<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AskApache &#187; Search Results  &#187;  scanners</title>
	<atom:link href="http://www.askapache.com/search/scanners/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.askapache.com</link>
	<description>Advanced Web Development</description>
	<lastBuildDate>Thu, 26 Apr 2012 11:29:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Windows Optimization &#8211; Intense Part II</title>
		<link>http://www.askapache.com/windows/defrag-optimize-speed-xp.html</link>
		<comments>http://www.askapache.com/windows/defrag-optimize-speed-xp.html#comments</comments>
		<pubDate>Mon, 05 Oct 2009 13:42:28 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.askapache.com/?p=3039</guid>
		<description><![CDATA[<p><a href="http://www.askapache.com/windows/defrag-optimize-speed-xp.html" class="IFL" id="id3"></a>If you ever wanted to know the best way to defragment and speed up your Windows-based PC, I mean you <em>really</em> wanted to know, here is the 2nd part to my article on Windows Speed Optimizing that details the process I have found works really well.  Definitely not a quick process, and certainly not the best ever, just my best ever and one that you only have to do once to get the benefits.
This article has a lot of incredibly useful (and FREE) tools I recommend, which you can grab and use without reading the article.<br class="C" /></p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/windows/defrag-optimize-speed-xp.html"></a><a href="http://www.askapache.com/windows/defrag-optimize-speed-xp.html"><cite>AskApache.com</cite></a></p><p>This is part 2 of my Windows XP Optimization article:  <a href="http://www.askapache.com/windows/blazing-fast-xp-speed.html">Make Windows XP Blazingly Fast</a>.</p>
<p>The first article was meant as a <a href="http://www.askapache.com/windows/blazing-fast-xp-speed.html">detailed and thorough introduction to speeding up Windows-based PCs</a> in a way that makes it easy to follow, without getting too specific.  So make sure you read that first, and pay the most attention to freeing up RAM, CPU, and disk IO speed by reducing the number of services and processes that are running.  We will deal with defragmentation, hard-drive speed, disk IO, prefetching, and pagefile/registry defragmentation now.</p>

<p>This article has some really really really great stuff for ya.  It shows which tools (all but one completely free) are the best and you will use them for a long time, they are all very good.  That is just a side benefit, as this article is really more of a step-by-step guide to optimizing your system that won't have to be repeated for at least a year.  The result of course is a much more responsive PC.</p>

<h2>What's New</h2>
<p>After writing that article I continued my research and testing into the subject on my personal computers.  I wanted to test out several additional programs and methods before I wrote about them for you guys, and I found a few really sweet additions that had a very big performance gain for all my computers, from my oldest and slowest PCs to my new 4K power laptop.  This article is primarily focused on optimizing your hard drive data and improving your disk IO speed, and you will definitely see an improvement in speed.  It doesn't get REALLY good until the defragmenting section.</p>
<ol>
<li><a href="#optimize-hard-drive">Clean Up Hard Drive</a> - Removing unneccessary files</li>
<li><a href="#registry-cleaning">Clean Registry</a> - Fixing slow registry problems automatically</li>
<li><a href="#defragmenting">Ultimate Defragmenting</a> - The best defrag method I use</li>
<li><a href="#optimize-disk">Optimize Physical Hard Disk</a> - Final step that cleans and heals your physical disk</li>
</ol>


<hr class="C" /><p><a id="optimize-hard-drive" name="optimize-hard-drive"></a></p>
<h2>Clean Up Hard Drive</h2>
<p>The first step is to clean up all the extra, temporary, and unnecessary files cluttering your hard drive.  The reason is that we will be defragmenting your hard drive like it's never been defragged before, then we are going to go over every single bit and byte of your hard drive to optimize the physical sectors and storage of your data.  We will also be running a check of your registry and cleaning out bad links and other slow errors, so get it as clutter-free as possible.  DON'T use Windows' built-in folder compression, it makes defragmentation worse... DO use 7-zip or WinRAR to create a solid archive file of any misc directories with a bunch of files... You only need one program to clean your system.</p>

<h3>CCleaner</h3>
<p><a class="ccleaner ccl1 IFL" href="http://uploads.askapache.com/2009/10/screen_301.png" title="CCleaner main program window open on the Windows tab"></a>CCleaner is a Small, Fast and Free software that removes unused and temporary files from your system and allows Windows to run faster, more efficiently and gives you more hard disk space.  I've now been using it for several months and love it.  As well as cleaning up old files and settings left by standard Windows components, CCleaner also cleans temporary files and recent file lists for many applications. Including: Firefox, Opera, Safari, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Microsoft Office, Nero, Adobe Acrobat Reader, WinRAR, WinAce, WinZip and more... Google Chrome, Opera, Safari, etc..<br class="C" /></p>
<ul>
<li>Recycle Bin, Clipboard</li>
<li>Windows Temporary files, Windows Log files, Chkdsk file fragments</li>
<li>Recent Documents (on the Start Menu), Run history (on the Start Menu)</li>
<li>Windows XP Search Assistant history, old Prefetch data, Windows memory dumps after crashes</li>
</ul>
<p><a href="http://www.ccleaner.com/download">Download CCleaner</a><br class="C" /></p>






<hr class="C" /><p><a id="registry-cleaning" name="registry-cleaning"></a></p>
<h2>Registry Cleaning</h2>
<p>The registry is Windows' biggest mistake (although I'm sure they like it), and basically holds all the information for your programs and Windows: things like the size of your windows, recent file lists, icon files for different icons, etc.  I've never seen a computer that didn't have some registry issues, so this needs to be cleaned and may have a huge impact on your speed.  Real quickly, here are some programs to back up and restore your registry, optimize and defrag your registry, and finally search for and clean any errors in your registry.</p>

<h3>CCleaner</h3>
<p><a class="ccleaner ccl3 IFL" href="http://uploads.askapache.com/2009/10/screen_303.png" title="CCleaner Issue Scanning section with the results of a scan"></a>Yup!  CCleaner also takes care of most of the performance issues of your registry.  It's very safe and fast.  CCleaner uses an advanced Registry Cleaner to check for problems and inconsistencies. It checks the following:<br class="C" /></p>
<ul>
<li>ClassIDs, ProgIDs, Application Paths, Icons</li>
<li>Uninstallers, Shared DLLs, Fonts, Help File references</li>
<li>File Extensions, ActiveX Controls, Invalid Shortcuts and more...</li>
</ul>
<p><a href="http://www.ccleaner.com/download">Download CCleaner</a><br class="C" /></p>


<h3>ERUNT - The Emergency Recovery Utility NT</h3>
<p><img class="IFL" src="http://uploads.askapache.com/2009/10/erunt.gif" alt="ERUNT – Registry Backup and Restore Emergency Recovery Utility for Windows" title="ERUNT – Registry Backup and Restore Emergency Recovery Utility for Windows" width="32" height="32" /><a href="http://www.larshederer.homepage.t-online.de/erunt/index.htm">ERUNT</a> is a Registry Backup and Restore utility for Windows NT/2000/2003/XP.  I use this to backup my registry automatically or on command.. Ive used it for years and it's always good to backup before you do anything.<br class="C" /></p>
<pre># Here&#039;s the command I use (only for advanced users familiar with autoback)
"%ProgramFiles%\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\#Date# sysreg curuser otherusers /noconfirmdelete /noprogresswindow /days:45 /alwayscreate</pre>
<p><a href="http://www.larshederer.homepage.t-online.de/erunt/">Download ERUNT</a> &middot; (<a href="http://www.larshederer.homepage.t-online.de/erunt/erunt.txt">Details</a>)<br class="C" /></p>


<h3>NTREGOPT - NT Registry Optimizer</h3>
<p><img class="IFL" src="http://uploads.askapache.com/2009/10/ntregopt.gif" alt="NTREGOPT – NT Registry Optimizer for Windows" title="NTREGOPT – NT Registry Optimizer for Windows" width="32" height="32" /><a href="http://www.larshederer.homepage.t-online.de/erunt/index.htm">NTREGOPT</a> is a Registry Optimization tool for Windows NT/2000/2003/XP/Vista that minimizes the size of your registry files by simply compacting the registry hives to the minimum size possible.<br /><br />Registry files in an NT-based system can become fragmented over time, occupying more space on your hard disk than necessary and decreasing overall performance. You should use the NTREGOPT utility regularly, but especially after installing or uninstalling a program, to minimize the size of the registry files and optimize registry access.  The program works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys.  It does NOT change the contents of the registry in any way, nor does it physically defrag the registry files on the drive.  I recommend using this once every couple of weeks.  I scheduled it to run automatically.<br class="C" /></p>
<p><a href="http://www.larshederer.homepage.t-online.de/erunt/">Download NTREGOPT</a> &middot; (<a href="http://www.larshederer.homepage.t-online.de/erunt/ntregopt.txt">Details</a>)<br class="C" /></p>











<hr class="C" /><p><a id="defragmenting" name="defragmenting"></a></p>
<h2>Ultimate Defragmenting</h2>
<p>I say "Ultimate Defragmenting" because this is the result of a lot of testing of all the various defragmenting software out there, reading a lot of documentation, and running benchmarking to find the fastest results.  This is a mix of several individual defragmenting steps combined for a once-a-year ultimate defragmenting session.  This is what I use today, and although it's altogether a long process, each step you'll add a new tool or skill that you can use by itself from here on out.</p>
<p class="inote">ATTENTION:  While running MyDefrag/JkDefrag, SpinRite, and UltraDefrag your computer can get very hot and that is very not cool.  I set my laptop on a coke can and pointed a small desk fan at it which kept it very very cool, so do what you can to minimize heat during these programs.</p>


<h3>PageDefrag</h3>
<p><img src="http://uploads.askapache.com/2009/10/PageDefrag-115x94.gif" alt="PageDefrag SysInternals By Mark Russinovich" title="PageDefrag SysInternals By Mark Russinovich" width="115" height="94" class="IFL" /><a href="http://technet.microsoft.com/en-us/sysinternals/bb897426.aspx">PageDefrag</a> uses advanced techniques to provide you what commercial defragmenters cannot: the ability for you to see how fragmented your paging files and Registry hives are, and to defragment them. In addition, it defragments event log files and Windows 2000/XP hibernation files (where system memory is saved when you hibernate a laptop).  One of the limitations of the Windows NT/2000 defragmentation interface is that it is not possible to defragment files that are open for exclusive access. Thus, standard defragmentation programs can neither show you how fragmented your paging files or Registry hives are, nor defragment them. Paging and Registry file fragmentation can be one of the leading causes of performance degradation related to file fragmentation in a system.<br class="C" /></p>
<p>I personally keep this enabled for every boot, as it only takes a few seconds after the first time it's run.</p>
<p><a href="http://technet.microsoft.com/en-us/sysinternals/bb897426.aspx">Download PageDefrag</a><br class="C" /></p>



<h3>MyDefrag</h3>
<p><img class="IFL" src="http://uploads.askapache.com/2009/10/jkdefrag.gif" alt="Windows Optimization   Intense Part II" title="jkdefrag" width="128" height="101" class="alignnone size-full wp-image-3420" />JkDefrag is a disk defragmenter and optimizer for Windows 2000/2003/XP/Vista/2008/X64. Completely automatic and very easy to use, fast, low overhead, with several optimization strategies, and can handle floppies, USB disks, memory sticks, and anything else that looks like a disk to Windows. Included are a Windows version, a commandline version (for scheduling by the task scheduler or for use from administrator scripts), a screensaver version, a DLL library (for use from programming languages), versions for Windows X64, and the complete sources. (<a href="http://www.mydefrag.com/Manual-FrequentlyAskedQuestions.html">Frequently Asked Questions</a>)<br class="C" /></p>
<p>After trying out dozens of degragmenting programs, this is my favorite.  I utilize the cool screensaver function and just run sometimes when I'm calling it a day.</p>

<h4><a href="http://www.mydefrag.com/Manual-TipsAndTricks.html">Tips and tricks</a></h4>
<ul>
  <li>Many users start looking for defragmentation/optimization programs when their computer becomes slow. The main reason for a slow computer is a full harddisk. A full harddisk is slow because the distance between files is greater than on a fresh practically empty harddisk. Deleting half the data on a full disk will just about double the speed. The more free diskspace, the faster your computer will be.</li>
  <li>Buy a second harddisk (for example an USB harddisk) and move little used stuff from your primary harddisk to that secondary harddisk. The second disk can also be used for backing up the primary disk.</li>
  <li>When buying a new computer, buy the biggest harddisk you can afford. Investing in a bigger harddisk gives more speed-per-dollar than investing in a faster CPU or investing in more memory.</li>
  <li>Cleanup old junk from your harddisk before running MyDefrag. You can clean Windows files with for example "Start -&gt; Programs -&gt; Accessories -&gt; System Tools -&gt; Disk Cleanup", or with something like the freeware <a href="http://www.ccleaner.com/"><b>CCleaner</b></a> program.</li>
  <li>Reboot before running MyDefrag. This will release files that are in use, so they can be defragmented and optimized.</li>
  <li>Boot into Windows safe mode by pressing F8 when booting, and then run MyDefrag. It will be slower because the Windows disk cache is off in safe mode, but MyDefrag will be able to process (a few) more files.</li>
  <li>Stop your real time virus scanner before running MyDefrag. Virus scanners check all disk activity, making defragmentation and optimization very slow.</li>
  <li>Move the swap file to another volume, reboot, defragment, and move the swap file back. If you don't have a second volume then temporarily make the swap file small, for example 100Mb.</li>
  <li>Package unused files with a packager such as <a href="http://www.7-zip.org/">7-zip</a>. The packagefile not only takes less harddisk space, but will also defragment and optimize much faster than the individual files. <b>Note</b>: This does not apply to Windows NTFS compression, which will actually make defragmentation and optimization slower.</li>
  <li>The first partition on a harddisk is significantly faster than other partitions. Try to use other partitions only for data that is used less often, such as music, movies, archives, backups, logfiles.</li>
  <li>If you have 2 physical harddisks of the same speed, then place the pagefile on the first partition of the second harddisk.</li>
</ul>
<p>The way I recommend is to run MyDefrag at the highest level of defragmentation once, which took my fastest PC almost 30 hours.  Once that is done you can just run it normally in 20 minutes or so.  This software also has the best defrag information I've found to date, so check out the documentation on the site.</p>
<p><a href="http://www.mydefrag.com/Manual-DownloadAndInstall.html">Download MyDefrag</a><br class="C" /></p>



<h3>UltraDefrag</h3>
<p><img class="IFL" src="http://uploads.askapache.com/2009/10/ultra_defrag.gif" alt="UltraDefrag - powerful Defragmentation tool for Windows" title="UltraDefrag - powerful Defragmentation tool for Windows" width="196" height="158" class="alignnone size-full wp-image-3424" />UltraDefrag is a powerful Open Source Defragmentation tool for Windows Platform. It is very fast, because the defragmenting is done via the kernel-mode driver. There are three interface available : Graphical, Console and Native.  I personally like the MyDefrag more because I think it does a better job, but I also use the UltraDefrag tool because it has one very important feature like the PageDefrag tool.  It has a native version.  That means it can run before Windows loads up by utilizing the bootexecute, the same place that windows chkdsk runs at boot.   It also can takeover for Windows builtin prefetcher, to speed up the loading of frequently used programs, which I'll explain a bit later. <br class="C" /></p>
<p>I set ultradefrag up after the MyDefrag 30hour defrag completes, to run at boot and control the prefetching, then I erase any prefetch files currently saved and reboot which lets it defrag the system.</p>
<pre>erase /Q "%SYSTEMROOT%\Prefetch\*.*"</pre>
<p>Once both MyDefrag and UltraDefrag have run, THEN I finally log in to Windows and don't open any programs, to let the Windows OS files get optimized by not doing anything at all for 5 minutes.  Then I reboot and log back in, and this time I don't do anything for 30 minutes and reboot.  Finally I log back in and this time I instantly load up 10 of my most frequently used programs (DreamWeaver, Photoshop, Firefox, Chrome, Notepad2, Thunderbird, Internet Explorer, and a few others), and once they are all loaded I don't do anything for an hour.  Then I reboot and repeat that same process.</p>
<p>This may seem odd or made up but I do my research and this allows your prefetched files to be optimized, including your boot prefetch files.   Once that is done I reboot and run all the defrags again.  Then I reboot and am ready for the last step.</p>
<p><a href="http://ultradefrag.sourceforge.net/">Download UltraDefrag</a><br class="C" /></p>





<hr class="C" />
<p><a id="optimize-disk" name="optimize-disk"></a></p>
<h2>Optimize Physical Hard Disk</h2>
<p>Now at this point the system is defragged and optimized as much as I can get it, but the last step is to run a program that goes over every single bit on our hard disk to keep the drive clean and healthy.  It's too technical for me to understand; I just know it's amazingly cool and I noticed a big change right away.</p>


<h3>HD Tune</h3>
<p><img class="IFL" src="http://uploads.askapache.com/2009/10/HDTune_Benchmark-116x94.gif" alt="Windows Optimization   Intense Part II" title="HDTune_Benchmark" width="116" height="94" class="alignnone size-thumbnail wp-image-3425" />HD Tune is a fantastic little utility that you can use to benchmark the DISK IO speed of your various drives, internal and external, fixed and USB, firewire, etc..  Other than using it to determine your fastest drives for moving your program files and temps to, I am just including it in this article because it is an awesome program that you will love.<br class="C" /></p>
<p><a href="http://www.hdtune.com/download.html">Download HD Tune</a></p>


<h3>SpinRite</h3>
<p>This is the last step in this guide, and was the one thing that surprised me the most in terms of how much of a speed improvement I noticed after using it.  SpinRite is the most capable, thorough, and reliable utility that has ever been created for the long term maintenance, recovery, and repair of mass storage systems.   SpinRite is not a drive defragmenter. SpinRite operates with the drive's built-in intelligence to reassign and relocate defective sectors without creating file system fragments. Thus, running SpinRite does not create fragments, but neither does it eliminate any that may exist before it was run. Unlike any other disk utility, SpinRite interfaces directly to the hard disk system’s hardware, rather than working through the system’s operating system or BIOS.  <a href="http://www.grc.com/sr/faq.htm">FAQ</a>.</p>
<p class="anote">The way that we use SpinRite in this article is method #4, Drive Maintenance mode, which reads and writes and verifies every single sector and area of your hard drives, and improves the health of your hard drive a lot.  Even on my new 4K dell power laptop, this had a noticeable improvement on speed.  After running this 20+ hours for my fastest PC, I rebooted, defragged with jkdefrag, and that is the end of this article.</p>

<blockquote cite="http://www.grc.com/files/technote.pdf">
<h4>In case you don't already know . . . What is SpinRite?</h4>
<p>SpinRite is a stand-alone DOS application that specializes in the recovery of marginally or completely unreadable hard and floppy disk data, and in the lifetime maintenance of PC mass storage devices. It earned its stripes many years ago by introducing the concept of non-destructive low-level reformatting and sector interleave optimization. Since then its capabilities have continued to broaden until it has become the premiere tool for disk data recovery and magnetic mass storage drive maintenance. Written in assembly language, SpinRite still performs as well on a clunky old 4.77 megahertz PC/XT as on a screaming 333 megahertz Pentium II.</p>
</blockquote>
<p> While SpinRite 6.0 is running, you can toggle through seven displays:<br />
<img src="http://uploads.askapache.com/2009/10/spinrite-4.png" width="480" height="267" alt="Graphic Status Display" title="spinrite 4 windows" /><br />
<img src="http://uploads.askapache.com/2009/10/spinrite-5.png" width="480" height="267" alt="Real-Time Activities" title="spinrite 5 windows" /><br />
<img src="http://uploads.askapache.com/2009/10/spinrite-6.png" width="480" height="267" alt="Technical Log" title="spinrite 6 windows" /><br />
<img src="http://uploads.askapache.com/2009/10/spinrite-7.png" width="480" height="267" alt="S.M.A.R.T. System Monitor" title="spinrite 7 windows" /><br />
<img src="http://uploads.askapache.com/2009/10/spinrite-8.png" width="480" height="267" alt="DynaStat Data Recovery" title="spinrite 8 windows" /></p>
<p><a href="http://www.grc.com/cs/prepurch.htm">Purchase and Download SpinRite</a></p>






<hr class="C" /><hr class="C" /><hr class="C" /><p>More Reading</p>
<ul>
<li><a href="http://www.pcnet-online.com/picks/spinrite.htm">PCNet File Catch - SpinRite 6.0</a></li>
<li><a href="http://www.linuxjournal.com/article/7684">SpinRite 6.0 for Linux Users</a></li>
<li><a href="http://www.sysopt.com/tutorials/article.php/12034_3549006_1">Anticipate Drive Problems Early with SpinRite v6.0</a></li>
<li><a href="http://www.blackviper.com/WinXP/supertweaks.htm">Black Viper - Windows XP Super Tweaks</a></li>
<li><a href="http://www.blackviper.com/WinXP/custom_sc_bat_Pro.php">Black Viper - Optimize your Services</a></li>
<li><a href="http://www.horstmann.com/bigj/help/windows/advanced.html">Advanced Windows Shell Tutorial</a></li>
<li><a href="http://commandwindows.com/batch.htm">Batch Files (Scripts) in Windows </a></li>
<li><a href="http://proton.pathname.com/fhs/">File System Heirarchy</a></li>
<li><a href="http://www.grc.com/sn/sn-186.htm">Steve Gibson discussing Defragmenting</a></li>
</ul><p><a href="http://www.askapache.com/windows/defrag-optimize-speed-xp.html"></a><a href="http://www.askapache.com/windows/defrag-optimize-speed-xp.html">Windows Optimization &#8211; Intense Part II</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/windows/defrag-optimize-speed-xp.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>COMPUTER SECURITY TOOLBOX</title>
		<link>http://www.askapache.com/security/computer-security-toolbox-2.html</link>
		<comments>http://www.askapache.com/security/computer-security-toolbox-2.html#comments</comments>
		<pubDate>Sat, 27 Sep 2008 00:29:52 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.askapache.com.com/webmaster/computer-security-toolbox-2.html</guid>
		<description><![CDATA[List of mainly obscure security software geared more for the master pentester. These are mostly for Unix, BSD, and Mac, and many are difficult to install and set up (require custom servers, inside access points, obscure libraries). Only programs that output data are included, so no actual exploits or anything.  Most of these output extremely useful albeit extremely technical information.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/security/computer-security-toolbox-2.html"></a><a href="http://www.askapache.com/security/computer-security-toolbox-2.html"><cite>AskApache.com</cite></a></p><p>List of mainly obscure security software geared more for the master pentester. These are mostly for Unix, BSD, and Mac, and many are difficult to install and set up <em>(require custom servers, inside access points, obscure libraries)</em>.  Only programs that output data are included, so no actual exploits or anything.  Most of these output extremely useful albeit extremely technical information.</p>

<p class="anote">You may be looking for the article: <a href="http://www.askapache.com/security/vulnerability-scanners-review.html">Vulnerability Scanners Review</a>, or <a href="http://www.askapache.com/security/top-5-best-vulnerability-port-scanners.html">Top 5 Vulnerability Port Scanners</a></p>

<h2>Obscure/Rare Security Software</h2>
<dl>
<dt>rwhois</dt>
<dd>really great addition to using whois. Get additional info not on whois, query rwhois servers.</dd>
<dt>lft</dt>
<dd>useful alternative method of tracerouting. oppleman</dd>
<dt>packit</dt>
<dd>define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options</dd>
<dt>etherape</dt>
<dd>really cool graphical program that displays connections and protocols similar to cheops.</dd>
<dt>amap</dt>
<dd>fingerprinting</dd>
<dt>xprobe2</dt>
<dd>fingerprinting</dd>
<dt>p0f2</dt>
<dd>really exceptional fingerprinting. can be passively run in the BG.</dd>
<dt>firewalk</dt>
<dd>good packetfiltering enumerator</dd>
<dt>BGPview</dt>
<dd>bgp anyone?</dd>
<dt>icmpenum</dt>
<dd>icmp fingerprinting</dd>
<dt>dnstracer</dt>
<dd>awesome and creative graphical output of dns</dd>
<dt>ssldump</dt>
<dd>not really that useful but impressive in a report</dd>
<dt>ftester</dt>
<dd>for master pentesters only &mdash; get the lowdown on your packetfiltering</dd>
<dt>mtr</dt>
<dd>alternative traceroute</dd>
<dt>MRTG</dt>
<dd>favorite tool of ISPs, many uses here</dd>
<dt>host</dt>
<dd>don't forget this one</dd>
<dt>ike-scan</dt>
<dd>scan for vpns</dd>
<dt>upnpscan</dt>
<dd>scan for upnp devices</dd>
<dt>ftp-spider</dt>
<dd>get info on ftp server</dd>
<dt>traceproto</dt>
<dd>very nice alternative to traceroute/firewalk</dd>
<dt>sing</dt>
<dd>packet crafting</dd>
<dt>nmbscan</dt>
<dd>NMB Scanner</dd>
<dt>nbtscan</dt>
<dd>NBT Scanner</dd>
<dt>admsmb</dt>
<dd>ADMsmb</dd>
<dt>netleak</dt>
<dd>Netleak</dd>
<dt>dmitry</dt>
<dd>&nbsp;</dd>
<dt>sara</dt>
<dd>Original security auditing software</dd>
<dt>isic</dt>
<dd>ISIC</dd>
<dt>dnsa</dt>
<dd>DNS</dd>
<dt>nemesis</dt>
<dd>Packet Crafting</dd>
<dt>zodiacdns</dt>
<dd>DNS Hacking</dd>
<dt>fragroute</dt>
<dd>Fragmented Packet Crafter/Scanner</dd>
<dt>sentry 2.0</dt>
<dd>&nbsp;</dd>
<dt>Caecus</dt>
<dd>&nbsp;</dd>
<dt>C-Parse</dt>
<dd>&nbsp;</dd>
<dt>ftester</dt>
<dd>Master Pentesting Tool, Map out the filtering of your firewall with internal and external nodes</dd>
<dt>pchar</dt>
</dl>


<h2>More common security programs</h2>
<dl>
<dt><a href="http://www.nessus.org">Nessus</a></dt>
<dd>Premier UNIX vulnerability assessment tool - Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price.  It is constantly updated, with more than 11,000 plugins for the free (but registration and EULA-acceptance required) feed.  Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.</dd>
<dt><a href="http://www.wireshark.org/">Wireshark</a></dt>
<dd>Sniffing the glue that holds the Internet together - Wireshark (known as <a href="http://www.ethereal.com">Ethereal</a> until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows.  It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need.  Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.  A tcpdump-like console version named tethereal is included.  One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).</dd>
<dt><a href="http://www.snort.org/">Snort</a></dt>
<dd>Everyone's favorite open source IDS - This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks.  Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior.  Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.  Also check out the free <a href="http://secureideas.sourceforge.net/">Basic Analysis and Security Engine (BASE)</a>, a web interface for analyzing Snort alerts. Open source Snort works fine for many individuals, small businesses, and departments.  Parent company <a href="http://www.sourcefire.com">SourceFire</a> offers a complementary product line with more enterprise-level features and real-time rule updates.  They offer a free (with registration) 5-day-delayed rules feed, and you can also find many great free rules at <a href="http://www.bleedingsnort.com">Bleeding Edge Snort</a>.</dd>
<dt><a href="http://www.vulnwatch.org/netcat/">Netcat</a></dt>
<dd>The network Swiss army knife - This simple utility reads and writes data across TCP or UDP network connections.  It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was <a href="http://seclists.org/bugtraq/1995/Oct/0028.html">released</a> by Hobbit in 1995, but it hasn't been maintained despite its immense popularity.  It can sometimes even be hard to find nc110.tgz.  The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original.  One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more.  It even made this list on its own merits.  There is also <a href="http://sourceforge.net/projects/nmap-ncat/">Chris Gibson's Ncat</a>, which offers even more features while remaining portable and compact.  Other takes on Netcat include <a href="http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/">OpenBSD's nc</a>, <a href="http://farm9.org/Cryptcat/">Cryptcat</a>, <a href="http://www.deepspace6.net/projects/netcat6.html">Netcat6</a>, <a href="http://dcs.nac.uci.edu/%7Esombrg/pnetcat.html">PNetcat</a>, <a href="http://tigerteam.se/dl/sbd/">SBD</a>, and so-called <a href="http://netcat.sourceforge.net/">GNU Netcat</a>.</dd>
<dt><a href="http://www.metasploit.com/">Metasploit Framework</a></dt>
<dd>Hack the Planet - Metasploit took the security world by storm when it was released in 2004.  No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade.  It is an advanced open-source platform for developing, testing, and using exploit code.  The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research.  It ships with hundreds of exploits, as you can see in their <a href="http://metasploit.com:55555">online exploit building demo</a>.  This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality.  Similar professional exploitation tools, such as Core Impact and Canvas, already existed for wealthy users on all sides of the ethical spectrum.  Metasploit simply brought this capability to the masses.</dd>
<dt><a href="http://www.hping.org/">Hping2</a></dt>
<dd>A network probing utility like ping on steroids - This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.  This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.</dd>
<dt><a href="http://www.kismetwireless.net/">Kismet</a></dt>
<dd>A powerful wireless sniffer - Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.  It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use.  It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps.  As you might expect, this tool is commonly used for <a href="http://en.wikipedia.org/wiki/Wardriving">wardriving</a>.  Oh, and also <a href="http://en.wikipedia.org/wiki/Warwalking">warwalking</a>, <a href="http://www.tgdaily.com/2004/04/30/thg_takes_to_the_air_for_wi/print.html">warflying</a>, and <a href="http://www.oldskoolphreak.com/tfiles/wifi/warskating/warskating.html">warskating</a>.</dd>
<dt><a href="http://www.tcpdump.org">Tcpdump</a></dt>
<dd>The classic sniffer for network monitoring and data acquisition - Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently.  It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes.  It also requires fewer system resources.  While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems.  It is great for tracking down network problems or monitoring activity. There is a separate Windows port named <a href="http://windump.polito.it/">WinDump</a>.  TCPDump is the source of the <a href="http://www.tcpdump.org">Libpcap</a>/<a href="http://winpcap.polito.it/">WinPcap</a> packet capture library, which is used by <a href="http://insecure.org/nmap/">Nmap</a> among many other tools.</dd>
<dt><a href="http://www.oxid.it/cain.html">Cain and Abel</a></dt>
<dd>The top password recovery tool for Windows - UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain &amp; Abel is a glaring exception.  This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also <a href="http://www.oxid.it/ca_um/">well documented</a>.</dd>
<dt><a href="http://www.openwall.com/john/">John the Ripper</a></dt>
<dd>A powerful, flexible, and <i>fast</i> multi-platform password hash cracker - John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find <a href="ftp://ftp.mirrorgeek.com/openwall/wordlists">here</a>, <a href="ftp://ftp.ox.ac.uk/pub/wordlists/">here</a>, or <a href="http://www.outpost9.com/files/WordLists.html">here</a>.</dd>
<dt><a href="http://ettercap.sourceforge.net/">Ettercap</a></dt>
<dd>In case you still thought switched LANs provide much extra security - Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https).  Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.</dd>
<dt><a href="http://www.cirt.net/code/nikto.shtml">Nikto</a></dt>
<dd>A more comprehensive web scanner - Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality.  It is a great tool, but the value is limited by its infrequent updates.  The newest and most critical vulnerabilities are often not detected.</dd>
<dt>Ping/telnet/dig/traceroute/whois/netstat</dt>
<dd>The basics - While there are many whiz-bang high-tech tools out there to assist in security auditing, don't forget about the basics!  Everyone should be very familiar with these tools as they come with most operating systems (except that Windows omits whois and uses the name tracert). They can be very handy in a pinch, although for more advanced usage you may be better off with Hping2 and Netcat.</dd>
<dt><a href="http://www.openssh.com/">OpenSSH</a> / <a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/">PuTTY</a> / <a href="http://www.ssh.com/commerce/index.html">SSH</a></dt>
<dd>A secure way to access remote computers - SSH (Secure Shell) is the now ubiquitous program for logging into or executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network, replacing the hideously insecure telnet/rlogin/rsh alternatives.  Most UNIX users run the open source <a href="http://www.openssh.com/">OpenSSH</a> server and client.  Windows users often prefer the free <a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/">PuTTY</a> client, which is also available for many mobile devices.  Other Windows users prefer the nice terminal-based port of OpenSSH that comes with <a href="http://www.cygwin.com/">Cygwin</a>.  Dozens of other free and proprietary clients exist.  You can explore them <a href="http://freessh.org/">here</a> or <a href="http://linuxmafia.com/ssh/">here</a>.</dd>
<dt><a href="http://www.thc.org/thc-hydra/">THC Hydra</a></dt>
<dd>A fast network authentication cracker which supports many different services - When you need to brute force crack a remote authentication service, Hydra is often the tool of choice.  It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more.  Like THC Amap, this release is from the fine folks at <a href="http://www.thc.org">THC</a>.</dd>
<dt><a href="http://www.parosproxy.org">Paros proxy</a></dt>
<dd>A web application vulnerability assessment proxy - A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.</dd>
<dt><a href="http://www.monkey.org/%7Edugsong/dsniff/">Dsniff</a></dt>
<dd>A suite of powerful network auditing and penetration-testing tools - This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI.  A separately maintained partial Windows port is available <a href="http://www.datanerds.net/%7Emike/dsniff.html">here</a>.  Overall, this is a great toolset.  It handles pretty much all of your password sniffing needs.</dd>
<dt><a href="http://www.stumbler.net">NetStumbler</a></dt>
<dd>Free Windows 802.11 Sniffer - Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving").  They also distribute a WinCE version for PDAs and such named <a href="http://www.stumbler.net/">Ministumbler</a>. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC.</dd>
<dt><a href="http://www.thc.org/thc-amap/">THC Amap</a></dt>
<dd>An application fingerprinting scanner - Amap is a great tool for determining what application is listening on a given port.  Their database isn't as large as what <a href="http://insecure.org/nmap/">Nmap</a> uses for its <a href="http://insecure.org/nmap/vscan/">version detection</a> feature, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service.  Amap even knows how to parse Nmap output files.  This is yet another valuable tool from the great guys at <a href="http://www.thc.org">THC</a>.</dd>
<dt><a href="http://www.gfi.com/lannetscan/">GFI LANguard</a></dt>
<dd>A commercial network security scanner for Windows - GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running.  It also tries to collect Windows machines' service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches.  A free trial version is available, though it only works for up to 30 days.</dd>
<dt><a href="http://www.aircrack-ng.org">Aircrack</a></dt>
<dd>The fastest available WEP/WPA cracking tool - Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force.  The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).</dd>
<dt>Superscan</dt>
<dd>A Windows-only port scanner, pinger, and resolver - SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone.  It includes a variety of additional networking tools such as ping, traceroute, http head, and whois.</dd>
<dt><a href="http://www.netfilter.org/">Netfilter</a></dt>
<dd>The current Linux kernel packet filter/firewall - Netfilter is a powerful packet filter implemented in the standard Linux kernel.  The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multiple API layers for 3rd party extensions.  It includes many different modules for handling unruly protocols such as FTP.  For other UNIX platforms, see Openbsd PF (OpenBSD specific), or IP Filter.  Many <a href="http://en.wikipedia.org/wiki/Personal_firewall">personal firewalls</a> are available for Windows (<a href="http://www.tinysoftware.com/">Tiny</a>, <a href="http://www.zonelabs.com/">Zone Alarm</a>, <a href="">Norton</a>, <a href="http://www.kerio.com/">Kerio</a>, ...), though none made this list.  Microsoft included a very basic firewall in Windows XP SP2, and will nag you incessantly until you install it.</dd>
<dt><a href="http://www.eeye.com/html/Products/Retina/index.html">Retina</a></dt>
<dd>Commercial vulnerability assessment scanner by eEye - Like Nessus, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found.  It was written by <a href="http://www.eeye.com">eEye</a>, who are well known for their <a href="http://www.eeye.com/html/research/index.html">security research</a>.</dd>
<dt><a href="http://www.angryziber.com/ipscan/">Angry IP Scanner</a></dt>
<dd>A fast Windows IP scanner and port scanner - Angry IP Scanner can perform basic host discovery and port scans on Windows. Its binary file size is very small compared to other scanners, and the information gathered about the target hosts can be extended with <a href="http://www.angryziber.com/ipscan/plugins/">a few plugins</a>.</dd>
<dt><a href="http://www.rootkit.nl/projects/rootkit_hunter.html">RKHunter</a></dt>
<dd>A Unix Rootkit Detector - RKHunter is a scanning tool that checks for signs of various pieces of nasty software on your system like rootkits, backdoors and local exploits. It runs many tests, including MD5 hash comparisons, default filenames used by rootkits, wrong file permissions for binaries, and suspicious strings in LKM and KLD modules.</dd>
<dt><a href="http://www.nta-monitor.com/tools/ike-scan/">Ike-scan</a></dt>
<dd>VPN detector/scanner - Ike-scan exploits transport characteristics in the Internet Key Exchange (IKE) service, the mechanism used by VPNs to establish a connection between a server and a remote client. It scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence. The tool then remains silent and monitors retransmission packets. These retransmission responses are recorded, displayed and matched against a known set of VPN product fingerprints. Ike-scan can identify VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard.</dd>
<dt><a href="http://www-nrg.ee.lbl.gov">Arpwatch</a></dt>
<dd>Keeps track of ethernet/IP address pairings and can detect certain monkey business - Arpwatch is the classic ARP man-in-the-middle attack detector from LBNL's Network Research Group. It syslogs activity and reports certain changes via email. Arpwatch uses LibPcap to listen for ARP packets on a local ethernet interface.</dd>
<dt><a href="http://kismac.de/">KisMAC</a></dt>
<dd>A GUI passive wireless stumbler for Mac OS X - This popular stumbler for Mac OS X offers many of the features of its namesake Kismet, though the codebase is entirely different. Unlike console-based Kismet, KisMAC offers a pretty GUI and was around before Kismet was ported to OS X.  It also offers mapping, Pcap-format import and logging, and even some decryption and deauthentication attacks.</dd>
<dt><a href="http://www.ossec.net/">OSSEC HIDS</a></dt>
<dd>An Open Source Host-based Intrusion Detection System - OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.</dd>
<dt><a href="http://www.benzedrine.cx/pf.html">Openbsd PF</a></dt>
<dd>The OpenBSD Packet Filter - Like Netfilter and IP Filter on other platforms, OpenBSD users love PF, their firewall tool. It handles network address translation, normalizing TCP/IP traffic, providing bandwidth control, and packet prioritization.  It also offers some eccentric features, such as passive OS detection.  Coming from the same guys who created OpenBSD, you can trust that it has been well audited and coded to avoid the sort of security holes we have seen in <a href="http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=28350">other</a> <a href="http://netfilter.org/security/">packet</a> <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4745">filters</a>.</dd>
<dt>Nemesis</dt>
<dd>Packet injection simplified - The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux (and now Windows!). The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts. If you enjoy Nemesis, you might also want to look at Hping2 as they complement each other well.</dd>
<dt><a href="http://tor.eff.org/">Tor</a></dt>
<dd>An anonymous Internet communication system - Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, irc, ssh, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features. For a free cross-platform GUI, users recommend <a href="http://www.vidalia-project.net/">Vidalia</a>.</dd>
<dt><a href="http://www.knoppix.org/">Knoppix</a></dt>
<dd>A general-purpose bootable live system on CD or DVD - Knoppix consists of a representative collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a productive Linux system for the desktop, educational CD, rescue system, or, as many nmap survey takers attest, a portable security tool. For a security-specific Linux distribution see BackTrack.</dd>
<dt><a href="http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php">ISS Internet Scanner</a></dt>
<dd>Application-level vulnerability assessment - Internet Scanner started off in '92 as a tiny open source scanner by Christopher Klaus.  Now he has grown ISS into a billion-dollar company with a myriad of security products.</dd>
<dt><a href="http://www.foundstone.com/knowledge/proddesc/fport.html">Fport</a></dt>
<dd>Foundstone's enhanced netstat - Fport reports all open TCP/IP and UDP ports on the machine you run it on and shows what application opened each port.  So it can be used to quickly identify unknown open ports and their associated applications. It only runs on Windows, but many UNIX systems now provide this information via netstat (try 'netstat -pan' on Linux).  Here is a PDF-Format <a href="http://www.giac.org/practical/gsec/Teena_Henson_GSEC.pdf">SANS article</a> on using Fport and analyzing the results.</dd>
<dt><a href="http://www.chkrootkit.org/">chkrootkit</a></dt>
<dd>Locally checks for signs of a rootkit - chkrootkit is a flexible, portable tool that can check for many signs of rootkit intrusion on Unix-based systems. Its features include detecting binary modification, utmp/wtmp/lastlog modifications, promiscuous interfaces, and malicious kernel modules.</dd>
<dt><a href="http://www.immunitysec.com/resources-freesoftware.shtml">SPIKE Proxy</a></dt>
<dd>HTTP Hacking - Spike Proxy is an open source HTTP proxy for finding security flaws in web sites.  It is part of the <a href="http://www.immunitysec.com/resources-freesoftware.shtml">Spike Application Testing Suite</a> and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.</dd>
<dt><a href="http://www.openbsd.org">OpenBSD</a></dt>
<dd>The Proactively Secure Operating System - OpenBSD is one of the only operating systems to treat security as their very highest priority.  Even higher than usability in some cases. But their enviable security record speaks for itself.  They also focus on stability and fight to obtain documentation for the hardware they wish to support.  Perhaps their greatest achievement was creating <a href="http://www.openssh.org">OpenSSH</a>.  OpenBSD users also love PF, their firewall tool.</dd>
<dt><a href="http://www.yersinia.net">Yersinia</a></dt>
<dd>A multi-protocol low-level attack tool - Yersinia is a low-level protocol attack tool useful for penetration testing.  It is capable of many diverse attacks over multiple protocols, such as becoming the root role in the Spanning Tree (Spanning Tree Protocol), creating virtual CDP (Cisco Discovery Protocol) neighbors, becoming the active router in a HSRP (Hot Standby Router Protocol) scenario, faking DHCP replies, and other low-level attacks.</dd>
<dt><a href="http://www.nagios.org">Nagios</a></dt>
<dd>An open source host, service and network monitoring program - Nagios is a system and network monitoring application. It watches hosts and services that you specify, alerting you when things go bad and when they get better. Some of its many features include monitoring of network services (smtp, pop3, http, nntp, ping, etc.), monitoring of host resources (processor load, disk usage, etc.), and contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method).</dd>
<dt><a href="http://www.monkey.org/%7Edugsong/fragroute/">Fragroute</a> / <a href="http://www.packetstormsecurity.nl/UNIX/IDS/nidsbench/fragrouter.html">Fragrouter</a></dt>
<dd>A network intrusion detection evasion toolkit - Fragrouter is a one-way fragmenting router - IP packets get sent from the attacker to the Fragrouter, which transforms them into a fragmented data stream to forward to the victim. Many network IDS are unable or simply don't bother to reconstruct a coherent view of the network data (via IP fragmentation and TCP stream reassembly), as discussed in <a href="http://insecure.org/stf/secnet_ids/secnet_ids.html">this classic paper</a>. Fragrouter helps an attacker launch IP-based attacks while avoiding detection.  It is part of the <a href="http://www.packetstormsecurity.nl/UNIX/IDS/nidsbench/nidsbench.html">NIDSbench</a> suite of tools by Dug Song.  Fragroute is a similar tool which is also by Dug Song.</dd>
<dt><a href="http://www.xfocus.org/programs/200209/10.html">X-scan</a></dt>
<dd>A general scanner for scanning network vulnerabilities - A multi-threaded, plug-in-supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more.  You may be able to find newer versions available here if you can deal with most of the page being written in Chinese.</dd>
<dt>Whisker/libwhisker</dt>
<dd>Rain.Forest.Puppy's CGI vulnerability scanner and library - Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker.</dd>
<dt><a href="http://www.dest-unreach.org/socat/">Socat</a></dt>
<dd>A relay for bidirectional data transfer - A utility similar to the venerable Netcat that works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.</dd>
<dt><a href="http://www-arc.com/sara/">Sara</a></dt>
<dd>Security Auditor's Research Assistant - SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner.  They try to release updates twice a month and try to leverage other software created by the open source community (such as <a href="http://insecure.org/nmap/">Nmap</a> and <a href="http://samba.org">Samba</a>).</dd>
<dt><a href="http://www.qualys.com/">QualysGuard</a></dt>
<dd>A web-based vulnerability scanner - Delivered as a service over the Web, QualysGuard eliminates the burden of deploying, maintaining, and updating vulnerability management software or implementing ad-hoc security applications. Clients securely access QualysGuard through an easy-to-use Web interface. QualysGuard features 5,000+ unique vulnerability checks, an Inference-based scanning engine, and automated daily updates to the QualysGuard vulnerability KnowledgeBase.</dd>
<dt><a href="http://www.clamav.net/">ClamAV</a></dt>
<dd>A GPL anti-virus toolkit for UNIX - ClamAV is a powerful AntiVirus scanner focused towards integration with mail servers for attachment scanning. It provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via the Internet. Clam AntiVirus is based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.</dd>
<dt><a href="http://portswigger.net/suite/">Burpsuite</a></dt>
<dd>An integrated platform for attacking web applications - Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.</dd>
<dt><a href="http://www.hoobie.net/brutus/">Brutus</a></dt>
<dd>A network brute-force authentication cracker - This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof.  It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.  No source code is available.  UNIX users should take a look at THC Hydra.</dd>
<dt><a href="http://www.unicornscan.org/">Unicornscan</a></dt>
<dd>Not your mother's port scanner - Unicornscan is an attempt at a User-land Distributed TCP/IP stack for information gathering and correlation. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Some of its features include asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive remote OS, application, and component identification by analyzing responses.  Like Scanrand, it isn't for the faint of heart.</dd>
<dt><a href="http://www.stunnel.org/">Stunnel</a></dt>
<dd>A general-purpose SSL cryptographic wrapper - The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries.</dd>
<dt><a href="http://www.citi.umich.edu/u/provos/honeyd/">Honeyd</a></dt>
<dd>Your own personal <a href="http://www.honeynet.org">honeynet</a> - Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating them.  It has many library dependencies, which can make compiling/installing Honeyd difficult.</dd>
<dt><a href="http://www.fping.com/">Fping</a></dt>
<dd>A parallel ping scanning program - fping is a ping(1) like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping.  Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable.</dd>
<dt><a href="http://sourceforge.net/projects/secureideas/">BASE</a></dt>
<dd>The Basic Analysis and Security Engine - BASE is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls, and network monitoring tools. Its features include a query-builder and search interface for finding alerts matching different patterns, a packet viewer/decoder, and charts and statistics based on time, sensor, signature, protocol, IP address, etc.</dd>
<dt><a href="http://www.qosient.com/argus/">Argus</a></dt>
<dd>A generic IP network transaction auditing tool - Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.</dd>
<dt><a href="http://www.sensepost.com/research/wikto/">Wikto</a></dt>
<dd>Web Server Assessment Tool - Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.</dd>
<dt><a href="http://sguil.sourceforge.net/">Sguil</a></dt>
<dd>The Analyst Console for Network Security Monitoring - Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from Snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts.</dd>
<dt>Scanrand</dt>
<dd>An unusually fast stateless network service and topology discovery system - Scanrand is a stateless host-discovery and port-scanner similar in design to Unicornscan. It trades off reliability for amazingly fast speeds and uses cryptographic techniques to prevent attackers from manipulating scan results. This utility is a part of a software package called Paketto Keiretsu which was written by Dan Kaminsky.</dd>
<dt><a href="http://coombs.anu.edu.au/%7Eavalon/">IP Filter</a></dt>
<dd>Portable UNIX Packet Filter - IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services. It can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required. IP Filter is distributed with FreeBSD, NetBSD, and Solaris. OpenBSD users should see OpenBSD PF and Linux users Netfilter.</dd>
<dt><a href="http://www.immunitysec.com/products-canvas.shtml">Canvas</a></dt>
<dd>A Comprehensive Exploitation Framework - Canvas is a commercial vulnerability exploitation tool from Dave Aitel's <a href="http://www.immunitysec.com">ImmunitySec</a>.  It includes more than 150 exploits and is less expensive than Core Impact, though it still costs thousands of dollars.  You can also buy the optional <a href="http://www.immunitysec.com/products-visualsploit.shtml">VisualSploit Plugin</a> for drag and drop GUI exploit creation.  Zero-day exploits can occasionally be found within Canvas.</dd>
<dt><a href="http://www.vmware.com/">VMware</a></dt>
<dd>Multi-platform Virtualization Software - VMware virtualization software lets you run one operating system within another. This is quite useful for security researchers who commonly need to test code, exploits, etc. on multiple platforms. It only runs on Windows and Linux as the host OS, but pretty much any x86 OS will run inside the virtualized environment. It is also useful for setting up sandboxes. You can browse from within a VMware window so that even if you are infected with malware, it cannot reach your host OS. And recovering the guest OS is as simple as loading a "snapshot" from prior to the infection. <a href="http://www.vmware.com/products/player/">VMware Player</a> (executes, but can't create OS images) and <a href="http://www.vmware.com/products/server/">VMware Server</a> (partitions a physical server machine into multiple virtual machines) were recently released for free. Another interesting virtualization system (Linux focused) is <a href="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/">Xen</a>.</dd>
<dt>Tcptraceroute</dt>
<dd>A traceroute implementation using TCP packets - The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that the conventional traceroute(8) sends out (ICMP echo or UDP) end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.</dd>
<dt><a href="http://www.saintcorporation.com/saint/">SAINT</a></dt>
<dd>Security Administrator's Integrated Network Tool - SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.</dd>
<dt><a href="http://openvpn.net/">OpenVPN</a></dt>
<dd>A full-featured SSL VPN solution - OpenVPN is an open-source SSL VPN package which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN uses OpenSSL as its primary cryptographic library.</dd>
<dt><a href="http://www.ollydbg.de/">OllyDbg</a></dt>
<dd>An assembly level Windows debugger - OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg features an intuitive user interface, advanced code analysis capable of recognizing procedures, loops, API calls, switches, tables, constants and strings, an ability to attach to a running program, and good multi-thread support. OllyDbg is free to download and use but no source code is provided.</dd>
<dt><a href="http://www.e-fense.com/helix/">Helix</a></dt>
<dd>A Linux Distribution with Computer Forensics in Mind - Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics. Helix has been designed very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.</dd>
<dt><a href="http://www.bastille-linux.org/">Bastille</a></dt>
<dd>Security hardening script for Linux, Mac OS X, and HP-UX - The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works. Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX and Mac OS X. Bastille focuses on letting the system's user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user's answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as inform the user as to which settings have been tightened.</dd>
<dt><a href="http://www.acunetix.com/">Acunetix Web Vulnerability Scanner</a></dt>
<dd>Commercial Web Vulnerability Scanner - Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.</dd>
<dt><a href="http://www.trueCrypt.org/">trueCrypt</a></dt>
<dd>Open-Source Disk Encryption Software for Windows and Linux - trueCrypt is an excellent open source disk encryption system. Users can encrypt entire filesystems, which are then on-the-fly encrypted/decrypted as needed without user intervention beyond entering their passphrase initially. A clever <a href="http://www.trueCrypt.org/user-guide/hidden-volume.php">hidden volume</a> feature allows you to hide a 2nd layer of particularly sensitive content with plausible deniability about whether it exists. Then if you are forced to give up your passphrase, you give them the first-level secret. Even with that, attackers cannot prove that a second level key even exists.</dd>
<dt><a href="http://www.watchfire.com/products/appscan/default.aspx">Watchfire AppScan</a></dt>
<dd>Commercial Web Vulnerability Scanner - AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. AppScan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more.</dd>
<dt><a href="http://www.nstalker.com/nstealth/">N-Stealth</a></dt>
<dd>Web server scanner - N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components.  They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.</dd>
<dt><a href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx">MBSA</a></dt>
<dd>Microsoft Baseline Security Analyzer - Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.</dd>
</dl><p><a href="http://www.askapache.com/security/computer-security-toolbox-2.html"></a><a href="http://www.askapache.com/security/computer-security-toolbox-2.html">COMPUTER SECURITY TOOLBOX</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/security/computer-security-toolbox-2.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Mod_Security .htaccess tricks</title>
		<link>http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html</link>
		<comments>http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html#comments</comments>
		<pubDate>Wed, 23 Apr 2008 06:17:01 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Htaccess]]></category>

		<guid isPermaLink="false">http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html</guid>
		<description><![CDATA[<p><a class="IFL hs hs05"  href="http://www.modsecurity.org/"></a>Mod_Security rivals Mod_Rewrite in the amount of features it provides.  I decided to go ahead and post what I learned about it today, even though it's tough to give away such awesome htaccess and apache tricks.  Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.  Mod_Security is so fine!</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html"></a><a href="http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html"><cite>AskApache.com</cite></a></p><blockquote cite="http://www.modsecurity.org/documentation/modsecurity-apache/2.1.4/modsecurity2-apache-reference.html"><a class="IFL hs hs05"  href="http://www.modsecurity.org/"></a>With over 70% of all attacks now carried out over the web application level, organizations need as much help as they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications.</blockquote>

<hr />

<p><strong>Target Audience:</strong></p>
<ul>
<li>Web Server Administrators</li>
<li>Web security Administrators</li>
<li>Security consultants and other ballers.</li>
<li>Web Developers</li>
</ul>


<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#smack-down_attacks" name="smack-down_attacks" id="smack-down_attacks" title="Lay the smack down on attacks">Laying the smack down on attacks</a></h2>
<p><img class="IFR" src='http://uploads.askapache.com/2008/01/modsecurity.gif' alt='mod_Security sits in front of Apache' title="modsecurity htaccess" />ModSecurity is an Apache Module just like mod_rewrite that is in fact a Web Application Firewall, providing access to every tiny bit of an HTTP connection: HTTP headers, Cookie and POST payloads in their entirety, XML-RPC calls from Ajax, protocol and connection information, etc... <strong>it's totally stacked</strong>.<br /><br />Mod_Security uses Regex and .htaccess / httpd.conf directives similar to <a href="http://www.askapache.com/htaccess/mod_rewrite-tips-and-tricks.html">mod_rewrite</a>, allowing for complete control from within <a href="http://www.askapache.com/htaccess/htaccess.html">.htaccess files</a> and httpd.conf blocks.<br class="C" /></p>


<p><strong>Contents</strong></p>
<ul class="u4">
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#smack-down_attacks">Laying the smack down on attacks</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-mod_rewrite">mod_security + mod_rewrite</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#block-post-spam">Block Spam by examining POST form fields</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#enabling-mod_security">Enable mod_security - DreamHost</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#disable-mod_security">Disabling mod_security conditionally per IP</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-authorization">Disabling mod_security with .htaccess Authorization</a>
        <ul>
            <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#password-bypass">Adding password protection for mod_security bypass</a></li>
            <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#magic-auth-shutdown">Magic Authorization shut-off using .htaccess</a></li>
        </ul>
    </li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#sample-mod_security">AskApache's MOD_SECURITY config for DreamHost</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#block-wordpress-spam">Block WordPress Spam Forever!</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#pause-connections">Force Any Connections to be Paused a set number of ms</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#allow-request-methods">Only Allow Certain REQUEST_METHODS</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-debugging">ModSecurity Debugging and Logging</a>
        <ul>
            <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_sec-errorlog">Control mod_security logging to your error log</a></li>
        </ul>
    </li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#conditional-logging">Turn Off/On Logging JUST for your IP Address</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-directives">Mod_Security Directives for DreamHost</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-curve">How I got Started with mod_sec</a></li>
    <li><a href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#httpdconf-rules">Example httpd.conf mod_security rule files</a></li>
</ul>
<hr />



<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-mod_rewrite" name="mod_security-mod_rewrite" id="mod_security-mod_rewrite" title="mod_security + mod_rewrite">mod_security + mod_rewrite</a></h2>
<p>mod_security is the missing piece if all you know is mod_rewrite.  This gives you the ability to scan ALL messages received by your website, including POST, Trackbacks, Pings, Ajax XMLHTTP calls, etc.  It lets you create your own rules so that you can stop spam and prevent web application, protocol, and server attacks.</p>
<p class="cnote">Mod_Security has the ability to parse entire POST payloads, as well as specific and individual POST/GET arguments... This is a spammer's worst nightmare, and I'm going to make that nightmare reality for them.</p>



<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#block-post-spam" name="block-post-spam" id="block-post-spam" title="Block Spam by examining POST form fields">Block Spam by examining POST form fields</a></h2>
<p>mod_security gives you the option to block, redirect, handle using an ErrorDocument, pause, close, and chain connections.  If someone is spamming your blog from many different IPs, but they often use the same keywords in a certain field of your form (like "blackjack" in the url field), mod_security lets you examine that specific url field and block all connections that contain the regexp pattern of your choice.</p>



<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#enabling-mod_security" name="enabling-mod_security" id="enabling-mod_security" title="Enable mod_security On DreamHost">Enable mod_security - DreamHost</a></h2>
<p>To enable mod_security, log in to the DreamHost panel and navigate to the <a href="https://panel.dreamhost.com/index.cgi?tree=domain.manage">"Manage Domains"</a> area, edit your site and enable the extra security option.</p>
<p><a rel="lb" href='http://uploads.askapache.com/2007/12/mod_security-step2.png' title='Mod_Security Step 2'><img src='http://uploads.askapache.com/2007/12/mod_security-step2.png' alt='Mod_Security Step 2' title="mod security step2 htaccess" /></a></p>
<p><a href="http://www.dreamhost.com/">DreamHost</a> has set itself apart as being the top web host IMHO. They've provided the option to enable an Apache module called <strong>mod_security</strong> for any of your hosted domains.  The sysops and techs over there are really doing a great job of staying true to the industry; they are web hosts, not some corporate outsourced bought-out thing.  Anyways, thanks DH!</p>





<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#disable-mod_security" name="disable-mod_security" id="disable-mod_security" title="Disabling mod_security conditionally per IP">Disabling mod_security conditionally per IP</a></h2>
<p>This will make sure that your requests aren't processed by mod_security, but this only works if you have a static IP (<a href="http://www.askapache.com/online-tools/whoami/">Get your IP information</a>). Just add this towards the top of your <a href="http://www.askapache.com/htaccess/htaccess.html">.htaccess file</a>, before your mod_security code.  Setting this variable causes the module to be disabled for this specific IP address, which means you won't run into any problems while posting yourself.</p>
<pre>SetEnvIfNoCase Remote_Addr ^208\.113\.183\.103$ MODSEC_ENABLE=Off
&nbsp;
# You can use multiple SetEnvIf directives to control it further.
# This only turns it off for your IP + a POST request method.
#
# SetEnvIf Remote_Addr ^208\.113\.183\.103$ MODSEC_ENABLE=Off
# SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On</pre>




<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-authorization" name="mod_security-authorization" id="mod_security-authorization" title="Disabling mod_security with .htaccess Authorization">Disabling mod_security with .htaccess Authorization</a></h2>
<p>So I did some experimenting to see if there was an alternative way to disable mod_security for the users out there without a static IP address.  I found a couple of silly solutions that suggested you simply modify your browser's User-Agent request header, but that's not very safe, is it?  No.  So I came up with using Basic Authorization.</p>
<p>First you need to setup password protection for the directory that you want mod_security disabled for. In the case of WordPress blogs, you can use the <a href="http://www.askapache.com/wordpress/htaccess-password-protect.html">AskApache Password Protect Plugin</a> to get setup.  Or you can <a href="http://www.askapache.com/online-tools/htpasswd-generator/">generate a new htpasswd</a>.</p>
<h3><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#password-bypass" name="password-bypass" id="password-bypass" title=".htaccess password protection">Adding password protection for mod_security bypass</a></h3>
<pre>AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /fullpath-to/.htpasswd
Require valid-user</pre>

<h3><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#magic-auth-shutdown" name="magic-auth-shutdown" id="magic-auth-shutdown" title="Authorization shut-off">Magic Authorization shut-off using .htaccess</a></h3>
<p>When you log in using this authentication, the environment variables REMOTE_USER and AUTH_TYPE are set <em>(though it's hard to find them)</em>.  Since these are unique to you specifically and hard to <strong>spoof</strong>, use them to turn off mod_security only after you log in.  This is added up at the top of your mod_security rules.</p>
<pre>SecFilterSelective REMOTE_USER "^yourusername$" "allow"
&nbsp;
# More variables you can experiment with
# HTTP_Authorization|AUTH_TYPE
#
# You may have to add this to your mod_rewrite code
#RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]</pre>



<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#sample-mod_security" name="sample-mod_security" id="sample-mod_security" title="AskApache's MOD_SECURITY config for DreamHost">AskApache's MOD_SECURITY config for DreamHost</a></h2>
<h3>Custom mod_security .htaccess code</h3>
<p>Here's how I start my mod_security code; keep in mind I have a <strong>lot</strong> to learn.</p>
<pre>### ASKAPACHE MOD_SECURITY ###
&lt;IfModule mod_security.c&gt;
# Turn the filtering engine On or Off or DynamicOnly for cgi/php/etc
SecFilterEngine On
&nbsp;
# Only log suspicious requests
SecAuditEngine RelevantOnly
&nbsp;
# Goes up to 9 but at 2 its overwhelming trust me
SecFilterDebugLevel 0
&nbsp;
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
&nbsp;
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
&nbsp;
# Should mod_security inspect POST payloads
SecFilterScanPOST On
&nbsp;
# The default rule to apply to inherited rules
SecFilterDefaultAction "deny,log,status:500"</pre>


<h3>Minimal httpd.conf or .htaccess sample from <a href="http://static.askapache.com/text/mod_sec-httpd.conf">source</a></h3>
<pre>&lt;IfModule mod_security.c&gt;
&nbsp;
# Enable ModSecurity
SecFilterEngine On
&nbsp;
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
&nbsp;
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
&nbsp;
# Accept almost all byte values
SecFilterForceByteRange 1 255
&nbsp;
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
&nbsp;
# Designate a directory for temporary files
# storage. It is a good idea to change the
# value below to a private directory, just as
# an additional measure against race conditions
SecUploadDir /tmp
SecUploadKeepFiles Off
&nbsp;
# Only record the interesting stuff
SecAuditEngine RelevantOnly
# Uncomment below to record responses with unusual statuses
# SecAuditLogRelevantStatus ^5
SecAuditLog logs/modsec_audit.log
&nbsp;
# You normally won&#039;t need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug.log
&nbsp;
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
&nbsp;
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
&nbsp;
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
&nbsp;
# Don&#039;t accept transfer encodings we know we don&#039;t handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
&nbsp;
&lt;/IfModule&gt;</pre>




<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#block-wordpress-spam" name="block-wordpress-spam" id="block-wordpress-spam" title="Block WordPress Spam Forever!">Block WordPress Spam Forever!</a></h2>
<p>Ok, this is my first attempt at this, and I am really excited about the possibilities!  This example goes inside your mod_security block towards the bottom, and it sets up a default action for each of the filters below it.  This denies the connection, doesn't log it, and issues a <a href="http://www.askapache.com/htaccess/apache-status-code-headers-errordocument.html#status-403">403 Forbidden</a> status code, which causes my Apache ErrorDocument to be displayed.  This ErrorDocument can be a blank page to minimize bandwidth, or it can be a CGI Perl type of script that sends you an email, whatever.  Many people use different status codes for different situations; some like 400, 412, 406, and 410 for spammers.  Others prefer 503.  You can see all 57 that are available for anyone running Apache and <a href="http://www.askapache.com/htaccess/apache-status-code-headers-errordocument.html#status-403">choose your own</a>.</p>
<pre>&lt;FilesMatch "wp-comments-post\.php$"&gt;
SecFilterSignatureAction deny,nolog,status:403
SecFilterSelective ARG_url "casino|ringtone|lyrics"
SecFilterSelective ARG_comment_post_ID "^$"
&nbsp;
# reject blog spam from all POST and GET fields
# (end each continued line with "|" before the backslash so the
#  joined pattern stays one clean alternation)
SecFilterSelective ARGS "blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|\
blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|blockspam|\
nomorespam|nospam"
&lt;/FilesMatch&gt;</pre>
<ul>
<li>The <a href="http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html">FilesMatch Directive</a> specifies that these rules only apply to these files.</li>
<li>The <code>ARG_url</code> line says that if those words appear in the form field with the <code>id/name</code> of <code>"url"</code>, then deny them.</li>
<li>The <code>ARG_comment_post_ID</code> line denies requests that have an empty <code>comment_post_ID</code> field, which a surprisingly large number of spammers forget to add.</li>
<li>The final multi-line section searches ALL get and post items for any of these keywords.</li>
</ul>
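<p>The FilesMatch rules above and the chained Content-Type check from the minimal httpd.conf sample are easiest to reason about when you can push requests through them. The Python below is an added example, not mod_security's code or anything from AskApache: a toy model of the 1.x SecFilterSelective semantics (targets, negated patterns, chain, default and signature actions, FilesMatch scope) run over constructed requests. The rule ordering inside GLOBAL_RULES and the treatment of absent fields as empty strings are my assumptions, not documented mod_security behaviour.</p>

```python
# Toy model of mod_security 1.x SecFilterSelective rules (added example, not mod_security code)
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: dict = field(default_factory=dict)

    def args(self):  # ARGS as the page describes them: all GET and POST items together
        pairs = parse_qsl(self.query, keep_blank_values=True)
        if self.method == "POST" and self.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            pairs += parse_qsl(self.body, keep_blank_values=True)
        return pairs

@dataclass
class Rule:
    target: str          # ARGS, ARG_<name>, REQUEST_METHOD or HTTP_<header>
    pattern: str         # regex; a leading "!" negates it, as in SecFilterSelective
    action: str = ""     # "" means inherit the default/signature action
    chain: bool = False  # True: the next rule runs only if this one matched
    files: str = ""      # path regex standing in for a <FilesMatch> block

def values_for(rule, req):
    # Model assumption: a missing argument or header is inspected as "", so "^$" catches it
    t = rule.target
    if t == "REQUEST_METHOD":
        return [req.method]
    if t == "ARGS":
        return [v for _, v in req.args()] or [""]
    if t.startswith("ARG_"):
        return [v for k, v in req.args() if k == t[4:]] or [""]
    if t.startswith("HTTP_"):
        return [req.headers.get(t[5:], "")]
    raise ValueError(f"unsupported target {t}")

def matches(rule, req):
    if rule.files and not re.search(rule.files, req.path):
        return False  # rule is out of scope for this path
    negate = rule.pattern.startswith("!")
    hit = any(re.search(rule.pattern.lstrip("!"), v) for v in values_for(rule, req))
    return (not hit) if negate else hit

def parse_action(action):  # only deny/pass, status:N and log/nolog are modelled
    out = {"disposition": "pass", "status": 500, "log": True}
    for tok in (t.strip() for t in action.split(",")):
        if tok in ("deny", "pass"):
            out["disposition"] = tok
        elif tok.startswith("status:"):
            out["status"] = int(tok[7:])
        elif tok in ("log", "nolog"):
            out["log"] = tok == "log"
    return out

def evaluate(rules, req, default_action):
    # Walk the rules in order; return (status, logged), 200 meaning not denied
    i = 0
    while i < len(rules):
        j = i  # one chain is rules[i..j]; every link but the last carries chain=True
        while rules[j].chain and j + 1 < len(rules):
            j += 1
        chain, i = rules[i:j + 1], j + 1
        if not all(matches(r, req) for r in chain):
            continue  # a failed link skips the rest of its chain
        act = parse_action(chain[-1].action or default_action)
        if act["disposition"] == "deny":
            return act["status"], act["log"]
    return 200, False

DEFAULT = "deny,log,status:403"  # SecFilterDefaultAction of the minimal sample
GLOBAL_RULES = [  # method whitelist first (my ordering) so TRACE gets 405 rather than 403
    Rule("REQUEST_METHOD", "!^(GET|HEAD|POST|OPTIONS)$", "deny,auditlog,status:405"),
    Rule("REQUEST_METHOD", "!^(GET|HEAD)$", chain=True),
    Rule("HTTP_Content-Type", "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"),
]
WP, SPAM = r"wp-comments-post\.php$", "deny,nolog,status:403"  # SecFilterSignatureAction
SPAM_RULES = [
    Rule("ARG_url", "casino|ringtone|lyrics", SPAM, files=WP),
    Rule("ARG_comment_post_ID", "^$", SPAM, files=WP),
    Rule("ARGS", "nomorespam|nospam", SPAM, files=WP),
]

def check(req):
    return evaluate(GLOBAL_RULES + SPAM_RULES, req, DEFAULT)

FORM = {"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "64"}
SAMPLES = {  # constructed requests, not captured traffic
    "legit_comment": Request("POST", "/wp-comments-post.php", headers=dict(FORM),
        body="author=Ann&url=http%3A%2F%2Fann.example&comment_post_ID=12&comment=Nice+post"),
    "casino_url": Request("POST", "/wp-comments-post.php", headers=dict(FORM),
        body="author=x&url=http%3A%2F%2Fbest-casino.example&comment_post_ID=12&comment=hi"),
    "missing_post_id": Request("POST", "/wp-comments-post.php", headers=dict(FORM),
        body="author=x&url=&comment=hi"),
    "spam_word_in_query": Request("GET", "/wp-comments-post.php", query="comment_post_ID=12&q=nospam"),
    "post_wrong_ctype": Request("POST", "/wp-comments-post.php", body="{}",
        headers={"Content-Type": "text/plain", "Content-Length": "2"}),
}
```

Note how the same request is scored differently depending on where it lands: a spam word in a GET query to wp-comments-post.php is denied silently (signature action, nolog), while a POST with a non-form Content-Type is denied by the global chain and logged (default action).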




<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#pause-connections" name="pause-connections" id="pause-connections" title="Force Any Connections to be Paused a set number of ms">Force Any Connections to be Paused a set number of ms</a></h2>
<p>This is just an example to show you how cool this module is; you really shouldn't ever do this except for very specific instances, because it will end up consuming your server's resources and making a DDoS attack more likely.  This example forces anyone who doesn't come from the askapache.com site to have their connection delayed 5000 ms, then processing continues.</p>
<pre># The "!" negates the pattern: delay requests whose Referer is NOT askapache.com
SecFilterSelective "HTTP_REFERER" "!askapache\.com" log,pass,pause:5000</pre>




<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#allow-request-methods" name="allow-request-methods" id="allow-request-methods" title="Only Allow Certain REQUEST_METHODS">Only Allow Certain REQUEST_METHODS</a></h2>
<p>I've created a <a href="http://www.askapache.com/online-tools/request-method-scanner/">free online scanner</a> that you can use to scan your site and see how it handles all 27 <a href="http://www.askapache.com/htaccess/27-request-methods-for-use-with-apache-and-rewritecond-and-htaccess.html">REQUEST_METHODS</a>.</p>
<pre># Sends matching requests a 405 Method Not Allowed Status Code
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|OPTIONS)$" "deny,auditlog,status:405"</pre>




<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-debugging" name="mod_security-debugging" id="mod_security-debugging" title="Debugging and Logging">Debugging and Logging</a></h2>
<p>First, it's my best guess that DreamHost is running <strong>ModSecurity v1.9.4</strong>, so it's pretty darn difficult to find information about this module's directives and how to use it.  So debugging through the use of trial and error and logging is the best or only way to figure it out.</p>

<strong>On DreamHost we lucked out</strong>
<p>If you have already been using DreamHost's "extra security" option and use your shell or check your error logs, you will have seen plenty of verbose messages about something or other being blocked.  That's mod_security doing its thing, but it takes up resources on everyone's servers and makes your error log close to unusable.</p>

<h3><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_sec-errorlog" name="mod_sec-errorlog" id="mod_sec-errorlog" title="Control mod_security logging to your error log">Control mod_security logging to your error log</a></h3>
<p>Each filter can have its own actions, so turn logging on (<code>log</code>, <code>auditlog</code>) only for those you want, turn off (<code>nolog</code>, <code>noauditlog</code>) for anything else.</p>
<pre># Not logged
SecFilterDefaultAction "deny,nolog,noauditlog,status:500"
&nbsp;
# Logged but not as verbose.
SecFilterDefaultAction "deny,nolog,auditlog,status:500"</pre>
<dl>
<dt>log</dt>
<dd>Indicates that a successful match of the rule needs to be logged.</dd>
<dt>noauditlog</dt>
<dd>Indicates that a successful match of the rule should not be used as criteria whether the transaction should be logged to the audit log.</dd>
<dt>nolog</dt>
<dd>Prevents rule matches from appearing in both the error and audit logs.</dd>
</dl>






<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#conditional-logging" name="conditional-logging" id="conditional-logging" title="Turn Off/On Logging JUST for your IP Address">Turn Off/On Logging JUST for your IP Address</a></h2>
<p>This is handy when you want to test your rules.</p>
<pre># Turn logging off for your IP
SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "nolog,noauditlog,pass"
&nbsp;
# Turn logging on just for your IP
SecFilterSelective REMOTE_ADDR "!^208\.113\.183\.103" "nolog,noauditlog,pass"
SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "log,auditlog,pass"</pre>





<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-directives" name="mod_security-directives" id="mod_security-directives" title="Mod_Security Directives for DreamHost">Mod_Security Directives for DreamHost</a></h2>
<dl>
<dt>SecFilter</dt>
<dd>The filtering expression</dd>
<dt>SecFilterDebugLog</dt>
<dd>The filename of the filter debugging log file</dd>
<dt>SecFilterDebugLevel</dt>
<dd>The level of the debugging log file verbosity</dd>
<dt>SecFilterSelective</dt>
<dd>The variable representing areas where filtering is wanted, the filtering regular expression and optional action to take on match</dd>
<dt>SecFilterEngine</dt>
<dd>On, Off, or DynamicOnly to determine when requests will be filtered</dd>
<dt>SecServerResponseToken</dt>
<dd>On or Off to set whether the mod_security token will appear in the server signature</dd>
<dt>SecFilterScanPOST</dt>
<dd>On or Off to set whether a request body will be processed</dd>
<dt>SecFilterDefaultAction</dt>
<dd>The default action to take on rule match</dd>
<dt>SecFilterSignatureAction</dt>
<dd>Base action template for signatures that follow this directive</dd>
<dt>SecFilterInheritance</dt>
<dd>On or Off to set whether rules from the parent context will be inherited</dd>
<dt>SecAuditEngine</dt>
<dd>On, Off, RelevantOnly or DynamicOrRelevant to determine the level of audit logging</dd>
<dt>SecAuditLog</dt>
<dd>The filename of the audit log file</dd>
<dt>SecUploadDir</dt>
<dd>The path to the directory where uploaded files should be stored</dd>
<dt>SecUploadKeepFiles</dt>
<dd>On or Off to choose whether to keep the uploaded files or not</dd>
<dt>SecUploadApproveScript</dt>
<dd>The path to the script that will be called to approve every uploaded file</dd>
<dt>SecFilterCheckURLEncoding</dt>
<dd>On or Off to set whether URL encoding validation will be performed</dd>
<dt>SecFilterCheckUnicodeEncoding</dt>
<dd>On or Off to set whether Unicode encoding validation will be performed</dd>
<dt>SecFilterForceByteRange</dt>
<dd>The first and the last byte value of the range that will be accepted</dd>
<dt>SecChrootDir</dt>
<dd>The path of the directory to which server will be chrooted</dd>
<dt>SecChrootLock</dt>
<dd>The filename of the lock file used during the chroot process, defaults to "logs/modsec_chroot.lock"</dd>
<dt>SecServerSignature</dt>
<dd>The new signature of the server</dd>
<dt>SecFilterNormalizeCookies</dt>
<dd>On or Off to determine whether cookie values will be normalized for testing, defaults to On</dd>
<dt>SecFilterCheckCookieFormat</dt>
<dd>On or Off to determine whether cookie format will be checked. Defaults to On</dd>
<dt>SecFilterCookieFormat</dt>
<dd>Version of the Cookie specification to use for parsing. Possible values are 0 and 1.</dd>
<dt>SecCharset</dt>
<dd>Configures the charset</dd>
<dt>SecFilterImport</dt>
<dd>Imports a rule from the parent configuration context</dd>
<dt>SecFilterRemove</dt>
<dd>Removes a rule that was inherited from the parent configuration context</dd>
<dt>SecFilterInheritanceMandatory</dt>
<dd>When set to On, the rules in the parent context cannot be removed from a child context</dd>
<dt>SecAuditLogType</dt>
<dd>Whether to use the old audit log format (Serial) or the new one (Concurrent)</dd>
<dt>SecAuditLogStorageDir</dt>
<dd>Path to the audit log storage area; absolute, or relative to the root of the server</dd>
<dt>SecAuditLogParts</dt>
<dd>List of audit log parts that go into the log</dd>
<dt>SecAuditLogRelevantStatus</dt>
<dd>Regular expression used to determine whether the response status is relevant for audit logging</dd>
<dt>SecFilterActionsRestricted</dt>
<dd>Whether to allow rules to override the SecFilterDefaultAction configuration</dd>
</dl>
<p class="bnote">Just remember each version is different. I think most of the directives in the above list are allowed on DreamHost's install, but I'm not 100% sure; I'm sure they'll be upgrading soon anyway.</p>






<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#mod_security-curve" name="mod_security-curve" id="mod_security-curve" title="How I got Started with mod_sec">How I got Started with mod_sec</a></h2>

<blockquote><strong>Subject: mod_security denying blog post</strong><br />
<p>Is there any way you could modify the mod_security rules for me? For the past 2-4 months I have been having a problem on WordPress where I go to edit a post, and when I hit submit and POST the changes it gives me a 503 Message, which is odd to use a <em>503 Service Temporarily Unavailable</em>; that threw me off for a month thinking the service was unavailable.</p>
<p>Basically this only happens to about 5 of my posts, and almost all of them have something to do with php code, or some other type of programming language. An example is when I try to edit <a href="http://www.askapache.com/php/custom-phpini-tips-and-tricks.html">custom-phpini-tips-and-tricks</a>.  So what I've had to do is go into phpmyadmin and <em>manually edit the database</em>.. I don't want to <em>turn off the mod_security</em> for my site because I am getting hit all the time by malicious looking bots, is that the only way around this? I have no clue, but if it helps that IP 64.233.167.99 is static for me, and this problem only occurs when posting to the <code>/wp-admin/post.php</code> file.</p>
<blockquote><strong>Reply from DreamHost Support</strong><br />
Unfortunately, the mod_security rules need to be changed on all machines and Apache instances if they are changed on just one as our admins like to keep the servers in sync. So getting mod_security modified isn't really something that can be done easily. I'll put in a suggestion as we do host a lot of WordPress blogs, but I can't guarantee that we'll be able to do it very quickly.

I know you don't want to turn mod_security off, but honestly it's your best bet if you want to be able to post without 503's right now. If "64.233.167.99" is always your IP, might I suggest setting up an .htaccess rule in your wp-admin folder to deny all traffic to that folder except for your IP address? I know that doesn't work if you're on the road - although adding IPs to allow to an .htaccess file is pretty easy to do - but it will keep the malicious folks out.</blockquote></blockquote>


<h2><a class="acd" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#httpdconf-rules" name="httpdconf-rules" id="httpdconf-rules" title="Example httpd.conf mod_security rules">Example httpd.conf mod_security rules</a></h2>
<ul class="files">
<li><a href="http://static.askapache.com/text/mod_sec-httpd.conf">mod_sec-httpd.conf</a></li>
<li><a href="http://www.gotroot.com/mod_security+rules">got_root example rules for httpd.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/">Parent Directory</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_21_protocol_anomalies.conf" title="modsecurity_crs_21_protocol_anomalies.conf">modsecurity_crs_21_protocol_anomalies.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_20_protocol_violations.conf" title="modsecurity_crs_20_protocol_violations.conf">modsecurity_crs_20_protocol_violations.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/README" title="README">README</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_45_trojans.conf" title="modsecurity_crs_45_trojans.conf">modsecurity_crs_45_trojans.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_35_bad_robots.conf" title="modsecurity_crs_35_bad_robots.conf">modsecurity_crs_35_bad_robots.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_10_config.conf" title="modsecurity_crs_10_config.conf">modsecurity_crs_10_config.conf</a></li>
<li><a href="http://static.askapache.com/httpd/modules/modsecurity-apache_2.1.4/rules/modsecurity_crs_50_outbound.conf" title="modsecurity_crs_50_outbound.conf">modsecurity_crs_50_outbound.conf</a></li>
</ul>

<hr class="C" />
<p class="cnote"><strong>Reprint:</strong> The old modsecurity malware-blacklist-high.txt file contained on this site used to list <a href="http://www.thankfullpraise.com/" title="Thankful Praise, Inc. - A wonderful site serving the Lord Jesus Christ">ThankfulPraise.com</a> as a malware site, this site is not a malware site.</p>
<hr class="C" />

<p>Some of the attacks this Apache module has the ability to smack down, thanks to its unique positioning within Apache HTTP:</p>
<ol>
    <li><strong>HTTP protection</strong> - detecting violations of the HTTP protocol and a locally defined usage policy
        <ul>
            <li>SQL Injection</li>
            <li>Cross-Site Scripting (XSS)</li>
            <li>OS Command execution</li>
            <li>Remote code inclusion</li>
            <li>LDAP Injection</li>
            <li>SSI Injection</li>
            <li>Information leak</li>
            <li>Buffer overflows</li>
            <li>File disclosure</li>
        </ul>
    </li>
    <li><strong>Common Web Attacks Protection</strong> - detecting common web application security attacks</li>
    <li><strong>Automation detection</strong> - detecting bots, crawlers, scanners and other surface malicious activity</li>
    <li><strong>Trojan Protection</strong> - detecting access to Trojan horses</li>
    <li><strong>Errors Hiding</strong> - disguising error messages sent by the server</li>
</ol>



<p><strong>mod_security links</strong></p>
<ol>
<li><a href="http://static.askapache.com/httpd/mod_security/doc/modsecurity-manual.html">DreamHost Version 1.9.5 Manual</a></li>
<li><a href="http://www.modsecurity.org/documentation/modsecurity-apache/2.1.4/modsecurity2-apache-reference.html">Reference of Actions, Commands, etc.</a> - Official Site</li>
<li><a href="http://www.gotroot.com/mod_security+rules">version 1.9 got_root rules</a></li>
<li><a href="http://sourceforge.net/mailarchive/forum.php?forum_name=mod-security-users">mod-security-users</a> - mailing list</li>
<li><a href="http://noeljackson.com/tools/modsecurity/">mod_security online rules generator</a> - Noel Jackson</li>
<li><a href="http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/">An Intro to mod_security</a> - Atomic Playboy</li>
<li><a href="http://www.modsecurity.org/training/index.html">Get mod_sec training</a></li>
</ol>

<p class="anote"><strong>MOD_SECURITY</strong>: The Most Powerful Server-Side Security Technology I've Seen</p>



<hr />
<h2>htaccess Guide Sections</h2>
<ul class="ou">
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/htaccess-for-webmasters.html" title="Apache HTTP Web Server htaccess tips and tricks">htaccess tricks for Webmasters</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html" title="Creating and using HTTP Headers with htaccess">HTTP Header control with htaccess</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/php-htaccess-tips-and-tricks.html" title="mod_php or php as a cgi with htaccess tips, htaccess php tricks">PHP on Apache tips and tricks</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/seo-search-engine-friendly-redirects-without-mod_rewrite.html" title="SEO-Friendly 301 Redirects without mod_rewrite">SEO Redirects without mod_rewrite</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/mod_rewrite-tips-and-tricks.html" title="mod_rewrite tips and tricks with RewriteEngine, RewriteBase, RewriteRule, and RewriteCond">mod_rewrite examples, tips, and tricks</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/speed-up-your-site-with-caching-and-cache-control.html" title="Caching, cache-control, cache, expires, and optimizing htaccess">HTTP Caching and Site Speedups</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html" title="htaccess and Apache authentication with htpasswd, 401, and 403">Authentication on Apache</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/security-with-htaccess.html" title="Security, hacking, and anti-hacking tips and tricks for htaccess">htaccess Security Tricks and Tips</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html" title="Apache SSL examples">SSL tips and examples</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/apache-variable-fun-in-htaccess.html" title="Apache variables info, tricks, and tips">Variable Fun (mod_env) Section</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html" title="mod_security Guide and sample mod_security directive usage in .htaccess">.htaccess Security with MOD_SECURITY</a></li>
    <li><a rel="chapter bookmark" href="http://www.askapache.com/htaccess/setenvif.html" title="SetEnvIf and SetEnvIfNoCase Examples for conditionally setting variables in Apache .htaccess">SetEnvIf and SetEnvIfNoCase Examples</a></li>
</ul>


<hr /><p><a href="http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html"></a><a href="http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html">Mod_Security .htaccess tricks</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html/feed</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Pen-testing Security Tools</title>
		<link>http://www.askapache.com/security/pen-testing-security-tools.html</link>
		<comments>http://www.askapache.com/security/pen-testing-security-tools.html#comments</comments>
		<pubDate>Fri, 02 Nov 2007 04:37:31 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.askapache.com/security/pen-testing-security-tools.html</guid>
		<description><![CDATA[<p>While testing the exploitability of your target and mapping out vulnerabilities, it is important to gain access inside the target's defenses so that you can establish an internal foothold, such as an owned box or switch.  From there you can use a tool to discover the packet filtering being used and literally map out the firewall/IDS rules. Needless to say, that gives you a much more complete vulnerability assessment and helps discover more weak spots in the system.</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/security/pen-testing-security-tools.html"></a><a href="http://www.askapache.com/security/pen-testing-security-tools.html"><cite>AskApache.com</cite></a></p><p>While testing the exploitability of your target and mapping out vulnerabilities, it is important to gain access inside the target's defenses so that you can establish an internal foothold, such as an owned box or switch.  From there you can use a tool to discover the packet filtering being used and literally map out the firewall/IDS rules. Needless to say, that gives you a much more complete vulnerability assessment and helps discover more weak spots in the system.</p>
<hr class="C" />


<ul>
<li><a class="DB" href="http://freshmeat.net/projects/socat/">Socat</a>
<blockquote>Socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (terminal or modem, etc.), socket (Unix, IP4, IP6 - raw, UDP, TCP), SSL, a client for SOCKS4, or proxy CONNECT. It supports broadcasts and multicasts, abstract Unix sockets, Linux tun/tap, GNU readline, and PTYs. It provides forking, logging, and dumping and different modes for interprocess communication. Many options are available for tuning socat and its channels. Socat can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, or for redirecting TCP-oriented programs to a serial line.</blockquote></li>
<li><a class="DB" href="http://freshmeat.net/projects/samplicator/">Samplicator</a>
<blockquote>UDP Samplicator receives UDP datagrams on a given port and resends those datagrams to a specified set of receivers. In addition, a sampling divisor N may be specified individually for each receiver, which will then only receive one in N of the received packets.</blockquote></li>
</ul>

<dl>
<dt>ftester</dt>
<dd>For master pentesters only: get the lowdown on your packet filtering.</dd>
<dt>rwhois</dt>
<dd>Really great addition to using whois. Get additional info not in whois by querying rwhois servers.</dd>
<dt>lft</dt>
<dd>Useful alternative method of tracerouting, by Oppleman.</dd>
<dt>packit</dt>
<dd>Define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options.</dd>
<dt>etherape</dt>
<dd>Really cool graphical program that displays connections and protocols, similar to cheops.</dd>
<dt>amap</dt>
<dd>Fingerprinting.</dd>
<dt>xprobe2</dt>
<dd>Fingerprinting.</dd>
<dt>p0f2</dt>
<dd>Really exceptional fingerprinting; can be run passively in the background.</dd>
<dt>firewalk</dt>
<dd>Good packet-filtering enumerator.</dd>
<dt>BGPview</dt>
<dd>BGP, anyone?</dd>
<dt>icmpenum</dt>
<dd>ICMP fingerprinting.</dd>
<dt>dnstracer</dt>
<dd>Awesome and creative graphical output of DNS.</dd>
<dt>ssldump</dt>
<dd>Not really that useful, but impressive in a report.</dd>
<dt>mtr</dt>
<dd>Alternative traceroute.</dd>
<dt>MRTG</dt>
<dd>Favorite tool of ISPs; many uses here.</dd>
<dt>host</dt>
<dd>Don't forget this one.</dd>
<dt>ike-scan</dt>
<dd>Scan for VPNs.</dd>
<dt>upnpscan</dt>
<dd>Scan for UPnP devices.</dd>
<dt>ftp-spider</dt>
<dd>Get info on an FTP server.</dd>
<dt>traceproto</dt>
<dd>Very nice alternative to traceroute/firewalk.</dd>
</dl>
<hr class="C" />
<p class="bnote">Also see: <a href="http://www.askapache.com/security/vulnerability-scanners-review.html">Vulnerability Scanner Review</a></p>
<hr class="C" />
<ul>
<li>sing</li>
<li>netleak</li>
<li>dmitry</li>
<li>isic</li>
<li>dnsa</li>
<li>nemesis</li>
<li>sara</li>
<li>zodiacdns</li>
<li>fragroute</li>
<li>sentry 2.0</li>
<li>Caecus</li>
<li>C-Parse</li>
<li>pchar</li>
<li>nmbscan</li>
<li>nbtscan</li>
<li>admsmb</li>
</ul><p><a href="http://www.askapache.com/security/pen-testing-security-tools.html"></a><a href="http://www.askapache.com/security/pen-testing-security-tools.html">Pen-testing Security Tools</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/security/pen-testing-security-tools.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Freshen your Anti-virus, Anti-Rootkits, and Anti-Spyware</title>
		<link>http://www.askapache.com/security/anti-virus-spyware-rootkit.html</link>
		<comments>http://www.askapache.com/security/anti-virus-spyware-rootkit.html#comments</comments>
		<pubDate>Sat, 22 Sep 2007 04:42:58 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.askapache.com/security/anti-virus-spyware-rootkit.html</guid>
		<description><![CDATA[<p><a rel="lb" class="IFL" href='http://www.askapache.com/security/anti-virus-spyware-rootkit.html' title='Rootkit Detection'><img src='http://uploads.askapache.com/2007/09/avg-anti-rootkit.thumbnail.png' alt='Rootkit Detection' /></a><strong>I've tried hundreds of</strong> <strong>Anti-virus</strong>, <strong>Anti-Rootkit</strong>, and <strong>Anti-Spyware</strong> tools over the last 10 years, but it's always good to re-examine your system's security every couple of months.<br class="C" /></p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/security/anti-virus-spyware-rootkit.html"></a><a href="http://www.askapache.com/security/anti-virus-spyware-rootkit.html"><cite>AskApache.com</cite></a></p><p><a rel="lb" class="IFL" href='http://uploads.askapache.com/2007/09/avg-anti-virus.png' title='Anti Virus'><img src='http://uploads.askapache.com/2007/09/avg-anti-virus.thumbnail.png' alt='Anti Virus' title="avg anti virus.thumbnail security" /></a><strong>I've tried hundreds of</strong> <strong>Anti-virus</strong>, <strong>Anti-Rootkit</strong>, and <strong>Anti-Spyware</strong> tools over the last 10 years, but it's always good to re-examine your system's security every couple of months.<br class="C" /></p>
<p class="cnote">I recommend using all the <a href="http://free.grisoft.com/" title="AVG Free Security Software">AVG Security Software</a> unless you are running a Mac, or of course if you are already a genius and are running Linux/Unix/BSD :)</p>

<h2>Anti-Spyware</h2>
<p><a rel="lb" class="IFR" href='http://uploads.askapache.com/2007/09/avg-anti-spyware.png' title='Anti Spyware'><img src='http://uploads.askapache.com/2007/09/avg-anti-spyware.thumbnail.png' alt='Anti Spyware' title="avg anti spyware.thumbnail security" /></a><strong>This is also a newer release</strong> from Grisoft and is fantastic.  It detects everything from hidden NTFS file streams to cookies.  Also includes Real-Time protection.  Learn more and get the free download at <a href="http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0">AVG Anti-Spyware Free Edition</a>.<br class="C" /></p>
<blockquote><a rel="lb" class="IFL" href='http://uploads.askapache.com/2007/09/avg-anti-spyware-1.png' title='Spyware Screenshot'><img src='http://uploads.askapache.com/2007/09/avg-anti-spyware-1.thumbnail.png' alt='Spyware Screenshot' title="avg anti spyware 1.thumbnail security" /></a>AVG Anti-Spyware Free Edition is a popular free antispyware solution available at no cost to home users and provides a high level of detection capability.<br class="C" /></blockquote>


<h2>Anti-Rootkit</h2>
<p><a rel="lb" class="IFL" href='http://uploads.askapache.com/2007/09/avg-anti-rootkit.png' title='Rootkit Detection'><img src='http://uploads.askapache.com/2007/09/avg-anti-rootkit.thumbnail.png' alt='Rootkit Detection' title="avg anti rootkit.thumbnail security" /></a><strong>Rootkits are definitely scandalously cool</strong> but extremely dangerous, because they run underneath your Operating System so that even Anti-Virus programs can't detect them, yet they can see EVERYTHING that you are doing.  AVG has a new anti-rootkit program out that is available for free.  Learn more and get the free download at <a href="http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0">AVG Anti-Rootkit Free Edition</a>.<br class="C" /></p>
<blockquote>AVG Anti-Rootkit Free is a powerful tool with state-of-the-art technology for the detection and removal of rootkits.</blockquote>

<h3>What is a Rootkit</h3>
<blockquote>Rootkits are used to hide the presence of a malicious object like trojans or keyloggers on your computer. If a threat uses rootkit technology to hide itself it is very hard to find the malware on your PC. AVG Anti-Rootkit gives you the power to find and delete the rootkit and to uncover the threat the rootkit is hiding.</blockquote>


<h2>Anti-Virus</h2>
<p><a rel="lb" class="IFL" href='http://uploads.askapache.com/2007/09/avg-anti-virus.png' title='Anti Virus'><img src='http://uploads.askapache.com/2007/09/avg-anti-virus.thumbnail.png' alt='Anti Virus' title="avg anti virus.thumbnail security" /></a><strong>I have used this product for many years</strong> on many computers and I love it.  It doesn't slow down your computer and, most importantly, it has kept me safe from viruses for many years.  And that is saying a heck of a lot considering all the shady places I go on the net.  It has wonderful email scanning, shell-extension scanning, etc.; very easy and intuitive.   Get the free download at <a href="http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0">AVG Anti-Virus Free Edition</a>.  <em>They also have a Linux version!</em><br class="C" /></p>
<blockquote>AVG Free is the most popular free solution available at no cost to home users and provides the high level of detection capability that millions of users around the world trust to protect their computers.</blockquote>


<h2>Free Rescue Scanners (For Use When Malware Has Disabled A Computer)</h2>
<p><em>Get one of these and learn to use it before you need it!</em></p>
<ul>
<li>Avira's bootable CD scanner program (daily manual signature updates) is at <a href="http://www.brothersoft.com/avira-antivir-rescue-system-197951.html">http://www.brothersoft.com/avira-antivir-rescue-system-197951.html</a></li>
<li>Dr. Web's capable bootable CD scanner program (do a manual signature update before scanning) is at <a href="http://www.freedrweb.com/livecd">http://www.freedrweb.com/livecd</a></li>
<li>F-Secure's bootable CD scanner program (updates when run) is at <a href="http://www.brothersoft.com/f-secure-rescue-cd-198321.html">http://www.brothersoft.com/f-secure-rescue-cd-198321.html</a></li>
<li>Kaspersky's bootable CD scanner program (occasional manual updates) is at <a href="http://www.brothersoft.com/kaspersky-rescue-disk-197959.html">http://www.brothersoft.com/kaspersky-rescue-disk-197959.html</a></li>
<li>Sunbelt's Vipre rescue program (download and put on computer or USB drive; a bootable CD is in the works) is at <a href="http://live.sunbeltsoftware.com/">http://live.sunbeltsoftware.com/</a></li>
</ul>



<h2>Comprehensive Resources</h2>
<p><em>Castle Cops is out of business.</em></p>
<ul>
<li>Bleeping Computer has downloads, forums, assistance, and information at <a href="http://www.bleepingcomputer.com/">http://www.bleepingcomputer.com/</a></li>
<li>Malwarehelp Org has information, security news, links, and a blog at <a href="http://www.malwarehelp.org/">http://www.malwarehelp.org/</a></li>
</ul>



<h2>Where To Submit Infected/Suspected Files</h2>
<p><em>ClamWin users should send undetected viruses and false positives to Clam.</em></p>
<ul>
<li>Clam Antivirus accepts files it doesn't detect and false positives at <a href="http://cgi.clamav.net/sendvirus.cgi">http://cgi.clamav.net/sendvirus.cgi</a></li>
<li>Jotti online file scanning service at <a href="http://virusscan.jotti.org/">http://virusscan.jotti.org/</a> - all participating AVs will get a copy</li>
<li>VirusTotal online file scanning service at <a href="http://www.virustotal.com/">http://www.virustotal.com/</a> - all participating AVs will get a copy</li>
</ul>



<h2>Dependable Online Antivirus Scanners</h2>
<p><em>These online scanners do not replace resident, updated antivirus/antispyware scanners.</em></p>
<ul>
<li>ESET (NOD32) malware scan is at <a href="http://www.eset.com/onlinescan/index.php">http://www.eset.com/onlinescan/index.php</a></li>
<li>Microsoft's Live OneCare has several types of scans at <a href="http://onecare.live.com/site/en-us/default.htm">http://onecare.live.com/site/en-us/default.htm</a></li>
<li>Panda ActiveScan is at <a href="http://www.pandasecurity.com/usa/homeusers/solutions/activescan/default.htm">http://www.pandasecurity.com/usa/homeusers/solutions/activescan/default.htm</a></li>
<li>SuperAntiSpyware's research center provides free scans of running computer processes at <a href="http://www.fileresearchcenter.com/">http://www.fileresearchcenter.com/</a></li>
<li>Trend Micro's Housecall scan for malware is at <a href="http://housecall.trendmicro.com/">http://housecall.trendmicro.com/</a></li>
</ul>

<h2>Experienced Online Malware Removal Assistance</h2>
<p><em>Be patient - they don't do this full time.</em></p>
<ul>
<li>Alliance Of Security Analysis Professionals is a good starting place at <a href="http://asap.maddoktor2.com/">http://asap.maddoktor2.com/</a></li>
<li>A-Squared (Emsisoft) (with initial self help) at <a href="http://forum.emsisoft.com/Default.aspx?g=topics&amp;f=38">http://forum.emsisoft.com/Default.aspx?g=topics&amp;f=38</a></li>
<li>Malwareteks (same personnel as Emsisoft, with initial self help) at <a href="http://www.malwareteks.com/forum.html">http://www.malwareteks.com/forum.html</a></li>
<li>Spyware Warrior has free help and a list of rogue antispyware products to avoid at <a href="http://www.spywarewarrior.com/index.php">http://www.spywarewarrior.com/index.php</a></li>
</ul>

<h2>Downloadable Malware Removal Tools</h2>
<p><em>These tools do not replace resident, updated antivirus/antispyware scanners.</em></p>
<ul>
<li>Alwil Software has a free cleaner tool, Avast Free Virus Cleaner, at <a href="http://www.avast.com/eng/programs.html">http://www.avast.com/eng/programs.html</a></li>
<li>AVG has free removal tools (including VCleaner) at <a href="http://free.grisoft.com/doc/virus-removal/us/frt/0">http://free.grisoft.com/doc/virus-removal/us/frt/0</a></li>
<li>CureIt from Dr. Web is a capable free scanner that can be updated manually at <a href="http://www.freedrweb.com/">http://www.freedrweb.com/</a></li>
<li>F-Secure's free Easy Cleaner is at <a href="http://support.f-secure.com/enu/home/onlineservices/fsec/fsec.shtml">http://support.f-secure.com/enu/home/onlineservices/fsec/fsec.shtml</a></li>
<li>F-Secure also has specific removal tools at <a href="http://www.f-secure.com/security_center/malware_removal_tools.html">http://www.f-secure.com/security_center/malware_removal_tools.html</a></li>
<li>Malwarebytes has a freeware version of their capable Anti-Malware program at <a href="http://www.malwarebytes.org/index.php">http://www.malwarebytes.org/index.php</a></li>
<li>Malwareteks has do-it-yourself removal guides at <a href="http://www.malwareteks.com/forum-t408.html">http://www.malwareteks.com/forum-t408.html</a></li>
<li>Microsoft's Malicious Removal Tool (updated monthly on Patch Tuesday) is at <a href="http://www.microsoft.com/security/malwareremove/default.mspx">http://www.microsoft.com/security/malwareremove/default.mspx</a></li>
<li>Norman has a capable Malware Cleaner (use in Safe Mode) at <a href="http://www.norman.com/Virus/Virus_removal_tools/24789/en-us">http://www.norman.com/Virus/Virus_removal_tools/24789/en-us</a></li>
<li>Smitfraud/Antivermins removal tools are at <a href="http://www.bleepingcomputer.com/forums/topic69886.html">http://www.bleepingcomputer.com/forums/topic69886.html</a></li>
<li>Softpedia has some tools at <a href="http://www.softpedia.com/get/Antivirus/Malware-Removal-Tool.shtml">http://www.softpedia.com/get/Antivirus/Malware-Removal-Tool.shtml</a></li>
<li>SuperAntiSpyware has a capable free on-demand antispyware program for home users at <a href="http://www.superantispyware.com/">http://www.superantispyware.com/</a></li>
<li>Symantec has individual malware removal tools at <a href="http://www.symantec.com/business/security_response/removaltools.jsp">http://www.symantec.com/business/security_response/removaltools.jsp</a></li>
<li>Trend Micro's HijackThis can be used to locate malware at <a href="http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis">http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis</a></li>
<li>Various dedicated anti-malware tools are available at <a href="http://www.smokey-services.eu/forum/viewtopic.php?t=2026">http://www.smokey-services.eu/forum/viewtopic.php?t=2026</a></li>
<li>Various spyware/adware removal tools are available at <a href="http://www.pchell.com/support/spyware.shtml">http://www.pchell.com/support/spyware.shtml</a></li>
</ul>


	<span style="font-weight: bold; font-size: 12pt;">Manual Disinfection
Information</span><br />
<span style="font-style: italic;">Get experienced assistance if this
doesn&#39;t work.</span><br />
	<ul><li>

About Dot Com&#39;s removal/prevention guide is at
<a href="http://antivirus.about.com/od/windowsbasics/a/virusremoval.htm">http://antivirus.about.com/od/windowsbasics/a/virusremoval.htm</a></li><li>
AVG&#39;s free anti-malware site has a removal guide at
<a href="http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage=">http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage=</a></li><li>
Bleeping Computer has a removal/disinfection guide at
<a href="http://www.bleepingcomputer.com/tutorials/tutorial101.html">http://www.bleepingcomputer.com/tutorials/tutorial101.html</a></li><li>
Bleeping Computer also has removal instructions for specific rogue
spyware programs at <a href="http://www.bleepingcomputer.com/malware-removal/">http://www.bleepingcomputer.com/malware-removal/</a></li><li>
Major Geeks has a list of rogue security programs at
<a href="http://forums.majorgeeks.com/showthread.php?t=79754">http://forums.majorgeeks.com/showthread.php?t=79754</a></li><li>
Spyware Techie has spyware removal information/links at
<a href="http://www.spyware-techie.com/">http://www.spyware-techie.com/</a></li><li>
Large antivirus vendors offer free manual disinfection information,
including:</li><li>
F-Secure has malware search/descriptions at
<a href="http://www.f-secure.com/v-descs/">http://www.f-secure.com/v-descs/</a></li><li>
Kaspersky has general information at
<a href="http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280800">http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280800</a></li><li>
McAfee has threat resources at <a href="http://vil.nai.com/vil/default.aspx">http://vil.nai.com/vil/default.aspx</a></li><li>
Symantec has current threat information at
<a href="http://www.symantec.com/business/security_response/threatexplorer/threats.jsp">http://www.symantec.com/business/security_response/threatexplorer/threats.jsp</a></li><li>
Trend Micro&#39;s virus encyclopedia is at
<a href="http://www.trendmicro.com/vinfo/virusencyclo/">http://www.trendmicro.com/vinfo/virusencyclo/</a>
</li></ul><p><a href="http://www.askapache.com/security/anti-virus-spyware-rootkit.html"></a><a href="http://www.askapache.com/security/anti-virus-spyware-rootkit.html">Freshen your Anti-virus, Anti-Rootkits, and Anti-Spyware</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/security/anti-virus-spyware-rootkit.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top 5 Vulnerability Port Scanners</title>
		<link>http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html</link>
		<comments>http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html#comments</comments>
		<pubDate>Mon, 22 Jan 2007 19:59:13 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.askapache.com.com/security/top-5-best-vulnerability-port-scanners.html</guid>
		<description><![CDATA[Asked some hackers and Computer Security gurus to list their 5 favorite Vulnerability/Port Scanners.  Here are the results.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html"></a><a href="http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html"><cite>AskApache.com</cite></a></p><p><strong>Asked some hackers</strong> and Computer Security gurus to list their 5 favorite Vulnerability/Port Scanners.  Here are the results.</p>
<p>You might like the more in-depth article: <a href="http://www.askapache.com/security/vulnerability-scanners-review.html">Vulnerability Scanners Review</a>, or you may be looking for the <a href="http://www.askapache.com/security/computer-security-toolbox-2.html">Computer Security Toolbox</a></p>
<hr />
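<p>Before the list, the primitive every tool on it builds on. The following is an added example, not code from AskApache or from any scanner named here: a TCP connect scanner with banner grabbing written against Python's standard library. To keep it self-contained, <code>demo()</code> starts a throwaway listener on 127.0.0.1 that answers with a constructed banner, so running it probes nobody else's host.</p>

```python
"""Minimal TCP connect scanner with banner grabbing.

Added example, not code from AskApache or from any scanner in the list:
it shows the primitive underneath the port scanners and "port 80 banner"
tools listed here, using only the standard library. demo() starts a
throwaway listener on 127.0.0.1 with a constructed banner, so it can be
run without probing anyone else's host.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

CONNECT_TIMEOUT = 0.5  # seconds; keeps filtered ports from stalling the sweep
BANNER_TIMEOUT = 0.5
MAX_WORKERS = 64


def probe(host, port, grab_banner=True):
    """Return (port, state, banner); state is 'open' or 'closed'.

    A full connect() completes the TCP handshake, so unlike a SYN scan
    the target application sees (and usually logs) the connection.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(CONNECT_TIMEOUT)
        try:
            s.connect((host, port))
        except OSError:  # ConnectionRefusedError, timeout, unreachable
            return port, "closed", ""
        banner = ""
        if grab_banner:
            s.settimeout(BANNER_TIMEOUT)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:  # service waits for the client to speak first
                banner = ""
        return port, "open", banner


def scan(host, ports, workers=MAX_WORKERS):
    """Probe ports concurrently; return {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, state, banner in results if state == "open"}


def start_fake_service(banner):
    """Bind a throwaway listener on 127.0.0.1 that sends `banner` and hangs up.

    Exists only so the example is self-contained; returns the ephemeral port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Sweep a small range around the fake service; returns (its port, open-port map)."""
    port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    found = scan("127.0.0.1", range(port - 5, port + 6))
    return port, found


if __name__ == "__main__":
    port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"127.0.0.1:{p}/tcp open  {banner!r}")
```

<p>The point to take from it: a connect scan completes the handshake on every port it touches, which is exactly why the tools below are easy to spot in the target's logs. Point <code>scan()</code> at anything other than a host you own or are authorised to test and you are making noise on someone else's network.</p>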
<ol>
    <li>netcat</li>
    <li>nmap</li>
    <li>hping3</li>
    <li>isic</li>
    <li>p0f2</li>
    <li>sing</li>
    <li>nikto</li>
    <li>firewalk - Detecting Firewall Rules</li>
    <li>nikto/wnikto - cgi scanner</li>
    <li>whisker - cgi scanner with IDS feature </li>
    <li>nessus / NewT - Vulnerability scanner</li>
    <li>Qualys</li>
    <li>eEye Retina</li>
    <li>GFI Languard</li>
    <li>ISS</li>
    <li>Shadow Security Scanner (SSS)</li>
    <li>Paketto's scanrand</li>
    <li>FX Scanner</li>
    <li>Acunetix web vulnerability scanner</li>
    <li>IPCScan</li>
    <li>SQLRecon</li>
    <li>Metasploit</li>
    <li>Whax</li>
    <li>SoftPerfect Network Scanner - Network Share Scanner</li>
    <li>Cain & Abel</li>
    <li>autoscan - integrates some other tools</li>
    <li>hydra - password brute-forcer</li>
    <li>Retina - Vulnerability scanner </li>
    <li>X-scan3 - Vulnerability scanner GUI & CLI  uses nasl</li>
    <li>SuperScan - fast port scanner</li>
    <li>Dfind - CLI vuln scanner</li>
    <li>Sfind - CLI vuln scanner</li>
    <li>scan1000 - fast CLI vuln scanner</li>
    <li>ScanLine - CLI vuln scanner</li>
    <li>GhostPortScanner (GPS) to keep from triggering firewalls</li>
    <li>Superscan 3.0 for TCP Scanning</li>
    <li>Superscan 4.0 for UDP Scanning</li>
    <li>X-Scan v2.3 (nmap + nessus for windows)</li>
    <li>Webdavscan.exe for Mass Port 80 Banner</li>
    <li>NTscan for IPC$ Passwords</li>
    <li>foundstone tools</li>
    <li>sara</li>
    <li>X-Scan</li>
    <li>FOUNDSCAN</li>
    <li>HSCAN</li>
    <li>cheops-ng</li>
    <li>dsns</li>
    <li>Microsoft Baseline Security Analyzer - IIS vuln scanner</li>
</ol><p><a href="http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html"></a><a href="http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html">Top 5 Vulnerability Port Scanners</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/hacking/top-5-vulnerability-port-scanners.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vulnerability Scanners Review</title>
		<link>http://www.askapache.com/hacking/vulnerability-scanners-review.html</link>
		<comments>http://www.askapache.com/hacking/vulnerability-scanners-review.html#comments</comments>
		<pubDate>Sun, 31 Dec 2006 04:39:00 +0000</pubDate>
		<dc:creator>AskApache</dc:creator>
				<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.askapache.com.com/security/54.html</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.askapache.com/hacking/vulnerability-scanners-review.html"></a><a href="http://www.askapache.com/hacking/vulnerability-scanners-review.html"><cite>AskApache.com</cite></a></p><p><strong>A few months back I did some intense testing</strong> of all the best vulnerability scanners out there. I had a couple of Unix boxes hooked up, as well as some Windows machines, and figured I could add clients to a "once-a-week" scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose.</p>
<hr />
<p>You might be looking for the article: <a href="http://www.askapache.com/security/top-5-best-vulnerability-port-scanners.html">Top 5 best Vulnerability Port scanners</a></p>

<p>I tested the following (trying to only list automated vulnerability scanners):</p>

<ol>
	<li>ISS Internet Security Systems</li>
	<li>SSS Shadow Security Scanner</li>
	<li>Retina eEye</li>
	<li>Nessus</li>
	<li>GFI Languard Network Security Scanner</li>
	<li>Qualys www.qualys.com</li>
	<li>Nstealth Security Scanner www.nstalker.com</li>
	<li>Nikto</li>
	<li>Whisker</li>
	<li>Infiltrator <a href="http://www.infiltration-systems.com/">infiltration-systems.com</a></li>
	<li>Nscan</li>
</ol>

<p><strong>I was looking at 3 main areas while evaluating the scanners.</strong></p>
<ol>
<li><strong>Comprehensiveness of the testing</strong>: including how many options are allowed for different scanning, IDS evasion, and types of scans. Also in this category is the availability for the latest exploits and a custom exploit option to allow me to plug in custom exploits.</li>

<li><strong>Quality of the program</strong>: included in this category is availability of updates, speed of various variables, efficiency, "smartness" or "AI" of the program while scanning/reporting, security (does running this version of this vuln scanner leave me vulnerable?), scheduling capabilities, alert and message capabilities, quality of exploits, reactions to "false positives", and overall features and capabilities.</li>

<li><strong>Reporting Capabilities</strong>: How easy is it to create a report? The quality and design of the report. The comprehensiveness and personalization of the reports.</li>
</ol>



<h2>My findings</h2>
<p>All of these programs can be tested for free, either through an evaluation or trial. I believe that the availability of these programs on the net <em>(cracked versions)</em> represents the conspiracy to aid script-kiddies everywhere so that these companies will then profit after an intrusion (or even a loud scan).</p>

<p>None of these programs are <strong>to be used for cracking</strong>... nothing serious at least. Using these programs is akin to knocking on every window of a house, while simultaneously ringing the doorbell and playing loud music in the driveway. Some of the programs allow for easy use of anonymous SOCKS and web proxies, but we all know by now that achieving any real anonymity takes much more work than that.</p>

<h2>After several months testing</h2>
<p>It became clear to me which ones I liked the best.</p>

<p><strong>The top pick all-around (for Windows) has to be eEye's Retina</strong>; the company has a bunch of hackers and you can tell by their awesome product.</p>

<p>Other great scanners (Windows, web) are the different products offered by N-Stalker... a very good web vuln scanner. Free for download.</p>

<p>A close 2nd would be SSS. I love it, it's great, but eEye's is better.</p>

<p><strong>The best choice for me however is Nessus</strong>. Although it has a few negatives compared to some of the other products, it is the best solution for anything serious. Set up a couple of Nessus servers around the globe and try attacking the same location through different networks for some real eye-opening fun. Also good to practice tracking and tracing.</p>

<p>Qualys is poised to be super-rich, just check out their site... great if you don't want to mess with a scanner yourself.</p>

<p>ISS is way too expensive and I didn't like the fact that I had to try for a while until I could download it. But it is considered to be the best scanner and I admit the anti-pirating features and licensing of their software are pretty darn good.</p>

<p>GFI is another top contender. It was just prone to crashing...</p>

<p>A good place to get some other cool tools (especially a professional SSL encryption tester) is www.foundstone.com, where they are available for free. Get them soon, make a Foundstone toolkit.... McAfee bought them so expect the free stuff to get yanked shortly... (I can't believe Foundstone is almost gone...)</p>

<p><strong>Unless you are using these tools on yourself, or to check your friend's PC or company (use scheduling with alerts to email or pager), there is no sane or logical reason to use these tools on any PC that you do not have express permission to use them against.</strong></p>


<p>Remember these tools are the noisiest tools in a security tester's arsenal, and if you use one just once on an unknown host, your ISP can yank your account, you can face legal action, etc.</p>

<p>Better to use <strong>firewalk</strong>, <strong>hping3</strong> (now with scripting!), nmap, etc., and leave these crutch-like tools alone.</p>

<p>Also check out www.coresecurity.com for the best product I have found so far.</p>
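<p>How noisy these scanners really are, seen from the defender's side. This is an added example, not code from AskApache or from any tool named above: a detector over constructed iptables <code>LOG</code> lines that flags any source touching twenty distinct destination ports within ten seconds. The log format, the addresses (documentation ranges) and the year on the syslog timestamps are all assumptions made for the example.</p>

```python
"""Spotting a port scan in firewall logs.

Added example, not from AskApache or any of the tools above: it shows why
the article calls these scanners noisy. A scanner hits many distinct
destination ports from one source in a few seconds, which is trivial to
flag in iptables LOG output. The log lines are constructed in
build_sample_log(); the timestamp year is assumed because syslog omits it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# iptables "--log-prefix" lines; ICMP lines (no DPT=) are ignored by the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
ASSUMED_YEAR = 2012  # syslog timestamps carry no year


def parse_line(line):
    """Return (ts, src, dst, proto, dpt) or None for lines that are not TCP/UDP hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def detect_scans(lines, threshold=20, window_s=10):
    """Flag sources touching >= threshold distinct (dst, proto, port) within window_s.

    Returns {src: (time_of_first_alert, distinct_targets_at_that_time)}.
    Distinct targets, not packets, so a busy but legitimate client that
    repeatedly hits 80 and 443 is not flagged.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, target), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt = rec
        q = recent[src]
        q.append((ts, (dst, proto, dpt)))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # slide the window
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


def build_sample_log():
    """Constructed lines: a SYN sweep of ports 1-40 from 203.0.113.7 at ~10 pps,
    plus a normal client on 198.51.100.20 reusing ports 80 and 443."""
    lines = []
    for i, dpt in enumerate(range(1, 41)):
        lines.append(
            f"Mar 03 10:15:{i // 10:02d} gw kernel: [1201.5] FW-DROP IN=eth0 OUT= "
            f"SRC=203.0.113.7 DST=10.0.0.5 LEN=44 TTL=53 PROTO=TCP SPT={40000 + i} DPT={dpt} SYN"
        )
    for i, dpt in enumerate([80, 443, 80, 80, 443]):
        lines.append(
            f"Mar 03 10:15:{i:02d} gw kernel: [1201.6] FW-ACCEPT IN=eth0 OUT= "
            f"SRC=198.51.100.20 DST=10.0.0.5 LEN=60 TTL=61 PROTO=TCP SPT={50000 + i} DPT={dpt} SYN"
        )
    lines.append("Mar 03 10:15:02 gw kernel: [1201.7] FW-DROP IN=eth0 OUT= "
                 "SRC=203.0.113.7 DST=10.0.0.5 LEN=84 TTL=53 PROTO=ICMP TYPE=8 CODE=0")
    return lines


if __name__ == "__main__":
    for src, (ts, n) in detect_scans(build_sample_log()).items():
        print(f"{ts:%H:%M:%S} possible port scan from {src}: {n} distinct targets in 10s")
```

<p>A plain connect or SYN sweep trips the threshold within its first two seconds; the legitimate client never does, because it keeps reusing the same two ports. Slow, targeted probing of a handful of ports stays under the same threshold, which is the practical reason the article prefers hping3- and firewalk-style probes to running a full scanner against a host you have not been asked to test.</p>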


<h2>A few pointers..</h2>
<p>If you have a network of your own, and you don't have the time or resources to set up a Nessus installation at a remote site to repeatedly test your network, the best solution IME is Qualys. I am not affiliated in any way; I checked it out merely to examine the competition in the marketplace... after experiencing their free trial, unheard-of amounts of documentation, and extremely skilled marketing team, I am still very jealous.</p>

<p>What an easy concept, but they took it to that level and it stands alone, IMHO.</p>

<p>So if you need that kind of simple, safe, comprehensive fix, check out Qualys. Still, you would ultimately save a lot of money (even after computing time and costs) by setting up your own remote server somewhere to automatically check the network for you. Multiple locations of course are ideal (go through different networks etc.).</p>

<p>The major lack of enthusiasm I have for most of these "vulnerability scanners" is the fact that so many of them run on Windows and nothing else. The benefits of running from (almost anything else) a Linux-type platform are enormous. IOW, Nessus can only continue to get better and better, while the only advantage eEye, ISS, and the rest of the dozer boys have is better knowledge of exploits.</p>

<p>This is really a small point (in the big picture) because of the fact that it is sooo easy to copy an exploit (for those that do that sort of thing).</p>

<p>So if you are out there, go help out the excellent people who give us Nessus: go give them a donation, help them develop the software, test it out and email them detailed feedback of your likes and dislikes, do what you can to keep it around. I see it as having the most potential.</p>

<p>There are also vuln scanners that operate locally; many professionals use these to scan a LAN of Windows hosts, for example. These are hard to find, so if you know of any, post.</p>
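<p>The "scheduling with alerts" and "your own remote server automatically checking the network" advice above, as a working piece. This is an added example, not code from AskApache, Nessus or nmap: it assumes a cron job producing nmap XML output (<code>-oX</code>) and diffs the newest run against the previous one, so only changes get reported. Both XML documents embedded below are constructed samples in nmap's format, with hosts in 10.0.0.0/24 chosen for illustration.</p>

```python
"""Baseline diff for scheduled scans of your own network.

Added example, not code from AskApache or from Nessus/nmap: it implements
the "own remote server, scheduled, alert on change" approach described
above using nmap's XML output (-oX). Run from cron, e.g.
    nmap -sS -sV -p- -oX /var/scans/current.xml 10.0.0.0/24
followed by this script; it prints nothing when nothing changed, so
cron's MAILTO only mails real changes. The two XML documents below are
constructed samples in nmap's format, not real scan output.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed: last week's scan (assumed hosts 10.0.0.5 and 10.0.0.6).
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 10.0.0.5 10.0.0.6">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
</nmaprun>"""

# Constructed: this week's scan. 10.0.0.5 gained MySQL and upgraded Apache;
# 10.0.0.6 did not answer at all.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 10.0.0.5 10.0.0.6">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Map (addr, proto, port) -> service description for every open port.

    Only state="open" counts; filtered/closed are ignored, so a firewall
    rule change shows up as a port appearing or disappearing.
    """
    root = ET.fromstring(xml_text)  # our own scan output, so plain ElementTree is acceptable
    found = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            desc = ""
            if svc is not None:
                desc = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            found[(addr, port.get("protocol"), int(port.get("portid")))] = desc
    return found


def diff_scans(baseline, current):
    """Return (new, closed, changed): dicts keyed by (addr, proto, port)."""
    new = {k: current[k] for k in current.keys() - baseline.keys()}
    closed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return new, closed, changed


def format_alert(new, closed, changed):
    """Alert body, one line per change; empty string means no change."""
    lines = []
    for (addr, proto, port), svc in sorted(new.items()):
        lines.append(f"NEW     {addr}:{port}/{proto} {svc}")
    for (addr, proto, port), svc in sorted(closed.items()):
        lines.append(f"CLOSED  {addr}:{port}/{proto} {svc}")
    for (addr, proto, port), (old, cur) in sorted(changed.items()):
        lines.append(f"CHANGED {addr}:{port}/{proto} {old!r} -> {cur!r}")
    return "\n".join(lines)


def run_check(baseline_xml, current_xml):
    """Compare two nmap XML documents; returns the alert text ('' if unchanged)."""
    return format_alert(*diff_scans(parse_open_ports(baseline_xml), parse_open_ports(current_xml)))


if __name__ == "__main__":
    # Real use: sys.argv[1] = last run's XML, sys.argv[2] = this run's XML.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
            report = run_check(b.read(), c.read())
    else:
        report = run_check(BASELINE_XML, CURRENT_XML)
    if report:
        print(report)
        sys.exit(1)  # non-zero so a cron wrapper or pager hook can act on it
```

<p>Two caveats a practitioner will want. A host that goes down looks identical to all of its ports closing, so a "CLOSED" burst for a whole address usually means the box was off, not hardened. And rotate the baseline only after someone has read the diff; if the job blindly promotes each run to the new baseline, a quietly opened port becomes the new normal after one cycle.</p>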


<p>Also, after months of testing all the different vuln tools, including tons not listed above, I still failed to find a bug that allowed me root on a particular server I was testing for a friend.</p>

<p>It was the <strong>mole.cfm</strong> script that finally got me in... an old exploit that none of the scanners tried. So if you are serious about keeping your data safe, hire a real expert (like Foundstone or Core Security) and do not rely on a commercial marketing solution alone.</p>



<p>
<a href="http://www.nwc.com/1201/1201f1b1.html">Another good vulnerability scanner review (12+ pages)</a>
</p><p><a href="http://www.askapache.com/hacking/vulnerability-scanners-review.html"></a><a href="http://www.askapache.com/hacking/vulnerability-scanners-review.html">Vulnerability Scanners Review</a> originally appeared on <cite>AskApache.com</cite> </p>]]></content:encoded>
			<wfw:commentRss>http://www.askapache.com/hacking/vulnerability-scanners-review.html/feed</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
	</channel>
</rss>

