LinuxQuestions.org

Linux - Security: Assessment Toolkit for Linux (https://www.linuxquestions.org/questions/linux-security-4/assesment-toolkit-for-linux-748718/)

pablo1999 08-19-2009 08:16 AM

Assessment Toolkit for Linux
 
Hello,

I'm trying to select a good set of applications to start building a toolkit to do security assessments on Linux machines.

So far I have selected the following applications:

Vulnerability Scanner - OpenVAS
Packet Sniffer - Wireshark
Intrusion Detection System - Snort
Web Vulnerability Scanner - Nikto
Password Cracker - THC Hydra
Rootkit Detector - Tripwire
Penetration Testing - Metasploit Framework

Do I really need to evaluate all these applications, or can some of them do the job that others do? For example, if I use the Metasploit Framework, do I need to use OpenVAS?

Thanks in advance,

salasi 08-19-2009 08:55 AM

I am not a security expert, but:
  • In an ideal world, you would start from capabilities and then select applications until you have one, or more, that covers each capability that you need
  • You seem to have some of your list mis-filed (e.g. Tripwire)
  • You might want to look at some distros explicitly targeted at this area to see what the established players use:
  • http://www.securitydistro.com/security-distros/
  • http://www.darknet.org.uk/2006/03/10...sics-recovery/
  • Also be aware that Wireshark, while useful/vital/handy, is quite a different thing from some of the others on the list. Some of the others are 'aim and fire', while Wireshark won't do anything for you unless there is a sentient lifeform to look through the results. This may or may not be a concern to you.

And, be very careful what you ask for: it would be easy to get mistaken for someone who wants to hack in and do bad things rather than someone who is intent on improving and checking security by probing for vulnerabilities.

pablo1999 08-19-2009 09:26 AM

I will be doing a network assessment and the network has Linux machines. I selected those applications because they are among the most popular ones.

Going back to my question: do I really need to evaluate all these applications, or can some of them do the job that others do? For example, if I use the Metasploit Framework, do I need to use OpenVAS?

Thanks in advance.

Hangdog42 08-19-2009 02:35 PM

Quote:

Rootkit Detector - Tripwire
Unless there has been a pretty serious change of direction, I don't think Tripwire is a rootkit detector. Instead, Tripwire detects changes to files, regardless of how those changes are made. AIDE and Samhain do a similar sort of thing. Examples of rootkit detectors would be rkhunter or chkrootkit.
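An added example (not Tripwire's, AIDE's or Samhain's own code) of the file-integrity idea described above: hash every file in a tree into a baseline, then re-walk the tree and report what was added, removed or changed, whatever caused the change. The directory layout and the tampering in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path):
    """Content hash plus the metadata an attacker would have to preserve to hide a swap."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):            # symlinks/devices: metadata only
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root):
    """Walk the tree and record a fingerprint for every file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(baseline, current):
    """Report what appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        Path(root, "etc.conf").write_text("debug=0\n")
        Path(root, "motd").write_text("welcome\n")
        baseline = build_baseline(root)
        # Simulated tampering: mode change with content untouched, a same-size edit
        # that a size/mtime-only check would miss, a new hidden file, and a deletion.
        os.chmod(Path(root, "bin", "ls"), 0o755)
        Path(root, "etc.conf").write_text("debug=1\n")
        Path(root, "bin", ".hidden").write_text("")
        Path(root, "motd").unlink()
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

A real deployment keeps the baseline (and the checker itself) on read-only or offline media, since a baseline the attacker can rewrite proves nothing.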

unSpawn 08-19-2009 05:52 PM

Quote:

Originally Posted by pablo1999 (Post 3649504)
Do I need to really evaluate all these applications or some of them can do the job that others can do? For example, if I use the Metasploit Framework, do I need to use OpenVAS?

It depends on what "doing a network assessment" comprises here. Is it "just" reconnaissance, interpreting results and reporting, or would you be required to actively exploit specific vulns? Do you have a plan or an outline?

pablo1999 08-20-2009 07:52 AM

Quote:

It depends on what "doing a network assessment" comprises here. Is it "just" reconnaissance, interpreting results and reporting, or would you be required to actively exploit specific vulns? Do you have a plan or an outline?
This is the workflow I'm planning to target:

Identify IP networks and hosts
Perform network scanning
Investigate vulnerabilities
Exploitation of vulnerabilities

So far I have found that I can use OpenVAS and Metasploit Framework for doing the tasks mentioned above.

unSpawn 08-20-2009 08:27 AM

Sorry, forgot to ask some more: what is the purpose of the assessment? Is it in any way linked to probing for or achieving a level of security as in SANS Top-10, HIPAA, CIS, NIST, OWASP, PCI-DSS or other official standards? What auditing best practices do you try to adhere to and which auditing templates do you use? Who owns the networks you'll be working on (you, your employer, paying customers)? Do these networks contain production servers? Can you assess what risk exploiting vulns on production servers holds and how to mitigate damages? What would be the added value of exploiting vulns when reporting them, linking to the appropriate CVE entry for fixing, should be enough? Sorry if you only see questions and no answers; I'm just interested to see how amateurish or professional your approach is.

pablo1999 08-20-2009 10:42 AM

Quote:

what is the purpose of the assessment?
To get familiarized with the available tools.

Quote:

Is it in any way linked to probing for or achieving a level of security as in SANS Top-10, HIPAA, CIS, NIST, OWASP, PCI-DSS or other official standards?
No.


Quote:

What auditing best practices do you try to adhere to and which auditing templates do you use?
I don't have any templates yet. Where can I get more information about auditing templates?

Quote:

Who owns the networks you'll be working on (you, your employer, paying customers)?
I will be using VMWare Server to create a small environment.


Quote:

Can you assess what risk exploiting vulns on production servers holds and how to mitigate damages?
I will be using VMWare Server to create a small environment.

Quote:

What would be the added value of exploiting vulns when reporting them, linking to the appropriate CVE entry for fixing, should be enough?
I want to get exposure to Metasploit Framework.

unSpawn 08-20-2009 11:28 AM

Quote:

Originally Posted by pablo1999 (Post 3651023)
To get familiarized with the available tools. (..) I want to get exposure to Metasploit Framework.

Clear. I think you'd best just go read and experiment with those toolkits then. Exploiting vulns may seem thrilling, but having the knowledge to interpret results, being able to explain the report to the client and making recommendations (adding value) is what rakes in the money. To get an idea of what the field contains, have a look at the reading material at, say, the CIS, NIST and OWASP sites and the securityfocus.com and insecure.org mailing lists for starters?
