Wednesday, August 9, 2023

NetAlly CyberScope™ – Handheld Cyber Security Analyzer - Julio Petrovitch

 

In April 2023, NetAlly released CyberScope, the world’s first handheld cybersecurity analyzer. Still, for many such a description could be considered very broad. So, what exactly is a CyberScope and what does it do? More importantly, how can it help a network or security professional like yourself?


In a nutshell, CyberScope is a handheld cybersecurity analysis tool that offers comprehensive risk assessment, analysis and reporting for the site access layer. All in a single, powerful, and portable form factor. It supports endpoint and network discovery, wireless security scans, vulnerability assessments using Nmap, plus segmentation and provisioning validation.


As a ruggedized, purpose-built all-in-one tool, CyberScope is a network security solution that eliminates the use of fragile laptops and tablets. With multiple functions, it provides fast, actionable insights into your network, filling the critical visibility gaps that other cybersecurity tools frequently do not address.


As for what it does and how it can help, there is a lot. Here is some of its core functionality:


Probe Endpoints and Networks

Network discovery is a critical cybersecurity best practice, providing valuable information about the network infrastructure, layout, devices, and services that are present. CyberScope’s Discovery combines scanning and active probing via five different network interfaces (wired and wireless) using multiple technologies (including CDP, LLDP, FDCP, SNMP, Nmap, and others) to find endpoints, network infrastructure elements, and potential attack surfaces.


Classify Devices as Authorized, Unauthorized, Neighbor or Unknown

Network segmentation and provisioning can be complicated and prone to error. CyberScope can verify proper segmentation of both wired and Wi-Fi networks at the point of access with clear pass/fail indication. CyberScope can also examine switch ports for proper provisioning, join a VLAN to ensure correct segmentation, and capture traffic on a specific VLAN for deeper analysis. Not only that, all discovered devices and even endpoint manufacturers can be classified as Authorized, Unauthorized, Neighbor or Unknown.


Locate Endpoints on the Wire or in the Air

Path analysis is critical to understand how devices are interconnected. CyberScope provides complete port by port details of the network path – both wired and wireless – to any device. This is crucial when hunting down unknown or nefarious devices. Rogue hunting is made fast and easy on Wi-Fi with CyberScope’s external directional antenna.


Identify Endpoint Vulnerabilities

Nmap can help identify potential vulnerabilities like open backdoors, malware or poorly configured firewalls and intrusion detection systems. However, the cryptic nature of Nmap’s command line interface and excessive textual output prevents many network professionals from using it to its fullest extent.

CyberScope’s intuitive user interface integrates with Nmap’s robust probing capabilities to help with efficiency and repeatability. Even seasoned Nmap users will appreciate the ease of use that CyberScope brings to vulnerability detection.

Also, the embedded Nmap analysis engine in the CyberScope automatically scans for vulnerabilities on all endpoint devices connected to the network. Nmap allows CyberScope to enhance the information gathered from each device with valuable vulnerability information by running built-in or custom scripts and automatically generating warning and error notifications. All this can help identify potential security weaknesses and prioritize remediation efforts to reduce risk.


Generate Reports, Collaborate, and Share

Vulnerability reporting is easy using the Link-Live collaboration platform. With features that include vulnerability scan results visibility, discovery snapshots and comparisons, plus heat and topology maps, Link-Live makes it easier to collaborate and share with other team members. There is also a licensed, containerized version for on-prem use, available for those of you who don’t like the idea of storing network data in the cloud. Not only that, but Link-Live allows for secure sharing and even remote control of the analyzer by centralized experts, which fully enables collaboration across your team regardless of their location.


In conclusion, CyberScope is a rugged, hand-held instrument which allows you to identify wired and wireless network vulnerabilities in a single walkthrough. Plus, as a dedicated, purpose-built tool, CyberScope integrates all the hardware capabilities you need to complete any type of network survey or analysis. That includes:

  • 10 gig fiber optic and copper (RJ45) Ethernet ports with high-power PoE support – functionality you won’t find on a laptop.

  • One Bluetooth/BLE and two Wi-Fi radios with up to 802.11ax and 6GHz band support.

  • USB ports that provide connectivity for accessories, like a spectrum analyzer, a headset for voice communications, label printers, and more.

Want to know more about NetAlly’s CyberScope? Then make sure to visit cyberscope.netally.com and check it out!


About NetAlly

The NetAlly® family of network test and analysis solutions has been helping network engineers and technicians better deploy, manage, and maintain today’s complex wired and wireless networks for decades. Since creating the industry’s first handheld network analyzer in 1993, NetAlly continues to set the standard for portable network analysis with tools that include EtherScope® nXG, CyberScope™, AirMagnet®, LinkRunner®, LinkSprinter®, AirCheck™, and more. NetAlly simplifies the complexities of network testing and cybersecurity assessments, provides instant visibility for efficient problem resolution, and enables seamless collaboration between site personnel and remote experts. To learn more and see how NetAlly helps network and security professionals get their jobs done fast, visit https://www.netally.com, or follow us on Facebook, Twitter, LinkedIn, Instagram or YouTube.

Monday, August 7, 2023

Http ping and tracert ipv6/ipv4 tips


I am starting to run into more environments where IPv6 is showing up. I must admit that most of the time the client wasn’t aware of the impact that having IPv6 enabled on hosts can have. Other times the client intentionally had IPv6 enabled and in use.

Either way, I get asked how to perform some of the most basic troubleshooting when a Windows host has both IPv4 and IPv6 on it. I must admit that the first time I was asked about this, a few years ago, I was stumped until I stopped, took a breath and read the ping and tracert help screens, lol. Accessing a web server using an IPv6 address took a little bit more digging, but it was well worth it since the same questions come up in my classes and troubleshooting engagements.

In this video I cover how to ping, tracert and use HTTP with IPv6 addresses, and how to force the use of IPv4 addresses when using a host name.
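Added example, not from the post or its video: the same address-family choice that Windows ping -4 / ping -6 make, done from Python with getaddrinfo, plus the bracket syntax an IPv6 literal needs in an HTTP URL (the part that usually needs "a little more digging"). All hosts and addresses below are constructed documentation values.

```python
import socket
import ipaddress
from urllib.parse import urlsplit


def resolve(host, family="any"):
    """Resolve host to a list of address strings.
    family="4" / "6" behaves like ping -4 / ping -6: only that family is
    returned; "any" returns whatever the resolver gives (AAAA and A records).
    """
    fam = {"4": socket.AF_INET, "6": socket.AF_INET6, "any": socket.AF_UNSPEC}[family]
    try:
        infos = socket.getaddrinfo(host, None, family=fam, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no address of that family (or name does not resolve)
    addrs = []
    for _fam, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def http_url(addr, path="/", port=80, scheme="http"):
    """Build a URL for an IP literal.
    An IPv6 literal must be wrapped in [] so its colons are not read as the
    port separator, and a link-local zone index (fe80::1%12) must have the
    '%' percent-encoded as %25 inside the brackets.
    """
    ip = ipaddress.ip_address(addr.split("%")[0])  # validate, ignoring zone
    host = "[" + addr.replace("%", "%25") + "]" if ip.version == 6 else addr
    default = 80 if scheme == "http" else 443
    portpart = "" if port == default else f":{port}"
    return f"{scheme}://{host}{portpart}{path}"


def literal_from_url(url):
    """Inverse check: urlsplit strips the brackets and returns the bare literal."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    # Constructed host name; on a real dual-stack host compare the two lists.
    for fam in ("4", "6"):
        print(fam, resolve("localhost", fam))
    print(http_url("2001:db8::1", "/status", 8080))
```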



Friday, August 4, 2023

Find your tools with Nmap

 

Every network technician will have some sort of network tool that connects to the network. It can be a packet capture tool, like the IOTA I used in my example, a laptop, etc.


In some scenarios, you might send the tool out with a technician or ship it out to a remote site. If you’re lucky, you can preconfigure a static IP, gateway, etc., and connect to it remotely. But what if you have to rely on a DHCP-assigned address? If you have time, you can work with the DHCP administrator and reserve an IP address, or look through the DHCP database for the device’s MAC address. In my experience, getting multiple departments coordinated to find an IP address can take a while, not to mention, what if it’s after hours?


In this video, I use Nmap to locate my Profitap IOTA capture device. All I needed to know was a port number that it has ‘open’; in this case, TCP 3000. As I mention in the video, if you had more than one unit, you would need to know your device’s MAC address. Tip: to have Nmap return the MAC address, you need to be on the same VLAN as the target device. In our case, they had a support computer on that VLAN, but I have also used a remote client computer (with their permission).
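Added example, not from the post: the same lookup done with Nmap's XML output instead of reading the screen, so it can be repeated from a script. It keeps only hosts with the open port and picks the one whose MAC matches when several units answer; a missing MAC is reported as such, which is what you see when the scanning machine is not on the target's VLAN. The subnet, MAC and vendor in the sample XML are constructed documentation values, and nmap is assumed to be installed for scan().

```python
import subprocess
import xml.etree.ElementTree as ET


def hosts_with_open_port(nmap_xml, port, proto="tcp"):
    """Return [(ip, mac_or_None, vendor_or_None)] for each up host in Nmap XML
    output that has `port` open. MAC/vendor only appear when the scan ran on
    the same layer-2 segment (VLAN) as the target."""
    hits = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac, vendor = a.get("addr"), a.get("vendor")
        for p in host.iter("port"):
            st = p.find("state")
            if (p.get("protocol") == proto and p.get("portid") == str(port)
                    and st is not None and st.get("state") == "open"):
                hits.append((ip, mac, vendor))
                break
    return hits


def pick_by_mac(hits, wanted_mac):
    """Several units? Return the IP whose MAC matches (any separator/case),
    or None, including when Nmap returned no MAC at all."""
    wanted = wanted_mac.replace("-", ":").lower()
    return next((ip for ip, mac, _v in hits if mac and mac.lower() == wanted), None)


def scan(target_cidr, port):
    """Run nmap (assumed installed) on the subnet you manage, XML to stdout."""
    cmd = ["nmap", "-p", str(port), "--open", "-oX", "-", target_cidr]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return hosts_with_open_port(out, port)


# Constructed sample of Nmap's XML: two units with TCP 3000 open, one without;
# the second open host was seen from another VLAN, so it carries no MAC.
SAMPLE_XML = """<?xml version="1.0"?><nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:01" addrtype="mac" vendor="Constructed Vendor"/>
<ports><port protocol="tcp" portid="3000"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.21" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="3000"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.22" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="3000"><state state="open"/></port></ports></host>
</nmaprun>"""
```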

Thursday, April 23, 2020

Free Command Line timer

Command line or batch files are incredibly important to me as an analyst.

I cannot count the number of times creating a simple script has saved me countless hours. Some examples that come to mind:

  • Performing testing when I’m working alone

  • Running tests unattended

  • Having other people perform your testing

  • Running a task as part of a notification system

In this article I use a simple example of recording the start/stop or elapsed time when copying a file. This can be easily modified for a wget, iperf or iperf3 copy, etc.


I would strongly encourage you to get a little familiar with this as a valuable skill and to better understand similar commercial applications that you may have.


URL to the timer.exe utility: https://www.gammadyne.com/cmdline.htm
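Added example, not the post's batch file and not related to timer.exe: the same start/stop/elapsed record written around any command (a copy, wget, iperf3, ...) so it can run unattended, be handed to someone else, or feed a notification script. The command is passed as an argument list and the exit code is returned, so a caller can branch on failure the way a batch file does on ERRORLEVEL; the log file name is an assumption.

```python
import subprocess
import sys
import time
from datetime import datetime

PYTHON = sys.executable  # handy stand-in command for trying the timer out


def timed_run(argv, logfile=None):
    """Run argv, record wall-clock start/stop and elapsed seconds, optionally
    append one CSV line to logfile, and return the record as a dict."""
    started = datetime.now()
    t0 = time.perf_counter()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
        exit_code = proc.returncode
    except FileNotFoundError:  # command not installed / typo in the path
        exit_code = 127
    elapsed = time.perf_counter() - t0
    record = {
        "start": started.isoformat(timespec="seconds"),
        "stop": datetime.now().isoformat(timespec="seconds"),
        "elapsed_s": round(elapsed, 3),
        "exit_code": exit_code,
        "command": " ".join(argv),
    }
    if logfile:
        with open(logfile, "a", encoding="utf-8") as fh:
            fh.write("{start},{stop},{elapsed_s},{exit_code},{command}\n".format(**record))
    return record


if __name__ == "__main__":
    # Usage: python timed_run.py <command> [args...]   e.g. a file copy or iperf3
    argv = sys.argv[1:] or [PYTHON, "-c", "import time; time.sleep(1)"]
    rec = timed_run(argv, "timer.log")  # assumed log file name
    print(rec)
    sys.exit(rec["exit_code"])  # propagate failure to the calling script
```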

Troubleshooting HTTP 503 Issues

I have mentioned in the past that you should really look ‘under the hood’ as far as application communication goes.



I have seen many applications that ‘work’ but do not ‘work well’ generate error messages. These errors can be categorized as follows:

Application - Messages are entirely application based and are addressed by the application team or vendor.

  • Sending commands with no authentication, waiting for the error message, then resending the same command with authentication

  • Using small packet or data payload sizes

  • Inefficient multi-tiered server architecture

  • Login processes that download application files without checking if you already have the current files

  • References to servers that are decommissioned or used for testing/development

Network – Messages generated by the network devices that can affect application performance and are addressed by the networking team.

  • MTU issues caused by different network topologies, firewalls, routers or load balancers

  • Blocked ICMP error messages that the application needs in order to make proper adjustments, like MTU and routing

  • Inefficient routes

  • Proxies or firewalls that do not allow application access but fail over to the default gateway, which still works

  • New equipment with old switch port speed or duplex configurations

  • Access points with 1 Gb Ethernet ports using the previous 100 Mb PoE injector

Client/Server – Errors caused by the server or host configurations. These are addressed by the server and desktop teams.

  • Old configurations blindly used on newer operating systems

  • Using all the default protocols and services when they are not needed

  • Aggressive antivirus or firewall settings causing disconnections or performance issues

  • Servers with limited resources (RAM or CPU)

In this example, I will focus on HTTP 503 Service Unavailable messages generated from web servers. In many cases, these are generated from a component as a webpage loads and the user has no idea this is happening.

If you’re lucky, the error will cause a noticeable issue, so you can investigate. If you’re not lucky, the issue may intermittently resolve itself quickly, resulting in performance or ‘random’ problems.

Many protocol analyzers and applications can report or count the number of errors. I suggest you initially concentrate on 4xx or 5xx error codes. If none exist, look for big delta times between the HTTP command responses.

If you are using HTTPS, look into what logs or analysis tools are available. For example, most web browsers have a Developer Tools facility that will record all sorts of helpful information. Alternatively, there are agents you can load on your clients to record and log performance or errors.

In any case, I suggest you test and get familiar with your chosen tools to ensure they are accurate and that you understand what they are reporting.
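Added example, not from the post: the triage order suggested above run over a constructed request log (one line per HTTP transaction, as a browser's Developer Tools, a client agent or an analyzer export might produce it). It counts 4xx/5xx per path, lists slow responses when no errors exist, and flags paths whose 503 later turned into a 200, which is the "resolves itself" case the page describes. The log format and the 2 s threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed export: ISO timestamp, method, path, status, response time in ms.
# /api/inventory fails twice with 503 while the page loads, then succeeds.
LOG = """\
2023-08-01T10:00:00.120 GET /index.html 200 45
2023-08-01T10:00:00.310 GET /api/inventory 503 12
2023-08-01T10:00:00.350 GET /static/app.js 200 80
2023-08-01T10:00:01.400 GET /api/inventory 503 9
2023-08-01T10:00:02.900 GET /api/prices 200 2650
2023-08-01T10:00:05.000 GET /api/inventory 200 40
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, method, path, status, ms = m.groups()
            rows.append({"ts": ts, "method": method, "path": path,
                         "status": int(status), "ms": int(ms)})
    return rows


def triage(rows, slow_ms=2000):
    """Step 1: count 4xx/5xx per path. Step 2: list responses slower than
    slow_ms (the 'big delta time' check for when no error codes exist)."""
    errors = defaultdict(Counter)
    for r in rows:
        if 400 <= r["status"] < 600:
            errors[r["path"]][r["status"]] += 1
    slow = [(r["path"], r["ms"]) for r in rows if r["ms"] >= slow_ms]
    return {"errors": {p: dict(c) for p, c in errors.items()}, "slow": slow}


def flapping(rows):
    """Paths that returned a 5xx and then a 2xx later in the same log: the
    intermittent 503 that 'resolves itself' and hides behind a loaded page."""
    failed, flapped = set(), set()
    for r in rows:  # rows are in log order
        if 500 <= r["status"] < 600:
            failed.add(r["path"])
        elif 200 <= r["status"] < 300 and r["path"] in failed:
            flapped.add(r["path"])
    return flapped
```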

The HFS HTTP server link is here: https://www.rejetto.com/hfs/

Enjoy
