Network security tools

Tools

• Top 75 Security Tools
• arp-sk tools
• dsniff, Various tools to sniff network traffic for cleartext insecurities
• Snort, The Open Source Network Intrusion Detection System
• Scapy - Packet generator/sniffer and network scanner/discovery
  • cf excellent article in LM52 (Linux France Magazine no 52)
  • Scapy Homepage
  • Python Tutorial
• Netcat
  • Penetration Testing Tip #21: netcat ( nc ) utility resources
  • Netcat rules the net
  • How to duplicate a complete PC via network
  • Wonders of 'dd' and 'netcat' :: Cloning Operating Systems
  • Netcat6 with IPv6 support
  • CryptCat: Netcat with cryptography

My own recipes for partition to partition copy over the network (ex. copying sdb5 from source on hda1 of target):
Target (192.168.1.1):

netcat -l -p 2000 -w 5 | dd of=/dev/hda1

It will wait max 5 secs so be prepared to launch immediately the next command as well on the source.
Source (192.168.1.2):

dd if=/dev/sdb5 conv=noerror,sync | netcat 192.168.1.1 2000

We can do better:
See what happen: add |pipeview| or |pv| if you have them to get real-time statistics on speed
Without pipeview you can still provoke dd to display stats by sending signals to it:

while :; do sleep 5; killall -SIGUSR1 dd;done

Compress on the fly: add |gzip -c| on source and |gunzip -c| on target
Compute checksums on-the-fly on both sides: create a fifo and md5 it.

So the complete ideal example:
Target (192.168.1.1):

mkfifo /tmp/foo
netcat -l -p 2000 -w 5 | pipeview | gunzip -c | tee /tmp/foo | dd of=/dev/hda1
# and in another window
md5sum /tmp/foo

Source (192.168.1.2), within next 5 secs:

mkfifo /tmp/foo
dd if=/dev/sdb5 conv=noerror,sync | tee /tmp/foo | pipeview | gzip -c | netcat 192.168.1.1 2000
# and in another window
md5sum /tmp/foo

Note that pipeview will measure drive speed on the source and network speed on the target due to its relative position with gzip (which you can swap of course)

• SoCat: Netcat on steroids, if you were amazed by netcat, you've seen *nothing*!!!
  • See here how we use it to bypass proxies and there to replace minicom
  • We can also sniff a tty

socat -v -x PTY,link=/tmp/myttyUSB0,raw,echo=0,isig=0 /dev/ttyUSB0,raw,echo=0,isig=0

• Ettercap
• Wireshark

Sniff over network:

wireshark -N n -S -l -k -i <(ssh root@zeus tshark -w - not tcp port 22)
wireshark -N n -S -l -k -i <(ssh root@zeus tcpdump -s 1500 -w - -i lo not tcp port 22)

Others

• The Honeynet Project

Filtering

• IPTables Linux firewall with packet string-matching support
• Filtering packets based on string matching

cf also

• Bypass Proxy
• Forensics
• Wireless Security
• Virtual Private Network
• Securing Debian HOWTO