Open Source Security Tool Overview
Presented by
Kitch Spicer & Douglas Couch Security Engineers for ITaP
Agenda
• Vulnerability Testing
• Network Security
• Passive Network Detection
• Firewalls
• Anti-virus/Anti-malware
• Host Intrusion
• Forensics
• Encryption
• Log File Analysis
• Miscellaneous
Vulnerability Testing
• OpenVAS – Network and host vulnerability scanner. Offshoot of Nessus.
• NSAT – Network Security Analysis Tool (similar to OpenVAS).
• Nikto – Web application vulnerability scanner.
• W3AF – Web Application Attack and Audit Framework.
• Pixy – PHP code scanner for XSS and SQLI.
Network Security
Wireshark (Windows, Linux, UNIX)
• Multi-platform network protocol analyzer with a lot of features and a variety of export format options.
Snort (Windows, Linux, UNIX, Mac)
• IDS/IPS which combines signature,
NTop (Windows, Linux, UNIX, Mac)
• Network traffic probe providing insight into network usage. Analyzes IP traffic and sorts it based upon source and destination, and has the ability to passively identify the host OS.
nfdump (Linux, UNIX)
• Set of command-line tools to collect and process NetFlow data.
NfSen (Linux, UNIX)
• Web-based GUI for the nfdump tools. Allows you to view flows, packets and bytes and easily navigate through
Nmap (Windows, Linux, UNIX, Mac)
• Network discovery tool which uses raw IP packets to determine what hosts are on the network, as well as any services the hosts are running, the OS, and more.
Netcat (Linux, UNIX, Mac)
• Network utility which provides data reading and writing capabilities over TCP/IP. Also has built-in port scanning, a tunneling mode, and advanced usage options.
AFICK (Windows, Linux)
• File integrity tool with a very simple interface that shows which files have changed on a system.
tcpdump (Linux, UNIX, Mac)
• Command-line packet sniffer/analyzer which allows the user to display packets being sent and received over the network to which the system is attached.
WinDump (Windows)
Passive Network Detection
P0f (Windows, Linux, UNIX)
• Extremely versatile passive OS fingerprinting tool which can not only identify the OS, but can also detect the use of a firewall, NAT, or load balancer, and even the remote system's ISP.
PADS
• Passive Asset Detection System
• Signature-based detection engine which passively detects network assets. Provides context to IDS alerts when used to supplement existing IDS/IPS systems.
Firewalls
pfSense
• Customized FreeBSD distro to be used as a firewall and router. It includes features such as VPN, NAT, redundancy, load balancing, DHCP server and relay, etc.
SmoothWall
• Firewall which includes its own hardened OS and provides a user-friendly web interface. Features include proxies (Web, POP3 email, IM), QoS, IDS via Snort, real-time traffic graphs, etc.
AppArmor (Linux)
• Utilizes policy-based profiles for application access and protects the system from malware aimed at application vulnerabilities, as well as from unwanted programs.
ModSecurity (OS Independent)
• Web application firewall which can work embedded or as a reverse proxy. Protects against various web application attacks and has HTTP traffic logging, monitoring and real-time
Anti-Virus/Anti-Malware
ClamAV (Windows, Linux)
• Anti-virus toolkit for UNIX with a focus on e-mail scanning at the mail gateway.
Rootkit Hunter (Linux, UNIX)
• Tool used to check Linux/UNIX systems for the presence of rootkits as well as other unwanted tools.
Nixory (OS independent)
• Program used with the Firefox web browser which protects users from malicious data mining. It is aimed at removing cookies which are used for tracking purposes in a malicious
Host Intrusion
• Osiris – Host integrity monitoring system. A Tripwire replacement.
• OSSEC – Host intrusion detection including file integrity, log analysis, policy monitoring, and rootkit detection.
• Samhain (Beltane) – Similar to OSSEC. Beltane (non-free) offers a control panel.
Forensics
• AIR – Automated Image and Restore is a GUI front-end to dd for creating forensic images.
• Autopsy – A web front-end for The Sleuth Kit tools.
• ODESSA – An open and extensible suite for acquisition, analysis and documentation of evidence.
• Live View – Creates a VMware image out of a raw dd image. Keeps a pristine image.
Encryption
GnuPG (Windows, Linux, Mac)
• OpenPGP suite that allows users to encrypt and sign data and communication. Features a key management system as well as access modules for public key directories.
gpg4win (Windows)
• Windows version of GnuPG.
AxCrypt (Windows)
• File encryption software which provides the ability to compress, encrypt, decrypt, store, send and work with
Log File Analysis
BASE (OS Independent)
• Basic Analysis and Security Engine – web interface which performs analysis of Snort alerts and detections.
Snare (Various OSes)
• Collects and analyzes security, application, system, DNS, File Replication Service, and AD logs.
Splunk (Various OSes)
• Monitoring and reporting tool which utilizes logs, metrics, and various data from applications, servers and network devices. The information is then indexed into a searchable repository from which graphs, reports and alerts can be generated.
Miscellaneous
• OCS – Inventory and package deployment system for Windows and *nix systems.
• DBAN – Darik's Boot And Nuke: wipes drives effectively.
• BleachBit – Wipes free space.
• Portable Apps – Various.
• SysInternals – Windows tools.
All-In-One
• SIFT Workstation – Created by SANS for forensic analysis.
• BackTrack – Penetration testing and other hacker tools.
• OSSIM – Live CD with a network SIEM system preinstalled.
• Metasploit – Ruby-based framework for penetration tools and security tools.
Conclusion