The Sleuth Kit
The Sleuth Kit (TSK) is a library and collection of command line file and volume system forensic analysis tools that allow you to investigate and analyze volume and file system data.
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
AirSAM is a desktop GUI that complements the Web based Snort Alert Monitor. AirSAM gives up to date insight into who might be attacking your network. The ultimate goal is to give audio/visual cues right at the time of the attack.
alph implements and analyses historical and traditional ciphers, providing a pipe interface in order to encrypt and decrypt block text. The program can be combined with pipes, resulting in transparent encryption/decryption with Atbash, Caesar, Vigenere, Playfair, and Vernam.
AntiExploit is an on-access exploit scanner to detect local intruders. It scans for over 3900 suspicious files, has daily database updates, and will act if a file is accessed. It uses the dazuko kernel module, which is also used by clamAV, Amavis, and other virus scanners.
ARPSpoofDetector performs active and passive detection of ARP spoofing and IP (IPv4) address collision. The program can send healing packets with regular ARP information.
attackwatch analyzes the firewall-output in near-realtime and will run scripts in response to incoming packets that got logged.
authforce is an HTTP authentication brute forcer. Using various methods, it attempts brute force username and password pairs for a site. It has the ability to try common username and passwords, username derivations, and common username/password pairs.
Automated Image and Restore
Automated Image and Restore (AIR) is a graphical user interface front-end to dd/dc3dd. This tool is designed to make the task of creating forensic images of digital media easier for investigators and incident response personnel.
Bluediving is a Bluetooth pentesting suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, and features like Bluetooth address spoofing.
Bluefog is an experimental tool designed to create large numbers of phantom Bluetooth devices.
BlueProximity helps add a little more security to the desktop. It does so by detecting a certain Bluetooth device, most likely a mobile phone, and keeping track of its distance. If it is moved away from the computer and the distance is above a certain level (no measurement in meters is possible) for a given time, it automatically locks the desktop (or starts any other shell command wanted). Once away, the computer awaits its master's return: if the device is nearer than a given level for a set time, the computer unlocks without any interaction (or starts any other shell command wanted).
bpf is the Berkeley Packet Filter.
CaclMgr is a security package that lets UNIX users control which other users may execute which UNIX commands or shell scripts with their privileges.
CCSAT (Cisco Configuration Security Auditing Tool) is a tool for automated audit of configuration security of large numbers of Cisco routers and switches. The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations. It is flexible and can report details down to individual device interfaces, lines, ACLs, and ASs, etc. CCSAT has been tested, and used for real audits, on FreeBSD, Solaris 8 and Linux. It should also work on all other major UNIX platforms (POSIX.2).
cgichk is a web vulnerability tool that automatically searches for a series of interesting directories and files on a given site.
Cmb is a small utility that creates all the possible combinations from a user mask (that includes wildcards) and dumps them to stdout.
containers is a simple implementation of containers for Linux, making secure containers as easy to create and use as a traditional chroot.
Crank is short for "CRyptANalysis toolKit". Its overall purpose is to provide a powerful and extensible environment for solving classical (pen-and-paper) ciphers, providing as much automation as possible.
cryptmount is a utility which allows an ordinary user to mount an encrypted filing system on-demand, using the device-mapper infrastructure, but without requiring superuser privileges. Filing systems can be hosted on either raw block devices or ordinary files, with loopback devices set up automatically.
CryptoHawk is a program about cryptography. It can calculate hashes (md2, md4, md5, sha-1, sha-256 and hmac). It can also perform cryptanalysis like frequency analysis for substitution ciphers and exhaustive key search for rotation ciphers, as well as searching internet databases for md5 hashes.
cvechecker reports about possible vulnerabilities on your system by scanning the installed software and matching the results with the CVE database.
DenyHosts is a Python program that automatically blocks ssh attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
DeTraS provides several tools to track development activities by registering applications that developers use on an X Window session. It also allows you to send collected data to a server and takes care of your privacy.
dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
Dyper is a framework for adding connection tracking and dynamic pinhole capabilities to stock routers/switches that allows multiport protocol communication to be maintained with other sites under least privilege while achieving maximum performance.
EsteidUtil is a wxWidgets GUI tool for managing the Estonian ID smartcard. It allows the user to see the data on the card, change PINs, and perform some basic diagnostics both on the card and on the necessary operating system configuration. The code has useful low-dependency C++ classes for other kinds of smartcard handling.
FakeBO fakes trojan server responses (Back Orifice, NetBus, etc.) and logs every attempt to a logfile, stdout/stderr or syslog. It is able to send fake pings and replies back to the client which is trying to access your system.
FBAC-LSM is a security mechanism for Linux which restricts applications based on the features they provide, such as "Web Browser" or "Image Editor".
A multiplatform, SDL/OpenGL based 3D visualization tool for network (security) information, it currently supports insecure.org's nmap and [has very very limited support for] languard XML log files.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces.
Firewall Builder for Cisco IOS ACL
Firewall Builder for Cisco IOS ACL completes a set of tools designed to manage a multi-tiered network security system. This module can generate access control list configuration for Cisco routers running IOS 12.x. The Firewall Builder GUI's built-in installer uses ssh to communicate with the router to install the generated ACL configuration. Several installation methods are provided to make sure the management workstation is not "cut off" from the router in the middle of ACL activation. Firewall Builder's built-in policy importer can be used to import existing router configurations.
Fortools_dd is a set of forensic apps, created with zenity, for use from terminal commands and bash scripts in Linux.
Frankenwall is a bash shell script intended to create a highly secure IPTables based linux firewall/router with QOS/traffic shaping/bandwidth management.
GDecrypt was written to make the use of encrypted partitions under Linux easier. It currently contains a GUI written in PyGTK for decrypting/mounting, unmounting, and encrypting partitions or container files, and it supports partitions created with TrueCrypt and LUKS.
glFlow is a robust, fast, portable, pcap-centric (D)DoS detection tool.
gnoMint is a tool for easily creating and managing certification authorities. It provides fancy visualization of all the pieces of information that pertain to a CA, such as x509 certificates, CSRs, and CRLs.
gpgutils is a set of utilities for GNUPG. It includes gpgedit, gpgsignfiles, and gpgverifyfiles. These allow encryption and code signing tasks to be simplified.
Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep.
Hamachi is a zero-configuration virtual networking system featuring an open security architecture, NAT-to-NAT traversal, and multi-platform client software.
Hashrat is a hash-generation utility that supports the md5, sha1, sha256, sha512, whirlpool, jh-244, jh256, jh-384 and jh-512 hash functions, and also the HMAC versions of those functions.
Heimdal is an implementation of Kerberos 5 that aims to be protocol compatible with existing implementations and RFC 1510. It is also reasonably compatible with the M.I.T Kerberos V5 API, supports Kerberos V5 over GSS-API (RFC 1964), includes a number of important and useful applications (rsh, telnet, popper, etc.), and is backwards compatible with Kerberos V4.
Hogwash is an intrusion detection system (IDS)/packet scrubber. Hogwash can detect attacks on your network, and if you want, filter them out.
HoneyLattice is a simple honeypot system.
Honeytrap is a network security tool written to observe attacks against TCP services. As a low-interactive honeypot, it collects information regarding known or unknown network-based attacks and thus can provide early-warning information.
HUNT is a tool for exploiting well known weaknesses in the TCP/IP protocol suite.
hwfwbypass can be used to bypass/fool hardware firewalls. The program has to be started with administrator level privileges on a server.
Hyenae is a highly flexible and platform independent network packet generator. It allows you to reproduce low level Ethernet attack scenarios (such as MITM, DoS, and DDoS) to reveal the potential security vulnerabilities of your network. Besides smart wildcard-based address randomization and a highly customizable packet generation control, Hyenae comes with a clusterable remote daemon for setting up distributed attack networks.
Injection Framework is a security tool designed to detect and research SQL injections.
ip-masq-log is a patch that can be used on a masquerading firewall (NAT) to keep a log of all the outgoing masqueraded TCP connections.
ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
IP Stack Integrity Checker tests the stability of an IP stack and its component stacks (TCP, UDP, ICMP, et al.). It does this by generating random packets of the desired protocol.
John the Ripper
John the Ripper is a password cracker, currently available for UNIX, DOS, WinNT/Win95. Its primary purpose is to detect weak UNIX passwords.
Johnny is a graphical user interface for John the Ripper. It was proposed by Shinnok.
KIside is a message digest computing and displaying tool. It computes and shows the hash code of any file as a string of hexadecimal numbers. KIside implements standard algorithms such as MD4, MD5, SHA1, SHA256, SHA384, SHA512, TIGER, RIPEMD160.
lightbar is a login enhancement for FreeBSD and Linux. It adds features from 4.4BSD, SunOS (Solaris), and HP-UX into a portable and simple login program for Linux and FreeBSD.
Linux Unified Key Setup easy-to-use-drive-encryptor (Luksus) is a script that makes it quick and easy to create encrypted volumes such as hard drives, USB sticks, and SD cards on Linux.
MAPDAV (More Accurate Password Dictionary Attack Vector) is designed to use what is known about users via the /etc/passwd file on Unix/Linux systems to generate a dynamic dictionary of more accurate guesses as to what their possible password may be.
MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. To ensure the framework remains flexible and extensible, a community-driven set of plug-ins is used to perform file analysis and data extraction. While originally designed to support malware, intrusion, and forensic analysis, the framework is well-suited to support a broader range of analytic needs.
The Monkeysphere enables you to use the OpenPGP web of trust to verify ssh connections. SSH key-based authentication is tried-and-true, but it lacks a true public key infrastructure for key certification, revocation, and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users.
The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
The Network Obfuscation and Virtualized Anti-Reconnaissance (Nova) system is an open-source software tool developed to detect network based reconnaissance efforts, to deny the attacker access to real network data while providing false information regarding the number and types of systems connected to the network.
Nstreams analyzes the streams that occur on a network. It displays which streams are generated by the users between several networks, and between the networks and the outside. It can optionally generate the ipchains or ipfw rules that will match these streams, thus only allowing what is required for the users, and nothing more.
The OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to Open AuTHentication (OATH), such as the event-based HOTP and time-based TOTP one-time passwords. It is a fork of the earlier HOTP Toolkit.
Open Computer Forensics Architecture
The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework to automate the digital forensic process, to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface. The architecture forms an environment where existing forensic tools and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and metadata from digital evidence. It aims to be highly modular, robust, fault tolerant, recursive, and scalable in order to be usable in large investigations that span numerous terabytes of evidence data and cover hundreds of evidence items.
OpenSCAP is a set of open source libraries providing an easier path for integration of the SCAP line of standards.
OpenSSH-2.3.0p1 SecurID patch
OpenSSH-2.3.0p1 SecurID patch adds integrated SecurID authentication support to OpenSSH.
OpenSSL-based signcode utility
OpenSSL-based signcode utility is used for Authenticode signing of EXE/CAB files. It also supports timestamping.
Ossim stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, give a network/security administrator a detailed view of each and every aspect of their networks, hosts, physical access devices, servers, etc.
(commercial) P-Synch is a password management software toolkit that can: synchronize user passwords across all systems and platforms; enforce enterprise-wide password strength policies; allow help desk staff to reset passwords on every system, with no special administrative rights; allow authenticated users to reset their own forgotten passwords.
(commercial) PacketDam is a software solution against Denial-of-service attacks.
PAIP is a universal filter application. It uses plugins to transmit and convert data. They can be nested, so the inner structures can become quite complex.
The pam_ccreds module provides the means for Linux workstations to locally authenticate using an enterprise identity when the network is unavailable. Used in conjunction with the nss_updatedb utility, it provides a mechanism for disconnected use of network directories.
Panoptis plans to create a network security tool (N-IDS) to detect and block DoS and DDoS attacks.
Parano is a GNOME program to create, edit and verify hashfiles. For now MD5 and SFV formats are supported.
PGSSAPI lets you selectively plug external GSSAPI security libraries into applications without having to recompile the application each time.
portreserve aims to help services with well-known ports that lie in the bindresvport() range. It prevents portmap (or other programs using bindresvport()) from occupying a real service's port by occupying it itself, until the real service tells it to release the port (generally in its init script).
pppit allows one to tunnel through a firewall which only allows proxy telnet, such as SWAN. It is a modified, special-purpose ppp daemon.
Privbind is a small tool that allows unprivileged programs to be run securely, while still allowing them to bind to privileged ports.
ProShield is a security program for Debian Linux. It helps ensure your system is secure and up-to-date by checking many different aspects of your system.
ptSCP seeks to create an easy front-end to secure file transfers using scp and ssh. It remotely resembles a popular Windows FTP client.
raddump interprets captured RADIUS packets to print a timestamp, packet length, RADIUS packet type, source and destination hosts and ports, and included attribute names and values for each packet.
rdd is a forensic copy program developed at and used by the Netherlands Forensic Institute (NFI).
The rsbac-init tool is part of the Adamantix RSBAC support tools, which make RSBAC easier to administrate. It is automatically started at system bootup and sets RSBAC kernel options through the RSBAC /proc interface. RSBAC is a Linux kernel patch providing advanced security functionality.
rwsecure parses the /var/log/secure file for invalid usernames or failed passwords to help protect against brute force and similar attacks. If there are more than three invalid or failed attempts by one IP, it will add that IP to your /etc/hosts.deny file.
SafeRelay is a certificate authority center, based on OpenSSL, for network administrators who want to deploy certificates on a LAN (local area network). SafeRelay is written in CURSEL.
Slackware Administrators Security tool kit is a set of tools and utilities to install and maintain a reasonable level of security for the Slackware Linux distribution.
Secure Network Forwarding Tunnel
SNFT is a small program that creates a double encrypted (tunnel in a tunnel, using 2 different SSH supported encryption algorithms) SSH tunnel, as well as automatically forwarding commonly used ports to your local computer through the second tunnel.
SEFlow uses the SELinux technology to provide security centered on individual data objects in a running system instead of focusing on static system facilities. Thus it is suitable to prevent accidental linking of code under open source licenses with proprietary code, making a tainting mechanism similar to the one used in the Linux kernel possible in userspace.
sha_digest is an implementation of the secure hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as described in the FIPS 180-3 standard.
Shark Cypher (Volume Gamma) is a strong cypher with a unique recursive bitwise gamma algorithm that has strong avalanche and diffusion properties.
Shishi is a free implementation of the Kerberos 5 network security system. Goals are full standards compliance, thread safe library and internationalization.
sigs provides secure digital signatures with verification at secret-key speeds. 2048-bit verification on a Pentium-100 takes under 150 microseconds.
single-honeypot simulates many services like SMTP, HTTP, POP-3, shell, and FTP.
skipfish is a high-performance, easy, and sophisticated Web application security testing tool.
Slurchin is a Web interface to a Quickcam for Notebooks Deluxe connected to a NSLU2 running Linux. (It might work for other webcams, hardware, and OSes, but it hasn't been tested.) The application allows the user to take pictures and see them through the Web. It also allows the user to check if the necessary drivers to make the camera work are installed and loaded. It requires w3camd to be installed in the device.
SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface.
sonar aims to provide automatic tools which network administrators may use to help check and test the security of their network.
squidefender is a Perl script which parses a squid log file in native format for attacks. If it finds an attack, it sends a complaint email to the ISP of the attacker.
Squidwall is a fast, small, and secure squid redirector. It is written with security in mind. It enables the administrator to build an easy to use Web interface for controlling user-, host-, or IP-based access to squid. It also does pass-through antivirus scanning with clamav.
SSHatter uses a brute force technique to determine how to log into an SSH server. It simply tries each combination in a list of usernames and passwords to determine which ones successfully log in.
sshdfilter blocks the frequent brute force attacks on ssh daemons. It does this by directly reading the sshd logging output and generating iptables rules; the process can be quick enough to block an attack before the attacker gets a chance to enter any password at all.
sshguard protects hosts from the plague of brute force attacks against ssh. Unlike many similar tools written in interpreted languages, it's independent, fast, and lightweight because it's completely written in C. Among other features, it supports IPv6 and flexible whitelisting.
sslexpire provides a remote check for SSL certificate expiration dates. It connects to host:port, retrieves the expiration date, and shows you whether it is going to expire. It can read multiple host:port entries from a config file to do mass daily checks.
SSLsplit is a tool that performs man-in-the-middle attacks against SSL/TLS encrypted network connections for network forensics and penetration testing.
ssss is an implementation of Shamir's secret sharing scheme for UNIX systems.
sydbox is a ptrace-based sandbox implementation. It intercepts system calls, checks for allowed filesystem prefixes, and denies them when checks fail.
System for Internet-Level Knowledge
SiLK (System for Internet-Level Knowledge) is a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage and analysis of network flow data, enabling network security analysts to rapidly query large historical traffic data sets. SiLK is ideally suited for analyzing traffic on the backbone or border of a large, distributed enterprise or mid-sized ISP.
Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm, allowing the user to refine the currently configured policy. After a policy has been sufficiently constructed, further alarms often indicate security problems. Policies can also be generated automatically for sandboxing purposes.
TACACS+ plugin for pppd
This plugin adds authentication, authorization, and accounting to pppd.
TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor that reads from tcpdump/libpcap capture files. It attempts to reconstruct data that has been transferred via TFTP, and may be useful in some network forensics situations.
The Autopsy Forensic Browser
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. The two together enable users to investigate volumes and file systems including NTFS, FAT, UFS1/2, and Ext2/3 in a 'File Manager' style interface and perform keyword searches.
ThePacketMaster Linux Security Server
ThePacketMaster Linux Security Server is a CD-based security auditing tool that boots and runs penetration testing and forensic analysis tools.
trapdoor2 allows remote users to execute local commands by sending 'magic cookies'. This can, e.g., be used to alter local firewalling rules so people can connect to local services after sending the magic cookie.
triggers is a lightweight, asynchronous notification mechanism to set off events in and across systems.
txtorcon is a Twisted-based asynchronous Tor control protocol implementation. Twisted is an event-driven networking engine written in Python and Tor is an onion-routing network designed to improve people's privacy and anonymity on the Internet.
uevalrun is a self-contained computation sandbox, using User-mode Linux for both compilation and execution of the program to be sandboxed.
UrlCrazy is for the study of domain name typos and URL hijacking. It can detect typo domain squatters and help protect your domain security by identifying domain names to preemptively register.
userv is a Unix system facility to allow one program to invoke another when only limited trust exists between them.
uuturn allows you to detect someone remotely logging in to one of your boxen and then going on to another, without even logging into the box, by only analyzing the packets on the network.
webNIS is a simple authentication mechanism. It provides a server, or inetd service which simply takes in a login and a password, and responds with the user's real name (as listed in the gecos records) or nothing in case of failure.
Wellenreiter is a GTK/Perl program that makes the discovery, penetration and auditing of 802.11b wireless networks as easy as possible. All three major wireless cards (Prism2, Lucent, and Cisco) are supported. Usability is one of the main goals.
Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available so that the effectiveness and minimum requirements of each one can be measured.
WiKID Strong Authentication System
The WiKID Strong Authentication System is a highly scalable, secure two-factor authentication system consisting of a server, a token client, and network clients that connect a service such as a VPN or Web page to the WiKID server to validate one-time passcodes. The user enters their PIN into the token client, where it is encrypted and sent to the server. If the PIN is correct, the encryption valid, and account active, the one-time passcode is generated, encrypted, and returned to the user. It is simple to implement and maintain, allows users to be validated automatically, requires no hardware tokens, has a simple API for application support via a COM object and Java component, supports multiple domains, and supports replication for fault tolerance and scalability.
WormWarner is a tool designed to warn hosts that are probably infected by worms. This is done by scanning the Apache log files and sending email to the host or the ISP when a worm or attack is detected. Wormwarner has a simple pattern database which makes it easy to add new worm patterns as they appear.
x509watch is a simple command line application that can be used to list soon expiring or already expired X.509 certificates, such as SSL certificates.
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It is intended to be a solid framework for analyzing and testing the deployed networks and systems.
Zodiac is a DNS protocol analysis and exploitation program. It is a robust tool to explore the DNS protocol.