It just goes to show how we often overlook some of the more ‘obvious’ choices, and to many people they may not be that obvious. I’ll be going through the tools I use and posting them up here if I haven’t already.

Anyway one of the stock tools for any pen-tester is Xprobe usually known now as Xprobe2 - some of it’s logic has been absorbed into nmap and it’s basically an active OS fingerprinting tool meaning it sends actual data to the machine it’s fingerprinting rather than a passive tool like p0f which just listens.

Xprobe2 is a remote, active OS fingerprinting tool, the features are as below:

• Port scanning is now available through the usage of the -T (TCP) and -U (UDP) command line option
• Added the -B command line option (’blind port guess’) used for searching an open TCP port among the following ports: 80,21, 25, 22, 139
• Include XSD schema with distribution and make our XML comply with that XSD
• loopback (lo) is supported

You can read more on Xprobe2 and what it does here:

Intrusion Detection FAQ: What is XProbe?

Download Xprobe2 here:

xprobe2-0.3.tar.gz

Or read more here.

Technorati Tags: fingerprinting, information gathering, Network Hacking, nmap, os-detection, os-fingerprinting, penetration-testing, xprobe, xprobe2

Client-based attacks, especially targeting web clients, are becoming more and more popular. Browser-targeted attacks, drive-by pharming and web-based phishing provide a broad aspect of threats during surfing in the world wide web. Attacker might initialize and optimize their attacks by fingerprinting the target application to find the best possible way to compromise the client.

The browserrecon project is going to prove, that client-side fingerprinting is possible and useful too. In this particular implementation, currently available in php only, the given web browser is identified by the used http requests. Similar to the http fingerprinting provided within httprecon the header lines and values are analyzed and compared to a fingerprint database.

The current release of browserrecon is written in PHP. Therefore, you might be able to use browserrecon on a web server supporting PHP. If you want to include browserrecon in a given web application, the software has to support PHP itself or a fork of the PHP scripts.

You can download browserrecon here:

browserrecon-1.0-php.tar.gz

Or read more here.

Technorati Tags: browser fingerpringt, browser fingerprinting, browser identification, browser strings, browserrecon, fingerprinting, information gathering, passive fingerprinting, PHP, Web Hacking

It will generate a html page with the results of the metadata extracted, plus a list of potential usernames very useful for preparing a bruteforce attack on open services like ftp, pop3,web applications, vpn and so on. Also it will extract a list of disclosed PATHs in the metadata, with this information you can guess OS, network names, shared resources etc.

This new version extracts MAC address from Microsoft Office documents. Now you can have an idea of what kind of hardware they are using.

All this information should not be available on the net, but most of the companies don’t have policies about information leaking… and most of them don’t know this information exists. So you can show them what information an attacker can obtain, with this simple technique.

You can download Metagoofil v1.4 here:

MetaGooFil 1.4 (tar) (20/04/2008)

Or read more here.

Technorati Tags: data gathering, Hacking Tools, information gathering, information leaking, metadata, metadata extraction, metadata gathering, metagoofil, penetration-testing, Privacy, surveillance

This is a list of scenarios where rtpbreak is a good choice:

• reconstruct any RTP stream with an unknown or unsupported signaling protocol
• reconstruct any RTP stream in wireless networks, while doing channel hopping (VoIP activity detector)
• reconstruct and decode any RTP stream in batch mode (with sox, asterisk)
• reconstruct any already existing RTP stream
• reorder the packets of any RTP stream for later analysis (with tshark, wireshark, …)
• build a tiny wireless VoIP tapping system in a single chip Linux unit
• build a complete VoIP tapping system (rtpbreak would be just the RTP dissector module!)

This project is released under license GPL version 2.

You can download rtpbreak 1.3a here:

rtpbreak-1.3a.tgz

Or read more here.

Technorati Tags: hacking rtp, Hacking Tools, hacking-networks, hacking-software, Network Hacking, rfc189, rtp, rtp tool, rtp-analysis, rtpbreak

Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.

One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Technorati Tags: hack windows, hacking hibernation file, hacking-windows, hibernation, hibernation file, read hibernation file, sandman, Windows Hacking

The application is written in C using the popular PCAP library.

Sample Output

Cisco AIR-AP1231G-E-K9 Access Point:

$ sudo ./cdpsnarf eth2
Waiting for a CDP packet...

[#0] Sniffed CDP advertisement with a size of 367 bytes.
——————————————————-
CDP Version: 2
TTL: 180 ms
Checksum: 0×7282

Device ID: cisco-ap.mydomain.net

Software version: Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 23-Aug-06 16:42 by kellythw

Platform: cisco AIR-AP1231G-E-K9

Addresses: 1
Address #: 1
Protocol type: [1] NLPID format
Protocol: [0xCC] IP
IP Address: 157.228.87.1

Port ID: Dot11Radio0

Capabilities:
[0x02] Transparent bridge

You can download CDPSnarf here:

CDPSnarf 0.1.6

Or read more here.

Technorati Tags: cdp, cdp packet sniffer, cdpsnarf, cisco, hacking routers, Hacking Tools, hacking-cisco, hacking-networks, Network Hacking

There are some famous, commercial tools available in the market for US$19.99 to as much as US$1500 (!), but Technitium MAC Address Changer is available for FREE. We don’t charge for just changing a registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim!

Features

• Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
• Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
• Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
• Allows you to select random MAC address from the list of manufacturers by just clicking a button.
• Restarts your NIC automatically to apply MAC address changes instantaneously.
• Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
• Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
• Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.

You can download Technitium MAC Address Changer v4.8 here:

Technitium-MAC-Address-Changer

Or read more here.

[tags]change mac address, change mac address windows, free-software, freeware mac changer, mac address changer, mac-changer, network-security, Security Software, technitium, technitium mac adress changer, tmac[tags]

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is comprised of three tools: IAM.EXE, WHOSTHERE.EXE and GENHASH.EXE.

GENHASH.EXE
This is just a utility that uses some undocumented Windows functions to generate the LM and NT hash of a password. This tool is useful to test IAM.EXE and WHOSTHERE.EXE and perhaps to do some other things. Pretty simple and small tool.

IAM.EXE
This tools allows you to change your current NTLM credentials without having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE.

WHOSTHERE.EXE
This tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let’s say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller.

You can download Pass-The-Hash Toolkit v1.3 here:

Source Code

Latest stable release (1.3), updated on February 29, 2008.

Win32 binaries

Latest stable release (1.3), updated on February 29, 2008.

Or read more here.

Technorati Tags: Hacking Tools, hacking-windows, hash toolkit, LSA, NTLM, ntlm hashes, pass the hash, pass the hash toolkit, Password Cracking, psh, Windows Hacking, windows password hash

The tool is intended to get all possible info from open wifi networks (and possibly encrypted also in the future, at least with WEP) without joining any network, and covering all wifi channels.

WifiZoo does the following:

• gathers bssid->ssid information from beacons and probe responses
• gathers list of unique SSIDS found on probe requests
• gathers the list and graphs which SSIDS are being probed from what sources
• gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with “802.11 bssids->clients”.
• gathers ‘useful’ information from unencrypted wifi traffic (ala Ferret,and dsniff, etc); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages,ftp credentials, telnet network traffic, nbt, etc.

You can download WifiZoo v1.3 here:

wifizoo_v1.3.tgz

Or read more here.

Technorati Tags: data seepage, hacking wifi, information gathering, penetration-testing, wifi information gathering, wifi leakage, wifi-hacking

Functionality

INTEGRITY: HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Thanks to this property HDIV helps to eliminate most of the vulnerabilities based on the parameter tampering.

EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea).

CONFIDENTIALITY: HDIV guarantees the confidentiality of the non editable data as well. Usually lots of the data sent to the client has key information for the attackers such as database registry identifiers, column or table names, web directories, etc.

ANTI-CROSS SITE REQUEST FORGERY (CSRF) TOKEN: Random string called a token is placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request. This random string provides protection because not only does the compromised site need to know the URL of the target site and a valid request format for the target site, it also must know the random string which changes for each visited page.

You can download HDIV here:

hdiv 2.0.4

Or read more here.

Technorati Tags: hacking web apps, hacking-web-applications, hacking-websites, hdiv, http validator, java web security, security framework, web-application-security