Top UBUNTU Security Tools

Here is a collection of security tools that you should look through to add to your arsenal to help keep the peace on your pc/network or unleash war on others for whatever reason.

You can simply install these tools by clicking on the title.

Most of these are command line tools which need to be invoked via the Terminal:

If you need help with these tools, please read the manual via man “application” in the terminal, and feel free to comment if you need a little assistance or care to add to this growing list. The Alternative is the command line ‘sudo apt-get install APPLICATION’.

1. Sniffers

1) dsniff

Various tools to sniff network traffic for clear text insecurities
This package contains several tools to listen to and create network traffic:

  • arpspoof – Send out unrequested (and possibly forged) arp replies.
  • dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
  • dsniff – password sniffer for several protocols.
  • filesnarf – saves selected files sniffed from NFS traffic.
  • macof – flood the local network with random MAC addresses.
  • mailsnarf – sniffs mail on the LAN and stores it in mbox format.
  • msgsnarf – record selected messages from different Instant Messengers.
  • sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
  • sshow – SSH traffic analyser.
  • tcpkill – kills specified in-progress TCP connections.
  • tcpnice – slow down specified TCP connections via “active” traffic shaping.
  • urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
  • webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
  • webspy – sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

sudo aptitude install dsniff

2) NGrep

NGrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

sudo aptitude install ngrep

3) Hydra

Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.

Currently this tool supports: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, LDAP2, Cisco AAA (incorporated in telnet module).

sudo aptitude install hydra

4) imsniff

Simple program to log Instant Messaging activity on the network
The imsniff program can be used to log IM activity on the network. It uses libpcap to capture packets and analyzes them, logging conversation, contact lists, etc.

Users connecting after imsniff is started can get pretty good results, including complete contact lists and events (displaying a name change, for example). Users already connected will be able to get the conversations, but
will miss the other information.

The only required parameter is the interface name to listen to. This can be any interface that libpcap supports. A sample imsniff.conf.sample file is included.

imsniff is beta software, for now, only MSN is supported. Others could follow.

5) ksniffer

KSniffer is a network traffic analyzer, or “sniffer” for KDE.

A sniffer is a tool used to capture packets from your network. It detects network protocols like IP, TCP, UDP, ICMP and ARP.

6) nwatch

Network service detector. NWatch is a sniffer but can be conceptualized as a “passive port scanner”, in that it is only interested in IP traffic and it organizes results as a port scanner would.

The advantage of this tool is that services that are open for a short period of time can be detected with NWatch while successive nmap scans will miss them. The disadvantage is that the service have to be actively used to be detected.

7) scapy

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, etc. It can for the moment replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, ….

In scapy you define a set of packets, then it sends them, receives answers, matches requests with answers and returns a list of packet couples (request, answer) and a list of unmatched packets. This has the big advantage over tools like nmap or hping that an answer is not reduced to (open/closed/filtered), but is the whole packet.


It was previously named scapy. This is a transitional package so scapy users get python-scapy on upgrades. This package handles scapy -> python-scapy. It can be safely removed.

8) Snort

Flexible Network Intrusion Detection System. Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This package provides the plain-vanilla snort distribution and does not provide database (available in snort-pgsql and snort-mysql) support.

9) tcpick

TCP stream sniffer and connection tracker. This libpcap-based textmode sniffer can:

  • track, reassemble and reorder TCP streams
  • save the captured flows in different files or display them in the terminal
  • display all the stream on the terminal with different display modes like hexdump, hexdump + ascii, only printable characters, raw mode, colorized mode …
  • handle several network interface types, including ethernet cards and PPP interfaces

10) Tshark

Wireshark network traffic analyzer (console interface). Wireshark is a network traffic analyzer, or “sniffer”, for Unix and
Unix-like operating systems. A sniffer is a tool used to capture packets off the wire. Wireshark decodes numerous protocols (too many to list).

This package provides the console version of wireshark, named “tshark”.

11) WireShark

Nnetwork traffic analyzer. Wireshark is a network traffic analyzer, or “sniffer”, for Unix and Unix-like operating systems. A sniffer is a tool used to capture packets off the wire. Wireshark decodes numerous protocols (too many to list).

This package provides wireshark (the GTK+ version)

sudo aptitude install wireshark

12) Ettercap

Multipurpose sniffer/interceptor/logger for switched LAN. Ettercap supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.

Many sniffing modes were implemented to give you a powerful and complete sniffing suite. It’s possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and Public ARP Based (half-duplex).

It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

sudo aptitude install ettercap

If you want to install ettercap GUI install following package

sudo aptitude install ettercap-gtk

13) Etherape

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

sudo aptitude install etherape

2. Network Manipulation

1) TcpReplay

Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn’t exercise the application/protocol inspection that a NIDS performs, and doesn’t reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.

sudo aptitude install tcpreplay

2) Nemesis

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

sudo aptitude install nemesis-menu

3) NBTScan

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).

sudo aptitude install nbtscan

3. Wireless Tools

1) aircrack-ng

Grab the latest @ It’s a wireless WEP/WPA cracking utility aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. Also it can attack WPA1/2 networks with some advanced methods or simply by brute force.

It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools.
It can also fully use a multiprocessor system to its full power in order to speed up the cracking process.

aircrack-ng is a fork of aircrack, as that project has been stopped by the upstream maintainer.

2) Kismet

Wireless 802.11b monitoring tool. Kismet is a 802.11b wireless network sniffer. It is capable of sniffing using almost any supported wireless card using the Airo, HostAP, Wlan-NG, and Orinoco (with a kernel patch) drivers.

Can make use of sox and festival to play audio alarms for network events and speak out network summary on discovery. Optionally works with gpsd to map scanning.

sudo aptitude install kismet

3) Prismstumbler

Wireless network sniffer. Prismstumbler is a packet sniffer for 802.11b wireless LANs.

4) SWScanner

Simple Wireless Scanner. SWScanner is a KDE application specially designed to make easy the whole wardriving process, but also intended to facilitate many tasks related to wireless networks. SWScanner is compatible with NetStumbler files and supports GPS devices.

5) WEPLab

Ttool designed to break WEP keys. WepLab is a tool designed to teach how WEP works, what different vulnerabilities it has, and how they can be used in practice to break a WEP protected wireless network.

WepLab can dump network traffic, analyse it or crack the WEP key.

4. Portscanning


The Network Mapper. Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command line modes.

sudo aptitude install nmap

If you want nmap frontend install the following package

sudo aptitude install zenmap

2) PnScan

Multi threaded port scanner. Pnscan is a multi threaded port scanner that can scan a large network very quickly. If does not have all the features that nmap have but is much faster.

3) DoScan

Pport scanner for discovering services on large networks. Doscan is a tool to discover TCP services on your network. It is designed for scanning a single ports on a large network. doscan contacts many hosts in parallel, using standard TCP sockets provided by the operating system. It is possible to send strings to remote hosts, and collect the banners they return.

There are better tools for scanning many ports on a small set of hosts, for example nmap.


Active Network Smashing Tool. Hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the TCL language.

sudo aptitude install hping3

5) Paketto


Unusual TCP/IP testing toolsThe Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. scanrand is said to be
faster than nmap and more useful in some scenarios.

This package includes:

  • scanrand, a very fast port, host, and network trace scanner
  • minewt, a user space NAT/MAT (MAC Address Translation) gateway
  • linkcat(lc), that provides direct access to the network (Level 2)
  • paratrace, a “traceroute”-like tool using existing TCP connections
  • phentropy, that plots a large data source onto a 3D matrix

6) Packit

Network Injection and Capture. Packit is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection systems, port scanning, simulating network traffic, and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.

7) ScanSSH

Gget SSH server versions for an entire network. The ScanSSH protocol scanner scans a list of addresses and networks for running SSH protocol servers and their version numbers. Version 2.0 adds support for scanning arbitrary ports and specifically open proxies. The ScanSSH protocol scanner supports random selection of IP addresses from

large network ranges and is useful for gathering statistics on the deployment of SSH protocol servers in a company or the Internet as whole.

8) p0f

Passive OS fingerprinting tool. P0f performs passive OS detection based on SYN packets. Unlike nmap and queso, p0f does recognition without sending any data.
Additionally, it is able to determine the distance to the remote host, and can be used to determine the structure of a foreign or local network. When running on the gateway of a network it is able to gather huge amounts of data and provide useful statistics. On a user-end computer it could be used as powerful IDS add-on. p0f supports full tcpdump-style filtering expressions, and has an extensible and detailed fingerprinting database.

5. Crypto and Signature

1) GnuPG

GnuPG is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.GnuPG does not use any patented algorithms so it cannot be compatible with PGP2 because it uses IDEA (which is patented worldwide).

sudo aptitude install gnupg

If you want gnupg GUI tool use this

2) Seahorse

Seahorse is a GNOME application for managing encryption keys. It also integrates with nautilus, gedit and other places for encryption operations.

sudo aptitude install seahorse

6. Protection

1) Denyhosts

DenyHosts is a program that automatically blocks ssh brute-force attacks by adding entries to /etc/hosts.deny. It will also inform Linux administrators about offending hosts, attacked users and suspicious logins. Synchronization with a central server is possible too.
Differently from other software that do same work, denyhosts doesn’t need support for packet filtering or any other kind of firewall in your kernel

sudo aptitude install denyhosts

2) Firestarter

Firestarter is a gtk program for managing and observing your firewall, it’s a complete firewall tool for Linux machines. It features an easy to use firewall wizard to quickly create a firewall. Using the program you can then open and close ports with a few clicks, or stealth your machine giving access only to a select few. The real-time hit monitor shows attackers probing your machine.

sudo aptitude install firestarter

3) Clamav

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon in the clamav-daemon package, a command-line scanner in the clamav package, and a tool for automatic updating via the Internet in the clamav-freshclam package. The programs are based on libclamav3, which can be used by other software.

This package contains the command line interface. Features:

  • built-in support for various archive formats, including Zip, RAR, Tar,Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others;
  • built-in support for almost all mail file formats;
  • built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;
  • built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.

For scanning to work, a virus database is needed. There are two options for getting it:

  • clamav-freshclam: updates the database from Internet. This is recommended with Internet access.
  • clamav-data: for users without Internet access. The package is not updated once installed.
  • The clamav-getfiles package allows creating custom packages from an Internet-connected computer.

sudo aptitude install clamav

4) Clamtk

Graphical Interface

sudo aptitude install clamtk

5) FwBuilder

FwBuilder is a tool to generate IPTABLES Rules and Scripts for local or remote machines

sudo aptitude install fwbuilder

7. Misc Tools

1) NetCat

A simple Unix utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

sudo aptitude install netcat

2) TcpTrace

Tcptrace is a tool for analyzing and reporting on tcpdump (or other libpcap) dump files. It can summarize the data or generate graph data for use with the gnuplot tool from the gnuplot package. Graph data can be created for throughput, RTT, time sequences, segment size, and cwin.

sudo aptitude install tcptrace

3) Netwox

It is a toolbox. Toolbox netwox helps to find and solve network problems :

  • sniff, spoof
  • clients, servers
  • scan, ping, traceroute
  • etc.

Netwox contains 222 tools using network library netwib. Some tools are only a simplified implementation, while others are very sophisticated.

sudo aptitude install netwox

4) NTop

ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminiscent of the unix top utility.It can also be run in web mode, which allows the display to be browsed with a web browser.
sudo aptitude install ntop

5) TCPTraceroute

A traceroute implementation using TCP packets. The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination.

The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.

6) Traceroute

Traces the route taken by packets over an IPv4/IPv6 network. The traceroute utility displays the route used by IP packets on their way to a specified network (or Internet) host. Traceroute displays the IP number and host name (if possible) of the machines along the route taken by the packets.
Traceroute is used as a network debugging tool. If you’re having network connectivity problems, traceroute will show you where the trouble is coming from along the route.

Install traceroute if you need a tool for diagnosing network connectivity problems.

7) Whois

The GNU whois client. This is a new whois (RFC 3912) client rewritten from scratch.
It is inspired from and compatible with the usual BSD and RIPE whois programs.
It is intelligent and can automatically select the appropriate whois server for most queries.

The package also contains mkpasswd, a simple front end to crypt.

8) HoneyD

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

sudo aptitude install honeyd

8. Rootkit Detection

1) Chkrootkit

Checks for signs of rootkits on the local system
chkrootkit identifies whether the target computer is infected with a rootkit.
Some of the rootkits that chkrootkit identifies are:

  1. lrk3, lrk4, lrk5, lrk6 (and some variants);
  2. Solaris rootkit;
  3. FreeBSD rootkit;
  4. t0rn (including latest variant);
  5. Ambient’s Rootkit for Linux (ARK);
  6. Ramen Worm;
  7. rh[67]-shaper;
  8. RSHA;
  9. Romanian rootkit;
  10. RK17;
  11. Lion Worm;
  12. Adore Worm.

Please note that this is not a definitive test, it does not ensure that the target has not been cracked. In addition to running chkrootkit, one should perform more specific tests.

sudo aptitude install chkrootkit

2) RkHunter

rootkit, backdoor, sniffer and exploit scanner. Rootkit Hunter scans systems for known and unknown rootkits, backdoors, sniffers and exploits.

It checks for:

  • MD5 hash changes;
  • files commonly created by rootkits;
  • executable with anomalous file permissions;
  • suspicious strings in kernel modules;
  • hidden files in system directories; and can optionally scan within files.

Using rkhunter alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.

Link :

My script

tar zxf rkhunter-1.3.6.tar.gz
cd rkhunter-1.3.6/
./ --layout /usr/local --install
cd /usr/local/
rkhunter --update
rkhunter --check

3) UnHide

Forensic tool to find hidden processes and ports. Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp.

unhide detects hidden processes using three techniques:

  • comparing the output of /proc and /bin/ps
  • comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
  • full scan of the process ID space (PIDs bruteforcing)

unhide-tcp identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.

This package can be used by rkhunter in its daily scans.

9. Secure Erase

1) wipe

Secure file deletion. Recovery of supposedly erased data from magnetic media is easier than what many people would like to believe. A technique called Magnetic Force Microscopy (MFM) allows any moderately funded opponent to recover the last two or three layers of data written to disk. Wipe repeatedly writes special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access.

10. Undelete/Recovery

1) Foremost

Forensics application to recover data. This is a console program to recover files based on their headers and footers for forensics purposes.

Foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

2) e2undel

Undelete utility for the ext2 file system. Interactive console tool to recover the data of deleted files on an ext2 file system under Linux. It does not require knowledge about how ext2 file systems works and should be usable by most people.

This tools searches all inodes marked as deleted on a file system and lists them as sorted by owner and time of deletion. Additionally, it gives you the file size and tries to determine the file type in the way file(1) does. If you did not just delete a whole bunch of files with a ‘rm -r *’, this information should be helpful to find out which of the deleted files you would like to recover.

E2undel will not work on ext3 (journaling) filesystems.


3) Recover

Undelete files on ext2 partitions. Recover automates some steps as described in the ext2-undeletion howto. This means it seeks all the deleted inodes on your hard drive with debugfs. When all the inodes are indexed, recover asks you some questions about the deleted file. These questions are:

  • Hard disk device name
  • Year of deletion
  • Month of deletion
  • Weekday of deletion
  • First/Last possible day of month
  • Min/Max possible file size
  • Min/Max possible deletion hour
  • Min/Max possible deletion minute
  • User ID of the deleted file
  • A text string the file included (can be ignored)

If recover found any fitting inodes, it asks to give a directory name and dumps the inodes into the directory. Finally it asks you if you want to filter the inodes again (in case you typed some wrong answers).

Note that recover works only with ext2 filesystems – it does not support ext3.

11. Port Scan Detection


The Port Scan Attack Detector. PSAD is a collection of four lightweight system daemons written in Perl and in C that is designed to work with Linux firewalling code (iptables in the 2.4/6.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, tcp flags and corresponding nmap options (Linux 2.4.x kernels only), reverse DNS info, email alerting, and automatic
blocking of offending ip addresses via dynamic configuration of ipchains/iptables firewall rulesets.

In addition, for the 2.4/6.x kernels psad incorporates many of the tcp signatures included in Snort to detect highly suspect scans for:

  • various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven)
  • DDoS tools (mstream, shaft)
  • advanced port scans (syn, fin, xmas) such as those made with nmap


2) PortSentry

Portscan detection daemon. PortSentry has the ability to detect portscans(including stealth scans) on the network interfaces of your machine. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule. It is part of the Abacus program suite.

Note: If you have no idea what a port/stealth scan is, It’s recommended to have a look at before installing this package. Otherwise you might easily block hosts you’d better not (e.g. your
NFS-server, name-server, etc.).

3) Snort

Flexible Network Intrusion Detection System. Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This package provides the plain-vanilla snort distribution and does not provide database (available in snort-pgsql and snort-mysql) support.

sudo aptitude install snort

12. Privilege escalation detection

1) Ninja

Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A “magic” group can be specified, allowing members of this group to run any setuid/setgid root executable.
Individual executables can be whitelisted. Ninja uses a fine grained whitelist that lets you whitelist executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su and passwd.


2) John

john, mostly known as John the Ripper, is a tool designed to help systems administrators to find weak (easy to guess or crack through brute force) passwords, and even automatically mail users warning them about it, if it is desired.
It can also be used with different cyphertext formats, including Unix’s DES and MD5, Kerberos AFS passwords, Windows’ LM hashes, BSDI’s extended DES, and OpenBSD’s Blowfish.

sudo aptitude install john

3) Tiger

TIGER, or the ‘tiger’ scripts, is a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems.

TIGER has one primary goal: report ways ‘root’ can be compromised. Debian’s TIGER incorporates new checks primarily oriented towards Debian distribution including: md5sums checks of installed files, location of files not belonging to packages, check of security advisories and analysis of local listening processes.

sudo aptitude install tiger

13. File system Integrity

1) Aide

Advanced Intrusion Detection Environment – static binary AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.

This package contains the statically linked binary for “normal” systems.

You will almost certainly want to tweak the configuration file in /etc/aide/aide.conf or drop your own config snippets into /etc/aide/aide.conf.d.

Upstream URL:

2) Integrit

A file integrity verification program. Integrit helps you determine whether an intruder has modified your system. Without the use of integrit, a sysadmin wouldn’t know if the programs used for investigating the system are trojan horses or not.
Integrit works by creating a database that is a snapshot of the most essential parts of the system. You put the database somewhere safe, and then later you can use it to make sure that no one has made any illicit modifications to your file system.

Integrit’s key features are the small memory footprint, the design with unattended use in mind, intuitive cascading rule sets for the paths listed in the configuration file, the possibility of XML or human-readable output, and simultaneous checks and updates.

See for more information.

3) Debsums

Verify installed package files against MD5 checksums. Debsums can verify the integrity of installed package files against MD5 checksums installed by the package, or generated from a .deb archive.

4) Fcheck

IDS filesystem baseline integrity checker. The fcheck utility is an IDS (Intrusion Detection System) which can be used to monitor changes to any given filesystem.

Essentially, fcheck has the ability to monitor directories, files or complete filesystems for any additions, deletions, and modifications.
It is configurable to exclude active log files, and can be ran as often as needed from the command line or cron making it extremely difficult to circumvent.

5) SamHain

Data integrity and host intrusion alert system. Samhain is an integrity checker and host intrusion detection system that can be used on single hosts as well as large, UNIX-based networks.
It supports central monitoring as well as powerful (and new) stealth features to run undetected on memory using steganography.

Main features :

  • Complete integrity check
    • uses cryptographic checksums of files to detect modifications,
    • can find rogue SUID executable anywhere on disk, and
  • Centralized monitoring
    • native support for logging to a central server via encrypted and authenticated connections
  • Tamper resistance
    • database and configuration files can be signed
    • logfile entries and e-mail reports are signed
    • support for stealth operation


6) SleuthKit

Tools for forensics analysis. The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system and media management forensic analysis tools.
The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The media management tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

The Sleuth Kit’s upstream homepage can be found at

7) Stealth

A stealthy File Integrity Checker. The STEALTH program performs File Integrity Checks on (remote) clients. It differs from other File Integrity Checkers by not requiring baseline integrity data to be kept on either write-only media or in the client’s file system. In fact, client’s will contain hardly any indication at all that they are being monitored, thus improving the stealthiness of the integrity scans.

STEALTH uses standard available software to perform file integrity checks (like find(1) and md5sum(1)). Using individualized policy files, it is highly adaptable to the specific requirements of its clients.

In production environments STEALTH should be run from an isolated computer (called the `STEALTH monitor’). In optimal configurations the STEALTH monitor should be a computer not accepting incoming connections. The account used to connect to its clients does not have to be `root’: usually read-access to the client’s file system is enough to perform a full integrity check. Instead of using `root’ a more restrictive administrative or ordinary account might offer all requirements for the desired integrity check.

STEALTH itself must communicate with the computers it should monitor. It is essential that this communication is secure, and STEALTH configurations will therefore normally specify SSH as the command-shell to use to connect to its
clients. STEALTH may be configured so as to use but one SSH connection per client, even if integrity scans are to be performed repeatedly. Apart from this, the STEALTH monitor might be allowed to send e-mail to remote clients
system’s maintainers.

STEALTH-runs itself may start randomly within specified intervals. The resulting unpredicability of STEALTH-runs further increases STEALTH’s stealthiness.

STEALTH’s acronym is expanded to `Ssh-based Trust Enforcement Acquired through a Locally Trusted Host’: the client’s trust is enforced, the locally trusted host is the STEALTH monitor.

8) TripWire

file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

14. No yet described

1) Wapiti

sudo aptitude install wapiti

2) Nikto

sudo aptitude install nikto

3) IPTraf

sudo aptitude install iptraf

4) PWGen

PwGen is a password generator.

sudo aptitude install pwgen

5) AutoPsy

sudo aptitude install autopsy

6) OphCrack

sudo aptitude install ophcrack

7) Pasco

sudo aptitude install pasco

8) Vinetto

sudo aptitude install vinetto

9) W3af

sudo aptitude install w3af

10) SQLMap

sudo aptitude install sqlmap

11) Scalpel

sudo aptitude install scalpel

Be the first to comment

Leave a Reply

Your email address will not be published.