100 advanced network security tools


1. Nessus: The best UNIX vulnerability scanning tool

Nessus is the best free network vulnerability scanner, and it runs on almost every UNIX platform. It is constantly updated and provides up to 11,000 plug-ins for free (registration and acceptance of the EULA, the End User License Agreement, are required).

Its main features are remote and local (authenticated) security checks, a client/server architecture, a GTK graphical interface (GTK is a GUI toolkit under Linux), and a built-in scripting language compiler that can be used to write custom plug-ins or to read plug-ins written by others. Nessus 3 has been released (now closed source); it is still free at this stage, unless you want the latest plug-ins.

2. Wireshark: Network sniffing tool

Wireshark (known as Ethereal until summer 2006) is an excellent open source network protocol analyzer for Unix and Windows. It can capture network traffic live and can also read capture files saved earlier. The data can be browsed through the graphical interface, down to the details of each layer of every packet.

Wireshark has many powerful features: a rich display filter language, the ability to reconstruct and view TCP session streams, support for hundreds of protocols and media types, and a command-line version called tethereal that works like tcpdump (the Linux command-line network protocol analyzer). I have to say that Ethereal has suffered from many remotely exploitable vulnerabilities, so update it frequently and use it with caution on untrusted or hostile networks (such as at security conferences).

3. Snort: A popular open source IDS (Intrusion Detection System) tool

This lightweight intrusion detection and prevention system specializes in traffic analysis and IP packet logging. Through protocol analysis, content searching and many other preprocessors, Snort can detect thousands of worms, vulnerability exploits, port scans and other suspicious behaviour. Snort uses a simple rule-based language to describe network traffic and decide whether to allow or block it, and its detection engine is modular. The Basic Analysis and Security Engine (BASE), a web-based engine for analyzing Snort alerts, is freely available.

The open source Snort serves individuals, small businesses and group users well. Its parent company, Sourcefire, offers rich enterprise-class features and regular updates to extend the product line. A free 5-day rule trial is available (registration required), and you can also find many free rules at Bleeding Edge Snort.

4. Netcat: The Swiss Army Knife of Networking

This simple utility reads and writes data across TCP or UDP network connections. It is designed as a reliable back-end tool that can be used directly or driven easily by other programs and scripts. At the same time, it is a versatile network debugging and exploration tool, since it can create almost any kind of connection you need, including listening on a port to accept incoming connections.

Netcat was first released by Hobbit in 1995, but it was not well maintained despite its popularity, and nowadays nc110.tgz is hard to find. This easy-to-use tool has inspired many people to write other Netcat implementations, many of which have features the original lacked. The most interesting of these is Socat, which extends Netcat into a more powerful tool supporting many other socket types, SSL encryption, SOCKS proxies and other extensions. It also has its own place on this list (No. 71).

There is also Chris Gibson's Ncat, which offers better support for portable devices. Other Netcat-based tools include OpenBSD's nc, Cryptcat, Netcat6, PNetcat, SBD and GNU Netcat.

5. Metasploit Framework: Hack the entire planet

The release of Metasploit in 2004 caused a strong earthquake in the security world. No other new tool has ever made the top 15 of this list in the first survey after its release (none did in the 2000 or 2003 surveys), let alone reached the top 5, surpassing many widely used tools that have been around for decades. It is a powerful open source platform for developing, testing and using exploit code. This extensible model integrates payloads, encoders, no-op generators and exploits, making the Metasploit Framework an avenue for researching high-severity vulnerabilities.

It comes with hundreds of exploits, and you can also see how exploits are generated in the online exploit-building demo. This makes writing your own exploits easier, which will certainly raise the quality of illicit shellcode and expand the dark side of the Internet. Similar professional exploitation tools, such as Core Impact and Canvas, have long been used in many professional fields. Metasploit has lowered the barrier to entry for this capability, making it available to the masses.

6. Hping2: A network detection tool, a super variant of ping

This little tool can send custom ICMP, UDP and TCP packets and display all the replies. It was inspired by the ping command, but it does much more than ping. It also includes a small traceroute module and supports IP fragmentation.

This tool is useful when common tools cannot traceroute, ping or probe hosts protected by firewalls. It can often help you work out a firewall's rule set, and of course you can also use it to learn the TCP/IP protocols and run IP protocol experiments.

7. Kismet: A super powerful wireless sniffer

Kismet is a command line (ncurses) based 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. It sniffs networks passively (as opposed to many active tools such as NetStumbler) and can discover hidden networks (those that do not beacon).

It can automatically detect network IP ranges by sniffing TCP, UDP, ARP and DHCP packets, log traffic in a Wireshark/TCPDump compatible format, and can even plot detected networks and estimate their range against downloaded maps. As you can imagine, this tool is commonly used for wardriving (and warwalking, warflying and warskating...).

8. Tcpdump: The most classic network monitoring and data capture sniffer

Everyone used Tcpdump before Ethereal (Wireshark) appeared, and many people still use it now. It may not have as many bells and whistles as Wireshark (such as a beautiful graphical interface, or hundreds of application protocol dissectors), but it does many tasks well, has very few bugs, and consumes very few system resources.

It rarely gains new features, but bugs get fixed and it stays small. It does a good job of tracking down the source of network problems and monitoring network activity. Its Windows port is called WinDump. The Libpcap/WinPcap packet capture libraries are based on TCPDump and are also used by other tools such as Nmap.

9. Cain and Abel: Best Password Recovery Tool for Windows

UNIX users often claim that Unix is the best platform because there are so many very good free security tools for it, and that Windows is generally not worth considering. They may be right, but Cain & Abel really shines. This Windows-only password recovery tool can do a lot.

It can recover passwords by sniffing the network, crack encrypted passwords with dictionary, brute-force and cryptanalysis attacks, record VoIP conversations, decode scrambled passwords, reveal passwords hidden behind asterisks, extract cached passwords, and analyze routing protocols. In addition, it is very well documented.

10. John the Ripper: A powerful, simple and multi-platform password cracker

John the Ripper is the fastest password cracker. It currently supports many flavours of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS and OpenVMS. Its main purpose is to detect weak Unix passwords.

It supports several (crypt(3)) password hash types found on mainstream Unix, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Other hash types can be added via patches. If you wish to start with some word lists, you can find them here, here and here.

11. Ettercap: More protection for switched LANs

Ettercap is a terminal-based Ethernet LAN sniffer/interceptor/logger. It supports active and passive dissection of many protocols (even encrypted ones such as ssh and https).

It can also inject data into established connections and filter them on the fly while keeping the connections synchronized. Its many sniffing modes make up a powerful and comprehensive sniffing suite. Plugins are supported. It can tell whether you are on a switched LAN and uses OS fingerprinting (active or passive) to work out the LAN's structure.

12. Nikto: Very comprehensive web scanner

Nikto is an open source (GPL) web server scanner that performs comprehensive tests against web servers, covering more than 3200 potentially dangerous files/CGIs, more than 625 server versions and more than 230 version-specific server problems. Scan items and plugins can be updated automatically (if desired). Its underlying functions are built on Whisker/libwhisker. It is a great tool, but the software itself is not updated very often, and the newest and most dangerous problems may go undetected.

13. Ping/telnet/dig/traceroute/whois/netstat: basic commands

While there are many heavyweight high-tech network security tools out there, don't forget the basics! Every network security professional should be very familiar with these basic commands, because they are available on most platforms (whois is tracert on Windows platforms).

They are always at hand; of course, if you need more advanced functionality, you can turn to Hping2 and Netcat.

14. OpenSSH/PuTTY/SSH: A secure way to access remote computers

SSH (Secure Shell) is now the common way to log in to or execute commands on a remote computer. It provides secure, encrypted communication between two untrusted hosts over an insecure network, replacing the very insecure telnet/rlogin/rsh. Most UNIXes use the open source OpenSSH server and client. Windows users prefer the free PuTTY client, which also runs on a variety of mobile devices. Some Windows users prefer Cygwin, which provides a terminal-based OpenSSH. There are many other paid and free clients; you can find them here and here.

15. THC Hydra: The fastest network authentication cracker that supports multiple services

If you need to brute-force a remote authentication service, Hydra is often the tool of choice. It can run fast dictionary attacks against more than 30 ports in parallel, including telnet, ftp, http, https, smb, several databases and other services. Like THC Amap, Hydra comes from the independent group THC.

16. Paros proxy: web program vulnerability assessment proxy

A Java-based web application vulnerability assessment proxy. It supports real-time editing and viewing of HTTP/HTTPS messages, including modification of cookies and form fields. It includes a web traffic recorder, web spider, hash calculator and a scanner for common web application attacks such as SQL injection and cross-site scripting.

17. Dsniff: A powerful network assessment and penetration detection tool suite

This well-designed and popular suite by Dug Song contains many tools. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for sensitive data (passwords, email addresses, files, etc.). Arpspoof, dnsspoof and macof can intercept network traffic that would normally be unavailable to an attacker (for example because of layer-2 switching).

Sshmitm and webmitm redirect ssh and https sessions by exploiting weak bindings in ad-hoc PKI to mount active monkey-in-the-middle (man-in-the-middle session hijacking) attacks. The Windows version can be obtained here. All in all, a very useful toolset that does almost everything password sniffing requires.

18. NetStumbler: Free Windows 802.11 Sniffer

Netstumbler is the best-known Windows tool for finding open wireless access points ("wardriving"). The version for WinCE PDAs is called Ministumbler. The software is currently free but runs only on Windows, and the source is not open. It uses more active methods to find WAPs, whereas Kismet or KisMAC rely on passive sniffing.

19. THC Amap: An App Fingerprint Scanner

Amap is a great program for detecting which application is listening on a given port. Because of its unique version-detection approach, its database will not grow as large as Nmap's. Consider using it when Nmap's service detection fails or other software does not work. Amap can also parse Nmap output files. This is another valuable tool contributed by THC.

20. GFI LANguard: A commercial network security scanner for Windows

GFI LANguard discovers live machines by scanning the IP network, then attempts to identify the operating system version and the applications running on each host. It tries to gather service pack levels, missing security updates, wireless access points, USB devices, open shares, open ports, running services and applications, key registry entries, weak passwords, users and groups on Windows hosts, and more. Scan results are stored in a customizable, queryable HTML report. It also includes a patch manager that checks for and installs missing patches. A trial version is available for free, but only for 30 days.

21. Aircrack: The fastest WEP/WPA cracking tool

Aircrack is a suite of tools for cracking 802.11a/b/g WEP and WPA. It can crack 40- to 512-bit WEP keys once enough encrypted packets have been collected, and can also crack WPA 1 or 2 networks using advanced cryptographic methods or brute force. The suite includes airodump (802.11 packet capture), aireplay (802.11 packet injection), aircrack (static WEP and WPA-PSK cracking) and airdecap (decryption of WEP/WPA capture files).

22. Superscan: A port scanner, ping tool and parser that only runs on the Windows platform

SuperScan is a free, closed-source TCP/UDP port scanner developed by Foundstone that runs only on Windows. It also contains many other network tools, such as ping, traceroute, HTTP HEAD and whois.

23. Netfilter: The latest Linux kernel packet filter/firewall

Netfilter is a powerful packet filter built into the standard Linux kernel. It works with the userspace iptables tool. It currently supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multi-layer APIs for third-party extensions. It includes various modules for handling awkward protocols such as FTP. For other UNIX platforms, see OpenBSD PF (OpenBSD only) or IP Filter. Many personal firewalls are available for Windows (Tiny, Zone Alarm, Norton, Kerio...), but none of them offer the iptables interface above. Microsoft has integrated a very basic firewall into Windows XP SP2, and if you do not install it, it will keep nagging you to install it.

24. Sysinternals: A powerful and comprehensive collection of Windows tools

Sysinternals provides many very useful small tools for Windows low-level hackers. Some are free, some come with source code, and others require payment. Respondents liked the following tools from this collection the most:

  • ProcessExplorer monitors all files and directories opened by all processes (similar to LSoF on Unix).
  • PsTools manages (executes, suspends, kills, views) local and remote processes.
  • Autoruns discovers which executables are loaded at system startup and login.
  • RootkitRevealer detects registry and file system API anomalies to discover user-mode or kernel-mode rootkits.
  • TCPView views the TCP and UDP endpoints of each process (similar to Netstat on Unix).

The company that produced this software was acquired by Microsoft in 2005, so the direction of its future product line cannot be predicted.

25. Retina: Commercial vulnerability assessment scanner produced by eEye

Like Nessus, Retina scans all hosts on a network and reports any vulnerabilities found. It is produced by eEye, a company known for its security research.

26. Perl/Python/Ruby: Simple, multi-purpose scripting language

There are tools available online for common security problems, but with a scripting language you can write your own (or modify existing) tools when you need to solve a specific problem. These fast, simple scripting languages let you test for, find, and even fix system bugs. CPAN is full of modules such as Net::RawIP and protocol implementations that can make your life easier.

27. L0phtcrack: Windows password guessing and recovery program

L0phtCrack, also known as LC5, attempts to crack Windows passwords from hashes obtained (by some means of access) from Windows NT/2000 workstations, networked servers, primary domain controllers or Active Directory; sometimes the hashes can also be obtained by sniffing. It guesses passwords through various methods (dictionary, brute force, etc.).

Symantec stopped developing LC5 in 2006, but the LC5 installer can still be found everywhere. The free trial can only be used for 15 days, and Symantec has stopped selling registration codes for this software, so anyone unwilling to give it up would need a matching registration code generator (key generator). Because Symantec no longer maintains this software, it is better to try Cain and Abel or John the Ripper instead.

28. Scapy: Interactive packet processing tool

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool and packet sniffer. It provides classes for interactively building packets or sets of packets, manipulating them, sending them, sniffing packets, matching requests with replies, and more. Interaction happens through the Python interpreter, so knowledge of basic Python (variables, loops, functions) is helpful. Report generation is supported and simple.

29. Sam Spade: Windows Internet query free tool

Sam Spade provides a graphical interface and convenient operation for many common network query tasks. It was designed for tracking down spammers, but it can also be used for many other network exploration, administration and security tasks. It contains many useful tools such as ping, nslookup, whois, dig, traceroute, finger, a raw HTTP web browser, DNS zone transfer, SMTP relay check, website search and many more. Non-Windows users can use many of the same tools online.

30. GnuPG/PGP: Advanced encryption for your files and communications

PGP is the well-known encryption program by Phil Zimmermann that protects your data from eavesdropping and other risks. GnuPG is a well-regarded open source implementation of the PGP standard (the executable is called gpg). GnuPG is free, while PGP charges some users.

31. Airsnort: 802.11 WEP encryption cracking tool

AirSnort is a wireless LAN (WLAN) tool for recovering encryption keys. Produced by the Shmoo Group, it works by passively monitoring transmissions and computing the encryption key once enough packets have been collected. Aircrack is very similar to it.

32. BackTrack: A very innovative and groundbreaking Live CD (bootable directly from the disc) Linux platform

This excellent bootable Linux CD is the result of the merger of Whax and Auditor. It is known for its extremely rich set of security and defensive tools paired with a full development environment. The key is its modular design: users can customize which modules are burned onto the CD, such as their own scripts, additional tools, custom kernels, and so on.

33. P0f: Universal passive operating system fingerprint tool

P0f can identify the operating system of a host by capturing and analyzing the packets it sends, even if the host sits behind a good firewall. P0f generates no direct or indirect network load: no name lookups, no mysterious probes, no ARIN queries, nothing. Experts can also use P0f to detect whether a host is behind a firewall, NAT or a load balancer, and more!

34. Google: Everyone's Favorite Search Engine

Google is certainly not a security tool, but its enormous database is the best resource for security experts and attackers alike. If you want to learn about a company, you can simply search for "site:target-domain.com" and get employee names, sensitive information (which the company usually does not disclose to the public, but which may well be on Google), vulnerabilities in the company's internally deployed software, and more. Similarly, if you find a website with a certain vulnerability through Google, Google will also give you a list of other websites with the same vulnerability.

Johnny Long, a master of using Google for hacking, established the Google Hacking Database and published a book on the subject, Google Hacking for Penetration Testers.

35. WebScarab: A framework for analyzing applications using the HTTP and HTTPS protocols

Its principle is simple: WebScarab records the sessions (requests and responses) it observes, and users can review them in various ways. WebScarab is designed to let users understand how an HTTP(S)-based application works; it can also be used to debug hard-to-find bugs, and it helps security experts discover potential vulnerabilities in an application.

36. Ntop: Network Communication Monitor

Ntop displays network usage in a manner similar to a process manager. In interactive mode it shows network status on the user's terminal; in web mode it acts as a web server, presenting network conditions as HTML pages. It is a NetFlow/sFlow emitter and collector. Through an HTTP-based client interface it provides ntop-centric monitoring, and it uses RRD (Round Robin Database) to persistently store traffic statistics.

37. Tripwire: Very old file integrity checker

A file and directory integrity checker. Tripwire helps system administrators and users monitor changes to specified files and directories. Used for periodic (for example, daily) checks of system files, Tripwire can notify administrators of corrupted or tampered files, making it a periodic damage-control mechanism.

A free open source Linux version can be downloaded at http://Tripwire.Org. AIDE is a Tripwire replacement for UNIX platforms. Radmind, RKHunter and chkrootkit are also good options. Windows users should use RootkitRevealer from Sysinternals.

38. Ngrep: Convenient packet matching and display tool

ngrep aims to provide as many of GNU grep's features as possible, applied at the network layer. Ngrep is a pcap-aware tool that lets you specify extended regular or hexadecimal expressions to match against the data payloads of packets. It currently recognizes TCP, UDP and ICMP over Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same way as Tcpdump and snoop.

39. Nbtscan: Gathering NetBIOS Information on a Windows Network

NBTscan scans IP networks for NetBIOS name information. It sends a status query to every address in the specified range and presents the responses to the user as a table. For each responding address it reports the IP address, NetBIOS computer name, logged-in user and MAC address.

40. WebInspect: powerful web program scanner

SPI Dynamics' WebInspect application security assessment tool helps you identify known and unknown web-layer vulnerabilities. It can also check web server configuration and perform common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.

41. OpenSSL: The best SSL/TLS encryption library

The OpenSSL project aims to develop, through open source collaboration, a robust, full-featured, open source toolkit implementing the SSL v2/v3 (Secure Sockets Layer) and TLS v1 (Transport Layer Security) protocols, together with a general-purpose cryptographic library. The project is maintained by volunteers worldwide who communicate, plan and develop the OpenSSL toolkit and its documentation over the Internet.

42. Xprobe2: Active OS Fingerprinting Tool

XProbe is a remote host operating system probing tool. The developers built on some of the same techniques as Nmap and added their own innovations. Xprobe fingerprints hosts via the ICMP protocol.

43. EtherApe: A graphical network monitor for Unix modeled after etherman

Featuring link-layer, IP and TCP modes, EtherApe displays network activity graphically, using different colours for different protocols. The size of hosts and links in the graph varies with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic shown and can also read network capture files.

44. Core Impact: Fully automatic and comprehensive *** detection tool

Core Impact is not cheap (be prepared to spend tens of thousands of dollars), but it is widely recognised as the most powerful exploitation tool available. It has a large, regularly updated database of professional exploits and can easily hack a computer and use it as a springboard to reach other systems. If you cannot afford Core Impact, take a look at the cheaper Canvas or the free Metasploit Framework. Of course, using all three together is best.

45. IDA Pro: Windows or Linux disassembler and debugger

Disassembly is a very important direction in security research. It lets you take apart Microsoft's patches to understand vulnerabilities that Microsoft quietly fixed without disclosure, or examine a server binary directly to find out why a known exploit does not work. There are many disassemblers, but IDA Pro has become the de-facto standard for analyzing malicious code and researching vulnerabilities in binaries. This graphical, programmable, extensible, multi-processor disassembler now has a Linux version (command-line mode) resembling the Windows one.

46. SolarWinds: Network Discovery/Monitoring/Attack Series Tools

SolarWinds makes and sells many professional system management tools. The security-related ones include several network discovery scanners, an SNMP brute-force cracker, a router password decryptor, a TCP connection reset program, one of the fastest and easiest-to-use router configuration download/upload programs, and more.

47. Pwdump: A Windows Password Recovery Tool

Pwdump can extract NTLM and LanMan hashes from Windows hosts, whether or not Syskey (the system key) is enabled. It can also display password histories stored on the system. Output is in an L0phtcrack-compatible format and can also be written to a file.

48. LSoF: open file list

This Unix diagnostic and research tool lists information about the files currently opened by every process. It can also list all communication sockets opened by processes. A similar tool on the Windows platform comes from Sysinternals.

49. RainbowCrack: An innovative password hash cracker

RainbowCrack is a hash cracker that uses a large-scale time-memory trade-off. Traditional brute-force tools try every possible password, which can take a very long time for complex passwords. RainbowCrack instead does the cracking work ahead of time in a precomputation stage and stores the results in tables called "rainbow tables". The precomputation does take a long time, but far less than brute-force cracking, and once it is complete, the time needed to crack a given hash is very, very short.

50. Firewalk: Advanced Traceroute Tool

Firewalk uses a traceroute-like technique, analyzing IP packet responses to determine gateway ACL filter types and network structure. This classic tool was rewritten from scratch in October 2002. Most of its functionality can also be found in the traceroute module of Hping2.

51. Angry IP Scanner: A very fast IP scanner and port scanner for Windows

Angry IP Scanner performs basic host discovery and port scanning on the Windows platform. It is very small, and it can also gather additional information about hosts through a few plugins.

52. RKHunter: A Rootkit Detector for Unix Platforms

RKHunter is a tool for detecting rootkits, backdoors and local exploits. It uses a variety of detection methods, including MD5 hash comparison, detection of rootkits' default file names, file permission checks, and detection of suspicious strings in LKM and KLD modules.

53. Ike-scan: VPN detector and scanner

Ike-scan is a tool for discovering and fingerprinting IKE (Internet Key Exchange) services. IKE is the mechanism used to establish connections between a server and remote clients in a VPN. After scanning a range of IP addresses for VPN servers, it sends specially crafted IKE packets to each host; any host running IKE replies, proving that it exists. The tool then records and displays these replies and compares them against a set of known VPN product fingerprints. Ike-scan's VPN fingerprints include products from Checkpoint, Cisco, Microsoft, Nortel and Watchguard.

54. Arpwatch: Keep track of Ethernet/IP address pairings, which can detect man-in-the-middle attacks

Arpwatch is the classic ARP man-in-the-middle attack detector produced by the LBNL Network Research Group. It logs network activity to syslog and reports specific changes to administrators via email. Arpwatch uses libpcap to listen for ARP packets on the local Ethernet interface.

55. KisMAC: A Graphical Passive Wireless Network Finder for Mac OS X

This very popular network finder for Mac OS X has similar functionality to Kismet, but unlike Kismet, which is command-line based, KisMAC has a very beautiful graphical interface, and it appeared on OS X earlier than Kismet. It also provides mapping, Pcap-compatible data import, logging, and some decryption, deauthentication and cracking features.

56. OSSEC HIDS: An open source host-based intrusion detection system

The main functions of OSSEC HIDS are log analysis, integrity checking, rootkit detection, time-based alerting and active response. Beyond intrusion detection, it is also commonly used as part of SEM/SIM (Security Event Management / Security Information Management) solutions. Because of its powerful log analysis engine, ISPs (Internet service providers), universities and data centers use it to monitor and analyze the logs generated by their firewalls, intrusion detection systems, web servers, authentication systems and more.

57. Openbsd PF: OpenBSD Packet Filter

Like Netfilter and IP Filter on other platforms, PF is the firewall OpenBSD users rely on. Its functions include network address translation, managing TCP/IP traffic, bandwidth control and packet classification. It also has some extra features, such as passive OS detection. PF was written by the same people who wrote OpenBSD, so you can expect it to have been carefully evaluated, designed and coded to avoid the kinds of vulnerabilities exposed in other packet filters.

58. Nemesis: Simple Packet Injection

The Nemesis project aims to provide a command-line-based, portable, human-driven IP stack for Unix/Linux (and now Windows): in practice, a packet crafting and injection toolset. It is organized by protocol and makes it easy to script injected packet streams from the shell. If you like Nemesis, you may also be interested in Hping2; the two are complementary.

59. Tor: anonymous network communication system

Tor is a toolset for the wide range of organizations and people who want to improve their safety and privacy on the network. It supports anonymous web browsing and publishing, instant messaging, IRC, SSH, and other TCP-based applications. Tor also provides a platform on which software developers can build applications with anonymity, safety and privacy features built in. Vidalia provides a cross-platform graphical interface.

60. Knoppix: A multi-purpose CD or DVD disc self-booting system

Knoppix consists of a representative collection of GNU/Linux software; it detects the hardware automatically and supports a wide range of graphics cards, sound cards, SCSI and USB devices and other peripherals. As an efficient CD-based Linux system, KNOPPIX can be used as a desktop system, a Linux teaching CD, a rescue system and so on. The Nmap survey on which this list is based also found it a useful compact security toolkit. If you want a Linux distribution built specifically for security work, see BackTrack.

61. ISS Internet Scanner: Application-level vulnerability scanner

Internet Scanner began as an open source scanner written by Christopher Klaus in 1992. The tool has since grown into a multi-billion-dollar company (ISS) that produces countless security products.

62. Fport: Enhanced version of netstat produced by Foundstone

Fport reports all open TCP/IP and UDP ports on the local machine and maps each one to the application that opened it, so you can quickly identify unknown open ports and the programs behind them. It is only available for Windows, but netstat on many UNIX systems now provides the same functionality (on Linux use 'netstat -pan', or 'ss -tulpn' on newer systems). A SANS article covers Fport's usage and how to interpret its output.

63. chkrootkit: local rootkit detector

chkrootkit is a small, easy-to-use tool for Unix platforms that detects a range of rootkits. Its checks include detection of modified system binaries, utmp/wtmp/lastlog modifications, interfaces in promiscuous mode, and malicious kernel modules.

64. SPIKE Proxy: HTTP attack proxy

SPIKE Proxy is an open source HTTP proxy for discovering website vulnerabilities. It is part of the SPIKE Application Testing Suite; its features include automatic SQL injection detection, web site crawling, login form brute forcing, overflow detection and directory traversal detection.

65. OpenBSD: Considered the most secure operating system

OpenBSD is one of the operating systems that treats security as its top priority, sometimes placing it above ease of use, so its impressive security track record is no surprise. OpenBSD also attaches great importance to system stability and hardware support. Perhaps the project's greatest contribution was the creation of OpenSSH. OpenBSD users also speak highly of pf, the OpenBSD firewall, featured at #57 on this list.

66. Yersinia: A low-level attack tool that supports multiple protocols

Yersinia is a low-level protocol attack tool. It can carry out a variety of attacks against a variety of protocols, for example seizing the root role in STP (Spanning Tree Protocol), generating fake CDP (Cisco Discovery Protocol) neighbors, impersonating the active router in an HSRP (Hot Standby Router Protocol) environment, faking DHCP replies, and other low-level attacks.

67. Nagios: An open source host, service and network monitoring program

Nagios is a system and network monitoring program. It watches the hosts and services you specify and notifies you when a problem occurs in a monitored object and again when it is resolved. Its main functions include monitoring network services (SMTP, POP3, HTTP, NNTP, ping, etc.), monitoring host resources (processor load, disk usage, etc.), and sending notifications in various forms (email, pager or other user-defined methods) when problems are found or resolved.

68. Fragroute/Fragrouter: A tool set for network intrusion detection evasion

Fragrouter is a one-way fragmenting router: IP packets are sent from the attacker to Fragrouter, which turns them into a fragmented data stream and forwards it to the victim. Many intrusion detection systems cannot reassemble such traffic (via IP fragmentation and TCP stream reassembly) into the same whole that the victim's stack sees; the classic paper by Ptacek and Newsham describes the problem in detail. Fragrouter thus helps an attacker launch IP-based attacks while evading detection. It is part of the NIDSbench suite by Dug Song. Fragroute is a newer, similar tool, also by Dug Song.
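The reassembly ambiguity Fragrouter exploits, as an added example that is not Fragroute's or Fragrouter's own code. The fragment list is constructed for the demo, offsets are byte offsets for readability (real IP fragment offsets count 8-byte units), and the two policy names are this example's labels for the two ways a stack can resolve an overlap.

```python
# Added example (not fragroute's own code): why overlapping IP fragments let
# an attacker evade a NIDS. Two reasonable reassembly policies produce two
# different payloads from the same fragments; if the IDS and the victim host
# disagree, the IDS inspects data the host never sees. Offsets here are byte
# offsets for readability (real IP fragment offsets count 8-byte units).

# Constructed fragment stream in arrival order: (offset, data).
# The third fragment fully overlaps the second.
OVERLAPPING_FRAGMENTS = [
    (0, b"GET /"),
    (5, b"nice"),
    (5, b"evil"),
]

CLEAN_FRAGMENTS = [
    (0, b"GET /"),
    (5, b"nice"),
]


def reassemble(fragments, policy):
    """Reassemble a fragment list under a given overlap policy.

    'first': bytes that arrived first win (the overlapping data is ignored).
    'last':  later fragments overwrite earlier data.
    Different TCP/IP stacks have historically chosen different policies, and
    an IDS that picks the wrong one for a given victim can be evaded.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("gap in fragment stream, cannot reassemble")
    return bytes(buf)


def has_overlap(fragments):
    """Detection side: overlap is anomalous in normal traffic and worth an
    alert on its own, whatever reassembly policy the sensor uses."""
    covered = set()
    for off, data in fragments:
        span = set(range(off, off + len(data)))
        if covered & span:
            return True
        covered |= span
    return False


def evasion_succeeds(fragments, ids_policy, host_policy):
    """True when the IDS and the target host reassemble different payloads."""
    return reassemble(fragments, ids_policy) != reassemble(fragments, host_policy)


if __name__ == "__main__":
    print("IDS (first-wins) sees :", reassemble(OVERLAPPING_FRAGMENTS, "first"))
    print("host (last-wins) gets :", reassemble(OVERLAPPING_FRAGMENTS, "last"))
    print("overlap detected      :", has_overlap(OVERLAPPING_FRAGMENTS))
```

The practical lesson for the defender is in `has_overlap`: a sensor cannot know every victim's policy, but it can flag overlapping fragments as an attack in their own right, which is how later NIDS engines closed this class of evasion.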

69. X-scan: A network vulnerability scanner

A multi-threaded, plugin-based vulnerability scanner. X-Scan's main functions include full NASL (Nessus Attack Scripting Language) support, service type detection, remote operating system type and version detection, weak username/password matching, and more. Note that the project's website is in Chinese.

70. Whisker/libwhisker: CGI vulnerability scanner and vulnerability library produced by Rain.Forest.Puppy

Libwhisker is a collection of Perl modules for HTTP testing. It is used to test HTTP servers for many known security vulnerabilities, especially CGI vulnerabilities. Whisker is a scanner based on libwhisker, but these days most people use Nikto, which is also based on libwhisker.

71. Socat: Two-way data transmission relay

A Netcat-like tool that works with many protocols; it runs over files, pipes, devices (terminals, modems, etc.), sockets (Unix, IPv4, IPv6, raw, UDP, TCP), SOCKS4 clients, proxy CONNECT, SSL, and more. It provides forking, logging and dumping, different modes of interprocess communication, and many other options. It can be used as a TCP port relay (one-shot or as a daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IPv6 relay, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.

72. SARA: Security Auditor's Research Assistant

SARA is a vulnerability assessment tool derived from the infamous SATAN scanner. Updates are released about every two months, and the project tries to leverage other software created by the open source community, such as Nmap and Samba.

73. QualysGuard: Web-based vulnerability scanner

QualysGuard is delivered as a web-based service, so there is no burden of deploying, maintaining and updating vulnerability management software or ad-hoc security applications. Clients access QualysGuard securely through an easy-to-use web interface. QualysGuard includes more than 5,000 individual vulnerability checks, an inference-based scanning engine, and a vulnerability knowledge base that is updated automatically every day.

74. ClamAV: An anti-virus tool set based on GPL (General Public License: General Public License) on a UNIX platform

ClamAV is a powerful antivirus scanner that focuses on scanning mail server attachments. It includes a small, updatable multi-threaded daemon, a command-line scanner and an automatic signature update tool. The core of the package is an anti-virus engine that you can also use from your own software, but don't forget to keep its signature database updated.

75. cheops / cheops-ng: Provides many simple network tools, such as local or remote network mapping and identifying computer operating systems

Cheops provides many handy GUI network tools. It includes host/network discovery and host operating system detection. Cheops-ng detects the services running on a host; for some services it can identify which application provides the service and its version number. Cheops is no longer developed or maintained, so use cheops-ng instead.

76. Burpsuite: An integrated platform for web program attacks

Burp Suite lets attackers combine manual and automated techniques to enumerate, analyze and attack web applications. The different Burp tools work together, sharing information so that findings from one tool can be used by another to launch attacks.

77. Brutus: A network authentication brute force cracker

This brute force cracker for Windows guesses passwords for remote network services using a dictionary. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. It is not open source; THC Hydra is a similar tool for UNIX platforms.

78. Unicornscan: Alternative port scanner

Unicornscan is a port scanner that gathers information and correlates it through its own user-land distributed TCP/IP stack. It attempts to give researchers a superior interface for stimulating TCP/IP devices and networks and measuring their responses. Its main functions include asynchronous stateless TCP scanning with all TCP flag variations, asynchronous stateless TCP banner grabbing, and active/passive identification of remote operating systems, applications and components by analyzing responses. Like Scanrand, it is an alternative to conventional scanners.

79. Stunnel: Versatile SSL Encryption Wrapper

stunnel wraps connections in SSL encryption between a remote client and a local (inetd-startable) or remote server. It can add SSL support to ordinary POP2, POP3 and IMAP servers run from inetd without changing any of their code. It establishes the SSL connection using the OpenSSL or SSLeay library.

80. Honeyd: Your personal honeypot system

Honeyd is a small daemon that creates virtual hosts on the network. The services and TCP personality of a virtual host can be configured so that it appears to be running a particular operating system. Honeyd lets one host claim multiple addresses on a LAN, which suits a network lab environment. The virtual hosts can be pinged and traced with traceroute, and by editing the configuration file each one can be made to appear to run any service; service proxies can be used instead of service emulation. It depends on many libraries, so compiling and installing Honeyd can be tedious.

81. Fping: A multi-host simultaneous ping scanner

fping is a program similar to ping(1), which uses ICMP (Internet Control Message Protocol) echo requests to check whether a host is reachable. Unlike ping, fping lets you specify any number of hosts on the command line, or a file containing the list of hosts to ping. Where ping waits for a host to answer or time out before moving on, fping sends a packet to the next host immediately after sending one to the previous host, so many hosts are pinged in parallel. If a host answers, it is marked reachable and removed from the list; if it does not answer, it stays on the list to be retried and is reported unreachable once the retries are exhausted.

82. BASE: Basic Analysis and Security Engine

BASE is a PHP-based analysis engine for searching and processing security events. Its security event database is fed by many intrusion detection systems, firewalls and network monitoring tools. Features include a query builder and search interface for finding alerts; a packet viewer (decoder); and the ability to generate charts and statistics by time, sensor, signature, protocol, IP address and more.

83. Argus: IP network transaction auditing tool

Argus is a fixed-model, real-time flow monitor that tracks and reports the status and performance of all transactions seen in a data network traffic stream. Argus defines its own data format for traffic auditing, covering connectivity, capacity, demand, loss, delay and jitter as the metrics for each transaction. This format is flexible and easy to extend, supports generic flow identification and measurement, and can also capture application/protocol-specific information.

84. Wikto: Web server evaluation tool

Wikto is a tool for checking web servers for vulnerabilities. It is similar to Nikto but adds many other features, such as a Google-integrated back-end directory finder. Wikto runs on the MS .NET framework; downloading the software and source code requires registration.

85. Sguil: Network Security Monitoring console

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Its main component is an intuitive real-time display for Snort/barnyard events. It also includes other tools for network security monitoring and event-driven analysis of intrusion detection alerts.

86. Scanrand: An exceptionally fast stateless network service and topology discovery system

Scanrand is a stateless host discovery and port scanning tool similar to Unicornscan. It trades reliability for exceptional speed, and it uses cryptographic techniques (inverse SYN cookies, a keyed hash embedded in each probe's sequence number) so that an attacker cannot feed it forged replies to alter the scan results. It is part of Dan Kaminsky's Paketto Keiretsu.
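How stateless scanning and the inverse SYN cookie check fit together, as an added example that is not scanrand's own code. The scanner never stores which probes it sent; each probe's sequence number is an HMAC of the target endpoint, so a SYN/ACK can be validated by recomputation alone. The key, addresses and the simulated replies are constructed for the demo; nothing is sent on the network.

```python
# Added example (not scanrand's own code): stateless scanning with inverse
# SYN cookies. Instead of remembering every probe it sent, the scanner derives
# each probe's TCP sequence number from a keyed hash of the target; a SYN/ACK
# that acknowledges seq+1 can be validated by recomputing the hash, so no
# state is kept and forged replies from an attacker who lacks the key are
# discarded. Packet delivery is simulated here; nothing touches the network.
import hashlib
import hmac
import ipaddress
import os
import struct

# Per-scan secret. Use os.urandom in practice; fixed here only for the demo.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def inverse_syn_cookie(key, target_ip, target_port, source_port):
    """32-bit ISN bound to (target ip, target port, our source port)."""
    msg = ipaddress.IPv4Address(target_ip).packed + struct.pack("!HH", target_port, source_port)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    return struct.unpack("!I", digest[:4])[0]


def build_probe(key, target_ip, target_port, source_port=40000):
    """The fields of the outgoing SYN that matter for validation."""
    return {"dst_ip": target_ip, "dst_port": target_port, "src_port": source_port,
            "seq": inverse_syn_cookie(key, target_ip, target_port, source_port)}


def validate_reply(key, reply):
    """reply: dict with the SYN/ACK's src_ip, src_port, dst_port and ack.
    Genuine if ack-1 equals the cookie we would have sent to that endpoint."""
    expected = inverse_syn_cookie(key, reply["src_ip"], reply["src_port"], reply["dst_port"])
    return ((reply["ack"] - 1) & 0xFFFFFFFF) == expected


def genuine_syn_ack(probe):
    """Simulate the target answering the probe correctly (port open)."""
    return {"src_ip": probe["dst_ip"], "src_port": probe["dst_port"],
            "dst_port": probe["src_port"], "ack": (probe["seq"] + 1) & 0xFFFFFFFF}


def open_ports(key, replies):
    """Stateless result collection: keep only replies that pass the cookie check."""
    return sorted((r["src_ip"], r["src_port"]) for r in replies if validate_reply(key, r))


if __name__ == "__main__":
    key = os.urandom(16)
    probe = build_probe(key, "192.0.2.10", 80)
    real = genuine_syn_ack(probe)
    forged = dict(real, ack=(probe["seq"] + 2) & 0xFFFFFFFF)  # wrong cookie
    print("genuine:", validate_reply(key, real), " forged:", validate_reply(key, forged))
```

Because the sender keeps no table, it can emit probes as fast as the link allows and still recognise replies that arrive seconds later; the price is that a lost probe or reply is simply a missing result, which is the reliability trade-off mentioned above.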

87. IP Filter: A small UNIX packet filter

IP Filter is a software package that provides network address translation (NAT) and firewall services. It can run as a UNIX kernel module or be built into the kernel; running it as a kernel module is strongly recommended. It installs and patches system files using scripts. IP Filter is bundled with FreeBSD, NetBSD and Solaris. OpenBSD users can use OpenBSD PF and Linux users can use Netfilter.

88. Canvas: A comprehensive exploitation framework

Canvas is an exploitation framework from Dave Aitel's ImmunitySec. It contains more than 150 exploits; it is somewhat cheaper than Core Impact but still costs thousands of dollars. You can also buy the VisualSploit plugin to build exploits by drag and drop in the graphical interface. Canvas also occasionally ships exploits for 0day vulnerabilities.

89. VMware: Multi-platform virtualization software

VMware virtualization software lets you run one operating system inside another, which is very useful for security professionals who need to test code and exploits on multiple platforms. It runs on Windows and Linux hosts, but can virtualize almost any x86 operating system. It is also very useful for building sandboxes: malware infecting a VMware guest does not affect the host machine, and the infected guest can be restored by reverting to a snapshot. VMware has recently made some of its products free. Xen is another popular virtualization platform on Linux.

90. Tcptraceroute: a routing tracking tool based on TCP packets

Firewalls are so widespread in modern networks that the packets sent by a traditional traceroute (ICMP echo or UDP) are often filtered, so the trace cannot be completed. In many cases, however, the firewall allows inbound TCP packets to specific ports, namely those used by the services behind the firewall that accept external connections. By sending TCP SYN packets instead of UDP or ICMP echo packets, tcptraceroute can get through most firewalls.
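The probes such a trace sends, as an added example that is not tcptraceroute's own code: one TCP SYN per TTL, with correct IPv4 and TCP checksums, and the three kinds of answer a trace has to classify. Actually sending the packets needs a raw socket and root, so that part is left as a comment; the addresses are documentation ranges, and setting the IP ID to the TTL is this example's way of matching ICMP replies to hops, not necessarily what tcptraceroute itself does.

```python
# Added example (not tcptraceroute's own code): building the TCP SYN probes a
# tcptraceroute-style trace sends, one per TTL, with correct IPv4 and TCP
# checksums. Sending them needs a raw socket (root) and is left as a comment,
# so the block runs offline; the addresses are documentation ranges.
import socket
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_probe(src_ip, dst_ip, src_port, dst_port, ttl, seq=0):
    """20-byte IPv4 header + 20-byte TCP header with SYN set and the given TTL."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # Version/IHL, TOS, total length, ID, flags+frag (DF), TTL, proto, checksum, src, dst.
    # The IP ID is set to the TTL (this example's choice): an ICMP Time Exceeded
    # reply quotes our IP header, so the hop number can be read back from it.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ttl, 0x4000, ttl, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # Source port, dest port, seq, ack, data offset (5 words), flags, window, checksum, urgent.
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, TCP_SYN, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header of src, dst, zero, proto, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", inet_checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def probe_series(src_ip, dst_ip, dst_port, max_hops=30, src_port=40000):
    """One SYN per TTL from 1 to max_hops, the full set a trace would send."""
    return [build_syn_probe(src_ip, dst_ip, src_port, dst_port, ttl) for ttl in range(1, max_hops + 1)]


def verify_probe(packet):
    """Re-checksum both headers; a correct packet folds to zero in both."""
    ip_hdr, tcp_hdr = packet[:20], packet[20:40]
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp_hdr))
    return inet_checksum(ip_hdr) == 0 and inet_checksum(pseudo + tcp_hdr) == 0


def probe_ttl(packet):
    """TTL is byte 8 of the IPv4 header."""
    return packet[8]


def classify_reply(icmp_type, tcp_flags):
    """How a trace reads what comes back for a given TTL: ICMP type 11 (Time
    Exceeded) is an intermediate router; a TCP SYN/ACK (0x12) means the target
    was reached and the port is open; a TCP RST (0x04) means reached, port closed."""
    if icmp_type == 11:
        return "hop"
    if tcp_flags is not None and tcp_flags & 0x12 == 0x12:
        return "destination (port open)"
    if tcp_flags is not None and tcp_flags & 0x04:
        return "destination (port closed)"
    return "no answer"


if __name__ == "__main__":
    # Sending would need: s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    # followed by s.sendto(pkt, (dst_ip, 0)) per probe, then reading the ICMP/TCP replies.
    for pkt in probe_series("192.0.2.1", "198.51.100.80", 80, max_hops=3):
        print("ttl=%d len=%d checksums_ok=%s" % (probe_ttl(pkt), len(pkt), verify_probe(pkt)))
```

The point of aiming at a port the firewall already permits (80 or 443 for a web host) is that the final hop answers with a SYN/ACK or RST rather than silence, so the trace terminates cleanly instead of timing out at the filter.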

91. SAINT: Comprehensive Network Tool for Security Management

SAINT, like Nessus, ISS Internet Scanner and Retina, is a commercial vulnerability assessment tool. It used to be free, open source software running on UNIX systems, but now it costs money.

92. OpenVPN: Full-featured SSL VPN solution

OpenVPN is an open source SSL VPN toolkit that covers many use cases, including remote access, site-to-site VPNs, WiFi security and enterprise-scale remote access with load balancing, failover and fine-grained access control. OpenVPN implements OSI layer 2 or layer 3 secure network extension using the industry-standard SSL/TLS protocol, supports flexible client authentication based on certificates, smart cards and/or two-factor authentication, and allows user- or group-specific access control policies through firewall rules applied to the VPN virtual interface. OpenVPN uses OpenSSL as its primary cryptographic library.

93. OllyDbg: Assembly-level Windows debugger

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Because it works directly on binary code, it is very useful when source code is not available. OllyDbg has a graphical user interface, and its advanced code analyzer can recognize procedures, loops, API calls, switches, tables, constants and strings; it can attach to running programs and supports multi-threading. OllyDbg is free to download, but not open source.

94. Helix: A Security-focused Linux Edition

Helix is a customized version of the Knoppix bootable Linux CD. Helix is much more than a bootable CD: in addition to booting into a custom Linux environment, it has excellent hardware support and includes many tools for incident response and forensics. Helix is designed to touch the host's hardware and data as little as possible: it does not automatically mount swap space, nor does it automatically mount any attached devices. Helix also has a Windows autorun side for incident response and forensics on a live Windows system.

95. Bastille: Security Hardening Script for Linux, Mac OS X and HP-UX

Bastille locks down the operating system, reducing the system's attack surface and increasing its security. Bastille can also assess the current state of a system's security and report on each setting and its status. Bastille currently supports Red Hat (Fedora Core, Enterprise, and the numbered/classic editions), SUSE, Debian, Gentoo and Mandrake Linux distributions, as well as HP-UX and Mac OS X. Bastille is designed to educate users and administrators about how to harden their systems. In its default, most thorough interactive mode, it asks the user a series of questions, explains each one, and applies different hardening choices according to the answers. In its assessment mode it generates a report telling the user which security settings are available and which have already been hardened.

96. Acunetix Web Vulnerability Scanner: Commercial vulnerability scanner

Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL injection and cross-site scripting, and for weak passwords on login pages. Acunetix WVS has a very friendly user interface and can generate customized website security assessment reports.

97. TrueCrypt: Open source disk encryption software for Windows and Linux

TrueCrypt is a very good open source disk encryption system. Users can encrypt an entire file system, and it encrypts and decrypts transparently on the fly once the passphrase has been entered. Its very clever hidden volume feature lets you apply a second layer of encryption to particularly sensitive content and conceal its existence, so even if the outer volume's passphrase is disclosed, an attacker cannot tell that hidden content exists.

98. Watchfire AppScan: Commercial web vulnerability scanner

AppScan performs security testing across the application development life cycle, allowing unit testing and security assurance as early as the development stage. AppScan can scan for many common vulnerabilities, such as cross-site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows, and more.

99. N-Stealth: Web server scanner

N-Stealth is a web server security scanner. It is updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but its website's claims that it scans for 30,000 vulnerabilities and exploits and that dozens of vulnerability checks are added every day are highly doubtful. General vulnerability scanners such as Nessus, ISS Internet Scanner, Retina, SAINT and SARA all contain web scanning components, and none of them manages daily updates. N-Stealth runs on Windows and is not open source.

100. MBSA: Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium-sized businesses assess their security state against Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). MBSA scans an average of 3 million computers each week.

Origin blog.csdn.net/m0_59162248/article/details/131637512