Top 50 Security Tools
In May/June of 2000, we conducted a survey of 1200 Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 5.
I was so impressed by the list they created that I am putting the top
50 up here where everyone can benefit from them. I think anyone in the
security field would be well advised to go over the list and investigate
any tools they are unfamiliar with. I also plan to point newbies to this
page whenever they write me saying "I do not know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. I may change this list occasionally as new tools are created and others fade into obscurity as security enhancements become mainstream. Or maybe I'll just have another survey next year.
Also note that many of the descriptions in this list were taken from
the Debian package descriptions, the
Freshmeat descriptions, or from
the home pages of the application. I didn't count any votes for Nmap
because the survey was taken on an Nmap mailing list.
Without further ado, here is the list (starting with the most popular):
Nessus
http://www.nessus.org
Description: Remote network security auditor, the client. The Nessus Security Scanner is a security auditing tool. It makes it possible to test security modules in an attempt to find vulnerable spots that should be fixed.
It is made up of two parts: a server and a client. The server/daemon, nessusd, is in charge of the attacks, whereas the client, nessus, interfaces with the user through a nice X11/GTK+ interface.
This package contains the GTK+ 1.2 client, which exists in other forms and on other platforms, too.

Netcat
http://www.l0pht.com/~weld/netcat/
Note: This is an unofficial site.
Description: TCP/IP swiss army knife. A simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Tcpdump
http://www.tcpdump.org
Description: A powerful tool for network monitoring and data acquisition. This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems, to detect "ping attacks" or to monitor network activity.

Snort
http://www.snort.org
Description: Flexible packet sniffer/logger that detects attacks. Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.
Saint
http://www.wwdsi.com/saint/
Description: SAINT (Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature-rich HTML interface.

Ethereal
http://ethereal.zing.org/
Description: Network traffic analyzer. Ethereal is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems. It uses GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library.

Internet Security Scanner
www.iss.net
Note: This tool costs significant $$$ to use, and does not come with source code.
Description: A popular commercial network security scanner.

Abacus Portsentry
http://www.psionic.com/abacus/portsentry/
Description: Portscan detection daemon. PortSentry has the ability to detect portscans (including stealth scans) on the network interfaces of your machine. Upon alarm it can block the attacker via hosts.deny, a dropped route or a firewall rule. It is part of the Abacus program suite.
Note: If you have no idea what a port/stealth scan is, I'd recommend having a look at http://www.psionic.com/abacus/portsentry/ before installing this package. Otherwise you might easily block hosts you'd better not (e.g. your NFS server, name server, ...).

DSniff
http://naughty.monkey.org/~dugsong/dsniff/
Description: A suite of powerful tools for sniffing networks for passwords and other information. Includes sophisticated techniques for defeating the "protection" of network switches.
Tripwire
http://www.tripwire.com/
Note: Depending on usage, this tool may have expensive licensing fees associated with it.
Description: A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

Hping2
http://www.kyuzz.org/antirez/hping/
Description: hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can: test firewall rules, perform [spoofed] port scanning, test net performance using different protocols, packet size, TOS (type of service), and fragmentation, do path MTU discovery, transfer files (even between really Fascist firewall rules), perform traceroute-like actions under different protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. hping2 is a good tool for learning TCP/IP.

SARA
http://www-arc.com/sara/
Description: The Security Auditor's Research Assistant (SARA) is a third generation security analysis tool that is based on the SATAN model, which is covered by a GNU GPL-like open license. It fosters a collaborative environment and is updated periodically to address the latest threats.

Sniffit
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Description: Packet sniffer and monitoring tool. sniffit is a packet sniffer for TCP/UDP/ICMP packets. sniffit is able to give you very detailed technical info on these packets (SEQ, ACK, TTL, Window, ...) but also packet contents in different formats (hex or plain text, etc.).
SATAN
http://www.fish.com/satan/
Description: Security Auditing Tool for Analysing Networks. This is a powerful tool for analyzing networks for vulnerabilities, created for sysadmins who cannot keep a constant eye on bugtraq, rootshell and the like.

IPFilter
http://coombs.anu.edu.au/ipfilter/
Description: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can be used either as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

iptables/netfilter/ipchains/ipfwadm
http://netfilter.kernelnotes.org/
Description: IP packet filter administration for 2.4.X kernels. Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The iptables tool also supports configuration of dynamic and static network address translation.

Firewalk
http://www.packetfactory.net/Projects/Firewalk/
Description: Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. The newest version of the tool, firewalk/GTK, introduces the option of using a graphical interface and a few bug fixes.

L0pht Crack
http://www.l0pht.com/l0phtcrack/
Note: No source code is included (except in the research version) and there is a $100 registration fee.
Description: L0phtCrack is an NT password auditing tool. It will compute NT user passwords from the cryptographic hashes that are stored by the NT operating system. L0phtcrack can obtain the hashes through many sources (file, network sniffing, registry, etc.) and it has numerous methods of generating password guesses (dictionary, brute force, etc.).
John The Ripper
http://www.openwall.com/john/
Description: An active password cracking tool. john, normally called John the Ripper, is a tool to find weak passwords of your users.

Hunt
http://www.cri.cz/kra/index.html#HUNT
Description: Advanced packet sniffer and connection intrusion. Hunt is a program for intruding into a connection, watching it and resetting it.
Note that hunt operates on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on other segments or hosts that are on switched ports.

OpenSSH / SSH
http://www.openssh.com/
http://www.ssh.com/commerce/index.html
Note: The ssh.com version costs money for some uses, but source code is available.
Description: Secure rlogin/rsh/rcp replacement (OpenSSH). OpenSSH is derived from OpenBSD's version of ssh, which was in turn derived from ssh code from before the time when ssh's license was changed to be non-free. Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist and rsync with a secure communication channel.

tcp wrappers
ftp://ftp.porcupine.org/pub/security/index.html
Description: Wietse Venema's TCP wrappers library. Wietse Venema's network logger, also known as TCPD or LOG_TCP.
These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system.

Ntop
http://www.ntop.org
Description: Display network usage in top-like format. ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminiscent of the unix top utility.
It can also be run in web mode, which allows the display to be browsed with a web browser.

traceroute/ping/telnet
http://www.linux.com
Description: These are utilities that virtually all UNIX boxes already have. In fact, even Windows NT has them (but the traceroute command is called tracert).
NAT (NetBIOS Auditing Tool)
http://www.tux.org/pub/security/secnet/tools/nat10/
Note: This is an unofficial download site.
Description: The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

scanlogd
http://www.openwall.com/scanlogd/
Description: A portscan detecting tool. Scanlogd is a daemon written by Solar Designer to detect portscan attacks on your machine.

NFR
http://www.nfr.com
Note: Source code was once freely available but I do not know if this is still the case. Some usage may cost money.
Description: A commercial sniffing application for creating intrusion detection systems. Source code was at one time available, but I do not know if that is still the case.

logcheck
http://www.psionic.com/abacus/logcheck/
Description: Mails anomalies in the system logfiles to the administrator. Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit© by Trusted Information Systems Inc. (TIS).
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. This program is free to use at any site. Please read the disclaimer before you use any of this software.

Perl
http://www.perl.org
Description: A very powerful scripting language which is often used to create "exploits" for the purpose of verifying security vulnerabilities. Of course, it is also used for all sorts of other things.

Ngrep
http://www.packetfactory.net/Projects/ngrep/
Description: grep for network traffic. ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
Cheops
http://www.marko.net/cheops/
Description: A GTK-based network "swiss-army-knife". Cheops gives a simple interface to most network utilities, maps local or remote networks and can show OS types of the machines on the network.

Vetescan
http://www.self-evident.com/
Description: Vetescan is a bulk vulnerability scanner which contains programs to check for and/or exploit many remote network security exploits that are known for Windows or UNIX. It includes various programs for doing different kinds of scanning. Fixes for vulnerabilities are included along with the exploits.

Libnet
http://www.packetfactory.net/libnet/
Description: Routines for the construction and handling of network packets. libnet provides a portable framework for low-level network packet writing and handling.
Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary functionality. Still in its infancy however, the library is evolving quite a bit. Additional functionality and stability are added with each release.
Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap).

Crack / Libcrack
http://www.users.dircon.co.uk/~crypto/
Description: Crack 5 is an updated version of Alec Muffett's classic local password cracker. Traditionally these allowed any user of a system to crack the /etc/passwd and determine the passwords of other users (or root) on the system. Modern systems require you to obtain read access to /etc/shadow in order to perform this. It is still a good idea for sysadmins to run a cracker occasionally to verify that all users have strong passwords.

Cerberus Internet Scanner
http://www.cerberus-infosec.co.uk/cis.shtml
Description: CIS is a free security scanner written and maintained by Cerberus Information Security, Ltd and is designed to help administrators locate and fix security holes in their computer systems. Runs on Windows NT or 2000. No source code is provided.

Swatch
http://www.stanford.edu/~atkins/swatch/
Description: Swatch was originally written to actively monitor messages as they were written to a log file via the UNIX syslog utility. It has multiple methods of alarming, both visually and by triggering events. The perfect tool for a master loghost. This is a beta release of version 3.0, so please use it with caution. The code is still slightly ahead of the documentation, but examples exist. NOTE: Works flawlessly on Linux (RH5), BSDI and Solaris 2.6 (patched).
OpenBSD
http://www.openbsd.org
Description: The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts place emphasis on portability, standardization, correctness, security, and cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX.

Nemesis
http://www.packetninja.net/nemesis/
Description: The Nemesis Project is designed to be a command-line-based, portable human IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.

LSOF
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
Description: List open files. Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. The binary is specific to kernel version 2.2.

Lids
http://www.turbolinux.com.cn/lids/
Description: LIDS is an intrusion detection/defense system in the Linux kernel. The goal is to protect Linux systems against root intrusions, by disabling some system calls in the kernel itself. As you sometimes need to administer the system, you can disable LIDS protection.

IPTraf
http://cebu.mozcom.com/riker/iptraf/
Description: Interactive Colorful IP LAN Monitor. IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
Note that since 2.0.0 IPTraf requires a kernel >= 2.2.

IPLog
http://ojnk.sourceforge.net/
Description: iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. iplog 2.0 is a complete re-write of iplog 1.x, resulting in greater portability and better performance. iplog 2.0 contains all the features of iplog 1.x as well as several new ones. Major new features include a packet filter and detection of more scans and attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris. Ports to other systems, as well as any contributions at all, are welcome at this time.

Fragrouter
http://www.anzen.com/research/nidsbench/
Description: Fragrouter is aimed at testing the correctness of a NIDS, according to the specific TCP/IP attacks listed in the Secure Networks NIDS evasion paper [2]. Other NIDS evasion toolkits which implement these attacks are in circulation among hackers or publicly available, and it is assumed that they are currently being used to bypass NIDSs.

Queso
http://www.apostols.org/projectz/queso/
Note: A couple of the OS detection tests in Queso were later incorporated into Nmap. A paper we wrote on OS detection is available here.
Description: Guess the operating system of a remote machine by looking at the TCP replies.

GPG/PGP
http://www.gnupg.org/
http://www.pgp.com
Description: The GNU Privacy Guard (GnuPG) is a complete and free replacement for PGP, developed in Europe. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is an RFC2440 (OpenPGP) compliant application. PGP is the famous encryption program which helps secure your data from eavesdroppers and other risks.