Here is a list of my favorite old & new school information security & hacking tools:
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an applications attack surface, through to finding and exploiting security vulnerabilities.
Cain & Abel is a password-cracking juggernaut that runs on Windows. This amazing software, created by Mass-imiliano Montoro, features more than a dozen different useful capabilities for cracking passwords and various encryption keys. For starters, Cain can dump and reveal various encrypted or hashed passwords cached on a local Windows machine, including the standard Windows LANMAN and NTLM password representations, as well as application-specific passwords for Microsoft’s Outlook, Internet Explorer and MSN Explorer. Organizations can use Cain to test individual passwords and the effectiveness of their password policies. Cain & Abel can crack passwords for over a dozen different OS and protocol types. Just for the Windows operating system alone, Cain handles the LANMAN and NTLM password representations in the SAM database, as well as Windows network authentication protocols such as LANMAN Challenge and Response, NTLMv1, NTLMv2 and Micro-soft Kerberos. Its integrated sniffer monitors the LAN, grabbing challenge-and- response packets and cracking passwords using a built-in dictionary of more than 306,000 words. Beyond Windows passwords, Cain also cracks various Cisco passwords, routing proto-col hashes, VNC passwords, RADIUS Shared Secrets, Win95/98 Password List (PWL) files, and Micro-soft SQL Server 2000 and MySQL passwords. It can also crack IKE pre-shared keys in order to penetrate IPSec VPNs that use IKE to exchange and to update their cryptography keys. Beyond password cracking, Cain includes a wireless LAN discovery tool, a hash calculator and an ARP cache-poisoning tool (which can be used to redirect traffic on a LAN so that an attacker can more easily sniff in a switched environment)–all bound together in a sophisticated GUI.
DNSiff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
Fast-track is an open source security tool aimed at helping penetration testers conduct highly advanced and time consuming attacks in a more methodical and automated way. Fast-Track is now included in Backtrack version 3 onwards under the Backtrack –> Penetration category. In this talk given at Shmoocon 2009, the author of Fast-Track Dave Kennedy runs us through a primer on the tool and demonstrates 7 different scenarios in which he breaks into systems using the Fast-Track tool. These scenarios include automated SQL injection, MSSQL brute forcing, Query string pwnage, Exploit rewrite, Destroying the Client and Autopwnage.
fport identifies all open TCP/IP and UDP ports and maps them to the owning application.
GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate alerting you to security vulnerabilities.
hping is a command-line oriented TCP/IP packet assembler/analyser. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. Kind of like the ping program (but with a lot of extensions).
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.
John the Ripper is a fast password cracker, currently available for many flavours of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT. It separates and identifies different wireless networks in the area.
Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners. This helps prioritize remediation and eliminate false positives, providing true security risk intelligence. Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
The Nessus Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavours of Unix.
Netcat has been dubbed the network Swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol
NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.
The Nexpose Community Edition is a free, single-user vulnerability management solution. Nexpose Community Edition is powered by the same scan engine as Nexpose Enterprise and offers many of the same features.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
Nmap (Network Mapper) is a free and open source (license) utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
Many custom Web apps are vulnerable to SQL injection, cross-site scripting, session cloning and other attacks. Attackers often rely on a specialized Web proxy tool designed to manipulate Web applications to reveal and exploit such flaws–and so must you. A Web app manipulation proxy sits between the attacker’s browser and the target Web server. All HTTP and HTTPS requests and responses are channelled through the proxy, which gives the attacker a window to view and alter all of the information passed in the browsing session, including any variables passed by the Web app in cookies, hidden form elements and URLs. Paros Proxy, which runs on Windows or Linux (with a Java Run-time Environment), is the best of these proxies, chock-full of Web app assessment widgets that make it a versatile and powerful hacking tool:
- Recorder. Paros goes be-yond similar tools by maintaining a thorough history of all HTTP requests and responses. Later, the attacker can review all of the actions, with every page, variable and other element re-corded for detailed analysis.
- Web spider. An automated Web spider surfs every linked page on a target site, storing its HTML locally for later inspection, and harvests URLs, cookies and hidden form elements for later attack.
- Hash calculator. Attackers sometimes have a hunch about the encoding or hashing of specific data elements that are returned. Using the Paros calculator, a hacker can quickly and easily test such hunches. Paros Proxy has a GUI tool for calculating the SHA-1, MD5 and Base64 value of any arbitrary text typed in by its user or pasted from an application.
- SSL-buster. While most other Web app attack and assessment proxies handle server-side SSL certificates, Paros can also probe apps that require client-side SSL certificates.
Paros also includes automated vulnerability scanning and detection capabilities for some of the most common Web application attacks, including SQL injection and cross-site scripting. Paros even scans for unsafe Web content, such as unsigned ActiveX controls and browser ex-ploits sent by the target Web server.
OpenBSD Packet Filter
SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
analyses the dump file format generated by TCPdump and other applications.
A very fast network logon cracker which support many different services.
Tripwire is a tool that can be used for data and program integrity assurance.
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
WebScarabhas a large amount of functionality, and as such can be quite intimidating to the new user. But, for the simplest case, intercepting and modifying requests and responses between a browser and HTTP/S server, there is not a lot that needs to be learned.
A Passive WLAN detector. While numerous tools detect wireless LANs, one of the very best is Wellenreiter. Traditional war driving tools, such as the popular NetStumbler, send a barrage of probe request packets to find wireless access points. But, NetStumbler can’t locate an access point that’s configured to ignore probe requests from clients that don’t know the WLAN SSID. Max Moser’s Wellenreiter can. Wellenreiter is completely passive; instead of sending probe requests, it puts a wireless card into so-called “rfmon mode,” so that it sniffs wireless traffic, capturing all data sent, including the entire wireless frames of all packets with their associated SSIDs, displaying the discovered access points in its GUI. It then listens for ARP or DHCP traffic to determine the MAC and IP addresses of each discovered wireless device. Wellenreiter can store wireless packets in a tcpdump or Wireshark packet capture file for later detailed analysis. An attacker or wireless penetration tester can fire up Wellenreiter, let the tool run passively for an hour or so, and return to find a nifty inventory of nearby wireless devices. It can also interface with GPS devices; storing the physical location of each war-driving computer when wireless LANs are detected. Wellenreiter runs on Linux and supports Prism2, Lucent and Cisco wireless cards.
You need a solid Web server vulnerability scanner if you’re going to find flaws before attackers do. Internet-facing Web apps open enormous business opportunities–and dangerous holes for malicious and criminal hackers. In the last year, thousands of sites running vulnerable phpBB Web forum scripts, and countless others hosting the AWStats CGI script for gathering access statistics from log files, have fallen victim to attackers. Beyond those notable examples, vulnerabilities in various Web scripts are discovered on a regular basis. To help find such flaws in your network, turn to Wikto, an impressive Web server scanning tool. Written by Sensepost, a security services firm based in South Africa, Wikto builds on the popular command-line Nikto Web scanner Perl script with an easy-to-use Windows GUI and extended capabilities. Like Nikto, Wikto searches for thousands of flawed scripts, common server misconfigurations and unpatched systems. Wikto adds HTTP fingerprinting technology to identify Web server types based on their protocol behaviour’s, even if administrators purposely disguise Web server banner information to deceive attackers. For white hats, it’s a powerful inventory feature. What’s more, attackers are increasingly turning to well-crafted Google searches to look for vulnerable sites. Security researcher Johnny Long maintains the Google Hacking Database (GHDB) list of more than 1,000 Google searches that can locate vulnerable systems. Wikto can import the latest GHDB vulnerability list, and then query Google for such holes in your domain.
A Windows configuration harvester. Windows systems contain a treasure trove of sensitive configuration information that’s accessible in a variety of ways. Attackers and assessment teams typically extract as much information as possible from Windows systems to help refine and augment their vulnerability scans. Winfingerprint, written by Vacuum, is an invaluable tool for harvesting Windows configuration information, using a variety of mechanisms, including Windows domain access, Active Directory and Windows Manage-ment Instrumentation (WMI), Microsoft’s comprehensive framework for analysing system configurations. Winfingerprint pulls lists of users, groups and security settings from a single Windows machine or a network range. The tool also grabs information about the local hard drives of target machines, local system time and date, registry settings, and event logs. Rounding out its features, this handy tool includes a Simple Network Management Protocol (SNMP) scanner, as well as a TCP and UDP port scanner, all accessible from a single GUI
Wireshark is a network protocol analyser. It lets you capture and interactively browse the traffic running on a computer network.