It should come as no surprise that there is quite a lot of malicious activity that can be accomplished with seemingly harmless tools. You could make the analogy of a workshop tool, such as a hammer, being both a creative and destructive implement depending on who wields it. The same is true of many legitimate diagnostic tools.
Not all of the applications in our list are necessarily malicious in their own right, though. Many of them simply provide information to an attacker, allowing them to either use the information inside another tool or to change the angle of their attack once they have performed some reconnaissance.
1. Angry IP Scanner
IP scanners are legitimate tools that can help users to discover devices they weren’t aware of on the network. This is especially helpful where there are newly configured devices that haven’t yet been documented, or as a troubleshooting step when trying to diagnose connectivity issues.
Angry IP Scanner is able to scan multiple broadcast domains and find out network host information such as the network name, IP address and MAC address. This is very useful with the many different IoT devices that use ethernet and Wi-Fi to connect to modern networks.
However, these same features can also be used for malicious purposes. The most obvious one is reconnaissance work by a potential attacker. Mapping the network and the devices that are present is one of the quickest and easiest ways to find potential targets. Angry IP Scanner is able to identify targets so that other tools can be used to further the attack. Angry IP Scanner can also find fetchers that relate to each target machine such as TTL, open ports, filtered ports, web detect, HTTP sender, comments, NetBIOS information, MAC address, MAC vendor and even packet loss.
Most Intrusion Detection/Prevention Systems (NIDS/NIPS) are able to find network scanning activity when it is present on the network, so if it is an unsanctioned activity, it can be quickly identified and stopped.
A copy of Angry IP Scanner can be downloaded here.
Wireshark is the default packet analyzer for many network professionals, so it should come as no surprise that this powerful freeware tool can also be used for malicious purposes. In fact, we looked at how we can find login details for Telnet by using Wireshark in this article here.
Perhaps one of the most publicized hacking activities that are performed with Wireshark is packet interception. This is not always easy because in order to sniff traffic, the attacker usually needs to have physical access to the network.
Assuming the person performing the attack is present within the network, there is a lot of information that can be discerned from analyzing packets. Encryption is important, as it hides identifiable information that the user is entering. If the attacker had to do a simple packet capture in the hopes of capturing http traffic that is unencrypted, this could easily be done by filtering POST data. POST data is usually generated when a login request is sent to a web page, so if you have any unsecured web applications on your network, then this data can be captured with Wireshark.
You can download Wireshark here.
PuTTY is a versatile SSH and Telnet client that can be downloaded for most operating systems. IT allows users to remotely log in and administer devices such as hardware appliances and applications that host SSH or Telnet sessions.
PuTTY is not malicious in its own right, as it is merely a conduit for attackers to pass their commands through. By leveraging the information that is gathered through packet sniffing, shoulder-surfing or dumpster-diving, an attacker could potentially find out just enough information to connect to a system without gaining authorization to do so.
Once connected to a system via SSH or Telnet, the attacker can begin performing actions that compromise the system, or interconnected series of systems such as a LAN or WAN. The data that is passed through Telnet is in plaintext, as we discussed in our article link above. This means that you need to use encrypted SSH sessions whenever possible if you are going to avoid giving away important login details for sensitive appliances and devices.
Using SSH is a much better bet, but you need to keep your login credentials safe to prevent unauthorized access. This means disabling any default accounts that might be built into network devices and making sure that any SSH ports that are not needed are closed.
You can download a copy of PuTTY here.
NMAP is a network probe and discovery application. It has legitimate purposes on a network, but it is often used as a reconnaissance tool that helps an attacker line up targets for an attack to be carried out later. It helps to unearth a lot of information about hosts on the network, just like Angry IP Scanner, but there are many finer-tuned abilities that can be leveraged via the command line.
NMAP is often used from a Kali installation, as it is full of additional hacking tools that can be used on the fly once vulnerabilities have been discovered.
With NMAP, you can accomplish tasks such as port scanning, as well as banner grabs that give important information about the targets on the network such as the operating system and software versions that are installed on them. NMAP can also be configured to allow for scans to be enabled with different parameters, making detection harder and speeding up scan times. NMAP allows for advanced features such as IP spoofing and other evasive features, which can make an attacker very difficult to identify.
NMAP has been ported to most operating systems and can be downloaded here.
5. Hiren’s BootCD
Hiren’s BootCD is a real Swiss army knife for computer technicians. It has many tools that have been compiled for many tasks such as hard drive scans and hardware checks. Most of the tools included on the disk are freeware or shareware, while some are demo versions and trials of software. IT operates in a gray area with regards to how legitimate its use is, so be aware of this if you plan on using it.
Hiren ships with many tools that are helpful, such as drive cloning software, driver scanners and repair applications, and even live bootable operating systems for repairing non-booting systems. There are, however, some other tools included on it that can help users to sidestep passwords and secure user accounts, so it can be used maliciously as well as in a repair environment.
It can be downloaded and made into a bootable flash drive, meaning that you can use it on any system that allows for USB booting from USB devices.
Find out more here.
We hope that this guide has shown you the other side to some of the applications that you might use on a daily basis. This is not to say that an installed instance of any of this software is a sign that there is malicious activity going on in your network, but it can help you to identify suspicious behavior if you start noticing odd systems coming from a computer within your network.