I am not calling anyone to anything, the article was written for informational purposes!
Scanners for various tasks, penetration tests, hacking.
- OpenVAS 4 is a framework of several services and tools offering a comprehensive and powerful solution for vulnerability testing and vulnerability management.
- The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode database, shellcode archive and related research.
- pig is a tool for processing Linux packages.
- Scapy is a python-based interactive batch manipulation program and library.
- Pompem is an open source tool designed to automate the search for exploits in major databases. Built on top of Python, it has an advanced search engine that makes it easier for pentesters as well as ethical hackers. In its current version, it searches databases: Exploit-db, 1337day, Packetstorm Security …
- Nmap is a free and open source utility for network exploration and security auditing.
Network monitoring, collection of data from open sources
- Justniffer 1 is a network protocol analyzer that captures network traffic and creates logs on an individual basis, can emulate Apache web server log files, track response times and extract all “intercepted” files from HTTP traffic.
- ngrep — ngrep aims to provide most of the common GNU grep features, applying them at the network level. ngrep is a pcap-enabled tool that will allow you to specify extended regular or hexadecimal expressions to match the payloads of the package data. It currently recognizes IPv4 / 6, TCP, UDP, ICMPv4 / 6, IGMP and Raw over Ethernet, PPP, SLIP, FDDI, Token Ring, and zero interfaces, and understands BPF filter logic in the same way as more common tools like tcpdump and snoop.
- passivedns is a passive DNS record collection tool to help with incident handling, network security monitoring (NSM) and general digital forensics. PassiveDNS examines traffic from an interface or reads a pcap file and writes DNS server responses to a log file. PassiveDNS can cache / merge duplicate DNS responses in memory, limiting the amount of data in the log file, without losing the essence of the DNS response.
- Sagan — uses the “Snort like” engine and rules for log analysis (syslog / event log / snmptrap / netflow / etc).
- Node Security Platform 1 — Has a similar feature set as Snyk, but is free in most cases and very cheap for other kinds of cases.
- Ntopng is a network traffic explorer that shows network usage, similar to what the popular Unix command does.
- Fibratus is a tool for exploring and tracking the Windows kernel. It is capable of capturing most of the Windows kernel activity — process / thread creation and termination, file system I / O, registry, network activity, DLL load / unload, and more. Fibratus has a very simple CLI that encapsulates mechanisms for starting a kernel event collector, installs kernel event filters, or runs lightweight Python modules called filaments.
Anti-intrusion and defense systems
- Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998. Snort is now developed by Sourcefire, where Roche is the founder and CTO. In 2009, Snort was inducted into the InfoWorld Hall of Fame as one of the “largest open source software projects of all time.”
- Bro 1 is a powerful network analysis framework that is very different from the typical IDS you might know.
- OSSEC stands for Comprehensive Open Source HIDS. Not for the faint of heart. It will take a long time to understand how it works. It is capable of performing log analysis, file integrity checking, rootkit detection, and provides real-time alert and proactive response. It works on most operating systems including Linux, macOS, Solaris, HP-UX, AIX, and Windows. There is a lot of helpful documentation to get you familiar with how it works.
- Suricata 1 is a high performance network IDS, IPS and network security monitoring engine. It is open source and owned by a community-based non-profit foundation called the Open Information Security Foundation (OISF). Suricata is developed by OISF and its supporting vendors.
- Security Onion is a Linux distribution for intrusion detection, network security monitoring and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many more security tools. Easy to use. The setup wizard lets you create an army of sensors for your enterprise in minutes!
- sshwatch — IPS for SSH, similar to DenyHosts, written in Python. It can also collect information about the attacker in the log during the attack.
- Stealth — Provides you with a file integrity checker that leaves virtually no traces. The controller is launched from another computer, which makes it difficult for an attacker to understand the fact that the file system is checked at certain pseudo-random intervals over SSH. Highly recommended for small to medium volumes of work.
- AIEngine — AIEngine is a next generation interactive / programmable Python / Ruby / Java / Lua packet tracking engine with non-human learning capabilities, Network Intrusion Detection System (NIDS) functionality, DNS domain classification, network collector, network forensics and many others.
- Denyhosts — successfully resists SSH dictionary brute force attacks, as well as brute force attacks.
- Fail2Ban — scans log files and takes appropriate action against those IP addresses that show certain signs of malicious behavior.
- SSHGuard is service security software in addition to SSH written in C.
- Lynis is an open source security inspection and monitoring tool for Linux / Unix.
Network intelligence tools Honey Pot, Honey Net
- HoneyPy 1— HoneyPy is a low to medium interaction honeypot. It is designed for easy deployment, extending functionality with plugins, and applying custom configurations.
- Conpot — ICS / SCADA Honeypot. Conpot is a small, interactive server honeypot designed for easy deployment, modification, and expansion. By providing a set of generic manufacturing control protocols, we have created the foundations for building your own system capable of emulating complex infrastructures to convince an attacker that he has just found a huge industrial complex.
- Amun — Amun is a low interaction Python based Honeypot.
- Glastopf is a Honeypot that emulates thousands of vulnerabilities to collect data on attacks targeting web applications.
- Kippo is a mid-tier SSH interoperability honeypot designed to log brute force attacks and, most importantly, all shell communication performed by an attacker.
- Kojoney is a low interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
- HonSSH is a high interaction Honey Pot. HonSSH will sit between the attacker and the honey pot, creating two separate SSH connections between them.
- Bifrozt is a DHCP server NAT device that is typically deployed with one network adapter connected directly to the Internet and one network adapter connected to the internal network. What sets Bifrozt apart from other standard NAT devices is its ability to act as a transparent SSHv2 proxy between an attacker and your honeypot.
- HoneyDrive is the premier honeypot Linux distribution. This is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS installed. It contains more than 10 pre-installed and pre-configured honeypots such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low interaction honeypots, Glastopf and Wordpot web honeypots, SCPAD / ICS Conpot honeypot, Thug honeyclients and PhoneyC other.
- Cuckoo Sandbox is an open source software for automating the analysis of suspicious files. For this, custom components are used that monitor the behavior of malicious processes while working in an isolated environment.
Capture network packets. Forensics systems
- tcpflow 1 is a program that captures data sent as part of TCP connections (streams) and stores the data in a way that is convenient for parsing and debugging the protocol.
- Xplico — The purpose of Xplico is to extract application data from Internet traffic. For example, from a pcap file, Xplico extracts every email address (POP, IMAP and SMTP), all HTTP content, every VoIP call (SIP), FTP, TFTP, etc. Xplico is not a network protocol analyzer. Xplico is an open source forensic analysis tool (NFAT).
- Moloch is an open source IPv4 packet capturing (PCAP) with indexing and database systems. A simple web interface is provided for viewing, searching and exporting PCAP. APIs are displayed that allow you to directly load PCAP data and JSON session data. Simple security is implemented with HTTPS password support and HTTP digest, or through the use of apache. Moloch is not intended to replace the IDS engine, but instead works with them to store and index all network traffic in a standard PCAP format for fast access. Moloch is built to be deployed on many systems and can scale up to handle multiple gigabits of traffic per second.
- OpenFPC is a set of tools that combine to provide a lightweight full-band network traffic recorder and buffering system. The goal of the project is to enable non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing log and alert management tools.
- Dshell 1 is a forensic analysis network. Allows you to quickly develop plugins to support network packet capture splitting.
- stenographer 1 — designed to capture packets, the purpose of which is to quickly collapse all of them to disk, and then provide easy and fast access to various subsets of these packets.