Assessments: Difference between revisions

Latest revision as of 12:30, 5 August 2011

Authentication

freeradius 0.9.3 : GPL RADIUS server

Encryption

2c2 : multiple plaintext -> one ciphertext
4c : as with 2c2 (think plausible deniability)
acfe : traditional cryptanalysis (like Vigenere)
cryptcat : netcat encryption
gifshuffle : stego tool for gif images
gpg 1.2.3 : GNU Privacy Guard
ike-scan : VPN fingerprinting
mp3stego : stego tool for mp3
openssl 0.9.7c
outguess : stego tool
stegbreak : brute-force stego'ed JPG
stegdetect : discover stego'ed JPG
sslwrap : SSL wrapper
stunnel : SSL wrapper
super-freeSWAN 1.99.8 : kernel IPSEC support
texto : make gpg ascii-armour look like weird English
xor-analyze : another "intro to crytanalysis" tool

Forensics

Forensic Education and Resources

sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
biew : binary viewer
bsed : binary stream editor
consh : logged shell (from F.I.R.E.)
coreography : analyze core files
dcfldd : US DoD Computer Forensics Lab version of dd
fenris : code debugging, tracing, decompiling, reverse engineering tool
fatback : Undelete FAT files
foremost : recover specific file types from disk images (like all JPG files)
ftimes : system baseline tool (be proactive)
galleta : recover Internet Explorer cookies
hashdig : dig through hash databases
hdb : java decompiler
mac-robber : TCT's graverobber written in C
md5deep : run md5 against multiple files/directories
memfetch : force a memory dump
pasco : browse IE index.dat
photorec : grab files from digital cameras
readdbx : convert Outlook Express .dbx files to mbox format
readoe : convert entire Outlook Express .directory to mbox format
rifiuti : browse Windows Recycle Bin INFO2 files
secure_delete : securely delete files, swap, memory....
testdisk : test and recover lost partitions
wipe : wipe a partition securely. good for prep'ing a partition for dd
and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

Firewall

blockall : script to block all inbound TCP (excepting localhost)
flushall : flush all firewall rules
firestarter : quick way to a firewall
firewalk : map a firewall's rulebase
floppyfw : turn a floppy into a firewall
fwlogwatch : monitor firewall logs
iptables 1.2.8
gtk-iptables : GUI front-end
shorewall 1.4.8-RC1 : iptables based package
nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)

Honeypots

honeyd 0.7
labrea : tarpit (slow to a crawl) worms and port scanners
thp : tiny honeypot

IDS | IPS

SafetyNET Security Appliance and suite of products.
snort 2.1.0: network IDS
ACID : snort web frontend
barnyard : fast snort log processor
oinkmaster : keep your snort rules up to date
hogwash : access control based on snort sigs
bro : network IDS
prelude : network and host IDS
WIDZ : wireless IDS, ap and probe monitor
aide : host baseline tool, tripwire-esque
logsnorter : log monitor
swatch : monitor any file, oh like say syslog
sha1sum
md5sum
syslogd

Network Utilities

LinNeighboorhood : browse SMB networks like windows network neighborhood
argus : network auditor
arpwatch : keep track of the MACs on your wire
cdpr : cisco discovery protocol reporter
cheops : snmp, network discovery and monitor tool
etherape : network monitor and visualization tool
iperf : measure IP performance
ipsc : IP subnet calculator
iptraf : network monitor
mrtg : multi router traffic grapher
mtr : traceroute tool
ntop 2.1.0 : network top, protocol analyzer
rrdtool : round robin database
samba : opensource SMB support
tcptrack : track existing connections

Password Tools

john 1.6.34 : John the Ripper password cracker
allwords2 : CERIAS's 27MB English dictionary
chntpw : reset passwords on a Windows box (including Administrator)
cisilia : distributed password cracker
cmospwd : find local CMOS password
djohn : distributed John the Ripper
pwl9x : crack Win9x password files
rcrack : rainbow crack

Packet Sniffers

aimSniff : sniff AIM traffic
driftnet : sniffs for images
dsniff : sniffs for cleartext passwords (thanks Dug)
ethereal 0.10.0 : the standard. includes tethereal
ettercap 0.6.b : sniff on a switched network and more.
filesnarf : grab files out of NFS traffic
mailsnarf : sniff smtp/pop traffic
msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
ngrep : network grep, a sniffer with grep filter capabilities
tcpdump : the core of it all
urlsnarf : log all urls visited on the wire
webspy : mirror all urls visited by a host in your local browser
Wireshark 1.0.3 : replaces ethereal, the standard.

Searching and Seizing Computers and Obtaining Electronic Evidence Manual

TCP Tools

arpfetch : fetch MAC
arping : ping by MAC
arpspoof : spoof arp
arpwatch : montior MAC addresses on the wire
despoof : detect spoofed packets via TTL measurement
excalibur : packet generator
file2cable : replay a packet capture
fragroute : packet fragmentation tool (thanks again Dug)
gspoof : packet generator
hopfake : spoof hopcount replies
hunt : tcp hijacker
ipmagic : packet generator
lcrzoex : suite of tcp tools
macof : flood a switch with MACs
packetto : Dan Kaminsky's suite of tools (includes 1.10 and 2.0pre3)
netsed : insert and replace strings in live traffic
packETH : packet generator
tcpkill : die tcp, die!
tcpreplay : replay packet captures

Tunnels

cryptcat : encrypted netcat
httptunnel : tunnel data over http
icmpshell : tunnel data over icmp
netcat : the incomparable tcp swiss army knife
shadyshell : tunnel data over udp
stegtunnel : hide data in TCP/IP headers
tcpstatflow : detect data tunnels
tiny shell : small encrypted shell

Vulnerability Assessment

ADM tools : like ADM-smb and ADMkillDNS
amap 4.5 : maps applications running on remote hosts
IRPAS : Internet Routing Protocol Attack Suite
chkrootkit 0.43 : look for rootkits
clamAV : virus scanner. update your signatures live with freshclam
curl : commandline utility for transferring anything with a URL
exodus : web application auditor
ffp : fuzzy fingerprinter for encrypted connections
firewalk : map a firewall rulebase
hydra : brute force tool
nbtscan : scan SMB networks
ncpquery : scan NetWare servers
nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
nikto : CGI scanner
nmap 3.48 : the standard in host/port enumeration
p0f : passive OS fingerprinter
proxychains: chain together multiple proxy servers
rpcinfo : hmmmm.... info from RPC?
screamingCobra : CGI scanner
siege : http testing and benchmarking utility
sil : tiny banner grabber
snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
syslog_deluxe : spoof syslog messages
thcrut : THC's "r you there?" network mapper
vmap : maps application versions
warscan : exploit automation tool
xprobe2 : uses ICMP for fingerprinting
yaph : yet another proxy hunter
zz : zombie zapper kills DDoS zombies

Wireless Tools

airsnarf : rogue AP setup utility
airsnort : sniff, find, crack 802.11b
airtraf : 802.11b network performance analyzer
gpsdrive : use GPS and maps
kismet 3.0.1 : for 802.11 what else do you need?
kismet-log-viewer : manage your kismet logs
macchanger : change your MAC address
wellenreiter : 802.11b discovery and auditing
patched orinoco drivers : automatic (no scripts necessary)

Internet Information Resources

US-CERT Current Activity
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

US-CERT Current Activity