What tools do security professionals and hackers rely on? It's a question whose answer changes as quickly as the online threat landscape, but there are some favourites in the current toolkit that never go out of fashion.
Far from being major, comprehensive attack platforms, these utilities usually do one obscure thing quickly and reliably. Their developers simply keep updating them to add new facilities and, crucially, to make them easier to use.
Article continues below
Some of these utilities are online, while others can be carried on a USB pen drive. The common factor is that they're available to anyone. While every security researcher and hacker typically carries a small armoury of such tools, they have their own ways of using them to assess security or mount attacks.
The first step in mounting an attack or securing an online information resource is to assess what is visible to others over the internet. For large organisations, more than just the mail and web servers will be visible. Sometimes this is a mistake on the part of the network administrator, but sometimes it's done for misplaced expediency.
However, both these reasons can lead to a full-scale exploit of the internal network. The best and safest way to assess what's visible is to use a public Dig service.
Dig stands for 'Domain Information Groper'. Such services interrogate the global DNS system for details about a target. Using a Dig service, you can uncover several classes of information, including the local DNS servers, web servers and mail servers (mail exchangers in DNS speak). It's sometimes also possible to uncover plenty of addresses of computers that really shouldn't be online, but which someone has added to DNS in the mistaken belief that others won't know they're there.
This goes against the maxim that 'security through obscurity is no security'. One such Dig service is provided here. To get started, enter the name of a domain (without the 'www.') and click the button marked 'Dig'. Depending on how much information DNS holds about a domain, Dig's output can be very comprehensive, and gives a good overview of the parts of a network that can be seen from the internet.
The most important part of this information begins after the line containing the words 'ANSWER SECTION'. This gives the fixed IP addresses of any internet-facing servers. For a website hosted by a third-party company, this will be the IP address of the shared server on which the site resides.
You can focus the information returned by selecting the 'Type' dropdown menu. 'Network addresses' will return only the IP addresses of any server that can be contacted directly. You can also return only information about the mail exchangers and the domain's authoritative DNS nameservers.
Most Dig services let you try something called a zone transfer. This shouldn't be possible these days, but back when network administrators were less focused on security than keeping internet connectivity going, zone transfers were possible from many DNS nameservers.
A zone transfer is a transfer of authoritative domain information. It's meant to occur only between nameservers, but poorly configured nameservers will let anyone request one.
A zone transfer contains a long list of computers and their IP addresses, which, while not listed in DNS, have a direct connection to the internet and are vulnerable to attack. This information is ideal for hackers, who need to scan a range of IP addresses to build a list of targets without tripping any intrusion detection systems.
The next step is knowing which hosts are available on a network, and what ports they have open. The great granddaddy of port mappers is NMap.
It's grown into an essential tool for anyone interested in online security. NMap was originally a Linux command line tool, but it's been ported to Windows and given a snazzy GUI front end called Zenmap. The underlying NMap has a huge number of command line options, but Zenmap makes it considerably easier to use. Get the Windows version here.
The installer includes the WinPcap driver software that forms the special packets needed to probe the TCP/IP stacks of remote hosts, and gain information identifying the OS running on that host.
Once installation is complete, run Zenap and the user interface should appear. Enter the IP address of a computer on your own network in the 'Target' box, and select 'Quick scan' on the 'Profile' menu. Click 'Scan'. This produces an overview of which ports are open and listening on the target PC. This includes the MAC address of the target's network card, which Zenmap uses to determine the manufacturer.
This is the kind of information that a hacker will use to look up exploits that may grant him access or the ability to create mayhem due to bugs in the firmware on the network card. For a more comprehensive view of the machine, select 'Intense scan, all TCP ports' and click 'Scan'.
This fires a large number of packets at all 65535 ports on the target PC. It also interrogates the machine, revealing clues about its running OS. This information is vital in determining the next course of action to penetrate the system.
One of Zenmap's particularly useful features is the ability to scan an entire subnet for targets, which it then interrogates for details. Simply substitute the last number in the IP address for an asterisk ('192.168.0.*' for example). This is also a great way to see if anything has been connected to your network secretly.
Once we know what targets are available to a hacker who has penetrated our defences and can see our network, the next task is to try to discover what facilities each machine offers for exploit. This is important because, even if the hacker can't exploit them directly, they may well be able to interrogate them to produce much more useful information.
NBTEnum, originally written by Reed Arvin, is a very old utility that is now difficult to find, but don't let its age or obscurity fool you. NBTEnum can uncover shockingly large amounts of information from an unprotected Windows PC just by asking for it. You can currently download NBTEnum from the Packet Storm security website.
Open the ZIP file and move the contents into a new folder. NBTEnum is a command line utility, so open a command prompt and navigate to its directory.
To run enum, enter the command NBTEnum -q <ip address>, substituting the address of a Windows PC on your network where appropriate. If the target accepts connection requests via its NetBIOS service, NBTEnum will create a web page detailing what this shockingly indiscrete service tells it.
Open this in a browser and you should, at minimum, see that NBTEnum has enumerated the shares (if any) that the target says are available for remote mounting. If you know a username and password on the target computer, you can reveal a huge amount of information.
Enter NBTEnum -s <IP address> <username> <password>, making the necessary substitutions. NBTEnum generates more verbiage, but the resultant web page can offer masses of detail.
NBTEnum can also recover the open shares, users and groups, whether accounts are enabled, their lockout threshold and on Windows 7, a full list of services including which ones are currently running. This is all still possible because so many people insist on having no password, one that is simply guessed, or one that is the same as their username.
When I was a network security consultant, finding a network populated by targets running older versions of Windows usually meant a day running NBTEnum against them with a username of 'Guest' and no password. By default, the guest account was enabled and unprotected - perfect to shock network administrators into disabling such accounts.
We live in an increasingly wireless world, but the nature of a wireless signal means the information it carries is broadcast over a wide area. There are a large number of tools that can be used to survey the local Wi-Fi landscape, but one of the best is the Windows port of InSSIDder 2 by Metageek. You can download InSSIDer here.
When run, InSSIDer begins discovering and enumerating the Wi-Fi networks in range. The top half of the interface fills with details of the networks, including their security level. Those with 'none' are wide open for anyone to log in and look around. Those using the older WEP protection are potentially vulnerable to attack, because the algorithm has weaknesses that can be exploited.
In the average neighbourhood, there could be as many as three dozen networks in range, some without any protection. InSSIDer's also displays the Wi-Fi channel used by each router within range.
Change yours to a channel not used in your area and you could see an improvement in overall data transfer speeds.