
NETWORKING TOOLS

M.Tech 1st Semester-Report on networking tools

By

Alisha Gupta

September 6, 2015

Roll No.:31503209

DEPARTMENT OF COMPUTER ENGINEERING

NATIONAL INSTITUTE OF TECHNOLOGY

KURUKSHETRA-136119, HARYANA (INDIA)

July-Dec, 2015


1 MULVAL

MulVAL stands for "Multi-host, Multi-stage Vulnerability Analysis Language". Its authors describe it as "A Logic-based Network Security Analyzer": a framework for modeling the interaction of software bugs with system and network configurations. It is a research tool for security practitioners and system administrators to better manage the configuration of an enterprise network such that the security risks are appropriately controlled.

1.1 Features

• MulVAL uses Datalog as its modeling language. The information in the vulnerability database provided by the bug-reporting community, the configuration information of each machine and the network, and other relevant information are all encoded as Datalog facts.

• The reasoning engine consists of a collection of Datalog rules that captures the operating system behavior and the interaction of various components in the network. Thus integrating information from the bug-reporting community and off-the-shelf scanning tools in the reasoning model is straightforward. The reasoning engine in MulVAL scales well with the size of the network.

• The inputs to MulVAL's analysis are:

– Advisories: What vulnerabilities have been reported and do they exist on the machines?

– Host configuration: What software and services are running on the hosts, and how are they configured?

– Network configuration: How are the network routers and firewalls configured?

– Principals: Who are the users of the network?

– Interaction: What is the model of how all these components interact?

– Policy: What accesses do I want to permit?

• MulVAL comprises a scanner, run asynchronously on each host, which adapts existing tools such as OVAL to a great extent, and an analyzer, run on one host whenever new information arrives from the scanners.
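To make the Datalog modelling concrete, here is a small forward-chaining evaluator over MulVAL-style facts, added to this report as an illustration. It is not MulVAL's engine or rule base: the three rules are a simplified rendering of the kind of attack-step rules MulVAL uses, and the hosts, services, access-control (hacl) facts and bug labels ("bugWeb1", "bugDb1") are constructed for the example.

```python
"""Tiny forward-chaining Datalog evaluator over MulVAL-style facts.

Added illustration, not MulVAL's own engine or rule base: three rules in the
spirit of MulVAL's attack-step rules are applied to constructed facts
(hosts, services, access-control list, reported bugs) until no new fact is
derived. Predicate, host and bug names below are assumptions for the example.
"""


def is_var(term):
    # Datalog convention: identifiers starting with a capital are variables.
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, env):
    """Match one rule atom against one ground fact under bindings `env`."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if p == "_":
            continue                      # anonymous variable
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def satisfy(body, facts, env=None):
    """Yield every binding environment that satisfies all atoms of a body."""
    env = env or {}
    if not body:
        yield env
        return
    for fact in facts:
        bound = unify(body[0], fact, env)
        if bound is not None:
            yield from satisfy(body[1:], facts, bound)


def derive(facts, rules):
    """Naive fixpoint: apply every rule until nothing new can be derived."""
    facts = set(facts)
    while True:
        new = set()
        for head, body in rules:
            for env in satisfy(body, facts):
                ground = tuple(env.get(t, t) if is_var(t) else t for t in head)
                if ground not in facts:
                    new.add(ground)
        if not new:
            return facts
        facts |= new


# Rules modelled on MulVAL's multi-stage reasoning (simplified, assumed form).
RULES = [
    # the attacker's zone reaches whatever the access-control list allows
    (("netAccess", "H", "Proto", "Port"),
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Proto", "Port")]),
    # code execution on H1 extends reachability to everything H1 may reach
    (("netAccess", "H2", "Proto", "Port"),
     [("execCode", "H1", "_"), ("hacl", "H1", "H2", "Proto", "Port")]),
    # a remotely exploitable bug in a reachable service yields its privilege
    (("execCode", "H", "Perm"),
     [("vulExists", "H", "Vul", "Sw", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Sw", "Proto", "Port", "Perm"),
      ("netAccess", "H", "Proto", "Port")]),
]

# Constructed input facts (what MulVAL would get from scanners and advisories).
FACTS = {
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", "80"),     # firewall: only 80 in
    ("hacl", "webServer", "dbServer", "tcp", "3306"),   # web tier reaches DB
    ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
    ("networkServiceInfo", "dbServer", "mysqld", "tcp", "3306", "mysql"),
    ("vulExists", "webServer", "bugWeb1", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "dbServer", "bugDb1", "mysqld", "remoteExploit", "privEscalation"),
}


def exec_code(facts=FACTS, rules=RULES):
    """Return the set of execCode(Host, Privilege) facts the rules derive."""
    return {f for f in derive(facts, rules) if f[0] == "execCode"}


if __name__ == "__main__":
    for fact in sorted(exec_code()):
        print(fact)
    # Patching the web server bug removes the only path into the DB tier.
    patched = {f for f in FACTS if not (f[0] == "vulExists" and f[1] == "webServer")}
    print("after patching webServer:", sorted(exec_code(patched)))
```

Run as written, the attacker starting on the internet gains execCode on the web server and, through the web server's access to port 3306, on the database server that the firewall never exposes directly. Removing the web server's vulExists fact removes both derivations, which is the what-if question a MulVAL analysis is meant to answer before a patch is scheduled.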

1.2 URL

MulVAL can be downloaded from http://people.cis.ksu.edu/~xou/argus/software/mulval/mulval1.tar.gz

1.3 Operating System supported

The current version of MulVAL has been tested on the Linux and Mac OS X operating systems.


1.4 Download

To run MulVAL, you need to have the following software installed, and make sure both the programs "xsb" and "dot" reside in your PATH.

• XSB: http://xsb.sourceforge.net/

• GraphViz: http://www.graphviz.org/.

• MySQL: http://dev.mysql.com/downloads

1.5 Installation

Follow these instructions for installation:

UNCOMPRESS: tar xzf mulval.tar.gz

BASIC SETUP: The environment variable MULVALROOT should point to this package's root folder. Include MULVALROOT/bin and MULVALROOT/utils in PATH.

COMPILATION: Type "make" to compile everything.


2 ARGUS : THE ALL SEEING

Argus is a system and network monitoring application. It will monitor nearly anything you ask it to monitor. It presents a nice clean, easy to view web interface that will keep both the managers happy and the techs happy. It can send alerts numerous ways and can automatically escalate if someone falls asleep. Argus was originally designed to monitor servers and network connections in a mission-critical ISP (Internet Service Provider) environment, and scales well from small businesses through large enterprises.

2.1 Features

• It is open-source available at no charge.

• It has a clean and intuitive web interface.

• The web pages can easily be understood by non-technical people.

• It can generate graphs of what is going on.

• It can monitor network connectivity (Ping test).

• It can monitor TCP/UDP ports.

• It can monitor a wide variety of TCP/UDP applications (HTTP, SMTP, RADIUS, ...).

• It can monitor the output or exit code of a program (Program test).

• It can monitor the content of a web page (such as a shopping cart application).

• It can monitor the authoritativeness of a nameserver.

• It can monitor SNMP OIDs (such as BGP status, UPS voltage, room temperature, ...)

• It can monitor the results of SQL queries.

• It can monitor itself.

• It can be extended to monitor things that the author didn’t think of.

• It can notify someone (or many people) when something happens

• It can escalate, and notify someone else, if things don’t get fixed.

• It can suppress alarms during known downtime (maintenance overrides).

• It will summarize and rate-limit multiple notifications to prevent paging-floods.

• It keeps historical statistics, for analysis or SLA verification.

• It scales well and can monitor many, many things.


• It can restrict users to viewing only certain items (user ”views”).

• It can restrict users access to certain features (access control).

• It can support IPv6.

• It can support SNMPv3.

• It can support l10n for your native language.

• It can support redundant multi-server configurations.

2.2 URL

http://argus.tcp4me.com/

2.3 Operating System compatibility

Argus has been tested with:

• perl 5.00503

• perl 5.6.0

• perl 5.6.1

• perl 5.8.0

• perl 5.8.1

• NetBSD

• FreeBSD

• Linux

• Solaris

• Mac OS X

Argus has also been confirmed to not work with:

• perl versions 1 - 4

• Microsoft Windows


2.4 Language used

Argus has the ability to display its web pages in the language of your choice. Argus ships with support for several languages, and support for additional languages can be easily added.

Configuring: When displaying web pages, the argus cgi program uses the language value set in the config file (lang), or set in the environment, and uses that to load a file.

The cgi program checks the environment variables LC_ALL, LC_ARGUS, and then LANG, in order, and uses the first one it finds. If none are set, it uses the value "default". Often, one of these environment variables will already be set correctly.

It then looks in the directory datadir/locale for a file by that name. If it cannot load the specified file, it will use English.

So, to configure your language of choice, you have 3 options:

• Add a line to your argus config like: lang: en_us

• Adjust the environment variables to match the correct filename. The variable will need to be set before starting your web server. How exactly to set environment variables for your web server is beyond the scope of this document.

• Adjust the name of the file in datadir/locale to match what argus is looking for (either the environment variable that is already configured or the value "default"). You can either rename or symlink the correct file to the desired name.

2.5 Download

Argus is fully open-source, and may be downloaded and used by anyone at no charge.

• Find the current stable version here: argus-3.7.tgz [14 Feb 2013 - 436K]

• The current development code is here: argus-dev-20121229.tgz

• Older versions are available here: http://www.tcp4me.com/code/argus-archive/

2.6 Installation

• Prerequisites that should be installed previously:

– perl: the software has been tested with 5.6.1 and should work with most other versions of perl 5 as well. Find perl at www.perl.org

– sendmail and qpage are recommended. Either or both can be used to send notifications. Find sendmail at www.sendmail.org and qpage at www.qpage.org


– fping is used by the Ping Monitoring module for ping tests. While this is not required, it is highly recommended. Find fping at www.fping.com

– a cgi capable web server, such as apache. Find apache at httpd.apache.org

– Berkeley DB and perl DB_File. Find DB at www.sleepycat.com; DB_File ships with perl.

– an understanding of UNIX file permissions and how to use and operate your webserver.

• unbundle the tarball

• run ./Configure

• run make

• as root, run make install

• create 2 files in the data directory:

– config

– users

• configure your web server be sure that

– data dir is writable by the www user (or whatever uid your web server runs as)

– copy icons to somewhere accessible by your web server (these locations get spec-ified in config file, above) or feel free to replace them with your own icons, or noicons at all.

• start the argus server by running argusd, or install the rc.argusd script as appropriate for your system.

• check the argus log file (datadir/log) and/or your syslog logs to verify that argus isoperating correctly.

• load the argus cgi interface in your web browser, and verify that everything is configuredcorrectly.

• perform any optional advanced configuration described in the advanced installationsection.

2.7 Configuring

A single config file, or a directory of separate config files, is created. By default, argus will look in the configured data directory for a file or subdirectory named config. This can be overridden with the -c command line option.


2.7.1 Config File Structure

The config file defines what and how things are monitored as well as the layout and relation-ships of the various items.

It contains various types of things:

• key-value pairs, aka. data:

    frequency: 300

• specifications of things to monitor, aka. Services:

    Service TCP/SMTP

• groups of services, aka. Groups:

    Group "Foo"
        hostname: foo.example.com
        Service TCP/SMTP
        Service TCP/HTTP

• alternate names for things, aka. Aliases:

    Alias "Foo" "Top:Servers:Foo"

  Aliases are described further in the advanced documentation.

• definitions of notification methods; notification methods are described in the notification documentation

• definitions of special features, such as DARP, the asynchronous resolver

In the config file, the parameter-value data must come first, followed by notification methods and special features, followed by groups and services.

2.7.2 Example

Example of config file is:


3 WIRESHARK

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. Wireshark is perhaps one of the best open source packet analyzers available today.

3.1 Features

At the time of this report the current stable release of Wireshark is 1.12.7. Some features of Wireshark are:

• Capture live packet data from a network interface.

• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.

• Import packets from text files containing hex dumps of packet data.

• Display packets with very detailed protocol information.

• Save packet data captured.

• Export some or all packets in a number of capture file formats.

• Filter packets on many criteria.

• Search for packets on many criteria.

• Colorize packet display based on filters.

• Create various statistics.
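As an added example of what the hex-dump import and display filters listed above do (example code, not Wireshark's own), the following parses a text dump in the offset-plus-bytes form that text2pcap accepts, decodes Ethernet/IPv4/TCP/UDP headers, verifies the IPv4 header checksum, and applies a tiny filter of the form "field == value and ...". The two packets in HEXDUMP are constructed; the filter syntax is a deliberately small subset of Wireshark's.

```python
"""Import packets from a text hex dump, decode them and filter them.

Added illustration of what Wireshark's hex-dump import and display filters
do under the hood; it is not Wireshark code. The dump format assumed here is
the one text2pcap accepts: each line is an offset followed by hex bytes, and
an offset of 0 starts a new packet. Both packets are constructed (an IPv4/TCP
SYN to port 80 and an IPv4/UDP query to port 53, each with Ethernet framing).
"""
import re
import struct

HEXDUMP = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
0010  00 28 00 01 00 00 40 06 f7 60 c0 a8 01 0a c0 a8
0020  01 14 c0 00 00 50 00 00 00 01 00 00 00 00 50 02
0030  72 10 00 00 00 00

0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
0010  00 1c 00 02 00 00 40 11 a9 0d c0 a8 01 0a 08 08
0020  08 08 c3 50 00 35 00 08 00 00
"""

LINE = re.compile(r"^\s*([0-9a-fA-F]{4,8})\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_hexdump(text):
    """Return a list of raw packets (bytes); offset 0 begins a new packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # blank lines, ASCII columns, comments
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current += bytes.fromhex(m.group(2).replace(" ", ""))
    if current:
        packets.append(bytes(current))
    return packets


def ip_checksum(header):
    """RFC 1071 one's-complement sum; 0 means the header verified correctly."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(packet):
    """Decode Ethernet/IPv4 plus TCP or UDP ports; None if not IPv4."""
    if len(packet) < 34 or packet[12:14] != b"\x08\x00":
        return None
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    fields = {
        "ip.src": ".".join(map(str, ip[12:16])),
        "ip.dst": ".".join(map(str, ip[16:20])),
        "ip.proto": ip[9],
        # a non-zero residual means the header was corrupted in transit or in the dump
        "ip.checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    transport = ip[ihl:total_len]
    if ip[9] in (6, 17):
        name = "tcp" if ip[9] == 6 else "udp"
        sport, dport = struct.unpack("!HH", transport[:4])
        fields[name + ".srcport"], fields[name + ".dstport"] = sport, dport
        if name == "tcp":
            fields["tcp.flags"] = transport[13]
    return fields


def display_filter(packets, expr):
    """Apply a tiny Wireshark-like filter: 'field == value [and ...]'.

    'tcp.port' / 'udp.port' match either the source or destination port.
    """
    clauses = [c.split("==") for c in expr.split(" and ")]
    out = []
    for fields in filter(None, map(decode, packets)):
        ok = True
        for name, value in clauses:
            name, value = name.strip(), value.strip()
            if name in ("tcp.port", "udp.port"):
                proto = name.split(".")[0]
                have = {fields.get(proto + ".srcport"), fields.get(proto + ".dstport")}
                ok &= int(value) in have
            else:
                ok &= str(fields.get(name)) == value
        if ok:
            out.append(fields)
    return out


if __name__ == "__main__":
    for fields in display_filter(parse_hexdump(HEXDUMP), "tcp.port == 80"):
        print(fields)
```

The checksum field is worth keeping in any importer: a hand-edited or badly copied dump silently produces packets that never existed on the wire, and a failed header checksum is the first sign of that.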

3.2 URL

http://www.wireshark.org

3.3 Operating system supported

• The current version of Wireshark should support any version of Windows that is still within its extended support lifetime; this includes Windows 8, 7, Vista, Server 2012, Server 2008 R2, Server 2008, and Server 2003. Older versions of Windows which are outside Microsoft's extended lifecycle support window are no longer supported.

• Wireshark currently runs on most UNIX platforms. Binary packages are available for most Unices and Linux distributions including the following platforms:

– Apple Mac OS X


– Debian GNU/Linux

– FreeBSD

– Gentoo Linux

– HP-UX

– Mandriva Linux

– NetBSD

– OpenPKG

– Red Hat Enterprise/Fedora Linux

– Sun Solaris/i386

– Sun Solaris/SPARC

– Canonical Ubuntu

3.4 Download

Wireshark can be downloaded from the link https://www.wireshark.org/download.html. Download the package that matches the configuration of the system.

3.5 Installation

To use Wireshark, we must:

• Obtain a binary package for your operating system, or

• Obtain the source and build Wireshark for your operating system.

• Build the source into a binary, if we have downloaded the source.

• Install the binaries into their final destinations.

After downloading Wireshark from the above link, execute the installer. Besides the usual installer options like where to install the program, there are several optional components.

3.6 Configuration

Wireshark is used to capture packets. Taking an example, the steps to capture packets are:

• Make sure we are allowed to capture packets from the network on which we are working.

• Set up the machine's configuration to be able and allowed to capture:

– Capture privileges: we must have sufficient privileges to capture packets, e.g. special privileges allowing capturing as a normal user (preferred) or root / Administrator privileges.

– Capture support: the operating system must support packet capturing, e.g. capture support is enabled / a capture driver is installed.

– Time zones: the computer's time and time zone settings should be correct, so the time stamps captured are meaningful (see the User's Guide section on time zones).

• Capture traffic "sent to" and "sent from" the local machine.

• Capture traffic destined for machines other than our own. Make sure you capture from a location in the network where all relevant traffic will pass through:

– Network topology: choose the right place in the network topology in order to get the required network traffic.

– Network media: there might be network media (Ethernet, PPP, ...) specific limitations.

– Promiscuous mode: must be switched on.

• Capture traffic using a remote machine. Remote capturing is currently very limited:

– Pipes: using a UNIX pipe and a different tool to capture from.

– WinPcap remote: using WinPcap's remote capturing feature (rpcapd).

– RMON: use SNMP's RMON to capture.


4 ARGUS

Argus is the network Audit Record Generation and Utilization System. The Argus Project is focused on developing all aspects of large scale network activity audit. Argus, itself, is next-generation network flow technology, going from packets on the wire to advanced network flow data, to network forensics data; all in support of Network Operations, Performance and Security Management.

4.1 Features

• Argus is composed of an advanced comprehensive network flow data generator, the Argus sensor, which processes packets and generates detailed network flow status reports of all the flows in the packet stream.

• It captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so we can store, process, inspect and analyze large amounts of network data efficiently.

• It provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows.

• It is used by many sites to generate network activity reports for every network transaction on their networks.

• The network audit data that it generates is great for security, operations and performance management. The data is used for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting covert channels, and analyzing zero-day events.
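As an added example of the packet-to-flow reduction described above (not Argus code), the following aggregates a constructed packet list into bidirectional flow records carrying a subset of the fields ra(1) prints. The packet tuples, the field names and the state labels (FIN, RST, REQ, CON, INT) are assumptions for the example.

```python
"""Reduce a packet stream to bidirectional flow records, Argus-style.

Added illustration of the data reduction the Argus sensor performs; this is
not Argus code, and the record layout is a simplified subset of what ra(1)
prints (StartTime, Dur, Proto, SrcAddr, Sport, DstAddr, Dport, SrcPkts,
DstPkts, SrcBytes, DstBytes, Rate, State). The packet list is constructed:
one HTTP session and one DNS query/response. State labels are assumptions.
"""
from collections import OrderedDict

# Constructed packet records: (time, src, sport, dst, dport, proto, bytes, tcp_flags)
PACKETS = [
    (0.000, "192.168.1.10", 49152, "93.184.216.34", 80, "tcp", 60, "S"),
    (0.050, "93.184.216.34", 80, "192.168.1.10", 49152, "tcp", 60, "SA"),
    (0.051, "192.168.1.10", 49152, "93.184.216.34", 80, "tcp", 52, "A"),
    (0.052, "192.168.1.10", 49152, "93.184.216.34", 80, "tcp", 300, "PA"),
    (0.120, "93.184.216.34", 80, "192.168.1.10", 49152, "tcp", 1400, "PA"),
    (0.121, "192.168.1.10", 49152, "93.184.216.34", 80, "tcp", 52, "A"),
    (0.500, "192.168.1.10", 49152, "93.184.216.34", 80, "tcp", 52, "FA"),
    (0.550, "93.184.216.34", 80, "192.168.1.10", 49152, "tcp", 52, "FA"),
    (1.000, "192.168.1.10", 50000, "8.8.8.8", 53, "udp", 70, ""),
    (1.030, "8.8.8.8", 53, "192.168.1.10", 50000, "udp", 120, ""),
]


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation meet."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def aggregate(packets):
    """Return one flow record per conversation, in first-seen order."""
    flows = OrderedDict()
    for t, src, sport, dst, dport, proto, size, flags in packets:
        key = flow_key(src, sport, dst, dport, proto)
        f = flows.get(key)
        if f is None:                      # the first packet fixes the direction
            f = flows[key] = {
                "stime": t, "ltime": t, "proto": proto,
                "saddr": src, "sport": sport, "daddr": dst, "dport": dport,
                "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0, "flags": set(),
            }
        f["ltime"] = t
        f["flags"].update(flags)
        if (src, sport) == (f["saddr"], f["sport"]):
            f["spkts"] += 1
            f["sbytes"] += size
        else:
            f["dpkts"] += 1
            f["dbytes"] += size
    return [finish(f) for f in flows.values()]


def finish(f):
    """Derive duration, rate and a state label once a flow is complete."""
    f["dur"] = round(f["ltime"] - f["stime"], 3)
    pkts = f["spkts"] + f["dpkts"]
    f["rate"] = round(pkts / f["dur"], 2) if f["dur"] > 0 else 0.0
    seen = f.pop("flags")
    if f["proto"] == "tcp":
        if "R" in seen:
            f["state"] = "RST"
        elif "F" in seen:
            f["state"] = "FIN"
        elif "S" in seen and f["dpkts"] == 0:
            f["state"] = "REQ"          # SYN never answered: scan or filtered port
        else:
            f["state"] = "CON"
    else:
        f["state"] = "CON" if f["dpkts"] else "INT"
    return f


if __name__ == "__main__":
    for rec in aggregate(PACKETS):
        print("{stime:>6} {dur:>6} {proto} {saddr}:{sport} -> {daddr}:{dport} "
              "{spkts}/{dpkts} pkts {sbytes}/{dbytes} bytes {state}".format(**rec))
```

Ten packets become two records, and the per-direction packet and byte counts plus the state label are what make flow data useful for the security cases listed above: a long run of REQ-state flows from one source to many ports is a scan, and a CON flow with thousands of bytes leaving a host that normally only receives is the kind of baseline deviation worth a closer look in the packet capture.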

4.2 URL

http://qosient.com/argus/

4.3 Operating System Compatibility

Argus is currently running on:

• Mac OS X

• Linux

• Solaris

• FreeBSD

• OpenBSD

• NetBSD


• AIX

• HP-UX

• VxWorks

• IRIX

• Windows (under Cygwin)

• OpenWrt

4.4 Download

Currently, the set of stable source code can be grabbed from these links:

• http://qosient.com/argus/src/argus-3.0.8.1.tar.gz

• http://qosient.com/argus/src/argus-clients-3.0.8.tar.gz

Download the files from these links and then follow the instructions of the installation process as defined below.

4.5 Installation

argus and argus-clients require the following packages to build:

gcc make bison libpcap libpcap-devel readline-devel flex

Once the dependencies are installed, perform the following build process:

    cd
    tar zxvf argus-latest.tar.gz
    cd argus-*
    ./configure
    make
    make install

    cd
    tar zxvf argus-clients-latest.tar.gz
    cd argus-clients-*
    ./configure
    make
    make install

4.6 Configuration

Argus accepts configuration options on the command line, but Argus is generally configured using the argus.conf file that is normally found in either /etc or ARGUSHOME. The variables that are set by this file can be overridden by the use of command line switches. On the command line you can specify an alternative configuration file using the "-F configfile" option. You can also ignore all configuration directives in the /etc/argus.conf file by using the -X option on the command line, so you have a lot of flexibility. To set up a /etc/argus.conf file, copy the example configuration to /etc and modify its values accordingly.

Argus can write flow records to more than one output file at the same time, each with its own filter expression. Use this command for this purpose:

    argus -w tcp.file "tcp" -w nottcp.file "not tcp"


5 HP WEBINSPECT

HP WebInspect is marketed as the industry-leading Web application security assessment solution designed to thoroughly analyze today's complex Web applications and Web services for security vulnerabilities. With broad technology coverage and application runtime visibility through the HP WebInspect Agent, HP WebInspect provides broad dynamic application security testing coverage and detects types of vulnerabilities that often go undetected by black-box security testing technologies. It is an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services.

5.1 Features

• Dynamic and runtime analysis: Go beyond black box testing: integrate dynamic and runtime analysis to find more vulnerabilities and fix them faster.

• Technology made simple: Optimize your testing resources. Advanced technologies, such as simultaneous crawl, bring professional-level testing to novice security testers.

• Compliance management: Easily inform management on vulnerability trending, compliance management, and ROI. Clearly communicate with development on the details and priorities of each vulnerability.

• Integration: Leverage prebuilt integrations for HP ALM and Quality Center and other security testing and management systems.

• On demand or on premise: Start quickly and scale as needed. HP WebInspect dynamic application security testing (DAST) is available on demand or as a licensed product.

• Centralized program management: Build an enterprise-wide AppSec program. WebInspect Enterprise establishes a shared service to centralize results while distributing security intelligence.

5.2 URL

http://www8.hp.com/in/en/software-solutions/webinspect-dynamic-analysis-dast/

5.3 Current Stable version

HP WebInspect 10.30


5.4 Operating System Compatibility

HP WebInspect supports Windows Server 2012, SQL Server 2012, ALM 11.5 and 11.52, as well as continued support for Windows 8.

5.5 Language used

.NET Framework 4.5.1 (common language runtime, CLR)

5.6 Download

HP Webinspect can be downloaded from:

https://saas.hp.com/signup/try/webinspect?utm_source=hp.com&utm_medium=referral&utm_term=webinspect&utm_content=try-flow&utm_campaign=hp-redirect

After downloading, follow the steps of the installation process as mentioned in the next section.

5.7 Installation

Some prerequisites for installation of HP WebInspect are:

• 2 GB RAM

• a Microsoft SQL Server instance

Install HP WebInspect. After the installation it opens the "License Wizard" and prompts us to add a license key. If we do not have a license key we can choose the 15-day trial version, for which an activation token will be sent to us by mail.


6 IBM WATCHFIRE

6.1 Features

6.2 URL

6.3 Operating System Compatibility

6.4 Language used

6.5 Download

6.6 Installation


7 IBM APPSCAN

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables us to identify security vulnerabilities and generate reports and fix recommendations.

7.1 Features

• Flash support: AppScan 8.0 has increased Flash support compared to its earlier versions. It can now explore and test applications based on the Adobe Flex framework. The AMF protocol is also supported.

• Glass box testing: This process installs an agent on the server which helps find hidden URLs and additional issues.

• Web services scanning: Web service scanning is one area where organizations are looking for more effective automated support, and AppScan has scored well in this area.

• JavaScript security analyzer: AppScan has introduced a JavaScript security analyser which analyses the crawled HTML pages for vulnerabilities and allows users to focus on different client-side issues and DOM (document object model) based XSS problems.

• Reporting: Based on your requirements, you can generate reports in desired formats and include desired fields in them.

• Remediation support: For the identified vulnerabilities, the program provides a description of the issue along with remediation notes.

• Customizable scanning policies: AppScan comes with a set of defined scanning policies.

• Tools support: It has tools like Authentication Tester, Token Analyzer, and HTTP Request Editor which come in handy when testing for vulnerabilities manually. It also supports the Ajax and Dojo frameworks.

7.2 URL

http://www-03.ibm.com/software/products/en/appscan

7.3 Operating System Compatibility

Supported operating systems (both 32-bit and 64-bit editions):

• Microsoft Windows Server 2012: Essentials, Standard and Datacenter

• Microsoft Windows Server 2012 R2: Essentials, Standard and Datacenter


• Microsoft Windows Server 2008: Standard and Enterprise, SP1 and SP2

• Microsoft Windows Server 2008 R2: Standard and Enterprise, with or without SP1

• Microsoft Windows 8.1: Pro and Enterprise

• Microsoft Windows 8: Standard, Pro and Enterprise

• Microsoft Windows 7: Enterprise, Professional and Ultimate, with or without SP1

• Linux and Mac OS

7.4 Language used

Language support on Windows. The IBM Security AppScan Source command line interface (CLI) supports scanning these languages:

• C/C++

• COBOL

• ColdFusion

• Java (including support for Android APIs)

• JavaServer Pages (JSP)

• JavaScript

• Perl

• PHP (Versions 4.x up to 5.3)

• PL/SQL

• T-SQL

• .NET ( ASP.NET, VB.NET) - Microsoft .NET Framework Versions 2.0, 3.0, 3.5, 4.0,and 4.5

• ASP (JavaScript/VBScript)

• Visual Basic 6

Language support on Linux. The IBM Security AppScan Source command line interface (CLI) supports scanning these languages:

• C/C++

• COBOL

• ColdFusion


• Java (including support for Android APIs)

• JavaServer Pages (JSP)

• JavaScript

• Perl

• PHP (Versions 4.x up to 5.3)

• PL/SQL

• T-SQL

Language support on OS X. The IBM Security AppScan Source command line interface (CLI) supports scanning these languages:

• Objective-C in Xcode projects and workspaces

• Java (including support for Android APIs)

• JavaServer Pages (JSP)

• JavaScript

7.5 Download

IBM AppScan can be downloaded from http://www-03.ibm.com/software/products/en/appscan. After downloading it, the installation instructions are followed as discussed below.

7.6 Installation

To run IBM appscan some prerequisite are:

• The system needs to have a minimum of 3 GB RAM.

• Install the .NET Framework and Adobe Flash Player to execute Flash content during scanning.

• Take a backup of all the data before proceeding with the scan, as an automated scanner sends loads of data to the server while the scan is in progress. It might delete files on the server, add new records or even bring the server down unintentionally.

To start the installation:

• Close any Microsoft Office applications that are open.

• Start AppScan setup. The InstallShield Wizard starts, and checks that your workstation meets the minimum installation requirements. Then the AppScan installation wizard welcome screen appears.

• Follow the wizard instructions to complete AppScan installation.


7.7 Configuration

This section describes standard application scan configuration using the wizard:

1 Launch AppScan.

2 In the Welcome Screen, click Create new Scan.

3 In the New Scan dialog box, verify that the Launch wizard checkbox is selected.

4 In the Predefined Templates area, click Default to use the default template.

5 Select Web Application Scan, and click Next for Step 1 of the three-stage setup.

6 Type in the URL where the scan will start.

7 Click Next to advance to Step 2.

8 Select Recorded Login, then click New. A message appears describing the procedure for recording a login.

9 Click OK. The embedded browser opens with the Record button pressed.

10 Browse to the login page, record a valid login sequence, and then close the browser.

11 In the Session Information dialog box, review the login sequence and click OK.

12 Click Next to advance to Step 3. At this stage you can review the Test Policy that will be used for the scan and multiphase scanning.

13 The In-Session Detection checkbox is selected by default, and text indicating that the response is "in-session" is highlighted. During the scan AppScan sends heartbeat requests, checking the responses for this text to verify that it is still logged in. Verify that the highlighted text is indeed proof of a valid session.

14 Click Next.

15 Select the appropriate radio button to start Automatic Scan, start with Manual Explore, or Later.

16 (Optional) By default the Scan Expert checkbox is selected so that Scan Expert will run when you complete the wizard. You can clear this to proceed directly to the scan stage.

17 Click Finish to exit the wizard.
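The caveat in step 13 is easy to get wrong in practice: if the "in-session" text also appears on the login page, the heartbeat never notices that the session has expired and the rest of the scan runs unauthenticated, so the authenticated parts of the application are never tested. The following added example (not AppScan code) validates a candidate marker against a constructed authenticated page and login page, and then replays a constructed heartbeat sequence to find where the session was lost.

```python
"""Check that an in-session marker really proves a valid session.

Added illustration of the in-session detection step above (not AppScan
code): the scanner's marker is text it expects only in authenticated
responses, re-checked on periodic heartbeat requests. The two page snippets
and the heartbeat sequence are constructed for the example.
"""

LOGGED_IN = """<html><body>
<h1>Welcome to Example Bank</h1>
<p>Signed in as alice. <a href="/account">My account</a> | <a href="/logout">Log out</a></p>
</body></html>"""

LOGIN_PAGE = """<html><body>
<h1>Welcome to Example Bank</h1>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form>
</body></html>"""


def in_session(body, marker):
    """True when the marker (a literal string) appears in the response body."""
    return marker in body


def validate_marker(marker, authenticated, unauthenticated):
    """A usable marker is present when logged in and absent when logged out.

    Returns (ok, reason) so the tester can see why a marker was rejected.
    """
    if not in_session(authenticated, marker):
        return False, "marker never appears in an authenticated response"
    if in_session(unauthenticated, marker):
        return False, "marker also appears on the unauthenticated page"
    return True, "marker distinguishes the two states"


def first_session_loss(heartbeat_responses, marker):
    """Index of the first heartbeat that no longer looks logged in, else None."""
    for i, body in enumerate(heartbeat_responses):
        if not in_session(body, marker):
            return i
    return None


if __name__ == "__main__":
    for candidate in ("Welcome to Example Bank", "Signed in as", 'href="/logout"'):
        print(candidate, "->", validate_marker(candidate, LOGGED_IN, LOGIN_PAGE))
    # Constructed heartbeat sequence: the session expires on the third check.
    beats = [LOGGED_IN, LOGGED_IN, LOGIN_PAGE, LOGIN_PAGE]
    print("session lost at heartbeat", first_session_loss(beats, 'href="/logout"'))
```

The site banner is the kind of text a wizard may highlight because it is prominent, yet it is on every page; the logout link or the "Signed in as" line is what actually changes with authentication state. Checking the candidate against a logged-out response, as validate_marker does, is the manual verification step 13 asks for.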
