Xprobe2 - Active OS Fingerprinting Tool

Published at May 16, 2008 in Network Hacking and Hacking Tools. Comments

Sometimes I wonder to myself have I mentioned a certain tool on the site, usually one of my favourites…often I search the site to find I have never posted about it.

It just goes to show how we often overlook some of the more ‘obvious’ choices, and to many people they may not be that obvious. I’ll be going through the tools I use and posting them up here if I haven’t already.

Anyway one of the stock tools for any pen-tester is Xprobe usually known now as Xprobe2 - some of it’s logic has been absorbed into nmap and it’s basically an active OS fingerprinting tool meaning it sends actual data to the machine it’s fingerprinting rather than a passive tool like p0f which just listens.

Xprobe2 is a remote, active OS fingerprinting tool, the features are as below:

  • Port scanning is now available through the usage of the -T (TCP) and -U (UDP) command line option
  • Added the -B command line option (’blind port guess’) used for searching an open TCP port among the following ports: 80,21, 25, 22, 139
  • Include XSD schema with distribution and make our XML comply with that XSD
  • loopback (lo) is supported

You can read more on Xprobe2 and what it does here:

Intrusion Detection FAQ: What is XProbe?

Download Xprobe2 here:

xprobe2-0.3.tar.gz

Or read more here.

Technorati Tags: , , , , , , , ,

browserrecon - Passive Browser Fingerprinting

Published at May 15, 2008 in Privacy, Hacking Tools and Web Hacking. Comments

Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for http web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks.

Client-based attacks, especially targeting web clients, are becoming more and more popular. Browser-targeted attacks, drive-by pharming and web-based phishing provide a broad aspect of threats during surfing in the world wide web. Attacker might initialize and optimize their attacks by fingerprinting the target application to find the best possible way to compromise the client.

The browserrecon project is going to prove, that client-side fingerprinting is possible and useful too. In this particular implementation, currently available in php only, the given web browser is identified by the used http requests. Similar to the http fingerprinting provided within httprecon the header lines and values are analyzed and compared to a fingerprint database.

The current release of browserrecon is written in PHP. Therefore, you might be able to use browserrecon on a web server supporting PHP. If you want to include browserrecon in a given web application, the software has to support PHP itself or a fork of the PHP scripts.

You can download browserrecon here:

browserrecon-1.0-php.tar.gz

Or read more here.

Technorati Tags: , , , , , , , , ,

Metagoofil v1.4 Released - Metadata and Information Gathering Tool

Published at May 12, 2008 in Privacy, Hacking Tools and Web Hacking. Comments

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,odp,ods) available on the target/victim website.

It will generate a html page with the results of the metadata extracted, plus a list of potential usernames very useful for preparing a bruteforce attack on open services like ftp, pop3,web applications, vpn and so on. Also it will extract a list of disclosed PATHs in the metadata, with this information you can guess OS, network names, shared resources etc.

This new version extracts MAC address from Microsoft Office documents. Now you can have an idea of what kind of hardware they are using.

All this information should not be available on the net, but most of the companies don’t have policies about information leaking… and most of them don’t know this information exists. So you can show them what information an attacker can obtain, with this simple technique.

You can download Metagoofil v1.4 here:

MetaGooFil 1.4 (tar) (20/04/2008)

Or read more here.

Technorati Tags: , , , , , , , , , ,

rtpbreak 1.3a Released - RTP Analysis and Hacking

Published at May 7, 2008 in Network Hacking and Hacking Tools. Comments

With rtpbreak you can detect, reconstruct and analyze any RTP session. It doesn’t require the presence of RTCP packets and works independently form the used signaling protocol (SIP, H.323, SCCP etc). The input is a sequence of packets, the output is a set of files you can use as input for other tools (wireshark/tshark, sox, grep/awk/cut/cat/sed and so on). It also supports wireless (AP_DLT_IEEE802_11) networks.

This is a list of scenarios where rtpbreak is a good choice:

  • reconstruct any RTP stream with an unknown or unsupported signaling protocol
  • reconstruct any RTP stream in wireless networks, while doing channel hopping (VoIP activity detector)
  • reconstruct and decode any RTP stream in batch mode (with sox, asterisk)
  • reconstruct any already existing RTP stream
  • reorder the packets of any RTP stream for later analysis (with tshark, wireshark, …)
  • build a tiny wireless VoIP tapping system in a single chip Linux unit
  • build a complete VoIP tapping system (rtpbreak would be just the RTP dissector module!)

This project is released under license GPL version 2.

You can download rtpbreak 1.3a here:

rtpbreak-1.3a.tgz

Or read more here.

Technorati Tags: , , , , , , , , ,

Sandman - Read the Windows Hibernation File

Published at May 7, 2008 in Windows Hacking and Hacking Tools. Comments

This is a pretty new tool and a very cool one, Hibernation is a fairly new feature for Windows so it’s good to see a new tool targeting that.

Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.

One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Technorati Tags: , , , , , , ,