- a beautiful place

Security tools

February 8, 2006 at 2:10 am - 4166 words, reading time ~13 minutes

Choose a section of interest

Attack tools (back to top)

Nessus vulnerability scanner Formerly open source vulnerability assessment tool

The Nessus Security Scanner is a security auditing tool (remote network security auditor). It makes possible to test security modules in an attempt to find vulnerable spots that should be fixed. It is made up of two parts: a server and a client. The server/daemon, nessusd, is in charge of the attacks, whereas the client, nessus, interferes with the user through nice X11/GTK+ interface. It performs over 1200 remote security checks and allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems. It was open source for many years, but they turned proprietary in late 2005. [ Windows client ]

Metasploit The evolution of exploit frameworks

The Metasploit Framework is a complete environment for writing, testing, and using exploit code. This environment provides a solid platform for penetration testing, shellcode development, and vulnerability research.

SAINT Vulnerability scanner

SAINT (Security Administrator's Integrated Network Tool) is a security assesment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature rich HTML interface.

Whisker / Libwhisker Rain.Forest.Puppy's CGI vulnerability scanner and library

The primary purpose of whisker is to be a URL scanner, which is used to search for known vulnerable CGIs on websites. Whisker does this by both scanning the the CGIs directly as well as crawling the website in order to determine what CGIs are already currently in use.

IIS Internet Security Scanner

Internet Scanner performs scheduled and selective probes of communication services, operating systems, applications and routers to uncover and report systems vulnerabilities that might be open to attack.

Acunetix Web Vulnerability Scanner

Acunetix WVS automatically checks your web applications for SQL Injection, XSS other web vulnerabilities.

SQL Power Injector

SQL Power Injector is an application created in .Net 1.1 that helps the penetrating tester to inject SQL commands on a web page.
For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the command that someone will put in the parameter sent to the server.


AccessDiver is a software which can detect security failures on your web pages. It has multiple efficient tools which will verify the robustness of your accounts and directories accurately.

Wikto Web Server Assessment Tool

Windows-based tool will scan a host for all the entries in the Google Hacking Database, and does much more, including full web-based vulnerability scanning. There really are too many features to list, but if you want to protect a server from web-based and Google-based attackers, Wikto's a great place to start.


A suite of powerful tools for sniffing networks for passwords and other information, network auditing and penetration testing. Includes sophisticated techniques for defeating the "protection" of network switchers. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). Arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). Sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial DSniff Windows port is available.

GFI LANguard Network Security Scanner

GFI LANguard N.S.S. scans your entire network, IP by IP, and provides information such as service pack level of the machine, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results can easily be analyzed using filters and reports, enabling you to proactively secure your network ‚?? for example, by shutting down unnecessary ports, closing shares, installing service packs and hotfixes, etc.

Retina Network Security Scanner

Retina can scan every machine on your network, including a variety of operating systems, networked devices, databases and third-party or custom applications, all in record time.

HPing Command-line TCP/IP packet assembler/analyzer

HPing2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can: test firewall rules, perform [spoofed] port scanning, test net performance using different protocols, packet size, TOS (type of service), and fragmentation, do path MTU discovery, tranfer files (even between really Fascist firewall rules), perform traceroute-like actions under different protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. hping2 is a good tool for learning TCP/IP.

SARA Security Auditor's Research Assistant

SARA is a third generation security analysis tool that is based on the SATAN model which is covered by the GNU GPL-like open license. It is fostering a collaborative environment and is updated periodically to address latest threats

SATAN Security Administrator Tool for Analyzing Networks

This is a powerful tool for analyzing networks for vulnerabilities created for sysadmins that cannot keep a constant look at bugtraq, rootshell and the like.

Ettercap In case you still thought switched LANs provide much extra security

Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.


Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. The newest version of the tool, firewalk/GTK introduces the option of using a graphical interface and a few bug fixes.

L0pht Crack

L0phtCrack is an NT password auditting tool. It will compute NT user passwords from the cryptographic hashes that are stored by the NT operation system. L0phtcrack can obtain the hashes through many sources (file, network sniffing, registry, etc) and it has numerous methods of generating password guesses (dictionary, brute force, etc).

John The Ripper

An active password cracking tool john, normally called john the ripper, is a tool to find weak passwords of your users.


Advanced packet sniffer and connection intrusion. Hunt is a program for intruding into a connection, watching it and resetting it. . Note that hunt is operating on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segments or hosts that are on switched ports.


Secure rlogin/rsh/rcp replacement (OpenSSH) OpenSSH is derived from OpenBSD's version of ssh, which was in turn derived from ssh code from before the time when ssh's license was changed to be non-free. Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist, and rsync with a secure communication channel.

TCP Wrappers

Wietse Venema's TCP wrappers library Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system.


Display network usage in top-like format ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminicent of the unix top utility. It can also be run in web mode, which allows the display to be browsed with a web browser.

NAT (NetBIOS Auditing Tool)

The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.


A portscan detecting tool Scanlogd is a daemon written by Solar Designer to detect portscan attacks on your machine

Sam Spade

Online tools for investigating IP addresses and tracking down spammers.


Mails anomalies in the system logfiles to the administrator Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit© by Trusted Information Systems Inc.(TIS). . Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. This program is free to use at any site. Please read the disclaimer before you use any of this software.


grep for network traffic ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.


A GTK based network "swiss-army-knife" Cheops gives a simple interface to most network utilities, maps local or remote networks and can show OS types of the machines on the network.


Routines for the construction and handling of network packets. libnet provides a portable framework for low-level network packet writing and handling. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary functionality. Still in it's infancy however, the library is evolving quite a bit. Additional functionality and stability are added with each release. Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap).

Crack / CrackLib

Crack 5 is an update version of Alec Muffett's classic local password cracker. Traditionally these allowed any user of a system to crack the /etc/passwd and determine the passwords of other users (or root) on the system. Modern systems require you to obtain read access to /etc/shadow in order to perform this. It is still a good idea for sysadmins to run a cracker occasionally to verify that all users have strong passwords.

Defense tools (back to top)


Flexible packet sniffer/logger that detects attacks Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. Snort uses a flexible rule based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.

ACID Analysis Console for Intrusion Databases

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

OSSIM Open Source Security Information Management

IP Filter

IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.


IP packet filter administration for 2.4.X/2.6.X kernels Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The iptables tool also supports configuration of dynamic and static network address translation.

Abacus Portsentry

Portscan detection daemon PortSentry has the ability to detect portscans(including stealth scans) on the network interfaces of your machine. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule. It is part of the Abacus program suite. Note: If you have no idea what a port/stealth scan is, I'd recommend to have a look at before installing this package. Otherwise you might easily block hosts you'd better not (e.g. your NFS-server, name-server, etc.)

Port Knocking

Port knocking is a method of establishing a connection to a networked computer that has no open ports look up ports on look up ports on FOLDOC . Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall look up firewall on look up firewall on FOLDOC rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may used to trigger the closing of the port.


A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

Generic tools (back to top)

NetCat The network swiss army knife

TCP/IP swiss army knife A simple Unix utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

TCP Dump / WinDump The classic sniffer for network monitoring and data acquisition

A powerful tool for network monitoring and data acquisition This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect "ping attacks" or to monitor the network activities. There is a separate Windows port named WinDump. TCPDump is also the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other utilities. Note that many users prefer the newer Ethereal sniffer.


Ethereal is a free network protocol analyzer, traffic analyzer, or "sniffer" for Unix and Windows. It uses GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called tethereal is included.

Fuzzer (back to top)

Various tools and papers found on the net. If you known any other please let me know!

Web (back to top)

Todo, sorry!

Proxy (back to top)

We have a dedicated page for this category, please refer to Proxy tools. You'll find online services and lists plus the selection of host based software for Microsoft Windows and Linux / BSD / *NIX host based software.

Reed's Alert! Got something burning? Tell USH team.
THP USH (HTTPS) Wisec DigitalBullets TheHackersPlace network