hunt ( lin.fsid.cvut.cz/~kra/index.html ) This is one of the popular sniffer programs. It also has built-in functions to send forged ARP packets with fake MAC addresses and to hijack (intercept) established connections.
dsniff ( monkey.org/~dugsong/dsniff/ ) This is a utility package for traffic monitoring and related tasks. It comprises the following utilities:
dsniff Intercepts passwords (the main utility). The utility monitors the network for authorization packets. When it detects such a packet, the utility extracts and displays the password. Authorization packets for all of the main protocols (Telnet, FTP, POP, etc.) are supported.
arpspoof Sends forged ARP reply packets, associating an IP address with a false MAC address.
dnsspoof Sends fake DNS packets. If the target machine requests that a host name be resolved to its IP address, you can switch the reply from the DNS server to make the target connect to your computer instead of the requested host.
filesnarf Monitors traffic, waiting for NFS file transfers.
mailsnarf Monitors traffic, waiting for POP and SMTP mail messages.
msgsnarf Monitors instant-messenger (Internet pager) and chat messages, such as ICQ and IRC.
macof Floods a switch with packets carrying generated MAC addresses. If the switch's MAC address table overflows and it can no longer resolve which port a destination is on, it starts functioning as a simple hub, replicating the incoming traffic to all outgoing ports.
tcpkill Terminates a third-party connection by sending an RST packet.
webspy Monitors Web connections and creates a list of sites visited by a specific user.
webmitm Emulates a Web server to carry out a man-in-the-middle attack (see Section 7.9 ).
ettercap ( ettercap.sourceforge.net ) In my opinion, this is the most convenient traffic-monitoring program. Its main function is to look for passwords in packets of all popular protocols. Administrators will also appreciate the function to detect other sniffing programs.
LSAT ( usat.sourceforge.net/ ) This utility is used to check the system configuration ( considered in Section 12.3 ). It analyzes the server's configuration, displaying potential faults, and in some cases can give recommendations on how to fix them.
Bastille ( bastille-linux.sourceforge.net/ ) This utility detects potential server-configuration errors. It can automatically correct configuration errors and faults.
Klaxon ( www.eng.auburn.edu/users/doug/second.html ) This is an attack-detection utility (see Section 12.4 ).
PortSentry ( sourceforge.net/projects/sentrytools ) This utility monitors ports for port-scanning activities (see Section 12.4 ). It can automatically configure the firewall to prohibit connections with the computer from which port scanning was detected.
Swatch ( sourceforge.net/projects/swatch ) This is a handy program for analyzing system logs on a schedule (see Section 12.6 ).
Logsurfer ( sourceforge.net/projects/logsurfer ) This is one of the few utilities that can analyze security logs dynamically (see Section 12.6 ).
John the Ripper ( www.openwall.com/john/ ) This is the most famous password-cracking program.
POP-before-SMTP ( popbsmtp.sourceforge.net/ ) This service allows email to be sent only if the user first checks the POP3 mailbox.
nmap ( www.insecure.org/nmap/ ) This is a port scanner with numerous features.