Useful security tools

• Packet capture tools

  1. Cisco IOS Router and Cisco ASA (http://www.cisco.com/) can also both perform packets capture.

  2. Netsniff-ng (http://netsniff-ng.org/) is a free Linux networking toolkit that includes pcap capturing and replay.

  3. Sniffit (http://sniffit.sourceforge.net/) is a distributed sniffer system, which allows users to capture network traffic from a unique machine using a graphical client application. This feature is very useful in switched networks, where traditional sniffers only allow users to sniff their own network traffic.

  4. Tcpdump (http://www.tcpdump.org/) is a powerful network packet analyzer for Linux that can be used for network debugging and security monitoring. WinDump allows you to have the same functionality as tcpdump in a Windows environment. Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

  5. T-Shark (http://www.wireshark.org/docs/man-pages/tshark.html) is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. T-Shark's native capture file format is libpcap format, which is also the format that is used by tcpdump and various other tools.

  6. Wireshark (http://www.wireshark.org/) is a GUI network protocol analyzer that lets you interactively browse packet data from a live network or from a previously saved capture file.

  7. Microsoft Message Analyzer (https://www.microsoft.com/en-us/download/details.aspx?id=44226) is a new tool for capturing, displaying, and analyzing protocol messaging traffic, events, and other system or application messages in network troubleshooting and other diagnostic scenarios. Message Analyzer also enables you to load, aggregate, and analyze data from log and saved trace files.

• Network scanners

1. NMAP (http://www.nmap.org/) is a free and open source (license) utility for network discovery and security auditing.

2. OpenVAS (http://www.openvas.org/) is an open source vulnerability-scanning suite that grew from a fork of the Nessus engine when it went commercial.

• Web testing tools

1. Burp Suite (https://portswigger.net/burp/) is an integrated platform that can be used to perform security testing of web applications—free and paid versions are available.

2. Nikto2 (https://cirt.net/Nikto2/) is an open source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files and CGIs. Nikto checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers.

3. OWASP Mantra (http://www.getmantra.com/) a browser-based security framework, includes a selection of integrated and online tools that can be used for penetration testing and web application testing.

4. OWASP Mutillidae II (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows. Mutillidae II is an easy-to-use web hacking environment that is designed for labs, security enthusiasts, classrooms, and vulnerability assessment tool targets.

• Password crackers

1. Cain and Abel (http://www.oxid.it/cain.html) is a Windows-based password recovery tool that can be used to capture and monitor network traffic for passwords, and crack encrypted passwords using various methods.

2. John the Ripper (http://www.openwall.com/john/) is a fast password cracker, available for many flavors of Unix, Windows, DOS, and OpenVMS. These tools support several password hash types.

3. L0phtCrack (http://www.l0phtcrack.com/) is a tool that is used to crack Windows passwords from hashes, which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or active directory. Sometimes, it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, and so on).

4. Ophcrack (http://ophcrack.sourceforge.net/) is a free Windows password cracker that is based on rainbow tables. It is a very efficient implementation of rainbow tables that are done by the inventors of the method. Ophcrack comes with a GUI and runs on multiple platforms.

• Penetration testing tools

1. BackTrack (http://www.backtrack-linux.org/) is a free, bootable Linux distribution that contains many open source tools for network security and penetration testing. The tools are organized into different categories such as information gathering, vulnerability assessment, exploitation tools, and privilege escalation. Backtrack is no longer being maintained; it has been switched over to Kali Linux.

2. Kali Linux (https://www.kali.org/) is a Linux distribution that aggregates thousands of free software packages. Kali Linux’s non-free section contains several tools which are not open source, but which have been made available for redistribution by Offensive Security through default or specific licensing agreements with the vendors of those tools.

3. Metasploit Framework (https://www.metasploit.com/) is a comprehensive tool set that can test all aspects of security with an offensive focus.

• IPS/IDS

1. Bro (http://bro-ids.org/) is a network analysis framework that is different from the typical IDS.

2. OSSEC is a host-based intrusion detection system that supports multiple platforms including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac, and VMware ESX. OSSEC is easy to set up and configure, and is fully open source and free.

3. Snort (http://www.snort.org/) is an open source network intrusion prevention and detection system (IPS/IDS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and over 500,000 registered users, Snort has become the de facto standard for IPS.

4. Suricata (http://www.openinfosecfoundation.org/index.php/download-suricata) is an Open Source Next Generation Intrusion Detection and Prevention Engine. Suricata is open source and owned by Open Information Security Foundation (OISF), a community-run non-profit foundation.

• Network security monitoring tools

1. Security Onion (https://securityonion.net/) is an open source network security monitoring distribution. Security Onion is easy to set up and configure. With minimal effort, you will start to detect security-related events on your network. Detect everything from brute force scanning kids to those nasty APTs. Security Onion contains tools like Snort, ELSA, Xplico, and NetworkMiner. The in-built setup wizard makes it easy to use.

2. Sguil (http://sguil.sourceforge.net/) is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of network security monitoring and event-driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, BSD, Solaris, MacOS, and Win32).

3. ELSA (https://github.com/mcholste/elsa/) is a centralized syslog framework that is built on Syslog-NG, MySQL, and Sphinx full-text search that provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It includes tools to assign permissions for viewing the logs, and email-based alerts, scheduled queries, and graphing.

4. Splunk Enterprise (http://www.splunk.com/) is a platform for real-time operational intelligence. Splunk is the easy, fast, and secure way to search, analyze, and visualize the massive streams of log data that are generated by the IT systems and technology infrastructure: physical, virtual, and in the cloud. The free version license allows indexing of up to 500 megabytes of data per day.

• Security intelligence tools

1. The Talos Intelligence Group is made up of leading threat researchers that are supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes, and protects against both known and emerging threats. The Talos Intelligence Group maintains the official rule sets of Snort.org, ClamAV, SenderBase.org, and SpamCop. (Reference: Talos Intelligence Group blog, http://www.talosintelligence.com, http://blogs.cisco.com/talos.)

2. CVSS (https://www.first.org/cvss/) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. The current version of CVSS (CVSSv3.0) was released in June 2015.

3. OWASP (https://www.owasp.org/) is an open community that is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All the OWASP tools, documents, forums, and chapters are free and open to any one who is interested in improving application security. OWASP advocates are approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all these areas.

4. VirusShare.com (https://virusshare.com/) is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

5. VirusTotal (https://www.virustotal.com/) is a subsidiary of Google. VirusTotal is a free online service that analyzes files and URLs enabling the identification of viruses, worms, Trojans, and other kinds of malicious content detected by antivirus engines and web site scanners.

Log parser/ analyzers, correlation and event mgmt tools (commercial)

https://www.keycdn.com/blog/log-analysis-tools (list of some free and paid)

splunk (free up to 500mb)

Qradar, Arcsight, LogRhythm, SolarWinds,

Client side security monitors and alerts

Osquery (mostly Linux but they have Win plugin as well)

Tripwire (Linux, Unix like systems)

SysMon (on Windows)

most commercial tools they will have their own client side app that can be distributed via some app delivery tools.

Patching and software delivery tools

WSUS (Windows patching, only native windows updates no 3^rd party)

BigFix (3^rd party patching tool non windows apps too)

GPO (can be used to deliver .msi applications to windows machines)

SCCM can be used for Windows software delivery and client side inventory

chef/ puppet is used to push updates to Linux and Unix like systems

Spacewalk is open source Linux patching tool

Cloud security tools on clients vm, containers (those run on kernel level)

stackrox

capsule8 (new not very mature yet)

App L7 Scanners

Nessus

Burp Suite

Qualys

Rapid7

Kali Linux is free and has bunch tools

14 Best Open Source Web Application Vulnerability Scanners [Updated for 2019]

https://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/

Browser traffic capture tools

HTTPWatch

Fiddler

browser builtin developer tools

http protocol analyzer

Client side incident investigate tools and programs

on windows refer to sysinternals suite

https://docs.microsoft.com/en-us/sysinternals/downloads/

on Linux and Unix like systems cli commands like

ps -aux, ps -ef combine with grep if known what you looking for

top -cb to see PID, app cpu and mem usage

netstat -nop grep for connected, listening and etc connections

lsof command https://www.tecmint.com/10-lsof-command-examples-in-linux/

df -h https://www.tecmint.com/how-to-check-disk-space-in-linux/

and many more depending on the incident

Open Source IDS, sec monitoring etc

Security Onion https://securityonion.net/

Kali Linux https://www.kali.org/downloads/

Online training, classes, exams

https://www.cybrary.it/

https://www.udemy.com/

https://www.coursera.org/