System Notes Security Tools
Links need to be checked…
Major Security Sites for Information and Tools
COAST Archive
Axent – Raptor
Risks Forum Digest
Forum of Incident Response and Security Teams
DEFCON
| Nessus |
http://www.nessus.org |
|
Description: Remote network security auditor, the client The Nessus Security Scanner is a security auditing tool. It makes
possible to test security modules in an attempt to find vulnerable
spots that should be fixed. . It is made up of two parts: a server,
and a client. The server/daemon, nessusd, is in charge of the
attacks, whereas the client, nessus, interferes with the user through
nice X11/GTK+ interface. . This package contains the GTK+ 1.2
client, which exists in other forms and on other platforms, too.
|
| Tcpdump |
http://www.tcpdump.org |
|
Description: A powerful tool for network monitoring and data acquisition This program allows you to dump the traffic on a network. It can
be used to print out the headers of packets on a network interface
that matches a given expression. You can use this tool to track down
network problems, to detect “ping attacks” or to monitor the network
activities.
|
| Snort |
http://www.snort.org |
|
Description: flexible packet sniffer/logger that detects attacks Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
to being used to detect a variety of other attacks and probes, such
as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
much more. Snort has a real-time alerting capability, with alerts being
sent to syslog, a separate “alert” file, or even to a Windows computer
via Samba.
|
| Saint |
http://www.wwdsi.com/saint/ |
|
Description: SAINT (Security Administrator’s Integrated Network Tool) is a security assesment tool based on SATAN. Features include
scanning through a firewall, updated security checks from CERT &
CIAC bulletins, 4 levels of severity (red, yellow, brown, & green)
and a feature rich HTML interface.
|
| Ethereal |
http://ethereal.zing.org/ |
|
Description: Network traffic analyzer Ethereal is a network traffic analyzer, or “sniffer”, for Unix and
Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
|
| Abacus Portsentry |
http://www.psionic.com/abacus/portsentry/ |
|
Description: Portscan detection daemon PortSentry has the ability to detect portscans(including stealth scans) on
the network interfaces of your machine. Upon alarm it can block the attacker
via hosts.deny, dropped route or firewall rule. It is part of the Abacus
program suite.
.
Note: If you have no idea what a port/stealth scan is, I’d recommend to have
a look at http://www.psionic.com/abacus/portsentry/ before installing this
package. Otherwise you might easily block hosts you’d better not(e.g. your
NFS-server, name-server, ...).
|
| DSniff |
| Tripwire |
http://www.tripwire.org/ |
Note: Depending on usage, this tool may have expensive licensing feesassociated with it.
Description: A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in
monitoring a designated set of files for any changes. Used with
system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage
control measures can be taken in a timely manner.
|
| Hping2 |
http://www.kyuzz.org/antirez/hping/ |
|
Description: hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP
replies. It handles fragmentation and arbitrary packet body and
size, and can be used to transfer files under supported
protocols. Using hping2, you can: test firewall rules, perform
[spoofed] port scanning, test net performance using different
protocols, packet size, TOS (type of service), and fragmentation,
do path MTU discovery, tranfer files (even between really Fascist
firewall rules), perform traceroute-like actions under different
protocols, fingerprint remote OSs, audit a TCP/IP stack,
etc. hping2 is a good tool for learning TCP/IP.
|
| SARA |
http://www-arc.com/sara/ |
|
Description: The Security Auditor’s Research Assistant (SARA) is a third generation security analysis tool that is based on the SATAN
model which is covered by the GNU GPL-like open license. It is
fostering a collaborative environment and is updated periodically
to address latest threats.
|
| IPFilter |
http://coombs.anu.edu.au/ipfilter/ |
|
Description: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module orincorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and
patch system files, as required.
|
| iptables/netfilter/ipchains/ipfwadm |
http://netfilter.kernelnotes.org/ |
|
Description: IP packet filter administration for 2.4.X kernels Iptables is used to set up, maintain, and inspect the
tables of IP packet filter rules in the Linux kernel.
The iptables tool also supports configuration of dynamic and static
network address translation.
|
| L0pht Crack |
http://www.l0phtcrack.com/ |
Note: No source code is included (except in research version) and their is a $100 registration fee.
Description: L0phtCrack is an NT password auditting tool. It willcompute NT user passwords from the cryptographic hashes that are
stored by the NT operation system. L0phtcrack can obtain the hashes
through many sources (file, network sniffing, registry, etc) and it
has numerous methods of generating password guesses (dictionary, brute
force, etc).
|
| John The Ripper |
http://www.openwall.com/john/ |
|
Description: An active password cracking tool john, normally called john the ripper, is a tool to find
weak passwords of your users.
|
| Hunt |
http://www.cri.cz/kra/index.html#HUNT |
|
Description: Advanced packet sniffer and connection intrusion. Hunt is a program for intruding into a connection, watching it and
resetting it.
.
Note that hunt is operating on Ethernet and is best used for connections
which can be watched through it. However, it is possible to do something
even for hosts on another segments or hosts that are on switched ports.
|
| OpenSSH / SSH |
http://www.openssh.com/
http://www.ssh.com/commerce/index.html |
Note: The ssh.com version cost money for some uses, but source code is available.
Description: Secure rlogin/rsh/rcp replacement (OpenSSH) OpenSSH is derived from OpenBSD’s version of ssh, which was in turn
derived from ssh code from before the time when ssh’s license was
changed to be non-free.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be
used to provide rdist, and rsync with a secure communication channel.
|
| Ntop |
http://www.ntop.org |
|
Description: display network usage in top-like format ntop is a Network Top program. It displays a summary of network usage by
machines on your network in a format reminicent of the unix top utility.
.
It can also be run in web mode, which allows the display to be browsed with
a web browser.
|
| traceroute/ping/telnet |
http://www.linux.com |
|
Description: These are utilities that virtually all UNIX boxes already have. In fact, even Windows NT has them ( but the traceroute command is called tracert ).
|
| NAT (NetBIOS Auditing Tool) |
http://www.tux.org/pub/security/secnet/tools/nat10/ |
Note: This is an unofficial download site.
Description: The NetBIOS Auditing Tool (NAT) is designed to explorethe NETBIOS file-sharing services offered by the target system. It
implements a stepwise approach to gather information and attempt to
obtain file system-level access as though it were a legitimate local
client.
|
| scanlogd |
http://www.openwall.com/scanlogd/ |
|
Description: A portscan detecting tool Scanlogd is a daemon written by Solar Designer
to detect portscan attacks on your maschine.
|
| NFR |
http://www.nfr.com |
Note: Source code was once freely available but I do not know if this is still the case. Some usage may cost money.
Description: A commercial sniffing application for creating intrusiondetection systems. Source code was at one time available, but I do
not know if that is still the case.
|
| logcheck |
http://www.psionic.com/abacus/logcheck/ |
|
Description: Mails anomalies in the system logfiles to the administrator Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema’s TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit© by Trusted Information
Systems Inc.(TIS).
.
Logcheck helps spot problems and security violations in your logfiles
automatically and will send the results to you in e-mail. This program is
free to use at any site. Please read the disclaimer before you use any of
this software.
|
| Perl |
http://www.perl.org |
|
Description: A very powerful scripting language which is often used to create “exploits” for the purpose of verifying security vulnerabilities. Of course, it is also used for all sorts of other things.
|
| Cheops |
http://www.marko.net/cheops/ |
|
Description: A GTK based network “swiss-army-knife” Cheops gives a simple interface to most network utilities, maps local or remote networks and can show OS types of the machines on the network.
|
| Vetescan |
http://www.self-evident.com/ |
|
Description: Vetescan is a bulk vulnerability scanner which contains programs to check for and/or exploit many remote network security
exploits that are known for Windows or UNIX. It includes various
programs for doing different kinds of scanning. Fixes for
vulnerablities are included along with the exploits.
|
| Libnet |
http://www.packetfactory.net/libnet/ |
|
Description: Routines for the construction and handling of network packets. libnet provides a portable framework for low-level network packet writing and
handling.
.
Libnet features portable packet creation interfaces at the IP layer and link
layer, as well as a host of supplementary functionality. Still in it’s
infancy however, the library is evolving quite a bit. Additional functionality
and stability are added with each release.
.
Using libnet, quick and simple packet assembly applications can be whipped up
with little effort. With a bit more time, more complex programs can be written
(Traceroute and ping were easily rewritten using libnet and libpcap).
|
| Crack / Libcrack |
| Cerberus Internet Scanner |
http://www.cerberus-infosec.co.uk/cis.shtml |
|
Description: CIS is a free security scanner written and maintained by Cerberus Information Security, Ltd and is designed to help
administrators locate and fix security holes in their computer
systems. Runs on Windows NT or 2000. No source code is
provided.
|
| OpenBSD |
http://www.openbsd.org |
|
Description: The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts place emphasis
on portability, standardization, correctness, security, and
cryptography. OpenBSD supports binary emulation of most programs
from SVR4 (Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX.
|
| Nemesis |
http://www.packetfactory.net/Projects/nemesis/ |
|
Description: The Nemesis Project is designed to be acommandline-based, portable human IP stack for UNIX/Linux. The suite
is broken down by protocol, and should allow for useful scripting of
injected packet streams from simple shell scripts.
|
| LSOF |
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ |
|
Description: List open files. Lsof is a Unix-specific diagnostic tool. Its name stands
for LiSt Open Files, and it does just that. It lists
information about any files that are open by processes
current running on the system.
The binary is specific to kernel version 2.2
|
| Lids |
http://www.turbolinux.com.cn/lids/ |
|
Description: The LIDS is an intrusion detection/defense system inLinux kernel. The goal is to protect linux systems against root
intrusions, by disabling some system calls in the kernel itself. As
you sometimes need to administrate the system, you can disable LIDS
protection.
|
| IPTraf |
http://cebu.mozcom.com/riker/iptraf/ |
|
Description: Interactive Colorful IP LAN Monitor IPTraf is an ncurses-based IP LAN monitor that generates
various network statistics including TCP info, UDP counts,
ICMP and OSPF information, Ethernet load info, node stats,
IP checksum errors, and others.
.
Note that since 2.0.0 IPTraf requires a kernel >= 2.2
|
| IPLog |
http://ojnk.sourceforge.net/ |
|
Description: iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. iplog 2.0 is a
complete re-write of iplog 1.x, resulting in greater portability
and better performance. iplog 2.0 contains all the features of
iplog 1.x as well as several new ones. Major new features include a
packet filter and detection of more scans and attacks. It currently
runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris. Ports to other
systems, as well as any contributions at all, are welcome at this
time.
|
| Fragrouter |
http://www.anzen.com/research/nidsbench/ |
|
Description: Fragrouter is aimed at testing the correctness of a NIDS,according to the specific TCP/IP attacks listed in the Secure Networks
NIDS evasion paper. [2] Other NIDS evasion toolkits which implement
these attacks are in circulation among hackers or publically
available, and it is assumed that they are currently being used to
bypass NIDSs
|
| Queso |
http://www.apostols.org/projectz/queso/ |
Note: A couple of the OS detection tests in Queso were later incorporated into Nmap. A paper we wrote on OS detection is available here.
Description: Guess the operating system of a remote machine by looking in the TCP replies.
|
| GPG/PGP |
http://www.gnupg.org/
http://www.pgp.com |
|
Description: The GNU Privacy Guard (GnuPG) is a complete and free replacement for PGP, developed in Europe. Because it does not use
IDEA or RSA it can be used without any restrictions. GnuPG is a
RFC2440 (OpenPGP) compliant application. PGP is the famous
encryption program which helps secure your data from eavesdroppers
and other risks.
|
Location: System Notes / Linux / Security / Security Tools
