November 3, 2008
Building a Security Tool Chest – Part 2 – Recon Tools
The previous article gave us a base point to begin building our tool chest with two Live CDs
that provide a wide array of security tools. This article is going to cover the first
phase of an assessment: information gathering and reconnaissance. I have put together
a list of the top 10 most useful utilities and websites I use on a daily basis for
security related assessments.
Device and service enumeration –
1. Nmap – Perhaps the most well known security tool ever created. At its core,
Nmap is a port scanner. Over the years it has evolved to incorporate OS detection,
service version detection, and ACL verifier. It is free, well documented and runs
on every major operating system. (http://www.nmap.org/)
2. Superscan – A feature rich Windows port scanner, pinger, DNS resolver utility.
It may not get as much press as Nmap but it if you are a more GUI oriented individual
and prefer to use as many Windows based tools as possible Superscan will provide all
the features you need in a port scanner. (http://www.foundstone.com/us/resources/proddesc/superscan4.htm)
Banner capture and port probing –
3. Netcat / Cryptcat – Netcat and cryptcat are two bare-bones networking tools
that allow you to connect to network services and feed and receive input directly
with those services. They are excellent for interrogating services that use cleartext
to communicate. They can also be used to create communication tunnels between devices
for either executing remote commands or piping other types of traffic out permitted
ports through a firewall. (http://netcat.sourceforge.net/, http://sourceforge.net/projects/cryptcat/)
4. Banner Grab – Capturing the banners from network services is a good method
to determine which versions is running. Banner Grab supports most major cleartext
and SSL based network services. (http://sourceforge.net/project/showfiles.php?group_id=204334)
DNS Investigation –
5. SamSpade / Whois amp; dig – SamSpade is a Windows utility that has become
the Swiss army knife of DNS investigations. It incorporates many of the command line
utilities found in a Linux environment into an easy to use Windows application. It
includes dig, nslookup, reverse DNS lookup, whois queries, zone transfers and more.
6. ARIN – The American Registry for Internet Number (ARIN) allocates and maintains
contact records for all the IP address blocks assigned to organizations within
. Their database can help determine the IP subnets assigned to a corporation or organization.
Many organizations do not use generic contact addresses in this type of registration
so often times you are able to identify a point of contact using these records. (http://www.arin.net/whois/index.html)
Corporate Reconnaissance –
7. LinkedIn – LinkedIn is now the number professional networking website on
the Internet. Through it you can identify individuals who work for various organizations.
Many people post additional personal details on these types of sites and they can
be very useful in creating social engineering types of exercises against an organization.
8. EDGAR – The Electronic Data Gathering, Analysis and Retrieval System (EDGAR)
database is run by the SEC and collects information from all publically traded companies.
It is a valuable source about corporate management and business performance. (http://www.sec.gov/edgar.shtml)
9. GHDB amp; Google – The Google Hacking Database (GHDB) is a collection of
Google queries designed to help location documents and information that some many
not wish to have indexed and be easily searchable publically. The GHDB has been incorporated
into a number of web application scanning toolkits but can also be used in a more
manual process by anyone wishing to locate certain types of information via Google’s
massive index of the web. (http://johnny.ihackstuff.com/ghdb.php, http://www.google.com)
Vulnerability Identification –
10. CVE amp; OSVDB – These two web sites hold repositories of vulnerabilities
for a very large number of applications. They are extremely useful once the version
information of services and software running on a target system have been identified.
They also provide a central reference to all known vulnerabilities and use a well
formatted number convention for convenient use as references.(http://cve.mitre.org/, http://www.osvdb.org/)
These 10 website and tools are a small sampling of what is available to use in reconnaissance.
However, they will provide anyone with a very solid foundation and allow you to collect
a large and board amount of information about an organization without ever stepping
foot in the door.