Assessments: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
(54 intermediate revisions by 6 users not shown)
Line 1: Line 1:
=='''Authentication'''==
* freeradius 0.9.3 : GPL RADIUS server
=='''Encryption'''==
* 2c2 : multiple plaintext -> one ciphertext
* 4c : as with 2c2 (think plausible deniability)
* acfe : traditional cryptanalysis (like Vigenere)
* cryptcat : netcat  encryption
* gifshuffle : stego tool for gif images
* gpg 1.2.3 : GNU Privacy Guard
* ike-scan : VPN fingerprinting
* mp3stego : stego tool for mp3
* openssl 0.9.7c
* outguess : stego tool
* stegbreak : brute-force stego'ed JPG
* stegdetect : discover stego'ed JPG
* sslwrap : SSL wrapper
* stunnel : SSL wrapper
* super-freeSWAN 1.99.8 : kernel IPSEC support
* texto : make gpg ascii-armour look like weird English
* xor-analyze : another "intro to crytanalysis" tool
=='''Forensics'''==
* [[Forensic_Education_Resources:|Forensic Education and Resources]]<br>
<br>
* sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
* biew : binary viewer
* bsed : binary stream editor
* consh : logged shell (from F.I.R.E.)
* coreography : analyze core files
* dcfldd : US DoD Computer Forensics Lab version of dd
* fenris : code debugging, tracing, decompiling, reverse engineering tool
* fatback : Undelete FAT files
* foremost : recover specific file types from disk images (like all JPG files)
* ftimes : system baseline tool (be proactive)
* galleta : recover Internet Explorer cookies
* hashdig : dig through hash databases
* hdb : java decompiler
* mac-robber : TCT's graverobber written in C
* md5deep : run md5 against multiple files/directories
* memfetch : force a memory dump
* pasco : browse IE index.dat
* photorec : grab files from digital cameras
* readdbx : convert Outlook Express .dbx files to mbox format
* readoe : convert entire Outlook Express .directory to mbox format
* rifiuti : browse Windows Recycle Bin INFO2 files
* secure_delete : securely delete files, swap, memory....
* testdisk : test and recover lost partitions
* wipe : wipe a partition securely. good for prep'ing a partition for dd
* and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)
=='''Firewall'''==
* blockall : script to block all inbound TCP (excepting localhost)
* flushall : flush all firewall rules
* firestarter : quick way to a firewall
* firewalk : map a firewall's rulebase
* floppyfw : turn a floppy into a firewall
* fwlogwatch : monitor firewall logs
* iptables 1.2.8
* gtk-iptables : GUI front-end
* shorewall 1.4.8-RC1 : iptables based package
* nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)
=='''Honeypots'''==
* honeyd 0.7
* labrea : tarpit (slow to a crawl) worms and port scanners
* thp : tiny honeypot
=='''IDS | IPS'''==
* [http://safetynet-info.com SafetyNET] Security Appliance and suite of products.
* snort 2.1.0: network IDS
* ACID : snort web frontend
* barnyard : fast snort log processor
* oinkmaster : keep your snort rules up to date
* hogwash : access control based on snort sigs
* bro : network IDS
* prelude : network and host IDS
* WIDZ : wireless IDS, ap and probe monitor
* aide : host baseline tool, tripwire-esque
* logsnorter : log monitor
* swatch : monitor any file, oh like say syslog
* sha1sum
* md5sum
* syslogd
=='''Network Utilities'''==
* LinNeighboorhood : browse SMB networks like windows network neighborhood
* argus : network auditor
* arpwatch : keep track of the MACs on your wire
* cdpr : cisco discovery protocol reporter
* cheops : snmp, network discovery and monitor tool
* etherape : network monitor and visualization tool
* iperf : measure IP performance
* ipsc : IP subnet calculator
* iptraf : network monitor
* mrtg : multi router traffic grapher
* mtr : traceroute tool
* ntop 2.1.0 : network top, protocol analyzer
* rrdtool : round robin database
* samba : opensource SMB support
* tcptrack : track existing connections
=='''Password Tools'''==
* john 1.6.34 : John the Ripper password cracker
* allwords2 : CERIAS's 27MB English dictionary
* chntpw : reset passwords on a Windows box (including Administrator)
* cisilia : distributed password cracker
* cmospwd : find local CMOS password
* djohn : distributed John the Ripper
* pwl9x : crack Win9x password files
* rcrack : rainbow crack
=='''Packet Sniffers'''==
* aimSniff : sniff AIM traffic
* driftnet : sniffs for images
* dsniff : sniffs for cleartext passwords (thanks Dug)
* ethereal 0.10.0 : the standard. includes tethereal
* ettercap 0.6.b : sniff on a switched network and more.
* filesnarf : grab files out of NFS traffic
* mailsnarf : sniff smtp/pop traffic
* msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
* ngrep : network grep, a sniffer with grep filter capabilities
* tcpdump : the core of it all
* urlsnarf : log all urls visited on the wire
* webspy : mirror all urls visited by a host in your local browser
* Wireshark 1.0.3 : replaces ethereal, the standard.
=='''[[Searching_and_Seizing_Computers_and_Obtaining_Electronic_Evidence_Manual | Searching and Seizing Computers and Obtaining Electronic Evidence Manual]]'''==
=='''TCP Tools'''==
* arpfetch : fetch MAC
* arping : ping by MAC
* arpspoof : spoof arp
* arpwatch : montior MAC addresses on the wire
* despoof : detect spoofed packets via TTL measurement
* excalibur : packet generator
* file2cable : replay a packet capture
* fragroute : packet fragmentation tool (thanks again Dug)
* gspoof : packet generator
* hopfake : spoof hopcount replies
* hunt : tcp hijacker
* ipmagic : packet generator
* lcrzoex : suite of tcp tools
* macof : flood a switch with MACs
* packetto : Dan Kaminsky's suite of tools (includes 1.10 and 2.0pre3)
* netsed : insert and replace strings in live traffic
* packETH : packet generator
* tcpkill : die tcp, die!
* tcpreplay : replay packet captures
=='''Tunnels'''==
* cryptcat : encrypted netcat
* httptunnel : tunnel data over http
* icmpshell : tunnel data over icmp
* netcat : the incomparable tcp swiss army knife
* shadyshell : tunnel data over udp
* stegtunnel : hide data in TCP/IP headers
* tcpstatflow : detect data tunnels
* tiny shell : small encrypted shell
=='''Vulnerability Assessment'''==
* ADM tools : like ADM-smb and ADMkillDNS
* amap 4.5 : maps applications running on remote hosts
* IRPAS : Internet Routing Protocol Attack Suite
* chkrootkit 0.43 : look for rootkits
* clamAV : virus scanner. update your signatures live with freshclam
* curl : commandline utility for transferring anything with a URL
* exodus : web application auditor
* ffp : fuzzy fingerprinter for encrypted connections
* firewalk : map a firewall rulebase
* hydra : brute force tool
* nbtscan : scan SMB networks
* ncpquery : scan NetWare servers
* nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
* nikto : CGI scanner
* nmap 3.48 : the standard in host/port enumeration
* p0f : passive OS fingerprinter
* proxychains: chain together multiple proxy servers
* rpcinfo : hmmmm.... info from RPC?
* screamingCobra : CGI scanner
* siege : http testing and benchmarking utility
* sil : tiny banner grabber
* snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
* syslog_deluxe : spoof syslog messages
* thcrut : THC's "r you there?" network mapper
* vmap : maps application versions
* warscan : exploit automation tool
* xprobe2 : uses ICMP for fingerprinting
* yaph : yet another proxy hunter
* zz : zombie zapper kills DDoS zombies
=='''Wireless Tools'''==
* airsnarf : rogue AP setup utility
* airsnort : sniff, find, crack 802.11b
* airtraf : 802.11b network performance analyzer
* gpsdrive : use GPS and maps
* kismet 3.0.1 : for 802.11 what else do you need?
* kismet-log-viewer : manage your kismet logs
* macchanger : change your MAC address
* wellenreiter : 802.11b discovery and auditing
* patched orinoco drivers : automatic (no scripts necessary)
=='''Internet Information Resources'''==
'''US-CERT Current Activity'''<br>
'''US-CERT Current Activity'''<br>
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.<br>
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.<br>
Line 4: Line 222:
[http://www.us-cert.gov/current/ US-CERT Current Activity]<br>
[http://www.us-cert.gov/current/ US-CERT Current Activity]<br>
<br>
<br>
'''Oracle Audit Assessment Script tool:''' [http://www.lazarusalliance.com/horsewiki/images/e/e8/Oracle_Audit_Script.txt Oracle Assessment Script]<br>

Latest revision as of 12:30, 5 August 2011

Authentication

  • freeradius 0.9.3 : GPL RADIUS server

Encryption

  • 2c2 : multiple plaintext -> one ciphertext
  • 4c : as with 2c2 (think plausible deniability)
  • acfe : traditional cryptanalysis (like Vigenere)
  • cryptcat : netcat encryption
  • gifshuffle : stego tool for gif images
  • gpg 1.2.3 : GNU Privacy Guard
  • ike-scan : VPN fingerprinting
  • mp3stego : stego tool for mp3
  • openssl 0.9.7c
  • outguess : stego tool
  • stegbreak : brute-force stego'ed JPG
  • stegdetect : discover stego'ed JPG
  • sslwrap : SSL wrapper
  • stunnel : SSL wrapper
  • super-freeSWAN 1.99.8 : kernel IPSEC support
  • texto : make gpg ascii-armour look like weird English
  • xor-analyze : another "intro to crytanalysis" tool

Forensics


  • sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
  • autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
  • biew : binary viewer
  • bsed : binary stream editor
  • consh : logged shell (from F.I.R.E.)
  • coreography : analyze core files
  • dcfldd : US DoD Computer Forensics Lab version of dd
  • fenris : code debugging, tracing, decompiling, reverse engineering tool
  • fatback : Undelete FAT files
  • foremost : recover specific file types from disk images (like all JPG files)
  • ftimes : system baseline tool (be proactive)
  • galleta : recover Internet Explorer cookies
  • hashdig : dig through hash databases
  • hdb : java decompiler
  • mac-robber : TCT's graverobber written in C
  • md5deep : run md5 against multiple files/directories
  • memfetch : force a memory dump
  • pasco : browse IE index.dat
  • photorec : grab files from digital cameras
  • readdbx : convert Outlook Express .dbx files to mbox format
  • readoe : convert entire Outlook Express .directory to mbox format
  • rifiuti : browse Windows Recycle Bin INFO2 files
  • secure_delete : securely delete files, swap, memory....
  • testdisk : test and recover lost partitions
  • wipe : wipe a partition securely. good for prep'ing a partition for dd
  • and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

Firewall

  • blockall : script to block all inbound TCP (excepting localhost)
  • flushall : flush all firewall rules
  • firestarter : quick way to a firewall
  • firewalk : map a firewall's rulebase
  • floppyfw : turn a floppy into a firewall
  • fwlogwatch : monitor firewall logs
  • iptables 1.2.8
  • gtk-iptables : GUI front-end
  • shorewall 1.4.8-RC1 : iptables based package
  • nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)

Honeypots

  • honeyd 0.7
  • labrea : tarpit (slow to a crawl) worms and port scanners
  • thp : tiny honeypot

IDS | IPS

  • SafetyNET Security Appliance and suite of products.
  • snort 2.1.0: network IDS
  • ACID : snort web frontend
  • barnyard : fast snort log processor
  • oinkmaster : keep your snort rules up to date
  • hogwash : access control based on snort sigs
  • bro : network IDS
  • prelude : network and host IDS
  • WIDZ : wireless IDS, ap and probe monitor
  • aide : host baseline tool, tripwire-esque
  • logsnorter : log monitor
  • swatch : monitor any file, oh like say syslog
  • sha1sum
  • md5sum
  • syslogd

Network Utilities

  • LinNeighboorhood : browse SMB networks like windows network neighborhood
  • argus : network auditor
  • arpwatch : keep track of the MACs on your wire
  • cdpr : cisco discovery protocol reporter
  • cheops : snmp, network discovery and monitor tool
  • etherape : network monitor and visualization tool
  • iperf : measure IP performance
  • ipsc : IP subnet calculator
  • iptraf : network monitor
  • mrtg : multi router traffic grapher
  • mtr : traceroute tool
  • ntop 2.1.0 : network top, protocol analyzer
  • rrdtool : round robin database
  • samba : opensource SMB support
  • tcptrack : track existing connections

Password Tools

  • john 1.6.34 : John the Ripper password cracker
  • allwords2 : CERIAS's 27MB English dictionary
  • chntpw : reset passwords on a Windows box (including Administrator)
  • cisilia : distributed password cracker
  • cmospwd : find local CMOS password
  • djohn : distributed John the Ripper
  • pwl9x : crack Win9x password files
  • rcrack : rainbow crack

Packet Sniffers

  • aimSniff : sniff AIM traffic
  • driftnet : sniffs for images
  • dsniff : sniffs for cleartext passwords (thanks Dug)
  • ethereal 0.10.0 : the standard. includes tethereal
  • ettercap 0.6.b : sniff on a switched network and more.
  • filesnarf : grab files out of NFS traffic
  • mailsnarf : sniff smtp/pop traffic
  • msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
  • ngrep : network grep, a sniffer with grep filter capabilities
  • tcpdump : the core of it all
  • urlsnarf : log all urls visited on the wire
  • webspy : mirror all urls visited by a host in your local browser
  • Wireshark 1.0.3 : replaces ethereal, the standard.

Searching and Seizing Computers and Obtaining Electronic Evidence Manual

TCP Tools

  • arpfetch : fetch MAC
  • arping : ping by MAC
  • arpspoof : spoof arp
  • arpwatch : montior MAC addresses on the wire
  • despoof : detect spoofed packets via TTL measurement
  • excalibur : packet generator
  • file2cable : replay a packet capture
  • fragroute : packet fragmentation tool (thanks again Dug)
  • gspoof : packet generator
  • hopfake : spoof hopcount replies
  • hunt : tcp hijacker
  • ipmagic : packet generator
  • lcrzoex : suite of tcp tools
  • macof : flood a switch with MACs
  • packetto : Dan Kaminsky's suite of tools (includes 1.10 and 2.0pre3)
  • netsed : insert and replace strings in live traffic
  • packETH : packet generator
  • tcpkill : die tcp, die!
  • tcpreplay : replay packet captures

Tunnels

  • cryptcat : encrypted netcat
  • httptunnel : tunnel data over http
  • icmpshell : tunnel data over icmp
  • netcat : the incomparable tcp swiss army knife
  • shadyshell : tunnel data over udp
  • stegtunnel : hide data in TCP/IP headers
  • tcpstatflow : detect data tunnels
  • tiny shell : small encrypted shell

Vulnerability Assessment

  • ADM tools : like ADM-smb and ADMkillDNS
  • amap 4.5 : maps applications running on remote hosts
  • IRPAS : Internet Routing Protocol Attack Suite
  • chkrootkit 0.43 : look for rootkits
  • clamAV : virus scanner. update your signatures live with freshclam
  • curl : commandline utility for transferring anything with a URL
  • exodus : web application auditor
  • ffp : fuzzy fingerprinter for encrypted connections
  • firewalk : map a firewall rulebase
  • hydra : brute force tool
  • nbtscan : scan SMB networks
  • ncpquery : scan NetWare servers
  • nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
  • nikto : CGI scanner
  • nmap 3.48 : the standard in host/port enumeration
  • p0f : passive OS fingerprinter
  • proxychains: chain together multiple proxy servers
  • rpcinfo : hmmmm.... info from RPC?
  • screamingCobra : CGI scanner
  • siege : http testing and benchmarking utility
  • sil : tiny banner grabber
  • snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
  • syslog_deluxe : spoof syslog messages
  • thcrut : THC's "r you there?" network mapper
  • vmap : maps application versions
  • warscan : exploit automation tool
  • xprobe2 : uses ICMP for fingerprinting
  • yaph : yet another proxy hunter
  • zz : zombie zapper kills DDoS zombies

Wireless Tools

  • airsnarf : rogue AP setup utility
  • airsnort : sniff, find, crack 802.11b
  • airtraf : 802.11b network performance analyzer
  • gpsdrive : use GPS and maps
  • kismet 3.0.1 : for 802.11 what else do you need?
  • kismet-log-viewer : manage your kismet logs
  • macchanger : change your MAC address
  • wellenreiter : 802.11b discovery and auditing
  • patched orinoco drivers : automatic (no scripts necessary)

Internet Information Resources

US-CERT Current Activity
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

US-CERT Current Activity