Security Tools
Vulnerability assessment tools:
The Bitdefender Trojan.StartPage.AABI removal tool will clean all infections from the Trojan.StartPage.AABI.
The Kaspersky Virus Removal Tool Special ITU Edition removes Gauss, Flame, Stuxnet, Duqu and all other known malicious programs. Please note that you have to launch the tool twice for the full recovery from the Gauss malware.
Kaspersky Virus Removal Tool Special ITU Edition is designed to cure infected computers running under Microsoft Windows of malicious programs including the Flame virus. The application does not require installation.It is recommended to run the application in Microsoft Windows safe mode to minimize access to computer resources by malware.
The premier Open Source vulnerability assessment tool Nessus is a remote security scanner forWindows, Linux, BSD, Solaris, and other Unices. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems.
A commercial network security scanner for Windows LANguard scans networks and reports information such as service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are outputted to an HTML report, which can be customised/queried. Apparently a limited free version is available for non-commercial/trial use.
SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more. Non-Windows users can enjoy online versions of many of their tools.
ISS Internet Scanner:
Internet Scanner started off in ’92 as a tiny Open Source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products. ISS Internet Scanner is pretty good, but is not cheap. So companies on a tight budget may wish to look at Nessus instead. A March 2003 Information Security magazine review of 5 VA tools (including these) is available here. Note that VA tools only report vulnerabilities. Commercial tools for actually exploiting them include CORE Impact and Dave Aitel’s Canvas. Free exploits for some vulnerabilities can be found at sites like Packet Storm and Security Focus.
Nikto is a web server scanner which looks for over 2600 potentially dangerous files/CGIs and problems on over 625 servers. It uses LibWhisker but is generally updated more frequently than Whisker itself.
SuperScan: Foundstone’s Windows TCP port scanner http://www.foundstone.com/index.htm?subnav= resources/navigation.htm&subcontent= /resources /proddesc/superscan.htm
A connect-based TCP port scanner, pinger and hostname resolver. No source code is provided. It can handle ping scans and port scans using specified IP ranges. It can also connect to any discovered open port using user-specified “helper” applications (e.g. Telnet, Web browser, FTP).
Commertial vulnerability assessment scanner by eEye Like Nessus and ISS Internet Scanner mentioned previously, Retina’s function is to scan all the hosts on a network and report on any vulnerabilities found.
Security Administrator’s Integrated Network Tool Saint is another commercial vulnerability assessment tool (like ISS Internet Scanner or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on UNIX. Saint used to be free and open source, but is now a commercial product.
SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).
N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but do take their web site with a grain of salt. The claims of “20,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as nessus, ISS, Retina, SAINT, and SARA include web scanning components. They may not all be as up-to-date or flexible though. n-stealth is Windows only and no source code is provided.
Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 –traceroute option.
XProbe is a tool for determining the operating system of a remote host. They do this using some of the same techniques as Nmap as well as many different ideas. Xprobe has always emphasized the ICMP protocol in their fingerprinting approach.
Toolsets: A plethor of network discovery/monitoring/ attack tools http://www.solarwinds.net/
SolarWinds has created and sells dozens of special-purpose tools targetted at systems administrators. Security related tools include many network discovery scanners and an SNMP brute-force cracker. These tools are Windows only, cost money, and do not include source code.
Amap (by THC) is a new but powerful scanner which probes each port to identify applications and services rather than relying on static port mapping.
Hunt can watch TCP connections, intrude into them, or reset them. Hunt is meant to be used on ethernet, and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks. If you like Hunt, also take a look at Ettercap and Dsniff.
Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session’s data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.
This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC-Hydra.
Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS Evasion paper. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Like Dsniff, and Libdnet, this excellent tool was written by Dug Song.
Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.
A commercial vulnerability assessment tool
A popular tool used for portsscaning and OS finger printing