Tuesday, January 28, 2014

Armitage for Metasploit Manual

I. Table of Contents

  1. About Armitage - Before we begin...
  2. Getting Started - How to get any woman to talk to you
  3. User Interface Tour - So many pretty screenshots
  4. Host Management - You've got to find them to hack them.
  5. Exploitation - This is the fun stuff
  6. Post-Exploitation - This is the really fun stuff
  7. Maneuver - Getting around the network and on to more targets
  8. Team Metasploit - This is cyber attack management!
  9. Scripting Armitage - The next step...

1. About Armitage

1.1 What is Armitage?

Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.
Through one Metasploit instance, your team will:
  • Use the same sessions
  • Share hosts, captured data, and downloaded files
  • Communicate through a shared event log.
  • Run bots to automate red team tasks.
Armitage is a force multiplier for red team operations.

1.2 Cobalt Strike

Armitage is open source software developed by Raphael Mudge's company Strategic Cyber LLC. Cobalt Strike uses Armitage's user interface--but it's quite a different animal.

Check out the Cobalt Strike site to learn what's different between Armitage and Cobalt Strike.

1.3 Cyber Attack Management

Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
Armitage's dynamic workspaces let you define and switch between target criteria quickly. Use this to segment thousands of hosts into target sets. Armitage also launches scans and imports data from many security scanners. Armitage visualizes your current targets so you'll know the hosts you're working with and where you have sessions.
Armitage recommends exploits and will optionally run active checks to tell you which exploits will work. If these options fail, use the Hail Mary attack to unleash Armitage's smart automatic exploitation against your targets.
Once you're in, Armitage exposes post-exploitation tools built into the Meterpreter agent. With the click of a menu you will escalate your privileges, log keystrokes, dump password hashes, browse the file system, and use command shells.
Armitage makes it trivial to setup and use pivots. You'll use compromised hosts as a hop to attack your target's network from the inside. Armitage uses Metasploit's SOCKS proxy module to let you use external tools through your pivots. These features allow you to maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.

1.4 Necessary Vocabulary

To use Armitage, it helps to understand Metasploit. Here are a few things you must know:

Metasploit is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and payload is available as a module. To launch a module, you must set one or more options to configure the module. This process is uniform for all modules and Armitage makes this process easier for you.
When you exploit a host, you will have a session on that host. Armitage knows how to interact with shell and meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
The Metasploit Unleashed course maintained by the Offensive Security folks is excellent. I recommend reading it before going further.

2. Getting Started

2.1 Requirements

Armitage exists as a client and a server that allow red team collaboration to happen. The Armitage client package is made available for Windows, MacOS X, and Linux. Armitage does NOT require a local copy of the Metasploit Framework to connect to a team server.
These getting started instructions are written assuming that you would like to connect to a local instance of the Metasploit Framework.
Armitage requires the following:
To quickly install all of the dependencies, you have a few options:
  • Use a Linux distribution for penetration testing such as Kali Linux or Pentoo Linux.
    These distributions ship with Metasploit and its dependencies installed for you.

  • Use the MSF Installer Script created by DarkOperator.
    This option will setup an environment that uses Git for updates.

  • Use the official installer provided by Rapid7.
    This option will require you to register with Rapid7 to get updates.

2.2 Kali Linux

Kali Linux comes with the Metasploit Framework installed. This is a good option if you want to get up and running with Armitage quickly.

Setup Instructions (do these once!)

  1. Open a terminal
  2. Start the database: service postgresql start
  3. Initialize the database: service metasploit start
  4. Stop the metasploit service: service metasploit stop
  5. Install/Update Armitage: apt-get update ; apt-get install armitage
  6. Use Java 1.7 by default (32-bit Kali):
    update-java-alternatives --jre -s java-1.7.0-openjdk-i386
  7. Use Java 1.7 by default (64-bit Kali):
    update-java-alternatives --jre -s java-1.7.0-openjdk-amd64

How to Start Armitage

  1. Open a terminal
  2. Start the PostgreSQL database: service postgresql start
    (this does not happen automatically in Kali Linux)
  3. cd /path/to/armitage
  4. ./armitage

How to update Metasploit

  1. Open a terminal
  2. msfupdate
  3. service metasploit start
  4. service metasploit stop

2.3 BackTrack Linux

BackTrack Linux is no longer a supported environment for Armitage. Please move over to Kali Linux.
If you want to continue to use BackTrack Linux, you must uninstall the Metasploit Framework and install the latest dependencies. Due to dependency changes (far outside of my control) in the framework, your BackTrack Linux environment will not work if you update Metasploit.
To uninstall the Metasploit Framework:
cd /opt/metasploit
./uninstall

2.4 Linux

  1. Install the Metasploit Framework and its dependencies
  2. Extract armitage
  3. Change to the folder you installed armitage into
  4. Use ./armitage to start Armitage

2.5 Windows

Windows is not a supported environment to run Armitage with the Metasploit Framework. You may connect Armitage on Windows to a team server hosted on Linux.

2.6 Manual Setup

If you choose to setup the Metasploit Framework and its dependencies by hand, here are a few hard and fast requirements to help you:
  • You need a PostgreSQL database. No other database is supported.
  • msfrpcd must be in $PATH
  • $MSF_DATABASE_CONFIG must point to a YAML file
  • $MSF_DATABASE_CONFIG must be available to msfrpcd and armitage
  • the msgpack ruby gem is required
Take a look at the following resources for help in this area:
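The hard and fast requirements above can be checked before you try to start Armitage. The script below is an added example, not part of the Armitage manual or of the Armitage or Metasploit projects. It checks that msfrpcd is in $PATH, that $MSF_DATABASE_CONFIG is set and points to a readable file whose adapter is postgresql, and that the msgpack gem is installed (via `gem list -i msgpack`, my choice of probe). Because the database YAML carries the database password, a file readable by other local users is reported as a warning. The line-based scan for the `adapter:` key is my simplification rather than a YAML parser, and the `psql` check is my heuristic for "a PostgreSQL database is present".

```python
"""Pre-flight check for a hand-built Metasploit + Armitage setup (added example)."""
import os
import shutil
import stat
import subprocess
from typing import Dict, List, Optional


def check_in_path(name: str) -> bool:
    """True if an executable called `name` can be found on $PATH."""
    return shutil.which(name) is not None


def inspect_db_config_text(text: str) -> List[str]:
    """Scan the database YAML text and return a list of errors (empty = OK).

    Only PostgreSQL is supported, so every 'adapter:' key must say postgresql.
    This is a line-based scan, not a YAML parser (my simplification).
    """
    adapters = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("adapter:"):
            adapters.append(stripped.split(":", 1)[1].strip())
    if not adapters:
        return ["no 'adapter:' key found; expected adapter: postgresql"]
    wrong = sorted({a for a in adapters if a != "postgresql"})
    if wrong:
        return [f"unsupported adapter(s) {wrong}; only postgresql is supported"]
    return []


def check_db_config(path: Optional[str]) -> Dict[str, List[str]]:
    """Check $MSF_DATABASE_CONFIG: set, readable, PostgreSQL, not world-readable."""
    result: Dict[str, List[str]] = {"errors": [], "warnings": []}
    if not path:
        result["errors"].append("MSF_DATABASE_CONFIG is not set")
        return result
    if not os.path.isfile(path):
        result["errors"].append(f"MSF_DATABASE_CONFIG points to a missing file: {path}")
        return result
    if not os.access(path, os.R_OK):
        result["errors"].append(f"database config is not readable by this user: {path}")
        return result
    with open(path, encoding="utf-8") as fh:
        result["errors"].extend(inspect_db_config_text(fh.read()))
    # msfrpcd and armitage must be able to read this file; other local users
    # should not, since it holds the database password.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        result["warnings"].append(f"{path} is world-readable (mode {mode:o}); consider chmod 600")
    return result


def check_msgpack_gem() -> bool:
    """True if `gem list -i msgpack` reports the gem as installed."""
    try:
        proc = subprocess.run(["gem", "list", "-i", "msgpack"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no `gem` binary at all
        return False
    return proc.stdout.strip() == "true"


def preflight(env: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Run every check and return {'errors': [...], 'warnings': [...]}."""
    env = dict(os.environ) if env is None else env
    report = check_db_config(env.get("MSF_DATABASE_CONFIG"))
    if not check_in_path("msfrpcd"):
        report["errors"].append("msfrpcd is not in $PATH")
    if not check_in_path("psql"):  # heuristic for "PostgreSQL is installed" (assumption)
        report["warnings"].append("psql not found in $PATH; is PostgreSQL installed?")
    if not check_msgpack_gem():
        report["errors"].append("msgpack ruby gem is not installed (gem install msgpack)")
    return report


if __name__ == "__main__":
    report = preflight()
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"[{level[:-1]}] {msg}")
    raise SystemExit(1 if report["errors"] else 0)
```

Run it with the same environment variables you will start armitage and msfrpcd with; an empty errors list means the items the manual lists are in place, and warnings point at permission problems worth fixing before a team server goes on a shared box.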

2.7 Updating Metasploit

Running msfupdate may break Armitage. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time. Sometimes the framework changes in a way that's not compatible until I update Armitage.
If you run msfupdate and Armitage stops working, you have a few options.
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision I tested it against. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source ../scripts/setenv.sh
git pull
git checkout [commit id]
bundle install

3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually, this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).

2.8 Troubleshooting Help

If you're having trouble connecting Armitage to Metasploit, click the Help button to get troubleshooting advice. This button will take you to the Armitage Startup Troubleshooting Guide.

2.9 Quick Connect

If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details.
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles

If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
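A connect.prop file stores the team server password in the clear, so when you keep one file per server it pays to validate them and to create them with owner-only permissions. The following script is an added example, not from the Armitage manual or project: it parses and validates the key=value format shown above (the four keys host, port, user, pass), renders new files, writes them with mode 0600, and refuses to load a file that other local users can read. Accepting a DNS name in the host field is my assumption; the manual's example uses an IP address.

```python
"""Create and validate Armitage --client connection files (added example)."""
import ipaddress
import os
import re
import stat
from typing import Dict, Optional

REQUIRED_KEYS = ("host", "port", "user", "pass")
# Hostname acceptance is an assumption; the manual's example uses a bare IP.
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$")

# The manual's own example file, embedded here as sample input.
SAMPLE = "host=192.168.95.241\nport=55553\nuser=mister\npass=bojangles\n"


def parse_connect_prop(text: str) -> Dict[str, str]:
    """Parse key=value lines (blank lines and '#' comments ignored) and validate."""
    props: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        props[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    host = props["host"]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            raise ValueError(f"host is neither an IP address nor a hostname: {host!r}") from None
    port = int(props["port"])  # raises ValueError if not numeric
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not props["pass"]:
        raise ValueError("pass is empty")
    return props


def validation_error(text: str) -> Optional[str]:
    """Return the validation message for a bad file, or None when it is fine."""
    try:
        parse_connect_prop(text)
    except ValueError as exc:
        return str(exc)
    return None


def render_connect_prop(host: str, port: int, user: str, password: str) -> str:
    """Build the file text, validating it before anyone writes it to disk."""
    text = f"host={host}\nport={port}\nuser={user}\npass={password}\n"
    parse_connect_prop(text)
    return text


def write_connect_prop(path: str, host: str, port: int, user: str, password: str) -> None:
    """Write the file with mode 0600: the password is stored in the clear."""
    text = render_connect_prop(host, port, user, password)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file that was created wider


def is_private_file(path: str) -> bool:
    """True if group and others have no access bits on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_connect_prop(path: str) -> Dict[str, str]:
    """Read and validate a file, refusing one that other users can read."""
    if not is_private_file(path):
        raise PermissionError(f"{path} is readable by other users; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return parse_connect_prop(fh.read())


if __name__ == "__main__":
    # Example usage with constructed values: one file per team server.
    write_connect_prop("teamserver-a.prop", "192.168.95.241", 55553, "mister", "bojangles")
    print(load_connect_prop("teamserver-a.prop"))
```

A desktop shortcut per server then calls `java -jar armitage.jar --client teamserver-a.prop`; the load step fails fast if a file has drifted to a wider mode, which is cheaper than discovering a shared team server password in another user's hands.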

3. User Interface Tour

3.1 Overview

The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
Armitage User Interface

3.2 Modules

The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and run a post-exploitation module. Click through the tree to find the desired module. Double click the module to open a module launch dialog.
Armitage will configure the module to run against the selected hosts. This works for auxiliary modules, exploits, and post modules.
Running a module against multiple hosts is one of the big advantages of Armitage. In the Metasploit console, you must configure and launch exploits and post modules separately for each host you're working with.
You can search modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and press enter. The module tree will show the search results, expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.

3.3 Targets - Graph View

The targets panel shows your targets to you. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running.
Metasploited Targets
A red computer with electrical jolts indicates a compromised host.
A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts.
Right click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can use. The Attack menu is only available after finding attacks through the Attacks menu at the top of Armitage. Shell and Meterpreter menus show up when a shell or Meterpreter session exists on the selected host.
Several keyboard shortcuts are available in the targets panel. To edit these, go to Armitage -> Preferences.
  • Ctrl Plus - zoom in
  • Ctrl Minus - zoom out
  • Ctrl 0 - reset the zoom level
  • Ctrl A - select all hosts
  • Escape - clear selection
  • Ctrl C - arrange hosts into a circle
  • Ctrl S - arrange hosts into a stack
  • Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
  • Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and zoom-level of the targets area.

3.4 Targets - Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to Armitage -> Set Target View -> Table View to switch to this mode. Armitage will remember your preference.
Armitage Targets Table View
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.

3.5 Tabs

Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Armitage Tab Management
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.

3.6 Consoles

Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a use or a set PAYLOAD command if you click a module or a payload name in a console.
To open a Console go to View -> Console or press Ctrl+N.
On MacOS X and Windows, you must click in the editbox at the bottom of the console to type. Linux doesn't have this problem. Always remember, the best Armitage experience is on Linux.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color:
Armitage color palette

3.7 Logging

Armitage logs all console, shell, and event log output for you. Armitage organizes these logs by date and host. You'll find these logs in the ~/.armitage folder. Go to View -> Reporting -> Activity Logs to open this folder.
Armitage also saves copies of screenshots and webcam shots to this folder.
Change the armitage.log_everything.boolean preference key to false to disable this feature.
Edit the armitage.log_data_here.folder to set the folder where Armitage should log everything to.

3.8 Export Data

Armitage and Metasploit share a database to track your hosts, services, vulnerabilities, credentials, loots, and user-agent strings captured by browser exploit modules.
To get this data, go to View -> Reporting -> Export Data. This option will export data from Metasploit and create easily parsable XML and tab separated value (TSV) files.

4. Host Management

4.1 Host Management

Armitage displays hosts in the graph and table view. The host icon indicates the best guess about the operating system on the host at the time. This information is taken from the database.
To change the displayed operating system icon for a host, select the host, right-click, and navigate to Host -> Operating System. Choose the correct operating system for the host.
You may attach a label to your hosts too. Select the host, right-click and go to Host -> Set Label.... Labels are user-specified notes. Armitage stores labels in the database. Labels are visible in both the graph and table view. Labels are shown to all team members. Use labels to track small notes and coordinate actions.
To remove a host, select the host, right-click and go to Host -> Remove Host. This will remove the host from the database.

4.2 Dynamic Workspaces

Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspaces -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
Dynamic Workspaces in Armitage
To create a new dynamic workspace, press Add. You will see the following dialog:
Dynamic Workspaces in Armitage for Metasploit
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be: 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type: 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type: 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.
Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.
Use the Labels field to show hosts with the labels you specify. Armitage treats each word in a host label as a separate label. You may specify any of these labels here. For example, if host 10.10.10.3 has the label dc corp, a workspace defined to show dc or corp labels will include this host. Separate each label with a comma and a space.
Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace.
You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspaces menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspaces -> Show All or Ctrl+Backspace to display the entire database.
Armitage will only display 512 hosts at any given time, no matter how many hosts are in the database. If you have thousands of hosts, use this feature to segment your hosts into useful target sets.
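The workspace rules above (network descriptions with the trailing-zero shortcut, any-of matching within the Ports, OS and Labels fields, case-insensitive partial OS names, one label per word, the sessions-only switch, and the 512-host display cap) can be written down as a filter over a host inventory. The code below is an added example and is not Armitage's own implementation. Two points are my reading rather than the manual's statement: every trailing .0 octet of a bare address widens the range by one octet (generalised from the two examples 192.168.95.0 and 192.168.0.0), and criteria combine as OR within a field and AND across fields. It handles IPv4 descriptions only; the sample hosts are constructed.

```python
"""Re-implementation of Armitage's dynamic-workspace filter (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

DISPLAY_LIMIT = 512  # Armitage shows at most 512 hosts at once


@dataclass
class Host:
    address: str
    ports: Set[int] = field(default_factory=set)
    os: str = ""
    label: str = ""     # free text; every word is a separate label
    sessions: int = 0


@dataclass
class Workspace:
    name: str
    hosts: str = ""     # e.g. "10.10.0.0/16, 192.168.95.0"
    ports: str = ""     # e.g. "22, 445"
    os: str = ""        # e.g. "indows, linux"
    labels: str = ""    # e.g. "dc, corp"
    sessions_only: bool = False


def split_field(value: str) -> List[str]:
    """Split a 'comma and a space' separated field (tolerates a missing space)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def expand_network(desc: str) -> ipaddress.IPv4Network:
    """Turn one network description into an IPv4 network.

    CIDR is taken as written. A bare address follows the manual's shortcut:
    192.168.95.0 means 192.168.95.0-255 and 192.168.0.0 means
    192.168.0.0-192.168.255.255. Generalised here (assumption) as: each
    trailing .0 octet widens the range by one octet; no trailing zero means
    a single host.
    """
    if "/" in desc:
        return ipaddress.IPv4Network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 network description: {desc!r}")
    trailing_zeros = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.IPv4Network(f"{desc}/{prefix}", strict=False)


def matches(ws: Workspace, host: Host) -> bool:
    """True if the host satisfies every criterion the workspace sets.

    Empty fields impose no restriction. Within a field any listed value is
    enough; across fields all must hold (AND/OR reading is an assumption).
    """
    if ws.hosts:
        addr = ipaddress.ip_address(host.address)  # an IPv6 host never matches an IPv4 net
        if not any(addr in expand_network(n) for n in split_field(ws.hosts)):
            return False
    if ws.ports:
        wanted = {int(p) for p in split_field(ws.ports)}
        if not wanted & host.ports:
            return False
    if ws.os:
        os_name = host.os.lower()
        if not any(part.lower() in os_name for part in split_field(ws.os)):
            return False
    if ws.labels:
        host_labels = set(host.label.split())
        if not set(split_field(ws.labels)) & host_labels:
            return False
    if ws.sessions_only and host.sessions == 0:
        return False
    return True


def apply_workspace(ws: Workspace, hosts: List[Host]) -> List[Host]:
    """Hosts visible in the workspace, capped at the display limit."""
    return [h for h in hosts if matches(ws, h)][:DISPLAY_LIMIT]


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("10.10.10.3", {139, 445}, "Windows Server 2008", "dc corp", sessions=1),
    Host("10.10.20.7", {22, 80}, "Linux 2.6", "web"),
    Host("192.168.95.14", {22}, "Linux 3.2", "corp"),
    Host("172.16.0.9", {3389}, "Windows 7", ""),
]

if __name__ == "__main__":
    ws = Workspace("corp windows", hosts="10.10.0.0/16, 192.168.95.0", os="indows")
    print([h.address for h in apply_workspace(ws, SAMPLE_HOSTS)])
```

Feeding the same filter an exported host list is a quick way to confirm that a workspace definition really excludes the out-of-scope networks before anyone selects all hosts in it and launches something.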

4.3 Importing Hosts

To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:
  • Acunetix XML
  • Amap Log
  • Amap Log -m
  • Appscan XML
  • Burp Session XML
  • Foundstone XML
  • IP360 ASPL
  • IP360 XML v3
  • Microsoft Baseline Security Analyzer
  • Nessus NBE
  • Nessus XML (v1 and v2)
  • NetSparker XML
  • NeXpose Simple XML
  • NeXpose XML Report
  • Nmap XML
  • OpenVAS Report
  • Qualys Asset XML
  • Qualys Scan XML
  • Retina XML
You may manually add hosts with Hosts -> Add Hosts...

4.4 Nmap Scans

You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Hosts -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.

4.5 MSF Scans

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scans to launch these as well.
These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.

4.6 DNS Enumeration

Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating.
If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.

4.7 Database Maintenance

Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.

5. Exploitation

5.1 Remote Exploits

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
The Attack menu limits itself to exploits that meet a minimum exploit rank of great. Some useful exploits are ranked good and they won't show in the attack menu. You can launch these using the module browser.
Use Armitage -> Set Exploit Rank to change the minimum exploit rank.
Optionally, if you'd like to see hosts that are vulnerable to a certain exploit, browse to the exploit in the module browser. Right-click the module. Select Relevant Targets. Armitage will create a dynamic workspace that shows hosts that match the highlighted exploit. Highlight all of the hosts and double-click the exploit module to attack all of them at once.

5.2 Which exploit?

Learning which exploits to use and when comes with experience. Some exploits in Metasploit implement a check function. These check functions connect to a host and check if the exploit applies. Armitage can use these check functions to help you choose the right exploit when there are many options. For example, targets listening on port 80 will show several web application exploits after you use Find Attacks. Click the Check exploits... menu to run the check command against each of these. Once all the checks are complete, press Ctrl F and search for vulnerable. This will lead you to the right exploit.
Checking for vulnerabilities
Clicking a host and selecting Services is another way to find an exploit. If you have Nmap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host.

5.3 Launching Exploits

Armitage uses this dialog to launch exploits:
Launch a Metasploit exploit from Armitage
The exploit launch dialog lets you configure options for a module and choose whether to use a reverse connect payload.
Armitage presents options in a table. Double click the value to edit it. If an option requires a filename, double click the option to open up a file chooser dialog. You may also check Show advanced options to view and set advanced options.
If you see SOMETHING ✚ in a table, this means you can double-click that item to launch a dialog to help you configure its value. This convention applies to the module launcher and preferences dialogs.
Some penetration testers organize their targets into text files to make them easier to track. Armitage can make use of these files too. Double-click RHOST ✚ and select your targets file. The file must contain one IP address per line. This is an easy way to launch an attack or action against all of those hosts.
For remote exploits, Armitage chooses your payload for you. Generally, Armitage will use Meterpreter for Windows targets and a command shell payload for UNIX targets.
Click Launch to run the exploit. If the exploit is successful, Armitage will make the host red and surround it with lightning bolts. Metasploit will also print a message to any open consoles.

5.4 Automatic Exploitation

If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.

5.5 Client-side Exploits

Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack.
Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.

5.6 Client-side Exploits and Payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults for you.
In a penetration test, it's usually easy to get someone to run your evil package. The hard part is to get past network devices that limit outgoing traffic. For these situations, it helps to know about meterpreter's payload communication options. There are payloads that speak HTTP, HTTPS, and even communicate to IPv6 hosts. These payloads give you options in a tough egress situation.
To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Configure Metasploit Payload
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.

5.7 Payload Handlers

A payload handler is a server that runs in Metasploit. Its job is to wait for a payload to connect to your Metasploit and establish a session.
To quickly start a payload handler, navigate to Armitage -> Listeners. A bind listener attempts to connect to a payload listening for a connection. A reverse listener waits for the payload to connect back to you.
You may set up shell listeners to receive connections from netcat.
Go to View -> Jobs to see which handlers are running.

5.8 Generate a Payload

Exploits are great, but don't ignore the simple stuff. If you can get a target to run a program, then all you need is an executable. Armitage can generate an executable from any of Metasploit's payloads. Choose a payload in the module browser, double click it, select the type of output, and set your options. Once you click launch, a save dialog will ask you where to save the file to.
Generate a Metasploit Payload
To create a Windows trojan binary, set the output type to exe. Set the Template option to a Windows executable. Set KeepTemplateWorking if you'd like the template executable to continue to work as normal. Make sure you test the resulting binary. Some template executables will not yield a working executable.
Remember, if you have a payload, it needs a handler. Use the multi/handler output type to create a handler that waits for the payload to connect. This option offers more flexibility and payload options than the Armitage -> Listeners menu.
If you plan to start a handler and then generate a payload, here's a tip that will save you some time. First, configure a multi/handler as described. Hold down Shift when you click Launch. This will tell Armitage to keep the module launch dialog open. Once your handler is started, change the output type to the desired value, and click Launch again. This will generate the payload with the same values used to create the multi/handler.

6. Post Exploitation

6.1 Managing Sessions

Armitage makes it easy to manage the meterpreter agent once you successfully exploit a host. Hosts running a meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
Meterpreter Post Exploitation Options
If you have shell access to a host, you will see a Shell N menu for each shell session. Right click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter... to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
You may also press Ctrl+I to select a session to interact with.

6.2 Privilege Escalation

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser.
Try the getsystem post module against Windows XP/2003 era hosts.

6.3 Token Stealing

Another privilege escalation option is token stealing. When a user logs onto a Windows host, a token is generated and acts like a temporary cookie to save the user the trouble of retyping their password when they try to access different resources. Tokens persist until a reboot. You may steal these tokens to assume the rights of that user.
To see which tokens are available to you, go to Meterpreter N -> Access -> Steal Token. Armitage will present a list of tokens to you. Click Steal Token to steal one.
If you want to revert to your original token, press Revert to Self. The Get UID button shows your current user id.

6.4 Session Passing

Once you exploit a host, duplicating your access should be a first priority. Meterpreter N -> Access -> Pass Session will inject meterpreter into memory and execute it for you. By default this option is configured to call back to Armitage's default Meterpreter listener. Just click Launch.
You may also use Pass Session to send meterpreter to a friend. Set LPORT and LHOST to the values of their Meterpreter multi/handler.
If your friend uses Armitage, have them type set in a Console tab and report the LHOST and LPORT values to you. These are the values for their default Meterpreter listener.

6.5 File Browser

Meterpreter gives you several options for exploring a host once you've exploited it. One of them is the file browser. This tool will let you upload, download, and delete files. Visit Meterpreter N -> Explore -> Browse Files to access the File Browser.
Right-click a file to download or delete it. If you want to delete a directory, make sure it's empty first.
You may download entire folders or individual files. Go to View -> Downloads to access your downloaded files.
If you have system privileges, you may modify the file timestamps using the File Browser. Right-click a file or directory and go to the Timestomp menu. This feature works like a clipboard. Use Get MACE Values to capture the timestamps of the current file. Right-click another file and use Set MACE Values to update the timestamps of that file.

6.6 Command Shell

You can reach a command shell for a host through Meterpreter N -> Interact -> Command Shell. The Meterpreter shell is also available under the same parent menu.
Navigating to the Meterpreter N menu for each action gets old fast. Right-click inside the Meterpreter shell window to see the Meterpreter N menu items right away.
Close the command shell tab to kill the process associated with the command shell.

6.7 VNC

To interact with a desktop on a target host, go to Meterpreter N -> Interact -> Desktop (VNC). This will stage a VNC server into the memory of the current process and tunnel the connection through Meterpreter. Armitage will provide you the details to connect a local VNC client to your target.

6.8 Screenshots and Webcam Spying

To grab a screenshot use Meterpreter N -> Explore -> Screenshot. There is a Webcam Shot option in the same location. This option snaps a frame from the user's webcam.
Right-click a screenshot or webcam shot image to change the zoom for the tab. This zoom preference will stay, even if you refresh the image. Click Refresh to update the screenshot or grab another frame from the webcam. Click Watch (10s) to automatically snap a picture every ten seconds.

6.9 Process Management and Key Logging

Go to Meterpreter N -> Explore -> Show Processes to see a list of processes on your victim. Use Kill to kill the highlighted processes.
Meterpreter runs in memory. It's possible to move Meterpreter from one process to another. This is called migration. Highlight a process and click Migrate to migrate to another process. Your session will have the permissions of that process.
While in a process, it's also possible to see keystrokes from the vantage point of that process. Highlight a process and click Log Keystrokes to launch a module that migrates meterpreter and starts capturing keystrokes. If you key log from explorer.exe you will see all of the keys the user types on their desktop.
If you choose to migrate a process for the purpose of key logging, you should duplicate your session first. If the process Meterpreter lives in closes, your session will go away.

6.10 Post-exploitation Modules

Metasploit has several post-exploitation modules too. Navigate the post branch in the module browser. Double-click a module and Armitage will show a launch dialog. Armitage will populate the module's SESSION variable if a compromised host is highlighted. Each post-exploitation module will execute in its own tab and present its output to you there.
To find out which post-modules apply for a session: right-click a compromised host and navigate to Meterpreter N -> Explore -> Post Modules or Shell N -> Post Modules. Clicking this menu item will show all applicable post-modules in the module browser.
Metasploit saves post-exploitation data into a Loot database. To view this data go to View -> Loot.
You may highlight multiple hosts and Armitage will attempt to run the selected post module against all of them. Armitage will open a new tab for the post module output of each session. This may lead to a lot of tabs. Hold down shift and click X on one of the tabs to close all tabs with the same name.

7. Maneuver

7.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup.... A dialog will ask you to choose which subnet you want to pivot through the session.
Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
To use a pivot host for a reverse connection, set the LHOST option in the exploit launch dialog to the IP address of the pivot host.

7.2 Scanning and External Tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must originate from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up.
External tools (e.g., Nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy... to launch the SOCKS proxy server.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local. You may also configure proxychains on Linux to use almost any program through a proxy pivot.

7.3 Password Hashes

To collect Windows password hashes, visit Meterpreter N -> Access -> Dump Hashes. You need administrative privileges to do this.
There are two hash dumping options. One is the lsass method and the other is the registry method. The lsass method attempts to grab the password hashes from memory. This option works well against Windows XP/2003 era hosts. The registry method works well against modern Windows systems.
You may view collected hashes through View -> Credentials. For your cracking pleasure, the Export button in this tab will export credentials in pwdump format. You may also use the Crack Passwords button to run John the Ripper against the hashes in the credentials database.

7.4 Pass-the-Hash

When you log in to a Windows host, your password is hashed and compared to the stored hash of your password. If they match, you're in. When you then access a resource on another host in the same Windows domain, the stored hash is what is used to answer that host's NTLM challenge; the cleartext password is never needed. With access to these hashes you can therefore authenticate to other hosts without cracking them. This is called a pass-the-hash attack.
Use Login -> psexec to attempt a pass-the-hash attack against another Windows host. Click Check all Credentials to have Armitage try all hashes and credentials against the host.
The pass-the-hash attack uploads a file and creates a service that runs it immediately. Only administrator accounts can do this. The hash you pass must also be valid on the target: either a domain account, in which case the target must be a member of that Active Directory domain, or a local account whose hash matches on the target, for example the same local administrator password reused across hosts.

7.5 Using Credentials

Armitage will create a Login menu on each host with known services. Right-click a host and navigate to Login -> service. This will open a dialog where you may choose a username and password from the credentials known to Metasploit.
Some services (e.g., telnet and ssh) will give you a session when a login succeeds. Others will not.
Check the Try all credentials option and Metasploit will login to the service with each of the known credentials. Metasploit automatically adds each successful login to the credentials table for you.
The best way into a network is through valid credentials. Remember that a successful username/password combination from one service may give you access to another host that you couldn't exploit.

7.6 Password Brute Force

Metasploit can attempt to guess a username and password for a service for you. This capability is easy to use through the module browser.
Metasploit supports brute forcing through the auxiliary modules named service_login. Type login in the module browser to search for them.
To brute force a username and password over SSH, browse to auxiliary/scanner/ssh/ssh_login in the modules panel and double click it.
If you know the username, set the USERNAME variable. If you'd like Metasploit to brute force the username, select a value for USER_FILE. Double click the USER_FILE variable to bring up a file chooser where you can select a text file containing a list of usernames.
Metasploit has many files related to brute forcing in the [metasploit install]/data/wordlists directory.
Set the PASS_FILE variable to a text file containing a list of passwords to try.
If you're only brute forcing one host and you have a lot of usernames/passwords to try, I recommend using an external tool like Hydra. Metasploit does not make several parallel connections to a single host to speed up the process. This lesson can be taken one step further--use the right tool for each job.

8. Team Metasploit

8.1 Remote Connections

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's team server adds these features and makes it possible for Armitage clients to use Metasploit remotely.
Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's team server.

8.2 Multi-Player Metasploit Setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's team server with one command. To run it:
cd /path/to/armitage
./teamserver [external IP address] [password]

Note: On Kali Linux, Armitage is installed in /usr/share/armitage
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it.
Metasploit's RPC daemon and the Armitage team server are not GUI programs. You may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will print a server fingerprint: the SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage shows them the hash of the certificate the server presented to them. They should verify that this hash matches the one printed on the server, using a channel other than the connection itself (phone, chat, in person). The certificate is self-signed, so the fingerprint is the only thing that distinguishes your team server from one an attacker has put in the path.
Do not connect to 127.0.0.1 when a team server is running. Armitage uses the IP address you're connecting to in order to decide whether it should use SSL (team server, remote address) or plain msfrpcd (localhost). To connect Armitage to your team server from the same machine, use the [external IP address] in the Host field.
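A client-side way to obtain the fingerprint for that comparison, added here as an example (it is not part of Armitage or of this manual): the Python script below connects to the team server port without trusting anything, takes the certificate the server presents, and prints its SHA-1 in the usual colon-separated form so it can be read to the operator over the phone or chat; a second helper compares two fingerprints regardless of case and separators. It assumes the value the team server prints is the SHA-1 of the DER-encoded certificate; the host name is a placeholder, and the PEM used for offline testing is a constructed stand-in rather than a real certificate.

```python
import hashlib
import re
import socket
import ssl


def fingerprint_from_der(der_bytes):
    """SHA-1 over the DER-encoded certificate, printed as colon-separated
    uppercase hex pairs (the form openssl and most GUIs display)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text):
    """Same, for a certificate in PEM form (e.g. one a teammate pasted)."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_text))


def normalize(fp):
    """Drop separators and case so values copied from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(shown, expected):
    """True only if both are full 40-hex-digit SHA-1 values and they are equal."""
    a, b = normalize(shown), normalize(expected)
    return len(a) == 40 and a == b


def fetch_fingerprint(host, port=55553, timeout=5.0):
    """Connect to the team server port and return the fingerprint of whatever
    certificate it presents. Verification is deliberately disabled here: the
    point is to *obtain* the certificate for out-of-band comparison, not to
    trust it. Assumption: the team server prints SHA-1 over the DER certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_from_der(der)


# Constructed stand-in so the helpers can be exercised offline. It is NOT a
# real certificate: PEM_cert_to_DER_cert only base64-decodes the PEM body.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in, not a real certificate")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "teamserver.example"  # placeholder
    fp = fetch_fingerprint(host)
    print("server presented:", fp)
    if len(sys.argv) > 2:
        print("matches expected:", fingerprints_match(fp, sys.argv[2]))
```

Run it as `python fingerprint.py <team server IP> <fingerprint read out by the operator>`; a mismatch means the certificate you are being shown is not the one the team server generated, and you should not enter the password.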
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.

8.3 Multi-Player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here:
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test this event log will help you reconstruct major events.
Metasploit Team Support in Armitage
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.
Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has a ✚ next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Penetration testers will find this feature invaluable. Imagine you're working on a pen test and come across a system you don't know much about. You can reach back to your company and ask your local expert to load Armitage and connect to the same Metasploit instance. They will immediately have access to your scan data and they can interact with your existing sessions... seamlessly.

Or, imagine that you're simulating a phishing attack and you get access to a host. Your whole team can now work on the same host. One person can search for data, another can set up a pivot and search for internal hosts to attack, and another can work on persistence. The sky is the limit here.
Some meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running meterpreter scripts.

9. Scripting Armitage

9.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others.
Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
Read the Cortana Tutorial to learn more about how to develop bots and extend Armitage.
Cortana Architecture

9.2 Stand-alone Bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready { println("Hello World!"); quit(); }
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server.
Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna

9.3 Script Management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own.
You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts.
Output generated by bots and Cortana commands are available in the Cortana console. Go to View -> Script Console.

9.4 Resources

Cortana is a full featured environment for developing red team bots and extending Armitage. If you'd like to learn more, take a look at the following resources:

This document is licensed under a Creative Commons Attribution 3.0 Unported License.

Sunday, January 26, 2014

Windows shortcut commands

taskmgr        Task Manager
diskmgmt.msc   Disk Management
services.msc   Services
eventvwr.msc   Event Viewer
secpol.msc     Local Security Policy
tscc.msc       Terminal Services Configuration
msinfo32       System Information

Linux sendmail

1. Check whether sendmail is present on the server (if not, start at step 2; if it is already installed, start at step 3)
rpm -qa | grep sendmail

2. Install sendmail and sendmail-cf with yum
yum -y install sendmail sendmail-cf

3. Start sendmail
service sendmail start

Installation done. Now the configuration.

cd /etc/mail
mv ./sendmail.cf sendmail.cf_old
cp ./sendmail.mc sendmail.mc_old

4. Edit sendmail.mc
Edit lines 52 and 53 (remove the leading dnl, which is how m4 comments a line out, so that SMTP AUTH is enabled):

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

LOGIN and PLAIN transmit the password itself. Only offer them over an encrypted connection: define(`confAUTH_OPTIONS', `A p')dnl makes sendmail refuse those mechanisms unless STARTTLS is active.

Edit line 116
Change 127.0.0.1 to 0.0.0.0 so the listener is open on all interfaces
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
(after the edit)
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

Only do this if the host must receive mail from the network; sending mail out does not require an open listener. Once port 25 is reachable, check that the server relays only for the networks you intend (/etc/mail/access, relay-domains) and never enable promiscuous_relay.

5. Generate sendmail.cf with m4
m4 sendmail.mc > sendmail.cf

Confirm it was generated:
-rw-r--r-- 1 root root 58697 Dec 26 16:30 sendmail.cf
-rw-r--r-- 1 root root 58691 Nov 27 09:29 sendmail.cf.bak
-rw-r--r-- 1 root root 58439 Nov 12 2010 sendmail.cf_old
-rw-r--r-- 1 root root 58691 Nov 27 09:43 sendmail.cf.rpmsave
-rw-r--r-- 1 root root 7192 Dec 26 16:19 sendmail.mc
-rw-r--r-- 1 root root 7202 Nov 28 08:38 sendmail.mc_old
-rw-r--r-- 1 root root 7192 Nov 27 09:41 sendmail.mc.rpmsave

6. Edit sendmail.cf
Line 95 (only needed if you have a domain; otherwise it can be left alone)
# my official domain name
# ... define this only if sendmail cannot automatically determine your domain
#DjYour domain name

7. Line 445: for security, remove the version fields from the greeting as shown
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
(after the edit)
O SmtpGreetingMessage=$j Sendmail; $b

Anything edited directly in sendmail.cf is lost the next time it is regenerated from sendmail.mc (step 5). The same two settings can be made in sendmail.mc instead, where they survive regeneration: define(`confDOMAIN_NAME', `your.domain')dnl and define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl.

8. Add the domain to /etc/mail/local-host-names
*The hostname and the entry in local-host-names must be the same domain!
9. Restart the service
service sendmail restart
10. Send a test mail
# telnet localhost 25   // check that port 25 is open in the firewall; if it is blocked, mail cannot be delivered
mail from:              // sender address
rcpt to:                // recipient address
data
hi. sendmail!!          // message body
.                       // end of input; must be entered after the body

quit                    // exit

Go to the recipient's mailbox and confirm that the mail arrived.

Done.
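An added example, not part of the original page, that audits the security-relevant settings this procedure touches before you run m4: the Python script below reads a sendmail.mc, ignores lines commented out with dnl, and flags a listener bound to all interfaces, AUTH mechanisms that send the password in clear without the confAUTH_OPTIONS `p` flag, a greeting that still reveals the version, and accept_unresolvable_domains. The harden_mc function applies the AUTH-options and greeting fixes in the .mc itself, so they survive regeneration, which an edit made directly to sendmail.cf does not. The sample .mc is constructed to mirror the edits above and is not a real host's file.

```python
import re

# Constructed sample of /etc/mail/sendmail.mc after the edits in the steps
# above (AUTH lines uncommented, listener opened to 0.0.0.0). Not a real file.
SAMPLE_MC = """\
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
MAILER(smtp)dnl
"""

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def active_lines(mc_text):
    """Lines m4 will actually process: a line starting with 'dnl' is discarded,
    which is how sendmail.mc comments a setting out."""
    return [ln.strip() for ln in mc_text.splitlines()
            if ln.strip() and not ln.strip().startswith("dnl")]


def audit_sendmail_mc(mc_text):
    """Return (severity, message) findings for the settings this page changes."""
    text = "\n".join(active_lines(mc_text))
    findings = []

    # 1. Listener exposure: Addr=0.0.0.0 (or no Addr= at all) binds every interface.
    for m in re.finditer(r"DAEMON_OPTIONS\(`([^']*)'\)", text):
        opts = dict(kv.strip().split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        if opts.get("Addr", "0.0.0.0") == "0.0.0.0":
            findings.append(("warn", "listener %s bound to all interfaces; firewall port %s and "
                             "restrict relaying (access_db / relay-domains)"
                             % (opts.get("Name", "?"), opts.get("Port", "smtp"))))

    # 2. AUTH mechanisms that transmit the password itself, without the 'p' flag
    #    that limits them to encrypted sessions.
    mechs = set()
    for m in re.finditer(r"confAUTH_MECHANISMS',\s*`([^']*)'", text):
        mechs.update(m.group(1).split())
    m = re.search(r"confAUTH_OPTIONS',\s*`([^']*)'", text)
    flags = m.group(1).replace(" ", "") if m else ""
    clear = sorted(mechs & CLEARTEXT_MECHS)
    if clear and "p" not in flags:
        findings.append(("high", "%s offered without confAUTH_OPTIONS flag p; credentials "
                         "can be sniffed unless STARTTLS is active" % ", ".join(clear)))

    # 3. Banner: the default greeting includes $v/$Z, the sendmail version.
    m = re.search(r"confSMTP_LOGIN_MSG',\s*`([^']*)'", text)
    if m is None or "$v" in m.group(1) or "$Z" in m.group(1):
        findings.append(("low", "SMTP greeting reveals the sendmail version; "
                         "set confSMTP_LOGIN_MSG in sendmail.mc"))

    # 4. Sender-domain check disabled.
    if "FEATURE(`accept_unresolvable_domains')" in text:
        findings.append(("low", "accept_unresolvable_domains accepts senders from bogus domains"))
    return findings


def harden_mc(mc_text):
    """Apply the AUTH-options and greeting fixes *in the .mc*, so re-running
    'm4 sendmail.mc > sendmail.cf' keeps them. Hand edits to sendmail.cf are lost."""
    out, inserted = [], "confSMTP_LOGIN_MSG" in mc_text
    for raw in mc_text.splitlines():
        line = raw.strip()
        if line.startswith("dnl define(`confAUTH_OPTIONS'"):
            raw = line[len("dnl "):]            # re-enable the commented-out line
        if line.startswith("MAILER(") and not inserted:
            out.append("define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl")
            inserted = True
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, msg in audit_sendmail_mc(SAMPLE_MC):
        print(sev.upper(), msg)
```

The 0.0.0.0 listener is reported as a warning rather than an error because it is the page's stated intent; the audit only reminds you that the listener now needs relay restrictions and a firewall rule.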

Linux network configuration files and commands

■ Network interface (NIC, Ethernet) configuration file

# cat /etc/sysconfig/network-scripts/ifcfg-eth0

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth1
BOOTPROTO=static
IPADDR=172.16.8.25
NETMASK=255.255.0.0
ONBOOT=yes
HOSTNAME=localhost.localdomain
HWADDR=00:0c:29:a4:5b:88

(The file name and the DEVICE= line should agree: ifcfg-eth0 is expected to contain DEVICE=eth0. The listing above came from an eth1 file.)

■ DNS configuration file (sets the DNS servers)

# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search localdomain
nameserver 192.168.10.22

A primary and a secondary name server can be listed. Note the first line: this file was written by the DHCP client and will be overwritten at the next lease renewal; to keep manual entries on a DHCP-configured interface, set PEERDNS=no in that interface's ifcfg file.

Text-mode network configuration tool
system-config-network-tui

■ /etc/sysconfig/network (sets the hostname and the default gateway)
# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=babo          # server name
GATEWAY=192.168.10.22

IP alias (putting several IP addresses on one physical network card)
[root@ajunews ~]# cd /etc/sysconfig/network-scripts

1. Copy the physical interface's configuration file
[root@ajunews network-scripts]# cp ifcfg-eth1 ifcfg-eth5

2. Edit the copy
[root@ajunews network-scripts]# vi ifcfg-eth5

DEVICE=eth1:1      <- :1, :2, ... one suffix per alias
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.16.50.252
NETMASK=255.255.0.0
HWADDR=00:0c:29:5f:b5:b4

(Name the file after the alias, ifcfg-eth1:1, so that ifup eth1:1 finds it; the HWADDR line is not needed on an alias, which shares the parent interface's MAC.)

[root@ajunews network-scripts]# service network restart
[root@ajunews network-scripts]# ping -c 4 172.16.50.252

PING 172.16.50.252 (172.16.50.252) 56(84) bytes of data.
64 bytes from 172.16.50.252: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 172.16.50.252: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 172.16.50.252: icmp_seq=3 ttl=64 time=0.036 ms
64 bytes from 172.16.50.252: icmp_seq=4 ttl=64 time=0.032 ms

Aliases are generally used for internal monitoring rather than for externally facing production services.


ifconfig    /* check the state of the network interfaces */
eth0 Link encap:Ethernet HWaddr 00:0C:29:A4:5B:88
inet addr:192.168.10.138 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea4:5b88/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7470 errors:0 dropped:0 overruns:0 frame:0
TX packets:4789 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:921505 (899.9 KiB) TX bytes:698706 (682.3 KiB)
Interrupt:75 Base address:0x2000
① MAC address: 00:0C:29:A4:5B:88
② Address assigned to eth0: 192.168.10.138
③ Broadcast address: 192.168.10.255
④ Subnet mask: 255.255.255.0
⑤ MTU (Maximum Transfer Unit): the largest frame the interface will send
⑥ RX packets: packets received since boot
⑦ TX packets: packets sent since boot
⑧ Collisions: whether any collisions have occurred
⑨ Interrupt: IRQ 75 is in use
⑩ Status: currently UP

Network bonding (NIC redundancy)
Bonding logically combines several NICs into one. It is also called network redundancy; depending on the mode it can also aggregate the NICs' bandwidth.
- With redundancy, a failure of one NIC does not interrupt service
- The bandwidth of all NICs can be used (in the load-balancing modes; mode 1, active-backup, uses one NIC at a time)
[Note] Using NICs of the same model for the bond is safer.

<Configuration>
[Requirement] Bonding driver support must be enabled under Network device support in the kernel configuration.
① # /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=(actual host name)
GATEWAY=(gateway IP)
GATEWAYDEV=bond0
② Set up the virtual interface that will carry the address (ifcfg-bond0)
# vi /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
ONBOOT=yes
BOOTPROTO=static
IPADDR=(server IP)
NETMASK=(server netmask)
NETWORK=(server network address)
③ The new network card (eth1), enslaved to the bond
# /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
[Note] USERCTL=no
Whether non-root users may bring the interface down
④ /etc/modprobe.conf
alias bond0 bonding
alias eth0 3c59x
alias eth1 3c59x
options bonding max_bonds=2
[Note] /etc/modprobe.conf entries
alias bond0 bonding : declares bond0 as an instance of the bonding module
options bonding mode=1 : use bonding mode 1
options bonding miimon=100 : link-state check interval in milliseconds (100 ms, i.e. ten checks per second)
(Options for one module go on a single line: options bonding mode=1 miimon=100.)
[Note] Bonding modes and their characteristics
0 : balance-rr : round-robin distribution across the NICs + fault tolerance
1 : active-backup : when the active NIC fails, the standby NIC takes over (fault tolerance only)
2 : balance-xor : like mode 0, but the NIC is chosen by an XOR of source and destination MAC + fault tolerance
3 : broadcast : transmits everything on all NICs + fault tolerance
4 : 802.3ad : link aggregation; requires an aggregation group configured on the switch
⑤ Load the bonding module with modprobe
# modprobe bonding
⑥ Confirm with lsmod
# lsmod | grep bonding
⑦ Restart networking
# service network restart
⑧ Verify the configuration in /proc/net/bonding/bond0
- Bonding Driver Version
- Bonding Mode
- Slave Interface and other details are shown there.
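An added example, not from the page, that checks the file conventions the IP alias section and the bonding section above both rely on: the Python script below parses ifcfg-* files and /etc/sysconfig/network and reports a file whose name does not match its DEVICE (the alias example copies ifcfg-eth1 to ifcfg-eth5 while setting DEVICE=eth1:1), an alias without a parent, a slave that points at a bond with no file or that carries its own address, a bond with no slaves or no BONDING_OPTS, and a GATEWAYDEV that names an unknown device. The sample tree is constructed for the example and deliberately contains those mistakes.

```python
# Constructed sample of /etc/sysconfig/network-scripts (not from a real host):
# a physical NIC, the alias file from the example above (name/DEVICE mismatch),
# a bond with one correct slave and one slave that is mis-configured.
SAMPLE_TREE = {
    "ifcfg-eth1": "DEVICE=eth1\nBOOTPROTO=static\nIPADDR=172.16.8.25\n"
                  "NETMASK=255.255.0.0\nONBOOT=yes\nHWADDR=00:0c:29:a4:5b:88\n",
    "ifcfg-eth5": "DEVICE=eth1:1\nBOOTPROTO=static\nONBOOT=yes\n"
                  "IPADDR=172.16.50.252\nNETMASK=255.255.0.0\nHWADDR=00:0c:29:5f:b5:b4\n",
    "ifcfg-bond0": "DEVICE=bond0\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=10.0.0.5\n"
                   "NETMASK=255.255.255.0\nBONDING_OPTS=\"mode=1 miimon=100\"\n",
    "ifcfg-eth2": "DEVICE=eth2\nONBOOT=yes\nUSERCTL=no\nMASTER=bond0\nSLAVE=yes\nBOOTPROTO=none\n",
    "ifcfg-eth3": "DEVICE=eth3\nONBOOT=yes\nMASTER=bond1\nSLAVE=yes\nBOOTPROTO=static\nIPADDR=10.0.0.6\n",
}
SAMPLE_NETWORK = "NETWORKING=yes\nHOSTNAME=babo\nGATEWAY=192.168.10.22\nGATEWAYDEV=bond0\n"


def parse_ifcfg(text):
    """Parse the KEY=value shell syntax of an ifcfg-* file (quotes and # comments allowed)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip().strip('"').strip("'")
    return cfg


def check_network_scripts(tree, network_text=None):
    """Return a list of 'file: problem' strings for a dict of file name -> contents."""
    cfgs = {name: parse_ifcfg(body) for name, body in tree.items()}
    devices = {c["DEVICE"] for c in cfgs.values() if "DEVICE" in c}
    problems = []
    for name, c in cfgs.items():
        dev = c.get("DEVICE")
        if dev is None:
            problems.append("%s: no DEVICE= line" % name)
            continue
        # ifup/ifdown <dev> look for ifcfg-<dev>, so the file name must match DEVICE.
        if name != "ifcfg-" + dev:
            problems.append("%s: DEVICE=%s but the file should be named ifcfg-%s" % (name, dev, dev))
        if ":" in dev:                                   # IP alias such as eth1:1
            parent = dev.split(":", 1)[0]
            if parent not in devices:
                problems.append("%s: alias parent %s has no ifcfg file" % (name, parent))
            if "HWADDR" in c:
                problems.append("%s: HWADDR is redundant on an alias; it shares %s's MAC" % (name, parent))
        if c.get("SLAVE", "").lower() == "yes":          # bonding slave
            master = c.get("MASTER")
            if master not in devices:
                problems.append("%s: MASTER=%s has no ifcfg file" % (name, master))
            if c.get("BOOTPROTO", "").lower() != "none" or "IPADDR" in c:
                problems.append("%s: a slave needs BOOTPROTO=none and no IPADDR; the bond carries the address" % name)
            if c.get("USERCTL", "no").lower() != "no":
                problems.append("%s: USERCTL should be no on a slave" % name)
        if dev.startswith("bond"):                       # bonding master
            slaves = [n for n, s in cfgs.items()
                      if s.get("MASTER") == dev and s.get("SLAVE", "").lower() == "yes"]
            if not slaves:
                problems.append("%s: bond has no slaves" % name)
            if "BONDING_OPTS" not in c:
                problems.append("%s: no BONDING_OPTS; mode/miimon must then come from modprobe.conf" % name)
    if network_text is not None:
        gwdev = parse_ifcfg(network_text).get("GATEWAYDEV")
        if gwdev and gwdev not in devices:
            problems.append("/etc/sysconfig/network: GATEWAYDEV=%s is not a configured device" % gwdev)
    return problems


if __name__ == "__main__":
    for p in check_network_scripts(SAMPLE_TREE, SAMPLE_NETWORK):
        print(p)
```

To run it against a live host, build the dict from `glob('/etc/sysconfig/network-scripts/ifcfg-*')` and read /etc/sysconfig/network; the checks are the ones that tend to fail silently, since `service network restart` will happily bring up a mis-named alias or an addressed slave.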

50 security tools and their sites

In May/June 2000 we surveyed the 1,200 Nmap users on the nmap-hackers mailing list to find out which security tools they like. Each respondent could name up to five tools.
I present the top 50 tools from the resulting list here so that everyone can benefit from it.
I think anyone in the security field should go through the list and look into any tools they are not familiar with.
I also plan to point beginners who write to me asking where to start at this page.
Respondents were allowed to name open source or commercial tools on any platform.
Commercial tools are marked as such in the list below.
Note that the list will change from time to time, as new tools are created and some fade away as the security field advances.
Also note that many of the descriptions below are taken from the Debian package descriptions, the Freshmeat descriptions, or the tool's own homepage.
The list follows, ordered from most to least popular.



☛ Nessus http://www.nessus.org
Description: A remote network security auditor. The Nessus Security Scanner is a security auditing tool.
It lets you test security modules to find vulnerabilities that should be fixed. It consists of two parts, a server and a client.
The server/daemon, nessusd, performs the attacks, while the client, nessus, handles the user through a nice X11/GTK+ interface.
This package also includes a GTK+ 1.2 client, which also exists in other forms and on other platforms.

☛ Netcat http://www.l0pht.com/~weld/netcat/
Note: this is not the official site.
Description: The TCP/IP "swiss army knife". A simple Unix utility that reads and writes data across network connections using the TCP or UDP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

☛ Tcpdump http://www.tcpdump.org
Description: An excellent tool for network monitoring and data acquisition.
This program lets you dump the traffic on a network.
It prints the headers of packets on a network interface that match a given expression. You can use it to track down network problems, detect ping attacks, or monitor network activity.

☛ Snort http://www.snort.org
Description: A flexible packet sniffer/logger that detects attacks.
Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system.
It features rules-based logging and can perform content searching/matching in addition to detecting a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, and much more.
Snort has real-time alerting capability, with alerts being sent to syslog, to a separate alert file, or even to a Windows computer via Samba.

☛ Saint http://www.wwdsi.com/saint/
Description: SAINT (Security Administrator's Integrated Network Tool) is
a security assessment tool based on SATAN. Features include scanning through a firewall,
updated security checks from CERT and CIAC bulletins, four levels of severity (red, yellow, brown, and green), and
a feature-rich HTML interface.

☛ Ethereal http://www.ethereal.zing.org/
Description: Ethereal is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems.

☛ Whisker http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
Description: Rain Forest Puppy's excellent CGI vulnerability scanner.

☛ Internet Security Scanner http://www.iss.net
Note: This tool is very expensive and the source code is not provided.
Description: A well-known commercial network security scanner.

☛ Abacus Portsentry http://www.psionic.com/abacus/portentry/
Description: The leading portscan detection daemon. PortSentry can detect portscans (including stealth scans) on the network interfaces of your machine. It is part of the Abacus program suite.
Note: If you do not know what a port scan or stealth scan is, read
http://www.psionic.com/abacus/portsentry/ before installing this package.
Otherwise you may easily end up blocking hosts you depend on (your own NFS server, name server and the like).

☛ DSniff http://naughty.monkey.org/~dugsong/dsniff/
Description: A powerful toolkit for sniffing passwords and other information from a network.
It includes sophisticated techniques for defeating the network administrator's defenses.

☛ Tripwire http://www.tripwire.com/
Note: Depending on how it is used, the license cost of this tool may be quite high.
Description: A file and directory integrity checker.
Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g. daily) basis,
Tripwire can notify system administrators of corrupted or tampered files, so that damage control measures can be taken in a timely manner.

☛ Cybercop Scanner http://www.pgp.com/asp_set/products/tns/ccscanner_intro.asp
Note: This tool is very expensive and the source code is not provided.
A powerful demo version is available for testing. Description: Another well-known commercial scanner.

☛ Hping2 http://www.kyuzz.org/antirez/hping/
Description: Hping2 is a network tool that lets you send custom ICMP/UDP/TCP packets and
displays the target's replies the way ping displays ICMP replies. It handles custom and arbitrary packet sizes, and can be used to transfer files under the supported protocols.
With it you can test firewall rules and perform spoofed port scanning.
It also does path MTU discovery, file transfer (even through very strict firewalls),
traceroute-like probing under different protocols, remote OS fingerprinting,
and TCP/IP stack auditing. Hping2 is a very useful tool for learning TCP/IP.

☛ SARA http://www-arc.com/sara/
Description: SARA (Security Auditor's Research Assistant) is
a third-generation security analysis tool, based on the SATAN model and released under an open license such as the GNU GPL. It supports a cooperative environment and is updated regularly to address the latest threats.

☛ Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Description: A packet sniffer and monitoring tool. Sniffit is a packet sniffer for TCP/UDP/ICMP packets.
It gives you very detailed technical information on these packets (SEQ, ACK, TTL, Window, ...) and also shows packet contents in different formats (hex, plain text, etc.).

☛ SATAN http://www.fish.com/satan/
Description: A security auditing tool for analyzing networks.
It was written for system administrators who cannot keep up with bugtraq, rootshell and the like, and is a great help in analyzing a network's vulnerabilities.

☛ IPFilter http://coombs.anu.edu.au/ipfilter/
Description: A TCP/IP packet filter suitable for use in a firewall environment.
It can be used as a loadable kernel module or incorporated into your Unix kernel; use it as a loadable kernel module where possible. Scripts are provided to install and patch system files as required.

☛ iptables/netfilter/ipchains/ipfwadm http://netfilter.kernelnotes.org/
Description: IP packet filter administration for 2.4.x kernels. It is used to set up and inspect the tables of IP packet filter rules in the Linux kernel.
It also supports dynamic and static network address translation.

☛ Firewalk http://www.packetfactory.net/Projects/Firewalk/
Description: Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses in order to determine gateway ACL filters and map networks. The tool Firewalk employs this technique to determine the filter rules in place on a packet forwarding device.
The newest version, firewalk/GTK, adds the option of a graphical interface and a few bug fixes.

☛ Strobe http://www.insecure.org/nmap/index.html#other
Description: A fast and elegant TCP port scanner.

☛ L0pht Crack http://www.l0pht.com/l0phtcrack/
Note: No source code is provided (except for research use) and registration costs $100.
Description: A password auditing tool for NT.
It computes NT users' passwords from the cryptographic hashes stored by the NT operating system.
It can obtain the hashes from many sources (files, network sniffing, the registry, etc.) and has several methods of generating password guesses (dictionary, brute force, etc.).

☛ John The Ripper http://www.openwall.com/john/
Description: A powerful password cracker; John's full name is John The Ripper.
It finds users' weak passwords.

☛ Hunt http://www.cri.cz/kra/index.html#HUNT
Description: An advanced packet sniffer and connection intrusion tool. Hunt is a program for intruding into a connection, watching it and resetting it.
It operates on Ethernet and is best used for connections that can be watched through it, but it can also be used on other segments or on hosts behind switched ports.

☛ OpenSSH / SSH http://www.openssh.com/ http://www.ssh.com/commerce/index.html
Note: The ssh.com version costs money, but its source code is available. Description: A secure replacement for rlogin/rsh/rcp. OpenSSH is derived from OpenBSD's version of ssh, which in turn was derived from the ssh code from before the ssh license became commercial. ssh (Secure Shell) is a program for logging into a remote system and executing commands there.
It provides secure encrypted communication between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist and rsync with a secure communication channel.

☛ tcp wrappers ftp://ftp.porcupine.org/pub/security/index.html
Description: Wietse Venema's TCP wrappers, a network logging tool
also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options include access control per host, domain and/or service;
detection of host name spoofing or host address spoofing; and booby traps to implement an early-warning system.

☛ Ntop http://www.ntop.org
Description: Shows network usage in a top-like format. This is the network top program.
It displays a summary of what is happening on the network in the same style as the Unix top utility. It can also run in web mode so that the results can be browsed with a web browser.

☛ traceroute/ping/telnet http://www.linux.com
Description: Utilities that nearly every Unix box already has.
Even Windows NT has them (though there the traceroute command is called tracert).

☛ NAT (NetBIOS Auditing Tool) http://www.tux.org/pub/security/secnet/tools/nat10/
Note: This is not the official download site. Description: NAT (NetBIOS Auditing Tool) is designed to explore the NETBIOS file-sharing services offered by a target system. Posing as a legitimate local client, it uses a stepwise approach to gather information and obtain file-system-level access.

☛ scanlogd http://www.openwall.com/scanlogd/
Description: A port scan detection tool.
It is a daemon written by Solar Designer to detect port scan attacks against your system.

☛ Sam Spade http://samspade.org/t/, http://www.samspade.org/
Description: Online tools developed for investigating IP addresses and tracking down spammers.

☛ NFR http://www.nfr.com
Note: The source code was once available, but I do not know whether it still is.
Some versions cost money. Description: A commercial sniffing application for intrusion detection.

☛ logcheck http://www.psionic.com/abacus/logcheck/
Description: Logcheck mails anomalies in the system log files to the administrator. It is part of the Abacus Project of security tools. The program was created to help process Unix system log files generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Trusted Information Systems Inc. (TIS) Firewall Toolkit. It also automatically finds problems or security violations
in the log files. The program is free for any site to use.
Read the legal notices before using it.

☛ Perl http://www.perl.org
Description: A very powerful scripting language that is often used to write exploits for confirming security vulnerabilities. It is, of course, used for many other purposes too.

☛ Ngrep http://www.packetfactory.net/Projects/ngrep/
Description: grep for network traffic. Ngrep provides most of GNU grep's common features and applies them to the network layer. Ngrep is a pcap-aware tool that lets you specify extended regular expressions to match against the data payloads of packets.
It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same way as more common packet sniffing tools such as tcpdump and snoop.

☛ Cheops http://www.marko.net/cheops/
Description: A GTK-based network "swiss-army-knife".
Cheops gives a simple interface to most network utilities, maps local or remote networks, and can also identify the OS types of the systems on the network.
☛ Vetescan http://www.self-evident.com/
Description: A bulk vulnerability scanner containing programs to check for or exploit various known remote network security vulnerabilities in Windows or UNIX. It includes a number of programs for different kinds of scanning.
Fixes for the vulnerabilities are included alongside the exploits.

☛ Retina http://www.eeye.com/html/Products/Retina.html
Note: A commercial product; no source code is provided. A demo is available for testing.
Description: A commercial security scanner written by the excellent programmers at eEye.

☛Libnet http://www.packetfactory.net/libnet/
설명: 네트워크 패킷의 형성 및 처리에 필요한 통로인 Libnet는 낮은 차원의 패킷기록 및 처리를 위한 이동식 프레임워크라 할 수 있다. 다양한 보완적 기능 뿐만아니라 IP 레이어와 링크 레이어에서의 이동식 패킷형성 인터페이스를 갖추고 있다. 그러나 초창기상태이기 때문에 라이브러리(library)는 조금만 발전되어 있다고 볼 수 있다.
이 Libnet을 이용하면, 조금만 신경을 쓰도 신속하고 간편한 패킷 어셈블리 응용프로그램을 만들 수 있다.
시간을 약간 들이면 좀 더 복잡한 프로그램들도 만들 수 있다(Libnet과 Libpcap을 이용하여 traceroute와 ping이 다시 쓰였다.).

☛ Crack / Libcrack http://www.users.dircon.co.uk/~crypto/
설명: Crack 5는 Alec Muffett의 세련된 로컬 패스워드 크래커(cracker)의 업데이트 버전이라 할 수 있다.
이런 것들을 이용해 전통적으로 시스템 이용자는 누구든지 etc/passwd를 뚫어 시스템상의 타 이용자의 패스워드(혹은 root)를 확인할 수 있었다. 그러나 현대적인 시스템에서는, 이렇게 하기 위해서는 etc/shadow로의 읽기 액세스를 취득해야 한다. 모든 이용자가 강력한 패스워드를 갖도록 시스템관리자는 크래커를 가끔 가동하는 것이 여전히 중요하다.

☛Cerberus Internet Scanner http://www.cerberus-infosec.co.uk/cis.shtml
설명: CIS(Cerberus Internet Scanner)는 CIS(Cerberus Information Security, Ltd.)사가 만들어 유지해 온 무료 보안스캐너인데, 관리자가 자신의 컴퓨터 시스템상의 어떤 보안구멍을 찾아 처리하는데 도움을 주도록 만들어 졌다. Windows NT 혹은 Windows 2000상에서 가동.

☛ Swatch http://www.stanford.edu/~atkins/swatch/
설명: 본래 이것은 메시지들이 UNIX syslog 유틸리티를 통해 어떤 로그파일에 기록될 때 적극적으로 그 메시지들을 감시하도록 만들어 졌다.
시각적으로 그리고 이벤트를 조장함으로서 가능한 다양한 방식의 경보체계를 갖고 있다. master loghost를 위한 완벽한 툴이라 할 수 있다.
이것은 버전 3.0의 베타버전이다. 따라서 주의하여 이용해야 하겠다. 코드는 문서화보다 약간 앞서 있지만 그 예들은 존재한다고 보아야겠다.
참고: 리눅스(RH5), BSDI 및 Solaris 2.6(패치된 것)상에서 결함없이 작동됨.

☛OpenBSD http://www.openbsd.org
설명: 이 OpenBSD 프로젝트는 무료이면서 다수-플랫폼 4.4 BSD 기반의 유닉스식의 운영체제를 만들어 낸다. 이동성, 표준화, 정확성, 보안 및 암호방식 등을 강조할 수 있겠다. SVR4(Solaris), FreeBSD, Linux, BSDI, SunOS 및 HPUX에서 나온 대부분의 프로그램들의 2진수 에뮬레이션을 지원해 준다.

☛Nemesis http://celerity.bartoli.org/nemesis/
설명: Nemesis 프로젝트는 UNIC/Linux를 위한 acommandline기반의 이동식 human IP 스택(stack)이 되도록 구상된 것이다.
이 패키지는 프로토콜로 나뉘어 지고 단순한 쉘 스크립트(shell scripts)에서 나온 삽입된
패킷 스트림을 유용하게 스크립팅해 준다.

☛ LSOF ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
설명: LSOF는 유닉스 특유의 진단용 툴이다. List Open Files의 준말이다.
시스템상에서 최근 가동되는 프로세스에 의해 오픈된 어떤 파일들의 정보를 열거해 준다.
바이너리는 커널버전 2.2에 고유하다.

☛ Lids http://www.turbolinux.com.cn/lids/
Description: LIDS is an intrusion detection/defence system inside the Linux kernel.
Its goal is to protect Linux systems against root intrusions by disabling certain system calls in the kernel itself.
LIDS protection can also be switched off when system administration occasionally requires it.

☛ IPTraf http://cebu.mozcom.com/riker/iptraf/
Description: IPTraf, an interactive colourful IP LAN monitor, is an ncurses-based IP LAN monitor that generates a range of network statistics including TCP information, UDP counts, ICMP and OSPF information, Ethernet load information, node statistics and IP checksum errors. Note that a kernel of version 2.0.0 or later is required.

☛ IPLog http://ojnk.sourceforge.net/
Description: IPLog is a TCP/IP traffic logger. It can currently log TCP, UDP and ICMP. IPLog 2.0 is a complete rewrite of IPLog 1.x and is both more portable and better performing.
Besides the new features, IPLog 2.0 retains everything IPLog 1.x could do.
It currently runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris.
Ports to other systems, as well as other contributions, are welcome.

☛ Fragrouter http://www.anzen.com/research/nidsbench/
Description: Its goal is to test the correctness of a NIDS against the specific TCP/IP attacks described in the Secure Networks NIDS evasion paper.
Other NIDS evasion toolkits implementing these attacks are in circulation among hackers and the general public, and are presumed to be in use against NIDS today.

☛ Queso http://www.apostols.org/projectz/queso/
Note: two of Queso's OS detection tests were later integrated into Nmap.
See the paper we wrote on OS detection for the details.
Description: it guesses a remote system's operating system by looking at its TCP responses.

☛ GPG/PGP http://www.gnupg.org/, http://www.pgp.com
Description: The GNU Privacy Guard (GnuPG) is a complete and free replacement for PGP, developed in Europe. Because it uses neither IDEA nor RSA, it can be used without any restrictions. (The RSA patent has since expired, and current GnuPG releases do support RSA keys.)
GnuPG is an RFC2440 (OpenPGP) compliant application.
PGP is the well-known encryption program that keeps your data safe from eavesdroppers and other threats.
Snort: an IDS, Intrusion Detection System. It inspects the packets on the network and logs anything that looks like an attack. It has nothing to do with actually preventing or blocking attacks; it is for detection only, like the surveillance cameras in a building.
Snort inline: an IPS, Intrusion Prevention System. The name is similar to Snort but the concept is a bit different. Unlike Snort, one of its main jobs is to inspect the packets entering the system directly and drop the ones that look like attacks.
SSH: short for Secure SHell.
iptables: a stateful-inspection firewall. Very good indeed.
squid: in Korean the word means the sea creature, sadly... but this one is a web proxy.
OpenS/WAN: an IPsec VPN, a fork of the FreeS/WAN project below, not the SSL VPN that is fashionable these days.
FreeS/WAN: the project is no longer maintained... it is a VPN built on IPsec.
ARPWatch: a tool for detecting ARP spoofing and ARP cache poisoning.
Nessus: a vulnerability scanning tool. Extremely well known. Security vendors are said to have based their own vulnerability scanners largely on Nessus.
nmap: a hacking tool that is just as useful for defence. Used for port scanning, OS detection and the like.
The Sleuth Kit: a computer forensics tool, the leading one on UNIX-like systems.
Used for incident response, computer forensic investigation and the like.
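How a tool like ARPWatch from the list above detects ARP spoofing and cache poisoning is shown in the following added example, which is not ARPWatch's own code and not part of the original page. It keeps the same IP-to-MAC table ARPWatch keeps and reports the same three kinds of event: a new station, a changed hardware address, and a flip-flop, where an IP changes back to the address it had before the last change. A flip-flop is what two hosts answering for the same IP (the real owner and the attacker) look like on the wire. The capture is a constructed list of ARP replies rather than a live packet source, and the addresses are documentation ranges chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    t: float    # seconds since the start of the capture
    ip: str     # sender protocol address (the IP this reply claims)
    mac: str    # sender hardware address (the MAC it claims owns that IP)

# Constructed capture, not a real trace: 192.0.2.1 is the gateway at aa:bb:cc:00:00:01.
# From t=30 a station at de:ad:be:ef:00:01 starts answering for the gateway, the real
# gateway answers again, then the impostor again: the flip-flop pattern of ARP poisoning.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.0.2.1",  "aa:bb:cc:00:00:01"),
    ArpReply(1.0,  "192.0.2.10", "aa:bb:cc:00:00:10"),
    ArpReply(5.0,  "192.0.2.1",  "aa:bb:cc:00:00:01"),
    ArpReply(30.0, "192.0.2.1",  "de:ad:be:ef:00:01"),
    ArpReply(31.0, "192.0.2.1",  "aa:bb:cc:00:00:01"),
    ArpReply(32.0, "192.0.2.1",  "de:ad:be:ef:00:01"),
    ArpReply(40.0, "192.0.2.20", "aa:bb:cc:00:00:20"),
]

class ArpWatcher:
    """Keeps an ip -> mac table and reports new stations, changes and flip-flops."""
    def __init__(self):
        self.current = {}    # ip -> mac currently believed to own it
        self.previous = {}   # ip -> mac it was bound to before the current one
        self.events = []     # (t, kind, ip, new mac, old mac)

    def observe(self, r):
        old = self.current.get(r.ip)
        if old is None:
            self.current[r.ip] = r.mac
            self.events.append((r.t, "new station", r.ip, r.mac, None))
        elif old != r.mac:
            # Changing back to the address seen before the current one is a flip-flop:
            # two hosts (owner and attacker) are fighting over the same IP.
            kind = "flip flop" if self.previous.get(r.ip) == r.mac else "changed ethernet address"
            self.events.append((r.t, kind, r.ip, r.mac, old))
            self.previous[r.ip] = old
            self.current[r.ip] = r.mac
        # same ip/mac pair as before: nothing to report

def run(replies):
    """Observe every reply in order and return the events raised."""
    w = ArpWatcher()
    for r in replies:
        w.observe(r)
    return w.events

def suspect_ips(events, min_changes=2):
    """IPs whose hardware address changed at least min_changes times: poisoning candidates."""
    changes = defaultdict(int)
    for _, kind, ip, _, _ in events:
        if kind != "new station":
            changes[ip] += 1
    return sorted(ip for ip, n in changes.items() if n >= min_changes)

if __name__ == "__main__":
    events = run(SAMPLE_REPLIES)
    for t, kind, ip, mac, old in events:
        print(f"t={t:5.1f} {kind:25} {ip:12} {mac}" + (f" (was {old})" if old else ""))
    print("suspect:", suspect_ips(events))
```

A single "changed ethernet address" can be a legitimate NIC swap or DHCP reuse; it is the repeated flip-flop on one IP, which suspect_ips() picks out, that a practitioner treats as poisoning.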