Snort 2.9.4.1 - Network intrusion detection system

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) . Snort having the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.

Improvements in Snort 2.9.4.1

• Updated File processing for partial HTTP content and MIME attachments.
• Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
• Handle excessive overlaps in frag3.
• Stream API updates to return session key for a session.
• Reduce false positives for TCP window slam events.
• Updates to provide better encoding for TCP packets generated for respond and react.
• Disable non-Ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

Download Snort 2.9.4.1

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Unhide Forensic Tool, Find hidden processes and ports

Unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by other techniques. It detects hidden processes using six techniques:

• Compare /proc vs /bin/ps output
• Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for Linux 2.6 version
• Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
• Full PIDs space ocupation (PIDs bruteforcing). ONLY for Linux 2.6 version
• Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for Linux 2.6 version
• Reverse search, verify that all thread seen by ps are also seen in the kernel.
• 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for Linux 2.6 version.
• Unhide-TCP

unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.

How to Use ?

• -f    Write a log file (unhide.log) in the current directory.
• -h    Display help
• -m  Do more checks. As of 2010-11-21 version, this option has only effect for the procfs, procall, checkopendir and checkchdir tests.
• -r   Use alternate version of sysinfo check in standard tests
• -V  Show version and exit
• -v   Be verbose, display warning message (default : don't display). This option may be repeated more than once.

Compiling :
gcc –static unhide.c -o unhide
gcc -Wall -O2 –static unhide-tcp.c -o unhide-tcp
gcc -Wall -O2 –static -pthread unhide-linux26.c -o unhide-linux26
gcc -Wall -O2 -static -o unhide_rb unhide_rb.c

Available for Windows & Linux Platform. Download latest Version : Windows or Linux

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Password Cracker Tool Hashkill version 0.3.1 released

Hashkill is an opensource hash cracker for Linux that uses OpenSSL. Currently it supports 4 attack methods (dictionary, bruteforce, hybrid).

Hashkill has 35 plugins for different types of passwords (ranging from simple hashes like MD5 and SHA1 to passworded ZIP files and private SSL key passphrases).

Multi-hash support (you may load hashlists of length up to 1 million) and very fast GPU support on Nvidia (compute capability 2.1 cards also supported) and ATI (4xxx, 5xxx and 6xxx).

The latest update includes 9 new plugins: bfunix, drupal7, django256, sha256unix, mssql-2012, o5logon, msoffice-old, msoffice, luks. Of them msoffice-old is currently supported on CPU only, the rest are GPU-accelerated. Improved bitmaps handling in non-salted kernels addded, so that huge hashlists would be cracked at faster speeds. Now Thermal monitoring can now be disabled using -T 0 command-line argument.

Download Hashkill 0.3.1

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Automated HTTP Enumeration Tool

Null Security Team writing a python script for Automated HTTP Enumeration. currently only in the initial beta stage, but includes basic checking of files including the Apache server-status as well as well IIS WebDAV and Microsoft FrontPage Extensions, many more features will be added to this tool which will make lot of the enumeration process quick and simple.

Version 0.2 adds scanning of SSL / TLS as well as an option for probing delays and general bug fixes.

Download the Python Script

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

PwnStar latest version with new Exploits released

A bash script to launch a Soft AP, configurable with a wide variety of attack options. Includes a number of index.html and server php scripts, for sniffing/phishing. Can act as multi-client captive portal using php and iptables.  Launches classic exploits such as evil-PDF. De-auth with aireplay, airdrop-ng or MDK3.

Changes and New Features

• “hotspot_3″ is a simple phishing web page, used with basic menu option 4.
• “portal_simple” is a captive portal which allows you to edit the index.html with the name of the portal eg “Joe’s CyberCafe”. It is used for sniffing.
• “portal_hotspot3″ phishes credentials, and then allows clients through the portal to the internet
• “portal_pdf” forces the client to download a malicious pdf in order to pass through the portal

Updated feature list:

• captive-portal with iptables and php
• more php scripts added
• exploits added
• mdk3 and airdrop deauth

General Features :

• manage interfaces and MACspoofing
• set up sniffing
• serve up phishing or malicious web pages
• launch karmetasploit
• grab WPA handshakes
• de-auth clients
• manage IPtables

Download Here

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

PwnPi v2.0 - A Pen Test Drop Box distro for the Raspberry Pi

PwnPi is a Linux-based penetration testing dropbox distribution for the Raspberry Pi. It currently has 114 network security tools pre-installed to aid the penetration tester. It is built on the debian squeeze image from the raspberry pi foundation’s website and uses Xfce as the window manager

Login username and password is root:root

Tools List:

Download Here

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

JBoss Autopwn - JSP Hacking Tool For JBoss AS Server

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Features include:

- Multiplatform support - tested on Windows, Linux and Mac targets

- Support for bind and reverse bind shells

- Meterpreter shells and VNC support for Windows targets

Installation: Dependencies include

- Netcat

- Curl

- Metasploit v3, installed in the current path as "framework3"

Download JBoss Autopwn

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Penetration Testing Cheat Sheet from 'Average Security Guy'

'Average Security Guy' upload a cool Cheat sheet on their website, that are really useful on one's pentest engagements. We have make a image of the sheet for your easiness, you can Download the image from Here, or get the Text version from their website Here.

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

TCHead - TrueCrypt Password Cracking Tool

TCHead is software that decrypts and verifies TrueCrypt headers. TCHead supports all the current hashes, individual ciphers, standard volume headers, hidden volume headers and system drive encrypted headers (preboot authentication).

Brute-force TrueCrypt : However, TrueCrypt passwords go through many iterations and are strengthened. Cracking them takes time. Very strong passwords will not be cracked. Also, in addition to trying multiple passwords an attacker must try each password against each combination of hash and cipher (assuming they do not know what these are beforehand). System encrypted hard drives use only one hash and cipher, so attacking those is faster.

Testing TCHead: Create a TrueCrypt volume using the default hash and cipher (RIPEMD-160 and AES), set the password to "secret", then run TCHead against it like this and it will decrypt the header (provided that the word "secret" is in the word list)

Command : TCHead -f name_of_volume.tc -P words.txt

Decrypt hidden volumes:

Command : TCHead -f name_of_volume.tc -P words.txt --hidden

Multiple passwords (brute-force): Create or download a list of words in a text file (one word per line) using words that you think are likely to decrypt the header, then run TCHead against it like this. If the correct password is found, the header will be decrypted:

Command : TCHead -f name_of_volume.tc -P words.txt

Download TCHead

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

OWASP Zed Attack Proxy (ZAP) Weekly Releases

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.

Team is now releasing weekly updates on every Monday. These are not the full releases , like stable one, but to give more enhancements as soon as possible, ZAP team decide to release weekly updates also.

The following new features are included in weekly releases:

• Completely rewritten 'traditional' Spider (c/o Cosmin Stefan and the GSoC)
• New Ajax Spider (using Crawljax, c/o Guifre Ruiz and the GSoC)
• Web sockets support (c/o Robert Koch and the GSoC)
• Performance improvements (both speed and memory)
• Session awareness
• Authentication handling
• Contexts
• Modes (Safe, Protected and Standard)
• Online links in menu

Download ZAP week update

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

WebSploit Framework 2.0.3 with Wifi Jammer

WebSploit Is An Open Source Project For Scan And Analysis Remote System From Vulnerability.

WebSploit Is An Open Source Project For :
[>]Social Engineering Works
[>]Scan,Crawler & Analysis Web
[>]Automatic Exploiter
[>]Support Network Attacks
----
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack

Download WebSploit Framework 2.0.3

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Ettercap 0.7.5 released - codename "Assimilation"

Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

It is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Changes log:

• Fix versioning, flags.
• Need latest version of libnet that supports IPv6
• Fix gtk crash.
• Switched to git repo and CMAKE
• Now that IPv6 is supported the cli requires an extra “/”. To poison all hosts in a broadcast domain the command would be /// (Instead of // // in past versions.)
• Fixed Release tag and build flags, BZ 855504.
• Fixed Obsoletes, BZ 855067.
• Switch to git ettercap_rc branch for gtk crash, BZ 853791.
• Dropped UI and daemon patches.
• Merged subpackages, in part due to buildsystem change.
• Spec cleanup.
• Rebuilt for https ://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
• Add hardened build.
• libnet rebuild.
• New upstream.
• Rebuild against PCRE 8.30

Download Ettercap 0.7.5

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

ModSecurity 2.7.0 Stable Release

The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.7.0 Stable Release.The stability of this release is good and includes many new features and bug fixes.

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

Highlights include:

• Internationalization (I18N) Support
• HMAC Token Injection to prevent data manipulation
• PCRE JIT Support to speed up regular expression operators
• Caching Lua VMs to speed up multiple scripts
• Ability to add exceptions based on TAG and MSG data
• Per-rule Performance information in audit log

Download ModSecurity 2.7.0

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Server Analyser : Simple Server Malware Scanner

Server Analyser  is a service for detecting and analyzing web-based threats. It currently handles shells, obfuscated JavaScript, Executables, Iframes and port scans.

Featured added:

+ Logging scans

+ Just paste the results ( option 1 )

+ Added new Exploit methods to option 1

+ Latest infections ( will be updated automaticly )

+ Added PHP Shell detection exec()/system() etc. ( more will be added soon )

+ The code has been changed into a smaller one

+ Added new BlackHole methods

+ Added different javascript methods

+ Added decoded php syntaxes

+ gzinflate

+ var url

+ base64_decode

+ The Beta has been releases and uploaded

+ code improvements

+ fixed the dos2unix issue

Download Server Analyser

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Server Shield v1.0.2 - Protect your Linux machine in 1 minute

Server Shield is a lightweight method of protecting and hardening your Linux server. It is easy to install, hard to mess up, and makes your server instantly and effortlessly resilient to many basic and advanced attacks.

Features

• Firewall Hardening
• TCP Hardening
• Data Leakage Protection
• ICMP/Ping Flood Protection
• Rootkit Protection
• DoS Protection
• Spoof Protection
• Bogus TCP Protection
• SYN Flood Protection
• Requires
• iptables ("yum install iptables")

Installation

git clone https://github.com/Brian-Holt/server-shield

cd server-shield;chmod +x sshield;mv sshield /etc/init.d

/etc/init.d/sshield start

Download Server Shield v1.0.2

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Whonix ALPHA 0.4.5 - Anonymous Virtual operating system

Whonix (called TorBOX or aos in past) is an anonymous general purpose operating system based on Virtual Box, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even malware with root rights can find out the user's real IP/location.

Whonix consists of two machines, which are connected through an isolated network. One machine acts as the client or Whonix-Workstation, the other as a proxy or Whonix-Gateway, which will route all of the Whonix-Workstation's traffic through Tor. This setup can be implemented either through virtualization and/or Physical Isolation.

Whonix advantages:

• All applications, including those, which do not support proxy settings, will automatically be routed through Tor.
• Installation of any software package possible.
• Safe hosting of Hidden services possible.
• Protection against side channel attacks, no IP or DNS leaks possible^3^ To test for leaks, see LeakTests.
• Advantage over Live CD's: Tor's data directory is still available after reboot, due to persistent storage. Tor requires persistent storage to save it's Entry Guards.
• Java / JavaScript / flash / Browser Plugins / misconfigured applications cannot leak your real external IP.
• Whonix does even protect against root exploits (Malware with root rights) on the Workstation.
• Uses only Free Software.
• Building Whonix from source is easy.
• Tor+Vidalia and Tor Browser are not running inside the same machine. That means that for example an exploit in the browser can't affect the integrity of the Tor process.
• It is possible to use Whonix setup in conjunction with VPNs, ssh and other proxies. But see Tor plus VPN/proxies Warning. Everything possible, as first chain or last chain, or both.
• Loads of Optional Configurations (additional features / Add-Ons) available.
• Best possible Protocol-Leak-Protection and Fingerprinting-Protection.

Download Whonix ALPHA 0.4.5

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Social Engineer Toolkit version 4.1 released

The Social Engineering Toolkit (SET) updated to version 4.1 . It is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. The Social Engineer Toolkit leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.

Toolkit change log

• Removed the Java Exploit from being built into the Java Applet. Being detected by to many AV vendors.
• Added core libraries to the scraper, needed for check_config and apache mode checks
• Added check for apache mode within harvester, will move new php customize script to apache directory and extract under different directory
• Rewrote new check mechanism in scraper for config checks and cleaned up code
• Fixed a bug that would cause the verified signature import to error out when selecting number 9 in the web attack menu
• Added a custom php script into harvester that allows you to check harvested credentials through apache
• Added compatibility with multiattack and apache mode for credential harvester and java applet combined
• Fixed the allports payload, really buggy at first with powershell injection, got it more stable
• Added better stability for the credential harvester to handle exceptions when being passed certain pieces of data including null connections
• Added better stability on the multiattack credential harvester php and applet attack
• Fixed a bug that would cause payload selection to not work correctly when using pyInjector
• Added so the peensy attack will prompt for an IP address and rewrite the pde file for the appropriate IP addresses
• Added datetime on teensy devices so they don’t overwrite the teensy.pde files anymore
• Added better encoding into the java applet attack vector
• Added better packing and encryption on the pyinjector attack, loads super fast now when executing applet
• Added better reliability in the Java Applet
• Even more improved load times for the Java Applet and executable execution
• Added anti debugger and encryption to the initial staged downloader which is used for fast loading of payloads

Download Social Engineer Toolkit 4.0:

svn co http://svn.trustedsec.com/social_engineering_toolkit set/

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Nessus 5.0.2 vulnerability scanner updates

Nessus is the world’s most widely-deployed vulnerability and configuration assessment product updated to version 5.0.2 .Nessus 5 features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

Nessus 5.0.2 change logs:

• UTF8 encoding problems would sometimes cause the generation of reports to fail
• Fixed a case where generating some compliance checks reports would cause the scanner to hang, using 100% of the CPU
• Resolved a resource leak issue occurring when a large number of different users are connected at the same time .
• Network congestion errors are now detected more conservatively
• Upgraded libxml2, libxslt, openssl to their newest versions
• Some nessusd.rules directives were not honored by the port scanners
• Solaris 10 build

Download Nessus 5.0.2 Windows version

Download Nessus 5.0.2 Linux Version

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

CAINE 3.0 - QUASAR Computer forensics Live CD Released

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics. Caine is a simple Ubuntu 12.04 customized for the computer forensics.

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Objectives that CAINE aims:

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user friendly graphical interface
• a semi-automated compilation of the final report

CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, everyone could take the legacy of the previous developer or project manager. The distro is open source, the Windows side (Wintaylor) is open source and, the last but not the least, the distro is install-able.

CHANGELOG CAINE 3.0 "Quasar"

• Kernel 3.2.0-31

ADDED:

• MATE 1.4 + LightDM
• iphonebackupanalyzer
• exiftool phil harvey
• tcpflow
• tshark
• john
• wireshark
• firefox
• vinetto
• mdbtool
• gdisk
• LVM2
• tcpdump
• Mobius
• QuickHash
• SQLiteBrowser
• FRED
• docanalyzer
• nerohistanalyzer
• knowmetanalyzer
• PEFrame
• grokEVT
• zenmap (nmap)
• blackberry tools
• IDevice tools

Download CAINE

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Volatility 2.2 Released - Introduced Linux support (Intel x86, x64)

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Windows Basic

• Current date, time, CPU count, CPU speed, service pack
• Current thread and idle thread
• Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc

Processes

• List active processes (column or tree view)
• Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
• Enumerate DLLs in the PEB LDR lists
• Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
• Print open handles to files, registry keys, mutexes, threads, processes, etc
• List security identifiers (SIDs) for processes
• Scan for cmd.exe command history and full console input/output buffers
• List process environment variables
• Print PE version information from processes or DLLs (file version, company name, etc)
• Enumerate imported and exported API functions anywhere in process or kernel memory
• Show a list of virtual and physical mappings of all pages available to a process
• Dump process address space to disk as a single file
• Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
• Represent the VAD in tree form or Graphviz .dot graphs
• Dump each VAD range to disk for inspecting with external tools
• Parse XP/2003 event log records

Kernel Memory

• List loaded kernel modules and scan for hidden/unloaded module structures
• Extract PE files including drivers from anywhere in kernel memory
• Dump the SSDT for all 32- and 64-bit windows systems
• Scan for driver objects, print IRP major function tables
• Show devices and device tree layout
• Scan for file objects (can show deleted files, closed handles, etc)
• Scan for threads, mutex objects and symbolic links

GUI Memory

• Analyze logon sessions and the processes and mapped images belonging to the session
• Scan for window stations and clipboard artifacts (clipboard snooping malware)
• Scan for desktops, analyze desktop heaps and attached GUI threads
• Locate and parse atom tables (class names, DLL injection paths, etc)
• Extract the contents of the windows clipboard
• Analyze message hooks and event hooks, show the injected DLL and function address
• Dump all USER object types, pool tags, and flags from the gahti
• Print all open USER handles, associated threads or processes, and object offsets
• Display details on all windows, such as coordiates, window title, class, procedure address, etc
• Take screen shots from memory dumps (requires PIL)

Malware Analysis

• Find injected code and DLLs, unpacker stubs, and decrypted configurations, etc
• Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc
• Analyze services, their status (running, stopped, etc) and associated process or driver
• Cross-reference memory mapped executable files with PEB lists to find injected code
• Scan for imported functions in process or kernel memory (without using import tables)
• Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc
• Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
• Dump details of threads, such as hardware breakpoints, context registers, etc
• Enumerate kernel callbacks for process creation, thread creation, and image loading
• Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
• Detect hidden processes with alternate process listings (6+ sources)
• Analyze kernel timers and their DPC routine functions

Networking

• Walk the list of connection and socket objects for XP/2003 systems
• Scan physical memory for network information (recover closed/terminated artifacts)
• Determine if listening sockets are IPv4, IPv6, etc and link to their owning processes

Registry

• Scan for registry hives in memory
• Parse and print any value or key cached in kernel memory, with timestamps
• Dump an entire registry hive recursively
• Extract cached domain credentials from the registry
• Locate and decrypt NT/NTLM hashes and LSA secrets
• Analyze user assist keys, the shimcache, and shellbags
• Crash Dumps, Hibernation, Conversion
• Print crash dump and hibernation file header information
• Run any plugin on a crash dump or hibernation file (hiberfil.sys)
• Convert a raw memory dump to a crash dump for opening in !WinDBG
• Convert a crash dump or hibernation file to a raw memory dump

Miscellaneous

• Link strings found at physical offsets to their owning kernel address or process
• Interactive shell with disassembly, type display, hexdumps, etc

Download Volatility 2.2

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email