Top Network Administrator Tools

Scanning Tools

Nmap
http://www.nmap.org

Nmap is a port scanner. A port scanner scans for open ports, such as 80 (http) or 25 (SMTP)

Port Scanners-Every computer program and utility that is designed to interact with a network is also assigned a specific port number. A port number can range from 1 to whatever the designer assigns. Your browser uses port 80 because this is the number assigned to HTTP. FTP is 21, mail or SMTP is 25 or 110 for POP3. Because ports are the entrance in anynetwork ready device they have to sometimes be blocked off to preventintrusion. This is where a port scanner comes into play. It can be aimed at a single IP address or an entire network to scan to see whichports are open and available. Because of this, many networkadministrators limit the number of ports to be used. There are several methods to closing off port access, either by blocking them on your workstation or server, through a security access-list from a router or firewall, or using port translation. (Port translation is where all incoming requests for say port 80 are translated to port 2080.) A network administrator uses a port scanner to test his or her networkas well as a hacker. Follow this LINK to a series of FREE Scanning tools.

Sam
Spade – www.samspade.org/

Sam Spade is a multi network query tool with many extra built in utilities, even a tool for spam. It includes utilities such as ping, whois, traceroute, and finger.

NetScanTools

Pro ($199)
http://www.netscantools.com/nstmain.html

NetScanTools Pro is an investigation tool that gathers information about the Internet or local LAN users, IP addresses, ports, and many other network specifics. NetScanTools Pro has a Port Scanner, Ping, Traceroute, OS Fingerprinting, NetScanner and custom ICMP packet generator. This tool tests systems and firewalls for vulnerabilities and exposed ports. This utility can also use NetBIOS info to look for open (writeable) Windows shares on the local area network.

SuperScan
http://www.foundstone.com/

SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver. Multithreaded and asynchronous techniques make this program extremely fast and versatile. The Foundstone Group as a multitude of free tools and is a division of McAfee.

NetCat
http://netcat.sourceforge.net/

NetCat is a featured networking utility, which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. This tool can also be used as a port sniffer.

Sniffers/Network Protocol Analyzer

Sniffers and network protocol analyzers capture packets so you can examine them. You can see what resource or port is being used, and where the requesting packets are originating. If a program is mailing spam from a computer, you will see the destination address and port 25 being used. Any program sending packets in or out of your system, a sniffer will capture its progress and display it in a report.

Ethereal
http://www.ethereal.com/

Ethereal is a powerful multi-platform networkers tool that can be used with Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called ethereal is included. This tool that hackers and network admins preferred tool.

EtterCap
http://ettercap.sourceforge.net/

Ettercap is a network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols. Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Snort
http://www.snort.org/

A free intrusion detection system (IDS) for the masses. Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.

WinDump / TCPDump
http://www.tcpdump.org/wpcap.html

WinDump is the porting to the Windows platform of TCPDump, the most used network sniffer/analyzer for UNIX. WinDump is fully compatible with TCPDump and can be used to watch and diagnose network traffic according to various complex rules. It can run under Windows 95/98/ME, and under Windows NT/2000/XP.

DSniff
http://naughty.monkey.org/~dugsong/dsniff/

DSniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Process Enumeration

Viruses, trojans, rootkits, and other host infections that have been executed can show up in processes inside the task manager, but not always. You cannot rely on the task manager to display all processes; this is why it is necessary to have a program that will detail all running processes. Here are a few programs that I like to use to flush out a hiding pest.

Fport
http://www.foundstone.com/

Fport is a great tool that I use often. It reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. Foundstone offers over 30 free networking tools to down load from there website.

PsTools
http://www.sysinternals.com/

PsTools is a suite of fantastic and dangerous (in the wrong hands) command line utilities made by Mark Russinovich for Windows. In the right hands, (computer professionals) PsTools can either automatic a computers shutdown, list a computer’s running processes, or kill a process. PsTools is a favorite of network pros and hackers alike. In this book I demonstrate the use of this tools on page:

The tools included in the PsTools suite, which are downloadable individually or as a package, are:

• PsExec - execute processes remotely
• PsFile - shows files opened remotely
• PsGetSid - display the SID of a computer or a user
• PsKill - kill processes by name or process ID
• PsInfo - list information about a system
• PsList - list detailed information about processes
• PsLoggedOn - see who's logged on locally and via resource sharing (full source is included) PsLogList - dump event log records
• PsPasswd - changes account passwords
• PsService - view and control services
• PsShutdown - shuts down and optionally reboots a computer
• PsSuspend - suspends processes
• PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo) - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
  

Tlist – Microsoft Resource Kit

Tlist is a task list viewer that can be found in Microsoft Recourse Kit. This tool displays a list of IDs, names, and windows of processes running on the local computer. Tlist is my main tool used in my arsenal of anti-hacker tools. It allows me to view not only the processes running on the system, but where the program is located within the server. Once you can isolate the alien program running on your system, you can use kill.exe, another Resource Kit tool to stop it so you can delete in from your system, or Pskill.exe to remove it.

Tasklist – Windows XP

Tasklist displays a list of applications and services with their Process ID (OID) for all tasks running on either a local or a remote computer.

Syntax

tasklist[.exe] [/s computer] [/u domain\user [/p password]] [/fo
{TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v]

Process Killer

Programs, alien or not, run as processes. Sometimes Windows will not allow you to delete a file if it is running as a process until you stop it first. Here a few programs that you can use to kill a process with.

PsKill.exe – From the PsTools suite of utilities.

Kill.exe – This tool can be found with Window Resource Kit.

TaskKill – Windows XP

TaskKill is an XP utility that allows you to end one or more tasks or processes. Processes can be killed by process ID or image name.

Syntax taskkill [/s Computer]
[/u Domain\User [/p Password]]] [/fi FilterName] [/pidProcessID]|[/imImageName] [/f][/t]

Wireless

Network Stumbler
http://www.stumbler.net/

Network Stumbler is a free Windows 802.11 (wireless) Sniffer. This tool finds open wireless access points, or “wardriving”, as it is most often referred to. They also distribute a WinCE version for PDAs known as Ministumbler. This tool is free but for Windows-only and no source code is provided by its maker.

AirSnort
http://airsnort.shmoo.com/

AirSnort is an 802.11 WEP encryption cracking tool for local area networks. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort is a Linux based program that can be installed on a Windows computer, but is a little tricky to do so.