Linux is one of the secured operating system. However, With the world of crackers (Evil minded Geeks & Hackers) Linux is also not so secure as we think.

Step 1: How to secure SSH port in Linux server?

Gaining SSH root access is the primary goal of every crackers around. Once they could get root access., They will install rookkits, keyloggers, mail bombs and etc. So, They usually try to gain access to your server using some formal password combinations.  They attempt to login to your server using bruteforce method.

SSH always runs on port number 22

You have to change it to some non-default number like., 2323 or 3009  some number that is hard to guess.

/etc/ssh/sshd_config

above file is the default ssh configuration file. You can change its “Port” value by opening it using Vi or Nano.  CentOS Documentation has clear information about how to change linux server ssh port to a non-standard number. This instructions applies for any redhat kernel based distro.

Step 2: Always check your /tmp folder

It is like., Checking your trash can of your bedroom for any hidden cams. Yes., Some crackers upload a *.php  *.py *.sh files to your server’s /tmp file and let them to become a primary spamming bot in your server.  You have to always try to find if there are any suspicious file around there in /tmp and delete them.  Usually deleting the file wont pay off. You have to find the source loop hole that allows such file in /tmp . You have to audit your web applications that allows file-uploads and anonymous FTP uploads to your server.

Step 3: Disable Anonymous FTP Service

Enabling anonymous FTP service is most like., Inviting robbers by opening your house window.

/etc/proftpd.conf

/etc/vsftpdvsftpd.conf

Simply disable anonymous FTP.

Step 3:  Always use SFTP and completely stop using FTP

SFTP is more secure than you think. Most windows based ftp clients such as filezilla, smartftp & coreftp could be affected by many malwares and it will upload “Trojan Horse JavaScript” code to your website files. I personally got affected my many javascript trojans because of virus infected ftp client transfers.  This wiki page has clear & simple information about how to install SFTP

Step 4:  How to disable direct file or image hotlinking?

Lets say you have a cool picture file in your website. http://mywebsite.com/images/picture.jpg  . If  a guy puts your file in his website and lets say his website has thousands of visitors per day., Then, You will be endup paying money for your excessive bandwidth. Disabling hotlink is like., Saving money in your server bandwidth. This is one of the best tool that lets your to generate .htaccess code for hotlink protection.

Its getting hit by Trojan virus:

Read the News about Thousands of infected websites.

A lot of sites are now being attacked with JavaScript Trojans

the server is not attacked by virus , this happens to both Linux and windows server sites.

so it is doesnt look like a server based attack

How this happens?

when the computer from where you upload data thru FTP/fp is infected , it injects some JavaScript to all html files.

so how you can prevent this happening is keep your pc up2date by having recent antivirus,antispyware and then change your ftp logins.

If there is a Repeating same pattern of JavaScript on 100s of your files you have a shell script for Linux server users that can remove these injected javascript .

so you can request your host or you yourself can run this on your shell

find ./ -type f -exec sed -i ‘/unescape/d’ {} \;

this command will remove all the lines with pattern ‘unescape’

some virus has lines of function okban, in that case you can try pattern ‘okban’

it depends on your need.

you can do the same with a software called GrepWin for replacing/searching PERL Regular Expression patterns on your files

http://tools.tortoisesvn.net/grepWin

use it to search for patterns and replace with null or use the options to delete those lines

this can be either used on a windows server or client side (but then you have to upload all modified files again )

Learn how to get Admin access in a XP machine.


Source: http://fadeproofonline.com/?p=171

Make Sure To Read All Of This Post Before Doing Anything, If You Don’t Understand It ALL, Do Not Continue

Install NTFS Support
yum -y install fuse fuse-libs ntfs-3g ntfsprogs ntfsprogs-gnomevfs

Check Your Partitions
Use fdisk to list partitions. Most ATA hard drives will be /dev/hda. Drives may also show up as /dev/hdb or /dev/sda depending on your configuration.
fdisk -l
(find all NTFS labels, using the partitions you want below)

Create Mount Points
For every partition in step 2 that you wish to access, you will need a “mount point”. A mount point is just a directory. Common directories are: /media/ and /mnt/. Use whichever, but be consistent.
cd /media/
mkdir c d e
(no spaces for the mount name, put a space between each “folder” you want to make)

Mount Partitions(first time)
Using NTFS-3G, we mount the NTFS partition using read-write.
mount /dev/hda1 /media/c -t ntfs-3g -rw -o umask=0000,force
mount /dev/hda2 /media/d -t ntfs-3g -rw -o umask=0000,force
mount /dev/hda3 /media/e -t ntfs-3g -rw -o umask=0000,force
(remember to only mount NTFS partitions this way, never leave out “force” else fedora may cause partition errors)

Install gedit Editor(including the stars)
yum -y install *gedit*

Fedora Boot Mounting
gedit /etc/fstab

Add mount lines to the END of the file you just opened in gedit
/dev/hda1 /media/c ntfs-3g rw,defaults,umask=0000,force 0 0
/dev/hda2 /media/d ntfs-3g rw,defaults,umask=0000,force 0 0
/dev/hda3 /media/e ntfs-3g rw,defaults,umask=0000,force 0 0

Hints:
hda# should be changed to your drive numbers, delete the extra commands…
c,d,e should be changed to whatever you want JUST NO SPACES IN THE NAMES

Deviating from this tutorial might damage your ntfs, this is proven to work over 9 months

How to Identify:
File Size equals 208Kb, uses a folder Icon the same name as parent folder,
but is an executable:
NB: Turn on view of system files and hidden files, also show file extension
types.

Removal instructions (Some of the info below was from AGV forum)
Description of what it does:
I you enter a directory it creates an exe of that directory, eg
Enter the directory c:\Program Files\ and it will create Program Files.exe

Properties of Program Files.exe:
Version:
Comments – Butterfly.
File version – 1.00
Internal name – My Things
Language – English(United states)
Legal Trademarks – 2007
Orignal file name – My Things.exe
Product Name – butterfly

Ensure you set the PC to show hidden and system files and file extensions.
Where it is located:
Registery:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
That is the entry that starts the bug.

Physical location if windows XP:
c:\WINDOWS\Help\sched.exe or schedl.exe

If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe

How to stop it:
0) Turn off system restore
1) Open Task Manager goto Processes sort by Image Name. Find the sched.exe
and kill it.
2) Delete the entry from the registery
3) Delete the sched.exe file
4) Need to find all the infected *.exe and delete them. If you run them, it
will reinstall itself.
5) Search for *.exe from 01 May 2007 to present, look for hidden files with
a maximum size of 209Kb and make a detailed list of them.
6) Check the properties. If they match delete them! Empty the recycle bin
(Safety net incase any valid files are deleted).
7) Restart machine and check 1) to 3).
If the user is using Offline files and folders and has no reason to be
using them, clear the offline folder cache by using Shift + left CTRL +
Deltete then disable offline files and folders.
9) Reboot and re-check 1, 2 and 3
10) The user may have browsed to network shares and used a memory stick, mp3
player or cellphone to view or store data. Run from step 5 to search and
delete the dormant virus files.

You can add the following basic script to the beginning (must be beginning)
of a logon batch file to kill the virus on a XP workstation. (Can also be
added as a startup script via a GPO).

rem ************************************************** **
rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
rem ************************************************** **
echo This batch will kill the schedl.exe
echo process and remove it from startup
echo —————————————
rem —————————————
taskkill /F /IM schedl.exe /T
REG DELETE
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run” /v schedl
/f

del /ah c:\WINDOWS\Help\schedl.exe
cls
echo Completed “schedl.exe” removal

Explorer stays very slow after the reboot!

This is a temporary fix until the AV vendors recognise this as a virus and
provide a fix with a system clean. We are unsure as to what else this bug
gets upto. It is possible that your antispam box will hammered with
x@yourdomain.x!

Fix by: Mark
Source: http://forums.techarena.in/showthread.php?s=edf51f2ef2d263961aec2ede790d5a5a&t=761551

Installing Apache binary
There are no special steps needed to build the Apache binary in order to install it in a chroot jail. The following steps apply equally to a precompiled binary (such as an RPM) or one you have compiled yourself. Starting with a working binary helps with debugging later, if necessary. Just make sure that you are using the latest patched version of the server, install Apache normally, and ensure that it is working as expected.

Finally, make sure you configure Apache to run with its own user and group IDs. Create a user and group with the commands:

# groupadd apache
# useradd -c “Apache Server” -d /dev/null -g apache -s /bin/false apache
These commands create the regular user apache and the apache group. Apache runs as nobody by default. User nobody may be used by many processes, and if it is compromised an intruder will gain access to all processes on your system running under that UID.
Creating the chroot tree
Our chroot jail is a mini-version of the Linux filesystem. I prefer to use a seperate partition mounted as /chroot, with Apache under a directory named httpd on my chroot partition.

# mkdir /chroot/httpd

# mkdir /chroot/httpd/dev

# mkdir /chroot/httpd/lib

# mkdir /chroot/httpd/etc

# mkdir -p /chroot/httpd/usr/sbin

# mkdir /chroot/httpd/usr/lib

# mkdir /chroot/httpd/usr/libexec

# mkdir -p /chroot/httpd/var/run

# mkdir -p /chroot/httpd/var/log/apache

# mkdir -p /chroot/httpd/home/httpd

Now set the permissions on your directory structure:

# chown -R root /chroot/httpd

# chmod -R 0755 /chroot/httpd

# chmod 750 /chroot/httpd/var/log/apache/

Your exact structure may vary slightly depending upon what features of Apache you are using and where the nescessary libraries live on your main file system.
Once you have created the nescessary directories you need to create the null device.

# mknod  /chroot/httpd/dev/null c 1 3

# chown root.sys /chroot/httpd/dev/null

# chmod 666 /chroot/httpd/dev/null

You need the null device and /chroot/httpd/var/log/httpd/ because, when run in chroot jail, Apache sees the /chroot/httpd directory as the equivalent of /. This means that it cannot access /dev/null or /var/log on the normal filesystem.
Copying the nescessary files
Now shut down Apache, run killall httpd, and you’re ready to start copying across the necessary files. Note that some directory names may be different in your case depending upon how you originally installed Apache. First, copy your configuration files:
# cp -r /etc/apache /chroot/httpd/etc/
Next, copy your Apache DocumentRoot and CGI scripts:
# cp -r /home/httpd/html /chroot/httpd/home/httpd/
# cp -r /home/httpd/cgi-bin /chroot/httpd/home/httpd/
Now copy your httpd binary (and, if you use them, the Apache scripts) from /usr/sbin:
# cp /usr/sbin/httpd /chroot/usr/sbin/
# cp /usr/sbin/apache* /chroot/usr/sbin/
If you use mod_ssl you need to copy the /etc/ssl directory and its contents too:
# cp -a /etc/ssl /chroot/httpd/etc/
You should also copy any modules from your original install:
cp -r /usr/libexec/apache /chroot/httpd/usr/libexec/
Once you have copied Apache itself (and ssl if needed) you need to copy all of the shared libraries Apache relies on to run. To find out which libraries you need, execute # ldd /chroot/httpd/usr/sbin/httpd. This should give output something like:

/lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40017000)

libm.so.6 => /lib/libm.so.6 (0x40037000)

libcrypt.so.1 => /lib/libcrypt.so.1 (0x40059000)

libdb.so.2 => /lib/libdb.so.2 (0x40086000)

libexpat.so.0 => /usr/lib/libexpat.so.0 (0x40096000)

libdl.so.2 => /lib/libdl.so.2 (0x400b6000)

libc.so.6 => /lib/libc.so.6 (0x400b9000)

/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

The exact output will depend upon how your httpd binary was built in the first place. Copy the required files to their respective directories in your chroot:

# cp /lib/libsafe* /chroot/httpd/lib/

# cp /lib/libm* /chroot/httpd/lib/

# cp /lib/libcrypt* /chroot/httpd/lib/

# cp /lib/libdb* /chroot/httpd/lib/

# cp /usr/lib/libexpat* /chroot/httpd/usr/lib/

# cp /lib/libdl* /chroot/httpd/lib/

# cp /lib/libc* /chroot/httpd/lib/

# cp /lib/ld-* /chroot/httpd/lib/

You need certain libraries for some standard networking functionality:

# cp /lib/libnss_compat* /chroot/httpd/lib/

# cp /lib/libnss_dns* /chroot/httpd/lib/

# cp /lib/libnss_files* /chroot/httpd/lib/

# cp /lib/libnsl* /chroot/httpd/lib/

The /chroot/httpd/etc configuration files
For Apache to function properly you also need several configuration files from /etc. First, edit the /etc/passwd and /etc/group files. These should contain only entries for the Apache user and group you created earlier. For example:

/etc/passwd:

apache:x:12347:12348:Apache Server:/dev/null:/bin/false

/etc/group:

apache:x:12347:

You also need several network configuration files:

# cp /etc/hosts /chroot/httpd/etc/

# cp /etc/host.conf /chroot/httpd/etc/

# cp /etc/resolv.conf /chroot/httpd/etc/

# cp /etc/nsswitch.conf /chroot/httpd/etc/

For extra security you can set the immutable bit on these configuration files. When the immutable bit is set, root has to specifically unset it before a file can be modified, making it much harder for an intruder to tamper with the files:

# chattr +i /chroot/httpd/etc/hosts

# chattr +i /chroot/httpd/etc/host.conf

# chattr +i /chroot/httpd/etc/resolv.conf

# chattr +i /chroot/httpd/etc/nsswitch.conf

# chattr +i /chroot/httpd/etc/passwd

# chattr +i /chroot/httpd/etc/group

In order that the log files be written with the correct time, you need to check /etc/localtime. localtime is a symlink to a file in /usr/share/zoneinfo. To find out which file, run ls -l /etc/localtime and copy the appropriate file to /chroot/httpd/etc/localtime.
By default, syslogd monitors log files only in /var/log. The chrooted httpd daemon will write its logs to /chroot/httpd/var/log, however, so you need to tell syslogd to monitor this directory too. To change this you need to edit the appropriate startup script, /etc/rc.d/rc.syslog or /etc/rc.d/init.d/syslog, depending upon your distro.
For /etc/rc.d/rc.syslog change daemon syslogd -m 0 to daemon syslogd -m 0 -a /chroot/httpd/dev/log.
For /etc/rc.d/rc.syslog change:

    echo -n " /usr/sbin/syslogd"

    /usr/sbin/syslogd

to:

    echo -n " /usr/sbin/syslogd"

    /usr/sbin/syslogd -m 0 -a /chroot/httpd/dev/log

It is a good idea to create the nescessary log files and set the appendable bit on them too.

# touch /chroot/httpd/var/log/apache/access_log

# touch /chroot/httpd/var/log/apache/error_log

# chmod 600 /chroot/httpd/var/log/apache/*

# chattr +a /chroot/httpd/var/log/apache/*

Finally, you need to change the httpd startup script to run the chrooted httpd. Depending on your distro, open up /etc/rc.d/rc.httpd or /etc/rc.d/init.d/httpd and change the command that starts the httpd daemon to read /usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd.
Testing the server
If you have not already done so you should shut down the httpd daemon now. Next, restart the syslog daemon: /etc/rc.d/rc.syslog restart (or /etc/rc.d/init.d/syslog restart accordingly). Now start the chrooted version of Apache with /etc/rc.d/rc.httpd start (or /etc/rc.d/init.d/httpd start).
If there are no errors, check the daemon is running with the command ps -aux | grep httpd. You should see several entries indicating a running httpd process. Taking the process number from the output of ps and running ls -l /proc/PROC_NUMBER/root/ should show the structure of your /chroot/httpd rather than your server’s / filesystem.
If something has gone wrong, you should try running your chrooted httpd with strace. The command # strace chroot /chroot/httpd /usr/sbin/httpd 2> httpd.strace redirects the output of strace to a file named httpd.strace which should give you an idea where the problem lies.
Once everything is running you can remove your original Apache install.
Summary

Although chroot can be used to help create a more secure environment, it is not perfect. You still need to keep your Web server patched up to date and monitor your logs. Your chroot environment should help to contain a potential breakin and protect your system’s main filesystem from unseen vulnerabilities in your Web server.

Fedora is the thought and action leader in many cutting-edge Linux security
initiatives. The following security features were developed by Fedora engineers.
In line with the Fedora policy, these security features have been pushed
upstream and they are available to all Linux distributions who choose
to take advantage of them.

SELinux

Fedora is the first mainstream operating system to provide MAC (Mandatory Access Control) based security using SELinux enabled by default. SELinux was developed in partnership with the NSA (National Security Agency) – A US based goverment security organisation and Red Hat with developers from projects such as Gentoo and Debian. Security Enhanced Linux protects users and processes by watching all actions on the system, from opening a file to using a socket. Users may write their own SELinux security policies according to their risk tolerance. By default, Fedora runs a targeted security policy that protects network daemons that have a higher chance of being attacked. If compromised, these programs are extremely limited in the damage they can do, even if the root account is cracked.

For example, Apache is protected in four different ways. The executable for Apache, httpd, is protected at compile time by PIE and Exec-Shield. The executable binary file on the system is protected by ELF hardening. Finally, SELinux policies are in place so that if httpd is cracked, it can only append to the Apache logs and mangle content in specific directories; it cannot roam around home directories or otherwise interact with the rest of the system.

References:

http://fedoraproject.org/wiki/SELinux

Exec-Shield

No eXecute (NX)

Modern processors support a feature called NX which allows a system to control the execution of various portions of memory. Data memory is flagged as non-executable and program memory is flagged as non-writeable. This help prevent certain types of buffer overflow exploits from working as expected.

Since not all processors support the NX feature, attemptes have been made to support this feature via segment limits. A segment limit will prevent certain portions of memory from being executed. This provides very similar functionality to NX technology.

Position Independent Executables (PIE)

PIE is an Exec-Shield technology that allows a programmer to make the executable load at a different memory address each time it starts. Attackers cannot predict where the application will start, making it very hard to exploit. Not all packages are compiled as PIE executables in Fedora Core. Using PIE causes a fair amount of processing overhead, so only select packages are compiled as PIE executables.

Applications that are not compiled as PIE, still have a small amount of added protection. The usage of prelink does place binaries and libraries at known locations. Fedora Core contains a feature which runs prelink every two weeks at which time the memory locations of binaries and libraries is randomized. Applications that are compiled as PIE do not use prelink, all memory addresses are randomized with each execution.

Compile Time Buffer Checks (FORTIFY_SOURCE)

GCC compiler and GLIBC C library from Fedora Core 4 onwards has gained a feature called “FORTIFY_SOURCE” that will detect and prevent a subset of the buffer overflows before they can do damage. The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it’s a fixed sized buffer on the stack, as in the example, or if the buffer just came from a malloc() function call). With a known buffer size, functions that operate on the buffer can make sure the buffer will not overflow.

References:

http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

ELF (Executable and Linkable Format) Data Hardening

These are changes to the file components that protect the structure of the file itself.

References:

http://people.redhat.com/drepper/nonselsec.pdf

Restricted Kernel Memory access

Fedora restricts how the kernel memory (/dev/mem) can be overwritten. This prevents several rootkits from functioning resulting in a safer and more secure system.

References:

http://lwn.net/Articles/160380/

Stack Smash Protection, Buffer Overflow Detection and Variable Reordering

For this release, all of the software in the Fedora Core and Fedora Extras software repositories is compiled using a security feature called fstack-protector. fstack-protector puts a canary value on the stack of key functions. Just before the return address and just before returning from that value, that canary value is verified. If there was a buffer overflow, the canary no longer matches and the program aborts. The canary value is random for each time the application is started and makes it impossible to guess remotely. This is a security feature that has been backported from GCC 4.1 to the version of the GCC compiler used in Fedora Core 5 test1. This feature

[http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html) has been written by Red Hat developers and provides similar functionality to the IBM propolice/ssp patches.

This is in addition to using FORTIFY_SOURCE from Fedora Core 4 onwards.

References:

http://gcc.gnu.org/gcc-4.1/changes.html

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Why we need Tor

Using Tor protects you against a common form of Internet surveillance known as “traffic analysis.” Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.

How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that’s an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you’re doing and, possibly, what you’re saying. That’s because it focuses on the header, which discloses source, destination, size, timing, and so on.

Useful Links:
Tor Home Page
Tor Overview
Download Links:
Linux/Unix packages
Mac OS X 10.4 (Tiger)
Windows Installer

Wireshark : Sniffing the glue that holds the Internet together

Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

Kismet : A powerful wireless sniffer
Kismet is an console (ncurses) based 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, …

Tcpdump : The classic sniffer for network monitoring and data acquisition
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn’t receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.

Cain and Abel : The top password recovery tool for Windows
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.

Ettercap : In case you still thought switched LANs provide much extra security
Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Dsniff : A suite of powerful network auditing and penetration-testing tools
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.

NetStumbler : Free Windows 802.11 Sniffer
Netstumbler is the best known Windows tool for finding open wireless access points (“wardriving”). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as >Kismet or KisMAC.

Ntop : A network traffic usage monitor
Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user’s terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

Ngrep : Convenient packet matching & display
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

EtherApe : EtherApe is a graphical network monitor for Unix modeled after etherman
Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color coded protocols display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

KisMAC : A A GUI passive wireless stumbler for Mac OS X
This popular stumbler for Mac OS X offers many of the features of its namesake Kismet, though the codebase is entirely different. Unlike console-based Kismet, KisMAC offers a pretty GUI and was around before Kismet was ported to OS X. It also offers mapping, Pcap-format import and logging, and even some decryption and deauthentication attacks.

Snort : A Everyone’s favorite open source IDS
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.

Open source Snort works fine for many individuals, small businesses, and departments. Parent company SourceFire offers a complimentary product line with more enterprise-level features and real-time rule updates. They offer a free (with registration) 5-day-delayed rules feed, and you can also find many great free rules at Bleeding Edge Snort.

OSSEC HIDS : An Open Source Host-based Intrusion Detection System
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.
Fragroute/Fragrouter : A network intrusion detection evasion toolkit
Fragrouter is a one-way fragmenting router – IP packets get sent from the attacker to the Fragrouter, which transforms them into a fragmented data stream to forward to the victim. Many network IDS are unable or simply don’t bother to reconstruct a coherent view of the network data (via IP fragmentation and TCP stream reassembly), as discussed in this classic paper. Fragrouter helps an attacker launch IP-based attacks while avoiding detection. It is part of the NIDSbench suite of tools by Dug Song. Fragroute is a similar tool which is also by Dug Song.

BASE : The Basic Analysis and Security Engine
BASE is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls, and network monitoring tools. Its features include a query-builder and search interface for finding alerts matching different patterns, a packet viewer/decoder, and charts and statistics based on time, sensor, signature, protocol, IP address, etc.

Sguil : The Analyst Console for Network Security Monitoring
Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides realtime events from Snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts.

Metasploit Framework : Hack the Planet

Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.

Core Impact : An automated, comprehensive penetration testing product
Core Impact isn’t cheap (be prepared to spend tens of thousands of dollars), but it is widely considered to be the most powerful exploitation tool available. It sports a large, regularly updated database of professional exploits, and can do neat tricks like exploiting one machine and then establishing an encrypted tunnel through that machine to reach and exploit other boxes. If you can’t afford Impact, take a look at the cheaper Canvas or the excellent and free Metasploit Framework. Your best bet is to use all three.

Canvas : A Comprehensive Exploitation Framework
Canvas is a commercial vulnerability exploitation tool from Dave Aitel’sImmunitySec. It includes more than 150 exploits and is less expensive than Core Impact, though it still costs thousands of dollars. You can also buy the optional VisualSploit Plugin for drag and drop GUI exploit creation. Zero-day exploits can occasionally be found within Canvas.

Hping2 : A network probing utility like ping on steroids

This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

Scapy : Interactive packet manipulation tool
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make.

Nemesis : Packet injection simplified
The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux (and now Windows!). The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.

Yersinia : A multi-protocol low-level attack tool
Yersinia is a low-level protocol attack tool useful for penetration testing. It is capable of many diverse attacks over multiple protocols, such as becoming the root role in the Spanning Tree (Spanning Tree Protocol), creating virtual CDP (Cisco Discovery Protocol) neighbors, becoming the active router in a HSRP (Hot Standby Router Protocol) scenario, faking DHCP replies, and other low-level attacks.

THC Amap : An application fingerprinting scanner

Amap is a great tool for determining what application is listening on a given port. Their database isn’t as large as what Nmap uses for its version detection feature, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service. Amap even knows how to parse Nmap output files. This is yet another valuable tool from the great guys at THC.

Nbtscan : Gathers NetBIOS info from Windows networks
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Ike-scan : VPN detector/scanner
Ike-scan exploits transport characteristics in the Internet Key Exchange (IKE) service, the mechanism used by VPNs to establish a connection between a server and a remote client. It scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence. The tool then remains silent and monitors retransmission packets. These retransmission responses are recorded, displayed and matched against a known set of VPN product fingerprints. Ike-scan can VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard.

SPIKE Proxy : HTTP Hacking
Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.

Angry IP Scanner : A fast windows IP scanner and port scanner

Angry IP Scanner can perform basic host discovery and port scans on Windows. Its binary file size is very small compared to other scanners and other pieces of information about the target hosts can be extended with a few plugins.

Superscan : A Windows-only port scanner, pinger, and resolver
SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone. It includes a variety of additional networking tools such as ping, traceroute, http head, and whois.

Unicornscan : Not your mother’s port scanner
Unicornscan is an attempt at a User-land Distributed TCP/IP stack for information gathering and correlation. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Some of its features include asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive remote OS, application, and component identification by analyzing responses. it isn’t for the faint of heart.

Scanrand : An unusually fast stateless network service and topology discovery system
Scanrand is a stateless host-discovery and port-scanner similar in design to Unicornscan. It trades off reliability for amazingly fast speeds and uses cryptographic techniques to prevent attackers from manipulating scan results. This utility is a part of a software package called Paketto Keiretsu which was written by Dan Kaminsky.

Netfilter : The current Linux kernel packet filter/firewall

Netfilter is a powerful packet filter implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multiple API layers for 3rd party extensions. It includes many different modules for handling unruly protocols such as FTP. For other UNIX platforms (OpenBSD specific), or IP Filter. Many personal firewalls are available for Windows (Tiny,Zone Alarm, Norton, Kerio, …), though none made this list. Microsoft included a very basic firewall in Windows XP SP2, and will nag you incessantly until you install it.

Openbsd PF : The OpenBSD Packet Filter
Like Netfilter and IP Filter on other platforms, OpenBSD users love PF, their firewall tool. It handles network address translation, normalizing TCP/IP traffic, providing bandwidth control, and packet prioritization. It also offers some eccentric features, such as passive OS detection. Coming from the same guys who created OpenBSD, you can trust that it has been well audited and coded to avoid the sort of security holes we have seen in other packet filters.

IP Filter : Portable UNIX Packet Filter
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services. It can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required. IP Filter is distributed with FreeBSD, NetBSD, and Solaris.

Sysinternals : An extensive collection of powerful windows utilities

Sysinternals provides many small windows utilities that are quite useful for low-level windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with:

• ProcessExplorer for keeping an eye on the files and directories open by any process (like LSoF on UNIX).
• PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
• Autoruns for discovering what executables are set to run during system boot up or login.
• RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
• TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).

Update: Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals’ advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code. Future product direction is uncertain.

Tripwire : The grand-daddy of file integrity checkers
A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. An open source Linux version is freely available at Tripwire.Org. UNIX users may also want to consider AIDE, which has been designed to be a free Tripwire replacement. Or you may wish to investigate Radmind, RKHunter, or chkrootkit. Windows users may like RootkitRevealer from Sysinternals.

RKHunter : An Unix Rootkit Detector
RKHunter is scanning tool that checks for signs of various pieces of nasty software on your system like rootkits, backdoors and local exploits. It runs many tests, including MD5 hash comparisons, default filenames used by rootkits, wrong file permissions for binaries, and suspicious strings in LKM and KLD modules.

chkrootkit : Locally checks for signs of a rootkit
chkrootkit is a flexible, portable tool that can check for many signs of rootkit intrusion on Unix-based systems. Its features include detecting binary modification, utmp/wtmp/lastlog modifications, promiscuous interfaces, and malicious kernel modules.

Nessus : Premier UNIX vulnerability assessment tool

Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price. It is constantly updated, with more than 11,000 plugins for the free (but registration and EULA-acceptance required) feed. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones. Nessus 3 is now closed source, but is still free-of-cost unless you want the very newest plugins.

GFI LANguard : A commercial network security scanner for Windows
GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running. I also tries to collect Windows machine’s service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches. A free trial version is available, though it only works for up to 30 days.

Retina : Commercial vulnerability assessment scanner by eEye
. Retina’s function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.

Core Impact : An automated, comprehensive penetration testing product
Core Impact isn’t cheap (be prepared to spend tens of thousands of dollars), but it is widely considered to be the most powerful exploitation tool available. It sports a large, regularly updated database of professional exploits, and can do neat tricks like exploiting one machine and then establishing an encrypted tunnel through that machine to reach and exploit other boxes. If you can’t afford Impact, take a look at the cheaper Canvas or the excellent and free Metasploit Framework. Your best bet is to use all three.

ISS Internet Scanner : Application-level vulnerability assessment
Internet Scanner started off in ’92 as a tiny open source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products.

X-scan : A general scanner for scanning network vulnerabilities
A multi-threaded, plug-in-supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more. You may be able to find newer versions available here if you can deal with most of the page being written in Chinese.

Sara : Security Auditor’s Research Assistant
SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).

QualysGuard : A web-based vulnerability scanner
Delivered as a service over the Web, QualysGuard eliminates the burden of deploying, maintaining, and updating vulnerability management software or implementing ad-hoc security applications. Clients securely access QualysGuard through an easy-to-use Web interface. QualysGuard features 5,000+ unique vulnerability checks, an Inference-based scanning engine, and automated daily updates to the QualysGuard vulnerability KnowledgeBase.

SAINT : Security Administrator’s Integrated Network Tool
SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.

MBSA : Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.

P0f : A versatile passive OS fingerprinting tool

P0f is able to identify the operating system of a target host simply by examining captured packets even when the device in question is behind an overzealous packet firewall. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. In the hands of advanced users, P0f can detect firewall presence, NAT use, existence of load balancers, and more!

Xprobe2 : Active OS fingerprinting tool
XProbe is a tool for determining the operating system of a remote host. They do this using some of the same techniques as Nmap as well as some of their own ideas. Xprobe has always emphasized the ICMP protocol in its fingerprinting approach.