Backtrack Linux

Backtrack is a Linux distribution based on Ubuntu, used for penetration testing and forensics. The distro was a merger of WHAX and Auditor. It bundles numerous open source security tools such as Metasploit, Aircrack-ng, Nmap, Wireshark, and Hydra. You can run it by booting from a copy on a DVD or USB stick. It boots to a console, but you can use the startx command to bring up a GUI. Even so, most of the applications come up in a terminal window when started. It has a menu like the Windows Start button.

Backtrack development was funded by Offensive Security. It is no longer maintained, because the distro was rebuilt on Debian and subsequently rebadged as Kali Linux. Backtrack is still a useful distro, but if you want the latest and greatest, you have to use Kali Linux. Understanding this, I now know why I have mostly heard about Kali and was unaware of Backtrack.

Syslog

Syslog is a message logging standard for network devices (printers, routers, switches). It was developed by Eric Allman when he was creating Sendmail. It separates the generation, storage, and reporting of messages. The messages usually get stored on a server. It is good practice for the server to put the messages in a database.

Messages carry a facility code and a severity label. The facility code indicates what type of program generated the message. Messages can also be broken down into a tag plus content. There is no official format for the content. Messages are normally sent via UDP on port 514.
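The facility and severity described above are packed into the numeric PRI field at the front of every message (PRI = facility * 8 + severity, so a lower severity number is more urgent). The following added example, which is not code from any syslog project, parses classic BSD-style lines into facility, severity, host, tag, PID and content, then filters by severity. The sample lines are constructed (the first is adapted from the example in RFC 3164), and the facility names follow RFC 5424.

```python
import re

# Facility numbers 0-23 as listed in RFC 5424 section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity numbers 0-7; lower is more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic BSD-style line: <PRI>TIMESTAMP HOST TAG[PID]: CONTENT
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    """Decode one BSD syslog line into its fields; PRI must be 0..191."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }

def parse_all(lines):
    return [parse_syslog(line) for line in lines]

def at_least(records, severity_name):
    """Records at the given severity or worse (numerically lower)."""
    threshold = SEVERITIES.index(severity_name)
    return [r for r in records if r["severity_num"] <= threshold]

def count_by_facility(records):
    counts = {}
    for r in records:
        counts[r["facility"]] = counts.get(r["facility"], 0) + 1
    return counts

# Constructed sample lines (the first is adapted from the RFC 3164 example).
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 sshd[4242]: Accepted password for alice from 192.0.2.7 port 51234 ssh2",
    "<165>Aug 24 05:34:00 router1 %LINK: Interface GigabitEthernet0/1 changed state to down",
]

if __name__ == "__main__":
    for r in parse_all(SAMPLE):
        print("%-8s %-7s %-12s %s" % (r["facility"], r["severity"], r["host"], r["msg"]))
```

Because the content part has no official format, the parser treats everything after the tag as opaque text; any further structure (the key/value pairs some daemons emit) has to be parsed per application.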

Syslog is less complicated than SNMP; there is no polling of devices in Syslog. Windows does not natively support Syslog, but you can buy a commercial version for Windows such as Syslog Watcher, which costs $249.

Nessus

Nessus is a vulnerability scanner written by Renaud Deraison, founder of Tenable Network Security. It was originally released as an open source project; however, the license later changed to a closed source one. The product continues to be free for personal use, but the commercial version runs $2190 a year.

Nessus is available on Windows and Linux based systems. It is purportedly the most popular vulnerability scanner. It can scan for a number of things such as remote control and access, misconfiguration, bad passwords, and Denial of Service exploits. The tool can help you prepare for a security audit.

You write tests for Nessus to perform. The tests are written in a custom scripting language called NASL. You can subscribe to receive tests from Tenable. The program output can be formatted as text, HTML, or even XML. A free competitor in the vulnerability scanning space is OpenVAS.

Snort

Snort is a free open source program written by Martin Roesch in 1998. It has many uses, but Snort is mainly noted for its network IDS and IPS capabilities. The program is based on libpcap. It is released under the GNU GPL version 2.0 license. Snort runs on both Windows and Linux operating systems.

Snort was originally maintained by Sourcefire, the company that Roesch founded. However, Sourcefire was acquired by Cisco in 2013, so the program is distributed by Cisco now. The program remains free; however, the latest rule sets can be obtained promptly if you purchase a subscription that runs $499 per year.

Snort can do real time analysis of traffic. It can do protocol analysis and content search. Snort can also read capture files. It detects many types of attacks such as denial of service, worms, buffer overflows, stealth port scans, operating system fingerprinting, and so on. When it detects such an attack, it can log alerts to syslog.

There are three main modes that Snort runs in:
  1. sniffer - packets displayed on screen
  2. logger - packets written to disk
  3. IDS - packets compared to rule sets
The rules are written to detect vulnerabilities. You can get access to official rule sets by registering, which costs nothing. Rule sets are provided first to users with subscriptions, but the rules are released for free to the public 30 days later.
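To make the IDS mode concrete, here is an added example (not Snort's own code) of what "packets compared to rule sets" means: a small matcher that parses rules written in Snort's header-plus-options syntax, expands a $HOME_NET variable, checks the protocol, addresses and ports, and then does the content search in the payload. The rules, the HOME_NET value and the packet records are constructed; the packets stand in for frames that Snort would decode from libpcap.

```python
import ipaddress
import re

# Hypothetical rule variables, as set in snort.conf (constructed values).
VARIABLES = {"HOME_NET": "10.0.0.0/24"}

# Constructed rules in Snort's header + options syntax.
RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB directory traversal attempt"; content:"../.."; sid:1000001; rev:1;)',
    'log udp any any -> $HOME_NET 53 (msg:"DNS query to internal resolver"; sid:1000002; rev:1;)',
]

# Constructed packet records standing in for decoded libpcap frames.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 51234, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/../../secret.txt HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 80, "dst": "192.0.2.7", "dport": 51234,
     "payload": b"HTTP/1.0 404 Not Found\r\n\r\n"},
    {"proto": "udp", "src": "198.51.100.3", "sport": 40000, "dst": "10.0.0.5", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
]

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def parse_rule(text, variables=VARIABLES):
    """Split a rule into its header fields and an options dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    opts = {}
    # Options are ';'-separated key:value pairs; a ';' inside content is not handled here.
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        else:
            opts[item] = True            # bare flags such as nocase
    rule["opts"] = opts
    for side in ("src", "dst"):          # expand $HOME_NET-style variables
        if rule[side].startswith("$"):
            rule[side] = variables[rule[side][1:]]
    return rule

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                      # ranges like 1024:65535 or :1023
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def rule_matches(rule, pkt):
    """Header check first (cheap), then the content search in the payload."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    if content is not None:
        needle, payload = content.encode(), pkt["payload"]
        if rule["opts"].get("nocase"):
            needle, payload = needle.lower(), payload.lower()
        if needle not in payload:
            return False
    return True

def run_ids(rules, packets):
    """IDS mode: compare every packet against every rule and collect events."""
    events = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                events.append((rule["action"], int(rule["opts"]["sid"]), rule["opts"]["msg"], pkt["src"]))
    return events

def load_rules(texts=RULES):
    return [parse_rule(t) for t in texts]

if __name__ == "__main__":
    for action, sid, msg, src in run_ids(load_rules(), PACKETS):
        print("[%s] sid %d: %s (from %s)" % (action, sid, msg, src))
```

The second packet, the server's reply, matches neither rule because its destination is outside HOME_NET; direction matters in the header, which is why rule writers pin $HOME_NET on the side they care about. Real Snort also tracks flow state and applies preprocessors before content matching, which this toy skips.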

Snort boasts 4M+ downloads and 500k+ registered users. It claims to be the most widely deployed IDS out there. Some say it beats the pants off proprietary IDS solutions. Other programs interface with Snort, such as BASE, a free web interface for Snort alerts.

FPort

FPort is a free command line Windows program that identifies open ports. It is like the netstat program, but it also shows information on the processes that opened the ports. This program was created by Foundstone, a security company, and is distributed by McAfee.

Version 2 of FPort added support for running on Windows NT, Windows 2000, and Windows XP. Although the program itself is free, it is not open source: you get the executable and a readme file for free, but no source code is included.

FPort works for both TCP and UDP. It can tell you the name, PID, and path of the program that opened the port. You can sort the list of ports by port number, application name, PID, or path. Run this program often to see whether there is malware communicating with other machines on the Internet.

FPort runs only on the Microsoft Windows operating system. However, if you are on a UNIX box, the lsof (List Open Files) program is very similar.

TCPView

TCPView is a free program for Microsoft Windows platforms that shows TCP and UDP endpoints. The program can also show the name of the program that owns each network connection. It was written by Mark Russinovich of Sysinternals (which was acquired by Microsoft).

TCPView provides more information than netstat. The information updates once a second by default. Lines are highlighted in different colors to represent the state of the connection:
  • green is a new connection
  • yellow is a connection that has changed
  • red is a connection that was deleted
TCPView can itself close connections. Under the hood, it employs the IP Helper API. TCPView is helpful for discovering malicious traffic and programs running on your system.

Netstat

I have been researching info on a utility called netstat. There is surprisingly not much said about it, other than the multiple options that it supports. Netstat is short for network statistics. It is a command line program. It actually comprises many tools rolled into one. The main and default usage is to show active TCP/IP network connections, both incoming and outgoing. It will tell you the local and remote IP addresses, the port, the protocol, the state of the connection, and optionally the program that opened the connection.

Netstat can show both TCP and UDP traffic. It can show the routing table. It can also show statistics for network protocols like Ethernet. The program was written by Fred Baumgarten. It is widely available on operating systems like UNIX, Windows, and Macintosh. The netstat program has allegedly been replaced by the ss program on Linux machines.

One thing that might require some explaining is the connection state that the program displays. Here are the states and a description of each:
  • listening - waiting for reply from host
  • established - connection has been made
  • close_wait - the foreign host closed the connection, but you are still waiting for data
  • time_wait - you closed the connection, but it is still in a waiting state
The netstat program might show odd results if the underlying socket is changing. A good way to see what is going on is to run netstat repeatedly, possibly from a script. I had mentioned that netstat can show the program that opened the connection. You can do that with the "netstat -b" option. However, on Windows that requires elevated privileges.
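The suggestion above to run netstat repeatedly from a script, together with the FPort and TCPView idea of checking which process owns each connection, is easier to act on if the output is parsed rather than read by eye. This added example (not code from netstat, FPort or TCPView) parses a constructed "netstat -ano" listing, counts sockets per state, and lists established connections to hosts outside the local ranges, annotated with a constructed PID-to-image mapping of the kind "netstat -b", FPort or TCPView would supply. The 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in for Internet hosts, and the process names are invented.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of "netstat -ano" output; 198.51.100.x and 203.0.113.x are
# documentation ranges standing in for Internet hosts.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49712         198.51.100.20:443      ESTABLISHED     4120
  TCP    10.0.0.5:49715         10.0.0.9:445           CLOSE_WAIT      4
  TCP    10.0.0.5:49720         203.0.113.8:443        ESTABLISHED     6644
  TCP    10.0.0.5:49721         10.0.0.9:445           TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1284
"""

# Constructed PID-to-image mapping, the kind of data FPort, TCPView or
# "netstat -b" would supply.
PROCESS_NAMES = {912: "svchost.exe", 4120: "browser.exe", 4: "System",
                 6644: "updater_helper.exe", 1284: "svchost.exe"}

# Address ranges treated as local; anything else is considered external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "::/128", "fe80::/10")]

def split_endpoint(endpoint):
    """'10.0.0.5:49712' -> ('10.0.0.5', 49712); also handles '[::]:135' and '*:*'."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                            # title, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = None, int(parts[3])    # UDP rows have no State column
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return rows

def state_counts(rows):
    """How many sockets sit in each TCP state (LISTENING, ESTABLISHED, ...)."""
    return Counter(r["state"] for r in rows if r["state"])

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                            # '*' or a hostname
    return not any(ip in net for net in INTERNAL_NETS)

def external_established(rows, names=PROCESS_NAMES):
    """Established connections to non-local hosts, annotated with the owning image."""
    return [(r["pid"], names.get(r["pid"], "?"), r["fhost"], r["fport"])
            for r in rows if r["state"] == "ESTABLISHED" and is_external(r["fhost"])]

def connections_by_pid(rows):
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["pid"]].append(r)
    return dict(grouped)

if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    print(dict(state_counts(rows)))
    for pid, name, host, port in external_established(rows):
        print("PID %-5d %-20s -> %s:%s" % (pid, name, host, port))
```

Run on a schedule and diffed against the previous snapshot, this gives the same "new / changed / gone" view TCPView colors green, yellow and red, and the per-PID grouping is what you would compare against the process list to decide whether an unfamiliar image should be talking to the Internet at all.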