to be obtained from
  government bodies to conduct penetration testing, especially if you are doing it on the
  DMZ zone or wireless network.

- Initial level of access: On wireless networks, no access is granted. In wired networks,
  at least physical access is granted.

- Definition of the target space by defining the business functions that will be targeted in the
  penetration testing. This will be based on the Vulnerability Assessment report.

- Definition of how far the Penetration Test should go. Shall data be removed, services
  be stopped, is it allowed to use this target as a source to attack other devices and
  discover more vulnerabilities or not? Do you want to add a user to the exploited
  system or tunnel a reverse shell back to your testing machine? Etc. Also we need to
  define how far the Gaining Access test should go. For example, if an Administrator
  account of an operating system was compromised, then what data shall be targeted,
  and what services are to be stopped, if any? This depends on the details of what is being
  targeted. If the target is an SQL database, then after gaining access to the OS, the
  steps need to be defined on how to gain access to data in the SQL DB or other
  application. All this needs to be defined very well, otherwise the scope will get bigger
  without any control.

- Deliver a report. The contents of this report should make clear whether remediation
  of the problems discovered is included or not. If an exploitation succeeded, what are
  the steps to return to the previous state, then move the system to the secure state?

5.6. PENETRATION TESTING STEPS:

These steps constitute the Pen-Test if it is conducted separately. If it is conducted as part of
our proposed model, then only the third step, Exploitation, is required.

5.6.1. RECONNAISSANCE/INFORMATION GATHERING:

This step of Pen-Testing is different from the Anti-Reconnaissance/Reconnaissance phase
mentioned in module 4. The information gathering in this step is narrowed to the scope
defined for the Pen-Testing. The Anti-Reconnaissance/Reconnaissance phase covers a larger
scope. Part of the output from Anti-Reconnaissance/Reconnaissance could be used in the
Pen-Testing to minimize the time needed to complete this step.

5.6.2. TARGET EVALUATION:

Evaluating the target for vulnerabilities or weaknesses. The Pen-tester may use the output
from the Vulnerability Assessment phase as an input for his/her testing.

5.6.3. EXPLOITATION:
This step is an active step and might result in undesired consequences if executed
incorrectly. Usually, the Pen-Tester starts with a high-risk vulnerability, then goes down as the
risk decreases. Exploiting a vulnerability will initially give limited access to a system(s). To
accomplish the goal of the Pen-Test, the next steps are to Escalate Privilege and then Maintain
Access. The following are sample parameters to be defined before the exploitation is
carried out, as indicated by an example in [KI01]:

- Vulnerability Type: Loose Access Control
- Target: MS Exchange 2000
- Target Type: Enterprise Email system
- Versions affected: 2000
- Operating System: Windows Server 2000
- Description: by taking advantage of the specified flaw, the whole email system will be
  compromised
- Protocol: TCP, port 80

5.6.4. PRIVILEGE ESCALATION:

This step follows the Exploitation step and includes actions such as cracking passwords
and user accounts.
Privilege Escalation can include identifying and cracking passwords, user accounts, and
unauthorized IT space. An example is achieving limited user access, identifying a shadow
file containing administration login credentials, obtaining an administrator password
through password cracking, and accessing internal application systems with administrator
access rights [JM13].

5.6.5. MAINTAINING ACCESS:

This step is needed so that an attacker does not have to repeat all the steps again and
again. From an IT Director(s) perspective, there is no need to maintain a foothold on the
attacked system. The one reason for an IT Director to permit this is to prove the
success of the next phase (Rectification) and the ability of a Security Analyst to
discover the presence of traces of exploitation. However, this will mandate that the Pen-tester
is a different person than the one who will work on discovering backdoors and rootkits.

5.7. PENETRATION TESTING OBJECTIVES:

The main objectives of this phase are:

- Test the effectiveness of the security controls placed to protect the business
  infrastructure,
- Provide management with assurance on security measures and controls,
- Satisfy audit requirements by conducting a Pen-Test,
- Link up the results of the Vulnerability Assessment phase and use the most critical
  ones to identify high-potential threats,
- Exploit vulnerabilities and achieve more focused results in a pre-defined time frame,
- Gain access to targets (servers, desktops, applications, etc.) by obtaining a foothold,
- Allow the Pen-Tester to run commands on the command shell of the remote targeted
  system to explore further what's inside. This is the most obvious outcome of a Pen-Test.
- Document your findings and propose a roll-back scenario to the previous state and a
  solution to close the vulnerability, transferring the system to a secure state.

In [JM13] it is stated that the central objective of a penetration test is to exploit the
inherent security weaknesses in the defined scope regardless of which area of an
infrastructure this weakness belongs to.

5.8. PENETRATION TOOLS
In this part, we will discuss the tools used in Penetration Testing for three major areas of
any IT infrastructure. These areas are Wireless Network, Wired Network, and Web
Applications.

5.8.1. WIRELESS TOOLS

In this section, many wireless tools are used. All these tools are free and constitute part
of Backtrack and other distributions.

5.8.1.1. Wicd Network Manager discovers the SSID, encryption type, Access Point MAC
address, and channel number used for transmission. Using this tool will allow
us to check for the existence of any rogue Access Points or clients. This is achieved
by comparing a list of legitimate Access Points given by the Network
Administrator to the Pen-Tester with the list discovered by the tool. In a similar
way, we can apply this to illegitimate clients. In addition, we can check the
type of encryption configured on Access Points and advise if there are any
Access Points that are using open authentication or weak encryption.

5.8.1.2. Ssidsniff tool: allows identification, classification and data capturing of
wireless networks. This tool also lists the machines that are connected to the
Access Point [BT11].

5.8.1.3. Aircrack-ng: this tool was discussed in the Vulnerability Assessment module. This
tool has multiple functions that can be used in Vulnerability Assessment as well
as Penetration Testing.

5.8.1.4. CoWPAtty: is a tool that cracks WPA-PSK passphrases offline using a dictionary
file. The tool is easy to use and does not require capturing anything except Extensible
Authentication Protocol over Local Area Network (EAPOL) handshake
packets. CoWPAtty and Aircrack-ng both use the dictionary method when
cracking WPA/WPA2 pre-shared keys [KL13].

5.8.1.5. Kismet: is a wireless network detector, sniffer, and intrusion detection
system. The differentiator of Kismet is its ability to discover hidden Access
Points as long as there is at least one client connected to the Access Point.
Kismet provides a wealth of information about discovered APs such as BSSID,
channel used, signal strength, encryption scheme used, IP range, supported
rates, and wireless clients connected to the Access Point. It works for the 802.11
layer 2 protocol. As a WIDS, it can work with SNORT. Also, it can use multiple
interfaces to collect information from several devices that are using different
channels. Kismet will determine what kind of authentication is employed by
the Access Point. Then, the captured data can be processed by Aircrack-ng or
similar applications to crack the key. It works on *BSD, Linux, Windows, and
OS X. Kismet has three components: Server, Drones, and Clients. The Server
component is the central location that connects to drones and clients. It can
capture wireless traffic also. Drones capture wireless traffic and report it to
the Server. Clients are the GUI components that connect to the server. Kismet
has built-in features to detect many of the well-known attacks (Deauthentication
flood, Disassociation attacks, etc.) similar to those launched
by Netstumbler and other tools. Also, Kismet has a GPSMap program that
locates Access Point locations on a map using a GPS device [BT11], [KL13].

5.8.1.6. Wireshark: an open-source, multi-purpose network packet analyzer that captures packets from the network and presents them, after decoding, in a readable format. It was previously named Ethereal. It is used in network architecture and troubleshooting as well as in systems and security administration. It can filter packets both while capturing and while displaying; it analyzes live traffic and immediately reports on the protocols used, media flows, communication channels and much else, and it can analyze collected data to give insight into what is happening on the network. Wireshark helps security staff to analyze data and look for things the IDS/IPS did not flag, such as malicious behaviour. Wireshark is a passive tool: it does not inject or alter packets (other tools, such as Ettercap, are used for that). It interprets captured traffic by applying capture or display filters and by gathering the stream of packets belonging to one connection (Follow TCP Stream). The capture filter syntax of Wireshark is the same as that of TCPdump (BPF syntax), whereas display filters use Wireshark's own richer syntax. Wireshark dissects more than 750 protocols and runs on over 20 OS platforms. It can reassemble the packets of an established TCP connection and display them in ASCII and other readable formats. Its graphical interface makes data analysis much easier than with TCPdump/WinDump; Tshark is the command line version of Wireshark. [AO07] rates it the best open-source network analyzer available.

5.8.2. WEB APPLICATION TOOLS

5.8.2.1. OWASP ZAP: a security testing tool that can be used as an intercepting proxy between a client web browser and a web application, inspecting and modifying HTTP and HTTPS traffic. It can be used as a Vulnerability Assessment tool (spidering the site and scanning it) and as a Penetration Testing tool. It can authenticate to a website before testing and export results to HTML, XML, and other formats. ZAP can run both active scanners, which send test requests to the target, and passive scanners, which only examine the traffic proxied through it, against the targeted web site.

5.8.2.2. SET (Social-Engineer Toolkit): used to obtain information from, or access through, people in order to launch an attack. It is an open-source framework that includes a set of exploitation and testing tools that trick a user into running a script on his/her machine, leading to malicious activity such as granting access to a hacker or Pen-Tester. SET drives other tools such as HTTrack, Metasploit, Meterpreter, Wireshark, Airodump-ng, Ettercap, Sendmail and many others; Metasploit is required for SET to function properly. SET offers ten attack vectors, plus an option to load third-party vectors. Each vector contains multiple attacks and each attack has several payloads from which the Pen-Tester selects to launch the attack. SET has an easy, menu-driven CLI and a web GUI that runs in a browser. It is a very powerful toolset that works on multiple platforms. SET is written in Python, and its web interface is accessed through a standard browser.
5.8.2.3. w3af (Web Application Attack and Audit Framework): an open-source web application security scanner and exploitation tool [JM13]. It provides an easy-to-use graphical interface and scan profiles (including an OWASP_TOP10 profile) that search quickly for the top 10 classes of web flaws, including but not limited to SQL injection, XSS, file inclusion, and cross-site request forgery. It works on Windows, Linux, and Mac OS [JM13].

5.8.3. NETWORK/HOST TOOLS

5.8.3.1. Nmap/Zenmap: Zenmap is the graphical front end of Nmap and offers most Nmap features with a graphical representation. Nmap detects open ports and the applications and versions running on them, and fingerprints the operating system. Zenmap ships with scan profiles (Intense scan, Ping scan, Quick scan, Regular scan, etc.), and an ethical hacker can create and save custom profiles for later use. Scan results can be exported to text, XML and other formats (the XML output is what other tools, including Metasploit, import), and Zenmap can export its topology graphics to other applications, which is very useful for report preparation.

5.8.3.2. Metasploit: used as a legitimate Penetration Testing tool, and as a hacking tool used by attackers to conduct unauthorized exploitation of systems [JM13]. It covers every phase used by penetration testers and hackers, from information gathering to covering tracks. The Metasploit Framework is one of the most popular exploit frameworks; it contains tools for developing, testing, and using exploit code to launch attacks, and is one of the most useful free and open-source tools for Penetration Testers. It has the largest database of tested exploits, written in Ruby, a standardized syntax for writing exploits, and dynamic shellcode capabilities such as bind shell, reverse shell, download-and-execute, and many others. It has built-in port scanning capabilities and integrates with third-party tools to enhance the port scanning process. Metasploit's architecture is based on Modules, Libraries, Interfaces, Tools and Plugins. It can be connected to a PostgreSQL database (MySQL was also supported in older versions) to store results. The Metasploit console (msfconsole) is used to manage the database, to configure and launch modules, and to handle the sessions opened on targets. Nmap is integrated with Metasploit and can be launched from msfconsole (db_nmap), which imports its results into the database, and auxiliary modules (e.g. the SYN port scanner) can be run from msfconsole to perform port scans. Meterpreter, discussed below, is a payload: once an exploit succeeds it is the code that runs on the target and to which the Pen-Tester's session connects. Metasploit works on Windows and Linux. When working with Metasploit you need to understand the following terminology:

Vulnerability: a weakness in a system that allows an attacker to compromise it.

Exploit: the process by which an attacker takes advantage of a bug in a target system; concretely, a small program or set of commands that causes unintended behaviour in the system. Metasploit version 4 has more than 700 exploits.

Payload: the code (shellcode) that runs on the targeted system on the attacker's behalf to achieve the desired outcome. Metasploit version 4 has more than 250 payloads.

Module: a program that the Metasploit Framework can load; each module performs a specific task. There are more than 350 auxiliary modules (scanners, fuzzers, sniffers and the like) in the Metasploit Framework, and they provide much of the framework's power.

5.8.3.3. Meterpreter: a powerful post-exploitation tool provided by Metasploit. It is an advanced, multi-function payload that works within the Metasploit Framework. It behaves like a command interpreter but runs inside the memory of the exploited process, so it does not create a new process or write itself to disk. Two powerful and useful commands within Meterpreter are privilege escalation (getsystem) and process migration (migrate). The first attempts to raise the rights of the current session on the targeted machine; the second moves the Meterpreter session from one process into another, again without writing to disk, so that the session survives if the originally exploited process exits. A third useful functionality for Pen-Testers is the availability of persistence scripts that install a backdoor on the target and re-establish the connection after a reboot. Another feature, pivoting, allows a Pen-Tester to route attacks through a compromised machine to other machines in its network. Metasploit/Meterpreter are used from within the Social-Engineer Toolkit (SET) to gain access to target machines.

5.8.3.4. Armitage: an interactive GUI front end for Metasploit. It makes Metasploit easier to use by displaying information graphically, and it lets a Pen-Tester see more than one Metasploit or Meterpreter session in different tabs. It displays the available modules in a tree, with the ability to search for a specific module, and shows the active targets that have been exploited.

5.8.3.5. NeXpose: Rapid7's vulnerability scanner. It can be used on its own through its web GUI, or launched from the Metasploit console (msfconsole) through the nexpose plugin; when the GUI version is used, results can be imported into the Metasploit database.

5.8.3.6. Nessus: see Tools in the Vulnerability Assessment module.

5.8.3.7. Core Impact: the commercial counterpart of Metasploit. It is an automated, comprehensive commercial penetration testing tool that assesses the effectiveness of security investments by safely exploiting vulnerabilities in a given network infrastructure. It is a complex and powerful tool with features that Metasploit lacks, and a well-developed GUI with hundreds of options.

5.9. CHALLENGES OF PENETRATION TESTING:

The following are challenges for Pen-Testers:

- Hiring skilled and experienced professionals to carry out the test. Tools and software do not replace experienced security professionals.
- Choosing a suitable set of tests to conduct.
- Proper planning is a key success factor.
- Deciding what is to be tested: it is not feasible to test everything.
- External testing from the Internet side (outside the company) does not simulate internal attackers.
- On-site testing does not simulate external attackers.
- Announced testing versus unannounced testing.
- White-box testing provides Pen-Testers with company infrastructure details, network design, IP addresses for internal and external subnets, firewall and IDS/IPS details, and company security policies and procedures. For some security experts this does not simulate the attacker's method.

5.10. FINAL STEPS AFTER PENETRATION TESTING COMPLETION:

- Restore the systems to their pre-test state.
- Remove all files, tools, exploits and programs that were loaded onto the targets.
- Clean up registry entries.
- Remove vulnerabilities created during the test (e.g. accounts added or services enabled).
- Close the vulnerabilities that were exploited.
- Restore the systems to a secure state (pre-test state plus closed holes).
- Document and analyze the results.

Finally, and as a word of caution, a Pen-Tester must under no circumstances work beyond or outside the scope of work and rules of engagement agreed with the management of the company. Violating this principle makes the Pen-Tester indistinguishable from an attacker in the eyes of law enforcement agencies and gives the company grounds to sue him/her for violating the scope of work and rules of engagement.

The reason for IT Director(s) to skip the rootkit and backdoor installation phase is stated indirectly by [PE13]. The author explains that once a rootkit has been installed it can be very difficult to remove, or at least to remove completely. Sometimes rootkit removal requires booting the machine into an alternate operating system and mounting the original hard drive, or mounting the drive on another machine, so that the drive can be scanned more thoroughly: because the original operating system is not running, the scanner does not depend on API calls from the infected system and is more likely to discover and remove the rootkit. Even with all of this, often the best option is simply to wipe the system, including a full format, and start over [PE13].


6. RECTIFICATION:

The objectives of Covering Tracks/Maintaining Access, as stated in most of the black-hat and white-hat hacking literature, are as follows. [JM13] lists these goals for maintaining a foothold:

- Establish multiple access methods to the target network
- Remove evidence of authorized access
- Repair systems impacted by exploitation
- Inject false data if needed
- Hide communication methods through encryption and other means
- Document findings [JM13].

However, IT Director(s) have no need to erase traces or plant backdoors. In my opinion, the IT Director's goal does not match any of the above objectives. For this reason, the Covering Tracks/Maintaining Access phase is replaced by a Rectification phase, which meets the IT Director's requirements and the need to improve security.

6.1. RECTIFICATION PHASE

This phase is divided into three parts: (1) rectification of an unexploited vulnerability by installing patches and changing configurations; (2) rectification of an exploited vulnerability where an attacker has gained access; and (3) searching for possible traces of an attack. The first is very well known to most IT Director(s), and system and network administrators know exactly what to do about it. The second and third parts are much more demanding and require a different set of tools, and the third is the most challenging of the three. Our focus will be on this last part.

[ER11] asks the following question in one of his trainings: how do you get rid of something you do not know whether you already have? The answer is not simple and requires a lot of research and innovative thinking, but we will touch the surface of it in this module.

In this phase, IT Director(s) should employ various forensic tools to discover any planted malware, rootkit, spyware or virus, or traces left by a hacker. There are many open-source forensic tools, but only a few of them will be useful to IT Director(s) in this phase. [JM13] mentions that forensics is important after identifying that your web application or other assets have been compromised, to avoid future negative impact; this is in line with our suggestion to use forensic tools to find traces of hackers. The challenge, however, is where to look for these traces and what to collect.

In our scenario we do not have a known victim machine; rather, we suspect the presence of a rootkit, backdoor, or suspicious behaviour on a system, or we want to keep our staff alert by assuming that a hacker was able to plant a backdoor. What we describe is what an IT Director needs to do, not the handling of a real incident that needs investigation, because the latter involves specialized people who are recognized by a court of law as experts in the domain. In other words, it is not an investigation of an attack; it is a search for possible traces, backdoors, or rootkits in an environment. If that search does find evidence of compromise, stop and hand over to the incident handling team: continuing to run tools on a live host alters timestamps and memory and can damage the evidence.

Using forensic tools on all hosts would be tedious, especially in enterprise organizations that may have thousands of hosts, and doing it at random would not be efficient either. So how do we decide on which hosts to run these tools? These tools shall be used on suspected machines, determined from the findings of two phases of our proposed model: the Anti-Reconnaissance and the Vulnerability Assessment phases. For example, one of the solutions implemented in the Anti-Reconnaissance phase may have recorded that a host was port-scanned from a suspect machine; or a security analyst scanning a host may have found an unknown open port. Both hosts are valid cases for investigation with the tools described in this module: they are treated as suspected machines that might harbour rootkits, backdoors, traces of a hacker, etc.

6.2. RECTIFICATION FUNDAMENTALS:

The following fundamentals will be followed in this phase:

- Duration: not time-limited; it is a continuous process that takes its input from the Anti-Reconnaissance and Vulnerability Assessment tools.
- Devices: limited to the devices flagged by the Anti-Reconnaissance and Vulnerability Assessment tools.
- Methods: rectification shall not violate any internal policy.
- Notified parties: system owners, the incident handling team, and the system, application and network administrators.
- Level of access: equivalent to root/Administrator. Like a forensic investigator, the analyst needs full access in order to examine the findings.
- Deliverable: a final report for this phase and all other phases, concluding with recommendations, plus feedback to the users of the Anti-Reconnaissance tools about any configuration changes needed to eliminate false positives.

6.3. OBJECTIVES/GOALS OF RECTIFICATION:

Goals and objectives from the IT Director's angle are as follows:

- Minimize data loss if intruder traces are detected
- Capture information and traces about intruders, if any
- Evaluate the risk of any infected systems and/or data leaked or compromised, and invoke the incident handling procedure
- Prevent any possibility of privilege escalation
- Remove backdoors or rootkits, if any
- Repair infected systems, if any
- Document findings

6.4. TYPES OF ANALYSIS TO BE CONDUCTED

There are several areas to examine in order to discover traces of malicious activity. Below are the most important areas for a security analyst to analyze, followed by the tools that can be used in these areas:

- File analysis
- Executable file and service analysis
- Resident data analysis
- Rootkit detection
- Log file manipulation
- Registry analysis

There are other areas to analyze (e.g. memory), but those are handled by forensic investigators and require very specialized skills, so they are not covered in this project.

6.5. RECTIFICATION TOOLS:

6.5.1. TCPDUMP/WINDUMP
TCPdump and its Windows counterpart WinDump are free, simple command line tools. They are passive packet capture tools: they neither alter traffic on the network nor interpret what they capture beyond basic protocol decoding. TCPdump/WinDump serve as a starting point for non-experts before moving to the more advanced Wireshark; TCPdump offers a subset of Wireshark's functionality (the same BPF capture filter syntax, but no full protocol dissection or stream reassembly). TCPdump is available in BackTrack and Kali Linux as well as other *nix systems, and WinDump on Windows.

6.5.2. WIRESHARK
Please refer to Penetration Testing Module for complete description of the tool.

6.5.3. CHKROOTKIT
[JM13] describes this tool as an anti-virus or anti-malware scanner for Linux systems. chkrootkit scans the file system and checks whether a rootkit has been installed, or whether there are signs that indicate the presence of one; it also checks for known malware and Trojans on a suspected host. It is a command line tool. You cannot rely 100% on chkrootkit to discover rootkits, since it looks for signatures of known, unmodified public rootkits and for anomalies such as processes the kernel acknowledges but that are missing from /proc or ps, but it usually points to possible problems. Combining it with a hash-based scanner such as md5deep is a better solution; together they could be classified as host-based intrusion detection, since they scan a host for signs of un-customized public rootkits based on signatures and process listings. chkrootkit can also be run on the Pen-Tester's own Kali Linux or BackTrack installation to check it for known rootkits. It is available in Kali Linux and other distributions. Because a rootkit running as root can tamper with the chkrootkit binary and with the system utilities it calls, run it from read-only media or after booting from a clean system where possible.
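The hidden-process anomaly check mentioned above, as an added example (this is not code from the original report or from chkrootkit; it follows the approach of chkrootkit's chkproc). It collects three views of the process table on a Linux host: PIDs listed in /proc, PIDs that the kernel acknowledges through kill(pid, 0), and PIDs reported by ps. A process that is alive according to the kernel but absent from a listing is what a user-land or /proc-filtering rootkit produces. Collection is separated from comparison so the comparison can be exercised on constructed sets; the live collection assumes a Linux host with procps installed and takes a few seconds for the default pid_max.

```python
"""Hidden-process check in the style of chkrootkit's chkproc (added example).

Three views of the process table are compared; anything alive per the
kernel but missing from /proc or ps is reported. Assumes Linux + procps.
"""
import os
import subprocess


def pids_from_proc():
    """PIDs and thread IDs visible under /proc (threads answer kill() too,
    so they must be included or every multi-threaded process looks hidden)."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited between the two reads
    return ids


def pids_from_kill(max_pid=None):
    """IDs the kernel reports as existing via kill(id, 0), independent of /proc."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing is delivered
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)           # exists but belongs to another user
    return alive


def pids_from_ps():
    """PIDs and LWP (thread) IDs according to the ps binary, a classic target for trojaning."""
    out = subprocess.run(["ps", "-eLo", "pid=,lwp="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def find_hidden(proc_view, kill_view, ps_view):
    """Compare the views; alive per kernel but absent from a listing is suspect."""
    return {
        "alive_not_in_proc": sorted(kill_view - proc_view),
        "alive_not_in_ps": sorted(kill_view - ps_view),
        "in_proc_not_in_ps": sorted(proc_view - ps_view),
    }


def stable_suspects(runs):
    """Intersect the suspect sets of repeated runs to drop processes that merely
    started or exited between snapshots (the main source of false positives)."""
    return set.intersection(*(set(r) for r in runs)) if runs else set()


if __name__ == "__main__":
    runs = []
    for _ in range(3):
        kill_view = pids_from_kill()          # slowest view first
        report = find_hidden(pids_from_proc(), kill_view, pids_from_ps())
        runs.append(report["alive_not_in_proc"] + report["alive_not_in_ps"])
    print("stable suspects:", sorted(stable_suspects(runs)))
```

A kernel-mode rootkit that hooks the kill system call as well as the /proc directory listing defeats this check entirely, which is why the result of a clean run is not proof of absence and why the page's advice to examine the disk from a separately booted clean system still applies.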

6.5.4. MD5DEEP
md5deep is a tool that computes hashes (message digests) for one or more files, recursing into directories. It helps security analysts to identify changes to system files and executables by comparing current hashes with a baseline or with a known-good hash set (md5deep's matching modes flag files whose hash does, or does not, appear in a list you supply). It is a command line tool without a GUI, but it is simple to use. The same suite includes sha1deep, sha256deep and hashdeep; prefer the SHA-2 variants, because MD5 collisions are practical and an attacker can craft a replacement file with the same MD5 as the original. Package managers can also verify installed binaries against their own records (rpm -V, dpkg --verify), which complements a stand-alone hash baseline. SHA/MD5 is a similar tool with an easy-to-use GUI.
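The baseline-and-compare workflow described above, as an added example (this is not code from the original report or from md5deep): it walks a directory tree, records SHA-256 and MD5 per file, and diffs a later run against the saved baseline to report modified, added and removed files. The sample tree and the "rootkit" changes made to it are constructed in a temporary directory; on a real host the baseline is taken once from a known-clean build and stored off-host, because a rootkit with root can edit a baseline kept on the same disk. The hash comparison is the same idea TSK/Autopsy apply against known-good hash sets in section 6.5.6.

```python
"""File-integrity baseline and comparison in the style of md5deep/hashdeep (added example).

The sample tree below is constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("sha256", "md5"), chunk=1 << 16):
    """Hash one file with several algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def baseline(root):
    """Map each regular file (relative POSIX path) under root to its hashes."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    return {p.relative_to(root).as_posix(): hash_file(p) for p in files}


def compare(old, new, algorithm="sha256"):
    """Diff two baselines; comparison uses SHA-256 so an MD5 collision cannot hide a change."""
    common = old.keys() & new.keys()
    return {
        "modified": sorted(k for k in common if old[k][algorithm] != new[k][algorithm]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo():
    """Take a baseline of a constructed tree, simulate a user-land rootkit, re-hash and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        saved = json.dumps(baseline(root))   # in practice: written to off-host storage

        # What a typical user-land rootkit does: trojan ps, drop a backdoor, delete a file.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "bin" / "bd").write_bytes(b"backdoor")
        (root / "etc" / "passwd").unlink()

        return compare(json.loads(saved), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline with the same exclusions you will use later (logs, spool and cache directories change constantly), and treat a modified file under /bin, /sbin or /lib that does not coincide with a package update as a finding for the incident handling team rather than something to repair in place.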

6.5.5. ROOTKIT REVEALER
RootkitRevealer (Sysinternals) is a free tool that detects hidden registry keys, hidden files and rootkits by comparing the view of the file system and registry obtained through the Windows API with the raw on-disk structures; any discrepancy indicates that something is hiding. F-Secure BlackLight is another free tool, though not as effective as RootkitRevealer. Both run on Windows. Tools like RootkitRevealer, Vice, and F-Secure BlackLight are some great free options for revealing the presence of hidden files and rootkits [PE13].

6.5.6. TSK (THE SLEUTH KIT)
TSK is an open-source set of command line tools that examines disks, partitions, raw file system images, files and their metadata, and analyzes these findings. Autopsy is the graphical front end to The Sleuth Kit. The analysis shows the modified, accessed and changed (MAC) timestamps of files, which makes building a timeline easier, and hash values can be compared against known-good sets to check whether any system file or application code has been changed. Autopsy is open-source and runs on Windows, Linux, UNIX, and Mac operating systems. It can analyze NTFS, FAT, HFS+, Ext3, UFS, and many other volume types.
The Autopsy browser is part of The Sleuth Kit (http://www.sleuthkit.org/autopsy/download.php) and is used to analyze hard disk images. It allows you to open several image types at the same time and shows different views of the data in its web browser interface. With this tool you can recover deleted files and directories for further investigation; recovering deleted files/directories may reveal the actions of an attacker who deleted log files or other files used in the attack in order to cover their traces. It can also extract history, cookies, and bookmarks from several browsers (Firefox, Chrome, Safari, and Internet Explorer). It runs the commands and shows the results in a web browser.
Autopsy can be used alongside other forensic tools. The Autopsy browser makes TSK easier to use, but it is rated as limited when compared to commercial tools like EnCase and FTK. Whatever tool is used, work on a forensic image of the disk (taken with a write blocker or with dd), never on the live disk, so that the original is preserved and the examination does not alter the timestamps it relies on.

6.5.7. FATBACK
Fatback is a *nix tool for recovering deleted files from FAT file systems. It works on single partitions or whole disks and can search for data on a target based on its content. Its strength in this phase is recovering malicious programs or deleted logs that were present on the target and were deleted to cover the attacker's traces.

6.5.8. NIKTO
Nikto is a web server vulnerability scanner. After running a port scan and discovering a service on port 80 or 443, one of the first tools that should be used to evaluate the service is Nikto. Nikto automates scanning web servers for out-of-date and unpatched software and searches for dangerous files and scripts that may be present on the server. It is capable of identifying a wide range of specific issues and checks the server for misconfiguration [PE13].
Nikto has many advantages: it is very fast, and it bases its scans on plug-ins and a check database that can be updated with a simple command (nikto -update). It accepts Nmap output as input for its scan, and multiple targets can be listed in a file to be scanned in one run. It supports proxies and SSL (HTTPS). It is very simple to use and free.
Nikto also has limitations. It does not support Digest or NTLM authentication natively, although NTLM can be handled through an authenticating proxy placed in front of it. Because it sends thousands of requests quickly and makes no attempt at stealth, it will be detected by IDSs and may crash a server that cannot handle the load, so agree the timing with the system owner before running it. It is available on Linux and Windows.


7. CONCLUSION:

The main goal of the project was initially to discuss which of the security tools used by hackers and security consultants an IT Director can use. During the development of the project, however, I found that developing a model for IT Director(s) to follow in securing their environments, and describing the most used free tools within it, would be more useful than summarizing text about tools and their features.
The model developed above is not a completely new one, but rather a customization of the methodology used by hackers and security analysts. I took the IT Director's requirement to secure the infrastructure he/she manages and customized the hackers' methodology to achieve it.
There are many studies, books and articles describing how hackers of all colours conduct their work. Very little of the literature, however, considers this from an IT Director's perspective.
For example, reconnaissance, privilege escalation and creation of backdoors are very well known topics in this field, but anti-reconnaissance, discovery of attackers' traces, and rectification are rarely discussed. The traditional approach for IT Director(s) is defensive, while the proposed model is offensive.
I discussed each phase of the proposed model on its own and proposed several security tools or methodologies for each phase. In each phase I limited my work to three major areas that are present in almost every environment: wireless networks, wired networks, and web applications. There are still many areas that could be addressed, such as databases, VoIP, PCI DSS, RFID, SCADA, and many others.
Moreover, this handbook does not intend that only the listed tools be used and all others forgotten; it would be foolish to do so. Every environment has its own unique parameters, and the IT Director(s) will need to use this as a guide and not as a step-by-step process.
The above is a summary of what can be done, and a reminder to IT Director(s) not to be traditional in protecting his/her IT environment.


BIBLIOGRAPHY
[AO07] Angela Orebaugh, Gilbert Ramirez, Josh Burke, Greg Morris, Larry Pesce, Joshua Wright,
Wireshark & Ethereal Network Protocol Analyzer Toolkit, Syngress MA, USA, 2007
[BJ13] Benjamin Jackson, Home Field Advantage: Employing Active Detection Techniques, SANS
Institute, SANS Penetration Testing, 2013
[BT11] BackTrack R5 http://www.backtrack-linux.org/wiki/index.php/Main_Page
[CA12] Cory Altheide and Harlan Carvey, Digital Forensics with Open Source Tools, first edition,
Syngress, Waltham, MA, USA, 2012.
[CI12] Computer Emergency Response Team-India (Cert-in), EMPANELLED OF INFORMATION
SECURITY AUDITING ORGANISATIONS, 2012, www.cert-in.org.in/PDF/emprognew.pdf
[CY04] Chunmei Yin, Mingchu LI, Jianbo MA, Jizhou Sun, Department of Computer Science and
Technology, Tianjin University, Electrical and Computer Engineering, 2004. Canadian Conference
(Volume:2), Canada, 2004, pp. 1107-1110 Vol.2
[DF93] Dan Farmer and Wietse Venema, Improving the Security of Your Site by Breaking Into It, Sun Microsystems / Eindhoven University of Technology, 1993 (http://www.dcs.ed.ac.uk/home/rah/Resources/Security/admin_guide_to_cracking.pdf)
[DS13] Nova, Network Obfuscation and Virtualized Anti-Reconnaissance System, DataSoft,
http://www.datasoft.com, Tempe, AZ, USA, 2013
[EN07] Enkhbold Nyamsuren, Ho-Jin Choi, Preventing Social Engineering in Ubiquitous Environment,
Future Generation Communication and Networking (FGCN 2007, Volume 2, 2007, Pages: 573-577
[ER11] Eric Reed, EC-Council Certified Ethical Hacker v.7 Study Guide, Career Academy,
http://www.careeracademy.com/, 2011
[ES07] Eric Seagren, Secure Your Network for Free: Using Nmap, Wireshark, Snort, Nessus, and MRTG,
Syngress Publishing, Rockland, MA, USA, 2007
[FP13] Fedora Project, 2013, https://fedorahosted.org/security-spin/wiki/availableApps
[JG08] Jayant Gadge, Anish Anand Patil, Port Scan Detection, Networks, ICON 2008, 16th IEEE
International Conference, New Delhi, 2008, pp. 1-6
[JA14] Jason Andress, Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security
Practitioners, 2nd edition, Syngress, Waltham, MA, USA, 2014
[JB14] James Broad, Andrew Binder, Hacking with Kali Practical Penetration Testing Technique,
Syngress, 225 Wyman Street, Waltham, MA 02451, USA, 2014
[JD12] JP Dunning, Katana: Portable Multi-Boot Security Suite, 2012, http://www.hackfromacave.com/katana.html#katana_description

[JJ13] Josh Johnson, Implementing Active Defense Systems on Private Networks, The SANS Institute:
InfoSec Reading Room, 2013
[JM13] Joseph Muniz, Aamir Lakhani, Web Penetration Testing with Kali Linux, Packt Publishing,
Birmingham, Mumbai, India, 2013
[JP13] Josh Pauli, The basics of Web Hacking, Syngress, Waltham, MA, USA, 2013
[JS11] J. Michael Stewart, Network Security, Firewalls, and VPNs, Jones & Bartlett Learning, London,
UK, 2011


[JW07] Jack Wiles, Anthony Reyes, The Best Damn Cybercrime and Digital Forensics Book, Syngress,
Burlington, MA, USA, 2007
[KG07] Kimberly Graves, CEH Official Certified Ethical Hacker Review Guide, Wiley Publishing, Indiana,
USA, 2007
[KL13] Kali Linux, http://docs.kali.org/
[MA09] Mati Aharoni, Thomas d'Otreppe de Bouvette, BackTrack WiFu: An Introduction to Practical
Wireless Attacks v.2.0 based on Aircrack-ng, Offensive Security Training Guide, Offensive Security LLC,
2009
[MA10] Mansour A. Alharbi, Writing a Penetration Testing Report, The SANS Institute, InfoSec Reading
Room, 2010
[MA13] Monika Agarwal, Abhinav Singh, Metasploit Penetration Testing Cookbook, Second Edition,
Packt Publishing, Birmingham, Mumbai, 2013
[MC08] Mark Carey, Paul Criscuolo, and Mike Petruzzi, Nessus Network Auditing, Second Edition,
Syngress Publishing, Burlington, MA, USA, 2008
[MD11] Mehiar Dabbagh, Ali J. Ghandour, Kassem Fawaz, Wissam El Hajj, Hazem Hajj, Slow Port
Scanning Detection, Department of Electrical and Computer Engineering, American University of
Beirut, Information Assurance and Security (IAS), 2011 7th International Conference, Melaka, 2011,
pp. 228-233
[MM06] Martin Mink, Felix C. Freiling, Is attack better than defense?: teaching information security the
right way, Proceedings of InfoSecCD '06, the 3rd annual conference on information security curriculum
development, 2006, pp. 44-48.
[ML13] Matriux LENNDROS, http://www.matriux.com/index.php?page=arsenal
[NS03] Nichols, S. (2003). Big Brother is Watching: An Update on Web Bugs. SANS Institute. Reading
room, https://www.sans.org/reading_room/whitepapers/threats/big-brotherwatching-update-webbugs_445
[OS98] The Open Source Definition | Open Source Initiative, http://opensource.org/docs/osd
[PE13] Patrick Engebretson, The Basics of Hacking and Penetration Testing, 2nd Edition, Syngress,
Waltham, MA, USA, 2013
[RE07] Rabinovitch, E., Staying Protected from Social Engineering, IEEE Communications Magazine,
Volume 45, Issue 9, 2008, pp. 20-21
[SD06] Steven Drew, Vulnerability Assessment Versus Penetration Tests, Dell SecureWorks, June 2006,
http://www.secureworks.com/resources/newsletter/2006-03/
[SF13] Snort, Source Fire, License, http://www.snort.org/snort/license, 2014.
[SI07] The SANS Institute, Assessing and Securing Wireless Networks: Wireless Architecture and RF
Fundamentals, SANS GWAN 617 study guide, 2007
[SI14] webshag - Software Informer, http://webshag.software.informer.com/ 2014.
[SO11] Sean-Philip Oriyano, Michael Gregg, Hacker Techniques, Tools and Incident Handling, Jones &
Bartlett Learning, London, UK, 2011
[SW13], Steve Winterfeld, Jason Andress, The Basics of Cyber Warfare Understanding the
Fundamentals of Cyber Warfare in Theory and Practice, Syngress, Waltham, MA USA, 2013
[TC08] Team Cymru, Who is Looking for your SCADA Infrastructure?, briefing paper, Team Cymru Community Services, 2008, http://www.teamcymru.com/ReadingRoom/Whitepapers/2009/scada.pdf
[TB07] Tanya Baccam, The SANS Institute, Auditing Networks, Perimeters and Systems (SANS 507)
Study Guide Book1, 2007.
[WP12] Willie Pritchett, David De Smet, BackTrack 5 Cookbook, Packt Publishing, Birmingham, UK,
2012
[WP13] Willie L. Pritchett, David De Smet, Kali Linux Cookbook, Packt Publishing, Birmingham, UK, 2013

ADDITIONAL RESOURCES
[AS12] Abhinav Singh, Metasploit Penetration Testing Cookbook, Packt Publishing, Birmingham, UK, 2012
[BH08] Brad Haines, Frank Thornton, Michael Schearer, Kismet Hacking, Syngress Publishing,
Burlington, MA, USA, 2008
[BS05] British Standards Institution, BS ISO/IEC 27002:2005 (BS 7799-1), Information technology - Security techniques - Code of practice for information security management, second edition, 2005
[CG10] Carl Gebhardt and Allan Tomlinson, Challenges for Inter Virtual Machine Communication,
Technical Report RHUL-MA-2010-12, Department of Mathematics, Royal Holloway, 2010, (available
from author)
[CP12] Christian W. Probst, M. Angela Sasse, Wolter Pieters, Trajce Dimkov, Erik Luysterborg, Michel Arnaud, Privacy Penetration Testing: How to Establish Trust in Your Cloud Provider, in: European Data Protection: In Good Health?, Springer, New York, USA, 2012, pp. 251-265
[DB10] Diane Barrett, Gregory Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments, Syngress, Waltham, MA, USA, 2010
[DK07] Dave Kleiman, Computer Hacking Forensic Investigator Study Guide (Exam 312-49), Syngress,
Burlington, MA, USA, 2007
[DK11] David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni, Metasploit: The Penetration Tester's Guide, No Starch Press, San Francisco, USA, 2011
[DM07] David Maynor, K.K. Mookhey, Metasploit Toolkit For Penetration Testing, Exploit
Development, and Vulnerability Research, Syngress, Burlington, MA, 2007
[DO12] Davi Ottenheimer, Mathew Wallace, Securing the Virtual Environment: How to Defend the
Enterprise Against Attack, John Wiley & Sons, USA, 2012
[DS12] Dave Shackleford, Virtualization Security: Protecting Virtualized Environments, John Wiley &
Sons, Inc., Indianapolis, Indiana, USA, 2013
[HC07] Harlan Carvey, Windows Forensic Analysis DVD Toolkit, Syngress, Burlington, MA, USA, 2007
[HC12] Harlan Carvey, Windows Forensic Analysis Toolkit, 3rd Edition, Syngress, Waltham, MA, USA,
2012.
[JB07] John Baschab, Jon Piot, The Executive's Guide to Information Technology, Second Edition, John Wiley & Sons, Inc., Hoboken, New Jersey, USA, 2007
[JC10] Johnny Cache, Joshua Wright, Vincent Liu, Hacking Exposed Wireless: Wireless Security Secrets
& Solutions, McGraw Hill, Toronto, 2010
[JF11] Jeremy Faircloth, Penetration Tester's Open Source Toolkit, Third Edition, Syngress, Waltham, MA, USA, 2011
[JF12] Joe Fichera, Steven Bolt, Network Intrusion Analysis: Methodologies, Tools, and Techniques for Incident Analysis and Response, Syngress, Waltham, MA, USA, 2012
[JH09] John Hoopes, Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting, Syngress Publishing, Burlington, MA, USA, 2008
[JT13] James Tarala, Implementing and Auditing the Twenty Critical Security Controls In Depth (SEC566), SANS Institute, 2013

[KC13] Kevin Cardwell, BackTrack Testing Wireless Network Security, Packt Publishing, Birmingham,
UK, 2013
[KR01] Karl Rademacher, The SANS Institute, Use Offense to inform defense. Find flaws before the bad
guys do, GIAC practical repository, SANS Penetration Testing, 2001
[KR13] Karthik Ranganath, Metasploit Starter: The art of ethical hacking made easy with Metasploit, Packt Publishing, Birmingham, UK, 2013
[MK11] Mike Kershaw, Kismet Readme 2011-01-R1
[PI09] PenTest Inc., Internet Infrastructure Network Penetration Test Final Report, The SANS Institute, example penetration test report, 2009
[PP12] Paulino Calderon Pale, Nmap 6: Network Exploration and Security Auditing, first edition, Packt Publishing, Birmingham, UK, 2012
[RH12] Raphael Hertzog, Roland Mas, Debian: The Administrator's Handbook, Freexian SARL, 2012
[RL13] Rob Lee, et al, SANS Investigative Forensic Toolkit v. 2.14, http://computerforensics.sans.org/community/downloads
[SA12] Steven Anson, Steve Bunting, Ryan Johnson, Scott Pearson, Mastering Windows Network
Forensics and Investigation, 2nd edition, Sybex, USA, 2012
[SG10] S. Ghosh, E. Turrini (eds.), A Pragmatic Experimental Definition of Computer Crimes, in: Cybercrimes: A Multidisciplinary Analysis, Springer-Verlag, Berlin, 2010
[SH10a] Stephen Helba, Marah Bellegarade, Meghan Orvis, Disaster Recovery, First Edition, EC-Council
Press, Clifton Park, NY, USA, 2010
[SH10b] Stephen Helba, Marah Bellegarade, Meghan Orvis, Virtualization Security, First Edition, EC-Council Press, Clifton Park, NY, USA, 2010
[SM07] Steve Manzuik, Andre Gold, Chris Gatford, Network Security Assessment: From Vulnerability to Patch, Syngress Publishing, Rockland, MA, USA, 2007
[TW12] Tyler Wrightson, Wireless Network Security: A Beginner's Guide, McGraw-Hill, New York, Toronto, 2012
[WM12] William Manning, GIAC Certified Forensic Analyst Certification (GCFA) Exam Preparation,
Emereo Publishing, USA, 2012
[WS12] Wale Soyinka, Linux Administration: A Beginner's Guide, Sixth Edition, McGraw-Hill, New York, Toronto, 2012

APPENDIX A
List of tool functions in the BackTrack package [BT11]:
The BackTrack distribution includes the following major tool categories:

Information Gathering
Network Analysis
DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce,
lbd, maltego, reverseraider)
Identify Live Hosts (0trace, alive6, arping, detect-new-ip6, dnmap, fping, hping2,
hping3, netdiscover, netifera, nmap, nping, pbnj, sctpscan, svwar, trace6,
traceroute, wol-e, zenmap)
IDS IPS Identification (fragroute, fragrouter, ftester, hexinject, pytbull, sniffjoke)
Network Scanners (autoscan, davtest, implementation6, implementation6d,
netifera, nmap, scapy, unicornscan, unicornscan-pgsql-setup, zenmap)
Network Traffic Analysis (Scapy, tcpdump, tshark, wireshark)
OS Finger Printing (nmap, p0f, sctpscan, xprobe2, zenmap)
OSINT Analysis (creepy, jigsaw)
Route Analysis (Dmitry, netmask, scapy, tcptraceroute)
Service Fingerprinting (amap, dmitry, httprint, httsquash, Miranda, nbtscan, ncat,
nmap, sslscan, zenmap)
SMB Analysis (samrdump, smbclient)
SMTP Analysis (maltego, nmap, smtprc, smtpscan, smtp-user-enum, swaks,
zenmap)
SNMP Analysis (admsnmp, braa, onesixtyone, snmpcheck, snmpenum)
SSL Analysis (sslcaudit, ssldump, sslh, sslsniff, sslstrip, sslyze, testssl.sh,
thcsslcheck, tlssled)
Telephony Analysis (dedected, iwar, svmap, warvox)
VOIP Analysis (ace, enumiax, iwar, sip-scan, smap, voiphoney)
VPN Analysis (fiked, ike-scan)
Web Application Analysis
CMS Identification (blindelephant, cms-explorer, dpscan, whatweb)
IDS IPS Identification (ua-tester, waffit)
Open Source Analysis (casefile, ghdb, goofile, maltego, revhosts, revhosts-cli,
urlcrazy, xssed)
Web Crawlers (apache-users, deblaze, dirb, golismero, sqlscan, webshag-cli,
webshag-gui)
Database Analysis
MSSQL Analysis (sqlbrute, sqldict, sqllhf, sqlmap, sqlninja)
MySQL Analysis (sqlmap)
Oracle Analysis (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl,
sqlbrute, sqlmap, tnscmd10g)
Others (bbqsql, dbpwaudit)
Wireless Analysis
BlueTooth Analysis (bluediving, blueranger, btscanner, hcidump)
WLAN Analysis (airodump-ng, giskismet, kismet, pcapdump, ssidsniff, xgps)

Vulnerability Assessment
Vulnerability Scanners
Nessus (nessus register, nessus start, nessus user add)
OpenVAS (openvas adduser, openvas check setup, openvas mkcert, openvas NVT sync, start Greenbone Security Assistant, start Greenbone Security Desktop, start OpenVAS Administrator, start OpenVAS CLI, start OpenVAS Manager, start OpenVAS Scanner, stop Greenbone Security Assistant, stop OpenVAS Administrator, stop OpenVAS CLI, stop OpenVAS Manager, stop OpenVAS Scanner)
SAINT (SAINT, SAINT web Daemon)
Others (lynis, mantra)
Network Assessment
Cisco Tools (cisco-auditing-tool, cisco-ocs, cisco passwd scanner, cisco-torch, copy-router-config, merge-router-config, tftp-bruteforce)
Network Fuzzers (bed, fuzz_ip6, sfuzz, sickfuzz, spike)
Open Source Assessment (mitre-cve, osvdb)
VOIP Fuzzers (ohrwurm, protos-sip, voiper)
Web Application Assessment
CMS Vulnerability Identification (joomscan, plecost)
Web Application Fuzzers (dirbuster, dotdotpwn, powerfuzzer, rfuzz, untidy, webshag-cli, webshag-gui, webslayer, xssfuzz, xssfuzz-start, xssfuzz-stop)
Web Application Proxies (burpsuite, owasp-zap)
Web Open Source Assessment (goohost, gooscan, metagoofil, mitre-cve, osvdb,
shodan, theharvester)
Web Vulnerability Scanners (asp-auditor, burpsuite, grabber, Grendel-scan,
mopest, nikto, owasp-zap, proxystrike, skipfish, sqlmap, uniscan, vega, w3af
console, w3af gui, wapiti, watobo, webscarab, wstool)
Database Assessment
MSSQL Assessment (sqlbrute, sqldict, sqllhf, sqlmap, sqlninja)
MySQL Assessment (sqlmap)
Oracle Assessment (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl,
sqlbrute, sqlmap, tnscmd10g)
Others (bbqsql, dbpwaudit)
Exploitation Tools
Network Exploitation tools
Cisco Attacks (cisco-global-exploiter, tftp-bruteforce)
Fast-Track (fasttrack-cli, fasttrack-interactive, fasttrack-web)
Metasploit Framework (Armitage, msfcli, msfconsole, msfupdate, start msfpro)
SAP Exploitation (sapyto)
Others (isr-evilgrade, netgear-telnetenable, termineter)
Web Exploitation Tools (asp-auditor, darkmysqli, fimap, htexploit, jboss-autopwn,
oscanner, padbuster, sqlmap, sqlninja, sqlsus, sslstrip, w3af console, w3af gui,
websecurity, websploit, xsser)
Database Exploitation Tools
MSSQL Exploitation Tools (sqlmap, sqlninja)
MySQL Exploitation Tools (sqlmap)
Oracle Exploitation (dbpwaudit, getsids, opwg, oquery, oscanner, osd, ose, otnsctl,
sqlmap)
Others (bbqsql, dbpwaudit)
Wireless Exploitation Tools
BlueTooth Exploitation (atshell, bluediving, bluelog, bluemaho, bluepot, bt-audit, btftp, redfang, spooftooph)
GSM Exploitation (smartphone-pentest-framework)
WLAN Exploitation (aircrack-ng, airmon-ng, airodump-ng, fern-wifi-cracker, freeradius-wpe, freeradius-wpe setup, gerix-wifi-cracker-ng, horst, pcapgetiv, pyrit, reaver, weakivgen, wepcrack, wifi-honey, wifite)
Social Engineering Tools
BEEF XSS Framework (BeEF, BeEF installer)
HoneyPots (honeyd, honeydctl, spamhole)
Social Engineering Toolkit (set)
Physical Exploitation (arduino, kautilya, u3-pwn)
Open Source Exploitation
Exploit-DB (exploitdb directory, exploit search)
Online Archives (mitre-cve, osvdb, securityfocus)
Privilege Escalation
Password Attacks
GPU Tools (oclhashcat+(ATI), oclhashcat+(Nvidia))
Offline Attacks (asleap, cowpatty, creddump, crunch, cupp, dictstat, eapmd5pass, fcrackzip, genkeys, genpmk, hashcat, hashcat-gui, hashcat-utils, hash-identifier, johnny, john the ripper, manglefizz, maskgen, multiforcer, oclhashcat (ATI), oclhashcat-lite (ATI), oclhashcat-lite (Nvidia), oclhashcat (Nvidia), ophcrack, ophcrack-gui, phrasendrescher, pipal, policygen, rainbowcrack, rainbowcrack-mt, sipcrack, sipdump, statsprocessor, truecrack, twofi)
Online Attacks (acccheck, cewl, findmyhash, hexorbase, hydra, hydra-gtk, keimpx,
medusa, ncrack, patator, smbexec, sqldict, sqllhf, svcrack, wce)
Physical Attacks (sucrack)
Privilege Escalation Media
VOIP Tools (rtpinjct)
Protocol Analysis
Network Sniffers (darkstat, driftnet, dsniff, easy-creds, ettercap, ettercap-gtk, ettercap-ng, fake_route6, ferret, hamster, parasite6, redir6, scapy, subterfuge, tcpdump, tshark, wireshark, xspy)
VOIP Sniffers (ferret, rtpbreak, voipctl, voipong)
Web Sniffers (mitmproxy)
Spoofing Attacks
Network Spoofing (dnschef, fake_mipv6, fake_mld26, fake_mld6, fake_mldrouter6, fake_router6, fiked, fuzz_advertise6, hexinject, intercepter-ng, redir6, thcping6, toobig6, yersinia)
VOIP Spoofing (sipsak, voiphopper)
Maintaining Access
OS Backdoors (dbd, hotpatch, intersect, msfencode, msfpayload, powersploit, sbd, trixd00r, u3-pwn, unix-privesc-check)
Tunneling (3proxy, cryptcat, iodine, miredo, ping tunnel, proxychains, proxytunnel, pwnat, socat, sslh, stunnel4, tinyproxy, udptunnel)
Web Backdoors (msfencode, msfpayload, webshells, weevely)
Reverse Engineering (android-sdk, apktool, binwalk, ded, dex2jar, edb-debugger, flasm,
gdb.py, install ida-pro free, jad, javasnoop, mercury, ollydbg, rec-studio, smali, strace.py)
RFID Tools
RFID ACG (brute force hitag2, bruteforce mifare, calculate jcop mifare keys, continuous select tag, copy iso15693 tag, epassport read write clone, format mifare 1k value blocks, identify hf tag type, identify lf tag type, jcop info, jcop mifare read write, jcop set atr historical bytes, read acg reader eeprom, read lf tag, read mifare, read tag, read write clone unique (em4x02), reset q5 tag, select tag, set fdx-b id, test acg lahf)
RFID Frosch (read write clone unique (em4x02), reset hitag2 tag, set fdx-b id, test
frosch reader)
RFID PCSC (bruteforce mifare, calculate jcop mifare keys, chip & pin info, continuous
select tag, epassport read/write/clone, identify hf tag type, install atr historical byte
applet to jcop, install mifare applet to jcop, install vonjeek epassport emulator to jcop,
install vonjeek epassport emulator to nokia, jcop info, jcop mifare read/write, jcop set
atr historical bytes, read mifare, read tag, select tag)
Stress Testing
Network Stress Testing (denial6, dhcpig, dos-new-ip6, flood_advertise6,
flood_router6, hping2, hping3, inundator, letdown, rsmurf6, sendpees6, siege,
smurf6, t50, thc-ssl-dos, udp.pl)
VOIP Stress Testing (iaxflood, inviteflood, rtpflood, sip)
WLAN Stress Testing (mdk3)
Forensics
Anti-Virus Forensics Tools (chkrootkit, rkhunter)
Digital Anti Forensics (install truecrypt)
Digital Forensics (hexedit, iphoneanalyzer, rifiuti2)
Forensic Analysis Tools (bulk-extractor, evtparse.pl, exiftool, misidentify, mork.pl,
pref.pl, ptk, readpst, reglookup, stegdetect, vinetto)
Forensic Carving Tools (extundelete, fatback, foremost, magicrescue, recoverjpeg,
safecopy, scalpel, scrounge-ntfs, testdisk)
Forensic Hashing Tools (hashdeep, md5deep, sha1deep, sha256deep, tigerdeep,
whirlpooldeep)
Forensic Imaging Tools (air, dc3dd, ddrescue, ewfacquire)
Forensic Suites (ptk, setup autopsy, sleuthkit)
Network Forensics (darkstat, driftnet, p0f, tcpflow, tcpreplay, wireshark)
Password Forensics Tools (cmospwd, fcrackzip, samdump)
PDF Forensics Tools (pdfid, pdf-parser, peepdf)
RAM Forensics Tools (pdfbook, pdgmail, ptk, volafox)
Reporting Tools
Evidence Management (casefile, keepnote, magictree, maltego, svreport)
Media Capture (cutycapt, recordmydesktop)
Services
GPSD (gpsd start, gpsd stop)
HTTPD (apache start, apache stop)
MySQLD (mysql start, mysql stop)
PCSCD (pcscd start, pcscd stop)
Snort Service (snort start, snort stop)
SSHD (sshd start, sshd stop)
Miscellaneous tools

APPENDIX B
List of tool functions in the Kali Linux package (http://www.kali.org/ and http://docs.kali.org/)
[JB14] and [KL13] list the most commonly used tools in Kali Linux and the commands used to launch each tool.
The Kali Linux platform comes preloaded with over 400 tools that can be used for the various
stages of a penetration test or an ethical hacking engagement. The following table lists each
tool and its location in the Kali Linux menu structure.
Menu         Activity Menu   Application
Kali Linux   Top 10          aircrack-ng
Kali Linux   Top 10          burpsuite
Kali Linux   Top 10          hydra
Kali Linux   Top 10          john
Kali Linux   Top 10          maltego
Kali Linux   Top 10          metasploit framework
Kali Linux   Top 10          nmap
Kali Linux   Top 10          sqlmap
Kali Linux   Top 10          wireshark
Kali Linux   Top 10          zaproxy

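A list like the one above is only useful to an IT director if the build actually contains the tools. The following POSIX shell script is an added example (it is not part of the Kali documentation, of [JB14] or [KL13], or of this report's sources) that looks up each listed tool on PATH and reports which are missing; count_missing returns the number not found so the check can be scripted. The executable names are assumptions: the menu entry "metasploit framework" is checked as msfconsole, and the other entries are taken to match their menu labels.

```sh
#!/bin/sh
# Added example (not from the Kali project or this report's sources): audit a
# tool list such as the "Top 10" table above against the binaries found on PATH.
# Executable names are assumptions: the menu label "metasploit framework" is
# checked as msfconsole, and every other label is taken to match its binary.
KALI_TOP10="aircrack-ng burpsuite hydra john maltego msfconsole nmap sqlmap wireshark zaproxy"

# Print one status line per tool name given as an argument. The exit status is
# the number of tools not found (capped at 255 to stay within exit-code range).
check_tools() {
    _missing=0
    for _tool in "$@"; do
        if command -v "$_tool" >/dev/null 2>&1; then
            printf 'present  %s\n' "$_tool"
        else
            printf 'MISSING  %s\n' "$_tool"
            _missing=$((_missing + 1))
        fi
    done
    if [ "$_missing" -gt 255 ]; then _missing=255; fi
    return "$_missing"
}

# Same check without the report: print only how many of the given tools are
# missing, always exiting 0, so the value can be captured with $(...) safely.
count_missing() {
    _n=0
    for _tool in "$@"; do
        command -v "$_tool" >/dev/null 2>&1 || _n=$((_n + 1))
    done
    echo "$_n"
}

# Stand-alone run: report on the Top 10 list, then summarise. The "|| true"
# keeps the script going when tools are absent (the report already shows which).
# shellcheck disable=SC2086  # word splitting of the list is intentional
check_tools $KALI_TOP10 || true
echo "missing: $(count_missing $KALI_TOP10) of 10"
```

The same two functions can be pointed at any of the category lists in these appendices (for example the Forensic Imaging Tools entry) by passing those names as arguments; the caveat is that a menu label and the binary it launches are not always spelled the same, so a "MISSING" line for a tool that is installed usually means the label, not the package, needs correcting.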
The Kali Linux Distribution includes the following major tool categories:

Information Gathering
DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnsrevenum6, dnstracer,
dnswalk, fierce, maltego, nmap, urlcrazy)
IDS/IPS Identification (fragroute, fragrouter, wafw00f)
Live Hosts Identification (alive6, arping, cdpsnarf, detect-new-ip6, detect_sniffer6, dmitry, dnmap-client, dnmap-server, fping, hping3, inverse_lookup6, miranda, ncat, netdiscover, nmap, passive_discovery6, thcping6, wol-e, xprobe2)
Network Scanners (dmitry, dnmap-client, dnmap-server, netdiscover, nmap)
OS Fingerprinting (dnmap-client, dnmap-server, miranda, nmap)
OSINT Analysis (casefile, creepy, dmitry, jigsaw, maltego, metagoofil, theharvester, twofi, urlcrazy)
Route Analysis (dnmap-client, dnmap-server, intrace, netmask, trace6)
Service Fingerprinting (dnmap-client, dnmap-server, implementation6, implementation6d, ncat, nmap, sslscan, sslyze, tlssled)
SMB Analysis (acccheck, nbtscan, nmap)
SMTP Analysis (nmap, smtp-user-enum, swaks)
SNMP Analysis (braa, cisco-auditing-tool, cisco-torch, copy-router-config, merge-router-config, nmap, onesixtyone, snmpcheck)
SSL Analysis (sslcaudit, ssldump, sslh, sslscan, sslsniff, sslstrip, sslyze, stunnel4,
tlssled)
Telephony Analysis (ace)
Traffic Analysis (cdpsnarf, intrace, irpas-ass, irpas-cdp, p0f, tcpflow, wireshark)
VOIP Analysis (ace, enumiax)
VPN Analysis (ike-scan)
Vulnerability Analysis
Cisco Tools (cisco-auditing-tool, cisco-global-exploiter, cisco-ocs, cisco-torch, yersinia)
Database Assessment (bbqsql, dbpwaudit, hexorbase, mdb-export, mdb-hexdump, mdb-parsecsv, mdb-sql, mdb-tables, oscanner, sidguesser, sqlmap, sqlninja, sqlsus, tnscmd10g)
Fuzzing Tools (bed, fuzz_ip6, ohrwurm, powerfuzzer, sfuzz, siparmyknife, spike-generic_chunked, spike-generic_listen_tcp, spike-generic_send_tcp, spike-generic_send_udp)
Misc Scanners (lynis, nikto, nmap, unix-privesc-check)
Open Source Assessment (casefile, maltego)
OpenVAS (openvas-gsd, openvas-setup)
Web Application Assessment
CMS Identification (blindelephant, plecost, wpscan)
Database Exploitation (bbqsql, sqlninja, sqlsus, ua-tester)
IDS/IPS Identification (ua-tester)
Web Application Fuzzers (burpsuite, paros, powerfuzzer, proxystrike, webscarab, webslayer, websploit, wfuzz, xsser, zaproxy)
Web Application Proxies (burpsuite, paros, proxystrike, webscarab, zaproxy)
Web Crawlers (apache-users, burpsuite, cutycapt, dirb, dirbuster, vega,
webscarab, webslayer, zaproxy)
Web Vulnerability Scanners (burpsuite, cadaver, davtest, deblaze, fimap, grabber,
joomscan, nikto, padbuster, proxystrike, skipfish, sqlmap, vega, w3af, wapiti,
webscarab, webshag-cli, webshag-gui, websploit, whatweb, wpscan, xsser,
zaproxy)
Password Attacks
GPU Tools (oclhashcat-lite, oclhashcat-plus, pyrit)
Offline Attacks (cachedump, chntpw, cmospwd, crunch, dictstat, fcrackzip, hashcat, hash-identifier, john, johnny, lsadump, maskgen, multiforcer, oclhashcat-lite, oclhashcat-plus, ophcrack, ophcrack-cli, policygen, pwdump, pyrit, rainbowcrack, rcracki_mt, rsmangler, samdump2, sipcrack, sucrack, truecrack)
Online Attacks (acccheck, burpsuite, cewl, cisco-auditing-tool, dbpwaudit, findmyhash, hydra, hydra-gtk, medusa, ncrack, onesixtyone, patator, phrasendrescher, thc-pptp-bruter, webscarab, zaproxy)
Passing the Hash
Wireless Attacks
802.11 Wireless Tools (aircrack-ng, aireplay-ng, airmon-ng, airodump-ng, asleap, cowpatty, eapmd5pass, fern-wifi-cracker, genkeys, genpmk, giskismet, mdk3, wifiarp, wifidns, wifi-honey, wifiping, wifitap, wifite)
Bluetooth Tools (bluelog, bluemaho, blueranger, btscanner, fang, spooftooph)
Other Wireless Tools (zbassocflood, zbconvert, zbdsniff, zbdump, zbfind, zbgoodfind, zbreplay, zbstumbler)
RFID/NFC Tools
Software Defined Radio

Exploitation Tools
BEEF XSS Framework
Cisco Attacks (cisco-auditing-tool, cisco-global-exploiter, cisco-ocs, cisco-torch, yersinia)
Exploit Database (searchsploit)
Metasploit (Metasploit Community/Pro, Metasploit diagnostic logs, Metasploit
diagnostic shell, Metasploit Framework, Update metasploit)
Network Exploitation (exploit6, ikat, jboss-autopwn-win, jboss-autopwn-linux,
termineter)
Social Engineering (se-toolkit)
Sniffing/Spoofing
Network Sniffers (darkstat, dnschef, dnsspoof, dsniff, ettercap-graphical,
hexinject, mailsnarf, msgsnarf, netsniff-ng, passive_discovery6, sslsniff, tcpflow,
urlsnarf, webmitm, webspy, wireshark)
Network Spoofing (dnschef, ettercap-graphical, evilgrade, fake_advertise6,
fake_dhcps6, fake_dns6, fake_mldrouter6, fake_router26, fake_router6,
fake_solicitate6, fiked, macchanger, parasite6, randicmp6, rebind, redir6,
sniffjoke, sslstrip, tcpreplay, wifi-honey, Yersinia)
Voice and Surveillance (msgsnarf)
VoIP Tools (iaxflood, inviteflood, ohrwurm, protos-sip, rtpbreak, rtpflood, rtpinsertsound, rtpmixsound, sctpscan, siparmyknife, sip, sipsak, svcrash, svmap, svreport, svwar, voiphopper)
Web Sniffers (burpsuite, dnsspoof, driftnet, ferret, mitmproxy, urlsnarf, webmitm, webscarab, webspy, zaproxy)
Maintaining Access
OS Backdoors (cymothoa, dbd, intersect, powersploit, sbd, u3-pwn)
Tunneling Tools (cryptcat, dbd, dns2tcpc, iodine, miredo, ncat, proxychains, proxytunnel, ptunnel, pwnat, sbd, socat, sslh, udptunnel)
Web Backdoors (webacoo, weevely)
Reverse Engineering
Debuggers (edb-debugger, ollydbg)
Disassembly (jad, rabin2, radiff2, rasm2)
Misc RE Tools (apktool, clang, clang++, dex2jar, flasm, javasnoop, radare2, rafind2,
ragg2, ragg2-cc, rahash2, rarun2, rax2)
Stress Testing
Network Stress Testing (denial6, dhcpig, dos-new-ip6, flood_advertise6, flood_dhcpc6, flood_mld6, flood_mldrouter6, flood_solicitate6, fragmentation6, inundator, kill_router6, macof, rsmurf6, siege, smurf6, t50)
VOIP Stress Testing (iaxflood, inviteflood)
Web Stress Testing (thc-ssl-dos)
WLAN Stress Testing (mdk3, reaver)
Hardware Hacking
Android Tools (android-sdk, apktool, baksmali, dex2jar, smali)
Arduino Tools (arduino)
Forensics
Anti-Virus Forensics Tools (chkrootkit)
Digital Anti Forensics (chkrootkit)
Digital Forensics (autopsy, binwalk, bulk_extractor, chkrootkit, dc3dd, dcfldd, extundelete, foremost, fsstat, galleta, tsk_comparedir, tsk_loaddb)
Forensic Analysis Tools (affcompare, affcopy, affcrypto, affdiskprint, affinfo, affsign, affstats, affuse, affverify, affxml, autopsy, binwalk, blkcalc, blkcat, blkstat, bulk_extractor, ffind, fls, foremost, galleta, hfind, icat-sleuthkit, ifind, ils-sleuthkit, istat, jcat, mactime-sleuthkit, misidentify, mmcat, pdgmail, readpst, reglookup, sorter, srch_strings, tsk_recover, vinetto)
Forensic Carving Tools (binwalk, bulk_extractor, foremost, jls, magicrescue, pasco, pev, recoverjpeg, rifiuti2, rifiuti, safecopy, scalpel, scrounge-ntfs)
Forensic Hashing Tools (md5deep, rahash2)
Forensic Imaging Tools (affcat, affconvert, blkls, dc3dd, dcfldd, ddrescue,
ewfacquire, ewfacquirestream, ewfexport, ewfinfo, ewfverify, fsstat, guymager,
img_cat, img_stat, mmls, tsk_gettimes)
Forensic Suites (autopsy, dff)
Network Forensics (p0f)
Password Forensics Tools (chntpw)
PDF Forensics Tools (pdf-parser, peepdf)
RAM Forensics Tools (volafox, volatility)
Reporting Tools
Documentation
Evidence Management (casefile, keepnote, magictree, maltego, metagoofil, truecrypt)
Media Capture (cutycapt, recordmydesktop)
Systems Services
HTTP (apache2 restart, apache2 start, apache2 stop)
Metasploit (community/pro start, community/pro stop)
MySQL (mysql restart, mysql start, mysql stop)
SSH (sshd restart, sshd start, sshd stop)

APPENDIX C
[ML13] describes the tools available in the Matriux Arsenal.
The Matriux Arsenal contains a large collection of more than 300 security and penetration testing tools. It includes the following tools, utilities and libraries (the beta release contains only a few of the listed tools). Copied from: http://www.matriux.com/index.php?page=arsenal

This arsenal is for Matriux Ec-Centric 2.49 beta edition

Reconnaissance
DNS
- chaosmap
- DIG
- DNSTracer
- DNSWalk
- rebind
HTTrack
- HTTrack
- WebHTTrack Website Copier
- Browse Mirrored Websites
- Chaosreader
- Deepmagic Information Gathering Tool
- dradis framework
- dsniff password sniffer
- EtherApe
- EtherApe (root)
- fragroute
- magictree
- peepdf
- quickrecon
- tcpdump
- tcpslice
- tcptrace
- tcptraceroute
- vidalia
- Network Analyzer (Wireshark)
- xtrace
Scanning
Cisco
- CDP Packet Generator
- CDP Global Exploiter
- HSRP Generator
BATMAN-Tools
- batping
- batroute
- batdump
Routing-Protocols
- Autonomous System Scanner
- IGRP Route Injector
Web-Scanners
- blindelephant
- dirbuster
- JHijack
- Nikto
- RIPS Scanner
- theHarvester
- scrapy
- urlcrazy
- vega
- wafp
- whatweb
- xsser
- XSSploit (CLI)
- XSSploit (GUI)

Angry IP Scan
CryptCat
ettercap console
Ettercap Gui
file2cable
Web Server Fingerprinting Tool
gggooglescan
metagoofil
icmpush
icmpquery
IRDP Packet Sender
IRDP Responder Packet Sender
Netcat
netenum
netmask
Nmap
Nmap Si4 Full mode
Nmap Si4 user mode
Nmap Si4 Logr
ostinato
p0f
sinfp
snacktime
Paris Traceroute
Pastenum
Protocol Scanner
Parallel Internet Measurement Utility
t50
tctrace
THC-Amap
wapiti
Zenmap
Zenmap(root)

Gain Access (Attack Tools)
Password
- Password List Download
- apligen
- BruteSSH
- Cacheebr
- EmDebr
- iisbruteforcer
- bbox-keygen
- cmospwd
- crunch
- etemenanki
- gcrack
- John the ripper
- rarcrack
- medusa
- sucrack
- THC-Hydra Console
- THC-Hydra GUI
- vncrack
- vncpwddump
- wfuzz
- routerkeygen
- md5pack
- md5unpack
- md5-utils
SQL
- bing-sqli-scanner
- bsqlbf
- minimysqlat0r
- pblind
- sqlibf
- sqlinjtools
- sqlmap
- SQLninja
- sqlid
- sqlsus
THC-IPv6
- address6
- alive6
- covert_send6
- covert_send6d
- denial6
- detect-new-ip6
- detect_sniffer6
- dnsdict6
- dnsrevenum6
- dnssecwalk
- dos-new-ip6
- dump_router6
- exploit6
- detectnewip6
- fake_mipv6
- fake_mld26
- fake_mld6
- fake_mldrouter6
- fake_router6
- fake_advertise6
- fuzz_ip6
- implementation6
- implementation6d
- parasite6
- redir6
- rsmurf6
- sendpees6
- smurf6
- thcping6
- toobig6
- trace6

Mac Changer
sipcrack
Framework
Inguma
- Inguma-cli
- Inguma-gui
Metasploit Framework
- armitage
- msfconsole
- msfpro
- msfupdate
SET
- SET Console Mode
- SET web mode
w3af
- w3af console
- w3af gui

socat

Radio

BeEF
Grendel-Scan
HTTP Request Exploit Framework
isr-evilgrade
Mantra Framework
skipfish
webscarab
shell storm framework
yersinia
WSFuzzer
subterfuge
Burpsuite
g0tbeEF
Maltego

Bluetooth
bluemaho
blueper
bluescan
bluesnarfer
bss
carwhisperer
haraldscan
kismet
kismet
kismet client
kismet drone
kismet server
reaver-wps
reaver
reaverwash
voip
- sipvicious
- authtool
- enumiax
- iaxscan
- scapy
- SIP Proxy
- Voiper

airbase-ng
aircrack-ng
airdecap-ng
airdecloak-ng
airdriver-ng
aireplay-ng
airmon-ng
airodump-ng
airolib-ng
airoscript-ng
airserv-ng
airtun-ng
buddy-ng
chapcrack-ng
cowpatty
fern wifi cracker
gerix wificracker
grimwepa
packetforge-ng
pyrit
wepbuster
weplab
wesside-ng
whichdriver
wicd
WiFi Radar
Wifite

Digital-Forensics
Acquisition
- Automated Image & Restore
- galleta
- volatilitux
- steghide
- volatility
- Guymager
Analysis
- bokken & pyew
- Androguard
- apk inspector
- Start Autopsy
- Autopsy Forensics Browser
- foremost
- forensic data identifier
- Gparted
- iphone analyzer
- Jbrofuzz
- mmsdec
- scalpel
- Pasco
- steghide
- Vinetto
- Start WarVOX
- Open WarVOX Web Interface
- Xplico Console Mode (Internet Traffic Decoder)
- Xplico Web Interface (Internet Traffic Decoder)
Digital Forensic Framework
- DFF console
- DFF GUI
metaextractors
- antiword
- catdoc
- exifcom
- exifgrep
- exiflibtool
- exifprobe
- exiftags
- exiftime
- exiftool
exiv2
flare
flasm
jhead
pdffonts
pdfimages
pdfinfo
pdftops
pdftotext
pngchunks
pngcp
pngcrush
pnginfo

dcfldd
Draugr
Extensive File Dumper
Mobius Forensic Toolkit
pyflag
testdisk
warrick
Dhash

PCI-DSS
- babel console
- babel server
- ccsrch
- code janitor
- dep-checker
- eramba
- fossbarcode scan
- fossology
- ftimes
- openpscan
- panbuster
- seNF
- Spider Helix Process
- Spider Helix Server
- strings
- stunnel
- verinice
Debugger
- boomerang
- Tracer
- Crash
- ddd
- dissy
- e2dbg
- gdb
- gdbserver
- hexedit
- efence
- JavaScript Lint
- netifera
- valgrind
Leak-Tracer
- Leak Analyze
- Leak Check
- etrace
- latrace
- ltrace
- pstack
- strace

Misc
Fuzzers
- JbroFuzzer
- zzuf
sipvicious
- svcrack
- svcrash
- svlearnfp
- svmap
- svreport
- svwar
- burpsuite
- geoipgen
- packetpig
- PE file analysis toolkit
- pytbull
- ROP gadget
- Scamper
- sslstrip
- stegoshare
- truecrypt
Services
- apache start
- apache stop
- metasploit start
- metasploit stop
- mysql start
- mysql stop
- postgresql start
- postgresql stop

APPENDIX D
The following packages currently exist in Fedora and are part of the Fedora Security Lab. Not all packages are available on the Fedora Security Live CD. (The following tool list was copied from https://fedorahosted.org/security-spin/wiki/availableApps)

1. Code Analysis
- splint - An implementation of the lint program
- pscan - Limited problem scanner for C source files
- flawfinder - Examines C/C++ source code for security flaws
- rats - Rough Auditing Tool for Security

2. Forensics
- ddrescue - Data recovery tool trying hard to rescue data in case of read errors
- gparted - Gnome Partition Editor
- testdisk - Tool to check and undelete partitions; PhotoRec recovers lost files
- foremost - Recover files by "carving" them from a raw disk
- sectool-gui - GUI for sectool, a security audit system and intrusion detection system
- unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
- examiner - Utility to disassemble and comment foreign executable binaries
- srm - Secure file deletion
- nwipe - Securely erase disks using a variety of recognized methods
- firstaidkit-gui - FirstAidKit GUI
- xmount - On-the-fly converter for multiple hard disk image types
- dc3dd - Patched version of GNU dd for use in computer forensics
- afftools - Utilities for afflib
- scanmem - Simple interactive debugging utility
- sleuthkit - The Sleuth Kit (TSK)
- scrub - Disk scrubbing program
- ht - File editor/viewer/analyzer for executables
- driftnet - Network image sniffer
- binwalk - Firmware analysis tool
- scalpel - Fast file carver working on disk images
- pdfcrack - A password recovery tool for PDF files
- wipe - Secure file erasing tool
- safecopy - Safe copying of files and partitions
- hfsutils - Tools for reading and writing Macintosh HFS volumes
- cmospwd - BIOS password cracker utility

3. General
security-menus - Menu Structure for the Security Spin - Fedora Package Database - Bug Reports
nc6 - Netcat with IPv6 Support - Fedora Package Database - Bug Reports
mc - User-friendly text console file manager and visual shell - Fedora Package Database - Bug Reports
screen - A screen manager that supports multiple logins on one terminal - Fedora Package Database - Bug Reports
macchanger - A utility for viewing/manipulating the MAC address of network interfaces - Fedora Package Database - Bug Reports
ngrep - Network layer grep tool - Fedora Package Database - Bug Reports
ntfs-3g - Linux NTFS userspace driver - Fedora Package Database - Bug Reports
ntfsprogs - NTFS filesystem libraries and utilities - Fedora Package Database - Bug Reports
pcapdiff - Compares packet captures, detects forged, dropped or mangled packets - Fedora Package Database - Bug Reports
net-snmp - A collection of SNMP protocol tools and libraries - Fedora Package Database - Bug Reports
openvas-scanner - Open Vulnerability Assessment (OpenVAS) Scanner - Fedora Package Database - Bug Reports
hexedit - A hexadecimal file viewer and editor - Fedora Package Database - Bug Reports
irssi - Modular text mode IRC client with Perl scripting - Fedora Package Database - Bug Reports
powertop - Power consumption monitor - Fedora Package Database - Bug Reports
mutt - A text mode mail user agent - Fedora Package Database - Bug Reports
nano - A small text editor - Fedora Package Database - Bug Reports
vim-enhanced - A version of the VIM editor which includes recent enhancements - Fedora Package Database - Bug Reports
wget - A utility for retrieving files using the HTTP or FTP protocols - Fedora Package Database - Bug Reports
yum-utils - Utilities based around the yum package manager - Fedora Package Database - Bug Reports
mcabber - Console Jabber instant messaging client - Fedora Package Database - Bug Reports
firstaidkit-plugin-all - All firstaidkit plugins, and the gui - Fedora Package Database - Bug Reports
netsed - A tool to modify network packets - Fedora Package Database - Bug Reports
dnstop - Displays information about DNS traffic on your network - Fedora Package Database - Bug Reports
sslstrip - Tool that provides a demonstration of HTTPS stripping attacks - Fedora Package Database - Bug Reports
bonesi - The DDoS Botnet Simulator - Fedora Package Database - Bug Reports
proxychains - Provides proxy support to any application - Fedora Package Database - Bug Reports
prewikka - Graphical front-end analysis console for the Prelude Hybrid IDS Framework - Fedora Package Database - Bug Reports
prelude-manager - Prelude-Manager - Fedora Package Database - Bug Reports
picviz-gui - Graphical frontend for picviz - Fedora Package Database - Bug Reports
telnet - The client program for the Telnet remote login protocol - Fedora Package Database - Bug Reports
openssh - An open source implementation of SSH protocol versions 1 and 2 - Fedora Package Database - Bug Reports
dnstracer - Trace a DNS record to its start of authority - Fedora Package Database - Bug Reports

4. Intrusion Detection
chkrootkit - Tool to locally check for signs of a rootkit - Fedora Package Database - Bug Reports
aide - Intrusion detection environment - Fedora Package Database - Bug Reports
pads - Passive Asset Detection System - Fedora Package Database - Bug Reports
rkhunter - A host-based tool to scan for rootkits, backdoors and local exploits - Fedora Package Database - Bug Reports
labrea - Tarpit (slow to a crawl) worms and port scanners - Fedora Package Database - Bug Reports
nebula - Intrusion signature generator - Fedora Package Database - Bug Reports
tripwire - IDS (Intrusion Detection System) - Fedora Package Database - Bug Reports
prelude-lml - The prelude log analyzer - Fedora Package Database - Bug Reports

5. Network Statistics
iftop - Command line tool that displays bandwidth usage on an interface - Fedora Package Database - Bug Reports
scamper - A network measurement tool - Fedora Package Database - Bug Reports
iptraf-ng - A console-based network monitoring utility - Fedora Package Database - Bug Reports
iperf - Measurement tool for TCP/UDP bandwidth performance - Fedora Package Database - Bug Reports
nethogs - A tool resembling top for network traffic - Fedora Package Database - Bug Reports
uperf - Network performance tool with modelling and replay support - Fedora Package Database - Bug Reports
nload - A tool that can monitor network traffic and bandwidth usage in real time - Fedora Package Database - Bug Reports
ntop - A network traffic probe similar to the UNIX top command - Fedora Package Database - Bug Reports
trafshow - A tool for real-time network traffic visualization - Fedora Package Database - Bug Reports
vnstat - Console-based network traffic monitor - Fedora Package Database - Bug Reports

6. Password Tools
john - John the Ripper password cracker - Fedora Package Database - Bug Reports
sucrack - A su cracker - Fedora Package Database - Bug Reports
ophcrack - Free Windows password cracker based on rainbow tables - Fedora Package Database - Bug Reports
medusa - Parallel brute forcing password cracker - Fedora Package Database - Bug Reports
pwgen - Automatic password generation - Fedora Package Database - Bug Reports
ncrack - High-speed network auth cracking tool - Fedora Package Database - Bug Reports
hydra - Very fast network log-on cracker - Fedora Package Database - Bug Reports

7. Reconnaissance
xprobe2 - Xprobe2 is an active operating system fingerprinting tool - Fedora Package Database - Bug Reports
dsniff - Tools for network auditing and penetration testing - Fedora Package Database - Bug Reports
wireshark - Network traffic analyzer - Fedora Package Database - Bug Reports
hping3 - TCP/IP stack auditing and much more - Fedora Package Database - Bug Reports
nmap - Network exploration tool and security scanner - Fedora Package Database - Bug Reports
nmap-frontend - The GTK+ front end for nmap - Fedora Package Database - Bug Reports
p0f - Versatile passive OS fingerprinting tool - Fedora Package Database - Bug Reports
sing - Sends fully customized ICMP packets from command line - Fedora Package Database - Bug Reports
scapy - Interactive packet manipulation tool and network scanner - Fedora Package Database - Bug Reports
socat - Bidirectional data relay between two data channels ('netcat++') - Fedora Package Database - Bug Reports
tcpdump - A network traffic monitoring tool - Fedora Package Database - Bug Reports
unicornscan - Scalable, accurate, flexible and efficient network probing - Fedora Package Database - Bug Reports
nbtscan - Tool to gather NetBIOS info from Windows networks - Fedora Package Database - Bug Reports
tcpxtract - Tool for extracting files from network traffic - Fedora Package Database - Bug Reports
firewalk - Active Reconnaissance network security tool - Fedora Package Database - Bug Reports
hunt - Tool for demonstrating well known weaknesses in the TCP/IP protocol suite - Fedora Package Database - Bug Reports
dnsenum - A tool to enumerate DNS info about domains - Fedora Package Database - Bug Reports
argus - Network transaction audit tool - Fedora Package Database - Bug Reports
ettercap - Network traffic sniffer/analyser, NCURSES interface version - Fedora Package Database - Bug Reports
packETH - A GUI packet generator tool - Fedora Package Database - Bug Reports
etherape - Graphical network monitor for Unix - Fedora Package Database - Bug Reports
lynis - Security and system auditing tool - Fedora Package Database - Bug Reports
netsniff-ng - Packet sniffing beast - Fedora Package Database - Bug Reports
tcpjunk - TCP protocols testing tool - Fedora Package Database - Bug Reports
ssldump - An SSLv3/TLS network protocol analyzer - Fedora Package Database - Bug Reports
yersinia - Network protocols tester and attacker - Fedora Package Database - Bug Reports
openvas-client - Client component of Open Vulnerability Assessment (OpenVAS) Scanner - Fedora Package Database - Bug Reports
sslscan - Security assessment tool for SSL - Fedora Package Database - Bug Reports
snmpcheck - A utility to get information via SNMP protocols - Fedora Package Database - Bug Reports
samdump2 - Retrieves syskey and extracts hashes from Windows 2k/NT/XP/Vista SAM - Fedora Package Database - Bug Reports
bkhive - Dump the syskey bootkey from a Windows system hive - Fedora Package Database - Bug Reports
tcpick - A tcp stream sniffer, tracker and capturer - Fedora Package Database - Bug Reports
tcpflow - Network traffic recorder - Fedora Package Database - Bug Reports
dnsmap - Sub-domains bruteforcer - Fedora Package Database - Bug Reports
whois - Improved WHOIS client - Fedora Package Database - Bug Reports
paris-traceroute - A network diagnosis and measurement tool - Fedora Package Database - Bug Reports
nmbscan - NMB/SMB network scanner - Fedora Package Database - Bug Reports
slowhttptest - An Application Layer DoS attack simulator - Fedora Package Database - Bug Reports
httpry - A specialized packet sniffer designed for displaying and logging HTTP traffic - Fedora Package Database - Bug Reports
pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker - Fedora Package Database - Bug Reports
onesixtyone - An efficient SNMP scanner - Fedora Package Database - Bug Reports
raddump - RADIUS packets interpreter - Fedora Package Database - Bug Reports
ArpON - ARP handler inspection - Fedora Package Database - Bug Reports
tcpreen - A TCP/IP re-engineering and monitoring program - Fedora Package Database - Bug Reports
tcpreplay - Replay captured network traffic - Fedora Package Database - Bug Reports
siege - HTTP regression testing and benchmarking utility - Fedora Package Database - Bug Reports
inception - A FireWire physical memory manipulation tool - Fedora Package Database - Bug Reports
bannergrab - A banner grabbing tool - Fedora Package Database - Bug Reports
mausezahn - A fast versatile packet generator - Fedora Package Database - Bug Reports
arp-scan - Scanning and fingerprinting tool - Fedora Package Database - Bug Reports
mtr - A network diagnostic tool - Fedora Package Database - Bug Reports
sslsplit - Transparent and scalable SSL/TLS interception - Fedora Package Database - Bug Reports
fping - Scriptable, parallelized ping-like utility - Fedora Package Database - Bug Reports
bro - Open-source, Unix-based Network Intrusion Detection System - Fedora Package Database - Bug Reports
tcpcopy - An online request replication tool - Fedora Package Database - Bug Reports
httrack - Website copier and offline browser - Fedora Package Database - Bug Reports
httpie - A Curl-like tool for humans - Fedora Package Database - Bug Reports
echoping - TCP "echo" performance test - Fedora Package Database - Bug Reports
dhcping - DHCP daemon ping program - Fedora Package Database - Bug Reports
wbox - HTTP testing tool and configuration-less HTTP server - Fedora Package Database - Bug Reports
swaks - Command-line SMTP transaction tester - Fedora Package Database - Bug Reports

8. VoIP
sipsak - SIP swiss army knife - Fedora Package Database - Bug Reports
sipp - SIP test tool / traffic generator - Fedora Package Database - Bug Reports

9. Web Application Testing
halberd - Tool to discover HTTP load balancers - Fedora Package Database - Bug Reports
httping - Ping-like tool for HTTP requests - Fedora Package Database - Bug Reports
nikto - Web server scanner - Fedora Package Database - Bug Reports
ratproxy - A passive web application security assessment tool - Fedora Package Database - Bug Reports
lbd - DNS/HTTP load balancing detector - Fedora Package Database - Bug Reports
skipfish - Web application security scanner - Fedora Package Database - Bug Reports
sqlninja - A tool for SQL server injection and takeover - Fedora Package Database - Bug Reports

10. Wireless
aircrack-ng - 802.11 (wireless) sniffer and WEP/WPA-PSK key cracker - Fedora Package Database - Bug Reports
airsnort - Wireless LAN (WLAN) tool which recovers encryption keys - Fedora Package Database - Bug Reports
kismet - WLAN detector, sniffer and IDS - Fedora Package Database - Bug Reports
weplab - Analyzing WEP encryption security on wireless networks - Fedora Package Database - Bug Reports
cowpatty - WPA password cracker - Fedora Package Database - Bug Reports
wavemon - Ncurses-based monitoring application for wireless network devices - Fedora Package Database - Bug Reports
horst - A highly optimized radio scanning tool - Fedora Package Database - Bug Reports
kismon - A simple GUI client for kismet - Fedora Package Database - Bug Reports