December 5, 2002

Keeping the network secure is high on the priority list of all companies these days, given all the security threats in the recent past. Unfortunately, since security is perceived as a complicated subject, and rightly so, most networks remain vulnerable and open to attacks. This article serves as a basic guide to auditing your networks for security.

Before we get down to the brass tacks, a bit on networks. Modern networks run on a huge cocktail of protocols. Everyone has heard of TCP/IP, but there is also UDP, IPX/SPX, NetBIOS etc. Each of these has its strengths and weaknesses, which can be exploited in many ways. For example, let's take IP (Internet Protocol). IP's biggest weakness is probably its lack of authentication. A packet simply claims to be coming from a certain machine, and there is no way to be sure if this information is reliable. This gives rise to attacks such as IP spoofing (which can take advantage of services like rlogin to gain unauthorized access) and IP session hijacking (taking control of someone else's session on a network). Then there are attacks such as DoS (Denial-of-Service), which can be devastating for companies hosting their own mail/web servers.

Nessus determines loopholes in security by attacking the servers

Intrusions can occur from within the organization as well. It could be a disgruntled employee, or simply someone who decided to 'borrow' access to an insecure wireless access point. These can be all the more dangerous because they have high-speed 24/7 access to your network. Monitoring a network is crucial in such situations. Insecure machines on a corporate intranet are one of the greatest threats to security. People on the inside as well as outside can exploit old, bug-ridden software to take control of machines. It is this threat that we will try to combat the most in this article.

Backups, no single point of failure, OS patches, security advisories, firewalls, secure modems, crypto-capable routers, virtual private networks etc. etc. and the list goes on and on. You can never have absolute security. The only secure computer is one that is unplugged from the network, bolted in a safe and sitting on the ocean floor. The best way to find security vulnerabilities is to do the same thing that the hacker would: scan and attack! Of course you mustn't forget to get a good and trustworthy network administrator who knows his security to do this. We checked out two utilities in this article, Nessus and Snort, which can be used for attacking and scanning respectively.

Offensive scanning
Nessus is an application that goes on the offensive. A great tool for auditing networks, it scrutinizes machines looking for bugs that have the potential to be exploited for malicious use. It is made up of two parts: a server, which performs the attacks, and a client that serves as the frontend. The server can run only on POSIX systems (Solaris, FreeBSD, Linux etc.), whereas the client has the additional capability of running on Windows. To install the server, copy the package from this month's CD to your home directory and execute as follows.

Assuming all the package dependencies work out, Nessus will install itself and place the binaries in their appropriate locations. After installation, create user accounts for all the administrators using 'nessus-adduser'. Finally, run the Nessus daemon using 'nessusd -D'.

If you want, install the client on a Windows machine and run it. Give it the IP address of the POSIX machine the server is installed on and a username, and click on connect. The client communicates with the server using SSL by default, and will ask for a password after connecting. After this, the procedure is as simple as selecting the hosts to be scanned and the tests that are to be done on them. One word of warning though: Nessus also tries to exploit holes in OSs and applications. Thus, before launching a potential DoS attack on a server, make sure it's not busy serving hundreds of users, else you'll end up answering them instead of testing for security. After scanning, you can generate a report on all the hosts that were scanned and the weaknesses that were found. This report can be saved in HTML, TXT or PDF format and can be very useful for consulting later.

Snort internals
A typical entry in a Snort rule file looks like this:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; sid:1329; classtype:web-application-attack; rev:4;)
Here, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are variables set in the main config file (snort.conf). If this rule matches "ps " (ps%20, a URL-encoded space) in any URL, it generates an alert carrying the text given in the msg: option. This alert is routed to the screen or a log file depending on how Snort was invoked. To see more on writing rules visit
Once an alert is logged, here’s how it would be entered in the alert file: 
[**] [117:1:1] (spp_portscan2) Portscan detected from 1 targets 21 ports in 1 seconds [**]
11/20-03:22:40… -> TCP…
This represents a machine with IP address being port scanned from
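To make the rule anatomy above concrete, here is an added example written for this article (it is not Snort's own code): it parses the quoted rule into its header fields and option list, stands in constructed values for the snort.conf variables, and runs a handful of constructed HTTP requests through the rule, producing alert lines in the [**] [gid:sid:rev] msg [**] style shown above. The HOME_NET range, the HTTP server address, the port list and the request URIs are all made up for the demonstration; flow:to_server,established is taken as satisfied because every constructed request is a client-to-server request, and only the options the quoted rule uses are understood.

```python
"""Toy evaluator for the Snort rule quoted in the article (added example)."""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import unquote

# The rule quoted in the article, verbatim.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; '
        'uricontent:"ps%20"; nocase; sid:1329; classtype:web-application-attack; rev:4;)')

# Constructed stand-ins for the 'var' lines in snort.conf.  Each entry is a
# predicate over the value it is tested against (an IP string or a port number).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")          # constructed
VARS = {
    "EXTERNAL_NET": lambda ip: ipaddress.ip_address(ip) not in HOME_NET,  # i.e. !$HOME_NET
    "HTTP_SERVERS": lambda ip: ip == "192.168.1.10",                      # constructed
    "HTTP_PORTS": lambda port: port in (80, 8080),                        # constructed
}

Rule = namedtuple("Rule", "action proto src sport dst dport options")
# One client->server HTTP request on an established connection (so flow: holds).
Request = namedtuple("Request", "src sport dst dport uri")


def parse_rule(text):
    """Split a rule into its header fields and a dict of its options."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional rules are handled here")
    options = {}
    # key:value; pairs; a quoted value may contain spaces, a bare option has no value
    for key, value in re.findall(r'([a-z_]+)(?::("[^"]*"|[^;]*))?;', body):
        options[key] = value.strip('"') if value else True
    return Rule(action, proto, src, sport, dst, dport, options)


def _match(token, value):
    """Resolve a header token: 'any', a $VARIABLE from snort.conf, or a literal."""
    if token == "any":
        return True
    if token.startswith("$"):
        return VARS[token[1:]](value)
    return str(value) == token


def check(rule, req):
    """Return an alert line for req, or None if the rule does not fire."""
    if not (_match(rule.src, req.src) and _match(rule.sport, req.sport)
            and _match(rule.dst, req.dst) and _match(rule.dport, req.dport)):
        return None
    # Compare the decoded pattern against the decoded URI, as the article
    # describes ("ps " in any URL); nocase makes the comparison case-insensitive.
    needle, haystack = unquote(rule.options["uricontent"]), unquote(req.uri)
    if rule.options.get("nocase"):
        needle, haystack = needle.lower(), haystack.lower()
    if needle not in haystack:
        return None
    # Generator id 1 is what Snort uses for alerts raised by rules; the
    # article's [117:1:1] came from the spp_portscan2 preprocessor instead.
    o = rule.options
    return f"[**] [1:{o['sid']}:{o['rev']}] {o['msg']} [**]"


def evaluate(rule_text, requests):
    """Run every request through the rule; return (request, alert line) pairs."""
    rule = parse_rule(rule_text)
    hits = []
    for req in requests:
        alert = check(rule, req)
        if alert:
            hits.append((req, alert))
    return hits


# Constructed requests, not captured traffic.
REQUESTS = [
    Request("203.0.113.5", 40123, "192.168.1.10", 80, "/cgi-bin/test.cgi?cmd=ps%20-ef"),  # fires
    Request("203.0.113.5", 40124, "192.168.1.10", 80, "/index.html"),                     # clean
    Request("192.168.1.20", 5000, "192.168.1.10", 80, "/cgi-bin/test.cgi?cmd=ps%20aux"),  # source inside HOME_NET
    Request("203.0.113.5", 40125, "192.168.1.10", 443, "/cgi-bin/test.cgi?cmd=ps%20"),    # 443 not in $HTTP_PORTS
    Request("203.0.113.7", 40126, "192.168.1.10", 8080, "/cgi-bin/test.cgi?cmd=PS%20-e"), # fires thanks to nocase
]

if __name__ == "__main__":
    for req, alert in evaluate(RULE, REQUESTS):
        print(alert)
        print(f"{req.src}:{req.sport} -> {req.dst}:{req.dport} {req.uri}")
```

The third and fourth requests show why the variables matter: the same suspicious URI is ignored when the source is inside HOME_NET (so it is not $EXTERNAL_NET) or when the destination port is not one listed in $HTTP_PORTS. Getting those variables right for your own network, as the article says, is part of deploying the rules.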

Stealth scanning
Snort is a NIDS (network intrusion detection system) that can be run on Linux as well as Windows. It passively monitors a network by sniffing and searching for patterns in the traffic. These patterns are defined as rules in a separate file. Alert messages can either be logged in files or displayed on the console. Snort can also run as a background process (a daemon in Unixes and a service in Windows). However, it only has a command-line interface.

The rules mentioned above are written in a configuration file and included in the main configuration file snort.conf. A few network settings also have to be adjusted to reflect the network on which Snort is run. Many rules are provided by default and can be further modified as required.

Snort functions in three basic modes. The first is the packet sniffer mode, where all packets floating on the wire are picked up and shown on the screen (using the -dev option). Second is the packet-logging mode, where these packets are logged in a separate directory using the "-l" option, or in a single monolithic file (in tcpdump file format) that can be analyzed later. This is done by using the -b option, e.g. "snort -l ./log -b". The file can be read later using the -r option (playback mode) in conjunction with the -dev option. However, the use of other packet analyzers like Ethereal is recommended, as they give better visual output.

The third mode is where the intrusion detection takes place. The rules are applied to the packets by including the main configuration file in the command-line options (-c).

snort -dev -l ./log -h -c snort.conf

When the above command is used, an alerts file is generated (or appended to if it already exists) as soon as any packet data matches any of the rules in the configuration files.

On the CD you can find the full source code for the Linux environment. 

Ankit Khare and Anuj Jain
