CERT Failure Observation Engine (FOE) – Mutational Fuzzing Tool

The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

Note: this software package contains both the source code for the distribution and a binary installer package for Windows. The installer package will attempt to install FOE and all of its dependent software packages on the system. If you wish to evaluate the binary installer, it is highly advisable to do so on a non-enterprise system devoted solely to testing. An ISO image is also available for convenient use within a Windows virtual machine instance.

At the CERT/CC, we have already used the FOE infrastructure to find a number of critical vulnerabilities in products such as Adobe Reader, Flash Player, and Shockwave player; Microsoft Office and Windows; Google Chrome; Oracle Outside In; Autonomy Keyview IDOL; Apple QuickTime; and many others.
Note: Because fuzzing can fill temporary directories, put the target application in an unusable state, or trigger other operating-system-level bugs, we recommend that FOE be used in a virtual machine.


You can download FOE here:
http://www.cert.org/vuls/discovery/foe.html

 Happy Hunting!!!!

Microsoft® EMET third-party GUI

Around this time last year I was working on a contract implementing a service running on a Microsoft® Embedded XP device that required a high level of security. Unfortunately I knew that Embedded XP did not have the SEHOP and ASLR protections of modern operating systems such as Windows® Vista and Microsoft Windows® 7. Because my service was communicating over the WAN it could potentially be vulnerable to zero-day exploits.

The Problem

    I really wanted to use the Enhanced Mitigation Experience Toolkit for providing SEHOP and pseudo-ASLR but unfortunately the EMET graphical interface was implemented with the .NET Framework. This imposed several problems; I had very limited drive space to work with... the operating system was installed on a 512 megabyte Secure Digital (SD) card. The operating system and other various tools consumed most of this space. Also because the device was designated as High-Security I did not want to increase the attack surface by installing the .NET framework. There have been many vulnerabilities found within the .NET framework over the last few years.

The Solution

    I began developing a custom graphical interface for the EMET package. But first there were a few hurdles I would need to overcome. The first problem I encountered was the archaic Application Compatibility Database engine that was being used. I began reverse engineering this beast and it appears to be similar to the old hash-bucket databases we used back in the old Unix days. Somewhat similar to the old ndbm, dbm and gdbm. The problem was that the AppHelp.dll that is distributed with Microsoft Windows® XP is missing many of the functions for creating and writing to the Application Compatibility Database.
    There were a few other issues such as figuring out how the mostly-undocumented Boot Configuration Data (BCD) store is implemented. On operating systems prior to Vista I could simply change a few registry keys and modify the boot.ini but to make my software future proof I would need to support the BCD. 

  I recently added the ability to install and configure EMET on ComputerA and export all of the settings and package all of the binaries into a redistributable package ready for installation on ComputerB. I also wanted to expose more of the EMET internals to the end-user such as heap pre-allocations.

Final Thoughts

    If you are interested in using the third-party graphical interface for the Enhanced Mitigation Experience Toolkit you may download it here.
Download: Native EMET graphical interface

MD5: B8FB870B831954EC6FB6580F72E4AF83
SHA1: 806E50C3A7BF38363E045BD1B5CA42351D40DB3B

    During my research I encountered some absolutely astonishing security issues related to the App Compat engine. I want to make a public call to other security researchers to focus some attention on this area.

thanks to the  David Delaune at www.scatternetwork.com

Stuxnet Review

Just for info maybe it's an old news but Stuxnet still threat all PC in the world especially in industrial.

12 June 2012 | 1,163 views MySQL 1 Liner Hack Gives Root Access Without Password

MySQL 1 Liner Hack Gives Root Access Without Password

The latest news that has hit the streets is the occurence of the easiest hack ever, if you have local shell access (any user privelege level) and you can connect to MySQL – you can get root access to MySQL within a few seconds.
I tried this yesterday on one of my servers on Ubuntu 12.04 running the latest version of MySQL in the repo…and it worked in about 30 seconds. Scary really, you can use this single line of bash to hack MySQL:

while [ 1 ];do mysql -u root --password=123; done

Or the Python version I originally saw:

#!/usr/bin/python
import subprocess

while 1:
        subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()

" Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.
According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted. An attacker only needed to know a legitimate username which in most circumstances included the name ‘root’.
The flaw has already been exploited. Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.
Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw."

 
There’s a lot of vulnerable servers out there, so you better hope they aren’t yours because it’s not hard to scan whole subnets for servers with port 3306 open that accept connections from the outside world.
And if your server is in that state – it’s vulnerable. I just checked the repos for Ubuntu 10.04 LTS and Ubuntu 12.04 LTS and they both have a patched version of MySQL available for download so I suggest you get on your servers and do -

 aptitude update; aptitude safe-ugprade

 if you are using a shitty OS that uses yum or something – figure it out yourself.

"Affected versions, listed below, require for memcmp() to return an arbitrary integer outside of the range -128 to 127. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 were vulnerable, Golubchik said.
Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora. Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.
A list of accessible MySQL servers found 356,000 deployments running versions of 5.0.x, followed by 285,000 running 5.1.x, and 134,436 running 5.5.x. Another list of MySQL build flavours revealed 43,900 running Ubuntu, 6408 on Debian, and 98,665 on Windows."

Honestly I find that this is a really serious vulnerability, but has a pretty low risk profile. It will only work in cases of badly configured MySQL users where they accept connections from any IP address – user@% type entries in the user table.
NO ONE should be running root@% – so that would mean the attacker would need local shell access. And well if they have that, it’s pretty much game over anyway.

This vulnerability is notated as CVE-2012-2122.
Source: SC Magazine

TQ darknet.org.uk for this info

Patator – Multi Purpose Brute Forcing Tool

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

• They either do not work or are not reliable (false negatives several times in the past)
• They are slow (not multi-threaded or not testing multiple passwords within the same TCP connection)
• They lack very useful features that are easy to code in python (eg. interactive runtime)

Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script because Patator will allow you to:

• Not write the same code over and over
• Run multi-threaded
• Benefit for useful features such as the interactive runtime commands, response logging, etc.

Currently it supports the following modules:

• ftp_login : Brute-force FTP
• ssh_login : Brute-force SSH
• telnet_login : Brute-force Telnet
• smtp_login : Brute-force SMTP
• smtp_vrfy : Enumerate valid users using the SMTP VRFY command
• smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
• http_fuzz : Brute-force HTTP/HTTPS
• pop_passd : Brute-force poppassd (not POP3)
• ldap_login : Brute-force LDAP
• smb_login : Brute-force SMB
• mssql_login : Brute-force MSSQL
• oracle_login : Brute-force Oracle
• mysql_login : Brute-force MySQL
• pgsql_login : Brute-force PostgreSQL
• vnc_login : Brute-force VNC
• dns_forward : Forward lookup subdomains
• dns_reverse : Reverse lookup subnets
• snmp_login : Brute-force SNMPv1/2 and SNMPv3
• unzip_pass : Brute-force the password of encrypted ZIP files
• keystore_pass : Brute-force the password of Java keystore files

The name “Patator” comes from this tv interview clip – patator
Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking me how to use this tool..
You can download Patator v0.3 here:
patator_v0.3.py

for more detail read more here.

from Darknet.org

Fast and Full-Featured SSL Configuration Scanner - SSLYZE

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news headlines, bringing attention to weak configurations, and the need to avoid them. Additionally, server misconfiguration has always greatly increased the overhead caused by SSL, slowing the transition to improved communications security.
To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.
SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.
Features

• Insecure renegotiation testing
• Scanning for weak strength ciphers
• Checking for SSLv2, SSLv3 and TLSv1 versions
• Server certificate information dump and basic validation
• Session resumption capabilities and actual resumption rate measurement
• Support for client certificate authentication
• Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help user’s identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can read here.
You can download sslyze here:
sslyze-0.3_src.zip


from Darknet

for more detail click here : SSLYZE

Researcher: DEP Would Have Stopped Exploit Used In RSA Breach

New research dissecting the initial exploit and malware used in the attack against RSA concludes that Windows' Data Execution Prevention (DEP) would have halted the attack if the victims were on Windows 7 machines.
DEP, which is built into Windows 7 and is available for Vista and XP SP2, would have stopped the exploit in its tracks, says Rodrigo Rubira Branco, director of Qualys' Vulnerability & Malware Research Labs, who tested the exploit and published his results today. He says it appears that the EMC RSA victims were running XP and did not have DEP enabled on their systems.

"The victims were using Windows XP, which is DEP-capable since SP2. I know that for sure because the exploit won't work against Windows 7 due to limitations in the exploit code itself," Branco says. "In this specific case, it was possible to change the exploit to work against DEP, but the exploit has been likely reused from another target. Having DEP on would prevent the exploitation.

"We can't say that the attacker would not change the exploit and try again, but it clearly was going to give more time to the defense to detect the attack and mitigate its effects."

Researchers have demonstrated bypassing DEP in older versions of Windows. Branco says the exploit demonstrates how even using patched, older technologies can leave an organization vulnerable. "If you use old technologies, even when they are patched, they are more exposed since the prevention mechanisms are not there, and when they are, they are easily bypassed," he says.

Branco, who published his new research today in a blog post, says digging into the original phishing email and rigged Excel attachment helped confirm the theory that the attackers wanted access to U.S. military contractors, not RSA itself.


RSA has said publicly that its breach was a means to an end for the attackers. "We were a path to try to attack other organizations," says Eddie Schwartz, CSO for EMC RSA. "That was very clear just based on other things we've subsequently learned from the attack."

And F-Secure, which was the first to find the RSA email on VirusTotal, believes the attackers needed RSA SecurID tokens to get into Lockheed-Martin and Northrop Grumman.

EMC RSA's Schwartz says Branco's in-depth analysis of a targeted attack can help organizations in their own environments. "The way it describes the different stages of an exploit and how these types of attacks work and the risks associated with them" is helpful, Schwartz says.

"If you start to look and say, 'Here's how an attack like this begins,' you can start mapping it to other attacks you've seen and understand how it fits into the different portions of the 'kill chain' of the attack," he says. "After you experience this kind of attack, you become more sensitive to certain types … of indicators of compromise" and can begin to piece together potential targeted attacks as they emerge.

The spreadsheet used to infect EMC RSA users contained an embedded Flash object with an Adobe Flash Player zero-day exploit. When triggered, the exploit installed the Poison Ivy remote administrative tool, which is known for keylogging, scanning, and data exfiltration, among other things.

Still unclear is how the attackers chose their targets for the emails, and just how much intelligence they had about RSA's systems, if at all. "Did the attacker have all the information previously -- so, he knew RSA was using Windows XP, without DEP -- or did he just try to see if it works? This actually tells a lot about the sophistication of the attack," Qualys' Branco says.

Mikko Hypponen, chief research officer at F-Secure, said in his April post that the email used in the attack was simple, but the exploit was not. "And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated," he wrote.


Even so, the key steps to protecting against this attack would be patching, which Branco says RSA likely did, and running the latest data protection mechanisms, like DEP. Another key would be understanding the weakest points in the chain of access to the most valuable data, he says. "I mean, the target will always be the easiest one to target, like HR people, in this case. How the attack spread horizontally in the organization until it compromised really critical customer data is not really clear," he says.

And just how the attackers got to the SecurID servers remains a mystery, he says.

While some security experts have criticized RSA for keeping mum on many details surrounding the attack, Branco lauded RSA's openness. "RSA was very open regarding the attack, and this demonstrates a great level of maturity from their side. I wish we had more and more companies openly discussing the issues so everybody in the community could benefit and learn the hard lessons," he says.

from DarkReading

WebSurgery – Web Application Security Testing Suite

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with the web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Brute forcer, Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injection, Cross site scripting (XSS), Brute force for login forms, identification of firewall-filtered rules, DOS Attacks and WEB Proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.

WEB Crawler

WEB Crawler was designed to be fast, accurate, stable, completely parametrable and the use of advanced techniques to extract links from Javascript and HTML Tags. It works with parametrable timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rules parameters to prevent infinitive loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters). It is also possible to apply custom headers (user agent, cookies etc) and Include/Exclude Filters. WEB Crawler come with an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.

WEB Bruteforcer

WEB Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. It is also multi-threaded and completely parametrable for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).

By default, it will brute force from root / base dir recursively for both files and directories. It sends both HEAD and GET requests when it needs it (HEAD to identify if the file/dir exists and then GET to retrieve the full response).

WEB Fuzzer

WEB Fuzzer is a more advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such (blind) SQL Inections and more unsual ways such identifing improper input handling, firewall/filtering rules, DOS Attacks.

WEB Editor

A simple WEB Editor to send individual requests. It also contains a HEX Editor for more advanced requests.

WEB Proxy

WEB Proxy is a proxy server running locally and will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or other application which support proxies.
You can download WebSurgery here:

Setup – setup.msi

Portable – websurgery.zip Or read more here.

Vega – Open Source Cross Platform Web-Application Security Assessment Platform

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.

Features

• Automated Crawler and Vulnerability Scanner
• Consistent UI
• Website Crawler
• Intercepting Proxy
• SSL MITM
• Content Analysis
• Extensibility through a Powerful Javascript Module API
• Customizable alerts
• Database and Shared Data Model

There are also modules for:

• Cross Site Scripting (XSS)
• SQL Injection
• Directory Traversal
• URL Injection
• Error Detection
• File Uploads
• Sensitive Data Discovery

There is documentation for getting started here or check out the intro to the Vega Proxy here.

You can download Vega here:
Windows – 32-bit/64-bit

Linux – 32-bit/64-bit
Or read more here.

June 2011: four Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published four important vulnerability advisories:

• Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
• Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series
• Default Credentials Vulnerability in Cisco Network Registrar
• Default Credentials for root Account on the Cisco Media Experience Engine 5600

Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client


The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by the following vulnerabilities:

• Arbitrary Program Execution Vulnerability
• Local Privilege Escalation Vulnerability

Vulnerable Products

The vulnerabilities described in this document apply to the Cisco AnyConnect Secure Mobility Client. The affected versions are included in the following table:

• Arbitrary Program Execution Vulnerability
  
  • Microsoft Windows: All versions prior to 2.3.185
  • Linux, Apple MacOS X: All versions in major releases other than 2.5.x and 3.0.x. /2.5.x releases prior to 2.5.3041 / 3.0.x releases prior to 3.0.629
• Local Privilege Escalation Vulnerability
  
  • Microsoft Windows: All versions prior to 2.3.254
  • Linux, Apple MacOS X: Not affected

Details

The Cisco AnyConnect Secure Mobility Client is the Cisco next-generation VPN client, which provides remote users with secure IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.

The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:

• Arbitrary Program Execution Vulnerability
• Additional Considerations for the Arbitrary Program Execution Vulnerability
• Local Privilege Escalation Vulnerability

Impact

• Arbitrary Program Execution Vulnerability: Exploitation of this vulnerability may allow an attacker to execute arbitrary programs on the computer of a Cisco AnyConnect Secure Mobility Client user with the privileges of the user who is establishing the VPN connection.
• Local Privilege Escalation Vulnerability: Successful exploitation of this vulnerability may allow users with physical access to a computer that is running the Cisco AnyConnect Secure Mobility Client to elevate their privileges and gain full control of the system.

Link: http://www.cisco.com/…/advisory09186a0080b80123.shtml
Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series

Cisco Unified IP Phones 7900 Series devices, also known as TNP phones, are affected by three vulnerabilities that could allow an attacker to elevate privileges, change phone configurations, disclose sensitive information, or load unsigned software. These three vulnerabilities are classified as two privilege escalation vulnerabilities and one signature bypass vulnerability.
Vulnerable Products

Refer to the following link to determine what product upgrade and substitution options are available: http://www.cisco.com/…/prod_eol_notices_list.html
Details

Cisco Unified IP Phones 7900 Series devices are affected by two privilege escalation vulnerabilities and a signature bypass vulnerability. The following sections provide the details of each vulnerability addressed in this security advisory.

• Privilege Escalation Vulnerabilities: Cisco Unified IP Phones 7900 Series devices are affected by two privilege escalation vulnerabilities that could allow an authenticated attacker to make unauthorized phone configuration changes or obtain potentially sensitive information.
• Signature Verification Bypass Vulnerability: Cisco Unified IP Phones 7900 Series devices are affected by a signature verification bypass vulnerability that could allow an authenticated attacker to load a software image without verification of its signature.

Impact

Successful exploitation of the two privilege escalation vulnerabilities could allow an authenticated attacker to change phone configuration and obtain system information. Successful exploitation of the signature verification bypass vulnerability that could allow an authenticated attacker to load and execute a software image without verification of its signature.
Link: http://www.cisco.com/…/advisory09186a0080b80111.shtml
Default Credentials Vulnerability in Cisco Network Registrar

Cisco Network Registrar Software Releases prior to 7.2 contain a default password for the administrative account. During the initial installation, users are not forced to change this password, allowing it to persist after the installation. An attacker who is aware of this vulnerability could authenticate with administrative privileges and arbitrarily change the configuration of Cisco Network Registrar.

Vulnerable Products

This vulnerability affects all releases of Cisco Network Registrar prior to Software Release 7.2. The vulnerability is present in the affected releases on all platforms.
Details

Cisco Network Registrar provides highly scalable and reliable DNS, DHCP, and TFTP services. The central management capabilities of Cisco Network Registrar simplify administrative tasks associated with network and device configuration.
Impact

Successful exploitation of the vulnerability may allow an attacker to make arbitrary changes to the configuration of Cisco Network Registrar.
Link: http://www.cisco.com/…/advisory09186a0080b80121.shtml
Default Credentials for root Account on the Cisco Media Experience Engine 5600


Cisco Media Experience Engine (MXE) 5600 devices that are running Cisco Media Processing Software releases prior to 1.2 ship with a root administrator account that is enabled by default with a default password. An unauthorized user could use this account to modify the software configuration and operating system settings or gain complete administrative control of the device. A software upgrade is not required to resolve this vulnerability. Customers can change the root account password by issuing a configuration command on affected engines. The workarounds detailed in this document provide instructions for changing the root account password.
Vulnerable Products

This vulnerability affects Cisco MXE 5600 units that are running Cisco Media Processing Software releases prior to 1.2. To determine the software release that is running on a Cisco MXE unit, log in to the device and issue the show version command-line interface (CLI) command to display the system banner
Details

The Cisco Media Experience Engine (MXE) 5600 is a modular media-processing platform that provides advanced media-processing and media-transformation services.
Impact

Successful exploitation of the vulnerability may allow an unauthorized user to modify the software configuration and the operating system settings or gain complete administrative control of the device.
Link: http://www.cisco.com/…/advisory09186a0080b80122.shtml

sslsnoop v0.6 – Dump Live Session Keys From SSH & Decrypt Traffic On The Fly

sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.

1. Works if scapy doesn’t drop packets. using pcap instead of SOCK_RAW helps a lot now.
2. Works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
3. Dumps one file by fd in outputs/
4. Attaching a process is quickier with –addr 0xb788aa98 as provided by haystack INFO:abouchet:found instance @ 0xb788aa98
5. how to get a pickled session_state file : $ sudo haystack –pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled

Not all ciphers are implemented.
Workings ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc

Partially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc

Non workings ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280
It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).

You can download sslsnoop here:
trolldbois-sslsnoop.zip

HOWTO:
------
  $ sudo easy_install sslsnoop
  $ mkdir outputs

You really have to. Please.
  
  $ sudo sslsnoop    # try ssh, sshd and ssh-agent... for various things
  $ sudo sslsnoop-openssh live `pgrep ssh`       # dumps SSH decrypted traffic in outputs/
  $ sudo sslsnoop-openssh offline --help         # dumps SSH decrypted traffic in outputs/ from a pcap file
  $ sudo sslsnoop-openssl `pgrep ssh-agent` # dumps RSA and DSA keys

and go and check outputs/.

hints :
-------
a) works if scapy doesn't drop packets. using pcap instead of SOCK_RAW  helps a lot now.
b) works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
c) Dumps one file by fd in outputs/
d) Attaching a process is quickier with --addr 0xb788aa98 as provided by haystack
    INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98
e) how to get a pickled session_state file :
  $ sudo haystack --pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled


not so FAQ :
============

What does it do, really ?:
--------------------------
It dumps live session keys from an openssh , and decrypts the traffic on the fly.
Not all ciphers are implemented. 

Workings ciphers : aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc,  aes192-cbc, aes256-cbc
Non workings ciphers : 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280

It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).

How do it knows that the structures is valid ? :
------------------------------------------------
You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.

Yeah, but you have to be root, so what's the use ? :
----------------------------------------------------
Monitoring ssh traffic on honeypots ?
Monitoring encrypted traffic on honeypots ?
Monitoring encrypted traffic on ... somewhere your are root ?

It does not work on my openssh ? :
-----------------------------------
tested on OpenSSH 5.5.
Should work on most recent version.. I didn't check for structure modification. but that would explain a lot.
It work really good on intereactive session with no traffic at the time of execution. (clean cipher state in memory)
It can work on a busy ssh stream, *IF* a) the cipher state is clean, b) scapy doesn't loose packets (CPU ?).
-> yeah the GIL really sucks

How can i decrypt a pcap file ? :
----------------------------------
Use the offline mode.
 
Where does the idea comes from ? :
-----------------------------------
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr  to get keys
use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html  
 or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun ? but we need IP reassembly . 
pynids could be more useful...
dsniff is now in python ?
flowgrep
use python.


What are the dependencies ? :
----------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap ( recommended for perf issues )
paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]
python-psutil 

Conclusion :
------------
poc done.
Next, `pgrep firefox`. 


Biblio
-------

Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html

Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py

python-ptrace ( hey, haypo again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation

from ptrace.debugger.memory_mapping import readProcessMappings

openssl.py is passe-partout.py - OK - 04/03/2011

OpenSSH, testing ciphers
========================
     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of preference.  Multiple ciphers must be comma-separated.  The supported ciphers
             are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
             “blowfish-cbc”, and “cast128-cbc”.  The default is:

                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                aes256-cbc,arcfour

force one :

ssh -c aes192-ctr log@host


firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20   => sur la stack

INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....

4894720


Architecture
============


openssh creates a OpenSSHLiveDecryptatator which inherits a OpenSSHKeysFinder
OpenSSHLiveDecryptatator :
 * connects to/launch a network.Sniffer. (scapy)
 * OpenSSHKeysFinder calls haystack to fetch the session_state
   - memory capture/ptrace is done in a subprocess
   - target process is not under ptrace anymore when openssh runs. 
   - keys are acquired
 * SessionCiphers are created from pickled values from haystack
   - one for inbound traffic
   - one for outbound traffic
 * each SessionCipher is coupled with :
   - a socket given by a TCPStream ( Inbound and Outbound TCPstate)
   - a paramiko Packetizer which is a ssh protocol handler.
 * a cipher engine is used by the paramiko.Packetizer to decrypt data from the TCPStream socket
 * the Packetizer uses :
   - the socket to read it's data from the 'network'.
   - the cipher to decrypt the data
 * a SSHStreamToFile is created for each stream and is given the packetizer and the overall context ( cipher, socket )
   - the SSHStreamToFile try to process the packetizer's outputs into a file.
 * a Supervisor is created to handle traffic ( select on socket )
   - both SSHStreamToFile are given to the Supervisor with their respective socket


TODO:

SSHStream uses the packets is orderedQueue and the cipher, to try to find a SSH packet
 - algo 1 : copy original cipher state, decrypt first block of packet [0], 
              if not valid, drop packet and loop to next one (for x packets) 
              if valid, switch to go-trough mode and queue current + all packets data to socket 

 - algo 2 : try to find a valid packet, block per block/long by long
              if valid, switch to go-trough mode and queue current + all packets data to socket 

Or read more here.

The RSA Hack: How They Did It

The hack last month at RSA Security has been shrouded in mystery.
How did a hacker manage to infiltrate one of the world’s top computer-security companies? And could the data that was stolen be used to impair its SecurID products, which are used by 40 million businesses that are trying to keep their own networks safe from intruders?
The division of the EMC Corporation is staying mum about what exactly was stolen from its computer systems, aside from that it was data related to SecurID.
But on Friday RSA shed some light on the nature of the attack. In a blog post titled “Anatomy of an Attack,” the company’s head of new technologies, Uri Rivner, described a three-stage operation that was similar to several other recent prominent attacks on technology companies, including a 2009 attack on Google that it said originated in China.

In the attack on RSA, the attacker sent “phishing” e-mails with the subject line “2011 Recruitment Plan” to two small groups of employees over the course of two days. Unfortunately, one was interested enough to retrieve one of these messages from his or her junk mail and open the attached Excel file. The spreadsheet contained malware that used a previously unknown, or “zero-day,” flaw in Adobe’s Flash software to install a backdoor. RSA said that Adobe had since released a patch to fix that hole.
After installing a stealthy tool that allowed the hacker to control the machine from afar, he stole several account passwords belonging to the employee and used them to gain entry into other systems, where he could gain access to other employees with access to sensitive data, Mr. Rivner said.
Then came stage three: spiriting RSA files out of the company to a hacked machine at a hosting provider, and then on to the hacker himself.
The attacker left few traces. But an unclassified document from the United States Computer Emergency Readiness Team (US-CERT) obtained by the blogger Brian Krebs revealed three Web addresses used in the intrusion, one of which includes the letters “PRC,” which could refer to the People’s Republic of China — or it could be a ruse.
According to Mr. Rivner, it’s difficult for companies with the world’s most sophisticated defenses to stop this newfangled “advanced persistent threats,” which are made potent by the combination of low-tech “social-engineering” cons and a high-tech zero-day attack that antivirus software won’t recognize.
That RSA detected the attack in progress was a victory, he argued. Many other companies hit by similar attacks “either detected the attacks after months, or didn’t detect them at all and learned about it from the government,” he said. “As an industry, we have to act fast and develop a new defense doctrine; the happy days of good old hacking are gone, and gone too are the old defense paradigms.”
But some security experts ridiculed the notion that the attack was sophisticated. Jeremiah Grossman, founder of WhiteHat Security, posted on Twitter: “I can’t tell if this RSA APT blog post is actually being serious or an April 1st gag. The content is absurd either way.”

USB autorun attacks against Linux

Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS - including the addition of features that can allow Autorun attacks.

This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things.


Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not.


The talk concludes with steps that Linux vendors and end-users can take to protect systems from this threat to head off a wave of Linux Autorun malware.

Sectool Security Audit & IDS

Security audit tool

Sectool is a security tool that can be used both as a security audit as well as a part of an intrusion detection system. It consists of set of tests, library and textual/graphical frontend. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

Download

Tar archive:

• sectool-0.9.5.tar.bz2
  

Anonymous access of development version at:

$ git clone git://git.fedorahosted.org/git/sectool.git/ sectool 

Or the web interface:

• http://git.fedorahosted.org/git/sectool.git/
  

Screenshots

• GUI - screenshot1
  
• GUI - screenshot2
  

Help wanted

We are open to all new ideas, comments and features requests. If there is something on your mind, please send us email

• sectool-list@redhat.com
  

and we try to get you fast response. To subscribe to the list, visit

• https://www.redhat.com/mailman/listinfo/sectool-list.
  

If you write your own tests or just have an idea, what should be checked, inform us. We can implement and include it in next release. There is a list of existing and planed tests for this purpose. See

• Wish list
  

Documentation

• User documentation
  
• Create your own test in bash
  
• Create your own test in python
  
• Developer documentation
  
• Why sectool?
  

Authors

• Jakub Hrozek <jhrozek@redhat.com> - the backend, TUI, few tests
  
  
• Michel Samia <msamia@redhat.com> - lots of tests
  
• Dan Kopecek <dkopecek@redhat.com> - lots of tests
  
• Maros Barabas <mbarabas@redhat.com> - GUI, few tests
  
• Peter Vrabec <pvrabec@redhat.com> - Master of ceremony
  

Translators

Feel free to submit your translation via Transifex at:

• https://translate.fedoraproject.org/projects/sectool/master
  

Similar projects

• Debian's checksecurity
  
• Mandriva's msec
  
• SuSE's seccheck
  
• OpenBSD's security script
  
• Tiger
  
• Security Blanket (commercial)
  
• Lynis
  

Attachments

• sectool-gui.png (117.9 kB) -Screenshot of secTool, added by mbarabas on 03/11/08 12:46:24.
• sectool-gui-1.png (72.4 kB) -Screenshot of secTool, added by mbarabas on 03/11/08 12:48:45.
• sectool-logo.gif (6.3 kB) - added by pvrabec on 04/28/08 14:58:13.
• sectool1.png (89.8 kB) -Screenshot of sectool GUI, added by mbarabas on 07/09/08 11:36:50.
• sectool2.png (93.7 kB) -Screenshot of sectool GUI, added by mbarabas on 07/09/08 11:37:04.

Download in other formats:

• Plain Text

Security Info and Guide

This is an OLD post from my R.I.P Wordpress blog but i like the link of  that post. Ok here it is....!!!

Awareness and Training Awareity MOAT
www.awareity.com
Birch Systems Privacy Posters
www.privacyposters.com
Greenidea Visible Statement
www.greenidea.com
Interpact, Inc. Awareness Resources
www.thesecurityawarenesscompany.com
NIST resources
http://csrc.nist.gov/ATE
SANS Security Awareness Program
www.sans.org/awareness/awareness.php
Security Awareness, Inc. Awareness Resources
www.securityawareness.com
Bluetooth BlueScanner
www.networkchemistry.com/products/bluescanner.php
Bluesnarfer
www.alighieri.org/tools/bluesnarfer.tar.gz
BlueSniper rifle
www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt
Blooover
http://trifinite.org/trifinite_stuff_blooover.html
Bluejacking community site
www.bluejackq.com
Detailed presentation on the various Bluetooth attacks
http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf
NIST Special Publication 800-48
http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
Certifications Certified Ethical Hacker
www.eccouncil.org/CEH.htm
Dictionary Files and Word Lists ftp://ftp.cerias.purdue.edu/pub/dictftp://ftp.ox.ac.uk/pub/wordlists
http://packetstormsecurity.nl/Crackers/wordlists
www.outpost9.com/files/WordLists.html
Default vendor passwords
www.cirt.net/cgi-bin/passwd.pl
Exploit Tools CORE IMPACT
www.coresecurity.com
Metasploit
www.metasploit.com/projects/Framework
General Research Tools AfriNIC
www.afrinic.net
APNIC
www.apnic.net
ARIN
www.arin.net/whois/index.html
CERT/CC Vulnerability Notes Database
www.kb.cert.org/vuls
ChoicePoint
www.choicepoint.com
Common Vulnerabilities and Exposures
http://cve.mitre.org/cve
DNSstuff.com
www.DNSstuff.com
Google
www.google.com
Government domains
www.dotgov.gov
Hoover’s business information
www.hoovers.com
LACNIC
www.lacnic.net
Military domains
www.nic.mil/dodnic
NIST National Vulnerability Database
http://nvd.nist.gov/
RIPE Network Coordination Centre
www.ripe.net/whois
Sam Spade
www.samspade.org
SecurityTracker
http://securitytracker.com/
Switchboard.com
www.switchboard.com
U.S. Patent and Trademark Office
www.uspto.gov
U.S. Search.com
www.ussearch.com
U.S. Securities and Exchange Commission
www.sec.gov/edgar.shtml
Whois.org
www.whois.org
Yahoo! Finance site
http://finance.yahoo.com/
Hacker Stuff 2600 @@md The Hacker Quarterly magazine
www.2600.com
Blacklisted 411
www.blacklisted411.net
Computer Underground Digest
www.soci.niu.edu/~cudigest
Hacker T-shirts, equipment, and other trinkets
www.thinkgeek.com
Honeypots: Tracking Hackers
www.tracking-hackers.com
The Online Hacker Jargon File
www.jargon.8hz.com
PHRACK
www.phrack.org
Linux Amap
http://packages.debian.org/unstable/net/amap
Bastille Linux Hardening Program
www.bastille-linux.org
BackTrack
www.remote-exploit.org/index.php/BackTrack
Comprehensive listing of live bootable Linux toolkits
www.frozentech.com/content/livecd.php
Debian Linux Security Alerts
www.debian.org/security
Linux Administrator’s Security Guide
www.seifried.org/lasg
Linux Kernel Updates
www.linuxhq.com
Linux Security Auditing Tool (LSAT)
http://usat.sourceforge.net/
Metasploit
www.metasploit.com
Network Security Toolkit
www.networksecuritytoolkit.org
Red Hat Linux Security Alerts
www.redhat.com/securityupdates
Security Tools Distribution
http://s-t-d.org/
Slackware Linux Security Advisories
www.slackware.com/security
SUSE Linux Security Alerts
www.suse.com/us/business/security.html
Tiger
ftp://ftp.debian.org/debian/pool/main/t/tiger
VLAD the Scanner
www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/vlad.cfm
Log Analysis ArcSight Enterprise Security Manager
www.arcsight.com/product.htm
GFI LANguard Security Event Log Monitor
www.gfi.com/lanselm
Internet Security Systems Managed Services
www.iss.net/products_services/managed_services
LogAnalysis.org system logging resources
www.loganalysis.org
Malware chkrootkit
www.chkrootkit.org
EICAR Anti-Virus test file
www.eicar.org/anti_virus_test_file.htm
The File Extension Source
http://filext.com/
McAfee AVERT Stinger
http://vil.nai.com/vil/stinger
Rkdet
http://vancouver-webpages.com/rkdet
Wotsit’s Format
www.wotsit.org
Messaging Abuse.net SMTP relay checker
www.abuse.net/relay.html
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
Cain and Abel
www.oxid.it/cain.html
DNSstuff.com relay checker
www.dnsstuff.com
GFI e-mail security test
www.gfi.com/emailsecuritytest
How to disable SMTP relay on various e-mail servers
www.mail-abuse.com/an_sec3rdparty.html
mailsnarf
www.monkey.org/~dugsong/dsniff or
www.datanerds.net/~mike/dsniff.html for the Windows version
Sam Spade for Windows
www.samspade.org/ssw
smtpscan
www.greyhats.org/?smtpscan
NetWare Adrem Freecon
www.adremsoft.com
Craig Johnson’s BorderManager resources
http://nscsysop.hypermart.net/
JRB Software
www.jrbsoftware.com
NCPQuery
www.bindview.com/resources/razor/files/ncpquery-1.2.tar.gz
NetServerMon
www.simonsware.com/Products.shtml
Novell Product Updates
http://support.novell.com/filefinder
Pandora
www.nmrc.org/project/pandora
Rcon program
http://packetstormsecurity.nl/Netware/penetration/rcon.zip
Remote
www.securityfocus.com/data/vulnerabilities/exploits/Remote.zip
UserDump
www.hammerofgod.com/download/userdump.zip
Networks Cain and Abel
www.oxid.it/cain.html
CommView
www.tamos.com/products/commview
dsniff
www.monkey.org/~dugsong/dsniff
Essential NetTools
www.tamos.com/products/nettools
Ethereal network analyzer
www.ethereal.com
EtherPeek
www.wildpackets.com/products/etherpeek/overview
ettercap
http://ettercap.sourceforge.net/
Firewalk
www.packetfactory.net/firewalk
Getif
www.wtcs.org/snmp4tpc/getif.htm
GFI LANguard Network Scanner
www.gfi.com/lannetscan
GNU MAC Changer
www.alobbs.com/macchanger
IETF RFCs
www.rfc-editor.org/rfcxx00.html
LanHound
www.sunbelt-software.com/LanHound.cfm
MAC address vendor lookup
http://standards.ieee.org/regauth/oui/index.shtml
Nessus vulnerability scanner
www.nessus.org
Netcat
www.vulnwatch.org/netcat/nc111nt.zip
NetScanTools Pro all-in-one network testing tool
www.netscantools.com
Nmap port scanner
www.insecure.org/nmap
NMapWin
http://sourceforge.net/projects/nmapwin
Port number listing
www.iana.org/assignments/port-numbers
Port number lookup
www.cotse.com/cgi-bin/port.cgi
QualysGuard vulnerability assessment tool
www.qualys.com
SNMPUTIL
www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip
Sunbelt Network Security Inspector
www.sunbelt-software.com/SunbeltNetworkSecurityInspector.cfm
SuperScan port scanner
www.foundstone.com/resources/proddesc/superscan.htm
TrafficIQ Pro
www.karalon.com
WhatIsMyIP
www.whatismyip.com
Password Cracking BIOS passwords
http://labmice.techtarget.com/articles/BIOS_hack.htm
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
Cain and Abel
www.oxid.it/cain.html
Chknull
www.phreak.org/archives/exploits/novell/chknull.zip
Crack
ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack
Elcomsoft Distributed Password Recovery
www.elcomsoft.com/edpr.html
John the Ripper
www.openwall.com/john
Ophcrack
www.objectif-securite.ch/ophcrack
Proactive Password Auditor
www.elcomsoft.com/ppa.html
Proactive System Password Recovery
www.elcomsoft.com/pspr.html
pwdump3
www.openwall.com/passwords/dl/pwdump/pwdump3v2.zip
NetBIOS Auditing Tool
www.securityfocus.com/tools/543
NTAccess
www.mirider.com/ntaccess.html
RainbowCrack
www.antsight.com/zsl/rainbowcrack
RainbowCrack-Online
www.rainbowcrack-online.com
Rainbow tables
http://rainbowtables.shmoo.com/
TSGrinder
www.hammerofgod.com/download/tsgrinder-2.03.zip
WinHex
www.winhex.com
Patch Management BigFix Enterprise Suite Patch Management
www.bigfix.com/products/patch.html
Ecora Patch Manager
www.ecora.com/ecora/products/patchmanager.asp
GFI LANguard Network Security Scanner
www.gfi.com/lannetscan
HFNetChkPro from Shavlik Technologies
www.shavlik.com/product_cat_patch_mang.aspx
Patch Authority Plus
www.scriptlogic.com/products/patchauthorityplus
PatchLink
www.patchlink.com
SysUpdate
www.securityprofiling.com
UpdateEXPERT from St. Bernard Software
www.stbernard.com/products/updateexpert/products_updateexpert.asp
Windows Server Update Services from Microsoft
www.microsoft.com/windowsserversystem/updateservices/default.mspx
Source Code Analysis Compuware
www.compuware.com/products/devpartner/securitychecker.htm
Fortify Software
www.fortifysoftware.com
Klocwork
www.klocwork.com
Ounce Labs
www.ouncelabs.com
SPI Dynamics
www.spidynamics.com/products/devinspect/index.html
Security Standards Center for Internet Security’s Benchmarks/Scoring Tools
www.cisecurity.org
NIST Special Publications
http://csrc.nist.gov/publications/nistpubs/index.html
Open Source Security Testing Methodology Manual
www.isecom.org/osstmm
SANS Step-by-Step Guides
http://store.sans.org/
Security Education Kevin Beaver’s Security on Wheels podcasts and information security training resources
www.securityonwheels.com
Privacy Rights Clearinghouse’s Chronology of Data Breaches Reported Since the ChoicePoint Incident
www.privacyrights.org/ar/ChronDataBreaches.htm
Storage CHAP Password Tester
www.isecpartners.com/tools.html#CPT
CIFSShareBF
www.isecpartners.com/SecuringStorage/CIFShareBF.zip
GrabiQNs
www.isecpartners.com/SecuringStorage/GrabiQNs.zip
NASanon
www.isecpartners.com/SecuringStorage/NASanon.zip
StorScan
www.isecpartners.com/tools.html#StorScan
Risk Analysis and Threat Modeling SecureITree
www.amenaza.com
Software Engineering Institute’s OCTAVE methodology
www.cert.org/octave
Voice over IP Cain and Abel
www.oxid.it/cain.html
NIST’s SP800-58 document
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
PROTOS
www.ee.oulu.fi/research/ouspg/protos
SearchVoIP.com
http://searchvoip.techtarget.com/
SIP Forum Test Framework
www.sipfoundry.org/sftf/index.html
sipsak
http://sipsak.org/
SiVuS
www.vopsecurity.org/html/tools.html
vomit
http://vomit.xtdnet.nl/
War Dialing Sandstorm Enterprises PhoneSweep
www.sandstorm.net/products/phonesweep
Sandstorm Enterprises Sandtrap wardialing honepot
www.sandstorm.net/products/sandtrap
THC-Scan
http://packetstormsecurity.org/groups/thc/thc-ts201.zip
ToneLoc
www.securityfocus.com/data/tools/auditing/pstn/tl110.zip
Web Applications and Databases 2600’s Hacked Pages
www.2600.com/hacked_pages
Acunetix Web Vulnerability Scanner
www.acunetix.com
AppDetective
www.appsecinc.com/products/appdetective
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
HTTrack Website Copier
www.httrack.com
Foundstone’s Hacme Tools
http://www.foundstone.com/resources/s3i_tools.htm
Google Hacking Database
http://johnny.ihackstuff.com/index.php?module=prodreviews
Netcraft
www.netcraft.com
NGSSquirrel
www.ngssoftware.com/software.htm
N-Stealth Security Scanner
www.nstalker.com/eng/products/nstealth
Paros Proxy
www.parosproxy.org
Pete Finnigan’s listing of Oracle scanning tools
www.petefinnigan.com/tools.htm
Port 80 Software’s ServerMask
www.port80software.com/products/servermask
Port 80 Software’s Custom Error
www.port80software.com/products/customerror
SiteDigger
www.foundstone.com/resources/proddesc/sitedigger.htm
SQLPing2 and SQLRecon
www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
WebInspect
www.spidynamics.com/products/webinspect/index.html
WebGoat
www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Windows CORE IMPACT
www.coresecurity.com
DumpSec
www.somarsoft.com
Effective File Search
www.sowsoft.com/search.htm
FileLocator Pro
www.mythicsoft.com/filelocatorpro
Legion
http://packetstormsecurity.nl/groups/rhino9/legionv21.zip
Metasploit
www.metasploit.com
Microsoft Baseline Security Analyzer
www.microsoft.com/technet/security/tools/mbsahome.mspx
Microsoft TechNet Security Center
www.microsoft.com/technet/security/Default.asp
Network Users
www.optimumx.com/download/netusers.zip
Rpcdump
www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm
SMAC MAC address changer
www.klcconsulting.net/smac
Vision
www.foundstone.com/knowledge/proddesc/vision.html
Walksam
www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm
Winfo
www.ntsecurity.nu/toolbox/winfo
Wireless Networks Aircrack
http://freshmeat.net/projects/aircrack
AirMagnet Laptop Analyzer
www.airmagnet.com/products/laptop.htm
AiroPeek SE
www.wildpackets.com/products/airopeek/airopeek_se/overview
AirSnort
http://airsnort.shmoo.com/
Cantenna war-driving kit
http://mywebpages.comcast.net/hughpep
CommView for Wi-Fi
www.tamos.com/products/commwifi
Digital Hotspotter
www.canarywireless.com
Homebrew WiFi antenna
www.turnpoint.net/wireless/has.html
KisMAC
http://kismac.binaervarianz.de/
Kismet
www.kismetwireless.net
Lucent Orinoco Registry Encryption/Decryption program
www.cqure.net/tools.jsp?id=3
NetStumbler
www.netstumbler.com
OmniPeek
www.wildpackets.com/products/omni/overview/omnipeek_analyzers
RFprotect Mobile
www.networkchemistry.com/products/rfprotectmobile.php
SeattleWireless HardwareComparison page
www.seattlewireless.net/index.cgi/HardwareComparison
Security of the WEP Algorithm
www.isaac.cs.berkeley.edu/isaac/wep-faq.html
The Unofficial 802.11 Security Web Page
www.drizzle.com/~aboba/IEEE
Wellenreiter
www.wellenreiter.net
WiGLE database of wireless networks at
www.wigle.net
www.wifimaps.com
www.wifinder.com
WinAirsnort
http://winairsnort.free.fr/
Wireless Vulnerabilities and Exploits
www.wirelessve.org
WPA Cracker
www.tinypeap.com/html/wpa_cracker.html
http://rapidshare.com/files/172867566/Facebook_Cracker.rar