ksymhunter – Routines For Hunting Down Kernel Symbols

Routines for hunting down kernel symbols from from kallsyms, System.map, vmlinux, vmlinuz, and remote symbol servers.

Examples:

$ ./ksymhunter prepare_kernel_cred
[+] trying to resolve prepare_kernel_cred...
[+] resolved prepare_kernel_cred using 

    /boot/System.map-2.6.38-gentoo
[+] resolved prepare_kernel_cred to 0xffffffff81061060

And..

$ ./ksymhunter commit_creds
[+] trying to resolve commit_creds...
[+] resolved commit_creds using 

    /boot/System.map-2.6.38-gentoo
[+] resolved commit_creds to 0xffffffff81060dc0

You can download ksymhunter v1.0 here:

ksymhunter.tar.gz

Or read more here.

nb : darknet Read More...

CAT – Web Application Security Test & Assessment Tool

 Over the 12 years during which Context has been conducting application tests for clients there have been many developments in application security practices. Applications have become more complex, and we have had to expand and enhance testing methods to ensure that we continue to deliver the most thorough assessment possible. In 2007 we identified a need for a new tool designed to test the most complex applications; a tool capable of various different tests as yet unavailable on the market.

These tests included:

• Complex authorisation models
• Ability to test complex multi-phase forms e.g. single sign-on (SSO) systems
• Fuzzing forms protected by cross site request forgery (CRSF) tokens
• Supporting different encodings used by web services, Ajax and to leverage complex vulnerabilities
• Ability to perform sensitive timing attacks
• Heavy Ajax applications

No such tool existed – so we developed one ourselves instead. The result, the Context App Tool (CAT), has become the core application testing tool used at Context.

CAT is designed to facilitate manual web application penetration testing for more complex, demanding application testing tasks. It removes some of the more repetitive elements of the testing process, allowing the tester to focus on individual applications, thus enabling them to conduct a much more thorough test.

Conceptually it is similar to other proxies available both commercially and open source, but CAT provides a richer feature set and greater performance, combined with a more intuitive user interface.

CAT is designed to facilitate manual web application penetration testing for more complex, demanding application testing tasks. It removes some of the more repetitive elements of the testing process, allowing the tester to focus on individual applications, thus enabling them to conduct a much more thorough test.

Conceptually it is similar to other proxies available both commercially and open source, but CAT provides a richer feature set and greater performance, combined with a more intuitive user interface.

There are a number of differences between CAT and currently available web proxies. They include:

• CAT uses Internet Explorer’s rendering engine for accurate HTML representation
• It supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
• It offers integrated SQL Injection and XSS Detection
• Synchronised Proxies for Authentication and Authorisation checking
• Faster performance due to HTTP connection caching
• SSL Version and Cipher checker using OpenSSL
• Greater flexibility for importing/exporting logs and saving projects
• Tabbed Interface allows for multiple tools at once e.g. multiple repeaters & different logs
• The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
• It’s free!

Do bear in mind that this is a free tool, but it is NOT Open Source. Also take a good look at the EULA before using it (especially Section 6).

You can download CAT Beta 4 here:
CAT_Beta_4.msi

Or read more here.

nb : darknet Read More...

BodgeIt Store – Vulnerable Web Application For Penetration Testing

There are various vulnerable web applications such as Jarlsberg, WackoPicko, Damn Vulnerable Web Application (DVWA), Vicnum, etc. Now we have another application that is vulnerable and ready to be exploited! The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to penetration testing.

Features

• Easy to install – just requires java and a servlet engine, e.g. Tomcat
• Self contained (no additional dependencies other than to 2 in the above line)
• Easy to change on the fly – all the functionality is implemented in JSPs, so no IDE required
• Cross platform
• Open source
• No separate db to install and configure – it uses an ‘in memory’ db that is automatically (re)initialized on start up

There is also a ‘scoring’ page where you can see various hacking challenges and whether you have completed them or not.

The Bodge It Store include the following significant vulnerabilities:

• Cross Site Scripting
• SQL injection
• Hidden (but unprotected) content
• Cross Site Request Forgery
• Debug code
• Insecure Object References
• Application logic vulnerabilities

If you spot any others then let me know ;) There is also a 'scoring' page (linked from the 'About Us' page) where you can see various hacking challenges and whether you have completed them or not.
In the relatively near future I'm hoping to add things like:

• Ajax requests
• More vulnerabilities (of course)

 Install

All you need to do is download and open the zip file, and then extract the war file into the webapps directory of your favorite servlet engine.
Then point your browser at (for example) http://localhost:8080/bodgeit
The author recommends Zed Attack Proxy to get you started.

You can download BodgeIt Store here:
bodgeit.1.1.0.zip

nb : darknet Read More...

Malware Analyser v3.0 – A Static & Dynamic Malware Analysis Tool

Malware Analyser is freeware tool to perform static and dynamic analysis on malware executables, it can be used to identify potential traces of anti-debug, keyboard hooks, system hooks and DEP setting change calls in the malware.

This is a stepping release since for the first time the Dynamic Analysis has been included for file creations (will be improved for other network/registry indicators sooner) along with process dumping feature.
Features

• String based analysis for registry, API calls, IRC Commands, DLL’s called and VM Aware.
• Display detailed headers of PE with all its section details, import and export symbols etc.
• On Distro, can perform an ascii dump of the PE along with other options (check –help argument).
• For Windows, it can generate various section of a PE : DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
• ASCII dump on windows machine
• Code Analysis (disassembling)
• Online malware checking (http://www.virustotal.com)
• Check for Packer from the Database.
• Tracer functionality
• Signature Creation: Allows to create signature of malware
• CRC and Timestamp verification.
• Entropy based scan to identify malicious sections.
• Dump a process memory
• Dynamic Analysis (Still in beginning stage) for file creations.

You can download Malware Analyser v3.0 here:
malware_analyser 3.0.zip
malware_analyser 3.2.zip

nb : darknet Read More...

Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL

It’s been recently uncovered that there’s a HUGE botnet, which is extremely advanced and constantly evolving a variant of the ever popular (and usually quite advanced) TDL strain. We did write about a TDL variant earlier in 2010 – TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform.

TDL itself has been around several years, but the new TDSS variant is really sophisticated and comes loaded with anti-virus capabilities to stop the Windows host PC getting infected by other malware or botmasters.

Development has been going on since TDL since 2008 (or perhaps even earlier) and now is on version 4 (TDL-4). You can see how these guys think as they only apportion a part of the CPU resources to their own malware so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week a research note in on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

Now this is a fairly huge operation with 4-5 million infected hosts within the botnet, it’s very difficult to remove and in most parts – because of it’s fairly intelligent design – it doesn’t even get spotted in the first place.

The downfall (if it really is) of such a complex piece of malware is that it’s more likely to have coding bugs/exploits contained in it’s own code – this is where security researchers can leverage their own hacking skills to gather more knowledge about the botnet.

“TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.,” Golovanov writes. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

“This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible,” according to the researcher. Other improvements over the previous TDL-3 generation of TDSS malware include the encryption of communications between a botnet operator’s command-and-control servers and the botnet, and the ability to transmit commands to a botnet over the publicly accessible, peer-to-peer Kad network via TDL-4′s kad.dll module.

According to Golovanov, TDL “affiliates” can earn up to $200 when they manage 1,000 installations of the malware on victim computers.

“Affiliates can use any installation method they choose,” he writes. “Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”
About a third of the TDL-4-infected computers are in the U.S., according to Golovanov, and about 60 TDL-4 command-and-control centers all around the world have been identified since the beginning of 2011.

Most of the motivation behind such large botnets is of course money, we’ve written before about the Digital Underground Offering Cheap Botnets For Hire and about people getting caught like – Texas Man Pleads Guilty To Bot Network For Hire.

It seems like the main infection vector is still via the browser, people who visit dodgy sites (porn/pirated software etc) with old browsers are getting infected with botnet laden malware like this.

I doubt anyone reading is any danger of infection, but still – it pays to know what is out there.

Source: PC Mag

nb : darknet Read More...

Facebook To Start Paying Bug Bounties

We’ve covered various stories about companies offering hackers and security researchers bounties for giving them working exploits for their software/website etc. Early runners in the game were – Google Willing To Pay Bounty For Chrome Browser Bugs

Now, 2 years down the road, Facebook has decided it’s a good idea to offer up a $500 bounty for exploits reported to the Facebook security team.

They are claiming they will pay out larger amounts for ‘truly significant’ bugs, but they aren’t qualifying that claim with any guidelines or amounts.

Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook’s security team first.

The company is following Google and Mozilla in launching a Web “Bug Bounty” program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant flaws Facebook will pay more, though company executives won’t say how much.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”

On Friday, Facebook will launch a new Whitehat hacking portal where researchers can sign up for the program and report bugs.

Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.

They have always credited people who made discovered of insecurities on the Facebook platform and gifted them with t-shirts and other goodies, but this is the first move Facebook has made towards paying for exploits.
It is true though, finding a serious bug in a prestigious web property like Facebook could make someone famous overnight. I would like to see more bounty programs and those bounty programs paying out larger amounts.

Although I have to say I don’t believe a flaw in a social network would be worth that much on the black market (as opposed to say a zero-day in the latest version of Apache).

But talking about the issue before Facebook has had a chance to patch it, can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.
Google pays between $500 and $3,133.70, depending on the severity of the flaw.
Google started to pay for browser bugs in early 2010, and then in November it expanded the program to cover bugs in its Web properties too.

The Web bug bounty program has helped Google uncover a lot of programming errors in the past eight months, most of which have been in Google’s lesser-known products, a company spokesman said this week.

Google sees its Web program as a big success. “We’re very happy with the success of our vulnerability reward program so far. We’ve already given out $300,000 and have seen a variety of interesting bugs,” the spokesman said in an e-mail message.

Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Google have given out over $300,000 since they started their program in 2010 – initially it was only for Chrome bugs – but they expanded it to cover all of their web properties and they’ve reaped the rewards by being able to fix all kinds of issues.

I foresee Facebook not having to pay out so much, the site is fairly closed and it’s not as expansive as the Google empire. Plus they don’t have any kind of actual software offering like Chrome.

It’s an interesting program though and I hope it leads to Facebook becoming more secure.

nb : darknet Read More...

SIPVicious Tool Suite v0.2.6 – SIP/VoIP Security Auditing Tool

What is SIPVicious tool suite?

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:

• svmap - this is a sip scanner. Lists SIP devices found on an IP range
• svwar - identifies active extensions on a PBX
• svcrack - an online password cracker for SIP PBX
• svreport - manages sessions and exports reports to various formats
• svcrash - attempts to stop unauthorized svwar and svcrack scans

Requirements

Python

SIPVicious works on any system that supports python 2.4 or greater.

Operating System

It was tested on the following systems:

• Linux
• Mac OS X
• Windows
• FreeBSD 6.2
• Jailbroken iPhone with python installed

If you use it on systems that are not mentioned here please let me know goes it goes. 

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. Why the name? Because the tools are not exactly the nicest thing on earth next to a SIP device. And the play on the sound seems to work. As an extra bonus, it rhymes with the name of Sex Pistol’s bass player.

It’s been a while since we wrote about SIPVicious, way back when it first came out in 2008 – SIPVicious v0.2.3 – VoIP/SIP Auditing Toolkit. It’s come a fair way since v0.2.3 so I thought it’s about time for an update (although v0.2.6 has been out since 2010), you can view the full ChangeLog here.
It currently consists of five tools:

• svmap – this is a sip scanner. Lists SIP devices found on an IP range
• svwar – identifies active extensions on a PBX
• svcrack – an online password cracker for SIP PBX
• svreport – manages sessions and exports reports to various formats
• svcrash – attempts to stop unauthorized svwar and svcrack scans

Requirements

Python – SIPVicious works on any system that supports python 2.4 or greater.
There’s a good blog post covering the new stuff here too, mainly svcrash:
How to crash SIPVicious – introducing svcrash.py

You can download SIPVicious v0.2.6 here:
sipvicious-0.2.6.zip
sipvicious-0.2.6.tar.gz

nb : darknet Read More...

Sniffjoke 0.4.1 Released – Anti-sniffing Framework & Tool For Session Scrambling

What's SniffJoke ?

An internet client running SniffJoke injects in the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server supports needed!

 

Why is this possible ?

 

The internet protocols have been developed to allow two elements to communicate, not some third-parts to intercept their communication. This will happen, but the communication system has been not developed with this objective.
SniffJoke uses the network protocol in a permitted way, exploiting the implicit difference of network stack present in an operating system respect the sniffers dissector.

site map

• concepts, goals, details intro
• is this "security by obscurity" (no, but, there are a long answer).
• why and how setup a location

Tech:

• CODE you too: plugins specifications
• How does it works ? Hacks: how to fooling a dissector
• How does it works ? Scramble: make a sniffers desync

follow

• Sj@twitter
  
• Sj@github

Why has it been developed ?

 

Because too many people believe that the only way to obtain self-security is through control, I don't want to tell them they are wrong, but controlling internet is impossibile, if you want not to be controlled. It is obvious that you should not trust a security control that could be bypassed, isn't it?

When you understand this, remember that the progressive acceptance of the control measure has been treated like a "necessary sacrifice". when you realize that this security method don't bring security, but only possibile abuses, you will be ready to stop accepting this useless sacrifice.

 

What's SniffJoke don't protect from

 

If you are using a nontrusted third part (facebook?) it doesn't matter how much your data is encrypted, scrambled or whatever: your data is in facebook store. Unprotected and presented. If you use a trojanized box, it's the same, it's like have an invisible and weightless watchers sit on your legs, transcribing everything you're doing. SniffJoke protects from: a sniffer in your network, a sniffer in the provider flow, a sniffer in the destination network.

 

Security and social GOALs

 

Various goals SniffJoke aim to achieves. Information security, will not be control based, almost, not in traffic and data passive analysis, because Internet technology is not engineered with this capability. Passive wiretapping is not only used by law enforcement (they have a lot of other technology in their dispositions); Wiretapping technology is widespread and usable by every entities, not for your safety, but for the value derived from your data.

 

SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifying and injecting fake packets inside your transmission, make them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer).

An Internet client running SniffJoke injects in the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server support is needed!

The internet protocols have been developed to allow two elements to communicate, not some third-parts to intercept their communication. This will happen, but the communication system has been not developed with this objective. SniffJoke uses the network protocol in a permitted way, exploiting the implicit difference of network stack present in an operating system respect the sniffers dissector.

How Does It Work?

It works only under Linux (at the moment), creates a fake default gateway in your OS (the client or a default gateway) using a TUN interface check every traffic passing thru it, tracks every session and  applyies two concepts: the scramble and the hack.
The scramble is the technology to bring:

1. A sniffer to accept as true a packet who will be discarded by the server, or
2. A sniffer to drop a packet who will be accepted by the server.

The scramble technology brings in desynchronisation between the sniffer flow and the real flow.

The bogus packet accepted by the sniffer is generated by the “plugin” is a C++ simple class, which in a pseudo statefull tracking will forge the packet to be injected inside the flow. is pretty easy to develop
anew one, and if someone wants to make research on sniffers attack (or fuzzing the flow searching for bugs) need to make the hand inside its.

The configuration permits to define blacklist/whitelist ip address to scramble, a degree of aggressivity for each port, which plugin will be used.

You can download SniffJoke here:
sniffjoke-0.4.1.tar.bz2
 

nb : darknet

Read More...

FaceNiff – Taking FireSheep Mobile – Sniff & Intercept Web Sessions With Android

FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.

It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)
It's kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).

*** ROOTED PHONE *** is required. Please note that if webuser uses SSL this application won't work.
This application due to its nature is very phone-dependant so please let me know if it won't work for You

Use with stock browser (might not work with other)
Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country.

 
I do not take any responsibility for anything you do using this application. Use at your own risk

This apk is limited to use only 3 hijacked profiles, if you want more - you will need activation code - contact me if you're interested.

DONATIONS/ACTIVATION CODES CAN BE BOUGHT USING BITCOIN - 1Lp9C3NXiR7tF28rTN8t31xmKLBPaThXLG

NEW 2.0 RELEASE: FaceNiff-2.0-alpha9.apk
OLD RELEASE: FaceNiff-1.9.4.apk

Any questions? - Look at forum here: http://faceniff.freeforums.org How to secure yourself: LINK
UPDATES

• 03-06-2011 (v1.9.4): fixed a bug when the app crashed network on some roms
• 03-06-2011 (v1.9.3): bugfix release if the app works for you - don't upgrade. If the app isn't working you should uninstall the old one and use this.
• 02-06-2011 (v1.9.2): *** UNINSTALL OLD APK ***
  • Amazon.com support
  • Sniffing all supported services at the same time!
  • Added option to clear list of sniffed profiles
  • fixed name resolving for Nasza-Klasa
  • a lot of bugfixes
• 25-05-2011 (v1.9.1): way too many updates!, fixed a bug when unlocked app wasn't working, sorry for all that trouble...
• 25-05-2011 (v1.9): added stealth mode which tries to bypass router anti-arpspoof protection,
  use it only when you don't see any profiles appearing in the profile list (stealth mode is much much slower) (thanks goto: karololszak)
• 25-05-2011 (v1.8.2): fixed bug when some devices couldn't buy app, added Nasza-Klasa support
• 24-05-2011 (v1.8.1): fixed twitter support, redesigned ui, added YouTube support
• 24-05-2011 (v1.8): *** UNINSTALL OLD APP FIRST *** So much changed I skipped a number!
  • total code rewrite! more reliable, more stable and most of all - new updates will be easier for me to code
  • now app works as a service so only explicit poweroff will shut it down
  • wakelock - phone won't go off when sniffing for profiles
  • fixed a bug when profiles showed up as "Unknown"
  • support for twitter! (unlocked version only) - please send me request for other services I'll add them ASAP
  • browse profiles from PC! (unlocked version only) - you can now use your PC at home to log onto sniffed profiles
• 20-05-2011 (v1.6.1): fixed FC when switching screens (thanks Matt!)
• 20-05-2011 (v1.6): code cleanup + when wifi disconnects you will get a message about it (that was annoying)
• 07-05-2011 (v1.5b): during update somehow Permission Denied bug reappeared, this update fixes it (I hope)
• 02-05-2011 (v1.5): fixed a bug when some devices couldn't buy an app from PP, if you encounter any problems please uninstall, *re-download* and install again
• 30-04-2011 (v1.4): *** UNINSTALL OLD APP FIRST ***
  • fixed arp bug now hijacking should be more continuous and reliable.
  • fixed name resolving problem that occur if hijacked invalid session
• 19-04-2011 (v1.3): lowered cpu usage + few bug fixes. (you will need to reinstall)
• 18-04-2011 (v1.2): fixed Permission Denied bug (thanks G.)

Thanks to Lukasz You can see how it works here: http://www.youtube.com/watch?v=3bgwVM7t_s4

Supported services: (new coming soon) FaceBook Twitter Youtube Amazon VKontakte Tumblr MySpace Tuenti MeinVZ/StudiVZ blogger Nasza-Klasa

Confirmed to work on: up-to-date list is here: http://faceniff.freeforums.org/supported-devices-rom-list-t10.html

If you have any questions please look at the forum first: http://faceniff.freeforums.org
  If you want to contact me look here: http://ponury.net/contact
 
If you didn't get the Key for the app after buying please check spam, if it's not there then click "Buy" again - it will redirect you to a page with your key. In case everything fails - contact me we'll figure this out

video tutorial 

nb : darknet Read More...

Burp Suite Free Edition v1.4 – Web Application Security Testing Tool

We love Burp Suite and we have since wayyyy back, the last update we posted was around 18 months ago back in January 2010 – Burp Suite v1.3 Released – Integrated Platform For Attacking Web Applications.

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!
New Features

• The ability to compare site maps
• Functions to help with testing access controls using your browser
• Support for preset request macros
• Session handling rules to help you work with difficult situations
• In-browser rendering of responses from all Burp tools
• Auto recognition and rendering of character sets
• Support for upstream SOCKS proxies
• Headless mode for unattended scripted usage
• Support for more types of redirection
• Support for NTLMv2 and IPv6
• Numerous enhancements to Burp’s extensibility
• Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:
burpsuite_v1.4.zip

Or read more here.

nb : darknet Read More...

Google Proposes Way To Speed Up SSL Handshake

I’m always interesting when it comes to cryptography and cryptographic trickery. We all know, the main problem with SSL is speed – it can really slow your surfing experience down and for most people it annoys them enough to just not use it.

Google researchers claim they’ve devised a way to reduce that painful wait when visiting an SSL encrypted site. Now, it may be faster but is it any less secure? You’d have to run through the paper to ascertain that.

And well it can only work in a few very specific sets of circumstances, it’s not like it’s really going to change anything on a large scale.

Google researchers say they’ve devised a way to significantly reduce the time it takes websites to establish encrypted connections with end-user browsers, a breakthrough that could make it less painful for many services to offer the security feature.

What’s more, the technique known as False Start requires that only simple changes be made to a user’s browser and appears to work with 99 percent of active sites that offer SSL, or secure sockets layer, protection.

“We implemented SSL False Start in Chrome 9, and the results are stunning, yielding a significant decrease in overall SSL connection setup times,” Google software engineer Mike Belshe wrote in a blog post published Wednesday. “SSL False Start reduces the latency of a SSL handshake by 30%. That is a big number.”

The finding should come as welcome news to those concerned about online privacy. With the notable exceptions of Twitter, Facebook, and a handful of Google services, many websites send the vast majority of traffic over unencrypted channels, making it easy for governments, administrators, and Wi-Fi hotspot providers to snoop or even modify potentially sensitive communications while in transit. Companies such as eBay have said it’s too costly to offer always-on encryption.

The Firesheep extension introduced last year for the Firefox browser drove home just how menacing the risk of unencrypted websites can be.

There’s a blog post about the speed improvements here:

SSL FalseStart Performance Results
It shows an approximate 30% reduction in the overall SSL connection setup time. They say they have implemented it in Chrome 9 (the current public release of Chrome is version 11) – so that makes me wonder has it been running in Chrome since February this year when 9 was released?

If you did want to disable it you can do so with the following command line option:

--disable-ssl-false-start command-line

False Start works by reducing the amount of data that must be exchanged when a webserver and browser are negotiating an SSL session. Under official SSL specifications, two round-trip passes of data must be exchanged before an encrypted tunnel is established. The requirement adds latency that can slow down the time it takes pages to load and increase the packets websites must process.

Latency “makes a difference in does it feel snappy or does it feel sluggish,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor. False Start “certainly eliminates an objection that some people have for SSL, which is that it increases the load time.”

False Start, as described in a proposal Google engineers submitted last year to the Internet Engineering Task Force, makes it possible to reduce the latency penalty of offering SSL to just a single round-trip pass. The technology does this by using an abbreviated handshake when

negotiating the key and other variables used in the encrypted session.
Belshe said engineers tested False Start on a list of all known websites that offer SSL and got a 94.6 percent success rate. Almost all of the unsuccessful connections came from sites that were no longer available, leaving a true failure rate of just 0.4 percent. Those sites have now been compiled into a manageable list used to turn off False Start when they are accessed in Chrome.

With all the media coverage from FireSheep – SSL is indeed a big issue now so this might come as a pleasant surprise for heavy SSL users.

You can read the entire paper here:

Transport Layer Security (TLS) False Start
Let me know your thoughts? Yah SSL is already a big mess, but does this make it worse?

nb : darknet Read More...

sqlmap 0.9 Released – Automatic Blind SQL Injection Tool

It’s been a while since we’ve written about sqlmap, the last time was when 0.7 was released back in July 2009 – sqlmap 0.7 Released – Automatic SQL Injection Tool.

Well sqlmap 0.9 has been released and has a considerable amount of changes including an almost entirely re-written SQL Injection detection engine.

For those that aren’t familiar with the tool, sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

New Features/Changes

• Rewritten SQL injection detection engine (Bernardo and Miroslav).
• Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
• Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
• Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
• Implemented support for Firebird (Bernardo and Miroslav).
• Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
• Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
• Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
• Added support to fetch unicode data (Bernardo and Miroslav).
• Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
• Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
• Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
• Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns.

The complete changelog is available for viewing here.

You can also download the user manual here [PDF] – sqlmap README

You can download sqlmap 0.9 here:
sqlmap-0.9.tar.gz

nb : darknet Read More...

Inguma Is Back – The Penetration Testing & Vulnerability Research Toolkit

Inguma is back and being actively developed again. It’s been quite a long time, far too long in fact. We first reported about Inguma way back in 2007 and our latest mention of it was in March 2008.

A new version has just been released almost 3 years later with some major changes and a big GUI revamp. Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits. While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing.

There are some good docs to get you up and running too:

• Installation Guide
• Getting Started
• Console Quick Start
• GUI Quick Start
• Full Documentation

The announcement from the developers blog is here:
We are back

This is the project website of Inguma, a penetration testing and vulnerability research toolkit. Here you will find documentation, links, notes about the project, news, etc...

Introduction

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits.
While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing. Inguma is still being heavily developed so be sure to stay current and check back for news and updates.

Documentation

Getting Started describes how to download, install and run Inguma.
The full documentation can be found here, but if you prefer to just start playing here you have Console and GUI quick start guides.

Changelog

• 17-11-2011: Inguma 0.2 released! More info on the developers blog.

You can download Inguma 0.2 here:
inguma-0.2.tar.gz

nb : darknet Read More...

Acunetix WVS (Web Vulnerability Scanner) 7 Review – Engine & Scanning Improvements

We wrote our first review of Acunetix WVS 6 back in January 2009 and published an update about the release of Acunetix Web Vulnerability Scanner (WVS) 6.5 in June 2009.

The team over at Acunetix have been working hard on version 7 for quite some time and released a new build with added features earlier this year in February. It also has an entirely new attack vector, DOM XSS.

If you are already familiar with WVS, it’ll feel on the surface much the same as the old version as the interface hasn’t changed drastically (which is a good thing).

Most of the improvements and major changes in version 7 are under the hood, but at first use you will notice the difference. The scanner is much faster and seems more intelligent (there were noticeably less false positives than I remember in version 6) and it has much better support for Web 2.0 and AJAX powered web applications. That is of course a huge area now and very important for a tool like this that focuses on Web Security to support well (the modules have been re-written to support technologies such as such as JSON, XML and more). It also helps that it uses new unique verification techniques so you don’t have to wade through all the false positives by hand.

The order and layout of the scan results is also clearer and easier to follow with better sections and more information about each alert.

The information given is also more complete with links to the original advisory and for application based flaws, it’s also extremely easy to see the full headers returned by the web server, relaunch the attack with the HTTP Editor, retest the alert or mark it as a false positive.

It also gives suggestions on how to fix the issue, these are usually quite general though rather than specific technical instructions. One thing I really like about WVS it’s a very well equipped scanner which can crawl, scan, do vulnerability checks and has a bunch of handy tools for comparing results and even fuzzing.

With the HTTP Fuzzer can define your own character sets, iterations, use files and much more. It’s a very neat tool and not only for fuzzing, you can also use it to validate query sets to create your own valid input rules for WVS to test.

Another useful tool to have built in to this kind of application is a local HTTP Proxy – which is labeled in WVS as HTTP Sniffer. The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to trap traffic before it is sent to the web server or back to the web client.

It also has a tool called the Authentication Tester, which you can use to perform dictionary/brute-force attacks against login pages which use both HTTP (NTLM v1, NTLM v2, digest) or form based authentication. This tool uses two predefined text files (dictionaries) which contain a list of common user-names and passwords. You can add your own combinations to these text files. It’s a very easy to setup brute-forcing tool for form-based authentication testing.

For those of who do this for a living, the Compare Results tool is great for those clients you scan regularly – it even allows you compare site structure. With this and regular scans you can easily monitor if and when any vulnerabilities are introduced and keep things under control.

Overall this new version of WVS feels similar to version 6 but somehow tighter, faster and more efficient – if you liked WVS before, you’ll love it now.

As an addition for the more advanced users, you can actually write your own Acunetix WVS Vulnerability Checks now too. As the new Checks are JavaScript in WVS 7 – it’s faster, easier and more flexible to write completely new Checks or edit existing Checks.

You can get the tool and detailed scripting reference to develop your own Checks here:

Acunetix_SDK.zip

More details about that here:

Creating custom vulnerability checks for Acunetix WVS Version 7

Acunetix WVS Trial Edition

Download Acunetix Web Vulnerability Scanner v7 trial edition from here.
There are also some useful resources here:

• Getting started with Acunetix Web Vulnerability Scanner
• Getting Started Guide [PDF]
• Ordering Acunetix Web Vulnerability Scanner (WVS) & Pricing
• The Acunetix WVS FAQ

nb: darknet Read More...

pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

• clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
• testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
• badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
• fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
• multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
• evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
• shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
• denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts
• pcapReplay: enables to replay pcap files

It is easily configurable and could integrate new modules in the future.
There are basically 6 types of tests:

• socket: open a socket on a given port and send the payloads to the remote target on that port.
• command: send command to the remote target with the subprocess.call() python function.
• scapy: send special crafted payloads based on the Scapy syntax
• multiple failed logins: open a socket on port 21/tcp (FTP) and attempt to login 5 times with bad credentials.
• client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
• pcap replay: enables to replay traffic based on pcap files

The official documentations is available here: pytbull documentation.
Changes/Improvements in V1.1

• Issue #2 fixed (test number incrementing twice just after the last test from multipleFailedLogins test)
• Issue #3 fixed (pcapReplay module not present in the checks on STDOUT)
• Code factoring in pytbull.py
• Timing options are now in parameters (config.cfg)
• Automatically checks and informs if a new version is available (use PROXY section in the configuration file if needed)
• New basic checks: Checks that paths are valid
• SVN tags added in source code

You can download pytbull here:
pytbull-1.1.tar.bz2
pytbull-1.2.tar.bz2
pytbull-1.3.tar.bz2

nb : darknet Read More...

Digital Underground Offering Cheap Botnets For Hire

Perhaps even the cyber-criminals are effected by the recent recession – botnets for hire are hitting rock-bottom rates starting at just $2. We reported back in April 2010 about the Texas Man Who Pleaded Guilty To Bot Network For Hire.

They are becoming more multi-talented as well rather than just offering bot networks for DDoS attacks or Spam you can also hire them to get stolen credit card info, PayPal accounts, bank accounts for credit references, to set up a secure VPN and much more.

As always the bad guys are ahead of the game and adapting their ‘business model’ to suit consumer demands. It still not easy to get hold of these kind of services, but they are out there and as reported they are cheap.

Botnets for hire to launch your own spam campaign and stolen credit card information sold at the rock bottom price of $2 are just two of the commodities easily found on the cyber-crime black market today, according to a report released this month by Panda Security. The report, which was conducted by PandaLabs researchers who posed as cyber criminals, details a vast criminal network selling stolen bank account information in forums and dedicated online stores.

“This is a rapidly growing industry and cyber-criminals are aiding and abetting each other’s efforts to steal personal information for financial profit,” Panda Security officials note in a release on the findings. “The cyber-crime black market, which has traditionally centered on distributing bank and credit card details stolen from users around the world, diversified its business model in 2010, and now sells a much broader range of hacked confidential information including bank credentials, log-ins, passwords, fake credit cards and more.”

The report also delves into a detailed pricing system and the digital black market prices for various types of stolen information. However, PandaLabs discovered that while the information may be available, it can only be accessed by personally contacting the hackers who are promoting their information for sale on forums and in chat rooms.

It seems like $2 will get you a legitimate but unverified bank account or credit card number. It won’t however get you the verification number or the available account balance.

The bad guys are almost operating on a freemium model, offering basic card/bank details at close to nothing ($2) and then raising the price for additional information or in some cases larger credit lines/bank balances.
I’d imagine operating in such a way they are making quite a profit from their botnets, rather than just renting out the compromised machines they are also benefiting from the information stolen from the home desktops they have infected with their malware.

Once the information is in a criminal’s hands they can easily defraud any bank or credit card account long before the hack is discovered, the report claims. The data can be purchased for as little as $2 per card. But $2 will not provide the buyer with additional information or verification of the account balance available.

“If the buyer wants a guarantee for the available credit line or bank balance, the price increases to $80 for smaller bank balances and upwards of $700 to access accounts with a guaranteed balance of $82,000,” said researchers.

The report also details an intricate price structure for accounts with a history of online shopping or use of payment platforms such as PayPal. If stolen credit card numbers aren’t your thing, prices are also available for botnet rental to launch a spam campaign. The price range varies depending on the number of computers used and the frequency of the spam, or the rental period, the report reveals. Prices start at $15 and rise to $20 for the rental of a SMTP server or VPN to guarantee anonymity. One can also hire cyber criminals to assist with the set up of a fake online store to use rogueware techniques for stealing user details and profiting off unsuspecting victims who pay for fake antivirus products.

“There are also teams available to deliver turnkey projects, design, develop and publish the complete store, even positioning it in search engines,” the report states. “In this case, the price depends on the project.”

It seems like the criminals have quite an extensive ‘menu’ of offerings and can provide SMTP servers for spamming or VPN services to provide anonymity. You can also hire them to help you as a kind of cyber-criminal consultant to set up a fake online store or phishing site.

They offer the whole work-flow just like a professional software development company – design, deployment and even SEO services.
Pretty interesting stuff.

nb : darknet Read More...

French Company Intego Release First iPhone Malware Scanner

This is quite an interesting story as it’s very closely related to the story we published earlier this week – Malicious PDF Files To Exploit iPhone & iPad Zero Day In The Wild. Hot on the tail of that news is the first-ever malware scanning app for iOS devices (iPhone/iPad etc) from a French security company called Intego.

The odd thing is the app can’t scan the filesystem of the device due to the iOS sandbox – but it can scan remotely hosted files (e-mail attachments, files in your Dropbox account and on on).
It’ll be interesting to see what kind of response this app gets and if people will be interested in purchasing it.

A French security company known for its Mac OS X antivirus software today released the first malware-scanning app for the iPhone and iPad and iPod Touch. Intego’s VirusBarrier for iOS has been approved by Apple, and debuted on the App Store Tuesday for $2.99.

Because iOS prevents the program from accessing the file system or conducting automatic or scheduled scans — as do virtually all Mac and Windows antivirus software — VirusBarrier must be manually engaged, and then scans only file attachments and files on remote servers, said Peter James, a spokesman for Intego.

“Because of the sandbox, you can’t scan the file system,” said James. “Since you don’t see the iOS file system, the only things you can scan are attachments sent by email or files in, say, your Dropbox folder.”

Unlike software written for Android — such as Lookout, from the San Francisco-based company by the same name — VirusBarrier cannot scan apps for possible infection. When an email attachment is received by the iPhone, iPad or iPod Touch, the user can intercede by calling on VirusBarrier, which then scans the file for possible infection before the file is opened or forwarded to others.

“We’ve had enterprise customers say that although they know you can’t do a full system scan of an iPhone, they don’t like the fact that files go through these devices and end up on a Mac or Windows PC,” said James. “They want their users to be able to check that an attachment is safe.”

It also can’t scan apps for possible infection, which is kind of weak – but I guess it’s supportive of the walled garden approach implemented by Apple. Seen as though all official apps are vetted by Apple there shouldn’t be any infections anyway (unless the user executed a JailBreak their device).

Symantec did make some kind of push into the iOS market in October 2010, but I’m not sure what came of it – Symantec Expands Security Products To Cover Android & iOS.

With the whole model Apple is running on the iOS platform – there honestly isn’t that many vectors for attack.

He characterized VirusBarrier for iOS as a way for iPhone and iPad users to prevent their hardware from spreading malware. “You don’t want your iPhone becoming a ‘Typhoid Mary,’” James said.

VirusBarrier for iOS can scan email attachments in a variety of formats, including Microsoft’s Word, Excel and PowerPoint; PDF documents; JavaScript files; and Windows executables, those files tagged with the .exe extension. It can also scan files in a Dropbox folder, those stored on MobileMe’s iDisk, or files downloaded via the iOS version of Safari. The scanning engine and signatures — the digital “fingerprints” used to detect malware — in VirusBarrier for iOS are identical to those used by Intego’s Mac OS X product line.

VirusBarrier for iOS lets iPhone and iPad users run on-demand scans of email attachments before those files are opened or forwarded.

“It’s important that people understand what [VirusBarrier] can and cannot do,” said James, pointing to the malware scanner’s limitations. “Although there is no malware written for iOS today, if attackers do try to exploit the [recent] PDF vulnerability, this is something we can scan for.”

James was referring to the still-unpatched vulnerability in iOS that can be exploited through a malicious PDF document, one of two bugs used last week to “jailbreak” an iPhone , iPad or iPod Touch. VirusBarrier for iOS can be downloaded to an iPhone, iPad or iPod Touch from Apple’s App Store. It requires iOS 4.0 or later.

You can check out the app on Apple’s App Store here:

VirusBarrier By Intego

Basically the purpose of the app seems to more towards halting malware application on the iPhone – rather than preventing the device itself getting infected. You can read a lot more about it on the App Store description.

Source: darknet
Read More...

iViZ On Demand Penetration Testing

Introduction

iViZ is the industry’s first company to position themselves as an on-demand penetration testing service for web applications. This is very different from the normal low cost vulnerability assessment services like Qualys, Hackersafe, Hackerguardian etc.  Unlike conventional solutions, iViZ delivers consultant-grade quality with an on-demand experience. iViZ provides a hybrid solution that integrates automation with manual testing by security experts. This results in a cost-effective SaaS model to achieve a very low rate of false positives, manual expert validation, and business logic testing.  The key advantages are high quality, on-demand manageability, high scalability and unmatched service to price value.
iViZ Security is funded by IDG Ventures which also funded companies like Netscape, Baidu, MySpace and F5 amongst several others. iViZ currently has 200+ customers across several verticals including Finance, Telecom, Online Media and E-commerce.

Why did we evaluate iViZ On Demand Penetration Testing?

Although there are tons of penetration testing providers and solutions in the market today, iViZ visualized the gap in making penetration testing more proactive and repetitive in a cost effective manner. It has thus adopted the SaaS route which can be a potential disruptor to make penetration testing more affordable without the hassles of tools and costly consultants. Organizations worldwide are evolving at a rapid pace and thus they require a solution which helps them attain speed to market and profitability.
Also today’s market place is primarily focused on cost differentiation. This has led to automation and sub optimal quality with plenty of “me too” service providers. While automated scanning provides benefits like lowered cost and faster time to scan, application penetration testing requires manual intervention to remove false positives and more importantly conduct business logic testing. iViZ seems to have understood early on that pure automation will never be able to indentify complex business logic vulnerabilities in the context of today’s evolving application specially in online and telecom market.

Review Parameters

We evaluated iViZ primarily on 4 key parameters:

1. User Experience
2. Quality of Findings
3. Methodology
4. Packaging and Pricing

A. User Experience

We had been provided access to https://edge.ivizsecurity.com/ . The portal enables two views: partner and customer. The partner view essentially helps you manage your customer’s pen test. The customer can also login with his credentials and submit a new scan or download a complete report.

The dashboard nicely summarizes the essential info on completed scans and upcoming scans. “Scan in Verification” are the ones which have already passed automated testing and being manually verified for false positives and business logic testing. This hybrid testing is carried out by combining automation of testing with work flow automation and leveraging process engineering on top of it.
The customer dashboard is also clear and concise representing only the vital information without too much clutter of graphs and diagrams.

The interface to submit or schedule new scans has got plenty of options to specify advanced parameters that enhance the quality and performance of testing. Apart from date, time and target you can specify application details like user credentials, path to exclude, depth limit and link limit.

B. Quality of Findings

The key factor which differentiates this SaaS offering for other VA services is the quality of findings. The report section nicely summarizes vulnerability info and critical threats that needs to be fixed urgently. The reports can be viewed online or downloaded in a pdf format. The key thing which has impressed us is every high and critical vulnerability is accompanied by a “Proof of Exploit” – a screenshot depicting the impact of the vulnerability. This goes a long way in making the report meaningful and immense help for the application developers to quickly fix the vulnerability. This also gives the true essence of penetration testing.

Having a proof of exploit with high and critical vulnerability also ensures that these have been manually verified and thus the report is almost “Zero False Positive”. A huge time saver!

C. Scan Methodology

iViZ Penetration Testing Cloud service jumpstarts the scan process without employing consultants or buying expensive tools. Assessments are conducted in the cloud as needed and when requested by the customer. iViZ follows a hybrid approach for its scan methodology:

1. T0 Testing: Automated Testing using multiple in-house and commercial scanners
2. T1 Testing: False positives are removed with extensive manual investigation.
3. T2 Testing:  Business logic verification is carried out with further manual testing using complex attack paths.

The hybrid testing is carried out by combining automation of testing with work flow automation and leveraging process engineering on top of it. In terms of coverage, the service covers OWASP Top 10 and WASC 26 threat classes in premium app testing.

D. Packaging and Pricing

iViZ offers two penetration testing service packages depending on customer business environment – Standard and Premium. Standard Tests are suitable for non critical applications and thus has lesser coverage. Premium is suited for critical applications and thus it provides a deep diagnosis with zero false positive and proof of exploit.  The pricing packages are all subscription based with frequency ranging from half yearly, quarterly, yearly and unlimited.

Conclusion

Overall the service looks pretty impressive. It provides a seamless way to do penetration testing on demand without incurring high cost of tools and consultants. Basically, like the sales force of penetration testing. For partners it provides an easy way to deliver penetration testing much more profitably or even set up a security testing business with zero Capex. However, the primary challenge that iViZ faces is sticking to the quality as the volume scales to thousands of scans.

It’s an interesting service and we shall be keeping an eye on it.

nb : darknet Read More...

Top 15 Security/Hacking Tools & Utilities

1. Nmap

I think everyone has heard of this one, recently evolved into the 4.x series.
Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.

Get Nmap Here

2. Nessus Remote Security Scanner

Recently went closed source, but is still essentially free. Works with a client-server framework.
Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

Get Nessus Here


3. John the Ripper

Yes, JTR 1.7 was recently released!
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

You can get JTR Here

4. Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).

Get Nikto Here
 
5. SuperScan

Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.

Get SuperScan Here

6. p0f

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
– machines that connect to your box (SYN mode),
– machines you connect to (SYN+ACK mode),
– machine you cannot connect to (RST+ mode),
– machines whose communications you can observe.
Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.

Get p0f Here

7. Wireshark (Formely Ethereal)

Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.
Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.

Get Wireshark Here

8. Yersinia

Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
The best Layer 2 kit there is.

Get Yersinia Here

9. Eraser

Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.
An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.

Get Eraser Here.

10. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4x0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.

Get PuTTY Here.

11. LCP

Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.
A good free alternative to L0phtcrack.
LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.

Get LCP Here

12. Cain and Abel

My personal favourite for password cracking of any kind.
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

Get Cain and Abel Here

13. Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
A good wireless tool as long as your card supports rfmon (look for an orinocco gold).

Get Kismet Here

14. NetStumbler

Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

• Verify that your network is set up the way you intended.
• Find locations with poor coverage in your WLAN.
• Detect other networks that may be causing interference on your network.
• Detect unauthorized “rogue” access points in your workplace.
• Help aim directional antennas for long-haul WLAN links.
• Use it recreationally for WarDriving.

Get NetStumbler Here

15. hping

To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.



Get hping Here

nb : darknet Read More...