Ask Slashdot: Do-It-Yourself Security Auditing Tools?

An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"
  • I believe this question really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite?
    • I believe this question really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite?

      The known vectors are finite.

      • The known vectors are finite.

        Yes, the number equals 1: human.

        Fix that attack vector and you won't have anything to worry about.
        • Nah, a vector has magnitude and direction. I would say for at least human/2 the best you could hope for would approximate a drunken curve.

          Good news is human/2 is finite until human == infinite.
        • Not true at all.

          While humans are the biggest attack surface, they are far from the only one.

          My suggestions are Backtrack Linux & a copy of The Art of Deception by Kevin Mitnick.

          Backtrack has some great security auditing tools, however you will still need to understand exploits to test for them. The Art of Deception gives real world examples of social engineering & suggestions on how to plug those gaping holes called humans.

      • And the unknown vectors are infinite.

    • I tried looking for a list of just known vulnerable web app product versions, but it just doesn't seem to exist, there's too much out there, too many plugins, etc.
  • You could try PWNPI (Score:4, Interesting)

    by randomErr ( 172078 ) on Tuesday March 26, 2013 @12:50PM (#43282369) Journal

    This is a nifty suite of programs made for a lot of what you want that runs on a Raspberry Pi. If you don't want to get a Pi you can look at the list of software and download them into your favorite Linux distro. Most (if not all) of these are open source.

    http://pwnpi.sourceforge.net/ [sourceforge.net]

  • by Anonymous Coward
    Post your site on /b for maximum security pokes
  • Whats the point? (Score:5, Informative)

    by Splab ( 574204 ) on Tuesday March 26, 2013 @12:53PM (#43282397)

    What's the point of "basic" security check?

    But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing http://www.youtube.com/user/ChRiStIaAn008 [youtube.com] is a good place to start.

  • by Anonymous Coward

    Nessus is the big cheese with the big price but OpenVAS is the way to go. Do have a machine with plenty of power.

  • by schneidafunk ( 795759 ) on Tuesday March 26, 2013 @12:53PM (#43282405)
    If you have a decent hosting company, they'll do this for you. Mine will send out alerts if a popular CMS install has a known hole in it, and require people to upgrade the software.
  • by Anonymous Coward

    You have no idea what you're doing, you have no idea what you WANT to do, and you have no idea what you need to do in order to get the knowledge to do whatever that is.

    Please, re-think your idea.

  • by Anonymous Coward on Tuesday March 26, 2013 @12:57PM (#43282453)

    There are plenty of web vulnerability scanners that you could use; some require no experience and are point and click, others will require prior knowledge.


  • Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a valid business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

    • by jeffmeden ( 135043 ) on Tuesday March 26, 2013 @01:32PM (#43282817) Homepage Journal

      Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a valid business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

      This. While it would seem logical to put a round of known vulnerabilities into a scanner (like a Virus Scanner works) in the real world this is extremely tricky. Vulnerabilities that come about from combinations of different packages and different configurations interacting are very hard to systematically detect, and even if you do detect them they are just one piece in the huge puzzle that is information security.

      Case in point, I often get audit reports from "creditable" security professionals that there are a set of vulnerabilities in XYZ product, specific to "somesoft operating system 9.0", when in fact the product in question uses no such operating system (or even one similar to it) so the "audit" was obviously just a set of false-positives from a scanner tool. Scanner tools are just that, a TOOL, they are not even close to a true security solution that would produce a meaningful audit; that can only come (at least in this day and age) from a combination of tools and a *lot* of expertise.

  • by quinto2000 ( 211211 ) on Tuesday March 26, 2013 @01:00PM (#43282477) Homepage Journal
    From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.
  • Read ArsTechnica (Score:2, Informative)

    by Anonymous Coward

    Two articles on arstechnica recently covered booters (paid services to attack your sites using a large set of vectors), and password cracking for script kiddies.
    Here they are:

    That should give you a first hint...

  • OWASP (Score:3, Informative)

    by Anonymous Coward on Tuesday March 26, 2013 @01:01PM (#43282487)

    Posting as AC because for some annoying reason Slashdot won't let me log in right now...


  • by Anonymous Coward

    Whether you wanted to or not, just by having a site, you've already asked the whole Internet to check it out. One way to find out if you've done things right, is to look for evidence that you've done things wrong. And there's a little tip I learned...

    Grep your logs for your table names.

    If you have an injection hole, for example, then automated spiders have already found it and exploited it, and (so far) they don't obfuscate or even escape/character-encode their requests, so you'll plainly see their injected
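The log check described above, as an added example that is not code from the thread: it parses combined-format access log lines, URL-decodes the request target (repeatedly, so double-encoded probes are unwrapped), and flags any request whose query string names one of your tables or carries obvious SQL syntax. The table names `users` and `orders` are a made-up schema and the log lines are constructed for the demo; substitute your own.

```python
"""Scan access logs for injection probes that name your own tables.

Added example, not from the Slashdot thread. Assumes Apache/nginx
combined-format logs and a hypothetical schema with tables ``users``
and ``orders``; SAMPLE_LOG below is constructed test data.
"""
import re
from urllib.parse import unquote_plus

TABLE_NAMES = ("users", "orders")  # hypothetical schema; replace with yours

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

TABLE_RE = re.compile(r"\b(" + "|".join(TABLE_NAMES) + r")\b", re.IGNORECASE)

# SQL fragments that have no business in a legitimate request target.
SQL_RE = re.compile(
    r"(union\s+(all\s+)?select|select\b.*\bfrom\b|information_schema"
    r"|sleep\s*\(|benchmark\s*\(|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s|/\*|;\s*drop\b)",
    re.IGNORECASE)


def decode(s, rounds=3):
    """URL-decode repeatedly so %2520-style double encoding is unwrapped."""
    for _ in range(rounds):
        new = unquote_plus(s)
        if new == s:
            break
        s = new
    return s


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    # Request line is "METHOD target PROTOCOL"; bots rarely bother to encode
    # spaces, so the target may span several fields and is re-joined here.
    method = parts[0]
    if len(parts) >= 3:
        target = " ".join(parts[1:-1])
    else:
        target = parts[1] if len(parts) == 2 else ""
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
            "target": decode(target), "status": int(m.group("status"))}


def classify(entry):
    """Return why an entry looks like an injection probe (empty list if clean)."""
    _path, _, query = entry["target"].partition("?")
    reasons = []
    if SQL_RE.search(entry["target"]):
        reasons.append("sql-syntax")
    # Only count table names inside the query string: /users/42 is a normal
    # route, ?id=1 UNION SELECT ... FROM users is not.
    hits = sorted({t.lower() for t in TABLE_RE.findall(query)})
    if hits:
        reasons.append("table:" + ",".join(hits))
    return reasons


def scan_log(lines):
    """Return the parsed entries that look like injection probes."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


# Constructed sample: one clean page view, a UNION probe, a quote/OR probe,
# a normal route that merely contains "users", and a double-encoded probe.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2013:12:50:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
203.0.113.8 - - [26/Mar/2013:12:50:02 +0000] "GET /item.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 912
203.0.113.9 - - [26/Mar/2013:12:50:03 +0000] "GET /item.php?id=1' OR '1'='1 HTTP/1.1" 500 321
203.0.113.10 - - [26/Mar/2013:12:50:04 +0000] "GET /users/42/profile HTTP/1.1" 200 2048
203.0.113.11 - - [26/Mar/2013:12:50:05 +0000] "GET /item.php?id=1%2520AND%2520(SELECT%2520COUNT(*)%2520FROM%2520orders)%253E0 HTTP/1.1" 200 912
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["status"], f["reasons"], f["target"])
```

Run it against a real log with `scan_log(open("access.log"))`. A 200 status on a flagged request is the line worth worrying about: the probe was answered rather than rejected.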

  • And I gather you (the OP) are getting worried; the problem is that you're not paranoid enough.

    Do you, for example, validate your code using the HTML validator from w3c?

    You also need to learn to run tools. I mean, online website tools are nice... as long as you're *SURE* that they've not been hacked, nor are they actually crackers trying to lure you in.

    Determining what tools to use is another issue: are you writing for Windows or *Nix? There's a lot more free tools on the latter, but you will have to learn mo

  • Sectools.org has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Application Security Project (owasp.org) has some good information on secure app development.

    good luck.

  • by holophrastic ( 221104 ) on Tuesday March 26, 2013 @01:19PM (#43282675)

    If yours isn't a mass-market, mass-profit, hugely-popular site, you don't need to secure it. You just need to be different enough that the standard Chinese attack vectors looking for standard run-of-the-mill popular web-site building packages don't find any.

    Trust me, no one's going to your tiny site and trying to find the holes -- no matter how big they are.

    We secure bank vaults with big heavy locks. Your house with a tiny mediocre lock. Your car door with a tinier very crappy lock. Your car trunk with a down-right shitty lock.

    Just be different. It'll get you through the 99% that you care about.

    • by Anonymous Coward

      That's silly... small unsecured servers are targeted because they are easy prey and can relay spam. Just because you don't have valuable customer data to exploit does not take you off the target list.

      • No one's going to find this small unsecured server, and figure out how to hack some mystery unknown customer software. It's just not worth the trouble.

        • by achbed ( 97139 )

          China and Russia thank you for your small unsecured server that is now a full-blown botnet C&C server. Hope your customer doesn't mind their unknown software going slow.

          • Umm, wrong-o. I've been in business for twenty years. Over the course of two decades, my servers have been down due to security-related attacks for six hours spread out over the two decades. You'll find that to be a very successful result across the industry. I profit, my clients profit.

            It's worked and is working for me.

            How's your business doing?

    • by Anonymous Coward

      The bots don't care how popular your site is. All they want is an exploitable vulnerability on a host with reasonable bandwidth. You'll be scanned within minutes of going online. And exploited minutes later [sans.edu] if you have a common vulnerability.

      • I think you missed my entire statement. Which is odd, because it was in both the title and the body.

        Different != Common. Make a note.

    • Three big things you can do to de-target-ify yourself:

      * use SQL prepared statements, never concatenate strings

      * never touch the user's real password... key-stretch it client-side using PBKDF2, and only send the salt & hash to your server. People use the same password everywhere, and attackers know it. If you don't KNOW the passwords of your own users, your site is a lot less interesting to attackers.

      * block outbound traffic on port 25.

      ok, I lied... here are a few more...

      * Don't allow connections to your
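The first two points above, as an added example that is not code from the thread: the same user lookup written with string concatenation and with a prepared statement, so you can see the concatenated version hand back every row for a `' OR '1'='1` input, plus PBKDF2 password storage with a per-user salt and a constant-time compare. It uses Python's sqlite3 against an in-memory database; the `users` table and the two accounts are constructed for the demo. The hashing here runs on the server. If you also stretch the password client-side as the comment suggests, the server must still hash whatever it receives, otherwise the stored value is itself the credential.

```python
"""SQL injection via concatenation vs a prepared statement, plus PBKDF2.

Added example, not code from the thread. Uses sqlite3 with an in-memory
database and a made-up users table; all credentials are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

# Cost parameter for PBKDF2-HMAC-SHA256; raise it until one hash takes a
# noticeable fraction of a second on your own server.
PBKDF2_ITERATIONS = 300_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hashed once so a login for an unknown user costs the same as a wrong password.
DUMMY_HASH = hash_password("dummy")


def setup_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, pw_hash TEXT)")
    for name, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     (name, hash_password(pw)))
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """DO NOT DO THIS: the user-supplied value is pasted into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Prepared statement: the value is bound separately and can never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def login(conn, username, password):
    """Parameterised lookup plus PBKDF2 verification; True only on a match."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"
    print("concatenated:", find_user_vulnerable(db, probe))  # every user leaks
    print("prepared:    ", find_user_safe(db, probe))        # nothing
    print("login:", login(db, "alice", "correct horse battery staple"))
```

sqlite3 refuses stacked statements, so the classic `'; DROP TABLE users; --` fails here, but `OR '1'='1'` does not need a second statement; the concatenated query simply matches every row. The prepared statement sends the value as data, so the quote characters never reach the SQL parser.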

  • Kali Linux (Score:5, Informative)

    by Jane Q. Public ( 1010737 ) on Tuesday March 26, 2013 @01:21PM (#43282693)
    This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.

    This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.

    Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.
    • I didn't know BT was renamed. I thought it had just petered out. Thanks for that.

      I thought it was more of a forensic distro, though.

      • Some of the tools can be used for forensics. But it has a large number of penetration testing tools for doing security audits. The largest and best collection I know about. Of free and open source tools, anyway.
    • by muridae ( 966931 )

      If you want to do it yourself, yes, this is the way to go about it. The OP is an idiot to think that any site on the internet that 'asks permission before hacking your site, just give us the URL or code' is not going to turn around and sell that information afterwards. Either hire professionals, or DIY.

      I keep a copy of BT 5 (i hadn't seen the move to Kali Linux) in a virtual machine. Not the fastest scanner out there, but a small networked box in my house gets the same copy of code installed on it as my web

  • by Anonymous Coward

    Try the OWASP website: https://www.owasp.org/index.php/Main_Page. They have a lot of free tools for doing security testing of websites.

  • Check out https://purecloud.ncircle.com/solutions/en/WebApp/ [ncircle.com]. It is not free, but it covers common web applications, and it is very easy to use. Disclaimer: I work for nCircle
  • The only things tools can tell you is whether another person running the same tool could get in. For anything else they are pretty worthless. Also, the FBI/CIA does not have a clue about IT security. If you must name a TLA, make it at least the NSA.

  • No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited.
    Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a USB "card reader" for SD (microSD doesn't appear to have a read-write switch). You can insert the SDHC in something

    • The SDHC read-write tab? It's more like a vague suggestion than a lock. I've yet to find a card reader that will actually refuse to write to a "write-protected" card.

      • The operating system often seems to write to a lock-switched memory card, and "ls" indicates it has.
        But removing the card reveals data has not been written.
        I'll keep an eye out for actually writing when actually lock-switched.

        • I have now actually checked this.
          I switched an SDHC to read-only, wrote a file to it on Linux, took the SDHC to another computer, and the file was indeed written.
          So, the SDHC lock is no guarantee against writing, and is apparently useless.
          I stand corrected, and thank Carnildo for ending my misadventure.

          I prefer using read-only hardware to "chattr -i" immutability plus a Linux kernel enforcing this,
          since the software approach is cumbersome and changes files' ctime attribute.
          What is available?
          The following in

  • You can use this free scanner to test your FTP or SFTP access.
    http://www.filetransferconsulting.com/low-and-slow-ftp-scanner/ [filetransf...ulting.com]

    Set this utility up with about four garbage usernames, then your actual admin credentials in the username list, and put four junk passwords before your admin password in the password list. Then run the utility with one-second intervals. If your FTP server (or SFTP service) is set up well, your IP (and possibly your username) should be locked out before the utility gets to your legit

  • You may want to see if any of your local colleges have computer security tracks. You may be able to do an Internship, or someone may
    be available to just do it for experience. YMMV

    While you are doing these scans, please note, you may clog up your pipes to the Internet. If you are using hosted services

    There are many sites with CVE information; Secunia is OK. Search for applications you care about.
    http://secunia.com/community/advisories/historic/ [secunia.com]

    Be carefu

  • I'd recommend you proxy your web site through CloudFlare -- www.cloudflare.com -- by having them handle your DNS. You can read more about them at their web site -- I'm not affiliated with them in any way. They offer a free proxy service that acts as a web application firewall and will do a good job at blocking hack attempts.

    From there, you should restrict your webserver's firewall to only allow traffic from CloudFlare's known IPs, so people cannot directly hit your webserver.

    If Linux, install fail2ban on the SSH daemon + require SSH-key based access (no passwords!)

    Finally, get a copy of the home version of Nessus from Tenable and use that to scan your server. Its interface is relatively easy to use, and if you hit your webserver IPs every couple months with this, in addition to using CloudFlare and hardening your SSH daemon, you should be in good shape and not have to worry about silly hacks.
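The "only allow traffic from the proxy's IPs" step above, as an added example that is not code from the thread: it renders the iptables/ip6tables rules that accept 80/443 only from the proxy ranges and drop everything else, and shows the companion check the web application has to make, which is to believe the proxy's client-IP header only when the TCP peer really is the proxy, since anyone who reaches the server directly can forge that header. The `PROXY_CIDRS` below are RFC 5737/3849 documentation ranges standing in for the provider's published list, not Cloudflare's real addresses; the header name `CF-Connecting-IP` is Cloudflare's, and the request "headers" are plain dicts with lower-cased keys constructed for the demo.

```python
"""Accept web traffic only from the CDN/WAF proxy and take the client IP from it.

Added example, not from the thread. PROXY_CIDRS are documentation ranges
used as placeholders; load the provider's current published list in
production. Headers are modelled as dicts with lower-cased keys.
"""
import ipaddress

PROXY_CIDRS = [ipaddress.ip_network(c)
               for c in ("198.51.100.0/24", "2001:db8:1::/48")]  # placeholders


def is_trusted_proxy(addr):
    """True if the TCP peer address falls inside one of the proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROXY_CIDRS)


def client_ip(peer_addr, headers):
    """Return the real client address, or None if the request must be refused.

    The proxy's header is only trusted when the connection actually came from
    the proxy; a direct hit on the origin could carry any forged value.
    """
    if not is_trusted_proxy(peer_addr):
        return None
    hdr = headers.get("cf-connecting-ip") or headers.get("x-forwarded-for", "")
    first = hdr.split(",")[0].strip()  # X-Forwarded-For: client, proxy1, ...
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def firewall_rules(interface="eth0", ports=(80, 443)):
    """Render iptables/ip6tables commands: accept the proxy ranges, drop the rest.

    Rules are appended in order, so the ACCEPTs land before the DROP. SSH and
    anything else you still need reachable must be allowed by other rules.
    """
    rules = []
    for port in ports:
        for net in PROXY_CIDRS:
            tool = "iptables" if net.version == 4 else "ip6tables"
            rules.append(f"{tool} -A INPUT -i {interface} -p tcp --dport {port} "
                         f"-s {net} -j ACCEPT")
        for tool in ("iptables", "ip6tables"):
            rules.append(f"{tool} -A INPUT -i {interface} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in firewall_rules():
        print(rule)
    # Constructed requests: one via the proxy, one straight at the origin.
    print(client_ip("198.51.100.10", {"cf-connecting-ip": "203.0.113.9"}))  # 203.0.113.9
    print(client_ip("203.0.113.9", {"cf-connecting-ip": "10.0.0.1"}))       # None
```

Both halves matter: without the firewall rules, the application check still stops header spoofing but lets attackers bypass the WAF by talking to the origin directly; without the application check, the firewall keeps strangers out but every access log and rate limit would record the proxy's address instead of the attacker's.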

    • I wouldn't recommend CloudFlare. Their engineers are fucking morons, and their service doesn't actually block attacks.

    • + revoke old / unused keys.
      + encrypt the computers that have keys (truecrypt, luks) in case of theft.

  • I'd venture acunetix from http://www.acunetix.com/ [acunetix.com] it does a decent job
  • If you don't understand the application-layer issues which might be present in your programs, then you won't necessarily understand what the tools (whichever) are trying to tell you. Read and learn, grasshopper. You can get a ton of info from OWASP (http://owasp.org) for free, including some issue-specific "cheat sheet" pages. Next, buy the Web Application Hacker's Handbook. Really, do it now, or at least after you've read the OWASP stuff. It's in dead-tree and e-book versions, now second edition.


  • If you are going to get into active testing, then I think professional ethics demand you take precautions to avoid harming other users or their systems, even (or especially) by mistake.

    If you have two computers, then set up a little testing lab for yourself. Take both machines off the Net but put them on the same LAN (preferably a wired LAN but wireless will do). Set up one box as the target with a Web server and the site of your design. Use the other to run your attacks, Kali Linux or whatever.

    The reason t

  • "Do-it-yourself Cryptography"
    "Home Heart Surgery"
    "Roll Yer Own O.S."
    "Kernel and Driver Programming for Dummies"
  • A lot of this conversation has been about remote security scans, but once you find a vulnerability, how do you remediate it? How do you maintain your security posture, and continue auditing your hosts on a regular basis? To what standard?

    The National Institute of Standards & Technology provides a lot of help to those attempting to implement security standards.

    First is the Security Content Automation Protocol (SCAP) - scap.nist.gov [nist.gov]. This defines how you manage, measure and evaluate vulnerabilities.


  • I would bump Kali Linux as the true DIY solution.
    You could just leave it up to someone else and have someone to blame. These guys would make a good scapegoat:

    http://sitecheck.sucuri.net/scanner/ [sucuri.net]

    I have actually used their scanner to find a backdoor in a common PHP script that shall remain nameless. They did report exactly where the vulnerable file was. After I deleted the file they told me the site was secure. Simple.

    Not really DIY and I wouldn't trust anyone 100% but if you pay for a service you have do
