EtherPeek


   However, back to EtherPeek. It has a "Tools" menu that allows you to test firewalls and routers. For example, you can check to make sure the firewall is blocking the computers on your LAN from replying with valuable information to a port scan from someone on the outside.

    The creator of EtherPeek and president of AG Group, Mahboud Zabetian, also explains that his software can collect "messages looking for passwords." In his words, the "File Transfer Protocol (ftp) application in the TCP/IP suite has a PASSWORD embedded command in the command stream channel that is ideal for filter writing. By setting up EtherPeek with a filter for PASSWORD commands embedded in FTP, the security person can quickly examine why systems are failing password connections or where high connection count password attempts are coming from when trying to find the source of random login hacking."

    OK, I agree with you, the kind of cracker who repeatedly attempts to get into an ftp server by guessing at passwords is seriously lame. However, even lame hackers sometimes get lucky. You would be surprised at how many users choose a password that is the same as their user name, or even choose to have no password at all (just hit "enter"). The best way to deal with this problem is to run a program that forces users to choose secure passwords. Alec Muffett's cracklib will do this. It's available for free at http://www.nmrc.org/files/sunix/index.html.
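The PASS-command filter Zabetian describes and the weak-password problem from the paragraph above, as an added Python example (not from the original article and not EtherPeek's own code). It assumes the FTP control-channel lines have already been captured as (client IP, direction, line) tuples; the sample records and the `attempt` and `analyze` helper names are constructed for illustration.

```python
from collections import Counter, defaultdict

def attempt(ip, user, pw, code):
    """Build one constructed USER/PASS exchange ("C" = client, "S" = server)."""
    return [(ip, "C", f"USER {user}"), (ip, "S", "331 Password required"),
            (ip, "C", f"PASS {pw}".rstrip()), (ip, "S", f"{code} reply text")]

# Constructed sample capture; addresses come from documentation ranges.
SAMPLE = (
    attempt("203.0.113.9", "root", "toor", 530)
    + attempt("203.0.113.9", "root", "root1", 530)
    + attempt("203.0.113.9", "admin", "letmein", 530)
    + attempt("192.0.2.20", "alice", "alice", 230)      # password == user name
    + attempt("192.0.2.21", "guest", "", 230)           # empty password
    + attempt("192.0.2.22", "bob", "wrong", 530)        # one honest typo
    + attempt("192.0.2.22", "bob", "s3cure-Phrase", 230)
)

def analyze(records, threshold=3):
    """Return (sources with >= threshold failed logins, weak accounts).

    Passwords are only classified, never stored or returned.
    """
    failures = Counter()
    weak = set()
    state = defaultdict(dict)            # per client: last USER, pending PASS
    for client, direction, line in records:
        verb, _, arg = line.strip().partition(" ")
        st = state[client]
        if direction == "C" and verb.upper() == "USER":
            st["user"] = arg
            st.pop("pw", None)
        elif direction == "C" and verb.upper() == "PASS":
            st["pw"] = arg
        elif direction == "S" and "pw" in st and verb in ("230", "530"):
            pw, user = st.pop("pw"), st.get("user", "")
            if verb == "530":                      # server rejected the login
                failures[client] += 1
            elif pw == "":                         # accepted with no password
                weak.add((user, "empty"))
            elif pw == user:                       # accepted, same as user name
                weak.add((user, "same-as-username"))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, weak

if __name__ == "__main__":
    noisy, weak = analyze(SAMPLE)
    print("sources over threshold:", noisy)
    print("accounts needing a password change:", sorted(weak))
```

The single failed login from 192.0.2.22 stays under the threshold, so an ordinary typo is not reported alongside the repeated guessing from 203.0.113.9.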

    Zabetian also has advice for how to spot the sophisticated break-in artist at work. "By looking for what 'does not belong' on the network connections as well as what does..." one may spot "potential security issues before they become problems. For instance, if there are a lot of connection attempts from a specific address external to the authorized group, it's time to pay a visit to the offender and find out what's going on before it gets serious."

    Yes, that's right, a hacker really can get punched in the nose, er, paid a "visit," if he or she does too much port scanning and poking around someone's network.

    For best results, EtherPeek (or any good computer crime fighting software) should be set up on one computer outside the firewall (you do have a firewall, right?) and another inside to deal with the intruders who manage to get inside anyhow. Besides, almost half of all computer crime is committed by people who are already users on the local area networks they attack.

    EtherPeek is shipped with a companion program, AGNetTools, which can port scan your network while EtherPeek records its results. As mentioned above, one of the warning signs that you have an unexpected visitor is unauthorized ports showing up. Also, sometimes someone gets careless and accidentally opens a Web or ftp port that has little or no security -- and opens the door to invaders.

    EtherPeek is a great hacker research tool, too. It can detect the corrupted packets of exploits such as Land and Teardrop that disable vulnerable computers. It can save these packets for you to resend against a test computer so you can learn how they do their dirty work. Besides, sometimes there is a hardware glitch that accidentally manufactures destructively corrupt packets. One time when Rt66 Internet was suffering from corrupt packets, EtherPeek helped a sysadmin find the offending hardware within minutes.

    Occasionally you may be attacked by a truly sophisticated opponent. For example, one trick is to run a denial of service attack such as a SYN flood in which each packet has a different source IP address. This will trick many router and firewall defenses into not realizing they are under an attack which will soon shut them down. EtherPeek, however, can analyze (but not deflect) this attack.

    As mentioned above, EtherPeek easily identifies the sender of so-called stealth port scans. It also detects the true IP address of someone setting up a spoofed IP connection. The attacker is sitting there sending messages to the victim computer thinking that the identity of his computer is hidden. Yet on the other end a sysadmin is looking on the screen of his Mac G3 at the IP address, laughing as he unleashes a Teardrop attack to crash the attacker's computer.

© 1999 - 2008, MultiMedia SRL