IPsec Tools of the Trade: Don't Bring a Knife to a Gunfight
Pull up outside any construction site and you'll see tools scattered about—hammers, jigsaws, nail guns, hydraulic pipe benders—these are the tools of the trade. You would be hard-pressed to build a home or office building with just your hands! In the same way, security professionals have their own go-to tools that they use on the job site, only their job site is your server.
In this article, I'm going to list my five favorite tools. This doesn't mean these are the only tools you should use, and it also doesn't mean there isn't a better tool for the job in some situations. These are the tools I use when I sit down to go to work.
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a great detection engine, many niche features for using a proxy, and a broad range of switches, from database fingerprinting, to data fetching from the database, to accessing the underlying file system and executing commands on the operating system. Here is a shot of just some of the options below.
sqlmap is developed in Python, so if you do not have it on your system, you can download the latest version right here. If you want to get into some real fun with sqlmap, you'll need another package to go along with it. sqlmap uses the Metasploit Framework to create and deliver payloads. No surprise that is our number two!
$ svn co https://www.metasploit.com/svn/framework3/trunk/
Metasploit is an open source computer security project written in Ruby, which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine, and the suite I will be referring to when I say 'Metasploit'.
Like almost all pentesting applications, Metasploit can be used for analysis and discovery or used to gain unauthorized access into a computer. This provides a public resource for researching security vulnerabilities and developing code that allows a network administrator to break into his own network to identify security risks and document which vulnerabilities need to be addressed first.
Also worth a mention are the extensive anti-forensics and IDS evasion options built in.
$ svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af
W3af has been called the Metasploit for web application testing, and I can agree with that. W3af uses more than 130 plug-ins to find vulnerabilities in web applications. After finding vulnerabilities like SQL injections, OS commanding, remote file inclusions (PHP), cross-site scripting (XSS), and unsafe file uploads, these can be exploited in order to gain different types of access to the remote system.
W3af has plugins that communicate with each other. For example, the discovery plugin in W3af looks for different URLs to test for vulnerabilities and passes them on to the audit plugin, which then uses these URLs to search for vulnerabilities. It removes some of the headaches involved in manual web application testing through its fuzz testing and manual request generator features.
$ wget http://www.snort.org/dl/snort-current/snort-18.104.22.168.tar.gz -O snort-22.214.171.124.tar.gz
Snort is the Swiss army knife of security. Snort has a few uses—a packet sniffer like tcpdump, a packet logger for network troubleshooting, or an intrusion detection system. Snort can be placed on machines throughout your network, where it works in promiscuous mode to watch all traffic on the wire. Snort can also be used to sift through previously captured tcpdump files.
Many times it's far too easy for attackers to scan your network for vulnerable services that could be running or ports that are available. Given that, there is no excuse for skipping intrusion detection when it is so easy to put in place. Having Snort watch your internal network is important because many security problems actually come from inside your network, and in that case you have more of a chance to correct something before it goes too far. Best of all, this tool is free and available on most platforms!
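The kind of threshold check the paragraph above argues for, as an added example that is not from the original article and is not Snort's implementation or rule syntax: it counts distinct destination/port pairs per internal source inside a sliding window. The log format, the 10.0.0.0/8 range, the function names and the thresholds are assumptions, and the records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the internal address range

def parse(line):
    """Parse 'timestamp src dst dport'; raises ValueError on a malformed record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), dst, int(dport)

def find_internal_scanners(lines, threshold=10, window_s=30):
    """Map each internal source to the most distinct (dst, port) targets it
    touched inside any window_s-second window, if that reaches threshold.
    Records are assumed to arrive in time order."""
    recent = defaultdict(deque)  # src -> (timestamp, target) pairs in window
    flagged = {}
    for line in lines:
        try:
            ts, src, dst, dport = parse(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the run
        if src not in INTERNAL:
            continue  # this check only covers internally sourced traffic
        q = recent[src]
        q.append((ts, (dst, dport)))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[str(src)] = max(flagged.get(str(src), 0), distinct)
    return flagged

def build_sample():
    """Constructed records, not captured traffic."""
    lines = [
        "2024-03-01T09:00:00 10.0.0.5 10.0.0.9 443",
        "2024-03-01T09:00:02 10.0.0.5 10.0.0.9 443",
        "2024-03-01T09:00:04 203.0.113.7 10.0.0.9 80",  # external source
        "truncated record",
    ]
    # One host touching 12 different ports on a server within 12 seconds.
    lines += [f"2024-03-01T09:01:{i:02d} 10.0.0.23 10.0.0.9 {20 + i}" for i in range(12)]
    # One host touching 12 ports a minute apart: under the default threshold.
    lines += [f"2024-03-01T09:{10 + i:02d}:00 10.0.0.40 10.0.0.9 {8000 + i}" for i in range(12)]
    return lines

if __name__ == "__main__":
    print(find_internal_scanners(build_sample()))
```

The threshold and window are tuning choices: with the defaults only 10.0.0.23 is reported, while a one-hour window also reports 10.0.0.40.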
Of course there are several other great tools out there, but getting acquainted with these 5 will provide you with a great place to start. We'll go over those in more detail in the coming weeks. I wanted to give a broad overview of what I believe to be key collections and frameworks you should know. In later articles, I will explain each of these in much more detail. Coming up next... an Intro to Snort and IDS, so stay tuned!