IT security and pentesting tools on FreeBSD

Frank Leonhardt frank2 at fjl.co.uk
Sun Dec 29 15:37:01 UTC 2013


On 29/12/2013 13:36, Polytropon wrote:
> To expand my "daily work", I'd like to explore which tools
> exist on FreeBSD for pentesting and "overall IT security
> diagnostics". The following questions are primarily directed
> to those participants of the mailing list who do similar
> work and/or research and like to share their suggestions.
>
> Having primarily used Linux for this specific purpose, I'd
> like to try to find comparable (or maybe the same) tools
> on the base of FreeBSD which I prefer as a system for work.
> What tools in the ports collections can be used, which offer
> the same functionality? My goal is to migrate as much of
> the "pentesting toolset" to FreeBSD as possible.
>
> I'm already using FreeBSD tools like nmap, tcpdump, iftop or
> Wireshark, but I bet there are more that I should have
> a look at. I'm especially interested in tools to scan for
> WLAN traffic and to demonstrate weak encryption to customers
> (e. g. for those who insist that WEP is "ultimately secure"
> or that "a hidden SSID makes them unhackable"). Diagnostics
> should cover as many layers as possible, it doesn't even
> matter if this versatility is distributed across a set of
> different programs, that's okay.
>
> Those are fields where no special hardware compatibility
> is required. I'm aware that especially cellphone communications
> using a smartphone, connected to USB, may be more tricky on
> FreeBSD than on Linux where it doesn't seem to be a problem
> to make a "GSM scanner". SDR is probably a similarly complicated
> topic when FreeBSD is involved... but in regards of
> hardware I want to use, I've already learned the lesson to
> first check, _then_ buy. :-)
>
> A side question, if I may ask: I'm typically using a second
> LAN or WLAN adapter for on-site diagnostics for customers.
> To make it easier to check _their_ logs for my "actions",
> I'd like to give it an "obvious" MAC address, something like
> EE:EE:EE:EE:EE:EE (which is quite easy to spot in log files).
> Is this possible (and trivial) for LAN and WLAN interfaces
> on a FreeBSD host?
>
> For those hesitating to reply: I'm still one of the good guys.
> You may reply off-list in case the questions list is not the
> right place to expose that kind of knowledge. ;-)
>
>

You work for the NSA and I claim my $50!

I developed an MSc course in "ethical hacking" a few years ago, and I 
used FreeBSD throughout (not Linux). The big ones you missed off the 
list are SARA (Security Auditor's Research Assistant) and Metasploit. 
SARA was an NMAP-type scanner that looked for vulnerabilities (including 
the NVD Database). Unfortunately it's no longer being updated :-( And 
you also have to port it to FreeBSD yourself - so trivial I don't even 
remember doing it.

I still use SARA, but should probably be looking at OpenVAS, which 
forked from Nessus when the latter was still open-source. I haven't 
actually compiled it for FreeBSD, but I don't see it being difficult. I 
should add to this that I work with proprietary, paid-for, software most 
of the time - I don't get to choose (and some of it is written by people 
I know, and they need to make a living).

Metasploit is very good for demonstrating to clients that there really 
is a problem. I don't think there's a FreeBSD port, but if your 
technical knowledge is good enough for penetration testing then this is 
hardly going to be a problem (i.e. just compile it and fix any errors 
that come up). I've used it extensively on FreeBSD.

For snooping WLAN, Kismet is the old favourite but if you just want to 
break WEP, Aircrack-ng works better (IMHO). I'm pretty sure there's a 
port for it under net management. Note that WPA is NOT secure - it just 
takes longer to crack than WEP (two hours vs. twenty seconds). This is 
NOT something I'd be interested in discussing further on an open list - 
all people need to know is that they need new keys every hour.

As to the MAC address, easy. Something like:

ifconfig bge1 link EE:EE:EE:EE:EE:EE

It'll either work, or it won't work.

Regards, Frank.

P.S. Buy my book - Handbook of Electronic Security and Forensics ;-)

P.P.S. Possibly don't, it's more academic than the name suggests.
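As an added example (not part of Frank's reply or of FreeBSD itself): a small sh script that checks a chosen MAC address is a valid locally administered unicast address before applying it, sets it on a wired interface or on a wlan(4) clone, and confirms that ifconfig reports it. The interface names bge1 and ath0/wlan0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface names:
# bge1 (wired) and a wlan0 clone on the parent ath0 (wireless).

# Return 0 if the address is six colon-separated hex octets whose first
# octet has the locally-administered bit set (bit 1) and the multicast
# bit clear (bit 0). EE = 0xEE = 1110 1110 satisfies both: it can never
# collide with a vendor-assigned (OUI) address and stays unicast, which
# is what makes it safe to use and easy to spot in a customer's logs.
mac_ok() {
    mac=$1
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Wired: "ether" is a synonym for "link"/"lladdr" in FreeBSD ifconfig(8).
# Verify by reading the address back rather than trusting the exit code.
set_wired_mac() {
    ifc=$1 mac=$2
    mac_ok "$mac" || { echo "refusing $mac: not locally administered unicast" >&2; return 1; }
    ifconfig "$ifc" ether "$mac" || return 1
    ifconfig "$ifc" | grep -qi "ether $mac"
}

# Wireless: the station address belongs to the wlan(4) clone, so hand it
# over when the clone is created instead of changing the parent device.
set_wlan_mac() {
    parent=$1 mac=$2
    mac_ok "$mac" || return 1
    ifconfig wlan0 create wlandev "$parent" wlanaddr "$mac" || return 1
    ifconfig wlan0 | grep -qi "ether $mac"
}

# To keep the address across reboots, the same options go in /etc/rc.conf,
# e.g. ifconfig_bge1="ether EE:EE:EE:EE:EE:EE DHCP" (assumed interface).
```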
