Chapter 2. Network Security Assessment Platform

This chapter outlines and discusses the components and tools that make up a professional security consultant’s toolkit for performing tasks including reconnaissance, network scanning, and exploitation of vulnerable software components. Many advanced tools can only be run from Unix-based systems, while other Windows-specific tools are required when testing Microsoft-based platforms and environments, and so building a flexible platform is very important.

Although these tools and their respective configurations and uses are discussed in detail throughout the book, they are discussed here at a reasonably high level so that you may start to think about preparing and configuring your assessment platform. At a high level, the tools and components that you need to consider are as follows:

  • Virtualization software to allow you to run multiple virtual systems on one physical machine

  • Operating systems within your assessment platform

  • Reconnaissance tools to perform initial Internet-based open source querying

  • Network scanning tools to perform automated bulk scanning of accessible IP addresses

  • Exploitation frameworks to exploit vulnerable software components and accessible services

  • Web application testing tools to perform specific testing of web applications

With the exception of commercial tools that require licenses, all of the tools listed in this book can be found in the O’Reilly archive at I have listed the original sites in most cases so that you can freely browse other tools and papers on each respective site.

Virtualization Software

Most security consultants use server virtualization software to underpin their testing platforms. Virtualization software allows multiple virtual machines, running different operating systems and tools, to be run in parallel on the same physical system. Virtual machines are also easily frozen, rolled back to a previous known-good state, and copied or moved between physical machines, all of which makes maintenance straightforward.

VMware
VMware is an extremely useful program that allows you to run multiple instances of operating systems from a single system. You can download VMware Server and VMware Player for free from for both Windows and Linux. The more powerful VMware ESX and Infrastructure products require commercial licenses.

I run VMware Server from my Windows workstation to run and access Linux and other operating platforms in parallel as needed during a network security assessment. From a networking perspective, VMware can be used in many configurations. I use a virtual NAT configuration that gives my virtual machines access to the network card of my workstation.

Microsoft Virtual PC

Microsoft Virtual PC is available for free from Most Linux, BSD, and Solaris platforms run under Virtual PC (a comprehensive list of supported operating platforms can be found at Virtual PC can also be run from Mac OS X, to run Windows and other platforms. For more information, visit

Microsoft Virtual Server is also available, and offers datacenter-class features such as rapid configuration and deployment of virtual machine images. Virtual Server is available from

Parallels
Parallels is a Mac OS-specific virtualization solution that allows users to run Microsoft Windows, Linux, and BSD-derived platforms within Mac OS X. Further details are available from the company web site at

Operating Systems

The operating platforms you use during a network security assessment will depend on the type of network you are going to test and the depth to which you will perform your assessment. It is often the case that to successfully launch exploit scripts against Linux or Unix systems, you will require access to a Unix-like platform (usually Linux or BSD-derived) to correctly compile and run specialist exploit tools.

Microsoft Windows Platforms

As Windows releases (XP, 2003 Server, Vista, etc.) mature and become more flexible, many more network assessment and hacking tools that run cleanly on the platform are becoming available. Previous Windows releases didn’t give raw access to network sockets, so many tools had to be run from Unix-based platforms. This is no longer the case; an increasing number of useful security utilities have been ported to Windows, including Nmap and powerful tools within the Dsniff package, such as arpspoof.

Windows platforms are also usually required during a network security assessment in order to run tools that are used against Windows targets, such as Urity’s RpcScan, because such tools depend on internal Windows libraries and components that are not easily available on, or ported to, Unix-based platforms.

Linux Platforms

Linux is the platform of choice for most hackers and security consultants alike. Linux is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols (Bluetooth and IPv6 are good examples at the time of writing). All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems, due to the inclusion of extensive networking libraries such as libpcap.

At the time of writing, the most popular Linux distributions are:

Ubuntu (
Gentoo (
openSUSE (
Fedora Core (

Binary distributions like Ubuntu are useful and reliable, and are updated easily using the apt-get or aptitude package management programs. Many large companies, including Google, use Ubuntu on both client workstations and servers. Maintaining a binary Linux distribution is much simpler than using a source distribution, such as Gentoo, which requires compilation of each new software component.

Apple Mac OS X

Mac OS X is a BSD-derived operating system. The underlying system looks and feels very much like any Unix environment, with standard command shells (such as sh, csh, and bash) and useful network utilities that can be used during an IP-based network security assessment (including telnet, ftp, rpcinfo, snmpwalk, host, and dig).

Mac OS X is supplied with a compiler and many header and library files that allow for specific assessment tools to be built, including Nmap, Nessus, and Nikto. Many other tools and packages are available for Mac OS X via DarwinPorts ( and Fink (

Reconnaissance Tools

A number of built-in operating system commands can be used to perform reconnaissance tasks. In particular, under Unix-based platforms (including Linux and Mac OS X), command-line clients such as whois, dig, traceroute, and nslookup are available, whereas Microsoft Windows platforms only have nslookup and tracert commands. Many reconnaissance tasks can also be launched through a web browser, including querying specific Internet WHOIS search engines.

In 2005, SensePost released a Windows tool called BiDiBLAH (, which is a framework for reconnaissance and assessment tasks, including Google and DNS querying. BiDiBLAH allows consultants to quickly and easily perform bulk reconnaissance tasks. The SensePost Black Hat USA 2005 presentation slides, outlining the tool and its features, are available from

Network Scanning Tools

Network scanners are used to perform bulk automated scanning of IP ranges to identify vulnerable network service components. The two most popular open source network scanners are Nmap and Nessus.

Nmap
Nmap is a port scanner used to scan large networks and perform low-level ICMP, TCP, and UDP analysis. Nmap supports a large number of scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning, and low-level network traffic filter analysis. Nmap is available from Currently, Nmap can be run under most operating platforms, including Windows, Linux, and Mac OS X.

Nessus
Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including ICMP, TCP, and UDP scanning, testing of specific network services (such as Apache, MySQL, Oracle, Microsoft IIS, and many others), and rich reporting of vulnerabilities identified.

Having run the Sentinel testing platform and evaluated the security consultants of the world’s largest penetration testing providers, I know that all of them use Nessus to perform bulk network scanning and assessment, from which manual qualification and use of specific tools and techniques follows. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.

Nessus reporting is comprehensive in most cases. However, reports often contain a number of false positives and a lot of noise (issues are often not reported concisely, or different iterations of the same issue are reported separately), so it is important that consultants manually parse Nessus output, qualify each finding, and produce an accurate and concise handwritten report. As with many other tools, Nessus uses CVE references to report issues. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (
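The manual consolidation step described above can be partly automated. The following is an added example (not code from the book or from Nessus) that reads a constructed .nessus-style XML fragment, collapses repeated instances of the same plugin across hosts and ports into one finding with its CVE references, and drops informational noise so that qualification can start from a short, severity-ordered list; the host addresses, plugin IDs and CVE numbers are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed NessusClientData_v2-style fragment for illustration only;
# hosts, plugin IDs and CVE numbers are placeholders, not real findings.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="192.0.2.10">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="100001" pluginName="SMB Service Flaw">
  <risk_factor>High</risk_factor><cve>CVE-0000-0001</cve></ReportItem>
 <ReportItem port="139" svc_name="netbios-ssn" protocol="tcp" severity="3" pluginID="100001" pluginName="SMB Service Flaw">
  <risk_factor>High</risk_factor><cve>CVE-0000-0001</cve></ReportItem>
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="100002" pluginName="HTTP Server Type">
  <risk_factor>None</risk_factor></ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="100001" pluginName="SMB Service Flaw">
  <risk_factor>High</risk_factor><cve>CVE-0000-0001</cve></ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="100003" pluginName="SSH Version Issue">
  <risk_factor>Medium</risk_factor><cve>CVE-0000-0002</cve><cve>CVE-0000-0003</cve></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def consolidate(nessus_xml, min_severity=1):
    """Group raw ReportItems into one entry per plugin, collecting the affected
    host:port pairs and CVE references; items below min_severity are dropped."""
    root = ET.fromstring(nessus_xml)
    findings = {}
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue  # informational plugins are noise in a final report
            pid = item.get("pluginID")
            f = findings.setdefault(pid, {"name": item.get("pluginName"), "severity": sev,
                                          "risk": item.findtext("risk_factor"),
                                          "cves": set(), "affected": []})
            f["affected"].append(f"{host.get('name')}:{item.get('port')}/{item.get('protocol')}")
            f["cves"].update(c.text for c in item.findall("cve") if c.text)
    # Highest severity first, so manual qualification starts with what matters.
    return sorted(findings.values(), key=lambda f: -f["severity"])


def summarise(findings):
    """One tuple per consolidated finding: (name, risk, instance count, CVEs)."""
    return [(f["name"], f["risk"], len(f["affected"]), sorted(f["cves"])) for f in findings]


if __name__ == "__main__":
    for name, risk, count, cves in summarise(consolidate(SAMPLE_NESSUS)):
        print(f"{risk:6} {name} ({count} instance(s)) CVE: {', '.join(cves) or '-'}")
```

Three raw SMB items across two hosts become a single High finding with three affected services, which is the form a handwritten report would present.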

Nessus is available for free download from, and can be run under Linux, Solaris, Windows, Mac OS X, and other platforms. Tenable Security maintains a commercially supported and up-to-date branch of Nessus and its scanning scripts, which has enhanced features relating to SCADA testing and compliance auditing under Windows and Unix. Further information is available from

Commercial Network Scanning Tools

Commercial scanning packages are used by many network administrators and those responsible for the security of large networks. Although not cheap (software licenses are often on the order of tens of thousands of dollars), commercial systems are supported and maintained by the respective vendor, so their vulnerability databases are kept up to date. With this level of professional support, a network administrator can gain a certain level of assurance about the security of the network.

Here’s a selection of popular commercial packages:

ISS Internet Scanner (
eEye Retina (
QualysGuard (
Matta Colossus (

An issue with such one-stop automated vulnerability assessment packages is that, increasingly, they produce false positive results. As with Nessus, it is advisable to use a commercial scanner to perform the initial bulk scanning and network service assessment, and then fully qualify and investigate the reported vulnerabilities by hand to produce accurate results. Matta Colossus addresses this by allowing the user to supervise a scan as it is conducted and to edit the final report.

Exploitation Frameworks

Upon identifying vulnerable network services and components of interest by performing network scanning, exploitation frameworks are used to exploit the flaws in these accessible network services and gain access to the target host. Qualification in this way is often important so that a clear and accurate report can be presented to the client. The only exploitation framework that is available for free at the time of writing is Metasploit. Two popular commercial frameworks are CORE IMPACT and Immunity CANVAS.

Metasploit Framework

The Metasploit Framework (MSF) ( is an advanced open source platform for developing, testing, and using exploit code. The project initially started off as a portable network game and then evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.

The framework and exploit scripts are written in Ruby, and widespread support for the language allows MSF to run on almost any Unix-like system under its default configuration. The system itself can be accessed and controlled through a command-line interpreter or web interface running from a suitable server.

Metasploit exploit modules are reliable and cover exploitation of the most popular vulnerabilities uncovered in Windows- and Unix-based platforms since 2004. A very useful feature in the current version (3.0 at the time of writing) is a reverse VNC server injection mechanism, which is invaluable when repositioning through Windows servers.

Commercial Exploitation Frameworks

Security consultants use commercial exploitation frameworks to perform penetration and repositioning tasks. At the time of writing, the two leading commercially available exploitation frameworks are CORE IMPACT and Immunity CANVAS. These tools are feature-rich, reliable, and commercially supported, offering advanced features such as repositioning using agent software. Also, third-party companies (including Argeniss and GLEG) offer zero-day exploit packs, which can be integrated into these systems to exploit unpublished zero-day vulnerabilities.

These exploitation frameworks are discussed along with Metasploit Framework in Chapter 16. For current details relating to IMPACT and CANVAS, you can visit their respective vendor web sites:

CORE Security Technologies (
Immunity Inc. (

Details of the GLEG and Argeniss 0day exploit packs, containing numerous unpublished exploit scripts, can be found at their respective web sites:

GLEG VulnDisco (
Argeniss Ultimate 0day Exploits Pack (


As this book was going to print, Argeniss announced that its 0day packs had been acquired by GLEG. I list both sites and cover the packs separately throughout the book, as it is difficult and time-prohibitive for me to go through and unify everything at this time. Please refer to GLEG for sales and support relating to both Argeniss and GLEG packs.

Web Application Testing Tools

Web application testing tools are used to crawl and fuzz accessible web-based applications and components to identify weaknesses such as command injection, cross-site scripting, and poor permissions. Such tools are run in one of two ways: either as passive proxies that let you modify data from a web browser as it is sent to the target web server, or as active scanners that crawl the application and fuzz its input variables directly. Complex web applications (such as those relying heavily on JavaScript) are difficult to actively scan and crawl, so a passive proxy must be used in these cases.

Proxy-based open source web application testing tools include:

Paros (
WebScarab (
Burp suite (

Active open source web application crawling and fuzzing tools are as follows:

Wapiti (
Nikto (

Commercial Web Application Scanning Tools

A number of companies offer commercially available web application testing tools. Through running the Matta Sentinel program, we have had exposure to a number of these, and evaluated them accordingly. Three such commercial web application scanners used by professional security consultants are:

Watchfire AppScan (
SPI Dynamics WebInspect (
Cenzic Hailstorm (
