Appendix E

Security Testing Tools

A list of common security testing tools is discussed in this section. This is by no means an all-inclusive list of security tools, and the tools that are applicable to your organizational requirements need to be identified and used accordingly.

E.1 Reconnaissance (Information Gathering) Tools

  • Ping: By sending Internet control message protocol (ICMP) echo request packets to a target host and waiting for an ICMP response, the network administration utility Ping can be used to test whether a particular host is reachable across an Internet Protocol (IP) network. It can also be used to measure the round-trip time for packets sent from the local host to a destination computer, including the local host’s own interfaces. More information can be obtained at http://ftp.arl.mil/~mike/ping.html.
  • Traceroute (Tracert): Traceroute (or Tracert in Windows) can be used to determine the path (route) taken to a destination host by sending ICMP echo request messages to the destination with incrementally increasing time to live (TTL) field values. Traceroute utilizes the IP protocol TTL field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the destination host. It can also be used to determine which hosts in the route are dropping the packets so that they can be addressed, if feasible. Visual traceroute programs that map the network path a packet takes when transmitted are now available.
  • WHOIS: WHOIS is a query/response protocol widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block, or an autonomous system number.
  • Domain Information Groper (dig): A Linux/Unix command, dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. More information can be obtained at http://linux.about.com/od/commands/l/blcmdl1_dig.htm.
  • netstat: netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. More information can be obtained at http://www.netstat.net.
  • Telnet: Telnet is a network protocol, and the name is also commonly used to refer to an application that uses that protocol. The application is used to connect to remote computers, usually via TCP port 23. Most often, you will be establishing a connection (telnetting) to a UNIX-like server system or a simple network device, such as a switch. Once a connection is established, you can then log in with your account information and execute commands remotely on that computer. The commands you use are operating system commands, and not telnet commands. In most remote access situations, telnet has been replaced by SSH for improved security across untrusted networks. However, telnet continues to be used for remote access today and remains a solid network troubleshooting tool as well. Telnet is also used in banner grabbing. More information can be obtained at http://www.telnet.org.

E.2 Vulnerability Scanners

  • Network Mapper (Nmap): An extremely popular, free, and open source network exploration and security auditing tool. It uses raw IP packets to determine the hosts that are available on the network and can be used to fingerprint operating systems, determine application services (name and version) running on the hosts, and identify the types of packet filters and firewalls that are in use. It runs on all major operating systems, including Windows, Linux, and Mac OS X, and comes in both a command-line version and a version bundled with a GUI and result viewer called Zenmap. The Nmap suite additionally includes Ncat, which is a flexible data transfer, redirection, and debugging tool, and Ndiff, a utility for comparing scan results. More information can be obtained at http://nmap.org.
  • Nessus: A very popular vulnerability scanner that is implemented with a client/server architecture. It has a graphical interface and more than 20,000 plugins that scan for several vulnerabilities. Both UNIX and Windows versions are available. Salient features include remote and local (authenticated) security checks and a proprietary scripting language called Nessus Attack Scripting Language (NASL) that allows security testers to write their own plugins. More information can be obtained at http://www.nessus.org.
  • Retina: Retina is a commercial vulnerability assessment scanner developed by eEye, a company known for security research. It functions like other vulnerability scanners, scanning systems to detect and identify vulnerabilities. Both network and Web vulnerability scanners are available in eEye’s product offering. By using signature pattern matching, intelligence inference engines, context-sensitive vulnerability checks, site analysis, application vulnerabilities, such as input validation, poor coding practices, weak configuration management, and threats in source code, it can evaluate and determine scripts, directory content, and more. More information can be obtained at http://www.eeye.com.
  • SAINT®: SAINT® scans the network to determine any weaknesses that will allow an attacker to gain unauthorized access, disclose sensitive information, or create a DoS in the network. Additionally, it gives the ability to remediate vulnerabilities. Other product offerings help with vulnerability management and penetration testing. More information can be obtained at http://www.saintcorporation.com.
  • GFI LANguard: A commercial network security scanner for Windows that scans IP addresses to determine active hosts (running machines) on the network. It can also fingerprint the operating system (OS), detect service pack versions, and identify missing patches, USB devices, open shares, open ports, running services, groups, users, and passwords that are noncompliant with password policies. The built-in patch manager can be used for installing missing patches as well. More information can be obtained at http://www.gfi.com/lannetscan.
  • QualysGuard® Web Application Scanner (WAS): An on-demand scanner, the QualysGuard® WAS automates Web application security assessment, enabling organizations to assess, track, and remediate Web application vulnerabilities. It works by crawling Web applications and identifying Web application vulnerabilities, such as those in the OWASP Top 10 list and Web Application Security Consortium Threat Classification (WASC TC). It uses both pattern recognition and behavioral analysis to identify and verify vulnerabilities. It can also be used to detect sensitive content in HTML based on user settings and for conducting authenticated and nonauthenticated scanning tests. The QualysGuard WAS is one of the suite of security products offered by Qualys. The others include products for PCI compliance, policy compliance, and vulnerability management. More information can be obtained at http://www.qualys.com.
  • IBM Internet Scanner, formerly Internet Security Systems (ISS): The IBM Internet Scanner can identify more than 1,300 types of network devices, including desktops, servers, routers/switches, firewalls, security devices, and application routers. Upon identification of the devices, the scanner can also analyze device configurations, patch levels, OSes, and installed applications that are susceptible to threats and prioritize remediation tasks preemptively. It identifies critical assets and can be used to prevent the compromise of confidentiality, integrity, and availability of critical business information. More information can be obtained at http://www.ibm.com/iss.
  • Microsoft Baseline Security Analyzer (MBSA): MBSA can be used to detect common security misconfigurations and missing security updates on computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server (SBS). More information can be obtained at http://www.microsoft.com/mbsa.

E.3 Fingerprinting Tools

  • P0f v2: P0f version 2 (P0f v2) is a resourceful, passive, OS fingerprinting tool that identifies the OS of a target host by merely analyzing captured packets. It does not generate any additional traffic, direct or indirect, or perform any name lookups, ARIN queries, or probes. It can also be used to detect the presence of a firewall, the use of network address translation (NAT), or the existence of a load balancer. More information can be obtained at http://lcamtuf.coredump.cx/p0f.shtml.
  • XProbe-NG or XProbe2++: A low-volume, remote, network mapping and analysis tool that can be used for active OS fingerprinting. Using a signature engine and fuzzy signature matching process, a network traffic minimization algorithm, and module sequence optimization, this tool has been proven to fingerprint an OS successfully, even when the target host systems are behind protocol scrubbers. Additionally, XProbe2++ can be used to detect and identify HoneyNet systems that attempt to mimic actual network systems by responding to fingerprinting with packets that match certain OS signatures. More information can be obtained at http://xprobe.sourceforge.net.

E.4 Sniffers/Protocol Analyzers

  • Wireshark (formerly Ethereal): Wireshark is a very popular open source sniffer and network protocol analyzer for both wired and wireless networks. It sniffs detailed information about the packets transmitted on the network interfaces being configured for capture. Wireshark can be used to determine traffic generated by protocols used in your network or application, examine security problems, and learn about the internals of the protocol. More information can be obtained at http://www.wireshark.org.
  • Tcpdump and WinDump: Freely distributed under a BSD license, Tcpdump is another popular packet capture and analyzing tool. As the name suggests, it can be used to intercept and dump TCP/IP packets transmitted in the network. It works on almost all major Unix and Unix-like OSes (Linux, Solaris, BSD, Mac OS X, HP-UX, and AIX) as well as on a Windows version called WinDump. Tcpdump uses the libpcap library, and WinDump uses WinPcap for capturing packets. More information can be obtained at http://www.tcpdump.org and http://www.winpcap.org/windump.
  • Ettercap: A very popular tool for conducting MITM attacks on a LAN, Ettercap is a sniffer/interceptor and logging tool that supports active and passive analysis of protocols, including ones that implement encryption, such as SSH and HTTPS. It can be used for data injection, content filtering, and OS fingerprinting, and it supports plugins. More information can be obtained at http://ettercap.sourceforge.net.
  • DSniff: A very popular password sniffer, DSniff is not just one tool, but a collection of network auditing and penetration testing tools. These tools can be used for passively monitoring networks (dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and Webspy) for passwords, sensitive files, and emails, spoofing (arpspoof, dnsspoof, and macof), and actively conducting MITM attacks against redirected SSH and HTTPS sessions. More information can be obtained from http://monkey.org/~dugsong/dsniff.

E.5 Password Crackers

  • Cain & Abel: Although Cain & Abel is an extremely powerful and popular password sniffing and cracking tool that uses dictionary, brute force, and cryptanalysis to discover passwords, even encrypted ones, it is also much more. It can record VoIP conversations, recover wireless network keys, decode scrambled passwords, reveal password boxes, uncover cached passwords, and analyze routing protocols. Currently, it is solely available in a Windows version. It can also be used for ARP poison routing (APR), which makes it possible to sniff even on switched LANs and to conduct MITM attacks. The new version also ships with routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders, and some not-so-common utilities related to network and system security. More information can be obtained at http://www.oxid.it.
  • John the Ripper: Free and open source software, John the Ripper is another powerful, flexible, and fast multiplatform password hash cracker. Available in multiple flavors, it is primarily used to identify weak passwords, and a tester can use this to verify compliance with strong password policies. It can be used to determine various crypt(3) password hash types supported in Unix versions, Kerberos, and Windows LM hashes. With a wordlist, John the Ripper can be used for dictionary brute-force attacks. More information can be obtained at http://www.openwall.com/john.
  • THC Hydra: A very fast network logon cracker that can be used to test the strength of a remote authentication service. Unlike many other password crackers that are restricted in the number of protocols they can support, THC Hydra supports multiple protocols. The current version supports 30+ protocols, including Telnet, FTP, HTTP, HTTPS, HTTP-Proxy, SMB, SMBNT, MS-SQL, MySQL, REXEC, RSH, RLOGIN, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, ICQ, LDAP, Postgres, and Cisco. More information can be obtained at http://freeworld.thc.org/thc-hydra.
  • L0phtcrack: One of the premier password cracking tools, L0phtcrack is a password audit and recovery tool for Windows and Unix passwords. It uses a scoring metric to assess the quality of passwords by measuring them against current industry best practices for password strength. It supports precomputed password hashes and can be used for password and network auditing from a remote interface. It also has the ability to schedule a password audit scan that is configurable based on the organization’s auditing needs. More information can be obtained at http://www.L0phtcrack.com.
  • RainbowCrack: Unlike brute-force crackers that generate and match hashes of plaintext on the fly to discover a password, RainbowCrack is a brute-force hash cracker that uses rainbow tables of precomputed hash values for discovering passwords. This works on the principle of time–memory tradeoff, which basically means that memory use can be reduced at the cost of slower program execution or vice versa. By precomputing hash values and storing them in a table (known as a rainbow table), this cracker can be used to look up values that match in determining the actual password. During the precomputation phase, all plaintext/hash pairs for a particular hash function, character set, and plaintext length are computed, and the results are stored in a rainbow table. This can be time-consuming initially, but once the hashes are precomputed, then cracking can be significantly faster as it primarily works by looking up and comparing values. More information can be obtained at http://project-rainbowcrack.com.

E.6 Web Security Tools: Scanners, Proxies, and Vulnerability Management

  • Nikto2: An open source application and Web server scanner, Nikto2 performs comprehensive tests against Web servers for detecting dangerous files and common gateway interfaces (CGIs), determining outdated Web server versions, and finding potential vulnerabilities in them. It can also be used to identify installed Web servers and applications that run on them, besides having the ability to check for server configuration items, such as multiple index files and HTTP Server options settings. Although it is not a very stealthy tool and is often evident in IDS logs, Nikto2 is a powerful and fast Web security scanner that uses Libwhisker (a Perl module geared toward HTTP testing) and provides support for anti-IDS methods that can be used to test your IDS. It also supports plugins for other vulnerability scanners, such as Nessus. More information can be obtained at http://www.cirt.net/nikto2.
  • Paros: Written in Java, Paros is a Web application vulnerability assessment proxy that intercepts and proxies HTTP and HTTPS data between the Web server and the browser client. This makes it possible to view and edit HTTP/HTTPS messages, cookies, and form fields on the fly. As well as scanning Web applications for common attacks like SQL injection and cross-site scripting (XSS), it can also be used for spidering Web sites and performing MITM attacks. It comes with a Web traffic recorder and hash calculator to assist vulnerability assessment testing. More information can be obtained at http://www.parosproxy.org.
  • WebScarab-NG (New Generation): A Web application intercepting proxy tool supported as an OWASP Project. Similar in function to the Paros proxy, it can be used to analyze and modify requests from the browser or client to the Web server. It can be used by anyone who wishes to understand the internals of their HTTP/HTTPS application and by testing teams to debug and identify Web application issues, besides giving a security specialist a tool to help identify vulnerabilities in their implemented Web applications. The current version supports a floating tool bar that stays on top of the client window and the ability to annotate conversations, and it has the ability to provide feedback to the user. More information can be obtained at http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project.
  • Burp Suite: Written in Java, Burp Suite is an integrated platform that can be used to test the resiliency of Web applications. It provides the ability to combine manual and automated testing techniques to analyze, scan, attack, and exploit Web applications. All tools in the suite use the same robust framework for handling HTTP requests, scanning, spidering, persistence, authentication, proxying, sequencing, decoding, logging, alerting, comparisons, and extensibility. More information can be obtained at http://www.portswigger.net/suite.
  • Wikto: Written in Microsoft .Net, Wikto is one of the power tools that check for flaws in Web servers. In its functioning, it is very similar to Nikto2, but it has some unique features, such as the back-end miner and integration with Google that can be used in the assessment of the Web servers. More information can be obtained at http://www.sensepost.com/research/wikto.
  • HP WebInspect: A popular Web application security assessment tool, HP WebInspect is built on Web 2.0 technologies that provide fast scanning capabilities and broad coverage for common and emerging Web application threats. It uses innovative assessment techniques, such as simultaneous crawl and audit (SCA), and concurrent application scanning for faster scans with accurate results. More information can be obtained at http://www.hp.com/go/securitysoftware.
  • IBM Rational AppScan: This product suite has a list of products that makes it easy to integrate security testing throughout the application development life cycle, thereby providing security assurance early on in the development phase. Using multiple testing techniques, AppScan offers both static and dynamic security testing and can scan for many common vulnerabilities, such as XSS, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, and buffer overflow. There is a developer edition that automates security scanning for nonsecurity professionals and a tester edition that integrates Web application security testing into the QA process. More information can be obtained from http://www-01.ibm.com/software/awdtools/appscan.
  • WhiteHat Sentinel: A software-as-a-service (SaaS) scalable Web site vulnerability management platform offered as a subscription-based service. It leverages technology with its advanced scanning technologies and complements that with human testing. It has the ability to integrate with some Web application firewalls (WAFs) and can be used to protect Web applications from attackers. More information can be obtained at http://www.whitehatsec.com.

E.7 Wireless Security Tools

  • Kismet: A versatile and powerful 802.11 Layer 2 wireless network detector, sniffer, and IDS that works with any wireless card that supports raw monitoring (rfmon) mode. With the appropriate hardware, it can sniff 802.11 a/b/g and n network traffic as well. It is a passive sniffer that collects packets and detects standard named networks. It is commonly used for finding wireless access points (wardriving). It can also be used to discover WEP keys, decloak hidden networks and SSIDs, and infer the presence of nonbeaconing networks via data traffic that it sniffs. More information can be obtained at http://www.kismetwireless.net.
  • NetStumbler: NetStumbler is a Windows-only tool used to detect wireless local area networks (WLANs) and sniff 802.11 a/b and g network traffic. It can be used to test correct configuration of your wireless network and find areas where the wireless signals are attenuated. It can also be used to detect interfering wireless networks and rogue access points installed within or in proximity to your network. Like Kismet, it is also used for wardriving. More information can be obtained at http://www.netstumbler.com.
  • Aircrack-ng: An 802.11 suite of tools as listed below that can be used to test the strength of a wireless defense or its lack thereof. It is used primarily for cracking WEP and WPA-PSK keys by recovering the keys once enough data packets have been captured. The set of tools within the Aircrack-ng suite for auditing wireless networks includes a multipurpose tool aimed at attacking clients, as opposed to the access point (AP) itself (airbase-ng), a WEP/WPA/WPA2 captured files decryptor (airdecap-ng), a WEP Cloaking remover (airdecloak-ng), a script that allows installation of wireless drivers (airdriver-ng), a tool to inject and replay wireless frames (aireplay-ng), a wireless interface monitoring mode enabler and disabler (airmon-ng), a tool to dump and capture raw 802.11 frames (airodump-ng), a tool to precompute WPA/WPA2 passphrases in a database to use later with aircrack-ng (airolib-ng), a wireless card TCP/IP server that allows multiple applications to use a wireless card (airserv-ng), a virtual tunnel interface creator (airtun-ng), a packet forger that can be used in injection attacks (packetforge-ng), and more. More information can be obtained at http://www.aircrack-ng.org/.
  • KisMAC-ng: A popular free and open source wireless stumbling and security tool for Mac OS X. It was originally developed in Germany, but with the introduction of the StGB §202c law in Germany, under which distribution of security software was a punishable offense, it had to find a place outside Germany for continued development. Its advantage over other wireless stumblers is that it uses monitor mode and passive scanning for detecting and sniffing wireless packets. Most major wireless cards and chipsets are supported. It also offers packet capture (Pcap) format import and logging and decryption and can be used for some deauthentication attacks. More information can be obtained at http://kismac-ng.org.

E.8 Reverse Engineering Tools (Assembler and Disassemblers, Debuggers, and Decompilers)

  • ILDASM and ILASM: The Microsoft Intermediate Language Disassembler (ILDASM) takes a portable executable (PE) file that contains Microsoft Intermediate Language (MSIL) code and outputs a text file that can be used as an input into its companion tool, the Microsoft Intermediate Assembler (ILASM). Metadata attribute information of the MSIL code can be determined, and running a PE through ILDASM can help identify missing runtime metadata attributes. The text file output from ILDASM can then be edited to include any missing metadata attributes, and this can be input into the ILASM tool to generate a final executable. The ILDASM and ILASM tools can be used by a reverse engineer to understand the internal workings of a PE for which the source code is not available. More information can be obtained by searching for ILDASM and/or ILASM at http://msdn.microsoft.com.
  • OllyDbg: A 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg features an intuitive user interface, advanced code analysis capable of recognizing procedures, loops, API calls, switches, tables, constants and strings, an ability to attach to a running program, and good multithread support. OllyDbg is shareware, free to download and use, but no source code is provided. More information can be obtained at http://www.ollydbg.de.
  • IDA Pro: IDA Pro is deemed to be the de facto standard for host code analysis and vulnerability research. It is a commercial, interactive Windows and Linux multiprocessor disassembler and debugger that can also be programmed. It can also be used for COTS product validation and privacy protection analysis. More information can be obtained at http://www.hex-rays.com/idapro.
  • .Net Reflector: A tool that enables you to easily view, navigate, and search through the class hierarchies of .NET assemblies, even if you do not have the code for them. With it, you can decompile and analyze .NET assemblies in C#, Visual Basic, and MSIL. This is useful for understanding the internal working of a .Net assembly and can be used for security research and vulnerability assessment. It supports add-ins that can be configured, which makes .Net Reflector a powerful tool in the arsenal of tools needed for security testing .Net applications. More information can be obtained at http://www.red-gate.com/products/reflector.

E.9 Source Code Analyzers

  • IBM Ounce 6: IBM’s acquisition of Ouncelabs added to their security product suite Ounce 6, which is a source code analyzing solution for vulnerabilities and threat exposures in software. By integrating into the SDLC, Ounce 6 helps to ensure data privacy, document compliance efforts, and security of outsourced code. More information can be obtained at http://www.ouncelabs.com/products.
  • Fortify Software: Both a static and dynamic source code analyzer. The source code analyzer component examines the application’s source code for exploitable vulnerabilities and can be used during the development phase of the SDLC to catch security issues early. The program trace analyzer component identifies vulnerabilities that can be found when the application is running and can be used during the software testing or QA phase. The real-time analyzer monitors deployed applications, identifying how and when the application is being attacked. It provides detailed information about the internals of the application that identifies the vulnerabilities that are being exploited. This can be used while the application is in production to determine security weaknesses that were missed during development. The company also has an on-demand SaaS offering. More information can be obtained at http://www.fortify.com/products.

E.10 Vulnerability Exploitation Tools

  • Metasploit Framework: A de facto tool in the hands of any security researcher or penetration tester. It provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only. More information can be obtained at http://www.metasploit.com.
  • CANVAS: Developed by Immunity, CANVAS is a comprehensive commercial exploitation framework that makes available hundreds of exploits, including zero-day exploits, along with its exploitation system. It also provides a development framework for penetration testers and security researchers. More information can be obtained at http://www.immunitysec.com.
  • CORE IMPACT: The security testing software solutions from CORE IMPACT provide a comprehensive approach to assessing organizational readiness when facing real-world security threats. They can be used to expose vulnerabilities proactively, measure operational risk, and assure security effectiveness across various information systems. They can be used for penetration testing, and they come with a plethora of professional exploits. More information can be obtained at http://www.coresecurity.com.
  • Browser Exploitation Framework (BeEF): BeEF provides a modular framework that can be easily integrated with the browser. It can be used to demonstrate the impact of browser and cross-site scripting (XSS) issues in real time. Current modules include Metasploit, port scanning, keylogging, The Onion Router (Tor) detection, and more. More information can be obtained at http://www.bindshell.net/tools/beef.
  • Netcat and Socat: Deemed the Swiss Army Knife for network security, Netcat is a simple utility that reads and writes data across TCP and UDP network connections. It has a built-in port scanner and is a feature-rich debugging and exploration tool that can create almost any kind of connection, including port binding to accept incoming connections. A similar tool to Netcat is Socat, which extends Netcat to support other socket types, SSL encryption, SOCKS proxies, and more. More information can be obtained at http://netcat.sourceforge.net.

E.11 Security-Oriented Operating Systems

  • BackTrack: A Linux-based penetration testing OS that aids security professionals and penetration testers in performing security assessments. It can be installed on the hard drive as the primary OS or can be booted from a LiveDVD or even a USB key fob (or thumb drive). BackTrack has been customized down to every package, kernel configuration, script, and patch solely for the purpose of the penetration tester. It has a variety of security and forensic tools that are preinstalled, and it is very popular among renowned penetration testers. More information can be obtained at http://www.backtrack-linux.org.
  • Knoppix-NSM: Dedicated to providing a framework for individuals who want to learn about network security monitoring (NSM) or who want to deploy NSM in their network quickly and reliably. It is now succeeded by Securix-NSM. More information can be obtained at http://www.securixlive.com/knoppix-nsm.
  • Helix: A customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection, and many applications dedicated to incident response and forensics. More information can be obtained at http://www.e-fense.com/helix.
  • OpenBSD: A free multiplatform Berkeley Software Distribution (BSD) based UNIX-like OS that emphasizes portability, standardization, correctness, proactive security, and integrated cryptography. With a track record of minimal security bugs in the default install, it is said to be one of the most proactive, secure OSes. Among its greatest accomplishments are developing OpenSSH and the packet-filtering firewall tool (PF). More information can be obtained from http://www.openbsd.org.
  • Bastille: Bastille is not actually an OS, but a security hardening script for “locking down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works. Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX and Mac OS X. Bastille’s focus is on letting the system’s user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user’s answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as inform the user as to which settings have been tightened. More information can be obtained at http://bastille-linux.sourceforge.net.

E.12 Privacy Testing Tools

  • The Onion Router (Tor): Tor is a system for using the Internet anonymously. It is free software and a network of virtual tunnels that allows people and groups to defend against network surveillance and provides anonymity online. It helps by anonymizing Web browsing and publishing, instant messaging, remote login, and other applications that use the TCP protocol. Tor provides protection by bouncing communications around a distributed network of relays all around the world, which prevents anyone watching the Internet connection from learning the sites you visit or your physical location. Using Tor, one can build new applications with built-in anonymity, safety, and privacy features and gain the assurance of privacy and anonymity in applications that run over TCP. More information can be obtained at http://www.torproject.org.
  • Stunnel – Universal SSL wrapper: Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL and is available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (e.g., POP, IMAP, LDAP) by having Stunnel provide the encryption, requiring no changes to the daemon’s code. It can be used for verification of confidentiality assurance when sensitive data are transmitted in the network. More information can be obtained at http://www.stunnel.org.