Various tools are used in the auditing process. Site audits may only use generalized network and security scanners while penetration tests may use more invasive tools such as sniffers, password crackers or session hijackers.
Scanners provide for the automated auditing of a large number of networked hosts. Scanners can detect and identify active hosts on a network. This allows for network mapping and discovery of host-based services. Vulnerability scanners can identify potential security or misconfiguration problems.
Network Tools provide for the analysis of a network under audit. Network traffic and protocols can be analyzed for security concerns. Firewall ACLs and router filtering can be probed and tested.
Sniffers are employed to capture specific network content. They are often used to collect user names and passwords transferred in the clear or in hash form. Content such as email, printouts, web browsing and file sharing can be captured. Data collected can be used to evaluate the risks associated with various network protocols, applications and user activities.
Password Crackers are used to evaluate weak password selections. These tools can be used proactively by system administrators to identify users with weak passwords. During a penetration test, password crackers are used to attempt privilege escalation.
Intruder Tools include tools that exploit a specific weakness in an application, protocol or device. They can be used to bypass or confuse security applications. They may be capable of inserting commands in a communications channel or allow the penetration tester to masquerade as a valid user. Other tools may exploit flaws either locally or remotely to gain unauthorized or privileged access to data or services.
The following provides a Best of Breed selection from the (In)Security Database in the major categories. Unless otherwise noted, they are designed to run under Unix-like operating systems.
Tool Class | Name | Description | Status |
---|---|---|---|
Scanners | nmap | Nmap is a utility for network exploration or security auditing. | Public |
Scanners | BASS | A network vulnerability scanner intended to passively scan large numbers of hosts. | Public |
Scanners | Nessus | Remote network security auditor that makes it possible to test security modules in an attempt to find vulnerable spots. | Public |
Scanners | Saint | Scans through firewalls, and performs security checks. | Modified |
Scanners | Strobe | The classic high-speed port scanner. | Public |
Scanners | SARA | A security analysis tool based on SATAN. | Public |
Scanners | NAT | NetBIOS Auditing Tool to explore file-sharing services. | Public |
Networks | Netcat | TCP/IP Swiss Army knife and network exploration. | Modified |
Networks | Cheops | Another Swiss Army knife for local or remote networks. | Public |
Networks | Tcpdump | Tool for network monitoring and data acquisition. | Modified |
Networks | Cerberus Internet Scanner | Locate and identify security holes. Runs on WinNT. | Commercial |
Networks | Ethereal | Network traffic analyzer. | Public |
Networks | Ngrep | Grep for network traffic and data payloads of packets. | Public |
Networks | Hping2 | Sends custom TCP packets, and makes use of fragmentation. | Public |
Networks | Firewalk | Employs traceroute-like techniques to analyze responses from gateways and firewalls. | Modified |
Sniffers | Dsniff | A suite of powerful network sniffers for passwords and other information. | Modified |
Sniffers | Sniffit | Packet sniffer and monitoring tool. | Public |
Sniffers | dogsniff | Telnet and password sniffer. | Private |
Password Crackers | Crack | The classic password cracker. | Public |
Password Crackers | L0pht Crack | An NT password cracking and auditing tool. | Commercial |
Password Crackers | John the Ripper | A multipurpose password cracker that works equally well against NT or Unix passwords. | Public |
Intruders | Hunt | Packet sniffer and connection intrusion. | Public |
Intruders | Firehose | Modified Firewalk that uses firewall information to apply tunnelling techniques. | Private |
Intruders | Nemesis | A command line based IP stack that allows scripting of injected packet streams from shell scripts. | Modified |
Intruders | Fragrouter | Tests the correctness of a network intrusion detection system. | Modified |
Last modified: Sat Oct 30 22:46:31 PDT 2004