Tuesday, August 31, 2010

Linux needed tools

Linux Tools
ADMsnmp – SNMP audit scanner
aide – AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
airsnort – Airsnort is a tool for wireless LANs which recovers encryption keys by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Works on both 40 and 128 bit encryption. Many weaknesses in the WEP 802.11 protocol are discussed here. AirSnort is the first publicly available implementation of this attack. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.
amap – Amap is a scanning tool that allows you to identify the applications that are running on (a) specific port(s). It does this by connecting to the port(s) and sending trigger packets. These trigger packets will typically be an application protocol handshake (e.g. SSL). Amap then looks up the response in a list and prints out any match it finds. Adding new response identifications can be done just by adding them to an easy-to-read text file. With amap, you will be able to identify that SSL server running on port 3445 and some Oracle listener on port 233!
argus-client & argus-server – Argus is a generic IP network transaction auditing tool; it enables a site to generate comprehensive network transaction audit logs, allowing users to perform extensive analysis of network traffic.
arpd – rarpd v1.0 is a Reverse Address Resolution Protocol Daemon. rarpd listens on the ethernet for broadcast packets asking for reverse address resolution. These packets are sent by hosts at boot time to find out their IP address.
arping – Arping is an arp level ping utility which broadcasts a who-has ARP packet on the network and prints answers. Very useful when you are trying to pick an unused IP for a net that you don’t yet have routing to.
arpwatch – Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch requires tcpdump and libpcap. Includes FDDI support, updated ethercodes, uses autoconf.
autopsy – The Autopsy Forensic Browser is an HTML-based graphical interface to The [at]stake Sleuth Kit (TASK). Together, TASK and Autopsy Forensic Browser are an open source alternative to the common Windows-based digital forensic tools. Autopsy provides an investigator with an HTML-based graphical interface that allows one to browse images from compromised systems in a “File Manager”-like interface. Windows and UNIX file systems can be analyzed to view deleted files, create time lines of file activity, and perform keyword searches.
babelweb – Babelweb is a program which allows one to automate tests on an HTTP server. It is able to follow links and HTTP redirects, but it is programmed to remain on the original server.
bfbtester – BFBTester is a utility for doing quick, proactive security checks of binary programs by performing checks of single and multiple argument command line overflows and environment variable overflows. It will also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names. While BFBTester cannot test all overflows in software, it is useful for detecting initial mistakes that can red flag dangerous software.
biew – Biew is a Binary vIEWer with a built-in editor for binary, hexadecimal and disassembler modes. It contains a PentiumIII/K7Athlon/Cyrix-M2 disassembler, full preview of MZ, NE, PE, LE, LX, DOS.SYS, NLM, arch, ELF, a.out, coff32, PharLap, and rdoff executable formats, a code guider, a text viewer with Russian codepage support, and many other features.
bing – Bandwidth Ping. Estimates bandwidths between network hosts and routers.
cabextract – a program to extract Microsoft cabinet (.CAB) files.
cflow – Reads and analyzes flow files
cheops – Cheops is a network “swiss army knife”. It’s a combination of a variety of network tools to provide system administrators and users with a simple interface for managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem. Features include: Network mapping via UDP and/or ICMP packets, port detection using half-open TCP connections (ala halfscan), OS detection using invalid flags on TCP packets (ala queso), domain scans, ICMP pings, and much more.
chkrootkit – checks for signs of a rootkit. Includes ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux 2.0.x, 2.2.x and FreeBSD 2.2.x, 3.x and 4.0. Changes: lrk5 detection, Sun/Solaris support, and Red Hat fixes.
chntpw – NT SAM password recovery utility
cmospwd – CmosPwd decrypts the password stored in CMOS that is used to access BIOS SETUP
cracklib2 – A pro-active password checker library
cryptcat – Cryptcat is an encrypted version of netcat. It uses AES encryption and a static key to encrypt all transactions. Previous versions had a flaw in which not all network traffic was encrypted so this is the patched version.
darkstat – Darkstat is an ntop-workalike network statistics gatherer. Built to be faster and smaller than ntop, it uses libpcap to capture network traffic and serves up Web page reports of statistics such as data transferred by host, port, and protocol. It also has a neat bandwidth usage graph.
dcetest – tool which probes a Windows machine over TCP port 135 for MSRPC endpoint information. It can be thought of as the equivalent of rpcinfo -p against a Windows box. Dcetest can also be very useful once inside a DMZ to fingerprint Windows machines on the network.
dcfldd – Enhanced dd imager with built-in hashing. Works like dd from the command line.
dd_rescue – Like dd, dd_rescue copies data from one file or block device to another. You can specify file positions (called seek and skip in dd).
dlint – Dlint analyzes any DNS zone you specify and reports any problems it finds by displaying errors and warnings. Then it descends recursively to examine all zones below the given one (this can be disabled with a command-line option).
dnswalk – dnswalk is a DNS database debugger. It works by initiating a zone transfer of a current zone, inspecting individual records for inconsistencies with other data, and generating warnings and errors. It is not a parser of DNS datafiles, it works strictly via existing DNS query methods on a “live” system (however dnswalk can be run on a separate nameserver which has data ready to move into production).
driftnet – Driftnet is a program which sniffs network traffic and picks out images from TCP streams it observes. It is interesting to run it on a host which sees a lot of web traffic. Changes: This release fixes problems with building in adjunct-only mode. There are performance enhancements.
dsniff – dsniff is a suite of utilities that are useful for penetration testing. It consists of the following programs: arpredirect intercepts packets from a target host on the LAN intended for another host on the LAN by forging ARP replies. findgw determines the local gateway of an unknown network via passive sniffing. macof floods the local network with random MAC addresses. tcpkill kills specified in-progress TCP connections. dsniff is a simple password sniffer which handles many protocols. mailsnarf outputs all messages sniffed from SMTP traffic in Berkeley mbox format. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time. Changes: Added parsing for Napster, AIM, ICQ (v2, v5), and CVS pserver. Now supports more non-glibc Linux systems missing ether_ntoa(). Unique HTTP authentication information by directory is now supported. dsniff now skips IMAP command tag, and doesn’t rely on /etc/services.
echoping – echoping is a small program to approximately test the performance of a remote host by sending it TCP “echo” packets. It is able to use the following protocols: echo, discard, chargen, HTTP (with SSL if you wish), ICP, and SMTP. It uses UDP instead of TCP for the protocols which accept it (like echo), it can repeat the test and display various statistics, and it can use T/TCP on systems which support it. Changes: SSL (Secure Sockets Layer) support, and a new ability to read many bytes at a time for a big performance improvement.
etherape – Etherape is an etherman clone which displays network activity graphically. Active hosts are shown as circles of varying size, and traffic among them is shown as lines of varying width. It is GNOME and pcap based. Changes: Much better now.
ethereal – Ethereal is a GTK+-based network protocol sniffer / analyzer
ettercap – Ettercap is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. Features character injection in an established connection – you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive! Integrated into an easy-to-use and powerful ncurses interface.
farpd – Fake ARP user space daemon. This ARP daemon replies to any ARP request for a set of IP addresses with the hardware MAC address of one of the interfaces of the server after determining that no other host in the network is claiming that IP.
fatback – Analyze and recover deleted FAT files from Linux
fenris – Fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics by providing a structural program trace, general information about internal constructions, execution path, memory operations, I/O, conditional expression info, and much more.
flawfinder – Flawfinder searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function.
fping – Fping is a ping(1) like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable. Unlike ping, fping is meant to be used in scripts and its output is easy to parse.
fragroute – Fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior. Includes scripts to defeat even the current CVS snort IDS.
freeswan – Linux FreeS/WAN provides IPSEC (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing daemon) as well as various rc scripts and documentation. This lets a bright Linux sysadmin build VPN gateways out of even old 584 and 486 PC clone boxes. The 1.00 version is known to inter-operate with other IPSEC and IKE systems already deployed by other vendors such as OpenBSD.
gdb – the GNU Project debugger, allows you to see what is going on “inside” another program while it executes — or what another program was doing at the moment it crashed.
gnupg – GnuPG is a complete and free replacement for PGP. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.
grenzgaenger – SOCKS-like hacker tool for tunneling nmap, netcat and exploits transparently through systems into protected networks
gtkrecover – gtkrecover is a GUI for recover, a program that undeletes files on ext2 partitions. You can search for deleted files.
hackbot – host exploration tool and banner grabber. It scans hosts for FTP banners, SSH banners, Open Relays, EXPN and VRFY options, more than 200 common CGI vulnerabilities and common indexable directories, NT unicode vulnerabilities and NT nimda infections.
hammerhead – A stress testing tool designed to test out your web server and web site. It can initiate multiple connections from IP aliases and simulate numerous (256+) users at any given time. The rate at which Hammerhead attempts to pound your site is fully configurable, and there are numerous other options for trying to create problems with a web site (so you can fix them).
hellkit – Hellkit is a shellcode generator. You write your shellcode in C, and it gets converted to ASM for use with both heap and stack based overflows. Many examples included. Changes: Added generic shellcode decoder which can handle shellcode up to 64kb in length containing any bytes, added encoder for this type of decoder, and fixed some signedness issues in array access.
hjksuite – collection of programs for hijacking. First of all it contains hjklib, a library for hijacking. It also contains some programs like hjkbnc which allows IRC hijacking directly with your client, hjkhttpd for hijacking HTTP sessions, and hjknetcat, for hijacking text connections.
hping2 – Hping is a tool for TCP/IP stack auditing: uncovering firewall policy, scanning TCP ports in a lot of different modes, transferring files across a firewall, testing network performance, testing whether TOS is handled, etc.
httptunnel – httptunnel creates a bidirectional data channel through an HTTP proxy, from your isolated computer behind a restrictive firewall, to a system on the Internet you have access to.
httpush – HTTPush aims at providing an easy way to audit HTTP and HTTPS application/server security. It supports on-the-fly request modification, automated decision making and vulnerability detection through the use of plugins and full reporting capabilities.
hunt – Hunt is a tool for exploiting well known weaknesses in the TCP/IP protocol suite. Used primarily to hijack connections, but has many other features.
hydra – the world’s first parallel login hacker. With this tool you are able to attack several services at once.
icmpinfo – Tracks ICMP packets, allowing you to proactively watch for suspicious behaviour, mainly ICMP unreachables.
icmpush – program that sends ICMP error packets and obtains remote info through ICMP packets. Supports spoofing and broadcasting. This new release supports the following ICMP error types: Unreach, Parameter Problem, Redirect and Source Quench; ICMP information types: Timestamp, Address Mask Request, Information Request, Router Solicitation (Router Discovery), Router Advertisement (Router Discovery) and Echo Request. This program features an excellent interface with a wide number of options (flags) and values. As an added bonus, Slayer has included a mini-script called try_reset that tries to reset existing telnet or rlogin connections. Your security auditing toolkit is not complete without this program! One of the few 5-star programs.
idswakeup – idswakeup is a Bourne shell script invoking hping2 (required) and iwu (part of this package) to generate false alarms in order to check if a network intrusion detection system works all right.
ipchains – ipchains-firewall is an easily-configurable shell script to establish masquerading and firewalling rules using ipchains.
iproute – professional set of tools to control the networking behavior in kernels 2.2.x and later.
ipsorc – TCP/IP packet generator which allows you to send TCP, UDP, and ICMP packets with a GTK+ interface.
iptraf – ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
iputils-ping – Tools to test the reachability of network hosts
irpas – Internetwork Routing Protocol Attack Suite, a collection of programs used for advanced network operations, testing, and debugging.
isic – Crafts random packets and launches them. Can fix or randomize source/dest IPs and ports. You can specify the percentage of packets to fragment, to have IP options, to have bad IP versions… Just about every field can be automagically twiddled. It contains distinct programs for TCP, UDP, ICMP, IP with a randomized protocol field and a program for randomized raw Ethernet frames.
isnprober – tool that samples TCP Initial Sequence Numbers and can use that information to determine if a set of IP addresses belong to the same TCP/IP stack (machine) or not.
itunnel – ICMP tunneling tool
john – John the Ripper v1.6 (UNIX — source distribution) – High quality UNIX password cracker, probably the fastest available. New Features: Batch mode, Kerberos AFS passwords support, WinNT passwords support, Idle priority support on Linux, Rule reject flags: can reject entire rules on condition, New utility: ‘unique’ (removes duplicated lines without re-ordering), New options: ‘-stdout’, ‘-status’.
kismet – 802.11b wireless network sniffer. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Features Multiple packet capture sources, Runtime network sorting by AP MAC address (bssid), IP block detection via ARP and DHCP packet dissection, Cisco product detection via CDP, Ethereal and tcpdump compatible file logging, Airsnort-compatible “interesting” (cryptographically weak) logging, and Secure SUID behavior.
l2tpd – the Layer 2 Tunnelling Protocol Daemon
lcrzoex – toolbox for network administrators and network hackers. Lcrzoex contains over 200 functionalities using network library lcrzo. For example, one can use it to sniff, spoof, create clients/servers, create decode and display packets, etc. The Ethernet, IP, UDP, TCP, ICMP, ARP and RARP protocols are supported.
lde – disk editor for Linux, originally written to help recover deleted files.
login_hacker – THC Modem Login Hacker – A tool that will attempt to break into modem dialups using scripts written for minicom. Extremely configurable and a must have for any penetration test.
lsof – Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
ltrace – debugging program which runs a specified command until it exits. While the command is executing, ltrace intercepts and records the dynamic library calls which are called by the executed process and the signals received by that process. It can also intercept and print the system calls executed by the program.
mac-robber – a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the ‘mactime’ tool in The [at]stake Sleuth Kit (TASK) to make a time line of file activity. mac-robber is similar to running the ‘grave-robber’ tool from The Coroner’s Toolkit with the ‘-m’ flag, except this is written in C and not Perl.
macchanger – MAC Changer is a utility for viewing/manipulating the MAC addresses of network interfaces which can set specific, random, vendor-based (with a 6000+ vendor list) and device-type-based MACs.
manipulate_data – Search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you (maybe) modified it.
md5deep – cross-platform program to compute MD5 message digests on an arbitrary number of files.
memfetch – dumps the memory of a program without disrupting its operation, either immediately or on the nearest fault condition (such as SIGSEGV). It can be used to examine suspicious or misbehaving processes on your system, verify that processes are what they claim to be, and examine faulty applications using your favorite data viewer so that you are not tied to the inferior data inspection capabilities in your debugger.
mtr – mtr combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.
nasm – Netwide Assembler. NASM will currently output flat-form binary files, a.out, COFF and ELF Unix object files, and Microsoft 16-bit DOS and Win32 object files.
nast – Can sniff the packets on a network interface in normal mode or in promiscuous mode and log them. It dumps the headers of packets and the payload in ASCII or ASCII-hex format. You can apply a filter. The sniffed data can be saved in a separate file.
nbtscan – NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists received information in human readable form. For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).
nemesis – The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.
nessus – Nessus is a free, up-to-date, and full featured remote security scanner for Linux, BSD, Solaris and some other systems. It is multithreaded, plugin-based, has a nice GTK interface, and currently performs over 330 remote security checks. It has powerful reporting capabilities (HTML, LaTeX, ASCII text) and not only points out problems, but suggests a solution for each of them.
netcat – NetCat by Hobbit. Great all around TCP/IP utility loaded with features. Highly recommended.
netsed – Netsed v0.01b brings sed functionality to the network layer, allowing you to change the contents of packets traveling through your network on the fly and in a completely transparent manner. It features basic expressions and dynamic filtering, and cooperates with ipfwadm/ipchains transparent proxy rules to pick specific packets.
ngrep – an awesomely powerful network tool which strives to provide most of GNU grep’s common features, applying them to the network layer.
nikto – web server scanner which supports SSL. Nikto checks for (and if possible attempts to exploit) remote web server vulnerabilities and misconfigurations. It also looks for outdated software and modules, warns of any version specific problems, supports scans through proxies (with authentication), host Basic authentication and more. Data is kept in CSV format databases for easy maintenance, and supports the ability to automatically update local databases with current versions on the Nikto web site.
Nmap – The best and most well-known network scanner there is: port scanning, OS detection, service detection, RPC service detection.
nstreams – a program that analyzes the network streams occurring on a network and prints them in a human readable form.
ntop – a tool that shows the network usage, similar to what the popular Unix command top does. ntop can be used in both interactive or web mode. In the first case, ntop displays the network status on the user’s terminal whereas in web mode a web browser (e.g. netscape) can attach to ntop (that acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.
numby – scans for relay vulnerable http-proxies
obiwan – brute-force authentication attack against web servers using authentication requests – in fact, to break into insecure accounts.
objobf – objobf is an obfuscator for x86/Linux ELF relocatable object files (.o files) that can produce fancy graphs to visualize function structures.
ol2mbox – This project provides libraries and applications for the conversion of Outlook and Outlook Express data files to Linux MBOX format. The flagship of this project is LibPST which converts Outlook files.
onesixtyone – efficient SNMP scanner which utilizes a sweep technique to achieve good performance. It finds SNMP devices on your network and brute-forces the community strings using a dictionary. It is possible to scan a class B network (65536 ip addresses) in under 13 seconds with a high degree of accuracy.
openssl – OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
p0f – performs passive OS detection by watching SYN packets with tcpdump. Additionally, it is able to determine distance to remote host, and can be used to determine the structure of a foreign or local network. When running on the gateway of a network it is able to gather huge amounts of data and provide useful statistics. On a user-end computer it could be used to track which operating systems are making each connection. p0f supports full tcpdump-style filtering expressions, and has an easily modified fingerprinting database.
packit – Packit offers the ability to monitor, manipulate and inject IPv4 (and soon IPv6) traffic (TCP/UDP/ICMP) on and into your network. This can be valuable in testing firewalls, intrusion detection systems and in general TCP/IP auditing. At the moment Packit can be run using one of two modes: packet capture and IPv4 packet injection.
paketto – implements many of the techniques described in recent TCP/IP Black Ops talks. Scanrand implements extremely fast and efficient port, host, and network trace scanning which uses cryptographic signatures. Minewt implements technique known as MAC Address Translation which allows several backend hosts to share the same IP address. Linkcat (lc) does at Layer 2 (Ethernet) what Netcat does for Layer 4-7(TCP/UDP). Phentropy plots large amounts of arbitrary data onto a three dimensional volumetric matrix allowing you to see the Strange Attractors which can be used to predict future values from an otherwise random system. Paratrace traces the path between a client and a server like traceroute but at Layer 4. It attaches to an existing, firewall-approved TCP flow, analyzing the resultant ICMP Time Exceeded replies.
partimage – utility to save partitions (ext2/3fs, reiserfs, fat16, fat32, hpfs, ntfs) into an image file. Only used blocks of the partition are saved, and the image can be compressed in gzip or bzip2 format.
photorec – a little tool to recover pictures from digital camera memory.
pnscan – Pnscan is a multi-threaded port scanner that can scan a large network very quickly. It does not have all the features that nmap has but is much faster.
pptpd – PoPToP Point to Point Tunneling Server. This implements a Virtual Private Networking (VPN) server that is compatible with Microsoft VPN clients. It allows Windows users to connect to an internal firewalled network using their dialup.
pwl9x – The Windows 9x Password List reader is a UNIX program that will allow you to see the passwords contained in your Windows PWL database. You can check the security of these files and try to recover the main password using brute force methods.
rarpd – Reverse Address Resolution Protocol Daemon. rarpd listens on the ethernet for broadcast packets asking for reverse address resolution. These packets are sent by hosts at boot time to find out their IP address.
recover – Undelete files on ext2 partitions
redir – a port redirector, used to forward incoming connections to somewhere else. By far the cleanest piece of code here, because someone else liked it enough to fix it.
revinetd – GNU implementation of the TCP gender changer. It operates in two modes, listen-listen and connect-connect. It can be used to forward traffic through firewalls where outbound rule sets are more liberal than inbound rules.
samba-tng – fork of Samba. It was derived from the same code but is being developed independently.
sara – Security Auditor’s Research Assistant (SARA) is a security analysis tool based on the SATAN model. It is updated frequently to address the latest threats. Checks for common old holes, backdoors, trust relationships, default cgi, common logins.
scanssh – scans a list of addresses and networks for running SSH servers and their version numbers. scanssh supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or the Internet as a whole.
scli – a collection of SNMP command line management tools
screamingcobra – an application for remote vulnerability discovery in ANY UNKNOWN web applications such as CGIs and PHP pages. Simply put, it attempts to find vulnerabilities in all web applications on a host without knowing anything about the applications. Modern CGI scanners scan a host for CGIs with known vulnerabilities. ScreamingCobra is able to ‘find’ the actual vulnerabilities in ANY CGI, whether it has been discovered before or not.
secpanel – A graphical user interface for SSH and SCP
secure_delete – Secure Deletion Utilities
sendip – a commandline tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.
sharefuzz – shared library which automatically detects environment variable overflows in Unix systems. This tool can be used to ensure all necessary patches have been applied, or as a reverse engineering tool.
shiva – tool to encrypt ELF executables under Linux. Shiva can be used to wrap an executable in such a way that though it continues to run as it did before it is very difficult to debug or reverse engineer. Shiva can be used to password protect critical programs, including setuid programs, or simply to obfuscate sensitive data stored within programs.
sing – A fully programmable ping replacement
sleuthkit – collection of open source file system forensics tools that allow one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images. The Autopsy Forensic Browser provides a graphical interface to The Sleuth Kit.
slogdump – extracts syslog packets from tcpdump ethernet savefiles
smb-nat – This tool can perform various security checks on remote servers running NetBIOS file sharing services. It is capable of enumerating shares and making break-in attempts using a (user-provided) list of users and passwords.
snapscreenshot – takes a screenshot from a single Linux virtual console (tty) or from a group of ttys.
socat – establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging, and tracing, different modes for interprocess communication, and many more options.
spike – Spikeman’s DoS Attack Tool – Revision 5.2. 33 denial of service attacks at once, launched from a 61k shell script! Changes: Never Die Menu Added, new attacks
spikeproxy – functions as an HTTP and HTTPS proxy, and allows the web developer or web application auditor low level access to the entire web application interface, while also providing a bevy of automated tools and techniques for discovering common problems.
splint – tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
ssh – Secure rlogin/rsh/rcp replacement
ssldump – SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
strace – a system call tracer, a debugging tool which prints out a trace of all the system calls made by another process or program. The program to be traced need not be recompiled for this, so you can use it on binaries for which you don’t have source. System calls and signals are events that happen at the user/kernel interface. A close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race and buffer overflow conditions.
stunnel – designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. The idea is that daemons which are not SSL-aware can easily be set up to talk to clients over secure SSL channels. stunnel can be used to add SSL functionality to commonly used inetd daemons such as POP-2, POP-3 and IMAP servers as well as standalone daemons such as NNTP, SMTP and HTTP, without changes to their source code.
sudo – a program that lets permitted users run commands with limited superuser privileges, as configured in the sudoers file, and logs each invocation. The note this listing carries, that sudo does not properly handle improper file access attempts and reveals whether a file exists, describes a flaw in an old release rather than the program’s purpose.
tcpdump – allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems, to detect “ping attacks” or to monitor network activity. Changes in the listed version: -X option added, telnet command sequence decoder, many bug fixes, SMB printing, NFS parsing, AFS3 packet parsing, etc.
tcpflow – a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. Each stream is stored in a separate file for later analysis.
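The property that makes tcpflow useful, reconstructing each direction of a TCP connection from sequence numbers regardless of retransmissions and reordering, is small enough to show directly. The following added example (not tcpflow's own code) reassembles one direction of a flow from constructed, deliberately shuffled segments, including a duplicate, an overlap and a sequence number wrap past 2**32, reports where a hole would be if a segment were missing, and names the output file the way tcpflow's manual documents (zero-padded octets and ports). The sample HTTP request and sequence numbers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment of a single direction of a flow."""
    seq: int      # 32-bit sequence number of the first payload byte
    data: bytes   # payload carried by this segment


def reassemble(isn: int, segments: Iterable[Segment]) -> Tuple[bytes, Optional[int]]:
    """Rebuild the byte stream of one direction of a TCP flow.

    isn is the initial sequence number from the SYN; payload starts at isn+1
    because the SYN itself consumes one sequence number. Segments may be out of
    order, retransmitted or overlapping, and sequence numbers may wrap.
    Returns (stream_bytes, gap_offset): the contiguous bytes from the start of
    the stream, and the offset at which data is missing, or None if no gap."""
    base = (isn + 1) & SEQ_MASK
    chunks: List[Tuple[int, bytes]] = []
    for seg in segments:
        rel = (seg.seq - base) & SEQ_MASK  # wrap-safe offset within the stream
        if rel > 0x7FFFFFFF:
            continue  # sequence number precedes the stream start: stale data
        chunks.append((rel, seg.data))

    out = bytearray()
    next_off = 0
    for rel, data in sorted(chunks):
        if rel > next_off:
            return bytes(out), next_off  # hole in the stream
        if rel + len(data) <= next_off:
            continue  # pure retransmission: nothing new
        out += data[next_off - rel:]  # on overlap keep only the bytes we lack
        next_off = rel + len(data)
    return bytes(out), None


def flow_filename(src: str, sport: int, dst: str, dport: int) -> str:
    """Per-direction output file name in tcpflow's documented format,
    e.g. 128.129.130.131.02345-010.011.012.013.45103."""
    def pad(ip: str) -> str:
        return ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"


# Constructed sample: an HTTP request split into segments, delivered out of
# order, with one duplicate and one overlapping segment, across a sequence wrap.
REQUEST = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
ISN = 0xFFFFFFF0
_base = (ISN + 1) & SEQ_MASK
SAMPLE = [
    Segment((_base + 36) & SEQ_MASK, REQUEST[36:38]),   # tail arrives first
    Segment((_base + 10) & SEQ_MASK, REQUEST[10:20]),   # overlaps its neighbours
    Segment(_base, REQUEST[0:16]),
    Segment((_base + 16) & SEQ_MASK, REQUEST[16:36]),   # seq wraps past 2**32 here
    Segment(_base, REQUEST[0:16]),                      # retransmission
]


if __name__ == "__main__":
    stream, gap = reassemble(ISN, SAMPLE)
    print(flow_filename("192.0.2.10", 51234, "198.51.100.1", 80))
    print(stream.decode(), "gap at:", gap)
```

A real capture needs the same routine run once per direction of each (src, sport, dst, dport) tuple, which is exactly what the two files tcpflow writes per connection correspond to.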
tcpreplay – aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically generated artificial traffic, which doesn’t exercise the application/protocol inspection that a NIDS performs and doesn’t reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.
tcpslice – tool for extracting portions of packet trace files generated using tcpdump’s -w flag.
tcptrace – analyzer for tcpdump logfiles.
tct – collection of tools geared towards gathering and analyzing forensic data from a UNIX system after a break-in. TCT features the grave-robber tool, which captures information; the ils and mactime tools, which display access patterns of files dead or alive; the unrm and lazarus tools, which recover deleted files; and the keyfind tool, which recovers cryptographic keys from a running process or from files.
tethereal – Network traffic analyzer (console)
thcrut – local network discovery tool developed to brute-force its way into wvlan access points. It offers ARP requests over IP ranges (identifying the vendor of each NIC), spoofed DHCP, BOOTP and RARP requests, ICMP address mask requests and router discovery techniques. This tool should be ‘your first knife’ on a foreign network.
transproxy – The program is used in conjunction with the Linux Transparent Proxy networking feature, and ipfwadm, to transparently proxy HTTP and other requests.
tsocks – tsocks provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). tsocks intercepts the calls applications make to establish TCP connections and transparently proxies them as necessary. This allows existing applications to use SOCKS without recompilation or modification.
valgrind – A memory debugger for x86-linux
vmap – utility for fingerprinting services by checking features and replies of bogus commands being fed to the daemon. Currently supports FTP, SMTP, POP3, IMAP, and HTTP.
walker – CompuServe 3.0 password decrypter. It decrypts CompuServe 3.0 ini files (cis.ini), which store account passwords.
wipe – Recovery of supposedly erased data from magnetic media is easier than many people would like to believe. A technique called Magnetic Force Microscopy (MFM) allows a moderately funded opponent to recover the last two or three layers of data written to a disk. Wipe repeatedly overwrites the files to be destroyed with special patterns, using the fsync() call and/or the O_SYNC flag to force the writes to disk. Changes in the listed version: /dev/urandom is used to seed libc’s random() additive feedback pseudo-random generator, and a new 32-bit seed is fetched for every 1024 bytes.
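The mechanism wipe relies on, overwriting the file's blocks in place with several patterns and forcing each pass through the page cache with O_SYNC and fsync() before releasing the blocks, is shown in the following added example (not wipe's code). The pass schedule of fixed fill bytes followed by one os.urandom pass is an illustrative assumption, not wipe's own sequence. Two caveats a practitioner should keep in mind: in-place overwriting only works where the filesystem actually rewrites the same physical blocks, so journaling data, copy-on-write filesystems, snapshots and the wear-levelling in SSDs can all leave old copies behind, and the MFM threat the entry cites is a dated claim for modern high-density drives; full-disk encryption with key destruction is the more reliable control.

```python
import os
import tempfile
from typing import Optional, Sequence

# Illustrative pass schedule (assumed, not wipe's own): fixed fill bytes, then one
# pass of random bytes from os.urandom. None stands for "random pass".
DEFAULT_PASSES: Sequence[Optional[bytes]] = (b"\x00", b"\xff", b"\x55", b"\xaa", None)


def overwrite_file(path: str, passes: Sequence[Optional[bytes]] = DEFAULT_PASSES,
                   chunk: int = 64 * 1024, remove: bool = True) -> int:
    """Overwrite a regular file in place, one full pass per pattern, forcing each
    pass to the device with O_SYNC and os.fsync() so the data does not merely sit
    in the page cache. With remove=True the file is then truncated and unlinked.
    Returns the number of passes written."""
    size = os.path.getsize(path)
    flags = os.O_WRONLY | getattr(os, "O_SYNC", 0)  # O_SYNC is missing on some platforms
    fd = os.open(path, flags)
    try:
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                buf = os.urandom(n) if pattern is None else (pattern * n)[:n]
                while buf:  # os.write may write fewer bytes than asked
                    written = os.write(fd, buf)
                    buf = buf[written:]
                remaining -= n
            os.fsync(fd)  # this pass reaches the disk before the next one starts
        if remove:
            os.ftruncate(fd, 0)  # release the blocks only after they were overwritten
            os.fsync(fd)
    finally:
        os.close(fd)
    if remove:
        os.unlink(path)
    return len(passes)


def make_sample_file(content: bytes) -> str:
    """Create a temporary file holding constructed 'secret' content; returns its path."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(content)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    path = make_sample_file(b"secret " * 1000)
    n = overwrite_file(path)
    print(n, "passes written; file still exists:", os.path.exists(path))
```

Running the same routine against a file on a btrfs or ZFS volume, or on a filesystem with a snapshot taken earlier, demonstrates the caveat above: the old extents remain readable from the snapshot even though the live file was overwritten.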