Linuxworld Toronto Presentation: Open Source Security Tools
Added: October 07, 2007

Presentation Transcript

Open Source Security Tools
Linux World / Network Toronto Tutorial Part I

Agenda
- Open Source and Security
- Firewalls
- Port Scanners
- Network Sniffers
- Vulnerability Assessment
- Intrusion Detection Systems
- Logging Analysis
- Unix-like Windows Tools
- Crypto Tools
- Wireless Tools
- Open Source Security Opportunities

Presenter
- Tony Howlett, President of Network Security Services, Inc.
- CISSP, GSNA
- Author of “Open Source Security Tools”
- 17 years of experience building and managing networks

Pre-speech Caveats
- Contains updates to material in the book; a preview of the 2nd edition
- OS requirements: Linux or BSD; the reference OS is Mandrake 10.1
- The choice of security apps are my favorites; yes, there are others, but these are MY favorites
- Please hold questions till the end of the seminar

Security Tool Warnings
- DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission
- Be very careful when running them on production machines at work
- Failure to abide by this could result in getting fired, legal action or losing your ISP connection.

Windoze Warning
- While most of it is Unix/Linux centric, I do present some Windoze tools
- The number of open source Windows tools is still low, but the number is increasing and some of them are quite good
- It’s a Windows world out there, and we all have to live in it
- Most are at the end, so hardcore Windows haters can leave then

Open Source and Security
- Just about every category of security application is available in open source
- Many commercial security vendors use open source software as a base or engine
- Many of the programs compare very favorably to expensive commercial programs
- Example: Snort has been rated right up with commercial choices by critics and trade mags

Open Source and Security: More Secure or Less Secure?
- The world’s most proprietary operating system is also the most exploited
- Linux and Windows are about even in the number of exploits available
- Best practice in fields like cryptography is open peer review
- Bottom line: code being closed or open source doesn’t make programmers write secure code

Open Source Opportunities
- Cost reduction within your company (be the budget hero)
- Expansion/addition to your existing tools
- Education: a great way to learn
- Development of new open source tools (www.sourceforge.net, www.freshmeat.net)
- Career/resume enhancement
- Run a security consultancy with it (I do!)

Securing Operating Systems
- The operating system is the base upon which you build all your other tools; if it’s insecure, you are building on a foundation of sand
- When building a security tool system, try to always start with a new OS installation
- Then lock down and harden the system

Bastille Linux: An OS Hardening Tool
- Not an OS, but a set of scripts that automates the hardening process
- Asks questions and performs actions based on the response
- Can run from the command line or via a config file to run on multiple systems
- Requirements: Perl 5.5 or greater; Perl Tk module 8.0 or greater; Perl Curses module 1.06 or greater
- Packages available for Debian, Red Hat and Mandrake
- Also available for Mac OS X, HP-UX and Solaris
- Download from www.bastille-linux.org

Open Source Firewalls: The Ole Standby, IPTables
- Included with every Linux distribution with kernel 2.4 and higher
- Can run from the command line or via scripts
- Several public IPTables scripts available
- Many commercial firewalls are merely Linux boxes running IPTables in fancy cases
- Example: Watchguard Firebox
- Do you have it? Type “iptables -L” at the command line to find out

OS Firewall Alternatives
- IPChains
- Turtle Firewall
- SmoothWall

IPChains
- Available in Linux distributions with kernel 2.2-2.3
- Similar to IPTables with a little less functionality
- Before kernel 2.3, IPFW is the firewall program

Turtle Firewall
- Web-based interface to IPTables
- Makes IPTables much easier to navigate
- Seeing mistakes in rules is easier
- Uses the Webmin Linux administration interface
- Requirements: kernel 2.4 or higher; IPTables; Webmin interface (www.webmin.org); Perl with the Expat library
- Get Turtle Firewall at www.turtlefirewall.com
- Free for download, ~$100 for a supported version

SmoothWall Express
- A turn-key firewall
- Supports NAT, DHCP, SSH admin, VPNs and a lot more
- Requires a dedicated system to run on; wipes the hard drive and installs its own OS (Linux, of course!)
- Express version is free; a commercial version is available with more features
- Get it at www.smoothwall.org

Port Scanners
- Port scanners determine the state of the TCP/UDP network ports on a system
- Very useful from a network security standpoint
- Nmap is the most fully featured scanner out there, bar none.
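Added example, not from the presentation or from Nmap itself: what a defender does with a scan of their own hosts, comparing Nmap’s grepable output (the -oG format) against a baseline of the services that are supposed to be listening, so that unexpected listeners stand out. The hosts, ports, baseline and scan text are all constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the presentation: turn a port scan of your own hosts
# into a rogue-service check by comparing Nmap's grepable output (nmap -oG)
# against a baseline of what is supposed to be listening. All hosts, ports and
# the scan text below are constructed so the script runs offline.

# Constructed baseline: "<host> <port>/<proto>" per expected listening service.
BASELINE='10.0.0.5 22/tcp
10.0.0.5 80/tcp
10.0.0.9 22/tcp'

# Constructed sample of "nmap -oG" output. Real lines have the shape
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...<TAB>Ignored State: ...
# In practice this text comes from:  nmap -sS -oG scan.gnmap <your hosts>
TAB=$(printf '\t')
SCAN="# Nmap 4.20 scan initiated (constructed sample)
Host: 10.0.0.5 ()${TAB}Status: Up
Host: 10.0.0.5 ()${TAB}Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///${TAB}Ignored State: closed (997)
Host: 10.0.0.9 ()${TAB}Ports: 22/open/tcp//ssh///, 5900/filtered/tcp//vnc///${TAB}Ignored State: closed (998)
# Nmap done (constructed sample)"

# Read -oG text on stdin, print "<host> <port>/<proto>" for every OPEN port.
# Filtered/closed entries are skipped: only open ports are listening services.
open_ports_from_gnmap() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2
            ports = $0
            sub(/.*Ports: /, "", ports)   # drop everything before the port list
            sub(/\t.*/, "", ports)        # drop the "Ignored State" tail
            n = split(ports, p, /, */)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")       # f[1]=port f[2]=state f[3]=proto
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }'
}

# find_rogue_services <baseline text> <scan text>
# Prints one "<host> <port>/<proto>" line per open port absent from the
# baseline; returns 0 when the scan matches the baseline, 1 otherwise.
find_rogue_services() {
    baseline=$1
    scan=$2
    rogue=$(printf '%s\n' "$scan" | open_ports_from_gnmap | sort -u |
        while read -r host port; do
            [ -n "$host" ] || continue
            printf '%s\n' "$baseline" | grep -qxF "$host $port" ||
                printf '%s %s\n' "$host" "$port"
        done)
    if [ -n "$rogue" ]; then
        printf '%s\n' "$rogue"
        return 1
    fi
    return 0
}

# Demo on the constructed data: reports "10.0.0.5 3389/tcp" (an RDP listener
# nobody put in the baseline) and stays silent about the filtered VNC port.
if ! find_rogue_services "$BASELINE" "$SCAN"; then
    echo "open ports not in the baseline; find out who started them and why"
fi
```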
Uses for Port Scanners
- Determine the number of answering machines on the network (ping sweep)
- OS identification (TCP fingerprinting)
- Identify unnecessary or rogue services running on machines

Nmap
- Powerful, lightweight port scanner
- Runs on Unix or Windows
- Command line or GUI
- Easy to run but also deep in functionality
- Requirements: libpcap libraries (www.tcpdump.org)
- Download Nmap from www.insecure.org (a great security information site too!)

Nmap Demo

Vulnerability Scanners
- These programs take port scanning a bit farther and try to run exploits against open ports
- These scripts replicate the actions of hackers or other malware such as viruses or worms
- Can be very useful to show how good your defenses are
- Can be run in “safe mode”, which means holes aren’t exploited if found. This results in a higher false positive rate, however

Nessus: NOT!
- Was one of the better open source security programs available
- Uses Nmap and other popular programs as modules
- Utilizes a “plug-in” architecture for each security test so the latest exploits can easily be added
- Now closed source by the author’s commercial company

Alternatives to Nessus
- Several of the major contributors “forked” the open source version of Nessus to form new open source VAS projects
- OpenVAS: http://www.openvas.org
- ATF: http://www.computec.ch/projekte/atk/
- Porz-Wahn: http://developer.berlios.de/projects/porz-wahn/

Benefits of OpenVAS and other Nessus Forks
- Client-server architecture
- Supports multiple platforms for clients (Linux, Windows, web-based, Java)
- Has a built-in scripting language (NASL) for writing custom security tests
- Well documented and supported from legacy
- Best of all, absolutely FREE!

OpenVAS Requirements
- libpcap libraries (www.tcpdump.org)
- Gimp Toolkit (GTK): ftp.gimp.org/pub/gtk/v1.2
- Nmap (if you want to use it as your port scanner)
- OpenSSL (if you want to connect securely; www.openssl.org)

OpenVAS Demo

Netscan Command Console (NCC)
- A web-based interface and database backend for managing multiple .nsr-based vulnerability scans
- Allows for scheduling of future scans, recurrence and storing of results in a database
- Web-based analysis tool for results
- Multi-user, multi-group (good for consultants)
- Version 2.0 coming out in June (sneak preview today!)
- Co-written by yours truly
- Written using Perl and PHP
- Based on the LAMP platform (Linux, Apache, MySQL and PHP (Perl too!))
- Backwards compatible with open source Nessus
- Requirements: MySQL 3.2352 or higher; PHP 4.32 or higher; Perl 5.8 or higher; OpenVAS/Nessus 2.07 or higher; Apache 2.0.47 or higher
- Get it at www.netsecuritysvcs.com/ncc

NCC Demo

Network Sniffers
- These programs grab data packets off the network for examination/analysis
- Highly useful for any number of tasks, including but not limited to security
- Commercial sniffers can run into the tens of thousands of dollars

Ethereal
- A free open source Ethernet sniffer with many features
- Graphic interface
- Also works with other programs (both as a slave program and to produce files for use/analysis in 3rd party programs)
- Requirements: libpcap libraries; network card capable of working in promiscuous mode
- Download at www.ethereal.org

Ethereal Demo

Intrusion Detection Systems
- Programs that look for anomalous behavior on a system and alert operators
- Some systems provide for additional analysis/reporting capability; this is CRUCIAL to the usability of the system
- A vital backup to your firewall and perimeter defenses
- A strong defense against internal attacks, which firewalls can’t detect or stop

IDS vs. IPS
- What is the difference between IPS (Intrusion Prevention System) and IDS? Answer: marketing, mostly!
- Some combine a firewall with IDS to take action on alerts, such as blocking ports, etc.
- WARNING: these features can cause your network to be DOS’d inadvertently

Host IDS vs. Network-based
- A host-based IDS (Tripwire) looks for changes/anomalous activity on a single host, such as file modifications, etc.
- A network-based IDS (NIDS) looks for suspicious behavior on a network wire
- Network-based will pick up activities on all boxes that enter from the network, but may miss activity that doesn’t match signatures or comes from a different source; for example, brute force attempts on a login or floppy-based trojans
- Host-based can pick up things NIDS can’t (changes to files by a legal user, etc.) but must be loaded on every box
- Some systems may warrant both

Network Intrusion Detection Systems
- NIDS systems are complicated sniffers that check all data packets on the network against a database of signatures
- Some IDS systems also do anomalous activity detection and intrusion prevention (taking action on the results)

Snort
- A powerful, lightweight open source NIDS
- Large default rule set (several thousand)
- Highly customizable and configurable
- Offers a scripting language to write custom rules to match your network
- Works on Linux/BSD/Windows

Snort Requirements
- Software requirements: libpcap libraries; Linux kernel 2.4 or greater
- Hardware requirements: network card capable of working in promiscuous mode; Intel 500 MHz processor or greater (it works on less); 128MB of RAM
- Command line interface only
- Download at www.snort.org

Get the Pig
- Download the tar file from www.snort.org
- Most current version: 2.4.4
- Decide if you want to register as a user
- Sourcefire (owner of Snort) subscribers get real-time feeds (cost: approx $1700/year)
- Registered users (no cost) get the 5-day delayed Verified rules feed
- Non-registered users get the static rule set with installation
- GPL feed available for those that don’t want to use the Verified rule set.
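Added example (not the presentation’s or Tripwire’s code): the file-change detection that the host-based IDS slides describe, done as a baseline-and-compare check over a directory tree, including the changes by a legitimate user that a NIDS never sees. All paths and file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the presentation: the core of a host-based IDS check
# of the kind Tripwire performs. A baseline of SHA-256 digests is recorded for a
# directory tree; a later run compares the live tree against it and reports
# MODIFIED, ADDED and REMOVED files. All paths and file contents are constructed.

# SHA-256 of one file: coreutils sha256sum, else BSD/macOS shasum.
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# record_baseline <tree> <baseline file>
# Writes "<digest> <relative path>" for every regular file under <tree>, sorted,
# so two baselines of identical trees compare byte for byte. Keep the baseline
# off the monitored host (or on read-only media): anyone who can edit it can
# hide every change.
record_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | sort | while read -r f; do
          printf '%s %s\n' "$(sha256_of "$f")" "$f"
      done ) > "$out"
}

# check_integrity <tree> <baseline file>
# Prints one "MODIFIED|ADDED|REMOVED <path>" line per change, sorted.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
check_integrity() {
    root=$1; base=$2
    current=$(mktemp)
    record_baseline "$root" "$current"
    changes=$(awk -v basefile="$base" '
        FILENAME == basefile { want[$2] = $1; next }   # baseline: path -> digest
        {
            if (!($2 in want))        print "ADDED " $2
            else if (want[$2] != $1)  print "MODIFIED " $2
            delete want[$2]
        }
        END { for (p in want) print "REMOVED " p }   # left over = gone from disk
    ' "$base" "$current" | sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Self-contained demonstration on a constructed tree. Prints the change report
# and returns check_integrity's status.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/etc" "$work/tree/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n'     > "$work/tree/etc/passwd"
    printf 'PermitRootLogin no\n'                > "$work/tree/etc/sshd_config"
    printf '#!/bin/sh\necho ok\n'                > "$work/tree/bin/healthcheck"
    record_baseline "$work/tree" "$work/baseline.db"

    # Changes a legitimate admin (or an intruder) might make after the baseline.
    # None of these cross the wire, so a NIDS cannot see them.
    printf 'PermitRootLogin yes\n'               > "$work/tree/etc/sshd_config"
    printf 'newadmin:x:0:0::/root:/bin/sh\n'    >> "$work/tree/etc/passwd"
    printf '#!/bin/sh\nfetch-updates\n'          > "$work/tree/bin/updater"
    rm -f "$work/tree/bin/healthcheck"

    if check_integrity "$work/tree" "$work/baseline.db"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

if demo; then echo "tree matches baseline"; else echo "changes detected (see report above)"; fi
```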
Useful Snort Add-on Tools
- Webmin Snort Module
- BASE/ACID

Webmin Snort Module
- Module for the popular Webmin administration program
- Benefits: easy rule set and conf file management
- Downside: have to run Webmin and a web server on the Snort box
- Download at www.webmin.com

Webmin Snort Demo

Basic Analysis and Security Engine (BASE)
- Formerly Analysis Console for Intrusion Detection (ACID)
- Web front end and database interface for Snort
- This program allows you to really tap into the power of Snort
- Imports alerts into a database and allows viewing through a web-based interface
- This allows analysis of your Snort data and helps with tuning your Snort sensors

BASE Requirements
- MySQL, PostgreSQL or Oracle database
- PHP-enabled web server
- One or more Snort sensors to gather data from
- Important: you must build your Snort boxes with the “--with-mysql” or appropriate parameter and edit the snort.conf files correctly.
- Download BASE from http://secureideas.sourceforge.net/

BASE Demo

Crypto Security
- GPG (GNU PGP), Unix
- Cain and Abel (Windows)
- Open source version of Windows PGP no longer available (volunteers anyone?)

GnuPG
- The GNU Privacy Guard (get it?)
- The GNU implementation of the OpenPGP standard
- Versions available for Unix/Windows/Mac OS
- Command line interface only
- Get it at www.gnupg.org

Cain and Abel
- Password and credential recovery tool for Windows (read between the lines)
- Not revolutionary but evolutionary; contains many tools in one simple, easy to use package.
- One very scary tool…
- Integrates the following features in an easy to use GUI: network sniffer (wireless too!); password cracking for just about every OS and platform; ARP cache poisoning tool (to circumvent switches); remote control agent; and more!
- Support for rainbow tables, the latest innovation in password cracking
- Download it at http://www.oxid.it/cain.html

Cain and Abel: Platforms Cracked
- Windows NT hashes, Windows Protected Storage, Windows Credential Manager, Windows LSA Secrets, Windows Remote Desktop, MS Access, MS SQL Server, Base64, Cisco Type 7, Cisco VPN, VNC, RSA SecurID, Oracle

Cain and Abel Demo
- Sorry, no Cain and Abel demo… I don’t want to embarrass anyone or go to jail
- At a recent hacker convention, I saw this tool used to reveal the passwords of attendees, including some federal agents and a professor of a major university
- Moral of this story: don’t use wireless networks at conventions, especially hacker conventions!

Wireless Security
- Kismet Wireless (Unix/Linux/BSD); Palm version available
- NetStumbler (Windows)
- Stumbverter (Windows)
- One of the few areas where Windows tools meet or surpass Unix tools in quality

Kismet Wireless
- Curses-based wireless exploration program
- Can interface with wireless cracking programs like WEPcrack
- Requirements: wireless network card that supports rfmon; GPSD (GPS monitoring daemon); Expat libraries
- Download it at http://www.kismetwireless.net/

NetStumbler
- Not purely open source, but a freeware license
- Available at www.netstumbler.com along with lots of other good wireless resources
- Gives lots of useful information (signal strengths, type of equipment, AP settings, GPS data)
- Requirements: Windows W2K or later; Prism2, Hermes or Atmel chip-based WiFi card; optional external antenna for better results; optional GPS receiver for map data

Stumbverter
- Open source add-on to NetStumbler; also works with Kismet files
- Converts your NetStumbler files captured with GPS data into MS MapPoint
- Makes a nice graphical representation of the APs in your area
- Good for finding areas of signal interference, channel choices, and surveying for rogue access points
- Requirements: NetStumbler; GPS sensor with PC interface; licensed version of MS MapPoint 2004 or later
- Get it at http://www.sonar-security.com/sv.html

NetStumbler/Stumbverter Demo

Email Security
- Anti-spam (SpamAssassin)
- Anti-virus (ClamAV)
- Blackhole lists (RBL, )

AntiSpam Tools: SpamAssassin
- Perl-based spam filter
- Works with Sendmail/Postfix
- Filters spam based on signature matching, location, attributes (future dates, internal addresses) or Bayesian logic
- Part of many commercial anti-spam solutions
- Get it at http://spamassassin.apache.org/

ClamAV
- Open source anti-virus toolkit project
- Works at the mail server rather than on desktops
- Upsides: takes the processing job off of the desktops; free!
- Downsides: mainly for email attachment scanning; doesn’t catch viruses on CDs or downloaded via other means (web)
- Best used as additional protection, not the sole protection
- Download at http://www.clamav.net/

Blackhole Lists
- Not software per se, but collaborative lists of known spamming addresses
- Most mail servers will work automatically with these lists
- Some charge for subscriptions, some are free
- SpamHaus: sbl.spamhaus.org
- MAPS Spam Relay List: relays.mail-abuse.org
- Arbitrary Black Hole List: spammers.v6net.org

Forensic Security
- Unix dd command
- The Sleuth Kit
- Autopsy Forensic Browser
- The Forensic Toolkit (Windows)

Unix dd Command
- Useful for making exact copies of evidence after an attack
- Available on almost all Unix systems
- Be careful with this command; you can also destroy data
- Make sure you follow proper forensic data collection techniques or you may make evidence unusable in court

SleuthKit/Autopsy Forensic Browser
- A Unix/Linux/BSD data collection and analysis program
- Allows for multiple case files
- Allows for viewing of different file types
- Browser interface (AFB)
- Get it at http://www.sleuthkit.org/

SleuthKit/AFB Demo

The Forensic Toolkit
- A collection of free tools made available by AtStake
- Not open source but freeware (be careful of license restrictions on commercial use)
- Useful for Windows systems analysis without modifying file access traits (time, etc.), plus info not available through built-in OS tools
- Afind shows files by access time
- Hfind shows Windows hidden files
- Sfind shows hidden data streams on
- Filestat shows all attributes of files
- Hunt uses a null session to generate info on a Windows host
- Download at http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/forensics.htm

Forensic Toolkit Demo

Windows Tools for Unix/Linux-like Features
- Windows is notoriously lacking in built-in command line/network diagnostic tools; example: whois, SSH, etc.
- There are open source tools to add these and more to your Windows system: PuTTY (SSH client for Windows); Sam Spade (whois, graphical traceroute, finger, IPBlock, spam blackhole list, etc.); Everest

PuTTY
- Windows SSH/Telnet/secure Telnet client
- Great for saving terminal session logs too
- Get it at http://www.chiark.greenend.org.uk/~sgtatham/putty/

PuTTY Demo

Sam Spade
- Just like the fictional detective, great at finding things out and tracking down bad guys
- Offers Windows-based whois, graphical traceroute, finger
- Can find the owner of IPs (IPBlock)
- Can find the abuse contact and file a complaint
- Find out if your mail server is on a blackhole list
- Get it at www.samspade.org/ssw

Sam Spade Demo

Open Source Software Needs
- Opportunities to contribute and gain experience and reputation
- Better Windows tools! Encryption, Windows VAS, Windows Snort tools
- OpenVAS project or side projects (like NCC!)
- Better Unix wireless tools

REPEAT: Security Tool Warnings
- DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission
- Be very careful when running them on production machines at work
- Failure to abide by this could result in getting fired, legal action or losing your ISP connection.

Questions / Comments?
- Email me at thowlett@netsecuritysvcs.com
- Most of the tools mentioned and more can be found in my book “Open Source Security Tools”, available from your bookseller or online
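Added example, not from the presentation: the dd evidence-copy procedure from the forensics slides, carried out with the source hashed before imaging and the image hashed afterwards and both recorded in a timestamped log, which is what lets the copy be shown to be exact. The evidence file, paths and log are constructed and stand in for a real block device.

```shell
#!/bin/sh
# Added example, not from the presentation: imaging evidence with dd as the
# forensic dd slide recommends, with the controls that keep the copy usable:
# hash the source before imaging, hash the image afterwards, record both with
# a UTC timestamp, and never write to the source. The "device" here is a
# constructed file standing in for something like /dev/sdb; the steps are the same.

# SHA-256 of one file: coreutils sha256sum, else BSD/macOS shasum.
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# image_evidence <source> <image> <custody log>
#   bs=512              one disk sector per block
#   conv=noerror,sync   keep reading past bad sectors and zero-fill them, so
#                       offsets in the image still match the source
# Caveat: conv=sync pads the final partial block up to bs, so a source whose
# size is not a multiple of bs hashes differently from its image; disks are
# sector-aligned, regular files may not be. Refuses to clobber an existing
# image: a second attempt must go to a new file, not over the first copy.
# Returns 0 when the image hash equals the source hash.
image_evidence() {
    src=$1; img=$2; log=$3
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    chmod 0444 "$img"                               # the image is now read-only
    after=$(sha256_of "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$before" >> "$log"
    printf '%s image=%s sha256=%s\n'  "$stamp" "$img" "$after"  >> "$log"
    [ "$before" = "$after" ]
}

# Self-contained demonstration: 8 sectors of random data as the "evidence",
# imaged and verified. Prints the custody log; returns image_evidence's status.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=8 2>/dev/null
    chmod 0444 "$work/evidence.bin"                 # treat the source as read-only
    if image_evidence "$work/evidence.bin" "$work/evidence.dd" "$work/custody.log"; then
        rc=0
    else
        rc=1
    fi
    cat "$work/custody.log"
    rm -rf "$work"
    return $rc
}

if demo; then echo "image verified: hashes match"; else echo "VERIFY FAILED: do not rely on this image"; fi
```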
Linuxworld Toronto Presentation OpenSource Securit Me_I Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 277 Category: Entertainment License: All Rights Reserved Like it (1) Dislike it (0) Added: October 07, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Open Source Security Tools : Open Source Security Tools Linux World / Network Toronto Tutorial Part IAgenda: Agenda Open Source and Security Firewalls Port Scanners Network Sniffers Vulnerability Assessment Intrusion Detection Systems Logging Analysis Unix-like Windows Tools Crypto Tools Wireless Tools Open Source Security OpportunitiesPresenter: Presenter Tony Howlett President of Network Security Services, Inc. 
CISSP, GSNA Author of “Open Source Security Tools” 17 years of experience building and managing networksPre-speech Caveats: Pre-speech Caveats Contains updates to material in book; a preview of 2nd edition OS Requirements; Linux or BSD, Reference OS is Mandrake 10.1 Choice of Security apps are my favorites, yes there are others, these are MY favorites Please hold questions till of seminarSecurity Tool Warnings: Security Tool Warnings DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission Be very careful when running them on production machines at work Failure to abide by this could result in getting fired, legal action or losing your ISP connection.Windoze Warning: Windoze Warning While most of it is Unix/Linux centric, I do present some Windoze tools The number of open source Windows tools is still low but the number is increasing and some of them are quite good It’s a Windows world out there, and we all have to live in it Most are at the end, so hardcore Windows haters can leave then Open Source and Security: Open Source and Security Just about every category of security application is available in open source Many commercial security vendors use open source software as a base or engine Many of the programs compare very favorably to expensive commercial programs Example: Snort has been rated right up with commercial choices by critics and trade mags Open Source and Security: Open Source and Security More Secure or Less Secure? 
The worlds most proprietary operating system is also the most exploited Linux and Windows about even with number of exploits available Best practices in fields like cryptography are to have open peer review Bottom line; code being closed or open source doesn’t make programmers write secure codeOpen Source Opportunities: Open Source Opportunities Cost Reduction within your company (be the budget hero) Expansion/ addition to your existing tools Education – a great way to learn Development of new open source tools (www.sourceforge.net , www.freshmeat.net) Career / Resume Enhancement Run a Security consultancy with it (I do!)Securing Operating Systems: Securing Operating Systems The operating system is the base upon which you build all your other tools; if its insecure, you are building on a foundation of sand When building a security tool system, try to always start with a new OS installation Then lock down and harden the system Bastille LinuxA OS Hardening Tool: Bastille Linux A OS Hardening Tool Not an OS, but a set of scripts that automates the hardening process Asks questions and performs actions based on the response Can run from the command line or via a config file to run on multiple systemsBastille LinuxA OS Hardening Tool: Bastille Linux A OS Hardening Tool Requirements: Perl 5.5 or greater Perl TK Module 8.0 or greater Perl Curses Module 1.06 or greater Packages available for Debian, Redhat and Mandrake Also available for Mac OS-X, HP/UX and Solaris Download from www.bastille-linux.org Open Source Firewalls: Open Source Firewalls The Ole Standby: IPTables Included with every Linux distribution with Kernel 2.4 and higher Can run from command line or via scripts Several public IPTables scripts available Many commercial firewalls are merely Linux boxes running IP tables in fancy cases Example: Watchguard Firebox Do you have it? 
Type “iptables –L” at the command line to find out OS Firewall Alternatives: OS Firewall Alternatives Ipchains Turtle Firewall Smoothwall IPChains: IPChains Available in Linux distributions with Kernel 2.2-2.3 Similar to IPTables with a little less functionality Before Kernel 2.3, IPFW is firewall programTurtle Firewall: Turtle Firewall Web-based interface to IPTables Makes IPTables much easier to navigate Seeing mistakes in rules is easier Uses the Webmin Linux Administration Interface. Turtle Firewall: Turtle Firewall Turtle Firewall: Turtle Firewall Requirements: Kernel 2.4 or higher Iptables Webmin Interface (www.webmin.org) Perl with Expat Library Get Turtle Firewall at www.turtlefirewall.com Free for download, ~$100 for a supported version SmoothWall Express: SmoothWall Express A turn-key firewall Supports NAT, DHCP, SSH Admin, VPNs and a lot more Requires a dedicated system to run on; wipes the harddrive and installs its own OS (Linux of course!) Express version is free, commercial version available with more features Get it at www.smoothwall.orgSmoothWall Express: SmoothWall Express Port Scanners: Port Scanners Port scanners determine the state of the TCP/UDP network ports on a system Very useful from a network security standpoint Nmap is the most fully featured scanner out there, bar none. 
Uses for Port Scanners: Uses for Port Scanners Determine number of answering machines on the network (Ping Sweep) OS Identification (TCP Fingerprinting) Identify unnecessary or rogue services running on machinesNmap: Nmap Powerful light weight port scanner Runs on Unix or Windows Command Line or GUI Easy to run but also deep in functionality Nmap Requirements: Nmap Requirements Nmap Requirements: LibPcap libraries (www.tcpdump.org) Download Nmap from www.insecure.org (a great security information site too!)Nmap Demo: Nmap Demo Vulnerability Scanners: Vulnerability Scanners These programs take port scanning a bit farther and try to run exploits against open ports These scripts replicate the actions of hackers or other malware such as viruses or worms Can be very useful to show how good your defenses are Can be run in “safe mode” which means holes aren't exploited if found. This results in a higher false positive rate, howeverNessus-NOT!: Nessus-NOT! Was one of the better open source security programs available Uses Nmap and other popular programs as modules Utilizes a “plug-in” architecture for each security test so latest exploits can easily be added Now closed source by authors commercial companyAlternatives to Nessus: Alternatives to Nessus Several of the major contributors “forked” the open source version of nessus to form new Open Source VAS projects OpenVAS http://www.openvas.org ATF http://www.computec.ch/projekte/atk/ Porz-Wahn http://developer.berlios.de/projects/porz-wahn/Benefits of OpenVAS and other Nessus Forks: Benefits of OpenVAS and other Nessus Forks Client-Server architecture. 
Supports multiple platforms for clients (Linux, Windows, Web-based, Java) Has a built in scripting language (NASL) for writing custom security tests Well documented and supported from legacy Best of all, absolutely FREE!OpenVAS Requirements: OpenVAS Requirements LibPcap Libraries (www.tcpdump.org) Gimp Took Kit (GTK) ftp.gimp.org/pub/gtk/v1.2 Nmap (if you want to use it as your port scanner) OpenSSL (if you want to connect securely www.openssl.org) OpenVAS Demo: OpenVAS Demo Netscan Command Console (NCC): Netscan Command Console (NCC) A web based interface and database backend for managing multiple .nsr-based vulnerability scans Allows for scheduling of future scans, recurrence and storing of results in a database Web based analysis tool for results Multi-user, multi group (good for consultants) Version 2.0 coming out in June (sneak preview today!) Co-written by yours truly Netscan Command Console (NCC): Netscan Command Console (NCC) Written using Perl and PHP Based on the LAMP platform (Linux, Apache, MySQL and PHP (Perl too!) 
Backwards compatible with OS Nessus Requirements: MySQL: Version 3.2352 or higher PHP: Version 4.32 or higher Perl: Version 5.8 or higher OpenVAS/Nessus: Version 2.07 or higher Apache: Version 2.0.47 or higher Get it at www.netsecuritysvcs.com/ncc NCC Demo: NCC Demo Network Sniffers: Network Sniffers These programs grab data packets off the network for examination/analysis Highly useful for any number of tasks including but not limited to security Commercial sniffers can run into the tens of thousands of dollarsEthereal: Ethereal A free open source Ethernet sniffer with many features Graphic Interface Also, works with other programs (both as a slave program and to produce files for use/analysis in 3rd party programs)Ethereal: Ethereal Requirement LibPcap Libraries Network card capable of working in promiscuous mode Download at www.ethereal.org Ethereal Demo: Ethereal DemoIntrusion Detection Systems: Intrusion Detection Systems Programs that look for anomalous behavior on a system and alert operators Some systems provide for additional analysis / reporting capability This is CRUTIAL to the usability of the system A vital backup to your firewall and perimeter defenses. A strong defense against internal attacks which firewalls can’t detect or stop IDS Vs. IPS: IDS Vs. IPS What is the the difference between IPS (Intrusion Prevention System) and IDS? Answer: Marketing mostly! Some combine a firewall with IDS to take action on alerts such as blocking ports, etc. WARNING: these features can cause a your network to be DOS’d inadvertently Host IDS Vs. Network based: Host IDS Vs. Network based A host based IDS (Tripwire) looks for changes/anomalous activity on a single host such as file modifications, etc. A network based IDS (NIDS) looks for suspicious behavior on a network wire. Network-based will pick up activities on all boxes that enter from the network but may miss activity that doesn’t match signatures or comes from a different source. 
For Example, brute force attempts on a login or floppy-based trojans Host-based can pick up things NIDS can’t (changes to files by a legal user, etc) but must be loaded on every box. Some systems may warrant both.Network Intrusion Detection Systems: Network Intrusion Detection Systems NIDS systems are complicated sniffers that check all data packets on the network against a database of signatures Some IDS systems also do anomalous activity detection and Intrusion Prevention (taking action on the results) Slide43: A powerful, lightweight open source NIDS Large default rule set (several thousand) Highly customizable and configurable Offers a scripting language to write custom rules to match your network Works on Linux/BSD/WindowsSlide44: Software requirements LibPcap Libraries Linux Kernel 2.4 or greater Hardware requirements Network card capable of working in promiscuous mode Intel 500 Ghx processor or greater (Its works on less) 128MB of ram Command line interface only Download at www.snort.org Get the Pig: Get the Pig Download tar file from www.snort.org Most current version 2.4.4 Decide if you want to register as a user Sourcefire (owner of Snort) subscribers get real-time feeds (cost: approx $1700/year) Registered users (no cost) get 5 day delayed Verified rules feed Non-registered users get static rule set with installation GPL feed available for those that don’t want to use the Verified rule set. 
Useful Snort Add-on Tools:
Webmin Snort Module
BASE/ACID
Webmin Snort Module:
Module for the popular Webmin administration program
Benefits: easy rule set and conf file management
Downside: have to run Webmin and a web server on the Snort box
Download at www.webmin.com
Webmin Snort Demo:
Basic Analysis and Security Engine (BASE):
Formerly Analysis Console for Intrusion Detection (ACID)
Web front end and database interface for Snort
This program allows you to really tap into the power of Snort
Imports alerts into a database and allows viewing through a web-based interface
This allows analysis of your Snort data and helps with tuning your Snort sensors
BASE Requirements:
MySQL, PostgreSQL or Oracle database
PHP-enabled web server
One or more Snort sensors to gather data from
Important: You must build your Snort boxes with the “--with-mysql” or appropriate parameter and edit the snort.conf files correctly.
Download BASE from: http://secureideas.sourceforge.net/
BASE Demo:
Crypto Security:
GPG (GNU PGP) Unix
Cain and Abel (Windows)
OS version of Windows PGP no longer available (volunteers anyone?)
GnuPG:
The GNU Privacy Guard (get it?)
The GNU implementation of the OpenPGP standard
Versions available for Unix/Windows/Mac OS
Command line interface only
Get it at www.gnupg.org
Cain and Abel:
Password and credential recovery tool for Windows (read between the lines)
Not revolutionary but evolutionary; contains many tools in one simple, easy to use package.
One very scary tool…
Cain and Abel:
Integrates the following features in an easy to use GUI
Network sniffer (wireless too!)
Password cracking for just about every OS and platform
ARP cache poisoning tool (to circumvent switches)
Remote control agent
And more!
Support for Rainbow Tables, the latest innovation in password cracking
Download it at http://www.oxid.it/cain.html
Cain and Abel Platforms Cracked:
Windows NT hashes
Windows Protected Storage
Windows Credential Manager
Windows LSA Secrets
Windows Remote Desktop
MS Access
MS SQL Server
Base64
Cisco Type 7
Cisco VPN
VNC
RSA SecurID
Oracle
Cain and Abel Demo:
Sorry, no Cain and Abel demo… I don’t want to embarrass anyone or go to jail
At a recent hacker convention, I saw this tool used to reveal the passwords of attendees, including some federal agents and a professor at a major university
Moral of this story: don’t use wireless networks at conventions, especially hacker conventions!
Wireless Security:
Kismet Wireless (Unix/Linux/BSD); Palm version available
Netstumbler (Windows)
Stumbverter (Windows)
One of the few areas where Windows tools meet or surpass Unix tools in quality
Kismet Wireless:
Curses based wireless exploration program
Can interface with wireless cracking programs like WEPcrack
Requirements:
Wireless network card that supports rfmon
GPSD (GPS monitoring daemon)
Expat libraries
Download it at: http://www.kismetwireless.net/
NetStumbler:
Not purely Open Source, but Freeware license
Available at www.netstumbler.com along with lots of other good wireless resources
Gives lots of useful information (signal strengths, type of equipment, AP settings, GPS data)
Requirements:
Windows 2000 (W2K) or later
Prism2, Hermes or Atmel chip-based Wifi card
Optional external antenna for better results
Optional GPS receiver for map data
Stumbverter:
Open Source add-on to Netstumbler; also works with Kismet files
Converts your Netstumbler files captured with GPS data into MS Map Point
Makes a nice graphical representation of the APs in your area
Good for finding areas of signal interference, channel choices
Surveying for rogue access points
Requirements:
Netstumbler
GPS sensor
with PC interface
Licensed version of MS Map Point 2004 or later
Get it at http://www.sonar-security.com/sv.html
Netstumbler/Stumbverter Demo:
Email Security:
Anti spam (SpamAssassin)
Anti virus (ClamAV)
Blackhole Lists (RBL, )
AntiSpam Tools:
SpamAssassin
Perl based spam filter
Works with Sendmail/Postfix
Filters spam based on signature matching, location, attributes (future dates, internal addresses) or Bayesian logic.
Part of many commercial anti-spam solutions
Get it at http://spamassassin.apache.org/
ClamAV:
Open Source anti-virus toolkit project
Works at the mail server rather than on desktops
Upsides: takes the processing job off of the desktops; free!
Downsides: mainly for email attachment scanning; doesn’t catch viruses on CDs or downloaded via other means (web)
Best used as an additional protection, not the sole one
Download at: http://www.clamav.net/
Blackhole Lists:
Not software per se, but collaborative lists of known spamming addresses
Most mail servers will work automatically with these lists
Some charge for subscriptions, some are free
SpamHaus sbl.spamhaus.org
MAPS Spam Relay List relays.mail-abuse.org
Arbitrary Black Hole List spammers.v6net.org
Forensic Security:
UNIX DD Command
The Sleuth Kit
Autopsy Forensic Browser
The Forensic Toolkit (Windows)
Unix DD Command:
Useful for making exact copies of evidence after an attack
Available on almost all Unix systems
Be careful with this command, you can also destroy data
Make sure you follow proper forensic data collection techniques or you may make evidence unusable in court
SleuthKit/Autopsy Forensic Browser:
A Unix/Linux/BSD data collection and analysis program
Allows for multiple case files
Allows for viewing of different file types
Browser interface (AFB)
Get it at: http://www.sleuthkit.org/
SleuthKit/AFB Demo:
The Forensic ToolKit:
A collection of free tools made available by AtStake
Not open source but freeware (be careful of license restrictions on commercial use)
Useful for Windows systems analysis without modifying file access traits (time, etc.) plus info not available through built-in OS tools
Afind shows files by access time
Hfind shows Windows hidden files
Sfind shows hidden data streams on
Filestat shows all attributes of files
Hunt uses a null session to generate info on a Windows host
Download at: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/forensics.htm
Forensic ToolKit Demo:
Windows Tools for UNIX/Linux-like features:
Windows is notoriously lacking in built-in command line / network diagnostic tools
Example: whois, SSH, etc.
There are open source tools to add these and more to your Windows system:
PuTTY (SSH client for Windows)
Sam Spade (whois, graphical traceroute, finger, IPBlock, Spam Blackhole list, etc.)
Everest
PuTTY:
Windows SSH/Telnet/Secure Telnet client
Great for saving terminal session logs too
Get it at http://www.chiark.greenend.org.uk/~sgtatham/putty/
PuTTY Demo:
Sam Spade:
Just like the fictional detective, great at finding things out and tracking down bad guys
Offers Windows based whois, graphical trace route, finger
Can find the owner of IPs (IPBlock)
Can find the abuse contact and file a complaint
Find out if your mail server is on a blackhole list
Get it at www.samspade.org/ssw
Sam Spade Demo:
Open Source Software Needs:
Opportunities to contribute and gain experience and reputation
Better Windows tools!
Encryption
Windows VAS
Windows Snort tools
OpenVAS project or side projects (like NCC!)
Better Unix wireless tools
REPEAT Security Tool Warnings:
DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission
Be very careful when running them on production machines at work
Failure to abide by this could result in getting fired, legal action or losing your ISP connection.
Questions / Comments?:
Email me at thowlett@netsecuritysvcs.com
Most of the tools mentioned and more can be found in my book “Open Source Security Tools”, available from your bookseller or online
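Referring back to the Blackhole Lists slide and to Sam Spade's "is my mail server on a blackhole list" check: both rely on the same DNS lookup, which the slides do not spell out. As an added example (not part of the presentation or of any of these tools), the Python below builds the query name by reversing the IPv4 octets under the list's zone and treats any answer in 127.0.0.0/8 as "listed". The zone names are the ones from the slide; the offline resolver table, the 127.0.0.2 answer and live_resolve are constructed for the demo.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """192.0.2.7 under sbl.spamhaus.org becomes 7.2.0.192.sbl.spamhaus.org (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # also validates the address
    return ".".join(reversed(octets)) + "." + zone

def interpret(answer):
    """A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed;
    no record (NXDOMAIN, passed here as None) means not listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def check(ip, zones, resolve):
    """resolve(name) returns the A record as a string or None. Returns {zone: listed?}."""
    return {zone: interpret(resolve(dnsbl_query_name(ip, zone))) for zone in zones}

def live_resolve(name):
    """Hypothetical real lookup via the system resolver; not used by the offline demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed stand-in for DNS: one listing on the SBL zone, nothing on the relay list.
FAKE_DNS = {"7.2.0.192.sbl.spamhaus.org": "127.0.0.2"}

def fake_resolve(name):
    return FAKE_DNS.get(name)

ZONES = ["sbl.spamhaus.org", "relays.mail-abuse.org"]

if __name__ == "__main__":
    print(check("192.0.2.7", ZONES, fake_resolve))
```

Swapping fake_resolve for live_resolve turns this into the check a mail server or Sam Spade performs against the real lists; the lists' own documentation defines what the individual 127.0.0.x values mean.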