Top open source security tools you should know
1. What are relevant open source security tools you should know and use today?
Marc Vael, SAI.be
Jan Guldentops, BA.be
Wednesday 20th of March 2019
Brussels, Belgium
2. Disclaimer
The views and opinions expressed during this session are
those of the speakers.
Nothing in this session should be construed as professional
or security advice.
For all tools shown in this presentation, quality has been
demonstrated by thousands of users who have
downloaded, deployed and actively used/reviewed them.
3. Disclaimer bis
This presentation is only a "45-minute appetizer"!
• There are plenty of open source security tools that we will not
discuss today (more about this later).
5. Red Hat = 100% open source company
• IBM could have downloaded all of Red Hat's code for free and
used it
• Still, IBM agreed to pay 34,000,000,000 USD for the company
(announced October 2018)
6. Why use open source security tools?
1. Cost is one of the reasons why security professionals spend
some of their time working with open source security tools.
2. Whether for learning, experimenting, dealing with new or
unique situations or deploying on a production basis, security
professionals regard open source security software as a
valuable part of their toolkit.
3. Transparency: you have access to all the code, can audit what it
actually does, and are free to modify and redistribute it within
the terms of its license.
4. Avoiding lock-in with a specific security vendor/supplier.
8. Categories
We have taken the liberty to split up all open source
security tools into the following 3 main categories:
I. Security audits, testing & forensics
II. Security monitoring & logging
III. System security
12. KALI
• Named after the Hindu goddess, destroyer of evil forces
• A Debian-based Linux distribution aimed at advanced penetration testing
and security auditing. Kali contains several hundred tools aimed at various
information security tasks, such as penetration testing, forensics and
reverse engineering.
• The ideal place to start if you want to begin using open source tools for
auditing and forensics.
• Used to be called BackTrack.
• Just boot the distro and you have all your tools available.
• A lot of tutorials are available.
https://www.kali.org/
https://tools.kali.org/tools-listing
13. How to use KALI (1)
• Bootable USB
• Live
• Install
• Use encrypted filesystems! The stick will hold scan results and
customer data.
• VM
• VirtualBox, KVM or VMware on your laptop.
• At a cloud provider: ideal for auditing the "outside".
• E.g. Azure, Google Cloud, Hetzner, etc.
• Check the provider's rules on penetration testing before you scan
from their address space.
14. Advanced Kali use
• Probe
• We use a Raspberry Pi as an audit device.
• Pi 3 + PoE HAT/power bank + external USB-based Wi-Fi adapter
• +- 130 €
• Leave it behind at customers:
• Sets up a VPN, SSH or DNS tunnel back to our HQ
• We have all the tools available for Wi-Fi, network and other
auditing.
• Agree the drop box in the rules of engagement and label it; an
unknown device on a customer network will (rightly) be treated as
an intrusion.
17. NMAP
• Nmap (Network Mapper) is a free and open source utility for network discovery and
security auditing.
• Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or
service uptime.
• Nmap uses raw IP packets in novel ways to determine what hosts are available on
the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.
• Nmap was designed to rapidly scan large networks, but works fine against single
hosts. In addition to the classic command-line Nmap executable, the Nmap suite
includes an advanced GUI and results viewer (Zenmap), a flexible data transfer,
redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff),
and a packet generation and response analysis tool (Nping).
• Nmap also ships the Nmap Scripting Engine (NSE), with scripts that probe
services for known vulnerabilities and misconfigurations.
https://nmap.org/
18. NMAP
• Beginners: use Zenmap
• Easy selection of what you want to do
• All types of scans, from ping sweep to intense scan
• Nice way of displaying and reporting what you find
• But: you always get the nmap CLI command for later use
• Cool stuff:
• NSE: all kinds of scripts to check out services and test them
• OS detection
• Service fingerprinting
20. NMAP
Examples from the CLI
• nmap --open -p22 10.0.0.0/24
(quick way of finding all hosts in a network running SSH)
• nmap --script http-headers -p80,443 www.ba.be
• Checks the headers returned by the web server
• nmap --script "ssl-*" -p443 storefront.marks.com
• Checks the TLS quality of a web server (ssl-enum-ciphers for ciphers and
protocol versions, ssl-cert for the certificate, plus checks for known
vulnerabilities); quote the glob so the shell does not expand it
• locate '*.nse' (or ls /usr/share/nmap/scripts) gives you an overview of
all scripts (> 540)
• All kinds of scripts for brute-forcing, checking known vulnerabilities, etc.
The brute and vuln categories are noisy and can lock accounts or crash
services: run them only where you are authorised to.
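The first command above is fine on screen; at scale you want the result as data. The following added example (not code from the slides or from the nmap project) parses the XML that nmap writes with -oX and returns every host where a given port is open, together with the product and version that -sV fingerprinted. The XML in the block is a constructed sample of that output, kept to the element and attribute names nmap really uses; the addresses and hostnames are invented.

```python
"""List hosts with an open port from nmap -oX output.

Added example, not from the slides or the nmap project. SAMPLE_NMAP_XML is
a constructed stand-in for what
    nmap --open -p22 -sV -oX scan.xml 10.0.0.0/24
writes; element and attribute names follow nmap's XML output format.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts with 22/tcp open, one with it closed
# (a real --open scan would omit the closed host entirely).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap"
  args="nmap --open -p22 -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.23" addrtype="ipv4"/>
    <hostnames><hostname name="jump.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="Dropbear sshd" version="2012.55"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text, port, proto="tcp"):
    """Return [(addr, hostname, product, version)] for every host where
    `port`/`proto` is in state "open"."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for p in host.iter("port"):
            if p.get("protocol") != proto or p.get("portid") != str(port):
                continue
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((addr_el.get("addr"), hostname, product, version))
    return found


if __name__ == "__main__":
    # Real use: open_ports(open("scan.xml").read(), 22)
    for addr, name, product, version in open_ports(SAMPLE_NMAP_XML, 22):
        print("%-15s %-20s %s %s" % (addr, name, product, version))
```

Feed it the file from a real scan instead of the sample and the same function gives you a list you can diff against the previous week's scan, which is the practical way to spot a newly exposed SSH daemon.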
21. OPENVAS
• Vulnerability scanner
• Fork of the open source Nessus tool, which went closed-source
in 2005.
• Nessus/OpenVAS is widely cited (sectools.org survey) as the most popular
vulnerability scanner and the third most popular security program in use.
• Sits underneath commercial offerings: Greenbone (which maintains
OpenVAS), AlienVault OSSIM/USM, etc.
• Uses a lot of other tools (nmap, etc.) to check services and
creates a clean report.
https://www.tenable.com/products/nessus/nessus-professional
http://www.openvas.org/
22. OPENVAS
• Web-based vulnerability
assessment tool
• Especially important is the feed
of vulnerability tests!
• Community feed
• Commercial feeds are available
(react faster to new vulnerabilities)
24. WIRESHARK
• Wireshark is a network protocol analyzer. It lets you view traffic in as much
detail as you want. Use Wireshark to follow network streams and find
problems.
• Wireshark is a tool for anyone needing to monitor their network for security
or performance issues. Because Wireshark can read captures made by tools
like Snoop, Sniffer and Microsoft Network Monitor, it also serves as a
second opinion on captures taken elsewhere.
• Wireshark analyses traffic from networks of any size, with the power often
found in more costly tools, but for free.
• Caveat: on a switched network your capture port only sees its own traffic
and broadcasts; to see other hosts you need a mirror (SPAN) port or a tap.
The CLI companion tshark is handy for capturing on servers without a GUI.
https://www.wireshark.org/
25. ETTERCAP
• If you need to test your enterprise network for resistance to
man-in-the-middle (MITM) attacks, Ettercap is the tool. This program has
been doing one thing, launching MITM attacks, since its initial release in
2001.
• Ettercap has four basic modes of attack: IP-based, MAC-based, and two
ARP-based strategies (poisoning the victims' ARP caches). You decide which
type of weakness to explore and watch how your environment responds to
each.
• While scanning for an attack, Ettercap gathers a great deal of information
about the network and its devices. As part of an overall security toolkit,
Ettercap provides strong MITM capabilities and solid augmentation for
analysis and visibility functions.
• Caveat: ARP poisoning sends the victims' traffic through your machine; if
that machine drops packets, the victims lose connectivity. Run it only with
authorisation, in an agreed window, and watch for it in your own IDS.
https://www.ettercap-project.org/ettercap/
26. METASPLOIT
• Metasploit is free and open source penetration testing software, popular
among white hat and black hat hackers alike. It is the reference tool for
testing a network offensively against known vulnerabilities: a collection of
modules (exploits, payloads, auxiliary scanners, post-exploitation) that can
be combined per target. It is also used for auditing and scanning.
• The Metasploit Framework is the open source (BSD-licensed) core; Rapid7
also sells the commercial Metasploit Pro on top of it.
• Metasploit helps teams do more than just verify vulnerabilities, manage
security assessments and improve security awareness; it arms defenders to
stay a step (or two) ahead.
• It is useful for exploit validation. When a vulnerability scanner reports that a
machine is vulnerable, manual testing with a working exploit is the preferred
way to rule out a scanner false positive. Manual validation also helps the
tester understand the exploit and how to defend against it.
• The framework is used to run internal security tests and to identify
weaknesses in internal networks before compromise occurs. It also helps
justify costly updates to software and business practices by showing what
exploitation of a vulnerability looks like in practice.
https://github.com/rapid7/metasploit-framework
https://www.metasploit.com/
27. GHIDRA
• Ghidra is a software reverse engineering (SRE) framework developed by
the NSA and released as open source in March 2019. It helps analyse
malicious code and malware, and gives security professionals a better
understanding of potential vulnerabilities in their networks and systems.
• The tool is useful for software engineers in general, but first and foremost
for malware analysts.
• Capabilities include disassembly, assembly, decompilation, graphing and
scripting, along with hundreds of other features. Ghidra supports a wide
variety of processor instruction sets and executable formats and can be run
in both interactive and headless (automated) modes. Users can develop their
own Ghidra plug-ins and scripts in Java or Python (via Jython).
https://ghidra-sre.org/
https://github.com/NationalSecurityAgency/ghidra
28. SIFT
• SIFT (SANS Investigative Forensic Toolkit) is an Ubuntu-based distribution
bundling free open source incident response and forensic tools, designed for
detailed digital forensic examinations in a variety of settings.
• SIFT aims to match any current commercial incident response and forensic
tool suite.
• SIFT demonstrates that advanced incident response capabilities and
deep-dive forensic analysis of intrusions can be accomplished with
cutting-edge open source tools that are freely available and frequently
updated.
• This open source all-in-one forensic toolkit can easily be built right in
cloud environments.
https://digital-forensics.sans.org/community/downloads#overview
29. BINWALK
Binwalk can:
• Find and extract interesting files/data from binary images (firmware)
• Find and extract raw compression streams
• Identify opcodes for a variety of architectures
• Perform data entropy analysis (high entropy = compressed or encrypted)
• Heuristically analyse unknown compression/encryption
• Visualise binary data
• Diff an arbitrary number of files
• Caveat: extraction (binwalk -e) hands untrusted input to third-party
extractors; do it in a throwaway VM.
http://binwalk.org/
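To show what the first, second and fourth bullets actually do, here is an added example (my code, not binwalk's) that scans a constructed "firmware" image for a handful of magic values, carves the gzip member it finds, and computes a per-block entropy profile that flags the encrypted-looking region. The image, the signature table and the 7.0 bits/byte threshold are assumptions made for the example; binwalk's own signature database is far larger.

```python
"""Signature scanning, carving and entropy analysis over a binary image.

Added example, not binwalk's code. FIRMWARE is a constructed image built in
memory so the script runs offline; SIGNATURES is a tiny hand-picked subset of
the magic values a real signature database contains.
"""
import gzip
import math
import random
import zlib

SIGNATURES = {
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem, little endian",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "Zip archive data",
}

TEXT = (b"# constructed config\nhostname=router\nadmin=admin\n"
        b"password=changeme\n") * 8          # plaintext, low entropy
BLOCK = 512                                  # entropy block size (assumption)


def build_image():
    """Constructed firmware: zero padding, a gzip member at offset 512,
    padding to 1024, 2 KiB of seeded pseudo-random bytes (stands in for an
    encrypted blob), then the plaintext config."""
    rnd = random.Random(1)                   # seeded: image is reproducible
    img = bytearray(b"\x00" * 512)
    img += gzip.compress(TEXT, mtime=0)      # fixed mtime: stable bytes
    img += b"\x00" * (-len(img) % 1024)
    img += bytes(rnd.getrandbits(8) for _ in range(2048))
    img += TEXT
    return bytes(img)


FIRMWARE = build_image()


def scan_signatures(data, signatures=SIGNATURES):
    """Every (offset, description) at which a known magic value occurs."""
    hits = []
    for magic, desc in signatures.items():
        off = data.find(magic)
        while off != -1:
            hits.append((off, desc))
            off = data.find(magic, off + 1)
    return sorted(hits)


def carve_gzip(data, offset):
    """Decompress the gzip member at `offset`; also return its compressed
    length so the scan can continue right after it."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing
    out = d.decompress(data[offset:])
    if not d.eof:
        raise ValueError("gzip stream at 0x%X is truncated" % offset)
    compressed_len = len(data) - offset - len(d.unused_data)
    return out, compressed_len


def entropy(chunk):
    """Shannon entropy in bits per byte: 0 for a constant, 8 for uniform."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data, block=BLOCK):
    """[(offset, length, entropy)] for consecutive blocks of the image."""
    return [(off, len(data[off:off + block]), entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def high_entropy_regions(profile, threshold=7.0):
    """Merge adjacent blocks above `threshold` into (start, end) ranges:
    the compressed or encrypted areas worth a closer look."""
    regions = []
    for off, length, h in profile:
        if h < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + length)
        else:
            regions.append((off, off + length))
    return regions


if __name__ == "__main__":
    for off, desc in scan_signatures(FIRMWARE):
        print("0x%08X  %s" % (off, desc))
    for start, end in high_entropy_regions(entropy_profile(FIRMWARE)):
        print("high entropy: 0x%X-0x%X (no signature: encrypted?)" % (start, end))
```

The gzip member shows up twice in a real scan: once as a signature hit and once as a short high-entropy stretch. A long high-entropy region with no signature in it, like the 2 KiB random block here, is the pattern that usually means an encrypted section and a key to go looking for.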
30. Ddrescue
• GNU ddrescue is a data recovery tool. It copies data from one file or block device
(hard disc, CD-ROM, etc.) to another, trying to rescue the good parts first in
case of read errors.
• Ddrescue helps you make correct forensic copies of disks, even damaged ones.
Caveat: it does not hash the result, so image through a write blocker, compute
and record a hash of the image afterwards, and check the mapfile for areas that
are not "finished" before treating the image as complete.
• Ddrescuelog is a tool that manipulates ddrescue mapfiles, shows mapfile contents,
converts mapfiles to/from other formats, compares mapfiles, tests rescue status,
and can delete a mapfile if the rescue is done. Ddrescuelog operations can be
restricted to one or several parts of the mapfile if the domain setting options
are used.
• The basic operation of ddrescue is fully automatic.
• The mapfile is periodically saved to disc, so in case of a crash you can resume
the rescue with little recopying. The same mapfile can also be used for multiple
commands that copy different areas of the file, and for multiple recovery
attempts over different subsets.
• Ddrescue also features a "fill mode" able to selectively overwrite parts of the
output file, which has a number of interesting uses like wiping data, marking
bad areas or even, in some cases, "repairing" damaged sectors.
• One of the great strengths of ddrescue is that it is interface-agnostic, and so
can be used for any kind of device supported by your kernel (ATA, SATA, SCSI,
old MFM drives, floppy discs, or even flash media cards like SD).
https://www.gnu.org/software/ddrescue/
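The mapfile is where you verify how complete an image is before you trust it as evidence. As an added example (not part of ddrescue, which ships ddrescuelog for this), the following reads a mapfile, totals the bytes per status character, checks that the block list is contiguous, and lists the ranges that were not rescued. The mapfile text is a constructed sample in the format the ddrescue manual documents; the device, file names and sizes are invented.

```python
"""Summarise a GNU ddrescue mapfile.

Added example, not part of ddrescue. SAMPLE_MAPFILE is constructed; the
status characters are the ones documented in the ddrescue manual.
"""

STATUS = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "finished",
}

SAMPLE_MAPFILE = """# Mapfile. Created by GNU ddrescue version 1.23
# Command line: ddrescue -d -r3 /dev/sdb evidence.img evidence.map
# Start time:   2019-03-20 10:15:02
# Current time: 2019-03-20 11:42:57
# Finished
# current_pos  current_status  current_pass
0x1F400000     +               3
#      pos        size  status
0x00000000  0x0A000000  +
0x0A000000  0x00001000  -
0x0A001000  0x153FF000  +
0x1F400000  0x00000200  /
0x1F400200  0x00BFFE00  +
"""


def parse_mapfile(text):
    """Return ((current_pos, current_status), [(pos, size, status), ...]).

    The first non-comment line is the current position/status line; every
    following line describes one contiguous block of the rescue domain."""
    current = None
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if current is None:
            current = (int(fields[0], 0), fields[1])
            continue
        pos, size, status = int(fields[0], 0), int(fields[1], 0), fields[2]
        if status not in STATUS:
            raise ValueError("unknown status %r in %r" % (status, line))
        blocks.append((pos, size, status))
    return current, blocks


def summarize(blocks):
    """Bytes per status name, plus the total size covered. Raises if the
    blocks are not contiguous (a corrupt or hand-edited mapfile)."""
    totals = {name: 0 for name in STATUS.values()}
    expected = 0
    for pos, size, status in blocks:
        if pos != expected:
            raise ValueError("gap or overlap at 0x%X (expected 0x%X)"
                             % (pos, expected))
        totals[STATUS[status]] += size
        expected = pos + size
    return totals, expected


def is_complete(blocks):
    """True only when every byte of the domain is in the finished state."""
    totals, total = summarize(blocks)
    return totals["finished"] == total


def unrescued_ranges(blocks):
    """(start, end) of every block that is not finished: the sectors whose
    contents in the image are zero-filled or unreliable."""
    return [(pos, pos + size) for pos, size, st in blocks if st != "+"]


if __name__ == "__main__":
    current, blocks = parse_mapfile(SAMPLE_MAPFILE)
    totals, total = summarize(blocks)
    print("domain: %d bytes, complete: %s" % (total, is_complete(blocks)))
    for name, n in totals.items():
        if n:
            print("  %-12s %d bytes" % (name, n))
    for start, end in unrescued_ranges(blocks):
        print("  not rescued: 0x%X-0x%X" % (start, end))
```

Note the non-scraped block: the rescue finished its three passes but the scrape phase was never run on that area, so rerunning ddrescue with the same mapfile (and no -n) would still try to recover it.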
31. XPLICO
• Extracts the application data contained in an internet traffic capture
• For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP
protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
• Xplico is an open source Network Forensic Analysis Tool (NFAT).
• The Xplico system is composed of 4 macro-components:
• a Decoder Manager called DeMa
• an IP decoder called Xplico
• a set of data manipulators
• a visualisation system to view the extracted data
https://www.xplico.org/
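Both Wireshark's "Follow TCP Stream" (slide 24) and Xplico's bulk extraction start from the same step: read the pcap records, pick the TCP segments of one connection, and put their payloads back in sequence order. The added example below (my code, not from either project) does exactly that over a capture it builds in memory, with the HTTP request deliberately split into two segments that arrive out of order; the addresses, ports and request are constructed.

```python
"""Minimal pcap reader with "follow TCP stream" and HTTP request extraction.

Added example, not code from Wireshark or Xplico. SAMPLE_PCAP is built in
memory from constructed frames so the script runs offline.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_PSH_ACK = 0x18


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Ethernet/IPv4/TCP frame. Checksums are left zero: Wireshark flags
    them as bad, but they do not matter for reassembly."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                      TCP_PSH_ACK, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                       IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


def build_pcap(frames):
    """Global header (24 bytes) followed by one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1553075000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "10.0.0.5", "198.51.100.10"     # constructed addresses
REQ1 = b"GET /login HTTP/1.1\r\nHost: shop.example.test\r\n"
REQ2 = b"Cookie: session=abc123\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_PCAP = build_pcap([
    # the second half of the request is captured first
    build_frame(CLIENT, SERVER, 51000, 80, 1000 + len(REQ1), 1, REQ2),
    build_frame(CLIENT, SERVER, 51000, 80, 1000, 1, REQ1),
    build_frame(SERVER, CLIENT, 80, 51000, 1, 1000 + len(REQ1) + len(REQ2), RESP),
])


def iter_records(pcap):
    """Yield (timestamp_sec, frame_bytes) for each packet record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment."""
    for _, frame in iter_records(pcap):
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", ip, 2)
        if ip[9] != IPPROTO_TCP:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, seq, tcp[data_off:]


def follow_streams(pcap):
    """Reassemble each direction of each connection in sequence-number
    order. Retransmissions and overlaps are not deduplicated here."""
    streams = defaultdict(list)
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        if payload:
            streams[(src, sport, dst, dport)].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs))
            for key, segs in streams.items()}


def http_requests(streams):
    """Request lines from reassembled client->server streams on port 80,
    the kind of per-session artefact Xplico lists."""
    return [(src, dst, data.split(b"\r\n", 1)[0].decode("ascii", "replace"))
            for (src, _sp, dst, dport), data in streams.items()
            if dport == 80 and data[:5] in (b"GET /", b"POST ")]


if __name__ == "__main__":
    for key, data in follow_streams(SAMPLE_PCAP).items():
        print(key, data)
```

Reading a real capture means replacing SAMPLE_PCAP with the file contents; the pcapng format Wireshark writes by default is a different container, so save as classic pcap (or use tshark -F pcap) first.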
33. NAGIOS
• Nagios monitors the network: infrastructure, traffic and
attached servers all fall within the reach of its basic or extended
capabilities.
• Nagios is available in both free and commercial versions.
• Nagios Core is the heart of the open source project. Individual
products can be monitored, and individual tasks performed, by
plug-ins; there are roughly 50 "official" plug-ins developed by Nagios
and more than 3,000 contributed by the community.
• Nagios's user interface can be replaced by a front end for the
desktop, web or mobile platform, and configuration can be
managed through one of the available config tools.
https://www.nagios.org/
34. ELK Stack
3 open source projects:
• Elasticsearch is a search and analytics
engine.
• Logstash is a server-side data
processing pipeline that ingests data
from multiple sources simultaneously,
transforms it, and then sends it to a
"stash" like Elasticsearch.
• Kibana lets users visualise the data in
Elasticsearch with charts and graphs.
https://www.elastic.co/elk-stack
38. SNORT
• SNORT has been the starting point of knowledge about
intrusion detection systems (IDS) for more than a generation
of security pros.
• Snort can be configured in three separate modes: as a
network sniffer, packet logger, or full IDS. As such, it can be
the core of an automated security system or a component
that sits alongside an array of commercial products.
• Now owned by Cisco, Snort continues to evolve and be
developed by an active community.
• Community-developed IDS rules are available, as are rules
licensed on a commercial basis.
https://www.snort.org/
39. MOD_SECURITY
• Open source Web Application Firewall (WAF) module for
Apache, NGINX and IIS
• Can be used with the free OWASP ModSecurity Core Rule Set
(CRS) or with commercial rule subscriptions.
• Inspects every incoming HTTP/HTTPS request (and optionally the
response) against the loaded rules and can log, block or alter it.
• Caveat: start with SecRuleEngine DetectionOnly and tune away
the false positives on your own application before switching to
blocking mode.
https://modsecurity.org/
40. Lynis
• Lynis is a host-based security auditing tool for Unix-like systems. It
inventories the applications and utilities it finds, their versions, and
the weaknesses in their configuration, and ends with a hardening index
and concrete hardening suggestions.
• With source code available on GitHub, Lynis has an active
development community, with primary support coming from
CISOfy.
• One of the special capabilities of Lynis is that, because it is a plain
shell script with no dependencies, it can audit popular IoT development
boards, including the Raspberry Pi.
https://cisofy.com/lynis/
41. Certbot
• Encryption is critical for many security standards, including everyone's
new favourite, GDPR. Implementing it can be complicated and costly, but
the EFF has tried to make it less of both with tools like Certbot, an open
source client that automatically obtains and deploys TLS certificates for
your web server.
• Certbot began as a front end for Let's Encrypt, but it has grown into a
client for any CA that supports the ACME protocol.
• Let's Encrypt certificates are valid for 90 days, so renewal must be
automated: the Certbot packages install a cron job or systemd timer that
runs certbot renew; verify that it actually runs, or your site expires.
• The Certbot project is part of the EFF's effort to "Encrypt the Internet",
a goal embraced by many privacy advocates and government regulators.
Keeping your employees, partners and customers safe is both a worthwhile
goal and a legal responsibility; the open source tools discussed in this
presentation can help make steps in that direction.
https://certbot.eff.org/
42. VeraCrypt
• VeraCrypt is a free open source disk encryption utility (the successor
of TrueCrypt) that encrypts whole disks, partitions or file-based
containers.
• Nowadays we store our data in Dropbox, Google Drive and other cloud
services which promise privacy and security. But what if employees of
those cloud companies use that data for their own purposes? A better
option is to encrypt those files/flash drives before dumping them into
the cloud.
https://www.veracrypt.fr/en/Home.html
44. Want to know more about
open source security tools?
http://www.hackingtools.in/
45. Want to know more about
open source security tools?
Marc Vael
• marc@vael.net
• @marcvael
• https://www.linkedin.com/in/marcvael/
Jan Guldentops
• j@ba.be
• @JanGuldentops
• https://www.linkedin.com/in/janguldentops/