Nmap is of course of the most famous port scanners and hacking tools of all time, the last stable release was back in July 2009.

For those that may not know, Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Nmap 5.20 offers more than 150 significant improvements, including:

• 30+ new Nmap Scripting Engine scripts
• Enhanced performance and reduced memory consumption
• Protocol-specific payloads for more effectie UDP scanning
• A completely rewritten traceroute engine
• Massive OS and version detection DB updates (10,000+ signatures)

You can download Nmap 5.21 here (more options):

Linux – nmap-5.21.tgz
Windows – nmap-5.21-win32.zip

Or read more here.

This is another tool that has been around for a long time and I’ve been using it for years since it’s earliest versions, oddly however I’ve never posted about it.

So here it for the few of you that haven’t heard of it, probably the best port scanner on the Windows platform, very fast and compact and has good banner grabbing functionality.

SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:

net stop SharedAccess

Same goes if you’re using nmap for Windows.

Features

Here are some of the new features in this version.

• Superior scanning speed
• Support for unlimited IP ranges
• Improved host detection using multiple ICMP methods
• TCP SYN scanning
• UDP scanning (two methods)
• IP address import supporting ranges and CIDR formats
• Simple HTML report generation
• Source port scanning
• Fast hostname resolving
• Extensive banner grabbing
• Massive built-in port list description database
• IP and port scan order randomization
• A selection of useful tools (ping, traceroute, Whois etc)
• Extensive Windows host enumeration capability

You can download Superscan v4.0 here:

Superscan v4.0

Or read more here.

Note that SuperScan 4 is intended for Windows 2000 and XP only. Administrator privileges are required to run the program. It will not run on Windows 95/98/ME. You may need to try SuperScan v3 if this will not work with your system.

Unicornscan has always been a favourite of mine, especially for UDP scanning and scanning large networks (and getting it done fast).

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.

In some ways the implementation is better than Nmap – in some ways worse. Both are great tools and for me they work well hand in hand, both have certain advantages over the other in different situations.

I did get half way to writing an article about Nmap vs Unicornscan for large network scanning.

Benefits of Unicornscan

Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Although it currently has hundreds of individual features, a main set of abilities include:

• Asynchronous stateless TCP scanning with all variations of TCP Flags.
• Asynchronous stateless TCP banner grabbing
• Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
• Active and Passive remote OS, application, and component identification by analyzing responses.
• PCAP file logging and filtering
• Relational database output
• Custom module support
• Customized data-set views

Anyway on the news – Unicornscan has finally been updated and v0.4.7 is available and released for download.

Unicornscan has also been awarded 2nd place in the security category for this years Les Trophees du libre 2007 (http://www.tropheesdulibre.org).

You can download Unicornscan here:

Source Code: unicornscan-0.4.7-2.tar.bz2
Fedora Core 8 RPM: unicornscan-0.4.7-4.fc8.i386.rpm

Or read more here.

Documentation is available here: Unicornscan-Getting_Started.pdf

At last a new major release of Nmap!

If for some odd reason you don’t already know what Nmap is, it is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

The changelog shows 320 changes since 4.00 with a lot of great stuff in this release! It has a brand new GUI and results viewer (Zenmap), a scripting engine allowing you to write your own scripts for high-performance network discovery (or use one of the 40 scripts shipped with it), the 2nd generation OS detection system (now with more than a thousand fingerprints), nearly 1,500 more version detection signatures, and a lot more!

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

More on Zenmap here:

Zenmap – the Nmap GUI

You can download the new Nmap here:

Nmap 4.50

Or read more here.

I think everyone has heard of this one, recently evolved into the 4.x series.

Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.

Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.

Get Nmap Here

2. Nessus Remote Security Scanner

Recently went closed source, but is still essentially free. Works with a client-server framework.

Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

Get Nessus Here

3. John the Ripper

Yes, JTR 1.7 was recently released!

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

You can get JTR Here

4. Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).

Get Nikto Here

5. SuperScan

Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.

Get SuperScan Here

6. p0f

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

– machines that connect to your box (SYN mode),
– machines you connect to (SYN+ACK mode),
– machine you cannot connect to (RST+ mode),
– machines whose communications you can observe.

Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.

Get p0f Here

7. Wireshark (Formely Ethereal)

Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.

Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.

Get Wireshark Here

8. Yersinia

Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).

The best Layer 2 kit there is.

Get Yersinia Here

9. Eraser

Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.

An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.

Get Eraser Here.

10. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4x0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.

Get PuTTY Here.

11. LCP

Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.

A good free alternative to L0phtcrack.

LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.

Get LCP Here

12. Cain and Abel

My personal favourite for password cracking of any kind.

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

Get Cain and Abel Here

13. Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

A good wireless tool as long as your card supports rfmon (look for an orinocco gold).

Get Kismet Here

14. NetStumbler

Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

• Verify that your network is set up the way you intended.
• Find locations with poor coverage in your WLAN.
• Detect other networks that may be causing interference on your network.
• Detect unauthorized “rogue” access points in your workplace.
• Help aim directional antennas for long-haul WLAN links.
• Use it recreationally for WarDriving.

Get NetStumbler Here

15. hping

To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

Get hping Here

Yah I’ve stayed away from commercial products in this article, perhaps I’ll cover those another day.

Digg This Article

You can also check out the Top 10 Security Live CDs for Pen-Testing, Forensics and Recovery Here.