Nessus: The premier Open Source vulnerability assessment tool
Nessus is a remote security scanner for Linux, BSD, Solaris,
and other Unix variants. It is plug-in-based, has a GTK
interface, and performs over 1200 remote security checks. It
allows for reports to be generated in HTML, XML, LaTeX, and
ASCII text, and suggests solutions for security problems.
Nmap:
Nmap ("Network Mapper") is an open source utility for
network exploration or security auditing. It was designed to
rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services
(ports) they are offering, what operating system (and OS
version) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics. Nmap runs on
most types of computers, and both console and graphical versions
are available. Nmap is free software, available with full source
code under the terms of the GNU GPL.
Ethereal: Sniffing the glue that holds the Internet together
Ethereal is a free network protocol analyzer for Unix and
Windows. It allows you to examine data from a live network or
from a capture file on disk. You can interactively browse the
capture data, viewing summary and detail information for each
packet. Ethereal has several powerful features, including a rich
display filter language and the ability to view the
reconstructed stream of a TCP session. A text-based version
called tethereal is included.
Snort: A free intrusion detection system (IDS) for the masses
Snort is a lightweight network intrusion detection system,
capable of performing real-time traffic analysis and packet
logging on IP networks. It can perform protocol analysis and
content searching/matching, and can be used to detect a variety
of attacks and probes, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes, OS fingerprinting attempts, and
much more. Snort uses a flexible rule-based language to describe
traffic that it should collect or pass, and a modular detection
engine. Many people also suggested that the Analysis Console for
Intrusion Databases (ACID) be used with Snort.
Netcat: The network Swiss-Army knife
A simple Unix utility which reads and writes data across network
connections, using the TCP or UDP protocol. It is designed to be
a reliable "back-end" tool that can be used directly or
easily driven by other programs and scripts. At the same time,
it is a feature-rich network debugging and exploration tool,
since it can create almost any kind of connection you would need
and has several interesting built-in capabilities.
TCPDump / WinDump: The classic sniffer for network monitoring and
data acquisition
Tcpdump is a well-known and well-loved text-based network packet
analyzer ("sniffer"). It can be used to print out the
headers of packets on a network interface that match a given
expression. You can use this tool to track down network problems
or to monitor network activities. There is a separate Windows
port named WinDump. TCPDump is also the source of the
Libpcap/WinPcap packet capture library, which is used by Nmap
among many other utilities. Note that many users prefer the
newer Ethereal sniffer.
Hping2: A network probing utility like ping on steroids
hping2 assembles and sends custom ICMP/UDP/TCP packets and
displays any replies. It was inspired by the ping command, but
offers far more control over the probes sent. It also has a
handy traceroute mode and supports IP fragmentation. This tool
is particularly useful when trying to traceroute/ping/probe
hosts behind a firewall that blocks attempts using the standard
utilities.
DSniff: A suite of powerful network auditing and penetration-testing
tools
This popular and well-engineered suite by Dug Song includes many
tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and
webspy passively monitor a network for interesting data
(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof
facilitate the interception of network traffic normally
unavailable to an attacker (e.g., due to layer-2 switching).
sshmitm and webmitm implement active monkey-in-the-middle
attacks against redirected SSH and HTTPS sessions by exploiting
weak bindings in ad-hoc PKI. A separately maintained partial
Windows port is available here.
GFI LANguard: A commercial network security scanner for Windows
LANguard scans networks and reports information such as service
pack level of each machine, missing security patches, open
shares, open ports, services/applications active on the
computer, key registry entries, weak passwords, users and
groups, and more. Scan results are output to an HTML report,
which can be customized/queried. Apparently a limited free
version is available for non-commercial/trial use.
Ettercap: In case you still thought switched LANs provide much
extra security
Ettercap is a terminal-based network sniffer/interceptor/logger
for Ethernet LANs. It supports active and passive dissection of
many protocols (even ciphered ones, like SSH and HTTPS). Data
injection into an established connection and filtering on the fly
are also possible, keeping the connection synchronized. Many
sniffing modes were implemented to give you a powerful and
complete sniffing suite. Plugins are supported. It has the
ability to check whether you are in a switched LAN or not, and
to use OS fingerprints (active or passive) to let you know the
geometry of the LAN.
Whisker/Libwhisker: Rain.Forest.Puppy's CGI vulnerability scanner
and library
Whisker is a scanner which allows you to test HTTP servers for
many known security holes, particularly the presence of
dangerous CGIs. Libwhisker is a Perl library (used by Whisker)
which allows for the creation of custom HTTP scanners. If you
wish to audit more than just web servers, have a look at Nessus.
John the Ripper: An extraordinarily powerful, flexible, and fast
multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available
for many flavors of Unix (11 are officially supported, not
counting different architectures), DOS, Win32, BeOS, and OpenVMS.
Its primary purpose is to detect weak Unix passwords. It
supports several crypt(3) password hash types which are most
commonly found on various Unix flavors, as well as Kerberos AFS
and Windows NT/2000/XP LM hashes. Several other hash types are
added with contributed patches.
OpenSSH / SSH: A secure way to access remote computers
OpenSSH is a secure rlogin/rsh/rcp replacement. It is derived
from OpenBSD's version of ssh, which was in turn derived from
ssh code from before the time when ssh's license was changed to
be non-free. Ssh (Secure Shell) is a program for logging into a
remote machine and for executing commands on a remote machine.
It provides secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure
channel. It is intended as a replacement for rlogin, rsh and
rcp, and can be used to provide rdist and rsync with a secure
communication channel. Note that the SSH.Com version costs
money for some uses, while OpenSSH is always free. Windows users
may want to try the free PuTTY SSH client or the nice
terminal-based port of OpenSSH that comes with Cygwin.
Sam Spade: Freeware Windows network query tool
SamSpade provides a consistent GUI and implementation for many
handy network query tasks. It was designed with tracking down
spammers in mind, but can be useful for many other network
exploration, administration, and security tasks. It includes
tools such as ping, nslookup, whois, dig, traceroute, finger,
raw HTTP web browser, DNS zone transfer, SMTP relay check,
website search, and more. Non-Windows users can enjoy online
versions of many of these tools.
ISS Internet Scanner: Application-level vulnerability assessment
Internet Scanner started off in '92 as a tiny Open Source
scanner by Christopher Klaus. Now he has grown ISS into a
billion-dollar company with a myriad of security products. ISS
Internet Scanner is pretty good, but is not cheap. So companies
on a tight budget may wish to look at Nessus instead. A March
2003 Information Security magazine review of 5 VA tools
(including these) is available here.
Tripwire: The grand-daddy of file integrity checkers
A file and directory integrity checker. Tripwire is a tool that
aids system administrators and users in monitoring a designated
set of files for any changes. Used with system files on a
regular (e.g., daily) basis, Tripwire can notify system
administrators of corrupted or tampered files, so damage control
measures can be taken in a timely manner. An Open Source Linux
version is freely available at Tripwire.Org. UNIX users may also
want to consider AIDE, which has been designed to be a free
Tripwire replacement.
Nikto: A more comprehensive web scanner
Nikto is a web server scanner which looks for over 2000
potentially dangerous files/CGIs and problems on over 200
servers. It uses LibWhisker but is generally updated more
frequently than Whisker itself.
Kismet: A powerful wireless sniffer
Kismet is an 802.11b network sniffer and network dissector. It
is capable of sniffing using most wireless cards, automatic
network IP block detection via UDP, ARP, and DHCP packets, Cisco
equipment lists via Cisco Discovery Protocol, weak cryptographic
packet logging, and Ethereal and tcpdump compatible packet dump
files. It also includes the ability to plot detected networks
and estimated network ranges on downloaded maps or user supplied
image files. Windows support is currently preliminary, so those
users may want to look at Netstumbler if they run into trouble.
Linux (and Linux PDAs like Zaurus) users may wish to also look
at the Wellenreiter wireless scanner.
SuperScan: Foundstone's Windows TCP port scanner
A connect-based TCP port scanner, pinger and hostname resolver.
No source code is provided. It can handle ping scans and port
scans using specified IP ranges. It can also connect to any
discovered open port using user-specified "helper"
applications (e.g. Telnet, Web browser, FTP).
L0phtCrack 4: Windows password auditing and recovery application
L0phtCrack attempts to crack Windows passwords from hashes which
it can obtain (given proper access) from stand-alone Windows
NT/2000 workstations, networked servers, primary domain
controllers, or Active Directory. In some cases it can sniff the
hashes off the wire. It also has numerous methods of generating
password guesses (dictionary, brute force, etc). L0phtcrack
currently costs $350/machine and no source code is provided.
Companies on a tight budget may want to look at John the Ripper,
Cain & Abel, and pwdump3.
Retina: Commercial vulnerability assessment scanner by eEye
Like Nessus and ISS Internet Scanner mentioned previously,
Retina's function is to scan all the hosts on a network and
report on any vulnerabilities found.
Netfilter: The current Linux kernel packet filter/firewall
Netfilter is a powerful packet filter which is implemented in
the standard Linux kernel. The userspace iptables tool is used
for configuration. It now supports packet filtering (stateless
or stateful), all different kinds of NAT (Network Address
Translation) and packet mangling. For non-Linux platforms, see
pf (OpenBSD), ipfilter (many other UNIX variants), or even the
Zone Alarm personal firewall (Windows).
traceroute/ping/telnet/whois: The basics
While there are many whiz-bang high-tech tools out there to
assist in security auditing, don't forget about the basics!
Everyone should be very familiar with these tools as they come
with most operating systems (except that Windows omits whois
and uses the name tracert). They can be very handy in a pinch,
although for more advanced usage you may be better off with
Hping2 and Netcat.
Fport: Foundstone's enhanced netstat
fport reports all open TCP/IP and UDP ports on the machine you
run it on and shows what application opened each port. So it can
be used to quickly identify unknown open ports and their
associated applications. It only runs on Windows, but many UNIX
systems now provide this information via netstat (try 'netstat
-pan' on Linux). Here is a SANS article on using Fport and
analyzing the results.
SAINT: Security Administrator's Integrated Network Tool
Saint is another commercial vulnerability assessment tool (like
ISS Internet Scanner or eEye Retina). Unlike those Windows-only
tools, SAINT runs exclusively on UNIX. Saint used to be free and
open source, but is now a commercial product.
Network Stumbler: Free Windows 802.11 Sniffer
Netstumbler is the best known Windows tool for finding open
wireless access points ("wardriving"). They also
distribute a WinCE version for PDAs and such called Ministumbler.
The tool is currently free but Windows-only and no source code
is provided. They note that "the author reserves the right
to change this license agreement as he sees fit, without
notice." UNIX users (and advanced Win users) may want to
look at Kismet instead.
SARA: Security Auditor's Research Assistant
SARA is a vulnerability assessment tool that was derived from
the infamous SATAN scanner. They try to release updates twice a
month and try to leverage other software created by the open
source community (such as Nmap and Samba).
N-Stealth: Web server scanner
N-Stealth is a commercial web server security scanner. It is
generally updated more frequently than free web scanners such as
whisker and nikto, but do take their web site with a grain of
salt. The claims of "20,000 vulnerabilities and exploits"
and "Dozens of vulnerability checks are added every day" are
highly questionable. Also note that essentially all general VA
tools such as nessus, ISS, Retina, SAINT, and SARA include web
scanning components. They may not all be as up-to-date or
flexible though. n-stealth is Windows only and no source code is
provided.
AirSnort: 802.11 WEP Encryption Cracking Tool
AirSnort is a wireless LAN (WLAN) tool that recovers encryption
keys. It was developed by the Shmoo Group and operates by
passively monitoring transmissions, computing the encryption key
when enough packets have been gathered. Windows support is still
very preliminary.
NBTScan: Gathers NetBIOS info from Windows networks
NBTscan is a program for scanning IP networks for NetBIOS name
information. It sends a NetBIOS status query to each address in
the supplied range and lists the received information in human
readable form. For each responding host it lists the IP address,
NetBIOS computer name, logged-in user name and MAC address.
GnuPG / PGP: Secure your files and communication w/advanced
encryption
PGP is the famous encryption program by Phil Zimmermann which
helps secure your data from eavesdroppers and other risks. GnuPG
is a very well-regarded open source implementation of the PGP
standard (the actual executable is named gpg). While GnuPG is
always free, PGP costs money for some uses.
Firewalk: Advanced traceroute
Firewalk employs traceroute-like techniques to analyze IP packet
responses to determine gateway ACL filters and map networks.
This classic tool was rewritten from scratch in October 2002.
Note that much or all of this functionality can also be
performed by the Hping2 --traceroute option.
Cain & Abel: The poor man's L0phtcrack
Cain & Abel is a free password recovery tool for Microsoft
Operating Systems. It allows easy recovery of various kinds of
passwords by sniffing the network, cracking encrypted passwords
using Dictionary & Brute-Force attacks, decoding scrambled
passwords, revealing password boxes, uncovering cached passwords
and analyzing routing protocols. Source code is not provided.
XProbe2: Active OS fingerprinting tool
XProbe is a tool for determining the operating system of a
remote host. They do this using some of the same techniques as
Nmap as well as many different ideas. Xprobe has always
emphasized the ICMP protocol in their fingerprinting approach.
SolarWinds Toolsets: A plethora of network
discovery/monitoring/attack tools
SolarWinds has created and sells dozens of special-purpose tools
targeted at systems administrators. Security related tools
include many network discovery scanners and an SNMP brute-force
cracker. These tools are Windows only, cost money, and do not
include source code.
NGrep: Convenient packet matching & display
ngrep strives to provide most of GNU grep's common features,
applying them to the network layer. ngrep is a pcap-aware tool
that will allow you to specify extended regular or hexadecimal
expressions to match against data payloads of packets. It
currently recognizes TCP, UDP and ICMP across Ethernet, PPP,
SLIP, FDDI, Token Ring and null interfaces, and understands bpf
filter logic in the same fashion as more common packet sniffing
tools, such as tcpdump and snoop.
Perl / Python: Portable, general-purpose scripting languages
While many canned security tools are available on this page for
handling common tasks, it is important to have the ability to
write your own (or modify the existing ones) when you need
something more custom. Perl and Python make it very easy to
write quick, portable scripts to test, exploit, or even fix
systems! Archives like CPAN are filled with modules such as
Net::RawIP and protocol implementations to make your tasks even
easier.
THC-Amap: An application fingerprinting scanner
Amap (by THC) is a new but powerful scanner which probes each
port to identify applications and services rather than relying
on static port mapping.
OpenSSL: The premier SSL/TLS encryption library
The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source toolkit
implementing the Secure Sockets Layer (SSL v2/v3) and Transport
Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library. The project is managed by
a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its
related documentation.
NTop: A network traffic usage monitor
Ntop shows network usage in a way similar to what top does for
processes. In interactive mode, it displays the network status
on the user's terminal. In Web mode, it acts as a Web server,
creating an HTML dump of the network status. It sports a
NetFlow/sFlow emitter/collector, an HTTP-based client interface
for creating ntop-centric monitoring applications, and RRD for
persistently storing traffic statistics.
Nemesis: Packet injection simplified
The Nemesis Project is designed to be a command-line-based,
portable human IP stack for UNIX/Linux. The suite is broken down
by protocol, and should allow for useful scripting of injected
packet streams from simple shell scripts. If you enjoy Nemesis,
you might also want to look at hping2. They complement each
other well.
LSOF: LiSt Open Files
This Unix-specific diagnostic and forensics tool lists
information about any files that are open by processes currently
running on the system. It can also list communications sockets
open by each process.
Hunt: An advanced packet sniffing and connection intrusion tool
for Linux
Hunt can watch TCP connections, intrude into them, or reset
them. Hunt is meant to be used on Ethernet, and has active
mechanisms to sniff switched connections. Advanced features
include selective ARP relaying and connection synchronization
after attacks. If you like Hunt, also take a look at Ettercap
and Dsniff.
Honeyd: Your own personal honeynet
Honeyd is a small daemon that creates virtual hosts on a
network. The hosts can be configured to run arbitrary services,
and their TCP personality can be adapted so that they appear to
be running certain versions of operating systems. Honeyd enables
a single host to claim multiple addresses on a LAN for network
simulation. It is possible to ping the virtual machines, or to
traceroute them. Any type of service on the virtual machine can
be simulated according to a simple configuration file. It is
also possible to proxy services to another machine rather than
simulating them. The web page is currently down for legal
reasons, but the V. 0.5 tarball is still available here.
Achilles: A Windows web attack proxy
Achilles is a tool designed for testing the security of web
applications. Achilles is a proxy server, which acts as a
man-in-the-middle during an HTTP session. A typical HTTP proxy
will relay packets to and from a client browser and a web
server. Achilles will intercept an HTTP session's data in either
direction and give the user the ability to alter the data before
transmission. For example, during a normal HTTP SSL connection a
typical proxy will relay the session between the server and the
client and allow the two end nodes to negotiate SSL. In
contrast, when in intercept mode, Achilles will pretend to be
the server and negotiate two SSL sessions, one with the client
browser and another with the web server. As data is transmitted
between the two nodes, Achilles decrypts the data and gives the
user the ability to alter and/or log the data in clear text
before transmission.
Brutus: A network brute-force authentication cracker
This Windows-only cracker bangs against network services of
remote systems trying to guess passwords by using a dictionary
and permutations thereof. It supports HTTP, POP3, FTP, SMB,
TELNET, IMAP, NTP, and more. No source code is available. UNIX
users should take a look at THC-Hydra.
Stunnel: A general-purpose SSL cryptographic wrapper
The stunnel program is designed to work as an SSL encryption
wrapper between a remote client and a local (inetd-startable) or
remote server. It can be used to add SSL functionality to
commonly used inetd daemons like POP2, POP3, and IMAP servers
without any changes in the programs' code. It will negotiate an
SSL connection using the OpenSSL or SSLeay libraries.
Paketto Keiretsu: Extreme TCP/IP
The Paketto Keiretsu is a collection of tools that use new and
unusual strategies for manipulating TCP/IP networks. They tap
functionality within existing infrastructure and stretch
protocols beyond what they were originally intended for. It
includes Scanrand, an unusually fast network service and
topology discovery system, Minewt, a user space NAT/MAT router,
linkcat, which presents an Ethernet link to stdio, Paratrace,
which traces network paths without spawning new connections, and
Phentropy, which uses OpenQVIS to render arbitrary amounts of
entropy from data sources in three dimensional phase space. Got
all that? :).
Fragroute: IDS systems' worst nightmare
Fragroute intercepts, modifies, and rewrites egress traffic,
implementing most of the attacks described in the Secure
Networks IDS Evasion paper. It features a simple rule set
language to delay, duplicate, drop, fragment, overlap, print,
reorder, segment, source-route, or otherwise monkey with all
outbound packets destined for a target host, with minimal
support for randomized or probabilistic behavior. This tool was
written in good faith to aid in the testing of intrusion
detection systems, firewalls, and basic TCP/IP stack behavior.
Like Dsniff and Libdnet, this excellent tool was written by Dug
Song.
SPIKE Proxy: HTTP Hacking
Spike Proxy is an open source HTTP proxy for finding security
flaws in web sites. It is part of the Spike Application Testing
Suite and supports automated SQL injection detection, web site
crawling, login form brute forcing, overflow detection, and
directory traversal detection.
THC-Hydra: Parallel network authentication cracker
This tool allows for rapid dictionary attacks against network
login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP
Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes
SSL support and is apparently now part of Nessus. Like Amap,
this release is from the fine folks at THC.
TCP Wrappers: A classic IP-based access control and logging
mechanism
pwdump3: Allows for retrieving Windows password hashes locally
or across the network whether or not syskey is enabled.
LibNet: A high-level API (toolkit) allowing the application
programmer to construct and inject network packets
IpTraf: IP Network Monitoring Software
Fping: A parallel ping scanning program
Bastille: Security hardening script for Linux, Mac OS X, and
HP-UX
pf: The innovative packet filter in OpenBSD
LIDS: A Linux kernel intrusion detection/defense system
hfnetchk: Microsoft tool for checking the patch status of all
the Windows machines on a network from a central location
etherape: A graphical network monitor for Unix modeled after
etherman
dig: A handy DNS query tool that comes free with Bind
cheops / cheops-ng: Gives a simple interface to many network
utilities, maps local or remote networks and identifies the OS
of machines
Visual Route: Obtains traceroute/whois data and plots it on a
World map
The Coroner's Toolkit (TCT): A collection of tools that are
either oriented towards gathering or analyzing forensic data on
a Unix system
snoop: A network sniffer that comes with Solaris.
putty: An excellent Windows SSH client
pstools: A suite of free command-line tools for managing Windows
systems (process listings, command execution, etc)