Tuesday, August 10, 2010

Favorite Tools

New tools come out with amazing regularity. If you're getting started in NetSec, one of the first things you'll find out is there are tons of tools, and multiple ones to do any task, AND that you better learn enough Linux to install, configure and run them, as most of them don't have ports to Windows. With a few exceptions, even the ones that ARE available for Windows rarely run as well.
I have a toolkit (actually two, as I keep Windows and Linux tools separate) that has dozens and dozens of tools in it. Many I've tried out for a day or two, some I use on a semi-regular basis, and some I've never even found the time to install yet. But every network security analyst has, or should have, their core essentials.
If they run a distro on a thumb drive for emergency use, these would undoubtedly be on it. They are probably installed on every test box and personal box they have access to.
Mine are as follows (in no particular ranking or order...)

  1. nmap - You have to have a port scanner, and year in and year out, Fyodor keeps making nmap better to the point that I've never changed. I've tried a bunch of others, but nmap continues to be the most stable and dependable scanner I've ever tried. (Unicornscan WAS fun, I'll admit... smokin'!)
  2. hping - You also need a packet crafting tool. In this area, I think there are several really good ones, including scapy and Nemesis, but I like hping the best for its simplicity and functionality.
  3. netcat - netcat does just about anything you need it to do as far as sending and receiving packets. It's called the "swiss army knife" of network tools for good reason. Need encryption? Get cryptcat instead of, or in addition to, netcat.
  4. ngrep - Ngrep is a libpcap tool that searches for strings in packets. If you're doing traffic analysis, it's almost indispensable.
  5. dsniff - This suite of tools by Dug Song includes dsniff, which searches traffic for logon credentials, as well as tools to sniff for web pages, files, mail and chat. There are also tools to do man-in-the-middle attacks on SSH and HTTPS, as well as a nifty sniping tool to shoot down traffic.
I use many others, but those are the core 5 for my toolkit...
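To make the ngrep item concrete, here is an added example (my own code, not from the original post and not part of ngrep or libpcap) that does what ngrep does at its core: walk a pcap file, decode Ethernet/IPv4/TCP, and regex-match the payload. The pcap bytes are constructed inline (zeroed checksums, hypothetical 10.0.0.x addresses) so it runs offline; it reads only the classic pcap format with an Ethernet link type, which is enough to show how a libpcap string search works when you are doing traffic analysis.

```python
import re
import socket
import struct

# --- Constructed sample traffic (not a real capture) -----------------------

def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (fine for parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum/urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = [header]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1281000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.25", 40001, 25, b"EHLO mailer.example\r\n"),
])

# --- The ngrep-style search ------------------------------------------------

def iter_pcap_frames(data):
    """Yield (timestamp, frame_bytes) from classic pcap data, either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return ('src:port', 'dst:port', payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:               # IPv4 version, protocol TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]      # trim any trailer padding
    return f"{src}:{sport}", f"{dst}:{dport}", payload


def grep_pcap(data, pattern):
    """Like `ngrep -I file.pcap pattern`: list of (src, dst, payload) whose payload matches."""
    rx = re.compile(pattern.encode(), re.IGNORECASE | re.MULTILINE)
    hits = []
    for _ts, frame in iter_pcap_frames(data):
        decoded = decode_tcp(frame)
        if decoded and rx.search(decoded[2]):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for src, dst, payload in grep_pcap(SAMPLE_PCAP, r"^(GET|POST) "):
        print(f"{src} -> {dst}: {payload.splitlines()[0].decode(errors='replace')}")
```

Swap the constructed `SAMPLE_PCAP` for `open("capture.pcap", "rb").read()` to run it against a real Ethernet capture; anything beyond IPv4/TCP (IPv6, UDP, VLAN tags, pcapng) is where the real ngrep earns its keep.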


Ron Acierno said...

Have you ever used BackTrack Linux? I'm starting out in NetSec and it seems like a good distro.

JeffSoh said...

Yes I have. That's a great distro for pen testing/vuln assessment. If you're interested in one from the intrusion analysis perspective, check out Hex. You can find links to download mirrors at:
