Scanning, Detection, General

Technitium MAC Address Changer

http://tmac.technitium.com/tmac/index.html

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC), irrespective of the NIC manufacturer or its driver. It has a very simple user interface and provides ample information about each NIC in the machine. Every NIC has a MAC address hard-coded into its circuitry by its manufacturer. This hard-coded MAC address is used by Windows drivers to access Ethernet networks (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard-coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional's toolbox.

Colasoft MAC Scanner

http://www.colasoft.com/mac_scanner/

Colasoft MAC Scanner is a scan tool used for scanning IP addresses and MAC addresses in a local network. It supports multiple NICs and automatically detects all subnets; scan results can be exported to a text or CSV file.
Colasoft MAC Scanner sends ARP queries to the specified subnet and listens for the ARP responses in order to obtain IP addresses and MAC addresses. The scanning is very fast, and users can change the number of scanning threads to get better efficiency. The scan results will be grouped by MAC address if a MAC address is configured with multiple IP addresses. Users can adjust the number of concurrent threads to manage the scan process, but with fewer threads the scanning operation will take more time to complete.

Colasoft Ping Tool

http://www.colasoft.com/ping_tool/

Colasoft Ping Tool is powerful in supporting pinging multiple IP addresses simultaneously and comparing response times in a graphic chart. Users can view historical charts and save the charts to a *.bmp file. With this built-in tool, users are able to conveniently ping the IP addresses of captured packets in a protocol analyzer (e.g. Colasoft Capsa), including the source IP, destination IP or both.

STerm

http://www.oxid.it/sterm.html

STerm is a Telnet client with a unique feature. It can establish an entire bi-directional Telnet session to a target host without ever sending your real IP and MAC addresses in any packet. By using "ARP poisoning", "MAC spoofing" and "IP spoofing" techniques, STerm can effectively bypass ACLs, firewall rules and IP restrictions on servers and network devices. The connection will be made impersonating a trusted host.

SuperScan

http://www.foundstone.com/us/resources/proddesc/superscan4.htm

(Foundstone's Windows TCP port scanner) A connect-based TCP port scanner, pinger and hostname resolver. No source code is provided. It can handle ping scans and port scans using specified IP ranges. It can also connect to any discovered open port using user-specified "helper" applications (e.g. telnet, web browser, FTP).

Note: numerous free Foundstone tools can be found at the web link below:

http://www.foundstone.com/us/resources-free-tools.asp

Unicornscan

http://www.unicornscan.org/

Unicornscan is an attempt at a user-land distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Although it currently has hundreds of individual features, a main set of abilities includes:

  • Asynchronous stateless TCP scanning with all variations of TCP flags.
  • Asynchronous stateless TCP banner grabbing.
  • Asynchronous protocol-specific UDP scanning (sending enough of a signature to elicit a response).
  • Active and passive remote OS, application, and component identification by analyzing responses.
  • PCAP file logging and filtering.
  • Relational database output.
  • Custom module support.
  • Customized data-set views.

SynScan

http://www.portcullis-security.com/tools/free/synscan-3.1.tar.bz2

Another aspect of host enumeration is determining which TCP ports are in an open state, that is to say TCP ports which respond to SYN packets with the SYN and ACK flags set (SYN-ACK). SynScan is impressively fast at determining this via the use of two processes, one to send the SYN packets and one to listen for the responses. NB: start with low settings at first, as it can impact systems if it is run too fast. The port parse utility is also a useful little tool!

GPS

http://packetstormsecurity.org/UNIX/scanners/gps-0.9.0.tar.gz

Ghost Port Scan is an advanced port scanner and a firewall rule disclosure tool. This tool uses IP & ARP spoofing, sniffing, stealth scanning, ARP poisoning, IP fragmentation, and other techniques to perform stealthy and untrackable information collection. GPS is especially efficient in LAN pen-testing, due to its ability to disclose the firewall settings of a host.

onesixtyone

http://www.portcullis-security.com/tools/free/onesixtyone-0.6.tar.gz

This is an updated version of the well-known onesixtyone SNMP brute-force tool. onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies. This version fixes a number of bugs in other publicly available versions of the software, such as allowing for very large dictionary files and reading target IP addresses from a file.

ntop (Network Traffic Usage Monitor)

http://www.insecure.org/tools.html

ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

Netcat

http://netcat.sourceforge.net/

A simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Nmap

http://www.insecure.org/nmap/

Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free and open source.

Note: a great complement to Nmap is called Nmap Magic.

Nmap Magic uses an implementation of the I,Sushi algorithm to infer structural characteristics from Nmap scan reports across multiple machines.

The Nmap Magic source code can be found here:

http://www.the-mathclub.net/site/code/nmap-magic.tar.bz2

Further information about this tool can be found here:

http://the-mathclub.net/index.php/Gleaning_Structure_from_NMAP_Scan_Reports_Using_I%2CSushi

Nwrap

http://www.isecom.org/projects/toolsandtemplates.shtml

A tool developed by Simon Biles to add the Open Protocol Resource Database as extended functionality to Nmap. This will show all known protocols for discovered ports, which greatly extends the nmap-services file of one service per port. For this to work, Nmap must be installed and the current version of the oprp.dump file should be in the same directory.

Amap

http://thc.org/thc-amap/

Amap is a next-generation tool for assisting network penetration testing. It performs fast and reliable application protocol detection, independent of the TCP/UDP port the application is bound to.

hmap

http://ujeni.murkyroc.com/hmap/

hmap is a web server fingerprinting tool.

SinFP

http://www.gomor.org/cgi-bin/sinfp.pl?mode=view;page=sinfp_description

http://packetstormsecurity.nl/filedesc/SinFP-2.04-1.tar-gz.html

SinFP is a new approach to OS fingerprinting, which bypasses limitations that Nmap has. Nmap's approach to fingerprinting has been shown to be effective for years. Nowadays, with the omnipresence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization technologies, its approach to OS fingerprinting is becoming obsolete. SinFP takes the aforementioned limitations as the basis for deciding which tests must be avoided entirely in the frames it uses, in order to identify the remote operating system accurately. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with only 1 test giving the OS reliably in most cases).

httprint

http://net-square.com/httprint/

httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.

Interactive TCP Relay (ITR)

http://www.imperva.com/download.asp?id=17

This tool provides a security-testing environment for non-HTTP client/server applications, similar to that provided by interactive HTTP proxies. When started, ITR operates as a simple TCP tunnel, listening on a specific port and forwarding all the traffic to the remote host and port. By configuring the client to treat the ITR as its server, all traffic between a client and a server can be tunneled and logged. The true power of ITR, however, lies in its ability to intercept and edit the traffic passing through it. When invoking intercept mode, the ITR stops every message sent through it (client to server and/or server to client). The traffic can then be edited freely, providing a comfortable environment for testing client/server applications. The editing of messages is performed using a comfortable built-in hex editor. To provide support and compatibility for various systems, the ITR can operate both its logs and hex editor using different types of character encodings, such as ASCII or EBCDIC.

Tcpreplay

http://tcpreplay.synfin.net/trac/

Tcpreplay is a suite of BSD-licensed tools written by Aaron Turner for *NIX operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices.

Tomahawk

http://www.tomahawktesttool.org/

Tomahawk is a utility to bidirectionally replay saved tcpdump dump files at arbitrary speeds. It can be used to test the throughput and blocking capabilities of network-based intrusion prevention systems (NIPS).

Key attributes:

  • Network testing: background traffic
    • Collect trace from target network, replay with Tomahawk
    • Bottlenecks will show up as performance problems
  • Connections/sec testing
    • Trace with 1000 full TCP connection setups and teardowns
    • Six (6) 64-byte packets per connection
    • Trace has 6000 packets
    • Replay 250 copies of trace in parallel
    • 31,000 connections/sec test capability
  • Security testing: blocking
    • Collect trace with attack traffic, replay with Tomahawk
    • If trace completes, attack was not blocked
  • Repeatability
    • Replay attacks simultaneously: e.g. 20 pcaps replayed 10x each for a total of 200 attacks
    • IPS should consistently block or miss all of them

Tomahawk patch for routed network testing

http://labs.musecurity.com/wp-content/uploads/2007/04/tomahawk_patch.txt

We have added some options to the Tomahawk network testing tool which allow for testing of routed networks.
Consider the following topology (A1 and A2 are network interfaces on a box running Tomahawk):

  [A1] +--+
          |
          | IP  = 192.168.1.254
          | MAC = AA:AA:AA:AA:AA:AA
          |
       [ DUT ]
          |
          | MAC = BB:BB:BB:BB:BB:BB
          | IP  = 10.0.0.1
          |
  [A2] +--+

When replaying an IP conversation, packets coming from A1 destined for A2 must have a destination IP address within the subnet that contains A2 (10.0.0.0), and a destination MAC address of the router's interface which is on the same network as A1 (AA:AA:AA:AA:AA:AA).

We have added 4 options to Tomahawk to enable testing in this scenario. In the descriptions below, "client" and "server" refer to the interfaces specified by the -i and -j Tomahawk options respectively (and the examples assume "-i A1 -j A2").

-X: client-side MAC address of the router (AA:AA:AA:AA:AA:AA)
-Y: server-side MAC address of the router (BB:BB:BB:BB:BB:BB)
-x: client-side subnet (192.168.0.0)
-y: server-side subnet (10.0.0.0)

The -x and -y options only use the two most significant bytes when rewriting the packet IP addresses.

Usage:

  • Apply patch and build:
    • Download Tomahawk
    • Download tomahawk.patch
    • tar -xvf tomahawk1.1.tar
    • cd tomahawk1.1
    • patch -p1 < ../tomahawk_patch.txt
  • Then build Tomahawk as normal.

Example:

tomahawk -i eth0 -j eth1 -X AA:AA:AA:AA:AA:AA -Y BB:BB:BB:BB:BB:BB -x 10.0.0.0 -y 192.168.0.0 -l 1 -f test.pcap

TCPivo

http://www.thefengs.com/wuchang/work/tcpivo/

TCPivo is a tool that provides high-speed packet replay from a trace file using standard PC hardware and freely available open-source software [1]. This work is supported by the National Science Foundation under grant EIA-0130344 and the generous donations of Intel Corporation. Note that the tool was formerly known as NetVCR.

ike-scan

http://www.nta-monitor.com/tools/ike-scan/

ike-scan was developed by NTA's Technical Director Roy Hills and released in 2003 under the GNU General Public License (GPL). ike-scan exploits transport characteristics in the Internet Key Exchange (IKE) service, the mechanism used by VPNs to establish a connection between a server and a remote client. It scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network.

User documentation can be found at the web URL:

http://www.nta-monitor.com/wiki/index.php/Ike-scan_Documentation

IPSecScan

http://ntsecurity.nu/toolbox/ipsecscan/

IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

IKEProbe

http://www.ernw.de/download/ikeprobe.zip

IKEProbe can be used to determine vulnerabilities in the PSK implementation of the VPN server. It tries out various combinations of ciphers, hashes and Diffie-Hellman groups and attempts to force the remote server into aggressive mode.

arp-scan

http://www.nta-monitor.com/tools/arp-scan/

The Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its IP address is known. This tool runs on Linux and allows host detection and fingerprinting using the ARP protocol.

ARP0c Connection Interceptor

http://www.phenoelit.de/arpoc/index.html

ARP0c is a connection interceptor (using ARP spoofing and a bridging engine). ARP requests from various sources in a switched environment get false ARP response packets which point to the host running ARP0c. Packets from these hosts are bridged with an internal engine to the real destination address to allow normal network operation and keep TCP connections alive. Packets to hosts in remote (read: reachable using a router) subnets are forwarded to a gateway using an internal routing table, independent from the host's routing table.

w3bfukk0r

http://www.ngolde.de/w3bfukk0r.html

w3bfukk0r is a forced browsing tool. It scans web servers (HTTP/HTTPS) for directories by using the HTTP HEAD method and a brute-force mechanism based on a word list. Features:

  • HTTP/HTTPS (SSL) support
  • Banner grabbing
  • User-Agent faking
  • Proxy support (HTTP/S)
  • Reports found and non-existent directories

Note: not all web servers handle HTTP status codes correctly, so if the web server doesn't care about RFCs the report generated by w3bfukk0r may include false positives. Maybe we'll find a good method to detect those false positives.

Odysseus

http://www.wastelands.gen.nz/odysseus/

Odysseus is a proxy server which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Odysseus will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Odysseus decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

Features:

  • Multi-threaded native Win32 executable: the use of native Windows code, combined with extensive multi-threading, means that Odysseus is fast. Speed was a primary development objective.
  • No external dependencies: everything needed to intercept web requests (apart from a browser configured to use Odysseus as a proxy :) is included in the distribution archive. No additional downloads or installations are required.
  • Flexible & configurable: a wealth of configuration options means Odysseus should be flexible enough to meet the needs of nearly any web-based application assessment.
  • Low desktop profile: Odysseus doesn't clutter your desktop with redundant windows. A simple system tray icon is all that is needed to access its many features. The various components of Odysseus appear and disappear as configured, or instructed, by the user.

Security Compass Web Application Auditing Tool (SWAAT)

http://www.securitycompass.com/

Security Compass Web Application Auditing Tool (SWAAT) is a free static web application source code auditing tool. The aim of SWAAT is to help developers, testers, security staff, and auditors locate potentially dangerous portions of source code; it is designed to assist source code review. After reviewing millions of lines of source code, we at Security Compass believe that automated run-time analysis tools are useful at identifying simple, common vulnerabilities. In most cases, however, the vast majority of vulnerabilities require human intelligence and knowledge of the application. SWAAT helps to reduce the burden of source code review by identifying potentially dangerous functions and strings in code and explaining both how they may be dangerous and how to mitigate potential risks.

SIFT Web Method Search Tool

http://www.sift.com.au/73/171/sift-web-method-search-tool.htm

As web services become more prevalent, poor security practices from previous generations of application architectures are being transferred to the web service space. One of these practices is the use of "security through obscurity" to hide certain web methods from users: that is, web methods exist that can be called, but that are not published in the WSDL or otherwise disclosed.

The SIFT Web Method Search Tool is a dictionary attack tool that can be used to brute-force the web method names for a given web service under certain circumstances. That is, SOAP requests can be submitted to a web service using probable combinations of words to allow the identification of hidden web methods not published in the corresponding WSDL document. This is possible because responses to requests for non-existent web methods and web methods that exist differ markedly under most platforms.

OScanner

http://www.cqure.net/wp/?page_id=3

OScanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:

  • SID enumeration
  • Password tests (common & dictionary)
  • Enumerate Oracle version
  • Enumerate account roles
  • Enumerate account privileges
  • Enumerate account hashes
  • Enumerate audit information
  • Enumerate password policies
  • Enumerate database links

The results are given in a graphical Java tree.

Scuba

http://www.imperva.com/application_defense_center/scuba/default.asp

Scuba by Imperva is a free, lightweight Java tool that scans Oracle, DB2, MS-SQL, and Sybase databases for hundreds of software vulnerabilities. It also detects configuration flaws like insecure passwords, unsafe processes, unrestricted permission levels, and more. Furthermore, it generates HTML and Java reports that show the overall security risk level and detailed information about each vulnerability, so you can pinpoint configuration risks within minutes.
Scuba by Imperva detects hundreds of database vulnerabilities and configuration issues. And better yet, it helps you meet industry-leading best practice standards for database configuration and management.

PsTools Suite

http://download.sysinternals.com/Files/PSTools.zip

The tools included in the PsTools suite, which are downloadable individually or as a package, are:

PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes

Ferret - A Broadcast Analysis Tool

http://www.erratasec.com/ferret.html

This tool is designed to demonstrate the problem of "data seepage". The average machine broadcasts a lot of information about itself on open networks. This tool captures and organizes this information.

Caffeine Monkey

http://www.secureworks.com/research/tools/caffeinemonkey.html

This tool helps researchers discover different ways hackers hide their malicious JavaScript. The tool unmasks what the code is actually doing and allows researchers to create algorithms/functions to classify it in whatever way they might want to. One of the key components of this tool is that it is behavior-based, not signature-based. It identifies specific behaviors that are indicative of malicious code. Building on the work of several existing client honeypot implementations, their goal is to largely automate the painstaking work of malicious software collection. The focus is on attacks using JavaScript for obfuscation or exploitation.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License