Open Source Security Tool Overview
Presented by Kitch Spicer & Douglas Couch, Security Engineers for ITaP
Introduction
Topics covered:
Vulnerability Testing
Network Security
Passive Network Detection
Firewalls
Anti-virus/Anti-malware
Host Intrusion
Forensics
Encryption
Log File Analysis
Miscellaneous
All-In-One disks
Vulnerability Testing
OpenVAS: network and host vulnerability scanner; an offshoot of Nessus.
NSAT: Network Security Analysis Tool (similar to OpenVAS).
Nikto: web application vulnerability scanner.
W3AF: Web Application Attack and Audit Framework.
Pixy: PHP source code scanner for XSS and SQL injection flaws.
Network Security
Wireshark (Windows, Linux, UNIX): multi-platform network protocol analyzer with a large feature set and a variety of export format options.
Snort (Windows, Linux, UNIX, Mac): IDS/IPS which combines signature-, protocol- and anomaly-based inspection.
Network Security
ntop (Windows, Linux, UNIX, Mac): network traffic probe providing insight into network usage. Analyzes IP traffic, sorts it by source and destination, and can passively identify the host OS.
Network Security
nfdump (Linux, UNIX): set of command-line tools to collect and process NetFlow data.
NfSen (Linux, UNIX): web-based GUI for the nfdump tools. Lets you view flows, packets and bytes and navigate easily through NetFlow data.
Network Security
Nmap (Windows, Linux, UNIX, Mac): network discovery tool which uses raw IP packets to determine which hosts are on the network, which services those hosts are running, their OS, and more.
Network Security
Netcat (Linux, UNIX, Mac): network utility which reads and writes data over TCP/IP connections. Also has built-in port scanning, a tunneling mode, and advanced usage options.
Network Security
AFICK (Windows, Linux): file integrity tool with a very simple interface that shows which files have changed on a system.
Network Security
tcpdump (Linux, UNIX, Mac): command-line packet sniffer/analyzer which displays packets being sent and received over the network to which the system is attached.
WinDump (Windows): Windows version of tcpdump.
Passive Network Detection
p0f (Windows, Linux, UNIX): extremely versatile passive OS fingerprinting tool which not only identifies the OS but can also detect the use of a firewall, NAT, or load balancer, and even the remote system's ISP.
Passive Network Detection
PADS (Passive Asset Detection System): signature-based detection engine which passively detects network assets. Provides context to IDS alerts when used to supplement existing IDS/IPS systems.
Firewalls
pfSense: customized FreeBSD distribution used as a firewall and router. Features include VPN, NAT, redundancy, load balancing, DHCP server and relay, etc.
Firewalls
SmoothWall: firewall which includes its own hardened OS and provides a user-friendly web interface. Features include proxies (Web, POP3 email, IM), QoS, IDS via Snort, real-time traffic graphs, etc.
Firewalls
AppArmor (Linux): uses policy-based profiles to confine application access, protecting the system from malware aimed at application vulnerabilities as well as from unwanted programs.
Firewalls
ModSecurity (OS independent): web application firewall which can run embedded in the web server or as a reverse proxy. Protects against various web application attacks and provides HTTP traffic logging, monitoring and real-time analysis.
Anti-Virus/Anti-Malware
ClamAV (Windows, Linux): anti-virus toolkit for UNIX with a focus on e-mail scanning at the mail gateway.
Rootkit Hunter (Linux, UNIX): tool used to check Linux/UNIX systems for the presence of rootkits and other unwanted tools.
Anti-Virus/Anti-Malware
Nixory (OS independent): program used with the Firefox web browser which protects users from malicious data mining. It aims to remove cookies that are used for tracking in a malicious manner.
Host Intrusion
Osiris: host integrity monitoring system; a Tripwire replacement.
OSSEC: host intrusion detection including file integrity checking, log analysis, policy monitoring, and rootkit detection.
Samhain (Beltane): similar to OSSEC. Beltane (non-free) offers a control panel.
Forensics
AIR (Automated Image and Restore): GUI front-end to dd for creating forensic images.
Autopsy: web front-end for The Sleuth Kit tools.
ODESSA: open and extensible suite for acquisition, analysis and documentation of evidence.
Live View: creates a VMware image from a raw dd image while keeping the original image pristine.
Encryption
GnuPG (Windows, Linux, Mac): OpenPGP suite that lets users encrypt and sign data and communications. Features a key management system as well as access modules for public key directories.
Gpg4win (Windows): Windows distribution of GnuPG.
Encryption
AxCrypt (Windows): file encryption software which can compress, encrypt, decrypt, store, send and work with files. Integrates with Windows Explorer.
Log File Analysis
BASE (OS independent): Basic Analysis and Security Engine, a web interface for analyzing Snort alerts and detections.
Snare (various OSes): collects and analyzes security, application, system, DNS, file replication service, and AD logs.
Log File Analysis
Splunk (various OSes): monitoring and reporting tool which ingests logs, metrics, and other data from applications, servers and network devices. The information is indexed into a searchable repository from which graphs, reports and alerts can be generated.
Miscellaneous
OCS: inventory and package deployment system for Windows and *nix systems.
DBAN (Darik's Boot And Nuke): wipes drives effectively.
BleachBit: wipes free space.
Portable Apps: various.
SysInternals: Windows tools.
All-In-One
SIFT Workstation: created by SANS for forensic analysis.
BackTrack: penetration testing and other hacker tools.
OSSIM: live CD with a network SIEM system preinstalled.
Metasploit: Ruby-based framework for penetration testing and security tools.
Conclusion
Further questions?
Where do you want to go from here?