Sunday, February 27, 2011

Sectool Security Audit & IDS

Security audit tool

Sectool is a security tool that can be used both as a security audit tool and as part of an intrusion detection system. It consists of a set of tests, a library, and textual and graphical frontends. Tests are sorted into groups and security levels, so administrators can run selected tests, whole groups, or entire security levels.


Tar archive:

Anonymous read-only access to the development version:

$ git clone git:// sectool

Or the web interface:


Help wanted

We are open to new ideas, comments and feature requests. If there is something on your mind, please send us an email

and we will try to get you a fast response. To subscribe to the list, visit

If you write your own tests, or just have an idea of what should be checked, let us know. We can implement it and include it in the next release. There is a list of existing and planned tests for this purpose. See




Feel free to submit your translation via Transifex at:

Similar projects

  • Debian's checksecurity
  • Mandriva's msec
  • SuSE's seccheck
  • OpenBSD's security script
  • Tiger
  • Security Blanket (commercial)
  • Lynis



Thursday, February 24, 2011

Security Info and Guide

This is an OLD post from my R.I.P. Wordpress blog, but I like the links in that post. OK, here it is...!

Awareness and Training
  • Awareity MOAT
  • Birch Systems Privacy Posters
  • Greenidea Visible Statement
  • Interpact, Inc. Awareness Resources
  • NIST resources
  • SANS Security Awareness Program
  • Security Awareness, Inc. Awareness Resources

Bluetooth
  • BlueScanner
  • BlueSniper rifle
  • Bluejacking community site
  • Detailed presentation on the various Bluetooth attacks
  • NIST Special Publication 800-48

Certifications
  • Certified Ethical Hacker

Dictionary Files and Word Lists
  • Default vendor passwords

Exploit Tools
  • CORE IMPACT

General Research Tools
  • AfriNIC
  • CERT/CC Vulnerability Notes Database
  • Common Vulnerabilities and Exposures
  • Government domains
  • Hoover’s business information
  • Military domains
  • NIST National Vulnerability Database
  • RIPE Network Coordination Centre
  • Sam Spade
  • U.S. Patent and Trademark Office
  • U.S. Securities and Exchange Commission
  • Yahoo! Finance site

Hacker Stuff
  • 2600: The Hacker Quarterly magazine
  • Blacklisted 411
  • Computer Underground Digest
  • Hacker T-shirts, equipment, and other trinkets
  • Honeypots: Tracking Hackers
  • The Online Hacker Jargon File

Linux
  • Amap
  • Bastille Linux Hardening Program
  • Comprehensive listing of live bootable Linux toolkits
  • Debian Linux Security Alerts
  • Linux Administrator’s Security Guide
  • Linux Kernel Updates
  • Linux Security Auditing Tool (LSAT)
  • Network Security Toolkit
  • Red Hat Linux Security Alerts
  • Security Tools Distribution
  • Slackware Linux Security Advisories
  • SUSE Linux Security Alerts
  • VLAD the Scanner

Log Analysis
  • ArcSight Enterprise Security Manager
  • GFI LANguard Security Event Log Monitor
  • Internet Security Systems Managed Services system logging resources

Malware
  • chkrootkit
  • EICAR Anti-Virus test file
  • The File Extension Source
  • McAfee AVERT Stinger
  • Wotsit’s Format

Messaging
  • SMTP relay checker
  • Cain and Abel relay checker
  • GFI e-mail security test
  • How to disable SMTP relay on various e-mail servers
  • mailsnarf (or the Windows version)
  • Sam Spade for Windows

NetWare
  • Adrem Freecon
  • Craig Johnson’s BorderManager resources
  • JRB Software
  • Novell Product Updates
  • Rcon program

Networks
  • Cain and Abel
  • Essential NetTools
  • Ethereal network analyzer
  • GFI LANguard Network Scanner
  • GNU MAC Changer
  • MAC address vendor lookup
  • Nessus vulnerability scanner
  • NetScanTools Pro all-in-one network testing tool
  • Nmap port scanner
  • Port number listing
  • Port number lookup
  • QualysGuard vulnerability assessment tool
  • Sunbelt Network Security Inspector
  • SuperScan port scanner
  • TrafficIQ Pro

Password Cracking
  • BIOS passwords
  • Cain and Abel
  • Elcomsoft Distributed Password Recovery
  • John the Ripper
  • Proactive Password Auditor
  • Proactive System Password Recovery
  • NetBIOS Auditing Tool
  • Rainbow tables

Patch Management
  • BigFix Enterprise Suite Patch Management
  • Ecora Patch Manager
  • GFI LANguard Network Security Scanner
  • HFNetChkPro from Shavlik Technologies
  • Patch Authority Plus
  • UpdateEXPERT from St. Bernard Software
  • Windows Server Update Services from Microsoft

Source Code Analysis
  • Compuware
  • Fortify Software
  • Ounce Labs
  • SPI Dynamics

Security Standards
  • Center for Internet Security’s Benchmarks/Scoring Tools
  • NIST Special Publications
  • Open Source Security Testing Methodology Manual
  • SANS Step-by-Step Guides

Security Education
  • Kevin Beaver’s Security on Wheels podcasts and information security training resources
  • Privacy Rights Clearinghouse’s Chronology of Data Breaches Reported Since the ChoicePoint Incident

Storage
  • CHAP Password Tester

Risk Analysis and Threat Modeling
  • SecureITree
  • Software Engineering Institute’s OCTAVE methodology

Voice over IP
  • Cain and Abel
  • NIST SP 800-58
  • SIP Forum Test Framework

War Dialing
  • Sandstorm Enterprises PhoneSweep
  • Sandstorm Enterprises Sandtrap wardialing honeypot

Web Applications and Databases
  • 2600’s Hacked Pages
  • Acunetix Web Vulnerability Scanner
  • HTTrack Website Copier
  • Foundstone’s Hacme Tools
  • Google Hacking Database
  • N-Stealth Security Scanner
  • Paros Proxy
  • Pete Finnigan’s listing of Oracle scanning tools
  • Port 80 Software’s ServerMask
  • Port 80 Software’s Custom Error
  • SQLPing2 and SQLRecon

Windows
  • Effective File Search
  • FileLocator Pro
  • Microsoft Baseline Security Analyzer
  • Microsoft TechNet Security Center
  • Network Users
  • SMAC MAC address changer

Wireless Networks
  • Aircrack
  • AirMagnet Laptop Analyzer
  • AiroPeek SE
  • Cantenna war-driving kit
  • CommView for Wi-Fi
  • Digital Hotspotter
  • Homebrew WiFi antenna
  • Lucent Orinoco Registry Encryption/Decryption program
  • RFprotect Mobile
  • SeattleWireless HardwareComparison page
  • Security of the WEP Algorithm
  • The Unofficial 802.11 Security Web Page
  • WiGLE database of wireless networks
  • Wireless Vulnerabilities and Exploits
  • WPA Cracker

How To Count The Number Of Hosts In NMAP Network Scan Results With Zenmap

Earlier today, while working with a friend at our offices, we were playing around with a large NMAP scan of the anoNet network. His computer would not open the network topology in Zenmap because of a lack of RAM, so we were looking at it on another laptop with much more RAM. After discussing it for a little bit we were curious how many hosts had been discovered on anoNet, but initially I didn’t see an easy way to get this information. Use the information below for a quick count of the hosts discovered by an NMAP scan in Zenmap.

Count Number Of Hosts Located Via NMAP Scan With Zenmap GUI
  1. Open Zenmap: First open the Zenmap GUI. On Windows 7 you can do this by typing zenmap into the Search Programs and Files field of the Start Menu and pressing Enter, which launches the Zenmap GUI as shown in the example image below.
    Zenmap: The NMAP GUI
  2. Open NMAP Scan Results: Now click Scan in the top navigation menu and select Open Scan In This Window from the drop-down menu as shown in the image below.
    Zenmap: Open Scan Results In This Window
    Browse to the location of the scan results file, such as scan-results.xml, and open it. Zenmap will show a view similar to the example window below.
    anoNet NMAP Scan Results In Zenmap
  3. Zenmap Filter Hosts: Select Tools from the top navigation menu and select Filter Hosts from the drop-down menu as shown in the example image below.
    Zenmap Tools Filter Hosts

    Once Filter Hosts has been selected a new bar appears at the bottom of Zenmap, as shown in the example image below.
    Zenmap Displaying Total Number Of Hosts In NMAP Scan Results
    At the left end of this bar Zenmap shows how many hosts are currently displayed out of the total number of hosts in the NMAP scan. In this example 2,693 hosts were found on anoNet.
So displaying the total number of hosts in an NMAP scan via Zenmap is extremely easy, but it is worth noting because no menu item explicitly says it shows the total number of hosts.
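If you have the XML results in hand you do not need Zenmap at all to get the count. The following Python script is an added example, not part of the original post or of Nmap/Zenmap. It parses a small constructed Nmap -oX file (the element layout follows nmap's XML output; the hosts and addresses are made up), tallies the host elements by status, which is the number the Zenmap filter bar reports, compares that with nmap's own runstats line, and answers the usual follow-up question, which of those hosts have a given port open. One caveat: an interrupted scan leaves the XML file unterminated, and the parser below will reject it rather than report a partial count.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Nmap -oX output for a /29 (two hosts up, one down).
# Element layout follows nmap's XML schema; the addresses are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan-results.xml 10.0.0.0/29" start="1298500000">
  <host starttime="1298500001" endtime="1298500003">
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
  </host>
  <host starttime="1298500001" endtime="1298500004">
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
  <runstats>
    <finished time="1298500010" elapsed="9.50"/>
    <hosts up="2" down="1" total="3"/>
  </runstats>
</nmaprun>
"""


def count_hosts(xml_text):
    """Tally <host> elements by status (the figure Zenmap's filter bar shows)
    and pull nmap's own <runstats><hosts> totals for comparison when present."""
    root = ET.fromstring(xml_text)
    states = Counter()
    for host in root.iter("host"):
        status = host.find("status")
        states[status.get("state") if status is not None else "unknown"] += 1
    summary = {
        "total": sum(states.values()),
        "up": states.get("up", 0),
        "down": states.get("down", 0),
        "runstats_total": None,
    }
    runstats = root.find("runstats/hosts")
    if runstats is not None:
        summary["runstats_total"] = int(runstats.get("total"))
    return summary


def hosts_with_open_port(xml_text, portid, protocol="tcp"):
    """IPv4 addresses of hosts on which the given port is reported open."""
    root = ET.fromstring(xml_text)
    matches = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == protocol
                    and port.get("portid") == str(portid)
                    and state is not None and state.get("state") == "open"):
                addr = host.find("address[@addrtype='ipv4']")
                if addr is not None:
                    matches.append(addr.get("addr"))
                break
    return matches


if __name__ == "__main__":
    s = count_hosts(SAMPLE_XML)
    print(f"{s['up']} up, {s['down']} down, {s['total']} total "
          f"(nmap runstats: {s['runstats_total']})")
    print("port 80 open on:", ", ".join(hosts_with_open_port(SAMPLE_XML, 80)))
```

To run it against a real file, replace SAMPLE_XML with the contents of scan-results.xml. A quick sanity check from the shell is `grep -c '<host ' scan-results.xml`, since nmap starts each host element on its own line; the script's tally should agree with it and with the runstats line.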

Thanks to Alex for this; it gave me an idea to do something.

Tuesday, February 22, 2011

Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack

The article below explains how I used password fingerprinting to crack 500,000 password hashes in less than half a day, completely automated. It shows each command step by step, but only to describe the details of how password fingerprinting with oclHashcat works; in practice the whole process can be driven by a script, which is why we call it automated password cracking.
The fingerprint attack in my example had a success rate of about 80% in a 100% automated process after 12 hours on a single GeForce GTX 285. To reach the 500,000 cracked hashes I first created a list of 650,000 unique password hashes from a well-known leaked password database. I then ran some easy attacks against the hashes, such as a five-character brute force over the full character set, to produce an initial wordlist to seed the fingerprint attack (you do not strictly need this step, as explained further below). Once the initial brute force is complete the real fingerprinting starts: take the results, pipe them into the expander, and run a combination attack against the hash list with the expanded dictionary. Take the results of that attack, expand them again, and attack again. As the detailed walkthrough below shows, results come back at a very high rate because the loop automatically finds the patterns people build passwords from and exploits them.

Resources Used For Password Fingerprinting Example:

Generate Example Hashlist:
Here we use a real-world leaked password database to show that password fingerprinting works on all levels of passwords: easy passwords, medium-strength passwords, and somewhat more difficult ones. Please note that genuinely long and complex passwords are still safe.
Follow the steps below to generate the password hash file containing 650,000 unique MD5 password hashes.
  1. Make Password Entries Unique:
    $ bzcat rockyou.txt.bz2 | sort -u > rockyou.txt.uniq
  2. Pick 650,000 Random Entries From The Unique List (sort -R is the GNU coreutils random shuffle):
    $ sort -R rockyou.txt.uniq | head -650000 > rockyou.txt.uniq.650k

  3. Generate Hashes From The Password List Using The Hashing Script:
    $ perl < rockyou.txt.uniq.650k > rockyou.txt.uniq.650k.md5
The hashing script is a simple Perl script that writes the MD5 hash of each line of a dictionary file. It is available for download at the top of this article under “Resources Used For Password Fingerprinting”.

Issue Some Simple Attacks On The Hash List To Generate Initial Wordlist:
We need a base wordlist to begin the fingerprint attack from, so we first run a simple brute force attack over the full charset at a short length, which returns results quickly. Using the full charset gives us password patterns that include special characters, lowercase letters, uppercase letters and digits, all of which appear in medium-strength to somewhat harder passwords. You can of course use your own wordlist to generate the initial pattern files, but if you do, make sure it contains all types of characters. Follow the steps below to generate the initial wordlist.
  1. Issue Brute Force Attack With oclHashcat: Here we use the full charset (lowercase, uppercase, digits, special characters) to run a five-character brute force against the list of 650,000 unique hashes. This produces the initial wordlist from which password fingerprinting derives its patterns. This specific attack took only a few seconds with oclHashcat on my GeForce GTX 285. Because oclHashcat's engine always combines a left side with a right side, the five-character space is written as a three-character left mask and a two-character right mask, both built from custom charset 1. Notice the “--remove” switch, which removes found hashes from the hash file so results are easier to track, and the “-o” switch, which writes the cracked hashes to “res”.
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 -1 ?l?d?s?u ?1?1?1 ?1?1 -o res
    Recovered.: 11584/650000 Digests
    Note: If you did the random selection step yourself, this number and all the following ones will vary.
  2. Remove The MD5s In Front Of The Results: The output file has the form hash:password. A hex MD5 is 32 characters, plus the “:” separator, so cutting from byte 34 onwards leaves only the passwords.

    $ cut -b 34- < res > res.dict
The Init Looping Process:
We now expand the results file generated above and use the expanded list in a combination attack. This is where the fingerprint attack really starts.
The expander does something very simple: it decompiles each word in a list into all of its parts, the patterns it is built from. Most people build passwords from patterns. Everyone knows the typical ones, such as appending a 1 or adding the year 2010 to the end of a word, and those are known to be unsafe, so many people now build more complex patterns instead. By using the expander to decompile a large number of cracked words into all of their parts we get those more complex patterns into our dictionary as well. Take for example the pattern “!1Qq”, which looks complicated but technically is not very complex at all. Once the expander has generated a pattern dictionary that contains such fragments, the chance that we hit a password a human built from them goes up considerably.

How The Expander Works On A Single Pattern:
root@dev:~/oclHashcat-0.22# echo 'an12!Qi' | ./expander.bin

The above gives a simple real-world idea of how password fingerprinting works. The fingerprint is simply a specific pattern, not one belonging to a specific person but to a specific source, which in this example is humans.
  1. Just to see where we stand, use “wc” to count the lines in the original results file:
    $ wc -l res.dict
    11584 res.dict
  2. Use The Expander On The Password Dictionary Results File:
    $ ./expander.bin < res.dict | sort -u > res.dict.exp

  3. Just to see what happened, use “wc” to count the lines in the new results file:
    $ wc -l res.dict.exp
    112158 res.dict.exp
As a first result we now have a dictionary file filled with all possible patterns from our five-character brute force attack. Examples of the patterns that were located include the following.

Now we simply combine all of these strange-looking words from the results file using the combination attack. The combination attack is the base of oclHashcat and is very simple: you have two wordlists, a left one and a right one, and the attack appends each word of the right wordlist to each word of the left wordlist to build longer candidates. With the same expanded file on both sides the candidate space is the square of its line count, which is why the expanded list has to stay small.
The Looping Process Itself, Combine Results Using oclHashcat’s Combination Engine:
  1. Use Combination Mode To Attack The Hash List With The Expanded Dictionary:
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 res.dict.exp res.dict.exp -o res2
    Recovered.: 147747/638416 Digests
    This second attack took only 1 minute on my GeForce GTX 285. After it we had cracked nearly 150,000 unique hashes! Can you believe it?

  2. Remove The MD5 Hashes From The Results: Now strip the MD5s from the results file to get another password dictionary, as shown below.
    $ cut -b 34- < res2 > res2.dict
  3. Analyze The New Password Results List: We now have a treasure of real-life patterns, such as the examples displayed below.

  4. Expand The New Dictionary List:
    $ ./expander.bin < res2.dict | sort -u > res2.dict.exp
  5. Repeat From The Beginning Of The Looping Process: You can also step out of the loop here, apply some of the tips and tricks from the “Password Fingerprinting Tips & Tricks” section below, and then go back to the loop. I repeated these steps for two more iterations while I sat back and watched it crack more and more complex passwords, completely automated. In less than two hours I had already found 420,000 passwords from the initial list of 650,000 hashes, including the complex examples below.

    I did not need a single wordlist to achieve these results, although I could have used one as described in the “Password Fingerprinting Tips & Tricks” section below.
Password Fingerprinting Attack Tips & Tricks:

  1. The Fingerprint Attack Is Made For GPUs: You can also use the CPU version of hashcat to run a fingerprint attack, but it was specifically designed to run on GPUs with oclHashcat. The fingerprint attack is similar to hybrid attacks or rule-based attacks, but it is definitely superior to them. A hybrid attack must search a much larger keyspace to find the same results, so it takes much longer than a fingerprint attack. Rule-based attacks cannot be applied efficiently enough on GPUs because that engine was written for CPUs, and they are also tedious because of the lengthy process of writing the rules.
  2. Fingerprint Attacks Can Be Automated: You do not need to do anything by hand, and your wordlists are never exhausted because they grow while the attack is running. You have no holes in your attack even if you do not know how to use GPU power efficiently. You can stop the loop at any time when no new passwords are found and then add some words from your own wordlists. Simply build a script that executes the steps from the Looping Process above.
  3. Use Your Own Wordlists: If you have wordlists of names, wiki dumps, good small dictionaries like the one from milworm, or anything else, you can change up your patterns a lot with such data. At some point step out of the loop and use your own wordlist on the right or left side of a combination attack, with the pattern file on the opposite side, then step back into the loop; this greatly improves the effectiveness of the attack.
  4. Be Careful Not To Use Huge Wordlists With The Expander: Do not feed wordlists or dictionaries that are too large, such as wikipedia-wordlist-sraveau-20090325.txt, into the expander. Such wordlists are great on their own, but expanding them will fail. Huge wordlists are only useful in combination with a pattern file.
  5. Sharpen Your Patterns: Your pattern file will contain lots of patterns consisting only of lowercase characters, which are typically words already present in our dictionary wordlists, so we do not want them in the pattern file. You can filter such words with another simple program called req.bin, which is also part of hashcat-utils. req.bin only outputs the dictionary entries that match a given number; the number is a character class that a word must contain to pass. In our case we only want words containing at least one uppercase letter, or at least one digit, or at least one special character, which takes three separate runs, as shown below. A word that contains, say, both an uppercase letter and a digit is emitted by two of the runs, so run sort -u over pattern.dict.exp before using it.
    1 = lower, 2 = upper, 4 = digit, 8 = symbol
    $ ./req.bin 2 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 4 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 8 < res2.dict.exp >> pattern.dict.exp

  6. Build Your Own Pattern Dictionary: You can reuse your pattern file many times, or add patterns from small but efficient dictionaries such as milworm, frt or opencrack_plains. There is a chance that at the beginning of a fingerprint attack the initial wordlist does not contain every possible character, in which case passwords containing the missing characters would never be found. Note that while this article is about automated cracking of many hashes, the pattern files you generate in this process can also be used later to crack single high-quality hashes. It makes sense to save the dictionary files you generate and use them in attacks against single hashes.
  7. Limit The Length Of The Patterns: Since patterns only make sense in combination mode they should have a maximum length. oclHashcat supports password lengths of up to 15 characters, so a good pattern length is seven characters: two pattern files combined then reach password lengths of 14. The maximum can be increased by changing the LEN_MAX variable in expander.c, but be careful, because this produces huge result files!
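The whole loop, the expander, the req.bin filter and the combination attack, fits in a short Python script. The one below is an added example written for this page; it is not hashcat's code. It re-implements only the parts of expander.bin, req.bin and oclHashcat's combination engine that the walkthrough above relies on: the expander as a plain substring enumerator with the same LEN_MAX of 7 (the real expander does more than this), req with the same 1/2/4/8 character classes, and the combination attack with --remove semantics. It runs them against a handful of constructed MD5 hashes, with a constructed seed list standing in for the five-character brute-force results, and stops when a round finds nothing new, which is the point at which the tips say to bring in an outside wordlist. Nothing here is GPU-fast; it shows the mechanics, and in particular why the pattern file has to stay small: every left and right pair is tried, so the candidate count is the square of the pattern file's size.

```python
import hashlib

LEN_MAX = 7  # mirrors LEN_MAX in expander.c (assumed default); longer fragments are dropped

# req.bin character classes as listed on the page
LOWER, UPPER, DIGIT, SYMBOL = 1, 2, 4, 8


def expand(words, len_max=LEN_MAX):
    """Decompile every word into all of its substrings of 1..len_max characters.
    This is the substring part of expander.bin; 'sort -u' is the set."""
    patterns = set()
    for w in words:
        for i in range(len(w)):
            for j in range(i + 1, min(len(w), i + len_max) + 1):
                patterns.add(w[i:j])
    return patterns


def char_classes(word):
    """Bitmask of the character classes present in word (1=lower, 2=upper, 4=digit, 8=symbol)."""
    mask = 0
    for c in word:
        if c.islower():
            mask |= LOWER
        elif c.isupper():
            mask |= UPPER
        elif c.isdigit():
            mask |= DIGIT
        else:
            mask |= SYMBOL
    return mask


def req(words, required):
    """Keep only words that contain at least one character of the required class (req.bin)."""
    return [w for w in words if char_classes(w) & required]


def md5hex(plain):
    return hashlib.md5(plain.encode()).hexdigest()


def combination_attack(hashes, left, right):
    """Try every left+right concatenation against the hash set. Cracked hashes are
    removed from the set (oclHashcat's --remove) and returned as {hash: plaintext}."""
    found = {}
    for a in left:
        for b in right:
            candidate = a + b
            digest = md5hex(candidate)
            if digest in hashes:
                found[digest] = candidate
                hashes.discard(digest)
    return found


def fingerprint_attack(hashes, seed_words, max_rounds=5):
    """The looping process: expand the previous round's results, put the patterns on
    both sides of a combination attack, feed the new plaintexts into the next round."""
    cracked = {}
    dictionary = set(seed_words)
    for _ in range(max_rounds):
        patterns = sorted(expand(dictionary))
        found = combination_attack(hashes, patterns, patterns)
        if not found:
            break  # converged: time to step out and add an outside wordlist
        cracked.update(found)
        dictionary = set(found.values())
    return cracked


# Constructed sample data (not taken from the rockyou dump used on the page).
SEED_WORDS = ["pass1", "word!", "Sum10"]  # as if recovered by the 5-character brute force
TARGETS = ["password!", "pass10", "Sum1word", "word!pass10", "correcthorse"]


def run_demo():
    """Hash the constructed targets, run the loop, return (cracked, surviving hashes).
    'word!pass10' needs two rounds: 'pass10' only becomes a pattern after round one."""
    hashes = {md5hex(p) for p in TARGETS}
    cracked = fingerprint_attack(hashes, SEED_WORDS)
    return cracked, hashes


if __name__ == "__main__":
    cracked, remaining = run_demo()
    for digest, plain in sorted(cracked.items(), key=lambda kv: kv[1]):
        print(f"{digest}:{plain}")
    print(f"Recovered.: {len(cracked)}/{len(TARGETS)} Digests")
```

The seed list plays the role of res.dict, each round's found values play the role of res2.dict, and the surviving hash set is what --remove leaves in the hash file. "correcthorse" never falls, because none of its fragments ever enter the pattern set, which is exactly the case tip 6 above describes.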

Thanks to atom for this guide, you are the man!

Creating Wireless Recon Maps with Google Earth, Kismet, GPSD and Backtrack

Part of wireless assessments is always getting a visual view of your client's setup. I am always looking for new ways to do this, but the best way I have found is a tool called GISKismet, which was written by a guy I know named Jabra. I was getting ready for work this week and decided to write a quick article on how to do this. All the tools are open source and available on the BackTrack 4 CD, except Google Earth, which you must install.

The first thing to do is start our GPS device:

root@bt:~# gpsd -N -n -D 3 /dev/ttyUSB0

NOTE: The -N option makes gpsd run in the foreground, -n makes it poll the receiver straight away instead of waiting for a client to connect, and -D sets the debug level. Together they let us make sure the GPS actually gets a satellite fix before we go any further.
Once we get our gps going we will want to get Kismet started:

1. Select it from the menu
2. Start the server

3. Start the client
4. Select yes to define a source wifi device for the packet capture
5. Enter the name of your interface, in my case wlan0

NOTE: Kismet puts your interface into monitor mode for you, so there is no need to do it manually.
6. Close the server window and you will be presented with the Kismet client interface

You will need to make sure the GPS data is working; you can check this in the Kismet client interface right under the list of access points. I normally capture for a good amount of time to get the most accurate GPS data possible.
Kismet saves five different types of files by default; the one we are interested in is the .netxml file:
Once we have made sure our file was properly created we can select GISKismet from the BackTrack menu:
GISKismet creates a database file using SQLite so that multiple captures can be added to it. The following command inserts the data from the .netxml file into the database:
root@bt:~# giskismet -x Kismet-20110221-08-56-26-1.netxml

Once we have done that we can query the database at any time and output the results to a KML file, which is what Google Earth accepts:

root@bt:~# giskismet -q "select * from wireless" -o giskismet_demo.kml
Now let's open Google Earth from the BackTrack menu (a how-to for installing it can be found here):

Next go to File > Open and select the .kml file we just created:

Once Google Earth parses your data you will be taken to an aerial view of the area around your capture, which maps out the access points and colour-codes them by encryption:

You can also click on each AP on the map to get more info about it, such as ESSID, BSSID and a few other things. Well, that's it; I hope this helps someone make their wireless reporting a little easier.
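The .netxml to KML step can also be done without GISKismet, which is handy when you only want the map and not a database. The Python script below is an added example, not GISKismet's or Kismet's own code. It parses a constructed Kismet netxml excerpt (element names as Kismet writes them: wireless-network, SSID with encryption and essid children, BSSID, channel, gps-info with peak-lat and peak-lon; the networks and coordinates are invented), drops networks that were never seen with a GPS fix, classifies each as open, WEP or WPA, and writes a KML document with one colour-coded placemark per access point that Google Earth opens via File > Open. Treat the output as client data: it pins their BSSIDs to coordinates.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed Kismet-newcore .netxml excerpt. Element names follow Kismet's netxml
# output; the networks, addresses and coordinates are made up. Network 4 was seen
# without a GPS fix and therefore has no gps-info element.
SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run start-time="Mon Feb 21 08:56:26 2011">
  <wireless-network number="1" type="infrastructure">
    <SSID>
      <encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">OfficeNet</essid>
    </SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <gps-info><peak-lat>33.749000</peak-lat><peak-lon>-84.388000</peak-lon></gps-info>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID><encryption>WEP</encryption><essid cloaked="false">LegacyPrinter</essid></SSID>
    <BSSID>66:77:88:99:AA:BB</BSSID>
    <channel>11</channel>
    <gps-info><peak-lat>33.749500</peak-lat><peak-lon>-84.387500</peak-lon></gps-info>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID><encryption>None</encryption><essid cloaked="false">GuestWiFi</essid></SSID>
    <BSSID>CC:DD:EE:FF:00:11</BSSID>
    <channel>1</channel>
    <gps-info><peak-lat>33.748500</peak-lat><peak-lon>-84.388500</peak-lon></gps-info>
  </wireless-network>
  <wireless-network number="4" type="infrastructure">
    <SSID><encryption>None</encryption><essid cloaked="true"></essid></SSID>
    <BSSID>22:33:44:55:66:77</BSSID>
    <channel>3</channel>
  </wireless-network>
</detection-run>
"""

# KML colours are aabbggrr: red for open, yellow for WEP, green for WPA.
STYLES = {"open": "ff0000ff", "wep": "ff00ffff", "wpa": "ff00ff00"}


def classify(encryptions):
    """Collapse Kismet's encryption strings into the three colour classes."""
    joined = " ".join(encryptions)
    if "WPA" in joined:
        return "wpa"
    if "WEP" in joined:
        return "wep"
    return "open"


def parse_networks(netxml_text):
    """One dict per network that has a GPS fix; networks without gps-info
    cannot be placed on the map and are skipped."""
    root = ET.fromstring(netxml_text)
    networks = []
    for net in root.iter("wireless-network"):
        gps = net.find("gps-info")
        if gps is None:
            continue
        ssids = net.findall("SSID")
        encs = [e.text or "" for s in ssids for e in s.iter("encryption")]
        essid = next((s.findtext("essid") for s in ssids if s.findtext("essid")), "")
        networks.append({
            "bssid": net.findtext("BSSID", ""),
            "essid": essid or "<hidden>",
            "channel": net.findtext("channel", ""),
            "enc": classify(encs),
            "lat": float(gps.findtext("peak-lat")),
            "lon": float(gps.findtext("peak-lon")),
        })
    return networks


def to_kml(networks, name="Wireless recon"):
    """Emit a KML document with one colour-coded Placemark per access point."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>',
             f"<name>{escape(name)}</name>"]
    for style, colour in STYLES.items():
        lines.append(f'<Style id="{style}"><IconStyle><color>{colour}</color></IconStyle></Style>')
    for n in networks:
        desc = escape(f"BSSID {n['bssid']} channel {n['channel']} ({n['enc'].upper()})")
        lines.append("<Placemark>"
                     f"<name>{escape(n['essid'])}</name>"
                     f"<description>{desc}</description>"
                     f"<styleUrl>#{n['enc']}</styleUrl>"
                     f"<Point><coordinates>{n['lon']},{n['lat']},0</coordinates></Point>"
                     "</Placemark>")
    lines.append("</Document></kml>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_kml(parse_networks(SAMPLE_NETXML)))
```

To use it on a real capture, read the Kismet-*.netxml file into a string, pass it to parse_networks, and write the result of to_kml to a .kml file. KML wants longitude before latitude in coordinates, which is the most common mistake when producing these files by hand.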

Thanks to my guru pureh@te for this guide.