Monday, March 31, 2014

nbtscan - NETBIOS nameserver scanner


This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on Windows: mine runs on just about everything.

NETBIOS is commonly known as the Windows "Network Neighborhood" protocol, and (among other things) it provides a name service that listens on UDP port 137. When it receives a node status query on this port, it responds with its NetBIOS name table: every name the host has registered, each tagged with a one-byte suffix that identifies the service behind it. Windows ships with a standard tool, nbtstat, which queries a single IP address when given the -A parameter. When run against a machine on the local network (a development box), it shows:

C:\> nbtstat -A 192.168.1.99
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    XPDEV          <00>  UNIQUE      Registered
    UNIXWIX        <00>  GROUP       Registered
    XPDEV          <03>  UNIQUE      Registered
    XPDEV          <20>  UNIQUE      Registered
    UNIXWIX        <1E>  GROUP       Registered

    MAC Address = 00-50-04-6D-50-37

The numeric code (in hexadecimal) and the type serve to identify the service being offered; for instance, a UNIQUE code of <20> indicates that the machine is running the file-sharing (Server) service. Unfortunately, nbtstat only reports the codes, and it requires looking up the meanings elsewhere. The five entries above decode as follows: XPDEV <00> UNIQUE is the Workstation service (the machine name), UNIXWIX <00> GROUP is the domain or workgroup the machine belongs to, XPDEV <03> UNIQUE is the Messenger service (a second <03> entry, when present, is the logged-in user), XPDEV <20> UNIQUE is the File Server service, and UNIXWIX <1E> GROUP is the browser service election name. Other codes worth knowing are <1B> UNIQUE (Domain Master Browser), <1C> GROUP (Domain Controllers) and <1D> UNIQUE (Master Browser).

Machines participating in NETBIOS listen on UDP port 137 for these queries and respond accordingly. Simple configurations might only have a few resource records (as above), but an NT server supporting a large enterprise could easily have more than a dozen. Though it's sometimes useful to examine the full set of resource records for a given machine, in practice it's more useful to summarize them into the key "interesting" services.

Our tool has taken this approach. Not only does it scan ranges of addresses -- instead of just one machine -- but it can fully decode most of the resource record types and can summarize the interesting data on a one-line display.

On our network we have quite a few machines, but it appears that only four respond to our queries:

C:\> nbtscan 192.168.1.0/24
192.168.1.3    MTNDEW\WINDEV    SHARING DC
192.168.1.5    MTNDEW\TESTING
192.168.1.9    MTNDEW\WIZ       SHARING U=STEVE
192.168.1.99   MTNDEW\XPDEV     SHARING

Each line summarizes a name table: the workgroup or domain (GROUP <00>) and machine name (UNIQUE <00>), SHARING if a UNIQUE <20> file server name is registered, DC if the host registered the GROUP <1C> domain controllers name, and U=name for a UNIQUE <03> entry that differs from the machine name, which is the logged-in user. Since the query is a single unauthenticated UDP datagram, a host that filters UDP/137 simply never answers, so silence means "did not respond", not "absent".
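The exchange described above, as an added example that is not nbtscan's own code: it builds the RFC 1002 node status (NBSTAT) query for the wildcard name "*", parses the name table and MAC address out of the reply, and reduces the table to the same one-line summary (domain\host, SHARING, DC, U=user). The reply bytes used for the offline run are constructed here to mirror the nbtstat output above; `query_host` sends a live query to UDP/137 and is the only part that touches the network.

```python
import socket
import struct

# NBSTAT node status query/response, RFC 1002 sections 4.2.17 and 4.2.18.
NBSTAT_TYPE = 0x0021
CLASS_IN = 0x0001
# The wildcard name "*" (0x2A) followed by 15 NULs in first-level encoding:
# each nibble is added to 'A', so "*" -> "CK" and each NUL -> "AA".
# A length byte (0x20 = 32) precedes the 32 characters and 0x00 terminates.
WILDCARD_NAME = b"\x20" + b"CK" + b"A" * 30 + b"\x00"

# (suffix, is_group) -> service, from the well-known NetBIOS suffix list
SUFFIXES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain/Workgroup Name",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
}


def build_node_status_query(txid=0x1234):
    # header: id, flags (plain query), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack(">6H", txid, 0x0000, 1, 0, 0, 0)
    return header + WILDCARD_NAME + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def parse_node_status_response(data):
    """Return ([(name, suffix, is_group), ...], mac) from a node status reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">6H", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NetBIOS node status response")
    pos = 12 + 34                                   # skip RR_NAME (34-byte encoded name)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack(">15sBH", data[pos:pos + 18])
        pos += 18
        group = bool(nflags & 0x8000)               # bit 15 of NAME_FLAGS = G (group)
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"), suffix, group))
    mac = "-".join(f"{b:02X}" for b in data[pos:pos + 6])  # UNIT_ID follows the names
    return names, mac


def describe(names):
    return [(n, f"<{s:02X}>", "GROUP" if g else "UNIQUE", SUFFIXES.get((s, g), "unknown"))
            for n, s, g in names]


def summarize(names):
    """The nbtscan-style one-line view of a name table."""
    host = next((n for n, s, g in names if s == 0x00 and not g), None)
    domain = next((n for n, s, g in names if s == 0x00 and g), None)
    user = next((n for n, s, g in names if s == 0x03 and not g and n != host), None)
    return {
        "host": host, "domain": domain, "user": user,
        "sharing": any(s == 0x20 and not g for _, s, g in names),
        "dc": any(s == 0x1C and g for _, s, g in names),
    }


def query_host(ip, timeout=1.0):
    """Live query against UDP/137; a filtered host just times out (no reply != no host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_query(), (ip, 137))
        data, _ = sock.recvfrom(4096)
    return parse_node_status_response(data)


def _entry(name, suffix, group):
    # NAME_FLAGS: 0x8000 group, 0x0400 active (ACT); owner type B-node
    return struct.pack(">15sBH", name.encode().ljust(15, b" "), suffix, 0x8400 if group else 0x0400)


def constructed_response(txid=0x1234):
    """Constructed reply mirroring the nbtstat table above; not a real capture."""
    entries = [("XPDEV", 0x00, False), ("UNIXWIX", 0x00, True), ("XPDEV", 0x03, False),
               ("XPDEV", 0x20, False), ("UNIXWIX", 0x1E, True)]
    rdata = bytes([len(entries)]) + b"".join(_entry(*e) for e in entries)
    rdata += bytes.fromhex("0050046D5037") + bytes(40)   # UNIT_ID (MAC) + zeroed statistics
    header = struct.pack(">6H", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = WILDCARD_NAME + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata
```

Running `summarize(parse_node_status_response(constructed_response())[0])` yields host XPDEV in domain UNIXWIX with file sharing on and no DC or user entry, i.e. the `UNIXWIX\XPDEV SHARING` line nbtscan would print for that box.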


DNSCrypt - A tool for securing communications between a client and a DNS resolver


dnscrypt-proxy provides a local service which can be used directly as your local resolver or as a DNS forwarder; it encrypts and authenticates requests using the DNSCrypt protocol and passes them to an upstream server.

The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.

While not providing end-to-end security (the resolver itself still sees your queries, and the lookups it makes upstream are ordinary DNS), it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality for DNS queries.


Sunday, March 30, 2014

FolderChangesView - Monitor files changes on Windows


FolderChangesView is a simple tool that monitors the folder or disk drive that you choose and lists every filename that is being modified, created, or deleted while the folder is being monitored. 

You can use FolderChangesView with any local disk drive or with a remote network share, as long as you have read permission to the selected folder.


VirusTotal Scanner - Desktop Tool to Perform Quick Anti-virus Scan using VirusTotal


VirusTotal Scanner is a desktop tool for quickly performing an antivirus scan using VirusTotal.com.

VirusTotal.com is a free online scanning service that analyzes suspicious files with 40+ antivirus engines. Because it reports every engine's verdict side by side, it makes quick detection of viruses, worms, trojans and other malware easier, and it lets you weigh a single engine's detection (a likely false positive) against a consensus.

'VirusTotal Scanner' is a desktop tool which helps you to quickly scan your file using VirusTotal without actually uploading it. It computes the file's hash and performs a hash-based lookup on VirusTotal, which avoids the time taken to upload the file. The caveat is that a hash lookup only returns results for files VirusTotal has already seen: an unknown hash means "never submitted", not "clean", and a recompiled or repacked sample gets a new hash.
It comes with an attractive and user-friendly interface that makes the VirusTotal scanning process simpler and quicker. You can simply right-click on your file and start the scan.

It is a fully portable tool but also comes with an installer for local installation and uninstallation. It works on a wide range of platforms, from Windows XP to Windows 8.


Saturday, March 29, 2014

Windows Domain Credentials Phishing Tool



While performing a pen test for a client I needed to catch a domain user name and password. There are several ways to gain users' passwords, and how to get them really depends on a lot of factors; in my case I didn't have time to wait for the user to enter his credentials and get them using a key logger, so I created a fake Windows domain login window to try to force and trick the user into entering his password.

There are several tools and techniques, such as "Mimikatz", but they require you to have administrative/system privileges; you don't need special privileges to execute "Windows Domain Credentials Phishing Tool".

* Please note, this tool requires the .NET Framework on the target system.
* This tool should not be used to perform illegal activities.


Pompem - Exploit Finder


Pompem is an open source tool designed to automate the search for exploits in the major databases. Developed in Python, it has an advanced search system that eases the work of pentesters and ethical hackers. Its current version searches the following databases: Exploit-DB, 1337day, Packetstorm Security...

Usage

To get the list of basic options and information about the project:
python pompem.py -h

Examples of use:
python pompem.py -s Wordpress
python pompem.py -s Joomla --html
python pompem.py -s "Internet Explorer,joomla,wordpress" --html
python pompem.py -s FortiGate --txt
python pompem.py -s ssh,ftp,mysql
python pompem.py --update


Friday, March 28, 2014

CrowdInspect - Scan of your running processes on Windows with Virus Total, WOT & MHR


CrowdInspect is a free professional-grade tool for Microsoft Windows systems from CrowdStrike, intended to alert you to network-communicating malware that may be present on your computer. It is a host-based real-time monitoring and recording tool that uses multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates each connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or, optionally, as a full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and the reverse-resolved DNS name of the remote IP address are shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of these accessed by clicking the "Live/History" toolbar button to switch between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

--  (o Gray icon)
Not applicable/not available. The entry has no process that can be tested.

??  (o Gray icon)
The process did not allow us to test for code injection.

OK  (o Green)
The process did not appear to have any evidence of thread injection.

!!  (o Red icon)
The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that does exhibit this behavior. The process/application should be investigated further.


VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

<http://www.virustotal.com>

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:

--  (o Gray icon)
Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.

??  (o Gray icon)
The entry does not exist in the VirusTotal database. This is probably good, though it can also mean the file has simply never been submitted (for example a freshly built or repacked binary), so treat an unknown hash as "no information" rather than "clean".

0% ... 100%  (o Green ... o Red icons)
The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!)

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.


Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

<http://www.teamcymru.com>

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer so the results can be one of the following:

--  (o Gray icon)
Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.

??  (o Gray icon)
The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.

!!  (o Red icon)
The entry DOES exist in the MHR database. The process is known to be malware. This is bad!



Web of Trust

Crowd-sourced domain name reputation system

<http://www.mywot.com>

Shown in the "WOT" column of the tool are the basic summary results of querying the Web of Trust service against the reverse-resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

--  (o Gray icon)
Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.

??  (o Gray icon)
The entry does not exist in the WoT database.

0% ... 100%  (o Red ... o Green icons)
The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.


To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.
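The hash-lookup and caching behaviour described in this section, as an added example that is not CrowdInspect's code: it derives the MD5 (the key the Team Cymru MHR is queried on) and SHA-256 (the key used for VirusTotal) of a process image, builds the MHR DNS name whose TXT record answers `"<last-seen epoch> <detection percent>"`, maps the two service results onto the `--` / `??` / `NN%` / `!!` column values the tool displays, and caches by hash so no image is queried twice. The lookups are passed in as callables so the example runs offline; the stub results in the usage note are constructed, and `ReputationCache` is a name chosen here, not something CrowdInspect exposes.

```python
import hashlib

MHR_ZONE = "malware.hash.cymru.com"


def hashes(data):
    """MD5 keys the Team Cymru MHR lookup; SHA-256 keys the VirusTotal lookup."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def mhr_query_name(md5_hex):
    """DNS name to resolve as TXT, e.g.  dig +short <name> TXT"""
    return f"{md5_hex.lower()}.{MHR_ZONE}"


def parse_mhr_txt(txt):
    """MHR answers '<last-seen unix time> <detection percent>'; NXDOMAIN (None) = unknown."""
    if txt is None:
        return None
    last_seen, pct = txt.strip().strip('"').split()
    return {"last_seen": int(last_seen), "detection_percent": int(pct)}


def vt_column(vt_result):
    """vt_result is (positives, total) or None when the hash is not in the database."""
    if vt_result is None:
        return "??"
    positives, total = vt_result
    return f"{round(100 * positives / total)}%"


def mhr_column(mhr_result):
    # MHR is a yes/no source: a record exists only for known malware
    return "!!" if mhr_result is not None else "??"


class ReputationCache:
    """Queries each unique image once (by hash) and keeps the row for the tool's lifetime."""

    def __init__(self, vt_lookup, mhr_lookup):
        # vt_lookup(sha256_hex) -> (positives, total) | None
        # mhr_lookup(dns_name)  -> TXT string | None ; both raise OSError when unreachable
        self.vt_lookup = vt_lookup
        self.mhr_lookup = mhr_lookup
        self.cache = {}

    def row(self, image_bytes):
        h = hashes(image_bytes)
        if h["sha256"] not in self.cache:
            try:
                vt = vt_column(self.vt_lookup(h["sha256"]))
            except OSError:
                vt = "--"                       # no connection to the service
            try:
                mhr = parse_mhr_txt(self.mhr_lookup(mhr_query_name(h["md5"])))
                mhr_col = mhr_column(mhr)
            except OSError:
                mhr, mhr_col = None, "--"
            self.cache[h["sha256"]] = {"sha256": h["sha256"], "md5": h["md5"],
                                       "VT": vt, "MHR": mhr_col, "mhr": mhr}
        return self.cache[h["sha256"]]
```

With constructed stubs, `ReputationCache(lambda sha: (5, 50), lambda name: '"1277221946 79"').row(b"image")` gives VT `10%` and MHR `!!`, and a second `row()` call for the same bytes is served from the cache. Note that both lookups are exact-match on the file hash: a single changed byte yields a different hash and an honest `??`.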


SEES (Social Engineering Email Sender) - A Social Engineering Attack/Audit Tool for Spear Phishing

What is SEES?

Most companies nowadays have firewalls and threat monitoring and prevention appliances in place. With these mechanisms, security precautions are taken and incidents are monitored, and inbound traffic is restricted. SEES, on the other hand, goes after the users: it is developed for sending targeted phishing emails in order to carry out sophisticated social engineering attacks/audits.

SEES aims to increase the success rate of phishing attacks by sending emails to company users as if they were coming from the company's own domain. The attack becomes much more convincing if an attacker is able to send an email that appears to come from ceo@example.org to a company whose domain is example.org. Whether such a message is delivered with its forged From: intact depends on the target domain's SPF, DKIM and DMARC records and on how strictly the receiving mail server enforces them, so checking those records is the first step of such an audit.
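The record check mentioned above, as an added example that is not part of SEES: it parses a domain's SPF and DMARC TXT records and states whether mail with a forged From: at that exact domain is likely to be accepted. Only the parsing is shown; the TXT values in the usage note are constructed, and a live run would fetch `example.org` and `_dmarc.example.org` TXT records with a DNS library of your choice (the standard library has no TXT resolver). Lookalike domains and display-name tricks are outside what these records control.

```python
import re


def parse_spf(txt):
    """Split an SPF record into its terms and report the qualifier on 'all'
    ('+', '-', '~', '?'); returns None when the TXT record is not SPF."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    terms = txt.strip().split()[1:]
    all_qualifier = None
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; pct=100; ...' into a tag dict; None when not DMARC."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoofing_assessment(spf_txt, dmarc_txt):
    """Can a message with a forged From: <user@domain> be expected to reach the inbox?
    DMARC is what ties SPF/DKIM to the visible From: header; SPF alone only
    governs the envelope sender, so the decision hinges on the DMARC policy."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    result = {"spf_all": spf["all"] if spf else None, "dmarc_policy": None, "dmarc_pct": None}
    if dmarc is None:
        result.update(likely_spoofable=True,
                      reason="no DMARC record: receivers apply no policy to a forged From:")
        return result
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    result.update(dmarc_policy=policy, dmarc_pct=pct)
    if policy == "none":
        result.update(likely_spoofable=True,
                      reason="DMARC p=none only reports; failing mail is still delivered")
    elif pct < 100:
        result.update(likely_spoofable=True,
                      reason=f"DMARC policy is applied to only {pct}% of failing mail")
    elif spf and spf["all"] == "+":
        result.update(likely_spoofable=True,
                      reason="SPF +all passes any sender, which satisfies DMARC alignment")
    else:
        result.update(likely_spoofable=False,
                      reason=f"DMARC p={policy}: unsigned mail from unlisted hosts is {policy}ed")
    return result
```

Constructed inputs: `spoofing_assessment("v=spf1 include:_spf.example.org -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.org")` reports not spoofable, while the same domain with no DMARC record, or with `p=none`, reports spoofable regardless of how strict its SPF is.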


iRET - iOS Reverse Engineering Toolkit


iOS Reverse Engineering Toolkit, or iRET, is a set of tools that helps the security auditor carry out common tasks automatically. Those tasks focus on the analysis and reverse engineering of iOS applications, Apple's mobile platform (iPhone/iPad).

Among the tasks this toolkit can automate are:
  • Binary Analysis (basado en otool)
  • Keychain Analysis (keychain_dumper)
  • Database Analysis (sqlite3)
  • Log Viewer
  • Plist Viewer
  • Header Files
  • Create, edit, save and build theos tweaks
  • Display cached screenshots

Thursday, March 27, 2014

URLCrazy - Test domain typos and variations to detect typo squatting, URL hijacking, phishing, and corporate espionage


Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.

Usage

* Detect typo squatters profiting from typos on your domain name
* Protect your brand by registering popular typos
* Identify typo domain names that will receive traffic intended for another domain
* Conduct phishing attacks during a penetration test

Features

* Generates 15 types of domain variants
* Knows over 8000 common misspellings
* Supports cosmic ray induced bit flipping (domain variants that differ from the original by a single flipped bit in one character)
* Multiple keyboard layouts (qwerty, azerty, qwertz, dvorak)
* Checks if a domain variant is valid
* Test if domain variants are in use
* Estimate popularity of a domain variant

URLCrazy requires Linux and the Ruby interpreter.
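A generator for several of the variant classes listed above, as an added example in Python rather than URLCrazy's Ruby: character omission, repetition, adjacent transposition, adjacent-key replacement and insertion on a QWERTY layout, digit homoglyphs, and single-bit flips, each filtered so only labels that are valid in a DNS name survive. It covers seven of URLCrazy's fifteen variant types; the keyboard and homoglyph tables are reduced ones written for this example, and the domain is assumed to be `label.suffix` with only the first label varied.

```python
import string

# Adjacent keys on a QWERTY layout (reduced table, letters only)
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Look-alike digits that are legal in a hostname label
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "g": "9", "b": "8"}
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")
KINDS = ("omission", "repetition", "transposition", "replacement", "insertion", "homoglyph", "bitflip")


def valid_label(label):
    """LDH rule: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen."""
    return 1 <= len(label) <= 63 and set(label) <= LABEL_CHARS and label[0] != "-" and label[-1] != "-"


def generate(domain):
    """Return {kind: {variant domain, ...}} for the first label of `domain`."""
    name, dot, suffix = domain.lower().partition(".")
    raw = {kind: set() for kind in KINDS}
    for i, ch in enumerate(name):
        raw["omission"].add(name[:i] + name[i + 1:])
        raw["repetition"].add(name[:i] + ch + name[i:])
        if i + 1 < len(name):
            raw["transposition"].add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for neighbour in QWERTY.get(ch, ""):
            raw["replacement"].add(name[:i] + neighbour + name[i + 1:])
            raw["insertion"].add(name[:i] + neighbour + name[i:])       # fat-finger before
            raw["insertion"].add(name[:i + 1] + neighbour + name[i + 1:])  # fat-finger after
        if ch in HOMOGLYPHS:
            raw["homoglyph"].add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
        for bit in range(8):
            # a single flipped bit in memory or on the wire; most results are not
            # valid hostname characters and are dropped by valid_label below
            raw["bitflip"].add(name[:i] + chr(ord(ch) ^ (1 << bit)) + name[i + 1:])
    return {kind: {f"{label}{dot}{suffix}" for label in labels if label != name and valid_label(label)}
            for kind, labels in raw.items()}


def all_variants(domain):
    return set().union(*generate(domain).values())
```

For `example.com` the bit-flip class includes `excmple.com` ('a' is 0x61; flipping bit 1 gives 0x63, 'c') and `dxample.com` ('e' 0x65 with bit 0 flipped is 'd'); which of the generated names are registered and actually answer is a separate resolution step that this block does not perform.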


Nagios XI - The industry standard for IT infrastructure monitoring


Nagios XI is a system and network monitoring application. It watches hosts and services that you specify, alerting you when things go bad and when they get better. Some of its many features include monitoring of network services (SMTP, POP3, HTTP, NNTP, ICMP, etc.), monitoring of host resources (processor load, disk usage, etc.), and contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method).

With Nagios you can:
  • Monitor your entire IT infrastructure
  • Spot problems before they occur
  • Know immediately when problems arise
  • Share availability data with stakeholders
  • Detect security breaches
  • Plan and budget for IT upgrades
  • Reduce downtime and business losses

DNSQuerySniffer - DNS Queries Sniffer


DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records. 


You can easily export the DNS queries information to csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard, and then paste them into Excel or other spreadsheet application.



MITMer - Automated Man-In-The-Middle Attack Tool

MITMer is a man-in-the-middle and phishing attack tool that steals the victim's credentials for some web services, such as Facebook.

Dependencies:
  • python2
  • scapy
  • python2-nfqueue
How to:
  • Run it as root.
    sudo python2 mitmer.py
  • Select a network interface.
  • After scanning the network for available hosts, choose one as a victim or enter an IP address manually.
  • Select one of the attack profiles or custom.
  • If custom is selected, type the domain(s) you want in the “Query request” field, and type the domain (or IP address) of the server that the victim should be redirected to in the “Query reply” field.
  • Start the attack and wait.

Wednesday, March 26, 2014

Cpuminer - CPU miner for Litecoin and Bitcoin


cpuminer is a multi-threaded, highly optimized CPU miner for Litecoin, Bitcoin and other cryptocurrencies. Currently supported algorithms are SHA-256d and scrypt(1024, 1, 1).

It supports the getwork mining protocol as well as the Stratum mining protocol, and can be used for both solo and pooled mining.

Dependencies:
libcurl http://curl.haxx.se/libcurl/
jansson http://www.digip.org/jansson/
(jansson is included in-tree)

Basic *nix build instructions:
./autogen.sh # only needed if building from git repo
./nomacro.pl # only needed if building on Mac OS X or with Clang
./configure CFLAGS="-O3"
make

Notes for AIX users:
* To build a 64-bit binary, export OBJECT_MODE=64
* GNU-style long options are not supported, but are accessible
 via configuration file

Basic Windows build instructions, using MinGW:
Install MinGW and the MSYS Developer Tool Kit (http://www.mingw.org/)
* Make sure you have mstcpip.h in MinGW\include
If using MinGW-w64, install pthreads-w64
Install libcurl devel (http://curl.haxx.se/download.html)
* Make sure you have libcurl.m4 in MinGW\share\aclocal
* Make sure you have curl-config in MinGW\bin
In the MSYS shell, run:
./autogen.sh # only needed if building from git repo
LIBCURL="-lcurldll" ./configure CFLAGS="-O3"
make

Architecture-specific notes:
ARM: No runtime CPU detection. The miner can take advantage
of some instructions specific to ARMv5E and later processors,
but the decision whether to use them is made at compile time,
based on compiler-defined macros.
To use NEON instructions, add "-mfpu=neon" to CFLAGS.
x86: The miner checks for SSE2 instructions support at runtime,
and uses them if they are available.
x86-64: The miner can take advantage of AVX, AVX2 and XOP instructions,
but only if both the CPU and the operating system support them.
   * Linux supports AVX starting from kernel version 2.6.30.
   * FreeBSD supports AVX starting with 9.1-RELEASE.
   * Mac OS X added AVX support in the 10.6.8 update.
   * Windows supports AVX starting from Windows 7 SP1 and
     Windows Server 2008 R2 SP1.
The configure script outputs a warning if the assembler
doesn't support some instruction sets. In that case, the miner
can still be built, but unavailable optimizations are left off.

Usage instructions:  Run "minerd --help" to see options.

Tuesday, March 25, 2014

[EMS] E-mail Spoofer


E-mail Spoofer is a tool designed for penetration testers who need to send phishing e-mails.

It allows sending mail to a single recipient or a list, and it supports plain-text/HTML e-mail formats, attachments, templates and more…

Features

  • Support for Plain text and HTML
  • E-mail Templates
  • Spoofing Sender Address
  • Supports SMTP Authentication and SSL
  • Single or Multiple Recipients
  • HTML E-mail Preview

Monday, March 24, 2014

[JRT] Junkware Removal Tool


Junkware Removal Tool is a security utility that searches for and removes common adware, toolbars, and potentially unwanted programs (PUPs) from your computer. A common tactic among freeware publishers is to offer their products for free but bundle them with PUPs in order to earn revenue. This tool will help you remove these types of programs.

Junkware Removal Tool has the ability to remove the following types of programs:
  • Ask Toolbar
  • Babylon
  • Blekko
  • Claro / iSearch
  • Conduit
  • Crossrider
  • DealPly
  • Delta
  • Facemoods / Funmoods
  • Findgala
  • Globasearch
  • Hao123
  • iLivid
  • Iminent
  • IncrediBar
  • MocaFlix
  • MyPC Backup
  • MyWebSearch
  • PerformerSoft
  • Privitize
  • Qvo6
  • Searchqu
  • Snap Do
  • Swag Bucks
  • Wajam
  • Web Assistant
  • WhiteSmoke
  • Zugo
and many more…

[AdwCleaner] Removal Tool for Adware, Toolbars and Hijacker


AdwCleaner is a free removal tool for:

  • Adware (advertising software)
  • PUP/LPI (Potentially Undesirable Programs)
  • Toolbars
  • Hijackers (hijacking of the browser's homepage)

It works in a Search mode and a Delete mode, and it can be easily removed using its "Uninstall" mode.

It's compatible with Windows XP, Vista, 7, 8, 8.1 in 32 & 64 bits.


[VideoCacheView] Play offline/Save .flv video files from Web browser cache



After watching a video in a Web site, you may want to save the video file into your local disk for playing it offline in the future. If the video file is stored in your browser's cache, this utility can help you to extract the video file from the cache and save it for watching it in the future. 

It automatically scans the entire cache of Internet Explorer, Mozilla-based Web browsers (Including Firefox), Opera, and Chrome, and then finds all video files that are currently stored in it. It allows you to easily copy the cached video files into another folder for playing/watching them in the future. If you have a movie player that is configured to play flv files, it also allows you to play the video directly from your browser's cache.


Sunday, March 23, 2014

[Argus] Real Time Flow Monitor


Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.

Argus is composed of an advanced comprehensive network flow data generator, the Argus sensor, which processes packets (either capture files or live packet data) and generates detailed network flow status reports of all the flows in the packet stream. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc...

Argus is used by many sites to generate network activity reports for every network transaction on their networks. The network audit data that Argus generates is great for security, operations and performance management. The data is used for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting covert channels, and analyzing Zero day events.

Argus is an Open Source project, currently running on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt, and has been ported to many hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with little or no modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.


[SearchMyFiles] Alternative to 'Search For Files And Folders' module of Windows + Duplicates Search


SearchMyFiles is an alternative to the standard "Search For Files And Folders" module of Windows. It allows you to easily search files on your system by wildcard, by last modified/created/last accessed time, by file attributes, by file content (text or binary search), and by file size. SearchMyFiles allows you to make a very precise search that cannot be done with Windows search. For example, you can search for all files created in the last 10 minutes with a size between 500 and 700 bytes.

After you made a search, you can select one or more files, and save the list into text/html/csv/xml file, or copy the list to the clipboard.

SearchMyFiles is portable, and you can use it from a USB flash drive without leaving traces in the Registry of the scanned computer.


Saturday, March 22, 2014

[Peepdf] PDF Analysis and Creation/Modification Tool


peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not. The aim of this tool is to provide all the components a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it is possible to see all the objects in the document with the suspicious elements highlighted; it supports the most commonly used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With PyV8 and Pylibemu installed it provides JavaScript and shellcode analysis wrappers too. Apart from this it is able to create new PDF files and to modify/obfuscate existing ones.

The main functionalities of peepdf are the following:

Analysis:
  • Decodings: hexadecimal, octal, name objects
  • Most used filters
  • References in objects and where an object is referenced
  • Strings search (including streams)
  • Physical structure (offsets)
  • Logical tree structure
  • Metadata
  • Modifications between versions (changelog)
  • Compressed objects (object streams)
  • Analysis and modification of Javascript (PyV8): unescape, replace, join
  • Shellcode analysis (Libemu python wrapper, pylibemu)
  • Variables (set command)
  • Extraction of old versions of the document
  • Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
  • Checking hashes on VirusTotal

Creation/Modification:
  • Basic PDF creation
  • Creation of PDF with Javascript executed when the document is opened
  • Creation of object streams to compress objects
  • Embedded PDFs
  • Strings and names obfuscation
  • Malformed PDF output: without endobj, garbage in the header, bad header...
  • Filters modification
  • Objects modification

Execution modes:
  • Simple command line execution
  • Powerful interactive console (colorized or not)
  • Batch mode

TODO:
  • Embedded PDFs analysis
  • Improving automatic Javascript analysis
  • GUI 

[PingInfoView] Ping monitor utility


PingInfoView is a small utility that allows you to easily ping multiple host names and IP addresses, and watch the results in one table. It automatically pings all hosts every N seconds, with N chosen by you, and displays the number of successful and failed pings as well as the average ping time. You can also save the ping results to a text/html/xml file, or copy them to the clipboard.


Friday, March 21, 2014

[ODA] Online Web Based Disassembler



ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures. Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions.

ODA is an online Web Based Disassembler for when you don’t have time or space for a thick client.

You can use it for a variety of purposes such as:
  • Malware analysis
  • Vulnerability research
  • Visualizing the control flow of a group of instructions
  • Disassembling a few bytes of an exception handler that is going off into the weeds
  • Reversing the first few bytes of a Master Boot Record (MBR) that may be corrupt
  • Debugging an embedded systems device driver



[NetBScanner] NetBIOS Scanner


NetBScanner is a network scanner tool that scans all computers in the IP addresses range you choose, using NetBIOS protocol. For every computer located by this NetBIOS scanner, the following information is displayed: IP Address, Computer Name, Workgroup or Domain, MAC Address, and the company that manufactured the network adapter (determined according to the MAC address). NetBScanner also shows whether a computer is a Master Browser. You can easily select one or more computers found by NetBScanner, and then export the list into csv/tab-delimited/xml/html file.


[Nsdtool] Toolset of scripts used to detect netgear switches in local networks

Nsdtool is a toolset of scripts used to detect Netgear switches in local networks. The tool contains some extra features such as password bruteforce and setting a new password.

Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol); Nsdtool implements it so that security tests can be run from the command line, without being bound to the tools delivered by Netgear.

Usage

Define your interface and possible delay in the config.ini.
# cat config.ini
[NSDP]
SourcePort = 63323 <--- nsdp source
DestPort = 63324 <--- nsdp dest
Interface = eth0 <--- your network interface
DestIP = 255.255.255.255
Delay = 0.01 <--- interval delay


Thursday, March 20, 2014

[MultiMonitorTool] Enable/disable/configure multiple monitors on Windows


MultiMonitorTool is a small tool that allows you to do some actions related to working with multiple monitors. With MultiMonitorTool, you can disable/enable monitors, set the primary monitor, save and load the configuration of all monitors, and move windows from one monitor to another. You can do these actions from the user interface or from command-line, without displaying user interface. MultiMonitorTool also provides a preview window, which allows you to watch a preview of every monitor on your system.


[Ipdecap] Decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols

Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4 and ESP (IPsec) protocols, and can also remove the IEEE 802.1Q (virtual LAN) header.
It reads packets from a pcap file, removes the encapsulation protocol, and writes them to another pcap file.
Goals are:
  • Extract encapsulated TCP flows to analyze them with conventional TCP tools (tcptrace, tcpflow, …)
  • Reduce pcap file size by removing the encapsulation protocol

Ipdecap was first written to analyze strange TCP behaviour inside ESP-encapsulated traffic, without touching the VPN endpoints (decapsulating ESP, unlike GRE or IPIP, requires the keys of the security associations involved).
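The GRE and 802.1Q cases of the above, as an added example that is not ipdecap's code: it strips a VLAN tag, removes an outer IPv4 header and the GRE header (accounting for the optional checksum, key and sequence fields signalled by the GRE flag bits), rewrites the Ethernet type to the inner protocol, and reads and writes the classic pcap container so the result can be opened by ordinary TCP tools. The frame is constructed in the block (a VLAN-tagged IPv4/GRE-with-key/IPv4/TCP SYN with zeroed checksums); IPIP, 6in4 and ESP are not handled, and pcapng is not supported.

```python
import socket
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_GRE = 47
PCAP_MAGIC = 0xA1B2C3D4


def strip_8021q(frame):
    """dst(6) src(6) 0x8100 TCI(2) inner-type(2) payload  ->  dst src inner-type payload"""
    if struct.unpack(">H", frame[12:14])[0] != ETH_P_8021Q:
        return frame
    return frame[:12] + frame[16:18] + frame[18:]


def gre_header_len(gre):
    """RFC 1701/2784/2890: C or R -> checksum+offset (4), K -> key (4), S -> sequence (4)."""
    flags = gre[0]
    length = 4
    if flags & 0xC0:
        length += 4
    if flags & 0x20:
        length += 4
    if flags & 0x10:
        length += 4
    return length


def decap_gre(frame):
    """Return the frame with outer IPv4 + GRE removed; unchanged if it is not IPv4-over-GRE."""
    frame = strip_8021q(frame)
    if struct.unpack(">H", frame[12:14])[0] != ETH_P_IP:
        return frame
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_GRE:
        return frame
    gre = ip[ihl:]
    inner_type = struct.unpack(">H", gre[2:4])[0]     # GRE protocol type = inner EtherType
    payload = gre[gre_header_len(gre):]
    return frame[:12] + struct.pack(">H", inner_type) + payload


def read_pcap(data):
    """Yield frames from a classic pcap byte string (either byte order, not pcapng)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    pos = 24                                           # global header
    while pos + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl]
        pos += incl


def write_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def decap_pcap(pcap_bytes):
    return write_pcap([decap_gre(f) for f in read_pcap(pcap_bytes)])


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at 0 because this is offline test data."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def constructed_frame():
    """Constructed VLAN-tagged frame: Ethernet / 802.1Q / IPv4 / GRE(key) / IPv4 / TCP SYN."""
    tcp = struct.pack(">HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 6, len(tcp)) + tcp
    gre = struct.pack(">BBHI", 0x20, 0x00, ETH_P_IP, 0xDEADBEEF) + inner   # K flag set
    outer = ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_GRE, len(gre)) + gre
    eth = bytes.fromhex("001122334455" "0066778899aa")
    return eth + struct.pack(">HHH", ETH_P_8021Q, 100, ETH_P_IP) + outer
```

`decap_pcap(write_pcap([constructed_frame()]))` produces a pcap whose single frame is a plain Ethernet/IPv4/TCP packet between 10.0.0.1 and 10.0.0.2, 32 bytes shorter than the tagged, tunnelled original.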

[SSLsplit] Transparent and scalable SSL/TLS interception


SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted.

SSLsplit is intended to be useful for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way.

SSLsplit removes HPKP response headers in order to prevent public key pinning. This only helps against clients that have not already cached a pin for the host, and the forged certificate must still chain to a CA the client trusts, so the SSLsplit CA certificate has to be installed on the intercepted client or the connection fails with a certificate error.

Requirements
  • SSLsplit depends on the OpenSSL and libevent 2.x libraries.
  • The build depends on GNU make and a POSIX.2 environment in `PATH`.
  • The optional unit tests depend on the check library.

SSLsplit currently supports the following operating systems and NAT mechanisms:
  • FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
  • OpenBSD: pf rdr-to and divert-to
  • Linux: netfilter REDIRECT and TPROXY
  • Mac OS X: ipfw fwd and pf rdr (experimental)

Wednesday, March 19, 2014

[OpenedFilesView] View opened/locked files in your system (sharing violation issues)



OpenedFilesView displays the list of all opened files on your system. For each opened file, additional information is displayed: handle value, read/write/delete access, file position, the process that opened the file, and more... 

Optionally, you can also close one or more opened files, or close the process that opened these files.
This utility is especially useful if you try to delete/move/open a file and you get one of the following error messages:
  • Cannot delete [filename]: There has been a sharing violation. The source or destination file may be in use.
  • Cannot delete [filename]: It is being used by another person or program. Close any programs that might be using the file and try again.

When you get one of these error messages, OpenedFilesView will show you which process locks your file. Closing the right process will solve this problem. Optionally, you can also release the file by closing the handle from the OpenedFilesView utility. However, be aware that after closing a file in this way, the program that opened the file may become unstable, and even crash.


[DNmap] Distributed Nmap Framework


DNmap is a distributed nmap framework using a client/server architecture. The server reads the commands from a file and sends them to each client. The client executes the nmap command and sends the results back.


[WiFi Password Remover v2.0] Free Wireless (WEP/WPA/WPA2) Password/Profile Removal Software


WiFi Password Remover is free software to quickly recover and remove wireless account passwords stored on your system.

For each recovered Wi-Fi account, it displays the following details:
  • WiFi Name (SSID)
  • Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
  • Password Type
  • Password in Hex format
  • Password in clear text

Once recovered, you can remove a single one or all of them with just a click. Before proceeding with deletion, you can also take a backup of the recovered Wi-Fi password list to an HTML/XML/TEXT/CSV file.

One of the unique features of this tool is that it can recover all types of Wi-Fi passwords, including the ones which are not shown by 'Windows Wireless Manager', thus allowing you to remove all the hidden wireless passwords/profiles as well.

Tuesday, March 18, 2014

[0verCheck] Script to check whether an e-mail address exists or not


Script to check whether an e-mail address exists or is fake. It accepts mailing lists.

My idea is to extract the domain from the address and check through DNS which server is the SMTP server (by looking at the MX records). Once we know the SMTP server, we open sockets to connect to it and try to send an e-mail to the account we want to check is valid. Looking at the response codes, we see that if the address is valid it returns a 250, and if not (in theory) it returns a 550.


[CountryTraceRoute] Fast Traceroute with IP country information


CountryTraceRoute is a Traceroute utility, similar to the tracert tool of Windows, but with a graphical user interface, and it's also much faster than tracert of Windows. CountryTraceRoute also displays the country of the owner of every IP address found in the Traceroute.
After the Traceroute is completed, you can select all items (Ctrl+A) and then save them into csv/tab-delimited/html/xml file with 'Save Selected Items' option (Ctrl+S) or copy them to the clipboard (Ctrl+C) and then paste the result into Excel or other spreadsheet application.


[Blackhash] Audit Passwords Without Hashes


A traditional password audit typically involves extracting password hashes from systems and then sending those hashes to a third-party security auditor or an in-house security team. These security specialists have the knowledge and tools to effectively audit password hashes. They use password cracking software such as John the Ripper and Hashcat in an effort to uncover weak passwords.

However, there are many risks associated with traditional password audits. The password hashes may be lost or stolen from the security team. A rogue security team member may secretly make copies of the password hashes. How would anyone know? Basically, once the password hashes are given to the security team, the system manager must simply trust that the password hashes are handled and disposed of securely and that access to the hashes is not abused.

Blackhash works by building a bloom filter from the system password hashes. The system manager extracts the password hashes and then uses Blackhash to build the filter. The filter is saved to a file, then compressed and given to the security team. The filter is just a bitset that contains ones and zeros. It does not contain the password hashes or any other information about the users or the accounts from the system. It's just a string of ones and zeros. You may view a Blackhash filter with a simple text editor. It will look similar to this:

00000100000001000100001

When the security team receives the filter, they use Blackhash to test it for known weak password hashes. If weak passwords are found, the security team creates a weak filter and sends that back to the system manager. Finally, the system manager tests the weak filter to identify individual users so that they can be contacted and asked to change passwords.

This enables you to audit passwords without actually giving out the hashes.
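The three-step exchange above (manager builds filter, auditor tests candidates and returns a weak filter, manager identifies users) in working form, as an added example that is not Blackhash's own code. The Bloom filter is a plain bit-set with k positions derived by double hashing of a SHA-256 digest; MD5 stands in for whatever unsalted hash the system uses, and the accounts and wordlist are constructed. The false-positive rate the Cons list mentions is visible in the design: with far more bits than entries it is negligible, and shrinking size_bits makes it bite.

```python
"""Bloom-filter password audit in the style Blackhash describes (added example)."""
import hashlib


class BloomFilter:
    """Plain bit-set Bloom filter; k positions per item via double hashing of SHA-256."""

    def __init__(self, size_bits=4096, num_hashes=3):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1      # odd step so all k positions differ
        return [(h1 + i * h2) % self.size for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        # all k bits set -> "probably present"; any bit clear -> "definitely absent"
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def to_text(self):
        """The '0001001...' string a text editor would show for the filter file."""
        return "".join("1" if self.bits[p >> 3] & (1 << (p & 7)) else "0"
                       for p in range(self.size))


def unsalted_hash(password):
    """MD5 stands in for any simple unsalted hash (LM, NT, SHA1, ...)."""
    return hashlib.md5(password.encode()).hexdigest().encode()


# Constructed accounts (the hashes of these never leave the system manager)
ACCOUNTS = {"alice": "password123", "bob": "Tr0ub4dor&3", "carol": "letmein"}
# Constructed auditor wordlist
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def build_filter(hashes, size_bits=4096):
    bf = BloomFilter(size_bits)
    for h in hashes:
        bf.add(h)
    return bf


def build_system_filter(accounts, size_bits=4096):
    """Step 1, system manager: filter over the real hashes; only this file is shipped."""
    return build_filter((unsalted_hash(pw) for pw in accounts.values()), size_bits)


def find_weak(system_filter, wordlist):
    """Step 2, auditor: hash each candidate, keep the ones the filter admits, ship a weak filter."""
    hits = [unsalted_hash(w) for w in wordlist if unsalted_hash(w) in system_filter]
    return build_filter(hits, system_filter.size), hits


def identify_users(accounts, weak_filter):
    """Step 3, system manager: only they can map weak-filter hits back to account names."""
    return {user for user, pw in accounts.items() if unsalted_hash(pw) in weak_filter}


def run_audit(accounts=ACCOUNTS, wordlist=WORDLIST, size_bits=4096):
    system_filter = build_system_filter(accounts, size_bits)
    weak_filter, hits = find_weak(system_filter, wordlist)
    return identify_users(accounts, weak_filter), len(hits)


if __name__ == "__main__":
    print(build_system_filter(ACCOUNTS, 64).to_text())     # what the shipped file looks like
    print(run_audit())
```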
Pros
  • Password hashes never leave the system team.
  • Works with any simple, un-salted hash. LM, NT, MD5, SHA1, etc.
  • Security auditors do not have to transmit, handle or safe-guard the password hashes.
  • Anonymizes the users. The filter contains no data about the users at all.
Cons
  • Slower than traditional password cracking methods.
  • More complex than traditional password cracking methods.
  • Bloom Filters may produce a few false positives (very few in this case).

Download Blackhash: Windows - Linux

Monday, March 17, 2014

[Lynis 1.4.6] Security and System Auditing Tool to Harden Linux Systems


Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Besides security-related information it will also scan for general system information, installed packages and possible configuration errors.
This software aims to assist automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, CD/DVD).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience: security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
  • Available authentication methods
  • Expired SSL certificates
  • Outdated software
  • User accounts without password
  • Incorrect file permissions
  • Configuration errors
  • Firewall auditing

[ProcessThreadsView] View process threads information



ProcessThreadsView is a small utility that displays extensive information about all threads of the process that you choose. The threads information includes the ThreadID, Context Switches Count, Priority, Created Time, User/Kernel Time, Number of Windows, Window Title, Start Address, and more. 

When selecting a thread in the upper pane, the lower pane displays the following information: Strings found in the stack, stack modules addresses, call stack, and processor registers. 

ProcessThreadsView also allows you to suspend and resume one or more threads.


[Skipfish] Web Application Security Scanner


Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:
  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. 


Sunday, March 16, 2014

[DeviceIOView] View data transfer between a software and device driver


DeviceIOView allows you to watch the data transfer between a software or service and a device driver (DeviceIoControl calls). For each call to a device driver, the following information is displayed: Handle, Control Code, number of input bytes, number of output bytes, the name of the device handle, and all the input/output bytes, displayed as Hex dump.

System Requirements

This utility works on Windows 2000, Windows XP, Windows Server 2003, and Windows 7/Vista/2008 (32-bit only). Older versions of Windows are not supported.

Using DeviceIOView

DeviceIOView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file, DeviceIOView.exe. After running it, select the process that you want to inspect, and click Ok. After clicking Ok, DeviceIOView will start to display the information about all calls to device drivers.
The upper pane displays the list of all device driver calls. When you select an item in the upper pane, the lower pane displays the input/output bytes as a hex dump.

Saturday, March 15, 2014

[SkypeLogView] Skype Log Viewer (.dbb and main.db files)


SkypeLogView reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. You can select one or more items from the logs list, and then copy them to the clipboard, or export them into text/html/csv/xml file.

System Requirements

This utility works on any version of Windows starting from Windows 2000 and up to Windows 8. You don't have to install Skype in order to use this utility. You only need the original log files created by Skype, even if they are on an external drive.


Friday, March 14, 2014

[wig] WebApp Information Gatherer (Identify CMS)

wig is a Python tool that identifies a website's CMS by searching for fingerprints of static files and extracting version numbers from known files.

OS identification is done by using the values of the 'Server' and 'X-Powered-By' response headers. These values are compared to a database of which package versions are included with different operating systems.

The version detection is based on MD5 checksums of static files, regex and string matching. OS detection is based on headers and packages listed in the 'Server' header. There's a quite large database of package versions included in common Linux distros.

The author uses scripts to automatically update the MD5 checksums for new versions of the open source CMSs that the tool is capable of detecting. This is one of the main advantages over BlindElephant and WhatWeb.

There are currently three profiles for wig:
  1. Only send one request: wig only sends a request for ‘/’. All fingerprints matching this url are tested.
  2. Only send one request per plugin: The url used in most fingerprints is used
  3. All fingerprints: All fingerprints are tested

Help screen:
# wig.py --help
usage: wig.py [-h] [-v] [-p {1,2,4}] host

WebApp Information Gatherer

positional arguments:
host the host name of the target

optional arguments:
-h, --help show this help message and exit
-v list all the urls where matches have been found
-p {1,2,4} select a profile: 1) Make only one request - 2) Make one request
per plugin - 4) All

Example of run:
# python3 wig.py www.example.com

CMS Drupal CMS: [7.25, 7.24, 7.26, 7.23, 7.22]
Operating System Microsoft Windows Server: [2008 R2]
Server Info Microsoft-IIS: [7.5, 6.0]
______________________________________________________________
Time: 18.0 sec | Plugins: 65 | Urls: 324 | Fingerprints: 14178
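The matching logic behind an output line like "Drupal CMS: [7.25, ...]" and "Microsoft-IIS: [7.5]", as an added example that is not wig's code and uses a constructed fingerprint database rather than wig's real one. A checksum hit on a static file yields the set of releases that ship that exact file; a regex hit on a known file yields one version; agreeing evidence intersects the sets, and the Server header is looked up in a product/version to OS table. From the defender's side it also shows why a customized or minified static file and a stripped Server header leave the scanner with nothing to match.

```python
"""CMS and server fingerprinting in the style wig describes (added example, constructed data)."""
import hashlib
import re


def md5(data):
    return hashlib.md5(data).hexdigest()


# Constructed static files standing in for real Drupal releases (not real checksums)
_DRUPAL_JS_7_2X = b"// constructed misc/drupal.js shipped unchanged in 7.22-7.26\n"
_DRUPAL_JS_7_3X = b"// constructed misc/drupal.js as rebuilt for 7.30-7.31\n"

# url -> md5 -> (cms, versions that ship a file with exactly that checksum)
CHECKSUM_DB = {
    "/misc/drupal.js": {
        md5(_DRUPAL_JS_7_2X): ("Drupal", {"7.22", "7.23", "7.24", "7.25", "7.26"}),
        md5(_DRUPAL_JS_7_3X): ("Drupal", {"7.30", "7.31"}),
    },
}
# url -> (cms, regex whose first group is the version string)
REGEX_DB = {
    "/CHANGELOG.txt": ("Drupal", re.compile(rb"^Drupal (\d+\.\d+), \d{4}-\d{2}-\d{2}", re.M)),
}
# server product -> version -> operating systems known to package that version (constructed)
SERVER_DB = {"Microsoft-IIS": {"7.5": ["Windows Server 2008 R2"], "6.0": ["Windows Server 2003"]}}


def identify(responses):
    """responses: url -> (headers dict, body bytes). Returns CMS candidates, server, OS list."""
    cms = {}                                   # cms name -> set of candidate versions

    def narrow(name, versions):
        cur = cms.get(name)
        # agreeing evidence narrows the candidate set; contradictory evidence keeps the union
        cms[name] = versions if cur is None else (cur & versions or cur | versions)

    for url, (headers, body) in responses.items():
        hit = CHECKSUM_DB.get(url, {}).get(md5(body))
        if hit:
            narrow(*hit)
        if url in REGEX_DB:
            name, rx = REGEX_DB[url]
            m = rx.search(body)
            if m:
                narrow(name, {m.group(1).decode()})

    server = os_list = None
    for headers, _ in responses.values():
        srv = headers.get("Server")
        if srv and "/" in srv:                 # "Product/version"; a bare product gives no OS
            product, version = srv.split("/", 1)
            server = (product, version)
            os_list = SERVER_DB.get(product, {}).get(version, [])
            break
    return {"cms": cms, "server": server, "os": os_list}


# Constructed responses for a hypothetical site
SAMPLE_RESPONSES = {
    "/": ({"Server": "Microsoft-IIS/7.5", "X-Powered-By": "PHP/5.3.28"}, b"<html>home</html>"),
    "/misc/drupal.js": ({"Server": "Microsoft-IIS/7.5"}, _DRUPAL_JS_7_2X),
    "/CHANGELOG.txt": ({"Server": "Microsoft-IIS/7.5"},
                       b"Drupal 7.25, 2014-01-15\n-----\nDrupal 7.24, 2013-11-20\n"),
}

if __name__ == "__main__":
    print(identify(SAMPLE_RESPONSES))
```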

[WakeMeOnLan] Turn on computers on your network with Wake-on-LAN packet


This utility allows you to easily turn on one or more computers remotely by sending a Wake-on-LAN (WOL) packet to the remote computers.

When your computers are turned on, WakeMeOnLan allows you to scan your network, and collect the MAC addresses of all your computers, and save the computers list into a file. Later, when your computers are turned off or in standby mode, you can use the stored computers list to easily choose the computer you want to turn on, and then turn on all these computers with a single click.

WakeMeOnLan also allows you to turn on a computer from command-line, by specifying the computer name, IP address, or the MAC address of the remote network card.
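What WakeMeOnLan actually puts on the wire is a "magic packet": six 0xFF bytes followed by the target MAC address repeated sixteen times, conventionally broadcast as a UDP datagram. The added example below (not WakeMeOnLan's code) builds such a packet from the MAC-address formats the text mentions and also recognises one inside an arbitrary UDP payload, which is how you would spot wake-ups in a packet capture. The MAC address used is constructed; send_magic_packet is the only function that touches the network and is not called automatically.

```python
"""Wake-on-LAN magic packet: build one, and recognise one in captured UDP payloads (added example)."""
import socket

SYNC = b"\xff" * 6            # the synchronization stream that opens every magic packet


def parse_mac(text):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def magic_packet(mac):
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes in total)."""
    mac = parse_mac(mac) if isinstance(mac, str) else bytes(mac)
    return SYNC + mac * 16


def parse_magic_packet(payload):
    """Return the MAC a payload would wake, or None if it holds no well-formed magic packet.
    NIC firmware scans for the sync stream anywhere in the frame, so this does the same."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6]
        idx = payload.find(SYNC, idx + 1)
    return None


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the packet on UDP port 9 ('discard'), the usual convention for WOL tools."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00-11-22-33-44-55")      # constructed MAC address
    print(len(pkt), "bytes; wakes", parse_magic_packet(pkt).hex(":"))
```

Because the packet is a layer-2 broadcast with no authentication, anyone on the same segment can wake a host; that is also why the text notes it only works on wired networks and must be enabled per adapter.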

System Requirements And Limitations

  • On the computer that you run WakeMeOnLan: WakeMeOnLan works on any version of Windows, starting from Windows 2000 and up to Windows 8, including x64 versions of Windows.
  • On the remote computer: WakeMeOnLan can turn on the remote computer only if this feature is supported and enabled on the remote computer. Be aware that the Wake-on-LAN feature only works on wired networks. Wireless networks are not supported.
    In order to enable the Wake-on-LAN feature on the remote computer:
    • On some computers, you may need to enable this feature on the BIOS setup.
    • In the network card properties, you should go to the 'Power Management' and/or 'Advanced' tabs of the network adapter, and turn on the Wake-on-LAN feature.