Top 75 Security Tools
Note: These are archived 2003 survey results. For the latest survey, visit http://SecTools.Org.
In May of 2003, I conducted a survey of Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 8. This was a followup to the highly successful June 2000 Top 50 list. An astounding 1854 people responded in '03, and their recommendations were so impressive that I have expanded the list to 75 tools! Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also plan to point newbies to this page whenever they write me saying "I do not know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. Many of the descriptions were taken from the application home page or the Debian or Freshmeat package descriptions. I removed marketing fluff like "revolutionary" and "next generation". No votes for the Nmap Security Scanner were counted because the survey was taken on an Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.
These icons are used:
- Did not appear on the 2000 list
- Generally costs money. These rarely include source code. A free limited/demo/trial version may be available.
- Works on Linux
- Works on FreeBSD/NetBSD/OpenBSD and/or proprietary UNIX systems (Solaris, HP-UX, IRIX, etc.)
- Supports Microsoft Windows
Translations:
Spanish Translation by ThiOsk (os_k&at&softhome.net) and Kerozene (kerozene&at&hackemate.com.ar)
Portuguese Translation by André Zúquete (avz&at&det.ua.pt)
Here is the list (starting with the most popular):
- Nessus: Formerly open source vulnerability assessment tool. Nessus is a remote security scanner for Linux, BSD, Solaris, and other Unices. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems. It was open source for many years, but they turned proprietary in late 2005.
- Ethereal: Sniffing the glue that holds the Internet together. Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called tethereal is included.
- Snort: A free intrusion detection system (IDS) for the masses. Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.
- Netcat: The network swiss army knife. A simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
- TCPDump / WinDump: The classic sniffer for network monitoring and data acquisition. Tcpdump is a well-known and well-loved text-based network packet analyzer ("sniffer"). It can be used to print out the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems or to monitor network activities. There is a separate Windows port named WinDump. TCPDump is also the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other utilities. Note that many users prefer the newer Ethereal sniffer.
- Hping2: A network probing utility like ping on steroids. hping2 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.
- DSniff: A suite of powerful network auditing and penetration-testing tools. This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here.
- GFI LANguard: A commercial network security scanner for Windows. LANguard scans networks and reports information such as service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are output to an HTML report, which can be customized/queried. Apparently a limited free version is available for non-commercial/trial use.
- Ettercap: In case you still thought switched LANs provide much extra security. Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly are also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
- Whisker/Libwhisker: Rain.Forest.Puppy's CGI vulnerability scanner and library. Whisker is a scanner which allows you to test HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Libwhisker is a perl library (used by Whisker) which allows for the creation of custom HTTP scanners. If you wish to audit more than just web servers, have a look at Nessus.
- John the Ripper: An extraordinarily powerful, flexible, and fast multi-platform password hash cracker. John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.
- OpenSSH / SSH: A secure way to access remote computers. Ssh (Secure Shell) is a program for logging into or executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist and rsync with a secure communication channel. OpenSSH is affiliated with the OpenBSD project, though a portable version runs on most UNIX systems. Note that the SSH.Com link above costs money for some uses, while OpenSSH is always free. Windows users may want to try the free PuTTY SSH Client or the nice terminal-based port of OpenSSH that comes with Cygwin. There are dozens of other clients (free or proprietary) available for most platforms - here is a huge list.
- Sam Spade: Freeware Windows network query tool. SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more. Non-Windows users can enjoy online versions of many of their tools.
- ISS Internet Scanner: Application-level vulnerability assessment. Internet Scanner started off in '92 as a tiny Open Source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products. ISS Internet Scanner is pretty good, but is not cheap. So companies on a tight budget may wish to look at Nessus instead. A March 2003 Information Security magazine review of 5 VA tools (including these) is available here. Note that VA tools only report vulnerabilities. Commercial tools for actually exploiting them include CORE Impact and Dave Aitel's Canvas. Free exploits for some vulnerabilities can be found at sites like Packet Storm and SecurityFocus.
- Tripwire: The grand-daddy of file integrity checkers. A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. An Open Source Linux version is freely available at Tripwire.Org. UNIX users may also want to consider AIDE, which has been designed to be a free Tripwire replacement. Or you may wish to investigate Radmind.
- Nikto: A more comprehensive web scanner. Nikto is a web server scanner which looks for over 2000 potentially dangerous files/CGIs and problems on over 200 servers. It uses LibWhisker but is generally updated more frequently than Whisker itself.
- Kismet: A powerful wireless sniffer. Kismet is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files. It also includes the ability to plot detected networks and estimated network ranges on downloaded maps or user supplied image files. Windows support is currently preliminary, so those users may want to look at Netstumbler if they run into trouble. Linux (and Linux PDAs like Zaurus) users may wish to also look at the Wellenreiter wireless scanner.
- SuperScan: Foundstone's Windows TCP port scanner. A connect-based TCP port scanner, pinger and hostname resolver. No source code is provided. It can handle ping scans and port scans using specified IP ranges. It can also connect to any discovered open port using user-specified "helper" applications (e.g. Telnet, Web browser, FTP).
- L0phtCrack 4 (now called "LC4"): Windows password auditing and recovery application. L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows NT/2000 workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). L0phtcrack currently costs $350/machine and no source code is provided. Companies on a tight budget may want to look at John the Ripper, Cain & Abel, and pwdump3.
- Retina: Commercial vulnerability assessment scanner by eEye. Like Nessus and ISS Internet Scanner mentioned previously, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found.
- Netfilter: The current Linux kernel packet filter/firewall. Netfilter is a powerful packet filter which is implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling. For non-Linux platforms, see pf (OpenBSD), ipfilter (many other UNIX variants), or even the Zone Alarm personal firewall (Windows).
- traceroute/ping/telnet/whois: The basics. While there are many whiz-bang high-tech tools out there to assist in security auditing, don't forget about the basics! Everyone should be very familiar with these tools as they come with most operating systems (except that Windows omits whois and uses the name tracert). They can be very handy in a pinch, although for more advanced usage you may be better off with Hping2 and Netcat.
- Fport: Foundstone's enhanced netstat. fport reports all open TCP/IP and UDP ports on the machine you run it on and shows what application opened each port. So it can be used to quickly identify unknown open ports and their associated applications. It only runs on Windows, but many UNIX systems now provide this information via netstat (try 'netstat -pan' on Linux). Here is a PDF-format SANS article on using Fport and analyzing the results.
- SAINT: Security Administrator's Integrated Network Tool. Saint is another commercial vulnerability assessment tool (like ISS Internet Scanner or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on UNIX. Saint used to be free and open source, but is now a commercial product.
- Network Stumbler: Free Windows 802.11 Sniffer. Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such called Ministumbler. The tool is currently free but Windows-only and no source code is provided. They note that "the author reserves the right to change this license agreement as he sees fit, without notice." UNIX users (and advanced Win users) may want to look at Kismet instead.
- SARA: Security Auditor's Research Assistant. SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).
- N-Stealth: Web server scanner. N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as nessus, ISS, Retina, SAINT, and SARA include web scanning components. They may not all be as up-to-date or flexible though. N-stealth is Windows only and no source code is provided.
- AirSnort: 802.11 WEP Encryption Cracking Tool. AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Windows support is still very preliminary.
- NBTScan: Gathers NetBIOS info from Windows networks. NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists received information in human readable form. For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.
- GnuPG / PGP: Secure your files and communication w/advanced encryption. PGP is the famous encryption program by Phil Zimmerman which helps secure your data from eavesdroppers and other risks. GnuPG is a very well-regarded open source implementation of the PGP standard (the actual executable is named gpg). While GnuPG is always free, PGP costs money for some uses.
- Firewalk: Advanced traceroute. Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 --traceroute option.
- Cain & Abel: The poor man's L0phtcrack. Cain & Abel is a free password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary & Brute-Force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Source code is not provided.
- XProbe2: Active OS fingerprinting tool. XProbe is a tool for determining the operating system of a remote host. They do this using some of the same techniques as Nmap as well as many different ideas. Xprobe has always emphasized the ICMP protocol in their fingerprinting approach.
- SolarWinds Toolsets: A plethora of network discovery/monitoring/attack tools. SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security related tools include many network discovery scanners and an SNMP brute-force cracker. These tools are Windows only, cost money, and do not include source code.
- NGrep: Convenient packet matching & display. ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
- Perl / Python: Portable, general-purpose scripting languages. While many canned security tools are available on this page for handling common tasks, it is important to have the ability to write your own (or modify the existing ones) when you need something more custom. Perl and Python make it very easy to write quick, portable scripts to test, exploit, or even fix systems! Archives like CPAN are filled with modules such as Net::RawIP and protocol implementations to make your tasks even easier.
- THC-Amap: An application fingerprinting scanner. Amap (by THC) is a new but powerful scanner which probes each port to identify applications and services rather than relying on static port mapping.
- OpenSSL: The premier SSL/TLS encryption library. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
- NTop: A network traffic usage monitor. Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.
- Nemesis: Packet injection simplified. The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux (and now Windows!). The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts. If you enjoy Nemesis, you might also want to look at hping2. They complement each other well.
- LSOF: LiSt Open Files. This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. It can also list communications sockets open by each process.
- Hunt: An advanced packet sniffing and connection intrusion tool for Linux. Hunt can watch TCP connections, intrude into them, or reset them. Hunt is meant to be used on ethernet, and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks. If you like Hunt, also take a look at Ettercap and Dsniff.
- Honeyd: Your own personal honeynet. Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating them. The web page is currently down for legal reasons, but the V. 0.5 tarball is still available here.
- Achilles: A Windows web attack proxy. Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.
- Brutus: A network brute-force authentication cracker. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC-Hydra.
- Stunnel: A general-purpose SSL cryptographic wrapper. The stunnel program is designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries.
- Paketto Keiretsu: Extreme TCP/IP. The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for. It includes Scanrand, an unusually fast network service and topology discovery system, Minewt, a user space NAT/MAT router, linkcat, which presents an Ethernet link to stdio, Paratrace, which traces network paths without spawning new connections, and Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three dimensional phase space. Got all that? :).
- Fragroute: IDS systems' worst nightmare. Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS Evasion paper. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Like Dsniff and Libdnet, this excellent tool was written by Dug Song.
- SPIKE Proxy: HTTP Hacking. Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.
- THC-Hydra: Parallelized network authentication cracker. This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus. Like Amap, this release is from the fine folks at THC.
To save space & time, the next 25 best tools are listed in a more compact table:
- OpenBSD: The proactively secure operating system.
- TCP Wrappers: A classic IP-based access control and logging mechanism
- pwdump3: Allows for retrieving Windows password hashes locally or across the network whether or not syskey is enabled.
- LibNet: A high-level API (toolkit) allowing the application programmer to construct and inject network packets
- IpTraf: IP Network Monitoring Software
- Fping: A parallel ping scanning program
- Bastille: Security hardening script for Linux, Mac OS X, and HP-UX
- Winfingerprint: A Win32 Host/Network Enumeration Scanner
- TCPTraceroute: A traceroute implementation using TCP packets
- Shadow Security Scanner: A commercial vulnerability assessment tool
- pf: The innovative packet filter in OpenBSD
- LIDS: A Linux kernel intrusion detection/defense system
- hfnetchk: Microsoft tool for checking the patch status of all the Windows machines on a network from a central location
- etherape: A graphical network monitor for Unix modeled after etherman
- dig: A handy DNS query tool that comes free with Bind
- Crack / Cracklib: Alec Muffett's classic local password cracker
- cheops / cheops-ng: Gives a simple interface to many network utilities, maps local or remote networks and identifies OS of machines
- zone alarm: Windows Personal firewall software. They offer a limited free version, but much of the functionality is disabled. Some users prefer Kerio Personal Firewall, which also sports free and commercial versions.
- Visual Route: Obtains traceroute/whois data and plots it on a World map
- The Coroner's Toolkit (TCT): A collection of tools that are either oriented towards gathering or analyzing forensic data on a Unix system
- tcpreplay: a tool to replay saved tcpdump or snoop files at arbitrary speeds
- snoop: A well-known gangsta rapper (Snoop Dogg)! It is also a network sniffer that comes with Solaris.
- putty: An excellent Windows SSH client
- pstools: A suite of free command-line tools for managing Windows systems (process listings, command execution, etc)
- arpwatch: Keeps track of ethernet/ip address pairings and can detect certain monkey business