Ten Tools for Security Professionals

Ten security tools you can pick up and use right now (and a few extras) CSE 4/6243 January 28, 2008 Wesley McGrew [email protected]

description

A short lecture that I gave to the Information and Computer Security class at Mississippi State University this semester

Transcript of Ten Tools for Security Professionals

Page 1: Ten Tools for Security Professionals

Ten security tools you can pick up and use right now

(and a few extras)

CSE 4/6243, January 28, 2008, Wesley McGrew [email protected]

Page 2: Ten Tools for Security Professionals

Introduction

Focus is on “everyday” kinds of tools.

Many security tools are double-edged swords

The same tool that can be used to test your defenses can be used in an attack

Use these tools in the lab! Never attack a network or system without explicit and specific permission!

Page 3: Ten Tools for Security Professionals

Introduction

This list is inspired by previous “tool” lectures given by Russ Ward and myself

http://sectools.org/ also a great resource

Focus is on free tools, unless otherwise stated

also plenty of good commercial tools out there, such as Core Impact

Page 4: Ten Tools for Security Professionals

Sysinternals

Watch the network, file, and registry activity of specific Windows processes

Great for

Analyzing the behavior of known malware

Determining how programs store/transmit information

http://technet.microsoft.com/en-us/sysinternals/default.aspx

Page 5: Ten Tools for Security Professionals

FileMon - File access monitoring (legacy; superseded by Process Monitor)

Process Monitor - Real-time monitor of file system, registry, and process/thread activity; it replaces FileMon and RegMon (Process Explorer is the general-purpose task monitor)

PsTools - Command-line process tools such as PsExec, PsList, and PsKill (can work against remote hosts)

TCPView - View active TCP and UDP endpoints and the process that owns each one

RegMon - Monitor registry reads/writes (legacy; superseded by Process Monitor)

Many more

Page 6: Ten Tools for Security Professionals

Snort

Signature-based intrusion detection and prevention (IDS/IPS)

Can also be used as a general-purpose sniffer and packet logger (snort -v / -dev, or -l to log to disk)

Very powerful when used with custom rules written for your own network

snort.org and bleedingthreats.net for up-to-date signatures (the Bleeding Edge Threats rules have since moved to emergingthreats.net)
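To make the rule syntax concrete, here is an added example (my own, not from the lecture or from the snort.org rule sets) that writes a custom content/pcre rule and runs a toy evaluator for its matching options over a few constructed HTTP payloads. The rule, its sid, and the packets are all invented for the illustration; the evaluator implements only content, offset, depth, nocase and pcre, and ignores the rule header and flow, so it is a model of how those options combine, not a substitute for Snort.

```python
import re

# Constructed Snort-style rule (added example; not a rule from snort.org or
# Emerging Threats): alert on an HTTP GET whose path walks up the tree to
# /etc/passwd. The sid is from the local-rule range (>= 1000000).
RULE = (r'alert tcp any any -> any 80 (msg:"WEB directory traversal to /etc/passwd"; '
        r'flow:to_server,established; content:"GET "; depth:4; '
        r'content:"../"; nocase; pcre:"/\.\.\/.*\/etc\/passwd/i"; '
        r'sid:1000001; rev:1;)')

# Constructed TCP payloads as the rule engine would see them (not real captures).
PACKETS = [
    b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\nHost: victim\r\n\r\n",  # traversal: alert
    b"GET /index.html HTTP/1.0\r\nHost: victim\r\n\r\n",                   # clean: no alert
    b"POST /upload HTTP/1.0\r\nX-Path: ../../etc/passwd\r\n\r\n",          # not a GET: no alert
]

# One option is `name;` or `name:value;` where value may be a quoted string
# containing semicolons or escaped quotes.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a rule into its header tokens and an ordered list of (option, value)."""
    header, _, body = rule.partition("(")
    options = [(name, value.strip('"')) for name, value in OPTION_RE.findall(body.rstrip(")"))]
    return header.split(), options


def match(rule, payload):
    """Evaluate the content/offset/depth/nocase/pcre options of one rule against a payload.

    Modelled Snort semantics: each content is searched in order; offset and depth
    restrict where that content may be found; nocase applies to the content just
    before it; every pcre must match somewhere in the payload. Header fields and
    options such as flow, msg, sid and rev are ignored by this toy evaluator.
    """
    _, options = parse_rule(rule)
    contents, pcres = [], []
    for name, value in options:
        if name == "content":
            contents.append({"pattern": value.encode(), "nocase": False, "offset": 0, "depth": None})
        elif name == "nocase":
            contents[-1]["nocase"] = True
        elif name == "offset":
            contents[-1]["offset"] = int(value)
        elif name == "depth":
            contents[-1]["depth"] = int(value)
        elif name == "pcre":
            pcres.append(value)

    for c in contents:
        window = payload[c["offset"]:]
        if c["depth"] is not None:
            window = window[:c["depth"]]        # pattern must lie entirely inside the window
        haystack, needle = (window.lower(), c["pattern"].lower()) if c["nocase"] else (window, c["pattern"])
        if needle not in haystack:
            return False

    for spec in pcres:                          # spec looks like /regex/flags
        body, _, flags = spec.rpartition("/")
        pattern = body[1:] if body.startswith("/") else body
        if not re.search(pattern.encode(), payload, re.IGNORECASE if "i" in flags else 0):
            return False
    return True


def alerts(rule=RULE, packets=PACKETS):
    """Return one True/False per packet: would this rule fire on it?"""
    return [match(rule, p) for p in packets]


if __name__ == "__main__":
    header, _ = parse_rule(RULE)
    print("header:", " ".join(header))
    for fired, pkt in zip(alerts(), PACKETS):
        print("ALERT" if fired else "  ok ", pkt.split(b"\r\n")[0].decode())
```

Note that the first content ("GET " with depth:4) is case-sensitive because no nocase follows it, so a lowercase "get" request slips past this rule; that is exactly the kind of gap you find by running your own rules over sample traffic before deploying them.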

Page 7: Ten Tools for Security Professionals

Metasploit Framework

Framework for developing exploits rapidly

Many exploits for popular vulnerabilities built in

Mix and match exploits with payloads

Interfaces: command-line (msfcli), console (msfconsole), web (msfweb)

Versions 2.x and prior were written in Perl

Rewritten in Ruby with version 3

Pages 8 to 13: Ten Tools for Security Professionals (slide images only; no transcribed text)

Wireshark

Formerly known as Ethereal

Excellent packet sniffer and protocol analyzer

Built-in dissectors for most protocols

Follows TCP streams (reassembles both directions of a conversation for you)

Be very careful when viewing packets captured live: a live capture keeps every packet in RAM until you stop it, and the dissectors parse untrusted traffic, so capture with the minimum privileges you can (e.g., capture with dumpcap and open the saved file in Wireshark as an unprivileged user) and expect malformed packets to crash a dissector now and then.

Pages 15 to 19: Ten Tools for Security Professionals (slide images only; no transcribed text)
Page 20: Ten Tools for Security Professionals

Nessus

Vulnerability Scanner

Was open-source (through the 2.x releases); now closed-source but free to use, so long as you don't mind subscribing to the plugin feed (or using the registered, delayed feed for free)

Good for getting an overall view of what’s on the network, and some common vulnerabilities that may exist

Schedule vulnerability scans, track improvement

Page 21: Ten Tools for Security Professionals

Burp Suite

Java-based toolkit for attacking web applications

Proxy lets you intercept each request and change GET/POST parameters, headers, and cookies in transit before they reach the server (it recomputes Content-Length after you edit a body)

Spider maps a web app as you're using it, so you get a site map of every URL and parameter you have touched

http://www.portswigger.net/suite/
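An added example (not part of the lecture and not Burp's own code) of the edit the proxy performs when you intercept a request and change a parameter: the request, the host name bank.example, and the values below are constructed, and the detail that trips up hand-edits is made explicit, namely that Content-Length has to be recomputed after the body changes or the server will truncate or hang on the read.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request, as an intercepting proxy would see it leaving the browser
# (not a capture from a real application). 'bank.example' is a placeholder host.
SAMPLE_REQUEST = (
    b"POST /account/transfer?debug=0 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc123; role=user\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"amount=10&to=alice%40example"
)


def tamper_request(raw, query=None, cookies=None, form=None):
    """Rewrite query-string parameters, cookies and form fields of a raw HTTP/1.1
    request, then recompute Content-Length so the server still parses the body.
    Returns the new request as bytes; with no edits the request is returned unchanged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [(k.strip(), v.strip()) for k, v in (h.split(":", 1) for h in header_lines)]

    if query:                                   # edit the query string in the request line
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params.update(query)
        target = urlunsplit(parts._replace(query=urlencode(params)))

    if cookies:                                 # edit name=value pairs inside the Cookie header
        for i, (k, v) in enumerate(headers):
            if k.lower() == "cookie":
                jar = dict(p.split("=", 1) for p in v.split("; ") if "=" in p)
                jar.update(cookies)
                headers[i] = (k, "; ".join(f"{n}={val}" for n, val in jar.items()))

    if form:                                    # edit url-encoded POST fields in the body
        fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
        fields.update(form)
        body = urlencode(fields).encode("latin-1")

    # Drop the stale Content-Length and put a correct one back whenever there is a body.
    had_length = any(k.lower() == "content-length" for k, _ in headers)
    headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
    if body or had_length:
        headers.append(("Content-Length", str(len(body))))

    new_head = "\r\n".join([f"{method} {target} {version}"] + [f"{k}: {v}" for k, v in headers])
    return new_head.encode("latin-1") + b"\r\n\r\n" + body


def demo():
    """Escalate the role cookie, flip a debug flag, and change the amount in one request."""
    return tamper_request(SAMPLE_REQUEST,
                          query={"debug": "1"},
                          cookies={"role": "admin"},
                          form={"amount": "10000"})


if __name__ == "__main__":
    print(demo().decode("latin-1"))
```

The three edits are the classic checks for a web app: does the server trust a client-side role cookie, does a hidden query flag unlock debug behaviour, and is the amount validated server-side rather than only by the form. Burp does this rewriting for you; the point of the script is to show that the edit is plain text manipulation plus a corrected Content-Length.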

Pages 22 to 26: Ten Tools for Security Professionals, Burp Suite (screenshots only; no transcribed text)

Page 27: Ten Tools for Security Professionals

Kismet

The best option for wireless AP mapping, reconnaissance, and sniffing

Unlike NetStumbler and similar active scanners, which send probe requests, Kismet puts the card into monitor mode and only listens

Completely passive: it transmits nothing, so it cannot be spotted on the air

Will discover APs that other tools won't find, including ones that ignore probes or don't broadcast their SSID (Kismet recovers the name from client probe and association frames)

Wireshark can be used to analyze the packets it captures

Pages 28 to 31: Ten Tools for Security Professionals (slide images only; no transcribed text)
Page 32: Ten Tools for Security Professionals

nmap

Most versatile port scanner out there

Become familiar with the different types of scans. The most useful are:

-sS : SYN (half-open) scan; needs raw-socket privileges (root/Administrator). Without them nmap falls back to -sT, a full TCP connect scan.

-sV : Version detection; runs on top of whichever scan type you chose and completes connections to each open port to identify the service and its version

-sP : Ping sweep (host discovery only, no port scan; newer releases call this -sn)

Be aware of its defaults, especially which ports are scanned: with no -p option nmap scans only the most common ports (the top 1,000 TCP ports in current releases), not all 65,535, so a service on an unusual port is easy to miss. Use -p- when you need everything.

Pages 33 to 37: Ten Tools for Security Professionals, nmap "sightings" (screenshots only; no transcribed text)

Page 38: Ten Tools for Security Professionals

Virtual machines

Emulate a fully functional PC in software

You can install Linux/Windows/etc. on one

Use tools you normally couldn't run on your host OS

Checkpoints (snapshots) let you experiment and roll back to a clean state afterwards, e.g. after running a malware sample

Have a multi-computer lab in the convenience of one laptop

Page 39: Ten Tools for Security Professionals

Python/Perl/Ruby/etc.

Learn a scripting language

Great for small one-off tools

Be lazy! Automate things!

If you can already write C/C++/Java, it’s very easy to pick up one of these languages

Many packages/modules available for security-related activities
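An added example covering both the nmap slide above and the "be lazy, automate" point here (not code from the lecture): nmap's -oX output is easy to parse, and a short Python script can diff two scans of the same host to show what opened, closed, or changed version between runs, which is also the "track improvement" workflow from the Nessus slide. The two XML documents are constructed and trimmed to the elements the script reads; the host address and product versions are invented.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two scans of one lab host a few days apart
# (added example data, trimmed to the elements used below; not real scan output).
SCAN_MONDAY = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX mon.xml 10.0.0.5">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="5.0.51a"/></port>
</ports></host></nmaprun>"""

SCAN_FRIDAY = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX fri.xml 10.0.0.5">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy" product="Squid http proxy" version="2.7.STABLE3"/></port>
</ports></host></nmaprun>"""


def parse_open_ports(xml_text):
    """Map (ip, protocol, port) -> service banner for every open port on every live host."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                      # closed/filtered ports are not inventory
            svc = port.find("service")
            banner = "?" if svc is None else " ".join(
                x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
            result[(ip, port.get("protocol"), int(port.get("portid")))] = banner
    return result


def diff_scans(before, after):
    """Report ports that opened, closed, or changed their service banner between two scans."""
    return {
        "opened": sorted(k for k in after if k not in before),
        "closed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


if __name__ == "__main__":
    delta = diff_scans(parse_open_ports(SCAN_MONDAY), parse_open_ports(SCAN_FRIDAY))
    for kind, keys in delta.items():
        for ip, proto, port in keys:
            print(f"{kind:7} {ip} {port}/{proto}")
```

Run the same nmap command line on a schedule, keep the XML files, and feed consecutive pairs to this script; a newly opened port or a downgraded version string is the kind of change you want to hear about before an attacker does.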

Page 40: Ten Tools for Security Professionals

A few extras:

BackTrack - Live CD distro containing many of these tools

Google - In the right hands, the best recon tool you could ask for

Scapy - Python framework for sniffing and packet crafting

Tor - Anonymous browsing

OllyDbg - Windows user-mode debugger, for "design recovery" or "deep analysis" of binaries

TrueCrypt - Encrypted volumes with plausible deniability (hidden volumes)

Page 41: Ten Tools for Security Professionals

Useful Resources

milw0rm.com - Up-to-date archive of exploits (the site closed in 2009; its archive lives on at exploit-db.com)

isc.sans.org - Internet Storm Center blog

dshield.org - Aggregated statistics/trends

sectools.org - Top 100 Security Tools

securityfocus.com - Security news, articles, and tutorials