TermProject ITSecurity2

Drexel University CT420 Term Project

Uploaded by

Brian Miller

Term Project

Analysis of Five Security Tools


By Brian Miller

Drexel University
Professor Shuyuan Mary Ho, Ph.D.
CT-420 IT Security 2
Fall Quarter 2010
Thursday, October 28th, 2010
Table of Contents
Abstract..........................................................................................................................................4
WinAudit v2.28.2...........................................................................................................................6
Steps to run WinAudit..............................................................................................................7
Advantages of WinAudit........................................................................................................11
Summary of WinAudit...........................................................................................................12
Secunia Personal Software Inspector (PSI) v1.5.0.2.................................................................14
Steps to run PSI......................................................................................................................15
Advantages of PSI...................................................................................................................18
Summary of PSI......................................................................................................................19
LanTricks LanSpy v2.0.0.155.....................................................................................................21
Steps to run LanSpy...............................................................................................................23
Advantages of LanSpy............................................................................................................26
Summary of LanSpy...............................................................................................................27
Malwarebytes’ Anti-Malware v1.46...........................................................................................29
Steps to run Anti-Malware....................................................................................................30
Advantages of Malwarebytes Anti-Malware........................................................................33
Summary of Malwarebytes’ Anti-Malware.........................................................................34
McAfee SiteAdvisor v3.2.0.152_p4.............................................................................................36
Steps to use McAfee SiteAdvisor...........................................................................................37
Advantages of McAfee SiteAdvisor.......................................................................................40
Summary of McAfee SiteAdvisor..........................................................................................41
Project Summary.........................................................................................................................42
Future Implications.....................................................................................................................44
End Note References....................................................................................................................46
Appendix A...................................................................................................................................47
Abstract........................................................................................................................................49
Microsoft Baseline Security Analyzer 2.2..................................................................................51
Steps to run MBSA.................................................................................................................53
Advantages of MBSA.............................................................................................................60
Summary of MBSA.................................................................................................................61
Microsoft TCPView 3.02.............................................................................................................63
Steps to run and interpret TCPView....................................................................................64
Advantages of TCPView........................................................................................................67
Summary of TCPView...........................................................................................................68
Microsoft Process Explorer v12.04............................................................................................70
Advantages of Process Explorer............................................................................................76
Summary of Process Explorer...............................................................................................77
Nessus v4.2.2 (Build 9129)...........................................................................................................79
Steps to run Nessus.................................................................................................................81
Advantages of Nessus.............................................................................................................86
Summary of Nessus.................................................................................................................87
Wireshark v1.2.10........................................................................................................................89
Steps to run a packet capture in Wireshark........................................................................91
Advantages of Wireshark.......................................................................................................95
Summary of Wireshark..........................................................................................................96

Page 2 of 160
SuperScan v4.0.............................................................................................................................98
Steps to run SuperScan........................................................................................................101
Advantages of SuperScan.....................................................................................................105
Summary of SuperScan........................................................................................................106
NEWT Professional v2.5...........................................................................................................108
Steps to run NEWT Professional.........................................................................................110
Advantages of NEWT Professional.....................................................................................114
Summary of NEWT Professional........................................................................................115
Snort v2.8.6.1..............................................................................................................................117
Steps to run Snort.................................................................................................................118
Advantages of Snort.............................................................................................................125
Summary of Snort.................................................................................................................126
Cain & Abel v4.9.36...................................................................................................................128
Steps to run Cain & Abel.....................................................................................................129
Advantages of Cain & Abel.................................................................................................135
Summary of Cain & Abel.....................................................................................................136
PGP Desktop v10.......................................................................................................................138
Steps to run PGP Desktop....................................................................................................141
Advantages of PGP Desktop................................................................................................150
Summary of PGP Desktop...................................................................................................151
Project Summary.......................................................................................................................152
Future Implications...................................................................................................................153
End Note References..................................................................................................................155

________
Abstract:
________

In this document, five IT security tools are analyzed. The tools analyzed are Parmavex Services’ WinAudit, Secunia Personal Software Inspector (PSI), LanTricks LanSpy, Malwarebytes’ Anti-Malware, and McAfee SiteAdvisor. We will explore each tool’s use, advantages, disadvantages and overall complexity. In addition, a tutorial of each tool will be given with screenshots and instructions for use.

WinAudit v2.28.2

________________
WinAudit v2.28.2:
________________

WinAudit is an easy-to-use Windows auditing tool that conducts an in-depth audit of the hardware and software configuration of a computer. WinAudit is a single executable utility approximately 1MB in size and is compatible with the following operating systems:

• Windows NT
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

The utility can be downloaded from this location: http://winaudit.zymichost.com/index.html (WinAudit Freeware v2.28.2, 2009)

When you start the utility, you will see a statement that says “To audit your computer click Here”. After the scan has completed, the resulting report contains details on installed software, license information, peripherals, memory usage, processor model, network settings, startup programs and more. The report can be viewed from within the application or exported to a text file, an HTML web page or a CSV file to be imported into Excel, sent via email, or even exported directly to a database via an ODBC connection. The utility is not processor intensive and takes only a short amount of time to complete.

Steps to run WinAudit:

1. When you first execute WinAudit, be sure to configure the scan options by clicking the icon. This will display the scan options screen:

Check off the various options that you would like to scan for; when you are finished, click the “Apply” button.

2. Once you have configured your options, click the link to start the scan:

3. WinAudit will begin to scan your computer:

4. After a short time the scan will finish and display the results in a split-screen format. For example, the first highlighted section will be the “System Overview”:

5. There are various categories in list format in the left pane, which you can drill down into and see the results on the report side of the screen:

6. If you wish to save the results, you can click the save icon, which will give you the opportunity to save in these formats:

Additionally, you can click the email icon to automatically populate an email message in your default email client and send it to whomever is needed. Lastly, you can select database export from the File menu:

This will display a dialog box for connecting to an ODBC source to export the reports to a database:

Advantages of WinAudit:

• The program is free.
• Effective for the supported products.
• Easy to use.
• Exports the report to multiple formats, for example CSV/HTML/PDF/XML.
• It can export to a database.
• It can auto-populate an email with the content of the report.
• The program is portable.

Disadvantages of WinAudit:

• It only scans Microsoft Windows computers.

Summary of WinAudit:

WinAudit is a simple computer auditing tool that details the hardware and software configuration of any Windows computer. It is a single executable program that does not require any installation, which makes it highly portable. There are plenty of configurable options for scan properties. Once the report is generated, the results can be exported to a multitude of formats including CSV (for import to Excel), HTML, PDF, and XML. There is also an option to auto-populate an email or export the results data directly into a database via an ODBC connection. The program provides a lot of detail about a computer for being a single executable program. This fact and its portability make this utility a personal favorite among IT security professionals.

Secunia Personal Software Inspector (PSI) v1.5.0.2

____________________________________________
Secunia Personal Software Inspector (PSI) v1.5.0.2:
____________________________________________

The Secunia PSI software is a free security tool designed to scan for and detect vulnerable or out-of-date programs that may be susceptible to attack. The PSI software scans your computer and generates a list of programs that are out of date and have security fixes issued for them. PSI automates this and alerts you when your programs and plug-ins require updating to stay secure. The PSI installation file is small in size at 738KB and is compatible with the following operating systems:

• Windows NT
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

PSI can be downloaded from this location: http://secunia.com/vulnerability_scanning/personal/ (Secunia Personal Software Inspector (PSI), 2010)

PSI provides extensive details on the software installed on your computer and gives you direct links to update programs that are older and potentially not secure. PSI offers users a simple or advanced layout. The simple interface provides basic information about the installed programs, with a chart to detail their security over time and a listing of any errors. The Advanced layout tab exposes more details and more updates. It also checks your Microsoft XML and Adobe Flash Player installations, and other programs, looking for mission-critical holes and their respective updates. Installed programs get flagged as Patched, End-of-Life, or Insecure, with the most recent reported threat noted with a colored bar and a mouse-over label in the right column. The program is not very processor intensive and completes a scan in a reasonable amount of time.
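The Patched / End-of-Life / Insecure classification described above comes down to comparing each installed version against the lowest fixed version in an advisory database. The following is an added example, not Secunia's code; the advisory table, product names and versions in it are constructed sample data, not real advisories:

```python
"""PSI-style software inventory check (added example, not Secunia's code).

Every product name, version and advisory below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PATCHED, INSECURE, END_OF_LIFE = "Patched", "Insecure", "End-of-Life"


@dataclass(frozen=True)
class Advisory:
    """One entry of a hypothetical advisory database."""
    # Lowest version that carries the fix. None means the vendor no longer
    # maintains the product line, so every installed version is End-of-Life.
    fixed_in: Optional[str]
    note: str


# Constructed advisory database keyed by product name; none of these are real.
ADVISORIES: dict[str, Advisory] = {
    "Example Flash Player": Advisory("10.1.85", "update to 10.1.85 or later"),
    "Example XML Parser": Advisory("6.20.2003", "update to 6.20.2003 or later"),
    "Example Legacy Viewer": Advisory(None, "vendor ended support; uninstall or replace"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '10.1.85' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so 1.5 == 1.5.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def classify(program: str, installed: str) -> tuple[str, str]:
    """Classify one installed program as Patched, Insecure or End-of-Life.

    A program with no advisory is treated as Patched, mirroring a scanner
    that only flags what its database knows about.
    """
    adv = ADVISORIES.get(program)
    if adv is None:
        return PATCHED, "no known advisory"
    if adv.fixed_in is None:
        return END_OF_LIFE, adv.note
    if compare_versions(installed, adv.fixed_in) < 0:
        return INSECURE, adv.note
    return PATCHED, "fixed version or later is installed"


def scan(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group an installed-software inventory into the three PSI-style tabs."""
    tabs: dict[str, list[str]] = {PATCHED: [], INSECURE: [], END_OF_LIFE: []}
    for program, version in sorted(inventory.items()):
        status, _note = classify(program, version)
        tabs[status].append(f"{program} {version}")
    return tabs


# Constructed inventory standing in for what an installed-programs walk returns.
SAMPLE_INVENTORY = {
    "Example Flash Player": "10.0.45",     # older than the fixed version
    "Example XML Parser": "6.20.2003",     # exactly the fixed version
    "Example Legacy Viewer": "4.0",        # unsupported product line
    "Example Text Editor": "1.2",          # no advisory on file
}

if __name__ == "__main__":
    for tab, items in scan(SAMPLE_INVENTORY).items():
        print(f"{tab}: {items}")
```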

Steps to run PSI:

1. To run PSI, select it from your Start menu. The program will open and you can choose to start a scan of your PC:

2. The scan will complete and display a message on the screen:

3. Now you must analyze the results of the scan:

4. The threat level is indicated by the graphic, which is color coded with green being the lowest and red being the highest threat. Clicking the solution button on the line item opens Internet Explorer (or your default browser) and navigates to the correct location to resolve the found security threat. This is typically the site where you can download the newest version of the application that was found to be vulnerable.

5. In addition, if you register with Secunia, you can click the forum icon and be taken to an online discussion forum for the application in question to see what others are encountering, if anything, with the application.

6. You can switch to advanced mode by clicking on the “ADVANCED” link in the top right corner of the application. An informational message saying that this interface is for more technologically advanced users will be displayed. Within the advanced interface you have the following tabs:

7. The Insecure tab displays the most popular and vulnerable programs installed on the computer:

You can click the icon next to the identified program to see all the technical details about the program and specifically why it has been identified as a potential threat. You can accomplish the same by clicking on the series of icons that will either direct you how to resolve the issue or give you more specific information on the specific threat.

8. The “End-of-Life” tab displays the applications that have reached the end of continued production and offers links to the final versions of the software:

9. The “Patched” tab offers a look at all detected software installed on the system and displays the patch status for each. You can again click on the icon to expand the details of the particular program.

10. After the initial scan and your assessment of the vulnerabilities, you can work your way through and install all of the patches or updates to the installed software. When you close the PSI interface it will continue to run in the background, displaying its icon in the computer’s system tray.

Advantages of PSI:

• The program is free.
• Effective for the supported products.
• Easy to use.
• Provides incredible detail about vulnerabilities found, with direct links to solutions.
• There is a forum link to an online collaboration site discussing the particular program.
• Provides detail on end-of-life products.

Disadvantages of PSI:

• It only scans Microsoft Windows computers.
• Requires administrative rights on the computer to install the necessary software updates.

Summary of PSI:

Secunia PSI is software that scans the host computer for security vulnerabilities within the installed programs. The software maintains an up-to-date threat database for what seems to be any program that is installed on the system. The interface is professional looking and provides great detail on the results of the scan. Each application that is scanned and found to have an issue that can be resolved by applying the newest version is given a direct link to the software download location from the manufacturer. By switching to advanced mode, more specific details are given about the threat. The detail will show the actual files, such as DLLs, that are affected by the threat. If you need assistance with a particular application, PSI provides a link to a forum-based online discussion board about the product. There you can pose questions to others about any issues or concerns you may have.

This is a great product and does a superb job of accurately describing any threats found from the system scan. With clear instructions and direct links, this program should be considered for both home and office use.

LanTricks LanSpy v2.0.0.155

__________________________
LanTricks LanSpy v2.0.0.155:
__________________________

LanTricks LanSpy is a network scan utility that provides in-depth details of the systems that are targeted, all from a single easy-to-use interface. LanSpy is a simple yet powerful network auditing tool that will scan systems for processes, installed applications, shares, open ports, users and groups, along with many other details. The LanSpy installation is small in size at 1.1MB and is compatible with the following operating systems:

• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition

LanSpy is made for gathering the following information about a remote computer:

• Ping
• Domain name
• NetBIOS names
• MAC address
• Server information
• Domain (workgroup) information
• Domain controllers
• Remote control
• Time
• Disks
• Users
• Logged users
• Global groups
• Local groups
• Security options
• Shared resources
• Sessions
• Open files
• Services
• Processes
• Registry
• Event log
• TCP port scanner
• UDP port scanner

The utility can be downloaded from http://lantricks.com/lanspy/ (LanSpy, 2010)

Once you open the utility you can configure options such as authentication and the detection parameters. The program is not processor intensive and can remotely scan other workstations or servers as well. For a simple utility it is quite effective for its purpose. For these reasons it is one of the utilities I use often to remotely audit certain workstations.

Steps to run LanSpy:

1. Open LanSpy from the programs menu and first choose to set up your options from the File menu:

In the options interface set up the scan properties, authentication, the operations to perform, and what ports to scan.

2. Next, define the subnet range you wish to scan:

For the purposes of this tutorial I have chosen my localhost. Click the icon to start the scan process.

3. You will notice in the lower pane the status of the various scan operations:

4. Once the scan operations complete, you can analyze the results. By clicking the icon you can expand the selection to view what was discovered:

For instance, in this scan we see that at this particular moment the following ports are open:

5. As an administrator, for auditing purposes you can export the findings to formats such as XML or HTML from the File menu:

Advantages of LanSpy:

• The program is free.
• Effective for the supported products.
• Easy to use.
• Provides extensive auditing detail about scanned systems.
• The utility is not processor intensive.
• The utility has the ability to scan an entire subnet or individual systems from remote locations.
• You can export the audit results to XML or HTML format.

Disadvantages of LanSpy:

• It only scans Microsoft Windows computers.
• Requires administrative rights on the computer being scanned.

Summary of LanSpy:

LanTricks LanSpy is a network scan utility that is great for conducting quick audits of local or remote systems. The program is small in size and is easily configured. By specifying an administrative account, local or domain level, you can scan the selected systems for a wide range of details such as open ports, users and groups, shared resources and much more. Once the results are displayed they can be analyzed and saved in HTML or XML format for future reference. The program is simple, quick and effective for what it is supposed to accomplish, all without being processor intensive or intrusive to the end system. This is a great utility to have for any systems security professional.

Malwarebytes’ Anti-Malware v1.46

_______________________________
Malwarebytes’ Anti-Malware v1.46:
_______________________________

Malwarebytes’ Anti-Malware is a utility to fight what its name implies: malware. This anti-malware utility is free and incredibly effective for its purpose. The utility program is about 6MB in size, which makes it small and powerful. Malwarebytes maintains a current database of known malware definitions that the program downloads on a regular basis to keep up to date. It is a relatively speedy malware remover, with the quick scan taking about 8 minutes even with other high-resource programs running. The heuristics engine proved that it was capable of determining the difference between false positives and dangerous applications. It supports scanning of multiple drives including networked drives, context menu options including a scan-on-demand for individual files, and the FileAssassin option under the More Tools section for removing locked files. The interface is easy to use and professional looking, with the layout organized in a pleasant manner. The Anti-Malware installation file is small in size at 6MB and is compatible with the following operating systems:

• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

Anti-Malware can be downloaded from this location: http://www.malwarebytes.org/ (Malwarebytes Anti-Malware, 2010)

There are free and paid versions of this product. The free version supports on-demand scans and the ability to remove malware. The paid version supports real-time monitoring and prevention of malware being installed on your system. Still, the free product is highly effective in the removal of malware.

Steps to run Anti-Malware:

1. Open Malwarebytes Anti-Malware from the programs menu and select the “Update” tab. The first operation you will want to complete is updating the malware definitions from the Malwarebytes online location:

2. Once the database has updated, from the “Scanner” tab run a quick scan:

You will then notice progress as the scan is running. It will display real-time statistics:

As the scan continues, pay attention to the number of objects infected. This will be displayed again later but gives you a first look:

After some time the following message will display:

3. Next click on the button to view what has been determined as malware on your system. My system yielded only four potential issues, which I will have to research:

4. If you have determined that the entries are in fact a threat to your system, you can click the button to have Anti-Malware automatically remove the offending software or registry entries. If files are in use, the software will likely indicate a need for a reboot. In my particular instance it was not needed.

5. Lastly, if locked files are a problem, on the “More Tools” tab you can choose to run FileASSASSIN:


Advantages of Malwarebytes Anti-Malware:

• The program has a free version.
• Effective for the supported products.
• Easy to use.
• Malwarebytes maintains a current malware definition file for the product.
• The program automatically removes the selected entries for you.
• There is a built-in utility for dealing with locked files.
• The purchased version allows for real-time monitoring and prevention services against malware.

Disadvantages of Malwarebytes Anti-Malware:

• It only scans Microsoft Windows computers.
• Requires administrative rights on the computer being scanned.
• The utility is a little processor intensive.
• You have to purchase the full version for real-time threat prevention.

Summary of Malwarebytes’ Anti-Malware:

Malwarebytes’ Anti-Malware is a very powerful malware threat scanning utility that conducts in-depth analysis of systems and displays the results in a professional-looking interface. Malwarebytes maintains a current online database of potential threats from which the Anti-Malware program updates. The program will scan the registry, running processes and all of the files on selected systems. The most in-depth profile will be created if one selects the full scan option. This will scan the entire system from top to bottom. The quick scan will target high threats and all the processes that are running. After the scan completes, the findings are clearly presented with the option to automatically remove them.

The scan can take a while depending on which options you choose and is a little processor intensive. However, this utility is absolutely essential in any IT security professional’s arsenal for preventative maintenance against the spread of malware. This particular product along with HijackThis is among the top performers against malware.

McAfee SiteAdvisor v3.2.0.152_p4

______________________________
McAfee SiteAdvisor v3.2.0.152_p4:
______________________________

McAfee’s SiteAdvisor is a utility that allows you to surf the Internet with confidence. The product helps guard against exposing yourself to intrusive programs, malware and online scams. SiteAdvisor is a free online safety service provided by McAfee that provides safety rankings for sites you visit or sites displayed in search results. SiteAdvisor integrates nicely into Microsoft Internet Explorer and Mozilla Firefox. The installed safety button changes color depending on the safety level of the site you are visiting. Green means go, it's safe. Yellow means proceed with caution, and red means don't go there, ever. A question mark means the site is not yet rated. These same safety levels are provided alongside individual Internet search results. If you do a search in Google, MSN, Yahoo, AOL, or Ask.com, SiteAdvisor adds an icon next to each resulting link so you can tell at a glance whether it leads to a good site, a suspect site, or a downright bad one.

McAfee SiteAdvisor supports:

• Internet Explorer 5.5-8.0 running under Windows 98/ME/2000/XP/Vista/7
• Mozilla Firefox 1.0.7-3.6.11 running under Windows 98/ME/2000/XP/Vista/7, Linux and Mac OS X.

The installation file is small at about 6.5MB and can be downloaded from this location: http://www.siteadvisor.com/ (McAfee SiteAdvisor, 2010)

The program is not invasive or processor intensive at all. It is simply a plug-in that integrates with Internet Explorer or Firefox. The product is lightweight yet very effective for what it is intended to do. McAfee SiteAdvisor delivers exactly what is promised, web site safety rankings, with no unwanted tradeoffs in performance.

Steps to use McAfee SiteAdvisor:

1. After the installation of SiteAdvisor, when you open a browser window you will now see the McAfee toolbar in the top right:

2. Open the options and go through each tab to make sure your settings are the way you want them. For most, the default options will suffice:

3. There are different levels of threats. These levels are represented by different colors on the McAfee toolbar and browser icons:

4. When you are conducting searches on Google or any other search engine, you will see one of these colored icons indicating the rating of the site. If you hover your mouse over the color indicator, information about the rating is displayed:

The most important rankings to be aware of are the red icons, which are sites you should avoid:

5. In addition, you can view the report on a particular site by clicking “View Site Report” from the drop-down menu on the toolbar:

This report shows that McAfee either approves or disapproves of the site:

Lastly, the report provides feedback from the user community about the website:

Advantages of McAfee SiteAdvisor:

• The program has a free version.
• Effective for the supported products.
• Easy to use.
• Helps protect against spyware and adware.
• Alerts on potentially malicious web sites.
• Provides safety ratings for search results.
• Helps filter safe web sites from not-so-safe web sites.
• Helps to identify nefarious phishing scam sites.
• Runs on Windows, Linux and Mac operating systems.

Disadvantages of McAfee SiteAdvisor:

• You have to purchase the full version for more advanced options and customizations.

Page 42 of 160
Summary of McAfee SiteAdvisor:

The McAfee SiteAdvisor product detects what sites are being visited or searched for and provides a ranking of each of those sites with respect to a security threat. The program is small in size and is not processor intensive. It is a simple browser plug-in that is compatible with Microsoft Internet Explorer and Mozilla Firefox and runs on major Operating Systems such as Windows, Linux and Mac. SiteAdvisor helps guard against exposure to sites hosting potentially intrusive programs, malware, and online scams. Colored icons next to individual search results help you quickly identify potentially risky sites. The product also automatically updates to provide guidance for newly discovered sites. This simple browser plug-in can save users and administrators alike a lot of time by deflecting the possibility of harmful sites loading malicious content on computers. I would highly recommend installing and actively paying attention to the warnings given by SiteAdvisor.
Project Summary:

In this paper we reviewed Parmavex Services’ WinAudit, Secunia Personal Software Inspector (PSI), LANTricks LANSpy, Malwarebytes’ Anti-Malware, and McAfee SiteAdvisor. The objective of this document was to review in detail all of the referenced programs and, in doing so, learn the importance of computer security and gain more insight into system and network vulnerabilities.

Each of these programs was effective for what it is designed to accomplish.

WinAudit provided in-depth analysis of the systems that were scanned. This is helpful for conducting quick audits. Plus, the program is portable. The results can be exported for future reference, making this a utility that should be kept.

PSI is designed to give users or administrators greater control over programs that have known vulnerabilities or have product patches available. This product did what it was supposed to accomplish. The interface was easy to use and navigate and presented clear instructions on how to fix what was identified. I would recommend this product to anyone.

LANTricks LANSpy is a simple utility for scanning remote systems and generating a list of specifics about the system such as open ports, shared resources, users and groups, and running processes. This product was not as good as I thought it would be but is still a good utility for a quick scan of remote systems.

Malwarebytes’ Anti-Malware scans the host computer for known malware threats. This program is highly effective and is one of my favorite utilities in the field. The interface is easy to follow and professional looking. Malwarebytes maintains an up-to-date definition file that the program updates on a regular basis. This is one of those essential tools that all support professionals need. After all, we all know how users just love to browse the Internet without any concerns. This fact leads us into the next product reviewed, McAfee SiteAdvisor.

McAfee SiteAdvisor is a very helpful program that, when installed, adds a plug-in to Internet Explorer and/or Mozilla Firefox. The program is designed to guide you through the hazards of the Internet by providing a stop-light-like visual of the rating of each site. The “green” sites are obviously the safest. SiteAdvisor also works with search engine results. When the results are displayed, the SiteAdvisor rating engine displays the appropriate symbol next to the link of the site. Users of all ages could benefit from having this utility installed and paying attention to the site ratings.

Overall, I was pleased with each of the products reviewed. The Anti-Malware program was probably the most processor intensive, but only for the duration of the scan. I have been aware of all of these products and use them on a semi-regular basis. I would recommend that any user or engineer have these applications in their arsenal of IT Security related products.
Future Implications:

Systems and Network Engineers and users alike have the responsibility to keep data safe and securely transmitted so that this data is not stolen or compromised. Every computer user across the planet should also share this responsibility. Security audit tools in general can be used to thwart malicious individuals’ intentions of stealing data or identities, thus creating a more secure Internet infrastructure for all to use.

In order to be successful in securing data and communication, the correct tools need to be in place. The tools reviewed in this document are a good place to start. The future of security auditing tools needs to focus on hardening all systems and communication. Products like Anti-Malware, PSI and SiteAdvisor provide a great way to protect against system vulnerabilities. With these three products you have a hardened system with no malware, software applications that are up to date, and a virtual guidance counselor directing you safely through the vastness of the Internet.

Proper auditing of systems and networks is another primary focus of IT Security professionals. Products such as WinAudit and LANSpy can conduct these audits on local systems or remotely and have that data exported to various formats for future reference or analysis. These audits should be conducted on a regular basis.

Let’s also not forget about IT policies. For security to be truly effective, especially in the corporate environment, you need to have well written and highly detailed IT security policies. Make it mandatory to conduct security audits and to relay to employees the proper use of systems, email, the Internet and the data that they interact with.

Security audits and tools in general will only get better. As we gain experience and knowledge, IT professionals will no doubt build upon those experiences and design even more efficient security programs and auditing utilities. The ultimate goal is to have a completely secure public and private infrastructure. Hopefully, with hard work, research and ingenuity, IT professionals will continue forward with great ideas and security implementations.
End Note References:

LanSpy. (2010). Retrieved October 25, 2010, from LanTricks: http://lantricks.com/lanspy/

Malwarebytes Anti-Malware. (2010). Retrieved October 25, 2010, from Malwarebytes: http://www.malwarebytes.org/

McAfee SiteAdvisor. (2010). Retrieved October 25, 2010, from McAfee: http://www.siteadvisor.com/

Secunia Personal Software Inspector (PSI). (2010). Retrieved October 25, 2010, from Secunia: http://secunia.com/vulnerability_scanning/personal/

WinAudit Freeware v2.28.2. (2009). Retrieved October 23, 2010, from Parmavex Services: http://winaudit.zymichost.com/index.html
Appendix A
Final Exam Project
Analysis of Ten Security Tools
By Brian Miller

Drexel University
Professor Irv Schlanger
CT-395 IT Security 1
Summer Quarter 2010
Tuesday, August 31st, 2010

(Final Exam Project Grade from I.T. Security 1: 97%)

________
Abstract:
________

In this document, ten IT Security Tools are analyzed. The tools analyzed are Microsoft Baseline Security Analyzer (MBSA), Microsoft TCPView, Microsoft Process Explorer, Nessus, Wireshark, Foundstone (McAfee) SuperScan, NEWT Professional, Snort, Cain & Abel, and PGP Desktop 10. We will explore each tool’s use, advantages, disadvantages and overall complexity. In addition, a tutorial of each tool will be given with screen shots and instructions for use.
Baseline Security Analyzer
(MBSA v2.2)
____________________________________
Microsoft Baseline Security Analyzer 2.2:
____________________________________

Baseline Security Analyzer (MBSA) from Microsoft is a free scan tool for easily assessing the security state of Windows computers. The file size is small at 1.6 MB. MBSA includes a graphical and a command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.2 runs on:

• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

MBSA scans for missing security updates, update rollups and service packs that are readily available from Microsoft Update, and it includes a 64-bit installation. The security update and vulnerability assessment checks are run against a list of less secure settings and configurations for most Microsoft products. MBSA will not scan for or report missing non-security updates, tools or drivers.

MBSA provides a checklist of missing patches or updates and of configuration problems or concerns. The security report generated by MBSA includes the sections "What was scanned", "Result details" and "How to correct this", which describe the important details.
Some of what MBSA checks for is listed below:

• Windows security updates.
• Internet Explorer security updates.
• Windows Media Player security updates.
• Microsoft Office security updates.
• File system type on hard drives.
• Whether the Auto Logon feature is enabled.
• Whether the Guest account is enabled.
• Number of local Administrator accounts.
• Blank or simple local user account passwords.
• Whether unnecessary services are running.
• Whether the Firewall is enabled.
• Whether Automatic Updates is enabled.
• The Internet Explorer security zone settings for each local user.
• Whether Internet Explorer Enhanced Security Configuration is enabled for Administrators.
• Whether Internet Explorer Enhanced Security Configuration is enabled for non-Administrators.
• The Office products security zone settings for each local user.
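As an added example that is not part of this paper or of MBSA itself, the following PowerShell script performs a handful of the configuration checks in the list above and grades them with the same red (critical failure), orange (non-critical failure) and green (passed) outcomes that the MBSA report uses (see Reading the report below). It assumes Windows 10 or Windows Server 2016 or later with the built-in LocalAccounts and NetSecurity modules, run from an elevated prompt; the severity assigned to each check and the "more than two administrators" threshold are this example's own assumptions.

```powershell
# Added example, not part of the original paper or of MBSA. Assumes Windows 10 / Server 2016+
# with the LocalAccounts and NetSecurity modules, run from an elevated PowerShell prompt.
# Severity assignments and the admin-count threshold below are this example's assumptions.

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Severity, [string]$Detail)
    # Mirror the MBSA report icons: red = critical failure, orange = non-critical failure,
    # green = check passed.
    $result = if ($Passed) { 'Green' } elseif ($Severity -eq 'Critical') { 'Red' } else { 'Orange' }
    [pscustomobject]@{ Check = $Check; Result = $result; Detail = $Detail }
}

function Test-AutoLogon {
    # "Auto Logon feature is enabled": AutoAdminLogon under Winlogon set to 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoAdminLogon
    $enabled = ("$value" -eq '1')
    New-CheckResult -Check 'Auto Logon disabled' -Passed (-not $enabled) -Severity 'Critical' `
        -Detail "AutoAdminLogon = '$value'"
}

function Test-GuestAccount {
    # "Guest account is enabled".
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $guest -and $guest.Enabled)
    New-CheckResult -Check 'Guest account disabled' -Passed (-not $enabled) -Severity 'Non-critical' `
        -Detail "Guest enabled = $enabled"
}

function Test-LocalAdministrators {
    # "Number of local Administrator accounts". The threshold of two is an assumption.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    New-CheckResult -Check 'Local Administrators group size' -Passed ($members.Count -le 2) `
        -Severity 'Non-critical' -Detail ("Members: " + ($members.Name -join ', '))
}

function Test-PasswordExpiry {
    # The non-critical example in the MBSA report: an enabled account whose password never expires.
    $never = @(Get-LocalUser | Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires })
    New-CheckResult -Check 'Passwords expire' -Passed ($never.Count -eq 0) -Severity 'Non-critical' `
        -Detail ("Never expire: " + ($never.Name -join ', '))
}

function Test-Firewall {
    # "Firewall is enabled": every profile (Domain, Private, Public) must be on.
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    New-CheckResult -Check 'Firewall enabled on all profiles' -Passed ($off.Count -eq 0) `
        -Severity 'Critical' -Detail ("Disabled profiles: " + ($off.Name -join ', '))
}

function Test-AutomaticUpdates {
    # "Automatic Updates is enabled": the critical example in the MBSA report. Simplified here
    # to "the Windows Update service is not disabled"; a full check would also read update policy.
    $svc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    $ok = ($null -ne $svc -and "$($svc.StartType)" -ne 'Disabled')
    New-CheckResult -Check 'Automatic Updates available' -Passed $ok -Severity 'Critical' `
        -Detail ("wuauserv StartType = " + $(if ($svc) { $svc.StartType } else { 'missing' }))
}

function Invoke-BaselineChecks {
    # Run every check and return the result objects (pipe to Format-Table for a report view).
    Test-AutoLogon
    Test-GuestAccount
    Test-LocalAdministrators
    Test-PasswordExpiry
    Test-Firewall
    Test-AutomaticUpdates
}

Invoke-BaselineChecks | Format-Table -AutoSize
```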

Requirements:

• The computer must be running Windows 2000 Service Pack 3 or later, Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008 and R2 Edition.
• The "Workstation" and "Server" services must be enabled.
• MBSA requires an Internet connection as it downloads the security update catalog from the Microsoft Web site in the form of a cabinet file called wsusscan.cab.
• You must have local administrative privileges on the computer being scanned.

Steps to run MBSA:

You may obtain MBSA from the following link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=02be8aee-a3b6-4d94-b1c9-4b1989e0900c&displayLang=en (Microsoft Baseline Security Analyzer 2.2, 2010)

1. Double click to open MBSA. You have the option to scan a single computer, scan multiple computers or review reports that have been generated from previous scans. For the purposes of this tutorial we will scan a single computer. Click "Scan a computer".

2. By default, the local computer will be pre-selected for scanning. You can also choose to scan another computer on the network by selecting its name or its IP address. You have multiple options to select. The most important options are "Check for Windows administrative vulnerabilities", "Check for weak passwords" and "Check for security updates". You can uncheck the options "Check for IIS administrative vulnerabilities" and "Check for SQL administrative vulnerabilities" if you don't have those products installed. On this server IIS is installed for the purposes of this tutorial. You can leave the default report name or customize it.

3. MBSA downloads the list of the latest security vulnerabilities in the form of a signed .cab file from Microsoft and scans the computer.

The results are shown in an organized report that has details of "What was scanned", "Result details" and "How to correct this" via links. Checks are not performed if the corresponding products are not found on the scanned machine, and therefore they will not be detailed in the report.

Reading the report:

MBSA displays different icons in the report depending on whether vulnerabilities were found. For the administrative vulnerability and security checks, a red icon is used when a critical check failed (in this result, Automatic Updates not enabled). An orange icon is used when a non-critical check failed (in this result, an account has a password that does not expire). A green icon is used when a check passes (that is, no issue was found for that particular check). A blue icon is used for best practice checks (for example, no incomplete software updates found) and for checks that simply provide information about the computer being scanned (for example, the operating system version of the scanned computer).
Security Update Scan Results:

The Security Update Scan determines which available service packs and security updates for Microsoft products are not installed on the computer. MBSA will report missing updates marked as critical security updates in Microsoft Update for most Microsoft products.

Windows Scan Results:

The Windows Scan determines whether Automatic Updates is enabled, the Windows version, whether the Firewall is enabled, account password expiration, whether the Guest account is enabled, etc. These are the Windows-centric administrative vulnerabilities.

MBSA provides additional system information about unnecessary services, Windows shares, Windows version etc.

Internet Information Services (IIS) Scan Results:

For those computers that have additional software installed, such as Internet Information Services (IIS), MBSA will scan for administrative vulnerabilities along with providing additional information.

Desktop Application Scan Results:

The Desktop Application Scan lists:

• The Internet Explorer security zone settings for each local user.
• Whether Internet Explorer Enhanced Security Configuration is enabled for Administrators.
• Whether Internet Explorer Enhanced Security Configuration is enabled for non-Administrators.
• The Office products macro settings for each local user.
Fixing the vulnerabilities:

Clicking on "Result details" displays another window with details of the vulnerabilities found for the particular area. For instance, with "Windows Security Updates", it will display the needed updates and all of those already installed.

Clicking on “How to correct this” displays another window with the recommended solution with step-by-step instructions, as in this example for “IE Enhanced Security Configuration for Administrators”.
Advantages of MBSA:

• The program is free.
• Effective for the supported products.
• Easy to use.
• Updates the database of products via the Internet when it runs.
• Informative reports. It details the vulnerability and tells you how to fix it (but does not automatically fix it).

Disadvantages of MBSA:

• It does nothing to actually update the systems; it just gives details on the vulnerabilities and how to fix them.
• It only scans Microsoft products.
• Requires local admin rights.
• It did not appear to be resource intensive but very well could be with more covered software packages installed.
Summary of MBSA:

In summary, Microsoft Baseline Security Analyzer (MBSA) is an effective tool that works as it is designed to. Though this tool is limited to the core Microsoft products, it provides a thorough scan for vulnerabilities and displays them in an easy to read report. The file size is small at less than 2MB and the installation is seamless. Executing the program is not difficult at all, so any novice should have little issue. The reports are detailed and present a clear step-by-step process for resolving the found vulnerabilities. In this particular implementation of MBSA it was not resource intensive, as not all covered products were installed. Even with multiple covered products installed, this program is likely not resource intensive. My only negative comment about this tool is that it is Microsoft centric, where some other similar products on the market are not limited to one specific developer of software.
TCPView
v3.02

______________________
Microsoft TCPView 3.02:
______________________

TCPView was originally developed by SysInternals (Mark Russinovich), which was subsequently acquired by Microsoft. The utility can be downloaded from this location:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx (TCPView v3.02, 2010)

The TCPView utility is a single executable (308KB) that displays the TCP and UDP sessions on your system along with the remote addresses and the state of the connections. This utility allows you to monitor which processes are communicating on your system and make decisions based on its output. One can spot suspicious software that is making unnecessary calls to a public Internet location and block it with your firewall, or investigate which software is the offender and remove it altogether. Right clicking on a process that has an established remote connection displays the “Whois” option, which shows detailed registration information on the owner of the remote address. This is similar to performing a “Whois” search at a popular domain name registrar like Network Solutions. When a new connection occurs the line turns green, and when it disconnects the line turns red. This allows you to keep track of which new processes and connections are made when you execute a program. TCPView also keeps track of the packets/bytes sent and received, with the option of updating this every second. This program is a quick and easy way to spot trouble.

TCPView runs on:

• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

Information displayed:

• Process
• Process ID
• Protocol
• Local Address
• Local Port
• Remote Address
• Remote Port
• State
• Sent Packets
• Sent Bytes
• Received Packets
• Received Bytes

Steps to run and interpret TCPView:

Once you download the Zip file from the link above, extract the contents and double click on “Tcpview.exe”. This will launch the application and begin populating the interface with all of the current TCP and UDP sessions and their associated programs.

Any new incoming connections will be highlighted in green. Any connections that change state from one update to the next are highlighted in yellow. Any connections being closed are highlighted in red.
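To show how that color coding works, here is an added PowerShell example (not from this paper and not part of the Sysinternals tool) that takes a snapshot of the TCP table with the owning process once a second and prints the difference between snapshots in TCPView's colors: green for a new connection, yellow for a changed state and red for a closed one. It assumes Windows 8 or Windows Server 2012 or later, where the NetTCPIP module provides Get-NetTCPConnection; the row key format and the iteration count are this example's own choices.

```powershell
# Added example, not part of the original paper or of TCPView. Assumes Windows 8 / Server 2012+
# (Get-NetTCPConnection from the NetTCPIP module). Diffs two connection snapshots the way
# TCPView colors its rows: new = green, state changed = yellow, closed = red.

function Get-ConnectionSnapshot {
    # One entry per TCP connection, keyed like a TCPView row, plus the owning process name.
    $names = @{}
    foreach ($p in Get-Process) { $names[[int]$p.Id] = $p.ProcessName }
    $snap = @{}
    foreach ($c in Get-NetTCPConnection) {
        $owner = [int]$c.OwningProcess
        $key = 'TCP|{0}:{1}|{2}:{3}|{4}' -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $owner
        $snap[$key] = [pscustomobject]@{
            Process = if ($names.ContainsKey($owner)) { $names[$owner] } else { "pid $owner" }
            State   = [string]$c.State
        }
    }
    $snap
}

function Compare-ConnectionSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Rows that TCPView would highlight between two refreshes.
    $changed = foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Color = 'Green'; Process = $After[$k].Process; State = $After[$k].State; Key = $k }
        } elseif ($Before[$k].State -ne $After[$k].State) {
            [pscustomobject]@{ Color = 'Yellow'; Process = $After[$k].Process
                               State = "$($Before[$k].State) -> $($After[$k].State)"; Key = $k }
        }
    }
    $closed = foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Color = 'Red'; Process = $Before[$k].Process; State = 'Closed'; Key = $k }
        }
    }
    @($changed) + @($closed)
}

function Watch-Connections {
    param([int]$Iterations = 30, [int]$IntervalSeconds = 1)
    # Refresh every second, as TCPView can, and print only what changed since the last refresh.
    $before = Get-ConnectionSnapshot
    for ($i = 0; $i -lt $Iterations; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $after = Get-ConnectionSnapshot
        foreach ($row in Compare-ConnectionSnapshot -Before $before -After $after) {
            Write-Host ('{0,-7} {1,-20} {2,-24} {3}' -f $row.Color, $row.Process, $row.State, $row.Key) `
                -ForegroundColor $row.Color
        }
        $before = $after
    }
}

Watch-Connections
```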

TCPView details a list of running processes that have established network connections. This allows administrators to easily see in real time what is being communicated via this workstation. If a computer is suspected of being compromised, this utility could help track down the malicious software that has allowed for the back door. You can easily identify suspicious software and uninstall it, along with blocking the ports with your network firewall appliances. Right clicking on the process will tell you the directory of the file and give you an option to kill the process:

By right clicking and choosing “Whois”, it will display the registration information similar to Network Solutions:

TCPView also gives you the ability to save the output for future reference. As you can see, with this simple one-executable utility, an administrator can identify problems and proactively block unnecessary communication, troubleshoot processes, identify external IP addresses, etc., and thwart the ongoing or potential attack.

Also included with the download of TCPView is the single executable utility called Tcpvcon, which is similar to the Windows built-in netstat utility. The usage of Tcpvcon is:
Advantages of TCPView:

• The program is free.
• Effective for the supported operating systems.
• Easy to use.
• Highlights different sessions using color coding for easy identification of incoming and outgoing connections.
• Allows you to kill the various processes.
• Gives you detailed information on the originating connection, processes, protocols, etc.
• Informs you of the path of the software running in case you want to block or uninstall it.
• It is not system intensive.

Disadvantages of TCPView:

• It does not give you the option to add a local firewall rule for the running process. It would be nice to be able to right click a process and choose “Add Firewall Rule” or something to that effect.
• It is basically just the GUI form of the netstat command.
Summary of TCPView:

In summary, Microsoft’s TCPView is a single executable utility that will display all TCP and UDP connections, the corresponding local and remote IP addresses and the state of those connections. It will update in real time and color code all new incoming, established and closing connections. TCPView provides administrators an easy way to identify suspicious software and proactively block it by ending the process, uninstalling the software or adding firewall rules, or just allows for basic troubleshooting. The utility is very easy to run and understand and is not system intensive. Also included in the download of TCPView is a single executable utility called Tcpvcon, which is similar to the Windows built-in netstat utility. An administrator can save the output of the screen for future reference. This tool is very handy for emergencies where the source of offending software on any Windows system has to be identified.
Process Explorer
v12.04

______________________________
Microsoft Process Explorer v12.04:
______________________________

Process Explorer was originally developed by SysInternals (Mark Russinovich), which was subsequently acquired by Microsoft. The utility can be downloaded from this location:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx (Process Explorer v12.04, 2010)

The Process Explorer utility is a single executable (3.70MB) advanced process identification utility from Microsoft. It displays detailed information on the processes that are currently running on your computer. It is considered an advanced form of the built-in Windows Task Manager application.

Process Explorer runs on:

• Windows 98/ME
• Windows NT 4.0
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition

Process Explorer displays a hierarchy of all the running processes on the computer. The list also includes the icon of each running process. The interface is highly configurable, with many display columns to add or remove. This program will help administrators track the owner, path, registry entries and DLLs associated with various running programs for troubleshooting purposes. The default display interface looks like this:
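As an added example (not from this paper and not part of Process Explorer), the PowerShell script below builds the same parent/child process hierarchy from Win32_Process, with each process's path and owner, and treats a process whose parent has exited or whose parent PID has since been reused as a top-level node, as Process Explorer does. It assumes Windows PowerShell 3.0 or later for Get-CimInstance and an elevated prompt to read every process's owner; the orphan rules and the indented output format are this example's own choices.

```powershell
# Added example, not part of the original paper or of Process Explorer. Assumes Windows
# PowerShell 3.0+ (Get-CimInstance); run elevated so GetOwner succeeds for system processes.

function Get-ProcessOwner {
    param($Process)
    # GetOwner fails for protected and system processes; report that instead of stopping.
    try {
        $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { return "$($o.Domain)\$($o.User)" }
    } catch { }
    return '<access denied>'
}

function Get-ProcessTree {
    # Returns one object per process in depth-first order; Depth is its level in the tree
    # and Name is indented by that depth so Format-Table shows the hierarchy.
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    $children = @{}
    $roots = New-Object System.Collections.Generic.List[object]
    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        # Orphan rules (assumed here): the parent is gone, the parent is the process itself
        # (PID 0), or the parent started after the child, meaning its PID was reused by an
        # unrelated process. Process Explorer shows such processes at the top level too.
        $orphan = ($null -eq $parent) -or ($parent.ProcessId -eq $p.ProcessId) -or
                  ($null -ne $parent.CreationDate -and $null -ne $p.CreationDate -and
                   $parent.CreationDate -gt $p.CreationDate)
        if ($orphan) {
            $roots.Add($p)
        } else {
            $parentId = [int]$parent.ProcessId
            if (-not $children.ContainsKey($parentId)) {
                $children[$parentId] = New-Object System.Collections.Generic.List[object]
            }
            $children[$parentId].Add($p)
        }
    }

    # Iterative depth-first walk; push children in descending PID order so they pop ascending.
    $out = New-Object System.Collections.Generic.List[object]
    $stack = New-Object System.Collections.Generic.Stack[object]
    foreach ($r in ($roots | Sort-Object ProcessId -Descending)) {
        $stack.Push([pscustomobject]@{ Proc = $r; Depth = 0 })
    }
    while ($stack.Count -gt 0) {
        $entry = $stack.Pop()
        $p = $entry.Proc
        $out.Add([pscustomobject]@{
            Depth = $entry.Depth
            PID   = $p.ProcessId
            Name  = ('  ' * $entry.Depth) + $p.Name
            Owner = Get-ProcessOwner -Process $p
            Path  = $p.ExecutablePath
        })
        $id = [int]$p.ProcessId
        if ($children.ContainsKey($id)) {
            foreach ($c in ($children[$id] | Sort-Object ProcessId -Descending)) {
                $stack.Push([pscustomobject]@{ Proc = $c; Depth = $entry.Depth + 1 })
            }
        }
    }
    return $out
}

Get-ProcessTree | Format-Table Name, PID, Owner, Path -AutoSize
```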

The processes are color coded and that option can also be customized:

The optional lower window pane lists either all the DLLs associated with the selected process, if the program is set to “DLL view”, or the various handles, if set to “Handle view”:

Handle View:

DLL View:

Double clicking on a process will display all the information that Process Explorer has on the program in one window with multiple tabs:

Users can “kill” the process by right clicking the application and choosing “Kill Process”:

Within Process Explorer’s View menu, if you click “System Information” it will display the current CPU and memory usage of the computer:

Since Process Explorer is an advanced form of the built-in Windows Task Manager, you have the option to replace the Task Manager with Process Explorer when you press Ctrl+Alt+Del by choosing “Replace Task Manager” from the Options menu:

Another beneficial feature of Process Explorer is the ability to conduct an online search for information on the process with a simple right click and choosing “Search Online”, or by selecting it from the Process dropdown menu:

This will launch an Internet Explorer window and automatically populate whatever your browser’s default search engine is with the process name. My default search provider is Google:

Process Explorer is highly configurable and is a great replacement for the built-in Windows Task Manager.
Advantages of Process Explorer:

• The program is free.
• Effective for the supported operating systems.
• Easy to use.
• Highlights different processes using color coding for easy identification. The color codes are configurable.
• Allows you to kill the various processes at the tree level.
• Gives you detailed information on running processes.
• Informs you of the path of the software running in case you want to block or uninstall it.
• It is not system intensive.
• Can replace the Windows built-in Task Manager and can be minimized to the system tray.
• Provides online search capabilities.
• Associates the program icon with the process for easy identification.
• You can restart processes/services with a right click.
• You can set priority levels of processes with a right click.

Disadvantages of Process Explorer:

• Program depends on user rights.
• Having the ability to unlock handles would be beneficial.
Summary of Process Explorer:

In summary, Microsoft’s Process Explorer is a single executable utility that will display all processes currently running on your computer. The program provides detailed information about the processes including the DLL files associated with the process, some registry information, path location, CPU load, along with many other details. The program is highly configurable, with options for color codes, display columns, and even to substitute Process Explorer for the built-in Windows Task Manager when it is launched. The program gives you the ability to set the priority of the process/service/application, restart it with a right click, or simply kill the process. Double clicking on a process will open a new window with all the details of the process in an easy to read tabbed format. The option for searching online for information on the process is also beneficial. Process Explorer is a great free program for administrators to learn about the running processes on a computer for troubleshooting purposes by determining which services are utilizing the most memory, CPU and I/O resources. Then administrators can make a decision as to uninstalling it altogether or perhaps scanning for a virus.
Nessus v4.2.2 (Build 9129)

_______________________
Nessus v4.2.2 (Build 9129):
_______________________

Nessus Vulnerability Scanner by Tenable is a Network Vulnerability Scanner that scans systems and detects potential network and Operating System related vulnerabilities. Nessus is offered for home use for free through subscription to the “Nessus HomeFeed”, and for businesses by subscribing to the “Nessus ProfessionalFeed” for approximately $1,200 per year. The Nessus installation file is 10.8 MB in size and in the form of an MSI file. Nessus is no longer a client based product but rather a client-server web based product. It now uses a web interface for configuration, scanning and reporting. The server side contains the “Plug-Ins”, which are the vulnerability database, and the scan engine. There are over 37,000 plug-ins available for Nessus, each scanning for vulnerabilities. The client piece is a web interface; it contains the reporting tool and is where you set configuration options and initiate scans. Nessus is supported on the following Operating Systems:

• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003 and R2 Edition
• Windows Server 2008 and R2 Edition
• Mac OS X Tiger
• Mac OS X Leopard
• Mac OS X Snow Leopard
• Debian Linux
• Fedora Linux
• Red Hat Linux
• SuSE Linux
• Ubuntu Linux
• FreeBSD 7
• Solaris 10

You can obtain Nessus from here: http://www.nessus.org/download/ (Nessus, 2010)

Once you install Nessus you must subscribe to the “HomeFeed”, and an email will be sent to you containing the activation key. You input this key in the Nessus Server Manager registration area:

Immediately after applying the activation key, Nessus will download and install all current plug-ins available for the HomeFeed subscription (or ProfessionalFeed, depending on the subscription). Here is also where you can set Nessus to start automatically, manage users, or stop and start the service.

Steps to run Nessus:

1. Nessus no longer has a client piece of software, but rather a web interface. Your first user needs to be created via the Server Manager referenced above. Open your Internet browser to the following location:

2. You will be brought to the web interface login page. If you are unable to browse to this location, it is likely that your built-in Windows Firewall is blocking the application. You will need to create an exception to allow the program and port to be unrestricted:

3. Before you are able to perform a scan you must configure at least one vulnerability scan policy. Click on the “Policy” tab and then click “Add”:

4. Now you must step through the process of creating your scan policy. For the purposes of this tutorial you can leave the default selections. However, there are quite a few different options to choose from across the four tabs used to create a policy:

5. On the plug-in page you can choose to deselect any of the vulnerability scan definitions by clicking on the orange circle. Notice there are currently 37,515 definitions within the database at the time of this writing:

6. When you are finished customizing, click “Submit” to create the scan policy.

7. Now you have a scan policy to work with:

8. The next step is to add a host or network to scan. Click on the “Scans” tab and click “Add”:

9. Define the name for your scan, choose to run now, select the policy that was created above from the drop down menu, and define the IP subnet range or single host to scan. When you are finished click “Launch Scan”:

10. Let the process run. You can check the status by double clicking the scan job. After a bit it will complete and display an overview of the results:

11. From the results screen you can click on each individual vulnerability found; in this scan only low priority issues were found. Or you can choose to download all the results to one easy to read HTML report by clicking on “Download Report”:

Choose “HTML export” from the drop down menu:

12. Review the detailed report for the findings of the scan and determine if any corrective actions are necessary, for example closing ports:

For instance, this particular computer runs VNC, and the Nessus scan picked that up as a potential vulnerability and presented information about it:

13. Once you are finished reviewing the report and addressing the concerns, the individual host or hosts on the subnet will be a little more secure.
Advantages of Nessus:

• Free for home users.
• Inexpensive for professional use.
• Easy setup.
• Reports can be generated on demand.
• Ability to customize policies.
• Ability to compare reports generated at different times.

Disadvantages of Nessus:

• Updates require subscription.
• Potential exists that scanning can be perceived as Denial of Service attacks.
• Does not play well with VMware guests. Runs much more efficiently on physical hardware.
Summary of Nessus:

Nessus from Tenable Network Security is a powerful network and system vulnerability

scanner. Nessus was originally an open source product but was closed after Tenable bought the

rights. However, Tenable still releases the functionality of Nessus to home users for free by

subscribing to the Nessus “HomeFeed”. There is a “ProfessionalFeed” that businesses can

subscribe to. Nessus is a client-server software product with a built in Oracle database. The

Client interface is accessed via an Internet browser to port 8834. The Nessus server contains a

vulnerability database, referred to as plug-ins, that contains the definitions of what to scan for.

Currently there are over 37,000 plug-ins available for Nessus at the time of this writing.

Nessus allows you to scan one IP Address or a range of IP Addresses effectively covering

an entire subnet. After the scan is complete, Nessus will generate a detailed report of its findings

and offer solutions to the found vulnerabilities. You can download the findings into one easy to

follow HTML report. As a broad overview, Nessus will scan for missing patches, open ports,

applications running, audits antivirus software and discovers potentially sensitive data. Nessus

supports practically all major Operating Systems which makes this product very appealing to

System and Network Administrators as a one product solution for scanning corporate networks

for potential vulnerabilities. Overall, the program is not difficult to use and is effective for what

it was designed for.

Network Protocol Analyzer

V1.2.10

________________

Wireshark v1.2.10:
________________

Wireshark is a free open source packet analyzer originally called Ethereal and written by Gerald Combs. It was renamed to Wireshark in 2006 because of copyrights held on the name Ethereal. Wireshark is freely available under the GNU General Public License (GPL) and is actively maintained and enhanced by many people. The main purpose of Wireshark is to analyze all packets being sent and received on a particular network interface. This allows network administrators to determine what kind of packet traffic is traversing the network. If you have been charged with the secure transmission of data on the network, you can use Wireshark to analyze the packets for any sensitive data that is sent in clear text. For example, the protocols FTP, SMTP and POP are inherently insecure and anyone using these protocols has the potential to have sensitive information acquired. FTP example:

Wireshark is approximately 18MB in size and runs on the following Operating Systems:

 Windows XP

 Windows Vista

 Windows 7

 Windows Server 2003 and R2 Edition

 Windows Server 2008 and R2 Edition

 Mac OS X Tiger

 Mac OS X Leopard

 Mac OS X Snow Leopard

 Debian Linux

 Fedora Linux

 Red Hat Linux

 SuSE Linux

 Ubuntu Linux

 FreeBSD 7

 Solaris 10

Some of the Wireshark features include:

 The capture of live packet data from a given interface.

 Deep inspection of various protocols.

 Three window view for analysis of the packets.

 Filter packets on a given criteria.

 Search for packets on a given criteria.

 Color coding the packets on display based on filter settings.

WinPcap is needed to capture packets on Windows systems. It is essentially a driver library that allows Wireshark to capture packets on Windows LAN and WLAN interfaces. WinPcap is included within the installation of Wireshark.

Wireshark can be downloaded here: http://www.wireshark.org/download.html (Wireshark, 2010)

Download and install the Wireshark program. It is self explanatory, just accept the defaults.

Steps to run a packet capture in Wireshark:

This tutorial will display a simple secure POP connection from an email that is sent. Ports of reference will be:

1. You have the option to set the capture options from the “Capture” menu. Typically you can accept the default:

2. Open Wireshark and select “Interfaces” from the “Capture” menu:

3. When the Interfaces dialog box opens you will notice which interfaces are currently attached to the network, as you will see packets being received. Typically this will be one interface. Click the “Start” button to begin the capture:

4. You will see the lower pane filling with data from the packet capture. Once you are finished with the capture click on “Stop” from the “Capture” menu. For this packet capture I sent a test email that was sent via SSL. The capture will not show you the detail of the data as it is encrypted. You will just see the negotiations:

5. Notice the source port is 465, which is stated in the above screen shot, and the data part of the packet is encrypted:

6. If you wanted to filter out just the particular traffic that deals with the SSL traffic, you can apply the filter “tcp.port eq 465”. Click on “Apply” and the lower window will only include traffic that has port 465 as a source or destination:

7. At this point an administrator can dissect the result of the packet capture and diagnose network problems or the amount of sensitive data being transmitted over the network. Familiarize yourself with the various menus and options. The most important to understand are:

 The packet window (top): this lists the packets with source, destination, protocol and other information.

 The packet detail window (middle): shows the detail of the packet that is highlighted in the top window. It will highlight the Ethernet frame, protocol information and data along with other important details.

 The packet bytes window (lower): this is the hexadecimal view of the highlighted packet.

8. An administrator can then save the packet capture for future reference.
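The three panes and the “tcp.port eq 465” filter described in the steps above, as an added example that is not part of the original report or of Wireshark itself: a small Python reader that dissects a libpcap capture into the packet-list fields (source, destination, protocol, ports, payload) and applies the equivalent of that display filter. The capture, MAC and IP addresses, and port numbers are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload, proto=PROTO_TCP):
    """Build an Ethernet/IPv4/(TCP|UDP) frame. Constructed test data: MAC
    addresses are arbitrary and checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == PROTO_TCP:
        # 20-byte TCP header: data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1288000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Dissect each IPv4 record into a dict: the packet-list row (src, dst,
    protocol) plus the ports and payload the detail and bytes panes show."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:  # same file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (e.g. ARP); a full dissector would handle it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        pkt = {"time": ts_sec + ts_usec / 1e6,
               "src": ".".join(str(b) for b in frame[26:30]),
               "dst": ".".join(str(b) for b in frame[30:34]),
               "proto": {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}.get(proto, str(proto))}
        if proto in (PROTO_TCP, PROTO_UDP):
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
            hdr = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
            pkt["payload"] = l4[hdr:]
        packets.append(pkt)
    return packets


def tcp_port_filter(packets, port):
    """Equivalent of the display filter 'tcp.port eq <port>': TCP packets with
    <port> as source OR destination. UDP on the same port does not match."""
    return [p for p in packets
            if p["proto"] == "TCP" and port in (p["sport"], p["dport"])]


def looks_like_tls(payload):
    """A TLS record opens with a content-type byte (0x16 = handshake) and a
    0x03xx version; that is why the data in step 5 is unreadable."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


# Constructed capture: an SMTPS (port 465) exchange plus unrelated HTTP traffic
# and a UDP datagram on 465 that the filter must leave out.
SAMPLE_CAPTURE = build_pcap([
    build_frame("192.168.1.10", "192.168.1.20", 51234, 465, bytes.fromhex("160301002a0100")),
    build_frame("192.168.1.20", "192.168.1.10", 465, 51234, bytes.fromhex("1603010031")),
    build_frame("192.168.1.10", "203.0.113.5", 51235, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("192.168.1.10", "192.168.1.1", 51236, 465, b"\x00", proto=PROTO_UDP),
])

if __name__ == "__main__":
    for p in tcp_port_filter(parse_pcap(SAMPLE_CAPTURE), 465):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['proto']} "
              f"tls={looks_like_tls(p['payload'])} bytes={p['payload'].hex()}")
```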

Advantages of Wireshark:

 The program is free.

 Can interpret many popular protocols.

 Highly detailed.

 Very effective.

 Can export reports to popular formats such as CSV, XML and text files.

 Captures can be saved for future reference and analysis.

 Support for 64 bit Operating Systems.

 Color coded rule sets.

Disadvantages of Wireshark:

 Can be a little overwhelming trying to decipher what communication actually transpired. If one does not have moderate knowledge of the composition of packets it will be difficult to follow.

 The filtering of packet communication is somewhat challenging. You must research the proper commands to filter out what you are looking for.

Summary of Wireshark:

Wireshark is an open source network protocol analyzer that can capture data packets in real time on any active interface. The program then displays each packet for analysis. It runs on practically all major Operating Systems. Wireshark gives administrators the ability to perform deep packet inspection by deciphering every detail of the frames down to hexadecimal format. You can apply filters to segregate the gathered information to look for specifics like source or destination ports, protocols, IP Addresses, etc. Typically the best place to run Wireshark on corporate networks is where data is broadcast. Hubs are a good source for broadcast data, but these are not widely used any longer. However, switches can be configured to allow programs like Wireshark to be effective. Wireshark is useful for network troubleshooting and for monitoring for any potentially unencrypted sensitive data being transmitted across the network. If you have been charged with the security of sensitive data on the network, Wireshark is an essential tool. The program is very effective at what it was designed to do and is relatively easy to use once you conduct enough research about the composition of packets and applying filters.

SuperScan v4.0

______________

SuperScan v4.0:
______________

SuperScan is a port scanning utility developed by FoundStone, now a division of McAfee. You can download the utility from here: http://www.foundstone.com/us/resources/proddesc/superscan.htm (McAfee, 2003)

SuperScan is a single executable utility that will scan for any open ports on a system. The utility is approximately 203 KB in size. It is intended for the Windows 2000 and Windows XP Operating Systems. In order to run the application, the user needs administrative access to the computer. SuperScan allows administrators to scan the network and systems for any potentially open port that creates a security hazard. For example, if users inadvertently enable FTP on their computers, this scan utility will pick that up.

There is a note on the download web site that reads:

“Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:

net stop SharedAccess” (McAfee, 2003)

McAfee lists the features as being (McAfee, 2003):

 Superior scanning speed

 Support for unlimited IP ranges

 Improved host detection using multiple ICMP methods

 TCP SYN scanning

 UDP scanning (two methods)

 IP address import supporting ranges and CIDR formats

 Simple HTML report generation

 Source port scanning

 Fast hostname resolving

 Extensive banner grabbing

 Massive built-in port list description database

 IP and port scan order randomization

 A selection of useful tools (ping, traceroute, Whois etc)

 Extensive Windows host enumeration capability

SuperScan has the following tabs:

 Scan tab: Defines the IP range for scanning.

 Host and Service Discovery: Defines the UDP and TCP port ranges to scan for.

 Scan Options: Define other scan properties.

 Tools: This tab has various tools such as ping, whois, and traceroute.

 Windows Enumeration: Will scan for certain Windows resources.
Steps to run SuperScan:

1. Launch the SuperScan program by double clicking “SuperScan4.exe”. The default Host and Service Discovery along with Scan Options is fine, but is customizable. Input the appropriate IP ranges and click the right arrow:

You will notice the progress bar filling:

2. When the scan completes it will display the results of the scan test in the lower windows:

You can also click “View HTML Results” to view a report in your web browser:

3. In addition you can run useful commands like ping, traceroute and hostname lookup:

4. Lastly, SuperScan can enumerate certain Windows characteristics:

Advantages of SuperScan:

 The program is free.

 Easy to use.

 Quickly scans for open ports.

 Effective for what it is supposed to accomplish.

Disadvantages of SuperScan:

 Requires administrative rights to run.

 Is only good for Windows 2000 and XP.

 Does not tell you if a port is closed or filtered.

 Not a very advanced port scanner.

Summary of SuperScan:

SuperScan is a free port scanning utility offered by Foundstone, a division of McAfee. The program is very small in size and effective for what it needs to do. The main feature of SuperScan is to scan a given IP address range for open ports. It displays these results in the bottom window or as an HTML report. Additional capabilities are commands such as ping, traceroute, whois, and hostname lookup. The program seems a little dated, but if you are looking for an easy and quick port scanning utility, SuperScan is an effective option.

NEWT Professional

V2.5 (Build 164)

_____________________

NEWT Professional v2.5:

_____________________

NEWT Professional is an extremely informative network discovery and inventory utility by Komodo Laboratories. There is both a professional and a freeware version. The file size is approximately 4.1 MB. You can download the utility here:

Freeware: http://www.komodolabs.com/newtfree.shtml

Professional: http://www.komodolabs.com/newtpro_download.shtml (NEWT Professional, 2010)

NEWT is a powerful tool that will allow administrators to gather detailed information about systems running on the network. It can gather hardware and inventory information remotely without users being impacted. The data is gathered and displayed in an Excel-like view. NEWT allows for export of the data to a Microsoft Access database, HTML, CSV or text files.

NEWT will scan for the following items:

NEWT runs on the following Operating Systems:

 Windows NT4.0

 Windows 2000

 Windows XP

 Windows Vista

 Windows 7

 Windows Server 2003 and R2 Edition

 Windows Server 2008 and R2 Edition

The program uses a lightweight client that is automatically deployed to clients during the scan. This allows for faster initial and subsequent scans. The client will automatically remove itself without user intervention after a defined amount of time. NEWT will also scan the properties of network devices, such as printers, switches, routers or other peripherals. If administrators are scanning across multiple domains, there is an unlimited credential manager to input Domain Admin usernames and passwords:

There are two modes in which to scan with NEWT, Discover Only or Full Scan. For a quick scan of devices and IP addresses simply choose “Discover Only”. This will perform a less invasive scan and simply return a list of devices in a given IP address range:

NEWT Professional (or the free version) is an incredibly powerful network discovery tool that is essential for any network or systems administrator to have.

Steps to run NEWT Professional:

1. When you launch NEWT you will need to configure the credentials to use when scanning the network if you are scanning across multiple domains. If you are scanning a single domain of which you are an administrator, or a workgroup of which you are an administrator, credentials do not need to be entered as the currently logged on user credentials will be passed. To access the “Credentials Manager” click on the “Tools” menu:

2. Next you will want to set the scan properties. Typically one would leave the default and scan for everything, but you can customize it:

3. Next you need to define the IP address range of the systems you wish to discover and inventory. Open the scan window by clicking on “Tools” and then “Scanning”:

4. Depending on your objective, whether you just want a quick list of devices present or a detailed inventory of each device, you launch the appropriate scan by clicking “Discover Only” for the quick list or “Scan” for the highly detailed scan:

5. You will see the scan in progress:

6. After a short time you will see the scan job complete:

7. You can then double click on the scanned computers and see detailed information regarding the system:

8. After reviewing the content you can then export all the data into a Microsoft Access database, HTML format or a CSV file to import into Microsoft Excel.

Advantages of NEWT Professional:

 There is a free version of the program.

 Easy to use.

 Provides incredible detail about systems.

 Supports scanning of multiple Operating Systems, devices and other peripherals.

 Allows export of data into multiple formats.

 Can scan across multiple domains with additional credentials.

 Automatic installation/uninstalling of client software.

Disadvantages of NEWT Professional:

 Requires administrative rights to run.

 Can be a little processor intensive on the machine conducting the scanning.

Summary of NEWT Professional:

NEWT Professional is an incredibly useful network discovery and inventory tool developed by Komodo Laboratories. With a few clicks an administrator can have a complete network and system inventory across domains and spanning multiple subnets. The program is highly customizable as to which features to scan for. If you are in need of a quick scan of devices there is an option to “Discover Only” to avoid the intrusive scanning and just display a list of devices and their IP addresses. Selecting the “Scan” option will completely scan for all selected options and display the results in an Excel-like format. Double clicking on the scanned devices will open a window with all of the discovered information about the device. An administrator can then export this data to a Microsoft Access database for future reference or export it to CSV for Excel. This tool is not difficult to use, is not network intensive and runs completely without disturbing users on the scanned systems. Any client side software is deployed silently and removed after a defined period of time. This utility is one of my personal favorites and is used almost daily. It is an essential tool for any network or security professional.

v2.8.6.1

____________

Snort v2.8.6.1:
____________

Snort is an open source network Intrusion Detection and Prevention System. It has primarily been designed to run on Linux but can also run on Windows. The program was originally created by Martin Roesch in 1998 but is now maintained by his company SourceFire, which has since been acquired by Checkpoint. Still, the program remains free and is a great starter IDS system. The program integrates nicely with Linux, MySQL and Apache, making Snort a completely free implementation. The actual install file of Snort for Windows is approximately 3 MB in size. The Snort rules database that you must also download is approximately 20 MB in size. The program can be downloaded from here: http://www.snort.org/snort-downloads (Snort, 2010)

The Snort Rules database can be downloaded from here: http://www.snort.org/snort-rules

For detailed instructions on how to get Snort to run on Windows you can read the instructions here: http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf

Snort is not as seamless an installation and configuration as most of the software reviewed in this document. Some of the considerations you must be aware of are:

 The Rules database needs to be downloaded and applied to the installation directory of Snort. In order to download the Rules database, you must be a registered user.

 You must change some of the parameter configurations within the “snort.conf” file. This procedure is detailed within the above PDF file.

 You are better off leaving the default installation directory of C:\Snort.

Snort gives administrators an effective free product to monitor network traffic and log that information to a database or file. In its simplest form, Snort can be a packet sniffer and IDS. The following demonstration shows this.

Steps to run Snort:

This example will start from the point after initial installation and configuration, which includes downloading and applying the rule sets. For more information on this process please review the following document: http://www.snort.org/assets/135/Installing_Snort_2.8.5.2_on_Windows_7.pdf

1. In its simplest form, Snort can act as a packet sniffer. Open a command prompt and navigate to the Snort\bin installation directory:

2. Next type the command “snort –W” and hit enter to receive this output and reference which interface number will be necessary to monitor packet traffic:

3. Type in the command “snort” and hit enter to review some of the command line options:

Familiarize yourself with the usage parameters of Snort. There are many command line switches to take advantage of.

4. To execute Snort in sniffer mode simply type the command “snort -dev -i 1” where the number is the associated interface that was determined above. You will see data packets being monitored:

5. When you are finished monitoring simply hit “ctrl+c” to break the monitoring and display a summary of the packets monitored:

As you can see, on the interface being monitored some TCP, UDP, and ARP traffic was sniffed.

6. Next run Snort in Intrusion Detection Mode, log the detection and view the output. Run the command “snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 1” which tells Snort to use the downloaded rule set, read the configuration file and log any attacks to the log folder location. You know Snort is fully initialized when you view this screen:

7. Ping is considered an intrusion because of the lack of security of the protocol. Issue a ping command from another workstation to the workstation running snort:

8. After the ping attack, hit “ctrl+c” to break the detection. You will notice that Snort detected intrusions and logged that information. The logged information will be placed in the log folder within the Snort installation directory:

9. View the “alerts.ids” file for detailed information on the attack:

You can see that the ping attack was recognized by Snort and logged. This gives administrators the power to know what is happening on the network and archive this information to a database for future reference. It also alerts them to network vulnerabilities so that appropriate decisions can be made to combat the situation.
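The alert review in steps 6 to 9, as an added example that is not part of the original report or of the Snort project: a Python parser for Snort's one-line “fast” alert format (assumed here instead of the multi-line alerts.ids layout in the screenshot, which carries the same fields) that counts hits per signature, sets aside rules an administrator has judged to be normal traffic on this network, and rolls a run of ICMP PING alerts from one source into a single finding. The alert lines, addresses and SIDs are constructed sample data, and the FTP rule is hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One "fast" alert per line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and src -> dst (with ports for TCP/UDP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (SIDs and addresses chosen for illustration): the
# pings from step 7 with their echo replies, then a hit on a hypothetical local
# rule for a clear-text FTP login. The last line is junk the parser must skip.
SAMPLE_ALERTS = """\
10/28-14:22:01.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
10/28-14:22:01.100400  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
10/28-14:22:02.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
10/28-14:22:02.100400  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
10/28-14:22:03.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
10/28-14:22:03.100400  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
10/28-14:22:04.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
10/28-14:22:30.500000  [**] [1:1000001:1] LOCAL FTP clear-text login [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:51234 -> 192.168.1.20:21
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return one alert as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # Snort's timestamp carries no year; the parsed value is only used for deltas.
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def parse_alerts(text):
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def count_by_signature(alerts):
    """How often each rule fired: the first thing to look at in a fresh log."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def noisy_sources(alerts, sid=384, threshold=3, window=5.0):
    """Sources that fired `sid` at least `threshold` times inside any `window`
    seconds. Turns a run of single ICMP PING alerts into one finding
    ("host X is sweeping or flooding") instead of dozens of identical lines."""
    times = defaultdict(list)
    for a in alerts:
        if a["sid"] == sid:
            times[a["src"]].append(a["time"])
    hits = []
    for src, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while (ts[hi] - ts[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append(src)
                break
    return sorted(hits)


def triage(alerts, ignore_sids=()):
    """Drop rules the administrator has decided are normal on this network
    (the report's point that expected traffic still matches the rule set) and
    order what is left by priority, 1 being the most severe."""
    kept = [a for a in alerts if a["sid"] not in ignore_sids]
    return sorted(kept, key=lambda a: (a["prio"], a["time"]))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in count_by_signature(alerts).most_common():
        print(f"{n:3d}  sid {sid}: {msg}")
    print("repeated pingers:", noisy_sources(alerts))
    for a in triage(alerts, ignore_sids={408}):
        print(f"P{a['prio']} {a['ts']} {a['proto']} {a['src']} -> {a['dst']} {a['msg']}")
```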

Advantages of Snort:

 The program is free.

 It is the most robust and popular open source IDS platform, so a lot of technical information about the setup and use is available.

 Integrates nicely with MySQL and Apache for archiving purposes and future reference.

 Effective for what it is supposed to accomplish.

 Snort can be set to be reactive to threats as well with further configuration.

 Has many options.

 Is not resource intensive.

Disadvantages of Snort:

 It is a DOS based program.

 The program is highly customizable and scalable but is difficult to configure and use. One must fully research and read carefully the installation and configuration documentation.

 You must update the rule set in order for Snort to be effective.

 Snort relies on the rule set, so any traffic that is not defined within the rules is considered an attack even though it might actually be commonplace in the network itself. Further rule configuration will be needed to tweak it.

 The free distribution of Snort rules is 30 days old. For up to date rules you have to subscribe in order to download the newest rules to protect against zero-day attacks.

Summary of Snort:

Snort is an incredibly useful open source Intrusion Detection and Prevention System (IDS) from SourceFire. The program is free and relatively small in size. It integrates nicely with MySQL and Apache for complete logging capabilities for future reference. This makes Snort the most robust and completely free IDS system available. The installation and configuration is a little daunting, but once you have correctly configured Snort, it will be very effective in monitoring all the traffic on a specified interface. Sign up for the commercial rules subscription for a fee and have the ability to download and apply all the newest rule sets to guard against zero-day attacks as much as possible. Snort was mainly designed to run on Linux but can also run on Windows servers or workstations. It is a DOS based product, so familiarize yourself with the command line usage. Snort is very lightweight so it is not resource intensive. For an effective free IDS system, Snort is the best way to go.

v4.9.36

__________________

Cain & Abel v4.9.36:

__________________

Cain & Abel is designated as being a password recovery tool for Windows. The use of this program goes much further in reality. The program is open source and is developed and distributed for free by OXID.IT, or specifically Massimiliano Montoro. The program is relatively small in size at approximately 8 MB. It can be downloaded from this location: http://www.oxid.it/cain.html (Cain & Abel, 2010)

The program has been developed to add to the ability of network administrators or other security professionals to better secure systems and networks. Cain is designed to:

 Sniff the network

 Crack encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks

 Record VoIP conversations

 Decode scrambled passwords

 Recover wireless network keys

 Reveal password boxes

 Uncover cached passwords

 Analyze routing protocols

Cain is able to crack a host of different hashes from MD2 to MD5, 3DES, RADIUS, NTLM, and many more. In order for Cain to be effective, you must download what are called Rainbow Tables. Rainbow tables reduce the difficulty of brute force cracking a single password by creating a large pre-generated data set of hashes from nearly every possible password. Rainbow tables will be very large. Some free tables can be downloaded from here: http://ophcrack.sourceforge.net/tables.php

Steps to run Cain & Abel:

In this demonstration I will use Cain to sniff the network for hosts and monitor those hosts for any passwords. If passwords need to be decrypted a brute force dictionary attack will be performed.

1. Execute Cain and click on “Configure”:

Be sure to select the appropriate network interface and click “OK”.

2. Click on the “Sniffer” tab. Activate the sniffer by clicking on the “Start/Stop Sniffer” circuit board icon. Right click anywhere in the lower window and choose “Scan MAC Addresses”:

3. Click to choose all hosts in the subnet or a range of IP addresses:

4. You will see a list of hosts on the network that was generated:

5. At the bottom of the sniffer tab click on the “ARP” tab:

6. Click on the “+” symbol and add your router’s IP address and all the right side MACs:

7. Then click on the “Start/Stop ARP” icon:

8. You will notice that Cain is actively sniffing the network:

9. I executed a couple of functions that would allow Cain to pick up on sensitive traffic. Stop the sniffing process by clicking again on the “Start/Stop ARP” icon:

10. On the sniffer tab click on the “Passwords” tab at the bottom:

11. Notice that Cain picked up an FTP session and a password for Facebook:

FTP (port 21) is sent in clear text, so Cain displayed the full characters:

12. If you wanted to crack the Facebook password you can right click the line item and click “Send to Cracker”:

13. Run the hash against a Rainbow Table or launch a brute force dictionary attack. This process can take days depending on the length of the password. This tool is very effective for administrators to monitor the network for insecure protocols and passwords being sent in clear text. In addition, Cain can scan wireless networks for SSID information along with the encryption details to be executed against Rainbow Tables or other dictionaries. Cain includes other useful tools like traceroute, being able to run queries against multiple database formats, and even recording VoIP traffic.

Advantages of Cain & Abel:

 The program is free.

 Allows for sniffing the network for vulnerable protocols and passwords.

 You can recover passwords via a dictionary or Rainbow Table.

 The recovery of passwords is relatively fast.

 Provides other useful tools like traceroute and scanning wireless networks.

Disadvantages of Cain & Abel:

 In order for the program to be really efficient at recovering passwords, Rainbow Tables will be needed and they are very large files.

 This is an advanced program and can be intimidating.

 Is definitely processor intensive to run brute force attacks on a password hash.

 Can slow network performance as typically you are targeting a central device such as a router.

Summary of Cain & Abel:

Cain and Abel was designed to be an effective password recovery tool but has expanded to be so much more. The program is maintained by OXID.IT, or specifically Massimiliano Montoro. Cain is capable of sniffing the network for vulnerable protocols and displaying passwords in hash format or clear text. You can then run those against a brute force dictionary or Rainbow Table. Cain can decipher from MD2 to MD5, 3DES, RADIUS, NTLM, and many more. The program also includes the ability to record VoIP communication, perform functions like traceroute, and scan for detailed information on wireless networks. Administrators can take advantage of Cain’s many utilities for deep inspection into the network traffic. Once vulnerable traffic is identified, corrective resolutions can be put in place. Cain & Abel is a very effective free tool that should be part of any computer forensic or network security professional’s toolkit.

Page 139 of 160


PGP Desktop

v10

Page 140 of 160


________________

PGP Desktop v10:


________________

PGP stands for “Pretty Good Privacy” and is a data encryption and decryption program

created by Philip Zimmermann in 1991. It is most commonly used for encrypting files, instant

messaging, data drives and email communication. PGP uses the OpenPGP (RFC 4880) standard

for encrypting and decrypting data which was derived from Zimmermann’s PGP. PGP

Corporation has been acquired by Symantec.

Here is a description of how PGP works from a SearchSecurity.TechTarget.com article, which

describes it best:

“PGP uses a variation of the public key system. In this system, each user has a publicly

known encryption key and a private key known only to that user. You encrypt a message you

send to someone else using their public key. When they receive it, they decrypt it using their

private key. Since encrypting an entire message can be time-consuming, PGP uses a faster

encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter

key that was used to encrypt the entire message. Both the encrypted message and the short key

are sent to the receiver who first uses the receiver's private key to decrypt the short key and then

uses that key to decrypt the message.

Page 141 of 160


PGP comes in two public key versions - Rivest-Shamir-Adleman (RSA) and Diffie-

Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the IDEA

algorithm to generate a short key for the entire message and RSA to encrypt the short key. The

Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and

the Diffie-Hellman algorithm to encrypt the short key.

For sending digital signatures, PGP uses an efficient algorithm that generates a hash (or

mathematical summary) from the user's name and other signature information. This hash code is

then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt

the hash code. If it matches the hash code sent as the digital signature for the message, then the

receiver is sure that the message has arrived securely from the stated sender. PGP's RSA version

uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses the SHA-

1 algorithm to generate the hash code.

To use PGP, you download or purchase it and install it on your computer system.

Typically, it contains a user interface that works with your customary e-mail program. You may

also need to register the public key that your PGP program gives you with a PGP public-key

server so that people you exchange messages with will be able to find your public key.” (Pretty

Good Privacy, 2009)

PGP is compatible with the following Operating Systems:

 All versions of Windows

 Unix

 OS/2

 Mac

 Amiga

Page 142 of 160


 Atari

 Linux

 Plus others

A popular commercial product and company that uses the PGP standard is Hushmail. The free

Java based webmail application provided by Hushmail boasts the ability to send completely

anonymous and encrypted email and instant messaging.

The version of PGP Desktop 10 that I am reviewing can be downloaded here: http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html (PGP Desktop, 2010)

After accepting the end user license agreement you will be taken to a download section where an installation key will be generated and you can download the product:



PGP Desktop Professional comes with a 30 day trial; if you want to continue to use the product after that, you can purchase a license for $149. The installation file is approximately 53 MB in size.



Steps to run PGP Desktop:

In this tutorial we will use PGP Desktop to send secure email communication and encrypt a file.

1. After you download and install PGP Desktop you will need to create your PGP encryption key. Open the PGP key window by clicking “File” and “New PGP Key”:

2. Enter in your information:



Review the key type, key size and expiration settings by clicking on the “Advanced” button:

3. Enter a passphrase for your key until the “Passphrase Quality” meter reads 100%:



4. Your key will generate and you will have the option to publish this key to the global PGP Directory. Proceed through the next screen and you will receive an email asking you to verify that you want to publish it:

5. Once you are finished generating the key, export the generated key by clicking “File”, then “Export”, then “Key”:



If you open the key in Notepad it will look similar to:

This is your public key, the one published to the directory if you chose to do so. Recipients need this public key so they can encrypt any message sent to you. You then decrypt the message, as you are the only one holding the private key associated with your public key. They can find your public key by searching the directory, or you can attach it to an initial email you send to them. You can also use PGP Desktop to encrypt files, which is presented a little later.



6. Create a new mail message and attach your public key then send it. In this example I send the message to myself:

7. When the recipient receives the message they import the attached public key. They use it to encrypt messages sent to you and to verify messages you sign; messages you encrypt to them are decrypted with their own private key:



If I were sending a message to Professor Schlanger, I would encrypt the message with his public key. He then decrypts the message with his private key, which only he possesses.

8. To secure a file with PGP simply right click the file and, from the “PGP Desktop” menu, select the option “Add “File” to new PGP Zip”:



9. Click next on the first wizard window:

10. Choose the appropriate option, in this case “Recipient keys”:



11. Choose the appropriate public key for the recipient:

12. You also have the option to sign the file:



13. Then you can right click the new file and choose “Send to mail recipient”:

This will populate your mail client and you can follow the above directions for sending the file via your secured email account with PGP Desktop.
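The flow behind steps 1 to 13 above, and behind the hybrid-encryption and signature description quoted from TechTarget earlier in this section, can be modeled end to end in a short script. The Python below is an added illustration written for this review; it is not code from PGP Desktop, from Symantec or from this paper. It uses textbook RSA with small, insecure 512-bit moduli and a SHA-256 counter-mode keystream as stand-ins for PGP's real RSA, IDEA/CAST and signature algorithms, and the armor header, key pair and message are constructed for the example. What it makes concrete is the point that step 7 tends to blur: the recipient's public key wraps the one-time session key, only the recipient's private key unwraps it, and the sender's private key signs the message hash that the sender's public key verifies. A message decrypted with the wrong private key yields nothing, and a tampered message fails verification.

```python
"""Toy model of the PGP message flow: encrypt a one-time session key to the
recipient's public key, encrypt the message with that session key, and sign a
hash of the message with the sender's private key.  Textbook RSA with 512-bit
moduli and a SHA-256 counter-mode keystream stand in for real RSA/IDEA/CAST;
this is an illustration, never use it to protect real data."""
import base64
import hashlib
import math
import os
import random

SESSION_KEY_LEN = 16   # bytes; the "short key" that PGP encrypts with RSA
SIG_LEN = 64           # bytes needed to carry a signature under a 512-bit modulus


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (adequate for a demonstration key)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Step 1: create a key pair. Returns (public, private) as dicts."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def export_public_key(pub):
    """Step 5: ASCII-armored export, the text you attach to an email (toy format)."""
    body = base64.b64encode(f"{pub['n']}:{pub['e']}".encode()).decode()
    return f"-----BEGIN TOY PUBLIC KEY-----\n{body}\n-----END TOY PUBLIC KEY-----"


def import_public_key(armored):
    """What the recipient does with the attachment from step 6."""
    n, e = base64.b64decode(armored.strip().splitlines()[1]).decode().split(":")
    return {"n": int(n), "e": int(e)}


def _stream_cipher(key, data):
    """Stand-in for IDEA/CAST: SHA-256 in counter mode XORed into the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_and_sign(message, recipient_pub, sender_priv):
    """Sign the hash with the sender's private key, then encrypt everything to the recipient."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = pow(digest, sender_priv["d"], sender_priv["n"]).to_bytes(SIG_LEN, "big")
    session_key = os.urandom(SESSION_KEY_LEN)
    body = _stream_cipher(session_key, signature + message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), recipient_pub["e"], recipient_pub["n"])
    return {"wrapped_key": wrapped_key, "body": body}


def decrypt_and_verify(packet, recipient_priv, sender_pub):
    """Returns (message, signature_ok); message is None if the session key cannot be unwrapped."""
    session_int = pow(packet["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    if session_int >= 1 << (8 * SESSION_KEY_LEN):
        return None, False          # wrong private key: the unwrapped value is not a 16-byte key
    plain = _stream_cipher(session_int.to_bytes(SESSION_KEY_LEN, "big"), packet["body"])
    signature, message = plain[:SIG_LEN], plain[SIG_LEN:]
    recovered = pow(int.from_bytes(signature, "big"), sender_pub["e"], sender_pub["n"])
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return message, recovered == expected


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    bob_armored = export_public_key(bob_pub)      # Bob mails this to Alice (step 6)
    packet = encrypt_and_sign(b"Meeting moved to 3pm.", import_public_key(bob_armored), alice_priv)
    print(decrypt_and_verify(packet, bob_priv, alice_pub))     # Bob reads it and checks Alice's signature
    print(decrypt_and_verify(packet, alice_priv, alice_pub))   # Alice cannot read mail encrypted to Bob
```

Two details worth noticing when mapping this back to PGP Desktop: the signature is placed inside the encrypted body (sign, then encrypt), which is why step 12 offers signing as part of the same PGP Zip wizard, and the session key is fresh per message, so compromise of one message's key does not expose others.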



Advantages of PGP Desktop:

• The program is inexpensive.
• Complete solution for encrypting email, instant messaging, data drives and files.
• PGP is a proven solution.
• Runs as a service and is always monitoring communication.
• Can also protect online email services such as Gmail.

Disadvantages of PGP Desktop:

• PGP Desktop may seem a little complex to the average computer user. Some individuals have a hard time grasping the concept of encrypting with the recipient's public key and decrypting with their own private key.
• In order for PGP communication to work, both parties need to be running OpenPGP-compatible software (PGP Desktop or another implementation such as GnuPG).
• Key management can be a little daunting. It may be difficult to find public keys, or they may become lost or corrupted. A lost private key or forgotten passphrase makes data encrypted to that key unrecoverable, so the key pair should be backed up.



Summary of PGP Desktop:

PGP Desktop is a program designed to encrypt and decrypt email communications, instant messages, data drives and individual files. It is available for download as freeware or as a professional version. PGP was originally developed by Philip Zimmermann and has since been acquired by Symantec. With privacy being a major concern these days, PGP Desktop is a great way to communicate with individuals securely, with less possibility of your data being compromised. The program is relatively small in size at 53 MB. Once you understand the concept and truly comprehend how public and private key encryption, decryption and key distribution work, PGP Desktop will be a highly effective implementation to secure your critical files and communication. The program is not resource intensive and constantly monitors for any activity that can be encrypted. This is an excellent and proven encryption technology that any organization or individual concerned with privacy should implement.



Project Summary:

In this paper we reviewed Microsoft Baseline Security Analyzer (MBSA), Microsoft TCPView, Microsoft Process Explorer, Nessus, Wireshark, Foundstone (McAfee) SuperScan, NEWT Professional, Snort, Cain & Abel, and PGP Desktop 10. The objective of this document was to review in detail all of the referenced programs and in doing so learn the importance of computer security and gain more insight into system and network vulnerabilities. Some of these tools I knew about but had never used. This assignment gave me the opportunity to explore deeper into the realm of system and network security. As a senior-level engineer, I now have the knowledge to better secure the systems and networks that have been placed under my supervision. Most of these tools I will continue to use.

Each of these programs was useful in its own right. I have read about Snort in the past but never implemented a solution using it. Having chosen to include Snort in this project gave me the opportunity to explore its uses and ultimately recognize how powerful this program is. Snort is an open source solution, which automatically makes it appealing, but more so is the fact of how robust and efficient the program really is. In addition, Snort can integrate with other open source programs such as MySQL and Apache, making it a complete open source IDS implementation. For these reasons I have chosen Snort as my favorite utility out of the reviewed programs.

Foundstone SuperScan is a dated product. Some of the features of Windows XP make SuperScan less effective, and for newer operating systems that is even more so. There are other products on the market that accomplish the same tasks, are open source and are still relevant for current technology. For this reason I have chosen SuperScan as my least favorite and the least effective.



Future Implications:

Systems and network engineers have the responsibility to keep data safe and securely transmitted so that this data is not stolen or compromised. Each computer user across the planet should also share this responsibility. Security audit tools in general can be used to thwart malicious individuals' attempts at stealing data or identities, creating a more secure Internet infrastructure for all to use.

In order to be successful in securing data and communication, the correct tools need to be in place. The tools reviewed in this document are a good place to start. The future of security auditing tools needs to focus on hardening all communication, that is, encrypting all data and communication across the entire public and private network infrastructure. This might seem like a monumental task and will likely never be fully achieved. However, every little bit helps. For instance, if everyone were to use the PGP product for secure email, instant messaging and data encryption, there would be less chance of identity theft or loss of business information. This implementation alone would help considerably.

For securing corporate networks and systems, administrators should have proper IPS/IDS and firewalls, and conduct regular audits of data packets across the network looking for potential vulnerabilities. One tool reviewed in this document, Snort, is a fine example of what needs to be deployed on any company network to scan packets for potential security threats.

Let's also not forget about IT policies. For security to be truly effective, especially in the corporate environment, you need well written and highly detailed IT security policies. Make it mandatory to conduct security audits and to relay to employees the proper use of systems, email, the Internet and the data that they interact with.



Security audits and tools in general will only get better. As we gain experience and knowledge, IT professionals will no doubt build upon those experiences and design even more efficient security programs and auditing utilities. The ultimate goal is to have a completely secure public and private infrastructure. Hopefully, with hard work, research and ingenuity, IT professionals will continue forward with great ideas and security implementations.



End Note References:

Cain & Abel. (2010). Retrieved August 9, 2010, from Oxid.it: http://www.oxid.it/cain.html

McAfee. (2003). SuperScan. Retrieved July 19, 2010, from Foundstone.com: http://www.foundstone.com/us/resources/proddesc/superscan.htm

Microsoft Baseline Security Analyzer 2.2. (2010). Retrieved June 7, 2010, from Microsoft.com: http://www.microsoft.com/downloads/details.aspx?FamilyID=02be8aee-a3b6-4d94-b1c9-4b1989e0900c&displayLang=en

Nessus. (2010). Retrieved June 28, 2010, from Nessus.org: http://www.nessus.org/download/

NEWT Professional. (2010). Retrieved July 26, 2010, from Komodolabs.com: http://www.komodolabs.com/newtpro_download.shtml

PGP Desktop. (2010). Retrieved August 16, 2010, from PGP.com: http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html

Pretty Good Privacy. (2009, October 8). Retrieved August 28, 2010, from SearchSecurity.TechTarget.com: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214292,00.html

Process Explorer v12.04. (2010, June 8). Retrieved June 21, 2010, from Technet.Microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Snort. (2010). Retrieved August 2, 2010, from Snort.org: http://www.snort.org/snort-downloads

TCPView v3.02. (2010, August 2). Retrieved June 14, 2010, from Technet.Microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Wireshark. (2010). Retrieved July 12, 2010, from Wireshark.org: http://www.wireshark.org/download.html
