Linux Security Audit and Hacker Software Tools

Security Audit Tools:

Perform a "Security Risk Assessment" on your system with the following tools.

System Audits:

Chkrootkit (YoLinux tutorial) - Scan system for Trojans, worms and exploits.
Root kit detection:
- checkps - detect rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc. Also uses netstat.
- Rootkit hunter - scans for rootkits, back doors and local exploits
- Rkdet - root kit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer.
fsaudit - Perl script to scan filesystems and search for suspicious looking directories
COPS: Computer Oracle and Password System - UNIX security checks. Programs and shell scripts which perform security checks. Checks include file and directory permissions, passwords, system scripts, SUID files, ftp configuration check, ...
SARA - Security Auditor's Research Assistant - network security vulnerability scanner for SQL injections, remote scans, etc. (follow-on to the SATAN analysis tool)
Tiger Analytical Research Assistant (TARA Pro) - Commercial support

Network Vulnerability Audits:

Nessus (YoLinux tutorial) - Remote security scanner - This is my favorite security audit tool!! Checks service exploits and vulnerabilities.
OpenVAS: Open Vulnerability Assessment System. A branch of Nessus which is more free of licensing restrictions
Argus - IP network transaction auditing tool. This daemon promiscuously reads network datagrams from a specified interface, and generates network traffic status records
Argus 2
InterSect Alliance - Intrusion analysis. Identifies malicious or unauthorized access attempts.
Linuxforce: AdminForce CGI Auto Audit - CGI script analyzer to find security deficiencies.

Wireless:

AirSnort - wireless LAN (WLAN) tool that recovers encryption keys.
WEPCrack

Application Security Audit:

Gauntlt - app security tests. Can be integrated with Continuous Integration (CI) builds
PortSwigger.net: Burp - Coverage of over 100 generic application vulnerabilities, such as SQL injection and cross-site scripting (XSS), and all vulnerabilities in the OWASP top 10
Mozilla.org: Firefox browser security Plugins:
- Mozilla: HackBar - web-app security tests for sql injections, XSS holes, Broken Authentication and Session Management and site security
- Tamper Data - Trace and time http response/requests. Security test web applications by modifying POST parameters.
OWASP - Open Web Application Security Project
- ZAP - find web applications security vulnerabilities
- List of all OWASP security test tools
Watabo - security tool for semi-automated testing of web applications

Port Scanners:

Used to identify computer network services available for exploit.

nmap - Port scanner and security scanning and investigation tool
- NmapFe++ - GUI front-end to NMAP
- KNmap - KDE front-end
- pbnj - Diff nmap scans to find changes to systems on the network.
- nmap3d - nmap post processing to 3-d VRML
- nmap-sql - log scans to database
- Gremwell MagicTree - processes NMap and OpenVAS output to generate a report. Requires OpenOffice.
portscan - C++ Port Scanner will try to connect on every port you define for a particular host.
pof - passive OS fingerprinting.
Web/http scan:
- Nikto - web server scanner. CGI, vulnerability checks. Not a stealthy tool. For security tests.

Portscanning Information:

Art of port scanning - types of scans explained.

Network Sniffers:

Linux Tools for Network Examination.

DSniff - network tools for auditing and penetration testing.
Wireshark - full network protocol sniffer/analyzer
IPTraf - curses based IP LAN monitor
TcpDump - network monitor and data acquisition
- VOMIT - Voice Over Mis-configured Internet Telephones - Use TCP dump of VOIP stream and convert to WAV file.
  Cisco Call Manager depends on MS/SQL server and are thus vulnerable to SQL Slammer attacks.
KISMET - 802.11a/b/g wireless network detector, sniffer and intrusion detection system.
DISCO - Passive IP discovery and fingerprinting tool. Sits on a segment of a network to discover unique IPs and identify them.
Yersina - Framework for analyzing and testing the deployed networks and systems. Designed to take advantage of some weakness in different Layer 2 protocols: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
YoLinux.com List of network monitoring tools and example tcpdump sessions

Hacker Tools:

Password crackers:

(can also be part of a vulnerability audit)

John the Ripper - weak password detection. crypt, Kerberos AFS, MS/Windows LM, ...
Rainbow CRACK - password hacker, RainbowCrack uses time-memory tradeoff algorithm to crack hashes. It differs from brute force hash crackers.
Medusa - speedy, massively parallel, modular, login brute-forcer

Exploits:

Exploit framework:

MetaSploit - Exploit launcher, test and development tool

Commercial Vendors:

RSA Security - Encryption and secure commerce.
CryptoHeaven - Secure online storage, file sharing and distribution, email, instant messaging. Free Linux client but it is a commercial for fee service. (less than 2MB storage is free)
Tiger Analytical Research Assistant (TARA Pro) - Texas A+M Tiger Commercial support
TIS: Trusted Informations Systems Inc. - [download] - TIS Internet firewall toolkit
Tripwire Security Systems - Intrusion detection
Labatam: Secure X-Server Encryption

Online Web Based Tools:

Clackcode.com: security scan
HackerTarget.com: online vulnerability tests
AutomatedScanning.com - commercial service

Cloud Computing - AWS Security Tools:

ThreatResponse - suite of tools for AWS Hardening and Responding
Netflix Security Monkey - suite of Netflix developed security tools
Amazon AWS tools - AWS security services

Software Updates and Security fixes:

Forensic and Data Recovery Tools:

Basic Steps in Forensic Analysis of Unix Systems - a case study
GIIS ext3/ext2FS file undelete tool.User can recover files by it's name or type or by its owner. Can't recover the files deleted before installation of giis.
Why Recovering a Deleted Ext3 File Is Difficult
Commercial Linux data recovery tools - list

Anti-Virus Software:

This has typically been the domain of the Microsoft Windows and Outlook products and NOT Linux but Linux administrators running SAMBA file servers often must be aware of these viruses. There are according to Symantec 68 Linux specific viruses and worms including the Ramen worm which attempts to attack unpatched rpc.statd, wuftpd, and LPRng.

Anti-Virus products:

F-Secure.com
- Anti-Virus for File Servers
- Anti-Virus for Desktops and Laptops
Kaspersky Lab - Workstation/Server/eMail gateway protection
Sophos.com
- Endpoint Security and Control: Anti-Virus and anti-spyware for Unix/Linux
- SOPHOS Anti-virus - Sophos Anti-Virus for Linux
- eMail security
Symantec.com
- Mail-Gear: (up to and including version 1.2.x)
- Antivirus client for Linux
TrendMicro.com
- Interscan VirusWall for Linux - Internet Gateway - detect/scan SMTP, HTTP and FTP
ClamAv.net - Clam anti-virus. Open source virus protection for mail servers.

Virus info:

CERT.org - Carnegie Mellon University's Software Engineering Institute - security vulnerability research.
ICSA.net - Anti-virus / Anti-spyware / Anti-spam Product Developers Consortium
Symantec security response - commercial security support
Threat Explorer - real and hoaxes

Virus email alert:

Attacks:

SYN packet manipulation:
- SYN flood description
- SYN Cookie
Smurf DOS:
- SMURF attack description
IRC (Internet Relay Chat) Client attacks:
- IRC client attack description
Service attacks:
- Buffer Overflow attacks
Session Hijacking:
- Session highjacking descriptions
ARP Cache poisoning:
- Wireless Attacks Threaten Wired Networks

Honeypots:

How to bait and catch the evil hackers:

honeyd
Honeynet.org - The honeynet project

DoD/DoE NISPOM Chapter 8 computer security configuration for Linux:

NISPOM (National Industry Security Program Operating Manual) chapter 8 is a computer security requirement developed by the US DoD (Department of Defense - US) and DoE (Department of Energy) and published by the DSS (Defense Security Service) which US defense contractors are required to meet when processing classified data on computers in a classified environment. Linux as issued by major distros defaults do not meet this requirement. Use the following software packages/configurations:

Use central authentication server (LDAP or NIS) with the proper security policies. See YoLinux LDAP authentication tutorial.
Meet reporting requirements: This auditing and reporting requirement can be met using Snare. This requires a kernel patch (or use of one of the kernels [RHEL3 or RHEL4] downloaded from the Snare home page.) and the running of a Snare audit daemon. It meets C-2 reporting requirements and records logins/logoffs, file and directory access, access denial, ...
Newer Linux distributions running auditd (RHEL4, FC3+) can get compliant results.
Intersect Alliance: Snare project.
Grant admin privileges without giving root password. Granular delegation of root privileges. File and directory access control. Symark.com: PowerBroker
Virus scanner. (See above list)

Links:

Sans.org: NISPOM Chapter 8 checklist [pdf]

Standards and Security Certification:

ISACA.org - The Information Systems Audit and Control Association & Foundation
CISA - Certified Information Systems Auditor
COBIT - Control Objectives for Information and related Technology

Links:

YoLinux.com security info web site list (see right hand column)
ZedZ.net - Cryptography Archives for data and network security
FTP directory of tools
Purdue FTP site of tools - Index
DFN-CERT FTP tools site - Tool descriptions/index
Wietse's tools and papers - Coroner's toolkit, SATAN, TCP wrappers, ...

Books:

	"Hacking Linux Exposed" by Brian Hatch, James B. Lee, George Kurtz ISBN #0072225645, McGraw-Hill (2nd edition) From the same authors of "Hacking Exposed".
	"Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation" by Anonymous and John Ray ISBN #0672321343, Sams Covers not only audit and protection methods but also investigates and explains the attacks and how they work.
	"Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt, Donald McLachlan, Judy Novak ISBN #0735710082, New Riders Publishing
	"SSH, the Secure Shell : The Definitive Guide" by Daniel J. Barrett, Richard Silverman ISBN #0596000111, O'Reilly & Associates
	"Computer Security Incident Handling Step by Step" by Stephen Northcutt ISBN #0967299217
	"Snort 2.1 Intrusion Detection, Second Edition" by Jay Beale, Caswell ISBN #1931836043, Syngress
	"Ethereal Packet Sniffing" by Angela D. Orebaugh, Gilbert Ramirez, Ethereal.com ISBN #1932266828, Syngress
	"Nessus Network Auditing (Jay Beale's Open Source Security)" by Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy Johnston, Jimmy Alderson ISBN #1931836086, Syngress
	"Security Assessment: Case Studies for Implementing the NSA IAM" by Russ Rogers, Greg Miles, Ed Fuller, Ted Dykstra ISBN #1932266968, Syngress
	"Network Security Assessment" by Chris McNab ISBN #059600611X, O'Reilly
	"A Practical Guide to Security Assessment" by Sudhanshu Kairab ISBN #0849317061, Auerbach Publications
	Security Source Magazine Security Source Magazine's cover story is about keeping the network secure, from the gateway to the desktop. Subscribe now and continue to learn about valuable security topics and strategies in each quarterly issue.	Free Subscription
	Info Security Magazine Business and management of information security. It is an international magazine, with an European focus. It is published in both print and digital editions, the latter containing the full content of the print publication, accessible via the web. Its experienced editorial team delivers stories that deal with the big picture issues of information security. Our sources and columnists are the expert security researchers and practitioners who define, drive, and lead the field. And our journalists are in demand by the IT trade and broadsheet press.	Free Subscription