Top 125+ Network Security Tools in 2021
Are you a network security engineer and looking to know about the Top Network Security Tools? This blog post will provide you a comprehensive list of Top 125 Network Security Tools.
Recommended Read: Top 13 Network Security Certifications
The prediction says that by 2021, Cybercrime damages will cost $6 trillion to the world. On an individual company level, the financial loss could hurt the company. The average cost of a cyber-attack is $1.67 million, including productivity and operational costs. These losses also cause a negative customer experience, along with other consequences. Hence to manage the results, there are numerous Network Security Tools present in the market which may save the company from damages.
List of Network Security Tools:
- Cain and Abel
- John the Ripper
- Open SSH/PuTTY/SSH
- Burp Suite
- THC Hydra
- Paros Proxy
- OSSEC HIDS
- Core Impact
- SQL Map
- IDA Pro
- GFI LanGuard
- Social Engineer Toolkit
- Angry Ip Scanner
- NetWitness NextGen
- Secunia PSI
- Immunity Debugger
- SQL Ninja
- Malware Bytes Anti Malware
- HP Webinspect
- OpenBSD PF
- Network Miner
- Samurai Web Testing Framework
- Tamper Data
- Virus Total
- Net Scan Tools
- The Sleuth Kit
- THC Amap
- Grendel Scan
- ArcSight SIEM Platform
- Unicorn Scan
Let us have a look at all the above tools briefly.
Wireshark is known to be an open multi-platform network protocol analyzer. It helps to examine data from a live network or a capture file. Wireshark will help you to browse capture data and get information about packet detail to the level you need. This tool can view the reconstructed stream of a TCP session and has a rich display filter language. It supports many media types and protocols. Despite all the positives, Wireshark has many security holes; hence you need to stay up-to-date and be careful while running it on hostile or untrusted networks.
Metasploit is an advanced open-source platform that can develop, test, and use exploit code. The Metasploit Framework can is an outlet for exploitation research. It ships with numerous exploits, thus helping you to write your exploit. Also, Metasploitable (Linux Virtual Machine) is used to test Metasploit, and another tool without hitting live servers. Metasploit is free and open-source but also offers a free but limited Community Edition and a Full-feature Pro Edition ($5000/year/user). This framework also includes an official Java-based GUI and Raphael Mudge’s Armitage. All the editions have a web-based GUI.
Nessus is a popular and very capable vulnerability scanner developed for UNIX systems, embedded scripting language to help you write your scripts and understand the existing ones. It has features like remote and local security checks. When launched, it was a free and open-source (closed in 2005). The current scanner costs $2190/year. The Nessus Home version is free but is licensed and limited only for a home network. Nessus comprises more than 70,000 plugins.
AirCrack is a combination of tools for 802.11 a/b/g WEP and WPA Cracking. It implements the best cracking algorithms to recover wireless keys once enough encrypted packets gather. This suite consists of tools like Airodump, Aireplay, Aircrack, and Airdecap.
This suite of tools helps in network intrusion detection and prevention during traffic analysis and packet logging on IP Networks. Snort can detect various worms; vulnerability exploit attempts, port scans, and other suspicious behaviors via protocol analysis, content searching, and multiple pre-processors. It has a flexible rule-based language that describes if it should collect or pass the traffic and a modular detection engine. The Basic Analysis and Security Engine (BASE) is a web interface which analyses Snort alerts. Snort is free and an open-source which offers their VRT certified rules for $499/sensor/year. It also provides a complementary product line of appliances and software with many enterprise-level features.
Cain and Abel
Cain and Abel is a Windows only password recovery tool that helps to handle a variety of tasks. It helps in recovering passwords by sniffing the network. It also helps in cracking encrypted passwords using a dictionary. Other functions include revealing password boxes, recovering cached passwords, decoding scrambled passwords. Apart from password related functions, it helps in recording VoIP conversations, analyzing routing protocols, and brute-force and cryptanalysis attacks.
BackTrack is an excellent bootable live CD Linux Distribution coming from the combination of Whax and Auditor. It helps to boast many Forensic and Security tools. These are the tools that provide a rich development environment. They mainly focus on user modularity, which helps distribution to be easily customized by the user, thus including personal scripts, customized kernels, and additional tools. BackTrack is succeeded by Kali Linux.
The original Netcat was released by Hobbit in 1995. Netcat helps to read and write data across TCP and UDP network connections. It is a reliable back-end tool that can be easily used by other scripts and programs. Netcat is also a feature-rich network debugging and exploration tool as it creates any type of connection you require, including accepting incoming connections or port binding. As this tool is useful and flexible, the Nmap Project had produced Ncat, which was a modern reimplementation supporting IPv6, SSL, SOCKS, connection brokering, HTTP proxies, etc.
Tcpdump is a network sniffer that was initially used before Wireshark, and many of us continue to use it. It may not have a pretty GUI or a parsing logic for many application protocols, but it functions well with less security risk. It also requires fewer system resources. Even though Tcpdump doesn’t receive new features frequently, it is still actively maintained to fix bugs and portability issues. It has received good reviews for tracking network problems and maintaining activity. The separate Windows port is called WinDump. Tcpdump is also the source of WinPcap/Libpcap.
John the Ripper
John the Ripper is another password cracker that is used for UNIX/Linux and Mac OS. It helps to detect weak Unix passwords despite supporting hashes for many other platforms. Three versions of John the Ripper are available in the market, namely, the official free version, the community enhanced version, and the inexpensive pro version.
Kismet is a console that is based on 802.11 Layer-2, Sniffer, Wireless Network Detector, and Intrusion Detection System. It helps to identify networks by passively sniffing and decloaking hidden networks if in use. It helps to detect network IP blocks by sniffing UDP, TCP, DHCP packets, and ARP by logging traffic in Wireshark/Tcpdump compatible format and plot detected networks. It helps to estimate ranges on downloaded maps. This tool is commonly used for wardriving, warflying, warskating, and warwalking.
Secure Shell (SSH)
SSH is a ubiquitous program used for logging into or executing commands on a remote machine. It helps to provide secure and encrypted communications between two untrusted hosts over an insecure network, thus replacing the insecure telnet/rsh/rlogin alternatives. Many UNIX users run the open-source Open SSH server and client. Windows users prefer the Putty client available for mobile devices and WinSCP. Other Windows users prefer the terminal-based port of OpenSSH, which comes with Cygwin.
Burp Suite is an integrated platform that helps to attack web applications. It comprises of tools with various interfaces between them, which help to facilitate and speeding up the process of attacking an application. All tools in the Burp Suite have a common framework to handle and display HTTP messages, authentication, persistence, logging, alerting, proxies, and extensibility. A limited free version of Burp Suite Professional is available for $299 per user per year.It helps in checking for server configuration items like the presence of multiple index files, HTTP server options, thus attempting to identify installed web servers and software. Scan items and plugins are updated or can be automatically updated.
Nikto is an open-source (GPL) web server scanner known to perform tests against web servers against 6400 dangerous files/CGIs, outdated versions of 1200 servers, and many other problems for 270 servers. It helps in checking the server configuration items like the presence of multiple index files, and HTTP server options. It attempts and identifies installed web servers and software. Scan items and plugins are updated and have an option to be updated automatically.
Hping helps in assembling and sending custom ICMP, TCP, and UDP packets and then displays any replies. Hping was or inspired by the ping command, but it offers more control over the probes sent. It also consists of a traceroute mode and helps supporting IP fragmentation. It is mainly useful when you are trying to ping/probe/traceroute hosts behind the firewall that blocks attempts using the standard utilities. Hping is used while learning about TCP/IP and experimenting with IP protocols. But unfortunately, Hping hasn’t been updated since 2005.
Ettercap is a suite used for attacks in LAN. Ettercap features sniffing of live connections, content filtering on the fly, and many other interesting tricks. It helps in supporting active and passive dissection of many protocols and includes many features for network and host analysis.
Sysinternals helps to provide many utilities that are useful for low-level windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were enamored with:
- PsTools: Manage (execute, suspend, detail, kill) local and remote processes
- RootkitRevealer: Detect registry and file system API discrepancies that indicate the presence of a user-mode or kernel-mode rootkit
- TCPView: View TCP and UDP traffic endpoints used by each process
- Autoruns: Discover executables set to run during system login/bootup
- ProcessExplorer: Look out for the files and directories open by any process
Many Sysinternals tools originally come with the source code (even Linux versions).
W3af is a popular, powerful, and flexible framework used to find and exploit web application vulnerabilities. It is easy to use and extend. It also features various web assessments and exploitation plugins.
OpenVAS is a vulnerability scanner, forked from the last free version of Nessus post, which the tool went proprietary in 2005. OpenVAS plugins are yet written in the Nessus NASL language. OpenVAS has been dead for a while, but redevelopment has recently started.
Scapy is an interactive and powerful manipulation tool, network discovery tool, network scanner, packet generator, and a packet sniffer. You will interact with Scapy while using the Python Programming Language. Scapy helps to provide classes to create sets or packets, manipulate them, and send them over the wire. They sniff other packets from the wire, match answers and replies, and perform many more functions.
Hydra is often used when you require to brute force crack a remote authentication service. It helps to perform a rapid attack against more than 50 protocols like HTTP, https, smb, FTP, telnet, various databases, etc. Other similar online crackers include Ncrack and Medusa.
Many canned security tools are available here to handle common tasks, scripting languages allowing you to write your own when you need some custom features. Quick, portable scripts can test, exploit, or fix systems. CPAN comprises of modules like Net RawIP and protocol implementation to make tasks easier. Many security tools make use of Scripting languages for extensibility. For example, Scapy interaction through a Python interpreter, Nmap’s scripting engine uses Lua, Metasploit modules are written in Ruby.
Netstumbler is a Windows tool that helps to find open wireless access points. They also help to distribute a WinCE version for PDAs and such named MiniStumbler. This tool is available for free for Windows only. It uses an active approach to finding WAPs than passive sniffers like KisMAC or Kismet.
Google’s huge database is known to be a gold mine for penetration testers and security researchers. There are functions where you can find information about a particular company by “site:taget-domain.com” and find employee names, sensitive hidden information, vulnerable software installations, and much more. When a bug is found in a web application, Google helps to provide a list of vulnerable servers available worldwide within seconds.
OSSEC HIDS helps performing integrity checking, time-based alerting, rootkit detection, active response, and log analysis. It is known to provide IDS functionality and commonly known as an SEM/SIM solution. OSSEC HIDS has a powerful log analysis engine due to which universities, data centers, and ISPs run OSSEC HIDS to monitor and analyze their IDSs, firewalls, authentication logs, and web servers.
WebScarab helps to record the conversations (requests and responses) that it observers and allows the operator to review them in various different ways. It is designed to be used for anyone who exposes the working of an HTTP(S) based application and decides whether to allow the security specialist to identify vulnerabilities in the application or to allow the developer to debug difficult issues.
Core Impact is one of the expensive tools available in the market (Minimum append = $30,000), but it is the most powerful exploitation tool available. It helps to sport a large and regularly updated database of professional exploits and can perform neat tricks like being able to exploit one machine and then establishes an encrypted tunnel through the machine to reach and exploit other boxes.
SQLMap is an open-source penetration testing tool that helps to automate the process of detecting and exploiting SQL Injection flaws and take over the backend database servers. It provides features like fetching data from the database, database fingerprinting, accessing the underlying file system and execute OS commands via out-of-band connections. It is recommended to use the development release from their Subversion repository.
TrueCrypt was abandoned in May 2014. But many people are still using the software, and there are many alternatives striving to take its lofty place. TrueCrypt is an open-source disk encryption system mainly for Linux, Mac, and Windows. Users have the option to encrypt filesystems, which are then encrypted/decrypted as required without user intervention and beyond entering their passphrase. There is a hidden volume feature that allows users to hide the second layer of sensitive content with deniability about whether it even exists. If you are forced to give up the passphrase, then you give them to the first level secret. That only allows them access to the innocuous material you have there without proving that a second-level key even exists.
Dsniff is a well-engineered suite of tools by Dug Song. It comprises of many tools like dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy. It helps monitoring networks for data like e-mails, passwords, files, etc. Macof, Dnsspoof, Arpspoof help in facilitating the interception of network traffic. Sshmitm and Webmitm help in implementing active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting the weak bindings in ad-hoc PKI. This suite suffers from a lack of any updates in the last decade, but it is a great toolset for handling password sniffing needs.
Disassembly is a huge part of security research. It helps to dissect the Microsoft Patch to help to discover the bugs or in examining a server binary to determine why your exploit is not working. IDA Pro has become a standard for analyzing the hostile code and for vulnerability research. This is an interactive, extensible, programmable, and is a multi-processor disassembler with a graphical interface on Windows and console interfaces on Mac OS and Linux.
Maltego is a data mining application also used for forensics. It helps in querying public data sources, and graphically depicts relationships between people, web sites, documents, companies. It is an open-source intelligence but not open-source software.
Ophcrack is a rainbow table-based cracker for Windows Passwords. It runs on Windows, Linux, and Mac. Its features include LM and NTLM hash cracking, ability to load hashes from SAM recovered from a Windows partition, GUI, Live CD version. Ophcrack is also available for free download but larger ones must be bought from Objectif Securite.
Nexpose is famous for scanning vulnerabilities in networks. It helps to support the vulnerability management lifecycle, including detection, discovery, verification, impact analysis, mitigation, reporting, and risk classification. It integrates with Metasploit for vulnerability exploitation. It is available as standalone software, virtual machine, application, managed service, or private cloud deployment. Nexpose is free but is limited to community edition and commercial versions, which cost up to $2,000 per user per year.
Netfilter is a packet filter that implements in the standard Linux kernel. Configuration is the primary function of this tool. It helps supporting packet filtering (stateful or stateless), different types of network addresses and port translation (NAPT/NAT), and multiple API layers for 3rd party extensions. It comprises of various modules which handle protocols like FTP.
Initially written by Phil Zimmerman, PGP is a famous encryption system that will help you secure your data from eavesdroppers and other risks. Whereas GnuPG is an open-source implementation of PGP. GnuPG is available for free while PGP owned by Symantec and costs a lot of money.
Skipfish is a web application and security reconnaissance tool that helps in preparing an interactive sitemap for the targeted site. The interactive sitemap helps in recursive crawling and dictionary-based probes. This map annotates the output from several active security checks. The final report is generated by a tool that serves as a foundation for professional web application security assessment.
GFI LanGuard is a vulnerability and network security scanner, specially designed to help clients with patch management, vulnerability assessment, software, and network audits. Costing for this tool depends on the number of IP addresses the client wishes to scan. Despite the cost, a free trial version of up to 5 IP addresses is available.
Acunetix is a web vulnerability scanner that checks web applications for vulnerabilities like SQL Injections, Arbitrary File Creation and Deletion, Cross-Site Scripting, and Weak Password Strength on authentication pages. It helps to boost a GUI and has the ability to create professional security audits and compliance reports.
QualysGuard us a SaaS vulnerability management tool. Its web-based User Interface offers network discovery and mapping, vulnerability assessment reporting, asset prioritization, and remediation tracking according to the business risk. Internal scans are handled by Qualys appliances, which helps to communicate back to the cloud-based system.
VMware is a virtualization tool that will let you run one operating system within another. Security researchers can use this to test codes, exploits, etc. on various platforms. It runs only on Linux and Windows as the host OS, but any OS (for example – x86 or x86_64) can run inside the virtualized environment, It also helps in setting up sandboxes. Browsing within a VMware window is possible, despite you being affected. Thus it will not reach your host. Recovering the guest OS is as simple as loading a snapshot from prior to the infection. An open-source alternative for VMware is VirtualBox.
OllyDbg is an assembler level which analyses debugger for MS Windows. Binary Code Analysis helps in making it useful in cases where the sources are unavailable. Some OllyDbg features include the intuitive user interface, Loops, Switches, Cables, API Calls, Constants, and Strings. It also comprises of an Intuitive User Interface. The OllyDbg can attach to a running program and comprises of good multi-thread support. It is free to download but without source code.
Ntop helps in showing network usage similar to what a top does for processes. Ntop displays the network status on the user’s terminal. It also acts as a Web Server, thus creating an HTML dump of the network status. It is a NetFlow/collector/sFlow emitter, and an HTTP based client interface for creating ntop centric monitoring applications and RRD for storing traffic statistics.
Microsoft Baseline Security Analyzer (MBSA) designed for IT Professionals, is commonly used in small and medium-sized businesses. They help to determine the security state per Microsoft Security offers and recommendations. It helps to maintain consistency with other Microsoft Management Products like WSUS, SMS, MU, and MOM.
AppScan is a tool that provides security testing in the application development lifecycle, thus easing the unit testing and security assurance. It scans vulnerabilities like HTTP Response Splitting, Cross-Site Scripting, Hidden Field Manipulation, Parameter Tampering, Buffer Overflows, Backdoor/Debug Options, etc.
Open Source Security Information Management (OSSIM)
Open Source Security Information Management (OSSIM) is a suite of tools that, while working together, provide network/security administrators with detailed information about hosts, networks, servers, and physical access devices. OSSIM incorporates tools like OSSEC HIDS and Nagios.
Medusa is a modular, speedy, massively parallel login brute forcer. It supports many protocols like AFP, CVS, FTP, HTTP, IMAP, SSH, Subversion, and VNC, to name a few. Other online crackers include THC Hydra and Ncrack.
OpenSSL helps to develop a robust, commercial-grade, open-source toolkit, and a full-featured Secure Sockets Layer and Transport Layer Security protocols. It is a component of many crypto programs. An OpenSSL comprises of a lot of command-line tools for hashing, encryption, certificate handling, etc.
Canvas is known to be a commercial vulnerability exploitation tool. It comprises of 370 exploits and is less expensive than the Core Impact or commercial versions of Metasploit. It has full source code and even includes zero-day exploits.
Fgdump is the latest version of the pwdump tool, which helps in extracting LanMan and NTLM password from Windows. It also displays password histories if available. It can disable antivirus software before running. It outputs the data in the L0pht-Crack-compatible form. It then runs pwdump, cache dump (cached credentials dump), and pstgdump (protected storage dump).
Tor is a network of virtual tunnels known to improve privacy and security on the Internet by routing requests through a series of intermediate machines. It makes use of a normal proxy server interface. It also helps preserve the user’s anonymity. Firewall restrictions can also be evaded using Tor. With the help of Tor, users can publish websites and other services without revealing their identity and location. Tor exit nodes run by malicious parties and can sniff your traffic, which helps in authentication using insecure network protocols like non-SSL websites and mail servers.
The retina can scan all the hosts on a network and report on vulnerabilities found in a network—the retina written by eEye, which is known for its security research.
Firefox is a web browser which is a descendant of Mozilla. Firefox was once a dangerous competition to Internet Explorer but with improved security. Firefox is not much in use today, but the security professionals still appreciate it for its wide selection of security-related add-ons like Firebug, NoScript, and Tamper Data.
OpenVPN is an open-source SSL VPN package that helps to accommodate various configurations like site-to-site VPNs, Remote Access, WiFi Security, and Enterprise Scale Remote Access Solutions with Failover, Load Balancing, and Fine-Grained Access Controls. An Open VPN helps to implement Layer 2 or Layer 3 Secure Network Extension using the industry-standard SSL/TLS protocol. It supports client authentication methods based on smart cards, certificates. It allows a user or a group of users to access control policies using firewall rules, which applies to the VPN Virtual Interface. An Open VPN uses the OpenSSL as its primary cryptographic library.
L0phtCrack helps in cracking Windows passwords from hashes, which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. It can also sniff the hashes off the wire. L0phtCrack has various methods to generate password guesses.
Social Engineer Toolkit
The Social-Engineer Toolkit is known to incorporate many social-engineering attacks all in one interface. The main purpose of the Social-Engineer Toolkit is to help to automate and improve many social-engineering attacks. It can also generate exploit-hiding web pages or email messages and can use Metasploit payloads to connect back with a shell.
Yersinia is a low-level protocol attack tool useful for penetration testing. It takes care of many attacks over multiple protocols like becoming the root role in the Spanning Tree (Spanning Tree Protocol), or creating virtual CDP (Cisco Discovery Protocol) neighbors, or help to become the active router in an HSRP (Hot Standby Router Protocol) scenario, faking DHCP replies, and other low-level attacks.
Fiddler is a Web Debugging Proxy tool that logs all HTTP(S) traffic between your computer and the Internet. It allows the user to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler has an event-based scripting subsystem and extends using any .NET language.
SSLStrip is an SSL stripping proxy that makes unencrypted HTTP sessions look as much as possible like HTTPS sessions. It helps in converting HTTPS Links to HTTP or HTTPS with a known private key. The SSLStrip also provides a padlock favicon for the illusion of a secure channel. Many HTTPS sites normally access from a redirect on an HTTP page, and many users don’t notice when their connection is not upgraded.
SolarWinds is known to create and sell dozens of special-purpose tools targeted at systems administrators. Security-related tools include an SNMP brute-force cracker, network discovery scanners, a TCP connection reset program, router password decryption, one of the fastest and easiest router config download/upload applications available, and many more.
Ngrep provides features like applying them to the Network Layer. The Ngrep is a pcap-aware tool which allows you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It helps to recognize TCP, UDP and ICMP. It helps understanding bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
EtherApe is known to display network activity graphically with a color-coded protocols display. It also supports Ethernet, WLAN, FDDI, Token Ring, ISDN, PPP, and SLIP devices. It helps in filtering traffic to be shown and can read traffic from a file as well as live from the network.
Splunk searches, reports, monitors, and analyzes real-time streaming and historical IT data. It helps in collecting logs from a variety of sources and makes them searchable in a unified interface.
Angry IP Scanner
Angry IP Scanner is an open-source Java application known to perform host discovery (“ping scan”) and port scans. The initial 2.x release was applicable for Windows-only, but the current 3.X series supports Linux, Mac, or Windows only if Java is installed.
NetWitness NextGen is a network security monitor. The core of the monitor is the Decoder subsystem that records network traffic for analysis. The Investigator is a protocol analyzer runs on captured traffic.
Secunia PSI (Personal Software Inspector) is a free security tool that helps in detecting out-dated programs and plug-ins which expose your PC to attacks. Attacks that exploit Thus Secunia PSI checks only the machine it is running on. At the same time, its commercial sibling Secunia CSI (Corporate Software Inspector) helps in scanning multiple machines on a network.
Nagios helps in the system and network monitoring. It is known to keep an eye on the hosts and services and alert you if there are any disruptions. It has features like it helps to monitor network services (SMTP, POP3, HTTP, NNTP, ICMP, etc.), monitor host resources (processor load, disk usage, etc.), and contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method).
Immunity Debugger is a debugger whose design reflects the need to write exploits, analyze malware, and reverse engineer binary files. It is the industry’s first heap analysis tool built specifically for heap creation and a large and well supported Python API for easy extensibility.
Superscan is a free Windows-only closed-source TCP/UDP port scanner made by Foundstone. It includes a suite of networking tools like ping, traceroute, HTTP HEAD, and whois. This tool is currently not maintained.
SQLIninja helps in exploiting the web applications which make use of Microsoft SQL Server as a database backend. It also focuses on getting a running shell on the remote host. SQLIninja does not find an SQL injection in the first place but automates the exploitation process.
Helix is a Live CD customized for computer forensics. Helix does not access the host computer and is forensically sound. Helix will not auto mount swap space or any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.
Malwarebyte’s Anti-Malware is a malware scanner for Windows. It is known to make use of many technologies to find malware undetectable by other malware scanners. A free trial available with limited options and a supported full version with the ability to run scheduled scans.
Netsparker is a web application security scanner, with support for both detection and exploitation of vulnerabilities. It aims to be false-positive–free by only reporting confirmed vulnerabilities after successfully exploiting or otherwise testing them.
WebInspect is a web application security assessment tool that helps to identify the known and unknown vulnerabilities within the Web application layer. It also helps in checking if the Web server is configured properly and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more. HP WebInspect, produced by Spidynamics, is now a part of HP.
BeEF is a browser exploitation framework. This tool helps in demonstrating the collection of zombie browsers and browser vulnerabilities in real-time. It also provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers. It makes the creation of new exploit modules easy.
Argus is a Real-Time Flow Monitor that tracks and reports on the status and performance of all network transactions, which are seen in a data network traffic stream. It provides a common data format for reporting flow metrics like connectivity, capacity, demand, loss, delay, and jitter on a per-transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, and application/protocol-specific information.
OpenBSD is known to handle the network address translation, helps in normalization of TCP/IP traffic, providing bandwidth control, and packet prioritizing. Other features include passive OS detection. It is well audited and coded, thus avoids the security holes usually seen.
ClamAV is an AntiVirus scanner that focuses on integration with mail servers for attachment scanning. It also provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via the Internet. The Clam AntiVirus is based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.
Network Infrastructure Parser is the long-form of Nipper. It helps in the auditing of the security of network devices like firewalls, routers, and switches. It parses and analyses device configuration files that must be supplied by Nipper.
Network Miner is a Network Forensic Analysis Tool used for Windows. It is used as a passive network sniffer/packet capturing tool so as to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. Network Miner also holds the capability to parse pcap files for off-line analysis and to regenerate/reassemble transmitted files and certificates from pcap files. Network Miner’s display focuses on hosts and their attributes rather than raw packets.
Wikto helps in checking for flaws in webservers. It also helps in providing the same functionality as Nikto but additionally holds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment, and registration is required to download the binary and/or source code.
P0f helps in identifying the operating system of a target host by examining captured packets even when the device in question is behind an overzealous packet firewall. P0f does not generate additional network traffic, be it direct or indirect. It also has no name lookups, no mysterious probes, no ARIN queries. Advanced users can use P0f to detect firewall presence, NAT use, the existence of load balancers, and much more.
Built by Network Security Analysts for Network Security Analysts, Sguil’s main component is the Graphical User Interface, which provides access to real-time events, session data, and raw packet captures. Sguil helps in practicing Network Security Monitoring and Event-Driven Analysis.
Samurai Web Testing Framework
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open-source and free tools that focus on testing and attacking websites. Samurai includes many other tools featured in this list, like WebScarab, Burp Suite, w3af, Ratproxy, and BeEF.
Tamper Data is an add-on for Firefox, which will let you view and modify HTTP requests before they are sent. It will show information the web browser is sending on your behalf, and cookies and hidden form fields. The use of this plugin can reveal web applications that trust the client not to misbehave.
Inssider is a wireless network scanner applicable for Windows, OS X, and Android. It helps in overcoming the limitations of NetStumbler. Inssider has the ability to find open wireless access points, track signal strength over time and save logs with its GPS records.
Nemesis helps in being a command line-based, portable human IP stack for Linux/UNIX. This suite of tools is categorized by protocols and should allow for useful scripting of injected packet streams from simple shell scripts.
KeePass is a password manager. It helps to store passwords that are unlocked by one master password. It helps in remembering one high-quality password, and still be able to use unique passwords for various accounts. It helps in feature to automatically fill in passwords in web forms.
GDB is the GNU Project’s debugger. Security professionals make use of it to analyze unknown binaries, by getting disassemblies and stepping through a program instruction by instruction. GDB can debug programs written in Ada, C, C++, Objective-C, Pascal, and other languages.
VirusTotal is a web service that helps in analyzing submitted files for known viruses and other malware. It also helps in incorporating dozens of antivirus engines from different vendors, updated regularly with new signatures. Participating antivirus vendors can get alerts when a file is not detected by their product but is by someone else’s.
Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. Traditionally an open-source tool, Tripwire Corp, is now focused on their commercial enterprise configuration control offerings. An open-source Linux version can still be found at SourceForge. UNIX users may also want to consider AIDE, which has been designed to be a free Tripwire replacement.
Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task and is optimized specifically for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
KisMAC is a wireless stumbler available for Mac OS X. It offers features like Kismet, even though the codebase is entirely different. Unlike console-based Kismet, KisMAC offered a pretty GUI and was around before Kismet was ported to OS X. It also offers to map, Pcap-format import and logging, and even some decryption and deauthentication attacks.
IKE-scan is a command-line tool that uses the IKE protocol to discover, fingerprint, and test IPsec VPN servers. It scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence. The tool then remains silent and monitors retransmission packets. These retransmission responses are recorded, displayed, and matched against a known set of VPN product fingerprints. ike-scan can VPNs from manufacturers, including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard.
Net Scan Tools
NetScanTools is a collection of over 40 network utilities for Windows, designed with an easy user interface in mind. It includes DNS tools, a ping and port scanner, traceroute, and other utilities. It comes in bundles with more or fewer tools based on the price.
Curl is a command-line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3, and RTSP. Curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, authentication, and more. libcurl provides these capabilities to other programs.
The Sleuth Kit is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.
Web security is a web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
Knoppix comprises of a collection of GNU/Linux Software, Automatic Hardware Detection, and support for many graphics cards, sound cards, SCSI and USB devices, and other peripherals. Knoppix is used for the desktop, educational CD, rescue system, or as many Nmap survey takers attest, a portable security tool.
THC Amap helps in determining what application is listening on a given port. Their database is not very large, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service. Amap even knows how to parse Nmap output files.
Rainbow Crack is a tool that is a hash cracker that makes use of a large-scale time-memory trade-off. Rainbow Crack helps using a time-memory trade-off to help to do all the cracking-time computation in advance and store the results in so-called “rainbow tables.” It takes a long time to precompute the tables, but Rainbow Crack is faster than a brute force cracker once the precomputation is finished.
Grendel-Scan is an open-source web application security testing tool. It is an automated testing module for detecting common web application vulnerabilities and features geared at aiding manual penetration tests.
Dradis is an open-source framework that helps to enable the effective sharing of information among participants in a penetration test. It is also known to be a self-contained web application that helps to provide a centralized repository of information to keep track of what has been done so far and what is still ahead.
Socat works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 – raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. Socat provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.
DumpSec is a security auditing program used for Microsoft Windows NT/XP/200x. It allows the dumping of the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.
SAINT is a commercial vulnerability assessment tool. SAINT is used to be free and open-source but is now a commercial product. Unlike Nexpose and QualysGuard, SAINT runs on Linux and Mac OS X. SAINT is one of the few tools which does not run on Windows.
NBTScan is a program for scanning IP networks for NetBIOS name information. It helps to send a NetBIOS status query to each address in a supplied range and lists received information in a human-readable form. For each responded host, it lists IP address, NetBIOS computer name, logged-in username, and MAC address.
DirBuster helps in searching for hidden pages and directories on a web server. Sometimes developers leave a page accessible but unlinked; thus, the DirBuster finds these potential vulnerabilities.
WinDbg is known to be a graphical debugger from Microsoft. It is one component of the Debugging Tools for Windows package, which also includes the KD, CDB, and NTSD debuggers. It can even debug in kernel mode.
Wfuzz is used for Brute-forcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc.), brute-forcing GET and POST parameters for different kinds of injections (SQL, XSS, LDAP, etc.), brute-forcing form parameters (user/password), fuzzing, and more.
ArcSight SIEM Platform
The ArcSight platform is a suite of tools used for Security Information and Event Management. The ArcSight Enterprise Security Manager is the “brain” of the SIEM platform. It is a log analyzer and has a correlation engine designed to shift out important network events. The ESM itself is a standalone appliance, and the management programs run on Linux, Windows, AIX, and Solaris.
UnicornScan helps in User-land Distributed TCP/IP stack for information gathering and correlation. It provides a superior interface for introduction to a stimulus into and measuring a response from a TCP/IP enabled device or network. Its feature includes asynchronous stateless TCP scanning with variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive remote OS, application, and component identification by analyzing responses.
STunnel works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers. It is used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs’ code
Security Enhance Linux (SELinux)
Security-Enhanced Linux (SELinux) is a security enhancement to Linux implementing mandatory access control (MAC). Users and processes are granted their least required privileges in a much more granular way than with traditional Unix Access Control. The security model of SELinux has been ported to other operating systems.
Brutus is a Windows-only cracker which bangs against network services of remote systems and tries to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NNTP, etc. No source code is available for the same.
EnCase is a suite of computer forensics software that is mainly used by law enforcement. It is a de-facto standard in forensics. It collects data from a computer in a forensically sound manner, thus employing checksums to help detect tampering.
The Wapiti tools help in auditing the web security of your web applications. It performs “black-box” scans; i.e., it does not study the source code of the application but will scan the webpages of the deployed web app, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
WebGoat is an insecure J2EE web application that teaches web application security lessons. Here the users can demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
HijackThis is designed to inspect a computer’s browser and operating system settings to generate a log file of its current state. It helps in removing unwanted settings and files. It focuses on web browser hijacking.
Honeyd helps in creating virtual hosts on a network. These hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd helps to enable a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Honeyd has various library dependencies, which help in compiling/installing Honeyd.
Advanced Intrusion Detection Environment (AIDE)
AIDE (Advanced Intrusion Detection Environment) is a rootkit detector and also a free replacement for Tripwire. AIDE helps in making the cryptographic hashes of important system files and then stores them in a database. It can then make reports about which files have changed.
We hope that the above network security tools gave you a glimpse about the Network Security world. If you have any more information on the above or any other network security tools, do let us know in the comments section below.