Showing posts with label Forensics.

NetSleuth : Open source Network Forensics And Analysis Tools

NetSleuth identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.

NetSleuth is an open-source network forensics and analysis tool designed for triage in incident-response situations. It identifies and fingerprints network hosts and devices from pcap files captured on Ethernet or WiFi (for example with Kismet).

It also has a live mode that identifies hosts and devices silently, without sending any packets or putting the network adapter into promiscuous mode (the authors call this "silent portscanning").

NetSleuth is a free network monitoring, security and network forensic analysis tool (NFAT) with the following features:
  • An easy real-time overview of which devices and which people are connected to any WiFi or Ethernet network.
  • Free. The tool can be downloaded for free, and the source code is available under the GPL.
  • Simple and cost effective. No extra hardware and no reconfiguration of the network required.
  • “Silent portscanning”: passive monitoring on WiFi and wired networks that transmits nothing, so it cannot be detected on the wire.
  • Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.
  • Offline analysis of pcap files, from tools like Kismet or tcpdump, to aid in intrusion response and network forensics.
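The passive approach described above (learn who is on the network from what they transmit, never send anything yourself) is easy to see in code. The following is an added example, not NetSleuth's own code: a minimal pcap reader that builds a host table from ARP sender addresses (MAC to IP), looks up a constructed two-entry OUI table for the vendor, and applies the classic initial-TTL heuristic to IPv4 traffic to guess the OS family. The capture it runs on is constructed inline; the vendor table and the TTL thresholds are assumptions for the demo, not NetSleuth's fingerprint database.

```python
import struct
from collections import defaultdict

# Constructed OUI subset for the demo; a real tool ships the full IEEE registry.
OUI_VENDORS = {"00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def guess_os_from_ttl(ttl):
    # Classic passive heuristic: initial TTL 64 (Linux/Unix/macOS/Android),
    # 128 (Windows), 255 (network gear); assumes the sender is within 30 hops.
    for initial, label in ((64, "linux/unix-like"), (128, "windows"), (255, "network device")):
        if initial - 30 < ttl <= initial:
            return label
    return "unknown"


def iter_pcap(data):
    """Yield (timestamp, frame) from a little-endian, microsecond pcap with Ethernet link type."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("example parser supports little-endian pcap with Ethernet frames only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def passive_inventory(pcap_bytes):
    """Build a host table from traffic alone: ARP gives MAC<->IP, the IPv4 TTL hints at the OS."""
    hosts = defaultdict(lambda: {"ips": set(), "vendor": "unknown", "os_guess": None, "first_seen": None})
    for ts, frame in iter_pcap(pcap_bytes):
        if len(frame) < 14:
            continue
        src_mac = mac_str(frame[6:12])
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        host = hosts[src_mac]
        host["vendor"] = OUI_VENDORS.get(src_mac[:8], "unknown")
        if host["first_seen"] is None:
            host["first_seen"] = ts
        body = frame[14:]
        if ethertype == 0x0806 and len(body) >= 28:       # ARP: sender protocol address at +14
            host["ips"].add(ip_str(body[14:18]))
        elif ethertype == 0x0800 and len(body) >= 20:     # IPv4: TTL at +8, source address at +12
            host["ips"].add(ip_str(body[12:16]))
            host["os_guess"] = guess_os_from_ttl(body[8])
    return dict(hosts)


# --- constructed sample capture (not a real network) -------------------------------------
def arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + src_mac + src_ip + dst_mac + dst_ip
    return dst_mac + src_mac + b"\x08\x06" + arp


def ipv4_udp(src_mac, dst_mac, src_ip, dst_ip, ttl, payload=b"\x00"):
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, ttl, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = [struct.pack("<IIII", 1349000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


PI_MAC = bytes.fromhex("b827eb112233")
VM_MAC = bytes.fromhex("005056aabbcc")
GW_MAC = bytes.fromhex("001122334455")
SAMPLE_PCAP = build_pcap([
    arp_reply(PI_MAC, bytes([192, 168, 1, 20]), GW_MAC, bytes([192, 168, 1, 1])),
    ipv4_udp(VM_MAC, GW_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]), ttl=128),
    ipv4_udp(PI_MAC, GW_MAC, bytes([192, 168, 1, 20]), bytes([192, 168, 1, 1]), ttl=64),
])

if __name__ == "__main__":
    for mac, info in passive_inventory(SAMPLE_PCAP).items():
        print(mac, info["vendor"], sorted(info["ips"]), info["os_guess"])
```

Nothing here puts an interface into promiscuous mode or sends a frame; on a live system the same logic would be fed from a capture socket instead of a file. The TTL guess is only a hint (a host behind many hops or with a tuned TTL will be misclassified), which is why tools like NetSleuth combine several such signals.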


Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .
Subscribe Top Hacker Stories via email

The Autopsy Forensic Browser v 3.0.0 released

The Autopsy Forensic Browser is a graphical interface to The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Version 3.0 of Autopsy is a complete re-write and this page describes its features.

Autopsy 3 has been designed as a graphical platform for open-source digital forensics tools. It is written in Java on the NetBeans Platform, which lets Autopsy run on multiple operating systems (Windows, OS X, Linux, etc.) and gives it a modular framework that makes it easy to incorporate other open-source forensics tools into an end-to-end solution. Autopsy 3.0 is faster and easier to use than Autopsy 2.0.

New features:
- Using Sleuthkit 4.0.0
- Integrated plugin installer.
- New options menu to globally access module options.
- Added custom ingest module loader and ingest module auto-discovery

Improvements:
- Updated ingest framework APIs.
- Merged the main modules into Autopsy-Core and Autopsy-CoreLibs.
- Improved logging infrastructure.
- Improved configuration infrastructure.
- Keyword search: upgraded Lucene from 34 to 36.
- Build system improvements.
- Updated documentation.



Server Analyser : Simple Server Malware Scanner

Server Analyser is a service for detecting and analysing web-based threats. It currently handles web shells, obfuscated JavaScript, executables, iframes and port scans.

Features added:
+ Logging of scans
+ Just paste the results (option 1)
+ New exploit methods added to option 1
+ Latest infections (updated automatically)
+ PHP shell detection on exec()/system() etc. (more will be added soon)
+ The code has been made smaller
+ New BlackHole methods
+ Additional JavaScript methods
+ Decoded PHP syntaxes:
+ gzinflate
+ var url
+ base64_decode
+ The beta has been released and uploaded
+ Code improvements
+ Fixed the dos2unix issue



CAINE 3.0 - QUASAR Computer forensics Live CD Released

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a digital forensics project. CAINE 3.0 is based on Ubuntu 12.04, customized for computer forensics.

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

CAINE's stated objectives:
  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user friendly graphical interface
  • a semi-automated compilation of the final report
CAINE fully embraces the open-source philosophy: the project is completely open, so anyone can take over from a previous developer or project manager. The distribution is open source, the Windows side (WinTaylor) is open source and, last but not least, the distribution is installable.

CHANGELOG CAINE 3.0 "Quasar"
  • Kernel 3.2.0-31
ADDED:
  • MATE 1.4 + LightDM
  • iphonebackupanalyzer
  • exiftool (Phil Harvey)
  • tcpflow
  • tshark
  • john
  • wireshark
  • firefox
  • vinetto
  • mdbtool
  • gdisk
  • LVM2
  • tcpdump
  • Mobius
  • QuickHash
  • SQLiteBrowser
  • FRED
  • docanalyzer
  • nerohistanalyzer
  • knowmetanalyzer
  • PEFrame
  • grokEVT
  • zenmap (nmap)
  • blackberry tools
  • IDevice tools

Volatility 2.2 Released - Introduced Linux support (Intel x86, x64)

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this area of research.

Windows Basic

  • Current date, time, CPU count, CPU speed, service pack
  • Current thread and idle thread
  • Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc

Processes

  • List active processes (column or tree view)
  • Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
  • Enumerate DLLs in the PEB LDR lists
  • Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
  • Print open handles to files, registry keys, mutexes, threads, processes, etc
  • List security identifiers (SIDs) for processes
  • Scan for cmd.exe command history and full console input/output buffers
  • List process environment variables
  • Print PE version information from processes or DLLs (file version, company name, etc)
  • Enumerate imported and exported API functions anywhere in process or kernel memory
  • Show a list of virtual and physical mappings of all pages available to a process
  • Dump process address space to disk as a single file
  • Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
  • Represent the VAD in tree form or Graphviz .dot graphs
  • Dump each VAD range to disk for inspecting with external tools
  • Parse XP/2003 event log records
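The "scan for hidden or terminated _EPROCESS objects using pool tags" item is the technique behind Volatility's psscan, and it is worth seeing why it finds what a linked-list walk (pslist) misses. The following is an added example, not Volatility's code: it carves a raw 32-bit memory image for the "Proc" pool tag, parses the x86 _POOL_HEADER bit fields, applies psscan-style sanity checks (allocation size, page-aligned DTB) and reads a few _EPROCESS fields. The field offsets are those of Volatility's WinXPSP2x86 profile; the 0x20 distance from pool header to object body (no optional object headers) is an assumption stated in the code, and the memory image is constructed inline, including one process whose pool block has been freed.

```python
import struct

PROCESS_POOL_TAG = b"Proc"
# _EPROCESS field offsets from Volatility's WinXPSP2x86 profile (32-bit XP SP2/SP3).
# Other profiles differ: take the offsets from the profile that matches your image.
EPROCESS_SIZE = 0x260
OFF_DTB, OFF_CREATE_TIME, OFF_EXIT_TIME = 0x18, 0x70, 0x78
OFF_PID, OFF_PPID, OFF_IMAGE_NAME = 0x84, 0x14C, 0x174
# Assumption for this example: the object body sits after the 8-byte _POOL_HEADER and a
# 0x18-byte _OBJECT_HEADER with no optional headers in between.
BODY_OFFSET = 0x20
UNIX_EPOCH_AS_FILETIME = 116444736000000000


def filetime_to_unix(ft):
    """FILETIME (100 ns ticks since 1601) to Unix seconds; None for a zero (unset) timestamp."""
    return (ft - UNIX_EPOCH_AS_FILETIME) / 10_000_000 if ft else None


def parse_pool_header(mem, off):
    """32-bit _POOL_HEADER: PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7, then PoolTag."""
    bits, tag = struct.unpack_from("<I4s", mem, off)
    return {"previous_size": bits & 0x1FF, "pool_index": (bits >> 9) & 0x7F,
            "block_size": (bits >> 16) & 0x1FF, "pool_type": (bits >> 25) & 0x7F, "tag": tag}


def scan_processes(mem):
    """Carve _EPROCESS objects by pool tag; finds unlinked (hidden) and freed (terminated) ones too."""
    found, pos = [], 0
    while True:
        i = mem.find(PROCESS_POOL_TAG, pos)
        if i < 0:
            return found
        pos = i + 1
        if i < 4:                                   # no room for the header bits before the tag
            continue
        pool_off, body = i - 4, i - 4 + BODY_OFFSET
        hdr = parse_pool_header(mem, pool_off)
        # Sanity checks in the spirit of psscan: the allocation must be large enough (BlockSize
        # is in 8-byte units on x86) and the page-directory base must be non-zero and 0x20-aligned.
        if hdr["block_size"] * 8 < BODY_OFFSET + EPROCESS_SIZE or body + EPROCESS_SIZE > len(mem):
            continue
        dtb = struct.unpack_from("<I", mem, body + OFF_DTB)[0]
        if dtb == 0 or dtb % 0x20:
            continue
        create = struct.unpack_from("<Q", mem, body + OFF_CREATE_TIME)[0]
        exited = struct.unpack_from("<Q", mem, body + OFF_EXIT_TIME)[0]
        pid = struct.unpack_from("<I", mem, body + OFF_PID)[0]
        ppid = struct.unpack_from("<I", mem, body + OFF_PPID)[0]
        name = mem[body + OFF_IMAGE_NAME:body + OFF_IMAGE_NAME + 16].split(b"\0", 1)[0]
        found.append({"offset": pool_off, "pid": pid, "ppid": ppid, "dtb": dtb,
                      "name": name.decode("ascii", "replace"),
                      "create_time": filetime_to_unix(create), "exit_time": filetime_to_unix(exited),
                      "freed": hdr["pool_type"] == 0})   # PoolType 0: block is on a free list


# --- constructed memory image -------------------------------------------------------------
def fake_process_allocation(pid, ppid, name, dtb, create_ft, exit_ft=0, pool_type=1):
    """_POOL_HEADER + _OBJECT_HEADER + _EPROCESS as the scanner expects; pool_type 1 = allocated
    non-paged, 0 = freed."""
    block_size = (BODY_OFFSET + EPROCESS_SIZE) // 8
    header = struct.pack("<I4s", (pool_type << 25) | (block_size << 16) | 1, PROCESS_POOL_TAG)
    body = bytearray(EPROCESS_SIZE)
    struct.pack_into("<I", body, OFF_DTB, dtb)
    struct.pack_into("<QQ", body, OFF_CREATE_TIME, create_ft, exit_ft)
    struct.pack_into("<I", body, OFF_PID, pid)
    struct.pack_into("<I", body, OFF_PPID, ppid)
    body[OFF_IMAGE_NAME:OFF_IMAGE_NAME + len(name)] = name
    return header + bytes(BODY_OFFSET - 8) + bytes(body)


FILLER = bytes(range(256)) * 8          # contains no "Proc" sequence
T0 = 129_940_000_000_000_000            # a FILETIME in October 2012 (constructed)
SAMPLE_MEMORY = b"".join([
    FILLER,
    fake_process_allocation(4, 0, b"System", 0x00039000, T0),
    FILLER,
    b"\0\0\0\0" + PROCESS_POOL_TAG + b"\0" * 64,   # stray tag in data: fails the size check
    fake_process_allocation(680, 4, b"lsass.exe", 0x01234020, T0 + 10**9),
    # exited process whose pool block was freed but not reused: pslist misses it, psscan does not
    fake_process_allocation(1720, 680, b"evil.exe", 0x05A3B000, T0 + 2 * 10**9,
                            exit_ft=T0 + 3 * 10**9, pool_type=0),
    FILLER,
])

if __name__ == "__main__":
    for p in scan_processes(SAMPLE_MEMORY):
        print(f"0x{p['offset']:08x} {p['name']:<12} pid={p['pid']:<5} ppid={p['ppid']:<5} "
              f"exited={'yes' if p['exit_time'] else 'no'} freed={p['freed']}")
```

The scanner never follows a pointer, so unlinking an _EPROCESS from PsActiveProcessHead (DKOM) does not hide it, and a terminated process stays visible until its pool block is overwritten. The price is false positives, which is why the real plugin layers more checks than the two shown here and why Volatility's "alternate process listings" item below cross-references several sources.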

Kernel Memory

  • List loaded kernel modules and scan for hidden/unloaded module structures
  • Extract PE files including drivers from anywhere in kernel memory
  • Dump the SSDT for all 32- and 64-bit windows systems
  • Scan for driver objects, print IRP major function tables
  • Show devices and device tree layout
  • Scan for file objects (can show deleted files, closed handles, etc)
  • Scan for threads, mutex objects and symbolic links

GUI Memory

  • Analyze logon sessions and the processes and mapped images belonging to the session
  • Scan for window stations and clipboard artifacts (clipboard snooping malware)
  • Scan for desktops, analyze desktop heaps and attached GUI threads
  • Locate and parse atom tables (class names, DLL injection paths, etc)
  • Extract the contents of the windows clipboard
  • Analyze message hooks and event hooks, show the injected DLL and function address
  • Dump all USER object types, pool tags, and flags from the gahti
  • Print all open USER handles, associated threads or processes, and object offsets
  • Display details on all windows, such as coordinates, window title, class, procedure address, etc
  • Take screen shots from memory dumps (requires PIL)

Malware Analysis

  • Find injected code and DLLs, unpacker stubs, and decrypted configurations, etc
  • Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc
  • Analyze services, their status (running, stopped, etc) and associated process or driver
  • Cross-reference memory mapped executable files with PEB lists to find injected code
  • Scan for imported functions in process or kernel memory (without using import tables)
  • Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc
  • Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
  • Dump details of threads, such as hardware breakpoints, context registers, etc
  • Enumerate kernel callbacks for process creation, thread creation, and image loading
  • Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
  • Detect hidden processes with alternate process listings (6+ sources)
  • Analyze kernel timers and their DPC routine functions

Networking

  • Walk the list of connection and socket objects for XP/2003 systems
  • Scan physical memory for network information (recover closed/terminated artifacts)
  • Determine if listening sockets are IPv4, IPv6, etc and link to their owning processes

Registry

  • Scan for registry hives in memory
  • Parse and print any value or key cached in kernel memory, with timestamps
  • Dump an entire registry hive recursively
  • Extract cached domain credentials from the registry
  • Locate and decrypt NT/NTLM hashes and LSA secrets
  • Analyze user assist keys, the shimcache, and shellbags

Crash Dumps, Hibernation, Conversion

  • Print crash dump and hibernation file header information
  • Run any plugin on a crash dump or hibernation file (hiberfil.sys)
  • Convert a raw memory dump to a crash dump for opening in WinDbg
  • Convert a crash dump or hibernation file to a raw memory dump

Miscellaneous

  • Link strings found at physical offsets to their owning kernel address or process
  • Interactive shell with disassembly, type display, hexdumps, etc



Artillery 0.6 Released

Artillery is a combination of a honeypot, a monitoring tool and an alerting system. It is an open-source, Python-driven tool for making it difficult for attackers to hit your network. Attackers mostly follow predefined patterns when attacking systems and servers.

Artillery takes advantage of that by exposing ports that look like vulnerable services but are not. When an attacker connects to one of these ports, Artillery sends random data back and then bans the source address permanently.

In addition to the active banning and honeypot portions of Artillery, there is also file integrity monitoring, server health checks, and hardening checks.
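The decoy-port behaviour above is small enough to show end to end. The following is an added example, not Artillery's code: a threaded TCP listener that answers any connection on a decoy port with random bytes, records the event for the alerting side, and bans the source once unless it falls inside a whitelist. The whitelist ranges, decoy port list and the iptables rule text are assumptions for the demo; the rule is returned as a string and never executed, so the block runs unprivileged.

```python
import ipaddress
import os
import random
import socket
import socketserver
import threading

# Networks that must never be banned (assumption: management and loopback ranges).
WHITELIST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
# Decoy ports for the demo; Artillery ships its own default list.
DECOY_PORTS = (21, 23, 1433, 5900, 8080)

banned = set()
events = []          # (client_ip, port) log consumed by the alerting side
_lock = threading.Lock()


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def ban_rule(ip):
    """The firewall rule a ban would insert; returned as text, never executed here."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def handle_hit(client_ip, port):
    """Policy for a connection on a decoy port: junk reply, then a one-time ban of
    non-whitelisted sources. Returns (payload_to_send, firewall_rule_or_None)."""
    payload = os.urandom(random.randint(64, 512))   # random bytes confuse banner grabbers
    with _lock:
        events.append((client_ip, port))
        if is_whitelisted(client_ip) or client_ip in banned:
            return payload, None
        banned.add(client_ip)
    return payload, ban_rule(client_ip)


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        ip = self.client_address[0]
        payload, rule = handle_hit(ip, self.server.server_address[1])
        try:
            self.request.sendall(payload)
        except OSError:
            pass
        if rule:
            print("BAN", ip, "->", rule)   # production: subprocess.run(rule.split(), check=True)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_decoy(bind="127.0.0.1", port=0):
    """Start one decoy listener in a background thread; port 0 lets the OS pick (handy for tests)."""
    server = DecoyServer((bind, port), DecoyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, timeout=5):
    """Connect to a decoy the way a scanner would and return whatever it sends back."""
    with socket.create_connection(server.server_address, timeout=timeout) as s:
        return s.recv(4096)


if __name__ == "__main__":
    servers = [start_decoy("0.0.0.0", p) for p in DECOY_PORTS]   # needs root for ports < 1024
    print("decoys listening on", [s.server_address[1] for s in servers])
    threading.Event().wait()
```

Two details matter in practice and are reflected above: the ban decision is taken under a lock so a port sweep that opens many connections at once produces one rule rather than dozens, and the whitelist is checked before anything else so a misconfigured scanner on the management network cannot lock you out.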

Artillery 0.6 change log:
  • fixed a bug in remove_ban that would not remove the ip address
  • added threat intelligence feed: an automatic feed of attacker IP addresses pulled from TrustedSec web servers
  • added ability to automatically block based on intelligence feed
  • daily checks added to banlist
  • fixed a bug when uninstall would not properly kill artillery
  • added a check in the uninstall to see if artillery is actually running
  • added some enhancements to the honeypot banning
  • added new flag for intelligence feed in the config file
  • added the ability to change threat feeds to a different server of your choice
  • added threading to reloading the IP tables matrix, was causing a hang on other imports
  • removed 3306 as a standard port, would cause conflicts at times if it was already installed
  • added the ability to specify the threat intelligence feed server
  • added the ability to configure your own threat intelligence feed server
  • added ability to change the public directory for the HTTP server
  • added ability to configure multiple threat feeds, can pull in multiple Artillery servers
Download Artillery from the SVN at the following link:
svn co http://svn.secmaniac.com/artillery artillery/



The Samurai Web Testing Framework v 2.0RC5

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery, including w3af and Burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. The CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.



PacketPig : Big Data Security Analytics Platform

PacketPig is an open source “big data” platform for analyzing full packet captures. "The idea of full packet capture has been likened to network TiVo, and largely discounted," said Michael Baker, CTO at Packetloop.
This open-source tool was presented at this year's BlackHat EU in March. The name comes from its creator, the company Packetloop, and from Pig, the primary language used. It can be considered a one-stop shop for network security monitoring.

Baker said one challenge with analyzing large sets of data traditionally has been that as pcaps age, tools tend to aggregate the data, meaning that a minute-by-minute look at packets becomes averaged into an hour, and hours later rolled up into days or even months. "The key point is to not lose fidelity," he said.

Packetpig is built on Pig, which is a platform--programmed in a language called Pig Latin--for creating MapReduce jobs, a concept Google outlined in a 2004 research paper. The jobs spread problems involving large amounts of data across multiple nodes. In particular, Packetpig is a series of data-analysis jobs that run on Hadoop, an open-source implementation of MapReduce, to handle the replication of data across multiple nodes. These nodes could be anything from spare servers or compute time scrounged by the information security group to Amazon Simple Storage Service (Amazon S3).

List of PacketPig Pig Loaders:
  1. PacketLoader() – opens packet captures and provides access to TCP, UDP and IP headers e.g. Source IP Address, Source Port, Destination IP Address, Destination Port.
  2. SnortLoader() – wraps the Snort Intrusion Detection application allowing packet captures to be analysed across a Hadoop Cluster. The loader analyses packets and returns signature, priority, message, protocol and Source IP/Port, Destination IP/Port. It also produces a record for each alert triggered.
  3. ConversationLoader() – links packets to their conversations or flows. The conversation start and end, the way the conversation ended, the number of packets, their size and delay can all be extracted through this loader.
  4. DNSConversationLoader() – provides additional functionality for the deep packet inspection of DNS conversations.
  5. HTTPConversationLoader() – provides additional functionality for the deep packet inspection of HTTP conversations.
  6. ConversationFileLoader() – allows file metadata and files themselves to be extracted from conversations. The file name, extension, libmagic information as well as MD5, SHA1 and SHA256 hashes are returned through this loader. In addition the actual files themselves can be extracted and dumped.
  7. FingerprintLoader() – a wrapper for p0f that lets it run across a Hadoop cluster, giving an operating-system fingerprint for each packet in a pcap.
  8. PacketNgramLoader() – extracts data from each packet in a conversation and breaks it into an N-Gram. Unigram, Bigram and Trigrams are most commonly used however any integer can be passed to the loader.
The loaders are invoked from Pig scripts written in Pig Latin, and several of them can be combined in one script. They are the building blocks for analysing full packet captures with Packetpig.
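What ConversationLoader() and PacketNgramLoader() compute is a map-reduce over packets: map each packet to a direction-independent flow key, then reduce each group to start/end, packet and byte counts, how the flow ended, and payload n-grams. The following is an added example in Python, not Packetpig's Pig Latin or Java, that performs that reduction on a constructed list of decoded packet tuples (the kind of record PacketLoader() would hand to a script); the tuple layout and the field names are this example's own.

```python
from collections import Counter, defaultdict

# Constructed packet records, roughly what a PacketLoader() row carries after decoding:
# (timestamp, proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload)
PACKETS = [
    (1.00, "tcp", "10.0.0.5", 51000, "93.184.216.34", 80, "S", b""),
    (1.05, "tcp", "93.184.216.34", 80, "10.0.0.5", 51000, "SA", b""),
    (1.10, "tcp", "10.0.0.5", 51000, "93.184.216.34", 80, "PA",
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (1.20, "tcp", "93.184.216.34", 80, "10.0.0.5", 51000, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    (1.30, "tcp", "10.0.0.5", 51000, "93.184.216.34", 80, "FA", b""),
    (2.00, "udp", "10.0.0.5", 53000, "10.0.0.1", 53, "", b"\x12\x34\x01\x00"),
    (3.00, "tcp", "10.0.0.9", 40000, "10.0.0.7", 445, "S", b""),
    (3.01, "tcp", "10.0.0.7", 445, "10.0.0.9", 40000, "R", b""),
]


def conversation_key(rec):
    """Direction-independent flow key, so both halves of a conversation reduce together."""
    _, proto, src, sport, dst, dport, _, _ = rec
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def ngrams(payload, n):
    """Byte n-grams of one payload (what PacketNgramLoader produces per packet)."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def load_conversations(packets, n=2):
    """Map each packet to its flow key, then reduce every group to flow statistics."""
    groups = defaultdict(list)
    for rec in sorted(packets, key=lambda r: r[0]):          # map
        groups[conversation_key(rec)].append(rec)
    conversations = {}
    for key, recs in groups.items():                         # reduce
        flags = "".join(r[6] for r in recs)
        ended_by = "rst" if "R" in flags else "fin" if "F" in flags else "none"
        grams = Counter()
        for r in recs:
            grams.update(ngrams(r[7], n))
        conversations[key] = {
            "client": (recs[0][2], recs[0][3]),              # the side that spoke first
            "start": recs[0][0], "end": recs[-1][0],
            "duration": round(recs[-1][0] - recs[0][0], 3),
            "packets": len(recs), "bytes": sum(len(r[7]) for r in recs),
            "ended_by": ended_by, "ngrams": grams,
        }
    return conversations


def top_ngrams(conversations, k=3):
    """Corpus-wide n-gram counts across all flows, the usual follow-up aggregation."""
    total = Counter()
    for c in conversations.values():
        total.update(c["ngrams"])
    return total.most_common(k)


if __name__ == "__main__":
    convs = load_conversations(PACKETS)
    for key, c in convs.items():
        print(key, c["packets"], "pkts", c["bytes"], "bytes", c["ended_by"], "client", c["client"])
    print(top_ngrams(convs))
```

Keeping the per-flow records instead of rolling them up is the "do not lose fidelity" point from the article: the group-by here is what a cluster parallelises, and because the key is bidirectional a single flow never splits across reducers.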



Andrubis - Analyze Unknown Android Applications

Andrubis is designed to analyze unknown apps for the Android platform (APKs). It comes from the team at iSecLab, who already run the Windows executable analysis sandbox Anubis; in fact, Andrubis can be considered an extension of Anubis.

Andrubis gives insight into the behavioral aspects and properties of a submitted app by combining static and dynamic analysis. In the dynamic part the app is installed and run in an Android emulator (on the Dalvik VM). In addition to the usual tracking of file open, read and write events, network traffic and dynamically registered broadcast receivers, taint analysis reports leakage of sensitive data such as the IMEI. Phone-specific events, such as phone calls and SMS messages sent, are also captured.

Information is also obtained statically, without executing the app, including the intent-filters declared by its components.

In short, as the core Anubis does for Windows PE executables, Andrubis executes Android apps in a sandbox and provides a detailed report on their behavior, including file access, network access, cryptographic operations, dynamic code loading and information leaks. The static analysis yields information on, for example, the app's activities, services, required external libraries and the permissions it actually requires.

In order not to reinvent the wheel, Andrubis leverages several existing open source projects in addition to the Android SDK, such as:
  1. DroidBox
  2. TaintDroid
  3. apktool
  4. Androguard
To see how effective it is, the original post links an example Andrubis report for the DroidKungFu.A Android malware.
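The static side of such a service starts from the manifest: which permissions the app asks for, which activities, services and receivers it declares, and which intent-filters make those components reachable. The following is an added example, not Andrubis code, that runs that first pass over a manifest already decoded to plain XML (apktool, listed above, does the decoding for a real APK). The manifest is constructed inline to look like a "flashlight" app with SMS and phone-identity permissions; the permission watchlist and the finding texts are this example's own review heuristics.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions worth a second look in an unknown app (review list, not an official classification).
WATCHLIST = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI/IMSI)",
    "android.permission.SEND_SMS": "send SMS (premium-rate abuse)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read address book",
    "android.permission.INTERNET": "network access",
}

# Constructed manifest, already decoded to plain XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService">
      <intent-filter>
        <action android:name="com.example.flashlight.UPLOAD"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Permissions, components with their intent-filter actions, and review findings."""
    root = ET.fromstring(xml_text)
    permissions = [e.get(ANDROID_NS + "name") for e in root.findall("uses-permission")]
    components = []
    app = root.find("application")
    for kind in ("activity", "service", "receiver", "provider"):
        for el in app.findall(kind):
            filters = el.findall("intent-filter")
            actions = [a.get(ANDROID_NS + "name") for f in filters for a in f.findall("action")]
            declared = el.get(ANDROID_NS + "exported")
            # Pre-Android-12 rule: a component with an intent-filter is exported unless it says otherwise.
            exported = declared == "true" if declared is not None else bool(filters)
            components.append({"kind": kind, "name": el.get(ANDROID_NS + "name"), "exported": exported,
                               "actions": actions, "guarded_by": el.get(ANDROID_NS + "permission")})
    findings = [f"{p}: {WATCHLIST[p]}" for p in permissions if p in WATCHLIST]
    if any("SMS_RECEIVED" in a for c in components for a in c["actions"]):
        findings.append("registers a receiver for incoming SMS (can read or swallow messages)")
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= set(permissions):
        findings.append("can read the IMEI and reach the network: exfiltration path to confirm dynamically")
    for c in components:
        if c["kind"] in ("service", "provider") and c["exported"] and not c["guarded_by"]:
            findings.append(f"{c['kind']} {c['name']} is exported without a permission")
    return {"package": root.get("package"), "permissions": permissions,
            "components": components, "findings": findings}


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["permissions"])
    for finding in report["findings"]:
        print(" -", finding)
```

A manifest only says what the app may do; the dynamic run with taint tracking is what shows whether the IMEI actually leaves the device. The static pass is still valuable as triage: a flashlight that registers a high-priority SMS receiver deserves the sandbox run first.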



SetMACE 1.0.0.6 : Windows Timestamp Tampering Tool

SetMACE is an advanced NTFS filesystem timestamp manipulation tool. The four timestamps it works with (MACE):
  • M – modified (file content)
  • A – accessed
  • C – created
  • E – MFT entry modified (the last time the $MFT record itself changed)
Note that this lettering differs from the MACB convention used by The Sleuth Kit and log2timeline: there B is "born" (creation, MACE's C) and C is "changed" (metadata, MACE's E).
Features: 
  • Support for files and directories.
  • Complete 64-bit timestamp (including the nanoseconds).
  • Native 64-bit OS support (as well as 32-bit).
  • Complete support for both $FILE_NAME and $STANDARD_INFORMATION timestamps, without workarounds.
  • Clone timestamps from a second file.
  • Dump all filesystem timestamps (up to 4+4+4: four in $STANDARD_INFORMATION and four in each of up to two $FILE_NAME attributes, e.g. the long and the 8.3 name).
  • Very hard to detect a manipulated timestamp: because $FILE_NAME is rewritten too and the full 100 ns precision is preserved, the usual $SI-versus-$FN comparison and zero-sub-second checks will not flag it, so corroborate with $LogFile, $UsnJrnl and other timeline sources.
Usage instructions are in the article linked from the original post.
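The two checks an examiner usually runs against $STANDARD_INFORMATION, and why a tool that also writes $FILE_NAME with full precision slips past them, are easiest to see side by side. The following is an added example, not SetMACE's code: FILETIME conversion plus three heuristics (a $SI creation time earlier than $FN's, a zeroed sub-second field, and values outside the plausible window) run over two constructed MFT timestamp sets, one backdated through the Win32 API and one rewritten the way SetMACE can.

```python
from datetime import datetime, timedelta, timezone

NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime (microsecond precision)."""
    return NTFS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - NTFS_EPOCH     # integer arithmetic: floats would lose the low ticks
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def timestamp_anomalies(si, fn, acquired_at):
    """Heuristics for a tampered $STANDARD_INFORMATION; si/fn map 'M','A','C','E' to FILETIME ints.
    Returns a list of findings (empty means nothing obvious, not 'not tampered')."""
    findings = []
    # 1. $FN is written by the kernel at creation and is not touched by SetFileTime(): a $SI
    #    creation time earlier than $FN's is the classic sign that $SI alone was rewritten.
    if si["C"] < fn["C"]:
        findings.append("$SI created earlier than $FN created")
    # 2. User-mode timestomping through the Win32 API tends to leave the sub-second field all zero.
    for k, v in si.items():
        if v % 10_000_000 == 0:
            findings.append(f"$SI {k} has a zero sub-second component")
    # 3. Outside the plausible window: before NTFS existed or after the image was acquired.
    upper = datetime_to_filetime(acquired_at)
    lower = datetime_to_filetime(datetime(1993, 1, 1, tzinfo=timezone.utc))
    for attr, stamps in (("$SI", si), ("$FN", fn)):
        for k, v in stamps.items():
            if not lower <= v <= upper:
                findings.append(f"{attr} {k} is outside the plausible range")
    return findings


# --- constructed MFT timestamps for two files ---------------------------------------------
def ft(*args):
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


ACQUIRED = datetime(2012, 10, 20, 12, 0, tzinfo=timezone.utc)
real_created = ft(2012, 10, 5, 9, 30, 15, 123456)
# File A: $SI backdated with a Win32-style call; $FN still carries the true creation time.
FILE_A = {
    "si": {"M": ft(2009, 1, 1, 0, 0, 0), "A": ft(2009, 1, 1, 0, 0, 0),
           "C": ft(2009, 1, 1, 0, 0, 0), "E": ft(2012, 10, 5, 9, 30, 15, 123456)},
    "fn": {"M": real_created, "A": real_created, "C": real_created, "E": real_created},
}
# File B: $SI and $FN both rewritten with full precision (what SetMACE can do); nothing to flag.
back = ft(2009, 1, 1, 0, 0, 0, 654321)
FILE_B = {"si": {"M": back, "A": back, "C": back, "E": back},
          "fn": {"M": back, "A": back, "C": back, "E": back}}

if __name__ == "__main__":
    for label, f in (("A", FILE_A), ("B", FILE_B)):
        print(label, timestamp_anomalies(f["si"], f["fn"], ACQUIRED) or "no anomaly detected")
```

File B coming back clean is the point of the tool's last feature bullet: once both attributes agree and the low-order ticks look natural, the MFT record alone no longer tells you anything, and the investigation has to move to $LogFile, $UsnJrnl, volume shadow copies or backups, where the pre-tampering values may survive.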



Revelo - The Javascript Deobfuscator

Revelo is not as full-fledged as MalZilla, but doing what the now-defunct MalZilla did is its purpose anyway. Revelo automates some of the manual changes needed to de-obfuscate script code. It is not a script debugger; it is more a set of tools for de-obfuscating scripts.

Revelo works by writing the JavaScript, with some user-specified modifications, to an HTML file, opening that file inside the tool, and extracting the de-obfuscated elements using the Internet Explorer engine, while letting the user make choices based on his or her understanding of the obfuscated script.

Features of Revelo:
  • Analyze a script quickly by loading a file or pasting in JavaScript code
  • Includes several methods to de-obfuscate JavaScript
  • Includes a built-in browser proxy which displays the URL of outgoing requests
  • Displays the Document Object Model (DOM) elements
  • Includes a packet sniffer which logs incoming and outgoing requests
  • Includes a software firewall to prevent the program from accessing Internet content accidentally
  • Ability to act as a web proxy to catch and block redirects
  • Beautifies JavaScript code to make it more readable
  • Ability to clear the browser cookies
  • Ability to spoof the user-agent string
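Revelo leans on the IE engine to evaluate the script; the complementary approach, useful when you do not want to execute attacker code at all, is to emulate only the string-building subset of JavaScript that obfuscators rely on. The following is an added example, not Revelo's code: a small tokenizer and recursive-descent evaluator for string literals (with \xHH and \uHHHH escapes), + concatenation, String.fromCharCode() and unescape() (including the %uXXXX form), applied layer by layer to eval()/document.write() wrappers until a payload with no wrapper is left. The sample script is constructed inline as the common two-stage chain; anything outside that subset makes the evaluator raise rather than guess.

```python
import re

STRING_LITERAL = r'"(?:[^"\\]|\\.)*"' + "|" + r"'(?:[^'\\]|\\.)*'"
TOKEN = re.compile("|".join([
    f"(?P<str>{STRING_LITERAL})",
    r"(?P<fcc>String\.fromCharCode\s*\()",
    r"(?P<unesc>unescape\s*\()",
    r"(?P<num>\d+)",
    r"(?P<plus>\+)",
    r"(?P<comma>,)",
    r"(?P<close>\))",
    r"(?P<ws>\s+)",
]))
JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}
WRAPPER = re.compile(r"^\s*(?:eval|document\.write(?:ln)?)\s*\((.*)\)\s*;?\s*$", re.S)


def decode_literal(body):
    """Resolve \\xHH, \\uHHHH and the common single-character escapes of a JS string literal."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return JS_ESCAPES.get(esc, esc)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", repl, body, flags=re.S)


def js_unescape(s):
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)   # JS-only %uXXXX form
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


class StringExprEvaluator:
    """Evaluates the string-building subset of JS (literals, +, String.fromCharCode, unescape)
    without handing the script to a JS engine. Anything else raises ValueError."""

    def __init__(self, src):
        self.toks, pos = [], 0
        for m in TOKEN.finditer(src):
            if m.start() != pos:
                raise ValueError(f"unsupported syntax near {src[pos:pos + 20]!r}")
            pos = m.end()
            if m.lastgroup != "ws":
                self.toks.append((m.lastgroup, m.group()))
        if pos != len(src):
            raise ValueError(f"unsupported syntax near {src[pos:pos + 20]!r}")
        self.i = 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, expected=None):
        if self.i >= len(self.toks) or (expected and self.toks[self.i][0] != expected):
            raise ValueError(f"expected {expected or 'a term'} at token {self.i}")
        kind, text = self.toks[self.i]
        self.i += 1
        return kind, text

    def evaluate(self):
        value = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return value

    def expr(self):                      # expr := term ('+' term)*
        value = self.term()
        while self.peek() == "plus":
            self.take("plus")
            value += self.term()
        return value

    def term(self):                      # term := literal | fromCharCode(nums) | unescape(expr)
        kind, text = self.take()
        if kind == "str":
            return decode_literal(text[1:-1])
        if kind == "fcc":
            chars = []
            while self.peek() != "close":
                k, t = self.take()
                if k == "num":
                    chars.append(chr(int(t)))
                elif k != "comma":
                    raise ValueError("non-numeric fromCharCode argument")
            self.take("close")
            return "".join(chars)
        if kind == "unesc":
            inner = self.expr()
            self.take("close")
            return js_unescape(inner)
        raise ValueError(f"unexpected token {text!r}")


def deobfuscate(script, max_layers=10):
    """Peel eval()/document.write() wrappers layer by layer; returns every intermediate form."""
    layers = [script]
    for _ in range(max_layers):
        m = WRAPPER.match(layers[-1])
        if not m:
            break
        try:
            layers.append(StringExprEvaluator(m.group(1)).evaluate())
        except ValueError:
            break
    return layers


def extract_iocs(text):
    return {"urls": re.findall(r"https?://[^\s\"'<>()]+", text),
            "iframes": re.findall(r"<iframe\b[^>]*>", text, re.I)}


# --- constructed sample: eval(fromCharCode(...)) hiding document.write(unescape(...)) ------
_STAGE2 = 'document.write(unescape("%3Ciframe src=%22http://example.com/x.php%22 width=0 height=0%3E%3C/iframe%3E"))'
SAMPLE = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in _STAGE2) + "));"

if __name__ == "__main__":
    layers = deobfuscate(SAMPLE)
    for n, layer in enumerate(layers):
        print(f"layer {n}: {layer[:80]}")
    print(extract_iocs(layers[-1]))
```

Refusing anything outside the subset is deliberate: an obfuscator that branches on the DOM, the user-agent or a date (the reason Revelo offers user-agent spoofing and a sandboxed browser) will stop this evaluator with a ValueError, which tells you it is time to fall back to a real engine under a proxy and firewall, as Revelo does.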



Wifislax 4.1 - security and forensics tools live CD

Wifislax is a Slackware-based live CD containing a variety of security and forensics tools. The distribution’s main claim to fame is the integration of various unofficial network drivers into the Linux kernel, thus providing out-of-the-box support for a large number of wired and wireless network cards.

Official change log for Wifislax 4.1 (translated):
  • binutils library moved into the core module, so Ark can open .deb files without the devel module
  • kernel updated to 3.3.0 (Android drivers compiled in)
  • EXT4 partition support added
  • menu config retouched (Office category display)
  • rpm2xzm added
  • Broadcom firmware updated; b43-fwcutter 015 added
  • libtheora upgraded to 1.1.1
  • recordMyDesktop rebuilt against libtheora 1.1.1
  • jack-audio-connection-kit 0.121.3 (i486-1SL) added; kpackage 3.5.9-2 added
  • knemo autostart fixed
  • aircrack-ng suite updated to revision r2150
  • wifite 2 beta 9 added, with WPS support

