
14.5 SessionWall-3 (Now eTrust Intrusion Detection)

URL: www.ca.com

Client OS: Windows NT/9x

Target OS: IP networks

Price: Over $1,000

Description: SessionWall-3, shown in Figure 14-1, is a commercial sniffing tool and intrusion detection product from Abirnet. Abirnet was acquired by Computer Associates, and the product has been improved and is now sold as eTrust Intrusion Detection. Although the product is sold as an intrusion detection system, it also works well as a sniffing tool for testing a network. Using sniffing technology, SessionWall-3 records and displays HTTP, FTP, SMTP, POP, NNTP, and telnet traffic. The tool reassembles the network traffic into legible documents. For instance, you can gather an entire e-mail, HTTP session, or telnet session. Telnet and FTP traffic tends to be the most useful, since user names and passwords are displayed in clear text and commonly enable you to gain administrator access to the target system.

[Figure 14-1. SessionWall-3 Interface]

Additionally, SessionWall-3 is particularly useful if you want to gain access to a mainframe or AS400 computer system. The telnet session with a mainframe often looks like binary traffic. SessionWall-3 can do on-the-fly translation from EBCDIC to ASCII if you right-click on the captured data. This makes AS400 and mainframe systems that use telnet vulnerable in a shared media environment. Without this translation capability, you would have to perform an extra step to read the EBCDIC traffic, such as using “dd” on the file on a UNIX system.
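EBCDIC is a character encoding, not a form of protection, so a captured mainframe telnet session is as readable as an ASCII one once the code page is known. The following is an added example, not code from the book or from SessionWall-3: it applies a simple printable-byte heuristic to decide whether a captured payload is ASCII or EBCDIC (code page 037 is assumed) and decodes it accordingly, using constructed sample payloads.

```python
# Constructed sample payloads (not real captures): the same kind of clear-text
# logon exchange, once as a mainframe would send it in EBCDIC code page 037
# and once as an ordinary ASCII telnet session.
SAMPLE_EBCDIC = "LOGON TSOUSER PASSWORD=SECRET".encode("cp037")
SAMPLE_ASCII = b"login: alice\r\nPassword: hunter2\r\n"

# Byte values that are plausible text in cp037 besides letters and digits:
# '.' 0x4B, ';' 0x5E, ',' 0x6B, '=' 0x7E, CR 0x0D, LF 0x25, NL 0x15.
EBCDIC_PUNCT = {0x4B, 0x5E, 0x6B, 0x7E, 0x0D, 0x25, 0x15}


def ebcdic_score(data: bytes) -> float:
    """Fraction of bytes that look like cp037 text: space 0x40, lowercase
    0x81-0xA9, uppercase 0xC1-0xE9, digits 0xF0-0xF9, or common punctuation."""
    if not data:
        return 0.0
    ok = sum(
        1
        for b in data
        if b == 0x40
        or 0x81 <= b <= 0xA9
        or 0xC1 <= b <= 0xE9
        or 0xF0 <= b <= 0xF9
        or b in EBCDIC_PUNCT
    )
    return ok / len(data)


def ascii_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def render_payload(data: bytes) -> tuple[str, str]:
    """Return (encoding_guess, decoded_text). Whichever encoding makes more of
    the bytes look like printable text wins; ties (including empty input) are
    treated as ASCII so ordinary sessions are never mis-decoded as EBCDIC."""
    if ebcdic_score(data) > ascii_score(data):
        return "ebcdic", data.decode("cp037")
    return "ascii", data.decode("ascii", errors="replace")


if __name__ == "__main__":
    for sample in (SAMPLE_EBCDIC, SAMPLE_ASCII):
        enc, text = render_payload(sample)
        print(f"{enc:7s} {text!r}")
```

The heuristic only distinguishes text from text; genuinely binary traffic (TN3270 screen buffers, for example) scores low under both encodings and should be left as raw bytes.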

Use: SessionWall-3 is easy to install and use. First install the executable. By default SessionWall-3 will capture FTP, HTTP, telnet, and SMTP traffic. You can modify the default traffic SessionWall-3 captures through the Functions menu, Monitor/Block/Alert Rules. In the Monitor/Block/Alert window you can use Edit Rules to add rules to specify the type of traffic to be monitored, the source, the destination, and an action such as log or block. The upper left pane lists the capture sessions sorted by protocol. You can drill down to individual sessions to view the actual communications (and user names and passwords) if present. The same pane offers different views by selecting the Clients, Servers, or Rules tab. The bottom pane shows the statistics for the captured traffic. For penetration testing, you are usually only concerned with viewing the captured information, especially FTP, telnet, HTTP, and e-mail.

Benefits: SessionWall-3 is very easy to use. It reassembles the packets into complete sessions and transmissions, making them easy to follow and read. The rules are easy to configure to target specific traffic and servers.

Cons: SessionWall-3 is an expensive tool. In addition, if you do not target very specific traffic the log files will grow very quickly. Also, it can be difficult to view the raw packet or to extract a particular session for documentation or reporting purposes.
