Showing posts with label Network Hacking. Show all posts



Aircrack is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations such as the KoreK attacks, making the attack much faster than with other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.

Free Download

AirCrack-ng 0.6.2 -Windows




Size / OS: 12.4 MB / Windows NT / 2K / XP / 2003 / Vista


Advanced HostMonitor is a network monitoring program. You can create a list of jobs and tests in advance on a 'set and forget' basis. Among the many checks it can do, it can monitor any TCP service, ping a host, retrieve a URL, check the available disk space, and more. It checks network servers at regular intervals and takes pre-defined actions if a device does not respond. It can provide a visual and sound warning, send an e-mail message to a mailbox, pager or mobile phone, execute another program, etc. All this allows you to respond to a problem before your users start to complain.


Features :

HostMonitor is a highly scalable network monitoring software suitable for small and enterprise-level networks.
Probably you will say "There are dozens of programs like this"? That is right! But please check what HostMonitor offers and compare its power and flexibility to its surprisingly low price:
- using 60 test methods our software can check almost any parameter of your servers;
- highly flexible action profiles allow you to start actions in predefined order depending on the test results;
- HostMonitor creates various log files using different detail levels and file formats (Text, HTML, DBF and ODBC);
- built-in Report Manager allows you to create and customize reports to your liking in a variety of ways;
- using Remote Monitoring Agents for Windows, FreeBSD, Linux, NetBSD, OpenBSD and Solaris you may easily monitor remote networks;
- Web Service, Telnet Service and Remote Control Console simplify remote management;
- and this is not all...



60 test methods!

HostMonitor can check any TCP service, ping a host, check a route, monitor Web, FTP, Mail, DNS servers. It can check the available disk space, monitor size of a file or folder, check integrity of your files and web site; it tests your SQL servers, monitors network traffic and much, much more. See complete test list.

But what is of no less importance is how you can manage monitoring tasks ("test items" in our terminology). Test items can be organized into different groups (folders), each folder has its own settings such as color palette, list of reports, different statistic information, etc.

Tests can be performed on regular intervals (e.g. every 5 min) or on schedule (e.g. every Friday between 6pm and 9pm); tests can be performed directly by HostMonitor or they can be performed by Remote Monitoring Agents installed on remote network. Some tests may depend on another, e.g. you may easily configure HostMonitor to check 10 web servers when your primary router is up, and check another (backup) server when your primary router is down.

30 alert methods

HostMonitor is network administration software that provides different ways to respond to failed services. Audio and visual notifications alert people near the machine. E-mail and pager notifications inform a wider range of remote operators. HostMonitor can take actions that are designed to recover from a failure automatically without human intervention (e.g. "restart service", "reboot computer" or "dial-up to the network" actions). See complete actions list.

Highly flexible Action Profiles allow you to start actions in predefined order depending on the test results:
- E.g. you may start some action only when both primary and backup mail servers do not respond.
- Or an action profile can be set up to page both the IT manager and the network administrator during regular office hours, and to page the administrator alone the rest of the time, while doing nothing else but writing to the log on weekends.
- Another example: when some critical service fails HostMonitor may reboot the server. If that does not help, HostMonitor will send e-mail to the on-call technician. If, however, the server remains silent during the next three probes, the network administrator is to be paged until the server is brought back up.



Install HostMonitor and you will see how easy it is to implement all of the above with even more sophisticated behavior patterns.
And yes, various macro variables allow you to use the same action profile for hundreds or thousands of monitoring tasks (test items). E.g. if you monitor 10 different services on each of 100 servers, you may use a single action to restart any failed service on any of these systems.

Powerful Report Manager and Log Analyzer

HostMonitor can generate test result log files and reports. HostMonitor creates various log files using different detail levels and file formats (Text, HTML, DBF and ODBC) and can be configured to suit your needs.

The highly flexible built-in Report Manager allows you to create and customize reports to your liking in a variety of ways. For example, a report designed for the IT manager might have an entirely different look and feel compared to the one intended for use by the network administrator. Also note that each group of tests may contain its own list of reports, and each of the reports may be set up with a launching schedule specific to that group.

The Advanced Host Monitor package also includes a Log Analyzer which can present separate information for each tested host. The Log Analyzer can collect statistical information and show graphs of all response times for specific time periods for all or individual servers. Using the statistical information, an administrator can analyze request times for specific servers over a period of time.

Remote Monitoring Agents for Windows, FreeBSD, Linux, NetBSD, OpenBSD and Solaris

HostMonitor can check remote hosts directly or using Remote Monitoring Agents (RMA) installed in another network. RMA is a small application that accepts requests from HostMonitor, performs the test and reports the test result back to HostMonitor.
RMA increases security of the network, decreases network traffic, simplifies network administration, and allows you to monitor systems that are impossible to monitor directly from HostMonitor (e.g. using RMA, HostMonitor can check the number of running processes on a Linux system).

Web service, Telnet service, Remote Control Console

Web Service works like an HTTP server and provides web interface for HostMonitor. Telnet Service works like Telnet server and allows you to control HostMonitor remotely using any telnet client. These applications allow you to check brief or detailed status of any test, start or stop monitoring process, enable or disable alerts, change global macro variables, etc. Also you will be able to disable and enable tests, reset statistics, force tests to execution and even change some parameters of the tests.
RCC allows you to work with HostMonitor which is running on a remote system just like you work with HostMonitor when it is started on your local system. Several operators may start RCC on different systems and work with the same instance of HostMonitor at the same time.


SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol.

The tools offer support for pcap files, wordlists and many more to extract all needed information and bruteforce the passwords for the sniffed accounts.

If you don’t have OpenSSL installed or encounter any building problems try ‘make no-openssl’ to build with integrated MD5 function (which is slower than the OpenSSL implementation).

Usage

Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file. See ‘sipdump -h’ for options.

Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated. See ‘sipcrack -h’ for options.

Free Download

SIPcrack-0.3

[Source: Darknet]



Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis is developed and maintained by Jeff Nathan.

Nemesis can natively craft and inject packets for:

* ARP
* DNS
* ETHERNET
* ICMP
* IGMP
* IP
* OSPF
* RIP
* TCP
* UDP

Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Unix-like systems require: libnet-1.0.2a, and a C compiler (GCC)
Windows systems require: libnetNT-1.0.2g and either WinPcap-2.3 or WinPcap-3.0





[Source: Darknet]

Foundstone Blast v2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.

Features:

/trial switch adds the ability to see how the buffer looks before sending it
/v switch adds verbose option - off by default
/nr switch turns off initial receive after initial connect - HTTP services don’t send an initial response, Mail services do
The /nr switch fixes the effect of HTTP timeouts when sending GET strings
/dr adds double LF/CR’s to buffers (useful for GET requests) - off by default

Examples:

blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user
blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user /e endchars
blast 134.134.134.4 110 600 680 /noret

/t == timeout delay in milliseconds to wait for server response
/d == delay before each send
/noret means to send raw data with no newline chars that a pop server expects at end
/b is a way to add cust text to begin of buf
/e is an alternate way to end each buf
/v switches on verbose output - off by default
/nr turns off initial receive after initial connect (useful for HTTP GET)
/dr adds double LF/CR’s to buffers (useful for HTTP GET)

Read More & Download - Foundstone Blast v2.0

[Source: Darknet ]

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by its manufacturer. This hard coded MAC address is used by Windows drivers to access Ethernet networks (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional’s toolbox.

Features

+= Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.

+= Has list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.

+= Allows you to select random MAC address from the list of manufacturers by just clicking a button.

+= Restarts your NIC automatically to apply MAC address changes instantaneously.

+= Allows you to create and edit Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.

+= Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.

+= Allows you to export a detailed text report for all the network connections.

+= Displays all information you would ever need about your NIC in one view like Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.

+= Displays current data transfer speed per second.

+= Allows you to configure IP Address, Gateway and DNS Server for your NIC quickly and instantaneously.

+= Allows you to enable/disable DHCP instantaneously.

+= Allows you to Release/Renew DHCP IP address instantaneously.

+= Displays DHCP lease obtained and lease expires time.

+= Allows you to configure Interface Metric instantaneously.

+= Quick keyboard shortcuts for most operations.

+= Supports all Microsoft(R) Windows(TM) NT based versions in all languages.

+= All reported bugs in previous 4.0 version removed. (Thanks to all your feedbacks)

[Source: Darknet]

Trinity Rescue Kit - Free Recovery and Repair for Windows

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

It is possible to boot TRK in three different ways:

* As a bootable CD which you can burn yourself from a downloadable isofile
* From a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK cd
* From network over PXE, which requires some modifications on your local network.

TRK is a complete command-line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

It’s recommended to keep a copy of TRK in your toolkit, we at Darknet do find it useful, especially for resetting passwords and fixing messed up file systems.

A summary of the main features:

* easily reset windows passwords
* 4 different virusscan products integrated in a single uniform commandline with online update capability
* full ntfs write support thanks to ntfs-3g (all other drivers included as well)
* clone NTFS filesystems over the network
* wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
* easy script to find all local filesystems
* self update capability to include and update all virusscanners
* full proxyserver support.
* run a samba fileserver (windows like filesharing)
* run a ssh server
* recovery and undeletion of files with utilities and procedures
* recovery of lost partitions
* evacuation of dying disks
* UTF-8 international character support

Free Download

Trinity Rescue Kit

[Source: Darknet ]

FakeNetBIOS is a family of tools designed to simulate Windows hosts on a LAN. The individual tools are:

* FakeNetbiosDGM (NetBIOS Datagram)
* FakeNetbiosNS (NetBIOS Name Service)

Each tool can be used as a standalone tool or as a honeyd responder or subsystem.

FakeNetbiosDGM sends NetBIOS Datagram service packets on port UDP 138 to simulate Windows hosts’ broadcasts. It periodically sends NetBIOS announcements over the network to simulate Windows computers. It fools the Computer Browser services running over the LAN and so on.

FakeNetbiosNS is a NetBIOS Name Service daemon, listening on port UDP 137. It responds to NetBIOS Name requests like real Windows computers: for example ‘ping -a’, ‘nbtstat -A’ and ‘nbtstat -a’, etc.



[Source: Darknet]

Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three upcoming articles about stealth scanning. Everything that I am going to present is hping oriented, so if you want to learn these techniques you’d better get a copy of hping.
This method is the one invoked when you give nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know, a TCP connection is based on a method called the three-way handshake, which goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection; only upon successful completion of this sequence is a real connection established… You probably can see a weak point in this method, can’t you? For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed SYN packets you can DoS a target in no time; this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port. Try out the following command (its result follows it):

C:\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1 win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2 win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3 win=0 rtt=40.0 ms

As you can see, on an unsuccessful port scan we get a Reset-Acknowledge, which tells us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

C:\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms


As you can see, we hit an open port… If you weren’t attentive till now, a SYN-ACK flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or see them as pre-DoS SYN packets…

Read More: www.rhyshaden.com

[Source: Darknet ]
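
Seen from the monitored side, the replies above give a half-open probe a recognisable shape: a SYN answered with SYN-ACK or RST-ACK and never completed by the initiator's ACK. The detector below is an added example, not part of the original article; the packet record layout, the sample addresses and the min_ports threshold are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # hping-style flag letters: "S", "SA", "RA", "A", "R"


def classify_handshakes(packets):
    """Return {(client, client_port, server, server_port): state}.

    syn_sent         SYN seen, no reply (dropped or filtered)
    closed           server answered with RST (flags=RA in the output above)
    half_open        server answered SYN-ACK, client never completed
    half_open_reset  client reset the attempt after the SYN-ACK
    established      client sent the final ACK
    """
    state = {}
    for p in sorted(packets, key=lambda p: p.ts):
        flags = set(p.flags)
        from_client = (p.src, p.sport, p.dst, p.dport)
        from_server = (p.dst, p.dport, p.src, p.sport)
        if flags == {"S"}:
            state.setdefault(from_client, "syn_sent")
        elif state.get(from_server) == "syn_sent":
            if flags == {"S", "A"}:
                state[from_server] = "half_open"
            elif "R" in flags:
                state[from_server] = "closed"
        elif state.get(from_client) == "half_open":
            if "R" in flags:
                state[from_client] = "half_open_reset"
            elif "A" in flags:
                state[from_client] = "established"
        # Anything else (e.g. a retransmitted SYN-ACK) changes nothing.
    return state


UNFINISHED = {"syn_sent", "closed", "half_open", "half_open_reset"}


def suspect_scanners(packets, min_ports=3):
    """Return {client: sorted (server, port) targets left unfinished}."""
    probed = defaultdict(set)
    completed = defaultdict(int)
    for (client, _cport, server, port), st in classify_handshakes(packets).items():
        if st in UNFINISHED:
            probed[client].add((server, port))
        else:
            completed[client] += 1
    return {
        client: sorted(targets)
        for client, targets in probed.items()
        if len(targets) >= min_ports and len(targets) > completed[client]
    }


# Constructed sample traffic (documentation address ranges, not real hosts).
SCANNER, CLIENT, SERVER = "198.51.100.7", "203.0.113.5", "192.0.2.10"
SAMPLE = [
    Pkt(0.00, SCANNER, 2001, SERVER, 81, "S"),    # closed port
    Pkt(0.02, SERVER, 81, SCANNER, 2001, "RA"),
    Pkt(1.00, SCANNER, 2002, SERVER, 80, "S"),    # open, then reset
    Pkt(1.03, SERVER, 80, SCANNER, 2002, "SA"),
    Pkt(1.04, SCANNER, 2002, SERVER, 80, "R"),
    Pkt(2.00, SCANNER, 2003, SERVER, 22, "S"),    # open, never answered
    Pkt(2.03, SERVER, 22, SCANNER, 2003, "SA"),
    Pkt(5.03, SERVER, 22, SCANNER, 2003, "SA"),   # server retransmits
    Pkt(3.00, SCANNER, 2004, SERVER, 443, "S"),   # silently dropped
    Pkt(4.00, CLIENT, 51000, SERVER, 80, "S"),    # ordinary client
    Pkt(4.02, SERVER, 80, CLIENT, 51000, "SA"),
    Pkt(4.03, CLIENT, 51000, SERVER, 80, "A"),
]

if __name__ == "__main__":
    for key, st in classify_handshakes(SAMPLE).items():
        print(key, st)
    print(suspect_scanners(SAMPLE))
```

The repeated SYN-ACK for the same attempt, visible as repeated flags=SA lines in the hping output, is the server retransmitting because the handshake was never completed.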

ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) contents on the network traffic. It supports TCP and UDP protocols and can also be configured to fuzz only one side of the communication. ProxyFuzz is protocol agnostic so it can randomly fuzz any network communication.

ProxyFuzz is a good tool for quickly testing network protocols and providing basic proofs of concept. Using this tool you will be amazed by the poor quality of software and you will see clients and servers dying upon unexpected input; just be prepared to see some very weird behaviours.

Syntax of ProxyFuzz:


ProxyFuzz 0.1, Simple fuzzing proxy by Rodrigo Marcos

usage():

python proxyfuzz -l -r -p [options]

[options]

-w: Number of requests to send before start fuzzing

-c: Fuzz only client side (both otherwise)

-s: Fuzz only server side (both otherwise)

-u: UDP protocol (otherwise TCP is used)

-v: Verbose (outputs network traffic)

-h: Help page




The video shows ProxyFuzz proxying traffic between a VMWare Console and a VMWare Server. This is just a dumb example of the things you can do with this tool.

Free Download

Download ProxyFuzz 0.1 Source Code

Download ProxyFuzz 0.1 Windows Binary

[Source: Darknet]

tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.

Other tools that fill a similar need are driftnet and EtherPEG. driftnet and EtherPEG are tools for monitoring and extracting graphic files on a network and are commonly used by network administrators to police the internet activity of their users. The major limitations of driftnet and EtherPEG are that they only support three filetypes with no easy way of adding more. The search technique they use is also not scalable and does not search across packet boundaries.

tcpxtract features the following:

* Supports 26 popular file formats out-of-the-box. New formats can be added by simply editing its config file.
* With a quick conversion, you can use your old Foremost config file with tcpxtract.
* Custom written search algorithm is lightning fast and very scalable.
* Search algorithm searches across packet boundaries for total coverage and forensic quality.
* Uses libpcap, a popular, portable and stable library for network data capture.
* Can be used against a live network or a tcpdump formatted capture file.
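
Why searching across packet boundaries matters, shown as an added example that is not tcpxtract's own code: a per-packet search misses a file whose header or footer is split between two payloads, while a carver that keeps state between payloads recovers it. The JPEG signatures are the commonly used ones; the class and function names, the size limit and the sample stream are constructed for illustration, and payloads are assumed to arrive in stream order.

```python
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


class StreamCarver:
    """Header/footer carver that keeps state between payloads."""

    def __init__(self, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=1 << 20):
        self.header, self.footer, self.max_size = header, footer, max_size
        self.buf = bytearray()   # bytes not yet ruled out or emitted
        self.in_file = False     # True once buf starts with a header
        self.scan_from = 0       # where the next footer search resumes
        self.found = []

    def feed(self, payload):
        self.buf += payload
        while True:
            if not self.in_file:
                i = self.buf.find(self.header)
                if i < 0:
                    # Keep only a tail short enough to be a split header.
                    keep = len(self.header) - 1
                    del self.buf[:max(0, len(self.buf) - keep)]
                    return
                del self.buf[:i]
                self.in_file = True
                self.scan_from = len(self.header)
            j = self.buf.find(self.footer, self.scan_from)
            end = j + len(self.footer)
            if j >= 0 and end <= self.max_size:
                self.found.append(bytes(self.buf[:end]))
                del self.buf[:end]
                self.in_file = False
            elif j >= 0 or len(self.buf) > self.max_size:
                # No footer within the size limit: treat the header as a
                # false hit and resume the search one byte further on.
                del self.buf[:1]
                self.in_file = False
            else:
                # The footer may still arrive; re-check the last bytes next
                # time in case it is split across two payloads.
                self.scan_from = max(len(self.header),
                                     len(self.buf) - len(self.footer) + 1)
                return


def carve_stream(payloads, **options):
    """Carve files from an ordered sequence of payloads of one stream."""
    carver = StreamCarver(**options)
    for payload in payloads:
        carver.feed(payload)
    return carver.found


def carve_per_packet(payloads, header=JPEG_HEADER, footer=JPEG_FOOTER):
    """Baseline: search every payload on its own, with no carried state."""
    found = []
    for p in payloads:
        i = p.find(header)
        while i >= 0:
            j = p.find(footer, i + len(header))
            if j < 0:
                break
            found.append(p[i:j + len(footer)])
            i = p.find(header, j + len(footer))
    return found


def split_at(data, cuts):
    """Split data into consecutive payloads at the given byte offsets."""
    edges = [0, *cuts, len(data)]
    return [data[a:b] for a, b in zip(edges, edges[1:])]


# Constructed stream: two tiny stand-in "files" between unrelated bytes.
FILE_1 = JPEG_HEADER + b"AAAA" + JPEG_FOOTER
FILE_2 = JPEG_HEADER + b"BBBBBB" + JPEG_FOOTER
STREAM = b"GET /a.jpg\r\n\r\n" + FILE_1 + b"--gap--" + FILE_2 + b"EOF"
# Offset 16 splits FILE_1's header, offset 40 splits FILE_2's footer.
PAYLOADS = split_at(STREAM, [16, 27, 40])

if __name__ == "__main__":
    print("per packet:", carve_per_packet(PAYLOADS))
    print("streaming: ", carve_stream(PAYLOADS))
```

Signature carving is heuristic: a footer byte pair can also occur inside file data, so carved output still needs validation with a format-aware tool.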




ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Formerly announced as ScarabMon as part of BlackHat EU 2007, proxmon monitors proxy logs and reports on security issues it discovers. ProxMon was also presented at CanSecWest 2007.

It’s compatible with WebScarab.

ProxMon handles routine tasks like

* Checking server SSL configuration
* Looking for directories that allow listing or upload

Its real strength is that it also helps with higher level analysis such as

* Finding values initially sent over SSL that later go cleartext
* Finding Secure cookie values also sent in the clear
* Finding values that are sent to 3rd party sites

Its key features are

* automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
* proxy agnostic
* included library of vulnerability checks
* active testing mode
* cross platform
* open source license
* easy to program extensible python framework



[Source: Darknet]

The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two perl scripts, a packet injector (ftest) and a listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format. If the two scripts are run on hosts placed on two different sides of a firewall, a diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available to automatically parse the log files.


Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.

The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS; ftest can also use common IDS evasion techniques. Instead of using the configuration syntax, the script can currently also process a snort rule definition file.

Features:

* Firewall testing
* IDS testing
* Simulation of real TCP connections for stateful inspection firewalls and IDS
* Connection spoofing
* IP fragmentation / TCP segmentation
* IDS evasion techniques

Requirements:

The following PERL modules are required: Net::RawIP, Net::PcapUtils, NetPacket


A firewall is configured by combining more than one rule. Sometimes part of a rule’s configuration resides in a place other than the basic rule configuration. In such a case, it is difficult to confirm whether the configuration is the one the system administrators intended. (Is an unnecessary hole open, or is a necessary hole open?)

For this tool we prepare a computer which has two network interfaces, each connected to the network on one side of the firewall. A packet with forged source and destination IP addresses is sent to the firewall from one network interface. Packets which passed through the firewall are observed on the other network interface. The rules of the firewall are confirmed from the packets which passed through the firewall and the packets which didn’t.

This tool can check the rules regardless of the way the firewall is configured.

There are two modules in Dr. Morena, similar to the Firewall Tester (FTester). The first module is a check engine, and the second module is a packet list making engine.

Checker, which is the check engine, makes the check packet according to given packet information, and sends and receives this packet. Also, the check engine confirms whether the packet passed through the firewall, and returns the checked result.

Ideally, when checking the rules of a firewall, we would check all packets of all services from all Internet Protocol addresses to all Internet Protocol addresses. However, it is impossible to check all packets in a reasonable time, so the firewall has to be checked using only a limited set of packets. A check which uses packets chosen at random is inefficient. It is therefore necessary to check the firewall by giving priority to packets intended for the important addresses and services listed in the security policy etc.

ListMaker, which is the check packet list making engine, lists necessary packets for the check, from information classified according to the importance degree.

Free Download

Dr. Morena - Firewall

[Source: Darknet ]

An interesting happening this week: some ISPs have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.

Is it ethical? Should they be doing this to their users?

I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computer’s resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.

They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.

IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.

Freenode is pretty happening for open source projects though.

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.

[Source: Darknet]

Link Layer Discovery Protocol Fuzzer

The first Link Layer Discovery Protocol Fuzzer is now available; test cases are also ready to be used along with the tool. The fuzzing architecture makes it easy to extend the tool with new test cases as more LLDP compliant devices arise.

LLDP is a Layer 2 protocol which allows network devices to advertise their identity and capabilities on the local network, it helps to keep track of devices and the packets are multi-casted.

CDP, EDP and NDP are similar to LLDP.

The LLDP fuzzer is meant for black box testing techniques on LLDP enabled networks/devices. Its aim is to find security vulnerabilities by using test cases as it’s important to be able to replicate a test case.

It can be automated and it tries to find bugs by sending malformed packets and looking for corner cases.

It can find vulnerabilities in any agent receiving LLDP packets and is programmed in Python. It works fine on Linux but won’t work on Windows due to RAW socket limitations.

free Download

LLDPfuzzer.tar

Download the paper - LLDPpaper.pdf
Download the presentation - LLDPpresentation.ppt

[Source: Darknet]

RTP Break

Posted by Bijay | 12:27 AM

RTP Break - RTP Analysis & Hacking Tool

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them) that aren’t always transmitted from the recent VoIP clients.

The RTP sessions are composed of an ordered sequence of RTP packets. Those packets transport the real-time data using the UDP transport protocol.

The RTP packets must respect some well defined rules in order to be considered valid. This characteristic makes it possible to define a pattern on the single packet that is used to discriminate, within the captured network traffic, packets that can be RTP from those that certainly are not.
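
One way to express such a per-packet pattern and the ordered-sequence check, as an added example that is not rtpBreak's code: the per-packet tests follow the RTP fixed header layout (version 2, 12-byte header, CSRC count, extension and padding lengths), and a flow counts as a session once enough consecutive sequence numbers are seen. The function names, the min_run threshold and the sample datagrams are assumptions made for illustration.

```python
import struct
from collections import defaultdict


def parse_rtp(payload):
    """Return header fields if a UDP payload can be RTP, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                      # version field must be 2
        return None
    if 200 <= b1 <= 204:                  # RTCP packet types, not RTP
        return None
    header_len = 12 + 4 * (b0 & 0x0F)     # fixed header plus CSRC list
    if b0 & 0x10:                         # header extension present
        if len(payload) < header_len + 4:
            return None
        (ext_words,) = struct.unpack("!H", payload[header_len + 2:header_len + 4])
        header_len += 4 + 4 * ext_words
    if len(payload) < header_len:
        return None
    if b0 & 0x20:                         # padding: last byte is its length
        if len(payload) == header_len:
            return None
        pad = payload[-1]
        if pad == 0 or pad > len(payload) - header_len:
            return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "seq": seq, "ts": ts, "ssrc": ssrc}


def find_sessions(datagrams, min_run=3):
    """Group candidate packets per flow and SSRC; keep ordered runs.

    datagrams: iterable of (src, sport, dst, dport, payload) in capture
    order. Returns {(src, sport, dst, dport, ssrc): packet_count}.
    """
    flows = defaultdict(lambda: {"count": 0, "run": 0, "best": 0, "last": None})
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        f = flows[(src, sport, dst, dport, hdr["ssrc"])]
        # Sequence numbers are 16 bits wide and wrap from 65535 to 0.
        if f["last"] is not None and hdr["seq"] == (f["last"] + 1) & 0xFFFF:
            f["run"] += 1
        else:
            f["run"] = 1
        f["best"] = max(f["best"], f["run"])
        f["last"] = hdr["seq"]
        f["count"] += 1
    return {k: f["count"] for k, f in flows.items() if f["best"] >= min_run}


def make_rtp(seq, ts, ssrc, pt=0, body=b"\x00" * 160):
    """Build a constructed RTP packet (version 2, no CSRC/extension/padding)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + body


# Constructed capture: one audio stream, a DNS query and a stray datagram.
A, B = "10.0.0.5", "10.0.0.9"
SSRC = 0x1234ABCD
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE = [
    (A, 4000, B, 5004, make_rtp(65534, 0, SSRC)),
    (A, 53000, B, 53, DNS_QUERY),
    (A, 4000, B, 5004, make_rtp(65535, 160, SSRC)),
    (A, 4000, B, 5004, make_rtp(0, 320, SSRC)),        # sequence wrap
    (B, 9999, A, 9999, b"\x80\x00" + b"\x01" * 10),    # looks valid, but alone
    (A, 4000, B, 5004, make_rtp(1, 480, SSRC)),
]

if __name__ == "__main__":
    print(find_sessions(SAMPLE))
```

A single packet that passes the header checks proves little, which is why the stray datagram is only a candidate; the ordered run over several packets is what separates a session from coincidence.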

free Download

rtpbreak-1.0

PIRANA - Exploitation Framework for Email Content Filters

PIRANA is an exploitation framework that tests the security of an email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform.

PIRANA’s goal is to test whether or not any vulnerability exists on the content filtering platform.

free Download

PIRANA

[Source: Darknet]

IPAudit 0.95

Posted by Bijay | 10:17 PM

IPAudit - Network Activity Monitor with Web Interface

IPAudit monitors network activity on a network by host, protocol and port. It listens to a network device in promiscuous mode, and records every connection between two ip addresses. A unique connection is determined by the ip addresses of the two machines, the protocol used between them, and the port numbers (if they are communicating via udp or tcp).

IPAudit can be used to monitor network activity for a variety of purposes. It has proved useful for monitoring intrusion detection, bandwidth consumption and denial of service attacks. It can be used with IPAudit-Web to provide web based network reports.

IPAudit is a free network monitoring program available and extensible under the GNU GPL.

IPAudit is a command line tool that uses the libpcap library to listen to traffic and generate data. The IPAudit-Web package includes the IPAudit binary in addition to the web interface that creates reports based on the collected data. Using the Web package is recommended, as it gives you a slick graphical interface complete with traffic charts and a search feature.

FREE DOWNLOAD

IPAudit 0.95
