Many businesses routinely employ "ethical" hackers as a means of testing whether their systems are secure, paying the tech-savvy to break into their computers in what is known as penetration testing, or pen testing.
But you do not need to outsource ethical hacking, and many good tools can be found that will allow your IT department to carry out its own assessment of your security. Here are five of the best, all of which happen to be free and open source.
1. The Metasploit Project
The Metasploit Project has a storied history among ethical hackers, created in October 2003 by HD Moore as a framework for developing exploits in order to beat cybercriminals to them.
Since then the project has been bought up by security vendor Rapid7, which continues to work on it alongside a 200,000 strong open source community. Metasploit’s key aim is to facilitate penetration testing, and it comes in several different flavours depending on your budget.
Available for free is the most basic, Framework, a command-line tool intended for experts, and Community, which works via a graphical interface. Users can also pay a premium for Metasploit Pro which comes with more tools to guide you through testing.
Snort is an example of a "sniffer": the sort of software that a hacker might install on a system in order to steal sensitive details such as passwords, usernames and bank details.
Of course this program is intended for the good guys to use, and as such displays the information it captures on a neat dashboard for easy monitoring. It also functions as an intrusion prevention system (IPS) to deliver traffic analysis for the systems’ admin, as well as a packet logger.
If all of the above was not enough, the project is backed by an open source group, as well as the company Sourcefire, which was founded by Snort creator Martin Roesch and is now owned by Cisco.
3. John the Ripper
John the Ripper is a password cracker, which in today’s era of weak password use is something that every company should consider implementing.
Distributed for free and also backed up by the open source community Openwall, the tool runs across Linux, Windows, and Mac, as well as some products from the Microsoft Office suite, several archiving programs and some instant messaging software.
Alongside the tool is a collection of wordlists for use when testing your workers’ passwords, as well as oodles of documents on maintaining good password policies.
4. Angry IP
Angry IP is an internet protocol scanner that can be used to check active addresses, for hostname resolution and for scanning ports, as well as see who is working on a particular computer.
IT admins will find the tool useful for keeping abreast of traffic on their systems, particularly the security of the various ports that are used to connect around and outside the network, with the software being both lightweight and working across many platforms.
As a bonus the entire source code is available online alongside a number of plugins, and Java programmers can add their own functionality.
Ettercap focuses specifically on man-in-the-middle (MitM) attacks, a form of computer-based eavesdropping that allows hackers to snatch details from unsuspecting victims.
This is achieved by sniffing live connections, rather like Snort, as well as a mix of content filtering on the basis of media access control (MAC) addresses, internet protocols, and address resolution protocol poisoning. The package has been tested across many different Linux systems, and also runs unsupported on Windows.
Like the others on this list, the source code is available to download from the website, where you can also find an archive of previous editions. Those behind the project also intend to open a forum in the undefined future.
This article is from the CBROnline archive: some formatting and images may not be present.