Educause Security Discussion mailing list archives

Re: Security Assessment Tools


From: Randy Marchany <marchany () VT EDU>
Date: Tue, 31 Oct 2006 12:42:18 -0500

Here's my list of assessment tools:

1. Vulnerability/Port Scanners
        - Nessus (mentioned in a previous note) is still the best even though
          their licensing has changed.
        - nmap - still the best of the port scanner and OS identification tools,
          and built into most Linux distros.
        - Active Ports - host based GUI version of netstat or lsof that attempts
          to map system processes to port listeners.

2. Configuration Tools
        - Center for Internet Security NG Tool/Benchmark for Windows - free
          from www.cisecurity.org. Provides a consensus benchmark and scanning
          tool that compares system settings with the benchmark. Provides a
          numeric score showing what % of your settings match the benchmark.

        - Microsoft Baseline Security Analyzer v2.0 - scans local and remote
          systems and provides a nice report of system settings.

        - Belarc Advisor - similar to MBSA but harder to find these days.

3. Exploit tools

        - Metasploit Framework - freeware suite of exploits and payloads for
          various platforms. Good to actually test your security. Available
          from www.metaploit.org.
        - Commercial pen test tools include CoreImpact and Canvas Immunity.

4. Web Application Security

        - Paros - excellent tool with spider capabilities, limited security scan
          capabilities, ability to freeze www transactions and allow for
          dynamic replacement of www strings. Also, does some minor
          cross site scripting tests.
        - WebScarab - available from www.owasp.org. Another good web security
          tool that allows you to replace session ID and cookie values
          to test web app security.

5. One-stop shop

        - Backtrack (formerly Auditor) available from www.remote-exploit.org.
          This is the big daddy of toolkits. Standalone Knoppix implementation
          that contains most of the tools mentioned above plus a whole suite
          of password crackers, enumeration tools, wireless security tools and
          more. You need this suite to fully assess your assets.

We use all of these for our security reviews. We'd be lost without them.
Of course, there are commercial products that do the same thing and have
better reporting capabilities. I've always maintained that to properly
evaluate a commercial tool, you need to get experience with the freeware
version of similar tools.

        -Randy Marchany
        VA Tech IT Security Lab
