NMap
I've written three previous articles about free utilities for Windows IT Pro magazine, and I can't believe I've overlooked NMap until now. NMap is a network security scanner that originally came from the UNIX world over a decade ago, but to describe NMap as “just a port scanner” would be like describing the Hummer as “just a truck.” NMap is, by far, one of the most in-depth network security scanning tools available on any platform, at any price.

Available as a Windows executable, NMap scans the IP addresses and subnets you instruct it to and gives you a wealth of information about any hosts it finds: running services, responses received on various TCP ports, versions of applications that are listening on those ports, and more. Through a series of advanced TCP/IP fingerprinting techniques, it will even try to guess the target host's OS. As you see in Figure 7, in which I've run a test against Wikipedia, NMap has guessed that there's a 93 percent chance that the OS in use is Ubuntu Linux. A quick look at Wikipedia's own technical FAQ confirms that it is, in fact, running Linux—although the FAQ claims that the site is running Fedora's distribution.
For your IP network security needs, NMap is a must-have tool. The GUI is a great way to get familiar with the tool at first, but once you've learned the various command-line switches to run NMap, you can simply run the nmap.exe application directly and skip the GUI. The command-line flexibility provides many possibilities for batching and scripting NMap's operation.
BotHunter
Five years ago, in "Sniff with Snort" (InstantDoc ID 42606), I wrote an article about implementing Snort—the world's leading open-source intrusion-detection suite—in a Windows environment. Snort is a terrific utility, and to this day I still recommend it to anyone who needs a good, reliable intrusion-detection tool to protect their networks. But Snort takes some time to get working just right, and it still relies solely on a “signature matching” algorithm within single data packets to detect intrusion attempts.

That's still an effective (and necessary) approach for intrusion detection in an enterprise network, but SRI International's BotHunter takes matters a step further, adding a higher level of intelligence to the process. By correlating a number of packets over time and watching for the signature communication sequences that bot software typically utilizes—exploit usage, payload downloading, outbound bot coordination dialogs, outbound attack propagations, and so on—BotHunter can detect problems that simple intrusion detection can't. Although any individual packet might or might not be picked up by an intrusion-detection engine such as Snort, BotHunter's intelligent correlation engine can watch a system's communications over time and try to tie all the individual events together to determine whether a bot is operating in your network.
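To make the correlation idea concrete, here is an added example in Python (not BotHunter's code and not its actual scoring model) that scores per-host events of the four kinds the paragraph names inside a sliding time window, so that no single event raises an alert but a sequence of them does. The event labels, weights, window length and threshold are assumptions chosen for illustration, and the event stream is constructed.

```python
"""Toy time-window correlation of per-host security events.

Added example in the spirit of the dialog correlation the article describes;
it is not BotHunter's engine or scoring model. Event labels, weights, window
and threshold are assumed for illustration; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Phases a single-packet signature engine would report one at a time.
WEIGHTS = {
    "inbound_exploit": 1,    # exploit attempt against the internal host
    "payload_download": 2,   # the host then fetches a binary
    "cnc_dialog": 2,         # outbound coordination traffic
    "outbound_scan": 2,      # the host starts probing other hosts
}
WINDOW = timedelta(minutes=10)
THRESHOLD = 4  # score that distinct phases inside one window must reach

# Constructed events: (ISO timestamp, internal host, event type)
SAMPLE_EVENTS = [
    ("2010-03-01T09:00:05", "10.0.0.7", "inbound_exploit"),
    ("2010-03-01T09:01:10", "10.0.0.7", "payload_download"),
    ("2010-03-01T09:02:30", "10.0.0.7", "cnc_dialog"),
    ("2010-03-01T09:03:00", "10.0.0.9", "inbound_exploit"),   # nothing follows
    ("2010-03-01T09:06:45", "10.0.0.7", "outbound_scan"),
    ("2010-03-01T09:40:00", "10.0.0.9", "payload_download"),  # 37 min later
]


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted event types} for each host whose distinct event
    types inside some window of `window` length score at least `threshold`."""
    by_host = defaultdict(list)
    for ts, host, kind in sorted(events):  # ISO timestamps sort as strings
        by_host[host].append((datetime.fromisoformat(ts), kind))

    alerts = {}
    for host, evs in by_host.items():
        # Slide a window that starts at each event in turn.
        for i, (start, _) in enumerate(evs):
            seen = {}
            for t, kind in evs[i:]:
                if t - start > window:
                    break
                seen[kind] = WEIGHTS.get(kind, 0)  # repeats do not add score
            if sum(seen.values()) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(phases)}")
```

Two design choices carry the point of the paragraph: a repeated event type does not add to the score, so a noisy inbound scanner alone never trips the threshold, and an exploit attempt followed much later by an unrelated download stays below it because the two fall in different windows. Only a host that moves through several phases in quick succession is flagged.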
The most impressive aspect of BotHunter isn't just its advanced approaches to solving this type of security problem but the flexibility that SRI International provides—freely—to individual users and corporate users alike. If you're a freelance professional who wants to make sure your individual workstation isn't infected by a bot the next time you use free WiFi at your favorite coffee shop, BotHunter can help. If you're an enterprise network administrator who wants to keep track of traffic going throughout your entire network and have access to a Switched Port Analyzer (SPAN) port or some similar means of watching all your traffic, BotHunter can help you out, too.
BotHunter's installation is relatively straightforward: Simply launch the installer executable and follow the prompts. To operate properly, BotHunter requires the Java Standard Edition Runtime Engine and WinPcap—a promiscuous-mode packet-capture driver. The installer determines whether you already have these installed, and it downloads and installs them for you if you don't. The only other thing BotHunter asks you to provide is your network's IP address particulars—what subnets you have, where your DNS servers are, where your mail servers are, and so on. After that, BotHunter is ready to run.
If you see an alert come up in the GUI, which Figure 8 shows, you can then investigate it within your network and determine the problem. BotHunter can't yet send notifications outside the GUI, so you'll have to check it from time to time, but posts in SRI International's user forums indicate that email notifications are coming in a future release.
We're Up to 32
So, now you have eight more free utilities to add to your toolbelt. This batch will help you inventory your systems, recover lost data, and keep your network secure. Of all the tools here, my favorite is PhotoRec, but I hope that you find all of them useful and that they can make your job a little bit easier.