
NETWORKING TOOLS

M.Tech 1st Semester Report on Networking Tools

By

Alisha Gupta
September 6, 2015
Roll No.:31503209

DEPARTMENT OF COMPUTER ENGINEERING


NATIONAL INSTITUTE OF TECHNOLOGY
KURUKSHETRA-136119, HARYANA (INDIA)
July-Dec, 2015

MULVAL

MulVAL stands for Multi-host, Multi-stage Vulnerability Analysis Language. It is a
logic-based network security analyzer: a framework for modeling the interaction of
software bugs with system and network configurations. It is a research tool for security
practitioners and system administrators to better manage the configuration of an
enterprise network such that the security risks are appropriately controlled.

1.1 Features

MulVAL uses Datalog as its modeling language. The information in the vulnerability
database provided by the bug-reporting community, the configuration information of
each machine and the network, and other relevant information are all encoded as
Datalog facts.
The reasoning engine consists of a collection of Datalog rules that capture the operating
system behavior and the interaction of the various components in the network. Because
facts and rules share one language, integrating information from the bug-reporting
community and off-the-shelf scanning tools into the reasoning model is straightforward.
The reasoning engine in MulVAL scales well with the size of the network.
The inputs to MulVAL's analysis are:
Advisories: What vulnerabilities have been reported, and do they exist on the machines?
Host configuration: What software and services are running on the hosts, and how are
they configured?
Network configuration: How are the network routers and firewalls configured?
Principals: Who are the users of the network?
Interaction: What is the model of how all these components interact?
Policy: What accesses do I want to permit?
MulVAL comprises a scanner, run asynchronously on each host, which adapts existing tools
such as OVAL to a great extent, and an analyzer, run on one host whenever new information
arrives from the scanners.

1.2 URL

MulVAL can be downloaded from http://people.cis.ksu.edu/~xou/argus/software/mulval/mulval1.tar.gz

1.3 Operating System supported

The current version of MulVAL has been tested on the Linux and Mac OS X operating
systems.

1.4 Download

To run MulVAL, you need the following software installed; make sure that both the
programs xsb and dot are in your PATH:
XSB: http://xsb.sourceforge.net/
GraphViz: http://www.graphviz.org/
MySQL: http://dev.mysql.com/downloads

1.5 Installation

Follow these instructions for installation:
UNCOMPRESS: tar xzf mulval.tar.gz
BASIC SETUP: the environment variable MULVALROOT should point to this package's root
folder; include MULVALROOT/bin and MULVALROOT/utils in PATH.
COMPILATION: type make to compile everything.

ARGUS: THE ALL-SEEING

Argus is a system and network monitoring application. It will monitor nearly anything
you ask it to monitor. It presents a clean, easy-to-view web interface that keeps both
managers and techs happy. It can send alerts in numerous ways and can automatically
escalate if someone falls asleep. Argus was originally designed to monitor servers and
network connections in a mission-critical ISP (Internet Service Provider) environment,
and scales well from small businesses through large enterprises.

2.1 Features

It is open source, available at no charge.
It has a clean and intuitive web interface.
The web pages can easily be understood by non-technical people.
It can generate graphs of what is going on.
It can monitor network connectivity (Ping test).
It can monitor TCP/UDP ports.
It can monitor a wide variety of TCP/UDP applications (HTTP, SMTP, RADIUS, ...).
It can monitor the output or exit code of a program (Program test).
It can monitor the content of a web page (such as a shopping cart application).
It can monitor the authoritativeness of a nameserver.
It can monitor SNMP OIDs (such as BGP status, UPS voltage, room temperature, ...).
It can monitor the results of SQL queries.
It can monitor itself.
It can be extended to monitor things that the author didn't think of.
It can notify someone (or many people) when something happens.
It can escalate, and notify someone else, if things don't get fixed.
It can suppress alarms during known downtime (maintenance overrides).
It will summarize and rate-limit multiple notifications to prevent paging floods.
It keeps historical statistics, for analysis or SLA verification.
It scales well and can monitor many, many things.
It can restrict users to viewing only certain items (user views).
It can restrict users' access to certain features (access control).
It supports IPv6.
It supports SNMPv3.
It supports l10n (localization) for your native language.
It supports redundant multi-server configurations.
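To illustrate how the escalation, maintenance-override and rate-limiting features above fit together, here is an added example written for this report in Python; it is not Argus's own (Perl) code, and the contact names, thresholds and timeline are assumptions. Each monitoring result is fed in with a timestamp: pages to one contact are rate-limited, a further contact is added for every escalation interval the outage persists, nothing is paged inside a maintenance window, and recovery notices bypass the rate limit so that everyone who was paged learns the service is back.

```python
"""Alert escalation with maintenance overrides and rate limiting.

Added example for this report, written in Python; it is not Argus's own
(Perl) code. Contacts, thresholds and the timeline in the usage below are
constructed assumptions chosen to exercise each feature once.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Notifier:
    contacts: list                 # escalation chain; contacts[0] is paged first
    escalate_after: int            # seconds of unresolved downtime per escalation level
    min_interval: int              # rate limit: seconds between pages to one contact
    maintenance: list = field(default_factory=list)   # (start, end) windows: no alarms
    sent: list = field(default_factory=list)          # log of (time, contact, message)
    _down_since: Optional[int] = field(default=None, init=False)
    _level: int = field(default=0, init=False)
    _last_sent: dict = field(default_factory=dict, init=False)

    def in_maintenance(self, now):
        return any(start <= now < end for start, end in self.maintenance)

    def _page(self, now, contact, message, force=False):
        """Send unless this contact was paged less than min_interval ago."""
        last = self._last_sent.get(contact)
        if not force and last is not None and now - last < self.min_interval:
            return
        self._last_sent[contact] = now
        self.sent.append((now, contact, message))

    def observe(self, now, is_up, service="svc"):
        """Feed one test result taken at time `now`; return the pages it produced."""
        before = len(self.sent)
        if is_up:
            if self._down_since is not None:
                # recovery always goes out, to everyone who heard about the outage
                for c in self.contacts[: self._level + 1]:
                    self._page(now, c, f"{service} UP", force=True)
            self._down_since, self._level = None, 0
        elif self.in_maintenance(now):
            pass                                   # maintenance override: stay silent
        else:
            if self._down_since is None:
                self._down_since = now
            # one more contact joins the page for every escalate_after seconds down
            level = (now - self._down_since) // self.escalate_after
            self._level = min(max(self._level, level), len(self.contacts) - 1)
            for c in self.contacts[: self._level + 1]:
                self._page(now, c, f"{service} DOWN")
        return self.sent[before:]

def run(timeline, **kwargs):
    """Replay (time, is_up) samples through a Notifier and return its page log."""
    n = Notifier(**kwargs)
    for t, up in timeline:
        n.observe(t, up)
    return n.sent

if __name__ == "__main__":
    # constructed timeline: outage at t=60, fixed at t=800, a blip inside
    # maintenance at t=5100, and a new outage at t=6100
    log = run([(0, True), (60, False), (120, False), (400, False), (700, False),
               (800, True), (5100, False), (6100, False)],
              contacts=["oncall", "manager"], escalate_after=600, min_interval=300,
              maintenance=[(5000, 6000)])
    for entry in log:
        print(entry)
```

Note the ordering decision that matters in practice: the maintenance check happens before the outage timer starts, so a failure that begins inside a window does not escalate the moment the window closes; it is treated as a fresh outage at that point.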

2.2 URL

http://argus.tcp4me.com/

2.3 Operating System compatibility

Argus has been tested with:
perl 5.00503
perl 5.6.0
perl 5.6.1
perl 5.8.0
perl 5.8.1
NetBSD
FreeBSD
Linux
Solaris
Mac OS X
Argus has also been confirmed not to work with:
perl versions 1 - 4
Microsoft Windows

2.4 Language used

Argus can display its web pages in the language of your choice. Argus ships with support
for several languages, and support for additional languages can easily be added.
Configuring
When displaying web pages, the argus cgi program uses the language value set in the config
file (lang), or set in the environment, and uses that to pick the locale file to load.
The cgi program checks the environment variables LC_ALL, LC_ARGUS and then LANG, in
that order, and uses the first one it finds. If none are set, it uses the value "default".
Often, one of these environment variables will already be set correctly.
It then looks in the directory datadir/locale for a file by that name. If it cannot load the
specified file, it falls back to English.
So, to configure your language of choice, you have three options:
add a line to your argus config such as: lang: en_us
adjust the environment variables to match the correct filename. The variable must be set
before starting your web server; how exactly to set environment variables for your web
server is beyond the scope of this document.
adjust the name of the file in datadir/locale to match what argus is looking for (either
the environment variable that is already configured, or the value "default"). You can
either rename or symlink the correct file to the desired name.

2.5 Download

Argus is fully open-source, and may be downloaded and used by anyone at no charge.
Find the current stable version here:
argus-3.7.tgz [14 Feb 2013 - 436K]
The current development code is here:
argus-dev-20121229.tgz
Older versions are available here:
http://www.tcp4me.com/code/argus-archive/

2.6 Installation

Prerequisites that should be installed beforehand:
perl: the software has been tested with 5.6.1 and should work with most other versions
of perl 5 as well. Find perl at www.perl.org
sendmail and qpage are recommended; either or both can be used to send notifications.
Find sendmail at www.sendmail.org and qpage at www.qpage.org
fping is used by the Ping monitoring module for ping tests. While this is not required,
it is highly recommended. Find fping at www.fping.com
a CGI-capable web server, such as Apache. Find Apache at httpd.apache.org
Berkeley DB and the perl DB_File module. Find DB at www.sleepycat.com; DB_File ships
with perl.
an understanding of UNIX file permissions and of how to use and operate your web server.
Then:
unbundle the tarball
run ./Configure
run make
as root, run make install
create 2 files in the data directory: config and users
configure your web server; be sure that the data dir is writable by the www user (or
whatever uid your web server runs as)
copy the icons to somewhere accessible by your web server (these locations get specified
in the config file, above), or feel free to replace them with your own icons, or no icons
at all.
start the argus server by running argusd, or install the rc.argusd script as appropriate
for your system.
check the argus log file (datadir/log) and/or your syslog logs to verify that argus is
operating correctly.
load the argus cgi interface in your web browser, and verify that everything is configured
correctly.
perform any optional advanced configuration described in the advanced installation
section.

2.7 Configuring

Argus reads a single config file, or a directory of separate config files.
By default, argus looks in the configured data directory for a file or subdirectory named
config. This can be overridden with the -c command line option.

2.7.1 Config File Structure

The config file defines what is monitored and how, as well as the layout and relationships
of the various items. It contains various types of things:
key-value pairs, aka data, for example: frequency: 300
specifications of things to monitor, aka Services, for example: Service TCP/SMTP
groups of services, aka Groups, for example:
Group Foo
hostname: foo.example.com
Service TCP/SMTP
Service TCP/HTTP
alternate names for things, aka Aliases, for example: Alias Foo Top:Servers:Foo
(aliases are described further in the advanced documentation)
definitions of notification methods (described in the notification documentation)
definitions of special features, such as DARP and the asynchronous resolver
In the config file, the parameter-value data must come first, followed by notification
methods and special features, followed by groups and services.
2.7.2 Example

Example of config file is:

WIRESHARK

Wireshark is a network packet analyzer. A network packet analyzer captures network
packets and displays the packet data in as much detail as possible. Wireshark is perhaps
one of the best open source packet analyzers available today.

3.1 Features

The current stable release of Wireshark is 1.12.7. Some features of Wireshark are:
Capture live packet data from a network interface.
Open files containing packet data captured with tcpdump/WinDump, Wireshark, and
a number of other packet capture programs.
Import packets from text files containing hex dumps of packet data.
Display packets with very detailed protocol information.
Save packet data captured.
Export some or all packets in a number of capture file formats.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize packet display based on filters.
Create various statistics.

3.2 URL

http://www.wireshark.org

3.3 Operating system supported

The current version of Wireshark should support any version of Windows that is still
within its extended support lifetime; this includes Windows 8, 7, Vista, Server 2012,
Server 2008 R2, Server 2008 and Server 2003.
Older versions of Windows which are outside Microsoft's extended lifecycle support
window are no longer supported.
Wireshark currently runs on most UNIX platforms. Binary packages are available for
most Unices and Linux distributions, including the following platforms:
Apple Mac OS X
Debian GNU/Linux
FreeBSD
Gentoo Linux
HP-UX
Mandriva Linux
NetBSD
OpenPKG
Red Hat Enterprise/Fedora Linux
Sun Solaris/i386
Sun Solaris/SPARC
Canonical Ubuntu

3.4 Download

Wireshark can be downloaded from https://www.wireshark.org/download.html. Choose the
package that matches the configuration of your system.

3.5 Installation

To use Wireshark, you must:
obtain a binary package for your operating system, or
obtain the source and build Wireshark for your operating system;
build the source into a binary, if you downloaded the source;
install the binaries into their final destinations.
After downloading Wireshark from the link above, execute the installer. Besides the usual
installer options, such as where to install the program, there are several optional
components.

3.6 Configuration

Wireshark is used to capture packets. As an example, the steps to capture packets are:
Make sure you are allowed to capture packets on the network you are working on.
Set up the machine's configuration so that it is able and allowed to capture:
CapturePrivileges: you must have sufficient privileges to capture packets, e.g. special
privileges allowing capture as a normal user (preferred) or root/Administrator
privileges. On Linux the preferred way is to grant Wireshark's capture helper, dumpcap,
the CAP_NET_RAW and CAP_NET_ADMIN capabilities, rather than running the Wireshark GUI
and all of its protocol dissectors as root.
CaptureSupport: the operating system must support packet capturing, e.g. capture support
is enabled or a capture driver is installed.
Time zones (see the User's Guide): the computer's time and time zone settings should be
correct, so that the captured time stamps are meaningful.
Capture traffic sent to and from the local machine.
Capture traffic destined for machines other than your own:
Make sure you capture from a location in the network where all relevant traffic will
pass through:
NetworkTopology: choose the right place in the network topology in order to get the
required network traffic.
NetworkMedia: there might be network-media-specific (Ethernet, PPP, ...) limitations.
Promiscuous mode must be switched on.
Capture traffic using a remote machine. Remote capturing is currently very limited:
Pipes: use a UNIX pipe and a different tool to capture from.
WinPcapRemote: use WinPcap's remote capturing feature (rpcapd).
RMON: use SNMP's RMON to capture.
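One of the features listed above is importing packets from text files containing hex dumps. As an added example for this report (it is not Wireshark's own text2pcap utility), the following Python script converts an offset-prefixed hex dump of that kind into a libpcap file that Wireshark or tcpdump will open, and reads the result back for verification. The sample dump is a constructed ARP request; the script assumes Ethernet framing (link type 1) and a dump without an ASCII column.

```python
"""Turn a text hex dump into a pcap file that Wireshark/tcpdump can open.

Added example for this report (not Wireshark's text2pcap). It accepts the
offset-prefixed hex dump layout that Wireshark's import feature reads,
writes a classic libpcap file (link type 1 = Ethernet) and can read it back.
The sample dump is a constructed ARP request.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample: one Ethernet/ARP "who-has 192.168.1.1 tell 192.168.1.10"
# frame, 42 bytes; the final line carries only the end offset (0x2a = 42).
SAMPLE_DUMP = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
000010 08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 0a
000020 00 00 00 00 00 00 c0 a8 01 01
00002a
"""

def parse_hexdump(text):
    """Return a list of packets (bytes). A line whose offset is 0 starts a new packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"[0-9a-fA-F]+", tokens[0]):
            continue                                   # blank, comment or text line
        offset = int(tokens[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):                     # catches truncated or shuffled dumps
            raise ValueError(f"offset {offset:#x} does not match {len(current)} bytes read")
        for tok in tokens[1:]:
            if not HEX_BYTE.match(tok):
                break                                  # anything else ends the byte column
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets

def write_pcap(packets, linktype=LINKTYPE_ETHERNET, ts=0):
    """Serialise packets into little-endian libpcap format, one record per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Parse a little-endian pcap blob back into (linktype, packets) for verification."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    packets, pos = [], 24
    while pos < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        packets.append(data[pos:pos + incl])
        pos += incl
    return linktype, packets

def ethertype(frame):
    """EtherType of an Ethernet II frame (0x0806 = ARP, 0x0800 = IPv4)."""
    return struct.unpack_from("!H", frame, 12)[0]

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    with open("sample.pcap", "wb") as fh:
        fh.write(write_pcap(pkts))
    print(len(pkts), "packet(s) written; EtherType of first:", hex(ethertype(pkts[0])))
```

Opening sample.pcap in Wireshark should dissect the single frame as an ARP request. The offset check is deliberate: a dump whose offsets do not line up with the bytes read is the most common reason an import yields garbage, and failing loudly is better than writing a misleading capture.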


ARGUS

Argus is the network Audit Record Generation and Utilization System. The Argus Project
is focused on developing all aspects of large-scale network activity audit. Argus itself
is next-generation network flow technology, going from packets on the wire to advanced
network flow data and on to network forensics data, all in support of network operations,
performance and security management.

4.1 Features

Argus is composed of an advanced, comprehensive network flow data generator, the Argus
sensor, which processes packets and generates detailed network flow status reports for
all the flows in the packet stream.
It captures much of the packet dynamics and semantics of each flow, with a great deal of
data reduction, so we can store, process, inspect and analyze large amounts of network
data efficiently.
It provides reachability, availability, connectivity, duration, rate, load, goodput, loss,
jitter, retransmission and delay metrics for all network flows.
It is used by many sites to generate network activity reports for every network
transaction on their networks.
The network audit data that it generates is valuable for security, operations and
performance management. The data is used for network forensics, non-repudiation, network
asset and service inventory, behavioral baselining of server and client relationships,
detecting covert channels, and analyzing zero-day events.

4.2 URL

http://qosient.com/argus/

4.3 Operating System Compatibility

Argus is currently running on:
Mac OS X
Linux
Solaris
FreeBSD
OpenBSD
NetBSD
AIX
HP-UX
VxWorks
IRIX
Windows (under Cygwin)
OpenWrt

4.4 Download

Currently, the stable source code can be downloaded from these links:
http://qosient.com/argus/src/argus-3.0.8.1.tar.gz
http://qosient.com/argus/src/argus-clients-3.0.8.tar.gz
Download the files from these links and then follow the installation instructions below.

4.5 Installation

argus and argus-clients require the following packages to build:
gcc, make, bison, flex, libpcap, libpcap-devel, readline-devel
Once the dependencies are installed, perform the following build process (substitute the
names of the tarballs you actually downloaded, e.g. argus-3.0.8.1.tar.gz; make install
normally needs root):
cd
tar zxvf argus-latest.tar.gz
cd argus-*
./configure
make
make install
cd
tar zxvf argus-clients-latest.tar.gz
cd argus-clients-*
./configure
make
make install

4.6 Configuration

Argus accepts configuration options on the command line, but Argus is generally configured
using the argus.conf file that is normally found in either /etc or $ARGUSHOME. The
variables that are set by this file can be overridden by command line switches, and on
the command line you can specify an alternative configuration file with the -F configfile
option.
You can also ignore all configuration directives in the /etc/argus.conf file with the -X
option on the command line, so you have a lot of flexibility.
To set up a /etc/argus.conf file, copy the example configuration to /etc and modify its
values accordingly.
Argus can write its output to more than one file at once, selecting the records for each
file with a filter expression that follows the -w option. For example:
argus -w tcp.file tcp -w nottcp.file not tcp
writes the TCP flow records to tcp.file and all other records to nottcp.file.
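The following added example (written for this report in Python; it is not Argus's C code) shows in miniature what the Argus sensor does and what the command above does: it reduces a constructed list of packets to bidirectional flow records carrying per-direction packet and byte counts, duration and packet rate, and then writes the records to several named outputs, each selected by a filter, the way successive -w options with filters do. The record fields are a small assumed subset of what Argus actually records.

```python
"""Packets -> bidirectional flow records, with filter-based output splitting.

Added example for this report, not Argus's code. It reduces a constructed
packet list to per-flow status records (packets, bytes, duration, rate in
each direction), roughly what the Argus sensor emits, then demultiplexes the
records to several "files" by filter, like:
    argus -w tcp.file tcp -w nottcp.file not tcp
"""
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int

@dataclass
class Flow:
    proto: str
    src: str          # initiator: whoever sent the first packet seen
    sport: int
    dst: str
    dport: int
    start: float
    last: float
    spkts: int = 0    # initiator -> responder
    sbytes: int = 0
    dpkts: int = 0    # responder -> initiator
    dbytes: int = 0

    @property
    def duration(self):
        return self.last - self.start

    @property
    def rate(self):
        """Packets per second over the flow's lifetime (0 for single-packet flows)."""
        return (self.spkts + self.dpkts) / self.duration if self.duration > 0 else 0.0

def flow_key(p):
    """Direction-independent key so both halves of a conversation join one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def generate_flows(packets):
    """Aggregate packets into flows, in order of first appearance."""
    flows = OrderedDict()
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = flows.get(k)
        if f is None:
            f = flows[k] = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
        f.last = max(f.last, p.ts)
        if (p.src, p.sport) == (f.src, f.sport):
            f.spkts, f.sbytes = f.spkts + 1, f.sbytes + p.size
        else:
            f.dpkts, f.dbytes = f.dpkts + 1, f.dbytes + p.size
    return list(flows.values())

def split_by_filter(flows, outputs):
    """outputs: [(name, predicate)]. A record goes to every output whose filter matches."""
    files = {name: [] for name, _ in outputs}
    for f in flows:
        for name, pred in outputs:
            if pred(f):
                files[name].append(f)
    return files

# Constructed sample traffic: an HTTP exchange, a DNS query/answer, a lone ICMP probe.
SAMPLE = [
    Packet(0.00, "tcp", "10.0.0.5", 51000, "93.184.216.34", 80, 74),
    Packet(0.02, "tcp", "93.184.216.34", 80, "10.0.0.5", 51000, 74),
    Packet(0.03, "tcp", "10.0.0.5", 51000, "93.184.216.34", 80, 500),
    Packet(0.50, "tcp", "93.184.216.34", 80, "10.0.0.5", 51000, 1400),
    Packet(0.10, "udp", "10.0.0.5", 40000, "10.0.0.1", 53, 60),
    Packet(0.11, "udp", "10.0.0.1", 53, "10.0.0.5", 40000, 120),
    Packet(1.00, "icmp", "10.0.0.9", 0, "10.0.0.5", 0, 64),
]

def demo(packets=SAMPLE):
    """Equivalent of: argus -w tcp.file tcp -w nottcp.file not tcp"""
    return split_by_filter(generate_flows(packets), [
        ("tcp.file", lambda f: f.proto == "tcp"),
        ("nottcp.file", lambda f: f.proto != "tcp"),
    ])

if __name__ == "__main__":
    for name, recs in demo().items():
        for f in recs:
            print(f"{name}: {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
                  f"{f.spkts}/{f.dpkts} pkts {f.sbytes}/{f.dbytes} bytes "
                  f"dur={f.duration:.2f}s rate={f.rate:.1f} pps")
```

Two things carry over to reading real Argus data: a flow's "source" is only the side that was seen first, which is wrong for conversations already in progress when capture started, and overlapping filters are allowed, so one record can legitimately appear in two output files.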


HP WEBINSPECT

HP WebInspect is an automated dynamic application security testing (DAST) solution
designed to thoroughly analyze today's complex web applications and web services for
security vulnerabilities. With broad technology coverage and application runtime
visibility through the HP WebInspect Agent, HP WebInspect provides broad dynamic
application security testing coverage and detects types of vulnerabilities that often go
undetected by pure black-box testing. It mimics real-world hacking techniques and
attacks, and provides comprehensive dynamic analysis of complex web applications and
services.

5.1 Features

Dynamic and runtime analysis: go beyond black-box testing; integrate dynamic and runtime
analysis to find more vulnerabilities and fix them faster.
Technology made simple: optimize your testing resources. Advanced technologies, such as
simultaneous crawl, bring professional-level testing to novice security testers.
Compliance management: easily inform management on vulnerability trending, compliance
management and ROI; clearly communicate with development on the details and priorities
of each vulnerability.
Integration: leverage prebuilt integrations for HP ALM and Quality Center and other
security testing and management systems.
On demand or on premise: start quickly and scale as needed. HP WebInspect dynamic
application security testing (DAST) is available on demand or as a licensed product.
Centralized program management: build an enterprise-wide AppSec program. WebInspect
Enterprise establishes a shared service to centralize results while distributing security
intelligence.

5.2 URL

http://www8.hp.com/in/en/software-solutions/webinspect-dynamic-analysis-dast/

5.3 Current Stable version

HP WebInspect 10.30


5.4 Operating System Compatibility

HP WebInspect supports Windows Server 2012, SQL Server 2012, and ALM 11.5 and 11.52, as
well as continued support for Windows 8.

5.5 Language used

.NET 4.5.1 common language runtime (CLR)

5.6 Download

HP WebInspect can be downloaded (trial sign-up) from:
https://saas.hp.com/signup/try/webinspect?utm_source=hp.com&utm_medium=referral&utm_term=webinspect&utm_content=try-flow&utm_campaign=hp-redirect
After downloading, follow the installation steps in the next section.

5.7 Installation

Some prerequisites for installation of HP WebInspect are:
2 GB RAM
an MS SQL Server instance
Install HP WebInspect. After the installation it opens the License Wizard and prompts you
to add a license key. If you do not have a license key you can choose the 15-day trial,
for which an activation token is sent to you by mail.


IBM WATCHFIRE

6.1 Features

6.2 URL

6.3 Operating System Compatibility

6.4 Language used

6.5 Download

6.6 Installation


IBM APPSCAN

IBM Security AppScan enhances web and mobile application security, improves application
security program management and strengthens regulatory compliance. By scanning your web
and mobile applications prior to deployment, AppScan lets you identify security
vulnerabilities and generate reports and fix recommendations.

7.1 Features

Flash support: AppScan 8.0 has better Flash support than earlier versions. It can now
explore and test applications based on the Adobe Flex framework; the AMF protocol is also
supported.
Glass box testing: this installs an agent on the server which helps find hidden URLs and
additional issues.
Web services scanning: web service scanning is one area in which organizations are looking
for more effective automated support, and AppScan has scored well in this area.
JavaScript Security Analyzer: AppScan has introduced a JavaScript security analyzer which
analyses the crawled HTML pages for vulnerabilities and lets users focus on client-side
issues, including DOM (Document Object Model) based XSS problems.
Reporting: based on your requirements, you can generate reports in the desired formats and
include the desired fields.
Remediation support: for each identified vulnerability, the program provides a description
of the issue along with remediation notes.
Customizable scanning policies: AppScan comes with a set of predefined scanning policies.
Tools support: it has tools like the Authentication Tester, Token Analyzer and HTTP Request
Editor which come in handy when testing for vulnerabilities manually.
Support for Ajax and Dojo frameworks.

7.2 URL

http://www-03.ibm.com/software/products/en/appscan

7.3 Operating System Compatibility

Supported operating systems (both 32-bit and 64-bit editions):
Microsoft Windows Server 2012: Essentials, Standard and Datacenter
Microsoft Windows Server 2012 R2: Essentials, Standard and Datacenter
Microsoft Windows Server 2008: Standard and Enterprise, SP1 and SP2
Microsoft Windows Server 2008 R2: Standard and Enterprise, with or without SP1
Microsoft Windows 8.1: Pro and Enterprise
Microsoft Windows 8: Standard, Pro and Enterprise
Microsoft Windows 7: Enterprise, Professional and Ultimate, with or without SP1
Linux and Mac OS

7.4 Language used

Note that the lists below apply to AppScan Source, IBM's static (source code) analysis
product, rather than to the dynamic scanner described elsewhere in this section.
Language support on Windows. The IBM Security AppScan Source command line interface (CLI)
supports scanning these languages:
C/C++
COBOL
ColdFusion
Java (including support for Android APIs)
JavaServer Pages (JSP)
JavaScript
Perl
PHP (versions 4.x up to 5.3)
PL/SQL
T-SQL
.NET (ASP.NET, VB.NET) - Microsoft .NET Framework versions 2.0, 3.0, 3.5, 4.0 and 4.5
ASP (JavaScript/VBScript)
Visual Basic 6
Language support on Linux. The IBM Security AppScan Source CLI supports scanning these
languages:
C/C++
COBOL
ColdFusion
Java (including support for Android APIs)
JavaServer Pages (JSP)
JavaScript
Perl
PHP (versions 4.x up to 5.3)
PL/SQL
T-SQL
Language support on OS X. The IBM Security AppScan Source CLI supports scanning these
languages:
Objective-C in Xcode projects and workspaces
Java (including support for Android APIs)
JavaServer Pages (JSP)
JavaScript

7.5 Download

IBM AppScan can be downloaded from http://www-03.ibm.com/software/products/en/appscan
After downloading it, follow the installation instructions below.

7.6 Installation

To run IBM AppScan, some prerequisites are:
The system needs a minimum of 3 GB RAM.
Install the .NET Framework and Adobe Flash Player so that Flash content can be executed
during scanning.
Take a backup of all the data before proceeding with a scan, and prefer scanning a staging
copy rather than the production system: an automated scanner sends large amounts of data
to the server while the scan is in progress, so it might delete files on the server, add
new records or even bring the server down unintentionally.
To start the installation:
Close any Microsoft Office applications that are open.
Start the AppScan setup.
The InstallShield Wizard starts and checks that your workstation meets the minimum
installation requirements. Then the AppScan installation wizard welcome screen appears.
Follow the wizard instructions to complete the AppScan installation.

7.7 Configuration

This section describes a standard application scan configuration using the wizard:
1. Launch AppScan.
2. In the Welcome screen, click Create new Scan.
3. In the New Scan dialog box, verify that the Launch wizard checkbox is selected.
4. In the Predefined Templates area, click Default to use the default template.
5. Select Web Application Scan, and click Next for Step 1 of the three-stage setup.
6. Type in the URL where the scan will start.
7. Click Next to advance to Step 2.
8. Select Recorded Login, then click New. A message appears describing the procedure for
recording a login.
9. Click OK. The embedded browser opens with the Record button pressed.
10. Browse to the login page, record a valid login sequence, and then close the browser.
11. In the Session Information dialog box, review the login sequence and click OK.
12. Click Next to advance to Step 3. At this stage you can review the Test Policy that will
be used for the scan, and multiphase scanning.
13. The In-Session Detection checkbox is selected by default, and the text indicating that
the response is in-session is highlighted. During the scan AppScan sends heartbeat
requests and checks the responses for this text to verify that it is still logged in.
Verify that the highlighted text is indeed proof of a valid session: if the same text also
appears on the logged-out page, the session can expire and the rest of the scan will run
unauthenticated without AppScan noticing.
14. Click Next.
15. Select the appropriate radio button to start an Automatic Scan, start with Manual
Explore, or start later.
16. (Optional) By default the Scan Expert checkbox is selected so that Scan Expert will run
when you complete the wizard. You can clear this to proceed directly to the scan stage.
17. Click Finish to exit the wizard.
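The in-session pattern of step 13 is where an authenticated scan most often goes quietly wrong. The following added example (written for this report; it is not AppScan's code, and the two HTML pages are constructed) shows one way to choose a marker that distinguishes the logged-in response from the logged-out one, and the heartbeat check that uses it, refusing a marker such as "Welcome" that appears in both.

```python
"""Choosing and checking an in-session marker for an authenticated scan.

Added example for this report; it is not IBM AppScan's code. A scanner keeps
an authenticated scan honest by periodically fetching a page and looking for
text that is only present while logged in. A marker that also appears on the
logged-out page answers "still in session" even after the session has
expired, so the scan silently degrades to an unauthenticated one. The two
sample pages below are constructed.
"""
import re

LOGGED_IN = """<html><body><div id="nav">Welcome back, alice | <a href="/logout">Log out</a></div>
<h1>Account overview</h1><p>Balance: 120.00</p></body></html>"""
LOGGED_OUT = """<html><body><div id="nav">Welcome | <a href="/login">Log in</a></div>
<h1>Please sign in</h1><form action="/login" method="post"></form></body></html>"""

def _tokens(html, min_len):
    """Crude tokenisation: split on tags and whitespace, keep tokens of some length."""
    return {t for t in re.split(r"[<>\s]+", html) if len(t) >= min_len}

def candidate_markers(in_session, out_of_session, min_len=6):
    """Tokens present only in the logged-in response, longest (most specific) first.

    Ties are broken alphabetically so the ranking is deterministic."""
    only_in = _tokens(in_session, min_len) - _tokens(out_of_session, min_len)
    return sorted(only_in, key=lambda s: (-len(s), s))

def is_in_session(response_body, marker, logged_out_body=LOGGED_OUT):
    """The heartbeat check: the marker must be present now and absent when logged out."""
    if marker in logged_out_body:
        raise ValueError(f"marker {marker!r} also appears when logged out; it proves nothing")
    return marker in response_body

def heartbeat(responses, marker):
    """Walk the heartbeat responses of a scan; return the index where the session
    was first lost, or None if it held throughout."""
    for i, body in enumerate(responses):
        if not is_in_session(body, marker):
            return i
    return None

if __name__ == "__main__":
    print("candidates:", candidate_markers(LOGGED_IN, LOGGED_OUT))
    marker = candidate_markers(LOGGED_IN, LOGGED_OUT)[0]
    print("session lost at heartbeat:", heartbeat([LOGGED_IN, LOGGED_IN, LOGGED_OUT], marker))
```

Of the candidates the function returns, the logout link is the one a tester should pick: the account balance is also session-only, but it changes with the data, so a heartbeat keyed on it would report a lost session the moment the balance changed.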

