USE OF THESE TOOLS ON MACHINES NOT LEGALLY
OWNED BY YOU COULD END UP PUTTING A NASTY MARK
ON YOUR CRIMINAL RECORD
• Protocol Analyzing, Sniffers, Interceptors, Port Scanning
  o Wireshark, Ettercap, Nmap
• Vulnerability Assessment
  o OpenVAS (Nessus replacement)
• Pen Testing Tools
  o Metasploit Framework
• Password Crackers
  o John the Ripper, Ophcrack
• Wireless Security Tools
  o aircrack-ng, Kismet
• Honeypots
  o Kippo
• Security Focused Distributions
• Notes on Hardening
• Dispelling some bullshit
Protocol Analyzing: Wireshark
• capture and analyze network traffic
  o NIC in promiscuous mode, so it sees every frame on the segment, not just the ones addressed to it
• Wireshark is extremely popular and powerful
  o uses libpcap to capture packets
  o captures Ethernet, 802.11, PPP and loopback traffic
  o "knows" about hundreds of networking protocols (dissectors) and can display useful information about each
  o capture filters limit what gets recorded, display filters find the relevant data afterwards
  o used to need root to capture; on most platforms it can now run as a normal user, with only the capture helper (dumpcap) privileged
  o CLI interface: tshark
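To make the pcap/dissector/filter pieces concrete, here is an added example (not Wireshark or libpcap code) that builds a tiny pcap file image in memory, reads it back with a minimal pcap reader, dissects Ethernet/IPv4/TCP, and applies the equivalent of the display filter `tcp.port == 80`. The frames, addresses and ports are constructed for the example; checksums are left zero, which is fine for parsing but would not survive a real stack.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02):
    """Constructed Ethernet + IPv4 + TCP frame, SYN by default (no payload,
    checksums left zero; fine for parsing, not for sending)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ipv4 + tcp


def build_pcap(frames):
    """Serialise raw frames into a pcap file image (global header + records)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) per record. This is the libpcap file format,
    which is what Wireshark/tshark read and write."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Ethernet -> IPv4 -> TCP dissector. Returns a dict of fields, or None
    if the frame is not IPv4 (a real dissector would hand it to another one)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {
        "src": ".".join(str(b) for b in frame[26:30]),
        "dst": ".".join(str(b) for b in frame[30:34]),
        "proto": frame[23],
    }
    if pkt["proto"] == 6 and len(frame) >= 14 + ihl + 20:
        t = 14 + ihl
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, t)
        pkt["syn"] = bool(frame[t + 13] & 0x02)
    return pkt


def filter_tcp_port(data, port):
    """Equivalent of the Wireshark display filter 'tcp.port == <port>'."""
    hits = []
    for ts, frame in read_pcap(data):
        pkt = dissect(frame)
        if pkt and pkt["proto"] == 6 and port in (pkt.get("sport"), pkt.get("dport")):
            hits.append((ts, pkt))
    return hits


# Constructed capture: three SYNs from one client, two to port 80, one to 22.
SAMPLE = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.1", 40001, 80),
    build_tcp_frame("10.0.0.5", "10.0.0.2", 40002, 22),
    build_tcp_frame("10.0.0.5", "10.0.0.1", 40003, 80),
])

if __name__ == "__main__":
    for ts, pkt in filter_tcp_port(SAMPLE, 80):
        print(ts, pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"],
              "SYN" if pkt["syn"] else "")
```

Swap `SAMPLE` for `open("capture.pcap", "rb").read()` on a file saved by Wireshark or `tshark -w` (little-endian Ethernet captures only; the magic/linktype check refuses anything else) and the same filter runs over real traffic.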
Interceptors: Ettercap
• MITM - man in the middle
• Ettercap is highly regarded and very powerful
  o use in promiscuous mode
  o four sniffing modes (IP based, MAC based, ARP poisoning, public ARP)
  o can intercept "encrypted" sessions (SSH v1, HTTPS) by inserting itself with its own key or certificate; the client is only safe if the user refuses the mismatched key/cert warning
  o password collectors for tons of protocols
  o inject data into an established connection
  o hijack DNS (answer queries with the attacker's address)
  o alter/drop packets
  o can detect other ARP poisoners on the network
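The "detect other poisoners" point is worth seeing in code: ARP poisoning works by sending "is-at" replies that rebind a victim's IP (usually the gateway) to the attacker's MAC, so a detector just watches for an IP that changes MAC. The following is an added example, not Ettercap's detector; the ARP replies are a constructed list rather than frames pulled off the wire.

```python
def detect_arp_poisoning(replies, trusted=None):
    """replies: iterable of (sender_ip, sender_mac) taken from ARP 'is-at'
    packets. trusted: optional known-good {ip: mac} map, e.g. the gateway's
    MAC read off the router itself. Returns a list of (ip, old_mac, new_mac)
    conflicts; first-seen bindings are learned, later contradictions flagged."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample: the gateway 10.0.0.1 answers from aa:..:01, a host at
# .7 answers normally, then a second station claims to be the gateway.
SAMPLE_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:dd:ee:01"),
    ("10.0.0.7", "aa:bb:cc:dd:ee:07"),
    ("10.0.0.1", "DE:AD:BE:EF:00:01"),
    ("10.0.0.7", "aa:bb:cc:dd:ee:07"),
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_poisoning(SAMPLE_REPLIES):
        print(f"ALERT {ip} moved from {old} to {new}")
```

A legitimate NIC swap or a DHCP lease moving to a new machine trips the same check, so treat an alert as something to investigate rather than proof of an attack; seeding `trusted` with the gateway's real MAC removes the obvious false positive of the attacker getting in first.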
Port Scanning: Nmap
• self descriptive, designed to probe hosts and scan for open ports
• Nmap is THE port scanner. Just use it
  o very comprehensive and smart
  o accounts for network conditions (latency, packet loss) during the scan
  o turned into a swiss army knife thanks to an excellent community
  o OS fingerprinting (-O)
  o names and versions of running services (-sV)
  o estimated uptime (from TCP timestamps, shown with -O)
  o presence of a firewall (ports come back "filtered" when probes are silently dropped)
  o type of device
  o scripting engine, NSE (a Summer of Code project)
  o Zenmap GUI available (also a Summer of Code project)
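To show what "open", "closed" and "filtered" actually mean at the socket level, here is an added example, not Nmap code, of a plain connect() scan like `nmap -sT`. It opens its own listener on an ephemeral localhost port so there is a known-open port to find and the script runs offline. Real scanners also do SYN scans, OS fingerprinting and adaptive timing; this shows only the connect() basics and the three states.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """One connect() probe. A refused connection means a reachable host with
    nothing listening ('closed'); silence until the timeout is what a
    packet-dropping firewall looks like, which nmap reports as 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except (socket.timeout, OSError):
            return port, "filtered"


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Probe the ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p, timeout), ports))


def open_listener():
    """Bind an ephemeral 127.0.0.1 port and accept in the background so the
    scan has a known-open port to find. Returns (socket, port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], stop


def demo():
    """Scan a 5-port window around the listener; returns (listener_port, results)."""
    srv, port, stop = open_listener()
    try:
        results = connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        stop.set()
        srv.close()
    return port, results


if __name__ == "__main__":
    port, results = demo()
    for p, state in sorted(results.items()):
        print(f"{p}/tcp {state}{'  <- our listener' if p == port else ''}")
```

A connect() scan completes the TCP handshake, so every probe shows up in the target's application logs; that is why Nmap defaults to a half-open SYN scan when it has raw-socket privileges.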
Vulnerability Assessment: OpenVAS / Nessus
• meant to be a one stop shop for discovering vulnerabilities in systems
  o port scanning, service enumeration, web app scanning, exploit checks, default accounts and passwords, misconfigurations, DoS checks, etc
• Nessus is huge in the industry (OpenVAS is the open source fork, made when Nessus went closed source)
  o new checks are published regularly as a "feed" of plugins
  o checks are written in NASL (Nessus Attack Scripting Language)
  o a scanner mostly reports rather than exploits, and it has false positives; treat its findings as leads to verify, not proof
Pen Testing Tools: Metasploit
• very broad term
• often used in conjunction with vulnerability scans to actively attempt to penetrate a system
• Metasploit Framework is becoming the de facto standard for exploit development
  o one of the largest Ruby projects in existence
  o often a new public exploit ships as a Metasploit module with full details of the technique
  o workflow: choose exploit -> check whether the target is vulnerable -> set options (target host etc) -> choose payload -> choose an encoder to evade IDS signatures -> run the exploit
  o includes an extensive shellcode and opcode database with full source code
Password Crackers: John the Ripper, Ophcrack
• three main approaches
  o dictionary/wordlist (plus mangling rules)
  o brute force (every combination up to some length)
  o precomputed tables (rainbow tables): hash the keyspace once, then look each captured hash up; only works against unsalted hashes
• John the Ripper probably most popular
  o can auto detect hash type
  o DES crypt flavors, LM hash, MD5 crypt, SHA crypt, Blowfish (bcrypt), Kerberos AFS
  o can be fed wordlists; its brute force is "incremental" mode (it does not use rainbow tables, that's Ophcrack's trick)
  o pretty simple to use
• Ophcrack
  o cracks Windows LM hash passwords via rainbow tables
  o some basic tables provided, LiveCD available
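The three approaches side by side, and the reason rainbow tables only work on unsalted hashes, as an added example (not John the Ripper or Ophcrack code). SHA-256 stands in for the fast unsalted hashes (LM, raw MD5) those tools target; the wordlist, hashes and salt are constructed for the example.

```python
import hashlib
import itertools
import os
import string


def h(password, salt=b""):
    """Stand-in for a fast unsalted hash (LM, raw MD5); salt is optional."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


RULES = (lambda w: w, str.capitalize, lambda w: w + "1")   # a few John-style mangling rules


def wordlist_attack(target, words, salt=b"", rules=RULES):
    """Wordlist mode: hash each word (and its mangled forms) and compare."""
    for word in words:
        for rule in rules:
            candidate = rule(word)
            if h(candidate, salt) == target:
                return candidate
    return None


def brute_force(target, alphabet=string.ascii_lowercase, max_len=4):
    """Incremental (brute-force) mode, cut short at max_len characters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if h(candidate) == target:
                return candidate
    return None


def build_table(words):
    """Precompute hash -> plaintext once, then reuse it against every hash you
    ever capture: the idea behind rainbow tables (minus the chain compression)."""
    return {h(w): w for w in words}


# Constructed samples
WORDS = ["password", "letmein", "dragon", "monkey", "qwerty"]
UNSALTED_WORD = h("Letmein")   # capitalised dictionary word
UNSALTED_SHORT = h("zqx")      # in no wordlist, but a tiny keyspace
SALT = os.urandom(16)
SALTED = h("letmein", SALT)    # same weak password, but salted per user


def crack_unsalted():
    """All three attacks succeed against unsalted hashes."""
    table = build_table(WORDS)
    return (wordlist_attack(UNSALTED_WORD, WORDS),
            brute_force(UNSALTED_SHORT),
            table.get(h("dragon")))


def salt_defeats_table():
    """The precomputed table misses the salted hash even though the password is
    in the wordlist; an attacker who knows the salt must redo the hashing per
    user, which is the whole point of salting."""
    table = build_table(WORDS)
    return table.get(SALTED), wordlist_attack(SALTED, WORDS, salt=SALT)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted())
    print("salted (table, wordlist with salt):", salt_defeats_table())
```

Salting only defeats the precomputation; a per-user wordlist attack on a weak password still wins, which is why the "don't use dictionary words" rule later in the talk matters even on well-hashed systems.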
Honeypots: Kippo
• valuable recon tool
• set up to look like a vulnerable machine, really used to divert attacks and possibly gather information
  o distraction tool
  o research attack methods
  o watch skiddies try and fail over and over
• sometimes turn out to be pretty entertaining
• Kippo is a simple open source SSH honeypot that records the attacker's session (commands typed, files fetched) so it can be replayed later
Security Focused Distributions
• BackTrack Linux
  o includes most of the tools we'll talk about tonight
  o one of the best (most up to date) security live CDs
  o latest release is 4 R2
• Knoppix STD
  o used to be an excellent security live CD
  o now stagnant unfortunately
• Damn Vulnerable Linux
  o pretty much exactly what it sounds like
  o designed to be easy to break, good for learning about vulnerabilities
• almost all of these tools are available in distribution repositories anyway
Notes on Hardening
• mandatory vs. discretionary access control (SELinux/AppArmor policy vs. plain file permissions)
• reduce your attack surface
  o close unneeded ports, or hide the ones you must expose behind port knocking
  o disable unneeded services
• open source vs. proprietary
  o aka: security through obscurity = FAIL
• intrusion detection systems
• regular security auditing
• always be aware of social engineering
• use key login for ssh, disable password login
  o put a passphrase on your key and protect it!
  o disable root login via ssh
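A quick way to check those three sshd settings on a box, as an added example (not OpenSSH code): parse the config the way sshd does, where the first occurrence of a keyword wins, and report anything that isn't keys-only/no-root. The configs below are constructed; on a real host feed it `/etc/ssh/sshd_config`. It assumes the permissive defaults of older OpenSSH for absent keywords (newer releases default `PermitRootLogin` to `prohibit-password`, which still allows root with a key) and ignores `Match` blocks.

```python
import re

# What the slide recommends: keys only, no root, no password prompt via PAM either.
WANTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",   # newer OpenSSH spells it KbdInteractiveAuthentication
    "permitrootlogin": "no",
}

# Value assumed when the keyword is absent. These are the permissive defaults of
# older OpenSSH releases (assumption: newer ones default PermitRootLogin to
# prohibit-password), so an absent keyword is deliberately treated as a finding.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}


def effective_settings(text):
    """Parse sshd_config text into {keyword: value}. sshd uses the FIRST
    occurrence of a keyword, so later duplicates are ignored. Parsing stops at
    the first Match block (assumption: per-user overrides are out of scope)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective_value, wanted_value)] for every setting that
    is not what the slide recommends; an empty list means it passes."""
    settings = effective_settings(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed configs (not from any real host)
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value it saw
"""

HARDENED = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin=no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

After editing the real file, run `sshd -t` to syntax-check it and keep an existing session open while you test a fresh key login; locking yourself out is the classic way this goes wrong.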
• disable smtp open relays
• forcing frequent password changes isn't really that helpful; false sense of security (people just increment a digit)
• good idea to write down passwords?
  o argument still going on about this
  o Bruce Schneier seems to think it's ok
• changing default ports doesn't really do much
  o auto scanners are patient b/c they're, well, machines, and they walk all 65535 ports
• hashing != encryption
  o a hash is one-way and has no key: you can't "decrypt" it, only guess inputs until one matches
• not broadcasting SSID doesn't really do much
  o neither does MAC black/whitelisting (a sniffer sees both, and a MAC takes one command to change)
• DON'T USE DICTIONARY WORDS IN PASSWORDS
  o use different passwords for sites!
• physical access = root
• beware of unencrypted access points o free public wifi
• pay attention to those messages about server keys changing
• phishing can get anyone, even smart people
• Linux and OS X do have nasty attacks out there
  o just a matter of time people
  o don't assume you're automatically secure
• DO NOT rely on Tor for confidentiality
  o Tor hides where traffic comes from, not what it says: the exit node sees anything you didn't wrap in TLS
  o malicious exit nodes are not unheard of
• Don't let anyone convince you that they are omniscient just because they have a CISSP
• as mentioned before...security via obscurity == FAIL
• don't connect LOIC via hivemind, regardless of what people on the anonops irc channel tell you