From owner-freebsd-questions@FreeBSD.ORG Sun Dec 29 15:37:01 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2CE48274 for ; Sun, 29 Dec 2013 15:37:01 +0000 (UTC) Received: from bs1.fjl.org.uk (bs1.fjl.org.uk [84.45.41.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 9DA981D15 for ; Sun, 29 Dec 2013 15:37:00 +0000 (UTC) Received: from [192.168.1.35] (host86-161-162-125.range86-161.btcentralplus.com [86.161.162.125]) (authenticated bits=0) by bs1.fjl.org.uk (8.14.4/8.14.4) with ESMTP id rBTFavhp011367 (version=TLSv1/SSLv3 cipher=DHE-DSS-CAMELLIA256-SHA bits=256 verify=NO) for ; Sun, 29 Dec 2013 15:36:58 GMT (envelope-from frank2@fjl.co.uk) Message-ID: <52C04198.5070102@fjl.co.uk> Date: Sun, 29 Dec 2013 15:36:56 +0000 From: Frank Leonhardt User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: IT security and pentesting tools on FreeBSD References: <20131229143625.b3f3a2cf.freebsd@edvax.de> In-Reply-To: <20131229143625.b3f3a2cf.freebsd@edvax.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.17 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Dec 2013 15:37:01 -0000 On 29/12/2013 13:36, Polytropon wrote: > To expand my "daily work", I'd like to explore which tools > exist on FreeBSD for pentesting and "overall IT security > diagnostics". The following questions are primarily directed > to those participants of the mailing list who do similar > work and/or research and like to share their suggestions. > > Having primarily used Linux for this specific purpose, I'd > like to try to find comparable (or maybe the same) tools > on the base of FreeBSD which I prefer as a system for work. > What tools in the ports collections can be used, which offer > the same functionality? My goal is to migrate as much of > the "pentesting toolset" to FreeBSD as possible. > > I'm already using FreeBSD tools like nmap, tcpdump, iftop or > Wireshark, but I bet there are more that I should have > a look at. I'm especially interested in tools to scan for > WLAN traffic and to demonstrate weak encryption to customers > (e. g. for those who insist that WEP is "ultimately secure" > or that "a hidden SSID makes them unhackable"). Diagnostics > should cover as many layers as possible, it doesn't even > matter if this versatility is distributed across a set of > different programs, that's okay. > > Those are fields where no special hardware compatibility > is required. I'm aware that especially cellphone communications > using a smartphone, connected to USB, may be more tricky on > FreeBSD than on Linux where it doesn't seem to be a problem > to make a "GSM scanner". SDR is probably a similarly compli- > cated topic when FreeBSD is involved... but in regards of > hardware I want to use, I've already learned the lessen to > first check, _then_ buy. :-) > > A side question, if I may ask: I'm typically using a second > LAN or WLAN adapter for on-site diagnostics for customers. > To make it easier to check _their_ logs for my "actions", > I'd like to give it an "obvious" MAC address, something like > EE:EE:EE:EE:EE:EE (which is quite easy to spot in log files). > Is this possible (and trivial) for LAN and WLAN interfaces > on a FreeBSD host? > > For those hesitating to reply: I'm still one of the good guys. > You may reply off-list in case the questions list is not the > right place to expose that kind of knowledge. ;-) > > You work for the NSA and I claim my $50! I developed an MSc course in "ethical hacking" a few years ago, and I used FreeBSD throughout (not Linux). The big ones you missed off the list are SARA (Security Auditor's Research Assistant) and Metasploit. SARA was an NMAP-type scanner that looked for vulnerabilities (including the NVD Database). Unfortunately it's no longer being updated :-( And you also have ot port it to FreeBSD yourself - so trivial I don't even remember doing it. I still use SARA, but should probably be looking at OpenVAS, which forked from Nessus when the latter was still open-source. I haven't actually compiled it for FreeBSD, but I don't see it being difficult. I should add to this that I work with proprietary, paid-for, software most of the time - I don't get to choose (and some of it is written by people I know, and they need to make a living). Metasploit is very good for demonstrating to clients that there really is a problem. I don't think there's a FreeBSD port, but if your technical knowledge is good enough for penetration testing then this is hardly going to be a problem (i.e. just compile it and fix any errors that come up). I've used it extensively on FreeBSD. For snooping WLAN, Kismet is the old favourite but if you just want to break WEP, Aircrack-ng works better (IMHO). I'm pretty sure there's a port for it under net management. Note that WPA is NOT secure - it just takes longer to crack than WEP (two hours vs. twenty seconds). This is NOT something I'd be interested in discussing further on an open list - all people need to know is that they need new keys every hour. As to the MAC address, easy. Something like: ifconfig bge1 link EE:EE:EE:EE:EE:EE It'll either work, or it won't work. Regards, Frank. P.S. Buy my book - Handbook of Electronic Security and Forensics ;-) P.P.S. Possibly don't, it's more academic than the name suggests.