Scanning Tools

Uploaded by sameenamz

Scanning and Analysis Tools

Key Terms
fingerprinting The systematic survey of a targeted organization’s Internet addresses
collected during the footprinting phase to identify the network services offered by the hosts
in that range.
footprinting The organized research and investigation of Internet addresses owned or
controlled by a target organization.
© Cengage Learning, Inc. This content is not final and may not match the published product.
honey net A monitored network or network segment that contains multiple honey pot
systems.
honey pot An application that entices individuals who are illegally perusing the internal
areas of a network by providing simulated rich content areas while the software notifies the
administrator of the intrusion.
port A network channel or connection point in a data communications system.
port scanners Tools used both by attackers and defenders to identify or fingerprint active
computers on a network, the active ports and services on those computers, the functions and
roles of the machines, and other useful information.
trap and trace applications Applications that combine the function of honey pots or honey
nets with the capability to track the attacker back through the network.
vulnerability scanner An application that examines systems connected to networks and
their network traffic to identify exposed usernames and groups, open network shares,
configuration problems, and other vulnerabilities in servers.

In the previous section, wireless network controls were covered. Now, we return to the
technology and tools that are useful in all compound (wired and wireless) networks.
Although they are not always perceived as defensive tools, scanners, sniffers, and
other analysis tools enable security administrators to see what an attacker sees.
Scanner and analysis tools can find vulnerabilities in systems, holes in security
components, and other unsecured points in the network. Unfortunately, they cannot
detect the unpredictable behavior of people.
Some of these devices are extremely complex; others are very simple. Some
are expensive commercial products; others are available for free from their creators.
Conscientious administrators will have several hacking Web sites bookmarked and
should frequently browse for discussions about new vulnerabilities, recent conquests,
and favorite assault techniques. There is nothing wrong with security administrators
using the tools used by hackers to examine their own defenses and search out areas
of vulnerability. A word of caution: Many of these tools have distinct signatures, and
some ISPs scan for these signatures. If the ISP discovers someone using hacker tools,
it may choose to deny access to that customer and discontinue service. It is best to
establish a working relationship with the ISP and notify it before using such tools.
05713_ch12_hr_619-682.indd 651 19/02/18 6:00 pm

Scanning tools collect the information that an attacker needs to succeed. Collecting
information about a potential target is done through a research process known as
footprinting (not to be confused with the wireless footprint). Attackers may use public
Internet data sources to perform keyword searches to identify the network addresses
of the organization. They may also use the organization’s Web page to find information
that can be used in social engineering attacks. For example, the Reveal Source option on
most popular Web browsers allows users to see the source code behind the graphics on a
Web page. A number of clues can provide additional insight into the configuration of an
internal network: the locations and directories for Common Gateway Interface (CGI) script
bins, and the names and possibly addresses of computers and servers.
The next phase of the pre-attack data gathering process is fingerprinting, which
yields a detailed network analysis that provides useful information about the targets
of the planned attack. The tool discussions here are necessarily brief; to attain true
expertise in the use and configuration of these tools, you will need more specific
education and training.
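The paragraph above notes that page source can leak internal hostnames, private addresses and CGI script locations. The following is an added example, not code from the textbook, showing how a defender can review their own HTML for exactly those clues before an attacker does. The sample page, the internal-domain suffixes and the finding categories are constructed for illustration.

```python
"""Review a page's HTML source for internal-network clues (added example)."""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample page; the hostnames, paths and address are made up.
SAMPLE_HTML = """<html><head>
<!-- TODO: move form handler off intranet-web01.corp.example.internal -->
<script src="/cgi-bin/legacy/search.cgi"></script>
</head><body>
<img src="http://10.20.30.40/images/logo.png">
<form action="/cgi-bin/order.pl" method="post"></form>
<a href="https://www.example.com/about">About</a>
</body></html>"""

# Assumed naming convention for internal hosts; adjust to the organization's own.
INTERNAL_HOST_SUFFIXES = (".internal", ".local", ".corp", ".lan")
CGI_PATH_RE = re.compile(r"(/cgi-bin/[^\s\"'>]+)")
HOST_RE = re.compile(r"\b([a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+)\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


class SourceCollector(HTMLParser):
    """Collects HTML comments and URL-bearing attributes; visible text is ignored."""

    def __init__(self):
        super().__init__()
        self.fragments = []

    def handle_comment(self, data):
        self.fragments.append(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("src", "href", "action"):
                self.fragments.append(value)


def is_private_ipv4(text):
    """True for RFC 1918 and other non-public addresses, False for anything else."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def find_leaks(html):
    """Return a sorted list of (kind, value) findings from comments and URLs."""
    collector = SourceCollector()
    collector.feed(html)
    findings = set()
    for frag in collector.fragments:
        for path in CGI_PATH_RE.findall(frag):
            findings.add(("cgi-path", path))
        for ip in IPV4_RE.findall(frag):
            if is_private_ipv4(ip):
                findings.add(("private-ip", ip))
        for host in HOST_RE.findall(frag):
            if host.lower().endswith(INTERNAL_HOST_SUFFIXES):
                findings.add(("internal-host", host))
    return sorted(findings)


if __name__ == "__main__":
    for kind, value in find_leaks(SAMPLE_HTML):
        print(f"{kind:14s} {value}")
```

Running the block against the sample prints the two CGI paths, the internal hostname from the comment and the private address; the public `www.example.com` link produces no finding.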

Port Scanners
Port scanners are a group of utility software applications that can identify (or fingerprint)
active computers on a network, as well as the active ports and the services associated
with them on those computers, the functions and roles fulfilled by the machines, and
other useful information. These tools can scan for specific types of computers, protocols,
or resources, or they can conduct generic scans. It is helpful to understand your network
environment so that you can select the best tool for the job. The more specific the
scanner is, the more detailed and useful the information it provides. However, you
should keep a generic, broad-based scanner in your toolbox as well, to help locate and
identify rogue nodes on the network that administrators may not be aware of.
The first step in securing a system is to secure open ports. Why? Simply put, an
open port can be used to send commands to a computer, gain access to a server, and
exert control over a networking device. As a general rule, you should secure all ports
and remove from service any ports not required for essential functions. For instance, if
an organization does not host Web services, there is no need for port 80 to be available
in its network or on its servers.

Vulnerability Scanners
Vulnerability scanners, which are variants of port scanners, are capable of scanning
networks for very detailed information. As a class, they identify exposed user names
and groups, show open network shares, and expose configuration problems and other
server vulnerabilities. One vulnerability scanner is Nmap, a professional freeware
utility available from www.insecure.org/nmap. Nmap identifies the systems available
on a network, the services (ports) each system is offering, the operating system and
operating system version they are running, the type of packet filters and firewalls in
use, and dozens of other characteristics. Several commercial vulnerability scanners are
available as well, including products from IBM’s Internet Security Systems, and from
Foundstone, a division of McAfee.
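The Port Scanners section above says a broad scan should locate rogue nodes and that any port not needed for an essential function (the text's example is port 80 on a network that hosts no Web services) should be taken out of service; this section adds that Nmap reports each host's open ports, service versions and operating system. The block below is an added example, not code from the textbook or from the Nmap project: it parses scan results in Nmap's XML layout and checks them against an asset inventory. The scan output, the inventory, the host roles and the per-role allowed ports are all constructed for illustration.

```python
"""Triage Nmap XML output against an asset inventory (added example)."""
import xml.etree.ElementTree as ET

# Constructed scan output using Nmap's XML element layout; addresses and versions are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed inventory: host -> role, and role -> the TCP ports that role is allowed to expose.
INVENTORY = {"192.0.2.10": "web", "192.0.2.20": "db"}
ROLE_ALLOWED_PORTS = {"web": {22, 443}, "db": {22, 3306}}


def parse_nmap_xml(xml_text):
    """Return {addr: {"os": name or None, "open": {port: service label}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")
        open_ports = {}
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                label = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            open_ports[int(port.get("portid"))] = label
        hosts[addr] = {"os": osmatch.get("name") if osmatch is not None else None,
                       "open": open_ports}
    return hosts


def triage(hosts, inventory, allowed):
    """Flag hosts missing from the inventory and open ports a host's role does not justify."""
    findings = []
    for addr, info in sorted(hosts.items()):
        role = inventory.get(addr)
        if role is None:
            findings.append(("rogue-host", addr, sorted(info["open"])))
            continue
        for port in sorted(set(info["open"]) - allowed[role]):
            findings.append(("unexpected-port", addr, port, info["open"][port]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap_xml(SAMPLE_NMAP_XML), INVENTORY, ROLE_ALLOWED_PORTS):
        print(finding)
```

On the sample data the database host is flagged for an open port 80 its role does not require, and 192.0.2.99 is reported as a rogue node because it is not in the inventory at all; closed ports are ignored. With real scans, replace the sample string with the contents of an `nmap -oX` output file.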

Packet Sniffers
A packet sniffer can provide a network administrator with valuable information to
help diagnose and resolve networking issues. In the wrong hands, it can be used to
eavesdrop on network traffic. The commercially available and open-source sniffers
include Sniffer (a commercial product), Snort (open-source software), and Wireshark
(also open-source software). Wireshark is an excellent free network protocol analyzer;
it allows administrators to examine both live network traffic and previously captured
data. This application offers a variety of features, including a packet-filtering language
and a TCP session reconstruction utility.
Typically, to use a packet sniffer effectively, you must be connected directly to a local
network from an internal location. Simply tapping into any public Internet connection
will flood you with more data than you can process and technically constitutes a
violation of wiretapping laws. To use a packet sniffer legally, you must satisfy the
following criteria: (1) Be on a network that the organization owns, not leases, (2) be under
the direct authorization of the network’s owners, (3) have the knowledge and consent
of the content creators (users), and (4) have a justifiable business reason for doing
so. If all four conditions are met, you can look at anything you want captured on that
network. If not, you can only selectively collect and analyze packets using packet header
information to identify and diagnose network problems. Conditions 1, 2, and 4 are self-
explanatory, and condition 3 is usually a stipulation for using the company network.
Incidentally, these conditions are the same as for employee monitoring in general.
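The section above distinguishes two modes of sniffer use: full capture when all four conditions are met, and otherwise header-only collection to diagnose network problems. As an added example (not code from the textbook or from any sniffer product), the block below reads a classic pcap file and builds per-conversation statistics from the Ethernet, IPv4 and TCP headers alone, never touching payload bytes. The capture itself is constructed in memory; the addresses, ports and checksum-free frames are made up, and only IPv4 over Ethernet with little-endian pcap is handled.

```python
"""Header-only analysis of a packet capture (added example)."""
import struct
from collections import defaultdict


def build_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Construct an Ethernet/IPv4/TCP frame for test data only (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


def iter_packets(pcap_bytes):
    """Yield the raw bytes of each packet record."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    assert magic == 0xA1B2C3D4, "only little-endian classic pcap is handled here"
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def decode_headers(frame):
    """Return (src, dst, sport, dport, flags, payload_len) from headers only, or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[16:18])
    if frame[23] != 6:  # not TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    flags = frame[tcp_off + 13]
    payload_len = total_len - ihl - data_off
    # The payload, frame[tcp_off + data_off:], is deliberately never read.
    return src, dst, sport, dport, flags, payload_len


def summarize(pcap_bytes):
    """Per-direction conversation counts: packets, payload bytes and RST segments."""
    convs = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "rst": 0})
    for frame in iter_packets(pcap_bytes):
        hdr = decode_headers(frame)
        if hdr is None:
            continue
        src, dst, sport, dport, flags, plen = hdr
        key = (src, sport, dst, dport)
        convs[key]["packets"] += 1
        convs[key]["payload_bytes"] += plen
        if flags & 0x04:  # RST bit
            convs[key]["rst"] += 1
    return dict(convs)


# Constructed capture: one HTTP exchange and one refused connection attempt to port 3306.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "192.0.2.20", 40001, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("192.0.2.20", "192.0.2.10", 80, 40001, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("192.0.2.10", "192.0.2.20", 40002, 3306, 0x02, b""),
    build_frame("192.0.2.20", "192.0.2.10", 3306, 40002, 0x14, b""),
])

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_PCAP).items():
        print(key, stats)
```

The RST count per conversation is the kind of header-derived signal that diagnoses a refused service without reading any content; to apply it to a real capture, pass the bytes of a pcap file to `summarize`.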

Trap and Trace


Trap and trace applications are another set of IDPS-related technologies that detect
individuals who are intruding into network areas or investigating systems without
authorization. Trap function software entices individuals
who are illegally perusing the internal areas of a network in order to determine who
they are. While perusing, these individuals discover indicators of particularly rich
content areas on the network, but these areas are set up to attract potential attackers.
Incorporating the functions of honey pots and honey nets, these directories or servers
distract the attacker while the software notifies the administrator of the intrusion.
The accompaniment to the trap is the trace. Similar in concept to telephone caller
ID service, the trace is a process by which the organization attempts to determine
the identity of someone discovered in unauthorized areas of the network or systems.
However, you must understand it is a violation of the Electronic Communications
Protection Act to trace communications outside of networks owned by the
organization. Use of any trap and trace functions requires compliance with the same
four rules as packet sniffers.
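The trap described above is a decoy that draws in an unauthorized browser and notifies the administrator; the trace that accompanies it must stop at the edge of the organization's own networks. The block below is an added example, not code from the textbook or from any commercial honey pot product: a decoy TCP listener that records the source of each connection (address, port and time, no content) and decides whether a trace is in scope by checking the source against the organization's own address ranges. The owned networks and the lure banner are constructed placeholders.

```python
"""Decoy TCP listener that records and reports touches (added example)."""
import ipaddress
import socketserver
import threading
from datetime import datetime, timezone

# Constructed placeholders: address ranges the organization owns; tracing stops at their edge.
OWNED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]
DECOY_BANNER = b"220 finance-archive ready\r\n"  # constructed lure name


def in_trace_scope(addr):
    """True only if addr lies inside a network the organization owns."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWNED_NETWORKS)


def record_touch(addr, port, when=None):
    """Build the event the administrator is notified with; header data only, no content."""
    when = when or datetime.now(timezone.utc)
    return {"time": when.isoformat(), "source": addr, "source_port": port,
            "traceable": in_trace_scope(addr)}


def notify(event):
    """Stand-in for paging the administrator; prints the alert and the permitted action."""
    action = "trace within owned network" if event["traceable"] else "log only, outside scope"
    print(f"ALERT decoy touched from {event['source']}:{event['source_port']} "
          f"at {event['time']} -> {action}")


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        event = record_touch(*self.client_address[:2])
        self.server.events.append(event)
        notify(event)
        self.request.sendall(DECOY_BANNER)  # lure reply; nothing the client sends is read


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, bind):
        super().__init__(bind, DecoyHandler)
        self.events = []  # in-memory record of every touch


if __name__ == "__main__":
    server = DecoyServer(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    print("decoy listening on", server.server_address)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

The scope check is what keeps the trace on the right side of the rule stated above: a touch from outside the owned ranges is still recorded and reported, but the event is marked as not traceable so that no follow-up is attempted beyond the organization's own network.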

The U.S. government defines a trap and trace device as similar to a pen register in
U.S. Code Title 18, Section 3127:

“(3) the term “pen register” means a device or process which records or decodes
dialing, routing, addressing, or signaling information transmitted by an instrument
or facility from which a wire or electronic communication is transmitted,
provided, however, that such information shall not include the contents of any
communication, but such term does not include any device or process used by
a provider or customer of a wire or electronic communication service for billing,
or recording as an incident to billing, for communications services provided by
such provider or any device or process used by a provider or customer of a wire
communication service for cost accounting or other like purposes in the ordinary
course of its business;

(4) the term “trap and trace device” means a device or process which captures the
incoming electronic or other impulses which identify the originating number or
other dialing, routing, addressing, and signaling information reasonably likely to
identify the source of a wire or electronic communication, provided, however, that
such information shall not include the contents of any communication;”8

Note that these definitions explicitly exclude the content of communications and
only focus on the header information to trace the origins of communications. Unlike
packet sniffers, trap and trace devices are mainly used by law enforcement to identify
the origin of communications for legal and prosecution purposes.

Managing Scanning and Analysis Tools


It is vitally important that the security manager be able to see the organization’s
systems and networks from the viewpoint of potential attackers. Therefore, the
security manager should develop a program, using in-house resources, contractors, or
an outsourced service provider, to periodically scan the organization’s systems
and networks for vulnerabilities, using the same tools that a typical hacker might use.
There are a number of drawbacks to using scanners and analysis tools, content
filters, and trap and trace tools:
• These tools are not human and thus cannot simulate the more creative behavior
of a human attacker.
• Most tools function by pattern recognition, so only previously known issues
can be detected. New approaches, modifications to well-known attack patterns,
and the randomness of human behavior can cause them to misdiagnose the
situation, thereby allowing vulnerabilities to go undetected or threats to go
unchallenged.
• Most of these tools are computer-based software or hardware and so are prone
to errors, flaws, and vulnerabilities of their own.
• All of these tools are designed, configured, and operated by humans and are
subject to human errors.
• You get what you pay for. Use of hackerware may actually infect a system with a
virus or open the system to outside attacks or other unintended consequences.
Always view a hacker kit skeptically before using it and especially before
connecting it to the Internet. Never put anything valuable on the computer that
houses the hacker tools. Consider segregating it from other network segments,
and disconnect it from the network when not in use.
• Specifically for content filters, some governments, agencies, institutions, and
universities have established policies or laws that protect the individual user’s right
to access content, especially if it is necessary for the conduct of his or her job. There
are also situations in which an entire class of content has been proscribed and
mere possession of that content is a criminal act—for example, child pornography.
• Tool usage and configuration must comply with an explicitly articulated policy
as well as the law, and the policy must provide for valid exceptions. This
mandate prevents administrators from becoming arbiters of morality as they
create a filter rule set.9
