Fatskills
Study Guide: CompTIA CASP+ CAS-004 Certification: Selecting Vulnerability Assessment Tools
Source: https://www.fatskills.com/comptia-advanced-security-practitioner-casp-/chapter/comptia-casp-cas-004-certification-selecting-vulnerability-assessment-tools

CompTIA CASP+ CAS-004 Certification: Selecting Vulnerability Assessment Tools

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Key topics:
- Port scanners
- Protocol analyzers
- Application interceptors
- Exploitation frameworks
- Visualization tools
- Log analysis tools
- Physical security tools
- Analysis tools

While most people think in terms of the network when they consider security assessments, security assessments encompass much more than this. If only network security were considered, major vulnerabilities would be left exposed. It can be argued that without sufficient physical security, network security cannot be achieved. Moreover, when exercising a defense-in-depth strategy, security must be considered at the network, host, and physical levels. This guide looks at the tools used to perform assessments at each of these levels.

Structure
In this guide, we will discuss the following types of assessment tools:
- Network tools
- Host tools

Objectives
After going through this guide, you will be able to understand the following aspects:
- Network tool types: This section covers the types of tools used to perform security assessments of networks, including port scanners, vulnerability scanners, protocol analyzers, SCAP scanners, network enumerators, fuzzers, HTTP interceptors, exploitation tools and frameworks, visualization tools, and log reduction and analysis tools.
- Host tool types: This section describes the tools used to assess vulnerabilities that might be present on an individual host. These types of tools include password crackers, vulnerability scanners, command-line tools, local exploitation tools and frameworks, SCAP tools, file integrity monitoring utilities, log analysis tools, antivirus, and reverse engineering tools.
- Physical security tools: This covers devices used to assess the physical security of an environment, including lock picks, RFID tools, and IR cameras.

Network tool types
An enterprise must first establish where the security flaws exist before it can secure a network. The only way to do so is to conduct an honest assessment of the network’s current state. Multiple techniques of assessment should be utilized to account for the many sorts of weaknesses that can occur in a network. This guide goes over the various assessment techniques and the flaws that each one is supposed to disclose.

Port scanners
A network can be scanned for open ports using Internet Control Message Protocol (ICMP) messages. Open ports indicate services that are running and listening on a device, and therefore a surface that is exposed to attack. A port scanning attack, described here as an ICMP attack, pings every address and port number combination on each device and keeps note of which ports are open on each device: open ports with listening services respond to the probes, while closed ports do not. Network Mapper (Nmap), a free and open-source program for network discovery and security auditing, is one of the most extensively used port scanners.

The figure below displays the results of a scan for many hosts using Zenmap, an Nmap security scanner GUI:



Figure: Zenmap Port Scan Output
The figure below shows the output from the command-line version of Nmap. You can see in this figure that a ping scan of an entire network has just been completed. From it, you can see that the domain scanme.nmap.org has four ports open – 22, 80, 9929, and 31337:


Figure: Nmap Port Scan Output

In a scenario where you need to determine what applications and services are running on the devices in your network, a port scanner would be appropriate.
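The scan output above is most useful when it is compared against what is supposed to be listening. The following Python is an added example, not code from the guide or from the Nmap project: it parses Nmap's "grepable" output format (produced with -oG) and reports any open port that is not in an approved baseline for the host. The sample output is constructed for the example, modelled on the scanme.nmap.org result described above (ports 22, 80, 9929 and 31337 open); the baseline dictionary and the helper names are the example's own.

```python
# Added example: check Nmap grepable (-oG) output against an approved-port baseline.

# Constructed sample of `nmap -oG -` output (not a real capture). The Ports: field
# lists entries as port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -oG - scanme.nmap.org
Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite///\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_gnmap(text):
    """Return {host_ip: [ {port, proto, state, service}, ... ]} from grepable output."""
    results = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe scanned ports.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            port, state, proto, _owner, service = fields[:5]
            results.setdefault(ip, []).append(
                {"port": int(port), "proto": proto, "state": state, "service": service}
            )
    return results


def unexpected_open_ports(results, baseline):
    """Compare open ports with a baseline {ip: {approved ports}}; return {ip: [extra ports]}."""
    findings = {}
    for ip, ports in results.items():
        allowed = baseline.get(ip, set())
        extra = sorted(
            p["port"] for p in ports if p["state"] == "open" and p["port"] not in allowed
        )
        if extra:
            findings[ip] = extra
    return findings


def summarize(text, baseline):
    """Produce the two things a reviewer wants: what is open, and what should not be."""
    results = parse_gnmap(text)
    return {
        "open_ports": {
            ip: sorted(p["port"] for p in ports if p["state"] == "open")
            for ip, ports in results.items()
        },
        "unexpected": unexpected_open_ports(results, baseline),
    }


if __name__ == "__main__":
    # Hypothetical baseline: only SSH and HTTP are approved on this host.
    print(summarize(SAMPLE_GNMAP, {"45.33.32.156": {22, 80}}))
```

Running the scan with -oG and feeding the file to summarize() turns a one-off port list into a drift check that can be repeated after every change window; ports 9929 and 31337 are flagged here because the hypothetical baseline approves only 22 and 80.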

Network vulnerability scanners
A vulnerability scanner, unlike a port scanner, can search for a variety of security flaws, such as misconfigurations, out-of-date software, missing patches, and open ports. Network vulnerability scanners scan the entire network. Nessus, a proprietary program developed by Tenable Network Security, is one of the most extensively used vulnerability scanners. It is available at no cost for personal use in a non-commercial setting. By default, Nessus lists the issues detected on a host with the most serious ranked at the top of the output. A partial screenshot of Nessus is shown below:


Figure: Nessus Scan Output

There is one high-severity issue (the default password for a Firebird database on the host) and five medium-severity concerns, including two SSL certificates that cannot be trusted and a remote desktop man-in-the-middle attack vulnerability. When a network’s security flaws extend beyond open ports, such as weak passwords, misconfigurations, and missing updates, a vulnerability scanner is the best tool to use.

Protocol analyzer
Sniffing is the process of collecting packets for examination; eavesdropping is sniffing done maliciously. Sniffing happens when an attacker adds or inserts a device or program into a communication medium in order to gather all of the data sent through it. Both legitimate security experts and attackers use sniffers, also known as protocol analyzers, to capture raw packets from the network. When a sniffer is used lawfully, the fact that it does not send any data to the network is a benefit; when it is used against you, it is a drawback, because you cannot tell that you are being sniffed. Organizations should monitor for sniffers and limit their use. Wherever practicable, you should encrypt all network traffic.

Wired
One of the most widely used sniffers is Wireshark. It captures raw packets off the interface on which it is configured and allows you to examine each packet. If the data is unencrypted, you will be able to read the data.

The figure below shows an example of Wireshark in use:


Figure: Wireshark Output
The figure shows the result, with each line representing a packet intercepted on the network. The source IP address, the destination IP address, the protocol in use, and the data in the packet are all visible. For example, line 16 displays a transmission with protocol ‘TCP’ from 192.168.0.1 to 192.168.0.2. When a display filter is applied, the capture file retains all packets: the display filter affects only what is shown, not the content of the capture. Following that come the SYN, SYN-ACK, and ACK packets of the TCP three-way handshake. You can click on a single packet to try to read it, and if the payload is cleartext you can read and evaluate the data. As a result, it is easy to understand how an attacker may obtain credentials and other sensitive data. Protocol analyzers come in handy when you need to observe what is going on in your network. Assume that you have a security policy mandating that certain types of traffic be encrypted, but you are unsure whether everyone is adhering to it. You can detect whether users are complying by collecting and inspecting raw packets on the network.
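The compliance check just described (is traffic that the policy says must be encrypted actually encrypted?) can be automated once the capture is exported to text. The following Python is an added example, not code from the guide or from the Wireshark project: it reads a field export in the shape that tshark produces with -T fields -E separator=, -E header=y and reports every flow that uses a cleartext protocol the policy forbids. The capture rows are constructed for the example, and the policy table is the example's own.

```python
# Added example: flag cleartext flows in a tshark field export against an encryption policy.
import csv
import io

# Constructed sample in the shape of:
#   tshark -r capture.pcap -T fields -E separator=, -E header=y \
#          -e frame.number -e ip.src -e ip.dst -e tcp.dstport -e _ws.col.Protocol
# Frame 16 is the bare TCP handshake segment; 17 is the HTTP request that follows it.
SAMPLE_CAPTURE = """\
frame.number,ip.src,ip.dst,tcp.dstport,_ws.col.Protocol
14,192.168.0.2,192.168.0.1,22,SSH
15,192.168.0.2,192.168.0.10,443,TLSv1.2
16,192.168.0.1,192.168.0.2,80,TCP
17,192.168.0.1,192.168.0.2,80,HTTP
18,192.168.0.5,192.168.0.20,21,FTP
19,192.168.0.5,192.168.0.20,23,TELNET
20,192.168.0.2,192.168.0.10,443,TLSv1.2
"""

# Hypothetical policy: cleartext protocol -> the encrypted alternative the policy requires.
CLEARTEXT_POLICY = {"HTTP": "HTTPS", "FTP": "SFTP/FTPS", "TELNET": "SSH"}


def parse_capture(text):
    """Parse the comma-separated field export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def policy_violations(rows, policy=CLEARTEXT_POLICY):
    """Return one finding per (src, dst, port, protocol) flow that violates the policy.

    Flows are aggregated so a 10,000-frame HTTP session produces one finding
    with a frame count rather than 10,000 lines of output.
    """
    flows = {}
    for row in rows:
        proto = row["_ws.col.Protocol"].upper()
        if proto not in policy:
            continue
        key = (row["ip.src"], row["ip.dst"], int(row["tcp.dstport"]), proto)
        flows[key] = flows.get(key, 0) + 1
    return [
        {"src": s, "dst": d, "port": p, "protocol": proto, "frames": n, "expected": policy[proto]}
        for (s, d, p, proto), n in sorted(flows.items())
    ]


if __name__ == "__main__":
    for finding in policy_violations(parse_capture(SAMPLE_CAPTURE)):
        print(finding)
```

Only the dissected application protocol is checked, so the handshake segment in frame 16 (protocol column "TCP") is not counted; the HTTP request in frame 17, the FTP flow and the Telnet flow each produce one finding naming the encrypted protocol the policy expects instead.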

Wireless
Protocol analyzers can also capture and analyze wireless frames.

The figure below shows the process of a device sending a probe request packet to find an access point (AP), the AP responding with a probe response (frames 798 and 799), the device attempting authentication and association with the AP (frames 804–810), and the AP requesting user credentials as an EAP message (frames 811 and 812):


Figure: Wireshark Frame List

We know this is 802.11 traffic because there are many frame types not found in wired networks, such as the probe request and probe response frames.

SCAP scanner
Security Content Automation Protocol (SCAP) is a security automation standard for identifying software defects and configuration concerns. It standardizes both the terminology and the data formats involved. A security automation product vendor can obtain SCAP validation, proving that its product will interoperate with other scanners and represent scan findings in a consistent manner.

Understanding the operation of SCAP requires an understanding of its components, which are as follows:
- Common Configuration Enumeration (CCE): These are configuration best practice statements maintained by the National Institute of Standards and Technology (NIST).
- Common Platform Enumeration (CPE): These are methods for describing and classifying operating systems, applications, and hardware devices.
- Common Weakness Enumeration (CWE): These are design flaws in the development of software that can lead to vulnerabilities.
- Common Vulnerabilities and Exposures (CVE): These are vulnerabilities in published operating systems and application software.

The Common Vulnerability Scoring System (CVSS) is a system for ranking discovered vulnerabilities based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed once a vulnerability test is complete.

Scores are awarded on a scale of 0 to 10, with the values having the following ranks:
- 0: No issues
- 0.1 to 3.9: Low
- 4.0 to 6.9: Medium
- 7.0 to 8.9: High
- 9.0 to 10.0: Critical

CVSS is composed of the following three metric groups:
- Base: Characteristics of a vulnerability that are constant over time and across user environments
- Temporal: Characteristics of a vulnerability that change over time but not among user environments
- Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user’s environment

The base metric group includes the following metrics:
- Access Vector (AV): AV describes how the attacker would reach the vulnerability and has the following three possible values:
  - L: Stands for local and means that the attacker must have physical or logical access to the affected system.
  - A: Stands for adjacent network and means that the attacker must be on the local network.
  - N: Stands for network and means that the attacker can exploit the vulnerability from any network.
- Access Complexity (AC): AC describes the difficulty of exploiting the vulnerability and has the following three possible values:
  - H: Stands for high and means that the vulnerability requires special conditions that are hard to find.
  - M: Stands for medium and means that the vulnerability requires somewhat special conditions.
  - L: Stands for low and means that the vulnerability does not require special conditions.
- Authentication (Au): The Au metric describes the authentication an attacker would need to get through to exploit the vulnerability and has the following three possible values:
  - M: Stands for multiple and means that the attacker would need to get through two or more authentication mechanisms.
  - S: Stands for single and means that the attacker would need to get through one authentication mechanism.
  - N: Stands for none and means that no authentication mechanisms are in place to stop the exploitation of the vulnerability.
- Availability (A): The A metric describes the disruption that might occur if the vulnerability is exploited and has the following three possible values:
  - N: Stands for none and means that there is no availability impact.
  - P: Stands for partial and means that system performance is degraded.
  - C: Stands for complete and means that the system is completely shut down.
- Confidentiality (C): The C metric describes the information disclosure that may occur if the vulnerability is exploited and has the following three possible values:
  - N: Stands for none and means that there is no confidentiality impact.
  - P: Stands for partial and means that some access to information would occur.
  - C: Stands for complete and means that all information on the system could be compromised.
- Integrity (I): The I metric describes the type of data alteration that might occur and has the following three possible values:
  - N: Stands for none and means that there is no integrity impact.
  - P: Stands for partial and means that some information modification would occur.
  - C: Stands for complete and means that all information on the system could be compromised.

The CVSS vector looks something like the following:
CVSS2#AV:L/AC:H/Au:M/C:P/I:N/A:N

This vector is read as follows:
- AV:L: Access vector, where L stands for local and means that the attacker must have physical or logical access to the affected system.
- AC:H: Access complexity, where H stands for high and means that the vulnerability requires special conditions that are hard to find.
- Au:M: Authentication, where M stands for multiple and means that the attacker would need to get through two or more authentication mechanisms.
- C:P: Confidentiality, where P stands for partial and means that some access to information would occur.
- I:N: Integrity, where N stands for none and means that there is no integrity impact.
- A:N: Availability, where N stands for none and means that there is no availability impact.

Permissions and access
Access to scanning tools must be closely controlled because scanning devices without being authorized to do so is a crime. The group of users allowed to use these tools should be as small as possible. The use of these tools should also be audited to ensure that the tools are being used in accordance with the rules of engagement.

Execute scanning
Configuring a scan is somewhat specific to the scanning product, but the following are some general recommendations with respect to conducting a scan:
- Test the scanner for the environment and tackle the scan surgically rather than using a shotgun, all-at-once approach.
- Critical business traffic and traffic patterns need to be factored into vulnerability scans because a scan itself adds to network traffic.
- Give some thought to what time scans will be run and also to the time zones in which affected businesses operate.

The following are the high-level steps in conducting a scan:
Step 1: Add IP addresses or domain names to the scan.
Step 2: Choose scanner appliances (hardware or software sensors).
Step 3: Select the scan option. For example, in Nessus, under Advanced Settings, you can use custom policy settings to alter the operation of the scan.

The following are some selected examples:
- global.max_hosts: Maximum number of simultaneous checks against each host tested.
- auto_update_delay: Number of hours to wait between two updates. Four hours is the minimum allowed interval.
- global.max_simult_tcp_sessions: Maximum number of simultaneous TCP sessions between all scans.
- max_hosts: Maximum number of hosts checked at one time during a scan.
Step 4: Start the scan.
Step 5: View the scan status and results.
The figure below shows another option for editing a scan policy (and thus the operations of the scan), using checkboxes and drop-down menus:



Figure: Scan policy in Nessus

Network enumerator
Network enumerators scan the network and collect information on visible users, groups, shares, and services, a process known as device fingerprinting. Network enumerators collect data using protocols like ICMP and SNMP. The figure below shows an example of WhatsUp Gold, which not only detects problems with hosts and other network devices but also allows you to categorize and explore them by problem. Currently, it is configured to show all devices; selecting the devices-without-credentials folder in the tree view shows all devices that are lacking credentials. You may use a network enumerator to locate and organize information on the security posture of all machines in the network without having to physically visit each one.

Refer to the figure below for WhatsUp Gold output:



Figure: WhatsUp Gold Output

Fuzzer
Fuzzers are software tools that, through a process known as fuzzing, detect and exploit flaws in online applications. They work by feeding semi-random data into the program and then looking for problems. They are simple to use, but one of their drawbacks is that they are more likely to identify basic faults than more sophisticated ones. JBroFuzz and WSFuzzer are two tools recommended by the Open Web Application Security Project (OWASP), an organization dedicated to enhancing software security. WSFuzzer is primarily aimed at HTTP-based Simple Object Access Protocol (SOAP) services.

During the development of a web application that would manage sensitive data, a fuzzer can be employed. The fuzzer will assist you in determining whether the program is handling error exceptions correctly. For example, you may notice that if you mistype your credentials on the application’s login page, the software crashes and you are presented with a command prompt. If you wanted to explore the problem, you could use a web fuzzer to exercise the login screen.

The output of a fuzzer named Peach is seen below. It fuzzes the program with a mutator named StringMutator, which changes the input repeatedly. Some input to the tool has caused a crash, as you can see in this output. Peach has confirmed the error by duplicating it. It will send extra information to a log, which you may study to figure out which string value caused the crash.

The figure below gives Peach Fuzzer output:


Figure: Peach Fuzzer Output

HTTP interceptor
Web communication between a browser and a website is intercepted by HTTP interceptors. They allow you to do things that your browser wouldn’t. For example, an HTTP interceptor may accept 300 characters of input but the browser may only allow 50. These tools allow you to simulate what would happen if a hacker managed to get around the browser’s restriction. An HTTP interceptor works similarly to a web proxy in that it monitors both channels of traffic. Burp Suite and Fiddler are two examples of HTTP interceptors.

The figure below shows how Fiddler, a Windows application, may be used to assess the performance of a website:


Figure: Fiddler

HTTP interceptors and fuzzers should both be used for testing web applications. They can also be used to test the proper validation of input.

Exploitation tools/frameworks
Exploitation tools, also known as exploit kits, are a collection of tools used to find and exploit security flaws. They are designed to be used in a wide range of situations. These tools target an application in the same way that a hacker would, allowing them to be used for both good and evil. Some are completely free, while others, like Core Impact, are incredibly costly. An exploit framework creates a consistent environment in which exploit code may be written and executed against a target.

The three most widely used frameworks are as follows:
- Metasploit: This is an open-source framework that ships with hundreds of exploits and payloads as well as many auxiliary modules.
- CANVAS: Sold on a subscription model, CANVAS ships with more than 400 exploits.
- IMPACT: This commercially available tool uses agent technology that helps an attacker gather information on the target.

Metasploit’s web interface is seen below. The attacker (or tester) chooses an exploit from the top panel, followed by a payload from the bottom panel. The tester can utilize the console to interface with the host once the attack has been initiated. Testing programs for security flaws should include using these exploitation frameworks.

Refer to the figure below for Metasploit’s web interface:


Figure: Metasploit Web Interface

Visualization tools
The sheer volume of security data created by the many devices scattered across our environments makes it impossible to determine what is going on in many circumstances. When the same raw data is given to us in a visual style, it becomes a little simpler to spot patterns and trends. It is much simpler to notice a pattern when the data is aggregated and graphed. Let’s imagine you wanted to understand the relative split of security incidents between your Windows and Linux machines. Most tools for this purpose can not only collect all occurrences of a certain category but also graph them over time.

Examples of such graphs may be seen below; many of the tools mentioned in this section are considered visualization tools since they aid in the display and interpretation of raw data:


Figure: Trend analysis

Log reduction and analysis tools

Audit reduction tools are pre-processors that reduce the number of audit records so that human review can be done more quickly. Before a security assessment, these tools can remove the many audit records that are known to have minimal security value. They usually delete records created by specific types of events, such as nightly backups. Some technicians use scripts for this purpose.

Many Linux techs use a Perl script called Simple WATCHer (swatch). The amount of log data that has to be analyzed in large organizations might be fairly significant. As a result, many businesses use a SIEM system, which provides an automated method for analyzing events and determining where the attention should be focused.
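The reduce-then-watch workflow described above, as an added example that is not part of the guide and is not the swatch script itself: known low-value records (the nightly backup job and the scheduled logrotate run) are dropped first, and swatch-style watch patterns are then applied to what remains, with repeated SSH authentication failures from one source grouped so that a burst stands out. The log lines are constructed for the example; the watch patterns match the usual OpenSSH, sudo and su message formats, and the reduction rules and threshold are the example's own.

```python
# Added example: audit reduction followed by swatch-style pattern watching on syslog lines.
import re
from collections import Counter

# Constructed syslog-style sample (not from any real system).
SAMPLE_LOG = """\
Mar  3 01:00:01 fileserv backup[2211]: nightly backup started
Mar  3 01:00:02 fileserv backup[2211]: archived /home (2.1 GB)
Mar  3 01:42:17 fileserv backup[2211]: nightly backup completed
Mar  3 02:14:09 fileserv sshd[3120]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:11 fileserv sshd[3120]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:13 fileserv sshd[3120]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:14 fileserv sshd[3120]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:30:00 fileserv CRON[3301]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
Mar  3 03:05:44 fileserv sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 03:06:02 fileserv su[3410]: Successful su for root by bob
Mar  3 04:00:01 fileserv backup[4010]: nightly backup started
"""

# Audit-reduction rules: records matching these are known to carry minimal
# security value for this review and are removed before anyone reads the log.
REDUCTION_RULES = [
    re.compile(r" backup\[\d+\]: "),                                  # nightly backup chatter
    re.compile(r" CRON\[\d+\]: \(root\) CMD \(/usr/bin/logrotate"),   # scheduled log rotation
]

# swatch-style watch list: (pattern, label). The first pattern also captures user and source.
WATCH_RULES = [
    (re.compile(r"Failed password for (\S+) from (\S+)"), "ssh_auth_failure"),
    (re.compile(r"sudo: (\S+) : .*COMMAND=(.*)$"), "sudo_command"),
    (re.compile(r"Successful su for (\S+) by (\S+)"), "su_success"),
]


def reduce_log(lines, rules=REDUCTION_RULES):
    """Drop every record that matches a reduction rule."""
    return [line for line in lines if not any(r.search(line) for r in rules)]


def watch(lines, rules=WATCH_RULES):
    """Count records per watch label; a record is credited to the first rule it matches."""
    hits = Counter()
    for line in lines:
        for pattern, label in rules:
            if pattern.search(line):
                hits[label] += 1
                break
    return hits


def analyze(text, failure_threshold=3):
    """Reduce, watch, and group SSH failures by source so a password-guessing burst is visible."""
    lines = [line for line in text.splitlines() if line.strip()]
    kept = reduce_log(lines)
    by_source = Counter()
    for line in kept:
        m = WATCH_RULES[0][0].search(line)
        if m:
            by_source[m.group(2)] += 1
    return {
        "records_in": len(lines),
        "records_kept": len(kept),
        "reduction_pct": round(100 * (len(lines) - len(kept)) / len(lines), 1),
        "hits": dict(watch(kept)),
        "brute_force_sources": sorted(src for src, n in by_source.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, five of eleven records are removed before review (a 45.5 percent reduction), and what remains is summarized as four SSH failures, one sudo command and one su, with 203.0.113.7 listed as a source that crossed the failure threshold; in a production pipeline the reduction rules are what you tune most carefully, because a rule that is too broad silently discards evidence.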

Most SIEM products support two ways of collecting logs from log generators, which are as follows:
- Agentless: With this type of collection, the SIEM server receives data from the individual hosts without needing to have any special software installed on those hosts. Some servers pull logs from the hosts, which is usually done by having the server authenticate to each host and retrieve its logs regularly. In other cases, the hosts push their logs to the server, which usually involves each host authenticating to the server and transferring its logs regularly. Regardless of whether the logs are pushed or pulled, the server then performs event filtering and aggregation and log normalization and analysis on the collected logs.
- Agent-based: With this type of collection, an agent program is installed on the host to perform event filtering and aggregation, and log normalization for a particular type of log. The host then transmits the normalized log data to a SIEM server, usually on a real-time or near-real-time basis, for analysis and storage. Multiple agents may need to be installed if a host has multiple types of logs of interest.

Some SIEM products also offer agents for generic formats such as Syslog and SNMP. A generic agent is used primarily to get log data from a source for which a format-specific agent and an agentless method are not available. Some products also allow administrators to create custom agents to handle unsupported log sources.

Each approach has its own set of benefits and drawbacks. The key benefit of the agentless technique is that it eliminates the need to install, configure, and maintain agents on each logging host. The main downside is the lack of filtering and aggregation at the individual host level, which can result in much higher volumes of data being carried over networks and a longer time to filter and analyze logs.

Another drawback of the agentless approach is that the SIEM server may require credentials to authenticate with each logging host.

In certain circumstances, only one of the two techniques is viable; for example, there may be no way to gather logs from a specific server without putting an agent on it. SIEM software often supports a wide range of log sources, including operating systems, security software, application servers (such as web servers and email servers), and even physical security control devices like badge scanners.

Except for generic formats like Syslog, SIEM solutions normally know how to identify the most essential reported information for each supported log source type. This greatly enhances log data standardization, analysis, and correlation compared with software that has only a general awareness of specific log sources and formats. In addition, the SIEM software may conduct event reduction by ignoring data fields that are irrelevant to computer security, possibly lowering the SIEM program’s network traffic and data storage requirements.

The figure below shows the output from a SIEM system; notice the various types of events that have been recorded:


Figure: SIEM Output

Host tool types
In some cases, you are concerned with assessing the security of a single host rather than the network in general. This section looks at tools that are appropriate for assessing host security and issues for which they might be indicated.

Password cracker
Password crackers are programs that do what their name implies: they attempt to identify passwords. These programs can be used to mount several types of password attacks, including dictionary attacks and brute-force attacks, which are explained as follows:
- In a dictionary attack, an attacker uses a dictionary of common words to discover passwords. An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file. While the program comes with a dictionary, attackers also use extra dictionaries that are found on the Internet. To protect against these attacks, you should implement a security rule which says that a password must not be a word found in the dictionary.
- Brute-force attacks are more difficult to perform because they work through all possible combinations of numbers and characters. These attacks are also very time-consuming. The best countermeasures against password threats are to implement complex password policies, have users change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.
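The countermeasure the list above recommends, a rule that a password must not be a dictionary word, is only effective if the check sees through the substitutions a cracker's mangling rules undo automatically. The following Python is an added example, not code from the guide: a password-policy check that enforces length and character classes and rejects passwords whose base word is in a dictionary, after lower-casing, stripping leading and trailing digits or symbols, and reversing common letter-to-symbol substitutions. The small word list, the thresholds and the substitution table are the example's own; a real deployment would load a full cracking word list.

```python
# Added example: password-policy check that rejects dictionary-based passwords.
import re

# Constructed stand-in for a cracking dictionary (a real check loads a full list).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "admin", "company"}

# Common symbol-for-letter substitutions; to a cracker "p@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a", "7": "t"})


def _strip_ends(s):
    """Remove leading/trailing non-letters, e.g. 'welcome2024!' -> 'welcome'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def base_words(candidate):
    """Candidate base words a cracker would recover from the password.

    Both orders are tried because they expose different disguises:
    substitute-then-strip catches '$ummer', strip-then-substitute catches 'Welcome2024!'.
    """
    low = candidate.lower()
    return {_strip_ends(low.translate(LEET)), _strip_ends(low).translate(LEET)}


def check_password(candidate, min_length=12, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("uses fewer than three character classes")
    hits = sorted(b for b in base_words(candidate) if b in dictionary)
    if hits:
        problems.append(f"based on dictionary word '{hits[0]}'")
    return problems


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "Welcome2024!", "$ummer", "Mango#Trellis42"]:
        print(pw, "->", check_password(pw) or "OK")
```

The same normalization is what makes "p@ssw0rd" and "Welcome2024!" fail here even though both satisfy a naive character-class rule; running this check at password-set time removes exactly the passwords a dictionary attack with mangling rules would recover first.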

Cain and Abel is a well-known password-cracking program that sniffs the network, cracks encrypted passwords using the dictionary, brute-force, and cryptanalysis attacks, records VoIP conversations, decodes scrambled passwords, reveals password boxes, uncovers cached passwords, and analyses routing protocols.

The figure below illustrates the Cain and Abel output:



Figure: Cain and Abel Output

As you can see, each account can be subjected to a variety of attacks. This example illustrates a search of the local system for user accounts, and the software finds three – Admin, Sharpy, and JSmith. You may use the application to execute a brute-force attack or a variety of different attacks on that account.
 

John the Ripper is another example of a password cracker. It identifies weak UNIX passwords, but it also supports hashes for a variety of other platforms.

There are three versions of John the Ripper – a free official version, a community improved version (with numerous contributed patches but less quality assurance), and a cheap pro version. If you’re having trouble enforcing strong or complicated passwords and need to uncover weak passwords on your network, you may use a password cracker to determine which ones are weak and perhaps crack them. If assessing password security is time-sensitive, save the password file to one of your more powerful PCs (a cluster is even better) and execute the password cracker on that platform. This way, you’ll be able to use the extra resources to complete the audit more rapidly.

Host vulnerability scanners
Like network vulnerability scanners, host scanners scan for vulnerabilities, but only on the host on which the tool is installed. Many scanners can do both. The Microsoft Baseline Security Analyzer is a host scanner that can also scan multiple hosts at once. It returns a clean list of all vulnerabilities and prioritizes them, as shown below:


Figure: Microsoft Baseline Security Analyzer Output

Command-line tools
Many local command-line utilities are available in both Windows and Linux/UNIX for making security assessments as well. While not as user-friendly as some of the more automated tools, they are preferred by many of the more experienced people in the field for their flexibility, even though they require more knowledge and background to use. The following sections discuss several security-related command-line tools.

Netstat
On a TCP/IP-based system, the netstat (network status) command is used to see what ports are listening. The -a option displays all ports, whereas /? displays what additional options are available. (The options vary depending on the operating system.) The current connections are displayed when the program is run without any switches, as shown below. Netstat can help you figure out which ports are open and which services/protocols are using them. These open ports might put the host’s security at risk.

The figure below shows the Netstat output:


Figure: netstat Output

Each line of Netstat output lists the source IP address and port number, the destination IP address or hostname, and the state of the connection.

The following are the possible states:
- LISTEN: Represents waiting for a connection request from any remote TCP connection and port.
- SYN-SENT: Represents waiting for a matching connection request after having sent a connection request.
- SYN-RECEIVED: Represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
- ESTABLISHED: Represents an open connection, and the data received can be delivered to the user. This is the normal state for the data transfer phase of the connection.
- FIN-WAIT-1: Represents waiting for a connection termination request from the remote TCP connection or an acknowledgment of the connection termination request previously sent.
- FIN-WAIT-2: Represents waiting for a connection termination request from the remote TCP connection.
- CLOSE-WAIT: Represents waiting for a connection termination request from the local user.
- CLOSING: Represents waiting for a connection termination request acknowledgment from the remote TCP connection.
- LAST-ACK: Represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP connection (which includes an acknowledgment of its connection termination request).
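Reading netstat output by eye works for one host; the following Python is an added example, not code from the guide, of doing the same review programmatically. It parses Linux-style netstat -ant output (constructed for the example, with state names spelled as Linux prints them, so SYN_RECV rather than SYN-RECEIVED), counts connections per state, lists the listening sockets, and flags legacy cleartext services that are bound to all interfaces. The sample output, the list of legacy ports and the helper names are the example's own.

```python
# Added example: parse netstat output, summarize TCP states, flag exposed legacy services.
from collections import Counter

# Constructed sample in the shape of Linux `netstat -ant` output (not a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         203.0.113.7:51244       ESTABLISHED
tcp        0      0 192.168.1.10:22         203.0.113.7:51250       ESTABLISHED
tcp        0      0 192.168.1.10:80         198.51.100.23:40112     TIME_WAIT
tcp        0    308 192.168.1.10:445        198.51.100.88:61002     SYN_RECV
tcp6       0      0 :::80                   :::*                    LISTEN
"""

WILDCARDS = {"0.0.0.0", "::", "*"}          # bound to every interface
# Services that carry credentials in cleartext; listening on all interfaces is a finding.
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet", 69: "tftp", 512: "rexec", 513: "rlogin", 514: "rsh"}


def split_addr(addr):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); ':::80' -> ('::', 80); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line (tcp/udp), skipping headers."""
    rows = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        parts = line.split()
        proto, local, remote = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""   # UDP lines have no state column
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport, "state": state})
    return rows


def state_counts(rows):
    """How many sockets are in each TCP state (the states listed above)."""
    return Counter(r["state"] for r in rows if r["state"])


def listening(rows):
    """Sorted (bind address, port) pairs for every LISTEN socket."""
    return sorted((r["local_host"], r["local_port"]) for r in rows if r["state"] == "LISTEN")


def exposed_legacy_services(rows):
    """Legacy cleartext services listening on a wildcard address."""
    return [
        {"port": r["local_port"], "service": LEGACY_CLEARTEXT[r["local_port"]], "bind": r["local_host"]}
        for r in rows
        if r["state"] == "LISTEN" and r["local_host"] in WILDCARDS
        and r["local_port"] in LEGACY_CLEARTEXT
    ]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(rows)))
    print(listening(rows))
    print(exposed_legacy_services(rows))
```

On the sample, MySQL on 127.0.0.1:3306 is not reported because it is bound to loopback only, while Telnet on 0.0.0.0:23 is; the single SYN_RECV entry on port 445 is a half-open connection, which is normal in ones and twos but worth watching when it appears in bulk.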

Ping
To verify the connection between two devices, the ping command uses ICMP. Ping is one of the most helpful commands in the TCP/IP suite. It transmits a sequence of echo request packets to another system, which answers each with an echo reply. When troubleshooting problems with remote hosts, the ping command can be very useful: it shows whether or not the host can be contacted and how long it takes the host to respond. On a LAN, the time is typically displayed as less than 10 milliseconds; on WAN links, this figure can be significantly higher. When the -a parameter is used, ping also tries to resolve the hostname associated with the IP address.

A successful Ping is shown below:


Figure: Successful Ping
The figure below shows an unsuccessful Ping. In this case, the request timed out, which typically means the host is off or disconnected from the network. When the destination cannot be reached, an error code is displayed.

Refer to this figure for failed Ping:



Figure: Failed Ping

The most common of these codes are as follows:
- Destination unreachable: This indicates that the IP datagram could not be forwarded. This also includes an error code (number) that indicates more detail—for example, that there is no routing table entry or the destination is reachable but did not respond to ARP.
- Request timed out: This indicates that the TTL of the datagram was exceeded. This means you did not even get a response from a router. This can occur if the router is configured not to respond to ICMP, which is not uncommon. This is the situation in the failed-ping figure above.

Although there are easier ways to do this with other tools, such as Nmap, you can perform a ping sweep from the Windows command prompt with a single for loop, as follows (note the space after "in"; inside a batch file, write %%i in place of %i):
for /l %i in (1,1,254) do ping -n 1 -w 100 <first three octets of host network>.%i

For example, to sweep the 192.168.1.0 network, you can use the following command:
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

Tracert/traceroute
The traceroute command (in Linux and UNIX; tracert in Windows) is used to trace a packet's journey through the network. Its most useful purpose is determining where a packet is lost in the network. It displays each hop (router) that the packet passes through, as well as the time it takes to reach each one.

A traced route to www.nascar.com is shown in part below. This command may also be used to record the route to a target and show it visually from within Nmap (Zenmap); graphical results are often simpler to interpret than command-line output. Each line indicates a hop, or a network that the communication passed through (that is, a router). Many times, these routes cannot be completely mapped because ICMP is blocked at the edge of the network in which the destination resides.

The figure below illustrates the Tracert output:

Figure: Tracert Output

Ipconfig/ifconfig
The ipconfig command is used to view the IP configuration of a device and, when combined with certain switches or parameters, can be used to release and renew the lease of an IP address obtained from a DHCP server and to flush the DNS resolver cache. Its most common use is to view the current configuration.

The figure below shows its execution with the /all switch, which results in a display of a wealth of information about the IP configuration:

Figure: Ipconfig Output

Ipconfig may be used to release and renew a DHCP server configuration by executing the ipconfig /release command first, then the ipconfig /renew command. It’s also good to note that after fixing a configuration issue (such as an IP address) on a target device, you should use the ipconfig /registerdns command to make sure that the device registers its new IP address with the DNS server. It may also be essential to remove any remaining inaccurate IP address-to-hostname mappings on the devices attempting to reach the destination device. This may be done with the ipconfig /flushdns command. The command to use on a Linux or UNIX system is ifconfig, not ipconfig.

The figure below shows an example of the command and its output on Linux; the ifconfig command with the -a option shows all network interface information, even if the network interface is down:

Figure: ifconfig Output

Nslookup/dig
These tools allow us to interact with a DNS server and even exchange and update records with the server (if allowed). During an assessment they can be used to verify that such an exchange is not possible. Allowing such updates would permit DNS poisoning (DNS pollution), which can lead to users being directed to phishing sites.

Sysinternals
Sysinternals is a collection of more than 70 Windows tools that can be used for both troubleshooting and security issues. Some of the utilities contained in Sysinternals are listed below:

Figure: Sysinternals Security Utilities

OpenSSL
OpenSSL is a library of software functions that support the use of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Once OpenSSL is installed, a set of commands becomes available. OpenSSL is open source and written in C.

The following are some of the functions you can perform with this tool:
- Generate a certificate request
- Generate a self-signed certificate
- Generate a self-signed key
- Test an SSL server

Local exploitation tools/frameworks
Exploitation tools and the frameworks in which they operate are effective tools for detecting security flaws. When running a local exploitation framework, certain attack modules may be excluded because their targets are known not to be present in the environment. If you don't have any Mac machines, for example, you may leave out Mac vulnerabilities.

In another example, you may write an exploit for an application that you built yourself.

SCAP tool
SCAP is a standard used by the security automation industry to identify software flaws and configuration concerns. Programs and applications are beginning to adopt SCAP's terminology and formats as the computer industry accepts the standard. The Microsoft System Center Configuration Manager Extensions for SCAP is a good example of this. It transforms SCAP data files to Desired Configuration Management (DCM) Configuration Packs and DCM reports to SCAP format.

File integrity monitoring
Malware and malicious users frequently alter files without permission. These files are often data files, but they can also be system files. Modifications to data files are unpleasant, but changes to system files can put a whole system at risk. File integrity monitoring software is the solution: it creates a hash value for each system file and validates it at regular intervals. This entire procedure is automated, and if an altered system file is identified, it is automatically replaced. Tripwire is a third-party application that does this, and Windows has a utility called System File Checker (SFC) that does the same thing. SFC is a command-line application for checking and verifying system file versions on a computer. If system files are corrupted, SFC replaces the corrupted files with the correct versions. The switches vary a bit between different versions of Windows. The syntax for the SFC command is SFC [switch].

Log analysis tools
Earlier in this guide you learned how to use both scripts and filters to remove the clutter in network device logs so that you can focus on serious events. Most local audit logs, on the other hand, include built-in filters that may be used to zero in on more critical incidents. These filters can be configured as either display or capture filters. Consider the situation when you suspect a user of stealing another user's password and you want to know whether the suspect has used the password from his or her own workstation. It might be tough to find what you're searching for in the midst of all the security events. One approach is to filter so that only successful logon events are shown.

For example, as shown below, the Windows Security Log is filtered to show only the audit success events:

Figure: Windows Security Log
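The same filtering logic, as an added Python example that is not part of the guide: it works on constructed event records shaped like Windows Security Log entries (event ID 4624 is a successful logon, 4625 a failed one) and answers the question from the scenario above, namely which successful logons for an account came from a workstation other than its usual one.

```python
from collections import defaultdict

# Constructed sample events in the shape of Windows Security Log entries.
# LogonType 2 = interactive (at the keyboard), 3 = network (for example, a share).
EVENTS = [
    {"EventID": 4624, "Keywords": "Audit Success", "TargetUserName": "alice",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.0.11", "LogonType": 2, "Time": "09:01"},
    {"EventID": 4625, "Keywords": "Audit Failure", "TargetUserName": "alice",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.0.12", "LogonType": 3, "Time": "09:15"},
    {"EventID": 4624, "Keywords": "Audit Success", "TargetUserName": "alice",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.0.12", "LogonType": 3, "Time": "09:16"},
    {"EventID": 4624, "Keywords": "Audit Success", "TargetUserName": "bob",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.0.12", "LogonType": 2, "Time": "08:30"},
]


def audit_success_only(events):
    """The display filter from the figure: keep only Audit Success events."""
    return [e for e in events if e["Keywords"] == "Audit Success"]


def logons_from_other_workstations(events, account, home_workstation):
    """Successful logons for `account` that did not originate at its usual workstation."""
    return [e for e in audit_success_only(events)
            if e["EventID"] == 4624 and e["TargetUserName"] == account
            and e["WorkstationName"] != home_workstation]


def accounts_per_workstation(events):
    """Which accounts logged on successfully from each workstation (spots shared credentials)."""
    seen = defaultdict(set)
    for e in audit_success_only(events):
        if e["EventID"] == 4624:
            seen[e["WorkstationName"]].add(e["TargetUserName"])
    return {ws: sorted(users) for ws, users in seen.items()}


if __name__ == "__main__":
    for e in logons_from_other_workstations(EVENTS, "alice", "WS-ALICE"):
        print(f'{e["Time"]} {e["TargetUserName"]} logged on from {e["WorkstationName"]} '
              f'({e["IpAddress"]}), logon type {e["LogonType"]}')
    print(accounts_per_workstation(EVENTS))
```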

Some good examples of log analysis tools are as follows:
- Loggly: This tool has both free and paid plans per month. It makes it easy to weed out the noise and perform full-text searches.
- Logentries: This cloud-based system also comes in both free and paid plans. You can filter logs in real-time and can tag important events, so you can return at a later time.
- GoAccess: This terminal-based tool is open source and free to use. You can generate the report in HTML or CSV format, and you can filter by application or use custom parameters.
- Graylog: This open-source tool has many large customers, such as Cisco. It makes it easy to parse logs from any data source, and it can search terabytes of data almost instantly.

Antivirus
While many scenarios that we face are new, one is not – the ever-present danger from malware. While many are still fighting this battle using traditional premises-based anti-malware tools, new approaches have emerged.

Cloud antivirus products run not on the local computer but in the cloud, creating a smaller footprint on the client and utilizing the processing power in the cloud. They have the following advantages:
- They allow access to the latest malware data within minutes of the cloud antivirus service learning about it.
- They eliminate the need to continually update the antivirus software.
- The client is small, and it requires little processing power.

Cloud antivirus products have the following disadvantages:
- There is a client-to-cloud relationship, which means these products cannot run in the background.
- They may scan only the core Windows files for viruses and not the whole computer.
- They are highly dependent on an Internet connection.

Anti-spam services can also be offered from the cloud. Vendors such as Postini and Mimecast scan your email and then store anything identified as problematic on their server, where you can look through the spam to verify that it is, in fact, spam.

Reverse engineering tools
Reverse engineering may be used to solve a variety of security problems. When a host is breached, reverse engineering techniques may be used to determine the facts of the breach, including how the attacker gained access to the system and the measures taken to breach it. Applied to malware, reverse engineering refers to the use of tools to break down a sample in order to understand its purpose and how to neutralize it; in that case the work is done in a sandbox environment to prevent the malware from spreading. Reverse engineering tools are recommended for analyzing and sandboxing zero-day malware, and for when a host has been hacked and safely isolated and you want to uncover the specifics of the breach so as to be better prepared for the future.

The Infosec Institute recommends the following as the top reverse engineering tools for cybersecurity professionals:
- Apktool: This third-party tool for reverse engineering can decode resources to the nearly original form and re-create them after making some adjustments.
- dex2jar: This lightweight API is designed to read the Dalvik Executable (.dex/.odex) format. It is used with Android and Java .class files.
- diStorm3: This tool is lightweight, easy to use, and has a fast decomposer library. It disassembles instructions in 16-, 32-, and 64-bit modes. It is also the fastest disassembler library. The source code is very clean, readable, portable, and platform-independent.
- edb-debugger: This is the Linux equivalent of the famous Olly debugger on the Windows platform. One of the main goals of this debugger is modularity.
- Jad debugger: This is the most popular Java decompiler ever written. It is a command-line utility written in C++.
- Javasnoop: This Aspect Security tool allows security testers to test the security of Java applications easily.
- OllyDbg: This is a 32-bit, assembler-level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it useful in cases where the source is unavailable.
- Valgrind: This suite is for debugging and profiling Linux programs.

Physical security tools
Without physical security, other forms of security are useless. Below are several host physical security assessment tools.

Lock picks
Lock picks are tools used to test the ability of your physical locks to withstand someone picking them. These are the same tools used by a professional locksmith to open a lock when hired to do so, and they are one of the reasons many organizations have moved away from using physical locks.

The figure below shows examples of some lock picks. If a facility uses physical locks, the locks should be checked to see if they are susceptible to these tools; it may even be advisable to hire a locksmith to attempt to open them:

Figure: Lock Picks

Locks
Door locks can be either mechanical or electronic. Electronic locks, or cipher locks, use a keypad that requires the correct code to open the lock. These are programmable, and organizations that use them should change the codes frequently.

Another type of door security system is a proximity authentication device, with which a programmable card is used to deliver an access code to the device either by swiping the card, or in some cases, by just being in the vicinity of the reader.

These devices typically contain the following electronic access control (EAC) components:
- An electromagnetic lock
- A credential reader
- A closed-door sensor

Locks are also used in places other than doors, such as protecting cabinets and securing devices.

The types of mechanical locks with which you should be familiar are as follows:
- Warded locks: This type of lock has a spring-loaded bolt with a notch in it. The lock has wards, or metal projections, inside the lock with which the key will match to enable opening the lock. A warded lock design is shown below:

Figure: Warded Lock

- Tumbler locks: This type of lock has more moving parts than the warded lock, and the key raises the lock metal piece to the correct height. A tumbler lock design is shown below:

Figure: Tumbler Lock

- Combination locks: This type of lock requires rotating the lock in a pattern that, if correct, lines the tumblers up, opening the lock. A combination lock design is shown below:

Figure: Combination Lock

In the case of device locks, laptops are the main item that must be protected because they are so easy to steal. Laptops should never be left in the open without being secured to something solid with a cable lock, a vinyl-coated steel cable that connects to the laptop and locks around an object.

RFID tools
Malicious individuals use Radio-frequency identification (RFID) tools to steal the proximity badge information from an unsuspecting employee who physically walks near the concealed device.

One example is the Tastic RFID Thief by Bishop Fox. Specifically, it targets 125 KHz, low-frequency RFID badge systems used for physical security, such as those used in HID Prox and Indala proximity products. Alternatively, it could be used to weaponize a 13.56 MHz, high-frequency RFID reader, like those for HID iCLASS access control systems.

When RFID systems are in use, penetration tests should include testing the vulnerability of systems to the capture of such RFID credentials as their capture could lead to serious physical security issues.

IR camera
An infrared camera is a camera that forms an image using infrared radiation and can capture images in the dark. These cameras can also detect motion in the area, making them a good choice for surveillance. When physical security assessments are performed, these devices should be fully tested to ensure that they capture all intrusion attempts.

Conclusion
This guide discussed various tools related to the security assessment of networks. It also presented a brief overview of the host-related tools used to assess vulnerabilities that might be present on an individual host.

Such tools include password crackers, vulnerability scanners, command-line tools, local exploitation tools and frameworks, SCAP tools, file integrity monitoring utilities, log analysis tools, antivirus, and reverse engineering tools.

Physical security tools and devices used to assess the security of an environment, including lock picks, RFID tools, and IR cameras, were also discussed.