Assessments: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
 
(46 intermediate revisions by 6 users not shown)
Line 1: Line 1:
=='''Information Security Assessment Resources'''==
Information security is an evolving art and so are the tools and resources available to the Information Securtiy Practitioner. There are many high quality resources both in the commercial sector but equally in the open community. In the spirit of the HORSE project, below are publically available resources.<br>
<br>
--[[User:Mdpeters|Mdpeters]] 09:25, 25 February 2007 (EST)
<br>
=='''Information Security Assessment Guidance'''==
Find practical guidance on a variety of subject matter including:<br>
:* [[Web_Application_Auditing:|Web Application Auditing]]
:* [[Database_Application_Auditing:|Database Application Auditing]]
=='''Popular Security Tools'''==
This is by far a complete listing of every avaialble information security tool avaialable but it is certainly a collection of some very popular tools. Use these at your own risk and please use them responsibly.
=='''Scripts'''==
'''Oracle Audit Assessment Script tool:''' [[Media:Oracle_Audit_UNIX_Script.txt]]<br>
=='''Authentication'''==
=='''Authentication'''==


Line 28: Line 8:
* 4c : as with 2c2 (think plausible deniability)
* 4c : as with 2c2 (think plausible deniability)
* acfe : traditional cryptanalysis (like Vigenere)
* acfe : traditional cryptanalysis (like Vigenere)
* cryptcat : netcat + encryption
* cryptcat : netcat   encryption
* gifshuffle : stego tool for gif images
* gifshuffle : stego tool for gif images
* gpg 1.2.3 : GNU Privacy Guard
* gpg 1.2.3 : GNU Privacy Guard
Line 45: Line 25:
=='''Forensics'''==
=='''Forensics'''==


* [[Forensic_Education_Resources:|Forensic Education and Resources]]<br>
<br>
* sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
Line 83: Line 65:
* gtk-iptables : GUI front-end
* gtk-iptables : GUI front-end
* shorewall 1.4.8-RC1 : iptables based package
* shorewall 1.4.8-RC1 : iptables based package
* nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)


=='''Honeypots'''==
=='''Honeypots'''==
Line 151: Line 134:
* urlsnarf : log all urls visited on the wire
* urlsnarf : log all urls visited on the wire
* webspy : mirror all urls visited by a host in your local browser
* webspy : mirror all urls visited by a host in your local browser
* Wireshark 1.0.3 : replaces ethereal, the standard.
=='''[[Searching_and_Seizing_Computers_and_Obtaining_Electronic_Evidence_Manual | Searching and Seizing Computers and Obtaining Electronic Evidence Manual]]'''==


=='''TCP Tools'''==
=='''TCP Tools'''==

Latest revision as of 12:30, 5 August 2011

Authentication

  • freeradius 0.9.3 : GPL RADIUS server

Encryption

  • 2c2 : multiple plaintext -> one ciphertext
  • 4c : as with 2c2 (think plausible deniability)
  • acfe : traditional cryptanalysis (like Vigenere)
  • cryptcat : netcat encryption
  • gifshuffle : stego tool for gif images
  • gpg 1.2.3 : GNU Privacy Guard
  • ike-scan : VPN fingerprinting
  • mp3stego : stego tool for mp3
  • openssl 0.9.7c
  • outguess : stego tool
  • stegbreak : brute-force stego'ed JPG
  • stegdetect : discover stego'ed JPG
  • sslwrap : SSL wrapper
  • stunnel : SSL wrapper
  • super-freeSWAN 1.99.8 : kernel IPSEC support
  • texto : make gpg ascii-armour look like weird English
  • xor-analyze : another "intro to crytanalysis" tool

Forensics


  • sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
  • autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
  • biew : binary viewer
  • bsed : binary stream editor
  • consh : logged shell (from F.I.R.E.)
  • coreography : analyze core files
  • dcfldd : US DoD Computer Forensics Lab version of dd
  • fenris : code debugging, tracing, decompiling, reverse engineering tool
  • fatback : Undelete FAT files
  • foremost : recover specific file types from disk images (like all JPG files)
  • ftimes : system baseline tool (be proactive)
  • galleta : recover Internet Explorer cookies
  • hashdig : dig through hash databases
  • hdb : java decompiler
  • mac-robber : TCT's graverobber written in C
  • md5deep : run md5 against multiple files/directories
  • memfetch : force a memory dump
  • pasco : browse IE index.dat
  • photorec : grab files from digital cameras
  • readdbx : convert Outlook Express .dbx files to mbox format
  • readoe : convert entire Outlook Express .directory to mbox format
  • rifiuti : browse Windows Recycle Bin INFO2 files
  • secure_delete : securely delete files, swap, memory....
  • testdisk : test and recover lost partitions
  • wipe : wipe a partition securely. good for prep'ing a partition for dd
  • and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

Firewall

  • blockall : script to block all inbound TCP (excepting localhost)
  • flushall : flush all firewall rules
  • firestarter : quick way to a firewall
  • firewalk : map a firewall's rulebase
  • floppyfw : turn a floppy into a firewall
  • fwlogwatch : monitor firewall logs
  • iptables 1.2.8
  • gtk-iptables : GUI front-end
  • shorewall 1.4.8-RC1 : iptables based package
  • nipper 0.12.0 : quickly document network device configuration (including cisco, juniper, checkpoint, sonicwall and more)

Honeypots

  • honeyd 0.7
  • labrea : tarpit (slow to a crawl) worms and port scanners
  • thp : tiny honeypot

IDS | IPS

  • SafetyNET Security Appliance and suite of products.
  • snort 2.1.0: network IDS
  • ACID : snort web frontend
  • barnyard : fast snort log processor
  • oinkmaster : keep your snort rules up to date
  • hogwash : access control based on snort sigs
  • bro : network IDS
  • prelude : network and host IDS
  • WIDZ : wireless IDS, ap and probe monitor
  • aide : host baseline tool, tripwire-esque
  • logsnorter : log monitor
  • swatch : monitor any file, oh like say syslog
  • sha1sum
  • md5sum
  • syslogd

Network Utilities

  • LinNeighboorhood : browse SMB networks like windows network neighborhood
  • argus : network auditor
  • arpwatch : keep track of the MACs on your wire
  • cdpr : cisco discovery protocol reporter
  • cheops : snmp, network discovery and monitor tool
  • etherape : network monitor and visualization tool
  • iperf : measure IP performance
  • ipsc : IP subnet calculator
  • iptraf : network monitor
  • mrtg : multi router traffic grapher
  • mtr : traceroute tool
  • ntop 2.1.0 : network top, protocol analyzer
  • rrdtool : round robin database
  • samba : opensource SMB support
  • tcptrack : track existing connections

Password Tools

  • john 1.6.34 : John the Ripper password cracker
  • allwords2 : CERIAS's 27MB English dictionary
  • chntpw : reset passwords on a Windows box (including Administrator)
  • cisilia : distributed password cracker
  • cmospwd : find local CMOS password
  • djohn : distributed John the Ripper
  • pwl9x : crack Win9x password files
  • rcrack : rainbow crack

Packet Sniffers

  • aimSniff : sniff AIM traffic
  • driftnet : sniffs for images
  • dsniff : sniffs for cleartext passwords (thanks Dug)
  • ethereal 0.10.0 : the standard. includes tethereal
  • ettercap 0.6.b : sniff on a switched network and more.
  • filesnarf : grab files out of NFS traffic
  • mailsnarf : sniff smtp/pop traffic
  • msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
  • ngrep : network grep, a sniffer with grep filter capabilities
  • tcpdump : the core of it all
  • urlsnarf : log all urls visited on the wire
  • webspy : mirror all urls visited by a host in your local browser
  • Wireshark 1.0.3 : replaces ethereal, the standard.

Searching and Seizing Computers and Obtaining Electronic Evidence Manual

TCP Tools

  • arpfetch : fetch MAC
  • arping : ping by MAC
  • arpspoof : spoof arp
  • arpwatch : montior MAC addresses on the wire
  • despoof : detect spoofed packets via TTL measurement
  • excalibur : packet generator
  • file2cable : replay a packet capture
  • fragroute : packet fragmentation tool (thanks again Dug)
  • gspoof : packet generator
  • hopfake : spoof hopcount replies
  • hunt : tcp hijacker
  • ipmagic : packet generator
  • lcrzoex : suite of tcp tools
  • macof : flood a switch with MACs
  • packetto : Dan Kaminsky's suite of tools (includes 1.10 and 2.0pre3)
  • netsed : insert and replace strings in live traffic
  • packETH : packet generator
  • tcpkill : die tcp, die!
  • tcpreplay : replay packet captures

Tunnels

  • cryptcat : encrypted netcat
  • httptunnel : tunnel data over http
  • icmpshell : tunnel data over icmp
  • netcat : the incomparable tcp swiss army knife
  • shadyshell : tunnel data over udp
  • stegtunnel : hide data in TCP/IP headers
  • tcpstatflow : detect data tunnels
  • tiny shell : small encrypted shell

Vulnerability Assessment

  • ADM tools : like ADM-smb and ADMkillDNS
  • amap 4.5 : maps applications running on remote hosts
  • IRPAS : Internet Routing Protocol Attack Suite
  • chkrootkit 0.43 : look for rootkits
  • clamAV : virus scanner. update your signatures live with freshclam
  • curl : commandline utility for transferring anything with a URL
  • exodus : web application auditor
  • ffp : fuzzy fingerprinter for encrypted connections
  • firewalk : map a firewall rulebase
  • hydra : brute force tool
  • nbtscan : scan SMB networks
  • ncpquery : scan NetWare servers
  • nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
  • nikto : CGI scanner
  • nmap 3.48 : the standard in host/port enumeration
  • p0f : passive OS fingerprinter
  • proxychains: chain together multiple proxy servers
  • rpcinfo : hmmmm.... info from RPC?
  • screamingCobra : CGI scanner
  • siege : http testing and benchmarking utility
  • sil : tiny banner grabber
  • snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
  • syslog_deluxe : spoof syslog messages
  • thcrut : THC's "r you there?" network mapper
  • vmap : maps application versions
  • warscan : exploit automation tool
  • xprobe2 : uses ICMP for fingerprinting
  • yaph : yet another proxy hunter
  • zz : zombie zapper kills DDoS zombies

Wireless Tools

  • airsnarf : rogue AP setup utility
  • airsnort : sniff, find, crack 802.11b
  • airtraf : 802.11b network performance analyzer
  • gpsdrive : use GPS and maps
  • kismet 3.0.1 : for 802.11 what else do you need?
  • kismet-log-viewer : manage your kismet logs
  • macchanger : change your MAC address
  • wellenreiter : 802.11b discovery and auditing
  • patched orinoco drivers : automatic (no scripts necessary)

Internet Information Resources

US-CERT Current Activity
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

US-CERT Current Activity