Article Title: 10 common Linux security tools. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
First, describe how to install and prepare the tool-unzip some compressed files in Linux:
Tar xvf *. tar (tar compressed package)
Tar zxvf * .tar.gz (packages compressed by tar and gzip)
Unrar x *. rar unpack_path (the unpack_path package for rar compression is the decompressed storage path. The unrar decompression command must be installed with the rar tool in Linux)
Rpm-vhU *. rpm (RPM package installation)
General steps for installing the tool:
(1) Go to the extract directory to run./configure;
(2) execute make all;
(3) execute make install.
Some tools also need to install specific Lib libraries during the installation process, which will be described in the usage of the tools.
I. Hping2 --- network detection tool Tool Name: Hping2
Application Environment: Linux
Tool Introduction: hping is a command line-Based TCP/IP tool, which is well applied on UNIX, but it is not just an ICMP request/response tool, it also supports TCP, UDP, ICMP; RAW-IP protocol, and a routing model HPING has been used as a security tool, can be used to test the security of the network and host, it has the following features:
1. firewall detection (through the ping return code for judgment, for example, when a firewall such as Cisco blocks an ICMP packet, it returns the target inaccessible information in status 13, for this purpose, we can determine that the detection target is protected by the Cisco Firewall)
2. Advanced port scanning (2-7 is mainly used to analyze and test the returned status of the sent packet based on the understanding of TCP/IP)
3. Network Testing (different protocols, TOS, and packet fragmentation can be used to implement this function)
4. Manual MTU Mining
5. Advanced routing (available under any Protocol)
6. OS fingerprint judgment
7. Slight UPTIME Prediction
Example:
The ICMP inaccessible return values used by the scan through the firewall are determined. The returned values of different firewalls are different. For example, the Cisco status value is 13. For other tests, we need to understand the packet header structure of TCP/IP.
Set the time interval and the packet sending frequency (-I uX X is microsecond) hping2 192.168.0.1-c 2-I u1000
One type of ping attack test (-d packet size) hping2 192.168.0.1-d 20000-I u1
Test the Internet hping2-A/F/S-p 80 www.my.com. For details about how to run the command, see (use ping test first, no return, and then use hping2 for testing ):
Ii. Nbtscan-collect NetBIOS information from a Windows Network Tool Name: nbtscan-1.5.1a
Application Environment: Linux
Tool Introduction: This is a program used to scan NetBIOS Name Information on Windows networks. This program sends a NetBIOS status query to each address within the given range, and lists the received information in a readable table. For each response host, NBTScan lists its IP addresses, NetBIOS computer names, logon usernames, and MAC addresses.
Example:
This is relatively simple, but you can only scan the Intranet
Scan the network segment of 192.168.0.0: nbtscan 172.16.15.0/24. For test operations, see:
Iii. Xprobe2 --- fingerprint recognition tool for active Operating Systems Tool Name: Xprobe2
Application Environment: Linux
Tool Introduction: Xprobe2 is an active fingerprint recognition tool for operating systems. Unlike fingerprint recognition for other operating systems, Xprobe2 relies on Fuzzy Matching with a signature library, and reasonable speculation to jointly determine the type of remote operating system.
Example:
Simple Intranet Detection: xprobe2 192.168.0.1
Internet probe (Web service is enabled on the target host): xprobe2-p tcp: 80: open/tcp: 25: open www.my.com; Operating System 3 of the target host is shown as follows:
Iv. nmap --- network scanning and sniffing Toolkit Tool Name: nmap-3.50
Application Environment: Linux
Tool Introduction: NMap is a network scanning and sniffing tool kit in Linux. It can help the network administrator to thoroughly detect UDP or TCP ports until the operating system used by the host. It can also record all the test results to logs of various formats to serve system security. NMap, or Network Mapper, is a Network scanning and sniffing toolkit in Linux. It has three basic functions: first, to detect whether a group of hosts are online, and second, to scan host ports, network Service provided by sniffing; the operating system used by the host can also be inferred. Nmap can be used to scan networks with only two nodes and more than 500 nodes. Nmap also allows you to customize scan techniques. Generally, a simple ping operation using ICMP can meet General requirements. You can also thoroughly test the UDP or TCP port until the operating system used by the host; all test results can also be recorded in logs of various formats for further analysis. However, nmap is found to have DOS attacks. To address such attacks, you can take the following measures: install the latest patch from the System Seller; and use the unaffected system as the firewall.
Example:
This method is applicable to intranet and Internet detection. intranet operations are used as an example (the Internet parameters are the same)
Simple Port Scan: nmap-vv-sT (sS, sF, sU, sA) 192.168.0.1-D 127.0.0.1 (-D forged address)
OS Detection: nmap-vv-sS-O 192.168.0.1
RPC Authentication: portmap on nmap-sS-sR 192.168.0.1 Linux is a simple RPC service. The listening port is 111 (default). For testing, see
Ping scan: nmap-sP 172.16.15.0/24. For test results, see
5. tcpdump --- professional network management tools Tool Name: tcpdump-3.8.1
Application Environment: Linux
Tool Introduction: Tcpdump is a famous sniffer. It is regarded by many UNIX experts as a professional network management tool. Remember that TsutomuShimomura (it should be called a sub-village invasion) he used his modified TCPDUMP version to record records of KEVINMITNICK's attack on his system, and then cooperated with the FBI to seize KEVINMITNICK. You can use this tool to check the file package information on your server and monitor the problems on your network.
Example:
Intercept all packets received and sent by all hosts at 192.168.0.1:
Tcpdump host 192.168.0.1 (the address in the test image shall prevail, see ):
Intercept the communication between host 192.168.0.1 and host 192.168.0.2 or 192.168.0.3, and run the following command ):
Tcpdump host 192.168.0.1 and \ (192.168.0.2 or 192.168.0.3 \)
Obtain the IP packet of host 192.168.0.1 that communicates with all hosts except host 192.168.0.2. Run the following command:
Tcpdump ip host 192.168.0.1 and! 192.168.0.2
To obtain the telnet packet received or sent by the host 192.168.0.1, run the following command:
Tcpdump tcp port 23 host 192.168.0.1
Installation Note: libpcap must be installed before the tool is installed.
Tool Introduction: advanced packet sniffing and session hijacking on the Linux platform. Hunt can monitor, hijack, and reset TCP connections on the network, it also includes an active mechanism for monitoring and switching connections, as well as optional advanced features such as ARP broadcast and connection Synchronization After successful hijacking. Precautions for anti-sniffing tools: preventing hackers from obtaining system access permissions at the beginning is the best method for sniffing. The switch network is used to replace the hub, network Traffic is visible to every system in the LAN. In the switched network, only the network adapter with the corresponding MAC address can see its own frame. Do not use Plaintext when transmitting sensitive data. Precautions for anti-sniffing tools: preventing hackers from obtaining system access permissions at the beginning is the best method for sniffing. The switch network is used to replace the hub, network Traffic is visible to every system in the LAN. In the switched network, only the network adapter with the corresponding MAC address can see its own frame. Do not use Plaintext when transmitting sensitive data.
Example:
With the advanced sniffing function, hunt uses ARP spoofing or ARP-forced methods to trick the system into adding a new MAC-to-IP ing to the cache. (Perform the following steps: Enter daemon, enter a to add, and use l to list the settings. Use arp-a to view the changes .) This function can sniff and exchange data in the network. In addition, the user name and password can be captured by the sniffer provided by hunt, which relies on the dictionary library. As shown in running hunt 7, there are simple menu operations:
Tool Introduction: THC-Hydra is the world's first hacker tool for parallized protocol logon. It can be used to quickly launch Dictionary Attacks on systems requiring network logon, includes Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, and Cisco, and supports SSL encryption. Supports Socks5 and SSL.
Example (supported by dictionary Library ):
Hydra-l login-P/tmp/passlist 192.168.0.1 ftp login is the username to be cracked, and passlist is the password dictionary library.
Hydra-l login-P passfile 192.168.0.1 smb login is the login name to be cracked, passfile is the password dictionary library, and smb operating system logon password cracking, as shown in test example 8:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.