SANS InfoSec Reading Room - Tools

<<Reading Room Home
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Core_1

Featuring 32 papers as of May 22, 2013
PDF IP Fragment Reassembly with Scapy
By: Mark Baggett (posted on July 5, 2012)
Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection system and analysts.
PDF Computer Forensic Timeline Analysis with Tapestry
By: Derek Edwards (posted on November 29, 2011)
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
PDF Tracking Malware With Public Proxy Lists
By: James Powers (posted on January 27, 2011)
The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).
PDF About Face: Defending Your Organization Against Penetration Testing Teams
By: TTerrence OConnor (posted on December 6, 2010)
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team’s time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
PDF Capturing and Analyzing Packets with Perl
By: John Brozycki (posted on January 28, 2010)
The steps in setting up a Windows system with Perl and the necessary add-ons to be able to run and create packet capturing Perl scripts.
PDF Winquisitor: Windows Information Gathering Tool
By: Michael Cardosa (posted on January 19, 2010)
Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.
PDF Building an Automated Behavioral Malware Analysis Environment using Open Source Software
By: Jim Clausing (posted on June 18, 2009)
This paper describes how an automated behavioral malware analysis environment for analyzing malware targeted at Microsoft Windows can be built using free and open source software.
PDF IOScat - a Port of Netcat's TCP functions to Cisco IOS
By: Robert Vandenbrink (posted on May 29, 2009)
This paper outlines both how IOScat was written, and how it can be used for both Penetration Testing and System Administration.
PDF IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms
By: Robert VandenBrink (posted on November 18, 2008)
PDF Developing a Snort Dynamic Preprocessor
By: Daryl Ashley (posted on August 20, 2008)
PDF OS and Application Fingerprinting Techniques
By: Jon Mark Allen (posted on September 27, 2007)
PDF Nessus Primer with the NessusWX Client
By: Cecil Stoll (posted on September 16, 2004)
The focus of this paper will be to proactively seek out known vulnerabilities on the end systems and the processes running on them.
PDF An Ettercap Primer
By: Duane Norton (posted on June 9, 2004)
Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions.
PDF Managing Peer-to-Peer Applications in Dormitory Networks
By: Wayne Lai (posted on March 9, 2004)
Network security for dormitory networks have similar but special network security implications than the typical network.
PDF Demystifying security tools: Should I use commercial or freeware?
By: Sang Han (posted on October 31, 2003)
In this paper, I will touch upon why all network administrators need to incorporate security tool usage into their daily practices to help secure their environment.
PDF Virtually Free Network Security Software - For the *nix disinclined
By: Dennis W. McHugh (posted on October 31, 2003)
This paper discusses some of the tools that have become a part of my personal toolkit that provide me with the ability to detect or verify different attacks and vulnerabilities as well as give me information necessary to report the attacks to the proper authorities.
PDF Netprowler--A Look at Symantec's Network Based IDS
By: Eric Biedermann (posted on October 31, 2003)
This paper examines the features and capabilities of the Netprowler IDS, reviews common types of attacks and looks at an example of a typical intrusion scenario.
PDF Intrusion Detection using ACID on Linux
By: Rusty Scott (posted on October 31, 2003)
This paper addresses a set of security practices that includes a number of key features mentioned in the SANS defense in depth model.
PDF PhoneSweep: The Corporate War Dialer
By: Greg Hodes (posted on October 31, 2003)
The unsecured modem provides a weak and often overlooked avenue into some of the most secure networks as discussed in this paper.
PDF An Overview of SecureIIS - Are We Really Secured Now?
By: Zul Azhan Suhaimi (posted on October 31, 2003)
The objective of this practical paper is to understand how our IIS can be protected using an application firewall.
PDF Using Basic Security Module (BSM), Tripwire, System Logs, and Symantec's ITA for Audit Data C
By: Philip DiFato (posted on October 31, 2003)
The primary focus of this paper is to provide host based set of tools auditing trace records of attempted attacks on a secured network of Solaris boxes.
PDF Network Monitoring with Nagios
By: Scott V. Seglie (posted on October 31, 2003)
Nagios is a network-monitoring tool that allows administrators the ability to examine computers, routers, printers, and services.
PDF Stop Port Scans with LaBrea
By: Jim McClurg (posted on October 31, 2003)
LaBrea is one of the best ideas in security retaliation.
PDF Tools, Tools, and TOOLS!!
By: Firas Shaheen (posted on October 31, 2003)
This paper provides a quick reference on popular tools (IDSes, Firewalls, Exploits, Scanners, Reconnaissance, Password crackers, Auditing, etc.), with a brief explanation on how they work, and where to get them.
PDF Pocket Nessus
By: Tony Enriquez (posted on October 31, 2003)
The purpose of this paper is to introduce a particular set of tools that can be used to secure your network.
PDF netForensics - A Security Information Management Solution
By: Michael B. Godfrey (posted on October 31, 2003)
This paper discusses netForensics, a security information management (SIM) solution that positions itself as a central point for your security information that is collected by various devices.
PDF Patch Management of Microsoft Products Using HFNetChkPro
By: Kris Poznanski (posted on October 31, 2003)
Microsoft together with Shavlik Technologies has developed a Network Security Hotfix Checker the HFNetChk tool (Hfnetchk.exe), a command-line tool that administrators can use to centrally assess a computer or group of computers for the absence of security patches.
PDF Using Sam Spade
By: Terry Pasley (posted on October 31, 2003)
This paper will examine a number of the more useful tools in Sam Spade.
PDF An Introduction to NMAP
By: Tim Corcoran (posted on October 25, 2001)
NMAP is an excellent, multi functional utility that should be a part of every system administrator's toolkit.
PDF Free NT Security Tools
By: Douglas T. Orey (posted on August 6, 2001)
A discussion of several software tools available to assist with security for NT users.
PDF Password Cracking with L0phtCrack 3.0
By: Patrick Boismenu (posted on June 19, 2001)
This paper was designed to describe how most password crackers operate.
PDF Netcat - The TCP/IP Swiss Army Knife
By: Tom Armstrong (posted on February 15, 2001)
Netcat is a tool that every security professional should be aware of and possibly have in their 'security tool box'.
SANS Reading Room

There are many places to get Security Training, but SANS is premium training.
-Carl Ness, University of Iowa

vLive LEG523

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

#appsec "WhatWorks in AppSec: Log Forging" http://t.co/Gsq91O7UAH
May 22, 2013 - 10:00 AM

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It has really been an eye opener concerning the depth of security training & awareness that SANS has to offer."
- Michael Hall, Drivesavers

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee