Assessments
Authentication
- freeradius 0.9.3 : GPL RADIUS server
Encryption
- 2c2 : multiple plaintext -> one ciphertext
- 4c : as with 2c2 (think plausible deniability)
- acfe : traditional cryptanalysis (like Vigenere)
- cryptcat : netcat encryption
- gifshuffle : stego tool for gif images
- gpg 1.2.3 : GNU Privacy Guard
- ike-scan : VPN fingerprinting
- mp3stego : stego tool for mp3
- openssl 0.9.7c
- outguess : stego tool
- stegbreak : brute-force stego'ed JPG
- stegdetect : discover stego'ed JPG
- sslwrap : SSL wrapper
- stunnel : SSL wrapper
- super-freeSWAN 1.99.8 : kernel IPSEC support
- texto : make gpg ascii-armour look like weird English
- xor-analyze : another "intro to crytanalysis" tool
Forensics
- sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
- autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
- biew : binary viewer
- bsed : binary stream editor
- consh : logged shell (from F.I.R.E.)
- coreography : analyze core files
- dcfldd : US DoD Computer Forensics Lab version of dd
- fenris : code debugging, tracing, decompiling, reverse engineering tool
- fatback : Undelete FAT files
- foremost : recover specific file types from disk images (like all JPG files)
- ftimes : system baseline tool (be proactive)
- galleta : recover Internet Explorer cookies
- hashdig : dig through hash databases
- hdb : java decompiler
- mac-robber : TCT's graverobber written in C
- md5deep : run md5 against multiple files/directories
- memfetch : force a memory dump
- pasco : browse IE index.dat
- photorec : grab files from digital cameras
- readdbx : convert Outlook Express .dbx files to mbox format
- readoe : convert entire Outlook Express .directory to mbox format
- rifiuti : browse Windows Recycle Bin INFO2 files
- secure_delete : securely delete files, swap, memory....
- testdisk : test and recover lost partitions
- wipe : wipe a partition securely. good for prep'ing a partition for dd
- and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)
Firewall
- blockall : script to block all inbound TCP (excepting localhost)
- flushall : flush all firewall rules
- firestarter : quick way to a firewall
- firewalk : map a firewall's rulebase
- floppyfw : turn a floppy into a firewall
- fwlogwatch : monitor firewall logs
- iptables 1.2.8
- gtk-iptables : GUI front-end
- shorewall 1.4.8-RC1 : iptables based package
- nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)
Honeypots
- honeyd 0.7
- labrea : tarpit (slow to a crawl) worms and port scanners
- thp : tiny honeypot
IDS | IPS
- SafetyNET Security Appliance and suite of products.
- snort 2.1.0: network IDS
- ACID : snort web frontend
- barnyard : fast snort log processor
- oinkmaster : keep your snort rules up to date
- hogwash : access control based on snort sigs
- bro : network IDS
- prelude : network and host IDS
- WIDZ : wireless IDS, ap and probe monitor
- aide : host baseline tool, tripwire-esque
- logsnorter : log monitor
- swatch : monitor any file, oh like say syslog
- sha1sum
- md5sum
- syslogd
Network Utilities
- LinNeighboorhood : browse SMB networks like windows network neighborhood
- argus : network auditor
- arpwatch : keep track of the MACs on your wire
- cdpr : cisco discovery protocol reporter
- cheops : snmp, network discovery and monitor tool
- etherape : network monitor and visualization tool
- iperf : measure IP performance
- ipsc : IP subnet calculator
- iptraf : network monitor
- mrtg : multi router traffic grapher
- mtr : traceroute tool
- ntop 2.1.0 : network top, protocol analyzer
- rrdtool : round robin database
- samba : opensource SMB support
- tcptrack : track existing connections
Password Tools
- john 1.6.34 : John the Ripper password cracker
- allwords2 : CERIAS's 27MB English dictionary
- chntpw : reset passwords on a Windows box (including Administrator)
- cisilia : distributed password cracker
- cmospwd : find local CMOS password
- djohn : distributed John the Ripper
- pwl9x : crack Win9x password files
- rcrack : rainbow crack
Packet Sniffers
- aimSniff : sniff AIM traffic
- driftnet : sniffs for images
- dsniff : sniffs for cleartext passwords (thanks Dug)
- ethereal 0.10.0 : the standard. includes tethereal
- ettercap 0.6.b : sniff on a switched network and more.
- filesnarf : grab files out of NFS traffic
- mailsnarf : sniff smtp/pop traffic
- msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
- ngrep : network grep, a sniffer with grep filter capabilities
- tcpdump : the core of it all
- urlsnarf : log all urls visited on the wire
- webspy : mirror all urls visited by a host in your local browser
- Wireshark 1.0.3 : replaces ethereal, the standard.
Searching and Seizing Computers and Obtaining Electronic Evidence Manual
TCP Tools
- arpfetch : fetch MAC
- arping : ping by MAC
- arpspoof : spoof arp
- arpwatch : montior MAC addresses on the wire
- despoof : detect spoofed packets via TTL measurement
- excalibur : packet generator
- file2cable : replay a packet capture
- fragroute : packet fragmentation tool (thanks again Dug)
- gspoof : packet generator
- hopfake : spoof hopcount replies
- hunt : tcp hijacker
- ipmagic : packet generator
- lcrzoex : suite of tcp tools
- macof : flood a switch with MACs
- packetto : Dan Kaminsky's suite of tools (includes 1.10 and 2.0pre3)
- netsed : insert and replace strings in live traffic
- packETH : packet generator
- tcpkill : die tcp, die!
- tcpreplay : replay packet captures
Tunnels
- cryptcat : encrypted netcat
- httptunnel : tunnel data over http
- icmpshell : tunnel data over icmp
- netcat : the incomparable tcp swiss army knife
- shadyshell : tunnel data over udp
- stegtunnel : hide data in TCP/IP headers
- tcpstatflow : detect data tunnels
- tiny shell : small encrypted shell
Vulnerability Assessment
- ADM tools : like ADM-smb and ADMkillDNS
- amap 4.5 : maps applications running on remote hosts
- IRPAS : Internet Routing Protocol Attack Suite
- chkrootkit 0.43 : look for rootkits
- clamAV : virus scanner. update your signatures live with freshclam
- curl : commandline utility for transferring anything with a URL
- exodus : web application auditor
- ffp : fuzzy fingerprinter for encrypted connections
- firewalk : map a firewall rulebase
- hydra : brute force tool
- nbtscan : scan SMB networks
- ncpquery : scan NetWare servers
- nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
- nikto : CGI scanner
- nmap 3.48 : the standard in host/port enumeration
- p0f : passive OS fingerprinter
- proxychains: chain together multiple proxy servers
- rpcinfo : hmmmm.... info from RPC?
- screamingCobra : CGI scanner
- siege : http testing and benchmarking utility
- sil : tiny banner grabber
- snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
- syslog_deluxe : spoof syslog messages
- thcrut : THC's "r you there?" network mapper
- vmap : maps application versions
- warscan : exploit automation tool
- xprobe2 : uses ICMP for fingerprinting
- yaph : yet another proxy hunter
- zz : zombie zapper kills DDoS zombies
Wireless Tools
- airsnarf : rogue AP setup utility
- airsnort : sniff, find, crack 802.11b
- airtraf : 802.11b network performance analyzer
- gpsdrive : use GPS and maps
- kismet 3.0.1 : for 802.11 what else do you need?
- kismet-log-viewer : manage your kismet logs
- macchanger : change your MAC address
- wellenreiter : 802.11b discovery and auditing
- patched orinoco drivers : automatic (no scripts necessary)
Internet Information Resources
US-CERT Current Activity
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
US-CERT Current Activity