Ignore this post. I made the mistake of taking some old Blosxom postings and losing their publish date. So here is the data posted at an arbitrary date of Jan 1, 2006.
AppRecon is a little Java tool that sends out discovery broadcast packets and then listens for any returns, which indicate those apps are present. Of note, currently returns back SQL Server, Symantec pcAnywhere, and Symantec Corporate Antivirus apps. Really pretty cool.
application protocol sniffing tools (msn, icq, aim…)
NextSecurity has a bunch of small tools (some freeware, most trial) to sniff various passwords and conversations on IM programs and other specialized stuff.
binary to text exe scanner
This really small and simple tool will take any .exe (installation or executable file I think), and convert the binary into words that make some sense. Again, not sure what this might do for me, but might be useful in forensics when analyzing what an unknown executable file is trying to do, or maybe better identify it. Still... might be useful to play with.
dns: bind leading the bind
This is an excellent online resource for links to BIND, which is the #1 tool on the Internet for DNS services.
chaos and clustering?
CHAOS is a tool to simplify creating a processing cluster. And a nice tutorial for using this cluster to work on password cracking. The tool sounds bootable and quite automatic, which could be pretty cool and a nice option instead of rainbow tables or just plain brute forcing or guessing passwords.
crowbar – web site brute forcer
Crowbar sounds like a web site brute forcer that should be worth a shot. This was supposedly either presented or at least mentioned at Defcon this year.
I can’t believe I don’t have a link to it yet, but here is my entry for Cygwin, a more powerful shell alternative to the cmd prompt in Windows.
DarwinPorts is an open source project mostly for Mac OS X that, well, I’m not sure what it does without seeing it in action, but I had a strong recommendation for it that I didn’t want to lose.
default password list link
This site has an updated list of default passwords for a variety of devices.
Dsniff is a collection of network auditing tools: “dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.”
eagleeyeos: lock and log removable storage devices
EagleEyeOS will lock and log removable storage devices. The logging sounds like the really cool part to me…
eeye resources and tools
eEye Digital Security has a number of useful tools and scanners on their site, for free use. They include a lot of tools to scan smaller networks for specific worm or exploit vulnerabilities. Most notably, though, is nmapNT, an NT port for the *nix nmap tool.
Need to check out EtherPeek at some point too. Saw it mentioned on a mailing list as a recommended means of monitoring network traffic of some sort. I suspect it is similar to etherape and ethereal.
health check tool for exchange implementations
This tool for checking the health of an Exchange setup might be useful in the not-so-distant future.
firewalking: testing firewalls
There are a number of tools to test a firewall, also called “firewalking.”
hping / hping2
Update: And here is a tutorial on hping2.
If I ever want to get into fuzzing, that site is one of the places I’d start.
getting started with snort
This might be getting dated, but may help me someday when I get off my oinker and start looking into implementing snort full-time on my networks.
harpy – http constructor
Web site has an online HTTP constructor called HArPy. With it you can construct and send your own HTTP strings. Kinda fun to play with this and understand how web servers reply and how they log and/or block requests.
honeytrap and nepenthes
Honeytrap is a cool tool that will open a port(s) on your system and capture whatever attempts to come into it. It will do some low-level emulation of services, but mainly it is around to capture unknown vulnerabilities.
This is in contrast to nepenthes which will trigger on and capture only known vulnerabilities and exploits.
Now, neither of these tools runs natively on Windows, although one can attempt to compile them. But there is an older post I made here for Windows port listeners which really is much the same thing, especially if I can find one that emulates known ports as opposed to just opening a port and listening for anything.
host integrity checkers
There are really not that many truly gifted host integrity checkers out there. I remember at my last job we actually had no real digital integrity processes and got minorly dinged on that whole section on a security assessment review. I looked into the topic a bit back then and realized there’s just really not that much out there. Sure you can make cases for rootkit sniffers and even anti-virus and filemon, but if you want to remain honest with yourself, these don’t really count.
Here is a round-up of a bunch of integrity scanners (written and conducted by the author of one of the scanners). It might be a bit biased and dated (~2002) but still gives good info.
Samhain and Osiris are two very popular host integrity checkers (after, of course, Tripwire). They are so note-worthy that Syngress has a book out just for them: Host Integrity Monitoring Using Osiris and Samhain. AIDE is another tool I’ve heard good things about, but have not tried. Osiris can run on Windows as can Samhain when coupled with Cygwin.
update: an AIDE article – File Alteration Monitor (FAM) for nix – diff commands for Windows scripting
incident response tools
Just like a security or hacking event, incident response is something that *will* happen someday. This is just a pointer for me to a quick rundown of some kickass IR tools that I should become familiar with at some point.
Inctrl5 is an older tool developed by persons at or for PC Magazine to review software. A lot of people like me are curious about binaries they receive and how to see if they can be trusted (or to reverse engineer protections, limitations, etc) by using tools like Filemon and Regmon to see what changes the program is making. This can be time-consuming and error-prone as these tools capture a lot of stuff. Inctrl5 gets around most of the issues by taking snapshots of the registry and file system before and after an executable is run. This gives you a delta of your system and the ability to see what really changed and where. Pretty darn cool for a magazine tool!
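The snapshot-and-delta idea described for Inctrl5 (and the file-integrity checking discussed under host integrity checkers) is simple enough to show in code. The following is an added example, not Inctrl5's, Tripwire's, Samhain's or Osiris's own code: it takes a baseline of a directory tree (size, permission bits, SHA-256 per file), simulates an "install" in a constructed temporary directory, and reports what was added, removed and modified. Only the file-system half is shown; a registry snapshot on Windows would be built the same way by walking keys with the standard `winreg` module. All paths and file contents in `demo()` are constructed for the example.

```python
"""Before/after file-system snapshot diff (added example, not Inctrl5's own code)."""
import hashlib
import os
import tempfile


def _sha256(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated path)
    to (size, permission bits, sha256). Symlinks and special files are skipped."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (st.st_size, st.st_mode & 0o7777, _sha256(full))
    return state


def diff_snapshots(before, after):
    """Return the delta between two snapshots: added, removed and modified paths.
    A file counts as modified if its size, permissions or hash changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline, then a simulated installer that appends to
    a config file, drops a new binary and deletes a file; returns the delta."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("baseline\n")
        before = snapshot(root)

        # Simulated "installer" activity (constructed; 203.0.113.0/24 is a documentation range).
        with open(os.path.join(root, "system32", "hosts"), "a") as f:
            f.write("203.0.113.9 update.example\n")
        with open(os.path.join(root, "system32", "helper.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
        os.remove(os.path.join(root, "readme.txt"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

For real use the baseline snapshot would be written to a file kept off the monitored host (or at least outside the tree being watched), since an attacker who can alter the files can alter a baseline stored beside them just as easily.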
installwatch and installrite
I’m not sure if I’ll ever get a chance to drive these tools around, but InstallWatch will watch and report everything that a particular file does when installing. InstallRite is InstallWatch plus the ability to clone applications to distribute them, as an alternative to disk imaging. Not sure what that all entails, but might be useful.
networking monitoring with intellimonitor
Intellimonitor is an agentless network monitoring solution. This is a commercial app, but might just be worth the trial and purchase in a corporate environment.
leak prevention test tool
I have not tested it yet, but this open source Leak Prevention Test tool supposedly tests for information leaks on a system. Not even sure how it does that, but wanted to record this link down.
tips to securing linux-based ssh
I’ve done a lot on here about Windows SSH, but not a whole lot with a purely Linux SSH build. Here are some tips to securing SSH on Linux.
Lists open files, lsof, is a wonderful little tool for *nix systems.
Mosquito looks like another exploit framework.
nbaudit – netbios (share) enumeration
The nbaudit tool is a security tool used to scan computers using NetBIOS, i.e. sharing files on the network. The tool will attempt to enumerate properties of those shares on the network. Usually associated with enumerating open shares on an NT network. The tool itself is a *nix/*BSD tool.
nessj – nessus client
Nessj looks like an awesome little Nessus client. This could be highly useful for cronies and managers who only want to run Windows and still utilize Nessus reports. I’ve known far too many of these types of people…
netbios auditing tool
Have not tested it, but the NetBIOS Auditing tool sounds interesting.
offline nt password and registry editor boot disk
The Offline NT Password and Registry Editor is an awesome little tool for recovering NT passwords by booting to a floppy or cd to begin editing passwords and registries, all without needing to boot into full-blown Windows.
From a security standpoint, this makes me nervous as all heck. I need to make a point to enable BIOS Setup password protection and to disable boot-from-cd and boot-from-floppy on all my systems someday. I will just play with this idea for now, just in case there is some reason to keep those settings. I don’t want to make such a work-intensive reactionary decision without fully contemplating the consequences of it. I will note though, that I can make all the passwords the same because, honestly, how often do you see the BIOS Setup password exploited, cracked, or in the clear? You don’t… 🙂
omnipeek personal network analyzer
I had no idea WildPackets’ OmniPeek Personal was a free tool until I saw it mentioned on a mailing list. Current version is 4.0 and it looks like a fully featured network analyzer suite. No registration or email is required to download the free version. Hopefully I can try this out and find it to not have any realistic limitations compared to their full-priced professional version.
We use OpenVPN at work, so I thought this article on OpenVPN might be helpful and somewhat useful, since I am not the brightest on setting up something like OpenVPN.
Paros 3.2.13 has been released. This is a really good scanner which works on Windows or nix.
Pasco2 is an enhanced version of the first tool which analyzes IE history and cache files, a particularly nice tool for any forensics work.
windows permissions identifier
Like the description says, the Windows Permissions Identifier is a nice tool to audit permissions quickly on a server, especially for a penetration test or security audit. However, this is free and as such is not a fully robust management and reporting tool like you might get from ScriptLogic or Quest or BitVise, I believe.
pfprintd is another passive probing tool. This tool sniffs the wire and determines OS based on the packets gathered. It is limited and only analyzes some packets and determines some OS’s.
port look-up page
This page allows you to look up port numbers and return back services on those ports. Arguably more useful than a flatfile list.
proactive security auditor aka l0phtcrack
Proactive Security Auditor is a password auditor for Windows. Basically, it is an option if one cannot find a cracked L0phtcrack 5 (widely available, such as at Insecure.org): it attempts to crack passwords, and if a password is cracked too quickly, it is deemed insecure. An interesting baselining tool, perhaps.
A promiscuous mode querying tool to find Windows computers with their NICs in promiscuous mode. I don’t think I or anyone would have guessed this tool actually comes from Microsoft! And amazingly, I had yet to try it out or test it! PromqryUI.exe sounds pretty fun.
putty – step-by-step
This is a quick little step-by-step tutorial on using PuTTY, an SSH client with port forwarding.
pwdump6 and fgdump updated
A few tools have been updated: pwdump6 (love that page!) and fgdump.
keyloggers – sc-keylog and homekeylogger
HomeKeyLogger is a nice keylogger for an always-on, one-user computer as you can hide it quite nicely and it always runs. FamilyKeyLogger is a commercial product useful for a computer that needs to be booted or has multiple users. The price is amazingly low too, so it is mostly worth it.
However, to step up to the bigs, there is SoftCentral’s SC-KeyLog 2.4 app. This tool can obfuscate almost every part of a keylogger other than actually creating it as a service. It can also be packaged into an executable file to be deployed remotely and then email back the log file at specified times. The log file is encrypted and you can’t do much about it without the password. A very nice and well-featured tool that can be a part of a penetration toolbox...all one needs is to copy it over and execute with privileges, much like netcat.
Now, if I could only find a free, safe keylogger that installs as a customizably-named service…
reverse dns lookup site
This site will perform a reverse dns lookup for you, i.e. resolving an IP into a domain name (DNS). This might not be very useful since even Windows includes nslookup, which will perform both forward and reverse dns lookups, but it might be useful someday in a locked-down environment or if an OS does not have an easily-found nslookup tool.
rootkit detection tools
Tools for detecting rootkits, one free, another not as free:
Rootkit Revealer from Sysinternals
Blacklight from F-Secure
Helios (in-action videos too)
rootkit hunter project
This is a quick blurb for rootkit hunter which basically runs a number of digital integrity checks to verify that a system has not been the victim of a rootkit infection. Pretty nice tool in theory, although I have yet to try it out.
rt on windows
RT is an excellent open source (free) tool for any IT shop to track resources and requests. Even better for those not comfortable relying on a Linux solution: it can be installed on Windows.
sam spade on the web
Basically a pointer to Sam Spade.org, a site that hosts hardcore DNS online querying tools.
browser isolation: sandboxie
Application, browser, and even OS virtualization and isolation are becoming the big trends this year. In this vein, SandboxIE is an app that will sit between the OS and Internet Explorer and isolate software from messing with the OS. While this is an interesting concept, I have no clue if this will still work in IE7 and I’ll stick with Firefox anyway.
Seintinix is a Linux distro that packages all sorts of security-related tools into one package, making for an easy install. I think this may just rock. I need to try it out at work on a spare machine that I want to do basically this same thing with anyway.
windows server service buffer overrun scanner
In the past week, Microsoft released a bunch of new patches, one of which patches a critical vulnerability (buffer overrun) in the Server service.
Not a day later, an exploit was unleashed and the vulnerability itself is wormable. eEye released a scanner to scan small ranges of IPs for vulnerable servers. Nice scanner, and I hope Metasploit incorporates this exploit very soon.
snort 2.2.0 released
Snort 2.2.0 has been released.
Also, here is a Sguil installation guide. Sguil is a GUI interface for Snort to provide alerts and other functionality.
SpamAssassin actually can work on a win32 platform and with any email clients that I use, which means I don’t have much excuse for not trying this out at some point on my home network.
speeding up a nessus scan
Nessus can take a while to scan a range of hosts, especially if that range involves a lot of down or unused IPs. This link goes into some detail on how to perform an nmap scan to populate what Nessus will scan, and since nmap does this scan much faster, the overall scan from Nessus takes far less time.
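The mechanics of that trick are: run nmap's fast ping sweep, keep only the hosts it reports as up, and hand that list to Nessus instead of the whole range. The following is an added example, not code from the linked article or from either project: it parses nmap's grepable (`-oG`) output, keeps the `Status: Up` hosts, and collapses consecutive addresses into `start-end` ranges, the comma-separated target syntax Nessus accepts. The `SAMPLE_GREPABLE` text is constructed to look like `nmap -sP -v -oG -` output (with `-v`, down hosts are listed too); it is not real scan output.

```python
"""Turn an nmap ping-sweep (-oG) into a compact Nessus target list (added example)."""
import ipaddress
import re

# One grepable line per host: "Host: <addr> (<name>)<TAB>Status: Up|Down"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)", re.M)

# Constructed sample, shaped like nmap's grepable output (not a real scan).
SAMPLE_GREPABLE = """\
# Nmap 4.20 scan initiated Sun Jan  1 12:00:00 2006 as: nmap -sP -v -oG - 10.0.0.0/28
Host: 10.0.0.1 (gw.example.lab)\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.4 ()\tStatus: Down
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tStatus: Up
# Nmap done at Sun Jan  1 12:00:03 2006 -- 16 IP addresses (4 hosts up) scanned in 3.1 seconds
"""


def live_hosts(grepable):
    """Return the addresses nmap marked 'Up', in file order (duplicates kept)."""
    return [addr for addr, _name, status in HOST_RE.findall(grepable) if status == "Up"]


def compact_ranges(ips):
    """Sort, de-duplicate and merge consecutive addresses into 'a-b' ranges.
    All addresses must be of one family (IPv4 or IPv6)."""
    addrs = sorted({ipaddress.ip_address(a) for a in ips})
    ranges = []
    i = 0
    while i < len(addrs):
        start = end = addrs[i]
        while i + 1 < len(addrs) and addrs[i + 1] == end + 1:
            i += 1
            end = addrs[i]
        ranges.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ranges


def nessus_targets(grepable):
    """Comma-separated target string in the form Nessus accepts."""
    return ", ".join(compact_ranges(live_hosts(grepable)))


if __name__ == "__main__":
    print(nessus_targets(SAMPLE_GREPABLE))
```

In practice you would feed it the real sweep with something like `nmap -sP -v -oG sweep.txt 10.0.0.0/24` and paste the resulting string into the Nessus target field; hosts that drop ICMP but answer on TCP will be missed by a pure ping sweep, so for a thorough audit add a TCP probe (nmap's `-PS`) to the discovery step.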
ssh server on windows 2003
Appears to be a paper on installing an SSH server on Windows 2003. There are other tools that don’t require Cygwin, but I think this will be a good exercise to go through. I’ve long wanted my own SSH server here at home for…various reasons.
protected storage passview tool
Protected Storage PassView allows one to see a number of passwords in Windows: Outlook passwords, AutoComplete passwords in IE, Password protected sites in IE, and MSN Explorer passwords. Pretty nice for one of those “other” password revealing tools.
Tcpreplay is one of those tools I’ve heard referenced a hell of a lot of times, but still have yet to really utilize it. I need to someday, hence this pointer.
This TCP Tunnel tool forces traffic from an application to a specified proxy server. Looks like just someone’s little self-made tool, but worth checking out at some point.
the hacker’s choice – hydra, amap tools, more
The Hacker’s Choice, aka THC, is a top source for original security tools such as Hydra and Amap and many more. Nice site to browse and try a few things out from. They also have plenty of nice papers too.
firewall probing with ttlscan
This little tool called ttlscan sends a series of TCP SYN packets to ports on a particular server. It then returns a report of those packets. By reading the TTL field on the packets, one can tell if the device is forwarding the packet to another server (the TTL will be one less because it hit one extra server). There is also limited OS fingerprinting available with it.
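The TTL reasoning above is worth seeing with numbers. This is an added example, not ttlscan's own code, and it only does the analysis half: given per-port TTL values already observed in replies (the `SAMPLE_REPORT` list is constructed), it guesses each reply's initial TTL from the common OS defaults (32, 64, 128, 255), converts it to a hop count, and flags the ports whose replies travelled one hop further than the rest, which is the signature of a device forwarding those ports to a server behind it. A differing initial TTL between ports is the crude OS hint the page mentions.

```python
"""Hop-distance and forwarding inference from reply TTLs (added example)."""

# Initial TTLs used by common OS families; a reply's TTL is one of these minus the hops.
DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed observations: (destination port, TTL seen in the reply).
# Ports 25 and 110 come back one hop further away than 80/443.
SAMPLE_REPORT = [(80, 61), (443, 61), (25, 60), (110, 60)]


def infer_hops(observed_ttl):
    """Return (guessed initial TTL, hop count) for one observed TTL.
    Picks the smallest default initial TTL that is >= the observed value."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 always matches")


def analyze_ttl_report(report):
    """Per-port hop counts, the nearest hop count seen, and the ports that
    appear to be forwarded (answered from at least one hop further away)."""
    per_port = {port: infer_hops(ttl) for port, ttl in report}
    baseline = min(hops for _initial, hops in per_port.values())
    forwarded = sorted(port for port, (_i, hops) in per_port.items() if hops > baseline)
    initials = sorted({initial for initial, _h in per_port.values()})
    return {
        "per_port": per_port,
        "baseline_hops": baseline,
        "forwarded_ports": forwarded,
        "initial_ttls_seen": initials,  # more than one suggests different OSes answering
    }


if __name__ == "__main__":
    result = analyze_ttl_report(SAMPLE_REPORT)
    for port, (initial, hops) in sorted(result["per_port"].items()):
        print(f"port {port:5d}: initial TTL {initial}, {hops} hops")
    print("forwarded ports:", result["forwarded_ports"])
```

The guess is only as good as the assumption that the responder uses a default initial TTL; a host configured with an unusual value, or a path whose length changes between probes, will skew the hop counts, so a single-TTL difference is a hint to investigate rather than proof of a forwarder.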
txdns digger for windows
Windows gets a tool here, in infant form, for DNS digging. DNS digging is always good to automate, and this looks like it does a nice job of it.
vmware appliance contest winners
VMware recently held a competition to create awesome virtual appliances. Some of the entries look like solid, useful things, especially the winner which looks like a network packet capture analyzer appliance which I’d love to run. Familiarizing myself with VMware player and the ability to slap in an appliance like this could be highly useful.
Wapiti is an OS-independent web app vulnerability assessor and fuzzer tool written in Python. Whew! I swear, the names of these tools have gone from the vulgar and dark voodoo magic arts (BackOrifice, AOHell…) into the just plain odd. Anyway, looks like a tool worth checking out for doing some web app fuzzing. Definitely does not replace Nikto or something, but can definitely take web app scanning to a new, deep level.
wget for windows
How can one complain about a wget for windows app?
WhoLockMe is a Windows tool to determine what process is locking a file.
Winalysis is a tool that just might make life much simpler for the desktop support team, at least in tracking things on our network... and maybe on a few of the more accessible servers in our network. According to the marketing, Winalysis can gather event log files from multiple machines and archive them centrally, can generate alerts based on events, and analyze changes and security vulnerabilities. One thing I am looking for is a way to verify the integrity of system files, basically to ensure the files have not been tampered with, but also a tool that can gather event logs for 100 or so machines, basically put them all together, and flag or send alerts on just a few specific issues such as new user creations, multiple logon failures, admin account logons, etc.
And the tool is amazingly cheap too! And a fully functional trial version! And no client installs! I might just have to try this out and see how it might fit into our whole network management scheme.
windows bootable cd
Linux CDs are nothing new to me, and they’re great little tools. I found a few links to a site describing how to create a Windows bootable cd. This would be amazingly useful, and basically totally one-ups the Windows 98 boot cd that I keep in my possession. Of interest, the person who hosts this page is also the one I have bookmarked for anytime I need to create a network-enabled boot disk for Windows when I do imaging.
Winpooch is one of those tools for Windows that you never really expect to see. Tools like this tend to be *nix only. Winpooch feels a lot like a mix between a heuristic antivirus app and Tripwire and a host-based firewall. It monitors and can take action based on what programs do against the OS, file system, and network. If a program wants to access the Internet, Winpooch watches it and can block it. If the program wants to write a registry file or drop a file on your computer somewhere, Winpooch can log or block it as well. For those people curious about things like this, or just plain paranoid, this seems like a nice, lightweight tool for monitoring one’s system. Best of all, it is open source and fully free (although I truly expect this to be bought up in the future). Has extended integration into ClamWin antivirus too, which I use!