10 Essential Linux Tools for Network and Security Professionals

Choosing just 10 open source Linux security tools isn’t easy, especially when network professionals and security experts have dozens, if not several hundred, tools available.

There are different sets of tools for almost every task: network tunneling, tracing, scanning, mapping. And for all environments: Wi-Fi networks, web applications, database servers.

We consulted a group of experts (Vincent Danen, VP of Product Security, RedHat; Casey Bisson, Head of Product Growth, BluBracket; Andrew Schmitt, BluBracket Security Advisory Panel Member; and John Hammond, Senior Security Researcher, Huntress) to develop this list of must-have Linux security tools.

Most of the ones listed here are free and open source. The two that cost money are Burp Suite Pro and Metasploit Pro. Both are considered indispensable in any enterprise penetration testing and vulnerability assessment program.

1. Aircrack-ng for Wi-Fi network security

Aircrack-ng is a set of tools for security testing of wireless networks and Wi-Fi protocols. Security professionals use this wireless scanner for network administration, hacking, and penetration testing. It focuses on four areas:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, deauthentication, and rogue access points via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities.
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

According to the Aircrack-ng website, all of the tools are command-line programs, which allows heavy scripting. The suite works mainly on Linux, but also runs on Windows, macOS, FreeBSD, OpenBSD and NetBSD, as well as Solaris and even eComStation 2.

Cost: Free open source software.

2. Burp Suite Pro targets web application security

Burp Suite Professional is a suite of web application testing tools used to assess the security of websites. Burp Suite works as a local proxy that allows security professionals to decrypt, observe, manipulate, and replay web requests (HTTP/WebSockets) and responses between a web server and a browser.

The tool comes with a passive scanner that lets security professionals map the site and check for potential vulnerabilities while manually crawling it. The Pro version also offers a very useful active web vulnerability scanner for further vulnerability detection. Burp Suite is extensible through plugins, so security professionals can develop their own enhancements; the Pro version has the most robust plugin support, making Burp a multi-tool suite of very useful web attack tools.

Cost: The professional version costs $399. There is also an enterprise version that allows for multiple simultaneous scans that can be used by application development teams.

3. Impacket for Penetration Testing Network Protocols

This collection of tools is essential for penetration testing network protocols and services. Maintained by SecureAuth, Impacket is a collection of Python classes for working with network protocols. It focuses on providing low-level programmatic access to packets and, for some protocols such as SMB1-3 and MSRPC, the protocol implementation itself. Security professionals can build packets from scratch as well as parse them from raw data. The object-oriented API makes it quite easy to work with deep protocol hierarchies. Impacket supports the following protocols:

  • Ethernet and Linux "cooked" capture;
  • IP, TCP, UDP, ICMP, IGMP, ARP;
  • IPv4 and IPv6;
  • NMB and SMB1, SMB2 and SMB3;
  • MSRPC Version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP;
  • Plain, NTLM and Kerberos authentication, using passwords, hashes, tickets or keys;
  • Portions of the TDS (MSSQL) and LDAP protocol implementations.

Cost: Free, as long as the user credits SecureAuth. Impacket is provided under a slightly modified version of the Apache Software License; security professionals can review it and compare it with the official Apache Software License.
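To show the kind of low-level packet work Impacket is used for, here is an added example that is not Impacket's own code (the library is not imported; only Python's standard library is used). It builds an Ethernet/IPv4/TCP SYN frame from scratch, then parses it back from raw bytes while validating header lengths and both the IPv4 and TCP checksums, which is the first thing a protocol parser should do with untrusted input. The MAC and IP addresses and ports are constructed sample values.

```python
import struct
from dataclasses import dataclass

ETH_TYPE_IPV4 = 0x0800
PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


@dataclass
class ParsedFrame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int
    ip_checksum_ok: bool
    tcp_checksum_ok: bool


def build_tcp_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build an Ethernet/IPv4/TCP SYN frame from scratch (constructed sample, no payload)."""
    src, dst = ip_bytes(src_ip), ip_bytes(dst_ip)
    # TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, checksum 0, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, ID, flags/fragment (DF), TTL, proto, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # Ethernet II: constructed destination and source MACs, EtherType IPv4
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", ETH_TYPE_IPV4)
    return eth + ip + tcp


def parse_frame(raw: bytes) -> ParsedFrame:
    """Decode Ethernet -> IPv4 -> TCP from raw bytes, validating lengths and checksums."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = raw[:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] != ETH_TYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    return ParsedFrame(
        src_mac=":".join(f"{b:02x}" for b in src_mac),
        dst_mac=":".join(f"{b:02x}" for b in dst_mac),
        src_ip=".".join(str(b) for b in src),
        dst_ip=".".join(str(b) for b in dst),
        src_port=src_port,
        dst_port=dst_port,
        tcp_flags=tcp[13],
        ip_checksum_ok=inet_checksum(ip[:ihl]) == 0,    # a valid header sums to zero
        tcp_checksum_ok=inet_checksum(pseudo + tcp) == 0,
    )


if __name__ == "__main__":
    frame = build_tcp_syn("10.0.0.1", "10.0.0.2", 40000, 445)
    print(parse_frame(frame))
```

Every length field is checked against the bytes actually present before it is used as a slice bound; a parser that trusts the IHL or total-length field from the wire is the classic source of out-of-bounds reads in packet-handling code.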

4. Metasploit: a super tool to detect exploits

Metasploit, Rapid7's exploitation framework for general penetration testing and vulnerability assessment, is considered by security professionals to be a “super tool” that contains working versions of almost every known exploit.

Metasploit enables security professionals to scan networks and endpoints (or import Nmap scan results) for vulnerabilities and then automatically run any applicable exploits to take control of systems.

According to a recent Rapid7 blog post, credential capture has long been a critical early phase in many security testers' playbooks. Metasploit has made this easy for years with protocol-specific modules, all under the auxiliary/server/capture namespace. Security professionals can launch and configure each of these modules individually, but a capture plugin now streamlines the process.

Cost: Metasploit Pro, which comes with commercial support from Rapid7, starts at $12,000 per year, but there’s also a free version.

5. Ncat probes network connectivity

From the creators of Nmap, Ncat is the successor to the popular Netcat. It makes it easy to read and write data across a network from the command line, but adds features such as SSL encryption. Security experts say that Ncat has become crucial for hosting TCP/UDP clients and servers that send and receive arbitrary data between victim and attacker systems. It is also a popular tool for setting up a reverse shell or extracting data. Ncat was written for the Nmap Project and represents the culmination of the currently fragmented family of Netcat incarnations. It is designed as a reliable back-end tool that provides network connectivity to other applications and users. Ncat works with both IPv4 and IPv6, can chain Ncat instances together, forwards TCP, UDP and SCTP ports to other sites, and supports SSL.

Cost: Free open source tool.

6. Nmap scanning and network maps

Nmap is a command-line network scanning tool that discovers accessible ports on remote devices. Many security professionals consider Nmap the most important and effective tool on our list; it is so powerful that it has become mandatory for penetration testers. Nmap's main function is to scan network ranges for live hosts and then scan all of their ports for operating system, service and version discovery. Via Nmap's scripting engine, it can then perform more automated vulnerability detection and exploitation against any services it finds. Nmap supports dozens of advanced techniques for mapping networks full of IP filters, firewalls, routers, and other obstacles, including many TCP and UDP port-scanning mechanisms, OS detection, version detection, and ping sweeps. Security professionals have used Nmap to scan large networks of hundreds of thousands of machines.

Cost: Free open source tool.

7. ProxyChains for network tunnels

ProxyChains, the de facto standard for network tunneling, allows security professionals to route commands from their attacking Linux machine through multiple compromised machines to traverse network boundaries and firewalls while evading detection. They use it when they want to hide the identity of their Linux machine on a network. ProxyChains routes the pen tester's TCP traffic through Tor, SOCKS, and HTTP proxies. TCP reconnaissance tools such as Nmap are supported, and the Tor network is used by default. Security professionals also use ProxyChains to evade firewalls and IDS/IPS detection.

Cost: Free open source tool.

8. Responder simulates attacks on DNS systems

Responder is an NBT-NS (NetBIOS Name Service), LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS) poisoner used by penetration testers to simulate an attack that steals credentials and other data during name resolution, when the DNS server has no record for the requested name.

The latest version of Responder (v3.1.1.0) comes with full IPv6 support by default, allowing security professionals to perform more attacks on both IPv4 and IPv6 networks. This matters because earlier versions of Responder lacked IPv6 support and therefore missed several attack routes, particularly on IPv6-only or mixed IPv4/IPv6 networks, and IPv6 has become the preferred networking stack in Windows.

Cost: Free open source software.
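The behaviour the article describes is also what defenders detect: a poisoner answers LLMNR queries for names that do not exist anywhere on the network. The following added example (not Responder's code, and not part of the article) uses only Python's standard library to build a constructed LLMNR query/response capture in the DNS wire format that LLMNR shares, parses it, and flags any host that answered a "canary" name the defender knows is unregistered. The canary names, IP addresses and transaction IDs are constructed.

```python
import struct

LLMNR_PORT = 5355          # LLMNR runs over UDP 5355 to multicast 224.0.0.252
FLAG_RESPONSE = 0x8000     # QR bit in the DNS-style header


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a label sequence at offset; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, then stop
            pointer = ((length & 0x3F) << 8) | data[offset]
            offset += 1
            suffix, _ = decode_name(data, pointer)
            labels.append(suffix)
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # 1 question, no answers
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid: int, name: str, answer_ip: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + question + rr


def parse_llmnr(data: bytes) -> dict:
    """Parse an LLMNR message (DNS wire format) into id, QR flag, question names and A answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
        questions.append(name.lower())
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name.lower(), ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def find_poisoners(capture, canary_names) -> dict:
    """Flag any source that answers an LLMNR query for a canary name that does not exist.

    capture: list of (src_ip, udp_payload). Returns {src_ip: [(canary, claimed_ip), ...]}."""
    canaries = {n.lower() for n in canary_names}
    suspects = {}
    for src_ip, payload in capture:
        msg = parse_llmnr(payload)
        if not msg["response"]:
            continue
        for name, claimed_ip in msg["answers"]:
            if name in canaries:
                suspects.setdefault(src_ip, []).append((name, claimed_ip))
    return suspects


# Constructed capture: a canary query, a poisoner answering it, and a legitimate printer lookup.
CANARY_NAMES = ["fs-canary-01", "wpad-canary-02"]
SAMPLE_CAPTURE = [
    ("10.0.0.20", build_query(0x1A2B, "fs-canary-01")),
    ("10.0.0.99", build_response(0x1A2B, "fs-canary-01", "10.0.0.99")),  # answers a name that does not exist
    ("10.0.0.21", build_query(0x3C4D, "printer01")),
    ("10.0.0.30", build_response(0x3C4D, "printer01", "10.0.0.30")),     # printer01 really is 10.0.0.30
]

if __name__ == "__main__":
    print(find_poisoners(SAMPLE_CAPTURE, CANARY_NAMES))
```

In practice the canary queries are sent periodically from a monitoring host and the answers are watched in a packet capture or IDS; a single reply to a name that was never registered is enough to alert on. The durable fix on Windows networks is to disable LLMNR and NBT-NS where they are not needed, so that a poisoner has nothing to answer.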

9. sqlmap finds SQL injection flaws in database servers

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws that could be used to take control of database servers. The tool comes with a powerful detection engine and has many features for penetration testing, including database fingerprinting, access to the underlying file system, and running commands on the operating system via out-of-band connections.

Security professionals say it helps them automate SQL injection discovery and attacks against the major SQL back ends. It supports a wide range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, and HSQLDB. It also supports various types of SQL injection, including boolean-based blind, time-based blind, error-based, stacked queries, and out-of-band.

Cost: Free open source software.
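To make concrete what sqlmap's boolean-based blind detection relies on, here is an added example (not sqlmap's code, and not from the article) using Python's built-in sqlite3 module: a deliberately injectable lookup beside its parameterized form, plus a probe that checks whether appending a true versus a false condition to the same input changes the result. The users table and its rows are constructed.

```python
import sqlite3
from typing import Callable


def setup_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately injectable: the caller's string is spliced into the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def boolean_blind_probe(lookup: Callable, conn: sqlite3.Connection, known_user: str = "alice") -> bool:
    """Mimic sqlmap's boolean-based blind test: the same value with a true and a false
    condition appended must behave identically if the input is handled as data.
    Returns True when the two responses differ, i.e. the condition reached the SQL engine."""
    with_true = lookup(conn, f"{known_user}' AND '1'='1")
    with_false = lookup(conn, f"{known_user}' AND '1'='2")
    return with_true != with_false


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_safe(db, payload))        # no rows: no user is literally named that
    print("injectable?", boolean_blind_probe(lookup_vulnerable, db), boolean_blind_probe(lookup_safe, db))
```

The probe never needs an error message or a visible data leak, which is why boolean-based blind injection is found even on applications that hide database errors; the only signal is that the page differs between the true and false cases. Time-based and error-based variants work the same way but depend on engine-specific functions, which is why sqlmap fingerprints the back end first.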

10. Wireshark – Popular Network Protocol Analyzer

Wireshark, which has been around since 1998, is a network protocol analyzer, commonly called a packet sniffer. The latest update is version 3.6.3.

Wireshark allows security professionals to observe the network behavior of a device to see which other devices (IP addresses) it is communicating with and why. In some older network topologies, requests from other devices pass through the network interface of the security professional's own machine, allowing them to observe traffic from the entire network rather than just their own. Security experts say it is a great tool for finding out where DNS servers and other services are for further network exploitation. Wireshark runs on most computing platforms, including Windows, macOS, Linux, and Unix.

Cost: Free open source software.


Copyright © 2022 IDG Communications, Inc.
